#include <string.h>
#include <stdlib.h>
-#include <freeswan.h>
-
#include <library.h>
#include <debug.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
#include <asn1/oid.h>
+#include <crypto/pkcs9.h>
#include <crypto/rngs/rng.h>
#include <crypto/hashers/hasher.h>
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/fetch.h"
-
#include "scep.h"
static const char *pkiStatus_values[] = { "0", "2", "3" };
{ NULL, 0 } , /* recipientNonce */
};
-/* ASN.1 definition of the X.501 atttribute type */
-
-static const asn1Object_t attributesObjects[] = {
- { 0, "attributes", ASN1_SET, ASN1_LOOP }, /* 0 */
- { 1, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
- { 2, "type", ASN1_OID, ASN1_BODY }, /* 2 */
- { 2, "values", ASN1_SET, ASN1_LOOP }, /* 3 */
- { 3, "value", ASN1_EOC, ASN1_RAW }, /* 4 */
- { 2, "end loop", ASN1_EOC, ASN1_END }, /* 5 */
- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 6 */
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
-};
-#define ATTRIBUTE_OBJ_TYPE 2
-#define ATTRIBUTE_OBJ_VALUE 4
-
/**
- * Extract and store an attribute
+ * Extract X.501 attributes
*/
-static bool extract_attribute(int oid, chunk_t object, u_int level,
- scep_attributes_t *attrs)
+void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs)
{
- asn1_t type = ASN1_EOC;
- const char *name = "none";
+ pkcs9_t *attributes = pkcs7->get_attributes(pkcs7);
+ chunk_t attr;
- switch (oid)
+ attr = attributes->get_attribute(attributes, OID_PKI_MESSAGE_TYPE);
+ if (attr.ptr)
{
- case OID_PKCS9_CONTENT_TYPE:
- type = ASN1_OID;
- name = "contentType";
- break;
- case OID_PKCS9_SIGNING_TIME:
- type = ASN1_UTCTIME;
- name = "signingTime";
- break;
- case OID_PKCS9_MESSAGE_DIGEST:
- type = ASN1_OCTET_STRING;
- name = "messageDigest";
- break;
- case OID_PKI_MESSAGE_TYPE:
- type = ASN1_PRINTABLESTRING;
- name = "messageType";
- break;
- case OID_PKI_STATUS:
- type = ASN1_PRINTABLESTRING;
- name = "pkiStatus";
- break;
- case OID_PKI_FAIL_INFO:
- type = ASN1_PRINTABLESTRING;
- name = "failInfo";
- break;
- case OID_PKI_SENDER_NONCE:
- type = ASN1_OCTET_STRING;
- name = "senderNonce";
- break;
- case OID_PKI_RECIPIENT_NONCE:
- type = ASN1_OCTET_STRING;
- name = "recipientNonce";
- break;
- case OID_PKI_TRANS_ID:
- type = ASN1_PRINTABLESTRING;
- name = "transID";
- break;
- default:
- break;
- }
+ scep_msg_t m;
- if (type == ASN1_EOC)
- {
- return TRUE;
- }
-
- if (!asn1_parse_simple_object(&object, type, level+1, name))
- {
- return FALSE;
- }
-
- switch (oid)
- {
- case OID_PKCS9_CONTENT_TYPE:
- break;
- case OID_PKCS9_SIGNING_TIME:
- break;
- case OID_PKCS9_MESSAGE_DIGEST:
- break;
- case OID_PKI_MESSAGE_TYPE:
+ for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
{
- scep_msg_t m;
-
- for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
+ if (strncmp(msgType_values[m], attr.ptr, attr.len) == 0)
{
- if (strncmp(msgType_values[m], object.ptr, object.len) == 0)
- attrs->msgType = m;
+ attrs->msgType = m;
}
- DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]);
- break;
}
- case OID_PKI_STATUS:
- {
- pkiStatus_t s;
+ DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]);
+ }
+ attr = attributes->get_attribute(attributes, OID_PKI_STATUS);
+ if (attr.ptr)
+ {
+ pkiStatus_t s;
- for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
- {
- if (strncmp(pkiStatus_values[s], object.ptr, object.len) == 0)
- {
