Hi James, Bernd,

there is already a ticket open for this https://github.com/openxpki/openxpki/issues/789

@Bernd: To me the error message looks more like a problem in the PKCS7 envelope structure, so I don't think that this is the problem, and the mentioned header should be sent.

As we are working on a full rewrite of the SCEP engine for the (likely) next but one release, I would appreciate it if you could help us with some test effort on this topic.

best regards

Oliver

On 11.08.21 at 11:14, Bernd Krietenstein wrote:
Hi James,

I had a similar problem yesterday using sscep, though in my case it was OpenXPKI that complained about a missing HTTP header "Content-Type". It looks like JSCEP expects this HTTP header in OpenXPKI's reply. Can you check if the header is present in the reply (use Wireshark on Windows or tcpdump on Linux)?

According to RFC 8894, the reply should have Content-Type: application/x-pki-message:

    4.3.1.  Certificate Enrolment/Renewal Response Message

       If the request is granted, a CertRep SUCCESS message
       (Section 3.3.2.1) is returned.  If the request is rejected, a CertRep
       FAILURE message (Section 3.3.2.2) is returned.  If the CA is
       configured to manually authenticate the client, a CertRep PENDING
       message (Section 3.3.2.3) MAY be returned.  The CA MAY return a
       PENDING for other reasons.

       The response will have a Content-Type of "application/x-pki-message".

       "Content-Type: application/x-pki-message"

       <binary CertRep message>

I will check this in my tests, too.

Best Regards,

Bernd

Software Development

14DS3 Softwareplatform III

Corporate R&D

Rohde & Schwarz GmbH & Co. KG

Muehldorfstrasse 15 | 81671 Munich | Germany

Internet: https://www.rohde-schwarz.com


From: James Ervin <james.er...@hypori.com>
Sent: Tuesday, August 10, 2021 3:51 PM
To: OpenXPKI-users@lists.sourceforge.net
Subject: *EXT* [Newsletter] [OpenXPKI-users] Bouncy Castle won't verify a signed cert coming back from OpenXPKI

Hello,

I am working on a feature to support SCEP in our product.  I have a problem where I can get OpenXPKI set up (using the Docker container – very nice BTW), and I am using the JSCEP library to send a CSR to OpenXPKI.  The CSR is below (it is test data):

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

The cert returned fails when JSCEP tries to verify the certificate (verify the signature I believe).  I get the following error message: Reason: org.jscep.message.MessageDecodingException: org.bouncycastle.cms.CMSException: The content-type attribute type MUST be present whenever signed attributes are present in signed-data

This is the encoded cert I get back from OpenXPKI:

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

OpenXPKI is returning a 200 on that HTTP call, so it thinks things are fine, any ideas?

*James E. Ervin*

Senior Software Engineer


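The Bouncy Castle message James quotes ("The content-type attribute type MUST be present whenever signed attributes are present in signed-data") is the rule from RFC 5652 section 11: as soon as a SignerInfo carries signedAttrs, both the content-type (1.2.840.113549.1.9.3) and message-digest (1.2.840.113549.1.9.4) attributes must be among them, otherwise a conforming verifier rejects the envelope before it even looks at the signature. The following is an added example, not code from this thread, from OpenXPKI or from JSCEP: a small pure-Python DER walker that locates every SignerInfo in a CMS SignedData and reports which required signed attributes are missing, so a response body captured with Wireshark or tcpdump can be checked on the defender's side without the JSCEP stack. The two SignedData messages it builds with its own mini DER encoder are constructed placeholders (empty issuer name, zeroed digest and signature), not real SCEP CertRep messages.

```python
"""Check a CMS/PKCS#7 SignedData for the signed attributes RFC 5652 section 11
requires whenever signedAttrs are present. Added example; not thread, OpenXPKI
or JSCEP code. Usage: check_signed_attrs(open("certrep.der", "rb").read())."""

SIGNED_DATA_OID = "1.2.840.113549.1.7.2"
ID_DATA_OID = "1.2.840.113549.1.7.1"
CONTENT_TYPE_OID = "1.2.840.113549.1.9.3"
MESSAGE_DIGEST_OID = "1.2.840.113549.1.9.4"


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _decode_oid(value):
    """Turn OID content octets into dotted form (base-128 arcs, first byte = 40*a+b)."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def check_signed_attrs(der):
    """Return a list of problems; empty means every SignerInfo that has signedAttrs
    also carries content-type and message-digest (RFC 5652 sections 11.1/11.2)."""
    tag, content_info, _ = _read_tlv(der, 0)
    if tag != 0x30:
        return ["outer structure is not a SEQUENCE"]
    parts = list(_children(content_info))
    if _decode_oid(parts[0][1]) != SIGNED_DATA_OID:
        return ["outer ContentInfo is not signedData"]
    signed_data = next(_children(parts[1][1]))[1]     # content is [0] EXPLICIT SignedData
    signer_infos = list(_children(signed_data))[-1][1]  # signerInfos SET is always last
    problems = []
    for idx, (_, signer_info) in enumerate(_children(signer_infos)):
        signed_attrs = [v for t, v in _children(signer_info) if t == 0xA0]  # [0] IMPLICIT SET
        if not signed_attrs:
            continue                                  # no signedAttrs: rule does not apply
        present = {_decode_oid(next(_children(attr))[1])
                   for _, attr in _children(signed_attrs[0])}
        for name, oid in (("content-type", CONTENT_TYPE_OID),
                          ("message-digest", MESSAGE_DIGEST_OID)):
            if oid not in present:
                problems.append(f"SignerInfo #{idx}: signedAttrs present but {name} attribute missing")
    return problems


# --- mini DER encoder, used only to construct the placeholder samples below ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted):
    a, b, *rest = (int(x) for x in dotted.split("."))
    out = bytearray([40 * a + b])
    for v in rest:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_sample(with_content_type):
    """Constructed SignedData with one SignerInfo; the signature/digest are dummies."""
    sha256 = _tlv(0x30, _oid("2.16.840.1.101.3.4.2.1"))
    attrs = b""
    if with_content_type:
        attrs += _tlv(0x30, _oid(CONTENT_TYPE_OID) + _tlv(0x31, _oid(ID_DATA_OID)))
    attrs += _tlv(0x30, _oid(MESSAGE_DIGEST_OID) + _tlv(0x31, _tlv(0x04, b"\x00" * 32)))
    signer_info = _tlv(0x30,
        _tlv(0x02, b"\x01")                                  # version
        + _tlv(0x30, _tlv(0x30, b"") + _tlv(0x02, b"\x01"))  # issuerAndSerialNumber (placeholder)
        + sha256                                             # digestAlgorithm
        + _tlv(0xA0, attrs)                                  # signedAttrs [0] IMPLICIT
        + _tlv(0x30, _oid("1.2.840.113549.1.1.11"))          # signatureAlgorithm (sha256WithRSA)
        + _tlv(0x04, b"\x00" * 8))                           # signature (dummy bytes)
    signed_data = _tlv(0x30,
        _tlv(0x02, b"\x01") + _tlv(0x31, sha256)
        + _tlv(0x30, _oid(ID_DATA_OID))                      # encapContentInfo, detached
        + _tlv(0x31, signer_info))
    return _tlv(0x30, _oid(SIGNED_DATA_OID) + _tlv(0xA0, signed_data))


if __name__ == "__main__":
    print("good sample:", check_signed_attrs(build_sample(True)))
    print("bad sample: ", check_signed_attrs(build_sample(False)))
```

The walker deliberately stops at the structural check and does not verify the signature: the point is to tell a malformed envelope (the case Oliver suspects) apart from a missing HTTP header (the case Bernd saw), which this script cannot see because it only reads the body. An empty list for a captured CertRep body means the Bouncy Castle complaint did not come from a missing content-type attribute, and the search moves elsewhere.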



_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users



--
Protect your environment -  close windows and adopt a penguin!
