CMP and SCEP problem

by Juraj Michalak

Hello,

Thanks for your response (Peter and Tomas).

All files which will be mentioned are available here:
http://student.fiit.stuba.sk/~michalak04/zdielane/problem.zip

CMP
===
So I changed the settings of EJBCA (mulholland CA) to operate in "RA mode",
which means that my cryptlib CMP client will act as the RA. PBM authentication
works then, and it's better for my solution because in "RA mode"
I don't need to have a pre-created end user in EJBCA.
So I have a new "generate_cmp.c". With this, EJBCA successfully created a new
end user and signed his certificate. But when the response is sent from
EJBCA, the cryptlib generate_cmp.c client fails with:

error: crytSetAttribute(CRYPT_SESSINFO_ACTIVE) = -20 (which is
CRYPT_ERROR_NOTAVAIL)

The tcpdump/wireshark dump file of that communication is "br0.cap".

I have tried downloading the signed certificate of the new end user from
the browser and importing it into "cryptlib" via "import_cert.c". It
worked; the certificate was imported successfully.

So a question for Tomas: when you tested cryptlib, did you also check
the return value of cryptSetAttribute( cmp_session,
CRYPT_SESSINFO_ACTIVE, 1 ); ?

So for now I can download all certificates manually and import them
into my cryptlib solution. But it's only a big trade-off.

SCEP
====
So I decided to try SCEP. I have created a new CA (router) in EJBCA with
"Key encipherment" key usage, according to the EJBCA docs. Cryptlib's
client is written in "generate_scep.c". This time there is no
communication because cryptlib encounters an error earlier:

error: crytSetAttribute(CRYPT_SESSINFO_ACTIVE) = -15 (which is
CRYPT_ERROR_FAILED)

I have debugged a little bit and this is my observation (cryptlib's sources):

session/scep_cli.c:168
"Couldn't create SCEP request signing attributes"

END
===
Peter, can you look at "generate_scep.c" created by me and tell me if I have
misused SCEP in some way?

And what about CMP?

best regards

Juraj Michalak



_______________________________________________
Cryptlib mailing list
Cryptlib@... via Mail: cryptlib-request@...
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.