Open Javex opened 9 years ago
Whoops, wrong commit message. Still open...
Anyways, since this is a server side operation to be implemented (likely as part of scep_certrep?), is it okay if I assign this to you @gknocke? I'd actually consider this pretty high-priority as this is basic functionality (e.g. CertNanny requires this to work as it uses the operation).
Currently, GetCACert responses cannot be built: It is a special case as e.g. no encryption certificate is present. The standard is not very clear on this message type (for example, it does not appear in the list of response content for CertRep).
However, combining logic with what openca-scep does, I see that there is no encryption and no actual content (the ContentInfo field). Instead, only the certificates field is set to the required certificates. There is no signer as well, the message is not signed at all.
But scep_certrep is neither ready to have no content to be encrypted nor is it possible to not sign a message. Both must be possible for a response here.
Finally, I am a little confused: We are currently doing it correctly? That is, in all other cases the response is still encrypted and the degenerate case is INSIDE the envelopedData? The outside case is as usual?
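Added example, not part of the issue or of the project's code: a receiver-side check that a response has the shape described above, a PKCS#7 SignedData with no content, no signerInfos and only the certificates field set. The helper names and the sample messages are assumptions constructed for illustration, and the placeholder certificate is not a real one.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def tlv(tag, value):
    """Encode one DER TLV; used only to build the constructed samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value

def children(buf):
    """Split DER content into (tag, value) pairs; definite lengths only."""
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def is_degenerate_certs_only(der):
    """True for SignedData with empty content, no signerInfos and >= 1 certificate."""
    try:
        (tag, outer), = children(der)            # ContentInfo SEQUENCE
        ctype, wrapped = children(outer)         # contentType, [0] EXPLICIT
        if tag != 0x30 or ctype != (0x06, OID_SIGNED_DATA) or wrapped[0] != 0xA0:
            return False
        (_, signed_data), = children(wrapped[1])
        fields = children(signed_data)           # version, digests, contentInfo, ...
        encap, signers = fields[2], fields[-1]
        certs = [v for t, v in fields[3:-1] if t == 0xA0]  # certificates [0]
        no_content = children(encap[1]) == [(0x06, OID_DATA)]
    except (ValueError, IndexError):
        return False
    return no_content and signers == (0x31, b"") and any(certs)

FAKE_CERT = tlv(0x30, b"constructed placeholder, not a real certificate")

def build(signer_infos=b"", content=b""):
    """Constructed sample message, not captured from a real SCEP server."""
    encap = tlv(0x30, tlv(0x06, OID_DATA) + content)
    body = (tlv(0x02, b"\x01") + tlv(0x31, b"") + encap
            + tlv(0xA0, FAKE_CERT) + tlv(0x31, signer_infos))
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, body)))
```

The check only inspects structure; because such a message carries no signature, the certificates in it still have to be validated by other means.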