2006-04-28 07:14:48 +00:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2005 Jan Hutter, Martin Willi
|
|
|
|
* Hochschule fuer Technik Rapperswil
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
|
|
* under the terms of the GNU General Public License as published by the
|
|
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful, but
|
|
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
|
|
* for more details.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @file main.c
|
|
|
|
* @brief scepclient main program
|
|
|
|
*/
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @mainpage SCEP for Linux strongSwan
|
|
|
|
*
|
|
|
|
* Documentation of SCEP for Linux StrongSwan
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <stdarg.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include <getopt.h>
|
|
|
|
#include <ctype.h>
|
|
|
|
#include <unistd.h>
|
|
|
|
#include <time.h>
|
|
|
|
|
|
|
|
#include <freeswan.h>
|
2009-04-30 18:31:48 +00:00
|
|
|
|
2009-04-18 14:50:31 +00:00
|
|
|
#include <library.h>
|
|
|
|
#include <debug.h>
|
2009-04-20 20:53:38 +00:00
|
|
|
#include <asn1/asn1.h>
|
2007-08-15 08:29:55 +00:00
|
|
|
#include <asn1/oid.h>
|
2009-04-18 17:43:28 +00:00
|
|
|
#include <utils/optionsfrom.h>
|
2009-04-21 18:48:58 +00:00
|
|
|
#include <utils/enumerator.h>
|
2009-06-20 10:09:36 +00:00
|
|
|
#include <crypto/crypters/crypter.h>
|
|
|
|
#include <crypto/proposal/proposal_keywords.h>
|
2009-06-05 19:14:31 +00:00
|
|
|
#include <credentials/keys/private_key.h>
|
|
|
|
#include <credentials/keys/public_key.h>
|
2006-04-28 07:14:48 +00:00
|
|
|
|
|
|
|
#include "../pluto/constants.h"
|
|
|
|
#include "../pluto/defs.h"
|
|
|
|
#include "../pluto/log.h"
|
|
|
|
#include "../pluto/pkcs7.h"
|
|
|
|
#include "../pluto/certs.h"
|
|
|
|
|
|
|
|
#include "pkcs10.h"
|
|
|
|
#include "scep.h"
|
|
|
|
|
|
|
|
/*
|
|
|
|
* definition of some defaults
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* default name of DER-encoded PKCS#1 private key file */
|
2009-04-19 19:16:09 +00:00
|
|
|
#define DEFAULT_FILENAME_PKCS1 "myKey.der"
|
2006-04-28 07:14:48 +00:00
|
|
|
|
|
|
|
/* default name of DER-encoded PKCS#10 certificate request file */
|
2009-04-19 19:16:09 +00:00
|
|
|
#define DEFAULT_FILENAME_PKCS10 "myReq.der"
|
2006-04-28 07:14:48 +00:00
|
|
|
|
|
|
|
/* default name of DER-encoded PKCS#7 file */
|
2009-04-19 19:16:09 +00:00
|
|
|
#define DEFAULT_FILENAME_PKCS7 "pkcs7.der"
|
2006-04-28 07:14:48 +00:00
|
|
|
|
|
|
|
/* default name of DER-encoded self-signed X.509 certificate file */
|
2009-04-19 19:16:09 +00:00
|
|
|
#define DEFAULT_FILENAME_CERT_SELF "selfCert.der"
|
2006-04-28 07:14:48 +00:00
|
|
|
|
|
|
|
/* default name of DER-encoded X.509 certificate file */
|
2009-04-19 19:16:09 +00:00
|
|
|
#define DEFAULT_FILENAME_CERT "myCert.der"
|
2006-04-28 07:14:48 +00:00
|
|
|
|
|
|
|
/* default name of DER-encoded CA cert file used for key encipherment */
|
2009-04-19 19:16:09 +00:00
|
|
|
#define DEFAULT_FILENAME_CACERT_ENC "caCert.der"
|
2006-04-28 07:14:48 +00:00
|
|
|
|
|
|
|
/* default name of the der encoded CA cert file used for signature verification */
|
2009-04-19 19:16:09 +00:00
|
|
|
#define DEFAULT_FILENAME_CACERT_SIG "caCert.der"
|
2006-04-28 07:14:48 +00:00
|
|
|
|
|
|
|
/* default prefix of the der encoded CA certificates received from the SCEP server */
|
2009-04-19 19:16:09 +00:00
|
|
|
#define DEFAULT_FILENAME_PREFIX_CACERT "caCert.der"
|
2006-04-28 07:14:48 +00:00
|
|
|
|
|
|
|
/* default certificate validity */
|
2009-04-19 19:16:09 +00:00
|
|
|
#define DEFAULT_CERT_VALIDITY 5 * 3600 * 24 * 365 /* seconds */
|
2006-04-28 07:14:48 +00:00
|
|
|
|
|
|
|
/* default polling time interval in SCEP manual mode */
|
2009-04-19 19:16:09 +00:00
|
|
|
#define DEFAULT_POLL_INTERVAL 20 /* seconds */
|
2006-04-28 07:14:48 +00:00
|
|
|
|
|
|
|
/* default key length for self-generated RSA keys */
|
2009-04-19 19:16:09 +00:00
|
|
|
#define DEFAULT_RSA_KEY_LENGTH 2048 /* bits */
|
2006-04-28 07:14:48 +00:00
|
|
|
|
|
|
|
/* default distinguished name */
|
|
|
|
#define DEFAULT_DN "C=CH, O=Linux strongSwan, CN="
|
|
|
|
|
|
|
|
/* challenge password buffer size */
|
|
|
|
#define MAX_PASSWORD_LENGTH 256
|
|
|
|
|
|
|
|
/* Max length of filename for tempfile */
|
|
|
|
#define MAX_TEMP_FILENAME_LENGTH 256
|
|
|
|
|
|
|
|
|
|
|
|
/* current scepclient version */
|
|
|
|
static const char *scepclient_version = "1.0";
|
|
|
|
|
|
|
|
/* by default the CRL policy is lenient */
|
|
|
|
bool strict_crl_policy = FALSE;
|
|
|
|
|
|
|
|
/* by default pluto does not check crls dynamically */
|
|
|
|
long crl_check_interval = 0;
|
|
|
|
|
|
|
|
/* by default pluto logs out after every smartcard use */
|
|
|
|
bool pkcs11_keep_state = FALSE;
|
|
|
|
|
2009-04-18 17:43:28 +00:00
|
|
|
/* options read by optionsfrom */
|
|
|
|
options_t *options;
|
2006-04-28 07:14:48 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Global variables
|
|
|
|
*/
|
|
|
|
|
2009-06-05 19:14:31 +00:00
|
|
|
private_key_t *private_key = NULL;
|
|
|
|
public_key_t *public_key = NULL;
|
2006-04-28 07:14:48 +00:00
|
|
|
|
|
|
|
chunk_t pkcs1;
|
|
|
|
chunk_t pkcs7;
|
|
|
|
chunk_t subject;
|
|
|
|
chunk_t challengePassword;
|
|
|
|
chunk_t serialNumber;
|
|
|
|
chunk_t transID;
|
|
|
|
chunk_t fingerprint;
|
|
|
|
chunk_t issuerAndSubject;
|
|
|
|
chunk_t getCertInitial;
|
|
|
|
chunk_t scep_response;
|
|
|
|
cert_t cert;
|
|
|
|
|
|
|
|
x509cert_t *x509_signer = NULL;
|
|
|
|
x509cert_t *x509_ca_enc = NULL;
|
|
|
|
x509cert_t *x509_ca_sig = NULL;
|
|
|
|
generalName_t *subjectAltNames = NULL;
|
|
|
|
pkcs10_t *pkcs10 = NULL;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @brief exit scepclient
|
|
|
|
*
|
|
|
|
* @param status 0 = OK, 1 = general discomfort
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
exit_scepclient(err_t message, ...)
