From: Andreas Steffen
Date: Sun, 14 Aug 2022 02:29:44 +0000 (+0200)
Subject: pki: Clean up SCEP functions
X-Git-Tag: 5.9.8dr1~2^2~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b16c0e928e02abadee8bbc6e298b60921bdbee45;p=thirdparty%2Fstrongswan.git
pki: Clean up SCEP functions
---
diff --git a/src/pki/scep/scep.c b/src/pki/scep/scep.c
index fbc6e1cfab..0b3772dca7 100644
--- a/src/pki/scep/scep.c
+++ b/src/pki/scep/scep.c
@@ -89,65 +89,34 @@ const scep_attributes_t empty_scep_attributes = {
 };
 
 /**
- * Extract X.501 attributes
+ * Parse CA Capabilities of SCEP server
  */
-void extract_attributes(pkcs7_t *pkcs7, enumerator_t *enumerator,
- scep_attributes_t *attrs)
+uint32_t scep_parse_caps(chunk_t response)
 {
- chunk_t attr;
+ uint32_t caps_flags = 0;
+ chunk_t line;
 
- if (pkcs7->get_attribute(pkcs7, OID_PKI_MESSAGE_TYPE, enumerator, &attr))
- {
- scep_msg_t m;
+ DBG2(DBG_APP, "CA Capabilities:");
 
- for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
- {
- if (strncmp(msgType_values[m], attr.ptr, attr.len) == 0)
- {
- attrs->msgType = m;
- }
- }
- DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]);
- free(attr.ptr);
- }
- if (pkcs7->get_attribute(pkcs7, OID_PKI_STATUS, enumerator, &attr))
+ while (fetchline(&response, &line))
 {
- pkiStatus_t s;
+ int i;
 
- for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
+ for (i = 0; i < countof(caps_names); i++)
 {
- if (strncmp(pkiStatus_values[s], attr.ptr, attr.len) == 0)
+ if (strncaseeq(caps_names[i], line.ptr, line.len))
 {
- attrs->pkiStatus = s;
+ DBG2(DBG_APP, " %s", caps_names[i]);
+ caps_flags |= (1 << i);
 }
 }
- DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]);
- free(attr.ptr);
- }
- if (pkcs7->get_attribute(pkcs7, OID_PKI_FAIL_INFO, enumerator, &attr))
- {
- if (attr.len == 1 && *attr.ptr >= '0' && *attr.ptr <= '4')
- {
- attrs->failInfo = (failInfo_t)(*attr.ptr - '0');
- }
- if (attrs->failInfo != SCEP_unknown_REASON)
- {
- DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]);
- }
- free(attr.ptr);
 }
-
- pkcs7->get_attribute(pkcs7, OID_PKI_SENDER_NONCE, enumerator,
- &attrs->senderNonce);
- pkcs7->get_attribute(pkcs7, OID_PKI_RECIPIENT_NONCE, enumerator,
- &attrs->recipientNonce);
- pkcs7->get_attribute(pkcs7, OID_PKI_TRANS_ID, enumerator,
- &attrs->transID);
+ return caps_flags;
 }
 
 /**
  * Generate a transaction ID as the SHA-1 hash of the publicKeyInfo
- * the transaction ID is also used as a unique serial number
+ * The transaction ID is also used as a unique serial number
  */
 bool scep_generate_transaction_id(public_key_t *public,
 chunk_t *transId, chunk_t *serialNumber)
@@ -189,7 +158,7 @@ bool scep_generate_transaction_id(public_key_t *public,
 }
 
 /**
- * Builds a pkcs7 enveloped and signed scep request
+ * Builds a PKCS#7 enveloped and signed SCEP request
  */
 chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
 certificate_t *enc_cert, encryption_algorithm_t enc_alg,
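Review bot: In `scep_parse_caps`, `strncaseeq(caps_names[i], line.ptr, line.len)` bounds the comparison by the response line's length only, so (if strncaseeq is the usual strncasecmp wrapper) a line that is a proper prefix of a table entry — a bare `SHA`, or a truncated line — sets the flag of every capability starting with it instead of none. GetCACaps replies are unauthenticated server input, so the match should require equal length as well: `if (line.len == strlen(caps_names[i]) && strncaseeq(caps_names[i], line.ptr, line.len))`. `caps_flags |= (1 << i)` is also only well-defined while `countof(caps_names)` stays below 32; `1u << i` plus a comment or static assertion on the table size would make that assumption visible. The code is moved rather than new, so a follow-up commit is probably the right place for the behavioural part.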
@@ -421,6 +390,66 @@ bool scep_http_request(const char *url, scep_op_t op, bool http_post, return (status == SUCCESS); } +/** + * Extract X.501 attributes + */ +void extract_attributes(pkcs7_t *pkcs7, enumerator_t *enumerator, + scep_attributes_t *attrs) +{ + chunk_t attr; + + if (pkcs7->get_attribute(pkcs7, OID_PKI_MESSAGE_TYPE, enumerator, &attr)) + { + scep_msg_t m; + + for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++) + { + if (strncmp(msgType_values[m], attr.ptr, attr.len) == 0) + { + attrs->msgType = m; + } + } + DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]); + free(attr.ptr); + } + if (pkcs7->get_attribute(pkcs7, OID_PKI_STATUS, enumerator, &attr)) + { + pkiStatus_t s; + + for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++) + { + if (strncmp(pkiStatus_values[s], attr.ptr, attr.len) == 0) + { + attrs->pkiStatus = s; + } + } + DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]); + free(attr.ptr); + } + if (pkcs7->get_attribute(pkcs7, OID_PKI_FAIL_INFO, enumerator, &attr)) + { + if (attr.len == 1 && *attr.ptr >= '0' && *attr.ptr <= '4') + { + attrs->failInfo = (failInfo_t)(*attr.ptr - '0'); + } + if (attrs->failInfo != SCEP_unknown_REASON) + { + DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]); + } + free(attr.ptr); + } + + pkcs7->get_attribute(pkcs7, OID_PKI_SENDER_NONCE, enumerator, + &attrs->senderNonce); + pkcs7->get_attribute(pkcs7, OID_PKI_RECIPIENT_NONCE, enumerator, + &attrs->recipientNonce); + pkcs7->get_attribute(pkcs7, OID_PKI_TRANS_ID, enumerator, + &attrs->transID); +} + +/** + * Parse PKCS#7 encoded SCEP response + */ bool scep_parse_response(chunk_t response, chunk_t transID, container_t **out, scep_attributes_t *attrs) { 
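Review bot: The messageType and pkiStatus lookups in the relocated `extract_attributes` use `strncmp(msgType_values[m], attr.ptr, attr.len) == 0`, which also succeeds when the attribute is a proper prefix of a table entry, and since neither loop breaks, an empty attribute matches every entry and the last enum value wins. Requiring equal length makes the match exact: `if (attr.len == strlen(msgType_values[m]) && strncmp(msgType_values[m], attr.ptr, attr.len) == 0)`, and the same for `pkiStatus_values[s]`. The function is not declared in scep.h (the header hunk removes the old `parse_attributes` prototype and adds nothing for it), so if `scep_parse_response` is its only caller it should be `static`. The header comment should also note that the senderNonce/recipientNonce/transID lookups ignore the `get_attribute` result, so a missing attribute is silent and the caller has to validate those fields itself.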
@@ -471,26 +500,3 @@ error: container->destroy(container); return FALSE; } - -uint32_t scep_parse_caps(chunk_t response) -{ - uint32_t caps_flags = 0; - chunk_t line; - - DBG2(DBG_APP, "CA Capabilities:"); - - while (fetchline(&response, &line)) - { - int i; - - for (i = 0; i < countof(caps_names); i++) - { - if (strncaseeq(caps_names[i], line.ptr, line.len)) - { - DBG2(DBG_APP, " %s", caps_names[i]); - caps_flags |= (1 << i); - } - } - } - return caps_flags; -} \ No newline at end of file diff --git a/src/pki/scep/scep.h b/src/pki/scep/scep.h index b24cb622a4..922747f1f9 100644 --- a/src/pki/scep/scep.h +++ b/src/pki/scep/scep.h @@ -85,17 +85,21 @@ typedef enum { extern const scep_attributes_t empty_scep_attributes; -bool parse_attributes(chunk_t blob, scep_attributes_t *attrs); +/** + * Parse SCEP CA Capabilities + */ +uint32_t scep_parse_caps(chunk_t response); +/** + * Generate a transaction ID as the SHA-1 hash of the publicKeyInfo + * The transaction ID is also used as a unique serial number + */ bool scep_generate_transaction_id(public_key_t *key, chunk_t *transId, chunk_t *serialNumber); -chunk_t scep_transId_attribute(chunk_t transaction_id); - -chunk_t scep_messageType_attribute(scep_msg_t m); - -chunk_t scep_senderNonce_attribute(void); - +/** + * Builds a PKCS#7 enveloped and signed SCEP request + */ chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg, certificate_t *enc_cert, encryption_algorithm_t enc_alg, size_t key_size, certificate_t *signer_cert, @@ -107,9 +111,10 @@ chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg, bool scep_http_request(const char *url, scep_op_t op, bool http_post, chunk_t data, chunk_t *response, u_int *http_code); +/** + * Parse PKCS#7 encoded SCEP response + */ bool scep_parse_response(chunk_t response, chunk_t transID, container_t **out, scep_attributes_t *attrs); -uint32_t scep_parse_caps(chunk_t response); - #endif /* _SCEP_H */
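Review bot: The prototype comments added to scep.h stop at a one-line purpose and carry no `@param`/`@return`, so `scep_parse_caps` never states that its result is a bitmask with bit i set for `caps_names[i]`, and `scep_generate_transaction_id` says nothing about who owns the chunks it fills. Suggest Doxygen-style entries, e.g. for `scep_parse_caps`: `@param response  body of the GetCACaps reply` and `@return  bitmask of recognized capabilities, bit i set for caps_names[i]`; for the transaction-ID and request builders, document chunk ownership only after checking the definitions, which are not in this diff. The same comment text now lives in scep.c as well; keeping the full contract in the header and a one-liner above the definitions avoids the two drifting apart. Also worth checking that the four prototypes dropped here (`parse_attributes`, `scep_transId_attribute`, `scep_messageType_attribute`, `scep_senderNonce_attribute`) have no remaining definitions in scep.c, or that those are now `static`.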