Closed bensprin closed 4 years ago
It is not an issue with the enrollment protocol. It is an issue with the authentication.

Test case 2.1 is designed for checking that unauthenticated enrollments are not accepted by default. Note that parameter `1/in` is requesting an enrollment based on method `/simpleenroll` (parameter `1/action`), and the enrollment operation is presenting a CSR asking for a certificate with the subject name `/CN=test_2.1`. Also note that this enrollment is being performed without providing any authentication method (neither parameter `creds` nor `cert`, which you can observe in other tests):
```ini
[test 2.1]
title     = No credentials, No enroll
whitelist =                  # The EST server enrollment whitelist is void
                             # -- no enrollments are expected.
                             # an enrollment without creds/certs is attempted
                             # it should fail
1/action  = simpleenroll
1/in      = \
  (/CN=test_2.1)             # ask for a SN without presenting credentials
                             # nor authentication certificates.
```
Finally, the `whitelist` parameter is void, so no enrollments should be possible. Therefore this test will be considered successful only if the EST server refuses this enrollment.

In your execution it seems that the EST server is recognizing that the enrollment is authorized. Maybe it is because the EST server considers that the XXXXX:XXXXX credentials are enough for authorizing this operation.
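To make the decision test 2.1 exercises concrete, here is an added example (written for this page; it is not pest's code and not part of the original issue). It runs a minimal mock EST server that accepts `POST /.well-known/est/simpleenroll` (the RFC 7030 well-known path) only when the request carries HTTP Basic credentials, and drives it twice: once with no credentials, as test 2.1 does, and once with a `user:password` string pushed the way pest's `-u` option does. The credential store, the CSR stand-in and the server's responses are all constructed for the example; a real server would parse the CSR and return a PKCS#7 certs-only body.

```python
"""Mock of the authorization check behind test 2.1 (added example, not pest code)."""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

EST_PATH = "/.well-known/est/simpleenroll"   # RFC 7030 well-known URI for simpleenroll

# Constructed credential store for the mock; the real server's users/realm are unknown.
VALID_USERS = {"user": "pass"}


def parse_basic(header):
    """Return (username, password) from an 'Authorization: Basic ...' value, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(header):
    """True only when the header carries a known user with the matching password."""
    cred = parse_basic(header)
    return cred is not None and VALID_USERS.get(cred[0]) == cred[1]


class MockEST(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        self.rfile.read(length)            # the CSR body; the mock does not parse it
        if self.path != EST_PATH or self.headers.get("Content-Type") != "application/pkcs10":
            self.send_response(400)
            self.end_headers()
            return
        if not authorize(self.headers.get("Authorization")):
            # This is the branch test 2.1 expects: no credentials, no enrollment.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="est"')
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/pkcs7-mime; smime-type=certs-only")
        self.end_headers()
        self.wfile.write(b"<constructed placeholder for the PKCS#7 certs-only response>")

    def log_message(self, *args):          # keep the example quiet
        pass


def simpleenroll(base_url, csr_der, creds=None):
    """POST a DER CSR to /simpleenroll and return the HTTP status code.

    creds is an optional 'user:password' string, pushed as HTTP Basic like pest's -u.
    """
    req = Request(base_url + EST_PATH, data=csr_der, method="POST")
    req.add_header("Content-Type", "application/pkcs10")
    if creds:
        req.add_header("Authorization", "Basic " + base64.b64encode(creds.encode()).decode())
    try:
        with urlopen(req) as resp:
            return resp.status
    except HTTPError as e:
        return e.code


def run_test_2_1(creds=None):
    """Run the 2.1 scenario against the mock; return (status, test_passed)."""
    server = HTTPServer(("127.0.0.1", 0), MockEST)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d" % server.server_address[1]
        csr_der = b"\x30\x00"              # constructed stand-in for a DER PKCS#10 request
        status = simpleenroll(url, csr_der, creds)
        # Test 2.1 passes only if the server refuses the unauthenticated enrollment.
        return status, status in (401, 403)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("no creds   ->", run_test_2_1())             # (401, True)
    print("with creds ->", run_test_2_1("user:pass"))  # (200, False)
```

The second run is the situation described above: the same server, the same CSR, but once Basic credentials ride along the enrollment is authorized and the test is reported as failed, because the scenario required a refusal.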
Wanted to get back to you regarding version 0.0.3 and testcase 2.1:
We got the following request via EST:
```
Signature verification successful
Description: Created Certificate Request
ID: 00bNbL1CEqvN+lJPAvV9gXtYpVY=
Time: 2020-11-12 10:16:31
Signed by: xxxx
Signer DN: xxxx
Signer serial number: 6ef36965ac1831f950c2cf068dd85e40
Log record:
certrequests.value:
  1:
    authorization: Basic bmV4dXM6bmV4dXM=,realm=""
    cardserialnumber.unique: true
    commonname.value: test_2.1
    extension.subjectaltname.attributes.0.dnsname.value: test_2.1
    publickeyinfo.value: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyce6oQv2olc9VFh/Q8r5D+H1e4FyFqYedNVJ2TkFg4WK1UjnvgsT4vbByEdgqCZe7Eb01B838DREnw33kVMqq72aXmAL84670odUfW7FmGPjtkeAiiJYADJKd26XmtRMm7y8X9NGiTvkmgSvVHFtHyQbGsy3wHz6MVjIRJR8iZ8GG+0vIV1ttMRBTFNeV/uq8gRzy2DwLMxQyT1PzYpCCNMkPMqGTqmMz+zKngYANUukK0PUCc+sgBhISuhXFv6C3dTXuDh9wj/Supj/R4WCVxblP3wESVLdbW3HQfNvLDETGPB+XzlhmJOlLIH/XELaxbNlg3Hq7JtFmiRnOkyjrwIDAQAB
    clientversion: xxx
commoncontext.value:
  procedureid.value: EST Registration and Enroll Procedure
  procedureid.value: EST Registration and Enroll Procedure
transaction-id: EST-HbHAb+q+ItMALfmV
```
The certificate looks this way:
```
DEVL_VM (xxx) ~/pest/prebuild/pest-0.0.3/test $> cert.view /mnt/z/temp/test2.1.cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            62:6d:a4:4f:0c:21:ec:a5:71:98:20:f7:34:10:3f:a7
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = DE, O = xxx, OU = xxx, CN = xxx
        Validity
            Not Before: Nov 12 09:16:31 2020 GMT
            Not After : Nov 13 09:16:31 2020 GMT
        Subject: CN = test_2.1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c9:c7:ba:a1:0b:f6:a2:57:3d:54:58:7f:43:ca:
                    f9:0f:e1:f5:7b:81:72:16:a6:1e:74:d5:49:d9:39:
                    05:83:85:8a:d5:48:e7:be:0b:13:e2:f6:c1:c8:47:
                    60:a8:26:5e:ec:46:f4:d4:1f:37:f0:34:44:9f:0d:
                    f7:91:53:2a:ab:bd:9a:5e:60:0b:f3:8e:bb:d2:87:
                    54:7d:6e:c5:98:63:e3:b6:47:80:8a:22:58:00:32:
                    4a:77:6e:97:9a:d4:4c:9b:bc:bc:5f:d3:46:89:3b:
                    e4:9a:04:af:54:71:6d:1f:24:1b:1a:cc:b7:c0:7c:
                    fa:31:58:c8:44:94:7c:89:9f:06:1b:ed:2f:21:5d:
                    6d:b4:c4:41:4c:53:5e:57:fb:aa:f2:04:73:cb:60:
                    f0:2c:cc:50:c9:3d:4f:cd:8a:42:08:d3:24:3c:ca:
                    86:4e:a9:8c:cf:ec:ca:9e:06:00:35:4b:a4:2b:43:
                    d4:09:cf:ac:80:18:48:4a:e8:57:16:fe:82:dd:d4:
                    d7:b8:38:7d:c2:3f:d2:ba:98:ff:47:85:82:57:16:
                    e5:3f:7c:04:49:52:dd:6d:6d:c7:41:f3:6f:2c:31:
                    13:18:f0:7e:5f:39:61:98:93:a5:2c:81:ff:5c:42:
                    da:c5:b3:65:83:71:ea:ec:9b:45:9a:24:67:3a:4c:
                    a3:af
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:test_2.1
            X509v3 Authority Key Identifier:
                keyid:4B:FD:6C:42:F9:B3:51:06
-----BEGIN CERTIFICATE-----
MIIDBzCCAqygAwIBAgIQYm2kTwwh7KVxmCD3NBA/pzAKBggqhkjOPQQDAjBaMQsw
CQYDVQQGEwJERTEeMBwGA1UEChMVTmV4dXMgVGVjaG5vbG9neSBHbWJIMQ4wDAYD
VQQLEwVTYWxlczEbMBkGA1UEAxMSTmV4dXMgSXNzdWluZyBDQSAxMB4XDTIwMTEx
MjA5MTYzMVoXDTIwMTExMzA5MTYzMVowEzERMA8GA1UEAwwIdGVzdF8yLjEwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJx7qhC/aiVz1UWH9DyvkP4fV7
gXIWph501UnZOQWDhYrVSOe+CxPi9sHIR2CoJl7sRvTUHzfwNESfDfeRUyqrvZpe
YAvzjrvSh1R9bsWYY+O2R4CKIlgAMkp3bpea1EybvLxf00aJO+SaBK9UcW0fJBsa
zLfAfPoxWMhElHyJnwYb7S8hXW20xEFMU15X+6ryBHPLYPAszFDJPU/NikII0yQ8
yoZOqYzP7MqeBgA1S6QrQ9QJz6yAGEhK6FcW/oLd1Ne4OH3CP9K6mP9HhYJXFuU/
fARJUt1tbcdB828sMRMY8H5fOWGYk6Usgf9cQtrFs2WDcersm0WaJGc6TKOvAgMB
AAGjgc8wgcwwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEwYDVR0RBAwwCoIIdGVzdF8y
LjEwEwYDVR0jBAwwCoAIS/1sQvmzUQYwCwYDVR0PBAQDAgWgMH4GA1UdHwR3MHUw
c6BxoG+GbWxkYXA6Ly9jbTgubG9jYWwvQ049TmV4dXMlMjBJc3N1aW5nJTIwQ0El
MjAxLGNuPWNybCxjbj1wa2ksZGM9bmV4dXMsZGM9bG9jYWw/Y2VydGlmaWNhdGVS
ZXZvY2F0aW9uTGlzdDtiaW5hcnkwCgYIKoZIzj0EAwIDSQAwRgIhAObRSVxDQdyp
rl0HY/wqYtsxW9MHj4NpeakInLZD60h5AiEAwwUhUpgSz75sSVUdqUBQjR34ZuhA
DnCefA9zwb95M9s=
-----END CERTIFICATE-----
```
The PEST says the following:
```
test:OUT[test/2.1]: Running test 'No credentials, No enroll' for the first time.
test:MSG: Running step '0'
test:MSG: Running step/enroll '0/1'
test:MSG: Command: ../pest -C /usr/share/ca-certificates/xxx -l https://xxx/est -O -o out/std/test-2.1/step-0/in-1 -b 2048 -u xxx:xxx-s /CN=test_2.1 simpleenroll
../pest:MSG: Parameters:
../pest:MSG: - ca_file =
../pest:MSG: - client_key = not defined
../pest:MSG: - client_pem = not defined
../pest:MSG: - creds =
../pest:MSG: - est_url = https://xxx/est
../pest:MSG: - est_proto =
../pest:MSG: - est_host =
../pest:MSG: - est_port = <8443>
../pest:MSG: - est_path = </pgwy/est>
../pest:MSG: - http_basic_username =
../pest:MSG: - http_basic_password =
../pest:MSG: - rsa_bits = <2048>
../pest:MSG: - subject = </CN=test_2.1>
../pest:MSG: - subject_alt = not defined
../pest:MSG: - change_subject = not defined
../pest:MSG: - change_subject_alt = not defined
../pest:MSG: - output_directory = <out/std/test-2.1/step-0/in-1>
../pest:MSG: - timestamp_prefix = not defined
../pest:MSG: - overwrite = <1>
../pest:MSG: Building a RSA key (2048 bits)
../pest:MSG: Writing file 'out/std/test-2.1/step-0/in-1/public.key' (application/pkcs8)
../pest:MSG: Writing file 'out/std/test-2.1/step-0/in-1/private.key' (application/pkcs8)
../pest:MSG: Building certificate signing request
../pest:MSG: Writing file 'out/std/test-2.1/step-0/in-1/request.csr' (application/pkcs10)
../pest:MSG: Pushing HTTP BASIC credentials
../pest:MSG: Performing EST request
../pest:MSG: Writing file 'out/std/test-2.1/step-0/in-1/response.pk7' (unknown type)
../pest:MSG: Writing file 'out/std/test-2.1/step-0/in-1/enroll-001.pem' (application/pkix-cert)
../pest:MSG: Writing file 'out/std/test-2.1/step-0/in-1/enroll-002.pem' (application/pkix-cert)
../pest:MSG: Writing file 'out/std/test-2.1/step-0/in-1/enroll-003.pem' (application/pkix-cert)
../pest:MSG: Writing file 'out/std/test-2.1/step-0/in-1/enroll-004.pem' (application/pkix-cert)
test:OUT[test/2.1]: WRITING STATUS: failed(Action simpleenroll using '', requesting '/CN=test_2.1' expected to fail, but worked instead)
test:MSG: Creating file 'out/std/test-2.1/status'
test:OUT[test/2.1]: TEST FAILED.
```
Why is it set to failed? Subject and SAN are set accordingly.