ARG_ENABL_SET([medsrv], [enable mediation server web frontend and daemon plugin.])
ARG_ENABL_SET([nm], [enable NetworkManager backend.])
ARG_DISBL_SET([pki], [disable pki certificate utility.])
-ARG_DISBL_SET([scepclient], [disable SCEP client tool.])
ARG_DISBL_SET([scripts], [disable additional utilities (found in directory scripts).])
ARG_ENABL_SET([svc], [enable charon Windows service.])
ARG_ENABL_SET([systemd], [enable systemd specific IKE daemon charon-systemd.])
starter_plugins=
pool_plugins=
attest_plugins=
-scepclient_plugins=
pki_plugins=
scripts_plugins=
fuzz_plugins=
t_plugins=
p_plugins=
-ADD_PLUGIN([test-vectors], [s charon scepclient pki])
+ADD_PLUGIN([test-vectors], [s charon pki])
ADD_PLUGIN([unbound], [s charon scripts])
-ADD_PLUGIN([ldap], [s charon scepclient scripts nm cmd])
+ADD_PLUGIN([ldap], [s charon scripts nm cmd])
ADD_PLUGIN([pkcs11], [s charon pki nm cmd])
ADD_PLUGIN([tpm], [p charon pki nm cmd])
-ADD_PLUGIN([aesni], [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
-ADD_PLUGIN([aes], [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([des], [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([blowfish], [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([rc2], [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([sha2], [s charon scepclient pki scripts medsrv attest nm cmd aikgen fuzz])
-ADD_PLUGIN([sha3], [s charon scepclient pki scripts medsrv attest nm cmd aikgen fuzz])
-ADD_PLUGIN([sha1], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz])
-ADD_PLUGIN([md4], [s charon scepclient pki nm cmd])
-ADD_PLUGIN([md5], [s charon scepclient pki scripts attest nm cmd aikgen])
-ADD_PLUGIN([mgf1], [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
-ADD_PLUGIN([rdrand], [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
-ADD_PLUGIN([random], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([aesni], [s charon pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([aes], [s charon pki scripts nm cmd])
+ADD_PLUGIN([des], [s charon pki scripts nm cmd])
+ADD_PLUGIN([blowfish], [s charon pki scripts nm cmd])
+ADD_PLUGIN([rc2], [s charon pki scripts nm cmd])
+ADD_PLUGIN([sha2], [s charon pki scripts medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([sha3], [s charon pki scripts medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([sha1], [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([md4], [s charon pki nm cmd])
+ADD_PLUGIN([md5], [s charon pki scripts attest nm cmd aikgen])
+ADD_PLUGIN([mgf1], [s charon pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([rdrand], [s charon pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([random], [s charon pki scripts manager medsrv attest nm cmd aikgen])
ADD_PLUGIN([nonce], [s charon nm cmd aikgen])
-ADD_PLUGIN([x509], [s charon scepclient pki scripts attest nm cmd aikgen fuzz])
+ADD_PLUGIN([x509], [s charon pki scripts attest nm cmd aikgen fuzz])
ADD_PLUGIN([revocation], [s charon pki nm cmd])
ADD_PLUGIN([constraints], [s charon nm cmd])
ADD_PLUGIN([acert], [s charon])
ADD_PLUGIN([pubkey], [s charon pki cmd aikgen])
-ADD_PLUGIN([pkcs1], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz])
-ADD_PLUGIN([pkcs7], [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([pkcs12], [s charon scepclient pki scripts cmd])
+ADD_PLUGIN([pkcs1], [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([pkcs7], [s charon pki scripts nm cmd])
+ADD_PLUGIN([pkcs12], [s charon pki scripts cmd])
ADD_PLUGIN([pgp], [s charon])
ADD_PLUGIN([dnskey], [s charon pki])
ADD_PLUGIN([sshkey], [s charon pki nm cmd])
ADD_PLUGIN([dnscert], [c charon])
ADD_PLUGIN([ipseckey], [c charon])
-ADD_PLUGIN([pem], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([pem], [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz])
ADD_PLUGIN([padlock], [s charon])
-ADD_PLUGIN([openssl], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
-ADD_PLUGIN([wolfssl], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
-ADD_PLUGIN([gcrypt], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
-ADD_PLUGIN([botan], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
-ADD_PLUGIN([pkcs8], [s charon scepclient pki scripts manager medsrv attest nm cmd])
-ADD_PLUGIN([af-alg], [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([openssl], [s charon pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([wolfssl], [s charon pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([gcrypt], [s charon pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([botan], [s charon pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([pkcs8], [s charon pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([af-alg], [s charon pki scripts medsrv attest nm cmd aikgen])
ADD_PLUGIN([fips-prf], [s charon nm cmd])
-ADD_PLUGIN([gmp], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([gmp], [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz])
ADD_PLUGIN([curve25519], [s charon pki scripts nm cmd])
ADD_PLUGIN([agent], [s charon nm cmd])
ADD_PLUGIN([keychain], [s charon cmd])
ADD_PLUGIN([drbg], [s charon pki scripts nm cmd])
ADD_PLUGIN([newhope], [s charon scripts nm cmd])
ADD_PLUGIN([bliss], [s charon pki scripts nm cmd])
-ADD_PLUGIN([curl], [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([files], [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([curl], [s charon pki scripts nm cmd])
+ADD_PLUGIN([files], [s charon pki scripts nm cmd])
ADD_PLUGIN([winhttp], [s charon pki scripts])
ADD_PLUGIN([soup], [s charon pki scripts nm cmd])
ADD_PLUGIN([mysql], [s charon pool manager medsrv attest])
AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
AM_CONDITIONAL(USE_NM, test x$nm = xtrue)
AM_CONDITIONAL(USE_PKI, test x$pki = xtrue)
-AM_CONDITIONAL(USE_SCEPCLIENT, test x$scepclient = xtrue)
AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
AM_CONDITIONAL(USE_FUZZING, test x$fuzzing = xtrue)
AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)
-AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
+AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pki = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
AM_CONDITIONAL(USE_LIBIPSEC, test x$libipsec = xtrue)
AM_CONDITIONAL(USE_LIBNTTFFT, test x$bliss = xtrue -o x$newhope = xtrue)
AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue)
AM_CONDITIONAL(USE_LIBTPMTSS, test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$tpm = xtrue -o x$aikgen = xtrue -o x$imcv = xtrue)
AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue)
-AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue)
+AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$conftest = xtrue)
AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
AM_CONDITIONAL(USE_VSTR, test x$printf_hooks = xvstr)
AM_CONDITIONAL(USE_BUILTIN_PRINTF, test x$printf_hooks = xbuiltin)
AM_COND_IF([USE_LIBTNCCS], [strongswan_options=${strongswan_options}" tnc"])
AM_COND_IF([USE_MANAGER], [strongswan_options=${strongswan_options}" manager"])
AM_COND_IF([USE_MEDSRV], [strongswan_options=${strongswan_options}" medsrv"])
-AM_COND_IF([USE_SCEPCLIENT], [strongswan_options=${strongswan_options}" scepclient"])
AM_COND_IF([USE_PKI], [strongswan_options=${strongswan_options}" pki"])
AM_COND_IF([USE_SWANCTL], [strongswan_options=${strongswan_options}" swanctl"])
AM_COND_IF([USE_SYSTEMD], [strongswan_options=${strongswan_options}" charon-systemd"])
src/starter/Makefile
src/starter/tests/Makefile
src/_updown/Makefile
- src/scepclient/Makefile
src/aikgen/Makefile
src/tpm_extendpcr/Makefile
src/pki/Makefile
+++ /dev/null
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- *
- * Copyright (C) secunet Security Networks AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-#include <stdlib.h>