|
|
|
|
{
|
2009-04-19 19:16:09 +00:00
|
|
|
int status = 0;
|
|
|
|
|
2009-06-05 19:14:31 +00:00
|
|
|
DESTROY_IF(private_key);
|
|
|
|
DESTROY_IF(public_key);
|
2009-04-19 19:16:09 +00:00
|
|
|
free(pkcs1.ptr);
|
|
|
|
free(pkcs7.ptr);
|
|
|
|
free(subject.ptr);
|
|
|
|
free(serialNumber.ptr);
|
|
|
|
free(transID.ptr);
|
|
|
|
free(fingerprint.ptr);
|
|
|
|
free(issuerAndSubject.ptr);
|
|
|
|
free(getCertInitial.ptr);
|
|
|
|
free(scep_response.ptr);
|
|
|
|
|
|
|
|
free_generalNames(subjectAltNames, TRUE);
|
|
|
|
if (x509_signer != NULL)
|
|
|
|
{
|
|
|
|
x509_signer->subjectAltName = NULL;
|
|
|
|
}
|
|
|
|
free_x509cert(x509_signer);
|
|
|
|
free_x509cert(x509_ca_enc);
|
|
|
|
free_x509cert(x509_ca_sig);
|
|
|
|
pkcs10_free(pkcs10);
|
|
|
|
options->destroy(options);
|
|
|
|
|
|
|
|
/* print any error message to stderr */
|
|
|
|
if (message != NULL && *message != '\0')
|
|
|
|
{
|
|
|
|
va_list args;
|
|
|
|
char m[LOG_WIDTH]; /* longer messages will be truncated */
|
|
|
|
|
|
|
|
va_start(args, message);
|
|
|
|
vsnprintf(m, sizeof(m), message, args);
|
|
|
|
va_end(args);
|
|
|
|
|
|
|
|
fprintf(stderr, "error: %s\n", m);
|
|
|
|
status = -1;
|
|
|
|
}
|
|
|
|
library_deinit();
|
|
|
|
close_log();
|
|
|
|
exit(status);
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @brief prints the program version and exits
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
version(void)
|
|
|
|
{
|
2009-04-19 19:16:09 +00:00
|
|
|
printf("scepclient %s\n", scepclient_version);
|
|
|
|
exit_scepclient(NULL);
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @brief prints the usage of the program to the stderr output
|
|
|
|
*
|
|
|
|
* If message is set, program is exitet with 1 (error)
|
|
|
|
* @param message message in case of an error
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
usage(const char *message)
|
|
|
|
{
|
2009-04-19 19:16:09 +00:00
|
|
|
fprintf(stderr,
|
|
|
|
"Usage: scepclient\n"
|
|
|
|
" --help (-h) show usage and exit\n"
|
|
|
|
" --version (-v) show version and exit\n"
|
|
|
|
" --quiet (-q) do not write log output to stderr\n"
|
|
|
|
" --in (-i) <type>[=<filename>] use <filename> of <type> for input \n"
|
|
|
|
" <type> = pkcs1 | cacert-enc | cacert-sig\n"
|
|
|
|
" - if no pkcs1 input is defined, a \n"
|
|
|
|
" RSA key will be generated\n"
|
|
|
|
" - if no filename is given, default is used\n"
|
|
|
|
" --out (-o) <type>[=<filename>] write output of <type> to <filename>\n"
|
|
|
|
" multiple outputs are allowed\n"
|
|
|
|
" <type> = pkcs1 | pkcs10 | pkcs7 | cert-self | cert | cacert\n"
|
|
|
|
" - type cacert defines filename prefix of\n"
|
|
|
|
" received CA certificate(s)\n"
|
|
|
|
" - if no filename is given, default is used\n"
|
|
|
|
" --optionsfrom (-+) <filename> reads additional options from given file\n"
|
|
|
|
" --force (-f) force existing file(s)\n"
|
|
|
|
"\n"
|
|
|
|
"Options for key generation (pkcs1):\n"
|
|
|
|
" --keylength (-k) <bits> key length for RSA key generation\n"
|
|
|
|
"(default: 2048 bits)\n"
|
|
|
|
"\n"
|
|
|
|
"Options for validity:\n"
|
|
|
|
" --days (-D) <days> validity in days\n"
|
|
|
|
" --startdate (-S) <YYMMDDHHMMSS>Z not valid before date\n"
|
|
|
|
" --enddate (-E) <YYMMDDHHMMSS>Z not valid after date\n"
|
|
|
|
"\n"
|
|
|
|
"Options for request generation (pkcs10):\n"
|
|
|
|
" --dn (-d) <dn> comma separated list of distinguished names\n"
|
|
|
|
" --subjectAltName (-s) <t>=<v> include subjectAltName in certificate request\n"
|
|
|
|
" <t> = email | dns | ip \n"
|
|
|
|
" --password (-p) <pw> challenge password\n"
|
|
|
|
" - if pw is '%%prompt', password gets prompted for\n"
|
|
|
|
" --algorithm (-a) <algo> use specified algorithm for PKCS#7 encryption\n"
|
2009-06-20 10:09:36 +00:00
|
|
|
" <algo> = des | 3des (default) | aes128| aes192 | \n"
|
|
|
|
" aes256 | camellia128 | camellia192 | camellia256\n"
|
2009-04-19 19:16:09 +00:00
|
|
|
"\n"
|
|
|
|
"Options for enrollment (cert):\n"
|
|
|
|
" --url (-u) <url> url of the SCEP server\n"
|
|
|
|
" --method (-m) post | get http request type\n"
|
|
|
|
" --interval (-t) <seconds> manual mode poll interval in seconds (default 20s)\n"
|
|
|
|
" --maxpolltime (-x) <seconds> max poll time in seconds when in manual mode\n"
|
|
|
|
" (default: unlimited)\n"
|
2006-04-28 07:14:48 +00:00
|
|
|
#ifdef DEBUG
|
2009-04-19 19:16:09 +00:00
|
|
|
"\n"
|
|
|
|
"Debugging output:\n"
|
|
|
|
" --debug-all (-A) show everything except private\n"
|
|
|
|
" --debug-parsing (-P) show parsing relevant stuff\n"
|
|
|
|
" --debug-raw (-R) show raw hex dumps\n"
|
|
|
|
" --debug-control (-C) show control flow output\n"
|
|
|
|
" --debug-controlmore (-M) show more control flow\n"
|
|
|
|
" --debug-private (-X) show sensitive data (private keys, etc.)\n"
|
2006-04-28 07:14:48 +00:00
|
|
|
#endif
|
2009-04-19 19:16:09 +00:00
|
|
|
);
|
|
|
|
exit_scepclient(message);
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
|
|
|
|
2009-04-18 14:50:31 +00:00
