commands/print.c \
commands/pub.c \
commands/req.c \
+ commands/scepca.c \
commands/self.c \
commands/signcrl.c \
- commands/verify.c
+ commands/verify.c \
+ scep/scep.h scep/scep.c
pki_LDADD = \
$(top_builddir)/src/libstrongswan/libstrongswan.la \
/**
* Maximum number of commands (+1).
*/
-#define MAX_COMMANDS 14
+#define MAX_COMMANDS 15
/**
* Maximum number of options in a command (+3)
--- /dev/null
+/*
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2022 Andreas Steffen, strongSec GmbH
+ *
+ * Copyright (C) secunet Security Networks AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+
+#include "pki.h"
+#include "scep/scep.h"
+
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/sets/mem_cred.h>
+
+
+typedef enum {
+ CERT_TYPE_ROOT_CA,
+ CERT_TYPE_SUB_CA,
+ CERT_TYPE_RA
+} cert_type_t;
+
+static char *cert_type_label[] = { "Root CA", "Sub CA", "RA" };
+
+/**
+ * Determine certificate type based on X.509 certificate flags
+ */
+static cert_type_t get_cert_type(certificate_t *cert)
+{
+ x509_t *x509;
+ x509_flag_t flags;
+
+ x509 = (x509_t*)cert;
+ flags = x509->get_flags(x509);
+
+ if (flags & X509_CA)
+ {
+ if (flags & X509_SELF_SIGNED)
+ {
+ return CERT_TYPE_ROOT_CA;
+ }
+ else
+ {
+ return CERT_TYPE_SUB_CA;
+ }
+ }
+ else
+ {
+ return CERT_TYPE_RA;
+ }
+}
+
+/**
+ * Output cert type, subject as well as SHA256 and SHA1 fingerprints
+ */
+static bool print_cert_info(certificate_t *cert, cert_type_t cert_type)
+{
+ hasher_t *hasher = NULL;
+ char digest_buf[HASH_SIZE_SHA256];
+ char base64_buf[HASH_SIZE_SHA256];
+ chunk_t cert_digest = {digest_buf, HASH_SIZE_SHA256};
+ chunk_t cert_id, encoding = chunk_empty;
+ bool success = FALSE;
+
+ DBG1(DBG_APP, "%s cert \"%Y\"", cert_type_label[cert_type],
+ cert->get_subject(cert));
+
+ if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+ {
+ DBG1(DBG_APP, "could not get certificate encoding");
+ return FALSE;
+ }
+
+ /* SHA256 certificate digest */
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA256);
+ if (!hasher)
+ {
+ DBG1(DBG_APP, "could not create SHA256 hasher");
+ goto end;
+ }
+ if (!hasher->get_hash(hasher, encoding, digest_buf))
+ {
+ DBG1(DBG_APP, "could not compute SHA256 hash");
+ goto end;
+ }
+ hasher->destroy(hasher);
+
+ DBG1(DBG_APP, " SHA256: %#B", &cert_digest);
+
+ /* SHA1 certificate digest */
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+ if (!hasher)
+ {
+ DBG1(DBG_APP, "could not create SHA1 hasher");
+ goto end;
+ }
+ if (!hasher->get_hash(hasher, encoding, digest_buf))
+ {
+ DBG1(DBG_APP, "could not compute SHA1 hash");
+ goto end;
+ }
+ cert_digest.len = HASH_SIZE_SHA1;
+ cert_id = chunk_to_base64(cert_digest, base64_buf);
+
+ DBG1(DBG_APP, " SHA1 : %#B (%.*s)", &cert_digest,
+ cert_id.len-1, cert_id.ptr);
+ success = TRUE;
+
+end:
+ DESTROY_IF(hasher);
+ chunk_free(&encoding);
+
+ return success;
+}
+
+static bool build_pathname(char **path, cert_type_t cert_type, int *cert_type_count,
+ char *caout, char *raout, cred_encoding_type_t form)
+{
+ char *basename, *extension, *dot, *suffix;
+ int count, len;
+ bool number;
+
+ basename = caout;
+ extension = "";
+ suffix = (form == CERT_ASN1_DER) ? "der" : "pem";
+
+ count = cert_type_count[cert_type];
+ number = count > 1;
+
+ switch (cert_type)
+ {
+ default:
