Diffstat (limited to 'src')
-rw-r--r--src/scepclient/scep.c22
-rw-r--r--src/scepclient/scep.h2
-rw-r--r--src/scepclient/scepclient.c17
3 files changed, 31 insertions, 10 deletions
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c
index 855af3965..938340d21 100644
--- a/src/scepclient/scep.c
+++ b/src/scepclient/scep.c
@@ -319,7 +319,7 @@ static char* escape_http_request(chunk_t req)
/**
* Send a SCEP request via HTTP and wait for a response
*/
-bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
+bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
bool http_get_request, chunk_t *response)
{
int len;
@@ -337,7 +337,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
if (http_get_request)
{
- char *escaped_req = escape_http_request(pkcs7);
+ char *escaped_req = escape_http_request(msg);
/* form complete url */
len = strlen(url) + 20 + strlen(operation) + strlen(escaped_req) + 1;
@@ -362,7 +362,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
FETCH_HTTP_VERSION_1_0,
- FETCH_REQUEST_DATA, pkcs7,
+ FETCH_REQUEST_DATA, msg,
FETCH_REQUEST_TYPE, "",
FETCH_REQUEST_HEADER, "Expect:",
FETCH_END);
@@ -371,12 +371,22 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
else /* SCEP_GET_CA_CERT */
{
const char operation[] = "GetCACert";
+ int i;
+
+ /* escape spaces, TODO: complete URL escape */
+ for (i = 0; i < msg.len; i++)
+ {
+ if (msg.ptr[i] == ' ')
+ {
+ msg.ptr[i] = '+';
+ }
+ }
/* form complete url */
- len = strlen(url) + 32 + strlen(operation) + 1;
+ len = strlen(url) + 32 + strlen(operation) + msg.len + 1;
complete_url = malloc(len);
- snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier",
- url, operation);
+ snprintf(complete_url, len, "%s?operation=%s&message=%.*s",
+ url, operation, (int)msg.len, msg.ptr);
status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
FETCH_HTTP_VERSION_1_0,
diff --git a/src/scepclient/scep.h b/src/scepclient/scep.h
index 6227faba4..f0c180a71 100644
--- a/src/scepclient/scep.h
+++ b/src/scepclient/scep.h
@@ -78,7 +78,7 @@ chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
certificate_t *enc_cert, encryption_algorithm_t enc_alg,
size_t key_size, certificate_t *signer_cert,
hash_algorithm_t digest_alg, private_key_t *private_key);
-bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
+bool scep_http_request(const char *url, chunk_t message, scep_op_t op,
bool http_get_request, chunk_t *response);
err_t scep_parse_response(chunk_t response, chunk_t transID,
pkcs7_t **data, scep_attributes_t *attrs,
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index f57afca28..e33934581 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -361,6 +361,9 @@ static void usage(const char *message)
" <algo> = md5 (default) | sha1 | sha256 |\n"
" sha384 | sha512\n"
"\n"
+ "Options for CA certificate acquisition:\n"
+ " --caname (-c) <name> name of CA to fetch CA certificate(s)\n"
+ " (default: CAIdentifier)\n"
"Options for enrollment (cert):\n"
" --url (-u) <url> url of the SCEP server\n"
" --method (-m) post | get http request type\n"
@@ -451,6 +454,9 @@ int main(int argc, char **argv)
/* URL of the SCEP-Server */
char *scep_url = NULL;
+ /* Name of CA to fetch CA certs for */
+ char *ca_name = "CAIdentifier";
+
/* http request method, default is GET */
bool http_get_request = TRUE;
@@ -512,6 +518,7 @@ int main(int argc, char **argv)
{ "password", required_argument, NULL, 'p' },
{ "algorithm", required_argument, NULL, 'a' },
{ "url", required_argument, NULL, 'u' },
+ { "caname", required_argument, NULL, 'c'},
{ "method", required_argument, NULL, 'm' },
{ "interval", required_argument, NULL, 't' },
{ "maxpolltime", required_argument, NULL, 'x' },
@@ -519,7 +526,7 @@ int main(int argc, char **argv)
};
/* parse next option */
- int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:m:t:x:APRCMS", long_opts, NULL);
+ int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:c:m:t:x:APRCMS", long_opts, NULL);
switch (c)
{
@@ -782,6 +789,10 @@ int main(int argc, char **argv)
scep_url = optarg;
continue;
+ case 'c': /* -- caname */
+ ca_name = optarg;
+ continue;
+
case 'm': /* --method */
if (strcaseeq("get", optarg))
{
@@ -917,8 +928,8 @@ int main(int argc, char **argv)
char ca_path[PATH_MAX];
pkcs7_t *pkcs7;
- if (!scep_http_request(scep_url, chunk_empty, SCEP_GET_CA_CERT,
- http_get_request, &scep_response))
+ if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)),
+ SCEP_GET_CA_CERT, http_get_request, &scep_response))
{
exit_scepclient("did not receive a valid scep response");
}