-
-#include <library.h>
-#include <utils/debug.h>
-#include <asn1/asn1.h>
-#include <asn1/asn1_parser.h>
-#include <asn1/oid.h>
-#include <crypto/rngs/rng.h>
-#include <crypto/hashers/hasher.h>
-
-#include "scep.h"
-
-static const char *pkiStatus_values[] = { "0", "2", "3" };
-
-static const char *pkiStatus_names[] = {
- "SUCCESS",
- "FAILURE",
- "PENDING",
- "UNKNOWN"
-};
-
-static const char *msgType_values[] = { "3", "19", "20", "21", "22" };
-
-static const char *msgType_names[] = {
- "CertRep",
- "PKCSReq",
- "GetCertInitial",
- "GetCert",
- "GetCRL",
- "Unknown"
-};
-
-static const char *failInfo_reasons[] = {
- "badAlg - unrecognized or unsupported algorithm identifier",
- "badMessageCheck - integrity check failed",
- "badRequest - transaction not permitted or supported",
- "badTime - Message time field was not sufficiently close to the system time",
- "badCertId - No certificate could be identified matching the provided criteria"
-};
-
-const scep_attributes_t empty_scep_attributes = {
- SCEP_Unknown_MSG , /* msgType */
- SCEP_UNKNOWN , /* pkiStatus */
- SCEP_unknown_REASON, /* failInfo */
- { NULL, 0 } , /* transID */
- { NULL, 0 } , /* senderNonce */
- { NULL, 0 } , /* recipientNonce */
-};
-
-/**
- * Extract X.501 attributes
- */
-void extract_attributes(pkcs7_t *pkcs7, enumerator_t *enumerator,
- scep_attributes_t *attrs)
-{
- chunk_t attr;
-
- if (pkcs7->get_attribute(pkcs7, OID_PKI_MESSAGE_TYPE, enumerator, &attr))
- {
- scep_msg_t m;
-
- for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
- {
- if (strncmp(msgType_values[m], attr.ptr, attr.len) == 0)
- {
- attrs->msgType = m;
- }
- }
- DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]);
- free(attr.ptr);
- }
- if (pkcs7->get_attribute(pkcs7, OID_PKI_STATUS, enumerator, &attr))
- {
- pkiStatus_t s;
-
- for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
- {
- if (strncmp(pkiStatus_values[s], attr.ptr, attr.len) == 0)
- {
- attrs->pkiStatus = s;
- }
- }
- DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]);
- free(attr.ptr);
- }
- if (pkcs7->get_attribute(pkcs7, OID_PKI_FAIL_INFO, enumerator, &attr))
- {
- if (attr.len == 1 && *attr.ptr >= '0' && *attr.ptr <= '4')
- {
- attrs->failInfo = (failInfo_t)(*attr.ptr - '0');
- }
- if (attrs->failInfo != SCEP_unknown_REASON)
- {
- DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]);
- }
- free(attr.ptr);
- }
-
- pkcs7->get_attribute(pkcs7, OID_PKI_SENDER_NONCE, enumerator,
- &attrs->senderNonce);
- pkcs7->get_attribute(pkcs7, OID_PKI_RECIPIENT_NONCE, enumerator,
- &attrs->recipientNonce);
- pkcs7->get_attribute(pkcs7, OID_PKI_TRANS_ID, enumerator,
- &attrs->transID);
-}
-
-/**
- * Generates a unique fingerprint of the pkcs10 request
- * by computing an MD5 hash over it
- */
-chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10)
-{
- chunk_t digest = chunk_alloca(HASH_SIZE_MD5);
- hasher_t *hasher;
-
- hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
- if (!hasher || !hasher->get_hash(hasher, pkcs10, digest.ptr))
- {
- DESTROY_IF(hasher);
- return chunk_empty;
- }
- hasher->destroy(hasher);
-
- return chunk_to_hex(digest, NULL, FALSE);
-}
-
-/**
- * Generate a transaction id as the MD5 hash of an public key
- * the transaction id is also used as a unique serial number
- */
-void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
- chunk_t *serialNumber)
-{
- chunk_t digest = chunk_alloca(HASH_SIZE_MD5);
- chunk_t keyEncoding = chunk_empty, keyInfo;
- hasher_t *hasher;
- int zeros = 0, msb_set = 0;
-
- key->get_encoding(key, PUBKEY_ASN1_DER, &keyEncoding);
-
- keyInfo = asn1_wrap(ASN1_SEQUENCE, "mm",
- asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
- asn1_bitstring("m", keyEncoding));
-
- hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
- if (!hasher || !hasher->get_hash(hasher, keyInfo, digest.ptr))
- {
- memset(digest.ptr, 0, digest.len);
- }
- DESTROY_IF(hasher);
- free(keyInfo.ptr);
-
- /* the serialNumber should be valid ASN1 integer content:
- * remove leading zeros, add one if MSB is set (two's complement) */
- while (zeros < digest.len)
- {
- if (digest.ptr[zeros])
- {
- if (digest.ptr[zeros] & 0x80)
- {
- msb_set = 1;
- }
- break;
- }
- zeros++;
- }
- *serialNumber = chunk_alloc(digest.len - zeros + msb_set);
- if (msb_set)
- {
- serialNumber->ptr[0] = 0x00;
- }
- memcpy(serialNumber->ptr + msb_set, digest.ptr + zeros,
- digest.len - zeros);
-
- /* the transaction id is the serial number in hex format */
- *transID = chunk_to_hex(digest, NULL, TRUE);
-}
-
-/**
- * Builds a pkcs7 enveloped and signed scep request
- */
-chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
- certificate_t *enc_cert, encryption_algorithm_t enc_alg,
- size_t key_size, certificate_t *signer_cert,
- hash_algorithm_t digest_alg, private_key_t *private_key)
-{
- chunk_t request;
- container_t *container;
- char nonce[16];
- rng_t *rng;
- chunk_t senderNonce, msgType;
-
- /* generate senderNonce */
- rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
- if (!rng || !rng->get_bytes(rng, sizeof(nonce), nonce))
- {
- DESTROY_IF(rng);
- return chunk_empty;
- }
- rng->destroy(rng);
-
- /* encrypt data in enveloped-data PKCS#7 */
- container = lib->creds->create(lib->creds,
- CRED_CONTAINER, CONTAINER_PKCS7_ENVELOPED_DATA,
- BUILD_BLOB, data,
- BUILD_CERT, enc_cert,
- BUILD_ENCRYPTION_ALG, enc_alg,
- BUILD_KEY_SIZE, (int)key_size,
- BUILD_END);
- if (!container)
- {
- return chunk_empty;
- }
- if (!container->get_encoding(container, &request))
- {
- container->destroy(container);
- return chunk_empty;
- }
- container->destroy(container);
-
- /* sign enveloped-data in a signed-data PKCS#7 */
- senderNonce = asn1_wrap(ASN1_OCTET_STRING, "c", chunk_from_thing(nonce));
- transID = asn1_wrap(ASN1_PRINTABLESTRING, "c", transID);
- msgType = asn1_wrap(ASN1_PRINTABLESTRING, "c",
- chunk_create((char*)msgType_values[msg],
- strlen(msgType_values[msg])));
-
- container = lib->creds->create(lib->creds,
- CRED_CONTAINER, CONTAINER_PKCS7_SIGNED_DATA,
- BUILD_BLOB, request,
- BUILD_SIGNING_CERT, signer_cert,
- BUILD_SIGNING_KEY, private_key,
- BUILD_DIGEST_ALG, digest_alg,
- BUILD_PKCS7_ATTRIBUTE, OID_PKI_SENDER_NONCE, senderNonce,
- BUILD_PKCS7_ATTRIBUTE, OID_PKI_TRANS_ID, transID,
- BUILD_PKCS7_ATTRIBUTE, OID_PKI_MESSAGE_TYPE, msgType,
- BUILD_END);
-
- free(request.ptr);
- free(senderNonce.ptr);
- free(transID.ptr);
- free(msgType.ptr);
-
- if (!container)
- {
- return chunk_empty;
- }
- if (!container->get_encoding(container, &request))
- {
- container->destroy(container);
- return chunk_empty;
- }
- container->destroy(container);
-
- return request;
-}
-
-/**
- * Converts a binary request to base64 with 64 characters per line
- * newline and '+' characters are escaped by %0A and %2B, respectively
- */
-static char* escape_http_request(chunk_t req)
-{
- char *escaped_req = NULL;
- char *p1, *p2;
- int lines = 0;
- int plus = 0;
- int n = 0;
-
- /* compute and allocate the size of the base64-encoded request */
- int len = 1 + 4 * ((req.len + 2) / 3);
- char *encoded_req = malloc(len);
-
- /* do the base64 conversion */
- chunk_t base64 = chunk_to_base64(req, encoded_req);
- len = base64.len + 1;
-
- /* compute newline characters to be inserted every 64 characters */
- lines = (len - 2) / 64;
-
- /* count number of + characters to be escaped */
- p1 = encoded_req;
- while (*p1 != '\0')
- {
- if (*p1++ == '+')
- {
- plus++;
- }
- }
-
- escaped_req = malloc(len + 3 * (lines + plus));
-
- /* escape special characters in the request */
- p1 = encoded_req;
- p2 = escaped_req;
- while (*p1 != '\0')
- {
- if (n == 64)
- {
- memcpy(p2, "%0A", 3);
- p2 += 3;
- n = 0;
- }
- if (*p1 == '+')
- {
- memcpy(p2, "%2B", 3);
