SCEP in Dogtag

From Dogtag

SCEP and Hashing Algorithms

  • CA signing or designated SCEP signing certificates can be generated using SHA2 algorithms. If so, the SSCEP client has to be updated.
  • Router certificate requests can be generated using SHA2 algorithms. If so, the SSCEP client has to be updated.
  • Router certificates can be generated using SHA2 algorithms. This is configurable through either the caRouterCert profile defaults and constraints for signing algorithms or the CA's default signing algorithm.
  • SCEP messages (in PKCS7 format) can be generated using SHA2 algorithms.
    • Server side messages are configured in the ca.scep section of CS.cfg (ca.scep.hashAlgorithm=SHA512).
    • Client side messages are configured by the SSCEP client configuration.


SCEP Clients

I used two clients to test SCEP enhancements:


SSCEP

The SSCEP client is provided at https://github.com/certnanny/sscep and can be downloaded from https://github.com/certnanny/sscep/archive/master.zip

The SSCEP client can be built simply by running the make command.


SSCEP Quick Start

  • Enable SCEP support by setting ca.scep.enable=true in /var/lib/pki-ca/conf/CS.cfg
  • Add the IP address and password to /var/lib/pki-ca/conf/flatfile.txt. Leave an empty line between and after each pair of lines containing UID and PWD.
  • Run the sscep getca command: ./sscep getca ...
  • Generate a PKCS10 request containing the password using ./mkrequest ...
  • Submit the generated request using ./sscep enroll ...
./sscep getca -c ca.crt -u 'http://<host-name>:9180/ca/cgi-bin/pkiclient.exe'
...

./mkrequest -ip 10.14.54.237 password       
Generating RSA private key, 1024 bit long modulus
........................++++++
.........++++++
e is 65537 (0x10001)

./sscep enroll -c ca.crt -k local.key -r local.csr  -l cert.crt -u 'http://<host-name>:9180/ca/cgi-bin/pkiclient.exe'
...

SSCEP Updates

The SSCEP client can be modified to use SHA2 hashes by editing sscep.c:

diff ../sscep-org/sscep.c sscep.c
368a369,372
> 	} else if (!strncmp(S_char, "sha256", 6)) {
> 		sig_alg = (EVP_MD *)EVP_sha256();
> 	} else if (!strncmp(S_char, "sha512", 6)) {
> 		sig_alg = (EVP_MD *)EVP_sha512();
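Review bot: `strncmp(S_char, "sha256", 6)` is a prefix match, so any -S value that merely begins with sha256 (or sha512) selects that digest; use `strcmp` so only the exact algorithm name is accepted. The `(EVP_MD *)` casts are also unnecessary if sig_alg is declared `const EVP_MD *`, which is what EVP_sha256()/EVP_sha512() return.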
380a385,388
> 	} else if (!strncmp(F_char, "sha256", 6)) {
> 		fp_alg = (EVP_MD *)EVP_sha256();
> 	} else if (!strncmp(F_char, "sha512", 6)) {
> 		fp_alg = (EVP_MD *)EVP_sha512();
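Review bot: the same prefix-match issue applies to `strncmp(F_char, "sha256", 6)` and `strncmp(F_char, "sha512", 6)`: an exact `strcmp` is the safer comparison for the -F fingerprint algorithm, and the `(EVP_MD *)` cast can be dropped by declaring fp_alg as `const EVP_MD *`.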

Rebuild the sscep client using the new sscep.c.


SSCEP Configuration

The SSCEP client configuration can be altered by editing sscep.conf:

diff ../sscep-org/sscep.conf sscep.conf 
30a31,32
> # Verbose		no
> # Debug		no
42,43c44,45
< #FingerPrint	md5
< FingerPrint		sha1
---
> # FingerPrint	md5
> FingerPrint	sha512
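Review bot: `FingerPrint sha512` is only understood once the fp_alg branches for sha256/sha512 have been added to sscep.c; against the unmodified client this line is rejected. A comment next to the setting stating that dependency would save the next reader a failed run.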
66d67
< EncAlgorithm	3des
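Review bot: deleting `EncAlgorithm 3des` leaves the cipher to the client's built-in default instead of pinning it. The server section on this page sets ca.scep.encryptionAlgorithm=DES3 and allows only DES,DES3, so keep an explicit `EncAlgorithm 3des` here; the enroll commands later on the page compensate by passing -E 3des on the command line, which is easy to forget.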
69c70
< SigAlgorithm	sha1
---
> SigAlgorithm	sha512
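Review bot: `SigAlgorithm sha512` has to match the server's ca.scep.allowedHashAlgorithms (which lists SHA512 on this page) as well as the sha512 branch added to sscep.c; note both requirements beside the setting, since the SSCEP Error section shows that the stock client cannot verify a SHA2-signed response even when the server accepts the request.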

The edited sscep.conf file is passed to the SSCEP client with the -f option:

./sscep enroll -f sscep.conf -c ca.crt -k local.key -r local.csr  -l cert.crt -u 'http://<host-name>:9180/ca/cgi-bin/pkiclient.exe'


SSCEP Nonce Length

The SSCEP client can be modified to generate longer nonces by editing pkcs7.c:

diff ../sscep-org/pkcs7.c pkcs7.c    
36c36,37
< 	s->sender_nonce_len = 16;
---
> //	s->sender_nonce_len = 16;
> 	s->sender_nonce_len = 20;
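Review bot: the old `s->sender_nonce_len = 16;` is kept as a commented-out line; delete it rather than leaving dead code. More importantly, a 20-byte sender nonce exceeds the `ca.scep.nonceSizeLimit=16` shown in the server section of this page, so the server limit must be raised in step with this change or the client and server disagree on the maximum nonce size.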


SCEP Request Generation with SHA2

The SSCEP client can be modified to generate SCEP requests using SHA2 algorithms by editing mkrequest:

diff ../sscep-org/mkrequest mkrequest
159a160,167
> if [ "$4" ]; then
> 	DIGEST=-$4
> else
> 	DIGEST=""
> fi
> 
> echo "DIGEST=$DIGEST"
> 
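Review bot: `DIGEST=-$4` passes the fourth argument straight through as an openssl option without validation, so any string given there becomes a flag to `openssl req`. Restrict it to the digests the server allows, for example `case "$4" in sha1|sha256|sha512) DIGEST=-$4;; "") DIGEST=;; *) echo "unsupported digest: $4" >&2; exit 1;; esac`. The `echo "DIGEST=$DIGEST"` is debug output that shows up in the command output later on this page and should be dropped or gated behind a verbose flag.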
161c169
< openssl req -new -key $PREFIX.key -out $PREFIX.csr -config $CONFIG \
---
> openssl req -new -key $PREFIX.key $DIGEST -out $PREFIX.csr -config $CONFIG \
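Review bot: `$DIGEST` is deliberately unquoted here so that an empty value vanishes from the argument list; quoting it would pass an empty argument to `openssl req` and break the default-digest case. Say so in a comment, because it reads like a missing quote.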

Here is an example of how to select SHA512:

./mkrequest -ip 10.14.54.237 password sha512
Generating RSA private key, 1024 bit long modulus
...........++++++
.++++++
e is 65537 (0x10001)
DIGEST=-sha512


Using SSCEP Options

./sscep enroll -c ca.crt -k local.key -r local.csr -E 3des -S sha256 -l cert.crt -u 'http://<hostname>:9180/ca/cgi-bin/pkiclient.exe'
./sscep enroll -c ca.crt -k local.key -r local.csr -E 3des -S sha256 -d -l cert.crt -u 'http://<hostname>:9180/ca/cgi-bin/pkiclient.exe'


SSCEP Error

The SSCEP client fails to verify a SCEP response signed with a SHA2 hashing algorithm:

./sscep enroll -f sscep.conf -c ca.crt -k local.key -r local.csr  -l cert.crt -u http://<host-name>:9180/ca/cgi-bin/pkiclient.exe
...
./sscep: verifying signature
./sscep: error verifying signature
8570:error:2107106C:PKCS7 routines:PKCS7_signatureVerify:unable to find message digest:pk7_doit.c:897:


Ignoring SSCEP Error

The PKCS7 verification error can be ignored by modifying pkcs7.c:

diff ../sscep-org/pkcs7.c pkcs7.c
392c393
< 		exit (SCEP_PKISTATUS_P7);
---
> 		//exit (SCEP_PKISTATUS_P7);
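Review bot: commenting out `exit (SCEP_PKISTATUS_P7);` turns a failed PKCS#7 signature verification into a warning, so the client goes on to use a CA response whose signature it could not verify, which defeats exactly the check the SSCEP Error section above shows failing. Keep this in a throwaway test build only and fix the real cause (the `unable to find message digest` error, i.e. the SHA2 digest used by the response is not known to the verifying code) instead of suppressing the exit.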

Key Manager FireFox Extension

The Key Manager extension provides another SCEP client that works with Dogtag 9.0. It is available at https://addons.mozilla.org/en-US/firefox/addon/4471/


SCEP Server

The Dogtag 9.0 CA provides SCEP server support, which is configured in the SCEP section of /var/lib/pki-ca/conf/CS.cfg.

ca.scep.enable=true
ca.scep.encryptionAlgorithm=DES3
ca.scep.allowedEncryptionAlgorithms=DES,DES3
ca.scep.hashAlgorithm=SHA1
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.nonceSizeLimit=16
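As an added example (not Dogtag or SSCEP code), the following POSIX shell script cross-checks a CS.cfg ca.scep section like the one above against the client-side values this page patches into sscep.conf and pkcs7.c, and flags any hash, cipher or nonce length the server would not accept. It assumes the key=value and "Key value" file formats shown on this page, that the client name 3des corresponds to the server name DES3, and that ca.scep.nonceSizeLimit is an upper bound on the nonce length the server accepts.

```shell
#!/bin/sh
# Added example, not Dogtag or SSCEP code: cross-check the ca.scep section
# of CS.cfg against the client settings this page patches into sscep.
# Assumptions: CS.cfg lines are "key=value" as shown on this page, sscep.conf
# lines are "Key value", the client name 3des maps to the server name DES3,
# and ca.scep.nonceSizeLimit is an upper bound on accepted nonce length.
# Constructed samples (values taken from this page's config listings).
SAMPLE_CSCFG='ca.scep.enable=true
ca.scep.encryptionAlgorithm=DES3
ca.scep.allowedEncryptionAlgorithms=DES,DES3
ca.scep.hashAlgorithm=SHA1
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.nonceSizeLimit=16'
SAMPLE_SSCEPCONF='FingerPrint sha512
SigAlgorithm sha512
EncAlgorithm 3des'
cfg_get()   { sed -n "s/^$2=//p" "$1" | head -n 1; }                    # CS.cfg key=value
sscep_get() { awk -v k="$2" 'tolower($1)==tolower(k){print $2; exit}' "$1"; }
in_list()   { echo ",$2," | grep -qi ",$1,"; }                           # VALUE in CSV list?
norm_enc()  { case "$1" in 3des|des3) echo DES3;; des) echo DES;; *) echo "$1";; esac; }
# scep_check CS.cfg sscep.conf CLIENT_NONCE_LEN
# Prints each mismatch; returns 0 only when the server would accept the client.
scep_check() {
  cs=$1; cl=$2; nonce=$3; rc=0
  [ "$(cfg_get "$cs" ca.scep.enable)" = "true" ] || { echo "ca.scep.enable is not true"; rc=1; }
  hashes=$(cfg_get "$cs" ca.scep.allowedHashAlgorithms)
  encs=$(cfg_get "$cs" ca.scep.allowedEncryptionAlgorithms)
  limit=$(cfg_get "$cs" ca.scep.nonceSizeLimit); limit=${limit:-0}
  # The server's own hash and cipher must be in its own allowed lists.
  in_list "$(cfg_get "$cs" ca.scep.hashAlgorithm)" "$hashes" || { echo "server hashAlgorithm not allowed"; rc=1; }
  in_list "$(cfg_get "$cs" ca.scep.encryptionAlgorithm)" "$encs" || { echo "server encryptionAlgorithm not allowed"; rc=1; }
  # Client SigAlgorithm / EncAlgorithm (sscep.conf, or -S/-E on the command line) must be allowed.
  sig=$(sscep_get "$cl" SigAlgorithm)
  in_list "$sig" "$hashes" || { echo "client SigAlgorithm '$sig' not in $hashes"; rc=1; }
  enc=$(sscep_get "$cl" EncAlgorithm)
  [ -z "$enc" ] || in_list "$(norm_enc "$enc")" "$encs" || { echo "client EncAlgorithm '$enc' not in $encs"; rc=1; }
  # The pkcs7.c change raises the sender nonce to 20 bytes; the page's server limit is 16.
  [ "$limit" -eq 0 ] || [ "$nonce" -le "$limit" ] || { echo "client nonce $nonce > nonceSizeLimit $limit"; rc=1; }
  return $rc
}
# demo: run the check for the stock 16-byte nonce and the patched 20-byte one.
demo() {
  d=$(mktemp -d); printf '%s\n' "$SAMPLE_CSCFG" > "$d/CS.cfg"; printf '%s\n' "$SAMPLE_SSCEPCONF" > "$d/sscep.conf"
  scep_check "$d/CS.cfg" "$d/sscep.conf" 16 && echo "16-byte nonce: OK"
  scep_check "$d/CS.cfg" "$d/sscep.conf" 20 || echo "20-byte nonce: rejected"
  rm -rf "$d"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh scep_check.sh demo` to see the sample pass with a 16-byte nonce and fail with the patched 20-byte one; point scep_check at the real CS.cfg and sscep.conf to check a deployment.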


SCEP supports the use of its own key pair, which can be configured by adding the following lines:

ca.scep.nickname=scepSigningCert cert-pki-ca
ca.scep.tokenname=Internal Key Storage Token

to the SCEP section of /var/lib/pki-ca/conf/CS.cfg.


Keep in mind that to enable a separate SCEP key pair:

  • a new SCEP key pair has to be designated
  • a SCEP certificate has to be created
  • the SCEP certificate has to be imported into the NSS DB using 'scepSigningCert cert-pki-ca' as its nickname


SCEP support for its own key pair was tested using the existing OCSP keys and certificate. The test was configured by adding the following lines:

ca.scep.nickname=ocspSigningCert cert-pki-ca
ca.scep.tokenname=Internal Key Storage Token

to the SCEP section of /var/lib/pki-ca/conf/CS.cfg.

Note that ca.crt is replaced by ocsp.crt in the enroll command:

./sscep enroll -c ocsp.crt -k local.key -r local.csr -E 3des -S sha256 -d -l cert.crt -u 'http://<hostname>:9180/ca/cgi-bin/pkiclient.exe'


SCEP Test Results

SCEP unit testing was performed using SSCEP and FF Key Manager as SCEP clients:

  Hash     Signing certificate   SCEP certificate   SCEP request     SCEP response   PKCS10 request
  MD5      SSCEP                 SSCEP              SSCEP            SSCEP           SSCEP
  SHA1     SSCEP                 SSCEP              SSCEP            SSCEP           SSCEP
  SHA256   Modified SSCEP        Modified SSCEP     Modified SSCEP   Key Manager     Modified Request Generation
  SHA512   Modified SSCEP        Modified SSCEP     Modified SSCEP   Key Manager     Modified Request Generation