forked from certnanny/sscep
Customizing SSCEP
Endi S. Dewata edited this page Nov 3, 2021
SSCEP can be modified to use SHA2 hashes by editing sscep.c:
diff ../sscep-org/sscep.c sscep.c 368a369,372 > } else if (!strncmp(S_char, "sha256", 6)) { > sig_alg = (EVP_MD *)EVP_sha256(); > } else if (!strncmp(S_char, "sha512", 6)) { > sig_alg = (EVP_MD *)EVP_sha512(); 380a385,388 > } else if (!strncmp(F_char, "sha256", 6)) { > fp_alg = (EVP_MD *)EVP_sha256(); > } else if (!strncmp(F_char, "sha512", 6)) { > fp_alg = (EVP_MD *)EVP_sha512();
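Review bot: The strncmp(S_char, "sha256", 6) and strncmp(F_char, "sha256", 6) tests, and their sha512 counterparts, in both hunks compare only the first six characters, so an argument such as sha256x is silently accepted as SHA-256. Use strcmp, or a length of 7 so the terminating NUL is part of the comparison, so that a mistyped algorithm name is rejected rather than mapped to a digest. The (EVP_MD *) casts discard the const qualifier on the pointers returned by EVP_sha256() and EVP_sha512(); if sig_alg and fp_alg can be declared const EVP_MD *, the casts are unnecessary. Neither hunk touches the usage text, so the new sha256 and sha512 values should be documented wherever the existing algorithm names are listed.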
SSCEP can be modified to generate longer nonces by editing pkcs7.c:
diff ../sscep-org/pkcs7.c pkcs7.c 36c36,37 < s->sender_nonce_len = 16; --- > // s->sender_nonce_len = 16; > s->sender_nonce_len = 20;
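Review bot: The new assignment s->sender_nonce_len = 20 replaces one magic number with another and gives no reason for the value. Define a named constant for the nonce length with a comment stating why 20 bytes is wanted, and delete the commented-out 16-byte assignment instead of keeping it in the source. Since the length is fixed at compile time, it is also worth confirming that the SCEP server in use accepts a sender nonce of this size before the change is rolled out.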
SSCEP can be modified to generate SCEP requests using SHA2 algorithms by editing mkrequest:
diff ../sscep-org/mkrequest mkrequest 159a160,167 > if [ "$4" ]; then > DIGEST=-$4 > else > DIGEST="" > fi > > echo "DIGEST=$DIGEST" > 161c169 < openssl req -new -key $PREFIX.key -out $PREFIX.csr -config $CONFIG \ --- > openssl req -new -key $PREFIX.key $DIGEST -out $PREFIX.csr -config $CONFIG \
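Review bot: In the first hunk, DIGEST=-$4 turns whatever is in the fourth positional argument into an option for openssl req without checking it, and the second hunk expands $DIGEST unquoted on the openssl command line, so a value containing spaces becomes several extra arguments. Validate $4 against the digest names the script is meant to support (for example with a case statement that accepts sha256 and sha512 and exits with an error otherwise) before building DIGEST. The echo "DIGEST=$DIGEST" line reads as debugging output and should be removed or sent to stderr, and the new fourth argument needs to be added to the script's usage message.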
If necessary, the PKCS7 verification error can be ignored by modifying pkcs7.c:
diff ../sscep-org/pkcs7.c pkcs7.c 392c393 < exit (SCEP_PKISTATUS_P7); --- > //exit (SCEP_PKISTATUS_P7);
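Review bot: Commenting out exit (SCEP_PKISTATUS_P7) at line 393 makes every build continue after a failed PKCS7 verification, unconditionally, so the signature check on the message no longer has any effect on the outcome. If this bypass is needed for a specific test server, gate it behind an explicit command-line option that defaults to off and prints a warning when the failure is ignored, keeping the exit as the default path. The commented-out statement should not stay in the source as the record of the old behaviour.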