diff options
Diffstat (limited to 'src/scepclient/scep.c')
| -rw-r--r-- | src/scepclient/scep.c | 360 |
1 files changed, 112 insertions, 248 deletions
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c index 29f6eab70..8b2fd179a 100644 --- a/src/scepclient/scep.c +++ b/src/scepclient/scep.c @@ -1,11 +1,5 @@ -/** - * @file scep.c - * @brief SCEP specific functions - * - * Contains functions to build SCEP request's and to parse SCEP reply's. - */ - /* + * Copyright (C) 2012 Tobias Brunner * Copyright (C) 2005 Jan Hutter, Martin Willi * Hochschule fuer Technik Rapperswil * @@ -23,32 +17,17 @@ #include <string.h> #include <stdlib.h> -#include <freeswan.h> - #include <library.h> +#include <debug.h> #include <asn1/asn1.h> #include <asn1/asn1_parser.h> #include <asn1/oid.h> +#include <crypto/pkcs9.h> #include <crypto/rngs/rng.h> #include <crypto/hashers/hasher.h> -#include "../pluto/constants.h" -#include "../pluto/defs.h" -#include "../pluto/fetch.h" -#include "../pluto/log.h" - #include "scep.h" -static const chunk_t ASN1_messageType_oid = chunk_from_chars( - 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x02 -); -static const chunk_t ASN1_senderNonce_oid = chunk_from_chars( - 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x05 -); -static const chunk_t ASN1_transId_oid = chunk_from_chars( - 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x07 -); - static const char *pkiStatus_values[] = { "0", "2", "3" }; static const char *pkiStatus_names[] = { @@ -86,170 +65,60 @@ const scep_attributes_t empty_scep_attributes = { { NULL, 0 } , /* recipientNonce */ }; -/* ASN.1 definition of the X.501 atttribute type */ - -static const asn1Object_t attributesObjects[] = { - { 0, "attributes", ASN1_SET, ASN1_LOOP }, /* 0 */ - { 1, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ - { 2, "type", ASN1_OID, ASN1_BODY }, /* 2 */ - { 2, "values", ASN1_SET, ASN1_LOOP }, /* 3 */ - { 3, "value", ASN1_EOC, ASN1_RAW }, /* 4 */ - { 2, "end loop", ASN1_EOC, ASN1_END }, /* 5 */ - { 0, "end loop", ASN1_EOC, ASN1_END }, /* 6 */ - { 0, "exit", ASN1_EOC, ASN1_EXIT } -}; -#define ATTRIBUTE_OBJ_TYPE 2 -#define ATTRIBUTE_OBJ_VALUE 4 - /** - * Extract and store an attribute + * Extract X.501 attributes */ -static bool extract_attribute(int oid, chunk_t object, u_int level, - scep_attributes_t *attrs) +void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs) { - asn1_t type = ASN1_EOC; - const char *name = "none"; + pkcs9_t *attributes = pkcs7->get_attributes(pkcs7); + chunk_t attr; - switch (oid) + attr = attributes->get_attribute(attributes, OID_PKI_MESSAGE_TYPE); + if (attr.ptr) { - case OID_PKCS9_CONTENT_TYPE: - type = ASN1_OID; - name = "contentType"; - break; - case OID_PKCS9_SIGNING_TIME: - type = ASN1_UTCTIME; - name = "signingTime"; - break; - case OID_PKCS9_MESSAGE_DIGEST: - type = ASN1_OCTET_STRING; - name = "messageDigest"; - break; - case OID_PKI_MESSAGE_TYPE: - type = ASN1_PRINTABLESTRING; - name = "messageType"; - break; - case OID_PKI_STATUS: - type = ASN1_PRINTABLESTRING; - name = "pkiStatus"; - break; - case OID_PKI_FAIL_INFO: - type = ASN1_PRINTABLESTRING; - name = "failInfo"; - break; - case OID_PKI_SENDER_NONCE: - type = ASN1_OCTET_STRING; - name = "senderNonce"; - break; - case OID_PKI_RECIPIENT_NONCE: - type = ASN1_OCTET_STRING; - name = "recipientNonce"; - break; - case OID_PKI_TRANS_ID: - type = ASN1_PRINTABLESTRING; - name = "transID"; - break; - default: - break; - } - - if (type == ASN1_EOC) - return TRUE; - - if (!asn1_parse_simple_object(&object, type, level+1, name)) - return FALSE; + scep_msg_t m; - switch (oid) - { - case OID_PKCS9_CONTENT_TYPE: - break; - case OID_PKCS9_SIGNING_TIME: - break; - case OID_PKCS9_MESSAGE_DIGEST: - break; - case OID_PKI_MESSAGE_TYPE: + for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++) { - scep_msg_t m; - - for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++) + if (strncmp(msgType_values[m], attr.ptr, attr.len) == 0) { - if (strncmp(msgType_values[m], object.ptr, object.len) == 0) - attrs->msgType = m; + attrs->msgType = m; } - DBG(DBG_CONTROL, - DBG_log("messageType: %s", msgType_names[attrs->msgType]) - ) } - break; - case OID_PKI_STATUS: - { - pkiStatus_t s; + DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]); + } + attr = attributes->get_attribute(attributes, OID_PKI_STATUS); + if (attr.ptr) + { + pkiStatus_t s; - for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++) + for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++) + { + if (strncmp(pkiStatus_values[s], attr.ptr, attr.len) == 0) { - if (strncmp(pkiStatus_values[s], object.ptr, object.len) == 0) - attrs->pkiStatus = s; + attrs->pkiStatus = s; } - DBG(DBG_CONTROL, - DBG_log("pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]) - ) } - break; - case OID_PKI_FAIL_INFO: - if (object.len == 1 - && *object.ptr >= '0' && *object.ptr <= '4') + DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]); + } + attr = attributes->get_attribute(attributes, OID_PKI_FAIL_INFO); + if (attr.ptr) + { + if (attr.len == 1 && *attr.ptr >= '0' && *attr.ptr <= '4') { - attrs->failInfo = (failInfo_t)(*object.ptr - '0'); + attrs->failInfo = (failInfo_t)(*attr.ptr - '0'); } if (attrs->failInfo != SCEP_unknown_REASON) - plog("failInfo: %s", failInfo_reasons[attrs->failInfo]); - break; - case OID_PKI_SENDER_NONCE: - attrs->senderNonce = object; - break; - case OID_PKI_RECIPIENT_NONCE: - attrs->recipientNonce = object; - break; - case OID_PKI_TRANS_ID: - attrs->transID = object; - } - return TRUE; -} - -/** - * Parse X.501 attributes - */ -bool parse_attributes(chunk_t blob, scep_attributes_t *attrs) -{ - asn1_parser_t *parser; - chunk_t object; - int oid = OID_UNKNOWN; - int objectID; - bool success = FALSE; - - parser = asn1_parser_create(attributesObjects, blob); - DBG(DBG_CONTROL | DBG_PARSING, - DBG_log("parsing attributes") - ) - - while (parser->iterate(parser, &objectID, &object)) - { - switch (objectID) { - case ATTRIBUTE_OBJ_TYPE: - oid = asn1_known_oid(object); - break; - case ATTRIBUTE_OBJ_VALUE: - if (!extract_attribute(oid, object, parser->get_level(parser), attrs)) - { - goto end; - } + DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]); } } - success = parser->success(parser); - -end: - parser->destroy(parser); - return success; + attrs->senderNonce = attributes->get_attribute(attributes, + OID_PKI_SENDER_NONCE); + attrs->recipientNonce = attributes->get_attribute(attributes, + OID_PKI_RECIPIENT_NONCE); + attrs->transID = attributes->get_attribute(attributes, + OID_PKI_TRANS_ID); } /** @@ -262,7 +131,11 @@ chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10) hasher_t *hasher; hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5); - hasher->get_hash(hasher, pkcs10, digest.ptr); + if (!hasher || !hasher->get_hash(hasher, pkcs10, digest.ptr)) + { + DESTROY_IF(hasher); + return