[rs-commit] r537 - in /mod_scep/trunk: ChangeLog mod_scep.c
rs-commit at redwax.eu
rs-commit at redwax.eu
Fri Mar 6 13:54:57 CET 2026
Author: minfrin at redwax.eu
Date: Fri Mar 6 13:54:57 2026
New Revision: 537
Log:
Accept signed renewals submitted via PkcsReq in addition to
RenewalReq.
Modified:
mod_scep/trunk/ChangeLog
mod_scep/trunk/mod_scep.c
Modified: mod_scep/trunk/ChangeLog
==============================================================================
--- mod_scep/trunk/ChangeLog (original)
+++ mod_scep/trunk/ChangeLog Fri Mar 6 13:54:57 2026
@@ -1,5 +1,8 @@
Changes with v1.0.0
+
+ *) Accept signed renewals submitted via PkcsReq in addition to
+ RenewalReq. [Graham Leggett]
*) Update messageTypes to be consistent with RFC8894, add RenewalReq
support. [Graham Leggett]
Modified: mod_scep/trunk/mod_scep.c
==============================================================================
--- mod_scep/trunk/mod_scep.c (original)
+++ mod_scep/trunk/mod_scep.c Fri Mar 6 13:54:57 2026
@@ -1916,7 +1916,7 @@
/**
* MessageType: PKCSReq
*/
-static int scep_messagetype_pkcsreq(request_rec *r, X509_REQ *req, scep_t *scep)
+static int scep_messagetype_pkcsreq(request_rec *r, X509_REQ *req, X509 *xpop, scep_t *scep)
{
char buf[HUGE_STRING_LEN];
X509_REQ *creq = NULL;
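Review bot: The new `X509 *xpop` parameter is undocumented: the header comment at the top of the hunk still reads only `MessageType: PKCSReq`, and a reader of the signature cannot tell that the argument may be NULL or what it is. Suggest extending the comment with `@param xpop certificate that signed the request, or NULL; when present and not self-signed, its subject must match the CSR subject (see the proof-of-possession block)`, which matches the checks added further down in this commit. scep_messagetype_pkcsreq's body continues past the hunk.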
@@ -1933,7 +1933,7 @@
/* print the request, if necessary */
if (APLOGrdebug(r))
- log_request(r, req, "Certificate Request");
+ log_request(r, req, "Certificate Initial Request");
/**
* Create a CSR for signing.
@@ -2017,8 +2017,37 @@
/* handle the proof of possession */
if (req) {
- apr_hash_set(params, "popCertificateSignRequest", APR_HASH_KEY_STRING,
+ apr_hash_set(params, CA_POP_CSR, APR_HASH_KEY_STRING,
make_X509_REQ(r->pool, req));
+ }
+ if (xpop) {
+
+ X509_NAME *popsubject = X509_get_subject_name(xpop);
+
+ /* some clients send renewal requests as initial requests, but
+ * signed with the previous certificate, add the signing cert
+ * here just in case
+ */
+
+ if (!popsubject) {
+ log_message(r, APR_SUCCESS,
+ "renewal signature must have a subject");
+
+ return HTTP_BAD_REQUEST;
+ }
+ else if (X509_self_signed(xpop, 0)) {
+ /* ignore the signature if self signed */
+ }
+ else if (X509_NAME_cmp(popsubject, subject)) {
+ log_message(r, APR_SUCCESS,
+ "renewal signature did not match subject");
+
+ return HTTP_BAD_REQUEST;
+ }
+ else {
+ apr_hash_set(params, CA_POP_CERT, APR_HASH_KEY_STRING,
+ make_X509(r->pool, xpop));
+ }
}
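Review bot: In the `xpop` block, a signer that is not self-signed but whose subject differs from `subject` now returns HTTP_BAD_REQUEST, which is stricter than the "add the signing cert here just in case" comment suggests: an initial request signed with an existing certificate issued to a different name previously went through the ordinary PKCSReq path and is now rejected outright. If best-effort is the intent, the mismatch branch should do what the self-signed branch does and simply not set CA_POP_CERT; if enforcement is the intent, the comment should say so. Separately, `X509_self_signed(xpop, 0)` compares issuer against subject without verifying the signature and returns -1 on error, which this `else if` treats as self-signed, and nothing in the hunk checks that xpop chains to the CA — `subject` and any chain validation live outside the hunk, presumably in the CSR handling and wherever CA_POP_CERT is consumed, so a comment such as `/* trust in xpop is established where CA_POP_CERT is consumed; only the subject binding is checked here */` would make that explicit. The same X509_self_signed call and -1 handling appear in the RenewalReq hunk below, where an error return produces the misleading "cannot be self signed" message. scep_messagetype_pkcsreq starts and ends outside this hunk.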
/* handle the transaction ID */
@@ -2177,7 +2206,7 @@
/* print the request, if necessary */
if (APLOGrdebug(r))
- log_request(r, req, "Certificate Request");
+ log_request(r, req, "Certificate Renewal Request");
/**
* Create a CSR for signing.
@@ -2254,9 +2283,32 @@
}
/* handle the proof of possession */
- if (req) {
- apr_hash_set(params, "popCertificate", APR_HASH_KEY_STRING,
- make_X509(r->pool, xpop));
+ if (xpop) {
+
+ X509_NAME *popsubject = X509_get_subject_name(xpop);
+
+ if (!popsubject) {
+ log_message(r, APR_SUCCESS,
+ "renewal signature must have a subject");
+
+ return HTTP_BAD_REQUEST;
+ }
+ else if (X509_self_signed(xpop, 0)) {
+ log_message(r, APR_SUCCESS,
+ "renewal signature cannot be self signed");
+
+ return HTTP_BAD_REQUEST;
+ }
+ else if (X509_NAME_cmp(popsubject, subject)) {
+ log_message(r, APR_SUCCESS,
+ "renewal signature did not match subject");
+
+ return HTTP_BAD_REQUEST;
+ }
+ else {
+ apr_hash_set(params, CA_POP_CERT, APR_HASH_KEY_STRING,
+ make_X509(r->pool, xpop));
+ }
}
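Review bot: `if (xpop)` with no `else` lets a RenewalReq whose signer certificate is absent continue past the proof-of-possession block without setting CA_POP_CERT, whereas every other defective-signer case in the block returns HTTP_BAD_REQUEST. Unless the downstream consumer of CA_POP_CERT is known to reject its absence (not visible here), a renewal needs an existing certificate and the block should end with `else { log_message(r, APR_SUCCESS, "renewal request must be signed by an existing certificate"); return HTTP_BAD_REQUEST; }`. The `X509_self_signed` error return on this path is reported as "cannot be self signed", as raised on the PKCSReq hunk above. The enclosing function, presumably the RenewalReq handler, starts and ends outside this hunk.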
/* handle the transaction ID */
@@ -2886,7 +2938,7 @@
apr_pool_cleanup_register(r->pool, req, scep_X509_REQ_cleanup,
apr_pool_cleanup_null);
}
- return scep_messagetype_pkcsreq(r, req, scep);
+ return scep_messagetype_pkcsreq(r, req, x509, scep);
}
case SCEP_MESSAGETYPE_RENEWALREQ: {
X509_REQ *req = d2i_X509_REQ_bio(outbio, NULL);