Hi Ryan, we have several problems with SCEP and Mac devices. Here are my experiences.

1) iOS + macOS -> request pkiclient.exe?operation=GetCACaps (can be found in the Tomcat access log). This request ends up in a "500 Server Error". After this error, the iOS devices stop requesting. We had to implement that method in the CRSEnrollment.java file to fix that issue.

2) Could not decode request... Decode failed because of a bug with DES3 in combination with the HSM.

3) iOS 11 beta - could not decode request. Bug in the iOS SCEP implementation - in the inner PKCS req data there are multiple objects included which cannot be decoded.

iOS 11 & Mac devices -> I have to test those devices next week. I can share my information about the tests at the end of next week.

BR
Florian

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of Ryan Trinder
Sent: Thursday, 31 August 2017 16:37
To: [email protected]
Subject: [Pki-users] Mac OS SCEP request failure: "Could not decode the request"

Hello PKI users!

I am looking to use Dogtag for my org as the full PKI solution. Initially, I'll be using it for certificate issuance for an EAP-TLS rollout. In the beginning, to get certificates issued throughout the org, I would like to utilize the SCEP server across multiple devices including Mac OS, iOS, Linux, Windows and Chromebooks.

So far, I have tested with the *sscep* utility on Linux and with Mac OS through the mobileconfig XML configuration. Using *sscep* works great on Linux; however, any testing from Mac OS results in a 500 from the server declaring that the request could not be decoded. I initially thought the requests were using the wrong CA; however, intentionally using a wrong CA with the *sscep* utility shows a completely different response in the logs.
Here is an excerpt from the *ca/debug* log for a failed request:

==> ca/debug <==
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: operation=GetCACert
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: message=CAIdentifier
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: handleGetCACert message=CAIdentifier
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: handleGetCACert selected chain=0
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: Output certificate chain: <hex dump of the CA certificate omitted>
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: operation=PKIOperation
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: message=<base64 PKIOperation message omitted>
java.io.EOFException
        at org.mozilla.jss.asn1.ASN1Util.readFully(ASN1Util.java:114)
        at org.mozilla.jss.asn1.ANY$Template.decode(ANY.java:274)
        at org.mozilla.jss.asn1.EXPLICIT$Template.decode(EXPLICIT.java:157)
        at org.mozilla.jss.asn1.EXPLICIT$Template.decode(EXPLICIT.java:146)
        at org.mozilla.jss.asn1.SEQUENCE$Template.decode(SEQUENCE.java:400)
        at org.mozilla.jss.pkcs7.ContentInfo$Template.decode(ContentInfo.java:254)
        at org.mozilla.jss.pkcs7.ContentInfo$Template.decode(ContentInfo.java:247)
        at com.netscape.cmsutil.scep.CRSPKIMessage.decodeCRSPKIMessage(CRSPKIMessage.java:701)
        at com.netscape.cmsutil.scep.CRSPKIMessage.<init>(CRSPKIMessage.java:723)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:832)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:370)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: ServletException javax.servlet.ServletException: Could not decode the request.

And the failure from localhost.log:

==> localhost.2017-08-31.log <==
Aug 31, 2017 2:20:39 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [caSCEP] in context with path [/ca] threw exception [Could not decode the request.] with root cause
javax.servlet.ServletException: Could not decode the request.
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:381)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)

This seems like a Mac OS-specific difference in the requests, but I cannot determine exactly what it is. Would anyone have any experience with this?

For reference, this is dogtag-pki 10.2.6+git20160317-1 installed via apt on Ubuntu 16.04.

--
_______________________________________________
Pki-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pki-users
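A small added diagnostic for the decode failures discussed in this thread (my own code, not Florian's patch and not anything from Dogtag or JSS): it walks the top-level DER objects of a buffer and tells apart a single well-formed object, several concatenated objects (the iOS 11 beta symptom Florian describes), and a truncated object (the kind of short read that surfaces as the EOFException from ASN1Util.readFully in Ryan's trace). The sample bytes are constructed here, not taken from the captured PKIOperation message.

```python
# Classify a DER buffer the way a strict decoder (such as the JSS ASN.1
# templates in the trace above) sees it: exactly one object, several
# concatenated objects, or an object cut off before its declared length.

def _read_tag(buf, i):
    """Return (identifier octet, index after the tag), handling high-tag form."""
    tag = buf[i]
    i += 1
    if tag & 0x1F == 0x1F:          # high-tag-number form: continuation bytes
        while buf[i] & 0x80:
            i += 1
        i += 1
    return tag, i

def _read_length(buf, i):
    """Return (content length, index of first content byte) for a DER length."""
    first = buf[i]
    if first < 0x80:                # short form
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4:             # indefinite length is not DER; cap at 4 bytes
        raise ValueError("indefinite or oversized length at offset %d" % i)
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def top_level_objects(buf):
    """List (offset, tag, content_length) for each consecutive DER object in buf."""
    objs, i = [], 0
    while i < len(buf):
        tag, j = _read_tag(buf, i)
        length, k = _read_length(buf, j)
        if k + length > len(buf):   # declared length runs past the data: short read
            raise ValueError("object at offset %d runs past end of data" % i)
        objs.append((i, tag, length))
        i = k + length
    return objs

def classify(buf):
    """'ok' (one object), 'multiple' (trailing objects) or 'truncated' (short read)."""
    try:
        return "ok" if len(top_level_objects(buf)) == 1 else "multiple"
    except (ValueError, IndexError):
        return "truncated"

# Constructed samples (not from the thread): one SEQUENCE of two OCTET STRINGs,
# two OCTET STRINGs concatenated at top level, and the SEQUENCE cut short.
SINGLE = bytes.fromhex("3006040101040102")
MULTIPLE = bytes.fromhex("040101040102")
TRUNCATED = SINGLE[:-2]

if __name__ == "__main__":
    for name, sample in (("SINGLE", SINGLE), ("MULTIPLE", MULTIPLE), ("TRUNCATED", TRUNCATED)):
        print(name, classify(sample))
```

Feed it the DER bytes of the inner content that a decoder rejects, and a 'multiple' result points at extra objects after the first, while 'truncated' points at a length field that promises more bytes than were delivered.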
