diff options
| author | Yves-Alexis Perez <corsac@debian.org> | 2013-02-07 13:27:27 +0100 |
|---|---|---|
| committer | Yves-Alexis Perez <corsac@debian.org> | 2013-02-07 13:27:27 +0100 |
| commit | 7585facf05d927eb6df3929ce09ed5e60d905437 (patch) | |
| tree | e4d14b4dc180db20356b6b01ce0112f3a2d7897e /src/scepclient | |
| parent | c1343b3278cdf99533b7902744d15969f9d6fdc1 (diff) | |
| download | vyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.tar.gz vyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.zip | |
Imported Upstream version 5.0.2
Diffstat (limited to 'src/scepclient')
| -rw-r--r-- | src/scepclient/Makefile.in | 36 | ||||
| -rw-r--r-- | src/scepclient/scep.c | 198 | ||||
| -rw-r--r-- | src/scepclient/scep.h | 7 | ||||
| -rw-r--r-- | src/scepclient/scepclient.c | 116 |
4 files changed, 238 insertions, 119 deletions
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in index c2814a4e6..e67c8ebc3 100644 --- a/src/scepclient/Makefile.in +++ b/src/scepclient/Makefile.in @@ -1,9 +1,9 @@ -# Makefile.in generated by automake 1.11.1 from Makefile.am. +# Makefile.in generated by automake 1.11.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, -# Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software +# Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -96,6 +96,12 @@ am__nobase_list = $(am__nobase_strip_setup); \ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } man8dir = $(mandir)/man8 NROFF = nroff MANS = $(dist_man_MANS) @@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -148,6 +155,7 @@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ MYSQLCFLAG = @MYSQLCFLAG@ MYSQLCONFIG = @MYSQLCONFIG@ @@ -175,6 +183,7 @@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ @@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ @@ -240,7 +250,6 @@ libexecdir = @libexecdir@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ -lt_ECHO = @lt_ECHO@ maemo_CFLAGS = @maemo_CFLAGS@ maemo_LIBS = @maemo_LIBS@ manager_plugins = @manager_plugins@ @@ -379,7 +388,7 @@ clean-ipsecPROGRAMS: list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list -scepclient$(EXEEXT): $(scepclient_OBJECTS) $(scepclient_DEPENDENCIES) +scepclient$(EXEEXT): $(scepclient_OBJECTS) $(scepclient_DEPENDENCIES) $(EXTRA_scepclient_DEPENDENCIES) @rm -f scepclient$(EXEEXT) $(LINK) $(scepclient_OBJECTS) $(scepclient_LDADD) $(LIBS) @@ -453,9 +462,7 @@ uninstall-man8: sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ - test -z "$$files" || { \ - echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(man8dir)" && rm -f $$files; } + dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ @@ -569,10 +576,15 @@ install-am: all-am installcheck: installcheck-am install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi mostlyclean-generic: clean-generic: diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c index 8b2fd179a..f2090274c 100644 --- a/src/scepclient/scep.c +++ b/src/scepclient/scep.c @@ -18,11 +18,10 @@ #include <stdlib.h> #include <library.h> -#include <debug.h> +#include <utils/debug.h> #include <asn1/asn1.h> #include <asn1/asn1_parser.h> #include <asn1/oid.h> -#include <crypto/pkcs9.h> #include <crypto/rngs/rng.h> #include <crypto/hashers/hasher.h> @@ -68,13 +67,12 @@ const scep_attributes_t empty_scep_attributes = { /** * Extract X.501 attributes */ -void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs) +void extract_attributes(pkcs7_t *pkcs7, enumerator_t *enumerator, + scep_attributes_t *attrs) { - pkcs9_t *attributes = pkcs7->get_attributes(pkcs7); chunk_t attr; - attr = attributes->get_attribute(attributes, OID_PKI_MESSAGE_TYPE); - if (attr.ptr) + if (pkcs7->get_attribute(pkcs7, OID_PKI_MESSAGE_TYPE, enumerator, &attr)) { scep_msg_t m; @@ -86,9 +84,9 @@ void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs) } } DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]); + free(attr.ptr); } - attr = attributes->get_attribute(attributes, OID_PKI_STATUS); - if (attr.ptr) + if (pkcs7->get_attribute(pkcs7, OID_PKI_STATUS, enumerator, &attr)) { pkiStatus_t s; @@ -100,9 +98,9 @@ void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs) } } DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]); + free(attr.ptr); } - attr = attributes->get_attribute(attributes, OID_PKI_FAIL_INFO); - if (attr.ptr) + if (pkcs7->get_attribute(pkcs7, OID_PKI_FAIL_INFO, enumerator, &attr)) { if (attr.len == 1 && *attr.ptr >= '0' && *attr.ptr <= '4') { @@ -112,13 +110,15 @@ void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs) { DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]); } + free(attr.ptr); } - attrs->senderNonce = attributes->get_attribute(attributes, - OID_PKI_SENDER_NONCE); - attrs->recipientNonce = attributes->get_attribute(attributes, - OID_PKI_RECIPIENT_NONCE); - attrs->transID = attributes->get_attribute(attributes, - OID_PKI_TRANS_ID); + + pkcs7->get_attribute(pkcs7, OID_PKI_SENDER_NONCE, enumerator, + &attrs->senderNonce); + pkcs7->get_attribute(pkcs7, OID_PKI_RECIPIENT_NONCE, enumerator, + &attrs->recipientNonce); + pkcs7->get_attribute(pkcs7, OID_PKI_TRANS_ID, enumerator, + &attrs->transID); } /** @@ -188,68 +188,81 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID, } /** - * Adds a senderNonce attribute to the given pkcs9 attribute list + * Builds a pkcs7 enveloped and signed scep request */ -static bool add_senderNonce_attribute(pkcs9_t *pkcs9) +chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg, + certificate_t *enc_cert, encryption_algorithm_t enc_alg, + size_t key_size, certificate_t *signer_cert, + hash_algorithm_t digest_alg, private_key_t *private_key) { - const size_t nonce_len = 16; - u_char nonce_buf[nonce_len]; - chunk_t senderNonce = { nonce_buf, nonce_len }; + chunk_t request; + container_t *container; + char nonce[16]; rng_t *rng; + chunk_t senderNonce, msgType; + /* generate senderNonce */ rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); - if (!rng || !rng->get_bytes(rng, nonce_len, nonce_buf)) + if (!rng || !rng->get_bytes(rng, sizeof(nonce), nonce)) { DESTROY_IF(rng); - return FALSE; + return chunk_empty; } rng->destroy(rng); - pkcs9->set_attribute(pkcs9, OID_PKI_SENDER_NONCE, senderNonce); - return TRUE; -} - -/** - * Builds a pkcs7 enveloped and signed scep request - */ -chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg, - certificate_t *enc_cert, encryption_algorithm_t enc_alg, - size_t key_size, certificate_t *signer_cert, - hash_algorithm_t digest_alg, private_key_t *private_key) -{ - chunk_t request, msgType = { - (u_char*)msgType_values[msg], - strlen(msgType_values[msg]), - }; - pkcs7_t *pkcs7; - pkcs9_t *pkcs9; - - pkcs7 = pkcs7_create_from_data(data); - if (!pkcs7->build_envelopedData(pkcs7, enc_cert, enc_alg, key_size)) + /* encrypt data in enveloped-data PKCS#7 */ + container = lib->creds->create(lib->creds, + CRED_CONTAINER, CONTAINER_PKCS7_ENVELOPED_DATA, + BUILD_BLOB, data, + BUILD_CERT, enc_cert, + BUILD_ENCRYPTION_ALG, enc_alg, + BUILD_KEY_SIZE, (int)key_size, + BUILD_END); + if (!container) { - pkcs7->destroy(pkcs7); return chunk_empty; } - - pkcs9 = pkcs9_create(); - pkcs9->set_attribute(pkcs9, OID_PKI_TRANS_ID, transID); - pkcs9->set_attribute(pkcs9, OID_PKI_MESSAGE_TYPE, msgType); - if (!add_senderNonce_attribute(pkcs9)) + if (!container->get_encoding(container, &request)) { - pkcs9->destroy(pkcs9); - pkcs7->destroy(pkcs7); + container->destroy(container); return chunk_empty; } - - pkcs7->set_attributes(pkcs7, pkcs9); - pkcs7->set_certificate(pkcs7, signer_cert->get_ref(signer_cert)); - if (!pkcs7->build_signedData(pkcs7, private_key, digest_alg)) + container->destroy(container); + + /* sign enveloped-data in a signed-data PKCS#7 */ + senderNonce = asn1_wrap(ASN1_OCTET_STRING, "c", chunk_from_thing(nonce)); + transID = asn1_wrap(ASN1_PRINTABLESTRING, "c", transID); + msgType = asn1_wrap(ASN1_PRINTABLESTRING, "c", + chunk_create((char*)msgType_values[msg], + strlen(msgType_values[msg]))); + + container = lib->creds->create(lib->creds, + CRED_CONTAINER, CONTAINER_PKCS7_SIGNED_DATA, + BUILD_BLOB, request, + BUILD_SIGNING_CERT, signer_cert, + BUILD_SIGNING_KEY, private_key, + BUILD_DIGEST_ALG, digest_alg, + BUILD_PKCS7_ATTRIBUTE, OID_PKI_SENDER_NONCE, senderNonce, + BUILD_PKCS7_ATTRIBUTE, OID_PKI_TRANS_ID, transID, + BUILD_PKCS7_ATTRIBUTE, OID_PKI_MESSAGE_TYPE, msgType, + BUILD_END); + + free(request.ptr); + free(senderNonce.ptr); + free(transID.ptr); + free(msgType.ptr); + + if (!container) { - pkcs7->destroy(pkcs7); return chunk_empty; } - request = pkcs7->get_contentInfo(pkcs7); - pkcs7->destroy(pkcs7); + if (!container->get_encoding(container, &request)) + { + container->destroy(container); + return chunk_empty; + } + container->destroy(container); + return request; } @@ -319,7 +332,7 @@ static char* escape_http_request(chunk_t req) /** * Send a SCEP request via HTTP and wait for a response */ -bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op, +bool scep_http_request(const char *url, chunk_t msg, scep_op_t op, bool http_get_request, chunk_t *response) { int len; @@ -337,7 +350,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op, if (http_get_request) { - char *escaped_req = escape_http_request(pkcs7); + char *escaped_req = escape_http_request(msg); /* form complete url */ len = strlen(url) + 20 + strlen(operation) + strlen(escaped_req) + 1; @@ -362,7 +375,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op, status = lib->fetcher->fetch(lib->fetcher, complete_url, response, FETCH_HTTP_VERSION_1_0, - FETCH_REQUEST_DATA, pkcs7, + FETCH_REQUEST_DATA, msg, FETCH_REQUEST_TYPE, "", FETCH_REQUEST_HEADER, "Expect:", FETCH_END); @@ -371,12 +384,22 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op, else /* SCEP_GET_CA_CERT */ { const char operation[] = "GetCACert"; + int i; + + /* escape spaces, TODO: complete URL escape */ + for (i = 0; i < msg.len; i++) + { + if (msg.ptr[i] == ' ') + { + msg.ptr[i] = '+'; + } + } /* form complete url */ - len = strlen(url) + 32 + strlen(operation) + 1; + len = strlen(url) + 32 + strlen(operation) + msg.len + 1; complete_url = malloc(len); - snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier", - url, operation); + snprintf(complete_url, len, "%s?operation=%s&message=%.*s", + url, operation, (int)msg.len, msg.ptr); status = lib->fetcher->fetch(lib->fetcher, complete_url, response, FETCH_HTTP_VERSION_1_0, @@ -387,23 +410,44 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op, return (status == SUCCESS); } -err_t scep_parse_response(chunk_t response, chunk_t transID, pkcs7_t **data, - scep_attributes_t *attrs, certificate_t *signer_cert) +err_t scep_parse_response(chunk_t response, chunk_t transID, + container_t **out, scep_attributes_t *attrs) { - pkcs7_t *pkcs7; - - pkcs7 = pkcs7_create_from_chunk(response, 0); - if (!pkcs7 || !pkcs7->parse_signedData(pkcs7, signer_cert)) + enumerator_t *enumerator; + bool verified = FALSE; + container_t *container; + auth_cfg_t *auth; + + container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7, + BUILD_BLOB_ASN1_DER, response, BUILD_END); + if (!container) { - DESTROY_IF(pkcs7); return "error parsing the scep response"; } - extract_attributes(pkcs7, attrs); - if (!chunk_equals(transID, attrs->transID)) + if (container->get_type(container) != CONTAINER_PKCS7_SIGNED_DATA) + { + container->destroy(container); + return "scep response is not PKCS#7 signed-data"; + } + + enumerator = container->create_signature_enumerator(container); + while (enumerator->enumerate(enumerator, &auth)) + { + verified = TRUE; + extract_attributes((pkcs7_t*)container, enumerator, attrs); + if (!chunk_equals(transID, attrs->transID)) + { + enumerator->destroy(enumerator); + container->destroy(container); + return "transaction ID of scep response does not match"; + } + } + enumerator->destroy(enumerator); + if (!verified) { - pkcs7->destroy(pkcs7); - return "transaction ID of scep response does not match"; + container->destroy(container); + return "unable to verify PKCS#7 container"; } - *data = pkcs7; + *out = container; return NULL; } diff --git a/src/scepclient/scep.h b/src/scepclient/scep.h index 6227faba4..30551d2db 100644 --- a/src/scepclient/scep.h +++ b/src/scepclient/scep.h @@ -17,7 +17,7 @@ #ifndef _SCEP_H #define _SCEP_H -#include <crypto/pkcs7.h> +#include <credentials/containers/pkcs7.h> #include <credentials/certificates/certificate.h> /* supported SCEP operation types */ @@ -78,10 +78,9 @@ chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg, certificate_t *enc_cert, encryption_algorithm_t enc_alg, size_t key_size, certificate_t *signer_cert, hash_algorithm_t digest_alg, private_key_t *private_key); -bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op, +bool scep_http_request(const char *url, chunk_t message, scep_op_t op, bool http_get_request, chunk_t *response); err_t scep_parse_response(chunk_t response, chunk_t transID, - pkcs7_t **data, scep_attributes_t *attrs, - certificate_t *signer_cert); + container_t **out, scep_attributes_t *attrs); #endif /* _SCEP_H */ diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c index 78b0d7e7a..83b5d6219 100644 --- a/src/scepclient/scepclient.c +++ b/src/scepclient/scepclient.c @@ -26,12 +26,12 @@ #include <syslog.h> #include <library.h> -#include <debug.h> +#include <utils/debug.h> #include <asn1/asn1.h> #include <asn1/oid.h> #include <utils/optionsfrom.h> -#include <utils/enumerator.h> -#include <utils/linked_list.h> +#include <collections/enumerator.h> +#include <collections/linked_list.h> #include <crypto/hashers/hasher.h> #include <crypto/crypters/crypter.h> #include <crypto/proposal/proposal_keywords.h> @@ -40,6 +40,7 @@ #include <credentials/certificates/certificate.h> #include <credentials/certificates/x509.h> #include <credentials/certificates/pkcs10.h> +#include <credentials/sets/mem_cred.h> #include <plugins/plugin.h> #include "scep.h" @@ -140,6 +141,8 @@ certificate_t *x509_ca_enc = NULL; certificate_t *x509_ca_sig = NULL; certificate_t *pkcs10_req = NULL; +mem_cred_t *creds = NULL; + /* logging */ static bool log_to_stderr = TRUE; static bool log_to_syslog = TRUE; @@ -255,6 +258,12 @@ static void exit_scepclient(err_t message, ...) { int status = 0; + if (creds) + { + lib->credmgr->remove_set(lib->credmgr, &creds->set); + creds->destroy(creds); + } + DESTROY_IF(subject); DESTROY_IF(private_key); DESTROY_IF(public_key); @@ -361,6 +370,9 @@ static void usage(const char *message) " <algo> = md5 (default) | sha1 | sha256 |\n" " sha384 | sha512\n" "\n" + "Options for CA certificate acquisition:\n" + " --caname (-c) <name> name