killabytenow / pest

PEST and TEST RFC 7030 testing tools.

Test 2.1 fails for version 0.0.3 even though subject and SAN attribute are set correctly #2

Closed bensprin closed 3 years ago

bensprin commented 3 years ago

Wanted to get back to you regarding version 0.0.3 and testcase 2.1:

We got the following request via EST:

Signature verification successful
Description: Created Certificate Request
ID: 00bNbL1CEqvN+lJPAvV9gXtYpVY=
Time: 2020-11-12 10:16:31
Signed by: xxxx
Signer DN: xxxx
Signer serial number: 6ef36965ac1831f950c2cf068dd85e40
Log record:
certrequests.value:
1:
authorization: Basic bmV4dXM6bmV4dXM=,realm=""
cardserialnumber.unique: true
commonname.value: test_2.1
extension.subjectaltname.attributes.0.dnsname.value: test_2.1
publickeyinfo.value: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyce6oQv2olc9VFh/Q8r5D+H1e4FyFqYedNVJ2TkFg4WK1UjnvgsT4vbByEdgqCZe7Eb01B838DREnw33kVMqq72aXmAL84670odUfW7FmGPjtkeAiiJYADJKd26XmtRMm7y8X9NGiTvkmgSvVHFtHyQbGsy3wHz6MVjIRJR8iZ8GG+0vIV1ttMRBTFNeV/uq8gRzy2DwLMxQyT1PzYpCCNMkPMqGTqmMz+zKngYANUukK0PUCc+sgBhISuhXFv6C3dTXuDh9wj/Supj/R4WCVxblP3wESVLdbW3HQfNvLDETGPB+XzlhmJOlLIH/XELaxbNlg3Hq7JtFmiRnOkyjrwIDAQAB
clientversion: xxx
commoncontext.value:
procedureid.value: EST Registration and Enroll Procedure
procedureid.value: EST Registration and Enroll Procedure
transaction-id: EST-HbHAb+q+ItMALfmV

The certificate looks this way:

DEVL_VM (xxx) ~/pest/prebuild/pest-0.0.3/test $> cert.view /mnt/z/temp/test2.1.cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            62:6d:a4:4f:0c:21:ec:a5:71:98:20:f7:34:10:3f:a7
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = DE, O = xxx, OU = xxx, CN = xxx
        Validity
            Not Before: Nov 12 09:16:31 2020 GMT
            Not After : Nov 13 09:16:31 2020 GMT
        Subject: CN = test_2.1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c9:c7:ba:a1:0b:f6:a2:57:3d:54:58:7f:43:ca:
                    f9:0f:e1:f5:7b:81:72:16:a6:1e:74:d5:49:d9:39:
                    05:83:85:8a:d5:48:e7:be:0b:13:e2:f6:c1:c8:47:
                    60:a8:26:5e:ec:46:f4:d4:1f:37:f0:34:44:9f:0d:
                    f7:91:53:2a:ab:bd:9a:5e:60:0b:f3:8e:bb:d2:87:
                    54:7d:6e:c5:98:63:e3:b6:47:80:8a:22:58:00:32:
                    4a:77:6e:97:9a:d4:4c:9b:bc:bc:5f:d3:46:89:3b:
                    e4:9a:04:af:54:71:6d:1f:24:1b:1a:cc:b7:c0:7c:
                    fa:31:58:c8:44:94:7c:89:9f:06:1b:ed:2f:21:5d:
                    6d:b4:c4:41:4c:53:5e:57:fb:aa:f2:04:73:cb:60:
                    f0:2c:cc:50:c9:3d:4f:cd:8a:42:08:d3:24:3c:ca:
                    86:4e:a9:8c:cf:ec:ca:9e:06:00:35:4b:a4:2b:43:
                    d4:09:cf:ac:80:18:48:4a:e8:57:16:fe:82:dd:d4:
                    d7:b8:38:7d:c2:3f:d2:ba:98:ff:47:85:82:57:16:
                    e5:3f:7c:04:49:52:dd:6d:6d:c7:41:f3:6f:2c:31:
                    13:18:f0:7e:5f:39:61:98:93:a5:2c:81:ff:5c:42:
                    da:c5:b3:65:83:71:ea:ec:9b:45:9a:24:67:3a:4c:
                    a3:af
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:test_2.1
            X509v3 Authority Key Identifier:
                keyid:4B:FD:6C:42:F9:B3:51:06

            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap://xxx

    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:e6:d1:49:5c:43:41:dc:a9:ae:5d:07:63:fc:
         2a:62:db:31:5b:d3:07:8f:83:69:79:a9:08:9c:b6:43:eb:48:
         79:02:21:00:c3:05:21:52:98:12:cf:be:6c:49:55:1d:a9:40:
         50:8d:1d:f8:66:e8:40:0e:70:9e:7c:0f:73:c1:bf:79:33:db

-----BEGIN CERTIFICATE-----
MIIDBzCCAqygAwIBAgIQYm2kTwwh7KVxmCD3NBA/pzAKBggqhkjOPQQDAjBaMQsw
CQYDVQQGEwJERTEeMBwGA1UEChMVTmV4dXMgVGVjaG5vbG9neSBHbWJIMQ4wDAYD
VQQLEwVTYWxlczEbMBkGA1UEAxMSTmV4dXMgSXNzdWluZyBDQSAxMB4XDTIwMTEx
MjA5MTYzMVoXDTIwMTExMzA5MTYzMVowEzERMA8GA1UEAwwIdGVzdF8yLjEwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJx7qhC/aiVz1UWH9DyvkP4fV7
gXIWph501UnZOQWDhYrVSOe+CxPi9sHIR2CoJl7sRvTUHzfwNESfDfeRUyqrvZpe
YAvzjrvSh1R9bsWYY+O2R4CKIlgAMkp3bpea1EybvLxf00aJO+SaBK9UcW0fJBsa
zLfAfPoxWMhElHyJnwYb7S8hXW20xEFMU15X+6ryBHPLYPAszFDJPU/NikII0yQ8
yoZOqYzP7MqeBgA1S6QrQ9QJz6yAGEhK6FcW/oLd1Ne4OH3CP9K6mP9HhYJXFuU/
fARJUt1tbcdB828sMRMY8H5fOWGYk6Usgf9cQtrFs2WDcersm0WaJGc6TKOvAgMB
AAGjgc8wgcwwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEwYDVR0RBAwwCoIIdGVzdF8y
LjEwEwYDVR0jBAwwCoAIS/1sQvmzUQYwCwYDVR0PBAQDAgWgMH4GA1UdHwR3MHUw
c6BxoG+GbWxkYXA6Ly9jbTgubG9jYWwvQ049TmV4dXMlMjBJc3N1aW5nJTIwQ0El
MjAxLGNuPWNybCxjbj1wa2ksZGM9bmV4dXMsZGM9bG9jYWw/Y2VydGlmaWNhdGVS
ZXZvY2F0aW9uTGlzdDtiaW5hcnkwCgYIKoZIzj0EAwIDSQAwRgIhAObRSVxDQdyp
rl0HY/wqYtsxW9MHj4NpeakInLZD60h5AiEAwwUhUpgSz75sSVUdqUBQjR34ZuhA
DnCefA9zwb95M9s=
-----END CERTIFICATE-----

The PEST says the following:

test:OUT[test/2.1]: Running test 'No credentials, No enroll' for the first time.
test:MSG: Running step '0'
test:MSG: Running step/enroll '0/1'
test:MSG: Command: ../pest -C /usr/share/ca-certificates/xxx -l https://xxx/est -O -o out/std/test-2.1/step-0/in-1 -b 2048 -u xxx:xxx -s /CN=test_2.1 simpleenroll
../pest:MSG: Parameters:
../pest:MSG: - ca_file =
../pest:MSG: - client_key = not defined
../pest:MSG: - client_pem = not defined
../pest:MSG: - creds =
../pest:MSG: - est_url = https://xxx/est
../pest:MSG: - est_proto =
../pest:MSG: - est_host =
../pest:MSG: - est_port = <8443>
../pest:MSG: - est_path = </pgwy/est>
../pest:MSG: - http_basic_username =
../pest:MSG: - http_basic_password =
../pest:MSG: - rsa_bits = <2048>
../pest:MSG: - subject = </CN=test_2.1>
../pest:MSG: - subject_alt = not defined
../pest:MSG: - change_subject = not defined
../pest:MSG: - change_subject_alt = not defined
../pest:MSG: - output_directory = <out/std/test-2.1/step-0/in-1>
../pest:MSG: - timestamp_prefix = not defined
../pest:MSG: - overwrite = <1>
../pest:MSG: Building a RSA key (2048 bits)
../pest:MSG: Writing file 'out/std/test-2.1/step-0/in-1/public.key' (application/pkcs8)
../pest:MSG: Writing file 'out/std/test-2.1/step-0/in-1/private.key' (application/pkcs8)
../pest:MSG: Building certificate signing request
../pest:MSG: Writing file 'out/std/test-2.1/step-0/in-1/request.csr' (application/pkcs10)
../pest:MSG: Pushing HTTP BASIC credentials
../pest:MSG: Performing EST request
../pest:MSG: Writing file 'out/std/test-2.1/step-0/in-1/response.pk7' (unknown type)
../pest:MSG: Writing file 'out/std/test-2.1/step-0/in-1/enroll-001.pem' (application/pkix-cert)
../pest:MSG: Writing file 'out/std/test-2.1/step-0/in-1/enroll-002.pem' (application/pkix-cert)
../pest:MSG: Writing file 'out/std/test-2.1/step-0/in-1/enroll-003.pem' (application/pkix-cert)
../pest:MSG: Writing file 'out/std/test-2.1/step-0/in-1/enroll-004.pem' (application/pkix-cert)
test:OUT[test/2.1]: WRITING STATUS: failed(Action simpleenroll using '', requesting '/CN=test_2.1' expected to fail, but worked instead)
test:MSG: Creating file 'out/std/test-2.1/status'
test:OUT[test/2.1]: TEST FAILED.

Why is it set to failed? Subject and SAN are set accordingly.

killabytenow commented 3 years ago

It is not an issue with the enrollment protocol. It is an issue with the authentication.

Test case 2.1 is designed for checking that, by default, unauthenticated enrollments are not accepted.

Note that parameter 1/in requests an enrollment based on method /simpleenroll (parameter 1/action), and the enrollment operation presents a CSR asking for a certificate with the subject name /CN=test_2.1. Also note that this enrollment is performed without providing any authentication method (neither parameter creds nor cert, which you can observe in other tests):

[test 2.1]
title     = No credentials, No enroll
whitelist = # The EST server enrollment whitelist is void
            #    -- no enrollments are expected.

        # an enrollment without creds/certs is attempted
        #       it should fail
        1/action  = simpleenroll
        1/in      = \
                (/CN=test_2.1) # ask for a SN without presenting credentials
                               # nor authentication certificates.

Finally, the whitelist parameter is void, so no enrollments should be possible. Therefore this test is considered successful only if the EST server refuses this enrollment.

In your execution it seems that the EST server is recognizing that the enrollment is authorized. Maybe it is because the EST server considers that the XXXXX:XXXXX credentials are enough for authorizing this operation.
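As an added example (not code from the pest project or from either participant in this issue), the following stand-alone Python script checks the two facts the thread turns on: whether the subject CN and SAN of the issued certificate match what the EST server logged as requested, and whether the logged request carried an Authorization header at all. The certificate is the one posted in the issue; the server log record is a constructed three-line subset of the one posted above, with the Basic credential value replaced by a placeholder. The DER walker is deliberately minimal (single-byte tags, only the fields this certificate needs) and is not a general X.509 parser.

```python
# Added example, not part of the pest project: check an EST-issued
# certificate against the enrollment request the server logged.
import base64
import re

# Certificate posted in the issue (issued for test 2.1).
ISSUED_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDBzCCAqygAwIBAgIQYm2kTwwh7KVxmCD3NBA/pzAKBggqhkjOPQQDAjBaMQsw
CQYDVQQGEwJERTEeMBwGA1UEChMVTmV4dXMgVGVjaG5vbG9neSBHbWJIMQ4wDAYD
VQQLEwVTYWxlczEbMBkGA1UEAxMSTmV4dXMgSXNzdWluZyBDQSAxMB4XDTIwMTEx
MjA5MTYzMVoXDTIwMTExMzA5MTYzMVowEzERMA8GA1UEAwwIdGVzdF8yLjEwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJx7qhC/aiVz1UWH9DyvkP4fV7
gXIWph501UnZOQWDhYrVSOe+CxPi9sHIR2CoJl7sRvTUHzfwNESfDfeRUyqrvZpe
YAvzjrvSh1R9bsWYY+O2R4CKIlgAMkp3bpea1EybvLxf00aJO+SaBK9UcW0fJBsa
zLfAfPoxWMhElHyJnwYb7S8hXW20xEFMU15X+6ryBHPLYPAszFDJPU/NikII0yQ8
yoZOqYzP7MqeBgA1S6QrQ9QJz6yAGEhK6FcW/oLd1Ne4OH3CP9K6mP9HhYJXFuU/
fARJUt1tbcdB828sMRMY8H5fOWGYk6Usgf9cQtrFs2WDcersm0WaJGc6TKOvAgMB
AAGjgc8wgcwwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEwYDVR0RBAwwCoIIdGVzdF8y
LjEwEwYDVR0jBAwwCoAIS/1sQvmzUQYwCwYDVR0PBAQDAgWgMH4GA1UdHwR3MHUw
c6BxoG+GbWxkYXA6Ly9jbTgubG9jYWwvQ049TmV4dXMlMjBJc3N1aW5nJTIwQ0El
MjAxLGNuPWNybCxjbj1wa2ksZGM9bmV4dXMsZGM9bG9jYWw/Y2VydGlmaWNhdGVS
ZXZvY2F0aW9uTGlzdDtiaW5hcnkwCgYIKoZIzj0EAwIDSQAwRgIhAObRSVxDQdyp
rl0HY/wqYtsxW9MHj4NpeakInLZD60h5AiEAwwUhUpgSz75sSVUdqUBQjR34ZuhA
DnCefA9zwb95M9s=
-----END CERTIFICATE-----"""

# Constructed subset of the server log record from the issue; the Basic
# credential value is a placeholder, not the real header value.
SERVER_LOG_RECORD = """\
authorization: Basic PLACEHOLDER==,realm=""
commonname.value: test_2.1
extension.subjectaltname.attributes.0.dnsname.value: test_2.1
"""

OID_CN = bytes.fromhex("550403")   # id-at-commonName (2.5.4.3)
OID_SAN = bytes.fromhex("551d11")  # id-ce-subjectAltName (2.5.29.17)


def read_tlv(data, pos=0):
    """Decode one DER tag/length/value starting at pos (single-byte tags only)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def children(data):
    """All TLVs directly contained in a constructed value."""
    out, pos = [], 0
    while pos < len(data):
        tag, value, pos = read_tlv(data, pos)
        out.append((tag, value))
    return out


def subject_cn(name_der):
    """Name is SEQUENCE OF SET OF SEQUENCE { OID, value }; return the CN."""
    for _, rdn_set in children(name_der):
        for _, atv in children(rdn_set):
            (_, oid), (_, value) = children(atv)
            if oid == OID_CN:
                return value.decode("utf-8")
    return None


def san_dns_names(ext_seq_der):
    """dNSName entries ([2] IA5String, tag 0x82) of the SAN extension."""
    for _, ext in children(ext_seq_der):
        parts = children(ext)  # OID, optional critical BOOLEAN, OCTET STRING
        if parts[0][1] == OID_SAN:
            _, general_names, _ = read_tlv(parts[-1][1])
            return [v.decode("ascii") for t, v in children(general_names) if t == 0x82]
    return []


def parse_issued_cert(pem):
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, cert, _ = read_tlv(der)   # Certificate
    _, tbs, _ = read_tlv(cert)   # tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:     # explicit [0] version present (v3)
        fields = fields[1:]
    # remaining order: serial, sigAlg, issuer, validity, subject, spki, [3] extensions
    subject = fields[4][1]
    _, ext_seq, _ = read_tlv(next(v for t, v in fields if t == 0xA3))
    return {"cn": subject_cn(subject), "sans": san_dns_names(ext_seq)}


def parse_server_log(record):
    """Pull the requested CN/SAN and the auth scheme out of key: value log lines."""
    kv = dict(re.findall(r"^(\S+):\s*(.*)$", record, re.M))
    auth = kv.get("authorization")
    return {"cn": kv.get("commonname.value"),
            "san": kv.get("extension.subjectaltname.attributes.0.dnsname.value"),
            "auth_scheme": auth.split()[0] if auth else None}


def check_enrollment(pem, record):
    issued, requested = parse_issued_cert(pem), parse_server_log(record)
    return {
        "requested_cn": requested["cn"], "issued_cn": issued["cn"],
        "requested_san": requested["san"], "issued_sans": issued["sans"],
        "attributes_match": issued["cn"] == requested["cn"] and requested["san"] in issued["sans"],
        "auth_scheme": requested["auth_scheme"],
        "credentials_presented": requested["auth_scheme"] is not None,
    }


if __name__ == "__main__":
    for key, value in check_enrollment(ISSUED_CERT_PEM, SERVER_LOG_RECORD).items():
        print(f"{key:22} {value}")
```

On these inputs check_enrollment reports a matching CN and SAN (test_2.1 on both sides), which is the reporter's point about the attributes, and credentials_presented True with scheme Basic. That second result is what the maintainer's reply is about: the server saw an HTTP Basic credential on the request (the pest log above also prints "Pushing HTTP BASIC credentials"), so what the server accepted was an authenticated enrollment, not the credential-less one test 2.1 expects to be refused.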