nonceg: Insert id mapping when allocating nonce
[strongswan.git] / src / scepclient / scepclient.c
1 /*
2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2005 Jan Hutter, Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <stdarg.h>
18 #include <stdio.h>
19 #include <stdlib.h>
20 #include <string.h>
21 #include <getopt.h>
22 #include <ctype.h>
23 #include <unistd.h>
24 #include <time.h>
25 #include <limits.h>
26 #include <syslog.h>
27
28 #include <library.h>
29 #include <utils/debug.h>
30 #include <asn1/asn1.h>
31 #include <asn1/oid.h>
32 #include <utils/optionsfrom.h>
33 #include <collections/enumerator.h>
34 #include <collections/linked_list.h>
35 #include <crypto/hashers/hasher.h>
36 #include <crypto/crypters/crypter.h>
37 #include <crypto/proposal/proposal_keywords.h>
38 #include <credentials/keys/private_key.h>
39 #include <credentials/keys/public_key.h>
40 #include <credentials/certificates/certificate.h>
41 #include <credentials/certificates/x509.h>
42 #include <credentials/certificates/pkcs10.h>
43 #include <credentials/sets/mem_cred.h>
44 #include <plugins/plugin.h>
45
46 #include "scep.h"
47
48 /*
49 * definition of some defaults
50 */
51
52 /* some paths */
53 #define REQ_PATH IPSEC_CONFDIR "/ipsec.d/reqs"
54 #define HOST_CERT_PATH IPSEC_CONFDIR "/ipsec.d/certs"
55 #define CA_CERT_PATH IPSEC_CONFDIR "/ipsec.d/cacerts"
56 #define PRIVATE_KEY_PATH IPSEC_CONFDIR "/ipsec.d/private"
57
58 /* default name of DER-encoded PKCS#1 private key file */
59 #define DEFAULT_FILENAME_PKCS1 "myKey.der"
60
61 /* default name of DER-encoded PKCS#10 certificate request file */
62 #define DEFAULT_FILENAME_PKCS10 "myReq.der"
63
64 /* default name of DER-encoded PKCS#7 file */
65 #define DEFAULT_FILENAME_PKCS7 "pkcs7.der"
66
67 /* default name of DER-encoded self-signed X.509 certificate file */
68 #define DEFAULT_FILENAME_CERT_SELF "selfCert.der"
69
70 /* default name of DER-encoded X.509 certificate file */
71 #define DEFAULT_FILENAME_CERT "myCert.der"
72
73 /* default name of DER-encoded CA cert file used for key encipherment */
74 #define DEFAULT_FILENAME_CACERT_ENC "caCert.der"
75
76 /* default name of the der encoded CA cert file used for signature verification */
77 #define DEFAULT_FILENAME_CACERT_SIG "caCert.der"
78
79 /* default prefix of the der encoded CA certificates received from the SCEP server */
80 #define DEFAULT_FILENAME_PREFIX_CACERT "caCert.der"
81
82 /* default certificate validity */
83 #define DEFAULT_CERT_VALIDITY 5 * 3600 * 24 * 365 /* seconds */
84
85 /* default polling time interval in SCEP manual mode */
86 #define DEFAULT_POLL_INTERVAL 20 /* seconds */
87
88 /* default key length for self-generated RSA keys */
89 #define DEFAULT_RSA_KEY_LENGTH 2048 /* bits */
90
91 /* default distinguished name */
92 #define DEFAULT_DN "C=CH, O=Linux strongSwan, CN="
93
94 /* minimum RSA key size */
95 #define RSA_MIN_OCTETS (512 / BITS_PER_BYTE)
96
97 /* challenge password buffer size */
98 #define MAX_PASSWORD_LENGTH 256
99
100 /* Max length of filename for tempfile */
101 #define MAX_TEMP_FILENAME_LENGTH 256
102
103
104 /* current scepclient version */
105 static const char *scepclient_version = "1.0";
106
107 /* by default the CRL policy is lenient */
108 bool strict_crl_policy = FALSE;
109
110 /* by default pluto does not check crls dynamically */
111 long crl_check_interval = 0;
112
113 /* by default pluto logs out after every smartcard use */
114 bool pkcs11_keep_state = FALSE;
115
116 /* by default HTTP fetch timeout is 30s */
117 static u_int http_timeout = 30;
118
119 /* options read by optionsfrom */
120 options_t *options;
121
122 /*
123 * Global variables
124 */
125 chunk_t pkcs1;
126 chunk_t pkcs7;
127 chunk_t challengePassword;
128 chunk_t serialNumber;
129 chunk_t transID;
130 chunk_t fingerprint;
131 chunk_t encoding;
132 chunk_t pkcs10_encoding;
133 chunk_t issuerAndSubject;
134 chunk_t getCertInitial;
135 chunk_t scep_response;
136
137 linked_list_t *subjectAltNames;
138
139 identification_t *subject = NULL;
140 private_key_t *private_key = NULL;
141 public_key_t *public_key = NULL;
142 certificate_t *x509_signer = NULL;
143 certificate_t *x509_ca_enc = NULL;
144 certificate_t *x509_ca_sig = NULL;
145 certificate_t *pkcs10_req = NULL;
146
147 mem_cred_t *creds = NULL;
148
149 /* logging */
150 static bool log_to_stderr = TRUE;
151 static bool log_to_syslog = TRUE;
152 static level_t default_loglevel = 1;
153
154 /**
155 * logging function for scepclient
156 */
157 static void scepclient_dbg(debug_t group, level_t level, char *fmt, ...)
