scepclient: Use pkcs7_t and pkcs9_t, remove all dependencies to pluto/libfreeswan.

4 files changed, 119 insertions, 289 deletions

diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am
index f764339d3..b10a56a16 100644
--- a/src/scepclient/Makefile.am
+++ b/src/scepclient/Makefile.am
@@ -3,34 +3,16 @@ scepclient_SOURCES = scepclient.c scep.c scep.h
 
 scepclient.o :	$(top_builddir)/config.status
 
-PLUTODIR=$(top_srcdir)/src/pluto
-OPENACDIR=$(top_srcdir)/src/openac
-WHACKDIR=$(top_srcdir)/src/whack
-LIBFREESWANDIR=$(top_srcdir)/src/libfreeswan
-LIBSTRONGSWANDIR=$(top_srcdir)/src/libstrongswan
-LIBHYDRADIR=$(top_srcdir)/src/libhydra
-LIBCRYPTODIR=$(top_srcdir)/src/libcrypto
-
 INCLUDES = \
--I$(LIBFREESWANDIR) \
--I$(LIBSTRONGSWANDIR) \
--I$(LIBHYDRADIR) \
--I$(PLUTODIR) \
--I$(LIBCRYPTODIR) \
--I$(WHACKDIR)
+-I$(top_srcdir)/src/libstrongswan \
+-I$(top_srcdir)/src/libhydra
 
 AM_CFLAGS = \
 -DIPSEC_CONFDIR=\"${sysconfdir}\" \
--DPLUGINS=\""${scepclient_plugins}\"" \
--DNO_PLUTO
-
-LIBSTRONGSWANBUILDDIR=$(top_builddir)/src/libstrongswan
-LIBFREESWANBUILDDIR=$(top_builddir)/src/libfreeswan
+-DPLUGINS=\""${scepclient_plugins}\""
 
 scepclient_LDADD = \
-constants.o defs.o pkcs7.o \
-$(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \
-$(LIBFREESWANBUILDDIR)/libfreeswan.a
+$(top_builddir)/src/libstrongswan/libstrongswan.la
 
 # This compile option activates smartcard support
 if USE_SMARTCARD
@@ -40,12 +22,3 @@ endif
 
 dist_man_MANS = scepclient.8
 
-constants.o :	$(PLUTODIR)/constants.c $(PLUTODIR)/constants.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-defs.o : 	$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-pkcs7.o :	$(PLUTODIR)/pkcs7.c $(PLUTODIR)/pkcs7.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c
index 5cf640fba..433fc6bf9 100644
--- a/src/scepclient/scep.c
+++ b/src/scepclient/scep.c
@@ -17,20 +17,15 @@
 #include <string.h>
 #include <stdlib.h>
 
-#include <freeswan.h>
-
 #include <library.h>
 #include <debug.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 #include <asn1/oid.h>
+#include <crypto/pkcs9.h>
 #include <crypto/rngs/rng.h>
 #include <crypto/hashers/hasher.h>
 
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/fetch.h"
-
 #include "scep.h"
 
 static const char *pkiStatus_values[] = { "0", "2", "3" };
@@ -70,178 +65,60 @@ const scep_attributes_t empty_scep_attributes = {
 	{ NULL, 0 }        , /* recipientNonce */
 };
 
-/* ASN.1 definition of the X.501 atttribute type */
-
-static const asn1Object_t attributesObjects[] = {
-	{ 0, "attributes",    ASN1_SET,       ASN1_LOOP }, /* 0 */
-	{ 1,   "attribute",   ASN1_SEQUENCE,  ASN1_NONE }, /* 1 */
-	{ 2,     "type",      ASN1_OID,       ASN1_BODY }, /* 2 */
-	{ 2,     "values",    ASN1_SET,       ASN1_LOOP }, /* 3 */
-	{ 3,       "value",   ASN1_EOC,       ASN1_RAW  }, /* 4 */
-	{ 2,     "end loop",  ASN1_EOC,       ASN1_END  }, /* 5 */
-	{ 0, "end loop",      ASN1_EOC,       ASN1_END  }, /* 6 */
-	{ 0, "exit",          ASN1_EOC,       ASN1_EXIT	}
-};
-#define ATTRIBUTE_OBJ_TYPE      2
-#define ATTRIBUTE_OBJ_VALUE     4
-
 /**
- * Extract and store an attribute
+ * Extract X.501 attributes
  */
-static bool extract_attribute(int oid, chunk_t object, u_int level,
-							  scep_attributes_t *attrs)
+void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs)
 {
-	asn1_t type = ASN1_EOC;
-	const char *name = "none";
+	pkcs9_t *attributes = pkcs7->get_attributes(pkcs7);
+	chunk_t attr;
 
