diff options
Diffstat (limited to 'src/scepclient')
| -rw-r--r-- | src/scepclient/Makefile.am | 55 | ||||
| -rw-r--r-- | src/scepclient/Makefile.in | 90 | ||||
| -rw-r--r-- | src/scepclient/loglite.c | 406 | ||||
| -rw-r--r-- | src/scepclient/pkcs10.c | 234 | ||||
| -rw-r--r-- | src/scepclient/pkcs10.h | 27 | ||||
| -rw-r--r-- | src/scepclient/rsakey.c | 349 | ||||
| -rw-r--r-- | src/scepclient/rsakey.h | 31 | ||||
| -rw-r--r-- | src/scepclient/scep.c | 884 | ||||
| -rw-r--r-- | src/scepclient/scep.h | 46 | ||||
| -rw-r--r-- | src/scepclient/scepclient.8 | 8 | ||||
| -rw-r--r-- | src/scepclient/scepclient.c | 1753 |
11 files changed, 1792 insertions, 2091 deletions
diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am index 86220d71b..20bf76065 100644 --- a/src/scepclient/Makefile.am +++ b/src/scepclient/Makefile.am @@ -1,5 +1,5 @@ ipsec_PROGRAMS = scepclient -scepclient_SOURCES = scepclient.c rsakey.c rsakey.h pkcs10.c pkcs10.h scep.c scep.h loglite.c +scepclient_SOURCES = scepclient.c pkcs10.c pkcs10.h scep.c scep.h loglite.c PLUTODIR=$(top_srcdir)/src/pluto OPENACDIR=$(top_srcdir)/src/openac @@ -15,34 +15,30 @@ INCLUDES = \ -I$(LIBCRYPTODIR) \ -I$(WHACKDIR) -AM_CFLAGS = -DDEBUG -DNO_PLUTO -DIPSEC_CONFDIR=\"${confdir}\" +AM_CFLAGS = \ +-DIPSEC_CONFDIR=\"${confdir}\" \ +-DIPSEC_PLUGINDIR=\"${plugindir}\" \ +-DPLUGINS=\""${pluto_plugins}\"" \ +-DSTRONGSWAN_CONF=\"${strongswan_conf}\" \ +-DDEBUG -DNO_PLUTO +LIBSTRONGSWANBUILDDIR=$(top_builddir)/src/libstrongswan LIBFREESWANBUILDDIR=$(top_builddir)/src/libfreeswan -LIBCRYPTOBUILDDIR=$(top_builddir)/src/libcrypto -scepclient_LDADD = asn1.o ca.o crl.o certs.o constants.o defs.o fetch.o id.o \ - keys.o lex.o md2.o md5.o mp_defs.o ocsp.o oid.o pem.o pgp.o \ - pkcs1.o pkcs7.o rnd.o sha1.o smartcard.o x509.o \ - $(LIBFREESWANBUILDDIR)/libfreeswan.a $(LIBCRYPTOBUILDDIR)/libcrypto.a \ - -lgmp +scepclient_LDADD = \ +ca.o crl.o certs.o constants.o defs.o fetch.o id.o keys.o lex.o \ +ocsp.o pem.o pgpcert.o pkcs7.o smartcard.o x509.o \ +$(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \ +$(LIBFREESWANBUILDDIR)/libfreeswan.a # This compile option activates smartcard support if USE_SMARTCARD AM_CFLAGS += -DSMARTCARD - scepclient_LDADD += -ldl -endif - -# This compile option activates dynamic URL fetching using libcurl -if USE_CURL - AM_CFLAGS += -DLIBCURL - scepclient_LDADD += -lcurl + scepclient_LDADD += $(DLLIB) endif dist_man_MANS = scepclient.8 -asn1.o : $(PLUTODIR)/asn1.c $(PLUTODIR)/asn1.h - $(COMPILE) $(INCLUDES) -c -o $@ $< - ca.o : $(PLUTODIR)/ca.c $(PLUTODIR)/ca.h $(COMPILE) $(INCLUDES) -c -o $@ $< @@ -58,9 +54,6 @@ crl.o : $(PLUTODIR)/crl.c $(PLUTODIR)/crl.h defs.o : $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h $(COMPILE) $(INCLUDES) -c -o $@ $< -mp_defs.o : $(PLUTODIR)/mp_defs.c $(PLUTODIR)/mp_defs.h - $(COMPILE) $(INCLUDES) -c -o $@ $< - fetch.o : $(PLUTODIR)/fetch.c $(PLUTODIR)/fetch.h $(COMPILE) $(INCLUDES) -c -o $@ $< @@ -73,36 +66,18 @@ keys.o : $(PLUTODIR)/keys.c $(PLUTODIR)/keys.h lex.o : $(PLUTODIR)/lex.c $(PLUTODIR)/lex.h $(COMPILE) $(INCLUDES) -c -o $@ $< -md2.o : $(PLUTODIR)/md2.c $(PLUTODIR)/md2.h - $(COMPILE) $(INCLUDES) -c -o $@ $< - -md5.o : $(PLUTODIR)/md5.c $(PLUTODIR)/md5.h - $(COMPILE) $(INCLUDES) -c -o $@ $< - ocsp.o : $(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h $(COMPILE) $(INCLUDES) -c -o $@ $< -oid.o : $(LIBSTRONGSWANDIR)/asn1/oid.c $(LIBSTRONGSWANDIR)/asn1/oid.h - $(COMPILE) -c -o $@ $< - pem.o : $(PLUTODIR)/pem.c $(PLUTODIR)/pem.h $(COMPILE) $(INCLUDES) -c -o $@ $< -pgp.o : $(PLUTODIR)/pgp.c $(PLUTODIR)/pgp.h - $(COMPILE) $(INCLUDES) -c -o $@ $< - -pkcs1.o : $(PLUTODIR)/pkcs1.c $(PLUTODIR)/pkcs1.h +pgpcert.o : $(PLUTODIR)/pgpcert.c $(PLUTODIR)/pgpcert.h $(COMPILE) $(INCLUDES) -c -o $@ $< pkcs7.o : $(PLUTODIR)/pkcs7.c $(PLUTODIR)/pkcs7.h $(COMPILE) $(INCLUDES) -c -o $@ $< -rnd.o : $(PLUTODIR)/rnd.c $(PLUTODIR)/rnd.h - $(COMPILE) $(INCLUDES) -c -o $@ $< - -sha1.o : $(PLUTODIR)/sha1.c $(PLUTODIR)/sha1.h - $(COMPILE) $(INCLUDES) -c -o $@ $< - smartcard.o : $(PLUTODIR)/smartcard.c $(PLUTODIR)/smartcard.h $(COMPILE) $(INCLUDES) -c -o $@ $< diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in index a15b65697..3919583ef 100644 --- a/src/scepclient/Makefile.in +++ b/src/scepclient/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.10.1 from Makefile.am. +# Makefile.in generated by automake 1.10.2 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -36,11 +36,7 @@ ipsec_PROGRAMS = scepclient$(EXEEXT) # This compile option activates smartcard support @USE_SMARTCARD_TRUE@am__append_1 = -DSMARTCARD -@USE_SMARTCARD_TRUE@am__append_2 = -ldl - -# This compile option activates dynamic URL fetching using libcurl -@USE_CURL_TRUE@am__append_3 = -DLIBCURL -@USE_CURL_TRUE@am__append_4 = -lcurl +@USE_SMARTCARD_TRUE@am__append_2 = $(DLLIB) subdir = src/scepclient DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \ $(srcdir)/Makefile.in @@ -53,16 +49,15 @@ CONFIG_CLEAN_FILES = am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)" ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) PROGRAMS = $(ipsec_PROGRAMS) -am_scepclient_OBJECTS = scepclient.$(OBJEXT) rsakey.$(OBJEXT) \ - pkcs10.$(OBJEXT) scep.$(OBJEXT) loglite.$(OBJEXT) +am_scepclient_OBJECTS = scepclient.$(OBJEXT) pkcs10.$(OBJEXT) \ + scep.$(OBJEXT) loglite.$(OBJEXT) scepclient_OBJECTS = $(am_scepclient_OBJECTS) am__DEPENDENCIES_1 = -scepclient_DEPENDENCIES = asn1.o ca.o crl.o certs.o constants.o defs.o \ - fetch.o id.o keys.o lex.o md2.o md5.o mp_defs.o ocsp.o oid.o \ - pem.o pgp.o pkcs1.o pkcs7.o rnd.o sha1.o smartcard.o x509.o \ - $(LIBFREESWANBUILDDIR)/libfreeswan.a \ - $(LIBCRYPTOBUILDDIR)/libcrypto.a $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) +@USE_SMARTCARD_TRUE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1) +scepclient_DEPENDENCIES = ca.o crl.o certs.o constants.o defs.o \ + fetch.o id.o keys.o lex.o ocsp.o pem.o pgpcert.o pkcs7.o \ + smartcard.o x509.o $(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \ + $(LIBFREESWANBUILDDIR)/libfreeswan.a $(am__DEPENDENCIES_2) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -98,6 +93,7 @@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -120,6 +116,9 @@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@ +LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@ +LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ @@ -131,6 +130,7 @@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ NM = @NM@ NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ @@ -144,6 +144,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ @@ -204,6 +206,7 @@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -215,11 +218,12 @@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -scepclient_SOURCES = scepclient.c rsakey.c rsakey.h pkcs10.c pkcs10.h scep.c scep.h loglite.c +scepclient_SOURCES = scepclient.c pkcs10.c pkcs10.h scep.c scep.h loglite.c PLUTODIR = $(top_srcdir)/src/pluto OPENACDIR = $(top_srcdir)/src/openac WHACKDIR = $(top_srcdir)/src/whack @@ -233,16 +237,17 @@ INCLUDES = \ -I$(LIBCRYPTODIR) \ -I$(WHACKDIR) -AM_CFLAGS = -DDEBUG -DNO_PLUTO -DIPSEC_CONFDIR=\"${confdir}\" \ - $(am__append_1) $(am__append_3) +AM_CFLAGS = -DIPSEC_CONFDIR=\"${confdir}\" \ + -DIPSEC_PLUGINDIR=\"${plugindir}\" \ + -DPLUGINS=\""${pluto_plugins}\"" \ + -DSTRONGSWAN_CONF=\"${strongswan_conf}\" -DDEBUG -DNO_PLUTO \ + $(am__append_1) +LIBSTRONGSWANBUILDDIR = $(top_builddir)/src/libstrongswan LIBFREESWANBUILDDIR = $(top_builddir)/src/libfreeswan -LIBCRYPTOBUILDDIR = $(top_builddir)/src/libcrypto -scepclient_LDADD = asn1.o ca.o crl.o certs.o constants.o defs.o \ - fetch.o id.o keys.o lex.o md2.o md5.o mp_defs.o ocsp.o oid.o \ - pem.o pgp.o pkcs1.o pkcs7.o rnd.o sha1.o smartcard.o x509.o \ - $(LIBFREESWANBUILDDIR)/libfreeswan.a \ - $(LIBCRYPTOBUILDDIR)/libcrypto.a -lgmp $(am__append_2) \ - $(am__append_4) +scepclient_LDADD = ca.o crl.o certs.o constants.o defs.o fetch.o id.o \ + keys.o lex.o ocsp.o pem.o pgpcert.o pkcs7.o smartcard.o x509.o \ + $(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \ + $(LIBFREESWANBUILDDIR)/libfreeswan.a $(am__append_2) dist_man_MANS = scepclient.8 all: all-am @@ -252,8 +257,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ @@ -317,7 +322,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/loglite.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs10.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rsakey.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scep.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scepclient.Po@am__quote@ @@ -358,8 +362,8 @@ install-man8: $(man8_MANS) $(man_MANS) esac; \ done; \ for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ + if test -f $$i; then file=$$i; \ + else file=$(srcdir)/$$i; fi; \ ext=`echo $$i | sed -e 's/^.*\\.//'`; \ case "$$ext" in \ 8*) ;; \ @@ -398,7 +402,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS @@ -576,9 +580,6 @@ uninstall-man: uninstall-man8 uninstall-man uninstall-man8 -asn1.o : $(PLUTODIR)/asn1.c $(PLUTODIR)/asn1.h - $(COMPILE) $(INCLUDES) -c -o $@ $< - ca.o : $(PLUTODIR)/ca.c $(PLUTODIR)/ca.h $(COMPILE) $(INCLUDES) -c -o $@ $< @@ -594,9 +595,6 @@ crl.o : $(PLUTODIR)/crl.c $(PLUTODIR)/crl.h defs.o : $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h $(COMPILE) $(INCLUDES) -c -o $@ $< -mp_defs.o : $(PLUTODIR)/mp_defs.c $(PLUTODIR)/mp_defs.h - $(COMPILE) $(INCLUDES) -c -o $@ $< - fetch.o : $(PLUTODIR)/fetch.c $(PLUTODIR)/fetch.h $(COMPILE) $(INCLUDES) -c -o $@ $< @@ -609,36 +607,18 @@ keys.o : $(PLUTODIR)/keys.c $(PLUTODIR)/keys.h lex.o : $(PLUTODIR)/lex.c $(PLUTODIR)/lex.h $(COMPILE) $(INCLUDES) -c -o $@ $< -md2.o : $(PLUTODIR)/md2.c $(PLUTODIR)/md2.h - $(COMPILE) $(INCLUDES) -c -o $@ $< - -md5.o : $(PLUTODIR)/md5.c $(PLUTODIR)/md5.h - $(COMPILE) $(INCLUDES) -c -o $@ $< - ocsp.o : $(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h $(COMPILE) $(INCLUDES) -c -o $@ $< -oid.o : $(LIBSTRONGSWANDIR)/asn1/oid.c $(LIBSTRONGSWANDIR)/asn1/oid.h - $(COMPILE) -c -o $@ $< - pem.o : $(PLUTODIR)/pem.c $(PLUTODIR)/pem.h $(COMPILE) $(INCLUDES) -c -o $@ $< -pgp.o : $(PLUTODIR)/pgp.c $(PLUTODIR)/pgp.h - $(COMPILE) $(INCLUDES) -c -o $@ $< - -pkcs1.o : $(PLUTODIR)/pkcs1.c $(PLUTODIR)/pkcs1.h +pgpcert.o : $(PLUTODIR)/pgpcert.c $(PLUTODIR)/pgpcert.h $(COMPILE) $(INCLUDES) -c -o $@ $< pkcs7.o : $(PLUTODIR)/pkcs7.c $(PLUTODIR)/pkcs7.h $(COMPILE) $(INCLUDES) -c -o $@ $< -rnd.o : $(PLUTODIR)/rnd.c $(PLUTODIR)/rnd.h - $(COMPILE) $(INCLUDES) -c -o $@ $< - -sha1.o : $(PLUTODIR)/sha1.c $(PLUTODIR)/sha1.h - $(COMPILE) $(INCLUDES) -c -o $@ $< - smartcard.o : $(PLUTODIR)/smartcard.c $(PLUTODIR)/smartcard.h $(COMPILE) $(INCLUDES) -c -o $@ $< diff --git a/src/scepclient/loglite.c b/src/scepclient/loglite.c index 4219eb707..b14e72ecb 100644 --- a/src/scepclient/loglite.c +++ b/src/scepclient/loglite.c @@ -11,8 +11,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * RCSID $Id: loglite.c,v 1.2 2005/07/11 18:38:16 as Exp $ */ #include <stdio.h> @@ -23,12 +21,13 @@ #include <errno.h> #include <string.h> #include <unistd.h> -#include <signal.h> /* used only if MSG_NOSIGNAL not defined */ +#include <signal.h> /* used only if MSG_NOSIGNAL not defined */ #include <libgen.h> #include <sys/stat.h> #include <sys/types.h> #include <freeswan.h> +#include <debug.h> #include <constants.h> #include <defs.h> @@ -36,118 +35,179 @@ #include <whack.h> bool - log_to_stderr = FALSE, /* should log go to stderr? */ - log_to_syslog = TRUE; /* should log go to syslog? */ + log_to_stderr = FALSE, /* should log go to stderr? */ + log_to_syslog = TRUE; /* should log go to syslog? */ -void -init_log(const char *program) +/** + * @brief scepclient dbg function + */ +static void scepclient_dbg(int level, char *fmt, ...) { - if (log_to_stderr) - setbuf(stderr, NULL); - if (log_to_syslog) - openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV); + int priority = LOG_INFO; + int debug_level; + char buffer[8192]; + char *current = buffer, *next; + va_list args; + + if (cur_debugging & DBG_PRIVATE) + { + debug_level = 4; + } + else if (cur_debugging & DBG_RAW) + { + debug_level = 3; + } + else if (cur_debugging & DBG_PARSING) + { + debug_level = 2; + } + else + { + debug_level = 1; + } + + if (level <= debug_level) + { + va_start(args, fmt); + + if (log_to_stderr) + { + if (level > 1) + { + fprintf(stderr, "| "); + } + vfprintf(stderr, fmt, args); + fprintf(stderr, "\n"); + } + if (log_to_syslog) + { + /* write in memory buffer first */ + vsnprintf(buffer, sizeof(buffer), fmt, args); + + /* do a syslog with every line */ + while (current) + { + next = strchr(current, '\n'); + if (next) + { + *(next++) = '\0'; + } + syslog(priority, "%s%s\n", (level > 1)? "| ":"", current); + current = next; + } + } + va_end(args); + } } -void -close_log(void) +void init_log(const char *program) { - if (log_to_syslog) - closelog(); + /* enable scepclient bugging hook */ + dbg = scepclient_dbg; + + if (log_to_stderr) + { + setbuf(stderr, NULL); + } + if (log_to_syslog) + { + openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV); + } } -void -plog(const char *message, ...) +void close_log(void) { - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ + if (log_to_syslog) + closelog(); +} - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); +void plog(const char *message, ...) +{ + va_list args; + char m[LOG_WIDTH]; /* longer messages will be truncated */ - if (log_to_stderr) - fprintf(stderr, "%s\n", m); - if (log_to_syslog) - syslog(LOG_WARNING, "%s", m); + va_start(args, message); + vsnprintf(m, sizeof(m), message, args); + va_end(args); + + if (log_to_stderr) + fprintf(stderr, "%s\n", m); + if (log_to_syslog) + syslog(LOG_WARNING, "%s", m); } -void -loglog(int mess_no, const char *message, ...) +void loglog(int mess_no, const char *message, ...) { - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ + va_list args; + char m[LOG_WIDTH]; /* longer messages will be truncated */ - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); + va_start(args, message); + vsnprintf(m, sizeof(m), message, args); + va_end(args); - if (log_to_stderr) - fprintf(stderr, "%s\n", m); - if (log_to_syslog) - syslog(LOG_WARNING, "%s", m); + if (log_to_stderr) + fprintf(stderr, "%s\n", m); + if (log_to_syslog) + syslog(LOG_WARNING, "%s", m); } -void -log_errno_routine(int e, const char *message, ...) +void log_errno_routine(int e, const char *message, ...) { - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ + va_list args; + char m[LOG_WIDTH]; /* longer messages will be truncated */ - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); + va_start(args, message); + vsnprintf(m, sizeof(m), message, args); + va_end(args); - if (log_to_stderr) - fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e)); - if (log_to_syslog) - syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e)); + if (log_to_stderr) + fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e)); + if (log_to_syslog) + syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e)); } -void -exit_log(const char *message, ...) +void exit_log(const char *message, ...) { - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "FATAL ERROR: %s\n", m); - if (log_to_syslog) - syslog(LOG_ERR, "FATAL ERROR: %s", m); - exit(1); + va_list args; + char m[LOG_WIDTH]; /* longer messages will be truncated */ + + va_start(args, message); + vsnprintf(m, sizeof(m), message, args); + va_end(args); + + if (log_to_stderr) + fprintf(stderr, "FATAL ERROR: %s\n", m); + if (log_to_syslog) + syslog(LOG_ERR, "FATAL ERROR: %s", m); + exit(1); } -void -exit_log_errno_routine(int e, const char *message, ...) +void exit_log_errno_routine(int e, const char *message, ...) { - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e)); - if (log_to_syslog) - syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e)); - exit(1); + va_list args; + char m[LOG_WIDTH]; /* longer messages will be truncated */ + + va_start(args, message); + vsnprintf(m, sizeof(m), message, args); + va_end(args); + + if (log_to_stderr) + fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e)); + if (log_to_syslog) + syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e)); + exit(1); } -void -whack_log(int mess_no, const char *message, ...) +void whack_log(int mess_no, const char *message, ...) { - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ + va_list args; + char m[LOG_WIDTH]; /* longer messages will be truncated */ - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); + va_start(args, message); + vsnprintf(m, sizeof(m), message, args); + va_end(args); - fprintf(stderr, "%s\n", m); + fprintf(stderr, "%s\n", m); } /* Build up a diagnostic in a static buffer. @@ -162,132 +222,126 @@ whack_log(int mess_no, const char *message, ...) */ char diag_space[sizeof(diag_space)]; -err_t -builddiag(const char *fmt, ...) +err_t builddiag(const char *fmt, ...) { - static char diag_space[LOG_WIDTH]; /* longer messages will be truncated */ - char t[sizeof(diag_space)]; /* build result here first */ - va_list args; - - va_start(args, fmt); - t[0] = '\0'; /* in case nothing terminates string */ - vsnprintf(t, sizeof(t), fmt, args); - va_end(args); - strcpy(diag_space, t); - return diag_space; + static char diag_space[LOG_WIDTH]; /* longer messages will be truncated */ + char t[sizeof(diag_space)]; /* build result here first */ + va_list args; + + va_start(args, fmt); + t[0] = '\0'; /* in case nothing terminates string */ + vsnprintf(t, sizeof(t), fmt, args); + va_end(args); + strcpy(diag_space, t); + return diag_space; } /* Debugging message support */ #ifdef DEBUG -void -switch_fail(int n, const char *file_str, unsigned long line_no) +void switch_fail(int n, const char *file_str, unsigned long line_no) { - char buf[30]; + char buf[30]; - snprintf(buf, sizeof(buf), "case %d unexpected", n); - passert_fail(buf, file_str, line_no); + snprintf(buf, sizeof(buf), "case %d unexpected", n); + passert_fail(buf, file_str, line_no); } -void -passert_fail(const char *pred_str, const char *file_str, unsigned long line_no) +void passert_fail(const char *pred_str, const char *file_str, unsigned long line_no) { - /* we will get a possibly unplanned prefix. Hope it works */ - loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str); - abort(); /* exiting correctly doesn't always work */ + /* we will get a possibly unplanned prefix. Hope it works */ + loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str); + abort(); /* exiting correctly doesn't always work */ } lset_t - base_debugging = DBG_NONE, /* default to reporting nothing */ - cur_debugging = DBG_NONE; + base_debugging = DBG_NONE, /* default to reporting nothing */ + cur_debugging = DBG_NONE; -void -pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no) +void pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no) { - /* we will get a possibly unplanned prefix. Hope it works */ - loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str); + /* we will get a possibly unplanned prefix. Hope it works */ + loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str); } /* log a debugging message (prefixed by "| ") */ -void -DBG_log(const char *message, ...) +void DBG_log(const char *message, ...) { - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ + va_list args; + char m[LOG_WIDTH]; /* longer messages will be truncated */ - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); + va_start(args, message); + vsnprintf(m, sizeof(m), message, args); + va_end(args); - if (log_to_stderr) - fprintf(stderr, "| %s\n", m); - if (log_to_syslog) - syslog(LOG_DEBUG, "| %s", m); + if (log_to_stderr) + fprintf(stderr, "| %s\n", m); + if (log_to_syslog) + syslog(LOG_DEBUG, "| %s", m); } /* dump raw bytes in hex to stderr (for lack of any better destination) */ -void -DBG_dump(const char *label, const void *p, size_t len) +void DBG_dump(const char *label, const void *p, size_t len) { -# define DUMP_LABEL_WIDTH 20 /* arbitrary modest boundary */ -# define DUMP_WIDTH (4 * (1 + 4 * 3) + 1) - char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH]; - char *bp; - const unsigned char *cp = p; - - bp = buf; +# define DUMP_LABEL_WIDTH 20 /* arbitrary modest boundary */ +# define DUMP_WIDTH (4 * (1 + 4 * 3) + 1) + char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH]; + char *bp; + const unsigned char *cp = p; - if (label != NULL && label[0] != '\0') - { - /* Handle the label. Care must be taken to avoid buffer overrun. */ - size_t llen = strlen(label); + bp = buf; - if (llen + 1 > sizeof(buf)) + if (label != NULL && label[0] != '\0') { - DBG_log("%s", label); + /* Handle the label. Care must be taken to avoid buffer overrun. */ + size_t llen = strlen(label); + + if (llen + 1 > sizeof(buf)) + { + DBG_log("%s", label); + } + else + { + strcpy(buf, label); + if (buf[llen-1] == '\n') + { + buf[llen-1] = '\0'; /* get rid of newline */ + DBG_log("%s", buf); + } + else if (llen < DUMP_LABEL_WIDTH) + { + bp = buf + llen; + } + else + { + DBG_log("%s", buf); + } + } } - else - { - strcpy(buf, label); - if (buf[llen-1] == '\n') - { - buf[llen-1] = '\0'; /* get rid of newline */ - DBG_log("%s", buf); - } - else if (llen < DUMP_LABEL_WIDTH) - { - bp = buf + llen; - } - else - { - DBG_log("%s", buf); - } - } - } - - do { - int i, j; - for (i = 0; len!=0 && i!=4; i++) - { - *bp++ = ' '; - for (j = 0; len!=0 && j!=4; len--, j++) - { - static const char hexdig[] = "0123456789abcdef"; - - *bp++ = ' '; - *bp++ = hexdig[(*cp >> 4) & 0xF]; - *bp++ = hexdig[*cp & 0xF]; - cp++; - } - } - *bp = '\0'; - DBG_log("%s", buf); - bp = buf; - } while (len != 0); + do { + int i, j; + + for (i = 0; len!=0 && i!=4; i++) + { + *bp++ = ' '; + for (j = 0; len!=0 && j!=4; len--, j++) + { + static const char hexdig[] = "0123456789abcdef"; + + *bp++ = ' '; + *bp++ = hexdig[(*cp >> 4) & 0xF]; + *bp++ = hexdig[*cp & 0xF]; + cp++; + } + } + *bp = '\0'; + DBG_log("%s", buf); + bp = buf; + } while (len != 0); # undef DUMP_LABEL_WIDTH # undef DUMP_WIDTH } diff --git a/src/scepclient/pkcs10.c b/src/scepclient/pkcs10.c index 86267f508..cdd68431e 100644 --- a/src/scepclient/pkcs10.c +++ b/src/scepclient/pkcs10.c @@ -26,12 +26,11 @@ #include <arpa/inet.h> #include <freeswan.h> +#include <asn1/asn1.h> #include <asn1/oid.h> #include "../pluto/constants.h" #include "../pluto/defs.h" -#include "../pluto/asn1.h" -#include "../pluto/pkcs1.h" #include "../pluto/log.h" #include "../pluto/x509.h" @@ -40,66 +39,66 @@ /* some pre-coded OIDs */ static u_char ASN1_challengePassword_oid_str[] = { - 0x06,0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x07 + 0x06,0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x07 }; -static const chunk_t ASN1_challengePassword_oid = strchunk(ASN1_challengePassword_oid_str); +static const chunk_t ASN1_challengePassword_oid = chunk_from_buf(ASN1_challengePassword_oid_str); static u_char ASN1_extensionRequest_oid_str[] = { - 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x0E + 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x0E }; -static const chunk_t ASN1_extensionRequest_oid = strchunk(ASN1_extensionRequest_oid_str); +static const chunk_t ASN1_extensionRequest_oid = chunk_from_buf(ASN1_extensionRequest_oid_str); /** * @brief Adds a subjectAltName in DER-coded form to a linked list * - * @param[in,out] subjectAltNames head of the linked list of subjectAltNames - * @param[in] kind type of the subjectAltName (which is a generalName) - * @param[in] value value of the subjectAltName as an ASCII string + * @param[in,out] subjectAltNames head of the linked list of subjectAltNames + * @param[in] kind type of the subjectAltName (which is a generalName) + * @param[in] value value of the subjectAltName as an ASCII string */ void pkcs10_add_subjectAltName(generalName_t **subjectAltNames, generalNames_t kind , char *value) { - generalName_t *gn; - asn1_t asn1_type = ASN1_EOC; - chunk_t name = { value, strlen(value) }; - - switch (kind) - { - case GN_RFC822_NAME: - asn1_type = ASN1_CONTEXT_S_1; - break; - case GN_DNS_NAME: - asn1_type = ASN1_CONTEXT_S_2; - break; - case GN_IP_ADDRESS: + generalName_t *gn; + asn1_t asn1_type = ASN1_EOC; + chunk_t name = { value, strlen(value) }; + + switch (kind) { - struct in_addr addr; - - /* convert an ASCII dotted IPv4 address (e.g. 123.456.78.90) - * to a byte representation in network order - */ - if (!inet_aton(value, &addr)) - { - fprintf(stderr, "error in IPv4 subjectAltName\n"); - return; - } - asn1_type = ASN1_CONTEXT_S_7; - name.ptr = (u_char *) &addr.s_addr; - name.len = sizeof(addr.s_addr); - break; - } - default: - break; - } - - gn = alloc_thing(generalName_t, "subjectAltName"); - gn->kind = kind; - gn->name = asn1_simple_object(asn1_type, name); - gn->next = *subjectAltNames; - *subjectAltNames = gn; + case GN_RFC822_NAME: + asn1_type = ASN1_CONTEXT_S_1; + break; + case GN_DNS_NAME: + asn1_type = ASN1_CONTEXT_S_2; + break; + case GN_IP_ADDRESS: + { + struct in_addr addr; + + /* convert an ASCII dotted IPv4 address (e.g. 123.456.78.90) + * to a byte representation in network order + */ + if (!inet_aton(value, &addr)) + { + fprintf(stderr, "error in IPv4 subjectAltName\n"); + return; + } + asn1_type = ASN1_CONTEXT_S_7; + name.ptr = (u_char *) &addr.s_addr; + name.len = sizeof(addr.s_addr); + break; + } + default: + break; + } + + gn = malloc_thing(generalName_t); + gn->kind = kind; + gn->name = asn1_simple_object(asn1_type, name); + gn->next = *subjectAltNames; + *subjectAltNames = gn; } /** @@ -108,71 +107,75 @@ pkcs10_add_subjectAltName(generalName_t **subjectAltNames, generalNames_t kind * challenge password ans subjectAltNames are only included, * when avaiable in given #pkcs10_t structure * - * @param[in] pkcs10 Pointer to a #pkcs10_t structure - * @return 1 if succeeded, 0 otherwise + * @param[in] pkcs10 Pointer to a #pkcs10_t structure + * @return 1 if succeeded, 0 otherwise */ static chunk_t build_req_info_attributes(pkcs10_t* pkcs10) { - chunk_t subjectAltNames = empty_chunk; - chunk_t challengePassword = empty_chunk; - - if (pkcs10->subjectAltNames != NULL) - { - - subjectAltNames = asn1_wrap(ASN1_SEQUENCE, "cm" - , ASN1_extensionRequest_oid - , asn1_wrap(ASN1_SET, "m" - , asn1_wrap(ASN1_SEQUENCE, "m" - , build_subjectAltNames(pkcs10->subjectAltNames) - ) - ) - ); - } - - if (pkcs10->challengePassword.len > 0) - { - asn1_t type = is_printablestring(pkcs10->challengePassword) - ? ASN1_PRINTABLESTRING : ASN1_T61STRING; - - challengePassword = asn1_wrap(ASN1_SEQUENCE, "cm" - , ASN1_challengePassword_oid - , asn1_wrap(ASN1_SET, "m" - , asn1_simple_object(type, pkcs10->challengePassword) - ) - ); - } - - return asn1_wrap(ASN1_CONTEXT_C_0, "mm" - , subjectAltNames - , challengePassword); + chunk_t subjectAltNames = chunk_empty; + chunk_t challengePassword = chunk_empty; + + if (pkcs10->subjectAltNames != NULL) + { + + subjectAltNames = asn1_wrap(ASN1_SEQUENCE, "cm" + , ASN1_extensionRequest_oid + , asn1_wrap(ASN1_SET, "m" + , asn1_wrap(ASN1_SEQUENCE, "m" + , build_subjectAltNames(pkcs10->subjectAltNames) + ) + ) + ); + } + + if (pkcs10->challengePassword.len > 0) + { + asn1_t type = asn1_is_printablestring(pkcs10->challengePassword) + ? ASN1_PRINTABLESTRING : ASN1_T61STRING; + + challengePassword = asn1_wrap(ASN1_SEQUENCE, "cm" + , ASN1_challengePassword_oid + , asn1_wrap(ASN1_SET, "m" + , asn1_simple_object(type, pkcs10->challengePassword) + ) + ); + } + + return asn1_wrap(ASN1_CONTEXT_C_0, "mm" + , subjectAltNames + , challengePassword); } /** * @brief Builds a DER-code pkcs#10 certificate request * - * @param[in] pkcs10 pointer to a pkcs10_t struct - * @return DER-code pkcs10 request + * @param[in] pkcs10 pointer to a pkcs10_t struct + * @return DER-code pkcs10 request */ static chunk_t pkcs10_build_request(pkcs10_t *pkcs10, int signature_alg) { - RSA_public_key_t *rsak = (RSA_public_key_t *) pkcs10->private_key; + chunk_t key = pkcs10->public_key->get_encoding(pkcs10->public_key); + + chunk_t keyInfo = asn1_wrap(ASN1_SEQUENCE, "cm", + asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), + asn1_bitstring("m", key)); - chunk_t cert_req_info = asn1_wrap(ASN1_SEQUENCE, "ccmm" - , ASN1_INTEGER_0 - , pkcs10->subject - , pkcs1_build_publicKeyInfo(rsak) - , build_req_info_attributes(pkcs10)); + chunk_t cert_req_info = asn1_wrap(ASN1_SEQUENCE, "ccmm", + ASN1_INTEGER_0, + pkcs10->subject, + keyInfo, + build_req_info_attributes(pkcs10)); - chunk_t signature = pkcs1_build_signature(cert_req_info - , signature_alg, pkcs10->private_key, TRUE); + chunk_t signature = x509_build_signature(cert_req_info, signature_alg, + pkcs10->private_key, TRUE); - return asn1_wrap(ASN1_SEQUENCE, "mcm" - , cert_req_info - , asn1_algorithmIdentifier(signature_alg) - , signature); + return asn1_wrap(ASN1_SEQUENCE, "mcm", + cert_req_info, + asn1_algorithmIdentifier(signature_alg), + signature); } /** @@ -183,38 +186,39 @@ pkcs10_build_request(pkcs10_t *pkcs10, int signature_alg) * (e.g. commonName, organization) are needed. An optional challenge * password or some subjectAltNames may be included. * - * @param[in] key rsakey of type #rsakey_t - * @param[in] subject DER-coded subject distinguished name - * @param[in] challengePassword challenge password or empty_chunk - * @param[in] subjectAltNames linked list of subjectAltNames or NULL - * @return pointer to a #pkcs10_t object + * @param[in] key rsakey of type #rsakey_t + * @param[in] subject DER-coded subject distinguished name + * @param[in] challengePassword challenge password or chunk_empty + * @param[in] subjectAltNames linked list of subjectAltNames or NULL + * @return pointer to a #pkcs10_t object */ -pkcs10_t* -pkcs10_build(RSA_private_key_t *key, chunk_t subject, chunk_t challengePassword -, generalName_t *subjectAltNames, int signature_alg) +pkcs10_t* pkcs10_build(private_key_t *private, public_key_t *public, + chunk_t subject, chunk_t challengePassword, + generalName_t *subjectAltNames, int signature_alg) { - pkcs10_t *pkcs10 = alloc_thing(pkcs10_t, "pkcs10_t"); + pkcs10_t *pkcs10 = malloc_thing(pkcs10_t); - pkcs10->subject = subject; - pkcs10->private_key = key; - pkcs10->challengePassword = challengePassword; - pkcs10->subjectAltNames = subjectAltNames; + pkcs10->subject = subject; + pkcs10->private_key = private; + pkcs10->public_key = public; + pkcs10->challengePassword = challengePassword; + pkcs10->subjectAltNames = subjectAltNames; - pkcs10->request = pkcs10_build_request(pkcs10, signature_alg); - return pkcs10; + pkcs10->request = pkcs10_build_request(pkcs10, signature_alg); + return pkcs10; } /** * @brief Frees the resources used by an #pkcs10_t object * - * @param[in] pkcs10 #pkcs10_t to free + * @param[in] pkcs10 #pkcs10_t to free */ void pkcs10_free(pkcs10_t *pkcs10) { - if (pkcs10 != NULL) - { - freeanychunk(pkcs10->request); - pfree(pkcs10); - } + if (pkcs10 != NULL) + { + free(pkcs10->request.ptr); + free(pkcs10); + } } diff --git a/src/scepclient/pkcs10.h b/src/scepclient/pkcs10.h index c2a4c1b92..3f29f019a 100644 --- a/src/scepclient/pkcs10.h +++ b/src/scepclient/pkcs10.h @@ -4,7 +4,7 @@ * * Contains functions to build DER encoded pkcs#10 certificate requests */ - + /* * Copyright (C) 2005 Jan Hutter, Martin Willi * Hochschule fuer Technik Rapperswil @@ -23,8 +23,10 @@ #ifndef _PKCS10_H #define _PKCS10_H +#include <credentials/keys/private_key.h> +#include <credentials/keys/public_key.h> + #include "../pluto/defs.h" -#include "../pluto/pkcs1.h" #include "../pluto/x509.h" typedef struct pkcs10_struct pkcs10_t; @@ -38,20 +40,21 @@ typedef struct pkcs10_struct pkcs10_t; * The RSA private key is needed to compute the signature of the given request */ struct pkcs10_struct { - RSA_private_key_t *private_key; - chunk_t request; - chunk_t subject; - chunk_t challengePassword; - generalName_t *subjectAltNames; + private_key_t *private_key; + public_key_t *public_key; + chunk_t request; + chunk_t subject; + chunk_t challengePassword; + generalName_t *subjectAltNames; }; extern const pkcs10_t empty_pkcs10; -extern void pkcs10_add_subjectAltName(generalName_t **subjectAltNames - , generalNames_t kind, char *value); -extern pkcs10_t* pkcs10_build(RSA_private_key_t *key, chunk_t subject - , chunk_t challengePassword, generalName_t *subjectAltNames - , int signature_alg); +extern void pkcs10_add_subjectAltName(generalName_t **subjectAltNames, + generalNames_t kind, char *value); +extern pkcs10_t* pkcs10_build(private_key_t *private, public_key_t *public, + chunk_t subject, chunk_t challengePassword, + generalName_t *subjectAltNames, int signature_alg); extern void pkcs10_free(pkcs10_t *pkcs10); #endif /* _PKCS10_H */ diff --git a/src/scepclient/rsakey.c b/src/scepclient/rsakey.c deleted file mode 100644 index a7c6321f5..000000000 --- a/src/scepclient/rsakey.c +++ /dev/null @@ -1,349 +0,0 @@ -/** - * @file rsakey.c - * @brief Functions for RSA key generation - */ - -/* - * Copyright (C) 1999, 2000, 2001 Henry Spencer. - * Copyright (C) 2005 Jan Hutter, Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * $Id: rsakey.c,v 1.5 2006/01/04 21:16:30 as Exp $ - */ - - -#include <stdlib.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <fcntl.h> -#include <unistd.h> -#include <assert.h> -#include <gmp.h> - -#include <freeswan.h> - -#include "../pluto/constants.h" -#include "../pluto/defs.h" -#include "../pluto/mp_defs.h" -#include "../pluto/log.h" -#include "../pluto/asn1.h" -#include "../pluto/pkcs1.h" - -#include "rsakey.h" - -/* Number of times the probabilistic primality test is applied */ -#define PRIMECHECK_ROUNDS 30 - -/* Public exponent used for signature key generation */ -#define PUBLIC_EXPONENT 0x10001 - -#ifndef DEV_RANDOM -#define DEV_RANDOM "/dev/random" -#endif - - -/** - * @brief Reads a specific number of bytes from a given device/file - * - * @param[in] nbytes number of bytes to read from random device - * @param[out] buf pointer to buffer where to write the data in. - * size of buffer has to be at least nbytes. - * @return TRUE, if succeeded, FALSE otherwise - */ - -static bool -get_true_random_bytes(size_t nbytes, char *buf) -{ - size_t ndone; - size_t got; - char *device = DEV_RANDOM; - - int dev = open(DEV_RANDOM, 0); - - if (dev < 0) - { - fprintf(stderr, "could not open random device %s", device); - return FALSE; - } - - DBG(DBG_CONTROL, - DBG_log("getting %d bytes from %s...", (int) nbytes, device) - ) - - ndone = 0; - while (ndone < nbytes) - { - got = read(dev, buf + ndone, nbytes - ndone); - if (got < 0) - { - fprintf(stderr, "read error on %s", device); - return FALSE; - } - if (got == 0) - { - fprintf(stderr, "eof on %s", device); - return FALSE; - } - ndone += got; - } - close(dev); - return TRUE; -} - -/** - * @brief initialize an mpz_t to a random number, specified bit count - * - * Converting the random value in a value of type mpz_t is done - * by creating a hexbuffer. - * Converting via hex is a bit weird, but it's the best route GMP gives us. - * Note that highmost and lowmost bits are forced on -- highmost to give a - * number of exactly the specified length, lowmost so it is an odd number. - * - * @param[out] var uninitialized mpz_t to store th random number in - * @param[in] nbits length of var in bits (known to be a multiple of BITS_PER_BYTE) - * @return TRUE on success, FALSE otherwise - */ -static bool -init_random(mpz_t var, int nbits) -{ - size_t nbytes = (size_t)(nbits/BITS_PER_BYTE); - char random_buf[RSA_MAX_OCTETS/2]; - - assert(nbytes <= sizeof(random_buf)); - - if (!get_true_random_bytes(nbytes, random_buf)) - return FALSE; - - random_buf[0] |= 01 << (BITS_PER_BYTE-1); /* force high bit on */ - random_buf[nbytes-1] |= 01; /* force low bit on */ - n_to_mpz(var, random_buf, nbytes); - return TRUE; -} - -/** - * @brief initialize an mpz_t to a random prime of specified size - * - * Efficiency tweak: we reject candidates that are 1 higher than a multiple - * of e, since they will make the internal modulus not relatively prime to e. - * - * @param[out] var mpz_t variable to initialize - * @param[in] nbits length of given prime in bits (known to be a multiple of BITS_PER_BYTE) - * @param[in] eval E-Value, 0 means don't bother w. tweak - * @return 1 on success, 0 otherwise - */ -static bool -init_prime(mpz_t var, int nbits, int eval) -{ - unsigned long tries; - size_t len; - - /* get a random value of nbits length */ - if (!init_random(var, nbits)) - return FALSE; - - /* check if odd number */ - assert(mpz_fdiv_ui(var, 2) == 1); - DBG(DBG_CONTROLMORE, - DBG_log("looking for a prime starting there (can take a while)...") - ) - - tries = 1; - while (mpz_fdiv_ui(var, eval) == 1 - || !mpz_probab_prime_p(var, PRIMECHECK_ROUNDS)) - { - /* not a prime, increase by 2 */ - mpz_add_ui(var, var, 2); - tries++; - } - - len = mpz_sizeinbase(var, 2); - - /* check bit length of primee */ - assert(len == (size_t)nbits || len == (size_t)(nbits+1)); - - if (len == (size_t)(nbits+1)) - { - DBG(DBG_CONTROLMORE, - DBG_log("carry out occurred (!), retrying...") - ) - mpz_clear(var); - /* recursive call */ - return init_prime(var, nbits, eval); - } - DBG(DBG_CONTROLMORE, - DBG_log("found it after %lu tries.",tries) - ) - return TRUE; -} - -/** - * @brief Generate a RSA key usable for encryption - * - * Generate an RSA key usable for encryption. All the - * values of the RSA key are filled into mpz_t parameters. - * These mpz_t parameters must not be initialized and have - * to be cleared with mpz_clear after using. - * - * @param[in] nbits size of rsa key in bits - * @return RSA_public_key_t containing the generated RSA key - */ -err_t -generate_rsa_private_key(int nbits, RSA_private_key_t *key) -{ - mpz_t p, q, n, e, d, exp1, exp2, coeff; - mpz_t m, q1, t; /* temporary variables*/ - - DBG(DBG_CONTROL, - DBG_log("generating %d bit RSA key:", nbits) - ) - - if (nbits <= 0) - return "negative rsa key length!"; - - /* Get values of primes p and q */ - DBG(DBG_CONTROLMORE, - DBG_log("initialize prime p") - ) - if (!init_prime(p, nbits/2, PUBLIC_EXPONENT)) - return "could not generate prime p"; - - DBG(DBG_CONTROLMORE, - DBG_log("initialize prime q") - ) - if (!init_prime(q, nbits/2, PUBLIC_EXPONENT)) - return "could not generate prime q"; - - mpz_init(t); - - /* Swapping primes so p is larger then q */ - if (mpz_cmp(p, q) < 0) - { - DBG(DBG_CONTROLMORE, - DBG_log("swapping primes so p is the larger...") - ); - mpz_set(t, p); - mpz_set(p, q); - mpz_set(q, t); - } - - DBG(DBG_CONTROLMORE, - DBG_log("computing modulus...") - ) - mpz_init(n); - /* n = p*q */ - mpz_mul(n, p, q); - - /* Assign e the value of defined PUBLIC_EXPONENT */ - mpz_init_set_ui(e, PUBLIC_EXPONENT); - - DBG(DBG_CONTROLMORE, - DBG_log("computing lcm(p-1, q-1)...") - ) - /* m = p */ - mpz_init_set(m, p); - /* m = m-1 */ - mpz_sub_ui(m, m, 1); - /* q1 = q */ - mpz_init_set(q1, q); - /* q1 = q1-1 */ - mpz_sub_ui(q1, q1, 1); - /* t = gcd(p-1, q-1) */ - mpz_gcd(t, m, q1); - /* m = (p-1)*(q-1) */ - mpz_mul(m, m, q1); - /* m = m / t */ - mpz_divexact(m, m, t); - /* t = gcd(m, e) (greatest common divisor) */ - mpz_gcd(t, m, e); - /* m and e relatively prime */ - assert(mpz_cmp_ui(t, 1) == 0); - - /* decryption key */ - DBG(DBG_CONTROLMORE, - DBG_log("computing d...") - ) - mpz_init(d); - /* e has an inverse mod m */ - assert(mpz_invert(d, e, m)); - - /* make sure d is positive */ - if (mpz_cmp_ui(d, 0) < 0) - mpz_add(d, d, m); - - /* d has to be positive */ - assert(mpz_cmp(d, m) < 0); - - /* the speedup hacks */ - DBG(DBG_CONTROLMORE, - DBG_log("computing exp1, exp1, coeff...") - ) - mpz_init(exp1); - /* t = p-1 */ - mpz_sub_ui(t, p, 1); - /* exp1 = d mod p-1 */ - mpz_mod(exp1, d, t); - - mpz_init(exp2); - /* t = q-1 */ - mpz_sub_ui(t, q, 1); - /* exp2 = d mod q-1 */ - mpz_mod(exp2, d, t); - - mpz_init(coeff); - /* coeff = q^-1 mod p */ - mpz_invert(coeff, q, p); - - /* make sure coeff is positive */ - if (mpz_cmp_ui(coeff, 0) < 0) - mpz_add(coeff, coeff, p); - - /* coeff has to be positive */ - assert(mpz_cmp(coeff, p) < 0); - - /* Clear temporary variables */ - mpz_clear(q1); - mpz_clear(m); - mpz_clear(t); - - /* form FreeS/WAN keyid */ - { - size_t e_len = (mpz_sizeinbase(e,2)+BITS_PER_BYTE-1)/BITS_PER_BYTE; - size_t n_len = (mpz_sizeinbase(n,2)+BITS_PER_BYTE-1)/BITS_PER_BYTE; - chunk_t e_ch = mpz_to_n(e, e_len); - chunk_t n_ch = mpz_to_n(n, n_len); - form_keyid(e_ch, n_ch, key->pub.keyid, &key->pub.k); - freeanychunk(e_ch); - freeanychunk(n_ch); - } - /* fill in the elements of the RSA private key */ - key->p = *p; - key->q = *q; - key->pub.n = *n; - key->pub.e = *e; - key->d = *d; - key->dP = *exp1; - key->dQ = *exp2; - key->qInv = *coeff; - - DBG(DBG_CONTROL, - DBG_log("RSA key *%s generated with %d bits", key->pub.keyid - , (int)mpz_sizeinbase(n,2)) - ) - -#ifdef DEBUG - DBG(DBG_PRIVATE, - RSA_show_private_key(key) - ) -#endif - return NULL; -} diff --git a/src/scepclient/rsakey.h b/src/scepclient/rsakey.h deleted file mode 100644 index 3e3156d81..000000000 --- a/src/scepclient/rsakey.h +++ /dev/null @@ -1,31 +0,0 @@ -/** - * @file rsakey.h - * @brief Functions for RSA key generation - */ - -/* - * Copyright (C) 1999, 2000, 2001 Henry Spencer. - * Copyright (C) 2005 Jan Hutter, Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * $Id: rsakey.h,v 1.2 2005/08/11 21:52:56 as Exp $ - */ - -#ifndef RSAKEY_H_ -#define RSAKEY_H_ - -#include "../pluto/pkcs1.h" - -extern err_t generate_rsa_private_key(int nbits, RSA_private_key_t *key); - -#endif // RSAKEY_H_ diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c index 1b01044df..a788c6f41 100644 --- a/src/scepclient/scep.c +++ b/src/scepclient/scep.c @@ -24,575 +24,533 @@ #include <stdlib.h> #include <freeswan.h> -#include <asn1/oid.h> -#ifdef LIBCURL -#include <curl/curl.h> -#endif +#include <library.h> +#include <asn1/asn1.h> +#include <asn1/asn1_parser.h> +#include <asn1/oid.h> +#include <crypto/rngs/rng.h> +#include <crypto/hashers/hasher.h> #include "../pluto/constants.h" #include "../pluto/defs.h" -#include "../pluto/rnd.h" -#include "../pluto/asn1.h" -#include "../pluto/pkcs1.h" #include "../pluto/fetch.h" #include "../pluto/log.h" #include "scep.h" static char ASN1_messageType_oid_str[] = { - 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x02 + 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x02 }; static char ASN1_senderNonce_oid_str[] = { - 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x05 + 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x05 }; static char ASN1_transId_oid_str[] = { - 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x07 + 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x07 }; static const chunk_t ASN1_messageType_oid = - strchunk(ASN1_messageType_oid_str); + chunk_from_buf(ASN1_messageType_oid_str); static const chunk_t ASN1_senderNonce_oid = - strchunk(ASN1_senderNonce_oid_str); + chunk_from_buf(ASN1_senderNonce_oid_str); static const chunk_t ASN1_transId_oid = - strchunk(ASN1_transId_oid_str); + chunk_from_buf(ASN1_transId_oid_str); static const char *pkiStatus_values[] = { "0", "2", "3" }; static const char *pkiStatus_names[] = { - "SUCCESS", - "FAILURE", - "PENDING", - "UNKNOWN" + "SUCCESS", + "FAILURE", + "PENDING", + "UNKNOWN" }; static const char *msgType_values[] = { "3", "19", "20", "21", "22" }; static const char *msgType_names[] = { - "CertRep", - "PKCSReq", - "GetCertInitial", - "GetCert", - "GetCRL", - "Unknown" + "CertRep", + "PKCSReq", + "GetCertInitial", + "GetCert", + "GetCRL", + "Unknown" }; static const char *failInfo_reasons[] = { - "badAlg - unrecognized or unsupported algorithm identifier", - "badMessageCheck - integrity check failed", - "badRequest - transaction not permitted or supported", - "badTime - Message time field was not sufficiently close to the system time", - "badCertId - No certificate could be identified matching the provided criteria" + "badAlg - unrecognized or unsupported algorithm identifier", + "badMessageCheck - integrity check failed", + "badRequest - transaction not permitted or supported", + "badTime - Message time field was not sufficiently close to the system time", + "badCertId - No certificate could be identified matching the provided criteria" }; const scep_attributes_t empty_scep_attributes = { - SCEP_Unknown_MSG , /* msgType */ - SCEP_UNKNOWN , /* pkiStatus */ - SCEP_unknown_REASON, /* failInfo */ - { NULL, 0 } , /* transID */ - { NULL, 0 } , /* senderNonce */ - { NULL, 0 } , /* recipientNonce */ + SCEP_Unknown_MSG , /* msgType */ + SCEP_UNKNOWN , /* pkiStatus */ + SCEP_unknown_REASON, /* failInfo */ + { NULL, 0 } , /* transID */ + { NULL, 0 } , /* senderNonce */ + { NULL, 0 } , /* recipientNonce */ }; /* ASN.1 definition of the X.501 atttribute type */ static const asn1Object_t attributesObjects[] = { - { 0, "attributes", ASN1_SET, ASN1_LOOP }, /* 0 */ - { 1, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ - { 2, "type", ASN1_OID, ASN1_BODY }, /* 2 */ - { 2, "values", ASN1_SET, ASN1_LOOP }, /* 3 */ - { 3, "value", ASN1_EOC, ASN1_RAW }, /* 4 */ - { 2, "end loop", ASN1_EOC, ASN1_END }, /* 5 */ - { 0, "end loop", ASN1_EOC, ASN1_END }, /* 6 */ + { 0, "attributes", ASN1_SET, ASN1_LOOP }, /* 0 */ + { 1, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ + { 2, "type", ASN1_OID, ASN1_BODY }, /* 2 */ + { 2, "values", ASN1_SET, ASN1_LOOP }, /* 3 */ + { 3, "value", ASN1_EOC, ASN1_RAW }, /* 4 */ + { 2, "end