Diffstat (limited to 'src/scepclient')
-rw-r--r--src/scepclient/Makefile.am9
-rw-r--r--src/scepclient/pkcs10.c38
-rw-r--r--src/scepclient/pkcs10.h25
-rw-r--r--src/scepclient/rsakey.c313
-rw-r--r--src/scepclient/rsakey.h29
-rw-r--r--src/scepclient/scep.c47
-rw-r--r--src/scepclient/scep.h26
-rw-r--r--src/scepclient/scepclient.c49
8 files changed, 102 insertions, 434 deletions
diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am
index f7cfc7355..a6e43a4f1 100644
--- a/src/scepclient/Makefile.am
+++ b/src/scepclient/Makefile.am
@@ -1,5 +1,5 @@
ipsec_PROGRAMS = scepclient
-scepclient_SOURCES = scepclient.c rsakey.c rsakey.h pkcs10.c pkcs10.h scep.c scep.h loglite.c
+scepclient_SOURCES = scepclient.c pkcs10.c pkcs10.h scep.c scep.h loglite.c
PLUTODIR=$(top_srcdir)/src/pluto
OPENACDIR=$(top_srcdir)/src/openac
@@ -28,7 +28,7 @@ LIBCRYPTOBUILDDIR=$(top_builddir)/src/libcrypto
scepclient_LDADD = \
ca.o crl.o certs.o constants.o defs.o fetch.o id.o keys.o lex.o \
-mp_defs.o ocsp.o pem.o pgp.o pkcs1.o pkcs7.o smartcard.o x509.o \
+mp_defs.o ocsp.o pem.o pgpcert.o pkcs7.o smartcard.o x509.o \
$(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \
$(LIBFREESWANBUILDDIR)/libfreeswan.a \
-lgmp
@@ -77,10 +77,7 @@ ocsp.o : $(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h
pem.o : $(PLUTODIR)/pem.c $(PLUTODIR)/pem.h
$(COMPILE) $(INCLUDES) -c -o $@ $<
-pgp.o : $(PLUTODIR)/pgp.c $(PLUTODIR)/pgp.h
- $(COMPILE) $(INCLUDES) -c -o $@ $<
-
-pkcs1.o : $(PLUTODIR)/pkcs1.c $(PLUTODIR)/pkcs1.h
+pgpcert.o : $(PLUTODIR)/pgpcert.c $(PLUTODIR)/pgpcert.h
$(COMPILE) $(INCLUDES) -c -o $@ $<
pkcs7.o : $(PLUTODIR)/pkcs7.c $(PLUTODIR)/pkcs7.h
diff --git a/src/scepclient/pkcs10.c b/src/scepclient/pkcs10.c
index 6933adaf8..cdd68431e 100644
--- a/src/scepclient/pkcs10.c
+++ b/src/scepclient/pkcs10.c
@@ -31,7 +31,6 @@
#include "../pluto/constants.h"
#include "../pluto/defs.h"
-#include "../pluto/pkcs1.h"
#include "../pluto/log.h"
#include "../pluto/x509.h"
@@ -158,21 +157,25 @@ build_req_info_attributes(pkcs10_t* pkcs10)
static chunk_t
pkcs10_build_request(pkcs10_t *pkcs10, int signature_alg)
{
- RSA_public_key_t *rsak = (RSA_public_key_t *) pkcs10->private_key;
+ chunk_t key = pkcs10->public_key->get_encoding(pkcs10->public_key);
- chunk_t cert_req_info = asn1_wrap(ASN1_SEQUENCE, "ccmm"
- , ASN1_INTEGER_0
- , pkcs10->subject
- , pkcs1_build_publicKeyInfo(rsak)
- , build_req_info_attributes(pkcs10));
+ chunk_t keyInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
+ asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+ asn1_bitstring("m", key));
- chunk_t signature = pkcs1_build_signature(cert_req_info
- , signature_alg, pkcs10->private_key, TRUE);
+ chunk_t cert_req_info = asn1_wrap(ASN1_SEQUENCE, "ccmm",
+ ASN1_INTEGER_0,
+ pkcs10->subject,
+ keyInfo,
+ build_req_info_attributes(pkcs10));
- return asn1_wrap(ASN1_SEQUENCE, "mcm"
- , cert_req_info
- , asn1_algorithmIdentifier(signature_alg)
- , signature);
+ chunk_t signature = x509_build_signature(cert_req_info, signature_alg,
+ pkcs10->private_key, TRUE);
+
+ return asn1_wrap(ASN1_SEQUENCE, "mcm",
+ cert_req_info,
+ asn1_algorithmIdentifier(signature_alg),
+ signature);
}
/**
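Review bot: The `keyInfo` wrap hard-codes `OID_RSA_ENCRYPTION` although `pkcs10->public_key` is now a generic `public_key_t`, so a non-RSA key would be labelled with the wrong algorithm identifier and then signed into the request. A guard before the wrap, such as `if (pkcs10->public_key->get_type(pkcs10->public_key) != KEY_RSA)` returning an empty chunk, would make the RSA-only assumption explicit. The same three-line wrap is repeated in scep_generate_transaction_id() in scep.c, where the transaction ID is a hash over this structure, so a shared helper would keep the two encodings from drifting apart. The result of x509_build_signature() is also used unchecked; whether it can come back empty is not visible in this diff.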
@@ -189,14 +192,15 @@ pkcs10_build_request(pkcs10_t *pkcs10, int signature_alg)
* @param[in] subjectAltNames linked list of subjectAltNames or NULL
* @return pointer to a #pkcs10_t object
*/
-pkcs10_t*
-pkcs10_build(RSA_private_key_t *key, chunk_t subject, chunk_t challengePassword
-, generalName_t *subjectAltNames, int signature_alg)
+pkcs10_t* pkcs10_build(private_key_t *private, public_key_t *public,
+ chunk_t subject, chunk_t challengePassword,
+ generalName_t *subjectAltNames, int signature_alg)
{
pkcs10_t *pkcs10 = malloc_thing(pkcs10_t);
pkcs10->subject = subject;
- pkcs10->private_key = key;
+ pkcs10->private_key = private;
+ pkcs10->public_key = public;
pkcs10->challengePassword = challengePassword;
pkcs10->subjectAltNames = subjectAltNames;
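Review bot: pkcs10_build() now takes the private and the public key as two independent arguments, and nothing in the visible lines ensures that `public` belongs to `private`; a mismatched pair would produce a request whose self-signature does not verify against the embedded key. Either derive the public half inside the function with `private->get_public_key(private)` or state the pairing requirement in the doc comment. That comment should also gain a `@param[in] public` entry and say who owns both key objects, because scepclient.c destroys them in exit_scepclient() and pkcs10_free(), whose body is not shown, must then leave them alone. The function body continues past this hunk, and the prototype in pkcs10.h carries the same signature.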
diff --git a/src/scepclient/pkcs10.h b/src/scepclient/pkcs10.h
index a48dd7c2e..3f29f019a 100644
--- a/src/scepclient/pkcs10.h
+++ b/src/scepclient/pkcs10.h
@@ -23,8 +23,10 @@
#ifndef _PKCS10_H
#define _PKCS10_H
+#include <credentials/keys/private_key.h>
+#include <credentials/keys/public_key.h>
+
#include "../pluto/defs.h"
-#include "../pluto/pkcs1.h"
#include "../pluto/x509.h"
typedef struct pkcs10_struct pkcs10_t;
@@ -38,20 +40,21 @@ typedef struct pkcs10_struct pkcs10_t;
* The RSA private key is needed to compute the signature of the given request
*/
struct pkcs10_struct {
- RSA_private_key_t *private_key;
- chunk_t request;
- chunk_t subject;
- chunk_t challengePassword;
- generalName_t *subjectAltNames;
+ private_key_t *private_key;
+ public_key_t *public_key;
+ chunk_t request;
+ chunk_t subject;
+ chunk_t challengePassword;
+ generalName_t *subjectAltNames;
};
extern const pkcs10_t empty_pkcs10;
-extern void pkcs10_add_subjectAltName(generalName_t **subjectAltNames
- , generalNames_t kind, char *value);
-extern pkcs10_t* pkcs10_build(RSA_private_key_t *key, chunk_t subject
- , chunk_t challengePassword, generalName_t *subjectAltNames
- , int signature_alg);
+extern void pkcs10_add_subjectAltName(generalName_t **subjectAltNames,
+ generalNames_t kind, char *value);
+extern pkcs10_t* pkcs10_build(private_key_t *private, public_key_t *public,
+ chunk_t subject, chunk_t challengePassword,
+ generalName_t *subjectAltNames, int signature_alg);
extern void pkcs10_free(pkcs10_t *pkcs10);
#endif /* _PKCS10_H */
diff --git a/src/scepclient/rsakey.c b/src/scepclient/rsakey.c
deleted file mode 100644
index e7e4a47f5..000000000
--- a/src/scepclient/rsakey.c
+++ /dev/null
@@ -1,313 +0,0 @@
-/**
- * @file rsakey.c
- * @brief Functions for RSA key generation
- */
-
-/*
- * Copyright (C) 1999, 2000, 2001 Henry Spencer.
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <assert.h>
-#include <gmp.h>
-
-#include <freeswan.h>
-
-#include <library.h>
-#include <crypto/rngs/rng.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/mp_defs.h"
-#include "../pluto/log.h"
-#include "../pluto/pkcs1.h"
-
-#include "rsakey.h"
-
-/* Number of times the probabilistic primality test is applied */
-#define PRIMECHECK_ROUNDS 30
-
-/* Public exponent used for signature key generation */
-#define PUBLIC_EXPONENT 0x10001
-
-#ifndef DEV_RANDOM
-#define DEV_RANDOM "/dev/random"
-#endif
-
-
-/**
- * @brief Reads a specific number of bytes from a given device/file
- *
- * @param[in] nbytes number of bytes to read from random device
- * @param[out] buf pointer to buffer where to write the data in.
- * size of buffer has to be at least nbytes.
- * @return TRUE, if succeeded, FALSE otherwise
- */
-
-/**
- * @brief initialize an mpz_t to a random number, specified bit count
- *
- * Converting the random value in a value of type mpz_t is done
- * by creating a hexbuffer.
- * Converting via hex is a bit weird, but it's the best route GMP gives us.
- * Note that highmost and lowmost bits are forced on -- highmost to give a
- * number of exactly the specified length, lowmost so it is an odd number.
- *
- * @param[out] var uninitialized mpz_t to store th random number in
- * @param[in] nbits length of var in bits (known to be a multiple of BITS_PER_BYTE)
- * @return TRUE on success, FALSE otherwise
- */
-static bool init_random(mpz_t var, int nbits)
-{
- size_t nbytes = (size_t)(nbits/BITS_PER_BYTE);
- char random_buf[RSA_MAX_OCTETS/2];
- rng_t *rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
-
- if (!rng)
- {
- return FALSE;
- }
- assert(nbytes <= sizeof(random_buf));
- rng->get_bytes(rng, nbytes, random_buf);
- rng->destroy(rng);
-
- random_buf[0] |= 01 << (BITS_PER_BYTE-1); /* force high bit on */
- random_buf[nbytes-1] |= 01; /* force low bit on */
- n_to_mpz(var, random_buf, nbytes);
- return TRUE;
-}
-
-/**
- * @brief initialize an mpz_t to a random prime of specified size
- *
- * Efficiency tweak: we reject candidates that are 1 higher than a multiple
- * of e, since they will make the internal modulus not relatively prime to e.
- *
- * @param[out] var mpz_t variable to initialize
- * @param[in] nbits length of given prime in bits (known to be a multiple of BITS_PER_BYTE)
- * @param[in] eval E-Value, 0 means don't bother w. tweak
- * @return 1 on success, 0 otherwise
- */
-static bool init_prime(mpz_t var, int nbits, int eval)
-{
- unsigned long tries;
- size_t len;
-
- /* get a random value of nbits length */
- if (!init_random(var, nbits))
- return FALSE;
-
- /* check if odd number */
- assert(mpz_fdiv_ui(var, 2) == 1);
- DBG(DBG_CONTROLMORE,
- DBG_log("looking for a prime starting there (can take a while)...")
- )
-
- tries = 1;
- while (mpz_fdiv_ui(var, eval) == 1
- || !mpz_probab_prime_p(var, PRIMECHECK_ROUNDS))
- {
- /* not a prime, increase by 2 */
- mpz_add_ui(var, var, 2);
- tries++;
- }
-
- len = mpz_sizeinbase(var, 2);
-
- /* check bit length of primee */
- assert(len == (size_t)nbits || len == (size_t)(nbits+1));
-
- if (len == (size_t)(nbits+1))
- {
- DBG(DBG_CONTROLMORE,
- DBG_log("carry out occurred (!), retrying...")
- )
- mpz_clear(var);
- /* recursive call */
- return init_prime(var, nbits, eval);
- }
- DBG(DBG_CONTROLMORE,
- DBG_log("found it after %lu tries.",tries)
- )
- return TRUE;
-}
-
-/**
- * @brief Generate a RSA key usable for encryption
- *
- * Generate an RSA key usable for encryption. All the
- * values of the RSA key are filled into mpz_t parameters.
- * These mpz_t parameters must not be initialized and have
- * to be cleared with mpz_clear after using.
- *
- * @param[in] nbits size of rsa key in bits
- * @return RSA_public_key_t containing the generated RSA key
- */
-err_t generate_rsa_private_key(int nbits, RSA_private_key_t *key)
-{
- mpz_t p, q, n, e, d, exp1, exp2, coeff;
- mpz_t m, q1, t; /* temporary variables*/
-
- DBG(DBG_CONTROL,
- DBG_log("generating %d bit RSA key:", nbits)
- )
-
- if (nbits <= 0)
- return "negative rsa key length!";
-
- /* Get values of primes p and q */
- DBG(DBG_CONTROLMORE,
- DBG_log("initialize prime p")
- )
- if (!init_prime(p, nbits/2, PUBLIC_EXPONENT))
- return "could not generate prime p";
-
- DBG(DBG_CONTROLMORE,
- DBG_log("initialize prime q")
- )
- if (!init_prime(q, nbits/2, PUBLIC_EXPONENT))
- return "could not generate prime q";
-
- mpz_init(t);
-
- /* Swapping primes so p is larger then q */
- if (mpz_cmp(p, q) < 0)
- {
- DBG(DBG_CONTROLMORE,
- DBG_log("swapping primes so p is the larger...")
- );
- mpz_set(t, p);
- mpz_set(p, q);
- mpz_set(q, t);
- }
-
- DBG(DBG_CONTROLMORE,
- DBG_log("computing modulus...")
- )
- mpz_init(n);
- /* n = p*q */
- mpz_mul(n, p, q);
-
- /* Assign e the value of defined PUBLIC_EXPONENT */
- mpz_init_set_ui(e, PUBLIC_EXPONENT);
-
- DBG(DBG_CONTROLMORE,
- DBG_log("computing lcm(p-1, q-1)...")
- )
- /* m = p */
- mpz_init_set(m, p);
- /* m = m-1 */
- mpz_sub_ui(m, m, 1);
- /* q1 = q */
- mpz_init_set(q1, q);
- /* q1 = q1-1 */
- mpz_sub_ui(q1, q1, 1);
- /* t = gcd(p-1, q-1) */
- mpz_gcd(t, m, q1);
- /* m = (p-1)*(q-1) */
- mpz_mul(m, m, q1);
- /* m = m / t */
- mpz_divexact(m, m, t);
- /* t = gcd(m, e) (greatest common divisor) */
- mpz_gcd(t, m, e);
- /* m and e relatively prime */
- assert(mpz_cmp_ui(t, 1) == 0);
-
- /* decryption key */
- DBG(DBG_CONTROLMORE,
- DBG_log("computing d...")
- )
- mpz_init(d);
- /* e has an inverse mod m */
- assert(mpz_invert(d, e, m));
-
- /* make sure d is positive */
- if (mpz_cmp_ui(d, 0) < 0)
- mpz_add(d, d, m);
-
- /* d has to be positive */
- assert(mpz_cmp(d, m) < 0);
-
- /* the speedup hacks */
- DBG(DBG_CONTROLMORE,
- DBG_log("computing exp1, exp1, coeff...")
- )
- mpz_init(exp1);
- /* t = p-1 */
- mpz_sub_ui(t, p, 1);
- /* exp1 = d mod p-1 */
- mpz_mod(exp1, d, t);
-
- mpz_init(exp2);
- /* t = q-1 */
- mpz_sub_ui(t, q, 1);
- /* exp2 = d mod q-1 */
- mpz_mod(exp2, d, t);
-
- mpz_init(coeff);
- /* coeff = q^-1 mod p */
- mpz_invert(coeff, q, p);
-
- /* make sure coeff is positive */
- if (mpz_cmp_ui(coeff, 0) < 0)
- mpz_add(coeff, coeff, p);
-
- /* coeff has to be positive */
- assert(mpz_cmp(coeff, p) < 0);
-
- /* Clear temporary variables */
- mpz_clear(q1);
- mpz_clear(m);
- mpz_clear(t);
-
- /* form FreeS/WAN keyid */
- {
- size_t e_len = (mpz_sizeinbase(e,2)+BITS_PER_BYTE-1)/BITS_PER_BYTE;
- size_t n_len = (mpz_sizeinbase(n,2)+BITS_PER_BYTE-1)/BITS_PER_BYTE;
- chunk_t e_ch = mpz_to_n(e, e_len);
- chunk_t n_ch = mpz_to_n(n, n_len);
-
- form_keyid(e_ch, n_ch, key->pub.keyid, &key->pub.k);
- free(e_ch.ptr);
- free(n_ch.ptr);
- }
-
- /* fill in the elements of the RSA private key */
- key->p = *p;
- key->q = *q;
- key->pub.n = *n;
- key->pub.e = *e;
- key->d = *d;
- key->dP = *exp1;
- key->dQ = *exp2;
- key->qInv = *coeff;
-
- DBG(DBG_CONTROL,
- DBG_log("RSA key *%s generated with %d bits", key->pub.keyid
- , (int)mpz_sizeinbase(n,2))
- )
-
-#ifdef DEBUG
- DBG(DBG_PRIVATE,
- RSA_show_private_key(key)
- )
-#endif
- return NULL;
-}
diff --git a/src/scepclient/rsakey.h b/src/scepclient/rsakey.h
deleted file mode 100644
index f9245d25b..000000000
--- a/src/scepclient/rsakey.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/**
- * @file rsakey.h
- * @brief Functions for RSA key generation
- */
-
-/*
- * Copyright (C) 1999, 2000, 2001 Henry Spencer.
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef RSAKEY_H_
-#define RSAKEY_H_
-
-#include "../pluto/pkcs1.h"
-
-extern err_t generate_rsa_private_key(int nbits, RSA_private_key_t *key);
-
-#endif // RSAKEY_H_
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c
index dd16dff1b..a788c6f41 100644
--- a/src/scepclient/scep.c
+++ b/src/scepclient/scep.c
@@ -34,7 +34,6 @@
#include "../pluto/constants.h"
#include "../pluto/defs.h"
-#include "../pluto/pkcs1.h"
#include "../pluto/fetch.h"
#include "../pluto/log.h"
@@ -266,35 +265,43 @@ end:
* Generates a unique fingerprint of the pkcs10 request
* by computing an MD5 hash over it
*/
-void scep_generate_pkcs10_fingerprint(chunk_t pkcs10, chunk_t *fingerprint)
+chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10)
{
- char buf[HASH_SIZE_MD5];
- chunk_t digest = { buf, sizeof(buf) };
-
- /* the fingerprint is the MD5 hash in hexadecimal format */
- compute_digest(pkcs10, OID_MD5, &digest);
- fingerprint->len = 2*digest.len;
- fingerprint->ptr = malloc(fingerprint->len + 1);
- datatot(digest.ptr, digest.len, 16, fingerprint->ptr, fingerprint->len + 1);
+ char digest_buf[HASH_SIZE_MD5];
+ chunk_t digest = chunk_from_buf(digest_buf);
+ hasher_t *hasher;
+
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+ hasher->get_hash(hasher, pkcs10, digest_buf);
+ hasher->destroy(hasher);
+
+ return chunk_to_hex(digest, NULL, FALSE);
}
/**
* Generate a transaction id as the MD5 hash of an public key
* the transaction id is also used as a unique serial number
*/
-void scep_generate_transaction_id(const RSA_public_key_t *rsak,
- chunk_t *transID, chunk_t *serialNumber)
+void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
+ chunk_t *serialNumber)
{
- char buf[HASH_SIZE_MD5];
-
- chunk_t digest = { buf, sizeof(buf) };
- chunk_t public_key = pkcs1_build_publicKeyInfo(rsak);
-
+ char digest_buf[HASH_SIZE_MD5];
+ chunk_t digest = chunk_from_buf(digest_buf);
+ chunk_t keyEncoding, keyInfo;
+ hasher_t *hasher;
bool msb_set;
u_char *pos;
+
+ keyEncoding = key->get_encoding(key);
+
+ keyInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
+ asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+ asn1_bitstring("m", keyEncoding));
- compute_digest(public_key, OID_MD5, &digest);
- free(public_key.ptr);
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+ hasher->get_hash(hasher, keyInfo, digest_buf);
+ hasher->destroy(hasher);
+ free(keyInfo.ptr);
/* is the most significant bit of the digest set? */
msb_set = (*digest.ptr & 0x80) == 0x80;
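Review bot: The result of `lib->crypto->create_hasher(lib->crypto, HASH_MD5)` is dereferenced without a NULL check in both scep_generate_pkcs10_fingerprint() and scep_generate_transaction_id(), so a setup where no MD5 hasher is registered would presumably crash here instead of failing cleanly. The deleted rsakey.c handled the equivalent case for `create_rng` with `if (!rng)`. In the fingerprint function `if (hasher == NULL) { return chunk_empty; }` would do; in scep_generate_transaction_id() the early exit also has to free `keyInfo.ptr` and leave `*transID` and `*serialNumber` empty. That function's body continues outside the hunk.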
@@ -376,7 +383,7 @@ chunk_t scep_senderNonce_attribute(void)
chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
const x509cert_t *enc_cert, int enc_alg,
const x509cert_t *signer_cert, int digest_alg,
- const RSA_private_key_t *private_key)
+ private_key_t *private_key)
{
chunk_t envelopedData, attributes, request;
diff --git a/src/scepclient/scep.h b/src/scepclient/scep.h
index 2a11a246e..e8dc87591 100644
--- a/src/scepclient/scep.h
+++ b/src/scepclient/scep.h
@@ -24,7 +24,6 @@
#define _SCEP_H
#include "../pluto/defs.h"
-#include "../pluto/pkcs1.h"
#include "../pluto/pkcs7.h"
/* supported SCEP operation types */
@@ -74,20 +73,21 @@ typedef struct {
extern const scep_attributes_t empty_scep_attributes;
extern bool parse_attributes(chunk_t blob, scep_attributes_t *attrs);
-extern void scep_generate_pkcs10_fingerprint(chunk_t pkcs10
- , chunk_t *fingerprint);
-extern void scep_generate_transaction_id(const RSA_public_key_t *rsak
- , chunk_t *transID, chunk_t *serialNumber);
+extern void scep_generate_transaction_id(public_key_t *key,
+ chunk_t *transID,
+ chunk_t *serialNumber);
+extern chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10);
extern chunk_t scep_transId_attribute(chunk_t transaction_id);
extern chunk_t scep_messageType_attribute(scep_msg_t m);
extern chunk_t scep_senderNonce_attribute(void);
-extern chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg
- , const x509cert_t *enc_cert, int enc_alg
- , const x509cert_t *signer_cert, int digest_alg
- , const RSA_private_key_t *private_key);
-extern bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op
- , bool http_get_request, chunk_t *response);
-extern err_t scep_parse_response(chunk_t response, chunk_t transID
- , contentInfo_t *data, scep_attributes_t *attrs, x509cert_t *signer_cert);
+extern chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
+ const x509cert_t *enc_cert, int enc_alg,
+ const x509cert_t *signer_cert, int digest_alg,
+ private_key_t *private_key);
+extern bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
+ bool http_get_request, chunk_t *response);
+extern err_t scep_parse_response(chunk_t response, chunk_t transID,
+ contentInfo_t *data, scep_attributes_t *attrs,
+ x509cert_t *signer_cert);
#endif /* _SCEP_H */
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 96853e948..eb3197689 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -42,15 +42,15 @@
#include <asn1/oid.h>
#include <utils/optionsfrom.h>
#include <utils/enumerator.h>
+#include <credentials/keys/private_key.h>
+#include <credentials/keys/public_key.h>
#include "../pluto/constants.h"
#include "../pluto/defs.h"
#include "../pluto/log.h"
-#include "../pluto/pkcs1.h"
#include "../pluto/pkcs7.h"
#include "../pluto/certs.h"
-#include "rsakey.h"
#include "pkcs10.h"
#include "scep.h"
@@ -120,7 +120,8 @@ options_t *options;
* Global variables
*/
-RSA_private_key_t *private_key = NULL;
+private_key_t *private_key = NULL;
+public_key_t *public_key = NULL;
chunk_t pkcs1;
chunk_t pkcs7;
@@ -150,11 +151,8 @@ exit_scepclient(err_t message, ...)
{
int status = 0;
- if (private_key != NULL)
- {
- free_RSA_private_content(private_key);
- free(private_key);
- }
+ DESTROY_IF(private_key);
+ DESTROY_IF(public_key);
free(pkcs1.ptr);
free(pkcs7.ptr);
free(subject.ptr);
@@ -784,24 +782,27 @@ int main(int argc, char **argv)
/*
* input of PKCS#1 file
*/
- private_key = malloc_thing(RSA_private_key_t);
-
if (filetype_in & PKCS1) /* load an RSA key pair from file */
{
prompt_pass_t pass = { "", FALSE, STDIN_FILENO };
char *path = concatenate_paths(PRIVATE_KEY_PATH, file_in_pkcs1);
- ugh = load_rsa_private_key(path, &pass, private_key);
+ private_key = load_private_key(path, &pass, KEY_RSA);
}
else /* generate an RSA key pair */
{
- ugh = generate_rsa_private_key(rsa_keylength, private_key);
+ private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+ BUILD_KEY_SIZE, rsa_keylength,
+ BUILD_END);
}
- if (ugh != NULL)
- exit_scepclient(ugh);
+ if (private_key == NULL)
+ {
+ exit_scepclient("no RSA private key available");
+ }
+ public_key = private_key->get_public_key(private_key);
/* check for minimum key length */
- if ((private_key->pub.k) < RSA_MIN_OCTETS)
+ if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS)
{
exit_scepclient("length of RSA key has to be at least %d bits"
,RSA_MIN_OCTETS * BITS_PER_BYTE);
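Review bot: `public_key = private_key->get_public_key(private_key);` is not checked, and the pointer is later handed to pkcs10_build() and scep_generate_transaction_id(), which call through it; add `if (public_key == NULL) { exit_scepclient("no RSA public key available"); }` right after the assignment. The minimum-length test now compares `get_keysize()` with `RSA_MIN_OCTETS`, so it enforces the intended floor only if get_keysize() reports octets rather than bits, which this diff does not show and which deserves a one-line comment. The single message "no RSA private key available" also replaces the loader's specific `ugh` text, so a wrong passphrase and a missing file can no longer be told apart from the output. main() starts and ends outside the hunk.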
@@ -855,10 +856,11 @@ int main(int argc, char **argv)
DBG(DBG_CONTROL,
DBG_log("building pkcs10 object:")
)
- pkcs10 = pkcs10_build(private_key, subject, challengePassword
- , subjectAltNames, pkcs10_signature_alg);
- scep_generate_pkcs10_fingerprint(pkcs10->request, &fingerprint);
- plog(" fingerprint: %.*s", (int)fingerprint.len, fingerprint.ptr);
+ pkcs10 = pkcs10_build(private_key, public_key, subject,
+ challengePassword, subjectAltNames,
+ pkcs10_signature_alg);
+ fingerprint = scep_generate_pkcs10_fingerprint(pkcs10->request);
+ plog(" fingerprint: %s", fingerprint.ptr);
}
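Review bot: The fingerprint is now logged with `%s` on `fingerprint.ptr`, which relies on chunk_to_hex() returning a non-NULL, NUL-terminated buffer, while the transaction ID in a later hunk of this file is still printed with `%.*s` and an explicit length. Keeping `plog(" fingerprint: %.*s", (int)fingerprint.len, fingerprint.ptr);` would be consistent with that call and would not depend on the terminator. The enclosing block in main() begins outside the hunk.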
/*
@@ -889,7 +891,7 @@ int main(int argc, char **argv)
DBG(DBG_CONTROL,
DBG_log("building pkcs1 object:")
)
- pkcs1 = pkcs1_build_private_key(private_key);
+ pkcs1 = private_key->get_encoding(private_key);
if (!chunk_write(pkcs1, path, "pkcs1", 0066, force))
exit_scepclient("could not write pkcs1 file '%s'", path);
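Review bot: `pkcs1` now receives the private-key encoding from `private_key->get_encoding(private_key)` and is passed to chunk_write() without a check that an encoding was produced; `if (pkcs1.ptr == NULL) { exit_scepclient("could not encode RSA private key"); }` before the write would avoid creating an empty key file. Because the buffer holds secret key material, exit_scepclient() should release it with a wiping free rather than `free(pkcs1.ptr)`, for example `chunk_clear(&pkcs1)` if this tree's libstrongswan provides it. The surrounding block in main() begins and ends outside the hunk.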
@@ -902,8 +904,7 @@ int main(int argc, char **argv)
exit_scepclient(NULL); /* no further output required */
}
- scep_generate_transaction_id((const RSA_public_key_t *)private_key
- , &transID, &serialNumber);
+ scep_generate_transaction_id(public_key, &transID, &serialNumber);
plog(" transaction ID: %.*s", (int)transID.len, transID.ptr);
/* generate a self-signed X.509 certificate */
@@ -918,9 +919,7 @@ int main(int argc, char **argv)
: x509_signer->notBefore + validity;
x509_signer->subject = subject;
x509_signer->subjectAltName = subjectAltNames;
-
- build_x509cert(x509_signer, (const RSA_public_key_t *)private_key
- , private_key);
+ build_x509cert(x509_signer, public_key, private_key);
/*
* output of self-signed X.509 certificate file