- p2 += 3;
- }
- else
- {
- *p2++ = *p1;
- }
- p1++;
- n++;
- }
- *p2 = '\0';
- free(encoded_req);
- return escaped_req;
-}
-
-/**
- * Send a SCEP request via HTTP and wait for a response
- */
-bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
- bool http_get_request, u_int timeout, char *src,
- chunk_t *response)
-{
- int len;
- status_t status;
- char *complete_url = NULL;
- host_t *srcip = NULL;
-
- /* initialize response */
- *response = chunk_empty;
-
- if (src)
- {
- srcip = host_create_from_string(src, 0);
- }
-
- DBG2(DBG_APP, "sending scep request to '%s'", url);
-
- if (op == SCEP_PKI_OPERATION)
- {
- const char operation[] = "PKIOperation";
-
- if (http_get_request)
- {
- char *escaped_req = escape_http_request(msg);
-
- /* form complete url */
- len = strlen(url) + 20 + strlen(operation) + strlen(escaped_req) + 1;
- complete_url = malloc(len);
- snprintf(complete_url, len, "%s?operation=%s&message=%s"
- , url, operation, escaped_req);
- free(escaped_req);
-
- status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
- FETCH_HTTP_VERSION_1_0,
- FETCH_TIMEOUT, timeout,
- FETCH_REQUEST_HEADER, "Pragma:",
- FETCH_REQUEST_HEADER, "Host:",
- FETCH_REQUEST_HEADER, "Accept:",
- FETCH_SOURCEIP, srcip,
- FETCH_END);
- }
- else /* HTTP_POST */
- {
- /* form complete url */
- len = strlen(url) + 11 + strlen(operation) + 1;
- complete_url = malloc(len);
- snprintf(complete_url, len, "%s?operation=%s", url, operation);
-
- status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
- FETCH_HTTP_VERSION_1_0,
- FETCH_TIMEOUT, timeout,
- FETCH_REQUEST_DATA, msg,
- FETCH_REQUEST_TYPE, "",
- FETCH_REQUEST_HEADER, "Expect:",
- FETCH_SOURCEIP, srcip,
- FETCH_END);
- }
- }
- else /* SCEP_GET_CA_CERT */
- {
- const char operation[] = "GetCACert";
- int i;
-
- /* escape spaces, TODO: complete URL escape */
- for (i = 0; i < msg.len; i++)
- {
- if (msg.ptr[i] == ' ')
- {
- msg.ptr[i] = '+';
- }
- }
-
- /* form complete url */
- len = strlen(url) + 32 + strlen(operation) + msg.len + 1;
- complete_url = malloc(len);
- snprintf(complete_url, len, "%s?operation=%s&message=%.*s",
- url, operation, (int)msg.len, msg.ptr);
-
- status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
- FETCH_HTTP_VERSION_1_0,
- FETCH_TIMEOUT, timeout,
- FETCH_SOURCEIP, srcip,
- FETCH_END);
- }
-
- DESTROY_IF(srcip);
- free(complete_url);
- return (status == SUCCESS);
-}
-
-err_t scep_parse_response(chunk_t response, chunk_t transID,
- container_t **out, scep_attributes_t *attrs)
-{
- enumerator_t *enumerator;
- bool verified = FALSE;
- container_t *container;
- auth_cfg_t *auth;
-
- container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
- BUILD_BLOB_ASN1_DER, response, BUILD_END);
- if (!container)
- {
- return "error parsing the scep response";
- }
- if (container->get_type(container) != CONTAINER_PKCS7_SIGNED_DATA)
- {
- container->destroy(container);
- return "scep response is not PKCS#7 signed-data";
- }
-
- enumerator = container->create_signature_enumerator(container);
- while (enumerator->enumerate(enumerator, &auth))
- {
- verified = TRUE;
- extract_attributes((pkcs7_t*)container, enumerator, attrs);
- if (!chunk_equals(transID, attrs->transID))
- {
- enumerator->destroy(enumerator);
- container->destroy(container);
- return "transaction ID of scep response does not match";
- }
- }
- enumerator->destroy(enumerator);
- if (!verified)
- {
- container->destroy(container);
- return "unable to verify PKCS#7 container";
- }
- *out = container;
- return NULL;
-}
+++ /dev/null
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- *
- * Copyright (C) secunet Security Networks AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <getopt.h>
-#include <ctype.h>
-#include <unistd.h>
-#include <time.h>
-#include <limits.h>
-#include <syslog.h>
-#include <errno.h>
-
-#include <library.h>
-#include <utils/debug.h>
-#include <asn1/asn1.h>
-#include <asn1/oid.h>
-#include <utils/optionsfrom.h>
-#include <collections/enumerator.h>
-#include <collections/linked_list.h>
-#include <crypto/hashers/hasher.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/proposal/proposal_keywords.h>
-#include <credentials/keys/private_key.h>
-#include <credentials/keys/public_key.h>
-#include <credentials/certificates/certificate.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/certificates/pkcs10.h>
-#include <credentials/sets/mem_cred.h>
-#include <plugins/plugin.h>
-
-#include "scep.h"
-
-/*
- * definition of some defaults
- */
-
-/* some paths */
-#define REQ_PATH IPSEC_CONFDIR "/ipsec.d/reqs"
-#define HOST_CERT_PATH IPSEC_CONFDIR "/ipsec.d/certs"
-#define CA_CERT_PATH IPSEC_CONFDIR "/ipsec.d/cacerts"
-#define PRIVATE_KEY_PATH IPSEC_CONFDIR "/ipsec.d/private"
-
-/* default name of DER-encoded PKCS#1 private key file */
-#define DEFAULT_FILENAME_PKCS1 "myKey.der"
-
-/* default name of DER-encoded PKCS#10 certificate request file */
-#define DEFAULT_FILENAME_PKCS10 "myReq.der"
-
-/* default name of DER-encoded PKCS#7 file */
-#define DEFAULT_FILENAME_PKCS7 "pkcs7.der"
-
-/* default name of DER-encoded self-signed X.509 certificate file */
-#define DEFAULT_FILENAME_CERT_SELF "selfCert.der"
-
-/* default name of DER-encoded X.509 certificate file */
-#define DEFAULT_FILENAME_CERT "myCert.der"
-
-/* default name of DER-encoded CA cert file used for key encipherment */
-#define DEFAULT_FILENAME_CACERT_ENC "caCert.der"
-
-/* default name of the der encoded CA cert file used for signature verification */
-#define DEFAULT_FILENAME_CACERT_SIG "caCert.der"
-
-/* default prefix of the der encoded CA certificates received from the SCEP server */
-#define DEFAULT_FILENAME_PREFIX_CACERT "caCert.der"
-
-/* default certificate validity */
-#define DEFAULT_CERT_VALIDITY 5 * 3600 * 24 * 365 /* seconds */
-
-/* default polling time interval in SCEP manual mode */
-#define DEFAULT_POLL_INTERVAL 20 /* seconds */
-
-/* default key length for self-generated RSA keys */
-#define DEFAULT_RSA_KEY_LENGTH 2048 /* bits */
-
-/* default distinguished name */
-#define DEFAULT_DN "C=CH, O=Linux strongSwan, CN="
-
-/* minimum RSA key size */
-#define RSA_MIN_OCTETS (512 / BITS_PER_BYTE)
-
-/* challenge password buffer size */
-#define MAX_PASSWORD_LENGTH 256
-
-/* Max length of filename for tempfile */
-#define MAX_TEMP_FILENAME_LENGTH 256
-
-
-/* current scepclient version */
-static const char *scepclient_version = "1.0";
-
-/* by default the CRL policy is lenient */
-bool strict_crl_policy = FALSE;
-
-/* by default pluto does not check crls dynamically */
-long crl_check_interval = 0;
-
-/* by default pluto logs out after every smartcard use */
-bool pkcs11_keep_state = FALSE;
-
-/* by default HTTP fetch timeout is 30s */
-static u_int http_timeout = 30;
-
-/* address to bind for HTTP fetches */
-static char* http_bind = NULL;
-
-/* options read by optionsfrom */
-options_t *options;
-
-/*
- * Global variables
- */
-chunk_t pkcs1;
-chunk_t pkcs7;
-chunk_t challengePassword;
-chunk_t serialNumber;
-chunk_t transID;
-chunk_t fingerprint;
-chunk_t encoding;
-chunk_t pkcs10_encoding;
-chunk_t issuerAndSubject;
-chunk_t getCertInitial;
-chunk_t scep_response;
-
-linked_list_t *subjectAltNames;
-
-identification_t *subject = NULL;
-private_key_t *private_key = NULL;
-public_key_t *public_key = NULL;
-certificate_t *x509_signer = NULL;
-certificate_t *x509_ca_enc = NULL;
-certificate_t *x509_ca_sig = NULL;
-certificate_t *pkcs10_req = NULL;
-
-mem_cred_t *creds = NULL;
-
-/* logging */
-static bool log_to_stderr = TRUE;
-static bool log_to_syslog = TRUE;
-static level_t default_loglevel = 1;
-
-/**
- * logging function for scepclient
- */
-static void scepclient_dbg(debug_t group, level_t level, char *fmt, ...)
