The more I look at this log:
LibSCEP.xs:1197: scep_unwrap failed
34370961408:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid
object encoding:/usr/src/crypto/openssl/crypto/asn1/a_object.c:254:
34370961408:error:0D08303A:asn1 encoding
routines:asn1_template_noexp_d2i:nested asn1
error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=object,
Type=X509_NAME_ENTRY
34370961408:error:0D08303A:asn1 encoding
routines:asn1_template_noexp_d2i:nested asn1
error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
34370961408:error:0D08303A:asn1 encoding
routines:asn1_template_noexp_d2i:nested asn1
error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
34370961408:error:0D08303A:asn1 encoding
routines:asn1_template_noexp_d2i:nested asn1
error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=subject,
Type=X509_REQ_INFO
34370961408:error:0D08303A:asn1 encoding
routines:asn1_template_noexp_d2i:nested asn1
error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=req_info,
Type=X509_REQ
[pid=54863|sid=rnuS]
and compare it to the SCEP request:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=MDM SCEP SIGNER C066EE1B-43F7-4B92-A19C-REDACTED, C=US
Validity
Not Before: Jun 27 00:40:50 2021 GMT
Not After : Jun 27 00:40:50 2022 GMT
Subject: CN=MDM SCEP SIGNER C066EE1B-43F7-4B92-A19C-REDACTED, C=US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
REDACTED
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage: critical
TLS Web Client Authentication
the more I wonder:
- is Apple not sending an X509 name and info segment? I see the subject
name for the issuing CSR, but not the the cert itself.
On Sat, Jun 26, 2021 at 6:35 PM, Nick Dawson <[email protected]>
wrote:
> Happy to post my mobileconfig file (below).
>
> My environment is in production…. Guess it shows my naiveté (which I'm
> sure is obvious, although I'm learning quite a lot here lately!) , I know
> posting certs is, in theory, safe (with the keys being safely held). Is
> there any thing I should be careful to redact from the OpenXPKI files
> besides secrets?
>
> Mobileconfig:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.
> com/DTDs/PropertyList-1.0.dtd">
> <plist version="1.0">
> <dict>
> <key>PayloadContent</key>
> <array>
> <dict>
> <key>PayloadContent</key>
> <dict>
> <key>CAFingerprint</key>
> <data>
> REDACTED
> </data>
> <key>Challenge</key>
> <string>REDACTED</string>
> <key>Key Type</key>
> <string>RSA</string>
> <key>Key Usage</key>
> <integer>5</integer>
> <key>Keysize</key>
> <integer>2048</integer>
> <key>Name</key>
> <string>scep4</string> #my active SCEP cert name
> <key>Retries</key>
> <integer>3</integer>
> <key>RetryDelay</key>
> <integer>10</integer>
> <key>Subject</key>
> <array>
> <array>
> <array> #THIS AREA LOOKS PROBLEMATIC, ALSO TRIED /notation
> <string>CN</string>
> <string>MyDeviceName,DC</string>
> </array>
> </array>
> <array>
> <array>
> <string>DZSEC,DC</string>
> <string>NET</string>
> </array>
> </array>
> </array>
> <key>URL</key>
> <string>http://scep.dzsec.net/scep/</string>
> </dict>
> <key>PayloadDescription</key>
> <string>Configures SCEP settings</string>
> <key>PayloadDisplayName</key>
> <string>SCEP</string>
> <key>PayloadIdentifier</key>
> <string>com.apple.security.scep.1959D1B9-6DD9-4C56-9B5F-65ED4494853D
> <http://com.apple.security.scep.1959d1b9-6dd9-4c56-9b5f-65ed4494853d/>
> </string>
> <key>PayloadType</key>
> <string>com.apple.security.scep</string>
> <key>PayloadUUID</key>
> <string>1959D1B9-6DD9-4C56-9B5F-REDACTED</string>
> <key>PayloadVersion</key>
> <integer>1</integer>
> </dict>
> </array>
> <key>PayloadDescription</key>
> <string>this is a test of the DZsec SCEP deployment</string>
> <key>PayloadDisplayName</key>
> <string>scep test</string>
> <key>PayloadIdentifier</key>
> <string>MyHostName.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2</string>
> <key>PayloadOrganization</key>
> <string>DZsec</string>
> <key>PayloadRemovalDisallowed</key>
> <false/>
> <key>PayloadType</key>
> <string>Configuration</string>
> <key>PayloadUUID</key>
> <string>F1949DEA-FF3E-4EA2-8BFC-7D3EBAA31BB2</string>
> <key>PayloadVersion</key>
> <integer>1</integer>
> </dict>
> </plist>
>
>
>
> On Tue, Jun 22, 2021 at 2:50 PM, Michal Moravec <michal.moravec@
> logicworks.cz> wrote:
>
> Could you post you mobileconfig file, All CA certificates currently in use
> and you OpenXPKI configuration?
