/*
+ * Copyright (C) 2012 Tobias Brunner
* Copyright (C) 2005 Jan Hutter, Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* for more details.
*/
-/**
- * @file main.c
- * @brief scepclient main program
- */
-
-/**
- * @mainpage SCEP for Linux strongSwan
- *
- * Documentation of SCEP for Linux StrongSwan
- */
-
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
-#include <syslog.h>
#include <string.h>
#include <getopt.h>
#include <ctype.h>
#include <unistd.h>
#include <time.h>
-#include <gmp.h>
+#include <limits.h>
+#include <syslog.h>
+#include <errno.h>
-#include <freeswan.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
+#include <asn1/asn1.h>
#include <asn1/oid.h>
+#include <utils/optionsfrom.h>
+#include <collections/enumerator.h>
+#include <collections/linked_list.h>
+#include <crypto/hashers/hasher.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/proposal/proposal_keywords.h>
+#include <credentials/keys/private_key.h>
+#include <credentials/keys/public_key.h>
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/certificates/pkcs10.h>
+#include <credentials/sets/mem_cred.h>
+#include <plugins/plugin.h>
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
-#include "../pluto/asn1.h"
-#include "../pluto/pkcs1.h"
-#include "../pluto/pkcs7.h"
-#include "../pluto/certs.h"
-#include "../pluto/fetch.h"
-#include "../pluto/rnd.h"
-
-#include "rsakey.h"
-#include "pkcs10.h"
#include "scep.h"
/*
* definition of some defaults
*/
+/* some paths */
+#define REQ_PATH IPSEC_CONFDIR "/ipsec.d/reqs"
+#define HOST_CERT_PATH IPSEC_CONFDIR "/ipsec.d/certs"
+#define CA_CERT_PATH IPSEC_CONFDIR "/ipsec.d/cacerts"
+#define PRIVATE_KEY_PATH IPSEC_CONFDIR "/ipsec.d/private"
+
/* default name of DER-encoded PKCS#1 private key file */
-#define DEFAULT_FILENAME_PKCS1 "myKey.der"
+#define DEFAULT_FILENAME_PKCS1 "myKey.der"
/* default name of DER-encoded PKCS#10 certificate request file */
-#define DEFAULT_FILENAME_PKCS10 "myReq.der"
+#define DEFAULT_FILENAME_PKCS10 "myReq.der"
/* default name of DER-encoded PKCS#7 file */
-#define DEFAULT_FILENAME_PKCS7 "pkcs7.der"
+#define DEFAULT_FILENAME_PKCS7 "pkcs7.der"
/* default name of DER-encoded self-signed X.509 certificate file */
-#define DEFAULT_FILENAME_CERT_SELF "selfCert.der"
+#define DEFAULT_FILENAME_CERT_SELF "selfCert.der"
/* default name of DER-encoded X.509 certificate file */
-#define DEFAULT_FILENAME_CERT "myCert.der"
+#define DEFAULT_FILENAME_CERT "myCert.der"
/* default name of DER-encoded CA cert file used for key encipherment */
-#define DEFAULT_FILENAME_CACERT_ENC "caCert.der"
+#define DEFAULT_FILENAME_CACERT_ENC "caCert.der"
/* default name of the der encoded CA cert file used for signature verification */
-#define DEFAULT_FILENAME_CACERT_SIG "caCert.der"
+#define DEFAULT_FILENAME_CACERT_SIG "caCert.der"
/* default prefix of the der encoded CA certificates received from the SCEP server */
-#define DEFAULT_FILENAME_PREFIX_CACERT "caCert.der"
+#define DEFAULT_FILENAME_PREFIX_CACERT "caCert.der"
/* default certificate validity */
-#define DEFAULT_CERT_VALIDITY 5 * 3600 * 24 * 365 /* seconds */
+#define DEFAULT_CERT_VALIDITY 5 * 3600 * 24 * 365 /* seconds */
/* default polling time interval in SCEP manual mode */
-#define DEFAULT_POLL_INTERVAL 20 /* seconds */
+#define DEFAULT_POLL_INTERVAL 20 /* seconds */
/* default key length for self-generated RSA keys */
-#define DEFAULT_RSA_KEY_LENGTH 2048 /* bits */
+#define DEFAULT_RSA_KEY_LENGTH 2048 /* bits */
/* default distinguished name */
#define DEFAULT_DN "C=CH, O=Linux strongSwan, CN="
+/* minimum RSA key size */
+#define RSA_MIN_OCTETS (512 / BITS_PER_BYTE)
+
/* challenge password buffer size */
#define MAX_PASSWORD_LENGTH 256
/* by default pluto logs out after every smartcard use */
bool pkcs11_keep_state = FALSE;
+/* by default HTTP fetch timeout is 30s */
+static u_int http_timeout = 30;
+
+/* address to bind for HTTP fetches */
+static char* http_bind = NULL;
+
+/* options read by optionsfrom */
+options_t *options;
/*
* Global variables
*/
-
-RSA_private_key_t *private_key = NULL;
-
chunk_t pkcs1;
chunk_t pkcs7;
-chunk_t subject;
chunk_t challengePassword;
chunk_t serialNumber;
chunk_t transID;
chunk_t fingerprint;
+chunk_t encoding;
+chunk_t pkcs10_encoding;
chunk_t issuerAndSubject;
chunk_t getCertInitial;
chunk_t scep_response;
-cert_t cert;
-x509cert_t *x509_signer = NULL;
-x509cert_t *x509_ca_enc = NULL;
-x509cert_t *x509_ca_sig = NULL;
-generalName_t *subjectAltNames = NULL;
-pkcs10_t *pkcs10 = NULL;
+linked_list_t *subjectAltNames;
+
+identification_t *subject = NULL;
+private_key_t *private_key = NULL;
+public_key_t *public_key = NULL;
+certificate_t *x509_signer = NULL;
+certificate_t *x509_ca_enc = NULL;
+certificate_t *x509_ca_sig = NULL;
+certificate_t *pkcs10_req = NULL;
+
+mem_cred_t *creds = NULL;
+
+/* logging */
+static bool log_to_stderr = TRUE;
+static bool log_to_syslog = TRUE;
+static level_t default_loglevel = 1;
/**
- * @brief exit scepclient
- *
- * @param status 0 = OK, 1 = general discomfort
+ * logging function for scepclient
*/
-static void
-exit_scepclient(err_t message, ...)
+static void scepclient_dbg(debug_t group, level_t level, char *fmt, ...)
{
- if (private_key != NULL)
- {
- free_RSA_private_content(private_key);
- free(private_key);
- }
- free(pkcs1.ptr);
- free(pkcs7.ptr);
- free(subject.ptr);
- free(serialNumber.ptr);
- free(transID.ptr);
- free(fingerprint.ptr);
- free(issuerAndSubject.ptr);
- free(getCertInitial.ptr);
- free(scep_response.ptr);
-
- free_generalNames(subjectAltNames, TRUE);
- if (x509_signer != NULL)
- {
- x509_signer->subjectAltName = NULL;
- }
- free_x509cert(x509_signer);
- free_x509cert(x509_ca_enc);
- free_x509cert(x509_ca_sig);
- pkcs10_free(pkcs10);
- library_deinit();
- close_log();
-
- /* print any error message to stderr */
- if (message != NULL && *message != '\0')
- {
+ char buffer[8192];
+ char *current = buffer, *next;
va_list args;
- char m[LOG_WIDTH]; /* longer messages will be truncated */
-
- va_start(args, message);
- vsnprintf(m, sizeof(m), message, args);
- va_end(args);
- fprintf(stderr, "error: %s\n", m);
- exit(-1);
- }
- exit(0);
+ if (level <= default_loglevel)
+ {
+ if (log_to_stderr)
+ {
+ va_start(args, fmt);
+ vfprintf(stderr, fmt, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ }
+ if (log_to_syslog)
+ {
+ /* write in memory buffer first */
+ va_start(args, fmt);
+ vsnprintf(buffer, sizeof(buffer), fmt, args);
+ va_end(args);
+
+ /* do a syslog with every line */
+ while (current)
+ {
+ next = strchr(current, '\n');
+ if (next)
+ {
+ *(next++) = '\0';
+ }
+ syslog(LOG_INFO, "%s\n", current);
+ current = next;
+ }
+ }
+ }
}
/**
- * @brief prints the program version and exits
- *
+ * Initialize logging to stderr/syslog
*/
-static void
-version(void)
+static void init_log(const char *program)
{
- printf("scepclient %s\n", scepclient_version);
- exit_scepclient(NULL);
+ dbg = scepclient_dbg;
+
+ if (log_to_stderr)
+ {
+ setbuf(stderr, NULL);
+ }
+ if (log_to_syslog)
+ {
+ openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
+ }
}
/**
- * @brief prints the usage of the program to the stderr output
- *
- * If message is set, program is exitet with 1 (error)
- * @param message message in case of an error
+ * join two paths if filename is not absolute
*/
-static void
-usage(const char *message)
+static void join_paths(char *target, size_t target_size, char *parent,
+ char *filename)
{
- fprintf(stderr,
- "Usage: scepclient\n"
- " --help (-h) show usage and exit\n"
- " --version (-v) show version and exit\n"
- " --quiet (-q) do not write log output to stderr\n"
- " --in (-i) <type>[=<filename>] use <filename> of <type> for input \n"
- " <type> = pkcs1 | cacert-enc | cacert-sig\n"
- " - if no pkcs1 input is defined, a \n"
- " RSA key will be generated\n"
- " - if no filename is given, default is used\n"
- " --out (-o) <type>[=<filename>] write output of <type> to <filename>\n"
- " multiple outputs are allowed\n"
- " <type> = pkcs1 | pkcs10 | pkcs7 | cert-self | cert | cacert\n"
- " - type cacert defines filename prefix of\n"
- " received CA certificate(s)\n"
- " - if no filename is given, default is used\n"
- " --optionsfrom (-+) <filename> reads additional options from given file\n"
- " --force (-f) force existing file(s)\n"
- "\n"
- "Options for key generation (pkcs1):\n"
- " --keylength (-k) <bits> key length for RSA key generation\n"
- "(default: 2048 bits)\n"
- "\n"
- "Options for validity:\n"
- " --days (-D) <days> validity in days\n"
- " --startdate (-S) <YYMMDDHHMMSS>Z not valid before date\n"
- " --enddate (-E) <YYMMDDHHMMSS>Z not valid after date\n"
- "\n"
- "Options for request generation (pkcs10):\n"
- " --dn (-d) <dn> comma separated list of distinguished names\n"
- " --subjectAltName (-s) <t>=<v> include subjectAltName in certificate request\n"
- " <t> = email | dns | ip \n"
- " --password (-p) <pw> challenge password\n"
- " - if pw is '%%prompt', password gets prompted for\n"
- " --algorithm (-a) <algo> use specified algorithm for PKCS#7 encryption\n"
- " <algo> = des-cbc | 3des-cbc (default: 3des-cbc)\n"
- "\n"
- "Options for enrollment (cert):\n"
- " --url (-u) <url> url of the SCEP server\n"
- " --method (-m) post | get http request type\n"
- " --interval (-t) <seconds> manual mode poll interval in seconds (default 20s)\n"
- " --maxpolltime (-x) <seconds> max poll time in seconds when in manual mode\n"
- " (default: unlimited)\n"
-#ifdef DEBUG
- "\n"
- "Debugging output:\n"
- " --debug-all (-A) show everything except private\n"
- " --debug-parsing (-P) show parsing relevant stuff\n"
- " --debug-raw (-R) show raw hex dumps\n"
- " --debug-control (-C) show control flow output\n"
- " --debug-controlmore (-M) show more control flow\n"
- " --debug-private (-X) show sensitive data (private keys, etc.)\n"
-#endif
- );
- exit_scepclient(message);
+ if (*filename == '/' || *filename == '.')
