libest
Invalid enrolled certificate for testrfc7030.com
I'm trying to run some tests with your example server http://testrfc7030.com/. Using the instructions on the welcome page, the enrolled certificate is correctly verified by openssl:
openssl verify -CAfile dstcax3.pem cert.pem
cert.pem: OK
After this, I tried with my EST client, written in C using OpenSSL, with the same CSR as before. It works, but the resulting certificate is not signed by the EST TA from the /cacerts result.
This is the HTTP response I receive:
HTTP/1.1 200 OK
Status: 200 OK
Content-Type: application/pkcs7-mime; smime-type=certs-only
Content-Transfer-Encoding: base64
Content-Length: 581
MIIBqQYJKoZIhvcNAQcCoIIBmjCCAZYCAQExADALBgkqhkiG9w0BBwGgggF+MIIB
ejCCASCgAwIBAgICRgowCQYHKoZIzj0EATAXMRUwEwYDVQQDEwxlc3RFeGFtcGxl
Q0EwHhcNMjMwNTI0MTUwMjU5WhcNMjQwNTIzMTUwMjU5WjAaMRgwFgYDVQQDDA9J
bnRlZ3JhdGlvblRlc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASokWYzytG8
zPnEGPXo/Jmnic99bic4tDPWlmFfh5OxlWNkIFwh5Icrwgr6J0AGU0YY0ZHFAXr4
y0qG/RWfRDxpo1owWDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQU
j8bjcy/sbrXxm0UsehtszyszO4IwHwYDVR0jBBgwFoAU19Ls64zSgHGcy/RG01LR
JqtjXiowCQYHKoZIzj0EAQNJADBGAiEAhofY7Ey3j91q3lyp7nAshpuQZr7oKQWr
mxA9P6D1yv0CIQD6EhXZlDwcbDkjI1GmdZxa2tVzsb/Cq2/A7b7ONLJFhzEA
If you try to parse the certificate, this is the output (please note the signature algorithm!):
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 17930 (0x460a)
Signature Algorithm: ecdsa-with-SHA1
Issuer: CN=estExampleCA
Validity
Not Before: May 24 15:02:59 2023 GMT
Not After : May 23 15:02:59 2024 GMT
Subject: CN=IntegrationTest
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:a8:91:66:33:ca:d1:bc:cc:f9:c4:18:f5:e8:fc:
99:a7:89:cf:7d:6e:27:38:b4:33:d6:96:61:5f:87:
93:b1:95:63:64:20:5c:21:e4:87:2b:c2:0a:fa:27:
40:06:53:46:18:d1:91:c5:01:7a:f8:cb:4a:86:fd:
15:9f:44:3c:69
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature
X509v3 Subject Key Identifier:
8F:C6:E3:73:2F:EC:6E:B5:F1:9B:45:2C:7A:1B:6C:CF:2B:33:3B:82
X509v3 Authority Key Identifier:
D7:D2:EC:EB:8C:D2:80:71:9C:CB:F4:46:D3:52:D1:26:AB:63:5E:2A
Signature Algorithm: ecdsa-with-SHA1
Signature Value:
30:46:02:21:00:86:87:d8:ec:4c:b7:8f:dd:6a:de:5c:a9:ee:
70:2c:86:9b:90:66:be:e8:29:05:ab:9b:10:3d:3f:a0:f5:ca:
fd:02:21:00:fa:12:15:d9:94:3c:1c:6c:39:23:23:51:a6:75:
9c:5a:da:d5:73:b1:bf:c2:ab:6f:c0:ed:be:ce:34:b2:45:87
Obviously the verify command fails:
openssl verify -CAfile dstcax3.pem cert-client.pem
CN = IntegrationTest
error 20 at 0 depth lookup:unable to get local issuer certificate
cert-client.pem: verification failed: 20 (unable to get local issuer certificate)
Why do I receive a certificate with a SHA1 signature? Is this signed by another CA?
NB: this is done using a P12 as the client certificate, connecting to port 9443. If I try to run the same test using basic auth, connecting to port 8443, the enrolled certificate is correct (validated and with SHA256 as the signature algorithm).
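The following is an added example, not code from the issue author or from libest. It does offline what the post does with openssl: it takes the base64 body of the certs-only /simpleenroll response quoted above, walks the CMS SignedData wrapper and the embedded certificate with a minimal DER reader (standard library only), and reports serial, issuer, subject and the signature algorithm, flagging SHA-1. It also checks that the outer signatureAlgorithm matches tbsCertificate.signature as RFC 5280 requires. It is not a full X.509 parser (only CN is mapped in names, and the signature itself is not verified, since the /cacerts trust anchor is not on the page); the OID-to-name table and the "weak algorithm" set are this example's own assumptions.

```python
"""Decode an EST certs-only response and report what the enrolled cert is signed with.
Added example (standard library only); not libest code. Assumes a single-cert SignedData."""
import base64
import re

# Base64 body of the HTTP response quoted in the issue (copied verbatim, line breaks kept).
RESPONSE_BODY = """
MIIBqQYJKoZIhvcNAQcCoIIBmjCCAZYCAQExADALBgkqhkiG9w0BBwGgggF+MIIB
ejCCASCgAwIBAgICRgowCQYHKoZIzj0EATAXMRUwEwYDVQQDEwxlc3RFeGFtcGxl
Q0EwHhcNMjMwNTI0MTUwMjU5WhcNMjQwNTIzMTUwMjU5WjAaMRgwFgYDVQQDDA9J
bnRlZ3JhdGlvblRlc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASokWYzytG8
zPnEGPXo/Jmnic99bic4tDPWlmFfh5OxlWNkIFwh5Icrwgr6J0AGU0YY0ZHFAXr4
y0qG/RWfRDxpo1owWDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQU
j8bjcy/sbrXxm0UsehtszyszO4IwHwYDVR0jBBgwFoAU19Ls64zSgHGcy/RG01LR
JqtjXiowCQYHKoZIzj0EAQNJADBGAiEAhofY7Ey3j91q3lyp7nAshpuQZr7oKQWr
mxA9P6D1yv0CIQD6EhXZlDwcbDkjI1GmdZxa2tVzsb/Cq2/A7b7ONLJFhzEA
"""

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
# Small OID table for this example (assumption: only the algorithms relevant to the post).
SIG_ALG_NAMES = {
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIG_ALGS = {"1.2.840.10045.4.1", "1.2.840.113549.1.1.5"}  # SHA-1 based


def _tlv(buf, pos):
    """Read a DER tag and length at buf[pos]; return (tag, value_start, value_len)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, length


def _children(buf):
    """Yield (tag, value, whole_tlv) for each TLV encoded back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, vstart, vlen = _tlv(buf, pos)
        yield tag, buf[vstart:vstart + vlen], buf[pos:vstart + vlen]
        pos = vstart + vlen


def _oid(value):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _alg_oid(alg_id_value):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }; return the OID."""
    return _oid(next(_children(alg_id_value))[1])


def _name(value):
    """Render a Name (SEQUENCE OF SET OF {OID, string}) as 'CN=...'; only CN is mapped here."""
    parts = []
    for _, rdn, _ in _children(value):
        for _, atv, _ in _children(rdn):
            (_, oid_value, _), (_, s, _) = list(_children(atv))
            attr = {"2.5.4.3": "CN"}.get(_oid(oid_value), _oid(oid_value))
            parts.append(f"{attr}={s.decode()}")
    return ",".join(parts)


def pkcs7_certificates(der):
    """Return the DER certificates carried in a CMS SignedData (certs-only) blob."""
    _, content_info, _ = next(_children(der))                    # ContentInfo SEQUENCE
    (_, content_type, _), (_, explicit0, _) = list(_children(content_info))
    if _oid(content_type) != OID_SIGNED_DATA:
        raise ValueError("not a signedData ContentInfo")
    _, signed_data, _ = next(_children(explicit0))               # [0] EXPLICIT -> SignedData
    fields = list(_children(signed_data))
    # version, digestAlgorithms, encapContentInfo, [0] certificates, [1] crls, signerInfos
    certs = []
    for tag, value, _ in fields[3:]:
        if tag == 0xA0:                                          # [0] IMPLICIT CertificateSet
            certs.extend(whole for _, _, whole in _children(value))
    return certs


def certificate_summary(cert_der):
    """Extract the fields the post compares: serial, issuer, subject, signature algorithm."""
    _, cert, _ = next(_children(cert_der))
    (_, tbs, _), (_, sig_alg, _), _ = list(_children(cert))     # tbs, sigAlg, sigValue
    tbs_fields = list(_children(tbs))
    if tbs_fields[0][0] == 0xA0:                                 # [0] EXPLICIT version (v3)
        tbs_fields = tbs_fields[1:]
    serial, tbs_sig, issuer, _validity, subject = tbs_fields[:5]
    outer_oid, inner_oid = _alg_oid(sig_alg), _alg_oid(tbs_sig[1])
    if outer_oid != inner_oid:                                   # RFC 5280 4.1.1.2
        raise ValueError("signatureAlgorithm differs between TBS and outer certificate")
    return {
        "serial": int.from_bytes(serial[1], "big", signed=True),
        "issuer": _name(issuer[1]),
        "subject": _name(subject[1]),
        "sig_alg": SIG_ALG_NAMES.get(outer_oid, outer_oid),
        "weak_sig": outer_oid in WEAK_SIG_ALGS,
    }


def check_enroll_response(body_b64):
    """Decode a certs-only response body and summarise every certificate it carries."""
    der = base64.b64decode(re.sub(r"\s+", "", body_b64))
    return [certificate_summary(c) for c in pkcs7_certificates(der)]


if __name__ == "__main__":
    for summary in check_enroll_response(RESPONSE_BODY):
        print(summary)
```

Run against the body quoted in the post this reports issuer CN=estExampleCA, subject CN=IntegrationTest, serial 17930 and ecdsa-with-SHA1 with weak_sig set, which is exactly the mismatch the openssl text dump shows; pointing it at the body returned on port 8443 is the quickest way to confirm, without a CA bundle, whether the two ports are handing out certificates from different issuers.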