scepclient: Don't use a block-scope buffer for the default DN
[strongswan.git] / src / scepclient / scepclient.c
1 /*
2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2005 Jan Hutter, Martin Willi
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <stdarg.h>
18 #include <stdio.h>
19 #include <stdlib.h>
20 #include <string.h>
21 #include <getopt.h>
22 #include <ctype.h>
23 #include <unistd.h>
24 #include <time.h>
25 #include <limits.h>
26 #include <syslog.h>
27 #include <errno.h>
28
29 #include <library.h>
30 #include <utils/debug.h>
31 #include <asn1/asn1.h>
32 #include <asn1/oid.h>
33 #include <utils/optionsfrom.h>
34 #include <collections/enumerator.h>
35 #include <collections/linked_list.h>
36 #include <crypto/hashers/hasher.h>
37 #include <crypto/crypters/crypter.h>
38 #include <crypto/proposal/proposal_keywords.h>
39 #include <credentials/keys/private_key.h>
40 #include <credentials/keys/public_key.h>
41 #include <credentials/certificates/certificate.h>
42 #include <credentials/certificates/x509.h>
43 #include <credentials/certificates/pkcs10.h>
44 #include <credentials/sets/mem_cred.h>
45 #include <plugins/plugin.h>
46
47 #include "scep.h"
48
49 /*
50 * definition of some defaults
51 */
52
53 /* some paths */
54 #define REQ_PATH IPSEC_CONFDIR "/ipsec.d/reqs"
55 #define HOST_CERT_PATH IPSEC_CONFDIR "/ipsec.d/certs"
56 #define CA_CERT_PATH IPSEC_CONFDIR "/ipsec.d/cacerts"
57 #define PRIVATE_KEY_PATH IPSEC_CONFDIR "/ipsec.d/private"
58
59 /* default name of DER-encoded PKCS#1 private key file */
60 #define DEFAULT_FILENAME_PKCS1 "myKey.der"
61
62 /* default name of DER-encoded PKCS#10 certificate request file */
63 #define DEFAULT_FILENAME_PKCS10 "myReq.der"
64
65 /* default name of DER-encoded PKCS#7 file */
66 #define DEFAULT_FILENAME_PKCS7 "pkcs7.der"
67
68 /* default name of DER-encoded self-signed X.509 certificate file */
69 #define DEFAULT_FILENAME_CERT_SELF "selfCert.der"
70
71 /* default name of DER-encoded X.509 certificate file */
72 #define DEFAULT_FILENAME_CERT "myCert.der"
73
74 /* default name of DER-encoded CA cert file used for key encipherment */
75 #define DEFAULT_FILENAME_CACERT_ENC "caCert.der"
76
77 /* default name of the der encoded CA cert file used for signature verification */
78 #define DEFAULT_FILENAME_CACERT_SIG "caCert.der"
79
80 /* default prefix of the der encoded CA certificates received from the SCEP server */
81 #define DEFAULT_FILENAME_PREFIX_CACERT "caCert.der"
82
83 /* default certificate validity */
84 #define DEFAULT_CERT_VALIDITY 5 * 3600 * 24 * 365 /* seconds */
85
86 /* default polling time interval in SCEP manual mode */
87 #define DEFAULT_POLL_INTERVAL 20 /* seconds */
88
89 /* default key length for self-generated RSA keys */
90 #define DEFAULT_RSA_KEY_LENGTH 2048 /* bits */
91
92 /* default distinguished name */
93 #define DEFAULT_DN "C=CH, O=Linux strongSwan, CN="
94
95 /* minimum RSA key size */
96 #define RSA_MIN_OCTETS (512 / BITS_PER_BYTE)
97
98 /* challenge password buffer size */
99 #define MAX_PASSWORD_LENGTH 256
100
101 /* Max length of filename for tempfile */
102 #define MAX_TEMP_FILENAME_LENGTH 256
103
104
105 /* current scepclient version */
106 static const char *scepclient_version = "1.0";
107
108 /* by default the CRL policy is lenient */
109 bool strict_crl_policy = FALSE;
110
111 /* by default pluto does not check crls dynamically */
112 long crl_check_interval = 0;
113
114 /* by default pluto logs out after every smartcard use */
115 bool pkcs11_keep_state = FALSE;
