mpeylo / cmpossl

An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.
https://github.com/mpeylo/cmpossl/wiki

Getting error : "certificate Subject Key Identifier does not match senderKID" #212

Closed bairathivivek closed 4 years ago

bairathivivek commented 4 years ago

Hi,

We are facing a strange issue in testing the cmpossl (latest version) client with our RSA certificate manager (RSA CM). The scenario that we are testing with is vendor cert based authentication. The ir is going with sender name as vendor cert and senderKID as vendor cert subject key identifier. The ip from server is coming as sender name as issuer CA name and senderKID as vendor cert subject key identifier. The RSA CA server is able to issue certificate.

Finally, at the cmpossl client it is failing with the following error:

    [root@centos7 cmp_test]# ./cmpclient.sh ir
    140646519150400:error:390730A1:CMP routines:find_srvcert:no valid server cert found:crypto/cmp/cmp_vfy.c:591:
    trying to match msg sender name = /C=IN/O=tst/OU=qa/CN=cmpca
    considering cert with subject = /C=IN/O=tst/OU=qa/CN=cmpca and issuer = /C=IN/O=tst/OU=qa/CN=cmpca
    certificate Subject Key Identifier does not match senderKID:
    actual = 75:20:C2:F2:CB:75:20:21:74:8B:CF:C0:3A:A6:55:58:C5:C9:15:5C
    expected = B0:2E:9F:EC:94:65:C5:07:EE:A2:7F:C5:71:FD:43:0D:C7:23:2B:8D
    considering cert with subject = /C=IN/O=tst/OU=qa/CN=cmpca and issuer = /C=IN/O=tst/OU=qa/CN=cmpca
    certificate Subject Key Identifier does not match senderKID:
    actual = 75:20:C2:F2:CB:75:20:21:74:8B:CF:C0:3A:A6:55:58:C5:C9:15:5C
    expected = B0:2E:9F:EC:94:65:C5:07:EE:A2:7F:C5:71:FD:43:0D:C7:23:2B:8D
    considering cert with subject = /C=IN/ST=KA/L=BN/O=Test1234/OU=System Test/CN=Test1234RootCaCert.com and issuer = /C=IN/ST=KA/L=BN/O=Test1234/OU=System Test/CN=Test1234RootCaCert.com
    certificate subject does not match sender:
    actual = /C=IN/ST=KA/L=BN/O=Test1234/OU=System Test/CN=Test1234RootCaCert.com
    expected = /C=IN/O=tst/OU=qa/CN=cmpca
    no current matching server cert found
    140646519150400:error:390BE0A0:CMP routines:OSSL_CMP_validate_msg:no suitable server cert:crypto/cmp/cmp_vfy.c:771:
    140646519150400:error:390AC08F:CMP routines:OSSL_CMP_MSG_check_received:error validating protection:crypto/cmp/cmp_lib.c:1547:
    [root@centos7 cmp_test]#

Please let me know whether it is some problem in the cmpossl code or with my RSA server being not RFC compliant. We have another cmpv2 code and the same thing is working there. Waiting for your earliest reply.

cmp.cnf:

    [root@centos7 cmp_test]# cat cmp.cnf
    [default]
    # vendor certificate dir
    vendorcertdir = cmp/vendorcerts
    # certificate dir
    certdir = cmp/certs
    # key dir
    keydir = cmp/certs
    # server info
    server = ejbca-ce-6-testvm:8080
    server = 10.1.26.116:449
    # server path
    path = cmp
    # client trusted operator root ca certificate
    trusted = $certdir/cmpca.pem,$vendorcertdir/Test1234RootCaCert.pem
    # CMS/CA CN name
    recipient = "/C=IN/O=tst/OU=qa/CN=cmpca"
    # client subject name
    subject = "/C=IN/O=tst/OU=qa/CN=vivek"
    # client old key
    key = $keydir/client_key.pem
    keypass = pass:Test12345
    # client new certificate
    certout = $certdir/client.crt
    # CMS/intermediate operator CA certificate
    cacertsout = $certdir/OperatorCA.pem
    # default cmp request
    cmd = ir
    unprotectederrors = 1
    # pre-registered data: IAK ref value for client authentication
    ref = interop
    # pre-registered data: IAK secret value for client authentication
    secret = pass:interop

    # cmp section
    [cmp]

    # initialization request
    [ir]
    # ir request
    cmd = ir
    # pre-registered data: IAK ref value for client authentication
    ref = interop
    # pre-registered data: IAK secret value for client authentication
    secret = pass:interop
    # client old certificate
    cert = $default::vendorcertdir/Test1234EnodeRootCert.pem
    # client old key
    key = $default::vendorcertdir/Test1234EnodeRootCertkey.pem
    keypass = pass:Test1234
    # client new key
    key = $default::vendorcertdir/Test1234EnodeRootCertkey.pem
    keypass = pass:Test1234
    newkey = $default::key
    keypass = pass:Test12345
    # client new certificate
    certout = $default::certout
    extracerts = $default::vendorcertdir/Test1234RootCaCert.pem
    extracertsout = $default::cacertsout

    # certificate renewal section
    [cr]
    # cr request
    cmd = cr
    # client old certificate
    cert = $default::certout
    # client old key
    key = $default::key
    keypass = pass:Test12345
    # client new key
    newkey = $default::key
    keypass = pass:Test12345
    # client new certificate
    certout = $default::certdir/client_newcert.crt
    certout = $default::certout

    # key update or certificate renewal section
    [kur]
    # KUR request
    cmd = kur
    # client old key
    key = $default::key
    keypass = pass:Test12345
    # client old certificate
    cert = $default::certout
    # client new key
    newkey = $default::keydir/client_key_new.pem
    keypass = pass:Test12345
    # client new certificate
    certout = cmp/certs/client_newcert.crt
    certout = $default::certdir/client_newcert.crt
    # client intermediate CA certificate
    extracerts = $default::cacertsout
    [root@centos7 cmp_test]#

Thanks, Vivek

DDvO commented 4 years ago

Hi Vivek,

this looks like our CA uses a wrong senderKID in the ir.

According to the client output:

trying to match msg sender name = /C=IN/O=tst/OU=qa/CN=cmpca
considering cert with subject = /C=IN/O=tst/OU=qa/CN=cmpca and issuer = /C=IN/O=tst/OU=qa/CN=cmpca
certificate Subject Key Identifier does not match senderKID:
actual = 75:20:C2:F2:CB:75:20:21:74:8B:CF:C0:3A:A6:55:58:C5:C9:15:5C
expected = B0:2E:9F:EC:94:65:C5:07:EE:A2:7F:C5:71:FD:43:0D:C7:23:2B:8D

the senderKID is B0:2E:9F:EC:94:65:C5:07:EE:A2:7F:C5:71:FD:43:0D:C7:23:2B:8D, while the cert being tried here has Subject Key Identifier = 75:20:C2:F2:CB:75:20:21:74:8B:CF:C0:3A:A6:55:58:C5:C9:15:5C.

It is strange (and not RFC compliant) that you wrote:

    The ip from server is coming as ... senderKID as vendor cert subject key identifier.

The senderKID in the response should be the Subject Key Identifier of the CA/server cert, not of the vendor/client cert.

    Please let me know whether it is some problem in the cmpossl code or with my RSA server being not RFC compliant.

From the data just commented apparently the server is doing wrong here.

    We have another cmpv2 code and the same thing is working there.

It could be that that code does not check if the senderKID is correct.

    Waiting for your earliest reply.

Please check the above comments and your server setup. Do my comments give sufficient hints to solve the issue? If not, please send the Subject Key Identifier of the cert the server uses for protecting the ir.

Best, David

bairathivivek commented 4 years ago

Hi David,

Thanks for the reply.

Below are my certificates and their subject key identifiers. Please let me know if I need to correct my RSA server config, as you have already mentioned that there is no issue on the cmpossl client side.

Vendor CA: Test1234RootCaCert.pem

    [root@centos7 vendorcerts]# openssl x509 -in Test1234RootCaCert.pem -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                a6:64:69:bc:d5:b7:d7:e3
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    8F:7E:4D:6F:1E:A1:A8:F0:AB:C1:C6:8B:AC:AA:34:38:09:1D:B9:D4
                X509v3 Authority Key Identifier:
                    keyid:8F:7E:4D:6F:1E:A1:A8:F0:AB:C1:C6:8B:AC:AA:34:38:09:1D:B9:D4
                    DirName:/C=IN/ST=KA/L=BN/O=Test1234/OU=System Test/CN=Test1234RootCaCert.com
                    serial:A6:64:69:BC:D5:B7:D7:E3
                X509v3 Basic Constraints:
                    CA:TRUE

Vendor Certificate: Test1234EnodeRootCert.pem

    [root@centos7 vendorcerts]# openssl x509 -in Test1234EnodeRootCert.pem -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 4666 (0x123a)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    B0:2E:9F:EC:94:65:C5:07:EE:A2:7F:C5:71:FD:43:0D:C7:23:2B:8D
                X509v3 Authority Key Identifier:
                    keyid:8F:7E:4D:6F:1E:A1:A8:F0:AB:C1:C6:8B:AC:AA:34:38:09:1D:B9:D4

Issuer CA: cmpca.pem

    [root@centos7 certs]# openssl x509 -in cmpca.pem -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                ec:27:3d:5e:15:80:ff:01:3a:ce:3d:ba:e9:91:9f:4a
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Certificate Sign, CRL Sign
                X509v3 Basic Constraints:
                    CA:TRUE
                X509v3 Subject Key Identifier:
                    75:20:C2:F2:CB:75:20:21:74:8B:CF:C0:3A:A6:55:58:C5:C9:15:5C
                X509v3 Authority Key Identifier:
                    keyid:75:20:C2:F2:CB:75:20:21:74:8B:CF:C0:3A:A6:55:58:C5:C9:15:5C

Waiting for your reply.

Thanks & Regards, Vivek

DDvO commented 4 years ago

Hi Vivek,

you are welcome. As I suspected, your cmpca.pem server certificate used for protecting the ir has Subject Key Identifier 75:20:C2:F2:CB:75:20:21:74:8B:CF:C0:3A:A6:55:58:C5:C9:15:5C. This is the value it should include in the message header as senderKID. Unfortunately RFC 4210 section 5.1.1 is a bit vague here:

 senderKID and recipKID are usable to indicate which keys have been
   used to protect the message (recipKID will normally only be required
   where protection of the message uses Diffie-Hellman (DH) keys).

Best, David

mpeylo commented 4 years ago

Hi,

To me, this other snippet from RFC 4210, section 5.1.1 makes it rather clear:

   The sender field contains the name of the sender of the PKIMessage.
   This name (in conjunction with senderKID, if supplied) should be
   sufficient to indicate the key to use to verify the protection on the
   message. 

The main intention of senderKID is to identify the correct certificate for a subject that has multiple certificates. It is optional as it might not be needed, e.g. if a subject's certificate may not be rekeyed, but if senderKID is there it of course must be correct.

It seems somehow as if the CMP server you use doesn't conform to the standard - it either puts a wrong senderKID, or it does not include the right CMP server certificate into extraCerts.

Can you figure out what the certificate that has "B0:2E:9F:EC:94:65:C5:07:EE:A2:7F:C5:71:FD:43:0D:C7:23:2B:8D" KID might be? If possible, I recommend using Wireshark to trace the messages so you can see whether that e.g. would be the KID of the issued certificate.

Is it every time the same senderKID or does it change for every request?

Cheers, Martin
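David's and Martin's explanations above describe the lookup the client performs when validating the protection of a response: it looks for a certificate whose subject equals the header's sender and, when senderKID is present, whose Subject Key Identifier equals it. The Python script below is an added example written for this page, not cmpossl code. It hand-encodes a PKIHeader skeleton in DER with a tiny encoder/decoder (pvno, sender, recipient and the [2] senderKID only; names reduced to a single CN attribute, which is a simplification), parses it back, and runs the check against a constructed candidate list (CANDIDATES) that stands in for the client's trusted certificates plus the extraCerts of the response, using the SKI values quoted in this issue. The function names build_header, parse_header and find_srvcert are this example's own.

```python
"""Model of the CMP server-certificate lookup discussed in this thread.

Added example, not cmpossl code: a PKIHeader skeleton is DER-encoded by hand,
decoded again, and the client's rule is applied: candidate subject == sender,
and if senderKID is present, candidate SKI == senderKID.
"""

OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)

# Constructed candidate list standing in for trusted certs plus extraCerts.
# The SKI values are the ones quoted in this issue.
CMPCA_SKI = bytes.fromhex("7520C2F2CB752021748BCFC03AA65558C5C9155C")
VENDOR_CA_SKI = bytes.fromhex("8F7E4D6F1EA1A8F0ABC1C68BACAA3438091DB9D4")
VENDOR_CERT_SKI = bytes.fromhex("B02E9FEC9465C507EEA27FC571FD430DC7232B8D")
CANDIDATES = [
    {"subject_cn": "cmpca", "ski": CMPCA_SKI},
    {"subject_cn": "Test1234RootCaCert.com", "ski": VENDOR_CA_SKI},
]


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def name_cn_only(cn):
    """Name ::= SEQUENCE OF RDN, simplified here to one CN attribute."""
    atv = tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))


def cn_of_name(name_der):
    """Return the CN attribute value of a DER Name, or None."""
    _, rdns, _ = read_tlv(name_der, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)      # SET of AttributeTypeAndValue
        _, atv, _ = read_tlv(rdn, 0)
        _, oid, nxt = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, nxt)
        if oid == OID_CN:
            return value.decode()
    return None


def build_header(sender_cn, recipient_cn, sender_kid=None):
    """PKIHeader skeleton (RFC 4210 5.1.1, EXPLICIT tagging); other optional
    fields such as messageTime and protectionAlg are left out."""
    body = tlv(0x02, b"\x02")                      # pvno = cmp2000
    body += tlv(0xA4, name_cn_only(sender_cn))     # sender: directoryName [4]
    body += tlv(0xA4, name_cn_only(recipient_cn))  # recipient: directoryName [4]
    if sender_kid is not None:
        body += tlv(0xA2, tlv(0x04, sender_kid))   # senderKID [2] OCTET STRING
    return tlv(0x30, body)


def parse_header(header_der):
    """Extract pvno, sender CN, recipient CN and senderKID from a PKIHeader."""
    _, body, _ = read_tlv(header_der, 0)
    fields, pos = {}, 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x02:
            fields["pvno"] = int.from_bytes(val, "big")
        elif tag == 0xA4:  # first [4] is the sender, the second the recipient
            fields["sender" if "sender" not in fields else "recipient"] = cn_of_name(val)
        elif tag == 0xA2:
            _, kid, _ = read_tlv(val, 0)           # unwrap the explicit tag
            fields["senderKID"] = kid
    return fields


def hexcolon(b):
    return ":".join(f"{x:02X}" for x in b)


def find_srvcert(header, candidates):
    """Return (matching cert or None, diagnostics) the way the client reasons."""
    log = [f"trying to match msg sender name = CN={header['sender']}"]
    kid = header.get("senderKID")
    for cert in candidates:
        log.append(f"considering cert with subject = CN={cert['subject_cn']}")
        if cert["subject_cn"] != header["sender"]:
            log.append("certificate subject does not match sender")
            continue
        if kid is not None and cert["ski"] != kid:
            log.append("certificate Subject Key Identifier does not match senderKID: "
                       f"actual = {hexcolon(cert['ski'])} expected = {hexcolon(kid)}")
            continue
        return cert, log
    log.append("no current matching server cert found")
    return None, log


if __name__ == "__main__":
    # Header as the RSA CMS sent it: sender = cmpca, senderKID = vendor cert SKI.
    bad = parse_header(build_header("cmpca", "Test1234EnodeRootCert.com", VENDOR_CERT_SKI))
    print("\n".join(find_srvcert(bad, CANDIDATES)[1]))
    # Header as it should be: senderKID = SKI of cmpca.pem.
    good = parse_header(build_header("cmpca", "Test1234EnodeRootCert.com", CMPCA_SKI))
    print("matched:", find_srvcert(good, CANDIDATES)[0]["subject_cn"])
```

Run as-is, the script first reproduces the failure from this thread (senderKID equal to the vendor cert's SKI, so no candidate matches) and then shows the same header with senderKID set to the SKI of cmpca.pem matching. A header without senderKID is matched on the sender name alone, which is why a server that omits the field interoperates while one that fills it with the wrong value does not.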

DDvO commented 4 years ago

Rather than using Wireshark one can also simply use the -rspout option to dump the response(s) into file(s) and then use dumpasn1 or openssl asn1parse for viewing.

bairathivivek commented 4 years ago

Hi Martin,

Thanks for the reply.

    Hi,

    To me, this other snippet from RFC 4210, section 5.1.1 makes it rather clear:

        The sender field contains the name of the sender of the PKIMessage.
        This name (in conjunction with senderKID, if supplied) should be
        sufficient to indicate the key to use to verify the protection on the
        message.

Yes, I was also referring to the same snippet from the RFC in my first comment.

    The main intention of senderKID is to identify the correct certificate for a subject that has multiple certificates. It is optional as it might not be needed, e.g. if a subject's certificate may not be rekeyed, but if senderKID is there it of course must be correct.

    It seems somehow as if the CMP server you use doesn't conform to the standard - it either puts a wrong senderKID, or it does not include the right CMP server certificate into extraCerts.

    Can you figure out what the certificate that has "B0:2E:9F:EC:94:65:C5:07:EE:A2:7F:C5:71:FD:43:0D:C7:23:2B:8D" KID might be? If possible, I recommend using Wireshark to trace the messages so you can see whether that e.g. would be the KID of the issued certificate.

Yes, so my RSA server issuer is CN=cmpca and in the "ip" the RSA server is sending its CA cert in extracerts and its name in the sender field. But as senderKID it is sending "B0:2E:9F:EC:94:65:C5:07:EE:A2:7F:C5:71:FD:43:0D:C7:23:2B:8D", which actually is the subject key identifier of the local vendor cert (as shown below). Here's my topology and configuration:

    CMPOSSL Client -------------------ir----------------> RSA CMS
    CMPOSSL Client <-------------------ip--------------- RSA CMS

    CMPOSSL Client (Pre-installed with Vendor Root CA, Local Vendor cert and Issuer CA)
    RSA CMS (Pre-installed with Vendor Root CA and configured with Issuer CA whose CN=cmpca)

Vendor Certificate: Test1234EnodeRootCert.pem

    [root@centos7 vendorcerts]# openssl x509 -in Test1234EnodeRootCert.pem -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 4666 (0x123a)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    B0:2E:9F:EC:94:65:C5:07:EE:A2:7F:C5:71:FD:43:0D:C7:23:2B:8D
                X509v3 Authority Key Identifier:
                    keyid:8F:7E:4D:6F:1E:A1:A8:F0:AB:C1:C6:8B:AC:AA:34:38:09:1D:B9:D4

    Is it every time the same senderKID or does it change for every request?

Not sure; I have tried with only a single local vendor cert and it is sending the same senderKID back.

    Cheers, Martin

Thanks, Vivek

bairathivivek commented 4 years ago

    Rather than using Wireshark one can also simply use the -rspout option to dump the response(s) into file(s) and then use dumpasn1 or openssl asn1parse for viewing.

Hi David,

Thanks for the reply.

I added the config below and generated the rspout file by running ir, but I am not able to parse it using the given commands, so I cannot provide it here.

Options added in the cmp.cnf file:

    reqout = ir_request.txt
    rspout = ip_response.txt

    [root@centos7 cmp_test]# openssl asn1parse -in ir_request.txt
    Error: offset too large
    [root@centos7 cmp_test]# openssl asn1parse -in ip_response.txt
    Error: offset too large
    [root@centos7 cmp_test]#

Thanks & Regards, Vivek

DDvO commented 4 years ago

Hi Vivek,

the output format of the -reqout and -rspout options is not PEM (text), but DER encoded (binary). So you need to provide openssl asn1parse with the additional option -inform der.

Yet the output of openssl asn1parse is not as well readable as of dumpasn1, which can be installed, e.g., as a Debian package of the same name or compiled from its source file at https://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c.

HTH, David

bairathivivek commented 4 years ago

Hi David,

Thanks for the reply, now I am able to decode the reqout and rspout. Please see the output below, produced using dumpasn1:

reqout: ir_request.der:

[root@centos7 cmp_test]# ./dumpasn1 ir_request.der Cannot open config file 'dumpasn1.cfg', which should be in the same directory as the dumpasn1 program, a standard system directory, or in a location pointed to by the DUMPASN1_PATH environment variable. Operation will continue without the ability to display Object Identifier information. ~ If the config file is located elsewhere, you can set the environment 516,10 Bot variable DUMPASN1_PATH to the path to the file. 0 2201: SEQUENCE { 4 279: SEQUENCE { 8 1: INTEGER 2 11 116: [4] { 13 114: SEQUENCE { 15 11: SET { 17 9: SEQUENCE { 19 3: OBJECT IDENTIFIER '2 5 4 6' 24 2: PrintableString 'IN' : } : } 28 11: SET { 30 9: SEQUENCE { 32 3: OBJECT IDENTIFIER '2 5 4 8' 37 2: PrintableString 'KA' : } : } 41 11: SET { 43 9: SEQUENCE { 45 3: OBJECT IDENTIFIER '2 5 4 7' 50 2: PrintableString 'BN' : } : } 54 16: SET { 56 14: SEQUENCE { 58 3: OBJECT IDENTIFIER '2 5 4 10' 63 7: PrintableString 'Test1234' : } : } 72 20: SET { 74 18: SEQUENCE { 76 3: OBJECT IDENTIFIER '2 5 4 11' 81 11: PrintableString 'System Test' : } : } 94 33: SET { 96 31: SEQUENCE { 98 3: OBJECT IDENTIFIER '2 5 4 3' 103 24: PrintableString 'Test1234EnodeRootCert.com' : } : } : } : } 129 58: [4] { 131 56: SEQUENCE { 133 11: SET { 135 9: SEQUENCE { 137 3: OBJECT IDENTIFIER '2 5 4 6' 142 2: PrintableString 'IN' : } : } 146 12: SET { 148 10: SEQUENCE { 150 3: OBJECT IDENTIFIER '2 5 4 10' 155 3: UTF8String 'tst' : } : } 160 11: SET { 162 9: SEQUENCE { 164 3: OBJECT IDENTIFIER '2 5 4 11' 169 2: UTF8String 'qa' : } : } 173 14: SET { 175 12: SEQUENCE { 177 3: OBJECT IDENTIFIER '2 5 4 3' 182 5: UTF8String 'cmpca' : } : } : } : } 189 17: [0] { 191 15: GeneralizedTime 27/06/2020 09:31:55 GMT : } 208 13: [1] { 210 11: SEQUENCE { 212 9: OBJECT IDENTIFIER '1 2 840 113549 1 1 11' : } : } 223 22: [2] { 225 20: OCTET STRING B0 2E 9F EC 94 65 C5 07 EE A2 7F C5 71 FD 43 0D C7 23 2B 8D : } 247 18: [4] { 249 16: OCTET STRING 17 CD 79 5C 27 DC B4 E8 C7 69 88 4E DE C0 A5 80 : } 267 18: 
[5] { 269 16: OCTET STRING 0A 85 54 19 BD 4B A9 A6 0B 6C E5 78 9A D3 9B 0B : } : } 287 653: [0] { 291 649: SEQUENCE { 295 645: SEQUENCE { 299 361: SEQUENCE { 303 1: INTEGER 0 306 354: SEQUENCE { 310 58: [5] { 312 56: SEQUENCE { 314 11: SET { 316 9: SEQUENCE { 318 3: OBJECT IDENTIFIER '2 5 4 6' 323 2: PrintableString 'IN' : } : } 327 12: SET { 329 10: SEQUENCE { 331 3: OBJECT IDENTIFIER '2 5 4 10' 336 3: UTF8String 'tst' : } : } 341 11: SET { 343 9: SEQUENCE { 345 3: OBJECT IDENTIFIER '2 5 4 11' 350 2: UTF8String 'qa' : } : } 354 14: SET { 356 12: SEQUENCE { 358 3: OBJECT IDENTIFIER '2 5 4 3' 363 5: UTF8String 'vivek' : } : } : } : } 370 290: [6] { 374 13: SEQUENCE { 376 9: OBJECT IDENTIFIER '1 2 840 113549 1 1 1' 387 0: NULL : } 389 271: BIT STRING, encapsulates { 394 266: SEQUENCE { 398 257: INTEGER : 00 BD 15 05 75 F3 69 36 CE 40 B4 F8 F0 81 CE 1C : 6C 1E 28 C3 9B CD D5 EC 8F A9 2D D3 C0 E2 EE F7 : FE 8E 85 5B 2A 41 64 72 D8 51 A1 D5 ED 51 10 99 : B1 CE 1D E7 EC BD 65 CD 74 40 10 49 8A 4D 21 9E : A5 70 1C 33 86 D7 48 D9 37 BC 89 A3 83 98 6C BB : F0 46 C4 C4 B8 2F 4A C7 99 54 7A D2 1B 2E DC EC : 53 8A 68 4B F4 05 91 29 61 8E 2C E3 AA 1F A1 CA : 4B 89 8A FA EC 85 4C 19 6A 65 AD AA 2B C8 20 35 : [ Another 129 bytes skipped ] 659 3: INTEGER 65537 : } : } : } : } : } 664 276: [1] { 668 13: SEQUENCE { 670 9: OBJECT IDENTIFIER '1 2 840 113549 1 1 11' 681 0: NULL : } 683 257: BIT STRING : 64 E0 28 9A 73 7F 68 C3 0D 5F FE 62 D4 3B 5A 66 : 73 C3 4F 7A 5E 51 7F 29 27 E4 E3 FD CA 93 F0 29 : E7 6A F4 E1 29 AB 32 79 88 38 98 25 0E 64 ED BE : 61 0D D6 C1 1D 8D 2C 80 A8 DE 57 54 36 14 40 B4 : 06 AC 12 B2 7A A8 5C 87 3D 00 02 40 73 57 DF 6B : 6B 99 58 34 54 47 87 E9 ED 70 7A 1B 03 D0 29 BE : C4 BD 50 FA 22 84 07 DA 1B 52 A0 CE 2F A7 BA DC : 65 93 D4 29 E3 02 E2 4E D4 5D C3 26 12 09 D9 56 : [ Another 128 bytes skipped ] : } : } : } : } 944 261: [0] { 948 257: BIT STRING : 3A 11 D1 EE 00 A4 28 65 08 73 3E BB DC FC 2A 08 : 62 C0 1F 8E 4E FF 1A B6 D3 46 D6 E5 0A 99 2D 47 : ED BB 56 
E5 F6 B7 25 83 C8 F1 9B 59 89 3C 1C B4 : 76 04 F3 1F 8D 22 60 CC 97 09 96 3C BA 25 71 91 : 14 DF A7 2D 60 E3 AF A4 8B 84 24 01 64 12 D4 DA : 40 1C 69 5B 04 37 E4 DF 5B B7 58 6B 51 C8 58 D0 : 37 86 B0 43 EF A7 99 2B BE 21 32 2A 59 82 78 40 : 04 37 BD 76 7E 0C DB BD C0 F1 B8 DD F7 31 2D 43 : [ Another 128 bytes skipped ] : } 1209 992: [1] { 1213 988: SEQUENCE { 1217 984: SEQUENCE { 1221 704: SEQUENCE { 1225 3: [0] { 1227 1: INTEGER 2 : } 1230 2: INTEGER 4666 1234 13: SEQUENCE { 1236 9: OBJECT IDENTIFIER '1 2 840 113549 1 1 5' 1247 0: NULL : } 1249 111: SEQUENCE { 1251 11: SET { 1253 9: SEQUENCE { 1255 3: OBJECT IDENTIFIER '2 5 4 6' 1260 2: PrintableString 'IN' : } : } 1264 11: SET { 1266 9: SEQUENCE { 1268 3: OBJECT IDENTIFIER '2 5 4 8' 1273 2: PrintableString 'KA' : } : } 1277 11: SET { 1279 9: SEQUENCE { 1281 3: OBJECT IDENTIFIER '2 5 4 7' 1286 2: PrintableString 'BN' : } : } 1290 16: SET { 1292 14: SEQUENCE { 1294 3: OBJECT IDENTIFIER '2 5 4 10' 1299 7: PrintableString 'Test1234' : } : } 1308 20: SET { 1310 18: SEQUENCE { 1312 3: OBJECT IDENTIFIER '2 5 4 11' 1317 11: PrintableString 'System Test' : } : } 1330 30: SET { 1332 28: SEQUENCE { 1334 3: OBJECT IDENTIFIER '2 5 4 3' 1339 21: PrintableString 'Test1234RootCaCert.com' : } : } : } 1362 30: SEQUENCE { 1364 13: UTCTime 27/02/2020 20:56:56 GMT 1379 13: UTCTime 15/07/2047 20:56:56 GMT : } 1394 114: SEQUENCE { 1396 11: SET { 1398 9: SEQUENCE { 1400 3: OBJECT IDENTIFIER '2 5 4 6' 1405 2: PrintableString 'IN' : } : } 1409 11: SET { 1411 9: SEQUENCE { 1413 3: OBJECT IDENTIFIER '2 5 4 8' 1418 2: PrintableString 'KA' : } : } 1422 11: SET { 1424 9: SEQUENCE { 1426 3: OBJECT IDENTIFIER '2 5 4 7' 1431 2: PrintableString 'BN' : } : } 1435 16: SET { 1437 14: SEQUENCE { 1439 3: OBJECT IDENTIFIER '2 5 4 10' 1444 7: PrintableString 'Test1234' : } : } 1453 20: SET { 1455 18: SEQUENCE { 1457 3: OBJECT IDENTIFIER '2 5 4 11' 1462 11: PrintableString 'System Test' : } : } 1475 33: SET { 1477 31: SEQUENCE { 1479 3: OBJECT IDENTIFIER 
'2 5 4 3' 1484 24: PrintableString 'Test1234EnodeRootCert.com' : } : } : } 1510 290: SEQUENCE { 1514 13: SEQUENCE { 1516 9: OBJECT IDENTIFIER '1 2 840 113549 1 1 1' 1527 0: NULL : } 1529 271: BIT STRING, encapsulates { 1534 266: SEQUENCE { 1538 257: INTEGER : 00 AD 29 2A 73 AB 49 B2 78 59 52 DB 84 D6 66 13 : 4B 76 54 A2 A5 1A FE 30 E2 81 3C DC 2B 98 5C DF : DB 52 35 E5 D9 55 D1 E7 2B E8 A4 40 0F 74 60 20 : 00 39 B6 F6 D9 22 53 94 34 6A 60 34 58 A9 AB E5 : 47 37 EC 34 8A 27 5E 99 E9 9E 12 88 48 2D 11 42 : 4C 6E CD 89 C9 48 70 02 C0 52 98 A2 77 B9 42 85 : 38 4D FA C9 24 2C F0 D5 65 38 70 AB 45 23 7D EF : 74 E1 6D 04 D0 95 5E 46 46 0F 86 D2 24 61 A8 F5 : [ Another 129 bytes skipped ] 1799 3: INTEGER 65537 : } : } : } 1804 123: [3] { 1806 121: SEQUENCE { 1808 9: SEQUENCE { 1810 3: OBJECT IDENTIFIER '2 5 29 19' 1815 2: OCTET STRING, encapsulates { 1817 0: SEQUENCE {} : } : } 1819 44: SEQUENCE { 1821 9: OBJECT IDENTIFIER '2 16 840 1 113730 1 13' 1832 31: OCTET STRING, encapsulates { 1834 29: IA5String 'OpenSSL Generated Certificate' : } : } 1865 29: SEQUENCE { 1867 3: OBJECT IDENTIFIER '2 5 29 14' 1872 22: OCTET STRING, encapsulates { 1874 20: OCTET STRING : B0 2E 9F EC 94 65 C5 07 EE A2 7F C5 71 FD 43 0D : C7 23 2B 8D : } : } 1896 31: SEQUENCE { 1898 3: OBJECT IDENTIFIER '2 5 29 35' 1903 24: OCTET STRING, encapsulates { 1905 22: SEQUENCE { 1907 20: [0] : 8F 7E 4D 6F 1E A1 A8 F0 AB C1 C6 8B AC AA 34 38 : 09 1D B9 D4 : } : } : } : } : } : } 1929 13: SEQUENCE { 1931 9: OBJECT IDENTIFIER '1 2 840 113549 1 1 5' 1942 0: NULL : } 1944 257: BIT STRING : 7A 5A 93 37 6B B0 EA 67 E1 9B 82 F7 E1 72 AA 32 : BF FF 1C 31 AD AD 7F F7 98 62 27 F7 EC AD 1D A0 : F4 F6 22 CC 3E B2 68 BE 16 8C CC 28 64 75 6D DA : AE AF 1D 9E 7D 3A 73 A8 BF A7 0F 81 C1 53 6E 28 : 36 4C BA 52 34 D3 41 B4 C0 6E 09 71 42 FC 15 7D : 52 3B 3B 13 0C C8 2D 9E 32 D9 5C E4 D3 1D 14 68 : 88 07 24 8E 6B BB E0 FF 9C 21 AA 1E 58 CF 50 FE : 02 DD 12 B7 61 22 04 B6 91 47 B9 D3 06 F5 7D BD : [ Another 128 bytes skipped ] : 
} : } : } : }

0 warnings, 0 errors.

rspout: ip_response.der:

[root@centos7 cmp_test]# ./dumpasn1 ip_response.der Cannot open config file 'dumpasn1.cfg', which should be in the same directory as the dumpasn1 program, a standard system directory, or in a location pointed to by the DUMPASN1_PATH environment variable. Operation will continue without the ability to display Object Identifier information.

If the config file is located elsewhere, you can set the environment variable DUMPASN1_PATH to the path to the file. 0 2322: SEQUENCE { 4 301: SEQUENCE { 8 1: INTEGER 2 11 58: [4] { 13 56: SEQUENCE { 15 11: SET { 17 9: SEQUENCE { 19 3: OBJECT IDENTIFIER '2 5 4 6' 24 2: PrintableString 'IN' : } : } 28 12: SET { 30 10: SEQUENCE { 32 3: OBJECT IDENTIFIER '2 5 4 10' 37 3: UTF8String 'tst' : } : } 42 11: SET { 44 9: SEQUENCE { 46 3: OBJECT IDENTIFIER '2 5 4 11' 51 2: UTF8String 'qa' : } : } 55 14: SET { 57 12: SEQUENCE { 59 3: OBJECT IDENTIFIER '2 5 4 3' 64 5: UTF8String 'cmpca' : } : } : } : } 71 116: [4] { 73 114: SEQUENCE { 75 11: SET { 77 9: SEQUENCE { 79 3: OBJECT IDENTIFIER '2 5 4 6' 84 2: PrintableString 'IN' : } : } 88 11: SET { 90 9: SEQUENCE { 92 3: OBJECT IDENTIFIER '2 5 4 8' 97 2: PrintableString 'KA' : } : } 101 11: SET { 103 9: SEQUENCE { 105 3: OBJECT IDENTIFIER '2 5 4 7' 110 2: PrintableString 'BN' : } : } 114 16: SET { 116 14: SEQUENCE { 118 3: OBJECT IDENTIFIER '2 5 4 10' 123 7: PrintableString 'Test1234' : } : } 132 20: SET { 134 18: SEQUENCE { 136 3: OBJECT IDENTIFIER '2 5 4 11' 141 11: PrintableString 'System Test' : } : } 154 33: SET { 156 31: SEQUENCE { 158 3: OBJECT IDENTIFIER '2 5 4 3' 163 24: PrintableString 'Test1234EnodeRootCert.com' : } : } : } : } 189 17: [0] { 191 15: GeneralizedTime 27/06/2020 09:15:02 GMT : } 208 15: [1] { 210 13: SEQUENCE { 212 9: OBJECT IDENTIFIER '1 2 840 113549 1 1 11' 223 0: NULL : } : } 225 22: [2] { 227 20: OCTET STRING B0 2E 9F EC 94 65 C5 07 EE A2 7F C5 71 FD 43 0D C7 23 2B 8D : } 249 18: [4] { 251 16: OCTET STRING 17 CD 79 5C 27 DC B4 E8 C7 69 88 4E DE C0 A5 80 : } 269 18: [5] { 271 16: OCTET STRING A3 5A 73 65 6B 20 D1 5E 35 C3 4C 1A 21 3A 4D 02 : } 289 18: [6] { 291 16: OCTET STRING 0A 85 54 19 BD 4B A9 A6 0B 6C E5 78 9A D3 9B 0B : } : } 309 1268: [1] { 313 1264: SEQUENCE { 317 606: [1] { 321 602: SEQUENCE { 325 598: SEQUENCE { 329 447: SEQUENCE { 333 3: [0] { 335 1: INTEGER 2 : } 338 17: INTEGER 00 EC 27 3D 
5E 15 80 FF 01 3A CE 3D BA E9 91 9F 4A 357 13: SEQUENCE { 359 9: OBJECT IDENTIFIER '1 2 840 113549 1 1 11' 370 0: NULL : } 372 56: SEQUENCE { 374 11: SET { 376 9: SEQUENCE { 378 3: OBJECT IDENTIFIER '2 5 4 6' 383 2: PrintableString 'IN' : } : } 387 12: SET { 389 10: SEQUENCE { 391 3: OBJECT IDENTIFIER '2 5 4 10' 396 3: PrintableString 'tst' : } : } 401 11: SET { 403 9: SEQUENCE { 405 3: OBJECT IDENTIFIER '2 5 4 11' 410 2: PrintableString 'qa' : } : } 414 14: SET { 416 12: SEQUENCE { 418 3: OBJECT IDENTIFIER '2 5 4 3' 423 5: PrintableString 'cmpca' : } : } : } 430 30: SEQUENCE { 432 13: UTCTime 10/06/2020 14:09:29 GMT 447 13: UTCTime 10/06/2023 14:09:29 GMT : } 462 56: SEQUENCE { 464 11: SET { 466 9: SEQUENCE { 468 3: OBJECT IDENTIFIER '2 5 4 6' 473 2: PrintableString 'IN' : } : } 477 12: SET { 479 10: SEQUENCE { 481 3: OBJECT IDENTIFIER '2 5 4 10' 486 3: PrintableString 'tst' : } : } 491 11: SET { 493 9: SEQUENCE { 495 3: OBJECT IDENTIFIER '2 5 4 11' 500 2: PrintableString 'qa' : } : } 504 14: SET { 506 12: SEQUENCE { 508 3: OBJECT IDENTIFIER '2 5 4 3' 513 5: PrintableString 'cmpca' : } : } : } 520 159: SEQUENCE { 523 13: SEQUENCE { 525 9: OBJECT IDENTIFIER '1 2 840 113549 1 1 1' 536 0: NULL : } 538 141: BIT STRING, encapsulates { 542 137: SEQUENCE { 545 129: INTEGER : 00 B9 43 43 C0 61 6A 49 DF 83 F8 21 A5 D8 3F D2 : A6 F4 C9 7F A4 39 6A C3 AD D1 00 5B 4E 9F 49 51 : 82 F1 15 DA A3 02 13 D5 E3 B8 A0 A6 0F 6B 96 A3 : DE 30 D0 FD 48 2D 1F 5C AC 90 F3 22 05 64 AB BC : 6B 01 4B D0 DD 5A 6E 02 D0 BA 9F C7 6E A9 30 DF : 79 95 F3 23 91 A1 8F 18 58 E7 91 D9 EE B7 12 6B : 59 34 1C 49 3B 3E 4D 33 92 19 14 9F D2 84 82 60 : 7E 63 D9 CA 79 CB F2 55 B0 D3 A9 4C 9A 55 B3 8F : 4F 677 3: INTEGER 65537 : } : } : } 682 96: [3] { 684 94: SEQUENCE { 686 14: SEQUENCE { 688 3: OBJECT IDENTIFIER '2 5 29 15' 693 1: BOOLEAN TRUE 696 4: OCTET STRING, encapsulates { 698 2: BIT STRING 1 unused bit : '1100001'B : } : } 702 12: SEQUENCE { 704 3: OBJECT IDENTIFIER '2 5 29 19' 709 5: OCTET STRING, 
encapsulates { 711 3: SEQUENCE { 713 1: BOOLEAN TRUE : } : } : } 716 29: SEQUENCE { 718 3: OBJECT IDENTIFIER '2 5 29 14' 723 22: OCTET STRING, encapsulates { 725 20: OCTET STRING : 75 20 C2 F2 CB 75 20 21 74 8B CF C0 3A A6 55 58 : C5 C9 15 5C : } : } 747 31: SEQUENCE { 749 3: OBJECT IDENTIFIER '2 5 29 35' 754 24: OCTET STRING, encapsulates { 756 22: SEQUENCE { 758 20: [0] : 75 20 C2 F2 CB 75 20 21 74 8B CF C0 3A A6 55 58 : C5 C9 15 5C : } : } : } : } : } : } 780 13: SEQUENCE { 782 9: OBJECT IDENTIFIER '1 2 840 113549 1 1 11' 793 0: NULL : } 795 129: BIT STRING : 48 84 70 D7 BD 24 A6 93 F3 E0 87 D2 A8 BB DC 76 : 07 C5 27 88 EC CD 92 05 A3 5A DC 67 29 1A 8B 6B : 3E AF F1 E8 18 76 DD 59 98 90 2B 95 E4 1A A9 26 : D6 4A 72 FB AA 8D 59 29 6C 16 AF 38 87 9C 40 0E : 88 89 20 40 8E 78 79 65 4D 5C B3 E3 3C AC 84 A5 : 22 9E 95 55 30 C2 A8 01 FF D0 3A B1 2D 5E 8A E5 : 6C AF 6E 7F 10 14 83 70 FD 2B 08 2A B0 E4 FA E6 : 23 87 5F AD 7B 24 36 45 78 CA 0F C8 EA 39 51 86 : } : } : } 927 650: SEQUENCE { 931 646: SEQUENCE { 935 1: INTEGER 0 938 3: SEQUENCE { 940 1: INTEGER 0 : } 943 634: SEQUENCE { 947 630: [0] { 951 626: SEQUENCE { 955 475: SEQUENCE { 959 16: INTEGER 22 D5 1F 24 78 81 9D 96 97 8A 54 84 0F 95 70 9E 977 13: SEQUENCE { 979 9: OBJECT IDENTIFIER '1 2 840 113549 1 1 11' 990 0: NULL : } 992 56: SEQUENCE { 994 11: SET { 996 9: SEQUENCE { 998 3: OBJECT IDENTIFIER '2 5 4 6' 1003 2: PrintableString 'IN' : } : } 1007 12: SET { 1009 10: SEQUENCE { 1011 3: OBJECT IDENTIFIER '2 5 4 10' 1016 3: PrintableString 'tst' : } : } 1021 11: SET { 1023 9: SEQUENCE { 1025 3: OBJECT IDENTIFIER '2 5 4 11' 1030 2: PrintableString 'qa' : } : } 1034 14: SET { 1036 12: SEQUENCE { 1038 3: OBJECT IDENTIFIER '2 5 4 3' 1043 5: PrintableString 'cmpca' : } : } : } 1050 30: SEQUENCE { 1052 13: UTCTime 27/06/2020 09:15:02 GMT 1067 13: UTCTime 27/06/2021 09:15:02 GMT : } 1082 56: SEQUENCE { 1084 11: SET { 1086 9: SEQUENCE { 1088 3: OBJECT IDENTIFIER '2 5 4 6' 1093 2: PrintableString 'IN' : } : } 1097 12: SET 
{ 1099 10: SEQUENCE { 1101 3: OBJECT IDENTIFIER '2 5 4 10' 1106 3: PrintableString 'tst' : } : } 1111 11: SET { 1113 9: SEQUENCE { 1115 3: OBJECT IDENTIFIER '2 5 4 11' 1120 2: PrintableString 'qa' : } : } 1124 14: SET { 1126 12: SEQUENCE { 1128 3: OBJECT IDENTIFIER '2 5 4 3' 1133 5: PrintableString 'vivek' : } : } : } 1140 290: SEQUENCE { 1144 13: SEQUENCE { 1146 9: OBJECT IDENTIFIER '1 2 840 113549 1 1 1' 1157 0: NULL : } 1159 271: BIT STRING, encapsulates { 1164 266: SEQUENCE { 1168 257: INTEGER : 00 BD 15 05 75 F3 69 36 CE 40 B4 F8 F0 81 CE 1C : 6C 1E 28 C3 9B CD D5 EC 8F A9 2D D3 C0 E2 EE F7 : FE 8E 85 5B 2A 41 64 72 D8 51 A1 D5 ED 51 10 99 : B1 CE 1D E7 EC BD 65 CD 74 40 10 49 8A 4D 21 9E : A5 70 1C 33 86 D7 48 D9 37 BC 89 A3 83 98 6C BB : F0 46 C4 C4 B8 2F 4A C7 99 54 7A D2 1B 2E DC EC : 53 8A 68 4B F4 05 91 29 61 8E 2C E3 AA 1F A1 CA : 4B 89 8A FA EC 85 4C 19 6A 65 AD AA 2B C8 20 35 : [ Another 129 bytes skipped ] 1429 3: INTEGER 65537 : } : } : } : } 1434 13: SEQUENCE { 1436 9: OBJECT IDENTIFIER '1 2 840 113549 1 1 11' 1447 0: NULL : } 1449 129: BIT STRING : 3E A4 43 B4 D3 2C 0D 85 38 83 A2 47 FF E6 54 1D : A4 22 AE EA 6C F4 7E 09 FF 5C 58 D2 80 2B 05 D5 : 0F 83 EC B5 4C CC D7 D6 97 AF 36 E5 D4 29 51 FD : 5F D6 4F F1 8B E2 7F F1 BA 77 62 11 8F 6E 35 71 : 37 63 BB 81 C4 19 DD BD 46 30 6B 3B BA 0D 81 B6 : 0B F9 32 BE F1 16 3A 73 7D 80 1B 44 4D EA C0 88 : 0A 3C 39 00 0F 35 BF 5A 3D 53 8B 86 E5 2F ED 38 : FB 82 9A 10 F4 CB 81 09 16 BA C8 0A 28 B7 7A 86 : } : } : } : } : } : } : } 1581 132: [0] { 1584 129: BIT STRING : 26 B6 C2 F9 CB 75 0E 66 CF 8D 3F 4B 15 93 9A DC : 13 0E 05 C5 4D 70 05 6E 1F 27 B9 14 1F CD 72 88 : 34 6E 35 95 CD CC 1A 22 B3 C0 95 92 30 3A 54 8D : 14 EE C5 05 14 3E A3 53 03 79 C7 4F 7B 0B 9F 92 : 10 D2 40 DB 24 C8 C1 FE 34 59 EA E6 A5 0C 6A C5 : 1A 80 C6 4D 78 AC D2 93 55 2F 9B 85 8B 59 E8 06 : 07 0E 5C DF EA 8C D9 7A EE 5C 03 CC BB 45 D5 54 : 9B 24 AB FD F5 93 82 41 09 10 CA 7C 08 DE 6F 85 : } 1716 606: [1] { 1720 602: SEQUENCE { 1724 598: 
SEQUENCE {
1728 447:         SEQUENCE {
1732   3:           [0] {
1734   1:             INTEGER 2
        :             }
1737  17:           INTEGER 00 EC 27 3D 5E 15 80 FF 01 3A CE 3D BA E9 91 9F 4A
1756  13:           SEQUENCE {
1758   9:             OBJECT IDENTIFIER '1 2 840 113549 1 1 11'
1769   0:             NULL
        :             }
1771  56:           SEQUENCE {
1773  11:             SET {
1775   9:               SEQUENCE {
1777   3:                 OBJECT IDENTIFIER '2 5 4 6'
1782   2:                 PrintableString 'IN'
        :                 }
        :               }
1786  12:             SET {
1788  10:               SEQUENCE {
1790   3:                 OBJECT IDENTIFIER '2 5 4 10'
1795   3:                 PrintableString 'tst'
        :                 }
        :               }
1800  11:             SET {
1802   9:               SEQUENCE {
1804   3:                 OBJECT IDENTIFIER '2 5 4 11'
1809   2:                 PrintableString 'qa'
        :                 }
        :               }
1813  14:             SET {
1815  12:               SEQUENCE {
1817   3:                 OBJECT IDENTIFIER '2 5 4 3'
1822   5:                 PrintableString 'cmpca'
        :                 }
        :               }
        :             }
1829  30:           SEQUENCE {
1831  13:             UTCTime 10/06/2020 14:09:29 GMT
1846  13:             UTCTime 10/06/2023 14:09:29 GMT
        :             }
1861  56:           SEQUENCE {
1863  11:             SET {
1865   9:               SEQUENCE {
1867   3:                 OBJECT IDENTIFIER '2 5 4 6'
1872   2:                 PrintableString 'IN'
        :                 }
        :               }
1876  12:             SET {
1878  10:               SEQUENCE {
1880   3:                 OBJECT IDENTIFIER '2 5 4 10'
1885   3:                 PrintableString 'tst'
        :                 }
        :               }
1890  11:             SET {
1892   9:               SEQUENCE {
1894   3:                 OBJECT IDENTIFIER '2 5 4 11'
1899   2:                 PrintableString 'qa'
        :                 }
        :               }
1903  14:             SET {
1905  12:               SEQUENCE {
1907   3:                 OBJECT IDENTIFIER '2 5 4 3'
1912   5:                 PrintableString 'cmpca'
        :                 }
        :               }
        :             }
1919 159:           SEQUENCE {
1922  13:             SEQUENCE {
1924   9:               OBJECT IDENTIFIER '1 2 840 113549 1 1 1'
1935   0:               NULL
        :               }
1937 141:             BIT STRING, encapsulates {
1941 137:               SEQUENCE {
1944 129:                 INTEGER
        :                   00 B9 43 43 C0 61 6A 49 DF 83 F8 21 A5 D8 3F D2
        :                   A6 F4 C9 7F A4 39 6A C3 AD D1 00 5B 4E 9F 49 51
        :                   82 F1 15 DA A3 02 13 D5 E3 B8 A0 A6 0F 6B 96 A3
        :                   DE 30 D0 FD 48 2D 1F 5C AC 90 F3 22 05 64 AB BC
        :                   6B 01 4B D0 DD 5A 6E 02 D0 BA 9F C7 6E A9 30 DF
        :                   79 95 F3 23 91 A1 8F 18 58 E7 91 D9 EE B7 12 6B
        :                   59 34 1C 49 3B 3E 4D 33 92 19 14 9F D2 84 82 60
        :                   7E 63 D9 CA 79 CB F2 55 B0 D3 A9 4C 9A 55 B3 8F
        :                   4F
2076   3:                 INTEGER 65537
        :                 }
        :               }
        :             }
2081  96:           [3] {
2083  94:             SEQUENCE {
2085  14:               SEQUENCE {
2087   3:                 OBJECT IDENTIFIER '2 5 29 15'
2092   1:                 BOOLEAN TRUE
2095   4:                 OCTET STRING, encapsulates {
2097   2:                   BIT STRING 1 unused bit
        :                     '1100001'B
        :                   }
        :                 }
2101  12:               SEQUENCE {
2103   3:                 OBJECT IDENTIFIER '2 5 29 19'
2108   5:                 OCTET STRING, encapsulates {
2110   3:                   SEQUENCE {
2112   1:                     BOOLEAN TRUE
        :                     }
        :                   }
        :                 }
2115  29:               SEQUENCE {
2117   3:                 OBJECT IDENTIFIER '2 5 29 14'
2122  22:                 OCTET STRING, encapsulates {
2124  20:                   OCTET STRING
        :                     75 20 C2 F2 CB 75 20 21 74 8B CF C0 3A A6 55 58
        :                     C5 C9 15 5C
        :                   }
        :                 }
2146  31:               SEQUENCE {
2148   3:                 OBJECT IDENTIFIER '2 5 29 35'
2153  24:                 OCTET STRING, encapsulates {
2155  22:                   SEQUENCE {
2157  20:                     [0]
        :                       75 20 C2 F2 CB 75 20 21 74 8B CF C0 3A A6 55 58
        :                       C5 C9 15 5C
        :                     }
        :                   }
        :                 }
        :               }
        :             }
        :           }
2179  13:         SEQUENCE {
2181   9:           OBJECT IDENTIFIER '1 2 840 113549 1 1 11'
2192   0:           NULL
        :           }
2194 129:         BIT STRING
        :           48 84 70 D7 BD 24 A6 93 F3 E0 87 D2 A8 BB DC 76
        :           07 C5 27 88 EC CD 92 05 A3 5A DC 67 29 1A 8B 6B
        :           3E AF F1 E8 18 76 DD 59 98 90 2B 95 E4 1A A9 26
        :           D6 4A 72 FB AA 8D 59 29 6C 16 AF 38 87 9C 40 0E
        :           88 89 20 40 8E 78 79 65 4D 5C B3 E3 3C AC 84 A5
        :           22 9E 95 55 30 C2 A8 01 FF D0 3A B1 2D 5E 8A E5
        :           6C AF 6E 7F 10 14 83 70 FD 2B 08 2A B0 E4 FA E6
        :           23 87 5F AD 7B 24 36 45 78 CA 0F C8 EA 39 51 86
        :         }
        :       }
        :     }
        :   }

0 warnings, 0 errors.
[root@centos7 cmp_test]#

Error at cmpossl client end after receiving the above ip response from RSA CMS server:

[root@centos7 cmp_test]# ./cmpclient.sh ir
140050278958912:error:390730A1:CMP routines:find_srvcert:no valid server cert found:crypto/cmp/cmp_vfy.c:591:
trying to match msg sender name = /C=IN/O=tst/OU=qa/CN=cmpca
considering cert with subject = /C=IN/O=tst/OU=qa/CN=cmpca and issuer = /C=IN/O=tst/OU=qa/CN=cmpca
certificate Subject Key Identifier does not match senderKID:
actual = 75:20:C2:F2:CB:75:20:21:74:8B:CF:C0:3A:A6:55:58:C5:C9:15:5C
expected = B0:2E:9F:EC:94:65:C5:07:EE:A2:7F:C5:71:FD:43:0D:C7:23:2B:8D
considering cert with subject = /C=IN/O=tst/OU=qa/CN=cmpca and issuer = /C=IN/O=tst/OU=qa/CN=cmpca
certificate Subject Key Identifier does not match senderKID:
actual = 75:20:C2:F2:CB:75:20:21:74:8B:CF:C0:3A:A6:55:58:C5:C9:15:5C
expected = B0:2E:9F:EC:94:65:C5:07:EE:A2:7F:C5:71:FD:43:0D:C7:23:2B:8D
considering cert with subject = /C=IN/ST=KA/L=BN/O=Test1234/OU=System Test/CN=Test1234RootCaCert.com and issuer = /C=IN/ST=KA/L=BN/O=Test1234/OU=System Test/CN=Test1234RootCaCert.com
certificate subject does not match sender:
actual = /C=IN/ST=KA/L=BN/O=Test1234/OU=System Test/CN=Test1234RootCaCert.com
expected = /C=IN/O=tst/OU=qa/CN=cmpca
no current matching server cert found
140050278958912:error:390BE0A0:CMP routines:OSSL_CMP_validate_msg:no suitable server cert:crypto/cmp/cmp_vfy.c:771:
140050278958912:error:390AC08F:CMP routines:OSSL_CMP_MSG_check_received:error validating protection:crypto/cmp/cmp_lib.c:1547:
[root@centos7 cmp_test]#

Waiting for your reply.

Thanks & Regards, Vivek

mpeylo commented 4 years ago

Hi,

> Yes, so my RSA server issuer is CN= cmpca and in "ip" RSA server is sending its CA cert in extracerts and its name in sender field. But senderKID, it is sending as "B0:2E:9F:EC:94:65:C5:07:EE:A2:7F:C5:71:FD:43:0D:C7:23:2B:8D" which actually is the subject key identifier of local vendor cert (as shown below).

So, if I understand right, your CMP server is blindly reflecting the senderKID the client has sent? In that case, the only standard-conforming option to fix this is to ask the vendor of the CMP server to do that.

Note: For a comfortable viewing experience, it should be possible to load the dumped ASN.1 files using Wireshark and decode them as "PKIMessage". 😊

Kind regards, Martin

DDvO commented 4 years ago

> Yes, so my RSA server issuer is CN= cmpca and in "ip" RSA server is sending its CA cert in extracerts and its name in sender field. But senderKID, it is sending as "B0:2E:9F:EC:94:65:C5:07:EE:A2:7F:C5:71:FD:43:0D:C7:23:2B:8D" which actually is the subject key identifier of local vendor cert (as shown below).

> So, if I understand right, your CMP server is blindly reflecting the senderKID the client has sent?

Yes, this is what I already suspected.

> In that case, the only standard-conforming option to fix this is to ask the vendor of the CMP server to do that.

Indeed the CA server is wrong and should be fixed.

> Note: For a comfortable viewing experience, it should be possible to load the dumped ASN.1 files using Wireshark and decode them as "PKIMessage".

Yeah, that would be the most pretty way of viewing CMP messages.

Yet @bairathivivek should at least have used triple backticks for Markdown code block formatting when quoting the output of dumpasn1 such that the nested indentation would not have been lost. Moreover, it is strongly advisable to use the config file dumpasn1.cfg such that (most of the) OID names would be printed in mnemonic form, for instance:

$ dumpasn1 req.der 
  0 341: SEQUENCE {
  4  82:   SEQUENCE {
  6   1:     INTEGER 2
  9  14:     [4] {
 11  12:       SEQUENCE {
 13  10:         SET {
 15   8:           SEQUENCE {
 17   3:             OBJECT IDENTIFIER organizationName (2 5 4 10)
 22   1:             PrintableString 'X'
       :             }
       :           }
       :         }
       :       }
 25   2:     [4] {
 27   0:       SEQUENCE {}
       :       }
 29  17:     [0] {
 31  15:       GeneralizedTime 27/06/2020 08:46:10 GMT
       :       }
 48  18:     [4] {
 50  16:       OCTET STRING D2 74 28 AE 8F D2 4F F0 78 41 DE D6 7A 00 F6 17
       :       }
 68  18:     [5] {
 70  16:       OCTET STRING 6A 10 F6 FA D7 56 CB 9A 14 80 01 F1 86 AB AC 7E
       :       }
       :     }
 88 254:   [0] {
 91 251:     SEQUENCE {
 94 248:       SEQUENCE {
 97 245:         SEQUENCE {
100   1:           INTEGER 0
103 239:           SEQUENCE {
106   2:             [3] {
108   0:               SEQUENCE {}
       :               }
110  55:             [5] {
112  53:               SEQUENCE {
114  16:                 SET {
116  14:                   SEQUENCE {
118   3:                     OBJECT IDENTIFIER commonName (2 5 4 3)
123   7:                     UTF8String '<empty>'
       :                     }
       :                   }
132  15:                 SET {
134  13:                   SEQUENCE {
136   3:                     OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
141   6:                     UTF8String 'myDept'
       :                     }
       :                   }
149  16:                 SET {
151  14:                   SEQUENCE {
153   3:                     OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
158   7:                     UTF8String 'myGroup'
       :                     }
       :                   }
       :                 }
       :               }
167  92:             [6] {
169  13:               SEQUENCE {
171   9:                 OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
182   0:                 NULL
       :                 }
184  75:               BIT STRING, encapsulates {
187  72:                 SEQUENCE {
189  65:                   INTEGER
       :                     00 B8 DD DB 67 55 BA 03 82 F7 7E 28 9A B9 3B 0E
       :                     E6 12 B0 C9 AE 20 3E B5 20 81 FF 84 6E 35 B5 6A
       :                     77 5E A2 B5 29 4B EF BD 48 87 D7 5A A7 4D 86 DE
       :                     3F F2 1A E9 7A F3 6B 15 1E 72 CB 22 E4 BE B2 11
       :                     AD
256   3:                   INTEGER 65537
       :                   }
       :                 }
       :               }
261  82:             [9] {
263  33:               SEQUENCE {
265   3:                 OBJECT IDENTIFIER subjectAltName (2 5 29 17)
270  26:                 OCTET STRING, encapsulates {
272  24:                   SEQUENCE {
274  16:                     [2] 'www.myServer.com'
292   4:                     [7] 01 01 01 01
       :                     }
       :                   }
       :                 }
298  14:               SEQUENCE {
300   3:                 OBJECT IDENTIFIER keyUsage (2 5 29 15)
305   1:                 BOOLEAN TRUE
308   4:                 OCTET STRING, encapsulates {
310   2:                   BIT STRING 3 unused bits
       :                     '10001'B
       :                   }
       :                 }
314  29:               SEQUENCE {
316   3:                 OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
321  22:                 OCTET STRING, encapsulates {
323  20:                   SEQUENCE {
325   8:                     OBJECT IDENTIFIER clientAuth (1 3 6 1 5 5 7 3 2)
335   8:                     OBJECT IDENTIFIER serverAuth (1 3 6 1 5 5 7 3 1)
       :                     }
       :                   }
       :                 }
       :               }
       :             }
       :           }
       :         }
       :       }
       :     }
       :   }

0 warnings, 0 errors.
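The check that find_srvcert reports as failing in the client log above, written out as an added example (this is not cmpossl code and not code from anyone in this thread): a minimal DER walker locates the SubjectKeyIdentifier extension (OID 2.5.29.14) in a certificate's extensions and compares it with the senderKID from the PKIHeader, printing the same "actual"/"expected" pair as the log. The extension bytes are re-encoded by hand from the dumpasn1 listing of the CN=cmpca CA cert earlier in this issue and are sample data constructed for the example (the keyUsage byte 0x86 is my reading of dumpasn1's '1100001'B); all function and constant names are my own.

```python
"""Added example (not cmpossl code): find a certificate's SubjectKeyIdentifier in
its DER-encoded extensions and compare it with a CMP senderKID, the check that
find_srvcert() in the client log reports as failing."""
from typing import Iterator, Optional, Tuple

OID_SUBJECT_KEY_IDENTIFIER = bytes.fromhex("551D0E")   # 2.5.29.14, DER-encoded OID body

# Extensions of the CA cert "CN=cmpca", re-encoded by hand from the dumpasn1 listing
# in this issue (offsets 2081-2178). Sample data constructed for this example; the
# keyUsage byte 0x86 is an assumption matching dumpasn1's '1100001'B rendering.
CA_EXTENSIONS_DER = bytes.fromhex(
    "A3 60"                                              # [3] EXPLICIT Extensions, 96 bytes
    "30 5E"                                              #   SEQUENCE OF Extension, 94 bytes
    "30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 01 86"    #   keyUsage (critical)
    "30 0C 06 03 55 1D 13 04 05 30 03 01 01 FF"          #   basicConstraints cA=TRUE
    "30 1D 06 03 55 1D 0E 04 16 04 14"                   #   subjectKeyIdentifier
    "7520C2F2CB752021748BCFC03AA65558C5C9155C"
    "30 1F 06 03 55 1D 23 04 18 30 16 80 14"             #   authorityKeyIdentifier
    "7520C2F2CB752021748BCFC03AA65558C5C9155C"
)

# senderKID the CA server put into the ip: the vendor cert's SKID, reflected from the ir
REFLECTED_SENDER_KID = "B0:2E:9F:EC:94:65:C5:07:EE:A2:7F:C5:71:FD:43:0D:C7:23:2B:8D"


def read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV starting at pos; return (tag, value, position after it).
    Handles short-form and long-form definite lengths only (no indefinite lengths)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("DER length runs past end of buffer")
    return tag, data[pos:end], end


def iter_children(value: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val


def subject_key_identifier(extensions_der: bytes) -> Optional[bytes]:
    """Return the keyIdentifier from the SubjectKeyIdentifier extension, or None."""
    tag, seq, _ = read_tlv(extensions_der, 0)
    if tag != 0xA3:                      # context-specific [3] wrapping the Extensions
        raise ValueError("not an Extensions element")
    tag, exts, _ = read_tlv(seq, 0)
    if tag != 0x30:
        raise ValueError("Extensions is not a SEQUENCE")
    for _, ext in iter_children(exts):
        fields = list(iter_children(ext))     # extnID, [critical], extnValue
        if fields[0][1] != OID_SUBJECT_KEY_IDENTIFIER:
            continue
        inner_tag, key_id, _ = read_tlv(fields[-1][1], 0)   # extnValue wraps an OCTET STRING
        if inner_tag != 0x04:
            raise ValueError("SubjectKeyIdentifier is not an OCTET STRING")
        return key_id
    return None


def colon_hex(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)


def check_sender_kid(extensions_der: bytes, sender_kid: str) -> Tuple[bool, str, str]:
    """Mimic the cmp_vfy.c diagnostic: compare the candidate cert's SKID ("actual")
    with the senderKID taken from the PKIHeader ("expected")."""
    actual = subject_key_identifier(extensions_der)
    expected = bytes.fromhex(sender_kid.replace(":", ""))
    return actual == expected, colon_hex(actual or b""), colon_hex(expected)


if __name__ == "__main__":
    ok, actual, expected = check_sender_kid(CA_EXTENSIONS_DER, REFLECTED_SENDER_KID)
    if not ok:
        print("certificate Subject Key Identifier does not match senderKID:")
        print("  actual   =", actual)
        print("  expected =", expected)
```

Run as a script it reproduces the mismatch from the log (actual 75:20:..., expected B0:2E:...); passing the CA cert's own SKID as senderKID makes the check succeed, which is what a server that fills senderKID from its protecting certificate, as RFC 4210 section 5.1.1 intends, would produce. Validating the signature against a cert whose SKID does not match the header would silently accept a mis-identified signer, so rejecting the message, as cmpossl does here, is the right client behaviour.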
bairathivivek commented 4 years ago

Thanks David and Martin for confirming that the issue is on server side. Will check with the RSA CMS.

Thanks & Regards, Vivek

DDvO commented 4 years ago

Glad we've been able to help clarify this issue, Vivek.

So closing this.