Return to scepclient.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / scepclient |
1.1 ! misho 1: /* ! 2: * Copyright (C) 2012 Tobias Brunner ! 3: * Copyright (C) 2005 Jan Hutter, Martin Willi ! 4: * HSR Hochschule fuer Technik Rapperswil ! 5: * ! 6: * This program is free software; you can redistribute it and/or modify it ! 7: * under the terms of the GNU General Public License as published by the ! 8: * Free Software Foundation; either version 2 of the License, or (at your ! 9: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. ! 10: * ! 11: * This program is distributed in the hope that it will be useful, but ! 12: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ! 13: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ! 14: * for more details. ! 15: */ ! 16: ! 17: #include <stdarg.h> ! 18: #include <stdio.h> ! 19: #include <stdlib.h> ! 20: #include <string.h> ! 21: #include <getopt.h> ! 22: #include <ctype.h> ! 23: #include <unistd.h> ! 24: #include <time.h> ! 25: #include <limits.h> ! 26: #include <syslog.h> ! 27: #include <errno.h> ! 28: ! 29: #include <library.h> ! 30: #include <utils/debug.h> ! 31: #include <asn1/asn1.h> ! 32: #include <asn1/oid.h> ! 33: #include <utils/optionsfrom.h> ! 34: #include <collections/enumerator.h> ! 35: #include <collections/linked_list.h> ! 36: #include <crypto/hashers/hasher.h> ! 37: #include <crypto/crypters/crypter.h> ! 38: #include <crypto/proposal/proposal_keywords.h> ! 39: #include <credentials/keys/private_key.h> ! 40: #include <credentials/keys/public_key.h> ! 41: #include <credentials/certificates/certificate.h> ! 42: #include <credentials/certificates/x509.h> ! 43: #include <credentials/certificates/pkcs10.h> ! 44: #include <credentials/sets/mem_cred.h> ! 45: #include <plugins/plugin.h> ! 46: ! 47: #include "scep.h" ! 48: ! 49: /* ! 50: * definition of some defaults ! 51: */ ! 52: ! 53: /* some paths */ ! 54: #define REQ_PATH IPSEC_CONFDIR "/ipsec.d/reqs" ! 55: #define HOST_CERT_PATH IPSEC_CONFDIR "/ipsec.d/certs" ! 56: #define CA_CERT_PATH IPSEC_CONFDIR "/ipsec.d/cacerts" ! 57: #define PRIVATE_KEY_PATH IPSEC_CONFDIR "/ipsec.d/private" ! 58: ! 59: /* default name of DER-encoded PKCS#1 private key file */ ! 60: #define DEFAULT_FILENAME_PKCS1 "myKey.der" ! 61: ! 62: /* default name of DER-encoded PKCS#10 certificate request file */ ! 63: #define DEFAULT_FILENAME_PKCS10 "myReq.der" ! 64: ! 65: /* default name of DER-encoded PKCS#7 file */ ! 66: #define DEFAULT_FILENAME_PKCS7 "pkcs7.der" ! 67: ! 68: /* default name of DER-encoded self-signed X.509 certificate file */ ! 69: #define DEFAULT_FILENAME_CERT_SELF "selfCert.der" ! 70: ! 71: /* default name of DER-encoded X.509 certificate file */ ! 72: #define DEFAULT_FILENAME_CERT "myCert.der" ! 73: ! 74: /* default name of DER-encoded CA cert file used for key encipherment */ ! 75: #define DEFAULT_FILENAME_CACERT_ENC "caCert.der" ! 76: ! 77: /* default name of the der encoded CA cert file used for signature verification */ ! 78: #define DEFAULT_FILENAME_CACERT_SIG "caCert.der" ! 79: ! 80: /* default prefix of the der encoded CA certificates received from the SCEP server */ ! 81: #define DEFAULT_FILENAME_PREFIX_CACERT "caCert.der" ! 82: ! 83: /* default certificate validity */ ! 84: #define DEFAULT_CERT_VALIDITY 5 * 3600 * 24 * 365 /* seconds */ ! 85: ! 86: /* default polling time interval in SCEP manual mode */ ! 87: #define DEFAULT_POLL_INTERVAL 20 /* seconds */ ! 88: ! 89: /* default key length for self-generated RSA keys */ ! 90: #define DEFAULT_RSA_KEY_LENGTH 2048 /* bits */ ! 91: ! 92: /* default distinguished name */ ! 93: #define DEFAULT_DN "C=CH, O=Linux strongSwan, CN=" ! 94: ! 95: /* minimum RSA key size */ ! 96: #define RSA_MIN_OCTETS (512 / BITS_PER_BYTE) ! 97: ! 98: /* challenge password buffer size */ ! 99: #define MAX_PASSWORD_LENGTH 256 ! 100: ! 101: /* Max length of filename for tempfile */ ! 102: #define MAX_TEMP_FILENAME_LENGTH 256 ! 103: ! 104: ! 105: /* current scepclient version */ ! 106: static const char *scepclient_version = "1.0"; ! 107: ! 108: /* by default the CRL policy is lenient */ ! 109: bool strict_crl_policy = FALSE; ! 110: ! 111: /* by default pluto does not check crls dynamically */ ! 112: long crl_check_interval = 0; ! 113: ! 114: /* by default pluto logs out after every smartcard use */ ! 115: bool pkcs11_keep_state = FALSE; ! 116: ! 117: /* by default HTTP fetch timeout is 30s */ ! 118: static u_int http_timeout = 30; ! 119: ! 120: /* address to bind for HTTP fetches */ ! 121: static char* http_bind = NULL; ! 122: ! 123: /* options read by optionsfrom */ ! 124: options_t *options; ! 125: ! 126: /* ! 127: * Global variables ! 128: */ ! 129: chunk_t pkcs1; ! 130: chunk_t pkcs7; ! 131: chunk_t challengePassword; ! 132: chunk_t serialNumber; ! 133: chunk_t transID; ! 134: chunk_t fingerprint; ! 135: chunk_t encoding; ! 136: chunk_t pkcs10_encoding; ! 137: chunk_t issuerAndSubject; ! 138: chunk_t getCertInitial; ! 139: chunk_t scep_response; ! 140: ! 141: linked_list_t *subjectAltNames; ! 142: ! 143: identification_t *subject = NULL; ! 144: private_key_t *private_key = NULL; ! 145: public_key_t *public_key = NULL; ! 146: certificate_t *x509_signer = NULL; ! 147: certificate_t *x509_ca_enc = NULL; ! 148: certificate_t *x509_ca_sig = NULL; ! 149: certificate_t *pkcs10_req = NULL; ! 150: ! 151: mem_cred_t *creds = NULL; ! 152: ! 153: /* logging */ ! 154: static bool log_to_stderr = TRUE; ! 155: static bool log_to_syslog = TRUE; ! 156: static level_t default_loglevel = 1; ! 157: ! 158: /** ! 159: * logging function for scepclient ! 160: */ ! 161: static void scepclient_dbg(debug_t group, level_t level, char *fmt, ...) ! 162: { ! 163: char buffer[8192]; ! 