Custom SCEP Client works for NDES, not GO SCEP Server #224
Comments
|
Which version are you using? Can you try 0.2.1 if you're using the newest 0.2.2? Thanks! |
|
I tried 0.2.1 (was previously using 0.2.2). It is still complaining.
C:\goscep>scepserver-windows-amd64 -port "5004" -log-json -debug "enable" -allowrenew "0"
{"address":":5004","caller":"scepserver.go:159","level":"info","msg":"listening","transport":"http","ts":"2023-12-04T19:59:41.173741Z"}
{"caller":"service_logging.go:22","component":"scep_service","err":null,"level":"info","method":"GetCACaps","took":"0s","ts":"2023-12-04T19:59:52.5210714Z"}
{"caller":"endpoint.go:186","error":null,"level":"info","op":"GetCACaps","took":"319.7µs","ts":"2023-12-04T19:59:52.5213911Z"}
{"caller":"logutil.go:70","component":"http","host":"127.0.0.1","level":"info","method":"GET","path":"/scep?operation=GetCACaps","proto":"HTTP/1.1","status":200,"ts":"2023-12-04T19:59:52.5213911Z","user_agent":""}
{"caller":"service_logging.go:34","component":"scep_service","err":null,"level":"info","message":"ignored","method":"GetCACert","took":"0s","ts":"2023-12-04T19:59:52.7001524Z"}
{"caller":"endpoint.go:186","error":null,"level":"info","op":"GetCACert","took":"751.3µs","ts":"2023-12-04T19:59:52.7009037Z"}
{"caller":"logutil.go:70","component":"http","host":"127.0.0.1","level":"info","method":"GET","path":"/scep?operation=GetCACert\u0026message=ignored","proto":"HTTP/1.1","status":200,"ts":"2023-12-04T19:59:52.7016148Z","user_agent":""}
{"caller":"service_logging.go:47","component":"scep_service","err":"pkcs7: cannot decrypt data: only RSA, DES, DES-EDE3, AES-256-CBC and AES-128-GCM supported","level":"info","method":"PKIOperation","took":"1.4114ms","ts":"2023-12-04T20:00:01.6054969Z"}
{"caller":"endpoint.go:186","error":null,"level":"info","op":"PKIOperation","took":"1.4968ms","ts":"2023-12-04T20:00:01.6055823Z"}
{"caller":"logutil.go:70","component":"http","host":"127.0.0.1","level":"info","method":"GET","path":"/scep?operation=PKIOperation\u0026message=MIIKOAYJKoZIhvcNAQcCoIIKKTCCCiUCAQExDDAKBggqhkiG9w0CBTCCBMAGCSqGSIb3DQEHAaCCBLEEggStMIIEqQYJKoZIhvcNAQcDoIIEmjCCBJYCAQAxggFtMIIBaQIBADBRMEwxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdzY2VwLWNhMRAwDgYDVQQLEwdTQ0VQIENBMRkwFwYDVQQDExBNSUNST01ETSBTQ0VQIENBAgEBMA0GCSqGSIb3DQEBAQUABIIBAI8wHEvdKnY%2FwMQvsPak%2Fqi3hYzV1ytCr94vCztVbt%2BnqnrXXs%2Bz0pcZ8oYkDdgWXtetbY7cmHjcnpAITvEpBkZAoAU4jDC7PAZzXDHAyBknEaFtNkn%2FmeRl%2FXLHVfZWmjdZih16yqtJr43R3eBqfHvGuUb5ondaWoSU%2FJbnPi1TTPI4oPNuqlTXtp7DDuK97iGhsw065GoYfxz%2FrjO8B7rI%2FTTn7CWbOXQCK4fRFs4xz4oRznG6IL3z1YYU%2BVtk3DEEwbPaN4fa2YK6c5FrOoKULs9f1Ws25BVD92SEWZrPMDoxVrDO%2FVtjoTayex3UHyPEXGQwjmYEapWjQI%2FyNiMwggMeBgkqhkiG9w0BBwYwHQYJYIZIAWUDBAEqBBApa9%2FCjhYuYqPPZ3fMmFGdgIIC8GaVPim1CCB26OSQjZDiJzrMcnkkBcqjP1qu8L5QuvrnZ0K3SimowBhD7fipjWdIAQVNSUhq4xRx9DaCvlmbUtAtFrc0x3uCTbHViCacckTQKKV8%2F%2Fs3kDkQh0XxMUc5Iq%2BNzqdxmnJDYyStys%2Fj0QWp%2FBqjDtIGh3HSG2MFL3Vnbcc4NvF2USewtpHLNFH%2F7fs%2F8886LsLOf6UmX0UKaViwfE9mPDhClFuXC5NV8qWdq97BFZqliJOle%2F%2BnMNkOr1Ln1hvVbzitlmO3QDIUeBZuCT4QOlHkdalMG%2FjKJICqmDow3RxmpIQuZUq%2F4Tzvf1V8BIbUON8uEwV9WIezvFZM7u5Bo0AcSkAy4dk8ZYuv6zEwgVTry9uOScPUS%2FATnxQdZBe5VmxjWjZRO8miVFK72iy1StOQ5ZeZ8mFCLW55iKAJWG6xRe3YERa5G5hSqO7E5SSu15ZhhWmSTWP963rcQ75an%2FNpL7zNbEAomlYx9OKs8gpuKPqU9DixPpU4RAftc6dPRtmFczShWObyvDl3jUPYYWeIlMsnOC3pyKPBu7sjl0mimsminW8%2FvIukZByX8sXDUIScxS3cfNMMAy8Ff%2Bwv6HWTy88GYida87BFyXObXR8BpVPvLc14Kgct%2FS00aBSkIaENVMChFAWGTyF%2FwqNuaydTAtmgUkQVOkZ0yrxDVd7DedT97sWjumF6cCWbkqk5TqdZgoER9WU1cg82BbXRi9%2BppA8ndMkstEkwBtGWX%2BkN55ybTAtiAq4W5Pas7RrIMD601XDqGFq83xIT6Niv66GnkJdgUdkT8GJvkAkQhhKL7cNMcc0uhycfljvUMG1DWgZa86geVyOPONOqd3R%2FTg%2FnKylOpwoXTasdtvEywmLY8GSwMcQYHWQ8HvZcNLcAUMa%2BAcoFh50kUENdkabAOPF3dqYLVYTUU60lJWFy%2BD1n%2FZ5g2H1MoFdHZ%2BqLQmce9NpeKKlRzIoHL%2BOMxnkQIjkfUT5SsC3m%2FU3moIIDOzCCAzcwggIfoAMCAQICCBr3UPqcAwJ2MA0GCSqGSIb3DQEBCwUAMCkxJzAlBgNVBAMTHkdhcmliYWxkaSBXSU4tOUhFODk2VlNUVTUgZ2RvaTAeFw0yMzEyMDMxNjA1NTBaFw0zMzEyMDExNjA1NTBaMCkxJzAlBgNVBAMTHkdhcmliYWxkaSBXSU4tOUhFODk2VlNUVTUgZ2RvaTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM%2FwlF%2BPJ9Z8MGFFrs26%2FI9MKiUZjrlzaTvl%2Ba4PFaq4%2B8jTpCAk1hQwl62LzL4ScQVoqCevDGPR54ecdbCb0CCCsZ4bBudnFpUovzGRRC%2FrcTgQgnOaKLqkfM0DLFnL6XaIpNWZP4xrvjYWphzwm5F3Kv7ScE2cKRLknfL21LYzjr8f1A%2B1jFfUBg3sQdOLpgmK80cqLb3Vch%2FjgAGrMnzt4hg39H3OZi9VCKYSpZbP4JJw3%2Bw0o7f4Ih0bs5PFC4VxnSYlcGG8nXlNNOb7Q32Bcikw6lBT02Il7JdKcLH%2F2KKI5IP%2FMD%2Bpi0AQAqlrVQw5lETlapttyLhjhQ%2FJzykCAwEAAaNjMGEwCwYDVR0PBAQDAgO4MBMGA1UdJQQMMAoGCCsGAQUFBwMBMD0GA1UdEQQ2MDSHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAGCCWxvY2FsaG9zdIIPV0lOLTlIRTg5NlZTVFU1MA0GCSqGSIb3DQEBCwUAA4IBAQBbfnDrBQp0j7qZOzvmwMeJwFZsJIYu6wxYOL4sAI1Q16SGRVDjXvxQjX8GS4NsmoeB%2FHKYmc4wncboIz4xad8FB6uIzzYlziwHDhtHkLhyi%2BooXtaE0B58cGySoeNuna9bTGkCfa6B9%2FvCZDzNbwauYSrEhdj51tKHYFkrlNuUbpIjnovadlCT6c3EsYNdtZuGtU%2F2SpOEnx93E9huWeP4l32xYMoBKXd8%2Bi3I4wyJcaCL3PTLgRT%2Bzw13R6%2FmAjCKv1Q%2FW3igJrIl4tBBex2r7mybRd0ZAXc7NSEiISCY8AZFPcBfzjxZ%2Bx1BtyS%2BQsCntUaoIKf5nssA4BD5YVHZMYICDTCCAgkCAQEwNTApMScwJQYDVQQDEx5HYXJpYmFsZGkgV0lOLTlIRTg5NlZTVFU1IGdkb2kCCBr3UPqcAwJ2MAoGCCqGSIb3DQIFoIGvMBIGCmCGSAGG%2BEUBCQIxBBMCMTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAfBgkqhkiG9w0BCQQxEgQQpbBktx53Eym2%2F%2BcagcyWuTAgBgpghkgBhvhFAQkFMRIEEOVCXExqooHIJ1jLmrdJhvMwPAYKYIZIAYb4RQEJBzEuEyx0alFoNzMzc3B4NC9UNW9ua2QyY1phNDQxTTNzUWh6aURGNkR5VW5wY2JZPTALBgkqhkiG9w0BAQEEggEAwwcwrZq3D9%2BhW9TUS2VGOQGQUUum60yo%2FNpkVjU7V%2Ffa%2Bglaj8DD8n%2BmFQSDNyp1UQnhdlj1iBK%2Badefi%2F1Iqu3abv7%2B7tkYIyUbdBCH5iA%2BRi34RbmqtugcZCPlD1GCXLuUj33SrYgQ1DDBpD5EnuUHa%2BylIuoSXI9u6jMp9vjRQe%2Fzx573zMmyc5duAZ1Vdsu6OAP5uUuj5f6fi1C40iY9qUXuoG9zkpbTMA8JLjuQWFUFrQwhNuwmROCVmUk7OiIhZLDQxb2IwP929W9Z4GMiJ9AXtYeSkbiPzKfnR73iJiWTXADZieuqLHvKauvyX1IpmFb2p2NjVODDBWIrUA%3D%3D","proto":"HTTP/1.1","status":500,"ts":"2023-12-04T20:00:01.6063806Z","user_agent":""}
From: Jesse Peterson ***@***.***>
Sent: Monday, December 4, 2023 2:38 PM
To: micromdm/scep ***@***.***>
Cc: herbfalkmi ***@***.***>; Author ***@***.***>
Subject: Re: [micromdm/scep] Custom SCEP Client works for NDES, not GO SCEP Server (Issue #224)
Which version are you using? Can you try 0.2.1 if you're using the beer est 0.2.2? Thanks!
