2 * Copyright (C) 2005 Jan Hutter, Martin Willi
3 * Hochschule fuer Technik Rapperswil
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * @brief scepclient main program
22 * @mainpage SCEP for Linux strongSwan
24 * Documentation of SCEP for Linux StrongSwan
40 #include <asn1/asn1.h>
42 #include <utils/optionsfrom.h>
43 #include <utils/enumerator.h>
44 #include <utils/linked_list.h>
45 #include <crypto/hashers/hasher.h>
46 #include <crypto/crypters/crypter.h>
47 #include <crypto/proposal/proposal_keywords.h>
48 #include <credentials/keys/private_key.h>
49 #include <credentials/keys/public_key.h>
50 #include <credentials/certificates/certificate.h>
51 #include <credentials/certificates/x509.h>
52 #include <credentials/certificates/pkcs10.h>
53 #include <plugins/plugin.h>
55 #include "../pluto/constants.h"
56 #include "../pluto/defs.h"
57 #include "../pluto/log.h"
58 #include "../pluto/certs.h"
59 #include "../pluto/pkcs7.h"
64 * definition of some defaults
67 /* default name of DER-encoded PKCS#1 private key file */
68 #define DEFAULT_FILENAME_PKCS1 "myKey.der"
70 /* default name of DER-encoded PKCS#10 certificate request file */
71 #define DEFAULT_FILENAME_PKCS10 "myReq.der"
73 /* default name of DER-encoded PKCS#7 file */
74 #define DEFAULT_FILENAME_PKCS7 "pkcs7.der"
76 /* default name of DER-encoded self-signed X.509 certificate file */
77 #define DEFAULT_FILENAME_CERT_SELF "selfCert.der"
79 /* default name of DER-encoded X.509 certificate file */
80 #define DEFAULT_FILENAME_CERT "myCert.der"
82 /* default name of DER-encoded CA cert file used for key encipherment */
83 #define DEFAULT_FILENAME_CACERT_ENC "caCert.der"
85 /* default name of the der encoded CA cert file used for signature verification */
86 #define DEFAULT_FILENAME_CACERT_SIG "caCert.der"
88 /* default prefix of the der encoded CA certificates received from the SCEP server */
89 #define DEFAULT_FILENAME_PREFIX_CACERT "caCert.der"
91 /* default certificate validity */
92 #define DEFAULT_CERT_VALIDITY 5 * 3600 * 24 * 365 /* seconds */
94 /* default polling time interval in SCEP manual mode */
95 #define DEFAULT_POLL_INTERVAL 20 /* seconds */
97 /* default key length for self-generated RSA keys */
98 #define DEFAULT_RSA_KEY_LENGTH 2048 /* bits */
100 /* default distinguished name */
101 #define DEFAULT_DN "C=CH, O=Linux strongSwan, CN="
103 /* challenge password buffer size */
104 #define MAX_PASSWORD_LENGTH 256
106 /* Max length of filename for tempfile */
107 #define MAX_TEMP_FILENAME_LENGTH 256
110 /* current scepclient version */
111 static const char *scepclient_version
= "1.0";
113 /* by default the CRL policy is lenient */
114 bool strict_crl_policy
= FALSE
;
116 /* by default pluto does not check crls dynamically */
117 long crl_check_interval
= 0;
119 /* by default pluto logs out after every smartcard use */
120 bool pkcs11_keep_state
= FALSE
;
122 /* options read by optionsfrom */
131 chunk_t challengePassword
;
132 chunk_t serialNumber
;
136 chunk_t pkcs10_encoding
;
137 chunk_t issuerAndSubject
;
138 chunk_t getCertInitial
;
139 chunk_t scep_response
;
141 linked_list_t
*subjectAltNames
;
143 identification_t
*subject
= NULL
;
144 private_key_t
*private_key
= NULL
;
145 public_key_t
*public_key
= NULL
;
146 certificate_t
*x509_signer
= NULL
;
147 certificate_t
*x509_ca_enc
= NULL
;
148 certificate_t
*x509_ca_sig
= NULL
;
149 certificate_t
*pkcs10_req
= NULL
;
152 * @brief exit scepclient
154 * @param status 0 = OK, 1 = general discomfort
157 exit_scepclient(err_t message
, ...)
