Open fmarco76 opened 1 year ago
@fmarco76 just a general question without looking at the whole source code context. Is there any Usage info for the user that you need to update for?
@fmarco76 just a general question without looking at the whole source code context. Is there any Usage info for the user that you need to update for?
This is the script I have used to test the code against a server in FIPS mode. It requires PyScep to be installed and patched with this PR.
@fmarco76 Could you please try from OAEP_Server
branch once? I've taken your code and added few more items
I did a quick test with the OAEP_Server
branch. First of all the new branch force me to install flask even I am using only the client (maybe you can split client and server to avoid this).
There are several differences in the interface with my previous code so I have create a script as follow:
import codecs
from scep.client import Client
from scep._commons import SigningRequest
identity, identity_private_key = SigningRequest.generate_self_signed(
cn=u'127.0.0.1',
key_usage={u'digital_signature', u'key_encipherment'}
)
csr, private_key = SigningRequest.generate_csr(
cn=u'127.0.0.1',
key_usage={u'digital_signature', u'key_encipherment'},
password='Secret.123',
private_key= identity_private_key
)
print(codecs.decode(csr.to_pem()))
print(codecs.decode(private_key.to_pem()))
client = Client(
'http://127.0.0.1:8080/ca/cgi-bin/pkiclient.exe'
)
res = client.enrol(
csr=csr,
identity=identity,
identity_private_key=identity_private_key,
key_enc_alg=u'rsaes_oaep',
trans_id_alg='sha256'
)
if res.status == Client.PKIStatus.FAILURE:
print(res.fail_info)
elif res.status == Client.PKIStatus.PENDING:
print(res.transaction_id)
else:
i = 0
for cert in res.certificates:
print(codecs.decode(cert.to_pem(), "unicode_escape"))
With this I get the following error on decrypt:
Updating
INFO:CA Certificate: <scep._commons.certificate.Certificate object at 0x7fd3039a9080>
-----BEGIN CERTIFICATE REQUEST-----
MIICvzCCAacCAQAwFDESMBAGA1UEAwwJMTI3LjAuMC4xMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAwl4Y/4h9WtiH9RJPqNnIWe4xOJZ4Oc/0l8NKqcB2
CXr6/UYBhToQ/1z/pI3CUjF61Td8Q7LKNRf3m7mPGSXWbxxGIhFngiNJkdb9i6Ds
gP+/FGGs8PC2rPXZmW9C4BuPhs6QHdpiX0E8kso1+BZ+s15s7keK+XfWds60ZzBn
6hGb65UDGHivhgdML+a36sW3G7ynwh1e5Fd1kKvrDUwNkeX/txrPujwozrPourVp
DA8pSeaY3ZcJ53rUEgZuW2YkmMqEtsxQDEkS+pRNfwmVobNDrHS+mirhw75gNf2k
XfXusFGwF2Mo0WR39hDcLpPpuRomztX6VZecpE91enydiQIDAQABoGYwGQYJKoZI
hvcNAQkHMQwTClNlY3JldC4xMjMwSQYJKoZIhvcNAQkOMTwwOjAJBgNVHRMEAjAA
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAw
DQYJKoZIhvcNAQELBQADggEBAFHepIVFS1iOCS40itsVsbAIEJNGyaGzKfg9st7/
JAiQusRaVJ14E9oHtFrth/lVnFVRmJqJGFy21F/gD8xZvCIQ/TIWEURmH9ymP84R
9PGVhmqZguDQs8gxCKREyRJUBpxeurhPEVlbf74hpfBeVhGIBGL816/fHOC6JXMj
CTxTGH9TsFjp8C+b5vh3tnZocpH5oihkLeENmzBBzK2DqOlhbgLVPP1LneVgzE69
hwuO6UMs5DCE5dR91j9Xjk1vI9rDqNO9WfZW24w2iU1C1OnLNzemXjK8r/aIqpfu
/XNPu62LAnC2bx8pPNM7fP0BBNrV1ON8nUTG+CrFaYddG3M=
-----END CERTIFICATE REQUEST-----
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDCXhj/iH1a2If1
Ek+o2chZ7jE4lng5z/SXw0qpwHYJevr9RgGFOhD/XP+kjcJSMXrVN3xDsso1F/eb
uY8ZJdZvHEYiEWeCI0mR1v2LoOyA/78UYazw8Las9dmZb0LgG4+GzpAd2mJfQTyS
yjX4Fn6zXmzuR4r5d9Z2zrRnMGfqEZvrlQMYeK+GB0wv5rfqxbcbvKfCHV7kV3WQ
q+sNTA2R5f+3Gs+6PCjOs+i6tWkMDylJ5pjdlwnnetQSBm5bZiSYyoS2zFAMSRL6
lE1/CZWhs0OsdL6aKuHDvmA1/aRd9e6wUbAXYyjRZHf2ENwuk+m5GibO1fpVl5yk
T3V6fJ2JAgMBAAECggEAB0tXvdNF/RBOPeTDh48wxSs6vqhq96R1xfJGzYsTAvUS
EUo8yV6t/59iWq8VQVdpCDJuX+4IR6jQGpCCrcttOjtB6Iplq40eeDIszr4p0geH
CMFHp70o5eHOGkOCK33tS35aCzzEX1XH66xaDSbu91VOWjzmGsmkC05jl9HJvI9+
xdT+CjjYguNtVJs1NGc91OMQVKLK0Rjtcfc8P2nPauOr136V55lsaC4c4d/mUzxQ
BxBSRBbzxu/DwvfLd8BqbdG02ldSRzjqIqo2YSa+AIbUbpbKEB3IScYL1UmlSXNc
RurGRX0LXroQ81zJ751uRRY1Iz1D4wugGMhwYqXt7wKBgQD5BpD4D0RPCntGRjMB
j9aDZKPj1qjYQY055gQ/iTa8ZjgWETepjxgEvK/+yvmso6PMLgrpS7nEhA3TlZXM
T/eGPJCJkqwsXg+b4FyKgVfHZyr6rU5+NeGw9oXEDoI4Ngqr92cQOQ3r9EP7jL10
MeDwqeY2/pFx4xCFIGmHquNUgwKBgQDHz6aI9Ttg3+R5PKebIAb2FTOYzqmdY+V/
zVlSqbRTiziisi1SLYBBrA+Qob5RPLBYcBRg4887uE3BYrmNU6DE86hmCF5RhqbS
lf39PcyKLiniHaz5rMxMEP+cln4EUecFfaJRJuZz5aspkPUtWDRqgvL2sFLHmGnu
07qB6qDgAwKBgQDXHNj1rxpuvLsoRVOiMcI31iPMmI1Z4aZBMXTR/ZGOxS4FwfG3
QqiYzvWov2VVwDWqFsvOI1/hZcEb2MeBqkJDbuXcMRsRaF9LY1ANRRWyZmg2CqcX
VywSVaHPbkkGjYhCbIBW/zILdQGUtkqhqMSKn/kB4H17R43pscn3K6McSQKBgQCq
2nVVcRRn/qqXvHS44YbyTyjChhxk97GbOZUiaPhH46j2/ZJhTYT5Is5gZt2dC17j
EFtsif9+2laqgOeW4CZ9orehH5C+93uYYCdBruFCWrz3m1Z4W/iJJpPbapewy/PW
Lxpnd/LgsUdNkKUFNAIF/ZkRta3i/AHA9Qzq4BzVzwKBgHBvkTVT0ZLwa6wfY+Oy
/bkFiyh8LoNDNtBX4zDbLyEueuvMMrm7CFzzJuufK2PRpxtXXWfQh/VvbkJplolw
3VpBlmsdPxHaNX3FvAKoGzkp6QiOHRBX1/4nyEU+9/brGJScVqzpeTyll/+l7HUt
zct8b92Wc4XJcSks9jm9SQae
-----END PRIVATE KEY-----
DEBUG:Starting new HTTP connection (1): 127.0.0.1:8080
DEBUG:http://127.0.0.1:8080 "GET /ca/cgi-bin/pkiclient.exe?operation=GetCACaps&message= H
TTP/1.1" 200 25
DEBUG:Server Capabilities are AES, SHA-512, DES3, SHA-256
DEBUG:Starting new HTTP connection (1): 127.0.0.1:8080
DEBUG:http://127.0.0.1:8080 "GET /ca/cgi-bin/pkiclient.exe?operation=GetCACert&message= H