-{
- char buffer[8192];
- char *current = buffer, *next;
- va_list args;
-
- if (level <= default_loglevel)
- {
- if (log_to_stderr)
- {
- va_start(args, fmt);
- vfprintf(stderr, fmt, args);
- va_end(args);
- fprintf(stderr, "\n");
- }
- if (log_to_syslog)
- {
- /* write in memory buffer first */
- va_start(args, fmt);
- vsnprintf(buffer, sizeof(buffer), fmt, args);
- va_end(args);
-
- /* do a syslog with every line */
- while (current)
- {
- next = strchr(current, '\n');
- if (next)
- {
- *(next++) = '\0';
- }
- syslog(LOG_INFO, "%s\n", current);
- current = next;
- }
- }
- }
-}
-
-/**
- * Initialize logging to stderr/syslog
- */
-static void init_log(const char *program)
-{
- dbg = scepclient_dbg;
-
- if (log_to_stderr)
- {
- setbuf(stderr, NULL);
- }
- if (log_to_syslog)
- {
- openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
- }
-}
-
-/**
- * join two paths if filename is not absolute
- */
-static void join_paths(char *target, size_t target_size, char *parent,
- char *filename)
-{
- if (*filename == '/' || *filename == '.')
- {
- snprintf(target, target_size, "%s", filename);
- }
- else
- {
- snprintf(target, target_size, "%s/%s", parent, filename);
- }
-}
-
-/**
- * add a suffix to a given filename, properly handling extensions like '.der'
- */
-static void add_path_suffix(char *target, size_t target_size, char *filename,
- char *suffix_fmt, ...)
-{
- char suffix[PATH_MAX], *start, *dot;
- va_list args;
-
- va_start(args, suffix_fmt);
- vsnprintf(suffix, sizeof(suffix), suffix_fmt, args);
- va_end(args);
-
- start = strrchr(filename, '/');
- start = start ?: filename;
- dot = strrchr(start, '.');
-
- if (!dot || dot == start || dot[1] == '\0')
- { /* no extension add suffix at the end */
- snprintf(target, target_size, "%s%s", filename, suffix);
- }
- else
- { /* add the suffix between the filename and the extension */
- snprintf(target, target_size, "%.*s%s%s", (int)(dot - filename),
- filename, suffix, dot);
- }
-}
-
-/**
- * @brief exit scepclient
- *
- * @param status 0 = OK, 1 = general discomfort
- */
-static void exit_scepclient(err_t message, ...)
-{
- int status = 0;
-
- if (creds)
- {
- lib->credmgr->remove_set(lib->credmgr, &creds->set);
- creds->destroy(creds);
- }
-
- DESTROY_IF(subject);
- DESTROY_IF(private_key);
- DESTROY_IF(public_key);
- DESTROY_IF(x509_signer);
- DESTROY_IF(x509_ca_enc);
- DESTROY_IF(x509_ca_sig);
- DESTROY_IF(pkcs10_req);
- subjectAltNames->destroy_offset(subjectAltNames,
- offsetof(identification_t, destroy));
- free(pkcs1.ptr);
- free(pkcs7.ptr);
- free(serialNumber.ptr);
- free(transID.ptr);
- free(fingerprint.ptr);
- free(encoding.ptr);
- free(pkcs10_encoding.ptr);
- free(issuerAndSubject.ptr);
- free(getCertInitial.ptr);
- free(scep_response.ptr);
- options->destroy(options);
-
- /* print any error message to stderr */
- if (message != NULL && *message != '\0')
- {
- va_list args;
- char m[8192];
-
- va_start(args, message);
- vsnprintf(m, sizeof(m), message, args);
- va_end(args);
-
- fprintf(stderr, "error: %s\n", m);
- status = -1;
- }
- library_deinit();
- exit(status);
-}
-
-/**
- * @brief prints the program version and exits
- *
- */
-static void version(void)
-{
- printf("scepclient %s\n", scepclient_version);
- exit_scepclient(NULL);
-}
-
-/**
- * @brief prints the usage of the program to the stderr output
- *
- * If message is set, program is exited with 1 (error)
- * @param message message in case of an error
- */
-static void usage(const char *message)
-{
- fprintf(stderr,
- "Usage: scepclient\n"
- " --help (-h) show usage and exit\n"
- " --version (-v) show version and exit\n"
- " --quiet (-q) do not write log output to stderr\n"
- " --in (-i) <type>[=<filename>] use <filename> of <type> for input\n"
- " <type> = pkcs1 | pkcs10 | cert-self\n"
- " cacert-enc | cacert-sig\n"
- " - if no pkcs1 input is defined, an RSA\n"
- " key will be generated\n"
- " - if no pkcs10 input is defined, a\n"
- " PKCS#10 request will be generated\n"
- " - if no cert-self input is defined, a\n"
- " self-signed certificate will be generated\n"
- " - if no filename is given, default is used\n"
- " --out (-o) <type>[=<filename>] write output of <type> to <filename>\n"
- " multiple outputs are allowed\n"
- " <type> = pkcs1 | pkcs10 | pkcs7 | cert-self |\n"
- " cert | cacert\n"
- " - type cacert defines filename prefix of\n"
- " received CA certificate(s)\n"
- " - if no filename is given, default is used\n"
- " --optionsfrom (-+) <filename> reads additional options from given file\n"
- " --force (-f) force existing file(s)\n"
- " --httptimeout (-T) timeout for HTTP operations (default: 30s)\n"
- " --bind (-b) source address to bind for HTTP operations\n"
- "\n"
- "Options for key generation (pkcs1):\n"
- " --keylength (-k) <bits> key length for RSA key generation\n"
- " (default: 2048 bits)\n"
- "\n"
- "Options for validity:\n"
- " --days (-D) <days> validity in days\n"
- " --startdate (-S) <YYMMDDHHMMSS>Z not valid before date\n"
- " --enddate (-E) <YYMMDDHHMMSS>Z not valid after date\n"
- "\n"
- "Options for request generation (pkcs10):\n"
- " --dn (-d) <dn> comma separated list of distinguished names\n"
- " --subjectAltName (-s) <t>=<v> include subjectAltName in certificate request\n"
- " <t> = email | dns | ip \n"
- " --password (-p) <pw> challenge password\n"
- " - use '%%prompt' as pw for a password prompt\n"
- " --algorithm (-a) [<type>=]<algo> algorithm to be used for PKCS#7 encryption,\n"
- " PKCS#7 digest or PKCS#10 signature\n"
- " <type> = enc | dgst | sig\n"
- " - if no type is given enc is assumed\n"
- " <algo> = des (default) | 3des | aes128 |\n"
- " aes192 | aes256 | camellia128 |\n"
- " camellia192 | camellia256\n"
- " <algo> = md5 (default) | sha1 | sha256 |\n"
- " sha384 | sha512\n"
- "\n"
- "Options for CA certificate acquisition:\n"
- " --caname (-c) <name> name of CA to fetch CA certificate(s)\n"
- " (default: CAIdentifier)\n"
- "Options for enrollment (cert):\n"
- " --url (-u) <url> url of the SCEP server\n"
- " --method (-m) post | get http request type\n"
- " --interval (-t) <seconds> poll interval in seconds (default 20s)\n"
- " --maxpolltime (-x) <seconds> max poll time in seconds when in manual mode\n"
- " (default: unlimited)\n"
- "\n"
- "Debugging output:\n"
- " --debug (-l) <level> changes the log level (-1..4, default: 1)\n"
- );
- exit_scepclient(message);
-}
-
-/**
- * @brief main of scepclient
- *
- * @param argc number of arguments
- * @param argv pointer to the argument values
- */
-int main(int argc, char **argv)
-{
- /* external values */
- extern char * optarg;
- extern int optind;
-
- /* type of input and output files */
- typedef enum {
- PKCS1 = 0x01,
- PKCS10 = 0x02,
- PKCS7 = 0x04,
- CERT_SELF = 0x08,
- CERT = 0x10,
- CACERT_ENC = 0x20,
- CACERT_SIG = 0x40,
- } scep_filetype_t;
-