162 DESTROY_IF(private_key
);
163 DESTROY_IF(public_key
);
164 DESTROY_IF(x509_signer
);
165 DESTROY_IF(x509_ca_enc
);
166 DESTROY_IF(x509_ca_sig
);
167 DESTROY_IF(pkcs10_req
);
168 subjectAltNames
->destroy_offset(subjectAltNames
,
169 offsetof(identification_t
, destroy
));
172 free(serialNumber
.ptr
);
174 free(fingerprint
.ptr
);
176 free(pkcs10_encoding
.ptr
);
177 free(issuerAndSubject
.ptr
);
178 free(getCertInitial
.ptr
);
179 free(scep_response
.ptr
);
180 options
->destroy(options
);
182 /* print any error message to stderr */
183 if (message
!= NULL
&& *message
!= '\0')
186 char m
[LOG_WIDTH
]; /* longer messages will be truncated */
188 va_start(args
, message
);
189 vsnprintf(m
, sizeof(m
), message
, args
);
192 fprintf(stderr
, "error: %s\n", m
);
201 * @brief prints the program version and exits
207 printf("scepclient %s\n", scepclient_version
);
208 exit_scepclient(NULL
);
212 * @brief prints the usage of the program to the stderr output
214 * If message is set, program is exitet with 1 (error)
215 * @param message message in case of an error
218 usage(const char *message
)
221 "Usage: scepclient\n"
222 " --help (-h) show usage and exit\n"
223 " --version (-v) show version and exit\n"
224 " --quiet (-q) do not write log output to stderr\n"
225 " --in (-i) <type>[=<filename>] use <filename> of <type> for input \n"
226 " <type> = pkcs1 | cacert-enc | cacert-sig\n"
227 " - if no pkcs1 input is defined, a \n"
228 " RSA key will be generated\n"
229 " - if no filename is given, default is used\n"
230 " --out (-o) <type>[=<filename>] write output of <type> to <filename>\n"
231 " multiple outputs are allowed\n"
232 " <type> = pkcs1 | pkcs10 | pkcs7 | cert-self | cert | cacert\n"
233 " - type cacert defines filename prefix of\n"
234 " received CA certificate(s)\n"
235 " - if no filename is given, default is used\n"
236 " --optionsfrom (-+) <filename> reads additional options from given file\n"
237 " --force (-f) force existing file(s)\n"
239 "Options for key generation (pkcs1):\n"
240 " --keylength (-k) <bits> key length for RSA key generation\n"
241 "(default: 2048 bits)\n"
243 "Options for validity:\n"
244 " --days (-D) <days> validity in days\n"
245 " --startdate (-S) <YYMMDDHHMMSS>Z not valid before date\n"
246 " --enddate (-E) <YYMMDDHHMMSS>Z not valid after date\n"
248 "Options for request generation (pkcs10):\n"
249 " --dn (-d) <dn> comma separated list of distinguished names\n"
250 " --subjectAltName (-s) <t>=<v> include subjectAltName in certificate request\n"
251 " <t> = email | dns | ip \n"
252 " --password (-p) <pw> challenge password\n"
253 " - if pw is '%%prompt', password gets prompted for\n"
254 " --algorithm (-a) <algo> use specified algorithm for PKCS#7 encryption\n"
255 " <algo> = des | 3des (default) | aes128| aes192 | \n"
256 " aes256 | camellia128 | camellia192 | camellia256\n"
258 "Options for enrollment (cert):\n"
259 " --url (-u) <url> url of the SCEP server\n"
260 " --method (-m) post | get http request type\n"
261 " --interval (-t) <seconds> manual mode poll interval in seconds (default 20s)\n"
262 " --maxpolltime (-x) <seconds> max poll time in seconds when in manual mode\n"
263 " (default: unlimited)\n"
266 "Debugging output:\n"
267 " --debug-all (-A) show everything except private\n"
268 " --debug-parsing (-P) show parsing relevant stuff\n"
269 " --debug-raw (-R) show raw hex dumps\n"
270 " --debug-control (-C) show control flow output\n"
