[rs-dev] Generating degenerate CMS for SCEP (after crl2p7 example)
Dirk-Willem van Gulik
dirkx at webweaving.org
Tue Aug 1 21:15:53 CEST 2023
After looking at the crl2p7.c for how to generate a Degenerate CMS for SCEP its getCACErt - below sketch seems to do the trick.
Not yet committed.
Dw
Index: mod_scep.c
===================================================================
--- mod_scep.c (revision 432)
+++ mod_scep.c (working copy)
@@ -725,6 +725,13 @@
return APR_SUCCESS;
}
+static apr_status_t scep_PKCS7s_cleanup(void *data)
+{
+ // XXXX assuming this frees ->cert/->crls too.
+ PKCS7_SIGNED_free((PKCS7_SIGNED *) data);
+ return APR_SUCCESS;
+}
+
static apr_status_t scep_PKCS7_ISSUER_AND_SUBJECT_cleanup(void *data)
{
PKCS7_ISSUER_AND_SUBJECT_free((PKCS7_ISSUER_AND_SUBJECT *) data);
@@ -1095,12 +1102,14 @@
static int get_ca_cert(request_rec *r, scep_config_rec *conf,
const char *message)
{
- char buf[HUGE_STRING_LEN];
+ char buf[HUGE_STRING_LEN];
int rv;
apr_size_t len;
apr_off_t offset;
PKCS7 *p7 = NULL;
+ PKCS7_SIGNED *p7s=NULL;
+
BIO *b;
X509 *cert = NULL;
X509_STORE_CTX *ctx;
@@ -1116,24 +1125,6 @@
char *etag;
apr_time_t validity;
- ap_set_content_type(r, "application/x-x509-ca-ra-cert");
-
- /* create a new signed data PKCS#7 */
- p7 = PKCS7_new();
- if (!p7) {
- log_message(r, APR_SUCCESS,
- "could not create a PKCS7 degenerate response");
-
- return HTTP_INTERNAL_SERVER_ERROR;
- }
- else {
- apr_pool_cleanup_register(r->pool, p7, scep_PKCS7_cleanup,
- apr_pool_cleanup_null);
- }
-
- PKCS7_set_type(p7, NID_pkcs7_signed);
- PKCS7_content_new(p7, NID_pkcs7_data);
-
/* get the CA certificate */
rv = ap_run_ca_getca(r, &der, &len, &validity);
if (rv == DECLINED) {
@@ -1155,19 +1146,6 @@
apr_pool_cleanup_register(r->pool, cert, scep_X509_cleanup,
apr_pool_cleanup_null);
- if (!PKCS7_add_certificate(p7, cert)) {
- log_message(r, APR_SUCCESS,
- "could not add the CA certificate to the degenerate PKCS7 response");
-
- return HTTP_INTERNAL_SERVER_ERROR;
- }
- if (!PKCS7_add_certificate(p7, conf->signer)) {
- log_message(r, APR_SUCCESS,
- "could not add the RA certificate to the degenerate PKCS7 response");
-
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
/* sanity checks */
ctx = X509_STORE_CTX_new();
if (!ctx) {
@@ -1213,12 +1191,60 @@
return HTTP_INTERNAL_SERVER_ERROR;
}
+
+ ap_set_content_type(r, "application/x-x509-ca-ra-cert");
+
+ /* RFC 8894, 3.4: For SCEP, the content field of the ContentInfo value of
+ * a degenerate certificates-only SignedData MUST be omitted.
+ */
+ p7s = PKCS7_SIGNED_new();
+ if ((!p7s) || !(p7s->cert = sk_X509_new_null()) || !(p7s->crl = sk_X509_CRL_new_null())) {
+ log_message(r, APR_SUCCESS,
+ "could not create a PKCS7 signed degenerate response");
+
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ else {
+ apr_pool_cleanup_register(r->pool, p7s, scep_PKCS7s_cleanup,
+ apr_pool_cleanup_null);
+ }
+
+ p7 = PKCS7_new();
+ if (!p7) {
+ log_message(r, APR_SUCCESS,
+ "could not create a PKCS7 degenerate response");
+
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ else {
+ apr_pool_cleanup_register(r->pool, p7, scep_PKCS7_cleanup,
+ apr_pool_cleanup_null);
+ }
+
+ ASN1_INTEGER_set(p7s->version,1);
+ p7s->crl = sk_X509_CRL_new_null();
+ p7s->contents->type=OBJ_nid2obj(NID_pkcs7_data);
+
+ sk_X509_push(p7s->cert, cert);
+ sk_X509_push(p7s->cert, conf->signer);
+
+ PKCS7_set_type(p7, NID_pkcs7_signed);
+ p7->d.sign=p7s;
+
b = BIO_new(BIO_s_mem());
apr_pool_cleanup_register(r->pool, b, scep_BIO_cleanup,
apr_pool_cleanup_null);
+{
+ FILE *fd = fopen("/tmp/abcd","w");
+ BIO *b = BIO_new_fp(fd, BIO_NOCLOSE);
i2d_PKCS7_bio(b, p7);
+ fclose(fd);
+}
+ i2d_PKCS7_bio(b, p7);
+
+
apr_sha1_init(&sha1);
while ((offset = BIO_read(b, buf, sizeof(buf))) > 0) {
apr_sha1_update(&sha1, buf, offset);
Index: README
===================================================================
--- README (revision 432)
+++ README (working copy)
@@ -1,24 +1,38 @@
+# AA basic configuration for SCEP issuing.
