Add support for CertPoll messages and PENDING responses #22

Open
wants to merge 1 commit into
base: main

l4rkin commented Nov 26, 2024

Name of feature:

Add support for the parsing of CertPoll messages, and the issuing of PENDING responses.

Pain or issue this feature alleviates:

According to the SCEP protocol spec, if a request requires manual verification the SCEP server should issue a PENDING response while this verification takes place. The client should then periodically send CertPoll messages to check on the status of its original request, until it receives either a SUCCESS or a FAILURE result.

Currently, the library does not provide means to create PENDING responses, and rejects CertPoll messages with a not-yet-implemented error. This essentially limits its use to scenarios where synchronous request verification and certificate issuing is possible, which is not always the case.

Is there documentation on how to use this feature? If so, where?

No, but I'm happy to write some up if you can point me towards the best place to do it. The usage is essentially the same as the existing SUCCESS and FAILURE responses however.

In what environments or workflows is this feature supported?

This has been tested to work with the original micromdm/scep client*, and with a macOS device issued with a SCEP profile. However, this should work in any environment that can utilise CertPoll messages and/or PENDING responses.

*(The original client (unlike macOS) doesn't actually respond to PENDING messages with a CertPoll as per the spec, instead opting to resend an identical PKCSReq.)

If you've got any comments/concerns please let me know - thanks!

@hslatman hslatman self-requested a review November 26, 2024 13:45
@hslatman hslatman self-assigned this Nov 26, 2024
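
The PENDING/CertPoll exchange described in the PR description, as an added sketch that is not code from this pull request or from the library. The `Tracker` and `Decision` names are hypothetical, the numeric `messageType` and `pkiStatus` values are those of RFC 8894, and answering a resent PKCSReq as if it were a poll is this example's assumption for clients that behave like the one in the footnote.

```go
package main

import "fmt"

// Values are from RFC 8894; the Go names are this example's own.
const (
	PKCSReq, CertPoll         = 19, 20  // messageType
	Success, Failure, Pending = 0, 2, 3 // pkiStatus
)

// Decision is the manual-verification outcome for one transaction.
type Decision int

const (
	Undecided Decision = iota
	Approved
	Rejected
)

// Tracker (hypothetical) holds requests awaiting review, keyed by transactionID.
type Tracker map[string]Decision

// Decide records a verdict; unknown transactions are ignored.
func (t Tracker) Decide(txID string, d Decision) {
	if _, ok := t[txID]; ok {
		t[txID] = d
	}
}

// Handle returns the pkiStatus to send for an incoming message.
func (t Tracker) Handle(msgType int, txID string) int {
	d, known := t[txID]
	switch {
	case msgType != PKCSReq && msgType != CertPoll:
		return Failure // not part of the enrolment/poll exchange
	case !known && msgType == CertPoll:
		return Failure // poll for a request that was never submitted
	case !known:
		t[txID] = Undecided // new PKCSReq: queue it for manual review
		return Pending
	case d == Undecided:
		return Pending // CertPoll, or a PKCSReq resent with the same ID
	}
	delete(t, txID) // a verdict is delivered once, then forgotten
	if d == Approved {
		return Success
	}
	return Failure
}

func main() {
	t := Tracker{} // "tx-1" is a constructed transaction ID
	fmt.Println(t.Handle(PKCSReq, "tx-1"), t.Handle(CertPoll, "tx-1"))
}
```

Keying on the transaction ID keeps a resent PKCSReq from queuing a second review for the same enrolment, and a CertPoll for an unknown transaction fails closed.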

hslatman commented Dec 9, 2024

Hey @l4rkin,

Thank you for opening the PR. I'll take a better look soon, but from a quick skim looks reasonable 🙂


l4rkin commented Dec 9, 2024

Thanks!
