aboutsummaryrefslogtreecommitdiffstats
path: root/src/scepclient
diff options
context:
space:
mode:
authorAndreas Steffen <andreas.steffen@strongswan.org>2009-04-19 19:16:09 +0000
committerAndreas Steffen <andreas.steffen@strongswan.org>2009-04-19 19:16:09 +0000
commit3d7a244b5470e104539580c7bc489d7b581430eb (patch)
treedb1d6a47dc7d040610f94351af857ef83f05ed39 /src/scepclient
parentd940c7638cb964aaa66bdf96af803c678c5522c3 (diff)
downloadstrongswan-3d7a244b5470e104539580c7bc489d7b581430eb.tar.bz2
strongswan-3d7a244b5470e104539580c7bc489d7b581430eb.tar.xz
conversion from 8 spaces to 4 spaces per tab
Diffstat (limited to 'src/scepclient')
-rw-r--r--src/scepclient/loglite.c292
-rw-r--r--src/scepclient/pkcs10.c216
-rw-r--r--src/scepclient/pkcs10.h18
-rw-r--r--src/scepclient/rsakey.c482
-rw-r--r--src/scepclient/rsakey.h2
-rw-r--r--src/scepclient/scep.c758
-rw-r--r--src/scepclient/scep.h34
-rw-r--r--src/scepclient/scepclient.c1806
8 files changed, 1804 insertions, 1804 deletions
diff --git a/src/scepclient/loglite.c b/src/scepclient/loglite.c
index 4219eb707..029b6dfcd 100644
--- a/src/scepclient/loglite.c
+++ b/src/scepclient/loglite.c
@@ -23,7 +23,7 @@
#include <errno.h>
#include <string.h>
#include <unistd.h>
-#include <signal.h> /* used only if MSG_NOSIGNAL not defined */
+#include <signal.h> /* used only if MSG_NOSIGNAL not defined */
#include <libgen.h>
#include <sys/stat.h>
#include <sys/types.h>
@@ -36,118 +36,118 @@
#include <whack.h>
bool
- log_to_stderr = FALSE, /* should log go to stderr? */
- log_to_syslog = TRUE; /* should log go to syslog? */
+ log_to_stderr = FALSE, /* should log go to stderr? */
+ log_to_syslog = TRUE; /* should log go to syslog? */
void
init_log(const char *program)
{
- if (log_to_stderr)
- setbuf(stderr, NULL);
- if (log_to_syslog)
- openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
+ if (log_to_stderr)
+ setbuf(stderr, NULL);
+ if (log_to_syslog)
+ openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
}
void
close_log(void)
{
- if (log_to_syslog)
- closelog();
+ if (log_to_syslog)
+ closelog();
}
void
plog(const char *message, ...)
{
- va_list args;
- char m[LOG_WIDTH]; /* longer messages will be truncated */
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
- va_start(args, message);
- vsnprintf(m, sizeof(m), message, args);
- va_end(args);
+ va_start(args, message);
+ vsnprintf(m, sizeof(m), message, args);
+ va_end(args);
- if (log_to_stderr)
- fprintf(stderr, "%s\n", m);
- if (log_to_syslog)
- syslog(LOG_WARNING, "%s", m);
+ if (log_to_stderr)
+ fprintf(stderr, "%s\n", m);
+ if (log_to_syslog)
+ syslog(LOG_WARNING, "%s", m);
}
void
loglog(int mess_no, const char *message, ...)
{
- va_list args;
- char m[LOG_WIDTH]; /* longer messages will be truncated */
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
- va_start(args, message);
- vsnprintf(m, sizeof(m), message, args);
- va_end(args);
+ va_start(args, message);
+ vsnprintf(m, sizeof(m), message, args);
+ va_end(args);
- if (log_to_stderr)
- fprintf(stderr, "%s\n", m);
- if (log_to_syslog)
- syslog(LOG_WARNING, "%s", m);
+ if (log_to_stderr)
+ fprintf(stderr, "%s\n", m);
+ if (log_to_syslog)
+ syslog(LOG_WARNING, "%s", m);
}
void
log_errno_routine(int e, const char *message, ...)
{
- va_list args;
- char m[LOG_WIDTH]; /* longer messages will be truncated */
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
- va_start(args, message);
- vsnprintf(m, sizeof(m), message, args);
- va_end(args);
+ va_start(args, message);
+ vsnprintf(m, sizeof(m), message, args);
+ va_end(args);
- if (log_to_stderr)
- fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
- if (log_to_syslog)
- syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e));
+ if (log_to_stderr)
+ fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
+ if (log_to_syslog)
+ syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e));
}
void
exit_log(const char *message, ...)
{
- va_list args;
- char m[LOG_WIDTH]; /* longer messages will be truncated */
-
- va_start(args, message);
- vsnprintf(m, sizeof(m), message, args);
- va_end(args);
-
- if (log_to_stderr)
- fprintf(stderr, "FATAL ERROR: %s\n", m);
- if (log_to_syslog)
- syslog(LOG_ERR, "FATAL ERROR: %s", m);
- exit(1);
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
+
+ va_start(args, message);
+ vsnprintf(m, sizeof(m), message, args);
+ va_end(args);
+
+ if (log_to_stderr)
+ fprintf(stderr, "FATAL ERROR: %s\n", m);
+ if (log_to_syslog)
+ syslog(LOG_ERR, "FATAL ERROR: %s", m);
+ exit(1);
}
void
exit_log_errno_routine(int e, const char *message, ...)
{
- va_list args;
- char m[LOG_WIDTH]; /* longer messages will be truncated */
-
- va_start(args, message);
- vsnprintf(m, sizeof(m), message, args);
- va_end(args);
-
- if (log_to_stderr)
- fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
- if (log_to_syslog)
- syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e));
- exit(1);
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
+
+ va_start(args, message);
+ vsnprintf(m, sizeof(m), message, args);
+ va_end(args);
+
+ if (log_to_stderr)
+ fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
+ if (log_to_syslog)
+ syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e));
+ exit(1);
}
void
whack_log(int mess_no, const char *message, ...)
{
- va_list args;
- char m[LOG_WIDTH]; /* longer messages will be truncated */
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
- va_start(args, message);
- vsnprintf(m, sizeof(m), message, args);
- va_end(args);
+ va_start(args, message);
+ vsnprintf(m, sizeof(m), message, args);
+ va_end(args);
- fprintf(stderr, "%s\n", m);
+ fprintf(stderr, "%s\n", m);
}
/* Build up a diagnostic in a static buffer.
@@ -165,16 +165,16 @@ char diag_space[sizeof(diag_space)];
err_t
builddiag(const char *fmt, ...)
{
- static char diag_space[LOG_WIDTH]; /* longer messages will be truncated */
- char t[sizeof(diag_space)]; /* build result here first */
- va_list args;
-
- va_start(args, fmt);
- t[0] = '\0'; /* in case nothing terminates string */
- vsnprintf(t, sizeof(t), fmt, args);
- va_end(args);
- strcpy(diag_space, t);
- return diag_space;
+ static char diag_space[LOG_WIDTH]; /* longer messages will be truncated */
+ char t[sizeof(diag_space)]; /* build result here first */
+ va_list args;
+
+ va_start(args, fmt);
+ t[0] = '\0'; /* in case nothing terminates string */
+ vsnprintf(t, sizeof(t), fmt, args);
+ va_end(args);
+ strcpy(diag_space, t);
+ return diag_space;
}
/* Debugging message support */
@@ -184,29 +184,29 @@ builddiag(const char *fmt, ...)
void
switch_fail(int n, const char *file_str, unsigned long line_no)
{
- char buf[30];
+ char buf[30];
- snprintf(buf, sizeof(buf), "case %d unexpected", n);
- passert_fail(buf, file_str, line_no);
+ snprintf(buf, sizeof(buf), "case %d unexpected", n);
+ passert_fail(buf, file_str, line_no);
}
void
passert_fail(const char *pred_str, const char *file_str, unsigned long line_no)
{
- /* we will get a possibly unplanned prefix. Hope it works */
- loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
- abort(); /* exiting correctly doesn't always work */
+ /* we will get a possibly unplanned prefix. Hope it works */
+ loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
+ abort(); /* exiting correctly doesn't always work */
}
lset_t
- base_debugging = DBG_NONE, /* default to reporting nothing */
- cur_debugging = DBG_NONE;
+ base_debugging = DBG_NONE, /* default to reporting nothing */
+ cur_debugging = DBG_NONE;
void
pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no)
{
- /* we will get a possibly unplanned prefix. Hope it works */
- loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
+ /* we will get a possibly unplanned prefix. Hope it works */
+ loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
}
/* log a debugging message (prefixed by "| ") */
@@ -214,17 +214,17 @@ pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no)
void
DBG_log(const char *message, ...)
{
- va_list args;
- char m[LOG_WIDTH]; /* longer messages will be truncated */
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
- va_start(args, message);
- vsnprintf(m, sizeof(m), message, args);
- va_end(args);
+ va_start(args, message);
+ vsnprintf(m, sizeof(m), message, args);
+ va_end(args);
- if (log_to_stderr)
- fprintf(stderr, "| %s\n", m);
- if (log_to_syslog)
- syslog(LOG_DEBUG, "| %s", m);
+ if (log_to_stderr)
+ fprintf(stderr, "| %s\n", m);
+ if (log_to_syslog)
+ syslog(LOG_DEBUG, "| %s", m);
}
/* dump raw bytes in hex to stderr (for lack of any better destination) */
@@ -232,62 +232,62 @@ DBG_log(const char *message, ...)
void
DBG_dump(const char *label, const void *p, size_t len)
{
-# define DUMP_LABEL_WIDTH 20 /* arbitrary modest boundary */
-# define DUMP_WIDTH (4 * (1 + 4 * 3) + 1)
- char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH];
- char *bp;
- const unsigned char *cp = p;
-
- bp = buf;
+# define DUMP_LABEL_WIDTH 20 /* arbitrary modest boundary */
+# define DUMP_WIDTH (4 * (1 + 4 * 3) + 1)
+ char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH];
+ char *bp;
+ const unsigned char *cp = p;
- if (label != NULL && label[0] != '\0')
- {
- /* Handle the label. Care must be taken to avoid buffer overrun. */
- size_t llen = strlen(label);
+ bp = buf;
- if (llen + 1 > sizeof(buf))
- {
- DBG_log("%s", label);
- }
- else
+ if (label != NULL && label[0] != '\0')
{
- strcpy(buf, label);
- if (buf[llen-1] == '\n')
- {
- buf[llen-1] = '\0'; /* get rid of newline */
- DBG_log("%s", buf);
- }
- else if (llen < DUMP_LABEL_WIDTH)
- {
- bp = buf + llen;
- }
- else
- {
- DBG_log("%s", buf);
- }
+ /* Handle the label. Care must be taken to avoid buffer overrun. */
+ size_t llen = strlen(label);
+
+ if (llen + 1 > sizeof(buf))
+ {
+ DBG_log("%s", label);
+ }
+ else
+ {
+ strcpy(buf, label);
+ if (buf[llen-1] == '\n')
+ {
+ buf[llen-1] = '\0'; /* get rid of newline */
+ DBG_log("%s", buf);
+ }
+ else if (llen < DUMP_LABEL_WIDTH)
+ {
+ bp = buf + llen;
+ }
+ else
+ {
+ DBG_log("%s", buf);
+ }
+ }
}
- }
- do {
- int i, j;
-
- for (i = 0; len!=0 && i!=4; i++)
- {
- *bp++ = ' ';
- for (j = 0; len!=0 && j!=4; len--, j++)
- {
- static const char hexdig[] = "0123456789abcdef";
-
- *bp++ = ' ';
- *bp++ = hexdig[(*cp >> 4) & 0xF];
- *bp++ = hexdig[*cp & 0xF];
- cp++;
- }
- }
- *bp = '\0';
- DBG_log("%s", buf);
- bp = buf;
- } while (len != 0);
+ do {
+ int i, j;
+
+ for (i = 0; len!=0 && i!=4; i++)
+ {
+ *bp++ = ' ';
+ for (j = 0; len!=0 && j!=4; len--, j++)
+ {
+ static const char hexdig[] = "0123456789abcdef";
+
+ *bp++ = ' ';
+ *bp++ = hexdig[(*cp >> 4) & 0xF];
+ *bp++ = hexdig[*cp & 0xF];
+ cp++;
+ }
+ }
+ *bp = '\0';
+ DBG_log("%s", buf);
+ bp = buf;
+ } while (len != 0);
# undef DUMP_LABEL_WIDTH
# undef DUMP_WIDTH
}
diff --git a/src/scepclient/pkcs10.c b/src/scepclient/pkcs10.c
index f7c4cca36..d6b53d8d0 100644
--- a/src/scepclient/pkcs10.c
+++ b/src/scepclient/pkcs10.c
@@ -40,13 +40,13 @@
/* some pre-coded OIDs */
static u_char ASN1_challengePassword_oid_str[] = {
- 0x06,0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x07
+ 0x06,0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x07
};
static const chunk_t ASN1_challengePassword_oid = chunk_from_buf(ASN1_challengePassword_oid_str);
static u_char ASN1_extensionRequest_oid_str[] = {
- 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x0E
+ 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x0E
};
static const chunk_t ASN1_extensionRequest_oid = chunk_from_buf(ASN1_extensionRequest_oid_str);
@@ -54,52 +54,52 @@ static const chunk_t ASN1_extensionRequest_oid = chunk_from_buf(ASN1_extensionRe
/**
* @brief Adds a subjectAltName in DER-coded form to a linked list
*
- * @param[in,out] subjectAltNames head of the linked list of subjectAltNames
- * @param[in] kind type of the subjectAltName (which is a generalName)
- * @param[in] value value of the subjectAltName as an ASCII string
+ * @param[in,out] subjectAltNames head of the linked list of subjectAltNames
+ * @param[in] kind type of the subjectAltName (which is a generalName)
+ * @param[in] value value of the subjectAltName as an ASCII string
*/
void
pkcs10_add_subjectAltName(generalName_t **subjectAltNames, generalNames_t kind
, char *value)
{
- generalName_t *gn;
- asn1_t asn1_type = ASN1_EOC;
- chunk_t name = { value, strlen(value) };
-
- switch (kind)
- {
- case GN_RFC822_NAME:
- asn1_type = ASN1_CONTEXT_S_1;
- break;
- case GN_DNS_NAME:
- asn1_type = ASN1_CONTEXT_S_2;
- break;
- case GN_IP_ADDRESS:
+ generalName_t *gn;
+ asn1_t asn1_type = ASN1_EOC;
+ chunk_t name = { value, strlen(value) };
+
+ switch (kind)
{
- struct in_addr addr;
-
- /* convert an ASCII dotted IPv4 address (e.g. 123.456.78.90)
- * to a byte representation in network order
- */
- if (!inet_aton(value, &addr))
- {
- fprintf(stderr, "error in IPv4 subjectAltName\n");
- return;
- }
- asn1_type = ASN1_CONTEXT_S_7;
- name.ptr = (u_char *) &addr.s_addr;
- name.len = sizeof(addr.s_addr);
- break;
- }
- default:
- break;
- }
-
- gn = malloc_thing(generalName_t);
- gn->kind = kind;
- gn->name = asn1_simple_object(asn1_type, name);
- gn->next = *subjectAltNames;
- *subjectAltNames = gn;
+ case GN_RFC822_NAME:
+ asn1_type = ASN1_CONTEXT_S_1;
+ break;
+ case GN_DNS_NAME:
+ asn1_type = ASN1_CONTEXT_S_2;
+ break;
+ case GN_IP_ADDRESS:
+ {
+ struct in_addr addr;
+
+ /* convert an ASCII dotted IPv4 address (e.g. 123.456.78.90)
+ * to a byte representation in network order
+ */
+ if (!inet_aton(value, &addr))
+ {
+ fprintf(stderr, "error in IPv4 subjectAltName\n");
+ return;
+ }
+ asn1_type = ASN1_CONTEXT_S_7;
+ name.ptr = (u_char *) &addr.s_addr;
+ name.len = sizeof(addr.s_addr);
+ break;
+ }
+ default:
+ break;
+ }
+
+ gn = malloc_thing(generalName_t);
+ gn->kind = kind;
+ gn->name = asn1_simple_object(asn1_type, name);
+ gn->next = *subjectAltNames;
+ *subjectAltNames = gn;
}
/**
@@ -108,71 +108,71 @@ pkcs10_add_subjectAltName(generalName_t **subjectAltNames, generalNames_t kind
* challenge password ans subjectAltNames are only included,
* when avaiable in given #pkcs10_t structure
*
- * @param[in] pkcs10 Pointer to a #pkcs10_t structure
- * @return 1 if succeeded, 0 otherwise
+ * @param[in] pkcs10 Pointer to a #pkcs10_t structure
+ * @return 1 if succeeded, 0 otherwise
*/
static chunk_t
build_req_info_attributes(pkcs10_t* pkcs10)
{
- chunk_t subjectAltNames = chunk_empty;
- chunk_t challengePassword = chunk_empty;
-
- if (pkcs10->subjectAltNames != NULL)
- {
-
- subjectAltNames = asn1_wrap(ASN1_SEQUENCE, "cm"
- , ASN1_extensionRequest_oid
- , asn1_wrap(ASN1_SET, "m"
- , asn1_wrap(ASN1_SEQUENCE, "m"
- , build_subjectAltNames(pkcs10->subjectAltNames)
- )
- )
- );
- }
-
- if (pkcs10->challengePassword.len > 0)
- {
- asn1_t type = is_printablestring(pkcs10->challengePassword)
- ? ASN1_PRINTABLESTRING : ASN1_T61STRING;
-
- challengePassword = asn1_wrap(ASN1_SEQUENCE, "cm"
- , ASN1_challengePassword_oid
- , asn1_wrap(ASN1_SET, "m"
- , asn1_simple_object(type, pkcs10->challengePassword)
- )
- );
- }
-
- return asn1_wrap(ASN1_CONTEXT_C_0, "mm"
- , subjectAltNames
- , challengePassword);
+ chunk_t subjectAltNames = chunk_empty;
+ chunk_t challengePassword = chunk_empty;
+
+ if (pkcs10->subjectAltNames != NULL)
+ {
+
+ subjectAltNames = asn1_wrap(ASN1_SEQUENCE, "cm"
+ , ASN1_extensionRequest_oid
+ , asn1_wrap(ASN1_SET, "m"
+ , asn1_wrap(ASN1_SEQUENCE, "m"
+ , build_subjectAltNames(pkcs10->subjectAltNames)
+ )
+ )
+ );
+ }
+
+ if (pkcs10->challengePassword.len > 0)
+ {
+ asn1_t type = is_printablestring(pkcs10->challengePassword)
+ ? ASN1_PRINTABLESTRING : ASN1_T61STRING;
+
+ challengePassword = asn1_wrap(ASN1_SEQUENCE, "cm"
+ , ASN1_challengePassword_oid
+ , asn1_wrap(ASN1_SET, "m"
+ , asn1_simple_object(type, pkcs10->challengePassword)
+ )
+ );
+ }
+
+ return asn1_wrap(ASN1_CONTEXT_C_0, "mm"
+ , subjectAltNames
+ , challengePassword);
}
/**
* @brief Builds a DER-code pkcs#10 certificate request
*
- * @param[in] pkcs10 pointer to a pkcs10_t struct
- * @return DER-code pkcs10 request
+ * @param[in] pkcs10 pointer to a pkcs10_t struct
+ * @return DER-code pkcs10 request
*/
static chunk_t
pkcs10_build_request(pkcs10_t *pkcs10, int signature_alg)
{
- RSA_public_key_t *rsak = (RSA_public_key_t *) pkcs10->private_key;
+ RSA_public_key_t *rsak = (RSA_public_key_t *) pkcs10->private_key;
- chunk_t cert_req_info = asn1_wrap(ASN1_SEQUENCE, "ccmm"
- , ASN1_INTEGER_0
- , pkcs10->subject
- , pkcs1_build_publicKeyInfo(rsak)
- , build_req_info_attributes(pkcs10));
+ chunk_t cert_req_info = asn1_wrap(ASN1_SEQUENCE, "ccmm"
+ , ASN1_INTEGER_0
+ , pkcs10->subject
+ , pkcs1_build_publicKeyInfo(rsak)
+ , build_req_info_attributes(pkcs10));
- chunk_t signature = pkcs1_build_signature(cert_req_info
- , signature_alg, pkcs10->private_key, TRUE);
+ chunk_t signature = pkcs1_build_signature(cert_req_info
+ , signature_alg, pkcs10->private_key, TRUE);
- return asn1_wrap(ASN1_SEQUENCE, "mcm"
- , cert_req_info
- , asn1_algorithmIdentifier(signature_alg)
- , signature);
+ return asn1_wrap(ASN1_SEQUENCE, "mcm"
+ , cert_req_info
+ , asn1_algorithmIdentifier(signature_alg)
+ , signature);
}
/**
@@ -183,38 +183,38 @@ pkcs10_build_request(pkcs10_t *pkcs10, int signature_alg)
* (e.g. commonName, organization) are needed. An optional challenge
* password or some subjectAltNames may be included.
