bikram990 / PyScep

A Python SCEP client and server
MIT License

Invalid signature error in enrollment #15

Open b0tting opened 1 year ago

b0tting commented 1 year ago

Hi,

Thank you for taking the time to create this module. So I have been trying to use this library to extract new certificates from our Windows CA Server running a caserver01. Based on your examples I have the following code:

from logging.config import fileConfig
fileConfig('logging.ini')
from scep import Client
from scep.Client import PKIStatus

# Self-signed identity used to sign and decrypt the SCEP messages
identity, identity_private_key = Client.SigningRequest.generate_self_signed(
    cn=u'ieaws1s001',
    key_usage={u'digital_signature', u'key_encipherment'}
)

# CSR for the certificate we actually want the CA to issue
csr, private_key = Client.SigningRequest.generate_csr(
    cn=u'ieaws1s001',
    key_usage={u'digital_signature', u'key_encipherment'},
    password='<msscep challenge password>'
)

# NDES/MSCEP endpoint on the Windows CA server
client = Client.Client('http://caserver01/certsrv/mscep/mscep.dll')
res = client.enrol(
    csr=csr,
    identity=identity,
    identity_private_key=identity_private_key,
)

...this fails with a signature error as follows:

Traceback (most recent call last):
  File "mark.py", line 20, in <module>
    res = client.enrol(
  File "/root/mark/venv/lib/python3.8/site-packages/scep/Client/client.py", line 123, in enrol
    return self._pki_operation(identity=identity, identity_private_key=identity_private_key, envelope=envelope, message_type=MessageType.PKCSReq, cacaps=cacaps, ca_certs=ca_certs, transaction_id=transaction_id)
  File "/root/mark/venv/lib/python3.8/site-packages/scep/Client/client.py", line 147, in _pki_operation
    cert_rep = SCEPMessage.parse(raw=res.content, signer_cert=ca_certs.signer)
  File "/root/mark/venv/lib/python3.8/site-packages/scep/Client/message.py", line 83, in parse
    signer_cert.verify(
  File "/root/mark/venv/lib/python3.8/site-packages/scep/Client/certificate.py", line 106, in verify
    return self.public_key.verify(signature=signature, padding_type=padding_type, digest_algorithm=digest_algorithm, data=data)
  File "/root/mark/venv/lib/python3.8/site-packages/scep/Client/publickey.py", line 59, in verify
    return self._crypto_public_key.verify(signature, data, padding, hasher)
  File "/root/mark/venv/lib/python3.8/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 582, in verify
    _rsa_sig_verify(
  File "/root/mark/venv/lib/python3.8/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 324, in _rsa_sig_verify
    raise InvalidSignature

I added some debug logging which might be relevant:

2023-09-15 15:16:34,628 [DEBUG] urllib3.connectionpool: Starting new HTTP connection (1): caserver01:80
2023-09-15 15:16:34,643 [DEBUG] urllib3.connectionpool: http://caserver01:80 "GET /certsrv/mscep/mscep.dll?operation=GetCACaps&message= HTTP/1.1" 200 51
2023-09-15 15:16:34,644 [DEBUG] scep.Client.client: Server Capabilities are SHA-512, Renewal, SHA-1, SHA-256, POSTPKIOperation, DES3
2023-09-15 15:16:34,647 [DEBUG] urllib3.connectionpool: Starting new HTTP connection (1): caserver01:80
2023-09-15 15:16:34,651 [DEBUG] urllib3.connectionpool: http://caserver01:80 "GET /certsrv/mscep/mscep.dll?operation=GetCACert&message= HTTP/1.1" 200 3760
2023-09-15 15:16:34,651 [DEBUG] scep.Client.client: Received response with RA certificates
2023-09-15 15:16:34,652 [DEBUG] scep.Client.message: 3 certificate(s) attached to signedData
[]
[]
2023-09-15 15:16:34,672 [DEBUG] scep.Client.builders: Message Type        : 19
2023-09-15 15:16:34,672 [DEBUG] scep.Client.builders: Transaction ID      : 25cae44d98e6e54b74a0fa54aa8c00bf94a5cdb9
2023-09-15 15:16:34,673 [DEBUG] scep.Client.builders: Sender Nonce        : b'BAtoEIMsmBsKkHV6mJRUgw=='
2023-09-15 15:16:34,682 [DEBUG] urllib3.connectionpool: Starting new HTTP connection (1): caserver01:80
2023-09-15 15:16:34,689 [DEBUG] urllib3.connectionpool: http://caserver01:80 "POST /certsrv/mscep/mscep.dll?operation=PKIOperation&message= HTTP/1.1" 200 730
2023-09-15 15:16:34,690 [DEBUG] scep.Client.message: No certificates attached to SignedData
2023-09-15 15:16:34,690 [DEBUG] scep.Client.message: Using signature algorithm: rsassa_pkcs1v15
2023-09-15 15:16:34,691 [DEBUG] scep.Client.message: Using digest algorithm: sha1
[<OpenSSLError(code=33554570, lib=4, reason=138, reason_text=invalid padding)>, <OpenSSLError(code=33554546, lib=4, reason=114, reason_text=padding check failed)>, <OpenSSLError(code=478674948,lib=57, reason=524292, reason_text=RSA lib)>]

Before investing time in further troubleshooting, were there already successful tests against Microsoft CA Server?
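The "Server Capabilities" line in the debug output above is the CA's GetCACaps answer, and it is what a SCEP client uses to decide which digest and content-encryption algorithm to put in its PKCS#7 messages. The list in this report advertises DES3 rather than AES and still lists SHA-1 next to SHA-256 and SHA-512. The following is an added example, not code from PyScep, that parses such a response and applies the selection and fallback rules of RFC 8894 section 3.5.2 (MD5 and single DES are the mandated defaults when a CA advertises no hash or cipher at all, and SCEPStandard implies AES, SHA-256 and POSTPKIOperation). The sample body, the KNOWN_CAPS table and the weak-algorithm policy are constructed for the example.

```python
"""Parse a SCEP GetCACaps body and choose client algorithms (RFC 8894 3.5.2).

Added example for this thread; not PyScep code. SAMPLE_CACAPS is constructed
from the "Server Capabilities are ..." debug line in the bug report.
"""

# Constructed sample: a GetCACaps response carries one keyword per line.
SAMPLE_CACAPS = "SHA-512\r\nRenewal\r\nSHA-1\r\nSHA-256\r\nPOSTPKIOperation\r\nDES3\r\n"

# Keywords defined by RFC 8894, upper-cased for case-insensitive comparison.
KNOWN_CAPS = {
    "AES", "DES3", "GETNEXTCACERT", "POSTPKIOPERATION", "RENEWAL",
    "SHA-1", "SHA-256", "SHA-512", "SCEPSTANDARD",
}

# Preference order, strongest first; the last entry of each tuple is the
# RFC 8894 default a client must fall back to when nothing is advertised.
DIGEST_PREFERENCE = ("SHA-512", "SHA-256", "SHA-1", "MD5")
CIPHER_PREFERENCE = ("AES", "DES3", "DES")

# Hypothetical local policy: algorithms worth flagging before enrolment.
WEAK_DIGESTS = {"SHA-1", "MD5"}
WEAK_CIPHERS = {"DES3", "DES"}


def parse_cacaps(body):
    """Return the set of upper-cased capability keywords in a GetCACaps body.

    SCEPStandard is expanded to the capabilities it guarantees so that the
    selection functions below do not need to special-case it.
    """
    caps = set()
    for line in body.splitlines():
        token = line.strip()
        if token:
            caps.add(token.upper())
    if "SCEPSTANDARD" in caps:
        caps.update({"AES", "SHA-256", "POSTPKIOPERATION"})
    return caps


def select_digest(caps):
    """Strongest advertised hash, or MD5 when the CA advertises none."""
    for name in DIGEST_PREFERENCE:
        if name in caps:
            return name
    return "MD5"


def select_cipher(caps):
    """Strongest advertised content cipher, or single DES when none is advertised."""
    for name in CIPHER_PREFERENCE:
        if name in caps:
            return name
    return "DES"


def negotiate(body):
    """Parse a GetCACaps body and report the choices plus anything to flag."""
    caps = parse_cacaps(body)
    digest = select_digest(caps)
    cipher = select_cipher(caps)
    warnings = []
    if digest in WEAK_DIGESTS:
        warnings.append("CA offers nothing stronger than %s for signing" % digest)
    if cipher in WEAK_CIPHERS:
        warnings.append("CA does not advertise AES; encryption would use %s" % cipher)
    if "POSTPKIOPERATION" not in caps:
        warnings.append("CA requires GET for PKIOperation (base64 message in the URL)")
    return {
        "caps": caps,
        "digest": digest,
        "cipher": cipher,
        "unknown": sorted(caps - KNOWN_CAPS),
        "warnings": warnings,
    }


if __name__ == "__main__":
    result = negotiate(SAMPLE_CACAPS)
    print("digest  :", result["digest"])
    print("cipher  :", result["cipher"])
    print("unknown :", result["unknown"])
    for w in result["warnings"]:
        print("warning :", w)
```

Run against the capability list from the report this selects SHA-512 and DES3 and flags the missing AES; run against an empty body it falls back to MD5 and DES, which is the behaviour a client must show to interoperate with very old CAs and exactly the case a deployment should refuse by policy.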

shankara-n commented 1 year ago

Same issue.

itaysp commented 8 months ago

Same here with NDES

bikram990 commented 8 months ago

This library is only tested against EJBCA. I don't have access to Microsoft CA Server/NDES.

Could you please provide me some support on these servers?

svenauhagen commented 7 months ago

@bikram990 I can give you access to a Microsoft CA Server/NDES test system if you are still interested in fixing this problem?

srikanthsoma commented 5 months ago

@bikram990 I am also seeing the same issue when trying to enroll against a Microsoft CA NDES server. Do you have an update on what we can do to get it resolved? On the server we are seeing the below error in the Event Viewer: "The Network Device Enrollment Service cannot decrypt the client's PKCS7 message (0x80090005). Bad Data."