Problem with enrollment on cisco router

[Drig69]

I tried to make a lab with an IpSec VPN between 2 Cisco 2800 routers (old, with only SHA1 hash) with a scep auto enrollment. I have to use an Ubuntu server for the CA so i decided to use smallstep CA to provide a scep server. I've managed to get the CA certificate with the Cisco command 'crypto pki authenticate trustpoint_name' but when i tried to enroll the trustpoint, it failed with this message on the CA console :
ERRO[0136] duration="891.927µs" duration-ns=891927 error="scep get request failed: failed parsing SCEP request: pkcs7: cannot decrypt data: only RSA, DES, DES-EDE3, AES-256-CBC and AES-128-GCM supported" fields.time="2024-12-10T17:15:46+01:00" method=GET name=ca path="/scep/myscep/pkiclient.exe?operation=PKIOperation&message=MIIJIQYJKoZIhvcNAQcCoIIJEjCCCQ4CAQExDjAMBggqhkiG9w0CBQUAMIIEUQYJ%0AKoZIhvcNAQcBoIIEQgSCBD4wggQ6BgkqhkiG9w0BBw.............D%0A" protocol=HTTP/1.0 referer= remote-address=10.0.0.1 request-id=a619b201-9f6f-421b-a2a4-bc4387dfa81d size=145 status=500 user-agent= user-id=

I tried with an sscep client on computer and it worked.

My cisco pki configuration :
crypto pki trustpoint ubo

enrollment url http://10.0.0.3:8080/scep/myscep

password 7 071F205F5D1E161713

subject-name CN=testubo

revocation-check none

My ca.json configuration :
{
"root": "/root/.step/certs/root_ca.crt",
"federatedRoots": null,
"crt": "/root/.step/certs/intermediate_ca.crt",
"key": "/root/.step/secrets/intermediate_ca_key",
"address": "127.0.0.1:2016",
"insecureAddress": ":8080",
"dnsNames": [
"127.0.0.1"
],
"logger": {
"format": "text"
},
"db": {
"type": "badgerv2",
"dataSource": "/root/.step/db",
"badgerFileLoadingMode": ""
},
"authority": {
"provisioners": [
{
"type": "JWK",
"name": "hadri",
"key": {
"use": "sig",
"kty": "EC",
"kid": "ZKDSXDysfztANIZueMO_096snANaOuEUtWl9cgai5fE",
"crv": "P-256",
"alg": "ES256",
"x": "tn9PZeoUKL2vXKwFLXWd8LZch77-zOMrm93nQJFTlCg",
"y": "T0PH8G9lyD8oWtK18bsPuZmPiPjQY87dSUH7i8rvJcg"
},
"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiaUFfZWkwVGlydmxOaTM3OXBCMlJKdyJ9.lsY8nFtzYh307PTpGs5C5pwhPGcDg1ZxVFz55ARZ3XkkHZ7pR-QpJw.9G2TSpkmvOCtr9a6.ra_JlginsSciJ6DDvCGS-uF74jWsKGXV5qGoXocVI7Ky9aqrX0_WI0cz2X7aBZt0Fvj6Wv_hfzyKjPPC3vgONx_2dZENWpoP0dGUyHyajzSILQGVnGINtLVnFFFv-REAgN0eCTqt1QyFUCULVbT3v59h1g2phGYf59iVOBeCmVGmU9wHW_BRvKHUA6xOA8uH2HqCKYyriFFs3rq0GieN-4zKXmYKWsEoLK5Dw7KfuYDFSP8HIcrnfnhmopk-MsLLzpTHuyT_GZ2tSlqG-5C0pgbahKqzfVNOXc3Avmpjk6vStfM8hSo_skJUtFWWzVlQVUaWD-OboRsy4_EIj8E.AkgSCuulaRt9-myVvr5kVg"
},
{
"type": "SCEP",
"name": "myscep",
"minimumPublicKeyLength": 1024,
"encryptionAlgorithmIdentifier": 2,
"challenge":"pipi",
"forceCN": true,
"options": {
"x509": {},
"ssh": {}
},
"claims": {
"enableSSHCA": true,
"disableRenewal": false,
"allowRenewalAfterExpiry": false,
"disableSmallstepExtensions": false
}
}
],
"template": {},
"backdate": "1m0s"
},
"tls": {
"cipherSuites": [
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
],
"minVersion": 1.2,
"maxVersion": 1.3,
"renegotiation": false
},
"commonName": "Step Online CA"
}

The error from the router :
Dec 10 17:16:26.619: CRYPTO_PKI: unlocked trustpoint ubo, refcount is e

Dec 10 17:16:26.623: CRYPTO_PKI: locked trustpoint ubo, refcount is 1

Dec 10 17:16:26.627: CRYPTO_PKI: unlocked trustpoint ubo , refcount is

Dec 10 17:16:26.627: CRYPTO_PKI: received msg of 367 bytes

Dec 10 17:16:26.627: CRYPTO PKI: HTTP header:

HTTP/1.0 500 Internal Server Error

Content-Type: text/plain; charset=utf-8

X-Content-Type-Options: nosniff

X-Request-Id: a619b201-9f6f-421b-a2a4-bc4387dfa81d

Date: Tue, 10 Dec 2024 16:15:46 GMT

Content-Length: 145

Dec 10 17:16:26.627: CRYPTO PKI: Received pki message (PKCS7) for trustpoint ubo: 145 bytes

