From 7855dbeafcb02e9753d118657741ca81c18bce75 Mon Sep 17 00:00:00 2001 From: Petr Gotthard Date: Sat, 16 Jan 2021 12:01:03 +0100 Subject: [PATCH] Added -E options for aes128, aes192 and aes256 --- ChangeLog | 4 ++- README.md | 65 +++++++++++++++++++++++++++++++++++++--------- VERSION | 2 +- configure.ac | 2 +- scripts/sscep.spec | 2 +- src/sscep.c | 17 ++++++++---- src/sscep.h | 2 +- 7 files changed, 72 insertions(+), 22 deletions(-) diff --git a/ChangeLog b/ChangeLog index dc20310..edf4ece 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,7 +1,9 @@ SSCEP Release history ======================================== -v0.8.1 +v0.9.0 +* Added -E options for aes128, aes192 and aes256. + Per RFC8894, plain aes is equal to aes128. (Before 0.9.0 it was aes256.) * Implemented mechanism to auto-detect CA certificates (-c) * Fixed handling of Content-Type headers with a charset defined * Fixed Content-Type handling in GetCACaps responses diff --git a/README.md b/README.md index 320a35a..d153963 100644 --- a/README.md +++ b/README.md @@ -150,7 +150,7 @@ of arguments and command line options. ```bash $ ./sscep -sscep version 0.8.x +sscep version 0.9.x Usage: ./sscep OPERATION [OPTIONS] @@ -166,8 +166,8 @@ General OPTIONS -p Use proxy server at host:port -g Use the given cryptographic engine -f Use configuration file - -c CA certificate file (write if OPERATION is getca) - -E PKCS#7 encryption algorithm (des|3des|blowfish|aes) + -c CA certificate file or '-n' suffixed files (write if OPERATION is getca) + -E PKCS#7 encryption algorithm (des|3des|blowfish|aes[128]|aes192|aes256) -S PKCS#7 signature algorithm (md5|sha1|sha224|sha256|sha384|sha512) -v Verbose output (for debugging the configuration) -d Debug output (more verbose, for debugging the implementation) @@ -222,11 +222,11 @@ Here are the available configuration file keys and example values: | Key | Explanation | Example | Command options | |-------|-------------------|---------|---------| -| CACertFile | This is one is needed with all operations. |`./ca.crt` |`-c` | +| URL | URL of the SCEP server. | `http://localhost/cgi-bin/pkiclient.exe` | `-u` | +| CACertFile | Sigle CA certificate file, or mutiple CA certificates suffixed with `-0`, `-1`, ... to write (getca) or to choose from (all other operations). | `./ca.crt` |`-c` | | CAIdentifier | Some CAs require you to define this. | `mydomain.com` | `-i` | | CertReqFile | Certificate request file created with mkrequest. | `./local.csr` | `-r` -| Debug | Debug? Answer "yes" or "no". | | `-d` | -| EncAlgorithm | PKCS#7 encryption algorithm. Available algorithms are des, 3des, blowfish and aes. NOTE: SCEP provides no mechanism to "negotiate" the algorithm - even if you send 3des, reply might be des (same thing applies to SigAlgorithm). | | `-E` | +| EncAlgorithm | PKCS#7 encryption algorithm. Available algorithms are des, 3des, blowfish, aes/aes128, aes192 and aes256. NOTE: SCEP provides no mechanism to "negotiate" the algorithm - even if you send 3des, reply might be des (same thing applies to SigAlgorithm). | | `-E` | | EncCertFile | If your CA/RA uses a different certificate for encyption and signing, define this. CACertFile is used for verifying the signature. | `./enc.crt` | `-e` | | SignCertFile | Instead of creating a self-signed certificate from the new key pair use an already existing certficate/key to sign the SCEP request. If the "old" certificate and key is used, the CA can verify that the holder of the private key for an existing certificate re-enrolls for a renewal certificate, allowing for automatic approval of the request. Requires specification of the corresponding signature private key file (-K, SignKeyFile). | `./sig.crt` | `-O` | | SignKeyFile | See SignCertFile. Specifies the corresponding private key. | `./sig.key` | `-K` | @@ -242,8 +242,8 @@ Here are the available configuration file keys and example values: | Proxy | Use HTTP proxy at host:port. | `localhost:8080` | `-p` | | SelfSignedFile | Write optionally the selfsigned certificate in file (needed in SCEP transaction). | `./selfsigned.crt` | `-L` | | SigAlgorithm | PKCS#7 signature algorithm. Available algorithms are md5, sha1, sha224, sha256, sha384 and sha512. Default is md5. | | `-S` | -| URL | URL of the SCEP server. | `http://localhost/cgi-bin/pkiclient.exe` | `-u` | -| Verbose | Verbose? Answer "yes" or "no" | | `-v`| +| Verbose | Verbose output? Answer "yes" or "no" | | `-v`| +| Debug | Debug output? Answer "yes" or "no". | | `-d` | The actual enrollment is done with the following procedure: @@ -262,9 +262,50 @@ unstructuredName naming, some may require a CN with