|
|
|
/**
|
2009-04-21 18:48:58 +00:00
|
|
|
* Log loaded plugins
|
2009-04-18 14:50:31 +00:00
|
|
|
*/
|
2009-04-21 18:48:58 +00:00
|
|
|
static void print_plugins()
|
2009-04-18 14:50:31 +00:00
|
|
|
{
|
2009-04-21 18:48:58 +00:00
|
|
|
char buf[BUF_LEN], *plugin;
|
|
|
|
int len = 0;
|
|
|
|
enumerator_t *enumerator;
|
|
|
|
|
|
|
|
enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
|
|
|
|
while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
|
2009-04-18 14:50:31 +00:00
|
|
|
{
|
2009-04-21 18:48:58 +00:00
|
|
|
len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin);
|
2009-04-18 14:50:31 +00:00
|
|
|
}
|
2009-04-21 18:48:58 +00:00
|
|
|
enumerator->destroy(enumerator);
|
|
|
|
DBG1(" loaded plugins: %s", buf);
|
2009-04-18 14:50:31 +00:00
|
|
|
}
|
2009-04-21 18:48:58 +00:00
|
|
|
|
2006-04-28 07:14:48 +00:00
|
|
|
/**
|
|
|
|
* @brief main of scepclient
|
|
|
|
*
|
|
|
|
* @param argc number of arguments
|
|
|
|
* @param argv pointer to the argument values
|
|
|
|
*/
|
|
|
|
int main(int argc, char **argv)
|
|
|
|
{
|
2009-04-19 19:16:09 +00:00
|
|
|
/* external values */
|
|
|
|
extern char * optarg;
|
|
|
|
extern int optind;
|
|
|
|
|
|
|
|
/* type of input and output files */
|
|
|
|
typedef enum {
|
|
|
|
PKCS1 = 0x01,
|
|
|
|
PKCS10 = 0x02,
|
|
|
|
PKCS7 = 0x04,
|
|
|
|
CERT_SELF = 0x08,
|
|
|
|
CERT = 0x10,
|
|
|
|
CACERT_ENC = 0x20,
|
|
|
|
CACERT_SIG = 0x40
|
|
|
|
} scep_filetype_t;
|
|
|
|
|
|
|
|
/* filetype to read from, defaults to "generate a key" */
|
|
|
|
scep_filetype_t filetype_in = 0;
|
|
|
|
|
|
|
|
/* filetype to write to, no default here */
|
|
|
|
scep_filetype_t filetype_out = 0;
|
|
|
|
|
|
|
|
/* input files */
|
|
|
|
char *file_in_pkcs1 = DEFAULT_FILENAME_PKCS1;
|
|
|
|
char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC;
|
|
|
|
char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG;
|
|
|
|
|
|
|
|
/* output files */
|
|
|
|
char *file_out_pkcs1 = DEFAULT_FILENAME_PKCS1;
|
|
|
|
char *file_out_pkcs10 = DEFAULT_FILENAME_PKCS10;
|
|
|
|
char *file_out_pkcs7 = DEFAULT_FILENAME_PKCS7;
|
|
|
|
char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF;
|
|
|
|
char *file_out_cert = DEFAULT_FILENAME_CERT;
|
|
|
|
char *file_out_prefix_cacert = DEFAULT_FILENAME_PREFIX_CACERT;
|
|
|
|
|
|
|
|
/* by default user certificate is requested */
|
|
|
|
bool request_ca_certificate = FALSE;
|
|
|
|
|
|
|
|
/* by default existing files are not overwritten */
|
|
|
|
bool force = FALSE;
|
|
|
|
|
|
|
|
/* length of RSA key in bits */
|
|
|
|
u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH;
|
|
|
|
|
|
|
|
/* validity of self-signed certificate */
|
|
|
|
time_t validity = DEFAULT_CERT_VALIDITY;
|
|
|
|
time_t notBefore = 0;
|
|
|
|
time_t notAfter = 0;
|
|
|
|
|
|
|
|
/* distinguished name for requested certificate, ASCII format */
|
|
|
|
char *distinguishedName = NULL;
|
|
|
|
|
|
|
|
/* challenge password */
|
|
|
|
char challenge_password_buffer[MAX_PASSWORD_LENGTH];
|
|
|
|
|
|
|
|
/* symmetric encryption algorithm used by pkcs7, default is 3DES */
|
|
|
|
int pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
|
|
|
|
|
2009-04-29 08:09:35 +00:00
|
|
|
/* digest algorithm used by pkcs7, default is SHA-1 */
|
|
|
|
int pkcs7_digest_alg = OID_SHA1;
|
2009-04-19 19:16:09 +00:00
|
|
|
|
2009-04-29 08:09:35 +00:00
|
|
|
/* signature algorithm used by pkcs10, default is SHA-1 with RSA encryption */
|
|
|
|
int pkcs10_signature_alg = OID_SHA1;
|
2009-04-19 19:16:09 +00:00
|
|
|
|
|
|
|
/* URL of the SCEP-Server */
|
|
|
|
char *scep_url = NULL;
|
|
|
|
|
|
|
|
/* http request method, default is GET */
|
2009-04-29 08:09:35 +00:00
|
|
|
bool http_get_request = TRUE;
|
2009-04-19 19:16:09 +00:00
|
|
|
|
|
|
|
/* poll interval time in manual mode in seconds */
|
|
|
|
u_int poll_interval = DEFAULT_POLL_INTERVAL;
|
|
|
|
|
|
|
|
/* maximum poll time */
|
|
|
|
u_int max_poll_time = 0;
|
|
|
|
|
|
|
|
err_t ugh = NULL;
|
|
|
|
|
|
|
|
/* initialize global variables */
|
|
|
|
pkcs1 = chunk_empty;
|
|
|
|
pkcs7 = chunk_empty;
|
|
|
|
serialNumber = chunk_empty;
|
|
|
|
transID = chunk_empty;
|
|
|
|
fingerprint = chunk_empty;
|
|
|
|
issuerAndSubject = chunk_empty;
|
|
|
|
challengePassword = chunk_empty;
|
|
|
|
getCertInitial = chunk_empty;
|
|
|
|
scep_response = chunk_empty;
|
|
|
|
log_to_stderr = TRUE;
|
|
|
|
|
2009-08-14 20:13:51 +00:00
|
|
|
/* initialize library */
|
|
|
|
if (!library_init(STRONGSWAN_CONF))
|
|
|
|
{
|
|
|
|
library_deinit();
|
|
|
|
exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
|
|
|
|
}
|
2009-08-17 12:25:18 +00:00
|
|
|
if (lib->integrity &&
|
|
|
|
!lib->integrity->check_file(lib->integrity, "scepclient", argv[0]))
|
|
|
|
{
|
|
|
|
fprintf(stderr, "integrity check of scepclient failed\n");
|
|
|
|
library_deinit();
|
|
|
|
exit(SS_RC_DAEMON_INTEGRITY);
|
|
|
|
}
|
2009-08-14 20:13:51 +00:00
|
|
|
|
|
|
|
/* initialize optionsfrom */
|
2009-04-19 19:16:09 +00:00
|
|
|