-	switch (oid)
+	attr = attributes->get_attribute(attributes, OID_PKI_MESSAGE_TYPE);
+	if (attr.ptr)
 	{
-		case OID_PKCS9_CONTENT_TYPE:
-			type = ASN1_OID;
-			name = "contentType";
-			break;
-		case OID_PKCS9_SIGNING_TIME:
-			type = ASN1_UTCTIME;
-			name = "signingTime";
-			break;
-		case OID_PKCS9_MESSAGE_DIGEST:
-			type = ASN1_OCTET_STRING;
-			name = "messageDigest";
-			break;
-		case OID_PKI_MESSAGE_TYPE:
-			type = ASN1_PRINTABLESTRING;
-			name = "messageType";
-			break;
-		case OID_PKI_STATUS:
-			type = ASN1_PRINTABLESTRING;
-			name = "pkiStatus";
-			break;
-		case OID_PKI_FAIL_INFO:
-			type = ASN1_PRINTABLESTRING;
-			name = "failInfo";
-			break;
-		case OID_PKI_SENDER_NONCE:
-			type = ASN1_OCTET_STRING;
-			name = "senderNonce";
-			 break;
-		case OID_PKI_RECIPIENT_NONCE:
-			type = ASN1_OCTET_STRING;
-			name = "recipientNonce";
-			break;
-		case OID_PKI_TRANS_ID:
-			type = ASN1_PRINTABLESTRING;
-			name = "transID";
-			break;
-		default:
-			break;
-	}
+		scep_msg_t m;
 
-	if (type == ASN1_EOC)
-	{
-		return TRUE;
-	}
-
-	if (!asn1_parse_simple_object(&object, type, level+1, name))
-	{
-		return FALSE;
-	}
-
-	switch (oid)
-	{
-		case OID_PKCS9_CONTENT_TYPE:
-			break;
-		case OID_PKCS9_SIGNING_TIME:
-			break;
-		case OID_PKCS9_MESSAGE_DIGEST:
-			break;
-		case OID_PKI_MESSAGE_TYPE:
+		for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
 		{
-			scep_msg_t m;
-
-			for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
+			if (strncmp(msgType_values[m], attr.ptr, attr.len) == 0)
 			{
-				if (strncmp(msgType_values[m], object.ptr, object.len) == 0)
-					attrs->msgType = m;
+				attrs->msgType = m;
 			}
-			DBG2(DBG_APP, "messageType:  %s", msgType_names[attrs->msgType]);
-			break;
 		}
-		case OID_PKI_STATUS:
-		{
-			pkiStatus_t s;
+		DBG2(DBG_APP, "messageType:  %s", msgType_names[attrs->msgType]);
+	}
+	attr = attributes->get_attribute(attributes, OID_PKI_STATUS);
+	if (attr.ptr)
+	{
+		pkiStatus_t s;
 