+ case CERT_TYPE_ROOT_CA:
+ if (count > 1)
+ {
+ extension = "-root";
+ }
+ break;
+ case CERT_TYPE_SUB_CA:
+ number = TRUE;
+ break;
+ case CERT_TYPE_RA:
+ if (raout)
+ {
+ basename = raout;
+ }
+ else
+ {
+ extension = "-ra";
+ }
+ break;
+ }
+
+ /* skip if no path is defined */
+ if (!basename)
+ {
+ *path = NULL;
+ return TRUE;
+ }
+
+ /* check for a file suffix */
+ dot = strrchr(basename, '.');
+ len = dot ? (dot - basename) : strlen(basename);
+ if (dot && (dot[1] != '\0'))
+ {
+ suffix = dot + 1;
+ }
+
+ if (number)
+ {
+ return asprintf(path, "%.*s%s-%d.%s", len, basename, extension,
+ count, suffix) > 0;
+ }
+ else
+ {
+ return asprintf(path, "%.*s%s.%s", len, basename, extension, suffix) > 0;
+ }
+}
+
+/**
+ * Writo CA/RA certificate to file in DER or PEM format
+ */
+static bool write_cert(certificate_t *cert, cert_type_t cert_type, bool trusted,
+ char *path, cred_encoding_type_t form, bool force)
+{
+ chunk_t encoding = chunk_empty;
+ time_t until;
+ bool written, valid;
+
+ if (path)
+ {
+ if (!cert->get_encoding(cert, form, &encoding))
+ {
+ DBG1(DBG_APP, "could not get certificate encoding");
+ return FALSE;
+ }
+
+ written = chunk_write(encoding, path, 0022, force);
+ chunk_free(&encoding);
+
+ if (!written)
+ {
+ DBG1(DBG_APP, "could not write cert file '%s': %s",
+ path, strerror(errno));
+ return FALSE;
+ }
+ }
+ valid = cert->get_validity(cert, NULL, NULL, &until);
+ DBG1(DBG_APP, "%s cert is %strusted, %s %T, %s'%s'",
+ cert_type_label[cert_type], trusted ? "" : "un",
+ valid ? "valid until" : "invalid since", &until, FALSE,
+ path ? "written to " : "", path ? path : "not written");
+
+ return TRUE;
+}
+
+/**
+ * Get CA certificate[s] from a SCEP server (RFC 8894)
+ */
+static int scepca()
+{
+ cred_encoding_type_t form = CERT_ASN1_DER;
+ chunk_t scep_response = chunk_empty;
+ mem_cred_t *creds = NULL;
+ certificate_t *cert;
+ cert_type_t cert_type;
+ pkcs7_t *pkcs7 = NULL;
+ bool force = FALSE, written = FALSE;
+ char *arg, *url = NULL, *caout = NULL, *raout = NULL, *path = NULL;
+ int status = 1;
+
+ int cert_type_count[] = { 0, 0, 0 };
+
+ scep_http_params_t http_params = {
+ .get_request = TRUE, .timeout = 30, .bind = NULL
+ };
+
+ while (TRUE)
+ {
+ switch (command_getopt(&arg))
+ {
+ case 'h':
+ return command_usage(NULL);
+ case 'u':
+ url = arg;
+ continue;
+ case 'c':
+ caout = arg;
+ continue;
+ case 'r':
+ raout = arg;
+ continue;
+ case 'f':
+ if (!get_form(arg, &form, CRED_CERTIFICATE))
+ {
+ return command_usage("invalid certificate output format");
+ }
+ continue;
+ case 'F':
+ force = TRUE;
+ continue;
+ case EOF:
+ break;
+ default:
+ return command_usage("invalid --scepca option");
+ }
+ break;
+ }
+
+ if (!url)
+ {
+ return command_usage("--url is required");
+ }
+
+ if (!scep_http_request(url, chunk_empty, SCEP_GET_CA_CERT, &http_params,
+ &scep_response))
+ {
+ DBG1(DBG_APP, "did not receive a valid scep response");
+ return 1;
+ }
+
+ creds = mem_cred_create();
+ lib->credmgr->add_set(lib->credmgr, &creds->set);
+
+ pkcs7 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+ BUILD_BLOB_ASN1_DER, scep_response, BUILD_END);
+ if (!pkcs7)
+ { /* no PKCS#7 encoded CA+RA certificates, assume single root CA cert */
+
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_BLOB, scep_response, BUILD_END);
