Ugh.

That does present me with a challenge.
The Mac I have for testing is too old to run Monterey.

The iOS also complains. Invalid response.

Any ideas, or should I try to hack it a bit so I can trick the Mac into thinking
it is an AD certificate, which it might be able to fetch via the API?

Otherwise I’m open to suggestions. :)

/Martin

On 27 Oct 2021 at 07.38.19, Michal Moravec <[email protected]>
wrote:

> For what it is worth, I've found that SCEP enrollment works in macOS
> Monterey (12.0)
>
> That's to be expected. Although the problem with RFC-noncompliant nonce
> length I reported to Apple for 11.0 happened on the client, not on the
> server.
> You are hitting some issue with that server log you sent.
>
> Anyway I would spend much time testing 11.0 if 12.0 works because you
> wouldn't make the 11.0 work anyway.
> (Unless you would rework C code in libscep to make it work).
>
> MM
>
> On 27. 10. 2021, at 0:54, Nick Dawson <[email protected]> wrote:
>
> For what it is worth, I've found that SCEP enrollment works in macOS
> Monterey (12.0) and still seems broken in iOS 15.x
>
>
> On Tue, Oct 26, 2021 at 3:47 AM, Martin Arendtsen <
> [email protected]> wrote:
>
>> Hi Oliver,
>>
>> That does indeed smell like it.
>>
>> Indeed I can.
>>
>> The payload:
>>
>> The step-ra is:
>>
>> /Martin
>>
>> On 25 Oct 2021 at 22.02.45, Oliver Welter <[email protected]> wrote:
>>
>> Hi Martin,
>>
>> as Michal already said, the quoted fix is not related to this problem,
>> something is wrong on the OpenXPKI side when it tries to unwrap the
>> incoming message. There was a very long and detailed discussion (without a
>> solution in the end) mid this year - https://www.mail-archive.com/
>> [email protected]/msg02041.html - I am not really
>> sure if this matches your problem but it smells a bit like this...
>>
>> Can you perhaps share the payload information and your SCEP RA
>> certificate, I want to have a look at it.
>>
>> Oliver
>>
>> On 24.10.21 at 20:09, Martin Arendtsen wrote:
>>
>> Hi
>>
>> I have been reading on the ML about this problem but I’m not able to fix
>> it with the commit
>> (https://github.com/openxpki/openxpki-config/commit/802162e6d4ae719c0728ddc392be7f76de1d7815)
>>
>> When trying to retrieve a certificate by SCEP I get this error.
>>
>> 2021/10/24 19:46:16 openxpki.system.ERROR message_static_functions.c:249:
>> Not valid CSR after decrpytion
>> LibSCEP.xs:1197: scep_unwrap failed
>> 34374492160:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid
>> object encoding:/usr/src/crypto/openssl/crypto/asn1/a_object.c:254:
>> 34374492160:error:0D08303A:asn1 encoding
>> routines:asn1_template_noexp_d2i:nested asn1
>> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=object,
>> Type=X509_NAME_ENTRY
>> 34374492160:error:0D08303A:asn1 encoding
>> routines:asn1_template_noexp_d2i:nested asn1
>> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
>> 34374492160:error:0D08303A:asn1 encoding
>> routines:asn1_template_noexp_d2i:nested asn1
>> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
>> 34374492160:error:0D08303A:asn1 encoding
>> routines:asn1_template_noexp_d2i:nested asn1
>> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=subject,
>> Type=X509_REQ_INFO
>> 34374492160:error:0D08303A:asn1 encoding
>> routines:asn1_template_noexp_d2i:nested asn1
>> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=req_info,
>> Type=X509_REQ
>>  [pid=80956|sid=Sonc]
>> 2021/10/24 19:46:16 openxpki.system.ERROR
>> I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
>> OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ =>
>> message_static_functions.c:249: Not valid CSR after decrpytion
>> LibSCEP.xs:1197: scep_unwrap failed
>> 34374492160:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid
>> object encoding:/usr/src/crypto/openssl/crypto/asn1/a_object.c:254:
>> 34374492160:error:0D08303A:asn1 encoding
>> routines:asn1_template_noexp_d2i:nested asn1
>> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=object,
>> Type=X509_NAME_ENTRY
>> 34374492160:error:0D08303A:asn1 encoding
>> routines:asn1_template_noexp_d2i:nested asn1
>> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
>> 34374492160:error:0D08303A:asn1 encoding
>> routines:asn1_template_noexp_d2i:nested asn1
>> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
>> 34374492160:error:0D08303A:asn1 encoding
>> routines:asn1_template_noexp_d2i:nested asn1
>> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=subject,
>> Type=X509_REQ_INFO
>> 34374492160:error:0D08303A:asn1 encoding
>> routines:asn1_template_noexp_d2i:nested asn1
>> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=req_info,
>> Type=X509_REQ
>>  [pid=80956|sid=Sonc]
>> 2021/10/24 19:46:16 openxpki.system.ERROR Error executing SCEP command
>> 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
>> OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ =>
>> message_static_functions.c:249: Not valid CSR after decrpytion
>> LibSCEP.xs:1197: scep_unwrap failed
>> 34374492160:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid
>> object encoding:/usr/src/crypto/openssl/crypto/asn1/a_object.c:254:
>> 34374492160:error:0D08303A:asn1 encoding
>> routines:asn1_template_noexp_d2i:nested asn1
>> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=object,
>> Type=X509_NAME_ENTRY
>> 34374492160:error:0D08303A:asn1 encoding
>> routines:asn1_template_noexp_d2i:nested asn1
>> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
>> 34374492160:error:0D08303A:asn1 encoding
>> routines:asn1_template_noexp_d2i:nested asn1
>> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:615:
>> 34374492160:error:0D08303A:asn1 encoding
>> routines:asn1_template_noexp_d2i:nested asn1
>> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=subject,
>> Type=X509_REQ_INFO
>> 34374492160:error:0D08303A:asn1 encoding
>> routines:asn1_template_noexp_d2i:nested asn1
>> error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:646:Field=req_info,
>> Type=X509_REQ
>>  [pid=80956|sid=Sonc]
>>
>> I have added the fix as linked above but it still gives me that error.
>> sscep works like a charm.
>>
>> So I need a hint to what I have missed - any ideas?
>>
>> Best regards
>> Martin Arendtsen
>>
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>
>>
>> --
>> Protect your environment -  close windows and adopt a penguin!
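Added example, not part of the thread and not OpenXPKI or LibSCEP code: the OpenSSL error stack in the quoted log bottoms out at `c2i_ASN1_OBJECT: invalid object encoding` under `X509_NAME_ENTRY`, meaning an attribute-type OID in the request's subject failed to decode. The Python sketch below walks a DER structure and reports OBJECT IDENTIFIERs whose content octets break the X.690 encoding rules; the function names and sample bytes are assumptions made for illustration.

```python
# Added diagnostic sketch; the sample DER below is constructed, not from the thread.
def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    if first < 0x80:
        length = first
    else:  # long form: low 7 bits give the number of length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, pos, pos + length

def oid_problem(content):
    """Return why OID content octets violate X.690 8.19, or None if valid."""
    if not content:
        return "empty OID"
    if content[-1] & 0x80:
        return "last octet has continuation bit set"
    at_start = True  # True when the next octet begins a subidentifier
    for b in content:
        if at_start and b == 0x80:
            return "subidentifier has leading 0x80 padding"
        at_start = not (b & 0x80)
    return None

def find_bad_oids(buf, start=0, end=None, path=()):
    """Walk constructed TLVs depth-first; return (path, hex, reason) per bad OID."""
    end = len(buf) if end is None else end
    bad, pos, idx = [], start, 0
    while pos < end:
        tag, cs, ce = read_tlv(buf, pos)
        here = path + (idx,)
        if tag == 0x06:  # OBJECT IDENTIFIER
            reason = oid_problem(buf[cs:ce])
            if reason:
                bad.append((here, buf[cs:ce].hex(), reason))
        elif tag & 0x20:  # constructed: SEQUENCE, SET, context tags
            bad += find_bad_oids(buf, cs, ce, here)
        pos, idx = ce, idx + 1
    return bad

# Constructed samples: a Name with CN=test, then the same with a padded OID.
GOOD_NAME = bytes.fromhex("300f310d300b06035504030c0474657374")
BAD_NAME = bytes.fromhex("3010310e300c0604558004030c0474657374")
```

The walker rejects BER indefinite-length encodings, so it is meant for the decrypted PKCS#10 request bytes rather than the outer SCEP message.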