- /* filetype to read from, defaults to "generate a key" */
- scep_filetype_t filetype_in = 0;
-
- /* filetype to write to, no default here */
- scep_filetype_t filetype_out = 0;
-
- /* input files */
- char *file_in_pkcs1 = DEFAULT_FILENAME_PKCS1;
- char *file_in_pkcs10 = DEFAULT_FILENAME_PKCS10;
- char *file_in_cert_self = DEFAULT_FILENAME_CERT_SELF;
- char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC;
- char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG;
-
- /* output files */
- char *file_out_pkcs1 = DEFAULT_FILENAME_PKCS1;
- char *file_out_pkcs10 = DEFAULT_FILENAME_PKCS10;
- char *file_out_pkcs7 = DEFAULT_FILENAME_PKCS7;
- char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF;
- char *file_out_cert = DEFAULT_FILENAME_CERT;
- char *file_out_ca_cert = DEFAULT_FILENAME_CACERT_ENC;
-
- /* by default user certificate is requested */
- bool request_ca_certificate = FALSE;
-
- /* by default existing files are not overwritten */
- bool force = FALSE;
-
- /* length of RSA key in bits */
- u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH;
-
- /* validity of self-signed certificate */
- time_t validity = DEFAULT_CERT_VALIDITY;
- time_t notBefore = 0;
- time_t notAfter = 0;
-
- /* distinguished name for requested certificate, ASCII format */
- char *distinguishedName = NULL;
- char default_distinguished_name[BUF_LEN];
-
- /* challenge password */
- char challenge_password_buffer[MAX_PASSWORD_LENGTH];
-
- /* symmetric encryption algorithm used by pkcs7, default is DES */
- encryption_algorithm_t pkcs7_symmetric_cipher = ENCR_DES;
- size_t pkcs7_key_size = 0;
-
- /* digest algorithm used by pkcs7, default is MD5 */
- hash_algorithm_t pkcs7_digest_alg = HASH_MD5;
-
- /* signature algorithm used by pkcs10, default is MD5 */
- hash_algorithm_t pkcs10_signature_alg = HASH_MD5;
-
- /* URL of the SCEP-Server */
- char *scep_url = NULL;
-
- /* Name of CA to fetch CA certs for */
- char *ca_name = "CAIdentifier";
-
- /* http request method, default is GET */
- bool http_get_request = TRUE;
-
- /* poll interval time in manual mode in seconds */
- u_int poll_interval = DEFAULT_POLL_INTERVAL;
-
- /* maximum poll time */
- u_int max_poll_time = 0;
-
- err_t ugh = NULL;
-
- /* initialize library */
- if (!library_init(NULL, "scepclient"))
- {
- library_deinit();
- exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
- }
- if (lib->integrity &&
- !lib->integrity->check_file(lib->integrity, "scepclient", argv[0]))
- {
- fprintf(stderr, "integrity check of scepclient failed\n");
- library_deinit();
- exit(SS_RC_DAEMON_INTEGRITY);
- }
-
- /* initialize global variables */
- pkcs1 = chunk_empty;
- pkcs7 = chunk_empty;
- serialNumber = chunk_empty;
- transID = chunk_empty;
- fingerprint = chunk_empty;
- encoding = chunk_empty;
- pkcs10_encoding = chunk_empty;
- issuerAndSubject = chunk_empty;
- challengePassword = chunk_empty;
- getCertInitial = chunk_empty;
- scep_response = chunk_empty;
- subjectAltNames = linked_list_create();
- options = options_create();
-
- for (;;)
- {
- static const struct option long_opts[] = {
- /* name, has_arg, flag, val */
- { "help", no_argument, NULL, 'h' },
- { "version", no_argument, NULL, 'v' },
- { "optionsfrom", required_argument, NULL, '+' },
- { "quiet", no_argument, NULL, 'q' },
- { "debug", required_argument, NULL, 'l' },
- { "in", required_argument, NULL, 'i' },
- { "out", required_argument, NULL, 'o' },
- { "force", no_argument, NULL, 'f' },
- { "httptimeout", required_argument, NULL, 'T' },
- { "bind", required_argument, NULL, 'b' },
- { "keylength", required_argument, NULL, 'k' },
- { "dn", required_argument, NULL, 'd' },
- { "days", required_argument, NULL, 'D' },
- { "startdate", required_argument, NULL, 'S' },
- { "enddate", required_argument, NULL, 'E' },
- { "subjectAltName", required_argument, NULL, 's' },
- { "password", required_argument, NULL, 'p' },
- { "algorithm", required_argument, NULL, 'a' },
- { "url", required_argument, NULL, 'u' },
- { "caname", required_argument, NULL, 'c'},
- { "method", required_argument, NULL, 'm' },
- { "interval", required_argument, NULL, 't' },
- { "maxpolltime", required_argument, NULL, 'x' },
- { 0,0,0,0 }
- };
-
- /* parse next option */
- int c = getopt_long(argc, argv, "hv+:ql:i:o:fT:k:d:s:p:a:u:c:m:t:x:APRCMS", long_opts, NULL);
-
- switch (c)
- {
- case EOF: /* end of flags */
- break;
-
- case 'h': /* --help */
- usage(NULL);
-
- case 'v': /* --version */
- version();
-
- case 'q': /* --quiet */
- log_to_stderr = FALSE;
- continue;
-
- case 'l': /* --debug <level> */
- default_loglevel = atoi(optarg);
- continue;
-
- case 'i': /* --in <type> [= <filename>] */
- {
- char *filename = strstr(optarg, "=");
-
- if (filename)
- {
- /* replace '=' by '\0' */
- *filename = '\0';
- /* set pointer to start of filename */
- filename++;
- }
- if (strcaseeq("pkcs1", optarg))
- {
- filetype_in |= PKCS1;
- if (filename)
- file_in_pkcs1 = filename;
- }
- else if (strcaseeq("pkcs10", optarg))
- {
- filetype_in |= PKCS10;
- if (filename)
- file_in_pkcs10 = filename;
- }
- else if (strcaseeq("cacert-enc", optarg))
- {
- filetype_in |= CACERT_ENC;
- if (filename)
- file_in_cacert_enc = filename;
- }
- else if (strcaseeq("cacert-sig", optarg))
- {
- filetype_in |= CACERT_SIG;
- if (filename)
- file_in_cacert_sig = filename;
- }
- else if (strcaseeq("cert-self", optarg))
- {
- filetype_in |= CERT_SELF;
- if (filename)
- file_in_cert_self = filename;
- }
- else
- {
- usage("invalid --in file type");
- }
- continue;
- }
-
- case 'o': /* --out <type> [= <filename>] */
- {
- char *filename = strstr(optarg, "=");
-
- if (filename)
- {
- /* replace '=' by '\0' */
- *filename = '\0';
- /* set pointer to start of filename */
- filename++;
- }
- if (strcaseeq("pkcs1", optarg))
- {
- filetype_out |= PKCS1;
- if (filename)
- file_out_pkcs1 = filename;
- }
- else if (strcaseeq("pkcs10", optarg))
- {
- filetype_out |= PKCS10;
- if (filename)
- file_out_pkcs10 = filename;
- }
- else if (strcaseeq("pkcs7", optarg))
- {
- filetype_out |= PKCS7;
- if (filename)
- file_out_pkcs7 = filename;
- }
- else if (strcaseeq("cert-self", optarg))
- {
- filetype_out |= CERT_SELF;
- if (filename)
- file_out_cert_self = filename;
- }
- else if (strcaseeq("cert", optarg))
- {
- filetype_out |= CERT;
- if (filename)
- file_out_cert = filename;
- }
- else if (strcaseeq("cacert", optarg))
- {
- request_ca_certificate = TRUE;
- if (filename)
- file_out_ca_cert = filename;
- }
- else
- {
- usage("invalid --out file type");
- }
- continue;
- }
-
- case 'f': /* --force */
- force = TRUE;
- continue;
-
- case 'T': /* --httptimeout */
- http_timeout = atoi(optarg);
- if (http_timeout <= 0)
- {
- usage("invalid httptimeout specified");
- }
- continue;
-
- case 'b': /* --bind */
- http_bind = optarg;
- continue;
-
- case '+': /* --optionsfrom <filename> */
