I think the commit

https://github.com/openxpki/openxpki/commit/69a9e7d6c696ec6fafd00aa046f7b59db1123725

introduced a regression in line 181 of SCEP.pm:

    } elsif ($self->message_type() eq 'GetCertInitial') {
 -       $params->{pkcs10} = '';
 +       $params->{pkcs10} = undef;
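
Review bot: in the GetCertInitial branch, assigning undef to $params->{pkcs10} makes "deliberately no CSR" indistinguishable from "not passed" for any consumer that tests the value with defined, such as the `if (!defined $param->{pkcs10})` guard quoted from Base.pm below, which then treats the request body as a raw PKCS#10 POST. Either keep the empty string on this line, or have the consumer decide on the message type (or on `exists`) instead of on definedness, and add a comment here stating that the value is an intentional marker.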

Changing the contents of $params->{pkcs10} back from undef to '' fixes the
problem because then in line 167 of Base.pm:

https://github.com/openxpki/openxpki/blob/v3.28.0/core/server/OpenXPKI/Client/Service/Base.pm#L167

the if statement

    # if pkcs10 was not already passed from build params
    # we assume it is a raw POST
    if (!defined $param->{pkcs10}) {

evaluates FALSE and the non-existing pkcs10 payload is not parsed in the 
GetCertInitial request.

On 23.01.24 09:21, Oliver Welter wrote:
Hi Andreas,

did you change from LibSCEP to the Builtin SCEP with the code upgrade or did 
you just upgrade the packages?

It sounds like the pickup of the workflow (which we do only by transaction id) 
is not working and in turn the system tries to run an enrollment (the fallback 
solution here is not really nice....).

Oliver

On 22.01.24 17:33, Andreas Steffen wrote:
After upgrading from v3.26 to v3.28 the ASN.1 parsing of the
SCEP GetCertInitial request containing an issuer_serial payload fails
because the parser seems to expect a pkcs10 payload instead
as the following log shows:

# PKIOperation - PKCSReq request with pkcs10 payload successful
2024/01/22 13:12:45 DEB Parsed URI: generic => 
[pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Incoming SCEP operation PKIOperation on endpoint 
generic [pid=1407|server=generic|endpoint=generic]
2024/01/22 13:12:45 DEB Got PKIOperation via POST 
[pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Config created 
[pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Initialize client 
[pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Started volatile session with id: 
KZ+dfqjvSrqMY0bR8kWbLA== [pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Selecting auth stack _System 
[pid=1407|server=generic|endpoint=generic]
2024/01/22 13:12:46 DEB Handle enrollment 
[pid=1407|server=generic|endpoint=generic]
2024/01/22 13:12:46 DEB Adding extra params for message type PKCSReq 
[pid=1407|server=generic|endpoint=generic]
2024/01/22 13:12:46 DEB Pickup via attribute with transaction_id => 
5A2019C1EB3543921E4FD658ECF88073BA62D781 
[pid=1407|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic|server=generic]
2024/01/22 13:12:46 DEB Initialize certificate_enroll with params interface, 
_url_params, signer_cert, server, pkcs10, transaction_id 
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:12:46 DEB Workflow created (ID: 28671), State: 
MANUAL_AUTHORIZATION 
[pid=1407|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic|server=generic]
2024/01/22 13:12:46 INF Request Pending - MANUAL_AUTHORIZATION 
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:12:46 DEB Status: 202 Request Pending - Retry Later 
(5A2019C1EB3543921E4FD658ECF88073BA62D781) 
[pid=1407|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|server=generic]
2024/01/22 13:12:46 INF Send pending response for 
5A2019C1EB3543921E4FD658ECF88073BA62D781 
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:12:46 INF Disconnect client 
[pid=1407|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic|server=generic]

# PKIOperation - GetCertInitial request with transaction_id and issuer_serial 
payload fails
2024/01/22 13:13:46 DEB Parsed URI: generic => 
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:13:46 DEB Incoming SCEP operation PKIOperation on endpoint 
generic 
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:13:46 DEB Got PKIOperation via POST 
[pid=1407|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic|server=generic]
2024/01/22 13:13:46 DEB Config created 
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:13:46 DEB Initialize client 
[pid=1407|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|server=generic]
2024/01/22 13:13:46 DEB Started volatile session with id: 
siYXZDTVRqifdA3BD8uZxg== 
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:13:46 DEB Selecting auth stack _System 
[pid=1407|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|server=generic]
2024/01/22 13:13:46 DEB Handle enrollment 
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:13:46 DEB Adding extra params for message type GetCertInitial 
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:13:46 ERR Unable to parse PKCS10: decode: decode error 06<=>30 4 
8 certificationRequestInfo at /usr/share/perl5/Convert/ASN1/_decode.pm line 117.
Cannot handle input or missing ASN.1 definitions at 
/usr/share/perl5/Crypt/PKCS10.pm line 756.
        Crypt::PKCS10::_new(undef, undef, undef, "ignoreNonBase64", 1, 
"verifySignature", 1) called at /usr/share/perl5/Crypt/PKCS10.pm line 607
        eval {...} called at /usr/share/perl5/Crypt/PKCS10.pm line 604
        Crypt::PKCS10::new("Crypt::PKCS10", 
"0\x{82}\x{b}\x{18}\x{6}\x{9}*\x{86}H\x{86}\x{f7}\x{d}\x{1}\x{7}\x{2}\x{a0}\x{82}\x{b}\x{9}0\x{82}\x{b}\x{5}\x{2}\x{1}\x{1}1\x{f}0\x{d}\x{6}\x{9}`\x{86}H\x{1}e\x{3}\x{4}\x{2}\x{1}\x{5}\x{0}0\x{82}\x{3}\x{e}\x{6}\x{9}*\x{86}H\x{86}\x{f7}\x{d}\x{1}\x{7}\x{1}\x{a0}\x{82}\x{2}"...,
 "ignoreNonBase64", 1, "verifySignature", 1) called at 
/usr/share/perl5/OpenXPKI/Client/Service/Base.pm line 185
OpenXPKI::Client::Service::Base::handle_enrollment_request(OpenXPKI::Client::Service::SCEP=HASH(0x5574a92cd9b0),
 CGI::Fast=HASH(0x5574a6bc5e40)) called at /usr/lib/cgi-bin/scepv3.fcgi line 100
 
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
...
2024/01/22 13:13:46 DEB Status: 400 Unable to parse request 
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:13:46 WAR Client error / malformed request badRequest 
[pid=1407|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|server=generic]
2024/01/22 13:13:46 INF Disconnect client 
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]

Best regards

Andreas

======================================================================
Andreas Steffen [email protected]
strongSwan - the Open Source VPN Solution! www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
======================================================================


_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users


--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
======================================================================
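
A log check for the failure signature reported in this thread, as an added example that is not part of the original messages or of OpenXPKI: it rejoins multi-line stack-trace records, reads the `[key=value|...]` context in whatever order it appears, and flags a PKCS10 parse error raised while the same worker was handling a GetCertInitial poll. The sample lines and tids are constructed, and correlating by pid assumes a worker process handles one request at a time.

```python
import re

# Constructed sample in the log format quoted in the thread (tids are made up).
SAMPLE_LOG = """\
2024/01/22 13:12:46 DEB Adding extra params for message type PKCSReq [pid=1407|server=generic|endpoint=generic]
2024/01/22 13:12:46 INF Request Pending - MANUAL_AUTHORIZATION [pid=1407|server=generic|tid=AA11|endpoint=generic]
2024/01/22 13:13:46 DEB Adding extra params for message type GetCertInitial [pid=1407|server=generic|endpoint=generic|tid=AA11]
2024/01/22 13:13:46 ERR Unable to parse PKCS10: decode: decode error 06<=>30 4 8 certificationRequestInfo
Cannot handle input or missing ASN.1 definitions
 [pid=1407|endpoint=generic|tid=AA11|server=generic]
2024/01/22 13:13:46 DEB Status: 400 Unable to parse request [pid=1407|server=generic|tid=AA11|endpoint=generic]
2024/01/22 13:14:02 DEB Adding extra params for message type PKCSReq [pid=1408|server=generic|endpoint=generic]
2024/01/22 13:14:02 ERR Unable to parse PKCS10: decode error [pid=1408|endpoint=generic|tid=BB22|server=generic]
"""

START = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) ([A-Z]{3}) (.*)$", re.S)
CONTEXT = re.compile(r"\[([^\[\]]*)\]\s*$")
MSG_TYPE = re.compile(r"Adding extra params for message type (\w+)")

def records(text):
    """Yield (timestamp, level, message, context) with stack-trace lines rejoined."""
    buf = []
    # The trailing sentinel line only serves to flush the last real record.
    for line in text.splitlines() + ["1970/01/01 00:00:00 END sentinel"]:
        if START.match(line) and buf:
            ts, level, rest = START.match("\n".join(buf)).groups()
            ctx = CONTEXT.search(rest)
            pairs = ctx.group(1).split("|") if ctx else []
            yield ts, level, rest, dict(p.split("=", 1) for p in pairs if "=" in p)
            buf = []
        if buf or START.match(line):
            buf.append(line)

def find_regression_hits(text):
    """Flag PKCS10 parse errors raised while a GetCertInitial poll was handled."""
    last_type, hits = {}, []
    for ts, level, msg, ctx in records(text):
        pid = ctx.get("pid")
        seen = MSG_TYPE.search(msg)
        if seen:
            last_type[pid] = seen.group(1)
        elif level == "ERR" and "Unable to parse PKCS10" in msg:
            # A parse error after PKCSReq is a bad CSR; after GetCertInitial
            # it means the poll was wrongly routed into the CSR parser.
            if last_type.get(pid) == "GetCertInitial":
                hits.append((ts, ctx.get("tid")))
    return hits

if __name__ == "__main__":
    for ts, tid in find_regression_hits(SAMPLE_LOG):
        print(f"{ts} GetCertInitial parsed as PKCS10, tid={tid}")
```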