*
- * @param[in] key rsakey of type #rsakey_t
- * @param[in] subject DER-coded subject distinguished name
- * @param[in] challengePassword challenge password or chunk_empty
- * @param[in] subjectAltNames linked list of subjectAltNames or NULL
- * @return pointer to a #pkcs10_t object
+ * @param[in] key rsakey of type #rsakey_t
+ * @param[in] subject DER-coded subject distinguished name
+ * @param[in] challengePassword challenge password or chunk_empty
+ * @param[in] subjectAltNames linked list of subjectAltNames or NULL
+ * @return pointer to a #pkcs10_t object
*/
pkcs10_t*
pkcs10_build(RSA_private_key_t *key, chunk_t subject, chunk_t challengePassword
, generalName_t *subjectAltNames, int signature_alg)
{
- pkcs10_t *pkcs10 = malloc_thing(pkcs10_t);
+ pkcs10_t *pkcs10 = malloc_thing(pkcs10_t);
- pkcs10->subject = subject;
- pkcs10->private_key = key;
- pkcs10->challengePassword = challengePassword;
- pkcs10->subjectAltNames = subjectAltNames;
+ pkcs10->subject = subject;
+ pkcs10->private_key = key;
+ pkcs10->challengePassword = challengePassword;
+ pkcs10->subjectAltNames = subjectAltNames;
- pkcs10->request = pkcs10_build_request(pkcs10, signature_alg);
- return pkcs10;
+ pkcs10->request = pkcs10_build_request(pkcs10, signature_alg);
+ return pkcs10;
}
/**
* @brief Frees the resources used by an #pkcs10_t object
*
- * @param[in] pkcs10 #pkcs10_t to free
+ * @param[in] pkcs10 #pkcs10_t to free
*/
void
pkcs10_free(pkcs10_t *pkcs10)
{
- if (pkcs10 != NULL)
- {
- free(pkcs10->request.ptr);
- free(pkcs10);
- }
+ if (pkcs10 != NULL)
+ {
+ free(pkcs10->request.ptr);
+ free(pkcs10);
+ }
}
diff --git a/src/scepclient/pkcs10.h b/src/scepclient/pkcs10.h
index c2a4c1b92..a48dd7c2e 100644
--- a/src/scepclient/pkcs10.h
+++ b/src/scepclient/pkcs10.h
@@ -4,7 +4,7 @@
*
* Contains functions to build DER encoded pkcs#10 certificate requests
*/
-
+
/*
* Copyright (C) 2005 Jan Hutter, Martin Willi
* Hochschule fuer Technik Rapperswil
@@ -38,20 +38,20 @@ typedef struct pkcs10_struct pkcs10_t;
* The RSA private key is needed to compute the signature of the given request
*/
struct pkcs10_struct {
- RSA_private_key_t *private_key;
- chunk_t request;
- chunk_t subject;
- chunk_t challengePassword;
- generalName_t *subjectAltNames;
+ RSA_private_key_t *private_key;
+ chunk_t request;
+ chunk_t subject;
+ chunk_t challengePassword;
+ generalName_t *subjectAltNames;
};
extern const pkcs10_t empty_pkcs10;
extern void pkcs10_add_subjectAltName(generalName_t **subjectAltNames
- , generalNames_t kind, char *value);
+ , generalNames_t kind, char *value);
extern pkcs10_t* pkcs10_build(RSA_private_key_t *key, chunk_t subject
- , chunk_t challengePassword, generalName_t *subjectAltNames
- , int signature_alg);
+ , chunk_t challengePassword, generalName_t *subjectAltNames
+ , int signature_alg);
extern void pkcs10_free(pkcs10_t *pkcs10);
#endif /* _PKCS10_H */
diff --git a/src/scepclient/rsakey.c b/src/scepclient/rsakey.c
index dff405f59..87ec37cb2 100644
--- a/src/scepclient/rsakey.c
+++ b/src/scepclient/rsakey.c
@@ -20,7 +20,7 @@
*
* $Id: rsakey.c,v 1.5 2006/01/04 21:16:30 as Exp $
*/
-
+
#include <stdlib.h>
#include <sys/types.h>
@@ -42,62 +42,62 @@
#include "rsakey.h"
/* Number of times the probabilistic primality test is applied */
-#define PRIMECHECK_ROUNDS 30
+#define PRIMECHECK_ROUNDS 30
/* Public exponent used for signature key generation */
-#define PUBLIC_EXPONENT 0x10001
+#define PUBLIC_EXPONENT 0x10001
#ifndef DEV_RANDOM
-#define DEV_RANDOM "/dev/random"
+#define DEV_RANDOM "/dev/random"
#endif
/**
* @brief Reads a specific number of bytes from a given device/file
*
- * @param[in] nbytes number of bytes to read from random device
- * @param[out] buf pointer to buffer where to write the data in.
- * size of buffer has to be at least nbytes.
- * @return TRUE, if succeeded, FALSE otherwise
+ * @param[in] nbytes number of bytes to read from random device
+ * @param[out] buf pointer to buffer where to write the data in.
+ * size of buffer has to be at least nbytes.
+ * @return TRUE, if succeeded, FALSE otherwise
*/
static bool
get_true_random_bytes(size_t nbytes, char *buf)
{
- size_t ndone;
- size_t got;
- char *device = DEV_RANDOM;
-
- int dev = open(DEV_RANDOM, 0);
-
- if (dev < 0)
- {
- fprintf(stderr, "could not open random device %s", device);
- return FALSE;
- }
-
- DBG(DBG_CONTROL,
- DBG_log("getting %d bytes from %s...", (int) nbytes, device)
- )
-
- ndone = 0;
- while (ndone < nbytes)
- {
- got = read(dev, buf + ndone, nbytes - ndone);
- if (got < 0)
+ size_t ndone;
+ size_t got;
+ char *device = DEV_RANDOM;
+
+ int dev = open(DEV_RANDOM, 0);
+
+ if (dev < 0)
{
- fprintf(stderr, "read error on %s", device);
- return FALSE;
+ fprintf(stderr, "could not open random device %s", device);
+ return FALSE;
}
- if (got == 0)
+
+ DBG(DBG_CONTROL,
+ DBG_log("getting %d bytes from %s...", (int) nbytes, device)
+ )
+
+ ndone = 0;
+ while (ndone < nbytes)
{
- fprintf(stderr, "eof on %s", device);
- return FALSE;
+ got = read(dev, buf + ndone, nbytes - ndone);
+ if (got < 0)
+ {
+ fprintf(stderr, "read error on %s", device);
+ return FALSE;
+ }
+ if (got == 0)
+ {
+ fprintf(stderr, "eof on %s", device);
+ return FALSE;
+ }
+ ndone += got;
}
- ndone += got;
- }
- close(dev);
- return TRUE;
+ close(dev);
+ return TRUE;
}
/**
@@ -109,25 +109,25 @@ get_true_random_bytes(size_t nbytes, char *buf)
* Note that highmost and lowmost bits are forced on -- highmost to give a
* number of exactly the specified length, lowmost so it is an odd number.
*
- * @param[out] var uninitialized mpz_t to store th random number in
- * @param[in] nbits length of var in bits (known to be a multiple of BITS_PER_BYTE)
- * @return TRUE on success, FALSE otherwise
+ * @param[out] var uninitialized mpz_t to store th random number in
+ * @param[in] nbits length of var in bits (known to be a multiple of BITS_PER_BYTE)
+ * @return TRUE on success, FALSE otherwise
*/
static bool
init_random(mpz_t var, int nbits)
{
- size_t nbytes = (size_t)(nbits/BITS_PER_BYTE);
- char random_buf[RSA_MAX_OCTETS/2];
-
- assert(nbytes <= sizeof(random_buf));
-
- if (!get_true_random_bytes(nbytes, random_buf))
- return FALSE;
-
- random_buf[0] |= 01 << (BITS_PER_BYTE-1); /* force high bit on */
- random_buf[nbytes-1] |= 01; /* force low bit on */
- n_to_mpz(var, random_buf, nbytes);
- return TRUE;
+ size_t nbytes = (size_t)(nbits/BITS_PER_BYTE);
+ char random_buf[RSA_MAX_OCTETS/2];
+
+ assert(nbytes <= sizeof(random_buf));
+
+ if (!get_true_random_bytes(nbytes, random_buf))
+ return FALSE;
+
+ random_buf[0] |= 01 << (BITS_PER_BYTE-1); /* force high bit on */
+ random_buf[nbytes-1] |= 01; /* force low bit on */
+ n_to_mpz(var, random_buf, nbytes);
+ return TRUE;
}
/**
@@ -136,54 +136,54 @@ init_random(mpz_t var, int nbits)
* Efficiency tweak: we reject candidates that are 1 higher than a multiple
* of e, since they will make the internal modulus not relatively prime to e.
*
- * @param[out] var mpz_t variable to initialize
- * @param[in] nbits length of given prime in bits (known to be a multiple of BITS_PER_BYTE)
- * @param[in] eval E-Value, 0 means don't bother w. tweak
- * @return 1 on success, 0 otherwise
+ * @param[out] var mpz_t variable to initialize
+ * @param[in] nbits length of given prime in bits (known to be a multiple of BITS_PER_BYTE)
+ * @param[in] eval E-Value, 0 means don't bother w. tweak
+ * @return 1 on success, 0 otherwise
*/
static bool
init_prime(mpz_t var, int nbits, int eval)
{
- unsigned long tries;
- size_t len;
-
- /* get a random value of nbits length */
- if (!init_random(var, nbits))
- return FALSE;
-
- /* check if odd number */
- assert(mpz_fdiv_ui(var, 2) == 1);
- DBG(DBG_CONTROLMORE,
- DBG_log("looking for a prime starting there (can take a while)...")
- )
-
- tries = 1;
- while (mpz_fdiv_ui(var, eval) == 1
- || !mpz_probab_prime_p(var, PRIMECHECK_ROUNDS))
- {
- /* not a prime, increase by 2 */
- mpz_add_ui(var, var, 2);
- tries++;
- }
-
- len = mpz_sizeinbase(var, 2);
-
- /* check bit length of primee */
- assert(len == (size_t)nbits || len == (size_t)(nbits+1));
-
- if (len == (size_t)(nbits+1))
- {
+ unsigned long tries;
+ size_t len;
+
+ /* get a random value of nbits length */
+ if (!init_random(var, nbits))
+ return FALSE;
+
+ /* check if odd number */
+ assert(mpz_fdiv_ui(var, 2) == 1);
DBG(DBG_CONTROLMORE,
- DBG_log("carry out occurred (!), retrying...")
+ DBG_log("looking for a prime starting there (can take a while)...")
)
- mpz_clear(var);
- /* recursive call */
- return init_prime(var, nbits, eval);
- }
- DBG(DBG_CONTROLMORE,
- DBG_log("found it after %lu tries.",tries)
- )
- return TRUE;
+
+ tries = 1;
+ while (mpz_fdiv_ui(var, eval) == 1
+ || !mpz_probab_prime_p(var, PRIMECHECK_ROUNDS))
+ {
+ /* not a prime, increase by 2 */
+ mpz_add_ui(var, var, 2);
+ tries++;
+ }
+
+ len = mpz_sizeinbase(var, 2);
+
+ /* check bit length of primee */
+ assert(len == (size_t)nbits || len == (size_t)(nbits+1));
+
+ if (len == (size_t)(nbits+1))
+ {
+ DBG(DBG_CONTROLMORE,
+ DBG_log("carry out occurred (!), retrying...")
+ )
+ mpz_clear(var);
+ /* recursive call */
+ return init_prime(var, nbits, eval);
+ }
+ DBG(DBG_CONTROLMORE,
+ DBG_log("found it after %lu tries.",tries)
+ )
+ return TRUE;
}
/**
@@ -194,158 +194,158 @@ init_prime(mpz_t var, int nbits, int eval)
* These mpz_t parameters must not be initialized and have
* to be cleared with mpz_clear after using.
