]>
Commit | Line | Data |
---|---|---|
997358a6 MW |
1 | /* |
2 | * Copyright (C) 2005 Jan Hutter, Martin Willi | |
3 | * Hochschule fuer Technik Rapperswil | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify it | |
6 | * under the terms of the GNU General Public License as published by the | |
7 | * Free Software Foundation; either version 2 of the License, or (at your | |
8 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
9 | * | |
10 | * This program is distributed in the hope that it will be useful, but | |
11 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
12 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
13 | * for more details. | |
14 | */ | |
15 | ||
16 | /** | |
17 | * @file main.c | |
18 | * @brief scepclient main program | |
19 | */ | |
20 | ||
21 | /** | |
22 | * @mainpage SCEP for Linux strongSwan | |
23 | * | |
24 | * Documentation of SCEP for Linux StrongSwan | |
25 | */ | |
26 | ||
27 | #include <stdarg.h> | |
28 | #include <stdio.h> | |
29 | #include <stdlib.h> | |
30 | #include <string.h> | |
31 | #include <getopt.h> | |
32 | #include <ctype.h> | |
33 | #include <unistd.h> | |
34 | #include <time.h> | |
997358a6 MW |
35 | |
36 | #include <freeswan.h> | |
bc2e33ca | 37 | |
a6e3ec13 AS |
38 | #include <library.h> |
39 | #include <debug.h> | |
08b2d288 | 40 | #include <asn1/asn1.h> |
96cc677c | 41 | #include <asn1/oid.h> |
54c4de63 | 42 | #include <utils/optionsfrom.h> |
6e9fe153 | 43 | #include <utils/enumerator.h> |
0eff9f65 AS |
44 | #include <utils/linked_list.h> |
45 | #include <crypto/hashers/hasher.h> | |
71e725d3 AS |
46 | #include <crypto/crypters/crypter.h> |
47 | #include <crypto/proposal/proposal_keywords.h> | |
8b799d55 AS |
48 | #include <credentials/keys/private_key.h> |
49 | #include <credentials/keys/public_key.h> | |
0eff9f65 AS |
50 | #include <credentials/certificates/certificate.h> |
51 | #include <credentials/certificates/x509.h> | |
52 | #include <credentials/certificates/pkcs10.h> | |
997358a6 MW |
53 | |
54 | #include "../pluto/constants.h" | |
55 | #include "../pluto/defs.h" | |
56 | #include "../pluto/log.h" | |
997358a6 | 57 | #include "../pluto/certs.h" |
17722d44 | 58 | #include "../pluto/pkcs7.h" |
997358a6 | 59 | |
997358a6 MW |
60 | #include "scep.h" |
61 | ||
62 | /* | |
63 | * definition of some defaults | |
64 | */ | |
65 | ||
66 | /* default name of DER-encoded PKCS#1 private key file */ | |
3d7a244b | 67 | #define DEFAULT_FILENAME_PKCS1 "myKey.der" |
997358a6 MW |
68 | |
69 | /* default name of DER-encoded PKCS#10 certificate request file */ | |
3d7a244b | 70 | #define DEFAULT_FILENAME_PKCS10 "myReq.der" |
997358a6 MW |
71 | |
72 | /* default name of DER-encoded PKCS#7 file */ | |
3d7a244b | 73 | #define DEFAULT_FILENAME_PKCS7 "pkcs7.der" |
997358a6 MW |
74 | |
75 | /* default name of DER-encoded self-signed X.509 certificate file */ | |
3d7a244b | 76 | #define DEFAULT_FILENAME_CERT_SELF "selfCert.der" |
997358a6 MW |
77 | |
78 | /* default name of DER-encoded X.509 certificate file */ | |
3d7a244b | 79 | #define DEFAULT_FILENAME_CERT "myCert.der" |
997358a6 MW |
80 | |
81 | /* default name of DER-encoded CA cert file used for key encipherment */ | |
3d7a244b | 82 | #define DEFAULT_FILENAME_CACERT_ENC "caCert.der" |
997358a6 MW |
83 | |
84 | /* default name of the der encoded CA cert file used for signature verification */ | |
3d7a244b | 85 | #define DEFAULT_FILENAME_CACERT_SIG "caCert.der" |
997358a6 MW |
86 | |
87 | /* default prefix of the der encoded CA certificates received from the SCEP server */ | |
3d7a244b | 88 | #define DEFAULT_FILENAME_PREFIX_CACERT "caCert.der" |
997358a6 MW |
89 | |
90 | /* default certificate validity */ | |
3d7a244b | 91 | #define DEFAULT_CERT_VALIDITY 5 * 3600 * 24 * 365 /* seconds */ |
997358a6 MW |
92 | |
93 | /* default polling time interval in SCEP manual mode */ | |
3d7a244b | 94 | #define DEFAULT_POLL_INTERVAL 20 /* seconds */ |
997358a6 MW |
95 | |
96 | /* default key length for self-generated RSA keys */ | |
3d7a244b | 97 | #define DEFAULT_RSA_KEY_LENGTH 2048 /* bits */ |
997358a6 MW |
98 | |
99 | /* default distinguished name */ | |
100 | #define DEFAULT_DN "C=CH, O=Linux strongSwan, CN=" | |
101 | ||
102 | /* challenge password buffer size */ | |
103 | #define MAX_PASSWORD_LENGTH 256 | |
104 | ||
105 | /* Max length of filename for tempfile */ | |
106 | #define MAX_TEMP_FILENAME_LENGTH 256 | |
107 | ||
108 | ||
109 | /* current scepclient version */ | |
110 | static const char *scepclient_version = "1.0"; | |
111 | ||
112 | /* by default the CRL policy is lenient */ | |
113 | bool strict_crl_policy = FALSE; | |
114 | ||
115 | /* by default pluto does not check crls dynamically */ | |
116 | long crl_check_interval = 0; | |
117 | ||
118 | /* by default pluto logs out after every smartcard use */ | |
119 | bool pkcs11_keep_state = FALSE; | |
120 | ||
54c4de63 AS |
121 | /* options read by optionsfrom */ |
122 | options_t *options; | |
997358a6 MW |
123 | |
124 | /* | |
125 | * Global variables | |
126 | */ | |
127 | ||
997358a6 MW |
128 | chunk_t pkcs1; |
129 | chunk_t pkcs7; | |
997358a6 MW |
130 | chunk_t challengePassword; |
131 | chunk_t serialNumber; | |
132 | chunk_t transID; | |
133 | chunk_t fingerprint; | |
0eff9f65 AS |
134 | chunk_t encoding; |
135 | chunk_t pkcs10_encoding; | |
