diff options
Diffstat (limited to 'src/scepclient/scep.c')
| -rw-r--r-- | src/scepclient/scep.c | 287 |
1 files changed, 74 insertions, 213 deletions
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c index 5cf640fba..433fc6bf9 100644 --- a/src/scepclient/scep.c +++ b/src/scepclient/scep.c @@ -17,20 +17,15 @@ #include <string.h> #include <stdlib.h> -#include <freeswan.h> - #include <library.h> #include <debug.h> #include <asn1/asn1.h> #include <asn1/asn1_parser.h> #include <asn1/oid.h> +#include <crypto/pkcs9.h> #include <crypto/rngs/rng.h> #include <crypto/hashers/hasher.h> -#include "../pluto/constants.h" -#include "../pluto/defs.h" -#include "../pluto/fetch.h" - #include "scep.h" static const char *pkiStatus_values[] = { "0", "2", "3" }; @@ -70,178 +65,60 @@ const scep_attributes_t empty_scep_attributes = { { NULL, 0 } , /* recipientNonce */ }; -/* ASN.1 definition of the X.501 atttribute type */ - -static const asn1Object_t attributesObjects[] = { - { 0, "attributes", ASN1_SET, ASN1_LOOP }, /* 0 */ - { 1, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ - { 2, "type", ASN1_OID, ASN1_BODY }, /* 2 */ - { 2, "values", ASN1_SET, ASN1_LOOP }, /* 3 */ - { 3, "value", ASN1_EOC, ASN1_RAW }, /* 4 */ - { 2, "end loop", ASN1_EOC, ASN1_END }, /* 5 */ - { 0, "end loop", ASN1_EOC, ASN1_END }, /* 6 */ - { 0, "exit", ASN1_EOC, ASN1_EXIT } -}; -#define ATTRIBUTE_OBJ_TYPE 2 -#define ATTRIBUTE_OBJ_VALUE 4 - /** - * Extract and store an attribute + * Extract X.501 attributes */ -static bool extract_attribute(int oid, chunk_t object, u_int level, - scep_attributes_t *attrs) +void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs) { - asn1_t type = ASN1_EOC; - const char *name = "none"; + pkcs9_t *attributes = pkcs7->get_attributes(pkcs7); + chunk_t attr; - switch (oid) + attr = attributes->get_attribute(attributes, OID_PKI_MESSAGE_TYPE); + if (attr.ptr) { - case OID_PKCS9_CONTENT_TYPE: - type = ASN1_OID; - name = "contentType"; - break; - case OID_PKCS9_SIGNING_TIME: - type = ASN1_UTCTIME; - name = "signingTime"; - break; - case OID_PKCS9_MESSAGE_DIGEST: - type = ASN1_OCTET_STRING; - name = "messageDigest"; - break; - case OID_PKI_MESSAGE_TYPE: - type = ASN1_PRINTABLESTRING; - name = "messageType"; - break; - case OID_PKI_STATUS: - type = ASN1_PRINTABLESTRING; - name = "pkiStatus"; - break; - case OID_PKI_FAIL_INFO: - type = ASN1_PRINTABLESTRING; - name = "failInfo"; - break; - case OID_PKI_SENDER_NONCE: - type = ASN1_OCTET_STRING; - name = "senderNonce"; - break; - case OID_PKI_RECIPIENT_NONCE: - type = ASN1_OCTET_STRING; - name = "recipientNonce"; - break; - case OID_PKI_TRANS_ID: - type = ASN1_PRINTABLESTRING; - name = "transID"; - break; - default: - break; - } + scep_msg_t m; - if (type == ASN1_EOC) - { - return TRUE; - } - - if (!asn1_parse_simple_object(&object, type, level+1, name)) - { - return FALSE; - } - - switch (oid) - { - case OID_PKCS9_CONTENT_TYPE: - break; - case OID_PKCS9_SIGNING_TIME: - break; - case OID_PKCS9_MESSAGE_DIGEST: - break; - case OID_PKI_MESSAGE_TYPE: + for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++) { - scep_msg_t m; - - for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++) + if (strncmp(msgType_values[m], attr.ptr, attr.len) == 0) { - if (strncmp(msgType_values[m], object.ptr, object.len) == 0) - attrs->msgType = m; + attrs->msgType = m; } - DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]); - break; } - case OID_PKI_STATUS: - { - pkiStatus_t s; + DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]); + } + attr = attributes->get_attribute(attributes, OID_PKI_STATUS); + if (attr.ptr) + { + pkiStatus_t s; - for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++) - { - if (strncmp(pkiStatus_values[s], object.ptr, object.len) == 0) - { - attrs->pkiStatus = s; - } - } - DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]); - break; - } - case OID_PKI_FAIL_INFO: + for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++) { - if (object.len == 1 && - *object.ptr >= '0' && *object.ptr <= '4') + if (strncmp(pkiStatus_values[s], attr.ptr, attr.len) == 0) { - attrs->failInfo = (failInfo_t)(*object.ptr - '0'); + attrs->pkiStatus = s; } - if (attrs->failInfo != SCEP_unknown_REASON) - { - DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]); - } - break; } - case OID_PKI_SENDER_NONCE: - attrs->senderNonce = object; - break; - case OID_PKI_RECIPIENT_NONCE: - attrs->recipientNonce = object; - break; - case OID_PKI_TRANS_ID: - attrs->transID = object; - break; + DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]); } - return TRUE; -} - -/** - * Parse X.501 attributes - */ -bool parse_attributes(chunk_t blob, scep_attributes_t *attrs) -{ - asn1_parser_t *parser; - chunk_t object; - int oid = OID_UNKNOWN; - int objectID; - bool success = FALSE; - - parser = asn1_parser_create(attributesObjects, blob); - DBG3(DBG_APP, "parsing attributes"); - - while (parser->iterate(parser, &objectID, &object)) + attr = attributes->get_attribute(attributes, OID_PKI_FAIL_INFO); + if (attr.ptr) { - switch (objectID) + if (attr.len == 1 && *attr.ptr >= '0' && *attr.ptr <= '4') { - case ATTRIBUTE_OBJ_TYPE: - oid = asn1_known_oid(object); - break; - case ATTRIBUTE_OBJ_VALUE: - { - if (!extract_attribute(oid, object, parser->get_level(parser), attrs)) - { - goto end; - } - break; - } + attrs->failInfo = (failInfo_t)(*attr.ptr - '0'); + } + if (attrs->failInfo != SCEP_unknown_REASON) + { + DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]); } } - success = parser->success(parser); - -end: - parser->destroy(parser); - return success; + attrs->senderNonce = attributes->get_attribute(attributes, + OID_PKI_SENDER_NONCE); + attrs->recipientNonce = attributes->get_attribute(attributes, + OID_PKI_RECIPIENT_NONCE); + attrs->transID = attributes->get_attribute(attributes, + OID_PKI_TRANS_ID); } /** @@ -304,36 +181,9 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID, } /** - * Builds a transId attribute - */ -chunk_t scep_transId_attribute(chunk_t transID) -{ - return asn1_wrap(ASN1_SEQUENCE, "cm", - asn1_build_known_oid(OID_PKI_TRANS_ID), - asn1_wrap(ASN1_SET, "m", - asn1_simple_object(ASN1_PRINTABLESTRING, transID))); -} - -/** - * Builds a messageType attribute - */ -chunk_t scep_messageType_attribute(scep_msg_t m) -{ - chunk_t msgType = { - (u_char*)msgType_values[m], - strlen(msgType_values[m]) - }; - - return asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_build_known_oid(OID_PKI_MESSAGE_TYPE), - asn1_wrap(ASN1_SET, "m", - asn1_simple_object(ASN1_PRINTABLESTRING, msgType))); -} - -/** - * Builds