116
117 /* by default HTTP fetch timeout is 30s */
118 static u_int http_timeout = 30;
119
120 /* address to bind for HTTP fetches */
121 static char* http_bind = NULL;
122
123 /* options read by optionsfrom */
124 options_t *options;
125
126 /*
127 * Global variables
128 */
129 chunk_t pkcs1;
130 chunk_t pkcs7;
131 chunk_t challengePassword;
132 chunk_t serialNumber;
133 chunk_t transID;
134 chunk_t fingerprint;
135 chunk_t encoding;
136 chunk_t pkcs10_encoding;
137 chunk_t issuerAndSubject;
138 chunk_t getCertInitial;
139 chunk_t scep_response;
140
141 linked_list_t *subjectAltNames;
142
143 identification_t *subject = NULL;
144 private_key_t *private_key = NULL;
145 public_key_t *public_key = NULL;
146 certificate_t *x509_signer = NULL;
147 certificate_t *x509_ca_enc = NULL;
148 certificate_t *x509_ca_sig = NULL;
149 certificate_t *pkcs10_req = NULL;
150
151 mem_cred_t *creds = NULL;
152
153 /* logging */
154 static bool log_to_stderr = TRUE;
155 static bool log_to_syslog = TRUE;
156 static level_t default_loglevel = 1;
157
158 /**
159 * logging function for scepclient
160 */
161 static void scepclient_dbg(debug_t group, level_t level, char *fmt, ...)
162 {
163 char buffer[8192];
164 char *current = buffer, *next;
165 va_list args;
166
167 if (level <= default_loglevel)
168 {
169 if (log_to_stderr)
170 {
171 va_start(args, fmt);
172 vfprintf(stderr, fmt, args);
173 va_end(args);
174 fprintf(stderr, "\n");
175 }
176 if (log_to_syslog)
177 {
178 /* write in memory buffer first */
179 va_start(args, fmt);
180 vsnprintf(buffer, sizeof(buffer), fmt, args);
181 va_end(args);
182
183 /* do a syslog with every line */
184 while (current)
185 {
186 next = strchr(current, '\n');
187 if (next)
188 {
189 *(next++) = '\0';
190 }
191 syslog(LOG_INFO, "%s\n", current);
192 current = next;
193 }
194 }
195 }
196 }
197
198 /**
199 * Initialize logging to stderr/syslog
200 */
201 static void init_log(const char *program)
202 {
203 dbg = scepclient_dbg;
204
205 if (log_to_stderr)
206 {
207 setbuf(stderr, NULL);
208 }
209 if (log_to_syslog)
210 {
211 openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
212 }
213 }
214
215 /**
216 * join two paths if filename is not absolute
217 */
218 static void join_paths(char *target, size_t target_size, char *parent,
219 char *filename)
220 {
221 if (*filename == '/' || *filename == '.')
222 {
223 snprintf(target, target_size, "%s", filename);
224 }
225 else
226 {
227 snprintf(target, target_size, "%s/%s", parent, filename);
228 }
229 }
230
231 /**
232 * add a suffix to a given filename, properly handling extensions like '.der'
233 */
234 static void add_path_suffix(char *target, size_t target_size, char *filename,
235 char *suffix_fmt, ...)
236 {
237 char suffix[PATH_MAX], *start, *dot;
238 va_list args;
239
240 va_start(args, suffix_fmt);
241 vsnprintf(suffix, sizeof(suffix), suffix_fmt, args);
242 va_end(args);
243
244 start = strrchr(filename, '/');
245 start = start ?: filename;
246 dot = strrchr(start, '.');
247
248 if (!dot || dot == start || dot[1] == '\0')
249 { /* no extension add suffix at the end */
250 snprintf(target, target_size, "%s%s", filename, suffix);
251 }
252 else
253 { /* add the suffix between the filename and the extension */
254 snprintf(target, target_size, "%.*s%s%s", (int)(dot - filename),
255 filename, suffix, dot);
256 }
257 }
258
259 /**
260 * @brief exit scepclient
261 *
262 * @param status 0 = OK, 1 = general discomfort
263 */
264 static void exit_scepclient(err_t message, ...)