158 {
159 char buffer[8192];
160 char *current = buffer, *next;
161 va_list args;
162
163 if (level <= default_loglevel)
164 {
165 if (log_to_stderr)
166 {
167 va_start(args, fmt);
168 vfprintf(stderr, fmt, args);
169 va_end(args);
170 fprintf(stderr, "\n");
171 }
172 if (log_to_syslog)
173 {
174 /* write in memory buffer first */
175 va_start(args, fmt);
176 vsnprintf(buffer, sizeof(buffer), fmt, args);
177 va_end(args);
178
179 /* do a syslog with every line */
180 while (current)
181 {
182 next = strchr(current, '\n');
183 if (next)
184 {
185 *(next++) = '\0';
186 }
187 syslog(LOG_INFO, "%s\n", current);
188 current = next;
189 }
190 }
191 }
192 }
193
194 /**
195 * Initialize logging to stderr/syslog
196 */
197 static void init_log(const char *program)
198 {
199 dbg = scepclient_dbg;
200
201 if (log_to_stderr)
202 {
203 setbuf(stderr, NULL);
204 }
205 if (log_to_syslog)
206 {
207 openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
208 }
209 }
210
211 /**
212 * join two paths if filename is not absolute
213 */
214 static void join_paths(char *target, size_t target_size, char *parent,
215 char *filename)
216 {
217 if (*filename == '/' || *filename == '.')
218 {
219 snprintf(target, target_size, "%s", filename);
220 }
221 else
222 {
223 snprintf(target, target_size, "%s/%s", parent, filename);
224 }
225 }
226
227 /**
228 * add a suffix to a given filename, properly handling extensions like '.der'
229 */
230 static void add_path_suffix(char *target, size_t target_size, char *filename,
231 char *suffix_fmt, ...)
232 {
233 char suffix[PATH_MAX], *start, *dot;
234 va_list args;
235
236 va_start(args, suffix_fmt);
237 vsnprintf(suffix, sizeof(suffix), suffix_fmt, args);
238 va_end(args);
239
240 start = strrchr(filename, '/');
241 start = start ?: filename;
242 dot = strrchr(start, '.');
243
244 if (!dot || dot == start || dot[1] == '\0')
245 { /* no extension add suffix at the end */
246 snprintf(target, target_size, "%s%s", filename, suffix);
247 }
248 else
249 { /* add the suffix between the filename and the extension */
250 snprintf(target, target_size, "%.*s%s%s", (int)(dot - filename),
251 filename, suffix, dot);
252 }
253 }
254
255 /**
256 * @brief exit scepclient
257 *
258 * @param status 0 = OK, 1 = general discomfort
259 */
260 static void exit_scepclient(err_t message, ...)
261 {
262 int status = 0;
263
264 if (creds)
265 {
266 lib->credmgr->remove_set(lib->credmgr, &creds->set);
267 creds->destroy(creds);
268 }
269
270 DESTROY_IF(subject);
271 DESTROY_IF(private_key);
272 DESTROY_IF(public_key);
273 DESTROY_IF(x509_signer);
274 DESTROY_IF(x509_ca_enc);
275 DESTROY_IF(x509_ca_sig);
276 DESTROY_IF(pkcs10_req);
277 subjectAltNames->destroy_offset(subjectAltNames,
278 offsetof(identification_t, destroy));
279 free(pkcs1.ptr);
280 free(pkcs7.ptr);
281 free(serialNumber.ptr);
282 free(transID.ptr);
283 free(fingerprint.ptr);
284 free(encoding.ptr);
285 free(pkcs10_encoding.ptr);
286 free(issuerAndSubject.ptr);
287 free(getCertInitial.ptr);
288 free(scep_response.ptr);
289 options->destroy(options);
290
291 /* print any error message to stderr */
292 if (message != NULL && *message != '\0')
293 {
294 va_list args;
295 char m[8192];
296
297 va_start(args, message);
298 vsnprintf(m, sizeof(m), message, args);
299 va_end(args);
300
301 fprintf(stderr, "error: %s\n", m);
302 status = -1;
303 }
304 library_deinit();
305 exit(status);
306 }
307
308 /**
309 * @brief prints the program version and exits
310 *
311 */
312 static void version(void)
313 {
314 printf("scepclient %s\n", scepclient_version);
315 exit_scepclient(NULL);
316 }
317
318 /**
319 * @brief prints the usage of the program to the stderr output
320 *
321 * If message is set, program is exitet with 1 (error)
322 * @param message message in case of an error
323 */
324 static void usage(const char *message)
325 {
326 fprintf(stderr,
327 "Usage: scepclient\n"
328 " --help (-h) show usage and exit\n"
329 " --version (-v) show version and exit\n"
330 " --quiet (-q) do not write log output to stderr\n"
331 " --in (-i) <type>[=<filename>] use <filename> of <type> for input\n"
332 " <type> = pkcs1 | pkcs10 | cert-self\n"
333 " cacert-enc | cacert-sig\n"
334 " - if no pkcs1 input is defined, an RSA\n"
335 " key will be generated\n"
336 " - if no pkcs10 input is defined, a\n"
337 " PKCS#10 request will be generated\n"
338 " - if no cert-self input is defined, a\n"
339 " self-signed certificate will be generated\n"
340 " - if no filename is given, default is used\n"
341 " --out (-o) <type>[=<filename>] write output of <type> to <filename>\n"
342 " multiple outputs are allowed\n"
343 " <type> = pkcs1 | pkcs10 | pkcs7 | cert-self |\n"
344 " cert | cacert\n"
345 " - type cacert defines filename prefix of\n"
346 " received CA certificate(s)\n"
347 " - if no filename is given, default is used\n"
348 " --optionsfrom (-+) <filename> reads additional options from given file\n"
349 " --force (-f) force existing file(s)\n"
350 " --httptimeout (-T) timeout for HTTP operations (default: 30s)\n"
351 "\n"
352 "Options for key generation (pkcs1):\n"
353 " --keylength (-k) <bits> key length for RSA key generation\n"
354 " (default: 2048 bits)\n"
355 "\n"
356 "Options for validity:\n"
357 " --days (-D) <days> validity in days\n"
358 " --startdate (-S) <YYMMDDHHMMSS>Z not valid before date\n"
359 " --enddate (-E) <YYMMDDHHMMSS>Z not valid after date\n"
360 "\n"
361 "Options for request generation (pkcs10):\n"
362 " --dn (-d) <dn> comma separated list of distinguished names\n"
363 " --subjectAltName (-s) <t>=<v> include subjectAltName in certificate request\n"
364 " <t> = email | dns | ip \n"
365 " --password (-p) <pw> challenge password\n"
366 " - use '%%prompt' as pw for a password prompt\n"
367 " --algorithm (-a) [<type>=]<algo> algorithm to be used for PKCS#7 encryption,\n"
368 " PKCS#7 digest or PKCS#10 signature\n"
369 " <type> = enc | dgst | sig\n"
370 " - if no type is given enc is assumed\n"
371 " <algo> = des (default) | 3des | aes128 |\n"
372 " aes192 | aes256 | camellia128 |\n"
373 " camellia192 | camellia256\n"
374 " <algo> = md5 (default) | sha1 | sha256 |\n"
375 " sha384 | sha512\n"
376 "\n"
377 "Options for CA certificate acquisition:\n"
378 " --caname (-c) <name> name of CA to fetch CA certificate(s)\n"
379 " (default: CAIdentifier)\n"
380 "Options for enrollment (cert):\n"
381 " --url (-u) <url> url of the SCEP server\n"
382 " --method (-m) post | get http request type\n"
383 " --interval (-t) <seconds> poll interval in seconds (default 20s)\n"
384 " --maxpolltime (-x) <seconds> max poll time in seconds when in manual mode\n"
385 " (default: unlimited)\n"
386 "\n"
387 "Debugging output:\n"
388 " --debug (-l) <level> changes the log level (-1..4, default: 1)\n"
389 );
390 exit_scepclient(message);
391 }
392
393 /**
394 * @brief main of scepclient
395 *
396 * @param argc number of arguments
397 * @param argv pointer to the argument values
398 */
399 int main(int argc, char **argv)
400 {
401 /* external values */
402 extern char * optarg;
403 extern int optind;
404
405 /* type of input and output files */
406 typedef enum {
407 PKCS1 = 0x01,
408 PKCS10 = 0x02,
409 PKCS7 = 0x04,
410 CERT_SELF = 0x08,
411 CERT = 0x10,
412 CACERT_ENC = 0x20,
413 CACERT_SIG = 0x40,
414 } scep_filetype_t;
415
416 /* filetype to read from, defaults to "generate a key" */
417 scep_filetype_t filetype_in = 0;
418
419 /* filetype to write to, no default here */
420 scep_filetype_t filetype_out = 0;
421
422 /* input files */
423 char *file_in_pkcs1 = DEFAULT_FILENAME_PKCS1;
424 char *file_in_pkcs10 = DEFAULT_FILENAME_PKCS10;
425 char *file_in_cert_self = DEFAULT_FILENAME_CERT_SELF;
426 char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC;
427 char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG;
428
429 /* output files */
430 char *file_out_pkcs1 = DEFAULT_FILENAME_PKCS1;
431 char *file_out_pkcs10 = DEFAULT_FILENAME_PKCS10;
432 char *file_out_pkcs7 = DEFAULT_FILENAME_PKCS7;
433 char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF;
434 char *file_out_cert = DEFAULT_FILENAME_CERT;
435 char *file_out_ca_cert = DEFAULT_FILENAME_CACERT_ENC;
436
437 /* by default user certificate is requested */
438 bool request_ca_certificate = FALSE;
439
440 /* by default existing files are not overwritten */
441 bool force = FALSE;
442
443 /* length of RSA key in bits */
444 u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH;
445
446 /* validity of self-signed certificate */
447 time_t validity = DEFAULT_CERT_VALIDITY;
448 time_t notBefore = 0;
449 time_t notAfter = 0;
450
451 /* distinguished name for requested certificate, ASCII format */
452 char *distinguishedName = NULL;
453
454 /* challenge password */
455 char challenge_password_buffer[MAX_PASSWORD_LENGTH];
456
457 /* symmetric encryption algorithm used by pkcs7, default is DES */
458 encryption_algorithm_t pkcs7_symmetric_cipher = ENCR_DES;
459 size_t pkcs7_key_size = 0;
460
461 /* digest algorithm used by pkcs7, default is MD5 */
462 hash_algorithm_t pkcs7_digest_alg = HASH_MD5;
463
464 /* signature algorithm used by pkcs10, default is MD5 */
465 hash_algorithm_t pkcs10_signature_alg = HASH_MD5;
466
467 /* URL of the SCEP-Server */
468 char *scep_url = NULL;
469
470 /* Name of CA to fetch CA certs for */
471 char *ca_name = "CAIdentifier";
472
473 /* http request method, default is GET */
474 bool http_get_request = TRUE;
475
476 /* poll interval time in manual mode in seconds */
477 u_int poll_interval = DEFAULT_POLL_INTERVAL;
478
479 /* maximum poll time */
480 u_int max_poll_time = 0;
481
482 err_t ugh = NULL;
483
484 /* initialize library */
485 if (!library_init(NULL))
486 {
487 library_deinit();
488 exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
489 }
490 if (lib->integrity &&
491 !lib->integrity->check_file(lib->integrity, "scepclient", argv[0]))
492 {
493 fprintf(stderr, "integrity check of scepclient failed\n");
494 library_deinit();
495 exit(SS_RC_DAEMON_INTEGRITY);
