Re: [OpenXPKI-users] SCEP not getting URI - new endpoint

[Carlos Velasco]

Hi,

Sorry, I missed 1 line, both $ep and $rt are uninitialized:
scep.fcgi: Use of uninitialized value $ep in concatenation (.) or string at 
/usr/lib64/perl5/site_perl/5.32.0/OpenXPKI/Client/Config.pm line 345.
scep.fcgi: Use of uninitialized value $rt in concatenation (.) or string at 
/usr/lib64/perl5/site_perl/5.32.0/OpenXPKI/Client/Config.pm line 345.

Further troubleshooting modifying Config.pm, I see the envs are ok:
SCRIPT_URL: /scep/otro/pkiclient.exe [pid=710817]
SCRIPT_URI: /scep/otro/pkiclient.exe?operation=GetCACert&message=test 
[pid=710817]

I suppose the problem is then in the regex:
===
    my ($ep, $nn, $rt);
    if (defined $ENV{SCRIPT_URL}) {
        ($ep, $nn, $rt) = $ENV{SCRIPT_URL} =~ 
qq|${service}/([^/]+)(/([\\w\\-\\/]*))?\$|;
    } elsif (defined $ENV{REQUEST_URI}) {
        ($ep, $nn, $rt) = $ENV{REQUEST_URI} =~ 
qq|${service}/([^/\?]+)(/([\\w\\-\\/]*))?(\\?.*)?\$|;
    }
    $self->logger()->warn("Parsed URI: $ep => $rt".($rt||''));
===

I'm using a Cisco router as SCEP client.
But "pkiclient.exe", that I think is causing the problem, is added 
automatically by the SCEP client in the Cisco router (IOS-XE) and it cannot be omitted.

Regards,
Carlos Velasco

Carlos Velasco escribió el 24/08/2021 a las 18:42:

Hi,

I'm currently testing SCEP in OpenXPKI v3.14.2.

I added a new realm and then I tried to setup new endpoint for SCEP for this 
new realm. I did all setup however I see these errors when requesting (GET) a 
GetCAcert:

===
WAR Parsed URI:  =>  [pid=708328]
-
scep.fcgi: Use of uninitialized value $rt in concatenation (.) or string at 
/usr/lib64/perl5/site_perl/5.32.0/OpenXPKI/Client/Config.pm line 345.
===

It seems not to be getting the URI of the GET.

Troubleshooting I replaced scep.fcgi for this script:
===
#!/usr/bin/perl
use FCGI ();
my %fenv;
my $request = FCGI::Request(\*STDIN, \*STDOUT, \*STDERR, \%fenv, 0,
        FCGI::FAIL_ACCEPT_ON_INTR);
use Data::Dumper ();
$Data::Dumper::Sortkeys = 1;
while($request->Accept() >= 0) {
        print("Content-Type: text/plain\r\n\r\n");
        print("fenv: " . Data::Dumper::Dumper(\%fenv));
        print("ENV: " . Data::Dumper::Dumper(\%ENV));
}
===

And indeed it gets the URI request from the Apache server:
===
fenv: $VAR1 = {
          'CONTEXT_DOCUMENT_ROOT' => '/htdocs/xxxxxxxxx/pki/cgi-bin/scep.fcgi',
          'CONTEXT_PREFIX' => '/scep',
          'DOCUMENT_ROOT' => '/htdocs/xxxxxxxxx/pki',
          'FCGI_ROLE' => 'RESPONDER',
          'GATEWAY_INTERFACE' => 'CGI/1.1',
          'HTTP_ACCEPT' => '*/*',
          'HTTP_ACCEPT_ENCODING' => 'identity',
          'HTTP_CONNECTION' => 'close',
          'HTTP_HOST' => 'pki.xxxxxxxxx',
          'HTTP_USER_AGENT' => 'Wget/1.20.3 (linux-gnu)',
          'LD_LIBRARY_PATH' => '/usr/lib64',
          'PATH' => 
'/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
          'PATH_INFO' => '/otro/pkiclient.exe',
          'PATH_TRANSLATED' => '/htdocs/xxxxxxxxx/pki/otro/pkiclient.exe',
          'QUERY_STRING' => 'operation=GetCACert&message=test',
          'REMOTE_ADDR' => '10.204.196.1',
          'REMOTE_PORT' => '54486',
          'REQUEST_METHOD' => 'GET',
          'REQUEST_SCHEME' => 'http',
          'REQUEST_URI' => 
'/scep/otro/pkiclient.exe?operation=GetCACert&message=test',
          'SCRIPT_FILENAME' => '/htdocs/xxxxxxxxx/pki/cgi-bin/scep.fcgi',
          'SCRIPT_NAME' => '/scep',
          'SCRIPT_URI' => 'http://pki.xxxxxxxxx/scep/otro/pkiclient.exe',
          'SCRIPT_URL' => '/scep/otro/pkiclient.exe',
          'SERVER_ADDR' => '10.204.196.1',
          'SERVER_ADMIN' => 'webmaster@xxxxxxxxx',
          'SERVER_NAME' => 'pki.xxxxxxxxx',
          'SERVER_PORT' => '80',
          'SERVER_PROTOCOL' => 'HTTP/1.1',
          'SERVER_SIGNATURE' => '',
          'SERVER_SOFTWARE' => 'Apache',
          'UNIQUE_ID' => 'YSUd9Zo5HQgmfJMYbA0wsQAAAJI'
        };
ENV: $VAR1 = {
          'LD_LIBRARY_PATH' => '/usr/lib64',
          'PATH' => 
'/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
        };
===

So, discarding web server I look into the code.
I'm not a Perl expert, but looking into Config.pm it seems env values should be set by the 
call to "$self->service()", but I don't know where to look for this function.
===
    # generate name of the environemnt values from the service name
    my $service = $self->service();

    $self->endpoint('');
    $self->route('');

    # Test for specific config file based on script name
    # SCRIPT_URL is only available with mod_rewrite
    my ($ep, $nn, $rt);
    if (defined $ENV{SCRIPT_URL}) {
        ($ep, $nn, $rt) = $ENV{SCRIPT_URL} =~ 
qq|${service}/([^/]+)(/([\\w\\-\\/]*))?\$|;
    } elsif (defined $ENV{REQUEST_URI}) {
        ($ep, $nn, $rt) = $ENV{REQUEST_URI} =~ 
qq|${service}/([^/\?]+)(/([\\w\\-\\/]*))?(\\?.*)?\$|;
    }
    $self->logger()->warn("Parsed URI: $ep => $rt".($rt||''));
===

Versions:
perl v5.32.0
CGI v4.51
CGI::Fas v2.15

Regards,
Carlos Velasco

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users