73 63 65 70 20 67 65 74 20 72 65 71 75 65 73 74

20 66 61 69 60 65 64 3A 20 66 61 69 60 65 64 20

70 61 72 73

75 65 73 74

69 68 67 20 53 43 45 50 20 72 65 71

3A 20 70 68 63 73 37 3A 28 63 61 6E

6E 6F 74 20 64 65 63 72 79 70 74 20 64 61 74 61

3A 20 6F 6E 6C 79 20 52 53 41 20 20 44 45 53 20

20 44 45 53 20 45 44 45 33 20 20 41 45 53 20 32

35 36 20 43 42 43 20 61 6E 64 20 41 45 53 2D 31

32 38 20 47 43 40 20 73 75 70 70 6F 72 74 65.64

BA

Dec 10 17:16:26.631: CRYPTO PKI: make trustedCerts list for ubo

Dec 10 17:16:26.631: CRYPTO_PKI: subject="cn=intermediate CA" serial number 51 DA IF 95 EA 29 C5 C8 A8 49 24 35 60 OF 20 FE

Dec 18 17:16:26.635: E/cert-c/source/p7contnt.c(167): Error #703h

Dec 10 17:16:26.635: pkcs7 verify data returned status 0x703

Dec 10 17:16:26.635: CRYPTO PKI: status 1795: failed to verify

Dec 10 17:16:26.635: CRYPTO PKI: status 1795: failed to process the inner content

Dec 10 17:16:26.635: %PKI-6-CERTFAIL: Certificate enrollment failed.

Dec 10 17:16:26:635: CRYPTO_PKI: All enrollment requests completed for trustpoint ubo.

Dec 18 17:16:26.635: CRYPTO PKI: All enrollment requests completed for trustpoint ubo.

Dec 10 17:16:26.635: CRYPTO PKI: All enrollment requests completed for trustpoint ubo.

Dec 10 17:16:26.639: CRYPTO_PKI: All enrollment requests completed for trustpoint ubo.

Thanks by advance.

[hslatman]

Are you using an RSA intermediate CA? If you don't know, can you show the output of step certificate inspect /root/.step/certs/intermediate_ca.crt? If sscep worked I think the answer is yes, but I just want to verify.

Can you try if you can get the contents of the request (the whole message=... part) and share it? It sounds like the message may be encrypted using an algorithm that our server doesn't currently support.

[Drig69]

Are you using an RSA intermediate CA? If you don't know, can you show the output of step certificate inspect /root/.step/certs/intermediate_ca.crt? If sscep worked I think the answer is yes, but I just want to verify.

Can you try if you can get the contents of the request (the whole message=... part) and share it? It sounds like the message may be encrypted using an algorithm that our server doesn't currently support.

Hello, yes im using an RSA intermediate CA, here the output of the command :
root@pipi-VirtualBox:/home/pipi# step certificate inspect /root/.step/certs/intermediate_ca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 108800029005902698219868613108430733566 (0x51da1f95ea29c5c8a8492435600f00fe)
Signature Algorithm: SHA1-RSA
Issuer: CN=Root_CA
Validity
Not Before: Dec 9 15:35:42 2024 UTC
Not After : Dec 10 03:35:39 2034 UTC
Subject: CN=intermediate_CA
Subject Public Key Info:
Public Key Algorithm: RSA
Public-Key: (2048 bit)
Modulus:
b9:1a:e1:ce:5c:ac:f3:fb:67:e4:7f:71:4f:05:79:
f0:0e:bb:26:dd:f2:03:de:16:13:8d:45:05:9d:83:
5f:1b:8d:03:44:b6:42:f1:da:df:96:23:e7:a9:35:
fb:16:fc:86:9d:d6:15:58:62:7f:1f:2f:3a:c6:a7:
38:f8:51:90:34:cd:06:3c:3f:84:d7:b1:3b:96:a5:
36:7d:c9:e1:c6:7c:10:ad:ae:55:cc:11:dc:6b:19:
87:86:07:49:26:9f:c5:16:ef:53:f3:5c:f4:ee:65:
d6:3f:cb:f5:49:2a:44:7a:4d:11:7d:ed:d1:af:8d:
06:87:a9:c4:f1:db:c2:0a:48:e7:c9:bb:33:43:43:
9a:6c:06:a9:41:2e:05:bf:3d:f5:39:be:02:e7:fc:
a5:21:c2:c6:5e:05:2f:f8:02:38:c9:fb:f4:f9:d9:
62:c7:cd:dc:44:93:0e:17:cb:1e:a2:67:39:b0:f8:
4a:07:5e:39:7e:f8:89:fc:9a:25:3d:3f:e9:3c:70:
d2:9a:7c:75:df:d9:d4:2e:a8:c4:3c:92:be:13:5d:
80:18:c5:3c:35:de:68:3b:4d:01:30:5b:f0:9a:b3:
90:61:22:8c:a0:f5:c7:03:44:eb:85:b9:1e:bd:a7:
df:4c:01:47:12:43:c0:59:28:66:15:b5:1a:99:fd:
31
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
17:B8:6A:91:58:22:84:2D:DB:08:1B:F2:D2:65:7F:7C:A9:88:47:37
X509v3 Authority Key Identifier:
keyid:6F:EE:15:FD:38:14:5C:2B:E7:13:F5:F3:BD:71:DF:8B:5F:DF:62:2C
Signature Algorithm: SHA1-RSA
8a:2c:ee:37:ee:e5:bf:2d:94:9e:0e:a5:a9:b8:6f:ff:ec:92:
f3:1c:4a:68:44:17:95:18:1b:fb:b4:4b:b8:54:dd:0e:19:1a:
57:a0:e7:3c:cb:ba:e2:5b:12:c7:da:af:39:f4:6a:8a:0f:bf:
01:99:e5:18:44:a9:ad:2a:9c:4d:82:35:56:cc:95:41:0b:96:
62:18:1d:6d:2f:81:d5:4f:07:ef:d4:9c:08:4d:7d:67:dd:0f:
59:6b:a3:ea:95:89:50:9d:cd:a1:61:66:5d:ce:14:bb:81:e1:
40:fe:d1:38:a2:8a:71:15:f4:31:33:25:aa:49:cb:2c:50:62:
2e:56:4c:f5:3d:8f:b5:b3:f9:70:66:29:88:28:6f:3c:e3:24:
67:7e:df:5d:c0:79:49:dd:82:a3:cc:fc:da:2b:9f:e9:6b:23:
aa:4d:80:8c:e8:43:55:01:56:5e:b4:c4:6c:64:de:a0:ca:79:
ca:44:37:1d:99:33:cb:ce:38:24:b0:f6:f5:9f:d2:92:1f:0c:
7d:59:27:30:85:d3:fa:e5:3d:53:ce:be:89:1a:1b:92:dd:e7:
c6:57:24:8f:f8:b2:41:38:a5:dd:65:93:68:1e:d3:61:72:c9:
3e:f9:58:74:4b:3d:d1:ad:d0:a2:24:c0:f4:41:65:49:14:18:
34:2a:1d:86

