[rs-commit] r287 - in /mod_scep/trunk: ChangeLog mod_scep.c
rs-commit at redwax.eu
rs-commit at redwax.eu
Sun Feb 16 01:51:33 CET 2020
Author: minfrin at redwax.eu
Date: Sun Feb 16 01:51:33 2020
New Revision: 287
Log:
Encrypt responses with AES instead of DES3.
Modified:
mod_scep/trunk/ChangeLog
mod_scep/trunk/mod_scep.c
Modified: mod_scep/trunk/ChangeLog
==============================================================================
--- mod_scep/trunk/ChangeLog (original)
+++ mod_scep/trunk/ChangeLog Sun Feb 16 01:51:33 2020
@@ -1,5 +1,7 @@
Changes with v0.2.4
+
+ *) Encrypt responses with AES instead of DES3. [Graham Leggett]
*) Add a temporary signature to the certificate sign request that is
passed for signing. [Graham Leggett]
Modified: mod_scep/trunk/mod_scep.c
==============================================================================
--- mod_scep/trunk/mod_scep.c (original)
+++ mod_scep/trunk/mod_scep.c Sun Feb 16 01:51:33 2020
@@ -1499,66 +1499,40 @@
}
/**
- * Appendix C. CA Capabilities
- *
- * C.1. GetCACaps HTTP Message Format
- *
- * "GET" CGI-PATH CGI-PROG "?operation=GetCACaps" "&message=" CA-IDENT
- *
- * This message requests capabilities from CA. The response is a list
- * of text capabilities, as defined in Appendix C.2. CA servers SHOULD
- * support the GetCACaps message and MUST support it when they support
- * certificate renewal using the method described in Appendix D.
- *
- * C.2. CA Capabilities Response Format
- *
- * The response for a GetCACaps message is a list of CA capabilities, in
- * plain text, separated by <LF> characters, as follows (quotation marks
- * are NOT sent):
- *
- * +--------------------+----------------------------------------------+
- * | Keyword | Description |
- * +--------------------+----------------------------------------------+
- * | "GetNextCACert" | CA Supports the GetNextCACert message. |
- * | "POSTPKIOperation" | PKIOPeration messages may be sent via HTTP |
- * | | POST. |
- * | "Renewal" | Clients may use current certificate and key |
- * | | to authenticate an enrollment request for a |
- * | | new certificate. |
- * | "SHA-512" | CA Supports the SHA-512 hashing algorithm. |
- * | "SHA-256" | CA Supports the SHA-256 hashing algorithm. |
- * | "SHA-1" | CA Supports the SHA-1 hashing algorithm. |
- * | "DES3" | CA Supports the Triple-DES encryption |
- * | | algorithm. |
- * +--------------------+----------------------------------------------+
- *
- * The client SHOULD use SHA-1, SHA-256, or SHA-512 in preference to MD5
- * hashing if it is supported by the CA.
- *
- * The server MUST use the texual case specified here, but clients
- * SHOULD ignore the textual case when processing this message. A
- * client MUST be able to accept and ignore any unknown keywords that
- * might be sent back by a CA.
- *
- * If the CA supports none of the above capabilities the SCEP server
- * SHOULD return an empty message. A server MAY simply return an HTTP
- * Error. A client that receives an empty message or an HTTP error
- * SHOULD interpret the response as if none of the requested
- * capabilities are supported by the CA.
- *
- * The Content-type of the reply SHOULD be "text/plain". Clients SHOULD
- * ignore the Content-type, as older server implementations of SCEP may
- * send various Content-types.
- *
- * Example:
- * GET /cgi-bin/pkiclient.exe?operation=GetCACaps&message=myca
- *
- * might return:
- * GetNextCACert<LF>POSTPKIOperation
- *
- * This means that the CA supports the GetNextCACert message and allows
- * PKIOperation messages (PKCSreq, GetCert, GetCertInitial, ...) to be
- * sent using HTTP POST.
+ * 3.5.2. CA Capabilities Response Format
+ *
+ *
+ * +--------------------+----------------------------------------------+
+ * | Keyword | Description |
+ * +--------------------+----------------------------------------------+
+ * | "AES" | CA supports the AES128-CBC encryption |
+ * | | algorithm. |
+ * | | |
+ * | "DES3" | CA supports the triple DES-CBC encryption |
+ * | | algorithm. |
+ * | | |
+ * | "GetNextCACert" | CA supports the GetNextCACert |
+ * | | message. |
+ * | | |
+ * | "POSTPKIOperation" | CA supports PKIOPeration messages sent |
+ * | | via HTTP POST. |
+ * | | |
+ * | "Renewal" | CA supports the Renewal CA operation. |
+ * | | |
+ * | "SHA-1" | CA supports the SHA-1 hashing algorithm. |
+ * | | |
+ * | "SHA-256" | CA supports the SHA-256 hashing algorithm. |
+ * | | |
+ * | "SHA-512" | CA supports the SHA-512 hashing algorithm. |
+ * | | |
+ * | "SCEPStandard" | CA supports all mandatory-to-implement |
+ * | | sections of the SCEP standard. This keyword |
+ * | | implies "AES", |
+ * | | "POSTPKIOperation", and "SHA-256", as well |
+ * | | as the provisions of |
+ * | | Section 2.9. |
+ * +--------------------+----------------------------------------------+
+ *
*
*/
static int get_ca_caps(request_rec *r, scep_config_rec *conf,
@@ -1567,15 +1541,18 @@
ap_set_content_type(r, "text/plain");
- ap_rputs(apr_psprintf(r->pool, "%s"
- "POSTPKIOperation\n"
+ ap_rputs(apr_psprintf(r->pool,
+ "AES\n"
+ "%s"
+ "POSTPKIOperation\n"
#if 0
"Renewal\n"
#endif
+ "SHA-1\n"
+ "SHA-256\n"
"SHA-512\n"
- "SHA-256\n"
- "SHA-1\n"
- "DES3\n", conf->next_signer ? "GetNextCACert\n" : ""), r);
+ "SCEPStandard\n",
+ conf->next_signer ? "GetNextCACert\n" : ""), r);
return OK;
}
@@ -1742,8 +1719,7 @@
return HTTP_INTERNAL_SERVER_ERROR;
}
-// EVP_des_cbc?
- p7e = PKCS7_encrypt(certs, inbio, EVP_des_ede3_cbc(), PKCS7_BINARY);
+ p7e = PKCS7_encrypt(certs, inbio, EVP_aes_128_cbc(), PKCS7_BINARY);
if (!p7e) {
log_message(r, APR_SUCCESS, "could not encrypt PKCS7 payload");
More information about the rs-commit
mailing list