Hi Tomas and Peter,
Yes I have "cmp.responseprotection=pbe". My whole EJBCA config is:
http://student.fiit.stuba.sk/~michalak04/zdielane/ejbca_conf.zip
All files mentioned below are at:
http://student.fiit.stuba.sk/~michalak04/zdielane/problem2.zip
CMP
===
I'm so sorry and I want to apologize. I've made a big mistake - I
missed CRYPT_ATTRIBUTE_INT_ERRORMESSAGE in the cryptlib manual. So now:
My CMP error with extended error info is:
error: crytSetAttribute(CRYPT_SESSINFO_ACTIVE) = -20
INFO: Can't confirm certificate issue using algorithm 205
205 is SHA256 (according to cryptlib.h). So I switched to a new CA in
EJBCA with:
ca.signaturealgorithm=SHA1WithRSA
I was so happy that my problem would be solved, but there is a new problem :-( :
"generate_cmp.c":
error: crytSetAttribute(CRYPT_SESSINFO_ACTIVE) = -41
INFO: HTTP response status: Internal Server Error
On the EJBCA side (the full EJBCA log is in "ejbca_failure.log"):
===============================================
...
12:19:03,259 INFO [Log4jLogDevice] April 11, 2009 12:19:03 PM CEST,
CAId : 1961146099, CA, EVENT_INFO_CHANGEDENDENTITY, Administrator :
RACMDLINE, User : lala@tinky, Certificate : No certificate involved,
Comment : Changed status to STATUS_GENERATED.
12:19:03,275 INFO [CmpServlet] Sent a CMP response to: 192.168.101.1.
12:19:03,285 INFO [CmpServlet] CMP message received from: 192.168.101.1.
12:19:03,292 ERROR [CmpServlet] Error in CmpServlet:
java.lang.IllegalArgumentException: unknown object in factory
at
com.novosec.pkix.asn1.crmf.PBMParameter.getInstance(PBMParameter.java:68)
at
org.ejbca.core.protocol.cmp.CmpPbeVerifyer.verify(CmpPbeVerifyer.java:70)
at
org.ejbca.core.protocol.cmp.ConfirmationMessageHandler.handleMessage(ConfirmationMessageHandler.java:88)
at
org.ejbca.core.protocol.cmp.CmpMessageDispatcher.dispatch(CmpMessageDispatcher.java:139)
at org.ejbca.ui.web.protocol.CmpServlet.service(CmpServlet.java:225)
at org.ejbca.ui.web.protocol.CmpServlet.doPost(CmpServlet.java:186)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at
org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
at
org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at
org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at
org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at
org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
...
===============================================
For now it seems that the error is on the EJBCA side, but:
I also have a tcpdump "cmp_dump.cap" of that communication, and in the last
response (confirm) from my cryptlib client (generate_cmp.c) there is some BER
encoding error - in the PBM. Could that cause the EJBCA failure above?
For Peter
======
Why is SHA256 a problem? Is it bad to provide stronger security (SHA1 also
has some possible weaknesses...)?
When I was implementing my S/MIME enveloping I made a note to ask you:
how do I use SHA384 or SHA512?
In cryptlib.h:
CRYPT_ALGO_SHA2, /* SHA2 (SHA-256/384/512)*/
and your crypt/sha2.c also contains functions for full
SHA-256/384/512 support.
best regards,
Juraj Michalak
_______________________________________________
Cryptlib mailing list
Cryptlib@... via Mail:
cryptlib-request@...
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.
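The message above blames a BER encoding error in the PBM (password-based MAC) part of the confirmation message, and EJBCA's CmpPbeVerifyer fails while parsing PBMParameter. The block below is an added example, written for this page; it is not code from the original post, from cryptlib or from EJBCA. It encodes an RFC 4211 PBMParameter (salt, owf, iterationCount, mac) in DER, parses it back with a strict parser that rejects BER-only forms such as indefinite length, and computes the RFC 4211 section 4.4 MAC (basekey = OWF applied iterationCount times to secret || salt, then HMAC over the protected part). Only SHA-1 / HMAC-SHA1 are implemented, matching the SHA1WithRSA setup in the mail; the secret, salt and protected bytes are constructed sample values, and the OIDs are the ones RFC 4211 uses for these algorithms.

```python
"""DER encode/decode of RFC 4211 PBMParameter plus the PBM computation.

Added illustration, not cryptlib or EJBCA code. Sample secret, salt and
protected-part bytes are constructed for this example.
"""
import hashlib
import hmac

# Object identifiers as used by RFC 4211 section 4.4 (dotted form).
OID_PBM = "1.2.840.113533.7.66.13"      # id-PasswordBasedMac
OID_SHA1 = "1.3.14.3.2.26"              # id-sha1, used as the OWF
OID_HMAC_SHA1 = "1.3.6.1.5.5.8.1.2"     # hMAC-SHA1, used as the MAC


def _der_len(n: int) -> bytes:
    """Definite, minimal length octets (the only form DER allows)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def der_oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def der_int(v: int) -> bytes:
    # Minimal two's-complement encoding; positive values only in this example.
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def encode_pbm_parameter(salt: bytes, iteration_count: int) -> bytes:
    """PBMParameter ::= SEQUENCE { salt, owf, iterationCount, mac }."""
    owf = der_tlv(0x30, der_oid(OID_SHA1) + b"\x05\x00")       # AlgorithmIdentifier, NULL params
    mac = der_tlv(0x30, der_oid(OID_HMAC_SHA1) + b"\x05\x00")
    return der_tlv(0x30, der_tlv(0x04, salt) + owf + der_int(iteration_count) + mac)


def der_read(buf: bytes, pos: int = 0):
    """Read one TLV strictly: rejects indefinite and non-minimal lengths (BER only)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes > 4:
            raise ValueError("bad length octet")
        lb = buf[pos:pos + nbytes]
        pos += nbytes
        if len(lb) != nbytes or lb[0] == 0 or (nbytes == 1 and lb[0] < 0x80):
            raise ValueError("non-minimal length encoding")
        length = int.from_bytes(lb, "big")
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated element")
    return tag, content, pos + length


def decode_oid(content: bytes) -> str:
    parts, v = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))


def decode_pbm_parameter(der: bytes) -> dict:
    tag, seq, end = der_read(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("PBMParameter must be a single SEQUENCE")
    fields, pos = [], 0
    while pos < len(seq):
        t, c, pos = der_read(seq, pos)
        fields.append((t, c))
    if [t for t, _ in fields] != [0x04, 0x30, 0x02, 0x30]:
        raise ValueError("expected salt, owf, iterationCount, mac")
    return {
        "salt": fields[0][1],
        "owf": decode_oid(der_read(fields[1][1])[1]),
        "iterationCount": int.from_bytes(fields[2][1], "big", signed=True),
        "mac": decode_oid(der_read(fields[3][1])[1]),
    }


def is_strict_der_pbm(der: bytes) -> bool:
    try:
        decode_pbm_parameter(der)
        return True
    except (ValueError, IndexError):
        return False


def pbm_key(secret: bytes, salt: bytes, iteration_count: int) -> bytes:
    # RFC 4211 4.4: OWF applied iterationCount times, starting from secret || salt.
    key = secret + salt
    for _ in range(iteration_count):
        key = hashlib.sha1(key).digest()
    return key


def pbm_mac(secret: bytes, params_der: bytes, protected_part: bytes) -> bytes:
    p = decode_pbm_parameter(params_der)
    if p["owf"] != OID_SHA1 or p["mac"] != OID_HMAC_SHA1:
        raise ValueError("only SHA-1 / HMAC-SHA1 implemented in this example")
    return hmac.new(pbm_key(secret, p["salt"], p["iterationCount"]), protected_part, hashlib.sha1).digest()


def pbm_verify(secret: bytes, params_der: bytes, protected_part: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(pbm_mac(secret, params_der, protected_part), mac)


# Constructed sample inputs (not taken from the capture in the mail).
SECRET = b"password"
SALT = bytes(range(16))
PROTECTED = b"constructed DER of the CMP ProtectedPart"
PARAMS = encode_pbm_parameter(SALT, 1000)
# Same content wrapped as a BER indefinite-length SEQUENCE: the strict parser refuses it.
BER_INDEFINITE = b"\x30\x80" + PARAMS[2:] + b"\x00\x00"
```

To apply this to a capture, extract the protectionAlg parameters and the protection bit string from the PKIMessage and feed them in place of PARAMS and the MAC; if decode_pbm_parameter raises on the client's bytes, the encoding, not the secret, is what the server-side parser is choking on.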