DES default

Open dirkx opened this issue 2 years ago • 0 comments

The DES default is getting a bit long in the tooth; and I am seeing the first OpenSSL 3 based SCEP counterparts starting to no longer support it.

May be as simple as going AES; or a flag

diff --git a/scep/scep.go b/scep/scep.go
index c01f9bd..d617230 100644
--- a/scep/scep.go
+++ b/scep/scep.go
@@ -466,6 +466,7 @@ func (msg *PKIMessage) Success(crtAuth *x509.Certificate, keyAuth *rsa.PrivateKe
        }
 
        // encrypt degenerate data using the original messages recipients
+        pkcs7.ContentEncryptionAlgorithm = pkcs7.EncryptionAlgorithmAES128CBC // default is DES,CBC
        e7, err := pkcs7.Encrypt(deg, msg.p7.Certificates)
        if err != nil {
                return nil, err
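Review bot: The added assignment to pkcs7.ContentEncryptionAlgorithm in Success writes a package-level variable from inside a method, so it changes the cipher for every other pkcs7.Encrypt caller in the process and is never restored. If Success can run concurrently with other code that sets or reads this variable, that is also a data race. Consider selecting the algorithm once at startup or through configuration, and guarding the set-and-encrypt sequence if it has to stay per call. This reply path also hard-codes AES-128-CBC for whoever sent the original message, so a requester that only handles the DES default would no longer be able to decrypt the response; choosing the algorithm from what the peer supports, or from the flag the issue text suggests, avoids that.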
@@ -571,6 +572,7 @@ func NewCSRRequest(csr *x509.CertificateRequest, tmpl *PKIMessage, opts ...Optio
                }
                return nil, errors.New("no CA/RA recipients")
        }
+        pkcs7.ContentEncryptionAlgorithm = pkcs7.EncryptionAlgorithmAES128CBC // default is DES,CBC
        e7, err := pkcs7.Encrypt(derBytes, recipients)
        if err != nil {
                return nil, err
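Review bot: In NewCSRRequest the algorithm is hard-coded with the same global assignment even though the function already accepts opts ...Option, so callers have no way to stay on the DES default for a CA/RA that does not accept AES. Exposing the content-encryption algorithm as an Option (with AES as the default if that is the intent) would keep the choice per request and remove the duplicated line. The trailing comment "default is DES,CBC" describes the pkcs7 package default rather than what this line does; a comment saying why AES-128-CBC is selected here would read better.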

dirkx, Aug 01 '23 17:08