-			for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
-			{
-				if (strncmp(pkiStatus_values[s], object.ptr, object.len) == 0)
-				{
-					attrs->pkiStatus = s;
-				}
-			}
-			DBG2(DBG_APP, "pkiStatus:    %s", pkiStatus_names[attrs->pkiStatus]);
-			break;
-		}
-		case OID_PKI_FAIL_INFO:
+		for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
 		{
-			if (object.len == 1 &&
-				*object.ptr >= '0' && *object.ptr <= '4')
+			if (strncmp(pkiStatus_values[s], attr.ptr, attr.len) == 0)
 			{
-				attrs->failInfo = (failInfo_t)(*object.ptr - '0');
+				attrs->pkiStatus = s;
 			}
-			if (attrs->failInfo != SCEP_unknown_REASON)
-			{
-				DBG1(DBG_APP, "failInfo:     %s", failInfo_reasons[attrs->failInfo]);
-			}
-			break;
 		}
-		case OID_PKI_SENDER_NONCE:
-			attrs->senderNonce = object;
-			break;
-		case OID_PKI_RECIPIENT_NONCE:
-			attrs->recipientNonce = object;
-			break;
-		case OID_PKI_TRANS_ID:
-			attrs->transID = object;
-			break;
+		DBG2(DBG_APP, "pkiStatus:    %s", pkiStatus_names[attrs->pkiStatus]);
 	}
-	return TRUE;
-}
-
-/**
- * Parse X.501 attributes
- */
-bool parse_attributes(chunk_t blob, scep_attributes_t *attrs)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int oid = OID_UNKNOWN;
-	int objectID;
-	bool success = FALSE;
-
-	parser = asn1_parser_create(attributesObjects, blob);
-	DBG3(DBG_APP, "parsing attributes");
-
-	while (parser->iterate(parser, &objectID, &object))
+	attr = attributes->get_attribute(attributes, OID_PKI_FAIL_INFO);
+	if (attr.ptr)
 	{
-		switch (objectID)
+		if (attr.len == 1 && *attr.ptr >= '0' && *attr.ptr <= '4')
 		{
-			case ATTRIBUTE_OBJ_TYPE:
-				oid = asn1_known_oid(object);
-				break;
-			case ATTRIBUTE_OBJ_VALUE:
-			{
-				if (!extract_attribute(oid, object, parser->get_level(parser), attrs))
-				{
-					goto end;
-				}
-				break;
-			}
+			attrs->failInfo = (failInfo_t)(*attr.ptr - '0');
+		}
+		if (attrs->failInfo != SCEP_unknown_REASON)
+		{
+			DBG1(DBG_APP, "failInfo:     %s", failInfo_reasons[attrs->failInfo]);
 		}
 	}
-	success = parser->success(parser);
-
-end:
-	parser->destroy(parser);
-	return success;
+	attrs->senderNonce = attributes->get_attribute(attributes,
+											OID_PKI_SENDER_NONCE);
+	attrs->recipientNonce = attributes->get_attribute(attributes,
+											OID_PKI_RECIPIENT_NONCE);
+	attrs->transID = attributes->get_attribute(attributes,
+											OID_PKI_TRANS_ID);
 }
 
 /**
@@ -304,36 +181,9 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
 }
 
 /**
- * Builds a transId attribute
- */
-chunk_t scep_transId_attribute(chunk_t transID)
-{
-	return asn1_wrap(ASN1_SEQUENCE, "cm",
-				asn1_build_known_oid(OID_PKI_TRANS_ID),
-				asn1_wrap(ASN1_SET, "m",
-					asn1_simple_object(ASN1_PRINTABLESTRING, transID)));
-}
-
-/**
- * Builds a messageType attribute
- */
-chunk_t scep_messageType_attribute(scep_msg_t m)
-{
-	chunk_t msgType = {
-		(u_char*)msgType_values[m],
-		strlen(msgType_values[m])
-	};
-
-	return asn1_wrap(ASN1_SEQUENCE, "mm",
-				asn1_build_known_oid(OID_PKI_MESSAGE_TYPE),
-				asn1_wrap(ASN1_SET, "m",
-					asn1_simple_object(ASN1_PRINTABLESTRING, msgType)));
-}
-
-/**
- * Builds a senderNonce attribute
+ * Adds a senderNonce attribute to the given pkcs9 attribute list
  */
-chunk_t scep_senderNonce_attribute(void)
+static void add_senderNonce_attribute(pkcs9_t *pkcs9)
 {
 	const size_t nonce_len = 16;
 	u_char nonce_buf[nonce_len];
@@ -344,35 +194,45 @@ chunk_t scep_senderNonce_attribute(void)
 	rng->get_bytes(rng, nonce_len, nonce_buf);
 	rng->destroy(rng);
 
