Hi Jairo,

the HMAC functionality is nothing which comes from a PKI standard but was invented by us :)


The SCEP (and also EST) layer allows you to pass arbitrary additional data fields to the workflow backends by adding them as query parameters to the URI. The sscep tool offers the "-M" switch for this purpose. The inner logic of the enrollment workflow can use several types of secrets/signatures to preauthenticate incoming requests, of which HMAC is one.


I don't have the commands here off the top of my head, but here is what you need to do:

- set the hmac shared secret in the endpoint configuration

- create a CSR

- calculate the SHA256 HMAC using the shared secret over the DER encoded CSR

- append the HMAC in hex notation using the parameter "signature" to the request


If you have a look at the workflow context afterwards, there should be a parameter "url_signature" holding your HMAC.


Oliver


On 24.07.24 14:39, Jairo Mejia Aponte via OpenXPKI-users wrote:
Dear Devs,

I am able to communicate successfully with the OpenXPKI server with SSCEP and I could also use the challenge password to authenticate to the server. However, I have not found any information about the HMAC Authentication. Could you please explain how I can make the CSR and the key to be able to use HMAC?

The only thing that I found related to HMAC in openssl was here <https://docs.openssl.org/3.3/man1/openssl-dgst/#options>, for the commands openssl-dgst and openssl-mac, but I am unsure how to use them to be able to communicate with OpenXPKI.

Thanks again for all the support and the awesome application.

Sincerely,

Jairo M.


_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment -  close windows and adopt a penguin!
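
The steps listed in the reply above (HMAC-SHA256 with the shared secret over the DER encoded CSR, hex encoded, sent as the "signature" parameter), as an added example that is not part of the original thread and not OpenXPKI's own code. The function names are hypothetical, the sample CSR bytes are constructed, and it assumes the configured secret is used as the HMAC key byte for byte.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlencode

# Hypothetical helpers; assumption: the secret's raw bytes are the HMAC key.
PEM_RE = re.compile(
    rb"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)"
    rb"-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.DOTALL,
)


def csr_to_der(csr: bytes) -> bytes:
    """Return the DER bytes of a CSR supplied as PEM or DER."""
    match = PEM_RE.search(csr)
    if match:
        # PEM is base64 of the DER structure between the armor lines.
        return base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if csr[:1] != b"\x30":  # a DER CSR starts with an ASN.1 SEQUENCE tag
        raise ValueError("input is neither a PEM nor a DER encoded CSR")
    return csr


def csr_hmac_hex(secret: bytes, csr: bytes) -> str:
    """SHA256 HMAC over the DER encoded CSR, in hex notation."""
    return hmac.new(secret, csr_to_der(csr), hashlib.sha256).hexdigest()


def signature_param(secret: bytes, csr: bytes) -> str:
    """The name=value pair to append to the request (e.g. via sscep -M)."""
    return urlencode({"signature": csr_hmac_hex(secret, csr)})


def verify(secret: bytes, csr: bytes, received_hex: str) -> bool:
    """Illustrative receiver-side check using a constant-time comparison."""
    return hmac.compare_digest(csr_hmac_hex(secret, csr), received_hex.lower())


if __name__ == "__main__":
    # Constructed stand-in for a DER CSR: SEQUENCE { INTEGER 1 }.
    sample_der = bytes.fromhex("3003020101")
    sample_pem = (b"-----BEGIN CERTIFICATE REQUEST-----\n"
                  + base64.b64encode(sample_der)
                  + b"\n-----END CERTIFICATE REQUEST-----\n")
    secret = b"constructed-shared-secret"
    print(signature_param(secret, sample_pem))
    assert csr_hmac_hex(secret, sample_pem) == csr_hmac_hex(secret, sample_der)
```

Computing the HMAC over the PEM file instead of its DER content is the easy mistake here, which is why the helper normalizes both encodings to DER before hashing.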