cisco / libest


No possibility to rekey over simplereenroll endpoint #113

Open stbenz opened 2 years ago

stbenz commented 2 years ago

Hello,

As far as I can see, the only possibility to use the simplereenroll endpoint of an EST server (as specified in section 4.2.2 of RFC 7030) is through the est_client_reenroll API function.

This function calls X509_check_private_key to check that the passed private key belongs to the passed certificate, which prevents passing a new private key to perform a "rekey" operation as specified in section 4.2.2 of RFC 7030.

I already saw the similar issue #90, but the solution to use the simpleenroll endpoint might not be applicable if, for example, the EST server provider doesn't provide the same authentication and/or check mechanisms in the simpleenroll endpoint as in the simplereenroll endpoint.
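To make the distinction between a renewal and a rekey concrete, here is an added example in Go (standard library only); it is not libest code and not from the issue author. `keyMatchesCert` is assumed to be the equivalent of the OpenSSL `X509_check_private_key` gate the issue describes, `reenrollCSR` models the client side of `/simplereenroll` with and without that gate, and `serverSideCheck` shows what a server verifying the request relies on instead: proof of possession of the CSR key plus a Subject/SubjectAltName match against the authenticating certificate, as RFC 7030 section 4.2.2 requires. The certificate, key names and DNS name are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// keyMatchesCert is the Go equivalent of the X509_check_private_key call the
// issue describes (assumed equivalent; written for this example, not libest):
// true only when the key's public half is the public key in the certificate.
func keyMatchesCert(cert *x509.Certificate, key *ecdsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

// selfSignedCert builds a constructed, short-lived self-signed certificate so
// the example runs offline without a real EST CA.
func selfSignedCert(key *ecdsa.PrivateKey, cn string, dns []string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// reenrollCSR models the client side of /simplereenroll. With
// requireKeyMatch=true it behaves like the est_client_reenroll gate: a key
// that does not belong to the current certificate is refused, so only a
// renewal with the same key is possible. With requireKeyMatch=false the CSR
// is signed by csrKey, which may be freshly generated (rekey); the current
// certificate and its key then only authenticate the TLS session. Either way
// Subject and SubjectAltName are copied from the current certificate.
func reenrollCSR(current *x509.Certificate, csrKey *ecdsa.PrivateKey, requireKeyMatch bool) ([]byte, error) {
	if requireKeyMatch && !keyMatchesCert(current, csrKey) {
		return nil, errors.New("private key does not belong to certificate: rekey refused")
	}
	tmpl := &x509.CertificateRequest{Subject: current.Subject, DNSNames: current.DNSNames}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, csrKey)
}

func equalStrings(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// serverSideCheck is what an EST server verifying a reenroll/rekey request
// checks before issuing: the CSR is self-signed by the key it carries (proof
// of possession) and its Subject/SANs match the certificate used for
// authentication. It reports whether the request carries a new key (rekey).
func serverSideCheck(authCert *x509.Certificate, csrDER []byte) (isRekey bool, err error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return false, err
	}
	if err := csr.CheckSignature(); err != nil {
		return false, fmt.Errorf("CSR proof-of-possession failed: %w", err)
	}
	if csr.Subject.String() != authCert.Subject.String() || !equalStrings(csr.DNSNames, authCert.DNSNames) {
		return false, errors.New("CSR subject/SAN differ from authenticating certificate")
	}
	csrPub, ok1 := csr.PublicKey.(*ecdsa.PublicKey)
	certPub, ok2 := authCert.PublicKey.(*ecdsa.PublicKey)
	if !ok1 || !ok2 {
		return false, errors.New("unsupported key type")
	}
	return !csrPub.Equal(certPub), nil
}

func main() {
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, err := selfSignedCert(oldKey, "device-1", []string{"device-1.example"})
	if err != nil {
		panic(err)
	}
	if _, err := reenrollCSR(cert, newKey, true); err != nil {
		fmt.Println("strict client gate:", err)
	}
	csr, _ := reenrollCSR(cert, newKey, false)
	isRekey, err := serverSideCheck(cert, csr)
	fmt.Println("server accepts, rekey =", isRekey, "err =", err)
}
```

The point the example makes is that the key-match gate only guarantees the CSR key equals the current certificate's key; the server's actual trust decision rests on the TLS client certificate, the CSR's proof of possession and the Subject/SAN match, none of which requires the old and new keys to be the same.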