Hi Andreas,
this commit was made to address another problem with GetCertInitial, so
it was intentional, but I did not find the time for a closer look now.
I just stumbled over your initial post:
> SCEP GetCertInitial request containing an issuer_serial payload fails
The GetCertInitial command is specified to carry an issuerAndSubject
hash, not a serial number which makes sense as you don't know the serial
yet - and this is just not implemented in OpenXPKI. The GetCertInitial
command evaluates only the transaction_id and I would assume that the
problem you are experiencing here is that this lookup fails (likely due
to the problem that was reported last year:
https://sourceforge.net/p/openxpki/mailman/message/56898589/)
Looks like we need to check again for the different edge cases here...
Oliver
On 23.01.24 13:58, Andreas Steffen wrote:
I think the commit
https://github.com/openxpki/openxpki/commit/69a9e7d6c696ec6fafd00aa046f7b59db1123725
introduced a regression in line 181 of SCEP.pm:
} elsif ($self->message_type() eq 'GetCertInitial') {
- $params->{pkcs10} = '';
+ $params->{pkcs10} = undef;
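Review bot: changing the GetCertInitial sentinel from '' to undef collides with the check quoted from Base.pm line 167, `if (!defined $param->{pkcs10}) {`, which treats an undefined pkcs10 as "raw POST, parse the body as a CSR"; '' was defined and skipped that branch, undef now enters it, and for GetCertInitial the body is the signed PKIMessage rather than a PKCS#10, which is exactly the `Unable to parse PKCS10: decode: decode error 06<=>30` in the log below. If the intent of the commit is that GetCertInitial carries no pkcs10 at all, state that explicitly instead of through the defined/undefined distinction, e.g. gate the raw-POST branch in Base.pm on the message type or use a dedicated "no CSR expected" marker, and add a GetCertInitial test case so the two code paths cannot drift apart again.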
Changing the contents of $params->{pkcs10} back from undef to '' fixes
the problem because then in line 167 of Base.pm:
https://github.com/openxpki/openxpki/blob/v3.28.0/core/server/OpenXPKI/Client/Service/Base.pm#L167
the if statement
# if pkcs10 was not already passed from build params
# we assume it is a raw POST
if (!defined $param->{pkcs10}) {
evaluates FALSE and the non-existing pkcs10 payload is not parsed in
the GetCertInitial request.
On 23.01.24 09:21, Oliver Welter wrote:
Hi Andreas,
did you change from LibSCEP to the Builtin SCEP with the code
upgrade or did you just upgrade the packages?
It sounds like the pickup of the workflow (which we do only by
transaction id) is not working and in turn the system tries to run an
enrollment (the fallback solution here is not really nice....).
Oliver
On 22.01.24 17:33, Andreas Steffen wrote:
After upgrading from v3.26 to v3.28 the ASN.1 parsing of the
SCEP GetCertInitial request containing an issuer_serial payload fails
because the parser seems to expect a pkcs10 payload instead
as the following log shows:
# PKIOperation - PKCSReq request with pkcs10 payload successful
2024/01/22 13:12:45 DEB Parsed URI: generic =>
[pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Incoming SCEP operation PKIOperation on
endpoint generic [pid=1407|server=generic|endpoint=generic]
2024/01/22 13:12:45 DEB Got PKIOperation via POST
[pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Config created
[pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Initialize client
[pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Started volatile session with id:
KZ+dfqjvSrqMY0bR8kWbLA== [pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Selecting auth stack _System
[pid=1407|server=generic|endpoint=generic]
2024/01/22 13:12:46 DEB Handle enrollment
[pid=1407|server=generic|endpoint=generic]
2024/01/22 13:12:46 DEB Adding extra params for message type PKCSReq
[pid=1407|server=generic|endpoint=generic]
2024/01/22 13:12:46 DEB Pickup via attribute with transaction_id =>
5A2019C1EB3543921E4FD658ECF88073BA62D781
[pid=1407|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic|server=generic]
2024/01/22 13:12:46 DEB Initialize certificate_enroll with params
interface, _url_params, signer_cert, server, pkcs10, transaction_id
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:12:46 DEB Workflow created (ID: 28671), State:
MANUAL_AUTHORIZATION
[pid=1407|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic|server=generic]
2024/01/22 13:12:46 INF Request Pending - MANUAL_AUTHORIZATION
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:12:46 DEB Status: 202 Request Pending - Retry Later
(5A2019C1EB3543921E4FD658ECF88073BA62D781)
[pid=1407|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|server=generic]
2024/01/22 13:12:46 INF Send pending response for
5A2019C1EB3543921E4FD658ECF88073BA62D781
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:12:46 INF Disconnect client
[pid=1407|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic|server=generic]
# PKIOperation - GetCertInitial request with transaction_id and
issuer_serial payload fails
2024/01/22 13:13:46 DEB Parsed URI: generic =>
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:13:46 DEB Incoming SCEP operation PKIOperation on
endpoint generic
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:13:46 DEB Got PKIOperation via POST
[pid=1407|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic|server=generic]
2024/01/22 13:13:46 DEB Config created
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:13:46 DEB Initialize client
[pid=1407|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|server=generic]
2024/01/22 13:13:46 DEB Started volatile session with id:
siYXZDTVRqifdA3BD8uZxg==
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:13:46 DEB Selecting auth stack _System
[pid=1407|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|server=generic]
2024/01/22 13:13:46 DEB Handle enrollment
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:13:46 DEB Adding extra params for message type
GetCertInitial
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:13:46 ERR Unable to parse PKCS10: decode: decode error
06<=>30 4 8 certificationRequestInfo at
/usr/share/perl5/Convert/ASN1/_decode.pm line 117.
Cannot handle input or missing ASN.1 definitions at
/usr/share/perl5/Crypt/PKCS10.pm line 756.
Crypt::PKCS10::_new(undef, undef, undef, "ignoreNonBase64",
1, "verifySignature", 1) called at /usr/share/perl5/Crypt/PKCS10.pm
line 607
eval {...} called at /usr/share/perl5/Crypt/PKCS10.pm line 604
Crypt::PKCS10::new("Crypt::PKCS10",
"0\x{82}\x{b}\x{18}\x{6}\x{9}*\x{86}H\x{86}\x{f7}\x{d}\x{1}\x{7}\x{2}\x{a0}\x{82}\x{b}\x{9}0\x{82}\x{b}\x{5}\x{2}\x{1}\x{1}1\x{f}0\x{d}\x{6}\x{9}`\x{86}H\x{1}e\x{3}\x{4}\x{2}\x{1}\x{5}\x{0}0\x{82}\x{3}\x{e}\x{6}\x{9}*\x{86}H\x{86}\x{f7}\x{d}\x{1}\x{7}\x{1}\x{a0}\x{82}\x{2}"...,
"ignoreNonBase64", 1, "verifySignature", 1) called at
/usr/share/perl5/OpenXPKI/Client/Service/Base.pm line 185
OpenXPKI::Client::Service::Base::handle_enrollment_request(OpenXPKI::Client::Service::SCEP=HASH(0x5574a92cd9b0),
CGI::Fast=HASH(0x5574a6bc5e40)) called at
/usr/lib/cgi-bin/scepv3.fcgi line 100
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
...
2024/01/22 13:13:46 DEB Status: 400 Unable to parse request
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:13:46 WAR Client error / malformed request badRequest
[pid=1407|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|server=generic]
2024/01/22 13:13:46 INF Disconnect client
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
Best regards
Andreas
======================================================================
Andreas Steffen [email protected]
strongSwan - the Open Source VPN Solution! www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
======================================================================
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
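To make the `decode error 06<=>30 ... certificationRequestInfo` in the log above concrete, here is an added example (not OpenXPKI's code, and in Python rather than the project's Perl so it runs stand-alone): a small DER peek that classifies what a SCEP handler is about to parse, so a PKCS#7 PKIMessage or an IssuerAndSubject structure is never handed to a PKCS#10 parser. The stub byte strings are constructed, not real SCEP traffic.

```python
# Added example, not OpenXPKI code. Crypt::PKCS10's "decode error 06<=>30 ...
# certificationRequestInfo" means an OID tag (0x06) sat where a SEQUENCE (0x30)
# was expected: the raw-POST fallback fed the whole PKCS#7 PKIMessage to the CSR parser.

OID_PKCS7_SIGNED_DATA = "1.2.840.113549.1.7.2"

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: 0x8n, then n length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value: bytes) -> str:
    """Dotted form of a DER-encoded OBJECT IDENTIFIER value."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # last base-128 byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def classify_scep_payload(body: bytes) -> str:
    """Outer-shape check: bare PKCS#10 CSR vs PKCS#7 PKIMessage vs Name-prefixed SCEP structure."""
    tag, inner, _ = read_tlv(body)
    if tag != 0x30:
        return "not-a-sequence"
    first_tag, first_val, _ = read_tlv(inner)
    if first_tag == 0x06:                    # ContentInfo opens with its contentType OID
        oid = decode_oid(first_val)
        return "pkcs7-signedData" if oid == OID_PKCS7_SIGNED_DATA else "pkcs7-" + oid
    if first_tag == 0x30 and first_val:
        lead_tag, lead_val, _ = read_tlv(first_val)
        if lead_tag == 0x02 and lead_val == b"\x00":   # certificationRequestInfo.version = 0
            return "pkcs10"
        if lead_tag == 0x31:                 # IssuerAndSubject / IssuerAndSerial start with a Name (SEQUENCE OF SET)
            return "name-prefixed-sequence"
    return "unknown"

# Constructed inputs (minimal stubs, not real requests): signedData ContentInfo, a CSR skeleton, SEQUENCE { Name, Name }
PKIMESSAGE_STUB = bytes.fromhex("300d06092a864886f70d010702a000")
PKCS10_STUB = bytes.fromhex("30053003020100")
ISSUER_AND_SUBJECT_STUB = bytes.fromhex("3011300d310b300906035504030c0243413000")
```

Running the classifier before the CSR parse turns the 400 "Unable to parse request" into a precise message about which SCEP structure actually arrived.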
--
Protect your environment - close windows and adopt a penguin!