- attrs->pkiStatus = s;
- }
- }
- DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]);
- break;
- }
- case OID_PKI_FAIL_INFO:
+ for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
{
- if (object.len == 1 &&
- *object.ptr >= '0' && *object.ptr <= '4')
+ if (strncmp(pkiStatus_values[s], attr.ptr, attr.len) == 0)
{
- attrs->failInfo = (failInfo_t)(*object.ptr - '0');
+ attrs->pkiStatus = s;
}
- if (attrs->failInfo != SCEP_unknown_REASON)
- {
- DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]);
- }
- break;
}
- case OID_PKI_SENDER_NONCE:
- attrs->senderNonce = object;
- break;
- case OID_PKI_RECIPIENT_NONCE:
- attrs->recipientNonce = object;
- break;
- case OID_PKI_TRANS_ID:
- attrs->transID = object;
- break;
+ DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]);
}
- return TRUE;
-}
-
-/**
- * Parse X.501 attributes
- */
-bool parse_attributes(chunk_t blob, scep_attributes_t *attrs)
-{
- asn1_parser_t *parser;
- chunk_t object;
- int oid = OID_UNKNOWN;
- int objectID;
- bool success = FALSE;
-
- parser = asn1_parser_create(attributesObjects, blob);
- DBG3(DBG_APP, "parsing attributes");
-
- while (parser->iterate(parser, &objectID, &object))
+ attr = attributes->get_attribute(attributes, OID_PKI_FAIL_INFO);
+ if (attr.ptr)
{
- switch (objectID)
+ if (attr.len == 1 && *attr.ptr >= '0' && *attr.ptr <= '4')
{
- case ATTRIBUTE_OBJ_TYPE:
- oid = asn1_known_oid(object);
- break;
- case ATTRIBUTE_OBJ_VALUE:
- {
- if (!extract_attribute(oid, object, parser->get_level(parser), attrs))
- {
- goto end;
- }
- break;
- }
+ attrs->failInfo = (failInfo_t)(*attr.ptr - '0');
+ }
+ if (attrs->failInfo != SCEP_unknown_REASON)
+ {
+ DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]);
}
}
- success = parser->success(parser);
-
-end:
- parser->destroy(parser);
- return success;
+ attrs->senderNonce = attributes->get_attribute(attributes,
+ OID_PKI_SENDER_NONCE);
+ attrs->recipientNonce = attributes->get_attribute(attributes,
+ OID_PKI_RECIPIENT_NONCE);
+ attrs->transID = attributes->get_attribute(attributes,
+ OID_PKI_TRANS_ID);
}
/**
}
/**
- * Builds a transId attribute
- */
-chunk_t scep_transId_attribute(chunk_t transID)
-{
- return asn1_wrap(ASN1_SEQUENCE, "cm",
- asn1_build_known_oid(OID_PKI_TRANS_ID),
- asn1_wrap(ASN1_SET, "m",
- asn1_simple_object(ASN1_PRINTABLESTRING, transID)));
-}
-
-/**
- * Builds a messageType attribute
- */
-chunk_t scep_messageType_attribute(scep_msg_t m)
-{
- chunk_t msgType = {
- (u_char*)msgType_values[m],
- strlen(msgType_values[m])
- };
-
- return asn1_wrap(ASN1_SEQUENCE, "mm",
- asn1_build_known_oid(OID_PKI_MESSAGE_TYPE),
- asn1_wrap(ASN1_SET, "m",
- asn1_simple_object(ASN1_PRINTABLESTRING, msgType)));
-}
-
-/**
- * Builds a senderNonce attribute
+ * Adds a senderNonce attribute to the given pkcs9 attribute list
*/
-chunk_t scep_senderNonce_attribute(void)
+static void add_senderNonce_attribute(pkcs9_t *pkcs9)
{
const size_t nonce_len = 16;
u_char nonce_buf[nonce_len];
rng->get_bytes(rng, nonce_len, nonce_buf);
rng->destroy(rng);
- return asn1_wrap(ASN1_SEQUENCE, "cm",
- asn1_build_known_oid(OID_PKI_SENDER_NONCE),
- asn1_wrap(ASN1_SET, "m",
- asn1_simple_object(ASN1_OCTET_STRING, senderNonce)));
+ pkcs9->set_attribute(pkcs9, OID_PKI_SENDER_NONCE, senderNonce);
}
/**
* Builds a pkcs7 enveloped and signed scep request
*/
chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