+ if (!cert)
+ {
+ DBG1(DBG_APP, "could not parse single CA certificate");
+ goto end;
+ }
+ cert_type = get_cert_type(cert);
+ cert_type_count[cert_type]++;
+
+ if (print_cert_info(cert, cert_type) &&
+ build_pathname(&path, cert_type, cert_type_count, caout, raout, form))
+ {
+ written = write_cert(cert, cert_type, FALSE, path, form, force);
+ }
+ }
+ else
+ {
+ enumerator_t *enumerator;
+
+ enumerator = pkcs7->create_cert_enumerator(pkcs7);
+ while (enumerator->enumerate(enumerator, &cert))
+ {
+ cert_type = get_cert_type(cert);
+ if (cert_type == CERT_TYPE_ROOT_CA)
+ {
+ /* trust in root CA has to be established manuallly */
+ creds->add_cert(creds, TRUE, cert->get_ref(cert));
+
+ cert_type_count[cert_type]++;
+
+ if (!print_cert_info(cert, cert_type))
+ {
+ goto end;
+ }
+ if (build_pathname(&path, cert_type, cert_type_count,
+ caout, raout, form))
+ {
+ written = write_cert(cert, cert_type, FALSE, path, form, force);
+ free(path);
+ }
+ if (!written)
+ {
+ break;
+ }
+ }
+ else
+ {
+ /* trust relative to root CA will be established in round 2 */
+ creds->add_cert(creds, FALSE, cert->get_ref(cert));
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (!written)
+ {
+ goto end;
+ }
+
+ enumerator = pkcs7->create_cert_enumerator(pkcs7);
+ while (enumerator->enumerate(enumerator, &cert))
+ {
+ written = FALSE;
+
+ cert_type = get_cert_type(cert);
+ if (cert_type != CERT_TYPE_ROOT_CA)
+ {
+ enumerator_t *certs;
+ bool trusted;
+
+ if (!print_cert_info(cert, cert_type))
+ {
+ break;
+ }
+
+ /* establish trust relativ to root CA */
+ certs = lib->credmgr->create_trusted_enumerator(lib->credmgr,
+ KEY_RSA, cert->get_subject(cert), FALSE);
+ trusted = certs->enumerate(certs, &cert, NULL);
+ certs->destroy(certs);
+
+ cert_type_count[cert_type]++;
+
+ if (build_pathname(&path, cert_type, cert_type_count,
+ caout, raout, form))
+ {
+ written = write_cert(cert, cert_type, trusted, path, form, force);
+ free(path);
+ }
+ if (!written)
+ {
+ break;
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ status = written ? 0 : 1;
+
+end:
+ /* cleanup */
+ lib->credmgr->remove_set(lib->credmgr, &creds->set);
+ creds->destroy(creds);
+ free(scep_response.ptr);
+ if (pkcs7)
+ {
+ container_t *container = &pkcs7->container;
+
+ container->destroy(container);
+ }
+
+ return status;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+ command_register((command_t) {
+ scepca, 'C', "scepca",
+ "get CA [and RA] certificate[s] from a SCEP server",
+ {"--url url [--caout file] [--raout file] [--outform der|pem] [--force]"},
+ {
+ {"help", 'h', 0, "show usage information"},
+ {"url", 'u', 1, "URL of the SCEP server"},
+ {"caout", 'c', 1, "CA certificate [template]"},
+ {"raout", 'r', 1, "RA certificate [template]"},
+ {"outform", 'f', 1, "encoding of stored certificates, default: der"},
+ {"force", 'F', 0, "force overwrite of existing files"},
+ }
+ });
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Copyright (C) 2022 Andreas Steffen, strongSec GmbH
+ *
+ * Copyright (C) secunet Security Networks AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+
+#include <library.h>
+#include <utils/debug.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/oid.h>
+#include <crypto/rngs/rng.h>
