dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

SCEP PKIOperation InvalidBERException #1185

Closed pki-bot closed 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #615. Originally filed by nkinder (@nkinder) on 2013-05-13 17:19:43:


Cisco router, the model is probably: Router MSR20-21 (Comware). 5.20 Release 2207P02 ( the config is showing this: version 5.20, Release 2207P02, Standard )

Steps to Reproduce:

  1. have a CA instance configured

  2. enable SCEP

        /etc/init.d/pki-ca stop
        cp -p /etc/pki-ca/CS.cfg /etc/pki-ca/CS.cfg-1
        vi /etc/pki-ca/CS.cfg
        ...
        ca.scep.enable=true
        /etc/init.d/pki-ca start

  3. take request from collected CA debug log, convert to escape and remove \n

  4. submit request using csr using wget to the EE interface for SCEP enrollment, example:

        wget http://ca1.example.com:9180/ca/ee/ca/pkiclient --post-data 'operation=PKIOperation&message=...'

Actual results:

    --2013-03-12 15:41:15-- http://ca1.example.com:9180/ca/ee/ca/pkiclient
    Resolving ca1.example.com... 10.14.5.17
    Connecting to ca1.example.com|10.14.5.17|:9180... connected.
    HTTP request sent, awaiting response... 500 Internal Server Error
    2013-03-12 15:41:15 ERROR 500: Internal Server Error.

    [12/Mar/2013:15:41:15]http-9180-Processor25: CRSEnrollment: init: SCEP support is enabled.
    [12/Mar/2013:15:41:15]http-9180-Processor25: CRSEnrollment: init: SCEP nickname: caSigningCert cert-pki-ca
    [12/Mar/2013:15:41:15]http-9180-Processor25: CRSEnrollment: init: CA nickname: caSigningCert cert-pki-ca
    [12/Mar/2013:15:41:15]http-9180-Processor25: CRSEnrollment: init: Token name: Internal Key Storage Token
    [12/Mar/2013:15:41:15]http-9180-Processor25: CRSEnrollment: init: Is SCEP using CA keys: true
    [12/Mar/2013:15:41:15]http-9180-Processor25: CRSEnrollment: init: mNonceSizeLimit: 16
    [12/Mar/2013:15:41:15]http-9180-Processor25: CRSEnrollment: init: mHashAlgorithm: SHA1
    [12/Mar/2013:15:41:15]http-9180-Processor25: CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
    [12/Mar/2013:15:41:15]http-9180-Processor25: CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
    [12/Mar/2013:15:41:15]http-9180-Processor25: CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
    [12/Mar/2013:15:41:15]http-9180-Processor25: CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
    [12/Mar/2013:15:41:15]http-9180-Processor25: CRSEnrollment: init: mEncryptionAlgorithm: DES3
    [12/Mar/2013:15:41:15]http-9180-Processor25: CRSEnrollment: init: mEncryptionAlgorithmList: DES3
    [12/Mar/2013:15:41:15]http-9180-Processor25: CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
    [12/Mar/2013:15:41:15]http-9180-Processor25: CRSEnrollment: init: mProfileId=caRARouterCert
    [12/Mar/2013:15:41:15]http-9180-Processor25: operation=PKIOperation
    [12/Mar/2013:15:41:15]http-9180-Processor25: message=...
    org.mozilla.jss.asn1.InvalidBERException: SEQUENCE(item 3) >> SET
        at org.mozilla.jss.asn1.SET$Template.decode(SET.java:726)
        at org.mozilla.jss.asn1.SET$OF_Template.decode(SET.java:874)
        at org.mozilla.jss.asn1.SEQUENCE$Template.decode(SEQUENCE.java:402)
        at org.mozilla.jss.pkcs7.SignedData$Template.decode(SignedData.java:415)
        at org.mozilla.jss.pkcs7.SignedData$Template.decode(SignedData.java:409)
        at com.netscape.cmsutil.scep.CRSPKIMessage.decodeCRSPKIMessage(CRSPKIMessage.java:703)
        at com.netscape.cmsutil.scep.CRSPKIMessage.<init>(CRSPKIMessage.java:716)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:781)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:305)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:537)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:171)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:167)
        at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:139)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:537)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:218)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:171)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:167)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:542)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
        at java.lang.Thread.run(Thread.java:679)
    [12/Mar/2013:15:41:15]http-9180-Processor25: ServletException javax.servlet.ServletException: Could not decode the request.

A dumpasn1 of the request does not show any errors, but that request is quite larger than usual ones.

pki-bot commented 4 years ago

Comment from awnuk (@awnuk) at 2013-07-09 19:27:50

A look at the request pretty print included above shows that the certificate included in the certificate list has invalid version 4

        . . .
        Certificate List:
            Certificate (1):
                Data:
                    Version: 4 (0x3)
        . . .

where the currently allowed versions specified in RFC 5280 are:

   . . .
   Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
   . . .

see: http://tools.ietf.org/html/rfc5280#section-4.1

This issue requires more investigation. (https://bugzilla.redhat.com/show_bug.cgi?id=921307)

pki-bot commented 4 years ago

Comment from awnuk (@awnuk) at 2013-10-17 01:18:51

This is a copy of [comment 20] from https://bugzilla.redhat.com/show_bug.cgi?id=921307 bug 921307:

Any SCEP request generated with an INCORRECT certificate version 4 causes the same parsing error as reported by this customer, while SCEP requests with certificate version 3 are parsed properly.

As previously reported in [comment 9] of https://bugzilla.redhat.com/show_bug.cgi?id=921307 bug 921307, the standard way to encode the version of any X509 certificate is the following:

   Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

see: http://tools.ietf.org/html/rfc5280#section-4.1 and X509 standard.
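
The version check discussed in the two comments above, as an added example that is not part of the original issue or of Dogtag's code: a minimal DER walk that reads a certificate's version field and compares it with the RFC 5280 values. All function names are hypothetical, and the `sample_cert` inputs are constructed stubs holding only a version and a serial number.

```python
# Added example: read the DER version field of an X.509 certificate (RFC 5280 4.1).
ALLOWED = {0: "v1", 1: "v2", 2: "v3"}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, pos, pos + length

def certificate_version(der):
    """Raw Version INTEGER of a Certificate; 0 (v1) when the field is absent."""
    tag, start, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, start, _ = read_tlv(der, start)      # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = read_tlv(der, start)    # first field of tbsCertificate
    if tag != 0xA0:                           # no [0] EXPLICIT tag: DEFAULT v1
        return 0
    tag, start, end = read_tlv(der, start)    # INTEGER inside [0]
    if tag != 0x02 or start == end:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[start:end], "big", signed=True)

def check_version(der):
    """Return (label, allowed); label is 'v<N>' the way pretty-printers show it."""
    raw = certificate_version(der)
    return ALLOWED.get(raw, "v%d" % (raw + 1)), raw in ALLOWED

def tlv(tag, content):                        # DER encoder, contents under 128 bytes only
    return bytes([tag, len(content)]) + content

def sample_cert(raw_version):
    """Constructed stub: only version and serialNumber, not a real certificate."""
    tbs = tlv(0xA0, tlv(0x02, bytes([raw_version]))) + tlv(0x02, b"\x06")
    return tlv(0x30, tlv(0x30, tbs))
```

A raw value of 3 is what the pretty print in this issue shows as `Version: 4 (0x3)`; `check_version(sample_cert(3))` reports it as not allowed.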

pki-bot commented 4 years ago

Comment from nkinder (@nkinder) at 2017-02-27 14:10:48

Metadata Update from @nkinder: