From 8716f7c03c6193b1cb53837243177f36280ff4f7 Mon Sep 17 00:00:00 2001 From: Andreas Steffen Date: Tue, 9 Aug 2022 10:15:36 +0200 Subject: [PATCH] scepclient: Removal and replacement by pki subcommands The "ipsec scepclient" tool has been removed and replaced by the pki subcommands "pki --scep" and "pki --scepca" which implement the new SCEP RFC 8894 standard that was released in September 2020 and which supports trusted "certificate renewal" based on the existing client certificate. --- configure.ac | 67 +- src/Makefile.am | 4 - src/checksum/Makefile.am | 4 - src/scepclient/.gitignore | 1 - src/scepclient/Android.mk | 28 - src/scepclient/Makefile.am | 16 - src/scepclient/README.md | 18 + src/scepclient/scep.c | 474 ----------- src/scepclient/scep.h | 88 --- src/scepclient/scepclient.8 | 293 ------- src/scepclient/scepclient.c | 1491 ----------------------------------- 11 files changed, 49 insertions(+), 2435 deletions(-) delete mode 100644 src/scepclient/.gitignore delete mode 100644 src/scepclient/Android.mk delete mode 100644 src/scepclient/Makefile.am create mode 100644 src/scepclient/README.md delete mode 100644 src/scepclient/scep.c delete mode 100644 src/scepclient/scep.h delete mode 100644 src/scepclient/scepclient.8 delete mode 100644 src/scepclient/scepclient.c diff --git a/configure.ac b/configure.ac index fd885ccb16..40252e79da 100644 --- a/configure.ac +++ b/configure.ac @@ -302,7 +302,6 @@ ARG_ENABL_SET([medcli], [enable mediation client configuration database ARG_ENABL_SET([medsrv], [enable mediation server web frontend and daemon plugin.]) ARG_ENABL_SET([nm], [enable NetworkManager backend.]) ARG_DISBL_SET([pki], [disable pki certificate utility.]) -ARG_DISBL_SET([scepclient], [disable SCEP client tool.]) ARG_DISBL_SET([scripts], [disable additional utilities (found in directory scripts).]) ARG_ENABL_SET([svc], [enable charon Windows service.]) ARG_ENABL_SET([systemd], [enable systemd specific IKE daemon charon-systemd.]) @@ -1483,7 +1482,6 @@ charon_plugins= starter_plugins= pool_plugins= attest_plugins= -scepclient_plugins= pki_plugins= scripts_plugins= fuzz_plugins= @@ -1500,48 +1498,48 @@ s_plugins= t_plugins= p_plugins= -ADD_PLUGIN([test-vectors], [s charon scepclient pki]) +ADD_PLUGIN([test-vectors], [s charon pki]) ADD_PLUGIN([unbound], [s charon scripts]) -ADD_PLUGIN([ldap], [s charon scepclient scripts nm cmd]) +ADD_PLUGIN([ldap], [s charon scripts nm cmd]) ADD_PLUGIN([pkcs11], [s charon pki nm cmd]) ADD_PLUGIN([tpm], [p charon pki nm cmd]) -ADD_PLUGIN([aesni], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) -ADD_PLUGIN([aes], [s charon scepclient pki scripts nm cmd]) -ADD_PLUGIN([des], [s charon scepclient pki scripts nm cmd]) -ADD_PLUGIN([blowfish], [s charon scepclient pki scripts nm cmd]) -ADD_PLUGIN([rc2], [s charon scepclient pki scripts nm cmd]) -ADD_PLUGIN([sha2], [s charon scepclient pki scripts medsrv attest nm cmd aikgen fuzz]) -ADD_PLUGIN([sha3], [s charon scepclient pki scripts medsrv attest nm cmd aikgen fuzz]) -ADD_PLUGIN([sha1], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz]) -ADD_PLUGIN([md4], [s charon scepclient pki nm cmd]) -ADD_PLUGIN([md5], [s charon scepclient pki scripts attest nm cmd aikgen]) -ADD_PLUGIN([mgf1], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) -ADD_PLUGIN([rdrand], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) -ADD_PLUGIN([random], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen]) +ADD_PLUGIN([aesni], [s charon pki scripts medsrv attest nm cmd aikgen]) +ADD_PLUGIN([aes], [s charon pki scripts nm cmd]) +ADD_PLUGIN([des], [s charon pki scripts nm cmd]) +ADD_PLUGIN([blowfish], [s charon pki scripts nm cmd]) +ADD_PLUGIN([rc2], [s charon pki scripts nm cmd]) +ADD_PLUGIN([sha2], [s charon pki scripts medsrv attest nm cmd aikgen fuzz]) +ADD_PLUGIN([sha3], [s charon pki scripts medsrv attest nm cmd aikgen fuzz]) +ADD_PLUGIN([sha1], [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz]) +ADD_PLUGIN([md4], [s charon pki nm cmd]) +ADD_PLUGIN([md5], [s charon pki scripts attest nm cmd aikgen]) +ADD_PLUGIN([mgf1], [s charon pki scripts medsrv attest nm cmd aikgen]) +ADD_PLUGIN([rdrand], [s charon pki scripts medsrv attest nm cmd aikgen]) +ADD_PLUGIN([random], [s charon pki scripts manager medsrv attest nm cmd aikgen]) ADD_PLUGIN([nonce], [s charon nm cmd aikgen]) -ADD_PLUGIN([x509], [s charon scepclient pki scripts attest nm cmd aikgen fuzz]) +ADD_PLUGIN([x509], [s charon pki scripts attest nm cmd aikgen fuzz]) ADD_PLUGIN([revocation], [s charon pki nm cmd]) ADD_PLUGIN([constraints], [s charon nm cmd]) ADD_PLUGIN([acert], [s charon]) ADD_PLUGIN([pubkey], [s charon pki cmd aikgen]) -ADD_PLUGIN([pkcs1], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz]) -ADD_PLUGIN([pkcs7], [s charon scepclient pki scripts nm cmd]) -ADD_PLUGIN([pkcs12], [s charon scepclient pki scripts cmd]) +ADD_PLUGIN([pkcs1], [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz]) +ADD_PLUGIN([pkcs7], [s charon pki scripts nm cmd]) +ADD_PLUGIN([pkcs12], [s charon pki scripts cmd]) ADD_PLUGIN([pgp], [s charon]) ADD_PLUGIN([dnskey], [s charon pki]) ADD_PLUGIN([sshkey], [s charon pki nm cmd]) ADD_PLUGIN([dnscert], [c charon]) ADD_PLUGIN([ipseckey], [c charon]) -ADD_PLUGIN([pem], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz]) +ADD_PLUGIN([pem], [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz]) ADD_PLUGIN([padlock], [s charon]) -ADD_PLUGIN([openssl], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen]) -ADD_PLUGIN([wolfssl], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen]) -ADD_PLUGIN([gcrypt], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen]) -ADD_PLUGIN([botan], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen]) -ADD_PLUGIN([pkcs8], [s charon scepclient pki scripts manager medsrv attest nm cmd]) -ADD_PLUGIN([af-alg], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) +ADD_PLUGIN([openssl], [s charon pki scripts manager medsrv attest nm cmd aikgen]) +ADD_PLUGIN([wolfssl], [s charon pki scripts manager medsrv attest nm cmd aikgen]) +ADD_PLUGIN([gcrypt], [s charon pki scripts manager medsrv attest nm cmd aikgen]) +ADD_PLUGIN([botan], [s charon pki scripts manager medsrv attest nm cmd aikgen]) +ADD_PLUGIN([pkcs8], [s charon pki scripts manager medsrv attest nm cmd]) +ADD_PLUGIN([af-alg], [s charon pki scripts medsrv attest nm cmd aikgen]) ADD_PLUGIN([fips-prf], [s charon nm cmd]) -ADD_PLUGIN([gmp], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz]) +ADD_PLUGIN([gmp], [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz]) ADD_PLUGIN([curve25519], [s charon pki scripts nm cmd]) ADD_PLUGIN([agent], [s charon nm cmd]) ADD_PLUGIN([keychain], [s charon cmd]) @@ -1557,8 +1555,8 @@ ADD_PLUGIN([ntru], [s charon scripts nm cmd]) ADD_PLUGIN([drbg], [s charon pki scripts nm cmd]) ADD_PLUGIN([newhope], [s charon scripts nm cmd]) ADD_PLUGIN([bliss], [s charon pki scripts nm cmd]) -ADD_PLUGIN([curl], [s charon scepclient pki scripts nm cmd]) -ADD_PLUGIN([files], [s charon scepclient pki scripts nm cmd]) +ADD_PLUGIN([curl], [s charon pki scripts nm cmd]) +ADD_PLUGIN([files], [s charon pki scripts nm cmd]) ADD_PLUGIN([winhttp], [s charon pki scripts]) ADD_PLUGIN([soup], [s charon pki scripts nm cmd]) ADD_PLUGIN([mysql], [s charon pool manager medsrv attest]) @@ -1838,11 +1836,10 @@ AM_CONDITIONAL(USE_ADNS, test x$adns = xtrue) AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue) AM_CONDITIONAL(USE_NM, test x$nm = xtrue) AM_CONDITIONAL(USE_PKI, test x$pki = xtrue) -AM_CONDITIONAL(USE_SCEPCLIENT, test x$scepclient = xtrue) AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue) AM_CONDITIONAL(USE_FUZZING, test x$fuzzing = xtrue) AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue) -AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue -o x$systemd = xtrue) +AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pki = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue -o x$systemd = xtrue) AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue -o x$systemd = xtrue) AM_CONDITIONAL(USE_LIBIPSEC, test x$libipsec = xtrue) AM_CONDITIONAL(USE_LIBNTTFFT, test x$bliss = xtrue -o x$newhope = xtrue) @@ -1851,7 +1848,7 @@ AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue) AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue) AM_CONDITIONAL(USE_LIBTPMTSS, test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$tpm = xtrue -o x$aikgen = xtrue -o x$imcv = xtrue) AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue) -AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue) +AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$conftest = xtrue) AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap) AM_CONDITIONAL(USE_VSTR, test x$printf_hooks = xvstr) AM_CONDITIONAL(USE_BUILTIN_PRINTF, test x$printf_hooks = xbuiltin) @@ -1927,7 +1924,6 @@ AM_COND_IF([USE_IMV_SWIMA], [strongswan_options=${strongswan_options}" sec-updat AM_COND_IF([USE_LIBTNCCS], [strongswan_options=${strongswan_options}" tnc"]) AM_COND_IF([USE_MANAGER], [strongswan_options=${strongswan_options}" manager"]) AM_COND_IF([USE_MEDSRV], [strongswan_options=${strongswan_options}" medsrv"]) -AM_COND_IF([USE_SCEPCLIENT], [strongswan_options=${strongswan_options}" scepclient"]) AM_COND_IF([USE_PKI], [strongswan_options=${strongswan_options}" pki"]) AM_COND_IF([USE_SWANCTL], [strongswan_options=${strongswan_options}" swanctl"]) AM_COND_IF([USE_SYSTEMD], [strongswan_options=${strongswan_options}" charon-systemd"]) @@ -2134,7 +2130,6 @@ AC_CONFIG_FILES([ src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile - src/scepclient/Makefile src/aikgen/Makefile src/tpm_extendpcr/Makefile src/pki/Makefile diff --git a/src/Makefile.am b/src/Makefile.am index 16699f11c2..2e3af366d0 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -75,10 +75,6 @@ if USE_UPDOWN SUBDIRS += _updown endif -if USE_SCEPCLIENT - SUBDIRS += scepclient -endif - if USE_PKI SUBDIRS += pki endif diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am index 107b26c31c..6c1224daca 100644 --- a/src/checksum/Makefile.am +++ b/src/checksum/Makefile.am @@ -102,10 +102,6 @@ if USE_SYSTEMD exes += $(DESTDIR)$(sbindir)/charon-systemd endif -if USE_SCEPCLIENT - exes += $(DESTDIR)$(ipsecdir)/scepclient -endif - if USE_PKI exes += $(DESTDIR)$(bindir)/pki endif diff --git a/src/scepclient/.gitignore b/src/scepclient/.gitignore deleted file mode 100644 index 0cc9ec6262..0000000000 --- a/src/scepclient/.gitignore +++ /dev/null @@ -1 +0,0 @@ -scepclient diff --git a/src/scepclient/Android.mk b/src/scepclient/Android.mk deleted file mode 100644 index bec3d77ffb..0000000000 --- a/src/scepclient/Android.mk +++ /dev/null @@ -1,28 +0,0 @@ -LOCAL_PATH := $(call my-dir) -include $(CLEAR_VARS) - -# copy-n-paste from Makefile.am -scepclient_SOURCES := \ -scepclient.c scep.c scep.h - -LOCAL_SRC_FILES := $(filter %.c,$(scepclient_SOURCES)) - -# build scepclient ------------------------------------------------------------- - -LOCAL_C_INCLUDES += \ - $(strongswan_PATH)/src/libstrongswan - -LOCAL_CFLAGS := $(strongswan_CFLAGS) \ - -DPLUGINS='"$(strongswan_SCEPCLIENT_PLUGINS)"' - -LOCAL_MODULE := scepclient - -LOCAL_MODULE_TAGS := optional - -LOCAL_ARM_MODE := arm - -LOCAL_PRELINK_MODULE := false - -LOCAL_SHARED_LIBRARIES += libstrongswan - -include $(BUILD_EXECUTABLE) \ No newline at end of file diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am deleted file mode 100644 index 13116723bb..0000000000 --- a/src/scepclient/Makefile.am +++ /dev/null @@ -1,16 +0,0 @@ -ipsec_PROGRAMS = scepclient -scepclient_SOURCES = \ -scepclient.c scep.c scep.h - -scepclient.o : $(top_builddir)/config.status - -AM_CPPFLAGS = \ - -I$(top_srcdir)/src/libstrongswan \ - -DIPSEC_CONFDIR=\"${sysconfdir}\" \ - -DPLUGINS=\""${scepclient_plugins}\"" - -scepclient_LDADD = \ -$(top_builddir)/src/libstrongswan/libstrongswan.la - -dist_man_MANS = scepclient.8 -EXTRA_DIST = Android.mk diff --git a/src/scepclient/README.md b/src/scepclient/README.md new file mode 100644 index 0000000000..18526cf117 --- /dev/null +++ b/src/scepclient/README.md @@ -0,0 +1,18 @@ +# ipsec scepclient # + +## Description ## + +The `ipsec scepclient` tool was an early client implementation of the +_Simple Certificate Enrollment Protocol_ (SCEP). + +The tool was written in 2005 and only got marginal updates since then. Hence it +implemented an old version of the SCEP Internet Draft (version 10/11 of +`draft-nourse-scep` and used the broken `MD5` hash and single `DES` encryption +algorithms as defaults. + +## Obsolescence ## + +With strongSwan version 5.9.8 `*ipsec scepclient*` has been removed and replaced +by the `pki` subcommands `pki --scep` and `pki --scepca` which implement the new +SCEP RFC 8894 standard that was released in September 2020 and which supports +trusted **certificate renewal** based on the existing client certificate. diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c deleted file mode 100644 index 01ae450aac..0000000000 --- a/src/scepclient/scep.c +++ /dev/null @@ -1,474 +0,0 @@ -/* - * Copyright (C) 2012 Tobias Brunner - * Copyright (C) 2005 Jan Hutter, Martin Willi - * - * Copyright (C) secunet Security Networks AG - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include - -#include -#include -#include -#include -#include -#include -#include - -#include "scep.h" - -static const char *pkiStatus_values[] = { "0", "2", "3" }; - -static const char *pkiStatus_names[] = { - "SUCCESS", - "FAILURE", - "PENDING", - "UNKNOWN" -}; - -static const char *msgType_values[] = { "3", "19", "20", "21", "22" }; - -static const char *msgType_names[] = { - "CertRep", - "PKCSReq", - "GetCertInitial", - "GetCert", - "GetCRL", - "Unknown" -}; - -static const char *failInfo_reasons[] = { - "badAlg - unrecognized or unsupported algorithm identifier", - "badMessageCheck - integrity check failed", - "badRequest - transaction not permitted or supported", - "badTime - Message time field was not sufficiently close to the system time", - "badCertId - No certificate could be identified matching the provided criteria" -}; - -const scep_attributes_t empty_scep_attributes = { - SCEP_Unknown_MSG , /* msgType */ - SCEP_UNKNOWN , /* pkiStatus */ - SCEP_unknown_REASON, /* failInfo */ - { NULL, 0 } , /* transID */ - { NULL, 0 } , /* senderNonce */ - { NULL, 0 } , /* recipientNonce */ -}; - -/** - * Extract X.501 attributes - */ -void extract_attributes(pkcs7_t *pkcs7, enumerator_t *enumerator, - scep_attributes_t *attrs) -{ - chunk_t attr; - - if (pkcs7->get_attribute(pkcs7, OID_PKI_MESSAGE_TYPE, enumerator, &attr)) - { - scep_msg_t m; - - for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++) - { - if (strncmp(msgType_values[m], attr.ptr, attr.len) == 0) - { - attrs->msgType = m; - } - } - DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]); - free(attr.ptr); - } - if (pkcs7->get_attribute(pkcs7, OID_PKI_STATUS, enumerator, &attr)) - { - pkiStatus_t s; - - for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++) - { - if (strncmp(pkiStatus_values[s], attr.ptr, attr.len) == 0) - { - attrs->pkiStatus = s; - } - } - DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]); - free(attr.ptr); - } - if (pkcs7->get_attribute(pkcs7, OID_PKI_FAIL_INFO, enumerator, &attr)) - { - if (attr.len == 1 && *attr.ptr >= '0' && *attr.ptr <= '4') - { - attrs->failInfo = (failInfo_t)(*attr.ptr - '0'); - } - if (attrs->failInfo != SCEP_unknown_REASON) - { - DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]); - } - free(attr.ptr); - } - - pkcs7->get_attribute(pkcs7, OID_PKI_SENDER_NONCE, enumerator, - &attrs->senderNonce); - pkcs7->get_attribute(pkcs7, OID_PKI_RECIPIENT_NONCE, enumerator, - &attrs->recipientNonce); - pkcs7->get_attribute(pkcs7, OID_PKI_TRANS_ID, enumerator, - &attrs->transID); -} - -/** - * Generates a unique fingerprint of the pkcs10 request - * by computing an MD5 hash over it - */ -chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10) -{ - chunk_t digest = chunk_alloca(HASH_SIZE_MD5); - hasher_t *hasher; - - hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5); - if (!hasher || !hasher->get_hash(hasher, pkcs10, digest.ptr)) - { - DESTROY_IF(hasher); - return chunk_empty; - } - hasher->destroy(hasher); - - return chunk_to_hex(digest, NULL, FALSE); -} - -/** - * Generate a transaction id as the MD5 hash of an public key - * the transaction id is also used as a unique serial number - */ -void scep_generate_transaction_id(public_key_t *key, chunk_t *transID, - chunk_t *serialNumber) -{ - chunk_t digest = chunk_alloca(HASH_SIZE_MD5); - chunk_t keyEncoding = chunk_empty, keyInfo; - hasher_t *hasher; - int zeros = 0, msb_set = 0; - - key->get_encoding(key, PUBKEY_ASN1_DER, &keyEncoding); - - keyInfo = asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), - asn1_bitstring("m", keyEncoding)); - - hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5); - if (!hasher || !hasher->get_hash(hasher, keyInfo, digest.ptr)) - { - memset(digest.ptr, 0, digest.len); - } - DESTROY_IF(hasher); - free(keyInfo.ptr); - - /* the serialNumber should be valid ASN1 integer content: - * remove leading zeros, add one if MSB is set (two's complement) */ - while (zeros < digest.len) - { - if (digest.ptr[zeros]) - { - if (digest.ptr[zeros] & 0x80) - { - msb_set = 1; - } - break; - } - zeros++; - } - *serialNumber = chunk_alloc(digest.len - zeros + msb_set); - if (msb_set) - { - serialNumber->ptr[0] = 0x00; - } - memcpy(serialNumber->ptr + msb_set, digest.ptr + zeros, - digest.len - zeros); - - /* the transaction id is the serial number in hex format */ - *transID = chunk_to_hex(digest, NULL, TRUE); -} - -/** - * Builds a pkcs7 enveloped and signed scep request - */ -chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg, - certificate_t *enc_cert, encryption_algorithm_t enc_alg, - size_t key_size, certificate_t *signer_cert, - hash_algorithm_t digest_alg, private_key_t *private_key) -{ - chunk_t request; - container_t *container; - char nonce[16]; - rng_t *rng; - chunk_t senderNonce, msgType; - - /* generate senderNonce */ - rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); - if (!rng || !rng->get_bytes(rng, sizeof(nonce), nonce)) - { - DESTROY_IF(rng); - return chunk_empty; - } - rng->destroy(rng); - - /* encrypt data in enveloped-data PKCS#7 */ - container = lib->creds->create(lib->creds, - CRED_CONTAINER, CONTAINER_PKCS7_ENVELOPED_DATA, - BUILD_BLOB, data, - BUILD_CERT, enc_cert, - BUILD_ENCRYPTION_ALG, enc_alg, - BUILD_KEY_SIZE, (int)key_size, - BUILD_END); - if (!container) - { - return chunk_empty; - } - if (!container->get_encoding(container, &request)) - { - container->destroy(container); - return chunk_empty; - } - container->destroy(container); - - /* sign enveloped-data in a signed-data PKCS#7 */ - senderNonce = asn1_wrap(ASN1_OCTET_STRING, "c", chunk_from_thing(nonce)); - transID = asn1_wrap(ASN1_PRINTABLESTRING, "c", transID); - msgType = asn1_wrap(ASN1_PRINTABLESTRING, "c", - chunk_create((char*)msgType_values[msg], - strlen(msgType_values[msg]))); - - container = lib->creds->create(lib->creds, - CRED_CONTAINER, CONTAINER_PKCS7_SIGNED_DATA, - BUILD_BLOB, request, - BUILD_SIGNING_CERT, signer_cert, - BUILD_SIGNING_KEY, private_key, - BUILD_DIGEST_ALG, digest_alg, - BUILD_PKCS7_ATTRIBUTE, OID_PKI_SENDER_NONCE, senderNonce, - BUILD_PKCS7_ATTRIBUTE, OID_PKI_TRANS_ID, transID, - BUILD_PKCS7_ATTRIBUTE, OID_PKI_MESSAGE_TYPE, msgType, - BUILD_END); - - free(request.ptr); - free(senderNonce.ptr); - free(transID.ptr); - free(msgType.ptr); - - if (!container) - { - return chunk_empty; - } - if (!container->get_encoding(container, &request)) - { - container->destroy(container); - return chunk_empty; - } - container->destroy(container); - - return request; -} - -/** - * Converts a binary request to base64 with 64 characters per line - * newline and '+' characters are escaped by %0A and %2B, respectively - */ -static char* escape_http_request(chunk_t req) -{ - char *escaped_req = NULL; - char *p1, *p2; - int lines = 0; - int plus = 0; - int n = 0; - - /* compute and allocate the size of the base64-encoded request */ - int len = 1 + 4 * ((req.len + 2) / 3); - char *encoded_req = malloc(len); - - /* do the base64 conversion */ - chunk_t base64 = chunk_to_base64(req, encoded_req); - len = base64.len + 1; - - /* compute newline characters to be inserted every 64 characters */ - lines = (len - 2) / 64; - - /* count number of + characters to be escaped */ - p1 = encoded_req; - while (*p1 != '\0') - { - if (*p1++ == '+') - { - plus++; - } - } - - escaped_req = malloc(len + 3 * (lines + plus)); - - /* escape special characters in the request */ - p1 = encoded_req; - p2 = escaped_req; - while (*p1 != '\0') - { - if (n == 64) - { - memcpy(p2, "%0A", 3); - p2 += 3; - n = 0; - } - if (*p1 == '+') - { - memcpy(p2, "%2B", 3); - p2 += 3; - } - else - { - *p2++ = *p1; - } - p1++; - n++; - } - *p2 = '\0'; - free(encoded_req); - return escaped_req; -} - -/** - * Send a SCEP request via HTTP and wait for a response - */ -bool scep_http_request(const char *url, chunk_t msg, scep_op_t op, - bool http_get_request, u_int timeout, char *src, - chunk_t *response) -{ - int len; - status_t status; - char *complete_url = NULL; - host_t *srcip = NULL; - - /* initialize response */ - *response = chunk_empty; - - if (src) - { - srcip = host_create_from_string(src, 0); - } - - DBG2(DBG_APP, "sending scep request to '%s'", url); - - if (op == SCEP_PKI_OPERATION) - { - const char operation[] = "PKIOperation"; - - if (http_get_request) - { - char *escaped_req = escape_http_request(msg); - - /* form complete url */ - len = strlen(url) + 20 + strlen(operation) + strlen(escaped_req) + 1; - complete_url = malloc(len); - snprintf(complete_url, len, "%s?operation=%s&message=%s" - , url, operation, escaped_req); - free(escaped_req); - - status = lib->fetcher->fetch(lib->fetcher, complete_url, response, - FETCH_HTTP_VERSION_1_0, - FETCH_TIMEOUT, timeout, - FETCH_REQUEST_HEADER, "Pragma:", - FETCH_REQUEST_HEADER, "Host:", - FETCH_REQUEST_HEADER, "Accept:", - FETCH_SOURCEIP, srcip, - FETCH_END); - } - else /* HTTP_POST */ - { - /* form complete url */ - len = strlen(url) + 11 + strlen(operation) + 1; - complete_url = malloc(len); - snprintf(complete_url, len, "%s?operation=%s", url, operation); - - status = lib->fetcher->fetch(lib->fetcher, complete_url, response, - FETCH_HTTP_VERSION_1_0, - FETCH_TIMEOUT, timeout, - FETCH_REQUEST_DATA, msg, - FETCH_REQUEST_TYPE, "", - FETCH_REQUEST_HEADER, "Expect:", - FETCH_SOURCEIP, srcip, - FETCH_END); - } - } - else /* SCEP_GET_CA_CERT */ - { - const char operation[] = "GetCACert"; - int i; - - /* escape spaces, TODO: complete URL escape */ - for (i = 0; i < msg.len; i++) - { - if (msg.ptr[i] == ' ') - { - msg.ptr[i] = '+'; - } - } - - /* form complete url */ - len = strlen(url) + 32 + strlen(operation) + msg.len + 1; - complete_url = malloc(len); - snprintf(complete_url, len, "%s?operation=%s&message=%.*s", - url, operation, (int)msg.len, msg.ptr); - - status = lib->fetcher->fetch(lib->fetcher, complete_url, response, - FETCH_HTTP_VERSION_1_0, - FETCH_TIMEOUT, timeout, - FETCH_SOURCEIP, srcip, - FETCH_END); - } - - DESTROY_IF(srcip); - free(complete_url); - return (status == SUCCESS); -} - -err_t scep_parse_response(chunk_t response, chunk_t transID, - container_t **out, scep_attributes_t *attrs) -{ - enumerator_t *enumerator; - bool verified = FALSE; - container_t *container; - auth_cfg_t *auth; - - container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7, - BUILD_BLOB_ASN1_DER, response, BUILD_END); - if (!container) - { - return "error parsing the scep response"; - } - if (container->get_type(container) != CONTAINER_PKCS7_SIGNED_DATA) - { - container->destroy(container); - return "scep response is not PKCS#7 signed-data"; - } - - enumerator = container->create_signature_enumerator(container); - while (enumerator->enumerate(enumerator, &auth)) - { - verified = TRUE; - extract_attributes((pkcs7_t*)container, enumerator, attrs); - if (!chunk_equals(transID, attrs->transID)) - { - enumerator->destroy(enumerator); - container->destroy(container); - return "transaction ID of scep response does not match"; - } - } - enumerator->destroy(enumerator); - if (!verified) - { - container->destroy(container); - return "unable to verify PKCS#7 container"; - } - *out = container; - return NULL; -} diff --git a/src/scepclient/scep.h b/src/scepclient/scep.h deleted file mode 100644 index d5ad2a3bde..0000000000 --- a/src/scepclient/scep.h +++ /dev/null @@ -1,88 +0,0 @@ -/* - * Copyright (C) 2012 Tobias Brunner - * Copyright (C) 2005 Jan Hutter, Martin Willi - * - * Copyright (C) secunet Security Networks AG - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef _SCEP_H -#define _SCEP_H - -#include -#include - -/* supported SCEP operation types */ -typedef enum { - SCEP_PKI_OPERATION, - SCEP_GET_CA_CERT -} scep_op_t; - -/* SCEP pkiStatus values */ -typedef enum { - SCEP_SUCCESS, - SCEP_FAILURE, - SCEP_PENDING, - SCEP_UNKNOWN -} pkiStatus_t; - -/* SCEP messageType values */ -typedef enum { - SCEP_CertRep_MSG, - SCEP_PKCSReq_MSG, - SCEP_GetCertInitial_MSG, - SCEP_GetCert_MSG, - SCEP_GetCRL_MSG, - SCEP_Unknown_MSG -} scep_msg_t; - -/* SCEP failure reasons */ -typedef enum { - SCEP_badAlg_REASON = 0, - SCEP_badMessageCheck_REASON = 1, - SCEP_badRequest_REASON = 2, - SCEP_badTime_REASON = 3, - SCEP_badCertId_REASON = 4, - SCEP_unknown_REASON = 5 -} failInfo_t; - -/* SCEP attributes */ -typedef struct { - scep_msg_t msgType; - pkiStatus_t pkiStatus; - failInfo_t failInfo; - chunk_t transID; - chunk_t senderNonce; - chunk_t recipientNonce; -} scep_attributes_t; - -extern const scep_attributes_t empty_scep_attributes; - -bool parse_attributes(chunk_t blob, scep_attributes_t *attrs); -void scep_generate_transaction_id(public_key_t *key, - chunk_t *transID, - chunk_t *serialNumber); -chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10); -chunk_t scep_transId_attribute(chunk_t transaction_id); -chunk_t scep_messageType_attribute(scep_msg_t m); -chunk_t scep_senderNonce_attribute(void); -chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg, - certificate_t *enc_cert, encryption_algorithm_t enc_alg, - size_t key_size, certificate_t *signer_cert, - hash_algorithm_t digest_alg, private_key_t *private_key); -bool scep_http_request(const char *url, chunk_t msg, scep_op_t op, - bool http_get_request, u_int timeout, char *src, - chunk_t *response); -err_t scep_parse_response(chunk_t response, chunk_t transID, - container_t **out, scep_attributes_t *attrs); - -#endif /* _SCEP_H */ diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8 deleted file mode 100644 index a9d3bd9936..0000000000 --- a/src/scepclient/scepclient.8 +++ /dev/null @@ -1,293 +0,0 @@ -.\" -.TH "IPSEC_SCEPCLIENT" "8" "2012-05-11" "strongSwan" "" -.SH "NAME" -ipsec scepclient \- Client for the SCEP protocol -.SH "SYNOPSIS" -.B ipsec scepclient [argument ...] -.sp -.B ipsec scepclient -.B \-\-help -.br -.B ipsec scepclient -.B \-\-version -.SH "DESCRIPTION" -.BR scepclient -is a client implementation of Cisco System's Simple Certificate Enrollment Protocol (SCEP) written for Linux strongSwan . -.BR scepclient -is designed to be used for certificate enrollment on machines using the OpenSource IPsec solution -.I strongSwan. -.SH "FEATURES" -.BR scepclient -implements the following features of SCEP: -.br -.IP "\-" 4 -Automatic enrollment of client certificate using a preshared secret -.IP "\-" 4 -Manual enrollment of client certificate. Offline fingerprint check required! -.IP "\-" 4 -Acquisition of CA certificate(s) -.SH "OPTIONS" -.SS Basic Startup Options -.B \-v, \-\-version -.RS 4 -Display the version of ipsec scepclient. -.PP -.RE -.B \-h, \-\-help -.RS 4 -Display usage of ipsec scepclient. -.RE - -.SS General Options -.B \-u, \-\-url \fIurl\fP -.RS 4 -Full HTTP URL of the SCEP server to be used for certificate enrollment and CA certificate acquisition. -.RE -.PP -.B \-+, \-\-optionsfrom \fIfilename\fP -.RS 4 -Reads additional options from \fIfilename\fP. -.RE -.PP -.B \-f, \-\-force -.RS 4 -Overwrite existing output file[s]. -.RE -.PP -.B \-q, \-\-quiet -.RS 4 -Do not write log output to stderr. -.RE - -.SS Options for CA Certificate Acquisition -.B \-o, \-\-out cacert[=\fIfilename\fP] -.RS 4 -Output file of acquired CA certificate. If more then one CA certificate is -available, \fIfilename\fP is used as prefix for the resulting files (refer to -EXAMPLES below for details). -.br -The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der. -.RE - -.SS Options For Certificate Enrollment -.B \-i, \-\-in \fItype\fP[=\fIfilename\fP] -.RS 4 -Input file for certificate enrollment. This option can be specified multiple times to specify input files for every \fItype\fP. -Input files can be either DER or PEM encoded. -.PP -Supported values for \fItype\fP: -.IP "\fBpkcs1\fP" 12 -RSA private key in PKCS#1 file format. If no input of this type is specified, a RSA key gets generated. -.br -The default \fIfilename\fP is $CONFDIR/ipsec.d/private/myKey.der. -.IP "\fBpkcs10\fP" 12 -PKCS#10 certificate request to be used in the SCEP request. If no input of this type is specified, a request is generated. -.br -The default \fIfilename\fP is $CONFDIR/ipsec.d/req/myReq.der. -.IP "\fBcacert\-enc\fP" 12 -CA certificate to encrypt the SCEP request. Has to be specified for certificate enrollment. -.br -The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der. -.IP "\fBcacert\-sig\fP" 12 -CA certificate to check signature of SCEP reply. Has to be specified for certificate enrollment. -.br -The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der. -.IP "\fBcert-self\fP" 12 -Certificate to be used in the SCEP request. If it is not specified a -self-signed certificate is generated automatically. -.br -The default \fIfilename\fP is $CONFDIR/ipsec.d/certs/selfCert.der. -.RE -.PP -.B \-k, \-\-keylength \fIbits\fP -.RS 4 -sets the key length for RSA key generation. The default length for a generated rsa key is set to 2048 bit. -.RE -.PP -.B \-D, \-\-days \fIdays\fP -.RS 4 -Validity of the self-signed X.509 certificate in days. The default is 1825 days (5 years). -.RE -.PP -.B \-S, \-\-startdate \fIYYMMDDHHMMSS\fPZ -.RS 4 -defines the \fBnotBefore\fP date when the X.509 certificate becomes valid. -The date has the format \fIYYMMDDHHMMSS\fP and must be specified in UTC (Zulu time). -If the \fB--startdate\fP option is not specified then the current date is taken as a default. -.RE -.PP -.B \-E, \-\-enddate \fIYYMMDDHHMMSS\fPZ -.RS 4 -defines the \fBnotAfter\fP date when the X.509 certificate will expire. -The date has the format \fIYYMMDDHHMMSS\fP and must be specified in UTC (Zulu time). -If the \fB--enddate\fP option is not specified then the default \fBnotAfter\fP value is computed by -adding the validity interval specified by the \fB--days\fP option to the \fBnotBefore\fP date. -.RE -.PP -.B \-d, \-\-dn \fIdn\fP -.RS 4 -Distinguished name as comma separated list of relative distinguished names. Use quotation marks for a distinguished name containing spaces. If the \fB\-\-dn\fP parameter is missing then the default "C=CH, O=Linux strongSwan, CN=\fIhostname\fP" -is used with \fIhostname\fP being the return value of the \fIgethostname\fP() function. -.RE -.PP -.B \-s, \-\-subjectAltName \fItype\fP=\fIvalue\fP -.RS 4 -Include subjectAltName in certificate request. This option can be specified multiple times to specify a subjectAltName -for every \fItype\fP. -.PP -Supported values for \fItype\fP: -.IP "\fBemail\fP" 12 -subjectAltName is a email address. -.IP "\fBdns\fP" 12 -subjectAltName is a hostname. -.IP "\fBip\fP" 12 -subjectAltName is a IP address. -.RE -.PP -.B \-p, \-\-password \fIpw\fP -.RS 4 -Password to be included as a \fIchallenge password\fP in SCEP request. -If \fIpw\fP is \fB%prompt\fP', the password gets prompted for on the command line. -.IP -\- In automatic mode, this password corresponds to the preshared secret for the given enrollment. -.IP -\- In manual mode, this password can be used to later revoke the corresponding certificate. -.RE -.PP -.B \-a, \-\-algorithm [\fItype\fP=]\fIalgo\fP -.RS 4 -Change the algorithms to be used when generating and transporting (PKCS#7) -certificate requests (PKCS#10). -.PP -Supported values for \fItype\fP: -.IP "\fBenc\fP" 12 -symmetric encryption algorithm in PKCS#7 -.IP "\fBdgst\fP" 12 -hash algorithm for message digest in PKCS#7 -.IP "\fBsig\fP" 12 -hash algorithm for the signature in PKCS#10 -.PP -If \fItype\fP is not specified \fBenc\fP is assumed. -.PP -Supported values for \fIalgo\fP (\fBenc\fP): -.IP "\fBdes\fP" 12 -DES-CBC encryption (key size = 56 bit). Default. -.IP "\fB3des\fP" 12 -Triple DES-EDE-CBC encryption (key size = 168 bit). -.IP "\fBaes128\fP" 12 -AES-CBC encryption (key size = 128 bit). -.IP "\fBaes192\fP" 12 -AES-CBC encryption (key size = 192 bit). -.IP "\fBaes256\fP" 12 -AES-CBC encryption (key size = 256 bit). -.IP "\fBcamellia128\fP" 12 -Camellia-CBC encryption (key size = 128 bit). -.IP "\fBcamellia192\fP" 12 -Camellia-CBC encryption (key size = 192 bit). -.IP "\fBcamellia256\fP" 12 -Camellia-CBC encryption (key size = 256 bit). -.PP -Supported values for \fIalgo\fP (\fBdgst\fP or \fBsig\fP): -.PP -\fBmd5\fP (default), \fBsha1\fP, \fBsha256\fP, \fBsha384\fP, \fBsha512\fP -.RE -.PP -.B \-o, \-\-out \fItype\fP[=\fIfilename\fP] -.RS 4 -Output file for certificate enrollment. This option can be specified multiple times to specify output files for every \fItype\fP. -.PP -Supported values for \fItype\fP: -.IP "\fBpkcs1\fP" 12 -RSA private key in PKCS#1 file format. If specified, the RSA key used for enrollment is stored in file \fIfilename\fP. -If none of the \fItypes\fP listed below are specified, \fBscepclient\fP will stop after outputting this file. -.br -The default \fIfilename\fP is $CONFDIR/ipsec.d/private/myKey.der. -.IP "\fBpkcs10\fP" 12 -PKCS#10 certificate request. If specified, the PKCS#10 request used or certificate enrollment is stored in file \fIfilename\fP. -If none of the \fItypes\fP listed below are specified, \fBscepclient\fP will stop after outputting this file. -.br -The default \fIfilename\fP is $CONFDIR/ipsec.d/req/myReq.der. -.IP "\fBpkcs7\fP" 12 -PKCS#7 SCEP request as it is sent using HTTP to the SCEP server. If specified, this SCEP request is stored in file \fIfilename\fP. -If none of \fItypes\fP listed below is not specified, \fBscepclient\fP will stop after outputting this file. -.br -The default \fIfilename\fP is $CONFDIR/ipsec.d/req/pkcs7.der. -.IP "\fBcert-self\fP" 12 -Self-signed certificate. If specified the self-signed certificate is stored in file \fIfilename\fP. -.br -The default \fIfilename\fP is $CONFDIR/ipsec.d/certs/selfCert.der. -.IP "\fBcert\fP" 12 -Enrolled certificate. This \fItype\fP must be specified for certificate enrollment. -The enrolled certificate is stored in file \fIfilename\fP. -.br -The default \fIfilename\fP is set to $CONFDIR/ipsec.d/certs/myCert.der. -.RE -.PP -.B \-m, \-\-method \fImethod\fP -.RS 4 -Change HTTP request method for certificate enrollment. Default is \fBget\fP. -.PP -Supported values for \fImethod\fP: -.IP "\fBpost\fP" 12 -Certificate enrollment using HTTP POST. Must be supported by the given SCEP server. -.IP "\fBget\fP" 12 -Certificate enrollment using HTTP GET. -.RE -.PP -.B \-t, \-\-interval \fIseconds\fP -.RS 4 -Set interval time in seconds when polling in manual mode. -The default interval is set to 5 seconds. -.RE -.PP -.B \-x, \-\-maxpolltime \fIseconds\fP -.RS 4 -Set max time in seconds to poll in manual mode. -The default max time is set to unlimited. -.RE - -.SS Debugging Output Options: -.B \-l, \-\-debug \fIlevel\fP -.RS 4 -Changes the log level (-1..4, default: 1) -.RE -.SH "EXAMPLES" -.B ipsec scepclient \-\-out caCert \-\-url http://scepserver/cgi\-bin/pkiclient.exe \-f -.RS 4 -Acquire CA certificate from SCEP server and store it in the default file $CONFDIR/ipsec.d/cacerts/caCert.der. -If more then one CA certificate is returned, store them in files named -\'caCert\-1.der\', \'caCert\-2.der\', etc. -If an RA certificate is returned, store it in a file named \'caCert\-ra.der\'. -If more than one RA certificate is returned, store them in files named -\'caCert\-ra\-1.der\', \'caCert\-ra\-2.der\', etc. -.RE -.PP -.B ipsec scepclient \-\-out pkcs1=joeKey.der \-k 1024 -.RS 4 -Generate RSA private key with key length of 1024 bit and store it in file joeKey.der. -.RE -.PP -.B ipsec scepclient \-\-in pkcs1=joeKey.der \-\-out pkcs10=joeReq.der \e -.br -.B \-\-dn \*(rqC=AT, CN=John Doe\*(rq \-s email=john@doe.com \-p mypassword -.RS 4 -Generate a PKCS#10 request and store it in file joeReq.der. Use the RSA private key joeKey.der -created earlier to sign the PKCS#10\-Request. In addition to the distinguished name include a -email\-subjectAltName and a challenge password in the request. -.RE -.PP -.B ipsec scepclient \-\-out pkcs1=joeKey.der \-\-out cert==joeCert.der \e -.br -.B \-\-dn \*(rqC=CH, CN=John Doe\*(rq \-k 512 \-p 5xH2pnT7wq \e -.br -.B \-\-url http://scep.hsr.ch/cgi\-bin/pkiclient.exe \e -.br -.B \-\-in cacert\-enc=caCert.der \-\-in cacert\-sig=caCert.der -.RS 4 -Generate a new RSA key for the request and store it in joeKey.der. Then enroll a certificate and store as joeCert.der. -The challenge password is '5xH2pnT7wq'. The encryption and signature check has to be made with the same CA certificate -caCert.der. -.RE - -.SH "BUGS" -\fB\-\-optionsfrom\fP seems to have parsing problems reading option files containing strings in quotation marks. diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c deleted file mode 100644 index 1c5e242377..0000000000 --- a/src/scepclient/scepclient.c +++ /dev/null @@ -1,1491 +0,0 @@ -/* - * Copyright (C) 2012 Tobias Brunner - * Copyright (C) 2005 Jan Hutter, Martin Willi - * - * Copyright (C) secunet Security Networks AG - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "scep.h" - -/* - * definition of some defaults - */ - -/* some paths */ -#define REQ_PATH IPSEC_CONFDIR "/ipsec.d/reqs" -#define HOST_CERT_PATH IPSEC_CONFDIR "/ipsec.d/certs" -#define CA_CERT_PATH IPSEC_CONFDIR "/ipsec.d/cacerts" -#define PRIVATE_KEY_PATH IPSEC_CONFDIR "/ipsec.d/private" - -/* default name of DER-encoded PKCS#1 private key file */ -#define DEFAULT_FILENAME_PKCS1 "myKey.der" - -/* default name of DER-encoded PKCS#10 certificate request file */ -#define DEFAULT_FILENAME_PKCS10 "myReq.der" - -/* default name of DER-encoded PKCS#7 file */ -#define DEFAULT_FILENAME_PKCS7 "pkcs7.der" - -/* default name of DER-encoded self-signed X.509 certificate file */ -#define DEFAULT_FILENAME_CERT_SELF "selfCert.der" - -/* default name of DER-encoded X.509 certificate file */ -#define DEFAULT_FILENAME_CERT "myCert.der" - -/* default name of DER-encoded CA cert file used for key encipherment */ -#define DEFAULT_FILENAME_CACERT_ENC "caCert.der" - -/* default name of the der encoded CA cert file used for signature verification */ -#define DEFAULT_FILENAME_CACERT_SIG "caCert.der" - -/* default prefix of the der encoded CA certificates received from the SCEP server */ -#define DEFAULT_FILENAME_PREFIX_CACERT "caCert.der" - -/* default certificate validity */ -#define DEFAULT_CERT_VALIDITY 5 * 3600 * 24 * 365 /* seconds */ - -/* default polling time interval in SCEP manual mode */ -#define DEFAULT_POLL_INTERVAL 20 /* seconds */ - -/* default key length for self-generated RSA keys */ -#define DEFAULT_RSA_KEY_LENGTH 2048 /* bits */ - -/* default distinguished name */ -#define DEFAULT_DN "C=CH, O=Linux strongSwan, CN=" - -/* minimum RSA key size */ -#define RSA_MIN_OCTETS (512 / BITS_PER_BYTE) - -/* challenge password buffer size */ -#define MAX_PASSWORD_LENGTH 256 - -/* Max length of filename for tempfile */ -#define MAX_TEMP_FILENAME_LENGTH 256 - - -/* current scepclient version */ -static const char *scepclient_version = "1.0"; - -/* by default the CRL policy is lenient */ -bool strict_crl_policy = FALSE; - -/* by default pluto does not check crls dynamically */ -long crl_check_interval = 0; - -/* by default pluto logs out after every smartcard use */ -bool pkcs11_keep_state = FALSE; - -/* by default HTTP fetch timeout is 30s */ -static u_int http_timeout = 30; - -/* address to bind for HTTP fetches */ -static char* http_bind = NULL; - -/* options read by optionsfrom */ -options_t *options; - -/* - * Global variables - */ -chunk_t pkcs1; -chunk_t pkcs7; -chunk_t challengePassword; -chunk_t serialNumber; -chunk_t transID; -chunk_t fingerprint; -chunk_t encoding; -chunk_t pkcs10_encoding; -chunk_t issuerAndSubject; -chunk_t getCertInitial; -chunk_t scep_response; - -linked_list_t *subjectAltNames; - -identification_t *subject = NULL; -private_key_t *private_key = NULL; -public_key_t *public_key = NULL; -certificate_t *x509_signer = NULL; -certificate_t *x509_ca_enc = NULL; -certificate_t *x509_ca_sig = NULL; -certificate_t *pkcs10_req = NULL; - -mem_cred_t *creds = NULL; - -/* logging */ -static bool log_to_stderr = TRUE; -static bool log_to_syslog = TRUE; -static level_t default_loglevel = 1; - -/** - * logging function for scepclient - */ -static void scepclient_dbg(debug_t group, level_t level, char *fmt, ...) -{ - char buffer[8192]; - char *current = buffer, *next; - va_list args; - - if (level <= default_loglevel) - { - if (log_to_stderr) - { - va_start(args, fmt); - vfprintf(stderr, fmt, args); - va_end(args); - fprintf(stderr, "\n"); - } - if (log_to_syslog) - { - /* write in memory buffer first */ - va_start(args, fmt); - vsnprintf(buffer, sizeof(buffer), fmt, args); - va_end(args); - - /* do a syslog with every line */ - while (current) - { - next = strchr(current, '\n'); - if (next) - { - *(next++) = '\0'; - } - syslog(LOG_INFO, "%s\n", current); - current = next; - } - } - } -} - -/** - * Initialize logging to stderr/syslog - */ -static void init_log(const char *program) -{ - dbg = scepclient_dbg; - - if (log_to_stderr) - { - setbuf(stderr, NULL); - } - if (log_to_syslog) - { - openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV); - } -} - -/** - * join two paths if filename is not absolute - */ -static void join_paths(char *target, size_t target_size, char *parent, - char *filename) -{ - if (*filename == '/' || *filename == '.') - { - snprintf(target, target_size, "%s", filename); - } - else - { - snprintf(target, target_size, "%s/%s", parent, filename); - } -} - -/** - * add a suffix to a given filename, properly handling extensions like '.der' - */ -static void add_path_suffix(char *target, size_t target_size, char *filename, - char *suffix_fmt, ...) -{ - char suffix[PATH_MAX], *start, *dot; - va_list args; - - va_start(args, suffix_fmt); - vsnprintf(suffix, sizeof(suffix), suffix_fmt, args); - va_end(args); - - start = strrchr(filename, '/'); - start = start ?: filename; - dot = strrchr(start, '.'); - - if (!dot || dot == start || dot[1] == '\0') - { /* no extension add suffix at the end */ - snprintf(target, target_size, "%s%s", filename, suffix); - } - else - { /* add the suffix between the filename and the extension */ - snprintf(target, target_size, "%.*s%s%s", (int)(dot - filename), - filename, suffix, dot); - } -} - -/** - * @brief exit scepclient - * - * @param status 0 = OK, 1 = general discomfort - */ -static void exit_scepclient(err_t message, ...) -{ - int status = 0; - - if (creds) - { - lib->credmgr->remove_set(lib->credmgr, &creds->set); - creds->destroy(creds); - } - - DESTROY_IF(subject); - DESTROY_IF(private_key); - DESTROY_IF(public_key); - DESTROY_IF(x509_signer); - DESTROY_IF(x509_ca_enc); - DESTROY_IF(x509_ca_sig); - DESTROY_IF(pkcs10_req); - subjectAltNames->destroy_offset(subjectAltNames, - offsetof(identification_t, destroy)); - free(pkcs1.ptr); - free(pkcs7.ptr); - free(serialNumber.ptr); - free(transID.ptr); - free(fingerprint.ptr); - free(encoding.ptr); - free(pkcs10_encoding.ptr); - free(issuerAndSubject.ptr); - free(getCertInitial.ptr); - free(scep_response.ptr); - options->destroy(options); - - /* print any error message to stderr */ - if (message != NULL && *message != '\0') - { - va_list args; - char m[8192]; - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - fprintf(stderr, "error: %s\n", m); - status = -1; - } - library_deinit(); - exit(status); -} - -/** - * @brief prints the program version and exits - * - */ -static void version(void) -{ - printf("scepclient %s\n", scepclient_version); - exit_scepclient(NULL); -} - -/** - * @brief prints the usage of the program to the stderr output - * - * If message is set, program is exited with 1 (error) - * @param message message in case of an error - */ -static void usage(const char *message) -{ - fprintf(stderr, - "Usage: scepclient\n" - " --help (-h) show usage and exit\n" - " --version (-v) show version and exit\n" - " --quiet (-q) do not write log output to stderr\n" - " --in (-i) [=] use of for input\n" - " = pkcs1 | pkcs10 | cert-self\n" - " cacert-enc | cacert-sig\n" - " - if no pkcs1 input is defined, an RSA\n" - " key will be generated\n" - " - if no pkcs10 input is defined, a\n" - " PKCS#10 request will be generated\n" - " - if no cert-self input is defined, a\n" - " self-signed certificate will be generated\n" - " - if no filename is given, default is used\n" - " --out (-o) [=] write output of to \n" - " multiple outputs are allowed\n" - " = pkcs1 | pkcs10 | pkcs7 | cert-self |\n" - " cert | cacert\n" - " - type cacert defines filename prefix of\n" - " received CA certificate(s)\n" - " - if no filename is given, default is used\n" - " --optionsfrom (-+) reads additional options from given file\n" - " --force (-f) force existing file(s)\n" - " --httptimeout (-T) timeout for HTTP operations (default: 30s)\n" - " --bind (-b) source address to bind for HTTP operations\n" - "\n" - "Options for key generation (pkcs1):\n" - " --keylength (-k) key length for RSA key generation\n" - " (default: 2048 bits)\n" - "\n" - "Options for validity:\n" - " --days (-D) validity in days\n" - " --startdate (-S) Z not valid before date\n" - " --enddate (-E) Z not valid after date\n" - "\n" - "Options for request generation (pkcs10):\n" - " --dn (-d) comma separated list of distinguished names\n" - " --subjectAltName (-s) = include subjectAltName in certificate request\n" - " = email | dns | ip \n" - " --password (-p) challenge password\n" - " - use '%%prompt' as pw for a password prompt\n" - " --algorithm (-a) [=] algorithm to be used for PKCS#7 encryption,\n" - " PKCS#7 digest or PKCS#10 signature\n" - " = enc | dgst | sig\n" - " - if no type is given enc is assumed\n" - " = des (default) | 3des | aes128 |\n" - " aes192 | aes256 | camellia128 |\n" - " camellia192 | camellia256\n" - " = md5 (default) | sha1 | sha256 |\n" - " sha384 | sha512\n" - "\n" - "Options for CA certificate acquisition:\n" - " --caname (-c) name of CA to fetch CA certificate(s)\n" - " (default: CAIdentifier)\n" - "Options for enrollment (cert):\n" - " --url (-u) url of the SCEP server\n" - " --method (-m) post | get http request type\n" - " --interval (-t) poll interval in seconds (default 20s)\n" - " --maxpolltime (-x) max poll time in seconds when in manual mode\n" - " (default: unlimited)\n" - "\n" - "Debugging output:\n" - " --debug (-l) changes the log level (-1..4, default: 1)\n" - ); - exit_scepclient(message); -} - -/** - * @brief main of scepclient - * - * @param argc number of arguments - * @param argv pointer to the argument values - */ -int main(int argc, char **argv) -{ - /* external values */ - extern char * optarg; - extern int optind; - - /* type of input and output files */ - typedef enum { - PKCS1 = 0x01, - PKCS10 = 0x02, - PKCS7 = 0x04, - CERT_SELF = 0x08, - CERT = 0x10, - CACERT_ENC = 0x20, - CACERT_SIG = 0x40, - } scep_filetype_t; - - /* filetype to read from, defaults to "generate a key" */ - scep_filetype_t filetype_in = 0; - - /* filetype to write to, no default here */ - scep_filetype_t filetype_out = 0; - - /* input files */ - char *file_in_pkcs1 = DEFAULT_FILENAME_PKCS1; - char *file_in_pkcs10 = DEFAULT_FILENAME_PKCS10; - char *file_in_cert_self = DEFAULT_FILENAME_CERT_SELF; - char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC; - char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG; - - /* output files */ - char *file_out_pkcs1 = DEFAULT_FILENAME_PKCS1; - char *file_out_pkcs10 = DEFAULT_FILENAME_PKCS10; - char *file_out_pkcs7 = DEFAULT_FILENAME_PKCS7; - char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF; - char *file_out_cert = DEFAULT_FILENAME_CERT; - char *file_out_ca_cert = DEFAULT_FILENAME_CACERT_ENC; - - /* by default user certificate is requested */ - bool request_ca_certificate = FALSE; - - /* by default existing files are not overwritten */ - bool force = FALSE; - - /* length of RSA key in bits */ - u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH; - - /* validity of self-signed certificate */ - time_t validity = DEFAULT_CERT_VALIDITY; - time_t notBefore = 0; - time_t notAfter = 0; - - /* distinguished name for requested certificate, ASCII format */ - char *distinguishedName = NULL; - char default_distinguished_name[BUF_LEN]; - - /* challenge password */ - char challenge_password_buffer[MAX_PASSWORD_LENGTH]; - - /* symmetric encryption algorithm used by pkcs7, default is DES */ - encryption_algorithm_t pkcs7_symmetric_cipher = ENCR_DES; - size_t pkcs7_key_size = 0; - - /* digest algorithm used by pkcs7, default is MD5 */ - hash_algorithm_t pkcs7_digest_alg = HASH_MD5; - - /* signature algorithm used by pkcs10, default is MD5 */ - hash_algorithm_t pkcs10_signature_alg = HASH_MD5; - - /* URL of the SCEP-Server */ - char *scep_url = NULL; - - /* Name of CA to fetch CA certs for */ - char *ca_name = "CAIdentifier"; - - /* http request method, default is GET */ - bool http_get_request = TRUE; - - /* poll interval time in manual mode in seconds */ - u_int poll_interval = DEFAULT_POLL_INTERVAL; - - /* maximum poll time */ - u_int max_poll_time = 0; - - err_t ugh = NULL; - - /* initialize library */ - if (!library_init(NULL, "scepclient")) - { - library_deinit(); - exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); - } - if (lib->integrity && - !lib->integrity->check_file(lib->integrity, "scepclient", argv[0])) - { - fprintf(stderr, "integrity check of scepclient failed\n"); - library_deinit(); - exit(SS_RC_DAEMON_INTEGRITY); - } - - /* initialize global variables */ - pkcs1 = chunk_empty; - pkcs7 = chunk_empty; - serialNumber = chunk_empty; - transID = chunk_empty; - fingerprint = chunk_empty; - encoding = chunk_empty; - pkcs10_encoding = chunk_empty; - issuerAndSubject = chunk_empty; - challengePassword = chunk_empty; - getCertInitial = chunk_empty; - scep_response = chunk_empty; - subjectAltNames = linked_list_create(); - options = options_create(); - - for (;;) - { - static const struct option long_opts[] = { - /* name, has_arg, flag, val */ - { "help", no_argument, NULL, 'h' }, - { "version", no_argument, NULL, 'v' }, - { "optionsfrom", required_argument, NULL, '+' }, - { "quiet", no_argument, NULL, 'q' }, - { "debug", required_argument, NULL, 'l' }, - { "in", required_argument, NULL, 'i' }, - { "out", required_argument, NULL, 'o' }, - { "force", no_argument, NULL, 'f' }, - { "httptimeout", required_argument, NULL, 'T' }, - { "bind", required_argument, NULL, 'b' }, - { "keylength", required_argument, NULL, 'k' }, - { "dn", required_argument, NULL, 'd' }, - { "days", required_argument, NULL, 'D' }, - { "startdate", required_argument, NULL, 'S' }, - { "enddate", required_argument, NULL, 'E' }, - { "subjectAltName", required_argument, NULL, 's' }, - { "password", required_argument, NULL, 'p' }, - { "algorithm", required_argument, NULL, 'a' }, - { "url", required_argument, NULL, 'u' }, - { "caname", required_argument, NULL, 'c'}, - { "method", required_argument, NULL, 'm' }, - { "interval", required_argument, NULL, 't' }, - { "maxpolltime", required_argument, NULL, 'x' }, - { 0,0,0,0 } - }; - - /* parse next option */ - int c = getopt_long(argc, argv, "hv+:ql:i:o:fT:k:d:s:p:a:u:c:m:t:x:APRCMS", long_opts, NULL); - - switch (c) - { - case EOF: /* end of flags */ - break; - - case 'h': /* --help */ - usage(NULL); - - case 'v': /* --version */ - version(); - - case 'q': /* --quiet */ - log_to_stderr = FALSE; - continue; - - case 'l': /* --debug */ - default_loglevel = atoi(optarg); - continue; - - case 'i': /* --in [= ] */ - { - char *filename = strstr(optarg, "="); - - if (filename) - { - /* replace '=' by '\0' */ - *filename = '\0'; - /* set pointer to start of filename */ - filename++; - } - if (strcaseeq("pkcs1", optarg)) - { - filetype_in |= PKCS1; - if (filename) - file_in_pkcs1 = filename; - } - else if (strcaseeq("pkcs10", optarg)) - { - filetype_in |= PKCS10; - if (filename) - file_in_pkcs10 = filename; - } - else if (strcaseeq("cacert-enc", optarg)) - { - filetype_in |= CACERT_ENC; - if (filename) - file_in_cacert_enc = filename; - } - else if (strcaseeq("cacert-sig", optarg)) - { - filetype_in |= CACERT_SIG; - if (filename) - file_in_cacert_sig = filename; - } - else if (strcaseeq("cert-self", optarg)) - { - filetype_in |= CERT_SELF; - if (filename) - file_in_cert_self = filename; - } - else - { - usage("invalid --in file type"); - } - continue; - } - - case 'o': /* --out [= ] */ - { - char *filename = strstr(optarg, "="); - - if (filename) - { - /* replace '=' by '\0' */ - *filename = '\0'; - /* set pointer to start of filename */ - filename++; - } - if (strcaseeq("pkcs1", optarg)) - { - filetype_out |= PKCS1; - if (filename) - file_out_pkcs1 = filename; - } - else if (strcaseeq("pkcs10", optarg)) - { - filetype_out |= PKCS10; - if (filename) - file_out_pkcs10 = filename; - } - else if (strcaseeq("pkcs7", optarg)) - { - filetype_out |= PKCS7; - if (filename) - file_out_pkcs7 = filename; - } - else if (strcaseeq("cert-self", optarg)) - { - filetype_out |= CERT_SELF; - if (filename) - file_out_cert_self = filename; - } - else if (strcaseeq("cert", optarg)) - { - filetype_out |= CERT; - if (filename) - file_out_cert = filename; - } - else if (strcaseeq("cacert", optarg)) - { - request_ca_certificate = TRUE; - if (filename) - file_out_ca_cert = filename; - } - else - { - usage("invalid --out file type"); - } - continue; - } - - case 'f': /* --force */ - force = TRUE; - continue; - - case 'T': /* --httptimeout */ - http_timeout = atoi(optarg); - if (http_timeout <= 0) - { - usage("invalid httptimeout specified"); - } - continue; - - case 'b': /* --bind */ - http_bind = optarg; - continue; - - case '+': /* --optionsfrom */ - if (!options->from(options, optarg, &argc, &argv, optind)) - { - exit_scepclient("optionsfrom failed"); - } - continue; - - case 'k': /* --keylength */ - { - div_t q; - - rsa_keylength = atoi(optarg); - if (rsa_keylength == 0) - usage("invalid keylength"); - - /* check if key length is a multiple of 8 bits */ - q = div(rsa_keylength, 2*BITS_PER_BYTE); - if (q.rem != 0) - { - exit_scepclient("keylength is not a multiple of %d bits!" - , 2*BITS_PER_BYTE); - } - continue; - } - - case 'D': /* --days */ - if (optarg == NULL || !isdigit(optarg[0])) - { - usage("missing number of days"); - } - else - { - char *endptr; - long days = strtol(optarg, &endptr, 0); - - if (*endptr != '\0' || endptr == optarg - || days <= 0) - usage(" must be a positive number"); - validity = 24*3600*days; - } - continue; - - case 