—
Reply to this email directly, view it on GitHub <#224 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIL4G4L3WHWVEVOJXKZJT73YHYRDHAVCNFSM6AAAAABAGQKGRSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMZZGM2DQNJXGE> .
You are receiving this because you authored the thread. <https://github.com/notifications/beacon/AIL4G4LJPNLM5JCAW6JQP2DYHYRDHA5CNFSM6AAAAABAGQKGRSWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTTNUI5VW.gif> Message ID: ***@***.*** ***@***.***> >
|
|
Quick reproducer: # error:
2023/12/04 21:51:55 pkcs7: cannot decrypt data: only RSA, DES, DES-EDE3, AES-256-CBC and AES-128-GCM supportedSome debug statement in
@herbfalkmi do you have control over the hashing algorithm used by the client? I would suggest upgrading to SHA256. I'll make |
|
Progress, changed the signature to SHA-256 and the new error is:
Line 22: {"caller":"service_logging.go:47","component":"scep_service","err":"parse CSR from pkiEnvelope: asn1: structure error: tags don't match (16 vs {class:0 tag:2 length:1 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:\u003cnil\u003e tag:\u003cnil\u003e stringType:0 timeType:0 set:false omitEmpty:false} tbsCertificateRequest @2","level":"info","method":"PKIOperation","took":"4.7176ms","ts":"2023-12-04T21:59:48.1558002Z"}
The bytes logged:
{"caller":"logutil.go:70","component":"http","host":"127.0.0.1","level":"info","method":"GET","path":"/scep?operation=PKIOperation\u0026message=MIIKSgYJKoZIhvcNAQcCoIIKOzCCCjcCAQExDTALBglghkgBZQMEAgEwggTABgkqhkiG9w0BBwGgggSxBIIErTCCBKkGCSqGSIb3DQEHA6CCBJowggSWAgEAMYIBbTCCAWkCAQAwUTBMMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHc2NlcC1jYTEQMA4GA1UECxMHU0NFUCBDQTEZMBcGA1UEAxMQTUlDUk9NRE0gU0NFUCBDQQIBATANBgkqhkiG9w0BAQEFAASCAQCFvU3RntCsaaJ%2BcSZfdmALEo8e5MWZM%2FFEatHn61Is%2B5YG7do6jEAK7W2JBYrmqm%2BSj2E7lj06dU1MhhsVabPlOKaJ%2Fmim07mJlZD%2FikScdN3HbPOT6ElAMkO9b81S4bbZQ3SkaJJWtDfHF3CSFjjPwVnLesEQpXQ4hnEjO95FDM2ajxQz3excxSd6eNLogfD7zSV0ywZQ0LEoiuoij0zVIR%2Bl0MYgQ%2F7z7Rz%2BWCy9zmfdTtWQ8BEawGY8%2BxuDxUAxPZnc%2BhUBIqcdiMDTeZjYTWC9JoyjFSRhLKCS8%2FjjTSgiNWxn%2BjmGttDMY0UyOp86BIrcUwbFR2EhhGa1EY1KMIIDHgYJKoZIhvcNAQcGMB0GCWCGSAFlAwQBKgQQVRdf4Fqt1VSdHtpfGLIXDICCAvCDbeSj7gHI7y5XyvFpZz7Vj3uORC1bev5QvXpQ9l5sANBeOFpq8qC6%2BTZ77q5e1QQdvUsVC2WO8CKuISp4wi0dgUl6zRLxdEhaAr%2FJwHdfoEnb7l1rEWPgVf7dZrJaIytgHz3D0TOZd93PbVwd4vipidm3vJbyf7kiwZGVI2jovwrmNprdJ4MirqHhTRX1g5hsrw17LRfO9KJdOVuPLTGcDhbHGlXXY2RgYVjaGndhbAGpLdH4g30QlLm9GobNsYJ9s0ZD0GxQdoczyJURYujFfqj9aR7HAWu0sXOgzcIdnoQgKEFkIzw1lRyxODrLnID9fxj3ybDrvUHW8xTT%2FnQljcbOKpmowGHky4%2BrL7GsRxMvItiF8qS9OOYipoyCd8CQF9ZMVZmcmZhoZ%2BhmxJ%2Bo%2FRVNa0RXt1NvHwjSMs8RO%2BFzWmo3%2BcTyIjCQsUl%2B54EnFOYEI7mPmd332HOuB%2F89r7V1%2ByZSUiJDAJqcxR7EZCtCdSbBHHfKevMhoYKLUK5NQj3xUox5PGZzW%2F4ceD0PnrN5rP4wvh%2FPiV%2FEr%2Bw8pD3IAJoDzB96txsz0vvPQVG9b0JRcLjKFK4qaykvNqF%2F9XZGzxK7ueJAMPw235%2FwIsG%2B05uTY6EbuNhNdHyusiliuBWEeWvIW0VFz1gt0hZBbI2usXSIpENC6q5En4V72VtXnHyZucN%2FTB%2FSsuxumWA8yELd94sqaaDy0zz1ETe79FRQX%2B6PaorOX8zB2%2B1OTT%2B9QMkzn%2F%2B1DiM6PMWMJRgoVyMeN8m9ROWmIm3AqBh6L884Pz%2B0986CmnUBzCBEElPMoeuRAZvy6ZE0iOL2c9cQ74YAdcf5kdxdQ9H9oWwKSS8qjRkB0pX5rPNoeCWyP8%2FpuvnZc3GMPnnkYDZk%2BLpyfqA2orS84sgowV0lD33wvkRpp%2FlN7orc7ZfmKoUKSUWT1M5fuX4QQZliz10K6RUQx%2Bo5ldiYg5SKnghPitDNXWzwRvm6QARYNxbdAOgHKqCCAzswggM3MIICH6ADAgECAggnmGnVYUbcJTANBgkqhkiG9w0BAQsFADApMScwJQYDVQQDEx5HYXJpYmFsZGkgV0lOLTlIRTg5NlZTVFU1IGdkb2kwHhcNMjMxMjAzMjExODM5WhcNMzMxMjAxMjExODM5WjApMScwJQYDVQQDEx5HYXJpYmFsZGkgV0lOLTlIRTg5NlZTVFU1IGdkb2kwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD3peyLWkWfNzcsSwH6KSrNnRgXHsZQESvyHgA7NluEq4Z%2FUtdxE1XjeMgDoUb2KLcNuNWPsyQ%2BH3PjqbkEe%2BUqmDWCzK3N%2FZuyKZu%2BpVJDfZvr04gPOHWlbsJFW1gT3bcCrPA3e08coKTtS175G9heM8nYm2s276kFVkwt4oUOHZbxX4Bx702InziLI1qIEddsRPLpK5%2FNbgaV5vHgpYugBG22zjDi%2BLKg2OBjuIPcGHrgcHYQYXFhTAvEArOgq2BXfVOAJW751pMFFf1kT7%2FtmfFq76Vzoc93%2BjGEvcLEV2aMfwI2jAtpwdy8wTDwr5H%2BDHGGrZrsCRYJDx2B%2FvEVAgMBAAGjYzBhMAsGA1UdDwQEAwIDuDATBgNVHSUEDDAKBggrBgEFBQcDATA9BgNVHREENjA0hwR%2FAAABhxAAAAAAAAAAAAAAAAAAAAABgglsb2NhbGhvc3SCD1dJTi05SEU4OTZWU1RVNTANBgkqhkiG9w0BAQsFAAOCAQEAotgjhLNP4ivp4occoNHA%2FrEnfYWE1yfm%2Bb6rBQt8JBYpV3aIe9T%2FaXk0nF6XHb83bShHmTuF4%2BtAWQkhj5eVvxZztP3IMuVJyH%2F%2B6G6055OYAQFs%2F%2BYqPGB5KXQWfSj9l76dtksn7vhX0p58ob0fo3%2F4MrnbRkrctb4j7cxHaS3T1LIPPqFKGbIyVbLPvOIrogvxfQyZLt7wUkAofZCUtiPNIA%2FodDkXd8jW7irBvoa2X91il5zyIH8xJoMRjfkdKWQ5r3sgF3BrPZbyGDzLflB7cmFHU574uE7dfOyJXapWbeTEQThcOhf9WoXrCaGAo5X6w%2FkOgTfhxamVSO%2BZjTGCAh4wggIaAgEBMDUwKTEnMCUGA1UEAxMeR2FyaWJhbGRpIFdJTi05SEU4OTZWU1RVNSBnZG9pAggnmGnVYUbcJTALBglghkgBZQMEAgGggb8wEgYKYIZIAYb4RQEJAjEEEwIxOTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMCAGCmCGSAGG%2BEUBCQUxEgQQmsTA1mBgBxtaK%2BCvtOASYzAvBgkqhkiG9w0BCQQxIgQgj9CcYOWU9xOqS7MORrnIEByEjWvv89UnnLCuhhMcJAwwPAYKYIZIAYb4RQEJBzEuEyx0a0xLVFBWeTJoZmVJWlZ4UE9CWlJwS1ZHTnRRZ2RwUE5RSUtJUTBxSk1ZPTALBgkqhkiG9w0BAQEEggEAhHfvfp2BwR0APpD2wDzZlHaDOvaL5RNJpWa1wwPtPhCj4RnNlXX1qy3%2Fd88vye0K3jVSw98PEzn6amiIrNJEAxTlz6i3mnbsnK%2Bj0mK3vu3UUDzCHyQGt7BITGalu6fpmlTf8qijPI1WSCAly69z3%2B%2FupOKqBPD4Veq9BURLUim2YLS3K9TWSPDK4SyRrktT4Kh4NQ8ij%2FBGuUJUb%2B0Bz8naTNjc0wwdl3gAhlU7FYVqjMwx1is7hJMIqIxBsxSDDXYFVg1oog5GaHvNjWYj2zNG8bMttCJWMBWeTFmxseuXESK6XfQLRYkycPoh2wKyB5GllcVWTMNIigrpI4eNYA%3D%3D","proto":"HTTP/1.1","status":500,"ts":"2023-12-04T21:59:48.1566935Z","user_agent":""}
If you can interpret the error, I should be able to fix it?