+ {
+ snprintf(target, target_size, "%s", filename);
+ }
+ else
+ {
+ snprintf(target, target_size, "%s/%s", parent, filename);
+ }
}
-static int debug_level = 1;
+/**
+ * add a suffix to a given filename, properly handling extensions like '.der'
+ */
+static void add_path_suffix(char *target, size_t target_size, char *filename,
+ char *suffix_fmt, ...)
+{
+ char suffix[PATH_MAX], *start, *dot;
+ va_list args;
+
+ va_start(args, suffix_fmt);
+ vsnprintf(suffix, sizeof(suffix), suffix_fmt, args);
+ va_end(args);
+
+ start = strrchr(filename, '/');
+ start = start ?: filename;
+ dot = strrchr(start, '.');
+
+ if (!dot || dot == start || dot[1] == '\0')
+ { /* no extension add suffix at the end */
+ snprintf(target, target_size, "%s%s", filename, suffix);
+ }
+ else
+ { /* add the suffix between the filename and the extension */
+ snprintf(target, target_size, "%.*s%s%s", (int)(dot - filename),
+ filename, suffix, dot);
+ }
+}
/**
- * @brief scepclient dbg function
+ * @brief exit scepclient
+ *
+ * @param status 0 = OK, 1 = general discomfort
*/
-static void scepclient_dbg(int level, char *fmt, ...)
+static void exit_scepclient(err_t message, ...)
{
- int priority = LOG_INFO;
- char buffer[8192];
- char *current = buffer, *next;
- va_list args;
-
- if (level <= debug_level)
- {
- va_start(args, fmt);
+ int status = 0;
- if (log_to_stderr)
+ if (creds)
{
- vfprintf(stderr, fmt, args);
- fprintf(stderr, "\n");
+ lib->credmgr->remove_set(lib->credmgr, &creds->set);
+ creds->destroy(creds);
}
- if (log_to_syslog)
+
+ DESTROY_IF(subject);
+ DESTROY_IF(private_key);
+ DESTROY_IF(public_key);
+ DESTROY_IF(x509_signer);
+ DESTROY_IF(x509_ca_enc);
+ DESTROY_IF(x509_ca_sig);
+ DESTROY_IF(pkcs10_req);
+ subjectAltNames->destroy_offset(subjectAltNames,
+ offsetof(identification_t, destroy));
+ free(pkcs1.ptr);
+ free(pkcs7.ptr);
+ free(serialNumber.ptr);
+ free(transID.ptr);
+ free(fingerprint.ptr);
+ free(encoding.ptr);
+ free(pkcs10_encoding.ptr);
+ free(issuerAndSubject.ptr);
+ free(getCertInitial.ptr);
+ free(scep_response.ptr);
+ options->destroy(options);
+
+ /* print any error message to stderr */
+ if (message != NULL && *message != '\0')
{
- /* write in memory buffer first */
- vsnprintf(buffer, sizeof(buffer), fmt, args);
-
- /* do a syslog with every line */
- while (current)
- {
- next = strchr(current, '\n');
- if (next)
- {
- *(next++) = '\0';
- }
- syslog(priority, "%s\n", current);
- current = next;
- }
+ va_list args;
+ char m[8192];
+
+ va_start(args, message);
+ vsnprintf(m, sizeof(m), message, args);
+ va_end(args);
+
+ fprintf(stderr, "error: %s\n", m);
+ status = -1;
}
- va_end(args);
- }
+ library_deinit();
+ exit(status);
+}
+
+/**
+ * @brief prints the program version and exits
+ *
+ */
+static void version(void)
+{
+ printf("scepclient %s\n", scepclient_version);
+ exit_scepclient(NULL);
+}
+
+/**
+ * @brief prints the usage of the program to the stderr output
+ *
+ * If message is set, program is exitet with 1 (error)
+ * @param message message in case of an error
+ */
+static void usage(const char *message)
+{
+ fprintf(stderr,
+ "Usage: scepclient\n"
+ " --help (-h) show usage and exit\n"
+ " --version (-v) show version and exit\n"
+ " --quiet (-q) do not write log output to stderr\n"
+ " --in (-i) <type>[=<filename>] use <filename> of <type> for input\n"
+ " <type> = pkcs1 | pkcs10 | cert-self\n"
+ " cacert-enc | cacert-sig\n"
+ " - if no pkcs1 input is defined, an RSA\n"
+ " key will be generated\n"
+ " - if no pkcs10 input is defined, a\n"
+ " PKCS#10 request will be generated\n"
+ " - if no cert-self input is defined, a\n"
+ " self-signed certificate will be generated\n"
+ " - if no filename is given, default is used\n"
+ " --out (-o) <type>[=<filename>] write output of <type> to <filename>\n"
+ " multiple outputs are allowed\n"
+ " <type> = pkcs1 | pkcs10 | pkcs7 | cert-self |\n"
+ " cert | cacert\n"
+ " - type cacert defines filename prefix of\n"
+ " received CA certificate(s)\n"
+ " - if no filename is given, default is used\n"
+ " --optionsfrom (-+) <filename> reads additional options from given file\n"
+ " --force (-f) force existing file(s)\n"
+ " --httptimeout (-T) timeout for HTTP operations (default: 30s)\n"
+ " --bind (-b) source address to bind for HTTP operations\n"
+ "\n"
+ "Options for key generation (pkcs1):\n"
+ " --keylength (-k) <bits> key length for RSA key generation\n"
+ " (default: 2048 bits)\n"
+ "\n"
+ "Options for validity:\n"
+ " --days (-D) <days> validity in days\n"
+ " --startdate (-S) <YYMMDDHHMMSS>Z not valid before date\n"
+ " --enddate (-E) <YYMMDDHHMMSS>Z not valid after date\n"
+ "\n"
+ "Options for request generation (pkcs10):\n"
+ " --dn (-d) <dn> comma separated list of distinguished names\n"
+ " --subjectAltName (-s) <t>=<v> include subjectAltName in certificate request\n"
+ " <t> = email | dns | ip \n"
+ " --password (-p) <pw> challenge password\n"
+ " - use '%%prompt' as pw for a password prompt\n"
+ " --algorithm (-a) [<type>=]<algo> algorithm to be used for PKCS#7 encryption,\n"
+ " PKCS#7 digest or PKCS#10 signature\n"
+ " <type> = enc | dgst | sig\n"
+ " - if no type is given enc is assumed\n"
+ " <algo> = des (default) | 3des | aes128 |\n"
+ " aes192 | aes256 | camellia128 |\n"
+ " camellia192 | camellia256\n"
+ " <algo> = md5 (default) | sha1 | sha256 |\n"
+ " sha384 | sha512\n"
+ "\n"
+ "Options for CA certificate acquisition:\n"
+ " --caname (-c) <name> name of CA to fetch CA certificate(s)\n"
+ " (default: CAIdentifier)\n"
+ "Options for enrollment (cert):\n"
+ " --url (-u) <url> url of the SCEP server\n"
+ " --method (-m) post | get http request type\n"
+ " --interval (-t) <seconds> poll interval in seconds (default 20s)\n"
+ " --maxpolltime (-x) <seconds> max poll time in seconds when in manual mode\n"
+ " (default: unlimited)\n"
+ "\n"
+ "Debugging output:\n"
+ " --debug (-l) <level> changes the log level (-1..4, default: 1)\n"
+ );
+ exit_scepclient(message);
}
+
/**
* @brief main of scepclient
*
*/
int main(int argc, char **argv)
{
- /* external values */
- extern char * optarg;
- extern int optind;
-
- /* type of input and output files */
- typedef enum {
- PKCS1 = 0x01,
- PKCS10 = 0x02,
- PKCS7 = 0x04,
- CERT_SELF = 0x08,
- CERT = 0x10,
- CACERT_ENC = 0x20,
- CACERT_SIG = 0x40
- } scep_filetype_t;
-
- /* filetype to read from, defaults to "generate a key" */
- scep_filetype_t filetype_in = 0;
-
- /* filetype to write to, no default here */
- scep_filetype_t filetype_out = 0;
-
- /* input files */
- char *file_in_pkcs1 = DEFAULT_FILENAME_PKCS1;
- char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC;
- char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG;
-
- /* output files */
- char *file_out_pkcs1 = DEFAULT_FILENAME_PKCS1;
- char *file_out_pkcs10 = DEFAULT_FILENAME_PKCS10;
- char *file_out_pkcs7 = DEFAULT_FILENAME_PKCS7;
- char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF;
- char *file_out_cert = DEFAULT_FILENAME_CERT;
- char *file_out_prefix_cacert = DEFAULT_FILENAME_PREFIX_CACERT;
-
- /* by default user certificate is requested */
- bool request_ca_certificate = FALSE;
-
- /* by default existing files are not overwritten */
- bool force = FALSE;
-
- /* length of RSA key in bits */
- u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH;
-
- /* validity of self-signed certificate */
- time_t validity = DEFAULT_CERT_VALIDITY;
- time_t notBefore = 0;