164: char *current = buffer, *next; ! 165: va_list args; ! 166: ! 167: if (level <= default_loglevel) ! 168: { ! 169: if (log_to_stderr) ! 170: { ! 171: va_start(args, fmt); ! 172: vfprintf(stderr, fmt, args); ! 173: va_end(args); ! 174: fprintf(stderr, "\n"); ! 175: } ! 176: if (log_to_syslog) ! 177: { ! 178: /* write in memory buffer first */ ! 179: va_start(args, fmt); ! 180: vsnprintf(buffer, sizeof(buffer), fmt, args); ! 181: va_end(args); ! 182: ! 183: /* do a syslog with every line */ ! 184: while (current) ! 185: { ! 186: next = strchr(current, '\n'); ! 187: if (next) ! 188: { ! 189: *(next++) = '\0'; ! 190: } ! 191: syslog(LOG_INFO, "%s\n", current); ! 192: current = next; ! 193: } ! 194: } ! 195: } ! 196: } ! 197: ! 198: /** ! 199: * Initialize logging to stderr/syslog ! 200: */ ! 201: static void init_log(const char *program) ! 202: { ! 203: dbg = scepclient_dbg; ! 204: ! 205: if (log_to_stderr) ! 206: { ! 207: setbuf(stderr, NULL); ! 208: } ! 209: if (log_to_syslog) ! 210: { ! 211: openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV); ! 212: } ! 213: } ! 214: ! 215: /** ! 216: * join two paths if filename is not absolute ! 217: */ ! 218: static void join_paths(char *target, size_t target_size, char *parent, ! 219: char *filename) ! 220: { ! 221: if (*filename == '/' || *filename == '.') ! 222: { ! 223: snprintf(target, target_size, "%s", filename); ! 224: } ! 225: else ! 226: { ! 227: snprintf(target, target_size, "%s/%s", parent, filename); ! 228: } ! 229: } ! 230: ! 231: /** ! 232: * add a suffix to a given filename, properly handling extensions like '.der' ! 233: */ ! 234: static void add_path_suffix(char *target, size_t target_size, char *filename, ! 235: char *suffix_fmt, ...) ! 236: { ! 237: char suffix[PATH_MAX], *start, *dot; ! 238: va_list args; ! 239: ! 240: va_start(args, suffix_fmt); ! 241: vsnprintf(suffix, sizeof(suffix), suffix_fmt, args); ! 242: va_end(args); ! 243: ! 244: start = strrchr(filename, '/'); ! 245: start = start ?: filename; ! 246: dot = strrchr(start, '.'); ! 247: ! 248: if (!dot || dot == start || dot[1] == '\0') ! 249: { /* no extension add suffix at the end */ ! 250: snprintf(target, target_size, "%s%s", filename, suffix); ! 251: } ! 252: else ! 253: { /* add the suffix between the filename and the extension */ ! 254: snprintf(target, target_size, "%.*s%s%s", (int)(dot - filename), ! 255: filename, suffix, dot); ! 256: } ! 257: } ! 258: ! 259: /** ! 260: * @brief exit scepclient ! 261: * ! 262: * @param status 0 = OK, 1 = general discomfort ! 263: */ ! 264: static void exit_scepclient(err_t message, ...) ! 265: { ! 266: int status = 0; ! 267: ! 268: if (creds) ! 269: { ! 270: lib->credmgr->remove_set(lib->credmgr, &creds->set); ! 271: creds->destroy(creds); ! 272: } ! 273: ! 274: DESTROY_IF(subject); ! 275: DESTROY_IF(private_key); ! 276: DESTROY_IF(public_key); ! 277: DESTROY_IF(x509_signer); ! 278: DESTROY_IF(x509_ca_enc); ! 279: DESTROY_IF(x509_ca_sig); ! 280: DESTROY_IF(pkcs10_req); ! 281: subjectAltNames->destroy_offset(subjectAltNames, ! 282: offsetof(identification_t, destroy)); ! 283: free(pkcs1.ptr); ! 284: free(pkcs7.ptr); ! 285: free(serialNumber.ptr); ! 286: free(transID.ptr); ! 287: free(fingerprint.ptr); ! 288: free(encoding.ptr); ! 289: free(pkcs10_encoding.ptr); ! 290: free(issuerAndSubject.ptr); ! 291: free(getCertInitial.ptr); ! 292: free(scep_response.ptr); ! 293: options->destroy(options); ! 294: ! 295: /* print any error message to stderr */ ! 296: if (message != NULL && *message != '\0') ! 297: { ! 298: va_list args; ! 299: char m[8192]; ! 300: ! 301: va_start(args, message); ! 302: vsnprintf(m, sizeof(m), message, args); ! 303: va_end(args); ! 304: ! 305: fprintf(stderr, "error: %s\n", m); ! 306: status = -1; ! 307: } ! 308: library_deinit(); ! 309: exit(status); ! 310: } ! 311: ! 312: /** ! 313: * @brief prints the program version and exits ! 314: * ! 315: */ ! 316: static void version(void) ! 317: { ! 318: printf("scepclient %s\n", scepclient_version); ! 319: exit_scepclient(NULL); ! 320: } ! 321: ! 322: /** ! 323: * @brief prints the usage of the program to the stderr output ! 324: * ! 325: * If message is set, program is exited with 1 (error) ! 326: * @param message message in case of an error ! 327: */ ! 328: static void usage(const char *message) ! 329: { ! 330: fprintf(stderr, ! 331: "Usage: scepclient\n" ! 332: " --help (-h) show usage and exit\n" ! 333: " --version (-v) show version and exit\n" ! 334: " --quiet (-q) do not write log output to stderr\n" ! 335: " --in (-i) <type>[=<filename>] use <filename> of <type> for input\n" ! 336: " <type> = pkcs1 | pkcs10 | cert-self\n" ! 337: " cacert-enc | cacert-sig\n" ! 338: " - if no pkcs1 input is defined, an RSA\n" ! 339: " key will be generated\n" ! 340: " - if no pkcs10 input is defined, a\n" ! 341: " PKCS#10 request will be generated\n" ! 342: " - if no cert-self input is defined, a\n" ! 343: " self-signed certificate will be generated\n" ! 344: " - if no filename is given, default is used\n" ! 345: " --out (-o) <type>[=<filename>] write output of <type> to <filename>\n" ! 346: " multiple outputs are allowed\n" ! 347: " <type> = pkcs1 | pkcs10 | pkcs7 | cert-self |\n" ! 348: " cert | cacert\n" ! 349: " - type cacert defines filename prefix of\n" ! 350: " received CA certificate(s)\n" ! 351: " - if no filename is given, default is used\n" ! 352: " --optionsfrom (-+) <filename> reads additional options from given file\n" ! 353: " --force (-f) force existing file(s)\n" ! 354: " --httptimeout (-T) timeout for HTTP operations (default: 30s)\n" ! 355: " --bind (-b) source address to bind for HTTP operations\n" ! 356: "\n" ! 357: "Options for key generation (pkcs1):\n" ! 