Thanks! That helped and I learned a lot about the datapool and keys.
update:
Success with SSCEP. It worked. Apple devices now fail with an invalid CSR
error.
sscep:
Apple devices:
openxpki.log
2021/06/22 14:28:46 ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ => message_static_functions.c:238: Not valid CSR after decrpytion
LibSCEP.xs:1197: scep_unwrap failed
34370961408:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:/usr/src/crypto/openssl/crypto/asn1/a_object.c:254:
34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=object, Type=X509_NAME_ENTRY
34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=subject, Type=X509_REQ_INFO
34370961408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=req_info, Type=X509_REQ
[pid=57435|sid=aCoa]
I captured the CSR in scep.log and decoded it:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=MDM SCEP SIGNER E9BD4746-3B6A-4A50-8F99-F78A422D3DDF, C=US
        Validity
            Not Before: Jun 22 20:18:47 2021 GMT
            Not After : Jun 22 20:18:47 2022 GMT
        Subject: CN=MDM SCEP SIGNER E9BD4746-3B6A-4A50-8F99-F78A422D3DDF, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    Truncated
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
        Truncated
-----BEGIN CERTIFICATE-----
Truncated
-----END CERTIFICATE-----
My rules in generic.yaml
workflow:
    type: certificate_enroll
    param:
        # key: name in workflow context, value: parameter from scep wrapper
        # server and interface are always set, the mapping below is
        # the default set that is used when no map is given
        transaction_id: transaction_id
        signer_cert: signer_cert
        pkcs10: pkcs10
        _url_params: url_params
        #_pkcs7: pkcs7

authorized_signer:
    rule1:
        # Full DN
        #subject: CN=.+:pkiclient,.*
        subject: .*,CN=US
    rule2:
        # Full DN
        subject: CN=my.scep.enroller.com:generic,.*
    rule3:
        #Attempt match on Apple CSRs
        subject: CN=MDM.+.*

policy:
    allow_man_authen: 1
    allow_anon_enroll: 0
    allow_man_approv: 1
    allow_eligibility_recheck: 0
    approval_points: 0
    max_active_certs: 1
    auto_revoke_existing_certs: 1
    allow_replace: 1
On Mon, Jun 21, 2021 at 11:57 PM, Oliver Welter <[email protected]> wrote:
> Hi Nick,
>
> Am 22.06.21 um 03:08 schrieb Nick Dawson:
>
> If I ra | issuer: endentity or chain, I get an SSL error. BUT scep.log
> looks like it can interpret the request
>
> Openxpki.log:
>
> ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ => 34370961408:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:/usr/src/crypto/openssl/crypto/x509/x509_cmp.c:297:
> 34370961408:error:2107207F:PKCS7 routines:PKCS7_decrypt:private key does not match certificate:/usr/src/crypto/openssl/crypto/pkcs7/pk7_smime.c:495:
> message_static_functions.c:221: decryption failed
> LibSCEP.xs:1197: scep_unwrap failed
>
> this sounds as if you have now finally broken your SCEP setup - if you really
> ignored the SQL errors (and have created a new key) then your cert and key
> do not match, so you get a crypto error. All logs you have shown are far
> away from an enrollment request where we have to work around the
> "signer cert" problem.
>
> I suggest you just create a new token (key and cert) and import it again;
> this should create a new SCEP token alias with a new generation number.
> Make sure your DataVault token is operational before you try loading the
> key!
>
> Oliver
>
> --
> Protect your environment - close windows and adopt a penguin!
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
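Added example, not code from OpenXPKI, LibSCEP or Apple, and not part of the thread above. The unwrap error in the log stops in the CSR's subject (Field=subject, Type=X509_REQ_INFO) on an X509_NAME_ENTRY whose "object" (the AttributeType OID) OpenSSL's c2i_ASN1_OBJECT rejects as invalid object encoding. The script below walks the DER of an X.509 Name on its own, applies the same OID sanity rules OpenSSL does, and reports the byte offset of the first element that fails, so you can see which RDN the Apple device is sending malformed. Both sample Name encodings at the bottom are constructed for the demonstration; they are not bytes taken from the captured message, and the subject value "MDM SCEP SIGNER TEST" is a placeholder.

```python
"""Walk the DER of an X.509 Name (a CSR's subject) and report which AttributeType
OID OpenSSL would reject as 'invalid object encoding'. Added example for the
unwrap error above; not OpenXPKI, LibSCEP or Apple code. Samples are constructed."""

TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x14: "latin-1"}

class NameDecodeError(ValueError):
    def __init__(self, msg, offset):
        super().__init__(f"offset {offset}: {msg}")
        self.offset = offset  # byte position of the element that failed

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER TLV at `pos`."""
    if pos + 2 > len(buf):
        raise NameDecodeError("truncated tag/length", pos)
    tag, first, hdr = buf[pos], buf[pos + 1], 2
    if first < 0x80:
        length = first
    else:  # long form; DER forbids the indefinite form 0x80
        n = first & 0x7F
        if n == 0 or pos + 2 + n > len(buf):
            raise NameDecodeError("bad long-form length", pos)
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    end = pos + hdr + length
    if end > len(buf):
        raise NameDecodeError("length overruns buffer", pos)
    return tag, pos + hdr, end

def check_oid_content(content, offset):
    """OpenSSL c2i_ASN1_OBJECT rules (X.690 8.19): >=1 octet, last octet without
    continuation bit, no subidentifier starting with a padding 0x80 octet."""
    if not content:
        raise NameDecodeError("OID has no content octets", offset)
    if content[-1] & 0x80:
        raise NameDecodeError("OID last octet has continuation bit set", offset)
    for i, b in enumerate(content):
        if b == 0x80 and (i == 0 or not content[i - 1] & 0x80):
            raise NameDecodeError("OID subidentifier has leading 0x80", offset)

def oid_to_str(content):
    """Dotted-decimal form of already validated OID content octets."""
    subids, cur = [], 0
    for b in content:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    arc1 = 2 if subids[0] >= 80 else subids[0] // 40
    return ".".join(str(x) for x in [arc1, subids[0] - 40 * arc1] + subids[1:])

def decode_name(der):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value ANY }.
    Returns [(attr, value), ...] in encoded order or raises at the first bad element."""
    tag, pos, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise NameDecodeError(f"Name must be SEQUENCE, got tag 0x{tag:02x}", 0)
    rdns = []
    while pos < end:
        tag, p, rdn_end = read_tlv(der, pos)
        if tag != TAG_SET:
            raise NameDecodeError(f"RDN must be SET, got tag 0x{tag:02x}", pos)
        while p < rdn_end:
            tag, oid_off, atv_end = read_tlv(der, p)
            if tag != TAG_SEQUENCE:
                raise NameDecodeError("AttributeTypeAndValue must be SEQUENCE", p)
            tag, o_start, val_off = read_tlv(der, oid_off)
            if tag != TAG_OID:
                raise NameDecodeError(f"AttributeType must be OID, got tag 0x{tag:02x}", oid_off)
            check_oid_content(der[o_start:val_off], oid_off)
            oid = oid_to_str(der[o_start:val_off])
            tag, v_start, v_end = read_tlv(der, val_off)
            raw = der[v_start:v_end]
            value = raw.decode(STRING_TAGS[tag], "replace") if tag in STRING_TAGS else raw.hex()
            rdns.append((OID_NAMES.get(oid, oid), value))
            p = atv_end
        pos = rdn_end
    return rdns

def diagnose(name_der):
    """Comma-joined DN in encoded order (the form the log above shows for the
    Apple signer), or the offset and reason of the first bad element."""
    try:
        rdns = decode_name(name_der)
    except NameDecodeError as e:
        return {"ok": False, "offset": e.offset, "error": str(e)}
    return {"ok": True, "dn": ",".join(f"{k}={v}" for k, v in rdns)}

# Constructed sample input, not bytes from the captured Apple message.
def _tlv(tag, content):  # short-form length suffices for these samples
    return bytes([tag, len(content)]) + content

def _atv(oid, value, tag=0x13):
    return _tlv(TAG_SEQUENCE, _tlv(TAG_OID, oid) + _tlv(tag, value))

CN_OID, C_OID = b"\x55\x04\x03", b"\x55\x04\x06"
# Well-formed subject, CN then C, as the decoded Apple signer cert lists them.
GOOD_NAME = _tlv(TAG_SEQUENCE, _tlv(TAG_SET, _atv(CN_OID, b"MDM SCEP SIGNER TEST", 0x0C))
                 + _tlv(TAG_SET, _atv(C_OID, b"US")))
# Same subject, but the CN OID's last octet is 0x83 (continuation bit set): the
# kind of malformed OBJECT IDENTIFIER c2i_ASN1_OBJECT rejects.
BAD_NAME = _tlv(TAG_SEQUENCE, _tlv(TAG_SET, _atv(b"\x55\x04\x83", b"MDM SCEP SIGNER TEST", 0x0C))
                + _tlv(TAG_SET, _atv(C_OID, b"US")))
```

To run it against the real request, save the decrypted CSR from scep.log as DER, locate the subject SEQUENCE with `openssl asn1parse -inform DER -in csr.der -i`, cut those bytes out and pass them to diagnose(); the returned offset is relative to the start of the Name, and the reported reason tells you whether the device emitted a bad OID or a wrong tag in that entry.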