chunk_empty; + } hasher->destroy(hasher); return chunk_to_hex(digest, NULL, FALSE); @@ -288,8 +161,11 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID, asn1_bitstring("m", keyEncoding)); hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5); - hasher->get_hash(hasher, keyInfo, digest.ptr); - hasher->destroy(hasher); + if (!hasher || !hasher->get_hash(hasher, keyInfo, digest.ptr)) + { + memset(digest.ptr, 0, digest.len); + } + DESTROY_IF(hasher); free(keyInfo.ptr); /* is the most significant bit of the digest set? */ @@ -308,46 +184,13 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID, memcpy(pos, digest.ptr, digest.len); /* the transaction id is the serial number in hex format */ - transID->len = 2*digest.len; - transID->ptr = malloc(transID->len + 1); - datatot(digest.ptr, digest.len, 16, transID->ptr, transID->len + 1); + *transID = chunk_to_hex(digest, NULL, TRUE); } /** - * Builds a transId attribute + * Adds a senderNonce attribute to the given pkcs9 attribute list */ -chunk_t scep_transId_attribute(chunk_t transID) -{ - return asn1_wrap(ASN1_SEQUENCE, "cm" - , ASN1_transId_oid - , asn1_wrap(ASN1_SET, "m" - , asn1_simple_object(ASN1_PRINTABLESTRING, transID) - ) - ); -} - -/** - * Builds a messageType attribute - */ -chunk_t scep_messageType_attribute(scep_msg_t m) -{ - chunk_t msgType = { - (u_char*)msgType_values[m], - strlen(msgType_values[m]) - }; - - return asn1_wrap(ASN1_SEQUENCE, "cm" - , ASN1_messageType_oid - , asn1_wrap(ASN1_SET, "m" - , asn1_simple_object(ASN1_PRINTABLESTRING, msgType) - ) - ); -} - -/** - * Builds a senderNonce attribute - */ -chunk_t scep_senderNonce_attribute(void) +static bool add_senderNonce_attribute(pkcs9_t *pkcs9) { const size_t nonce_len = 16; u_char nonce_buf[nonce_len]; @@ -355,41 +198,58 @@ chunk_t scep_senderNonce_attribute(void) rng_t *rng; rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); - rng->get_bytes(rng, nonce_len, nonce_buf); + if (!rng || !rng->get_bytes(rng, nonce_len, nonce_buf)) + { + DESTROY_IF(rng); + return FALSE; + } rng->destroy(rng); - return asn1_wrap(ASN1_SEQUENCE, "cm" - , ASN1_senderNonce_oid - , asn1_wrap(ASN1_SET, "m" - , asn1_simple_object(ASN1_OCTET_STRING, senderNonce) - ) - ); + pkcs9->set_attribute(pkcs9, OID_PKI_SENDER_NONCE, senderNonce); + return TRUE; } /** * Builds a pkcs7 enveloped and signed scep request */ chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg, - certificate_t *enc_cert, int enc_alg, - certificate_t *signer_cert, int digest_alg, - private_key_t *private_key) + certificate_t *enc_cert, encryption_algorithm_t enc_alg, + size_t key_size, certificate_t *signer_cert, + hash_algorithm_t digest_alg, private_key_t *private_key) { - chunk_t envelopedData, attributes, request; - - envelopedData = pkcs7_build_envelopedData(data, enc_cert, enc_alg); - - attributes = asn1_wrap(ASN1_SET, "mmmmm" - , pkcs7_contentType_attribute() - , pkcs7_messageDigest_attribute(envelopedData - , digest_alg) - , scep_transId_attribute(transID) - , scep_messageType_attribute(msg) - , scep_senderNonce_attribute()); - - request = pkcs7_build_signedData(envelopedData, attributes - , signer_cert, digest_alg, private_key); - free(envelopedData.ptr); - free(attributes.ptr); + chunk_t request, msgType = { + (u_char*)msgType_values[msg], + strlen(msgType_values[msg]), + }; + pkcs7_t *pkcs7; + pkcs9_t *pkcs9; + + pkcs7 = pkcs7_create_from_data(data); + if (!pkcs7->build_envelopedData(pkcs7, enc_cert, enc_alg, key_size)) + { + pkcs7->destroy(pkcs7); + return chunk_empty; + } + + pkcs9 = pkcs9_create(); + pkcs9->set_attribute(pkcs9, OID_PKI_TRANS_ID, transID); + pkcs9->set_attribute(pkcs9, OID_PKI_MESSAGE_TYPE, msgType); + if (!add_senderNonce_attribute(pkcs9)) + { + pkcs9->destroy(pkcs9); + pkcs7->destroy(pkcs7); + return chunk_empty; + } + + pkcs7->set_attributes(pkcs7, pkcs9); + pkcs7->set_certificate(pkcs7, signer_cert->get_ref(signer_cert)); + if (!pkcs7->build_signedData(pkcs7, private_key, digest_alg)) + { + pkcs7->destroy(pkcs7); + return chunk_empty; + } + request = pkcs7->get_contentInfo(pkcs7); + pkcs7->destroy(pkcs7); return request; } @@ -406,11 +266,12 @@ static char* escape_http_request(chunk_t req) int n = 0; /* compute and allocate the size of the base64-encoded request */ - int len = 1 + 4*((req.len + 2)/3); + int len = 1 + 4 * ((req.len + 2) / 3); char *encoded_req = malloc(len); /* do the base64 conversion */ - len = datatot(req.ptr, req.len, 64, encoded_req, len); + chunk_t base64 = chunk_to_base64(req, encoded_req); + len = base64.len + 1; /* compute newline characters to be inserted every 64 characters */ lines = (len - 2) / 64; @@ -420,10 +281,12 @@ static char* escape_http_request(chunk_t req) while (*p1 != '\0') { if (*p1++ == '+') + { plus++; + } } - escaped_req = malloc(len + 3*(lines + plus)); + escaped_req = malloc(len + 3 * (lines + plus)); /* escape special characters in the request */ p1 = encoded_req; @@ -466,9 +329,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op, /* initialize response */ *response = chunk_empty; - DBG(DBG_CONTROL, - DBG_log("sending scep request to '%s'", url) - ) + DBG2(DBG_APP, "sending scep request to '%s'", url); if (op == SCEP_PKI_OPERATION) { @@ -500,6 +361,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op, snprintf(complete_url, len, "%s?operation=%s", url, operation); status = lib->fetcher->fetch(lib->fetcher, complete_url, response, + FETCH_HTTP_VERSION_1_0, FETCH_REQUEST_DATA, pkcs7, FETCH_REQUEST_TYPE, "", FETCH_REQUEST_HEADER, "Expect:", @@ -513,10 +375,11 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op, /* form complete url */ len = strlen(url) + 32 + strlen(operation) + 1; complete_url = malloc(len); - snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier" - , url, operation); + snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier", + url, operation); status = lib->fetcher->fetch(lib->fetcher, complete_url, response, + FETCH_HTTP_VERSION_1_0, FETCH_END); } @@ -524,22 +387,23 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op, return (status == SUCCESS); } -err_t scep_parse_response(chunk_t response, chunk_t transID, contentInfo_t *data, +err_t scep_parse_response(chunk_t response, chunk_t transID, pkcs7_t **data, scep_attributes_t *attrs, certificate_t *signer_cert) { - chunk_t attributes; + pkcs7_t *pkcs7; - if (!pkcs7_parse_signedData(response, data, NULL, &attributes, signer_cert)) + pkcs7 = pkcs7_create_from_chunk(response, 0); + if (!pkcs7 || !pkcs7->parse_signedData(pkcs7, signer_cert)) { + DESTROY_IF(pkcs7); return "error parsing the scep response"; } - if (!parse_attributes(attributes, attrs)) - { - return "error parsing the scep response attributes"; - } + extract_attributes(pkcs7, attrs); if (!chunk_equals(transID, attrs->transID)) { + pkcs7->destroy(pkcs7); return "transaction ID of scep response does not match"; } + *data = pkcs7; return NULL; } |