+#include <crypto/hashers/hasher.h>
+
+#include "scep.h"
+
+static const char *pkiStatus_values[] = { "0", "2", "3" };
+
+static const char *pkiStatus_names[] = {
+ "SUCCESS",
+ "FAILURE",
+ "PENDING",
+ "UNKNOWN"
+};
+
+static const char *msgType_values[] = { "3", "17", "19", "20", "21", "22" };
+
+static const char *msgType_names[] = {
+ "CertRep",
+ "RenewalReq",
+ "PKCSReq",
+ "CertPoll",
+ "GetCert",
+ "GetCRL",
+ "Unknown"
+};
+
+static const char *failInfo_reasons[] = {
+ "badAlg - unrecognized or unsupported algorithm identifier",
+ "badMessageCheck - integrity check failed",
+ "badRequest - transaction not permitted or supported",
+ "badTime - Message time field was not sufficiently close to the system time",
+ "badCertId - No certificate could be identified matching the provided criteria"
+};
+
+const scep_attributes_t empty_scep_attributes = {
+ SCEP_Unknown_MSG , /* msgType */
+ SCEP_UNKNOWN , /* pkiStatus */
+ SCEP_unknown_REASON, /* failInfo */
+ { NULL, 0 } , /* transID */
+ { NULL, 0 } , /* senderNonce */
+ { NULL, 0 } , /* recipientNonce */
+};
+
+/**
+ * Extract X.501 attributes
+ */
+void extract_attributes(pkcs7_t *pkcs7, enumerator_t *enumerator,
+ scep_attributes_t *attrs)
+{
+ chunk_t attr;
+
+ if (pkcs7->get_attribute(pkcs7, OID_PKI_MESSAGE_TYPE, enumerator, &attr))
+ {
+ scep_msg_t m;
+
+ for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
+ {
+ if (strncmp(msgType_values[m], attr.ptr, attr.len) == 0)
+ {
+ attrs->msgType = m;
+ }
+ }
+ DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]);
+ free(attr.ptr);
+ }
+ if (pkcs7->get_attribute(pkcs7, OID_PKI_STATUS, enumerator, &attr))
+ {
+ pkiStatus_t s;
+
+ for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
+ {
+ if (strncmp(pkiStatus_values[s], attr.ptr, attr.len) == 0)
+ {
+ attrs->pkiStatus = s;
+ }
+ }
+ DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]);
+ free(attr.ptr);
+ }
+ if (pkcs7->get_attribute(pkcs7, OID_PKI_FAIL_INFO, enumerator, &attr))
+ {
+ if (attr.len == 1 && *attr.ptr >= '0' && *attr.ptr <= '4')
+ {
+ attrs->failInfo = (failInfo_t)(*attr.ptr - '0');
+ }
+ if (attrs->failInfo != SCEP_unknown_REASON)
+ {
+ DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]);
+ }
+ free(attr.ptr);
+ }
+
+ pkcs7->get_attribute(pkcs7, OID_PKI_SENDER_NONCE, enumerator,
+ &attrs->senderNonce);
+ pkcs7->get_attribute(pkcs7, OID_PKI_RECIPIENT_NONCE, enumerator,
+ &attrs->recipientNonce);
+ pkcs7->get_attribute(pkcs7, OID_PKI_TRANS_ID, enumerator,
+ &attrs->transID);
+}
+
+/**
+ * Generates a unique fingerprint of the pkcs10 request
+ * by computing an MD5 hash over it
+ */
+chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10)
+{
+ chunk_t digest = chunk_alloca(HASH_SIZE_MD5);
+ hasher_t *hasher;
+
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+ if (!hasher || !hasher->get_hash(hasher, pkcs10, digest.ptr))
+ {
+ DESTROY_IF(hasher);
+ return chunk_empty;
+ }
+ hasher->destroy(hasher);
+
+ return chunk_to_hex(digest, NULL, FALSE);
+}
+
+/**
+ * Generate a transaction id as the MD5 hash of an public key
+ * the transaction id is also used as a unique serial number
+ */
+void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
+ chunk_t *serialNumber)
+{
+ chunk_t digest = chunk_alloca(HASH_SIZE_MD5);