- time_t notAfter = 0;
-
- /* distinguished name for requested certificate, ASCII format */
- char *distinguishedName = NULL;
-
- /* challenge password */
- char challenge_password_buffer[MAX_PASSWORD_LENGTH];
-
- /* symmetric encryption algorithm used by pkcs7, default is 3DES */
- int pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
-
- /* digest algorithm used by pkcs7, default is MD5 */
- int pkcs7_digest_alg = OID_MD5;
-
- /* signature algorithm used by pkcs10, default is MD5 with RSA encryption */
- int pkcs10_signature_alg = OID_MD5;
-
- /* URL of the SCEP-Server */
- char *scep_url = NULL;
-
- /* http request method, default is GET */
- fetch_request_t request_type = FETCH_GET;
-
- /* poll interval time in manual mode in seconds */
- u_int poll_interval = DEFAULT_POLL_INTERVAL;
-
- /* maximum poll time */
- u_int max_poll_time = 0;
-
- err_t ugh = NULL;
-
- /* initialize global variables */
- pkcs1 = chunk_empty;
- pkcs7 = chunk_empty;
- serialNumber = chunk_empty;
- transID = chunk_empty;
- fingerprint = chunk_empty;
- issuerAndSubject = chunk_empty;
- challengePassword = chunk_empty;
- getCertInitial = chunk_empty;
- scep_response = chunk_empty;
- log_to_stderr = TRUE;
-
- library_init(STRONGSWAN_CONF);
-
- for (;;)
- {
- static const struct option long_opts[] = {
- /* name, has_arg, flag, val */
- { "help", no_argument, NULL, 'h' },
- { "version", no_argument, NULL, 'v' },
- { "optionsfrom", required_argument, NULL, '+' },
- { "quiet", no_argument, NULL, 'q' },
- { "in", required_argument, NULL, 'i' },
- { "out", required_argument, NULL, 'o' },
- { "force", no_argument, NULL, 'f' },
- { "keylength", required_argument, NULL, 'k' },
- { "dn", required_argument, NULL, 'd' },
- { "days", required_argument, NULL, 'D' },
- { "startdate", required_argument, NULL, 'S' },
- { "enddate", required_argument, NULL, 'E' },
- { "subjectAltName", required_argument, NULL, 's' },
- { "password", required_argument, NULL, 'p' },
- { "algorithm", required_argument, NULL, 'a' },
- { "url", required_argument, NULL, 'u' },
- { "method", required_argument, NULL, 'm' },
- { "interval", required_argument, NULL, 't' },
- { "maxpolltime", required_argument, NULL, 'x' },
-#ifdef DEBUG
- { "debug-all", no_argument, NULL, 'A' },
- { "debug-parsing", no_argument, NULL, 'P'},
- { "debug-raw", no_argument, NULL, 'R'},
- { "debug-control", no_argument, NULL, 'C'},
- { "debug-controlmore", no_argument, NULL, 'M'},
- { "debug-private", no_argument, NULL, 'X'},
-#endif
- { 0,0,0,0 }
- };
-
- /* parse next option */
- int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:m:t:x:APRCMS", long_opts, NULL);
-
- switch (c)
- {
- case EOF: /* end of flags */
- break;
+ /* external values */
+ extern char * optarg;
+ extern int optind;
- case 'h': /* --help */
- usage(NULL);
+ /* type of input and output files */
+ typedef enum {
+ PKCS1 = 0x01,
+ PKCS10 = 0x02,
+ PKCS7 = 0x04,
+ CERT_SELF = 0x08,
+ CERT = 0x10,
+ CACERT_ENC = 0x20,
+ CACERT_SIG = 0x40,
+ } scep_filetype_t;
- case 'v': /* --version */
- version();
+ /* filetype to read from, defaults to "generate a key" */
+ scep_filetype_t filetype_in = 0;
- case 'q': /* --quiet */
- log_to_stderr = FALSE;
- continue;
+ /* filetype to write to, no default here */
+ scep_filetype_t filetype_out = 0;
- case 'i': /* --in <type> [= <filename>] */
- {
- char *filename = strstr(optarg, "=");
+ /* input files */
+ char *file_in_pkcs1 = DEFAULT_FILENAME_PKCS1;
+ char *file_in_pkcs10 = DEFAULT_FILENAME_PKCS10;
+ char *file_in_cert_self = DEFAULT_FILENAME_CERT_SELF;
+ char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC;
+ char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG;
- if (filename)
- {
- /* replace '=' by '\0' */
- *filename = '\0';
- /* set pointer to start of filename */
- filename++;
- }
- if (strcaseeq("pkcs1", optarg))
+ /* output files */
+ char *file_out_pkcs1 = DEFAULT_FILENAME_PKCS1;
+ char *file_out_pkcs10 = DEFAULT_FILENAME_PKCS10;
+ char *file_out_pkcs7 = DEFAULT_FILENAME_PKCS7;
+ char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF;
+ char *file_out_cert = DEFAULT_FILENAME_CERT;
+ char *file_out_ca_cert = DEFAULT_FILENAME_CACERT_ENC;
+
+ /* by default user certificate is requested */
+ bool request_ca_certificate = FALSE;
+
+ /* by default existing files are not overwritten */
+ bool force = FALSE;
+
+ /* length of RSA key in bits */
+ u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH;
+
+ /* validity of self-signed certificate */
+ time_t validity = DEFAULT_CERT_VALIDITY;
+ time_t notBefore = 0;
+ time_t notAfter = 0;
+
+ /* distinguished name for requested certificate, ASCII format */
+ char *distinguishedName = NULL;
+ char default_distinguished_name[BUF_LEN];
+
+ /* challenge password */
+ char challenge_password_buffer[MAX_PASSWORD_LENGTH];
+
+ /* symmetric encryption algorithm used by pkcs7, default is DES */
+ encryption_algorithm_t pkcs7_symmetric_cipher = ENCR_DES;
+ size_t pkcs7_key_size = 0;
+
+ /* digest algorithm used by pkcs7, default is MD5 */
+ hash_algorithm_t pkcs7_digest_alg = HASH_MD5;
+
+ /* signature algorithm used by pkcs10, default is MD5 */
+ hash_algorithm_t pkcs10_signature_alg = HASH_MD5;
+
+ /* URL of the SCEP-Server */
+ char *scep_url = NULL;
+
+ /* Name of CA to fetch CA certs for */
+ char *ca_name = "CAIdentifier";
+
+ /* http request method, default is GET */
+ bool http_get_request = TRUE;
+
+ /* poll interval time in manual mode in seconds */
+ u_int poll_interval = DEFAULT_POLL_INTERVAL;
+
+ /* maximum poll time */
+ u_int max_poll_time = 0;
+
+ err_t ugh = NULL;
+
+ /* initialize library */
+ if (!library_init(NULL, "scepclient"))
+ {
+ library_deinit();
+ exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+ }
+ if (lib->integrity &&
+ !lib->integrity->check_file(lib->integrity, "scepclient", argv[0]))
+ {
+ fprintf(stderr, "integrity check of scepclient failed\n");
+ library_deinit();
+ exit(SS_RC_DAEMON_INTEGRITY);
+ }
+
+ /* initialize global variables */
+ pkcs1 = chunk_empty;
+ pkcs7 = chunk_empty;
+ serialNumber = chunk_empty;
+ transID = chunk_empty;
+ fingerprint = chunk_empty;
+ encoding = chunk_empty;
+ pkcs10_encoding = chunk_empty;
+ issuerAndSubject = chunk_empty;
+ challengePassword = chunk_empty;
+ getCertInitial = chunk_empty;
+ scep_response = chunk_empty;
+ subjectAltNames = linked_list_create();
+ options = options_create();
+
+ for (;;)
+ {
+ static const struct option long_opts[] = {
+ /* name, has_arg, flag, val */
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, 'v' },
+ { "optionsfrom", required_argument, NULL, '+' },
+ { "quiet", no_argument, NULL, 'q' },
+ { "debug", required_argument, NULL, 'l' },
+ { "in", required_argument, NULL, 'i' },
+ { "out", required_argument, NULL, 'o' },
+ { "force", no_argument, NULL, 'f' },
+ { "httptimeout", required_argument, NULL, 'T' },
+ { "bind", required_argument, NULL, 'b' },
+ { "keylength", required_argument, NULL, 'k' },
+ { "dn", required_argument, NULL, 'd' },
+ { "days", required_argument, NULL, 'D' },
+ { "startdate", required_argument, NULL, 'S' },
+ { "enddate", required_argument, NULL, 'E' },
+ { "subjectAltName", required_argument, NULL, 's' },
+ { "password", required_argument, NULL, 'p' },
+ { "algorithm", required_argument, NULL, 'a' },
+ { "url", required_argument, NULL, 'u' },
+ { "caname", required_argument, NULL, 'c'},
+ { "method", required_argument, NULL, 'm' },