*
- * @param[in] nbits size of rsa key in bits
- * @return RSA_public_key_t containing the generated RSA key
+ * @param[in] nbits size of rsa key in bits
+ * @return RSA_public_key_t containing the generated RSA key
*/
err_t
generate_rsa_private_key(int nbits, RSA_private_key_t *key)
{
- mpz_t p, q, n, e, d, exp1, exp2, coeff;
- mpz_t m, q1, t; /* temporary variables*/
-
- DBG(DBG_CONTROL,
- DBG_log("generating %d bit RSA key:", nbits)
- )
-
- if (nbits <= 0)
- return "negative rsa key length!";
-
- /* Get values of primes p and q */
- DBG(DBG_CONTROLMORE,
- DBG_log("initialize prime p")
- )
- if (!init_prime(p, nbits/2, PUBLIC_EXPONENT))
- return "could not generate prime p";
-
- DBG(DBG_CONTROLMORE,
- DBG_log("initialize prime q")
- )
- if (!init_prime(q, nbits/2, PUBLIC_EXPONENT))
- return "could not generate prime q";
-
- mpz_init(t);
-
- /* Swapping primes so p is larger then q */
- if (mpz_cmp(p, q) < 0)
- {
+ mpz_t p, q, n, e, d, exp1, exp2, coeff;
+ mpz_t m, q1, t; /* temporary variables*/
+
+ DBG(DBG_CONTROL,
+ DBG_log("generating %d bit RSA key:", nbits)
+ )
+
+ if (nbits <= 0)
+ return "negative rsa key length!";
+
+ /* Get values of primes p and q */
+ DBG(DBG_CONTROLMORE,
+ DBG_log("initialize prime p")
+ )
+ if (!init_prime(p, nbits/2, PUBLIC_EXPONENT))
+ return "could not generate prime p";
+
+ DBG(DBG_CONTROLMORE,
+ DBG_log("initialize prime q")
+ )
+ if (!init_prime(q, nbits/2, PUBLIC_EXPONENT))
+ return "could not generate prime q";
+
+ mpz_init(t);
+
+ /* Swapping primes so p is larger then q */
+ if (mpz_cmp(p, q) < 0)
+ {
+ DBG(DBG_CONTROLMORE,
+ DBG_log("swapping primes so p is the larger...")
+ );
+ mpz_set(t, p);
+ mpz_set(p, q);
+ mpz_set(q, t);
+ }
+
DBG(DBG_CONTROLMORE,
- DBG_log("swapping primes so p is the larger...")
- );
- mpz_set(t, p);
- mpz_set(p, q);
- mpz_set(q, t);
- }
-
- DBG(DBG_CONTROLMORE,
- DBG_log("computing modulus...")
- )
- mpz_init(n);
- /* n = p*q */
- mpz_mul(n, p, q);
-
- /* Assign e the value of defined PUBLIC_EXPONENT */
- mpz_init_set_ui(e, PUBLIC_EXPONENT);
-
- DBG(DBG_CONTROLMORE,
- DBG_log("computing lcm(p-1, q-1)...")
- )
- /* m = p */
- mpz_init_set(m, p);
- /* m = m-1 */
- mpz_sub_ui(m, m, 1);
- /* q1 = q */
- mpz_init_set(q1, q);
- /* q1 = q1-1 */
- mpz_sub_ui(q1, q1, 1);
- /* t = gcd(p-1, q-1) */
- mpz_gcd(t, m, q1);
- /* m = (p-1)*(q-1) */
- mpz_mul(m, m, q1);
- /* m = m / t */
- mpz_divexact(m, m, t);
- /* t = gcd(m, e) (greatest common divisor) */
- mpz_gcd(t, m, e);
- /* m and e relatively prime */
- assert(mpz_cmp_ui(t, 1) == 0);
-
- /* decryption key */
- DBG(DBG_CONTROLMORE,
- DBG_log("computing d...")
- )
- mpz_init(d);
- /* e has an inverse mod m */
- assert(mpz_invert(d, e, m));
-
- /* make sure d is positive */
- if (mpz_cmp_ui(d, 0) < 0)
- mpz_add(d, d, m);
-
- /* d has to be positive */
- assert(mpz_cmp(d, m) < 0);
-
- /* the speedup hacks */
- DBG(DBG_CONTROLMORE,
- DBG_log("computing exp1, exp1, coeff...")
- )
- mpz_init(exp1);
- /* t = p-1 */
- mpz_sub_ui(t, p, 1);
- /* exp1 = d mod p-1 */
- mpz_mod(exp1, d, t);
-
- mpz_init(exp2);
- /* t = q-1 */
- mpz_sub_ui(t, q, 1);
- /* exp2 = d mod q-1 */
- mpz_mod(exp2, d, t);
-
- mpz_init(coeff);
- /* coeff = q^-1 mod p */
- mpz_invert(coeff, q, p);
-
- /* make sure coeff is positive */
- if (mpz_cmp_ui(coeff, 0) < 0)
- mpz_add(coeff, coeff, p);
-
- /* coeff has to be positive */
- assert(mpz_cmp(coeff, p) < 0);
-
- /* Clear temporary variables */
- mpz_clear(q1);
- mpz_clear(m);
- mpz_clear(t);
-
- /* form FreeS/WAN keyid */
- {
- size_t e_len = (mpz_sizeinbase(e,2)+BITS_PER_BYTE-1)/BITS_PER_BYTE;
- size_t n_len = (mpz_sizeinbase(n,2)+BITS_PER_BYTE-1)/BITS_PER_BYTE;
- chunk_t e_ch = mpz_to_n(e, e_len);
- chunk_t n_ch = mpz_to_n(n, n_len);
-
- form_keyid(e_ch, n_ch, key->pub.keyid, &key->pub.k);
- free(e_ch.ptr);
- free(n_ch.ptr);
- }
-
- /* fill in the elements of the RSA private key */
- key->p = *p;
- key->q = *q;
- key->pub.n = *n;
- key->pub.e = *e;
- key->d = *d;
- key->dP = *exp1;
- key->dQ = *exp2;
- key->qInv = *coeff;
-
- DBG(DBG_CONTROL,
- DBG_log("RSA key *%s generated with %d bits", key->pub.keyid
- , (int)mpz_sizeinbase(n,2))
- )
+ DBG_log("computing modulus...")
+ )
+ mpz_init(n);
+ /* n = p*q */
+ mpz_mul(n, p, q);
+
+ /* Assign e the value of defined PUBLIC_EXPONENT */
+ mpz_init_set_ui(e, PUBLIC_EXPONENT);
+
+ DBG(DBG_CONTROLMORE,
+ DBG_log("computing lcm(p-1, q-1)...")
+ )
+ /* m = p */
+ mpz_init_set(m, p);
+ /* m = m-1 */
+ mpz_sub_ui(m, m, 1);
+ /* q1 = q */
+ mpz_init_set(q1, q);
+ /* q1 = q1-1 */
+ mpz_sub_ui(q1, q1, 1);
+ /* t = gcd(p-1, q-1) */
+ mpz_gcd(t, m, q1);
+ /* m = (p-1)*(q-1) */
+ mpz_mul(m, m, q1);
+ /* m = m / t */
+ mpz_divexact(m, m, t);
+ /* t = gcd(m, e) (greatest common divisor) */
+ mpz_gcd(t, m, e);
+ /* m and e relatively prime */
+ assert(mpz_cmp_ui(t, 1) == 0);
+
+ /* decryption key */
+ DBG(DBG_CONTROLMORE,
+ DBG_log("computing d...")
+ )
+ mpz_init(d);
+ /* e has an inverse mod m */
+ assert(mpz_invert(d, e, m));
+
+ /* make sure d is positive */
+ if (mpz_cmp_ui(d, 0) < 0)
+ mpz_add(d, d, m);
+
+ /* d has to be positive */
+ assert(mpz_cmp(d, m) < 0);
+
+ /* the speedup hacks */
+ DBG(DBG_CONTROLMORE,
+ DBG_log("computing exp1, exp1, coeff...")
+ )
+ mpz_init(exp1);
+ /* t = p-1 */
+ mpz_sub_ui(t, p, 1);
+ /* exp1 = d mod p-1 */
+ mpz_mod(exp1, d, t);
+
+ mpz_init(exp2);
+ /* t = q-1 */
+ mpz_sub_ui(t, q, 1);
+ /* exp2 = d mod q-1 */
+ mpz_mod(exp2, d, t);
+
+ mpz_init(coeff);
+ /* coeff = q^-1 mod p */
+ mpz_invert(coeff, q, p);
+
+ /* make sure coeff is positive */
+ if (mpz_cmp_ui(coeff, 0) < 0)
+ mpz_add(coeff, coeff, p);
+
+ /* coeff has to be positive */
+ assert(mpz_cmp(coeff, p) < 0);
+
+ /* Clear temporary variables */
+ mpz_clear(q1);
+ mpz_clear(m);
+ mpz_clear(t);
+
+ /* form FreeS/WAN keyid */
+ {
+ size_t e_len = (mpz_sizeinbase(e,2)+BITS_PER_BYTE-1)/BITS_PER_BYTE;
+ size_t n_len = (mpz_sizeinbase(n,2)+BITS_PER_BYTE-1)/BITS_PER_BYTE;
+ chunk_t e_ch = mpz_to_n(e, e_len);
+ chunk_t n_ch = mpz_to_n(n, n_len);
+
+ form_keyid(e_ch, n_ch, key->pub.keyid, &key->pub.k);
+ free(e_ch.ptr);
+ free(n_ch.ptr);
+ }
+
+ /* fill in the elements of the RSA private key */
+ key->p = *p;
+ key->q = *q;
+ key->pub.n = *n;
+ key->pub.e = *e;
+ key->d = *d;
+ key->dP = *exp1;
+ key->dQ = *exp2;
+ key->qInv = *coeff;
+
+ DBG(DBG_CONTROL,
+ DBG_log("RSA key *%s generated with %d bits", key->pub.keyid
+ , (int)mpz_sizeinbase(n,2))
+ )
#ifdef DEBUG
- DBG(DBG_PRIVATE,
- RSA_show_private_key(key)
- )
+ DBG(DBG_PRIVATE,
+ RSA_show_private_key(key)
+ )
#endif
- return NULL;
+ return NULL;
}
diff --git a/src/scepclient/rsakey.h b/src/scepclient/rsakey.h
index 3e3156d81..f523f3af0 100644
--- a/src/scepclient/rsakey.h
+++ b/src/scepclient/rsakey.h
@@ -20,7 +20,7 @@
*
* $Id: rsakey.h,v 1.2 2005/08/11 21:52:56 as Exp $
*/
-
+
#ifndef RSAKEY_H_
#define RSAKEY_H_
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c
index f603b5c29..1d921ba99 100644
--- a/src/scepclient/scep.c
+++ b/src/scepclient/scep.c
@@ -41,23 +41,23 @@
#include "scep.h"
static char ASN1_messageType_oid_str[] = {
- 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x02
+ 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x02
};
static char ASN1_senderNonce_oid_str[] = {
- 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x05
+ 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x05
};
static char ASN1_transId_oid_str[] = {
- 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x07
+ 0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x07
};
static const chunk_t ASN1_messageType_oid =
- chunk_from_buf(ASN1_messageType_oid_str);
+ chunk_from_buf(ASN1_messageType_oid_str);
static const chunk_t ASN1_senderNonce_oid =
- chunk_from_buf(ASN1_senderNonce_oid_str);
+ chunk_from_buf(ASN1_senderNonce_oid_str);
static const chunk_t ASN1_transId_oid =
- chunk_from_buf(ASN1_transId_oid_str);
+ chunk_from_buf(ASN1_transId_oid_str);
static const char *pkiStatus_values[] = { "0", "2", "3" };
@@ -99,18 +99,18 @@ const scep_attributes_t empty_scep_attributes = {
/* ASN.1 definition of the X.501 atttribute type */
static const asn1Object_t attributesObjects[] = {
- { 0, "attributes", ASN1_SET, ASN1_LOOP }, /* 0 */
- { 1, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
- { 2, "type", ASN1_OID, ASN1_BODY }, /* 2 */
- { 2, "values", ASN1_SET, ASN1_LOOP }, /* 3 */
- { 3, "value", ASN1_EOC, ASN1_RAW }, /* 4 */
- { 2, "end loop", ASN1_EOC, ASN1_END }, /* 5 */
- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 6 */
+ { 0, "attributes", ASN1_SET, ASN1_LOOP }, /* 0 */
+ { 1, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
+ { 2, "type", ASN1_OID, ASN1_BODY }, /* 2 */
+ { 2, "values", ASN1_SET, ASN1_LOOP }, /* 3 */
+ { 3, "value", ASN1_EOC, ASN1_RAW }, /* 4 */
+ { 2, "end loop", ASN1_EOC, ASN1_END }, /* 5 */
+ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 6 */
};
-#define ATTRIBUTE_OBJ_TYPE 2
-#define ATTRIBUTE_OBJ_VALUE 4
-#define ATTRIBUTE_OBJ_ROOF 7
+#define ATTRIBUTE_OBJ_TYPE 2
+#define ATTRIBUTE_OBJ_VALUE 4
+#define ATTRIBUTE_OBJ_ROOF 7
/*
* extract and store an attribute
@@ -119,112 +119,112 @@ static bool
extract_attribute(int oid, chunk_t object, u_int level
, scep_attributes_t *attrs)
{
- asn1_t type = ASN1_EOC;
- const char *name = "none";
-
- switch (oid)
- {
- case OID_PKCS9_CONTENT_TYPE:
- type = ASN1_OID;
- name = "contentType";
- break;
- case OID_PKCS9_SIGNING_TIME:
- type = ASN1_UTCTIME;
- name = "signingTime";
- break;
- case OID_PKCS9_MESSAGE_DIGEST:
- type = ASN1_OCTET_STRING;
- name = "messageDigest";
- break;
- case OID_PKI_MESSAGE_TYPE:
- type = ASN1_PRINTABLESTRING;
- name = "messageType";
- break;
- case OID_PKI_STATUS:
- type = ASN1_PRINTABLESTRING;
- name = "pkiStatus";
- break;
- case OID_PKI_FAIL_INFO:
- type = ASN1_PRINTABLESTRING;
- name = "failInfo";
- break;
- case OID_PKI_SENDER_NONCE:
- type = ASN1_OCTET_STRING;
- name = "senderNonce";
- break;
- case OID_PKI_RECIPIENT_NONCE:
- type = ASN1_OCTET_STRING;
- name = "recipientNonce";
- break;
- case OID_PKI_TRANS_ID:
- type = ASN1_PRINTABLESTRING;
- name = "transID";
- break;
- default:
- break;
- }
-
- if (type == ASN1_EOC)
- return TRUE;
-
- if (!parse_asn1_simple_object(&object, type, level+1, name))
- return FALSE;
+ asn1_t type = ASN1_EOC;
+ const char *name = "none";
- switch (oid)
- {
- case OID_PKCS9_CONTENT_TYPE:
- break;
- case OID_PKCS9_SIGNING_TIME:
- break;
- case OID_PKCS9_MESSAGE_DIGEST:
- break;
- case OID_PKI_MESSAGE_TYPE:
+ switch (oid)
{
- scep_msg_t m;
-
- for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
- {
- if (strncmp(msgType_values[m], object.ptr, object.len) == 0)
- attrs->msgType = m;
- }
- DBG(DBG_CONTROL,
- DBG_log("messageType: %s", msgType_names[attrs->msgType])
- )
+ case OID_PKCS9_CONTENT_TYPE:
+ type = ASN1_OID;
+ name = "contentType";
+ break;
+ case OID_PKCS9_SIGNING_TIME:
+ type = ASN1_UTCTIME;
+ name = "signingTime";
+ break;
+ case OID_PKCS9_MESSAGE_DIGEST:
+ type = ASN1_OCTET_STRING;
+ name = "messageDigest";
+ break;
+ case OID_PKI_MESSAGE_TYPE:
+ type = ASN1_PRINTABLESTRING;
+ name = "messageType";
+ break;
+ case OID_PKI_STATUS:
+ type = ASN1_PRINTABLESTRING;
+ name = "pkiStatus";
+ break;
+ case OID_PKI_FAIL_INFO:
+ type = ASN1_PRINTABLESTRING;
+ name = "failInfo";
+ break;
+ case OID_PKI_SENDER_NONCE:
+ type = ASN1_OCTET_STRING;
+ name = "senderNonce";
+ break;
+ case OID_PKI_RECIPIENT_NONCE:
+ type = ASN1_OCTET_STRING;
+ name = "recipientNonce";
+ break;
+ case OID_PKI_TRANS_ID:
+ type = ASN1_PRINTABLESTRING;
+ name = "transID";
+ break;
+ default:
+ break;
}
- break;
- case OID_PKI_STATUS:
- {
- pkiStatus_t s;
-
- for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
- {
- if (strncmp(pkiStatus_values[s], object.ptr, object.len) == 0)
- attrs->pkiStatus = s;
- }
- DBG(DBG_CONTROL,
- DBG_log("pkiStatus: %s", pkiStatus_names[attrs->pkiStatus])
- )
- }
- break;
- case OID_PKI_FAIL_INFO:
- if (object.len == 1
- && *object.ptr >= '0' && *object.ptr <= '4')
+
+ if (type == ASN1_EOC)
+ return TRUE;
+
+ if (!parse_asn1_simple_object(&object, type, level+1, name))
+ return FALSE;
+
+ switch (oid)
{
- attrs->failInfo = (failInfo_t)(*object.ptr - '0');
+ case OID_PKCS9_CONTENT_TYPE:
+ break;
+ case OID_PKCS9_SIGNING_TIME:
+ break;
+ case OID_PKCS9_MESSAGE_DIGEST:
+ break;
+ case OID_PKI_MESSAGE_TYPE:
+ {
+ scep_msg_t m;
+
+ for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
+ {
+ if (strncmp(msgType_values[m], object.ptr, object.len) == 0)
+ attrs->msgType = m;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("messageType: %s", msgType_names[attrs->msgType])
+ )
+ }
+ break;
+ case OID_PKI_STATUS:
+ {
+ pkiStatus_t s;
+
+ for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
+ {
+ if (strncmp(pkiStatus_values[s], object.ptr, object.len) == 0)
+ attrs->pkiStatus = s;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("pkiStatus: %s", pkiStatus_names[attrs->pkiStatus])
+ )
+ }
+ break;
+ case OID_PKI_FAIL_INFO:
+ if (object.len == 1
+ && *object.ptr >= '0' && *object.ptr <= '4')
+ {
+ attrs->failInfo = (failInfo_t)(*object.ptr - '0');
+ }
+ if (attrs->failInfo != SCEP_unknown_REASON)
+ plog("failInfo: %s", failInfo_reasons[attrs->failInfo]);
+ break;
+ case OID_PKI_SENDER_NONCE:
+ attrs->senderNonce = object;
+ break;
+ case OID_PKI_RECIPIENT_NONCE:
+ attrs->recipientNonce = object;
+ break;
+ case OID_PKI_TRANS_ID:
+ attrs->transID = object;
}
- if (attrs->failInfo != SCEP_unknown_REASON)
- plog("failInfo: %s", failInfo_reasons[attrs->failInfo]);
- break;
- case OID_PKI_SENDER_NONCE:
- attrs->senderNonce = object;
- break;
- case OID_PKI_RECIPIENT_NONCE:
- attrs->recipientNonce = object;
- break;
- case OID_PKI_TRANS_ID:
- attrs->transID = object;
- }
- return TRUE;
+ return TRUE;
}
/*
@@ -233,35 +233,35 @@ extract_attribute(int oid, chunk_t object, u_int level
bool
