missing BIO_FLAGS_BASE64_NO_NL flag in est_client.c/b64_decode_cacerts function #100
Comments
Hi Tomasz, I can confirm your observation. Setting the flag BIO_FLAGS_BASE64_NO_NL only helps in your situation, but not for other EST servers that are using Base64 code with NL. There are functions that could solve the problem like est_client_get_pkcs7_from_buf(..) in est_client.c or est_base64_decode(...) in est.c. I don't know why verify_cacert_resp(..) doesn't use it. BTW, did you succeed in getting a certificate from OpenXPKI? Regards, Guido
Hi Guido, I succeeded in getting CA chain and end-certificate from OpenXPKI. 1st modification: as I wrote before, because of base64 decoding error
2nd modification: after removing CRL from certificate, output length was 0
Now I get:
Best regards,
Hi, I have tested it with OpenXPKI server where there are 2 certificates returned on est_client_get_cacerts request. The 2nd difference is that Can the library support both of these cases?
Hi Tomasz, You are right. It seems to me that nobody cares about this project anymore. It's just a demo, and you have to fix the code to allow reading base64 data w/ and w/out newlines. It's more or less a strange OpenSSL feature that you have to set the flag BIO_FLAGS_BASE64_NO_NL for reading base64 data without newlines. -Guido
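An added example (not libest or OpenSSL code, and not part of any comment in this thread) of reading base64 data with and without newlines: the decoder skips whitespace, so a wrapped and a single-line cacerts body give the same bytes, and a second check confirms the result is one SEQUENCE TLV before it would be handed to a PKCS7 parser. The function names and the sample input are hypothetical, and a hand-written decoder stands in for OpenSSL's BIO base64 filter.

```c
#include <stddef.h>
#include <string.h>
/* Constructed sample: DER SEQUENCE { INTEGER 5 } in base64, unwrapped and wrapped. */
static const char ONE_LINE[] = "MAMCAQU=";
static const char WRAPPED[] = "MAMC\r\nAQU=\r\n";
static int b64_val(unsigned char c) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Decode base64, skipping CR/LF/space/tab so wrapped and single-line bodies give the
 * same bytes. Returns bytes written, or -1 on bad input, bad padding or small out. */
long b64_decode_any_nl(const char *in, size_t in_len, unsigned char *out, size_t cap) {
    unsigned int acc = 0;
    int bits = 0, pad = 0, v;
    size_t n = 0, i;
    for (i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '\r' || c == '\n' || c == ' ' || c == '\t') continue;
        if (c == '=') { if (++pad > 2) return -1; continue; }
        if (pad || (v = b64_val(c)) < 0) return -1; /* data after '=' or bad char */
        acc = (acc << 6) | (unsigned int)v;
        if ((bits += 6) >= 8) {
            bits -= 8;
            if (n >= cap) return -1;
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1; /* keep only the not-yet-emitted low bits */
        }
    }
    return (pad != bits / 2 || acc != 0) ? -1 : (long)n; /* 0/2/4 spare bits need 0/1/2 '=' */
}

/* 1 if buf is exactly one SEQUENCE TLV (tag 0x30, length field matching the buffer). */
int is_single_der_sequence(const unsigned char *buf, size_t len) {
    size_t hdr = 2, clen, k;
    if (len < 2 || buf[0] != 0x30) return 0;
    if ((clen = buf[1]) & 0x80) { /* long form: low 7 bits count the length bytes */
        if ((k = clen & 0x7f) == 0 || k > 4 || len < 2 + k) return 0;
        for (clen = 0, hdr = 2 + k; k > 0; k--) clen = (clen << 8) | buf[hdr - k];
    }
    return len - hdr == clen;
}

int main(void) { /* exit status 0 when both sample forms decode to the same bytes */
    unsigned char a[8], b[8];
    long na = b64_decode_any_nl(ONE_LINE, sizeof ONE_LINE - 1, a, sizeof a);
    long nb = b64_decode_any_nl(WRAPPED, sizeof WRAPPED - 1, b, sizeof b);
    return !(na == 5 && nb == 5 && !memcmp(a, b, 5) && is_single_der_sequence(a, 5));
}
```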
Same issue here.
Add subject DN configuration options to certd and refactor create_cert
Hi,
When I try to get the CA chain from OpenXPKI with the est_client_get_cacerts function, I get an error:
***EST [INFO][est_io_get_response_internal:1589]--> Read 4075 bytes of HTTP data
***EST [INFO][parse_http_headers:893]--> Found HTTP header -> Date:Mon, 29 Mar 2021 11:49:27 GMT
***EST [INFO][parse_http_headers:893]--> Found HTTP header -> Server:Apache/2.4.38 (Debian)
***EST [INFO][parse_http_headers:893]--> Found HTTP header -> Content-Transfer-Encoding:base64
***EST [INFO][parse_http_headers:893]--> Found HTTP header -> Content-Length:3748
***EST [INFO][parse_http_headers:893]--> Found HTTP header -> Strict-Transport-Security:max-age=31536000
***EST [INFO][parse_http_headers:893]--> Found HTTP header -> X-Frame-Options:deny
***EST [INFO][parse_http_headers:893]--> Found HTTP header -> X-XSS-Protection:1; mode=block;
***EST [INFO][parse_http_headers:893]--> Found HTTP header -> Connection:close
***EST [INFO][parse_http_headers:893]--> Found HTTP header -> Content-Type:application/pkcs7-mime; smime-type=certs-only
***EST [INFO][parse_http_headers:903]--> Found 9 HTTP headers
***EST [INFO][est_io_get_response_internal:1610]--> HTTP status 200 received
***EST [INFO][est_io_get_response_internal:1767]--> HTTP Content len=3748
***EST [ERROR][create_PKCS7:472]--> Unable to read in PKCS7 based certificate buffer
***EST [WARNING][ossl_dump_ssl_errors:322]--> OSSL error: 3046806624:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:crypto/asn1/asn1_lib.c:101:
***EST [ERROR][verify_cacert_resp:587]--> Failed to build PKCS7 structure from received buffer
***EST [ERROR][est_client_send_cacerts_request:3121]--> Returned CACerts chain was invalid
But when I add
everything works correctly.
I have tested it on buildroot and Zynq CPU.
libest_client-3.2.0p.so
Best regards,
Tomasz Przybysz