Hi, I have a strange problem with EST. I try to issue certificates and (this is the weird part) sometimes it works and sometimes it results in an I18N_OPENXPKI_UI_INVALID_PROFILE error. Yesterday during the day it worked at the beginning and then it didn't work anymore. In the evening I tried it again from home and it worked there. Then this morning it didn't work again. I always do the tests directly on the server on which OpenXPKI is installed. I use ECC keys, but have also tried RSA keys. Both have worked before.
The logs show
workflow.log:
…
2023/08/23 13:04:35 14335 Using custom field class OpenXPKI::Server::Workflow::Field
2023/08/23 13:04:35 14335 Execute action global_map_url_params
2023/08/23 13:04:35 14335 Execute action enroll_set_transaction_id
2023/08/23 13:04:35 14335 Setting context transaction_id to cc884f27bef5d142073490e184894597234abb82
2023/08/23 13:04:35 14335 Execute action enroll_set_workflow_attributes
2023/08/23 13:04:35 14335 Execute action global_load_policy
2023/08/23 13:04:35 14335 No policy params set in LoadPolicy
2023/08/23 13:04:35 14335 Execute action global_set_profile
2023/08/23 13:04:35 14335 Calling Connector::GetValue in mode hash with path est|ivoc-test|profile
2023/08/23 13:04:35 14335 Execute action enroll_parse_pkcs10
2023/08/23 13:04:35 14335 Testing if WFHash req_extensions key certificateTemplateName is key_nonempty
2023/08/23 13:04:35 14335 Testing if WFHash req_extensions key certificateTemplateName is key_nonempty
2023/08/23 13:04:35 14335 Execute action global_noop
2023/08/23 13:04:35 14335 Testing if WFHash req_extensions key certificateTemplateName is key_nonempty
2023/08/23 13:04:35 14335 Execute action global_set_error_invalid_profile
2023/08/23 13:04:35 14335 Set error code I18N_OPENXPKI_UI_INVALID_PROFILE for workflow 14335
est.log:
2023/08/23 13:04:34 DEB Parsed URI: ivoc-test => simpleenroll [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB calling context is https [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB unauthenticated (no cert) [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB Pickup via attribute with transaction_id => cc884f27bef5d142073490e184894597234abb82 [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB Initialize client [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB Started volatile session with id: VeYXALjtTsO+gXyosTfWeA== [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB Selecting auth stack _System [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB Initialize certificate_enroll with params pkcs10, transaction_id, server, interface [pid=1010|ep=[undef]]
2023/08/23 13:04:35 DEB Workflow created (ID: 14335), State: FAILURE [pid=1010|ep=[undef]]
2023/08/23 13:04:35 DEB Status: 400 Request was rejected [pid=1010|ep=[undef]]
2023/08/23 13:04:35 INF Disconnect client [pid=1010|ep=[undef]]
If I take the pkcs10 certificate request from the workflow concept (from the Web GUI) I can enrol the certificate.
The profile is:

# The name of the file equals the name of the profile
label: IvoControl device certificate

key:
    alg:
    - ec
    generate: client
    ec:
        curve_name:
        - prime256v1
        - secp256r1

style:
    00_basic_style:
        label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
        description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
        ui:
            subject:
            - cn
            info:
            - requestor_realname
            - requestor_email
            - requestor_affiliation
            - owner_contact
            - comment
        subject:
            dn: CN=[% CN %],DC=IvoControl Test CA,DC=IvoControl,DC=net
        metadata:
            requestor: "[% requestor_realname %]"
            email: "[% requestor_email %]"
            owner_contact: "[% owner_contact || requestor_email %]"
            entity: "[% hostname FILTER lower %]"

    enroll:
        subject:
            dn: CN=[% CN.0 %],O=Ivoclar Vivadent AG,L=Schaan,C=LI,DC=ivocontrol,DC=net
        metadata:
            system_id: "[% data.cust_id %]"
            server_id: "[% data.server_id %]"
            # entity: "[% CN.0.replace(':.*','') FILTER lower %]"

# Profile extensions - set 0/1 as needed
# Also see sections defined in default.yaml
extensions:
    key_usage:
        critical: 1
        digital_signature: 1
        key_encipherment: 1
    extended_key_usage:
        critical: 0
        client_auth: 1
I have no idea where to start looking for the cause of the problem.
Thanks in advance
Thomas
NetSec.co AG
Thomas Gusset
CEO & CTO
Im alten Riet 125, 9494 Schaan, Liechtenstein
https://netsec.co
+423 388 2777 / +423 388 2770 (direkt)
[email protected]<mailto:[email protected]>
https://threema.id/NK3MJMNP
Chat on MS
Teams<https://teams.microsoft.com/l/chat/0/[email protected]>
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
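Added diagnostic, not part of the post and not OpenXPKI code: the workflow log above shows enrollment branching on whether req_extensions contains certificateTemplateName, and the profile restricts the key to ec with prime256v1/secp256r1, so a useful first step when one request enrols and another does not is to decode what each PKCS#10 actually carries. The script below reads a CSR's DER with a small stdlib-only ASN.1 walker and reports subject CN, key algorithm, curve and requested extensions, then compares the key against the profile's key section (PROFILE_KEY transcribes the profile quoted above). The OID constants are the standard values; the subject names, the template name "Machine", the public-key and signature bytes in build_test_csr are constructed placeholders so the parser can be exercised offline. It reports facts only; which of them the workflow's condition uses is decided by the workflow definition, not by this script.

```python
"""Report what a PKCS#10 request carries (key, curve, extensions) versus a profile's key section."""

# Standard OIDs used below
EC_PUBKEY = "1.2.840.10045.2.1"            # id-ecPublicKey
RSA_ENC = "1.2.840.113549.1.1.1"           # rsaEncryption
P256 = "1.2.840.10045.3.1.7"               # prime256v1 (alias secp256r1)
EXT_REQ = "1.2.840.113549.1.9.14"          # pkcs-9-at-extensionRequest
MS_TEMPLATE_NAME = "1.3.6.1.4.1.311.20.2"  # certificateTemplateName (BMPString value)
CN = "2.5.4.3"

# "key" section of the profile quoted in the post; curve alias map for comparison
PROFILE_KEY = {"alg": ["ec"], "ec": {"curve_name": ["prime256v1", "secp256r1"]}}
CURVE_NAMES = {P256: "prime256v1"}


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split the body of a constructed element into a list of (tag, body)."""
    out, pos = [], 0
    while pos < len(body):
        tag, child, pos = _read_tlv(body, pos)
        out.append((tag, child))
    return out


def _oid(body):
    """Decode an OBJECT IDENTIFIER body to dotted notation."""
    arcs, val = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)


def inspect_csr(der):
    """Return subject CN, key algorithm OID, curve OID and requested extensions of a DER CSR."""
    _, csr, _ = _read_tlv(der, 0)
    _, info, _ = _read_tlv(csr, 0)          # CertificationRequestInfo
    fields = _children(info)                # version, subject, SPKI, [0] attributes
    cn = None
    for _, rdn in _children(fields[1][1]):
        for _, atv in _children(rdn):
            oid, value = _children(atv)
            if _oid(oid[1]) == CN:
                cn = value[1].decode("utf-8", "replace")
    alg = _children(_children(fields[2][1])[0][1])   # AlgorithmIdentifier of the SPKI
    key_alg = _oid(alg[0][1])
    curve = _oid(alg[1][1]) if len(alg) > 1 and alg[1][0] == 0x06 else None
    exts = {}
    if len(fields) > 3 and fields[3][0] == 0xA0:
        for _, attr in _children(fields[3][1]):
            attr_oid, values = _children(attr)
            if _oid(attr_oid[1]) != EXT_REQ:
                continue
            for _, ext in _children(_children(values[1])[0][1]):
                ext_fields = _children(ext)          # OID, [critical], OCTET STRING
                exts[_oid(ext_fields[0][1])] = ext_fields[-1][1]
    return {"subject_cn": cn, "key_alg": key_alg, "curve": curve, "extensions": exts}


def template_name(report):
    """Decode the certificateTemplateName value (normally a BMPString), or None if absent."""
    raw = report["extensions"].get(MS_TEMPLATE_NAME)
    if raw is None:
        return None
    tag, body, _ = _read_tlv(raw, 0)
    return body.decode("utf-16-be") if tag == 0x1E else body.decode("utf-8", "replace")


def check_against_profile(report, profile=PROFILE_KEY):
    """List where the request's key disagrees with the profile's key section, plus extension facts."""
    findings = []
    alg = {EC_PUBKEY: "ec", RSA_ENC: "rsa"}.get(report["key_alg"], report["key_alg"])
    if alg not in profile["alg"]:
        findings.append(f"key algorithm {alg} is not in profile key.alg {profile['alg']}")
    elif alg == "ec":
        curve = CURVE_NAMES.get(report["curve"], report["curve"])
        if curve not in profile["ec"]["curve_name"]:
            findings.append(f"curve {curve} is not in profile key.ec.curve_name")
    if MS_TEMPLATE_NAME not in report["extensions"]:
        findings.append("request carries no certificateTemplateName extension")
    return findings


# --- test-request construction (placeholder key and signature bytes, no real signing) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_test_csr(cn, template=None, key_oid=EC_PUBKEY, curve_oid=P256):
    """Construct an unsigned PKCS#10 DER for exercising inspect_csr (constructed data)."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _enc_oid(CN) + _tlv(0x0C, cn.encode()))))
    params = _enc_oid(curve_oid) if key_oid == EC_PUBKEY else _tlv(0x05, b"")
    spki = _tlv(0x30, _tlv(0x30, _enc_oid(key_oid) + params) + _tlv(0x03, b"\x00\x04" + b"\x11" * 64))
    attrs = b""
    if template is not None:
        ext = _tlv(0x30, _enc_oid(MS_TEMPLATE_NAME) + _tlv(0x04, _tlv(0x1E, template.encode("utf-16-be"))))
        attrs = _tlv(0x30, _enc_oid(EXT_REQ) + _tlv(0x31, _tlv(0x30, ext)))
    info = _tlv(0x30, _tlv(0x02, b"\x00") + name + spki + _tlv(0xA0, attrs))
    sig_alg = _tlv(0x30, _enc_oid("1.2.840.10045.4.3.2"))   # ecdsa-with-SHA256, dummy
    return _tlv(0x30, info + sig_alg + _tlv(0x03, b"\x00" * 9))
```

For a real request taken from the EST client or from the workflow context, pass the DER bytes to inspect_csr (for a PEM file, drop the BEGIN/END lines and base64-decode the rest first) and compare the output of a request that enrols with one that fails; a difference in key algorithm, curve or requested extensions narrows down which branch of the workflow rejected it.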
