mpeylo / cmpossl

An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.
https://github.com/mpeylo/cmpossl/wiki

Error when Certificate Request has reqexts section with custom extension #200

Closed highercomve closed 4 years ago

highercomve commented 4 years ago

Hello,

First, thanks for all the good work inside this project. I'm learning about this topic for the first time, and maybe the problem is something I'm doing wrong. I will try to put in all the information needed in order to know whether it is that or an actual bug.

I'm trying to create a Certificate Request using custom extensions for the certificate.

This is what I have

openssl cmp -cmd cr -config cert.conf  -server $SERVER_IP -path ejbca/public/web/cmp/ra -srvcert ca.crt -ref $USER -secret $SECRET -certout cout-ra.pem -newkey nk-ra.pem -reqexts req_extensions

This is the configuration file

[cmp]
subject = /O=PantacorLtd/OU=PantahubDevices/CN=5de8175d@domain/serialNumber=5de8175d

[req_extensions]
1.3.6.1.4.1.54621.100.9 = DER:70726e3a3a3a646576696365733a2f3564653831373564643037336436306231646163386237630a

I added a new profile certificate that is used by the RA alias

Screenshot from 2019-12-05 12-25-51

Screenshot from 2019-12-05 12-23-32

And I always get this error

CMP INFO: using OpenSSL configuration file 'cert.conf'
CMP INFO: using default port 8080 for server
CMP INFO: sending cr
139917500898632:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=500,Reason=Internal Server Error
139917500898632:error:390B1091:CMP routines:OSSL_CMP_MSG_http_perform:failed to receive pkimessage:crypto/cmp/cmp_http.c:516:
139917500898632:error:3909F06F:CMP routines:OSSL_CMP_exec_CR_ses:cp not received:crypto/cmp/cmp_ses.c:199:
DDvO commented 4 years ago

Hi, thanks for your positive feedback and details on a potential bug.

From the output of the CMP client one can see that

Does everything go well when you leave out -reqexts req_extensions? This would indicate a bug on the server handling that extension. BTW, you could put at least part of the command-line options you mention above inside your cert.conf file such that you do not need to explicitly give them for each call of the openssl cmp client.

If the server does not accept the request extension the server should return a to-the-point CMP error message indicating the reason (which the client would print at least when you add the -unprotectederrors option since some CMP servers like EJBCA do not properly protect the error responses they send). The server should react with an unspecific HTTP-level error only in rather low-level error situations (such as: out of memory).

highercomve commented 4 years ago

Thanks for the super-fast response.

Without a doubt, the error seems to be on the EJBCA server: when I remove the -reqexts req_extensions it works perfectly.

Using -unprotectederrors gives me the same error.

I guess I should write about this on the EJBCA issue board :)

Thanks again and sorry for the confusion.
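An added check that is not part of the thread and not code from the cmpossl project: in an OpenSSL config, the `DER:` form of an arbitrary extension is hex-decoded and inserted verbatim as the extension's extnValue, so it must be a complete DER-encoded ASN.1 value (tag, length, content). The value posted in the [req_extensions] section above decodes to the raw text `prn:::devices:/5de8175dd073d60b1dac8b7c` followed by a newline, with no tag or length in front of it, which is worth ruling out on the client side before filing with EJBCA (DDvO's point stands either way: a server that cannot parse an extension should answer with a CMP error, not an HTTP 500). The script below parses one DER TLV, shows that the posted value does not pass, and builds a UTF8String encoding of the same text for a corrected config line. The choice of UTF8String is an assumption; the thread does not say which ASN.1 type the extension is meant to carry.

```python
"""Check whether an OpenSSL 'DER:' extension value is a complete DER TLV.

Added example for this page, not code from the cmpossl project or the
issue's participants. The hex value is the one posted in the issue; the
string type used for the corrected encoding (UTF8String) is an assumption.
"""

# Value copied from the [req_extensions] section posted in the issue.
POSTED_DER_HEX = (
    "70726e3a3a3a646576696365733a2f35646538313735646430373364363062316461"
    "63386237630a"
)

# UNIVERSAL tags for the two string types commonly used for values like this.
TAG_UTF8STRING = 0x0C
TAG_IA5STRING = 0x16


def parse_tlv(data: bytes):
    """Parse one DER TLV; return (tag, content, bytes_consumed) or raise ValueError.

    Single-byte tags only (enough for UNIVERSAL string types). Long-form
    lengths (X.690 8.1.3) are decoded and rejected if not minimal, since
    DER requires the shortest length encoding.
    """
    if len(data) < 2:
        raise ValueError("shorter than tag+length")
    tag = data[0]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag not supported")
    first = data[1]
    pos = 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length is not DER")
        if len(data) < pos + nbytes:
            raise ValueError("truncated length field")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        if length < 0x80 or data[pos] == 0:
            raise ValueError("non-minimal length encoding is not DER")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError(f"length {length} exceeds remaining {len(data) - pos} bytes")
    return tag, data[pos:end], end


def is_single_der_value(data: bytes) -> bool:
    """True iff data is exactly one well-formed DER TLV with no trailing bytes."""
    try:
        _, _, consumed = parse_tlv(data)
    except ValueError:
        return False
    return consumed == len(data)


def der_encode_length(length: int) -> bytes:
    """Encode a length in DER short form (< 0x80) or minimal long form."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_string(tag: int, text: str) -> bytes:
    """DER-encode text under a UNIVERSAL string tag (UTF8String or IA5String)."""
    if tag == TAG_IA5STRING and not text.isascii():
        raise ValueError("IA5String only allows ASCII")
    payload = text.encode("utf-8")
    return bytes([tag]) + der_encode_length(len(payload)) + payload


def config_line(oid: str, der: bytes) -> str:
    """Render an OpenSSL config line for an arbitrary extension given as DER."""
    return f"{oid} = DER:{der.hex()}"


if __name__ == "__main__":
    posted = bytes.fromhex(POSTED_DER_HEX)
    print("posted bytes decode to:", posted)
    print("posted value is one DER TLV:", is_single_der_value(posted))
    # Assumed fix: wrap the same text (without the trailing newline) as a UTF8String.
    fixed = der_string(TAG_UTF8STRING, posted.decode().rstrip("\n"))
    print(config_line("1.3.6.1.4.1.54621.100.9", fixed))
    print("fixed value is one DER TLV:", is_single_der_value(fixed))
```

The tag 0x70 at the start of the posted value is the letter "p"; read as DER it claims a length of 0x72 = 114 bytes while only 38 follow, so any parser on the server side fails on it. Rather than hand-encoding, OpenSSL can also produce the encoding from the config itself with the `ASN1:` form documented in x509v3_config(5), e.g. `1.3.6.1.4.1.54621.100.9 = ASN1:UTF8String:prn:::devices:/5de8175dd073d60b1dac8b7c`, which avoids the hex step entirely.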