parse_attributes(chunk_t blob, scep_attributes_t *attrs)
{
- asn1_ctx_t ctx;
- chunk_t object;
- u_int level;
- int oid = OID_UNKNOWN;
- int objectID = 0;
-
- asn1_init(&ctx, blob, 0, FALSE, DBG_RAW);
-
- DBG(DBG_CONTROL | DBG_PARSING,
- DBG_log("parsing attributes")
- )
- while (objectID < ATTRIBUTE_OBJ_ROOF)
- {
- if (!extract_object(attributesObjects, &objectID
- , &object, &level, &ctx))
- return FALSE;
-
- switch (objectID)
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int oid = OID_UNKNOWN;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, 0, FALSE, DBG_RAW);
+
+ DBG(DBG_CONTROL | DBG_PARSING,
+ DBG_log("parsing attributes")
+ )
+ while (objectID < ATTRIBUTE_OBJ_ROOF)
{
- case ATTRIBUTE_OBJ_TYPE:
- oid = asn1_known_oid(object);
- break;
- case ATTRIBUTE_OBJ_VALUE:
- if (!extract_attribute(oid, object, level, attrs))
- return FALSE;
+ if (!extract_object(attributesObjects, &objectID
+ , &object, &level, &ctx))
+ return FALSE;
+
+ switch (objectID)
+ {
+ case ATTRIBUTE_OBJ_TYPE:
+ oid = asn1_known_oid(object);
+ break;
+ case ATTRIBUTE_OBJ_VALUE:
+ if (!extract_attribute(oid, object, level, attrs))
+ return FALSE;
+ }
+ objectID++;
}
- objectID++;
- }
- return TRUE;
+ return TRUE;
}
/* generates a unique fingerprint of the pkcs10 request
@@ -270,14 +270,14 @@ parse_attributes(chunk_t blob, scep_attributes_t *attrs)
void
scep_generate_pkcs10_fingerprint(chunk_t pkcs10, chunk_t *fingerprint)
{
- char buf[MD5_DIGEST_SIZE];
- chunk_t digest = { buf, sizeof(buf) };
-
- /* the fingerprint is the MD5 hash in hexadecimal format */
- compute_digest(pkcs10, OID_MD5, &digest);
- fingerprint->len = 2*digest.len;
- fingerprint->ptr = malloc(fingerprint->len + 1);
- datatot(digest.ptr, digest.len, 16, fingerprint->ptr, fingerprint->len + 1);
+ char buf[MD5_DIGEST_SIZE];
+ chunk_t digest = { buf, sizeof(buf) };
+
+ /* the fingerprint is the MD5 hash in hexadecimal format */
+ compute_digest(pkcs10, OID_MD5, &digest);
+ fingerprint->len = 2*digest.len;
+ fingerprint->ptr = malloc(fingerprint->len + 1);
+ datatot(digest.ptr, digest.len, 16, fingerprint->ptr, fingerprint->len + 1);
}
/* generate a transaction id as the MD5 hash of an public key
@@ -287,36 +287,36 @@ void
scep_generate_transaction_id(const RSA_public_key_t *rsak
, chunk_t *transID, chunk_t *serialNumber)
{
- char buf[MD5_DIGEST_SIZE];
+ char buf[MD5_DIGEST_SIZE];
- chunk_t digest = { buf, sizeof(buf) };
- chunk_t public_key = pkcs1_build_publicKeyInfo(rsak);
+ chunk_t digest = { buf, sizeof(buf) };
+ chunk_t public_key = pkcs1_build_publicKeyInfo(rsak);
- bool msb_set;
- u_char *pos;
+ bool msb_set;
+ u_char *pos;
- compute_digest(public_key, OID_MD5, &digest);
- free(public_key.ptr);
+ compute_digest(public_key, OID_MD5, &digest);
+ free(public_key.ptr);
- /* is the most significant bit of the digest set? */
- msb_set = (*digest.ptr & 0x80) == 0x80;
+ /* is the most significant bit of the digest set? */
+ msb_set = (*digest.ptr & 0x80) == 0x80;
- /* allocate space for the serialNumber */
- serialNumber->len = msb_set + digest.len;
- serialNumber->ptr = malloc(serialNumber->len);
+ /* allocate space for the serialNumber */
+ serialNumber->len = msb_set + digest.len;
+ serialNumber->ptr = malloc(serialNumber->len);
- /* the serial number as the two's complement of the digest */
- pos = serialNumber->ptr;
- if (msb_set)
- {
- *pos++ = 0x00;
- }
- memcpy(pos, digest.ptr, digest.len);
+ /* the serial number as the two's complement of the digest */
+ pos = serialNumber->ptr;
+ if (msb_set)
+ {
+ *pos++ = 0x00;
+ }
+ memcpy(pos, digest.ptr, digest.len);
- /* the transaction id is the serial number in hex format */
- transID->len = 2*digest.len;
- transID->ptr = malloc(transID->len + 1);
- datatot(digest.ptr, digest.len, 16, transID->ptr, transID->len + 1);
+ /* the transaction id is the serial number in hex format */
+ transID->len = 2*digest.len;
+ transID->ptr = malloc(transID->len + 1);
+ datatot(digest.ptr, digest.len, 16, transID->ptr, transID->len + 1);
}
/*
@@ -325,12 +325,12 @@ scep_generate_transaction_id(const RSA_public_key_t *rsak
chunk_t
scep_transId_attribute(chunk_t transID)
{
- return asn1_wrap(ASN1_SEQUENCE, "cm"
- , ASN1_transId_oid
- , asn1_wrap(ASN1_SET, "m"
- , asn1_simple_object(ASN1_PRINTABLESTRING, transID)
- )
- );
+ return asn1_wrap(ASN1_SEQUENCE, "cm"
+ , ASN1_transId_oid
+ , asn1_wrap(ASN1_SET, "m"
+ , asn1_simple_object(ASN1_PRINTABLESTRING, transID)
+ )
+ );
}
/*
@@ -339,17 +339,17 @@ scep_transId_attribute(chunk_t transID)
chunk_t
scep_messageType_attribute(scep_msg_t m)
{
- chunk_t msgType = {
- (u_char*)msgType_values[m],
- strlen(msgType_values[m])
- };
-
- return asn1_wrap(ASN1_SEQUENCE, "cm"
- , ASN1_messageType_oid
- , asn1_wrap(ASN1_SET, "m"
- , asn1_simple_object(ASN1_PRINTABLESTRING, msgType)
- )
- );
+ chunk_t msgType = {
+ (u_char*)msgType_values[m],
+ strlen(msgType_values[m])
+ };
+
+ return asn1_wrap(ASN1_SEQUENCE, "cm"
+ , ASN1_messageType_oid
+ , asn1_wrap(ASN1_SET, "m"
+ , asn1_simple_object(ASN1_PRINTABLESTRING, msgType)
+ )
+ );
}
/*
@@ -358,18 +358,18 @@ scep_messageType_attribute(scep_msg_t m)
chunk_t
scep_senderNonce_attribute(void)
{
- const size_t nonce_len = 16;
- u_char nonce_buf[nonce_len];
- chunk_t senderNonce = { nonce_buf, nonce_len };
-
- get_rnd_bytes(nonce_buf, nonce_len);
-
- return asn1_wrap(ASN1_SEQUENCE, "cm"
- , ASN1_senderNonce_oid
- , asn1_wrap(ASN1_SET, "m"
- , asn1_simple_object(ASN1_OCTET_STRING, senderNonce)
- )
- );
+ const size_t nonce_len = 16;
+ u_char nonce_buf[nonce_len];
+ chunk_t senderNonce = { nonce_buf, nonce_len };
+
+ get_rnd_bytes(nonce_buf, nonce_len);
+
+ return asn1_wrap(ASN1_SEQUENCE, "cm"
+ , ASN1_senderNonce_oid
+ , asn1_wrap(ASN1_SET, "m"
+ , asn1_simple_object(ASN1_OCTET_STRING, senderNonce)
+ )
+ );
}
/*
@@ -381,23 +381,23 @@ scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg
, const x509cert_t *signer_cert, int digest_alg
, const RSA_private_key_t *private_key)
{
- chunk_t envelopedData, attributes, request;
-
- envelopedData = pkcs7_build_envelopedData(data, enc_cert, enc_alg);
-
- attributes = asn1_wrap(ASN1_SET, "mmmmm"
- , pkcs7_contentType_attribute()
- , pkcs7_messageDigest_attribute(envelopedData
- , digest_alg)
- , scep_transId_attribute(transID)
- , scep_messageType_attribute(msg)
- , scep_senderNonce_attribute());
-
- request = pkcs7_build_signedData(envelopedData, attributes
- , signer_cert, digest_alg, private_key);
- free(envelopedData.ptr);
- free(attributes.ptr);
- return request;
+ chunk_t envelopedData, attributes, request;
+
+ envelopedData = pkcs7_build_envelopedData(data, enc_cert, enc_alg);
+
+ attributes = asn1_wrap(ASN1_SET, "mmmmm"
+ , pkcs7_contentType_attribute()
+ , pkcs7_messageDigest_attribute(envelopedData
+ , digest_alg)
+ , scep_transId_attribute(transID)
+ , scep_messageType_attribute(msg)
+ , scep_senderNonce_attribute());
+
+ request = pkcs7_build_signedData(envelopedData, attributes
+ , signer_cert, digest_alg, private_key);
+ free(envelopedData.ptr);
+ free(attributes.ptr);
+ return request;
}
#ifdef LIBCURL
@@ -407,58 +407,58 @@ scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg
static char*
escape_http_request(chunk_t req)
{
- char *escaped_req = NULL;
- char *p1, *p2;
- int lines = 0;
- int plus = 0;
- int n = 0;
-
- /* compute and allocate the size of the base64-encoded request */
- int len = 1 + 4*((req.len + 2)/3);
- char *encoded_req = malloc(len);
-
- /* do the base64 conversion */
- len = datatot(req.ptr, req.len, 64, encoded_req, len);
-
- /* compute newline characters to be inserted every 64 characters */
- lines = (len - 2) / 64;
-
- /* count number of + characters to be escaped */
- p1 = encoded_req;
- while (*p1 != '\0')
- {
- if (*p1++ == '+')
- plus++;
- }
-
- escaped_req = malloc(len + 3*(lines + plus));
-
- /* escape special characters in the request */
- p1 = encoded_req;
- p2 = escaped_req;
- while (*p1 != '\0')
- {
- if (n == 64)
- {
- memcpy(p2, "%0A", 3);
- p2 += 3;
- n = 0;
- }
- if (*p1 == '+')
+ char *escaped_req = NULL;
+ char *p1, *p2;
+ int lines = 0;
+ int plus = 0;
+ int n = 0;
+
+ /* compute and allocate the size of the base64-encoded request */
+ int len = 1 + 4*((req.len + 2)/3);
+ char *encoded_req = malloc(len);
+
+ /* do the base64 conversion */
+ len = datatot(req.ptr, req.len, 64, encoded_req, len);
+
+ /* compute newline characters to be inserted every 64 characters */
+ lines = (len - 2) / 64;
+
+ /* count number of + characters to be escaped */
+ p1 = encoded_req;
+ while (*p1 != '\0')
{
- memcpy(p2, "%2B", 3);
- p2 += 3;
+ if (*p1++ == '+')
+ plus++;
}
- else
+
+ escaped_req = malloc(len + 3*(lines + plus));
+
+ /* escape special characters in the request */
+ p1 = encoded_req;
+ p2 = escaped_req;
+ while (*p1 != '\0')
{
- *p2++ = *p1;
+ if (n == 64)
+ {
+ memcpy(p2, "%0A", 3);
+ p2 += 3;
+ n = 0;
+ }
+ if (*p1 == '+')
+ {
+ memcpy(p2, "%2B", 3);
+ p2 += 3;
+ }
+ else
+ {
+ *p2++ = *p1;
+ }
+ p1++;
+ n++;
}
- p1++;
- n++;
- }
- *p2 = '\0';
- free(encoded_req);
- return escaped_req;
+ *p2 = '\0';
+ free(encoded_req);
+ return escaped_req;
}
#endif
@@ -470,109 +470,109 @@ scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op
, fetch_request_t req_type, chunk_t *response)
{
#ifdef LIBCURL
- char errorbuffer[CURL_ERROR_SIZE] = "";
- char *complete_url = NULL;
- struct curl_slist *headers = NULL;
- CURL *curl;
- CURLcode res;
-
- /* initialize response */
- *response = chunk_empty;
-
- /* initialize curl context */
- curl = curl_easy_init();
- if (curl == NULL)
- {
- plog("could not initialize curl context");
- return FALSE;
- }
-
- if (op == SCEP_PKI_OPERATION)
- {
- const char operation[] = "PKIOperation";
+ char errorbuffer[CURL_ERROR_SIZE] = "";
+ char *complete_url = NULL;
+ struct curl_slist *headers = NULL;
+ CURL *curl;
+ CURLcode res;
+
+ /* initialize response */
+ *response = chunk_empty;
+
+ /* initialize curl context */
+ curl = curl_easy_init();
+ if (curl == NULL)
+ {
+ plog("could not initialize curl context");
+ return FALSE;
+ }
- if (req_type == FETCH_GET)
+ if (op == SCEP_PKI_OPERATION)
{
- char *escaped_req = escape_http_request(pkcs7);
-
- /* form complete url */
- int len = strlen(url) + 20 + strlen(operation) + strlen(escaped_req) + 1;
-
- complete_url = malloc(len);
- snprintf(complete_url, len, "%s?operation=%s&message=%s"
- , url, operation, escaped_req);
- free(escaped_req);
-
- curl_easy_setopt(curl, CURLOPT_HTTPGET, TRUE);
- headers = curl_slist_append(headers, "Pragma:");
- headers = curl_slist_append(headers, "Host:");
- headers = curl_slist_append(headers, "Accept:");
- curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
- curl_easy_setopt(curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
+ const char operation[] = "PKIOperation";
+
+ if (req_type == FETCH_GET)
+ {
+ char *escaped_req = escape_http_request(pkcs7);
+
+ /* form complete url */
+ int len = strlen(url) + 20 + strlen(operation) + strlen(escaped_req) + 1;
+
+ complete_url = malloc(len);
+ snprintf(complete_url, len, "%s?operation=%s&message=%s"
+ , url, operation, escaped_req);
+ free(escaped_req);
+
+ curl_easy_setopt(curl, CURLOPT_HTTPGET, TRUE);
+ headers = curl_slist_append(headers, "Pragma:");
+ headers = curl_slist_append(headers, "Host:");
+ headers = curl_slist_append(headers, "Accept:");
+ curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
+ curl_easy_setopt(curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
+ }
+ else /* HTTP_POST */
+ {
+ /* form complete url */
+ int len = strlen(url) + 11 + strlen(operation) + 1;
+
+ complete_url = malloc(len);
+ snprintf(complete_url, len, "%s?operation=%s", url, operation);
+
+ curl_easy_setopt(curl, CURLOPT_HTTPGET, FALSE);
+ headers = curl_slist_append(headers, "Content-Type:");
+ headers = curl_slist_append(headers, "Expect:");
+ curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
+ curl_easy_setopt(curl, CURLOPT_POSTFIELDS, (char*)pkcs7.ptr);
+ curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, pkcs7.len);
+ }
}
- else /* HTTP_POST */
+ else /* SCEP_GET_CA_CERT */
{
- /* form complete url */
- int len = strlen(url) + 11 + strlen(operation) + 1;
-
- complete_url = malloc(len);
- snprintf(complete_url, len, "%s?operation=%s", url, operation);
-
- curl_easy_setopt(curl, CURLOPT_HTTPGET, FALSE);
- headers = curl_slist_append(headers, "Content-Type:");
- headers = curl_slist_append(headers, "Expect:");
- curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
- curl_easy_setopt(curl, CURLOPT_POSTFIELDS, (char*)pkcs7.ptr);
- curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, pkcs7.len);
+ const char operation[] = "GetCACert";
+
+ /* form complete url */
+ int len = strlen(url) + 32 + strlen(operation) + 1;
+
+ complete_url = malloc(len);
+ snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier"
+ , url, operation);
+
+ curl_easy_setopt(curl, CURLOPT_HTTPGET, TRUE);
}
- }
- else /* SCEP_GET_CA_CERT */
- {
- const char operation[] = "GetCACert";
-
- /* form complete url */
- int len = strlen(url) + 32 + strlen(operation) + 1;
-
- complete_url = malloc(len);
- snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier"
- , url, operation);
-
- curl_easy_setopt(curl, CURLOPT_HTTPGET, TRUE);
- }
-
- curl_easy_setopt(curl, CURLOPT_URL, complete_url);
- curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer);
- curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)response);
- curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuffer);
- curl_easy_setopt(curl, CURLOPT_FAILONERROR, TRUE);
- curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, FETCH_CMD_TIMEOUT);
-
- DBG(DBG_CONTROL,
- DBG_log("sending scep request to '%s'", url)
- )
- res = curl_easy_perform(curl);
-
- if (res == CURLE_OK)
- {
+
+ curl_easy_setopt(curl, CURLOPT_URL, complete_url);
+ curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer);
+ curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)response);
+ curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuffer);
+ curl_easy_setopt(curl, CURLOPT_FAILONERROR, TRUE);
+ curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, FETCH_CMD_TIMEOUT);
+
DBG(DBG_CONTROL,
- DBG_log("received scep response")
+ DBG_log("sending scep request to '%s'", url)
)
- DBG(DBG_RAW,
- DBG_dump_chunk("SCEP response:\n", *response)
- )
- }
- else
- {
- plog("failed to fetch scep response from '%s': %s", url, errorbuffer);
- }
- curl_slist_free_all(headers);
- curl_easy_cleanup(curl);
- free(complete_url);
-
- return (res == CURLE_OK);
+ res = curl_easy_perform(curl);
+
+ if (res == CURLE_OK)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("received scep response")
+ )
+ DBG(DBG_RAW,
+ DBG_dump_chunk("SCEP response:\n", *response)
+ )
+ }
+ else
+ {
+ plog("failed to fetch scep response from '%s': %s", url, errorbuffer);
+ }
+ curl_slist_free_all(headers);
+ curl_easy_cleanup(curl);
+ free(complete_url);
+
+ return (res == CURLE_OK);
#else /* !LIBCURL */
- plog("scep error: pluto wasn't compiled with libcurl support");
- return FALSE;
+ plog("scep error: pluto wasn't compiled with libcurl support");
+ return FALSE;
#endif /* !LIBCURL */
}
@@ -580,19 +580,19 @@ err_t
scep_parse_response(chunk_t response, chunk_t transID, contentInfo_t *data
, scep_attributes_t *attrs, x509cert_t *signer_cert)
{
- chunk_t attributes;
-
- if (!pkcs7_parse_signedData(response, data, NULL, &attributes, signer_cert))
- {
- return "error parsing the scep response";
- }
- if (!parse_attributes(attributes, attrs))
- {
- return "error parsing the scep response attributes";
- }
- if (!chunk_equals(transID, attrs->transID))
- {
- return "transaction ID of scep response does not match";
- }
- return NULL;
+ chunk_t attributes;
+
+ if (!pkcs7_parse_signedData(response, data, NULL, &attributes, signer_cert))
+ {
+ return "error parsing the scep response";
+ }
+ if (!parse_attributes(attributes, attrs))
+ {
+ return "error parsing the scep response attributes";
+ }
+ if (!chunk_equals(transID, attrs->transID))
+ {
+ return "transaction ID of scep response does not match";
+ }
+ return NULL;
}
diff --git a/src/scepclient/scep.h b/src/scepclient/scep.h
index 81e5d1a4b..0586a29cb 100644
--- a/src/scepclient/scep.h
+++ b/src/scepclient/scep.h
@@ -4,7 +4,7 @@
*
* Contains functions to build and parse SCEP requests and replies
*/
-
+
/*
* Copyright (C) 2005 Jan Hutter, Martin Willi
* Hochschule fuer Technik Rapperswil
@@ -19,7 +19,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
-
+
#ifndef _SCEP_H
#define _SCEP_H
@@ -29,8 +29,8 @@
/* supported SCEP operation types */
typedef enum {
- SCEP_PKI_OPERATION,
- SCEP_GET_CA_CERT
+ SCEP_PKI_OPERATION,
+ SCEP_GET_CA_CERT
} scep_op_t;
/* SCEP pkiStatus values */
@@ -63,31 +63,31 @@ typedef enum {
/* SCEP attributes */
typedef struct {
- scep_msg_t msgType;
- pkiStatus_t pkiStatus;
- failInfo_t failInfo;
- chunk_t transID;
- chunk_t senderNonce;
- chunk_t recipientNonce;
+ scep_msg_t msgType;
+ pkiStatus_t pkiStatus;
+ failInfo_t failInfo;
+ chunk_t transID;
+ chunk_t senderNonce;
+ chunk_t recipientNonce;
} scep_attributes_t;
extern const scep_attributes_t empty_scep_attributes;
extern bool parse_attributes(chunk_t blob, scep_attributes_t *attrs);
extern void scep_generate_pkcs10_fingerprint(chunk_t pkcs10
- , chunk_t *fingerprint);
+ , chunk_t *fingerprint);
extern void scep_generate_transaction_id(const RSA_public_key_t *rsak
- , chunk_t *transID, chunk_t *serialNumber);
+ , chunk_t *transID, chunk_t *serialNumber);
extern chunk_t scep_transId_attribute(chunk_t transaction_id);
extern chunk_t scep_messageType_attribute(scep_msg_t m);
extern chunk_t scep_senderNonce_attribute(void);
extern chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg
- , const x509cert_t *enc_cert, int enc_alg
- , const x509cert_t *signer_cert, int digest_alg
- , const RSA_private_key_t *private_key);
+ , const x509cert_t *enc_cert, int enc_alg
+ , const x509cert_t *signer_cert, int digest_alg
+ , const RSA_private_key_t *private_key);
extern bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op
- , fetch_request_t request_type, chunk_t *response);
+ , fetch_request_t request_type, chunk_t *response);
extern err_t scep_parse_response(chunk_t response, chunk_t transID
- , contentInfo_t *data, scep_attributes_t *attrs, x509cert_t *signer_cert);
+ , contentInfo_t *data, scep_attributes_t *attrs, x509cert_t *signer_cert);
#endif /* _SCEP_H */
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 27882ad63..f4a63bfbf 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -60,37 +60,37 @@
*/
/* default name of DER-encoded PKCS#1 private key file */
-#define DEFAULT_FILENAME_PKCS1 "myKey.der"
+#define DEFAULT_FILENAME_PKCS1 "myKey.der"
/* default name of DER-encoded PKCS#10 certificate request file */
-#define DEFAULT_FILENAME_PKCS10 "myReq.der"
+#define DEFAULT_FILENAME_PKCS10 "myReq.der"
/* default name of DER-encoded PKCS#7 file */
-#define DEFAULT_FILENAME_PKCS7 "pkcs7.der"
+#define DEFAULT_FILENAME_PKCS7 "pkcs7.der"
/* default name of DER-encoded self-signed X.509 certificate file */
-#define DEFAULT_FILENAME_CERT_SELF "selfCert.der"
+#define DEFAULT_FILENAME_CERT_SELF "selfCert.der"
/* default name of DER-encoded X.509 certificate file */
-#define DEFAULT_FILENAME_CERT "myCert.der"
+#define DEFAULT_FILENAME_CERT "myCert.der"
/* default name of DER-encoded CA cert file used for key encipherment */
-#define DEFAULT_FILENAME_CACERT_ENC "caCert.der"
+#define DEFAULT_FILENAME_CACERT_ENC "caCert.der"
/* default name of the der encoded CA cert file used for signature verification */
-#define DEFAULT_FILENAME_CACERT_SIG "caCert.der"
+#define DEFAULT_FILENAME_CACERT_SIG "caCert.der"
/* default prefix of the der encoded CA certificates received from the SCEP server */
-#define DEFAULT_FILENAME_PREFIX_CACERT "caCert.der"
+#define DEFAULT_FILENAME_PREFIX_CACERT "caCert.der"
/* default certificate validity */
-#define DEFAULT_CERT_VALIDITY 5 * 3600 * 24 * 365 /* seconds */
+#define DEFAULT_CERT_VALIDITY 5 * 3600 * 24 * 365 /* seconds */
/* default polling time interval in SCEP manual mode */
-#define DEFAULT_POLL_INTERVAL 20 /* seconds */
+#define DEFAULT_POLL_INTERVAL 20 /* seconds */
/* default key length for self-generated RSA keys */
-#define DEFAULT_RSA_KEY_LENGTH 2048 /* bits */
+#define DEFAULT_RSA_KEY_LENGTH 2048 /* bits */
/* default distinguished name */
#define DEFAULT_DN "C=CH, O=Linux strongSwan, CN="
@@ -149,50 +149,50 @@ pkcs10_t *pkcs10 = NULL;
static void
exit_scepclient(err_t message, ...)
{
- int status = 0;
-
- if (private_key != NULL)
- {
- free_RSA_private_content(private_key);
- free(private_key);
- }
- free(pkcs1.ptr);
- free(pkcs7.ptr);
- free(subject.ptr);
- free(serialNumber.ptr);
- free(transID.ptr);
- free(fingerprint.ptr);
- free(issuerAndSubject.ptr);
- free(getCertInitial.ptr);
- free(scep_response.ptr);
-
- free_generalNames(subjectAltNames, TRUE);
- if (x509_signer != NULL)
- {
- x509_signer->subjectAltName = NULL;
- }
- free_x509cert(x509_signer);
- free_x509cert(x509_ca_enc);
- free_x509cert(x509_ca_sig);
- pkcs10_free(pkcs10);
- options->destroy(options);
-
- /* print any error message to stderr */
- if (message != NULL && *message != '\0')
- {
- va_list args;
- char m[LOG_WIDTH]; /* longer messages will be truncated */
-
- va_start(args, message);
- vsnprintf(m, sizeof(m), message, args);
- va_end(args);
-
- fprintf(stderr, "error: %s\n", m);
- status = -1;
- }
- library_deinit();
- close_log();
- exit(status);
+ int status = 0;
+
+ if (private_key != NULL)
+ {
+ free_RSA_private_content(private_key);
+ free(private_key);
+ }
+ free(pkcs1.ptr);
+ free(pkcs7.ptr);
+ free(subject.ptr);
+ free(serialNumber.ptr);
+ free(transID.ptr);
+ free(fingerprint.ptr);
+ free(issuerAndSubject.ptr);
+ free(getCertInitial.ptr);
+ free(scep_response.ptr);
+
+ free_generalNames(subjectAltNames, TRUE);
+ if (x509_signer != NULL)
+ {
+ x509_signer->subjectAltName = NULL;
+ }
+ free_x509cert(x509_signer);
+ free_x509cert(x509_ca_enc);
+ free_x509cert(x509_ca_sig);
+ pkcs10_free(pkcs10);
+ options->destroy(options);
+
+ /* print any error message to stderr */
+ if (message != NULL && *message != '\0')
+ {
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
+
+ va_start(args, message);
+ vsnprintf(m, sizeof(m), message, args);
+ va_end(args);
+
+ fprintf(stderr, "error: %s\n", m);
+ status = -1;
+ }
+ library_deinit();
+ close_log();
+ exit(status);
}
/**
@@ -202,8 +202,8 @@ exit_scepclient(err_t message, ...)
static void
version(void)
{
- printf("scepclient %s\n", scepclient_version);
- exit_scepclient(NULL);
+ printf("scepclient %s\n", scepclient_version);
+ exit_scepclient(NULL);
}
/**
@@ -215,61 +215,61 @@ version(void)
static void
usage(const char *message)
{
- fprintf(stderr,
- "Usage: scepclient\n"
- " --help (-h) show usage and exit\n"
- " --version (-v) show version and exit\n"
- " --quiet (-q) do not write log output to stderr\n"
- " --in (-i) <type>[=<filename>] use <filename> of <type> for input \n"
- " <type> = pkcs1 | cacert-enc | cacert-sig\n"
- " - if no pkcs1 input is defined, a \n"
- " RSA key will be generated\n"
- " - if no filename is given, default is used\n"
- " --out (-o) <type>[=<filename>] write output of <type> to <filename>\n"
- " multiple outputs are allowed\n"
- " <type> = pkcs1 | pkcs10 | pkcs7 | cert-self | cert | cacert\n"
- " - type cacert defines filename prefix of\n"
- " received CA certificate(s)\n"
- " - if no filename is given, default is used\n"
- " --optionsfrom (-+) <filename> reads additional options from given file\n"
- " --force (-f) force existing file(s)\n"
- "\n"
- "Options for key generation (pkcs1):\n"
- " --keylength (-k) <bits> key length for RSA key generation\n"
- "(default: 2048 bits)\n"
- "\n"
- "Options for validity:\n"
- " --days (-D) <days> validity in days\n"
- " --startdate (-S) <YYMMDDHHMMSS>Z not valid before date\n"
- " --enddate (-E) <YYMMDDHHMMSS>Z not valid after date\n"
- "\n"
- "Options for request generation (pkcs10):\n"
- " --dn (-d) <dn> comma separated list of distinguished names\n"
- " --subjectAltName (-s) <t>=<v> include subjectAltName in certificate request\n"
- " <t> = email | dns | ip \n"
- " --password (-p) <pw> challenge password\n"
- " - if pw is '%%prompt', password gets prompted for\n"
- " --algorithm (-a) <algo> use specified algorithm for PKCS#7 encryption\n"
- " <algo> = des-cbc | 3des-cbc (default: 3des-cbc)\n"
- "\n"
- "Options for enrollment (cert):\n"
- " --url (-u) <url> url of the SCEP server\n"
- " --method (-m) post | get http request type\n"
- " --interval (-t) <seconds> manual mode poll interval in seconds (default 20s)\n"
- " --maxpolltime (-x) <seconds> max poll time in seconds when in manual mode\n"
- " (default: unlimited)\n"
+ fprintf(stderr,
+ "Usage: scepclient\n"
+ " --help (-h) show usage and exit\n"
+ " --version (-v) show version and exit\n"
+ " --quiet (-q) do not write log output to stderr\n"
+ " --in (-i) <type>[=<filename>] use <filename> of <type> for input \n"
+ " <type> = pkcs1 | cacert-enc | cacert-sig\n"
+ " - if no pkcs1 input is defined, a \n"
+ " RSA key will be generated\n"
+ " - if no filename is given, default is used\n"
+ " --out (-o) <type>[=<filename>] write output of <type> to <filename>\n"
+ " multiple outputs are allowed\n"
+ " <type> = pkcs1 | pkcs10 | pkcs7 | cert-self | cert | cacert\n"
+ " - type cacert defines filename prefix of\n"
+ " received CA certificate(s)\n"
+ " - if no filename is given, default is used\n"
+ " --optionsfrom (-+) <filename> reads additional options from given file\n"
+ " --force (-f) force existing file(s)\n"
+ "\n"
+ "Options for key generation (pkcs1):\n"
+ " --keylength (-k) <bits> key length for RSA key generation\n"
+ "(default: 2048 bits)\n"
+ "\n"
+ "Options for validity:\n"
+ " --days (-D) <days> validity in days\n"
+ " --startdate (-S) <YYMMDDHHMMSS>Z not valid before date\n"
+ " --enddate (-E) <YYMMDDHHMMSS>Z not valid after date\n"
+ "\n"
+ "Options for request generation (pkcs10):\n"
+ " --dn (-d) <dn> comma separated list of distinguished names\n"
+ " --subjectAltName (-s) <t>=<v> include subjectAltName in certificate request\n"
+ " <t> = email | dns | ip \n"
+ " --password (-p) <pw> challenge password\n"
+ " - if pw is '%%prompt', password gets prompted for\n"
+ " --algorithm (-a) <algo> use specified algorithm for PKCS#7 encryption\n"
+ " <algo> = des-cbc | 3des-cbc (default: 3des-cbc)\n"
+ "\n"
+ "Options for enrollment (cert):\n"
+ " --url (-u) <url> url of the SCEP server\n"
+ " --method (-m) post | get http request type\n"
+ " --interval (-t) <seconds> manual mode poll interval in seconds (default 20s)\n"
+ " --maxpolltime (-x) <seconds> max poll time in seconds when in manual mode\n"
+ " (default: unlimited)\n"
#ifdef DEBUG
- "\n"
- "Debugging output:\n"
- " --debug-all (-A) show everything except private\n"
- " --debug-parsing (-P) show parsing relevant stuff\n"
- " --debug-raw (-R) show raw hex dumps\n"
- " --debug-control (-C) show control flow output\n"
- " --debug-controlmore (-M) show more control flow\n"
- " --debug-private (-X) show sensitive data (private keys, etc.)\n"
+ "\n"
+ "Debugging output:\n"
+ " --debug-all (-A) show everything except private\n"
+ " --debug-parsing (-P) show parsing relevant stuff\n"
+ " --debug-raw (-R) show raw hex dumps\n"
+ " --debug-control (-C) show control flow output\n"
+ " --debug-controlmore (-M) show more control flow\n"
+ " --debug-private (-X) show sensitive data (private keys, etc.)\n"
#endif
- );
- exit_scepclient(message);
+ );
+ exit_scepclient(message);
}
static int debug_level = 1;
@@ -279,39 +279,39 @@ static int debug_level = 1;
*/
static void scepclient_dbg(int level, char *fmt, ...)