997358a6 MW |
136 | chunk_t issuerAndSubject; |
137 | chunk_t getCertInitial; | |
138 | chunk_t scep_response; | |
997358a6 | 139 | |
0eff9f65 AS |
140 | linked_list_t *subjectAltNames; |
141 | ||
142 | identification_t *subject = NULL; | |
143 | private_key_t *private_key = NULL; | |
144 | public_key_t *public_key = NULL; | |
145 | certificate_t *x509_signer = NULL; | |
146 | certificate_t *x509_ca_enc = NULL; | |
147 | certificate_t *x509_ca_sig = NULL; | |
148 | certificate_t *pkcs10_req = NULL; | |
997358a6 MW |
149 | |
150 | /** | |
151 | * @brief exit scepclient | |
152 | * | |
997358a6 MW |
153 | * @param status 0 = OK, 1 = general discomfort |
154 | */ | |
155 | static void | |
156 | exit_scepclient(err_t message, ...) | |
157 | { | |
3d7a244b AS |
158 | int status = 0; |
159 | ||
0eff9f65 | 160 | DESTROY_IF(subject); |
8b799d55 AS |
161 | DESTROY_IF(private_key); |
162 | DESTROY_IF(public_key); | |
0eff9f65 AS |
163 | DESTROY_IF(x509_signer); |
164 | DESTROY_IF(x509_ca_enc); | |
165 | DESTROY_IF(x509_ca_sig); | |
166 | DESTROY_IF(pkcs10_req); | |
167 | subjectAltNames->destroy_offset(subjectAltNames, | |
168 | offsetof(identification_t, destroy)); | |
3d7a244b AS |
169 | free(pkcs1.ptr); |
170 | free(pkcs7.ptr); | |
3d7a244b AS |
171 | free(serialNumber.ptr); |
172 | free(transID.ptr); | |
173 | free(fingerprint.ptr); | |
0eff9f65 AS |
174 | free(encoding.ptr); |
175 | free(pkcs10_encoding.ptr); | |
3d7a244b AS |
176 | free(issuerAndSubject.ptr); |
177 | free(getCertInitial.ptr); | |
178 | free(scep_response.ptr); | |
3d7a244b AS |
179 | options->destroy(options); |
180 | ||
181 | /* print any error message to stderr */ | |
182 | if (message != NULL && *message != '\0') | |
183 | { | |
184 | va_list args; | |
185 | char m[LOG_WIDTH]; /* longer messages will be truncated */ | |
186 | ||
187 | va_start(args, message); | |
188 | vsnprintf(m, sizeof(m), message, args); | |
189 | va_end(args); | |
190 | ||
191 | fprintf(stderr, "error: %s\n", m); | |
192 | status = -1; | |
193 | } | |
194 | library_deinit(); | |
195 | close_log(); | |
196 | exit(status); | |
997358a6 MW |
197 | } |
198 | ||
199 | /** | |
200 | * @brief prints the program version and exits | |
201 | * | |
202 | */ | |
203 | static void | |
204 | version(void) | |
205 | { | |
3d7a244b AS |
206 | printf("scepclient %s\n", scepclient_version); |
207 | exit_scepclient(NULL); | |
997358a6 MW |
208 | } |
209 | ||
210 | /** | |
211 | * @brief prints the usage of the program to the stderr output | |
212 | * | |
213 | * If message is set, program is exitet with 1 (error) | |
214 | * @param message message in case of an error | |
215 | */ | |
216 | static void | |
217 | usage(const char *message) | |
218 | { | |
3d7a244b AS |
219 | fprintf(stderr, |
220 | "Usage: scepclient\n" | |
221 | " --help (-h) show usage and exit\n" | |
222 | " --version (-v) show version and exit\n" | |
223 | " --quiet (-q) do not write log output to stderr\n" | |
224 | " --in (-i) <type>[=<filename>] use <filename> of <type> for input \n" | |
225 | " <type> = pkcs1 | cacert-enc | cacert-sig\n" | |
226 | " - if no pkcs1 input is defined, a \n" | |
227 | " RSA key will be generated\n" | |
228 | " - if no filename is given, default is used\n" | |
229 | " --out (-o) <type>[=<filename>] write output of <type> to <filename>\n" | |
230 | " multiple outputs are allowed\n" | |
231 | " <type> = pkcs1 | pkcs10 | pkcs7 | cert-self | cert | cacert\n" | |
232 | " - type cacert defines filename prefix of\n" | |
233 | " received CA certificate(s)\n" | |
234 | " - if no filename is given, default is used\n" | |
235 | " --optionsfrom (-+) <filename> reads additional options from given file\n" | |
236 | " --force (-f) force existing file(s)\n" | |
237 | "\n" | |
238 | "Options for key generation (pkcs1):\n" | |
239 | " --keylength (-k) <bits> key length for RSA key generation\n" | |
240 | "(default: 2048 bits)\n" | |
241 | "\n" | |
242 | "Options for validity:\n" | |
243 | " --days (-D) <days> validity in days\n" | |
244 | " --startdate (-S) <YYMMDDHHMMSS>Z not valid before date\n" | |
245 | " --enddate (-E) <YYMMDDHHMMSS>Z not valid after date\n" | |
246 | "\n" | |
247 | "Options for request generation (pkcs10):\n" | |
248 | " --dn (-d) <dn> comma separated list of distinguished names\n" | |
249 | " --subjectAltName (-s) <t>=<v> include subjectAltName in certificate request\n" | |
250 | " <t> = email | dns | ip \n" | |
251 | " --password (-p) <pw> challenge password\n" | |
252 | " - if pw is '%%prompt', password gets prompted for\n" | |
253 | " --algorithm (-a) <algo> use specified algorithm for PKCS#7 encryption\n" | |
71e725d3 AS |
254 | " <algo> = des | 3des (default) | aes128| aes192 | \n" |
255 | " aes256 | camellia128 | camellia192 | camellia256\n" | |
3d7a244b AS |
256 | "\n" |
257 | "Options for enrollment (cert):\n" | |
258 | " --url (-u) <url> url of the SCEP server\n" | |
259 | " --method (-m) post | get http request type\n" | |
260 | " --interval (-t) <seconds> manual mode poll interval in seconds (default 20s)\n" | |
261 | " --maxpolltime (-x) <seconds> max poll time in seconds when in manual mode\n" | |
262 | " (default: unlimited)\n" | |
997358a6 | 263 | #ifdef DEBUG |
3d7a244b AS |
264 | "\n" |
265 | "Debugging output:\n" | |
