List: bouncycastle-crypto-dev
Subject: RE: [dev-crypto] Certificate request via EST protocol with Bouncy Castle
From: "Buschart, Rufus" <rufus.buschart () siemens ! com>
Date: 2022-04-01 9:22:45
Message-ID: AM8PR10MB46583B38783C3823404FF3509EE09 () AM8PR10MB4658 ! EURPRD10 ! PROD ! OUTLOOK ! COM
With some help from StackOverflow we were able to solve this issue:
Based on the input by Peter we were able to fix this problem as follows:
// just for testrfc7030.com
// HTTP user auth (no fixed realm), nonces from SecureRandom, BC as the JCA provider
ESTAuth auth = new JcaHttpAuthBuilder(null, "estuser", "estpwd".toCharArray())
        .setNonceGenerator(new SecureRandom())
        .setProvider("BC")
        .build();
// enroll with identity/POP linking (TLS channel binding) on top of the HTTP auth
EnrollmentResponse resp = eSTService.simpleEnrollPoP(false, cb.csrBuilder, cb.signer, auth);
It turned out that testrfc7030 requires the following authentication schemes:
* Port 443: requires HTTP user auth + identity POP linking
* Port 8443: requires HTTP user auth but no identity POP linking
* Port 9443: requires user auth with client certificate (obtained via Port 8443 or Port 443) but no identity POP linking
identity POP linking = TLS channel binding
Thank you for your support!
/Rufus
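The port-to-scheme list above, turned into one enrollment helper as an added example (this is not code from the thread or from Bouncy Castle's own examples). It assumes an ESTService already built with JsseESTServiceBuilder for the chosen port (with the ChannelBindingProvider for 443 and the client-cert KeyManagers for 9443, as in the quoted message), reuses the estuser/estpwd test credentials from the fix, and takes the CSR builder and signer as parameters like cb.csrBuilder and cb.signer above.

```java
import java.security.SecureRandom;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.est.ESTAuth;
import org.bouncycastle.est.ESTService;
import org.bouncycastle.est.EnrollmentResponse;
import org.bouncycastle.est.jcajce.JcaHttpAuthBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;

public class EstPortEnroll {
    // Test-server credentials quoted in the fix above; not real secrets.
    static final String EST_USER = "estuser";
    static final char[] EST_PASS = "estpwd".toCharArray();

    // HTTP user auth exactly as in the fix: no fixed realm, BC provider, fresh nonces.
    static ESTAuth httpAuth() throws Exception {
        return new JcaHttpAuthBuilder(null, EST_USER, EST_PASS)
                .setNonceGenerator(new SecureRandom())
                .setProvider("BC")
                .build();
    }

    // Picks the call that matches what testrfc7030.com expects on each port (per the thread).
    // 'est' must have been built for that port: ChannelBindingProvider for 443,
    // client-certificate KeyManagers for 9443.
    static EnrollmentResponse enroll(ESTService est, int port,
            PKCS10CertificationRequestBuilder csr, ContentSigner signer) throws Exception {
        switch (port) {
            case 443:  // HTTP user auth + identity/POP linking over "tls-unique"
                return est.simpleEnrollPoP(false, csr, signer, httpAuth());
            case 8443: // HTTP user auth, plain CSR, no channel binding
                return est.simpleEnroll(false, csr.build(signer), httpAuth());
            case 9443: // TLS client-certificate auth only, so no HTTP auth object
                return est.simpleEnroll(false, csr.build(signer), null);
            default:
                throw new IllegalArgumentException("not a testrfc7030.com port: " + port);
        }
    }

    // A deferred (HTTP 202) answer carries no certificate yet; never treat it as success.
    static X509CertificateHolder issuedCert(EnrollmentResponse resp) {
        if (!resp.isCompleted()) {
            throw new IllegalStateException("request deferred; retry at " + resp.getNotBefore());
        }
        return resp.getStore().getMatches(null).iterator().next();
    }
}
```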
> -----Original Message-----
> From: David Hook <dgh@cryptoworkshop.com>
> Sent: Tuesday, 29 March 2022 07:04
> To: Buschart, Rufus (IT IPS SIP ET) <rufus.buschart@siemens.com>; dev-
> crypto@bouncycastle.org
> Cc: Lehr, Andras (ext) (IT IPS SIP ET) <andras.lehr.ext@siemens.com>
> Subject: Re: [dev-crypto] Certificate request via EST protocol with Bouncy
> Castle
>
>
> Try what's in:
>
> test/est/example/ on github at https://github.com/bcgit/bc-java
>
> There's a README.md file with instructions, and the examples were put
> together to talk to testrfc7030.com.
>
> Regards,
>
> David
>
> On 28/3/22 20:15, Buschart, Rufus wrote:
> > Hello all!
> >
> > I am trying to request a new certificate via EST protocol from the EST test
> > service URL https://testrfc7030.com/. The program uses Bouncy Castle for this.
> >
> > I have already configured the EST service's TA and my client
> > certificate obtained from them. I also use the BC JSSE provider to get
> > access to the "tls-unique" channel binding value.
> >
> > eSTService = new JsseESTServiceBuilder(Config.CredAdmin.caHost, trustManagers)
> >     .withKeyManagers(keyManagers)
> >     .withProvider(BouncyCastleJsseProvider.PROVIDER_NAME)
> >     .withChannelBindingProvider(new ChannelBindingProvider() {
> >         // Use an anonymous binding provider that supports linking
> >         // Identity and POP Information (RFC7030, Section 3.5.), that
> >         // relies on Channel Bindings for TLS (RFC5929) using "tls-unique".
> >         public boolean canAccessChannelBinding(Socket sock) {
> >             boolean ret = sock instanceof BCSSLSocket;
> >             if (!ret) {
> >                 // should never happen
> >                 MyUtils.LambdaLogger.error("Can't get channel binding value, check if BouncyCastleJsseProvider could be loaded.");
> >             }
> >             return ret;
> >         }
> >
> >         public byte[] getChannelBinding(Socket sock, String binding) {
> >             BCSSLConnection bcon = ((BCSSLSocket) sock).getConnection();
> >             if (bcon == null) {
> >                 // should never happen
> >                 MyUtils.LambdaLogger.error("Can't get \"%s\" channel binding value, check if BouncyCastleJsseProvider could be loaded.", binding);
> >                 return null;
> >             }
> >             byte[] ret = bcon.getChannelBinding(binding);
> >             // guard the log call: the binding may be unavailable for this connection
> >             MyUtils.LambdaLogger.debug("retrieved %d bytes \"%s\" channel binding value", ret == null ? 0 : ret.length, binding);
> >             return ret;
> >         }
> >     })
> >     .build();
> >
> > and
> >
> > Security.addProvider(new BouncyCastleJsseProvider());
> >
> >
> > When I configure EST service port 9443 – that requires my client cert
> > but no TLS channel binding – I do get a new certificate:
> >
> > https://i.stack.imgur.com/oOJXh.png
> >
> > However, when I configure port 443 – that also needs TLS channel
> > binding – although I get 12 bytes of "tls-unique" from BC JSSE, these
> > won't get accepted by the EST service testrfc7030.com, so it gives me an
> > HTTP 401 – Unauthorized:
> >
> > https://i.stack.imgur.com/a68Gx.png
> >
> > My problem is, I don't know what's wrong:
> > * my code
> > * the BC JSSE implementation of "tls-unique" (RFC 5929)
> > * the EST service's implementation of "tls-unique" (RFC 5929)?
> >
> > Does someone have an implementation that works with the EST service
> > "testrfc7030.com:443" or has at least an idea what's wrong?
> >
> > /Rufus
>