summaryrefslogtreecommitdiff
path: root/src/scepclient/scep.c
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@debian.org>2013-01-02 14:18:20 +0100
committerYves-Alexis Perez <corsac@debian.org>2013-01-02 14:18:20 +0100
commitc1343b3278cdf99533b7902744d15969f9d6fdc1 (patch)
treed5ed3dc5677a59260ec41cd39bb284d3e94c91b3 /src/scepclient/scep.c
parentb34738ed08c2227300d554b139e2495ca5da97d6 (diff)
downloadvyos-strongswan-c1343b3278cdf99533b7902744d15969f9d6fdc1.tar.gz
vyos-strongswan-c1343b3278cdf99533b7902744d15969f9d6fdc1.zip
Imported Upstream version 5.0.1
Diffstat (limited to 'src/scepclient/scep.c')
-rw-r--r--src/scepclient/scep.c360
1 files changed, 112 insertions, 248 deletions
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c
index 29f6eab70..8b2fd179a 100644
--- a/src/scepclient/scep.c
+++ b/src/scepclient/scep.c
@@ -1,11 +1,5 @@
-/**
- * @file scep.c
- * @brief SCEP specific functions
- *
- * Contains functions to build SCEP request's and to parse SCEP reply's.
- */
-
/*
+ * Copyright (C) 2012 Tobias Brunner
* Copyright (C) 2005 Jan Hutter, Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -23,32 +17,17 @@
#include <string.h>
#include <stdlib.h>
-#include <freeswan.h>
-
#include <library.h>
+#include <debug.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
#include <asn1/oid.h>
+#include <crypto/pkcs9.h>
#include <crypto/rngs/rng.h>
#include <crypto/hashers/hasher.h>
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/fetch.h"
-#include "../pluto/log.h"
-
#include "scep.h"
-static const chunk_t ASN1_messageType_oid = chunk_from_chars(
- 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x02
-);
-static const chunk_t ASN1_senderNonce_oid = chunk_from_chars(
- 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x05
-);
-static const chunk_t ASN1_transId_oid = chunk_from_chars(
- 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x07
-);
-
static const char *pkiStatus_values[] = { "0", "2", "3" };
static const char *pkiStatus_names[] = {
@@ -86,170 +65,60 @@ const scep_attributes_t empty_scep_attributes = {
{ NULL, 0 } , /* recipientNonce */
};
-/* ASN.1 definition of the X.501 atttribute type */
-
-static const asn1Object_t attributesObjects[] = {
- { 0, "attributes", ASN1_SET, ASN1_LOOP }, /* 0 */
- { 1, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
- { 2, "type", ASN1_OID, ASN1_BODY }, /* 2 */
- { 2, "values", ASN1_SET, ASN1_LOOP }, /* 3 */
- { 3, "value", ASN1_EOC, ASN1_RAW }, /* 4 */
- { 2, "end loop", ASN1_EOC, ASN1_END }, /* 5 */
- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 6 */
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
-};
-#define ATTRIBUTE_OBJ_TYPE 2
-#define ATTRIBUTE_OBJ_VALUE 4
-
/**
- * Extract and store an attribute
+ * Extract X.501 attributes
*/
-static bool extract_attribute(int oid, chunk_t object, u_int level,
- scep_attributes_t *attrs)
+void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs)
{
- asn1_t type = ASN1_EOC;
- const char *name = "none";
+ pkcs9_t *attributes = pkcs7->get_attributes(pkcs7);
+ chunk_t attr;
- switch (oid)
+ attr = attributes->get_attribute(attributes, OID_PKI_MESSAGE_TYPE);
+ if (attr.ptr)
{
- case OID_PKCS9_CONTENT_TYPE:
- type = ASN1_OID;
- name = "contentType";
- break;
- case OID_PKCS9_SIGNING_TIME:
- type = ASN1_UTCTIME;
- name = "signingTime";
- break;
- case OID_PKCS9_MESSAGE_DIGEST:
- type = ASN1_OCTET_STRING;
- name = "messageDigest";
- break;
- case OID_PKI_MESSAGE_TYPE:
- type = ASN1_PRINTABLESTRING;
- name = "messageType";
- break;
- case OID_PKI_STATUS:
