mpeylo / cmpossl

An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.
https://github.com/mpeylo/cmpossl/wiki

Option unknown option -user #147

Closed zentavr closed 6 years ago

zentavr commented 6 years ago

I'm trying to set up the CMP flow using EJBCA and cmpossl and cannot request the certificate from EJBCA.

The problem is the following:

zentavr@zentavr-mac:~/cmpossl/bin
2018-07-28 20:04:27 EEST $ ./openssl cmp -cmd ir \
>         -server ca.example.com:8080 \
>         -path ejbca/publicweb/cmp/rpcmp \
>         -srvcert /Users/zentavr/ngCA/NgICA.pem \
>         -user user4711 \
>         -pass zxcvbn \
>         -certout /Users/zentavr/ngCA/user4711.pem \
>         -cacertsout /Users/zentavr/ngCA/user4711-CA.pem \
>         -newkey /Users/zentavr/ngCA/user4711-Key.pem \
>         -keyfmt PEM \
>         -certfmt PEM \
>         -subject "/CN=user4711/O=Test Organization/C=DE"
CMP INFO: using OpenSSL configuration file '/Users/zentavr/cmpossl/ssl/openssl.cnf'
CMP INFO: no [cmp] section found in config file '/Users/zentavr/cmpossl/ssl/openssl.cnf'; will thus use just [default] and unnamed section if present
cmp: Option unknown option -user
cmp: Use -help for summary.

As a manual, I used these articles:

zentavr commented 6 years ago

I can guess that the options had been replaced with -ref and -secret, right?

zentavr commented 6 years ago

Specifying the -secret and -ref options fails with the following error:

zentavr@zentavr-mac:~/cmpossl/bin
2018-07-28 20:12:49 EEST $ ./openssl cmp -cmd ir \
>         -server ca.example.com:8080 \
>         -path ejbca/publicweb/cmp/riverpay \
>         -srvcert /Users/zentavr/ngCA/NgICA.pem \
>         -ref user4711 \
>         -secret pass:zxcvbn \
>         -certout /Users/zentavr/ngCA/user4711.pem \
>         -cacertsout /Users/zentavr/ngCA/user4711-CA.pem \
>         -newkey /Users/zentavr/ngCA/user4711-Key.pem \
>         -subject "/CN=user4711/O=Test Organization/C=DE"
CMP INFO: using OpenSSL configuration file '/Users/zentavr/cmpossl/ssl/openssl.cnf'
CMP INFO: no [cmp] section found in config file '/Users/zentavr/cmpossl/ssl/openssl.cnf'; will thus use just [default] and unnamed section if present
CMP INFO: sending ir
CMP INFO: got response
CMP ERROR: 360AA098:CMP routines:OSSL_CMP_MSG_check_received:missing protection:crypto/cmp/cmp_lib.c:1705:

DDvO commented 6 years ago

Hi, the -user option has been renamed to -ref. See also the -help output and the online doc of our project. Regards, David

zentavr commented 6 years ago

Hello @DDvO. I found the examples at cmp/doc/man1/cmp.pod.

I used

./openssl cmp -cmd ir \
>         -server ca.example.com:8080 \
>         -path ejbca/publicweb/cmp/riverpay \
>         -ref user4711 \
>         -secret pass:zxcvbn \
>         -recipient "/CN=RP VPN Certificate Authority/O=RPay/C=US" \
>         -certout /Users/zentavr/ngCA/user4711.pem \
>         -cacertsout /Users/zentavr/ngCA/user4711-CA.pem \
>         -newkey /Users/zentavr/ngCA/user4711-Key.pem \
>         -subject "/CN=user4711/O=Test Organization/C=DE"

throws me the error:

CMP INFO: using OpenSSL configuration file '/Users/zentavr/cmpossl/ssl/openssl.cnf'
CMP INFO: no [cmp] section found in config file '/Users/zentavr/cmpossl/ssl/openssl.cnf'; will thus use just [default] and unnamed section if present
CMP INFO: sending ir
CMP INFO: got response
CMP ERROR: 360AA098:CMP routines:OSSL_CMP_MSG_check_received:missing protection:crypto/cmp/cmp_lib.c:1705:

I wonder what the missing protection problem it reports means?

zentavr commented 6 years ago

At the EJBCA side the log tells me:

18:20:42,777 INFO  [org.ejbca.ui.web.protocol.CmpServlet] (default task-9) CMP message received from: ***.***.**.***, for CMP alias: riverpay
18:20:42,851 INFO  [org.ejbca.core.protocol.cmp.authentication.HMACAuthenticationModule] (default task-9) Authentication failed for message. Auth secret for CA=RP VPN Certificate Authority.
18:20:42,852 INFO  [org.ejbca.core.protocol.cmp.CrmfMessageHandler] (default task-9) Failed to verify message using both Global Shared Secret and CMP RA Authentication Secret
18:20:42,853 INFO  [org.ejbca.ui.web.protocol.CmpServlet] (default task-9) Sent a CMP response to: ***.***.***.***, process time 76.

zentavr commented 6 years ago

The EJBCA CMP alias is the following:

What I expect is that the client calls the openssl cmp script, gets its certificate and installs it where needed. No operator actions are needed.

zentavr commented 6 years ago

Probably the problem was in the CMP setup. I changed:

zentavr commented 6 years ago

Also, I removed the requirement for the email field to be present (I have no idea how I can pass the email field using an openssl cmp request) in the End Entity profile. Also, as Available Tokens I added the value User Generated.

zentavr commented 6 years ago

So, I was able to do Issue Request at last. Now I have another problem - how to perform Key Update Request. In order to do that I created the second CMP alias with CMP Response Protection: signature.

The client does:

zentavr@zentavr-mac:~/cmpossl/bin
2018-07-29 00:32:39 EEST $ ./openssl cmp -cmd kur \
>         -server ca.example.com:8080 \
>         -path ejbca/publicweb/cmp/riverpay-kur \
>         -certout /Users/zentavr/ngCA/user4712-updated.pem \
>         -newkey /Users/zentavr/ngCA/user4712-updated-Key.pem \
>         -cacertsout /Users/zentavr/ngCA/user4712-updated-CA.pem \
>         -cert /Users/zentavr/ngCA/user4712.pem \
>         -key /Users/zentavr/ngCA/user4712-Key.pem \
>         -trusted /Users/zentavr/ngCA/user4712-CA.pem
CMP INFO: using OpenSSL configuration file '/Users/zentavr/cmpossl/ssl/openssl.cnf'
CMP INFO: no [cmp] section found in config file '/Users/zentavr/cmpossl/ssl/openssl.cnf'; will thus use just [default] and unnamed section if present
CMP INFO: sending kur
CMP INFO: got response
CMP ERROR: 360AA098:CMP routines:OSSL_CMP_MSG_check_received:missing protection:crypto/cmp/cmp_lib.c:1705:

The server's log:

21:44:46,465 INFO  [org.ejbca.ui.web.protocol.CmpServlet] (default task-40) CMP message received from: 178.218.68.153, for CMP alias: riverpay-kur
21:44:46,532 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-40) 2018-07-28 21:44:46+00:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;**.**.**.**;;;;resource0=/ca/1976797132
21:44:46,560 INFO  [org.ejbca.core.protocol.cmp.authentication.EndEntityCertificateAuthenticationModule] (default task-40) Administrator CN=user4712,O=Test Organization,C=DE was not authorized to edit end entities with EndEntityProfile River Pay VPN Endpoint Entity Profile
21:44:46,561 INFO  [org.ejbca.core.protocol.cmp.CrmfKeyUpdateHandler] (default task-40) 'CN=user4712,O=Test Organization,C=DE' is not an authorized administrator.
21:44:46,566 INFO  [org.ejbca.ui.web.protocol.CmpServlet] (default task-40) Sent a CMP response to: **.**.**.**, process time 101.

zentavr commented 6 years ago

In order to do a key update request for myself, I created another CMP alias:

The request is the following:

cd /opt/cmpossl/bin
./openssl genrsa -out /Users/zentavr/ngCA/user4712-updated-Key.pem 4096
./openssl cmp -cmd kur \
        -server ca.example.com:8080 \
        -path ejbca/publicweb/cmp/riverpay-kur \
        -recipient "/CN=RP VPN Certificate Authority/O=River Pay/C=US" \
        -certout /Users/zentavr/ngCA/user4712-updated.pem \
        -newkey /Users/zentavr/ngCA/user4712-updated-Key.pem \
        -cacertsout /Users/zentavr/ngCA/user4712-updated-CA.pem \
        -cert /Users/zentavr/ngCA/user4712.pem \
        -key /Users/zentavr/ngCA/user4712-Key.pem \
        -trusted /Users/zentavr/ngCA/RPVPNCA.pem

DDvO commented 6 years ago

Part of your problems were due to the strange behavior of EJBCA that it tends not to protect negative responses. That's why we introduced the -unprotectederrors option as a workaround.

DDvO commented 6 years ago

You can specify an email address as part of the subject Distinguished Name, like this: -subject "/CN=test1/emailAddress=mail@test.com"

DDvO commented 6 years ago

Yet the recommended way is to set email addresses as Subject Alternative Names. To this end you can use the -reqexts option referring to a section in your OpenSSL config file typically called openssl.cnf, like this: -reqexts myexts

[myexts]
#basicConstraints = CA:FALSE
#keyUsage = critical, digitalSignature
#extendedKeyUsage = critical, clientAuth
#crlDistributionPoints = URI:http://192.168.3.20/myca.crl
subjectAltName = @alt_names

# section name must match the @alt_names reference above
[alt_names]
email.0 = mail@test.com
DNS.0 = localhost
IP.0 = 127.0.0.1
IP.1 = 192.168.1.1

DDvO commented 6 years ago

BTW, you can specify your cmp options pretty conveniently also within the config file, like this:

[cmp]
server = ca.example.com:8080
path =  ...
...
reqexts = myexts
unprotectederrors = 1

and then invoke for instance openssl cmp -section cmp -cmd kur (where -section cmp can be left out since this is the default).
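As an added example (not code from the cmpossl project or from the commenters), a small Python checker for the kind of config file described in the two comments above: it parses the OpenSSL-style `[section]` / `key = value` subset used there, flags any `@name` or `reqexts` reference whose section is not defined (an easy mistake when the SAN section is renamed), and reports `unprotectederrors = 1` so that the workaround for EJBCA's unprotected negative responses is a visible, deliberate choice rather than a forgotten default. The sample config is constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample in the style of the thread: the SAN section is
# deliberately named "[sans]" while subjectAltName refers to "@alt_names".
SAMPLE_CNF = """\
[cmp]
server = ca.example.com:8080
path = ejbca/publicweb/cmp/riverpay
reqexts = myexts
unprotectederrors = 1

[myexts]
#keyUsage = critical, digitalSignature
subjectAltName = @alt_names

[sans]
email.0 = mail@test.com
DNS.0 = localhost
"""


def parse_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of OpenSSL config syntax used here: [sections], key = value, # comments."""
    sections: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def lint_cmp_cnf(text: str) -> List[str]:
    """Return findings: dangling section references and the unprotected-errors relaxation."""
    cfg = parse_cnf(text)
    findings: List[str] = []
    for name, body in cfg.items():
        for key, value in body.items():
            if value.startswith("@") and value[1:] not in cfg:
                findings.append(f"[{name}] {key} refers to missing section [{value[1:]}]")
    cmp = cfg.get("cmp", {})
    if "reqexts" in cmp and cmp["reqexts"] not in cfg:
        findings.append(f"[cmp] reqexts refers to missing section [{cmp['reqexts']}]")
    if cmp.get("unprotectederrors") == "1":
        findings.append("[cmp] unprotectederrors = 1: unprotected error responses are accepted (EJBCA workaround)")
    return findings
```

Renaming `[sans]` to `[alt_names]` in the sample clears the dangling-reference finding; the `unprotectederrors` note stays as long as the workaround is enabled.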