Bug 1808052 - Message failed verification: error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: certmonger
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Rob Crittenden
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 1825061
Reported: 2020-02-27 17:29 UTC by Graham Leggett
Modified: 2020-11-04 02:52 UTC (History)

Fixed In Version: certmonger-0.79.7-8.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-04 02:51:52 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links:
Red Hat Product Errata RHBA-2020:4671 (last updated 2020-11-04 02:52:13 UTC)

Description Graham Leggett 2020-02-27 17:29:00 UTC
Description of problem:

When trying to enroll a new certificate using the Redwax Interop testing CA, the attempt to enroll fails with the following error:

Feb 27 17:19:23 bob scep-submit[22086]: Message failed verification.
Feb 27 17:19:23 bob scep-submit[22086]: error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found
Feb 27 17:19:23 bob scep-submit[22086]: Error: failed to verify signature on server response.

Version-Release number of selected component (if applicable):

certmonger 0.79.7-3.el8

How reproducible:

Always

Steps to Reproduce:
1. Retrieve the RA and CA certificate as follows:

/usr/libexec/certmonger/scep-submit -u http://interop.redwax.eu/test/simple/scep -C

2. Add a SCEP CA as follows:

getcert add-scep-ca -c "Redwax Interop" -u http://interop.redwax.eu/test/simple/scep -R /etc/pki/interop/ca-cert.pem -r /etc/pki/interop/ra-cert.pem

3. Request a certificate as follows:

getcert request -f /etc/pki/interop/test.example.com.cert -k /etc/pki/interop/test.example.com.key -c "Redwax Interop" -I test.example.com -D test.example.com -G rsa -g 4096 -u digitalSignature -u keyEncipherment -L challenge

Actual results:

The scep request fails, and the following is logged:

Feb 27 17:19:23 bob scep-submit[22086]: Message failed verification.
Feb 27 17:19:23 bob scep-submit[22086]: error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found
Feb 27 17:19:23 bob scep-submit[22086]: Error: failed to verify signature on server response.

Expected results:

The scep request succeeds.

Additional info:

The following PKCS7 message cannot be verified by certmonger:

[root@bob ~]# openssl pkcs7 -print
PKCS7: 
  type: pkcs7-signedData (1.2.840.113549.1.7.2)
  d.sign: 
    version: 1
    md_algs:
        algorithm: sha256 (2.16.840.1.101.3.4.2.1)
        parameter: NULL
    contents: 
      type: pkcs7-data (1.2.840.113549.1.7.1)
      d.data: 
        0000 - 30 82 07 43 06 09 2a 86-48 86 f7 0d 01 07 03   0..C..*.H......
        000f - a0 82 07 34 30 82 07 30-02 01 00 31 82 02 57   ...40..0...1..W
        001e - 30 82 02 53 02 01 00 30-3b 30 17 31 15 30 13   0..S...0;0.1.0.
        002d - 06 03 55 04 03 13 0c 62-6f 62 2e 73 68 61 72   ..U....bob.shar
        003c - 70 2e 66 6d 02 20 06 a7-7b da c3 d3 71 dc 51   p.fm. ..{...q.Q
        004b - 75 e9 a7 14 0f 8b f6 e4-a8 2b 3d 1b 92 ac f8   u........+=....
        005a - 96 a1 2f 33 f7 d3 99 90-30 0d 06 09 2a 86 48   ../3....0...*.H
        0069 - 86 f7 0d 01 01 01 05 00-04 82 02 00 0b 38 bf   .............8.
        0078 - d0 fd 6c cc 0a 6b c3 a2-84 93 17 66 50 be f2   ..l..k.....fP..
        0087 - 81 d3 16 28 81 ca 1a 7f-5c b9 84 22 98 3d e7   ...(....\..".=.
        0096 - 86 8a 57 15 73 f9 59 34-60 37 15 5a e6 a0 3e   ..W.s.Y4`7.Z..>
        00a5 - 16 e3 0c 02 47 54 4f e3-6b 05 64 e8 d6 c7 a5   ....GTO.k.d....
        00b4 - 12 22 b0 6a d1 68 3b b5-f9 1b d4 50 c2 37 75   .".j.h;....P.7u
        00c3 - f2 f2 93 0e 61 e7 88 91-c8 d1 96 07 bb 03 ca   ....a..........
        00d2 - 95 e7 ba 02 15 74 1f e8-fe a8 7c c9 bd 33 67   .....t....|..3g
        00e1 - 25 ca bb 8b 87 18 88 33-45 25 b2 1f 75 01 6b   %......3E%..u.k
        00f0 - 58 d8 8d f9 4d d7 57 c0-a8 7a df 5b 77 f2 e3   X...M.W..z.[w..
        00ff - 1c ac 98 ad 5c 95 d2 33-7a 02 6f c6 a6 56 9e   ....\..3z.o..V.
        010e - 84 7f f6 6f ae d3 1d 42-c2 0d 9e ab 20 64 f7   ...o...B.... d.
        011d - 2c 59 6f e5 29 0f f8 2c-8b 8c c3 a4 ea 61 71   ,Yo.)..,.....aq
        012c - 0e 36 cc 9f 84 11 70 d6-ce 73 47 67 0e 25 32   .6....p..sGg.%2
        013b - d4 25 b1 52 b9 6e 82 49-39 8a e9 0f a0 c0 5b   .%.R.n.I9.....[
        014a - f8 1b 12 9b 38 c1 3a 88-82 53 00 93 6b 8e 12   ....8.:..S..k..
        0159 - 57 2b 33 e7 2f 72 14 98-78 06 7c 3d b9 09 e4   W+3./r..x.|=...
        0168 - 5f 2d d1 2d d1 69 d2 f2-09 1d 9c cb ed a6 3c   _-.-.i........<
        0177 - 52 27 fe b2 98 ee 60 f5-3e e7 c1 40 a6 9b 24   R'....`.>..@..$
        0186 - 66 6f ad 5a 98 c1 00 20-76 29 cd 74 54 77 ed   fo.Z... v).tTw.
        0195 - f5 a3 04 53 77 70 c2 35-17 d7 55 2b 2e 1e 13   ...Swp.5..U+...
        01a4 - 86 a8 21 2d 83 68 d1 9b-23 96 5c 49 0d 40 59   ..!-.h..#.\I.@Y
        01b3 - 06 f3 f8 ad 21 d5 24 34-87 6a b4 32 a8 17 22   ....!.$4.j.2.."
        01c2 - ba 97 4b e8 c7 b8 75 ec-96 6d 00 7b fb 90 9c   ..K...u..m.{...
        01d1 - f0 2e 95 bf d8 ef 83 93-b2 d2 db 68 de b0 32   ...........h..2
        01e0 - 3d a1 ce 2a 1f fc 01 33-84 52 21 91 d9 7b f0   =..*...3.R!..{.
        01ef - d8 ee 23 8d 34 bf 71 96-df 9f ed c5 5c 06 8a   ..#.4.q.....\..
        01fe - ea 11 08 16 78 61 08 55-3c 10 b7 26 92 40 71   ....xa.U<..&.@q
        020d - b8 4d bd b2 60 4f 1d f9-21 c4 6d 50 45 71 66   .M..`O..!.mPEqf
        021c - 18 a0 65 e3 ba a7 42 86-c0 b7 74 b5 ba ef ca   ..e...B...t....
        022b - 0f e0 a7 a4 63 27 76 a9-15 23 18 43 e4 88 69   ....c'v..#.C..i
        023a - 79 ae 41 3d 1b ce c2 5a-60 fc 91 72 73 ef cf   y.A=...Z`..rs..
        0249 - 1f 36 af 55 b5 53 54 b8-16 a3 70 9d 7b ed 3b   .6.U.ST...p.{.;
        0258 - 82 87 51 d7 2c 91 c7 75-0d 29 25 04 7e 80 27   ..Q.,..u.)%.~.'
        0267 - 11 ba c4 6b b4 53 ee 8c-22 d5 2c e5 20 ce 30   ...k.S..".,. .0
        0276 - 82 04 ce 06 09 2a 86 48-86 f7 0d 01 07 01 30   .....*.H......0
        0285 - 1d 06 09 60 86 48 01 65-03 04 01 02 04 10 96   ...`.H.e.......
        0294 - 83 b0 89 c3 f7 f6 90 61-3b f0 e8 b5 46 4d cc   .......a;...FM.
        02a3 - 80 82 04 a0 c7 a2 6a 69-c7 8b 5f bd a2 1f b2   ......ji.._....
        02b2 - e8 0a c3 ca c5 ef fc f8-af bd f3 a8 5b e5 ad   ............[..
        02c1 - fc 86 87 32 c5 fd 4d 13-29 a3 11 fe fb 64 67   ...2..M.)....dg
        02d0 - a2 4c f1 e6 cb 1b 04 ce-27 5f 66 99 52 1b ac   .L......'_f.R..
        02df - 86 43 c6 79 fc 03 0a 70-48 e0 6f 42 b3 77 8d   .C.y...pH.oB.w.
        02ee - 14 5b e7 0c d3 96 11 29-03 27 3c db 54 1c c8   .[.....).'<.T..
        02fd - 20 a1 74 a0 f8 18 46 ae-fd 06 10 a3 53 d8 2f    .t...F.....S./
        030c - bd 91 1b ff ca 68 0c f6-ee 17 9b bb 57 14 a2   .....h......W..
        031b - 4a 3a 30 f1 95 8a f5 d4-07 f0 42 0f 13 78 36   J:0.......B..x6
        032a - 03 7f f2 01 cd e6 23 e0-5f 1f 65 6b 99 51 3c   ......#._.ek.Q<
        0339 - b1 54 18 c5 0c 10 bb e3-fc 50 f5 e5 47 7b b3   .T.......P..G{.
        0348 - ca f9 b4 15 fe 4c 07 b5-29 f1 a7 d2 81 ac 3c   .....L..).....<
        0357 - 47 e1 6e 1c 33 e9 b8 04-cf ba 05 68 79 1b 03   G.n.3......hy..
        0366 - 32 0e 89 c4 97 92 fa 65-b0 72 f2 b3 99 24 c5   2......e.r...$.
        0375 - f0 9f c5 a4 59 8c 2c 2a-48 69 8a bc 77 2a dd   ....Y.,*Hi..w*.
        0384 - 16 6d 80 b5 13 13 96 e9-1b 6f 0f c9 0e ff 0a   .m.......o.....
        0393 - 9d 0f 7a e4 c7 74 83 46-b2 b6 7a 01 63 97 1a   ..z..t.F..z.c..
        03a2 - d7 75 b9 e2 7f 70 71 08-39 24 59 00 63 ce 78   .u...pq.9$Y.c.x
        03b1 - 29 3c 7b 69 1b bf 88 ef-e2 3a 05 ce ea fd 05   )<{i.....:.....
        03c0 - 9d 9c f7 b0 32 1d da d3-39 9c 66 ce 69 04 28   ....2...9.f.i.(
        03cf - e3 e3 c5 e2 1c b6 44 ad-a8 0d 17 75 8e 7d 00   ......D....u.}.
        03de - bd 1c 31 6e b8 a8 3e d4-72 9d 82 2e 93 6d 3c   ..1n..>.r....m<
        03ed - f7 4c b0 23 a2 c6 4e 10-3f 14 ce 53 c2 b6 6d   .L.#..N.?..S..m
        03fc - c2 2e d5 a8 26 8d 99 ef-11 04 7d c4 b6 47 1a   ....&.....}..G.
        040b - 28 ad be b1 19 02 e7 0a-d1 7f 7e 27 fe b9 eb   (.........~'...
        041a - db 12 88 ca 55 de 66 1a-a2 8c b5 c2 1c c1 1f   ....U.f........
        0429 - c2 79 a5 e1 ad 3f e0 34-6e 71 00 f4 be 8f 39   .y...?.4nq....9
        0438 - 32 a5 ab 70 c4 7d 20 c9-f9 55 29 6f 1d ca 30   2..p.} ..U)o..0
        0447 - 09 6e b3 92 15 6e f3 52-22 c7 94 eb 4f 35 18   .n...n.R"...O5.
        0456 - d8 67 52 f6 83 67 df 73-24 ad fe e4 90 b9 37   .gR..g.s$.....7
        0465 - eb 16 74 19 44 90 7a 34-31 e8 2e c4 99 2d 3e   ..t.D.z41....->
        0474 - 56 97 ea 7a d0 59 8f 71-65 56 58 69 07 f1 69   V..z.Y.qeVXi..i
        0483 - e9 3a e5 5f 37 74 9c 03-cd ff 5b a2 70 03 13   .:._7t....[.p..
        0492 - 4b 5e fd 57 2e 50 49 88-d5 cb 62 7c 39 98 78   K^.W.PI...b|9.x
        04a1 - 43 6c 5a f4 77 cd ab 65-6b 87 6e 86 e4 7d 57   ClZ.w..ek.n..}W
        04b0 - 82 9b 74 28 87 83 01 5f-db bd 12 ca c7 95 f5   ..t(..._.......
        04bf - 2b b9 ed 38 cf e4 5b fd-68 e0 14 a0 bb 54 dc   +..8..[.h....T.
        04ce - 80 20 3c 78 80 2b c9 cb-67 01 56 78 25 a7 e3   . <x.+..g.Vx%..
        04dd - df 21 4b 0d a4 f3 28 f0-30 ea 95 9e 94 f4 93   .!K...(.0......
        04ec - 7b d4 66 ee 35 80 71 91-66 ae 59 76 5c b8 bf   {.f.5.q.f.Yv\..
        04fb - 25 9f 72 76 0d da e8 b0-8f 0c 39 a5 49 bd 14   %.rv......9.I..
        050a - db 9a 51 d3 e6 70 93 18-c0 48 61 7a a3 6f 40   ..Q..p...Haz.o@
        0519 - 3e 93 13 97 21 5c 55 8c-29 a6 cf 14 0e ef 5a   >...!\U.).....Z
        0528 - 2b cc 36 d1 a6 54 91 da-72 63 33 5c 79 16 72   +.6..T..rc3\y.r
        0537 - 05 ee cf b6 a4 c6 42 30-c2 b6 a7 dc e6 bd 30   ......B0......0
        0546 - 05 8c fa d2 e7 9c a5 36-ca a3 8d ef 01 b3 4d   .......6......M
        0555 - e5 c0 05 a0 14 e7 05 45-58 47 28 fb 57 51 3a   .......EXG(.WQ:
        0564 - 26 af 2d 70 fe 78 8a a6-0d 4e f0 77 53 2a 5b   &.-p.x...N.wS*[
        0573 - 25 a7 1a 2b 03 bd 55 f9-53 06 47 3e 7b 17 b6   %..+..U.S.G>{..
        0582 - cf d3 9a 0b 39 25 60 76-51 56 25 85 53 2e 6a   ....9%`vQV%.S.j
        0591 - 9c 87 2b b1 80 56 9e 90-18 22 2e e0 10 92 76   ..+..V..."....v
        05a0 - 38 38 ce 54 55 87 df d9-67 fa 93 79 26 80 6b   88.TU...g..y&.k
        05af - 30 1c 7f 93 97 4f 42 36-c8 1b d4 80 38 b1 e3   0....OB6....8..
        05be - 68 5f 68 80 4e 01 96 71-9e 7e 89 d7 d1 14 34   h_h.N..q.~....4
        05cd - 83 d3 c2 b0 8d 95 29 7d-ec a0 da 73 d1 a7 63   ......)}...s..c
        05dc - 12 a3 f3 74 70 bb 21 43-7f d1 82 14 25 84 33   ...tp.!C....%.3
        05eb - 38 fc 0c 05 3e 97 5b 30-3e 8c 07 ea 72 02 93   8...>.[0>...r..
        05fa - 5a 5a 6c 92 75 87 ee 59-5d 76 eb 85 83 fc 55   ZZl.u..Y]v....U
        0609 - ab 05 6a 68 f9 ad 2e b2-9a 7f fb a3 93 b9 75   ..jh..........u
        0618 - 54 02 e1 82 95 56 5d d7-91 68 f6 22 be 27 96   T....V]..h.".'.
        0627 - 39 50 0a ea 77 aa ab cf-86 70 ff 79 db 54 1a   9P..w....p.y.T.
        0636 - bc 6e 5b d5 c7 1b f7 1d-ae c5 81 8b 73 d0 07   .n[.........s..
        0645 - ae f7 9f 6f 39 4b 43 84-0c 06 85 22 ff d1 15   ...o9KC...."...
        0654 - 10 d0 46 0b cb e0 b0 68-24 de 6f ab e3 b5 d7   ..F....h$.o....
        0663 - 0e 25 73 53 a9 28 28 99-57 df e0 3e 59 49 3f   .%sS.((.W..>YI?
        0672 - 81 10 4a 25 3d d3 27 b6-51 5b 92 b8 d6 c6 db   ..J%=.'.Q[.....
        0681 - 4e 52 39 53 c4 b9 54 1a-3f 90 26 84 28 93 95   NR9S..T.?.&.(..
        0690 - 98 d1 10 9b fa 34 42 65-8a 53 41 09 13 09 8b   .....4Be.SA....
        069f - 05 0b 22 f8 ac 44 38 f0-3d c2 b2 11 02 37 3b   .."..D8.=....7;
        06ae - 47 e8 9e 11 64 5f 3d 98-58 fe e4 bb e9 ef 89   G...d_=.X......
        06bd - f1 f1 b4 1d d2 4e af 68-2f 90 4a 04 e2 99 02   .....N.h/.J....
        06cc - e3 79 fa d1 74 85 da 06-d2 e1 28 a2 dd 32 d7   .y..t.....(..2.
        06db - b5 7b d9 55 3a 1a 5c e4-1c 96 84 82 4e 13 29   .{.U:.\.....N.)
        06ea - 0f b0 6e de 7c f2 0e ad-77 3e e6 3c 98 47 56   ..n.|...w>.<.GV
        06f9 - 73 17 b1 1b e0 da 4f 2e-7a f1 14 5a dc 84 0d   s.....O.z..Z...
        0708 - 76 71 11 9d 19 fc 6e 8b-95 f6 4d 59 69 dd f0   vq....n...MYi..
        0717 - d7 ba 62 92 4b bc 22 1e-46 45 17 fc a3 6b 33   ..b.K.".FE...k3
        0726 - 83 e9 9a f4 b6 8e 66 55-1b b3 38 be e0 86 22   ......fU..8..."
        0735 - 47 b2 d0 db b0 c1 68 62-b0 cb 3d c8 0d 4f 0c   G.....hb..=..O.
        0744 - 08 14 c1                                       ...
    cert:
      <ABSENT>
    crl:
      <ABSENT>
    signer_info:
        version: 1
        issuer_and_serial: 
          issuer: CN=Redwax Interop Testing Root Certificate Authority 2040, O=Redwax Project
          serial: 6
        digest_alg: 
          algorithm: sha256 (2.16.840.1.101.3.4.2.1)
          parameter: NULL
        auth_attr:
            object: undefined (2.16.840.1.113733.1.9.2)
            set:
              PRINTABLESTRING:3

            object: undefined (2.16.840.1.113733.1.9.3)
            set:
              PRINTABLESTRING:0

            object: contentType (1.2.840.113549.1.9.3)
            set:
              OBJECT:pkcs7-data (1.2.840.113549.1.7.1)

            object: signingTime (1.2.840.113549.1.9.5)
            set:
              UTCTIME:Feb 27 14:11:44 2020 GMT

            object: undefined (2.16.840.1.113733.1.9.5)
            set:
              OCTET STRING:
                0000 - 4b ea 07 c7 e3 58 7b d4-a9 2e f1 af 32   K....X{.....2
                000d - 16 76 06                                 .v.

            object: undefined (2.16.840.1.113733.1.9.6)
            set:
              OCTET STRING:
                0000 - 13 22 4d e0 73 1a 2b 55-0d 42 03 da d4   ."M.s.+U.B...
                000d - 49 bd 97                                 I..

            object: messageDigest (1.2.840.113549.1.9.4)
            set:
              OCTET STRING:
                0000 - 08 0d e8 53 cb 92 b0 60-a6 16 79 42 78   ...S...`..yBx
                000d - 17 fa a8 3c 78 6a e0 bd-dc 75 2f e8 eb   ...<xj...u/..
                001a - 30 81 14 c0 da a9                        0.....

            object: undefined (2.16.840.1.113733.1.9.7)
            set:
              PRINTABLESTRING:3009795364009497399191821446373870825032899820247616652657212371418777622928
        digest_enc_alg: 
          algorithm: rsaEncryption (1.2.840.113549.1.1.1)
          parameter: NULL
        enc_digest: 
          0000 - 39 78 6b de 2c 78 d0 1c-64 2e bb 8b 40 24 a4   9xk.,x..d...@$.
          000f - a8 56 a1 ca 1b e1 a5 0a-44 c8 78 b5 71 33 1c   .V......D.x.q3.
          001e - cf 43 1a 9c b0 f6 cd 7b-4f 28 8a f0 a1 2a 19   .C.....{O(...*.
          002d - 99 96 4d 5a f4 49 ac 95-63 3f e4 b1 5c 58 fb   ..MZ.I..c?..\X.
          003c - b7 8d 16 f9 1c 4c c4 79-ff e1 f1 82 69 02 19   .....L.y....i..
          004b - 5a cf d9 da b2 24 6c e6-67 1f fc 95 aa 29 0a   Z....$l.g....).
          005a - f7 6b d1 a6 d6 bf 86 a2-96 7d 4b 7c 72 55 bd   .k.......}K|rU.
          0069 - 3f 7d 8f 97 cd f0 73 f4-cb 40 e2 72 a9 d2 bc   ?}....s..@.r...
          0078 - ef 5b 98 28 23 fd a9 c8-2c e6 fc 30 e0 b2 64   .[.(#...,..0..d
          0087 - d4 9a db b8 b4 1c 76 1b-39 40 63 85 b9 c0 d7   ......v.9@c....
          0096 - 66 eb 2f 1f 60 84 c3 11-07 09 a9 c1 38 73 e9   f./.`.......8s.
          00a5 - 85 db e0 87 b2 e0 69 44-dd 9b 98 68 99 dd 29   ......iD...h..)
          00b4 - b6 ae 77 da d5 57 fa 7e-f5 42 19 9c 96 6b 8a   ..w..W.~.B...k.
          00c3 - f0 99 b0 36 29 4e 90 3f-a4 45 e4 2a 21 e2 0e   ...6)N.?.E.*!..
          00d2 - aa d7 b2 05 98 50 a0 0f-81 70 4b 66 93 73 3f   .....P...pKf.s?
          00e1 - 7f 9b cf 6e 4e af 74 f5-7f ad 7a af e8 dc 6d   ...nN.t...z...m
          00f0 - fb 80 09 81 f7 fb f4 d7-e6 d8 1e 78 59 42 53   ...........xYBS
          00ff - a8 5e 30 4a 67 6b ff da-6a 5c c5 dc 69 5c a9   .^0Jgk..j\..i\.
          010e - 0b b4 20 36 31 8b 33 91-d2 95 4d 6a ef ac 9e   .. 61.3...Mj...
          011d - a4 93 bb 99 54 b5 dc d4-7e 43 7c a5 9b 10 2d   ....T...~C|...-
          012c - 9a 7a 97 3a c5 18 4a 16-0f c9 8f ec 0c 38 dc   .z.:..J......8.
          013b - bd a8 ba 57 c6 f4 80 63-ac 17 f7 8c 5a ba 8e   ...W...c....Z..
          014a - 77 0f 11 fd fd 05 de 76-03 e2 4b 34 90 fe 96   w......v..K4...
          0159 - 9d 5f 8a c2 79 8e 57 29-39 03 f6 7c b6 d5 33   ._..y.W)9..|..3
          0168 - d6 81 ff db b1 5d b6 b9-d6 b6 36 19 45 e7 97   .....]....6.E..
          0177 - f3 fe ee 40 90 19 3d 87-5b f5 c6 a7 66 79 99   ...@..=.[...fy.
          0186 - f7 e2 53 43 a2 af 80 98-09 25 1d 7f 46 1d 95   ..SC.....%..F..
          0195 - f6 43 45 18 60 6d de 31-9d cf 28 99 c7 8a 3f   .CE.`m.1..(...?
          01a4 - 33 a5 19 78 80 c1 93 00-6c 4c 03 3a 15 66 e9   3..x....lL.:.f.
          01b3 - 99 e2 ff 20 b7 e4 db a7-5b 02 43 e8 13 10 18   ... ....[.C....
          01c2 - 59 97 40 c0 84 1b a5 cf-b5 df 7a 4d 54 be 28   Y.@.......zMT.(
          01d1 - 7d fc 81 68 e3 a0 06 78-e2 69 f8 5d c0 94 e4   }..h...x.i.]...
          01e0 - 6f 8b 2c 0c 5b 2e 20 5e-aa 68 96 c9 b3 8b a2   o.,.[. ^.h.....
          01ef - ef 7b ee aa b4 a6 8e 17-fa 54 f3 93 00 2c 01   .{.......T...,.
          01fe - bd 35                                          .5
        unauth_attr:
          <ABSENT>
-----BEGIN PKCS7-----
…
-----END PKCS7-----

Comment 1 Rob Crittenden 2020-02-28 14:52:08 UTC
Can you try re-creating the SCEP CA and add -I /etc/pki/interop/ca-cert.pem

Comment 2 Graham Leggett 2020-02-28 17:48:09 UTC
That worked, and I'm trying to work out why.

Taking your advice, the CA was created like this:

[root@bob ~]# getcert add-scep-ca -c "Redwax Interop" -u http://interop.redwax.eu/test/simple/scep -R /etc/pki/interop/ca-cert.pem -r /etc/pki/interop/ra-cert.pem -I /etc/pki/interop/ca-cert.pem -v -v -v

and the request like this:

[root@bob ~]# getcert request -f /etc/pki/interop/test.example.com.cert -k /etc/pki/interop/test.example.com.key -c "Redwax Interop" -I test.example.com -D test.example.com -G rsa -g 4096 -u digitalSignature -u keyEncipherment -L challenge

Resulting in a certificate like this:

[root@bob ~]# getcert list
Number of certificates and requests being tracked: 1.
Request ID 'test.example.com':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/interop/test.example.com.key'
	certificate: type=FILE,location='/etc/pki/interop/test.example.com.cert'
	signing request thumbprint (MD5): 29311BB1 B8130762 191CF677 1EE7C10A
	signing request thumbprint (SHA1): 79EF9367 32A65CD5 432EDD20 05E24E65 7F2DECB4
	CA: Redwax Interop
	issuer: O=Redwax Project,CN=Redwax Interop Testing Root Certificate Authority 2040
	subject: CN=bob.sharp.fm
	expires: 2020-02-29 17:40:51 GMT
	key usage: digitalSignature,nonRepudiation,keyEncipherment
	eku: id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

Looking at man getcert-add-scep-ca, there is this:

       -R ca-certificate-file
              The location of a PEM-formatted copy of the SCEP server's CA's certificate. A discovered value is supplied by the certmonger daemon for use in verifying the signature on data returned by the SCEP server, but it is not used for verifying HTTPS server certificates. This option must be specified if the URL is an https location.

This confuses me - "for use in verifying the signature on data returned by the SCEP server" - what is this certificate used for, if not this?

There is also this in the man page:

       -I other-certificates-file
              The location of a file containing other PEM-formatted certificates which may be needed in order to properly verify signed responses sent by the SCEP server back to the client.

Also confuses me - in reality this is the CA certificate that issued the RA certificate that signed the PKCS7 messages? The docs imply this would be intermediate certificates, not the CA certificate.

Would it be possible to confirm if the code is wrong, or the docs are wrong?

Comment 3 Graham Leggett 2020-02-28 18:06:58 UTC
To sum up, the automatic setup querying the scep server for the CA and RA server doesn't work, instead you have to set the CA certificate manually as an "other certificate":

getcert add-scep-ca -c "Redwax Interop" -u http://interop.redwax.eu/test/simple/scep -v -v -v

The workaround as above is this:

getcert add-scep-ca -c "Redwax Interop" -u http://interop.redwax.eu/test/simple/scep -I /etc/pki/interop/ca-cert.pem -v -v -v

Comment 4 Rob Crittenden 2020-02-28 20:02:26 UTC
I noticed that the PKCS#7 file was signed by the CA (educated guess based on subject).

-I specifies other certificates that can be used to verify the PKCS#7 response. The -R version of the CA is only used for TLS validation for the case where the URI is secured.

I think the query worked in that it perhaps returned the right certs (I have no idea how to verify in your case) but the SCEP server is signing the response with the CA cert rather than the RA cert.

And sadly until I get the upstream PR https://pagure.io/certmonger/pull-request/145 merged the -v will all be silently dropped.

Comment 5 Graham Leggett 2020-02-28 22:09:09 UTC
Just checked from the bottom up to be 100% sure, as openssl doesn't have a way to verify a signature on a PKCS7 that doesn't also want a lot of smime headers.

Config is:

<Location /test/simple/scep>
  Require all granted
  SetHandler scep
  ScepRACertificate /etc/pki/interop/scep-ra.cert
  ScepRAKey /etc/pki/interop/private/scep-ra.key
  ScepSubjectRequest O
  ScepSubjectRequest CN
  ScepSubjectRequest C
  ScepSubjectAltNameRequest rfc822Name
</Location>

The RA certificate looks like this, and has the issuer and serial number that is in the PKCS7 signature:

[root@coconut ~]# openssl x509 -text -in /etc/pki/interop/scep-ra.cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Redwax Interop Testing Root Certificate Authority 2040, O = Redwax Project
        Validity
            Not Before: Feb 15 20:53:52 2020 GMT
            Not After : Feb 10 20:53:52 2040 GMT
        Subject: C = NL, ST = Zuid-Holland, L = Leiden, O = SCEP, CN = Redwax Interop Test SCEP RA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:e9:76:a4:b7:8e:c0:0e:8c:39:6d:93:a4:3c:67:
                    46:92:9a:06:c3:f9:fe:f3:30:67:61:44:15:27:b7:
                    68:60:ac:7c:cd:e6:72:3c:f0:50:69:6a:31:42:0d:
                    91:81:84:d5:31:e4:6f:07:26:ef:62:1c:bf:11:65:
                    68:a2:c0:4b:63:b3:7b:6a:4d:d2:00:20:33:4c:c5:
                    24:31:cb:9e:26:ac:57:b6:22:fe:69:52:ec:26:0f:
                    9b:83:03:b3:7d:4c:0c:49:00:5d:93:d4:23:5c:a9:
                    a4:fe:d2:45:dc:fe:ce:cb:97:ac:24:6b:bd:4a:0e:
                    23:b6:07:e8:34:a8:82:aa:f7:7b:97:f8:84:f7:ac:
                    9f:f9:53:73:46:cc:e7:ac:e7:75:25:62:d5:71:9e:
                    b7:4b:dc:3e:fe:22:aa:fe:75:18:d6:0c:06:f4:14:
                    7c:4c:8c:97:08:71:f9:51:82:d9:a4:5f:18:ce:c9:
                    42:e3:86:81:92:7c:70:8d:aa:fe:e7:33:78:f0:93:
                    d5:77:2c:1f:7b:a2:6a:69:0d:5a:36:16:8d:73:d4:
                    36:f4:7e:6e:bb:5e:e4:a0:08:21:bf:c8:41:8d:c9:
                    f5:fa:00:af:e8:16:a5:da:d5:19:6d:7e:3c:de:24:
                    b6:79:62:03:88:1b:39:2a:b6:a3:d7:f9:c2:35:fa:
                    a7:78:41:25:8b:69:28:23:68:8f:ff:10:da:3d:3b:
                    9a:ec:77:37:b2:66:b7:a4:37:4b:4e:a2:ed:b5:9c:
                    59:1c:76:cd:9f:53:fc:f9:35:39:a1:96:0f:2b:2f:
                    a9:02:6c:1b:64:ea:7b:f4:cf:05:76:02:de:92:97:
                    ab:c4:1b:18:96:18:fd:f9:af:5a:26:46:60:89:4b:
                    ff:a7:78:d4:a6:6c:32:7d:f0:54:d0:7a:7c:52:c6:
                    a7:ca:c9:1d:3c:78:1e:f6:25:fd:75:cc:83:35:54:
                    71:5e:c6:84:5a:74:0d:bb:dd:e5:ee:7d:e9:9e:f8:
                    74:1a:18:55:51:ab:61:e1:bb:ee:73:af:d0:f1:73:
                    9d:ce:2b:cd:b6:b5:72:1c:c5:19:37:31:60:bb:91:
                    56:8e:22:a9:69:70:55:57:7d:73:5e:b4:d8:cf:93:
                    86:7d:2e:7e:0e:de:5e:42:af:78:71:ee:5b:fb:ad:
                    d6:ae:7d:18:f7:40:a4:63:06:47:cb:ba:0e:61:1d:
                    a8:87:26:2f:14:4e:76:c9:ad:b2:20:75:17:f7:bc:
                    e4:d2:31:e8:f8:71:a7:71:ad:84:3e:b6:d9:18:5a:
                    b0:3a:6b:85:10:4a:e9:a9:fe:aa:48:76:6b:8e:31:
                    ad:d0:26:56:3f:f3:a8:0a:a0:78:69:43:ed:02:0a:
                    63:e7:c9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier: 
                2C:14:AC:3D:6D:3B:A4:1F:F8:2A:36:2D:CE:F1:16:65:57:C0:FA:63
            X509v3 Authority Key Identifier: 
                keyid:ED:75:DE:35:14:3C:47:23:F1:B1:1A:E4:13:43:8C:BB:CC:C2:2B:56
                DirName:/CN=Redwax Interop Testing Root Certificate Authority 2040/O=Redwax Project
                serial:6F:11:B7:D8:55:D2:7D:9A:14:F3:B6:E9:15:2B:60:CA:8C:4B:E2:AA

    Signature Algorithm: sha256WithRSAEncryption
         7e:fd:9f:71:a5:d5:50:f0:a0:f5:da:c6:32:31:cb:f1:de:3e:
         d8:79:1e:20:d4:f7:a9:c5:6f:fc:c2:47:cd:f1:ba:bf:92:ab:
         1a:57:f8:85:da:cb:54:f6:28:59:d9:8d:ee:0c:02:66:39:78:
         f7:03:99:79:f1:25:67:d6:ca:4c:60:32:c2:82:25:ab:02:c1:
         91:ea:59:ad:e3:0e:28:91:c1:91:69:37:87:42:b3:8e:7d:7c:
         01:09:cd:11:34:32:34:11:b5:98:47:ab:8e:9f:5e:40:5d:03:
         a1:ac:ed:cf:42:ff:34:0c:5c:e5:ac:f3:97:3e:7d:3f:45:5f:
         48:95:b1:af:69:f2:ba:f5:5a:98:65:a1:93:ad:df:a2:1e:47:
         ad:3d:42:d8:b0:02:7a:bb:44:f8:b6:b9:39:e7:a3:36:f9:1b:
         9c:ca:86:8f:b7:2a:71:17:46:ab:bd:76:d7:31:4c:63:84:c4:
         b2:08:41:58:8b:d9:e2:0d:1d:5a:fa:23:79:7f:02:52:bd:b5:
         1c:5a:e3:fb:c0:88:a1:5f:2f:72:18:39:7b:a7:c1:22:3c:da:
         34:9f:91:bf:e7:df:3b:92:21:85:9d:cc:34:eb:93:66:ae:d6:
         5e:0d:29:42:5f:30:ab:e6:2b:27:4f:53:bb:d0:4f:e1:eb:ef:
         a2:84:9f:aa
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

Signing on the mod_scep side happens here:

https://source.redwax.eu/projects/RS/repos/mod_scep/browse/mod_scep.c#1612

RA cert is set here:

https://source.redwax.eu/projects/RS/repos/mod_scep/browse/mod_scep.c#335

from this directive:

https://source.redwax.eu/projects/RS/repos/mod_scep/browse/mod_scep.c#652

The scep GetCACert returns both the RA cert, and the CA cert that signed the RA cert, and these both appear in the certmonger config file:

id=Redwax Interop
ca_aka=SCEP (certmonger 0.79.7)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/scep-submit -u http://interop.redwax.eu/test/simple/scep     -I /etc/pki/interop/ca-cert.pem 
ca_capabilities=AES,POSTPKIOperation,SHA-1,SHA-256,SHA-512,SCEPStandard
ca_encryption_cert=-----BEGIN CERTIFICATE-----
 MIIFFzCCA/+gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMT8wPQYDVQQDEzZSZWR3
 YXggSW50ZXJvcCBUZXN0aW5nIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIw
 NDAxFzAVBgNVBAoTDlJlZHdheCBQcm9qZWN0MB4XDTIwMDIxNTIwNTM1MloXDTQw
 MDIxMDIwNTM1MlowajELMAkGA1UEBhMCTkwxFTATBgNVBAgMDFp1aWQtSG9sbGFu
 ZDEPMA0GA1UEBwwGTGVpZGVuMQ0wCwYDVQQKDARTQ0VQMSQwIgYDVQQDDBtSZWR3
 YXggSW50ZXJvcCBUZXN0IFNDRVAgUkEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
 ggIKAoICAQDpdqS3jsAOjDltk6Q8Z0aSmgbD+f7zMGdhRBUnt2hgrHzN5nI88FBp
 ajFCDZGBhNUx5G8HJu9iHL8RZWiiwEtjs3tqTdIAIDNMxSQxy54mrFe2Iv5pUuwm
 D5uDA7N9TAxJAF2T1CNcqaT+0kXc/s7Ll6wka71KDiO2B+g0qIKq93uX+IT3rJ/5
 U3NGzOes53UlYtVxnrdL3D7+Iqr+dRjWDAb0FHxMjJcIcflRgtmkXxjOyULjhoGS
 fHCNqv7nM3jwk9V3LB97omppDVo2Fo1z1Db0fm67XuSgCCG/yEGNyfX6AK/oFqXa
 1RltfjzeJLZ5YgOIGzkqtqPX+cI1+qd4QSWLaSgjaI//ENo9O5rsdzeyZrekN0tO
 ou21nFkcds2fU/z5NTmhlg8rL6kCbBtk6nv0zwV2At6Sl6vEGxiWGP35r1omRmCJ
 S/+neNSmbDJ98FTQenxSxqfKyR08eB72Jf11zIM1VHFexoRadA273eXufeme+HQa
 GFVRq2Hhu+5zr9Dxc53OK822tXIcxRk3MWC7kVaOIqlpcFVXfXNetNjPk4Z9Ln4O
 3l5Cr3hx7lv7rdaufRj3QKRjBkfLug5hHaiHJi8UTnbJrbIgdRf3vOTSMej4cadx
 rYQ+ttkYWrA6a4UQSump/qpIdmuOMa3QJlY/86gKoHhpQ+0CCmPnyQIDAQABo4HX
 MIHUMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgWgMB0GA1UdDgQWBBQsFKw9bTuk
 H/gqNi3O8RZlV8D6YzCBlwYDVR0jBIGPMIGMgBTtdd41FDxHI/GxGuQTQ4y7zMIr
 VqFepFwwWjE/MD0GA1UEAxM2UmVkd2F4IEludGVyb3AgVGVzdGluZyBSb290IENl
 cnRpZmljYXRlIEF1dGhvcml0eSAyMDQwMRcwFQYDVQQKEw5SZWR3YXggUHJvamVj
 dIIUbxG32FXSfZoU87bpFStgyoxL4qowDQYJKoZIhvcNAQELBQADggEBAH79n3Gl
 1VDwoPXaxjIxy/HePth5HiDU96nFb/zCR83xur+SqxpX+IXay1T2KFnZje4MAmY5
 ePcDmXnxJWfWykxgMsKCJasCwZHqWa3jDiiRwZFpN4dCs459fAEJzRE0MjQRtZhH
 q46fXkBdA6Gs7c9C/zQMXOWs85c+fT9FX0iVsa9p8rr1WphloZOt36IeR609Qtiw
 Anq7RPi2uTnnozb5G5zKho+3KnEXRqu9dtcxTGOExLIIQViL2eINHVr6I3l/AlK9
 tRxa4/vAiKFfL3IYOXunwSI82jSfkb/n3zuSIYWdzDTrk2au1l4NKUJfMKvmKydP
 U7vQT+Hr76KEn6o=
 -----END CERTIFICATE-----
ca_encryption_issuer_cert=-----BEGIN CERTIFICATE-----
 MIIEDTCCAvWgAwIBAgIUbxG32FXSfZoU87bpFStgyoxL4qowDQYJKoZIhvcNAQEF
 BQAwWjE/MD0GA1UEAxM2UmVkd2F4IEludGVyb3AgVGVzdGluZyBSb290IENlcnRp
 ZmljYXRlIEF1dGhvcml0eSAyMDQwMRcwFQYDVQQKEw5SZWR3YXggUHJvamVjdDAe
 Fw0yMDAyMTExNjM4NTZaFw00MDAyMDYxNjM4NTZaMFoxPzA9BgNVBAMTNlJlZHdh
 eCBJbnRlcm9wIFRlc3RpbmcgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjA0
 MDEXMBUGA1UEChMOUmVkd2F4IFByb2plY3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB
 DwAwggEKAoIBAQDnICcjGF9EcH0kRu9TgqiXAV+YdBUOjV4jG9wCbJdZMv6tGYWY
 IPszrK3Cmw49uMbMgAEL/hB2mr/gZIFMQ0rs2GWwkaKolvg0rw9gE8PwR2p6jthu
 L+CzocyHkc27f/UGhekYSnbcgIitFNseaJWEI/d+eF8LPkPXhsSUVkCF/wcEG2xM
 DgS1KckoF7EJ9Tsc7XRVQ3Doq5WL+NCCnuSmeMcVTGhI9XaGreu+DYYmCR3vnDXa
 vx67A45vlYcgJU4pDL/oMwJW+WKiwKjpiZm4kyRZWYHGLlCUb+ckedhM1eCZwwsg
 yJKm0aPJbTDjlqRBshU++4aZMV2AFdLRIVq7AgMBAAGjgcowgccwHQYDVR0OBBYE
 FO113jUUPEcj8bEa5BNDjLvMwitWMIGXBgNVHSMEgY8wgYyAFO113jUUPEcj8bEa
 5BNDjLvMwitWoV6kXDBaMT8wPQYDVQQDEzZSZWR3YXggSW50ZXJvcCBUZXN0aW5n
 IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwNDAxFzAVBgNVBAoTDlJlZHdh
 eCBQcm9qZWN0ghRvEbfYVdJ9mhTztukVK2DKjEviqjAMBgNVHRMEBTADAQH/MA0G
 CSqGSIb3DQEBBQUAA4IBAQDONOZcaEB3HjLi4wCkeSucGgmDyC2bwPIvZojr9UOx
 45FyB5awhRgUP/pKwZIDJ7y5b1Gd20AKjkac3kiXETTjCvGSm3v9EKtKclykd3Jd
 oKK1WupKhQxoTb6qTakwahxf9nggsjt0u+G9ngnHJiIRdejP8TIAtxZVKAn1Riw7
 OdNWzrNdq9E/4Ysr9m5jEYBlZKHLAkyvltjQfet9fsMCG7Ty9kxYVX7AszTEBkeH
 4Zd5gubTX2phjMbQk+uzHtoAQF4E5mwrhNjuMn6q2COB+M254u/pGQsi3i1LMxBD
 ch5AKvxjPsO3pLFi1oWvkJNArKw3DJLcTnCQl7Wn4ZzR
 -----END CERTIFICATE-----

Comment 6 Graham Leggett 2020-02-28 23:54:54 UTC
Using the following patch to print out the certs from the environment as they come in:

--- src/scep.c-orig     2020-02-28 22:54:43.151569846 +0000
+++ src/scep.c  2020-02-28 22:58:07.725289195 +0000
@@ -307,6 +307,10 @@
        else
                cm_log_set_method(cm_log_syslog);
 
+       cm_log(0, "RA: %s", racert);
+       cm_log(0, "CA: %s", cacert);
+       cm_log(0, "Cert: %s", certs);
+
        pctx = poptGetContext(argv[0], argc, argv, popts, 0);
        if (pctx == NULL) {
                return CM_SUBMIT_STATUS_UNCONFIGURED;
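
Review bot: the third added line, `cm_log(0, "Cert: %s", certs);`, is reached with `certs == NULL` (the log below prints `Cert: (null)`), and passing a null pointer to `%s` is undefined behaviour that only glibc happens to render as "(null)"; guard each of the three calls, e.g. `cm_log(0, "Cert: %s", certs ? certs : "(null)");`, since racert and cacert start out NULL as well. Logging whole PEM blobs at level 0 into syslog is fine for this one-off diagnosis but should not survive into a real patch.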

and removing the -I, we get this:

Feb 28 23:16:51 bob scep-submit[16536]: RA: -----BEGIN CERTIFICATE-----#012MIIFFzCCA/+gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMT8wPQYDVQQDEzZSZWR3#012YXggSW50ZXJvcCBUZXN0aW5nIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIw#012NDAxFzAVBgNVBAoTDlJlZHdheCBQcm9qZWN0MB4XDTIwMDIxNTIwNTM1MloXDTQw#012MDIxMDIwNTM1MlowajELMAkGA1UEBhMCTkwxFTATBgNVBAgMDFp1aWQtSG9sbGFu#012ZDEPMA0GA1UEBwwGTGVpZGVuMQ0wCwYDVQQKDARTQ0VQMSQwIgYDVQQDDBtSZWR3#012YXggSW50ZXJvcCBUZXN0IFNDRVAgUkEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw#012ggIKAoICAQDpdqS3jsAOjDltk6Q8Z0aSmgbD+f7zMGdhRBUnt2hgrHzN5nI88FBp#012ajFCDZGBhNUx5G8HJu9iHL8RZWiiwEtjs3tqTdIAIDNMxSQxy54mrFe2Iv5pUuwm#012D5uDA7N9TAxJAF2T1CNcqaT+0kXc/s7Ll6wka71KDiO2B+g0qIKq93uX+IT3rJ/5#012U3NGzOes53UlYtVxnrdL3D7+Iqr+dRjWDAb0FHxMjJcIcflRgtmkXxjOyULjhoGS#012fHCNqv7nM3jwk9V3LB97omppDVo2Fo1z1Db0fm67XuSgCCG/yEGNyfX6AK/oFqXa#0121RltfjzeJLZ5YgOIGzkqtqPX+cI1+qd4QSWLaSgjaI//ENo9O5rsdzeyZrekN0tO#012ou21nFkcds2fU/z5NTmhlg8rL6kCbBtk6nv0zwV2At6Sl6vEGxiWGP35r1omRmCJ#012S/+neNSmbDJ98FTQenxSxqfKyR08eB72Jf11zIM1VHFexoRadA273eXufeme+HQa#012GFVRq2Hhu+5zr9Dxc53OK822tXIcxRk3MWC7kVaOIqlpcFVXfXNetNjPk4Z9Ln4O#0123l5Cr3hx7lv7rdaufRj3QKRjBkfLug5hHaiHJi8UTnbJrbIgdRf3vOTSMej4cadx#012rYQ+ttkYWrA6a4UQSump/qpIdmuOMa3QJlY/86gKoHhpQ+0CCmPnyQIDAQABo4HX#012MIHUMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgWgMB0GA1UdDgQWBBQsFKw9bTuk#012H/gqNi3O8RZlV8D6YzCBlwYDVR0jBIGPMIGMgBTtdd41FDxHI/GxGuQTQ4y7zMIr#012VqFepFwwWjE/MD0GA1UEAxM2UmVkd2F4IEludGVyb3AgVGVzdGluZyBSb290IENl#012cnRpZmljYXRlIEF1dGhvcml0eSAyMDQwMRcwFQYDVQQKEw5SZWR3YXggUHJvamVj#012dIIUbxG32FXSfZoU87bpFStgyoxL4qowDQYJKoZIhvcNAQELBQADggEBAH79n3Gl#0121VDwoPXaxjIxy/HePth5HiDU96nFb/zCR83xur+SqxpX+IXay1T2KFnZje4MAmY5#012ePcDmXnxJWfWykxgMsKCJasCwZHqWa3jDiiRwZFpN4dCs459fAEJzRE0MjQRtZhH#012q46fXkBdA6Gs7c9C/zQMXOWs85c+fT9FX0iVsa9p8rr1WphloZOt36IeR609Qtiw#012Anq7RPi2uTnnozb5G5zKho+3KnEXRqu9dtcxTGOExLIIQViL2eINHVr6I3l/AlK9#012tRxa4/vAiKFfL3IYOXunwSI82jSfkb/n3zuSIYWdzDTrk2au1l4NKUJfMKvmKydP#012U7vQT+Hr76KEn6o=#012-----END CERTIFICATE-----
Feb 28 23:16:51 bob scep-submit[16536]: CA: -----BEGIN CERTIFICATE-----#012MIIEDTCCAvWgAwIBAgIUbxG32FXSfZoU87bpFStgyoxL4qowDQYJKoZIhvcNAQEF#012BQAwWjE/MD0GA1UEAxM2UmVkd2F4IEludGVyb3AgVGVzdGluZyBSb290IENlcnRp#012ZmljYXRlIEF1dGhvcml0eSAyMDQwMRcwFQYDVQQKEw5SZWR3YXggUHJvamVjdDAe#012Fw0yMDAyMTExNjM4NTZaFw00MDAyMDYxNjM4NTZaMFoxPzA9BgNVBAMTNlJlZHdh#012eCBJbnRlcm9wIFRlc3RpbmcgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjA0#012MDEXMBUGA1UEChMOUmVkd2F4IFByb2plY3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB#012DwAwggEKAoIBAQDnICcjGF9EcH0kRu9TgqiXAV+YdBUOjV4jG9wCbJdZMv6tGYWY#012IPszrK3Cmw49uMbMgAEL/hB2mr/gZIFMQ0rs2GWwkaKolvg0rw9gE8PwR2p6jthu#012L+CzocyHkc27f/UGhekYSnbcgIitFNseaJWEI/d+eF8LPkPXhsSUVkCF/wcEG2xM#012DgS1KckoF7EJ9Tsc7XRVQ3Doq5WL+NCCnuSmeMcVTGhI9XaGreu+DYYmCR3vnDXa#012vx67A45vlYcgJU4pDL/oMwJW+WKiwKjpiZm4kyRZWYHGLlCUb+ckedhM1eCZwwsg#012yJKm0aPJbTDjlqRBshU++4aZMV2AFdLRIVq7AgMBAAGjgcowgccwHQYDVR0OBBYE#012FO113jUUPEcj8bEa5BNDjLvMwitWMIGXBgNVHSMEgY8wgYyAFO113jUUPEcj8bEa#0125BNDjLvMwitWoV6kXDBaMT8wPQYDVQQDEzZSZWR3YXggSW50ZXJvcCBUZXN0aW5n#012IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwNDAxFzAVBgNVBAoTDlJlZHdh#012eCBQcm9qZWN0ghRvEbfYVdJ9mhTztukVK2DKjEviqjAMBgNVHRMEBTADAQH/MA0G#012CSqGSIb3DQEBBQUAA4IBAQDONOZcaEB3HjLi4wCkeSucGgmDyC2bwPIvZojr9UOx#01245FyB5awhRgUP/pKwZIDJ7y5b1Gd20AKjkac3kiXETTjCvGSm3v9EKtKclykd3Jd#012oKK1WupKhQxoTb6qTakwahxf9nggsjt0u+G9ngnHJiIRdejP8TIAtxZVKAn1Riw7#012OdNWzrNdq9E/4Ysr9m5jEYBlZKHLAkyvltjQfet9fsMCG7Ty9kxYVX7AszTEBkeH#0124Zd5gubTX2phjMbQk+uzHtoAQF4E5mwrhNjuMn6q2COB+M254u/pGQsi3i1LMxBD#012ch5AKvxjPsO3pLFi1oWvkJNArKw3DJLcTnCQl7Wn4ZzR#012-----END CERTIFICATE-----
Feb 28 23:16:51 bob scep-submit[16536]: Cert: (null)
Feb 28 23:16:51 bob scep-submit[16536]: Checking server capabilities list for "Renewal"
Feb 28 23:16:51 bob scep-submit[16536]: found it.
Feb 28 23:16:52 bob scep-submit[16536]: Message failed verification.
Feb 28 23:16:52 bob scep-submit[16536]: error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found
Feb 28 23:16:52 bob scep-submit[16536]: Error: failed to verify signature on server response.

The CA cert has arrived inside scep.c, but is being ignored...

Comment 7 Graham Leggett 2020-02-29 00:50:20 UTC
...this code is strange: https://pagure.io/certmonger/blob/master/f/src/scep.c#_888

			memset(&cacerts, 0, sizeof(cacerts));
			cacerts[0] = cacert ? cacert : racert;
			cacerts[1] = cacert ? racert : NULL;
			cacerts[2] = NULL;

Typically a certificate chain needs to be the leaf certificate first, then the intermediates, then lastly the CA certificates.

In the above code the CA cert comes first, then the RA cert, and then the intermediates come after, which is the wrong order.

In theory, this is the correct order:

--- src/scep.c-orig     2020-02-29 00:11:34.217139348 +0000
+++ src/scep.c  2020-02-29 00:15:56.931780124 +0000
@@ -895,8 +895,8 @@
                if ((content_type2 != NULL) && (strcasecmp(content_type2,
                               "application/x-pki-message") == 0)) {
                        memset(&cacerts, 0, sizeof(cacerts));
-                       cacerts[0] = cacert ? cacert : racert;
-                       cacerts[1] = cacert ? racert : NULL;
+                       cacerts[0] = racert ? racert : cacert;
+                       cacerts[1] = racert ? cacert : NULL;
                        cacerts[2] = NULL;
                        racerts = NULL;
                        if ((certs != NULL) &&
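
Review bot: swapping `cacerts[0]` and `cacerts[1]` cannot fix the lookup, because `cacerts` is the array passed to cm_pkcs7_verify_signed() as the trusted roots (loaded into an X509_STORE, per the description of pkcs7.c later in this comment), and a store has no order; the RA certificate has to be offered as a signer certificate, not as a root. The unchanged context line `racerts = NULL;` also means no signer certificates are offered at all unless `certs` was supplied, which is why the RA cert is never found. Separating roots from signer certs, as the rewrite in the next comment does, is the real fix; this hunk on its own should be dropped.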

The above patch isn't enough, we have some more strange code here:

https://pagure.io/certmonger/blob/master/f/src/scep.c#_891

After putting the cacert and racert in backwards order into cacerts, we now take the othercerts and put that into a variable called racerts. We then feed cacerts (containing the racert) and racerts (containing the othercert) and pass these to cm_pkcs7_verify_signed().

https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_889

In this code cacerts (containing the cacert and racert), now called roots, is put into a searchable X509_STORE, and racerts (containing the othercert that in the above workaround contained the cacert, but not the RA cert), now called othercerts, is added to the PKCS7 signer certificates.

Then we try to verify.

I am not seeing how to fix this without just rewriting the whole thing.

Comment 8 Graham Leggett 2020-02-29 18:10:14 UTC
I redid the certificate handling for op_get_cert_initial below, this allows certificates to be issued successfully both with and without the other certificates. The comment in the code explains what needs to be done. Variables are renamed to match the cm_pkcs7_parse() and cm_pkcs7_verify_signed() calls.


[minfrin@bob SPECS]$ cat ../SOURCES/0034-reorder-certs.patch 
--- src/scep.c-orig	2020-02-29 17:47:21.865202443 +0000
+++ src/scep.c	2020-02-29 17:49:17.153040316 +0000
@@ -211,12 +211,12 @@
 	const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
 	void *ctx;
 	char *params = "", *params2 = NULL, *racert = NULL, *cacert = NULL;
-	char **othercerts = NULL, *cert1 = NULL, *cert2 = NULL, *certs = NULL;
+	char **certothers = NULL, *certleaf = NULL, *certtop = NULL, *certs = NULL;
 	char **racertp, **cacertp, *dracert = NULL, *dcacert = NULL;
 	char buf[LINE_MAX] = "";
 	const unsigned char **buffers = NULL;
 	size_t n_buffers = 0, *lengths = NULL, j;
-	const char *cacerts[3], **racerts;
+	const char *roots[3], **othercerts;
 	dbus_bool_t missing_args = FALSE;
 	char *sent_tx, *tx, *msgtype, *pkistatus, *failinfo, *s, *tmp1, *tmp2;
 	unsigned char *sent_nonce, *sender_nonce, *recipient_nonce, *payload;
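
Review bot: the rename reuses the old name `othercerts` for a new variable (`const char **othercerts`, replacing `racerts`) while the old `char **othercerts` becomes `certothers`; two names that differ only in word order, for two different things, make every later hunk harder to read and are easy to mix up. Give the array handed to cm_pkcs7_verify_signed() a name that says what it is, e.g. `signercerts`, and leave the parse output as `othercerts`; that also removes the purely mechanical second hunk. Note that `roots[3]` is no longer zeroed anywhere after this change, so every path that fills it must write the NULL terminator itself.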
@@ -858,27 +858,27 @@
 			n_buffers++;
 		}
 		if (cm_pkcs7_parsev(CM_PKCS7_LEAF_PREFER_ENCRYPT, ctx,
-				    racertp, cacertp, &othercerts,
+				    racertp, cacertp, &certothers,
 				    NULL, NULL,
 				    n_buffers, buffers, lengths) == 0) {
 			if (racert != NULL) {
 				printf("%s", racert);
 				if (cacert != NULL) {
 					printf("%s", cacert);
-					if (othercerts != NULL) {
+					if (certothers != NULL) {
 						for (c = 0;
-						     othercerts[c] != NULL;
+						     certothers[c] != NULL;
 						     c++) {
 							printf("%s",
-							       othercerts[c]);
+							       certothers[c]);
 						}
 					}
 					if ((dracert != NULL) &&
-					    (cert_among(dracert, racert, cacert, othercerts) != 0)) {
+					    (cert_among(dracert, racert, cacert, certothers) != 0)) {
 						printf("%s", dracert);
 					}
 					if ((dcacert != NULL) &&
-					    (cert_among(dcacert, racert, cacert, othercerts) != 0)) {
+					    (cert_among(dcacert, racert, cacert, certothers) != 0)) {
 						printf("%s", dcacert);
 					}
 				}
@@ -894,47 +894,66 @@
 	case op_pkcsreq:
 		if ((content_type2 != NULL) && (strcasecmp(content_type2,
 			       "application/x-pki-message") == 0)) {
-			memset(&cacerts, 0, sizeof(cacerts));
-			cacerts[0] = cacert ? cacert : racert;
-			cacerts[1] = cacert ? racert : NULL;
-			cacerts[2] = NULL;
-			racerts = NULL;
+			/*
+			 * At this point, we have:
+			 * - zero or more ra certs; and
+			 * - zero or more ca certificates; and
+			 * - zero or more other certificates; that
+			 * need to be reordered so that the leaf
+			 * certificates go first, the ca certificates
+			 * are separated into a seperate certificate
+			 * store, and the other certificates go after
+			 * the leaf certificates.
+			 *
+			 * To do this we put cacert into the ca store,
+			 * the racert at the top of the othercerts list.
+			 * Then we parse certs, placing all ca certs
+			 * we find into the ca store, and all other
+			 * certs we find after the racert.
+			 *
+			 * As a limitation of cm_pkcs7_parse(), we
+			 * can only isolate one ca certificate in the
+			 * list of other certificates.
+			 */
+                        /* handle the other certs */
 			if ((certs != NULL) &&
 			    (cm_pkcs7_parse(0, ctx,
-					    &cert1, &cert2, &othercerts,
+					    &certleaf, &certtop, &certothers,
 					    NULL, NULL,
 					    (const unsigned char *) certs,
 					    strlen(certs), NULL) == 0)) {
+				roots[0] = cacert ? cacert : certtop ? certtop : NULL;
+				roots[1] = cacert ? certtop : NULL;
+				roots[2] = NULL;
 				for (c = 0;
-				     (othercerts != NULL) &&
-				     (othercerts[c] != NULL);
+				     (certothers != NULL) &&
+				     (certothers[c] != NULL);
 				     c++) {
 					continue;
 				}
-				racerts = talloc_array_ptrtype(ctx, racerts, c + 5);
-				for (c = 0;
-				     (othercerts != NULL) &&
-				     (othercerts[c] != NULL);
-				     c++) {
-					racerts[c] = othercerts[c];
-				}
-				if (cacert != NULL) {
-					racerts[c++] = cacert;
-				}
-				if (cert1 != NULL) {
-					racerts[c++] = cert1;
+				othercerts = talloc_array_ptrtype(ctx, othercerts, c + 3);
+				c = 0;
+				if (racert != NULL) {
+					othercerts[c++] = racert;
 				}
-				if (cert2 != NULL) {
-					racerts[c++] = cert2;
+				if (certleaf != NULL) {
+					othercerts[c++] = certleaf;
 				}
-				if (racert != NULL) {
-					racerts[c++] = racert;
+				while (certothers != NULL && *certothers != NULL) {
+					othercerts[c++] = *certothers++;
 				}
-				racerts[c++] = NULL;
+				othercerts[c++] = NULL;
+			}
+			else {
+				roots[0] = cacert;
+				roots[1] = NULL;
+				othercerts = talloc_array_ptrtype(ctx, othercerts, 2);
+				othercerts[0] = racert ? racert : NULL;
+				othercerts[1] = NULL;
 			}
 			ERR_clear_error();
 			i = cm_pkcs7_verify_signed((unsigned char *) results2, results_length2,
-						   cacerts, racerts,
+						   roots, othercerts,
 						   NID_pkcs7_data, ctx, NULL,
 						   &tx, &msgtype, &pkistatus, &failinfo,
 						   &sender_nonce, &sender_nonce_length,
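
Review bot: the `if` branch leaves `roots` empty when the only certificate is a self-signed CA supplied through `certs`: a cert that signed nothing else comes back from cm_pkcs7_parse() as `certleaf` with `certtop == NULL`, so `roots[0] = cacert ? cacert : certtop ? certtop : NULL;` evaluates to NULL and cm_pkcs7_verify_signed() has no trust anchor even though the same cert sits in `othercerts`; that is the single-certificate dogtag/IPA setup (`-I /etc/ipa/ca.crt`, no separate RA cert) described later in this thread. Add a special case before the counting loop, e.g. `if (cacert == NULL && racert == NULL && certtop == NULL && certleaf != NULL) roots[0] = certleaf;`. Smaller points: `othercerts[c++] = *certothers++;` walks the `certothers` pointer past its talloc base, so the array can no longer be freed or reused (index it instead); the `else` branch never sets `roots[2]`, harmless only because `roots[1]` is the terminator there, so restore the `memset(&roots, 0, sizeof(roots));`; the `/* handle the other certs */` line is indented with spaces where the file uses tabs; and "seperate" in the block comment should read "separate".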

Comment 9 Rob Crittenden 2020-03-02 21:31:30 UTC
Thanks for the patch, I'll take a look.

Comment 10 Graham Leggett 2020-03-02 23:14:39 UTC
Thanks for this.

Comment 11 Graham Leggett 2020-03-13 14:01:05 UTC
Had a chance to look at this stage? Keen to see this fix backported so we can deploy private certs via SCEP.

Comment 12 Rob Crittenden 2020-03-13 14:28:49 UTC
Not yet, sorry, and I can't really give an ETA.

Comment 13 Rob Crittenden 2020-04-14 21:10:07 UTC
Can you attach a copy of the patch to the BZ? It'll make importing it officially a lot easier due to the tab use.

Did you mean certtop instead of cacert here?

roots[1] = cacert ? certtop : NULL;

I think I'll need to document in getcert-add-scep-ca that if othercerts is provided then it should be a discrete set of certificates relevant to the PKI issuing the cert over SCEP given that cm_pkcs7_parse() can return only a single root cert (whichever one it finds first).

So far this is looking good.

Comment 14 Rob Crittenden 2020-04-15 02:45:45 UTC
Sort of thinking out loud here in case I need to refer back to it.

In cm_pkcs7_parsev() a cert is considered a leaf if it didn't sign any others. And a leaf cannot be a top. So the output of a self-signed CA as othercerts will be certleaf and certtop will be NULL.

For the IPA case, which typically has a self-signed CA, this causes what was arguably a workaround to break. IPA (dogtag) issues SCEP certs using its CA cert, not a special RA cert. So the workaround was to pass it in as othercerts which caused it to appear in both cacerts and racerts.

To make IPA issue SCEP certs one would generally do something like:

getcert add-scep-ca -c ipascep -u http://`hostname`:8080/ca/cgi-bin/pkiclient.exe -I /etc/ipa/ca.crt

cm_pkcs7_parsev() evaluates with certleaf == cert, certtop = NULL.

With this change roots will be all NULL and racerts will contain certleaf (twice). So we pass into PKCS7_verify(p7, NULL, store, ...). With nothing to verify against it blows up (I'm assuming).

As a test I hardcoded it so that cert1 is set as roots[0] and the verification passed because racerts also gets the contents of othercerts.

I'm thinking a special case is needed, I'm just not sure where to apply it yet. The corner case is that there is no separate RA agent detected from the SCEP CA, only ca_encryption_cert gets set (dogtag in the simplest case returns a single cert). The condition makes my head hurt.

pseudo-ish code:
if (cacert == NULL && racert == NULL && certtop == NULL && certleaf != NULL) { 
    /* does this imply that othercerts != NULL? I guess so */
    roots[0] = certleaf;
    roots[1] = NULL; /* roots is no longer memset in the patch, so terminate it */
}
/* racerts is processed as-is and will pull in the lone cert in othercerts */

The result is that cacerts == racerts == IPA cert which both signed the PKCS#7 and itself.
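
The leaf/top heuristic described above (a cert that signed no other cert is a leaf, and a leaf is never the top) together with the roots/othercerts split from the Comment 8 patch, carried through in Go as an added example. This is not certmonger's code: `classify`, `verifyInputs`, `testBundle` and the throwaway "Example Test" root and RA certificates generated at runtime are this example's own names and constructed data, standing in for the Redwax certificates on this page. It reproduces the corner case from Comment 14: a lone self-signed CA handed over with -I comes back as a leaf with no top, so without the special case the trust-anchor list stays empty. The special case is written slightly more generally than the pseudo-code above: the leaf is promoted whenever no other anchor was found, and only if it really is self-signed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Split mirrors what the thread says cm_pkcs7_parse() hands back: Leaf signed
// none of the others, Top signed others but was signed by none, never both.
type Split struct {
	Leaf, Top *x509.Certificate
	Others    []*x509.Certificate
}

// classify applies that leaf/top heuristic to an arbitrary bundle.
func classify(certs []*x509.Certificate) Split {
	var s Split
	for i, c := range certs {
		signedOther, signedByOther := false, false
		for j, d := range certs {
			if i != j {
				signedOther = signedOther || d.CheckSignatureFrom(c) == nil
				signedByOther = signedByOther || c.CheckSignatureFrom(d) == nil
			}
		}
		switch {
		case !signedOther && s.Leaf == nil:
			s.Leaf = c
		case signedOther && !signedByOther && s.Top == nil:
			s.Top = c
		default:
			s.Others = append(s.Others, c)
		}
	}
	return s
}

// verifyInputs builds the two lists cm_pkcs7_verify_signed() takes: trust anchors
// (roots) and certs offered for signer lookup (signers, leaf first). racert/cacert
// are nil when the server did not send them; others is the -I bundle. Assumed names.
func verifyInputs(racert, cacert *x509.Certificate, others []*x509.Certificate) (roots, signers []*x509.Certificate) {
	s := classify(others)
	if cacert != nil {
		roots = append(roots, cacert)
	}
	if s.Top != nil {
		roots = append(roots, s.Top)
	}
	// Comment 14's corner case: a lone self-signed CA signs nothing else, so it is a
	// Leaf with no Top and roots stays empty. Promote it if (and only if) self-signed.
	if len(roots) == 0 && s.Leaf != nil && s.Leaf.CheckSignatureFrom(s.Leaf) == nil {
		roots = append(roots, s.Leaf)
	}
	if racert != nil {
		signers = append(signers, racert)
	}
	if s.Leaf != nil {
		signers = append(signers, s.Leaf)
	}
	return roots, append(signers, s.Others...)
}

func mkCert(tmpl, parent *x509.Certificate, subjectKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, subjectKey.Public(), issuerKey)
	c, perr := x509.ParseCertificate(der) // der is nil on error, so perr covers that too
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return c
}

// testBundle is constructed throwaway data: a self-signed root and an RA it issued.
func testBundle() (root, ra *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	raKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = mkCert(rootTmpl, rootTmpl, rootKey, rootKey)
	raTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Test SCEP RA"},
		NotBefore: root.NotBefore, NotAfter: root.NotAfter,
	}
	return root, mkCert(raTmpl, root, raKey, rootKey)
}

func main() {
	root, ra := testBundle()
	roots, signers := verifyInputs(ra, root, nil) // RA and CA sent by the server
	fmt.Printf("RA+CA: roots=%d signers=%d\n", len(roots), len(signers))
	roots, signers = verifyInputs(nil, nil, []*x509.Certificate{root}) // lone CA via -I
	fmt.Printf("lone CA: roots=%d signers=%d\n", len(roots), len(signers))
}
```

Running it prints the two cases; the second line shows the lone CA counted as both root and signer, which is the `cacerts == racerts == IPA cert` outcome expected above. The PKCS#7 verification itself is left to OpenSSL as in pkcs7.c; this only shows how the inputs to it get sorted, and why an end-entity cert that merely arrived alone is not turned into a trust anchor.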

Comment 15 Rob Crittenden 2020-04-15 22:43:09 UTC
https://pagure.io/certmonger/pull-request/146

Comment 16 Rob Crittenden 2020-04-17 14:20:08 UTC
Fixed upstream in master:

71f5fbdbcddd464711a15d94e8c73cb598f837dd

Comment 25 Mohammad Rizwan 2020-07-08 11:25:16 UTC
Yeah so it was resolv.conf. When I added nameserver in it, it worked.

version:
certmonger-0.79.7-14.el8.x86_64

[root@master ~]#  getcert add-scep-ca -c "Redwax Interop" -u http://interop.redwax.eu/test/simple/scep
New CA "Redwax Interop" added.
[root@master ~]# 
[root@master ~]# getcert list-cas -c "Redwax Interop"
CA 'Redwax Interop':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/scep-submit -u http://interop.redwax.eu/test/simple/scep         
	SCEP CA certificate thumbprint (MD5): 9B3BB9A9 0EFDCDB9 3434F633 54240F40
	SCEP CA certificate thumbprint (SHA1): 14AC57D3 5562DA67 0490F9C1 A76696BE 1162B5AA
[root@master ~]# 
[root@master ~]# 
[root@master ~]#  getcert request -f /etc/pki/tls/certs/test.example.com.cert -k /etc/pki/tls/certs/test.example.com.key -c "Redwax Interop" -I test.example.com -D test.example.com -G rsa -g 4096 -u digitalSignature -u keyEncipherment -L challenge
New signing request "test.example.com" added.
[root@master ~]# 
[root@master ~]# getcert list -i test.example.com
Number of certificates and requests being tracked: 10.
Request ID 'test.example.com':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/certs/test.example.com.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/test.example.com.cert'
	signing request thumbprint (MD5): A84AC65E E2C8A642 16314AF6 6F547144
	signing request thumbprint (SHA1): A826026B 05751F9E B7591865 5422B24A B595004F
	CA: Redwax Interop
	issuer: O=Redwax Project,CN=Redwax Interop Testing Root Certificate Authority 2040
	subject: CN=master.testrelm.test
	expires: 2020-07-09 07:22:53 EDT
	key usage: digitalSignature,nonRepudiation,keyEncipherment
	eku: id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

The scep CA added and cert issued and in monitoring state. Hence marking the bug as verified.

Comment 28 errata-xmlrpc 2020-11-04 02:51:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (certmonger bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4671

