DES default

[dirkx]

The DES default is getting a bit long in the tooth; and I am seeing the first OpenSSL 3 based SCEP counterparts starting to no longer support it.

May be as simple as going AES; or a flag

diff --git a/scep/scep.go b/scep/scep.go
index c01f9bd..d617230 100644
--- a/scep/scep.go
+++ b/scep/scep.go
@@ -466,6 +466,7 @@ func (msg *PKIMessage) Success(crtAuth *x509.Certificate, keyAuth *rsa.PrivateKe
        }
 
        // encrypt degenerate data using the original messages recipients
+        pkcs7.ContentEncryptionAlgorithm = pkcs7.EncryptionAlgorithmAES128CBC // default is DES,CBC
        e7, err := pkcs7.Encrypt(deg, msg.p7.Certificates)
        if err != nil {
                return nil, err
@@ -571,6 +572,7 @@ func NewCSRRequest(csr *x509.CertificateRequest, tmpl *PKIMessage, opts ...Optio
                }
                return nil, errors.New("no CA/RA recipients")
        }
+        pkcs7.ContentEncryptionAlgorithm = pkcs7.EncryptionAlgorithmAES128CBC // default is DES,CBC
        e7, err := pkcs7.Encrypt(derBytes, recipients)
        if err != nil {
                return nil, err

[stv0g]

After #233 has been merged, this is not relevant for this repo anymore.

@dirkx Can you close this issue? I will open one in https://github.com/smallstep/scep

[dirkx]

Replaced/moved to smallstep/scep#16