The current SCEP spec section 4.7.1 states that the response to a GetNextCACert request should be a Signed-Data CMS message signed by the current CA certificate key, whose contents are a degenerate Signed-Data message containing the new certificates.

The current implementation of ScepServlet.doGetCaCert() returns a single degenerate Signed-Data message signed by the recipient key, but including the new certificates.
The following is a sketch of the proposed fix:
```java
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSAbsentContent;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.SignerInfoGenerator;
import org.bouncycastle.cms.SignerInfoGeneratorBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

// Inner message: degenerate Signed-Data (no SignerInfos) carrying only the
// new CA certificate store. 'store' holds the new certificate(s).
CMSSignedDataGenerator innerGenerator = new CMSSignedDataGenerator();
innerGenerator.addCertificates(store);
CMSSignedData degenerateSd = innerGenerator.generate(new CMSAbsentContent());

// Outer message: Signed-Data over the DER encoding of the inner message,
// signed by the *current* CA key so existing clients can verify it.
// getSigner() / getSignerKey() are the servlet's current CA cert and key.
CMSSignedDataGenerator outerGenerator = new CMSSignedDataGenerator();
DigestCalculatorProvider digestProvider = new JcaDigestCalculatorProviderBuilder().build();
SignerInfoGeneratorBuilder infoGenBuilder = new SignerInfoGeneratorBuilder(digestProvider);
X509CertificateHolder certHolder = new X509CertificateHolder(getSigner().getEncoded());
// SHA1withRSA as in the original sketch; SHA256withRSA is the current choice.
ContentSigner contentSigner = new JcaContentSignerBuilder("SHA1withRSA").build(getSignerKey());
SignerInfoGenerator infoGen = infoGenBuilder.build(contentSigner, certHolder);
outerGenerator.addSignerInfoGenerator(infoGen);
JcaCertStore signerStore = ...; // Generate a JcaCertStore from the signer certificate & chain
outerGenerator.addCertificates(signerStore);
// 'true' encapsulates the inner message as the signed content (not detached).
CMSSignedData outerSd = outerGenerator.generate(
        new CMSProcessableByteArray(degenerateSd.getEncoded()), true);
byte[] bytes = outerSd.getEncoded();
res.getOutputStream().write(bytes);
res.getOutputStream().close();
```
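The client-side counterpart of the structure described in this issue, written here as an added example (it is not jscep code and not part of the original report): it verifies the outer Signed-Data against the current CA certificate the client already trusts, deliberately ignores any certificates embedded in the message as a trust anchor, then unwraps the inner degenerate Signed-Data and returns the new certificate(s). The class and method names (`GetNextCaCertResponseVerifier`, `extractNextCaCerts`) are hypothetical; it assumes BouncyCastle's `bcpkix` on the classpath.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessable;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.util.Store;

/** Hypothetical client-side check for a GetNextCACert response (example only). */
public final class GetNextCaCertResponseVerifier {

    private GetNextCaCertResponseVerifier() {
    }

    /**
     * @param response  raw bytes returned by the SCEP server for GetNextCACert
     * @param currentCa the CA certificate the client already trusts
     * @return the new CA certificate(s) carried by the inner degenerate Signed-Data
     */
    public static List<X509Certificate> extractNextCaCerts(byte[] response,
            X509Certificate currentCa) throws Exception {
        CMSSignedData outer = new CMSSignedData(response);

        // 1. The outer Signed-Data must be signed, and every SignerInfo must
        //    verify against the CURRENT CA certificate. Certificates embedded
        //    in the message are not used as a trust anchor: trusting them would
        //    let anyone mint a "next CA" and hand it to the client.
        Collection<SignerInformation> signers = outer.getSignerInfos().getSigners();
        if (signers.isEmpty()) {
            throw new CMSException("GetNextCACert response is not signed");
        }
        JcaSimpleSignerInfoVerifierBuilder verifierBuilder = new JcaSimpleSignerInfoVerifierBuilder();
        for (SignerInformation signer : signers) {
            if (!signer.verify(verifierBuilder.build(currentCa))) {
                throw new CMSException("outer signature does not verify against the current CA");
            }
        }

        // 2. The signed content must be present (encapsulated, not detached) and
        //    must itself parse as a degenerate Signed-Data: no signers, only certs.
        CMSProcessable signedContent = outer.getSignedContent();
        if (signedContent == null) {
            throw new CMSException("outer Signed-Data has detached content; inner message missing");
        }
        byte[] innerBytes = (byte[]) signedContent.getContent();
        CMSSignedData inner = new CMSSignedData(innerBytes);
        if (!inner.getSignerInfos().getSigners().isEmpty()) {
            throw new CMSException("inner Signed-Data is not degenerate (has SignerInfos)");
        }

        // 3. Collect the new CA certificate(s) from the inner certificate set.
        JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
        Store<X509CertificateHolder> certStore = inner.getCertificates();
        List<X509Certificate> nextCaCerts = new ArrayList<>();
        for (X509CertificateHolder holder : certStore.getMatches(null)) {
            nextCaCerts.add(converter.getCertificate(holder));
        }
        if (nextCaCerts.isEmpty()) {
            throw new CMSException("inner Signed-Data carries no certificates");
        }
        return nextCaCerts;
    }
}
```

The important design point is the order of checks: the outer signature is verified with a certificate the client already holds before anything inside the envelope is parsed or trusted, and the inner message is rejected if it is not actually degenerate. What the example does not do is decide whether the returned certificates are acceptable as the next CA (validity window, key usage, matching subject); that policy belongs to the caller.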