sscep's Introduction

About the CertNanny OpenSource version and this repository

CertNanny was originally developed as an OpenSource client side agent for renewing and enrolling keystores using the SCEP protocol.

CertNanny development started in 2006 and development continued until about 2014.

Development has stopped on the OpenSource code base of CertNanny, and there will be no further development on this code base. There will also be no bug fixes, incident management or user support on this OpenSource variant.

It is not recommended to base new infrastructure on the contents of this repository.

In order to retain the code base of this project we keep all existing branches and commits of the project intact.

You will find the original unmodified repository contents in the master branch of the repository.


Some of the original developers of the CertNanny OpenSource project have implemented a commercial and closed-source rewrite of CertNanny which adopts the basic ideas of the project in a completely new code base.

sscep's People

Contributors

aleibl, andreasbank, astraluma, carstenkoester, doccaz, edewata, efrohnhoefer, flomar, gerco, gotthardp, javex, justinotherguy, mbartosch, minfrin, mrscotty, oliwel, papperlapapp, passgat, paule96, pgk69, rad1us, ramo-j, sergecroise, splatt-clover, tisj, tscherf, volkc-basf, ziemleszcz

sscep's Issues

Subject comparing

I have a problem and I need your advice.
I create a CSR with CN=Test User, and after enrolling I receive a certificate with a subject like: (/C=US/ST=Qwerty/L=Asdfg/O=Test organization/CN=Test User)
And when sscep compares the subjects I get false:

X509_NAME_cmp() workaround: strcmp request subject (/CN=Test User) to cert subject (/C=US/ST=Qwerty/L=Asdfg/O=Test organization/CN=Test User)

How can I check whether the certificate subject contains the request subject?
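One way to do the containment check asked about above, added here as an example and not taken from sscep: it works on the same slash-separated strings that appear in the debug line and accepts the certificate when every component of the request subject is present as a whole component. The function name `subject_contains` is hypothetical, and byte-exact, case-sensitive matching of each component is an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Subject strings from the debug line in the report above. */
static const char CERT_SUBJ[] =
    "/C=US/ST=Qwerty/L=Asdfg/O=Test organization/CN=Test User";
static const char REQ_SUBJ[] = "/CN=Test User";

/* Length of an attribute-type token (letters, digits, '.') at s, but only
 * if it is directly followed by '='; otherwise 0. */
static size_t type_len(const char *s)
{
    size_t n = 0;
    while (isalnum((unsigned char)s[n]) || s[n] == '.')
        n++;
    return (n > 0 && s[n] == '=') ? n : 0;
}

/* p points at the '/' that opens a component; return where it ends.
 * A '/' only counts as a separator when "TYPE=" follows it, so a value
 * such as "O=A/B Corp" stays in one piece. */
static const char *component_end(const char *p)
{
    const char *q = p + 1;
    while (*q && !(*q == '/' && type_len(q + 1) > 0))
        q++;
    return q;
}

/* Hypothetical helper: 1 if every "/TYPE=value" component of req_subj is
 * present, byte for byte, as a complete component of cert_subj.
 * Assumption: matching is exact and case-sensitive. */
int subject_contains(const char *cert_subj, const char *req_subj)
{
    const char *r, *c;

    if (!cert_subj || !req_subj)
        return 0;
    if (cert_subj[0] != '/' || req_subj[0] != '/')
        return 0;
    if (!type_len(cert_subj + 1) || !type_len(req_subj + 1))
        return 0;

    for (r = req_subj; *r; ) {
        const char *rend = component_end(r);
        size_t rlen = (size_t)(rend - r);
        int found = 0;

        for (c = cert_subj; *c && !found; ) {
            const char *cend = component_end(c);
            /* Whole-component match: "/CN=Test" must not match "/CN=Test User". */
            if ((size_t)(cend - c) == rlen && memcmp(c, r, rlen) == 0)
                found = 1;
            c = cend;
        }
        if (!found)
            return 0;
        r = rend;
    }
    return 1;
}

int main(void)
{
    printf("strcmp equal:     %d\n", strcmp(REQ_SUBJ, CERT_SUBJ) == 0);
    printf("subject_contains: %d\n", subject_contains(CERT_SUBJ, REQ_SUBJ));
    return 0;
}
```

The slash-separated form is ambiguous when a value itself contains `/TYPE=`, so a check on the parsed name entries is the more robust variant of the same idea.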

Reorganize RPM package names for sscep

Currently, the RPMs are created from two separate spec files. It might be better to have just a single spec file like many other projects (e.g.: perl) do. In addition, the preferred package (sscep-static) could be renamed to 'sscep' and the other package could continue to be called 'sscep-dyn'.

enroll without private key

I'm trying to use sscep to sign certs from a Microsoft CA with NDES. I just want to send the CSR to the CA and get a signed cert. The enroll operation requires a -k parameter for the private key, but the sscep caller does not have access to the private key corresponding to the public key in the CSR. Is there a way to get the cert signed without the private key? Thank you.

Recommend modification to sscep.c to support issuer CAs other than a self-signed Root CA.

We have recently downloaded and compiled version 20081211 of sscep.c. In testing we note that it is configured to issue certificates from a self-signed Root CA rather than an intermediate Issuing CA.

Can we recommend a change to the code base that will allow intermediate Issuing CAs to be supported?

For version 20081211 of sscep this would mean changing line 551 from “X509_get_issuer_name(cacert))) {“ to “X509_get_subject_name(cacert))) {“.

Note we believe this to be a typo where issuer & subject names are identical values within a self-signed Root CA but would be different values for an intermediate Issuing CA.

SCEP_OPERATION_GETCA fails

sscep will segfault or exit with a Bus Error when the getca command is used.

The getca command seems to work if the following modifications to sscep.c are implemented.

Instead of passing c_char to PEM_write_X509, pass cacert.
https://github.com/certnanny/sscep/blob/master/sscep.c#L612

The program should exit at line 622 instead of continuing with a break. If it doesn't, pkcs7_wrap is eventually called even though it's not designed to handle a GETCA command.
https://github.com/certnanny/sscep/blob/master/sscep.c#L622

What is the right way to get SAN (subject alternative names)?

What is the right request to make to get subject alternative names?
mkrequest -dns alias1 {{ca_enrollment_pass}} is for alias1

What is the command to get my alias2 and alias3 there? Do we need a comma? Do we need multiple times -dns? Something else?

Thanks!

current develop segfaults on debian/ubuntu

The develop branch (currently in rad1us repo) segfaults during enrollment on debian 6 and ubuntu 13.04.

c37524d -> works
f481654/f654a22 -> don't build due to unmet references (windows stuff)?
b9618e8 -> segfaults

output of enrollment script
/home/oliwel/workspace/OpenXPKI/bulkenrollment/enrollrequests: Zeile 132: 29067 Speicherzugriffsfehler (Speicherabzug geschrieben) /home/oliwel/workspace/OpenXPKI/sscep/sscep enroll -u http://x.x.x.x/cgi-bin/scep/scep -c /tmp/scepcacert-0 -r scep-spool/scep-signer.test.openxpki.org.req -k /tmp/key.vXdvWf -l scep-spool/scep-signer.test.openxpki.org-cert.pem -t 10 -n 1 > /dev/null 2>&1

with strace:
open("/tmp/scepcacert-0", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0664, st_size=1346, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1828b9a000
read(3, "-----BEGIN CERTIFICATE-----\nMIID"..., 4096) = 1346
close(3) = 0
munmap(0x7f1828b9a000, 4096) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---

Header file openssl/asn1_mac.h obsolete

When trying to build sscep together with openssl 1.1.2 (the latest version available on Github as of today), the error message

../openssl/include/openssl/asn1_mac.h:10:2: error: #error "This file is obsolete; please update your software."

occurs. What could be done to solve this? Is it just a configuration error on my side?

sscep should support https connections

After using a few tools, it has been nice to be able to support https connections after being provided the CA certificate through some valid mechanism.

This is particularly true when talking to old/legacy systems that happen to be able to talk https but can't use AES ciphers.

Error writing ca cert during getca

I'm looking at the develop branch:

git log -1
commit 039f9d2
Merge: 0400cf4 f9beb16
Author: Andreas Leibl [email protected]
Date: Fri Dec 20 06:42:16 2013 -0800

Merge pull request #20 from aleibl/develop

Changed misleading filenames of AIX pre-/post-install scripts

I'm running on Ubuntu 12.04 64-bit although I don't think this is operating system specific. On line 611 of sscep.c the line currently is:

if (PEM_write_X509(fp, c_char) != 1) {

I believe the second parameter of PEM_write_X509() is an X509* so I imagine the line probably was meant to be:

if (PEM_write_X509(fp, cacert) != 1) {

Build fails with libressl

Build fails when building with libressl.

gcc -Wall -O  -I ../openssl/include    -c -o ias.o ias.c
ias.c: In function 'pkcs7_issuer_and_subject_new':
ias.c:46:2: warning: implicit declaration of function 'M_ASN1_New_Malloc' [-Wimplicit-function-declaration]
  M_ASN1_New_Malloc(ret,pkcs7_issuer_and_subject);
  ^~~~~~~~~~~~~~~~~
ias.c:46:24: error: expected expression before 'pkcs7_issuer_and_subject'
  M_ASN1_New_Malloc(ret,pkcs7_issuer_and_subject);
                        ^~~~~~~~~~~~~~~~~~~~~~~~
ias.c:47:2: warning: implicit declaration of function 'M_ASN1_New' [-Wimplicit-function-declaration]
  M_ASN1_New(ret->issuer,X509_NAME_new);
  ^~~~~~~~~~
ias.c:50:2: warning: implicit declaration of function 'M_ASN1_New_Error' [-Wimplicit-function-declaration]
  M_ASN1_New_Error(199);
  ^~~~~~~~~~~~~~~~
ias.c:45:11: warning: unused variable 'c' [-Wunused-variable]
  ASN1_CTX c;
           ^
make: *** [<builtin>: ias.o] Error 1

Dockerfile to reproduce:

FROM alpine:3.8
RUN apk add git make gcc libc-dev libressl-dev
RUN git clone https://github.com/certnanny/sscep.git
RUN cd sscep && ./Configure  && make

Integrity check failure

Hi,

I am trying to use SSCEP with a Windows 2008 server CA. (Please note it is 2008 and not 2000.)
I am following the instructions as defined in the tutorial. I created a key and CSR using mkrequest.
I also managed to get the CA certificate when running
./sscep_dyn getca -f sscep.conf

However, when I try to enroll a certificate I get the error below:

ute@UTE-LX-a01:~/netanel/sscep/sscepStable/sscep-masterupdates$ ./sscep_dyn enroll -f sscep.conf
./sscep_dyn: Found private key ./local.key as file. If the engine can handle it, loading the file
./sscep_dyn: selfsigned certificate written as ./selfsigned.crt
./sscep_dyn: sending certificate request
./sscep_dyn: valid response from server
./sscep_dyn: reply transaction id: 6AD7A727B67BD2AF62298DAEF48D4D4A
./sscep_dyn: pkistatus: FAILURE
./sscep_dyn: reason: Integrity check failed

I know that others in my company managed to create a certificate on this server (using proprietary code).

Any idea what I have done wrong? (BTW, I am using the sscep-masterupdates branch; I had problems building the other two.)

Thanks, Gal.

not able to build sscep

Hello,

I'm sorry, but I'm a complete newbie in compiling tools from source.
Until now I've used a compiled version of sscep 0.5 which I found on the internet.
It was running fine on Ubuntu 14.04 but after upgrading to 14.10 I get
a segmentation fault.

I downloaded actual sscep-develop from this site and tried to compile sscep from source but I get
the message:

(I moved to "Linux" - Folder of sscep-develop and entered "make")
"No rule to make target 'sscep.o', needed by 'sscep_static'" . Schluss

I'm completely lost which path and which version I have to use for parameter
OPENSSL in Linux\Makefile

Thanks a lot for your help

Toni

Upcoming repository rebase!

Beware early next year we will rebase the sscep repository and prepare for CertNanny's 1.0 release.
Please make sure to send any pull requests if you have anything to contribute to sscep in the next 2 weeks. You will have to rebase / checkout your fork early next year from the new code basis.

Merry Christmas everyone!

sscep: error finalizing outer PKCS#7

Hello,

I am trying to use sscep from Centos 7 (FIPS enabled) to enroll with windows NDES.

The CSR doesn't seem to be finalized and it is failing as following :

sudo sscep enroll -E aes128 -S sha1 -c /etc/pki/cert.crt-0 -e/etc/pki/cert.crt-1 -O /etc/pki/certsignedby CA -K /etc/pki/local2.key -k local.key -r local.csr -l $(hostname).crt -u 'http://SERVER..local/certsrv/mscep/mscep.dll/pkiclient.exe?' -d

error log:
-----END PKCS7-----
sscep: creating outer PKCS#7
sscep: signature added successfully
sscep: adding signed attributes
sscep: adding string attribute transId
sscep: adding string attribute messageType
sscep: adding octet attribute senderNonce
sscep: PKCS#7 data written successfully
sscep: error finalizing outer PKCS#7
139998786868912:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:324:group= name=fips_path
139998786868912:error:0D074041:asn1 encoding routines:ASN1_i2d_bio:malloc failure:a_i2d_fp.c:92:
139998786868912:error:3207B06D:lib(50):B_HASH_NEW:cr new:b_hash.c:74:
139998786868912:error:3207A06D:lib(50):B_HASH_init:cr new:b_hash.c:103:
139998786868912:error:3207B06D:lib(50):B_HASH_NEW:cr new:b_hash.c:74:
139998786868912:error:3207C06D:lib(50):B_HASH_Update:cr new:b_hash.c:148:
139998786868912:error:3207B06D:lib(50):B_HASH_NEW:cr new:b_hash.c:74:
139998786868912:error:3207906D:lib(50):B_HASH_Final:cr new:b_hash.c:186:
139998786868912:error:3207B06D:lib(50):B_HASH_NEW:cr new:b_hash.c:74:
139998786868912:error:3207A06D:lib(50):B_HASH_init:cr new:b_hash.c:103:
139998786868912:error:3207B06D:lib(50):B_HASH_NEW:cr new:b_hash.c:74:
139998786868912:error:3207C06D:lib(50):B_HASH_Update:cr new:b_hash.c:148:
139998786868912:error:3207B06D:lib(50):B_HASH_NEW:cr new:b_hash.c:74:
139998786868912:error:3207906D:lib(50):B_HASH_Final:cr new:b_hash.c:186:
139998786868912:error:3208906D:lib(50):B_RSA_sign:cr new:b_rsa.c:416:
[root@NW11HEAD anchors]#

Please advise about this issue. Could it be because FIPS is enabled?

sscep fails to build with sscep_dyn

Build process fails.
gcc -Wall -O -I ../openssl/include -o sscep_static sscep.o init.o net.o sceputils.o pkcs7.o ias.o fileutils.o configuration.o engine.o ../openssl/libcrypto.a -ldl
gcc -Wall -O -I ../openssl/include -o sscep_dyn sscep.o init.o net.o sceputils.o pkcs7.o ias.o fileutils.o configuration.o engine.o -lcrypto -L../openssl
../openssl/libcrypto.a(dso_dlfcn.o): In function `dlfcn_globallookup':
(.text+0x11): undefined reference to `dlopen'
../openssl/libcrypto.a(dso_dlfcn.o): In function `dlfcn_globallookup':
(.text+0x24): undefined reference to `dlsym'
../openssl/libcrypto.a(dso_dlfcn.o): In function `dlfcn_globallookup':
(.text+0x2f): undefined reference to `dlclose'
../openssl/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_func':
(.text+0x324): undefined reference to `dlsym'
../openssl/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_func':
(.text+0x3cb): undefined reference to `dlerror'
../openssl/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
(.text+0x444): undefined reference to `dlsym'
../openssl/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
(.text+0x4eb): undefined reference to `dlerror'
../openssl/libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
(.text+0x559): undefined reference to `dlopen'
../openssl/libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
(.text+0x5bb): undefined reference to `dlclose'
../openssl/libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
(.text+0x5f3): undefined reference to `dlerror'
../openssl/libcrypto.a(dso_dlfcn.o): In function `dlfcn_pathbyaddr':
(.text+0x68f): undefined reference to `dladdr'
../openssl/libcrypto.a(dso_dlfcn.o): In function `dlfcn_pathbyaddr':
(.text+0x6f9): undefined reference to `dlerror'
../openssl/libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload':
(.text+0x752): undefined reference to `dlclose'
collect2: error: ld returned 1 exit status
Makefile:26: recipe for target 'sscep_dyn' failed
make: *** [sscep_dyn] Error 1
Can anyone help me? Thank you very much for your support.
Stefan Harbich

don't compile on ubuntu 14.04

sscep doesn't compile on ubuntu 14.04. I executed these commands:

  1. I executed ./Configure
  2. I installed openssl from https://github.com/openssl/openssl
  3. I modified the OPENSSL reference in the Makefile with the path of my openssl
  4. I executed make

I had these errors:

gcc -Wall -O -g -I /home/forensor/Scaricati/openssl/include -c -o pkcs7.o pkcs7.c
pkcs7.c: In function ‘pkcs7_wrap’:
pkcs7.c:89:4: warning: passing argument 1 of ‘ASN1_i2d_bio’ from incompatible pointer type [enabled by default]
if ((rc = i2d_pkcs7_issuer_and_subject_bio(databio,
^
In file included from /home/forensor/Scaricati/openssl/include/openssl/objects.h:15:0,
from /home/forensor/Scaricati/openssl/include/openssl/evp.h:28,
from sscep.h:50,
from pkcs7.c:9:
/home/forensor/Scaricati/openssl/include/openssl/asn1.h:742:5: note: expected ‘int (*)(void , unsigned char **)’ but argument is of type ‘int ()(struct pkcs7_issuer_and_subject *, unsigned char **)’
int ASN1_i2d_bio(i2d_of_void *i2d, BIO *out, unsigned char x);
^
pkcs7.c:108:4: warning: passing argument 1 of ‘ASN1_i2d_bio’ from incompatible pointer type [enabled by default]
if ((rc = i2d_PKCS7_ISSUER_AND_SERIAL_bio(databio,^
In file included from /home/forensor/Scaricati/openssl/include/openssl/objects.h:15:0,
from /home/forensor/Scaricati/openssl/include/openssl/evp.h:28,
from sscep.h:50,
from pkcs7.c:9:
/home/forensor/Scaricati/openssl/include/openssl/asn1.h:742:5: note: expected ‘int (
)(void , unsigned char **)’ but argument is of type ‘int ()(struct PKCS7_ISSUER_AND_SERIAL *, unsigned char **)’
int ASN1_i2d_bio(i2d_of_void *i2d, BIO *out, unsigned char x);
^
pkcs7.c:127:4: warning: passing argument 1 of ‘ASN1_i2d_bio’ from incompatible pointer type [enabled by default]
if ((rc = i2d_PKCS7_ISSUER_AND_SERIAL_bio(databio,^
In file included from /home/forensor/Scaricati/openssl/include/openssl/objects.h:15:0,
from /home/forensor/Scaricati/openssl/include/openssl/evp.h:28,
from sscep.h:50,
from pkcs7.c:9:
/home/forensor/Scaricati/openssl/include/openssl/asn1.h:742:5: note: expected ‘int (
)(void , unsigned char **)’ but argument is of type ‘int ()(struct PKCS7_ISSUER_AND_SERIAL *, unsigned char **)’
int ASN1_i2d_bio(i2d_of_void *i2d, BIO *out, unsigned char *x);
^
pkcs7.c:185:3: warning: too many arguments for format [-Wformat-extra-args]
printf("\n %s: hexdump request payload \n", pname , i);
^
In file included from /home/forensor/Scaricati/openssl/include/openssl/conf.h:13:0,
from configuration.h:13,
from sscep.h:22,
from pkcs7.c:9:
/home/forensor/Scaricati/openssl/include/openssl/bio.h:491:34: warning: value computed is not used [-Wunused-value]

define BIO_flush(b) (int)BIO_ctrl(b,BIO_CTRL_FLUSH,0,NULL)^

pkcs7.c:218:2: note: in expansion of macro ‘BIO_flush’
BIO_flush(memorybio);
^
pkcs7.c:263:4: warning: pointer targets in passing argument 3 of ‘add_attribute_octet’ differ in signedness [-Wpointer-sign]
s->sender_nonce_len);
^
In file included from pkcs7.c:9:0:
sscep.h:340:5: note: expected ‘char *’ but argument is of type ‘unsigned char *’
int add_attribute_octet(STACK_OF(X509_ATTRIBUTE) *, int, char *, int);
^
In file included from /home/forensor/Scaricati/openssl/include/openssl/conf.h:13:0,
from configuration.h:13,
from sscep.h:22,
from pkcs7.c:9:
/home/forensor/Scaricati/openssl/include/openssl/bio.h:491:34: warning: value computed is not used [-Wunused-value]

define BIO_flush(b) (int)BIO_ctrl(b,BIO_CTRL_FLUSH,0,NULL)^

pkcs7.c:320:2: note: in expansion of macro ‘BIO_flush’
BIO_flush(outbio);
^
pkcs7.c:34:12: warning: unused variable ‘reqcsr’ [-Wunused-variable]
X509_REQ *reqcsr = NULL;^
In file included from /home/forensor/Scaricati/openssl/include/openssl/conf.h:13:0,
from configuration.h:13,
from sscep.h:22,
from pkcs7.c:9:
pkcs7.c: In function ‘pkcs7_verify_unwrap’:
/home/forensor/Scaricati/openssl/include/openssl/bio.h:491:34: warning: value computed is not used [-Wunused-value]

define BIO_flush(b) (int)BIO_ctrl(b,BIO_CTRL_FLUSH,0,NULL)

                              ^

pkcs7.c:397:2: note: in expansion of macro ‘BIO_flush’
BIO_flush(outbio);
^
pkcs7.c:344:14: warning: unused variable ‘recipientkey’ [-Wunused-variable]
EVP_PKEY *recipientkey; ^
pkcs7.c:343:11: warning: unused variable ‘recipientcert’ [-Wunused-variable]
X509 *recipientcert;
^
pkcs7.c:341:11: warning: unused variable ‘p’ [-Wunused-variable]
char *p;
^
pkcs7.c:340:28: warning: unused variable ‘attribs’ [-Wunused-variable]
STACK_OF(X509_ATTRIBUTE) *attribs;
^
pkcs7.c:338:12: warning: unused variable ‘p7’ [-Wunused-variable]
PKCS7 *p7;
^
pkcs7.c:336:9: warning: unused variable ‘i’ [-Wunused-variable]
int i, len, bytes, used;
^
In file included from /home/forensor/Scaricati/openssl/include/openssl/conf.h:13:0,
from configuration.h:13,
from sscep.h:22,
from pkcs7.c:9:
pkcs7.c: In function ‘pkcs7_unwrap’:
/home/forensor/Scaricati/openssl/include/openssl/bio.h:491:34: warning: value computed is not used [-Wunused-value]

define BIO_flush(b) (int)BIO_ctrl(b,BIO_CTRL_FLUSH,0,NULL)

                              ^

pkcs7.c:559:2: note: in expansion of macro ‘BIO_flush’
BIO_flush(outbio);
^
pkcs7.c:628:24: warning: pointer targets in assignment differ in signedness [-Wpointer-sign]
s->reply_sender_nonce = p;
^
pkcs7.c:641:27: warning: pointer targets in assignment differ in signedness [-Wpointer-sign]
s->reply_recipient_nonce = p;
^
In file included from /home/forensor/Scaricati/openssl/include/openssl/conf.h:13:0,
from configuration.h:13,
from sscep.h:22,
from pkcs7.c:9:
/home/forensor/Scaricati/openssl/include/openssl/bio.h:491:34: warning: value computed is not used [-Wunused-value]

define BIO_flush(b) (int)BIO_ctrl(b,BIO_CTRL_FLUSH,0,NULL)

                              ^

pkcs7.c:773:2: note: in expansion of macro ‘BIO_flush’
BIO_flush(outbio);
^
pkcs7.c: In function ‘get_signed_attribute’:
pkcs7.c:868:2: warning: ‘ASN1_STRING_data’ is deprecated (declared at /home/forensor/Scaricati/openssl/include/openssl/asn1.h:555) [-Wdeprecated-declarations]
memcpy(*buffer, ASN1_STRING_data(asn1_type->value.asn1_string), len);
^
pkcs7.c: In function ‘get_attribute’:
pkcs7.c:898:26: error: dereferencing pointer to incomplete type
if (OBJ_cmp(x509_attrib->object, asn1_obj) == 0) {
^
pkcs7.c:899:20: error: dereferencing pointer to incomplete type
if ((x509_attrib->value.set) &&
^
pkcs7.c:900:35: error: dereferencing pointer to incomplete type
(sk_ASN1_TYPE_num(x509_attrib->value.set) != 0)) {
^
pkcs7.c:907:35: error: dereferencing pointer to incomplete type
sk_ASN1_TYPE_value(x509_attrib->value.set, 0);
^
make: *** [pkcs7.o] Errore 1

Error Verifying Signature during ENROLL operation

I'm trying to enroll my CSR using sscep with NDES+ADCS. In the CA logs I can see that my CSR is signed by the CA and the certificate is issued successfully. But sscep is not able to extract the signed certificate from the NDES response.

./sscep enroll -f my_conf > debug_tongs.log
./sscep: error verifying signature
31760:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
31760:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:fips_rsa_eay.c:748:
31760:error:21071069:PKCS7 routines:PKCS7_signatureVerify:signature failure:pk7_doit.c:981:

How to enroll a cert using an encrypted private key ?

Hi there,

I have a private key encrypted with a passphrase and now I would like to get a certificate.
Is there a parameter or flag to enable in order to get a certificate without being prompted for this passphrase on the command line?

Regards.

Unable to Make sscep due to some undefined references

Having some issues when trying to do a make. I currently have OpenSSL_1_0_2 installed, and need to get sscep installed as well. Can anyone help me out?

I have tried with both the develop and master branch

~/sscep-develop# make
gcc -O -I /home/cisco/openssl-OpenSSL_1_0_2-stable/include -o sscep_dyn sscep.o init.o net.o sceputils.o pkcs7.o ias.o fileutils.o configuration.o engine.o -lcrypto -L/home/cisco/openssl-OpenSSL_1_0_2-stable
/home/cisco/openssl-OpenSSL_1_0_2-stable/libcrypto.a(dso_dlfcn.o): In function `dlfcn_globallookup':
dso_dlfcn.c:(.text+0x11): undefined reference to `dlopen'
dso_dlfcn.c:(.text+0x24): undefined reference to `dlsym'
dso_dlfcn.c:(.text+0x2f): undefined reference to `dlclose'
/home/cisco/openssl-OpenSSL_1_0_2-stable/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_func':
dso_dlfcn.c:(.text+0x334): undefined reference to `dlsym'
dso_dlfcn.c:(.text+0x3db): undefined reference to `dlerror'
/home/cisco/openssl-OpenSSL_1_0_2-stable/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
dso_dlfcn.c:(.text+0x454): undefined reference to `dlsym'
dso_dlfcn.c:(.text+0x4fb): undefined reference to `dlerror'
/home/cisco/openssl-OpenSSL_1_0_2-stable/libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
dso_dlfcn.c:(.text+0x569): undefined reference to `dlopen'
dso_dlfcn.c:(.text+0x5cb): undefined reference to `dlclose'
dso_dlfcn.c:(.text+0x603): undefined reference to `dlerror'
/home/cisco/openssl-OpenSSL_1_0_2-stable/libcrypto.a(dso_dlfcn.o): In function `dlfcn_pathbyaddr':
dso_dlfcn.c:(.text+0x68f): undefined reference to `dladdr'
dso_dlfcn.c:(.text+0x6f1): undefined reference to `dlerror'
/home/cisco/openssl-OpenSSL_1_0_2-stable/libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload':
dso_dlfcn.c:(.text+0x742): undefined reference to `dlclose'
collect2: error: ld returned 1 exit status
make: *** [sscep_dyn] Error 1

OpenSSL tasn_utl.c issue with received SSCEP GetCA message response.

On a CentOS 7.0 machine I’m testing the recent EPEL7-test release of the SSCEP client, which is based on the CertNanny/SSCEP 0.6.1 code. For transparency it is worth sharing historically I’ve only previously successfully deployed and used version 20081211 (0.6?).

Initially I’m only trying to exercise the GetCA certificate message to download a trust anchor, the Root CA.

While the generated GetCA request message is valid (seen via wireshark), as is the response I believe, the OpenSSL ASN1parsing of the returned GetCA message generates a core dump indicating an issue regards tasn_utl.c.

Any ideas?

See example anonymised request and core dump below. I can share actual request privately if required to reproduce the issue.

GetCA Request

sscep getca -v -d -u $SCEP_RESPONDER_URL -i $RootCA_Identifier -c $RootCA_target_file

GNU Debugger output
[nigel@localhost projects]$ sudo gdb core.4630
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-80.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see: http://www.gnu.org/software/gdb/bugs/...
[New LWP 4630]
Reading symbols from /usr/bin/sscep...Reading symbols from /usr/lib/debug/usr/bin/sscep.debug...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Core was generated by `sscep getca -v -d -u $SCEP_RESPONDER_URL -i'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007ff752eb6f30 in asn1_enc_restore (len=len@entry=0x7fff6d651fa4,
out=out@entry=0x0, pval=pval@entry=0x7fff6d658791, 
it=it@entry=0x7ff753179480 <X509_CINF_it>) at tasn_utl.c:190

190 if (!enc || enc->modified)
(gdb)

(FIXED) illegal size of payload in Redhat 7.5

I have been using the sscep client with Windows 2012R2 NDES without any issue. The problem started when my client machine was upgraded from Redhat 7.2 to 7.5.
sscep is unable to enroll the cert. In the pkcs7 message it has the error illegal size of payload.

If anyone can provide a fix here, it will be very much appreciated.

n8aeGXvDkeLEZOLFzHrZi77DPSDyBaxNR752Tz6S+ZaE/fGMeD+MUWnau45+Sud1
l7YnjiYMiPb7VOHh
-----END PKCS7-----
sscep: applying base64 encoding
sscep: base64 encoded payload size: 3462 bytes
sscep: scep msg: GET /certsrv/mscep/mscep.dll/pkiclient.exe??operation=PKIOperation&message=MIIJ%2BAYJKoZIhvcNAQcCoIIJ6TCCCeUCAQExDjAMBggqhkiG9w0CBQUAMIIE1gYJ%0AKoZIhvcNAQcBoIIExwSCBMMwggS/BgkqhkiG9w0BBwOgggSwMIIErAIBADGCAa8w%0AggGrAgEAMIGSMHsxEzARBgoJkiaJk/IsZAEZFgNjb20xEzARBgoJkiaJk/IsZAEZ%0AFgNkYnMx

OILbno/G
sscep: illegal size of payload

FIXED: I finally found the solution and the issue.
There were two issues. I'm using Microsoft NDES, which is running on IIS. The base64-encoded message that the scep client sends to IIS exceeded the 2048 MaxQuery string of IIS.
Solution: Increase the IIS MaxqueryString and MaxBytes
The second issue was that the CSR generated by mkrequest makes use of openssl at the OS level. Linux 7.5 has changed the openssl standard. I added one line under the [ req ] section. It works just fine.
[ req ]
string_mask = nombstr
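The first cause named in the report above can be checked before a request is sent. The following is an added example, not sscep code: it measures the query string of a SCEP GET for a given DER payload and compares it with the 2048 limit from the post. The names `scep_get_sizes` and `scep_get_fits` are hypothetical; base64 wrapped at 64 characters and escaping of only `+` and newline are assumptions read off the logged request.

```c
#include <stddef.h>
#include <stdio.h>

#define IIS_QUERY_LIMIT 2048   /* query string limit named in the post */

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
static const char QUERY_PREFIX[] = "operation=PKIOperation&message=";

/* Constructed sample: 2556 zero bytes, sized so that the base64 form with
 * line breaks is 3462 bytes, the size shown in the log above. */
static const unsigned char SAMPLE_DER[2556] = {0};
/* Constructed sample: three bytes that encode to "++++". */
static const unsigned char PLUS_DER[3] = {0xfb, 0xef, 0xbe};

struct scep_sizes {
    size_t b64_len;     /* base64 text including line breaks */
    size_t query_len;   /* prefix plus escaped base64 text */
};

/* Account for one base64 output character. '+' and '\n' become %2B and
 * %0A (assumption: these are the only escapes, as in the logged request). */
static void count_char(char c, struct scep_sizes *s)
{
    s->b64_len += 1;
    s->query_len += (c == '+' || c == '\n') ? 3 : 1;
}

/* Hypothetical helper: sizes of the GET query for a DER payload, computed
 * without building the string. */
struct scep_sizes scep_get_sizes(const unsigned char *der, size_t n)
{
    struct scep_sizes s = { 0, sizeof(QUERY_PREFIX) - 1 };
    size_t i, col = 0;
    int k;

    for (i = 0; i < n; i += 3) {
        size_t rem = n - i;
        unsigned long v = (unsigned long)der[i] << 16;
        char q[4];

        if (rem > 1) v |= (unsigned long)der[i + 1] << 8;
        if (rem > 2) v |= der[i + 2];

        q[0] = B64[(v >> 18) & 63];
        q[1] = B64[(v >> 12) & 63];
        q[2] = rem > 1 ? B64[(v >> 6) & 63] : '=';
        q[3] = rem > 2 ? B64[v & 63] : '=';

        for (k = 0; k < 4; k++) {
            count_char(q[k], &s);
            if (++col == 64) {          /* assumption: 64-char lines */
                count_char('\n', &s);
                col = 0;
            }
        }
    }
    if (col)
        count_char('\n', &s);           /* newline ending a partial line */
    return s;
}

/* 1 if the query string stays within the server's limit. */
int scep_get_fits(const unsigned char *der, size_t n, size_t limit)
{
    return scep_get_sizes(der, n).query_len <= limit;
}

int main(void)
{
    struct scep_sizes s = scep_get_sizes(SAMPLE_DER, sizeof SAMPLE_DER);
    printf("base64 size:  %lu bytes\n", (unsigned long)s.b64_len);
    printf("query string: %lu bytes (limit %d)\n",
           (unsigned long)s.query_len, IIS_QUERY_LIMIT);
    printf("fits: %d\n",
           scep_get_fits(SAMPLE_DER, sizeof SAMPLE_DER, IIS_QUERY_LIMIT));
    return 0;
}
```

Each line break costs three bytes once escaped, so the query string is noticeably longer than the base64 size that sscep logs.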

problem with installation

hi,

I have been trying to install sscep on my Linux machine. As I got so many errors, I couldn't install it on my machine. Can anyone please help me with this? Below are the errors which I got during installation. Please reply ASAP. Thanks in advance.
engine.h:7:1: error: unknown type name ‘ENGINE’
ENGINE _scep_engine_init(ENGINE *e);
^
engine.h:7:26: error: unknown type name ‘ENGINE’
ENGINE *scep_engine_init(ENGINE *e);
^
engine.h:8:1: error: unknown type name ‘ENGINE’
ENGINE *scep_engine_load_dynamic(ENGINE *e);
^
engine.h:8:34: error: unknown type name ‘ENGINE’
ENGINE *scep_engine_load_dynamic(ENGINE *e);
^
engine.h:9:28: error: unknown type name ‘EVP_PKEY’
void sscep_engine_read_key(EVP_PKEY *_key, char _id, ENGINE *e);
^
engine.h:9:54: error: unknown type name ‘ENGINE’
void sscep_engine_read_key(EVP_PKEY *_key, char _id, ENGINE *e);
^
engine.h:10:32: error: unknown type name ‘EVP_PKEY’
void sscep_engine_read_key_old(EVP_PKEY *_key, char _id, ENGINE *e);
^
engine.h:10:58: error: unknown type name ‘ENGINE’
void sscep_engine_read_key_old(EVP_PKEY *_key, char _id, ENGINE *e);
^
engine.h:11:32: error: unknown type name ‘EVP_PKEY’
void sscep_engine_read_key_new(EVP_PKEY *_key, char _id, ENGINE *e);
^
engine.h:11:58: error: unknown type name ‘ENGINE’
void sscep_engine_read_key_new(EVP_PKEY *_key, char _id, ENGINE *e);
^
engine.h:14:33: error: unknown type name ‘EVP_PKEY’
void sscep_engine_read_key_capi(EVP_PKEY *_key, char _id, ENGINE *e, char *storename);
^
engine.h:14:59: error: unknown type name ‘ENGINE’
void sscep_engine_read_key_capi(EVP_PKEY *key, char id, ENGINE *e, char *storename);
^
sscep.c: In function ‘main’:
sscep.c:324:3: warning: implicit declaration of function ‘scep_engine_init’ [-Wimplicit-function-declaration]
scep_t.e = scep_engine_init(scep_t.e);
^
sscep.c:324:12: warning: assignment makes pointer from integer without a cast [enabled by default]
scep_t.e = scep_engine_init(scep_t.e);
^
sscep.c:612:4: warning: passing argument 2 of ‘PEM_write_X509’ from incompatible pointer type [enabled by default]
if (PEM_write_X509(fp, c_char) != 1) {
^
In file included from sscep.h:60:0,
from sscep.c:11:
../openssl/include/openssl/pem.h:294:6: note: expected ‘struct X509 *’ but argument is of type ‘char *’
int PEM_write_##name(FILE *fp, type *x);
^
../openssl/include/openssl/pem.h:323:2: note: in expansion of macro ‘DECLARE_PEM_write_fp’
DECLARE_PEM_write_fp(name, type)
^
../openssl/include/openssl/pem.h:335:2: note: in expansion of macro ‘DECLARE_PEM_write’
DECLARE_PEM_write(name, type)
^
../openssl/include/openssl/pem.h:541:1: note: in expansion of macro ‘DECLARE_PEM_rw’
DECLARE_PEM_rw(X509, X509)
^
sscep.c:688:27: warning: pointer targets in assignment differ in signedness [-Wpointer-sign]
scep_t.reply_payload = reply.payload;
^
sscep.c:776:5: warning: implicit declaration of function ‘sscep_engine_read_key_new’ [-Wimplicit-function-declaration]
sscep_engine_read_key_new(&rsa, k_char, scep_t.e);
^
sscep.c:790:6: warning: implicit declaration of function ‘sscep_engine_read_key_old’ [-Wimplicit-function-declaration]
sscep_engine_read_key_old(&renewal_key, K_char, scep_t.e);
^
sscep.c:79:8: warning: variable ‘p7’ set but not used [-Wunused-but-set-variable]
PKCS7 p7;
^
make: *** [sscep.o] Error 1

What is the license for SSCEP?

What is the license for SSCEP? I see third-party licenses mentioned, but I don't see the license clearly stated for SSCEP itself.

sscep fails to build with modern openssl (asn1_mac)

It seems like the file asn1_mac isn't used anymore:

OpenSSL: OpenSSL 1.1.0c
GCC: 6.2.1 20161124

[paultag@nyx:~/dev/local/sscep][07:25 PM] ♥  git branch
* develop
  master
[paultag@nyx:~/dev/local/sscep][07:25 PM] ♥  make
gcc -Wall -O  -I ../openssl/include    -c -o sscep.o sscep.c
In file included from sscep.h:64:0,
                 from sscep.c:11:
/usr/include/openssl/asn1_mac.h:10:2: error: #error "This file is obsolete; please update your software."
 #error "This file is obsolete; please update your software."
  ^~~~~
sscep.c: In function ‘main’:
sscep.c:612:27: warning: passing argument 2 of ‘PEM_write_X509’ from incompatible pointer type [-Wincompatible-pointer-types]
    if (PEM_write_X509(fp, c_char) != 1) {
                           ^~~~~~
In file included from sscep.h:60:0,
                 from sscep.c:11:
/usr/include/openssl/pem.h:331:1: note: expected ‘X509 * {aka struct x509_st *}’ but argument is of type ‘char *’
 DECLARE_PEM_rw(X509, X509)
 ^
sscep.c:688:27: warning: pointer targets in assignment differ in signedness [-Wpointer-sign]
      scep_t.reply_payload = reply.payload;
                           ^
sscep.c:79:8: warning: variable ‘p7’ set but not used [-Wunused-but-set-variable]
  PKCS7 p7;
        ^~
<builtin>: recipe for target 'sscep.o' failed
make: *** [sscep.o] Error 1

sscep getcert options not clear

The options for the getcert operation are not clear. Here is an excerpt of the options for both getcert and enroll, with my comments in square brackets.

OPTIONS for getcert:

-l Local certificate file [signature certificate for SCEP request]
-w Write certificate in file [destination for received cert]

Options for enroll:

-l Write enrolled certificate in file [destination of received cert]
-O Signature certificate (used instead of self-signed) [signature certificate for SCEP request]

If the opts can't be changed due to backwards compatibility, at least the README should be updated to clarify that the '-l' option for getcert is the signature certificate for the SCEP request.

sscep_static compilation failure

[mmalysz@orch-aaa-vm sscep]$ make
gcc -Wall -O -I ../openssl/include -o sscep_static sscep.o init.o net.o sceputils.o pkcs7.o ias.o fileutils.o configuration.o engine.o ../openssl/libcrypto.a -ldl
sscep.o: In function `main':
sscep.c:(.text+0x14bb): undefined reference to `sk_num'
sscep.c:(.text+0x1502): undefined reference to `sk_value'
sscep.c:(.text+0x1679): undefined reference to `sk_num'
sceputils.o: In function `init_scep':
sceputils.c:(.text+0x378): undefined reference to `OPENSSL_add_all_algorithms_noconf'
sceputils.c:(.text+0x37d): undefined reference to `ERR_load_crypto_strings'
pkcs7.o: In function `pkcs7_verify_unwrap':
pkcs7.c:(.text+0x27c): undefined reference to `sk_value'
pkcs7.o: In function `add_attribute_string':
pkcs7.c:(.text+0x5bd): undefined reference to `sk_push'
pkcs7.o: In function `add_attribute_octet':
pkcs7.c:(.text+0x670): undefined reference to `sk_push'
pkcs7.o: In function `pkcs7_wrap':
pkcs7.c:(.text+0xa15): undefined reference to `sk_new'
pkcs7.c:(.text+0xa68): undefined reference to `sk_push'
pkcs7.c:(.text+0xaae): undefined reference to `sk_push'
pkcs7.c:(.text+0xe44): undefined reference to `sk_new_null'
pkcs7.o: In function `get_attribute':
pkcs7.c:(.text+0x11b8): undefined reference to `sk_value'
pkcs7.c:(.text+0x11d8): undefined reference to `sk_num'
pkcs7.c:(.text+0x1217): undefined reference to `sk_value'
pkcs7.c:(.text+0x1225): undefined reference to `sk_num'
pkcs7.o: In function `pkcs7_unwrap':
pkcs7.c:(.text+0x1608): undefined reference to `sk_value'
ias.o: In function `d2i_pkcs7_issuer_and_subject':
ias.c:(.text+0x1b9): undefined reference to `asn1_add_error'
ias.c:(.text+0x1f4): undefined reference to `asn1_GetSequence'
ias.c:(.text+0x282): undefined reference to `asn1_const_Finish'
ias.c:(.text+0x2d5): undefined reference to `asn1_add_error'
fileutils.o: In function `write_crl':
fileutils.c:(.text+0x1b): undefined reference to `sk_value'
fileutils.o: In function `write_local_cert':
fileutils.c:(.text+0x168): undefined reference to `sk_num'
fileutils.c:(.text+0x18d): undefined reference to `sk_value'
fileutils.c:(.text+0x397): undefined reference to `sk_num'
fileutils.o: In function `write_other_cert':
fileutils.c:(.text+0x4ef): undefined reference to `sk_value'
fileutils.c:(.text+0x58c): undefined reference to `sk_num'
fileutils.o: In function `write_ca_ra':
fileutils.c:(.text+0x7b1): undefined reference to `sk_value'
fileutils.c:(.text+0xa4c): undefined reference to `sk_num'
configuration.o: In function `scep_conf_load':
configuration.c:(.text+0x1042): undefined reference to `sk_num'
configuration.c:(.text+0x109f): undefined reference to `sk_value'
engine.o: In function `sscep_engine_report_error':
engine.c:(.text+0x5): undefined reference to `ERR_load_crypto_strings'
engine.c:(.text+0x16): undefined reference to `ERR_free_strings'
engine.o: In function `scep_engine_init':
engine.c:(.text+0x29b): undefined reference to `ENGINE_load_dynamic'
../openssl/libcrypto.a(libcrypto-lib-threads_pthread.o): In function `CRYPTO_THREAD_lock_new':
threads_pthread.c:(.text+0x45): undefined reference to `pthread_rwlock_init'
../openssl/libcrypto.a(libcrypto-lib-threads_pthread.o): In function `CRYPTO_THREAD_read_lock':
threads_pthread.c:(.text+0x85): undefined reference to `pthread_rwlock_rdlock'
../openssl/libcrypto.a(libcrypto-lib-threads_pthread.o): In function `CRYPTO_THREAD_write_lock':
threads_pthread.c:(.text+0xa5): undefined reference to `pthread_rwlock_wrlock'
../openssl/libcrypto.a(libcrypto-lib-threads_pthread.o): In function `CRYPTO_THREAD_unlock':
threads_pthread.c:(.text+0xc5): undefined reference to `pthread_rwlock_unlock'
../openssl/libcrypto.a(libcrypto-lib-threads_pthread.o): In function `CRYPTO_THREAD_lock_free':
threads_pthread.c:(.text+0xea): undefined reference to `pthread_rwlock_destroy'
../openssl/libcrypto.a(libcrypto-lib-threads_pthread.o): In function `CRYPTO_THREAD_run_once':
threads_pthread.c:(.text+0x115): undefined reference to `pthread_once'
../openssl/libcrypto.a(libcrypto-lib-threads_pthread.o): In function `CRYPTO_THREAD_init_local':
threads_pthread.c:(.text+0x135): undefined reference to `pthread_key_create'
../openssl/libcrypto.a(libcrypto-lib-threads_pthread.o): In function `CRYPTO_THREAD_set_local':
threads_pthread.c:(.text+0x167): undefined reference to `pthread_setspecific'
../openssl/libcrypto.a(libcrypto-lib-threads_pthread.o): In function `CRYPTO_THREAD_cleanup_local':
threads_pthread.c:(.text+0x187): undefined reference to `pthread_key_delete'
../openssl/libcrypto.a(libcrypto-lib-threads_pthread.o): In function `openssl_init_fork_handlers':
threads_pthread.c:(.text+0x1e3): undefined reference to `pthread_once'
../openssl/libcrypto.a(libcrypto-lib-threads_pthread.o): In function `fork_once_func':
threads_pthread.c:(.text+0x16): undefined reference to `pthread_atfork'
../openssl/libcrypto.a(libcrypto-lib-threads_pthread.o): In function `CRYPTO_THREAD_get_local':
threads_pthread.c:(.text+0x153): undefined reference to `pthread_getspecific'
collect2: error: ld returned 1 exit status
make: *** [sscep_static] Error 1

https support?

I am having trouble getting sscep working over https. Is this supported?

gcc: error: ../openssl/libcrypto.a: No such file or directory

I am installing the latest version of sscep (0.6.1) on Debian jessie 8.11 x64.
libssl-dev is already installed on the machine.
./Configure runs fine but make gives the following error:
gcc -Wall -O -I ../openssl/include -o sscep_static sscep.o init.o net.o sceputils.o pkcs7.o ias.o fileutils.o configuration.o engine.o ../openssl/libcrypto.a -ldl
gcc: error: ../openssl/libcrypto.a: No such file or directory
Makefile:23: recipe for target 'sscep_static' failed
make: *** [sscep_static] Error 1

Scep: certificate issuance problem

Hi all
I have a problem with the NDES, I cannot get a certificate.

I use openscep client (on CentOS) to send a CSR to an Issuing CA (windows server 2012 R2) with NDES installed.

From the command line I use the following:
./sscep_dyn enroll -v -u http://192.168.236.88/CertSrv/mscep/mscep.dll -k try -r try33.csr -l certificato.crt -c IntermediateCA2.cer

try is the key generated using openssl
try33.csr is the CSR needed to be signed
IntermediateCA2.cer is the Issuer CA certificate manually imported

Error on the client:
./sscep_dyn: wrong (or missing) MIME content type

Error on the Issuer CA side (event viewer):
"The Network Device Enrollment Service cannot decrypt the client's PKCS7 message (0x80090005). Bad Data."

Does anyone have any idea about this issue or a hint about how to troubleshoot it?

Thanks
Cristian

Does SSCEP support NDES with challenge password

OS: fedora 16
NDES: windows 2008r2
I can enroll without a challenge password (EnforcePassword=0), but when I enabled this feature, I always get
"The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request."
Even when I change "UseSinglePassword" to 1, still get the same error message.
I use following code to generate csr:
openssl req -new -key %s -out %s -subj %s -config openssl.conf
This is my openssl.conf for challenge password:
[req]
prompt = no
distinguished_name = req_distinguished_name
attributes = req_attributes
req_extensions = v3_req

[req_attributes]
challengePassword=00F7FC7937B5366F2231AC891472998C

[req_distinguished_name]
C=CN
CN=sceptest.com
ST=Shanghai

[v3_req]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment

This is the generated certificate request file:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CN, CN=sceptest.com, ST=Shanghai
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Attributes:
challengePassword :unable to print attribute
Requested Extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: sha1WithRSAEncryption

And I use following command to enroll:
sscep enroll -v -u http://10.75.212.202/CertSrv/mscep/mscep.dll -k private.key -r server.csr -l server.crt -c ca.pem-0 -e ca.pem-1
This is the output of the enroll:
/usr/bin/sscep: illegal size of payload
/usr/bin/sscep: starting sscep, version 0.6
/usr/bin/sscep: new transaction
/usr/bin/sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
/usr/bin/sscep: hostname: 10.75.212.202
/usr/bin/sscep: directory: CertSrv/mscep/mscep.dll
/usr/bin/sscep: port: 80
/usr/bin/sscep: Read request with transaction id: 677F6ADF3BBD1777855A30266E90E748
/usr/bin/sscep: generating selfsigned certificate
/usr/bin/sscep: SCEP_OPERATION_ENROLL
/usr/bin/sscep: sending certificate request
/usr/bin/sscep: creating inner PKCS#7
/usr/bin/sscep: inner PKCS#7 in mem BIO
/usr/bin/sscep: request data dump
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
/usr/bin/sscep: data payload size: 719 bytes
/usr/bin/sscep: successfully encrypted payload
/usr/bin/sscep: envelope size: 1175 bytes
/usr/bin/sscep: creating outer PKCS#7
/usr/bin/sscep: signature added successfully
/usr/bin/sscep: adding signed attributes
/usr/bin/sscep: adding string attribute transId
/usr/bin/sscep: adding string attribute messageType
/usr/bin/sscep: adding octet attribute senderNonce
/usr/bin/sscep: PKCS#7 data written successfully
/usr/bin/sscep: applying base64 encoding
/usr/bin/sscep: base64 encoded payload size: 3539 bytes
/usr/bin/sscep: server returned status code 200
/usr/bin/sscep: MIME header: x-pki-message
/usr/bin/sscep: valid response from server
/usr/bin/sscep: reading outer PKCS#7
/usr/bin/sscep: PKCS#7 payload size: 700 bytes
/usr/bin/sscep: PKCS#7 contains 1 bytes of enveloped data
/usr/bin/sscep: verifying signature
/usr/bin/sscep: signature ok
/usr/bin/sscep: finding signed attributes
/usr/bin/sscep: finding attribute transId
/usr/bin/sscep: allocating 32 bytes for attribute
/usr/bin/sscep: reply transaction id: 677F6ADF3BBD1777855A30266E90E748
/usr/bin/sscep: finding attribute messageType
/usr/bin/sscep: allocating 1 bytes for attribute
/usr/bin/sscep: reply message type is good
/usr/bin/sscep: finding attribute senderNonce
/usr/bin/sscep: allocating 16 bytes for attribute
/usr/bin/sscep: senderNonce in reply: F3AC0EC41E761C4785735394C91C8712
/usr/bin/sscep: finding attribute recipientNonce
/usr/bin/sscep: allocating 16 bytes for attribute
/usr/bin/sscep: recipientNonce in reply: 12C9526F8DE6DBD51B4D9FB2CA302C1B
/usr/bin/sscep: finding attribute pkiStatus
/usr/bin/sscep: allocating 1 bytes for attribute
/usr/bin/sscep: pkistatus: FAILURE
/usr/bin/sscep: finding attribute failInfo
/usr/bin/sscep: allocating 1 bytes for attribute
/usr/bin/sscep: reason: Transaction not permitted or supported

problem with make

Unable to create package on Linux - as the sh file refers to sscep_static which seems to be missing.
Could you please help me out?

-M option syntax requires shell meta characters

The -M option (passing additional URL parameters) should be more user friendly - and explicitly NOT use reserved shell meta characters (&).
Instead of passing multiple URL parameters via "-M foo=bar&baz=blurb" the invocation should instead look like "-M foo=bar -M baz=blurb"

SSCEP: Access Denied while sscep enroll Error Code:403

Hello
While enrolling, I am getting the error below:

<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
  <h2>403 - Forbidden: Access is denied.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
 </fieldset></div>
</div>
</body>
</html>
/usr/sbin/sscep: wrong (or missing) MIME content type
/usr/sbin/sscep: error while sending message

Not able to Enroll with NDES, failure reason: Integrity check failed, illegal size of payload

Hi Everyone,

I am facing an issue when doing an Enroll request with an NDES server. We are getting a 200 status code and payload, but while doing the pkcs_unwrap we are seeing an issue, which is listed below for reference.
Request you to help us to resolve this issue.
Thanks in advance.

Logs for reference:

./sscep: server returned status code 200
./sscep: MIME header: x-pki-message
./sscep: valid response from server
./sscep: reading outer PKCS#7
./sscep: PKCS#7 payload size: 713 bytes
./sscep: printing PEM fomatted PKCS#7
./sscep: PKCS#7 contains 1 bytes of enveloped data
./sscep: verifying signature
./sscep: signature ok
./sscep: finding signed attributes
./sscep: finding attribute transId
./sscep: allocating 32 bytes for attribute
./sscep: reply transaction id: 3144EDBD9AA4A9D9FFD8C82693C4C2E8
./sscep: finding attribute messageType
./sscep: allocating 1 bytes for attribute
./sscep: reply message type is good
./sscep: finding attribute senderNonce
./sscep: allocating 16 bytes for attribute
./sscep: senderNonce in reply: 46A5BA0F22DD3C4BBB1781EB22119225
./sscep: finding attribute recipientNonce
./sscep: allocating 16 bytes for attribute
./sscep: recipientNonce in reply: 8E2F075218421ADDC6D1E2668CAD0C7E
./sscep: finding attribute pkiStatus
./sscep: allocating 1 bytes for attribute
./sscep: pkistatus: FAILURE
./sscep: finding attribute failInfo
./sscep: allocating 1 bytes for attribute
./sscep: reason: Integrity check failed
./sscep: illegal size of payload

sscep build failure

Hi,
I am getting the following error while compiling static scep:

gcc -Wall -O -I ../openssl-1.0.2n/include -o sscep_static sscep.o init.o net.o sceputils.o pkcs7.o ias.o fileutils.o configuration.o engine.o ../openssl-1.0.2n/libcrypto.a -ldl
/usr/bin/ld: ../openssl-1.0.2n/libcrypto.a(mem.o): Relocations in generic ELF (EM: 40)
/usr/bin/ld: ../openssl-1.0.2n/libcrypto.a(mem.o): Relocations in generic ELF (EM: 40)
/usr/bin/ld: ../openssl-1.0.2n/libcrypto.a(mem.o): Relocations in generic ELF (EM: 40)
../openssl-1.0.2n/libcrypto.a: could not read symbols: File in wrong format

Thanks

engine pkcs11 usage creates Segmentation fault

Hi,
I try to use sscep with softhsm2 and p11-kit for pkcs11.
sscep is compiled on a Ubuntu 17.10 with Makefile changed to use libssl-dev:amd64 1.0.2g-1ubuntu13.2 for static.

Both dyn and static crash with Segmentation fault.

strace ./sscep_dyn enroll -u http://openxpki/scep/scep -k "pkcs11:token=lhm;object=802.1X;type=private" -r tmp/scep-test.csr -c tmp/cacert-0 -l tmp/scep-test.crt -t 10 -n 1 -v -g pkcs11

[12330.397793] sscep_dyn[4704]: segfault at 0 ip 000055d1b8b0102b sp 00007fff343ca9c0 error 4 in sscep_dyn[55d1b8af4000+12000]

strace (last part)
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 5), ...}) = 0
write(1, "./sscep_dyn: starting sscep, ver"..., 43./sscep_dyn: starting sscep, version 0.6.1
) = 43
write(1, "./sscep_dyn: new transaction\n", 29./sscep_dyn: new transaction
) = 29
write(1, "./sscep_dyn: transaction id: D41"..., 62./sscep_dyn: transaction id: D41D8CD98F00B204E9800998ECF8427E
) = 62
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libpkcs11.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320<\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=75248, ...}) = 0
mmap(NULL, 2170448, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f626d88c000
mprotect(0x7f626d89d000, 2093056, PROT_NONE) = 0
mmap(0x7f626da9c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x10000) = 0x7f626da9c000
close(3) = 0
mprotect(0x7f626da9c000, 4096, PROT_READ) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)

Build instructions

I have been unable to build sscep in either windows or linux. No arrangement of openssl libs that I have found satisfies the build process. What does it take on a new install to call make and have it build?

Check sscep_static

Hi all,
Check if the service is working properly at all:
sscep_static getca -c tmp/cacert -u http://myhost/scep/scep
The following error message is displayed:
./sscep_static: cannot open cert file for writing.
In the "sceep.log" the following error message is displayed:
2016/12/05 22:18:21 INFO:29793 Incoming request from 192.168.30.67 with
2016/12/05 22:18:38 DEBUG:29818 Starting logger from config with config /etc/openxpki/scep/log.conf, facility client.scep
2016/12/05 22:18:38 DEBUG:29818 Config for service scep loaded
2016/12/05 22:18:38 INFO:29818 SCEP handler initialized
2016/12/05 22:18:38 DEBUG:29818 Autodetect config file for service scep: %3Cany%20value%3E.conf
2016/12/05 22:18:38 DEBUG:29818 No config file found, falling back to default
Since what seems to be wrong with the configuration file? Can you help me?
Thanks for reply, by Stefan Harbich

Bad Request error when GetCRL (Transaction not permitted or supported)

I can download the .crl file via the option available in a web browser (http://a.b.c.d/certsrv/....). But when I use sscep, the server responds back with Bad Request status and sscep prints out this "illegal size of payload" line.

/* If FAILURE or PENDING, we can return */
if (s->pki_status != SCEP_PKISTATUS_SUCCESS) {
    /* There shouldn't be any more data... */
    if (v_flag && (used != 0)) {
        fprintf(stderr, "%s: illegal size of payload \n", pname);
    }
    return (0);
}

Is it because something is wrong on the server side or the client side? I'm using Microsoft Server 2012 R2. Here is the log:

oem@oem-XPS-13-9343:~/Downloads/sscep-master/out$ ./sscep_static getcrl -f sscep.conf -c ca.crt-0 -e ca.crt-1 -d -l local.crt -k local.key -w crl.crl
./sscep_static: No engine section specified, not loading an engine
./sscep_static: starting sscep, version 0.6.1
./sscep_static: new transaction
./sscep_static: transaction id: SSCEP transactionId
./sscep_static: hostname: 134.134.161.77
./sscep_static: directory: certsrv/mscep/mscep.dll
./sscep_static: port: 80
./sscep_static: Pivate key local.key could not be loaded via engine, trying file load
./sscep_static: Found private key local.key as file. If the engine can handle it, loading the file
./sscep_static: SCEP_OPERATION_GETCRL
./sscep_static: requesting crl
./sscep_static: request data dump
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
./sscep_static: data payload size: 188 bytes

./sscep_static: hexdump request payload
./sscep_static: hexdump payload 188
./sscep_static: successfully encrypted payload
./sscep_static: envelope size: 656 bytes
./sscep_static: printing PEM fomatted PKCS#7
-----BEGIN PKCS7-----
-----END PKCS7-----
./sscep_static: creating outer PKCS#7
./sscep_static: signature added successfully
./sscep_static: adding signed attributes
./sscep_static: adding string attribute transId
./sscep_static: adding string attribute messageType
./sscep_static: adding octet attribute senderNonce
./sscep_static: PKCS#7 data written successfully
./sscep_static: printing PEM fomatted PKCS#7
-----BEGIN PKCS7-----
-----END PKCS7-----
./sscep_static: applying base64 encoding
./sscep_static: base64 encoded payload size: 4010 bytes
./sscep_static: scep msg: GET /certsrv/mscep/mscep.dll?operation=PKIOperation&message=[base64 payload removed] HTTP/1.0

./sscep_static: server returned status code 200
./sscep_static: MIME header: x-pki-message
./sscep_static: valid response from server
./sscep_static: reading outer PKCS#7
./sscep_static: PKCS#7 payload size: 726 bytes
./sscep_static: printing PEM fomatted PKCS#7
-----BEGIN PKCS7-----
-----END PKCS7-----
./sscep_static: PKCS#7 contains 1 bytes of enveloped data
./sscep_static: verifying signature
./sscep_static: signature ok
./sscep_static: finding signed attributes
./sscep_static: finding attribute transId
./sscep_static: allocating 19 bytes for attribute
./sscep_static: reply transaction id: SSCEP transactionId
./sscep_static: finding attribute messageType
./sscep_static: allocating 1 bytes for attribute
./sscep_static: reply message type is good
./sscep_static: finding attribute senderNonce
./sscep_static: allocating 16 bytes for attribute
./sscep_static: senderNonce in reply: 350A4AF9AA77884BAE03299EA38EA78C
./sscep_static: finding attribute recipientNonce
./sscep_static: allocating 16 bytes for attribute
./sscep_static: recipientNonce in reply: E69643384CB9DFD452E87A77A40C539F
./sscep_static: finding attribute pkiStatus
./sscep_static: allocating 1 bytes for attribute
./sscep_static: pkistatus: FAILURE
./sscep_static: finding attribute failInfo
./sscep_static: allocating 1 bytes for attribute
./sscep_static: reason: Transaction not permitted or supported
./sscep_static: illegal size of payload
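
The three NDES reports above all end in `pkistatus: FAILURE`, a `reason:` line and `illegal size of payload`. The following triage script is an added example (not part of sscep or of any post on this page) that separates the CA's failInfo from the secondary verbose warning produced by the branch quoted above. The function names are hypothetical, and the failInfo names and codes are taken from the SCEP specification (RFC 8894).

```python
import hashlib
import re

# failInfo values from the SCEP specification (RFC 8894), keyed by the
# reason strings that sscep prints in the logs on this page.
FAILINFO = {
    "Integrity check failed": ("badMessageCheck", 1),
    "Transaction not permitted or supported": ("badRequest", 2),
}
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

# Sample input: shortened copy of the verbose output quoted in the
# challenge-password issue on this page.
SAMPLE_LOG = """\
/usr/bin/sscep: illegal size of payload
/usr/bin/sscep: starting sscep, version 0.6
/usr/bin/sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
/usr/bin/sscep: Read request with transaction id: 677F6ADF3BBD1777855A30266E90E748
/usr/bin/sscep: server returned status code 200
/usr/bin/sscep: MIME header: x-pki-message
/usr/bin/sscep: PKCS#7 contains 1 bytes of enveloped data
/usr/bin/sscep: signature ok
/usr/bin/sscep: reply transaction id: 677F6ADF3BBD1777855A30266E90E748
/usr/bin/sscep: pkistatus: FAILURE
/usr/bin/sscep: reason: Transaction not permitted or supported
"""

# (field, regex) pairs applied to the message after the program-name prefix.
PATTERNS = [
    ("request_txid", re.compile(r"^Read request with transaction id: (.+)$")),
    ("reply_txid", re.compile(r"^reply transaction id: (.+)$")),
    ("initial_txid", re.compile(r"^transaction id: (.+)$")),
    ("http_status", re.compile(r"^server returned status code (\d+)$")),
    ("enveloped_bytes", re.compile(r"^PKCS#7 contains (\d+) bytes of enveloped data$")),
    ("pkistatus", re.compile(r"^pkistatus: (\w+)$")),
    ("reason", re.compile(r"^reason: (.+)$")),
]


def parse(log_text):
    """Collect the fields above plus the two bare error messages."""
    fields = {"payload_warning": False, "mime_error": False}
    for line in log_text.splitlines():
        prog, sep, msg = line.strip().partition(": ")
        if not sep or "sscep" not in prog:
            continue  # PEM dumps, shell prompts, HTML bodies, ...
        msg = msg.strip()
        if msg == "illegal size of payload":
            fields["payload_warning"] = True
        elif msg == "wrong (or missing) MIME content type":
            fields["mime_error"] = True
        for name, rx in PATTERNS:
            m = rx.match(msg)
            if m:
                fields.setdefault(name, m.group(1).strip())  # first hit wins
    return fields


def triage(log_text):
    """Return (fields, findings) for one verbose sscep run."""
    f = parse(log_text)
    findings = []
    status = f.get("pkistatus")
    if status == "FAILURE":
        name, code = FAILINFO.get(f.get("reason"), ("unrecognised", None))
        findings.append(f"CA rejected the request: failInfo {name} ({code})")
        if f.get("http_status") == "200":
            findings.append("HTTP transport succeeded; the rejection is "
                            "inside the signed SCEP reply")
    if f["payload_warning"] and status in ("FAILURE", "PENDING"):
        findings.append("'illegal size of payload' is the verbose warning for "
                        "leftover enveloped bytes on a non-SUCCESS reply, "
                        "not the cause of the failure")
    if f.get("initial_txid", "").upper() == EMPTY_MD5:
        findings.append("first transaction id printed is the MD5 of empty input")
    if ("request_txid" in f and "reply_txid" in f
            and f["request_txid"] != f["reply_txid"]):
        findings.append("reply transaction id does not match the request")
    if f["mime_error"]:
        findings.append("response was not a SCEP MIME type; inspect the HTTP "
                        "body (for example an HTML error page)")
    return f, findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)[1]:
        print("-", finding)
```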