loop", ASN1_EOC, ASN1_END }, /* 5 */ + { 0, "end loop", ASN1_EOC, ASN1_END }, /* 6 */ + { 0, "exit", ASN1_EOC, ASN1_EXIT } }; +#define ATTRIBUTE_OBJ_TYPE 2 +#define ATTRIBUTE_OBJ_VALUE 4 -#define ATTRIBUTE_OBJ_TYPE 2 -#define ATTRIBUTE_OBJ_VALUE 4 -#define ATTRIBUTE_OBJ_ROOF 7 - -/* - * extract and store an attribute +/** + * Extract and store an attribute */ -static bool -extract_attribute(int oid, chunk_t object, u_int level -, scep_attributes_t *attrs) +static bool extract_attribute(int oid, chunk_t object, u_int level, + scep_attributes_t *attrs) { - asn1_t type = ASN1_EOC; - const char *name = "none"; - - switch (oid) - { - case OID_PKCS9_CONTENT_TYPE: - type = ASN1_OID; - name = "contentType"; - break; - case OID_PKCS9_SIGNING_TIME: - type = ASN1_UTCTIME; - name = "signingTime"; - break; - case OID_PKCS9_MESSAGE_DIGEST: - type = ASN1_OCTET_STRING; - name = "messageDigest"; - break; - case OID_PKI_MESSAGE_TYPE: - type = ASN1_PRINTABLESTRING; - name = "messageType"; - break; - case OID_PKI_STATUS: - type = ASN1_PRINTABLESTRING; - name = "pkiStatus"; - break; - case OID_PKI_FAIL_INFO: - type = ASN1_PRINTABLESTRING; - name = "failInfo"; - break; - case OID_PKI_SENDER_NONCE: - type = ASN1_OCTET_STRING; - name = "senderNonce"; - break; - case OID_PKI_RECIPIENT_NONCE: - type = ASN1_OCTET_STRING; - name = "recipientNonce"; - break; - case OID_PKI_TRANS_ID: - type = ASN1_PRINTABLESTRING; - name = "transID"; - break; - default: - break; - } - - if (type == ASN1_EOC) - return TRUE; + asn1_t type = ASN1_EOC; + const char *name = "none"; - if (!parse_asn1_simple_object(&object, type, level+1, name)) - return FALSE; - - switch (oid) - { - case OID_PKCS9_CONTENT_TYPE: - break; - case OID_PKCS9_SIGNING_TIME: - break; - case OID_PKCS9_MESSAGE_DIGEST: - break; - case OID_PKI_MESSAGE_TYPE: - { - scep_msg_t m; - - for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++) - { - if (strncmp(msgType_values[m], object.ptr, object.len) == 0) - attrs->msgType = m; - } - DBG(DBG_CONTROL, - DBG_log("messageType: %s", msgType_names[attrs->msgType]) - ) - } - break; - case OID_PKI_STATUS: + switch (oid) { - pkiStatus_t s; - - for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++) - { - if (strncmp(pkiStatus_values[s], object.ptr, object.len) == 0) - attrs->pkiStatus = s; - } - DBG(DBG_CONTROL, - DBG_log("pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]) - ) + case OID_PKCS9_CONTENT_TYPE: + type = ASN1_OID; + name = "contentType"; + break; + case OID_PKCS9_SIGNING_TIME: + type = ASN1_UTCTIME; + name = "signingTime"; + break; + case OID_PKCS9_MESSAGE_DIGEST: + type = ASN1_OCTET_STRING; + name = "messageDigest"; + break; + case OID_PKI_MESSAGE_TYPE: + type = ASN1_PRINTABLESTRING; + name = "messageType"; + break; + case OID_PKI_STATUS: + type = ASN1_PRINTABLESTRING; + name = "pkiStatus"; + break; + case OID_PKI_FAIL_INFO: + type = ASN1_PRINTABLESTRING; + name = "failInfo"; + break; + case OID_PKI_SENDER_NONCE: + type = ASN1_OCTET_STRING; + name = "senderNonce"; + break; + case OID_PKI_RECIPIENT_NONCE: + type = ASN1_OCTET_STRING; + name = "recipientNonce"; + break; + case OID_PKI_TRANS_ID: + type = ASN1_PRINTABLESTRING; + name = "transID"; + break; + default: + break; } - break; - case OID_PKI_FAIL_INFO: - if (object.len == 1 - && *object.ptr >= '0' && *object.ptr <= '4') + + if (type == ASN1_EOC) + return TRUE; + + if (!asn1_parse_simple_object(&object, type, level+1, name)) + return FALSE; + + switch (oid) { - attrs->failInfo = (failInfo_t)(*object.ptr - '0'); + case OID_PKCS9_CONTENT_TYPE: + break; + case OID_PKCS9_SIGNING_TIME: + break; + case OID_PKCS9_MESSAGE_DIGEST: + break; + case OID_PKI_MESSAGE_TYPE: + { + scep_msg_t m; + + for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++) + { + if (strncmp(msgType_values[m], object.ptr, object.len) == 0) + attrs->msgType = m; + } + DBG(DBG_CONTROL, + DBG_log("messageType: %s", msgType_names[attrs->msgType]) + ) + } + break; + case OID_PKI_STATUS: + { + pkiStatus_t s; + + for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++) + { + if (strncmp(pkiStatus_values[s], object.ptr, object.len) == 0) + attrs->pkiStatus = s; + } + DBG(DBG_CONTROL, + DBG_log("pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]) + ) + } + break; + case OID_PKI_FAIL_INFO: + if (object.len == 1 + && *object.ptr >= '0' && *object.ptr <= '4') + { + attrs->failInfo = (failInfo_t)(*object.ptr - '0'); + } + if (attrs->failInfo != SCEP_unknown_REASON) + plog("failInfo: %s", failInfo_reasons[attrs->failInfo]); + break; + case OID_PKI_SENDER_NONCE: + attrs->senderNonce = object; + break; + case OID_PKI_RECIPIENT_NONCE: + attrs->recipientNonce = object; + break; + case OID_PKI_TRANS_ID: + attrs->transID = object; } - if (attrs->failInfo != SCEP_unknown_REASON) - plog("failInfo: %s", failInfo_reasons[attrs->failInfo]); - break; - case OID_PKI_SENDER_NONCE: - attrs->senderNonce = object; - break; - case OID_PKI_RECIPIENT_NONCE: - attrs->recipientNonce = object; - break; - case OID_PKI_TRANS_ID: - attrs->transID = object; - } - return TRUE; + return TRUE; } -/* - * parse X.501 attributes +/** + * Parse X.501 attributes */ -bool -parse_attributes(chunk_t blob, scep_attributes_t *attrs) +bool parse_attributes(chunk_t blob, scep_attributes_t *attrs) { - asn1_ctx_t ctx; - chunk_t object; - u_int level; - int oid = OID_UNKNOWN; - int objectID = 0; - - asn1_init(&ctx, blob, 0, FALSE, DBG_RAW); - - DBG(DBG_CONTROL | DBG_PARSING, - DBG_log("parsing attributes") - ) - while (objectID < ATTRIBUTE_OBJ_ROOF) - { - if (!extract_object(attributesObjects, &objectID - , &object, &level, &ctx)) - return FALSE; - - switch (objectID) + asn1_parser_t *parser; + chunk_t object; + int oid = OID_UNKNOWN; + int objectID; + bool success = FALSE; + + parser = asn1_parser_create(attributesObjects, blob); + DBG(DBG_CONTROL | DBG_PARSING, + DBG_log("parsing attributes") + ) + + while (parser->iterate(parser, &objectID, &object)) { - case ATTRIBUTE_OBJ_TYPE: - oid = known_oid(object); - break; - case ATTRIBUTE_OBJ_VALUE: - if (!extract_attribute(oid, object, level, attrs)) - return FALSE; + switch (objectID) + { + case ATTRIBUTE_OBJ_TYPE: + oid = asn1_known_oid(object); + break; + case ATTRIBUTE_OBJ_VALUE: + if (!extract_attribute(oid, object, parser->get_level(parser), attrs)) + { + goto end; + } + } } - objectID++; - } - return TRUE; + success = parser->success(parser); + +end: + parser->destroy(parser); + return success; } -/* generates a unique fingerprint of the pkcs10 request +/** + * Generates a unique fingerprint of the pkcs10 request * by computing an MD5 hash over it */ -void -scep_generate_pkcs10_fingerprint(chunk_t pkcs10, chunk_t *fingerprint) +chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10) { - char buf[MD5_DIGEST_SIZE]; - chunk_t digest = { buf, sizeof(buf) }; - - /* the fingerprint is the MD5 hash in hexadecimal format */ - compute_digest(pkcs10, OID_MD5, &digest); - fingerprint->len = 2*digest.len; - fingerprint->ptr = alloc_bytes(fingerprint->len + 1, "fingerprint"); - datatot(digest.ptr, digest.len, 16, fingerprint->ptr, fingerprint->len + 1); + char digest_buf[HASH_SIZE_MD5]; + chunk_t digest = chunk_from_buf(digest_buf); + hasher_t *hasher; + + hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5); + hasher->get_hash(hasher, pkcs10, digest_buf); + hasher->destroy(hasher); + + return chunk_to_hex(digest, NULL, FALSE); } -/* generate a transaction id as the MD5 hash of an public key +/** + * Generate a transaction id as the MD5 hash of an public key * the transaction id is also used as a unique serial number */ -void -scep_generate_transaction_id(const RSA_public_key_t *rsak -, chunk_t *transID, chunk_t *serialNumber) +void scep_generate_transaction_id(public_key_t *key, chunk_t *transID, + chunk_t *serialNumber) { - char buf[MD5_DIGEST_SIZE]; - - chunk_t digest = { buf, sizeof(buf) }; - chunk_t public_key = pkcs1_build_publicKeyInfo(rsak); + char digest_buf[HASH_SIZE_MD5]; + chunk_t digest = chunk_from_buf(digest_buf); + chunk_t keyEncoding, keyInfo; + hasher_t *hasher; + bool msb_set; + u_char *pos; + + keyEncoding = key->get_encoding(key); - bool msb_set; - u_char *pos; + keyInfo = asn1_wrap(ASN1_SEQUENCE, "cm", + asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), + asn1_bitstring("m", keyEncoding)); - compute_digest(public_key, OID_MD5, &digest); - pfree(public_key.ptr); + hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5); + hasher->get_hash(hasher, keyInfo, digest_buf); + hasher->destroy(hasher); + free(keyInfo.ptr); - /* is the most significant bit of the digest set? */ - msb_set = (*digest.ptr & 0x80) == 0x80; + /* is the most significant bit of the digest set? */ + msb_set = (*digest.ptr & 0x80) == 0x80; - /* allocate space for the serialNumber */ - serialNumber->len = msb_set + digest.len; - serialNumber->ptr = alloc_bytes(serialNumber->len, "serialNumber"); + /* allocate space for the serialNumber */ + serialNumber->len = msb_set + digest.len; + serialNumber->ptr = malloc(serialNumber->len); - /* the serial number as the two's complement of the digest */ - pos = serialNumber->ptr; - if (msb_set) - { - *pos++ = 0x00; - } - memcpy(pos, digest.ptr, digest.len); + /* the serial number as the two's complement of the digest */ + pos = serialNumber->ptr; + if (msb_set) + { + *pos++ = 0x00; + } + memcpy(pos, digest.ptr, digest.len); - /* the transaction id is the serial number in hex format */ - transID->len = 2*digest.len; - transID->ptr = alloc_bytes(transID->len + 1, "transID"); - datatot(digest.ptr, digest.len, 16, transID->ptr, transID->len + 1); + /* the transaction id is the serial number in hex format */ + transID->len = 2*digest.len; + transID->ptr = malloc(transID->len + 1); + datatot(digest.ptr, digest.len, 16, transID->ptr, transID->len + 1); } -/* - * builds a transId attribute +/** + * Builds a transId attribute */ -chunk_t -scep_transId_attribute(chunk_t transID) +chunk_t scep_transId_attribute(chunk_t transID) { - return asn1_wrap(ASN1_SEQUENCE, "cm" - , ASN1_transId_oid - , asn1_wrap(ASN1_SET, "m" - , asn1_simple_object(ASN1_PRINTABLESTRING, transID) - ) - ); + return asn1_wrap(ASN1_SEQUENCE, "cm" + , ASN1_transId_oid + , asn1_wrap(ASN1_SET, "m" + , asn1_simple_object(ASN1_PRINTABLESTRING, transID) + ) + ); } -/* - * builds a messageType attribute +/** + * Builds a messageType attribute */ -chunk_t -scep_messageType_attribute(scep_msg_t m) +chunk_t scep_messageType_attribute(scep_msg_t m) { - chunk_t msgType = { - (u_char*)msgType_values[m], - strlen(msgType_values[m]) - }; - - return asn1_wrap(ASN1_SEQUENCE, "cm" - , ASN1_messageType_oid - , asn1_wrap(ASN1_SET, "m" - , asn1_simple_object(ASN1_PRINTABLESTRING, msgType) - ) - ); + chunk_t msgType = { + (u_char*)msgType_values[m], + strlen(msgType_values[m]) + }; + + return asn1_wrap(ASN1_SEQUENCE, "cm" + , ASN1_messageType_oid + , asn1_wrap(ASN1_SET, "m" + , asn1_simple_object(ASN1_PRINTABLESTRING, msgType) + ) + ); } -/* - * builds a senderNonce attribute +/** + * Builds a senderNonce attribute */ -chunk_t -scep_senderNonce_attribute(void) +chunk_t scep_senderNonce_attribute(void) { - const size_t nonce_len = 16; - u_char nonce_buf[nonce_len]; - chunk_t senderNonce = { nonce_buf, nonce_len }; - - get_rnd_bytes(nonce_buf, nonce_len); - - return asn1_wrap(ASN1_SEQUENCE, "cm" - , ASN1_senderNonce_oid - , asn1_wrap(ASN1_SET, "m" - , asn1_simple_object(ASN1_OCTET_STRING, senderNonce) - ) - ); + const size_t nonce_len = 16; + u_char nonce_buf[nonce_len]; + chunk_t senderNonce = { nonce_buf, nonce_len }; + rng_t *rng; + + rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); + rng->get_bytes(rng, nonce_len, nonce_buf); + rng->destroy(rng); + + return asn1_wrap(ASN1_SEQUENCE, "cm" + , ASN1_senderNonce_oid + , asn1_wrap(ASN1_SET, "m" + , asn1_simple_object(ASN1_OCTET_STRING, senderNonce) + ) + ); } -/* - * builds a pkcs7 enveloped and signed scep request +/** + * Builds a pkcs7 enveloped and signed scep request */ -chunk_t -scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg -, const x509cert_t *enc_cert, int enc_alg -, const x509cert_t *signer_cert, int digest_alg -, const RSA_private_key_t *private_key) +chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg, + const x509cert_t *enc_cert, int enc_alg, + const x509cert_t *signer_cert, int digest_alg, + private_key_t *private_key) { - chunk_t envelopedData, attributes, request; - - envelopedData = pkcs7_build_envelopedData(data, enc_cert, enc_alg); - - attributes = asn1_wrap(ASN1_SET, "mmmmm" - , pkcs7_contentType_attribute() - , pkcs7_messageDigest_attribute(envelopedData - , digest_alg) - , scep_transId_attribute(transID) - , scep_messageType_attribute(msg) - , scep_senderNonce_attribute()); - - request = pkcs7_build_signedData(envelopedData, attributes - , signer_cert, digest_alg, private_key); - freeanychunk(envelopedData); - freeanychunk(attributes); - return request; + chunk_t envelopedData, attributes, request; + + envelopedData = pkcs7_build_envelopedData(data, enc_cert, enc_alg); + + attributes = asn1_wrap(ASN1_SET, "mmmmm" + , pkcs7_contentType_attribute() + , pkcs7_messageDigest_attribute(envelopedData + , digest_alg) + , scep_transId_attribute(transID) + , scep_messageType_attribute(msg) + , scep_senderNonce_attribute()); + + request = pkcs7_build_signedData(envelopedData, attributes + , signer_cert, digest_alg, private_key); + free(envelopedData.ptr); + free(attributes.ptr); + return request; } -#ifdef LIBCURL -/* converts a binary request to base64 with 64 characters per line +/** + * Converts a binary request to base64 with 64 characters per line * newline and '+' characters are escaped by %0A and %2B, respectively */ -static char* -escape_http_request(chunk_t req) +static char* escape_http_request(chunk_t req) { - char *escaped_req = NULL; - char *p1, *p2; - int lines = 0; - int plus = 0; - int n = 0; - - /* compute and allocate the size of the base64-encoded request */ - int len = 1 + 4*((req.len + 2)/3); - char *encoded_req = alloc_bytes(len, "encoded request"); - - /* do the base64 conversion */ - len = datatot(req.ptr, req.len, 64, encoded_req, len); - - /* compute newline characters to be inserted every 64 characters */ - lines = (len - 2) / 64; - - /* count number of + characters to be escaped */ - p1 = encoded_req; - while (*p1 != '\0') - { - if (*p1++ == '+') - plus++; - } - - escaped_req = alloc_bytes(len + 3*(lines + plus), "escaped request"); - - /* escape special characters in the request */ - p1 = encoded_req; - p2 = escaped_req; - while (*p1 != '\0') - { - if (n == 64) - { - memcpy(p2, "%0A", 3); - p2 += 3; - n = 0; - } - if (*p1 == '+') + char *escaped_req = NULL; + char *p1, *p2; + int lines = 0; + int plus = 0; + int n = 0; + + /* compute and allocate the size of the base64-encoded request */ + int len = 1 + 4*((req.len + 2)/3); + char *encoded_req = malloc(len); + + /* do the base64 conversion */ + len = datatot(req.ptr, req.len, 64, encoded_req, len); + + /* compute newline characters to be inserted every 64 characters */ + lines = (len - 2) / 64; + + /* count number of + characters to