+ chunk_t keyEncoding = chunk_empty, keyInfo;
+ hasher_t *hasher;
+ int zeros = 0, msb_set = 0;
+
+ key->get_encoding(key, PUBKEY_ASN1_DER, &keyEncoding);
+
+ keyInfo = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+ asn1_bitstring("m", keyEncoding));
+
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+ if (!hasher || !hasher->get_hash(hasher, keyInfo, digest.ptr))
+ {
+ memset(digest.ptr, 0, digest.len);
+ }
+ DESTROY_IF(hasher);
+ free(keyInfo.ptr);
+
+ /* the serialNumber should be valid ASN1 integer content:
+ * remove leading zeros, add one if MSB is set (two's complement) */
+ while (zeros < digest.len)
+ {
+ if (digest.ptr[zeros])
+ {
+ if (digest.ptr[zeros] & 0x80)
+ {
+ msb_set = 1;
+ }
+ break;
+ }
+ zeros++;
+ }
+ *serialNumber = chunk_alloc(digest.len - zeros + msb_set);
+ if (msb_set)
+ {
+ serialNumber->ptr[0] = 0x00;
+ }
+ memcpy(serialNumber->ptr + msb_set, digest.ptr + zeros,
+ digest.len - zeros);
+
+ /* the transaction id is the serial number in hex format */
+ *transID = chunk_to_hex(digest, NULL, TRUE);
+}
+
+/**
+ * Builds a pkcs7 enveloped and signed scep request
+ */
+chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
+ certificate_t *enc_cert, encryption_algorithm_t enc_alg,
+ size_t key_size, certificate_t *signer_cert,
+ hash_algorithm_t digest_alg, private_key_t *private_key)
+{
+ chunk_t request;
+ container_t *container;
+ char nonce[16];
+ rng_t *rng;
+ chunk_t senderNonce, msgType;
+
+ /* generate senderNonce */
+ rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+ if (!rng || !rng->get_bytes(rng, sizeof(nonce), nonce))
+ {
+ DESTROY_IF(rng);
+ return chunk_empty;
+ }
+ rng->destroy(rng);
+
+ /* encrypt data in enveloped-data PKCS#7 */
+ container = lib->creds->create(lib->creds,
+ CRED_CONTAINER, CONTAINER_PKCS7_ENVELOPED_DATA,
+ BUILD_BLOB, data,
+ BUILD_CERT, enc_cert,
+ BUILD_ENCRYPTION_ALG, enc_alg,
+ BUILD_KEY_SIZE, (int)key_size,
+ BUILD_END);
+ if (!container)
+ {
+ return chunk_empty;
+ }
+ if (!container->get_encoding(container, &request))
+ {
+ container->destroy(container);
+ return chunk_empty;
+ }
+ container->destroy(container);
+
+ /* sign enveloped-data in a signed-data PKCS#7 */
+ senderNonce = asn1_wrap(ASN1_OCTET_STRING, "c", chunk_from_thing(nonce));
+ transID = asn1_wrap(ASN1_PRINTABLESTRING, "c", transID);
+ msgType = asn1_wrap(ASN1_PRINTABLESTRING, "c",
+ chunk_create((char*)msgType_values[msg],
+ strlen(msgType_values[msg])));
+
+ container = lib->creds->create(lib->creds,
+ CRED_CONTAINER, CONTAINER_PKCS7_SIGNED_DATA,
+ BUILD_BLOB, request,
+ BUILD_SIGNING_CERT, signer_cert,
+ BUILD_SIGNING_KEY, private_key,
+ BUILD_DIGEST_ALG, digest_alg,
+ BUILD_PKCS7_ATTRIBUTE, OID_PKI_SENDER_NONCE, senderNonce,
+ BUILD_PKCS7_ATTRIBUTE, OID_PKI_TRANS_ID, transID,
+ BUILD_PKCS7_ATTRIBUTE, OID_PKI_MESSAGE_TYPE, msgType,
+ BUILD_END);
+
+ free(request.ptr);
+ free(senderNonce.ptr);
+ free(transID.ptr);
+ free(msgType.ptr);
+
+ if (!container)
+ {
+ return chunk_empty;
+ }
+ if (!container->get_encoding(container, &request))
+ {
+ container->destroy(container);
+ return chunk_empty;
+ }
+ container->destroy(container);
+
+ return request;
+}
+
+/**
+ * Converts a binary request to base64 with 64 characters per line
+ * newline and '+' characters are escaped by %0A and %2B, respectively