localityName, etc. ### STEP 2 - Make certificate request and key Before the enrollment can take place, sscep needs a private key file -and the corresponding X.509 certificate request in PKCS#10 format. Edit -the DN variables in the file mkrequest (it's a shell script) if you need. -When ready, make the request: +and the corresponding X.509 certificate request in PKCS#10 format. + +This can be created using the mkrequest script, or manually by openssl. Create +an request.cnf, such as: + +``` +oid_section = new_oids + +[ req ] +default_bits = 2048 +default_keyfile = local.key +encrypt_key = no + +distinguished_name = req_dn +attributes = req_attributes +req_extensions = req_ext + +[ new_oids ] +certTemplateName = 1.3.6.1.4.1.311.20.2 + +[ req_dn ] +0.domainComponent = org +1.domainComponent = OpenXPKI +2.domainComponent = Test Deployment +commonName = device + +[ req_attributes ] + +[ req_ext ] +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth, clientAuth + +certTemplateName = ASN1:UTF8String:pc-client +``` + +To create a key and a request named local.key and local.csr run: + +```bash +$ openssl req -new -config request.cnf -out local.csr +``` + +You can automate this process using the mkrequest shell script. Edit the DN +variables in the mkrequest file if you need. When ready, make the request: ```bash $ mkrequest -ip 172.30.0.1 @@ -275,7 +316,7 @@ e is 65537 (0x10001) Using configuration from .4018client.cnf ``` -This writes key and request named local.key and local.csr (you can change +This also writes key and request named local.key and local.csr (you can change the "local" with variable PREFIX in mkrequest). If the CA supports automatic enrollment, you may supply the password in diff --git a/VERSION b/VERSION index 6f4eebd..ac39a10 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.1 +0.9.0 diff --git a/configure.ac b/configure.ac index 68ef63a..5b0ed8c 100644 --- a/configure.ac +++ b/configure.ac @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ([2.69]) -AC_INIT([sscep],[0.8.1],[certnanny@github.com]) +AC_INIT([sscep],[0.9.0],[certnanny@github.com]) AC_CONFIG_AUX_DIR([build-aux]) AM_INIT_AUTOMAKE([foreign subdir-objects dist-bzip2]) m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) diff --git a/scripts/sscep.spec b/scripts/sscep.spec index cb2f03c..65a253c 100644 --- a/scripts/sscep.spec +++ b/scripts/sscep.spec @@ -4,7 +4,7 @@ # Name: sscep -Version: 0.8.1 +Version: 0.9.0 Release: 1 Summary: Simple SCEP client License: BSD diff --git a/src/sscep.c b/src/sscep.c index dff315c..cccdd12 100644 --- a/src/sscep.c +++ b/src/sscep.c @@ -71,8 +71,8 @@ EVP_MD *sig_alg; EVP_CIPHER *enc_alg; static SCEP_CAP scep_caps[SCEP_CAPS] = { - { .cap = SCEP_CAP_AES, .str = "AES" }, - { .cap = SCEP_CAP_3DES, .str = "DES3" }, + { .cap = SCEP_CAP_AES, .str = "AES" }, /* AES128-CBC */ + { .cap = SCEP_CAP_3DES, .str = "DES3" }, /* DES-CBC */ { .cap = SCEP_CAP_NEXT_CA, .str = "GetNextCACert" }, { .cap = SCEP_CAP_POST_PKI, .str = "POSTPKIOperation" }, { .cap = SCEP_CAP_RENEWAL, .str = "Renewal" }, @@ -577,8 +577,15 @@ main(int argc, char **argv) { enc_alg = (EVP_CIPHER *)EVP_des_cbc(); } else if (!strncmp(E_char, "3des", 4)) { enc_alg = (EVP_CIPHER *)EVP_des_ede3_cbc(); - } else if (!strncmp(E_char, "aes", 3)) { + } else if (!strncmp(E_char, "aes128", 6)) { + enc_alg = (EVP_CIPHER *)EVP_aes_128_cbc(); + } else if (!strncmp(E_char, "aes192", 6)) { + enc_alg = (EVP_CIPHER *)EVP_aes_192_cbc(); + } else if (!strncmp(E_char, "aes256", 6)) { enc_alg = (EVP_CIPHER *)EVP_aes_256_cbc(); + } else if (!strncmp(E_char, "aes", 3)) { + /* per RFC8894 "AES" represents "AES128-CBC" */ + enc_alg = (EVP_CIPHER *)EVP_aes_128_cbc(); } else { fprintf(stderr, "%s: unsupported algorithm: %s\n", pname, E_char); @@ -1241,8 +1248,8 @@ usage() { " -g Use the given cryptographic engine\n" " -h Keyforme=ID. \n"//TODO " -f Use configuration file\n" - " -c CA certificate file (write if OPERATION is getca or getnextca)\n" - " -E PKCS#7 encryption algorithm (des|3des|blowfish|aes)\n" + " -c CA certificate file or '-n' suffixed files (write if OPERATION is getca)\n" + " -E PKCS#7 encryption algorithm (des|3des|blowfish|aes[128]|aes192|aes256)\n" " -S PKCS#7 signature algorithm (md5|sha1|sha224|sha256|sha384|sha512)\n" " -v Verbose output (for debugging the configuration)\n" " -d Debug output (more verbose, for debugging the implementation)\n" diff --git a/src/sscep.h b/src/sscep.h index 81004ef..51445db 100644 --- a/src/sscep.h +++ b/src/sscep.h @@ -66,7 +66,7 @@ #include /* Global defines */ -#define VERSION "0.8.1" +#define VERSION "0.9.0" /* SCEP operations */ #define SCEP_OPERATION_GETCA 1