options = options_create();
|
|
|
|
|
|
|
|
for (;;)
|
|
|
|
{
|
|
|
|
static const struct option long_opts[] = {
|
|
|
|
/* name, has_arg, flag, val */
|
|
|
|
{ "help", no_argument, NULL, 'h' },
|
|
|
|
{ "version", no_argument, NULL, 'v' },
|
|
|
|
{ "optionsfrom", required_argument, NULL, '+' },
|
|
|
|
{ "quiet", no_argument, NULL, 'q' },
|
|
|
|
{ "in", required_argument, NULL, 'i' },
|
|
|
|
{ "out", required_argument, NULL, 'o' },
|
|
|
|
{ "force", no_argument, NULL, 'f' },
|
|
|
|
{ "keylength", required_argument, NULL, 'k' },
|
|
|
|
{ "dn", required_argument, NULL, 'd' },
|
|
|
|
{ "days", required_argument, NULL, 'D' },
|
|
|
|
{ "startdate", required_argument, NULL, 'S' },
|
|
|
|
{ "enddate", required_argument, NULL, 'E' },
|
|
|
|
{ "subjectAltName", required_argument, NULL, 's' },
|
|
|
|
{ "password", required_argument, NULL, 'p' },
|
|
|
|
{ "algorithm", required_argument, NULL, 'a' },
|
|
|
|
{ "url", required_argument, NULL, 'u' },
|
|
|
|
{ "method", required_argument, NULL, 'm' },
|
|
|
|
{ "interval", required_argument, NULL, 't' },
|
|
|
|
{ "maxpolltime", required_argument, NULL, 'x' },
|
|
|
|
#ifdef DEBUG
|
|
|
|
{ "debug-all", no_argument, NULL, 'A' },
|
|
|
|
{ "debug-parsing", no_argument, NULL, 'P'},
|
|
|
|
{ "debug-raw", no_argument, NULL, 'R'},
|
|
|
|
{ "debug-control", no_argument, NULL, 'C'},
|
|
|
|
{ "debug-controlmore", no_argument, NULL, 'M'},
|
|
|
|
{ "debug-private", no_argument, NULL, 'X'},
|
|
|
|
#endif
|
|
|
|
{ 0,0,0,0 }
|
|
|
|
};
|
|
|
|
|
|
|
|
/* parse next option */
|
|
|
|
int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:m:t:x:APRCMS", long_opts, NULL);
|
|
|
|
|
|
|
|
switch (c)
|
|
|
|
{
|
|
|
|
case EOF: /* end of flags */
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 'h': /* --help */
|
|
|
|
usage(NULL);
|
|
|
|
|
|
|
|
case 'v': /* --version */
|
|
|
|
version();
|
|
|
|
|
|
|
|
case 'q': /* --quiet */
|
|
|
|
log_to_stderr = FALSE;
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'i': /* --in <type> [= <filename>] */
|
|
|
|
{
|
|
|
|
char *filename = strstr(optarg, "=");
|
|
|
|
|
|
|
|
if (filename)
|
|
|
|
{
|
|
|
|
/* replace '=' by '\0' */
|
|
|
|
*filename = '\0';
|
|
|
|
/* set pointer to start of filename */
|
|
|
|
filename++;
|
|
|
|
}
|
|
|
|
if (strcaseeq("pkcs1", optarg))
|
|
|
|
{
|
|
|
|
filetype_in |= PKCS1;
|
|
|
|
if (filename)
|
|
|
|
file_in_pkcs1 = filename;
|
|
|
|
}
|
|
|
|
else if (strcaseeq("cacert-enc", optarg))
|
|
|
|
{
|
|
|
|
filetype_in |= CACERT_ENC;
|
|
|
|
if (filename)
|
|
|
|
file_in_cacert_enc = filename;
|
|
|
|
}
|
|
|
|
else if (strcaseeq("cacert-sig", optarg))
|
|
|
|
{
|
|
|
|
filetype_in |= CACERT_SIG;
|
|
|
|
if (filename)
|
|
|
|
file_in_cacert_sig = filename;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
usage("invalid --in file type");
|
|
|
|
}
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
case 'o': /* --out <type> [= <filename>] */
|
|
|
|
{
|
|
|
|
char *filename = strstr(optarg, "=");
|
|
|
|
|
|
|
|
if (filename)
|
|
|
|
{
|
|
|
|
/* replace '=' by '\0' */
|
|
|
|
*filename = '\0';
|
|
|
|
/* set pointer to start of filename */
|
|
|
|
filename++;
|
|
|
|
}
|
|
|
|
if (strcaseeq("pkcs1", optarg))
|
|
|
|
{
|
|
|
|
filetype_out |= PKCS1;
|
|
|
|
if (filename)
|
|
|
|
file_out_pkcs1 = filename;
|
|
|
|
}
|
|
|
|
else if (strcaseeq("pkcs10", optarg))
|
|
|
|
{
|
|
|
|
filetype_out |= PKCS10;
|
|
|
|
if (filename)
|
|
|
|
file_out_pkcs10 = filename;
|
|
|
|
}
|
|
|
|
else if (strcaseeq("pkcs7", optarg))
|
|
|
|
{
|
|
|
|
filetype_out |= PKCS7;
|
|
|
|
if (filename)
|
|
|
|
file_out_pkcs7 = filename;
|
|
|
|
}
|
|
|
|
else if (strcaseeq("cert-self", optarg))
|
|
|
|
{
|
|
|
|
filetype_out |= CERT_SELF;
|
|
|
|
if (filename)
|
|
|
|
file_out_cert_self = filename;
|
|
|
|
}
|
|
|
|
else if (strcaseeq("cert", optarg))
|
|
|
|
{
|
|
|
|
filetype_out |= CERT;
|
|
|
|
if (filename)
|
|
|
|
file_out_cert = filename;
|
|
|
|
}
|
|
|
|
else if (strcaseeq("cacert", optarg))
|
|
|
|
{
|
|
|
|
request_ca_certificate = TRUE;
|
|
|
|
if (filename)
|
|
|
|
file_out_prefix_cacert = filename;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
usage("invalid --out file type");
|
|
|
|
}
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
case 'f': /* --force */
|
|
|
|
force = TRUE;
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case '+': /* --optionsfrom <filename> */
|
|
|
|
if (!options->from(options, optarg, &argc, &argv, optind))
|
|
|
|
{
|
|
|
|
exit_scepclient("optionsfrom failed");
|
|
|
|
}
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'k': /* --keylength <length> */
|
|
|
|
{
|
|
|
|
div_t q;
|
|
|
|
|
|
|
|
rsa_keylength = atoi(optarg);
|
|
|
|
if (rsa_keylength == 0)
|
|
|
|
usage("invalid keylength");
|
|
|
|
|
|
|
|
/* check if key length is a multiple of 8 bits */
|
|
|
|
q = div(rsa_keylength, 2*BITS_PER_BYTE);
|
|
|
|
if (q.rem != 0)
|
|
|
|
{
|
|
|
|
exit_scepclient("keylength is not a multiple of %d bits!"