and here the full content error message :
ERRO[0136] duration="891.927µs" duration-ns=891927 error="scep get request failed: failed parsing SCEP request: pkcs7: cannot decrypt data: only RSA, DES, DES-EDE3, AES-256-CBC and AES-128-GCM supported" fields.time="2024-12-10T17:15:46+01:00" method=GET name=ca path="/scep/myscep/pkiclient.exe?operation=PKIOperation&message=MIIJIQYJKoZIhvcNAQcCoIIJEjCCCQ4CAQExDjAMBggqhkiG9w0CBQUAMIIEUQYJ%0AKoZIhvcNAQcBoIIEQgSCBD4wggQ6BgkqhkiG9w0BBwOgggQrMIIEJwIBADGCAUIw%0AggE%2BAgEAMCYwEjEQMA4GA1UEAwwHUm9vdF9DQQIQUdofleopxcioSSQ1YA8A%2FjAN%0ABgkqhkiG9w0BAQEFAASCAQAMSD%2FfLntfEyYGC7TiPaRE3t%2BBWKEh37tbgYWqnxmo%0ABNNClnUTZU9YY%2FEcTXDExK5Vvr%2FrjN9XTmvTZnqCpf3LSCOZ7PRwoVSobmyXTcPf%0A95Sx9uY8rMo%2B8WVK59QN8pIFyP1rlbNTmcFJ%2FgV7KYiXQm4z7CwT2xLv8EZUDvVP%0Aa6KKQ8TZzBlR1Lt9tcF5DCyQS02lD1QBPel1406seaZ5EC2IsQX8AQhAJku7nptI%0ARkBLDc2q0019iLTi7skltrL8PsD%2BW73OYgJx00c7G9CtSaFIiFHcTJd1nB%2Bx%2FeO%2F%0A6ePxjbAleK71zjN0fRoVRa%2BfymA1c3yLT2QR2Odoog1xMIIC2gYJKoZIhvcNAQcB%0AMBEGBSsOAwIHBAjeZdhhCcAAmICCArhL7mKrmkaK2bMquFj4vm%2FjCwXgpzwb4AY1%0AVKxMJfx4jkaWWmbZgPHFp56eJJ2qHj5BNLgkfh8968EOkignKDNnZta8PZgAmLNd%0Ai%2BpclZk1u5os4YaeenkBWfv0LV4k%2FwtTG0UxjhririYiiD%2BstFXCMf9OjTlufbSo%0Ad8uXeDMFRBWlmhAR7S6xzq3hRlSRWIakmaBbHUI6NFUJpQsNwJZLU1kHyR3Uuzmg%0A4H5lrn3XR%2BYIlPxdMj4YmlBuukeveLeg%2FFEhs03P359nQsxj7JDc4SUWt1Fo3%2BVb%0A3ea4%2FLIY09zTRSjwEKbewZk8QxvImQwhEITsCLpESDEn8U%2FaZBnJxhIc0Ba0ATfQ%0AeqFKtz18Mr6WLn94Giluy8J2RMuUMZW61MXe2qzv1Bzb6mkacWn1W%2BdlzPFVXEE7%0A3qoB5GhkQyyl2PYxscI5drEI07EiIzwAzMyoCbrfYaMY6vkYAj%2FcPCxEGLrAyh9y%0AUW1l%2FoiewNyG5HBs1wETEMeiu0eP5HYwSFaQtbj%2BWs3jlW%2Bi%2B2fsee%2FjetP48p7q%0AKTQFeXyi4AJy6lhsblSyOLbaq9Rw9WIgvA3sfqRSbtjNecc8oY7i2ZC6NW99DD3f%0A3AFq%2FXcbWA89zrjzvpK3PnUQIQ2KG8wxI63hnHhvXZnquxWFbJ3grKn4kVgaiDnm%0ATEBzWKst5ti2pRm2oQI13IIpuvQA4k2yUisWkhNFrDka2LiXNFVbcDGITjdJP0Tu%0AgGgadjvYp%2BuA5CUYZSvUpmee1dw4mui5WhFzTwFajgMURrYjuUXD8WXvPlU3M5hO%0AL7P0%2FzBwZFxlaHQiVJDCe5Xj7m4ORTf7wToV1ZFSwo5qQoZKk04JKSzYr28ynraj%0A10mdhCFHfDBhBugOvOUjD08OImDRCQ9Zc%2FgWtymxZCQBp9S2Jgk8TX9uq9sDkhmg%0AggKuMIICqjCCAZICAQcwDQYJKoZIhvcNAQEEBQAwGzEZMBcGCSqGSIb3DQEJAhYK%0AdWJvLnViby5mcjAeFw0yNDEyMTAxNzE2MjNaFw0zNDEyMDgxNzE2MjNaMBsxGTAX%0ABgkqhkiG9w0BCQIWCnViby51Ym8uZnIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw%0AggEKAoIBAQCxaFsKwajboZsbMFvZs7hrw94VKoD2YSN5GLY8pNWTGNSz3SrAG3FY%0AEGwBA%2F%2FgTL11eXYldXnCLaUds6lWEoTkiN5qpzs37O7N%2FYOG6BKCghnULlXMCTY0%0AY92l61%2BOK6lX6afL62OkK1oI%2Bq0YqbGGfKEhXnXkRGYhUr0p8j4MJU5RAC2gfphy%0Azwo1Kcxn9WwdeTCIoyr3Lditj6skPLqHEHdb3wpwHP62qinnHmVWPNcsk9lnFtfd%0Ak0e%2B1sScL%2BW%2FPl6qaOZylFlK3mEgX8O1%2Bi7X8gii2zK%2B%2Bw8M%2Bf93hroDuTDSLeQv%0AGcTZ%2F8P1jtcunvmK9ALt2OjFbU%2F%2BC%2BiPAgMBAAEwDQYJKoZIhvcNAQEEBQADggEB%0AAJatOOxLJ%2B1Fm4tHrdQ%2BPgC2KXaccKg9e4qfPVzvBqK5GAuwhp3Y5YnuujWdDRjb%0Asp2MU4mEWv%2BUFTp8D97SfLwl9rgYW0fo2ROUbu5G4JNbIZOdfZIkb2ImlQjlh%2FpX%0AVdU%2FDIsCWkIVv8%2BQPat2hR17%2FJS9zBUi2KmtnyFE7d5P3P5jTK8fAZO69JXohXys%0AtqKZLLj4U5Yu3L8U70fkanQTjXYcbGg5rs3cWBt5s8TCmdVH43AUp9hwh8XPdgao%0AtVIV%2FCu5j69iPGMLxeQrHBbqNTt0rYJg%2Ffgmty4JzIe5E5lDBRqNdp6RHIJrAr8e%0AHCpKXI%2FuX%2F9VWxFA3UuZ%2Bz4xggHwMIIB7AIBATAgMBsxGTAXBgkqhkiG9w0BCQIW%0ACnViby51Ym8uZnICAQcwDAYIKoZIhvcNAgUFAKCBozASBgpghkgBhvhFAQkCMQQT%0AAjE5MBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHwYJKoZIhvcNAQkEMRIEEJ%2Fq%0A6RNwhjHhHXhDzf9oliMwIAYKYIZIAYb4RQEJBTESBBCZHQtFs6Ln2R8l9%2FvbUMrr%0AMDAGCmCGSAGG%2BEUBCQcxIhMgRTk2RjhGMjM4N0U5RTdDQjREOEQwQjdFQUQwNjJC%0AQTgwDQYJKoZIhvcNAQEBBQAEggEAfxFMk1QD0uYeZXSnkrEiZbueT27pBVgkoZPn%0A%2BPdHjNXkRm%2FW2mOBomkW1q5Z%2FvN44NMZifbaT9TzYiZCLMk4vRmfxMTkEJ%2F9S7SI%0Agh1z3ja2dWGs6%2BOFqLpFYjuD0nE%2BEtZD4Kfz0c71%2FXqC9m9gxkG5BVyOv17jtXx7%0AonuMsCRUwJ7nZ4oGC%2FmFT3o3tDcEY0PfMqiuHH%2B4jSbBImZO5IKYQkv2XFxd2yDt%0An1azc29Zwl2TW5bSImIY2MOMv7XAg08aad%2FkWi%2B1vMA4XX2IDIh%2BS2MIcCnThQl6%0ArLRbpCxPcd09MKFa27LDLeAV9LKg%2BywskW%2BmPxu8806zb3%2B4pA%3D%3D%0A" protocol=HTTP/1.0 referer= remote-address=10.0.0.1 request-id=a619b201-9f6f-421b-a2a4-bc4387dfa81d size=145 status=500 user-agent= user-id=

