Adewumi, Julius-p99373 wrote:
Has anyone familiarity with the following VFY_CreateContext() failure
or the verifyProof failure
who can shed some light on what is going on, config or software
release version --suspect is certEnroll()?
The proof verification is for proving that the token does have the
private key that goes with the public key in the cert request. Like you
have observed, the userKey profile's encryption cert by default has the
server generate the keys, therefore does not need the proof
verification. The signing cert does generate keys on the token itself,
thus causes the proof verification. And you can see the success proof
verification like the following:
[2009-07-15 15:53:55] a3c21b8 CertEnroll::verifyProof - verify proof begins
[2009-07-15 15:53:55] a3c21b8 CertEnroll::verifyProof - VFY_CreateContext() succeeded
[2009-07-15 15:53:55] a3c21b8 CertEnroll::verifyProof - VFY_End() returned 0
If you try changing the userKey profile's encryption cert to generate
the keys on the token instead, such as:
op.enroll.userKey.keyGen.encryption.serverKeygen.enable=false
You will notice now that you have both signing and encryption cert
requests going through the verifyProof (2 sets of the above messages in
log).
It seems like in the security officer case, the proof somehow is
incorrect, thus failed the verifyProof check on TPS.
Further investigation is needed.
Christina
Here is a section of the log:
-------------------------------------------
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - Successfully read public key buffer
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - public_key = (length='271')
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - challenge size=16
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::process - challenge = (length='16')
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::process - c9 1f 72 35 21 17 90 5a ed ce
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::process - dd a5 c6 9d ad 51
[2009-07-01 16:35:52] b5b5710 AP_Session::WriteMsg - Sent 's=69&msg_type=14&current_state=73&next_task_name=PROGRESS_PARSE_PUBLIC_KEY'
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - About to Parse Public Key
[2009-07-01 16:35:52] b5b5710 CertEnroll::verifyProof - VFY_CreateContext() failed
[2009-07-01 16:35:52] b5b5710 CertEnroll::ParsePublicKeyBlob - verify proof failed
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - Failed to parse public key
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::GenerateCertificate - Got a status error from DoEnrollment: 7
[2009-07-01 16:35:53] b5b5710 AP_Session::WriteMsg - Sent 's=42&msg_type=13&operation=1&result=1&message=7'
----------------------------------------
The config seems to show that Private Key is to be generated on the
Token for SO mode (Security Officer Mode enrollment). It is during
this Private Key generation that this failure occurs each time. Any
input will help. The last line of the log is where Error 7 was spawned.
/From: Julius Adewumi/
/(a)GDC4S.com/
/Ph:480-441-6768/
/Contract Corp:MTSI/
------------------------------------------------------------------------
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
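
Added example, not part of the original thread or of the TPS code: a small triage script that rejoins mail-wrapped TPS debug-log lines and reports, per log tag, how many proof verifications completed and where one failed. It assumes the second field of each line (a3c21b8, b5b5710) identifies the thread or session handling the request, and that "VFY_End() returned 0" marks a completed check as in the success sequence quoted above; the names `unwrap` and `summarize` are hypothetical.

```python
import re

# Lines copied from the two log excerpts in the thread, kept with their
# mail-client wrapping so the unwrapping step has something to do.
SAMPLE_LOG = """\
[2009-07-15 15:53:55] a3c21b8 CertEnroll::verifyProof - verify proof begins
[2009-07-15 15:53:55] a3c21b8 CertEnroll::verifyProof -
VFY_CreateContext() succeeded
[2009-07-15 15:53:55] a3c21b8 CertEnroll::verifyProof - VFY_End()
returned 0
[2009-07-01 16:35:52] b5b5710 CertEnroll::verifyProof -
VFY_CreateContext() failed
[2009-07-01 16:35:52] b5b5710 CertEnroll::ParsePublicKeyBlob - verify
proof failed
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::GenerateCertificate
- Got a status error from DoEnrollment: 7
"""

HEADER = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] ([0-9a-f]+) (.*)$")

def unwrap(text):
    """Rejoin wrapped lines; return (timestamp, tag, source, message) tuples."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), m.group(2), m.group(3).strip()])
        elif records and line.strip():
            # No timestamp header: continuation of the previous entry.
            records[-1][2] += " " + line.strip()
    return [(ts, tag) + tuple(rest.partition(" - ")[::2]) for ts, tag, rest in records]

def summarize(text):
    """Per tag: completed proof checks, first verifyProof failure, status code."""
    result = {}
    for _ts, tag, source, msg in unwrap(text):
        s = result.setdefault(tag, {"proofs_ok": 0, "failed_at": None, "status": None})
        if source == "CertEnroll::verifyProof":
            if msg == "VFY_End() returned 0":  # assumed success marker (see lead-in)
                s["proofs_ok"] += 1
            elif msg.endswith("failed") and s["failed_at"] is None:
                s["failed_at"] = msg
        m = re.search(r"status error from DoEnrollment: (\d+)", msg)
        if m:
            s["status"] = int(m.group(1))
    return result

if __name__ == "__main__":
    for tag, info in summarize(SAMPLE_LOG).items():
        print(tag, info)
```

With serverKeygen disabled for the encryption cert as described in the reply, a healthy enrollment should show `proofs_ok` of 2 for its tag.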