dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

Dogtag should support AES ciphers in SCEP #3035

Open pki-bot opened 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #2917. Originally filed by tvaughan (@trevor-vaughan) on 2018-01-30 17:37:01:


According to https://tools.ietf.org/html/draft-gutmann-scep-06#section-2.8, AES is now mandatory to implement for SCEP.

Looking at the dogtag code, this should be relatively simple since the underlying logic at https://github.com/dogtagpki/pki/blob/master/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java#L1125-L1130 seems to just choose between DES and DES3 without allowing for other ciphers.
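An added example, not part of the original issue and not Dogtag's code: one way to select the content cipher from the envelope's content-encryption OID so that the AES-CBC variants are handled alongside DES and DES3, and an unrecognised OID is rejected. The class and method names are hypothetical, Java 16+ is assumed (for `record`), and the key, IV and payload in `main` are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, not Dogtag code; class and method names are hypothetical.
public class ScepContentCipher {
    record Alg(String transformation, String keyAlg, int keyLen, int ivLen) {}

    // Content-encryption algorithm OIDs mapped to JCA parameters (lengths in bytes).
    static final Map<String, Alg> ALGS = Map.of(
        "1.3.14.3.2.7",            new Alg("DES/CBC/PKCS5Padding", "DES", 8, 8),
        "1.2.840.113549.3.7",      new Alg("DESede/CBC/PKCS5Padding", "DESede", 24, 8),
        "2.16.840.1.101.3.4.1.2",  new Alg("AES/CBC/PKCS5Padding", "AES", 16, 16),
        "2.16.840.1.101.3.4.1.22", new Alg("AES/CBC/PKCS5Padding", "AES", 24, 16),
        "2.16.840.1.101.3.4.1.42", new Alg("AES/CBC/PKCS5Padding", "AES", 32, 16));

    // Select the cipher from the OID; an unknown OID is rejected, never defaulted.
    static byte[] crypt(int mode, String oid, byte[] key, byte[] iv, byte[] in)
            throws GeneralSecurityException {
        Alg a = ALGS.get(oid);
        if (a == null)
            throw new NoSuchAlgorithmException("unsupported content-encryption OID " + oid);
        if (key.length != a.keyLen())
            throw new InvalidKeyException("key must be " + a.keyLen() + " bytes for " + oid);
        if (iv.length != a.ivLen())
            throw new InvalidAlgorithmParameterException("IV must be " + a.ivLen() + " bytes");
        Cipher c = Cipher.getInstance(a.transformation());
        c.init(mode, new SecretKeySpec(key, a.keyAlg()), new IvParameterSpec(iv));
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key, IV and payload; real values come from the PKCS #7 envelope.
        byte[] key = new byte[16], iv = new byte[16];
        new SecureRandom().nextBytes(key);
        new SecureRandom().nextBytes(iv);
        String aes128 = "2.16.840.1.101.3.4.1.2";
        byte[] ct = crypt(Cipher.ENCRYPT_MODE, aes128, key, iv,
                          "constructed CSR bytes".getBytes(StandardCharsets.UTF_8));
        byte[] pt = crypt(Cipher.DECRYPT_MODE, aes128, key, iv, ct);
        System.out.println(new String(pt, StandardCharsets.UTF_8));
        try {
            crypt(Cipher.DECRYPT_MODE, "1.2.840.113549.3.2", key, iv, ct); // RC2-CBC, not listed
        } catch (NoSuchAlgorithmException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```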

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2018-02-01 11:57:18

Metadata Update from @mharmsen:

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2018-02-01 13:52:46

Metadata Update from @mharmsen:

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2018-02-01 17:29:34

Hi, thank you for bringing up the issue. Would you be interested in contributing to the code by providing a patch? From time to time we get patch contributions from the community and we find such practice beneficial to all parties due to limited resources on our end. The process will require the contributor to provide a working patch against the master, complete with details on how it's set up and the testing procedure. The Dogtag team will then assign someone to review the code. Once the fix is hashed out, the patch will be checked in with proper credit given to the contributor.

Please let us know.

pki-bot commented 4 years ago

Comment from tvaughan (@trevor-vaughan) at 2018-02-01 19:12:55

@cfu I don't mind in theory but I have no idea when I'll be able to get to it since I'm currently trying to patch both certmonger and sscep to work properly.