mpeylo / cmpossl

An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.
https://github.com/mpeylo/cmpossl/wiki

When using the CMP client to apply for a certificate, how do I add a Content-Type field to the request that HttpRequester sends? #193

Closed gezhouyu closed 5 years ago

gezhouyu commented 5 years ago

How to set Content-Type when the cmp client sends a request whose Content-Type is application/pkixcmp in HttpRequester?

mpeylo commented 5 years ago

What do you aim to achieve? The HTTP content type should be set automatically.

If you feel it is not there, please provide a Wireshark trace and background how you invoked the CLI or API.

gezhouyu commented 5 years ago

I use the openssl cmp command to apply for a certificate from the CA. The returned result is 415. The CA log is as follows. How to set Content-Type when the Content-Type sent by the HttpRequester of the cmp client is not application/pkixcmp?

[root@dggphicprd08002 gezhouyu]# openssl cmp -cmd ir -server 10.243.21.73:8090 -path /minica/certreq/org-certreq/ -ref northcert.pem -secret pass:huawei@123 -recipient "/CN=openssl-cmp" -newkey northkey.pem -subject "/CN=MyName" -cacertsout trust.pem -certout cl_cert.pem
CMP INFO: using OpenSSL configuration file '/opt/openssl/../openssl-1.1.0j/openssl.cnf'
CMP INFO: no [cmp] section found in config file '/opt/openssl/../openssl-1.1.0j/openssl.cnf'; will thus use just [default] and unnamed section if present
Enter pass phrase for northkey.pem:
CMP INFO: sending ir
140401340024640:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=415
140401340024640:error:390B1091:CMP routines:OSSL_CMP_MSG_http_perform:failed to receive pkimessage:crypto/cmp/cmp_http.c:516:
140401340024640:error:390A1098:CMP routines:OSSL_CMP_exec_IR_ses:ip not received:crypto/cmp/cmp_ses.c:199:

CA logs: 2019-08-09 11:49:44.726 WARN 29911 --- [http-nio-8090-exec-8] .w.s.m.s.DefaultHandlerExceptionResolver : Resolved [org.sprin

mpeylo commented 5 years ago

Either the CA / CMP / HTTP server is not properly configured, or the CA / CMP / HTTP server does not comply with RFC 6712.

As that is not an issue with the client, there's nothing we could do. You need to direct the questions to the vendor / implementer of your CA.

DDvO commented 5 years ago

The Media Type application/pkixcmp is mandated by RFC 6712 section 3.4. Therefore the client always uses this when sending requests (while on responses it so far does not check the content type).
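The transport rules the thread refers to (RFC 6712: the request is a POST carrying a DER-encoded PKIMessage with Content-Type application/pkixcmp, and a compliant server answers 200 with the same media type) can be verified on a captured exchange. The following Python script is an added example, not cmpossl code and not from any commenter; the HTTP messages it checks are constructed by hand, the DER body is a placeholder rather than a real PKIMessage, and the host and path are the ones from the command above. Unlike the client described above, it also checks the Content-Type of responses, so a server that answers 415 or with a different media type is reported.

```python
# Added example (not cmpossl code): check a CMP-over-HTTP exchange against the
# RFC 6712 transport rules.  All messages are constructed for illustration.

CMP_MEDIA_TYPE = "application/pkixcmp"  # mandated by RFC 6712 for requests and responses

# Placeholder DER body: SEQUENCE { INTEGER 2 }.  A real PKIMessage is a much
# larger SEQUENCE; only the leading SEQUENCE tag (0x30) is checked here.
FAKE_PKIMESSAGE = b"\x30\x03\x02\x01\x02"


def parse_http_message(raw: bytes):
    """Split a raw HTTP/1.x message into (start line, header dict, body).

    Header names are lower-cased so lookups are case-insensitive, as HTTP requires.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in message")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_type(headers) -> str:
    """Media type without parameters, lower-cased, e.g. 'Application/PKIXCMP; q=1' -> 'application/pkixcmp'."""
    return headers.get("content-type", "").split(";", 1)[0].strip().lower()


def check_cmp_request(raw: bytes) -> list:
    """Return the RFC 6712 violations found in a client request (empty list means OK)."""
    start, headers, body = parse_http_message(raw)
    problems = []
    method = start.split(" ", 1)[0]
    if method != "POST":
        problems.append(f"method {method!r}, RFC 6712 requires POST")
    if media_type(headers) != CMP_MEDIA_TYPE:
        problems.append(f"Content-Type {headers.get('content-type')!r}, expected {CMP_MEDIA_TYPE}")
    if "content-length" in headers and int(headers["content-length"]) != len(body):
        problems.append("Content-Length does not match the body length")
    if not body or body[0] != 0x30:
        problems.append("body does not start with a DER SEQUENCE tag, so it cannot be a PKIMessage")
    return problems


def check_cmp_response(raw: bytes) -> list:
    """Return the problems found in a server response (empty list means OK).

    A 415 means the server rejects the mandated media type, i.e. it is
    misconfigured or not RFC 6712 compliant; the client cannot fix that.
    """
    start, headers, body = parse_http_message(raw)
    problems = []
    status = int(start.split(" ")[1])
    if status == 415:
        problems.append("415 Unsupported Media Type: server rejects application/pkixcmp "
                        "(server misconfigured or not RFC 6712 compliant)")
        return problems
    if status != 200:
        problems.append(f"status {status}, RFC 6712 expects 200 with a PKIMessage body")
        return problems
    if media_type(headers) != CMP_MEDIA_TYPE:
        problems.append(f"response Content-Type {headers.get('content-type')!r}, expected {CMP_MEDIA_TYPE}")
    if not body or body[0] != 0x30:
        problems.append("response body does not start with a DER SEQUENCE tag")
    return problems


def build_request(content_type: str, body: bytes = FAKE_PKIMESSAGE,
                  path: str = "/minica/certreq/org-certreq/") -> bytes:
    """Constructed request, shaped like what 'openssl cmp -server ... -path ...' sends."""
    head = (f"POST {path} HTTP/1.1\r\n"
            f"Host: 10.243.21.73:8090\r\n"
            f"Content-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


def build_response(status_line: str, content_type: str = None, body: bytes = b"") -> bytes:
    """Constructed server response; content_type=None omits the header."""
    head = status_line + "\r\n"
    if content_type is not None:
        head += f"Content-Type: {content_type}\r\n"
    head += f"Content-Length: {len(body)}\r\n\r\n"
    return head.encode("ascii") + body


if __name__ == "__main__":
    print("compliant request:", check_cmp_request(build_request(CMP_MEDIA_TYPE)))
    print("wrong media type:", check_cmp_request(build_request("application/octet-stream")))
    print("415 from server:", check_cmp_response(build_response("HTTP/1.1 415 Unsupported Media Type")))
    print("compliant response:", check_cmp_response(
        build_response("HTTP/1.1 200 OK", CMP_MEDIA_TYPE, FAKE_PKIMESSAGE)))
```

To use it on a real capture, feed the raw bytes of the POST and of the reply (for example exported from a Wireshark TCP stream) to check_cmp_request and check_cmp_response; an empty list from both means the transport side of the exchange is RFC 6712 compliant and any remaining error is in the CMP message itself.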

DDvO commented 5 years ago

BTW, you should have a closer look at the help output and/or the man page of the CMP CLI. Providing a cert file name for the -ref parameter makes little sense. You did not provide any root/server cert for authenticating responses of the server, which may be fine if it uses PBM instead or you can trust them for other reasons.