266 | " --debug-all (-A) show everything except private\n" | |
267 | " --debug-parsing (-P) show parsing relevant stuff\n" | |
268 | " --debug-raw (-R) show raw hex dumps\n" | |
269 | " --debug-control (-C) show control flow output\n" | |
270 | " --debug-controlmore (-M) show more control flow\n" | |
271 | " --debug-private (-X) show sensitive data (private keys, etc.)\n" | |
997358a6 | 272 | #endif |
3d7a244b AS |
273 | ); |
274 | exit_scepclient(message); | |
997358a6 MW |
275 | } |
276 | ||
a6e3ec13 | 277 | /** |
6e9fe153 | 278 | * Log loaded plugins |
a6e3ec13 | 279 | */ |
6e9fe153 | 280 | static void print_plugins() |
a6e3ec13 | 281 | { |
6e9fe153 AS |
282 | char buf[BUF_LEN], *plugin; |
283 | int len = 0; | |
284 | enumerator_t *enumerator; | |
7daf5226 | 285 | |
6e9fe153 AS |
286 | enumerator = lib->plugins->create_plugin_enumerator(lib->plugins); |
287 | while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin)) | |
a6e3ec13 | 288 | { |
6e9fe153 | 289 | len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin); |
a6e3ec13 | 290 | } |
6e9fe153 | 291 | enumerator->destroy(enumerator); |
8b0e0910 | 292 | DBG1(DBG_LIB, " loaded plugins: %s", buf); |
a6e3ec13 | 293 | } |
6e9fe153 | 294 | |
997358a6 MW |
295 | /** |
296 | * @brief main of scepclient | |
297 | * | |
298 | * @param argc number of arguments | |
299 | * @param argv pointer to the argument values | |
300 | */ | |
301 | int main(int argc, char **argv) | |
302 | { | |
3d7a244b AS |
303 | /* external values */ |
304 | extern char * optarg; | |
305 | extern int optind; | |
306 | ||
307 | /* type of input and output files */ | |
308 | typedef enum { | |
309 | PKCS1 = 0x01, | |
310 | PKCS10 = 0x02, | |
311 | PKCS7 = 0x04, | |
312 | CERT_SELF = 0x08, | |
313 | CERT = 0x10, | |
314 | CACERT_ENC = 0x20, | |
315 | CACERT_SIG = 0x40 | |
316 | } scep_filetype_t; | |
317 | ||
318 | /* filetype to read from, defaults to "generate a key" */ | |
319 | scep_filetype_t filetype_in = 0; | |
320 | ||
321 | /* filetype to write to, no default here */ | |
322 | scep_filetype_t filetype_out = 0; | |
323 | ||
324 | /* input files */ | |
325 | char *file_in_pkcs1 = DEFAULT_FILENAME_PKCS1; | |
326 | char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC; | |
327 | char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG; | |
328 | ||
329 | /* output files */ | |
330 | char *file_out_pkcs1 = DEFAULT_FILENAME_PKCS1; | |
331 | char *file_out_pkcs10 = DEFAULT_FILENAME_PKCS10; | |
332 | char *file_out_pkcs7 = DEFAULT_FILENAME_PKCS7; | |
333 | char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF; | |
334 | char *file_out_cert = DEFAULT_FILENAME_CERT; | |
335 | char *file_out_prefix_cacert = DEFAULT_FILENAME_PREFIX_CACERT; | |
336 | ||
337 | /* by default user certificate is requested */ | |
338 | bool request_ca_certificate = FALSE; | |
339 | ||
340 | /* by default existing files are not overwritten */ | |
341 | bool force = FALSE; | |
342 | ||
343 | /* length of RSA key in bits */ | |
344 | u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH; | |
345 | ||
346 | /* validity of self-signed certificate */ | |
347 | time_t validity = DEFAULT_CERT_VALIDITY; | |
348 | time_t notBefore = 0; | |
349 | time_t notAfter = 0; | |
350 | ||
351 | /* distinguished name for requested certificate, ASCII format */ | |
352 | char *distinguishedName = NULL; | |
353 | ||
354 | /* challenge password */ | |
355 | char challenge_password_buffer[MAX_PASSWORD_LENGTH]; | |
356 | ||
357 | /* symmetric encryption algorithm used by pkcs7, default is 3DES */ | |
358 | int pkcs7_symmetric_cipher = OID_3DES_EDE_CBC; | |
359 | ||
e67197a7 AS |
360 | /* digest algorithm used by pkcs7, default is SHA-1 */ |
361 | int pkcs7_digest_alg = OID_SHA1; | |
3d7a244b | 362 | |
0eff9f65 AS |
363 | /* signature algorithm used by pkcs10, default is SHA-1 */ |
364 | hash_algorithm_t pkcs10_signature_alg = HASH_SHA1; | |
3d7a244b AS |
365 | |
366 | /* URL of the SCEP-Server */ | |
367 | char *scep_url = NULL; | |
368 | ||
369 | /* http request method, default is GET */ | |
e67197a7 | 370 | bool http_get_request = TRUE; |
3d7a244b AS |
371 | |
372 | /* poll interval time in manual mode in seconds */ | |
373 | u_int poll_interval = DEFAULT_POLL_INTERVAL; | |
374 | ||
375 | /* maximum poll time */ | |
376 | u_int max_poll_time = 0; | |
377 | ||
378 | err_t ugh = NULL; | |
379 | ||
2f5b1e0e | 380 | /* initialize library */ |
356b2b27 | 381 | if (!library_init(NULL)) |
2f5b1e0e AS |
382 | { |
383 | library_deinit(); | |
384 | exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); | |
385 | } | |
bde541ac AS |
386 | if (lib->integrity && |
387 | !lib->integrity->check_file(lib->integrity, "scepclient", argv[0])) | |
388 | { | |
389 | fprintf(stderr, "integrity check of scepclient failed\n"); | |
390 | library_deinit(); | |
391 | exit(SS_RC_DAEMON_INTEGRITY); | |
392 | } | |
2f5b1e0e | 393 | |
0eff9f65 AS |
394 | /* initialize global variables */ |
395 | pkcs1 = chunk_empty; | |
396 | pkcs7 = chunk_empty; | |
397 | serialNumber = chunk_empty; | |
398 | transID = chunk_empty; | |
399 | fingerprint = chunk_empty; | |
400 | encoding = chunk_empty; | |
da9724e6 | 401 | pkcs10_encoding = chunk_empty; |
0eff9f65 AS |
402 | issuerAndSubject = chunk_empty; |
403 | challengePassword = chunk_empty; | |
404 | getCertInitial = chunk_empty; | |
