From Florian.Supper at s-itsolutions.at Wed Oct 4 12:40:06 2017
From: Florian.Supper at s-itsolutions.at (Supper Florian 6342 sIT)
Date: Wed, 4 Oct 2017 14:40:06 +0200
Subject: [Pki-users] WG: Scep enrollment with DES3 failed when using Safenet HSM
In-Reply-To: <85C87A9995875247B2DD471950E0AE4D3146EB7B@M0182.s-mxs.net>
References: <1507010002.25648.96.camel@s-itsolutions.at> <85C87A9995875247B2DD471950E0AE4D3146EB7B@M0182.s-mxs.net>
Message-ID:

Dear dogtag team,

We've been using dogtag CAs (the RHEL packages in the server-rpm repo) together with Safenet HSMs for some years for handling SCEP requests.

We're running into an issue again which we also had in the past: when using the HSM (a requirement here), only SCEP requests using DES for the encryption can be decoded. When DES3 is used, dogtag throws an error with "could not unwrap PKCS10 blob". With no HSM, both algorithms work.

However, the DES3 requests themselves are OK: we can unpack the inner pkcs#7, and decrypt the payload using "cmsutil" (pointed at the nss db of the CA instance) and read the pkcs#10 request within. So the HSM itself has no problem decrypting.

We also encountered this issue in the past with RHEL6 / DogTag 9, and it is still present with RHEL7 / Dogtag 10. At that time, we were able to configure the clients to use DES to avoid the issue, but we can't always dictate which algorithm the clients use, and DES is nevertheless very weak.

It may still be related to the old BZ: https://bugzilla.redhat.com/show_bug.cgi?id=825887 and be an issue with the FIPS-2 mode (which we are using).

It appears to be an issue with Dogtag. If someone has a suggestion or idea, we would appreciate hearing it.

Thanks in advance

BR
Florian

Below you can find all needed parameters and config which we used.
- CA is a subca (but that doesn't matter, because the same issue also occurs on a root CA)
- SCEP enrollment works with DES encryption (HSM attached)
- SCEP enrollment with DES3 works when __NO__ hsm is used
- SCEP requests (DES + 3DES) can be decoded when using cmsutil directly against the HSM library:
  cmsutil -d /var/lib/pki/pkit04/alias -D -i inner_pkcs7_request.p7 -o request_des3.der
- HSM client logs can be provided if needed
- For us it seems to be a problem in dogtag.

#Installed packages
pki-base-java-10.3.3-19.el7_3.noarch
pki-ca-10.3.3-19.el7_3.noarch
pki-base-10.3.3-19.el7_3.noarch
pki-tools-10.3.3-19.el7_3.x86_64
pki-kra-10.3.3-19.el7_3.noarch
pki-symkey-10.3.3-19.el7_3.x86_64
pki-core-debuginfo-10.3.3-19.el7_3.x86_64
pki-server-10.3.3-19.el7_3.noarch
pki-javadoc-10.3.3-19.el7_3.noarch

#OS
Red Hat Enterprise Linux Server release 7.3 (Maipo)

#Java
java-1.8.0-openjdk-1.8.0.131-3.b12.el7_3.x86_64

#SafeNet LunaClient
Version : 5.4.1
Release : 2

#SCEP enrollment profile:
caRouterCert.cfg (default)

#SCEP config in CS.cfg
ca.scep.allowedEncryptionAlgorithms=DES3,DES
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.enable=true
ca.scep.encryptionAlgorithm=DES3
ca.scep.hashAlgorithm=SHA1
ca.scep.nonceSizeLimit=16

#sscep call
./sscep enroll -u http://pkit04.eb.lan.at:8080/ca/cgi-bin/pkiclient.exe -c pkit04-ca.crt -k local.key -r local.csr -l cert.crt -S sha1 -E 3des

#debug log
[03/Oct/2017:07:35:52][http-bio-8080-exec-1]: CRSEnrollment.java:263:init() CRSEnrollment: init: SCEP support is enabled.
[03/Oct/2017:07:35:52][http-bio-8080-exec-1]: CRSEnrollment.java:264:init() CRSEnrollment: init: SCEP nickname: pkit04:caSigningCert cert-pkit04 CA
[03/Oct/2017:07:35:52][http-bio-8080-exec-1]: CRSEnrollment.java:265:init() CRSEnrollment: init: CA nickname: pkit04:caSigningCert cert-pkit04 CA
[03/Oct/2017:07:35:52][http-bio-8080-exec-1]: CRSEnrollment.java:266:init() CRSEnrollment: init: Token name: pkit04
[03/Oct/2017:07:35:52][http-bio-8080-exec-1]: CRSEnrollment.java:267:init() CRSEnrollment: init: Is SCEP using CA keys: true
[03/Oct/2017:07:35:52][http-bio-8080-exec-1]: CRSEnrollment.java:268:init() CRSEnrollment: init: mNonceSizeLimit: 16
[03/Oct/2017:07:35:52][http-bio-8080-exec-1]: CRSEnrollment.java:269:init() CRSEnrollment: init: mHashAlgorithm: SHA1
[03/Oct/2017:07:35:52][http-bio-8080-exec-1]: CRSEnrollment.java:270:init() CRSEnrollment: init: mHashAlgorithmList: SHA1,SHA256,SHA512
[03/Oct/2017:07:35:52][http-bio-8080-exec-1]: CRSEnrollment.java:273:init() CRSEnrollment: init: mAllowedHashAlgorithm[0]=SHA1
[03/Oct/2017:07:35:52][http-bio-8080-exec-1]: CRSEnrollment.java:273:init() CRSEnrollment: init: mAllowedHashAlgorithm[1]=SHA256
[03/Oct/2017:07:35:52][http-bio-8080-exec-1]: CRSEnrollment.java:273:init() CRSEnrollment: init: mAllowedHashAlgorithm[2]=SHA512
[03/Oct/2017:07:35:52][http-bio-8080-exec-1]: CRSEnrollment.java:275:init() CRSEnrollment: init: mEncryptionAlgorithm: DES3
[03/Oct/2017:07:35:52][http-bio-8080-exec-1]: CRSEnrollment.java:276:init() CRSEnrollment: init: mEncryptionAlgorithmList: DES3,DES
[03/Oct/2017:07:35:52][http-bio-8080-exec-1]: CRSEnrollment.java:279:init() CRSEnrollment: init: mAllowedEncryptionAlgorithm[0]=DES3
[03/Oct/2017:07:35:52][http-bio-8080-exec-1]: CRSEnrollment.java:279:init() CRSEnrollment: init: mAllowedEncryptionAlgorithm[1]=DES
[03/Oct/2017:07:35:52][http-bio-8080-exec-1]: CRSEnrollment.java:285:init() CRSEnrollment: init: mProfileId=caRouterCert
[03/Oct/2017:07:35:52][http-bio-8080-exec-1]: CRSEnrollment.java:349:service() operation=PKIOperation
[03/Oct/2017:07:35:52][http-bio-8080-exec-1]: CRSEnrollment.java:351:service() message=MIIKywYJKoZIhvcNAQcCoIIKvDCCCrgCAQExCzAJBgUrDgMCGgUAMIIFnwYJKoZI -...snip.. t3fqG6FkBAh3L1saONZJ0pfzOnnY5CZ4aJuf5ql3XA==
[03/Oct/2017:07:35:53][http-bio-8080-exec-1]: CRSEnrollment.java:920:handlePKIOperation() Processing PKCSReq
[03/Oct/2017:07:35:53][http-bio-8080-exec-1]: LdapBoundConnFactory.java:324:getConn() In LdapBoundConnFactory::getConn()
[03/Oct/2017:07:35:53][http-bio-8080-exec-1]: LdapBoundConnFactory.java:326:getConn() masterConn is connected: true
[03/Oct/2017:07:35:53][http-bio-8080-exec-1]: LdapBoundConnFactory.java:368:getConn() getConn: conn is connected true
[03/Oct/2017:07:35:53][http-bio-8080-exec-1]: LdapBoundConnFactory.java:398:getConn() getConn: mNumConns now 5
[03/Oct/2017:07:35:53][http-bio-8080-exec-1]: LdapBoundConnFactory.java:444:returnConn() returnConn: mNumConns now 6
[03/Oct/2017:07:35:53][http-bio-8080-exec-1]: CRSEnrollment.java:1164:unwrapPKCS10() failed to unwrap PKCS10 org.mozilla.jss.crypto.SymmetricKey$NotExtractableException
[03/Oct/2017:07:35:53][http-bio-8080-exec-1]: CRSEnrollment.java:385:service() ServletException javax.servlet.ServletException: Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: null

#Error in localhost_access log
10.10.10.10 - - [02/Oct/2017:11:09:27 +0200] "GET /ca/cgi-bin/pkiclient.exe?operation=PKIOperation&message=MIIKzgYJKoZIhvcNAQcCoIIKvz...snip.. HTTP/1.0" 500 3071

#Error in localhost log
SEVERE: Servlet.service() for servlet [caSCEP] in context with path [/ca] threw exception [Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: null] with root cause
javax.servlet.ServletException: Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: null
    at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:386)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

From cfu at redhat.com Wed Oct 4 18:24:51 2017
From: cfu at redhat.com (Christina Fu)
Date: Wed, 4 Oct 2017 11:24:51 -0700
Subject: [Pki-users] WG: Scep enrollment with DES3 failed when using Safenet HSM
In-Reply-To:
References: <1507010002.25648.96.camel@s-itsolutions.at> <85C87A9995875247B2DD471950E0AE4D3146EB7B@M0182.s-mxs.net>
Message-ID: <37d881ed-e032-6425-453b-b88de236025d@redhat.com>

Florian,

I don't have a whole lot of time at this point, but I could offer a little info from my experience with LunaSA in case of private key unwrapping (your case seems to be sym key unwrapping though).

For LunaSA private key unwrapping the isSensitive flag needs to be false and isExtractable needs to be true, and the key needs to be "temporary".

In CRSEnrollment.java where it fails to decrypt the PKCS10 blob, kw.unwrapSymmetric() is being called to decrypt the symmetric key and failed. My guess is that the usage or flags (internally CK_FLAGS) might need to be manipulated similar to what I've done with private key unwrapping in JSS PK11KeyWrapper.c:Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapPrivWithSym() (search for "isLunasa"). Of course without spending actual time investigating, this is just one guess.

Another guess is that in the following call, "keylength" needs to be specified (given the symptom you reported, this might be a likely case):

    sk = kw.unwrapSymmetric(req.getWrappedKey(), skt, SymmetricKey.Usage.DECRYPT, 0); // keylength is ignored

If you are a customer, feel free to escalate the BZ.
And if you are not, you could try to vote in on https://pagure.io/dogtagpki/issue/442.

regards,
Christina
From richard.harmonson at gmail.com Tue Oct 17 21:21:41 2017
From: richard.harmonson at gmail.com (Richard Harmonson)
Date: Tue, 17 Oct 2017 14:21:41 -0700
Subject: [Pki-users] Assistance with creating and submitting a Windows LDAPS Certificate; PKI 10.3.3
Message-ID:

I created a certificate request using certreq.exe and the prerequisite request.info on a Windows Server 2012R2 DC--references and details given below.

However, I receive the error "Sorry, your request is not submitted. The reason is "Invalid Request." when attempting to submit "Manual Server Certificate Enrollment" it to my Root CA.

Am I using the wrong template profile? Is there a template that supports OID=1.3.6.1.5.5.7.3.1?

Currently using PKI/Dogtag 10.3, but I did update to 10.4, briefly, then recovered from snap/backup to 10.3, for the error persisted with 10.4.

These are my primary references:

https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority

https://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx#BKMK_Certreq

Created the CSR by executing "certreq -new request.inf request.csr"

The request.inf follows:

========================================
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=ad.winauth.mydomain.net"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[Extensions]
2.5.29.17 = "dns=ad.winauth.mydomain.net&"
_continue_ = "dn=CN=AD,OU=Domain Controllers,DC=winauth,DC=mydomain,DC=net&"
_continue_ = "ipaddress=192.168.1.1&"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
========================================

From ftweedal at redhat.com Wed Oct 18 00:03:26 2017
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 18 Oct 2017 10:03:26 +1000
Subject: [Pki-users] Assistance with creating and submitting a Windows LDAPS Certificate; PKI 10.3.3
In-Reply-To:
References:
Message-ID: <20171018000326.GG4923@T470s>

On Tue, Oct 17, 2017 at 02:21:41PM -0700, Richard Harmonson wrote:
> I created a certificate request using certreq.exe and the prerequisite
> request.info on a Windows Server 2012R2 DC--references and details given
> below.
>
> However, I receive the error "Sorry, your request is not submitted. The
> reason is "Invalid Request." when attempting to submit "Manual Server
> Certificate Enrollment" it to my Root CA.
>
> Am I using the wrong template profile? Is there a template that supports
> OID=1.3.6.1.5.5.7.3.1?
>
Yes, this OID is configured in the server certificate profile. You don't need to include it in the CSR (but it doesn't hurt).

There is something about the request that Dogtag does not like.
Could you attach the CSR itself and/or the relevant portion of the /var/log/pki/pki-tomcat/ca/debug log file?

Thanks,
Fraser

From richard.harmonson at gmail.com Wed Oct 18 02:08:15 2017
From: richard.harmonson at gmail.com (Richard Harmonson)
Date: Tue, 17 Oct 2017 19:08:15 -0700
Subject: [Pki-users] Assistance with creating and submitting a Windows LDAPS Certificate; PKI 10.3.3
In-Reply-To: <20171018000326.GG4923@T470s>
References: <20171018000326.GG4923@T470s>
Message-ID:

On Tue, Oct 17, 2017 at 5:03 PM, Fraser Tweedale wrote:
> On Tue, Oct 17, 2017 at 02:21:41PM -0700, Richard Harmonson wrote:
> > I created a certificate request using certreq.exe and the prerequisite
> > request.info on a Windows Server 2012R2 DC--references and details given
> > below.
> >
> > However, I receive the error "Sorry, your request is not submitted. The
> > reason is "Invalid Request." when attempting to submit "Manual Server
> > Certificate Enrollment" it to my Root CA.
> >
> > Am I using the wrong template profile? Is there a template that supports
> > OID=1.3.6.1.5.5.7.3.1?
> >
> Yes, this OID is configured in the server certificate profile. You
> don't need to include it in the CSR (but it doesn't hurt).
>
> There is something about the request that Dogtag does not like.
> Could you attach the CSR itself and/or the relevant portion of the
> /var/log/pki/pki-tomcat/ca/debug log file?
>
> Thanks,
> Fraser
>
> > Currently using PKI/Dogtag 10.3, but I did update to 10.4, briefly, then
> > recovered from snap/backup to 10.3 for the error persisted with 10.4.
> >
> > These are my primary references:
> >
> > https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority
> >
> > https://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx#BKMK_Certreq
> >
> > Created the CSR by executing "certreq -new request.inf request.csr"
> >
> > The request.inf follows:
> >
> > ========================================
> > [Version]
> > Signature="$Windows NT$"
> >
> > [NewRequest]
> > Subject = "CN=ad.winauth.mydomain.net"
> > KeySpec = 1
> > KeyLength = 2048
> > Exportable = TRUE
> > MachineKeySet = TRUE
> > SMIME = False
> > PrivateKeyArchive = FALSE
> > UserProtected = FALSE
> > UseExistingKeySet = FALSE
> > ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
> > ProviderType = 12
> > RequestType = PKCS10
> > KeyUsage = 0xa0
> >
> > [Extensions]
> > 2.5.29.17 = "dns=ad.winauth.mydomain.net&"
> > _continue_ = "dn=CN=AD,OU=Domain Controllers,DC=winauth,DC=mydomain,DC=net&"
> > _continue_ = "ipaddress=192.168.1.1&"
> >

I reviewed the suggested log, thank you, which clearly showed DogTag complaining about something being provided in the CSR. I couldn't interpret exactly what the problem was, but I removed the one thing I had never done before, the [Extensions] stanza with the SAN.

I successfully submitted!

What is the correct method to provide a "Subject Alternative Name" in a CSR to DogTag? Or am I going about this all wrong? I was intending to provide FQDN, IP address, and DN in the SAN.

Thank you,

Richard
From richard.harmonson at gmail.com Wed Oct 18 14:41:12 2017
From: richard.harmonson at gmail.com (Richard Harmonson)
Date: Wed, 18 Oct 2017 07:41:12 -0700
Subject: [Pki-users] Assistance with creating and submitting a Windows LDAPS Certificate; PKI 10.3.3
In-Reply-To:
References: <20171018000326.GG4923@T470s>
Message-ID:

>> > [Extensions]
>> > 2.5.29.17 = "dns=ad.winauth.mydomain.net&"
>> > _continue_ = "dn=CN=AD,OU=Domain Controllers,DC=winauth,DC=mydomain,DC=net&"
>> > _continue_ = "ipaddress=192.168.1.1&"
>> >

I got it! Essentially, I didn't follow the instructions. Note the missing "{text}" above! I thought the author was giving an example so excluded it. After a night's sleep, I checked my erroneous assumption.

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=ad.winauth.mydomain.net&"
_continue_ = "dn=CN=AD,OU=Domain Controllers,DC=winauth,DC=maydomain,DC=net&"
_continue_ = "ipaddress=192.168.1.1&"

Thank you for your help Fraser.

> I reviewed the suggested log, thank you, which clearly showed DogTag
> complaining about something being provided in the CSR. I couldn't interpret
> exactly what was the problem but I removed the one thing I had never done
> before, the [Extensions] stanza with the SAN.
>
> I successfully submitted!
>
> What is the correct method to provide a 'Subject Alternative Name' in a
> CSR to DogTag? Or am I going about this all wrong? I was intending to
> provide FQDN, IP address, and DN in the SAN.
>
> Thank you,
>
> Richard

From Florian.Supper at s-itsolutions.at Wed Oct 18 19:09:08 2017
From: Florian.Supper at s-itsolutions.at (Supper Florian 6342 sIT)
Date: Wed, 18 Oct 2017 21:09:08 +0200
Subject: [Pki-users] Mac OS SCEP request failure: "Could not decode therequest"
In-Reply-To:
References:
Message-ID:

Hi Ryan,

we have several problems with SCEP and Mac devices. Here are my experiences.
1) iOS + MacOS -> request the pkiclient.exe?operation=GetCACaps (can be found in the tomcat access log). This request ends up in a "500 Server Error". After this error, the iOS devices stop requesting. We had to implement that method in the CRSEnrollment.java file to fix that issue.

2) Could not decode request... Decode failed because of a bug with DES3 in combination with HSM.

3) iOS11 Beta - could not decode request. Bug in the iOS SCEP implementation - in the inner PKCS request data there are multiple objects included which cannot be decoded.

iOS11 & Mac devices -> I have to test those devices in the next week. I can share my information about the tests at the end of next week.

BR Florian

-----Original Message-----
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On behalf of Ryan Trinder
Sent: Thursday, 31 August 2017 16:37
To: pki-users at redhat.com
Subject: [Pki-users] Mac OS SCEP request failure: "Could not decode therequest" [phishing][bayes][heur][dkim][html-removed]

Hello PKI users!

I am looking to use Dogtag for my org as the full PKI solution. Initially, I'll be using it for certificate issuance for an EAP-TLS rollout. In the beginning, to get certificates issued throughout the org, I would like to utilize the SCEP server across multiple devices including Mac OS, iOS, Linux, Windows, Chromebooks.

So far, I have tested with the *sscep* utility on linux and with Mac OS through the mobileconfig xml configuration. Using *sscep* works great on linux, however any testing from Mac OS resides in a 500 from the server declaring that the request could not be decoded. I initially thought the requests were using the wrong CA, however intentionally using a wrong CA with the *sscep* utility shows a completely different response in the logs.
Here is an excerpt from the *ca/debug* log for a failed request:

==> ca/debug <==
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: operation=GetCACert
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: message=CAIdentifier
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: handleGetCACert message=CAIdentifier
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: handleGetCACert selected chain=0
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: Output certificate chain:
30 82 03 a9 30 82 02 91 a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 44 31 21 30 1f 06 03 55 04 0a 0c 18 77 61 72 62 79 2e 69 6f 20 53 65 63 75 72 69 74 79 20 44 6f 6d 61 69 6e 31 1f 30 1d 06 03 55 04 03 0c 16 43 41 20 53 69 67 6e 69 6e 67 20 43 65 72 74 69 66 69 63 61 74 65 30 1e 17 0d 31 37 30 38 32 39 31 35 32 38 30 36 5a 17 0d 33 37 30 38 32 39 31 35 32 38 30 36 5a 30 44 31 21 30 1f 06 03 55 04 0a 0c 18 77 61 72 62 79 2e 69 6f 20 53 65 63 75 72 69 74 79 20 44 6f 6d 61 69 6e 31 1f 30 1d 06 03 55 04 03 0c 16 43 41 20 53 69 67 6e 69 6e 67 20 43 65 72 74 69 66 69 63 61 74 65 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 a6 07 b9 27 e5 fd a9 47 e6 d9 f3 01 6f 28 62 9b 4d 9c 8c 21 40 bf 4e 0c 99 ca c7 9d e7 88 ae c9 30 13 f9 1c 34 b4 6e 9d 0b 7a 78 d5 0c ae 10 be 4a cd 1d 33 d1 3d e7 c2 a9 22 ee d0 03 35 b9 8d c8 c8 17 4d 6a 4d 79 65 5b 7a 5b 82 7c d1 51 d5 45 be 7c d9 a7 70 98 fe 80 55 a7 5e 98 2b 7f a3 f3 02 67 9c 43 97 7d 8f fa dc 37 83 bc 6a 08 fc 70 7b f4 c9 bd 8c 41 e8 bd 4a ee 75 1e aa 45 41 2f 10 87 57 08 e8 16 e3 b2 4c 1f 43 58 d9 ad 52 8b 4f fe 72 4f 87 87 08 de 37 a1 c2 6e 9a e4 a8 49 a6 74 46 0b 3b 68 1d 06 f5 ed 09 6a dd 9a 49 6a b5 92 3a e6 24 26 25 73 ac ff 8b 72 46 e6 1a 0e dd 0b 41 d3 5d 09 df 55 b5 46 99 73 9f 6c 0f de 91 4f fc 58 3e dd 11 2d 76 73 e2 fa 1a ed b7 cd b3 17 66 7a 0e c3 3d be b1 f2 b5 61 47 f3 32 68 00 c1 2f 92 86 b5 0d 4c e2 c6 b0 57 35 42 2b 02 03 01 00 01 a3 81 a5 30 81 a2 30 1f 06 03 55 1d 23 04 18 30 16 80 14 14 ea b1 73 42 97 87 7a a2 ef 2f 1e 04 c3 18 14 32 82 5b a1 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 01 c6 30 1d 06 03 55 1d 0e 04 16 04 14 14 ea b1 73 42 97 87 7a a2 ef 2f 1e 04 c3 18 14 32 82 5b a1 30 3f 06 08 2b 06 01 05 05 07 01 01 04 33 30 31 30 2f 06 08 2b 06 01 05 05 07 30 01 86 23 68 74 74 70 3a 2f 2f 64 6f 67 74 61 67 2e 77 61 72 62 79 2e 69 6f 3a 38 30 38 30 2f 63 61 2f 6f 63 73 70 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 37 fb 44 f8 0f 63 ab a6 7f 17 c5 0e 15 1f 0a 78 fa 58 72 c2 63 6f de cb 4f 5a ce b7 95 1b 65 9f e4 fe 61 d3 0b e6 51 92 cb f8 f1 8f 9c 9c ab 0c 7c 3e 9f cd 80 c5 52 f2 d1 36 09 2c e3 cc a5 45 f3 47 71 62 0d 46 b5 df 3f a2 0e f8 35 7d 13 5a b3 ca a6 60 d1 4a 07 14 41 dd 8c b2 0b c8 c4 aa ab 50 6c 69 78 70 59 a6 00 7c 2f ce a0 d6 be 66 58 36 cf 81 18 92 db af 75 a9 63 8b 8a 84 db a5 8d d3 77 e0 78 bb 80 b4 a6 94 93 89 f0 95 00 18 d7 bf 2b f6 a5 92 d1 d3 f1 83 cb f3 7f fb 31 f1 d0 1c 96 16 11 71 c4 07 16 f8 d1 19 af bd e3 6f a9 e4 06 ba 1d 8f 29 75 57 3f c5 c9 e4 b6 3b 08 4c 19 07 99 b3 50 e1 e0 d1 1a e6 d1 94 ab 27 00 82 c7 4a c2 11 31 dd 83 48 23 c1 7e fa f9 b9 61 7e fb 3c b0 26 45 fd ff e8 bb b6 c1 fc 9a fb 9f dd 24 e2 b3 9f 6a 64 25 62 c3 b2 bb 8b 47 98 95
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: operation=PKIOperation
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: message=MIIIfgYJKoZIhvcNAQcCoIIIbzCCCGsCAQExCzAJBgUrDgMCGgUAMIIDTwYJKoZIhvcNAQcBoIIDQASCAzwwggM4BgkqhkiG9w0BBwOgggMpMIIDJQIBADGCAWUwggFhAgEAMEkwRDEhMB8GA1UECgwYd2FyYnkuaW8gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaWduaW5nIENlcnRpZmljYXRlAgEBMA0GCSqGSIb3DQEBAQUABIIBAJajcdeb6TpsXF4gDJwVVwOyHROBXT0TcbBUSKbqIYXaRRH2koYfIkqCubQBRgHYOY4axGeMiNAXl1uO/LkUf0nTArx4JSLCmm3efFVznb8rJOEI/9gbdLVpGLlRDcCLsjK//mJxO/nsDwmnrsGcQ/zR434MYM9RVPs1QSSiFGqvWHiqkJ1iY ayN8HdLHvYHJkHW3F0d5/NF9BD6fY7UjGwqjD3PrmP91rrBWk/QpTdnRg/IRUshxRm4TeWQWQOOtrlRU7XUTm/ALZlr9DXN3r/YoWMdrasD8AXsyzQpcyU Y2OPpFIwpFaXXV/kxf9sc7OG BVzAvX41OjFjfWVBwwggG1BgkqhkiG9w0BBwEwFAYIKoZIhvcNAwcECJpHqEsbh10rgIIBkDKejpodVxi3v5VA0AR0kDlkJKzuozbXzVE6f/ECa7B0y/ahhtmGPvfP9QbQ/lOybhca83jg6dUOmfXmEZn/HTI2hWqUpLn0G1GkyFKtDYM79mIOlHkTMA2rWGyMkqSxgwH0RRfdxxXjSPTLwZPX3eP1zr05xkIRYuZWkohI56D02eo4DZK Zfg6sY8ATd7EpmHnNLXLACc7ejwYsAqLi4rAwF5Hrv4KSo/qq3VN cAh2E95SgRE5ae1dje/490cmZY5aYniFr/ZfFVHHyyOODc fY4q6EAQ6eygvhrHyZQXAwfioo0BVWYToJSRFKiZ2/p6OeuiNP8YtN65suiavlFDkCINt2 GyXVow9IG7/ol GzHo5Q36Xu6Hhk6oAv2ui7RXJ0YcPZCnHRHe/gPF5SNn3y5Stdtchrm4UBC1fCZCk4vJvZZtB6DIzKUkwHZBM2I0GlLxxaA7gpe6t3U5VR7T68VHwlCEXzd5oxQLEQjSERXC2 QfVITkfpkarKw9buDo/B 1f2cbZ5HZZWK226gggLdMIIC2TCCAcGgAwIBAgIBATANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDDA9NRE0gU0NFUCBTSUdORVIwHhcNMTcwODMxMTQyMDM5WhcNMTgwODMxMTQyMDM5WjAaMRgwFgYDVQQDDA9NRE0gU0NFUCBTSUdORVIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgyEO4EhA H9 7uUXCTXi1KHRSZ O5bmjnG82vKnUfYJH2vDYdK8ySgGadgXpdYDevLgQq IpOdkr8TmsQygFqpfB6 gzaLsfwIUftHMEqRYcTrvkpJvUL6a8rgJ9Qk2QLlXW9VgDCSJuQEb7Djg8ztmEzrkxW0jrBgZUB2RuNz8/GtYpwiqOn0H2Y8XpQnVX gLfYCrWic ydDUPcpvNJGxYHT3VlcavVYCJ0fCXtlq8LYSHLmjIZBuZ3GskYpcpSFcVt wdGReDq2J9qrW3MrUCofwnJm2EM975Z6L8oESFGgi75 AZcxv31igjbGowObi1JdmaiBP7s4IIqjzOBAgMBAAGjKjAoMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAWNNND6b/g7k1mGH2bbYNguNAHbE2d2nbi3dA4y7eIqK KG1iPGfznBRO0SQ36ISYhV7zCgZnGWpqdfqpPoNZFA06ffHxnoeEy8CBJgABb3/WKTkHrzk5 WiKY3xMHng76sUMlo9ZmoAPv4TefG m4IHqS4PLOiOnlB3tnh FNCW6kZpvQ67w3Qzq74DQ5vsxkj tCK254tFPHmCtzCf4IA/tnVhx a4ZdrYhQdfSzeTV0OH29wcsZkkj7eYdElJRBgSLshnUNgHLYGat0yL qFyHwtniTDhstYkDzohRZqdRm1PLKhx1fydjPIJCgqlfizNaLKliPVqw1Kg/3EOszGCAiMwggIfAgEBMB8wGjEYMBYGA1UEAwwPTURNIFNDRVAgU0lHTkVSAgEBMAkGBSsOAwIaBQCggdowEgYKYIZIAYb4RQEJAjEEEwIxOTATBgkqhkiG9w0BCQcxBhMEd2hhdDAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBgGCmCGSAGG EUBCQUxCgQIUjA1J7asfb0wHAYJKoZIhvcNAQkFMQ8XDTE3MDgzMTE0MjAzOVowIwYJKoZIhvcNAQkEMRYEFOwjJDjdDs6SCjnPNHsc29ZsI05MMDgGCmCGSAGG EUBCQcxKhMoOEIzNzhBODE1RjZDQjEyODJBMzU1NkIwRkFDNjJDNkM2MTQ4OTBDMjANBgkqhkiG9w0BAQEFAASCAQAEzTvWktV9S 8w0 EiqsakAO1 LfyToBz8atr/FXxJ45cKAOcPMk/sArtQlbrrg3fhStDTZGiPqFD1oqaq6r1IlkGG/m2mYoDxZXXTtvwODKMdYjjNCsFKmverk0IOAxUu5XX32oWB2ROgEOKGCSV1oPSB4KlsQRm5QQk5VFuJbkIG5idd3fg/86TwetIlu6NEi2qWQDXeZUtdbn7n4Zi8pw2AtxLdjOgTutqT7FQqVc/KTRXdcqxUpHrZSLHCTDR0Pzyky0pFhW/3K41/QpDFy6H7vwoEVVibK7QXGgZI6xFY0T dL43QQW 3fHji7wjaAbRtGPvBSd8Bc6d3wHis
java.io.EOFException
	at org.mozilla.jss.asn1.ASN1Util.readFully(ASN1Util.java:114)
	at org.mozilla.jss.asn1.ANY$Template.decode(ANY.java:274)
	at org.mozilla.jss.asn1.EXPLICIT$Template.decode(EXPLICIT.java:157)
	at org.mozilla.jss.asn1.EXPLICIT$Template.decode(EXPLICIT.java:146)
	at org.mozilla.jss.asn1.SEQUENCE$Template.decode(SEQUENCE.java:400)
	at org.mozilla.jss.pkcs7.ContentInfo$Template.decode(ContentInfo.java:254)
	at org.mozilla.jss.pkcs7.ContentInfo$Template.decode(ContentInfo.java:247)
	at com.netscape.cmsutil.scep.CRSPKIMessage.decodeCRSPKIMessage(CRSPKIMessage.java:701)
	at com.netscape.cmsutil.scep.CRSPKIMessage.<init>(CRSPKIMessage.java:723)
	at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:832)
	at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:370)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: ServletException javax.servlet.ServletException: Could not decode the request.

And the failure from localhost.log:

==> localhost.2017-08-31.log <==
Aug 31, 2017 2:20:39 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [caSCEP] in context with path [/ca] threw exception [Could not decode the request.] with root cause
javax.servlet.ServletException: Could not decode the request.
	at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:381)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

This seems like a MacOS specific difference in the requests, but I cannot determine exactly what it is. Would anyone have any experience with this?

For reference, this is dogtag-pki 10.2.6+git20160317-1 installed via apt on Ubuntu 16.04.

--

_______________________________________________
Pki-users mailing list
Pki-users(at)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users

From jmagne at redhat.com Wed Oct 18 20:01:47 2017
From: jmagne at redhat.com (John Magne)
Date: Wed, 18 Oct 2017 16:01:47 -0400 (EDT)
Subject: [Pki-users] Invalid chunk header
In-Reply-To: <1027652427.3552018.1498597283445@mail.yahoo.com>
References: <1027652427.3552018.1498597283445.ref@mail.yahoo.com> <1027652427.3552018.1498597283445@mail.yahoo.com>
Message-ID: <54463925.13313887.1508356907878.JavaMail.zimbra@redhat.com>

Haven't seen anything like that in a long time.

Have you tried a client on rhel or fedora? Perhaps the old windows one doesn't go well?

----- Original Message -----
From: "Dennis Gnatowski"
To: pki-users at redhat.com
Sent: Tuesday, June 27, 2017 2:01:23 PM
Subject: [Pki-users] Invalid chunk header

I'm getting an error when attempting to format a new blank card (sc650). Fresh, new install of CA, KRA, TKS, TPS on single instance. Insert card into reader (3121) and ESC (1.1.0-13 on Windows 10) prompts for phone Home URL. Enter TPS phone Home URL then press Format button and get error (in localhost.log). I have the same issue on RHCS 9.1 (latest patches) as well as Dogtag 10.3.x. Not sure where the issue lies or how to fix.
SEVERE: Servlet.service() for servlet [tps] in context with path [/tps] threw exception
java.io.IOException: Invalid chunk header
	at org.apache.coyote.http11.filters.ChunkedInputFilter.throwIOException(ChunkedInputFilter.java:615)
	at org.apache.coyote.http11.filters.ChunkedInputFilter.doRead(ChunkedInputFilter.java:192)
	at org.apache.coyote.http11.AbstractInputBuffer.doRead(AbstractInputBuffer.java:287)
	at org.apache.coyote.Request.doRead(Request.java:438)
	at org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:290)
	at org.apache.tomcat.util.buf.ByteChunk.substract(ByteChunk.java:390)
	at org.apache.catalina.connector.InputBuffer.readByte(InputBuffer.java:304)
	at org.apache.catalina.connector.CoyoteInputStream$1.run(CoyoteInputStream.java:91)
	at org.apache.catalina.connector.CoyoteInputStream$1.run(CoyoteInputStream.java:87)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:85)
	at org.dogtagpki.tps.TPSConnection.read(TPSConnection.java:55)
	at org.dogtagpki.server.tps.TPSSession.read(TPSSession.java:72)
	at org.dogtagpki.server.tps.processor.TPSProcessor.handleAPDURequest(TPSProcessor.java:311)
	at org.dogtagpki.server.tps.processor.TPSProcessor.selectApplet(TPSProcessor.java:279)
	at org.dogtagpki.server.tps.processor.TPSProcessor.selectCardManager(TPSProcessor.java:2968)
	at org.dogtagpki.server.tps.processor.TPSProcessor.getAppletInfo(TPSProcessor.java:2900)
	at org.dogtagpki.server.tps.processor.TPSProcessor.format(TPSProcessor.java:1831)
	at org.dogtagpki.server.tps.processor.TPSProcessor.process(TPSProcessor.java:2852)
	at org.dogtagpki.server.tps.TPSSession.process(TPSSession.java:119)
	at org.dogtagpki.server.tps.TPSServlet.service(TPSServlet.java:60)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
	at sun.reflect.GeneratedMethodAccessor48.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)

-----------------------------------------------------------
Dennis Gnatowski
dgnatowski at yahoo.com
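The root cause in the trace above is thrown by Tomcat's ChunkedInputFilter while TPSConnection.read is pulling the next APDU response from the request body, which means the HTTP chunked framing of the body the ESC client sent, not anything TPS itself parsed, failed validation. As an added example, not code from Tomcat, Dogtag or ESC, the Python decoder below applies the RFC 7230 chunked transfer-coding rules to constructed bodies so that the difference between a well-formed body and one that produces this kind of error can be seen on sample input; the sample bodies are constructed, and the exact grammar checks are this example's own, not Tomcat's.

```python
"""Minimal HTTP/1.1 chunked transfer-coding decoder (RFC 7230, section 4.1).

Added example for this page; not code from Tomcat, Dogtag or the ESC client.
Tomcat's ChunkedInputFilter rejects a request body with "Invalid chunk header"
when a chunk-size line is not hexadecimal digits (optionally followed by
";ext") terminated by CRLF. The sample bodies below are constructed.
"""

HEX_DIGITS = b"0123456789abcdefABCDEF"


class InvalidChunkHeader(ValueError):
    """The chunk-size line does not follow the RFC 7230 grammar."""


def decode_chunked(body: bytes) -> bytes:
    """Return the de-chunked payload, or raise InvalidChunkHeader."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise InvalidChunkHeader("chunk-size line not terminated by CRLF")
        size_line = body[pos:eol]
        # chunk-size [ ";" chunk-ext ]: extensions are permitted but ignored here
        size_field = size_line.split(b";", 1)[0].strip()
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise InvalidChunkHeader(f"bad chunk-size line {size_line!r}")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            # last-chunk; skip optional trailer fields up to the final empty line
            while body[pos:pos + 2] != b"\r\n":
                eol = body.find(b"\r\n", pos)
                if eol < 0:
                    raise InvalidChunkHeader("trailer not terminated by CRLF")
                pos = eol + 2
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise InvalidChunkHeader("chunk-data shorter than declared size")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise InvalidChunkHeader("chunk-data not terminated by CRLF")
        pos += 2


def classify(body: bytes):
    """Return (True, payload) for a well-formed body, (False, reason) otherwise."""
    try:
        return True, decode_chunked(body)
    except InvalidChunkHeader as exc:
        return False, str(exc)


# Constructed sample bodies.
GOOD_BODY = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"      # well-formed
MISSING_CRLF = b"4\r\nWiki\r\n5pedia\r\n0\r\n\r\n"       # size and data run together
UNFRAMED = b"\x00\xa4\x04\x00\x00\r\n"                   # raw bytes, no chunk framing

if __name__ == "__main__":
    for name, body in (("good", GOOD_BODY), ("missing-crlf", MISSING_CRLF), ("unframed", UNFRAMED)):
        print(name, classify(body))
```

A body that a client sends without chunk framing, or with a chunk-size line that runs into the data, is rejected at the first size line; a capture of the ESC request body fed to classify() shows whether the client or a proxy in between is producing the framing the server refuses.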