271 " --debug-controlmore (-M) show more control flow\n"
272 " --debug-private (-X) show sensitive data (private keys, etc.)\n"
275 exit_scepclient(message
);
281 static void print_plugins()
286 enumerator_t
*enumerator
;
288 enumerator
= lib
->plugins
->create_plugin_enumerator(lib
->plugins
);
289 while (len
< BUF_LEN
&& enumerator
->enumerate(enumerator
, &plugin
, NULL
))
291 len
+= snprintf(&buf
[len
], BUF_LEN
-len
, "%s ", plugin
->get_name(plugin
));
293 enumerator
->destroy(enumerator
);
294 DBG1(DBG_LIB
, " loaded plugins: %s", buf
);
298 * @brief main of scepclient
300 * @param argc number of arguments
301 * @param argv pointer to the argument values
303 int main(int argc
, char **argv
)
305 /* external values */
306 extern char * optarg
;
309 /* type of input and output files */
320 /* filetype to read from, defaults to "generate a key" */
321 scep_filetype_t filetype_in
= 0;
323 /* filetype to write to, no default here */
324 scep_filetype_t filetype_out
= 0;
327 char *file_in_pkcs1
= DEFAULT_FILENAME_PKCS1
;
328 char *file_in_cacert_enc
= DEFAULT_FILENAME_CACERT_ENC
;
329 char *file_in_cacert_sig
= DEFAULT_FILENAME_CACERT_SIG
;
332 char *file_out_pkcs1
= DEFAULT_FILENAME_PKCS1
;
333 char *file_out_pkcs10
= DEFAULT_FILENAME_PKCS10
;
334 char *file_out_pkcs7
= DEFAULT_FILENAME_PKCS7
;
335 char *file_out_cert_self
= DEFAULT_FILENAME_CERT_SELF
;
336 char *file_out_cert
= DEFAULT_FILENAME_CERT
;
337 char *file_out_ca_cert
= DEFAULT_FILENAME_CACERT_ENC
;
339 /* by default user certificate is requested */
340 bool request_ca_certificate
= FALSE
;
342 /* by default existing files are not overwritten */
345 /* length of RSA key in bits */
346 u_int rsa_keylength
= DEFAULT_RSA_KEY_LENGTH
;
348 /* validity of self-signed certificate */
349 time_t validity
= DEFAULT_CERT_VALIDITY
;
350 time_t notBefore
= 0;
353 /* distinguished name for requested certificate, ASCII format */
354 char *distinguishedName
= NULL
;
356 /* challenge password */
357 char challenge_password_buffer
[MAX_PASSWORD_LENGTH
];
359 /* symmetric encryption algorithm used by pkcs7, default is 3DES */
360 int pkcs7_symmetric_cipher
= OID_3DES_EDE_CBC
;
362 /* digest algorithm used by pkcs7, default is SHA-1 */
363 int pkcs7_digest_alg
= OID_SHA1
;
365 /* signature algorithm used by pkcs10, default is SHA-1 */
366 hash_algorithm_t pkcs10_signature_alg
= HASH_SHA1
;
368 /* URL of the SCEP-Server */
369 char *scep_url
= NULL
;
371 /* http request method, default is GET */
372 bool http_get_request
= TRUE
;
374 /* poll interval time in manual mode in seconds */
375 u_int poll_interval
= DEFAULT_POLL_INTERVAL
;
377 /* maximum poll time */
378 u_int max_poll_time
= 0;
382 /* initialize library */
383 if (!library_init(NULL
))
386 exit(SS_RC_LIBSTRONGSWAN_INTEGRITY
);
388 if (lib
->integrity
&&
389 !lib
->integrity
->check_file(lib
->integrity
, "scepclient", argv
[0]))
391 fprintf(stderr
, "integrity check of scepclient failed\n");
393 exit(SS_RC_DAEMON_INTEGRITY
);
396 /* initialize global variables */
399 serialNumber
= chunk_empty
;
400 transID
= chunk_empty
;
401 fingerprint
= chunk_empty
;
402 encoding
= chunk_empty
;
403 pkcs10_encoding
= chunk_empty
;
404 issuerAndSubject
= chunk_empty
;
405 challengePassword
= chunk_empty
;
406 getCertInitial
= chunk_empty
;
407 scep_response
= chunk_empty
;
408 subjectAltNames
= linked_list_create();
409 options
= options_create();
410 log_to_stderr
= TRUE
