Hi Marc,

> After weeks of "unqualified hacking around" on my machine adapting  
> the openxpki installation to suit my needs I thought I'd share the  
> experience and work I have put into this back to you.
> So, I came up with some modification proposals and setup hints for  
> the other users who want to "try this at home" ;-)

thanks a lot for your effort of summarizing your findings. If you  
like, you are invited to contribute to the OpenXPKI wiki at  
http://wiki.openxpki.org

> I first started trying to sign in with certificate challenge/ 
> response which led me to the following problem in the debug log:
>
> For some reason the Certificate subject sent by the browser looked  
> like that:
> UID=root/CN=Root DemoCA,...
>
> and was compared to the following certificate subject in the database:
> CN=Root DemoCA+UID=root,...
>
> I didn't look into the reason why the subject line looked that  
> weird (exchanged separator, swapped elements)
> but just added a few checks and changing the subject line on the  
> fly (replacing / with + and swapping the elements)
> until it matches. Challenge/response signon was possible after  
> these changes.
> Not very clean, but it works for me. ;-)

Interesting, need to have a look at that. (Never used the UID RDN,  
maybe that's the reason). Not sure if this is a bug, though.

> === ./Server/Workflow/Validator/ApprovalSignature.pm ===
> When trying to approve CSRs with signature I think I received the
> I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATOR_APPROVALSIGNATURE_UNTRUSTED_CERTIFICATE
> error, even though I had defined the trust anchors
> in workflow_validator_certificate_revocation_request.xml and  
> workflow_validator_certificate_signing_request.xml.
> Digging deeper in the debug logs I found that the module tried to  
> load its config from CTX('pki_realm')
> which is not allowed in Workflow context so this call didn't return  
> the config and so the trust anchor variables didn't get filled.

Thanks for pointing this out. Could you please raise a bug report for  
this on the SF tracker?

> === ./Crypto/Profile/Base.pm ===
...
> I presented a client certificate to it. Examining more closely the  
> netscape certificate type field (and after endless searching for
> openssl error codes) I found out that there were certificate types  
> set which must not be set for a server certificate to fulfil its role.
> It must be either not set or have the server bit set.
> Examining the certificate issuance debug logs I found that the XML  
> file was not parsed correctly, so I copied the "space eliminator":
> $bit =~ s/\s+//g; from elsewhere ;-)

Please note that using Netscape extensions is nowadays no longer  
necessary. You should use the corresponding Key Usage and Extended  
Key Usage extensions (see RFC 3280) which cover all required cases  
nicely. If used properly, Apache/mod_ssl will accept certificates  
without any netscape extension. The stock OpenXPKI sample profiles  
should come with usable TLS Server and TLS Client profiles.

> Still - that didn't satisfy me, because now openssl command always  
> failed when issuing server certificates, and I didn't figure out yet
> (and I still didn't) how to actually get the verbose openssl  
> command text output in the debug logs. But I accidentally stumbled  
> across the
> contents of the openssl.cnf file which had the nsCertType line set to:
> nsCertType =
>
> So I assumed this was the error, found out later that the @values  
> array was empty which caused this, and added a security check in:
> === ./Crypto/Backend/OpenSSL/Config.pm ===
> if (@bits) {
> ...
> }
> so the array was checked for existing elements before any line was  
> written to the config file.

... don't use Netscape extensions :-) Use a UserNotice extension for  
this...

Hope OpenXPKI is useful for you - again, feel free to populate the  
Wiki if you like.

cheers

Martin


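To illustrate the two Config.pm fixes Marc describes (stripping XML whitespace from each bit, and skipping the line entirely when the value list is empty so that no bare "nsCertType =" reaches openssl.cnf) alongside Martin's advice to rely on Key Usage and Extended Key Usage, here is a small added Perl example. It is not OpenXPKI code: render_extensions and the profile hash are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: turn a hash of  extension name => arrayref of values
# (as they might come out of an XML profile, whitespace included) into the
# lines that would go into an openssl.cnf extension section.
#
# Two defects from the thread are handled here:
#  - surrounding whitespace/newlines from XML text nodes are stripped, so
#    "\n  server\n" does not end up verbatim in the config file;
#  - an extension with no usable values is omitted entirely, so a line like
#    "nsCertType =" (empty value, which makes openssl fail) is never written.
sub render_extensions {
    my ($ext) = @_;
    my @lines;
    for my $name (sort keys %$ext) {
        my @bits;
        for my $raw (@{ $ext->{$name} }) {
            next unless defined $raw;
            my $bit = $raw;
            $bit =~ s/\s+//g;            # the "space eliminator" from the thread
            push @bits, $bit if length $bit;
        }
        # Only emit the line if at least one value survived the cleanup.
        push @lines, "$name = " . join(',', @bits) if @bits;
    }
    return @lines;
}

# Constructed sample: a TLS server profile using the RFC 3280 extensions
# Martin recommends, whose values still carry XML whitespace, plus an
# nsCertType entry that parsed as empty and therefore must not be written.
my %server_profile = (
    keyUsage         => [ "\n  digitalSignature\n", " keyEncipherment " ],
    extendedKeyUsage => ["serverAuth"],
    nsCertType       => [],              # empty @bits -> no line at all
);

print "$_\n" for render_extensions(\%server_profile);
```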
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users