From: ***@***.*** ***@***.***> ***@***.*** ***@***.***>
Sent: Monday, December 4, 2023 3:02 PM
To: 'micromdm/scep' ***@***.*** ***@***.***> ; 'micromdm/scep' ***@***.*** ***@***.***>
Cc: 'Author' ***@***.*** ***@***.***>
Subject: RE: [micromdm/scep] Custom SCEP Client works for NDES, not GO SCEP Server (Issue #224)
I tried 0.2.1 (was previously using 0.2.2). It is still complaining.
C:\goscep>scepserver-windows-amd64 -port "5004" -log-json -debug "enable" -allowrenew "0"
{"address":":5004","caller":"scepserver.go:159","level":"info","msg":"listening","transport":"http","ts":"2023-12-04T19:59:41.173741Z"}
{"caller":"service_logging.go:22","component":"scep_service","err":null,"level":"info","method":"GetCACaps","took":"0s","ts":"2023-12-04T19:59:52.5210714Z"}
{"caller":"endpoint.go:186","error":null,"level":"info","op":"GetCACaps","took":"319.7µs","ts":"2023-12-04T19:59:52.5213911Z"}
{"caller":"logutil.go:70","component":"http","host":"127.0.0.1","level":"info","method":"GET","path":"/scep?operation=GetCACaps","proto":"HTTP/1.1","status":200,"ts":"2023-12-04T19:59:52.5213911Z","user_agent":""}
{"caller":"service_logging.go:34","component":"scep_service","err":null,"level":"info","message":"ignored","method":"GetCACert","took":"0s","ts":"2023-12-04T19:59:52.7001524Z"}
{"caller":"endpoint.go:186","error":null,"level":"info","op":"GetCACert","took":"751.3µs","ts":"2023-12-04T19:59:52.7009037Z"}
{"caller":"logutil.go:70","component":"http","host":"127.0.0.1","level":"info","method":"GET","path":"/scep?operation=GetCACert\u0026message=ignored","proto":"HTTP/1.1","status":200,"ts":"2023-12-04T19:59:52.7016148Z","user_agent":""}
{"caller":"service_logging.go:47","component":"scep_service","err":"pkcs7: cannot decrypt data: only RSA, DES, DES-EDE3, AES-256-CBC and AES-128-GCM supported","level":"info","method":"PKIOperation","took":"1.4114ms","ts":"2023-12-04T20:00:01.6054969Z"}
{"caller":"endpoint.go:186","error":null,"level":"info","op":"PKIOperation","took":"1.4968ms","ts":"2023-12-04T20:00:01.6055823Z"}
{"caller":"logutil.go:70","component":"http","host":"127.0.0.1","level":"info","method":"GET","path":"/scep?operation=PKIOperation\u0026message=MIIKOAYJKoZIhvcNAQcCoIIKKTCCCiUCAQExDDAKBggqhkiG9w0CBTCCBMAGCSqGSIb3DQEHAaCCBLEEggStMIIEqQYJKoZIhvcNAQcDoIIEmjCCBJYCAQAxggFtMIIBaQIBADBRMEwxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdzY2VwLWNhMRAwDgYDVQQLEwdTQ0VQIENBMRkwFwYDVQQDExBNSUNST01ETSBTQ0VQIENBAgEBMA0GCSqGSIb3DQEBAQUABIIBAI8wHEvdKnY%2FwMQvsPak%2Fqi3hYzV1ytCr94vCztVbt%2BnqnrXXs%2Bz0pcZ8oYkDdgWXtetbY7cmHjcnpAITvEpBkZAoAU4jDC7PAZzXDHAyBknEaFtNkn%2FmeRl%2FXLHVfZWmjdZih16yqtJr43R3eBqfHvGuUb5ondaWoSU%2FJbnPi1TTPI4oPNuqlTXtp7DDuK97iGhsw065GoYfxz%2FrjO8B7rI%2FTTn7CWbOXQCK4fRFs4xz4oRznG6IL3z1YYU%2BVtk3DEEwbPaN4fa2YK6c5FrOoKULs9f1Ws25BVD92SEWZrPMDoxVrDO%2FVtjoTayex3UHyPEXGQwjmYEapWjQI%2FyNiMwggMeBgkqhkiG9w0BBwYwHQYJYIZIAWUDBAEqBBApa9%2FCjhYuYqPPZ3fMmFGdgIIC8GaVPim1CCB26OSQjZDiJzrMcnkkBcqjP1qu8L5QuvrnZ0K3SimowBhD7fipjWdIAQVNSUhq4xRx9DaCvlmbUtAtFrc0x3uCTbHViCacckTQKKV8%2F%2Fs3kDkQh0XxMUc5Iq%2BNzqdxmnJDYyStys%2Fj0QWp%2FBqjDtIGh3HSG2MFL3Vnbcc4NvF2USewtpHLNFH%2F7fs%2F8886LsLOf6UmX0UKaViwfE9mPDhClFuXC5NV8qWdq97BFZqliJOle%2F%2BnMNkOr1Ln1hvVbzitlmO3QDIUeBZuCT4QOlHkdalMG%2FjKJICqmDow3RxmpIQuZUq%2F4Tzvf1V8BIbUON8uEwV9WIezvFZM7u5Bo0AcSkAy4dk8ZYuv6zEwgVTry9uOScPUS%2FATnxQdZBe5VmxjWjZRO8miVFK72iy1StOQ5ZeZ8mFCLW55iKAJWG6xRe3YERa5G5hSqO7E5SSu15ZhhWmSTWP963rcQ75an%2FNpL7zNbEAomlYx9OKs8gpuKPqU9DixPpU4RAftc6dPRtmFczShWObyvDl3jUPYYWeIlMsnOC3pyKPBu7sjl0mimsminW8%2FvIukZByX8sXDUIScxS3cfNMMAy8Ff%2Bwv6HWTy88GYida87BFyXObXR8BpVPvLc14Kgct%2FS00aBSkIaENVMChFAWGTyF%2FwqNuaydTAtmgUkQVOkZ0yrxDVd7DedT97sWjumF6cCWbkqk5TqdZgoER9WU1cg82BbXRi9%2BppA8ndMkstEkwBtGWX%2BkN55ybTAtiAq4W5Pas7RrIMD601XDqGFq83xIT6Niv66GnkJdgUdkT8GJvkAkQhhKL7cNMcc0uhycfljvUMG1DWgZa86geVyOPONOqd3R%2FTg%2FnKylOpwoXTasdtvEywmLY8GSwMcQYHWQ8HvZcNLcAUMa%2BAcoFh50kUENdkabAOPF3dqYLVYTUU60lJWFy%2BD1n%2FZ5g2H1MoFdHZ%2BqLQmce9NpeKKlRzIoHL%2BOMxnkQIjkfUT5SsC3m%2FU3moIIDOzCCAzcwggIfoAMCAQICCBr3UPqcAwJ2MA0GCSqGSIb3DQEBCwUAMCkxJzAlBgNVBAMTHkdhcmliYWxkaSBXSU4tOUhFODk2VlNUVTUgZ2RvaTAeFw0yMzEyMDMxNjA1NTBaFw0zMzEyMDExNjA1NTBaMCkxJzAlBgNVBAMTHkdhcmliYWxkaSBXSU4tOUhFODk2VlNUVTUgZ2RvaTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM%2FwlF%2BPJ9Z8MGFFrs26%2FI9MKiUZjrlzaTvl%2Ba4PFaq4%2B8jTpCAk1hQwl62LzL4ScQVoqCevDGPR54ecdbCb0CCCsZ4bBudnFpUovzGRRC%2FrcTgQgnOaKLqkfM0DLFnL6XaIpNWZP4xrvjYWphzwm5F3Kv7ScE2cKRLknfL21LYzjr8f1A%2B1jFfUBg3sQdOLpgmK80cqLb3Vch%2FjgAGrMnzt4hg39H3OZi9VCKYSpZbP4JJw3%2Bw0o7f4Ih0bs5PFC4VxnSYlcGG8nXlNNOb7Q32Bcikw6lBT02Il7JdKcLH%2F2KKI5IP%2FMD%2Bpi0AQAqlrVQw5lETlapttyLhjhQ%2FJzykCAwEAAaNjMGEwCwYDVR0PBAQDAgO4MBMGA1UdJQQMMAoGCCsGAQUFBwMBMD0GA1UdEQQ2MDSHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAGCCWxvY2FsaG9zdIIPV0lOLTlIRTg5NlZTVFU1MA0GCSqGSIb3DQEBCwUAA4IBAQBbfnDrBQp0j7qZOzvmwMeJwFZsJIYu6wxYOL4sAI1Q16SGRVDjXvxQjX8GS4NsmoeB%2FHKYmc4wncboIz4xad8FB6uIzzYlziwHDhtHkLhyi%2BooXtaE0B58cGySoeNuna9bTGkCfa6B9%2FvCZDzNbwauYSrEhdj51tKHYFkrlNuUbpIjnovadlCT6c3EsYNdtZuGtU%2F2SpOEnx93E9huWeP4l32xYMoBKXd8%2Bi3I4wyJcaCL3PTLgRT%2Bzw13R6%2FmAjCKv1Q%2FW3igJrIl4tBBex2r7mybRd0ZAXc7NSEiISCY8AZFPcBfzjxZ%2Bx1BtyS%2BQsCntUaoIKf5nssA4BD5YVHZMYICDTCCAgkCAQEwNTApMScwJQYDVQQDEx5HYXJpYmFsZGkgV0lOLTlIRTg5NlZTVFU1IGdkb2kCCBr3UPqcAwJ2MAoGCCqGSIb3DQIFoIGvMBIGCmCGSAGG%2BEUBCQIxBBMCMTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAfBgkqhkiG9w0BCQQxEgQQpbBktx53Eym2%2F%2BcagcyWuTAgBgpghkgBhvhFAQkFMRIEEOVCXExqooHIJ1jLmrdJhvMwPAYKYIZIAYb4RQEJBzEuEyx0alFoNzMzc3B4NC9UNW9ua2QyY1phNDQxTTNzUWh6aURGNkR5VW5wY2JZPTALBgkqhkiG9w0BAQEEggEAwwcwrZq3D9%2BhW9TUS2VGOQGQUUum60yo%2FNpkVjU7V%2Ffa%2Bglaj8DD8n%2BmFQSDNyp1UQnhdlj1iBK%2Badefi%2F1Iqu3abv7%2B7tkYIyUbdBCH5iA%2BRi34RbmqtugcZCPlD1GCXLuUj33SrYgQ1DDBpD5EnuUHa%2BylIuoSXI9u6jMp9vjRQe%2Fzx573zMmyc5duAZ1Vdsu6OAP5uUuj5f6fi1C40iY9qUXuoG9zkpbTMA8JLjuQWFUFrQwhNuwmROCVmUk7OiIhZLDQxb2IwP929W9Z4GMiJ9AXtYeSkbiPzKfnR73iJiWTXADZieuqLHvKauvyX1IpmFb2p2NjVODDBWIrUA%3D%3D","proto":"HTTP/1.1","status":500,"ts":"2023-12-04T20:00:01.6063806Z","user_agent":""}
From: Jesse Peterson ***@***.*** ***@***.***> >
Sent: Monday, December 4, 2023 2:38 PM
To: micromdm/scep ***@***.*** ***@***.***> >
Cc: herbfalkmi ***@***.*** ***@***.***> >; Author ***@***.*** ***@***.***> >
Subject: Re: [micromdm/scep] Custom SCEP Client works for NDES, not GO SCEP Server (Issue #224)
Which version are you using? Can you try 0.2.1 if you're using the beer est 0.2.2? Thanks!