-	return asn1_wrap(ASN1_SEQUENCE, "cm",
-				asn1_build_known_oid(OID_PKI_SENDER_NONCE),
-				asn1_wrap(ASN1_SET, "m",
-					asn1_simple_object(ASN1_OCTET_STRING, senderNonce)));
+	pkcs9->set_attribute(pkcs9, OID_PKI_SENDER_NONCE, senderNonce);
 }
 
 /**
  * Builds a pkcs7 enveloped and signed scep request
  */
 chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
-						   certificate_t *enc_cert, int enc_alg,
-						   certificate_t *signer_cert, int digest_alg,
-						   private_key_t *private_key)
+					certificate_t *enc_cert, encryption_algorithm_t enc_alg,
+					size_t key_size, certificate_t *signer_cert,
+					hash_algorithm_t digest_alg, private_key_t *private_key)
 {
-	chunk_t envelopedData, attributes, request;
+	chunk_t request, msgType = {
+		(u_char*)msgType_values[msg],
+		strlen(msgType_values[msg]),
+	};
+	pkcs7_t *pkcs7;
+	pkcs9_t *pkcs9;
 
-	envelopedData = pkcs7_build_envelopedData(data, enc_cert, enc_alg);
+	pkcs7 = pkcs7_create_from_data(data);
+	if (!pkcs7->build_envelopedData(pkcs7, enc_cert, enc_alg, key_size))
+	{
+		pkcs7->destroy(pkcs7);
+		return chunk_empty;
+	}
 
-	attributes = asn1_wrap(ASN1_SET, "mmmmm",
-					pkcs7_contentType_attribute(),
-					pkcs7_messageDigest_attribute(envelopedData, digest_alg),
-					scep_transId_attribute(transID),
-					scep_messageType_attribute(msg),
-					scep_senderNonce_attribute());
+	pkcs9 = pkcs9_create();
+	pkcs9->set_attribute(pkcs9, OID_PKI_TRANS_ID, transID);
+	pkcs9->set_attribute(pkcs9, OID_PKI_MESSAGE_TYPE, msgType);
+	add_senderNonce_attribute(pkcs9);
 
-	request = pkcs7_build_signedData(envelopedData, attributes,
-									 signer_cert, digest_alg, private_key);
-	free(envelopedData.ptr);
-	free(attributes.ptr);
+	pkcs7->set_attributes(pkcs7, pkcs9);
+	pkcs7->set_certificate(pkcs7, signer_cert->get_ref(signer_cert));
+	if (!pkcs7->build_signedData(pkcs7, private_key, digest_alg))
+	{
+		pkcs7->destroy(pkcs7);
+		return chunk_empty;
+	}
+	request = pkcs7->get_contentInfo(pkcs7);
+	pkcs7->destroy(pkcs7);
 	return request;
 }
 
@@ -508,22 +368,23 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
 	return (status == SUCCESS);
 }
 
-err_t scep_parse_response(chunk_t response, chunk_t transID, contentInfo_t *data,
+err_t scep_parse_response(chunk_t response, chunk_t transID, pkcs7_t **data,
 						  scep_attributes_t *attrs, certificate_t *signer_cert)
 {
-	chunk_t attributes;
+	pkcs7_t *pkcs7;
 
-	if (!pkcs7_parse_signedData(response, data, NULL, &attributes, signer_cert))
+	pkcs7 = pkcs7_create_from_chunk(response, 0);
+	if (!pkcs7 || !pkcs7->parse_signedData(pkcs7, signer_cert))
 	{
+		DESTROY_IF(pkcs7);
 		return "error parsing the scep response";
 	}
-	if (!parse_attributes(attributes, attrs))
-	{
-		return "error parsing the scep response attributes";
-	}
+	extract_attributes(pkcs7, attrs);
 	if (!chunk_equals(transID, attrs->transID))
 	{
+		pkcs7->destroy(pkcs7);
 		return "transaction ID of scep response does not match";
 	}
+	*data = pkcs7;
 	return NULL;
 }
diff --git a/src/scepclient/scep.h b/src/scepclient/scep.h
index 76bf21033..6227faba4 100644
--- a/src/scepclient/scep.h
+++ b/src/scepclient/scep.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005 Jan Hutter, Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -16,11 +17,9 @@
 #ifndef _SCEP_H
 #define _SCEP_H
 
