Hello, I am trying to get the macOS SCEP client to work with OpenXPKI.

I've already overcome two major hurdles:

1. making the client select the right certificate to encrypt the payload
   https://github.com/openxpki/openxpki-config/issues/14
2. modifying the enrollment workflow to bypass ONBEHALF checks

Right now I am in the phase where OpenXPKI (Signing CA) signs the client certificate and sends it back to the macOS SCEP client (200 OK). However, the macOS SCEP client does not like something and fails to use it. Being a black box, it is hard to determine what exactly went wrong. However, there are these errors in the macOS system log:

> CertificateService: (SCEP) [com.apple.SCEP:SCEP.fw] Decrypting response payload
> CertificateService: (SCEP) [com.apple.SCEP:SCEP.fw] SCEP: (failureInfo == NULL) && (receipientNonce == NULL || !CFEqual(senderNonce, receipientNonce))
> CertificateService: (SCEP) [com.apple.SCEP:SCEP.fw] ProcessRequestCertSignatureResponse: ValidateReplyAttrs returned: -67686 SCEP: (failureInfo == NULL) && (receipientNonce == NULL || !CFEqual(senderNonce, receipientNonce))

This is interesting. Could this be a problem with the nonce field?

PKIOperation POST message nonce:

> 2496   24: SEQUENCE {
> 2498   10:   OBJECT IDENTIFIER senderNonce (2 16 840 1 113733 1 9 5)
> 2510   10:   SET {
> 2512    8:     OCTET STRING C4 32 33 C5 54 54 74 55
>          :     }
>          :   }

PKIOperation response nonce:

> 3711   32: SEQUENCE {
> 3713   10:   OBJECT IDENTIFIER senderNonce (2 16 840 1 113733 1 9 5)
> 3725   18:   SET {
> 3727   16:     OCTET STRING C4 32 33 C5 54 54 74 55 00 00 00 00 00 00 00 00
>          :     }
>          :   }
> 3745   32: SEQUENCE {
> 3747   10:   OBJECT IDENTIFIER recipientNonce (2 16 840 1 113733 1 9 6)
> 3759   18:   SET {
> 3761   16:     OCTET STRING C4 32 33 C5 54 54 74 55 00 00 00 00 00 00 00 00
>          :     }
>          :   }

This looks like the macOS client is sending only an 8-byte nonce and does not like the copy in the proper 16-byte response.

I tested my suspicion with a working SCEP setup (Profile Manager MDM):

(MDM) PKIOperation POST message nonce:

> 2807   24: SEQUENCE {
> 2809   10:   OBJECT IDENTIFIER senderNonce (2 16 840 1 113733 1 9 5)
> 2821   10:   SET {
> 2823    8:     OCTET STRING EF 94 4D 58 EC 6B DE 76
>          :     }
>          :   }

(MDM) PKIOperation response nonce:

> 2764   24: SEQUENCE {
> 2766   10:   OBJECT IDENTIFIER recipientNonce (2 16 840 1 113733 1 9 6)
> 2778   10:   SET {
> 2780    8:     OCTET STRING EF 94 4D 58 EC 6B DE 76
>          :     }
>          :   }
> 2820   32: SEQUENCE {
> 2822   10:   OBJECT IDENTIFIER senderNonce (2 16 840 1 113733 1 9 5)
> 2834   18:   SET {
> 2836   16:     OCTET STRING 6A 43 AA 9A 23 74 5F D7 31 94 BB 5B 89 7C 82 D4
>          :     }
>          :   }

This works OK. Damn you Apple. Why can't you follow the RFC!

I tried to test also with other MDMs, but they do SCEP over TLS.

I would like to verify this with OpenXPKI, but I need to get the 8-byte recipientNonce back from the server. I tried to compile and install my own libscep.so with NONCE_LENGTH set to 8. However, doing so I broke something else, since PKIOperation.pm is unable to determine the message type:

> openxpki.application.INFO LibSCEP PKIOperation; message type: [pid=1670|sid=mP9+]

The client then gets an empty response with failInfo == 2 (badRequest), but senderNonce and recipientNonce are exactly the same 8 bytes which the client sent.

Could anyone from the dev team help me with this? Is it possible to make libscep work with an 8-byte nonstandard nonce?

-> If it is possible, I might be able to confirm/disprove my suspicion.
-> If my suspicion is true, I could create a bug report for Apple.

Best Regards
Michal Moravec

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
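The nonce comparison behind the quoted log line, as an added example that is not part of the original message, of OpenXPKI or of libscep: a small pure-Python DER encoder/parser for the SCEP nonce attributes (SEQUENCE { OID, SET { OCTET STRING } }, the shape of the dumpasn1 output above) and a validator that mirrors the client-side condition quoted from the macOS log, `failureInfo == NULL && (recipientNonce == NULL || senderNonce != recipientNonce)`. The 8-byte nonce value is the one from the post; the zero-padded 16-byte reply and the 8-byte echoed reply are reconstructed from the two dumps, and the 16-byte senderNonce in the echoed reply is a constructed sample. All function names are this example's own.

```python
"""Check SCEP pkiMessage nonce attributes byte-for-byte (added example)."""

# Attribute OIDs as printed in the dumpasn1 output in the post.
OID_SENDER_NONCE = "2.16.840.1.113733.1.9.5"
OID_RECIPIENT_NONCE = "2.16.840.1.113733.1.9.6"

# Values taken from / reconstructed from the post's dumps.
NONCE_8 = bytes.fromhex("C43233C554547455")        # what the macOS client sent
NONCE_16_PADDED = NONCE_8 + bytes(8)               # what the 16-byte reply carried
CONSTRUCTED_SERVER_NONCE = bytes(range(16))        # constructed sample senderNonce


def _encode_len(n):
    """DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _encode_oid(dotted):
    """Dotted OID string -> DER OID content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _tlv(tag, body):
    return bytes([tag]) + _encode_len(len(body)) + body


def encode_nonce_attr(oid, nonce):
    """SEQUENCE { OID, SET { OCTET STRING nonce } }, exactly the layout in the dumps."""
    return _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x31, _tlv(0x04, nonce)))


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element) for one DER element."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_nonce_attrs(der):
    """Map OID -> OCTET STRING value for every attribute in a concatenated DER blob."""
    attrs, pos = {}, 0
    while pos < len(der):
        tag, seq, pos = _read_tlv(der, pos)
        if tag != 0x30:
            raise ValueError("expected SEQUENCE at attribute start")
        otag, oid_body, p = _read_tlv(seq, 0)
        stag, set_body, _ = _read_tlv(seq, p)
        vtag, value, _ = _read_tlv(set_body, 0)
        if otag == 0x06 and stag == 0x31 and vtag == 0x04:
            attrs[_decode_oid(oid_body)] = value
    return attrs


def validate_reply_nonces(request_der, response_der, failure_info=None):
    """True when a successful reply echoes the request's senderNonce byte-for-byte
    as recipientNonce (the condition quoted from the macOS log); a failure reply
    is not held to that check, matching the `failureInfo == NULL` guard."""
    if failure_info is not None:
        return True
    sender = parse_nonce_attrs(request_der).get(OID_SENDER_NONCE)
    recipient = parse_nonce_attrs(response_der).get(OID_RECIPIENT_NONCE)
    return recipient is not None and recipient == sender


def demo():
    """Run both replies from the post against the same 8-byte request."""
    request = encode_nonce_attr(OID_SENDER_NONCE, NONCE_8)
    padded_reply = (encode_nonce_attr(OID_SENDER_NONCE, NONCE_16_PADDED)
                    + encode_nonce_attr(OID_RECIPIENT_NONCE, NONCE_16_PADDED))
    echoed_reply = (encode_nonce_attr(OID_RECIPIENT_NONCE, NONCE_8)
                    + encode_nonce_attr(OID_SENDER_NONCE, CONSTRUCTED_SERVER_NONCE))
    return {"padded": validate_reply_nonces(request, padded_reply),   # False
            "echoed": validate_reply_nonces(request, echoed_reply)}   # True


if __name__ == "__main__":
    print(demo())
```

The encoder reproduces the element lengths shown in the dumps (24-byte SEQUENCE with an 8-byte nonce, 32-byte SEQUENCE with a 16-byte one), so the comparison runs on the same bytes the client saw: the zero-padded copy fails the equality test, the plain 8-byte echo passes it.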