265 {
266 int status = 0;
267
268 if (creds)
269 {
270 lib->credmgr->remove_set(lib->credmgr, &creds->set);
271 creds->destroy(creds);
272 }
273
274 DESTROY_IF(subject);
275 DESTROY_IF(private_key);
276 DESTROY_IF(public_key);
277 DESTROY_IF(x509_signer);
278 DESTROY_IF(x509_ca_enc);
279 DESTROY_IF(x509_ca_sig);
280 DESTROY_IF(pkcs10_req);
281 subjectAltNames->destroy_offset(subjectAltNames,
282 offsetof(identification_t, destroy));
283 free(pkcs1.ptr);
284 free(pkcs7.ptr);
285 free(serialNumber.ptr);
286 free(transID.ptr);
287 free(fingerprint.ptr);
288 free(encoding.ptr);
289 free(pkcs10_encoding.ptr);
290 free(issuerAndSubject.ptr);
291 free(getCertInitial.ptr);
292 free(scep_response.ptr);
293 options->destroy(options);
294
295 /* print any error message to stderr */
296 if (message != NULL && *message != '\0')
297 {
298 va_list args;
299 char m[8192];
300
301 va_start(args, message);
302 vsnprintf(m, sizeof(m), message, args);
303 va_end(args);
304
305 fprintf(stderr, "error: %s\n", m);
306 status = -1;
307 }
308 library_deinit();
309 exit(status);
310 }
311
312 /**
313 * @brief prints the program version and exits
314 *
315 */
316 static void version(void)
317 {
318 printf("scepclient %s\n", scepclient_version);
319 exit_scepclient(NULL);
320 }
321
322 /**
323 * @brief prints the usage of the program to the stderr output
324 *
325 * If message is set, program is exitet with 1 (error)
326 * @param message message in case of an error
327 */
328 static void usage(const char *message)
329 {
330 fprintf(stderr,
331 "Usage: scepclient\n"
332 " --help (-h) show usage and exit\n"
333 " --version (-v) show version and exit\n"
334 " --quiet (-q) do not write log output to stderr\n"
335 " --in (-i) <type>[=<filename>] use <filename> of <type> for input\n"
336 " <type> = pkcs1 | pkcs10 | cert-self\n"
337 " cacert-enc | cacert-sig\n"
338 " - if no pkcs1 input is defined, an RSA\n"
339 " key will be generated\n"
340 " - if no pkcs10 input is defined, a\n"
341 " PKCS#10 request will be generated\n"
342 " - if no cert-self input is defined, a\n"
343 " self-signed certificate will be generated\n"
344 " - if no filename is given, default is used\n"
345 " --out (-o) <type>[=<filename>] write output of <type> to <filename>\n"
346 " multiple outputs are allowed\n"
347 " <type> = pkcs1 | pkcs10 | pkcs7 | cert-self |\n"
348 " cert | cacert\n"
349 " - type cacert defines filename prefix of\n"
350 " received CA certificate(s)\n"
351 " - if no filename is given, default is used\n"
352 " --optionsfrom (-+) <filename> reads additional options from given file\n"
353 " --force (-f) force existing file(s)\n"
354 " --httptimeout (-T) timeout for HTTP operations (default: 30s)\n"
355 " --bind (-b) source address to bind for HTTP operations\n"
356 "\n"
357 "Options for key generation (pkcs1):\n"
358 " --keylength (-k) <bits> key length for RSA key generation\n"
359 " (default: 2048 bits)\n"
360 "\n"
361 "Options for validity:\n"
362 " --days (-D) <days> validity in days\n"
363 " --startdate (-S) <YYMMDDHHMMSS>Z not valid before date\n"
364 " --enddate (-E) <YYMMDDHHMMSS>Z not valid after date\n"
365 "\n"
366 "Options for request generation (pkcs10):\n"
367 " --dn (-d) <dn> comma separated list of distinguished names\n"
368 " --subjectAltName (-s) <t>=<v> include subjectAltName in certificate request\n"
369 " <t> = email | dns | ip \n"
370 " --password (-p) <pw> challenge password\n"
371 " - use '%%prompt' as pw for a password prompt\n"
372 " --algorithm (-a) [<type>=]<algo> algorithm to be used for PKCS#7 encryption,\n"
373 " PKCS#7 digest or PKCS#10 signature\n"
374 " <type> = enc | dgst | sig\n"
