[rs-dev] Generating degenerate CMS for SCEP (after crl2p7 example)
Dirk-Willem van Gulik
dirkx at webweaving.org
Tue Aug 1 21:27:04 CEST 2023
On 1 Aug 2023, at 21:15, Dirk-Willem van Gulik via rs-dev <rs-dev at redwax.eu> wrote:
>
> After looking at crl2p7.c for how to generate a degenerate CMS for SCEP's GetCACert, the sketch below seems to do the trick.
>
> Not yet committed.
With a few small cleanups; passes the tests I can do (against mac, cisco and huawei)
Index: mod_scep.c
===================================================================
--- mod_scep.c (revision 432)
+++ mod_scep.c (working copy)
@@ -725,6 +725,15 @@
return APR_SUCCESS;
}
+static apr_status_t scep_PKCS7s_cleanup(void *data)
+{
+ // XXX "TYPE_free() releases the object and all pointers and sub-objects within it.
+ // assuming that ->certs and ->crls its stack is freeded; the objects on those
+ // stacks already have thier own cleanups.
+ PKCS7_SIGNED_free((PKCS7_SIGNED *) data);
+ return APR_SUCCESS;
+}
+
static apr_status_t scep_PKCS7_ISSUER_AND_SUBJECT_cleanup(void *data)
{
PKCS7_ISSUER_AND_SUBJECT_free((PKCS7_ISSUER_AND_SUBJECT *) data);
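Review bot: The XXX comment in scep_PKCS7s_cleanup assumes the certificates on ->cert are released only by their own cleanups, but PKCS7_SIGNED_free() also walks that stack and drops a reference on every X509 it holds. The later hunk adds `cert` and `conf->signer` with `sk_X509_push()` and takes no extra reference, so each request would release `cert` twice (here and, presumably, through scep_X509_cleanup, whose body is not shown) and would release the long-lived `conf->signer` once per request, leaving a dangling pointer in the module configuration. Either call `X509_up_ref()` before each push or keep `PKCS7_add_certificate()`, which takes the reference itself, and reword the comment to `/* frees the PKCS7_SIGNED and drops one reference on every certificate and CRL it holds */`.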
@@ -1101,6 +1110,8 @@
apr_off_t offset;
PKCS7 *p7 = NULL;
+ PKCS7_SIGNED *p7s=NULL;
+
BIO *b;
X509 *cert = NULL;
X509_STORE_CTX *ctx;
@@ -1116,24 +1127,6 @@
char *etag;
apr_time_t validity;
- ap_set_content_type(r, "application/x-x509-ca-ra-cert");
-
- /* create a new signed data PKCS#7 */
- p7 = PKCS7_new();
- if (!p7) {
- log_message(r, APR_SUCCESS,
- "could not create a PKCS7 degenerate response");
-
- return HTTP_INTERNAL_SERVER_ERROR;
- }
- else {
- apr_pool_cleanup_register(r->pool, p7, scep_PKCS7_cleanup,
- apr_pool_cleanup_null);
- }
-
- PKCS7_set_type(p7, NID_pkcs7_signed);
- PKCS7_content_new(p7, NID_pkcs7_data);
-
/* get the CA certificate */
rv = ap_run_ca_getca(r, &der, &len, &validity);
if (rv == DECLINED) {
@@ -1155,19 +1148,6 @@
apr_pool_cleanup_register(r->pool, cert, scep_X509_cleanup,
apr_pool_cleanup_null);
- if (!PKCS7_add_certificate(p7, cert)) {
- log_message(r, APR_SUCCESS,
- "could not add the CA certificate to the degenerate PKCS7 response");
-
- return HTTP_INTERNAL_SERVER_ERROR;
- }
- if (!PKCS7_add_certificate(p7, conf->signer)) {
- log_message(r, APR_SUCCESS,
- "could not add the RA certificate to the degenerate PKCS7 response");
-
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
/* sanity checks */
ctx = X509_STORE_CTX_new();
if (!ctx) {
@@ -1213,6 +1193,45 @@
return HTTP_INTERNAL_SERVER_ERROR;
}
+
+ ap_set_content_type(r, "application/x-x509-ca-ra-cert");
+
+ /* RFC 8894, 3.4: For SCEP, the content field of the ContentInfo value of
+ * a degenerate certificates-only SignedData MUST be omitted.
+ */
+ p7s = PKCS7_SIGNED_new();
+ if ((!p7s) || !(p7s->cert = sk_X509_new_null()) || !(p7s->crl = sk_X509_CRL_new_null())) {
+ log_message(r, APR_SUCCESS,
+ "could not create a PKCS7 signed degenerate response");
+
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ else {
+ apr_pool_cleanup_register(r->pool, p7s, scep_PKCS7s_cleanup,
+ apr_pool_cleanup_null);
+ }
+
+ p7 = PKCS7_new();
+ if (!p7) {
+ log_message(r, APR_SUCCESS,
+ "could not create a PKCS7 degenerate response");
+
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ else {
+ apr_pool_cleanup_register(r->pool, p7, scep_PKCS7_cleanup,
+ apr_pool_cleanup_null);
+ }
+
+ ASN1_INTEGER_set(p7s->version,1);
+ p7s->contents->type=OBJ_nid2obj(NID_pkcs7_data);
+
+ sk_X509_push(p7s->cert, cert);
+ sk_X509_push(p7s->cert, conf->signer);
+
+ PKCS7_set_type(p7, NID_pkcs7_signed);
+ p7->d.sign=p7s;
+
b = BIO_new(BIO_s_mem());
apr_pool_cleanup_register(r->pool, b, scep_BIO_cleanup,
apr_pool_cleanup_null);
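Review bot: `p7->d.sign=p7s` gives the same PKCS7_SIGNED two owners: `PKCS7_set_type(p7, NID_pkcs7_signed)` on the line before has already allocated `p7->d.sign`, so the assignment leaks that object, and p7s is then reachable both from the scep_PKCS7s_cleanup registered above and from p7's own cleanup. If scep_PKCS7_cleanup calls PKCS7_free() (its body is outside this patch), pool teardown frees p7s twice. The failure path also leaks p7s when one of the `sk_*_new_null()` calls fails before the cleanup is registered, and the results of `ASN1_INTEGER_set()` and `sk_X509_push()` are ignored. Letting p7 own the structure that PKCS7_set_type() creates and filling it in place removes the second cleanup and keeps the content field absent; the empty `cont [ 1 ]` CRL element would no longer be emitted, so the output should be rechecked with asn1parse and against the tested clients. The enclosing function starts and ends outside the hunk.

```c
    p7 = PKCS7_new();
    /* … unchanged: NULL check and scep_PKCS7_cleanup registration for p7 … */

    /* PKCS7_set_type() allocates p7->d.sign and sets version 1; p7 owns it,
     * so no separate pool cleanup is registered for p7s. */
    if (!PKCS7_set_type(p7, NID_pkcs7_signed)) {
        log_message(r, APR_SUCCESS,
                "could not create a PKCS7 signed degenerate response");

        return HTTP_INTERNAL_SERVER_ERROR;
    }
    p7s = p7->d.sign;

    /* content type only; the content itself stays absent (RFC 8894, 3.4) */
    p7s->contents->type = OBJ_nid2obj(NID_pkcs7_data);

    /* PKCS7_add_certificate() takes its own reference on each certificate */
    if (!PKCS7_add_certificate(p7, cert)
            || !PKCS7_add_certificate(p7, conf->signer)) {
        log_message(r, APR_SUCCESS,
                "could not add the certificates to the degenerate PKCS7 response");

        return HTTP_INTERNAL_SERVER_ERROR;
    }
```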
@@ -1219,6 +1238,7 @@
i2d_PKCS7_bio(b, p7);
+
apr_sha1_init(&sha1);
while ((offset = BIO_read(b, buf, sizeof(buf))) > 0) {
apr_sha1_update(&sha1, buf, offset);
Index: README
===================================================================
--- README (revision 432)
+++ README (working copy)
@@ -1,24 +1,38 @@
+# AA basic configuration for SCEP issuing.
+#
+# 0. Set up some directories; The directory cert needs to be server writable.
+#
+# mkdir ca ra cert
+# chown www:www cert
+#
+# 1. Generate a CA with an issuing RA
+#
+# openssl req -new -x509 -subj /CN=ca-test-scep -out ca/ca-cert.pem -keyout ca/ca-key.pem -nodes
+# openssl req -new -subj /CN=ra-test-scep -out ra/ra-cert.csr -keyout ra/ra-key.pem -nodes
+# echo "[ra]" > config.cnf
+# echo "keyUsage=digitalSignature,keyEncipherment >> config.cnf
+# openssl x509 -req -in ra/ra-cert.csr -CAkey ca/ca-key.pem -CA ca/ca-cert.pem -out ra/ra-cert.pem -extfile config.cnf -extensions ra
+#
-A basic configuration.
+LoadModule ca_module lib/apache2/modules/mod_ca.so
+LoadModule scep_module lib/apache2/modules/mod_scep.so
+LoadModule ca_simple_module lib/apache2/modules/mod_ca_simple.so
+LoadModule ca_disk_module lib/apache2/modules/mod_ca_disk.so
-<IfModule mod_scep.c>
<Location /scep>
- SetHandler scep
-# ScepRACertificate /tmp/ra-cert.pem
-# ScepRAKey /tmp/ra-key.pem
- ScepSubjectRequest O
- ScepSubjectRequest countryName
- ScepSubjectRequest stateOrProvinceName
- ScepSubjectRequest commonName
- ScepSubjectCGI OU UNIQUE_ID
- ScepSubjectSet OU "Test Certificate"
- CASimpleCertificate /etc/pki/certs/ca-cert.pem
- CASimpleKey /etc/pki/certs/ca-key.pem
- CASimpleSerialRandom on
- CASimpleTime on
- CADiskCertificateSignRequestPath /etc/pki/ca/
- CADiskCertificateByTransactionPath /etc/pki/ca/
+ SetHandler scep
+ ScepRACertificate /opt/local/etc/pki/ra/ra-cert.pem
+ ScepRAKey /opt/local/etc/pki/ra/ra-key.pem
+ ScepSubjectRequest O
+ ScepSubjectRequest countryName
+ ScepSubjectRequest stateOrProvinceName
+ ScepSubjectRequest commonName
+ ScepSubjectSet OU "Test Certificate"
+ CASimpleCertificate /opt/local/etc/pki/ca/ca-cert.pem
+ CASimpleKey /opt/local/etc/pki/ca/ca-key.pem
+ CASimpleSerialRandom on
+ CASimpleTime on
+ CADiskCertificateSignRequestPath /opt/local//etc/pki/certs/
+ CADiskCertificateByTransactionPath /opt/local//etc/pki/certs/
</Location>
-</IfModule>
-
>
> dirkx at cheesegrater .zsh_sessions % curl --silent --verbose http://localhost/scep\?operation=GetCACert | openssl asn1parse -inform DER -i
>
> * processing: http://localhost/scep?operation=GetCACert
> * Trying [::1]:80...
> * Connected to localhost (::1) port 80
>> GET /scep?operation=GetCACert HTTP/1.1
>> Host: localhost
>> User-Agent: curl/8.2.1
>> Accept: */*
>>
> < HTTP/1.1 200 OK
> < Date: Tue, 01 Aug 2023 19:14:02 GMT
> < Server: Apache/2.4.57 (Unix)
> < ETag: "j3GWtbZRPnAQwIYCURnlqGW/e6o="
> < Cache-Control: max-age=0
> < Content-Length: 1619
> < Content-Type: application/x-x509-ca-ra-cert
> <
> 0:d=0 hl=4 l=1615 cons: SEQUENCE
> 4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
> 15:d=1 hl=4 l=1600 cons: cont [ 0 ]
> 19:d=2 hl=4 l=1596 cons: SEQUENCE
> 23:d=3 hl=2 l= 1 prim: INTEGER :01
> 26:d=3 hl=2 l= 0 cons: SET
> 28:d=3 hl=2 l= 11 cons: SEQUENCE
> 30:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
> 41:d=3 hl=4 l=1570 cons: cont [ 0 ]
> 45:d=4 hl=4 l= 783 cons: SEQUENCE
> 49:d=5 hl=4 l= 503 cons: SEQUENCE
> 53:d=6 hl=2 l= 3 cons: cont [ 0 ]
> 55:d=7 hl=2 l= 1 prim: INTEGER :02
> 58:d=6 hl=2 l= 20 prim: INTEGER :7ACEBF564F34757DC970F67683F5435CEC159F3B
> 80:d=6 hl=2 l= 13 cons: SEQUENCE
> 82:d=7 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
> 93:d=7 hl=2 l= 0 prim: NULL
> 95:d=6 hl=2 l= 23 cons: SEQUENCE
> 97:d=7 hl=2 l= 21 cons: SET
> 99:d=8 hl=2 l= 19 cons: SEQUENCE
> 101:d=9 hl=2 l= 3 prim: OBJECT :commonName
> 106:d=9 hl=2 l= 12 prim: UTF8STRING :ca-test-scep
> 120:d=6 hl=2 l= 30 cons: SEQUENCE
> 122:d=7 hl=2 l= 13 prim: UTCTIME :230801130637Z
> 137:d=7 hl=2 l= 13 prim: UTCTIME :230831130637Z
> 152:d=6 hl=2 l= 23 cons: SEQUENCE
> 154:d=7 hl=2 l= 21 cons: SET
> 156:d=8 hl=2 l= 19 cons: SEQUENCE
> 158:d=9 hl=2 l= 3 prim: OBJECT :commonName
> 163:d=9 hl=2 l= 12 prim: UTF8STRING :ca-test-scep
> 177:d=6 hl=4 l= 290 cons: SEQUENCE
> 181:d=7 hl=2 l= 13 cons: SEQUENCE
> 183:d=8 hl=2 l= 9 prim: OBJECT :rsaEncryption
> 194:d=8 hl=2 l= 0 prim: NULL
> 196:d=7 hl=4 l= 271 prim: BIT STRING
> 471:d=6 hl=2 l= 83 cons: cont [ 3 ]
> 473:d=7 hl=2 l= 81 cons: SEQUENCE
> 475:d=8 hl=2 l= 29 cons: SEQUENCE
> 477:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
> 482:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414ABC6FE23ECBD13AAF777B0CCDFA0A2E4C9A6DD79
> 506:d=8 hl=2 l= 31 cons: SEQUENCE
> 508:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
> 513:d=9 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014ABC6FE23ECBD13AAF777B0CCDFA0A2E4C9A6DD79
> 539:d=8 hl=2 l= 15 cons: SEQUENCE
> 541:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
> 546:d=9 hl=2 l= 1 prim: BOOLEAN :255
> 549:d=9 hl=2 l= 5 prim: OCTET STRING [HEX DUMP]:30030101FF
> 556:d=5 hl=2 l= 13 cons: SEQUENCE
> 558:d=6 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
> 569:d=6 hl=2 l= 0 prim: NULL
> 571:d=5 hl=4 l= 257 prim: BIT STRING
> 832:d=4 hl=4 l= 779 cons: SEQUENCE
> 836:d=5 hl=4 l= 499 cons: SEQUENCE
> 840:d=6 hl=2 l= 3 cons: cont [ 0 ]
> 842:d=7 hl=2 l= 1 prim: INTEGER :02
> 845:d=6 hl=2 l= 20 prim: INTEGER :0F7078BF3836891FEDD9F4827383C70CEF8E6E99
> 867:d=6 hl=2 l= 13 cons: SEQUENCE
> 869:d=7 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
> 880:d=7 hl=2 l= 0 prim: NULL
> 882:d=6 hl=2 l= 23 cons: SEQUENCE
> 884:d=7 hl=2 l= 21 cons: SET
> 886:d=8 hl=2 l= 19 cons: SEQUENCE
> 888:d=9 hl=2 l= 3 prim: OBJECT :commonName
> 893:d=9 hl=2 l= 12 prim: UTF8STRING :ca-test-scep
> 907:d=6 hl=2 l= 30 cons: SEQUENCE
> 909:d=7 hl=2 l= 13 prim: UTCTIME :230801150559Z
> 924:d=7 hl=2 l= 13 prim: UTCTIME :230831150559Z
> 939:d=6 hl=2 l= 23 cons: SEQUENCE
> 941:d=7 hl=2 l= 21 cons: SET
> 943:d=8 hl=2 l= 19 cons: SEQUENCE
> 945:d=9 hl=2 l= 3 prim: OBJECT :commonName
> 950:d=9 hl=2 l= 12 prim: UTF8STRING :ra-test-scep
> 964:d=6 hl=4 l= 290 cons: SEQUENCE
> 968:d=7 hl=2 l= 13 cons: SEQUENCE
> 970:d=8 hl=2 l= 9 prim: OBJECT :rsaEncryption
> 981:d=8 hl=2 l= 0 prim: NULL
> 983:d=7 hl=4 l= 271 prim: BIT STRING
> 1258:d=6 hl=2 l= 79 cons: cont [ 3 ]
> 1260:d=7 hl=2 l= 77 cons: SEQUENCE
> 1262:d=8 hl=2 l= 11 cons: SEQUENCE
> 1264:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
> 1269:d=9 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
> 1275:d=8 hl=2 l= 29 cons: SEQUENCE
> 1277:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
> 1282:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:04146B9856B974066BF9B1B183A405D402138C5C7691
> 1306:d=8 hl=2 l= 31 cons: SEQUENCE
> 1308:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
> 1313:d=9 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014ABC6FE23ECBD13AAF777B0CCDFA0A2E4C9A6DD79
> 1339:d=5 hl=2 l= 13 cons: SEQUENCE
> 1341:d=6 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
> 1352:d=6 hl=2 l= 0 prim: NULL
> 1354:d=5 hl=4 l= 257 prim: BIT STRING
> 1615:d=3 hl=2 l= 0 cons: cont [ 1 ]
> 1617:d=3 hl=2 l= 0 cons: SET
>
> _______________________________________________
> rs-dev mailing list
> rs-dev at redwax.eu
> https://redwax.eu/mailman/listinfo/rs-dev
>