Customizing SSCEP

Endi S. Dewata edited this page Nov 3, 2021 · 4 revisions

Customizing Hash Algorithm

SSCEP can be modified to use SHA2 hashes by editing sscep.c:

diff ../sscep-org/sscep.c sscep.c
368a369,372
> 	} else if (!strncmp(S_char, "sha256", 6)) {
> 		sig_alg = (EVP_MD *)EVP_sha256();
> 	} else if (!strncmp(S_char, "sha512", 6)) {
> 		sig_alg = (EVP_MD *)EVP_sha512();
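Review bot: `strncmp(S_char, "sha256", 6)` compares only the first six characters, so any argument that merely starts with "sha256" or "sha512" (for example "sha256x") is silently accepted as that algorithm. Use `strcmp` for an exact match, or check that `S_char[6]` is the terminating NUL, so a mistyped algorithm name fails instead of selecting a digest the operator did not ask for.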
380a385,388
> 	} else if (!strncmp(F_char, "sha256", 6)) {
> 		fp_alg = (EVP_MD *)EVP_sha256();
> 	} else if (!strncmp(F_char, "sha512", 6)) {
> 		fp_alg = (EVP_MD *)EVP_sha512();
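Review bot: the `(EVP_MD *)` cast on `EVP_sha256()` and `EVP_sha512()` discards the `const` qualifier that OpenSSL puts on the returned pointer; declaring `fp_alg` (and `sig_alg` in the hunk above) as `const EVP_MD *` would remove the need for the cast. These four lines also repeat the name-to-digest mapping from the `S_char` branch, including the prefix-only `strncmp` match, so a small shared lookup helper would keep the two option parsers from drifting apart.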

Customizing Nonce Length

SSCEP can be modified to generate longer nonces by editing pkcs7.c:

diff ../sscep-org/pkcs7.c pkcs7.c
36c36,37
< 	s->sender_nonce_len = 16;
---
> //	s->sender_nonce_len = 16;
> 	s->sender_nonce_len = 20;
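Review bot: the new `s->sender_nonce_len = 20;` is an unexplained literal, and the previous value is kept only as a commented-out line. Drop the dead `//	s->sender_nonce_len = 16;` line, put the length behind a named constant with a comment saying why 20 is needed, and confirm that every buffer and comparison that consumes `sender_nonce_len` elsewhere in pkcs7.c does not assume 16 bytes, since none of that is visible in this hunk.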

Customizing SCEP Request

SSCEP can be modified to generate SCEP requests using SHA2 algorithms by editing mkrequest:

diff ../sscep-org/mkrequest mkrequest
159a160,167
> if [ "$4" ]; then
> 	DIGEST=-$4
> else
> 	DIGEST=""
> fi
>
> echo "DIGEST=$DIGEST"
>
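Review bot: `DIGEST=-$4` turns the fourth positional argument into an openssl option without checking it, so whatever the caller passes becomes part of the `openssl req` command line. Validate `$4` against the digest names the script is meant to support (for example with a `case "$4" in sha256|sha512) ... ;; *) exit 1 ;; esac` block) and fail on anything else. The `echo "DIGEST=$DIGEST"` line reads like leftover debugging output; remove it or send it to stderr. The usage text of mkrequest should also document the new fourth argument.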
161c169
< openssl req -new -key $PREFIX.key -out $PREFIX.csr -config $CONFIG \
---
> openssl req -new -key $PREFIX.key $DIGEST -out $PREFIX.csr -config $CONFIG \
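Review bot: `$DIGEST` is expanded unquoted on the `openssl req` line, which is what makes it disappear when empty, but it also means a value containing whitespace is split into several separate arguments. Writing it as `${DIGEST:+"$DIGEST"}` keeps the empty case working and passes a non-empty value as exactly one argument. Note too that when `$4` is omitted the request is still built with whatever digest `$CONFIG` or the openssl default selects, so the script does not by itself guarantee a SHA2 request.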

Customizing Error Handling

If necessary, PKCS7 verification errors can be ignored by modifying pkcs7.c:

diff ../sscep-org/pkcs7.c pkcs7.c
392c393
< 		exit (SCEP_PKISTATUS_P7);
---
> 		//exit (SCEP_PKISTATUS_P7);
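Review bot: commenting out `exit (SCEP_PKISTATUS_P7);` removes the only visible stop on a failed PKCS7 verification, so execution continues past line 393 and processes a response whose signature did not verify. If this is needed for a specific interoperability case, gate it behind an explicit opt-in (a command-line flag or build-time define) that is off by default and logs a warning each time the failure is ignored, instead of disabling the exit unconditionally. The commented-out line also leaves no record in the code of why the check was removed.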