375 " - if no type is given enc is assumed\n"
376 " <algo> = des (default) | 3des | aes128 |\n"
377 " aes192 | aes256 | camellia128 |\n"
378 " camellia192 | camellia256\n"
379 " <algo> = md5 (default) | sha1 | sha256 |\n"
380 " sha384 | sha512\n"
381 "\n"
382 "Options for CA certificate acquisition:\n"
383 " --caname (-c) <name> name of CA to fetch CA certificate(s)\n"
384 " (default: CAIdentifier)\n"
385 "Options for enrollment (cert):\n"
386 " --url (-u) <url> url of the SCEP server\n"
387 " --method (-m) post | get http request type\n"
388 " --interval (-t) <seconds> poll interval in seconds (default 20s)\n"
389 " --maxpolltime (-x) <seconds> max poll time in seconds when in manual mode\n"
390 " (default: unlimited)\n"
391 "\n"
392 "Debugging output:\n"
393 " --debug (-l) <level> changes the log level (-1..4, default: 1)\n"
394 );
395 exit_scepclient(message);
396 }
397
398 /**
399 * @brief main of scepclient
400 *
401 * @param argc number of arguments
402 * @param argv pointer to the argument values
403 */
404 int main(int argc, char **argv)
405 {
406 /* external values */
407 extern char * optarg;
408 extern int optind;
409
410 /* type of input and output files */
411 typedef enum {
412 PKCS1 = 0x01,
413 PKCS10 = 0x02,
414 PKCS7 = 0x04,
415 CERT_SELF = 0x08,
416 CERT = 0x10,
417 CACERT_ENC = 0x20,
418 CACERT_SIG = 0x40,
419 } scep_filetype_t;
420
421 /* filetype to read from, defaults to "generate a key" */
422 scep_filetype_t filetype_in = 0;
423
424 /* filetype to write to, no default here */
425 scep_filetype_t filetype_out = 0;
426
427 /* input files */
428 char *file_in_pkcs1 = DEFAULT_FILENAME_PKCS1;
429 char *file_in_pkcs10 = DEFAULT_FILENAME_PKCS10;
430 char *file_in_cert_self = DEFAULT_FILENAME_CERT_SELF;
431 char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC;
432 char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG;
433
434 /* output files */
435 char *file_out_pkcs1 = DEFAULT_FILENAME_PKCS1;
436 char *file_out_pkcs10 = DEFAULT_FILENAME_PKCS10;
437 char *file_out_pkcs7 = DEFAULT_FILENAME_PKCS7;
438 char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF;
439 char *file_out_cert = DEFAULT_FILENAME_CERT;
440 char *file_out_ca_cert = DEFAULT_FILENAME_CACERT_ENC;
441
442 /* by default user certificate is requested */
443 bool request_ca_certificate = FALSE;
444
445 /* by default existing files are not overwritten */
446 bool force = FALSE;
447
448 /* length of RSA key in bits */
449 u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH;
450
451 /* validity of self-signed certificate */
452 time_t validity = DEFAULT_CERT_VALIDITY;
453 time_t notBefore = 0;
454 time_t notAfter = 0;
455
456 /* distinguished name for requested certificate, ASCII format */
457 char *distinguishedName = NULL;
458 char default_distinguished_name[BUF_LEN];
459
460 /* challenge password */
461 char challenge_password_buffer[MAX_PASSWORD_LENGTH];
462
463 /* symmetric encryption algorithm used by pkcs7, default is DES */
464 encryption_algorithm_t pkcs7_symmetric_cipher = ENCR_DES;
465 size_t pkcs7_key_size = 0;
466
467 /* digest algorithm used by pkcs7, default is MD5 */
468 hash_algorithm_t pkcs7_digest_alg = HASH_MD5;
469
470 /* signature algorithm used by pkcs10, default is MD5 */
471 hash_algorithm_t pkcs10_signature_alg = HASH_MD5;
472
473 /* URL of the SCEP-Server */
474 char *scep_url = NULL;
475
476 /* Name of CA to fetch CA certs for */
477 char *ca_name = "CAIdentifier";
478
479 /* http request method, default is GET */
480 bool http_get_request = TRUE;
481
482 /* poll interval time in manual mode in seconds */
483 u_int poll_interval = DEFAULT_POLL_INTERVAL;
