[rs-commit] r539 - in /mod_scep/trunk: ChangeLog mod_scep.c
Fri Mar 6 14:09:44 CET 2026
Author: minfrin at redwax.eu
Date: Fri Mar 6 14:09:44 2026
New Revision: 539
Log:
Pass the challengePassword as a proof of possession in PkcsReq
messages.
Modified:
mod_scep/trunk/ChangeLog
mod_scep/trunk/mod_scep.c
Modified: mod_scep/trunk/ChangeLog
==============================================================================
--- mod_scep/trunk/ChangeLog (original)
+++ mod_scep/trunk/ChangeLog Fri Mar 6 14:09:44 2026
@@ -1,5 +1,8 @@
Changes with v1.0.0
+
+ *) Pass the challengePassword as a proof of possession in PkcsReq
+ messages. [Graham Leggett]
*) Accept signed renewals submitted via PkcsReq in addition to
RenewalReq. [Graham Leggett]
Modified: mod_scep/trunk/mod_scep.c
==============================================================================
--- mod_scep/trunk/mod_scep.c (original)
+++ mod_scep/trunk/mod_scep.c Fri Mar 6 14:09:44 2026
@@ -812,6 +812,18 @@
return buf;
}
+static ca_asn1_t *make_X509_ATTRIBUTE(apr_pool_t *pool, X509_ATTRIBUTE *attr)
+{
+ ca_asn1_t *buf = apr_palloc(pool, sizeof(ca_asn1_t));
+ unsigned char *tmp;
+
+ buf->len = i2d_X509_ATTRIBUTE(attr, NULL);
+ buf->val = tmp = apr_palloc(pool, buf->len);
+ i2d_X509_ATTRIBUTE(attr, &tmp);
+
+ return buf;
+}
+
static ca_asn1_t *make_X509_NAME(apr_pool_t *pool, X509_NAME *name)
{
ca_asn1_t *buf = apr_palloc(pool, sizeof(ca_asn1_t));
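Review bot: In the new make_X509_ATTRIBUTE the return value of the sizing call `i2d_X509_ATTRIBUTE(attr, NULL)` is stored into buf->len and passed to apr_palloc without being checked, yet i2d_* returns a negative value when encoding fails; the type of ca_asn1_t.len is not visible here, and if it is unsigned a failure silently becomes a huge allocation, while if it is signed the second i2d call writes into a zero-length buffer. The second `i2d_X509_ATTRIBUTE(attr, &tmp)` call is likewise unchecked. I would capture the length first and bail out, `int len = i2d_X509_ATTRIBUTE(attr, NULL);` / `if (len <= 0) return NULL;` / `buf->len = len;`, and treat a NULL result in the caller. The adjacent make_X509_NAME, whose body lies outside the hunk, presumably has the same shape, so the guard belongs in both.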
@@ -2006,7 +2018,12 @@
/* handle the challenge */
idx = X509_REQ_get_attr_by_NID(req, OBJ_sn2nid("challengePassword"), -1);
if (idx > -1) {
- X509_REQ_add1_attr(creq, X509_REQ_get_attr(req, idx));
+ X509_ATTRIBUTE *popchallenge = X509_REQ_get_attr(req, idx);
+
+ X509_REQ_add1_attr(creq, popchallenge);
+
+ apr_hash_set(params, CA_POP_CHALLENGE, APR_HASH_KEY_STRING,
+ make_X509_ATTRIBUTE(r->pool, popchallenge));
}
/* handle the subject */
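Review bot: The value stored under CA_POP_CHALLENGE is the DER encoding of the whole challengePassword X509_ATTRIBUTE (attribute type OID plus the value set), not the bare password string, and nothing at the apr_hash_set call says so; whoever consumes the key has to decode the attribute rather than compare bytes. I would add `/* CA_POP_CHALLENGE carries the DER of the entire challengePassword attribute, not the bare password; the consumer decodes it */` above the apr_hash_set. The earlier existing add of the same attribute to creq is unchanged history, so the only new copy is the pool-allocated one placed in params, which lives for the request pool's lifetime. The enclosing function begins and ends outside this hunk.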
@@ -2022,7 +2039,7 @@
}
if (xpop) {
- X509_NAME *popsubject = X509_get_subject_name(xpop);
+ X509_NAME *popsubject = X509_get_subject_name(xpop);
/* some clients send renewal requests as initial requests, but
* signed with the previous certificate, add the signing cert
@@ -2036,7 +2053,7 @@
return HTTP_BAD_REQUEST;
}
else if (X509_self_signed(xpop, 0)) {
- /* ignore the signature if self signed */
+ /* ignore the signature if self signed */
}
else if (X509_NAME_cmp(popsubject, subject)) {
log_message(r, APR_SUCCESS,
@@ -2285,7 +2302,7 @@
/* handle the proof of possession */
if (xpop) {
- X509_NAME *popsubject = X509_get_subject_name(xpop);
+ X509_NAME *popsubject = X509_get_subject_name(xpop);
if (!popsubject) {
log_message(r, APR_SUCCESS,