Device can be member of multiple groups
[strongswan.git] / src / scepclient / scepclient.c
1 /*
2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2005 Jan Hutter, Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <stdarg.h>
18 #include <stdio.h>
19 #include <stdlib.h>
20 #include <string.h>
21 #include <getopt.h>
22 #include <ctype.h>
23 #include <unistd.h>
24 #include <time.h>
25 #include <limits.h>
26 #include <syslog.h>
27
28 #include <library.h>
29 #include <utils/debug.h>
30 #include <asn1/asn1.h>
31 #include <asn1/oid.h>
32 #include <utils/optionsfrom.h>
33 #include <collections/enumerator.h>
34 #include <collections/linked_list.h>
35 #include <crypto/hashers/hasher.h>
36 #include <crypto/crypters/crypter.h>
37 #include <crypto/proposal/proposal_keywords.h>
38 #include <credentials/keys/private_key.h>
39 #include <credentials/keys/public_key.h>
40 #include <credentials/certificates/certificate.h>
41 #include <credentials/certificates/x509.h>
42 #include <credentials/certificates/pkcs10.h>
43 #include <credentials/sets/mem_cred.h>
44 #include <plugins/plugin.h>
45
46 #include "scep.h"
47
48 /*
49 * definition of some defaults
50 */
51
52 /* some paths */
53 #define REQ_PATH IPSEC_CONFDIR "/ipsec.d/reqs"
54 #define HOST_CERT_PATH IPSEC_CONFDIR "/ipsec.d/certs"
55 #define CA_CERT_PATH IPSEC_CONFDIR "/ipsec.d/cacerts"
56 #define PRIVATE_KEY_PATH IPSEC_CONFDIR "/ipsec.d/private"
57
58 /* default name of DER-encoded PKCS#1 private key file */
59 #define DEFAULT_FILENAME_PKCS1 "myKey.der"
60
61 /* default name of DER-encoded PKCS#10 certificate request file */
62 #define DEFAULT_FILENAME_PKCS10 "myReq.der"
63
64 /* default name of DER-encoded PKCS#7 file */
65 #define DEFAULT_FILENAME_PKCS7 "pkcs7.der"
66
67 /* default name of DER-encoded self-signed X.509 certificate file */
68 #define DEFAULT_FILENAME_CERT_SELF "selfCert.der"
69
70 /* default name of DER-encoded X.509 certificate file */
71 #define DEFAULT_FILENAME_CERT "myCert.der"
72
73 /* default name of DER-encoded CA cert file used for key encipherment */
74 #define DEFAULT_FILENAME_CACERT_ENC "caCert.der"
75
76 /* default name of the der encoded CA cert file used for signature verification */
77 #define DEFAULT_FILENAME_CACERT_SIG "caCert.der"
78
79 /* default prefix of the der encoded CA certificates received from the SCEP server */
80 #define DEFAULT_FILENAME_PREFIX_CACERT "caCert.der"
81
82 /* default certificate validity */
83 #define DEFAULT_CERT_VALIDITY 5 * 3600 * 24 * 365 /* seconds */
84
85 /* default polling time interval in SCEP manual mode */
86 #define DEFAULT_POLL_INTERVAL 20 /* seconds */
87
88 /* default key length for self-generated RSA keys */
89 #define DEFAULT_RSA_KEY_LENGTH 2048 /* bits */
90
91 /* default distinguished name */
92 #define DEFAULT_DN "C=CH, O=Linux strongSwan, CN="
93
94 /* minimum RSA key size */
95 #define RSA_MIN_OCTETS (512 / BITS_PER_BYTE)
96
97 /* challenge password buffer size */
98 #define MAX_PASSWORD_LENGTH 256
99
100 /* Max length of filename for tempfile */
101 #define MAX_TEMP_FILENAME_LENGTH 256
102
103
104 /* current scepclient version */
105 static const char *scepclient_version = "1.0";
106
107 /* by default the CRL policy is lenient */
108 bool strict_crl_policy = FALSE;
109
110 /* by default pluto does not check crls dynamically */
111 long crl_check_interval = 0;
112
113 /* by default pluto logs out after every smartcard use */
114 bool pkcs11_keep_state = FALSE;
115
116 /* by default HTTP fetch timeout is 30s */
117 static u_int http_timeout = 30;
118
119 /* address to bind for HTTP fetches */
120 static char* http_bind = NULL;
121
122 /* options read by optionsfrom */
123 options_t *options;
124
125 /*
126 * Global variables
127 */
128 chunk_t pkcs1;
129 chunk_t pkcs7;
130 chunk_t challengePassword;
131 chunk_t serialNumber;
132 chunk_t transID;
133 chunk_t fingerprint;
134 chunk_t encoding;
135 chunk_t pkcs10_encoding;
136 chunk_t issuerAndSubject;
137 chunk_t getCertInitial;
138 chunk_t scep_response;
139
140 linked_list_t *subjectAltNames;
141
142 identification_t *subject = NULL;
143 private_key_t *private_key = NULL;
144 public_key_t *public_key = NULL;
145 certificate_t *x509_signer = NULL;
146 certificate_t *x509_ca_enc = NULL;
147 certificate_t *x509_ca_sig = NULL;
148 certificate_t *pkcs10_req = NULL;
149
150 mem_cred_t *creds = NULL;
151
152 /* logging */
153 static bool log_to_stderr = TRUE;
154 static bool log_to_syslog = TRUE;
155 static level_t default_loglevel = 1;
156
157 /**
158 * logging function for scepclient
159 */
160 static void scepclient_dbg(debug_t group, level_t level, char *fmt, ...)
