Hi James,

I had a similar problem yesterday using sscep, though in my case it was OpenXPKI that complained about a missing HTTP header "Content-Type". It looks like JSCEP expects this HTTP header in OpenXPKI's reply. Can you check if the header is present in the reply (use Wireshark on Windows or tcpdump on Linux)?
According to RFC 8894, the reply should have Content-Type: application/x-pki-message:

    4.3.1. Certificate Enrolment/Renewal Response Message

    If the request is granted, a CertRep SUCCESS message (Section 3.3.2.1) is returned. If the request is rejected, a CertRep FAILURE message (Section 3.3.2.2) is returned. If the CA is configured to manually authenticate the client, a CertRep PENDING message (Section 3.3.2.3) MAY be returned. The CA MAY return a PENDING for other reasons.

    The response will have a Content-Type of "application/x-pki-message".

        "Content-Type: application/x-pki-message"

        <binary CertRep message>

I will check this in my tests, too.

Best Regards,
Bernd

Software Development
Rohde & Schwarz GmbH & Co. KG
Muehldorfstrasse 15 | 81671 Munich | Germany
Internet: https://www.rohde-schwarz.com

From: James Ervin <[email protected]>
Sent: Tuesday, August 10, 2021 3:51 PM
To: [email protected]
Subject: *EXT* [Newsletter] [OpenXPKI-users] Bouncy Castle won't verify a signed cert coming back from OpenXPKI

Hello,

I am working on a feature to support SCEP in our product. I have a problem where I can get OpenXPKI set up (using the Docker container – very nice BTW), and I am using the JSCEP library to send a CSR to OpenXPKI.
The CSR is below (it is test data):

-----BEGIN CERTIFICATE REQUEST-----
MIIDMzCCAhsCAQAwgcwxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEPMA0G
A1UEBwwGQXVzdGluMSAwHgYDVQQKDBdIeXBvcmkgVmlydHVhbCBNb2JpbGl0eTEu
MCwGA1UECwwlSHlwb3JpIFZpcnR1YWwgTW9iaWxpdHkgLSBEZXZlbG9wbWVudDEb
MBkGA1UEAwwSSHlwb3JpIFNlcnZlciBUZWFtMS0wKwYJKoZIhvcNAQkBFh5qYW1l
cy5lcnZpbkBzYXZleW91cnN0dWZmLm1vYmkwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCyNZkcGjf1ifsiFWVGVseNa2NYc3K0d/n+9+VU88VVHHLMXvmd
6d4iVSXUlIMxL5Mh4HDswRtzkNskg8Ol1QL4+dY8qZEM4+JNH6hmCDM0f5VgwQBm
rPELqLSJDgJgYdjbfVRhNgW8J7i48l8VsM0f2yamXldbCx52QzYANpxbC8hrfKQS
zlrDQTneiaNngHaX4NbzizNVO25hkUxdQRBAnL9Dv247P/RzB5GOvmEe/nxgN0fa
iF16Qluqc2/wh55NVSdQU2n64enPHxl2f7/Xdl9X9nqdwhiMZ+5eeB5VvUy+noS9
wqL99ECpRhDWi2lsiPrskUo1WcRcbpBUiYzvAgMBAAGgITAfBgkqhkiG9w0BCQcx
EgwQQjVBMzgzMDBBRTcwMzIxNDANBgkqhkiG9w0BAQsFAAOCAQEAbLBJVdRiLV88
jAgOUa1rcjWkVsrGZEkufI5yEomlMDCdL9nNG+VxYF9Eh75EM8EM80FCbqYSFzWE
h4rvOxTYqWguiM5mmkvAEPqq0G0CBe7B5NkvoazSxmGt/a2Tls20X1BxdJWKO0u3
hm/bbQ7e2ZV5NIXv6hig/uaG0jXX/cvn+4If6cSe0rpHm8Bgbs+7z4kP3JIQsuwf
AzRIC6dCJuxVUJGqDSQsHPrE2CgfHE5sVE31ejCHs481BD9c32007ZEhIsWPpFno
2+PAw6jUNDvrsA5UzMA/9iMufWlwiEOB6Tm1j9m0+ABvUDY1QaMRGy3AwwRNe29z
ictdVAqDVA==
-----END CERTIFICATE REQUEST-----

The cert returned fails when JSCEP tries to verify the certificate (verify the signature, I believe). I get the following error message:

Reason: org.jscep.message.MessageDecodingException: org.bouncycastle.cms.CMSException: The content-type attribute type MUST be present whenever signed attributes are present in signed-data

This is the encoded cert I get back from OpenXPKI:

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

OpenXPKI is returning a 200 on that HTTP call, so it thinks things are fine. Any ideas?

James E. Ervin
Senior Software Engineer
Cell 210-251-1503 | 866.324.9345 (work)
[email protected]
https://hypori.com
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
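The two checks the thread turns on, as an added example that is not code from JSCEP, OpenXPKI, Bouncy Castle or either poster. It assumes the HTTP response headers have been captured as Bernd suggests and that the body is the CMS blob, either raw DER or base64 as James pasted it. It checks the HTTP Content-Type against the RFC 8894 4.3.1 requirement quoted above and, because the Bouncy Castle exception cites a CMS rule, walks the SignedData to report whether each SignerInfo's signed attributes include the content-type attribute (OID 1.2.840.113549.1.9.3) that RFC 5652 section 11.1 requires whenever signed attributes are present. The sample reply it builds is a constructed skeleton with placeholder signature bytes, not a real OpenXPKI response; the stdlib-only DER walker and all function names are the example's own.

```python
"""Offline checks on a SCEP PKIOperation reply (added example, not JSCEP/OpenXPKI code):
the HTTP Content-Type header (RFC 8894 4.3.1) and, inside the CMS SignedData, whether
each SignerInfo's signedAttrs contain the content-type attribute (RFC 5652 11.1)."""
import base64

EXPECTED_HTTP_CONTENT_TYPE = "application/x-pki-message"
OID_CONTENT_TYPE   = bytes.fromhex("2a864886f70d010903")  # 1.2.840.113549.1.9.3
OID_MESSAGE_DIGEST = bytes.fromhex("2a864886f70d010904")  # 1.2.840.113549.1.9.4
OID_ID_DATA        = bytes.fromhex("2a864886f70d010701")  # 1.2.840.113549.1.7.1
OID_SIGNED_DATA    = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_SHA256         = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1


def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, content):
    """Encode one DER TLV (low tag numbers only, which is all CMS uses)."""
    return bytes([tag]) + der_len(len(content)) + content


def der_children(buf):
    """Split DER content octets into a list of (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


def signed_attr_oids(cms_der):
    """Return, per signedAttrs ([0] IMPLICIT SET OF Attribute) found, the set of attribute
    type OIDs (raw DER content). An Attribute is SEQUENCE { OID, SET }; no other [0]-tagged
    element in CMS or X.509 consists solely of OID-led SEQUENCEs, so that shape identifies
    the signed attributes without a full CMS parser. The signature is NOT verified."""
    found = []

    def is_attribute(tag, content):
        kids = der_children(content)
        return tag == 0x30 and bool(kids) and kids[0][0] == 0x06

    def walk(tag, content):
        if not tag & 0x20:                      # primitive: nothing to descend into
            return
        kids = der_children(content)
        if tag == 0xA0 and kids and all(is_attribute(*k) for k in kids):
            found.append({der_children(c)[0][1] for _, c in kids})
            return
        for k in kids:
            walk(*k)

    walk(*der_children(cms_der)[0])
    return found


def check_scep_reply(headers, body):
    """headers: HTTP response headers (name -> value); body: reply bytes, raw DER or base64.
    Returns a list of problems; an empty list means both checks passed."""
    problems = []
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != EXPECTED_HTTP_CONTENT_TYPE:
        problems.append(f"HTTP Content-Type is {ctype!r}, expected {EXPECTED_HTTP_CONTENT_TYPE!r}")
    if body[:1] != b"\x30":                     # not a DER SEQUENCE: assume base64 text
        body = base64.b64decode(body)
    attrs = signed_attr_oids(body)
    if not attrs:
        problems.append("no SignerInfo with signed attributes found in the CMS body")
    for i, oids in enumerate(attrs):
        if OID_CONTENT_TYPE not in oids:
            problems.append(f"SignerInfo {i}: signedAttrs lack content-type (RFC 5652 11.1)")
    return problems


def build_sample_reply(include_content_type):
    """Constructed sample: a skeletal ContentInfo/SignedData with one SignerInfo and
    placeholder signature bytes, enough to exercise the attribute check. Not a real reply."""
    attrs = b""
    if include_content_type:
        attrs += der(0x30, der(0x06, OID_CONTENT_TYPE) + der(0x31, der(0x06, OID_ID_DATA)))
    attrs += der(0x30, der(0x06, OID_MESSAGE_DIGEST) + der(0x31, der(0x04, b"\x00" * 32)))
    signer_info = der(0x30,
                      der(0x02, b"\x01")                                # version
                      + der(0x30, der(0x30, b"") + der(0x02, b"\x01"))  # issuerAndSerialNumber
                      + der(0x30, der(0x06, OID_SHA256))                # digestAlgorithm
                      + der(0xA0, attrs)                                # signedAttrs [0] IMPLICIT
                      + der(0x30, der(0x06, OID_SHA256))                # signatureAlgorithm (placeholder)
                      + der(0x04, b"\x00" * 8))                         # signature (placeholder)
    signed_data = der(0x30,
                      der(0x02, b"\x01")                                # version
                      + der(0x31, der(0x30, der(0x06, OID_SHA256)))     # digestAlgorithms
                      + der(0x30, der(0x06, OID_ID_DATA))               # encapContentInfo (detached)
                      + der(0x31, signer_info))                         # signerInfos
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data))  # ContentInfo


if __name__ == "__main__":
    good = {"Content-Type": "application/x-pki-message"}
    print(check_scep_reply(good, build_sample_reply(True)))
    print(check_scep_reply(good, build_sample_reply(False)))
    print(check_scep_reply({"Content-Type": "text/plain"},
                           base64.b64encode(build_sample_reply(True))))
```

On a real reply, save the HTTP body to a file and pass its bytes together with the captured headers; the walker only reports which signed attributes are present, which is the question the Bouncy Castle exception raises, and leaves signature verification to the SCEP client.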