- type = ASN1_PRINTABLESTRING;
- name = "pkiStatus";
- break;
- case OID_PKI_FAIL_INFO:
- type = ASN1_PRINTABLESTRING;
- name = "failInfo";
- break;
- case OID_PKI_SENDER_NONCE:
- type = ASN1_OCTET_STRING;
- name = "senderNonce";
- break;
- case OID_PKI_RECIPIENT_NONCE:
- type = ASN1_OCTET_STRING;
- name = "recipientNonce";
- break;
- case OID_PKI_TRANS_ID:
- type = ASN1_PRINTABLESTRING;
- name = "transID";
- break;
- default:
- break;
- }
-
- if (type == ASN1_EOC)
- return TRUE;
-
- if (!asn1_parse_simple_object(&object, type, level+1, name))
- return FALSE;
+ scep_msg_t m;
- switch (oid)
- {
- case OID_PKCS9_CONTENT_TYPE:
- break;
- case OID_PKCS9_SIGNING_TIME:
- break;
- case OID_PKCS9_MESSAGE_DIGEST:
- break;
- case OID_PKI_MESSAGE_TYPE:
+ for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
{
- scep_msg_t m;
-
- for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
+ if (strncmp(msgType_values[m], attr.ptr, attr.len) == 0)
{
- if (strncmp(msgType_values[m], object.ptr, object.len) == 0)
- attrs->msgType = m;
+ attrs->msgType = m;
}
- DBG(DBG_CONTROL,
- DBG_log("messageType: %s", msgType_names[attrs->msgType])
- )
}
- break;
- case OID_PKI_STATUS:
- {
- pkiStatus_t s;
+ DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]);
+ }
+ attr = attributes->get_attribute(attributes, OID_PKI_STATUS);
+ if (attr.ptr)
+ {
+ pkiStatus_t s;
- for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
+ for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
+ {
+ if (strncmp(pkiStatus_values[s], attr.ptr, attr.len) == 0)
{
- if (strncmp(pkiStatus_values[s], object.ptr, object.len) == 0)
- attrs->pkiStatus = s;
+ attrs->pkiStatus = s;
}
- DBG(DBG_CONTROL,
- DBG_log("pkiStatus: %s", pkiStatus_names[attrs->pkiStatus])
- )
}
- break;
- case OID_PKI_FAIL_INFO:
- if (object.len == 1
- && *object.ptr >= '0' && *object.ptr <= '4')
+ DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]);
+ }
+ attr = attributes->get_attribute(attributes, OID_PKI_FAIL_INFO);
+ if (attr.ptr)
+ {
+ if (attr.len == 1 && *attr.ptr >= '0' && *attr.ptr <= '4')
{
- attrs->failInfo = (failInfo_t)(*object.ptr - '0');
+ attrs->failInfo = (failInfo_t)(*attr.ptr - '0');
}
if (attrs->failInfo != SCEP_unknown_REASON)
- plog("failInfo: %s", failInfo_reasons[attrs->failInfo]);
- break;
- case OID_PKI_SENDER_NONCE:
- attrs->senderNonce = object;
- break;
- case OID_PKI_RECIPIENT_NONCE:
- attrs->recipientNonce = object;
- break;
- case OID_PKI_TRANS_ID:
- attrs->transID = object;
- }
- return TRUE;
-}
-
-/**
- * Parse X.501 attributes
- */
-bool parse_attributes(chunk_t blob, scep_attributes_t *attrs)
-{
- asn1_parser_t *parser;
- chunk_t object;
- int oid = OID_UNKNOWN;
- int objectID;
- bool success = FALSE;
-
- parser = asn1_parser_create(attributesObjects, blob);
- DBG(DBG_CONTROL | DBG_PARSING,
- DBG_log("parsing attributes")
- )
-
- while (parser->iterate(parser, &objectID, &object))
- {
- switch (objectID)
{
- case ATTRIBUTE_OBJ_TYPE:
- oid = asn1_known_oid(object);
- break;
- case ATTRIBUTE_OBJ_VALUE:
- if (!extract_attribute(oid, object, parser->get_level(parser), attrs))
- {
- goto end;
- }
+ DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]);
}
}
- success = parser->success(parser);
-
-end:
- parser->destroy(parser);
- return success;
+ attrs->senderNonce = attributes->get_attribute(attributes,
+ OID_PKI_SENDER_NONCE);
+ attrs->recipientNonce = attributes->get_attribute(attributes,
+ OID_PKI_RECIPIENT_NONCE);
+ attrs->transID = attributes->get_attribute(attributes,
+ OID_PKI_TRANS_ID);
}
/**
