Hello Alex,

You wrote: "The error typically means that you do not have a CA installed that 
can satisfy the requested notafter date - did you install a CA certificate yet? 
If so, does it run out before August 2009?"

We used the "openxpkiadm key generate --realm CYBORG --group default" command
to generate the CA certificate (it's valid for 365 days from the generation
date, in other words, until Jan 2010) and got the following warning:
 EVAL_ERROR: I18N_OPENXPKI_XML_CACHE_GET_XPATH_COUNT_NOTHING_FOUND; __XPATH__ => pki_realm/0/common/0/secret/0/group/0/method/0/required_shares

And we still get the following error during the certificate issuance workflow:

$VAR1 = {
          'LIST' => [
                      {
                        'LABEL' => 'I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_FORKWORKFLOWINSTANCE_ERROR_FORKING',
                        'PARAMS' => {
                                      '__EVAL_ERROR__' => 'I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_FORKWORKFLOWINSTANCE_ERROR_EXECUTING_ACTIVITY; __STATE__ => ; __EVAL_ERROR__ => I18N_OPENXPKI_ACTIVITY_TOOLS_DETERMINEISSUINGCA_NO_MATCHING_CA; __REQUESTED_NOTAFTER__ => 2009-07-16T13:13:56'
                                    }
                      }
                    ],
          'SERVICE_MSG' => 'ERROR'
        };


The following is a corresponding part of the /var/log/openxpki.log file:
 
2009/01/16 16:05:46 Workflow.ERROR Caught exception from action: I18N_OPENXPKI_ACTIVITY_TOOLS_DETERMINEISSUINGCA_NO_MATCHING_CA; __REQUESTED_NOTAFTER__ => 2009-07-16T13:10:46; reset workflow to old state 'WAITING_FOR_START'

2009/01/16 16:05:46 Workflow.ERROR Caught exception from action: I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_FORKWORKFLOWINSTANCE_ERROR_FORKING; __EVAL_ERROR__ => I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_FORKWORKFLOWINSTANCE_ERROR_EXECUTING_ACTIVITY; __STATE__ => ; __EVAL_ERROR__ => I18N_OPENXPKI_ACTIVITY_TOOLS_DETERMINEISSUINGCA_NO_MATCHING_CA; __REQUESTED_NOTAFTER__ => 2009-07-16T13:10:46; reset workflow to old state 'SPAWNING_CERT_ISSUANCE'

Does it mean that the CA certificate's expiration date should match the
"notbefore" and "notafter" date interval? Could you explain where we can
change these values ("notbefore" and "notafter")?

______________________________
With best regards, Dmitry Golomolzin
INDEC Ltd.
[email protected]
[email protected]

-----Original Message-----
From: Alexander Klink [mailto:[email protected]] 
Sent: Monday, January 12, 2009 5:13 PM
To: [email protected]
Cc: [email protected]
Subject: Re: [OpenXPKI-users] Signature in the 
I18N_OPENXPKI_WF_ACTION_APPROVE_CSR activity

Hi Dmitry,

On Sun, Jan 11, 2009 at 06:08:38PM +0500, Dmitry Golomolzin wrote:
> We tried to issue a new certificate and faced some trouble during the
> process of the certificate approval (see our questions marked by the "###"
> prefix below).

> my $serialized_context = OpenXPKI::Serialization::Simple->new()->
> serialize($current_context);
> 
> my $context_hash = sha1_hex($serialized_context);
> 
> my $params = {};
> 
> $params->{'_signature'} = ?????;
> 
> ### Question: What kind of signature should we use here?

This signature is generated by Mozilla's crypto.signText() or CAPICOM's
SignedData.Sign() method. Do you really need the signature? In a normal
deployment, you should be able to approve without a signature; the
signature-based approval is just an optional additional feature with added
security.

> $msg = $client->send_receive_command_msg('execute_workflow_activity',{
> 
> ACTIVITY=>"I18N_OPENXPKI_WF_ACTION_APPROVE_CSR",
> 
> ID=>$w_id,
> 
> PARAMS=>$params,

try PARAMS => {}, for a start

> ### Then we used 'I18N_OPENXPKI_WF_ACTION_PERSIST_CSR' activity 
> without additional parameters, but got the following error:
> 
> $VAR1 = {
> 'LIST' => [
> {
> 'LABEL' => 'I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_FORKWORKFLOWINSTANCE_ERROR_FORKING',
> 'PARAMS' => {
> '__EVAL_ERROR__' => 'I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_FORKWORKFLOWINSTANCE_ERROR_EXECUTING_ACTIVITY; __STATE__ => ; __EVAL_ERROR__ => I18N_OPENXPKI_ACTIVITY_TOOLS_DETERMINEISSUINGCA_NO_MATCHING_CA; __REQUESTED_NOTAFTER__ => 2009-07-11T12:22:29'
> }
> }
> ],
> 'SERVICE_MSG' => 'ERROR'
> };
> 
> ### Question: What may be the cause of this error?

The error typically means that you do not have a CA installed that can satisfy 
the requested notafter date - did you install a CA certificate yet? If so, does 
it run out before August 2009?

HTH,
Cheers,
  Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer
        [email protected] | working @ urn:oid:1.3.6.1.4.1.11417


_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
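
A small triage helper for the NO_MATCHING_CA error discussed in this thread, as an added example (not code from the thread or from OpenXPKI): it pulls `__REQUESTED_NOTAFTER__` out of log lines and compares it with a list of CA validity periods. The inventory format, the function names and the rule that a CA must be valid now and remain valid until the requested notafter are assumptions based on Alex's explanation; the log lines are constructed from the excerpt above.

```python
import re
from datetime import datetime

# Constructed sample lines, modelled on the openxpki.log excerpt in this thread.
SAMPLE_LOG = [
    "2009/01/16 16:05:46 Workflow.ERROR Caught exception from action: "
    "I18N_OPENXPKI_ACTIVITY_TOOLS_DETERMINEISSUINGCA_NO_MATCHING_CA; "
    "__REQUESTED_NOTAFTER__ => 2009-07-16T13:10:46; reset workflow to old "
    "state 'WAITING_FOR_START'",
    "2009/01/16 16:05:40 Workflow.INFO constructed unrelated line",
]

NO_MATCHING_CA = re.compile(
    r"DETERMINEISSUINGCA_NO_MATCHING_CA;\s*"
    r"__REQUESTED_NOTAFTER__ => (\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)"
)


def requested_notafters(lines):
    """Distinct requested notafter timestamps from NO_MATCHING_CA errors."""
    found = []
    for line in lines:
        for stamp in NO_MATCHING_CA.findall(line):
            ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
            if ts not in found:
                found.append(ts)
    return found


def diagnose(requested, cas, now):
    """Explain why no CA fits. `cas` is a hypothetical inventory of
    (alias, notbefore, notafter) tuples for the installed CA certificates."""
    if not cas:
        return "no CA certificate installed"
    # Assumed rule: the CA is valid now and stays valid until `requested`.
    usable = [alias for alias, nb, na in cas if nb <= now and requested <= na]
    if usable:
        return "covered by " + ", ".join(usable)
    reasons = []
    for alias, nb, na in cas:
        if nb > now:
            reasons.append(f"{alias}: not yet valid")
        else:
            reasons.append(f"{alias}: expires {na:%Y-%m-%d}, before requested notafter")
    return "; ".join(reasons)
```

An empty inventory and a CA that expires too early produce the same server-side error, so the helper reports them separately.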