{
- int priority = LOG_INFO;
- char buffer[8192];
- char *current = buffer, *next;
- va_list args;
-
- if (level <= debug_level)
- {
- va_start(args, fmt);
-
- if (log_to_stderr)
- {
- vfprintf(stderr, fmt, args);
- fprintf(stderr, "\n");
- }
- if (log_to_syslog)
+ int priority = LOG_INFO;
+ char buffer[8192];
+ char *current = buffer, *next;
+ va_list args;
+
+ if (level <= debug_level)
{
- /* write in memory buffer first */
- vsnprintf(buffer, sizeof(buffer), fmt, args);
-
- /* do a syslog with every line */
- while (current)
- {
- next = strchr(current, '\n');
- if (next)
- {
- *(next++) = '\0';
+ va_start(args, fmt);
+
+ if (log_to_stderr)
+ {
+ vfprintf(stderr, fmt, args);
+ fprintf(stderr, "\n");
}
- syslog(priority, "%s\n", current);
- current = next;
- }
+ if (log_to_syslog)
+ {
+ /* write in memory buffer first */
+ vsnprintf(buffer, sizeof(buffer), fmt, args);
+
+ /* do a syslog with every line */
+ while (current)
+ {
+ next = strchr(current, '\n');
+ if (next)
+ {
+ *(next++) = '\0';
+ }
+ syslog(priority, "%s\n", current);
+ current = next;
+ }
+ }
+ va_end(args);
}
- va_end(args);
- }
}
/**
* @brief main of scepclient
@@ -321,817 +321,817 @@ static void scepclient_dbg(int level, char *fmt, ...)
*/
int main(int argc, char **argv)
{
- /* external values */
- extern char * optarg;
- extern int optind;
-
- /* type of input and output files */
- typedef enum {
- PKCS1 = 0x01,
- PKCS10 = 0x02,
- PKCS7 = 0x04,
- CERT_SELF = 0x08,
- CERT = 0x10,
- CACERT_ENC = 0x20,
- CACERT_SIG = 0x40
- } scep_filetype_t;
-
- /* filetype to read from, defaults to "generate a key" */
- scep_filetype_t filetype_in = 0;
-
- /* filetype to write to, no default here */
- scep_filetype_t filetype_out = 0;
-
- /* input files */
- char *file_in_pkcs1 = DEFAULT_FILENAME_PKCS1;
- char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC;
- char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG;
-
- /* output files */
- char *file_out_pkcs1 = DEFAULT_FILENAME_PKCS1;
- char *file_out_pkcs10 = DEFAULT_FILENAME_PKCS10;
- char *file_out_pkcs7 = DEFAULT_FILENAME_PKCS7;
- char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF;
- char *file_out_cert = DEFAULT_FILENAME_CERT;
- char *file_out_prefix_cacert = DEFAULT_FILENAME_PREFIX_CACERT;
-
- /* by default user certificate is requested */
- bool request_ca_certificate = FALSE;
-
- /* by default existing files are not overwritten */
- bool force = FALSE;
-
- /* length of RSA key in bits */
- u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH;
-
- /* validity of self-signed certificate */
- time_t validity = DEFAULT_CERT_VALIDITY;
- time_t notBefore = 0;
- time_t notAfter = 0;
-
- /* distinguished name for requested certificate, ASCII format */
- char *distinguishedName = NULL;
-
- /* challenge password */
- char challenge_password_buffer[MAX_PASSWORD_LENGTH];
-
- /* symmetric encryption algorithm used by pkcs7, default is 3DES */
- int pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
-
- /* digest algorithm used by pkcs7, default is MD5 */
- int pkcs7_digest_alg = OID_MD5;
-
- /* signature algorithm used by pkcs10, default is MD5 with RSA encryption */
- int pkcs10_signature_alg = OID_MD5;
-
- /* URL of the SCEP-Server */
- char *scep_url = NULL;
-
- /* http request method, default is GET */
- fetch_request_t request_type = FETCH_GET;
-
- /* poll interval time in manual mode in seconds */
- u_int poll_interval = DEFAULT_POLL_INTERVAL;
-
- /* maximum poll time */
- u_int max_poll_time = 0;
-
- err_t ugh = NULL;
-
- /* initialize global variables */
- pkcs1 = chunk_empty;
- pkcs7 = chunk_empty;
- serialNumber = chunk_empty;
- transID = chunk_empty;
- fingerprint = chunk_empty;
- issuerAndSubject = chunk_empty;
- challengePassword = chunk_empty;
- getCertInitial = chunk_empty;
- scep_response = chunk_empty;
- log_to_stderr = TRUE;
-
- /* initialize library and optionsfrom */
- library_init(STRONGSWAN_CONF);
- options = options_create();
-
- for (;;)
- {
- static const struct option long_opts[] = {
- /* name, has_arg, flag, val */
- { "help", no_argument, NULL, 'h' },
- { "version", no_argument, NULL, 'v' },
- { "optionsfrom", required_argument, NULL, '+' },
- { "quiet", no_argument, NULL, 'q' },
- { "in", required_argument, NULL, 'i' },
- { "out", required_argument, NULL, 'o' },
- { "force", no_argument, NULL, 'f' },
- { "keylength", required_argument, NULL, 'k' },
- { "dn", required_argument, NULL, 'd' },
- { "days", required_argument, NULL, 'D' },
- { "startdate", required_argument, NULL, 'S' },
- { "enddate", required_argument, NULL, 'E' },
- { "subjectAltName", required_argument, NULL, 's' },
- { "password", required_argument, NULL, 'p' },
- { "algorithm", required_argument, NULL, 'a' },
- { "url", required_argument, NULL, 'u' },
- { "method", required_argument, NULL, 'm' },
- { "interval", required_argument, NULL, 't' },
- { "maxpolltime", required_argument, NULL, 'x' },
+ /* external values */
+ extern char * optarg;
+ extern int optind;
+
+ /* type of input and output files */
+ typedef enum {
+ PKCS1 = 0x01,
+ PKCS10 = 0x02,
+ PKCS7 = 0x04,
+ CERT_SELF = 0x08,
+ CERT = 0x10,
+ CACERT_ENC = 0x20,
+ CACERT_SIG = 0x40
+ } scep_filetype_t;
+
+ /* filetype to read from, defaults to "generate a key" */
+ scep_filetype_t filetype_in = 0;
+
+ /* filetype to write to, no default here */
+ scep_filetype_t filetype_out = 0;
+
+ /* input files */
+ char *file_in_pkcs1 = DEFAULT_FILENAME_PKCS1;
+ char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC;
+ char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG;
+
+ /* output files */
+ char *file_out_pkcs1 = DEFAULT_FILENAME_PKCS1;
+ char *file_out_pkcs10 = DEFAULT_FILENAME_PKCS10;
+ char *file_out_pkcs7 = DEFAULT_FILENAME_PKCS7;
+ char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF;
+ char *file_out_cert = DEFAULT_FILENAME_CERT;
+ char *file_out_prefix_cacert = DEFAULT_FILENAME_PREFIX_CACERT;
+
+ /* by default user certificate is requested */
+ bool request_ca_certificate = FALSE;
+
+ /* by default existing files are not overwritten */
+ bool force = FALSE;
+
+ /* length of RSA key in bits */
+ u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH;
+
+ /* validity of self-signed certificate */
+ time_t validity = DEFAULT_CERT_VALIDITY;
+ time_t notBefore = 0;
+ time_t notAfter = 0;
+
+ /* distinguished name for requested certificate, ASCII format */
+ char *distinguishedName = NULL;
+
+ /* challenge password */
+ char challenge_password_buffer[MAX_PASSWORD_LENGTH];
+
+ /* symmetric encryption algorithm used by pkcs7, default is 3DES */
+ int pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
+
+ /* digest algorithm used by pkcs7, default is MD5 */
+ int pkcs7_digest_alg = OID_MD5;
+
+ /* signature algorithm used by pkcs10, default is MD5 with RSA encryption */
+ int pkcs10_signature_alg = OID_MD5;
+
+ /* URL of the SCEP-Server */
+ char *scep_url = NULL;
+
+ /* http request method, default is GET */
+ fetch_request_t request_type = FETCH_GET;
+
+ /* poll interval time in manual mode in seconds */
+ u_int poll_interval = DEFAULT_POLL_INTERVAL;
+
+ /* maximum poll time */
+ u_int max_poll_time = 0;
+
+ err_t ugh = NULL;
+
+ /* initialize global variables */
+ pkcs1 = chunk_empty;
+ pkcs7 = chunk_empty;
+ serialNumber = chunk_empty;
+ transID = chunk_empty;
+ fingerprint = chunk_empty;
+ issuerAndSubject = chunk_empty;
+ challengePassword = chunk_empty;
+ getCertInitial = chunk_empty;
+ scep_response = chunk_empty;
+ log_to_stderr = TRUE;
+
+ /* initialize library and optionsfrom */
+ library_init(STRONGSWAN_CONF);
+ options = options_create();
+
+ for (;;)
+ {
+ static const struct option long_opts[] = {
+ /* name, has_arg, flag, val */
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, 'v' },
+ { "optionsfrom", required_argument, NULL, '+' },
+ { "quiet", no_argument, NULL, 'q' },
+ { "in", required_argument, NULL, 'i' },
+ { "out", required_argument, NULL, 'o' },
+ { "force", no_argument, NULL, 'f' },
+ { "keylength", required_argument, NULL, 'k' },
+ { "dn", required_argument, NULL, 'd' },
+ { "days", required_argument, NULL, 'D' },
+ { "startdate", required_argument, NULL, 'S' },
+ { "enddate", required_argument, NULL, 'E' },
+ { "subjectAltName", required_argument, NULL, 's' },
+ { "password", required_argument, NULL, 'p' },
+ { "algorithm", required_argument, NULL, 'a' },
+ { "url", required_argument, NULL, 'u' },
+ { "method", required_argument, NULL, 'm' },
+ { "interval", required_argument, NULL, 't' },
+ { "maxpolltime", required_argument, NULL, 'x' },
+#ifdef DEBUG
+ { "debug-all", no_argument, NULL, 'A' },
+ { "debug-parsing", no_argument, NULL, 'P'},
+ { "debug-raw", no_argument, NULL, 'R'},
+ { "debug-control", no_argument, NULL, 'C'},
+ { "debug-controlmore", no_argument, NULL, 'M'},
+ { "debug-private", no_argument, NULL, 'X'},
+#endif
+ { 0,0,0,0 }
+ };
+
+ /* parse next option */
+ int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:m:t:x:APRCMS", long_opts, NULL);
+
+ switch (c)
+ {
+ case EOF: /* end of flags */
+ break;
+
+ case 'h': /* --help */
+ usage(NULL);
+
+ case 'v': /* --version */
+ version();
+
+ case 'q': /* --quiet */
+ log_to_stderr = FALSE;
+ continue;
+
+ case 'i': /* --in <type> [= <filename>] */
+ {
+ char *filename = strstr(optarg, "=");
+
+ if (filename)
+ {
+ /* replace '=' by '\0' */
+ *filename = '\0';
+ /* set pointer to start of filename */
+ filename++;
+ }
+ if (strcaseeq("pkcs1", optarg))
+ {
+ filetype_in |= PKCS1;
+ if (filename)
+ file_in_pkcs1 = filename;
+ }
+ else if (strcaseeq("cacert-enc", optarg))
+ {
+ filetype_in |= CACERT_ENC;
+ if (filename)
+ file_in_cacert_enc = filename;
+ }
+ else if (strcaseeq("cacert-sig", optarg))
+ {
+ filetype_in |= CACERT_SIG;
+ if (filename)
+ file_in_cacert_sig = filename;
+ }
+ else
+ {
+ usage("invalid --in file type");
+ }
+ continue;
+ }
+
+ case 'o': /* --out <type> [= <filename>] */
+ {
+ char *filename = strstr(optarg, "=");
+
+ if (filename)
+ {
+ /* replace '=' by '\0' */
+ *filename = '\0';
+ /* set pointer to start of filename */
+ filename++;
+ }
+ if (strcaseeq("pkcs1", optarg))
+ {
+ filetype_out |= PKCS1;
+ if (filename)
+ file_out_pkcs1 = filename;
+ }
+ else if (strcaseeq("pkcs10", optarg))
+ {
+ filetype_out |= PKCS10;
+ if (filename)
+ file_out_pkcs10 = filename;
+ }
+ else if (strcaseeq("pkcs7", optarg))
+ {
+ filetype_out |= PKCS7;
+ if (filename)
+ file_out_pkcs7 = filename;
+ }
+ else if (strcaseeq("cert-self", optarg))
+ {
+ filetype_out |= CERT_SELF;
+ if (filename)
+ file_out_cert_self = filename;
+ }
+ else if (strcaseeq("cert", optarg))
+ {
+ filetype_out |= CERT;
+ if (filename)
+ file_out_cert = filename;
+ }
+ else if (strcaseeq("cacert", optarg))
+ {
+ request_ca_certificate = TRUE;
+ if (filename)
+ file_out_prefix_cacert = filename;
+ }
+ else
+ {
+ usage("invalid --out file type");
+ }
+ continue;
+ }
+
+ case 'f': /* --force */
+ force = TRUE;
+ continue;
+
+ case '+': /* --optionsfrom <filename> */
+ if (!options->from(options, optarg, &argc, &argv, optind))
+ {
+ exit_scepclient("optionsfrom failed");
+ }
+ continue;
+
+ case 'k': /* --keylength <length> */
+ {
+ div_t q;
+
+ rsa_keylength = atoi(optarg);
+ if (rsa_keylength == 0)
+ usage("invalid keylength");
+
+ /* check if key length is a multiple of 8 bits */
+ q = div(rsa_keylength, 2*BITS_PER_BYTE);
+ if (q.rem != 0)
+ {
+ exit_scepclient("keylength is not a multiple of %d bits!"
