Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-3807

Root CA key is always used when decrypting SCEP requests


    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: EJBCA 6.2.0
    • Fix Version/s: EJBCA 6.2.8
    • Component/s: None
    • Labels:
    • Issue discovered during:


      Hi, I recently tried to use RA mode of SCEP and encountered an decryption error of the request. I guess this is because EJBCA is trying to use the wrong CA key to decrypt the request in SCEP RA Mode while it does right in CA mode. All using release 6.2.0.
      This error proberbly will only appear if you are using a subca to issue certs for SCEP. In my example I have RootCA->SubCA->SCEPClientCert.
      Starting with ScepPkiOpHelper.scepCertRequest if you are using RA Mode "addOrEditUser" otherwise SignSessionBean.createCertificate function is called.
      The SignSessionBean.createCertificate always use the getCADnFromRequest function of the CertificateStoreSessionBean which leads to the correct subca certiticate, by using IssuerDN and serialnumber.
      On the other hand in ScepPkiOpHelper.addOrEditUser respectivly ScepPkiOpHelper.getCAName only uses the IssuerDN which lead to the root certificate instead of the subca certificate.
      This leads to the situation that EJBCA trys to decrypt the SCEP request with the root certificate instead of the subca certificate which leads to a bad padding exception:
      Error in PKCS7:: org.bouncycastle.cms.CMSException: exception unwrapping key: bad padding: doFinal() failed
      at org.bouncycastle.cms.jcajce.JceKeyTransRecipient.extractSecretKey(Unknown Source) [bcpkix-jdk15on-149.jar:1.49.0]
      at org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient.getRecipientOperator(Unknown Source) [bcpkix-jdk15on-149.jar:1.49.0]
      at org.bouncycastle.cms.KeyTransRecipientInformation.getRecipientOperator(Unknown Source) [bcpkix-jdk15on-149.jar:1.49.0]
      at org.bouncycastle.cms.RecipientInformation.getContentStream(Unknown Source) [bcpkix-jdk15on-149.jar:1.49.0]
      at org.bouncycastle.cms.RecipientInformation.getContent(Unknown Source) [bcpkix-jdk15on-149.jar:1.49.0]
      at org.ejbca.core.protocol.scep.ScepRequestMessage.decrypt(ScepRequestMessage.java:388) [ejbca-util.jar:EJBCA 6.2.0 (r19221)]
      at org.ejbca.core.protocol.scep.ScepRequestMessage.getPassword(ScepRequestMessage.java:498) [ejbca-util.jar:EJBCA 6.2.0 (r19221)]
      at org.ejbca.ui.web.protocol.ScepPkiOpHelper.addOrEditUser(ScepPkiOpHelper.java:207) [classes:]
      at org.ejbca.ui.web.protocol.ScepPkiOpHelper.scepCertRequest(ScepPkiOpHelper.java:135) [classes:]
      at org.ejbca.ui.web.protocol.ScepServlet.service(ScepServlet.java:245) [classes:]
      at org.ejbca.ui.web.protocol.ScepServlet.doPost(ScepServlet.java:156) [classes:]




            • Assignee:
              mikek Mike Agrenius Kushner
              mikek Mike Agrenius Kushner
              Verified by:
              Tomas Gustavsson
            • Votes:
              0 Vote for this issue
              2 Start watching this issue


              • Created: