[Pki-users] Mac OS SCEP request failure: "Could not decode the request"

Supper Florian 6342 sIT Florian.Supper at s-itsolutions.at
Wed Oct 18 19:09:08 UTC 2017


Hi Ryan,

We have several problems with SCEP and Mac devices. Here are my experiences.

1)
iOS + macOS -> request pkiclient.ext?operation=GetCACaps (can be found in the Tomcat access log).
This request ends up in a "500 Server Error". After this error, the iOS devices stop requesting.
We had to implement that method in the CSREnrollment.java file to fix that issue.

2)
Could not decode request...
Decoding failed because of a bug with DES3 in combination with an HSM.

3) 
iOS 11 beta - could not decode request
Bug in the iOS SCEP implementation: the inner PKCS request data includes multiple objects which cannot be decoded.


iOS 11 & Mac devices -> I have to test those devices next week. I can share my information about the tests at the end of next week.


BR
Florian




-----Original Message-----
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On behalf of Ryan Trinder
Sent: Thursday, 31 August 2017 16:37
To: pki-users at redhat.com
Subject: [Pki-users] Mac OS SCEP request failure: "Could not decode the request"

Hello PKI users!

I am looking to use Dogtag for my org as the full PKI solution. Initially,
I'll be using it for certificate issuance for an EAP-TLS rollout.

In the beginning, to get certificates issued throughout the org, I would
like to utilize the SCEP server across multiple devices including Mac OS, iOS,
Linux, Windows, and Chromebooks.

So far, I have tested with the *sscep* utility on Linux and with Mac OS
through the mobileconfig XML configuration. Using *sscep* works great on
Linux, however any testing from Mac OS results in a 500 from the server
declaring that the request could not be decoded. I initially thought the
requests were using the wrong CA, however intentionally using a wrong CA
with the *sscep* utility shows a completely different response in the logs.

Here is an excerpt from the *ca/debug* log for a failed request:

==> ca/debug <==
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: operation=GetCACert
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: message=CAIdentifier
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: handleGetCACert message=CAIdentifier
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: handleGetCACert selected chain=0
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: Output certificate chain:
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: operation=PKIOperation
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: message=
java.io.EOFException
    at org.mozilla.jss.asn1.ASN1Util.readFully(ASN1Util.java:114)
    at org.mozilla.jss.asn1.ANY$Template.decode(ANY.java:274)
    at org.mozilla.jss.asn1.EXPLICIT$Template.decode(EXPLICIT.java:157)
    at org.mozilla.jss.asn1.EXPLICIT$Template.decode(EXPLICIT.java:146)
    at org.mozilla.jss.asn1.SEQUENCE$Template.decode(SEQUENCE.java:400)
    at org.mozilla.jss.pkcs7.ContentInfo$Template.decode(ContentInfo.java:254)
    at org.mozilla.jss.pkcs7.ContentInfo$Template.decode(ContentInfo.java:247)
    at com.netscape.cmsutil.scep.CRSPKIMessage.decodeCRSPKIMessage(CRSPKIMessage.java:701)
    at com.netscape.cmsutil.scep.CRSPKIMessage.<init>(CRSPKIMessage.java:723)
    at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:832)
    at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:370)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: ServletException
javax.servlet.ServletException: Could not decode the request.

And the failure from localhost.log:

==> localhost.2017-08-31.log <==
Aug 31, 2017 2:20:39 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [caSCEP] in context with path [/ca] threw exception [Could not decode the request.] with root cause
javax.servlet.ServletException: Could not decode the request.
    at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:381)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

This seems like a Mac OS specific difference in the requests, but I cannot
determine exactly what it is. Would anyone have any experience with this?

For reference, this is dogtag-pki 10.2.6+git20160317-1 installed via apt on
Ubuntu 16.04.
--
_______________________________________________
Pki-users mailing list
Pki-users(at)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
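As an added example (not code from this thread, from Dogtag or from JSS), a small pure-Python DER walker for triaging the "Could not decode the request" failure: it rebuilds the base64 `message=` value copied out of the CA debug log, then reports the offset of the first element whose declared length runs past the available bytes, which is the condition behind the EOFException raised in ASN1Util.readFully above. The sample byte strings are constructed here, not taken from the post.

```python
import base64
import re

# Constructed sample DER, not the message from the post. The outer SEQUENCE
# is consistent (9 content bytes present), but the inner OCTET STRING at
# offset 7 claims 5 bytes while only 2 follow. This mirrors what makes
# JSS's ASN1Util.readFully hit end-of-file mid element.
SAMPLE_TRUNCATED_B64 = "MAkGAyqGSAQFqrs="   # 30 09 06 03 2a 86 48 04 05 aa bb
SAMPLE_OK_B64 = "MAcG Ayq\nGSAQA"            # 30 07 06 03 2a 86 48 04 00, split
                                             # across lines like a pasted log

CONSTRUCTED = 0x20  # bit 6 of the identifier octet: element has child TLVs


def decode_log_message(text):
    """Rebuild the raw bytes of a message= value copied from the CA debug
    log; log viewers and mail clients often insert spaces and line breaks."""
    return base64.b64decode(re.sub(r"\s+", "", text), validate=True)


def read_tlv(buf, pos):
    """Parse one tag and length at pos; return (tag, length, content_start).
    Only single-octet tags and definite lengths are handled (BER indefinite
    length, 0x80, is reported rather than walked)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    if first == 0x80:
        raise ValueError("indefinite length at offset %d" % pos)
    if first < 0x80:
        return tag, first, pos + 2
    n = first & 0x7F  # long form: the next n octets carry the length
    if pos + 2 + n > len(buf):
        raise ValueError("truncated long-form length at offset %d" % pos)
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def check_der(buf, start=0, end=None):
    """Walk every TLV and return the offset of the first element whose
    declared length overruns the enclosing data, or None if consistent."""
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        tag, length, content = read_tlv(buf, pos)
        if content + length > end:
            return pos
        if tag & CONSTRUCTED:
            bad = check_der(buf, content, content + length)
            if bad is not None:
                return bad
        pos = content + length
    return None


def check_log_message(text):
    """Convenience wrapper: base64 log value in, offending offset (or None) out."""
    return check_der(decode_log_message(text))
```

A None result means the PKCS#7 envelope is at least length-consistent, so the decode failure lies in its content (for example the inner pkcsPKIEnvelope) rather than in a truncated or mangled transfer.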