- certificate_t *enc_cert, int enc_alg,
- certificate_t *signer_cert, int digest_alg,
- private_key_t *private_key)
+ certificate_t *enc_cert, encryption_algorithm_t enc_alg,
+ size_t key_size, certificate_t *signer_cert,
+ hash_algorithm_t digest_alg, private_key_t *private_key)
{
- chunk_t envelopedData, attributes, request;
+ chunk_t request, msgType = {
+ (u_char*)msgType_values[msg],
+ strlen(msgType_values[msg]),
+ };
+ pkcs7_t *pkcs7;
+ pkcs9_t *pkcs9;
- envelopedData = pkcs7_build_envelopedData(data, enc_cert, enc_alg);
+ pkcs7 = pkcs7_create_from_data(data);
+ if (!pkcs7->build_envelopedData(pkcs7, enc_cert, enc_alg, key_size))
+ {
+ pkcs7->destroy(pkcs7);
+ return chunk_empty;
+ }
- attributes = asn1_wrap(ASN1_SET, "mmmmm",
- pkcs7_contentType_attribute(),
- pkcs7_messageDigest_attribute(envelopedData, digest_alg),
- scep_transId_attribute(transID),
- scep_messageType_attribute(msg),
- scep_senderNonce_attribute());
+ pkcs9 = pkcs9_create();
+ pkcs9->set_attribute(pkcs9, OID_PKI_TRANS_ID, transID);
+ pkcs9->set_attribute(pkcs9, OID_PKI_MESSAGE_TYPE, msgType);
+ add_senderNonce_attribute(pkcs9);
- request = pkcs7_build_signedData(envelopedData, attributes,
- signer_cert, digest_alg, private_key);
- free(envelopedData.ptr);
- free(attributes.ptr);
+ pkcs7->set_attributes(pkcs7, pkcs9);
+ pkcs7->set_certificate(pkcs7, signer_cert->get_ref(signer_cert));
+ if (!pkcs7->build_signedData(pkcs7, private_key, digest_alg))
+ {
+ pkcs7->destroy(pkcs7);
+ return chunk_empty;
+ }
+ request = pkcs7->get_contentInfo(pkcs7);
+ pkcs7->destroy(pkcs7);
return request;
}
return (status == SUCCESS);
}
-err_t scep_parse_response(chunk_t response, chunk_t transID, contentInfo_t *data,
+err_t scep_parse_response(chunk_t response, chunk_t transID, pkcs7_t **data,
scep_attributes_t *attrs, certificate_t *signer_cert)
{
- chunk_t attributes;
+ pkcs7_t *pkcs7;
- if (!pkcs7_parse_signedData(response, data, NULL, &attributes, signer_cert))
+ pkcs7 = pkcs7_create_from_chunk(response, 0);
+ if (!pkcs7 || !pkcs7->parse_signedData(pkcs7, signer_cert))
{
+ DESTROY_IF(pkcs7);
return "error parsing the scep response";
}
- if (!parse_attributes(attributes, attrs))
- {
- return "error parsing the scep response attributes";
- }
+ extract_attributes(pkcs7, attrs);
if (!chunk_equals(transID, attrs->transID))
{
+ pkcs7->destroy(pkcs7);
return "transaction ID of scep response does not match";
}
+ *data = pkcs7;
return NULL;
}
#include <limits.h>
#include <syslog.h>
-#include <freeswan.h>
-
#include <library.h>
#include <debug.h>
#include <asn1/asn1.h>
#include <credentials/certificates/pkcs10.h>
#include <plugins/plugin.h>
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/certs.h"
-#include "../pluto/pkcs7.h"
-
#include "scep.h"
/*
/* default distinguished name */
#define DEFAULT_DN "C=CH, O=Linux strongSwan, CN="
+/* minimum RSA key size */
+#define RSA_MIN_OCTETS (512 / BITS_PER_BYTE)
+
/* challenge password buffer size */
#define MAX_PASSWORD_LENGTH 256
char challenge_password_buffer[MAX_PASSWORD_LENGTH];
/* symmetric encryption algorithm used by pkcs7, default is 3DES */
- int pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
+ encryption_algorithm_t pkcs7_symmetric_cipher = ENCR_3DES;
+ size_t pkcs7_key_size = 0;
/* digest algorithm used by pkcs7, default is SHA-1 */
- int pkcs7_digest_alg = OID_SHA1;