161 {
162 char buffer[8192];
163 char *current = buffer, *next;
164 va_list args;
165
166 if (level <= default_loglevel)
167 {
168 if (log_to_stderr)
169 {
170 va_start(args, fmt);
171 vfprintf(stderr, fmt, args);
172 va_end(args);
173 fprintf(stderr, "\n");
174 }
175 if (log_to_syslog)
176 {
177 /* write in memory buffer first */
178 va_start(args, fmt);
179 vsnprintf(buffer, sizeof(buffer), fmt, args);
180 va_end(args);
181
182 /* do a syslog with every line */
183 while (current)
184 {
185 next = strchr(current, '\n');
186 if (next)
187 {
188 *(next++) = '\0';
189 }
190 syslog(LOG_INFO, "%s\n", current);
191 current = next;
192 }
193 }
194 }
195 }
196
197 /**
198 * Initialize logging to stderr/syslog
199 */
200 static void init_log(const char *program)
201 {
202 dbg = scepclient_dbg;
203
204 if (log_to_stderr)
205 {
206 setbuf(stderr, NULL);
207 }
208 if (log_to_syslog)
209 {
210 openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
211 }
212 }
213
214 /**
215 * join two paths if filename is not absolute
216 */
217 static void join_paths(char *target, size_t target_size, char *parent,
218 char *filename)
219 {
220 if (*filename == '/' || *filename == '.')
221 {
222 snprintf(target, target_size, "%s", filename);
223 }
224 else
225 {
226 snprintf(target, target_size, "%s/%s", parent, filename);
227 }
228 }
229
230 /**
231 * add a suffix to a given filename, properly handling extensions like '.der'
232 */
233 static void add_path_suffix(char *target, size_t target_size, char *filename,
234 char *suffix_fmt, ...)
235 {
236 char suffix[PATH_MAX], *start, *dot;
237 va_list args;
238
239 va_start(args, suffix_fmt);
240 vsnprintf(suffix, sizeof(suffix), suffix_fmt, args);
241 va_end(args);
242
243 start = strrchr(filename, '/');
244 start = start ?: filename;
245 dot = strrchr(start, '.');
246
247 if (!dot || dot == start || dot[1] == '\0')
248 { /* no extension add suffix at the end */
249 snprintf(target, target_size, "%s%s", filename, suffix);
250 }
251 else
252 { /* add the suffix between the filename and the extension */
253 snprintf(target, target_size, "%.*s%s%s", (int)(dot - filename),
254 filename, suffix, dot);
255 }
256 }
257
258 /**
259 * @brief exit scepclient
260 *
261 * @param status 0 = OK, 1 = general discomfort
262 */
263 static void exit_scepclient(err_t message, ...)
264 {
265 int status = 0;
266
267 if (creds)
268 {
269 lib->credmgr->remove_set(lib->credmgr, &creds->set);
270 creds->destroy(creds);
271 }
272
273 DESTROY_IF(subject);
274 DESTROY_IF(private_key);
275 DESTROY_IF(public_key);
276 DESTROY_IF(x509_signer);
277 DESTROY_IF(x509_ca_enc);
278 DESTROY_IF(x509_ca_sig);
279 DESTROY_IF(pkcs10_req);
280 subjectAltNames->destroy_offset(subjectAltNames,
281 offsetof(identification_t, destroy));
282 free(pkcs1.ptr);
283 free(pkcs7.ptr);
284 free(serialNumber.ptr);
285 free(transID.ptr);
286 free(fingerprint.ptr);
287 free(encoding.ptr);
288 free(pkcs10_encoding.ptr);
289 free(issuerAndSubject.ptr);
290 free(getCertInitial.ptr);
291 free(scep_response.ptr);
292 options->destroy(options);
293
294 /* print any error message to stderr */
295 if (message != NULL && *message != '\0')
296 {
297 va_list args;
298 char m[8192];
299
300 va_start(args, message);
301 vsnprintf(m, sizeof(m), message, args);
302 va_end(args);
303
304 fprintf(stderr, "error: %s\n", m);
305 status = -1;
306 }
307 library_deinit();
308 exit(status);
309 }
310
311 /**
312 * @brief prints the program version and exits
313 *
314 */
315 static void version(void)
316 {
317 printf("scepclient %s\n", scepclient_version);
318 exit_scepclient(NULL);
319 }
320
321 /**
322 * @brief prints the usage of the program to the stderr output
323 *
324 * If message is set, program is exitet with 1 (error)
325 * @param message message in case of an error
326 */
327 static void usage(const char *message)
328 {
329 fprintf(stderr,
330 "Usage: scepclient\n"
331 " --help (-h) show usage and exit\n"
332 " --version (-v) show version and exit\n"
333 " --quiet (-q) do not write log output to stderr\n"
334 " --in (-i) <type>[=<filename>] use <filename> of <type> for input\n"
335 " <type> = pkcs1 | pkcs10 | cert-self\n"
336 " cacert-enc | cacert-sig\n"
337 " - if no pkcs1 input is defined, an RSA\n"
338 " key will be generated\n"
339 " - if no pkcs10 input is defined, a\n"
340 " PKCS#10 request will be generated\n"
341 " - if no cert-self input is defined, a\n"
342 " self-signed certificate will be generated\n"
343 " - if no filename is given, default is used\n"
344 " --out (-o) <type>[=<filename>] write output of <type> to <filename>\n"
345 " multiple outputs are allowed\n"
346 " <type> = pkcs1 | pkcs10 | pkcs7 | cert-self |\n"
347 " cert | cacert\n"
348 " - type cacert defines filename prefix of\n"
349 " received CA certificate(s)\n"
350 " - if no filename is given, default is used\n"
351 " --optionsfrom (-+) <filename> reads additional options from given file\n"
352 " --force (-f) force existing file(s)\n"
353 " --httptimeout (-T) timeout for HTTP operations (default: 30s)\n"