@@ -262,7 +131,11 @@ chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10)
hasher_t *hasher;
hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
- hasher->get_hash(hasher, pkcs10, digest.ptr);
+ if (!hasher || !hasher->get_hash(hasher, pkcs10, digest.ptr))
+ {
+ DESTROY_IF(hasher);
+ return chunk_empty;
+ }
hasher->destroy(hasher);
return chunk_to_hex(digest, NULL, FALSE);
@@ -288,8 +161,11 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
asn1_bitstring("m", keyEncoding));
hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
- hasher->get_hash(hasher, keyInfo, digest.ptr);
- hasher->destroy(hasher);
+ if (!hasher || !hasher->get_hash(hasher, keyInfo, digest.ptr))
+ {
+ memset(digest.ptr, 0, digest.len);
+ }
+ DESTROY_IF(hasher);
free(keyInfo.ptr);
/* is the most significant bit of the digest set? */
@@ -308,46 +184,13 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
memcpy(pos, digest.ptr, digest.len);
/* the transaction id is the serial number in hex format */
- transID->len = 2*digest.len;
- transID->ptr = malloc(transID->len + 1);
- datatot(digest.ptr, digest.len, 16, transID->ptr, transID->len + 1);
+ *transID = chunk_to_hex(digest, NULL, TRUE);
}
/**
- * Builds a transId attribute
+ * Adds a senderNonce attribute to the given pkcs9 attribute list
*/
-chunk_t scep_transId_attribute(chunk_t transID)
-{
- return asn1_wrap(ASN1_SEQUENCE, "cm"
- , ASN1_transId_oid
- , asn1_wrap(ASN1_SET, "m"
- , asn1_simple_object(ASN1_PRINTABLESTRING, transID)
- )
- );
-}
-
-/**
- * Builds a messageType attribute
- */
-chunk_t scep_messageType_attribute(scep_msg_t m)
-{
- chunk_t msgType = {
- (u_char*)msgType_values[m],
- strlen(msgType_values[m])
- };
-
- return asn1_wrap(ASN1_SEQUENCE, "cm"
- , ASN1_messageType_oid
- , asn1_wrap(ASN1_SET, "m"
- , asn1_simple_object(ASN1_PRINTABLESTRING, msgType)
- )
- );
-}
-
-/**
- * Builds a senderNonce attribute
- */
-chunk_t scep_senderNonce_attribute(void)
+static bool add_senderNonce_attribute(pkcs9_t *pkcs9)
{
const size_t nonce_len = 16;
u_char nonce_buf[nonce_len];
@@ -355,41 +198,58 @@ chunk_t scep_senderNonce_attribute(void)
rng_t *rng;
rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
- rng->get_bytes(rng, nonce_len, nonce_buf);
+ if (!rng || !rng->get_bytes(rng, nonce_len, nonce_buf))
+ {
+ DESTROY_IF(rng);
+ return FALSE;
+ }
rng->destroy(rng);
- return asn1_wrap(ASN1_SEQUENCE, "cm"
- , ASN1_senderNonce_oid
- , asn1_wrap(ASN1_SET, "m"
- , asn1_simple_object(ASN1_OCTET_STRING, senderNonce)
- )
- );
+ pkcs9->set_attribute(pkcs9, OID_PKI_SENDER_NONCE, senderNonce);
+ return TRUE;
}
/**
* Builds a pkcs7 enveloped and signed scep request
*/
chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
- certificate_t *enc_cert, int enc_alg,
- certificate_t *signer_cert, int digest_alg,
- private_key_t *private_key)
+ certificate_t *enc_cert, encryption_algorithm_t enc_alg,
+ size_t key_size, certificate_t *signer_cert,
+ hash_algorithm_t digest_alg, private_key_t *private_key)
{
- chunk_t envelopedData, attributes, request;
-
- envelopedData = pkcs7_build_envelopedData(data, enc_cert, enc_alg);
-
- attributes = asn1_wrap(ASN1_SET, "mmmmm"
- , pkcs7_contentType_attribute()
- , pkcs7_messageDigest_attribute(envelopedData
- , digest_alg)
- , scep_transId_attribute(transID)
- , scep_messageType_attribute(msg)
- , scep_senderNonce_attribute());
-
- request = pkcs7_build_signedData(envelopedData, attributes
- , signer_cert, digest_alg, private_key);
- free(envelopedData.ptr);
- free(attributes.ptr);
+ chunk_t request, msgType = {
+ (u_char*)msgType_values[msg],