;
414 static const struct option long_opts
[] = {
415 /* name, has_arg, flag, val */
416 { "help", no_argument
, NULL
, 'h' },
417 { "version", no_argument
, NULL
, 'v' },
418 { "optionsfrom", required_argument
, NULL
, '+' },
419 { "quiet", no_argument
, NULL
, 'q' },
420 { "in", required_argument
, NULL
, 'i' },
421 { "out", required_argument
, NULL
, 'o' },
422 { "force", no_argument
, NULL
, 'f' },
423 { "keylength", required_argument
, NULL
, 'k' },
424 { "dn", required_argument
, NULL
, 'd' },
425 { "days", required_argument
, NULL
, 'D' },
426 { "startdate", required_argument
, NULL
, 'S' },
427 { "enddate", required_argument
, NULL
, 'E' },
428 { "subjectAltName", required_argument
, NULL
, 's' },
429 { "password", required_argument
, NULL
, 'p' },
430 { "algorithm", required_argument
, NULL
, 'a' },
431 { "url", required_argument
, NULL
, 'u' },
432 { "method", required_argument
, NULL
, 'm' },
433 { "interval", required_argument
, NULL
, 't' },
434 { "maxpolltime", required_argument
, NULL
, 'x' },
436 { "debug-all", no_argument
, NULL
, 'A' },
437 { "debug-parsing", no_argument
, NULL
, 'P'},
438 { "debug-raw", no_argument
, NULL
, 'R'},
439 { "debug-control", no_argument
, NULL
, 'C'},
440 { "debug-controlmore", no_argument
, NULL
, 'M'},
441 { "debug-private", no_argument
, NULL
, 'X'},
446 /* parse next option */
447 int c
= getopt_long(argc
, argv
, "hv+:qi:o:fk:d:s:p:a:u:m:t:x:APRCMS", long_opts
, NULL
);
451 case EOF
: /* end of flags */
454 case 'h': /* --help */
457 case 'v': /* --version */
460 case 'q': /* --quiet */
461 log_to_stderr
= FALSE
;
464 case 'i': /* --in <type> [= <filename>] */
466 char *filename
= strstr(optarg
, "=");
470 /* replace '=' by '\0' */
472 /* set pointer to start of filename */
475 if (strcaseeq("pkcs1", optarg
))
477 filetype_in
|= PKCS1
;
479 file_in_pkcs1
= filename
;
481 else if (strcaseeq("cacert-enc", optarg
))
483 filetype_in
|= CACERT_ENC
;
485 file_in_cacert_enc
= filename
;
487 else if (strcaseeq("cacert-sig", optarg
))
489 filetype_in
|= CACERT_SIG
;
491 file_in_cacert_sig
= filename
;
495 usage("invalid --in file type");
500 case 'o': /* --out <type> [= <filename>] */
502 char *filename
= strstr(optarg
, "=");
506 /* replace '=' by '\0' */
508 /* set pointer to start of filename */
511 if (strcaseeq("pkcs1", optarg
))
513 filetype_out
|= PKCS1
;
515 file_out_pkcs1
= filename
;
517 else if (strcaseeq("pkcs10", optarg
))
519 filetype_out
|= PKCS10
;
521 file_out_pkcs10
= filename
;
523 else if (strcaseeq("pkcs7", optarg
))
525 filetype_out
|= PKCS7
;
527 file_out_pkcs7
= filename
;
529 else if (strcaseeq("cert-self", optarg
))
531 filetype_out
|= CERT_SELF
;
533 file_out_cert_self
= filename
;
535 else if (strcaseeq("cert", optarg
))
537 filetype_out
|= CERT
;
539 file_out_cert
= filename
;
541 else if (strcaseeq("cacert", optarg
))
543 request_ca_certificate
= TRUE
;
545 file_out_ca_cert
= filename
;
549 usage("invalid --out file type");
554 case 'f': /* --force */
558 case '+': /* --optionsfrom <filename> */
559 if (!options
->from(options
, optarg
, &argc
, &argv
, optind
))
561 exit_scepclient("optionsfrom failed");
565 case 'k': /* --keylength <length> */
569 rsa_keylength
= atoi(optarg
);
570 if (rsa_keylength
== 0)
571 usage("invalid keylength");
573 /* check if key length is a multiple of 8 bits */
574 q
= div(rsa_keylength
, 2*BITS_PER_BYTE
);
577 exit_scepclient("keylength is not a multiple of %d bits!"
