diff --git a/scep/api/api.go b/scep/api/api.go
index 9977e55a..bab60302 100644
--- a/scep/api/api.go
+++ b/scep/api/api.go
@@ -14,7 +14,7 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/smallstep/pkcs7"
-	microscep "github.com/smallstep/scep"
+	smallscep "github.com/smallstep/scep"
 	"github.com/smallstep/certificates/api"
 	"github.com/smallstep/certificates/api/log"
@@ -320,7 +320,7 @@ func GetCACert(ctx context.Context) (Response, error) {
 	// create degenerate pkcs7 certificate structure, according to
 	// https://tools.ietf.org/html/rfc8894#section-4.2.1.2, because
 	// not signed or encrypted data has to be returned.
-	data, err := microscep.DegenerateCertificates(certs)
+	data, err := smallscep.DegenerateCertificates(certs)
 	if err != nil {
 		return Response{}, err
 	}
@@ -345,16 +345,16 @@ func GetCACaps(ctx context.Context) (Response, error) {
 // PKIOperation performs PKI operations and returns a SCEP response
 func PKIOperation(ctx context.Context, req request) (Response, error) {
-	// parse the message using microscep implementation
-	microMsg, err := microscep.ParsePKIMessage(req.Message)
+	// parse the message using smallscep implementation
+	microMsg, err := smallscep.ParsePKIMessage(req.Message)
 	if err != nil {
 		// return the error, because we can't use the msg for creating a CertRep
 		return Response{}, err
 	}
-	// this is essentially doing the same as microscep.ParsePKIMessage, but
+	// this is essentially doing the same as smallscep.ParsePKIMessage, but
 	// gives us access to the p7 itself in scep.PKIMessage. Essentially a small
-	// wrapper for the microscep implementation.
+	// wrapper for the smallscep implementation.
 	p7, err := pkcs7.Parse(microMsg.Raw)
 	if err != nil {
 		return Response{}, err
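Review bot: The alias rename from `microscep` to `smallscep` is left half-done in PKIOperation: the two added comment lines now say "smallscep", but the variable they describe is still called `microMsg`, so the name no longer matches the package or the comments around it. Since `msg` is already taken further down for the `scep.PKIMessage` wrapper, a neutral name avoids the clash, e.g. `parsed, err := smallscep.ParsePKIMessage(req.Message)` and `p7, err := pkcs7.Parse(parsed.Raw)`. PKIOperation continues past the end of this hunk, so any further `microMsg` uses there would need the same change. The "MicroMDM SCEP client" wording in the later comment refers to the client project, not the alias, and should stay as is.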
@@ -384,12 +384,12 @@ func PKIOperation(ctx context.Context, req request) (Response, error) {
 	// even if using the renewal flow as described in the README.md. MicroMDM SCEP client also only does PKCSreq by default, unless
 	// a certificate exists; then it will use RenewalReq. Adding the challenge check here may be a small breaking change for clients.
 	// We'll have to see how it works out.
-	if msg.MessageType == microscep.PKCSReq || msg.MessageType == microscep.RenewalReq {
+	if msg.MessageType == smallscep.PKCSReq || msg.MessageType == smallscep.RenewalReq {
 		if err := auth.ValidateChallenge(ctx, csr, challengePassword, transactionID); err != nil {
 			if errors.Is(err, provisioner.ErrSCEPChallengeInvalid) {
-				return createFailureResponse(ctx, csr, msg, microscep.BadRequest, err)
+				return createFailureResponse(ctx, csr, msg, smallscep.BadRequest, err)
 			}
-			return createFailureResponse(ctx, csr, msg, microscep.BadRequest, errors.New("failed validating challenge password"))
+			return createFailureResponse(ctx, csr, msg, smallscep.BadRequest, errors.New("failed validating challenge password"))
 		}
 	}
@@ -407,7 +407,7 @@ func PKIOperation(ctx context.Context, req request) (Response, error) {
 		// TODO(hs): ignore this error case? It's not critical if the notification fails; but logging it might be good
 		_ = notifyErr
 	}
-	return createFailureResponse(ctx, csr, msg, microscep.BadRequest, fmt.Errorf("error when signing new certificate: %w", err))
+	return createFailureResponse(ctx, csr, msg, smallscep.BadRequest, fmt.Errorf("error when signing new certificate: %w", err))
 }
 	if notifyErr := auth.NotifySuccess(ctx, csr, certRep.Certificate, transactionID); notifyErr != nil {
@@ -448,7 +448,7 @@ func fail(w http.ResponseWriter, err error) {
 	http.Error(w, err.Error(), http.StatusInternalServerError)
 }
-func createFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *scep.PKIMessage, info microscep.FailInfo, failError error) (Response, error) {
+func createFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *scep.PKIMessage, info smallscep.FailInfo, failError error) (Response, error) {
 	auth := scep.MustFromContext(ctx)
 	certRepMsg, err := auth.CreateFailureResponse(ctx, csr, msg, scep.FailInfoName(info), failError.Error())
 	if err != nil {
diff --git a/scep/authority.go b/scep/authority.go
index 185513ef..85faba07 100644
--- a/scep/authority.go
+++ b/scep/authority.go
@@ -9,8 +9,8 @@ import (
 	"sync"
 	"github.com/smallstep/pkcs7"
-	microscep "github.com/smallstep/scep"
-	microx509util "github.com/smallstep/scep/x509util"
+	smallscep "github.com/smallstep/scep"
+	smallscepx509util "github.com/smallstep/scep/x509util"
 	"go.step.sm/crypto/x509util"
@@ -203,14 +203,14 @@ func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) err
 	msg.pkiEnvelope = envelope
 	switch msg.MessageType {
-	case microscep.CertRep:
-		certs, err := microscep.CACerts(msg.pkiEnvelope)
+	case smallscep.CertRep:
+		certs, err := smallscep.CACerts(msg.pkiEnvelope)
 		if err != nil {
 			return fmt.Errorf("error extracting CA certs from pkcs7 degenerate data: %w", err)
 		}
 		msg.CertRepMessage.Certificate = certs[0]
 		return nil
-	case microscep.PKCSReq, microscep.UpdateReq, microscep.RenewalReq:
+	case smallscep.PKCSReq, smallscep.UpdateReq, smallscep.RenewalReq:
 		csr, err := x509.ParseCertificateRequest(msg.pkiEnvelope)
 		if err != nil {
 			return fmt.Errorf("parse CSR from pkiEnvelope: %w", err)
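Review bot: In the `smallscep.CertRep` branch of DecryptPKIEnvelope, `msg.CertRepMessage.Certificate = certs[0]` indexes the result of `smallscep.CACerts` without checking its length; if that helper can return an empty slice with a nil error for a degenerate PKCS#7 that carries no certificates, this panics on peer-supplied envelope content instead of returning an error. A guard before the assignment keeps the failure explicit: `if len(certs) == 0 { return errors.New("no certificates in pkcs7 degenerate data") }`. It is also not visible in this hunk whether `msg.CertRepMessage` is guaranteed non-nil when this branch runs, so that is worth confirming in the caller. The rename itself is complete in this hunk; DecryptPKIEnvelope and its switch continue past the hunk's last line.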
@@ -219,17 +219,17 @@ func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) err
 			return fmt.Errorf("invalid CSR signature; %w", err)
 		}
 		// extract the challenge password
-		cp, err := microx509util.ParseChallengePassword(msg.pkiEnvelope)
+		cp, err := smallscepx509util.ParseChallengePassword(msg.pkiEnvelope)
 		if err != nil {
 			return fmt.Errorf("parse challenge password in pkiEnvelope: %w", err)
 		}
-		msg.CSRReqMessage = µscep.CSRReqMessage{
+		msg.CSRReqMessage = &smallscep.CSRReqMessage{
 			RawDecrypted: msg.pkiEnvelope,
 			CSR: csr,
 			ChallengePassword: cp,
 		}
 		return nil
-	case microscep.GetCRL, microscep.GetCert, microscep.CertPoll:
+	case smallscep.GetCRL, smallscep.GetCert, smallscep.CertPoll:
 		return errors.New("not implemented")
 	}
@@ -312,7 +312,7 @@ func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, m
 	cert := certChain[0]
 	// and create a degenerate cert structure
-	deg, err := microscep.DegenerateCertificates([]*x509.Certificate{cert})
+	deg, err := smallscep.DegenerateCertificates([]*x509.Certificate{cert})
 	if err != nil {
 		return nil, fmt.Errorf("failed generating degenerate certificate: %w", err)
 	}
@@ -331,11 +331,11 @@ func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, m
 		},
 		{
 			Type: oidSCEPpkiStatus,
-			Value: microscep.SUCCESS,
+			Value: smallscep.SUCCESS,
 		},
 		{
 			Type: oidSCEPmessageType,
-			Value: microscep.CertRep,
+			Value: smallscep.CertRep,
 		},
 		{
 			Type: oidSCEPrecipientNonce,
@@ -374,8 +374,8 @@ func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, m
 	}
 	cr := &CertRepMessage{
-		PKIStatus: microscep.SUCCESS,
-		RecipientNonce: microscep.RecipientNonce(msg.SenderNonce),
+		PKIStatus: smallscep.SUCCESS,
+		RecipientNonce: smallscep.RecipientNonce(msg.SenderNonce),
 		Certificate: cert,
 		degenerate: deg,
 	}
@@ -384,7 +384,7 @@ func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, m
 	crepMsg := &PKIMessage{
 		Raw: certRepBytes,
 		TransactionID: msg.TransactionID,
-		MessageType: microscep.CertRep,
+		MessageType: smallscep.CertRep,
 		CertRepMessage: cr,
 	}
@@ -423,7 +423,7 @@ func (a *Authority) CreateFailureResponse(ctx context.Context, _ *x509.Certifica
 		},
 		{
 			Type: oidSCEPpkiStatus,
-			Value: microscep.FAILURE,
+			Value: smallscep.FAILURE,
 		},
 		{
 			Type: oidSCEPfailInfo,
@@ -435,7 +435,7 @@ func (a *Authority) CreateFailureResponse(ctx context.Context, _ *x509.Certifica
 		},
 		{
 			Type: oidSCEPmessageType,
-			Value: microscep.CertRep,
+			Value: smallscep.CertRep,
 		},
 		{
 			Type: oidSCEPsenderNonce,
@@ -469,16 +469,16 @@ func (a *Authority) CreateFailureResponse(ctx context.Context, _ *x509.Certifica
 	}
 	cr := &CertRepMessage{
-		PKIStatus: microscep.FAILURE,
-		FailInfo: microscep.FailInfo(info),
-		RecipientNonce: microscep.RecipientNonce(msg.SenderNonce),
+		PKIStatus: smallscep.FAILURE,
+		FailInfo: smallscep.FailInfo(info),
+		RecipientNonce: smallscep.RecipientNonce(msg.SenderNonce),
 	}
 	// create a CertRep message from the original
 	crepMsg := &PKIMessage{
 		Raw: certRepBytes,
 		TransactionID: msg.TransactionID,
-		MessageType: microscep.CertRep,
+		MessageType: smallscep.CertRep,
 		CertRepMessage: cr,
 	}
diff --git a/scep/scep.go b/scep/scep.go
index 2cb4dc3f..b89ed0ac 100644
--- a/scep/scep.go
+++ b/scep/scep.go
@@ -6,11 +6,11 @@ import (
 	"encoding/asn1"
 	"github.com/smallstep/pkcs7"
-	microscep "github.com/smallstep/scep"
+	smallscep "github.com/smallstep/scep"
 )
 // FailInfoName models the name/value of failInfo
-type FailInfoName microscep.FailInfo
+type FailInfoName smallscep.FailInfo
 // FailInfo models a failInfo object consisting of a
 // name/identifier and a failInfoText, the latter of
@@ -35,10 +35,10 @@ var (
 // PKIMessage defines the possible SCEP message types
 type PKIMessage struct {
-	microscep.TransactionID
-	microscep.MessageType
-	microscep.SenderNonce
-	*microscep.CSRReqMessage
+	smallscep.TransactionID
+	smallscep.MessageType
+	smallscep.SenderNonce
+	*smallscep.CSRReqMessage
 	*CertRepMessage
@@ -57,9 +57,9 @@ type PKIMessage struct {
 // CertRepMessage is a type of PKIMessage
 type CertRepMessage struct {
-	microscep.PKIStatus
-	microscep.RecipientNonce
-	microscep.FailInfo
+	smallscep.PKIStatus
+	smallscep.RecipientNonce
+	smallscep.FailInfo
 	Certificate *x509.Certificate