Comments (5)
mbartosch
commented on August 26, 2024
I am afraid I do not understand the problem properly.
Does sscep terminate after finding a difference? Reading the code (master and develop differ a bit) seems to indicate that the program might complain about a difference (when called with -v) but continue anyway. This is correct in my opinion, because the CA should be able to modify the scep request to match its policies.
So if the program complains about differing subjects but continues anyway you should be fine.
If it terminates, this is an error and should be fixed (but as far as I can see it should not).
from sscep.
nikedlab
commented on August 26, 2024
May be it is OpenSsl issue when executed X509_NAME_cmp(). I need to find matches in certificate subject:
"(/C=US/ST=Qwerty/L=Asdfg/O=Test organization/CN=Test User)" with subject from CSR: "(/CN=Test User)" but X509_NAME_cmp() returned not zero.
As workaround now I use strstr(cert_buf, req_buf) to find my CN in certificate subject as substring but I think it is not best way
from sscep.
mbartosch
commented on August 26, 2024
I understand you actually WANT to match the cert subject against the csr subject? I don't know why this would be useful (in fact it can cause a lot of trouble, which is why the original check was removed from the sscep code).
Your problem is very likely caused by a nasty side effect of the OpenSSL X509_NAME_cmp() function: even if the string representation of a subject looks exactly the same, the corresponding DER representation does not necessarily have to match. For example, I had the problem that the request contained a BMPString with the requested subject. The CA then returned a certificate with the exact same subject, but encoded as IA5String (or vice versa). The OpenSSL compare function considers the string as different even if their ASCII representation is identical.
Alone for this reason it's not really useful to rely on DN matching - IMO, that is.
from sscep.
nikedlab
commented on August 26, 2024
Ok, I understood. Best solution it is to disable subject comparison. I'm right?
from sscep.
mbartosch
commented on August 26, 2024
In my opinion and from my experience designing and developing PKI solutions (OpenXPKI and CertNanny) I think it is best to disable it - it does hurt more than help.
from sscep.
Related Issues (20)
- Questions about SCEP polling mode HOT 4
- Does SSCEP enroll works with RA? HOT 1
- sscep: illegal URL https HOT 6
- Issue generating certs HOT 19
- IPv6 address malformatted in getca requests
- CA Identifier switch -i not functional? HOT 1
- any way to pass a private key passphrase to an enroll request?
- Sscep version compatible with openssl 3.0.2 15 HOT 6
- enrollment challenge password HOT 1
- Error parsing IPv6 address without port
- Does the sscep support PKCS11 engine? HOT 8
- Also not able to Enroll with NDES, failure reason: Integrity check failed, illegal size of payload HOT 1
- sscep: error verifying signature with Red Hat 9 HOT 3
- Dogtag 10.12 Seemingly Returning Incorrect pkiStatus to sscep 0.9.1 When Certificate Request is Awaiting Approval HOT 1
- CAIdentifier will send with GETCA even it is not defined in the call HOT 1
- getca option -> "cannot parse response"
- I want to add 'I' option on making enrollment on sscep-0.9.0 version to use specific ip address on multi ethernet port.
- Building sscep client in Rockey Linux8 Failed HOT 1
- sscep for FreeRTOS
- sscep enroll server response status code: 500, MIME header: missing HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sscep.