of CA to fetch CA certificate(s)\n" + " (default: CAIdentifier)\n" "Options for enrollment (cert):\n" " --url (-u) <url> url of the SCEP server\n" " --method (-m) post | get http request type\n" @@ -451,6 +463,9 @@ int main(int argc, char **argv) /* URL of the SCEP-Server */ char *scep_url = NULL; + /* Name of CA to fetch CA certs for */ + char *ca_name = "CAIdentifier"; + /* http request method, default is GET */ bool http_get_request = TRUE; @@ -512,6 +527,7 @@ int main(int argc, char **argv) { "password", required_argument, NULL, 'p' }, { "algorithm", required_argument, NULL, 'a' }, { "url", required_argument, NULL, 'u' }, + { "caname", required_argument, NULL, 'c'}, { "method", required_argument, NULL, 'm' }, { "interval", required_argument, NULL, 't' }, { "maxpolltime", required_argument, NULL, 'x' }, @@ -519,7 +535,7 @@ int main(int argc, char **argv) }; /* parse next option */ - int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:m:t:x:APRCMS", long_opts, NULL); + int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:c:m:t:x:APRCMS", long_opts, NULL); switch (c) { @@ -782,6 +798,10 @@ int main(int argc, char **argv) scep_url = optarg; continue; + case 'c': /* -- caname */ + ca_name = optarg; + continue; + case 'm': /* --method */ if (strcaseeq("get", optarg)) { @@ -915,20 +935,24 @@ int main(int argc, char **argv) if (request_ca_certificate) { char ca_path[PATH_MAX]; + container_t *container; pkcs7_t *pkcs7; - if (!scep_http_request(scep_url, chunk_empty, SCEP_GET_CA_CERT, - http_get_request, &scep_response)) + if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)), + SCEP_GET_CA_CERT, http_get_request, &scep_response)) { exit_scepclient("did not receive a valid scep response"); } join_paths(ca_path, sizeof(ca_path), CA_CERT_PATH, file_out_ca_cert); - pkcs7 = pkcs7_create_from_chunk(scep_response, 0); - if (!pkcs7 || !pkcs7->parse_signedData(pkcs7, NULL)) + pkcs7 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7, + BUILD_BLOB_ASN1_DER, scep_response, BUILD_END); + + if (!pkcs7) { /* no PKCS#7 encoded CA+RA certificates, assume simple CA cert */ - DESTROY_IF(pkcs7); + + DBG1(DBG_APP, "unable to parse PKCS#7, assuming plain CA cert"); if (!chunk_write(scep_response, ca_path, "ca cert", 0022, force)) { exit_scepclient("could not write ca cert file '%s'", ca_path); @@ -941,7 +965,7 @@ int main(int argc, char **argv) int ra_certs = 0, ca_certs = 0; int ra_index = 1, ca_index = 1; - enumerator = pkcs7->create_certificate_enumerator(pkcs7); + enumerator = pkcs7->create_cert_enumerator(pkcs7); while (enumerator->enumerate(enumerator, &cert)) { x509_t *x509 = (x509_t*)cert; @@ -956,7 +980,7 @@ int main(int argc, char **argv) } enumerator->destroy(enumerator); - enumerator = pkcs7->create_certificate_enumerator(pkcs7); + enumerator = pkcs7->create_cert_enumerator(pkcs7); while (enumerator->enumerate(enumerator, &cert)) { x509_t *x509 = (x509_t*)cert; @@ -993,11 +1017,15 @@ int main(int argc, char **argv) chunk_free(&encoding); } enumerator->destroy(enumerator); - pkcs7->destroy(pkcs7); + container = &pkcs7->container; + container->destroy(container); } exit_scepclient(NULL); /* no further output required */ } + creds = mem_cred_create(); + lib->credmgr->add_set(lib->credmgr, &creds->set); + /* * input of PKCS#1 file */ @@ -1020,6 +1048,7 @@ int main(int argc, char **argv) { exit_scepclient("no RSA private key available"); } + creds->add_key(creds, private_key->get_ref(private_key)); public_key = private_key->get_public_key(private_key); /* check for minimum key length */ @@ -1170,6 +1199,7 @@ int main(int argc, char **argv) exit_scepclient("generating