Hi Michal,

Workspace ONE problem?
Check this out:

- https://github.com/openxpki/libscep/pull/5
- https://github.com/openssl/openssl/issues/14927

This is exactly my problem, thanks for the link!


M

On 23. 6. 2021, at 14:12, Claas Hilbrecht <claas-pool.openx...@linum.com> wrote:

Hi,

I've struggled with this a year ago. You need to change some settings in different files to make it work. If time permits I will try later today to collect everything I remember.

BTW, if you try this with Workspace ONE it fails since 24.03.2021 because of a breaking change made by VMware. I still try to figure out what exactly has changed.

Could you post your mobileconfig file, all CA certificates currently in use and your OpenXPKI configuration?

MM


On 22. 6. 2021, at 22:37, Nick Dawson <nd+openx...@nickdawson.net> wrote:

Thanks! That helped and I learned a lot about the datapool and keys.

update:
Success with SSCEP. It worked. Apple devices now fail with an invalid CSR error.

sscep:

Apple devices:
openxpki.log

2021/06/22 14:28:46 ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ => message_static_functions.c:238: Not valid CSR after decrpytion
LibSCEP.xs:1197: scep_unwrap failed
34370961408:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:/usr/src/crypto/openssl/crypto/asn1/a_object.c:254: 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=object, Type=X509_NAME_ENTRY 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615: 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615: 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=subject, Type=X509_REQ_INFO 34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=req_info, Type=X509_REQ
[pid=57435|sid=aCoa]

I captured the CSR in scep.log and decoded it:

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 1 (0x1)
   Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=MDM SCEP SIGNER E9BD4746-3B6A-4A50-8F99-F78A422D3DDF, C=US
       Validity
           Not Before: Jun 22 20:18:47 2021 GMT
           Not After : Jun 22 20:18:47 2022 GMT
        Subject: CN=MDM SCEP SIGNER E9BD4746-3B6A-4A50-8F99-F78A422D3DDF, C=US
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
               Modulus:
             Truncated
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Key Usage: critical
               Digital Signature, Key Encipherment
           X509v3 Extended Key Usage: critical
               TLS Web Client Authentication
   Signature Algorithm: sha256WithRSAEncryption
       Truncated
-----BEGIN CERTIFICATE-----
Truncated
-----END CERTIFICATE-----

My rules in generic.yaml

workflow:
   type: certificate_enroll
   param:
       # key: name in workflow context, value: parameter from scep wrapper
       # server and interface are always set, the mapping below is
       # the default set that is used when no map is given
       transaction_id: transaction_id
       signer_cert: signer_cert
       pkcs10: pkcs10
       _url_params: url_params
       #_pkcs7: pkcs7

authorized_signer:
   rule1:
       # Full DN
       #subject: CN=.+:pkiclient,.*
       subject: .*,CN=US
    rule2:
        # Full DN
        subject: CN=my.scep.enroller.com:generic,.*
    rule3:
        # Attempt match on Apple CSRs
        subject: CN=MDM.+.*
policy:

   allow_man_authen: 1
   allow_anon_enroll: 0
   allow_man_approv: 1
   allow_eligibility_recheck: 0
   approval_points: 0
   max_active_certs: 1
   auto_revoke_existing_certs: 1
   allow_replace: 1

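As an added check (not code from the thread or from OpenXPKI), the following Python applies the three authorized_signer patterns posted above to candidate signer DNs, including the subject of the decoded Apple signer certificate, and reports which rule accepts each one. Since that signer certificate is self-signed (issuer equals subject), the subject pattern is what identifies the requester, so it is worth seeing exactly which DNs each pattern lets through. It assumes OpenXPKI evaluates each pattern as an unanchored Perl-style regex against the signer subject rendered as an RFC 2253 string; the rule2 host is the poster's placeholder and the non-Apple DNs are constructed.

```python
import re

# Rules copied from the generic.yaml posted above. Matching semantics are
# an assumption: each pattern is applied as an unanchored Perl-style regex
# to the signer certificate's subject DN as an RFC 2253 string.
AUTHORIZED_SIGNER_RULES = {
    "rule1": r".*,CN=US",
    "rule2": r"CN=my.scep.enroller.com:generic,.*",  # unescaped dots match any char
    "rule3": r"CN=MDM.+.*",
}

# Subject of the self-signed signer certificate decoded in the thread.
APPLE_SIGNER_DN = "CN=MDM SCEP SIGNER E9BD4746-3B6A-4A50-8F99-F78A422D3DDF,C=US"


def matching_rules(subject_dn, rules=AUTHORIZED_SIGNER_RULES):
    """Names of every rule whose pattern matches the given subject DN."""
    return [name for name, pattern in rules.items()
            if re.search(pattern, subject_dn)]


def is_authorized(subject_dn, rules=AUTHORIZED_SIGNER_RULES):
    """True when at least one authorized_signer rule accepts the DN."""
    return bool(matching_rules(subject_dn, rules))


def rule_report(subject_dns, rules=AUTHORIZED_SIGNER_RULES):
    """Map each candidate DN to the rules that accept it, for review."""
    return {dn: matching_rules(dn, rules) for dn in subject_dns}


if __name__ == "__main__":
    candidates = [
        APPLE_SIGNER_DN,
        "CN=my.scep.enroller.com:generic,O=Example",  # constructed
        "CN=sscep-client,C=US",                        # constructed
    ]
    for dn, hits in rule_report(candidates).items():
        print(f"{dn:70} -> {hits or 'no rule matches'}")
```

Running it shows that rule1 as written only accepts DNs containing a literal `,CN=US` component, so a DN ending in `,C=US` is accepted only if another rule matches it.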

On Mon, Jun 21, 2021 at 11:57 PM, Oliver Welter <m...@oliwel.de> wrote:

Hi Nick,

On 22.06.21 at 03:08, Nick Dawson wrote:

If I ra | issuer: endentity or chain, I get an SSL error. BUT scep.log looks like it can interpret the request

Openxpki.log:

ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ => 34370961408:error:0B080074:x509 certificate
routines:X509_check_private_key:key values
mismatch:/usr/src/crypto/openssl/crypto/x509/x509_cmp.c:297: 34370961408:error:2107207F:PKCS7 routines:PKCS7_decrypt:private key does not match certificate:/usr/src/crypto/openssl/crypto/pkcs7/pk7_smime.c:495: message_static_functions.c:221: decryption failed
LibSCEP.xs:1197: scep_unwrap failed

This sounds as if you have now finally broken your SCEP setup - if you really ignored the SQL errors (and have created a new key) then your cert and key do not match, so you get a crypto error. All logs you have shown are far away from an enrollment request where we have to work around the "signer cert" problem.

I suggest you just create a new token (key and cert) and import it again; this should create a new SCEP token alias with a new generation number. Make sure your DataVault token is operational before you try loading the key!

Oliver

--
Protect your environment - close windows and adopt a penguin!

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users











--
 http://www.linum.com mailto:claas.hilbre...@linum.com
 Linum Software GmbH, Langer Wall 5, 37574 Einbeck, Germany
 Tel: +49-5561-926730 Fax: +49-5561-926750
Commercial register: Amtsgericht Göttingen HRB 131128 / Managing Director Claas-Jörg Hilbrecht


