Using ecc keys with sscep throws error #89

Closed
gkauraneja opened this issue Feb 28, 2019 · 2 comments

@gkauraneja
Author

I am trying to use ECC keys for a SCEP call to my server. Each time I am facing the error below:

[root@localhost sscep]# ./sscep_static enroll -u http://10.97.57.229:8030/csrscep/CSRESEPA -k /root/ecc_certificates/key.pem -c ca.crt-0 ca.crt-1 ca.crt-2 -r /root/ecc_certificates/csr.csr -l local.crt -S sha1 -v
./sscep_static: starting sscep, version 0.6.1
./sscep_static: new transaction
./sscep_static: transaction id: D41D8CD98F00B204E9800998ECF8427E
./sscep_static: hostname: 10.97.57.229
./sscep_static: directory: csrscep/CSRESEPA
./sscep_static: port: 8030
./sscep_static: Read request with transaction id: A6358A3B391CC53F8C2E91CA8CF45F5C
./sscep_static: generating selfsigned certificate
./sscep_static: SCEP_OPERATION_ENROLL
./sscep_static: sending certificate request
./sscep_static: creating inner PKCS#7
./sscep_static: inner PKCS#7 in mem BIO
./sscep_static: request data dump
./sscep_static: data payload size: 333 bytes
./sscep_static: request payload encrypt failed
140148955121328:error:21082096:PKCS7 routines:PKCS7_RECIP_INFO_set:encryption not supported for this key type:pk7_lib.c:541:
140148955121328:error:21073078:PKCS7 routines:PKCS7_encrypt:error adding recipient:pk7_smime.c:503:
[root@localhost sscep]#

Could you elaborate on what could be done to make ECC keys work with it?

@gkauraneja changed the title from "E=Using ecc keys with sscep" to "Using ecc keys with sscep throws error" on Feb 28, 2019
@mbartosch
Contributor

40148955121328:error:21082096:PKCS7 routines:PKCS7_RECIP_INFO_set:encryption not supported for this key type:pk7_lib.c:541:

gives you the reason.

EC keys can be used for Digital Signatures but they are not (directly) usable for encryption. (This requires a workaround involving static ECDH parameters.)
I suspect that the SCEP RA Server certificate ca.crt-0 is also an EC certificate. Try an RSA certificate for the SCEP server certificate instead. (I would be surprised if this actually works with an EC SCEP RA server certificate with the static ECDH parameters, though).

I also have never tried to use sscep with EC end entity keys. From your test and from a quick glance at the code it looks like it could work, but I would not bet on it.
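
A pre-flight check for the failure discussed above, added here as an example (it is not part of the thread or of sscep): it reads the SubjectPublicKeyInfo algorithm OID from a PEM or DER certificate, so a candidate encryption recipient such as ca.crt-0 can be confirmed as RSA before enrolling. The function names are hypothetical and `skeleton_cert` builds a constructed, unsigned sample so the block runs offline.

```python
import base64

OIDS = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.10045.2.1": "id-ecPublicKey"}

def read_tlv(buf, pos=0):  # -> (tag, content, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):  # split a constructed element's content into (tag, content) pairs
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):  # OBJECT IDENTIFIER content octets -> dotted notation
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # the first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def key_algorithm(cert):  # subject public key algorithm of a PEM or DER certificate
    if b"-----BEGIN" in cert:
        body = [l for l in cert.splitlines() if l and not l.startswith(b"-----")]
        cert = base64.b64decode(b"".join(body))
    tbs = children(children(read_tlv(cert)[1])[0][1])  # fields of tbsCertificate
    if tbs[0][0] == 0xA0:  # skip the optional explicit [0] version field
        tbs = tbs[1:]
    spki = children(tbs[5][1])  # follows serial, sigalg, issuer, validity, subject
    oid = decode_oid(children(spki[0][1])[0][1])
    return OIDS.get(oid, oid)

def skeleton_cert(oid_der):  # constructed sample: cert-shaped DER, dummy signature
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    empty = tlv(0x30, b"")
    spki = tlv(0x30, tlv(0x30, tlv(0x06, oid_der)) + tlv(0x03, b"\x00"))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + empty * 4 + spki
    return tlv(0x30, tlv(0x30, tbs) + empty + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for oid in ("2a864886f70d010101", "2a8648ce3d0201"):  # RSA, EC (constructed)
        alg = key_algorithm(skeleton_cert(bytes.fromhex(oid)))
        print(alg, "RSA recipient" if alg == "rsaEncryption" else "not an RSA recipient")
```

To check real files, pass their bytes, for example `key_algorithm(open("ca.crt-0", "rb").read())`.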