- if (!options->from(options, optarg, &argc, &argv, optind))
- {
- exit_scepclient("optionsfrom failed");
- }
- continue;
-
- case 'k': /* --keylength <length> */
- {
- div_t q;
-
- rsa_keylength = atoi(optarg);
- if (rsa_keylength == 0)
- usage("invalid keylength");
-
- /* check if key length is a multiple of 8 bits */
- q = div(rsa_keylength, 2*BITS_PER_BYTE);
- if (q.rem != 0)
- {
- exit_scepclient("keylength is not a multiple of %d bits!"
- , 2*BITS_PER_BYTE);
- }
- continue;
- }
-
- case 'D': /* --days */
- if (optarg == NULL || !isdigit(optarg[0]))
- {
- usage("missing number of days");
- }
- else
- {
- char *endptr;
- long days = strtol(optarg, &endptr, 0);
-
- if (*endptr != '\0' || endptr == optarg
- || days <= 0)
- usage("<days> must be a positive number");
- validity = 24*3600*days;
- }
- continue;
-
- case 'S': /* --startdate */
- if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
- {
- usage("date format must be YYMMDDHHMMSSZ");
- }
- else
- {
- chunk_t date = { optarg, 13 };
- notBefore = asn1_to_time(&date, ASN1_UTCTIME);
- }
- continue;
-
- case 'E': /* --enddate */
- if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
- {
- usage("date format must be YYMMDDHHMMSSZ");
- }
- else
- {
- chunk_t date = { optarg, 13 };
- notAfter = asn1_to_time(&date, ASN1_UTCTIME);
- }
- continue;
-
- case 'd': /* --dn */
- if (distinguishedName)
- {
- usage("only one distinguished name allowed");
- }
- distinguishedName = optarg;
- continue;
-
- case 's': /* --subjectAltName */
- {
- char *value = strstr(optarg, "=");
-
- if (value)
- {
- /* replace '=' by '\0' */
- *value = '\0';
- /* set pointer to start of value */
- value++;
- }
-
- if (strcaseeq("email", optarg) ||
- strcaseeq("dns", optarg) ||
- strcaseeq("ip", optarg))
- {
- subjectAltNames->insert_last(subjectAltNames,
- identification_create_from_string(value));
- continue;
- }
- else
- {
- usage("invalid --subjectAltName type");
- continue;
- }
- }
-
- case 'p': /* --password */
- if (challengePassword.len > 0)
- {
- usage("only one challenge password allowed");
- }
- if (strcaseeq("%prompt", optarg))
- {
- printf("Challenge password: ");
- if (fgets(challenge_password_buffer,
- sizeof(challenge_password_buffer) - 1, stdin))
- {
- challengePassword.ptr = challenge_password_buffer;
- /* discard the terminating '\n' from the input */
- challengePassword.len = strlen(challenge_password_buffer) - 1;
- }
- else
- {
- usage("challenge password could not be read");
- }
- }
- else
- {
- challengePassword.ptr = optarg;
- challengePassword.len = strlen(optarg);
- }
- continue;
-
- case 'u': /* -- url */
- if (scep_url)
- {
- usage("only one URL argument allowed");
- }
- scep_url = optarg;
- continue;
-
- case 'c': /* -- caname */
- ca_name = optarg;
- continue;
-
- case 'm': /* --method */
- if (strcaseeq("get", optarg))
- {
- http_get_request = TRUE;
- }
- else if (strcaseeq("post", optarg))
- {
- http_get_request = FALSE;
- }
- else
- {
- usage("invalid http request method specified");
- }
- continue;
-
- case 't': /* --interval */
- poll_interval = atoi(optarg);
- if (poll_interval <= 0)
- {
- usage("invalid interval specified");
- }
- continue;
-
- case 'x': /* --maxpolltime */
- max_poll_time = atoi(optarg);
- continue;
-
- case 'a': /*--algorithm [<type>=]algo */
- {
- const proposal_token_t *token;
- char *type = optarg;
- char *algo = strstr(optarg, "=");
-
- if (algo)
- {
- *algo = '\0';
- algo++;
- }
- else
- {
- type = "enc";
- algo = optarg;
- }
-
- if (strcaseeq("enc", type))
- {
- token = lib->proposal->get_token(lib->proposal, algo);
- if (token == NULL || token->type != ENCRYPTION_ALGORITHM)
- {
- usage("invalid algorithm specified");
- }
- pkcs7_symmetric_cipher = token->algorithm;
- pkcs7_key_size = token->keysize;
- if (encryption_algorithm_to_oid(token->algorithm,
- token->keysize) == OID_UNKNOWN)
- {
- usage("unsupported encryption algorithm specified");
- }
- }
- else if (strcaseeq("dgst", type) ||
- strcaseeq("sig", type))
- {
- hash_algorithm_t hash;
-
- token = lib->proposal->get_token(lib->proposal, algo);
- if (token == NULL || token->type != INTEGRITY_ALGORITHM)
- {
- usage("invalid algorithm specified");
- }
- hash = hasher_algorithm_from_integrity(token->algorithm,
- NULL);
- if (hash == (hash_algorithm_t)OID_UNKNOWN)
- {
- usage("invalid algorithm specified");
- }
- if (strcaseeq("dgst", type))
- {
- pkcs7_digest_alg = hash;
- }
- else
- {
- pkcs10_signature_alg = hash;
- }
- }
- else
- {
- usage("invalid --algorithm type");
- }
- continue;
- }
- default:
- usage("unknown option");
- }
- /* break from loop */
- break;
- }
-
- init_log("scepclient");
-
- /* load plugins, further infrastructure may need it */
- if (!lib->plugins->load(lib->plugins,
- lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS)))
- {
- exit_scepclient("plugin loading failed");
- }
- lib->plugins->status(lib->plugins, LEVEL_DIAG);
-
- if ((filetype_out == 0) && (!request_ca_certificate))
- {
- usage("--out filetype required");
- }
- if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0))
- {
- usage("in CA certificate request, no other --in or --out option allowed");
- }
-
- /* check if url is given, if cert output defined */
- if (((filetype_out & CERT) || request_ca_certificate) && !scep_url)
- {
- usage("URL of SCEP server required");
- }
-
- /* check for sanity of --in/--out */
- if (!filetype_in && (filetype_in > filetype_out))
- {
- usage("cannot generate --out of given --in!");
- }
-
- /* get CA cert */
- if (request_ca_certificate)
- {
- char ca_path[PATH_MAX];
- container_t *container;
- pkcs7_t *p7;
-
- if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)),
- SCEP_GET_CA_CERT, http_get_request,
- http_timeout, http_bind, &scep_response))
- {
- exit_scepclient("did not receive a valid scep response");
- }
-
- join_paths(ca_path, sizeof(ca_path), CA_CERT_PATH, file_out_ca_cert);
-
- p7 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
- BUILD_BLOB_ASN1_DER, scep_response, BUILD_END);
-
- if (!p7)
- { /* no PKCS#7 encoded CA+RA certificates, assume simple CA cert */
-
- DBG1(DBG_APP, "unable to parse PKCS#7, assuming plain CA cert");
- if (!chunk_write(scep_response, ca_path, 0022, force))
- {
- exit_scepclient("could not write ca cert file '%s': %s",
- ca_path, strerror(errno));
- }
- }
- else
- {
- enumerator_t *enumerator;
- certificate_t *cert;
- int ra_certs = 0, ca_certs = 0;
- int ra_index = 1, ca_index = 1;
-
- enumerator = p7->create_cert_enumerator(p7);
- while (enumerator->enumerate(enumerator, &cert))
- {
- x509_t *x509 = (x509_t*)cert;
- if (x509->get_flags(x509) & X509_CA)
- {
- ca_certs++;
- }
- else
- {
- ra_certs++;
- }
- }
- enumerator->destroy(enumerator);
-
- enumerator = p7->create_cert_enumerator(p7);
- while (enumerator->enumerate(enumerator, &cert))
- {
- x509_t *x509 = (x509_t*)cert;
