pki-bot / pki-issues-final


Add SCEP support for GetCACaps #624

Open pki-bot opened 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #627. Originally filed by awnuk (@awnuk) on 2013-05-29 23:40:04:

Add SCEP support for GetCACaps - http://tools.ietf.org/html/draft-nourse-scep-23#appendix-C.1

pki-bot commented 4 years ago

Comment from awnuk (@awnuk) at 2013-06-07 22:58:41

Moving to FUTURE milestone due to security issues described in http://tools.ietf.org/html/draft-nourse-scep-23#section-8.7

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2015-03-10 00:50:41

From duplicate ticket 1298:

When ca.scep.enable is set to 'true', the default SCEP configuration currently
rejects PKCSReq PKIOperation requests which use MD5 or DES, but the server
doesn't respond to GetCACaps requests, so clients have no way of reliably
determining what they should be doing instead.

How reproducible:

Always

Steps to Reproduce:

1. Enable SCEP.
2. curl -v -v -v 'http://$server:9180/ca/cgi-bin/pkiclient.exe?operation=GetCACaps&message=0'

Actual results:

404 error

Expected results:

200 OK, contents based on the ca.scep.allowedEncryptionAlgorithms and
ca.scep.allowedHashAlgorithms settings.
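Both halves of the exchange described in the ticket above, as an added example that is not part of this thread and is not Dogtag, certmonger or pki-bot code. The CA side derives a GetCACaps body from the two ca.scep.allowed* settings the ticket names; the mapping from those setting values to GetCACaps keywords is a hypothetical one (the real values are not shown on the page). The client side parses the reply, picks the strongest advertised hash and cipher, and falls back to the MD5/DES defaults when the CA answers 404, which is exactly the situation the reproduction steps show. Both sample responses are constructed, so the script runs offline.

```python
"""GetCACaps negotiation, both sides of the exchange in the ticket above.

Added example for this thread; it is not Dogtag, certmonger, or pki-bot code.
Assumptions are marked: the mapping from Dogtag's ca.scep.allowed* values to
GetCACaps keywords is hypothetical, and the sample responses are constructed.
"""

# Hypothetical mapping from names as they might appear in
# ca.scep.allowedHashAlgorithms / ca.scep.allowedEncryptionAlgorithms to the
# GetCACaps keywords of draft-nourse-scep-23 Appendix C.1 (AES is not in that
# draft's list; it comes from the later RFC 8894 keyword list). The real
# setting values are not shown on the page.
HASH_KEYWORDS = {"SHA512": "SHA-512", "SHA256": "SHA-256", "SHA1": "SHA-1"}
CIPHER_KEYWORDS = {"AES": "AES", "DES3": "DES3"}

# Client preference, strongest first. MD5 and single DES are never advertised:
# they are the protocol's fallback when the CA says nothing.
HASH_PREFERENCE = ("SHA-512", "SHA-256", "SHA-1")
CIPHER_PREFERENCE = ("AES", "DES3")
LEGACY_HASH, LEGACY_CIPHER = "MD5", "DES"


def build_ca_caps(allowed_hashes, allowed_ciphers,
                  extra=("POSTPKIOperation", "Renewal", "GetNextCACert")):
    """CA side: the text/plain body for operation=GetCACaps.

    One keyword per line; algorithms the CA is not configured to accept are
    simply not listed, so a well-behaved client cannot pick them.
    """
    caps = [HASH_KEYWORDS[h] for h in allowed_hashes if h in HASH_KEYWORDS]
    caps += [CIPHER_KEYWORDS[c] for c in allowed_ciphers if c in CIPHER_KEYWORDS]
    caps += list(extra)
    return "\r\n".join(caps) + "\r\n"


def parse_ca_caps(status, body):
    """Client side: the set of advertised keywords, empty if the CA has no
    GetCACaps endpoint (the 404 in the ticket). Matching is case-insensitive
    and ignores blank lines (a tolerant choice made here, not a draft
    requirement); unknown keywords are kept but never used."""
    if status != 200:
        return set()
    return {line.strip().upper() for line in body.splitlines() if line.strip()}


def negotiate(status, body, strict=False):
    """Pick hash and cipher from a GetCACaps reply.

    With strict=False the client does what the draft's fallback says and
    silently drops to MD5/DES when nothing better is advertised. With
    strict=True it refuses instead: over plain HTTP the GetCACaps reply is
    unauthenticated (section 8.7 of the draft), so an attacker who can block
    or strip it gets the same downgrade, and a CA that rejects MD5/DES
    PKCSReq messages while serving no GetCACaps (the ticket) leaves the
    client nothing it can use anyway.
    """
    caps = parse_ca_caps(status, body)
    hash_alg = next((h for h in HASH_PREFERENCE if h.upper() in caps), LEGACY_HASH)
    cipher = next((c for c in CIPHER_PREFERENCE if c.upper() in caps), LEGACY_CIPHER)
    downgraded = hash_alg == LEGACY_HASH or cipher == LEGACY_CIPHER
    if strict and downgraded:
        raise ValueError(
            f"CA advertised no acceptable algorithms (status {status}); "
            f"refusing to fall back to {LEGACY_HASH}/{LEGACY_CIPHER}")
    return {
        "hash": hash_alg,
        "cipher": cipher,
        "post_pkioperation": "POSTPKIOPERATION" in caps,
        "downgraded": downgraded,
    }


# Constructed responses, not captured from a real Dogtag instance.
CURRENT_DOGTAG = (404, "")                       # what the ticket reports today
EXPECTED_DOGTAG = (200, build_ca_caps(["SHA256", "SHA512"], ["AES", "DES3"]))

if __name__ == "__main__":
    print("today:   ", negotiate(*CURRENT_DOGTAG))   # MD5/DES, downgraded=True
    print("expected:", negotiate(*EXPECTED_DOGTAG))  # SHA-512/AES, downgraded=False
    try:
        negotiate(*CURRENT_DOGTAG, strict=True)
    except ValueError as err:
        print("strict:  ", err)
```

The strict flag is where the risk trade-off discussed later in this thread lives: a client that tolerates the fallback is downgradable by anyone who can suppress the unauthenticated GetCACaps reply on plain HTTP, while one that refuses it cannot talk to a CA that serves no GetCACaps at all.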

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2015-03-10 00:56:33

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1198257 (Red Hat Certificate System)

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2015-03-10 00:58:00

Per CS/DS Meeting of 03/09/2015: 10.3

pki-bot commented 4 years ago

Comment from nkinder (@nkinder) at 2015-07-29 01:07:59

Certmonger recently added SCEP support, and it relies on GetCACaps. Without adding this support, certmonger fails with somewhat cryptic error messages. We should add this in 10.3 so certmonger works nicely with Dogtag via SCEP.

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2016-05-04 20:08:22

Per Bug Triage of 05/03/2016: 10.4

pki-bot commented 4 years ago

Comment from awnuk (@awnuk) at 2017-02-27 14:05:28

Metadata Update from @awnuk:

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-08-31 13:41:16

Metadata Update from @mharmsen:

pki-bot commented 4 years ago

Comment from tvaughan (@trevor-vaughan) at 2018-01-11 17:23:00

Is there going to be any movement on this?

Ideally, this would be something that I could enable if I choose to accept the risk as presented in http://tools.ietf.org/html/draft-nourse-scep-23#section-8.7.

I would like to note that for certmonger, you can make the entire SCEP transaction over HTTPS, so that threat is nullified and, as it currently sits, you have effectively executed the risk in certmonger since it will downgrade to the lowest possible cipher and hash by default and the user cannot override it. See https://pagure.io/certmonger/issue/89 for details.

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2018-04-13 15:01:02

Metadata Update from @mharmsen:

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2018-04-13 16:53:07

Per 10.5.x/10.6 Triage: 10.6

Upgrading SCEP is being proposed for 10.6

pki-bot commented 4 years ago

Comment from tvaughan (@trevor-vaughan) at 2018-09-10 15:00:34

Is this still on the road map for 10.6?