URI error in est_client_build_csr_header

[dreamlich]

When client requests CSR attributes, function est_client_build_csr_header use URI EST_SIMPLE_ENROLL_URI but not EST_CSR_ATTRS_URI. Is it a typo?

[dreamlich]

Same issue in est_client_build_reenroll_header

[rpb5bnc]

Hello,

Thanks for bringing this up. This is a typo in the code and will be addressed in the next release.

The following is more detail on this issue:

• Issue is that the digest value generated for a /csrattrs or /simplereenroll uses an incorrect uri of "/.well-known/est/simpleenroll"

• This issue is limited to when the client has been requested to use digest mode of HTTP authentication

• In EST, priority is given to TLS authentication per 3.2.2 paragraph 1.

• For /csrattrs,

  • the issue does not actually exist when using the EST server within libEST because it does not authenticate the client per 4.5 paragraph 2.
  • Interop testing has not uncovered this issue with other EST server implementations.

• For /simplereenroll,

  • Client must provide a valid certificate that can be authenticated when issuing a /simplereenroll.
  • If the EST server is configured for two factor auth, requiring HTTP auth, and that auth is digest mode, then it's possible that this incorrect uri value in the authorization header could become a problem.

• In the case of the libEST server, the HTTP processing code is based upon the Mongoose embedded HTTP server. The Mongoose code does not compare the uri used in the digest against the actual uri of the request due to, / NOTE(lsm): due to a bug in MSIE, we do not compare URIs / (mg_http.c)

• As a result, the libEST server does not either perform this check. As long as the uri in the authorization header matches the uri used in the generation of the digest response value then the digest will be valid.