358: " --keylength (-k) <bits> key length for RSA key generation\n" ! 359: " (default: 2048 bits)\n" ! 360: "\n" ! 361: "Options for validity:\n" ! 362: " --days (-D) <days> validity in days\n" ! 363: " --startdate (-S) <YYMMDDHHMMSS>Z not valid before date\n" ! 364: " --enddate (-E) <YYMMDDHHMMSS>Z not valid after date\n" ! 365: "\n" ! 366: "Options for request generation (pkcs10):\n" ! 367: " --dn (-d) <dn> comma separated list of distinguished names\n" ! 368: " --subjectAltName (-s) <t>=<v> include subjectAltName in certificate request\n" ! 369: " <t> = email | dns | ip \n" ! 370: " --password (-p) <pw> challenge password\n" ! 371: " - use '%%prompt' as pw for a password prompt\n" ! 372: " --algorithm (-a) [<type>=]<algo> algorithm to be used for PKCS#7 encryption,\n" ! 373: " PKCS#7 digest or PKCS#10 signature\n" ! 374: " <type> = enc | dgst | sig\n" ! 375: " - if no type is given enc is assumed\n" ! 376: " <algo> = des (default) | 3des | aes128 |\n" ! 377: " aes192 | aes256 | camellia128 |\n" ! 378: " camellia192 | camellia256\n" ! 379: " <algo> = md5 (default) | sha1 | sha256 |\n" ! 380: " sha384 | sha512\n" ! 381: "\n" ! 382: "Options for CA certificate acquisition:\n" ! 383: " --caname (-c) <name> name of CA to fetch CA certificate(s)\n" ! 384: " (default: CAIdentifier)\n" ! 385: "Options for enrollment (cert):\n" ! 386: " --url (-u) <url> url of the SCEP server\n" ! 387: " --method (-m) post | get http request type\n" ! 388: " --interval (-t) <seconds> poll interval in seconds (default 20s)\n" ! 389: " --maxpolltime (-x) <seconds> max poll time in seconds when in manual mode\n" ! 390: " (default: unlimited)\n" ! 391: "\n" ! 392: "Debugging output:\n" ! 393: " --debug (-l) <level> changes the log level (-1..4, default: 1)\n" ! 394: ); ! 395: exit_scepclient(message); ! 396: } ! 397: ! 398: /** ! 399: * @brief main of scepclient ! 400: * ! 401: * @param argc number of arguments ! 402: * @param argv pointer to the argument values ! 403: */ ! 404: int main(int argc, char **argv) ! 405: { ! 406: /* external values */ ! 407: extern char * optarg; ! 408: extern int optind; ! 409: ! 410: /* type of input and output files */ ! 411: typedef enum { ! 412: PKCS1 = 0x01, ! 413: PKCS10 = 0x02, ! 414: PKCS7 = 0x04, ! 415: CERT_SELF = 0x08, ! 416: CERT = 0x10, ! 417: CACERT_ENC = 0x20, ! 418: CACERT_SIG = 0x40, ! 419: } scep_filetype_t; ! 420: ! 421: /* filetype to read from, defaults to "generate a key" */ ! 422: scep_filetype_t filetype_in = 0; ! 423: ! 424: /* filetype to write to, no default here */ ! 425: scep_filetype_t filetype_out = 0; ! 426: ! 427: /* input files */ ! 428: char *file_in_pkcs1 = DEFAULT_FILENAME_PKCS1; ! 429: char *file_in_pkcs10 = DEFAULT_FILENAME_PKCS10; ! 430: char *file_in_cert_self = DEFAULT_FILENAME_CERT_SELF; ! 431: char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC; ! 432: char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG; ! 433: ! 434: /* output files */ ! 435: char *file_out_pkcs1 = DEFAULT_FILENAME_PKCS1; ! 436: char *file_out_pkcs10 = DEFAULT_FILENAME_PKCS10; ! 437: char *file_out_pkcs7 = DEFAULT_FILENAME_PKCS7; ! 438: char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF; ! 439: char *file_out_cert = DEFAULT_FILENAME_CERT; ! 440: char *file_out_ca_cert = DEFAULT_FILENAME_CACERT_ENC; ! 441: ! 442: /* by default user certificate is requested */ ! 443: bool request_ca_certificate = FALSE; ! 444: ! 445: /* by default existing files are not overwritten */ ! 446: bool force = FALSE; ! 447: ! 448: /* length of RSA key in bits */ ! 449: u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH; ! 450: ! 451: /* validity of self-signed certificate */ ! 452: time_t validity = DEFAULT_CERT_VALIDITY; ! 453: time_t notBefore = 0; ! 454: time_t notAfter = 0; ! 455: ! 456: /* distinguished name for requested certificate, ASCII format */ ! 457: char *distinguishedName = NULL; ! 458: char default_distinguished_name[BUF_LEN]; ! 459: ! 460: /* challenge password */ ! 461: char challenge_password_buffer[MAX_PASSWORD_LENGTH]; ! 462: ! 463: /* symmetric encryption algorithm used by pkcs7, default is DES */ ! 464: encryption_algorithm_t pkcs7_symmetric_cipher = ENCR_DES; ! 465: size_t pkcs7_key_size = 0; ! 466: ! 467: /* digest algorithm used by pkcs7, default is MD5 */ ! 468: hash_algorithm_t pkcs7_digest_alg = HASH_MD5; ! 469: ! 470: /* signature algorithm used by pkcs10, default is MD5 */ ! 471: hash_algorithm_t pkcs10_signature_alg = HASH_MD5; ! 472: ! 473: /* URL of the SCEP-Server */ ! 474: char *scep_url = NULL; ! 475: ! 476: /* Name of CA to fetch CA certs for */ ! 477: char *ca_name = "CAIdentifier"; ! 478: ! 479: /* http request method, default is GET */ ! 480: bool http_get_request = TRUE; ! 481: ! 482: /* poll interval time in manual mode in seconds */ ! 483: u_int poll_interval = DEFAULT_POLL_INTERVAL; ! 484: ! 485: /* maximum poll time */ ! 486: u_int max_poll_time = 0; ! 487: ! 488: err_t ugh = NULL; ! 489: ! 490: /* initialize library */ ! 491: if (!library_init(NULL, "scepclient")) ! 492: { ! 493: library_deinit(); ! 494: exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); ! 495: } ! 496: if (lib->integrity && ! 497: !lib->integrity->check_file(lib->integrity, "scepclient", argv[0])) ! 498: { ! 499: fprintf(stderr, "integrity check of scepclient failed\n"); ! 500: library_deinit(); ! 501: exit(SS_RC_DAEMON_INTEGRITY); ! 502: } ! 503: ! 504: /* initialize global variables */ ! 505: pkcs1 = chunk_empty; ! 506: pkcs7 = chunk_empty; ! 507: serialNumber = chunk_empty; ! 508: transID = chunk_empty; ! 509: fingerprint = chunk_empty; ! 510: encoding = chunk_empty; ! 511: pkcs10_encoding = chunk_empty; ! 512: issuerAndSubject = chunk_empty; ! 513: challengePassword = chunk_empty; ! 