RHEL-50294

sscep enrollment fails when using AES256 encryption

    • Bug
    • Resolution: Unresolved
    • rhel-10.0
    • rhel-10.0.beta
    • pki-core
    • rhel-sst-idm-cs
    • ssg_idm
    • x86_64

      What were you trying to do that didn't work?

      Enroll a certificate using the SSCEP client with the AES-256 encryption algorithm, following the procedure below:
      https://github.com/dogtagpki/sscep/wiki/Certificate-Enrollment-with-SSCEP

      The sscep command --help states that the option -E aes256 is used to specify AES-256 encryption:

      $ sscep --help
      . . .
      -E <name> PKCS#7 encryption algorithm (des|3des|blowfish|aes[128]|aes192|aes256)
      . . .

      Package NVRs for which the bug is seen:

      sscep-0.10.0-1.x86_64
      python3-idm-pki-11.5.3-1.el10.noarch
      idm-pki-base-11.5.3-1.el10.noarch
      idm-jss-5.5.0-2.el10.x86_64
      idm-ldapjdk-5.5.0-2.el10.noarch
      idm-jss-tomcat-5.5.0-2.el10.x86_64
      idm-pki-java-11.5.3-1.el10.noarch
      idm-pki-tools-11.5.3-1.el10.x86_64
      idm-pki-server-11.5.3-1.el10.noarch
      idm-pki-ca-11.5.3-1.el10.noarch
      idm-pki-kra-11.5.3-1.el10.noarch

      How reproducible:

      Always

      Steps to reproduce

      1. Setup DS and CA instance
      2. Install sscep package
      3. Update password file with desired UID and PWD entries
      4. Create cert request with mkrequest command
      5. Export CA cert with sscep getca command
      6. Set the following in CA's CS.cfg file and restart the instance:

      ca.scep.allowedEncryptionAlgorithms=AES
      ca.scep.encryptionAlgorithm=AES

      Note: the AES value should work for AES-256, but setting it to AES256 also does not work.
      7. Enroll a cert using the sscep enroll command

      Expected results

      sscep enrollment should be successful

      Actual results

      Enrollment fails with 500 error:
      sscep: connecting to pki1.example.com:20080
      sscep: server response status code: 500, MIME header: text/html
      sscep: wrong (or missing) MIME content type
      sscep: error while sending message

      The debug log shows the error below:

      2024-07-23 13:33:13 [http-nio-20080-exec-14] SEVERE: CRSEnrollmenet: P10 encrypted alg is not supported (not DES): {2 16 840 1 101 3 4 1 42}
      java.lang.Exception: P10 encrypted alg is not supported (not DES): {2 16 840 1 101 3 4 1 42}
      at com.netscape.cmsutil.scep.CRSPKIMessage.decodeED(CRSPKIMessage.java:809)
      at com.netscape.cmsutil.scep.CRSPKIMessage.decodeSD(CRSPKIMessage.java:774)
      at com.netscape.cmsutil.scep.CRSPKIMessage.decodeCRSPKIMessage(CRSPKIMessage.java:730)
      at com.netscape.cmsutil.scep.CRSPKIMessage.<init>(CRSPKIMessage.java:739)
      . . .
      2024-07-23 13:33:13 [http-nio-20080-exec-14] SEVERE: CRSEnrollmenet: P10 encrypted alg is not supported (not DES): {2 16 840 1 101 3 4 1 42}
      java.lang.Exception: P10 encrypted alg is not supported (not DES): {2 16 840 1 101 3 4 1 42}
      . . .
      2024-07-23 13:33:13 [http-nio-20080-exec-14] SEVERE: CRSEnrollmenet: P10 encrypted alg is not supported (not DES): {2 16 840 1 101 3 4 1 42}
      java.lang.Exception: P10 encrypted alg is not supported (not DES): {2 16 840 1 101 3 4 1 42}
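      The OID the CA prints in that SEVERE line, 2.16.840.1.101.3.4.1.42, is id-aes256-CBC, so the client did send what -E aes256 promises and the rejection happens while the CA decodes the PKCS#7 EnvelopedData, not because of the CS.cfg values. The script below is an added, stand-alone triage helper (not Dogtag or sscep code): it maps the OID in the log line to the sscep -E name, decodes the content-encryption AlgorithmIdentifier straight from captured DER in case the log is unavailable, and checks the named algorithm against ca.scep.allowedEncryptionAlgorithms in a CS.cfg fragment. The log line, config fragment and DER bytes are constructed samples; the mapping from sscep names to Dogtag family names (DES, DES3, AES) and the DES3 default are assumptions.

```python
import re

# Content-encryption OIDs a SCEP client can put in EnvelopedData (RFC 8894,
# RFC 3370, RFC 3565), keyed to the names sscep accepts for -E.
CONTENT_ENCRYPTION_OIDS = {
    "1.3.14.3.2.7": "des",               # desCBC
    "1.2.840.113549.3.7": "3des",        # des-EDE3-CBC
    "2.16.840.1.101.3.4.1.2": "aes128",  # aes128-CBC
    "2.16.840.1.101.3.4.1.22": "aes192", # aes192-CBC
    "2.16.840.1.101.3.4.1.42": "aes256", # aes256-CBC
}

# Assumed mapping from sscep algorithm names to the family names used in
# ca.scep.allowedEncryptionAlgorithms.
_FAMILY = {"des": "DES", "3des": "DES3",
           "aes128": "AES", "aes192": "AES", "aes256": "AES"}


def parse_dogtag_oid(text):
    """Convert Dogtag's '{2 16 840 1 101 3 4 1 42}' form to dotted decimal."""
    return ".".join(text.strip().strip("{}").split())


def _read_tlv(data, offset):
    """Minimal DER TLV reader: returns (tag, content, end_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    hdr = 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[offset + 2:offset + 2 + n], "big")
        hdr += n
    start = offset + hdr
    return tag, data[start:start + length], start + length


def decode_der_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:                     # base-128, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def content_encryption_oid(algorithm_identifier):
    """Extract the OID from a DER AlgorithmIdentifier SEQUENCE {OID, params}."""
    tag, seq, _ = _read_tlv(algorithm_identifier, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, oid_body, _ = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_der_oid(oid_body)


def parse_cs_cfg(text):
    """Parse key=value lines of a CS.cfg fragment into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def ca_accepts(cfg, alg_name):
    """True if ca.scep.allowedEncryptionAlgorithms lists the algorithm's family.
    The DES3 fallback for a missing key is an assumption."""
    allowed = cfg.get("ca.scep.allowedEncryptionAlgorithms", "DES3")
    families = {a.strip().upper() for a in allowed.split(",")}
    return _FAMILY[alg_name] in families


def diagnose(log_line, cs_cfg_text):
    """Name the rejected algorithm and say whether CS.cfg already allows it.
    allowed_by_cs_cfg=True means the config is not what is rejecting it."""
    match = re.search(r"\{([\d ]+)\}", log_line)
    oid = parse_dogtag_oid(match.group(1)) if match else None
    name = CONTENT_ENCRYPTION_OIDS.get(oid, "unknown")
    cfg = parse_cs_cfg(cs_cfg_text)
    allowed = ca_accepts(cfg, name) if name != "unknown" else False
    return {"oid": oid, "algorithm": name, "allowed_by_cs_cfg": allowed}


# Constructed samples, not captured from a real CA.
SAMPLE_LOG_LINE = ("2024-07-23 13:33:13 [http-nio-20080-exec-14] SEVERE: CRSEnrollmenet: "
                   "P10 encrypted alg is not supported (not DES): {2 16 840 1 101 3 4 1 42}")
SAMPLE_CS_CFG = "ca.scep.allowedEncryptionAlgorithms=AES\nca.scep.encryptionAlgorithm=AES\n"
# AlgorithmIdentifier for aes256-CBC with a 16-byte zero IV (constructed DER).
AES256_CBC_ALGID = bytes.fromhex("301d060960864801650304012a0410") + bytes(16)
# AlgorithmIdentifier for des-EDE3-CBC with an 8-byte zero IV (constructed DER).
DES3_CBC_ALGID = bytes.fromhex("301406082a864886f70d03070408") + bytes(8)

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG_LINE, SAMPLE_CS_CFG))
    print(CONTENT_ENCRYPTION_OIDS.get(content_encryption_oid(AES256_CBC_ALGID)))
```

      If diagnose() reports allowed_by_cs_cfg True for aes256 while the enrollment still fails with the SEVERE line above, the CS.cfg change has taken effect and the rejection is coming from the CA's EnvelopedData decoding, which is the behaviour this issue reports; a False result instead points at the config.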

              Assignee: Unassigned
              Reporter: Taylor Herring (rh-ee-taherrin)
              RHCS Maintenance
              IdM CS QE