Open dirkx opened 11 months ago
The DES default is getting a bit long in the tooth; and I am seeing the first OpenSSL 3 based SCEP counterparts starting to no longer support it.
May be as simple as going AES; or a flag
diff --git a/scep/scep.go b/scep/scep.go index c01f9bd..d617230 100644 --- a/scep/scep.go +++ b/scep/scep.go @@ -466,6 +466,7 @@ func (msg *PKIMessage) Success(crtAuth *x509.Certificate, keyAuth *rsa.PrivateKe } // encrypt degenerate data using the original messages recipients + pkcs7.ContentEncryptionAlgorithm = pkcs7.EncryptionAlgorithmAES128CBC // default is DES,CBC e7, err := pkcs7.Encrypt(deg, msg.p7.Certificates) if err != nil { return nil, err @@ -571,6 +572,7 @@ func NewCSRRequest(csr *x509.CertificateRequest, tmpl *PKIMessage, opts ...Optio } return nil, errors.New("no CA/RA recipients") } + pkcs7.ContentEncryptionAlgorithm = pkcs7.EncryptionAlgorithmAES128CBC // default is DES,CBC e7, err := pkcs7.Encrypt(derBytes, recipients) if err != nil { return nil, err
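Review bot: in the first hunk (Success), the line `pkcs7.ContentEncryptionAlgorithm = pkcs7.EncryptionAlgorithmAES128CBC` writes a package-level variable on every call, immediately before `pkcs7.Encrypt`. That is shared mutable state: concurrent calls race on the write, and the setting silently changes the algorithm for any other code in the same process that uses the pkcs7 package. If the package-level variable is the only knob available, set it once during initialization rather than per message, or serialize the set-and-encrypt pair behind a mutex, and document the side effect in a comment.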
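Review bot: in the second hunk (NewCSRRequest), AES-128-CBC is hardcoded even though the function already takes a variadic opts parameter, so a caller has no way to keep DES for a CA/RA that only supports the old default. The description itself mentions "or a flag"; exposing the content encryption algorithm as an option, with AES as the new default, would cover both cases. The same assignment is also duplicated from the Success hunk, so a single helper or one-time setup would keep the two code paths from drifting apart.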