496 }
497
498 /* initialize global variables */
499 pkcs1 = chunk_empty;
500 pkcs7 = chunk_empty;
501 serialNumber = chunk_empty;
502 transID = chunk_empty;
503 fingerprint = chunk_empty;
504 encoding = chunk_empty;
505 pkcs10_encoding = chunk_empty;
506 issuerAndSubject = chunk_empty;
507 challengePassword = chunk_empty;
508 getCertInitial = chunk_empty;
509 scep_response = chunk_empty;
510 subjectAltNames = linked_list_create();
511 options = options_create();
512
513 for (;;)
514 {
515 static const struct option long_opts[] = {
516 /* name, has_arg, flag, val */
517 { "help", no_argument, NULL, 'h' },
518 { "version", no_argument, NULL, 'v' },
519 { "optionsfrom", required_argument, NULL, '+' },
520 { "quiet", no_argument, NULL, 'q' },
521 { "debug", required_argument, NULL, 'l' },
522 { "in", required_argument, NULL, 'i' },
523 { "out", required_argument, NULL, 'o' },
524 { "force", no_argument, NULL, 'f' },
525 { "httptimeout", required_argument, NULL, 'T' },
526 { "keylength", required_argument, NULL, 'k' },
527 { "dn", required_argument, NULL, 'd' },
528 { "days", required_argument, NULL, 'D' },
529 { "startdate", required_argument, NULL, 'S' },
530 { "enddate", required_argument, NULL, 'E' },
531 { "subjectAltName", required_argument, NULL, 's' },
532 { "password", required_argument, NULL, 'p' },
533 { "algorithm", required_argument, NULL, 'a' },
534 { "url", required_argument, NULL, 'u' },
535 { "caname", required_argument, NULL, 'c'},
536 { "method", required_argument, NULL, 'm' },
537 { "interval", required_argument, NULL, 't' },
538 { "maxpolltime", required_argument, NULL, 'x' },
539 { 0,0,0,0 }
540 };
541
542 /* parse next option */
543 int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:c:m:t:x:APRCMS", long_opts, NULL);
544
545 switch (c)
546 {
547 case EOF: /* end of flags */
548 break;
549
550 case 'h': /* --help */
551 usage(NULL);
552
553 case 'v': /* --version */
554 version();
555
556 case 'q': /* --quiet */
557 log_to_stderr = FALSE;
558 continue;
559
560 case 'l': /* --debug <level> */
561 default_loglevel = atoi(optarg);
562 continue;
563
564 case 'i': /* --in <type> [= <filename>] */
565 {
566 char *filename = strstr(optarg, "=");
567
568 if (filename)
569 {
570 /* replace '=' by '\0' */
571 *filename = '\0';
572 /* set pointer to start of filename */
573 filename++;
574 }
575 if (strcaseeq("pkcs1", optarg))
576 {
577 filetype_in |= PKCS1;
578 if (filename)
579 file_in_pkcs1 = filename;
580 }
581 else if (strcaseeq("pkcs10", optarg))
582 {
583 filetype_in |= PKCS10;
584 if (filename)
585 file_in_pkcs10 = filename;
586 }
587 else if (strcaseeq("cacert-enc", optarg))
588 {
589 filetype_in |= CACERT_ENC;
590 if (filename)
591 file_in_cacert_enc = filename;
592 }
593 else if (strcaseeq("cacert-sig", optarg))
594 {
595 filetype_in |= CACERT_SIG;
596 if (filename)
597 file_in_cacert_sig = filename;
598 }
599 else if (strcaseeq("cert-self", optarg))
600 {
601 filetype_in |= CERT_SELF;
602 if (filename)
603 file_in_cert_self = filename;
604 }
605 else
606 {
607 usage("invalid --in file type");
608 }
609 continue;
610 }
611
612 case 'o': /* --out <type> [= <filename>] */
613 {
614 char *filename = strstr(optarg, "=");
615
616 if (filename)
617 {
618 /* replace '=' by '\0' */
619 *filename = '\0';
620 /* set pointer to start of filename */
621 filename++;
622 }
623 if (strcaseeq("pkcs1", optarg))
624 {
625 filetype_out |= PKCS1;
626 if (filename)
627 file_out_pkcs1 = filename;
628 }
629 else if (strcaseeq("pkcs10", optarg))
630 {
631 filetype_out |= PKCS10;
632 if (filename)
633 file_out_pkcs10 = filename;
634 }
635 else if (strcaseeq("pkcs7", optarg))
636 {
637 filetype_out |= PKCS7;
638 if (filename)
639 file_out_pkcs7 = filename;
640 }
641 else if (strcaseeq("cert-self", optarg))
642 {
643 filetype_out |= CERT_SELF;
644 if (filename)
645 file_out_cert_self = filename;
646 }
647 else if (strcaseeq("cert", optarg))
648 {
649 filetype_out |= CERT;
650 if (filename)
651 file_out_cert = filename;
652 }
653 else if (strcaseeq("cacert", optarg))
654 {
655 request_ca_certificate = TRUE;
656 if (filename)
657 file_out_ca_cert = filename;
658 }
659 else
660 {
661 usage("invalid --out file type");
662 }
663 continue;
664 }
665
666 case 'f': /* --force */
667 force = TRUE;
668 continue;
669
670 case 'T': /* --httptimeout */
671 http_timeout = atoi(optarg);
672 if (http_timeout <= 0)
673 {
674 usage("invalid httptimeout specified");
675 }
676 continue;
677
678 case '+': /* --optionsfrom <filename> */
679 if (!options->from(options, optarg, &argc, &argv, optind))
680 {
681 exit_scepclient("optionsfrom failed");
682 }
683 continue;
684
685 case 'k': /* --keylength <length> */
686 {
687 div_t q;
688
689 rsa_keylength = atoi(optarg);
690 if (rsa_keylength == 0)
691 usage("invalid keylength");
692
693 /* check if key length is a multiple of 8 bits */
694 q = div(rsa_keylength, 2*BITS_PER_BYTE);
695 if (q.rem != 0)
696 {
697 exit_scepclient("keylength is not a multiple of %d bits!"
698 , 2*BITS_PER_BYTE);
699 }
700 continue;
701 }
702
703 case 'D': /* --days */
704 if (optarg == NULL || !isdigit(optarg[0]))
705 {
706 usage("missing number of days");
707 }
708 else
709 {
710 char *endptr;
711 long days = strtol(optarg, &endptr, 0);
712
713 if (*endptr != '\0' || endptr == optarg
714 || days <= 0)
715 usage("<days> must be a positive number");
716 validity = 24*3600*days;
717 }
718 continue;
719
720 case 'S': /* --startdate */
721 if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
722 {
723 usage("date format must be YYMMDDHHMMSSZ");
724 }
725 else
726 {
727 chunk_t date = { optarg, 13 };
728 notBefore = asn1_to_time(&date, ASN1_UTCTIME);
729 }
730 continue;
731
732 case 'E': /* --enddate */
733 if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
734 {
735 usage("date format must be YYMMDDHHMMSSZ");
736 }
737 else
738 {
739 chunk_t date = { optarg, 13 };
740 notAfter = asn1_to_time(&date, ASN1_UTCTIME);
741 }
742 continue;
743
744 case 'd': /* --dn */
745 if (distinguishedName)
746 {
747 usage("only one distinguished name allowed");
748 }
749 distinguishedName = optarg;
750 continue;
751
752 case 's': /* --subjectAltName */
753 {
754 char *value = strstr(optarg, "=");
755
756 if (value)
757 {
758 /* replace '=' by '\0' */
759 *value = '\0';
760 /* set pointer to start of value */
761 value++;
762 }
763
764 if (strcaseeq("email", optarg) ||
765 strcaseeq("dns", optarg) ||
766 strcaseeq("ip", optarg))
767 {
768 subjectAltNames->insert_last(subjectAltNames,
769 identification_create_from_string(value));
770 continue;
771 }
772 else
773 {
774 usage("invalid --subjectAltName type");
775 continue;
776 }
777 }
778
779 case 'p': /* --password */
780 if (challengePassword.len > 0)
781 {
782 usage("only one challenge password allowed");
783 }
784 if (strcaseeq("%prompt", optarg))
785 {
786 printf("Challenge password: ");
787 if (fgets(challenge_password_buffer,
788 sizeof(challenge_password_buffer) - 1, stdin))
789 {
790 challengePassword.ptr = challenge_password_buffer;
791 /* discard the terminating '\n' from the input */
792 challengePassword.len = strlen(challenge_password_buffer) - 1;
793 }
794 else
795 {
796 usage("challenge password could not be read");
797 }
798 }
799 else
800 {
801 challengePassword.ptr = optarg;
802 challengePassword.len = strlen(optarg);
803 }
804 continue;
805
806 case 'u': /* -- url */
807 if (scep_url)
808 {
809 usage("only one URL argument allowed");
810 }
811 scep_url = optarg;
812 continue;
813
814 case 'c': /* -- caname */
815 ca_name = optarg;
816 continue;
817
818 case 'm': /* --method */
819 if (strcaseeq("get", optarg))
820 {
821 http_get_request = TRUE;
822 }
823 else if (strcaseeq("post", optarg))
824 {
825 http_get_request = FALSE;
826 }
827 else
828 {
829 usage("invalid http request method specified");
830 }
831 continue;
832
833 case 't': /* --interval */
834 poll_interval = atoi(optarg);
835 if (poll_interval <= 0)
836 {
837 usage("invalid interval specified");
838 }
839 continue;
840
841 case 'x': /* --maxpolltime */
842 max_poll_time = atoi(optarg);
843 continue;
844
845 case 'a': /*--algorithm [<type>=]algo */
846 {
847 const proposal_token_t *token;
848 char *type = optarg;
849 char *algo = strstr(optarg, "=");
850
851 if (algo)
852 {
853 *algo = '\0';
854 algo++;
855 }
856 else
857 {
858 type = "enc";
859 algo = optarg;
860 }
861
862 if (strcaseeq("enc", type))
863 {
864 token = lib->proposal->get_token(lib->proposal, algo);
865 if (token == NULL || token->type != ENCRYPTION_ALGORITHM)
866 {
867 usage("invalid algorithm specified");
868 }
869 pkcs7_symmetric_cipher = token->algorithm;
870 pkcs7_key_size = token->keysize;
871 if (encryption_algorithm_to_oid(token->algorithm,
872 token->keysize) == OID_UNKNOWN)
873 {
874 usage("unsupported encryption algorithm specified");
875 }
876 }
877 else if (strcaseeq("dgst", type) ||
878 strcaseeq("sig", type))
879 {
880 hash_algorithm_t hash;
881
882 token = lib->proposal->get_token(lib->proposal, algo);
883 if (token == NULL || token->type != INTEGRITY_ALGORITHM)
884 {
885 usage("invalid algorithm specified");
886 }
887 hash = hasher_algorithm_from_integrity(token->algorithm,
888 NULL);
889 if (hash == OID_UNKNOWN)
890 {
891 usage("invalid algorithm specified");
892 }
893 if (strcaseeq("dgst", type))
894 {
895 pkcs7_digest_alg = hash;
896 }
897 else
898 {
899 pkcs10_signature_alg = hash;
900 }
901 }
902 else
903 {
904 usage("invalid --algorithm type");
905 }
906 continue;
907 }
908 default:
909 usage("unknown option");
910 }
911 /* break from loop */
912 break;
913 }
914
915 init_log("scepclient");
916
917 /* load plugins, further infrastructure may need it */
918 if (!lib->plugins->load(lib->plugins, NULL,
919 lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS)))
920 {
921 exit_scepclient("plugin loading failed");
922 }
923 DBG1(DBG_APP, " loaded plugins: %s",
