[Pki-users] Best way to bypass challenge password verification

Peter Beal rpb5bnc at gmail.com
Wed Dec 3 19:16:47 UTC 2014 

Hello,

Our group is developing its own RA to be part of a PKI solution that 
includes Dogtag.  Our solution uses EST (RFC 7030) between the the 
clients and the RA, with the EST protocol terminating at the RA. The RA 
then takes the CSRs and sends them on to Dogtag using REST commands.  
This project has been going very well, however we did just hit one issue 
that we were hoping others might be able to provide some guidance on.

The EST protocol defines a feature called Proof Of Possession (PoP) 
where the clients insert the TLS unique ID of the TLS session between it 
and the EST server, in our case our RA. This TLS UID is sent in the 
challenge password attribute field of the CSR so that it can be signed 
by the client.  The EST server is responsible for verifying this TLS 
UID, and once this verification is performed the value in the challenge 
password field no longer has any meaning. Because the CSR cannot be 
resigned at this point, the challenge password cannot be taken out of 
the CSR.  This CSR is passed as is along to Dogtag and we're currently 
finding that Dogtag is checking the CSR and does not like the challenge 
password attribute:

[03/Dec/2014:13:37:59][http-bio-8444-exec-3]: Start parsePKCS10(): 
MIIBdDCB3gIBADAUMRIwEAYDVQQDDAkxMjcuMC4wLjEwgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBAMPNKtwZO82WfR5u/hS+SsVghdS9jD5BQS6Z5ymXrKcr9R4t
DtSeEQ+AtCZ5qVNXcangb00vJgVqgS/7NH4MzSqscgNzZdpx9+mPklvOUuqTuYCv
MFIlMwP/2DJ6TBrmF86vJ1I0GmZAyTSzHg4V4YWaN7r0V7x0RyvFqoBnZU51AgMB
AAGgITAfBgkqhkiG9w0BCQcxEgwQTUR4clVZNmd6TnZqdWRmNzANBgkqhkiG9w0B
AQsFAAOBgQAAKLbWGndYFfa+8IhopufYOEKIOAmcT+Nhr27vFt5I4ymoUwSlKX9L
K+KpLho5Q2GsRoItNXJ6VxRcGe1CPZBW2ef7yPdZaKhFmnxXsYVQaqPY5BGI8kAY
MMMr75WQcpn+XUpu+FNB4F2j8YY314u2rsplCMbOdR4tcrgc8WqucA==

[03/Dec/2014:13:37:59][http-bio-8444-exec-3]: EnrollProfile: 
parsePKCS10: signature verification enabled
[03/Dec/2014:13:37:59][http-bio-8444-exec-3]: EnrollProfile: 
parsePKCS10: use internal token
[03/Dec/2014:13:37:59][http-bio-8444-exec-3]: EnrollProfile: parsePKCS10 
setting thread token
[03/Dec/2014:13:37:59][http-bio-8444-exec-3]: EnrollProfile: parsePKCS10 
java.io.IOException: DerValue.getPrintableString, not a string 12
[03/Dec/2014:13:37:59][http-bio-8444-exec-3]: EnrollProfile: parsePKCS10 
restoring thread token

So we're wondering what the best approach might be to handle this. Is 
there a way to configure Dogtag so that it will ignore the challenge 
password?

Thanks very much,
Pete Beal

More information about the Pki-users mailing list