Sorry (again) to send multiple messages. I made some progress but have new
errors.
It seems even with the SQL errors, the new cert and key were loaded into
the datapool and key store.

I've verified that the new scep-2 cert does, in fact, have the right
keyUsage bits.

I'm trying to auto-approve for testing:

In Michal's GitHub filing, it sounds like Apple sends a different
self-signed cert. Could it be possible that I need to know the subject of
that cert and add it to the authorized_signer section? Not quite sure how
to determine that subject since it appears to be obfuscated in the client
logs.

I tried:

authorized_signer:
    rule1:
        # Full DN
        subject: CN=.+:pkiclient,.*
    rule2:
        # Full DN
        subject: CN=my.scep.enroller.com:generic,.*
    rule3:
        subject: CN=.*,DC=DZsec,DC=net

approval_points: 0

If I ra | issuer: endentity or chain, I get an SSL error. BUT scep.log
looks like it can interpret the request

Openxpki.log:

ERROR Error executing SCEP command 'PKIOperation':
I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ =>
34370961408:error:0B080074:x509 certificate
routines:X509_check_private_key:key values
mismatch:/usr/src/crypto/openssl/crypto/x509/x509_cmp.c:297:
34370961408:error:2107207F:PKCS7 routines:PKCS7_decrypt:private key does
not match certificate:/usr/src/crypto/openssl/crypto/pkcs7/pk7_smime.c:495:
message_static_functions.c:221: decryption failed
LibSCEP.xs:1197: scep_unwrap failed

scep.log:
2021/06/21 18:54:09 DEB Config for service scep loaded [pid=50402]
2021/06/21 18:54:09 INF SCEP handler initialized [pid=50402]
2021/06/21 18:54:09 INF Incoming request from 10.15.1.167 with GetCACaps
[pid=50402]
2021/06/21 18:54:09 DEB Response send [pid=50402]
2021/06/21 18:54:11 DEB Config for service scep loaded [pid=50404]
2021/06/21 18:54:11 INF SCEP handler initialized [pid=50404]
2021/06/21 18:54:11 INF Incoming request from 10.15.1.167 with GetCACert
[pid=50404]
2021/06/21 18:54:11 DEB Response send [pid=50404]
2021/06/21 18:54:15 DEB Config for service scep loaded [pid=50407]
2021/06/21 18:54:15 INF SCEP handler initialized [pid=50407]
2021/06/21 18:54:15 DEB Got PKIOperation via POST  [pid=50407]
2021/06/21 18:54:15 DEB Decoded SCEP message MIAG...<TRUNCATED>
[pid=50407]
2021/06/21 18:54:15 INF Incoming request from 10.15.1.167 with PKIOperation
[pid=50407]
2021/06/21 18:54:15 ERR SCEP response is empty [pid=50407]


If I use fullchain, I get the same security failed error on the clients
(MacOS and iOS).

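The `X509_check_private_key:key values mismatch` line in the openxpki.log excerpt above is OpenSSL refusing to run PKCS7_decrypt because the RA certificate configured for the scep token and the private key it was handed do not belong together, and the macOS log further down in this thread shows the client sorting the GetCACert bundle into signing and encryption certs by keyUsage. The Go program below is an added example, not code from this thread or from OpenXPKI, that reproduces both checks on a constructed throwaway PKI: a root CA, an RA cert with digitalSignature and keyEncipherment, and a deliberately mismatched key. The function names, the subjects "CA One (test)" and "scep2 (test)", and the test data are all constructed; to run the same checks against real files, a practitioner would load them with x509.ParseCertificate and x509.ParsePKCS1PrivateKey (or ParsePKCS8PrivateKey) after PEM decoding.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RAUsage is the keyUsage pair this thread says Apple's SCEP client expects on
// the RA certificate: digitalSignature plus keyEncipherment.
const RAUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment

// CheckKeyMatch reports whether priv is the private half of cert's public key.
// A false here is the condition behind OpenSSL's "key values mismatch" error.
func CheckKeyMatch(cert *x509.Certificate, priv *rsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false
	}
	return pub.Equal(&priv.PublicKey)
}

// Bundle is a GetCACert bundle sorted into roles by keyUsage, which is the
// "heuristic" the macOS CertificateService log describes.
type Bundle struct {
	CA, Signing, Encryption []*x509.Certificate
}

// ClassifyBundle sets CA certs aside and records which end-entity certs can
// verify signatures and which can decrypt the client's enveloped request.
func ClassifyBundle(certs []*x509.Certificate) Bundle {
	var b Bundle
	for _, c := range certs {
		if c.IsCA {
			b.CA = append(b.CA, c)
			continue
		}
		if c.KeyUsage&x509.KeyUsageDigitalSignature != 0 {
			b.Signing = append(b.Signing, c)
		}
		if c.KeyUsage&x509.KeyUsageKeyEncipherment != 0 {
			b.Encryption = append(b.Encryption, c)
		}
	}
	return b
}

// ValidateRA runs the checks worth doing before pointing a scep token at a new
// cert/key pair: key match, keyUsage bits, and a bundle that still carries a CA
// cert plus a usable RA cert for each role.
func ValidateRA(bundle []*x509.Certificate, ra *x509.Certificate, key *rsa.PrivateKey) error {
	if !CheckKeyMatch(ra, key) {
		return errors.New("key values mismatch: RA cert and private key do not belong together")
	}
	if ra.KeyUsage&RAUsage != RAUsage {
		return errors.New("RA cert lacks digitalSignature and/or keyEncipherment in keyUsage")
	}
	b := ClassifyBundle(bundle)
	if len(b.CA) == 0 || len(b.Signing) == 0 || len(b.Encryption) == 0 {
		return errors.New("bundle is missing a CA cert or an RA cert for signing/encryption")
	}
	return nil
}

// MakeTestPKI builds a constructed, throwaway root CA and an RA cert with the
// requested keyUsage signed by it. Test data only, not the thread's real PKI.
func MakeTestPKI(raKeyUsage x509.KeyUsage) (root, ra *x509.Certificate, raKey *rsa.PrivateKey, err error) {
	now := time.Now()
	rootKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "CA One (test)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	if root, err = x509.ParseCertificate(rootDER); err != nil {
		return nil, nil, nil, err
	}
	if raKey, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return nil, nil, nil, err
	}
	raTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "scep2 (test)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, // CA:FALSE, like the v3_scep_extensions section
		KeyUsage:              raKeyUsage,
	}
	raDER, err := x509.CreateCertificate(rand.Reader, raTmpl, root, &raKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	ra, err = x509.ParseCertificate(raDER)
	return root, ra, raKey, err
}

func main() {
	root, ra, raKey, err := MakeTestPKI(RAUsage)
	if err != nil {
		panic(err)
	}
	fmt.Println("correct pair:", ValidateRA([]*x509.Certificate{ra, root}, ra, raKey))
	wrongKey, _ := rsa.GenerateKey(rand.Reader, 2048) // simulates loading the wrong key into the datapool
	fmt.Println("wrong key:   ", ValidateRA([]*x509.Certificate{ra, root}, ra, wrongKey))
}
```

The key-match test is done on the RSA public key rather than by attempting a decryption, which is also what OpenSSL does before it touches the PKCS#7 envelope; running it on the exact files that were handed to `openxpkiadm alias` and `set_data_pool_entry` tells you whether the two commands were given the same pair before any client is involved.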

On Mon, Jun 21, 2021 at 4:15 PM, Nick Dawson <nd+openx...@nickdawson.net>
wrote:

> update:
> When I try and re-add the alias/token it tells me that it already exists.
>
> I tried to add the keys and get an SQL error:
> Error: Database error: execution of SQL query failed
>
> details:
>
> openxpkicli set_data_pool_entry --arg namespace=sys.crypto.keys --arg
> key=scep-1 --arg encrypt=1 --filearg
> value=/usr/local/etc/openxpki/ssl/dzsec/scep2.pem  --authstack
> DZsec_Operator --authuser dzsecop --authpass <very long complex pass>
> --debug
>
> Log4perl: Seems like no initialization happened. Forgot to call init()?
> 2021/06/21 16:13:49 [DEBUG]  Socketfile: /var/openxpki/openxpki.socket
> 2021/06/21 16:13:50 [DEBUG]  Session id: ru+w9N3S6xGF4iqMjmfNZQ==
> 2021/06/21 16:13:50 [DEBUG]  $VAR1 = {
>           'PARAMS' => {
>                         'AUTHENTICATION_STACKS' => {
>                                                      'DZsec_CA' => {
>
> 'LABEL' => 'DZsec_CA',
>
> 'NAME' => 'DZsec_CA',
>
> 'DESCRIPTION' => undef
>                                                                    },
>                                                      'DZsec_User' => {
>
> 'LABEL' => 'DZsec_User',
>
> 'NAME' => 'DZsec_User',
>
> 'DESCRIPTION' => 'I18N_OPENXPKI_CONFIG_AUTH_STACK_DESCRIPTION_USER'
>                                                                      },
>                                                      'DZsec_RA' => {
>
> 'NAME' => 'DZsec_RA',
>
> 'DESCRIPTION' => undef,
>
> 'LABEL' => 'DZsec_RA'
>                                                                    },
>                                                      '_System' => {
>
> 'DESCRIPTION' => undef,
>                                                                     'NAME'
> => '_System',
>
> 'LABEL' => '_System'
>                                                                   },
>                                                      'DZsec_Operator' => {
>
> 'LABEL' => 'DZsec_Operator',
>
> 'DESCRIPTION' => undef,
>
> 'NAME' => 'DZsec_Operator'
>                                                                          }
>                                                    }
>                       },
>           'SERVICE_MSG' => 'GET_AUTHENTICATION_STACK'
>         };
> 2021/06/21 16:13:50 [DEBUG]  $VAR1 = {
>           'SERVICE_MSG' => 'GET_PASSWD_LOGIN',
>           'PARAMS' => {
>                         'DESCRIPTION' =>
> 'I18N_OPENXPKI_CONFIG_AUTH_HANDLER_DESCRIPTION_PASSWORD',
>                         'NAME' => 'Operator Password'
>                       }
>         };
> 2021/06/21 16:13:50 [DEBUG]  $VAR1 = {
>           'SERVICE_MSG' => 'SERVICE_READY'
>         };
> Error: Database error: execution of SQL query failed
>
>
>
> On Mon, Jun 21, 2021 at 3:59 PM, Nick Dawson <nd+openx...@nickdawson.net>
> wrote:
>
> Thanks gents
> I saw that commit and have been anxious to try to see if adding the
> keyusage bits will help.
>
> Well, now I've broken it further :)
> TL;DR I cannot import the new SCEP cert and key into the datastore.
> 2021/06/21 15:52:51 Initialization failed - message is ERROR
> Initialization failed. Stopped at /usr/local/lib/perl5/site_perl/OpenXPKI/
> Client/Simple.pm line 310.
>
>
> I started with checking the new stuff in git and adding the following to
> my openssl.cnf
> [ v3_scep_reqexts ]
> subjectKeyIdentifier    = hash
> [ v3_scep_extensions ]
> subjectKeyIdentifier    = hash
> keyUsage                = digitalSignature, keyEncipherment
> basicConstraints        = CA:FALSE
> authorityKeyIdentifier  = keyid,issuer
>
> Then I removed the existing token
>
> openxpkiadm alias --realm dzsec --remove --alias scep-1
>
> I generated a new CSR for a new SCEP cert
>
> openssl req -verbose -config "openssl.cnf" -reqexts v3_scep_reqexts -batch
> -newkey rsa:2048  -passout pass:<long complex pass>  -keyout "scep2.pem"
> -subj "/DC=DZsec/DC=net/CN=scep2" -out "scep.csr"
> Using configuration from openssl.cnf
> Generating a RSA private key
> ...........................................+++++
>
> ..............................................................................................................................................................................+++++
> writing new private key to 'scep2.pem'
> -----
>
> I verified it is using a new subject name, but I don't see the key usage
> flags reflected...
>
> openssl req -text -noout -verify -in ./scep.csr
>
> verify OK
> Certificate Request:
>     Data:
>         Version: 1 (0x0)
>         Subject: DC = DZsec, DC = net, CN = scep2
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 RSA Public-Key: (2048 bit)
>                 Modulus:
>
>         Attributes:
>         Requested Extensions:
>             X509v3 Subject Key Identifier:
>
> I signed the CSR and generated a new cert
>
> openssl ca -in scep.csr  -config openssl.cnf -extensions
> v3_scep_extensions  -keyfile "$BASE/ca-root-1.pem" -cert
> "$BASE/ca-root-1.crt" -out "$BASE/ca-one-scep-2.crt" -batch -passin
> pass:<long complex pass> -outdir ./
> Using configuration from openssl.cnf
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> domainComponent       :IA5STRING:'DZsec'
> domainComponent       :IA5STRING:'net'
> commonName            :ASN.1 12:'scep2'
> Certificate is to be certified until Jan  7 21:52:35 2023 GMT (565 days)
>
> Write out database with 1 new entries
> Data Base Updated
>
> I tried to import into OpenXPKI but it fails. I've verified file
> ownerships and paths.
>
> openxpkiadm alias --realm dzsec --token scep --file
> /usr/local/etc/openxpki/ssl/dzsec/ca-one-scep-2.crt --key
> /usr/local/etc/openxpki/ssl/dzsec/scep2.pem
>
> 2021/06/21 15:52:51 Initialization failed - message is ERROR
> Initialization failed. Stopped at /usr/local/lib/perl5/site_perl/OpenXPKI/
> Client/Simple.pm line 310.
>
>
>
>
> On Sun, Jun 20, 2021 at 2:11 AM, Oliver Welter <m...@oliwel.de> wrote:
>
> Hi Nick,
>
> Michal created a ticket https://github.com/openxpki/openxpki-config/issues/14
> saying that SCEP on Apple expects the proper keyUsage bits set, which we did
> not on older sample configs, so might this be the problem in your setup, too?
>
> Oliver
>
> On 18.06.21 at 18:54, Nick Dawson wrote:
>
> Thanks gents!
> I'm finding some interesting things on different platforms.
>
> Summary: MacOS 11 reports a security error after it retrieves the SCEP and
> CA certs.  iOS 14 simply fails. iOS 15 is a little more descriptive: "The
> Registration Authority’s response is invalid", and MacOS 12 fails with the
> same error as MacOS 11.
>
> OpenXPKI SCEP log:
> 2021/06/18 10:51:04 DEB Config for service scep loaded [pid=30304]
> 2021/06/18 10:51:04 INF SCEP handler initialized [pid=30304]
> 2021/06/18 10:51:04 INF Incoming request from 10.15.1.153 with GetCACaps
> [pid=30304]
> 2021/06/18 10:51:04 DEB Response send [pid=30304]
> 2021/06/18 10:51:05 DEB Config for service scep loaded [pid=30306]
> 2021/06/18 10:51:05 INF SCEP handler initialized [pid=30306]
> 2021/06/18 10:51:05 INF Incoming request from 10.15.1.153 with GetCACert
> [pid=30306]
> 2021/06/18 10:51:05 DEB Response send [pid=30306]
>
>
> MacOS:
> default 10:37:47.912045-0600 CertificateService
> [1366478549:Cert_PI:HTTPUtil:<0x66d303>] >>>>> Sending HTTP request (GET)
> [SCEP:GetCACert] >>>>>
> default 10:37:48.661191-0600 CertificateService
> [1366478549:Cert_PI:HTTPUtil:<0x66d303>] <<<<< Received HTTP response (200)
> [SCEP:GetCACert] <<<<<
> default 10:37:48.661886-0600 CertificateService ProcessGetCACertResponse:
> Content-Type: 'application/x-x509-ca-ra-cert'
> default 10:37:48.661978-0600 CertificateService ProcessGetCACertResponse:
> application/x-x509-ca-ra-cert; err = errSecCertificateCannotOperate
> default 10:37:48.662168-0600 CertificateService ProcessGetCACertResponse:
> CFArrayGetCount(returnedCerts) > 1
> default 10:37:48.662254-0600 CertificateService SortAndSetCACertificates:
> (CFArrayGetCount(returnedCerts) = 3
> default 10:37:48.662409-0600 CertificateService SortAndSetCACertificates:
> use heuristics to determine which is which, namely find the encryption and
> signature certificates
> default 10:37:48.662482-0600 CertificateService SortAndSetCACertificates:
> certs[0]
> default 10:37:48.666002-0600 CertificateService SortAndSetCACertificates:
> certs[1]
> default 10:37:48.666450-0600 CertificateService SortAndSetCACertificates:
> certs[2]
> error 10:37:48.666852-0600 CertificateService ProcessGetCACertResponse:
> session->caCert == NULL
> error 10:37:48.667010-0600 CertificateService [ERROR] <: [MDM_SCEP_Enroll]
> Calling SCEPGetCACert.  CA Ident: CA One -->  <NSOSStatusErrorDomain:-67817>
> error 10:37:48.820130-0600 com.apple.preferences.configurationprofiles.
> remoteservice [ERROR] Profile installation (scep test
> (andesite.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2:361796F2-11EC-41D8-8F2C-E9648FE4EF1E))
> ( <NSOSStatusErrorDomain:-67817>)
> default 10:37:49.443017-0600 AssetCache Notification user info: {
>     ProfileAction = Remove;
>     ProfileTypes =     (
>         "com.apple.security.scep"
>     );
>     ProfileUUID = "361796F2-11EC-41D8-8F2C-E9648FE4EF1E";
>     ProfileUserUID = 1366478549;
>     ProfileUsername = ndawson;
> }
> default 10:49:53.207134-0600 Finder Trying to issue sandbox extension for
> /Users/ndawson/Library/Mobile
> Documents/iCloud~com~apple~configurator~ui/Documents/scep test.mobileconfig
> default 10:49:53.207235-0600 Finder Successfully issued sandbox extension
> for /Users/ndawson/Library/Mobile
> Documents/iCloud~com~apple~configurator~ui/Documents/scep test.mobileconfig
>
>
>
> iOS:
>
> error 10:31:21.622518-0600 profiled Cannot retrieve SCEP identity: NSError:
> Desc   : The Registration Authority’s response is invalid.
> US Desc: The Registration Authority’s response is invalid.
> Domain : MCSCEPErrorDomain
> Code   : 22003
> Type   : MCFatalError
> error 10:31:21.622745-0600 profiled Installation of profile
> “andesite.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2” failed with error: NSError:
> Desc   : The profile “scep test” could not be installed.
> Sugg   : The Registration Authority’s response is invalid.
> US Desc: The profile “scep test” could not be installed.
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCProfileErrorDomain
> Code   : 1009
> Type   : MCFatalError
> Params : (
>     "scep test"
> )
> ...Underlying error:
> NSError:
> Desc   : The Registration Authority’s response is invalid.
> US Desc: The Registration Authority’s response is invalid.
> Domain : MCSCEPErrorDomain
> Code   : 22003
> Type   : MCFatalError
> Extra info:
> {
>     isPrimary = 1;
> }
> error 10:31:21.623296-0600 profiled Profile
> “andesite.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2” failed to install with
> error: NSError:
> Desc   : Profile Failed to Install
> Sugg   : The Registration Authority’s response is invalid.
> US Desc: Profile Failed to Install
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCInstallationErrorDomain
> Code   : 4001
> Type   : MCFatalError
> ...Underlying error:
> NSError:
> Desc   : The profile “scep test” could not be installed.
> Sugg   : The Registration Authority’s response is invalid.
> US Desc: The profile “scep test” could not be installed.
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCProfileErrorDomain
> Code   : 1009
> Type   : MCFatalError
> Params : (
>     "scep test"
> )
> ...Underlying error:
> NSError:
> Desc   : The Registration Authority’s response is invalid.
> US Desc: The Registration Authority’s response is invalid.
> Domain : MCSCEPErrorDomain
> Code   : 22003
> Type   : MCFatalError
> Extra info:
> {
>     isPrimary = 1;
> }
> error 10:31:21.667570-0600 profiled Installation failed. Error: NSError:
> Desc   : Profile Installation Failed
> Sugg   : The Registration Authority’s response is invalid.
> US Desc: Profile Installation Failed
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCInstallationErrorDomain
> Code   : 4001
> Type   : MCFatalError
> ...Underlying error:
> NSError:
> Desc   : Profile Failed to Install
> Sugg   : The Registration Authority’s response is invalid.
> US Desc: Profile Failed to Install
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCInstallationErrorDomain
> Code   : 4001
> Type   : MCFatalError
> ...Underlying error:
> NSError:
> Desc   : The profile “scep test” could not be installed.
> Sugg   : The Registration Authority’s response is invalid.
> US Desc: The profile “scep test” could not be installed.
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCProfileErrorDomain
> Code   : 1009
> Type   : MCFatalError
> Params : (
>     "scep test"
> )
> ...Underlying error:
> NSError:
> Desc   : The Registration Authority’s response
>
>
>
>
> On Fri, Jun 18, 2021 at 12:46 AM, Michal Moravec <michal.moravec@
> logicworks.cz> wrote:
>
> Hey Nick,
>
> do you have this problem with iOS or macOS?
>
> I spent a lot of time this year trying to use SCEP directly between Apple
> systems and OpenXPKI.
>
> There are bugs in macOS 11 and earlier preventing this.
> Apple fixed all of the bugs I reported in macOS 12. I’ve tested with the first
> beta and can confirm.
>
> I was unable to persuade the iOS SCEP client to accept CA certificates from
> OpenXPKI.
> The SCEP client bailed out before even trying to request the certificate.
> Apple also stated they fixed this problem, but currently I don’t have an iOS
> device to run beta iOS so I can’t test.
>
> Michal Moravec
> Sent from my iPhone
>
> On 17. 6. 2021, at 23:50, Nick Dawson <nd+openx...@nickdawson.net> wrote:
>
> 
> hey OpenXPKI friends,
> I've been struggling with SCEP and could use some help. I have SCEP set up
> using the default config. When I use sscep I can get the capabilities and
> get the CA certs. sscep downloads 3 certs (the scep cert, the CA cert, and
> the root cert).  I have fullchain set in the config so that seems correct.
>
> On Apple devices, I'm attempting to install a profile. On OpenXPKI, the
> logs show the apple devices trying to get the CA. The server sends the
> certs. And then the apple devices fail.
>
> Specifically, apple devices return:  errSecCertificateCannotOperate
> (which is error: -67817).
>
> I've tried capturing the exact url queries from the webserver's access
> logs. When I paste them into a browser, it downloads a file called
> "untitled". When I examine untitled with OpenSSL, I can see that it is a
> pkcs7 bundle of the three certs.
>
> Could it be as simple as needing a better filename like untitled.p7? And,
> if so, where would I set that in OpenXPKI's config files? I didn't see
> anything in the scep or enrollment files.
>
> Or, might this be a different issue? Does anyone have experience with
> Apple devices and OpenXPKI's SCEP implementation? Any tips or tricks?
>
> thanks!
>
>
>
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
>
>
>
>
>
>
> --
> Protect your environment -  close windows and adopt a penguin!
>
>
>