[hslatman]

According to the request parsed, it seems DES-CBC is used as the encryption algorithm. Its OID seems to be in the list of supported algorithms, but somehow it fails to be seen as a supported algorithm.

I'll try to see if I can debug using pkcs7 directly.

Also see the below:

https://lapo.it/asn1js/#MIIJIQYJKoZIhvcNAQcCoIIJEjCCCQ4CAQExDjAMBggqhkiG9w0CBQUAMIIEUQYJKoZIhvcNAQcBoIIEQgSCBD4wggQ6BgkqhkiG9w0BBwOgggQrMIIEJwIBADGCAUIwggE-AgEAMCYwEjEQMA4GA1UEAwwHUm9vdF9DQQIQUdofleopxcioSSQ1YA8A_jANBgkqhkiG9w0BAQEFAASCAQAMSD_fLntfEyYGC7TiPaRE3t-BWKEh37tbgYWqnxmoBNNClnUTZU9YY_EcTXDExK5Vvr_rjN9XTmvTZnqCpf3LSCOZ7PRwoVSobmyXTcPf95Sx9uY8rMo-8WVK59QN8pIFyP1rlbNTmcFJ_gV7KYiXQm4z7CwT2xLv8EZUDvVPa6KKQ8TZzBlR1Lt9tcF5DCyQS02lD1QBPel1406seaZ5EC2IsQX8AQhAJku7nptIRkBLDc2q0019iLTi7skltrL8PsD-W73OYgJx00c7G9CtSaFIiFHcTJd1nB-x_eO_6ePxjbAleK71zjN0fRoVRa-fymA1c3yLT2QR2Odoog1xMIIC2gYJKoZIhvcNAQcBMBEGBSsOAwIHBAjeZdhhCcAAmICCArhL7mKrmkaK2bMquFj4vm_jCwXgpzwb4AY1VKxMJfx4jkaWWmbZgPHFp56eJJ2qHj5BNLgkfh8968EOkignKDNnZta8PZgAmLNdi-pclZk1u5os4YaeenkBWfv0LV4k_wtTG0UxjhririYiiD-stFXCMf9OjTlufbSod8uXeDMFRBWlmhAR7S6xzq3hRlSRWIakmaBbHUI6NFUJpQsNwJZLU1kHyR3Uuzmg4H5lrn3XR-YIlPxdMj4YmlBuukeveLeg_FEhs03P359nQsxj7JDc4SUWt1Fo3-Vb3ea4_LIY09zTRSjwEKbewZk8QxvImQwhEITsCLpESDEn8U_aZBnJxhIc0Ba0ATfQeqFKtz18Mr6WLn94Giluy8J2RMuUMZW61MXe2qzv1Bzb6mkacWn1W-dlzPFVXEE73qoB5GhkQyyl2PYxscI5drEI07EiIzwAzMyoCbrfYaMY6vkYAj_cPCxEGLrAyh9yUW1l_oiewNyG5HBs1wETEMeiu0eP5HYwSFaQtbj-Ws3jlW-i-2fsee_jetP48p7qKTQFeXyi4AJy6lhsblSyOLbaq9Rw9WIgvA3sfqRSbtjNecc8oY7i2ZC6NW99DD3f3AFq_XcbWA89zrjzvpK3PnUQIQ2KG8wxI63hnHhvXZnquxWFbJ3grKn4kVgaiDnmTEBzWKst5ti2pRm2oQI13IIpuvQA4k2yUisWkhNFrDka2LiXNFVbcDGITjdJP0TugGgadjvYp-uA5CUYZSvUpmee1dw4mui5WhFzTwFajgMURrYjuUXD8WXvPlU3M5hOL7P0_zBwZFxlaHQiVJDCe5Xj7m4ORTf7wToV1ZFSwo5qQoZKk04JKSzYr28ynraj10mdhCFHfDBhBugOvOUjD08OImDRCQ9Zc_gWtymxZCQBp9S2Jgk8TX9uq9sDkhmgggKuMIICqjCCAZICAQcwDQYJKoZIhvcNAQEEBQAwGzEZMBcGCSqGSIb3DQEJAhYKdWJvLnViby5mcjAeFw0yNDEyMTAxNzE2MjNaFw0zNDEyMDgxNzE2MjNaMBsxGTAXBgkqhkiG9w0BCQIWCnViby51Ym8uZnIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxaFsKwajboZsbMFvZs7hrw94VKoD2YSN5GLY8pNWTGNSz3SrAG3FYEGwBA__gTL11eXYldXnCLaUds6lWEoTkiN5qpzs37O7N_YOG6BKCghnULlXMCTY0Y92l61-OK6lX6afL62OkK1oI-q0YqbGGfKEhXnXkRGYhUr0p8j4MJU5RAC2gfphyzwo1Kcxn9WwdeTCIoyr3Lditj6skPLqHEHdb3wpwHP62qinnHmVWPNcsk9lnFtfdk0e-1sScL-W_Pl6qaOZylFlK3mEgX8O1-i7X8gii2zK--w8M-f93hroDuTDSLeQvGcTZ_8P1jtcunvmK9ALt2OjFbU_-C-iPAgMBAAEwDQYJKoZIhvcNAQEEBQADggEBAJatOOxLJ-1Fm4tHrdQ-PgC2KXaccKg9e4qfPVzvBqK5GAuwhp3Y5YnuujWdDRjbsp2MU4mEWv-UFTp8D97SfLwl9rgYW0fo2ROUbu5G4JNbIZOdfZIkb2ImlQjlh_pXVdU_DIsCWkIVv8-QPat2hR17_JS9zBUi2KmtnyFE7d5P3P5jTK8fAZO69JXohXystqKZLLj4U5Yu3L8U70fkanQTjXYcbGg5rs3cWBt5s8TCmdVH43AUp9hwh8XPdgaotVIV_Cu5j69iPGMLxeQrHBbqNTt0rYJg_fgmty4JzIe5E5lDBRqNdp6RHIJrAr8eHCpKXI_uX_9VWxFA3UuZ-z4xggHwMIIB7AIBATAgMBsxGTAXBgkqhkiG9w0BCQIWCnViby51Ym8uZnICAQcwDAYIKoZIhvcNAgUFAKCBozASBgpghkgBhvhFAQkCMQQTAjE5MBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHwYJKoZIhvcNAQkEMRIEEJ_q6RNwhjHhHXhDzf9oliMwIAYKYIZIAYb4RQEJBTESBBCZHQtFs6Ln2R8l9_vbUMrrMDAGCmCGSAGG-EUBCQcxIhMgRTk2RjhGMjM4N0U5RTdDQjREOEQwQjdFQUQwNjJCQTgwDQYJKoZIhvcNAQEBBQAEggEAfxFMk1QD0uYeZXSnkrEiZbueT27pBVgkoZPn-PdHjNXkRm_W2mOBomkW1q5Z_vN44NMZifbaT9TzYiZCLMk4vRmfxMTkEJ_9S7SIgh1z3ja2dWGs6-OFqLpFYjuD0nE-EtZD4Kfz0c71_XqC9m9gxkG5BVyOv17jtXx7onuMsCRUwJ7nZ4oGC_mFT3o3tDcEY0PfMqiuHH-4jSbBImZO5IKYQkv2XFxd2yDtn1azc29Zwl2TW5bSImIY2MOMv7XAg08aad_kWi-1vMA4XX2IDIh-S2MIcCnThQl6rLRbpCxPcd09MKFa27LDLeAV9LKg-ywskW-mPxu8806zb3-4pA

