Hi Nick,

a valid SCEP message has a PKCS10-formatted CSR that is wrapped in two
PKCS7 containers, one encrypted with the certificate of the SCEP server
and one signed by the client. Most MDMs allow importing a so-called "on
behalf" certificate/key for signing which can then be used on the RA to
validate the origin of the request. We saw in several MDM projects that
the MDM server just creates a certificate "on the fly" for this
signature which looks like the cert you have posted below.

> LibSCEP.xs:1197: scep_unwrap failed

Does very likely mean that the SCEP server was not able to unwrap the
encrypted container. OpenXPKI always sends the to-be-used RA certificate
as the first item in the GetCA response and most clients use this. We have
also seen clients that take the "wrong" certificate from the list,
usually the CA signer certificate. The best way to track this down is to
capture the PKCS7 data sent and use "openssl asn1parse" to see what's in
there. You can find the PKCS7 in the Apache log file as the value of the
"message" parameter in the query string or in the scep.log file of
OpenXPKI with loglevel DEBUG.

Oliver


On 27.06.21 at 02:49, Nick Dawson wrote:
> The more I look at this log: 
>
> LibSCEP.xs:1197: scep_unwrap failed
> 34370961408:error:0D0C40D8:asn1 encoding
> routines:c2i_ASN1_OBJECT:invalid object
> encoding:/usr/src/crypto/openssl/crypto/asn1/a_object.c:254:
> 34370961408:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=object,
> Type=X509_NAME_ENTRY
> 34370961408:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
> 34370961408:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
> 34370961408:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=subject,
> Type=X509_REQ_INFO
> 34370961408:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=req_info,
> Type=X509_REQ
> [pid=54863|sid=rnuS]
>
> and compare it to the SCEP request: 
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1 (0x1)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: CN=MDM SCEP SIGNER C066EE1B-43F7-4B92-A19C-REDACTED, C=US
>         Validity
>             Not Before: Jun 27 00:40:50 2021 GMT
>             Not After : Jun 27 00:40:50 2022 GMT
>         Subject: CN=MDM SCEP SIGNER C066EE1B-43F7-4B92-A19C-REDACTED, C=US
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
> REDACTED
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment
>             X509v3 Extended Key Usage: critical
>                 TLS Web Client Authentication
>
> the more I wonder: 
>
> - is Apple not sending an X509 name and info segment? I see the
> subject name for the issuing CSR, but not the cert itself.
>
>
> On Sat, Jun 26, 2021 at 6:35 PM, Nick Dawson
> <[email protected]> wrote:
>
>     Happy to post my mobileconfig file (below). 
>
>     My environment is in production…. Guess it shows my naiveté (which
>     I'm sure is obvious, although I'm learning quite a lot here
>     lately!) , I know posting certs is, in theory, safe (with the keys
>     being safely held). Is there anything I should be careful to
>     redact from the OpenXPKI files besides secrets?
>
>     Mobileconfig: 
>
>     <?xml version="1.0" encoding="UTF-8"?>
>     <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
>     "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
>     <plist version="1.0">
>     <dict>
>     <key>PayloadContent</key>
>     <array>
>     <dict>
>     <key>PayloadContent</key>
>     <dict>
>     <key>CAFingerprint</key>
>     <data>
>     REDACTED
>     </data>
>     <key>Challenge</key>
>     <string>REDACTED</string>
>     <key>Key Type</key>
>     <string>RSA</string>
>     <key>Key Usage</key>
>     <integer>5</integer>
>     <key>Keysize</key>
>     <integer>2048</integer>
>     <key>Name</key>
>     <string>scep4</string> <!-- my active SCEP cert name -->
>     <key>Retries</key>
>     <integer>3</integer>
>     <key>RetryDelay</key>
>     <integer>10</integer>
>     <key>Subject</key>
>     <array>
>     <array>
>     <array> <!-- THIS AREA LOOKS PROBLEMATIC, ALSO TRIED /notation -->
>     <string>CN</string>
>     <string>MyDeviceName,DC</string>
>     </array>
>     </array>
>     <array>
>     <array>
>     <string>DZSEC,DC</string>
>     <string>NET</string>
>     </array>
>     </array>
>     </array>
>     <key>URL</key>
>     <string>http://scep.dzsec.net/scep/</string>
>     </dict>
>     <key>PayloadDescription</key>
>     <string>Configures SCEP settings</string>
>     <key>PayloadDisplayName</key>
>     <string>SCEP</string>
>     <key>PayloadIdentifier</key>
>     <string>com.apple.security.scep.1959D1B9-6DD9-4C56-9B5F-65ED4494853D</string>
>     <key>PayloadType</key>
>     <string>com.apple.security.scep</string>
>     <key>PayloadUUID</key>
>     <string>1959D1B9-6DD9-4C56-9B5F-REDACTED</string>
>     <key>PayloadVersion</key>
>     <integer>1</integer>
>     </dict>
>     </array>
>     <key>PayloadDescription</key>
>     <string>this is a test of the DZsec SCEP deployment</string>
>     <key>PayloadDisplayName</key>
>     <string>scep test</string>
>     <key>PayloadIdentifier</key>
>     <string>MyHostName.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2</string>
>     <key>PayloadOrganization</key>
>     <string>DZsec</string>
>     <key>PayloadRemovalDisallowed</key>
>     <false/>
>     <key>PayloadType</key>
>     <string>Configuration</string>
>     <key>PayloadUUID</key>
>     <string>F1949DEA-FF3E-4EA2-8BFC-7D3EBAA31BB2</string>
>     <key>PayloadVersion</key>
>     <integer>1</integer>
>     </dict>
>     </plist>
>
>
>
>     On Tue, Jun 22, 2021 at 2:50 PM, Michal Moravec
>     <[email protected]> wrote:
>
>         Could you post your mobileconfig file, all CA certificates
>         currently in use and your OpenXPKI configuration?
>
>         MM
>
>
>>         On 22. 6. 2021, at 22:37, Nick Dawson
>>         <[email protected]> wrote:
>>
>>         Thanks! That helped and I learned a lot about the datapool
>>         and keys. 
>>
>>         update: 
>>         Success with SSCEP. It worked. Apple devices now fail with an
>>         invalid CSR error. 
>>
>>         sscep: 
>>
>>         Apple devices: 
>>         openxpki.log 
>>
>>         2021/06/22 14:28:46 ERROR Error executing SCEP command
>>         'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED;
>>         __COMMAND__ =>
>>         OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__
>>         => message_static_functions.c:238: Not valid CSR after decrpytion
>>         LibSCEP.xs:1197: scep_unwrap failed
>>         34370961408:error:0D0C40D8:asn1 encoding
>>         routines:c2i_ASN1_OBJECT:invalid object
>>         encoding:/usr/src/crypto/openssl/crypto/asn1/a_object.c:254:
>>         34370961408:error:0D08303A:asn1 encoding
>>         routines:asn1_template_noexp_d2i:nested asn1
>>         error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=object,
>>         Type=X509_NAME_ENTRY
>>         34370961408:error:0D08303A:asn1 encoding
>>         routines:asn1_template_noexp_d2i:nested asn1
>>         error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
>>         34370961408:error:0D08303A:asn1 encoding
>>         routines:asn1_template_noexp_d2i:nested asn1
>>         error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
>>         34370961408:error:0D08303A:asn1 encoding
>>         routines:asn1_template_noexp_d2i:nested asn1
>>         error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=subject,
>>         Type=X509_REQ_INFO
>>         34370961408:error:0D08303A:asn1 encoding
>>         routines:asn1_template_noexp_d2i:nested asn1
>>         error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=req_info,
>>         Type=X509_REQ
>>         [pid=57435|sid=aCoa]
>>
>>         I captured the CSR in scep.log and decoded it: 
>>
>>         Certificate:
>>             Data:
>>                 Version: 3 (0x2)
>>                 Serial Number: 1 (0x1)
>>             Signature Algorithm: sha256WithRSAEncryption
>>                 Issuer: CN=MDM SCEP SIGNER
>>         E9BD4746-3B6A-4A50-8F99-F78A422D3DDF, C=US
>>                 Validity
>>                     Not Before: Jun 22 20:18:47 2021 GMT
>>                     Not After : Jun 22 20:18:47 2022 GMT
>>                 Subject: CN=MDM SCEP SIGNER
>>         E9BD4746-3B6A-4A50-8F99-F78A422D3DDF, C=US
>>                 Subject Public Key Info:
>>                     Public Key Algorithm: rsaEncryption
>>                         Public-Key: (2048 bit)
>>                         Modulus:
>>                       Truncated
>>                         Exponent: 65537 (0x10001)
>>                 X509v3 extensions:
>>                     X509v3 Key Usage: critical
>>                         Digital Signature, Key Encipherment
>>                     X509v3 Extended Key Usage: critical
>>                         TLS Web Client Authentication
>>             Signature Algorithm: sha256WithRSAEncryption
>>                 Truncated
>>         -----BEGIN CERTIFICATE-----
>>         Truncated
>>         -----END CERTIFICATE-----
>>
>>         My rules in generic.yaml 
>>
>>         workflow:
>>             type: certificate_enroll
>>             param:
>>                 # key: name in workflow context, value: parameter from scep wrapper
>>                 # server and interface are always set, the mapping below is
>>                 # the default set that is used when no map is given
>>                 transaction_id: transaction_id
>>                 signer_cert: signer_cert
>>                 pkcs10: pkcs10
>>                 _url_params: url_params
>>                 #_pkcs7: pkcs7
>>
>>         authorized_signer:
>>             rule1:
>>                 # Full DN
>>                 #subject: CN=.+:pkiclient,.*
>>                 subject: .*,CN=US
>>             rule2:
>>                 # Full DN
>>                 subject: CN=my.scep.enroller.com:generic,.*
>>             rule3:
>>                 #Attempt match on Apple CSRs
>>                 subject: CN=MDM.+.*
>>         policy:
>>             allow_man_authen: 1
>>             allow_anon_enroll: 0
>>             allow_man_approv: 1
>>             allow_eligibility_recheck: 0
>>             approval_points: 0
>>             max_active_certs: 1
>>             auto_revoke_existing_certs: 1
>>             allow_replace: 1
>>
>>
>>         On Mon, Jun 21, 2021 at 11:57 PM, Oliver Welter
>>         <[email protected]> wrote:
>>
>>             Hi Nick,
>>
>>             On 22.06.21 at 03:08, Nick Dawson wrote:
>>
>>                 If I ra | issuer: endentity or chain, I get an SSL
>>                 error. BUT scep.log looks like it can interpret the
>>                 request
>>
>>                 Openxpki.log: 
>>
>>                 ERROR Error executing SCEP command 'PKIOperation':
>>                 I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
>>                 OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap,
>>                 __ERRVAL__ => 34370961408:error:0B080074:x509
>>                 certificate
>>                 routines:X509_check_private_key:key values
>>                 mismatch:/usr/src/crypto/openssl/crypto/x509/x509_cmp.c:297:
>>                 34370961408:error:2107207F:PKCS7
>>                 routines:PKCS7_decrypt:private key does not match
>>                 certificate:/usr/src/crypto/openssl/crypto/pkcs7/pk7_smime.c:495:
>>                 message_static_functions.c:221: decryption failed
>>                 LibSCEP.xs:1197: scep_unwrap failed
>>
>>             this sounds as if you have now finally broken your SCEP setup - if
>>             you really ignored the SQL errors (and have created a new
>>             key) then your cert and key do not match, so you get a
>>             crypto error. All logs you have shown are far away from
>>             an enrollment request where we have to work around the
>>             "signer cert" problem.
>>
>>             I suggest you just create a new token (key and cert) and
>>             import it again, this should create a new SCEP Token
>>             alias with a new generation number. Make sure your
>>             DataVault token is operational before you try loading
>>             the key!
>>
>>             Oliver
>>
>>             -- 
>>             Protect your environment - close windows and adopt a
>>             penguin!
>>
>>             _______________________________________________
>>             OpenXPKI-users mailing list
>>             [email protected]
>>             https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>
>>
>
>
>
>
>


-- 
Protect your environment - close windows and adopt a penguin!


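Oliver's advice at the top of the thread is to pull the PKCS7 out of the Apache log's "message" parameter and look at it with "openssl asn1parse". The script below is an added example for that step; it is not code from the thread, from OpenXPKI or from libscep. It assumes an Apache access-log line for a SCEP GET request (combined log format, with the base64 DER URL-encoded in the query string), decodes the message, walks the DER the way `asn1parse -i` prints it, and lists the PKCS7 content types in nesting order, which for a valid SCEP request is signedData, then pkcs7-data, then the envelopedData inside. It also reports the offset of the first malformed OBJECT IDENTIFIER, which is what OpenSSL's "invalid object encoding" in the quoted logs refers to. The sample message and log line are constructed in the script (the enveloped CSR is a placeholder, not a real CSR), and the walker handles DER only; BER indefinite lengths are rejected with an error.

```python
"""Added example: decode a SCEP PKCS7 message taken from an Apache log line
and walk its DER structure. Not part of OpenXPKI; sample data is constructed."""
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

PKCS7_TYPES = {
    "1.2.840.113549.1.7.1": "pkcs7-data",
    "1.2.840.113549.1.7.2": "pkcs7-signedData",
    "1.2.840.113549.1.7.3": "pkcs7-envelopedData",
}
NAMES = {0x02: "INTEGER", 0x04: "OCTET STRING", 0x30: "SEQUENCE", 0x31: "SET", 0xA0: "[0]"}


def tlv(tag, body):
    """DER tag-length-value for sample construction (short-form lengths only)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body


def encode_oid(text):
    arcs = [int(a) for a in text.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    # A final byte with the continuation bit set is OpenSSL's
    # "invalid object encoding": the last sub-identifier never ends.
    if not body or body[-1] & 0x80:
        raise ValueError("invalid object encoding")
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def walk(data, depth=0, base=0):
    """Yield (offset, depth, tag, description) per DER element, in the order
    `openssl asn1parse -i` prints them, descending into constructed types and
    into OCTET STRINGs that hold a nested SEQUENCE (SCEP stacks its PKCS7
    layers that way). Indefinite (BER) lengths are rejected."""
    pos = 0
    while pos < len(data):
        start, tag = pos, data[pos]
        if pos + 1 >= len(data):
            raise ValueError(f"truncated header at offset {base + start}")
        length, pos = data[pos + 1], pos + 2
        if length & 0x80:
            n = length & 0x7F
            if n == 0:
                raise ValueError(f"indefinite length at offset {base + start}")
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated element at offset {base + start}")
        hdr, pos = pos - start, pos + length
        if tag == 0x06:
            try:
                name = decode_oid(body)
            except ValueError as exc:
                raise ValueError(f"{exc} at offset {base + start}") from None
            yield base + start, depth, tag, PKCS7_TYPES.get(name, name)
        elif tag & 0x20 or (tag == 0x04 and _is_nested_der(body)):
            yield base + start, depth, tag, NAMES.get(tag, f"tag 0x{tag:02x}")
            yield from walk(body, depth + 1, base + start + hdr)
        else:
            yield base + start, depth, tag, NAMES.get(tag, f"tag 0x{tag:02x}")


def _is_nested_der(body):
    if not body or body[0] != 0x30:
        return False
    try:
        for _ in walk(body):
            pass
        return True
    except ValueError:
        return False


def content_types(der):
    """PKCS7 content types in nesting order; the first thing to read off."""
    return [d for _, _, tag, d in walk(der) if tag == 0x06 and d in PKCS7_TYPES.values()]


def first_decode_error(der):
    """Text of the first decode problem with its offset, or None if clean."""
    try:
        for _ in walk(der):
            pass
    except ValueError as exc:
        return str(exc)
    return None


def message_from_log_line(line):
    """PKCS7 bytes from an Apache access-log entry for a SCEP GET; the
    `message` query parameter is URL-encoded base64 of the DER."""
    m = re.search(r'"GET (\S+) HTTP/', line)
    if not m:
        raise ValueError("no GET request line found")
    params = parse_qs(urlsplit(m.group(1)).query)
    if "message" not in params:
        raise ValueError("no message parameter in query string")
    # Clients that send '+' unencoded: parse_qs turned it into a space.
    return base64.b64decode(params["message"][0].replace(" ", "+"))


def build_sample_pkcs7(inner=b"<enveloped CSR placeholder>"):
    """Constructed SCEP-shaped PKCS7: signedData around pkcs7-data whose
    OCTET STRING carries an envelopedData ContentInfo. Digest algorithms,
    recipients and signer infos are left empty; only the nesting matters."""
    enveloped = tlv(0x30, encode_oid("1.2.840.113549.1.7.3")
                    + tlv(0xA0, tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, inner))))
    data = tlv(0x30, encode_oid("1.2.840.113549.1.7.1") + tlv(0xA0, tlv(0x04, enveloped)))
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + data)
    return tlv(0x30, encode_oid("1.2.840.113549.1.7.2") + tlv(0xA0, signed))


def sample_log_line(der):
    """Constructed Apache access-log entry carrying `der` as the SCEP message."""
    b64 = quote(base64.b64encode(der).decode(), safe="")
    return ('203.0.113.10 - - [27/Jun/2021:00:41:02 +0000] "GET /scep/?operation='
            f'PKIOperation&message={b64} HTTP/1.1" 200 1234')


if __name__ == "__main__":
    der = message_from_log_line(sample_log_line(build_sample_pkcs7()))
    for off, depth, _, desc in walk(der):
        print(f"{off:5d}:d={depth} {'  ' * depth}{desc}")
    print(content_types(der))
    print(first_decode_error(tlv(0x30, tlv(0x06, b"\x2a\x86"))))
```

On a real capture, replace `sample_log_line(...)` with the line from the Apache access log; if `content_types` does not come back as signedData, pkcs7-data, envelopedData, the client is not sending the two-layer structure Oliver describes, and `first_decode_error` gives the offset to hand to `openssl asn1parse -inform DER -i -strparse` for a closer look.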