Hi Andreas,
Did you change from LibSCEP to the Builtin SCEP with the code upgrade
or did you just upgrade the packages?
It sounds like the pickup of the workflow (which we do only by
transaction id) is not working and in turn the system tries to run an
enrollment (the fallback solution here is not really nice...).
Oliver
On 22.01.24 17:33, Andreas Steffen wrote:
After upgrading from v3.26 to v3.28 the ASN.1 parsing of the
SCEP GetCertInitial request containing an issuer_serial payload fails
because the parser seems to expect a pkcs10 payload instead
as the following log shows:
# PKIOperation - PKCSReq request with pkcs10 payload successful
2024/01/22 13:12:45 DEB Parsed URI: generic =>
[pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Incoming SCEP operation PKIOperation on
endpoint generic [pid=1407|server=generic|endpoint=generic]
2024/01/22 13:12:45 DEB Got PKIOperation via POST
[pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Config created
[pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Initialize client
[pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Started volatile session with id:
KZ+dfqjvSrqMY0bR8kWbLA== [pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Selecting auth stack _System
[pid=1407|server=generic|endpoint=generic]
2024/01/22 13:12:46 DEB Handle enrollment
[pid=1407|server=generic|endpoint=generic]
2024/01/22 13:12:46 DEB Adding extra params for message type PKCSReq
[pid=1407|server=generic|endpoint=generic]
2024/01/22 13:12:46 DEB Pickup via attribute with transaction_id =>
5A2019C1EB3543921E4FD658ECF88073BA62D781
[pid=1407|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic|server=generic]
2024/01/22 13:12:46 DEB Initialize certificate_enroll with params
interface, _url_params, signer_cert, server, pkcs10, transaction_id
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:12:46 DEB Workflow created (ID: 28671), State:
MANUAL_AUTHORIZATION
[pid=1407|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic|server=generic]
2024/01/22 13:12:46 INF Request Pending - MANUAL_AUTHORIZATION
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:12:46 DEB Status: 202 Request Pending - Retry Later
(5A2019C1EB3543921E4FD658ECF88073BA62D781)
[pid=1407|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|server=generic]
2024/01/22 13:12:46 INF Send pending response for
5A2019C1EB3543921E4FD658ECF88073BA62D781
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:12:46 INF Disconnect client
[pid=1407|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic|server=generic]
# PKIOperation - GetCertInitial request with transaction_id and
issuer_serial payload fails
2024/01/22 13:13:46 DEB Parsed URI: generic =>
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:13:46 DEB Incoming SCEP operation PKIOperation on
endpoint generic
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:13:46 DEB Got PKIOperation via POST
[pid=1407|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic|server=generic]
2024/01/22 13:13:46 DEB Config created
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:13:46 DEB Initialize client
[pid=1407|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|server=generic]
2024/01/22 13:13:46 DEB Started volatile session with id:
siYXZDTVRqifdA3BD8uZxg==
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:13:46 DEB Selecting auth stack _System
[pid=1407|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|server=generic]
2024/01/22 13:13:46 DEB Handle enrollment
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:13:46 DEB Adding extra params for message type
GetCertInitial
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:13:46 ERR Unable to parse PKCS10: decode: decode error
06<=>30 4 8 certificationRequestInfo at
/usr/share/perl5/Convert/ASN1/_decode.pm line 117.
Cannot handle input or missing ASN.1 definitions at
/usr/share/perl5/Crypt/PKCS10.pm line 756.
Crypt::PKCS10::_new(undef, undef, undef, "ignoreNonBase64", 1,
"verifySignature", 1) called at /usr/share/perl5/Crypt/PKCS10.pm line 607
eval {...} called at /usr/share/perl5/Crypt/PKCS10.pm line 604
Crypt::PKCS10::new("Crypt::PKCS10",
"0\x{82}\x{b}\x{18}\x{6}\x{9}*\x{86}H\x{86}\x{f7}\x{d}\x{1}\x{7}\x{2}\x{a0}\x{82}\x{b}\x{9}0\x{82}\x{b}\x{5}\x{2}\x{1}\x{1}1\x{f}0\x{d}\x{6}\x{9}`\x{86}H\x{1}e\x{3}\x{4}\x{2}\x{1}\x{5}\x{0}0\x{82}\x{3}\x{e}\x{6}\x{9}*\x{86}H\x{86}\x{f7}\x{d}\x{1}\x{7}\x{1}\x{a0}\x{82}\x{2}"...,
"ignoreNonBase64", 1, "verifySignature", 1) called at
/usr/share/perl5/OpenXPKI/Client/Service/Base.pm line 185
OpenXPKI::Client::Service::Base::handle_enrollment_request(OpenXPKI::Client::Service::SCEP=HASH(0x5574a92cd9b0),
CGI::Fast=HASH(0x5574a6bc5e40)) called at /usr/lib/cgi-bin/scepv3.fcgi
line 100
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
...
2024/01/22 13:13:46 DEB Status: 400 Unable to parse request
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:13:46 WAR Client error / malformed request badRequest
[pid=1407|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|server=generic]
2024/01/22 13:13:46 INF Disconnect client
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
Best regards
Andreas
======================================================================
Andreas Steffen [email protected]
strongSwan - the Open Source VPN Solution! www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
======================================================================
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
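Added example, not part of either message and not OpenXPKI code: a minimal DER header reader applied to the first 15 bytes of the argument shown in the stack trace above. It illustrates why `06<=>30 ... certificationRequestInfo` is consistent with a CMS (PKCS#7) message being handed to a PKCS#10 parser; the function names and the comparison CSR prefix are constructed for this illustration.

```python
# First 15 bytes of the argument shown in the stack trace (the log truncates the rest).
LOGGED_PREFIX = bytes.fromhex("30820b1806092a864886f70d010702")
# Constructed for comparison: SEQUENCE { SEQUENCE { INTEGER 0 ..., as a CSR starts.
CONSTRUCTED_CSR_PREFIX = bytes.fromhex("308201003081c0020100")

CMS_OIDS = {"1.2.840.113549.1.7.2": "signedData", "1.2.840.113549.1.7.3": "envelopedData"}


def read_header(buf, pos):
    """Return (tag, length, value offset) of the TLV at pos; single-byte tags only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:  # short-form length
        return tag, first, pos
    n = first & 0x7F  # long form: n length octets follow
    if n == 0 or pos + n > len(buf):
        raise ValueError("indefinite or truncated length")
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n


def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents octets to dotted notation."""
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear: last octet of this arc
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))


def classify(buf):
    """Name what a DER blob starts as, reading only the outer and first inner header."""
    tag, _, pos = read_header(buf, 0)
    if tag != 0x30:
        return "not a DER SEQUENCE"
    inner, length, pos = read_header(buf, pos)
    if inner == 0x30:  # where PKCS#10 puts certificationRequestInfo
        return "PKCS#10-like (inner SEQUENCE)"
    if inner == 0x06:  # where CMS ContentInfo puts contentType
        oid = decode_oid(buf[pos:pos + length])
        return "CMS ContentInfo (%s)" % CMS_OIDS.get(oid, oid)
    return "unknown (inner tag 0x%02x)" % inner
```

The inner-SEQUENCE result is only a prefix heuristic, since other structures also begin with two nested SEQUENCEs.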