354 " --bind (-b) source address to bind for HTTP operations\n"
355 "\n"
356 "Options for key generation (pkcs1):\n"
357 " --keylength (-k) <bits> key length for RSA key generation\n"
358 " (default: 2048 bits)\n"
359 "\n"
360 "Options for validity:\n"
361 " --days (-D) <days> validity in days\n"
362 " --startdate (-S) <YYMMDDHHMMSS>Z not valid before date\n"
363 " --enddate (-E) <YYMMDDHHMMSS>Z not valid after date\n"
364 "\n"
365 "Options for request generation (pkcs10):\n"
366 " --dn (-d) <dn> comma separated list of distinguished names\n"
367 " --subjectAltName (-s) <t>=<v> include subjectAltName in certificate request\n"
368 " <t> = email | dns | ip \n"
369 " --password (-p) <pw> challenge password\n"
370 " - use '%%prompt' as pw for a password prompt\n"
371 " --algorithm (-a) [<type>=]<algo> algorithm to be used for PKCS#7 encryption,\n"
372 " PKCS#7 digest or PKCS#10 signature\n"
373 " <type> = enc | dgst | sig\n"
374 " - if no type is given enc is assumed\n"
375 " <algo> = des (default) | 3des | aes128 |\n"
376 " aes192 | aes256 | camellia128 |\n"
377 " camellia192 | camellia256\n"
378 " <algo> = md5 (default) | sha1 | sha256 |\n"
379 " sha384 | sha512\n"
380 "\n"
381 "Options for CA certificate acquisition:\n"
382 " --caname (-c) <name> name of CA to fetch CA certificate(s)\n"
383 " (default: CAIdentifier)\n"
384 "Options for enrollment (cert):\n"
385 " --url (-u) <url> url of the SCEP server\n"
386 " --method (-m) post | get http request type\n"
387 " --interval (-t) <seconds> poll interval in seconds (default 20s)\n"
388 " --maxpolltime (-x) <seconds> max poll time in seconds when in manual mode\n"
389 " (default: unlimited)\n"
390 "\n"
391 "Debugging output:\n"
392 " --debug (-l) <level> changes the log level (-1..4, default: 1)\n"
393 );
394 exit_scepclient(message);
395 }
396
397 /**
398 * @brief main of scepclient
399 *
400 * @param argc number of arguments
401 * @param argv pointer to the argument values
402 */
403 int main(int argc, char **argv)
404 {
405 /* external values */
406 extern char * optarg;
407 extern int optind;
408
409 /* type of input and output files */
410 typedef enum {
411 PKCS1 = 0x01,
412 PKCS10 = 0x02,
413 PKCS7 = 0x04,
414 CERT_SELF = 0x08,
415 CERT = 0x10,
416 CACERT_ENC = 0x20,
417 CACERT_SIG = 0x40,
418 } scep_filetype_t;
419
420 /* filetype to read from, defaults to "generate a key" */
421 scep_filetype_t filetype_in = 0;
422
423 /* filetype to write to, no default here */
424 scep_filetype_t filetype_out = 0;
425
426 /* input files */
427 char *file_in_pkcs1 = DEFAULT_FILENAME_PKCS1;
428 char *file_in_pkcs10 = DEFAULT_FILENAME_PKCS10;
429 char *file_in_cert_self = DEFAULT_FILENAME_CERT_SELF;
430 char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC;
431 char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG;
432
433 /* output files */
434 char *file_out_pkcs1 = DEFAULT_FILENAME_PKCS1;
435 char *file_out_pkcs10 = DEFAULT_FILENAME_PKCS10;
436 char *file_out_pkcs7 = DEFAULT_FILENAME_PKCS7;
437 char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF;
438 char *file_out_cert = DEFAULT_FILENAME_CERT;
439 char *file_out_ca_cert = DEFAULT_FILENAME_CACERT_ENC;
440
441 /* by default user certificate is requested */
442 bool request_ca_certificate = FALSE;
443
444 /* by default existing files are not overwritten */
445 bool force = FALSE;
446
447 /* length of RSA key in bits */
448 u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH;
449
450 /* validity of self-signed certificate */
451 time_t validity = DEFAULT_CERT_VALIDITY;
452 time_t notBefore = 0;
453 time_t notAfter = 0;
454
455 /* distinguished name for requested certificate, ASCII format */
456 char *distinguishedName = NULL;
457
458 /* challenge password */
459 char challenge_password_buffer[MAX_PASSWORD_LENGTH];
460
461 /* symmetric encryption algorithm used by pkcs7, default is DES */
462 encryption_algorithm_t pkcs7_symmetric_cipher = ENCR_DES;
463 size_t pkcs7_key_size = 0;
464
465 /* digest algorithm used by pkcs7, default is MD5 */
466 hash_algorithm_t pkcs7_digest_alg = HASH_MD5;
467
468 /* signature algorithm used by pkcs10, default is MD5 */
469 hash_algorithm_t pkcs10_signature_alg = HASH_MD5;
470
471 /* URL of the SCEP-Server */
472 char *scep_url = NULL;
473
474 /* Name of CA to fetch CA certs for */
475 char *ca_name = "CAIdentifier";
476
477 /* http request method, default is GET */
478 bool http_get_request = TRUE;
479
480 /* poll interval time in manual mode in seconds */
481 u_int poll_interval = DEFAULT_POLL_INTERVAL;
482
483 /* maximum poll time */
484 u_int max_poll_time = 0;
485
486 err_t ugh = NULL;
487
488 /* initialize library */
489 if (!library_init(NULL))
490 {
491 library_deinit();
492 exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
493 }
494 if (lib->integrity &&
495 !lib->integrity->check_file(lib->integrity, "scepclient", argv[0]))
496 {
497 fprintf(stderr, "integrity check of scepclient failed\n");
498 library_deinit();
499 exit(SS_RC_DAEMON_INTEGRITY);
500 }
501
502 /* initialize global variables */
503 pkcs1 = chunk_empty;
504 pkcs7 = chunk_empty;
505 serialNumber = chunk_empty;
506 transID = chunk_empty;
507 fingerprint = chunk_empty;
508 encoding = chunk_empty;
509 pkcs10_encoding = chunk_empty;
510 issuerAndSubject = chunk_empty;
511 challengePassword = chunk_empty;
512 getCertInitial = chunk_empty;
513 scep_response = chunk_empty;
514 subjectAltNames = linked_list_create();
515 options = options_create();
516
517 for (;;)
518 {
519 static const struct option long_opts[] = {
520 /* name, has_arg, flag, val */
521 { "help", no_argument, NULL, 'h' },
522 { "version", no_argument, NULL, 'v' },
523 { "optionsfrom", required_argument, NULL, '+' },
524 { "quiet", no_argument, NULL, 'q' },
525 { "debug", required_argument, NULL, 'l' },
526 { "in", required_argument, NULL, 'i' },
527 { "out", required_argument, NULL, 'o' },
528 { "force", no_argument, NULL, 'f' },
529 { "httptimeout", required_argument, NULL, 'T' },
530 { "bind", required_argument, NULL, 'b' },
531 { "keylength", required_argument, NULL, 'k' },
532 { "dn", required_argument, NULL, 'd' },
533 { "days", required_argument, NULL, 'D' },
534 { "startdate", required_argument, NULL, 'S' },
535 { "enddate", required_argument, NULL, 'E' },
536 { "subjectAltName", required_argument, NULL, 's' },
537 { "password", required_argument, NULL, 'p' },
538 { "algorithm", required_argument, NULL, 'a' },
539 { "url", required_argument, NULL, 'u' },
540 { "caname", required_argument, NULL, 'c'},
541 { "method", required_argument, NULL, 'm' },
542 { "interval", required_argument, NULL, 't' },
543 { "maxpolltime", required_argument, NULL, 'x' },
544 { 0,0,0,0 }
545 };
546
547 /* parse next option */
548 int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:c:m:t:x:APRCMS", long_opts, NULL);
549
550 switch (c)
551 {
552 case EOF: /* end of flags */
553 break;
554
555 case 'h': /* --help */
556 usage(NULL);
557
558 case 'v': /* --version */
559 version();
560
561 case 'q': /* --quiet */
562 log_to_stderr = FALSE;
563 continue;
564
565 case 'l': /* --debug <level> */
566 default_loglevel = atoi(optarg);
567 continue;
568
569 case 'i': /* --in <type> [= <filename>] */
570 {
571 char *filename = strstr(optarg, "=");
572
573 if (filename)
574 {
575 /* replace '=' by '\0' */
576 *filename = '\0';
577 /* set pointer to start of filename */
578 filename++;
579 }
580 if (strcaseeq("pkcs1", optarg))
581 {
582 filetype_in |= PKCS1;
583 if (filename)
584 file_in_pkcs1 = filename;
585 }
586 else if (strcaseeq("pkcs10", optarg))
587 {
588 filetype_in |= PKCS10;
589 if (filename)
590 file_in_pkcs10 = filename;
591 }
592 else if (strcaseeq("cacert-enc", optarg))
593 {
594 filetype_in |= CACERT_ENC;
595 if (filename)
596 file_in_cacert_enc = filename;
597 }
598 else if (strcaseeq("cacert-sig", optarg))
599 {
600 filetype_in |= CACERT_SIG;
601 if (filename)
602 file_in_cacert_sig = filename;
603 }
604 else if (strcaseeq("cert-self", optarg))
605 {
606 filetype_in |= CERT_SELF;
607 if (filename)
608 file_in_cert_self = filename;
609 }
610 else
611 {
612 usage("invalid --in file type");
613 }
614 continue;
615 }
616
617 case 'o': /* --out <type> [= <filename>] */
618 {
619 char *filename = strstr(optarg, "=");
620
621 if (filename)
622 {
623 /* replace '=' by '\0' */
624 *filename = '\0';
625 /* set pointer to start of filename */
626 filename++;
627 }
628 if (strcaseeq("pkcs1", optarg))
629 {
630 filetype_out |= PKCS1;
631 if (filename)
632 file_out_pkcs1 = filename;
633 }
634 else if (strcaseeq("pkcs10", optarg))
635 {
636 filetype_out |= PKCS10;
637 if (filename)
638 file_out_pkcs10 = filename;
639 }
640 else if (strcaseeq("pkcs7", optarg))
641 {
642 filetype_out |= PKCS7;
643 if (filename)
644 file_out_pkcs7 = filename;
645 }
646 else if (strcaseeq("cert-self", optarg))
647 {
648 filetype_out |= CERT_SELF;
649 if (filename)
650 file_out_cert_self = filename;
651 }
652 else if (strcaseeq("cert", optarg))
653 {
654 filetype_out |= CERT;
655 if (filename)
656 file_out_cert = filename;
657 }
658 else if (strcaseeq("cacert", optarg))
659 {
660 request_ca_certificate = TRUE;
661 if (filename)
662 file_out_ca_cert = filename;
663 }
664 else
665 {
666 usage("invalid --out file type");
667 }
668 continue;
669 }
670
671 case 'f': /* --force */
672 force = TRUE;
673 continue;
674
675 case 'T': /* --httptimeout */
676 http_timeout = atoi(optarg);
677 if (http_timeout <= 0)
678 {
679 usage("invalid httptimeout specified");
680 }
681 continue;
682
683 case 'b': /* --bind */
684 http_bind = optarg;
685 continue;
686
687 case '+': /* --optionsfrom <filename> */
688 if (!options->from(options, optarg, &argc, &argv, optind))
689 {
690 exit_scepclient("optionsfrom failed");
691 }
692 continue;
693
694 case 'k': /* --keylength <length> */
695 {
696 div_t q;
697
698 rsa_keylength = atoi(optarg);
699 if (rsa_keylength == 0)
700 usage("invalid keylength");
701
702 /* check if key length is a multiple of 8 bits */
703 q = div(rsa_keylength, 2*BITS_PER_BYTE);
704 if (q.rem != 0)
705 {
706 exit_scepclient("keylength is not a multiple of %d bits!"
