siemens / gencmpclient

generic CMP [RFC 4210, RFC 9483] client library and CLI, based on CMPforOpenSSL (https://github.com/mpeylo/cmpossl)

demo_CloudCA not working #59

Closed rajeev-0 closed 2 months ago

rajeev-0 commented 2 months ago

Issue Report

demo_CloudCA is failing with the error below.

no_proxy=localhost,127.0.0.1 LD_LIBRARY_PATH="." ./cmpClient update -section CloudCA -path /.well-known/cmp -reqexts empty -subject /CN=CloudCA-Integration-Test-User
cmpClient:main():src/cmpClient.c:2520: INFO: Using section(s) 'CloudCA,update' of CMP configuration file 'config/demo.cnf'
cmpClient:check_options():src/cmpClient.c:1578: INFO: Given -subject '/CN=CloudCA-Integration-Test-User' overrides the subject of 'creds/operational.crt' for 'kur'
cmpClient:setup_TLS():src/cmpClient.c:571: WARNING: -tls_used given without -tls_key; cannot authenticate to the TLS server
cmpClient:CMPclient_setup_HTTP():src/genericCMPClient.c:505: INFO: will contact https://broker.sdo-qa.siemens.cloud:443/.well-known/cmp
cmpClient:send_receive_check():crypto/cmp/cmp_client.c:183: INFO: sending KUR
cmpClient:send_receive_check():crypto/cmp/cmp_client.c:203: INFO: received ERROR
cmpClient:unprotected_exception():crypto/cmp/cmp_client.c:83: WARNING: ignoring missing protection of error response
cmpClient:CMPclient():src/cmpClient.c:2365: ERROR: received from broker.sdo-qa.siemens.cloud:443 PKIStatus: rejection; PKIFailureInfo: badRequest; StatusString: "Could not verify the RA, signature verification on NestedMessageContent failed."
cmpClient:CMPclient():src/cmpClient.c:2381: ERROR: Failed to perform CMP transaction
cmpClient:send_receive_check():crypto/cmp/cmp_client.c:229: ERROR: received error:PKIStatus: rejection; PKIFailureInfo: badRequest; StatusString: "Could not verify the RA, signature verification on NestedMessageContent failed."
cmpClient:CMPclient():src/cmpClient.c:2424: ERROR: CMPclient error 180: received error
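Added example (not part of the issue or of the gencmpclient project): a small triage helper that parses cmpClient log output of the shape shown above (`prog:function():file:line: LEVEL: message`) and pulls out the request type, the PKIStatus/PKIFailureInfo/StatusString carried in the error response, the final CMPclient error code, and whether the error came back unprotected. The log format is assumed from the lines quoted in this issue; the sample input is copied from the report above.

```python
import re
from typing import Optional

# Assumed cmpClient log line layout, taken from the lines quoted in this issue:
#   prog:function():file:line: LEVEL: message
LINE_RE = re.compile(
    r"^(?P<prog>[^:]+):(?P<func>\w+)\(\):(?P<file>[^:]+):(?P<lineno>\d+): "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
# Error details as printed by cmpClient when the server answers with an error body
STATUS_RE = re.compile(
    r'PKIStatus: (?P<status>\w+); PKIFailureInfo: (?P<failinfo>\w+); '
    r'StatusString: "(?P<text>[^"]*)"'
)
CODE_RE = re.compile(r"CMPclient error (?P<code>\d+)")
SENDING_RE = re.compile(r"^sending (?P<req>\w+)")

# Sample input copied from the issue report above (the first line is the shell command,
# which is not a log line and is skipped by the parser).
SAMPLE_LOG = """\
no_proxy=localhost,127.0.0.1 LD_LIBRARY_PATH="." ./cmpClient update -section CloudCA -path /.well-known/cmp -reqexts empty -subject /CN=CloudCA-Integration-Test-User
cmpClient:main():src/cmpClient.c:2520: INFO: Using section(s) 'CloudCA,update' of CMP configuration file 'config/demo.cnf'
cmpClient:check_options():src/cmpClient.c:1578: INFO: Given -subject '/CN=CloudCA-Integration-Test-User' overrides the subject of 'creds/operational.crt' for 'kur'
cmpClient:setup_TLS():src/cmpClient.c:571: WARNING: -tls_used given without -tls_key; cannot authenticate to the TLS server
cmpClient:CMPclient_setup_HTTP():src/genericCMPClient.c:505: INFO: will contact https://broker.sdo-qa.siemens.cloud:443/.well-known/cmp
cmpClient:send_receive_check():crypto/cmp/cmp_client.c:183: INFO: sending KUR
cmpClient:send_receive_check():crypto/cmp/cmp_client.c:203: INFO: received ERROR
cmpClient:unprotected_exception():crypto/cmp/cmp_client.c:83: WARNING: ignoring missing protection of error response
cmpClient:CMPclient():src/cmpClient.c:2365: ERROR: received from broker.sdo-qa.siemens.cloud:443 PKIStatus: rejection; PKIFailureInfo: badRequest; StatusString: "Could not verify the RA, signature verification on NestedMessageContent failed."
cmpClient:CMPclient():src/cmpClient.c:2381: ERROR: Failed to perform CMP transaction
cmpClient:send_receive_check():crypto/cmp/cmp_client.c:229: ERROR: received error:PKIStatus: rejection; PKIFailureInfo: badRequest; StatusString: "Could not verify the RA, signature verification on NestedMessageContent failed."
cmpClient:CMPclient():src/cmpClient.c:2424: ERROR: CMPclient error 180: received error
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one cmpClient log line into its fields; None if the line is not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["lineno"] = int(rec["lineno"])
    return rec


def summarize(log: str) -> dict:
    """Reduce a cmpClient transcript to the facts needed to triage a failed transaction."""
    summary = {
        "counts": {},            # number of lines per log level
        "request_type": None,    # e.g. KUR, IR, CR (from "sending <type>")
        "pki_status": None,      # PKIStatus reported by the server
        "failure_info": None,    # PKIFailureInfo reported by the server
        "status_string": None,   # free-text StatusString from the server
        "error_code": None,      # final numeric CMPclient error code
        "unprotected_error": False,  # server error response carried no protection
    }
    for raw in log.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        level, msg = rec["level"], rec["msg"]
        summary["counts"][level] = summary["counts"].get(level, 0) + 1
        if (m := SENDING_RE.match(msg)) and summary["request_type"] is None:
            summary["request_type"] = m.group("req")
        if (m := STATUS_RE.search(msg)) and summary["pki_status"] is None:
            summary["pki_status"] = m.group("status")
            summary["failure_info"] = m.group("failinfo")
            summary["status_string"] = m.group("text")
        if m := CODE_RE.search(msg):
            summary["error_code"] = int(m.group("code"))
        if "ignoring missing protection" in msg:
            summary["unprotected_error"] = True
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The `unprotected_error` flag is worth surfacing on its own: the client accepted an error response whose protection was missing, so the rejection text is informative for debugging but is not authenticated by the server.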
DDvO commented 2 months ago

This is likely due to a wrong configuration of how to check the protection of the KUR message, likely on the RA side, but possibly the client side will also need to be adapted.

DDvO commented 2 months ago

I suppose we will have to wait for @RufusJWB on that.

RufusJWB commented 2 months ago

> I suppose we will have to wait for @RufusJWB on that.

I'm back and will work on this in the next days

RufusJWB commented 2 months ago

> I suppose we will have to wait for @RufusJWB on that.
>
> I'm back and will work on this in the next days

Works again