+ { "interval", required_argument, NULL, 't' },
+ { "maxpolltime", required_argument, NULL, 'x' },
+ { 0,0,0,0 }
+ };
+
+ /* parse next option */
+ int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:c:m:t:x:APRCMS", long_opts, NULL);
+
+ switch (c)
{
- filetype_in |= PKCS1;
- if (filename)
- file_in_pkcs1 = filename;
+ case EOF: /* end of flags */
+ break;
+
+ case 'h': /* --help */
+ usage(NULL);
+
+ case 'v': /* --version */
+ version();
+
+ case 'q': /* --quiet */
+ log_to_stderr = FALSE;
+ continue;
+
+ case 'l': /* --debug <level> */
+ default_loglevel = atoi(optarg);
+ continue;
+
+ case 'i': /* --in <type> [= <filename>] */
+ {
+ char *filename = strstr(optarg, "=");
+
+ if (filename)
+ {
+ /* replace '=' by '\0' */
+ *filename = '\0';
+ /* set pointer to start of filename */
+ filename++;
+ }
+ if (strcaseeq("pkcs1", optarg))
+ {
+ filetype_in |= PKCS1;
+ if (filename)
+ file_in_pkcs1 = filename;
+ }
+ else if (strcaseeq("pkcs10", optarg))
+ {
+ filetype_in |= PKCS10;
+ if (filename)
+ file_in_pkcs10 = filename;
+ }
+ else if (strcaseeq("cacert-enc", optarg))
+ {
+ filetype_in |= CACERT_ENC;
+ if (filename)
+ file_in_cacert_enc = filename;
+ }
+ else if (strcaseeq("cacert-sig", optarg))
+ {
+ filetype_in |= CACERT_SIG;
+ if (filename)
+ file_in_cacert_sig = filename;
+ }
+ else if (strcaseeq("cert-self", optarg))
+ {
+ filetype_in |= CERT_SELF;
+ if (filename)
+ file_in_cert_self = filename;
+ }
+ else
+ {
+ usage("invalid --in file type");
+ }
+ continue;
+ }
+
+ case 'o': /* --out <type> [= <filename>] */
+ {
+ char *filename = strstr(optarg, "=");
+
+ if (filename)
+ {
+ /* replace '=' by '\0' */
+ *filename = '\0';
+ /* set pointer to start of filename */
+ filename++;
+ }
+ if (strcaseeq("pkcs1", optarg))
+ {
+ filetype_out |= PKCS1;
+ if (filename)
+ file_out_pkcs1 = filename;
+ }
+ else if (strcaseeq("pkcs10", optarg))
+ {
+ filetype_out |= PKCS10;
+ if (filename)
+ file_out_pkcs10 = filename;
+ }
+ else if (strcaseeq("pkcs7", optarg))
+ {
+ filetype_out |= PKCS7;
+ if (filename)
+ file_out_pkcs7 = filename;
+ }
+ else if (strcaseeq("cert-self", optarg))
+ {
+ filetype_out |= CERT_SELF;
+ if (filename)
+ file_out_cert_self = filename;
+ }
+ else if (strcaseeq("cert", optarg))
+ {
+ filetype_out |= CERT;
+ if (filename)
+ file_out_cert = filename;
+ }
+ else if (strcaseeq("cacert", optarg))
+ {
+ request_ca_certificate = TRUE;
+ if (filename)
+ file_out_ca_cert = filename;
+ }
+ else
+ {
+ usage("invalid --out file type");
+ }
+ continue;
+ }
+
+ case 'f': /* --force */
+ force = TRUE;
+ continue;
+
+ case 'T': /* --httptimeout */
+ http_timeout = atoi(optarg);
+ if (http_timeout <= 0)
+ {
+ usage("invalid httptimeout specified");
+ }
+ continue;
+
+ case 'b': /* --bind */
+ http_bind = optarg;
+ continue;
+
+ case '+': /* --optionsfrom <filename> */
+ if (!options->from(options, optarg, &argc, &argv, optind))
+ {
+ exit_scepclient("optionsfrom failed");
+ }
+ continue;
+
+ case 'k': /* --keylength <length> */
+ {
+ div_t q;
+
+ rsa_keylength = atoi(optarg);
+ if (rsa_keylength == 0)
+ usage("invalid keylength");
+
+ /* check if key length is a multiple of 8 bits */
+ q = div(rsa_keylength, 2*BITS_PER_BYTE);
+ if (q.rem != 0)
+ {
+ exit_scepclient("keylength is not a multiple of %d bits!"
+ , 2*BITS_PER_BYTE);
+ }
+ continue;
+ }
+
+ case 'D': /* --days */
+ if (optarg == NULL || !isdigit(optarg[0]))
+ {
+ usage("missing number of days");
+ }
+ else
+ {
+ char *endptr;
+ long days = strtol(optarg, &endptr, 0);
+
+ if (*endptr != '\0' || endptr == optarg
+ || days <= 0)
+ usage("<days> must be a positive number");
+ validity = 24*3600*days;
+ }
+ continue;
+
+ case 'S': /* --startdate */
+ if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
+ {
+ usage("date format must be YYMMDDHHMMSSZ");
+ }
+ else
+ {
+ chunk_t date = { optarg, 13 };
+ notBefore = asn1_to_time(&date, ASN1_UTCTIME);
+ }
+ continue;
+
+ case 'E': /* --enddate */
+ if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
+ {
+ usage("date format must be YYMMDDHHMMSSZ");
+ }
+ else
+ {
+ chunk_t date = { optarg, 13 };
+ notAfter = asn1_to_time(&date, ASN1_UTCTIME);
+ }
+ continue;
+
+ case 'd': /* --dn */
+ if (distinguishedName)
+ {
+ usage("only one distinguished name allowed");
+ }
+ distinguishedName = optarg;
+ continue;
+
+ case 's': /* --subjectAltName */
+ {
+ char *value = strstr(optarg, "=");
+
+ if (value)
+ {
+ /* replace '=' by '\0' */
+ *value = '\0';
+ /* set pointer to start of value */
+ value++;
+ }
+
+ if (strcaseeq("email", optarg) ||
+ strcaseeq("dns", optarg) ||
+ strcaseeq("ip", optarg))
+ {
+ subjectAltNames->insert_last(subjectAltNames,
+ identification_create_from_string(value));
+ continue;
+ }
+ else
+ {
+ usage("invalid --subjectAltName type");
+ continue;
+ }
+ }
+
+ case 'p': /* --password */
+ if (challengePassword.len > 0)
+ {
+ usage("only one challenge password allowed");
+ }
+ if (strcaseeq("%prompt", optarg))
+ {
+ printf("Challenge password: ");
+ if (fgets(challenge_password_buffer,
+ sizeof(challenge_password_buffer) - 1, stdin))
+ {
+ challengePassword.ptr = challenge_password_buffer;
+ /* discard the terminating '\n' from the input */
+ challengePassword.len = strlen(challenge_password_buffer) - 1;
+ }
+ else
+ {
+ usage("challenge password could not be read");
+ }
+ }
+ else
+ {
+ challengePassword.ptr = optarg;
+ challengePassword.len = strlen(optarg);
+ }
+ continue;
+
+ case 'u': /* -- url */
+ if (scep_url)
+ {
+ usage("only one URL argument allowed");
+ }
+ scep_url = optarg;
+ continue;
+
+ case 'c': /* -- caname */
+ ca_name = optarg;
+ continue;
+
+ case 'm': /* --method */
+ if (strcaseeq("get", optarg))
+ {
+ http_get_request = TRUE;
+ }
+ else if (strcaseeq("post", optarg))
+ {
+ http_get_request = FALSE;
+ }
+ else
+ {
+ usage("invalid http request method specified");
+ }
+ continue;
+
+ case 't': /* --interval */
+ poll_interval = atoi(optarg);
+ if (poll_interval <= 0)
+ {
+ usage("invalid interval specified");
+ }
+ continue;
+
+ case 'x': /* --maxpolltime */
+ max_poll_time = atoi(optarg);
+ continue;
+
+ case 'a': /*--algorithm [<type>=]algo */
+ {
+ const proposal_token_t *token;
+ char *type = optarg;
+ char *algo = strstr(optarg, "=");
+
+ if (algo)
+ {
+ *algo = '\0';
+ algo++;
+ }
+ else
+ {
+ type = "enc";
+ algo = optarg;
+ }
+
+ if (strcaseeq("enc", type))
+ {
+ token = lib->proposal->get_token(lib->proposal, algo);
+ if (token == NULL || token->type != ENCRYPTION_ALGORITHM)
+ {
+ usage("invalid algorithm specified");
+ }
+ pkcs7_symmetric_cipher = token->algorithm;
+ pkcs7_key_size = token->keysize;
+ if (encryption_algorithm_to_oid(token->algorithm,
+ token->keysize) == OID_UNKNOWN)
+ {
+ usage("unsupported encryption algorithm specified");
+ }
+ }
+ else if (strcaseeq("dgst", type) ||
+ strcaseeq("sig", type))
+ {
+ hash_algorithm_t hash;
+
+ token = lib->proposal->get_token(lib->proposal, algo);
+ if (token == NULL || token->type != INTEGRITY_ALGORITHM)
+ {
+ usage("invalid algorithm specified");
+ }
+ hash = hasher_algorithm_from_integrity(token->algorithm,
+ NULL);
+ if (hash == (hash_algorithm_t)OID_UNKNOWN)
+ {
+ usage("invalid algorithm specified");
+ }
+ if (strcaseeq("dgst", type))
+ {
+ pkcs7_digest_alg = hash;
+ }
+ else
+ {
+ pkcs10_signature_alg = hash;
+ }
+ }
+ else
+ {
+ usage("invalid --algorithm type");
+ }
+ continue;
+ }
+ default:
+ usage("unknown option");
