certmonger

#202 SCEP renewal with OpenXPKI is not working (+patch PoC)
Closed: fixed by rcritten. Opened by morian.

Closed: fixed
Reopen Issue

I am trying to use certmonger with an OpenXPKI instance for automatic renewal of issued certificates, using SCEP. The request is properly crafted and sent to OpenXPKI, using the old certificate as a proof, and OpenXPKI seem to answers appropriately.

The received output is then parsed by certmonger but decryption silently fails:

May 19 22:49:53 portal certmonger[29712]: 2021-05-19 22:49:53 [29970] Succeeded in decrypting enveloped data.
May 19 22:49:53 portal certmonger[29712]: 2021-05-19 22:49:53 [29970] Error retrieving SPKI from certificate
[...]
May 19 22:49:53 portal certmonger[29712]: 2021-05-19 22:49:53 [29712] Child status = 0.
May 19 22:49:53 portal certmonger[29712]: 2021-05-19 22:49:53 [29712] Child output:
May 19 22:49:53 portal certmonger[29712]: "{}
May 19 22:49:53 portal certmonger[29712]: "
May 19 22:49:53 portal certmonger[29712]: 2021-05-19 22:49:53 [29712] No issued certificate read.
May 19 22:49:53 portal certmonger[29712]: 2021-05-19 22:49:53 [29712] Unable to determine course of action for Request1('portal').
May 19 22:49:53 portal certmonger[29712]: 2021-05-19 22:49:53 [29712] Request1('portal') moved to state 'NEED_GUIDANCE'

While debugging this issue, I came across a major difference between sscep and certmonger regarding the decryption of the received PKCS7 message.

  /* sscep/src/pkcs7.c +807 */
  if (PKCS7_decrypt(p7enc, recipientkey, recipientcert, outbio, 0) == 0) {

The main difference is sscep uses the previous certificate to decrypt the PKCS7 message while certmonger does not (and passes NULL). For an unknown reason this function does not fail in my situation writes garbage to the output BIO (and not an ASN1 structure as expected).

I am not familiar at all with either sscep or certmonger code base, but I came to find a working patch for certmonger with regards to this issue:
https://pagure.io/fork/morian/certmonger/c/e8c0923ed403030d0c86a3b987f0b6cfc48036aa

As I am not really aware of all the code base around, I would not pretend to issue a merge request from this, but this code made the renewal process work smoothly, which fixes the issue I encountered. The same kind of fix should probable be performed on submit-n.c, which seems to be used in NSS database.

Let me know if I can bring additional information, I would really like to be able to renew my certificates this way using certmonger!

Sorry for the delay, I'll take a look. Thanks for doing so much investigation!

I haven't been able to duplicate the PKCS#7 failure but I also don't have an OpenXPKI to test against. I've modified your candidate patch a bit and will be submitting a PR soon. Would you be able to help test it?

PR https://pagure.io/certmonger/pull-request/207

Sorry for the delay, I just found out you replied yesterday.

I have just applied your patch, ran a rekey against my OpenXPKI and it worked, thanks!

On my first post I mentioned that submit-n.c also contains a call to PKCS7_decrypt, when certmonger is used with a NSS database. I do not use this feature but it may also benefit from the same kind of patch (I guess?).

On a side topic and for the sake of the record for OpenXPKI administrators here, you need to edit or comment the match field of your configuration file in realm/workflow/global/field/transaction_id.yaml to make certmonger work with OpenXPKI. This is because OpenXPKI expects the transaction ID to be a 32 to 40 hexadecimal string while certmonger provides a decimal representation of something (with a variable length).

Here is the original content for this file:

label: I18N_OPENXPKI_UI_WORKFLOW_FIELD_TRANSACTION_ID_LABEL
name: transaction_id
description: I18N_OPENXPKI_UI_WORKFLOW_FIELD_TRANSACTION_ID_DESC
placeholder: d2b5848880cdb8bdac5cfe01adbe50c475fc00e8
required: 0
type: text
api_type: Str
# Older SCEP clients still use md5 which is 32 chars and most times uppercase
match: \A[0-9a-zA-Z]{32,40}\z

Again thanks for your time and sorry for the delay!

Metadata Update from @rcritten:
- Issue assigned to rcritten

PR updated to include similar code for the NSS path.

merged.

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
Metadata
None
None
None
None
Static archive. pagure.io was sunset in 2026; this is a read-only snapshot.
Red Hat Logo

Fedora is sponsored by Red Hat. Learn more about the relationship between Red Hat and Fedora »

© Red Hat, Inc. and others.