Hi Oliver,

Thank you very much for your help. As you mentioned, I followed all the steps mentioned and I was able to authenticate with HMAC-SHA256.
Thanks a lot for your help.

Sincerely,

Jairo R. Mejia Aponte | Embedded Software Linux Junior Engineer
Netmodule | Hirschmann Automation & Control GmbH
Location Eschborn | Frankfurter Str. 10-14 | 65760 Eschborn | Germany
jairo.mejiaapo...@belden.com | www.netmodule.com | www.belden.com

________________________________
From: Oliver Welter <m...@oliwel.de>
Sent: 25 July 2024 8:03 AM
To: openxpki-users@lists.sourceforge.net
Subject: [EXTERNAL] Re: [OpenXPKI-users] How to make an Enrollment with HMAC Authentification?

Hi Jairo,

the HMAC functionality is nothing which comes from a PKI standard but was invented by us :)

The SCEP (and also EST) layer allows you to pass arbitrary additional data fields to the workflow backends by adding them as query parameters to the URI. The sscep tool offers the "-M" switch for this purpose.

The inner logic of the enrollment workflow can use several types of secrets/signatures to preauthenticate incoming requests, where HMAC is one of them.

I don't have the commands here from the top of my head but here is what you need to do:

- set the hmac shared secret in the endpoint configuration
- create a CSR
- calculate the SHA256 HMAC using the shared secret over the DER encoded CSR
- append the HMAC in hex notation using the parameter "signature" to the request

If you have a look at the workflow context afterwards, there should be a parameter "url_signature" holding your HMAC

Oliver

On 24.07.24 14:39, Jairo Mejia Aponte via OpenXPKI-users wrote:

Dear Devs,

I am able to communicate successfully to the OpenXPKI server with SSCEP and I could also use the challenge password to authenticate to the server. However, I have not found any information about the HMAC Authentication. Could you please explain how I can make the CSR and the key to be able to use HMAC?
The only thing that I found related to HMAC in openssl was here <https://docs.openssl.org/3.3/man1/openssl-dgst/#options>, for the commands openssl-dgst and openssl-mac, but I am unsure how to use them to be able to communicate with OpenXPKI.

Thanks again for all the support and the awesome application.

Sincerely,
Jairo M.

________________________________
DISCLAIMER: Privileged and/or Confidential information may be contained in this message. If you are not the addressee of this message, you may not copy, use or deliver this message to anyone. In such event, you should destroy the message and kindly notify the sender by reply e-mail. It is understood that opinions or conclusions that do not relate to the official business of the company are neither given nor endorsed by the company. Thank You.

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
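Added example, not part of the thread and not OpenXPKI code: the client-side steps Oliver lists (HMAC-SHA256 over the DER-encoded CSR, hex-encoded, appended as the "signature" query parameter), including the PEM-to-DER conversion that is easy to miss when the CSR file is PEM. The endpoint URL, the secret, the sample bytes and all function names are constructed for illustration, and keying the HMAC with the UTF-8 bytes of the secret is an assumption.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlencode, urlsplit, urlunsplit

PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)


def csr_to_der(data: bytes) -> bytes:
    """Return the DER bytes of a CSR given as PEM or DER."""
    m = PEM_RE.search(data.decode("latin-1"))
    if m is None:
        return data  # no PEM armor found: assume it is already DER
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def csr_hmac_hex(csr: bytes, secret: str) -> str:
    """HMAC-SHA256 over the DER-encoded CSR, in hex notation."""
    # Assumption: the endpoint's shared secret is keyed as its UTF-8 bytes.
    return hmac.new(secret.encode("utf-8"), csr_to_der(csr),
                    hashlib.sha256).hexdigest()


def signed_url(endpoint: str, csr: bytes, secret: str) -> str:
    """Append signature=<hex HMAC> as a query parameter to the endpoint URI."""
    parts = urlsplit(endpoint)
    extra = urlencode({"signature": csr_hmac_hex(csr, secret)})
    query = f"{parts.query}&{extra}" if parts.query else extra
    return urlunsplit(parts._replace(query=query))


def signature_matches(csr: bytes, secret: str, received_hex: str) -> bool:
    """Receiver-side check, compared in constant time."""
    return hmac.compare_digest(csr_hmac_hex(csr, secret), received_hex.lower())


# Constructed stand-in bytes, not a parseable CSR; the MAC only sees bytes.
SAMPLE_DER = bytes.fromhex("3082010a") + bytes(range(200))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE REQUEST-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    secret = "constructed-shared-secret"          # placeholder value
    url = "http://pki.example.com/scep/generic"   # placeholder endpoint
    print(signed_url(url, SAMPLE_PEM, secret))
```

With sscep, the same `signature=<hex>` pair is what the "-M" switch mentioned in the thread carries, instead of being written into the URL by hand. Computing the HMAC over the PEM text rather than the DER bytes yields a different value, which is why `csr_to_der` runs first.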