—
Reply to this email directly, <#224 (comment)> view it on GitHub, or <https://github.com/notifications/unsubscribe-auth/AIL4G4L3WHWVEVOJXKZJT73YHYRDHAVCNFSM6AAAAABAGQKGRSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMZZGM2DQNJXGE> unsubscribe.
You are receiving this because you authored the thread. <https://github.com/notifications/beacon/AIL4G4LJPNLM5JCAW6JQP2DYHYRDHA5CNFSM6AAAAABAGQKGRSWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTTNUI5VW.gif> Message ID: < ***@***.***> ***@***.***>
|
|
@herbfalkmi that one's harder to debug without the private key, as it operates on the decrypted data. What SCEP client are you using? I see you're running on Windows, but it doesn't look like the built-in (MDM) SCEP client. It might be possible to replicate. If you run the server with a small patch here as follows, you should get some additional output with the decrypted CSR in it, which can then be inspected more easily. fmt.Println(base64.StdEncoding.EncodeToString(msg.pkiEnvelope))Alternatively, you can provide the cert + key. |
|
This is a custom Client, written based upon some Internet Examples. This is for a “special” procduct.
The CSR generation code is using BouncyCastle.
Here is the CSR generation…
static public void generateCSR(string commonName, System.Security.Cryptography.RSA rsa, out string csr, out string privateKey, string challengePW = null, string companyName = null, string division = null, string city = null, string state = null, string countryIso2Characters = null, string email = null)
{
/// <summary>
/// Generates certificate request in PKCS#10 format defined by RFC 2986.
/// This will also output the private key at the same time.
/// *******************************************
/// Notes / Handy references:
/// http://www.keylength.com/en/compare/
/// http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
/// </summary>
///
csr = null;
privateKey = null;
DerSequence challengePWSeq = null;
if (!String.IsNullOrEmpty(challengePW)) //if there is no pw, don't encode it
{
Asn1TaggedObject PwAndExtensions = createAttributeList(challengePW);
challengePWSeq = encodeCallengePW(PCICommonSCEP.Oids.Pkcs9.ChallengePWAttribute, challengePW);
}
DerSequence extensions = encodeRequestedExtensions();
RSAParameters mParms = rsa.ExportParameters(true);
RSAParameters mPubParms = rsa.ExportParameters(false);
byte[] rsaPrivateKey = rsa.ExportRSAPrivateKey();
try
{
#if mine
//original code
var rsaKeyPairGenerator = new RsaKeyPairGenerator();
// Note: the numbers {3, 5, 17, 257 or 65537} as Fermat primes.
// NIST doesn't allow a public exponent smaller than 65537, since smaller exponents are a problem if they aren't properly padded.
// Note: the default in openssl is '65537', i.e. 0x10001.
var genParam = new RsaKeyGenerationParameters
(BigInteger.ValueOf(0x10001), new SecureRandom(), 2048, 128);
rsaKeyPairGenerator.Init(genParam);
AsymmetricCipherKeyPair pair = rsaKeyPairGenerator.GenerateKeyPair();
#endif
RsaKeyParameters privateParm = new RsaKeyParameters(true, new BigInteger(1, mParms.Modulus), new BigInteger(1,mParms.D));
RsaKeyParameters pubParm = new RsaKeyParameters(false, new BigInteger(1, mParms.Modulus), new BigInteger(1,mParms.Exponent));
AsymmetricCipherKeyPair pair = new AsymmetricCipherKeyPair(pubParm, privateParm);
//
IDictionary attrs = new Hashtable();
attrs.Add(X509Name.CN, commonName);
if(null!=companyName)
attrs.Add(X509Name.O, companyName);
if (null != city)
attrs.Add(X509Name.L, city);
if (null != state)
attrs.Add(X509Name.ST, state);
if(null!= countryIso2Characters)
attrs.Add(X509Name.C, countryIso2Characters);
if (division != null)
{
attrs.Add(X509Name.OU, division);
}
if (email != null)
{
attrs.Add(X509Name.EmailAddress, email);
}
var subject = new X509Name(new ArrayList(attrs.Keys), attrs);
Pkcs10CertificationRequest pkcs10CertificationRequest = null;
if(null!= challengePWSeq)
pkcs10CertificationRequest = new Pkcs10CertificationRequest
(PkcsObjectIdentifiers.Sha256WithRsaEncryption.Id, subject, pair.Public, new DerSet(challengePWSeq,extensions), pair.Private);
else
pkcs10CertificationRequest = new Pkcs10CertificationRequest
(PkcsObjectIdentifiers.Sha256WithRsaEncryption.Id, subject, pair.Public, new DerSet(extensions), pair.Private);
Asn1Object obj = pkcs10CertificationRequest.ToAsn1Object();
byte[] temp = obj.GetDerEncoded();
csr = Convert.ToBase64String(temp);
//csr = Convert.ToBase64String(pkcs10CertificationRequest.GetEncoded());
var pkInfo = PrivateKeyInfoFactory.CreatePrivateKeyInfo(pair.Private);
privateKey = Convert.ToBase64String(pkInfo.GetDerEncoded());
}
catch (Exception ex)
{
// Note: handles errors on the page. Redirect to error page.
string emsg = ex.ToString();
}
}
}
I will try the server with the logging change. And get back to you.
From: Herman Slatman ***@***.***>
Sent: Monday, December 4, 2023 6:21 PM
To: micromdm/scep ***@***.***>
Cc: herbfalkmi ***@***.***>; Mention ***@***.***>
Subject: Re: [micromdm/scep] Custom SCEP Client works for NDES, not GO SCEP Server (Issue #224)
@herbfalkmi <https://github.com/herbfalkmi> that one's harder to debug without the contents, as it operates on the decrypted data.
What SCEP client are you using? I see you're running on Windows, but it doesn't look like the built-in (MDM) SCEP client. It might be possible to replicate.
If you run the server with a small patch here <https://github.com/micromdm/scep/blob/aa863fe13ac2d85ce4ac074cc259bf29b7798e9a/scep/scep.go#L351> as follows, you should get some additional output with the decrypted CSR in it, which can then be inspected more easily.
fmt.Println(base64.StdEncoding.EncodeToString(msg.pkiEnvelope))
Alternatively, you can provide the cert + key.
—
Reply to this email directly, view it on GitHub <#224 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIL4G4NC37ZXQHIH3C5L76DYHZLHNAVCNFSM6AAAAABAGQKGRSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMZZG4YDOMBXG4> .
You are receiving this because you were mentioned. <https://github.com/notifications/beacon/AIL4G4MGJAPBCXEEE4QBCOTYHZLHNA5CNFSM6AAAAABAGQKGRSWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTTNU6Z4K.gif> Message ID: ***@***.*** ***@***.***> >
|
|
I guess I have to compile the source. Was just running the EXE.
From: Herman Slatman ***@***.***>
Sent: Monday, December 4, 2023 6:21 PM
To: micromdm/scep ***@***.***>
Cc: herbfalkmi ***@***.***>; Mention ***@***.***>
Subject: Re: [micromdm/scep] Custom SCEP Client works for NDES, not GO SCEP Server (Issue #224)
@herbfalkmi <https://github.com/herbfalkmi> that one's harder to debug without the contents, as it operates on the decrypted data.
What SCEP client are you using? I see you're running on Windows, but it doesn't look like the built-in (MDM) SCEP client. It might be possible to replicate.