+#include <crypto/pkcs7.h>
 #include <credentials/certificates/certificate.h>
 
-#include "../pluto/defs.h"
-#include "../pluto/pkcs7.h"
-
 /* supported SCEP operation types */
 typedef enum {
 	SCEP_PKI_OPERATION,
@@ -76,13 +75,13 @@ chunk_t scep_transId_attribute(chunk_t transaction_id);
 chunk_t scep_messageType_attribute(scep_msg_t m);
 chunk_t scep_senderNonce_attribute(void);
 chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
-						   certificate_t *enc_cert, int enc_alg,
-						   certificate_t *signer_cert, int digest_alg,
-						   private_key_t *private_key);
+						certificate_t *enc_cert, encryption_algorithm_t enc_alg,
+						size_t key_size, certificate_t *signer_cert,
+						hash_algorithm_t digest_alg, private_key_t *private_key);
 bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
-							  bool http_get_request, chunk_t *response);
+					   bool http_get_request, chunk_t *response);
 err_t scep_parse_response(chunk_t response, chunk_t transID,
-						  contentInfo_t *data, scep_attributes_t *attrs,
+						  pkcs7_t **data, scep_attributes_t *attrs,
 						  certificate_t *signer_cert);
 
 #endif /* _SCEP_H */
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index fa2982f35..d502fc250 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -25,8 +25,6 @@
 #include <limits.h>
 #include <syslog.h>
 
-#include <freeswan.h>
-
 #include <library.h>
 #include <debug.h>
 #include <asn1/asn1.h>
@@ -44,11 +42,6 @@
 #include <credentials/certificates/pkcs10.h>
 #include <plugins/plugin.h>
 
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/certs.h"
-#include "../pluto/pkcs7.h"
-
 #include "scep.h"
 
 /*
@@ -97,6 +90,9 @@
 /* default distinguished name */
 #define DEFAULT_DN "C=CH, O=Linux strongSwan, CN="
 
+/* minimum RSA key size */
+#define RSA_MIN_OCTETS (512 / BITS_PER_BYTE)
+
 /* challenge password buffer size */
 #define MAX_PASSWORD_LENGTH 256
 
@@ -401,10 +397,11 @@ int main(int argc, char **argv)
 	char challenge_password_buffer[MAX_PASSWORD_LENGTH];
 
 	/* symmetric encryption algorithm used by pkcs7, default is 3DES */
-	int pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
+	encryption_algorithm_t pkcs7_symmetric_cipher = ENCR_3DES;
+	size_t pkcs7_key_size = 0;
 
 	/* digest algorithm used by pkcs7, default is SHA-1 */
-	int pkcs7_digest_alg = OID_SHA1;
+	hash_algorithm_t pkcs7_digest_alg = HASH_SHA1;
 
 	/* signature algorithm used by pkcs10, default is SHA-1 */
 	hash_algorithm_t pkcs10_signature_alg = HASH_SHA1;
@@ -767,9 +764,10 @@ int main(int argc, char **argv)
 				{
 					usage("invalid algorithm specified");
 				}
-				pkcs7_symmetric_cipher = encryption_algorithm_to_oid(
-											token->algorithm, token->keysize);
-				if (pkcs7_symmetric_cipher == OID_UNKNOWN)
+				pkcs7_symmetric_cipher = token->algorithm;
+				pkcs7_key_size = token->keysize;
+				if (encryption_algorithm_to_oid(token->algorithm,
+												token->keysize) == OID_UNKNOWN)
 				{
 					usage("unsupported encryption algorithm specified");
 				}
@@ -1043,9 +1041,13 @@ int main(int argc, char **argv)
 	{
 		DBG2(DBG_APP, "building pkcs7 request");
 		pkcs7 = scep_build_request(pkcs10_encoding,
-								   transID, SCEP_PKCSReq_MSG,
-								   x509_ca_enc, pkcs7_symmetric_cipher,
+								   transID, SCEP_PKCSReq_MSG, x509_ca_enc,
+								   pkcs7_symmetric_cipher, pkcs7_key_size,
 								   x509_signer, pkcs7_digest_alg, private_key);
+		if (!pkcs7.ptr)
+		{
+			exit_scepclient("failed to build pkcs7 request");
+		}
 	}
 