}
- else if (strcaseeq("cacert-enc", optarg))
+ /* break from loop */
+ break;
+ }
+
+ init_log("scepclient");
+
+ /* load plugins, further infrastructure may need it */
+ if (!lib->plugins->load(lib->plugins,
+ lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS)))
+ {
+ exit_scepclient("plugin loading failed");
+ }
+ lib->plugins->status(lib->plugins, LEVEL_DIAG);
+
+ if ((filetype_out == 0) && (!request_ca_certificate))
+ {
+ usage("--out filetype required");
+ }
+ if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0))
+ {
+ usage("in CA certificate request, no other --in or --out option allowed");
+ }
+
+ /* check if url is given, if cert output defined */
+ if (((filetype_out & CERT) || request_ca_certificate) && !scep_url)
+ {
+ usage("URL of SCEP server required");
+ }
+
+ /* check for sanity of --in/--out */
+ if (!filetype_in && (filetype_in > filetype_out))
+ {
+ usage("cannot generate --out of given --in!");
+ }
+
+ /* get CA cert */
+ if (request_ca_certificate)
+ {
+ char ca_path[PATH_MAX];
+ container_t *container;
+ pkcs7_t *pkcs7;
+
+ if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)),
+ SCEP_GET_CA_CERT, http_get_request,
+ http_timeout, http_bind, &scep_response))
{
- filetype_in |= CACERT_ENC;
- if (filename)
- file_in_cacert_enc = filename;
+ exit_scepclient("did not receive a valid scep response");
}
- else if (strcaseeq("cacert-sig", optarg))
- {
- filetype_in |= CACERT_SIG;
- if (filename)
- file_in_cacert_sig = filename;
+
+ join_paths(ca_path, sizeof(ca_path), CA_CERT_PATH, file_out_ca_cert);
+
+ pkcs7 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+ BUILD_BLOB_ASN1_DER, scep_response, BUILD_END);
+
+ if (!pkcs7)
+ { /* no PKCS#7 encoded CA+RA certificates, assume simple CA cert */
+
+ DBG1(DBG_APP, "unable to parse PKCS#7, assuming plain CA cert");
+ if (!chunk_write(scep_response, ca_path, 0022, force))
+ {
+ exit_scepclient("could not write ca cert file '%s': %s",
+ ca_path, strerror(errno));
+ }
}
else
{
- usage("invalid --in file type");
+ enumerator_t *enumerator;
+ certificate_t *cert;
+ int ra_certs = 0, ca_certs = 0;
+ int ra_index = 1, ca_index = 1;
+
+ enumerator = pkcs7->create_cert_enumerator(pkcs7);
+ while (enumerator->enumerate(enumerator, &cert))
+ {
+ x509_t *x509 = (x509_t*)cert;
+ if (x509->get_flags(x509) & X509_CA)
+ {
+ ca_certs++;
+ }
+ else
+ {
+ ra_certs++;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = pkcs7->create_cert_enumerator(pkcs7);
+ while (enumerator->enumerate(enumerator, &cert))
+ {
+ x509_t *x509 = (x509_t*)cert;
+ bool ca_cert = x509->get_flags(x509) & X509_CA;
+ char cert_path[PATH_MAX], *path = ca_path;
+
+ if (ca_cert && ca_certs > 1)
+ {
+ add_path_suffix(cert_path, sizeof(cert_path), ca_path,
+ "-%.1d", ca_index++);
+ path = cert_path;
+ }
+ else if (!ca_cert)
+ { /* use CA name as base for RA certs */
+ if (ra_certs > 1)
+ {
+ add_path_suffix(cert_path, sizeof(cert_path), ca_path,
+ "-ra-%.1d", ra_index++);
+ }
+ else
+ {
+ add_path_suffix(cert_path, sizeof(cert_path), ca_path,
+ "-ra");
+ }
+ path = cert_path;
+ }
+
+ if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
+ !chunk_write(encoding, path, 0022, force))
+ {
+ exit_scepclient("could not write cert file '%s': %s",
+ path, strerror(errno));
+ }
+ chunk_free(&encoding);
+ }
+ enumerator->destroy(enumerator);
+ container = &pkcs7->container;
+ container->destroy(container);
}
- continue;
- }
+ exit_scepclient(NULL); /* no further output required */
+ }
- case 'o': /* --out <type> [= <filename>] */
- {
- char *filename = strstr(optarg, "=");
+ creds = mem_cred_create();
+ lib->credmgr->add_set(lib->credmgr, &creds->set);
- if (filename)
- {
- /* replace '=' by '\0' */
- *filename = '\0';
- /* set pointer to start of filename */
- filename++;
- }
- if (strcaseeq("pkcs1", optarg))
- {
- filetype_out |= PKCS1;
- if (filename)
- file_out_pkcs1 = filename;
- }
- else if (strcaseeq("pkcs10", optarg))
- {
- filetype_out |= PKCS10;
- if (filename)
- file_out_pkcs10 = filename;
- }
- else if (strcaseeq("pkcs7", optarg))
- {
- filetype_out |= PKCS7;
- if (filename)
- file_out_pkcs7 = filename;
- }
- else if (strcaseeq("cert-self", optarg))
- {
- filetype_out |= CERT_SELF;
- if (filename)
- file_out_cert_self = filename;
- }
- else if (strcaseeq("cert", optarg))
+ /*
+ * input of PKCS#1 file
+ */
+ if (filetype_in & PKCS1) /* load an RSA key pair from file */
+ {
+ char path[PATH_MAX];
+
+ join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_in_pkcs1);
+
+ private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+ BUILD_FROM_FILE, path, BUILD_END);
+ }
+ else /* generate an RSA key pair */
+ {
+ private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+ BUILD_KEY_SIZE, rsa_keylength,
+ BUILD_END);
+ }
+ if (private_key == NULL)
+ {
+ exit_scepclient("no RSA private key available");
+ }
+ creds->add_key(creds, private_key->get_ref(private_key));
+ public_key = private_key->get_public_key(private_key);
+
+ /* check for minimum key length */
+ if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS / BITS_PER_BYTE)
+ {
+ exit_scepclient("length of RSA key has to be at least %d bits",
+ RSA_MIN_OCTETS * BITS_PER_BYTE);
+ }
+
+ /*
+ * input of PKCS#10 file
+ */
+ if (filetype_in & PKCS10)
+ {
+ char path[PATH_MAX];
+
+ join_paths(path, sizeof(path), REQ_PATH, file_in_pkcs10);
+
+ pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+ CERT_PKCS10_REQUEST, BUILD_FROM_FILE,
+ path, BUILD_END);
+ if (!pkcs10_req)
{
- filetype_out |= CERT;
- if (filename)
- file_out_cert = filename;
+ exit_scepclient("could not read certificate request '%s'", path);
}
- else if (strcaseeq("cacert", optarg))
+ subject = pkcs10_req->get_subject(pkcs10_req);
+ subject = subject->clone(subject);
+ }
+ else
+ {
+ if (distinguishedName == NULL)
{
- request_ca_certificate = TRUE;
- if (filename)
- file_out_prefix_cacert = filename;
+ int n = sprintf(default_distinguished_name, DEFAULT_DN);
+
+ /* set the common name to the hostname */
+ if (gethostname(default_distinguished_name + n, BUF_LEN - n) ||
+ strlen(default_distinguished_name) == n)
+ {
+ exit_scepclient("no hostname defined, use "
+ "--dn <distinguished name> option");
+ }
+ distinguishedName = default_distinguished_name;
}
- else
+
+ DBG2(DBG_APP, "dn: '%s'", distinguishedName);
+ subject = identification_create_from_string(distinguishedName);
+ if (subject->get_type(subject) != ID_DER_ASN1_DN)
{
- usage("invalid --out file type");
+ exit_scepclient("parsing of distinguished name failed");
}
- continue;
- }
-
- case 'f': /* --force */
- force = TRUE;
- continue;
-
- case '+': /* --optionsfrom <filename> */
- optionsfrom(optarg, &argc, &argv, optind, stderr);
- /* does not return on error */
- continue;
-
- case 'k': /* --keylength <length> */
- {
- div_t q;
-
- rsa_keylength = atoi(optarg);
- if (rsa_keylength == 0)
- usage("invalid keylength");
-
- /* check if key length is a multiple of 8 bits */
- q = div(rsa_keylength, 2*BITS_PER_BYTE);
- if (q.rem != 0)
+
+ DBG2(DBG_APP, "building pkcs10 object:");
+ pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+ CERT_PKCS10_REQUEST,
+ BUILD_SIGNING_KEY, private_key,
+ BUILD_SUBJECT, subject,
+ BUILD_SUBJECT_ALTNAMES, subjectAltNames,
+ BUILD_CHALLENGE_PWD, challengePassword,
+ BUILD_DIGEST_ALG, pkcs10_signature_alg,
+ BUILD_END);
+ if (!pkcs10_req)
{
- exit_scepclient("keylength is not a multiple of %d bits!"
