openca / openca-ocspd

The OpenCA's Online Certificate Status Protocol Daemon

OCSPD v3.1.2 - Can not parse cert #49

Closed ib-mlatin closed 2 years ago

ib-mlatin commented 4 years ago

OCSPD fails to load any CA I provide in any method. I have verified that the CAs are completely valid and "openssl x509" reads them perfectly. All that OCSPD mentions is that it "could not parse cert" or "Can not get CA cert". See below for both log entries and my root CA file.

Using caCertUrl

OpenCA's OCSP Responder - v3.1.2 (Build: Mon Jan 20 13:42:35 CST 2020)
(c) 2002-2018 by Massimiliano Pala and OpenCA Project
    OpenCA licensed software

Jan 27 14:58:53 2020 GMT [23174] GENERAL: OpenCA OCSPD v3.1.2 (Mon Jan 20 13:42:35 CST 2020)- starting.
Jan 27 14:58:53 2020 GMT [23174] INFO: [token.c:2585] [PKI_TOKEN_load_profiles()] [DEBUG] ERROR, can not load directory /home/ubuntu/.libpki/profile.d!
Jan 27 14:58:53 2020 GMT [23174] INFO: [token.c:838] [PKI_TOKEN_init()] [DEBUG] Can not load profiles (/home/ubuntu/.libpki/profile.d)

Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:876] [PKI_CONFIG_load_dir()] [DEBUG]: Loading file /usr/etc/ocspd/ca.d/001-ibGlobalCA01.xml
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:892] [PKI_CONFIG_load_dir()] [DEBUG]: Loaded /usr/etc/ocspd/ca.d/001-ibGlobalCA01.xml file
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:876] [PKI_CONFIG_load_dir()] [DEBUG]: Loading file /usr/etc/ocspd/ca.d/000-ibRootCA.xml
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:892] [PKI_CONFIG_load_dir()] [DEBUG]: Loaded /usr/etc/ocspd/ca.d/000-ibRootCA.xml file
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:866] [PKI_CONFIG_load_dir()] [DEBUG]: Skipping file ..
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:866] [PKI_CONFIG_load_dir()] [DEBUG]: Skipping file .
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:412] [PKI_CONFIG_get_element()] [DEBUG]: Element Not Found [Search: /serverConfig/security/chrootDir, Position: -1]
Jan 27 14:58:53 2020 GMT [23174] INFO: [config.c:277] [OCSPD_load_config()] [DEBUG] Selected response digest algorithm: SHA1
Jan 27 14:58:53 2020 GMT [23174] INFO: [config.c:298] [OCSPD_load_config()] [DEBUG] Selected signature digest algorithm: SHA256
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:412] [PKI_CONFIG_get_element()] [DEBUG]: Element Not Found [Search: /serverConfig/general/dbUrl, Position: -1]
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:412] [PKI_CONFIG_get_element()] [DEBUG]: Element Not Found [Search: /serverConfig/general/dbPersistant, Position: -1]
Jan 27 14:58:53 2020 GMT [23174] INFO: [config.c:414] [OCSPD_build_ca_list()] [DEBUG] Building CA List
Jan 27 14:58:53 2020 GMT [23174] GENERAL: Processing Configuration for [CA: XXXXX Global CA-1]
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:412] [PKI_CONFIG_get_element()] [DEBUG]: Element Not Found [Search: /caConfig/caCertValue, Position: -1]
Jan 27 14:58:53 2020 GMT [23174] ERROR: [config.c:495] [OCSPD_build_ca_list()] [ERROR] Can not get CA cert [CA: file:///var/www/cacerts/globalca1.crt, URL: XXXXX Global CA-1]
Jan 27 14:58:53 2020 GMT [23174] GENERAL: Processing Configuration for [CA: XXXXX Root CA]
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:412] [PKI_CONFIG_get_element()] [DEBUG]: Element Not Found [Search: /caConfig/caCertValue, Position: -1]
Jan 27 14:58:53 2020 GMT [23174] ERROR: [config.c:495] [OCSPD_build_ca_list()] [ERROR] Can not get CA cert [CA: file:///var/www/cacerts/rootca.crt, URL: XXXXX Root CA]
Jan 27 14:58:53 2020 GMT [23174] INFO: Configuration loaded and parsed

Using caCertValue

OpenCA's OCSP Responder - v3.1.2 (Build: Mon Jan 20 13:42:35 CST 2020)
(c) 2002-2018 by Massimiliano Pala and OpenCA Project
    OpenCA licensed software

Jan 27 15:13:45 2020 GMT [23409] GENERAL: OpenCA OCSPD v3.1.2 (Mon Jan 20 13:42:35 CST 2020)- starting.
Jan 27 15:13:45 2020 GMT [23409] INFO: [token.c:2585] [PKI_TOKEN_load_profiles()] [DEBUG] ERROR, can not load directory /home/ubuntu/.libpki/profile.d!
Jan 27 15:13:45 2020 GMT [23409] INFO: [token.c:838] [PKI_TOKEN_init()] [DEBUG] Can not load profiles (/home/ubuntu/.libpki/profile.d)

Jan 27 15:13:45 2020 GMT [23409] INFO: [pki_config.c:876] [PKI_CONFIG_load_dir()] [DEBUG]: Loading file /usr/etc/ocspd/ca.d/001-ibGlobalCA01.xml
Jan 27 15:13:45 2020 GMT [23409] INFO: [pki_config.c:892] [PKI_CONFIG_load_dir()] [DEBUG]: Loaded /usr/etc/ocspd/ca.d/001-ibGlobalCA01.xml file
Jan 27 15:13:45 2020 GMT [23409] INFO: [pki_config.c:876] [PKI_CONFIG_load_dir()] [DEBUG]: Loading file /usr/etc/ocspd/ca.d/000-ibRootCA.xml
Jan 27 15:13:45 2020 GMT [23409] INFO: [pki_config.c:892] [PKI_CONFIG_load_dir()] [DEBUG]: Loaded /usr/etc/ocspd/ca.d/000-ibRootCA.xml file
Jan 27 15:13:45 2020 GMT [23409] INFO: [pki_config.c:866] [PKI_CONFIG_load_dir()] [DEBUG]: Skipping file ..
Jan 27 15:13:45 2020 GMT [23409] INFO: [pki_config.c:866] [PKI_CONFIG_load_dir()] [DEBUG]: Skipping file .
Jan 27 15:13:45 2020 GMT [23409] INFO: [pki_config.c:412] [PKI_CONFIG_get_element()] [DEBUG]: Element Not Found [Search: /serverConfig/security/chrootDir, Position: -1]
Jan 27 15:13:45 2020 GMT [23409] INFO: [config.c:277] [OCSPD_load_config()] [DEBUG] Selected response digest algorithm: SHA1
Jan 27 15:13:45 2020 GMT [23409] INFO: [config.c:298] [OCSPD_load_config()] [DEBUG] Selected signature digest algorithm: SHA256
Jan 27 15:13:45 2020 GMT [23409] INFO: [pki_config.c:412] [PKI_CONFIG_get_element()] [DEBUG]: Element Not Found [Search: /serverConfig/general/dbUrl, Position: -1]
Jan 27 15:13:45 2020 GMT [23409] INFO: [pki_config.c:412] [PKI_CONFIG_get_element()] [DEBUG]: Element Not Found [Search: /serverConfig/general/dbPersistant, Position: -1]
Jan 27 15:13:45 2020 GMT [23409] INFO: [config.c:414] [OCSPD_build_ca_list()] [DEBUG] Building CA List
Jan 27 15:13:45 2020 GMT [23409] GENERAL: Processing Configuration for [CA: XXXXX Global CA-1]
Jan 27 15:13:45 2020 GMT [23409] ERROR: [config.c:531] [OCSPD_build_ca_list()] [ERROR] Can not parse cert from /caConfig/caCertValue [CA: XXXXX Global CA-1]
Jan 27 15:13:45 2020 GMT [23409] GENERAL: Processing Configuration for [CA: XXXXX Root CA]
Jan 27 15:13:45 2020 GMT [23409] ERROR: [config.c:531] [OCSPD_build_ca_list()] [ERROR] Can not parse cert from /caConfig/caCertValue [CA: XXXXX Root CA]
Jan 27 15:13:45 2020 GMT [23409] INFO: Configuration loaded and parsed

Current 000-ibRootCA.xml config (Certificate removed)

<?xml version="1.0" ?>
<!-- OCSP Daemon configuration -->
<pki:caConfig xmlns:pki="http://www.openca.org/openca/pki/1/0/0">
   <!-- Give a meaningful name to this CA - This name will be used in the
        logfiles -->
   <pki:name>intelli-building Root CA</pki:name>
   <!-- You can embed the CA certificate in the configuration file by
        using the caCert option and putting the PEM formatted version of
        the certificate here -->
   <pki:caCertValue>
-----BEGIN CERTIFICATE-----
CERT
-----END CERTIFICATE-----
   </pki:caCertValue>
   <!-- You can specify the URL where to download the CA certificate from.
        The URL is any URL supported by LibPKI (file://, id://, http://,
        https://, ldap://) -->
   <!--<pki:caCertUrl>file:///usr/etc/ocspd/certs/rootca.crt</pki:caCertUrl>-->
   <!-- <pki:caCertUrl>file:///usr/etc/ocspd/certs/cacert.pem</pki:caCertUrl> -->
   <pki:crlUrl>file:///var/www/cacrls/rootca.crl</pki:crlUrl>
   <!-- Use serverCertUrl if your OCSP server has only one private
        keypair (configured in the ocsp.xml -> token ) but different
        certificates issued by different CAs. This is the cert that
        will be used to generate responses for this CA -->
   <!-- <pki:serverCertUrl></pki:serverCertUrl> -->
   <!-- Use serverToken if your OCSP server has a full token configured
        (private key + certificate) to be used with this CA. The serverCertUrl
        and serverToken options are mutually exclusive, use only one! If
        the serverToken is used, it has the precedence over the serverCertUrl
        one -->
   <pki:serverToken>rootCertAuthToken</pki:serverToken>
   <!-- This allows for setting the responderIdType for the responder. The allowed
        values are:
        - 'name' for using the hash of the signer's certificate name
        - 'keyid' for using the hash of the signer's public key
        The default value (if not set) is to use the name identifier -->
   <pki:responderIdType>name</pki:responderIdType>
   <!-- In case a CA is compromised, set this option to yes. All the
        responses for this CA will carry the caCompromised flag. -->
   <pki:caCompromised>no</pki:caCompromised>
</pki:caConfig>

GoodFor-Nothing commented 4 years ago

Second one having exactly the same problem. Both libpki and ocspd have been self-compiled, checked out from GitHub (master branch).

205Thallium commented 4 years ago

My $0.02... A new libpki argument PKI_DATA_FORMAT was introduced as the 2nd argument to several X509 functions in the current master branch of libpki (something 0.9.x). The current master branch of ocspd appears to pass a fixed value of -1 (instead of the default value PKI_DATA_FORMAT_UNKNOWN) as the value for the new function arguments. I replaced all "-1" in PKIX509* calls with PKI_DATA_FORMAT_UNKNOWN in config.c, response.c and crl.c. At first glance, I get much better results now. Can someone please confirm this?
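To illustrate the mechanism described in the comment above, here is an added C model; it is not libpki's or ocspd's own code. The enum values (FMT_UNKNOWN, FMT_PEM, FMT_DER), the function names (load_cert, load_cert_checked) and the toy PEM/DER detection are all assumptions made for this example, as are the constructed sample inputs. Passing a bare -1 as the format selector matches no case and fails silently, which is the "Can not parse cert" symptom; passing the named unknown value makes the loader try each supported encoding; the checked variant rejects out-of-range selectors explicitly so a caller bug shows up in the log as such instead of looking like a bad certificate file.

```c
/* Model of the failure mode: a format selector passed as a bare -1 instead of
 * the named "unknown, auto-detect" enum value. Illustrative stand-in only,
 * NOT libpki's real API; enum values, names and detection logic are assumed. */
#include <stdio.h>
#include <string.h>

/* Hypothetical format selector modelled on the PKI_DATA_FORMAT argument
 * mentioned in the thread; the numeric values are assumptions. */
typedef enum {
    FMT_UNKNOWN = 0,   /* caller does not know; try every supported encoding */
    FMT_PEM     = 1,
    FMT_DER     = 2
} fmt_t;

typedef struct {
    const char *subject; /* toy "certificate": only a label is kept */
} toy_cert;

static const char PEM_HDR[] = "-----BEGIN CERTIFICATE-----";

/* Constructed sample inputs (not real certificates). */
const char SAMPLE_PEM[] = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";
const unsigned char SAMPLE_DER[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };

/* Minimal PEM detector: accepts anything starting with the PEM header. */
static int parse_pem(const unsigned char *buf, size_t len, toy_cert *out) {
    if (len < sizeof(PEM_HDR) - 1) return 0;
    if (memcmp(buf, PEM_HDR, sizeof(PEM_HDR) - 1) != 0) return 0;
    out->subject = "pem-cert";
    return 1;
}

/* Minimal DER detector: a certificate is a SEQUENCE, so the first byte is 0x30. */
static int parse_der(const unsigned char *buf, size_t len, toy_cert *out) {
    if (len < 2 || buf[0] != 0x30) return 0;
    out->subject = "der-cert";
    return 1;
}

/* Returns 1 on success, 0 on failure. With format == -1 no case matches,
 * nothing is tried, and the load "cannot parse": the buggy call site. */
int load_cert(const unsigned char *buf, size_t len, int format, toy_cert *out) {
    switch (format) {
    case FMT_UNKNOWN:
        return parse_pem(buf, len, out) || parse_der(buf, len, out);
    case FMT_PEM:
        return parse_pem(buf, len, out);
    case FMT_DER:
        return parse_der(buf, len, out);
    default:
        /* -1 or any other out-of-range value lands here: silent failure,
         * indistinguishable from a genuinely malformed certificate. */
        return 0;
    }
}

/* Hardened variant: treat an out-of-range selector as a caller bug and
 * report it (-1) instead of returning a generic parse failure (0). */
int load_cert_checked(const unsigned char *buf, size_t len, int format, toy_cert *out) {
    if (format < FMT_UNKNOWN || format > FMT_DER) {
        fprintf(stderr, "load_cert_checked: invalid format selector %d\n", format);
        return -1;
    }
    return load_cert(buf, len, format, out);
}

int main(void) {
    toy_cert c;
    const unsigned char *pem = (const unsigned char *)SAMPLE_PEM;
    size_t pem_len = sizeof(SAMPLE_PEM) - 1;

    printf("PEM with -1          -> %d\n", load_cert(pem, pem_len, -1, &c));
    printf("PEM with FMT_UNKNOWN -> %d (%s)\n",
           load_cert(pem, pem_len, FMT_UNKNOWN, &c), c.subject);
    printf("DER with FMT_UNKNOWN -> %d (%s)\n",
           load_cert(SAMPLE_DER, sizeof(SAMPLE_DER), FMT_UNKNOWN, &c), c.subject);
    printf("DER with -1, checked -> %d\n",
           load_cert_checked(SAMPLE_DER, sizeof(SAMPLE_DER), -1, &c));
    return 0;
}
```

The point of the checked variant is diagnostic: the original log says "Can not parse cert" for certificates that openssl x509 reads fine, which sent the reporter looking at the certificates rather than at the call site. A loader that distinguishes "invalid selector" from "invalid data" turns that into a one-line fix.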

inkosta commented 3 years ago

Confirm this works on FreeBSD 12.2, openssl-1.1.1.i.

scottthomas007 commented 3 years ago

Confirm this works on FreeBSD 12.2, openssl-1.1.1.i.

I tried this on Debian 10.8.0 64-bit version. The valid/good OCSP response works fine, but the response to a revoked certificate is invalid. The OpenSSL ocsp tool warns of an internal OCSP server error. The log shows no detailed response.