diff options
author | Tobias Brunner <tobias@strongswan.org> | 2012-05-11 20:31:19 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2012-06-11 17:09:19 +0200 |
commit | c6a2aa49b4893c9de71fb68f4b822a4abdfc46d4 (patch) | |
tree | 39f27b9cf504029d9497f4e76a0f5ff3801fe581 /src | |
parent | ea92d4f305964f6f533fb7540467361ee3e33c4a (diff) | |
download | strongswan-c6a2aa49b4893c9de71fb68f4b822a4abdfc46d4.tar.bz2 strongswan-c6a2aa49b4893c9de71fb68f4b822a4abdfc46d4.tar.xz |
scepclient: Use pkcs7_t and pkcs9_t, remove all dependencies to pluto/libfreeswan.
Diffstat (limited to 'src')
-rw-r--r-- | src/scepclient/Makefile.am | 35 | ||||
-rw-r--r-- | src/scepclient/scep.c | 287 | ||||
-rw-r--r-- | src/scepclient/scep.h | 15 | ||||
-rw-r--r-- | src/scepclient/scepclient.c | 71 |
4 files changed, 119 insertions, 289 deletions
diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am index f764339d3..b10a56a16 100644 --- a/src/scepclient/Makefile.am +++ b/src/scepclient/Makefile.am @@ -3,34 +3,16 @@ scepclient_SOURCES = scepclient.c scep.c scep.h scepclient.o : $(top_builddir)/config.status -PLUTODIR=$(top_srcdir)/src/pluto -OPENACDIR=$(top_srcdir)/src/openac -WHACKDIR=$(top_srcdir)/src/whack -LIBFREESWANDIR=$(top_srcdir)/src/libfreeswan -LIBSTRONGSWANDIR=$(top_srcdir)/src/libstrongswan -LIBHYDRADIR=$(top_srcdir)/src/libhydra -LIBCRYPTODIR=$(top_srcdir)/src/libcrypto - INCLUDES = \ --I$(LIBFREESWANDIR) \ --I$(LIBSTRONGSWANDIR) \ --I$(LIBHYDRADIR) \ --I$(PLUTODIR) \ --I$(LIBCRYPTODIR) \ --I$(WHACKDIR) +-I$(top_srcdir)/src/libstrongswan \ +-I$(top_srcdir)/src/libhydra AM_CFLAGS = \ -DIPSEC_CONFDIR=\"${sysconfdir}\" \ --DPLUGINS=\""${scepclient_plugins}\"" \ --DNO_PLUTO - -LIBSTRONGSWANBUILDDIR=$(top_builddir)/src/libstrongswan -LIBFREESWANBUILDDIR=$(top_builddir)/src/libfreeswan +-DPLUGINS=\""${scepclient_plugins}\"" scepclient_LDADD = \ -constants.o defs.o pkcs7.o \ -$(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \ -$(LIBFREESWANBUILDDIR)/libfreeswan.a +$(top_builddir)/src/libstrongswan/libstrongswan.la # This compile option activates smartcard support if USE_SMARTCARD @@ -40,12 +22,3 @@ endif dist_man_MANS = scepclient.8 -constants.o : $(PLUTODIR)/constants.c $(PLUTODIR)/constants.h - $(COMPILE) $(INCLUDES) -c -o $@ $< - -defs.o : $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h - $(COMPILE) $(INCLUDES) -c -o $@ $< - -pkcs7.o : $(PLUTODIR)/pkcs7.c $(PLUTODIR)/pkcs7.h - $(COMPILE) $(INCLUDES) -c -o $@ $< - diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c index 5cf640fba..433fc6bf9 100644 --- a/src/scepclient/scep.c +++ b/src/scepclient/scep.c @@ -17,20 +17,15 @@ #include <string.h> #include <stdlib.h> -#include <freeswan.h> - #include <library.h> #include <debug.h> #include <asn1/asn1.h> #include <asn1/asn1_parser.h> #include <asn1/oid.h> +#include <crypto/pkcs9.h> #include <crypto/rngs/rng.h> #include <crypto/hashers/hasher.h> -#include "../pluto/constants.h" -#include "../pluto/defs.h" -#include "../pluto/fetch.h" - #include "scep.h" static const char *pkiStatus_values[] = { "0", "2", "3" }; @@ -70,178 +65,60 @@ const scep_attributes_t empty_scep_attributes = { { NULL, 0 } , /* recipientNonce */ }; -/* ASN.1 definition of the X.501 atttribute type */ - -static const asn1Object_t attributesObjects[] = { - { 0, "attributes", ASN1_SET, ASN1_LOOP }, /* 0 */ - { 1, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ - { 2, "type", ASN1_OID, ASN1_BODY }, /* 2 */ - { 2, "values", ASN1_SET, ASN1_LOOP }, /* 3 */ - { 3, "value", ASN1_EOC, ASN1_RAW }, /* 4 */ - { 2, "end loop", ASN1_EOC, ASN1_END }, /* 5 */ - { 0, "end loop", ASN1_EOC, ASN1_END }, /* 6 */ - { 0, "exit", ASN1_EOC, ASN1_EXIT } -}; -#define ATTRIBUTE_OBJ_TYPE 