Hi Oliver,
sorry, of course the GetCertInitial request carries an IssuerAndSubject payload,
as implemented by the strongSwan pki --scep command. Anyway, this payload is
usually ignored by OpenXPKI since the pickup is based on the transactionID.
But if you take a closer look at the error trace in my posted log:
1) Handle enrollment
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2) Adding extra params for message type GetCertInitial
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
3) Unable to parse PKCS10: decode: decode error 06<=>30 4 8
certificationRequestInfo
at /usr/share/perl5/Convert/ASN1/_decode.pm line 117.
4) Cannot handle input or missing ASN.1 definitions
at /usr/share/perl5/Crypt/PKCS10.pm line 756.
5) Crypt::PKCS10::_new(undef, undef, undef, "ignoreNonBase64", 1,
"verifySignature", 1) called
at /usr/share/perl5/Crypt/PKCS10.pm line 607
6) eval {...} called
at /usr/share/perl5/Crypt/PKCS10.pm line 604
7) Crypt::PKCS10::new("Crypt::PKCS10", "0\x{82}...}"..., "ignoreNonBase64", 1,
"verifySignature", 1) called
at /usr/share/perl5/OpenXPKI/Client/Service/Base.pm line 185
8) OpenXPKI::Client::Service::Base::handle_enrollment_request(OpenXPKI::Client::Service::SCEP=HASH(0x5574a92cd9b0),
CGI::Fast=HASH(0x5574a6bc5e40)) called
at /usr/lib/cgi-bin/scepv3.fcgi line 100
The program flow is as follows:
2) The received message is of type GetCertInitial.
8) In line 100 of the scepv3.fcgi Script,
OpenXPKI::Client::Service::Base::handle_enrollment_request is called
7) At line 185 of OpenXPKI::Client::Service::Base::handle_enrollment_request,
Crypt::PKCS10::new is called
because, as I wrote in my previous post, the if statement in line 176:
if (!defined $param->{pkcs10})
evaluates as TRUE since $param->{pkcs10} is set to undef.
3) The Perl ASN.1 decoder throws an error because it tries to decode the
issuerAndSubject payload as a pkcs10 payload.
The reason for this strange flow is that, due to the commit
https://github.com/openxpki/openxpki/commit/69a9e7d6c696ec6fafd00aa046f7b59db1123725
build_params in line 181 of SCEP.pm was set to
} elsif ($self->message_type() eq 'GetCertInitial') {
$params->{pkcs10} = undef;
But if I revert this commit to the previous setting
} elsif ($self->message_type() eq 'GetCertInitial') {
$params->{pkcs10} = '';
then the GetCertInitial request just completes successfully:
2024/01/23 13:13:19 DEB Handle enrollment
[pid=2838|server=generic|endpoint=generic|tid=4AB359CC95381913B6D6E0BE0D20EC24D4AEAD66]
2024/01/23 13:13:19 DEB Adding extra params for message type GetCertInitial
[pid=2838|server=generic|tid=4AB359CC95381913B6D6E0BE0D20EC24D4AEAD66|endpoint=generic]
2024/01/23 13:13:19 DEB Pickup via attribute with transaction_id =>
4AB359CC95381913B6D6E0BE0D20EC24D4AEAD66
[pid=2838|server=generic|endpoint=generic|tid=4AB359CC95381913B6D6E0BE0D20EC24D4AEAD66]
2024/01/23 13:13:19 DEB Pickup 29439 for
4AB359CC95381913B6D6E0BE0D20EC24D4AEAD66
[pid=2838|endpoint=generic|tid=4AB359CC95381913B6D6E0BE0D20EC24D4AEAD66|server=generic]
2024/01/23 13:13:19 DEB request for workflow info on 29439
[pid=2838|server=generic|endpoint=generic|tid=4AB359CC95381913B6D6E0BE0D20EC24D4AEAD66]
2024/01/23 13:13:19 DEB Sending output for qWWw1x2z4d_LzND6VZ6djmFclIE
[pid=2838|server=generic|endpoint=generic|tid=4AB359CC95381913B6D6E0BE0D20EC24D4AEAD66]
2024/01/23 13:13:19 DEB Status: 200 OK
[pid=2838|server=generic|tid=4AB359CC95381913B6D6E0BE0D20EC24D4AEAD66|endpoint=generic]
Kind regards
Andreas
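As an added illustration of the flow described above (my own example, not OpenXPKI or strongSwan code), here is a small Python classifier that reads only the DER tag/length headers of a PKIOperation body and reports whether the outer structure is a PKCS#10 CertificationRequest (SEQUENCE followed by SEQUENCE) or a CMS ContentInfo (SEQUENCE followed by an OBJECT IDENTIFIER). The sample input is the byte prefix printed in the logged Crypt::PKCS10::new call (the log shows only that prefix; the rest is elided there), plus a constructed PKCS#10-like prefix for the other branch. On the logged bytes it finds tag 06 at offset 4 where a CSR parser wants 30, and decodes the OID as 1.2.840.113549.1.7.2 (id-signedData). That this offset is what the "4" in the Convert::ASN1 message refers to is an assumption; the byte layout itself is as logged.

```python
"""Classify the outer DER structure of a SCEP PKIOperation body.

Added example, not OpenXPKI or strongSwan code. It reads only tag/length
headers, so it works on the truncated payload prefix that appears in the
OpenXPKI log (the bytes after "Crypt::PKCS10::new(").
"""

# Transcribed from the log line: the first bytes of the value OpenXPKI handed
# to Crypt::PKCS10::new for the GetCertInitial request. Only this prefix is
# visible in the log; the rest is elided there ("...").
LOGGED_PREFIX = bytes.fromhex(
    "30820b18"                            # SEQUENCE, len 0x0b18 (ContentInfo)
    "06092a864886f70d010702"              # OID 1.2.840.113549.1.7.2 (id-signedData)
    "a0820b09"                            # [0] EXPLICIT, len 0x0b09
    "30820b05"                            # SEQUENCE (SignedData)
    "020101"                              # INTEGER version 1
    "310f300d06096086480165030402010500"  # SET OF DigestAlgorithmIdentifier (sha256)
    "3082030e"                            # SEQUENCE (EncapsulatedContentInfo)
    "06092a864886f70d010701"              # OID 1.2.840.113549.1.7.1 (id-data)
    "a08202"                              # [0] EXPLICIT, length cut off in the log
)

# Constructed (hypothetical) prefix of a PKCS#10 CertificationRequest:
# SEQUENCE { SEQUENCE certificationRequestInfo { INTEGER version 0 ...
CSR_PREFIX = bytes.fromhex("30820230" "30820118" "020100")


def der_header(buf: bytes, off: int) -> tuple[int, int, int]:
    """Return (tag, length, content_offset) for the TLV starting at `off`.

    Handles single-byte tags and short/long definite lengths, which is all a
    PKCS#10 or CMS top level uses. Raises ValueError on a truncated header.
    """
    if off >= len(buf):
        raise ValueError(f"truncated: no tag at offset {off}")
    tag = buf[off]
    if tag & 0x1F == 0x1F:
        raise ValueError(f"multi-byte tag at offset {off} not supported")
    if off + 1 >= len(buf):
        raise ValueError(f"truncated: no length at offset {off + 1}")
    first = buf[off + 1]
    if first < 0x80:
        return tag, first, off + 2
    n = first & 0x7F
    if n == 0 or off + 2 + n > len(buf):
        raise ValueError(f"bad or truncated length at offset {off + 1}")
    length = int.from_bytes(buf[off + 2 : off + 2 + n], "big")
    return tag, length, off + 2 + n


def decode_oid(content: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first, rest = arcs[0], arcs[1:]
    # The first two arcs are packed into one sub-identifier (40*X + Y).
    x, y = (2, first - 80) if first >= 80 else divmod(first, 40)
    return ".".join(str(a) for a in [x, y, *rest])


KNOWN_CONTENT_TYPES = {
    "1.2.840.113549.1.7.1": "id-data",
    "1.2.840.113549.1.7.2": "id-signedData",
    "1.2.840.113549.1.7.3": "id-envelopedData",
}


def classify_body(buf: bytes) -> dict:
    """Look at the first two TLV headers and say what the blob is.

    PKCS#10 CertificationRequest ::= SEQUENCE { certificationRequestInfo SEQUENCE, ... }
    CMS ContentInfo              ::= SEQUENCE { contentType OBJECT IDENTIFIER, ... }
    so the tag right after the outer SEQUENCE header decides.
    """
    tag, _, inner_off = der_header(buf, 0)
    if tag != 0x30:
        return {"kind": "not-a-sequence", "outer_tag": tag}
    inner_tag, inner_len, inner_content = der_header(buf, inner_off)
    result = {"inner_offset": inner_off, "found_tag": inner_tag, "expected_for_pkcs10": 0x30}
    if inner_tag == 0x30:
        result["kind"] = "pkcs10-like"
    elif inner_tag == 0x06:
        oid = decode_oid(buf[inner_content : inner_content + inner_len])
        result["kind"] = "cms-contentinfo"
        result["content_type"] = oid
        result["content_type_name"] = KNOWN_CONTENT_TYPES.get(oid, "unknown")
    else:
        result["kind"] = "unknown"
    return result


def explain(buf: bytes) -> str:
    """One-line diagnosis in the spirit of the logged 'decode error 06<=>30' message."""
    r = classify_body(buf)
    if r["kind"] == "pkcs10-like":
        return "outer SEQUENCE followed by SEQUENCE: plausible PKCS#10, hand to the CSR parser"
    if r["kind"] == "cms-contentinfo":
        return (f"tag {r['found_tag']:02x} where a PKCS#10 parser expects "
                f"{r['expected_for_pkcs10']:02x} at offset {r['inner_offset']}: "
                f"this is CMS ContentInfo ({r['content_type_name']}), not a CSR")
    return f"unrecognised structure: {r}"


if __name__ == "__main__":
    print(explain(LOGGED_PREFIX))
    print(explain(CSR_PREFIX))
```

Run it on the raw POST body (e.g. captured with tcpdump or a reverse proxy) before a message reaches the service layer; a ContentInfo result means the caller is handing the whole signed pkiMessage to a CSR parser, which is the situation the trace above describes, whereas a pkiMessage whose inner content really is a CSR only shows up as PKCS#10 after the CMS layers have been unwrapped.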
On 24.01.24 17:51, Oliver Welter wrote:
Hi Andreas,
this commit was made to address another problem with GetCertInitial, so it was
intentional, but I did not find the time for a closer look now.
I just stumbled over your initial post:
> SCEP GetCertInitial request containing an issuer_serial payload fails
The GetCertInitial command is specified to carry an issuerAndSubject hash, not
a serial number, which makes sense as you don't know the serial yet - and this is
just not implemented in OpenXPKI. The GetCertInitial command evaluates only the
transaction_id and I would assume that the problem you are experiencing here is
that this lookup fails (likely due to the problem that was reported last year:
https://sourceforge.net/p/openxpki/mailman/message/56898589/)
Looks like we need to check again for the different edge cases here...
Oliver
On 23.01.24 13:58, Andreas Steffen wrote:
I think the commit
https://github.com/openxpki/openxpki/commit/69a9e7d6c696ec6fafd00aa046f7b59db1123725
introduced a regression in line 181 of SCEP.pm:
} elsif ($self->message_type() eq 'GetCertInitial') {
- $params->{pkcs10} = '';
+ $params->{pkcs10} = undef;
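Review bot: the consumer of this value in Base.pm (quoted below, "if (!defined $param->{pkcs10})") distinguishes undef from '', so switching the GetCertInitial sentinel from '' to undef changes which branch that guard takes: undef now means "treat the body as a raw POST and parse it as PKCS#10", which is exactly the path the trace shows. If the intent is "this message type carries no CSR", either keep a defined sentinel here or make the guard in Base.pm check the message type (or exists) rather than definedness, so the two call sites agree on what undef means. The commit message is not visible here, so the other GetCertInitial problem this was meant to fix cannot be weighed against that.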
Changing the contents of $params->{pkcs10} back from undef to '' fixes the
problem because then in line 167 of Base.pm:
https://github.com/openxpki/openxpki/blob/v3.28.0/core/server/OpenXPKI/Client/Service/Base.pm#L167
the if statement
# if pkcs10 was not already passed from build params
# we assume it is a raw POST
if (!defined $param->{pkcs10}) {
evaluates FALSE and the non-existing pkcs10 payload is not parsed in the
GetCertInitial request.
On 23.01.24 09:21, Oliver Welter wrote:
Hi Andreas,
did you change from LibSCEP to the Builtin SCEP with the code upgrade or did
you just upgrade the packages?
It sounds like the pickup of the workflow (which we do only by transaction id)
is not working and in turn the system tries to run an enrollment (the fallback
solution here is not really nice....).
Oliver
On 22.01.24 17:33, Andreas Steffen wrote:
After upgrading from v3.26 to v3.28 the ASN.1 parsing of the
SCEP GetCertInitial request containing an issuer_serial payload fails
because the parser seems to expect a pkcs10 payload instead
as the following log shows:
# PKIOperation - PKCSReq request with pkcs10 payload successful
2024/01/22 13:12:45 DEB Parsed URI: generic =>
[pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Incoming SCEP operation PKIOperation on endpoint
generic [pid=1407|server=generic|endpoint=generic]
2024/01/22 13:12:45 DEB Got PKIOperation via POST
[pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Config created
[pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Initialize client
[pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Started volatile session with id:
KZ+dfqjvSrqMY0bR8kWbLA== [pid=1407|endpoint=generic|server=generic]
2024/01/22 13:12:45 DEB Selecting auth stack _System
[pid=1407|server=generic|endpoint=generic]
2024/01/22 13:12:46 DEB Handle enrollment
[pid=1407|server=generic|endpoint=generic]
2024/01/22 13:12:46 DEB Adding extra params for message type PKCSReq
[pid=1407|server=generic|endpoint=generic]
2024/01/22 13:12:46 DEB Pickup via attribute with transaction_id =>
5A2019C1EB3543921E4FD658ECF88073BA62D781
[pid=1407|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic|server=generic]
2024/01/22 13:12:46 DEB Initialize certificate_enroll with params interface,
_url_params, signer_cert, server, pkcs10, transaction_id
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:12:46 DEB Workflow created (ID: 28671), State:
MANUAL_AUTHORIZATION
[pid=1407|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic|server=generic]
2024/01/22 13:12:46 INF Request Pending - MANUAL_AUTHORIZATION
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:12:46 DEB Status: 202 Request Pending - Retry Later
(5A2019C1EB3543921E4FD658ECF88073BA62D781)
[pid=1407|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|server=generic]
2024/01/22 13:12:46 INF Send pending response for
5A2019C1EB3543921E4FD658ECF88073BA62D781
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:12:46 INF Disconnect client
[pid=1407|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic|server=generic]
# PKIOperation - GetCertInitial request with transaction_id and issuer_serial
payload fails
2024/01/22 13:13:46 DEB Parsed URI: generic =>
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:13:46 DEB Incoming SCEP operation PKIOperation on endpoint
generic
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:13:46 DEB Got PKIOperation via POST
[pid=1407|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic|server=generic]
2024/01/22 13:13:46 DEB Config created
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:13:46 DEB Initialize client
[pid=1407|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|server=generic]
2024/01/22 13:13:46 DEB Started volatile session with id:
siYXZDTVRqifdA3BD8uZxg==
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:13:46 DEB Selecting auth stack _System
[pid=1407|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|server=generic]
2024/01/22 13:13:46 DEB Handle enrollment
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:13:46 DEB Adding extra params for message type GetCertInitial
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
2024/01/22 13:13:46 ERR Unable to parse PKCS10: decode: decode error 06<=>30 4
8 certificationRequestInfo at /usr/share/perl5/Convert/ASN1/_decode.pm line 117.
Cannot handle input or missing ASN.1 definitions at
/usr/share/perl5/Crypt/PKCS10.pm line 756.
Crypt::PKCS10::_new(undef, undef, undef, "ignoreNonBase64", 1,
"verifySignature", 1) called at /usr/share/perl5/Crypt/PKCS10.pm line 607
eval {...} called at /usr/share/perl5/Crypt/PKCS10.pm line 604
Crypt::PKCS10::new("Crypt::PKCS10",
"0\x{82}\x{b}\x{18}\x{6}\x{9}*\x{86}H\x{86}\x{f7}\x{d}\x{1}\x{7}\x{2}\x{a0}\x{82}\x{b}\x{9}0\x{82}\x{b}\x{5}\x{2}\x{1}\x{1}1\x{f}0\x{d}\x{6}\x{9}`\x{86}H\x{1}e\x{3}\x{4}\x{2}\x{1}\x{5}\x{0}0\x{82}\x{3}\x{e}\x{6}\x{9}*\x{86}H\x{86}\x{f7}\x{d}\x{1}\x{7}\x{1}\x{a0}\x{82}\x{2}"...,
"ignoreNonBase64", 1, "verifySignature", 1) called at
/usr/share/perl5/OpenXPKI/Client/Service/Base.pm line 185
OpenXPKI::Client::Service::Base::handle_enrollment_request(OpenXPKI::Client::Service::SCEP=HASH(0x5574a92cd9b0),
CGI::Fast=HASH(0x5574a6bc5e40)) called at /usr/lib/cgi-bin/scepv3.fcgi line 100
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
...
2024/01/22 13:13:46 DEB Status: 400 Unable to parse request
[pid=1407|server=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|endpoint=generic]
2024/01/22 13:13:46 WAR Client error / malformed request badRequest
[pid=1407|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781|server=generic]
2024/01/22 13:13:46 INF Disconnect client
[pid=1407|server=generic|endpoint=generic|tid=5A2019C1EB3543921E4FD658ECF88073BA62D781]
Best regards
Andreas
======================================================================
Andreas Steffen [email protected]
strongSwan - the Open Source VPN Solution! www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
======================================================================
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
======================================================================
Andreas Steffen [email protected]
strongSwan - the Open Source VPN Solution! www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
======================================================================