405 | scep_response = chunk_empty; | |
406 | subjectAltNames = linked_list_create(); | |
407 | options = options_create(); | |
408 | log_to_stderr = TRUE; | |
3d7a244b AS |
409 | |
410 | for (;;) | |
411 | { | |
412 | static const struct option long_opts[] = { | |
413 | /* name, has_arg, flag, val */ | |
414 | { "help", no_argument, NULL, 'h' }, | |
415 | { "version", no_argument, NULL, 'v' }, | |
416 | { "optionsfrom", required_argument, NULL, '+' }, | |
417 | { "quiet", no_argument, NULL, 'q' }, | |
418 | { "in", required_argument, NULL, 'i' }, | |
419 | { "out", required_argument, NULL, 'o' }, | |
420 | { "force", no_argument, NULL, 'f' }, | |
421 | { "keylength", required_argument, NULL, 'k' }, | |
422 | { "dn", required_argument, NULL, 'd' }, | |
423 | { "days", required_argument, NULL, 'D' }, | |
424 | { "startdate", required_argument, NULL, 'S' }, | |
425 | { "enddate", required_argument, NULL, 'E' }, | |
426 | { "subjectAltName", required_argument, NULL, 's' }, | |
427 | { "password", required_argument, NULL, 'p' }, | |
428 | { "algorithm", required_argument, NULL, 'a' }, | |
429 | { "url", required_argument, NULL, 'u' }, | |
430 | { "method", required_argument, NULL, 'm' }, | |
431 | { "interval", required_argument, NULL, 't' }, | |
432 | { "maxpolltime", required_argument, NULL, 'x' }, | |
433 | #ifdef DEBUG | |
434 | { "debug-all", no_argument, NULL, 'A' }, | |
435 | { "debug-parsing", no_argument, NULL, 'P'}, | |
436 | { "debug-raw", no_argument, NULL, 'R'}, | |
437 | { "debug-control", no_argument, NULL, 'C'}, | |
438 | { "debug-controlmore", no_argument, NULL, 'M'}, | |
439 | { "debug-private", no_argument, NULL, 'X'}, | |
440 | #endif | |
441 | { 0,0,0,0 } | |
442 | }; | |
443 | ||
444 | /* parse next option */ | |
445 | int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:m:t:x:APRCMS", long_opts, NULL); | |
446 | ||
447 | switch (c) | |
448 | { | |
449 | case EOF: /* end of flags */ | |
450 | break; | |
451 | ||
452 | case 'h': /* --help */ | |
453 | usage(NULL); | |
454 | ||
455 | case 'v': /* --version */ | |
456 | version(); | |
457 | ||
458 | case 'q': /* --quiet */ | |
459 | log_to_stderr = FALSE; | |
460 | continue; | |
461 | ||
462 | case 'i': /* --in <type> [= <filename>] */ | |
463 | { | |
464 | char *filename = strstr(optarg, "="); | |
465 | ||
466 | if (filename) | |
467 | { | |
468 | /* replace '=' by '\0' */ | |
469 | *filename = '\0'; | |
470 | /* set pointer to start of filename */ | |
471 | filename++; | |
472 | } | |
473 | if (strcaseeq("pkcs1", optarg)) | |
474 | { | |
475 | filetype_in |= PKCS1; | |
476 | if (filename) | |
477 | file_in_pkcs1 = filename; | |
478 | } | |
479 | else if (strcaseeq("cacert-enc", optarg)) | |
480 | { | |
481 | filetype_in |= CACERT_ENC; | |
482 | if (filename) | |
483 | file_in_cacert_enc = filename; | |
484 | } | |
485 | else if (strcaseeq("cacert-sig", optarg)) | |
486 | { | |
487 | filetype_in |= CACERT_SIG; | |
488 | if (filename) | |
489 | file_in_cacert_sig = filename; | |
490 | } | |
491 | else | |
492 | { | |
493 | usage("invalid --in file type"); | |
494 | } | |
495 | continue; | |
496 | } | |
497 | ||
498 | case 'o': /* --out <type> [= <filename>] */ | |
499 | { | |
500 | char *filename = strstr(optarg, "="); | |
501 | ||
502 | if (filename) | |
503 | { | |
504 | /* replace '=' by '\0' */ | |
505 | *filename = '\0'; | |
506 | /* set pointer to start of filename */ | |
507 | filename++; | |
508 | } | |
509 | if (strcaseeq("pkcs1", optarg)) | |
510 | { | |
511 | filetype_out |= PKCS1; | |
512 | if (filename) | |
513 | file_out_pkcs1 = filename; | |
514 | } | |
515 | else if (strcaseeq("pkcs10", optarg)) | |
516 | { | |
517 | filetype_out |= PKCS10; | |
518 | if (filename) | |
519 | file_out_pkcs10 = filename; | |
520 | } | |
521 | else if (strcaseeq("pkcs7", optarg)) | |
522 | { | |
523 | filetype_out |= PKCS7; | |
524 | if (filename) | |
525 | file_out_pkcs7 = filename; | |
526 | } | |
527 | else if (strcaseeq("cert-self", optarg)) | |
528 | { | |
529 | filetype_out |= CERT_SELF; | |
530 | if (filename) | |
531 | file_out_cert_self = filename; | |
532 | } | |
533 | else if (strcaseeq("cert", optarg)) | |
534 | { | |
535 | filetype_out |= CERT; | |
536 | if (filename) | |
537 | file_out_cert = filename; | |
538 | } | |
539 | else if (strcaseeq("cacert", optarg)) | |
540 | { | |
541 | request_ca_certificate = TRUE; | |
542 | if (filename) | |
543 | file_out_prefix_cacert = filename; | |
544 | } | |
545 | else | |
546 | { | |
547 | usage("invalid --out file type"); | |
548 | } | |
549 | continue; | |
550 | } | |
7daf5226 | 551 | |
3d7a244b AS |
552 | case 'f': /* --force */ |
553 | force = TRUE; | |
554 | continue; | |
555 | ||
556 | case '+': /* --optionsfrom <filename> */ | |
557 | if (!options->from(options, optarg, &argc, &argv, optind)) | |
558 | { | |
559 | exit_scepclient("optionsfrom failed"); | |
560 | } | |
561 | continue; | |
562 | ||
563 | case 'k': /* --keylength <length> */ | |
564 | { | |
565 | div_t q; | |
566 | ||
567 | rsa_keylength = atoi(optarg); | |
568 | if (rsa_keylength == 0) | |
569 | usage("invalid keylength"); | |
570 | ||
571 | /* check if key length is a multiple of 8 bits */ | |
572 | q = div(rsa_keylength, 2*BITS_PER_BYTE); | |
573 | if (q.rem != 0) | |
574 | { | |