certificate failed"); } } + creds->add_cert(creds, TRUE, x509_signer->get_ref(x509_signer)); /* * output of self-signed X.509 certificate file @@ -1270,7 +1300,9 @@ int main(int argc, char **argv) enumerator_t *enumerator; char path[PATH_MAX]; time_t poll_start = 0; - pkcs7_t *data = NULL; + pkcs7_t *p7; + container_t *container = NULL; + chunk_t chunk; scep_attributes_t attrs = empty_scep_attributes; join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_sig); @@ -1282,13 +1314,14 @@ int main(int argc, char **argv) exit_scepclient("could not load signature cacert file '%s'", path); } + creds->add_cert(creds, TRUE, x509_ca_sig->get_ref(x509_ca_sig)); + if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION, http_get_request, &scep_response)) { exit_scepclient("did not receive a valid scep response"); } - ugh = scep_parse_response(scep_response, transID, &data, &attrs, - x509_ca_sig); + ugh = scep_parse_response(scep_response, transID, &container, &attrs); if (ugh != NULL) { exit_scepclient(ugh); @@ -1317,7 +1350,7 @@ int main(int argc, char **argv) DBG2(DBG_APP, "going to sleep for %d seconds", poll_interval); sleep(poll_interval); free(scep_response.ptr); - data->destroy(data); + container->destroy(container); DBG2(DBG_APP, "fingerprint: %.*s", (int)fingerprint.len, fingerprint.ptr); @@ -1338,8 +1371,7 @@ int main(int argc, char **argv) { exit_scepclient("did not receive a valid scep response"); } - ugh = scep_parse_response(scep_response, transID, &data, &attrs, - x509_ca_sig); + ugh = scep_parse_response(scep_response, transID, &container, &attrs); if (ugh != NULL) { exit_scepclient(ugh); @@ -1348,25 +1380,53 @@ int main(int argc, char **argv) if (attrs.pkiStatus != SCEP_SUCCESS) { - data->destroy(data); + container->destroy(container); exit_scepclient("reply status is not 'SUCCESS'"); } - if (!data->parse_envelopedData(data, serialNumber, private_key)) + if (!container->get_data(container, &chunk)) + { + container->destroy(container); + exit_scepclient("extracting signed-data failed"); + } + container->destroy(container); + + /* decrypt enveloped-data container */ + container = lib->creds->create(lib->creds, + CRED_CONTAINER, CONTAINER_PKCS7, + BUILD_BLOB_ASN1_DER, chunk, + BUILD_END); + free(chunk.ptr); + if (!container) { - data->destroy(data); exit_scepclient("could not decrypt envelopedData"); } - if (!data->parse_signedData(data, NULL)) + + if (!container->get_data(container, &chunk)) + { + container->destroy(container); + exit_scepclient("extracting encrypted-data failed"); + } + container->destroy(container); + + /* parse signed-data container */ + container = lib->creds->create(lib->creds, + CRED_CONTAINER, CONTAINER_PKCS7, + BUILD_BLOB_ASN1_DER, chunk, + BUILD_END); + free(chunk.ptr); + if (!container) { - data->destroy(data); - exit_scepclient("error parsing the scep response"); + exit_scepclient("could not parse singed-data"); } + /* no need to verify the signed-data container, the signature does NOT + * cover the contained certificates */ /* store the end entity certificate */ join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert); - enumerator = data->create_certificate_enumerator(data); + p7 = (pkcs7_t*)container; + enumerator = p7->create_cert_enumerator(p7); while (enumerator->enumerate(enumerator, &cert)) { x509_t *x509 = (x509_t*)cert; @@ -1387,7 +1447,11 @@ int main(int argc, char **argv) } } enumerator->destroy(enumerator); - data->destroy(data); + container->destroy(container); + chunk_free(&attrs.transID); + chunk_free(&attrs.senderNonce); + chunk_free(&attrs.recipientNonce); + filetype_out &= ~CERT; /* delete CERT flag */ } |