Rewrite SCEP integration tests to only use the HTTPS endpoint

test/integration/scep/common_test.go

@@ -0,0 +1,254 @@
+package sceptest
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io"
+	"math/big"
+	"net"
+	"net/http"
+	"net/url"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/smallstep/pkcs7"
+	"github.com/smallstep/scep"
+	"go.step.sm/crypto/minica"
+	"go.step.sm/crypto/x509util"
+
+	"github.com/smallstep/certificates/cas/apiv1"
+)
+
+// reservePort "reserves" a TCP port by opening a listener on a random
+// port and immediately closing it. The port can then be assumed to be
+// available for running a server on.
+func reservePort(t *testing.T) (host, port string) {
+	t.Helper()
+	l, err := net.Listen("tcp", ":0")
+	require.NoError(t, err)
+
+	address := l.Addr().String()
+	err = l.Close()
+	require.NoError(t, err)
+
+	host, port, err = net.SplitHostPort(address)
+	require.NoError(t, err)
+
+	return
+}
+
+type client struct {
+	caURL      string
+	caCert     *x509.Certificate
+	httpClient *http.Client
+}
+
+func createSCEPClient(t *testing.T, caURL string, root *x509.Certificate) (*client, error) {
+	t.Helper()
+	trustedRoots := x509.NewCertPool()
+	trustedRoots.AddCert(root)
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+	transport.TLSClientConfig = &tls.Config{
+		RootCAs: trustedRoots,
+	}
+	httpClient := &http.Client{
+		Transport: transport,
+	}
+	return &client{
+		caURL:      caURL,
+		httpClient: httpClient,
+	}, nil
+}
+
+func (c *client) getCACert(t *testing.T) error {
+	// return early if CA certificate already available
+	if c.caCert != nil {
+		return nil
+	}
+
+	resp, err := c.httpClient.Get(fmt.Sprintf("%s?operation=GetCACert&message=test", c.caURL))
+	if err != nil {
+		return fmt.Errorf("failed get request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("failed reading response body: %w", err)
+	}
+
+	t.Log(string(body))
+
+	// SCEP CA/RA certificate selection. If there's only a single certificate, it will
+	// be used as the CA certificate at all times. If there's multiple, the first certificate
+	// is assumed to be the certificate of the recipient to encrypt messages to.
+	switch ct := resp.Header.Get("Content-Type"); ct {
+	case "application/x-x509-ca-cert":
+		cert, err := x509.ParseCertificate(body)
+		if err != nil {
+			return fmt.Errorf("failed parsing response body: %w", err)
+		}
+		if _, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
+			return fmt.Errorf("certificate has unexpected public key type %T", cert.PublicKey)
+		}
+		c.caCert = cert
+	case "application/x-x509-ca-ra-cert":
+		certs, err := scep.CACerts(body)
+		if err != nil {
+			return fmt.Errorf("failed parsing response body: %w", err)
+		}
+		cert := certs[0]
+		if _, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
+			return fmt.Errorf("certificate has unexpected public key type %T", cert.PublicKey)
+		}
+		c.caCert = cert
+	default:
+		fmt.Println("body", string(body))
+
+		return fmt.Errorf("unexpected content-type value %q", ct)
+	}
+
+	return nil
+}
+
+func (c *client) requestCertificate(t *testing.T, commonName string, sans []string) (*x509.Certificate, error) {
+	if err := c.getCACert(t); err != nil {
+		return nil, fmt.Errorf("failed getting CA certificate: %w", err)
+	}
+
+	signer, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, fmt.Errorf("failed creating SCEP private key: %w", err)
+	}
+
+	csr, err := x509util.CreateCertificateRequest(commonName, sans, signer)
+	if err != nil {
+		return nil, fmt.Errorf("failed creating CSR: %w", err)
+	}
+
+	tmpl := &x509.Certificate{
+		Subject:        csr.Subject,
+		PublicKey:      signer.Public(),
+		SerialNumber:   big.NewInt(1),
+		NotBefore:      time.Now().Add(-1 * time.Hour),
+		NotAfter:       time.Now().Add(1 * time.Hour),
+		DNSNames:       csr.DNSNames,
+		IPAddresses:    csr.IPAddresses,
+		EmailAddresses: csr.EmailAddresses,
+		URIs:           csr.URIs,
+	}
+
+	selfSigned, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
+	if err != nil {
+		return nil, fmt.Errorf("failed creating self signed certificate: %w", err)
+	}
+	selfSignedCertificate, err := x509.ParseCertificate(selfSigned)
+	if err != nil {
+		return nil, fmt.Errorf("failed parsing self signed certificate: %w", err)
+	}
+
+	msgTmpl := &scep.PKIMessage{
+		TransactionID: "test-1",
+		MessageType:   scep.PKCSReq,
+		SenderNonce:   []byte("test-nonce-1"),
+		Recipients:    []*x509.Certificate{c.caCert},
+		SignerCert:    selfSignedCertificate,
+		SignerKey:     signer,
+	}
+
+	msg, err := scep.NewCSRRequest(csr, msgTmpl)
+	if err != nil {
+		return nil, fmt.Errorf("failed creating SCEP PKCSReq message: %w", err)
+	}
+
+	t.Log(string(msg.Raw))
+
+	u, err := url.Parse(c.caURL)
+	if err != nil {
+		return nil, fmt.Errorf("failed parsing CA URL: %w", err)
+	}
+
+	opURL := u.ResolveReference(&url.URL{RawQuery: fmt.Sprintf("operation=PKIOperation&message=%s", url.QueryEscape(base64.StdEncoding.EncodeToString(msg.Raw)))})
+	resp, err := c.httpClient.Get(opURL.String())
+	if err != nil {
+		return nil, fmt.Errorf("failed get request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if ct := resp.Header.Get("Content-Type"); ct != "application/x-pki-message" {
+		return nil, fmt.Errorf("received unexpected content type %q", ct)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed reading response body: %w", err)
+	}
+
+	t.Log(string(body))
+
+	signedData, err := pkcs7.Parse(body)
+	if err != nil {
+		return nil, fmt.Errorf("failed parsing response body: %w", err)
+	}
+
+	// TODO: verify the signature?
+
+	p7, err := pkcs7.Parse(signedData.Content)
+	if err != nil {
+		return nil, fmt.Errorf("failed decrypting inner p7: %w", err)
+	}
+
+	content, err := p7.Decrypt(selfSignedCertificate, signer)
+	if err != nil {
+		return nil, fmt.Errorf("failed decrypting response: %w", err)
+	}
+
+	p7, err = pkcs7.Parse(content)
+	if err != nil {
+		return nil, fmt.Errorf("failed parsing p7 content: %w", err)
+	}
+
+	cert := p7.Certificates[0]
+
+	return cert, nil
+}
+
+type testCAS struct {
+	ca *minica.CA
+}
+
+func (c *testCAS) CreateCertificate(req *apiv1.CreateCertificateRequest) (*apiv1.CreateCertificateResponse, error) {
+	cert, err := c.ca.SignCSR(req.CSR)
+	if err != nil {
+		return nil, fmt.Errorf("failed signing CSR: %w", err)
+	}
+
+	return &apiv1.CreateCertificateResponse{
+		Certificate:      cert,
+		CertificateChain: []*x509.Certificate{cert, c.ca.Intermediate},
+	}, nil
+}
+func (c *testCAS) RenewCertificate(req *apiv1.RenewCertificateRequest) (*apiv1.RenewCertificateResponse, error) {
+	return nil, errors.New("not implemented")
+}
+
+func (c *testCAS) RevokeCertificate(req *apiv1.RevokeCertificateRequest) (*apiv1.RevokeCertificateResponse, error) {
+	return nil, errors.New("not implemented")
+}
+
+func (c *testCAS) GetCertificateAuthority(req *apiv1.GetCertificateAuthorityRequest) (*apiv1.GetCertificateAuthorityResponse, error) {
+	return &apiv1.GetCertificateAuthorityResponse{
+		RootCertificate:          c.ca.Root,
+		IntermediateCertificates: []*x509.Certificate{c.ca.Intermediate},
+	}, nil
+}
+
+var _ apiv1.CertificateAuthorityService = (*testCAS)(nil)
+var _ apiv1.CertificateAuthorityGetter = (*testCAS)(nil)

test/integration/scep/decrypter_cas_test.go

@@ -0,0 +1,162 @@
+package sceptest
+
+import (
+	"context"
+	"crypto"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"net"
+	"net/http"
+	"path/filepath"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"go.step.sm/crypto/keyutil"
+	"go.step.sm/crypto/minica"
+	"go.step.sm/crypto/pemutil"
+
+	"github.com/smallstep/certificates/authority/config"
+	"github.com/smallstep/certificates/authority/provisioner"
+	"github.com/smallstep/certificates/ca"
+	"github.com/smallstep/certificates/cas/apiv1"
+)
+
+func TestIssuesCertificateUsingSCEPWithDecrypterAndUpstreamCAS(t *testing.T) {
+	signer, err := keyutil.GenerateSigner("EC", "P-256", 0)
+	require.NoError(t, err)
+
+	dir := t.TempDir()
+	m, err := minica.New(minica.WithName("Step E2E | SCEP Decrypter w/ Upstream CAS"), minica.WithGetSignerFunc(func() (crypto.Signer, error) {
+		return signer, nil
+	}))
+	require.NoError(t, err)
+
+	rootFilepath := filepath.Join(dir, "root.crt")
+	_, err = pemutil.Serialize(m.Root, pemutil.WithFilename(rootFilepath))
+	require.NoError(t, err)
+
+	intermediateCertFilepath := filepath.Join(dir, "intermediate.crt")
+	_, err = pemutil.Serialize(m.Intermediate, pemutil.WithFilename(intermediateCertFilepath))
+	require.NoError(t, err)
+
+	intermediateKeyFilepath := filepath.Join(dir, "intermediate.key")
+	_, err = pemutil.Serialize(m.Signer, pemutil.WithFilename(intermediateKeyFilepath))
+	require.NoError(t, err)
+
+	decrypterKey, err := keyutil.GenerateKey("RSA", "", 2048)
+	require.NoError(t, err)
+
+	decrypter, ok := decrypterKey.(crypto.Decrypter)
+	require.True(t, ok)
+
+	decrypterCertifiate, err := m.Sign(&x509.Certificate{
+		Subject:      pkix.Name{CommonName: "decrypter"},
+		PublicKey:    decrypter.Public(),
+		SerialNumber: big.NewInt(1),
+		NotBefore:    time.Now().Add(-1 * time.Hour),
+		NotAfter:     time.Now().Add(1 * time.Hour),
+		DNSNames:     []string{"decrypter"},
+	})
+	require.NoError(t, err)
+
+	b, err := pemutil.Serialize(decrypterCertifiate)
+	require.NoError(t, err)
+	decrypterCertificatePEMBytes := pem.EncodeToMemory(b)
+
+	b, err = pemutil.Serialize(decrypter, pemutil.WithPassword([]byte("1234")))
+	require.NoError(t, err)
+	decrypterKeyPEMBytes := pem.EncodeToMemory(b)
+
+	// get a random address to listen on and connect to; currently no nicer way to get one before starting the server
+	// TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it?
+	host, port := reservePort(t)
+
+	prov := &provisioner.SCEP{
+		ID:                            "scep",
+		Name:                          "scep",
+		Type:                          "SCEP",
+		ForceCN:                       false,
+		ChallengePassword:             "",
+		EncryptionAlgorithmIdentifier: 2,
+		MinimumPublicKeyLength:        2048,
+		Claims:                        &config.GlobalProvisionerClaims,
+		DecrypterCertificate:          decrypterCertificatePEMBytes,
+		DecrypterKeyPEM:               decrypterKeyPEMBytes,
+		DecrypterKeyPassword:          "1234",
+	}
+
+	err = prov.Init(provisioner.Config{})
+	require.NoError(t, err)
+
+	apiv1.Register("test-scep-cas", func(_ context.Context, opts apiv1.Options) (apiv1.CertificateAuthorityService, error) {
+		return &testCAS{
+			ca: m,
+		}, nil
+	})
+
+	cfg := &config.Config{
+		Address:  net.JoinHostPort(host, port), // reuse the address that was just "reserved"
+		DNSNames: []string{"127.0.0.1", "[::1]", "localhost"},
+		AuthorityConfig: &config.AuthConfig{
+			Options: &apiv1.Options{
+				AuthorityID:          "stepca-test-scep",
+				Type:                 "test-scep-cas",
+				CertificateAuthority: "test-cas",
+			},
+			AuthorityID:    "stepca-test-scep",
+			DeploymentType: "standalone-test",
+			Provisioners:   provisioner.List{prov},
+		},
+		Logger: json.RawMessage(`{"format": "text"}`),
+	}
+	c, err := ca.New(cfg)
+	require.NoError(t, err)
+
+	// instantiate a client for the CA running at the random address
+	caClient, err := ca.NewClient(
+		fmt.Sprintf("https://localhost:%s", port),
+		ca.WithRootFile(rootFilepath),
+	)
+	require.NoError(t, err)
+
+	var wg sync.WaitGroup
+	wg.Add(1)
+
+	go func() {
+		defer wg.Done()
+		err = c.Run()
+		require.ErrorIs(t, err, http.ErrServerClosed)
+	}()
+
+	// require OK health response as the baseline
+	ctx := context.Background()
+	healthResponse, err := caClient.HealthWithContext(ctx)
+	require.NoError(t, err)
+	if assert.NotNil(t, healthResponse) {
+		require.Equal(t, "ok", healthResponse.Status)
+	}
+
+	scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
+	require.NoError(t, err)
+
+	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
+	assert.NoError(t, err)
+	require.NotNil(t, cert)
+
+	assert.Equal(t, "test.localhost", cert.Subject.CommonName)
+	assert.Equal(t, "Step E2E | SCEP Decrypter w/ Upstream CAS Intermediate CA", cert.Issuer.CommonName)
+
+	// done testing; stop and wait for the server to quit
+	err = c.Stop()
+	require.NoError(t, err)
+
+	wg.Wait()
+}

test/integration/scep/decrypter_test.go

@@ -0,0 +1,153 @@
+package sceptest
+
+import (
+	"context"
+	"crypto"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"net"
+	"net/http"
+	"path/filepath"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"go.step.sm/crypto/keyutil"
+	"go.step.sm/crypto/minica"
+	"go.step.sm/crypto/pemutil"
+
+	"github.com/smallstep/certificates/authority/config"
+	"github.com/smallstep/certificates/authority/provisioner"
+	"github.com/smallstep/certificates/ca"
+)
+
+func TestIssuesCertificateUsingSCEPWithDecrypter(t *testing.T) {
+	signer, err := keyutil.GenerateSigner("EC", "P-256", 0)
+	require.NoError(t, err)
+
+	dir := t.TempDir()
+	m, err := minica.New(minica.WithName("Step E2E | SCEP Decrypter"), minica.WithGetSignerFunc(func() (crypto.Signer, error) {
+		return signer, nil
+	}))
+	require.NoError(t, err)
+
+	rootFilepath := filepath.Join(dir, "root.crt")
+	_, err = pemutil.Serialize(m.Root, pemutil.WithFilename(rootFilepath))
+	require.NoError(t, err)
+
+	intermediateCertFilepath := filepath.Join(dir, "intermediate.crt")
+	_, err = pemutil.Serialize(m.Intermediate, pemutil.WithFilename(intermediateCertFilepath))
+	require.NoError(t, err)
+
+	intermediateKeyFilepath := filepath.Join(dir, "intermediate.key")
+	_, err = pemutil.Serialize(m.Signer, pemutil.WithFilename(intermediateKeyFilepath))
+	require.NoError(t, err)
+
+	decrypterKey, err := keyutil.GenerateKey("RSA", "", 2048)
+	require.NoError(t, err)
+
+	decrypter, ok := decrypterKey.(crypto.Decrypter)
+	require.True(t, ok)
+
+	decrypterCertifiate, err := m.Sign(&x509.Certificate{
+		Subject:      pkix.Name{CommonName: "decrypter"},
+		PublicKey:    decrypter.Public(),
+		SerialNumber: big.NewInt(1),
+		NotBefore:    time.Now().Add(-1 * time.Hour),
+		NotAfter:     time.Now().Add(1 * time.Hour),
+		DNSNames:     []string{"decrypter"},
+	})
+	require.NoError(t, err)
+
+	b, err := pemutil.Serialize(decrypterCertifiate)
+	require.NoError(t, err)
+	decrypterCertificatePEMBytes := pem.EncodeToMemory(b)
+
+	b, err = pemutil.Serialize(decrypter, pemutil.WithPassword([]byte("1234")))
+	require.NoError(t, err)
+	decrypterKeyPEMBytes := pem.EncodeToMemory(b)
+
+	// get a random address to listen on and connect to; currently no nicer way to get one before starting the server
+	// TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it?
+	host, port := reservePort(t)
+
+	prov := &provisioner.SCEP{
+		ID:                            "scep",
+		Name:                          "scep",
+		Type:                          "SCEP",
+		ForceCN:                       false,
+		ChallengePassword:             "",
+		EncryptionAlgorithmIdentifier: 2,
+		MinimumPublicKeyLength:        2048,
+		Claims:                        &config.GlobalProvisionerClaims,
+		DecrypterCertificate:          decrypterCertificatePEMBytes,
+		DecrypterKeyPEM:               decrypterKeyPEMBytes,
+		DecrypterKeyPassword:          "1234",
+	}
+
+	err = prov.Init(provisioner.Config{})
+	require.NoError(t, err)
+
+	cfg := &config.Config{
+		Root:             []string{rootFilepath},
+		IntermediateCert: intermediateCertFilepath,
+		IntermediateKey:  intermediateKeyFilepath,
+		Address:          net.JoinHostPort(host, port), // reuse the address that was just "reserved"
+		DNSNames:         []string{"127.0.0.1", "[::1]", "localhost"},
+		AuthorityConfig: &config.AuthConfig{
+			AuthorityID:    "stepca-test-scep",
+			DeploymentType: "standalone-test",
+			Provisioners:   provisioner.List{prov},
+		},
+		Logger: json.RawMessage(`{"format": "text"}`),
+	}
+	c, err := ca.New(cfg)
+	require.NoError(t, err)
+
+	// instantiate a client for the CA running at the random address
+	caClient, err := ca.NewClient(
+		fmt.Sprintf("https://localhost:%s", port),
+		ca.WithRootFile(rootFilepath),
+	)
+	require.NoError(t, err)
+
+	var wg sync.WaitGroup
+	wg.Add(1)
+
+	go func() {
+		defer wg.Done()
+		err = c.Run()
+		require.ErrorIs(t, err, http.ErrServerClosed)
+	}()
+
+	// require OK health response as the baseline
+	ctx := context.Background()
+	healthResponse, err := caClient.HealthWithContext(ctx)
+	require.NoError(t, err)
+	if assert.NotNil(t, healthResponse) {
+		require.Equal(t, "ok", healthResponse.Status)
+	}
+
+	scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
+	require.NoError(t, err)
+
+	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
+	assert.NoError(t, err)
+	require.NotNil(t, cert)
+
+	assert.Equal(t, "test.localhost", cert.Subject.CommonName)
+	assert.Equal(t, "Step E2E | SCEP Decrypter Intermediate CA", cert.Issuer.CommonName)
+
+	// done testing; stop and wait for the server to quit
+	err = c.Stop()
+	require.NoError(t, err)
+
+	wg.Wait()
+}

test/integration/scep/regular_cas_test.go

@@ -0,0 +1,129 @@
+package sceptest
+
+import (
+	"context"
+	"crypto"
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/http"
+	"path/filepath"
+	"sync"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"go.step.sm/crypto/keyutil"
+	"go.step.sm/crypto/minica"
+	"go.step.sm/crypto/pemutil"
+
+	"github.com/smallstep/certificates/authority/config"
+	"github.com/smallstep/certificates/authority/provisioner"
+	"github.com/smallstep/certificates/ca"
+	"github.com/smallstep/certificates/cas/apiv1"
+)
+
+func TestFailsIssuingCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) {
+	signer, err := keyutil.GenerateSigner("RSA", "", 2048)
+	require.NoError(t, err)