+ strlen(msgType_values[msg]),
+ };
+ pkcs7_t *pkcs7;
+ pkcs9_t *pkcs9;
+
+ pkcs7 = pkcs7_create_from_data(data);
+ if (!pkcs7->build_envelopedData(pkcs7, enc_cert, enc_alg, key_size))
+ {
+ pkcs7->destroy(pkcs7);
+ return chunk_empty;
+ }
+
+ pkcs9 = pkcs9_create();
+ pkcs9->set_attribute(pkcs9, OID_PKI_TRANS_ID, transID);
+ pkcs9->set_attribute(pkcs9, OID_PKI_MESSAGE_TYPE, msgType);
+ if (!add_senderNonce_attribute(pkcs9))
+ {
+ pkcs9->destroy(pkcs9);
+ pkcs7->destroy(pkcs7);
+ return chunk_empty;
+ }
+
+ pkcs7->set_attributes(pkcs7, pkcs9);
+ pkcs7->set_certificate(pkcs7, signer_cert->get_ref(signer_cert));
+ if (!pkcs7->build_signedData(pkcs7, private_key, digest_alg))
+ {
+ pkcs7->destroy(pkcs7);
+ return chunk_empty;
+ }
+ request = pkcs7->get_contentInfo(pkcs7);
+ pkcs7->destroy(pkcs7);
return request;
}
@@ -406,11 +266,12 @@ static char* escape_http_request(chunk_t req)
int n = 0;
/* compute and allocate the size of the base64-encoded request */
- int len = 1 + 4*((req.len + 2)/3);
+ int len = 1 + 4 * ((req.len + 2) / 3);
char *encoded_req = malloc(len);
/* do the base64 conversion */
- len = datatot(req.ptr, req.len, 64, encoded_req, len);
+ chunk_t base64 = chunk_to_base64(req, encoded_req);
+ len = base64.len + 1;
/* compute newline characters to be inserted every 64 characters */
lines = (len - 2) / 64;
@@ -420,10 +281,12 @@ static char* escape_http_request(chunk_t req)
while (*p1 != '\0')
{
if (*p1++ == '+')
+ {
plus++;
+ }
}
- escaped_req = malloc(len + 3*(lines + plus));
+ escaped_req = malloc(len + 3 * (lines + plus));
/* escape special characters in the request */
p1 = encoded_req;
@@ -466,9 +329,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
/* initialize response */
*response = chunk_empty;
- DBG(DBG_CONTROL,
- DBG_log("sending scep request to '%s'", url)
- )
+ DBG2(DBG_APP, "sending scep request to '%s'", url);
if (op == SCEP_PKI_OPERATION)
{
@@ -500,6 +361,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
snprintf(complete_url, len, "%s?operation=%s", url, operation);
status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
+ FETCH_HTTP_VERSION_1_0,
FETCH_REQUEST_DATA, pkcs7,
FETCH_REQUEST_TYPE, "",
FETCH_REQUEST_HEADER, "Expect:",
@@ -513,10 +375,11 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
/* form complete url */
len = strlen(url) + 32 + strlen(operation) + 1;
complete_url = malloc(len);
- snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier"
- , url, operation);
+ snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier",
+ url, operation);
status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
+ FETCH_HTTP_VERSION_1_0,
FETCH_END);
}
@@ -524,22 +387,23 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
return (status == SUCCESS);
}
-err_t scep_parse_response(chunk_t response, chunk_t transID, contentInfo_t *data,
+err_t scep_parse_response(chunk_t response, chunk_t transID, pkcs7_t **data,
scep_attributes_t *attrs, certificate_t *signer_cert)
{
- chunk_t attributes;
+ pkcs7_t *pkcs7;
- if (!pkcs7_parse_signedData(response, data, NULL, &attributes, signer_cert))
+ pkcs7 = pkcs7_create_from_chunk(response, 0);
+ if (!pkcs7 || !pkcs7->parse_signedData(pkcs7, signer_cert))
{
+ DESTROY_IF(pkcs7);
return "error parsing the scep response";
}
- if (!parse_attributes(attributes, attrs))
- {
- return "error parsing the scep response attributes";
- }
+ extract_attributes(pkcs7, attrs);
if (!chunk_equals(transID, attrs->transID))
{
+ pkcs7->destroy(pkcs7);
return "transaction ID of scep response does not match";
}
+ *data = pkcs7;
return NULL;
}