 	/*
@@ -1079,12 +1081,8 @@ int main(int argc, char **argv)
 		enumerator_t  *enumerator;
 		char path[PATH_MAX];
 		time_t poll_start = 0;
-
-		linked_list_t    *certs         = linked_list_create();
-		chunk_t           envelopedData = chunk_empty;
-		chunk_t           certData      = chunk_empty;
-		contentInfo_t     data          = empty_contentInfo;
-		scep_attributes_t attrs         = empty_scep_attributes;
+		pkcs7_t *data = NULL;
+		scep_attributes_t attrs = empty_scep_attributes;
 
 		join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_sig);
 
@@ -1130,6 +1128,7 @@ int main(int argc, char **argv)
 			DBG2(DBG_APP, "going to sleep for %d seconds", poll_interval);
 			sleep(poll_interval);
 			free(scep_response.ptr);
+			data->destroy(data);
 
 			DBG2(DBG_APP, "fingerprint:    %.*s",
 				 (int)fingerprint.len, fingerprint.ptr);
@@ -1138,10 +1137,13 @@ int main(int argc, char **argv)
 
 			chunk_free(&getCertInitial);
 			getCertInitial = scep_build_request(issuerAndSubject,
-									transID, SCEP_GetCertInitial_MSG,
-									x509_ca_enc, pkcs7_symmetric_cipher,
-									x509_signer, pkcs7_digest_alg, private_key);
-
+								transID, SCEP_GetCertInitial_MSG, x509_ca_enc,
+								pkcs7_symmetric_cipher, pkcs7_key_size,
+								x509_signer, pkcs7_digest_alg, private_key);
+			if (!getCertInitial.ptr)
+			{
+				exit_scepclient("failed to build scep request");
+			}
 			if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
 				http_get_request, &scep_response))
 			{
@@ -1157,31 +1159,25 @@ int main(int argc, char **argv)
 
 		if (attrs.pkiStatus != SCEP_SUCCESS)
 		{
+			data->destroy(data);
 			exit_scepclient("reply status is not 'SUCCESS'");
 		}
 
-		envelopedData = data.content;
-
-		if (data.type != OID_PKCS7_DATA ||
-			!asn1_parse_simple_object(&envelopedData, ASN1_OCTET_STRING, 0, "data"))
-		{
-			exit_scepclient("contentInfo is not of type 'data'");
-		}
-		if (!pkcs7_parse_envelopedData(envelopedData, &certData,
-				serialNumber, private_key))
+		if (!data->parse_envelopedData(data, serialNumber, private_key))
 		{
+			data->destroy(data);
 			exit_scepclient("could not decrypt envelopedData");
 		}
-		if (!pkcs7_parse_signedData(certData, NULL, certs, NULL, NULL))
+		if (!data->parse_signedData(data, NULL))
 		{
+			data->destroy(data);
 			exit_scepclient("error parsing the scep response");
 		}
-		chunk_free(&certData);
 
 		/* store the end entity certificate */
 		join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert);
 
-		enumerator = certs->create_enumerator(certs);
+		enumerator = data->create_certificate_enumerator(data);
 		while (enumerator->enumerate(enumerator, &cert))
 		{
 			x509_t *x509 = (x509_t*)cert;
@@ -1201,7 +1197,8 @@ int main(int argc, char **argv)
 				stored = TRUE;
 			}
 		}
-		certs->destroy_offset(certs, offsetof(certificate_t, destroy));
+		enumerator->destroy(enumerator);
+		data->destroy(data);
 		filetype_out &= ~CERT;   /* delete CERT flag */
 	}