
Re: question on interop with entrust server





Hmm. Repeating my refrain about not knowing anything... but recently we had an internal discussion where we noted the following:

IOS structures its SCEP requests to the authority differently depending
on whether it is a CA or an RA. One of those differences is in the
extensionRequest attribute. Here is the behavior:

CA
----
Uses the Verisign OID for extensionRequest - 2.16.840.1.113733.1.9.8
ExtensionRequest is encoded as an Octet String

RA
-----
Uses pkcs #9 OID for extensionRequest - 1.2.840.113549.1.9.14
ExtensionRequest is encoded as a T61 String

The reasons for this are historical, uninteresting, and not obvious from the present. The result, though, is that if the extensionRequest attribute sent to the Entrust RA is encoded as an Octet String (which works for CAs!) it will fail.

I wonder if you're running into something like this?

	- max
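The two attribute shapes Max lists above, worked through as DER bytes. This is an added example, not code from the thread, from Cisco IOS or from Entrust: it hand-rolls the encoding of an extensionRequest attribute in the "CA" shape (Verisign OID, value wrapped in an OCTET STRING), the "RA" shape (PKCS#9 OID, value wrapped in a T61String) and, for comparison, the RFC 2985 shape (PKCS#9 OID, the Extensions SEQUENCE as the value itself), then classifies an attribute by the OID and the tag of its value so you can see at a glance which shape a client is emitting. The variant names, the function names and the embedded Basic Constraints extension are all assumptions constructed for the example; the OIDs are the ones quoted in the message.

```python
# Added example, not code from the thread or from Cisco/Entrust: hand-rolled
# DER for the extensionRequest attribute shapes discussed above, plus a
# classifier that reports which shape a given attribute uses.  Variant names
# ("ios-ca", "ios-ra", "rfc2985") and the sample extension are constructed
# for this example; the OIDs are the ones quoted in the thread.

OID_PKCS9_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"      # pkcs-9 extensionRequest
OID_VERISIGN_EXTENSION_REQUEST = "2.16.840.1.113733.1.9.8"  # Verisign variant
OID_BASIC_CONSTRAINTS = "2.5.29.19"                         # sample extension only

TAG_OCTET_STRING, TAG_OID, TAG_T61_STRING = 0x04, 0x06, 0x14
TAG_SEQUENCE, TAG_SET = 0x30, 0x31

# (attribute OID, tag that wraps the Extensions SEQUENCE); None means the
# Extensions SEQUENCE is the attribute value itself, as RFC 2985 defines it.
VARIANTS = {
    "ios-ca": (OID_VERISIGN_EXTENSION_REQUEST, TAG_OCTET_STRING),
    "ios-ra": (OID_PKCS9_EXTENSION_REQUEST, TAG_T61_STRING),
    "rfc2985": (OID_PKCS9_EXTENSION_REQUEST, None),
}


def der_len(n):
    """DER definite-form length: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    """Base-128 OID encoding: first two arcs packed into one byte."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def sample_extensions():
    """Constructed Extensions SEQUENCE holding one end-entity Basic Constraints."""
    basic_constraints = tlv(TAG_SEQUENCE, b"")  # cA absent => DEFAULT FALSE
    extension = tlv(TAG_SEQUENCE,
                    encode_oid(OID_BASIC_CONSTRAINTS)
                    + tlv(TAG_OCTET_STRING, basic_constraints))
    return tlv(TAG_SEQUENCE, extension)


def extension_request_attribute(variant, extensions):
    """Attribute ::= SEQUENCE { type OID, values SET OF <value> } in one shape."""
    oid, wrap_tag = VARIANTS[variant]
    value = extensions if wrap_tag is None else tlv(wrap_tag, extensions)
    return tlv(TAG_SEQUENCE, encode_oid(oid) + tlv(TAG_SET, value))


def read_tlv(buf, pos=0):
    """Return (tag, body, end) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def classify_extension_request(attr):
    """Report the OID, the value tag and the inferred shape of one attribute."""
    tag, body, end = read_tlv(attr)
    if tag != TAG_SEQUENCE or end != len(attr):
        raise ValueError("expected a single Attribute SEQUENCE")
    tag, oid_body, pos = read_tlv(body)
    if tag != TAG_OID:
        raise ValueError("attribute type is not an OID")
    oid = decode_oid(oid_body)
    tag, set_body, _ = read_tlv(body, pos)
    if tag != TAG_SET:
        raise ValueError("attribute values are not a SET")
    vtag, vbody, vend = read_tlv(set_body)
    style = next((name for name, (o, w) in VARIANTS.items()
                  if o == oid and (w if w is not None else TAG_SEQUENCE) == vtag),
                 "unknown")
    # Wrapped shapes carry the Extensions inside the string; RFC 2985 does not.
    extensions = set_body[:vend] if vtag == TAG_SEQUENCE else vbody
    return {"oid": oid, "value_tag": vtag, "style": style, "extensions": extensions}


if __name__ == "__main__":
    for name in VARIANTS:
        attr = extension_request_attribute(name, sample_extensions())
        print(name, attr.hex(), classify_extension_request(attr)["style"])
```

Running the script prints the hex of each variant next to the shape the classifier infers from it. To check what a real client sends, dump the CSR's attributes (for instance with `openssl asn1parse -i` on the PKCS#10 once it is out of the PKCS#7 envelope) and compare the OID and the tag of the value against the three shapes here; a PKCS#9 OID paired with an OCTET STRING value, which the thread says works against CAs but fails against the Entrust RA, classifies as "unknown".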

On Nov 7, 2006, at 12:24 PM, Ricky Charlet wrote:

Hi Max,
	
	I think we just had some emails cross in transit. My new email on the thread "draft 6 of draft-nourse-scep" should speak to your question.


	But, I'll also reply here. The Entrust server is a CA+RA. I receive both the CA cert and the RA cert during my authentication step. I store both. When I get to my enrollment step, we DES-encrypt the PKCS#10 with a new content key, RSA-encrypt the content key with the RA cert's public key, and attach the encrypted content key to the PKCS#7 recipientInfo.

	I don't know if the Entrust server is failing to decrypt the content key or failing to decrypt the PKCS#10.

---
Ricky Charlet
W: 408.754.1733
rcharlet@xxxxxxxxxx
--- _
   ( )  ASCII ribbon campaign
    X    - against HTML email
   / \

-----Original Message-----
From: Max Pritikin [mailto:pritikin@xxxxxxxxx]
Sent: Tuesday, November 07, 2006 12:17 PM
To: Charlet, Ricky (HLYER:0000)
Cc: scep@xxxxxxxx
Subject: Re: question on interop with entrust server


Well, again voicing my complete lack of knowledge about Entrust internals...

Is this against a CA or an RA? And is there a difference in the behavior you are seeing?

	- max

On Nov 7, 2006, at 9:17 AM, Ricky Charlet wrote:

Hi Max,

	I don't have a clear enough view into the Entrust server operation to firmly answer your question. But I strongly suspect it is a problem with decryption. The specific error message I get from the Entrust logs says

"[-00151 The signature verification failed.] Failure during unprotect of signed data"

	The signature verification failure is irrelevant. I know this from 1) the standards don't require it, and 2) a successful enrollment from a Cisco router gets a similar log entry about sig-verification failure, but then proceeds onward.

	The relevant part of that log message above seems to be "Failure during unprotect of signed data".


---
Ricky Charlet
W: 408.754.1733
rcharlet@xxxxxxxxxx

-----Original Message-----
From: Max Pritikin [mailto:pritikin@xxxxxxxxx]
Sent: Monday, November 06, 2006 5:26 PM
To: Charlet, Ricky (HLYER:0000)
Cc: scep@xxxxxxxx
Subject: Re: question on interop with entrust server


"After a bit more reading..." Then what? :)

Are you having trouble with the Entrust CA decrypting the PKCS#7 or is it trouble parsing the PKCS#7? Does your client work against a different CA server?

	- max

On Nov 6, 2006, at 5:04 PM, Ricky Charlet wrote:


After a bit more reading....


---
Ricky Charlet
W: 408.754.1733
rcharlet@xxxxxxxxxx

-----Original Message-----
From: owner-scep@xxxxxxxxxxxxx [mailto:owner-scep@xxxxxxxxxxxxx] On Behalf Of Charlet, Ricky (HLYER:0000)
Sent: Monday, November 06, 2006 12:49 PM
To: scep@xxxxxxxx
Subject: question on interop with entrust server


Howdy,

	My group is building a new SCEP client. We have successfully interoperated against Microsoft but are having a difficult time interoperating with Entrust. The Entrust server seems not to be able to decrypt our PKCS#7. But the log message is very vague.
	
	I'm hoping an Entrust VPN enrollment server person is reading this and can contact me directly to work out some interop testing.


---
Ricky Charlet
W: 408.754.1733
rcharlet@xxxxxxxxxx