If you run the server with a small patch here <https://github.com/micromdm/scep/blob/aa863fe13ac2d85ce4ac074cc259bf29b7798e9a/scep/scep.go#L351> as follows, you should get some additional output with the decrypted CSR in it, which can then be inspected more easily.
fmt.Println(base64.StdEncoding.EncodeToString(msg.pkiEnvelope))
Alternatively, you can provide the cert + key.
—
Reply to this email directly, view it on GitHub <#224 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIL4G4NC37ZXQHIH3C5L76DYHZLHNAVCNFSM6AAAAABAGQKGRSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMZZG4YDOMBXG4> .
You are receiving this because you were mentioned. <https://github.com/notifications/beacon/AIL4G4MGJAPBCXEEE4QBCOTYHZLHNA5CNFSM6AAAAABAGQKGRSWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTTNU6Z4K.gif> Message ID: ***@***.*** ***@***.***> >
|
|
Putting that base64 data into Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=CN=Garibaldi WIN-9HE896VSTU5 gdoi
Subject Public Key Info:
Public Key Algorithm: RSA
Public-Key: (2048 bit)
Modulus:
d2:fa:4e:78:f8:0e:51:96:cd:c4:a4:a4:7a:61:e3:
28:52:35:03:16:1f:7c:10:fe:7b:8e:07:7a:52:40:
d8:0b:8e:36:c4:82:80:9b:fc:49:8b:b4:a7:fe:17:
88:31:30:2b:71:11:12:bb:d2:bc:d9:4c:7b:1b:30:
c5:b9:3d:ac:37:aa:08:43:17:df:2e:40:55:59:57:
fc:3b:0a:17:6a:d8:1a:ba:b0:e7:e9:43:47:7e:6e:
ea:24:8e:cf:b7:14:b2:34:59:23:e5:e9:55:72:3d:
18:9f:e3:79:45:c9:5b:27:73:50:c0:be:19:17:2f:
ad:ba:71:bb:c6:6c:21:ef:01:83:49:e1:ed:0e:bd:
d1:85:7f:81:56:47:f7:aa:26:bc:0d:d6:fa:22:81:
6f:ed:3c:6a:c1:37:44:be:e5:aa:50:04:f5:73:7c:
8d:e5:b9:9a:4d:66:a2:e8:2d:82:3d:34:07:42:b3:
46:26:65:9e:1f:0c:8a:b7:6f:7f:62:f6:bc:db:da:
04:a1:91:bd:02:5b:29:a5:cf:f6:7b:39:d8:fb:8d:
00:6d:89:87:31:e9:5c:3b:4e:85:22:6f:4e:6b:d9:
de:3b:00:f7:f5:7f:08:e8:9e:9f:28:e0:83:6f:96:
09:86:77:7c:cd:25:ec:c4:09:36:fb:71:ef:57:40:
99
Exponent: 65537 (0x10001)
Requested Extensions:
Attributes:
2.16.840.1.113733.9.7:
..J6....
7f:b5:4a:36:c1:12:09:c0
2.16.840.1.113733.9.2:
19
2.16.840.1.113733.9.5:
Dƭ.....+._0...z
44:c6:ad:a1:9f:b2:18:94:2b:04:5f:30:2e:ab:9c:7a
Signature Algorithm: SHA256-RSA
c3:8a:bd:16:d0:a9:b7:df:59:72:a2:3e:d5:d1:aa:70:68:16:
39:47:19:df:3a:2b:af:47:e0:31:bd:a1:d4:94:fc:52:19:ef:
b0:77:ec:de:af:21:b2:83:2d:a5:e2:0f:ca:1a:65:e0:27:6f:
cc:fe:cb:32:01:5b:15:71:4a:80:95:a8:4c:54:00:9d:f7:e3:
bf:5b:39:46:32:99:21:b2:41:9a:bc:16:68:ed:d1:a9:30:86:
54:15:4b:d7:0b:b7:e3:9c:d2:f3:a7:ea:06:d8:55:83:c9:52:
85:f1:1c:52:6a:72:d3:9e:62:4a:e3:8c:a5:9a:f9:00:d6:3e:
98:01:5a:83:06:b7:ec:ad:fe:b2:d3:0f:4a:41:80:f5:80:7b:
47:5e:64:bb:85:81:cc:80:d2:36:e0:de:99:16:0e:a0:3b:14:
71:84:c4:1d:27:64:59:27:83:56:75:05:f0:26:1b:c5:fb:1f:
7d:f7:cf:d6:d4:a4:6d:af:8f:a6:2e:d9:33:98:98:86:90:c7:
8d:51:99:dd:2b:f6:7f:01:ef:43:2c:b1:c0:a5:32:51:89:ce:
cf:83:9b:04:e9:00:0d:3a:31:ed:f5:27:7a:86:36:57:a2:73:
b5:b6:4a:77:d2:04:4d:c0:f0:3b:e9:de:33:5d:d0:2b:59:a1:
e1:9c:d1:0f
So that seems to work as expected; no ASN1 error in this case. Is it returning an error for you every time? Or only in some cases? |
|
Every time. I do not know GO and have been trying to figure out if it is worthwhile to compile and try to debug.
If you are willing to do a debug session I can send a Teams and repoint my SCEP Client to your SCEP Server?
That way we can debug both ends?
From: Herman Slatman ***@***.***>
Sent: Tuesday, December 5, 2023 2:36 PM
To: micromdm/scep ***@***.***>
Cc: herbfalkmi ***@***.***>; Mention ***@***.***>
Subject: Re: [micromdm/scep] Custom SCEP Client works for NDES, not GO SCEP Server (Issue #224)
Putting that base64 data into x509.ParseCertificateRequest results in the below certificate request data:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=CN=Garibaldi WIN-9HE896VSTU5 gdoi
Subject Public Key Info:
Public Key Algorithm: RSA
Public-Key: (2048 bit)
Modulus:
d2:fa:4e:78:f8:0e:51:96:cd:c4:a4:a4:7a:61:e3:
28:52:35:03:16:1f:7c:10:fe:7b:8e:07:7a:52:40:
d8:0b:8e:36:c4:82:80:9b:fc:49:8b:b4:a7:fe:17:
88:31:30:2b:71:11:12:bb:d2:bc:d9:4c:7b:1b:30:
c5:b9:3d:ac:37:aa:08:43:17:df:2e:40:55:59:57:
fc:3b:0a:17:6a:d8:1a:ba:b0:e7:e9:43:47:7e:6e:
ea:24:8e:cf:b7:14:b2:34:59:23:e5:e9:55:72:3d:
18:9f:e3:79:45:c9:5b:27:73:50:c0:be:19:17:2f:
ad:ba:71:bb:c6:6c:21:ef:01:83:49:e1:ed:0e:bd:
d1:85:7f:81:56:47:f7:aa:26:bc:0d:d6:fa:22:81:
6f:ed:3c:6a:c1:37:44:be:e5:aa:50:04:f5:73:7c:
8d:e5:b9:9a:4d:66:a2:e8:2d:82:3d:34:07:42:b3:
46:26:65:9e:1f:0c:8a:b7:6f:7f:62:f6:bc:db:da:
04:a1:91:bd:02:5b:29:a5:cf:f6:7b:39:d8:fb:8d:
00:6d:89:87:31:e9:5c:3b:4e:85:22:6f:4e:6b:d9:
de:3b:00:f7:f5:7f:08:e8:9e:9f:28:e0:83:6f:96:
09:86:77:7c:cd:25:ec:c4:09:36:fb:71:ef:57:40:
99
Exponent: 65537 (0x10001)
Requested Extensions:
Attributes:
2.16.840.1.113733.9.7:
..J6....
7f:b5:4a:36:c1:12:09:c0
2.16.840.1.113733.9.2:
19
2.16.840.1.113733.9.5:
Dƭ.....+._0...z
44:c6:ad:a1:9f:b2:18:94:2b:04:5f:30:2e:ab:9c:7a
Signature Algorithm: SHA256-RSA
c3:8a:bd:16:d0:a9:b7:df:59:72:a2:3e:d5:d1:aa:70:68:16:
39:47:19:df:3a:2b:af:47:e0:31:bd:a1:d4:94:fc:52:19:ef:
b0:77:ec:de:af:21:b2:83:2d:a5:e2:0f:ca:1a:65:e0:27:6f:
cc:fe:cb:32:01:5b:15:71:4a:80:95:a8:4c:54:00:9d:f7:e3:
bf:5b:39:46:32:99:21:b2:41:9a:bc:16:68:ed:d1:a9:30:86:
54:15:4b:d7:0b:b7:e3:9c:d2:f3:a7:ea:06:d8:55:83:c9:52:
85:f1:1c:52:6a:72:d3:9e:62:4a:e3:8c:a5:9a:f9:00:d6:3e:
98:01:5a:83:06:b7:ec:ad:fe:b2:d3:0f:4a:41:80:f5:80:7b:
47:5e:64:bb:85:81:cc:80:d2:36:e0:de:99:16:0e:a0:3b:14:
71:84:c4:1d:27:64:59:27:83:56:75:05:f0:26:1b:c5:fb:1f:
7d:f7:cf:d6:d4:a4:6d:af:8f:a6:2e:d9:33:98:98:86:90:c7:
8d:51:99:dd:2b:f6:7f:01:ef:43:2c:b1:c0:a5:32:51:89:ce:
cf:83:9b:04:e9:00:0d:3a:31:ed:f5:27:7a:86:36:57:a2:73:
b5:b6:4a:77:d2:04:4d:c0:f0:3b:e9:de:33:5d:d0:2b:59:a1:
e1:9c:d1:0f
So that seems to work as expected; no ASN1 error in this case.
Is it returning an error for you every time? Or only in some cases?
—
Reply to this email directly, view it on GitHub <#224 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIL4G4JLIFO6HMN6KVHXTK3YH5ZQVAVCNFSM6AAAAABAGQKGRSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNBRGQ4TINRSG4> .
You are receiving this because you were mentioned. <https://github.com/notifications/beacon/AIL4G4NF2SQNN5DM3TSUQKDYH5ZQVA5CNFSM6AAAAABAGQKGRSWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTTNYL5GG.gif> Message ID: ***@***.*** ***@***.***> >
|
|
@herbfalkmi so the CSR you provided previously wasn't the decrypted value? Compilation of the server is described here: https://github.com/micromdm/scep#compiling-from-source. At the moment I'm not inclined to do a remote debug session. |
|
Trying to compile the sourcecode on windows. Here is what the Make comes back with?
