SCEP provisioner always require challenge, can renew revoked certs

[michael-lincata]

I'm running step-ca in a local container, with a SCEP provisioner and RSA CA chain. I've built a Java test client based on XiPKI scep-client library that operates as follows:

• Enroll
  • create a key pair
  • create short-lived self-signed cert
  • use self-signed cert to sign the enroll request to step-ca
  • store key pair and received signed cert from step-ca (to be used for renewal)
• Renewal
  • load existing key pair and cert
  • create new key pair
  • create CSR with the new key pair
  • send renewal request to step-ca, using exiting key/cert for signing

I've noticed 2 behaviors that I'm not sure are expected:

1. step-ca requires the SCEP challenge password to be included in the renewal CSR, but I thought this was optional and the fact that the renewal request is signed by the existing cert would be authentication enough
2. if I revoke the existing cert, my Java client is still able to renew the certificate (note that because of point 1, the CSR used for renewal contains the challenge password)

Are these behaviors exepected, or am I doing something wrong?
Thanks.