484
485 /* maximum poll time */
486 u_int max_poll_time = 0;
487
488 err_t ugh = NULL;
489
490 /* initialize library */
491 if (!library_init(NULL, "scepclient"))
492 {
493 library_deinit();
494 exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
495 }
496 if (lib->integrity &&
497 !lib->integrity->check_file(lib->integrity, "scepclient", argv[0]))
498 {
499 fprintf(stderr, "integrity check of scepclient failed\n");
500 library_deinit();
501 exit(SS_RC_DAEMON_INTEGRITY);
502 }
503
504 /* initialize global variables */
505 pkcs1 = chunk_empty;
506 pkcs7 = chunk_empty;
507 serialNumber = chunk_empty;
508 transID = chunk_empty;
509 fingerprint = chunk_empty;
510 encoding = chunk_empty;
511 pkcs10_encoding = chunk_empty;
512 issuerAndSubject = chunk_empty;
513 challengePassword = chunk_empty;
514 getCertInitial = chunk_empty;
515 scep_response = chunk_empty;
516 subjectAltNames = linked_list_create();
517 options = options_create();
518
519 for (;;)
520 {
521 static const struct option long_opts[] = {
522 /* name, has_arg, flag, val */
523 { "help", no_argument, NULL, 'h' },
524 { "version", no_argument, NULL, 'v' },
525 { "optionsfrom", required_argument, NULL, '+' },
526 { "quiet", no_argument, NULL, 'q' },
527 { "debug", required_argument, NULL, 'l' },
528 { "in", required_argument, NULL, 'i' },
529 { "out", required_argument, NULL, 'o' },
530 { "force", no_argument, NULL, 'f' },
531 { "httptimeout", required_argument, NULL, 'T' },
532 { "bind", required_argument, NULL, 'b' },
533 { "keylength", required_argument, NULL, 'k' },
534 { "dn", required_argument, NULL, 'd' },
535 { "days", required_argument, NULL, 'D' },
536 { "startdate", required_argument, NULL, 'S' },
537 { "enddate", required_argument, NULL, 'E' },
538 { "subjectAltName", required_argument, NULL, 's' },
539 { "password", required_argument, NULL, 'p' },
540 { "algorithm", required_argument, NULL, 'a' },
541 { "url", required_argument, NULL, 'u' },
542 { "caname", required_argument, NULL, 'c'},
543 { "method", required_argument, NULL, 'm' },
544 { "interval", required_argument, NULL, 't' },
545 { "maxpolltime", required_argument, NULL, 'x' },
546 { 0,0,0,0 }
547 };
548
549 /* parse next option */
550 int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:c:m:t:x:APRCMS", long_opts, NULL);
551
552 switch (c)
553 {
554 case EOF: /* end of flags */
555 break;
556
557 case 'h': /* --help */
558 usage(NULL);
559
560 case 'v': /* --version */
561 version();
562
563 case 'q': /* --quiet */
564 log_to_stderr = FALSE;
565 continue;
566
567 case 'l': /* --debug <level> */
568 default_loglevel = atoi(optarg);
569 continue;
570
571 case 'i': /* --in <type> [= <filename>] */
572 {
573 char *filename = strstr(optarg, "=");
574
575 if (filename)
576 {
577 /* replace '=' by '\0' */
578 *filename = '\0';
579 /* set pointer to start of filename */
580 filename++;
581 }
582 if (strcaseeq("pkcs1", optarg))
583 {
584 filetype_in |= PKCS1;
585 if (filename)
586 file_in_pkcs1 = filename;
587 }
588 else if (strcaseeq("pkcs10", optarg))
589 {
590 filetype_in |= PKCS10;
591 if (filename)
592 file_in_pkcs10 = filename;
593 }
594 else if (strcaseeq("cacert-enc", optarg))
595 {
596 filetype_in |= CACERT_ENC;
597 if (filename)
598 file_in_cacert_enc = filename;
599 }
600 else if (strcaseeq("cacert-sig", optarg))
601 {
602 filetype_in |= CACERT_SIG;
603 if (filename)
604 file_in_cacert_sig = filename;
605 }
606 else if (strcaseeq("cert-self", optarg))
607 {
608 filetype_in |= CERT_SELF;
609 if (filename)
610 file_in_cert_self = filename;
611 }
612 else
613 {
614 usage("invalid --in file type");
615 }
616 continue;
617 }
618
