CMS message-level authentication for EST (RFC 8295).
When TLS termination happens at a proxy, EST can still provide message-level security using CMS (Cryptographic Message Syntax):
- Request authentication: CMS SignedData wraps the PKCS#10 CSR. The signer certificate is verified against the EST truststore.
- Response confidentiality: CMS EnvelopedData encrypts the issued certificate to the client's public key, extracted from the CSR or from the CMS SignedData signer certificate.
RFC 8295 §3: The EST server MUST verify the CMS SignedData signature and extract the signer’s certificate for identity verification.
Structs

- CmsVerificationResult - Result of verifying a CMS SignedData message (RFC 8295 §3.1).

Enums

- SupportedContentEncryption - Content encryption algorithms supported for CMS EnvelopedData.

Functions

- build_cms_enveloped_data - Build a CMS EnvelopedData message to encrypt a response payload.
- extract_signer_identity - Convert a CMS verification result into the standard AuthResult.
- validate_content_encryption - Validate a content encryption algorithm string and map it to a supported variant.
- verify_cms_signed_data - Verify a CMS SignedData message and extract the payload.