be escaped */ + p1 = encoded_req; + while (*p1 != '\0') { - memcpy(p2, "%2B", 3); - p2 += 3; + if (*p1++ == '+') + plus++; } - else + + escaped_req = malloc(len + 3*(lines + plus)); + + /* escape special characters in the request */ + p1 = encoded_req; + p2 = escaped_req; + while (*p1 != '\0') { - *p2++ = *p1; + if (n == 64) + { + memcpy(p2, "%0A", 3); + p2 += 3; + n = 0; + } + if (*p1 == '+') + { + memcpy(p2, "%2B", 3); + p2 += 3; + } + else + { + *p2++ = *p1; + } + p1++; + n++; } - p1++; - n++; - } - *p2 = '\0'; - pfreeany(encoded_req); - return escaped_req; + *p2 = '\0'; + free(encoded_req); + return escaped_req; } -#endif -/* - * send a SCEP request via HTTP and wait for a response +/** + * Send a SCEP request via HTTP and wait for a response */ -bool -scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op -, fetch_request_t req_type, chunk_t *response) +bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op, + bool http_get_request, chunk_t *response) { -#ifdef LIBCURL - char errorbuffer[CURL_ERROR_SIZE] = ""; - char *complete_url = NULL; - struct curl_slist *headers = NULL; - CURL *curl; - CURLcode res; - - /* initialize response */ - *response = empty_chunk; - - /* initialize curl context */ - curl = curl_easy_init(); - if (curl == NULL) - { - plog("could not initialize curl context"); - return FALSE; - } - - if (op == SCEP_PKI_OPERATION) - { - const char operation[] = "PKIOperation"; - - if (req_type == FETCH_GET) + int len; + status_t status; + char *complete_url = NULL; + + /* initialize response */ + *response = chunk_empty; + + DBG(DBG_CONTROL, + DBG_log("sending scep request to '%s'", url) + ) + + if (op == SCEP_PKI_OPERATION) { - char *escaped_req = escape_http_request(pkcs7); - - /* form complete url */ - int len = strlen(url) + 20 + strlen(operation) + strlen(escaped_req) + 1; - - complete_url = alloc_bytes(len, "complete url"); - snprintf(complete_url, len, "%s?operation=%s&message=%s" - , url, operation, escaped_req); - pfreeany(escaped_req); - - curl_easy_setopt(curl, CURLOPT_HTTPGET, TRUE); - headers = curl_slist_append(headers, "Pragma:"); - headers = curl_slist_append(headers, "Host:"); - headers = curl_slist_append(headers, "Accept:"); - curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); - curl_easy_setopt(curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0); + const char operation[] = "PKIOperation"; + + if (http_get_request) + { + char *escaped_req = escape_http_request(pkcs7); + + /* form complete url */ + len = strlen(url) + 20 + strlen(operation) + strlen(escaped_req) + 1; + complete_url = malloc(len); + snprintf(complete_url, len, "%s?operation=%s&message=%s" + , url, operation, escaped_req); + free(escaped_req); + + status = lib->fetcher->fetch(lib->fetcher, complete_url, response, + FETCH_HTTP_VERSION_1_0, + FETCH_REQUEST_HEADER, "Pragma:", + FETCH_REQUEST_HEADER, "Host:", + FETCH_REQUEST_HEADER, "Accept:", + FETCH_END); + } + else /* HTTP_POST */ + { + /* form complete url */ + len = strlen(url) + 11 + strlen(operation) + 1; + complete_url = malloc(len); + snprintf(complete_url, len, "%s?operation=%s", url, operation); + + status = lib->fetcher->fetch(lib->fetcher, complete_url, response, + FETCH_REQUEST_DATA, pkcs7, + FETCH_REQUEST_TYPE, "", + FETCH_REQUEST_HEADER, "Expect:", + FETCH_END); + } } - else /* HTTP_POST */ + else /* SCEP_GET_CA_CERT */ { - /* form complete url */ - int len = strlen(url) + 11 + strlen(operation) + 1; - - complete_url = alloc_bytes(len, "complete url"); - snprintf(complete_url, len, "%s?operation=%s", url, operation); - - curl_easy_setopt(curl, CURLOPT_HTTPGET, FALSE); - headers = curl_slist_append(headers, "Content-Type:"); - headers = curl_slist_append(headers, "Expect:"); - curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); - curl_easy_setopt(curl, CURLOPT_POSTFIELDS, (char*)pkcs7.ptr); - curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, pkcs7.len); + const char operation[] = "GetCACert"; + + /* form complete url */ + len = strlen(url) + 32 + strlen(operation) + 1; + complete_url = malloc(len); + snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier" + , url, operation); + + status = lib->fetcher->fetch(lib->fetcher, complete_url, response, + FETCH_END); } - } - else /* SCEP_GET_CA_CERT */ - { - const char operation[] = "GetCACert"; - - /* form complete url */ - int len = strlen(url) + 32 + strlen(operation) + 1; - - complete_url = alloc_bytes(len, "complete url"); - snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier" - , url, operation); - - curl_easy_setopt(curl, CURLOPT_HTTPGET, TRUE); - } - - curl_easy_setopt(curl, CURLOPT_URL, complete_url); - curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer); - curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)response); - curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuffer); - curl_easy_setopt(curl, CURLOPT_FAILONERROR, TRUE); - curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, FETCH_CMD_TIMEOUT); - - DBG(DBG_CONTROL, - DBG_log("sending scep request to '%s'", url) - ) - res = curl_easy_perform(curl); - - if (res == CURLE_OK) - { - DBG(DBG_CONTROL, - DBG_log("received scep response") - ) - DBG(DBG_RAW, - DBG_dump_chunk("SCEP response:\n", *response) - ) - } - else - { - plog("failed to fetch scep response from '%s': %s", url, errorbuffer); - } - curl_slist_free_all(headers); - curl_easy_cleanup(curl); - pfreeany(complete_url); - - return (res == CURLE_OK); -#else /* !LIBCURL */ - plog("scep error: pluto wasn't compiled with libcurl support"); - return FALSE; -#endif /* !LIBCURL */ + + free(complete_url); + return (status == SUCCESS); } -err_t -scep_parse_response(chunk_t response, chunk_t transID, contentInfo_t *data -, scep_attributes_t *attrs, x509cert_t *signer_cert) +err_t scep_parse_response(chunk_t response, chunk_t transID, contentInfo_t *data, + scep_attributes_t *attrs, x509cert_t *signer_cert) { - chunk_t attributes; - - if (!pkcs7_parse_signedData(response, data, NULL, &attributes, signer_cert)) - { - return "error parsing the scep response"; - } - if (!parse_attributes(attributes, attrs)) - { - return "error parsing the scep response attributes"; - } - if (!same_chunk(transID, attrs->transID)) - { - return "transaction ID of scep response does not match"; - } - return NULL; + chunk_t attributes; + + if (!pkcs7_parse_signedData(response, data, NULL, &attributes, signer_cert)) + { + return "error parsing the scep response"; + } + if (!parse_attributes(attributes, attrs)) + { + return "error parsing the scep response attributes"; + } + if (!chunk_equals(transID, attrs->transID)) + { + return "transaction ID of scep response does not match"; + } + return NULL; } diff --git a/src/scepclient/scep.h b/src/scepclient/scep.h index 81e5d1a4b..e8dc87591 100644 --- a/src/scepclient/scep.h +++ b/src/scepclient/scep.h @@ -4,7 +4,7 @@ * * Contains functions to build and parse SCEP requests and replies */ - + /* * Copyright (C) 2005 Jan Hutter, Martin Willi * Hochschule fuer Technik Rapperswil @@ -19,18 +19,17 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. */ - + #ifndef _SCEP_H #define _SCEP_H #include "../pluto/defs.h" -#include "../pluto/pkcs1.h" #include "../pluto/pkcs7.h" /* supported SCEP operation types */ typedef enum { - SCEP_PKI_OPERATION, - SCEP_GET_CA_CERT + SCEP_PKI_OPERATION, + SCEP_GET_CA_CERT } scep_op_t; /* SCEP pkiStatus values */ @@ -63,31 +62,32 @@ typedef enum { /* SCEP attributes */ typedef struct { - scep_msg_t msgType; - pkiStatus_t pkiStatus; - failInfo_t failInfo; - chunk_t transID; - chunk_t senderNonce; - chunk_t recipientNonce; + scep_msg_t msgType; + pkiStatus_t pkiStatus; + failInfo_t failInfo; + chunk_t transID; + chunk_t senderNonce; + chunk_t recipientNonce; } scep_attributes_t; extern const scep_attributes_t empty_scep_attributes; extern bool parse_attributes(chunk_t blob, scep_attributes_t *attrs); -extern void scep_generate_pkcs10_fingerprint(chunk_t pkcs10 - , chunk_t *fingerprint); -extern void scep_generate_transaction_id(const RSA_public_key_t *rsak - , chunk_t *transID, chunk_t *serialNumber); +extern void scep_generate_transaction_id(public_key_t *key, + chunk_t *transID, + chunk_t *serialNumber); +extern chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10); extern chunk_t scep_transId_attribute(chunk_t transaction_id); extern chunk_t scep_messageType_attribute(scep_msg_t m); extern chunk_t scep_senderNonce_attribute(void); -extern chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg - , const x509cert_t *enc_cert, int enc_alg - , const x509cert_t *signer_cert, int digest_alg - , const RSA_private_key_t *private_key); -extern bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op - , fetch_request_t request_type, chunk_t *response); -extern err_t scep_parse_response(chunk_t response, chunk_t transID - , contentInfo_t *data, scep_attributes_t *attrs, x509cert_t *signer_cert); +extern chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg, + const x509cert_t *enc_cert, int enc_alg, + const x509cert_t *signer_cert, int digest_alg, + private_key_t *private_key); +extern bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op, + bool http_get_request, chunk_t *response); +extern err_t scep_parse_response(chunk_t response, chunk_t transID, + contentInfo_t *data, scep_attributes_t *attrs, + x509cert_t *signer_cert); #endif /* _SCEP_H */ diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8 index 0d6364ef2..d9bf8e4cc 100644 --- a/src/scepclient/scepclient.8 +++ b/src/scepclient/scepclient.8 @@ -152,7 +152,13 @@ Supported values for \fIalgo\fP: .IP "\fBdes\-cbc\fP" 12 DES CBC encryption (key size = 56 bit). .IP "\fB3des\-cbc\fP" 12 -Triple DES CBC encryption (key size = 168 bit). +Triple DES-EDE-CBC encryption (key size = 168 bit). +.IP "\fBaes128\-cbc\fP" 12 +AES-CBC encryption (key size = 128 bit). +.IP "\fBaes192\-cbc\fP" 12 +AES-CBC encryption (key size = 192 bit). +.IP "\fBaes256\-cbc\fP" 12 +AES-CBC encryption (key size = 256 bit). .RE .PP .B \-o, \-\-out \fItype\fP[=\fIfilename\fP] diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c index f4afe0b8f..0e7ae3e40 100644 --- a/src/scepclient/scepclient.c +++ b/src/scepclient/scepclient.c @@ -32,22 +32,24 @@ #include <ctype.h> #include <unistd.h> #include <time.h> -#include <gmp.h> #include <freeswan.h> + +#include <library.h> +#include <debug.h> +#include <asn1/asn1.h> #include <asn1/oid.h> +#include <utils/optionsfrom.h> +#include <utils/enumerator.h> +#include <credentials/keys/private_key.h> +#include <credentials/keys/public_key.h> #include "../pluto/constants.h" #include "../pluto/defs.h" #include "../pluto/log.h" -#include "../pluto/asn1.h" -#include "../pluto/pkcs1.h" #include "../pluto/pkcs7.h" #include "../pluto/certs.h" -#include "../pluto/fetch.h" -#include "../pluto/rnd.h" -#include "rsakey.h" #include "pkcs10.h" #include "scep.h" @@ -56,37 +58,37 @@ */ /* default name of DER-encoded PKCS#1 private key file */ -#define DEFAULT_FILENAME_PKCS1 "myKey.der" +#define DEFAULT_FILENAME_PKCS1 "myKey.der" /* default name of DER-encoded PKCS#10 certificate request file */ -#define DEFAULT_FILENAME_PKCS10 "myReq.der" +#define DEFAULT_FILENAME_PKCS10 "myReq.der" /* default name of DER-encoded PKCS#7 file */ -#define DEFAULT_FILENAME_PKCS7 "pkcs7.der" +#define DEFAULT_FILENAME_PKCS7 "pkcs7.der" /* default name of DER-encoded self-signed X.509 certificate file */ -#define DEFAULT_FILENAME_CERT_SELF "selfCert.der" +#define DEFAULT_FILENAME_CERT_SELF "selfCert.der" /* default name of DER-encoded X.509 certificate file */ -#define DEFAULT_FILENAME_CERT "myCert.der" +#define DEFAULT_FILENAME_CERT "myCert.der" /* default name of DER-encoded CA cert file used for key encipherment */ -#define DEFAULT_FILENAME_CACERT_ENC "caCert.der" +#define DEFAULT_FILENAME_CACERT_ENC "caCert.der" /* default name of the der encoded CA cert file used for signature verification */ -#define DEFAULT_FILENAME_CACERT_SIG "caCert.der" +#define DEFAULT_FILENAME_CACERT_SIG "caCert.der" /* default prefix of the der encoded CA certificates received from the SCEP server */ -#define DEFAULT_FILENAME_PREFIX_CACERT "caCert.der" +#define DEFAULT_FILENAME_PREFIX_CACERT "caCert.der" /* default certificate validity */ -#define DEFAULT_CERT_VALIDITY 5 * 3600 * 24 * 365 /* seconds */ +#define DEFAULT_CERT_VALIDITY 5 * 3600 * 24 * 365 /* seconds */ /* default polling time interval in SCEP manual mode */ -#define DEFAULT_POLL_INTERVAL 20 /* seconds */ +#define DEFAULT_POLL_INTERVAL 20 /* seconds */ /* default key length for self-generated RSA keys */ -#define DEFAULT_RSA_KEY_LENGTH 2048 /* bits */ +#define DEFAULT_RSA_KEY_LENGTH 2048 /* bits */ /* default distinguished name */ #define DEFAULT_DN "C=CH, O=Linux strongSwan, CN=" @@ -110,12 +112,15 @@ long crl_check_interval = 0; /* by default pluto logs out after every smartcard use */ bool pkcs11_keep_state = FALSE; +/* options read by optionsfrom */ +options_t *options; /* * Global variables */ -RSA_private_key_t *private_key = NULL; +private_key_t *private_key = NULL; +public_key_t *public_key = NULL; chunk_t pkcs1; chunk_t pkcs7; @@ -138,58 +143,52 @@ pkcs10_t *pkcs10 = NULL; /** * @brief exit scepclient * - * The log is closed and leaks are reported - * if LEAK_DETECTIVE is activated - * * @param status 0 = OK, 1 = general discomfort */ static void exit_scepclient(err_t message, ...) { - if (private_key != NULL) - { - free_RSA_private_content(private_key); - pfree(private_key); - } - freeanychunk(pkcs1); - freeanychunk(pkcs7); - freeanychunk(subject); - freeanychunk(serialNumber); - freeanychunk(transID); - freeanychunk(fingerprint); - freeanychunk(issuerAndSubject); - freeanychunk(getCertInitial); - if (scep_response.ptr != NULL) + int status = 0; + + DESTROY_IF(private_key); + DESTROY_IF(public_key); + free(pkcs1.ptr); + free(pkcs7.ptr); + free(subject.ptr); + free(serialNumber.ptr); + free(transID.ptr); + free(fingerprint.ptr); + free(issuerAndSubject.ptr); + free(getCertInitial.ptr); free(scep_response.ptr); - free_generalNames(subjectAltNames, TRUE); - if (x509_signer != NULL) - x509_signer->subjectAltName = NULL; - - free_x509cert(x509_signer); - free_x509cert(x509_ca_enc); - free_x509cert(x509_ca_sig); - pkcs10_free(pkcs10); - -#ifdef LEAK_DETECTIVE - report_leaks(); -#endif /* LEAK_DETECTIVE */ - close_log(); - - /* print any error message to stderr */ - if (message != NULL && *message != '\0') - { - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - fprintf(stderr, "error: %s\n", m); - exit(-1); - } - exit(0); + free_generalNames(subjectAltNames, TRUE); + if (x509_signer != NULL) + { + x509_signer->subjectAltName = NULL; + } + free_x509cert(x509_signer); + free_x509cert(x509_ca_enc); + free_x509cert(x509_ca_sig); + pkcs10_free(pkcs10); + options->destroy(options); + + /* print any error message to stderr */ + if (message != NULL && *message != '\0') + { + va_list args; + char m[LOG_WIDTH]; /* longer messages will be truncated */ + + va_start(args, message); + vsnprintf(m, sizeof(m), message, args); + va_end(args); + + fprintf(stderr, "error: %s\n", m); + status = -1; + } + library_deinit(); + close_log(); + exit(status); } /** @@ -199,8 +198,8 @@ exit_scepclient(err_t message, ...) static void version(void) { - printf("scepclient %s\n", scepclient_version); - exit_scepclient(NULL); + printf("scepclient %s\n", scepclient_version); + exit_scepclient(NULL); } /** @@ -212,61 +211,81 @@ version(void) static void usage(const char *message) { - fprintf(stderr, - "Usage: scepclient\n" - " --help (-h) show usage and exit\n" - " --version (-v) show version and exit\n" - " --quiet (-q) do not write log output to stderr\n" - " --in (-i) <type>[=<filename>] use <filename> of <type> for input \n" - " <type> = pkcs1 | cacert-enc | cacert-sig\n" - " - if no pkcs1 input is defined, a \n" - " RSA key will be generated\n" - " - if no filename is given, default is used\n" - " --out (-o) <type>[=<filename>] write output of <type> to <filename>\n" - " multiple outputs are allowed\n" - " <type> = pkcs1 | pkcs10 | pkcs7 | cert-self | cert | cacert\n" - " - type cacert defines filename prefix of\n" - " received CA certificate(s)\n" - " - if no filename is given, default is used\n" - " --optionsfrom (-+) <filename> reads additional options from given file\n" - " --force (-f) force existing file(s)\n" - "\n" - "Options for key generation (pkcs1):\n" - " --keylength (-k) <bits> key length for RSA key generation\n" - "(default: 2048 bits)\n" - "\n" - "Options for validity:\n" - " --days (-D) <days> validity in days\n" - " --startdate (-S) <YYMMDDHHMMSS>Z not valid before date\n" - " --enddate (-E) <YYMMDDHHMMSS>Z not valid after date\n" - "\n" - "Options for request generation (pkcs10):\n" - " --dn (-d) <dn> comma separated list of distinguished names\n" - " --subjectAltName (-s) <t>=<v> include subjectAltName in certificate request\n" - " <t> = email | dns | ip \n" - " --password (-p) <pw> challenge password\n" - " - if pw is '%%prompt', password gets prompted for\n" - " --algorithm (-a) <algo> use specified algorithm for PKCS#7 encryption\n" - " <algo> = des-cbc | 3des-cbc (default: 3des-cbc)\n" - "\n" - "Options for enrollment (cert):\n" - " --url (-u) <url> url of the SCEP server\n" - " --method (-m) post | get http request type\n" - " --interval (-t) <seconds> manual mode poll interval in seconds (default 20s)\n" - " --maxpolltime (-x) <seconds> max poll time in seconds when in manual mode\n" - " (default: unlimited)\n" + fprintf(stderr, + "Usage: scepclient\n" + " --help (-h) show usage and exit\n" + " --version (-v) show version and exit\n" + " --quiet (-q) do not write log output to stderr\n" + " --in (-i) <type>[=<filename>] use <filename> of <type> for input \n" + " <type> = pkcs1 | cacert-enc | cacert-sig\n" + " - if no pkcs1 input is defined, a \n" + " RSA key will be generated\n" + " - if no filename is given, default is used\n" + " --out (-o) <type>[=<filename>] write output of <type> to <filename>\n" + " multiple outputs are allowed\n" + " <type> = pkcs1 | pkcs10 | pkcs7 | cert-self | cert | cacert\n" + " - type cacert defines filename prefix of\n" + " received CA certificate(s)\n" + " - if no filename is given, default is used\n" + " --optionsfrom (-+) <filename> reads additional options from given file\n" + " --force (-f) force existing file(s)\n" + "\n" + "Options for key generation (pkcs1):\n" + " --keylength (-k) <bits> key length for RSA key generation\n" + "(default: 2048 bits)\n" + "\n" + "Options for validity:\n" + " --days (-D) <days> validity in days\n" + " --startdate (-S) <YYMMDDHHMMSS>Z not valid before date\n" + " --enddate (-E) <YYMMDDHHMMSS>Z not valid after date\n" + "\n" + "Options for request generation (pkcs10):\n" + " --dn (-d) <dn> comma separated list of distinguished names\n" + " --subjectAltName (-s) <t>=<v> include subjectAltName in certificate request\n" + " <t> = email | dns | ip \n" + " --password (-p) <pw> challenge password\n" + " - if pw is '%%prompt', password gets prompted for\n" + " --algorithm (-a) <algo> use specified algorithm for PKCS#7 encryption\n" + " <algo> = des-cbc | 3des-cbc (default) | \n" + " aes128-cbc | aes192-cbc | aes256-cbc | \n" + " camellia128-cbc | camellia192-cbc | camellia256-cbc\n" + "\n" + "Options for enrollment (cert):\n" + " --url (-u) <url> url of the SCEP server\n" + " --method (-m) post | get http request type\n" + " --interval (-t) <seconds> manual mode poll interval in seconds (default 20s)\n" + " --maxpolltime (-x) <seconds> max poll time in seconds when in manual mode\n" + " (default: unlimited)\n" #ifdef DEBUG - "\n" - "Debugging output:\n" - " --debug-all (-A) show everything except private\n" - " --debug-parsing (-P) show parsing relevant stuff\n" - " --debug-raw (-R) show raw hex dumps\n" - " --debug-control (-C) show control flow output\n" - " --debug-controlmore (-M) show more control flow\n" - " --debug-private (-X) show sensitive data (private keys, etc.)\n" + "\n" + "Debugging output:\n" + " --debug-all (-A) show everything except private\n" + " --debug-parsing (-P) show parsing relevant stuff\n" + " --debug-raw (-R) show raw hex dumps\n" + " --debug-control (-C) show control flow output\n" + " --debug-controlmore (-M) show more control flow\n" + " --debug-private (-X) show sensitive data (private keys, etc.)\n" #endif - ); - exit_scepclient(message); + ); + exit_scepclient(message); +} + +/** + * Log loaded plugins + */ +static void print_plugins() +{ + char buf[BUF_LEN], *plugin; + int len = 0; + enumerator_t *enumerator; + + enumerator = lib->plugins->create_plugin_enumerator(lib->plugins); + while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin)) + { + len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin); + } + enumerator->destroy(enumerator); + DBG1(" loaded plugins: %s", buf); } /** @@ -277,760 +296,842 @@ usage(const char *message) */ int main(int argc, char **argv) { - /* external values */ - extern char * optarg; - extern int optind; - - /* type of input and output files */ - typedef enum { - PKCS1 = 0x01, - PKCS10 = 0x02, - PKCS7 = 0x04, - CERT_SELF = 0x08, - CERT = 0x10, - CACERT_ENC = 0x20, - CACERT_SIG = 0x40 - } scep_filetype_t; - - /* filetype to read from, defaults to "generate a key" */ - scep_filetype_t filetype_in = 0; - - /* filetype to write to, no default here */ - scep_filetype_t filetype_out = 0; - - /* input files */ - char *file_in_pkcs1 = DEFAULT_FILENAME_PKCS1; - char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC; - char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG; - - /* output files */ - char *file_out_pkcs1 = DEFAULT_FILENAME_PKCS1; - char *file_out_pkcs10 = DEFAULT_FILENAME_PKCS10; - char *file_out_pkcs7 = DEFAULT_FILENAME_PKCS7; - char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF; - char *file_out_cert = DEFAULT_FILENAME_CERT; - char *file_out_prefix_cacert = DEFAULT_FILENAME_PREFIX_CACERT; - - /* by default user certificate is requested */ - bool request_ca_certificate = FALSE; - - /* by default existing files are not overwritten */ - bool force = FALSE; - - /* length of RSA key in bits */ - u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH; - - /* validity of self-signed certificate */ - time_t validity = DEFAULT_CERT_VALIDITY; - time_t notBefore = 0; - time_t notAfter = 0; - - /* distinguished name for requested certificate, ASCII format */ - char *distinguishedName = NULL; - - /* challenge password */ - char challenge_password_buffer[MAX_PASSWORD_LENGTH]; - - /* symmetric encryption algorithm used by pkcs7, default is 3DES */ - int pkcs7_symmetric_cipher = OID_3DES_EDE_CBC; - - /* digest algorithm used by pkcs7, default is MD5 */ - int pkcs7_digest_alg = OID_MD5; - - /* signature algorithm used by pkcs10, default is MD5 with RSA encryption */ - int pkcs10_signature_alg = OID_MD5; - - /* URL of the SCEP-Server */ - char *scep_url = NULL; - - /* http request method, default is GET */ - fetch_request_t request_type = FETCH_GET; - - /* poll interval time in manual mode in seconds */ - u_int poll_interval = DEFAULT_POLL_INTERVAL; - - /* maximum poll time */ - u_int max_poll_time = 0; - - err_t ugh = NULL; - - /* initialize global variables */ - pkcs1 = empty_chunk; - pkcs7 = empty_chunk; - serialNumber = empty_chunk; - transID = empty_chunk; - fingerprint = empty_chunk; - issuerAndSubject = empty_chunk; - challengePassword = empty_chunk; - getCertInitial = empty_chunk; - scep_response = empty_chunk; - log_to_stderr = TRUE; - - for (;;) - { - static const struct option long_opts[] = { - /* name, has_arg, flag, val */ - { "help", no_argument, NULL, 'h' }, - { "version", no_argument, NULL, 'v' }, - { "optionsfrom", required_argument, NULL, '+' }, - { "quiet", no_argument, NULL, 'q' }, - { "in", required_argument, NULL, 'i' }, - { "out", required_argument, NULL, 'o' }, - { "force", no_argument, NULL, 'f' }, - { "keylength", required_argument, NULL, 'k' }, - { "dn", required_argument, NULL, 'd' }, - { "days", required_argument, NULL, 'D' }, - { "startdate", required_argument, NULL, 'S' }, - { "enddate", required_argument, NULL, 'E' }, - { "subjectAltName", required_argument, NULL, 's' }, - { "password", required_argument, NULL, 'p' }, - { "algorithm", required_argument, NULL, 'a' }, - { "url", required_argument, NULL, 'u' }, - { "method", required_argument, NULL, 'm' }, - { "interval", required_argument, NULL, 't' }, - { "maxpolltime", required_argument, NULL, 'x' }, + /* external values */ + extern char * optarg; + extern int optind; + + /* type of input and output files */ + typedef enum { + PKCS1 = 0x01, + PKCS10 = 0x02, + PKCS7 = 0x04, + CERT_SELF = 0x08, + CERT = 0x10, + CACERT_ENC = 0x20, + CACERT_SIG = 0x40 + } scep_filetype_t; + + /* filetype to read from, defaults to "generate a key" */ + scep_filetype_t filetype_in = 0; + + /* filetype to write to, no default here */ + scep_filetype_t filetype_out = 0; + + /* input files */ + char *file_in_pkcs1 = DEFAULT_FILENAME_PKCS1; + char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC; + char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG; + + /* output files */ + char *file_out_pkcs1 = DEFAULT_FILENAME_PKCS1; + char *file_out_pkcs10 = DEFAULT_FILENAME_PKCS10; + char *file_out_pkcs7 = DEFAULT_FILENAME_PKCS7; + char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF; + char *file_out_cert = DEFAULT_FILENAME_CERT; + char *file_out_prefix_cacert = DEFAULT_FILENAME_PREFIX_CACERT; + + /* by default user certificate is requested */ + bool request_ca_certificate = FALSE; + + /* by default existing files are not overwritten */ + bool force = FALSE; + + /* length of RSA key in bits */ + u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH; + + /* validity of self-signed certificate */ + time_t validity = DEFAULT_CERT_VALIDITY; + time_t notBefore = 0; + time_t notAfter = 0; + + /* distinguished name for requested certificate, ASCII format */ + char *distinguishedName = NULL; + + /* challenge password */ + char challenge_password_buffer[MAX_PASSWORD_LENGTH]; + + /* symmetric encryption algorithm used by pkcs7, default is 3DES */ + int pkcs7_symmetric_cipher = OID_3DES_EDE_CBC; + + /* digest algorithm used by pkcs7, default is SHA-1 */ + int pkcs7_digest_alg = OID_SHA1; + + /* signature algorithm used by pkcs10, default is SHA-1 with RSA encryption */ + int pkcs10_signature_alg = OID_SHA1; + + /* URL of the SCEP-Server */ + char *scep_url = NULL; + + /* http request method, default is GET */ + bool http_get_request = TRUE; + + /* poll interval time in manual mode in seconds */ + u_int poll_interval = DEFAULT_POLL_INTERVAL; + + /* maximum poll time */ + u_int max_poll_time = 0; + + err_t ugh = NULL; + + /* initialize global variables */ + pkcs1 = chunk_empty; + pkcs7 = chunk_empty; + serialNumber = chunk_empty; + transID = chunk_empty; + fingerprint = chunk_empty; + issuerAndSubject = chunk_empty; + challengePassword = chunk_empty; + getCertInitial = chunk_empty; + scep_response = chunk_empty; + log_to_stderr = TRUE; + + /* initialize library and optionsfrom */ + library_init(STRONGSWAN_CONF); + options = options_create(); + + for (;;) + { + static const struct option long_opts[] = { + /* name, has_arg, flag, val */ + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'v' }, + { "optionsfrom", required_argument, NULL, '+' }, + { "quiet", no_argument, NULL, 'q' }, + { "in", required_argument, NULL, 'i' }, + { "out", required_argument, NULL, 'o' }, + { "force", no_argument, NULL, 'f' }, + { "keylength", required_argument, NULL, 'k' }, + { "dn", required_argument, NULL, 'd' }, + { "days", required_argument, NULL, 'D' }, + { "startdate", required_argument, NULL, 'S' }, + { "enddate", required_argument, NULL, 'E' }, + { "subjectAltName", required_argument, NULL, 's' }, + { "password", required_argument, NULL, 'p' }, + { "algorithm", required_argument, NULL, 'a' }, + { "url", required_argument, NULL, 'u' }, + { "method", required_argument, NULL, 'm' }, + { "interval", required_argument, NULL, 't' }, + { "maxpolltime", required_argument, NULL, 'x' }, +#ifdef DEBUG + { "debug-all", no_argument, NULL, 'A' }, + { "debug-parsing", no_argument, NULL, 'P'}, + { "debug-raw", no_argument, NULL, 'R'}, + { "debug-control", no_argument, NULL, 'C'}, + { "debug-controlmore", no_argument, NULL, 'M'}, + { "debug-private", no_argument, NULL, 'X'}, +#endif + { 0,0,0,0 } + }; + + /* parse next option */ + int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:m:t:x:APRCMS", long_opts, NULL); + + switch (c) + { + case EOF: /* end of flags */ + break; + + case 'h': /* --help */ + usage(NULL); + + case 'v': /* --version */ + version(); + + case 'q': /* --quiet */ + log_to_stderr = FALSE; + continue; + + case 'i': /* --in <type> [= <filename>] */ + { + char *filename = strstr(optarg, "="); + + if (filename) + { + /* replace '=' by '\0' */ + *filename = '\0'; + /* set pointer to start of filename */ + filename++; + } + if (strcaseeq("pkcs1", optarg)) + { + filetype_in |= PKCS1; + if (filename) + file_in_pkcs1 = filename; + } + else if (strcaseeq("cacert-enc", optarg)) + { + filetype_in |= CACERT_ENC; + if (filename) + file_in_cacert_enc = filename; + } + else if (strcaseeq("cacert-sig", optarg)) + { + filetype_in |= CACERT_SIG; + if (filename) + file_in_cacert_sig = filename; + } + else + { + usage("invalid --in file type"); + } + continue; + } + + case 'o': /* --out <type> [= <filename>] */ + { + char *filename = strstr(optarg, "="); + + if (filename) + { + /* replace '=' by '\0' */ + *filename = '\0'; + /* set pointer to start of filename */ + filename++; + } + if (strcaseeq("pkcs1", optarg)) + { + filetype_out |= PKCS1; + if (filename) + file_out_pkcs1 = filename; + } + else if (strcaseeq("pkcs10", optarg)) + { + filetype_out |= PKCS10; + if (filename) + file_out_pkcs10 = filename; + } + else if (strcaseeq("pkcs7", optarg)) + { + filetype_out |= PKCS7; + if (filename) + file_out_pkcs7 = filename; + } + else if (strcaseeq("cert-self", optarg)) + { + filetype_out |= CERT_SELF; + if (filename) + file_out_cert_self = filename; + } + else if (strcaseeq("cert", optarg)) + { + filetype_out |= CERT; + if (filename) + file_out_cert = filename; + } + else