- bool ca_cert = x509->get_flags(x509) & X509_CA;
- char cert_path[PATH_MAX], *path = ca_path;
-
- if (ca_cert && ca_certs > 1)
- {
- add_path_suffix(cert_path, sizeof(cert_path), ca_path,
- "-%.1d", ca_index++);
- path = cert_path;
- }
- else if (!ca_cert)
- { /* use CA name as base for RA certs */
- if (ra_certs > 1)
- {
- add_path_suffix(cert_path, sizeof(cert_path), ca_path,
- "-ra-%.1d", ra_index++);
- }
- else
- {
- add_path_suffix(cert_path, sizeof(cert_path), ca_path,
- "-ra");
- }
- path = cert_path;
- }
-
- if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
- !chunk_write(encoding, path, 0022, force))
- {
- exit_scepclient("could not write cert file '%s': %s",
- path, strerror(errno));
- }
- chunk_free(&encoding);
- }
- enumerator->destroy(enumerator);
- container = &p7->container;
- container->destroy(container);
- }
- exit_scepclient(NULL); /* no further output required */
- }
-
- creds = mem_cred_create();
- lib->credmgr->add_set(lib->credmgr, &creds->set);
-
- /*
- * input of PKCS#1 file
- */
- if (filetype_in & PKCS1) /* load an RSA key pair from file */
- {
- char path[PATH_MAX];
-
- join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_in_pkcs1);
-
- private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
- BUILD_FROM_FILE, path, BUILD_END);
- }
- else /* generate an RSA key pair */
- {
- private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
- BUILD_KEY_SIZE, rsa_keylength,
- BUILD_END);
- }
- if (private_key == NULL)
- {
- exit_scepclient("no RSA private key available");
- }
- creds->add_key(creds, private_key->get_ref(private_key));
- public_key = private_key->get_public_key(private_key);
-
- /* check for minimum key length */
- if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS / BITS_PER_BYTE)
- {
- exit_scepclient("length of RSA key has to be at least %d bits",
- RSA_MIN_OCTETS * BITS_PER_BYTE);
- }
-
- /*
- * input of PKCS#10 file
- */
- if (filetype_in & PKCS10)
- {
- char path[PATH_MAX];
-
- join_paths(path, sizeof(path), REQ_PATH, file_in_pkcs10);
-
- pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
- CERT_PKCS10_REQUEST, BUILD_FROM_FILE,
- path, BUILD_END);
- if (!pkcs10_req)
- {
- exit_scepclient("could not read certificate request '%s'", path);
- }
- subject = pkcs10_req->get_subject(pkcs10_req);
- subject = subject->clone(subject);
- }
- else
- {
- if (distinguishedName == NULL)
- {
- int n = sprintf(default_distinguished_name, DEFAULT_DN);
-
- /* set the common name to the hostname */
- if (gethostname(default_distinguished_name + n, BUF_LEN - n) ||
- strlen(default_distinguished_name) == n)
- {
- exit_scepclient("no hostname defined, use "
- "--dn <distinguished name> option");
- }
- distinguishedName = default_distinguished_name;
- }
-
- DBG2(DBG_APP, "dn: '%s'", distinguishedName);
- subject = identification_create_from_string(distinguishedName);
- if (subject->get_type(subject) != ID_DER_ASN1_DN)
- {
- exit_scepclient("parsing of distinguished name failed");
- }
-
- DBG2(DBG_APP, "building pkcs10 object:");
- pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
- CERT_PKCS10_REQUEST,
- BUILD_SIGNING_KEY, private_key,
- BUILD_SUBJECT, subject,
- BUILD_SUBJECT_ALTNAMES, subjectAltNames,
- BUILD_CHALLENGE_PWD, challengePassword,
- BUILD_DIGEST_ALG, pkcs10_signature_alg,
- BUILD_END);
- if (!pkcs10_req)
- {
- exit_scepclient("generating pkcs10 request failed");
- }
- }
- pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding);
- fingerprint = scep_generate_pkcs10_fingerprint(pkcs10_encoding);
- DBG1(DBG_APP, " fingerprint: %s", fingerprint.ptr);
-
- /*
- * output of PKCS#10 file
- */
- if (filetype_out & PKCS10)
- {
- char path[PATH_MAX];
-
- join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs10);
-
- if (!chunk_write(pkcs10_encoding, path, 0022, force))
- {
- exit_scepclient("could not write pkcs10 file '%s': %s",
- path, strerror(errno));
- }
- filetype_out &= ~PKCS10; /* delete PKCS10 flag */
- }
-
- if (!filetype_out)
- {
- exit_scepclient(NULL); /* no further output required */
- }
-
- /*
- * output of PKCS#1 file
- */
- if (filetype_out & PKCS1)
- {
- char path[PATH_MAX];
-
- join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_out_pkcs1);
-
- DBG2(DBG_APP, "building pkcs1 object:");
- if (!private_key->get_encoding(private_key, PRIVKEY_ASN1_DER, &pkcs1) ||
- !chunk_write(pkcs1, path, 0066, force))
- {
- exit_scepclient("could not write pkcs1 file '%s': %s",
- path, strerror(errno));
- }
- filetype_out &= ~PKCS1; /* delete PKCS1 flag */
- }
-
- if (!filetype_out)
- {
- exit_scepclient(NULL); /* no further output required */
- }
-
- scep_generate_transaction_id(public_key, &transID, &serialNumber);
- DBG1(DBG_APP, " transaction ID: %.*s", (int)transID.len, transID.ptr);
-
- /*
- * read or generate self-signed X.509 certificate
- */
- if (filetype_in & CERT_SELF)
- {
- char path[PATH_MAX];
-
- join_paths(path, sizeof(path), HOST_CERT_PATH, file_in_cert_self);
-
- x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_FROM_FILE, path, BUILD_END);
- if (!x509_signer)
- {
- exit_scepclient("could not read certificate file '%s'", path);
- }
- }
- else
- {
- notBefore = notBefore ? notBefore : time(NULL);
- notAfter = notAfter ? notAfter : (notBefore + validity);
- x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_SIGNING_KEY, private_key,
- BUILD_PUBLIC_KEY, public_key,
- BUILD_SUBJECT, subject,
- BUILD_NOT_BEFORE_TIME, notBefore,
- BUILD_NOT_AFTER_TIME, notAfter,
- BUILD_SERIAL, serialNumber,
- BUILD_SUBJECT_ALTNAMES, subjectAltNames,
- BUILD_END);
- if (!x509_signer)
- {
- exit_scepclient("generating certificate failed");
- }
- }
- creds->add_cert(creds, TRUE, x509_signer->get_ref(x509_signer));
-
- /*
- * output of self-signed X.509 certificate file
- */
- if (filetype_out & CERT_SELF)
- {
- char path[PATH_MAX];
-
- join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert_self);
-
- if (!x509_signer->get_encoding(x509_signer, CERT_ASN1_DER, &encoding))
- {
- exit_scepclient("encoding certificate failed");
- }
- if (!chunk_write(encoding, path, 0022, force))
- {
- exit_scepclient("could not write self-signed cert file '%s': %s",
- path, strerror(errno));
- }
- chunk_free(&encoding);
- filetype_out &= ~CERT_SELF; /* delete CERT_SELF flag */
- }
-
- if (!filetype_out)
- {
- exit_scepclient(NULL); /* no further output required */
- }
-
- /*
- * load ca encryption certificate
- */
- {
- char path[PATH_MAX];
-
- join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_enc);
-
- x509_ca_enc = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_FROM_FILE, path, BUILD_END);
- if (!x509_ca_enc)
- {
- exit_scepclient("could not load encryption cacert file '%s'", path);
- }
- }
-
- /*
- * input of PKCS#7 file
- */
- if (filetype_in & PKCS7)
- {
- /* user wants to load a pkcs7 encrypted request
- * operation is not yet supported!