[hslatman]

Got it: apparently the error is also returned when MD5 is used as the digest algorithm. This seems to be true for your request: algorithm OBJECT IDENTIFIER 1.2.840.113549.2.5 md5. MD5 is not supported in our pkcs7 library, and it's unlikely we'll add it (without additional guardrails). Is there an option to use a different hashing algorithm in your SCEP client?

It's a bit unfortunate that this error is returned in this case. It seems to be leftover from before we forked the repository at https://github.com/smallstep/pkcs7. I might fix that sometime soon.

[Drig69]

Thanks for the fast answer, my client is a old cisco router so i cant change the hashing and encryption algorithm, do you know when it can be patch.
Im asking because Im currently woking on a project where i need this kind of solution with an deadline.
Thanks again

[hslatman]

Thanks for the fast answer, my client is a old cisco router so i cant change the hashing and encryption algorithm, do you know when it can be patch. Im asking because Im currently woking on a project where i need this kind of solution with an deadline. Thanks again

It's unlikely that we'll add support for MD5 in pkcs7, so unfortunately that part won't be fixed soon. I can see an option in which the supported algorithms could be made more dynamic, but that would be a larger scope, and thus take longer (if we'd do it at all). If you really need MD5 quick, I'd suggest you to fork https://github.com/smallstep/pkcs7, add it there, and build your own step-ca binary (at least for now).

[Drig69]

Thanks, I would like to try the option u mentioned, i never used go, im newbie in coding, im more in network part, do you have some tips on the part of the file i have to modify or things like that ?
Thanks n'y advance

[hslatman]

@Drig69 general guidelines for working step-ca can be found here: https://github.com/smallstep/certificates/blob/master/CONTRIBUTING.md. Some parts do not apply, as the changes you're going to make are not intended to be added to the official step-ca, though.

You'll also need to check out https://github.com/smallstep/pkcs7, and set a replace in the go.mod file (or another method to change which exact dependency is used when building step-ca) pointing to your local copy of pkcs7 in the certificates repo. It'll look something like this in the certificates go.mod file:

replace github.com/smallstep/pkcs7 => /path/to/local/pkcs7

The exact changes you need are a bit too much to spell out completely, but you'll have to start with adding support for md5 in this type switch: https://github.com/smallstep/pkcs7/blob/fbab67b7673f9b78780d48d2f5757dac5da5509e/pkcs7.go#L94-L108. You should work your way up from there.

After patching the pkcs7 library, try compiling and running step-ca again.

[Drig69]

