pki.load =
Plugins to load in the pki tool.
+pki.scep.http_bind
+ Source IP address to bind for HTTP operations.
+
+pki.scep.http_timeout = 30s
+ Timeout for HTTP operations.
+
pki.scep.renewal_via_pkcs_req = no
Some SCEP servers (e.g. openxpki) are incorrectly doing certificate renewal
via messageType PKCSReq (19) instead of RenewalReq (17).
linked_list_t *san;
enumerator_t *enumerator;
int status = 1;
- bool ok, stored = FALSE;
-
- scep_http_params_t http_params = {
- .get_request = FALSE, .timeout = 30, .bind = NULL
- };
+ bool ok, http_post = FALSE, stored = FALSE;
bool pss = lib->settings->get_bool(lib->settings,
"%s.rsa_pss", FALSE, lib->ns);
public = private->get_public_key(private);
/* Request capabilities from SCEP server */
- if (!scep_http_request(url, chunk_empty, SCEP_GET_CA_CAPS, &http_params,
+ if (!scep_http_request(url, chunk_empty, SCEP_GET_CA_CAPS, FALSE,
&scep_response))
{
DBG1(DBG_APP, "did not receive a valid scep response");
if ((caps_flags & SCEP_CAPS_POSTPKIOPERATION) ||
(caps_flags & SCEP_CAPS_SCEPSTANDARD))
{
- http_params.get_request = FALSE;
+ http_post = TRUE;
}
- DBG2(DBG_APP, "HTTP POST %ssupported",
- http_params.get_request ? "not " : "");
+ DBG2(DBG_APP, "HTTP POST %ssupported", http_post ? "" : "not ");
scheme = get_signature_scheme(private, digest_alg, pss);
if (!scheme)
goto end;
}
- if (!scep_http_request(url, pkcs7_req, SCEP_PKI_OPERATION, &http_params,
+ if (!scep_http_request(url, pkcs7_req, SCEP_PKI_OPERATION, http_post,
&scep_response))
{
DBG1(DBG_APP, "did not receive a valid SCEP response");
DBG1(DBG_APP, "failed to build SCEP certPoll request");
goto end;
}
- if (!scep_http_request(url, certPoll, SCEP_PKI_OPERATION,
- &http_params, &scep_response))
+ if (!scep_http_request(url, certPoll, SCEP_PKI_OPERATION, http_post,
+ &scep_response))
{
DBG1(DBG_APP, "did not receive a valid SCEP response");
goto end;
int cert_type_count[] = { 0, 0, 0 };
- scep_http_params_t http_params = {
- .get_request = TRUE, .timeout = 30, .bind = NULL
- };
-
while (TRUE)
{
switch (command_getopt(&arg))
return command_usage("--url is required");
}
- if (!scep_http_request(url, chunk_empty, SCEP_GET_CA_CERT, &http_params,
+ if (!scep_http_request(url, chunk_empty, SCEP_GET_CA_CERT, FALSE,
&scep_response))
{
DBG1(DBG_APP, "did not receive a valid scep response");
* Send a SCEP request via HTTP and wait for a response
*/
bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
- scep_http_params_t *http_params, chunk_t *response)
+ bool http_post, chunk_t *response)
{
int len;
status_t status;
const char *operation;
host_t *srcip = NULL;
- /* initialize response */
- *response = chunk_empty;
+ uint32_t http_timeout = lib->settings->get_time(lib->settings,
+ "%s.scep.http_timeout", 30, lib->ns);
- if (http_params->bind)
+ char *http_bind = lib->settings->get_str(lib->settings,
+ "%s.scep.http_bind", NULL, lib->ns);
+
+ if (http_bind)
{
- srcip = host_create_from_string(http_params->bind, 0);
+ srcip = host_create_from_string(http_bind, 0);
}
DBG2(DBG_APP, "sending scep request to '%s'", url);
+ /* initialize response */
+ *response = chunk_empty;
+
operation = operations[op];
switch (op)
{
case SCEP_PKI_OPERATION:
default:
- if (http_params->get_request)
+ if (http_post)
+ {
+ /* form complete url */
+ len = strlen(url) + 11 + strlen(operation) + 1;
+ complete_url = malloc(len);
+ snprintf(complete_url, len, "%s?operation=%s", url, operation);
+
+ status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
+ FETCH_TIMEOUT, http_timeout,
+ FETCH_REQUEST_DATA, msg,
+ FETCH_REQUEST_TYPE, "",
+ FETCH_REQUEST_HEADER, "Expect:",
+ FETCH_SOURCEIP, srcip,
+ FETCH_END);
+ }
+ else /* HTTP_GET */
{
char *escaped_req = escape_http_request(msg);
free(escaped_req);
status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
- FETCH_TIMEOUT, http_params->timeout,
+ FETCH_TIMEOUT, http_timeout,
FETCH_REQUEST_HEADER, "Pragma:",
FETCH_REQUEST_HEADER, "Host:",
FETCH_REQUEST_HEADER, "Accept:",
FETCH_SOURCEIP, srcip,
FETCH_END);
}
- else /* HTTP_POST */
- {
- /* form complete url */
- len = strlen(url) + 11 + strlen(operation) + 1;
- complete_url = malloc(len);
- snprintf(complete_url, len, "%s?operation=%s", url, operation);
-
- status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
- FETCH_TIMEOUT, http_params->timeout,
- FETCH_REQUEST_DATA, msg,
- FETCH_REQUEST_TYPE, "",
- FETCH_REQUEST_HEADER, "Expect:",
- FETCH_SOURCEIP, srcip,
- FETCH_END);
- }
break;
case SCEP_GET_CA_CERT:
case SCEP_GET_CA_CAPS:
snprintf(complete_url, len, "%s?operation=%s", url, operation);
status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
- FETCH_TIMEOUT, http_params->timeout,
+ FETCH_TIMEOUT, http_timeout,
FETCH_SOURCEIP, srcip,
FETCH_END);
}
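Review bot: In the POST branch moved to L109-L111, `complete_url = malloc(len)` is still handed to `snprintf` with no NULL check, so an allocation failure dereferences a null pointer; a guard such as `if (!complete_url) { status = FAILED; break; }` before the `snprintf` keeps the failure on the normal error path, assuming the tail of the function maps `status` to the return value (the `len` computation at L109 also mixes `int` with the `size_t` results of `strlen`). A second gap is at L91-L95: when `pki.scep.http_bind` is set but does not parse, `host_create_from_string` presumably returns NULL and the request is then sent unbound with no diagnostic, so an `else` branch with `DBG1(DBG_APP, "invalid scep.http_bind address '%s'", http_bind)` (or an early failure) would make the misconfiguration visible instead of silently ignoring it. The end of scep_http_request, including the `status` handling and the release of `srcip` and `complete_url`, lies outside the hunk.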
chunk_t recipientNonce;
} scep_attributes_t;
-/* SCEP http parameters */
-typedef struct {
- bool get_request;
- u_int timeout;
- char *bind;
-} scep_http_params_t;
-
/* SCEP CA Capabilities */
typedef enum {
SCEP_CAPS_AES = 0,
size_t key_size, certificate_t *signer_cert,
hash_algorithm_t digest_alg, private_key_t *private_key);
-bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
- scep_http_params_t *http_params, chunk_t *response);
+bool scep_http_request(const char *url, chunk_t msg, scep_op_t op, bool use_post,
+ chunk_t *response);
bool scep_parse_response(chunk_t response, chunk_t transID, container_t **out,
scep_attributes_t *attrs);