575 | exit_scepclient("keylength is not a multiple of %d bits!" | |
576 | , 2*BITS_PER_BYTE); | |
577 | } | |
578 | continue; | |
579 | } | |
580 | ||
581 | case 'D': /* --days */ | |
582 | if (optarg == NULL || !isdigit(optarg[0])) | |
583 | usage("missing number of days"); | |
584 | { | |
585 | char *endptr; | |
586 | long days = strtol(optarg, &endptr, 0); | |
587 | ||
588 | if (*endptr != '\0' || endptr == optarg | |
589 | || days <= 0) | |
590 | usage("<days> must be a positive number"); | |
591 | validity = 24*3600*days; | |
592 | } | |
593 | continue; | |
594 | ||
595 | case 'S': /* --startdate */ | |
596 | if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z') | |
597 | usage("date format must be YYMMDDHHMMSSZ"); | |
598 | { | |
599 | chunk_t date = { optarg, 13 }; | |
08b2d288 | 600 | notBefore = asn1_to_time(&date, ASN1_UTCTIME); |
3d7a244b AS |
601 | } |
602 | continue; | |
603 | ||
604 | case 'E': /* --enddate */ | |
605 | if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z') | |
606 | usage("date format must be YYMMDDHHMMSSZ"); | |
607 | { | |
608 | chunk_t date = { optarg, 13 }; | |
08b2d288 | 609 | notAfter = asn1_to_time(&date, ASN1_UTCTIME); |
3d7a244b AS |
610 | } |
611 | continue; | |
612 | ||
613 | case 'd': /* --dn */ | |
614 | if (distinguishedName) | |
615 | usage("only one distinguished name allowed"); | |
616 | distinguishedName = optarg; | |
617 | continue; | |
618 | ||
619 | case 's': /* --subjectAltName */ | |
620 | { | |
3d7a244b AS |
621 | char *value = strstr(optarg, "="); |
622 | ||
623 | if (value) | |
624 | { | |
625 | /* replace '=' by '\0' */ | |
626 | *value = '\0'; | |
627 | /* set pointer to start of value */ | |
628 | value++; | |
629 | } | |
630 | ||
0eff9f65 AS |
631 | if (strcaseeq("email", optarg) || |
632 | strcaseeq("dns", optarg) || | |
633 | strcaseeq("ip", optarg)) | |
3d7a244b | 634 | { |
0eff9f65 AS |
635 | subjectAltNames->insert_last(subjectAltNames, |
636 | identification_create_from_string(value)); | |
637 | continue; | |
3d7a244b AS |
638 | } |
639 | else | |
640 | { | |
641 | usage("invalid --subjectAltName type"); | |
642 | continue; | |
643 | } | |
3d7a244b AS |
644 | } |
645 | ||
646 | case 'p': /* --password */ | |
647 | if (challengePassword.len > 0) | |
648 | { | |
649 | usage("only one challenge password allowed"); | |
650 | } | |
651 | if (strcaseeq("%prompt", optarg)) | |
652 | { | |
653 | printf("Challenge password: "); | |
654 | if (fgets(challenge_password_buffer, sizeof(challenge_password_buffer)-1, stdin)) | |
655 | { | |
656 | challengePassword.ptr = challenge_password_buffer; | |
657 | /* discard the terminating '\n' from the input */ | |
658 | challengePassword.len = strlen(challenge_password_buffer) - 1; | |
659 | } | |
660 | else | |
661 | { | |
662 | usage("challenge password could not be read"); | |
663 | } | |
664 | } | |
665 | else | |
666 | { | |
667 | challengePassword.ptr = optarg; | |
668 | challengePassword.len = strlen(optarg); | |
669 | } | |
670 | continue; | |
671 | ||
672 | case 'u': /* -- url */ | |
673 | if (scep_url) | |
674 | { | |
675 | usage("only one URL argument allowed"); | |
676 | } | |
677 | scep_url = optarg; | |
678 | continue; | |
679 | ||
680 | case 'm': /* --method */ | |
e67197a7 | 681 | if (strcaseeq("get", optarg)) |
3d7a244b | 682 | { |
e67197a7 | 683 | http_get_request = TRUE; |
3d7a244b | 684 | } |
e67197a7 | 685 | else if (strcaseeq("post", optarg)) |
3d7a244b | 686 | { |
e67197a7 | 687 | http_get_request = FALSE; |
3d7a244b AS |
688 | } |
689 | else | |
690 | { | |
691 | usage("invalid http request method specified"); | |
692 | } | |
693 | continue; | |
694 | ||
695 | case 't': /* --interval */ | |
696 | poll_interval = atoi(optarg); | |
697 | if (poll_interval <= 0) | |
698 | { | |
699 | usage("invalid interval specified"); | |
700 | } | |
701 | continue; | |
702 | ||
703 | case 'x': /* --maxpolltime */ | |
704 | max_poll_time = atoi(optarg); | |
705 | if (max_poll_time < 0) | |
706 | { | |
707 | usage("invalid maxpolltime specified"); | |
708 | } | |
709 | continue; | |
710 | ||
711 | case 'a': /*--algorithm */ | |
71e725d3 AS |
712 | { |
713 | const proposal_token_t *token; | |
714 | ||
715 | token = proposal_get_token(optarg, strlen(optarg)); | |
716 | if (token == NULL || token->type != ENCRYPTION_ALGORITHM) | |
46ec5309 | 717 | { |
71e725d3 | 718 | usage("invalid algorithm specified"); |
46ec5309 | 719 | } |
71e725d3 AS |
720 | pkcs7_symmetric_cipher = encryption_algorithm_to_oid( |
721 | token->algorithm, token->keysize); | |
722 | if (pkcs7_symmetric_cipher == OID_UNKNOWN) | |
3d7a244b | 723 | { |
71e725d3 | 724 | usage("unsupported encryption algorithm specified"); |
3d7a244b AS |
725 | } |
726 | continue; | |
71e725d3 | 727 | } |
997358a6 | 728 | #ifdef DEBUG |
3d7a244b AS |
729 | case 'A': /* --debug-all */ |
730 | base_debugging |= DBG_ALL; | |
731 | continue; | |
732 | case 'P': /* debug parsing */ | |
733 | base_debugging |= DBG_PARSING; | |
734 | continue; | |
735 | case 'R': /* debug raw */ | |
736 | base_debugging |= DBG_RAW; | |
737 | continue; | |
738 | case 'C': /* debug control */ | |
739 | base_debugging |= DBG_CONTROL; | |
740 | continue; | |
741 | case 'M': /* debug control more */ | |
742 | base_debugging |= DBG_CONTROLMORE; | |
743 | continue; | |