619 case 'o': /* --out <type> [= <filename>] */
620 {
621 char *filename = strstr(optarg, "=");
622
623 if (filename)
624 {
625 /* replace '=' by '\0' */
626 *filename = '\0';
627 /* set pointer to start of filename */
628 filename++;
629 }
630 if (strcaseeq("pkcs1", optarg))
631 {
632 filetype_out |= PKCS1;
633 if (filename)
634 file_out_pkcs1 = filename;
635 }
636 else if (strcaseeq("pkcs10", optarg))
637 {
638 filetype_out |= PKCS10;
639 if (filename)
640 file_out_pkcs10 = filename;
641 }
642 else if (strcaseeq("pkcs7", optarg))
643 {
644 filetype_out |= PKCS7;
645 if (filename)
646 file_out_pkcs7 = filename;
647 }
648 else if (strcaseeq("cert-self", optarg))
649 {
650 filetype_out |= CERT_SELF;
651 if (filename)
652 file_out_cert_self = filename;
653 }
654 else if (strcaseeq("cert", optarg))
655 {
656 filetype_out |= CERT;
657 if (filename)
658 file_out_cert = filename;
659 }
660 else if (strcaseeq("cacert", optarg))
661 {
662 request_ca_certificate = TRUE;
663 if (filename)
664 file_out_ca_cert = filename;
665 }
666 else
667 {
668 usage("invalid --out file type");
669 }
670 continue;
671 }
672
673 case 'f': /* --force */
674 force = TRUE;
675 continue;
676
677 case 'T': /* --httptimeout */
678 http_timeout = atoi(optarg);
679 if (http_timeout <= 0)
680 {
681 usage("invalid httptimeout specified");
682 }
683 continue;
684
685 case 'b': /* --bind */
686 http_bind = optarg;
687 continue;
688
689 case '+': /* --optionsfrom <filename> */
690 if (!options->from(options, optarg, &argc, &argv, optind))
691 {
692 exit_scepclient("optionsfrom failed");
693 }
694 continue;
695
696 case 'k': /* --keylength <length> */
697 {
698 div_t q;
699
700 rsa_keylength = atoi(optarg);
701 if (rsa_keylength == 0)
702 usage("invalid keylength");
703
704 /* check if key length is a multiple of 8 bits */
705 q = div(rsa_keylength, 2*BITS_PER_BYTE);
706 if (q.rem != 0)
707 {
708 exit_scepclient("keylength is not a multiple of %d bits!"
709 , 2*BITS_PER_BYTE);
710 }
711 continue;
712 }
713
714 case 'D': /* --days */
715 if (optarg == NULL || !isdigit(optarg[0]))
716 {
717 usage("missing number of days");
718 }
719 else
720 {
721 char *endptr;
722 long days = strtol(optarg, &endptr, 0);
723
724 if (*endptr != '\0' || endptr == optarg
725 || days <= 0)
726 usage("<days> must be a positive number");
727 validity = 24*3600*days;
728 }
729 continue;
730
731 case 'S': /* --startdate */
732 if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
733 {
734 usage("date format must be YYMMDDHHMMSSZ");
735 }
736 else
737 {
738 chunk_t date = { optarg, 13 };
739 notBefore = asn1_to_time(&date, ASN1_UTCTIME);
740 }
741 continue;
742
743 case 'E': /* --enddate */
744 if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
745 {
746 usage("date format must be YYMMDDHHMMSSZ");
747 }
748 else
749 {
750 chunk_t date = { optarg, 13 };
751 notAfter = asn1_to_time(&date, ASN1_UTCTIME);
752 }
753 continue;
754
755 case 'd': /* --dn */
756 if (distinguishedName)
757 {
758 usage("only one distinguished name allowed");
759 }
760 distinguishedName = optarg;
761 continue;
762
763 case 's': /* --subjectAltName */
764 {
765 char *value = strstr(optarg, "=");
766
767 if (value)
768 {
769 /* replace '=' by '\0' */
770 *value = '\0';
771 /* set pointer to start of value */
772 value++;
773 }
774
775 if (strcaseeq("email", optarg) ||
776 strcaseeq("dns", optarg) ||
777 strcaseeq("ip", optarg))
778 {
779 subjectAltNames->insert_last(subjectAltNames,
780 identification_create_from_string(value));
781 continue;
782 }
783 else
784 {
785 usage("invalid --subjectAltName type");
786 continue;
787 }
788 }
789
790 case 'p': /* --password */