2 -#define ATTRIBUTE_OBJ_VALUE 4 - /** - * Extract and store an attribute + * Extract X.501 attributes */ -static bool extract_attribute(int oid, chunk_t object, u_int level, - scep_attributes_t *attrs) +void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs) { - asn1_t type = ASN1_EOC; - const char *name = "none"; + pkcs9_t *attributes = pkcs7->get_attributes(pkcs7); + chunk_t attr; - switch (oid) + attr = attributes->get_attribute(attributes, OID_PKI_MESSAGE_TYPE); + if (attr.ptr) { - case OID_PKCS9_CONTENT_TYPE: - type = ASN1_OID; - name = "contentType"; - break; - case OID_PKCS9_SIGNING_TIME: - type = ASN1_UTCTIME; - name = "signingTime"; - break; - case OID_PKCS9_MESSAGE_DIGEST: - type = ASN1_OCTET_STRING; - name = "messageDigest"; - break; - case OID_PKI_MESSAGE_TYPE: - type = ASN1_PRINTABLESTRING; - name = "messageType"; - break; - case OID_PKI_STATUS: - type = ASN1_PRINTABLESTRING; - name = "pkiStatus"; - break; - case OID_PKI_FAIL_INFO: - type = ASN1_PRINTABLESTRING; - name = "failInfo"; - break; - case OID_PKI_SENDER_NONCE: - type = ASN1_OCTET_STRING; - name = "senderNonce"; - break; - case OID_PKI_RECIPIENT_NONCE: - type = ASN1_OCTET_STRING; - name = "recipientNonce"; - break; - case OID_PKI_TRANS_ID: - type = ASN1_PRINTABLESTRING; - name = "transID"; - break; - default: - break; - } + scep_msg_t m; - if (type == ASN1_EOC) - { - return TRUE; - } - - if (!asn1_parse_simple_object(&object, type, level+1, name)) - { - return FALSE; - } - - switch (oid) - { - case OID_PKCS9_CONTENT_TYPE: - break; - case OID_PKCS9_SIGNING_TIME: - break; - case OID_PKCS9_MESSAGE_DIGEST: - break; - case OID_PKI_MESSAGE_TYPE: + for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++) { - scep_msg_t m; - - for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++) + if (strncmp(msgType_values[m], attr.ptr, attr.len) == 0) { - if (strncmp(msgType_values[m], object.ptr, object.len) == 0) - attrs->msgType = m; + attrs->msgType = m; } - DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]); - break; } - case OID_PKI_STATUS: - { - pkiStatus_t s; + DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]); + } + attr = attributes->get_attribute(attributes, OID_PKI_STATUS); + if (attr.ptr) + { + pkiStatus_t s; - for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++) - { - if (strncmp(pkiStatus_values[s], object.ptr, object.len) == 0) - { - attrs->pkiStatus = s; - } - } - DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]); - break; - } - case OID_PKI_FAIL_INFO: + for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++) { - if (object.len == 1 && - *object.ptr >= '0' && *object.ptr <= '4') + if (strncmp(pkiStatus_values[s], attr.ptr, attr.len) == 0) { - attrs->failInfo = (failInfo_t)(*object.ptr - '0'); + attrs->pkiStatus = s; } - if (attrs->failInfo != SCEP_unknown_REASON) - { - DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]); - } - break; } - case OID_PKI_SENDER_NONCE: - attrs->senderNonce = object; - break; - case OID_PKI_RECIPIENT_NONCE: - attrs->recipientNonce = object; - break; - case OID_PKI_TRANS_ID: - attrs->transID = object; - break; + DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]); } - return TRUE; -} - -/** - * Parse X.501 attributes - */ -bool parse_attributes(chunk_t blob, scep_attributes_t *attrs) -{ - asn1_parser_t *parser; - chunk_t object; - int oid = OID_UNKNOWN; - int objectID; - bool success = FALSE; - - parser = asn1_parser_create(attributesObjects, blob); - DBG3(DBG_APP, "parsing attributes"); - - while (parser->iterate(parser, &objectID, &object)) + attr = attributes->get_attribute(attributes, OID_PKI_FAIL_INFO); + if (attr.ptr) { - switch (objectID) + if (attr.len == 1 && *attr.ptr >= '0' && *attr.ptr <= '4') { - case ATTRIBUTE_OBJ_TYPE: - oid = asn1_known_oid(object); - break; - case ATTRIBUTE_OBJ_VALUE: - { - if (!extract_attribute(oid, object, parser->get_level(parser), attrs)) - { - goto end; - } - break; - } + attrs->failInfo = (failInfo_t)(*attr.ptr - '0'); + } + if (attrs->failInfo != SCEP_unknown_REASON) + { + DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]); } } - success = parser->success(parser); - -end: - parser->destroy(parser); - return success; + attrs->senderNonce = attributes->get_attribute(attributes, + OID_PKI_SENDER_NONCE); + attrs->recipientNonce = attributes->get_attribute(attributes, + OID_PKI_RECIPIENT_NONCE); + attrs->transID = attributes->get_attribute(attributes, + OID_PKI_TRANS_ID); } /** @@ -304,36 +181,9 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID, } /** - * Builds a transId attribute - */ -chunk_t scep_transId_attribute(chunk_t transID) -{ - return asn1_wrap(ASN1_SEQUENCE, "cm", - asn1_build_known_oid(OID_PKI_TRANS_ID), - asn1_wrap(ASN1_SET, "m", - asn1_simple_object(ASN1_PRINTABLESTRING, transID))); -} - -/** - * Builds a messageType attribute - */ -chunk_t scep_messageType_attribute(scep_msg_t m) -{ - chunk_t msgType = { - (u_char*)msgType_values[m], - strlen(msgType_values[m]) - }; - - return asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_build_known_oid(OID_PKI_MESSAGE_TYPE), - asn1_wrap(ASN1_SET, "m", - asn1_simple_object(ASN1_PRINTABLESTRING, msgType))); -} - -/** - * Builds a senderNonce attribute + * Adds a senderNonce attribute to the given pkcs9 attribute list */ -chunk_t scep_senderNonce_attribute(void) +static void add_senderNonce_attribute(pkcs9_t *pkcs9) { const size_t nonce_len = 16; u_char nonce_buf[nonce_len]; @@ -344,35 +194,45 @@ chunk_t scep_senderNonce_attribute(void) rng->get_bytes(rng, nonce_len, nonce_buf); rng->destroy(rng); - return asn1_wrap(ASN1_SEQUENCE, "cm", - asn1_build_known_oid(OID_PKI_SENDER_NONCE), - asn1_wrap(ASN1_SET, "m", - asn1_simple_object(ASN1_OCTET_STRING, senderNonce))); + pkcs9->set_attribute(pkcs9, OID_PKI_SENDER_NONCE, senderNonce); } /** * Builds a pkcs7 enveloped and signed scep request */ chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg, - certificate_t *enc_cert, int enc_alg, - certificate_t *signer_cert, int digest_alg, - private_key_t *private_key) + certificate_t *enc_cert, encryption_algorithm_t enc_alg, + size_t key_size, certificate_t *signer_cert, + hash_algorithm_t digest_alg, private_key_t *private_key) { - chunk_t envelopedData, attributes, request; + chunk_t request, msgType = { + (u_char*)msgType_values[msg], + strlen(msgType_values[msg]), + }; + pkcs7_t *pkcs7; + pkcs9_t *pkcs9; - envelopedData = pkcs7_build_envelopedData(data, enc_cert, enc_alg); + pkcs7 = pkcs7_create_from_data(data); + if (!pkcs7->build_envelopedData(pkcs7, enc_cert, enc_alg, key_size)) + { + pkcs7->destroy(pkcs7); + return chunk_empty; + } - attributes = asn1_wrap(ASN1_SET, "mmmmm", - pkcs7_contentType_attribute(), - pkcs7_messageDigest_attribute(envelopedData, digest_alg), - scep_transId_attribute(transID), - scep_messageType_attribute(msg), - scep_senderNonce_attribute()); + pkcs9 = pkcs9_create(); + pkcs9->set_attribute(pkcs9, OID_PKI_TRANS_ID, transID); + pkcs9->set_attribute(pkcs9, OID_PKI_MESSAGE_TYPE, msgType); + add_senderNonce_attribute(pkcs9); - request = pkcs7_build_signedData(envelopedData, attributes, - signer_cert, digest_alg, private_key); - free(envelopedData.ptr); - free(attributes.ptr); + pkcs7->set_attributes(pkcs7, pkcs9); + pkcs7->set_certificate(pkcs7, signer_cert->get_ref(signer_cert)); + if (!pkcs7->build_signedData(pkcs7, private_key, digest_alg)) + { + pkcs7->destroy(pkcs7); + return