744 | case 'X': /* debug private */ | |
745 | base_debugging |= DBG_PRIVATE; | |
746 | continue; | |
997358a6 | 747 | #endif |
7daf5226 | 748 | default: |
3d7a244b AS |
749 | usage("unknown option"); |
750 | } | |
751 | /* break from loop */ | |
752 | break; | |
753 | } | |
6e9fe153 | 754 | cur_debugging = base_debugging; |
997358a6 | 755 | |
3d7a244b | 756 | init_log("scepclient"); |
6e9fe153 AS |
757 | |
758 | /* load plugins, further infrastructure may need it */ | |
5b03a350 | 759 | if (!lib->plugins->load(lib->plugins, NULL, |
8fb4edc4 MW |
760 | lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS))) |
761 | { | |
762 | exit_scepclient("plugin loading failed"); | |
763 | } | |
6e9fe153 AS |
764 | print_plugins(); |
765 | ||
3d7a244b | 766 | if ((filetype_out == 0) && (!request_ca_certificate)) |
997358a6 | 767 | { |
3d7a244b AS |
768 | usage ("--out filetype required"); |
769 | } | |
770 | if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0)) | |
771 | { | |
772 | usage("in CA certificate request, no other --in or --out option allowed"); | |
773 | } | |
997358a6 | 774 | |
3d7a244b AS |
775 | /* check if url is given, if cert output defined */ |
776 | if (((filetype_out & CERT) || request_ca_certificate) && !scep_url) | |
777 | { | |
778 | usage("URL of SCEP server required"); | |
779 | } | |
997358a6 | 780 | |
3d7a244b AS |
781 | /* check for sanity of --in/--out */ |
782 | if (!filetype_in && (filetype_in > filetype_out)) | |
783 | { | |
784 | usage("cannot generate --out of given --in!"); | |
785 | } | |
997358a6 | 786 | |
3d7a244b AS |
787 | /* |
788 | * input of PKCS#1 file | |
789 | */ | |
7daf5226 | 790 | if (filetype_in & PKCS1) /* load an RSA key pair from file */ |
3d7a244b | 791 | { |
08b2d288 | 792 | char *path = concatenate_paths(PRIVATE_KEY_PATH, file_in_pkcs1); |
997358a6 | 793 | |
17722d44 AS |
794 | private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, |
795 | BUILD_FROM_FILE, path, BUILD_END); | |
3d7a244b AS |
796 | } |
797 | else /* generate an RSA key pair */ | |
798 | { | |
8b799d55 AS |
799 | private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, |
800 | BUILD_KEY_SIZE, rsa_keylength, | |
7b3814f7 | 801 | BUILD_END); |
3d7a244b | 802 | } |
8b799d55 AS |
803 | if (private_key == NULL) |
804 | { | |
805 | exit_scepclient("no RSA private key available"); | |
806 | } | |
807 | public_key = private_key->get_public_key(private_key); | |
997358a6 | 808 | |
3d7a244b | 809 | /* check for minimum key length */ |
8b799d55 | 810 | if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS) |
3d7a244b AS |
811 | { |
812 | exit_scepclient("length of RSA key has to be at least %d bits" | |
813 | ,RSA_MIN_OCTETS * BITS_PER_BYTE); | |
814 | } | |
997358a6 | 815 | |
3d7a244b AS |
816 | /* |
817 | * input of PKCS#10 file | |
818 | */ | |
819 | if (filetype_in & PKCS10) | |
820 | { | |
821 | /* user wants to load a pkcs10 request | |
822 | * operation is not yet supported | |
823 | * would require a PKCS#10 parsing function | |
997358a6 | 824 | |
3d7a244b AS |
825 | pkcs10 = pkcs10_read_from_file(file_in_pkcs10); |
826 | ||
827 | */ | |
828 | } | |
829 | else | |
830 | { | |
3d7a244b | 831 | if (distinguishedName == NULL) |
997358a6 | 832 | { |
3d7a244b AS |
833 | char buf[BUF_LEN]; |
834 | int n = sprintf(buf, DEFAULT_DN); | |
835 | ||
836 | /* set the common name to the hostname */ | |
837 | if (gethostname(buf + n, BUF_LEN - n) || strlen(buf) == n) | |
838 | { | |
839 | exit_scepclient("no hostname defined, use " | |
840 | "--dn <distinguished name> option"); | |
841 | } | |
842 | distinguishedName = buf; | |
997358a6 | 843 | } |
3d7a244b AS |
844 | |
845 | DBG(DBG_CONTROL, | |
846 | DBG_log("dn: '%s'", distinguishedName); | |
847 | ) | |
0eff9f65 AS |
848 | subject = identification_create_from_string(distinguishedName); |
849 | if (subject->get_type(subject) != ID_DER_ASN1_DN) | |
997358a6 | 850 | { |
0eff9f65 | 851 | exit_scepclient("parsing of distinguished name failed"); |
997358a6 | 852 | } |
3d7a244b | 853 | |
3d7a244b AS |
854 | DBG(DBG_CONTROL, |
855 | DBG_log("building pkcs10 object:") | |
856 | ) | |
0eff9f65 AS |
857 | pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE, |
858 | CERT_PKCS10_REQUEST, | |
859 | BUILD_SIGNING_KEY, private_key, | |
860 | BUILD_SUBJECT, subject, | |
861 | BUILD_SUBJECT_ALTNAMES, subjectAltNames, | |
862 | BUILD_PASSPHRASE, challengePassword, | |
863 | BUILD_DIGEST_ALG, pkcs10_signature_alg, | |
864 | BUILD_END); | |
865 | if (!pkcs10_req) | |
866 | { | |
867 | exit_scepclient("generating pkcs10 request failed"); | |
868 | } | |
0406eeaa | 869 | pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding); |
0eff9f65 | 870 | fingerprint = scep_generate_pkcs10_fingerprint(pkcs10_encoding); |
8b799d55 | 871 | plog(" fingerprint: %s", fingerprint.ptr); |
997358a6 | 872 | } |
3d7a244b | 873 | |
7daf5226 | 874 | /* |
3d7a244b AS |
875 | * output of PKCS#10 file |
876 | */ | |
877 | if (filetype_out & PKCS10) | |
997358a6 | 878 | { |
08b2d288 | 879 | char *path = concatenate_paths(REQ_PATH, file_out_pkcs10); |
3d7a244b | 880 | |
0eff9f65 AS |
881 | if (!chunk_write(pkcs10_encoding, path, "pkcs10", 0022, force)) |
882 | { | |
3d7a244b | 883 | exit_scepclient("could not write pkcs10 file '%s'", path); |
0eff9f65 | 884 | } |
3d7a244b | 885 | filetype_out &= ~PKCS10; /* delete PKCS10 flag */ |
997358a6 MW |
886 | } |
887 | ||
3d7a244b | 888 | if (!filetype_out) |
63176bbc | 889 | { |
3d7a244b | 890 | exit_scepclient(NULL); /* no further output required */ |
63176bbc | 891 | } |
997358a6 | 892 | |
3d7a244b AS |
893 | /* |
894 | * output of PKCS#1 file | |
895 | */ | |
896 | if (filetype_out & PKCS1) | |
63176bbc | 897 | { |
08b2d288 | 898 | char *path = concatenate_paths(PRIVATE_KEY_PATH, file_out_pkcs1); |
997358a6 | 899 | |
3d7a244b AS |
900 | DBG(DBG_CONTROL, |
901 | DBG_log("building pkcs1 object:") | |
902 | ) | |
da9724e6 | 903 | if (!private_key->get_encoding(private_key, PRIVKEY_ASN1_DER, &pkcs1) || |
5bceb90c | 904 | !chunk_write(pkcs1, path, "pkcs1", 0066, force)) |
0eff9f65 | 905 | { |
3d7a244b | 906 | exit_scepclient("could not write pkcs1 file '%s'", path); |
0eff9f65 | 907 | } |
3d7a244b | 908 | filetype_out &= ~PKCS1; /* delete PKCS1 flag */ |
997358a6 | 909 | } |
3d7a244b AS |
910 | |
911 | if (!filetype_out) | |
63176bbc | 912 | { |
3d7a244b | 913 | exit_scepclient(NULL); /* no further output required */ |
63176bbc | 914 | } |
997358a6 | 915 | |
8b799d55 | 916 | scep_generate_transaction_id(public_key, &transID, &serialNumber); |
3d7a244b AS |
917 | plog(" transaction ID: %.*s", (int)transID.len, transID.ptr); |
918 | ||
0eff9f65 AS |
919 | notBefore = notBefore ? notBefore : time(NULL); |
920 | notAfter = notAfter ? notAfter : (notBefore + validity); | |
921 | ||
3d7a244b | 922 | /* generate a self-signed X.509 certificate */ |
0eff9f65 AS |
923 | x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, |
924 | BUILD_SIGNING_KEY, private_key, | |
925 | BUILD_PUBLIC_KEY, public_key, | |
926 | BUILD_SUBJECT, subject, | |
927 | BUILD_NOT_BEFORE_TIME, notBefore, | |
928 | BUILD_NOT_AFTER_TIME, notAfter, | |
929 | BUILD_SERIAL, serialNumber, | |
930 | BUILD_SUBJECT_ALTNAMES, subjectAltNames, | |
931 | BUILD_END); | |
932 | if (!x509_signer) | |
933 | { | |
934 | exit_scepclient("generating certificate failed"); | |
935 | } | |
3d7a244b AS |
936 | |
937 | /* | |
938 | * output of self-signed X.509 certificate file | |
939 | */ | |
940 | if (filetype_out & CERT_SELF) | |
997358a6 | 941 | { |
08b2d288 | 942 | char *path = concatenate_paths(HOST_CERT_PATH, file_out_cert_self); |
3d7a244b | 943 | |
0406eeaa | 944 | if (!x509_signer->get_encoding(x509_signer, CERT_ASN1_DER, &encoding)) |
0eff9f65 AS |
945 | { |
946 | exit_scepclient("encoding certificate failed"); | |
947 | } | |
948 | if (!chunk_write(encoding, path, "self-signed cert", 0022, force)) | |
949 | { | |
3d7a244b | 950 | exit_scepclient("could not write self-signed cert file '%s'", path); |
0eff9f65 AS |
951 | } |
952 | chunk_free(&encoding); | |
3d7a244b | 953 | filetype_out &= ~CERT_SELF; /* delete CERT_SELF flag */ |
997358a6 | 954 | } |
3d7a244b AS |
955 | |
956 | if (!filetype_out) | |
997358a6 | 957 | { |
3d7a244b | 958 | exit_scepclient(NULL); /* no further output required */ |
997358a6 MW |
959 | } |
960 | ||
3d7a244b AS |
961 | /* |
962 | * load ca encryption certificate | |
963 | */ | |
997358a6 | 964 | { |
08b2d288 | 965 | char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_enc); |
da9724e6 | 966 | |
0eff9f65 AS |
967 | x509_ca_enc = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, |
968 | BUILD_FROM_FILE, path, BUILD_END); | |
969 | if (!x509_ca_enc) | |
3d7a244b AS |
970 | { |
971 | exit_scepclient("could not load encryption cacert file '%s'", path); | |
972 | } | |
997358a6 MW |
973 | } |
974 | ||
7daf5226 | 975 | /* |
3d7a244b AS |
976 | * input of PKCS#7 file |
977 | */ | |
978 | if (filetype_in & PKCS7) | |
979 | { | |
980 | /* user wants to load a pkcs7 encrypted request | |
981 | * operation is not yet supported! | |
982 | * would require additional parsing of transaction-id | |
997358a6 | 983 | |
3d7a244b AS |
984 | pkcs7 = pkcs7_read_from_file(file_in_pkcs7); |
985 | ||
986 | */ | |
987 | } | |
988 | else | |
997358a6 | 989 | { |
3d7a244b AS |
990 | DBG(DBG_CONTROL, |
991 | DBG_log("building pkcs7 request") | |
992 | ) | |
0eff9f65 AS |
993 | pkcs7 = scep_build_request(pkcs10_encoding, |
994 | transID, SCEP_PKCSReq_MSG, | |
995 | x509_ca_enc, pkcs7_symmetric_cipher, | |
996 | x509_signer, pkcs7_digest_alg, private_key); | |
997358a6 | 997 | } |
3d7a244b AS |
998 | |
999 | /* | |
1000 | * output pkcs7 encrypted and signed certificate request | |
1001 | */ | |
1002 | if (filetype_out & PKCS7) | |
997358a6 | 1003 | { |
08b2d288 | 1004 | char *path = concatenate_paths(REQ_PATH, file_out_pkcs7); |
3d7a244b | 1005 | |
3eb5042e | 1006 | if (!chunk_write(pkcs7, path, "pkcs7 encrypted request", 0022, force)) |
3d7a244b AS |
1007 | exit_scepclient("could not write pkcs7 file '%s'", path); |
1008 | ; | |
1009 | filetype_out &= ~PKCS7; /* delete PKCS7 flag */ | |
997358a6 | 1010 | } |
3d7a244b AS |
1011 | |
1012 | if (!filetype_out) | |
1013 | { | |
1014 | exit_scepclient(NULL); /* no further output required */ | |
997358a6 | 1015 | } |
3d7a244b AS |
1016 | |
1017 | /* | |
1018 | * output certificate fetch from SCEP server | |
1019 | */ | |
1020 | if (filetype_out & CERT) | |
1021 | { | |
17722d44 AS |
1022 | certificate_t *cert; |
1023 | enumerator_t *enumerator; | |
08b2d288 | 1024 | char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_sig); |
6180a558 | 1025 | time_t poll_start = 0; |
3d7a244b | 1026 | |
17722d44 | 1027 | linked_list_t *certs = linked_list_create(); |
3d7a244b AS |
1028 | chunk_t envelopedData = chunk_empty; |
1029 | chunk_t certData = chunk_empty; | |
1030 | contentInfo_t data = empty_contentInfo; | |
1031 | scep_attributes_t attrs = empty_scep_attributes; | |
1032 | ||
0eff9f65 AS |
1033 | x509_ca_sig = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, |
1034 | BUILD_FROM_FILE, path, BUILD_END); | |
1035 | if (!x509_ca_sig) | |
1036 | { | |
3d7a244b | 1037 | exit_scepclient("could not load signature cacert file '%s'", path); |
0eff9f65 | 1038 | } |
3d7a244b | 1039 | |
e67197a7 AS |
1040 | if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION, |
1041 | http_get_request, &scep_response)) | |
3d7a244b AS |
1042 | { |
1043 | exit_scepclient("did not receive a valid scep response"); | |
1044 | } | |
1045 | ugh = scep_parse_response(scep_response, transID, &data, &attrs | |
1046 | , x509_ca_sig); | |
1047 | if (ugh != NULL) | |
1048 | { | |
1049 | exit_scepclient(ugh); | |
1050 | } | |
1051 | ||
1052 | /* in case of manual mode, we are going into a polling loop */ | |
1053 | if (attrs.pkiStatus == SCEP_PENDING) | |
1054 | { | |
0eff9f65 AS |
1055 | identification_t *issuer = x509_ca_sig->get_subject(x509_ca_sig); |
1056 | ||
3d7a244b AS |
1057 | plog(" scep request pending, polling every %d seconds" |
1058 | , poll_interval); | |
6180a558 | 1059 | poll_start = time_monotonic(NULL); |
0eff9f65 AS |
1060 | issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc", |
1061 | issuer->get_encoding(issuer), | |
1062 | subject); | |
3d7a244b AS |
1063 | } |
1064 | while (attrs.pkiStatus == SCEP_PENDING) | |
1065 | { | |
1066 | if (max_poll_time > 0 | |
6180a558 | 1067 | && (time_monotonic(NULL) - poll_start >= max_poll_time)) |
3d7a244b AS |
1068 | { |
1069 | exit_scepclient("maximum poll time reached: %d seconds" | |
1070 | , max_poll_time); | |
1071 | } | |
1072 | DBG(DBG_CONTROL, | |
1073 | DBG_log("going to sleep for %d seconds", poll_interval) | |
1074 | ) | |
1075 | sleep(poll_interval); | |
1076 | free(scep_response.ptr); | |
1077 | ||
1078 | DBG(DBG_CONTROL, | |
1079 | DBG_log("fingerprint: %.*s", (int)fingerprint.len, fingerprint.ptr); | |
1080 | DBG_log("transaction ID: %.*s", (int)transID.len, transID.ptr) | |
1081 | ) | |
1082 | ||
1083 | chunk_free(&getCertInitial); | |
1084 | getCertInitial = scep_build_request(issuerAndSubject | |
1085 | , transID, SCEP_GetCertInitial_MSG | |
1086 | , x509_ca_enc, pkcs7_symmetric_cipher | |
1087 | , x509_signer, pkcs7_digest_alg, private_key); | |
1088 | ||
e67197a7 AS |
1089 | if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION, |
1090 | http_get_request, &scep_response)) | |
3d7a244b AS |
1091 | { |
1092 | exit_scepclient("did not receive a valid scep response"); | |
1093 | } | |
1094 | ugh = scep_parse_response(scep_response, transID, &data, &attrs | |
1095 | , x509_ca_sig); | |
1096 | if (ugh != NULL) | |
1097 | { | |
1098 | exit_scepclient(ugh); | |
1099 | } | |
1100 | } | |
1101 | ||
1102 | if (attrs.pkiStatus != SCEP_SUCCESS) | |
1103 | { | |
1104 | exit_scepclient("reply status is not 'SUCCESS'"); | |
1105 | } | |
1106 | ||
1107 | envelopedData = data.content; | |
1108 | ||
1109 | if (data.type != OID_PKCS7_DATA | |
08b2d288 | 1110 | || !asn1_parse_simple_object(&envelopedData, ASN1_OCTET_STRING, 0, "data")) |
3d7a244b AS |
1111 | { |
1112 | exit_scepclient("contentInfo is not of type 'data'"); | |
1113 | } | |
1114 | if (!pkcs7_parse_envelopedData(envelopedData, &certData | |
1115 | , serialNumber, private_key)) | |
1116 | { | |
1117 | exit_scepclient("could not decrypt envelopedData"); | |
1118 | } | |
17722d44 | 1119 | if (!pkcs7_parse_signedData(certData, NULL, certs, NULL, NULL)) |
3d7a244b AS |
1120 | { |
1121 | exit_scepclient("error parsing the scep response"); | |
1122 | } | |
1123 | chunk_free(&certData); | |
1124 | ||
1125 | /* store the end entity certificate */ | |
1126 | path = concatenate_paths(HOST_CERT_PATH, file_out_cert); | |
17722d44 AS |
1127 | |
1128 | enumerator = certs->create_enumerator(certs); | |
1129 | while (enumerator->enumerate(enumerator, &cert)) | |
3d7a244b AS |
1130 | { |
1131 | bool stored = FALSE; | |
17722d44 | 1132 | x509_t *x509 = (x509_t*)cert; |
3d7a244b | 1133 | |
0eff9f65 | 1134 | if (!(x509->get_flags(x509) & X509_CA)) |
3d7a244b AS |
1135 | { |
1136 | if (stored) | |
0eff9f65 | 1137 | { |
3d7a244b | 1138 | exit_scepclient("multiple certs received, only first stored"); |
0eff9f65 | 1139 | } |
0406eeaa MW |
1140 | if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) || |
1141 | !chunk_write(encoding, path, "requested cert", 0022, force)) | |
0eff9f65 | 1142 | { |
3d7a244b | 1143 | exit_scepclient("could not write cert file '%s'", path); |
0eff9f65 AS |
1144 | } |
1145 | chunk_free(&encoding); | |
3d7a244b AS |
1146 | stored = TRUE; |
1147 | } | |
3d7a244b | 1148 | } |
17722d44 | 1149 | certs->destroy_offset(certs, offsetof(certificate_t, destroy)); |
3d7a244b | 1150 | filetype_out &= ~CERT; /* delete CERT flag */ |
997358a6 | 1151 | } |
997358a6 | 1152 | |
3d7a244b AS |
1153 | exit_scepclient(NULL); |
1154 | return -1; /* should never be reached */ | |
997358a6 MW |
1155 | } |
1156 | ||
1157 |