C:\goscep\scep>make win
GOOS=windows GOARCH=amd64 go build -ldflags "-X main.version=v2.2.0-1-gaa863fe" -o scepclient-windows-amd64.exe ./cmd/scepclient
'GOOS' is not recognized as an internal or external command,
operable program or batch file.
make: *** [scepclient-windows-amd64.exe] Error 1
From: Herman Slatman ***@***.***>
Sent: Tuesday, December 5, 2023 2:54 PM
To: micromdm/scep ***@***.***>
Cc: herbfalkmi ***@***.***>; Mention ***@***.***>
Subject: Re: [micromdm/scep] Custom SCEP Client works for NDES, not GO SCEP Server (Issue #224)
@herbfalkmi <https://github.com/herbfalkmi> so the CSR you provided previously wasn't the decrypted value?
Compilation of the server is described here: https://github.com/micromdm/scep#compiling-from-source.
At the moment I'm not inclined to do a remote debug session.
—
Reply to this email directly, view it on GitHub <#224 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIL4G4PEBFSXXUXAKLPXGOLYH53VNAVCNFSM6AAAAABAGQKGRSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNBRGUYTSNJYGE> .
You are receiving this because you were mentioned. <https://github.com/notifications/beacon/AIL4G4JL3JE2BHIFZJQPDYTYH53VNA5CNFSM6AAAAABAGQKGRSWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTTNYNN52.gif> Message ID: ***@***.*** ***@***.***> >
|
|
If you run |
|
Will give it a try tomorrowSent from my iPadOn Dec 10, 2023, at 4:42 PM, Herman Slatman ***@***.***> wrote:
If you run go build -ldflags "-X main.version=v2.2.0-1-gaa863fe" -o scepclient-windows-amd64.exe ./cmd/scepclient in your terminal, it'll pick the right values for your Windows installation automatically. Then you don't need to use make.
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
We have it compiled, with VSCode as the debugger. What is the go module I should run (e.g. entrance for the SCEP Server)?
Unfortunately, this is a stupid question, but I really don’t know GO.
From: Herman Slatman ***@***.***>
Sent: Sunday, December 10, 2023 4:43 PM
To: micromdm/scep ***@***.***>
Cc: herbfalkmi ***@***.***>; Mention ***@***.***>
Subject: Re: [micromdm/scep] Custom SCEP Client works for NDES, not GO SCEP Server (Issue #224)
If you run go build -ldflags "-X main.version=v2.2.0-1-gaa863fe" -o scepclient-windows-amd64.exe ./cmd/scepclient in your terminal, it'll pick the right values for your Windows installation automatically. Then you don't need to use make.
—
Reply to this email directly, view it on GitHub <#224 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIL4G4LOQRJ6HNZVFVGXM5TYIYUETAVCNFSM6AAAAABAGQKGRSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNBZGA4TKMJRHE> .
You are receiving this because you were mentioned. <https://github.com/notifications/beacon/AIL4G4NTSBDFPDGLSVKTRITYIYUETA5CNFSM6AAAAABAGQKGRSWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTTOG3Z46.gif> Message ID: ***@***.*** ***@***.***> >
|
|
Running it with an active debugger may not be required. Try adding the
That should print the decrypted message. |
|
Made the patch. I am attaching a couple of files.
The scepserveroutput.txt is from the SCEP Server. The additional fmt statement, when placed into the ASN decoder, does not show the signature. The CRSRequest file is what was included.
Comments?
From: Herman Slatman ***@***.***>
Sent: Monday, December 11, 2023 10:34 AM
To: micromdm/scep ***@***.***>
Cc: herbfalkmi ***@***.***>; Mention ***@***.***>
Subject: Re: [micromdm/scep] Custom SCEP Client works for NDES, not GO SCEP Server (Issue #224)
Running it with an active debugger may not be required. Try adding the fmt.Println (on line 351 in scep/scep/scep.go) as described below, compile it again, and then run it:
If you run the server with a small patch here<https://github.com/micromdm/scep/blob/aa863fe13ac2d85ce4ac074cc259bf29b7798e9a/scep/scep.go#L351> as follows, you should get some additional output with the decrypted CSR in it, which can then be inspected more easily.
fmt.Println(base64.StdEncoding.EncodeToString(msg.pkiEnvelope))
That should print the decrypted message.
—
Reply to this email directly, view it on GitHub<#224 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AIL4G4MD46GSOGSRO2AWTBDYI4RXDAVCNFSM6AAAAABAGQKGRSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNJQGMYTSNRUHE>.
You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>
MIIKgQYJKoZIhvcNAQcCoIIKcjCCCm4CAQExDTALBglghkgBZQMEAgEwggT3BgkqhkiG9w0BBwGgggToBIIE5DCCBOAGCSqGSIb3DQEHA6CCBNEwggTNAgEAMYIBhDCCAYACAQAwaDBRMRMwEQYKCZImiZPyLGQBGRYDY29tMRYwFAYKCZImiZPyLGQBGRYGcGNpdGVrMSIwIAYDVQQDExlwY2l0ZWstV0lOLUQ0U09DRDRJSTBELUNBAhNqAAAABDF6DnowOSOrAAAAAAAEMA0GCSqGSIb3DQEBAQUABIIBAANGbBvrgV1K3SgutLXnCigKJOygCSTL4ebQSTSYYusSReo0x5hb49EukmciLiQdokXcJSMifBGJrNHH3Gnoi9wqWajZzrlixWcAIffe2HwhBZUzrGja8zDqY6gi%2FISPA4plvXX%2FOvRV09rX2TrbdSPYhky6Ho6%2F1dVZlPzvSO3HB3RYrRc3BlI8%2Fqy8q5uDq6ApteyQzeSVftu8t84T5BfCfo9ZqIUrj%2BwAbHMaMwGl3gMvQGXu7XgLlWxIxK0dYY6dxgrhcZzDlG5VbRWkRvNCY4jzCaRgi8ZKnY8a2Qb2tSAOqUY8eq15bXz8WtRmUtoyUokyHPZ0FltMRKm9qE0wggM%2BBgkqhkiG9w0BBwYwHQYJYIZIAWUDBAEqBBCnjZvvhClaNFr63ufb%2BKuigIIDEE580GjnzlsyAT94Ayb3Rgtpt%2B6ESJgcqqyQtYFCNnTJl3DP1L3Lx9b3o8Z88G6YPyIDRVfaqTrNZnBzobDlqk5aKesmxCPh%2BqgNgCJ%2FQaRWgRvuHCNd%2B9%2B0unYs%2F2t%2FDl8Zx4CQctGCMVd5JchFRgZwOZSqqo2K2YW%2FhDjKF2%2BTOMtFpLpry6gT9EwSZzUf%2B52Bvd%2F8SoKCnew8u7XrTZDnG9lAlUJEBNgpBbjbwsoqV8rmXHz2JB%2FkZW%2FtNaNdjrk1Pb7EGUKY%2FRyMhfHLe4bBu3pNXk%2Byvm5ob8adz%2FhVfGeV9RhVe%2FS%2BQbn%2BVWPshKe10KqrngBPHBW2L0DKJI474cRZWecBEx6WOefmvBLzb5iAoSGy8Ims3Qfm0bkK2LBSDAYFGEXl%2FF5LBrH%2FJGpdf4gUrFGCzOtkFxhAZ9VMNrRy1M7lsGQjuA2SwYL43QZ1YZiZJxQ3vcMWVY4axCOfeLr%2Fqq%2B5OfqBXcu4ia%2B6TwtKzC4zDBim1mf0GNZ07hTwXuxOiQrsk%2FXttPwyCKedMaQnc0zoHSrrOzynnI0e1SKnEUySE367AQmk0z%2FjPnBZF69I2oMoqIDAHgJNAWWhMka8yB9OPfqsW5IPqJEwlNcxsx0ucr%2FWM9TvaIltVMdF2Q%2FUEsVt5TCGEoMYrGrXIToLUsgMzLYwr8fb4KkTkbvel6FXmEm1Hg1tLJAU4t9Mi0RU0jpKOd7q5QQe5kHMjK2m3FpTE1Nz5AsAJoCqCWmvEh8TxeybKjFrMT%2FlUinqqB2KlANsN7qJws8AAv8XFz1pExTf9RkNrRkKpHYvnhseQEBylW0AfTjC2AozBM9rpB8JmaGES7RZDm1f2veKv%2B86cYIjaPRxWg7wK7p9F3DY8Ybw2ozwrQIu3v0sHlcueT4yEgNxi3bhRVoAtvGnqCbRNV5IXc1KQ6%2FXxc0X%2BRcYV9zP%2FhrmsnxL%2FMSueiq6fyE8Q0wAwvIHsqt1Lt2LTDpiIIsGPMhglJYCKQ5ycdNXMqzeSxGaE94JH0DUNrrEX%2BoqURCSyL6%2FP3wJ9jCgggM7MIIDNzCCAh%2BgAwIBAgIIG%2FEhaWPZpp8wDQYJKoZIhvcNAQELBQAwKTEnMCUGA1UEAxMeR2FyaWJhbGRpIFdJTi05SEU4OTZWU