707 , 2*BITS_PER_BYTE);
708 }
709 continue;
710 }
711
712 case 'D': /* --days */
713 if (optarg == NULL || !isdigit(optarg[0]))
714 {
715 usage("missing number of days");
716 }
717 else
718 {
719 char *endptr;
720 long days = strtol(optarg, &endptr, 0);
721
722 if (*endptr != '\0' || endptr == optarg
723 || days <= 0)
724 usage("<days> must be a positive number");
725 validity = 24*3600*days;
726 }
727 continue;
728
729 case 'S': /* --startdate */
730 if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
731 {
732 usage("date format must be YYMMDDHHMMSSZ");
733 }
734 else
735 {
736 chunk_t date = { optarg, 13 };
737 notBefore = asn1_to_time(&date, ASN1_UTCTIME);
738 }
739 continue;
740
741 case 'E': /* --enddate */
742 if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
743 {
744 usage("date format must be YYMMDDHHMMSSZ");
745 }
746 else
747 {
748 chunk_t date = { optarg, 13 };
749 notAfter = asn1_to_time(&date, ASN1_UTCTIME);
750 }
751 continue;
752
753 case 'd': /* --dn */
754 if (distinguishedName)
755 {
756 usage("only one distinguished name allowed");
757 }
758 distinguishedName = optarg;
759 continue;
760
761 case 's': /* --subjectAltName */
762 {
763 char *value = strstr(optarg, "=");
764
765 if (value)
766 {
767 /* replace '=' by '\0' */
768 *value = '\0';
769 /* set pointer to start of value */
770 value++;
771 }
772
773 if (strcaseeq("email", optarg) ||
774 strcaseeq("dns", optarg) ||
775 strcaseeq("ip", optarg))
776 {
777 subjectAltNames->insert_last(subjectAltNames,
778 identification_create_from_string(value));
779 continue;
780 }
781 else
782 {
783 usage("invalid --subjectAltName type");
784 continue;
785 }
786 }
787
788 case 'p': /* --password */
789 if (challengePassword.len > 0)
790 {
791 usage("only one challenge password allowed");
792 }
793 if (strcaseeq("%prompt", optarg))
794 {
795 printf("Challenge password: ");
796 if (fgets(challenge_password_buffer,
797 sizeof(challenge_password_buffer) - 1, stdin))
798 {
799 challengePassword.ptr = challenge_password_buffer;
800 /* discard the terminating '\n' from the input */
801 challengePassword.len = strlen(challenge_password_buffer) - 1;
802 }
803 else
804 {
805 usage("challenge password could not be read");
806 }
807 }
808 else
809 {
810 challengePassword.ptr = optarg;
811 challengePassword.len = strlen(optarg);
812 }
813 continue;
814
815 case 'u': /* -- url */
816 if (scep_url)
817 {
818 usage("only one URL argument allowed");
819 }
820 scep_url = optarg;
821 continue;
822
823 case 'c': /* -- caname */
824 ca_name = optarg;
825 continue;
826
827 case 'm': /* --method */
828 if (strcaseeq("get", optarg))
829 {
830 http_get_request = TRUE;
831 }
832 else if (strcaseeq("post", optarg))
833 {
834 http_get_request = FALSE;
835 }
836 else
837 {
838 usage("invalid http request method specified");
839 }
840 continue;
841
842 case 't': /* --interval */
843 poll_interval = atoi(optarg);
844 if (poll_interval <= 0)
845 {
846 usage("invalid interval specified");
847 }
848 continue;
849
850 case 'x': /* --maxpolltime */
851 max_poll_time = atoi(optarg);
852 continue;
853
854 case 'a': /*--algorithm [<type>=]algo */
855 {
856 const proposal_token_t *token;
857 char *type = optarg;
858 char *algo = strstr(optarg, "=");
859
860 if (algo)
861 {
862 *algo = '\0';
863 algo++;
864 }
865 else
866 {
867 type = "enc";
868 algo = optarg;
869 }
870
871 if (strcaseeq("enc", type))
872 {
873 token = lib->proposal->get_token(lib->proposal, algo);
874 if (token == NULL || token->type != ENCRYPTION_ALGORITHM)
875 {
876 usage("invalid algorithm specified");
877 }
878 pkcs7_symmetric_cipher = token->algorithm;
879 pkcs7_key_size = token->keysize;
880 if (encryption_algorithm_to_oid(token->algorithm,
881 token->keysize) == OID_UNKNOWN)
882 {
883 usage("unsupported encryption algorithm specified");
884 }
885 }
886 else if (strcaseeq("dgst", type) ||
887 strcaseeq("sig", type))
888 {
889 hash_algorithm_t hash;
890
891 token = lib->proposal->get_token(lib->proposal, algo);
892 if (token == NULL || token->type != INTEGRITY_ALGORITHM)
893 {
894 usage("invalid algorithm specified");
895 }
896 hash = hasher_algorithm_from_integrity(token->algorithm,
897 NULL);
898 if (hash == OID_UNKNOWN)
899 {
900 usage("invalid algorithm specified");
901 }
902 if (strcaseeq("dgst", type))
903 {
904 pkcs7_digest_alg = hash;
905 }
906 else
907 {
908 pkcs10_signature_alg = hash;
909 }
910 }
911 else
912 {
913 usage("invalid --algorithm type");
914 }
915 continue;
916 }
917 default:
918 usage("unknown option");
919 }
920 /* break from loop */
921 break;
922 }
923
924 init_log("scepclient");
925
926 /* load plugins, further infrastructure may need it */
927 if (!lib->plugins->load(lib->plugins, NULL,
928 lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS)))
929 {
930 exit_scepclient("plugin loading failed");
931 }
932 lib->plugins->status(lib->plugins, LEVEL_DIAG);