I tried to do it with a git clone, and did what u said and when i tried to compile with make bootstrap && make i have the following error :
root@pipi-VirtualBox:/home/pipi/Téléchargements/certificates-master# make bootstrap && make
./.version.sh: 4: Bad substitution
golangci/golangci-lint info checking GitHub for tag 'latest'
golangci/golangci-lint info found version: 1.62.2 for v1.62.2/linux/amd64
golangci/golangci-lint info installed /root/go/bin/golangci-lint
./.version.sh: 4: Bad substitution
ca/tls.go:135:2: SA1019: tr.DialTLS has been deprecated since Go 1.14: Use DialTLSContext instead, which allows the transport to cancel dials as soon as they are no longer needed. If both are set, DialTLSContext takes priority. (staticcheck)
tr.DialTLS = c.buildDialTLS(tlsCtx)
^
ca/tls.go:182:2: SA1019: tr.DialTLS has been deprecated since Go 1.14: Use DialTLSContext instead, which allows the transport to cancel dials as soon as they are no longer needed. If both are set, DialTLSContext takes priority. (staticcheck)
tr.DialTLS = c.buildDialTLS(tlsCtx)
^
test/integration/scep/internal/x509/oid.go:83:22: G115: integer overflow conversion int -> uint (gosec)
o := byte(n >> uint(i*7))
^
test/integration/scep/internal/x509/parser.go:279:11: SA1019: elliptic.Unmarshal has been deprecated since Go 1.21: for ECDH, use the crypto/ecdh package. This function accepts an encoding equivalent to that of the NewPublicKey methods in crypto/ecdh. (staticcheck)
x, y := elliptic.Unmarshal(namedCurve, der)
^
test/integration/scep/internal/x509/parser.go:10:2: SA1019: "crypto/dsa" has been deprecated since Go 1.16 because it shouldn't be used: DSA is a legacy algorithm, and modern alternatives such as Ed25519 (implemented by package crypto/ed25519) should be used instead. Keys with 1024-bit moduli (L1024N160 parameters) are cryptographically weak, while bigger keys are not widely supported. Note that FIPS 186-5 no longer approves DSA for signature generation. (staticcheck)
"crypto/dsa"
^
acme/linker.go:89:77: G602: slice index out of range (gosec)
return fmt.Sprintf("/%s/%s/%s/%s", provisionerName, typ, inputs[0], inputs[1])
^
acme/challenge.go:230:16: G115: integer overflow conversion uint64 -> uint8 (gosec)
return uint8(v.Uint())
^
acme/challenge.go:1105:32: G115: integer overflow conversion int64 -> int32 (gosec)
switch coseAlgorithmIdentifier(alg) {
^
scripts/badger-migration/main.go:309:18: G115: integer overflow conversion int -> uint16 (gosec)
length = uint16(len(bk))
^
scripts/badger-migration/main.go:311:11: G115: integer overflow conversion int -> uint16 (gosec)
if uint16(len(bk)) < start {
^
cas/cloudcas/certificate.go:253:25: G115: integer overflow conversion int -> int32 (gosec)
maxPathLength = int32(cert.MaxPathLen)
^
cas/cloudcas/certificate.go:307:17: G115: integer overflow conversion int -> int32 (gosec)
ret[i] = int32(v)
^
authority/provisioner/collection.go:213:39: G115: integer overflow conversion int -> uint32 (gosec)
binary.BigEndian.PutUint32(bi, uint32(c.sorted.Len()))
^
authority/provisioner/controller.go:192:19: G115: integer overflow conversion uint64 -> int64 (gosec)
if after := int64(cert.ValidAfter); after < 0 || unixNow < int64(cert.ValidAfter) {
^
authority/provisioner/controller.go:195:20: G115: integer overflow conversion uint64 -> int64 (gosec)
if before := int64(cert.ValidBefore); cert.ValidBefore != uint64(ssh.CertTimeInfinity) && (unixNow >= before || before < 0) && !p.Claimer.AllowRenewalAfterExpiry() {
^
authority/provisioner/jwk.go:280:63: G115: integer overflow conversion int64 -> uint64 (gosec)
signOptions = append(signOptions, sshCertValidBeforeModifier(opts.ValidBefore.RelativeTime(t).Unix()))
^
authority/provisioner/jwk.go:277:62: G115: integer overflow conversion int64 -> uint64 (gosec)
signOptions = append(signOptions, sshCertValidAfterModifier(opts.ValidAfter.RelativeTime(t).Unix()))
^
authority/provisioner/nebula.go:243:64: G115: integer overflow conversion int64 -> uint64 (gosec)
signOptions = append(signOptions, sshCertValidBeforeModifier(opts.ValidBefore.RelativeTime(t).Unix()))
^
authority/provisioner/nebula.go:240:63: G115: integer overflow conversion int64 -> uint64 (gosec)
signOptions = append(signOptions, sshCertValidAfterModifier(opts.ValidAfter.RelativeTime(t).Unix()))
^
authority/provisioner/sign_ssh_options.go:109:28: G115: integer overflow conversion int64 -> uint64 (gosec)
cert.ValidBefore = uint64(o.ValidBefore.RelativeTime(t).Unix())
^
authority/provisioner/sign_ssh_options.go:106:27: G115: integer overflow conversion int64 -> uint64 (gosec)
cert.ValidAfter = uint64(o.ValidAfter.RelativeTime(t).Unix())
^
authority/provisioner/sign_ssh_options.go:170:20: G115: integer overflow conversion int64 -> uint64 (gosec)
backdate = uint64(o.Backdate / time.Second)
^
authority/provisioner/sign_ssh_options.go:171:27: G115: integer overflow conversion int64 -> uint64 (gosec)
cert.ValidAfter = uint64(now().Truncate(time.Second).Unix())
^
authority/provisioner/sign_ssh_options.go:174:46: G115: integer overflow conversion int64 -> uint64 (gosec)
cert.ValidBefore = cert.ValidAfter + uint64(d/time.Second)
^
authority/provisioner/sign_ssh_options.go:209:20: G115: integer overflow conversion int64 -> uint64 (gosec)