924 lib->plugins->loaded_plugins(lib->plugins));
925
926 if ((filetype_out == 0) && (!request_ca_certificate))
927 {
928 usage("--out filetype required");
929 }
930 if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0))
931 {
932 usage("in CA certificate request, no other --in or --out option allowed");
933 }
934
935 /* check if url is given, if cert output defined */
936 if (((filetype_out & CERT) || request_ca_certificate) && !scep_url)
937 {
938 usage("URL of SCEP server required");
939 }
940
941 /* check for sanity of --in/--out */
942 if (!filetype_in && (filetype_in > filetype_out))
943 {
944 usage("cannot generate --out of given --in!");
945 }
946
947 /* get CA cert */
948 if (request_ca_certificate)
949 {
950 char ca_path[PATH_MAX];
951 container_t *container;
952 pkcs7_t *pkcs7;
953
954 if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)),
955 SCEP_GET_CA_CERT, http_get_request,
956 http_timeout, &scep_response))
957 {
958 exit_scepclient("did not receive a valid scep response");
959 }
960
961 join_paths(ca_path, sizeof(ca_path), CA_CERT_PATH, file_out_ca_cert);
962
963 pkcs7 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
964 BUILD_BLOB_ASN1_DER, scep_response, BUILD_END);
965
966 if (!pkcs7)
967 { /* no PKCS#7 encoded CA+RA certificates, assume simple CA cert */
968
969 DBG1(DBG_APP, "unable to parse PKCS#7, assuming plain CA cert");
970 if (!chunk_write(scep_response, ca_path, "ca cert", 0022, force))
971 {
972 exit_scepclient("could not write ca cert file '%s'", ca_path);
973 }
974 }
975 else
976 {
977 enumerator_t *enumerator;
978 certificate_t *cert;
979 int ra_certs = 0, ca_certs = 0;
980 int ra_index = 1, ca_index = 1;
981
982 enumerator = pkcs7->create_cert_enumerator(pkcs7);
983 while (enumerator->enumerate(enumerator, &cert))
984 {
985 x509_t *x509 = (x509_t*)cert;
986 if (x509->get_flags(x509) & X509_CA)
987 {
988 ca_certs++;
989 }
990 else
991 {
992 ra_certs++;
993 }
994 }
995 enumerator->destroy(enumerator);
996
997 enumerator = pkcs7->create_cert_enumerator(pkcs7);
998 while (enumerator->enumerate(enumerator, &cert))
999 {
1000 x509_t *x509 = (x509_t*)cert;
1001 bool ca_cert = x509->get_flags(x509) & X509_CA;
1002 char cert_path[PATH_MAX], *path = ca_path;
1003
1004 if (ca_cert && ca_certs > 1)
1005 {
1006 add_path_suffix(cert_path, sizeof(cert_path), ca_path,
1007 "-%.1d", ca_index++);
1008 path = cert_path;
1009 }
1010 else if (!ca_cert)
1011 { /* use CA name as base for RA certs */
1012 if (ra_certs > 1)
1013 {
1014 add_path_suffix(cert_path, sizeof(cert_path), ca_path,
1015 "-ra-%.1d", ra_index++);
1016 }
1017 else
1018 {
1019 add_path_suffix(cert_path, sizeof(cert_path), ca_path,
1020 "-ra");
1021 }
1022 path = cert_path;
1023 }
1024
1025 if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
1026 !chunk_write(encoding, path,
1027 ca_cert ? "ca cert" : "ra cert", 0022, force))
1028 {
1029 exit_scepclient("could not write cert file '%s'", path);
1030 }
1031 chunk_free(&encoding);
1032 }
1033 enumerator->destroy(enumerator);
1034 container = &pkcs7->container;
1035 container->destroy(container);
1036 }
1037 exit_scepclient(NULL); /* no further output required */
1038 }
1039
1040 creds = mem_cred_create();
1041 lib->credmgr->add_set(lib->credmgr, &creds->set);
1042
1043 /*
1044 * input of PKCS#1 file
1045 */
1046 if (filetype_in & PKCS1) /* load an RSA key pair from file */
1047 {
1048 char path[PATH_MAX];
1049
1050 join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_in_pkcs1);
1051
1052 private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
1053 BUILD_FROM_FILE, path, BUILD_END);
1054 }
1055 else /* generate an RSA key pair */
1056 {
1057 private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
1058 BUILD_KEY_SIZE, rsa_keylength,
1059 BUILD_END);
1060 }
1061 if (private_key == NULL)
1062 {
1063 exit_scepclient("no RSA private key available");
1064 }
1065 creds->add_key(creds, private_key->get_ref(private_key));
1066 public_key = private_key->get_public_key(private_key);
1067
1068 /* check for minimum key length */
1069 if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS / BITS_PER_BYTE)
1070 {
1071 exit_scepclient("length of RSA key has to be at least %d bits",
1072 RSA_MIN_OCTETS * BITS_PER_BYTE);
1073 }
1074
1075 /*
1076 * input of PKCS#10 file
1077 */
1078 if (filetype_in & PKCS10)
1079 {
1080 char path[PATH_MAX];
1081
1082 join_paths(path, sizeof(path), REQ_PATH, file_in_pkcs10);
1083
1084 pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
1085 CERT_PKCS10_REQUEST, BUILD_FROM_FILE,
1086 path, BUILD_END);
1087 if (!pkcs10_req)
1088 {
1089 exit_scepclient("could not read certificate request '%s'", path);
1090 }
1091 subject = pkcs10_req->get_subject(pkcs10_req);
1092 subject = subject->clone(subject);
1093 }
1094 else
1095 {
1096 if (distinguishedName == NULL)
1097 {
1098 char buf[BUF_LEN];