'S': /* --startdate */ - if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z') - { - usage("date format must be YYMMDDHHMMSSZ"); - } - else - { - chunk_t date = { optarg, 13 }; - notBefore = asn1_to_time(&date, ASN1_UTCTIME); - } - continue; - - case 'E': /* --enddate */ - if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z') - { - usage("date format must be YYMMDDHHMMSSZ"); - } - else - { - chunk_t date = { optarg, 13 }; - notAfter = asn1_to_time(&date, ASN1_UTCTIME); - } - continue; - - case 'd': /* --dn */ - if (distinguishedName) - { - usage("only one distinguished name allowed"); - } - distinguishedName = optarg; - continue; - - case 's': /* --subjectAltName */ - { - char *value = strstr(optarg, "="); - - if (value) - { - /* replace '=' by '\0' */ - *value = '\0'; - /* set pointer to start of value */ - value++; - } - - if (strcaseeq("email", optarg) || - strcaseeq("dns", optarg) || - strcaseeq("ip", optarg)) - { - subjectAltNames->insert_last(subjectAltNames, - identification_create_from_string(value)); - continue; - } - else - { - usage("invalid --subjectAltName type"); - continue; - } - } - - case 'p': /* --password */ - if (challengePassword.len > 0) - { - usage("only one challenge password allowed"); - } - if (strcaseeq("%prompt", optarg)) - { - printf("Challenge password: "); - if (fgets(challenge_password_buffer, - sizeof(challenge_password_buffer) - 1, stdin)) - { - challengePassword.ptr = challenge_password_buffer; - /* discard the terminating '\n' from the input */ - challengePassword.len = strlen(challenge_password_buffer) - 1; - } - else - { - usage("challenge password could not be read"); - } - } - else - { - challengePassword.ptr = optarg; - challengePassword.len = strlen(optarg); - } - continue; - - case 'u': /* -- url */ - if (scep_url) - { - usage("only one URL argument allowed"); - } - scep_url = optarg; - continue; - - case 'c': /* -- caname */ - ca_name = optarg; - continue; - - case 'm': /* --method */ - if (strcaseeq("get", optarg)) - { - http_get_request = TRUE; - } - else if (strcaseeq("post", optarg)) - { - http_get_request = FALSE; - } - else - { - usage("invalid http request method specified"); - } - continue; - - case 't': /* --interval */ - poll_interval = atoi(optarg); - if (poll_interval <= 0) - { - usage("invalid interval specified"); - } - continue; - - case 'x': /* --maxpolltime */ - max_poll_time = atoi(optarg); - continue; - - case 'a': /*--algorithm [=]algo */ - { - const proposal_token_t *token; - char *type = optarg; - char *algo = strstr(optarg, "="); - - if (algo) - { - *algo = '\0'; - algo++; - } - else - { - type = "enc"; - algo = optarg; - } - - if (strcaseeq("enc", type)) - { - token = lib->proposal->get_token(lib->proposal, algo); - if (token == NULL || token->type != ENCRYPTION_ALGORITHM) - { - usage("invalid algorithm specified"); - } - pkcs7_symmetric_cipher = token->algorithm; - pkcs7_key_size = token->keysize; - if (encryption_algorithm_to_oid(token->algorithm, - token->keysize) == OID_UNKNOWN) - { - usage("unsupported encryption algorithm specified"); - } - } - else if (strcaseeq("dgst", type) || - strcaseeq("sig", type)) - { - hash_algorithm_t hash; - - token = lib->proposal->get_token(lib->proposal, algo); - if (token == NULL || token->type != INTEGRITY_ALGORITHM) - { - usage("invalid algorithm specified"); - } - hash = hasher_algorithm_from_integrity(token->algorithm, - NULL); - if (hash == (hash_algorithm_t)OID_UNKNOWN) - { - usage("invalid algorithm specified"); - } - if (strcaseeq("dgst", type)) - { - pkcs7_digest_alg = hash; - } - else - { - pkcs10_signature_alg = hash; - } - } - else - { - usage("invalid --algorithm type"); - } - continue; - } - default: - usage("unknown option"); - } - /* break from loop */ - break; - } - - init_log("scepclient"); - - /* load plugins, further infrastructure may need it */ - if (!lib->plugins->load(lib->plugins, - lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS))) - { - exit_scepclient("plugin loading failed"); - } - lib->plugins->status(lib->plugins, LEVEL_DIAG); - - if ((filetype_out == 0) && (!request_ca_certificate)) - { - usage("--out filetype required"); - } - if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0)) - { - usage("in CA certificate request, no other --in or --out option allowed"); - } - - /* check if url is given, if cert output defined */ - if (((filetype_out & CERT) || request_ca_certificate) && !scep_url) - { - usage("URL of SCEP server required"); - } - - /* check for sanity of --in/--out */ - if (!filetype_in && (filetype_in > filetype_out)) - { - usage("cannot generate --out of given --in!"); - } - - /* get CA cert */ - if (request_ca_certificate) - { - char ca_path[PATH_MAX]; - container_t *container; - pkcs7_t *p7; - - if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)), - SCEP_GET_CA_CERT, http_get_request, - http_timeout, http_bind, &scep_response)) - { - exit_scepclient("did not receive a valid scep response"); - } - - join_paths(ca_path, sizeof(ca_path), CA_CERT_PATH, file_out_ca_cert); - - p7 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7, - BUILD_BLOB_ASN1_DER, scep_response, BUILD_END); - - if (!p7) - { /* no PKCS#7 encoded CA+RA certificates, assume simple CA cert */ - - DBG1(DBG_APP, "unable to parse PKCS#7, assuming plain CA cert"); - if (!chunk_write(scep_response, ca_path, 0022, force)) - { - exit_scepclient("could not write ca cert file '%s': %s", - ca_path, strerror(errno)); - } - } - else - { - enumerator_t *enumerator; - certificate_t *cert; - int ra_certs = 0, ca_certs = 0; - int ra_index = 1, ca_index = 1; - - enumerator = p7->create_cert_enumerator(p7); - while (enumerator->enumerate(enumerator, &cert)) - { - x509_t *x509 = (x509_t*)cert; - if (x509->get_flags(x509) & X509_CA) - { - ca_certs++; - } - else - { - ra_certs++; - } - } - enumerator->destroy(enumerator); - - enumerator = p7->create_cert_enumerator(p7); - while (enumerator->enumerate(enumerator, &cert)) - { - x509_t *x509 = (x509_t*)cert; - bool ca_cert = x509->get_flags(x509) & X509_CA; - char cert_path[PATH_MAX], *path = ca_path; - - if (ca_cert && ca_certs > 1) - { - add_path_suffix(cert_path, sizeof(cert_path), ca_path, - "-%.1d", ca_index++); - path = cert_path; - } - else if (!ca_cert) - { /* use CA name as base for RA certs */ - if (ra_certs > 1) - { - add_path_suffix(cert_path, sizeof(cert_path), ca_path, - "-ra-%.1d", ra_index++); - } - else - { - add_path_suffix(cert_path, sizeof(cert_path), ca_path, - "-ra"); - } - path = cert_path; - } - - if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) || - !chunk_write(encoding, path, 0022, force)) - { - exit_scepclient("could not write cert file '%s': %s", - path, strerror(errno)); - } - chunk_free(&encoding); - } - enumerator->destroy(enumerator); - container = &p7->container; - container->destroy(container); - } - exit_scepclient(NULL); /* no further output required */ - } - - creds = mem_cred_create(); - lib->credmgr->add_set(lib->credmgr, &creds->set); - - /* - * input of PKCS#1 file - */ - if (filetype_in & PKCS1) /* load an RSA key pair from file */ - { - char path[PATH_MAX]; - - join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_in_pkcs1); - - private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, - BUILD_FROM_FILE, path, BUILD_END); - } - else /* generate an RSA key pair */ - { - private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, - BUILD_KEY_SIZE, rsa_keylength, - BUILD_END); - } - if (private_key == NULL) - { - exit_scepclient("no RSA private key available"); - } - creds->add_key(creds, private_key->get_ref(private_key)); - public_key = private_key->get_public_key(private_key); - - /* check for minimum key length */ - if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS / BITS_PER_BYTE) - { - exit_scepclient("length of RSA key has to be at least %d bits", - RSA_MIN_OCTETS * BITS_PER_BYTE); - } - - /* - * input of PKCS#10 file - */ - if (filetype_in & PKCS10) - { - char path[PATH_MAX]; - - join_paths(path, sizeof(path), REQ_PATH, file_in_pkcs10); - - pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE, - CERT_PKCS10_REQUEST, BUILD_FROM_FILE, - path, BUILD_END); - if (!pkcs10_req) - { - exit_scepclient("could not read certificate request '%s'", path); - } - subject = pkcs10_req->get_subject(pkcs10_req); - subject = subject->clone(subject); - } - else - { - if (distinguishedName == NULL) - { - int n = sprintf(default_distinguished_name, DEFAULT_DN); - - /* set the common name to the hostname */ - if (gethostname(default_distinguished_name + n, BUF_LEN - n) || - strlen(default_distinguished_name) == n) - { - exit_scepclient("no hostname defined, use " - "--dn option"); - } - distinguishedName = default_distinguished_name; - } - - DBG2(DBG_APP, "dn: '%s'", distinguishedName); - subject = identification_create_from_string(distinguishedName); - if (subject->get_type(subject) != ID_DER_ASN1_DN) - { - exit_scepclient("parsing of distinguished name failed"); - } - - DBG2(DBG_APP, "building pkcs10 object:"); - pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE, - CERT_PKCS10_REQUEST, - BUILD_SIGNING_KEY, private_key, - BUILD_SUBJECT, subject, - BUILD_SUBJECT_ALTNAMES, subjectAltNames, - BUILD_CHALLENGE_PWD, challengePassword, - BUILD_DIGEST_ALG, pkcs10_signature_alg, - BUILD_END); - if (!pkcs10_req) - { - exit_scepclient("generating pkcs10 request failed"); - } - } - pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding); - fingerprint = scep_generate_pkcs10_fingerprint(pkcs10_encoding); - DBG1(DBG_APP, " fingerprint: %s", fingerprint.ptr); - - /* - * output of PKCS#10 file - */ - if (filetype_out & PKCS10) - { - char path[PATH_MAX]; - - join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs10); - - if (!chunk_write(pkcs10_encoding, path, 0022, force)) - { - exit_scepclient("could not write pkcs10 file '%s': %s", - path, strerror(errno)); - } - filetype_out &= ~PKCS10; /* delete PKCS10 flag */ - } - - if (!filetype_out) - { - exit_scepclient(NULL); /* no further output required */ - } - - /* - * output of PKCS#1 file - */ - if (filetype_out & PKCS1) - { - char path[PATH_MAX]; - - join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_out_pkcs1); - - DBG2(DBG_APP, "building pkcs1 object:"); - if (!private_key->get_encoding(private_key, PRIVKEY_ASN1_DER, &pkcs1) || - !chunk_write(pkcs1, path, 0066, force)) - { - exit_scepclient("could not write pkcs1 file '%s': %s", - path, strerror(errno)); - } - filetype_out &= ~PKCS1; /* delete PKCS1 flag */ - } - - if (!filetype_out) - { - exit_scepclient(NULL); /* no further output required */ - } - - scep_generate_transaction_id(public_key, &transID, &serialNumber); - DBG1(DBG_APP, " transaction ID: %.*s", (int)transID.len, transID.ptr); - - /* - * read or generate self-signed X.509 certificate - */ - if (filetype_in & CERT_SELF) - { - char path[PATH_MAX]; - - join_paths(path, sizeof(path), HOST_CERT_PATH, file_in_cert_self); - - x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, - BUILD_FROM_FILE, path, BUILD_END); - if (!x509_signer) - { - exit_scepclient("could not read certificate file '%s'", path); - } - } - else - { - notBefore = notBefore ? notBefore : time(NULL); - notAfter = notAfter ? notAfter : (notBefore + validity); - x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, - BUILD_SIGNING_KEY, private_key, - BUILD_PUBLIC_KEY, public_key, - BUILD_SUBJECT, subject, - BUILD_NOT_BEFORE_TIME, notBefore, - BUILD_NOT_AFTER_TIME, notAfter, - BUILD_SERIAL, serialNumber, - BUILD_SUBJECT_ALTNAMES, subjectAltNames, - BUILD_END); - if (!x509_signer) - { - exit_scepclient("generating certificate failed"); - } - } - creds->add_cert(creds, TRUE, x509_signer->get_ref(x509_signer)); - - /* - * output of self-signed X.509 certificate file - */ - if (filetype_out & CERT_SELF) - { - char path[PATH_MAX]; - - join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert_self); - - if (!x509_signer->get_encoding(x509_signer, CERT_ASN1_DER, &encoding)) - { - exit_scepclient("encoding certificate failed"); - } - if (!chunk_write(encoding, path, 0022, force)) - { - exit_scepclient("could not write self-signed cert file '%s': %s", - path, strerror(errno)); - } - chunk_free(&encoding); - filetype_out &= ~CERT_SELF; /* delete CERT_SELF flag */ - } - - if (!filetype_out) - { - exit_scepclient(NULL); /* no further output required */ - } - - /* - * load ca encryption certificate - */ - { - char path[PATH_MAX]; - - join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_enc); - - x509_ca_enc = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, - BUILD_FROM_FILE, path, BUILD_END); - if (!x509_ca_enc) - { - exit_scepclient("could not load encryption cacert file '%s'", path); - } - } - - /* - * input of PKCS#7 file - */ - if (filetype_in & PKCS7) - { - /* user wants to load a pkcs7 encrypted request - * operation is not yet supported! - * would require additional parsing of transaction-id - - pkcs7 = pkcs7_read_from_file(file_in_pkcs7); - - */ - } - else - { - DBG2(DBG_APP, "building pkcs7 request"); - pkcs7 = scep_build_request(pkcs10_encoding, - transID, SCEP_PKCSReq_MSG, x509_ca_enc, - pkcs7_symmetric_cipher, pkcs7_key_size, - x509_signer, pkcs7_digest_alg, private_key); - if (!pkcs7.ptr) - { - exit_scepclient("failed to build pkcs7 request"); - } - } - - /* - * output pkcs7 encrypted and signed certificate request - */ - if (filetype_out & PKCS7) - { - char path[PATH_MAX]; - - join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs7); - - if (!chunk_write(pkcs7, path, 0022, force)) - { - exit_scepclient("could not write pkcs7 file '%s': %s", - path, strerror(errno)); - } - filetype_out &= ~PKCS7; /* delete PKCS7 flag */ - } - - if (!filetype_out) - { - exit_scepclient(NULL); /* no further output required */ - } - - /* - * output certificate fetch from SCEP server - */ - if (filetype_out & CERT) - { - bool stored = FALSE; - certificate_t *cert; - enumerator_t *enumerator; - char path[PATH_MAX]; - time_t poll_start = 0; - pkcs7_t *p7; - container_t *container = NULL; - chunk_t chunk; - scep_attributes_t attrs = empty_scep_attributes; - - join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_sig); - - x509_ca_sig = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, - BUILD_FROM_FILE, path, BUILD_END); - if (!x509_ca_sig) - { - exit_scepclient("could not load signature cacert file '%s'", path); - } - - creds->add_cert(creds, TRUE, x509_ca_sig->get_ref(x509_ca_sig)); - - if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION, - http_get_request, http_timeout, http_bind, &scep_response)) - { - exit_scepclient("did not receive a valid scep response"); - } - ugh = scep_parse_response(scep_response, transID, &container, &attrs); - if (ugh != NULL) - { - exit_scepclient(ugh); - } - - /* in case of manual mode, we are going into a polling loop */ - if (attrs.pkiStatus == SCEP_PENDING) - { - identification_t *issuer = x509_ca_sig->get_subject(x509_ca_sig); - - DBG1(DBG_APP, " scep request pending, polling every %d seconds", - poll_interval); - poll_start = time_monotonic(NULL); - issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc", - issuer->get_encoding(issuer), - subject->get_encoding(subject)); - } - while (attrs.pkiStatus == SCEP_PENDING) - { - if (max_poll_time > 0 && - (time_monotonic(NULL) - poll_start >= max_poll_time)) - { - exit_scepclient("maximum poll time reached: %d seconds" - , max_poll_time); - } - DBG2(DBG_APP, "going to sleep for %d seconds", poll_interval); - sleep(poll_interval); - free(scep_response.ptr); - container->destroy(container); - - DBG2(DBG_APP, "fingerprint: %.*s", - (int)fingerprint.len, fingerprint.ptr); - DBG2(DBG_APP, "transaction ID: %.*s", - (int)transID.len, transID.ptr); - - chunk_free(&getCertInitial); - getCertInitial = scep_build_request(issuerAndSubject, - transID, SCEP_GetCertInitial_MSG, x509_ca_enc, - pkcs7_symmetric_cipher, pkcs7_key_size, - x509_signer, pkcs7_digest_alg, private_key); - if (!getCertInitial.ptr) - { - exit_scepclient("failed to build scep request"); - } - if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION, - http_get_request, http_timeout, http_bind, &scep_response)) - { - exit_scepclient("did not receive a valid scep response"); - } - ugh = scep_parse_response(scep_response, transID, &container, &attrs); - if (ugh != NULL) - { - exit_scepclient(ugh); - } - } - - if (attrs.pkiStatus != SCEP_SUCCESS) - { - container->destroy(container); - exit_scepclient("reply status is not 'SUCCESS'"); - } - - if (!container->get_data(container, &chunk)) - { - container->destroy(container); - exit_scepclient("extracting signed-data failed"); - } - container->destroy(container); - - /* decrypt enveloped-data container */ - container = lib->creds->create(lib->creds, - CRED_CONTAINER, CONTAINER_PKCS7, - BUILD_BLOB_ASN1_DER, chunk, - BUILD_END); - free(chunk.ptr); - if (!container) - { - exit_scepclient("could not decrypt envelopedData"); - } - - if (!container->get_data(container, &chunk)) - { - container->destroy(container); - exit_scepclient("extracting encrypted-data failed"); - } - container->destroy(container); - - /* parse signed-data container */ - container = lib->creds->create(lib->creds, - CRED_CONTAINER, CONTAINER_PKCS7, - BUILD_BLOB_ASN1_DER, chunk, - BUILD_END); - free(chunk.ptr); - if (!container) - { - exit_scepclient("could not parse singed-data"); - } - /* no need to verify the signed-data container, the signature does NOT - * cover the contained certificates */ - - /* store the end entity certificate */ - join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert); - - p7 = (pkcs7_t*)container; - enumerator = p7->create_cert_enumerator(p7); - while (enumerator->enumerate(enumerator, &cert)) - { - x509_t *x509 = (x509_t*)cert; - - if (!(x509->get_flags(x509) & X509_CA)) - { - if (stored) - { - exit_scepclient("multiple certs received, only first stored"); - } - if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) || - !chunk_write(encoding, path, 0022, force)) - { - exit_scepclient("could not write cert file '%s': %s", - path, strerror(errno)); - } - chunk_free(&encoding); - stored = TRUE; - } - } - enumerator->destroy(enumerator); - container->destroy(container); - chunk_free(&attrs.transID); - chunk_free(&attrs.senderNonce); - chunk_free(&attrs.recipientNonce); - - filetype_out &= ~CERT; /* delete CERT flag */ - } - - exit_scepclient(NULL); - return -1; /* should never be reached */ -} -- 2.39.2