791 if (challengePassword.len > 0)
792 {
793 usage("only one challenge password allowed");
794 }
795 if (strcaseeq("%prompt", optarg))
796 {
797 printf("Challenge password: ");
798 if (fgets(challenge_password_buffer,
799 sizeof(challenge_password_buffer) - 1, stdin))
800 {
801 challengePassword.ptr = challenge_password_buffer;
802 /* discard the terminating '\n' from the input */
803 challengePassword.len = strlen(challenge_password_buffer) - 1;
804 }
805 else
806 {
807 usage("challenge password could not be read");
808 }
809 }
810 else
811 {
812 challengePassword.ptr = optarg;
813 challengePassword.len = strlen(optarg);
814 }
815 continue;
816
817 case 'u': /* -- url */
818 if (scep_url)
819 {
820 usage("only one URL argument allowed");
821 }
822 scep_url = optarg;
823 continue;
824
825 case 'c': /* -- caname */
826 ca_name = optarg;
827 continue;
828
829 case 'm': /* --method */
830 if (strcaseeq("get", optarg))
831 {
832 http_get_request = TRUE;
833 }
834 else if (strcaseeq("post", optarg))
835 {
836 http_get_request = FALSE;
837 }
838 else
839 {
840 usage("invalid http request method specified");
841 }
842 continue;
843
844 case 't': /* --interval */
845 poll_interval = atoi(optarg);
846 if (poll_interval <= 0)
847 {
848 usage("invalid interval specified");
849 }
850 continue;
851
852 case 'x': /* --maxpolltime */
853 max_poll_time = atoi(optarg);
854 continue;
855
856 case 'a': /*--algorithm [<type>=]algo */
857 {
858 const proposal_token_t *token;
859 char *type = optarg;
860 char *algo = strstr(optarg, "=");
861
862 if (algo)
863 {
864 *algo = '\0';
865 algo++;
866 }
867 else
868 {
869 type = "enc";
870 algo = optarg;
871 }
872
873 if (strcaseeq("enc", type))
874 {
875 token = lib->proposal->get_token(lib->proposal, algo);
876 if (token == NULL || token->type != ENCRYPTION_ALGORITHM)
877 {
878 usage("invalid algorithm specified");
879 }
880 pkcs7_symmetric_cipher = token->algorithm;
881 pkcs7_key_size = token->keysize;
882 if (encryption_algorithm_to_oid(token->algorithm,
883 token->keysize) == OID_UNKNOWN)
884 {
885 usage("unsupported encryption algorithm specified");
886 }
887 }
888 else if (strcaseeq("dgst", type) ||
889 strcaseeq("sig", type))
890 {
891 hash_algorithm_t hash;
892
893 token = lib->proposal->get_token(lib->proposal, algo);
894 if (token == NULL || token->type != INTEGRITY_ALGORITHM)
895 {
896 usage("invalid algorithm specified");
897 }
898 hash = hasher_algorithm_from_integrity(token->algorithm,
899 NULL);
900 if (hash == (hash_algorithm_t)OID_UNKNOWN)
901 {
902 usage("invalid algorithm specified");
903 }
904 if (strcaseeq("dgst", type))
905 {
906 pkcs7_digest_alg = hash;
907 }
908 else
909 {
910 pkcs10_signature_alg = hash;
911 }
912 }
913 else
914 {
915 usage("invalid --algorithm type");
916 }
917 continue;
918 }
919 default:
920 usage("unknown option");
921 }
922 /* break from loop */
923 break;
924 }
925
926 init_log("scepclient");
927
928 /* load plugins, further infrastructure may need it */
929 if (!lib->plugins->load(lib->plugins,
930 lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS)))
931 {
932 exit_scepclient("plugin loading failed");
933 }
934 lib->plugins->status(lib->plugins, LEVEL_DIAG);
935
936 if ((filetype_out == 0) && (!request_ca_certificate))
937 {
938 usage("--out filetype required");
939 }
940 if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0))
941 {
942 usage("in CA certificate request, no other --in or --out option allowed");
943 }
944
945 /* check if url is given, if cert output defined */
946 if (((filetype_out & CERT) || request_ca_certificate) && !scep_url)
947 {
948 usage("URL of SCEP server required");
