Tuesday, March 10, 2015

EJBCA with openSSL CMP


https://download.primekey.se/public/ejbcav6ce-vm.zip
EJBCA CE v6.2.0
v4.3.24 r98716 can import the ovf.


ERROR: Can only connect from localhost via https://ejbca:8443/ejbca. Connecting from another host results in ssl_error_bad_cert_alert (8443 demands a client certificate, which a browser elsewhere without the admin cert cannot present).
FIX:
According to /home/ejbca/ejbca_ce_6_2_0/conf/web.properties.sample:
The private port JBoss will listen to https on (8443), client cert required
https://ejbca:8443/ejbca/
https://ejbca:8443/ejbca/adminweb/

The public port JBoss will listen to http on (8080), no SSL, no client cert
http://ejbca:8080/ejbca/
http://ejbca:8080/ejbca/adminweb/ (Authorization failed, client certificate required)

The public port JBoss will listen to https on (8442), no client cert required
https://ejbca:8442/ejbca/
https://ejbca:8442/ejbca/adminweb/ (Authorization failed, client certificate required)

Admin Web always requires a client cert.
Public Web can be reached over http (8080) or https (8442).



CMP - Admin Guide
http://ejbca.org/docs/adminguide.html#CMP


Build cmpclient as described here:
http://mkl-note.blogspot.tw/2015/03/cmpforopenssl.html

In ./cmpforopenssl-code/src/openssl/apps
  1. Get the CA cert (ManagementCA.pem)
    [EJBCA public Web] -> [Fetch CA certificates] -> [CA certificate: Download as PEM]
    cp ~/Downloads/ManagementCA.pem .
    Or (not sure whether this link works for everyone):
    wget -O ManagementCA.pem "http://ejbca:8080/ejbca/publicweb/webdist/certdist?cmd=cacert&issuer=CN%3dManagementCA%2cO%3dEJBCA+Sample%2cC%3dSE&level=0"
  2. Prepare the environment for openssl (the symlink target is resolved relative to the link's own directory, cmpforopenssl-code/ssl, which is where the client later looks for src/../ssl/openssl.cnf)
    mkdir -p ../../../ssl; ln -s ../src/openssl/apps/openssl.cnf ../../../ssl/openssl.cnf

CMP for OpenSSL - Admin Guide
http://ejbca.org/docs/adminguide.html#CMP%20for%20OpenSSL

RA mode

  1. Generate private key
    openssl genrsa  -out key1.pem 2048
  2. Passed
    $ ./openssl cmp -cmd ir -server localhost:8080 -path ejbca/publicweb/cmp/opensslra -srvcert ManagementCA.pem -user NewUser -pass password -certout clcert1.pem -newkey key1.pem -keyfmt PEM -certfmt PEM -subject "/CN=NewUser/O=My Organization/C=SE"
    Using configuration from /home/ejbca/prj/cmpforopenssl-code/src/../ssl/openssl.cnf
    INFO: Sending Initialization Request
    SUCCESS: validating protection of incoming message
    INFO: Sending Certificate Confirm
    SUCCESS: validating protection of incoming message
    saving certificate to 'clcert1.pem'...


Client mode, HMAC password authentication

  1. Generate private key
    openssl genrsa  -out key2.pem 2048
  2.  Passed
    $ ./openssl cmp -cmd ir -server localhost:8080 -path ejbca/publicweb/cmp/opensslclient -srvcert ManagementCA.pem -user user1 -pass password -certout clcert2.pem -newkey key2.pem -keyfmt PEM -certfmt PEM -subject "/CN=user1/O=My Organization/C=SE"
    Using configuration from /home/ejbca/prj/cmpforopenssl-code/src/../ssl/openssl.cnf
    INFO: Sending Initialization Request
    SUCCESS: validating protection of incoming message
    INFO: Sending Certificate Confirm
    SUCCESS: validating protection of incoming message
    saving certificate to 'clcert2.pem'...
Client mode, client certificate authentication

  1. Generate private key
    openssl genrsa  -out key3.pem 2048
  2.  Failed
    $ ./openssl cmp -cmd ir -server localhost:8080 -path ejbca/publicweb/cmp/openssleec -srvcert ManagementCA.pem -cert clcert2.pem -key key2.pem -certout clcert3.pem -newkey key3.pem -keyfmt PEM -certfmt PEM -subject "/CN=user1/O=My Organization/C=SE"
    Using configuration from /home/ejbca/prj/cmpforopenssl-code/src/../ssl/openssl.cnf
    INFO: Sending Initialization Request
    140361658017440:error:3209608B:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:381:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: badRequest: Got request with status GENERATED (40), NEW, FAILED or INPROCESS required: user1."

  3. Reset user1 so it can enroll again (the IR above was rejected because the end entity was already GENERATED; status 10 is NEW)
    $ bin/ejbca.sh ra setclearpwd user1 password
    SETTING: --username as user1
    SETTING: --password as password
    Setting clear text password for user user1
    $ bin/ejbca.sh ra setendentitystatus user1 10
    SETTING: --username as user1
    SETTING: -S as 10
    New status for end entity user1 is 10
  4. Passed
    $ ./openssl cmp -cmd ir -server localhost:8080 -path ejbca/publicweb/cmp/openssleec -srvcert ManagementCA.pem -cert clcert2.pem -key key2.pem -certout clcert3.pem -newkey key3.pem -keyfmt PEM -certfmt PEM -subject "/CN=user1/O=My Organization/C=SE"
    Using configuration from /home/ejbca/prj/cmpforopenssl-code/src/../ssl/openssl.cnf
    INFO: Sending Initialization Request
    SUCCESS: validating protection of incoming message
    INFO: Sending Certificate Confirm
    SUCCESS: validating protection of incoming message
    saving certificate to 'clcert3.pem'...

Client mode, Vendor certificate authentication
Not tested, since it is EJBCA Enterprise only.


Using Key Update Request instead of Initial Request
RA mode: failed

openssl cmp -cmd kur -server $SERVER:8080 -path ejbca/publicweb/cmp/opensslra -srvcert $CACERT -user NewUser -pass password -cert $MYCERT -key $MYKEY -certout ${MYCERT}1 -newkey $MYKEY -keyfmt PEM -certfmt PEM -subject "/CN=NewUser/O=My Organization/C=SE"
WARNING: can't open config file: /home/prj/cmpforopenssl-code/src/../ssl/openssl.cnf
Using configuration from /home/prj/cmpforopenssl-code/src/../ssl/openssl.cnf
error loading the config file '/home/prj/cmpforopenssl-code/src/../ssl/openssl.cnf'
INFO: Sending Key Update Request
3075856008:error:3209708B:CMP routines:CMP_doKeyUpdateRequestSeq:pkibody error:cmp_ses.c:724:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: badRequest: EndEnityCertificate authentication module is not configured. For a KeyUpdate request to be authentication in RA mode, EndEntityCertificate authentication module has to be set and config
Then in [CMP Configuration] -> [Edit CMP Alias: opensslra], set:
CMP Response Protection: pbe -> signature
CMP Authentication Module: enable EndEntityCertificate
Automatic Key Update: Allow

openssl cmp -cmd kur -server 192.168.110.120:8080 -srvcert /etc/ipsec.d/cacerts/cacert.pem -cert /etc/ipsec.d/certs/mycert.pem.old -key /etc/ipsec.d/private/mykey.pem -certout /etc/ipsec.d/certs/mycert.pem -newkey /etc/ipsec.d/private/mykey.pem -keyfmt PEM -certfmt PEM -subject "/CN=NewUser/O=My Organization/C=SE" -user NewUser -pass password -path ejbca/publicweb/cmp/opensslra
Using configuration from /usr/openssl.cnf
INFO: Sending Key Update Request
1099268871952:error:3209708B:CMP routines:CMP_doKeyUpdateRequestSeq:pkibody error:cmp_ses.c:714:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: badRequest: 'CN=NewUser,O=My Organization,C=SE' is not an authorized administrator."

Then, with [Verifications in EndEntityCertificate Authentication Module] set to Omit:

openssl cmp -cmd kur -server 192.168.110.120:8080 -srvcert /etc/ipsec.d/cacerts/cacert.pem -cert /etc/ipsec.d/certs/mycert.pem.old -key /etc/ipsec.d/private/mykey.pem -certout /etc/ipsec.d/certs/mycert.pem -newkey /etc/ipsec.d/private/mykey.pem -keyfmt PEM -certfmt PEM -subject "/CN=NewUser/O=My Organization/C=SE" -user NewUser -pass password -path ejbca/publicweb/cmp/opensslra
Using configuration from /usr/openssl.cnf
INFO: Sending Key Update Request
1099117520656:error:3209708B:CMP routines:CMP_doKeyUpdateRequestSeq:pkibody error:cmp_ses.c:714:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: badRequest: Omitting some verifications can only be accepted in RA mode and when the CMP request has already been authenticated, for example, through the use of NestedMessageContent"
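Every rejection in these sessions comes back as one OpenSSL error-queue line with EJBCA's PKIStatusInfo text tucked into the trailing data field, and a transport failure (the "server not reachable" line in the cmpforopenssl session further down) uses the same outer format with no PKI status at all. The parser below is an added example written for these notes, not code from cmpforopenssl, OpenSSL or EJBCA; it assumes the line layout visible above (thread:error:hexcode:library:function:reason:file:line:data) and extracts PKIStatus, PKIFailureInfo and the reason text so enrollment failures can be counted and triaged. The sample lines are copied from the sessions on this page.

```python
"""Parse the OpenSSL error-queue lines that the openssl cmp client prints
when EJBCA rejects a request, and pull out the PKIStatus / PKIFailureInfo
that EJBCA embeds in them.

Added example for these notes; not code from cmpforopenssl or EJBCA. The
line format assumed here is the one visible in the sessions above:
  <thread>:error:<hexcode>:<library>:<function>:<reason>:<file>:<line>:<data>
where <data> may itself contain colons, quotes and an embedded
'PKIStatus: ..., PKIFailureInfo: ...' string from the CMP error body.
"""
import re
from typing import Dict, List, Optional

# Sample lines copied from the openssl cmp sessions in these notes
# (the last one is a non-error INFO line, which the parser must ignore).
SAMPLE_LINES: List[str] = [
    '140361658017440:error:3209608B:CMP routines:CMP_doInitialRequestSeq:'
    'pkibody error:cmp_ses.c:381:bodytype=23, error="PKIStatus: rejection, '
    'PKIFailureInfo: badRequest: Got request with status GENERATED (40), '
    'NEW, FAILED or INPROCESS required: user1."',
    '1099268871952:error:3209708B:CMP routines:CMP_doKeyUpdateRequestSeq:'
    'pkibody error:cmp_ses.c:714:bodytype=23, error="PKIStatus: rejection, '
    "PKIFailureInfo: badRequest: 'CN=NewUser,O=My Organization,C=SE' "
    'is not an authorized administrator."',
    '3075692168:error:3209608B:CMP routines:CMP_doInitialRequestSeq:'
    'pkibody error:cmp_ses.c:381:bodytype=23, error="PKIStatus: rejection, '
    'PKIFailureInfo: signerNotTrusted"',
    '3075491464:error:3209D090:CMP routines:CMP_PKIMESSAGE_http_perform:'
    'server not reachable:cmp_http.c:893:56:Failure when receiving data '
    'from the peer:unable to send certConf',
    'INFO: Sending Initialization Request',
]

# The fixed fields are colon-separated; everything after the source line
# number is free-form data, so it is captured as one greedy group.
ERROR_LINE = re.compile(
    r'^(?P<thread>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):'
    r'(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<srcline>\d+):'
    r'(?P<data>.*)$')

# EJBCA's PKIStatusInfo as rendered by the client; the free text after the
# failure-info keyword is optional (compare the signerNotTrusted line).
PKI_STATUS = re.compile(
    r'PKIStatus: (?P<status>\w+), PKIFailureInfo: (?P<failinfo>\w+)'
    r'(?:: (?P<text>.*?))?"?$')


def parse_cmp_error(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return a dict of fields for an OpenSSL error-queue line, or None for
    any other line. The PKI fields stay None when the error is not a CMP
    rejection (for example a transport failure)."""
    m = ERROR_LINE.match(line.strip())
    if m is None:
        return None
    rec: Dict[str, Optional[str]] = dict(m.groupdict())
    rec.update(status=None, failinfo=None, text=None)
    pm = PKI_STATUS.search(rec["data"] or "")
    if pm:
        rec.update(pm.groupdict())
    return rec


def classify(rec: Dict[str, Optional[str]]) -> str:
    """Coarse triage bucket: 'pki-rejection' when the server answered with a
    CMP error body, 'transport' when the HTTP exchange itself failed,
    otherwise 'other'."""
    if rec["status"] is not None:
        return "pki-rejection"
    if rec["func"] == "CMP_PKIMESSAGE_http_perform":
        return "transport"
    return "other"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count error lines per PKIFailureInfo (or per triage bucket when there
    is none), the kind of tally an enrollment dashboard would show."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_cmp_error(line)
        if rec is None:
            continue
        key = rec["failinfo"] or classify(rec)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        rec = parse_cmp_error(raw)
        if rec:
            print(f'{classify(rec):14} {rec["func"]}@{rec["file"]}:'
                  f'{rec["srcline"]} status={rec["status"]} '
                  f'failinfo={rec["failinfo"]} text={rec["text"]!r}')
    print(summarize(SAMPLE_LINES))
```

Feeding the client's stderr through this separates the two kinds of failure seen in these notes: a PKIFailureInfo of badRequest with the end-entity status text points at EJBCA configuration (status reset, authentication module, RA versus client mode), while a transport bucket with no PKI status means the HTTP exchange broke before any CMP answer arrived.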

Monday, March 2, 2015

Optical fiber



Optical fiber connector - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Optical_fiber_connector

HP X120 1G SFP RJ45 T Transceiver - Transceivers - HP: JD089B
http://h30094.www3.hp.com/product.aspx?sku=10256625&pagemode=ca

10 Gigabit Ethernet - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/10_Gigabit_Ethernet#Physical_layer_modules

Sunday, March 1, 2015

cmpforopenssl

http://sourceforge.net/projects/cmpforopenssl/
Forked at https://github.com/mkl0301/cmpforopenssl/

sudo apt-get install libidn11-dev
make cmpclient

sudo apt-get install libpcre3-dev libsqlite3-dev libcurl4-openssl-dev unixODBC-dev
make



Running Server
sudo apt-get install unixodbc unixodbc-bin libmyodbc mysql-server

MySQL: adding users and setting privileges (notes)
http://blog.toright.com/posts/1214/mysql-%E6%96%B0%E5%A2%9E%E4%BD%BF%E7%94%A8%E8%80%85%E8%88%87%E6%AC%8A%E9%99%90%E8%A8%AD%E5%AE%9A-%E7%AD%86%E8%A8%98.html
Important MySQL syntax
http://mail.hmes.kh.edu.tw/~jona/redhat/mysqlphp/mysqlsyntax.htm

mysql -uroot -p
use mysql;
INSERT INTO user(host,user,password) VALUES('%','odbc',password('odbcpwd'));
GRANT ALL ON *.* TO 'odbc'@localhost IDENTIFIED BY 'odbcpwd' WITH GRANT OPTION;
FLUSH PRIVILEGES;

CREATE DATABASE odbc;
Check the path of the libmyodbc.so:
# dpkg-query -L libmyodbc
(..................)
/usr/lib/i386-linux-gnu/odbc/libmyodbc.so

Edit /etc/odbc.ini, add the following with the driver path from previous step:
[myodbc]
Driver       = /usr/lib/i386-linux-gnu/odbc/libmyodbc.so
Description  = MySQL ODBC 2.50 Driver DSN
SERVER       = localhost
PORT         = 3306
USER         = odbc
Password     = odbcpwd
Database     = odbc
OPTION       = 3
SOCKET       =
# ./srv_create_ca_cert.sh
./../bin/cmpserver-cl --createcert --cacert ./../certs/ca_cert.der --key ./../certs/ca_key.p15 --country DE --organization NSN --unit PG RDE 3 --commonname Martin's CA
SUCCESS init
SUCCESS add random
SUCCESS open keyset
SUCCESS creating Context
SUCCESS setting Attribute CRYPT_CTXINFO_LABEL
SUCCESS generating Key
SUCCESS creating the certificate
SUCCESS setting the CRYPT_CERTINFO_SUBJECTPUBLICKEYINFO attribute
SUCCESS setting the CRYPT_CERTINFO_COUNTRYNAME attribute
SUCCESS setting the CRYPT_CERTINFO_ORGANIZATIONNAME attribute
SUCCESS setting the CRYPT_CERTINFO_ORGANIZATIONALUNITNAME attribute
SUCCESS setting the CRYPT_CERTINFO_COMMONNAME attribute
SUCCESS setting the validity
SUCCESS setting the CRYPT_CERTINFO_SELFSIGNED attribute
SUCCESS setting the CRYPT_CERTINFO_CA attribute
SUCCESS signing the certificate
SUCCESS storing the private key
SUCCESS setting Certificat to be trusted
SUCCESS storing the public key
SUCCESS export Certificate - checking certMaxLength
SUCCESS export Certificate
SUCCESS Destroying the certificate
SUCCESS destroying context
SUCCESS close keyset
SUCCESS shutting down cryptlib
HINT:
  Don't forget to copy "./../certs/ca_cert.der" to the certs-directory
  of the client if it is different from this installation!

# ./srv_add_pki_usr.sh
./../bin/cmpserver-cl --createuser --country DE --organization NSN --unit PG RDE 312280 --commonname Martin Peylo
SUCCESS init
SUCCESS add random
SUCCESS open certstore
INFO: Creating PKI User COUNTRY:"DE" ORG:"NSN" UNIT:"PG RDE 319273" CN:"Martin Peylo"
SUCCESS creating certificate
SUCCESS storing the PKI User
User= CUF8T-BY2NY-WDB34
Password= VSZQH-3JZ8S-8FYJD-95V5H
RevPW= 7PCRB-2USY6-CFXGZ-NVGCX
DECODED, HEX: User= 8BE886D865A830E740
Password= 2EE3E517F43C5B207FDCF670
RevPW= 44F0E250B7045A9AEC998550
SUCCESS destroying certificate
SUCCESS close certstore
SUCCESS shutting down cryptlib

# ./srv_run_daemon.sh
./../bin/cmpserver-cl --daemon --server 192.168.1.107 --port 4711 --cacert ./../certs/ca_cert.der --key ./../certs/ca_key.p15
SUCCESS init
SUCCESS add random
SUCCESS open certstore
SUCCESS open keyset
INFO: Starting CMP Server, serverName=192.168.1.107, serverPort=4711
SUCCESS get the private Key
SUCCESS create CMP Server
SUCCESS set attribute for certStore
SUCCESS set attribute for private Key
SUCCESS set attribute for server Address
SUCCESS set attribute for server Port


Error: Segmentation fault while running srv_add_pki_usr.sh
On 64-bit Ubuntu 14.04.2:
$ ./srv_add_pki_usr.sh
./../bin/cmpserver-cl --createuser --country DE --organization NSN --unit PG RDE 327804 --commonname Martin Peylo
SUCCESS init
SUCCESS add random
SUCCESS open certstore
INFO: Creating PKI User COUNTRY:"DE" ORG:"NSN" UNIT:"PG RDE 39791" CN:"Martin Peylo"
SUCCESS creating certificate
./srv_add_pki_usr.sh: line 13: 24173 Segmentation fault      (core dumped) ${CMPSERVER} --createuser --country "${COUNTRY}" --organization "${ORG}" --unit "${UNIT}$RANDOM" --commonname "${CN}"
FIX: this issue did not happen on 32-bit Ubuntu 12.04.3. The root cause is likely 64-bit-specific.

ERROR: User ID provided by client isn't a cryptlib user ID

# ./do_ossl_ir.sh CUF8T-BY2NY-WDB34 VSZQH-3JZ8S-8FYJD-95V5H
+ ./../bin/cmpclient --ir --server 192.168.1.107 --port 4711 --srvcert ./../certs/ca_cert.der --newkey ./../certs/cl_key.pem --newkeypass password --newclcert ./../certs/cl_cert.der --user CUF8T-BY2NY-WDB34 --password VSZQH-3JZ8S-8FYJD-95V5H
INFO: Reading DER Certificate from File ./../certs/ca_cert.der
SUCCESS: BIO_new
INFO: Using existing key file "./../certs/cl_key.pem"
INFO: Reading Public Key from File ./../certs/cl_key.pem
INFO: the passphrase is "password"...
SUCCESS: Reading PKEY
INFO: Sending Initialization Request
ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 394
3075692168:error:33080064:CRMF routines:CRMF_CERTREQMSG_set1_subject:crmferror:crmf_lib.c:509:
3075692168:error:3209608B:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:381:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: signerNotTrusted"
+ set +x
And the server shows:
ERROR set attribute CMP session active  - in FILE: cmpserver-cl.c, LINE 365, status=-22
trying to get the Errorstring:
get errorStringLength:
The ErrorStringLength:51
get errorString:
The ErrorString: User ID provided by client isn't a cryptlib user ID
SUCCESS destroy private Key
SUCCESS destroy session
INFO: Starting CMP Server, serverName=192.168.1.107, serverPort=4711
SUCCESS get the private Key
SUCCESS create CMP Server
SUCCESS set attribute for certStore
SUCCESS set attribute for private Key
SUCCESS set attribute for server Address
SUCCESS set attribute for server Port
Neither does "./do_ossl_ir.sh CUF8T-BY2NY-WDB34 VSZQH-3JZ8S-8FYJD-95V5H" work.
FIX:

cryptlib-340/session/cmp_rd.c, updateUserID(), protocolInfo->userIDsize should be 9.

Use the "DECODED" hex string, converted to raw bytes, as the user ID and password, for example:
./do_ossl_ir.sh $(echo -en '\xD5\x79\xE9\x07\x16\xAD\x06\x42\x60') $(echo -en '\x57\x06\x2E\x02\xEA\x2A\x4E\x85\xFA\xEE\x52\xE0')
https://github.com/mkl0301/cmpforopenssl/commit/b7c446f264b402074aa9c6af8c7d8842be3ff24c


Error: Server core dump again...

# ./do_ossl_ir.sh 8BE886D865A830E740 2EE3E517F43C5B207FDCF670
+ ./../bin/cmpclient --ir --server 192.168.1.107 --port 4711 --srvcert ./../certs/ca_cert.der --newkey ./../certs/cl_key.pem --newkeypass password --newclcert ./../certs/cl_cert.der --user $'\213\350\206\330e\2500\347@' --password '.�� �<[ ��p'
INFO: Reading DER Certificate from File ./../certs/ca_cert.der
SUCCESS: BIO_new
INFO: Using existing key file "./../certs/cl_key.pem"
INFO: Reading Public Key from File ./../certs/cl_key.pem
INFO: the passphrase is "password"...
SUCCESS: Reading PKEY
INFO: Sending Initialization Request
ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 394
3075499656:error:33080064:CRMF routines:CRMF_CERTREQMSG_set1_subject:crmferror:crmf_lib.c:509:
3075499656:error:3209608B:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:381:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: duplicateCertReq"
+ set +x
And the server core dumped (cryptlib debug enabled):
SVR: Reading message type 26.
SVR: Read new userID.
SVR: Read initial transID.
SVR: Read initial MAC params with salt, 500 iterations.
SVR: Writing message body type 1.
SVR: Writing MAC params with salt, 500 iterations.
SVR: Writing MAC params with salt, 500 iterations.
SVR: Writing userID.
SVR: Writing message body type 5.
SVR: Writing userID.
keyset/odbc.c:getErrorInfo:397: Couldn't read error information from database backend.
cmpserver-cl: keyset/odbc.c:398: getErrorInfo: Assertion `0' failed.
./srv_run_daemon.sh: line 12: 13306 Aborted                 (core dumped) ${CMPSERVER} --daemon --server ${SERVER} --port ${PORT} --cacert ${CACERT} --key ${CAKEY}
FIX:
I just thought of the fact that the libmyodbc installed by Ubuntu 12.04 is version 5.1.10-1, and the README uses libmyodbc3.so. So I decided to rebuild libmyodbc3.

sudo apt-get install libmysqlclient-dev
(libmyodbc3 requires mysql_config)

http://cdn.mysql.com/Downloads/Connector-ODBC/3.51/mysql-connector-odbc-3.51.30-src.tar.gz
./configure --enable-test=no
make

Change the /etc/odbc.ini:
Driver       = /path/to/mysql-connector-odbc-3.51.30-src/driver/.libs/libmyodbc3.so
Purge the database and run again, then this issue is gone!! (but another issue awaits...)

ERROR:
# ./do_ossl_ir.sh 250660288E8F818C80 DD1574745262358B34341A70
+ ./../bin/cmpclient --ir --server 192.168.1.107 --port 4711 --srvcert ./../certs/ca_cert.der --newkey ./../certs/cl_key.pem --newkeypass password --newclcert ./../certs/cl_cert.der --user '% `(���' --password $'\335\025ttRb5\21344\032p'
INFO: Reading DER Certificate from File ./../certs/ca_cert.der
SUCCESS: BIO_new
INFO: Using existing key file "./../certs/cl_key.pem"
INFO: Reading Public Key from File ./../certs/cl_key.pem
INFO: the passphrase is "password"...
SUCCESS: Reading PKEY
INFO: Sending Initialization Request
SUCCESS: validating protection of incoming message
INFO: Sending Certificate Confirm

ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 394
3075491464:error:33080064:CRMF routines:CRMF_CERTREQMSG_set1_subject:crmferror:crmf_lib.c:509:
3075491464:error:3209D090:CMP routines:CMP_PKIMESSAGE_http_perform:server not reachable:cmp_http.c:893:56:Failure when receiving data from the peer:unable to send certConf
+ set +x
And the server reported (cryptlib debug enabled):
SVR: Reading message type 26.
SVR: Read new userID.
SVR: Read initial transID.
SVR: Read initial MAC params with salt, 500 iterations.
SVR: Writing message body type 1.
SVR: Writing MAC params with salt, 500 iterations.
SVR: Writing MAC params with salt, 500 iterations.
SVR: Writing userID.
SVR: Writing message body type 5.
SVR: Writing userID.
ERROR set attribute CMP session active  - in FILE: cmpserver-cl.c, LINE 365, status=-41
trying to get the Errorstring:
get errorStringLength:
The ErrorStringLength:78
get errorString:
The ErrorString: No data was read because the remote system closed the connection (recv() == 0)
Facts:
  1. The first IR (type 0/26 stands for any) and the IP (type 1) are sent and received successfully.
  2. The client has sent the certConf.
  3. ??The server CANNOT receive anything??
  4. ??From the server-side messages, the server sent another type 5 (CMPBODY_ERROR), but nothing reached the wire??
  5. ??The server actively closes the socket (FIN is sent by the server)??

The server side failed at cryptlib-340/session/cmp_svr.c: serverTransact() while reading the data of CTAG_PB_CERTCONF, but nothing is received. I tried using a while loop, but nothing could be received. From the packet capture, the server had received the certConf, ACKed it, and even FINed. But nothing was received in software.

 (Stuck)

ftp://ftp.franken.de/pub/crypt/cryptlib/manual.pdf
cryptlib uses a standard format for the user ID and password that follows the style used for software registration codes and serial numbers. The user ID is in the form XXXXX-XXXXX-XXXXX and the password is in the form XXXXX-XXXXX-XXXXX-XXXXX. Characters that might cause confusion (for example O and 0 or 1 and l) aren’t present, and the data contains a checksum which is used to catch typing errors when the user enters the information.
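To see concretely what the "DECODED, HEX" values above are, and why the FIX passes raw bytes to do_ossl_ir.sh instead of the XXXXX-XXXXX-XXXXX strings, here is an added decoder for that format (example code written for these notes, not cryptlib's or cmpforopenssl's own). Its assumptions are labelled: the 32-symbol alphabet (A-Z without the confusable I and O, digits 2-9) and MSB-first 5-bit packing are inferred from the manual text and reproduce all three DECODED values printed by srv_add_pki_usr.sh above; the leading byte of the unpacked stream, which those printed values omit, is taken to be the checksum byte the manual mentions, and since the checksum algorithm is not on this page it is only reported, never verified.

```python
"""Unpack cryptlib-style PKI user IDs/passwords (XXXXX-XXXXX-XXXXX form)
into the raw bytes that cmpclient has to be given.

Added example for these notes, not part of cryptlib or cmpforopenssl.
Assumptions: the alphabet below and MSB-first 5-bit packing (both checked
against the DECODED values cmpserver-cl printed above); byte 0 of the
unpacked stream is treated as the checksum byte mentioned in the cryptlib
manual, but its algorithm is not on the page and is not verified here.
"""
from typing import Tuple

# Assumed 32-symbol alphabet: A-Z without the confusable I and O, digits 2-9
# (no 0 or 1), matching the manual's description and the sample IDs.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
_VALUE = {c: i for i, c in enumerate(ALPHABET)}

# Values printed by srv_add_pki_usr.sh in the notes, used as a self-check.
SAMPLES = {
    "CUF8T-BY2NY-WDB34": "8BE886D865A830E740",             # User
    "VSZQH-3JZ8S-8FYJD-95V5H": "2EE3E517F43C5B207FDCF670",  # Password
    "7PCRB-2USY6-CFXGZ-NVGCX": "44F0E250B7045A9AEC998550",  # RevPW
}


def unpack_groups(text: str) -> bytes:
    """Drop the dashes, map every symbol to 5 bits and pack them MSB-first.
    A trailing partial byte is zero-padded on the right, which is how the
    last three bits of CUF8T-BY2NY-WDB34 become the 0x40 seen above."""
    symbols = text.replace("-", "").upper()
    if not symbols or len(symbols) % 5:
        raise ValueError("expected groups of five symbols")
    acc = 0          # bit accumulator
    nbits = 0        # number of not-yet-emitted bits in acc
    out = bytearray()
    for ch in symbols:
        if ch not in _VALUE:
            raise ValueError(f"symbol {ch!r} is not in the ID alphabet")
        acc = (acc << 5) | _VALUE[ch]
        nbits += 5
        while nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
    if nbits:
        out.append((acc << (8 - nbits)) & 0xFF)
    return bytes(out)


def decode_user_value(text: str) -> Tuple[int, bytes]:
    """Return (checksum_byte, value). The value is what cmpserver-cl prints
    as 'DECODED, HEX' (9 bytes for a user ID, 12 for a password), i.e. the
    stream with its first byte removed (assumed to be the checksum)."""
    raw = unpack_groups(text)
    return raw[0], raw[1:]


def shell_quote_bytes(value: bytes) -> str:
    """Render the raw value as a bash ANSI-C quoted word ($'\\x..') so it can
    be handed to do_ossl_ir.sh as a single argument even when it contains
    spaces (the password above has 0x20 in it). A NUL byte cannot be carried
    in argv at all, so refuse it rather than silently truncating."""
    if b"\x00" in value:
        raise ValueError("value contains NUL, which cannot be an argv word")
    return "$'" + "".join(f"\\x{b:02x}" for b in value) + "'"


def self_check() -> bool:
    """True when every sample from the notes decodes to its DECODED value."""
    return all(decode_user_value(t)[1].hex().upper() == h
               for t, h in SAMPLES.items())


if __name__ == "__main__":
    for text in SAMPLES:
        chk, val = decode_user_value(text)
        print(f"{text:24} checksum=0x{chk:02X} value={val.hex().upper()} "
              f"argv={shell_quote_bytes(val)}")
    print("self-check:", "ok" if self_check() else "MISMATCH")
```

Running it prints the three values exactly as srv_add_pki_usr.sh did, plus the leading byte each printed value leaves out; the ANSI-C quoted form is the safer way to hand such a value to a script, since the page's `$(echo -en ...)` substitution depends on the calling script quoting its arguments and will never survive a NUL byte.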

Error in running openssl cmp client
http://ejbca-develop.narkive.com/GiMkYheS/error-in-running-openssl-cmp-client
/root/sriram/cmpforopenssl-code/src/openssl-1.0.1e-cmp/apps/openssl cmp -cmd ir -server 10.206.1.3:8080 -path ejbca/publicweb/cmp -srvcert certs/ManagementCA.pem -user cmptest -pass CMP-pwd -newkey certs/cl_key.pem -certout certs/cl_cert.pem -subject "/CN=cmptest"
Getting error using CMP client with EJBCA
http://comments.gmane.org/gmane.comp.java.ejbca.devel/4541
ejbca:~/cmpforopenssl-code-766/src/openssl-client$ ./cmpclient --server localhost --port 8080 --path ejbca/public/cmp --srvcert ManagementCA.cacert.pem --ir --user vmware --password vmware --newclcert user1.der --newkey user_key.pem --subject "CN=vmware,C=SC"