Re: [OpenXPKI-users] Disabling PKCS10 signature verification
Hi Martin/Oliver,

What are the general steps if we want to add custom inputs through RPC to workflow context and later it will be used/referenced in render subject?

Thanks in advance.

Regards,
Mukilan

On Monday, 19 December, 2022 at 12:17:10 pm GMT+1, Mukilan P via OpenXPKI-users wrote:

> Thanks Martin for your response.
>
> Regards,
> Mukilan
>
> On Tuesday, 15 November, 2022 at 04:22:56 pm GMT+1, Mukilan P via OpenXPKI-users wrote:
>
> > Hi Oliver,
> >
> > Thanks for your fast response.
> >
> > Does it mean that we can't ignore signature verification for CSR? I will explain the use case. We would like to modify the SubjectDN/SAN as part of our own policy while internal clients (devices, computers and etc) are raising certificate requests. The internal clients will send the CSR to a proxy, then proxy will contact on behalf of client to send CSR and receive certificate. The proxy will do all the policy implementation related to Subject and SAN.
> >
> > Since the Subject DN/SAN is modified in proxy, we would like to instruct the OpenXPKI to ignore signature validation for CSR. Is there any way/configuration parameter to instruct the OpenXPKI to ignore the signature validation for CSR.
> >
> > Regards,
> > Mukilan
> >
> > On Tuesday, 15 November, 2022 at 02:31:50 pm GMT+1, Oliver Welter wrote:
> >
> > > Hi Mukilan,
> > >
> > > if you look at the workflow history you will very likely see the output of a crashed OpenSSL command. The OpenXPKI default backend uses the openssl binary to sign CSRs and this does not work if the PKCS10 container is not properly formatted/signed.
> > >
> > > We had such a problem at a customer installation some time ago with broken appliances and ended up with a patched version of OpenSSL doing the job.
> > >
> > > best regards
> > >
> > > Oliver
> > >
> > > On 15.11.22 13:59, Mukilan P via OpenXPKI-users wrote:
> > >
> > > > Hi Experts,
> > > >
> > > > This is further to the above query. I changed the value verify_signature to 0 in workflow/global/validator/pkcs10_valid.yaml like below, but getting 'PREPARED' status instead of SUCCESS
> > > >
> > > >     class: OpenXPKI::Server::Workflow::Validator::PKCS10
> > > >     param:
> > > >         empty_subject: 1
> > > >         verify_signature: 0
> > > >     arg:
> > > >      - $pkcs10
> > > >
> > > > On Tuesday, 15 November, 2022 at 12:29:57 pm GMT+1, Mukilan P via OpenXPKI-users wrote:
> > > >
> > > > > Hi Experts,
> > > > >
> > > > > Is there any way to disable pkcs10 signature verification as part of enroll/renewal in OpenXPKI?
> > > > >
> > > > > Thanks in advance.
> > > > >
> > > > > Regards,
> > > > > Mukilan
> > >
> > > --
> > > Protect your environment - close windows and adopt a penguin!

___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
Re: [OpenXPKI-users] Disabling PKCS10 signature verification
Thanks Martin for your response.

Regards,
Mukilan
Re: [OpenXPKI-users] Disabling PKCS10 signature verification
Hi Mukilan,

> Does it mean that we can't ignore signature verification for CSR? I will
> explain the use case. We would like to modify the SubjectDN/SAN as part of
> our own policy while internal clients (devices, computers and etc) are
> raising certificate requests. The internal clients will send the CSR to a
> proxy, then proxy will contact on behalf of client to send CSR and receive
> certificate. The proxy will do all the policy implementation related to
> Subject and SAN.
> Since the Subject DN/SAN is modified in proxy, we would like to instruct the
> OpenXPKI to ignore signature validation for CSR. Is there any
> way/configuration parameter to instruct the OpenXPKI to ignore the signature
> validation for CSR.

Well, this is not how it's supposed to work. ;)

I honestly cannot imagine a use case in which it would be necessary to modify the CSR itself in order to enforce a naming policy (and I have seen a *lot* of really strange requirements).

OpenXPKI itself provides sufficient means to selectively process data provided in the CSR to form the desired DN/SANs. Get rid of that proxy and configure your policy correctly.

Cheers

Martin
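Added example (not part of the original thread and not OpenXPKI code): the openssl-level check that fails once a CSR's subject has been changed without the requester's private key, which is the situation the proxy discussed above creates. The subject names, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; subject, file and function names are constructed.

# Create a throwaway key and a CSR the way a device would.
make_csr() {  # $1 = work dir
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/device.key" -out "$1/device.csr" \
        -subj "/CN=device01.example.test" 2>/dev/null
}

# Succeed only if the request's self-signature (proof of possession)
# matches its public key and body. The "verify OK" text is matched
# instead of relying on the exit status.
csr_signature_ok() {  # $1 = CSR file, $2 = PEM or DER
    out=$(openssl req -in "$1" -inform "$2" -noout -verify 2>&1 || true)
    case "$out" in
        *"verify OK"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-in for an intermediary that changes the subject without holding
# the device key: overwrite the CN bytes in the DER request in place.
# The signature field is left untouched.
rewrite_subject() {  # $1 = PEM CSR in, $2 = DER CSR out
    openssl req -in "$1" -outform DER -out "$2" || return 1
    off=$(LC_ALL=C grep -abo 'device01' "$2" | head -n 1 | cut -d: -f1)
    [ -n "$off" ] || return 1
    printf 'device99' | dd of="$2" bs=1 seek="$off" conv=notrunc 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_csr "$dir" || return 1
    csr_signature_ok "$dir/device.csr" PEM && echo "original:  signature OK"
    rewrite_subject "$dir/device.csr" "$dir/rewritten.der" || return 1
    openssl req -inform DER -in "$dir/rewritten.der" -noout -subject
    if csr_signature_ok "$dir/rewritten.der" DER; then
        echo "rewritten: signature OK"
    else
        echo "rewritten: signature check FAILED"
    fi
    rm -rf "$dir"
}
demo
```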
Re: [OpenXPKI-users] Disabling PKCS10 signature verification
Hi Oliver,

Thanks for your fast response.

Does it mean that we can't ignore signature verification for CSR? I will explain the use case. We would like to modify the SubjectDN/SAN as part of our own policy while internal clients (devices, computers and etc) are raising certificate requests. The internal clients will send the CSR to a proxy, then proxy will contact on behalf of client to send CSR and receive certificate. The proxy will do all the policy implementation related to Subject and SAN.

Since the Subject DN/SAN is modified in proxy, we would like to instruct the OpenXPKI to ignore signature validation for CSR. Is there any way/configuration parameter to instruct the OpenXPKI to ignore the signature validation for CSR.

Regards,
Mukilan
Re: [OpenXPKI-users] Disabling PKCS10 signature verification
Hi Mukilan,

if you look at the workflow history you will very likely see the output of a crashed OpenSSL command. The OpenXPKI default backend uses the openssl binary to sign CSRs and this does not work if the PKCS10 container is not properly formatted/signed.

We had such a problem at a customer installation some time ago with broken appliances and ended up with a patched version of OpenSSL doing the job.

best regards

Oliver

--
Protect your environment - close windows and adopt a penguin!
Re: [OpenXPKI-users] Disabling PKCS10 signature verification
Hi Experts,

This is further to the above query. I changed the value verify_signature to 0 in workflow/global/validator/pkcs10_valid.yaml like below, but getting 'PREPARED' status instead of SUCCESS

    class: OpenXPKI::Server::Workflow::Validator::PKCS10
    param:
        empty_subject: 1
        verify_signature: 0
    arg:
     - $pkcs10
[OpenXPKI-users] Disabling PKCS10 signature verification
Hi Experts,

Is there any way to disable pkcs10 signature verification as part of enroll/renewal in OpenXPKI?

Thanks in advance.

Regards,
Mukilan