Are PKCS#10 requests over CMP supported?

[ralienpp]

I would like to find out if p10cr message types are supported with PKIMessage structures used by CMP.

I put together a prototype as follows:

• EJBCA started as docker run -it --rm -p 80:8080 -p 443:8443 -h testca -e TLS_SETUP_ENABLED="simple" primekey/ejbca-ce
• A CMP alias called test is created via the web-UI
• I send a CMP request using OpenSSL: openssl cmp -cmd p10cr -server 127.0.0.1 -path /ejbca/publicweb/cmp/test -unprotected_requests -ref 11111 -csr csr.txt

EJBCA rejects the request

2022-11-22 13:05:45,993+0000 INFO  [org.ejbca.ui.web.protocol.CmpServlet] (default task-4) CMP message received from: 172.17.0.1, for CMP alias: test 
2022-11-22 13:05:46,003+0000 INFO  [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] (default task-4) Dispatching message of type 4 with transaction ID: #6d92d3417d81e21ecabf03014e98de25 
2022-11-22 13:05:46,003+0000 INFO  [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] (default task-4) Received an unknown message type, tagno=4 
2022-11-22 13:05:46,004+0000 ERROR [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] (default task-4) Can not handle message type '4'. 
2022-11-22 13:05:46,007+0000 INFO  [org.ejbca.ui.web.protocol.CmpServlet] (default task-4) Sent a CMP response to: 172.17.0.1, process time 13. 

My interpretation of the error message is that PKIBody of type 4 (p10cr) is not recognized by the CA. However, my understanding is that these message types are supported by the underlying BouncyCastle library, and a superficial search through this code repository didn't reveal any checks that would reject such requests.

To get an "independent opinion", I sniffed the traffic with Wireshark, and its CMP dissector could parse it without errors.

So I would like to understand whether this isn't supposed to work in principle, or if I have overlooked something. My objective is to create the simplest possible example of a CMP request-response interaction between a client and a CA.

For reference, this is the contents of csr.txt

-----BEGIN CERTIFICATE REQUEST-----
MIICmTCCAYECAQAwVDELMAkGA1UEBhMCTUQxDjAMBgNVBAgMBU9yaGVpMRswGQYD
VQQLDBJTb2NpYWwgZW5naW5lZXJpbmcxGDAWBgNVBAMMD3NvY2lhbC5vcmhlaS5t
ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK49fjBAzU7E8NuRNsfI
rfHlBdUpofH5SRweb1IztmrwUDSDJ+GrzfykL+Cr2S/QX7ugLEzi4IgYks9ncNrq
rqlJ3IbT6I0YEMJN/a9nWrAv5QIDcUczeAQfArW7apOYf0DQIJPzO9x2GbbNqAQk
P88h9RtiTQ2CrMDvf5IxoHyzy8l3eo1pvdvR8FTCl5bLbPRoRougQaNoa92G/NA9
pNME/jJBAVCRAdX5hwlI8O3tsKpaOgqgeJ+sh18MfOG+4Kq6UnXSfGWjUkvKaVdV
zDhGSqSngQnMEmS/Xp44VAKvb3jrWvoubU/R4U5qVOboPdnFIskyh0r6o65Wgz4S
UaUCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBSjD2Vd46NiFjvy7Dx2Fll/ejr
Kfy40/rd0FsS3++yxe8TCOT/qcEaLZLiXLtYfcRq41M3ZUQ/zDRVhqCK5IGS5FWF
2BEDARqYCtZX5lsqP/VwCjd7bybsbF2bJNRX3Ua7etis7CVDgClxQU+07QFhmF4n
xCn9o9QnVwqshonkDnlqtCAK+wmWd5kwUE+EZwg0mucFyNaxFJUo3S/hre2XKN32
y6NQPa6JcSvWVnZh56QjWkhZrNml1mL20qsXi9/SVg2oGIkLyt3oxF+NABAwRwJi
cfwMWYNwz5fg63sOFJeqDIDh1L6vom+XE3URO3hGZcqvh/V9Q7Lj+9ZwHXEz
-----END CERTIFICATE REQUEST-----

[primetomas]

That is correct, EJBCA does not support p10cr right now. As it happens, it's in the works as part of the effort of the CMP Lightweight Profile.

(An interesting side note is that PKCS#10 will have problems in the future with Post Quantum KEM keys as they can not create signature based POP, while CRMF as used in CMP will be able to support this using indirect POP methods).

[ralienpp]

Thanks for the quick feedback, much appreciated!