+ hash_algorithm_t pkcs7_digest_alg = HASH_SHA1;
/* signature algorithm used by pkcs10, default is SHA-1 */
hash_algorithm_t pkcs10_signature_alg = HASH_SHA1;
{
usage("invalid algorithm specified");
}
- pkcs7_symmetric_cipher = encryption_algorithm_to_oid(
- token->algorithm, token->keysize);
- if (pkcs7_symmetric_cipher == OID_UNKNOWN)
+ pkcs7_symmetric_cipher = token->algorithm;
+ pkcs7_key_size = token->keysize;
+ if (encryption_algorithm_to_oid(token->algorithm,
+ token->keysize) == OID_UNKNOWN)
{
usage("unsupported encryption algorithm specified");
}
{
DBG2(DBG_APP, "building pkcs7 request");
pkcs7 = scep_build_request(pkcs10_encoding,
- transID, SCEP_PKCSReq_MSG,
- x509_ca_enc, pkcs7_symmetric_cipher,
+ transID, SCEP_PKCSReq_MSG, x509_ca_enc,
+ pkcs7_symmetric_cipher, pkcs7_key_size,
x509_signer, pkcs7_digest_alg, private_key);
+ if (!pkcs7.ptr)
+ {
+ exit_scepclient("failed to build pkcs7 request");
+ }
}
/*
enumerator_t *enumerator;
char path[PATH_MAX];
time_t poll_start = 0;
-
- linked_list_t *certs = linked_list_create();
- chunk_t envelopedData = chunk_empty;
- chunk_t certData = chunk_empty;
- contentInfo_t data = empty_contentInfo;
- scep_attributes_t attrs = empty_scep_attributes;
+ pkcs7_t *data = NULL;
+ scep_attributes_t attrs = empty_scep_attributes;
join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_sig);
DBG2(DBG_APP, "going to sleep for %d seconds", poll_interval);
sleep(poll_interval);
free(scep_response.ptr);
+ data->destroy(data);
DBG2(DBG_APP, "fingerprint: %.*s",
(int)fingerprint.len, fingerprint.ptr);
chunk_free(&getCertInitial);
getCertInitial = scep_build_request(issuerAndSubject,
- transID, SCEP_GetCertInitial_MSG,
- x509_ca_enc, pkcs7_symmetric_cipher,
- x509_signer, pkcs7_digest_alg, private_key);
-
+ transID, SCEP_GetCertInitial_MSG, x509_ca_enc,
+ pkcs7_symmetric_cipher, pkcs7_key_size,
+ x509_signer, pkcs7_digest_alg, private_key);
+ if (!getCertInitial.ptr)
+ {
+ exit_scepclient("failed to build scep request");
+ }
if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
http_get_request, &scep_response))
{
if (attrs.pkiStatus != SCEP_SUCCESS)
{
+ data->destroy(data);
exit_scepclient("reply status is not 'SUCCESS'");
}
- envelopedData = data.content;
-
- if (data.type != OID_PKCS7_DATA ||
- !asn1_parse_simple_object(&envelopedData, ASN1_OCTET_STRING, 0, "data"))
- {
- exit_scepclient("contentInfo is not of type 'data'");
- }
- if (!pkcs7_parse_envelopedData(envelopedData, &certData,
- serialNumber, private_key))
+ if (!data->parse_envelopedData(data, serialNumber, private_key))
{
+ data->destroy(data);
exit_scepclient("could not decrypt envelopedData");
}
- if (!pkcs7_parse_signedData(certData, NULL, certs, NULL, NULL))
+ if (!data->parse_signedData(data, NULL))
{
+ data->destroy(data);
exit_scepclient("error parsing the scep response");
}
- chunk_free(&certData);
/* store the end entity certificate */
join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert);
- enumerator = certs->create_enumerator(certs);
+ enumerator = data->create_certificate_enumerator(data);
while (enumerator->enumerate(enumerator, &cert))
{
x509_t *x509 = (x509_t*)cert;
stored = TRUE;
}
}
- certs->destroy_offset(certs, offsetof(certificate_t, destroy));
+ enumerator->destroy(enumerator);
+ data->destroy(data);
filetype_out &= ~CERT; /* delete CERT flag */
}
projects / thirdparty / strongswan.git / commitdiff
