Re: [OpenXPKI-users] Disabling PKCS10 signature verification

Tue, 15 Nov 2022 07:22:59 -0800 

  
Hi Oliver,

Thanks for your fast response. 

Does it mean that we can't ignore signatureverification for CSR? I will explain 
the use case. We would like to modify theSubjectDN/SAN as part of our own 
policy while internal clients (devices, computersand etc) are raising 
certificate requests. The internal clients will send theCSR to a proxy, then 
proxy will contact on behalf of client to send CSR and receivecertificate. The 
proxy will do all the policy implementation related to Subjectand SAN. 

Since the Subject DN/SAN is modified in proxy,we would like to instruct the 
OpenXPKI to ignore signature validation for CSR.Is there any way/configuration 
parameter to instruct the OpenXPKI to ignore thesignature validation for CSR.

Regards,Mukilan

    On Tuesday, 15 November, 2022 at 02:31:50 pm GMT+1, Oliver Welter 
<[email protected]> wrote:  
 
   
Hi Mukilan,
 
if you look at the workflow history you will very likely see the output of a 
crashed OpenSSL command. The OpenXPKI default backend uses the openssl binary 
to sign CSRs and this does not work if the PCKS10 container is not properly 
formated/signed.
 
We had such a problem at a customer installation some time ago with broken 
appliances and ended up with a patched version of OpenSSL doing the job.
 
best regards
 
 
Oliver
 
 On 15.11.22 13:59, Mukilan P via OpenXPKI-users wrote:
  
  Hi Experts, 
  This is further to the above query. I changed the value verify_signature to 0 
in workflow/global/validator/pkcs10_valid.yaml like below, but getting 
'PREPARED' status instead of SUCCESS  
  class: OpenXPKI::Server::Workflow::Validator::PKCS10 param:     
empty_subject: 1     verify_signature: 0 
  arg:   - $pkcs10   
      On Tuesday, 15 November, 2022 at 12:29:57 pm GMT+1, Mukilan P via 
OpenXPKI-users <[email protected]> wrote:  
  
      Hi Experts, 
  Is there any way to disable pkcs10 signature verification as part of 
enroll/renewal in OpenXPKI? 
  Thanks in advance. 
  Regards, Mukilan    _______________________________________________
 OpenXPKI-users mailing list
 [email protected]
 https://lists.sourceforge.net/lists/listinfo/openxpki-users
    
  
  _______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
 
 -- 
Protect your environment -  close windows and adopt a penguin! 
 _______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
  
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users






















					Reply via email to