[openssl-users] Error condition at a customer site

Thomas Herchek therchek at fiberlink.com
Sun Jul 12 20:01:31 UTC 2015


Hi,

Sometimes, during the processing of an HTTP cert response from the Symantec PKI Manager SCEP server, our application encounters an error condition while validating the cert's attributes.  The error that we see is "Transaction not permitted or supported".

It appears that this error is detected either in the ASN1_TYPE_get() function or the OBJ_nid2obj() function.
Can you tell me what conditions might cause this type of failure when unwrapping and validating a cert response?

Here is a snippet of our code that detects this condition:

/* Get signed attributes */
attribs = PKCS7_get_signed_attributes(si);
if (attribs == NULL)
{
    ReportAPIError("[PKCS7_UnWrap] No attributes found in PKCS#7 data", szErr);
    goto cleanup;
}

...

/* Get pkiStatus */
if ((i = get_signed_attribute(attribs, nid_pkiStatus, V_ASN1_PRINTABLESTRING, &p)) == 1)
{
    ReportAPIError("[PKCS7_UnWrap] Failed to get the signer pkiStatus attributes", szErr);
    goto cleanup;
}

/* Get failInfo */
if (atoi(p) != SCEP_PKISTATUS_SUCCESS)
{
    if (atoi(p) == SCEP_PKISTATUS_FAILURE)
    {
        if ((i = get_signed_attribute(attribs, nid_failInfo, V_ASN1_PRINTABLESTRING, &p)) == 1)
        {
            ReportError("[PKCS7_UnWrap] Cannot find failInfo", szErr);
            goto cleanup;
        }
        switch (atoi(p))
        {
        case SCEP_FAILINFO_BADALG:
            ReportError("[PKCS7_UnWrap] Unrecognized or unsupported algorithm ident", szErr);
            break;
        case SCEP_FAILINFO_BADMSGCHK:
            ReportError("[PKCS7_UnWrap] Integrity check failed", szErr);
            break;
        case SCEP_FAILINFO_BADREQ:
            ReportError("[PKCS7_UnWrap] Transaction not permitted or supported", szErr);
            break;
        case SCEP_FAILINFO_BADTIME:
            ReportError("[PKCS7_UnWrap] Message time field was not sufficiently close to the system time", szErr);
            break;
        case SCEP_FAILINFO_BADCERTID:
            ReportError("[PKCS7_UnWrap] No certificate could be identified matching", szErr);
            break;
        default:
            ReportError("[PKCS7_UnWrap] Wrong failInfo in reply", szErr);
        }
    }
    else
    {
        ReportAPIError("[PKCS7_UnWrap] PKI Status: Not success", szErr);
    }
    goto cleanup;
}
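As an added illustration, not part of the original post or of the poster's code, here is a stand-alone C version of the pkiStatus/failInfo decoding step. It keeps the same failInfo messages but parses the extracted PrintableString values strictly instead of with atoi(), so that a missing or non-numeric pkiStatus is reported as malformed rather than read as 0 (SCEP_PKISTATUS_SUCCESS). The numeric codes are the ones assigned by the SCEP specification (RFC 8894); the function names, the scep_result enum and the SCEP_MALFORMED outcome are assumptions of this example, and it operates on the already-extracted attribute strings so it needs no OpenSSL.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* pkiStatus and failInfo codes as assigned by the SCEP specification (RFC 8894) */
#define SCEP_PKISTATUS_SUCCESS 0
#define SCEP_PKISTATUS_FAILURE 2
#define SCEP_PKISTATUS_PENDING 3
#define SCEP_FAILINFO_BADALG     0
#define SCEP_FAILINFO_BADMSGCHK  1
#define SCEP_FAILINFO_BADREQ     2
#define SCEP_FAILINFO_BADTIME    3
#define SCEP_FAILINFO_BADCERTID  4
typedef enum { SCEP_OK = 0, SCEP_PENDING, SCEP_FAILED, SCEP_MALFORMED } scep_result; /* assumed names */
/* Strict decimal parse of a PrintableString value: every byte must be a digit. atoi()
 * maps "" or "abc" to 0 == SCEP_PKISTATUS_SUCCESS, so garbage would pass as success. */
static int parse_code(const char *s, long *out)
{
    char *end;
    if (s == NULL || *s == '\0') return 0;
    errno = 0;
    *out = strtol(s, &end, 10);
    return errno == 0 && *end == '\0' && *out >= 0 && *out <= 255;
}
/* Same failInfo texts as the snippet above, keyed by the numeric code. */
static const char *failinfo_text(long code)
{
    switch (code) {
    case SCEP_FAILINFO_BADALG:    return "Unrecognized or unsupported algorithm ident";
    case SCEP_FAILINFO_BADMSGCHK: return "Integrity check failed";
    case SCEP_FAILINFO_BADREQ:    return "Transaction not permitted or supported";
    case SCEP_FAILINFO_BADTIME:   return "Message time field was not sufficiently close to the system time";
    case SCEP_FAILINFO_BADCERTID: return "No certificate could be identified matching";
    default:                      return "Wrong failInfo in reply";
    }
}
/* fail_info is NULL when that signed attribute is absent; *reason receives the log text. */
scep_result scep_decode_status(const char *pki_status, const char *fail_info, const char **reason)
{
    long st, fi;
    if (!parse_code(pki_status, &st)) { *reason = "Malformed pkiStatus"; return SCEP_MALFORMED; }
    if (st == SCEP_PKISTATUS_SUCCESS) { *reason = "Success"; return SCEP_OK; }
    if (st == SCEP_PKISTATUS_PENDING) { *reason = "Pending"; return SCEP_PENDING; }
    if (st != SCEP_PKISTATUS_FAILURE) { *reason = "PKI Status: Not success"; return SCEP_FAILED; }
    if (!parse_code(fail_info, &fi)) { *reason = "Cannot find failInfo"; return SCEP_FAILED; }
    *reason = failinfo_text(fi);
    return SCEP_FAILED;
}
/* Convenience wrappers: result code only, or explanation text only. */
scep_result scep_status_code(const char *p, const char *f) { const char *r; return scep_decode_status(p, f, &r); }
const char *scep_status_reason(const char *p, const char *f) { const char *r; scep_decode_status(p, f, &r); return r; }
```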