1RVNSBnZG9pMB4XDTIzMTIwNjE0NTYyMVoXDTMzMTIwNDE0NTYyMVowKTEnMCUGA1UEAxMeR2FyaWJhbGRpIFdJTi05SEU4OTZWU1RVNSBnZG9pMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz77NHAN%2BN8%2Bf5LoxyshOpb2iTn2LQ%2FABbUnXK%2Bd71Zx3Laix6PDEmCYijxd83yrg%2FuN7EhPQJS3z06B9QDtTO6CH%2Fa3JQvXwd09RgHcR0jlwJXaVHfV9ZODzaElOdBe5SiuHYdbaTu29gwbJEnoAkZSuhYbP%2B9Oy6kYmDi5CKSS0tZlDzUjGRJ9Z9IWWyPAGqrrbVWQBHPCpSLKPdgj1kZ8gWm3%2BdHZfDCXuOLd0f9UW%2B5VnPZ7WzRYHsdSMrUujsUPlVy3aZUAvr5sxAPx5KNREtlaF2QTGTMp%2BmomIpm3uXFudkjVukDobAlrwigDyqioElrL4vOYqIWi3ect5AQIDAQABo2MwYTALBgNVHQ8EBAMCA7gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwPQYDVR0RBDYwNIcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAAYIJbG9jYWxob3N0gg9XSU4tOUhFODk2VlNUVTUwDQYJKoZIhvcNAQELBQADggEBACG191FjxSxsGCDGU0DzjjRwj2FKMF4QfayJNo72aphaEdJe1aeM6uILc%2B5N%2FJeG2tNwCZmpxBdjOQIaLhPbU1F0hPzFzDCvWrxcFaCNksK9p5C1sAel1N0W5TM4B9B3gnAQ%2BGItCt09uejFnAzO9VX7I5snoZdfNYb2bMFKs8aqmBI7swhWOrp2tyZYLB7H%2BcgR6EDskHH3115pqD3nCS7dmJURRgyAga5FFFXDJ0SnDIQ8Xvj8k%2FkmdGWMP4uenCU08wMXKNLNh8CFEx50%2FMAOHPsusGHeIyW5lYQf1T%2BQMUldzSNW74BcI2eQ7i8xJe9HTeKIfOeXenA71wMDpAsxggIeMIICGgIBATA1MCkxJzAlBgNVBAMTHkdhcmliYWxkaSBXSU4tOUhFODk2VlNUVTUgZ2RvaQIIG%2FEhaWPZpp8wCwYJYIZIAWUDBAIBoIG%2FMBIGCmCGSAGG%2BEUBCQIxBBMCMTcwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAgBgpghkgBhvhFAQkFMRIEEOela95NoMpuws899AmoAWwwLwYJKoZIhvcNAQkEMSIEILhlDJ2R7j%2F4he%2Bs0dLwG082cqTQyBuxh2ctMexsKOLAMDwGCmCGSAGG%2BEUBCQcxLhMsWU9qQ1BydEZTaXRWcjhocHB0V3JsTjVLRnh3NnVYWUpzWThlRmZvR3JSdz0wCwYJKoZIhvcNAQEBBIIBAApfpHwqP%2FzcHqMuEm93Fnsrv76gpo6yBrysxwC2VkmVdBgL1LCe%2FAm%2BiH2KeBPRdjJur8phrrksbYMN4azXw3FCi1UqpuDURFbgftfTk3lq4iDboNpwn3R%2FqnKc4YqYDJ5egLFI2xR9iqRg0iXKEUJcT4eZww%2Fz4HCd6wor9MaBRWjjgyJZ0f2cT3mMeAx5VOhRNi9e%2BgUw%2BrMtCBZFQF9zIkEJkZ2qZqicVAnBqgN7e4FXgiVix3ShfARJgcMSsT89cU5ahMAvRl7m%2F6oip7gbdzUbTU%2FP%2FJqBDAI%2FBeL0wWQUm94nKWqD7Xrk%2B19NToTprbVlcHwjH4ctmQWMJao%3D
C:\goscep>scepserver-windows-amd64 -port "5004" -log-json -debug "enable" -allowrenew "0" -challenge "disable" -debug
{"address":":5004","caller":"scepserver.go:176","level":"info","msg":"listening","transport":"http","ts":"2023-12-11T18:11:25.6541021Z"}
{"caller":"service_logging.go:22","component":"scep_service","err":null,"level":"info","method":"GetCACaps","took":"0s","ts":"2023-12-11T18:13:25.1849776Z"}
{"caller":"endpoint.go:186","error":null,"level":"info","op":"GetCACaps","took":"8.4182ms","ts":"2023-12-11T18:13:25.1933958Z"}
{"caller":"logutil.go:70","component":"http","host":"127.0.0.1","level":"info","method":"GET","path":"/scep?operation=GetCACaps","proto":"HTTP/1.1","status":200,"ts":"2023-12-11T18:13:25.194111Z","user_agent":""}
{"caller":"service_logging.go:34","component":"scep_service","err":null,"level":"info","message":"ignored","method":"GetCACert","took":"0s","ts":"2023-12-11T18:13:25.2087474Z"}
{"caller":"endpoint.go:186","error":null,"level":"info","op":"GetCACert","took":"2.4097ms","ts":"2023-12-11T18:13:25.2111571Z"}
{"caller":"logutil.go:70","component":"http","host":"127.0.0.1","level":"info","method":"GET","path":"/scep?operation=GetCACert\u0026message=ignored","proto":"HTTP/1.1","status":200,"ts":"2023-12-11T18:13:25.2111571Z","user_agent":""}
{"caller":"service_logging.go:22","component":"scep_service","err":null,"level":"info","method":"GetCACaps","took":"0s","ts":"2023-12-11T18:13:26.2258065Z"}
{"caller":"endpoint.go:186","error":null,"level":"info","op":"GetCACaps","took":"1.2204ms","ts":"2023-12-11T18:13:26.2270269Z"}
{"caller":"logutil.go:70","component":"http","host":"127.0.0.1","level":"info","method":"GET","path":"/scep?operation=GetCACaps","proto":"HTTP/1.1","status":200,"ts":"2023-12-11T18:13:26.2270269Z","user_agent":""}
{"caller":"service_logging.go:34","component":"scep_service","err":null,"level":"info","message":"ignored","method":"GetCACert","took":"0s","ts":"2023-12-11T18:13:34.851752Z"}
{"caller":"endpoint.go:186","error":null,"level":"info","op":"GetCACert","took":"7.465ms","ts":"2023-12-11T18:13:34.859217Z"}
{"caller":"logutil.go:70","component":"http","host":"127.0.0.1","level":"info","method":"GET","path":"/scep?operation=GetCACert\u0026message=ignored","proto":"HTTP/1.1","status":200,"ts":"2023-12-11T18:13:34.8599572Z","user_agent":""}
{"caller":"scep.go:279","level":"debug","msg":"parsed scep pkiMessage","scep_message_type":"PKCSReq (19)","transaction_id":"YPJlORD/cw9EEou5rqz1o6fyLuNyJ6xl3FmI3NqSQ+Y=","ts":"2023-12-11T18:13:44.0105256Z"}
MIIBVgIBADApMScwJQYDVQQDDB5HYXJpYmFsZGkgV0lOLTlIRTg5NlZTVFU1IGdkb2kwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9BupHAERv0sMFm2TJc5slQoeKI++TGPbkCKwC/c/VttYp+lotlHDo/UGMX1Wg2rTb7YxHLPTh9+KXv1IZJCHNCHeeMX00qeod2kYbJdJEKmbCVoSCyu89czQPS+6Rq3eokvS2L1LqHv238fj9la/bxTzeWJIu6N/O+yH1dsO+MP8Q44F1kjweL2YDQgOq+Jq7PAj4hMwe3oTmRV9HSfA3Sxhc1c83iZXExMwbjvq2j6ulCMqowjEEEJCzkaidyVKb4+hsZp7mZl4SzN/82LE1kHTQkbuyhOmb1rq+ckIzTWUBx3QkoLpF3rros1DC5Dt1yuxwztVQwSc5sVCc2W8ZAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAE/J8y48/ldJwsPAzhy6C8imaed7xYhnZ2qtKLAZ2/B1QZFUvWrlTUtlUHTbTPIfIDIjrQHGywcVlq0oCfES/6DmH3WLbFCvk3qRA88eJ3MUl6ls07P5Wr6tdFkVCpzIhb8Kuj0pyogYUyGBYLww+QGvxfrhrPRJPuSoYrzPVT+WHam6OuCNz31K68pAmMkm0bJzpDLyv4OzSWDF8QvW6G4OiGsWauBH5jSjU2UyiQnlnbZWIXOFRV4h4Hpakc9aHmXol1H8iDj80RaL3tWBMqfpa+f3CEulmJ18jesXPGzouMVOrEZJ1IJqLgIr76K4ja2unySDZ46BaV4nzL+1/PQ==
{"caller":"scep.go:357","level":"debug","msg":"decrypt pkiEnvelope","ts":"2023-12-11T18:13:44.0127707Z"}
{"caller":"service_logging.go:47","component":"scep_service","err":"parse CSR from pkiEnvelope: asn1: structure error: tags don't match (16 vs {class:0 tag:2 length:1 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:\u003cnil\u003e tag:\u003cnil\u003e stringType:0 timeType:0 set:false omitEmpty:false} tbsCertificateRequest @2","level":"info","method":"PKIOperation","took":"2.3985ms","ts":"2023-12-11T18:13:44.0127707Z"}
{"caller":"endpoint.go:186","error":null,"level":"info","op":"PKIOperation","took":"3.5299ms","ts":"2023-12-11T18:13:44.0139021Z"}