|
|
|
|
, 2*BITS_PER_BYTE);
|
|
|
|
}
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
case 'D': /* --days */
|
|
|
|
if (optarg == NULL || !isdigit(optarg[0]))
|
|
|
|
usage("missing number of days");
|
|
|
|
{
|
|
|
|
char *endptr;
|
|
|
|
long days = strtol(optarg, &endptr, 0);
|
|
|
|
|
|
|
|
if (*endptr != '\0' || endptr == optarg
|
|
|
|
|| days <= 0)
|
|
|
|
usage("<days> must be a positive number");
|
|
|
|
validity = 24*3600*days;
|
|
|
|
}
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'S': /* --startdate */
|
|
|
|
if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
|
|
|
|
usage("date format must be YYMMDDHHMMSSZ");
|
|
|
|
{
|
|
|
|
chunk_t date = { optarg, 13 };
|
2009-04-20 20:53:38 +00:00
|
|
|
notBefore = asn1_to_time(&date, ASN1_UTCTIME);
|
2009-04-19 19:16:09 +00:00
|
|
|
}
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'E': /* --enddate */
|
|
|
|
if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
|
|
|
|
usage("date format must be YYMMDDHHMMSSZ");
|
|
|
|
{
|
|
|
|
chunk_t date = { optarg, 13 };
|
2009-04-20 20:53:38 +00:00
|
|
|
notAfter = asn1_to_time(&date, ASN1_UTCTIME);
|
2009-04-19 19:16:09 +00:00
|
|
|
}
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'd': /* --dn */
|
|
|
|
if (distinguishedName)
|
|
|
|
usage("only one distinguished name allowed");
|
|
|
|
distinguishedName = optarg;
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case 's': /* --subjectAltName */
|
|
|
|
{
|
|
|
|
generalNames_t kind;
|
|
|
|
char *value = strstr(optarg, "=");
|
|
|
|
|
|
|
|
if (value)
|
|
|
|
{
|
|
|
|
/* replace '=' by '\0' */
|
|
|
|
*value = '\0';
|
|
|
|
/* set pointer to start of value */
|
|
|
|
value++;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (strcaseeq("email", optarg))
|
|
|
|
{
|
|
|
|
kind = GN_RFC822_NAME;
|
|
|
|
}
|
|
|
|
else if (strcaseeq("dns", optarg))
|
|
|
|
{
|
|
|
|
kind = GN_DNS_NAME;
|
|
|
|
}
|
|
|
|
else if (strcaseeq("ip", optarg))
|
|
|
|
{
|
|
|
|
kind = GN_IP_ADDRESS;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
usage("invalid --subjectAltName type");
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
pkcs10_add_subjectAltName(&subjectAltNames, kind, value);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
case 'p': /* --password */
|
|
|
|
if (challengePassword.len > 0)
|
|
|
|
{
|
|
|
|
usage("only one challenge password allowed");
|
|
|
|
}
|
|
|
|
if (strcaseeq("%prompt", optarg))
|
|
|
|
{
|
|
|
|
printf("Challenge password: ");
|
|
|
|
if (fgets(challenge_password_buffer, sizeof(challenge_password_buffer)-1, stdin))
|
|
|
|
{
|
|
|
|
challengePassword.ptr = challenge_password_buffer;
|
|
|
|
/* discard the terminating '\n' from the input */
|
|
|
|
challengePassword.len = strlen(challenge_password_buffer) - 1;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
usage("challenge password could not be read");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
challengePassword.ptr = optarg;
|
|
|
|
challengePassword.len = strlen(optarg);
|
|
|
|
}
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'u': /* -- url */
|
|
|
|
if (scep_url)
|
|
|
|
{
|
|
|
|
usage("only one URL argument allowed");
|
|
|
|
}
|
|
|
|
scep_url = optarg;
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'm': /* --method */
|
2009-04-29 08:09:35 +00:00
|
|
|
if (strcaseeq("get", optarg))
|
2009-04-19 19:16:09 +00:00
|
|
|
{
|
2009-04-29 08:09:35 +00:00
|
|
|
http_get_request = TRUE;
|
2009-04-19 19:16:09 +00:00
|
|
|
}
|
2009-04-29 08:09:35 +00:00
|
|
|
else if (strcaseeq("post", optarg))
|
2009-04-19 19:16:09 +00:00
|
|
|
{
|
2009-04-29 08:09:35 +00:00
|
|
|
http_get_request = FALSE;
|
2009-04-19 19:16:09 +00:00
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
usage("invalid http request method specified");
|
|
|
|
}
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case 't': /* --interval */
|
|
|
|
poll_interval = atoi(optarg);
|
|
|
|
if (poll_interval <= 0)
|
|
|
|
{
|
|
|
|
usage("invalid interval specified");
|
|
|
|
}
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'x': /* --maxpolltime */
|
|
|
|
max_poll_time = atoi(optarg);
|
|
|
|
if (max_poll_time < 0)
|
|
|
|
{
|
|
|
|
usage("invalid maxpolltime specified");
|
|
|
|
}
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'a': /*--algorithm */
|
2009-06-20 10:09:36 +00:00
|
|
|
{
|
|
|
|
const proposal_token_t *token;
|
|
|
|
|
|
|
|
token = proposal_get_token(optarg, strlen(optarg));
|
|
|
|
if (token == NULL || token->type != ENCRYPTION_ALGORITHM)
|
2009-06-17 12:42:57 +00:00
|
|
|
{
|
2009-06-20 10:09:36 +00:00
|
|
|
usage("invalid algorithm specified");
|
2009-06-17 12:42:57 +00:00
|
|
|
}
|
2009-06-20 10:09:36 +00:00
|
|
|
pkcs7_symmetric_cipher = encryption_algorithm_to_oid(
|
|
|
|
token->algorithm, token->keysize);
|
|
|
|
if (pkcs7_symmetric_cipher == OID_UNKNOWN)
|
2009-04-19 19:16:09 +00:00
|
|
|
{
|
2009-06-20 10:09:36 +00:00
|
|
|
usage("unsupported encryption algorithm specified");
|
2009-04-19 19:16:09 +00:00
|
|
|
}
|
|
|
|
continue;
|
2009-06-20 10:09:36 +00:00
|
|
|
}
|
2006-04-28 07:14:48 +00:00
|
|
