micromdm / scep

Go SCEP server
MIT License

Proxy Implementation #219

Open matteoraf opened 11 months ago

matteoraf commented 11 months ago

Hi, I started working on an SCEP-to-SCEP proxy implementation.

I actually just put together existing bits from the scepclient into a proxy_signer. I don't feel confident in submitting a PR right now, since it's my very first time working with Go, but I forked your repo and worked on it here.

The proxy is working as expected, but I feel that a look from a more experienced Go dev might be worthwhile.

There are a couple of things that I wasn't able to do:

  1. Using a separate challenge for the proxy.
     That (I believe) is due to having the ChallengePassword written into the CSR, which must be signed by the client with its own key. I don't think there's any workaround to this, but I'd be happy to find out that there is.

  2. Passing over the PKIMessage.MessageType.
     That would require changing the whole scepserver implementation by adding some kind of hook around here. The CSRSigner of course only gets the CSRReqMessage, as it is meant to handle the signing of the certificate and not other stuff.

jessepeterson commented 11 months ago

Heya!

It sounds like you're implementing an "RA" (registration authority) — sort of an intermediary SCEP request. This is super common in MDM implementations, I think. Regarding point 1: I think that's right — you shouldn't change a CSR (including the challenge) because it is signed by the client's key. One way to add an additional layer of security is perhaps a time-limited token in the URL preceding the SCEP URL. Instead of /scep it was /<random-token>/scep that we validated. I didn't have much luck attaching URL parameters to the request — so I fell back on URL path elements.

The CSRSigner is probably the right place to implement this (and is the way we've done it in the past — though we weren't proxying a SCEP request — it went to another proprietary-ish CA). But, essentially: take the CSR given inside the CSRReqMessage, pass that onto the next SCEP server, and return the signed certificate from the CSRSigner interface.

All of that said, I'd recommend checking out https://smallstep.com/docs/step-ca/ for your SCEP needs instead of relying on this project's server code. Thanks!
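The CSRSigner-style proxy described in the two comments above (take the CSR out of the CSRReqMessage, pass it on unchanged, hand back the issued certificate), as an added, self-contained Go example that is not part of this issue or of the micromdm/scep code base. The `CSRReqMessage` struct and the `SignCSR` method signature are assumptions that only mirror the shape a signer needs; the project's real types differ. To stay runnable offline with the standard library, the upstream CA is a constructed `httptest` server that accepts the raw DER CSR over HTTP, standing in for the real SCEP PKIOperation exchange that scepclient would perform (which wraps the CSR in PKCS#7). The fixed challenge value is a constructed test value.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// CSRReqMessage mirrors only the fields of the project's scep.CSRReqMessage a signer needs (assumed shape).
type CSRReqMessage struct {
	CSR               *x509.CertificateRequest
	ChallengePassword string // extracted from the signed CSR by the SCEP layer
}

// ProxySigner is a hypothetical CSRSigner: it forwards the CSR, byte for byte, to an upstream CA.
type ProxySigner struct {
	UpstreamURL string
	Client      *http.Client // set timeouts here in real deployments
	Challenge   string       // the challenge clients are expected to embed in the CSR
}

func (p *ProxySigner) SignCSR(m *CSRReqMessage) (*x509.Certificate, error) {
	// The CSR is signed with the client's key: verify it, and never rewrite it
	// (changing anything, the challenge included, would break that signature).
	if err := m.CSR.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	if subtle.ConstantTimeCompare([]byte(m.ChallengePassword), []byte(p.Challenge)) != 1 {
		return nil, errors.New("challenge password mismatch")
	}
	resp, err := p.Client.Post(p.UpstreamURL, "application/pkcs10", bytes.NewReader(m.CSR.Raw))
	if err != nil {
		return nil, fmt.Errorf("upstream request: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("upstream returned HTTP %d", resp.StatusCode)
	}
	der, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // bound what we buffer
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("upstream certificate: %w", err)
	}
	// Only return a certificate bound to the exact key the client asked for.
	if !bytes.Equal(cert.RawSubjectPublicKeyInfo, m.CSR.RawSubjectPublicKeyInfo) {
		return nil, errors.New("issued certificate does not match the CSR key")
	}
	return cert, nil
}

// must panics on error; used only by the constructed fixtures below.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// newFakeCA is a constructed stand-in for the upstream CA: it parses the forwarded DER CSR and issues a one-day certificate from a throwaway P-256 CA key.
func newFakeCA() *httptest.Server {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Upstream Test CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(io.LimitReader(r.Body, 1<<20))
		csr, err := x509.ParseCertificateRequest(body)
		if err != nil || csr.CheckSignature() != nil { http.Error(w, "bad csr", http.StatusBadRequest); return }
		leaf := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
			NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
		der, err := x509.CreateCertificate(rand.Reader, leaf, ca, csr.PublicKey, caKey)
		if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError); return }
		w.Write(der)
	}))
}

// newClientCSR builds a CSR signed with a fresh client key (constructed fixture).
func newClientCSR(cn string) *x509.CertificateRequest {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))))
}

func main() {
	ca := newFakeCA()
	defer ca.Close()
	signer := &ProxySigner{UpstreamURL: ca.URL, Client: ca.Client(), Challenge: "enroll-secret"}
	cert := must(signer.SignCSR(&CSRReqMessage{CSR: newClientCSR("device-01"), ChallengePassword: "enroll-secret"}))
	fmt.Println("issued", cert.Subject.CommonName, "by", cert.Issuer.CommonName)
}
```

The two local checks are the part that matters for point 1 of the thread: the proxy can verify the client's signature over the CSR and compare the challenge it finds inside, but it cannot substitute a different challenge without invalidating that signature, so the challenge the upstream CA sees is the one the client wrote. The final key comparison guards against an upstream that returns a certificate for some other request.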

matteoraf commented 11 months ago

Hey! Thanks for the feedback.

Yes, I know about smallstep. Actually, what I'm trying to do is build a proxy to sit in front of it, so that I don't have to expose the CA and to be able to implement some additional logic for CSR verification with the MDM.

Thanks for your help!
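The other suggestion in the thread, a time-limited token as a path element in front of /scep, as an added Go example that is not part of this issue or of the micromdm/scep project. The token format (8-byte big-endian expiry followed by an HMAC-SHA256 over it, base64url without padding) and the `/scep` mount path of the wrapped handler are my assumptions; the middleware strips the token from the path so an unmodified SCEP handler can sit behind it. The key in `main` is a constructed placeholder.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// TokenIssuer mints and checks the per-enrollment path token. A token is the
// expiry (8 bytes, big-endian unix seconds) followed by HMAC-SHA256(Key, expiry),
// base64url-encoded without padding (a constructed format for this example).
type TokenIssuer struct {
	Key []byte
	Now func() time.Time // injectable clock; nil means time.Now
}

func (t *TokenIssuer) now() time.Time {
	if t.Now != nil {
		return t.Now()
	}
	return time.Now()
}

// Issue returns a token that stops validating ttl from now.
func (t *TokenIssuer) Issue(ttl time.Duration) string {
	var exp [8]byte
	binary.BigEndian.PutUint64(exp[:], uint64(t.now().Add(ttl).Unix()))
	mac := hmac.New(sha256.New, t.Key)
	mac.Write(exp[:])
	return base64.RawURLEncoding.EncodeToString(mac.Sum(exp[:])) // expiry || mac
}

// Verify reports why a token is unacceptable: malformed, forged, or expired.
func (t *TokenIssuer) Verify(tok string) error {
	raw, err := base64.RawURLEncoding.DecodeString(tok)
	if err != nil || len(raw) != 8+sha256.Size {
		return errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, t.Key)
	mac.Write(raw[:8])
	if !hmac.Equal(mac.Sum(nil), raw[8:]) { // constant-time comparison
		return errors.New("token signature mismatch")
	}
	if exp := time.Unix(int64(binary.BigEndian.Uint64(raw[:8])), 0); !t.now().Before(exp) {
		return errors.New("token expired")
	}
	return nil
}

// RequireToken gates a SCEP handler mounted at /scep: only /<token>/scep with a
// valid, unexpired token is passed through, and the token is stripped from the
// path so the wrapped handler sees the plain /scep it expects.
func RequireToken(issuer *TokenIssuer, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token, rest, ok := strings.Cut(strings.TrimPrefix(r.URL.Path, "/"), "/")
		if !ok || rest != "scep" {
			http.NotFound(w, r)
			return
		}
		if err := issuer.Verify(token); err != nil {
			http.Error(w, "forbidden", http.StatusForbidden) // reason stays in server logs, not the response
			return
		}
		r2 := r.Clone(r.Context())
		r2.URL.Path = "/scep"
		next.ServeHTTP(w, r2)
	})
}

func main() {
	issuer := &TokenIssuer{Key: []byte("replace-with-a-random-secret")} // placeholder key
	tok := issuer.Issue(15 * time.Minute)
	fmt.Println("enrollment path: /" + tok + "/scep")
	fmt.Println("verify:", issuer.Verify(tok))
	http.Handle("/", RequireToken(issuer, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "SCEP handler reached with path", r.URL.Path)
	})))
	// http.ListenAndServe(":8080", nil) would serve the gated endpoint.
}
```

Because the token lives in the path rather than the query string, it survives SCEP clients that only let you set a base URL, which is the reason given above for falling back on path elements. The token gates access to the endpoint only; it does not replace the SCEP challenge, which still travels inside the client-signed CSR.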