[rs-commit] r550 - in /mod_scep/trunk: ChangeLog mod_scep.c
Sat Mar 14 12:40:18 CET 2026
Author: minfrin at redwax.eu
Date: Sat Mar 14 12:40:17 2026
New Revision: 550
Log:
Add ScepRenewal to control whether renewal is supported for the
given certificate authority.
Modified:
mod_scep/trunk/ChangeLog
mod_scep/trunk/mod_scep.c
Modified: mod_scep/trunk/ChangeLog
==============================================================================
--- mod_scep/trunk/ChangeLog (original)
+++ mod_scep/trunk/ChangeLog Sat Mar 14 12:40:17 2026
@@ -1,5 +1,8 @@
Changes with v1.0.0
+
+ *) Add ScepRenewal to control whether renewal is supported for the
+ given certificate authority. [Graham Leggett]
*) Remove SHA1 from GetCACaps. [Graham Leggett]
Modified: mod_scep/trunk/mod_scep.c
==============================================================================
--- mod_scep/trunk/mod_scep.c (original)
+++ mod_scep/trunk/mod_scep.c Sat Mar 14 12:40:17 2026
@@ -74,6 +74,7 @@
#define DEFAULT_SCEP_SIZE 128*1024
#define DEFAULT_FRESHNESS 2
#define DEFAULT_FRESHNESS_MAX 3600*24
+#define DEFAULT_RENEWAL 0
#define DN_UNLIMITED (-1)
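Review bot: DEFAULT_RENEWAL carries no comment saying what 0 selects, and the meaning is only recoverable from the AP_INIT_FLAG help text much further down the file. A trailing comment would make the restrictive default visible where the other defaults live: `#define DEFAULT_RENEWAL 0 /* ScepRenewal off: renewal requests refused, "Renewal" not advertised in GetCACaps */`.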
@@ -106,8 +107,10 @@
apr_array_header_t *subjectaltname;
int freshness;
int freshness_max;
+ int renewal;
const char *crl_url;
unsigned int crl_url_set :1;
+ unsigned int renewal_set :1;
unsigned int freshness_set :1;
unsigned int subject_set :1;
unsigned int subjectaltname_set :1;
@@ -276,6 +279,7 @@
conf->subjectaltname = apr_array_make(p, 10, sizeof(name_rec));
conf->freshness = DEFAULT_FRESHNESS;
conf->freshness_max = DEFAULT_FRESHNESS_MAX;
+ conf->renewal = DEFAULT_RENEWAL;
return conf;
}
@@ -315,6 +319,10 @@
new->freshness_set = add->freshness_set || base->freshness_set;
new->crl_url = (add->crl_url_set == 0) ? base->crl_url : add->crl_url;
new->crl_url_set = add->crl_url_set || base->crl_url_set;
+ new->renewal =
+ (add->renewal_set == 0) ? base->renewal :
+ add->renewal;
+ new->renewal_set = add->renewal_set || base->renewal_set;
return new;
}
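Review bot: The new renewal merge is spread over three lines while the crl_url merge directly above it, which is the same pattern, is written on one line, so the two read as if they differed. `new->renewal = (add->renewal_set == 0) ? base->renewal : add->renewal;` keeps the hunk consistent with its neighbours. The enclosing merge function starts before the hunk.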
@@ -445,6 +453,16 @@
apr_pool_cleanup_null);
BIO_free(in);
+ return NULL;
+}
+
+static const char *set_renewal(cmd_parms *cmd, void *dconf, int flag)
+{
+ scep_config_rec *conf = dconf;
+
+ conf->renewal = flag;
+ conf->renewal_set = 1;
+
return NULL;
}
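Review bot: set_renewal has no comment naming what the flag gates, and since it is a plain flag setter the directive's effect is not discoverable from the function itself. A one-line header would do: `/* ScepRenewal on|off: when on, renewal PKIOperations are accepted and "Renewal" is advertised in GetCACaps. */`. The first lines of the hunk close the preceding function, whose start is outside the hunk.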
@@ -679,6 +697,9 @@
"ScepRANextCertificate", set_ra_next_certificate, NULL,
RSRC_CONF | ACCESS_CONF,
"Set to the name of the next RA signing certificate."),
+ AP_INIT_FLAG("ScepRenewal",
+ set_renewal, NULL, RSRC_CONF | ACCESS_CONF,
+ "When enabled, renewals signed with the previous certificate will be supported."),
AP_INIT_TAKE1("ScepSize", set_scep_size, NULL,
RSRC_CONF | ACCESS_CONF,
"Set to the maximum size of the SCEP request from the client."),
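Review bot: The ScepRenewal help text does not state the default, and the default is the restrictive one (DEFAULT_RENEWAL is 0), which an administrator upgrading from a build that always advertised Renewal will need to know. Suggest `"When enabled, renewals signed with the previous certificate will be supported. Default off."`. The text also describes only the signed-with-previous-certificate case; if the check in the initial-request handler refuses any request lacking a challenge password when the flag is off, as its placement suggests, the help text should say so.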
@@ -1607,11 +1628,12 @@
"AES\n"
"%s"
"POSTPKIOperation\n"
- "Renewal\n"
+ "%s"
"SHA-256\n"
"SHA-512\n"
"SCEPStandard\n",
- conf->next_signer ? "GetNextCACert\n" : ""), r);
+ conf->next_signer ? "GetNextCACert\n" : "",
+ conf->renewal ? "Renewal\n" : ""), r);
return OK;
}
@@ -1976,6 +1998,9 @@
const unsigned char *buffer;
apr_hash_t *params = apr_hash_make(r->pool);
+ scep_config_rec *conf = ap_get_module_config(r->per_dir_config,
+ &scep_module);
+
/* print the request, if necessary */
if (APLOGrdebug(r))
log_request(r, req, "Certificate Initial Request");
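Review bot: This handler and the renewal handler (hunk at @@ -2264) each look the per-directory config up again with ap_get_module_config, whereas the operation dispatch in the last hunk already holds `conf` and passes it into get_ca_cert and get_ca_caps. If these two handlers are reached from that dispatch, passing `conf` through as a parameter would keep a single lookup and a single convention across the handlers; their signatures are outside the hunk, so this is inferred from the call style. The enclosing function starts before the hunk.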
@@ -2057,6 +2082,12 @@
apr_hash_set(params, CA_POP_CHALLENGE, APR_HASH_KEY_STRING,
make_X509_ATTRIBUTE(r->pool, popchallenge));
+ }
+ else if (!conf->renewal) {
+ log_message(r, APR_SUCCESS,
+ "renewal not allowed for this CA");
+
+ return HTTP_BAD_REQUEST;
}
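Review bot: The renewal refusal is attached as `else if` to a condition that begins before the hunk; from the visible lines it is the branch taken when no challenge password is present (the `if` branch stores CA_POP_CHALLENGE), so enforcement here keys on the absence of a challenge rather than on how the request was signed. That assumption deserves a comment so it is re-checked whenever the surrounding condition changes, e.g. `/* no challengePassword: only acceptable as a renewal, which this CA may not permit */`. The same refusal in the renewal handler (hunk at @@ -2264) is placed before the CSR is built, which is the cheaper ordering; here it runs after the attribute hash has been assembled, which is harmless but could be moved earlier if the condition allows. The enclosing function starts before the hunk.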
/* handle the subject */
@@ -2264,9 +2295,19 @@
const unsigned char *buffer;
apr_hash_t *params = apr_hash_make(r->pool);
+ scep_config_rec *conf = ap_get_module_config(r->per_dir_config,
+ &scep_module);
+
/* print the request, if necessary */
if (APLOGrdebug(r))
log_request(r, req, "Certificate Renewal Request");
+
+ if (!conf->renewal) {
+ log_message(r, APR_SUCCESS,
+ "renewal not allowed for this CA");
+
+ return HTTP_BAD_REQUEST;
+ }
/**
* Create a CSR for signing.
@@ -3214,39 +3255,39 @@
return HTTP_BAD_REQUEST;
}
else if (!strcmp(operation, "GetCACert")) {
- /*
- * 4.2. Get CA Certificate
- *
- * To get the CA certificate(s), the client sends a GetCACert
- * message to the CA. The OPERATION MUST be set to "GetCACert".
- * There is no request data associated with this message.
- */
+ /*
+ * 4.2. Get CA Certificate
+ *
+ * To get the CA certificate(s), the client sends a GetCACert
+ * message to the CA. The OPERATION MUST be set to "GetCACert".
+ * There is no request data associated with this message.
+ */
return get_ca_cert(r, conf, message);
}
else if (!strcmp(operation, "GetNextCACert")) {
- /*
- * 4.7. Get Next Certificate Authority Certificate
- *
- * When a CA certificate is about to expire, clients
- * need to retrieve the CA's next CA certificate
- * (i.e., the rollover certificate). This is done via
- * the GetNextCACert message. The OPERATION MUST be
- * set to "GetNextCACert". There is no request data
- * associated with this message.
- */
+ /*
+ * 4.7. Get Next Certificate Authority Certificate
+ *
+ * When a CA certificate is about to expire, clients
+ * need to retrieve the CA's next CA certificate
+ * (i.e., the rollover certificate). This is done via
+ * the GetNextCACert message. The OPERATION MUST be
+ * set to "GetNextCACert". There is no request data
+ * associated with this message.
+ */
return get_next_ca_cert(r, conf, message);
}
else if (!strcmp(operation, "GetCACaps")) {
- /*
- * 3.5. CA Capabilities
- *
- * In order to provide support for future enhancements
- * to the protocol, CAs MUST implement the GetCACaps
- * message to allow clients to query which functionality
- * is available from the CA.
- */
+ /*
+ * 3.5. CA Capabilities
+ *
+ * In order to provide support for future enhancements
+ * to the protocol, CAs MUST implement the GetCACaps
+ * message to allow clients to query which functionality
+ * is available from the CA.
+ */
return get_ca_caps(r, conf, message);
}
else if (!strcmp(operation, "PKIOperation")) {