From 9df5f513e7ac4e55aa4f688c75be24f30e63a2fe Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Sat, 6 Mar 2021 22:35:41 +0100
Subject: [PATCH] Change to a fixed fork of go.mozilla.org/pkcs7

Hopefully this will be a temporary change until the fix is merged in the upstream module.
---
 go.mod | 3 +++
 go.sum | 2 ++
 scep/api/api.go | 13 ++-----------
 scep/authority.go | 7 -------
 4 files changed, 7 insertions(+), 18 deletions(-)

diff --git a/go.mod b/go.mod
index 921067ea..f5f1e64d 100644
--- a/go.mod
+++ b/go.mod
@@ -21,6 +21,7 @@ require (
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262
 github.com/smallstep/nosql v0.3.6
 github.com/urfave/cli v1.22.4
+ go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1
 go.step.sm/cli-utils v0.1.0
 go.step.sm/crypto v0.7.3
 golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897
@@ -34,3 +35,5 @@ require (
 // replace github.com/smallstep/nosql => ../nosql
 // replace go.step.sm/crypto => ../crypto
+
+replace go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 => github.com/omorsi/pkcs7 v0.0.0-20210217142924-a7b80a2a8568
diff --git a/go.sum b/go.sum
index 59417e6a..ca8060a1 100644
--- a/go.sum
+++ b/go.sum
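Review bot: The `replace` added in the second go.mod hunk is version-specific, so it only takes effect while `go.mozilla.org/pkcs7` is required at exactly `v0.0.0-20200128120323-432b2356ecb1`; any later bump of that requirement, direct or pulled in by another dependency, silently drops the redirect and the upstream bug comes back. Because `replace` directives are honored only in the main module, downstream modules that import these packages do not receive the forked code either. The fork is a third-party commit pinned by the go.sum entries, so the diff between it and the upstream version should be reviewed to confirm it carries only the intended fix. A comment next to the directive would keep that intent visible: `// TODO: temporary; drop once <upstream fix> is merged and go.mozilla.org/pkcs7 is bumped past it`.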
@@ -257,6 +257,8 @@ github.com/mitchellh/reflectwalk v1.0.0 h1:9D+8oIskB4VJBN5SFlmc27fSlIBZaov1Wpk/I
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/newrelic/go-agent v2.15.0+incompatible h1:IB0Fy+dClpBq9aEoIrLyQXzU34JyI1xVTanPLB/+jvU=
 github.com/newrelic/go-agent v2.15.0+incompatible/go.mod h1:a8Fv1b/fYhFSReoTU6HDkTYIMZeSVNffmoS726Y0LzQ=
+github.com/omorsi/pkcs7 v0.0.0-20210217142924-a7b80a2a8568 h1:+MPqEswjYiS0S1FCTg8MIhMBMzxiVQ94rooFwvPPiWk=
+github.com/omorsi/pkcs7 v0.0.0-20210217142924-a7b80a2a8568/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
 github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
diff --git a/scep/api/api.go b/scep/api/api.go
index 4df5d6a1..fc134a95 100644
--- a/scep/api/api.go
+++ b/scep/api/api.go
@@ -82,7 +82,6 @@ func (h *Handler) Route(r api.Router) {
 r.MethodFunc(http.MethodGet, getLink("{provisionerID}", false, nil), h.lookupProvisioner(h.Get))
 r.MethodFunc(http.MethodPost, getLink("{provisionerID}", false, nil), h.lookupProvisioner(h.Post))
-
 }
 // Get handles all SCEP GET requests
@@ -103,7 +102,7 @@ func (h *Handler) Get(w http.ResponseWriter, r *http.Request) {
 case opnGetCACaps:
 response, err = h.GetCACaps(ctx)
 case opnPKIOperation:
- // TODO: implement the GET for PKI operation
+ // TODO: implement the GET for PKI operation? Default CACAPS doesn't specify this is in use, though
 default:
 err = fmt.Errorf("unknown operation: %s", request.Operation)
 }
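Review bot: The `case opnPKIOperation:` branch in the second api.go hunk still has an empty body after the comment change, so a GET PKIOperation sets neither `response` nor `err` and presumably leaves the handler to emit a zero-value response with no error; how the result is written is outside the hunk. An explicit error mirroring the `default` branch would turn the silent no-op into a visible failure for clients and logs: `err = fmt.Errorf("operation %s is not supported over GET", request.Operation)`. If GET support is intentionally deferred, the comment should state that as a decision rather than a question, e.g. `// PKIOperation over GET is not supported; it is not advertised in the default CACAPS.`. Get's body continues outside the hunk.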
@@ -170,6 +169,7 @@ func decodeSCEPRequest(r *http.Request) (SCEPRequest, error) {
 if _, ok := query["message"]; ok {
 message = query.Get("message")
 }
+ // TODO: verify this; it seems like it should be StdEncoding instead of URLEncoding
 decodedMessage, err := base64.URLEncoding.DecodeString(message)
 if err != nil {
 return SCEPRequest{}, err
@@ -269,8 +269,6 @@ func (h *Handler) PKIOperation(ctx context.Context, request SCEPRequest) (SCEPRe
 response := SCEPResponse{Operation: opnPKIOperation}
- fmt.Println("BEFORE PARSING")
-
 microMsg, err := microscep.ParsePKIMessage(request.Message)
 if err != nil {
 return SCEPResponse{}, err
@@ -283,12 +281,7 @@ func (h *Handler) PKIOperation(ctx context.Context, request SCEPRequest) (SCEPRe
 Raw: microMsg.Raw,
 }
- fmt.Println("len raw:", len(microMsg.Raw))
-
- fmt.Println("AFTER PARSING")
-
 if err := h.Auth.DecryptPKIEnvelope(ctx, msg); err != nil {
- fmt.Println("ERROR IN DECRYPTPKIENVELOPE")
 return SCEPResponse{}, err
 }
@@ -312,8 +305,6 @@ func (h *Handler) PKIOperation(ctx context.Context, request SCEPRequest) (SCEPRe
 response.Data = certRep.Raw
 response.Certificate = certRep.Certificate
- fmt.Println("HERE!!!")
-
 return response, nil
 }
diff --git a/scep/authority.go b/scep/authority.go
index e5d1ea48..a1d47700 100644
--- a/scep/authority.go
+++ b/scep/authority.go
@@ -205,8 +205,6 @@ func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) err
 return err
 }
- fmt.Println("len content:", len(p7.Content))
-
 var tID microscep.TransactionID
 if err := p7.UnmarshalSignedAttribute(oidSCEPtransactionID, &tID); err != nil {
 return err
@@ -225,11 +223,6 @@ func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) err
 return err
 }
- fmt.Println(tID)
- fmt.Println(msgType)
-
- fmt.Println("len p7c content:", len(p7c.Content))
-
 envelope, err := p7c.Decrypt(a.intermediateCertificate, a.service.Decrypter)
 if err != nil {
 return err
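Review bot: The TODO added in the decodeSCEPRequest hunk points at a real defect: `query.Get("message")` (presumably backed by the parsed URL query) has already undone the URL encoding, so what remains is the base64 the client produced before URL-encoding it, which SCEP specifies with the standard alphabet (`+`, `/`); `base64.URLEncoding` rejects those characters, so well-formed GET messages fail to decode. The line should become `decodedMessage, err := base64.StdEncoding.DecodeString(message)`, with the comment stating the contract instead of deferring it: `// GET messages carry standard-alphabet base64 that the client URL-encoded; query.Get has already URL-decoded it.`. A related caveat worth a second comment: a client that sends a bare `+` in the query has it turned into a space by the query parser, so a decode failure here can be a client encoding error rather than a tampered message. decodeSCEPRequest starts and ends outside the hunk.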