514: getCertInitial = chunk_empty; ! 515: scep_response = chunk_empty; ! 516: subjectAltNames = linked_list_create(); ! 517: options = options_create(); ! 518: ! 519: for (;;) ! 520: { ! 521: static const struct option long_opts[] = { ! 522: /* name, has_arg, flag, val */ ! 523: { "help", no_argument, NULL, 'h' }, ! 524: { "version", no_argument, NULL, 'v' }, ! 525: { "optionsfrom", required_argument, NULL, '+' }, ! 526: { "quiet", no_argument, NULL, 'q' }, ! 527: { "debug", required_argument, NULL, 'l' }, ! 528: { "in", required_argument, NULL, 'i' }, ! 529: { "out", required_argument, NULL, 'o' }, ! 530: { "force", no_argument, NULL, 'f' }, ! 531: { "httptimeout", required_argument, NULL, 'T' }, ! 532: { "bind", required_argument, NULL, 'b' }, ! 533: { "keylength", required_argument, NULL, 'k' }, ! 534: { "dn", required_argument, NULL, 'd' }, ! 535: { "days", required_argument, NULL, 'D' }, ! 536: { "startdate", required_argument, NULL, 'S' }, ! 537: { "enddate", required_argument, NULL, 'E' }, ! 538: { "subjectAltName", required_argument, NULL, 's' }, ! 539: { "password", required_argument, NULL, 'p' }, ! 540: { "algorithm", required_argument, NULL, 'a' }, ! 541: { "url", required_argument, NULL, 'u' }, ! 542: { "caname", required_argument, NULL, 'c'}, ! 543: { "method", required_argument, NULL, 'm' }, ! 544: { "interval", required_argument, NULL, 't' }, ! 545: { "maxpolltime", required_argument, NULL, 'x' }, ! 546: { 0,0,0,0 } ! 547: }; ! 548: ! 549: /* parse next option */ ! 550: int c = getopt_long(argc, argv, "hv+:ql:i:o:fT:k:d:s:p:a:u:c:m:t:x:APRCMS", long_opts, NULL); ! 551: ! 552: switch (c) ! 553: { ! 554: case EOF: /* end of flags */ ! 555: break; ! 556: ! 557: case 'h': /* --help */ ! 558: usage(NULL); ! 559: ! 560: case 'v': /* --version */ ! 561: version(); ! 562: ! 563: case 'q': /* --quiet */ ! 564: log_to_stderr = FALSE; ! 565: continue; ! 566: ! 567: case 'l': /* --debug <level> */ ! 568: default_loglevel = atoi(optarg); ! 569: continue; ! 570: ! 571: case 'i': /* --in <type> [= <filename>] */ ! 572: { ! 573: char *filename = strstr(optarg, "="); ! 574: ! 575: if (filename) ! 576: { ! 577: /* replace '=' by '\0' */ ! 578: *filename = '\0'; ! 579: /* set pointer to start of filename */ ! 580: filename++; ! 581: } ! 582: if (strcaseeq("pkcs1", optarg)) ! 583: { ! 584: filetype_in |= PKCS1; ! 585: if (filename) ! 586: file_in_pkcs1 = filename; ! 587: } ! 588: else if (strcaseeq("pkcs10", optarg)) ! 589: { ! 590: filetype_in |= PKCS10; ! 591: if (filename) ! 592: file_in_pkcs10 = filename; ! 593: } ! 594: else if (strcaseeq("cacert-enc", optarg)) ! 595: { ! 596: filetype_in |= CACERT_ENC; ! 597: if (filename) ! 598: file_in_cacert_enc = filename; ! 599: } ! 600: else if (strcaseeq("cacert-sig", optarg)) ! 601: { ! 602: filetype_in |= CACERT_SIG; ! 603: if (filename) ! 604: file_in_cacert_sig = filename; ! 605: } ! 606: else if (strcaseeq("cert-self", optarg)) ! 607: { ! 608: filetype_in |= CERT_SELF; ! 609: if (filename) ! 610: file_in_cert_self = filename; ! 611: } ! 612: else ! 613: { ! 614: usage("invalid --in file type"); ! 615: } ! 616: continue; ! 617: } ! 618: ! 619: case 'o': /* --out <type> [= <filename>] */ ! 620: { ! 621: char *filename = strstr(optarg, "="); ! 622: ! 623: if (filename) ! 624: { ! 625: /* replace '=' by '\0' */ ! 626: *filename = '\0'; ! 627: /* set pointer to start of filename */ ! 628: filename++; ! 629: } ! 630: if (strcaseeq("pkcs1", optarg)) ! 631: { ! 632: filetype_out |= PKCS1; ! 633: if (filename) ! 634: file_out_pkcs1 = filename; ! 635: } ! 636: else if (strcaseeq("pkcs10", optarg)) ! 637: { ! 638: filetype_out |= PKCS10; ! 639: if (filename) ! 640: file_out_pkcs10 = filename; ! 641: } ! 642: else if (strcaseeq("pkcs7", optarg)) ! 643: { ! 644: filetype_out |= PKCS7; ! 645: if (filename) ! 646: file_out_pkcs7 = filename; ! 647: } ! 648: else if (strcaseeq("cert-self", optarg)) ! 649: { ! 650: filetype_out |= CERT_SELF; ! 651: if (filename) ! 652: file_out_cert_self = filename; ! 653: } ! 654: else if (strcaseeq("cert", optarg)) ! 655: { ! 656: filetype_out |= CERT; ! 657: if (filename) ! 658: file_out_cert = filename; ! 659: } ! 660: else if (strcaseeq("cacert", optarg)) ! 661: { ! 662: request_ca_certificate = TRUE; ! 663: if (filename) ! 664: file_out_ca_cert = filename; ! 665: } ! 666: else ! 667: { ! 668: usage("invalid --out file type"); ! 669: } ! 670: continue; ! 671: } ! 672: ! 673: case 'f': /* --force */ ! 674: force = TRUE; ! 675: continue; ! 676: ! 677: case 'T': /* --httptimeout */ ! 678: http_timeout = atoi(optarg); ! 679: if (http_timeout <= 0) ! 680: { ! 681: usage("invalid httptimeout specified"); ! 682: } ! 683: continue; ! 684: ! 685: case 'b': /* --bind */ ! 686: http_bind = optarg; ! 687: continue; ! 688: ! 689: case '+': /* --optionsfrom <filename> */ ! 690: if (!options->from(options, optarg, &argc, &argv, optind)) ! 691: { ! 692: exit_scepclient("optionsfrom failed"); ! 693: } ! 694: continue; ! 695: ! 696: case 'k': /* --keylength <length> */ ! 697: { ! 698: div_t q; ! 699: ! 700: rsa_keylength = atoi(optarg); ! 701: if (rsa_keylength == 0) ! 702: usage("invalid keylength"); ! 703: ! 704: /* check if key length is a multiple of 8 bits */ ! 705: q = div(rsa_keylength, 2*BITS_PER_BYTE); ! 706: if (q.rem != 0) ! 707: { ! 708: exit_scepclient("keylength is not a multiple of %d bits!" ! 709: , 2*BITS_PER_BYTE); ! 710: } ! 711: continue; ! 712: } ! 713: ! 714: case 'D': /* --days */ ! 715: if (optarg == NULL || !isdigit(optarg[0])) ! 716: { ! 717: usage("missing number of days"); ! 718: } ! 719: else ! 720: { ! 721: char *endptr; ! 722: long days = strtol(optarg, &endptr, 0); ! 723: ! 724: if (*endptr != '\0' || endptr == optarg ! 725: || days <= 0) ! 