1099 int n = sprintf(buf, DEFAULT_DN);
1100
1101 /* set the common name to the hostname */
1102 if (gethostname(buf + n, BUF_LEN - n) || strlen(buf) == n)
1103 {
1104 exit_scepclient("no hostname defined, use "
1105 "--dn <distinguished name> option");
1106 }
1107 distinguishedName = buf;
1108 }
1109
1110 DBG2(DBG_APP, "dn: '%s'", distinguishedName);
1111 subject = identification_create_from_string(distinguishedName);
1112 if (subject->get_type(subject) != ID_DER_ASN1_DN)
1113 {
1114 exit_scepclient("parsing of distinguished name failed");
1115 }
1116
1117 DBG2(DBG_APP, "building pkcs10 object:");
1118 pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
1119 CERT_PKCS10_REQUEST,
1120 BUILD_SIGNING_KEY, private_key,
1121 BUILD_SUBJECT, subject,
1122 BUILD_SUBJECT_ALTNAMES, subjectAltNames,
1123 BUILD_CHALLENGE_PWD, challengePassword,
1124 BUILD_DIGEST_ALG, pkcs10_signature_alg,
1125 BUILD_END);
1126 if (!pkcs10_req)
1127 {
1128 exit_scepclient("generating pkcs10 request failed");
1129 }
1130 }
1131 pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding);
1132 fingerprint = scep_generate_pkcs10_fingerprint(pkcs10_encoding);
1133 DBG1(DBG_APP, " fingerprint: %s", fingerprint.ptr);
1134
1135 /*
1136 * output of PKCS#10 file
1137 */
1138 if (filetype_out & PKCS10)
1139 {
1140 char path[PATH_MAX];
1141
1142 join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs10);
1143
1144 if (!chunk_write(pkcs10_encoding, path, "pkcs10", 0022, force))
1145 {
1146 exit_scepclient("could not write pkcs10 file '%s'", path);
1147 }
1148 filetype_out &= ~PKCS10; /* delete PKCS10 flag */
1149 }
1150
1151 if (!filetype_out)
1152 {
1153 exit_scepclient(NULL); /* no further output required */
1154 }
1155
1156 /*
1157 * output of PKCS#1 file
1158 */
1159 if (filetype_out & PKCS1)
1160 {
1161 char path[PATH_MAX];
1162
1163 join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_out_pkcs1);
1164
1165 DBG2(DBG_APP, "building pkcs1 object:");
1166 if (!private_key->get_encoding(private_key, PRIVKEY_ASN1_DER, &pkcs1) ||
1167 !chunk_write(pkcs1, path, "pkcs1", 0066, force))
1168 {
1169 exit_scepclient("could not write pkcs1 file '%s'", path);
1170 }
1171 filetype_out &= ~PKCS1; /* delete PKCS1 flag */
1172 }
1173
1174 if (!filetype_out)
1175 {
1176 exit_scepclient(NULL); /* no further output required */
1177 }
1178
1179 scep_generate_transaction_id(public_key, &transID, &serialNumber);
1180 DBG1(DBG_APP, " transaction ID: %.*s", (int)transID.len, transID.ptr);
1181
1182 /*
1183 * read or generate self-signed X.509 certificate
1184 */
1185 if (filetype_in & CERT_SELF)
1186 {
1187 char path[PATH_MAX];
1188
1189 join_paths(path, sizeof(path), HOST_CERT_PATH, file_in_cert_self);
1190
1191 x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
1192 BUILD_FROM_FILE, path, BUILD_END);
1193 if (!x509_signer)
1194 {
1195 exit_scepclient("could not read certificate file '%s'", path);
1196 }
1197 }
1198 else
1199 {
1200 notBefore = notBefore ? notBefore : time(NULL);
1201 notAfter = notAfter ? notAfter : (notBefore + validity);
1202 x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
1203 BUILD_SIGNING_KEY, private_key,
1204 BUILD_PUBLIC_KEY, public_key,
1205 BUILD_SUBJECT, subject,
1206 BUILD_NOT_BEFORE_TIME, notBefore,
1207 BUILD_NOT_AFTER_TIME, notAfter,
1208 BUILD_SERIAL, serialNumber,
1209 BUILD_SUBJECT_ALTNAMES, subjectAltNames,
1210 BUILD_END);
1211 if (!x509_signer)
1212 {
1213 exit_scepclient("generating certificate failed");
1214 }
1215 }
1216 creds->add_cert(creds, TRUE, x509_signer->get_ref(x509_signer));
1217
1218 /*
1219 * output of self-signed X.509 certificate file
1220 */
1221 if (filetype_out & CERT_SELF)
1222 {
1223 char path[PATH_MAX];
1224
1225 join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert_self);
1226
1227 if (!x509_signer->get_encoding(x509_signer, CERT_ASN1_DER, &encoding))
1228 {
1229 exit_scepclient("encoding certificate failed");
1230 }
1231 if (!chunk_write(encoding, path, "self-signed cert", 0022, force))
1232 {
1233 exit_scepclient("could not write self-signed cert file '%s'", path);
1234 }
1235 chunk_free(&encoding);
1236 filetype_out &= ~CERT_SELF; /* delete CERT_SELF flag */
1237 }
1238
1239 if (!filetype_out)
1240 {
1241 exit_scepclient(NULL); /* no further output required */
1242 }
1243
1244 /*
1245 * load ca encryption certificate
1246 */
1247 {
1248 char path[PATH_MAX];
1249
1250 join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_enc);
1251
1252 x509_ca_enc = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
1253 BUILD_FROM_FILE, path, BUILD_END);
1254 if (!x509_ca_enc)
1255 {
1256 exit_scepclient("could not load encryption cacert file '%s'", path);
1257 }
1258 }
1259
1260 /*
1261 * input of PKCS#7 file
1262 */
1263 if (filetype_in & PKCS7)
1264 {
1265 /* user wants to load a pkcs7 encrypted request
1266 * operation is not yet supported!
