SCEP Asking for Password

Open 0xab3d opened this issue 10 months ago • 5 comments

Hello, I am trying to test the SCEP client with EJBCA-CE, however I am getting "no password was sent with the request".

➜ scepclient-windows-amd64-v2.2.0 ✗ .\scepclient-windows-amd64.exe -cn "test-LAP-7344-EJBCA" -challenge "test" -cacert-message "default" -debug -server-url "http://10.68.30.33:8080/ejbca/publicweb/apply/scep/portal/pkiclient.exe" -private-key ./nn.key
level=info ts=2025-01-22T18:59:17.5236031Z op=GetCACert error=null took=11.2827ms
level=debug ts=2025-01-22T18:59:17.5236031Z msg=cacertlist count=1
level=debug ts=2025-01-22T18:59:17.5236031Z msg=cacertlist number=0 rdn="CN=test Issuing CA - G3" hash_type=SHA-256 hash=234fbf1862db313606c56e23b0989332ae7504418c5b257e0448fda869be7555
level=debug ts=2025-01-22T18:59:17.5241062Z msg="creating SCEP CSR request" transaction_id="2S4qJDk1BRPz41+yrFOolpHyxAg=" signer_cn="SCEP SIGNER"
level=info ts=2025-01-22T18:59:17.5296515Z op=GetCACaps error=null took=4.5185ms
level=info ts=2025-01-22T18:59:17.5446602Z op=PKIOperation error="http request failed with status 400 Bad Request, msg:

ErrorNo password in request." took=15.0087ms
PKIOperation for PKCSReq (19): http request failed with status 400 Bad Request, msg: ErrorNo password in request.

0xab3d • Jan 22 '25 19:01

Hey @0xab3d, the error seems to come from here: https://github.com/Keyfactor/ejbca-ce/blob/f2e334c7befea0def86c230e823555658e604827/modules/ejbca-ejb/src/org/ejbca/core/ejb/ca/sign/SignSessionBean.java#L526-L535, which I think gets the password from here: https://github.com/Keyfactor/ejbca-ce/blob/main/modules/cesecore-common/src/org/cesecore/certificates/certificate/request/PKCS10RequestMessage.java#L184-L238.

Since it's HTTP, can you capture the request using e.g. Wireshark, and paste the base64 here?

hslatman • Jan 22 '25 23:01

Thanks @hslatman for checking this. Here you go.

0xab3d • Jan 23 '25 07:01

The message looks OK.

I checked it out, but I forgot that the actual CSR that should contain the challenge is embedded in the message, and is not readily available for inspection.

Is it an option for you to compile your own scepclient from this repo, and add some debug statements?

hslatman • Jan 23 '25 16:01

Thanks for checking. Let me try and will let you know.

0xab3d • Jan 26 '25 08:01

> Thanks for checking. Let me try and will let you know.

Great 🙂

The minimal change to debug the CSR is something like this: https://github.com/hslatman/scep/pull/1.

hslatman • Jan 26 '25 11:01
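
As an added example (not code from this thread, the linked PR or the scep project): a Go helper that reports whether a DER-encoded CSR carries the PKCS#9 challengePassword attribute, which is the kind of check a debug statement could run on the CSR before it is embedded in the SCEP message. The names `ChallengePassword`, `SampleCSR`, `attribute` and `csrInfo` are hypothetical, and the sample CSR is constructed with crypto/x509 alone, which sets no challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

var oidChallenge = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7} // PKCS#9 challengePassword
type attribute struct { // RFC 2986 Attribute
	Type   asn1.ObjectIdentifier
	Values []asn1.RawValue `asn1:"set"`
}
type csrInfo struct { // RFC 2986 CertificationRequestInfo
	Version            int
	Subject, PublicKey asn1.RawValue
	Attributes         []attribute `asn1:"tag:0"`
}

// ChallengePassword reads the attribute from a DER CSR; crypto/x509 does not expose it.
func ChallengePassword(der []byte) (string, bool, error) {
	var req struct{ Info csrInfo; Alg, Sig asn1.RawValue } // RFC 2986 CertificationRequest
	if _, err := asn1.Unmarshal(der, &req); err != nil {
		return "", false, err
	}
	for _, a := range req.Info.Attributes {
		if a.Type.Equal(oidChallenge) && len(a.Values) > 0 {
			return string(a.Values[0].Bytes), true, nil // string content of the first value
		}
	}
	return "", false, nil
}

func SampleCSR() ([]byte, error) { // constructed input: crypto/x509 alone sets no challenge
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "constructed-client"}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

func main() {
	if der, err := SampleCSR(); err == nil {
		fmt.Println(ChallengePassword(der))
	}
}
```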