583 case 'D': /* --days */
584 if (optarg
== NULL
|| !isdigit(optarg
[0]))
585 usage("missing number of days");
588 long days
= strtol(optarg
, &endptr
, 0);
590 if (*endptr
!= '\0' || endptr
== optarg
592 usage("<days> must be a positive number");
593 validity
= 24*3600*days
;
597 case 'S': /* --startdate */
598 if (optarg
== NULL
|| strlen(optarg
) != 13 || optarg
[12] != 'Z')
599 usage("date format must be YYMMDDHHMMSSZ");
601 chunk_t date
= { optarg
, 13 };
602 notBefore
= asn1_to_time(&date
, ASN1_UTCTIME
);
606 case 'E': /* --enddate */
607 if (optarg
== NULL
|| strlen(optarg
) != 13 || optarg
[12] != 'Z')
608 usage("date format must be YYMMDDHHMMSSZ");
610 chunk_t date
= { optarg
, 13 };
611 notAfter
= asn1_to_time(&date
, ASN1_UTCTIME
);
616 if (distinguishedName
)
617 usage("only one distinguished name allowed");
618 distinguishedName
= optarg
;
621 case 's': /* --subjectAltName */
623 char *value
= strstr(optarg
, "=");
627 /* replace '=' by '\0' */
629 /* set pointer to start of value */
633 if (strcaseeq("email", optarg
) ||
634 strcaseeq("dns", optarg
) ||
635 strcaseeq("ip", optarg
))
637 subjectAltNames
->insert_last(subjectAltNames
,
638 identification_create_from_string(value
));
643 usage("invalid --subjectAltName type");
648 case 'p': /* --password */
649 if (challengePassword
.len
> 0)
651 usage("only one challenge password allowed");
653 if (strcaseeq("%prompt", optarg
))
655 printf("Challenge password: ");
656 if (fgets(challenge_password_buffer
, sizeof(challenge_password_buffer
)-1, stdin
))
658 challengePassword
.ptr
= challenge_password_buffer
;
659 /* discard the terminating '\n' from the input */
660 challengePassword
.len
= strlen(challenge_password_buffer
) - 1;
664 usage("challenge password could not be read");
669 challengePassword
.ptr
= optarg
;
670 challengePassword
.len
= strlen(optarg
);
674 case 'u': /* -- url */
677 usage("only one URL argument allowed");
682 case 'm': /* --method */
683 if (strcaseeq("get", optarg
))
685 http_get_request
= TRUE
;
687 else if (strcaseeq("post", optarg
))
689 http_get_request
= FALSE
;
693 usage("invalid http request method specified");
697 case 't': /* --interval */
698 poll_interval
= atoi(optarg
);
699 if (poll_interval
<= 0)
701 usage("invalid interval specified");
705 case 'x': /* --maxpolltime */
706 max_poll_time
= atoi(optarg
);
707 if (max_poll_time
< 0)
709 usage("invalid maxpolltime specified");
713 case 'a': /*--algorithm */
715 const proposal_token_t
*token
;
717 token
= proposal_get_token(optarg
, strlen(optarg
));
718 if (token
== NULL
|| token
->type
!= ENCRYPTION_ALGORITHM
)
720 usage("invalid algorithm specified");
722 pkcs7_symmetric_cipher
= encryption_algorithm_to_oid(
723 token
->algorithm
, token
->keysize
);
724 if (pkcs7_symmetric_cipher
== OID_UNKNOWN
)
726 usage("unsupported encryption algorithm specified");
731 case 'A': /* --debug-all */
732 base_debugging
|= DBG_ALL
;
734 case 'P': /* debug parsing */
735 base_debugging
|= DBG_PARSING
;
737 case 'R': /* debug raw */
738 base_debugging
|= DBG_RAW
;
740 case 'C': /* debug control */
741 base_debugging
|= DBG_CONTROL
;
743 case 'M': /* debug control more */
744 base_debugging
|= DBG_CONTROLMORE
;
746 case 'X': /* debug private */
747 base_debugging
|= DBG_PRIVATE
;
751 usage("unknown option");
753 /* break from loop */
756 cur_debugging
= base_debugging
;
758 init_log("scepclient");
760 /* load plugins, further infrastructure may need it */
761 if (!lib
->plugins
->load(lib
->plugins