+ , 2*BITS_PER_BYTE);
+ }
+ continue;
+ }
+
+ case 'D': /* --days */
+ if (optarg == NULL || !isdigit(optarg[0]))
+ usage("missing number of days");
+ {
+ char *endptr;
+ long days = strtol(optarg, &endptr, 0);
+
+ if (*endptr != '\0' || endptr == optarg
+ || days <= 0)
+ usage("<days> must be a positive number");
+ validity = 24*3600*days;
+ }
+ continue;
+
+ case 'S': /* --startdate */
+ if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
+ usage("date format must be YYMMDDHHMMSSZ");
+ {
+ chunk_t date = { optarg, 13 };
+ notBefore = asn1totime(&date, ASN1_UTCTIME);
+ }
+ continue;
+
+ case 'E': /* --enddate */
+ if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
+ usage("date format must be YYMMDDHHMMSSZ");
+ {
+ chunk_t date = { optarg, 13 };
+ notAfter = asn1totime(&date, ASN1_UTCTIME);
+ }
+ continue;
+
+ case 'd': /* --dn */
+ if (distinguishedName)
+ usage("only one distinguished name allowed");
+ distinguishedName = optarg;
+ continue;
+
+ case 's': /* --subjectAltName */
+ {
+ generalNames_t kind;
+ char *value = strstr(optarg, "=");
+
+ if (value)
+ {
+ /* replace '=' by '\0' */
+ *value = '\0';
+ /* set pointer to start of value */
+ value++;
+ }
+
+ if (strcaseeq("email", optarg))
+ {
+ kind = GN_RFC822_NAME;
+ }
+ else if (strcaseeq("dns", optarg))
+ {
+ kind = GN_DNS_NAME;
+ }
+ else if (strcaseeq("ip", optarg))
+ {
+ kind = GN_IP_ADDRESS;
+ }
+ else
+ {
+ usage("invalid --subjectAltName type");
+ continue;
+ }
+ pkcs10_add_subjectAltName(&subjectAltNames, kind, value);
+ continue;
+ }
+
+ case 'p': /* --password */
+ if (challengePassword.len > 0)
+ {
+ usage("only one challenge password allowed");
+ }
+ if (strcaseeq("%prompt", optarg))
+ {
+ printf("Challenge password: ");
+ if (fgets(challenge_password_buffer, sizeof(challenge_password_buffer)-1, stdin))
+ {
+ challengePassword.ptr = challenge_password_buffer;
+ /* discard the terminating '\n' from the input */
+ challengePassword.len = strlen(challenge_password_buffer) - 1;
+ }
+ else
+ {
+ usage("challenge password could not be read");
+ }
+ }
+ else
+ {
+ challengePassword.ptr = optarg;
+ challengePassword.len = strlen(optarg);
+ }
+ continue;
+
+ case 'u': /* -- url */
+ if (scep_url)
+ {
+ usage("only one URL argument allowed");
+ }
+ scep_url = optarg;
+ continue;
+
+ case 'm': /* --method */
+ if (strcaseeq("post", optarg))
+ {
+ request_type = FETCH_POST;
+ }
+ else if (strcaseeq("get", optarg))
+ {
+ request_type = FETCH_GET;
+ }
+ else
+ {
+ usage("invalid http request method specified");
+ }
+ continue;
+
+ case 't': /* --interval */
+ poll_interval = atoi(optarg);
+ if (poll_interval <= 0)
+ {
+ usage("invalid interval specified");
+ }
+ continue;
+
+ case 'x': /* --maxpolltime */
+ max_poll_time = atoi(optarg);
+ if (max_poll_time < 0)
+ {
+ usage("invalid maxpolltime specified");
+ }
+ continue;
+
+ case 'a': /*--algorithm */
+ if (strcaseeq("des-cbc", optarg))
+ {
+ pkcs7_symmetric_cipher = OID_DES_CBC;
+ }
+ else if (strcaseeq("3des-cbc", optarg))
+ {
+ pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
+ }
+ else
+ {
+ usage("invalid encryption algorithm specified");
+ }
+ continue;
#ifdef DEBUG
- { "debug-all", no_argument, NULL, 'A' },
- { "debug-parsing", no_argument, NULL, 'P'},
- { "debug-raw", no_argument, NULL, 'R'},
- { "debug-control", no_argument, NULL, 'C'},
- { "debug-controlmore", no_argument, NULL, 'M'},
- { "debug-private", no_argument, NULL, 'X'},
+ case 'A': /* --debug-all */
+ base_debugging |= DBG_ALL;
+ continue;
+ case 'P': /* debug parsing */
+ base_debugging |= DBG_PARSING;
+ continue;
+ case 'R': /* debug raw */
+ base_debugging |= DBG_RAW;
+ continue;
+ case 'C': /* debug control */
+ base_debugging |= DBG_CONTROL;
+ continue;
+ case 'M': /* debug control more */
+ base_debugging |= DBG_CONTROLMORE;
+ continue;
+ case 'X': /* debug private */
+ base_debugging |= DBG_PRIVATE;
+ continue;
#endif
- { 0,0,0,0 }
- };
+ default:
+ usage("unknown option");
+ }
+ /* break from loop */
+ break;
+ }
+
+ /* enable scepclient bugging hook */
+ dbg = scepclient_dbg;
- /* parse next option */
- int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:m:t:x:APRCMS", long_opts, NULL);
+ init_log("scepclient");
+ cur_debugging = base_debugging;
+ init_rnd_pool();
+ init_fetch();
- switch (c)
+ if ((filetype_out == 0) && (!request_ca_certificate))
{
- case EOF: /* end of flags */
- break;
+ usage ("--out filetype required");
+ }
+ if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0))
+ {
+ usage("in CA certificate request, no other --in or --out option allowed");
+ }
- case 'h': /* --help */
- usage(NULL);
+ /* check if url is given, if cert output defined */
+ if (((filetype_out & CERT) || request_ca_certificate) && !scep_url)
+ {
+ usage("URL of SCEP server required");
+ }
- case 'v': /* --version */
- version();
+ /* check for sanity of --in/--out */
+ if (!filetype_in && (filetype_in > filetype_out))
+ {
+ usage("cannot generate --out of given --in!");
+ }
- case 'q': /* --quiet */
- log_to_stderr = FALSE;
- continue;
+ /*
+ * input of PKCS#1 file
+ */
+ private_key = malloc_thing(RSA_private_key_t);
- case 'i': /* --in <type> [= <filename>] */
- {
- char *filename = strstr(optarg, "=");
+ if (filetype_in & PKCS1) /* load an RSA key pair from file */
+ {
+ prompt_pass_t pass = { "", FALSE, STDIN_FILENO };
+ const char *path = concatenate_paths(PRIVATE_KEY_PATH, file_in_pkcs1);
- if (filename)
- {
- /* replace '=' by '\0' */
- *filename = '\0';
- /* set pointer to start of filename */
- filename++;
- }
- if (strcaseeq("pkcs1", optarg))
- {
- filetype_in |= PKCS1;
- if (filename)
- file_in_pkcs1 = filename;
- }
- else if (strcaseeq("cacert-enc", optarg))
- {
- filetype_in |= CACERT_ENC;
- if (filename)
- file_in_cacert_enc = filename;
- }
- else if (strcaseeq("cacert-sig", optarg))
- {
- filetype_in |= CACERT_SIG;
- if (filename)
- file_in_cacert_sig = filename;
- }
- else
- {
- usage("invalid --in file type");
- }
- continue;
- }
+ ugh = load_rsa_private_key(path, &pass, private_key);
+ }
+ else /* generate an RSA key pair */
+ {
+ ugh = generate_rsa_private_key(rsa_keylength, private_key);
+ }
+ if (ugh != NULL)
+ exit_scepclient(ugh);
- case 'o': /* --out <type> [= <filename>] */
- {
- char *filename = strstr(optarg, "=");
+ /* check for minimum key length */
+ if ((private_key->pub.k) < RSA_MIN_OCTETS)
+ {
+ exit_scepclient("length of RSA key has to be at least %d bits"
+ ,RSA_MIN_OCTETS * BITS_PER_BYTE);
+ }
- if (filename)
- {
- /* replace '=' by '\0' */
- *filename = '\0';
- /* set pointer to start of filename */
- filename++;
- }
- if (strcaseeq("pkcs1", optarg))
- {
- filetype_out |= PKCS1;
- if (filename)
- file_out_pkcs1 = filename;
- }
- else if (strcaseeq("pkcs10", optarg))
- {
- filetype_out |= PKCS10;
- if (filename)
- file_out_pkcs10 = filename;
- }
- else if (strcaseeq("pkcs7", optarg))
- {
- filetype_out |= PKCS7;
- if (filename)
- file_out_pkcs7 = filename;
- }
- else if (strcaseeq("cert-self", optarg))
- {
- filetype_out |= CERT_SELF;
- if (filename)
- file_out_cert_self = filename;
- }
- else if (strcaseeq("cert", optarg))
- {
- filetype_out |= CERT;
- if (filename)
- file_out_cert = filename;
- }
- else if (strcaseeq("cacert", optarg))
- {
- request_ca_certificate = TRUE;
- if (filename)
- file_out_prefix_cacert = filename;
- }
- else
- {
- usage("invalid --out file type");
- }
- continue;
- }
-
- case 'f': /* --force */
- force = TRUE;
- continue;
-
- case '+': /* --optionsfrom <filename> */
- if (!options->from(options, optarg, &argc, &argv, optind))
- {
- exit_scepclient("optionsfrom failed");
- }
- continue;
-
- case 'k': /* --keylength <length> */
- {
- div_t q;
-
- rsa_keylength = atoi(optarg);
- if (rsa_keylength == 0)
- usage("invalid keylength");
-
- /* check if key length is a multiple of 8 bits */
- q = div(rsa_keylength, 2*BITS_PER_BYTE);
- if (q.rem != 0)
- {
- exit_scepclient("keylength is not a multiple of %d bits!"
- , 2*BITS_PER_BYTE);
- }
- continue;
- }
-
- case 'D': /* --days */
- if (optarg == NULL || !isdigit(optarg[0]))
- usage("missing number of days");
- {
- char *endptr;
- long days = strtol(optarg, &endptr, 0);
-
- if (*endptr != '\0' || endptr == optarg
- || days <= 0)
- usage("<days> must be a positive number");
- validity = 24*3600*days;
- }
- continue;
-
- case 'S': /* --startdate */
- if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
- usage("date format must be YYMMDDHHMMSSZ");
- {
- chunk_t date = { optarg, 13 };
- notBefore = asn1totime(&date, ASN1_UTCTIME);
- }
- continue;
-
- case 'E': /* --enddate */
- if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
- usage("date format must be YYMMDDHHMMSSZ");
- {
- chunk_t date = { optarg, 13 };
- notAfter = asn1totime(&date, ASN1_UTCTIME);
- }
- continue;
-
- case 'd': /* --dn */
- if (distinguishedName)
- usage("only one distinguished name allowed");
- distinguishedName = optarg;
- continue;
-
- case 's': /* --subjectAltName */
- {
- generalNames_t kind;
- char *value = strstr(optarg, "=");
-
- if (value)
- {
- /* replace '=' by '\0' */
- *value = '\0';
- /* set pointer to start of value */
- value++;
- }
+ /*
+ * input of PKCS#10 file
+ */
+ if (filetype_in & PKCS10)
+ {
+ /* user wants to load a pkcs10 request
+ * operation is not yet supported
+ * would require a PKCS#10 parsing function
- if (strcaseeq("email", optarg))
- {
- kind = GN_RFC822_NAME;
- }
- else if (strcaseeq("dns", optarg))
- {
- kind = GN_DNS_NAME;
- }
- else if (strcaseeq("ip", optarg))
- {
- kind = GN_IP_ADDRESS;
- }
- else
- {
- usage("invalid --subjectAltName type");
- continue;
- }
- pkcs10_add_subjectAltName(&subjectAltNames, kind, value);
- continue;
- }
-
- case 'p': /* --password */
- if (challengePassword.len > 0)
- {
- usage("only one challenge password allowed");
- }
- if (strcaseeq("%prompt", optarg))
- {
- printf("Challenge password: ");
- if (fgets(challenge_password_buffer, sizeof(challenge_password_buffer)-1, stdin))
+ pkcs10 = pkcs10_read_from_file(file_in_pkcs10);
+
+ */
+ }
+ else
+ {
+ char buf[IDTOA_BUF];
+ chunk_t dn = chunk_empty;
+
+ dn.ptr = buf;
+
+ if (distinguishedName == NULL)
{
- challengePassword.ptr = challenge_password_buffer;
- /* discard the terminating '\n' from the input */
- challengePassword.len = strlen(challenge_password_buffer) - 1;
+ char buf[BUF_LEN];
+ int n = sprintf(buf, DEFAULT_DN);
+
+ /* set the common name to the hostname */
+ if (gethostname(buf + n, BUF_LEN - n) || strlen(buf) == n)
+ {
+ exit_scepclient("no hostname defined, use "
+ "--dn <distinguished name> option");
+ }
+ distinguishedName = buf;
}
- else
+
+ DBG(DBG_CONTROL,
+ DBG_log("dn: '%s'", distinguishedName);
+ )
+ ugh = atodn(distinguishedName, &dn);
+ if (ugh != NULL)
{
- usage("challenge password could not be read");
+ exit_scepclient(ugh);
}
- }
- else
- {
- challengePassword.ptr = optarg;
- challengePassword.len = strlen(optarg);
- }
- continue;
-
- case 'u': /* -- url */
- if (scep_url)
- {
- usage("only one URL argument allowed");
- }
- scep_url = optarg;
- continue;
-
- case 'm': /* --method */
- if (strcaseeq("post", optarg))
- {
- request_type = FETCH_POST;
- }
- else if (strcaseeq("get", optarg))
- {
- request_type = FETCH_GET;
- }
- else
- {
- usage("invalid http request method specified");
- }
- continue;
-
- case 't': /* --interval */
- poll_interval = atoi(optarg);
- if (poll_interval <= 0)
- {
- usage("invalid interval specified");
- }
- continue;
-
- case 'x': /* --maxpolltime */
- max_poll_time = atoi(optarg);
- if (max_poll_time < 0)
- {
- usage("invalid maxpolltime specified");
- }
- continue;
-
- case 'a': /*--algorithm */
- if (strcaseeq("des-cbc", optarg))
- {
- pkcs7_symmetric_cipher = OID_DES_CBC;
- }
- else if (strcaseeq("3des-cbc", optarg))
- {
- pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
- }
- else
- {
- usage("invalid encryption algorithm specified");
- }
- continue;
-#ifdef DEBUG
- case 'A': /* --debug-all */
- base_debugging |= DBG_ALL;
- continue;
- case 'P': /* debug parsing */
- base_debugging |= DBG_PARSING;
- continue;
- case 'R': /* debug raw */
- base_debugging |= DBG_RAW;
- continue;
- case 'C': /* debug control */
- base_debugging |= DBG_CONTROL;
- continue;
- case 'M': /* debug control more */
- base_debugging |= DBG_CONTROLMORE;
- continue;
- case 'X': /* debug private */
- base_debugging |= DBG_PRIVATE;
- continue;
-#endif
- default:
- usage("unknown option");
+
+ subject = chunk_clone(dn);
+
+ DBG(DBG_CONTROL,
+ DBG_log("building pkcs10 object:")
+ )
+ pkcs10 = pkcs10_build(private_key, subject, challengePassword
+ , subjectAltNames, pkcs10_signature_alg);
+ scep_generate_pkcs10_fingerprint(pkcs10->request, &fingerprint);
+ plog(" fingerprint: %.*s", (int)fingerprint.len, fingerprint.ptr);
}
- /* break from loop */
- break;
- }
-
- /* enable scepclient bugging hook */
- dbg = scepclient_dbg;
-
- init_log("scepclient");
- cur_debugging = base_debugging;
- init_rnd_pool();
- init_fetch();
-
- if ((filetype_out == 0) && (!request_ca_certificate))
- {
- usage ("--out filetype required");
- }
- if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0))
- {
- usage("in CA certificate request, no other --in or --out option allowed");
- }
-
- /* check if url is given, if cert output defined */
- if (((filetype_out & CERT) || request_ca_certificate) && !scep_url)
- {
- usage("URL of SCEP server required");
- }
-
- /* check for sanity of --in/--out */
- if (!filetype_in && (filetype_in > filetype_out))
- {
- usage("cannot generate --out of given --in!");
- }
-
- /*
- * input of PKCS#1 file
- */
- private_key = malloc_thing(RSA_private_key_t);
-
- if (filetype_in & PKCS1) /* load an RSA key pair from file */
- {
- prompt_pass_t pass = { "", FALSE, STDIN_FILENO };
- const char *path = concatenate_paths(PRIVATE_KEY_PATH, file_in_pkcs1);
-
- ugh = load_rsa_private_key(path, &pass, private_key);
- }
- else /* generate an RSA key pair */
- {
- ugh = generate_rsa_private_key(rsa_keylength, private_key);
- }
- if (ugh != NULL)
- exit_scepclient(ugh);
-
- /* check for minimum key length */
- if ((private_key->pub.k) < RSA_MIN_OCTETS)
- {
- exit_scepclient("length of RSA key has to be at least %d bits"
- ,RSA_MIN_OCTETS * BITS_PER_BYTE);
- }
-
- /*
- * input of PKCS#10 file
- */
- if (filetype_in & PKCS10)
- {
- /* user wants to load a pkcs10 request
- * operation is not yet supported
- * would require a PKCS#10 parsing function
-
- pkcs10 = pkcs10_read_from_file(file_in_pkcs10);
-
- */
- }
- else
- {
- char buf[IDTOA_BUF];
- chunk_t dn = chunk_empty;
-
- dn.ptr = buf;
-
- if (distinguishedName == NULL)
+
+ /*
+ * output of PKCS#10 file
+ */
+ if (filetype_out & PKCS10)
{
- char buf[BUF_LEN];
- int n = sprintf(buf, DEFAULT_DN);
-
- /* set the common name to the hostname */
- if (gethostname(buf + n, BUF_LEN - n) || strlen(buf) == n)
- {
- exit_scepclient("no hostname defined, use "
- "--dn <distinguished name> option");
- }
- distinguishedName = buf;
+ const char *path = concatenate_paths(REQ_PATH, file_out_pkcs10);
+
+ if (!write_chunk(path, "pkcs10", pkcs10->request, 0022, force))
+ exit_scepclient("could not write pkcs10 file '%s'", path);
+
+ filetype_out &= ~PKCS10; /* delete PKCS10 flag */
}
- DBG(DBG_CONTROL,
- DBG_log("dn: '%s'", distinguishedName);
- )
- ugh = atodn(distinguishedName, &dn);
- if (ugh != NULL)
+ if (!filetype_out)
{
- exit_scepclient(ugh);
+ exit_scepclient(NULL); /* no further output required */
}
- subject = chunk_clone(dn);
-
- DBG(DBG_CONTROL,
- DBG_log("building pkcs10 object:")
- )
- pkcs10 = pkcs10_build(private_key, subject, challengePassword
- , subjectAltNames, pkcs10_signature_alg);
- scep_generate_pkcs10_fingerprint(pkcs10->request, &fingerprint);
- plog(" fingerprint: %.*s", (int)fingerprint.len, fingerprint.ptr);
- }
-
- /*
- * output of PKCS#10 file
- */
- if (filetype_out & PKCS10)
- {
- const char *path = concatenate_paths(REQ_PATH, file_out_pkcs10);
-
- if (!write_chunk(path, "pkcs10", pkcs10->request, 0022, force))
- exit_scepclient("could not write pkcs10 file '%s'", path);
-
- filetype_out &= ~PKCS10; /* delete PKCS10 flag */
- }
-
- if (!filetype_out)
- {
- exit_scepclient(NULL); /* no further output required */
- }
-
- /*
- * output of PKCS#1 file
- */
- if (filetype_out & PKCS1)
- {
- const char *path = concatenate_paths(PRIVATE_KEY_PATH, file_out_pkcs1);
-
- DBG(DBG_CONTROL,
- DBG_log("building pkcs1 object:")
- )
- pkcs1 = pkcs1_build_private_key(private_key);
-
- if (!write_chunk(path, "pkcs1", pkcs1, 0066, force))
- exit_scepclient("could not write pkcs1 file '%s'", path);
-
- filetype_out &= ~PKCS1; /* delete PKCS1 flag */
- }
-
- if (!filetype_out)
- {
- exit_scepclient(NULL); /* no further output required */
- }
-
- scep_generate_transaction_id((const RSA_public_key_t *)private_key
- , &transID, &serialNumber);
- plog(" transaction ID: %.*s", (int)transID.len, transID.ptr);
-
- /* generate a self-signed X.509 certificate */
- x509_signer = malloc_thing(x509cert_t);
- *x509_signer = empty_x509cert;
- x509_signer->serialNumber = serialNumber;
- x509_signer->sigAlg = OID_SHA1_WITH_RSA;
- x509_signer->issuer = subject;
- x509_signer->notBefore = (notBefore)? notBefore
- : time(NULL);
- x509_signer->notAfter = (notAfter)? notAfter
- : x509_signer->notBefore + validity;
- x509_signer->subject = subject;
- x509_signer->subjectAltName = subjectAltNames;
-
- build_x509cert(x509_signer, (const RSA_public_key_t *)private_key
- , private_key);
-
- /*
- * output of self-signed X.509 certificate file
- */
- if (filetype_out & CERT_SELF)
- {
- const char *path = concatenate_paths(HOST_CERT_PATH, file_out_cert_self);
-
- if (!write_chunk(path, "self-signed cert", x509_signer->certificate, 0022, force))
- exit_scepclient("could not write self-signed cert file '%s'", path);
-;
- filetype_out &= ~CERT_SELF; /* delete CERT_SELF flag */
- }
-
- if (!filetype_out)
- {
- exit_scepclient(NULL); /* no further output required */
- }
-
- /*
- * load ca encryption certificate
- */
- {
- const char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_enc);
- cert_t cert;
-
- if (!load_cert(path, "encryption cacert", &cert))
+ /*
+ * output of PKCS#1 file
+ */
+ if (filetype_out & PKCS1)
{
- exit_scepclient("could not load encryption cacert file '%s'", path);
- }
- x509_ca_enc = cert.u.x509;
- }
+ const char *path = concatenate_paths(PRIVATE_KEY_PATH, file_out_pkcs1);
- /*
- * input of PKCS#7 file
- */
- if (filetype_in & PKCS7)
- {
- /* user wants to load a pkcs7 encrypted request
- * operation is not yet supported!