{"caller":"logutil.go:70","component":"http","host":"127.0.0.1","level":"info","method":"GET","path":"/scep?operation=PKIOperation\u0026message=MIIJrQYJKoZIhvcNAQcCoIIJnjCCCZoCAQExDTALBglghkgBZQMEAgEwggQjBgkqhkiG9w0BBwGgggQUBIIEEDCCBAwGCSqGSIb3DQEHA6CCA%2F0wggP5AgEAMYIBUDCCAUwCAQAwNDAvMQswCQYDVQQGEwJDQTENMAsGA1UEChMER0UtMjERMA8GA1UECxMITXVsdGlsaW4CAQEwDQYJKoZIhvcNAQEBBQAEggEAif%2Fon81e7p3Mj7aXd8cmPGZcLCK%2B0a3Ko65VpOIqvEq7292ZAs92XQ2klfUKGbxY9nagATG7JMKM97%2FPFU1SiYTKz20VahfmkUChN3CjCh%2Bk3gB6juck0YPSt4Apo2pMz6OLabNexzoG3e63RZn6zlM5zAnLioahqIblSV6rG10oYPt5IQQct2JPTk2ANDBK6kKvDLXW%2BdXULao8vy%2FbQIdRlMPxbLONd2VE88TQ5A%2FmkXE9sYVdqh7LHZRn%2Fy0AIt8Ao4wba5YeO%2BJS1TCAFN500GLvnN%2FMpTzGs7LzKk6fgtYzB1P8Qi2NMRx2a7Uwc2xwFxy3n0%2BsmdXBxOISaDCCAp4GCSqGSIb3DQEHBjAdBglghkgBZQMEASoEEFLUqW3TkH0N5ll%2FdeZ%2FMuaAggJw0uae6%2FPoP7OgIRgmnxPz31wNx4fHtEpsoWTLYDWBRQSV7uzJrrgvgCV3v8qQmpFJnwAfFuwNvwN6vS1BV7PWq355QVcoUliaG0%2FFtzWNC%2BIRbPg1mf9NceiY1%2FIYFbZ4oxjaejCyktMxGo1wGuNnZIbCs8jJTtaL4qwUqsjYfkq2oVAW5DvUyNNgNrneH8r5pvzMW155tm%2BnGoOuT5iP5bQLTXrH9WodvF%2FuDCEnDspMSqfhxDs5DdQvy%2BJYxe30f6UP3fmymW1CRUYLUqN76hreAen5rJKmtulx6XbYSTG3Tk7YXhMhhgwjvEYlMwS%2FQXliqxxKwER01pRS91TuGGCn4BzITmz%2FHCEAXsvAya6t87iffZ09pwqUT6acnIk%2Bq19XPHbkV47jPeZbXYGYIX6sw0kVv86f3HQcotrMjxjSNXa4MThqZbcNZQwDe5vxWlKjKEWCKPRxCK2cwVNL1Q%2FepIKKn8QEqbyq2Q1EFWpaWvNyAFTa2KDA2gJehq2cJMVV55P0ClxRcO2Kyw7UGnh7Y9MUC%2BJ0H%2BJDp0KosI1RuYqUiYgUoDbnHyCNA2iriV69hN1wrF6JBUB2GTJGO3YIaYuqeayRIhU4SzJFlO1Ei4Q5ZB%2BNVUfYbtOUkQXx38ikrdT6dFh6IaCJdflq7Y4O1l8LGEEh3m8%2BeGur7q8lObUpT6EtlA5VF9lZFYTWOK0qf%2BncaANyuNNbfUIEafu9LqjxFfnHmJx00TgyXAZT%2ByBt7bK1j%2B5bzxtviNqZRyWS6J3BLLfuP4dAM428d%2BrJdR1QZuTcGcPiT46KXtqb%2Ff823vKjcwfXAPNcLyQfoIIDOzCCAzcwggIfoAMCAQICCBKEBwnf9%2FFcMA0GCSqGSIb3DQEBCwUAMCkxJzAlBgNVBAMTHkdhcmliYWxkaSBXSU4tOUhFODk2VlNUVTUgZ2RvaTAeFw0yMzEyMTAxODEzMjZaFw0zMzEyMDgxODEzMjZaMCkxJzAlBgNVBAMTHkdhcmliYWxkaSBXSU4tOUhFODk2VlNUVTUgZ2RvaTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL0G6kcARG%2FSwwWbZMlzmyVCh4oj75MY9uQIrAL9z9W21in6Wi2UcOj9QYxfVaDatNvtjEcs9OH34pe%2FUhkkIc0Id54xfTSp6h3aRhsl0kQqZsJWhILK7z1zNA9L7pGrd6iS9LYvUuoe%2Fbfx%2BP2Vr9vFPN5Yki7o3877IfV2w74w%2FxDjgXWSPB4vZgNCA6r4mrs8CPiEzB7ehOZFX0dJ8DdLGFzVzzeJlcTEzBuO%2BraPq6UIyqjCMQQQkLORqJ3JUpvj6GxmnuZmXhLM3%2FzYsTWQdNCRu7KE6ZvWur5yQjNNZQHHdCSgukXeuuizUMLkO3XK7HDO1VDBJzmxUJzZbxkCAwEAAaNjMGEwCwYDVR0PBAQDAgO4MBMGA1UdJQQMMAoGCCsGAQUFBwMBMD0GA1UdEQQ2MDSHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAGCCWxvY2FsaG9zdIIPV0lOLTlIRTg5NlZTVFU1MA0GCSqGSIb3DQEBCwUAA4IBAQBL9ZA6higsktxF5wZ2zwJXtxl0%2BVThYGvvRfW1RQfsySghuvzAUAIUk3vvGWZQkEjsRA2Qc%2Fi3Di13vwOStkseItzNXMjRvsY%2Bm3qgt4siQduZmH99BQoffibVtbXrMlbpK6AoDNIRaa0Sbe3CFwyVH335Ty3qM82g8wIs%2FWJxgM9icitiP00kxArH3JRhxaBoXd7YoAvh9xTc80%2BJYh%2FuzWDG%2FVm0%2BL8dA%2FnJHNpQVeOYF6t7bPsk5HgPzuiz4XLMi05OrJgCyNMN7SxVzoVImdAOBZuTu%2Bh4kneUBtQxDms%2FjG3h%2FcgVGpuqI4kEL8H7CxGUu9L%2FuytZK5pPI277MYICHjCCAhoCAQEwNTApMScwJQYDVQQDEx5HYXJpYmFsZGkgV0lOLTlIRTg5NlZTVFU1IGdkb2kCCBKEBwnf9%2FFcMAsGCWCGSAFlAwQCAaCBvzASBgpghkgBhvhFAQkCMQQTAjE5MBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwIAYKYIZIAYb4RQEJBTESBBC%2Be3dKK3XJFe6rFF%2FX3yUKMC8GCSqGSIb3DQEJBDEiBCBCoTmk3BBZ%2BENBEJGwPpL8daC4yqDYviCUDNvXxw5AkDA8BgpghkgBhvhFAQkHMS4TLFlQSmxPUkQvY3c5RUVvdTVycXoxbzZmeUx1TnlKNnhsM0ZtSTNOcVNRK1k9MAsGCSqGSIb3DQEBAQSCAQB9izti3ngzlIRgYVO6BWU2FoPg6NfbBFBmm7ZeJ%2BpuCTnpoA2N9Efo4LNw1TQip4axCHxskOV2lrFxod8ASymOIE5iIExUuBL7tp5lR%2FyKcsiokXBbLs%2F5AJo6ZLLA7LaDz8ACGKUkCArOsZ4GeNhYj%2FznkZoqKLAY8jZb0N1dmr5o%2FFDWH2hrLtyG9caxZzrYPlZK3C4RJouLw%2BjX8MWktT50N5JT8xuTplSXfslMdooSh913JZh%2BRs8f1polk%2FfnpQBMhtjt9QIzHAb0G1QuNSiY%2FdzfGT9cxI4LxKaoOjfDgr2hqkxQFMYJIJ5o0Q%2BKd9S4Sxpc5mIlOqN1B5MI","proto":"HTTP/1.1","status":500,"ts":"2023-12-11T18:13:44.0139901Z","user_agent":""}
|
|
I tried running it locally with the MicroMDM SCEP server. Using the below base64-URL encoded data in a GET request with Postman to http://127.0.0.1:5004/scep?operation=PKIOperation&message= results in I get the same error using the following base64-url encoded data: So those messages seem to decode fine in my configuration. It looks like I'm using a similar one as yours, though. You could try adding more of these It might also be the case that the decryption fails, but I would expect a clear error message in that case. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The GO SCEP Server complains that it can't decrypt the PKC7 payload.
Here is a decode of the CMS information (minus being decrypted).
ContentInfo SEQUENCE (2 elem)
contentType ContentType OBJECT IDENTIFIER 1.2.840.113549.1.7.3 envelopedData (PKCS #7)
content [0] (1 elem)
EnvelopedData SEQUENCE (3 elem)
version CMSVersion INTEGER 0
recipientInfos RecipientInfos SET (1 elem)
RecipientInfo SEQUENCE (4 elem)
version CMSVersion INTEGER 0
rid RecipientIdentifier SEQUENCE (2 elem)
issuer Name SEQUENCE (4 elem)
RelativeDistinguishedName SET (1 elem)
AttributeTypeAndValue SEQUENCE (2 elem)
type AttributeType OBJECT IDENTIFIER 2.5.4.6 countryName (X.520 DN component)
value AttributeValue [?] PrintableString US
RelativeDistinguishedName SET (1 elem)
AttributeTypeAndValue SEQUENCE (2 elem)
type AttributeType OBJECT IDENTIFIER 2.5.4.10 organizationName (X.520 DN component)
value AttributeValue [?] PrintableString scep-ca
RelativeDistinguishedName SET (1 elem)
AttributeTypeAndValue SEQUENCE (2 elem)
type AttributeType OBJECT IDENTIFIER 2.5.4.11 organizationalUnitName (X.520 DN component)
value AttributeValue [?] PrintableString SCEP CA
RelativeDistinguishedName SET (1 elem)
AttributeTypeAndValue SEQUENCE (2 elem)
type AttributeType OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
value AttributeValue [?] PrintableString MICROMDM SCEP CA
serialNumber CertificateSerialNumber INTEGER 1
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier SEQUENCE (2 elem)
algorithm OBJECT IDENTIFIER 1.2.840.113549.1.1.1 rsaEncryption (PKCS #1)
parameters ANY NULL
encryptedKey EncryptedKey OCTET STRING (256 byte) 3DFA635EF5C92385CBBAEA03366AB54613C7523A814A7C7071DC62FAB1F01B72458A6…
encryptedContentInfo EncryptedContentInfo SEQUENCE (3 elem)
contentType ContentType OBJECT IDENTIFIER 1.2.840.113549.1.7.6 encryptedData (PKCS #7)
contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier SEQUENCE (2 elem)
algorithm OBJECT IDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC (NIST Algorithm)
parameters ANY OCTET STRING (16 byte) 11554D0A8B54B7E9357979080E0701B8
EncryptedContent [?] [0] (752 byte) 091B26A6F56E0546D302610A13EE597C739733F9B4D05DCC1B0E18390D250E09F4540…
Any Ideas?
The text was updated successfully, but these errors were encountered: