From 3b900cc06485b5e16135a14d8a44e7b86fed3404 Mon Sep 17 00:00:00 2001
From: Steffen Vogel
Date: Thu, 22 Aug 2024 20:02:17 +0200
Subject: [PATCH] Use AES128-CBC instead of DES-CBC cipher fro pkcs7 envelopes
---
 scep.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/scep.go b/scep.go
index 2184fb6..6c3ba3e 100644
--- a/scep.go
+++ b/scep.go
@@ -486,6 +486,7 @@ func (msg *PKIMessage) Success(crtAuth *x509.Certificate, keyAuth crypto.Private
 }
 
 // encrypt degenerate data using the original messages recipients
+ pkcs7.ContentEncryptionAlgorithm = pkcs7.EncryptionAlgorithmAES128CBC // Default is DES-CBC
 e7, err := pkcs7.Encrypt(deg, msg.p7.Certificates)
 if err != nil {
 return nil, err
@@ -591,6 +592,8 @@ func NewCSRRequest(csr *x509.CertificateRequest, tmpl *PKIMessage, opts ...Optio
 }
 return nil, errors.New("scep: no CA/RA recipients")
 }
+
+ pkcs7.ContentEncryptionAlgorithm = pkcs7.EncryptionAlgorithmAES128CBC // Default is DES-CBC
 e7, err := pkcs7.Encrypt(derBytes, recipients)
 if err != nil {
 return nil, err
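Review bot: The assignment to `pkcs7.ContentEncryptionAlgorithm` added before `pkcs7.Encrypt` in `Success` writes a package-level variable of the pkcs7 library, so it silently changes the cipher for every other user of that package in the process and is an unsynchronised write when two messages are built concurrently; the second hunk adds the same line in `NewCSRRequest`. The value is never restored, so which cipher other code gets depends on whether one of these two functions has run yet. If the pkcs7 API in use has no per-call algorithm parameter, I would route both call sites through one helper that takes a lock, sets the algorithm, encrypts and puts the previous value back, as sketched below. The lock only serialises callers inside this package, which is worth saying in the helper's comment. Both function bodies start and end outside the hunks.

```go
// encryptMu serialises this package's use of the process-wide
// pkcs7.ContentEncryptionAlgorithm setting.
var encryptMu sync.Mutex

// encryptEnvelope envelopes content for recipients with AES-128-CBC and
// restores the previous package-level algorithm before returning.
func encryptEnvelope(content []byte, recipients []*x509.Certificate) ([]byte, error) {
	encryptMu.Lock()
	defer encryptMu.Unlock()

	prev := pkcs7.ContentEncryptionAlgorithm
	pkcs7.ContentEncryptionAlgorithm = pkcs7.EncryptionAlgorithmAES128CBC
	defer func() { pkcs7.ContentEncryptionAlgorithm = prev }()

	return pkcs7.Encrypt(content, recipients)
}

// … unchanged: Success up to the degenerate-data comment …
	e7, err := encryptEnvelope(deg, msg.p7.Certificates)
// … unchanged: NewCSRRequest up to the recipients check …
	e7, err := encryptEnvelope(derBytes, recipients)
```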
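Review bot: In `NewCSRRequest` the content-encryption algorithm is now fixed to AES-128-CBC with no way for a caller to pick another one, although the function already takes `opts ...Option`. A SCEP CA or RA that does not advertise AES support would presumably be unable to open the envelope, so the cipher is better chosen from the CA's advertised capabilities or from an option, with AES as the default and DES only as an explicit legacy opt-in. The inline comment `// Default is DES-CBC` describes the library rather than this code; I would replace it with something like `// AES-128-CBC envelope; assumes the CA advertises AES in its capabilities`. The function body continues outside the hunk, so an existing capability check may not be visible here.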