chunk_empty; + } + request = pkcs7->get_contentInfo(pkcs7); + pkcs7->destroy(pkcs7); return request; } @@ -508,22 +368,23 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op, return (status == SUCCESS); } -err_t scep_parse_response(chunk_t response, chunk_t transID, contentInfo_t *data, +err_t scep_parse_response(chunk_t response, chunk_t transID, pkcs7_t **data, scep_attributes_t *attrs, certificate_t *signer_cert) { - chunk_t attributes; + pkcs7_t *pkcs7; - if (!pkcs7_parse_signedData(response, data, NULL, &attributes, signer_cert)) + pkcs7 = pkcs7_create_from_chunk(response, 0); + if (!pkcs7 || !pkcs7->parse_signedData(pkcs7, signer_cert)) { + DESTROY_IF(pkcs7); return "error parsing the scep response"; } - if (!parse_attributes(attributes, attrs)) - { - return "error parsing the scep response attributes"; - } + extract_attributes(pkcs7, attrs); if (!chunk_equals(transID, attrs->transID)) { + pkcs7->destroy(pkcs7); return "transaction ID of scep response does not match"; } + *data = pkcs7; return NULL; } diff --git a/src/scepclient/scep.h b/src/scepclient/scep.h index 76bf21033..6227faba4 100644 --- a/src/scepclient/scep.h +++ b/src/scepclient/scep.h @@ -1,4 +1,5 @@ /* + * Copyright (C) 2012 Tobias Brunner * Copyright (C) 2005 Jan Hutter, Martin Willi * Hochschule fuer Technik Rapperswil * @@ -16,11 +17,9 @@ #ifndef _SCEP_H #define _SCEP_H +#include <crypto/pkcs7.h> #include <credentials/certificates/certificate.h> -#include "../pluto/defs.h" -#include "../pluto/pkcs7.h" - /* supported SCEP operation types */ typedef enum { SCEP_PKI_OPERATION, @@ -76,13 +75,13 @@ chunk_t scep_transId_attribute(chunk_t transaction_id); chunk_t scep_messageType_attribute(scep_msg_t m); chunk_t scep_senderNonce_attribute(void); chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg, - certificate_t *enc_cert, int enc_alg, - certificate_t *signer_cert, int digest_alg, - private_key_t *private_key); + certificate_t *enc_cert, encryption_algorithm_t enc_alg, + size_t key_size, certificate_t *signer_cert, + hash_algorithm_t digest_alg, private_key_t *private_key); bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op, - bool http_get_request, chunk_t *response); + bool http_get_request, chunk_t *response); err_t scep_parse_response(chunk_t response, chunk_t transID, - contentInfo_t *data, scep_attributes_t *attrs, + pkcs7_t **data, scep_attributes_t *attrs, certificate_t *signer_cert); #endif /* _SCEP_H */ diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c index fa2982f35..d502fc250 100644 --- a/src/scepclient/scepclient.c +++ b/src/scepclient/scepclient.c @@ -25,8 +25,6 @@ #include <limits.h> #include <syslog.h> -#include <freeswan.h> - #include <library.h> #include <debug.h> #include <asn1/asn1.h> @@ -44,11 +42,6 @@ #include <credentials/certificates/pkcs10.h> #include <plugins/plugin.h> -#include "../pluto/constants.h" -#include "../pluto/defs.h" -#include "../pluto/certs.h" -#include "../pluto/pkcs7.h" - #include "scep.h" /* @@ -97,6 +90,9 @@ /* default distinguished name */ #define DEFAULT_DN "C=CH, O=Linux strongSwan, CN=" +/* minimum RSA key size */ +#define RSA_MIN_OCTETS (512 / BITS_PER_BYTE) + /* challenge password buffer size */ #define MAX_PASSWORD_LENGTH 256 @@ -401,10 +397,11 @@ int main(int argc, char **argv) char challenge_password_buffer[MAX_PASSWORD_LENGTH]; /* symmetric encryption algorithm used by pkcs7, default is 3DES */ - int pkcs7_symmetric_cipher = OID_3DES_EDE_CBC; + encryption_algorithm_t pkcs7_symmetric_cipher = ENCR_3DES; + size_t pkcs7_key_size = 0; /* digest algorithm used by pkcs7, default is SHA-1 */ - int pkcs7_digest_alg = OID_SHA1; + hash_algorithm_t pkcs7_digest_alg = HASH_SHA1; /* signature algorithm used by pkcs10, default is SHA-1 */ hash_algorithm_t pkcs10_signature_alg = HASH_SHA1; @@ -767,9 +764,10 @@ int main(int argc, char **argv) { usage("invalid algorithm specified"); } - pkcs7_symmetric_cipher = encryption_algorithm_to_oid( - token->algorithm, token->keysize); - if (pkcs7_symmetric_cipher == OID_UNKNOWN) + pkcs7_symmetric_cipher = token->algorithm; + pkcs7_key_size = token->keysize; + if (encryption_algorithm_to_oid(token->algorithm, + token->keysize) == OID_UNKNOWN) { usage("unsupported encryption algorithm specified"); } @@ -1043,9 +1041,13 @@ int main(int argc, char **argv) { DBG2(DBG_APP, "building pkcs7 request"); pkcs7 = scep_build_request(pkcs10_encoding, - transID, SCEP_PKCSReq_MSG, - x509_ca_enc, pkcs7_symmetric_cipher, + transID, SCEP_PKCSReq_MSG, x509_ca_enc, + pkcs7_symmetric_cipher, pkcs7_key_size, x509_signer, pkcs7_digest_alg, private_key); + if (!pkcs7.ptr) + { + exit_scepclient("failed to build pkcs7 request"); + } } /* @@ -1079,12 +1081,8 @@ int main(int argc, char **argv) enumerator_t *enumerator; char path[PATH_MAX]; time_t poll_start = 0; - - linked_list_t *certs = linked_list_create(); - chunk_t envelopedData = chunk_empty; - chunk_t certData = chunk_empty; - contentInfo_t data = empty_contentInfo; - scep_attributes_t attrs = empty_scep_attributes; + pkcs7_t *data = NULL; + scep_attributes_t attrs = empty_scep_attributes; join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_sig); @@ -1130,6 +1128,7 @@ int main(int argc, char **argv) DBG2(DBG_APP, "going to sleep for %d seconds", poll_interval); sleep(poll_interval); free(scep_response.ptr); + data->destroy(data); DBG2(DBG_APP, "fingerprint: %.*s", (int)fingerprint.len, fingerprint.ptr); @@ -1138,10 +1137,13 @@ int main(int argc, char **argv) chunk_free(&getCertInitial); getCertInitial = scep_build_request(issuerAndSubject, - transID, SCEP_GetCertInitial_MSG, - x509_ca_enc, pkcs7_symmetric_cipher, - x509_signer, pkcs7_digest_alg, private_key); - + transID, SCEP_GetCertInitial_MSG, x509_ca_enc, + pkcs7_symmetric_cipher, pkcs7_key_size, + x509_signer, pkcs7_digest_alg, private_key); + if (!getCertInitial.ptr) + { + exit_scepclient("failed to build scep request"); + } if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION, http_get_request, &scep_response)) { @@ -1157,31 +1159,25 @@ int main(int argc, char **argv) if (attrs.pkiStatus != SCEP_SUCCESS) { + data->destroy(data); exit_scepclient("reply status is not 'SUCCESS'"); } - envelopedData = data.content; - - if (data.type != OID_PKCS7_DATA || - !asn1_parse_simple_object(&envelopedData, ASN1_OCTET_STRING, 0, "data")) - { - exit_scepclient("contentInfo is not of type 'data'"); - } - if (!pkcs7_parse_envelopedData(envelopedData, &certData, - serialNumber, private_key)) + if (!data->parse_envelopedData(data, serialNumber, private_key)) { + data->destroy(data); exit_scepclient("could not decrypt envelopedData"); } - if (!pkcs7_parse_signedData(certData, NULL, certs, NULL, NULL)) + if (!data->parse_signedData(data, NULL)) { + data->destroy(data); exit_scepclient("error parsing the scep response"); } - chunk_free(&certData); /* store the end entity certificate */ join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert); - enumerator = certs->create_enumerator(certs); + enumerator = data->create_certificate_enumerator(data); while (enumerator->enumerate(enumerator, &cert)) { x509_t *x509 = (x509_t*)cert; @@ -1201,7 +1197,8 @@ int main(int argc, char **argv) stored = TRUE; } } - certs->destroy_offset(certs, offsetof(certificate_t, destroy)); + enumerator->destroy(enumerator); + data->destroy(data); filetype_out &= ~CERT; /* delete CERT flag */ } |