933
934 if ((filetype_out == 0) && (!request_ca_certificate))
935 {
936 usage("--out filetype required");
937 }
938 if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0))
939 {
940 usage("in CA certificate request, no other --in or --out option allowed");
941 }
942
943 /* check if url is given, if cert output defined */
944 if (((filetype_out & CERT) || request_ca_certificate) && !scep_url)
945 {
946 usage("URL of SCEP server required");
947 }
948
949 /* check for sanity of --in/--out */
950 if (!filetype_in && (filetype_in > filetype_out))
951 {
952 usage("cannot generate --out of given --in!");
953 }
954
955 /* get CA cert */
956 if (request_ca_certificate)
957 {
958 char ca_path[PATH_MAX];
959 container_t *container;
960 pkcs7_t *pkcs7;
961
962 if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)),
963 SCEP_GET_CA_CERT, http_get_request,
964 http_timeout, http_bind, &scep_response))
965 {
966 exit_scepclient("did not receive a valid scep response");
967 }
968
969 join_paths(ca_path, sizeof(ca_path), CA_CERT_PATH, file_out_ca_cert);
970
971 pkcs7 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
972 BUILD_BLOB_ASN1_DER, scep_response, BUILD_END);
973
974 if (!pkcs7)
975 { /* no PKCS#7 encoded CA+RA certificates, assume simple CA cert */
976
977 DBG1(DBG_APP, "unable to parse PKCS#7, assuming plain CA cert");
978 if (!chunk_write(scep_response, ca_path, "ca cert", 0022, force))
979 {
980 exit_scepclient("could not write ca cert file '%s'", ca_path);
981 }
982 }
983 else
984 {
985 enumerator_t *enumerator;
986 certificate_t *cert;
987 int ra_certs = 0, ca_certs = 0;
988 int ra_index = 1, ca_index = 1;
989
990 enumerator = pkcs7->create_cert_enumerator(pkcs7);
991 while (enumerator->enumerate(enumerator, &cert))
992 {
993 x509_t *x509 = (x509_t*)cert;
994 if (x509->get_flags(x509) & X509_CA)
995 {
996 ca_certs++;
997 }
998 else
999 {
1000 ra_certs++;
1001 }
1002 }
1003 enumerator->destroy(enumerator);
1004
1005 enumerator = pkcs7->create_cert_enumerator(pkcs7);
1006 while (enumerator->enumerate(enumerator, &cert))
1007 {
1008 x509_t *x509 = (x509_t*)cert;
1009 bool ca_cert = x509->get_flags(x509) & X509_CA;
1010 char cert_path[PATH_MAX], *path = ca_path;
1011
1012 if (ca_cert && ca_certs > 1)
1013 {
1014 add_path_suffix(cert_path, sizeof(cert_path), ca_path,
1015 "-%.1d", ca_index++);
1016 path = cert_path;
1017 }
1018 else if (!ca_cert)
1019 { /* use CA name as base for RA certs */
1020 if (ra_certs > 1)
1021 {
1022 add_path_suffix(cert_path, sizeof(cert_path), ca_path,
1023 "-ra-%.1d", ra_index++);
1024 }
1025 else
1026 {
1027 add_path_suffix(cert_path, sizeof(cert_path), ca_path,
1028 "-ra");
1029 }
1030 path = cert_path;
1031 }
1032
1033 if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
1034 !chunk_write(encoding, path,
1035 ca_cert ? "ca cert" : "ra cert", 0022, force))
1036 {
1037 exit_scepclient("could not write cert file '%s'", path);
1038 }
1039 chunk_free(&encoding);
1040 }
1041 enumerator->destroy(enumerator);
1042 container = &pkcs7->container;
1043 container->destroy(container);
1044 }
1045 exit_scepclient(NULL); /* no further output required */
1046 }
1047
1048 creds = mem_cred_create();
1049 lib->credmgr->add_set(lib->credmgr, &creds->set);
1050
1051 /*
1052 * input of PKCS#1 file
1053 */
1054 if (filetype_in & PKCS1) /* load an RSA key pair from file */
1055 {
1056 char path[PATH_MAX];
1057
1058 join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_in_pkcs1);
1059
1060 private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
1061 BUILD_FROM_FILE, path, BUILD_END);
1062 }
1063 else /* generate an RSA key pair */
1064 {
1065 private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
1066 BUILD_KEY_SIZE, rsa_keylength,
1067 BUILD_END);
1068 }
1069 if (private_key == NULL)
1070 {
1071 exit_scepclient("no RSA private key available");
1072 }
1073 creds->add_key(creds, private_key->get_ref(private_key));
1074 public_key = private_key->get_public_key(private_key);
1075
1076 /* check for minimum key length */
1077 if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS / BITS_PER_BYTE)
1078 {
1079 exit_scepclient("length of RSA key has to be at least %d bits",
1080 RSA_MIN_OCTETS * BITS_PER_BYTE);
1081 }
1082
1083 /*
1084 * input of PKCS#10 file
1085 */
1086 if (filetype_in & PKCS10)
1087 {
1088 char path[PATH_MAX];
1089
1090 join_paths(path, sizeof(path), REQ_PATH, file_in_pkcs10);
1091
1092 pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
1093 CERT_PKCS10_REQUEST, BUILD_FROM_FILE,
1094 path, BUILD_END);
1095 if (!pkcs10_req)
1096 {
1097 exit_scepclient("could not read certificate request '%s'", path);
1098 }
1099 subject = pkcs10_req->get_subject(pkcs10_req);
1100 subject = subject->clone(subject);
1101 }
1102 else
1103 {
1104 if (distinguishedName == NULL)
1105 {
1106 char buf[BUF_LEN];