, NULL
,
762 lib
->settings
->get_str(lib
->settings
, "scepclient.load", PLUGINS
)))
764 exit_scepclient("plugin loading failed");
768 if ((filetype_out
== 0) && (!request_ca_certificate
))
770 usage ("--out filetype required");
772 if (request_ca_certificate
&& (filetype_out
> 0 || filetype_in
> 0))
774 usage("in CA certificate request, no other --in or --out option allowed");
777 /* check if url is given, if cert output defined */
778 if (((filetype_out
& CERT
) || request_ca_certificate
) && !scep_url
)
780 usage("URL of SCEP server required");
783 /* check for sanity of --in/--out */
784 if (!filetype_in
&& (filetype_in
> filetype_out
))
786 usage("cannot generate --out of given --in!");
790 if (request_ca_certificate
)
792 char *path
= concatenate_paths(CA_CERT_PATH
, file_out_ca_cert
);
794 if (!scep_http_request(scep_url
, chunk_empty
, SCEP_GET_CA_CERT
,
795 http_get_request
, &scep_response
))
797 exit_scepclient("did not receive a valid scep response");
800 if (!chunk_write(scep_response
, path
, "ca cert", 0022, force
))
802 exit_scepclient("could not write ca cert file '%s'", path
);
804 exit_scepclient(NULL
); /* no further output required */
808 * input of PKCS#1 file
810 if (filetype_in
& PKCS1
) /* load an RSA key pair from file */
812 char *path
= concatenate_paths(PRIVATE_KEY_PATH
, file_in_pkcs1
);
814 private_key
= lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
, KEY_RSA
,
815 BUILD_FROM_FILE
, path
, BUILD_END
);
817 else /* generate an RSA key pair */
819 private_key
= lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
, KEY_RSA
,
820 BUILD_KEY_SIZE
, rsa_keylength
,
823 if (private_key
== NULL
)
825 exit_scepclient("no RSA private key available");
827 public_key
= private_key
->get_public_key(private_key
);
829 /* check for minimum key length */
830 if (private_key
->get_keysize(private_key
) < RSA_MIN_OCTETS
/ BITS_PER_BYTE
)
832 exit_scepclient("length of RSA key has to be at least %d bits"
833 ,RSA_MIN_OCTETS
* BITS_PER_BYTE
);
837 * input of PKCS#10 file
839 if (filetype_in
& PKCS10
)
841 /* user wants to load a pkcs10 request
842 * operation is not yet supported
843 * would require a PKCS#10 parsing function
845 pkcs10 = pkcs10_read_from_file(file_in_pkcs10);
851 if (distinguishedName
== NULL
)
854 int n
= sprintf(buf
, DEFAULT_DN
);
856 /* set the common name to the hostname */
857 if (gethostname(buf
+ n
, BUF_LEN
- n
) || strlen(buf
) == n
)
859 exit_scepclient("no hostname defined, use "
860 "--dn <distinguished name> option");
862 distinguishedName
= buf
;
866 DBG_log("dn: '%s'", distinguishedName
);
868 subject
= identification_create_from_string(distinguishedName
);
869 if (subject
->get_type(subject
) != ID_DER_ASN1_DN
)
871 exit_scepclient("parsing of distinguished name failed");
875 DBG_log("building pkcs10 object:")
877 pkcs10_req
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
,
879 BUILD_SIGNING_KEY
, private_key
,
880 BUILD_SUBJECT
, subject
,
881 BUILD_SUBJECT_ALTNAMES
, subjectAltNames
,
882 BUILD_CHALLENGE_PWD
, challengePassword
,
883 BUILD_DIGEST_ALG
, pkcs10_signature_alg
,
887 exit_scepclient("generating pkcs10 request failed");
889 pkcs10_req
->get_encoding(pkcs10_req
, CERT_ASN1_DER
, &pkcs10_encoding
);
890 fingerprint
= scep_generate_pkcs10_fingerprint(pkcs10_encoding
);
891 plog(" fingerprint: %s", fingerprint
.ptr
);
895 * output of PKCS#10 file
897 if (filetype_out
& PKCS10
)
899 char *path
= concatenate_paths(REQ_PATH
, file_out_pkcs10
);
