diff --git a/ca/ca.go b/ca/ca.go
index 7993ba38..edcc9bba 100644
--- a/ca/ca.go
+++ b/ca/ca.go
@@ -156,7 +156,6 @@ func (ca *CA) Init(config *authority.Config) (*CA, error) {
 // well as certificates via SCEP.
 tlsConfig = nil
- // TODO: get the SCEP service
 scepPrefix := "scep"
 scepAuthority, err := scep.New(auth, scep.AuthorityOptions{
 IntermediateCertificatePath: config.IntermediateCert,
diff --git a/scep/api/api.go b/scep/api/api.go
index fc134a95..09ffddd0 100644
--- a/scep/api/api.go
+++ b/scep/api/api.go
@@ -16,6 +16,7 @@ import (
 "github.com/smallstep/certificates/api"
 "github.com/smallstep/certificates/authority/provisioner"
 "github.com/smallstep/certificates/scep"
+ "go.mozilla.org/pkcs7"
 microscep "github.com/micromdm/scep/scep"
 )
@@ -269,16 +270,24 @@ func (h *Handler) PKIOperation(ctx context.Context, request SCEPRequest) (SCEPRe
 response := SCEPResponse{Operation: opnPKIOperation}
+ // parse the message using microscep implementation
 microMsg, err := microscep.ParsePKIMessage(request.Message)
 if err != nil {
 return SCEPResponse{}, err
 }
+ p7, err := pkcs7.Parse(microMsg.Raw)
+ if err != nil {
+ return SCEPResponse{}, err
+ }
+
+ // copy over properties to our internal PKIMessage
 msg := &scep.PKIMessage{
 TransactionID: microMsg.TransactionID,
 MessageType: microMsg.MessageType,
 SenderNonce: microMsg.SenderNonce,
 Raw: microMsg.Raw,
+ P7: p7,
 }
 if err := h.Auth.DecryptPKIEnvelope(ctx, msg); err != nil {
diff --git a/scep/authority.go b/scep/authority.go
index a1d47700..a61c093a 100644
--- a/scep/authority.go
+++ b/scep/authority.go
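Review bot: In PKIOperation the same bytes are parsed twice — `microscep.ParsePKIMessage(request.Message)` and then `pkcs7.Parse(microMsg.Raw)` — and it is the second, separately parsed `*pkcs7.PKCS7` that is handed on as `P7` and later used for decryption and for the recipient certificates, yet nothing in this hunk calls `Verify` on it. If ParsePKIMessage validates the signature over exactly those bytes this is only redundant work, but that dependency is invisible at the call site; a comment such as `// P7 is a second parse of the bytes ParsePKIMessage already validated; it is used for decryption and as the encryption recipient` would record it, or the handler could verify the object it actually forwards. PKIOperation's body continues outside the hunk.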
@@ -198,27 +198,7 @@ func (a *Authority) GetCACertificates() ([]*x509.Certificate, error) {
 // DecryptPKIEnvelope decrypts an enveloped message
 func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) error {
- data := msg.Raw
-
- p7, err := pkcs7.Parse(data)
- if err != nil {
- return err
- }
-
- var tID microscep.TransactionID
- if err := p7.UnmarshalSignedAttribute(oidSCEPtransactionID, &tID); err != nil {
- return err
- }
-
- var msgType microscep.MessageType
- if err := p7.UnmarshalSignedAttribute(oidSCEPmessageType, &msgType); err != nil {
- return err
- }
-
- msg.p7 = p7
-
- //p7c, err := pkcs7.Parse(p7.Content)
- p7c, err := pkcs7.Parse(p7.Content)
+ p7c, err := pkcs7.Parse(msg.P7.Content)
 if err != nil {
 return err
 }
@@ -253,7 +233,6 @@ func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) err
 CSR: csr,
 ChallengePassword: cp,
 }
- //msg.Certificate = p7.Certificates[0] // TODO: check if this is necessary to add (again)
 return nil
 case microscep.GetCRL, microscep.GetCert, microscep.CertPoll:
 return fmt.Errorf("not implemented") //errNotImplemented
@@ -355,7 +334,7 @@ func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, m
 return nil, err
 }
- e7, err := pkcs7.Encrypt(deg, msg.p7.Certificates)
+ e7, err := pkcs7.Encrypt(deg, msg.P7.Certificates)
 if err != nil {
 return nil, err
 }
diff --git a/scep/scep.go b/scep/scep.go
index 6a636aee..7fc4c261 100644
--- a/scep/scep.go
+++ b/scep/scep.go
@@ -35,7 +35,7 @@ type PKIMessage struct {
 Raw []byte
 // parsed
- p7 *pkcs7.PKCS7
+ P7 *pkcs7.PKCS7
 // decrypted enveloped content
 pkiEnvelope []byte
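Review bot: `pkcs7.Parse(msg.P7.Content)` dereferences the now-exported `P7` field without checking it, so a PKIMessage assembled by a caller that skips the parse step (the field is settable from outside the package since this commit) panics with a nil-pointer dereference instead of returning an error; the same applies to `msg.P7.Certificates` in the SignCSR hunk further down. A guard at the top of the function, `if msg.P7 == nil { return fmt.Errorf("pkcs7 message not parsed") }`, keeps that failure an error the handler can report. The removed `UnmarshalSignedAttribute` checks for the transaction ID and message type now presumably happen only where `microMsg` is produced, which the doc comment on DecryptPKIEnvelope should state as a precondition (`// msg.P7 must already be parsed and its signed attributes validated`). The function body continues outside the hunk.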