Re: [Handle-info] SSL certificate error on Rest API request

Hi,

Robert found the solution.

Actually my server certificate was broken.

A request over HTTPS without client key produced the same error:

$ curl -i -k -v 'https://192.168.178.224:8000/api/handles/20.500.13090/test?index=1'
* Trying 192.168.178.224:8000...
* Connected to 192.168.178.224 (192.168.178.224) port 8000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (OUT), TLS alert, decrypt error (563):
* error:0407E085:rsa routines:RSA_verify_PKCS1_PSS_mgf1:first octet invalid
* Closing connection 0
curl: (35) error:0407E085:rsa routines:RSA_verify_PKCS1_PSS_mgf1:first octet invalid

That was a problem with the serverCertificate.pem which probably did not match the server key.

After deleting server_certificate.pem and restarting the server, the file server_certificate.pem was regenerated.

I recreated the certificate with admpriv.bin as explained in the first message of this thread.

And everything works fine now.

$ curl -i -k -v --cert /usr/local/hdl/cert2022-02-04.pem --key /usr/local/hdl/admprivatekey-2022-02-04.pem -H 'Authorization: Handle clientCert="true"' 'https://192.168.178.224:8000/api/handles/20.500.13090/test?index=1'
* Trying 192.168.178.224:8000...
* Connected to 192.168.178.224 (192.168.178.224) port 8000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=anonymous
* start date: Jan 1 00:00:00 2000 GMT
* expire date: Dec 31 23:59:59 9999 GMT
* issuer: CN=anonymous
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET /api/handles/20.500.13090/test?index=1 HTTP/1.1
> Host: 192.168.178.224:8000
> User-Agent: curl/7.74.0
> Accept: */*
> Authorization: Handle clientCert="true"
>
* TLSv1.2 (IN), TLS handshake, Hello request (0):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Fri, 04 Feb 2022 18:41:50 GMT
Date: Fri, 04 Feb 2022 18:41:50 GMT
< Content-Type: application/json;charset=utf-8
Content-Type: application/json;charset=utf-8
< Vary: Accept-Encoding, User-Agent
Vary: Accept-Encoding, User-Agent
< Content-Length: 195
Content-Length: 195

<
* Connection #0 to host 192.168.178.224 left intact
{"responseCode":1,"handle":"20.500.13090/test","values":[{"index":1,"type":"URL","data":{"format":"string","value":"https://www.openedition.org"},"ttl":86400,"timestamp":"2022-02-04T18:35:03Z"}]}

Thanks Robert!

Jean-François

Le ven. 4 févr. 2022 à 16:41, Robert Tupelo-Schneck <schneck@cnri.reston.va.us> a écrit :

My apologies! I was actually the one confused about the key. You are not creating a server certificate, but a client certificate, so indeed you do want to use the key for the client, which is admpriv.bin.

I'll take the rest of the debugging off of the handle-info mailing list and we can report back once we have a solution.

Robert

On Fri, Feb 4, 2022 at 2:00 AM Jean-François Rivière <jean-francois.riviere@openedition.org> wrote:
Thanks for your answer!
I just tried with the correct key but I still have the same error.
There's maybe something obvious. I'm not comfortable with SSL and certificates...

$ sudo ../handle-9.3.0/bin/hdl-convert-key privkey.bin -o privkey-2022-02-04.pem
$ sudo openssl req -new -x509 -key /usr/local/hdl/privkey-2022-02-04.pem -subj '/UID=300:0.NA\/20.500.13090' -days 365 -out /usr/local/hdl/cert2022-02-04.pem
$ curl -i -k -v --cert /usr/local/hdl/cert2022-02-04.pem --key /usr/local/hdl/privkey-2022-02-04.pem -H 'Authorization: Handle clientCert="true"' 'https://192.168.178.224:8000/api/handles/20.500.13090/test?index=1'
* Trying 192.168.178.224:8000...
* Connected to 192.168.178.224 (192.168.178.224) port 8000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (OUT), TLS alert, decrypt error (563):
* error:0407E085:rsa routines:RSA_verify_PKCS1_PSS_mgf1:first octet invalid
* Closing connection 0
curl: (35) error:0407E085:rsa routines:RSA_verify_PKCS1_PSS_mgf1:first octet invalid

Jean-François

Le ven. 4 févr. 2022 à 07:18, Robert Tupelo-Schneck <schneck@cnri.reston.va.us> a écrit :
You created your certificate with admpriv.bin, but the server actually uses privkey.bin. admpriv.bin is a convenience to use for an administrative identity, whereas privkey.bin is the server's own key.