901 if (!chunk_write(pkcs10_encoding
, path
, "pkcs10", 0022, force
))
903 exit_scepclient("could not write pkcs10 file '%s'", path
);
905 filetype_out
&= ~PKCS10
; /* delete PKCS10 flag */
910 exit_scepclient(NULL
); /* no further output required */
914 * output of PKCS#1 file
916 if (filetype_out
& PKCS1
)
918 char *path
= concatenate_paths(PRIVATE_KEY_PATH
, file_out_pkcs1
);
921 DBG_log("building pkcs1 object:")
923 if (!private_key
->get_encoding(private_key
, PRIVKEY_ASN1_DER
, &pkcs1
) ||
924 !chunk_write(pkcs1
, path
, "pkcs1", 0066, force
))
926 exit_scepclient("could not write pkcs1 file '%s'", path
);
928 filetype_out
&= ~PKCS1
; /* delete PKCS1 flag */
933 exit_scepclient(NULL
); /* no further output required */
936 scep_generate_transaction_id(public_key
, &transID
, &serialNumber
);
937 plog(" transaction ID: %.*s", (int)transID
.len
, transID
.ptr
);
939 notBefore
= notBefore
? notBefore
: time(NULL
);
940 notAfter
= notAfter
? notAfter
: (notBefore
+ validity
);
942 /* generate a self-signed X.509 certificate */
943 x509_signer
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
, CERT_X509
,
944 BUILD_SIGNING_KEY
, private_key
,
945 BUILD_PUBLIC_KEY
, public_key
,
946 BUILD_SUBJECT
, subject
,
947 BUILD_NOT_BEFORE_TIME
, notBefore
,
948 BUILD_NOT_AFTER_TIME
, notAfter
,
949 BUILD_SERIAL
, serialNumber
,
950 BUILD_SUBJECT_ALTNAMES
, subjectAltNames
,
954 exit_scepclient("generating certificate failed");
958 * output of self-signed X.509 certificate file
960 if (filetype_out
& CERT_SELF
)
962 char *path
= concatenate_paths(HOST_CERT_PATH
, file_out_cert_self
);
964 if (!x509_signer
->get_encoding(x509_signer
, CERT_ASN1_DER
, &encoding
))
966 exit_scepclient("encoding certificate failed");
968 if (!chunk_write(encoding
, path
, "self-signed cert", 0022, force
))
970 exit_scepclient("could not write self-signed cert file '%s'", path
);
972 chunk_free(&encoding
);
973 filetype_out
&= ~CERT_SELF
; /* delete CERT_SELF flag */
978 exit_scepclient(NULL
); /* no further output required */
982 * load ca encryption certificate
985 char *path
= concatenate_paths(CA_CERT_PATH
, file_in_cacert_enc
);
987 x509_ca_enc
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
, CERT_X509
,
988 BUILD_FROM_FILE
, path
, BUILD_END
);
991 exit_scepclient("could not load encryption cacert file '%s'", path
);
996 * input of PKCS#7 file
998 if (filetype_in
& PKCS7
)
1000 /* user wants to load a pkcs7 encrypted request
1001 * operation is not yet supported!
1002 * would require additional parsing of transaction-id
1004 pkcs7 = pkcs7_read_from_file(file_in_pkcs7);
1011 DBG_log("building pkcs7 request")
1013 pkcs7
= scep_build_request(pkcs10_encoding
,
1014 transID
, SCEP_PKCSReq_MSG
,
1015 x509_ca_enc
, pkcs7_symmetric_cipher
,
1016 x509_signer
, pkcs7_digest_alg
, private_key
);
1020 * output pkcs7 encrypted and signed certificate request
1022 if (filetype_out
& PKCS7
)
1024 char *path
= concatenate_paths(REQ_PATH
, file_out_pkcs7
);
1026 if (!chunk_write(pkcs7
, path
, "pkcs7 encrypted request", 0022, force
))
1027 exit_scepclient("could not write pkcs7 file '%s'", path
);
1029 filetype_out
&= ~PKCS7
; /* delete PKCS7 flag */
1034 exit_scepclient(NULL
); /* no further output required */
1038 * output certificate fetch from SCEP server
1040 if (filetype_out
& CERT
)
1042 bool stored
= FALSE
;
1043 certificate_t
*cert
;
1044 enumerator_t
*enumerator
;
1045 char *path
= concatenate_paths(CA_CERT_PATH
, file_in_cacert_sig
);
1046 time_t poll_start
= 0;