1107 int n = sprintf(buf, DEFAULT_DN);
1108
1109 /* set the common name to the hostname */
1110 if (gethostname(buf + n, BUF_LEN - n) || strlen(buf) == n)
1111 {
1112 exit_scepclient("no hostname defined, use "
1113 "--dn <distinguished name> option");
1114 }
1115 distinguishedName = buf;
1116 }
1117
1118 DBG2(DBG_APP, "dn: '%s'", distinguishedName);
1119 subject = identification_create_from_string(distinguishedName);
1120 if (subject->get_type(subject) != ID_DER_ASN1_DN)
1121 {
1122 exit_scepclient("parsing of distinguished name failed");
1123 }
1124
1125 DBG2(DBG_APP, "building pkcs10 object:");
1126 pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
1127 CERT_PKCS10_REQUEST,
1128 BUILD_SIGNING_KEY, private_key,
1129 BUILD_SUBJECT, subject,
1130 BUILD_SUBJECT_ALTNAMES, subjectAltNames,
1131 BUILD_CHALLENGE_PWD, challengePassword,
1132 BUILD_DIGEST_ALG, pkcs10_signature_alg,
1133 BUILD_END);
1134 if (!pkcs10_req)
1135 {
1136 exit_scepclient("generating pkcs10 request failed");
1137 }
1138 }
1139 pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding);
1140 fingerprint = scep_generate_pkcs10_fingerprint(pkcs10_encoding);
1141 DBG1(DBG_APP, " fingerprint: %s", fingerprint.ptr);
1142
1143 /*
1144 * output of PKCS#10 file
1145 */
1146 if (filetype_out & PKCS10)
1147 {
1148 char path[PATH_MAX];
1149
1150 join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs10);
1151
1152 if (!chunk_write(pkcs10_encoding, path, "pkcs10", 0022, force))
1153 {
1154 exit_scepclient("could not write pkcs10 file '%s'", path);
1155 }
1156 filetype_out &= ~PKCS10; /* delete PKCS10 flag */
1157 }
1158
1159 if (!filetype_out)
1160 {
1161 exit_scepclient(NULL); /* no further output required */
1162 }
1163
1164 /*
1165 * output of PKCS#1 file
1166 */
1167 if (filetype_out & PKCS1)
1168 {
1169 char path[PATH_MAX];
1170
1171 join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_out_pkcs1);
1172
1173 DBG2(DBG_APP, "building pkcs1 object:");
1174 if (!private_key->get_encoding(private_key, PRIVKEY_ASN1_DER, &pkcs1) ||
1175 !chunk_write(pkcs1, path, "pkcs1", 0066, force))
1176 {
1177 exit_scepclient("could not write pkcs1 file '%s'", path);
1178 }
1179 filetype_out &= ~PKCS1; /* delete PKCS1 flag */
1180 }
1181
1182 if (!filetype_out)
1183 {
1184 exit_scepclient(NULL); /* no further output required */
1185 }
1186
1187 scep_generate_transaction_id(public_key, &transID, &serialNumber);
1188 DBG1(DBG_APP, " transaction ID: %.*s", (int)transID.len, transID.ptr);
1189
1190 /*
1191 * read or generate self-signed X.509 certificate
1192 */
1193 if (filetype_in & CERT_SELF)
1194 {
1195 char path[PATH_MAX];
1196
1197 join_paths(path, sizeof(path), HOST_CERT_PATH, file_in_cert_self);
1198
1199 x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
1200 BUILD_FROM_FILE, path, BUILD_END);
1201 if (!x509_signer)
1202 {
1203 exit_scepclient("could not read certificate file '%s'", path);
1204 }
1205 }
1206 else
1207 {
1208 notBefore = notBefore ? notBefore : time(NULL);
1209 notAfter = notAfter ? notAfter : (notBefore + validity);
1210 x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
1211 BUILD_SIGNING_KEY, private_key,
1212 BUILD_PUBLIC_KEY, public_key,
1213 BUILD_SUBJECT, subject,
1214 BUILD_NOT_BEFORE_TIME, notBefore,
1215 BUILD_NOT_AFTER_TIME, notAfter,
1216 BUILD_SERIAL, serialNumber,
1217 BUILD_SUBJECT_ALTNAMES, subjectAltNames,
1218 BUILD_END);
1219 if (!x509_signer)
1220 {
1221 exit_scepclient("generating certificate failed");
1222 }
1223 }
1224 creds->add_cert(creds, TRUE, x509_signer->get_ref(x509_signer));
1225
1226 /*
1227 * output of self-signed X.509 certificate file
1228 */
1229 if (filetype_out & CERT_SELF)
1230 {
1231 char path[PATH_MAX];
1232
1233 join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert_self);
1234
1235 if (!x509_signer->get_encoding(x509_signer, CERT_ASN1_DER, &encoding))
1236 {
1237 exit_scepclient("encoding certificate failed");
1238 }
1239 if (!chunk_write(encoding, path, "self-signed cert", 0022, force))
1240 {
1241 exit_scepclient("could not write self-signed cert file '%s'", path);
1242 }
1243 chunk_free(&encoding);
1244 filetype_out &= ~CERT_SELF; /* delete CERT_SELF flag */
1245 }
1246
1247 if (!filetype_out)
1248 {
1249 exit_scepclient(NULL); /* no further output required */
1250 }
1251
1252 /*
1253 * load ca encryption certificate
1254 */
1255 {
1256 char path[PATH_MAX];
1257
1258 join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_enc);
1259
1260 x509_ca_enc = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
1261 BUILD_FROM_FILE, path, BUILD_END);
1262 if (!x509_ca_enc)
1263 {
1264 exit_scepclient("could not load encryption cacert file '%s'", path);
1265 }
1266 }
1267
1268 /*
1269 * input of PKCS#7 file
1270 */
1271 if (filetype_in & PKCS7)
1272 {
1273 /* user wants to load a pkcs7 encrypted request
1274 * operation is not yet supported!
