Hi,

Sometimes, during the processing of an HTTP cert response from the Symantec PKI 
Manager SCEP server, our application encounters an error condition while 
validating the cert's attributes. The error that we see is "Transaction not 
permitted or supported".

It appears that this error is detected either in the ASN1_TYPE_get() function 
or the OBJ_nid2obj() function.
Can you tell me what conditions might cause this type of failure when 
unwrapping and validating a cert response?

Here is a snippet of our code that detects this condition:

    /* Get signed attributes */
    attribs = PKCS7_get_signed_attributes(si);
    if (attribs == NULL)
    {
        ReportAPIError("[PKCS7_UnWrap] No attributes found in PKCS#7 data", szErr);
        goto cleanup;
    }

    ...

    /* Get pkiStatus (PrintableString holding "0" success, "2" failure, "3" pending) */
    if ((i = get_signed_attribute(attribs, nid_pkiStatus, V_ASN1_PRINTABLESTRING, &p)) == 1)
    {
        ReportAPIError("[PKCS7_UnWrap] Failed to get the signer pkiStatus attributes", szErr);
        goto cleanup;
    }

    /* Get failInfo (only present when pkiStatus is FAILURE) */
    if (atoi(p) != SCEP_PKISTATUS_SUCCESS)
    {
        if (atoi(p) == SCEP_PKISTATUS_FAILURE)
        {
            if ((i = get_signed_attribute(attribs, nid_failInfo, V_ASN1_PRINTABLESTRING, &p)) == 1)
            {
                ReportError("[PKCS7_UnWrap] Cannot find failInfo", szErr);
                goto cleanup;
            }
            switch (atoi(p))
            {
            case SCEP_FAILINFO_BADALG:
                ReportError("[PKCS7_UnWrap] Unrecognized or unsupported algorithm ident", szErr);
                break;
            case SCEP_FAILINFO_BADMSGCHK:
                ReportError("[PKCS7_UnWrap] Integrity check failed", szErr);
                break;
            case SCEP_FAILINFO_BADREQ:
                ReportError("[PKCS7_UnWrap] Transaction not permitted or supported", szErr);
                break;
            case SCEP_FAILINFO_BADTIME:
                ReportError("[PKCS7_UnWrap] Message time field was not sufficiently close to the system time", szErr);
                break;
            case SCEP_FAILINFO_BADCERTID:
                ReportError("[PKCS7_UnWrap] No certificate could be identified matching", szErr);
                break;
            default:
                ReportError("[PKCS7_UnWrap] Wrong failInfo in reply", szErr);
                break;
            }
        }
        else
        {
            ReportAPIError("[PKCS7_UnWrap] PKI Status: Not success", szErr);
        }
        goto cleanup;
    }



________________________________
Fiberlink Disclaimer: The information transmitted is intended only for the 
person or entity to which it is addressed and may contain confidential and/or 
privileged material. Any review, retransmission, dissemination or other use of, 
or taking of any action in reliance upon, this information by persons or 
entities other than the intended recipient is prohibited. If you received this 
in error, please contact the sender and delete the material from any computer.
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
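As an added example, not part of the original post or the poster's code, the following self-contained Python program models the same attribute-lookup flow with a minimal DER walker in place of OpenSSL's PKCS7_get_signed_attributes()/get_signed_attribute(). The OIDs are SCEP's standard pkiStatus and failInfo attribute OIDs, the sample responses are constructed inline, and every function name is this example's own. It exercises the two conditions under which such a lookup comes back empty: the attribute is absent from the SET, or it is present but its value carries a different ASN.1 tag than the one the caller asks for (a UTF8String where a PrintableString is expected, for instance). It also shows that the string "Transaction not permitted or supported" is what the snippet's own switch prints when the server returns pkiStatus FAILURE with failInfo badRequest, so the value of both attributes is worth logging when the condition is hit.

```python
# Added example, not the original poster's code: a self-contained DER walker that
# models what the snippet's get_signed_attribute() has to do, so the failure
# conditions (attribute absent, value with an unexpected ASN.1 tag) can be
# exercised offline without OpenSSL. All names here are this example's own.

# SCEP attribute OIDs and the pkiStatus / failInfo code points
SCEP_OID_PKISTATUS = "2.16.840.1.113733.1.9.3"
SCEP_OID_FAILINFO = "2.16.840.1.113733.1.9.4"
SCEP_PKISTATUS_SUCCESS, SCEP_PKISTATUS_FAILURE, SCEP_PKISTATUS_PENDING = 0, 2, 3
FAILINFO_MESSAGES = {
    0: "Unrecognized or unsupported algorithm ident",                       # badAlg
    1: "Integrity check failed",                                            # badMessageCheck
    2: "Transaction not permitted or supported",                            # badRequest
    3: "Message time field was not sufficiently close to the system time",  # badTime
    4: "No certificate could be identified matching",                       # badCertId
}
TAG_OID, TAG_UTF8STRING, TAG_PRINTABLESTRING, TAG_SEQUENCE, TAG_SET = 0x06, 0x0C, 0x13, 0x30, 0x31


def der_tlv(data, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(body):
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def encode_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return encode_tlv(TAG_OID, bytes(body))


def encode_attribute(oid, tag, value):
    """Attribute ::= SEQUENCE { type OID, values SET OF ANY }"""
    return encode_tlv(TAG_SEQUENCE, encode_oid(oid) + encode_tlv(TAG_SET, encode_tlv(tag, value)))


def parse_signed_attributes(der):
    """SET OF Attribute -> {oid: (tag, value)}, keeping the first value of each attribute."""
    tag, body, _ = der_tlv(der)
    if tag != TAG_SET:
        raise ValueError("signed attributes must be a SET")
    attribs = {}
    for atag, aval in der_children(body):
        if atag != TAG_SEQUENCE:
            raise ValueError("each Attribute must be a SEQUENCE")
        (otag, oid_body), (_, values) = der_children(aval)[:2]
        if otag != TAG_OID:
            raise ValueError("Attribute type must be an OID")
        attribs[decode_oid(oid_body)] = der_children(values)[0]
    return attribs


def get_signed_attribute(attribs, oid, expected_tag):
    """Mirror the snippet's helper: None when the attribute is absent OR its
    value carries a different ASN.1 tag than the one the caller expects."""
    if oid not in attribs:
        return None
    tag, value = attribs[oid]
    return None if tag != expected_tag else value.decode("ascii", "replace")


def check_pki_status(attribs):
    """Same decision flow as the snippet; returns (success, message)."""
    status = get_signed_attribute(attribs, SCEP_OID_PKISTATUS, TAG_PRINTABLESTRING)
    if status is None:
        return False, "Failed to get the signer pkiStatus attributes"
    code = int(status) if status.isdigit() else -1      # atoi()-like
    if code == SCEP_PKISTATUS_SUCCESS:
        return True, "PKI Status: success"
    if code != SCEP_PKISTATUS_FAILURE:
        return False, "PKI Status: Not success"
    fail = get_signed_attribute(attribs, SCEP_OID_FAILINFO, TAG_PRINTABLESTRING)
    if fail is None:
        return False, "Cannot find failInfo"
    code = int(fail) if fail.isdigit() else -1
    return False, FAILINFO_MESSAGES.get(code, "Wrong failInfo in reply")


# Constructed sample responses (not captured from any real SCEP server)
SAMPLE_SUCCESS = encode_tlv(TAG_SET, encode_attribute(SCEP_OID_PKISTATUS, TAG_PRINTABLESTRING, b"0"))
SAMPLE_BADREQUEST = encode_tlv(TAG_SET, encode_attribute(SCEP_OID_PKISTATUS, TAG_PRINTABLESTRING, b"2")
                               + encode_attribute(SCEP_OID_FAILINFO, TAG_PRINTABLESTRING, b"2"))
SAMPLE_WRONG_TYPE = encode_tlv(TAG_SET, encode_attribute(SCEP_OID_PKISTATUS, TAG_UTF8STRING, b"0"))
SAMPLE_NO_FAILINFO = encode_tlv(TAG_SET, encode_attribute(SCEP_OID_PKISTATUS, TAG_PRINTABLESTRING, b"2"))

if __name__ == "__main__":
    for name, der in [("success", SAMPLE_SUCCESS), ("badRequest", SAMPLE_BADREQUEST),
                      ("wrong ASN.1 type", SAMPLE_WRONG_TYPE), ("no failInfo", SAMPLE_NO_FAILINFO)]:
        print(f"{name:17s} -> {check_pki_status(parse_signed_attributes(der))}")
```

The SAMPLE_WRONG_TYPE case is the one that corresponds to a type check in the style of ASN1_TYPE_get(): the attribute is there and its OID matches, but the lookup still reports failure because the caller asked for V_ASN1_PRINTABLESTRING and the value is encoded as something else. The SAMPLE_BADREQUEST case produces the quoted message without any parsing problem at all, so the raw pkiStatus and failInfo strings are the first thing to capture when diagnosing the condition.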