Re: CMP mock server OldCertID check behavior

David von Oheimb <dev@xxxxxxxx> · Mon, 12 Jul 2021 17:39:18 +0200



    Hello Petr,
    thank you for your message and filing the related issue at https://github.com/openssl/openssl/issues/16041.

      I very much appreciate such feedback on the new CMP implementation
      and its tests.

    
    You are right that the behavior of the mock server appears pretty
      strange regarding the checks on the oldCertID in kur
      messages.

      This is because for the HTTP-based OpenSSL-internal CMP test cases
      the mock server deals, as you noticed, with just a single
      certificate.

      For this reason, the short-circuit comparison given in cmp_mock_srv.c
      is sufficient but at least would have deserved an explaining
      comment and documentation.
    In order to make the mock server more generally useful, I've
      extended it in https://github.com/openssl/openssl/pull/16050
      

      by giving the option -ref_cert to specify an independent
      reference certificate to be used for the checks done for kur
      and rr messages.
    Kind regards,
        David

    
    On 08.07.21 13:17, Petr Gotthard wrote:

    
        Hello,
         
        I am trying to renew a
            certificate via CMP and authenticate the request using the
            same cert.
         
        I start the mock server:
        openssl cmp -port 8080
            -srv_trusted test-ca-cert.pem \
                    -srv_key
            test-server-key.pem -srv_cert test-server-cert.pem \
                    -rsp_cert
            test-client-cert2.pem -rsp_capubs test-ca-cert.pem &
         
        And run the client:
        openssl cmp -cmd kur
            -server localhost:8080/pkix/ -srvcert test-server-cert.pem \
                    -key
            test-client-key.pem -cert test-my-cert.pem \
                    -newkey
            test-client-key2.pem -certout test-my-cert2.pem
         
        However, the CMP
            server(?) compares the serial number of the old client
            certificate with the serial of the new (enrolled)
            certificate and fails. (I can make the enrollment succeed if
            I force the old and the new certificate to have the same
            serial.)
         
        CMP error: received
            error:PKIStatus: rejection; PKIFailureInfo: badRequest;
            StatusString: "wrong certid"; errorCode: 1D0000BD;
            errorDetails: CMP routines, wrong certid
         
        What am I doing wrong,
            please? It is quite obvious the new certificate will have a
            different certid, isn’t it?
         
         
        Kind Regards,
        Petr