- , 2*BITS_PER_BYTE);
+ exit_scepclient("generating pkcs10 request failed");
}
- continue;
- }
-
- case 'D': /* --days */
- if (optarg == NULL || !isdigit(optarg[0]))
- usage("missing number of days");
- {
- char *endptr;
- long days = strtol(optarg, &endptr, 0);
-
- if (*endptr != '\0' || endptr == optarg
- || days <= 0)
- usage("<days> must be a positive number");
- validity = 24*3600*days;
- }
- continue;
-
- case 'S': /* --startdate */
- if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
- usage("date format must be YYMMDDHHMMSSZ");
- {
- chunk_t date = { optarg, 13 };
- notBefore = asn1totime(&date, ASN1_UTCTIME);
- }
- continue;
-
- case 'E': /* --enddate */
- if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
- usage("date format must be YYMMDDHHMMSSZ");
- {
- chunk_t date = { optarg, 13 };
- notAfter = asn1totime(&date, ASN1_UTCTIME);
- }
- continue;
-
- case 'd': /* --dn */
- if (distinguishedName)
- usage("only one distinguished name allowed");
- distinguishedName = optarg;
- continue;
-
- case 's': /* --subjectAltName */
- {
- generalNames_t kind;
- char *value = strstr(optarg, "=");
-
- if (value)
+ }
+ pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding);
+ fingerprint = scep_generate_pkcs10_fingerprint(pkcs10_encoding);
+ DBG1(DBG_APP, " fingerprint: %s", fingerprint.ptr);
+
+ /*
+ * output of PKCS#10 file
+ */
+ if (filetype_out & PKCS10)
+ {
+ char path[PATH_MAX];
+
+ join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs10);
+
+ if (!chunk_write(pkcs10_encoding, path, 0022, force))
{
- /* replace '=' by '\0' */
- *value = '\0';
- /* set pointer to start of value */
- value++;
+ exit_scepclient("could not write pkcs10 file '%s': %s",
+ path, strerror(errno));
}
+ filetype_out &= ~PKCS10; /* delete PKCS10 flag */
+ }
- if (strcaseeq("email", optarg))
- {
- kind = GN_RFC822_NAME;
- }
- else if (strcaseeq("dns", optarg))
+ if (!filetype_out)
+ {
+ exit_scepclient(NULL); /* no further output required */
+ }
+
+ /*
+ * output of PKCS#1 file
+ */
+ if (filetype_out & PKCS1)
+ {
+ char path[PATH_MAX];
+
+ join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_out_pkcs1);
+
+ DBG2(DBG_APP, "building pkcs1 object:");
+ if (!private_key->get_encoding(private_key, PRIVKEY_ASN1_DER, &pkcs1) ||
+ !chunk_write(pkcs1, path, 0066, force))
{
- kind = GN_DNS_NAME;
+ exit_scepclient("could not write pkcs1 file '%s': %s",
+ path, strerror(errno));
}
- else if (strcaseeq("ip", optarg))
+ filetype_out &= ~PKCS1; /* delete PKCS1 flag */
+ }
+
+ if (!filetype_out)
+ {
+ exit_scepclient(NULL); /* no further output required */
+ }
+
+ scep_generate_transaction_id(public_key, &transID, &serialNumber);
+ DBG1(DBG_APP, " transaction ID: %.*s", (int)transID.len, transID.ptr);
+
+ /*
+ * read or generate self-signed X.509 certificate
+ */
+ if (filetype_in & CERT_SELF)
+ {
+ char path[PATH_MAX];
+
+ join_paths(path, sizeof(path), HOST_CERT_PATH, file_in_cert_self);
+
+ x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, path, BUILD_END);
+ if (!x509_signer)
{
- kind = GN_IP_ADDRESS;
+ exit_scepclient("could not read certificate file '%s'", path);
}
- else
+ }
+ else
+ {
+ notBefore = notBefore ? notBefore : time(NULL);
+ notAfter = notAfter ? notAfter : (notBefore + validity);
+ x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_SIGNING_KEY, private_key,
+ BUILD_PUBLIC_KEY, public_key,
+ BUILD_SUBJECT, subject,
+ BUILD_NOT_BEFORE_TIME, notBefore,
+ BUILD_NOT_AFTER_TIME, notAfter,
+ BUILD_SERIAL, serialNumber,
+ BUILD_SUBJECT_ALTNAMES, subjectAltNames,
+ BUILD_END);
+ if (!x509_signer)
{
- usage("invalid --subjectAltName type");
- continue;
+ exit_scepclient("generating certificate failed");
}
- pkcs10_add_subjectAltName(&subjectAltNames, kind, value);
- continue;
- }
-
- case 'p': /* --password */
- if (challengePassword.len > 0)
- {
- usage("only one challenge password allowed");
- }
- if (strcaseeq("%prompt", optarg))
- {
- printf("Challenge password: ");
- if (fgets(challenge_password_buffer, sizeof(challenge_password_buffer)-1, stdin))
+ }
+ creds->add_cert(creds, TRUE, x509_signer->get_ref(x509_signer));
+
+ /*
+ * output of self-signed X.509 certificate file
+ */
+ if (filetype_out & CERT_SELF)
+ {
+ char path[PATH_MAX];
+
+ join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert_self);
+
+ if (!x509_signer->get_encoding(x509_signer, CERT_ASN1_DER, &encoding))
{
- challengePassword.ptr = challenge_password_buffer;
- /* discard the terminating '\n' from the input */
- challengePassword.len = strlen(challenge_password_buffer) - 1;
+ exit_scepclient("encoding certificate failed");
}
- else
+ if (!chunk_write(encoding, path, 0022, force))
{
- usage("challenge password could not be read");
+ exit_scepclient("could not write self-signed cert file '%s': %s",
+ path, strerror(errno));
}
- }
- else
- {
- challengePassword.ptr = optarg;
- challengePassword.len = strlen(optarg);
- }
- continue;
-
- case 'u': /* -- url */
- if (scep_url)
- {
- usage("only one URL argument allowed");
- }
- scep_url = optarg;
- continue;
-
- case 'm': /* --method */
- if (strcaseeq("post", optarg))
- {
- request_type = FETCH_POST;
- }
- else if (strcaseeq("get", optarg))
- {
- request_type = FETCH_GET;
- }
- else
- {
- usage("invalid http request method specified");
- }
- continue;
-
- case 't': /* --interval */
- poll_interval = atoi(optarg);
- if (poll_interval <= 0)
- {
- usage("invalid interval specified");
- }
- continue;
-
- case 'x': /* --maxpolltime */
- max_poll_time = atoi(optarg);
- if (max_poll_time < 0)
- {
- usage("invalid maxpolltime specified");
- }
- continue;
-
- case 'a': /*--algorithm */
- if (strcaseeq("des-cbc", optarg))
- {
- pkcs7_symmetric_cipher = OID_DES_CBC;
- }
- else if (strcaseeq("3des-cbc", optarg))
- {
- pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
- }
- else
- {
- usage("invalid encryption algorithm specified");
- }
- continue;
-#ifdef DEBUG
- case 'A': /* --debug-all */
- base_debugging |= DBG_ALL;
- continue;
- case 'P': /* debug parsing */
- base_debugging |= DBG_PARSING;
- continue;
- case 'R': /* debug raw */
- base_debugging |= DBG_RAW;
- continue;
- case 'C': /* debug control */
- base_debugging |= DBG_CONTROL;
- continue;
- case 'M': /* debug control more */
- base_debugging |= DBG_CONTROLMORE;
- continue;
- case 'X': /* debug private */
- base_debugging |= DBG_PRIVATE;
- continue;
-#endif
- default:
- usage("unknown option");
- }
- /* break from loop */
- break;
- }
-
- /* enable scepclient bugging hook */
- dbg = scepclient_dbg;
-
- init_log("scepclient");
- cur_debugging = base_debugging;
- init_rnd_pool();
- init_fetch();
-
- if ((filetype_out == 0) && (!request_ca_certificate))
- {
- usage ("--out filetype required");
- }
- if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0))
- {
- usage("in CA certificate request, no other --in or --out option allowed");
- }
-