+ */
+static char* escape_http_request(chunk_t req)
+{
+ char *escaped_req = NULL;
+ char *p1, *p2;
+ int lines = 0;
+ int plus = 0;
+ int n = 0;
+
+ /* compute and allocate the size of the base64-encoded request */
+ int len = 1 + 4 * ((req.len + 2) / 3);
+ char *encoded_req = malloc(len);
+
+ /* do the base64 conversion */
+ chunk_t base64 = chunk_to_base64(req, encoded_req);
+ len = base64.len + 1;
+
+ /* compute newline characters to be inserted every 64 characters */
+ lines = (len - 2) / 64;
+
+ /* count number of + characters to be escaped */
+ p1 = encoded_req;
+ while (*p1 != '\0')
+ {
+ if (*p1++ == '+')
+ {
+ plus++;
+ }
+ }
+
+ escaped_req = malloc(len + 3 * (lines + plus));
+
+ /* escape special characters in the request */
+ p1 = encoded_req;
+ p2 = escaped_req;
+ while (*p1 != '\0')
+ {
+ if (n == 64)
+ {
+ memcpy(p2, "%0A", 3);
+ p2 += 3;
+ n = 0;
+ }
+ if (*p1 == '+')
+ {
+ memcpy(p2, "%2B", 3);
+ p2 += 3;
+ }
+ else
+ {
+ *p2++ = *p1;
+ }
+ p1++;
+ n++;
+ }
+ *p2 = '\0';
+ free(encoded_req);
+ return escaped_req;
+}
+
+/**
+ * Send a SCEP request via HTTP and wait for a response
+ */
+bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
+ scep_http_params_t *http_params, chunk_t *response)
+{
+ int len;
+ status_t status;
+ char *complete_url = NULL;
+ host_t *srcip = NULL;
+
+ /* initialize response */
+ *response = chunk_empty;
+
+ if (http_params->bind)
+ {
+ srcip = host_create_from_string(http_params->bind, 0);
+ }
+
+ DBG2(DBG_APP, "sending scep request to '%s'", url);
+
+ if (op == SCEP_PKI_OPERATION)
+ {
+ const char operation[] = "PKIOperation";
+
+ if (http_params->get_request)
+ {
+ char *escaped_req = escape_http_request(msg);
+
+ /* form complete url */
+ len = strlen(url) + 20 + strlen(operation) + strlen(escaped_req) + 1;
+ complete_url = malloc(len);
+ snprintf(complete_url, len, "%s?operation=%s&message=%s"
+ , url, operation, escaped_req);
+ free(escaped_req);
+
+ status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
+ FETCH_TIMEOUT, http_params->timeout,
+ FETCH_REQUEST_HEADER, "Pragma:",
+ FETCH_REQUEST_HEADER, "Host:",
+ FETCH_REQUEST_HEADER, "Accept:",
+ FETCH_SOURCEIP, srcip,
+ FETCH_END);
+ }
+ else /* HTTP_POST */
+ {
+ /* form complete url */
+ len = strlen(url) + 11 + strlen(operation) + 1;
+ complete_url = malloc(len);
+ snprintf(complete_url, len, "%s?operation=%s", url, operation);
+
+ status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
+ FETCH_TIMEOUT, http_params->timeout,
+ FETCH_REQUEST_DATA, msg,
+ FETCH_REQUEST_TYPE, "",
+ FETCH_REQUEST_HEADER, "Expect:",
+ FETCH_SOURCEIP, srcip,
+ FETCH_END);
+ }
+ }
+ else /* SCEP_GET_CA_CERT */
+ {
+ const char operation[] = "GetCACert";
+
+ /* form complete url */
+ len = strlen(url) + 11 + strlen(operation) + 1;
+ complete_url = malloc(len);
+ snprintf(complete_url, len, "%s?operation=%s", url, operation);
+
+ status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
+ FETCH_TIMEOUT, http_params->timeout,
+ FETCH_SOURCEIP, srcip,
+ FETCH_END);
+ }
+
+ DESTROY_IF(srcip);
+ free(complete_url);
+ return (status == SUCCESS);
+}
+
+err_t scep_parse_response(chunk_t response, chunk_t transID,
+ container_t **out, scep_attributes_t *attrs)
+{
+ enumerator_t *enumerator;