726: usage("<days> must be a positive number"); ! 727: validity = 24*3600*days; ! 728: } ! 729: continue; ! 730: ! 731: case 'S': /* --startdate */ ! 732: if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z') ! 733: { ! 734: usage("date format must be YYMMDDHHMMSSZ"); ! 735: } ! 736: else ! 737: { ! 738: chunk_t date = { optarg, 13 }; ! 739: notBefore = asn1_to_time(&date, ASN1_UTCTIME); ! 740: } ! 741: continue; ! 742: ! 743: case 'E': /* --enddate */ ! 744: if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z') ! 745: { ! 746: usage("date format must be YYMMDDHHMMSSZ"); ! 747: } ! 748: else ! 749: { ! 750: chunk_t date = { optarg, 13 }; ! 751: notAfter = asn1_to_time(&date, ASN1_UTCTIME); ! 752: } ! 753: continue; ! 754: ! 755: case 'd': /* --dn */ ! 756: if (distinguishedName) ! 757: { ! 758: usage("only one distinguished name allowed"); ! 759: } ! 760: distinguishedName = optarg; ! 761: continue; ! 762: ! 763: case 's': /* --subjectAltName */ ! 764: { ! 765: char *value = strstr(optarg, "="); ! 766: ! 767: if (value) ! 768: { ! 769: /* replace '=' by '\0' */ ! 770: *value = '\0'; ! 771: /* set pointer to start of value */ ! 772: value++; ! 773: } ! 774: ! 775: if (strcaseeq("email", optarg) || ! 776: strcaseeq("dns", optarg) || ! 777: strcaseeq("ip", optarg)) ! 778: { ! 779: subjectAltNames->insert_last(subjectAltNames, ! 780: identification_create_from_string(value)); ! 781: continue; ! 782: } ! 783: else ! 784: { ! 785: usage("invalid --subjectAltName type"); ! 786: continue; ! 787: } ! 788: } ! 789: ! 790: case 'p': /* --password */ ! 791: if (challengePassword.len > 0) ! 792: { ! 793: usage("only one challenge password allowed"); ! 794: } ! 795: if (strcaseeq("%prompt", optarg)) ! 796: { ! 797: printf("Challenge password: "); ! 798: if (fgets(challenge_password_buffer, ! 799: sizeof(challenge_password_buffer) - 1, stdin)) ! 800: { ! 801: challengePassword.ptr = challenge_password_buffer; ! 802: /* discard the terminating '\n' from the input */ ! 803: challengePassword.len = strlen(challenge_password_buffer) - 1; ! 804: } ! 805: else ! 806: { ! 807: usage("challenge password could not be read"); ! 808: } ! 809: } ! 810: else ! 811: { ! 812: challengePassword.ptr = optarg; ! 813: challengePassword.len = strlen(optarg); ! 814: } ! 815: continue; ! 816: ! 817: case 'u': /* -- url */ ! 818: if (scep_url) ! 819: { ! 820: usage("only one URL argument allowed"); ! 821: } ! 822: scep_url = optarg; ! 823: continue; ! 824: ! 825: case 'c': /* -- caname */ ! 826: ca_name = optarg; ! 827: continue; ! 828: ! 829: case 'm': /* --method */ ! 830: if (strcaseeq("get", optarg)) ! 831: { ! 832: http_get_request = TRUE; ! 833: } ! 834: else if (strcaseeq("post", optarg)) ! 835: { ! 836: http_get_request = FALSE; ! 837: } ! 838: else ! 839: { ! 840: usage("invalid http request method specified"); ! 841: } ! 842: continue; ! 843: ! 844: case 't': /* --interval */ ! 845: poll_interval = atoi(optarg); ! 846: if (poll_interval <= 0) ! 847: { ! 848: usage("invalid interval specified"); ! 849: } ! 850: continue; ! 851: ! 852: case 'x': /* --maxpolltime */ ! 853: max_poll_time = atoi(optarg); ! 854: continue; ! 855: ! 856: case 'a': /*--algorithm [<type>=]algo */ ! 857: { ! 858: const proposal_token_t *token; ! 859: char *type = optarg; ! 860: char *algo = strstr(optarg, "="); ! 861: ! 862: if (algo) ! 863: { ! 864: *algo = '\0'; ! 865: algo++; ! 866: } ! 867: else ! 868: { ! 869: type = "enc"; ! 870: algo = optarg; ! 871: } ! 872: ! 873: if (strcaseeq("enc", type)) ! 874: { ! 875: token = lib->proposal->get_token(lib->proposal, algo); ! 876: if (token == NULL || token->type != ENCRYPTION_ALGORITHM) ! 877: { ! 878: usage("invalid algorithm specified"); ! 879: } ! 880: pkcs7_symmetric_cipher = token->algorithm; ! 881: pkcs7_key_size = token->keysize; ! 882: if (encryption_algorithm_to_oid(token->algorithm, ! 883: token->keysize) == OID_UNKNOWN) ! 884: { ! 885: usage("unsupported encryption algorithm specified"); ! 886: } ! 887: } ! 888: else if (strcaseeq("dgst", type) || ! 889: strcaseeq("sig", type)) ! 890: { ! 891: hash_algorithm_t hash; ! 892: ! 893: token = lib->proposal->get_token(lib->proposal, algo); ! 894: if (token == NULL || token->type != INTEGRITY_ALGORITHM) ! 895: { ! 896: usage("invalid algorithm specified"); ! 897: } ! 898: hash = hasher_algorithm_from_integrity(token->algorithm, ! 899: NULL); ! 900: if (hash == (hash_algorithm_t)OID_UNKNOWN) ! 901: { ! 902: usage("invalid algorithm specified"); ! 903: } ! 904: if (strcaseeq("dgst", type)) ! 905: { ! 906: pkcs7_digest_alg = hash; ! 907: } ! 908: else ! 909: { ! 910: pkcs10_signature_alg = hash; ! 911: } ! 912: } ! 913: else ! 914: { ! 915: usage("invalid --algorithm type"); ! 916: } ! 917: continue; ! 918: } ! 919: default: ! 920: usage("unknown option"); ! 921: } ! 922: /* break from loop */ ! 923: break; ! 924: } ! 925: ! 926: init_log("scepclient"); ! 927: ! 928: /* load plugins, further infrastructure may need it */ ! 929: if (!lib->plugins->load(lib->plugins, ! 930: lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS))) ! 931: { ! 932: exit_scepclient("plugin loading failed"); ! 933: } ! 934: lib->plugins->status(lib->plugins, LEVEL_DIAG); ! 935: ! 936: if ((filetype_out == 0) && (!request_ca_certificate)) ! 937: { ! 938: usage("--out filetype required"); ! 939: } ! 940: if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0)) ! 941: { ! 942: usage("in CA certificate request, no other --in or --out option allowed"); ! 943: } ! 944: ! 945: /* check if url is given, if cert output defined */ ! 946: if (((filetype_out & CERT) || request_ca_certificate) && !scep_url) ! 947: { ! 948: usage("URL of SCEP server required"); ! 949: } ! 