Testing SCEP

From Dogtag

Overview

The CA signing certificate, or a designated SCEP signing certificate, can be generated using SHA2 algorithms. If so, the SSCEP client has to be updated.

A router certificate request can be generated using SHA2 algorithms. If so, the SSCEP client has to be updated.

A router certificate can be generated using SHA2 algorithms. This is configurable either through the caRouterCert profile's defaults and constraints for signing algorithms, or through the CA's default signing algorithm.

A SCEP message (in PKCS7 format) can be generated using SHA2 algorithms:

  • Server side messages are configured in the ca.scep section of CS.cfg (ca.scep.hashAlgorithm=SHA512).
  • Client side messages are configured by the SSCEP client configuration.

Testing with SSCEP

Building SSCEP

See Building SSCEP.

SSCEP Updates

The SSCEP client can be modified to enable the use of SHA2 hashes by editing sscep.c:

diff ../sscep-org/sscep.c sscep.c
368a369,372
> 	} else if (!strncmp(S_char, "sha256", 6)) {
> 		sig_alg = (EVP_MD *)EVP_sha256();
> 	} else if (!strncmp(S_char, "sha512", 6)) {
> 		sig_alg = (EVP_MD *)EVP_sha512();
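Review bot: the strncmp(S_char, "sha256", 6) test on the first added line is a prefix match, so a value such as sha256x is silently accepted as sha256; since the digest names have fixed length, compare the whole string (strcmp) and report unknown names with an explicit error. sha384 is also missing from the list, so it is the one SHA2 digest that still cannot be requested after this change.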
380a385,388
> 	} else if (!strncmp(F_char, "sha256", 6)) {
> 		fp_alg = (EVP_MD *)EVP_sha256();
> 	} else if (!strncmp(F_char, "sha512", 6)) {
> 		fp_alg = (EVP_MD *)EVP_sha512();
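Review bot: this hunk repeats the name-to-EVP_MD lookup just added for S_char line for line; a small helper that maps a digest name to its EVP_MD, shared by the signature and fingerprint paths, would keep the two lists from drifting apart. The (EVP_MD *) casts can also be dropped by declaring sig_alg and fp_alg as const EVP_MD *, which is what EVP_sha256() and EVP_sha512() return.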

Rebuild the sscep client using the new sscep.c.

SSCEP Configuration

The SSCEP client configuration can be altered by editing sscep.conf:

diff ../sscep-org/sscep.conf sscep.conf 
30a31,32
> # Verbose		no
> # Debug		no
42,43c44,45
< #FingerPrint	md5
< FingerPrint		sha1
---
> # FingerPrint	md5
> FingerPrint	sha512
66d67
< EncAlgorithm	3des
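Review bot: deleting the EncAlgorithm 3des line (hunk 66d67) without a replacement leaves the encryption algorithm at whatever default the client compiles in, rather than choosing one deliberately; keep an explicit EncAlgorithm line (the command lines further down this page pass -E 3des for the same reason) so the test setup does not depend on the built-in default and the SigAlgorithm sha512 change below is the only behavioural difference between the two configurations.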
69c70
< SigAlgorithm	sha1
---
> SigAlgorithm	sha512

The edited sscep.conf file is passed to the SSCEP client with the -f option:

./sscep enroll -f sscep.conf -c ca.crt -k local.key -r local.csr  -l cert.crt -u 'http://<host-name>:9180/ca/cgi-bin/pkiclient.exe'

SSCEP Nonce Length

The SSCEP client can be modified to generate longer nonces by editing pkcs7.c:

diff ../sscep-org/pkcs7.c pkcs7.c    
36c36,37
< 	s->sender_nonce_len = 16;
---
> //	s->sender_nonce_len = 16;
> 	s->sender_nonce_len = 20;
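Review bot: the old assignment is left behind as a comment (// s->sender_nonce_len = 16;); remove it rather than carry dead code, and confirm that the buffer the nonce is written into is sized from sender_nonce_len and not a fixed 16-byte array, since the length is raised to 20 here with no matching change to any allocation in this hunk.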

SCEP Request Generation with SHA2

The SSCEP client can be modified to generate SCEP requests using SHA2 algorithms by editing mkrequest:

diff ../sscep-org/mkrequest mkrequest
159a160,167
> if [ "$4" ]; then
> 	DIGEST=-$4
> else
> 	DIGEST=""
> fi
> 
> echo "DIGEST=$DIGEST"
> 
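Review bot: "$4" is accepted without validation and turned straight into an openssl option (DIGEST=-$4), so any value, not only a digest name, reaches the openssl req command line; check it against the digest names the CA is being tested with (sha256, sha384, sha512) and print a usage message otherwise. The echo "DIGEST=$DIGEST" line reads like debugging output and should be removed, or at least sent to stderr, so the script's normal output stays usable.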
161c169
< openssl req -new -key $PREFIX.key -out $PREFIX.csr -config $CONFIG \
---
> openssl req -new -key $PREFIX.key $DIGEST -out $PREFIX.csr -config $CONFIG \
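Review bot: when no fourth argument is given, DIGEST is empty and openssl req falls back to its build-time default digest, which on older OpenSSL releases is SHA1, so the script still produces SHA1-signed requests by default; consider defaulting DIGEST to -sha256 and documenting the new positional argument in the script's usage text.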

Here is an example of how to set SHA512:

./mkrequest -ip 10.14.54.237 password sha512
Generating RSA private key, 1024 bit long modulus
...........++++++
.++++++
e is 65537 (0x10001)
DIGEST=-sha512
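Added example, not SSCEP's own mkrequest script: the same digest-argument handling with a known-name check, followed by a check that the generated CSR really carries the requested signature algorithm. It assumes an openssl binary on the PATH and uses an inline subject instead of mkrequest's config file.

```shell
#!/bin/sh
# Added example, not SSCEP's mkrequest: select the CSR digest from an
# argument like the mkrequest patch does, but only accept known names,
# then verify that the CSR really carries the requested algorithm.

# Map a digest name to the openssl req option ("sha512" -> "-sha512").
# An empty name means "let openssl use its default"; any other value
# is rejected instead of being passed to openssl as an arbitrary option.
digest_opt() {
    case "$1" in
        "")                        printf '%s\n' "" ;;
        sha1|sha256|sha384|sha512) printf '%s\n' "-$1" ;;
        *) printf 'unsupported digest: %s\n' "$1" >&2; return 1 ;;
    esac
}

# "Signature Algorithm" text that openssl req -text prints for an RSA
# key signed with the given digest (an empty name cannot be checked).
expected_sigalg() {
    case "$1" in
        sha1|sha256|sha384|sha512) printf '%sWithRSAEncryption\n' "$1" ;;
        *) return 1 ;;
    esac
}

# Generate $1.key / $1.csr with digest $2 and confirm the CSR signature
# algorithm. Assumes openssl on the PATH; the subject is given inline
# here instead of through mkrequest's $CONFIG file.
make_and_check_csr() {
    prefix=$1; digest=$2
    opt=$(digest_opt "$digest") || return 1
    want=$(expected_sigalg "$digest") || return 1
    openssl genrsa -out "$prefix.key" 2048 2>/dev/null || return 1
    # $opt is deliberately unquoted: it is either empty or a single flag.
    openssl req -new -key "$prefix.key" $opt -subj "/CN=scep-test" \
        -out "$prefix.csr" 2>/dev/null || return 1
    openssl req -in "$prefix.csr" -noout -text | grep -q "Signature Algorithm: $want"
}

# Usage: sh this_script.sh local sha512
if [ "$#" -eq 2 ]; then
    make_and_check_csr "$1" "$2" && echo "$1.csr is signed with $2"
fi
```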

Using SSCEP Options

The same settings can be given on the command line instead of in sscep.conf (-E selects the encryption algorithm, -S the signature algorithm; the second command adds -d for debug output):

./sscep enroll -c ca.crt -k local.key -r local.csr -E 3des -S sha256 -l cert.crt -u 'http://<hostname>:9180/ca/cgi-bin/pkiclient.exe'
./sscep enroll -c ca.crt -k local.key -r local.csr -E 3des -S sha256 -d -l cert.crt -u 'http://<hostname>:9180/ca/cgi-bin/pkiclient.exe'

SSCEP Error

The SSCEP client fails to verify a SCEP response that uses a SHA2 hashing algorithm:

./sscep enroll -f sscep.conf -c ca.crt -k local.key -r local.csr  -l cert.crt -u http://<host-name>:9180/ca/cgi-bin/pkiclient.exe
...
./sscep: verifying signature
./sscep: error verifying signature
8570:error:2107106C:PKCS7 routines:PKCS7_signatureVerify:unable to find message digest:pk7_doit.c:897:

Ignoring SSCEP Error

The PKCS7 verification error can be ignored by modifying pkcs7.c:

diff ../sscep-org/pkcs7.c pkcs7.c
392c393
< 		exit (SCEP_PKISTATUS_P7);
---
> 		//exit (SCEP_PKISTATUS_P7);
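Review bot: commenting out exit (SCEP_PKISTATUS_P7) turns a signature verification failure into a message only, so a response whose signature does not verify is processed as if it had; this must stay confined to a throwaway test build. The error shown on this page (PKCS7_signatureVerify:unable to find message digest) says OpenSSL could not look up the digest by its OID, which usually means the digest table was never loaded; calling OpenSSL_add_all_digests() (or OpenSSL_add_all_algorithms()) at client start-up normally lets verification of SHA2-signed responses succeed, which fixes the failure instead of ignoring it.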

Testing with Key Manager

The Key Manager browser extension provides another SCEP client that works with PKI 9.0. It is available at https://addons.thunderbird.net/en-us/firefox/addon/key-manager.

Test Results

SCEP unit testing was performed using SSCEP and the Firefox (FF) Key Manager extension as SCEP clients. Each cell names the client, or tool, that was used to exercise that item with the given hash algorithm:

 Hash    | Signing certificate | SCEP certificate | SCEP request   | SCEP response | PKCS10 request
 MD5     | SSCEP               | SSCEP            | SSCEP          | SSCEP         | SSCEP
 SHA1    | SSCEP               | SSCEP            | SSCEP          | SSCEP         | SSCEP
 SHA256  | Modified SSCEP      | Modified SSCEP   | Modified SSCEP | Key Manager   | Modified Request Generation
 SHA512  | Modified SSCEP      | Modified SSCEP   | Modified SSCEP | Key Manager   | Modified Request Generation