+#
+# 0. Set up some directories; The directory cert needs to be server writable.
+#
+# mkdir ca ra cert
+# chown www:www cert
+#
+# 1. Generate a CA with an issuing RA
+#
+# openssl req -new -x509 -subj /CN=ca-test-scep -out ca/ca-cert.pem -keyout ca/ca-key.pem -nodes
+# openssl req -new -subj /CN=ra-test-scep -out ra/ra-cert.csr -keyout ra/ra-key.pem -nodes
+# echo "[ra]" > config.cnf
+# echo "keyUsage=digitalSignature,keyEncipherment >> config.cnf
+# openssl x509 -req -in ra/ra-cert.csr -CAkey ca/ca-key.pem -CA ca/ca-cert.pem -out ra/ra-cert.pem -extfile config.cnf -extensions ra
+#
-A basic configuration.
+LoadModule ca_module lib/apache2/modules/mod_ca.so
+LoadModule scep_module lib/apache2/modules/mod_scep.so
+LoadModule ca_simple_module lib/apache2/modules/mod_ca_simple.so
+LoadModule ca_disk_module lib/apache2/modules/mod_ca_disk.so
-<IfModule mod_scep.c>
<Location /scep>
- SetHandler scep
-# ScepRACertificate /tmp/ra-cert.pem
-# ScepRAKey /tmp/ra-key.pem
- ScepSubjectRequest O
- ScepSubjectRequest countryName
- ScepSubjectRequest stateOrProvinceName
- ScepSubjectRequest commonName
- ScepSubjectCGI OU UNIQUE_ID
- ScepSubjectSet OU "Test Certificate"
- CASimpleCertificate /etc/pki/certs/ca-cert.pem
- CASimpleKey /etc/pki/certs/ca-key.pem
- CASimpleSerialRandom on
- CASimpleTime on
- CADiskCertificateSignRequestPath /etc/pki/ca/
- CADiskCertificateByTransactionPath /etc/pki/ca/
+ SetHandler scep
+ ScepRACertificate /opt/local/etc/pki/ra/ra-cert.pem
+ ScepRAKey /opt/local/etc/pki/ra/ra-key.pem
+ ScepSubjectRequest O
+ ScepSubjectRequest countryName
+ ScepSubjectRequest stateOrProvinceName
+ ScepSubjectRequest commonName
+ ScepSubjectSet OU "Test Certificate"
+ CASimpleCertificate /opt/local/etc/pki/ca/ca-cert.pem
+ CASimpleKey /opt/local/etc/pki/ca/ca-key.pem
+ CASimpleSerialRandom on
+ CASimpleTime on
+ CADiskCertificateSignRequestPath /opt/local//etc/pki/certs/
+ CADiskCertificateByTransactionPath /opt/local//etc/pki/certs/
</Location>
-</IfModule>
dirkx at cheesegrater .zsh_sessions % curl --silent --verbose http://localhost/scep\?operation=GetCACert | openssl asn1parse -inform DER -i
* processing: http://localhost/scep?operation=GetCACert
* Trying [::1]:80...