TTP/1.1" 200 1205
DEBUG:Received response with CA certificates
DEBUG:Message Type : 19
DEBUG:Transaction ID : 4b9bf69687399877d60c286e7b44e0a0cdb3e55870a22d5a54add2646c6dd
c27
DEBUG:Sender Nonce : b'wkEQKq2MjaaDxfQv/9vcTw=='
DEBUG:Starting new HTTP connection (1): 127.0.0.1:8080
DEBUG:http://127.0.0.1:8080 "GET /ca/cgi-bin/pkiclient.exe?operation=PKIOperation&message
=MIIKyAYJKoZIhvcNAQcCoIIKuTCCCrUCAQExDzANBglghkgBZQMEAgMFADCCBUsGCSqGSIb3DQEHAaCCBTwEggU4
MIIFNAYJKoZIhvcNAQcDoIIFJTCCBSECAQExggIYMIICFAIBADBNMEgxEDAOBgNVBAoMB0VYQU1QTEUxEzARBgNVB
AsMCnBraS10b21jYXQxHzAdBgNVBAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUCAQEwPAYJKoZIhvcNAQEHMC%2Bg
DzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAASCAYCB0y%2Bj7He5YRRvoUNT6u8
9T8uVE%2Fd71H3opGe%2B9V1A9CVoCn6SJU5MuiLDdZiCAn2ZoSJ6KcQNGH4Vkv99rtgxa4HUL8hhv5Sj26u3LZEV
gJc6YNyC3w%2FrMI4%2FraPbE%2Fds4QIxl7V30bXVkxv%2B8CeUC1Sbt4iCjeuwcK4mnyOrgXdM9R2%2FnNbfFoW
%2F%2F7ECf9AnTrV8YNTAhogaukuv4xH88NkxlGUQ5Ua9Cf9b5GA4OqvIFFDWm0hpoHW20EiinyZjsoJB%2BEmURH
Z3%2BubbX8glYQCd7a75cr4Q7DByzJECor1ks%2FPGYiQzm6kbKX2NDus02LbnccpnXqFeEZLYMHp4OrF1HlzE%2B
Q3pRZYMbeM2RLPKPNAR62OjVVWS3fqxrLDcTzQK%2B3dR6gwB21kOwflQUIYUidRIuRGpg23srLT5zQMOPc7x6dFc
Eg9tcf1InJNxFw%2FPqlTNO2wRDG8EVu77YHYKAGmZBP6zqaIV79w6jYmcsejKkQ5kSHSdfQmJoxgwggL%2BBgkqh
kiG9w0BBwEwHQYJYIZIAWUDBAECBBDoVHAipHnHflrZVpcxoWIRgIIC0IfF7boufAZM46vvQypXVnjjFpgnSt6JBJ
CBtXBUvjFEvVJpyqK3SWGpvTCN2X0arZPbeC28ABmv4eChwdFAvGIRl8iC2j3U7onL8G6PTeZxI42pVVGPQSf590C
OQrKgKejfMlZugbpsmVYovg5D%2BvpFfTgNplBzGZCtUl5UsJX8%2BecVvSquW2wX0MN4SwMnVM1IFdUy%2FoGBjv
NqkNlQwQ4At%2FufmctXSzk0sWAMvHtsM5GiikkgaXIsJmBrxbAD%2Fd%2FspHo4pFkWwbzZWlvT%2BnTBaRbm0mV
M5B%2FVIcKUFdRWKBxO6Ew0mK1VKSFj27GZ3Ub25E3Z%2BruKBgBy4%2F1E5TXDNu1n0%2Fq9REZaGobbrImZ6mB9
xTyRj4EErmb2OUZQaVQLgrWmXkwBescah2RN7cr9RapQJy4mubXoKoMn98ZC%2FOdVexBkE0vGgaPZVTSVVtCJV99
koMHuDC9UCtHj%2B7sE0MUiNwTXc9YgjdyS68NqAhwy3z0326h%2FyuWVuQyyZM7fqUTS0Y%2F7FzjlugWOQ%2BJx
EVFGSjRmrVaKdYe4d2tp8t4GQSp7b9VDeIXqsP%2FqtIpJUhuNL2lPhWee0Cinsz%2FFfzEu3WgrsfSo2raLeCQTO
AvWjOj6y9Djaq%2FPWRL64lTDCBD76%2FvU%2FjEYqtARFLPrvwooxPfg%2Bhz%2Fiog3Ye3Qj3SxhaLjqcuG%2FL
LhAMXZswFSIr04hNkrcU1DJA5w7SSYTdlIo6FKj6O8Su4VXsM8MkbJQ3Fm0YNQnMC2tKvdTWQ%2FjQ7dSE6rRZZdZ
qpFdeF0VqTitkqw3OOaWjp8t5Sp%2BU%2BHj2lL4YK%2BJJjMV%2FnLsH0w7m%2FvwXi8vflGu2L3cOHuI4QgKqt5
eagELllOw3Nn1plpJ7%2FCnmoMOMwGEtgksi07KAOVFTVGnYOgkLH2%2BYMei1k1grVsvRRrO%2BLz7xoQEfpnn%2
B63NXzTHIvNuXwkyaCCAwkwggMFMIIB7aADAgECAghjzmhY%2FMGk8zANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQD
DAkxMjcuMC4wLjEwHhcNMjMwMTIzMTA1ODMyWhcNMjQwMTIzMTA1ODMyWjAUMRIwEAYDVQQDDAkxMjcuMC4wLjEwg
gEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCXhj%2FiH1a2If1Ek%2Bo2chZ7jE4lng5z%2FSXw0qpwHYJ
evr9RgGFOhD%2FXP%2BkjcJSMXrVN3xDsso1F%2FebuY8ZJdZvHEYiEWeCI0mR1v2LoOyA%2F78UYazw8Las9dmZb
0LgG4%2BGzpAd2mJfQTySyjX4Fn6zXmzuR4r5d9Z2zrRnMGfqEZvrlQMYeK%2BGB0wv5rfqxbcbvKfCHV7kV3WQq%
2BsNTA2R5f%2B3Gs%2B6PCjOs%2Bi6tWkMDylJ5pjdlwnnetQSBm5bZiSYyoS2zFAMSRL6lE1%2FCZWhs0OsdL6aK
uHDvmA1%2FaRd9e6wUbAXYyjRZHf2ENwuk%2Bm5GibO1fpVl5ykT3V6fJ2JAgMBAAGjWzBZMAkGA1UdEwQCMAAwHQ
YDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBSObek5KpbcQP3YQ3DgJaHgW2VHajAOBgNVHQ8
BAf8EBAMCBaAwDQYJKoZIhvcNAQELBQADggEBABJsX%2BOFJjToK2yI4kCcUyQZ38Iv3JRMFVqdF4aZHVb1W%2Fa%
2BDyZK5UCZYeVAhqzU9SRie8T8sneSbAiltLW9cqwVDRtCLCXfEjFWXpi1eTSxVP6xY6AuCpac0a%2F4%2FjILaHY
oqZ16wdt7W%2BPx30xySBXwiP3GZcEk3dGbimXccJbdaxyCWm5N47XzTsmYGg9TRUqRi%2BT54o2Q%2FooV776%2F
YrT0pONyI3hEvQNLEuNSaGbK3I0QI8dzucqtIrOryGZilmlfgkZ2dNvjsUgmfFRbUrljwrCftdbXPhNm83IG1vY5e
%2FIKCKdhTlZ19s18iooKpRzxCC0SHBbteOZ2t7YyE1cxggJBMIICPQIBATAgMBQxEjAQBgNVBAMMCTEyNy4wLjAu
MQIIY85oWPzBpPMwDQYJYIZIAWUDBAIDBQCggfMwEgYKYIZIAYb4RQEJAjEEEwIxOTAYBgkqhkiG9w0BCQMxCwYJK
oZIhvcNAQcBMCAGCmCGSAGG%2BEUBCQUxEgQQwkEQKq2MjaaDxfQv%2F9vcTzBPBgkqhkiG9w0BCQQxQgRA3Mcwqf
aNlXsr3%2Ff7hSACfA7A0DN0JqwHLSNRncBbMCoem4o59ZbaWTKCMxzG9cZGtAftmytOpFrO%2BJ1I6kYBEjBQBgp
ghkgBhvhFAQkHMUITQDRiOWJmNjk2ODczOTk4NzdkNjBjMjg2ZTdiNDRlMGEwY2RiM2U1NTg3MGEyMmQ1YTU0YWRk
MjY0NmM2ZGRjMjcwDQYJKoZIhvcNAQEBBQAEggEAPPNvLWYAZPydRTWuVcIjJl6zvqT7ITeOYd0eKXERnpFdXAXco
rA%2F3I3UKEfzc7fjR9Lt%2B7Pt92wlZqwkChE%2BZPfyxAJZ4U1uBqz5ePp0soStehnlIM67JVbgGPeK2VjoyRkY
4t1WqGJ%2BpAKQLsR8X2D6FnLLW8WeA5QEpGsNMDKY1jC8JBLCT5gkX9YyDfE87AY%2BKDShtV%2BvvCvyyqtOFoH
6iAxGVBppALoyMMEpczyfuDfIDOnwdEwzKgY75jwiMR%2BtT1AVBTa5EeRWkPOBSWapWxesZLyA%2Fjjl4os1enUk
8u18G4FNJ0N0O77tZ0qBkrh0iHuHS5ZWz5EiKF7xWg%3D%3D HTTP/1.1" 200 2293
DEBUG:No certificates attached to SignedData
DEBUG:Using signature algorithm: rsassa_pkcs1v15
DEBUG:Using digest algorithm: sha256
DEBUG:SCEP Message
DEBUG:------------
DEBUG:Transaction ID : 4b9bf69687399877d60c286e7b44e0a0cdb3e55870a22d5a54add2646c6dd
c27
DEBUG:Message Type : MessageType.CertRep
DEBUG:PKI Status : PKIStatus.SUCCESS
DEBUG:Sender Nonce : b'JOln6e/ndxH5eCcKJiao/Q=='
DEBUG:Recipient Nonce : b'wkEQKq2MjaaDxfQv/9vcTw=='
DEBUG:------------
DEBUG:Certificates
DEBUG:------------
DEBUG:Includes 0 certificate(s)
DEBUG:Signer(s)
DEBUG:------------
