Hi OpenXPKI Team! I am playing around with your EST implementation, currently trying to understand CSR Attributes function / configuration part
So this is what I get:

root@est-virtual-machine:~# curl https://pki.example.com:443/.well-known/est/csrattrs --cacert RootCA.crt | openssl base64 -d -A | openssl asn1parse -inform DER
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    56  100    56    0     0    186      0 --:--:-- --:--:-- --:--:--   186
    0:d=0  hl=2 l=  38 cons: SEQUENCE
    2:d=1  hl=2 l=   7 prim: OBJECT            :1.3.6.1.1.1.1.22
   11:d=1  hl=2 l=   9 prim: OBJECT            :emailAddress
   22:d=1  hl=2 l=   5 prim: OBJECT            :secp384r1
   29:d=1  hl=2 l=   9 prim: OBJECT            :sha384

The first thing I wanted to do was change emailAddress to macAddress. However, after making the change here:

/etc/openxpki/config.d/realm/democa/workflow/def/est_csrattrs.yaml

I get an error:

root@est-virtual-machine:~# curl https://est.vatest.com:443/.well-known/est/csrattrs --cacert RootCA.crt | openssl base64 -d -A | openssl asn1parse -inform DER
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
Error: offset out of range
root@est:~#

==> /var/log/apache2/error.log <==
[Sun Feb 21 23:54:52.075064 2021] [fcgid:warn] [pid 1675:tid 139667566380800] [client 10.100.235.53:50180] mod_fcgid: stderr: [Sun Feb 21 23:54:52 2021] est.fcgi: Use of uninitialized value $out in substitution (s///) at /usr/lib/cgi-bin/est.fcgi line 307.
[Sun Feb 21 23:54:52.075145 2021] [fcgid:warn] [pid 1675:tid 139667566380800] [client 10.100.235.53:50180] mod_fcgid: stderr: [Sun Feb 21 23:54:52 2021] est.fcgi: Use of uninitialized value $out in substitution (s///) at /usr/lib/cgi-bin/est.fcgi line 307.

==> /var/log/apache2/other_vhosts_access.log <==
est.vetest.com:443 10.100.235.53 - - [21/Feb/2021:23:54:51 +0000] "GET /.well-known/est/csrattrs HTTP/1.1" 200 4698 "-" "curl/7.68.0"

So it simply breaks after manipulating emailAddress. I would like to know how I can modify / add more attributes? What is the correct syntax?
For example, I would like to add this OID value: 1.2.840.113549.1.9.7
OID description: Challenge Password attribute for use in signatures.

/etc/openxpki/config.d/realm/democa/workflow/def/est_csrattrs.yaml
[...]
    param:
        target_key: output
        oidlist: |
            1.3.6.1.1.1.1.22
            macAddress
            secp384r1
            sha384

        oidlist: |
            ?? 1.2.840.113549.1.9.7 ??
            ??

So far I haven't tested enrolment yet, still exploring/learning EST, so these will be just blind-shot questions: how are these attributes enforced? Do I need to create a policy? I guess the server needs to verify the presence of these attributes before proceeding with authentication/enrolment? Can these additional attributes be tied up with "individual" usernames/passwords in the form of an SQL table that is used for HTTP authentication? Could you provide some additional explanation on this please.

_____________________________________________________________
Regards,
Artur
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
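The body the curl calls above decode is, per RFC 7030 section 4.5.2, a DER SEQUENCE whose entries are either bare OBJECT IDENTIFIERs (as in the asn1parse output) or full Attribute structures. The Python below is an added example, not code from the post or from OpenXPKI: it rebuilds the 40-byte structure asn1parse printed, appends the challengePassword OID the post asks about, and parses a base64 csrattrs body back the way a client or a server-side check would. The OID list and the non-OID sample used for the negative case are constructed for this example.

```python
import base64
# Constructed from the asn1parse output in the mail above: four bare OIDs.
EST_OIDS = ["1.3.6.1.1.1.1.22",       # macAddress (LDAP attribute type)
            "1.2.840.113549.1.9.1",   # emailAddress
            "1.3.132.0.34",           # secp384r1
            "2.16.840.1.101.3.4.2.2"] # sha384
CHALLENGE_PASSWORD = "1.2.840.113549.1.9.7"   # the OID the mail asks about

def _base128(n):  # one OID arc, base-128, continuation bit on all but the last byte
    out = bytes([n & 0x7F])
    while n := n >> 7:
        out = bytes([0x80 | (n & 0x7F)]) + out
    return out
def _tlv(tag, body):  # DER tag-length-value, short- or long-form length
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body
def encode_oid(dotted):  # first two arcs share one octet: 40*a + b
    arcs = [int(a) for a in dotted.split(".")]
    return _tlv(0x06, _base128(arcs[0] * 40 + arcs[1]) + b"".join(map(_base128, arcs[2:])))
def encode_csrattrs(oids):  # CsrAttrs ::= SEQUENCE OF OID (bare-OID form); -> (DER, base64 body)
    der = _tlv(0x30, b"".join(map(encode_oid, oids)))
    return der, base64.b64encode(der).decode()
def _read_tlv(buf, pos):  # -> (tag, value bytes, offset just past this element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low bits give the number of length octets
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def decode_oid(body):
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    first = arcs.pop(0)  # first octet packs the first two arcs
    return ".".join(map(str, ([2, first - 80] if first >= 80 else [first // 40, first % 40]) + arcs))
def decode_csrattrs(b64):  # parse a csrattrs body; only bare OIDs, Attribute entries rejected
    der = base64.b64decode(b64)
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("csrattrs is not a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("only bare OID entries supported, got tag 0x%02x" % tag)
        oids.append(decode_oid(val))
    return oids
```

Whether the CA rejects a CSR that omits a listed attribute is server policy, not something the csrattrs structure itself enforces; decode_csrattrs yields the OID set such a server-side check would compare against.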