>
> MM
>
>
> On 22. 6. 2021, at 22:37, Nick Dawson <[email protected]> wrote:
>
> Thanks! That helped and I learned a lot about the datapool and keys.
>
> update:
> Success with SSCEP. It worked. Apple devices now fail with an invalid CSR
> error.
>
> sscep:
>
> Apple devices:
> openxpki.log
>
> 2021/06/22 14:28:46 ERROR Error executing SCEP command 'PKIOperation':
> I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
> OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ =>
> message_static_functions.c:238: Not valid CSR after decrpytion
> LibSCEP.xs:1197: scep_unwrap failed
> 34370961408:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid
> object encoding:/usr/src/crypto/openssl/crypto/asn1/a_object.c:254:
> 34370961408:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=object,
> Type=X509_NAME_ENTRY
> 34370961408:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
> 34370961408:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
> 34370961408:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=subject,
> Type=X509_REQ_INFO
> 34370961408:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=req_info,
> Type=X509_REQ
> [pid=57435|sid=aCoa]
>
> I captured the CSR in scep.log and decoded it:
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 1 (0x1)
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: CN=MDM SCEP SIGNER E9BD4746-3B6A-4A50-8F99-F78A422D3DDF,
> C=US
> Validity
> Not Before: Jun 22 20:18:47 2021 GMT
> Not After : Jun 22 20:18:47 2022 GMT
> Subject: CN=MDM SCEP SIGNER E9BD4746-3B6A-4A50-8F99-F78A422D3DDF,
> C=US
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (2048 bit)
> Modulus:
> Truncated
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Key Usage: critical
> Digital Signature, Key Encipherment
> X509v3 Extended Key Usage: critical
> TLS Web Client Authentication
> Signature Algorithm: sha256WithRSAEncryption
> Truncated
> -----BEGIN CERTIFICATE-----
> Truncated
> -----END CERTIFICATE-----
>
> My rules in generic.yaml
>
> workflow:
> type: certificate_enroll
> param:
> # key: name in workflow context, value: parameter from scep wrapper
> # server and interface are always set, the mapping below is
> # the default set that is used when no map is given
> transaction_id: transaction_id
> signer_cert: signer_cert
> pkcs10: pkcs10
> _url_params: url_params
> #_pkcs7: pkcs7
>
> authorized_signer:
> rule1:
> # Full DN
> #subject: CN=.+:pkiclient,.*
> subject: .*,CN=US
> rule2:
> # Full DN
> subject: CN=my.scep.enroller.com
> <http://cn=my.scep.enroller.com/>:generic,.*
> rule3:
> #Attempt match on Apple CSRs
> subject: CN=MDM.+.*
> policy:
>
> allow_man_authen: 1
> allow_anon_enroll: 0
> allow_man_approv: 1
> allow_eligibility_recheck: 0
> approval_points: 0
> max_active_certs: 1
> auto_revoke_existing_certs: 1
> allow_replace: 1
>
>
> On Mon, Jun 21, 2021 at 11:57 PM, Oliver Welter <[email protected]> wrote:
>
> Hi Nick,
>
> Am 22.06.21 um 03:08 schrieb Nick Dawson:
>
> If I ra | issuer: endentity or chain, I get an SSL error. BUT scep.log
> looks like it can interpret the request
>
> Openxpki.log:
>
> ERROR Error executing SCEP command 'PKIOperation':
> I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
> OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ =>
> 34370961408:error:0B080074:x509 certificate
> routines:X509_check_private_key:key values
> mismatch:/usr/src/crypto/openssl/crypto/x509/x509_cmp.c:297:
> 34370961408:error:2107207F:PKCS7 routines:PKCS7_decrypt:private key does
> not match
> certificate:/usr/src/crypto/openssl/crypto/pkcs7/pk7_smime.c:495:
> message_static_functions.c:221: decryption failed
> LibSCEP.xs:1197: scep_unwrap failed
>
> this sounds as you now finally broke your SCEP setup - if you really
> ignored the SQL errors (and have created a new key) then your Cert and Key
> does not match so you get a crypto error. All logs you have shown are far
> away from an enrollment request where we have to work around the
> "signer cert" problem.
>
> I suggest you just create a new token (key and cert) and import it again,
> this should create a new SCEP Token alias with a new generation number.
> Make sure your DataVault token ist operational before you try loading the
> key!
>
> Oliver
>
> --
> Protect your environment - close windows and adopt a penguin!
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
>
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