950: ! 951: /* check for sanity of --in/--out */ ! 952: if (!filetype_in && (filetype_in > filetype_out)) ! 953: { ! 954: usage("cannot generate --out of given --in!"); ! 955: } ! 956: ! 957: /* get CA cert */ ! 958: if (request_ca_certificate) ! 959: { ! 960: char ca_path[PATH_MAX]; ! 961: container_t *container; ! 962: pkcs7_t *p7; ! 963: ! 964: if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)), ! 965: SCEP_GET_CA_CERT, http_get_request, ! 966: http_timeout, http_bind, &scep_response)) ! 967: { ! 968: exit_scepclient("did not receive a valid scep response"); ! 969: } ! 970: ! 971: join_paths(ca_path, sizeof(ca_path), CA_CERT_PATH, file_out_ca_cert); ! 972: ! 973: p7 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7, ! 974: BUILD_BLOB_ASN1_DER, scep_response, BUILD_END); ! 975: ! 976: if (!p7) ! 977: { /* no PKCS#7 encoded CA+RA certificates, assume simple CA cert */ ! 978: ! 979: DBG1(DBG_APP, "unable to parse PKCS#7, assuming plain CA cert"); ! 980: if (!chunk_write(scep_response, ca_path, 0022, force)) ! 981: { ! 982: exit_scepclient("could not write ca cert file '%s': %s", ! 983: ca_path, strerror(errno)); ! 984: } ! 985: } ! 986: else ! 987: { ! 988: enumerator_t *enumerator; ! 989: certificate_t *cert; ! 990: int ra_certs = 0, ca_certs = 0; ! 991: int ra_index = 1, ca_index = 1; ! 992: ! 993: enumerator = p7->create_cert_enumerator(p7); ! 994: while (enumerator->enumerate(enumerator, &cert)) ! 995: { ! 996: x509_t *x509 = (x509_t*)cert; ! 997: if (x509->get_flags(x509) & X509_CA) ! 998: { ! 999: ca_certs++; ! 1000: } ! 1001: else ! 1002: { ! 1003: ra_certs++; ! 1004: } ! 1005: } ! 1006: enumerator->destroy(enumerator); ! 1007: ! 1008: enumerator = p7->create_cert_enumerator(p7); ! 1009: while (enumerator->enumerate(enumerator, &cert)) ! 1010: { ! 1011: x509_t *x509 = (x509_t*)cert; ! 1012: bool ca_cert = x509->get_flags(x509) & X509_CA; ! 1013: char cert_path[PATH_MAX], *path = ca_path; ! 1014: ! 1015: if (ca_cert && ca_certs > 1) ! 1016: { ! 1017: add_path_suffix(cert_path, sizeof(cert_path), ca_path, ! 1018: "-%.1d", ca_index++); ! 1019: path = cert_path; ! 1020: } ! 1021: else if (!ca_cert) ! 1022: { /* use CA name as base for RA certs */ ! 1023: if (ra_certs > 1) ! 1024: { ! 1025: add_path_suffix(cert_path, sizeof(cert_path), ca_path, ! 1026: "-ra-%.1d", ra_index++); ! 1027: } ! 1028: else ! 1029: { ! 1030: add_path_suffix(cert_path, sizeof(cert_path), ca_path, ! 1031: "-ra"); ! 1032: } ! 1033: path = cert_path; ! 1034: } ! 1035: ! 1036: if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) || ! 1037: !chunk_write(encoding, path, 0022, force)) ! 1038: { ! 1039: exit_scepclient("could not write cert file '%s': %s", ! 1040: path, strerror(errno)); ! 1041: } ! 1042: chunk_free(&encoding); ! 1043: } ! 1044: enumerator->destroy(enumerator); ! 1045: container = &p7->container; ! 1046: container->destroy(container); ! 1047: } ! 1048: exit_scepclient(NULL); /* no further output required */ ! 1049: } ! 1050: ! 1051: creds = mem_cred_create(); ! 1052: lib->credmgr->add_set(lib->credmgr, &creds->set); ! 1053: ! 1054: /* ! 1055: * input of PKCS#1 file ! 1056: */ ! 1057: if (filetype_in & PKCS1) /* load an RSA key pair from file */ ! 1058: { ! 1059: char path[PATH_MAX]; ! 1060: ! 1061: join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_in_pkcs1); ! 1062: ! 1063: private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, ! 1064: BUILD_FROM_FILE, path, BUILD_END); ! 1065: } ! 1066: else /* generate an RSA key pair */ ! 1067: { ! 1068: private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, ! 1069: BUILD_KEY_SIZE, rsa_keylength, ! 1070: BUILD_END); ! 1071: } ! 1072: if (private_key == NULL) ! 1073: { ! 1074: exit_scepclient("no RSA private key available"); ! 1075: } ! 1076: creds->add_key(creds, private_key->get_ref(private_key)); ! 1077: public_key = private_key->get_public_key(private_key); ! 1078: ! 1079: /* check for minimum key length */ ! 1080: if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS / BITS_PER_BYTE) ! 1081: { ! 1082: exit_scepclient("length of RSA key has to be at least %d bits", ! 1083: RSA_MIN_OCTETS * BITS_PER_BYTE); ! 1084: } ! 1085: ! 1086: /* ! 1087: * input of PKCS#10 file ! 1088: */ ! 1089: if (filetype_in & PKCS10) ! 1090: { ! 1091: char path[PATH_MAX]; ! 1092: ! 1093: join_paths(path, sizeof(path), REQ_PATH, file_in_pkcs10); ! 1094: ! 1095: pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE, ! 1096: CERT_PKCS10_REQUEST, BUILD_FROM_FILE, ! 1097: path, BUILD_END); ! 1098: if (!pkcs10_req) ! 1099: { ! 1100: exit_scepclient("could not read certificate request '%s'", path); ! 1101: } ! 1102: subject = pkcs10_req->get_subject(pkcs10_req); ! 1103: subject = subject->clone(subject); ! 1104: } ! 1105: else ! 1106: { ! 1107: if (distinguishedName == NULL) ! 1108: { ! 1109: int n = sprintf(default_distinguished_name, DEFAULT_DN); ! 1110: ! 1111: /* set the common name to the hostname */ ! 1112: if (gethostname(default_distinguished_name + n, BUF_LEN - n) || ! 1113: strlen(default_distinguished_name) == n) ! 1114: { ! 1115: exit_scepclient("no hostname defined, use " ! 1116: "--dn <distinguished name> option"); ! 1117: } ! 1118: distinguishedName = default_distinguished_name; ! 1119: } ! 1120: ! 1121: DBG2(DBG_APP, "dn: '%s'", distinguishedName); ! 1122: subject = identification_create_from_string(distinguishedName); ! 1123: if (subject->get_type(subject) != ID_DER_ASN1_DN) ! 1124: { ! 1125: exit_scepclient("parsing of distinguished name failed"); ! 1126: } ! 1127: ! 1128: DBG2(DBG_APP, "building pkcs10 object:"); ! 1129: pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE, ! 1130: CERT_PKCS10_REQUEST, ! 1131: BUILD_SIGNING_KEY, private_key, ! 