- /* check if url is given, if cert output defined */
- if (((filetype_out & CERT) || request_ca_certificate) && !scep_url)
- {
- usage("URL of SCEP server required");
- }
-
- /* check for sanity of --in/--out */
- if (!filetype_in && (filetype_in > filetype_out))
- {
- usage("cannot generate --out of given --in!");
- }
-
- /*
- * input of PKCS#1 file
- */
- private_key = malloc_thing(RSA_private_key_t);
-
- if (filetype_in & PKCS1) /* load an RSA key pair from file */
- {
- prompt_pass_t pass = { "", FALSE, STDIN_FILENO };
- const char *path = concatenate_paths(PRIVATE_KEY_PATH, file_in_pkcs1);
-
- ugh = load_rsa_private_key(path, &pass, private_key);
- }
- else /* generate an RSA key pair */
- {
- ugh = generate_rsa_private_key(rsa_keylength, private_key);
- }
- if (ugh != NULL)
- exit_scepclient(ugh);
-
- /* check for minimum key length */
- if ((private_key->pub.k) < RSA_MIN_OCTETS)
- {
- exit_scepclient("length of RSA key has to be at least %d bits"
- ,RSA_MIN_OCTETS * BITS_PER_BYTE);
- }
-
- /*
- * input of PKCS#10 file
- */
- if (filetype_in & PKCS10)
- {
- /* user wants to load a pkcs10 request
- * operation is not yet supported
- * would require a PKCS#10 parsing function
-
- pkcs10 = pkcs10_read_from_file(file_in_pkcs10);
-
- */
- }
- else
- {
- char buf[IDTOA_BUF];
- chunk_t dn = chunk_empty;
-
- dn.ptr = buf;
-
- if (distinguishedName == NULL)
- {
- char buf[BUF_LEN];
- int n = sprintf(buf, DEFAULT_DN);
-
- /* set the common name to the hostname */
- if (gethostname(buf + n, BUF_LEN - n) || strlen(buf) == n)
- {
- exit_scepclient("no hostname defined, use "
- "--dn <distinguished name> option");
- }
- distinguishedName = buf;
+ chunk_free(&encoding);
+ filetype_out &= ~CERT_SELF; /* delete CERT_SELF flag */
}
- DBG(DBG_CONTROL,
- DBG_log("dn: '%s'", distinguishedName);
- )
- ugh = atodn(distinguishedName, &dn);
- if (ugh != NULL)
+ if (!filetype_out)
{
- exit_scepclient(ugh);
+ exit_scepclient(NULL); /* no further output required */
}
- subject = chunk_clone(dn);
-
- DBG(DBG_CONTROL,
- DBG_log("building pkcs10 object:")
- )
- pkcs10 = pkcs10_build(private_key, subject, challengePassword
- , subjectAltNames, pkcs10_signature_alg);
- scep_generate_pkcs10_fingerprint(pkcs10->request, &fingerprint);
- plog(" fingerprint: %.*s", (int)fingerprint.len, fingerprint.ptr);
- }
-
- /*
- * output of PKCS#10 file
- */
- if (filetype_out & PKCS10)
- {
- const char *path = concatenate_paths(REQ_PATH, file_out_pkcs10);
-
- if (!write_chunk(path, "pkcs10", pkcs10->request, 0022, force))
- exit_scepclient("could not write pkcs10 file '%s'", path);
-
- filetype_out &= ~PKCS10; /* delete PKCS10 flag */
- }
-
- if (!filetype_out)
- {
- exit_scepclient(NULL); /* no further output required */
- }
-
- /*
- * output of PKCS#1 file
- */
- if (filetype_out & PKCS1)
- {
- const char *path = concatenate_paths(PRIVATE_KEY_PATH, file_out_pkcs1);
-
- DBG(DBG_CONTROL,
- DBG_log("building pkcs1 object:")
- )
- pkcs1 = pkcs1_build_private_key(private_key);
-
- if (!write_chunk(path, "pkcs1", pkcs1, 0066, force))
- exit_scepclient("could not write pkcs1 file '%s'", path);
-
- filetype_out &= ~PKCS1; /* delete PKCS1 flag */
- }
-
- if (!filetype_out)
- {
- exit_scepclient(NULL); /* no further output required */
- }
-
- scep_generate_transaction_id((const RSA_public_key_t *)private_key
- , &transID, &serialNumber);
- plog(" transaction ID: %.*s", (int)transID.len, transID.ptr);
-
- /* generate a self-signed X.509 certificate */
- x509_signer = malloc_thing(x509cert_t);
- *x509_signer = empty_x509cert;
- x509_signer->serialNumber = serialNumber;
- x509_signer->sigAlg = OID_SHA1_WITH_RSA;
- x509_signer->issuer = subject;
- x509_signer->notBefore = (notBefore)? notBefore
- : time(NULL);
- x509_signer->notAfter = (notAfter)? notAfter
- : x509_signer->notBefore + validity;
- x509_signer->subject = subject;
- x509_signer->subjectAltName = subjectAltNames;
-
- build_x509cert(x509_signer, (const RSA_public_key_t *)private_key
- , private_key);
-
- /*
- * output of self-signed X.509 certificate file
- */
- if (filetype_out & CERT_SELF)
- {
- const char *path = concatenate_paths(HOST_CERT_PATH, file_out_cert_self);
-
- if (!write_chunk(path, "self-signed cert", x509_signer->certificate, 0022, force))
- exit_scepclient("could not write self-signed cert file '%s'", path);
-;
- filetype_out &= ~CERT_SELF; /* delete CERT_SELF flag */
- }
-
- if (!filetype_out)
- {
- exit_scepclient(NULL); /* no further output required */
- }
-
- /*
- * load ca encryption certificate
- */
- {
- const char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_enc);
- cert_t cert;
-
- if (!load_cert(path, "encryption cacert", &cert))
+ /*
+ * load ca encryption certificate
+ */
{
- exit_scepclient("could not load encryption cacert file '%s'", path);
- }
- x509_ca_enc = cert.u.x509;
- }
+ char path[PATH_MAX];
- /*
- * input of PKCS#7 file
- */
- if (filetype_in & PKCS7)
- {
- /* user wants to load a pkcs7 encrypted request
- * operation is not yet supported!
- * would require additional parsing of transaction-id
+ join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_enc);
- pkcs7 = pkcs7_read_from_file(file_in_pkcs7);
+ x509_ca_enc = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, path, BUILD_END);
+ if (!x509_ca_enc)
+ {
+ exit_scepclient("could not load encryption cacert file '%s'", path);
+ }
+ }
+ /*
+ * input of PKCS#7 file
*/
- }
- else
- {
- DBG(DBG_CONTROL,
- DBG_log("building pkcs7 request")
- )
- pkcs7 = scep_build_request(pkcs10->request
- , transID, SCEP_PKCSReq_MSG
- , x509_ca_enc, pkcs7_symmetric_cipher
- , x509_signer, pkcs7_digest_alg, private_key);
- }
-
- /*
- * output pkcs7 encrypted and signed certificate request
- */
- if (filetype_out & PKCS7)
- {
- const char *path = concatenate_paths(REQ_PATH, file_out_pkcs7);
-
- if (!write_chunk(path, "pkcs7 encrypted request", pkcs7, 0022, force))
- exit_scepclient("could not write pkcs7 file '%s'", path);
-;
- filetype_out &= ~PKCS7; /* delete PKCS7 flag */
- }
-
- if (!filetype_out)
- {
- exit_scepclient(NULL); /* no further output required */
- }
-
- /*
- * output certificate fetch from SCEP server
- */
- if (filetype_out & CERT)
- {
- const char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_sig);
- cert_t cert;
- time_t poll_start;
-
- x509cert_t *certs = NULL;
- chunk_t envelopedData = chunk_empty;
- chunk_t certData = chunk_empty;
- contentInfo_t data = empty_contentInfo;
- scep_attributes_t attrs = empty_scep_attributes;
-
- if (!load_cert(path, "signature cacert", &cert))
- exit_scepclient("could not load signature cacert file '%s'", path);
- x509_ca_sig = cert.u.x509;
-
- if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION
- , request_type, &scep_response))
+ if (filetype_in & PKCS7)
{
- exit_scepclient("did not receive a valid scep response");
+ /* user wants to load a pkcs7 encrypted request
+ * operation is not yet supported!
+ * would require additional parsing of transaction-id
+
+ pkcs7 = pkcs7_read_from_file(file_in_pkcs7);
+
+ */
}
- ugh = scep_parse_response(scep_response, transID, &data, &attrs
- , x509_ca_sig);
- if (ugh != NULL)
+ else
{
- exit_scepclient(ugh);
+ DBG2(DBG_APP, "building pkcs7 request");
+ pkcs7 = scep_build_request(pkcs10_encoding,
+ transID, SCEP_PKCSReq_MSG, x509_ca_enc,
+ pkcs7_symmetric_cipher, pkcs7_key_size,
+ x509_signer, pkcs7_digest_alg, private_key);
+ if (!pkcs7.ptr)
+ {
+ exit_scepclient("failed to build pkcs7 request");
+ }
}
- /* in case of manual mode, we are going into a polling loop */
- if (attrs.pkiStatus == SCEP_PENDING)
+ /*
+ * output pkcs7 encrypted and signed certificate request
+ */
+ if (filetype_out & PKCS7)
{
- plog(" scep request pending, polling every %d seconds"
- , poll_interval);
- time(&poll_start);
- issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc"
- , x509_ca_sig->subject
- , subject);
+ char path[PATH_MAX];
+
+ join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs7);
+
+ if (!chunk_write(pkcs7, path, 0022, force))
+ {
+ exit_scepclient("could not write pkcs7 file '%s': %s",
+ path, strerror(errno));
+ }
+ filetype_out &= ~PKCS7; /* delete PKCS7 flag */
}
- while (attrs.pkiStatus == SCEP_PENDING)
+
+ if (!filetype_out)
{
- if (max_poll_time > 0
- && (time(NULL) - poll_start >= max_poll_time))
- {
- exit_scepclient("maximum poll time reached: %d seconds"
- , max_poll_time);
- }
- DBG(DBG_CONTROL,
- DBG_log("going to sleep for %d seconds", poll_interval)
- )
- sleep(poll_interval);
- free(scep_response.ptr);
-
- DBG(DBG_CONTROL,
- DBG_log("fingerprint: %.*s", (int)fingerprint.len, fingerprint.ptr);
- DBG_log("transaction ID: %.*s", (int)transID.len, transID.ptr)
- )
-
- chunk_free(&getCertInitial);
- getCertInitial = scep_build_request(issuerAndSubject
- , transID, SCEP_GetCertInitial_MSG
- , x509_ca_enc, pkcs7_symmetric_cipher
- , x509_signer, pkcs7_digest_alg, private_key);
-
- if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION
- , request_type, &scep_response))
- {
- exit_scepclient("did not receive a valid scep response");
- }
- ugh = scep_parse_response(scep_response, transID, &data, &attrs
- , x509_ca_sig);
- if (ugh != NULL)
- {
- exit_scepclient(ugh);
- }
+ exit_scepclient(NULL); /* no further output required */
}
- if (attrs.pkiStatus != SCEP_SUCCESS)
+ /*
+ * output certificate fetch from SCEP server
+ */
+ if (filetype_out & CERT)
{
- exit_scepclient("reply status is not 'SUCCESS'");
- }
+ bool stored = FALSE;
+ certificate_t *cert;
+ enumerator_t *enumerator;
+ char path[PATH_MAX];
+ time_t poll_start = 0;
+ pkcs7_t *p7;
+ container_t *container = NULL;
+ chunk_t chunk;
+ scep_attributes_t attrs = empty_scep_attributes;
+
+ join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_sig);
+
+ x509_ca_sig = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, path, BUILD_END);
+ if (!x509_ca_sig)
+ {
+ exit_scepclient("could not load signature cacert file '%s'", path);
+ }
- envelopedData = data.content;
+ creds->add_cert(creds, TRUE, x509_ca_sig->get_ref(x509_ca_sig));
- if (data.type != OID_PKCS7_DATA
- || !parse_asn1_simple_object(&envelopedData, ASN1_OCTET_STRING, 0, "data"))
- {
- exit_scepclient("contentInfo is not of type 'data'");
- }
- if (!pkcs7_parse_envelopedData(envelopedData, &certData
- , serialNumber, private_key))
- {
- exit_scepclient("could not decrypt envelopedData");
- }
- if (!pkcs7_parse_signedData(certData, NULL, &certs, NULL, NULL))
- {
- exit_scepclient("error parsing the scep response");
- }
- chunk_free(&certData);
-
- /* store the end entity certificate */
- path = concatenate_paths(HOST_CERT_PATH, file_out_cert);
- while (certs != NULL)
- {
- bool stored = FALSE;
- x509cert_t *cert = certs;
-
- if (!cert->isCA)
- {
- if (stored)
- exit_scepclient("multiple certs received, only first stored");
- if (!write_chunk(path, "requested cert", cert->certificate, 0022, force))
- exit_scepclient("could not write cert file '%s'", path);
- stored = TRUE;
- }
- certs = certs->next;
- free_x509cert(cert);
- }
- filetype_out &= ~CERT; /* delete CERT flag */
- }
+ if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
+ http_get_request, http_timeout, http_bind, &scep_response))
+ {
+ exit_scepclient("did not receive a valid scep response");
+ }
+ ugh = scep_parse_response(scep_response, transID, &container, &attrs);
+ if (ugh != NULL)
+ {
+ exit_scepclient(ugh);
+ }
- exit_scepclient(NULL);
- return -1; /* should never be reached */
-}
+ /* in case of manual mode, we are going into a polling loop */
+ if (attrs.pkiStatus == SCEP_PENDING)
+ {
+ identification_t *issuer = x509_ca_sig->get_subject(x509_ca_sig);
+
+ DBG1(DBG_APP, " scep request pending, polling every %d seconds",
+ poll_interval);
+ poll_start = time_monotonic(NULL);
+ issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc",
+ issuer->get_encoding(issuer),
+ subject->get_encoding(subject));
+ }
+ while (attrs.pkiStatus == SCEP_PENDING)
+ {
+ if (max_poll_time > 0 &&
+ (time_monotonic(NULL) - poll_start >= max_poll_time))
+ {
+ exit_scepclient("maximum poll time reached: %d seconds"
+ , max_poll_time);
+ }
+ DBG2(DBG_APP, "going to sleep for %d seconds", poll_interval);
+ sleep(poll_interval);
+ free(scep_response.ptr);
+ container->destroy(container);
+
+ DBG2(DBG_APP, "fingerprint: %.*s",
+ (int)fingerprint.len, fingerprint.ptr);
+ DBG2(DBG_APP, "transaction ID: %.*s",
+ (int)transID.len, transID.ptr);
+
+ chunk_free(&getCertInitial);
+ getCertInitial = scep_build_request(issuerAndSubject,
+ transID, SCEP_GetCertInitial_MSG, x509_ca_enc,
+ pkcs7_symmetric_cipher, pkcs7_key_size,
+ x509_signer, pkcs7_digest_alg, private_key);
+ if (!getCertInitial.ptr)
+ {
+ exit_scepclient("failed to build scep request");
+ }
+ if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
+ http_get_request, http_timeout, http_bind, &scep_response))
+ {
+ exit_scepclient("did not receive a valid scep response");
+ }
+ ugh = scep_parse_response(scep_response, transID, &container, &attrs);
+ if (ugh != NULL)
+ {
+ exit_scepclient(ugh);
+ }
+ }
+
+ if (attrs.pkiStatus != SCEP_SUCCESS)
+ {
+ container->destroy(container);
+ exit_scepclient("reply status is not 'SUCCESS'");
+ }
+ if (!container->get_data(container, &chunk))
+ {
+ container->destroy(container);
+ exit_scepclient("extracting signed-data failed");
+ }
+ container->destroy(container);
+
+ /* decrypt enveloped-data container */
+ container = lib->creds->create(lib->creds,
+ CRED_CONTAINER, CONTAINER_PKCS7,
+ BUILD_BLOB_ASN1_DER, chunk,
+ BUILD_END);
+ free(chunk.ptr);
+ if (!container)
+ {
+ exit_scepclient("could not decrypt envelopedData");
+ }
+
+ if (!container->get_data(container, &chunk))
+ {
+ container->destroy(container);
+ exit_scepclient("extracting encrypted-data failed");
+ }
+ container->destroy(container);
+
+ /* parse signed-data container */
+ container = lib->creds->create(lib->creds,
+ CRED_CONTAINER, CONTAINER_PKCS7,
+ BUILD_BLOB_ASN1_DER, chunk,
+ BUILD_END);
+ free(chunk.ptr);
+ if (!container)
+ {
+ exit_scepclient("could not parse singed-data");
+ }
+ /* no need to verify the signed-data container, the signature does NOT
+ * cover the contained certificates */
+
+ /* store the end entity certificate */
+ join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert);
+
+ p7 = (pkcs7_t*)container;
+ enumerator = p7->create_cert_enumerator(p7);
+ while (enumerator->enumerate(enumerator, &cert))
+ {
+ x509_t *x509 = (x509_t*)cert;
+
+ if (!(x509->get_flags(x509) & X509_CA))
+ {
+ if (stored)
+ {
+ exit_scepclient("multiple certs received, only first stored");
+ }
+ if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
+ !chunk_write(encoding, path, 0022, force))
+ {
+ exit_scepclient("could not write cert file '%s': %s",
+ path, strerror(errno));
+ }
+ chunk_free(&encoding);
+ stored = TRUE;
+ }
+ }
+ enumerator->destroy(enumerator);
+ container->destroy(container);
+ chunk_free(&attrs.transID);
+ chunk_free(&attrs.senderNonce);
+ chunk_free(&attrs.recipientNonce);
+
+ filetype_out &= ~CERT; /* delete CERT flag */
+ }
+ exit_scepclient(NULL);
+ return -1; /* should never be reached */
+}