Hello
I've some strange problems using SCEP GetCRL to obtain the CRL from a Cisco router, after the initial rollout was successful. The setup is the usual OpenXPKI setup using Root + Issuing CA. SCEP is working fine including renew, but the GetCRL messages always fail, even though the CRL is generated and published.

We've opted against HTTP CDP endpoints (for the moment) due to network design decisions and wanted to use the GetCRL method.

We're using the current OpenXPKI Debian packages provided by the OpenXPKI repository in our test environment.
SHORT
=====
The router starts the GetCRL command and asks for its own cert serial + name of the Issuing CA. But OpenXPKI looks for the wrong certificate within the data pool. According to the logs and the MySQL query log, OpenXPKI searches for the certificate with the issuing-ca-serial and the issuer_dn = issuing-ca-name, which obviously can't work unless the Issuing CA were self-signed.

Now I'm stuck and it looks like there's an internal error or understanding problem.
LONG
====
Certificates
------------
Router1
    Subject:    OU=Signer, CN=router1.example.org
    Issuer:     C=DE, O=Operations, OU=PKI, CN=WAN Issuing CA 1
    Serial hex: 04ff54b3d6c5ae734f81
    Serial dec: 23599489128339057364865
    Identifier: pUqhn_c-vhKM0WoKCQMNle07o7s

WAN Issuing CA
    Subject:    C=DE, O=Operations, OU=PKI, CN=WAN Issuing CA 1
    Issuer:     C=DE, O=Operations, CN=WAN Root CA 1
    Serial hex: 635066cf3c30cc407e23141dd3160db77510699b
    Serial dec: 566983101899064607647327682512858504386304829851
    Identifier: TKzRUCNizkaQ8qUe0ycSpNi1uo4

WAN Root CA
    Issuer:     C=DE, O=Operations, CN=WAN Root CA 1
    Subject:    C=DE, O=Operations, CN=WAN Root CA 1
    Serial hex: 3d6ae0104bd2b26f173537ca6af60aa26c65af2c
    Serial dec: 350631834708651143156067806958950427217659014956
    Identifier: Vc-JZljdHdyxlbNhXce9ZLDKESY
SCEP Request PKCS7 Message
--------------------------
I've reduced the PKCS7 message to its (IMHO) most relevant fields:
$ openssl pkcs7 -in cisco-getcrl-message.pem -print -noout
PKCS7:
  type: pkcs7-signedData (1.2.840.113549.1.7.2)
  d.sign:
    [...]
    cert:
        cert_info:
          version: 2
          serialNumber: 23599489128339057364865
          issuer: C=DE, O=Operations, OU=PKI, CN=WAN Issuing CA 1
          subject: OU=Signer, CN=router1.example.org
          [...]
    crl:
      <ABSENT>
    signer_info:
        version: 1
        issuer_and_serial:
          issuer: C=DE, O=Operations, OU=PKI, CN=WAN Issuing CA 1
          serial: 23599489128339057364865
        [...]
From my understanding of the RFC, the code and the manpages about LibSCEP I've read, the client requests the CRL which is responsible for its own serial provided by the given issuer. So far so good.
Debugging
---------
I've added a few CTX('log') commands to PKIOperation.pm to make sure I understand why the GetCRL PKIOperation command fails.

/usr/share/perl5/OpenXPKI/Service/LibSCEP/Command/PKIOperation.pm
sub __find_cert_issuer_serial : PRIVATE {
    my $self    = shift;
    my $arg_ref = shift;
    # debug: dump the incoming arguments (requires Data::Dumper)
    CTX('log')->application()->info('__find_cert_issuer_serial: ' . Dumper $arg_ref);
    [...]
    # serial and issuer as extracted from the PKCS7 message by the LibSCEP token
    my $requested_serial_dec = $token->command({ COMMAND => 'get_getcert_serial', ... });
    my $issuer_dn            = $token->command({ COMMAND => 'get_issuer', ... });
    # debug: log the search criteria that will be passed to search_cert
    CTX('log')->application()->info('Requested serial: ' . $requested_serial_dec . ' for issuer ' . $issuer_dn);
    my $cert_result = CTX('api2')->search_cert(...);
    [...]
}
Log Messages
------------
2021/10/01 09:11:25 openxpki.application.INFO LibSCEP PKIOperation; message type: GetCRL [pid=16009|sid=fAmi]
2021/10/01 09:11:25 openxpki.application.INFO __find_cert_issuer_serial: $VAR1 = {
          'PARAMS' => {
                        'remote_addr' => 'x.x.x.x'
                      },
          'PKCS7' => '-----BEGIN PKCS7-----[...]-----END PKCS7-----',
          'SCEP_HANDLE' => bless( do{\(my $o = '94672449588400')}, 'Crypt::LibSCEP' ),
          'TOKEN' => bless( do{\(my $o = undef)}, 'OpenXPKI::Crypto::Tool::LibSCEP::API' )
        };
2021/10/01 09:11:25 openxpki.application.INFO Requested serial: 0x635066CF3C30CC407E23141DD3160DB77510699B for issuer CN=WAN Issuing CA 1,OU=PKI,O=Operations,C=DE [pid=16009|sid=fAmi]
2021/10/01 09:11:25 openxpki.application.INFO Search result $VAR1 = [];
[...]
It looks like the 'get_getcert_serial' method returns the serial of the Issuing CA and not the serial field in the issuer_and_serial PKCS7 field. Not sure where it got it from.

The following search_cert method returns an empty result because there's no certificate available with these search criteria.
Debugging with manipulation
---------------------------
To validate that my thoughts about the 'get_getcert_serial' method might be real, I've hardcoded the correct serial within the code to see if my thoughts are correct:
sub __find_cert_issuer_serial : PRIVATE {
    [...]
    # test only: override with the router's serial from the issuer_and_serial field
    $requested_serial_dec = '23599489128339057364865';
    CTX('log')->application()->info('Requested serial: ' . $requested_serial_dec . ' for issuer ' . $issuer_dn);
    my $cert_result = CTX('api2')->search_cert(...);
    [...]
}
When I now restart the GetCRL call it seems to work; the correct certificate will be searched, and the correct CRL will be loaded from the datapool and delivered via GetCRL:
2021/10/01 14:08:32 openxpki.application.INFO Requested serial: 23599489128339057364865 for issuer CN=WAN Issuing CA 1,OU=PKI,O=Operations,C=DE [pid=3182|sid=t/1H]
2021/10/01 14:08:32 openxpki.application.INFO Search result $VAR1 = [
          {
            'identifier' => 'pUqhn_c-vhKM0WoKCQMNle07o7s',
            'issuer_identifier' => 'TKzRUCNizkaQ8qUe0ycSpNi1uo4'
          }
        ];
From my understanding the 'get_getcert_serial' method is part of the LibSCEP lib written in C. I currently have no idea how to fix this certificate lookup issue and would be happy if someone could point me in the right direction or help me dive deeper into this issue.
Best Regards
Daniel Hoffend
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
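The lookup mismatch described in the post, as an added model (not OpenXPKI or LibSCEP code) that emulates a search by certificate serial + issuer DN over the three certificates listed above. It assumes the serial and DN strings exactly as printed in the post; its DN comparison is a simplification (RDNs split on commas), not a full RFC 4514 parser.

```python
# Added example (not OpenXPKI or LibSCEP code): a model of the certificate
# lookup behind SCEP GetCRL, using the DNs and serials from the post.
# DN comparison is simplified (RDNs split on commas), not a full RFC 4514 parse.

ROOT_DN = "C=DE, O=Operations, CN=WAN Root CA 1"
ISSUING_DN = "C=DE, O=Operations, OU=PKI, CN=WAN Issuing CA 1"
ROUTER_DN = "OU=Signer, CN=router1.example.org"

# (identifier, subject, issuer, serial as hex), as listed in the post.
CERTS = [
    ("pUqhn_c-vhKM0WoKCQMNle07o7s", ROUTER_DN, ISSUING_DN, "04ff54b3d6c5ae734f81"),
    ("TKzRUCNizkaQ8qUe0ycSpNi1uo4", ISSUING_DN, ROOT_DN, "635066cf3c30cc407e23141dd3160db77510699b"),
    ("Vc-JZljdHdyxlbNhXce9ZLDKESY", ROOT_DN, ROOT_DN, "3d6ae0104bd2b26f173537ca6af60aa26c65af2c"),
]

# issuer_and_serial from the post's PKCS7 dump (decimal, as openssl prints it)
# and the values the OpenXPKI log showed ('0x' hex, DN in reversed order).
SIGNER_INFO = {"issuer": ISSUING_DN, "serial": "23599489128339057364865"}
LOG_SERIAL = "0x635066CF3C30CC407E23141DD3160DB77510699B"
LOG_ISSUER = "CN=WAN Issuing CA 1,OU=PKI,O=Operations,C=DE"

def parse_serial(text):
    """'0x..' is hex, a digits-only string is decimal, anything else is bare hex."""
    s = text.strip().lower()
    if s.startswith("0x"):
        return int(s[2:], 16)
    return int(s, 10) if s.isdigit() else int(s, 16)

def normalize_dn(dn):
    """Order-insensitive RDN set: openssl prints C=..,O=..,CN=.. while the
    log printed CN=..,OU=..,O=..,C=.. for the same issuer."""
    return frozenset(rdn.strip() for rdn in dn.split(","))

def search_cert(serial, issuer_dn=None):
    """Lookup by (serial, issuer DN), the criteria seen in the post's log;
    issuer_dn=None ignores the issuer. Returns the matching identifiers."""
    want = parse_serial(serial)
    return [ident for ident, _subj, issuer, hexser in CERTS
            if int(hexser, 16) == want
            and (issuer_dn is None or normalize_dn(issuer) == normalize_dn(issuer_dn))]

def broken_lookup():
    """The search as logged: the Issuing CA's own serial under the Issuing
    CA's DN. Nothing matches, since that serial was issued by the Root CA."""
    return search_cert(LOG_SERIAL, LOG_ISSUER)

def correct_lookup():
    """The signer_info issuer_and_serial resolves to the router certificate."""
    return search_cert(SIGNER_INFO["serial"], SIGNER_INFO["issuer"])
```

Calling search_cert(LOG_SERIAL) with no issuer shows which certificate the logged serial actually belongs to (the Issuing CA), which is why the logged (serial, issuer) pair can only match a self-signed certificate.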