|
#ifdef DEBUG
|
2009-04-19 19:16:09 +00:00
|
|
|
case 'A': /* --debug-all */
|
|
|
|
base_debugging |= DBG_ALL;
|
|
|
|
continue;
|
|
|
|
case 'P': /* debug parsing */
|
|
|
|
base_debugging |= DBG_PARSING;
|
|
|
|
continue;
|
|
|
|
case 'R': /* debug raw */
|
|
|
|
base_debugging |= DBG_RAW;
|
|
|
|
continue;
|
|
|
|
case 'C': /* debug control */
|
|
|
|
base_debugging |= DBG_CONTROL;
|
|
|
|
continue;
|
|
|
|
case 'M': /* debug control more */
|
|
|
|
base_debugging |= DBG_CONTROLMORE;
|
|
|
|
continue;
|
|
|
|
case 'X': /* debug private */
|
|
|
|
base_debugging |= DBG_PRIVATE;
|
|
|
|
continue;
|
2006-04-28 07:14:48 +00:00
|
|
|
#endif
|
2009-04-19 19:16:09 +00:00
|
|
|
default:
|
|
|
|
usage("unknown option");
|
|
|
|
}
|
|
|
|
/* break from loop */
|
|
|
|
break;
|
|
|
|
}
|
2009-04-21 18:48:58 +00:00
|
|
|
cur_debugging = base_debugging;
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2009-04-19 19:16:09 +00:00
|
|
|
init_log("scepclient");
|
2009-04-21 18:48:58 +00:00
|
|
|
|
|
|
|
/* load plugins, further infrastructure may need it */
|
2009-09-01 14:20:45 +00:00
|
|
|
if (!lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
|
|
|
|
lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS)))
|
|
|
|
{
|
|
|
|
exit_scepclient("plugin loading failed");
|
|
|
|
}
|
2009-04-21 18:48:58 +00:00
|
|
|
print_plugins();
|
|
|
|
|
2009-04-19 19:16:09 +00:00
|
|
|
if ((filetype_out == 0) && (!request_ca_certificate))
|
2006-04-28 07:14:48 +00:00
|
|
|
{
|
2009-04-19 19:16:09 +00:00
|
|
|
usage ("--out filetype required");
|
|
|
|
}
|
|
|
|
if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0))
|
|
|
|
{
|
|
|
|
usage("in CA certificate request, no other --in or --out option allowed");
|
|
|
|
}
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2009-04-19 19:16:09 +00:00
|
|
|
/* check if url is given, if cert output defined */
|
|
|
|
if (((filetype_out & CERT) || request_ca_certificate) && !scep_url)
|
|
|
|
{
|
|
|
|
usage("URL of SCEP server required");
|
|
|
|
}
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2009-04-19 19:16:09 +00:00
|
|
|
/* check for sanity of --in/--out */
|
|
|
|
if (!filetype_in && (filetype_in > filetype_out))
|
|
|
|
{
|
|
|
|
usage("cannot generate --out of given --in!");
|
|
|
|
}
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2009-04-19 19:16:09 +00:00
|
|
|
/*
|
|
|
|
* input of PKCS#1 file
|
|
|
|
*/
|
|
|
|
if (filetype_in & PKCS1) /* load an RSA key pair from file */
|
|
|
|
{
|
|
|
|
prompt_pass_t pass = { "", FALSE, STDIN_FILENO };
|
2009-04-20 20:53:38 +00:00
|
|
|
char *path = concatenate_paths(PRIVATE_KEY_PATH, file_in_pkcs1);
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2009-06-05 19:14:31 +00:00
|
|
|
private_key = load_private_key(path, &pass, KEY_RSA);
|
2009-04-19 19:16:09 +00:00
|
|
|
}
|
|
|
|
else /* generate an RSA key pair */
|
|
|
|
{
|
2009-06-05 19:14:31 +00:00
|
|
|
private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
|
|
|
|
BUILD_KEY_SIZE, rsa_keylength,
|
|
|
|
BUILD_END);
|
2009-04-19 19:16:09 +00:00
|
|
|
}
|
2009-06-05 19:14:31 +00:00
|
|
|
if (private_key == NULL)
|
|
|
|
{
|
|
|
|
exit_scepclient("no RSA private key available");
|
|
|
|
}
|
|
|
|
public_key = private_key->get_public_key(private_key);
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2009-04-19 19:16:09 +00:00
|
|
|
/* check for minimum key length */
|
2009-06-05 19:14:31 +00:00
|
|
|
if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS)
|
2009-04-19 19:16:09 +00:00
|
|
|
{
|
|
|
|
exit_scepclient("length of RSA key has to be at least %d bits"
|
|
|
|
,RSA_MIN_OCTETS * BITS_PER_BYTE);
|
|
|
|
}
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2009-04-19 19:16:09 +00:00
|
|
|
/*
|
|
|
|
* input of PKCS#10 file
|
|
|
|
*/
|
|
|
|
if (filetype_in & PKCS10)
|
|
|
|
{
|
|
|
|
/* user wants to load a pkcs10 request
|
|
|
|
* operation is not yet supported
|
|
|
|
* would require a PKCS#10 parsing function
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2009-04-19 19:16:09 +00:00
|
|
|
pkcs10 = pkcs10_read_from_file(file_in_pkcs10);
|
|
|
|
|
|
|
|
*/
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
char buf[IDTOA_BUF];
|
|
|
|
chunk_t dn = chunk_empty;
|
|
|
|
|
|
|
|
dn.ptr = buf;
|
|
|
|
|
|
|
|
if (distinguishedName == NULL)
|
2006-04-28 07:14:48 +00:00
|
|
|
{
|
2009-04-19 19:16:09 +00:00
|
|
|
char buf[BUF_LEN];
|
|
|
|
int n = sprintf(buf, DEFAULT_DN);
|
|
|
|
|
|
|
|
/* set the common name to the hostname */
|
|
|
|
if (gethostname(buf + n, BUF_LEN - n) || strlen(buf) == n)
|
|
|
|
{
|
|
|
|
exit_scepclient("no hostname defined, use "
|
|
|
|
"--dn <distinguished name> option");
|
|
|
|
}
|
|
|
|
distinguishedName = buf;
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
2009-04-19 19:16:09 +00:00
|
|
|
|
|
|
|
DBG(DBG_CONTROL,
|
|
|
|
DBG_log("dn: '%s'", distinguishedName);
|
|
|
|
)
|
|
|
|
ugh = atodn(distinguishedName, &dn);
|
|
|
|
if (ugh != NULL)
|
2006-04-28 07:14:48 +00:00
|
|
|
{
|
2009-04-19 19:16:09 +00:00
|
|
|
exit_scepclient(ugh);
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