I suspect if you recreate with privkey.bin it will work for you!

Robert

On Thu, Feb 3, 2022 at 1:15 PM Jean-François Rivière <jean-francois.riviere@openedition.org> wrote:
Hi,

I am trying to use the Rest API on my Handle server.
It works fine without authentication on GET request

$ curl -s 'http://192.168.178.224:8000/api/handles/20.500.13090/test?index=1' | json_pp
{
"handle" : "20.500.13090/test",
"responseCode" : 1,
"values" : [
{
"data" : {
"format" : "string",
"value" : "https://books.openedition.org"
},
"index" : 1,
"timestamp" : "2022-01-16T21:13:51Z",
"ttl" : 86400,
"type" : "URL"
}
]
}

But it fails with an SSL certificate error on https :
curl: (35) error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid

I tried the method described in this message to generate certificate: http://www.handle.net/mail-archive/handle-info/msg00816.html

$ sudo ../handle-9.3.0/bin/hdl-convert-key admpriv.bin -o admprivatekey-2022-02-03.pem
$ sudo openssl req -new -x509 -key /usr/local/hdl/admprivatekey-2022-02-03.pem -subj '/UID=300:0.NA\/20.500.13090' -days 365 -out /usr/local/hdl/cert2022-02-03.pem

Error on GET request:

$ curl -i -k -v --cert /usr/local/hdl/cert2022-02-03.pem --key /usr/local/hdl/admprivatekey-2022-02-03.pem -H 'Authorization: Handle clientCert="true"' 'https://192.168.178.224:8000/api/handles/20.500.13090/test?index=1'
* Trying 192.168.178.224:8000...
* Connected to 192.168.178.224 (192.168.178.224) port 8000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (OUT), TLS alert, decrypt error (563):
* error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid
* Closing connection 0
curl: (35) error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid

Error on DELETE request:

riviere@handle-dev:~$ curl -i -k -v --cert /usr/local/hdl/cert2022-02-03.pem --key /usr/local/hdl/admprivatekey-2022-02-03.pem -H 'Authorization: Handle clientCert="true"'-X DELETE 'https://192.168.178.224:8000/api/handles/20.500.13090/test?index=1'
* Could not resolve host: DELETE
* Closing connection 0
curl: (6) Could not resolve host: DELETE
* Trying 192.168.178.224:8000...
* Connected to 192.168.178.224 (192.168.178.224) port 8000 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (OUT), TLS alert, decrypt error (563):
* error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid
* Closing connection 1
curl: (35) error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid

Does anyone have any idea what I am doing wrong?

Thanks,
Jean-François

--
Jean-François Rivière
OpenEdition, service données
jean-francois.riviere@openedition.org
Tél. +33 4 13 55 03 50
22, rue John Maynard Keynes, BAT C, 13013 Marseille
http://www.openedition.org
_______________________________________________
Handle-Info mailing list
Handle-Info@cnri.reston.va.us
http://www.handle.net/mailman/listinfo/handle-info

--
Jean-François Rivière
OpenEdition, service données
jean-francois.riviere@openedition.org
Tél. +33 4 13 55 03 50
22, rue John Maynard Keynes, BAT C, 13013 Marseille
http://www.openedition.org

Jean-François Rivière
OpenEdition, service données

jean-francois.riviere@openedition.org

Tél. +33 4 13 55 03 50

22, rue John Maynard Keynes, BAT C, 13013 Marseille

http://www.openedition.org