+ bool verified = FALSE;
+ container_t *container;
+ auth_cfg_t *auth;
+
+ container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+ BUILD_BLOB_ASN1_DER, response, BUILD_END);
+ if (!container)
+ {
+ return "error parsing the scep response";
+ }
+ if (container->get_type(container) != CONTAINER_PKCS7_SIGNED_DATA)
+ {
+ container->destroy(container);
+ return "scep response is not PKCS#7 signed-data";
+ }
+
+ enumerator = container->create_signature_enumerator(container);
+ while (enumerator->enumerate(enumerator, &auth))
+ {
+ verified = TRUE;
+ extract_attributes((pkcs7_t*)container, enumerator, attrs);
+ if (!chunk_equals(transID, attrs->transID))
+ {
+ enumerator->destroy(enumerator);
+ container->destroy(container);
+ return "transaction ID of scep response does not match";
+ }
+ }
+ enumerator->destroy(enumerator);
+ if (!verified)
+ {
+ container->destroy(container);
+ return "unable to verify PKCS#7 container";
+ }
+ *out = container;
+ return NULL;
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Copyright (C) 2022 Andreas Steffen, strongSec GmbH
+ *
+ * Copyright (C) secunet Security Networks AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef _SCEP_H
+#define _SCEP_H
+
+#include <credentials/containers/pkcs7.h>
+#include <credentials/certificates/certificate.h>
+
+/* supported SCEP operation types */
+typedef enum {
+ SCEP_PKI_OPERATION,
+ SCEP_GET_CA_CERT
+} scep_op_t;
+
+/* SCEP pkiStatus values */
+typedef enum {
+ SCEP_SUCCESS,
+ SCEP_FAILURE,
+ SCEP_PENDING,
+ SCEP_UNKNOWN
+} pkiStatus_t;
+
+/* SCEP messageType values */
+typedef enum {
+ SCEP_CertRep_MSG,
+ SCEP_RenewalReq_MSG,
+ SCEP_PKCSReq_MSG,
+ SCEP_CertPoll_MSG,
+ SCEP_GetCert_MSG,
+ SCEP_GetCRL_MSG,
+ SCEP_Unknown_MSG
+} scep_msg_t;
+
+/* SCEP failure reasons */
+typedef enum {
+ SCEP_badAlg_REASON = 0,
+ SCEP_badMessageCheck_REASON = 1,
+ SCEP_badRequest_REASON = 2,
+ SCEP_badTime_REASON = 3,
+ SCEP_badCertId_REASON = 4,
+ SCEP_unknown_REASON = 5
+} failInfo_t;
+
+/* SCEP attributes */
+typedef struct {
+ scep_msg_t msgType;
+ pkiStatus_t pkiStatus;
+ failInfo_t failInfo;
+ chunk_t transID;
+ chunk_t senderNonce;
+ chunk_t recipientNonce;
+} scep_attributes_t;
+
+/* SCEP http parameters */
+typedef struct {
+ bool get_request;
+ u_int timeout;
+ char *bind;
+} scep_http_params_t;
+
+extern const scep_attributes_t empty_scep_attributes;
+
+bool parse_attributes(chunk_t blob, scep_attributes_t *attrs);
+
+void scep_generate_transaction_id(public_key_t *key,
+ chunk_t *transID,
+ chunk_t *serialNumber);
+
+chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10);
+
+chunk_t scep_transId_attribute(chunk_t transaction_id);
+
+chunk_t scep_messageType_attribute(scep_msg_t m);
+
+chunk_t scep_senderNonce_attribute(void);
+
+chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
+ certificate_t *enc_cert, encryption_algorithm_t enc_alg,
+ size_t key_size, certificate_t *signer_cert,
+ hash_algorithm_t digest_alg, private_key_t *private_key);
+
+bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
+ scep_http_params_t *http_params, chunk_t *response);
+
+err_t scep_parse_response(chunk_t response, chunk_t transID,
+ container_t **out, scep_attributes_t *attrs);
+
+#endif /* _SCEP_H */
projects / thirdparty / strongswan.git / commitdiff
