Hello Oliver.

Sorry, maybe I didn't explain my situation well.

The original example (in the config repository) has an eligibility check based
on the subject of the CSR using the regex (matching every FQDN having
openxpki.test).

For testing purposes, I keep this regex but match it against the MAC
query string (URL parameter).

So, I sent a valid domain as the MAC parameter
in order to pass the check using the URL parameter (?mac=demo.openxpki.test).

Is it possible to read a URL parameter in the eligibility check?

Like this example:
https://openxpki.readthedocs.io/en/develop/reference/configuration/workflows/enroll.html?highlight=eligible#eligibility


Best regards



Gamboa

On Sun, Aug 13, 2023, 3:56 AM Oliver Welter <m...@oliwel.de> wrote:

> Hello Antonio,
>
> if you see a state PENDING, the MAC signature was accepted. The example
> eligibility code generates the required approval point if the FQDN used as
> the common name ends with "openxpki.test". I am pretty sure you will see the
> certificate being issued when you use such a CSR. If you want to approve
> any request having a valid HMAC, just set the value in the eligibility
> initial section to a literal "1" as seen in the other sections. For more
> details please have a look at the quite extensive documentation here:
> https://openxpki.readthedocs.io/en/stable/reference/configuration/workflows/enroll.html
>
> Oliver
>
> Regarding a donation: I appreciate this but I do the community support for
> fun. If you feel you want to give back something, make a donation to the
> United Nations educational program or some other NGO around you feel
> comfortable with.
>
> On 12.08.23 22:47, Antonio Gamboa wrote:
>
> Hello Oliver.
>
> I really appreciate your support. I was able to authenticate the RPC
> request.
>
> Now, I want to auto-approve the request based on the Eligibility criteria
> set in the *my-realm/rpc/enroll.yaml:*
>
> eligible:
>     initial:
>        value@: connector:rpc.enroll.connector.intranet
>        args: '[% context.url_mac %]'
>
>     renewal:
>        value: 1
>
>     onbehalf:
>        value: 1
>
> connector:
>     intranet:
>         class: OpenXPKI::Connector::Regex
>         LOCATION: \w+\.openxpki.test(:[\w]+)?\z
>     macs:
>
>
> *In the RPC request: *
>
> POST /rpc/enroll?mac=demo.openxpki.test HTTP/1.1
> Accept: application/json
> Content-Type: application/x-www-form-urlencoded
> Host: localhost:8443
> Content-Length: 1195
>
> method=RequestCertificate&
> pkcs10={CSR}&
> comment=test&
> signature=a254eb2c1b2087ef190024cc7a3edfb75454a7c77bf8ce0badabeb54bfc2adb7
>
>
> I am just testing the functionality but have not been successful. I set
> the mac in the query string to a valid string (it must pass the regex
> evaluation).
>
> *This is the RPC response I receive:*
> {
> "result": {
> "pid": 1313,
> "retry_after": 300,
> "data": {
> "error_code": "Request was not approved",
> "transaction_id": "b760bc72a3a4281c1550df20c2814d52a5e6b92a"
> },
> "proc_state": "manual",
> "state": "PENDING",
> "id": 6143
> }
> }
>
>
> What am I missing?
>
> An apology for being such a nuisance. If you are able to
> receive donations, I would like to support with a donation.
>
> Best regards.
>
> On Sun, Aug 6, 2023 at 1:03, Oliver Welter (<m...@oliwel.de>) wrote:
>
>> Hello Antonio,
>>
>> the HMAC Secret is defined in the rpc/enroll.yaml configuration and the
>> expected value is an HMAC256 (hex notation) of the DER encoded CSR.
>>
>> best regards
>>
>> Oliver
>>
>> On 05.08.23 06:36, Antonio Gamboa wrote:
>> > Hi Oliver.
>> >
>> > I could set up the RPC API successfully, thanks.
>> >
>> > But I have the following question: how could I create the signature
>> > parameter in the RPC request? It is the HMAC authentication, right?
>> > I want to send this signature to make an authenticated request in
>> > order to avoid manual authorization in the UI.
>> >
>> >
>> > Best regards.
>> >
>> >
>> > _______________________________________________
>> > OpenXPKI-users mailing list
>> > OpenXPKI-users@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>
>> --
>> Protect your environment -  close windows and adopt a penguin!
>>
>>
>>
>>
>
>
>
>
> --
> Protect your environment -  close windows and adopt a penguin!
>
>
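
Oliver's first reply in the thread states that the signature is an HMAC256, in hex notation, of the DER encoded CSR. The following Python is an added example (not part of the thread and not OpenXPKI code) that derives that value from a PEM CSR and checks a received one; the secret, the sample bytes, the function names and the use of the secret as UTF-8 bytes are assumptions.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: placeholder bytes standing in for a DER CSR (not parseable).
SAMPLE_DER = bytes(range(48)) * 3
# Placeholder secret; the thread says the real one is set in rpc/enroll.yaml.
SECRET = "example-hmac-secret"

_PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.S,
)


def der_to_pem(der: bytes, width: int = 64) -> str:
    """Wrap DER bytes in PKCS#10 PEM armor with the given line width."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + body +
            "\n-----END CERTIFICATE REQUEST-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the armor and whitespace, then decode the base64 body to DER."""
    match = _PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PKCS#10 PEM block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def csr_signature(pem: str, secret: str) -> str:
    """HMAC-SHA256 over the DER bytes, lower-case hex.

    Only the CSR bytes are MAC input here, as described in the thread;
    other request fields (comment, URL parameters) are not covered.
    """
    der = pem_to_der(pem)
    return hmac.new(secret.encode("utf-8"), der, hashlib.sha256).hexdigest()


def verify_signature(pem: str, secret: str, signature: str) -> bool:
    """Constant-time comparison of the expected and the received hex value."""
    expected = csr_signature(pem, secret).encode("ascii")
    received = signature.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected, received)
```

Hashing the PEM text instead of the decoded DER gives a different value, and the PEM text changes with line wrapping while the DER does not.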