if (strcaseeq("cacert", optarg)) + { + request_ca_certificate = TRUE; + if (filename) + file_out_prefix_cacert = filename; + } + else + { + usage("invalid --out file type"); + } + continue; + } + + case 'f': /* --force */ + force = TRUE; + continue; + + case '+': /* --optionsfrom <filename> */ + if (!options->from(options, optarg, &argc, &argv, optind)) + { + exit_scepclient("optionsfrom failed"); + } + continue; + + case 'k': /* --keylength <length> */ + { + div_t q; + + rsa_keylength = atoi(optarg); + if (rsa_keylength == 0) + usage("invalid keylength"); + + /* check if key length is a multiple of 8 bits */ + q = div(rsa_keylength, 2*BITS_PER_BYTE); + if (q.rem != 0) + { + exit_scepclient("keylength is not a multiple of %d bits!" + , 2*BITS_PER_BYTE); + } + continue; + } + + case 'D': /* --days */ + if (optarg == NULL || !isdigit(optarg[0])) + usage("missing number of days"); + { + char *endptr; + long days = strtol(optarg, &endptr, 0); + + if (*endptr != '\0' || endptr == optarg + || days <= 0) + usage("<days> must be a positive number"); + validity = 24*3600*days; + } + continue; + + case 'S': /* --startdate */ + if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z') + usage("date format must be YYMMDDHHMMSSZ"); + { + chunk_t date = { optarg, 13 }; + notBefore = asn1_to_time(&date, ASN1_UTCTIME); + } + continue; + + case 'E': /* --enddate */ + if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z') + usage("date format must be YYMMDDHHMMSSZ"); + { + chunk_t date = { optarg, 13 }; + notAfter = asn1_to_time(&date, ASN1_UTCTIME); + } + continue; + + case 'd': /* --dn */ + if (distinguishedName) + usage("only one distinguished name allowed"); + distinguishedName = optarg; + continue; + + case 's': /* --subjectAltName */ + { + generalNames_t kind; + char *value = strstr(optarg, "="); + + if (value) + { + /* replace '=' by '\0' */ + *value = '\0'; + /* set pointer to start of value */ + value++; + } + + if (strcaseeq("email", optarg)) + { + kind = GN_RFC822_NAME; + } + else if (strcaseeq("dns", optarg)) + { + kind = GN_DNS_NAME; + } + else if (strcaseeq("ip", optarg)) + { + kind = GN_IP_ADDRESS; + } + else + { + usage("invalid --subjectAltName type"); + continue; + } + pkcs10_add_subjectAltName(&subjectAltNames, kind, value); + continue; + } + + case 'p': /* --password */ + if (challengePassword.len > 0) + { + usage("only one challenge password allowed"); + } + if (strcaseeq("%prompt", optarg)) + { + printf("Challenge password: "); + if (fgets(challenge_password_buffer, sizeof(challenge_password_buffer)-1, stdin)) + { + challengePassword.ptr = challenge_password_buffer; + /* discard the terminating '\n' from the input */ + challengePassword.len = strlen(challenge_password_buffer) - 1; + } + else + { + usage("challenge password could not be read"); + } + } + else + { + challengePassword.ptr = optarg; + challengePassword.len = strlen(optarg); + } + continue; + + case 'u': /* -- url */ + if (scep_url) + { + usage("only one URL argument allowed"); + } + scep_url = optarg; + continue; + + case 'm': /* --method */ + if (strcaseeq("get", optarg)) + { + http_get_request = TRUE; + } + else if (strcaseeq("post", optarg)) + { + http_get_request = FALSE; + } + else + { + usage("invalid http request method specified"); + } + continue; + + case 't': /* --interval */ + poll_interval = atoi(optarg); + if (poll_interval <= 0) + { + usage("invalid interval specified"); + } + continue; + + case 'x': /* --maxpolltime */ + max_poll_time = atoi(optarg); + if (max_poll_time < 0) + { + usage("invalid maxpolltime specified"); + } + continue; + + case 'a': /*--algorithm */ + if (strcaseeq("des-cbc", optarg)) + { + pkcs7_symmetric_cipher = OID_DES_CBC; + } + else if (strcaseeq("3des-cbc", optarg)) + { + pkcs7_symmetric_cipher = OID_3DES_EDE_CBC; + } + else if (strcaseeq("aes128-cbc", optarg)) + { + pkcs7_symmetric_cipher = OID_AES128_CBC; + } + else if (strcaseeq("aes192-cbc", optarg)) + { + pkcs7_symmetric_cipher = OID_AES192_CBC; + } + else if (strcaseeq("aes256-cbc", optarg)) + { + pkcs7_symmetric_cipher = OID_AES256_CBC; + } + else if (strcaseeq("camellia128-cbc", optarg)) + { + pkcs7_symmetric_cipher = OID_CAMELLIA128_CBC; + } + else if (strcaseeq("camellia192-cbc", optarg)) + { + pkcs7_symmetric_cipher = OID_CAMELLIA192_CBC; + } + else if (strcaseeq("camellia256-cbc", optarg)) + { + pkcs7_symmetric_cipher = OID_CAMELLIA256_CBC; + } + else + { + usage("invalid encryption algorithm specified"); + } + continue; #ifdef DEBUG - { "debug-all", no_argument, NULL, 'A' }, - { "debug-parsing", no_argument, NULL, 'P'}, - { "debug-raw", no_argument, NULL, 'R'}, - { "debug-control", no_argument, NULL, 'C'}, - { "debug-controlmore", no_argument, NULL, 'M'}, - { "debug-private", no_argument, NULL, 'X'}, + case 'A': /* --debug-all */ + base_debugging |= DBG_ALL; + continue; + case 'P': /* debug parsing */ + base_debugging |= DBG_PARSING; + continue; + case 'R': /* debug raw */ + base_debugging |= DBG_RAW; + continue; + case 'C': /* debug control */ + base_debugging |= DBG_CONTROL; + continue; + case 'M': /* debug control more */ + base_debugging |= DBG_CONTROLMORE; + continue; + case 'X': /* debug private */ + base_debugging |= DBG_PRIVATE; + continue; #endif - { 0,0,0,0 } - }; + default: + usage("unknown option"); + } + /* break from loop */ + break; + } + cur_debugging = base_debugging; + + init_log("scepclient"); - /* parse next option */ - int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:m:t:x:APRCMS", long_opts, NULL); + /* load plugins, further infrastructure may need it */ + lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, + lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS)); + print_plugins(); - switch (c) + if ((filetype_out == 0) && (!request_ca_certificate)) + { + usage ("--out filetype required"); + } + if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0)) { - case EOF: /* end of flags */ - break; + usage("in CA certificate request, no other --in or --out option allowed"); + } - case 'h': /* --help */ - usage(NULL); + /* check if url is given, if cert output defined */ + if (((filetype_out & CERT) || request_ca_certificate) && !scep_url) + { + usage("URL of SCEP server required"); + } - case 'v': /* --version */ - version(); + /* check for sanity of --in/--out */ + if (!filetype_in && (filetype_in > filetype_out)) + { + usage("cannot generate --out of given --in!"); + } - case 'q': /* --quiet */ - log_to_stderr = FALSE; - continue; + /* + * input of PKCS#1 file + */ + if (filetype_in & PKCS1) /* load an RSA key pair from file */ + { + prompt_pass_t pass = { "", FALSE, STDIN_FILENO }; + char *path = concatenate_paths(PRIVATE_KEY_PATH, file_in_pkcs1); - case 'i': /* --in <type> [= <filename>] */ - { - char *filename = strstr(optarg, "="); + private_key = load_private_key(path, &pass, KEY_RSA); + } + else /* generate an RSA key pair */ + { + private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + BUILD_KEY_SIZE, rsa_keylength, + BUILD_END); + } + if (private_key == NULL) + { + exit_scepclient("no RSA private key available"); + } + public_key = private_key->get_public_key(private_key); - if (filename) - { - /* replace '=' by '\0' */ - *filename = '\0'; - /* set pointer to start of filename */ - filename++; - } - if (strcasecmp("pkcs1", optarg) == 0) - { - filetype_in |= PKCS1; - if (filename) - file_in_pkcs1 = filename; - } - else if (strcasecmp("cacert-enc", optarg) == 0) - { - filetype_in |= CACERT_ENC; - if (filename) - file_in_cacert_enc = filename; - } - else if (strcasecmp("cacert-sig", optarg) == 0) - { - filetype_in |= CACERT_SIG; - if (filename) - file_in_cacert_sig = filename; - } - else - { - usage("invalid --in file type"); - } - continue; - } + /* check for minimum key length */ + if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS) + { + exit_scepclient("length of RSA key has to be at least %d bits" + ,RSA_MIN_OCTETS * BITS_PER_BYTE); + } - case 'o': /* --out <type> [= <filename>] */ - { - char *filename = strstr(optarg, "="); + /* + * input of PKCS#10 file + */ + if (filetype_in & PKCS10) + { + /* user wants to load a pkcs10 request + * operation is not yet supported + * would require a PKCS#10 parsing function - if (filename) - { - /* replace '=' by '\0' */ - *filename = '\0'; - /* set pointer to start of filename */ - filename++; - } - if (strcasecmp("pkcs1", optarg) == 0) - { - filetype_out |= PKCS1; - if (filename) - file_out_pkcs1 = filename; - } - else if (strcasecmp("pkcs10", optarg) == 0) - { - filetype_out |= PKCS10; - if (filename) - file_out_pkcs10 = filename; - } - else if (strcasecmp("pkcs7", optarg) == 0) - { - filetype_out |= PKCS7; - if (filename) - file_out_pkcs7 = filename; - } - else if (strcasecmp("cert-self", optarg) == 0) - { - filetype_out |= CERT_SELF; - if (filename) - file_out_cert_self = filename; - } - else if (strcasecmp("cert", optarg) == 0) - { - filetype_out |= CERT; - if (filename) - file_out_cert = filename; - } - else if (strcasecmp("cacert", optarg) == 0) - { - request_ca_certificate = TRUE; - if (filename) - file_out_prefix_cacert = filename; - } - else - { - usage("invalid --out file type"); - } - continue; - } - - case 'f': /* --force */ - force = TRUE; - continue; - - case '+': /* --optionsfrom <filename> */ - optionsfrom(optarg, &argc, &argv, optind, stderr); - /* does not return on error */ - continue; - - case 'k': /* --keylength <length> */ - { - div_t q; - - rsa_keylength = atoi(optarg); - if (rsa_keylength == 0) - usage("invalid keylength"); - - /* check if key length is a multiple of 8 bits */ - q = div(rsa_keylength, 2*BITS_PER_BYTE); - if (q.rem != 0) - { - exit_scepclient("keylength is not a multiple of %d bits!" - , 2*BITS_PER_BYTE); - } - continue; - } - - case 'D': /* --days */ - if (optarg == NULL || !isdigit(optarg[0])) - usage("missing number of days"); - { - char *endptr; - long days = strtol(optarg, &endptr, 0); - - if (*endptr != '\0' || endptr == optarg - || days <= 0) - usage("<days> must be a positive number"); - validity = 24*3600*days; - } - continue; - - case 'S': /* --startdate */ - if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z') - usage("date format must be YYMMDDHHMMSSZ"); - { - chunk_t date = { optarg, 13 }; - notBefore = asn1totime(&date, ASN1_UTCTIME); - } - continue; - - case 'E': /* --enddate */ - if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z') - usage("date format must be YYMMDDHHMMSSZ"); - { - chunk_t date = { optarg, 13 }; - notAfter = asn1totime(&date, ASN1_UTCTIME); - } - continue; - - case 'd': /* --dn */ - if (distinguishedName) - usage("only one distinguished name allowed"); - distinguishedName = optarg; - continue; - - case 's': /* --subjectAltName */ - { - generalNames_t kind; - char *value = strstr(optarg, "="); - - if (value) - { - /* replace '=' by '\0' */ - *value = '\0'; - /* set pointer to start of value */ - value++; - } + pkcs10 = pkcs10_read_from_file(file_in_pkcs10); - if (!strcasecmp("email", optarg)) - kind = GN_RFC822_NAME; - else if (!strcasecmp("dns", optarg)) - kind = GN_DNS_NAME; - else if (!strcasecmp("ip", optarg)) - kind = GN_IP_ADDRESS; - else - { - usage("invalid --subjectAltName type"); - continue; - } - pkcs10_add_subjectAltName(&subjectAltNames, kind, value); - continue; - } - - case 'p': /* --password */ - if (challengePassword.len > 0) - usage("only one challenge password allowed"); - - if (strcasecmp("%prompt", optarg) == 0) - { - printf("Challenge password: "); - if (fgets(challenge_password_buffer, sizeof(challenge_password_buffer)-1, stdin)) + */ + } + else + { + char buf[IDTOA_BUF]; + chunk_t dn = chunk_empty; + + dn.ptr = buf; + + if (distinguishedName == NULL) { - challengePassword.ptr = challenge_password_buffer; - /* discard the terminating '\n' from the input */ - challengePassword.len = strlen(challenge_password_buffer) - 1; + char buf[BUF_LEN]; + int n = sprintf(buf, DEFAULT_DN); + + /* set the common name to the hostname */ + if (gethostname(buf + n, BUF_LEN - n) || strlen(buf) == n) + { + exit_scepclient("no hostname defined, use " + "--dn <distinguished name> option"); + } + distinguishedName = buf; } - else + + DBG(DBG_CONTROL, + DBG_log("dn: '%s'", distinguishedName); + ) + ugh = atodn(distinguishedName, &dn); + if (ugh != NULL) { - usage("challenge password could not be read"); + exit_scepclient(ugh); } - } - else - { - challengePassword.ptr = optarg; - challengePassword.len = strlen(optarg); - } - continue; - - case 'u': /* -- url */ - if (scep_url) - usage("only one URL argument allowed"); - scep_url = optarg; - continue; - - case 'm': /* --method */ - if (strcasecmp("post", optarg) == 0) - request_type = FETCH_POST; - else if (strcasecmp("get", optarg) == 0) - request_type = FETCH_GET; - else - usage("invalid http request method specified"); - continue; - - case 't': /* --interval */ - poll_interval = atoi(optarg); - if (poll_interval <= 0) - usage("invalid interval specified"); - continue; - - case 'x': /* --maxpolltime */ - max_poll_time = atoi(optarg); - if (max_poll_time < 0) - usage("invalid maxpolltime specified"); - continue; - - case 'a': /*--algorithm */ - if (strcasecmp("des-cbc", optarg) == 0) - pkcs7_symmetric_cipher = OID_DES_CBC; - else if (strcasecmp("3des-cbc", optarg) == 0) - pkcs7_symmetric_cipher = OID_3DES_EDE_CBC; - else - usage("invalid encryption algorithm specified"); - continue; -#ifdef DEBUG - case 'A': /* --debug-all */ - base_debugging |= DBG_ALL; - continue; - case 'P': /* debug parsing */ - base_debugging |= DBG_PARSING; - continue; - case 'R': /* debug raw */ - base_debugging |= DBG_RAW; - continue; - case 'C': /* debug control */ - base_debugging |= DBG_CONTROL; - continue; - case 'M': /* debug control more */ - base_debugging |= DBG_CONTROLMORE; - continue; - case 'X': /* debug private */ - base_debugging |= DBG_PRIVATE; - continue; -#endif - default: - usage("unknown option"); + + subject = chunk_clone(dn); + + DBG(DBG_CONTROL, + DBG_log("building pkcs10 object:") + ) + pkcs10 = pkcs10_build(private_key, public_key, subject, + challengePassword, subjectAltNames, + pkcs10_signature_alg); + fingerprint = scep_generate_pkcs10_fingerprint(pkcs10->request); + plog(" fingerprint: %s", fingerprint.ptr); } - /* break from loop */ - break; - } - init_log("scepclient"); - cur_debugging = base_debugging; - init_rnd_pool(); - init_fetch(); + /* + * output of PKCS#10 file + */ + if (filetype_out & PKCS10) + { + char *path = concatenate_paths(REQ_PATH, file_out_pkcs10); - if ((filetype_out == 0) && (!request_ca_certificate)) - usage ("--out filetype required"); + if (!chunk_write(pkcs10->request, path, "pkcs10", 0022, force)) + exit_scepclient("could not write pkcs10 file '%s'", path); - if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0)) - usage("in CA certificate request, no other --in or --out option allowed"); + filetype_out &= ~PKCS10; /* delete PKCS10 flag */ + } - /* check if url is given, if cert output defined */ - if (((filetype_out & CERT) || request_ca_certificate) && !scep_url) - usage("URL of SCEP server required"); + if (!filetype_out) + { + exit_scepclient(NULL); /* no further output required */ + } - /* check for sanity of --in/--out */ - if (!filetype_in && (filetype_in > filetype_out)) - usage("cannot generate --out of given --in!"); - - /* - * input of PKCS#1 file - */ - private_key = alloc_thing(RSA_private_key_t, "RSA_private_key_t"); - - if (filetype_in & PKCS1) /* load an RSA key pair from file */ - { - prompt_pass_t pass = { "", FALSE, STDIN_FILENO }; - const char *path = concatenate_paths(PRIVATE_KEY_PATH, file_in_pkcs1); - - ugh = load_rsa_private_key(path, &pass, private_key); - } - else /* generate an RSA key pair */ - { - ugh = generate_rsa_private_key(rsa_keylength, private_key); - } - if (ugh != NULL) - exit_scepclient(ugh); - - /* check for minimum key length */ - if ((private_key->pub.k) < RSA_MIN_OCTETS) - { - exit_scepclient("length of RSA key has to be at least %d bits" - ,RSA_MIN_OCTETS * BITS_PER_BYTE); - } - - /* - * input of PKCS#10 file - */ - if (filetype_in & PKCS10) - { - /* user wants to load a pkcs10 request - * operation is not yet supported - * would require a PKCS#10 parsing function - - pkcs10 = pkcs10_read_from_file(file_in_pkcs10); - - */ - } - else - { - char buf[IDTOA_BUF]; - chunk_t dn = empty_chunk; - - dn.ptr = buf; - - if (distinguishedName == NULL) + /* + * output of PKCS#1 file + */ + if (filetype_out & PKCS1) { - char buf[BUF_LEN]; - int n = sprintf(buf, DEFAULT_DN); - - /* set the common name to the hostname */ - if (gethostname(buf + n, BUF_LEN - n) || strlen(buf) == n) - { - exit_scepclient("no hostname defined, use " - "--dn <distinguished name> option"); - } - distinguishedName = buf; + char *path = concatenate_paths(PRIVATE_KEY_PATH, file_out_pkcs1); + + DBG(DBG_CONTROL, + DBG_log("building pkcs1 object:") + ) + pkcs1 = private_key->get_encoding(private_key); + + if (!chunk_write(pkcs1, path, "pkcs1", 0066, force)) + exit_scepclient("could not write pkcs1 file '%s'", path); + + filetype_out &= ~PKCS1; /* delete PKCS1 flag */ } - DBG(DBG_CONTROL, - DBG_log("dn: '%s'", distinguishedName); - ) - ugh = atodn(distinguishedName, &dn); - if (ugh != NULL) - exit_scepclient(ugh); - - clonetochunk(subject, dn.ptr, dn.len, "subject dn"); - - DBG(DBG_CONTROL, - DBG_log("building pkcs10 object:") - ) - pkcs10 = pkcs10_build(private_key, subject, challengePassword - , subjectAltNames, pkcs10_signature_alg); - scep_generate_pkcs10_fingerprint(pkcs10->request, &fingerprint); - plog(" fingerprint: %.*s", (int)fingerprint.len, fingerprint.ptr); - } - - /* - * output of PKCS#10 file - */ - if (filetype_out & PKCS10) - { - const char *path = concatenate_paths(REQ_PATH, file_out_pkcs10); - - if (!write_chunk(path, "pkcs10", pkcs10->request, 0022, force)) - exit_scepclient("could not write pkcs10 file '%s'", path); - - filetype_out &= ~PKCS10; /* delete PKCS10 flag */ - } - - if (!filetype_out) - exit_scepclient(NULL); /* no further output required */ - - /* - * output of PKCS#1 file - */ - if (filetype_out & PKCS1) - { - const char *path = concatenate_paths(PRIVATE_KEY_PATH, file_out_pkcs1); - - DBG(DBG_CONTROL, - DBG_log("building pkcs1 object:") - ) - pkcs1 = pkcs1_build_private_key(private_key); - - if (!write_chunk(path, "pkcs1", pkcs1, 0066, force)) - exit_scepclient("could not write pkcs1 file '%s'", path); - - filetype_out &= ~PKCS1; /* delete PKCS1 flag */ - } - - if (!filetype_out) - exit_scepclient(NULL); /* no further output required */ - - scep_generate_transaction_id((const RSA_public_key_t *)private_key - , &transID, &serialNumber); - plog(" transaction ID: %.*s", (int)transID.len, transID.ptr); - - /* generate a self-signed X.509 certificate */ - x509_signer = alloc_thing(x509cert_t, "signer cert"); - *x509_signer = empty_x509cert; - x509_signer->serialNumber = serialNumber; - x509_signer->sigAlg = OID_SHA1_WITH_RSA; - x509_signer->issuer = subject; - x509_signer->notBefore = (notBefore)? notBefore - : time(NULL); - x509_signer->notAfter = (notAfter)? notAfter - : x509_signer->notBefore + validity; - x509_signer->subject = subject; - x509_signer->subjectAltName = subjectAltNames; - - build_x509cert(x509_signer, (const RSA_public_key_t *)private_key - , private_key); - - /* - * output of self-signed X.509 certificate file - */ - if (filetype_out & CERT_SELF) - { - const char *path = concatenate_paths(HOST_CERT_PATH, file_out_cert_self); - - if (!write_chunk(path, "self-signed cert", x509_signer->certificate, 0022, force)) - exit_scepclient("could not write self-signed cert file '%s'", path); -; - filetype_out &= ~CERT_SELF; /* delete CERT_SELF flag */ - } - - if (!filetype_out) - exit_scepclient(NULL); /* no further output required */ - - /* - * load ca encryption certificate - */ - { - const char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_enc); - cert_t cert; - - if (!load_cert(path, "encryption cacert", &cert)) - exit_scepclient("could not load encryption cacert file '%s'", path); - x509_ca_enc = cert.u.x509; - } - - /* - * input of PKCS#7 file - */ - if (filetype_in & PKCS7) - { - /* user wants to load a pkcs7 encrypted request - * operation is not yet supported! - * would require additional parsing of transaction-id - - pkcs7 = pkcs7_read_from_file(file_in_pkcs7); + if (!filetype_out) + { + exit_scepclient(NULL); /* no further output required */ + } + scep_generate_transaction_id(public_key, &transID, &serialNumber); + plog(" transaction ID: %.*s", (int)transID.len, transID.ptr); + + /* generate a self-signed X.509 certificate */ + x509_signer = malloc_thing(x509cert_t); + *x509_signer = empty_x509cert; + x509_signer->serialNumber = serialNumber; + x509_signer->sigAlg = OID_SHA1_WITH_RSA; + x509_signer->issuer = subject; + x509_signer->notBefore = (notBefore)? notBefore + : time(NULL); + x509_signer->notAfter = (notAfter)? notAfter + : x509_signer->notBefore + validity; + x509_signer->subject = subject; + x509_signer->subjectAltName = subjectAltNames; + build_x509cert(x509_signer, public_key, private_key); + + /* + * output of self-signed X.509 certificate file */ - } - else - { - DBG(DBG_CONTROL, - DBG_log("building pkcs7 request") - ) - pkcs7 = scep_build_request(pkcs10->request - , transID, SCEP_PKCSReq_MSG - , x509_ca_enc, pkcs7_symmetric_cipher - , x509_signer, pkcs7_digest_alg, private_key); - } - - /* - * output pkcs7 encrypted and signed certificate request - */ - if (filetype_out & PKCS7) - { - const char *path = concatenate_paths(REQ_PATH, file_out_pkcs7); - - if (!write_chunk(path, "pkcs7 encrypted request", pkcs7, 0022, force)) - exit_scepclient("could not write pkcs7 file '%s'", path); -; - filetype_out &= ~PKCS7; /* delete PKCS7 flag */ - } - - if (!filetype_out) - exit_scepclient(NULL); /* no further output required */ - - /* - * output certificate fetch from SCEP server - */ - if (filetype_out & CERT) - { - const char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_sig); - cert_t cert; - time_t poll_start; - - x509cert_t *certs = NULL; - chunk_t envelopedData = empty_chunk; - chunk_t certData = empty_chunk; - contentInfo_t data = empty_contentInfo; - scep_attributes_t attrs = empty_scep_attributes; - - if (!load_cert(path, "signature cacert", &cert)) - exit_scepclient("could not load signature cacert file '%s'", path); - x509_ca_sig = cert.u.x509; - - if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION - , request_type, &scep_response)) + if (filetype_out & CERT_SELF) { - exit_scepclient("did not receive a valid scep response"); + char *path = concatenate_paths(HOST_CERT_PATH, file_out_cert_self); + + if (!chunk_write(x509_signer->certificate, path, "self-signed cert", 0022, force)) + exit_scepclient("could not write self-signed cert file '%s'", path); +; + filetype_out &= ~CERT_SELF; /* delete CERT_SELF flag */ } - ugh = scep_parse_response(scep_response, transID, &data, &attrs - , x509_ca_sig); - if (ugh != NULL) - exit_scepclient(ugh); - /* in case of manual mode, we are going into a polling loop */ - if (attrs.pkiStatus == SCEP_PENDING) + if (!filetype_out) { - plog(" scep request pending, polling every %d seconds" - , poll_interval); - time(&poll_start); - issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc" - , x509_ca_sig->subject - , subject); + exit_scepclient(NULL); /* no further output required */ } - while (attrs.pkiStatus == SCEP_PENDING) + + /* + * load ca encryption certificate + */ { - if (max_poll_time > 0 - && (time(NULL) - poll_start >= max_poll_time)) - { - exit_scepclient("maximum poll time reached: %d seconds" - , max_poll_time); - } - DBG(DBG_CONTROL, - DBG_log("going to sleep for %d seconds", poll_interval) - ) - sleep(poll_interval); - free(scep_response.ptr); - - DBG(DBG_CONTROL, - DBG_log("fingerprint: %.*s", (int)fingerprint.len, fingerprint.ptr); - DBG_log("transaction ID: %.*s", (int)transID.len, transID.ptr) - ) - - freeanychunk(getCertInitial); - getCertInitial = scep_build_request(issuerAndSubject - , transID, SCEP_GetCertInitial_MSG - , x509_ca_enc, pkcs7_symmetric_cipher - , x509_signer, pkcs7_digest_alg, private_key); - - if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION - , request_type, &scep_response)) - { - exit_scepclient("did not receive a valid scep response"); - } - ugh = scep_parse_response(scep_response, transID, &data, &attrs - , x509_ca_sig); - if (ugh != NULL) - exit_scepclient(ugh); + char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_enc); + cert_t cert; + + if (!load_cert(path, "encryption cacert", &cert)) + { + exit_scepclient("could not load encryption cacert file '%s'", path); + } + x509_ca_enc = cert.u.x509; } - if (attrs.pkiStatus != SCEP_SUCCESS) + /* + * input of PKCS#7 file + */ + if (filetype_in & PKCS7) { - exit_scepclient("reply status is not 'SUCCESS'"); - } + /* user wants to load a pkcs7 encrypted request + * operation is not yet supported! + * would require additional parsing of transaction-id - envelopedData = data.content; + pkcs7 = pkcs7_read_from_file(file_in_pkcs7); - if (data.type != OID_PKCS7_DATA - || !parse_asn1_simple_object(&envelopedData, ASN1_OCTET_STRING, 0, "data")) + */ + } + else { - exit_scepclient("contentInfo is not of type 'data'"); + DBG(DBG_CONTROL, + DBG_log("building pkcs7 request") + ) + pkcs7 = scep_build_request(pkcs10->request + , transID, SCEP_PKCSReq_MSG + , x509_ca_enc, pkcs7_symmetric_cipher + , x509_signer, pkcs7_digest_alg, private_key); } - if (!pkcs7_parse_envelopedData(envelopedData, &certData - , serialNumber, private_key)) + + /* + * output pkcs7 encrypted and signed certificate request + */ + if (filetype_out & PKCS7) { - exit_scepclient("could not decrypt envelopedData"); + char *path = concatenate_paths(REQ_PATH, file_out_pkcs7); + + if (!chunk_write(pkcs7, path, "pkcs7 encrypted request", 0022, force)) + exit_scepclient("could not write pkcs7 file '%s'", path); +; + filetype_out &= ~PKCS7; /* delete PKCS7 flag */ } - if (!pkcs7_parse_signedData(certData, NULL, &certs, NULL, NULL)) - { - exit_scepclient("error parsing the scep response"); + + if (!filetype_out) + { + exit_scepclient(NULL); /* no further output required */ } - freeanychunk(certData); - - /* store the end entity certificate */ - path = concatenate_paths(HOST_CERT_PATH, file_out_cert); - while (certs != NULL) - { - bool stored = FALSE; - x509cert_t *cert = certs; - - if (!cert->isCA) - { - if (stored) - exit_scepclient("multiple certs received, only first stored"); - if (!write_chunk(path, "requested cert", cert->certificate, 0022, force)) - exit_scepclient("could not write cert file '%s'", path); - stored = TRUE; - } - certs = certs->next; - free_x509cert(cert); + + /* + * output certificate fetch from SCEP server + */ + if (filetype_out & CERT) + { + char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_sig); + cert_t cert; + time_t poll_start; + + x509cert_t *certs = NULL; + chunk_t envelopedData = chunk_empty; + chunk_t certData = chunk_empty; + contentInfo_t data = empty_contentInfo; + scep_attributes_t attrs = empty_scep_attributes; + + if (!load_cert(path, "signature cacert", &cert)) + exit_scepclient("could not load signature cacert file '%s'", path); + x509_ca_sig = cert.u.x509; + + if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION, + http_get_request, &scep_response)) + { + exit_scepclient("did not receive a valid scep response"); + } + ugh = scep_parse_response(scep_response, transID, &data, &attrs + , x509_ca_sig); + if (ugh != NULL) + { + exit_scepclient(ugh); + } + + /* in case of manual mode, we are going into a polling loop */ + if (attrs.pkiStatus == SCEP_PENDING) + { + plog(" scep request pending, polling every %d seconds" + , poll_interval); + time(&poll_start); + issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc" + , x509_ca_sig->subject + , subject); + } + while (attrs.pkiStatus == SCEP_PENDING) + { + if (max_poll_time > 0 + && (time(NULL) - poll_start >= max_poll_time)) + { + exit_scepclient("maximum poll time reached: %d seconds" + , max_poll_time); + } + DBG(DBG_CONTROL, + DBG_log("going to sleep for %d seconds", poll_interval) + ) + sleep(poll_interval); + free(scep_response.ptr); + + DBG(DBG_CONTROL, + DBG_log("fingerprint: %.*s", (int)fingerprint.len, fingerprint.ptr); + DBG_log("transaction ID: %.*s", (int)transID.len, transID.ptr) + ) + + chunk_free(&getCertInitial); + getCertInitial = scep_build_request(issuerAndSubject + , transID, SCEP_GetCertInitial_MSG + , x509_ca_enc, pkcs7_symmetric_cipher + , x509_signer, pkcs7_digest_alg, private_key); + + if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION, + http_get_request, &scep_response)) + { + exit_scepclient("did not receive a valid scep response"); + } + ugh = scep_parse_response(scep_response, transID, &data, &attrs + , x509_ca_sig); + if (ugh != NULL) + { + exit_scepclient(ugh); + } + } + + if (attrs.pkiStatus != SCEP_SUCCESS) + { + exit_scepclient("reply status is not 'SUCCESS'"); + } + + envelopedData = data.content; + + if (data.type != OID_PKCS7_DATA + || !asn1_parse_simple_object(&envelopedData, ASN1_OCTET_STRING, 0, "data")) + { + exit_scepclient("contentInfo is not of type 'data'"); + } + if (!pkcs7_parse_envelopedData(envelopedData, &certData + , serialNumber, private_key)) + { + exit_scepclient("could not decrypt envelopedData"); + } + if (!pkcs7_parse_signedData(certData, NULL, &certs, NULL, NULL)) + { + exit_scepclient("error parsing the scep response"); + } + chunk_free(&certData); + + /* store the end entity certificate */ + path = concatenate_paths(HOST_CERT_PATH, file_out_cert); + while (certs != NULL) + { + bool stored = FALSE; + x509cert_t *cert = certs; + + if (!cert->isCA) + { + if (stored) + exit_scepclient("multiple certs received, only first stored"); + if (!chunk_write(cert->certificate, path, "requested cert", 0022, force)) + exit_scepclient("could not write cert file '%s'", path); + stored = TRUE; + } + certs = certs->next; + free_x509cert(cert); + } + filetype_out &= ~CERT; /* delete CERT flag */ } - filetype_out &= ~CERT; /* delete CERT flag */ - } - exit_scepclient(NULL); - return -1; /* should never be reached */ + exit_scepclient(NULL); + return -1; /* should never be reached */ } |