Hi openxpki team, I hope someone could help me as at this point even google can't :). Having issues running sscep enroll with sscep version 0.7.1 (the latest) and openxpki 3.6.1.
1. `sscep getca` works properly (gets ca.crt-1 and ca.crt-0). ca.crt-1 is the signing CA for the democa realm.
2. `sscep enroll` does not and fails with: "SCEP Response was empty" (response 500 from the server) and "ERROR LibSCEP.xs:339: Reading private key failed".
3. Signing certificates through the web portal (TLS/sub-ca/ or any profile) works without any issues; SCEP does not work. The same happens when we try to enroll using an already signed cert and key (enrolled using the web) whose CN matches the rules inside the scep profile / `authorized_signer` section.

```
~# sscep enroll -u http://$MYIP:8080/scep/scep -k tmp/scep-test.key -r tmp/scep-test.csr -c ca.crt-1 -l tmp/scep-test.crt -t 10 -n 1 -v
sscep: starting sscep, version 0.7.ipv6.1
sscep: new transaction
sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
sscep: hostname: $MYIP
sscep: directory: scep/scep
sscep: port: 8080
sscep: Read request with transaction id: 444F1BA8C5262E5F5E8424AC850A388B
sscep: generating selfsigned certificate
sscep: SCEP_OPERATION_ENROLL
sscep: sending certificate request
sscep: creating inner PKCS#7
sscep: inner PKCS#7 in mem BIO
sscep: request data dump
-----BEGIN CERTIFICATE REQUEST-----
SNIP
-----END CERTIFICATE REQUEST-----
sscep: data payload size: 692 bytes
sscep: successfully encrypted payload
sscep: envelope size: 1082 bytes
sscep: creating outer PKCS#7
sscep: signature added successfully
sscep: adding signed attributes
sscep: adding string attribute transId
sscep: adding string attribute messageType
sscep: adding octet attribute senderNonce
sscep: PKCS#7 data written successfully
sscep: applying base64 encoding
sscep: base64 encoded payload size: 3494 bytes
sscep: server returned status code 500
sscep: mime_err: HTTP/1.1 500 Internal Server Error
Date: Thu, 27 Aug 2020 12:07:46 GMT
Server: Apache/2.4.38 (Debian)
Connection: close
Content-Type: text/plain; charset=ISO-8859-1

SCEP Response was empty
sscep: wrong (or missing) MIME content type
sscep: error while sending message
```

### /var/log/openxpki/openxpki.log

At the same time openxpki.log shows:

```
/var/log/openxpki# tail -f /var/log/openxpki/openxpki.log
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
139687353561536:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
139687353561536:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
139687353561536:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
[pid=23413|sid=O29r] 2020/08/27 12:22:21 ERROR LibSCEP.xs:339: Reading private key failed
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
139687353561536:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
139687353561536:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
139687353561536:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
[pid=23428|sid=BRLr] 2020/08/27 12:22:21 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ => LibSCEP.xs:339: Reading private key failed
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
139687353561536:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
139687353561536:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
139687353561536:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
[pid=23428|sid=BRLr] 2020/08/27 12:22:21 ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ => LibSCEP.xs:339: Reading private key failed
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
139687353561536:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
139687353561536:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
139687353561536:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
139687353561536:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
[pid=23428|sid=BRLr]
```

## More detailed setup description

Running openxpki-docker (OpenXPKI Version: 3.6.1) and trying to make the following structure. The CA/Sub-CA structure is as follows:

- Root CA
  - realm democa: issuing CA 01
  - realm tenant02: issuing CA tenant02
  - realm ...: in the future more realms will be created and issuing CAs created

- The first realm / init I did using the sampleconfig.sh.
- The second realm I did create some of the files manually, but the signing CA is signed by the "Root CA".

In essence the idea is that the root CA signs a signing CA for each realm, which represent subordinate CAs. Further on, based on the scep profile inside the scep request, one chooses a corresponding scep profile (realm/server-name and with that a certificate profile to use). For now this works properly:

### democa realm alias output

```
~# openxpkiadm alias --realm democa
=== functional token ===
vault (datasafe):
Alias     : vault-1
Identifier: 4FB18exc8E2cFnZVKL19yb2UM6Y
NotBefore : 2020-08-19 17:17:46
NotAfter  : 2030-08-22 17:17:46

ca-signer (certsign):
Alias     : ca-signer-2
Identifier: uMfcGV5v8pLJyqLkt5UscPQk1Gs
NotBefore : 2020-08-20 13:27:56
NotAfter  : 2025-07-25 13:27:56

scep (scep):
Alias     : scep-2
Identifier: 6MhZl8OPyC2M6XL1LdHCGnyyhNw
NotBefore : 2020-08-20 14:27:51
NotAfter  : 2023-12-03 14:27:51

=== root ca ===
current root ca:
Alias     : root-1
Identifier: 3JG0DNiOYkWu-wBY72-uLn5uWho
NotBefore : 2020-08-19 17:17:44
NotAfter  : 2030-08-22 17:17:44

upcoming root ca:
not set
```

### tenant02 realm alias output

```
# openxpkiadm alias --realm tenant02
=== functional token ===
ca-signer (certsign):
Alias     : ca-signer-3
Identifier: 4w7iVcx9Kc-dUXgM3wUg3o4mRks
NotBefore : 2020-08-25 11:15:03
NotAfter  : 2025-08-27 11:15:03

scep (scep):
Alias     : scep-1
Identifier: sIL5JDpRRIIWYrm8kxNvlrkaB20
NotBefore : 2020-08-25 11:15:04
NotAfter  : 2021-08-25 11:15:04

vault (datasafe):
Alias     : vault-3
Identifier: Erri6kfvzgy-T_aDp5RHMwZ_zCI
NotBefore : 2020-08-25 11:15:03
NotAfter  : 2030-08-28 11:15:03

=== root ca ===
current root ca:
Alias     : root-2
Identifier: 3JG0DNiOYkWu-wBY72-uLn5uWho
NotBefore : 2020-08-19 17:17:44
NotAfter  : 2030-08-22 17:17:44

upcoming root ca:
not set
```

## SCEP implementation

Each of the realms will have the scep profile inside /etc/openxpki/scep, so we are able to choose the profile based on the SCEP URI (http://myserver:8080/scep/mystring), where mystring is the name of the config file inside /etc/openxpki/scep (mystring.conf, or default.conf if not provided / found). Based on the *servername* and *realm* parameters of the global SCEP profile, a corresponding yaml profile is then chosen from the /etc/openxpki/config.d/realm/$realmname/scep/ folder. This seems to work (the profile-choosing part only), but enroll still fails miserably as stated above.

Thank you & best regards,
Ana

--
*Ana Perić*
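A check worth running first, given the `PKCS12_pbe_crypt` / `bad decrypt` lines that precede each "Reading private key failed": those are what OpenSSL emits when an encrypted PKCS#8 key is opened with the wrong passphrase, so verify that the SCEP token's key file decrypts with the passphrase the server is configured to use. This is an added example, not code from the post or from OpenXPKI; the key filename, the passphrase and the throwaway key in the self-test are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the original post or from OpenXPKI.
# check_key_passphrase KEYFILE PASSPHRASE
# Prints one of: ok | wrong-passphrase | unreadable. Returns 0 only for ok.
check_key_passphrase() {
    key="$1"; pass="$2"
    [ -r "$key" ] || { echo unreadable; return 2; }
    # Capture only openssl's stderr; its stdout is discarded.
    if err=$(openssl pkey -in "$key" -passin "pass:$pass" -noout 2>&1 >/dev/null); then
        echo ok; return 0
    fi
    # "bad decrypt" / "pbe crypt error" = key parsed but passphrase is wrong;
    # anything else means the file itself is not a readable PEM private key.
    case "$err" in
        *"bad decrypt"*|*"pbe crypt"*|*"bad password"*) echo wrong-passphrase; return 1 ;;
        *) echo unreadable; return 2 ;;
    esac
}

# Self-test on a constructed throwaway key (assumed name scep-token.key,
# assumed passphrase "correct-horse"); prints the three outcomes in order.
selftest_key_passphrase() {
    d=$(mktemp -d) || return 2
    k="$d/scep-token.key"
    # Encrypted PKCS#8 (BEGIN ENCRYPTED PRIVATE KEY), the format that goes
    # through the PKCS12_pbe_crypt path seen in the log above.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass pass:correct-horse -out "$k" >/dev/null 2>&1 || return 2
    r1=$(check_key_passphrase "$k" correct-horse) || true
    r2=$(check_key_passphrase "$k" wrong-pass) || true
    r3=$(check_key_passphrase "$d/missing.key" anything) || true
    rm -rf "$d"
    echo "$r1 $r2 $r3"
}
```

Run `check_key_passphrase /path/to/scep-token.key 'your-passphrase'` as the same user the OpenXPKI server runs as, so that file permissions are tested along with the passphrase.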
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
