Hello Artur,

Whatever you place in this workflow config is handed over (almost)
unchanged to "openssl asn1parse -genconf". My first guess (without
checking this) would be that openssl does not know the verbose label
"macAddress", so you might want to try the raw OID instead?

The EST enrollment itself does not use those attributes at the moment,
so there is no check or enforcement on this - you need to add those
validations to the enrollment workflow yourself.

Oliver

On 22.02.21 at 01:38, Artur Wachowski via OpenXPKI-users wrote:
>
> Hi OpenXPKI Team!
>
>  
>
> I am playing around with your EST implementation, currently trying to
> understand CSR Attributes function / configuration part
>
>  
>
> So this is what I get:
>
>  
>
> root@est-virtual-machine:~# curl https://pki.example.com:443/.well-known/est/csrattrs --cacert RootCA.crt | openssl base64 -d -A | openssl asn1parse -inform DER
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
> 100    56  100    56    0     0    186      0 --:--:-- --:--:-- --:--:--   186
>     0:d=0  hl=2 l=  38 cons: SEQUENCE
>     2:d=1  hl=2 l=   7 prim: OBJECT            :1.3.6.1.1.1.1.22
>    11:d=1  hl=2 l=   9 prim: OBJECT            :emailAddress
>    22:d=1  hl=2 l=   5 prim: OBJECT            :secp384r1
>    29:d=1  hl=2 l=   9 prim: OBJECT            :sha384
>
>  
>
> The first thing I wanted to do was change emailAddress to macAddress;
> however, after making the change here
>
>  
>
> /etc/openxpki/config.d/realm/democa/workflow/def/est_csrattrs.yaml
>
>  
>
> I get an error
>
>  
>
> root@est-virtual-machine:~# curl https://est.vatest.com:443/.well-known/est/csrattrs --cacert RootCA.crt | openssl base64 -d -A | openssl asn1parse -inform DER
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
> Error: offset out of range
>
>  
>
> root@est:~#
>
> ==> /var/log/apache2/error.log <==
> [Sun Feb 21 23:54:52.075064 2021] [fcgid:warn] [pid 1675:tid 139667566380800] [client 10.100.235.53:50180] mod_fcgid: stderr: [Sun Feb 21 23:54:52 2021] est.fcgi: Use of uninitialized value $out in substitution (s///) at /usr/lib/cgi-bin/est.fcgi line 307.
> [Sun Feb 21 23:54:52.075145 2021] [fcgid:warn] [pid 1675:tid 139667566380800] [client 10.100.235.53:50180] mod_fcgid: stderr: [Sun Feb 21 23:54:52 2021] est.fcgi: Use of uninitialized value $out in substitution (s///) at /usr/lib/cgi-bin/est.fcgi line 307.
>
> ==> /var/log/apache2/other_vhosts_access.log <==
> est.vetest.com:443 10.100.235.53 - - [21/Feb/2021:23:54:51 +0000] "GET /.well-known/est/csrattrs HTTP/1.1" 200 4698 "-" "curl/7.68.0"
>
>  
>
> So it simply breaks after changing emailAddress.
>
>  
>
> I would like to know how I can modify or add more attributes. What is
> the correct syntax?
>
>  
>
> For example, I would like to add this
>
> *OID value:* 1.2.840.113549.1.9.7
>
> *OID description:*
> Challenge Password attribute for use in signatures.
>
>  
>
> /etc/openxpki/config.d/realm/democa/workflow/def/est_csrattrs.yaml
>
> […]
>         param:
>           target_key: output
>           oidlist: |
>             1.3.6.1.1.1.1.22
>             macAddress
>             secp384r1
>             sha384
>           oidlist: | ??
>             1.2.840.113549.1.9.7
>            ??
>            ??
>
>  
>
> So far I haven't tested enrolment yet; I am still exploring/learning EST,
> so these will just be blind-shot questions:
>
>  
>
> How are these attributes enforced? Do I need to create a policy? I
> guess the server needs to verify the presence of these attributes before
> proceeding with authentication/enrolment?
>
>  
>
> Can these additional attributes be tied to "individual"
> usernames/passwords in the form of an SQL table that is used for HTTP
> authentication? Could you provide some additional explanation on this,
> please?
>
>  
>
>  
>
> _____________________________________________________________
>
> *Regards,*
>
> *Artur*
>
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users


-- 
Protect your environment -  close windows and adopt a penguin! 

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
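An added example, not code from this thread or from OpenXPKI: a small Python model of the pieces under discussion. It assumes a constructed label table in place of openssl's own object table, builds the CsrAttrs DER (a SEQUENCE of OBJECT IDENTIFIERs, matching the asn1parse output above) from the text of an oidlist parameter, accepts a raw dotted OID such as 1.3.6.1.1.1.1.22 while rejecting the unresolved label macAddress, parses the blob back, and shows the presence check that, as Oliver notes, the enrollment workflow has to perform itself. It does not call openssl; the function names and the sample CSR attribute set are assumptions.

```python
"""CsrAttrs helper: build the DER blob an EST /csrattrs endpoint returns,
parse it back, and check a CSR's attribute OIDs against it.
Added example for this thread; not OpenXPKI code, and openssl is not called.
"""

# Constructed label -> dotted-OID table standing in for openssl's object
# table. "macAddress" is deliberately absent: only its raw dotted form
# (1.3.6.1.1.1.1.22) is accepted, which is the behaviour the thread suspects.
KNOWN_OIDS = {
    "emailAddress": "1.2.840.113549.1.9.1",
    "challengePassword": "1.2.840.113549.1.9.7",
    "secp384r1": "1.3.132.0.34",
    "sha384": "2.16.840.1.101.3.4.2.2",
}


def _base128(n: int) -> bytes:
    """Encode one OID arc in base 128 with continuation bits."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06) for a dotted OID string."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    body = _base128(arcs[0] * 40 + arcs[1])
    body += b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _der_len(len(body)) + body


def resolve(entry: str) -> str:
    """Pass a dotted OID through; resolve a label only if the table knows it."""
    entry = entry.strip()
    parts = entry.split(".")
    if len(parts) >= 2 and all(p.isdigit() for p in parts):
        return entry
    if entry in KNOWN_OIDS:
        return KNOWN_OIDS[entry]
    raise ValueError(f"unknown OID label {entry!r}; use the dotted form instead")


def build_csrattrs(oidlist: str) -> bytes:
    """CsrAttrs ::= SEQUENCE OF OBJECT IDENTIFIER, built from the
    newline-separated text of an oidlist parameter (blank lines ignored)."""
    oids = [resolve(line) for line in oidlist.splitlines() if line.strip()]
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER: length runs past end of data")
    return tag, data[pos:end], end


def decode_oid(body: bytes) -> str:
    """Dotted string for the content octets of an OBJECT IDENTIFIER."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def parse_csrattrs(der: bytes) -> list:
    """Dotted OIDs in a CsrAttrs blob. Only bare OID entries are handled; a
    full Attribute SEQUENCE element (also allowed by RFC 7030) is rejected."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CsrAttrs must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError(f"unsupported element tag 0x{tag:02x}")
        oids.append(decode_oid(body))
    return oids


def missing_attributes(csr_attr_oids, required_oids) -> list:
    """The check the enrollment workflow must do itself: which required
    attribute OIDs are absent from the attributes the CSR actually carries."""
    present = set(csr_attr_oids)
    return [oid for oid in required_oids if oid not in present]


if __name__ == "__main__":
    der = build_csrattrs("1.3.6.1.1.1.1.22\nemailAddress\nsecp384r1\nsha384\n")
    print(der.hex(), parse_csrattrs(der))
    # Constructed: attribute OIDs found in a hypothetical incoming CSR.
    csr_attrs = ["1.3.6.1.1.1.1.22"]
    print("missing:", missing_attributes(csr_attrs, ["1.3.6.1.1.1.1.22", "1.2.840.113549.1.9.7"]))
```

Run as-is it prints the 40-byte blob (the 38-byte SEQUENCE seen in the asn1parse output above, plus its 2-byte header) and a missing challengePassword for the constructed CSR; feeding it "macAddress" raises, which is the failure mode Oliver's guess points at.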