1132: BUILD_SUBJECT, subject, ! 1133: BUILD_SUBJECT_ALTNAMES, subjectAltNames, ! 1134: BUILD_CHALLENGE_PWD, challengePassword, ! 1135: BUILD_DIGEST_ALG, pkcs10_signature_alg, ! 1136: BUILD_END); ! 1137: if (!pkcs10_req) ! 1138: { ! 1139: exit_scepclient("generating pkcs10 request failed"); ! 1140: } ! 1141: } ! 1142: pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding); ! 1143: fingerprint = scep_generate_pkcs10_fingerprint(pkcs10_encoding); ! 1144: DBG1(DBG_APP, " fingerprint: %s", fingerprint.ptr); ! 1145: ! 1146: /* ! 1147: * output of PKCS#10 file ! 1148: */ ! 1149: if (filetype_out & PKCS10) ! 1150: { ! 1151: char path[PATH_MAX]; ! 1152: ! 1153: join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs10); ! 1154: ! 1155: if (!chunk_write(pkcs10_encoding, path, 0022, force)) ! 1156: { ! 1157: exit_scepclient("could not write pkcs10 file '%s': %s", ! 1158: path, strerror(errno)); ! 1159: } ! 1160: filetype_out &= ~PKCS10; /* delete PKCS10 flag */ ! 1161: } ! 1162: ! 1163: if (!filetype_out) ! 1164: { ! 1165: exit_scepclient(NULL); /* no further output required */ ! 1166: } ! 1167: ! 1168: /* ! 1169: * output of PKCS#1 file ! 1170: */ ! 1171: if (filetype_out & PKCS1) ! 1172: { ! 1173: char path[PATH_MAX]; ! 1174: ! 1175: join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_out_pkcs1); ! 1176: ! 1177: DBG2(DBG_APP, "building pkcs1 object:"); ! 1178: if (!private_key->get_encoding(private_key, PRIVKEY_ASN1_DER, &pkcs1) || ! 1179: !chunk_write(pkcs1, path, 0066, force)) ! 1180: { ! 1181: exit_scepclient("could not write pkcs1 file '%s': %s", ! 1182: path, strerror(errno)); ! 1183: } ! 1184: filetype_out &= ~PKCS1; /* delete PKCS1 flag */ ! 1185: } ! 1186: ! 1187: if (!filetype_out) ! 1188: { ! 1189: exit_scepclient(NULL); /* no further output required */ ! 1190: } ! 1191: ! 1192: scep_generate_transaction_id(public_key, &transID, &serialNumber); ! 1193: DBG1(DBG_APP, " transaction ID: %.*s", (int)transID.len, transID.ptr); ! 1194: ! 1195: /* ! 1196: * read or generate self-signed X.509 certificate ! 1197: */ ! 1198: if (filetype_in & CERT_SELF) ! 1199: { ! 1200: char path[PATH_MAX]; ! 1201: ! 1202: join_paths(path, sizeof(path), HOST_CERT_PATH, file_in_cert_self); ! 1203: ! 1204: x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, ! 1205: BUILD_FROM_FILE, path, BUILD_END); ! 1206: if (!x509_signer) ! 1207: { ! 1208: exit_scepclient("could not read certificate file '%s'", path); ! 1209: } ! 1210: } ! 1211: else ! 1212: { ! 1213: notBefore = notBefore ? notBefore : time(NULL); ! 1214: notAfter = notAfter ? notAfter : (notBefore + validity); ! 1215: x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, ! 1216: BUILD_SIGNING_KEY, private_key, ! 1217: BUILD_PUBLIC_KEY, public_key, ! 1218: BUILD_SUBJECT, subject, ! 1219: BUILD_NOT_BEFORE_TIME, notBefore, ! 1220: BUILD_NOT_AFTER_TIME, notAfter, ! 1221: BUILD_SERIAL, serialNumber, ! 1222: BUILD_SUBJECT_ALTNAMES, subjectAltNames, ! 1223: BUILD_END); ! 1224: if (!x509_signer) ! 1225: { ! 1226: exit_scepclient("generating certificate failed"); ! 1227: } ! 1228: } ! 1229: creds->add_cert(creds, TRUE, x509_signer->get_ref(x509_signer)); ! 1230: ! 1231: /* ! 1232: * output of self-signed X.509 certificate file ! 1233: */ ! 1234: if (filetype_out & CERT_SELF) ! 1235: { ! 1236: char path[PATH_MAX]; ! 1237: ! 1238: join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert_self); ! 1239: ! 1240: if (!x509_signer->get_encoding(x509_signer, CERT_ASN1_DER, &encoding)) ! 1241: { ! 1242: exit_scepclient("encoding certificate failed"); ! 1243: } ! 1244: if (!chunk_write(encoding, path, 0022, force)) ! 1245: { ! 1246: exit_scepclient("could not write self-signed cert file '%s': %s", ! 1247: path, strerror(errno)); ! 1248: } ! 1249: chunk_free(&encoding); ! 1250: filetype_out &= ~CERT_SELF; /* delete CERT_SELF flag */ ! 1251: } ! 1252: ! 1253: if (!filetype_out) ! 1254: { ! 1255: exit_scepclient(NULL); /* no further output required */ ! 1256: } ! 1257: ! 1258: /* ! 1259: * load ca encryption certificate ! 1260: */ ! 1261: { ! 1262: char path[PATH_MAX]; ! 1263: ! 1264: join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_enc); ! 1265: ! 1266: x509_ca_enc = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, ! 1267: BUILD_FROM_FILE, path, BUILD_END); ! 1268: if (!x509_ca_enc) ! 1269: { ! 1270: exit_scepclient("could not load encryption cacert file '%s'", path); ! 1271: } ! 1272: } ! 1273: ! 1274: /* ! 1275: * input of PKCS#7 file ! 1276: */ ! 1277: if (filetype_in & PKCS7) ! 1278: { ! 1279: /* user wants to load a pkcs7 encrypted request ! 1280: * operation is not yet supported! ! 1281: * would require additional parsing of transaction-id ! 1282: ! 1283: pkcs7 = pkcs7_read_from_file(file_in_pkcs7); ! 1284: ! 1285: */ ! 1286: } ! 1287: else ! 1288: { ! 1289: DBG2(DBG_APP, "building pkcs7 request"); ! 1290: pkcs7 = scep_build_request(pkcs10_encoding, ! 1291: transID, SCEP_PKCSReq_MSG, x509_ca_enc, ! 1292: pkcs7_symmetric_cipher, pkcs7_key_size, ! 1293: x509_signer, pkcs7_digest_alg, private_key); ! 1294: if (!pkcs7.ptr) ! 1295: { ! 1296: exit_scepclient("failed to build pkcs7 request"); ! 1297: } ! 1298: } ! 1299: ! 1300: /* ! 1301: * output pkcs7 encrypted and signed certificate request ! 1302: */ ! 1303: if (filetype_out & PKCS7) ! 1304: { ! 1305: char path[PATH_MAX]; ! 1306: ! 1307: join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs7); ! 1308: ! 1309: if (!chunk_write(pkcs7, path, 0022, force)) ! 1310: { ! 1311: exit_scepclient("could not write pkcs7 file '%s': %s", ! 1312: path, strerror(errno)); ! 1313: } ! 1314: filetype_out &= ~PKCS7; /* delete PKCS7 flag */ ! 1315: } ! 1316: ! 1317: if (!filetype_out) ! 1318: { ! 