2009-04-19 19:16:09 +00:00
|
|
|
|
|
|
|
subject = chunk_clone(dn);
|
|
|
|
|
|
|
|
DBG(DBG_CONTROL,
|
|
|
|
DBG_log("building pkcs10 object:")
|
|
|
|
)
|
2009-06-05 19:14:31 +00:00
|
|
|
pkcs10 = pkcs10_build(private_key, public_key, subject,
|
|
|
|
challengePassword, subjectAltNames,
|
|
|
|
pkcs10_signature_alg);
|
|
|
|
fingerprint = scep_generate_pkcs10_fingerprint(pkcs10->request);
|
|
|
|
plog(" fingerprint: %s", fingerprint.ptr);
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
2009-04-19 19:16:09 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* output of PKCS#10 file
|
|
|
|
*/
|
|
|
|
if (filetype_out & PKCS10)
|
2006-04-28 07:14:48 +00:00
|
|
|
{
|
2009-04-20 20:53:38 +00:00
|
|
|
char *path = concatenate_paths(REQ_PATH, file_out_pkcs10);
|
2009-04-19 19:16:09 +00:00
|
|
|
|
2009-04-20 20:53:38 +00:00
|
|
|
if (!chunk_write(pkcs10->request, path, "pkcs10", 0022, force))
|
2009-04-19 19:16:09 +00:00
|
|
|
exit_scepclient("could not write pkcs10 file '%s'", path);
|
|
|
|
|
|
|
|
filetype_out &= ~PKCS10; /* delete PKCS10 flag */
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
|
|
|
|
2009-04-19 19:16:09 +00:00
|
|
|
if (!filetype_out)
|
2009-04-17 09:52:49 +00:00
|
|
|
{
|
2009-04-19 19:16:09 +00:00
|
|
|
exit_scepclient(NULL); /* no further output required */
|
2009-04-17 09:52:49 +00:00
|
|
|
}
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2009-04-19 19:16:09 +00:00
|
|
|
/*
|
|
|
|
* output of PKCS#1 file
|
|
|
|
*/
|
|
|
|
if (filetype_out & PKCS1)
|
2009-04-17 09:52:49 +00:00
|
|
|
{
|
2009-04-20 20:53:38 +00:00
|
|
|
char *path = concatenate_paths(PRIVATE_KEY_PATH, file_out_pkcs1);
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2009-04-19 19:16:09 +00:00
|
|
|
DBG(DBG_CONTROL,
|
|
|
|
DBG_log("building pkcs1 object:")
|
|
|
|
)
|
2009-08-24 12:19:16 +00:00
|
|
|
if (!private_key->get_encoding(private_key, KEY_PRIV_ASN1_DER, &pkcs1) ||
|
|
|
|
!chunk_write(pkcs1, path, "pkcs1", 0066, force))
|
2009-04-19 19:16:09 +00:00
|
|
|
exit_scepclient("could not write pkcs1 file '%s'", path);
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2009-04-19 19:16:09 +00:00
|
|
|
filetype_out &= ~PKCS1; /* delete PKCS1 flag */
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
2009-04-19 19:16:09 +00:00
|
|
|
|
|
|
|
if (!filetype_out)
|
2009-04-17 09:52:49 +00:00
|
|
|
{
|
2009-04-19 19:16:09 +00:00
|
|
|
exit_scepclient(NULL); /* no further output required */
|
2009-04-17 09:52:49 +00:00
|
|
|
}
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2009-06-05 19:14:31 +00:00
|
|
|
scep_generate_transaction_id(public_key, &transID, &serialNumber);
|
2009-04-19 19:16:09 +00:00
|
|
|
plog(" transaction ID: %.*s", (int)transID.len, transID.ptr);
|
|
|
|
|
|
|
|
/* generate a self-signed X.509 certificate */
|
|
|
|
x509_signer = malloc_thing(x509cert_t);
|
|
|
|
*x509_signer = empty_x509cert;
|
|
|
|
x509_signer->serialNumber = serialNumber;
|
|
|
|
x509_signer->sigAlg = OID_SHA1_WITH_RSA;
|
|
|
|
x509_signer->issuer = subject;
|
|
|
|
x509_signer->notBefore = (notBefore)? notBefore
|
|
|
|
: time(NULL);
|
|
|
|
x509_signer->notAfter = (notAfter)? notAfter
|
|
|
|
: x509_signer->notBefore + validity;
|
|
|
|
x509_signer->subject = subject;
|
|
|
|
x509_signer->subjectAltName = subjectAltNames;
|
2009-06-05 19:14:31 +00:00
|
|
|
build_x509cert(x509_signer, public_key, private_key);
|
2009-04-19 19:16:09 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* output of self-signed X.509 certificate file
|
|
|
|
*/
|
|
|
|
if (filetype_out & CERT_SELF)
|
2006-04-28 07:14:48 +00:00
|
|
|
{
|
2009-04-20 20:53:38 +00:00
|
|
|
char *path = concatenate_paths(HOST_CERT_PATH, file_out_cert_self);
|
2009-04-19 19:16:09 +00:00
|
|
|
|
2009-04-20 06:58:00 +00:00
|
|
|
if (!chunk_write(x509_signer->certificate, path, "self-signed cert", 0022, force))
|
2009-04-19 19:16:09 +00:00
|
|
|
exit_scepclient("could not write self-signed cert file '%s'", path);
|
|
|
|
;
|
|
|
|
filetype_out &= ~CERT_SELF; /* delete CERT_SELF flag */
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
2009-04-19 19:16:09 +00:00
|
|
|
|
|
|
|
if (!filetype_out)
|
2006-04-28 07:14:48 +00:00
|
|
|
{
|
2009-04-19 19:16:09 +00:00
|
|
|
exit_scepclient(NULL); /* no further output required */
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
|
|
|
|
2009-04-19 19:16:09 +00:00
|
|
|
/*
|
|
|
|
* load ca encryption certificate
|
|
|
|
*/
|
2006-04-28 07:14:48 +00:00
|
|
|
{
|
2009-04-20 20:53:38 +00:00
|
|
|
char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_enc);
|
2009-04-19 19:16:09 +00:00
|
|
|
cert_t cert;
|
|
|
|
|
|
|
|
if (!load_cert(path, "encryption cacert", &cert))
|
|
|
|
{
|
|
|
|
exit_scepclient("could not load encryption cacert file '%s'", path);
|
|
|
|
}
|
|
|
|
x509_ca_enc = cert.u.x509;
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
|
|
|
|
2009-04-19 19:16:09 +00:00
|
|
|
/*
|
|
|
|
* input of PKCS#7 file
|
|
|
|
*/
|
|
|
|
if (filetype_in & PKCS7)
|
|
|
|
{
|
|
|
|
/* user wants to load a pkcs7 encrypted request
|
|
|
|
* operation is not yet supported!