- * would require additional parsing of transaction-id
-
- pkcs7 = pkcs7_read_from_file(file_in_pkcs7);
-
- */
- }
- else
- {
- DBG2(DBG_APP, "building pkcs7 request");
- pkcs7 = scep_build_request(pkcs10_encoding,
- transID, SCEP_PKCSReq_MSG, x509_ca_enc,
- pkcs7_symmetric_cipher, pkcs7_key_size,
- x509_signer, pkcs7_digest_alg, private_key);
- if (!pkcs7.ptr)
- {
- exit_scepclient("failed to build pkcs7 request");
- }
- }
-
- /*
- * output pkcs7 encrypted and signed certificate request
- */
- if (filetype_out & PKCS7)
- {
- char path[PATH_MAX];
-
- join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs7);
-
- if (!chunk_write(pkcs7, path, 0022, force))
- {
- exit_scepclient("could not write pkcs7 file '%s': %s",
- path, strerror(errno));
- }
- filetype_out &= ~PKCS7; /* delete PKCS7 flag */
- }
-
- if (!filetype_out)
- {
- exit_scepclient(NULL); /* no further output required */
- }
-
- /*
- * output certificate fetch from SCEP server
- */
- if (filetype_out & CERT)
- {
- bool stored = FALSE;
- certificate_t *cert;
- enumerator_t *enumerator;
- char path[PATH_MAX];
- time_t poll_start = 0;
- pkcs7_t *p7;
- container_t *container = NULL;
- chunk_t chunk;
- scep_attributes_t attrs = empty_scep_attributes;
-
- join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_sig);
-
- x509_ca_sig = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_FROM_FILE, path, BUILD_END);
- if (!x509_ca_sig)
- {
- exit_scepclient("could not load signature cacert file '%s'", path);
- }
-
- creds->add_cert(creds, TRUE, x509_ca_sig->get_ref(x509_ca_sig));
-
- if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
- http_get_request, http_timeout, http_bind, &scep_response))
- {
- exit_scepclient("did not receive a valid scep response");
- }
- ugh = scep_parse_response(scep_response, transID, &container, &attrs);
- if (ugh != NULL)
- {
- exit_scepclient(ugh);
- }
-
- /* in case of manual mode, we are going into a polling loop */
- if (attrs.pkiStatus == SCEP_PENDING)
- {
- identification_t *issuer = x509_ca_sig->get_subject(x509_ca_sig);
-
- DBG1(DBG_APP, " scep request pending, polling every %d seconds",
- poll_interval);
- poll_start = time_monotonic(NULL);
- issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc",
- issuer->get_encoding(issuer),
- subject->get_encoding(subject));
- }
- while (attrs.pkiStatus == SCEP_PENDING)
- {
- if (max_poll_time > 0 &&
- (time_monotonic(NULL) - poll_start >= max_poll_time))
- {
- exit_scepclient("maximum poll time reached: %d seconds"
- , max_poll_time);
- }
- DBG2(DBG_APP, "going to sleep for %d seconds", poll_interval);
- sleep(poll_interval);
- free(scep_response.ptr);
- container->destroy(container);
-
- DBG2(DBG_APP, "fingerprint: %.*s",
- (int)fingerprint.len, fingerprint.ptr);
- DBG2(DBG_APP, "transaction ID: %.*s",
- (int)transID.len, transID.ptr);
-
- chunk_free(&getCertInitial);
- getCertInitial = scep_build_request(issuerAndSubject,
- transID, SCEP_GetCertInitial_MSG, x509_ca_enc,
- pkcs7_symmetric_cipher, pkcs7_key_size,
- x509_signer, pkcs7_digest_alg, private_key);
- if (!getCertInitial.ptr)
- {
- exit_scepclient("failed to build scep request");
- }
- if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
- http_get_request, http_timeout, http_bind, &scep_response))
- {
- exit_scepclient("did not receive a valid scep response");
- }
- ugh = scep_parse_response(scep_response, transID, &container, &attrs);
- if (ugh != NULL)
- {
- exit_scepclient(ugh);
- }
- }
-
- if (attrs.pkiStatus != SCEP_SUCCESS)
- {
- container->destroy(container);
- exit_scepclient("reply status is not 'SUCCESS'");
- }
-
- if (!container->get_data(container, &chunk))
- {
- container->destroy(container);
- exit_scepclient("extracting signed-data failed");
- }
- container->destroy(container);
-
- /* decrypt enveloped-data container */
- container = lib->creds->create(lib->creds,
- CRED_CONTAINER, CONTAINER_PKCS7,
- BUILD_BLOB_ASN1_DER, chunk,
- BUILD_END);
- free(chunk.ptr);
- if (!container)
- {
- exit_scepclient("could not decrypt envelopedData");
- }
-
- if (!container->get_data(container, &chunk))
- {
- container->destroy(container);
- exit_scepclient("extracting encrypted-data failed");
- }
- container->destroy(container);
-
- /* parse signed-data container */
- container = lib->creds->create(lib->creds,
- CRED_CONTAINER, CONTAINER_PKCS7,
- BUILD_BLOB_ASN1_DER, chunk,
- BUILD_END);
- free(chunk.ptr);
- if (!container)
- {
- exit_scepclient("could not parse singed-data");
- }
- /* no need to verify the signed-data container, the signature does NOT
- * cover the contained certificates */
-
- /* store the end entity certificate */
- join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert);
-
- p7 = (pkcs7_t*)container;
- enumerator = p7->create_cert_enumerator(p7);
- while (enumerator->enumerate(enumerator, &cert))
- {
- x509_t *x509 = (x509_t*)cert;
-
- if (!(x509->get_flags(x509) & X509_CA))
- {
- if (stored)
- {
- exit_scepclient("multiple certs received, only first stored");
- }
- if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
- !chunk_write(encoding, path, 0022, force))
- {
- exit_scepclient("could not write cert file '%s': %s",
- path, strerror(errno));
- }
- chunk_free(&encoding);
- stored = TRUE;
- }
- }
- enumerator->destroy(enumerator);
- container->destroy(container);
- chunk_free(&attrs.transID);
- chunk_free(&attrs.senderNonce);
- chunk_free(&attrs.recipientNonce);
-
- filetype_out &= ~CERT; /* delete CERT flag */
- }
-
- exit_scepclient(NULL);
- return -1; /* should never be reached */
-}