* Connected to localhost (::1) port 80
> GET /scep?operation=GetCACert HTTP/1.1
> Host: localhost
> User-Agent: curl/8.2.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 01 Aug 2023 19:14:02 GMT
< Server: Apache/2.4.57 (Unix)
< ETag: "j3GWtbZRPnAQwIYCURnlqGW/e6o="
< Cache-Control: max-age=0
< Content-Length: 1619
< Content-Type: application/x-x509-ca-ra-cert
<
0:d=0 hl=4 l=1615 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
15:d=1 hl=4 l=1600 cons: cont [ 0 ]
19:d=2 hl=4 l=1596 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :01
26:d=3 hl=2 l= 0 cons: SET
28:d=3 hl=2 l= 11 cons: SEQUENCE
30:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
41:d=3 hl=4 l=1570 cons: cont [ 0 ]
45:d=4 hl=4 l= 783 cons: SEQUENCE
49:d=5 hl=4 l= 503 cons: SEQUENCE
53:d=6 hl=2 l= 3 cons: cont [ 0 ]
55:d=7 hl=2 l= 1 prim: INTEGER :02
58:d=6 hl=2 l= 20 prim: INTEGER :7ACEBF564F34757DC970F67683F5435CEC159F3B
80:d=6 hl=2 l= 13 cons: SEQUENCE
82:d=7 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
93:d=7 hl=2 l= 0 prim: NULL
95:d=6 hl=2 l= 23 cons: SEQUENCE
97:d=7 hl=2 l= 21 cons: SET
99:d=8 hl=2 l= 19 cons: SEQUENCE
101:d=9 hl=2 l= 3 prim: OBJECT :commonName
106:d=9 hl=2 l= 12 prim: UTF8STRING :ca-test-scep
120:d=6 hl=2 l= 30 cons: SEQUENCE
122:d=7 hl=2 l= 13 prim: UTCTIME :230801130637Z
137:d=7 hl=2 l= 13 prim: UTCTIME :230831130637Z
152:d=6 hl=2 l= 23 cons: SEQUENCE
154:d=7 hl=2 l= 21 cons: SET
156:d=8 hl=2 l= 19 cons: SEQUENCE
158:d=9 hl=2 l= 3 prim: OBJECT :commonName
163:d=9 hl=2 l= 12 prim: UTF8STRING :ca-test-scep
177:d=6 hl=4 l= 290 cons: SEQUENCE
181:d=7 hl=2 l= 13 cons: SEQUENCE
183:d=8 hl=2 l= 9 prim: OBJECT :rsaEncryption
194:d=8 hl=2 l= 0 prim: NULL
196:d=7 hl=4 l= 271 prim: BIT STRING
471:d=6 hl=2 l= 83 cons: cont [ 3 ]
473:d=7 hl=2 l= 81 cons: SEQUENCE
475:d=8 hl=2 l= 29 cons: SEQUENCE
477:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
482:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414ABC6FE23ECBD13AAF777B0CCDFA0A2E4C9A6DD79
506:d=8 hl=2 l= 31 cons: SEQUENCE
508:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
513:d=9 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014ABC6FE23ECBD13AAF777B0CCDFA0A2E4C9A6DD79
539:d=8 hl=2 l= 15 cons: SEQUENCE
541:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
546:d=9 hl=2 l= 1 prim: BOOLEAN :255
549:d=9 hl=2 l= 5 prim: OCTET STRING [HEX DUMP]:30030101FF
556:d=5 hl=2 l= 13 cons: SEQUENCE
558:d=6 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
569:d=6 hl=2 l= 0 prim: NULL
571:d=5 hl=4 l= 257 prim: BIT STRING
832:d=4 hl=4 l= 779 cons: SEQUENCE
836:d=5 hl=4 l= 499 cons: SEQUENCE
840:d=6 hl=2 l= 3 cons: cont [ 0 ]
842:d=7 hl=2 l= 1 prim: INTEGER :02
845:d=6 hl=2 l= 20 prim: INTEGER :0F7078BF3836891FEDD9F4827383C70CEF8E6E99
867:d=6 hl=2 l= 13 cons: SEQUENCE
869:d=7 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
880:d=7 hl=2 l= 0 prim: NULL
882:d=6 hl=2 l= 23 cons: SEQUENCE
884:d=7 hl=2 l= 21 cons: SET
886:d=8 hl=2 l= 19 cons: SEQUENCE
888:d=9 hl=2 l= 3 prim: OBJECT :commonName
893:d=9 hl=2 l= 12 prim: UTF8STRING :ca-test-scep
907:d=6 hl=2 l= 30 cons: SEQUENCE
909:d=7 hl=2 l= 13 prim: UTCTIME :230801150559Z
924:d=7 hl=2 l= 13 prim: UTCTIME :230831150559Z
939:d=6 hl=2 l= 23 cons: SEQUENCE
941:d=7 hl=2 l= 21 cons: SET
943:d=8 hl=2 l= 19 cons: SEQUENCE
945:d=9 hl=2 l= 3 prim: OBJECT :commonName
950:d=9 hl=2 l= 12 prim: UTF8STRING :ra-test-scep
964:d=6 hl=4 l= 290 cons: SEQUENCE
968:d=7 hl=2 l= 13 cons: SEQUENCE
970:d=8 hl=2 l= 9 prim: OBJECT :rsaEncryption
981:d=8 hl=2 l= 0 prim: NULL
983:d=7 hl=4 l= 271 prim: BIT STRING
1258:d=6 hl=2 l= 79 cons: cont [ 3 ]
1260:d=7 hl=2 l= 77 cons: SEQUENCE
1262:d=8 hl=2 l= 11 cons: SEQUENCE
1264:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
1269:d=9 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
1275:d=8 hl=2 l= 29 cons: SEQUENCE
1277:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
1282:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:04146B9856B974066BF9B1B183A405D402138C5C7691
1306:d=8 hl=2 l= 31 cons: SEQUENCE
1308:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
1313:d=9 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014ABC6FE23ECBD13AAF777B0CCDFA0A2E4C9A6DD79
1339:d=5 hl=2 l= 13 cons: SEQUENCE
1341:d=6 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
1352:d=6 hl=2 l= 0 prim: NULL
1354:d=5 hl=4 l= 257 prim: BIT STRING
1615:d=3 hl=2 l= 0 cons: cont [ 1 ]
1617:d=3 hl=2 l= 0 cons: SET
More information about the rs-dev
mailing list