Hi Cho,

thanks for the debugging efforts - I must admit that I am not the "sscep guy", but after having a very quick look at that code, this looks fishy to me:

https://github.com/certnanny/sscep/blob/master/sscep.c#L867

IMHO this needs to be "X509_get_serialNumber(localcert)" and the current code perfectly matches the observed behaviour.

You might also give this project a try: https://github.com/gknocke/libscep/tree/develop - it was written by a colleague to replace the current SCEP toolchain in OpenXPKI and it offers a drop-in replacement script for sscep (hopefully without the bugs). We are still working on getting it included but still didn't find the time yet.

Oliver

On 09.06.2017 at 18:05, Cho Chan wrote:
Hi Oliver,

today I decided to debug this issue a bit and started a completely new and clean openxpki system following the quickstart guide (certificates were generated via examples/sampleconfig.sh). The only modification which I did was to change where to publish crl and cacert -> /var/www/html/ca-one/ (publishing.yaml)

Next ...

openxpkicmd --realm ca-one crl_issuance
Workflow created (ID: 1791), State: SUCCESS

openxpkicmd --realm ca-one ca_publish
Workflow created (ID: 2047), State: SUCCESS

Verification

openssl crl -in /var/www/html/ca-one/ca-one.crl -crlnumber -lastupdate -issuer -noout
crlNumber=01FF
lastUpdate=Jun 9 13:07:32 2017 GMT
issuer=/DC=ORG/DC=OpenXPKI/OU=Test CA/CN=CA ONE

curl -s http://pki.local/ca-one/ca-one.crl | openssl crl -crlnumber -lastupdate -issuer -noout
crlNumber=01FF
lastUpdate=Jun 9 13:07:32 2017 GMT
issuer=/DC=ORG/DC=OpenXPKI/OU=Test CA/CN=CA ONE

printf "%d\n" 0x01FF
511

confirm also from web interface that CRL with serial 511 was issued

============================

cd test

./sscep getca -u http://pki.local/scep/default \
  -c cacert
SUCCESS

openssl req \
  -new -keyout scep-test.key -out scep-test.csr \
  -newkey rsa:2048 -nodes \
  -subj "/DC=ORG/DC=OpenXPKI/OU=Test CA/CN=scep-test.local" \
  -batch

./sscep enroll -u http://pki.local/scep/default \
  -k scep-test.key -r scep-test.csr \
  -c cacert-0 \
  -l scep-test.crt \
  -t 10 -n 1
SUCCESS

./sscep getcrl -u http://pki.local/scep/default \
  -k scep-test.key \
  -c cacert-0 \
  -l scep-test.crt \
  -w ca-one.crl
FAILED

getcrl again failed with the same error mentioned in my previous mail -> time for debug mode:

openxpkictl --debug .*:100 start

and run the getcrl again. I am attaching stderr.log.
From the log I am seeing the following:

start executing getcrl

line 1536
OpenXPKI::Service::SCEP::Command::PKIOperation::execute (line 109): PKCS7 GetCRL

get_getcrl_issuer_serial

line 1656
2017-06-09 16:00:59.171693 DEBUG:2 PID:2414 OpenXPKI::Crypto::Toolkit::command (line 421): Command: OpenXPKI::Crypto::Tool::SCEP::Command::get_getcrl_issuer_serial
2017-06-09 16:00:59.171999 DEBUG:64 PID:2414 OpenXPKI::Crypto::Tool::SCEP::Command::get_getcrl_issuer_serial::get_command (line 40): engine: $VAR1 = bless( {
  'CERT' => '/var/tmp/openxpki2414fGk_WH84',
  'ENGINE_SECTION' => '',
  'ENGINE_USAGE' => '',
  'KEY' => '/etc/openxpki/ssl/ca-one/ca-one-scep-1.pem',
  'KEY_STORE' => 'OPENXPKI',
  'SECRET *the rest of this debug message is censored by OpenXPKI::Debug*

Here it is strange to me that get_getcrl_issuer_serial is working on the SCEP ssl cert and not on the scep-test.crt which was sent in the request:

openssl x509 -in /var/tmp/openxpki2414fGk_WH84 -subject -issuer -noout
subject= /DC=ORG/DC=OpenXPKI/OU=Test CA/CN=SCEP
issuer= /DC=ORG/DC=OpenXPKI/OU=Test CA/CN=Root CA

line 1794
2017-06-09 16:00:59.191031 DEBUG:16 PID:2414 OpenXPKI::Service::SCEP::Command::PKIOperation::__send_crl (line 234): Issuer Serial $VAR1 = {
  'ISSUER' => 'CN=Root CA,OU=Test CA,DC=OpenXPKI,DC=ORG',
  'SERIAL' => '0x02'
};

As the SCEP ssl cert is signed by Root CA, naturally the Root CA serial was found...

around line 1965
2017-06-09 16:00:59.196698 DEBUG:64 PID:2414 OpenXPKI::Server::API::__ANON__ (line 1801): Calling OpenXPKI::Server::API::Object->get_crl_list
...
2017-06-09 16:00:59.199200 DEBUG:32 PID:2414 OpenXPKI::Server::API::Object::get_crl_list (line 816): Found crl
2017-06-09 16:00:59.199315 DEBUG:1 PID:2414 OpenXPKI::Server::API::Object::get_crl_list (line 818): Finished

The line "Found crl" is also a bit strange as there is no crl issued by Root CA...
I am suspecting that either sscep is not properly preparing/sending the getcrl request or openxpki somehow is not properly processing the request, as for me the logical behaviour would be for the pki to identify the issuer and serial of the certificate that was sent via the -l/-k options, not of the SCEP certificate.

To confirm my suspicions I did the same setup as above with only one difference -> the SCEP cert was issued by CA ONE, not by Root CA.

./sscep getcrl -u http://pki.local/scep/default -k scep-test.key -c cacert-0 -l scep-test.crt -w ca-one.crl
./sscep: requesting crl
./sscep: valid response from server
./sscep: reply transaction id: SSCEP transactionId
./sscep: pkistatus: SUCCESS
./sscep: CRL written as ca-one.crl

I also tried with a self-signed SCEP cert and again there was the error. This for me points to the pki executing get_getcrl_issuer_serial on the SCEP cert and not on scep-test.crt which was sent via the request, and from there it tries to find the CRL..... and it fails. Please correct me if I am wrong somewhere.

Thank you in advance!

Regards,
Cho

On Fri, Jun 9, 2017 at 8:15 AM, Oliver Welter <[email protected]> wrote:

Hi Cho,

I can not really make any sense of that... it looks like OpenXPKI finds the correct CRL but it is zero bytes. Can you please check the catchall.log if you can see any more useful messages?

Oliver

On 08.06.2017 at 15:59, Cho Chan wrote:

Hi Oliver,

I will use the same thread as it is related to getcrl.
I am trying to get the CRL via SCEP using sscep, but I am receiving the following error:

2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Exception (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Exception.pm:109); scep-server-1()@ee1c] Exception: I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED
2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Exception (109); scep-server-1()@ee1c] Exception: I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __ERRVAL__ => I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::create_crl_reply
2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Service::SCEP (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Service/SCEP.pm:395); scep-server-1()@ee1c] Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::create_crl_reply; __ERRVAL__ => I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED

Here is my action:

1) Issuing new CRL on pki.local

# openxpkicmd --realm ca-web crl_issuance
Workflow created (ID: 1304063), State: SUCCESS

From openxpki.log

2017/06/08 15:37:28 openxpki.system.INFO:7990 [OpenXPKI::Server::Workflow::NICE::Local (446); anonymous(System)@8d6a#1304063] CRL issued for CA ca-web-signer-1 in realm ca-web
2017/06/08 15:37:28 openxpki.application.INFO:7990 [OpenXPKI::Server::Workflow (147); anonymous(System)@8d6a#1304063] Execute action crl_add_serial_to_status_hash on workflow #1304063
2017/06/08 15:37:28 openxpki.application.INFO:7990 [OpenXPKI::Server::Workflow (147); anonymous(System)@8d6a#1304063] Execute action crl_publish_crl on workflow #1304063
2017/06/08 15:37:28 openxpki.system.INFO:7990 [OpenXPKI::Server::Workflow::Activity::Tools::PublishCRL (220); anonymous(System)@8d6a#1304063] CRL pubication date set for crl 4607

Verifying...

a)
# openssl crl -in /var/www/html/ca-web/ca-web-crl.pem -crlnumber -lastupdate -noout
crlNumber=11FF
lastUpdate=Jun 8 13:37:28 2017 GMT

curl -s http://pki.local/ca-web/ca-web-crl.pem | openssl crl -crlnumber -lastupdate -noout
crlNumber=11FF
lastUpdate=Jun 8 13:37:28 2017 GMT

# printf "%d\n" 0x11FF
4607

b) Confirm also from web interface that CRL with serial 4607 was issued

2) Trying to getcrl via SCEP (using sscep - https://github.com/certnanny/sscep)

$ ./sscep | grep version
sscep version 0.5

$ ./sscep getca -c web_cacert -u http://pki.local/scep/web

$ ls -l
-rw------- 1 root root 1659 Jun 8 15:44 web_cacert-0
-rw------- 1 root root 1728 Jun 8 15:44 web_cacert-1
-rw------- 1 root root 1724 Jun 8 15:44 web_cacert-2
-r-------- 1 root root 1704 May 17 17:17 server.key
-rw------- 1 root root 6189 May 17 17:17 server.crt

web_cacert-0 - SCEP ssl cert
web_cacert-1 - RootCA
web_cacert-2 - Intermediate CA (WebCA)
server.crt - server ssl cert issued by WebCA

$ ./sscep getcrl -v -c web_cacert-0 -u http://pki.local/scep/web -l server.crt -k server.key -w t.crl
sscep: starting sscep, version 0.5
sscep: new transaction
sscep: transaction id: SSCEP transactionId
sscep: hostname: pki.local
sscep: directory: scep/web
sscep: port: 80
sscep: SCEP_OPERATION_GETCRL
sscep: requesting crl
sscep: request data dump
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
sscep: data payload size: 177 bytes
sscep: successfully encrypted payload
sscep: envelope size: 709 bytes
sscep: creating outer PKCS#7
sscep: signature added successfully
sscep: adding signed attributes
sscep: adding string attribute transId
sscep: adding string attribute messageType
sscep: adding octet attribute senderNonce
sscep: PKCS#7 data written successfully
sscep: applying base64 encoding
sscep: base64 encoded payload size: 4043 bytes
sscep: server returned status code 500
sscep: mime_err: HTTP/1.1 500 Internal Server Error
Date: Thu, 08 Jun 2017 13:48:20 GMT
Server: Apache
Connection: close
Content-Type: text/html

<h1>Software error:</h1>
<pre>I18N_OPENXPKI_CLIENT_DETACH_FAILED; __MESSAGE_FROM_SERVER__ => $VAR1 = {
  'LABEL' => 'I18N_OPENXPKI_SERVICE_SCEP_RUN_UNRECOGNIZED_SERVICE_MESSAGE'
};
</pre>
sscep: wrong (or missing) MIME content type
sscep: error while sending message

From openxpki.log

2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Exception (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Exception.pm:109); scep-server-1()@ee1c] Exception: I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED
2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Exception (109); scep-server-1()@ee1c] Exception: I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __ERRVAL__ => I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::create_crl_reply
2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Service::SCEP (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Service/SCEP.pm:395); scep-server-1()@ee1c] Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::create_crl_reply; __ERRVAL__ => I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED

Regards,
Cho

On Tue, Jun 6, 2017 at 8:42 AM, Oliver Welter <[email protected]> wrote:

Hi Kevin,

thanks for bringing this up - we will investigate how to solve this without breaking other things.
Oliver

On 22.05.2017 at 14:47, Kevin Wallis wrote:

At the moment I solved the problem by changing the code of the "get_getcrl_issuer_serial.pm" file. I added the following code in line 107:

$issuer = join ",", reverse split (/,/, $issuer);

So the DN is reversed. It would be very good if "get_getcrl_issuer_serial.pm" would order the issuer content itself. The result would be a request-source-independent solution.

Thanks for the help!

Regards,
Kevin
-- Protect your environment - close windows and adopt a penguin!
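The thread shows the same issuer DN in two spellings, OpenSSL's oneline form from `openssl crl -issuer` (`/DC=ORG/DC=OpenXPKI/OU=Test CA/CN=CA ONE`) and the RFC 2253 form OpenXPKI logs as `ISSUER` (`CN=Root CA,OU=Test CA,DC=OpenXPKI,DC=ORG`), and Kevin's workaround simply reverses whatever arrives. The added example below (my own code, not part of the thread, OpenXPKI or sscep) canonicalises either spelling before matching a CRL to its issuer, so the lookup no longer depends on which form the request carried; the published-CRL list is constructed sample data and the DN parser assumes single-valued RDNs without escaped separators.

```python
# Added example (not OpenXPKI/sscep code): canonicalise both DN spellings seen
# in the thread and look up a CRL by issuer independent of the spelling.
# Assumptions: single-valued RDNs, no escaped '/' or ',' inside values.

def parse_dn(dn):
    """Return (attribute, value) pairs in RFC 2253 order (CN first) for
    either an OpenSSL oneline DN ('/DC=ORG/.../CN=X') or an RFC 2253 DN."""
    dn = dn.strip()
    if dn.startswith("/"):
        parts = [p for p in dn.split("/") if p]
        parts.reverse()          # oneline form lists the root (DC) first
    else:
        parts = [p.strip() for p in dn.split(",")]
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def canonical_dn(dn):
    """RFC 2253 string form, the spelling OpenXPKI logs as 'ISSUER'."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn))

def same_issuer(dn_a, dn_b):
    """Compare two DNs regardless of which spelling each one uses."""
    return parse_dn(dn_a) == parse_dn(dn_b)

def crl_number(hex_digits):
    """'crlNumber=01FF' from `openssl crl -crlnumber` is hex: 01FF -> 511."""
    return int(hex_digits, 16)

# Constructed sample mirroring the first mail: only CA ONE has issued a
# CRL; the Root CA (issuer of the SCEP server cert) has none.
PUBLISHED_CRLS = [
    {"issuer": "/DC=ORG/DC=OpenXPKI/OU=Test CA/CN=CA ONE", "crl_number": "01FF"},
]

def find_crl(crls, issuer_dn):
    """Newest CRL whose issuer matches issuer_dn in either spelling, or None.
    A caller must treat None as an error (no CRL for this issuer) rather
    than answer the GetCRL with an empty body."""
    matches = [c for c in crls if same_issuer(c["issuer"], issuer_dn)]
    if not matches:
        return None
    best = max(matches, key=lambda c: crl_number(c["crl_number"]))
    return {"issuer": canonical_dn(best["issuer"]),
            "crl_number": crl_number(best["crl_number"])}
```

Asking for the Root CA's CRL returns None here, which is the case the thread's server should report as a failure instead of handing an empty file to create_crl_reply.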