+
+	dir := t.TempDir()
+	m, err := minica.New(minica.WithName("Step E2E | SCEP Regular w/ Upstream CAS"), minica.WithGetSignerFunc(func() (crypto.Signer, error) {
+		return signer, nil
+	}))
+	require.NoError(t, err)
+
+	rootFilepath := filepath.Join(dir, "root.crt")
+	_, err = pemutil.Serialize(m.Root, pemutil.WithFilename(rootFilepath))
+	require.NoError(t, err)
+
+	intermediateCertFilepath := filepath.Join(dir, "intermediate.crt")
+	_, err = pemutil.Serialize(m.Intermediate, pemutil.WithFilename(intermediateCertFilepath))
+	require.NoError(t, err)
+
+	intermediateKeyFilepath := filepath.Join(dir, "intermediate.key")
+	_, err = pemutil.Serialize(m.Signer, pemutil.WithFilename(intermediateKeyFilepath))
+	require.NoError(t, err)
+
+	// get a random address to listen on and connect to; currently no nicer way to get one before starting the server
+	// TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it?
+	host, port := reservePort(t)
+
+	prov := &provisioner.SCEP{
+		ID:                            "scep",
+		Name:                          "scep",
+		Type:                          "SCEP",
+		ForceCN:                       false,
+		ChallengePassword:             "",
+		EncryptionAlgorithmIdentifier: 2,
+		MinimumPublicKeyLength:        2048,
+		Claims:                        &config.GlobalProvisionerClaims,
+	}
+
+	err = prov.Init(provisioner.Config{})
+	require.NoError(t, err)
+
+	apiv1.Register("test-scep-cas", func(_ context.Context, opts apiv1.Options) (apiv1.CertificateAuthorityService, error) {
+		return &testCAS{
+			ca: m,
+		}, nil
+	})
+
+	cfg := &config.Config{
+		Address:  net.JoinHostPort(host, port), // reuse the address that was just "reserved"
+		DNSNames: []string{"127.0.0.1", "[::1]", "localhost"},
+		AuthorityConfig: &config.AuthConfig{
+			Options: &apiv1.Options{
+				AuthorityID:          "stepca-test-scep",
+				Type:                 "test-scep-cas",
+				CertificateAuthority: "test-cas",
+			},
+			AuthorityID:    "stepca-test-scep",
+			DeploymentType: "standalone-test",
+			Provisioners:   provisioner.List{prov},
+		},
+		Logger: json.RawMessage(`{"format": "text"}`),
+	}
+	c, err := ca.New(cfg)
+	require.NoError(t, err)
+
+	// instantiate a client for the CA running at the random address
+	caClient, err := ca.NewClient(
+		fmt.Sprintf("https://localhost:%s", port),
+		ca.WithRootFile(rootFilepath),
+	)
+	require.NoError(t, err)
+
+	var wg sync.WaitGroup
+	wg.Add(1)
+
+	go func() {
+		defer wg.Done()
+		err = c.Run()
+		require.ErrorIs(t, err, http.ErrServerClosed)
+	}()
+
+	// require OK health response as the baseline
+	ctx := context.Background()
+	healthResponse, err := caClient.HealthWithContext(ctx)
+	require.NoError(t, err)
+	if assert.NotNil(t, healthResponse) {
+		require.Equal(t, "ok", healthResponse.Status)
+	}
+
+	scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
+	require.NoError(t, err)
+
+	// issuance is expected to fail when an upstream CAS is configured, as the current
+	// CAS interfaces do not support providing a decrypter.
+	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
+	assert.Error(t, err)
+	assert.Nil(t, cert)
+
+	// done testing; stop and wait for the server to quit
+	err = c.Stop()
+	require.NoError(t, err)
+
+	wg.Wait()
+}

test/integration/scep/regular_test.go

@@ -0,0 +1,121 @@
+package sceptest
+
+import (
+	"context"
+	"crypto"
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/http"
+	"path/filepath"
+	"sync"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"go.step.sm/crypto/keyutil"
+	"go.step.sm/crypto/minica"
+	"go.step.sm/crypto/pemutil"
+
+	"github.com/smallstep/certificates/authority/config"
+	"github.com/smallstep/certificates/authority/provisioner"
+	"github.com/smallstep/certificates/ca"
+)
+
+func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) {
+	signer, err := keyutil.GenerateSigner("RSA", "", 2048)
+	require.NoError(t, err)
+
+	dir := t.TempDir()
+	m, err := minica.New(minica.WithName("Step E2E | SCEP Regular"), minica.WithGetSignerFunc(func() (crypto.Signer, error) {
+		return signer, nil
+	}))
+	require.NoError(t, err)
+
+	rootFilepath := filepath.Join(dir, "root.crt")
+	_, err = pemutil.Serialize(m.Root, pemutil.WithFilename(rootFilepath))
+	require.NoError(t, err)
+
+	intermediateCertFilepath := filepath.Join(dir, "intermediate.crt")
+	_, err = pemutil.Serialize(m.Intermediate, pemutil.WithFilename(intermediateCertFilepath))
+	require.NoError(t, err)
+
+	intermediateKeyFilepath := filepath.Join(dir, "intermediate.key")
+	_, err = pemutil.Serialize(m.Signer, pemutil.WithFilename(intermediateKeyFilepath))
+	require.NoError(t, err)
+
+	// get a random address to listen on and connect to; currently no nicer way to get one before starting the server
+	// TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it?
+	host, port := reservePort(t)
+
+	prov := &provisioner.SCEP{
+		ID:                            "scep",
+		Name:                          "scep",
+		Type:                          "SCEP",
+		ForceCN:                       false,
+		ChallengePassword:             "",
+		EncryptionAlgorithmIdentifier: 2,
+		MinimumPublicKeyLength:        2048,
+		Claims:                        &config.GlobalProvisionerClaims,
+	}
+
+	err = prov.Init(provisioner.Config{})
+	require.NoError(t, err)
+
+	cfg := &config.Config{
+		Root:             []string{rootFilepath},
+		IntermediateCert: intermediateCertFilepath,
+		IntermediateKey:  intermediateKeyFilepath,
+		Address:          net.JoinHostPort(host, port), // reuse the address that was just "reserved"
+		DNSNames:         []string{"127.0.0.1", "[::1]", "localhost"},
+		AuthorityConfig: &config.AuthConfig{
+			AuthorityID:    "stepca-test-scep",
+			DeploymentType: "standalone-test",
+			Provisioners:   provisioner.List{prov},
+		},
+		Logger: json.RawMessage(`{"format": "text"}`),
+	}
+	c, err := ca.New(cfg)
+	require.NoError(t, err)
+
+	// instantiate a client for the CA running at the random address
+	caClient, err := ca.NewClient(
+		fmt.Sprintf("https://localhost:%s", port),
+		ca.WithRootFile(rootFilepath),
+	)
+	require.NoError(t, err)
+
+	var wg sync.WaitGroup
+	wg.Add(1)
+
+	go func() {
+		defer wg.Done()
+		err = c.Run()
+		require.ErrorIs(t, err, http.ErrServerClosed)
+	}()
+
+	// require OK health response as the baseline
+	ctx := context.Background()
+	healthResponse, err := caClient.HealthWithContext(ctx)
+	require.NoError(t, err)
+	if assert.NotNil(t, healthResponse) {
+		require.Equal(t, "ok", healthResponse.Status)
+	}
+
+	scepClient, err := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
+	require.NoError(t, err)
+
+	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
+	assert.NoError(t, err)
+	require.NotNil(t, cert)
+
+	assert.Equal(t, "test.localhost", cert.Subject.CommonName)
+	assert.Equal(t, "Step E2E | SCEP Regular Intermediate CA", cert.Issuer.CommonName)
+
+	// done testing; stop and wait for the server to quit
+	err = c.Stop()
+	require.NoError(t, err)
+
+	wg.Wait()
+}