1267 * would require additional parsing of transaction-id
1268
1269 pkcs7 = pkcs7_read_from_file(file_in_pkcs7);
1270
1271 */
1272 }
1273 else
1274 {
1275 DBG2(DBG_APP, "building pkcs7 request");
1276 pkcs7 = scep_build_request(pkcs10_encoding,
1277 transID, SCEP_PKCSReq_MSG, x509_ca_enc,
1278 pkcs7_symmetric_cipher, pkcs7_key_size,
1279 x509_signer, pkcs7_digest_alg, private_key);
1280 if (!pkcs7.ptr)
1281 {
1282 exit_scepclient("failed to build pkcs7 request");
1283 }
1284 }
1285
1286 /*
1287 * output pkcs7 encrypted and signed certificate request
1288 */
1289 if (filetype_out & PKCS7)
1290 {
1291 char path[PATH_MAX];
1292
1293 join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs7);
1294
1295 if (!chunk_write(pkcs7, path, "pkcs7 encrypted request", 0022, force))
1296 {
1297 exit_scepclient("could not write pkcs7 file '%s'", path);
1298 }
1299 filetype_out &= ~PKCS7; /* delete PKCS7 flag */
1300 }
1301
1302 if (!filetype_out)
1303 {
1304 exit_scepclient(NULL); /* no further output required */
1305 }
1306
1307 /*
1308 * output certificate fetch from SCEP server
1309 */
1310 if (filetype_out & CERT)
1311 {
1312 bool stored = FALSE;
1313 certificate_t *cert;
1314 enumerator_t *enumerator;
1315 char path[PATH_MAX];
1316 time_t poll_start = 0;
1317 pkcs7_t *p7;
1318 container_t *container = NULL;
1319 chunk_t chunk;
1320 scep_attributes_t attrs = empty_scep_attributes;
1321
1322 join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_sig);
1323
1324 x509_ca_sig = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
1325 BUILD_FROM_FILE, path, BUILD_END);
1326 if (!x509_ca_sig)
1327 {
1328 exit_scepclient("could not load signature cacert file '%s'", path);
1329 }
1330
1331 creds->add_cert(creds, TRUE, x509_ca_sig->get_ref(x509_ca_sig));
1332
1333 if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
1334 http_get_request, http_timeout, &scep_response))
1335 {
1336 exit_scepclient("did not receive a valid scep response");
1337 }
1338 ugh = scep_parse_response(scep_response, transID, &container, &attrs);
1339 if (ugh != NULL)
1340 {
1341 exit_scepclient(ugh);
1342 }
1343
1344 /* in case of manual mode, we are going into a polling loop */
1345 if (attrs.pkiStatus == SCEP_PENDING)
1346 {
1347 identification_t *issuer = x509_ca_sig->get_subject(x509_ca_sig);
1348
1349 DBG1(DBG_APP, " scep request pending, polling every %d seconds",
1350 poll_interval);
1351 poll_start = time_monotonic(NULL);
1352 issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc",
1353 issuer->get_encoding(issuer),
1354 subject->get_encoding(subject));
1355 }
1356 while (attrs.pkiStatus == SCEP_PENDING)
1357 {
1358 if (max_poll_time > 0 &&
1359 (time_monotonic(NULL) - poll_start >= max_poll_time))
1360 {
1361 exit_scepclient("maximum poll time reached: %d seconds"
1362 , max_poll_time);
1363 }
1364 DBG2(DBG_APP, "going to sleep for %d seconds", poll_interval);
1365 sleep(poll_interval);
1366 free(scep_response.ptr);
1367 container->destroy(container);
1368
1369 DBG2(DBG_APP, "fingerprint: %.*s",
1370 (int)fingerprint.len, fingerprint.ptr);
1371 DBG2(DBG_APP, "transaction ID: %.*s",
1372 (int)transID.len, transID.ptr);
1373
1374 chunk_free(&getCertInitial);
1375 getCertInitial = scep_build_request(issuerAndSubject,
1376 transID, SCEP_GetCertInitial_MSG, x509_ca_enc,
1377 pkcs7_symmetric_cipher, pkcs7_key_size,
1378 x509_signer, pkcs7_digest_alg, private_key);
1379 if (!getCertInitial.ptr)
1380 {
1381 exit_scepclient("failed to build scep request");
1382 }
1383 if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
1384 http_get_request, http_timeout, &scep_response))
1385 {
1386 exit_scepclient("did not receive a valid scep response");
1387 }
1388 ugh = scep_parse_response(scep_response, transID, &container, &attrs);
1389 if (ugh != NULL)
1390 {
1391 exit_scepclient(ugh);
1392 }
1393 }
1394
1395 if (attrs.pkiStatus != SCEP_SUCCESS)
1396 {
1397 container->destroy(container);
1398 exit_scepclient("reply status is not 'SUCCESS'");
1399 }
1400
1401 if (!container->get_data(container, &chunk))
1402 {
1403 container->destroy(container);
1404 exit_scepclient("extracting signed-data failed");
1405 }
1406 container->destroy(container);
1407
1408 /* decrypt enveloped-data container */
1409 container = lib->creds->create(lib->creds,
1410 CRED_CONTAINER, CONTAINER_PKCS7,
1411 BUILD_BLOB_ASN1_DER, chunk,
1412 BUILD_END);
1413 free(chunk.ptr);
1414 if (!container)
1415 {
1416 exit_scepclient("could not decrypt envelopedData");
1417 }
1418
1419 if (!container->get_data(container, &chunk))
1420 {
1421 container->destroy(container);
1422 exit_scepclient("extracting encrypted-data failed");
1423 }
1424 container->destroy(container);
1425
1426 /* parse signed-data container */
1427 container = lib->creds->create(lib->creds,
1428 CRED_CONTAINER, CONTAINER_PKCS7,
1429 BUILD_BLOB_ASN1_DER, chunk,
1430 BUILD_END);
1431 free(chunk.ptr);
1432 if (!container)
1433 {
1434 exit_scepclient("could not parse singed-data");
1435 }
1436 /* no need to verify the signed-data container, the signature does NOT
1437 * cover the contained certificates */
1438
1439 /* store the end entity certificate */
1440 join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert);
1441
1442 p7 = (pkcs7_t*)container;
1443 enumerator = p7->create_cert_enumerator(p7);
1444 while (enumerator->enumerate(enumerator, &cert))
1445 {
1446 x509_t *x509 = (x509_t*)cert;
1447
1448 if (!(x509->get_flags(x509) & X509_CA))
1449 {
1450 if (stored)
1451 {
1452 exit_scepclient("multiple certs received, only first stored");
1453 }
1454 if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
1455 !chunk_write(encoding, path, "requested cert", 0022, force))
1456 {
1457 exit_scepclient("could not write cert file '%s'", path);
1458 }
1459 chunk_free(&encoding);
1460 stored = TRUE;
1461 }
1462 }
1463 enumerator->destroy(enumerator);
1464 container->destroy(container);
1465 chunk_free(&attrs.transID);
1466 chunk_free(&attrs.senderNonce);
1467 chunk_free(&attrs.recipientNonce);
1468
1469 filetype_out &= ~CERT; /* delete CERT flag */
1470 }
1471
1472 exit_scepclient(NULL);
1473 return -1; /* should never be reached */
1474 }