1048 linked_list_t
*certs
= linked_list_create();
1049 chunk_t envelopedData
= chunk_empty
;
1050 chunk_t certData
= chunk_empty
;
1051 contentInfo_t data
= empty_contentInfo
;
1052 scep_attributes_t attrs
= empty_scep_attributes
;
1054 x509_ca_sig
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
, CERT_X509
,
1055 BUILD_FROM_FILE
, path
, BUILD_END
);
1058 exit_scepclient("could not load signature cacert file '%s'", path
);
1061 if (!scep_http_request(scep_url
, pkcs7
, SCEP_PKI_OPERATION
,
1062 http_get_request
, &scep_response
))
1064 exit_scepclient("did not receive a valid scep response");
1066 ugh
= scep_parse_response(scep_response
, transID
, &data
, &attrs
1070 exit_scepclient(ugh
);
1073 /* in case of manual mode, we are going into a polling loop */
1074 if (attrs
.pkiStatus
== SCEP_PENDING
)
1076 identification_t
*issuer
= x509_ca_sig
->get_subject(x509_ca_sig
);
1078 plog(" scep request pending, polling every %d seconds"
1080 poll_start
= time_monotonic(NULL
);
1081 issuerAndSubject
= asn1_wrap(ASN1_SEQUENCE
, "cc",
1082 issuer
->get_encoding(issuer
),
1085 while (attrs
.pkiStatus
== SCEP_PENDING
)
1087 if (max_poll_time
> 0
1088 && (time_monotonic(NULL
) - poll_start
>= max_poll_time
))
1090 exit_scepclient("maximum poll time reached: %d seconds"
1094 DBG_log("going to sleep for %d seconds", poll_interval
)
1096 sleep(poll_interval
);
1097 free(scep_response
.ptr
);
1100 DBG_log("fingerprint: %.*s", (int)fingerprint
.len
, fingerprint
.ptr
);
1101 DBG_log("transaction ID: %.*s", (int)transID
.len
, transID
.ptr
)
1104 chunk_free(&getCertInitial
);
1105 getCertInitial
= scep_build_request(issuerAndSubject
1106 , transID
, SCEP_GetCertInitial_MSG
1107 , x509_ca_enc
, pkcs7_symmetric_cipher
1108 , x509_signer
, pkcs7_digest_alg
, private_key
);
1110 if (!scep_http_request(scep_url
, getCertInitial
, SCEP_PKI_OPERATION
,
1111 http_get_request
, &scep_response
))
1113 exit_scepclient("did not receive a valid scep response");
1115 ugh
= scep_parse_response(scep_response
, transID
, &data
, &attrs
1119 exit_scepclient(ugh
);
1123 if (attrs
.pkiStatus
!= SCEP_SUCCESS
)
1125 exit_scepclient("reply status is not 'SUCCESS'");
1128 envelopedData
= data
.content
;
1130 if (data
.type
!= OID_PKCS7_DATA
1131 || !asn1_parse_simple_object(&envelopedData
, ASN1_OCTET_STRING
, 0, "data"))
1133 exit_scepclient("contentInfo is not of type 'data'");
1135 if (!pkcs7_parse_envelopedData(envelopedData
, &certData
1136 , serialNumber
, private_key
))
1138 exit_scepclient("could not decrypt envelopedData");
1140 if (!pkcs7_parse_signedData(certData
, NULL
, certs
, NULL
, NULL
))
1142 exit_scepclient("error parsing the scep response");
1144 chunk_free(&certData
);
1146 /* store the end entity certificate */
1147 path
= concatenate_paths(HOST_CERT_PATH
, file_out_cert
);
1149 enumerator
= certs
->create_enumerator(certs
);
1150 while (enumerator
->enumerate(enumerator
, &cert
))
1152 x509_t
*x509
= (x509_t
*)cert
;
1154 if (!(x509
->get_flags(x509
) & X509_CA
))
1158 exit_scepclient("multiple certs received, only first stored");
1160 if (!cert
->get_encoding(cert
, CERT_ASN1_DER
, &encoding
) ||
1161 !chunk_write(encoding
, path
, "requested cert", 0022, force
))
1163 exit_scepclient("could not write cert file '%s'", path
);
1165 chunk_free(&encoding
);
1169 certs
->destroy_offset(certs
, offsetof(certificate_t
, destroy
));
1170 filetype_out
&= ~CERT
; /* delete CERT flag */
1173 exit_scepclient(NULL
);
1174 return -1; /* should never be reached */