- * would require additional parsing of transaction-id
+ DBG(DBG_CONTROL,
+ DBG_log("building pkcs1 object:")
+ )
+ pkcs1 = pkcs1_build_private_key(private_key);
- pkcs7 = pkcs7_read_from_file(file_in_pkcs7);
+ if (!write_chunk(path, "pkcs1", pkcs1, 0066, force))
+ exit_scepclient("could not write pkcs1 file '%s'", path);
- */
- }
- else
- {
- DBG(DBG_CONTROL,
- DBG_log("building pkcs7 request")
- )
- pkcs7 = scep_build_request(pkcs10->request
- , transID, SCEP_PKCSReq_MSG
- , x509_ca_enc, pkcs7_symmetric_cipher
- , x509_signer, pkcs7_digest_alg, private_key);
- }
-
- /*
- * output pkcs7 encrypted and signed certificate request
- */
- if (filetype_out & PKCS7)
- {
- const char *path = concatenate_paths(REQ_PATH, file_out_pkcs7);
-
- if (!write_chunk(path, "pkcs7 encrypted request", pkcs7, 0022, force))
- exit_scepclient("could not write pkcs7 file '%s'", path);
-;
- filetype_out &= ~PKCS7; /* delete PKCS7 flag */
- }
-
- if (!filetype_out)
- {
- exit_scepclient(NULL); /* no further output required */
- }
-
- /*
- * output certificate fetch from SCEP server
- */
- if (filetype_out & CERT)
- {
- const char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_sig);
- cert_t cert;
- time_t poll_start;
-
- x509cert_t *certs = NULL;
- chunk_t envelopedData = chunk_empty;
- chunk_t certData = chunk_empty;
- contentInfo_t data = empty_contentInfo;
- scep_attributes_t attrs = empty_scep_attributes;
-
- if (!load_cert(path, "signature cacert", &cert))
- exit_scepclient("could not load signature cacert file '%s'", path);
- x509_ca_sig = cert.u.x509;
-
- if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION
- , request_type, &scep_response))
- {
- exit_scepclient("did not receive a valid scep response");
+ filetype_out &= ~PKCS1; /* delete PKCS1 flag */
}
- ugh = scep_parse_response(scep_response, transID, &data, &attrs
- , x509_ca_sig);
- if (ugh != NULL)
+
+ if (!filetype_out)
{
- exit_scepclient(ugh);
+ exit_scepclient(NULL); /* no further output required */
}
- /* in case of manual mode, we are going into a polling loop */
- if (attrs.pkiStatus == SCEP_PENDING)
+ scep_generate_transaction_id((const RSA_public_key_t *)private_key
+ , &transID, &serialNumber);
+ plog(" transaction ID: %.*s", (int)transID.len, transID.ptr);
+
+ /* generate a self-signed X.509 certificate */
+ x509_signer = malloc_thing(x509cert_t);
+ *x509_signer = empty_x509cert;
+ x509_signer->serialNumber = serialNumber;
+ x509_signer->sigAlg = OID_SHA1_WITH_RSA;
+ x509_signer->issuer = subject;
+ x509_signer->notBefore = (notBefore)? notBefore
+ : time(NULL);
+ x509_signer->notAfter = (notAfter)? notAfter
+ : x509_signer->notBefore + validity;
+ x509_signer->subject = subject;
+ x509_signer->subjectAltName = subjectAltNames;
+
+ build_x509cert(x509_signer, (const RSA_public_key_t *)private_key
+ , private_key);
+
+ /*
+ * output of self-signed X.509 certificate file
+ */
+ if (filetype_out & CERT_SELF)
{
- plog(" scep request pending, polling every %d seconds"
- , poll_interval);
- time(&poll_start);
- issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc"
- , x509_ca_sig->subject
- , subject);
+ const char *path = concatenate_paths(HOST_CERT_PATH, file_out_cert_self);
+
+ if (!write_chunk(path, "self-signed cert", x509_signer->certificate, 0022, force))
+ exit_scepclient("could not write self-signed cert file '%s'", path);
+;
+ filetype_out &= ~CERT_SELF; /* delete CERT_SELF flag */
}
- while (attrs.pkiStatus == SCEP_PENDING)
+
+ if (!filetype_out)
{
- if (max_poll_time > 0
- && (time(NULL) - poll_start >= max_poll_time))
- {
- exit_scepclient("maximum poll time reached: %d seconds"
- , max_poll_time);
- }
- DBG(DBG_CONTROL,
- DBG_log("going to sleep for %d seconds", poll_interval)
- )
- sleep(poll_interval);
- free(scep_response.ptr);
-
- DBG(DBG_CONTROL,
- DBG_log("fingerprint: %.*s", (int)fingerprint.len, fingerprint.ptr);
- DBG_log("transaction ID: %.*s", (int)transID.len, transID.ptr)
- )
-
- chunk_free(&getCertInitial);
- getCertInitial = scep_build_request(issuerAndSubject
- , transID, SCEP_GetCertInitial_MSG
- , x509_ca_enc, pkcs7_symmetric_cipher
- , x509_signer, pkcs7_digest_alg, private_key);
-
- if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION
- , request_type, &scep_response))
- {
- exit_scepclient("did not receive a valid scep response");
- }
- ugh = scep_parse_response(scep_response, transID, &data, &attrs
- , x509_ca_sig);
- if (ugh != NULL)
- {
- exit_scepclient(ugh);
- }
+ exit_scepclient(NULL); /* no further output required */
}
- if (attrs.pkiStatus != SCEP_SUCCESS)
+ /*
+ * load ca encryption certificate
+ */
{
- exit_scepclient("reply status is not 'SUCCESS'");
+ const char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_enc);
+ cert_t cert;
+
+ if (!load_cert(path, "encryption cacert", &cert))
+ {
+ exit_scepclient("could not load encryption cacert file '%s'", path);
+ }
+ x509_ca_enc = cert.u.x509;
}
- envelopedData = data.content;
+ /*
+ * input of PKCS#7 file
+ */
+ if (filetype_in & PKCS7)
+ {
+ /* user wants to load a pkcs7 encrypted request
+ * operation is not yet supported!
+ * would require additional parsing of transaction-id
- if (data.type != OID_PKCS7_DATA
- || !parse_asn1_simple_object(&envelopedData, ASN1_OCTET_STRING, 0, "data"))
+ pkcs7 = pkcs7_read_from_file(file_in_pkcs7);
+
+ */
+ }
+ else
{
- exit_scepclient("contentInfo is not of type 'data'");
+ DBG(DBG_CONTROL,
+ DBG_log("building pkcs7 request")
+ )
+ pkcs7 = scep_build_request(pkcs10->request
+ , transID, SCEP_PKCSReq_MSG
+ , x509_ca_enc, pkcs7_symmetric_cipher
+ , x509_signer, pkcs7_digest_alg, private_key);
}
- if (!pkcs7_parse_envelopedData(envelopedData, &certData
- , serialNumber, private_key))
+
+ /*
+ * output pkcs7 encrypted and signed certificate request
+ */
+ if (filetype_out & PKCS7)
{
- exit_scepclient("could not decrypt envelopedData");
+ const char *path = concatenate_paths(REQ_PATH, file_out_pkcs7);
+
+ if (!write_chunk(path, "pkcs7 encrypted request", pkcs7, 0022, force))
+ exit_scepclient("could not write pkcs7 file '%s'", path);
+;
+ filetype_out &= ~PKCS7; /* delete PKCS7 flag */
}
- if (!pkcs7_parse_signedData(certData, NULL, &certs, NULL, NULL))
- {
- exit_scepclient("error parsing the scep response");
+
+ if (!filetype_out)
+ {
+ exit_scepclient(NULL); /* no further output required */
}
- chunk_free(&certData);
-
- /* store the end entity certificate */
- path = concatenate_paths(HOST_CERT_PATH, file_out_cert);
- while (certs != NULL)
- {
- bool stored = FALSE;
- x509cert_t *cert = certs;
-
- if (!cert->isCA)
- {
- if (stored)
- exit_scepclient("multiple certs received, only first stored");
- if (!write_chunk(path, "requested cert", cert->certificate, 0022, force))
- exit_scepclient("could not write cert file '%s'", path);
- stored = TRUE;
- }
- certs = certs->next;
- free_x509cert(cert);
+
+ /*
+ * output certificate fetch from SCEP server
+ */
+ if (filetype_out & CERT)
+ {
+ const char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_sig);
+ cert_t cert;
+ time_t poll_start;
+
+ x509cert_t *certs = NULL;
+ chunk_t envelopedData = chunk_empty;
+ chunk_t certData = chunk_empty;
+ contentInfo_t data = empty_contentInfo;
+ scep_attributes_t attrs = empty_scep_attributes;
+
+ if (!load_cert(path, "signature cacert", &cert))
+ exit_scepclient("could not load signature cacert file '%s'", path);
+ x509_ca_sig = cert.u.x509;
+
+ if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION
+ , request_type, &scep_response))
+ {
+ exit_scepclient("did not receive a valid scep response");
+ }
+ ugh = scep_parse_response(scep_response, transID, &data, &attrs
+ , x509_ca_sig);
+ if (ugh != NULL)
+ {
+ exit_scepclient(ugh);
+ }
+
+ /* in case of manual mode, we are going into a polling loop */
+ if (attrs.pkiStatus == SCEP_PENDING)
+ {
+ plog(" scep request pending, polling every %d seconds"
+ , poll_interval);
+ time(&poll_start);
+ issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc"
+ , x509_ca_sig->subject
+ , subject);
+ }
+ while (attrs.pkiStatus == SCEP_PENDING)
+ {
+ if (max_poll_time > 0
+ && (time(NULL) - poll_start >= max_poll_time))
+ {
+ exit_scepclient("maximum poll time reached: %d seconds"
+ , max_poll_time);
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("going to sleep for %d seconds", poll_interval)
+ )
+ sleep(poll_interval);
+ free(scep_response.ptr);
+
+ DBG(DBG_CONTROL,
+ DBG_log("fingerprint: %.*s", (int)fingerprint.len, fingerprint.ptr);
+ DBG_log("transaction ID: %.*s", (int)transID.len, transID.ptr)
+ )
+
+ chunk_free(&getCertInitial);
+ getCertInitial = scep_build_request(issuerAndSubject
+ , transID, SCEP_GetCertInitial_MSG
+ , x509_ca_enc, pkcs7_symmetric_cipher
+ , x509_signer, pkcs7_digest_alg, private_key);
+
+ if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION
+ , request_type, &scep_response))
+ {
+ exit_scepclient("did not receive a valid scep response");
+ }
+ ugh = scep_parse_response(scep_response, transID, &data, &attrs
+ , x509_ca_sig);
+ if (ugh != NULL)
+ {
+ exit_scepclient(ugh);
+ }
+ }
+
+ if (attrs.pkiStatus != SCEP_SUCCESS)
+ {
+ exit_scepclient("reply status is not 'SUCCESS'");
+ }
+
+ envelopedData = data.content;
+
+ if (data.type != OID_PKCS7_DATA
+ || !parse_asn1_simple_object(&envelopedData, ASN1_OCTET_STRING, 0, "data"))
+ {
+ exit_scepclient("contentInfo is not of type 'data'");
+ }
+ if (!pkcs7_parse_envelopedData(envelopedData, &certData
+ , serialNumber, private_key))
+ {
+ exit_scepclient("could not decrypt envelopedData");
+ }
+ if (!pkcs7_parse_signedData(certData, NULL, &certs, NULL, NULL))
+ {
+ exit_scepclient("error parsing the scep response");
+ }
+ chunk_free(&certData);
+
+ /* store the end entity certificate */
+ path = concatenate_paths(HOST_CERT_PATH, file_out_cert);
+ while (certs != NULL)
+ {
+ bool stored = FALSE;
+ x509cert_t *cert = certs;
+
+ if (!cert->isCA)
+ {
+ if (stored)
+ exit_scepclient("multiple certs received, only first stored");
+ if (!write_chunk(path, "requested cert", cert->certificate, 0022, force))
+ exit_scepclient("could not write cert file '%s'", path);
+ stored = TRUE;
+ }
+ certs = certs->next;
+ free_x509cert(cert);
+ }
+ filetype_out &= ~CERT; /* delete CERT flag */
}
- filetype_out &= ~CERT; /* delete CERT flag */
- }
- exit_scepclient(NULL);
- return -1; /* should never be reached */
+ exit_scepclient(NULL);
+ return -1; /* should never be reached */
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-03 16:17:09 +0000