
Re: CMP and SCEP problem

by Tomas Gustavsson-3


Hi Juraj,

EJBCA does support MD5 for SCEP message protection. It's the default
since it's the default in the standard. We try to be nice though and
will use whatever digest algorithm the request message uses. That's for
message protection...
For the issued certificates we also allow (reluctantly, since EJBCA
3.4.2) MD5WithRSA. SHA1 is usually supported though and is
interoperable with all routers we have tested, such as Juniper and
Cisco; they support certificates issued using SHA1WithRSA.

Did you check my test code if you do anything different when creating
the SCEP session (I did not compare it to your code myself)?

Peter: If you are interested I'll try to save you some work.
I'll try to attach the DER-coded CMP messages I decoded from the log file
(foo1.der is the init request and foo the confirm).

Cheers,
Tomas


Juraj Michalak wrote:

> Peter Gutmann wrote:
>>> error: cryptSetAttribute(CRYPT_SESSINFO_ACTIVE) = -15 (what is
>>> CRYPT_ERROR_FAILED)
>>>
>>> session/scep_cli.c:168 "Couldn't create SCEP request signing attributes"
>>
>> Hmm, it looks like you used SHA-256 here as well. SCEP had an even worse
>> problem in that it hardcoded MD5 as the only allowed algorithm. There is a
>> way to kludge in other algorithms (by sending an HTTP request containing an
>> argument other than a standard SCEP request, which is supposed to return a
>> text page containing information about what new algorithms are supported),
>> but the last time I tried it, it wasn't supported very well (there are lots
>> of old, minimal SCEP implementations built into routers and the like) and
>> led to strange failures if you use it. In general it seems safe to assume
>> SHA-1 (which is what cryptlib does), but trying to push it beyond that is
>> kind of risky.
>>
>> Peter.
>>
> After learning that CMP has a problem with SHA256, I have also tried to
> use SHA-1 with SCEP, but there is no difference. It's still the -15
> error with "Couldn't create SCEP request signing attributes". My SCEP CA
> certificate and SCEP source code are available here:
> http://student.fiit.stuba.sk/~michalak04/zdielane/scepca.der
> http://student.fiit.stuba.sk/~michalak04/zdielane/generate_scep.c
>
> It is not possible to try MD5 because EJBCA doesn't allow it.
>
> CMP
> ===
> Is the DER-encoded object from the EJBCA log, or what Tomas provided,
> enough for you?:
>
> MIH8MIHBAgECpCQwIjELMAkGA1UEBhMCU0sxEzARBgNVBAMUCmxhbGFAdGlua3mk
> OzA5MRMwEQYDVQQDDAptdWxob2xsYW5kMRUwEwYDVQQKDAxFSkJDQSBTYW1wbGUx
> CzAJBgNVBAYTAlNLoQ8wDQYJKoZIhvZ9B0INBQCiDAQKbGFsYUB0aW5reaQSBBCc
> 3xJ8jgerIBweDQdHl/UkpRIEELr9RaGdtggdMcq3mt4z4QCmEgQQOkmvuW/uI1mw
> AI92BLRo2bgdMBswGQQUrlaasgqkT51Gg8Oj4PYdf14KmWQCAQCgFwMVAGy5nP+4
> rPtLB+tiNndmywHlsXrd
>
> Juraj.
>
>
> _______________________________________________
> Cryptlib mailing list
> Cryptlib@... via Mail:
> cryptlib-request@...
> Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
> http://news.gmane.org/gmane.comp.encryption.cryptlib
> Posts from non-subscribed addresses are blocked to prevent spam, please
> subscribe in order to post messages.




Attachments: foo.der (348 bytes), foo1.der (1K)
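The algorithm negotiation Peter describes above (an extra HTTP query that returns a text page listing what the CA supports, with SHA-1 or the standard's MD5 as the fallback when the CA does not answer usefully) is the SCEP GetCACaps operation. The following is an added example written for this archive page, not code from cryptlib, EJBCA or anyone in the thread: the keyword format and the query parameters follow RFC 8894 section 3.5.2, the base URL, CA identifier and the two response bodies are constructed for the example, and the default digest is a parameter so both fallbacks mentioned in the thread can be tried.

```python
from urllib.parse import urlencode

# Digest capability keywords from RFC 8894 section 3.5.2, strongest first.
# A client must ignore keywords it does not know, so only these drive the choice.
DIGEST_PREFERENCE = ("SHA-512", "SHA-256", "SHA-1")


def getcacaps_url(base_url, ca_ident=None):
    """Build the GetCACaps query: operation=GetCACaps plus an optional CA identifier."""
    params = {"operation": "GetCACaps"}
    if ca_ident:
        params["message"] = ca_ident
    return base_url + "?" + urlencode(params)


def parse_getcacaps(body):
    """Return the capability keywords from a GetCACaps response body.

    An old implementation that does not know the operation may answer with
    nothing, an error page or HTML; all of those count as 'no capabilities'
    rather than as a parse error, so the caller just falls back to its default.
    """
    if not body:
        return set()
    if body.lstrip().lower().startswith(("<html", "<!doctype")):
        return set()
    caps = set()
    for line in body.splitlines():
        token = line.strip()
        # Keywords are single case-sensitive tokens, one per line.
        if token and " " not in token and "<" not in token:
            caps.add(token)
    return caps


def choose_scep_digest(caps, default="SHA-1"):
    """Pick the strongest digest the CA advertises.

    With nothing advertised the client has to assume something: SHA-1 is what
    Peter says cryptlib assumes, MD5 is the original SCEP default that Tomas
    says EJBCA still accepts for message protection.
    """
    for digest in DIGEST_PREFERENCE:
        if digest in caps:
            return digest
    if "SCEPStandard" in caps:  # RFC 8894: SCEPStandard implies SHA-256 support
        return "SHA-256"
    return default


# Constructed sample responses (not captured from EJBCA or any router).
SAMPLE_MODERN = "POSTPKIOperation\nSHA-256\nSHA-1\nAES\nRenewal\n"
SAMPLE_LEGACY = "<html><body>Unknown operation</body></html>"


if __name__ == "__main__":
    # Hypothetical CA URL and identifier, for illustration only.
    print(getcacaps_url("http://ca.example.test/cgi-bin/pkiclient.exe", "scepca"))
    for body in (SAMPLE_MODERN, SAMPLE_LEGACY, None):
        caps = parse_getcacaps(body)
        print(sorted(caps), "->", choose_scep_digest(caps),
              "/ with MD5 default:", choose_scep_digest(caps, default="MD5"))
```

The point of treating an HTML or empty answer as an empty capability set is that a client then behaves exactly as it would against a CA that never implemented GetCACaps, which is the compatible behaviour for the minimal router implementations Peter mentions.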
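Since the thread is about which digest and MAC algorithms the CMP side actually ends up using, it helps to look at the base64 PKIMessage Juraj posted rather than at the log. The following is an added example, not code from cryptlib, EJBCA or anyone in the thread: a minimal DER walker (stdlib only, no ASN.1 library) that reads the PKIHeader and PKIBody of that message and reports the protocol version, the body type, the protectionAlg OID and the sizes of the hash and MAC fields. The PKIBody tag numbers and the PasswordBasedMac OID are taken from RFC 4210; the message bytes are exactly the ones quoted above.

```python
import base64

# The base64 PKIMessage Juraj posted in the thread (the CMP confirm message).
CMP_CONFIRM_B64 = (
    "MIH8MIHBAgECpCQwIjELMAkGA1UEBhMCU0sxEzARBgNVBAMUCmxhbGFAdGlua3mk"
    "OzA5MRMwEQYDVQQDDAptdWxob2xsYW5kMRUwEwYDVQQKDAxFSkJDQSBTYW1wbGUx"
    "CzAJBgNVBAYTAlNLoQ8wDQYJKoZIhvZ9B0INBQCiDAQKbGFsYUB0aW5reaQSBBCc"
    "3xJ8jgerIBweDQdHl/UkpRIEELr9RaGdtggdMcq3mt4z4QCmEgQQOkmvuW/uI1mw"
    "AI92BLRo2bgdMBswGQQUrlaasgqkT51Gg8Oj4PYdf14KmWQCAQCgFwMVAGy5nP+4"
    "rPtLB+tiNndmywHlsXrd"
)

# PKIBody CHOICE tags from RFC 4210 section 5.1.2 (only the common ones).
PKIBODY_TAGS = {0: "ir", 1: "ip", 2: "cr", 3: "cp", 7: "kur", 8: "kup",
                19: "pkiconf", 23: "error", 24: "certConf"}
KNOWN_OIDS = {"1.2.840.113533.7.66.13": "id-PasswordBasedMac"}


def read_tlv(buf, pos):
    """Parse one DER element at buf[pos].
    Returns (tag_class, constructed, tag_number, contents, position_after)."""
    tag = buf[pos]
    number = tag & 0x1F
    if number == 0x1F:
        raise ValueError("high tag numbers are not needed for CMP headers")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: 0x8n followed by n length octets
        n = length & 0x7F
        if n == 0 or n > 2:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag >> 6, bool(tag & 0x20), number, buf[pos:end], end


def children(contents):
    """List the elements directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(contents):
        cls, cons, num, val, pos = read_tlv(contents, pos)
        out.append((cls, cons, num, val))
    return out


def decode_oid(raw):
    """Turn OID contents octets into dotted notation."""
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)  # the first two arcs are packed as 40*x + y
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


def summarize_pkimessage(der):
    """Extract the algorithm-relevant facts from a CMP PKIMessage."""
    _, _, _, msg, _ = read_tlv(der, 0)
    parts = children(msg)  # header, body, then optional [0] protection, [1] extraCerts
    header = children(parts[0][3])
    info = {"pvno": int.from_bytes(header[0][3], "big")}
    _, _, body_tag, body_val = parts[1]
    info["body"] = PKIBODY_TAGS.get(body_tag, "[%d]" % body_tag)
    # Optional header fields are context-tagged; protectionAlg is [1] EXPLICIT AlgorithmIdentifier.
    for cls, _, num, val in header[3:]:
        if cls == 2 and num == 1:
            alg = children(children(val)[0][3])
            oid = decode_oid(alg[0][3])
            info["protectionAlg"] = KNOWN_OIDS.get(oid, oid)
            info["protectionAlgParams"] = "NULL" if len(alg) > 1 and alg[1][2] == 5 else "present"
    if len(parts) > 2 and parts[2][0] == 2 and parts[2][2] == 0:
        bits = children(parts[2][3])[0][3]  # BIT STRING: first octet is the unused-bit count
        info["protectionBytes"] = len(bits) - 1
    if body_tag == 24:  # CertConfirmContent ::= SEQUENCE OF CertStatus
        first_status = children(children(body_val)[0][3])[0][3]
        fields = children(first_status)
        info["certHashBytes"] = len(fields[0][3])
        info["certReqId"] = int.from_bytes(fields[1][3], "big")
    return info


def decode_posted_confirm():
    return summarize_pkimessage(base64.b64decode(CMP_CONFIRM_B64))


if __name__ == "__main__":
    for key, value in decode_posted_confirm().items():
        print("%-20s %s" % (key, value))
```

Run against the posted bytes this reports pvno 2 (cmp2000), a certConf body with certReqId 0, PasswordBasedMac protection, a 20-byte certHash and a 20-byte MAC. Both 20-byte lengths are consistent with SHA-1 rather than SHA-256, and the AlgorithmIdentifier carries a NULL parameter instead of the PBMParameter (salt, owf, iterationCount, mac) that RFC 4210 defines for this OID, so the message itself does not say which one-way function and MAC were used; the peer has to know them from the earlier exchange.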