1275 * would require additional parsing of transaction-id
1276
1277 pkcs7 = pkcs7_read_from_file(file_in_pkcs7);
1278
1279 */
1280 }
1281 else
1282 {
1283 DBG2(DBG_APP, "building pkcs7 request");
1284 pkcs7 = scep_build_request(pkcs10_encoding,
1285 transID, SCEP_PKCSReq_MSG, x509_ca_enc,
1286 pkcs7_symmetric_cipher, pkcs7_key_size,
1287 x509_signer, pkcs7_digest_alg, private_key);
1288 if (!pkcs7.ptr)
1289 {
1290 exit_scepclient("failed to build pkcs7 request");
1291 }
1292 }
1293
1294 /*
1295 * output pkcs7 encrypted and signed certificate request
1296 */
1297 if (filetype_out & PKCS7)
1298 {
1299 char path[PATH_MAX];
1300
1301 join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs7);
1302
1303 if (!chunk_write(pkcs7, path, "pkcs7 encrypted request", 0022, force))
1304 {
1305 exit_scepclient("could not write pkcs7 file '%s'", path);
1306 }
1307 filetype_out &= ~PKCS7; /* delete PKCS7 flag */
1308 }
1309
1310 if (!filetype_out)
1311 {
1312 exit_scepclient(NULL); /* no further output required */
1313 }
1314
1315 /*
1316 * output certificate fetch from SCEP server
1317 */
1318 if (filetype_out & CERT)
1319 {
1320 bool stored = FALSE;
1321 certificate_t *cert;
1322 enumerator_t *enumerator;
1323 char path[PATH_MAX];
1324 time_t poll_start = 0;
1325 pkcs7_t *p7;
1326 container_t *container = NULL;
1327 chunk_t chunk;
1328 scep_attributes_t attrs = empty_scep_attributes;
1329
1330 join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_sig);
1331
1332 x509_ca_sig = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
1333 BUILD_FROM_FILE, path, BUILD_END);
1334 if (!x509_ca_sig)
1335 {
1336 exit_scepclient("could not load signature cacert file '%s'", path);
1337 }
1338
1339 creds->add_cert(creds, TRUE, x509_ca_sig->get_ref(x509_ca_sig));
1340
1341 if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
1342 http_get_request, http_timeout, http_bind, &scep_response))
1343 {
1344 exit_scepclient("did not receive a valid scep response");
1345 }
1346 ugh = scep_parse_response(scep_response, transID, &container, &attrs);
1347 if (ugh != NULL)
1348 {
1349 exit_scepclient(ugh);
1350 }
1351
1352 /* in case of manual mode, we are going into a polling loop */
1353 if (attrs.pkiStatus == SCEP_PENDING)
1354 {
1355 identification_t *issuer = x509_ca_sig->get_subject(x509_ca_sig);
1356
1357 DBG1(DBG_APP, " scep request pending, polling every %d seconds",
1358 poll_interval);
1359 poll_start = time_monotonic(NULL);
1360 issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc",
1361 issuer->get_encoding(issuer),
1362 subject->get_encoding(subject));
1363 }
1364 while (attrs.pkiStatus == SCEP_PENDING)
1365 {
1366 if (max_poll_time > 0 &&
1367 (time_monotonic(NULL) - poll_start >= max_poll_time))
1368 {
1369 exit_scepclient("maximum poll time reached: %d seconds"
1370 , max_poll_time);
1371 }
1372 DBG2(DBG_APP, "going to sleep for %d seconds", poll_interval);
1373 sleep(poll_interval);
1374 free(scep_response.ptr);
1375 container->destroy(container);
1376
1377 DBG2(DBG_APP, "fingerprint: %.*s",
1378 (int)fingerprint.len, fingerprint.ptr);
1379 DBG2(DBG_APP, "transaction ID: %.*s",
1380 (int)transID.len, transID.ptr);
1381
1382 chunk_free(&getCertInitial);
1383 getCertInitial = scep_build_request(issuerAndSubject,
1384 transID, SCEP_GetCertInitial_MSG, x509_ca_enc,
1385 pkcs7_symmetric_cipher, pkcs7_key_size,
1386 x509_signer, pkcs7_digest_alg, private_key);
1387 if (!getCertInitial.ptr)
1388 {
1389 exit_scepclient("failed to build scep request");
1390 }
1391 if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
1392 http_get_request, http_timeout, http_bind, &scep_response))
1393 {
1394 exit_scepclient("did not receive a valid scep response");
1395 }
1396 ugh = scep_parse_response(scep_response, transID, &container, &attrs);
1397 if (ugh != NULL)
1398 {
1399 exit_scepclient(ugh);
1400 }
1401 }
1402
1403 if (attrs.pkiStatus != SCEP_SUCCESS)
1404 {
1405 container->destroy(container);
1406 exit_scepclient("reply status is not 'SUCCESS'");
1407 }
1408
1409 if (!container->get_data(container, &chunk))
1410 {
1411 container->destroy(container);
1412 exit_scepclient("extracting signed-data failed");
1413 }
1414 container->destroy(container);
1415
1416 /* decrypt enveloped-data container */
1417 container = lib->creds->create(lib->creds,
1418 CRED_CONTAINER, CONTAINER_PKCS7,
1419 BUILD_BLOB_ASN1_DER, chunk,
1420 BUILD_END);
1421 free(chunk.ptr);
1422 if (!container)
1423 {
1424 exit_scepclient("could not decrypt envelopedData");
1425 }
1426
1427 if (!container->get_data(container, &chunk))
1428 {
1429 container->destroy(container);
1430 exit_scepclient("extracting encrypted-data failed");
1431 }
1432 container->destroy(container);
1433
1434 /* parse signed-data container */
1435 container = lib->creds->create(lib->creds,
1436 CRED_CONTAINER, CONTAINER_PKCS7,
1437 BUILD_BLOB_ASN1_DER, chunk,
1438 BUILD_END);
1439 free(chunk.ptr);
1440 if (!container)
1441 {
1442 exit_scepclient("could not parse singed-data");
1443 }
1444 /* no need to verify the signed-data container, the signature does NOT
1445 * cover the contained certificates */
1446
1447 /* store the end entity certificate */
1448 join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert);
1449
1450 p7 = (pkcs7_t*)container;
1451 enumerator = p7->create_cert_enumerator(p7);
1452 while (enumerator->enumerate(enumerator, &cert))
1453 {
1454 x509_t *x509 = (x509_t*)cert;
1455
1456 if (!(x509->get_flags(x509) & X509_CA))
1457 {
1458 if (stored)
1459 {
1460 exit_scepclient("multiple certs received, only first stored");
1461 }
1462 if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
1463 !chunk_write(encoding, path, "requested cert", 0022, force))
1464 {
1465 exit_scepclient("could not write cert file '%s'", path);
1466 }
1467 chunk_free(&encoding);
1468 stored = TRUE;
1469 }
1470 }
1471 enumerator->destroy(enumerator);
1472 container->destroy(container);
1473 chunk_free(&attrs.transID);
1474 chunk_free(&attrs.senderNonce);
1475 chunk_free(&attrs.recipientNonce);
1476
1477 filetype_out &= ~CERT; /* delete CERT flag */
1478 }
1479
1480 exit_scepclient(NULL);
1481 return -1; /* should never be reached */
1482 }