the end entity certificate enrollment fails because NDES cannot decrypt it


OV

Jan 13, 2012, 6:31:51 PM
to jscep Support
Our Java EE application is deployed into JBoss AS 6-M2 and it has to
use Microsoft Active Directory Certificate Services for TLS. It
connects to NDES with a valid request, but NDES cannot decrypt it and
issues the error message with event ID #18: “The Network Device
Enrollment Service cannot decrypt the client's PKCS7 message
(0x80090005). Bad Data.” By running with a remote debugger, we were
able to extract the message from the client and decrypt it by using
the Decoder from http://certlogik.com/decoder. The Decoder reported
that the certificate is valid.

We are using jSCEP version 1.1.4 from Maven Central (for some reason
v1.2 is not there), JDK 1.6. For the CA server I am using Windows
Server 2008 R2 Enterprise with SP1, and I installed Active Directory
Certificate Services with NDES and Online Responder. I also installed
the hot fix 2483564 on the server:
http://support.microsoft.com/kb/2483564.

Does anyone know the workaround for this problem?
Thank you,
OV

Ryan Schipper

Jan 16, 2012, 4:07:54 PM
to jscep-...@googlegroups.com
Hi OV,

As you noted in your other email, this is likely issue 53.

The milestone for issue 53 is release 1.3 so you will probably need to
apply the patches on that bug yourself.

Regards,

Ryan Schipper

OV

Jan 17, 2012, 4:53:41 PM
to jscep Support
I built 1.3-SNAPSHOT and tried to use it instead of 1.1.4. I got the
compilation error at the statement
final List<X509Certificate> certs = trans.sendRequest(req);

in this fragment:

public List<X509Certificate> getNextCaCertificate(X509Certificate cert) throws SCEPClientException
{
    log.trace("getNextCaCertificate");

    final GetNextCaCert req = new GetNextCaCert(caIdentifier, new NextCaCertificateContentHandler(cert));
    final Transport trans = Transport.createTransport(Transport.Method.GET, url);

    try
    {
        final List<X509Certificate> certs = trans.sendRequest(req);

        log.trace("GetNextCACert returned: " + certs);

        X509Certificate validOne = validateCACertificate(certs);
        ........

It looks like API changed.
The actual error was:
Incompatible types
Required: java.util.List<java.security.cert.X509Certificate>
Found: java.security.cert.GetStore.
OV

OV

Jan 17, 2012, 6:54:46 PM
to jscep Support
The class CaCertificateContentHandler is the reason for this error.
In 1.1.4 it was declared as

    public class CaCertificateContentHandler implements ScepContentHandler<List<X509Certificate>>

but in 1.3-SNAPSHOT it was changed to

    public class CaCertificateContentHandler implements ScepContentHandler<CertStore>

What should I do? Could the class GetNextCaCert be used instead of
GetCaCert in this case?

David Grant

Jan 18, 2012, 4:43:09 AM
to jscep-...@googlegroups.com
Are you using the same version of the API and Client?

Dave

OV

Jan 18, 2012, 5:05:01 PM
to jscep Support
Dave,
I am using the API. I am building our transport module with this stanza
for jscep in the pom.xml of this module:

<dependency>
    <groupId>com.google.code.jscep</groupId>
    <artifactId>api</artifactId>
    <version>1.3-SNAPSHOT</version>
    <type>jar</type>
    <scope>compile</scope>
</dependency>

In the folder ..m2\repository\com\google\code\jscep\api I have 2 sub-folders,
1.1.4 and 1.3-SNAPSHOT. Both have an api jar file and a pom
file, and 1.1.4 also has other jars available from Maven Central
(6 files in total). The 1.3-SNAPSHOT folder has the following files:
api-1.3-SNAPSHOT.jar
api-1.3-SNAPSHOT.pom
maven-metadata-local.xml

Client is also in my local repository but I don't use it. It is my
understanding that I don't need it because our transport module is the
client. Please correct me if I don't understand something.
OV


OV

Jan 19, 2012, 3:07:25 PM
to jscep Support
I can build our code only with 1.1.4 specified in our pom file. Both
versions 1.2 and 1.3-SNAPSHOT have compilation errors.
It seems to me that the pom file in api-1.2.jar is incorrect. Is it
possible to fix version 1.2 to the point that it could be submitted to
Maven Central? As a possible alternative, I will check out the code at the
jscep-1.2 tag from the repository and try to build it locally.
Any news regarding version 1.3?
OV

David Grant

Jan 19, 2012, 3:28:36 PM
to jscep-...@googlegroups.com
Hi,

I've just fixed a bunch of issues on trunk.  Can you try checking out/updating the trunk then doing a mvn clean install from the parent module?  Can you then try out the SNAPSHOT jars and let me know how you get on?

Dave

David Grant

Jan 19, 2012, 3:31:15 PM
to jscep-...@googlegroups.com
You don't have to use the client, but I'd definitely recommend that you do.  You could probably think of the client module as a client API, and the api module as the common elements shared between client and server modules.

Dave

OV

Jan 19, 2012, 4:02:32 PM
to jscep Support
Dave,
I will do it immediately. By the way, my build with the locally built
version of 1.2 was successful.
However, I haven't tested it with the MS CA yet. But I will try it tonight.
OV


David Grant

Jan 19, 2012, 4:14:27 PM
to jscep-...@googlegroups.com
Hi OV,

It would probably be better for me if you could do it sooner rather than later and let me know your results.

Dave

OV

Jan 19, 2012, 4:28:23 PM
to jscep Support
David,
I checked out the code from the trunk and built 1.3-SNAPSHOT from the
top level. After that I started our build.
Unfortunately it ended with the same error as before:

-------------------------------------------------------------
[ERROR] COMPILATION ERROR :
[INFO] -------------------------------------------------------------
[ERROR] \OVwork\IDEA_X2S\java\hsl\src\bb\transport\src\main\java\com
\hsl\chi\transport\ssl\SCEPClient.java:[160,65] incompatible types
found : java.security.cert.CertStore
required: java.util.List<java.security.cert.X509Certificate>

[INFO] 1error
[INFO] -------------------------------------------------------------
[INFO]
------------------------------------------------------------------------
[ERROR] BUILD FAILURE
[INFO]
------------------------------------------------------------------------
[INFO] Compilation failure
\OVwork\IDEA_X2S\java\hsl\src\bb\transport\src\main\java\com\hsl\chi
\transport\ssl\SCEPClient.java:[160,65] incompatible types
found : java.security.cert.CertStore
required: java.util.List<java.security.cert.X509Certificate>

Thus the 1.3 API is still different from 1.2, which gave a successful
build of our application.

I am starting to test our application with 1.2 against MS CA now.
Best regards,
OV



David Grant

Jan 19, 2012, 4:42:53 PM
to jscep-...@googlegroups.com
Hi OV,

Sorry, the API has definitely changed.  I'd recommend updating your project, since 1.3 contains the fixes for NDES you're after.

Dave

OV

Jan 19, 2012, 4:48:17 PM
to jscep Support
David,
Yes, I will do. But it is a huge code base and I am learning PKI.
So it will take a little time (-:
OV


David Grant

Jan 19, 2012, 4:51:17 PM
to jscep-...@googlegroups.com
Using the client module will really reduce the amount of time it takes you to write a functioning SCEP client, and you'll be able to get better support from this group too!

Dave

Marco Dalco

Jan 17, 2012, 5:02:32 PM
to jscep-...@googlegroups.com
From the little I remember, the "Store" is likely to be a certificate store and have a .getCertificates method or something like that on it? Have you checked? I know this shouldn't happen and should mean the build is broken, though.

Marco
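OV's message above reports that CaCertificateContentHandler now yields a CertStore where 1.1.4 yielded a List<X509Certificate>, and Marco's reply points at a getCertificates method on the store. The following is an added example written for this thread, not code from jscep or from anyone in the thread: it bridges the two return types using only the JDK's java.security.cert API (CertStore.getCertificates(CertSelector) and X509CertSelector). The class name CertStoreAdapter and its method names are hypothetical. It goes a step beyond the plain conversion by splitting the store into CA and end-entity certificates, since a SCEP GetCACert reply from an RA-fronted CA such as NDES carries the CA certificate together with the RA certificate(s), and callers usually need to tell them apart.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/**
 * Hypothetical adapter (not part of jscep) that lets code written against the
 * 1.1.4-style List<X509Certificate> keep working with the CertStore that the
 * 1.3-SNAPSHOT content handler returns.
 */
public final class CertStoreAdapter {

    private CertStoreAdapter() {
    }

    /** Every X.509 certificate in the store, in the order the store yields them. */
    public static List<X509Certificate> toList(CertStore store) throws CertStoreException {
        // An X509CertSelector with no criteria set matches every X.509 certificate.
        return select(store, new X509CertSelector());
    }

    /** Only CA certificates (basicConstraints cA=TRUE), e.g. the issuing CA in a GetCACert reply. */
    public static List<X509Certificate> caCertificates(CertStore store) throws CertStoreException {
        X509CertSelector sel = new X509CertSelector();
        sel.setBasicConstraints(0); // a value >= 0 matches CA certificates with pathLen >= that value
        return select(store, sel);
    }

    /** Only end-entity certificates, e.g. the RA certificate(s) an RA such as NDES returns beside the CA. */
    public static List<X509Certificate> endEntityCertificates(CertStore store) throws CertStoreException {
        X509CertSelector sel = new X509CertSelector();
        sel.setBasicConstraints(-2); // -2 matches end-entity certificates only
        return select(store, sel);
    }

    private static List<X509Certificate> select(CertStore store, X509CertSelector sel) throws CertStoreException {
        List<X509Certificate> out = new ArrayList<X509Certificate>();
        for (Certificate c : store.getCertificates(sel)) {
            out.add((X509Certificate) c); // X509CertSelector only matches X.509, so the cast is safe
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an in-memory "Collection" CertStore. With no argument it is empty,
        // which exercises the empty-result path; pass a PEM or DER file path to load a real chain.
        Collection<Certificate> certs = new ArrayList<Certificate>();
        if (args.length > 0) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            InputStream in = new FileInputStream(args[0]);
            try {
                certs.addAll(cf.generateCertificates(in));
            } finally {
                in.close();
            }
        }
        CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs));

        System.out.println("all certificates:        " + toList(store).size());
        System.out.println("CA certificates:         " + caCertificates(store).size());
        System.out.println("end-entity certificates: " + endEntityCertificates(store).size());
        for (X509Certificate c : toList(store)) {
            System.out.println("  " + c.getSubjectX500Principal()
                    + " (CA=" + (c.getBasicConstraints() >= 0) + ")");
        }
    }
}
```

In a caller like the getNextCaCertificate fragment earlier in the thread, the one-line change is to wrap the store before passing it on, e.g. validateCACertificate(CertStoreAdapter.toList(store)). The code deliberately avoids Java 7+ features so it compiles on the JDK 1.6 mentioned in the first message.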