backdate = uint64(o.Backdate / time.Second)
^
authority/provisioner/sign_ssh_options.go:210:27: G115: integer overflow conversion int64 -> uint64 (gosec)
cert.ValidAfter = uint64(now().Truncate(time.Second).Unix())
^
authority/provisioner/sign_ssh_options.go:213:35: G115: integer overflow conversion uint64 -> int64 (gosec)
certValidAfter := time.Unix(int64(cert.ValidAfter), 0)
^
authority/provisioner/sign_ssh_options.go:224:28: G115: integer overflow conversion int64 -> uint64 (gosec)
cert.ValidBefore = uint64(certValidBefore.Unix())
^
authority/provisioner/sign_ssh_options.go:226:37: G115: integer overflow conversion uint64 -> int64 (gosec)
certValidBefore := time.Unix(int64(cert.ValidBefore), 0)
^
authority/provisioner/sign_ssh_options.go:280:32: G115: integer overflow conversion int64 -> uint64 (gosec)
case cert.ValidBefore < uint64(now().Unix()):
^
authority/provisioner/sign_ssh_options.go:302:22: G115: integer overflow conversion uint64 -> int64 (gosec)
dur := time.Duration(cert.ValidBefore-cert.ValidAfter) * time.Second
^
authority/provisioner/sign_ssh_options.go:335:32: G115: integer overflow conversion int64 -> uint64 (gosec)
case cert.ValidBefore < uint64(now().Unix()):
^
authority/provisioner/sign_ssh_options.go:465:11: G115: integer overflow conversion int -> uint32 (gosec)
if uint32(len(in)) < length {
^
authority/provisioner/sshpop.go:121:20: G115: integer overflow conversion uint64 -> int64 (gosec)
if after := int64(sshCert.ValidAfter); after < 0 || unixNow < int64(sshCert.ValidAfter) {
^
authority/provisioner/sshpop.go:124:21: G115: integer overflow conversion uint64 -> int64 (gosec)
if before := int64(sshCert.ValidBefore); sshCert.ValidBefore != uint64(ssh.CertTimeInfinity) && (unixNow >= before || before < 0) {
^
authority/provisioner/x5c.go:338:63: G115: integer overflow conversion int64 -> uint64 (gosec)
signOptions = append(signOptions, sshCertValidBeforeModifier(opts.ValidBefore.RelativeTime(t).Unix()))
^
authority/provisioner/x5c.go:335:62: G115: integer overflow conversion int64 -> uint64 (gosec)
signOptions = append(signOptions, sshCertValidAfterModifier(opts.ValidAfter.RelativeTime(t).Unix()))
^
db/db.go:468:21: G115: integer overflow conversion uint64 -> int64 (gosec)
if time.Unix(int64(data.Expiry), 0).After(time.Now()) {
^
authority/linkedca.go:339:48: G115: integer overflow conversion int -> int32 (gosec)
ReasonCode: linkedca.RevocationReasonCode(rci.ReasonCode),
^
authority/linkedca.go:353:45: G115: integer overflow conversion int -> int32 (gosec)
ReasonCode: linkedca.RevocationReasonCode(rci.ReasonCode),
^
authority/linkedca.go:406:34: G115: integer overflow conversion int -> int32 (gosec)
Type: linkedca.Provisioner_Type(p.GetType()),
^
authority/provisioners.go:1260:43: G115: integer overflow conversion int -> int32 (gosec)
MinimumPublicKeyLength: int32(p.MinimumPublicKeyLength),
^
authority/provisioners.go:1263:43: G115: integer overflow conversion int -> int32 (gosec)
EncryptionAlgorithmIdentifier: int32(p.EncryptionAlgorithmIdentifier),
^
authority/ssh.go:359:27: G115: integer overflow conversion uint64 -> int64 (gosec)
duration := time.Duration(oldCert.ValidBefore-oldCert.ValidAfter) * time.Second
^
authority/ssh.go:373:26: G115: integer overflow conversion int64 -> uint64 (gosec)
ValidAfter: uint64(va.Unix()),
^
authority/ssh.go:374:26: G115: integer overflow conversion int64 -> uint64 (gosec)
ValidBefore: uint64(vb.Unix()),
^
authority/ssh.go:439:27: G115: integer overflow conversion uint64 -> int64 (gosec)
duration := time.Duration(oldCert.ValidBefore-oldCert.ValidAfter) * time.Second
^
authority/ssh.go:453:26: G115: integer overflow conversion int64 -> uint64 (gosec)
ValidAfter: uint64(va.Unix()),
^
authority/ssh.go:454:26: G115: integer overflow conversion int64 -> uint64 (gosec)
ValidBefore: uint64(vb.Unix()),
^
api/api.go:598:39: G115: integer overflow conversion uint64 -> int64 (gosec)
"valid-from": time.Unix(int64(cert.ValidAfter), 0).Format(time.RFC3339),
^
api/api.go:599:39: G115: integer overflow conversion uint64 -> int64 (gosec)
"valid-to": time.Unix(int64(cert.ValidBefore), 0).Format(time.RFC3339),
^
api/ssh.go:334:30: G115: integer overflow conversion uint64 -> int64 (gosec)
NotBefore: time.Unix(int64(cert.ValidAfter), 0),
^
api/ssh.go:335:30: G115: integer overflow conversion uint64 -> int64 (gosec)
NotAfter: time.Unix(int64(cert.ValidBefore), 0),
^
api/sshRekey.go:83:30: G115: integer overflow conversion uint64 -> int64 (gosec)
notBefore := time.Unix(int64(oldCert.ValidAfter), 0)
^
api/api.go:7:2: SA1019: "crypto/dsa" has been deprecated since Go 1.16 because it shouldn't be used: DSA is a legacy algorithm, and modern alternatives such as Ed25519 (implemented by package crypto/ed25519) should be used instead. Keys with 1024-bit moduli (L1024N160 parameters) are cryptographically weak, while bigger keys are not widely supported. Note that FIPS 186-5 no longer approves DSA for signature generation. (staticcheck)
"crypto/dsa" // support legacy algorithms
^
make: *** [Makefile:141 : lint] Erreur 1

[hslatman]

@Drig69, try it without the Makefile, using go build -o bin/step-ca cmd/step-ca/main.go