Hi Antonio,
sorry I did not see the changes you made in the code. When using the RPC
Layer the signature parameter is in context.signature, the stuff with
the url_ prefix is only used in SCEP and EST to map metadata into the
context. The RPC implementation does NOT allow arbitrary parameters in
the context, if you need additional parameters you need to add them to
the parameter list in the "outer" wrapper configuration as well as to
the initialize method of the workflow.
Oliver
On 13.08.23 17:57, Antonio Gamboa wrote:
Hello Oliver.
Sorry, maybe I couldn't explain my situation well.
The original example (in the config repository) has an eligibility check
based on the subject of the CSR using the regex (matching every FQDN
having openxpki.test).
For testing purposes, I keep this regex but match it against the
MAC query string (URL parameter).
So, I sent a valid domain as the MAC parameter
in order to pass the check using the URL parameter
(?mac=demo.openxpki.test).
Is it possible to read a URL parameter in the eligibility check?
Like this example:
https://openxpki.readthedocs.io/en/develop/reference/configuration/workflows/enroll.html?highlight=eligible#eligibility
Best regards
Gamboa
On Sun, Aug 13, 2023, 3:56 AM Oliver Welter <m...@oliwel.de> wrote:
Hello Antonio,
if you see a state PENDING, the MAC signature was accepted. The
example eligibility code generates the required approval point if
the FQDN used as the common name ends on "openxpki.test". I am
pretty sure you will see the certificate being issued when you use
such a CSR. If you want to approve any request having a valid
HMAC, just set the value in the eligibility initial section to a
literal "1" as seen in the other sections. For more details please
have a look at the quite extensive documentation here
https://openxpki.readthedocs.io/en/stable/reference/configuration/workflows/enroll.html.
Oliver
Regarding a donation: I appreciate this but I do the community
support for fun. If you feel you want to give back something, make
a donation to the United Nations educational program or some other
NGO around you that you feel comfortable with.
On 12.08.23 22:47, Antonio Gamboa wrote:
Hello Oliver.
I really appreciate your support. I was able to authenticate the
RPC request.
Now, I want to auto-approve the request based on the Eligibility
criteria set in the *my-realm/rpc/enroll.yaml:*

    eligible:
        initial:
            value@: connector:rpc.enroll.connector.intranet
            args: '[% context.url_mac %]'
        renewal:
            value: 1
        onbehalf:
            value: 1

    connector:
        intranet:
            class: OpenXPKI::Connector::Regex
            LOCATION: \w+\.openxpki.test(:[\w]+)?\z
macs:

In the RPC request:

    POST /rpc/enroll?mac=demo.openxpki.test HTTP/1.1
    Accept: application/json
    Content-Type: application/x-www-form-urlencoded
    Host: localhost:8443
    Content-Length: 1195

    method=RequestCertificate&
    pkcs10={CSR}&
    comment=test&
    signature=a254eb2c1b2087ef190024cc7a3edfb75454a7c77bf8ce0badabeb54bfc2adb7

I am just testing the functionality but have not been successful.
I set the mac in query string with a valid string (must pass the
regex evaluation)
This is the RPC response I receive:

    {
        "result": {
            "pid": 1313,
            "retry_after": 300,
            "data": {
                "error_code": "Request was not approved",
                "transaction_id": "b760bc72a3a4281c1550df20c2814d52a5e6b92a"
            },
            "proc_state": "manual",
            "state": "PENDING",
            "id": 6143
        }
    }

What am I missing?
An apology for being such a nuisance. If you are able to
receive donations, I would like to support with a donation.
Best regards.
On Sun, Aug 6, 2023 at 1:03, Oliver Welter (<m...@oliwel.de>) wrote:
Hello Antonio,
the HMAC Secret is defined in the rpc/enroll.yaml configuration and the
expected value is an HMAC256 (hex notation) of the DER encoded CSR.
best regards
Oliver
On 05.08.23 06:36, Antonio Gamboa wrote:
> Hi Oliver.
>
> I could set up the RPC API successfully, thanks.
>
> But I have the following question: how could I create the signature
> parameter in the RPC request? It is the HMAC authentication, right?
> I want to send this signature to make an authenticated request in
> order to avoid manual authorization in the UI.
>
>
> Best regards.
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
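
Added example (not part of the original thread and not OpenXPKI code): computing the signature parameter as described above, an HMAC-SHA256 in hex notation over the DER encoding of the CSR. The function names, the sample PEM body (not a real CSR) and the sample secret are assumptions made for illustration; the real secret is the one defined in rpc/enroll.yaml.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample, NOT a real CSR: the base64 body decodes to b"Hi There"
# so the output can be checked against RFC 4231 test case 1.
SAMPLE_PEM = """-----BEGIN CERTIFICATE REQUEST-----
SGkgVGhlcmU=
-----END CERTIFICATE REQUEST-----
"""
# RFC 4231 test case 1 key; stands in for the secret from rpc/enroll.yaml.
SAMPLE_SECRET = b"\x0b" * 20

_PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.S,
)


def csr_pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and return the raw DER bytes of the request."""
    match = _PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PKCS#10 PEM block found")
    body = "".join(match.group(1).split())  # drop line breaks and padding spaces
    return base64.b64decode(body, validate=True)


def rpc_signature(pem: str, secret: bytes) -> str:
    """HMAC-SHA256 over the DER bytes (not the PEM text), as lowercase hex."""
    return hmac.new(secret, csr_pem_to_der(pem), hashlib.sha256).hexdigest()


def signature_matches(pem: str, secret: bytes, presented: str) -> bool:
    """Compare a presented hex signature in constant time."""
    expected = rpc_signature(pem, secret).encode()
    return hmac.compare_digest(expected, presented.strip().lower().encode())


if __name__ == "__main__":
    # Value to send as the "signature" form field next to pkcs10.
    print("signature=" + rpc_signature(SAMPLE_PEM, SAMPLE_SECRET))
```

The MAC is taken over the decoded DER bytes, so hashing the PEM text (armor lines and line breaks included) yields a different value that will not match.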