|
|
|
|
* would require additional parsing of transaction-id
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2009-04-19 19:16:09 +00:00
|
|
|
pkcs7 = pkcs7_read_from_file(file_in_pkcs7);
|
|
|
|
|
|
|
|
*/
|
|
|
|
}
|
|
|
|
else
|
2006-04-28 07:14:48 +00:00
|
|
|
{
|
2009-04-19 19:16:09 +00:00
|
|
|
DBG(DBG_CONTROL,
|
|
|
|
DBG_log("building pkcs7 request")
|
|
|
|
)
|
|
|
|
pkcs7 = scep_build_request(pkcs10->request
|
|
|
|
, transID, SCEP_PKCSReq_MSG
|
|
|
|
, x509_ca_enc, pkcs7_symmetric_cipher
|
|
|
|
, x509_signer, pkcs7_digest_alg, private_key);
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
2009-04-19 19:16:09 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* output pkcs7 encrypted and signed certificate request
|
|
|
|
*/
|
|
|
|
if (filetype_out & PKCS7)
|
2006-04-28 07:14:48 +00:00
|
|
|
{
|
2009-04-20 20:53:38 +00:00
|
|
|
char *path = concatenate_paths(REQ_PATH, file_out_pkcs7);
|
2009-04-19 19:16:09 +00:00
|
|
|
|
2009-04-20 06:58:00 +00:00
|
|
|
if (!chunk_write(pkcs7, path, "pkcs7 encrypted request", 0022, force))
|
2009-04-19 19:16:09 +00:00
|
|
|
exit_scepclient("could not write pkcs7 file '%s'", path);
|
|
|
|
;
|
|
|
|
filetype_out &= ~PKCS7; /* delete PKCS7 flag */
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
2009-04-19 19:16:09 +00:00
|
|
|
|
|
|
|
if (!filetype_out)
|
|
|
|
{
|
|
|
|
exit_scepclient(NULL); /* no further output required */
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
2009-04-19 19:16:09 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* output certificate fetch from SCEP server
|
|
|
|
*/
|
|
|
|
if (filetype_out & CERT)
|
|
|
|
{
|
2009-04-20 20:53:38 +00:00
|
|
|
char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_sig);
|
2009-04-19 19:16:09 +00:00
|
|
|
cert_t cert;
|
2009-08-31 15:59:00 +00:00
|
|
|
time_t poll_start = 0;
|
2009-04-19 19:16:09 +00:00
|
|
|
|
|
|
|
x509cert_t *certs = NULL;
|
|
|
|
chunk_t envelopedData = chunk_empty;
|
|
|
|
chunk_t certData = chunk_empty;
|
|
|
|
contentInfo_t data = empty_contentInfo;
|
|
|
|
scep_attributes_t attrs = empty_scep_attributes;
|
|
|
|
|
|
|
|
if (!load_cert(path, "signature cacert", &cert))
|
|
|
|
exit_scepclient("could not load signature cacert file '%s'", path);
|
|
|
|
x509_ca_sig = cert.u.x509;
|
|
|
|
|
2009-04-29 08:09:35 +00:00
|
|
|
if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
|
|
|
|
http_get_request, &scep_response))
|
2009-04-19 19:16:09 +00:00
|
|
|
{
|
|
|
|
exit_scepclient("did not receive a valid scep response");
|
|
|
|
}
|
|
|
|
ugh = scep_parse_response(scep_response, transID, &data, &attrs
|
|
|
|
, x509_ca_sig);
|
|
|
|
if (ugh != NULL)
|
|
|
|
{
|
|
|
|
exit_scepclient(ugh);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* in case of manual mode, we are going into a polling loop */
|
|
|
|
if (attrs.pkiStatus == SCEP_PENDING)
|
|
|
|
{
|
|
|
|
plog(" scep request pending, polling every %d seconds"
|
|
|
|
, poll_interval);
|
2009-08-31 15:59:00 +00:00
|
|
|
poll_start = time_monotonic(NULL);
|
2009-04-19 19:16:09 +00:00
|
|
|
issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc"
|
|
|
|
, x509_ca_sig->subject
|
|
|
|
, subject);
|
|
|
|
}
|
|
|
|
while (attrs.pkiStatus == SCEP_PENDING)
|
|
|
|
{
|
|
|
|
if (max_poll_time > 0
|
2009-08-31 15:59:00 +00:00
|
|
|
&& (time_monotonic(NULL) - poll_start >= max_poll_time))
|
2009-04-19 19:16:09 +00:00
|
|
|
{
|
|
|
|
exit_scepclient("maximum poll time reached: %d seconds"
|
|
|
|
, max_poll_time);
|
|
|
|
}
|
|
|
|
DBG(DBG_CONTROL,
|
|
|
|
DBG_log("going to sleep for %d seconds", poll_interval)
|
|
|
|
)
|
|
|
|
sleep(poll_interval);
|
|
|
|
free(scep_response.ptr);
|
|
|
|
|
|
|
|
DBG(DBG_CONTROL,
|
|
|
|
DBG_log("fingerprint: %.*s", (int)fingerprint.len, fingerprint.ptr);
|
|
|
|
DBG_log("transaction ID: %.*s", (int)transID.len, transID.ptr)
|
|
|
|
)
|
|
|
|
|
|
|
|
chunk_free(&getCertInitial);
|
|
|
|
getCertInitial = scep_build_request(issuerAndSubject
|
|
|
|
, transID, SCEP_GetCertInitial_MSG
|
|
|
|
, x509_ca_enc, pkcs7_symmetric_cipher
|
|
|
|
, x509_signer, pkcs7_digest_alg, private_key);
|
|
|
|
|
2009-04-29 08:09:35 +00:00
|
|
|
if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
|
|
|
|
http_get_request, &scep_response))
|
2009-04-19 19:16:09 +00:00
|
|
|
{
|
|
|
|
exit_scepclient("did not receive a valid scep response");
|
|
|
|
}
|
|
|
|
ugh = scep_parse_response(scep_response, transID, &data, &attrs
|
|
|
|
, x509_ca_sig);
|
|
|
|
if (ugh != NULL)
|
|
|
|
{
|
|
|
|
exit_scepclient(ugh);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (attrs.pkiStatus != SCEP_SUCCESS)
|
|
|
|
{
|
|
|
|
exit_scepclient("reply status is not 'SUCCESS'");
|
|
|
|
}
|
|
|
|
|
|
|
|
envelopedData = data.content;
|
|
|
|
|
|
|
|
if (data.type != OID_PKCS7_DATA
|
2009-04-20 20:53:38 +00:00
|
|
|
|| !asn1_parse_simple_object(&envelopedData, ASN1_OCTET_STRING, 0, "data"))
|
2009-04-19 19:16:09 +00:00
|
|
|
{
|
|
|
|
exit_scepclient("contentInfo is not of type 'data'");
|
|
|
|
}
|
|
|
|
if (!pkcs7_parse_envelopedData(envelopedData, &certData
|
|
|
|
, serialNumber, private_key))
|
|
|
|
{
|
|
|
|
exit_scepclient("could not decrypt envelopedData");
|
|
|
|
}
|
|
|
|
if (!pkcs7_parse_signedData(certData, NULL, &certs, NULL, NULL))
|
|
|
|
{
|
|
|
|
exit_scepclient("error parsing the scep response");
|
|
|
|
}
|
|
|
|
chunk_free(&certData);
|
|
|
|
|
|
|
|
/* store the end entity certificate */
|
|
|
|
path = concatenate_paths(HOST_CERT_PATH, file_out_cert);
|
|
|
|
while (certs != NULL)
|
|
|
|
{
|
|
|
|
bool stored = FALSE;
|
|
|
|
x509cert_t *cert = certs;
|
|
|
|
|
|
|
|
if (!cert->isCA)
|
|
|
|
{
|
|
|
|
if (stored)
|
|
|
|
exit_scepclient("multiple certs received, only first stored");
|
2009-04-20 06:58:00 +00:00
|
|
|
if (!chunk_write(cert->certificate, path, "requested cert", 0022, force))
|
2009-04-19 19:16:09 +00:00
|
|
|
exit_scepclient("could not write cert file '%s'", path);
|
|
|
|
stored = TRUE;
|
|
|
|
}
|
|
|
|
certs = certs->next;
|
|
|
|
free_x509cert(cert);
|
|
|
|
}
|
|
|
|
filetype_out &= ~CERT; /* delete CERT flag */
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
|
|
|
|
2009-04-19 19:16:09 +00:00
|
|
|
exit_scepclient(NULL);
|
|
|
|
return -1; /* should never be reached */
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|