a senderNonce attribute + * Adds a senderNonce attribute to the given pkcs9 attribute list */ -chunk_t scep_senderNonce_attribute(void) +static void add_senderNonce_attribute(pkcs9_t *pkcs9) { const size_t nonce_len = 16; u_char nonce_buf[nonce_len]; @@ -344,35 +194,45 @@ chunk_t scep_senderNonce_attribute(void) rng->get_bytes(rng, nonce_len, nonce_buf); rng->destroy(rng); - return asn1_wrap(ASN1_SEQUENCE, "cm", - asn1_build_known_oid(OID_PKI_SENDER_NONCE), - asn1_wrap(ASN1_SET, "m", - asn1_simple_object(ASN1_OCTET_STRING, senderNonce))); + pkcs9->set_attribute(pkcs9, OID_PKI_SENDER_NONCE, senderNonce); } /** * Builds a pkcs7 enveloped and signed scep request */ chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg, - certificate_t *enc_cert, int enc_alg, - certificate_t *signer_cert, int digest_alg, - private_key_t *private_key) + certificate_t *enc_cert, encryption_algorithm_t enc_alg, + size_t key_size, certificate_t *signer_cert, + hash_algorithm_t digest_alg, private_key_t *private_key) { - chunk_t envelopedData, attributes, request; + chunk_t request, msgType = { + (u_char*)msgType_values[msg], + strlen(msgType_values[msg]), + }; + pkcs7_t *pkcs7; + pkcs9_t *pkcs9; - envelopedData = pkcs7_build_envelopedData(data, enc_cert, enc_alg); + pkcs7 = pkcs7_create_from_data(data); + if (!pkcs7->build_envelopedData(pkcs7, enc_cert, enc_alg, key_size)) + { + pkcs7->destroy(pkcs7); + return chunk_empty; + } - attributes = asn1_wrap(ASN1_SET, "mmmmm", - pkcs7_contentType_attribute(), - pkcs7_messageDigest_attribute(envelopedData, digest_alg), - scep_transId_attribute(transID), - scep_messageType_attribute(msg), - scep_senderNonce_attribute()); + pkcs9 = pkcs9_create(); + pkcs9->set_attribute(pkcs9, OID_PKI_TRANS_ID, transID); + pkcs9->set_attribute(pkcs9, OID_PKI_MESSAGE_TYPE, msgType); + add_senderNonce_attribute(pkcs9); - request = pkcs7_build_signedData(envelopedData, attributes, - signer_cert, digest_alg, private_key); - free(envelopedData.ptr); - free(attributes.ptr); + pkcs7->set_attributes(pkcs7, pkcs9); + pkcs7->set_certificate(pkcs7, signer_cert->get_ref(signer_cert)); + if (!pkcs7->build_signedData(pkcs7, private_key, digest_alg)) + { + pkcs7->destroy(pkcs7); + return chunk_empty; + } + request = pkcs7->get_contentInfo(pkcs7); + pkcs7->destroy(pkcs7); return request; } @@ -508,22 +368,23 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op, return (status == SUCCESS); } -err_t scep_parse_response(chunk_t response, chunk_t transID, contentInfo_t *data, +err_t scep_parse_response(chunk_t response, chunk_t transID, pkcs7_t **data, scep_attributes_t *attrs, certificate_t *signer_cert) { - chunk_t attributes; + pkcs7_t *pkcs7; - if (!pkcs7_parse_signedData(response, data, NULL, &attributes, signer_cert)) + pkcs7 = pkcs7_create_from_chunk(response, 0); + if (!pkcs7 || !pkcs7->parse_signedData(pkcs7, signer_cert)) { + DESTROY_IF(pkcs7); return "error parsing the scep response"; } - if (!parse_attributes(attributes, attrs)) - { - return "error parsing the scep response attributes"; - } + extract_attributes(pkcs7, attrs); if (!chunk_equals(transID, attrs->transID)) { + pkcs7->destroy(pkcs7); return "transaction ID of scep response does not match"; } + *data = pkcs7; return NULL; } |