
Re: CMP authentication

by Peter Gutmann

Juraj Michalak <juraj.michalak@...> writes:

>I created CMP session (CRYPT_REQUESTTYPE_INITIALIZATION) to obtain
>certificate from CA. In my project I have used EJBCA (http://www.ejbca.org)
>as CA. I have created end user with password in EJBCA. I have set that user
>and password on my cryptlib CMP session and activated it... -> error ...
>
>In EJBCA logs I can see that there is problem with user authentication. EJBCA
>is expecting authentication via regToken attribute in
>CRMF->CertRequest->Controls (it is only supported auth. by EJBCA).

How does it authenticate the CMP exchange then?  It needs either a MAC or a
signature, and you can't sign at that point because you don't have a
certificate.  The regToken isn't meant to be used for this, AFAIK it was some
Entrust thing based on their one-time password tokens that no-one else ever
used (or even knew what to do with, for that matter).

>What can I do? I'm so far with my project. Till now I have used only
>those dummy self signed certificates (CRYPT_CERTINFO_XYZZY) or imported
>certificates.

If EJBCA doesn't implement CMP properly then you'd have to use a proper
implementation on the CA side.

(A caveat about CMP: the protocol is such a mess that it's more or less just
blind luck to find two independent implementations that interoperate.  See the
bit about halfway through "Plug-and-play PKI: A PKI your mother can use"
linked off my home page for just a small taste of some of the problems).

Peter.

_______________________________________________
Cryptlib mailing list
Cryptlib@... via Mail: cryptlib-request@...
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.
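The shared-secret MAC that Peter says a CMP initialization request needs (no certificate yet, so no signature) is PasswordBasedMac from RFC 4210 section 5.1.3.1. The following is an added illustration for this thread, not code from the post, from cryptlib or from EJBCA: the end entity derives a key from the enrolment password and a salt, MACs the protectedPart (PKIHeader plus PKIBody), and the CA recomputes it from the same secret. The password, salt, iteration count and the "protectedPart" byte string are constructed stand-ins, not a real DER encoding.

```python
"""PasswordBasedMac (RFC 4210, section 5.1.3.1) protection of a CMP message.

Added illustration for this thread; it is not code from cryptlib, EJBCA or the
original post.  The "protectedPart" below is a constructed stand-in for the
DER-encoded PKIHeader || PKIBody, not a real encoding.
"""
import hashlib
import hmac

# Algorithms named in RFC 4210 for PBMParameter: owf = SHA-1, mac = HMAC-SHA1.
PBM_OWF = "sha1"
PBM_MAC = "sha1"
# RFC 4210 requires iterationCount to be at least 100.
PBM_MIN_ITERATIONS = 100


def pbm_basekey(shared_secret: bytes, salt: bytes, iteration_count: int) -> bytes:
    """Derive BASEKEY as RFC 4210 describes.

    The salt is appended to the shared secret, the OWF is applied to that,
    and the OWF is then re-applied to the previous output until it has run
    iteration_count times in total.
    """
    if iteration_count < PBM_MIN_ITERATIONS:
        raise ValueError(f"iterationCount must be >= {PBM_MIN_ITERATIONS}")
    digest = hashlib.new(PBM_OWF, shared_secret + salt).digest()
    for _ in range(iteration_count - 1):
        digest = hashlib.new(PBM_OWF, digest).digest()
    return digest


def pbm_protect(protected_part: bytes, shared_secret: bytes, salt: bytes,
                iteration_count: int) -> bytes:
    """Sender side: the PKIProtection value is HMAC(BASEKEY, protectedPart)."""
    key = pbm_basekey(shared_secret, salt, iteration_count)
    return hmac.new(key, protected_part, PBM_MAC).digest()


def pbm_verify(protected_part: bytes, protection: bytes, shared_secret: bytes,
               salt: bytes, iteration_count: int) -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    expected = pbm_protect(protected_part, shared_secret, salt, iteration_count)
    return hmac.compare_digest(expected, protection)


def demo() -> dict:
    """Walk through the exchange: the EE protects an ir, the CA verifies it.

    All values are constructed for the example.  A real sender draws a fresh
    random salt per message; a fixed one is used here so results are stable.
    """
    shared_secret = b"enrolment-password-from-the-RA"   # constructed
    salt = bytes(range(16))                             # constructed, fixed
    iterations = 1000
    protected_part = b"DER(PKIHeader) || DER(PKIBody ir) -- constructed stand-in"

    protection = pbm_protect(protected_part, shared_secret, salt, iterations)

    return {
        "mac_len": len(protection),
        "accepts_correct_secret": pbm_verify(protected_part, protection,
                                             shared_secret, salt, iterations),
        "rejects_wrong_secret": pbm_verify(protected_part, protection,
                                           b"some-other-password", salt, iterations),
        "rejects_tampered_body": pbm_verify(protected_part + b"x", protection,
                                            shared_secret, salt, iterations),
        "rejects_wrong_salt": pbm_verify(protected_part, protection,
                                         shared_secret, salt[::-1], iterations),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt, owf, iterationCount and mac travel to the CA inside the PKIHeader's protectionAlg as the PBMParameter, so the CA only needs the shared secret itself, looked up by the sender's key identifier. Note what this does that a regToken control cannot: the MAC binds the whole header and body, so a wrong password, a changed body or a changed salt all fail verification, whereas a regToken is just a value carried inside the CertRequest and protects nothing around it.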
