Am 28.06.21 um 19:30 schrieb Nick Dawson: > "We're not in windows" :) :) :) should be "on windows" I guess, but my fingers tend to be to large sometimes ;) > I thought I'd found a breakthrough hint > here: https://support.apple.com/en-us/HT210176 > <https://support.apple.com/en-us/HT210176> > So I made yet another new scep cert/key with the DNS names in the SAN > field. Still no luck. This is related to TLS certificates and should not be relevant to SCEP (which is plain HTTP on the transport layer) > > I'm starting to think, unless anyone has demonstrated otherwise, that > the way apple handles SCEP is just not compatible. > > One other curiosity: > Apple requires an SHA1 or MD5 fingerprint of the SCEP cert. Makes > sense. I've been using sscep getca to see what openxpi is sending and > I have been using the MD5 fingerprint from the SCEP cert from that > output. Any reason that would be an incorrect process? I've also used Either I don't understand the purpose or you got that wrong, an SCEP message includes several digests/encryption steps (also in the reply) which is something you can configure but I never heard of the need to add the value of a fingerprint soemwhere. > here's the request, as decoded from the scep.log file (not sure how to > change log level to debug) /etc/openxpki/scep/log.conf (restart apache after changing it) > > cat request.txt | perl -pe 'use > MIME::Base64;s/%([0-9a-f]{2})/sprintf("%s",pack("H2",$1))/eig;$_=MIME::Base64::decode($_);' > | openssl pkcs7 -inform DER -print_certs -text
Print certs just gives you the signer cert which we already saw earlier, the CSR is in the payload of this message here 238:d=3 hl=4 l= 271 prim: BIT STRING The value in this section is the CSR wrapped in a PKCS7 container encrypted with the SCEP RA key (at least it should be and I think this is the problem). You should be able to extract the payload this with "openssl cms" and pipe it to asn1parse openssl cms -inform PEM -in scep.p7 -verify -noverify | openssl asn1parse -inform der -i Verification successful 0:d=0 hl=4 l=1343 cons: SEQUENCE 4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-envelopedData 15:d=1 hl=4 l=1328 cons: cont [ 0 ] 19:d=2 hl=4 l=1324 cons: SEQUENCE 23:d=3 hl=2 l= 1 prim: INTEGER :00 26:d=3 hl=4 l= 647 cons: SET 30:d=4 hl=4 l= 643 cons: SEQUENCE 34:d=5 hl=2 l= 1 prim: INTEGER :00 37:d=5 hl=2 l= 107 cons: SEQUENCE 39:d=6 hl=2 l= 83 cons: SEQUENCE 41:d=7 hl=2 l= 11 cons: SET 43:d=8 hl=2 l= 9 cons: SEQUENCE 45:d=9 hl=2 l= 3 prim: OBJECT :countryName 50:d=9 hl=2 l= 2 prim: PRINTABLESTRING :DE 54:d=7 hl=2 l= 17 cons: SET 56:d=8 hl=2 l= 15 cons: SEQUENCE 58:d=9 hl=2 l= 3 prim: OBJECT :organizationName 63:d=9 hl=2 l= 8 prim: UTF8STRING :OpenXPKI 73:d=7 hl=2 l= 12 cons: SET 75:d=8 hl=2 l= 10 cons: SEQUENCE 77:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName 82:d=9 hl=2 l= 3 prim: UTF8STRING :PKI 87:d=7 hl=2 l= 35 cons: SET 89:d=8 hl=2 l= 33 cons: SEQUENCE 91:d=9 hl=2 l= 3 prim: OBJECT :commonName 96:d=9 hl=2 l= 26 prim: UTF8STRING :OpenXPKI Demo Issuing CA 1 124:d=6 hl=2 l= 20 prim: INTEGER :5243CE43D4216F8CAFD5A7F73809259AA84CBD2C 146:d=5 hl=2 l= 13 cons: SEQUENCE 148:d=6 hl=2 l= 9 prim: OBJECT :rsaEncryption 159:d=6 hl=2 l= 0 prim: NULL 161:d=5 hl=4 l= 512 prim: OCTET STRING [HEX DUMP]:0B1....71F83 677:d=3 hl=4 l= 666 cons: SEQUENCE 681:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data 692:d=4 hl=2 l= 17 cons: SEQUENCE 694:d=5 hl=2 l= 5 prim: OBJECT :des-cbc 701:d=5 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:803B9371AD89BDFC 711:d=4 hl=4 l= 632 prim: cont [ 0 ] The upper part denotes the IssuerSerial of the used encryption certificate with the value at pos 124 being the serial number of the encryption certificate, the lower part is the symetric key material and the encrypted payload. Oliver -- Protect your environment - close windows and adopt a penguin! _______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