DEBUG:Issuer X.509 Name : Common Name: CA Signing Certificate, Organizational Unit: pki
-tomcat, Organization: EXAMPLE
DEBUG:Signature Algorithm : rsassa_pkcs1v15
DEBUG:Digest Algorithm : sha256
DEBUG:content_type is enveloped_data
DEBUG:Algo is rsaes_pkcs1v15 Padding is pkcs
Traceback (most recent call last):
File "py-scep-new.py", line 30, in <module>
trans_id_alg='sha256'
File "/home/mfargett/.local/lib/python3.6/site-packages/scep/client.py", line 124, in e
nrol
return self._pki_operation(identity=identity, identity_private_key=identity_private_k
ey, envelope=envelope, message_type=MessageType.PKCSReq, cacaps=cacaps, ca_certs=ca_certs
, transaction_id=transaction_id)
File "/home/mfargett/.local/lib/python3.6/site-packages/scep/client.py", line 155, in _
pki_operation
decrypted_bytes = cert_rep.get_decrypted_envelope_data(identity, identity_private_key
)
File "/home/mfargett/.local/lib/python3.6/site-packages/scep/_commons/message.py", line
231, in get_decrypted_envelope_data
padding_type=padding
File "/home/mfargett/.local/lib/python3.6/site-packages/scep/_commons/privatekey.py", l
ine 90, in decrypt
return self._crypto_private_key.decrypt(ciphertext=ciphertext, padding=padding)
File "/usr/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/rsa.py",
line 349, in decrypt
return _enc_dec_rsa(self._backend, self, ciphertext, padding)
File "/usr/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/rsa.py",
line 75, in _enc_dec_rsa
return _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding)
File "/usr/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/rsa.py",
line 133, in _enc_dec_rsa_pkey_ctx
raise ValueError("Encryption/decryption failed.")
ValueError: Encryption/decryption failed.
There is no error server side. Additionally, testing with my version it works so there should be some change which generate the error.
Hi,
I am currently trying PyScep with my MS NDES and I am getting the same error above
File "/usr/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 133, in _enc_dec_rsa_pkey_ctx raise ValueError("Encryption/decryption failed.") ValueError: Encryption/decryption failed.
Also with your PR patches, any idea why?
Thanks
@svenauhagen it is a problem with encrypt/decrypt but I do not know "MS NDES" in the details so I am not aware of what is used. Is this working with RSA+OAEP or other? I think you can take a look on the exchanged messages to understand what is going on.
Introduce the RSA with OAEP encryption to support FIPS compliant services.
Fix #9