1319: exit_scepclient(NULL); /* no further output required */ ! 1320: } ! 1321: ! 1322: /* ! 1323: * output certificate fetch from SCEP server ! 1324: */ ! 1325: if (filetype_out & CERT) ! 1326: { ! 1327: bool stored = FALSE; ! 1328: certificate_t *cert; ! 1329: enumerator_t *enumerator; ! 1330: char path[PATH_MAX]; ! 1331: time_t poll_start = 0; ! 1332: pkcs7_t *p7; ! 1333: container_t *container = NULL; ! 1334: chunk_t chunk; ! 1335: scep_attributes_t attrs = empty_scep_attributes; ! 1336: ! 1337: join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_sig); ! 1338: ! 1339: x509_ca_sig = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, ! 1340: BUILD_FROM_FILE, path, BUILD_END); ! 1341: if (!x509_ca_sig) ! 1342: { ! 1343: exit_scepclient("could not load signature cacert file '%s'", path); ! 1344: } ! 1345: ! 1346: creds->add_cert(creds, TRUE, x509_ca_sig->get_ref(x509_ca_sig)); ! 1347: ! 1348: if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION, ! 1349: http_get_request, http_timeout, http_bind, &scep_response)) ! 1350: { ! 1351: exit_scepclient("did not receive a valid scep response"); ! 1352: } ! 1353: ugh = scep_parse_response(scep_response, transID, &container, &attrs); ! 1354: if (ugh != NULL) ! 1355: { ! 1356: exit_scepclient(ugh); ! 1357: } ! 1358: ! 1359: /* in case of manual mode, we are going into a polling loop */ ! 1360: if (attrs.pkiStatus == SCEP_PENDING) ! 1361: { ! 1362: identification_t *issuer = x509_ca_sig->get_subject(x509_ca_sig); ! 1363: ! 1364: DBG1(DBG_APP, " scep request pending, polling every %d seconds", ! 1365: poll_interval); ! 1366: poll_start = time_monotonic(NULL); ! 1367: issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc", ! 1368: issuer->get_encoding(issuer), ! 1369: subject->get_encoding(subject)); ! 1370: } ! 1371: while (attrs.pkiStatus == SCEP_PENDING) ! 1372: { ! 1373: if (max_poll_time > 0 && ! 1374: (time_monotonic(NULL) - poll_start >= max_poll_time)) ! 1375: { ! 1376: exit_scepclient("maximum poll time reached: %d seconds" ! 1377: , max_poll_time); ! 1378: } ! 1379: DBG2(DBG_APP, "going to sleep for %d seconds", poll_interval); ! 1380: sleep(poll_interval); ! 1381: free(scep_response.ptr); ! 1382: container->destroy(container); ! 1383: ! 1384: DBG2(DBG_APP, "fingerprint: %.*s", ! 1385: (int)fingerprint.len, fingerprint.ptr); ! 1386: DBG2(DBG_APP, "transaction ID: %.*s", ! 1387: (int)transID.len, transID.ptr); ! 1388: ! 1389: chunk_free(&getCertInitial); ! 1390: getCertInitial = scep_build_request(issuerAndSubject, ! 1391: transID, SCEP_GetCertInitial_MSG, x509_ca_enc, ! 1392: pkcs7_symmetric_cipher, pkcs7_key_size, ! 1393: x509_signer, pkcs7_digest_alg, private_key); ! 1394: if (!getCertInitial.ptr) ! 1395: { ! 1396: exit_scepclient("failed to build scep request"); ! 1397: } ! 1398: if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION, ! 1399: http_get_request, http_timeout, http_bind, &scep_response)) ! 1400: { ! 1401: exit_scepclient("did not receive a valid scep response"); ! 1402: } ! 1403: ugh = scep_parse_response(scep_response, transID, &container, &attrs); ! 1404: if (ugh != NULL) ! 1405: { ! 1406: exit_scepclient(ugh); ! 1407: } ! 1408: } ! 1409: ! 1410: if (attrs.pkiStatus != SCEP_SUCCESS) ! 1411: { ! 1412: container->destroy(container); ! 1413: exit_scepclient("reply status is not 'SUCCESS'"); ! 1414: } ! 1415: ! 1416: if (!container->get_data(container, &chunk)) ! 1417: { ! 1418: container->destroy(container); ! 1419: exit_scepclient("extracting signed-data failed"); ! 1420: } ! 1421: container->destroy(container); ! 1422: ! 1423: /* decrypt enveloped-data container */ ! 1424: container = lib->creds->create(lib->creds, ! 1425: CRED_CONTAINER, CONTAINER_PKCS7, ! 1426: BUILD_BLOB_ASN1_DER, chunk, ! 1427: BUILD_END); ! 1428: free(chunk.ptr); ! 1429: if (!container) ! 1430: { ! 1431: exit_scepclient("could not decrypt envelopedData"); ! 1432: } ! 1433: ! 1434: if (!container->get_data(container, &chunk)) ! 1435: { ! 1436: container->destroy(container); ! 1437: exit_scepclient("extracting encrypted-data failed"); ! 1438: } ! 1439: container->destroy(container); ! 1440: ! 1441: /* parse signed-data container */ ! 1442: container = lib->creds->create(lib->creds, ! 1443: CRED_CONTAINER, CONTAINER_PKCS7, ! 1444: BUILD_BLOB_ASN1_DER, chunk, ! 1445: BUILD_END); ! 1446: free(chunk.ptr); ! 1447: if (!container) ! 1448: { ! 1449: exit_scepclient("could not parse singed-data"); ! 1450: } ! 1451: /* no need to verify the signed-data container, the signature does NOT ! 1452: * cover the contained certificates */ ! 1453: ! 1454: /* store the end entity certificate */ ! 1455: join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert); ! 1456: ! 1457: p7 = (pkcs7_t*)container; ! 1458: enumerator = p7->create_cert_enumerator(p7); ! 1459: while (enumerator->enumerate(enumerator, &cert)) ! 1460: { ! 1461: x509_t *x509 = (x509_t*)cert; ! 1462: ! 1463: if (!(x509->get_flags(x509) & X509_CA)) ! 1464: { ! 1465: if (stored) ! 1466: { ! 1467: exit_scepclient("multiple certs received, only first stored"); ! 1468: } ! 1469: if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) || ! 1470: !chunk_write(encoding, path, 0022, force)) ! 1471: { ! 1472: exit_scepclient("could not write cert file '%s': %s", ! 1473: path, strerror(errno)); ! 1474: } ! 1475: chunk_free(&encoding); ! 1476: stored = TRUE; ! 1477: } ! 1478: } ! 1479: enumerator->destroy(enumerator); ! 1480: container->destroy(container); ! 1481: chunk_free(&attrs.transID); ! 1482: chunk_free(&attrs.senderNonce); ! 1483: chunk_free(&attrs.recipientNonce); ! 1484: ! 1485: filetype_out &= ~CERT; /* delete CERT flag */ ! 1486: } ! 1487: ! 1488: exit_scepclient(NULL); ! 1489: return -1; /* should never be reached */ ! 1490: }