949 }
950
951 /* check for sanity of --in/--out */
952 if (!filetype_in && (filetype_in > filetype_out))
953 {
954 usage("cannot generate --out of given --in!");
955 }
956
957 /* get CA cert */
958 if (request_ca_certificate)
959 {
960 char ca_path[PATH_MAX];
961 container_t *container;
962 pkcs7_t *pkcs7;
963
964 if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)),
965 SCEP_GET_CA_CERT, http_get_request,
966 http_timeout, http_bind, &scep_response))
967 {
968 exit_scepclient("did not receive a valid scep response");
969 }
970
971 join_paths(ca_path, sizeof(ca_path), CA_CERT_PATH, file_out_ca_cert);
972
973 pkcs7 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
974 BUILD_BLOB_ASN1_DER, scep_response, BUILD_END);
975
976 if (!pkcs7)
977 { /* no PKCS#7 encoded CA+RA certificates, assume simple CA cert */
978
979 DBG1(DBG_APP, "unable to parse PKCS#7, assuming plain CA cert");
980 if (!chunk_write(scep_response, ca_path, 0022, force))
981 {
982 exit_scepclient("could not write ca cert file '%s': %s",
983 ca_path, strerror(errno));
984 }
985 }
986 else
987 {
988 enumerator_t *enumerator;
989 certificate_t *cert;
990 int ra_certs = 0, ca_certs = 0;
991 int ra_index = 1, ca_index = 1;
992
993 enumerator = pkcs7->create_cert_enumerator(pkcs7);
994 while (enumerator->enumerate(enumerator, &cert))
995 {
996 x509_t *x509 = (x509_t*)cert;
997 if (x509->get_flags(x509) & X509_CA)
998 {
999 ca_certs++;
1000 }
1001 else
1002 {
1003 ra_certs++;
1004 }
1005 }
1006 enumerator->destroy(enumerator);
1007
1008 enumerator = pkcs7->create_cert_enumerator(pkcs7);
1009 while (enumerator->enumerate(enumerator, &cert))
1010 {
1011 x509_t *x509 = (x509_t*)cert;
1012 bool ca_cert = x509->get_flags(x509) & X509_CA;
1013 char cert_path[PATH_MAX], *path = ca_path;
1014
1015 if (ca_cert && ca_certs > 1)
1016 {
1017 add_path_suffix(cert_path, sizeof(cert_path), ca_path,
1018 "-%.1d", ca_index++);
1019 path = cert_path;
1020 }
1021 else if (!ca_cert)
1022 { /* use CA name as base for RA certs */
1023 if (ra_certs > 1)
1024 {
1025 add_path_suffix(cert_path, sizeof(cert_path), ca_path,
1026 "-ra-%.1d", ra_index++);
1027 }
1028 else
1029 {
1030 add_path_suffix(cert_path, sizeof(cert_path), ca_path,
1031 "-ra");
1032 }
1033 path = cert_path;
1034 }
1035
1036 if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
1037 !chunk_write(encoding, path, 0022, force))
1038 {
1039 exit_scepclient("could not write cert file '%s': %s",
1040 path, strerror(errno));
1041 }
1042 chunk_free(&encoding);
1043 }
1044 enumerator->destroy(enumerator);
1045 container = &pkcs7->container;
1046 container->destroy(container);
1047 }
1048 exit_scepclient(NULL); /* no further output required */
1049 }
1050
1051 creds = mem_cred_create();
1052 lib->credmgr->add_set(lib->credmgr, &creds->set);
1053
1054 /*
1055 * input of PKCS#1 file
1056 */
1057 if (filetype_in & PKCS1) /* load an RSA key pair from file */
1058 {
1059 char path[PATH_MAX];
1060
1061 join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_in_pkcs1);
1062
1063 private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
1064 BUILD_FROM_FILE, path, BUILD_END);
1065 }
1066 else /* generate an RSA key pair */
1067 {
1068 private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
1069 BUILD_KEY_SIZE, rsa_keylength,
1070 BUILD_END);
1071 }
1072 if (private_key == NULL)
1073 {
1074 exit_scepclient("no RSA private key available");
1075 }
1076 creds->add_key(creds, private_key->get_ref(private_key));
1077 public_key = private_key->get_public_key(private_key);
1078
1079 /* check for minimum key length */
1080 if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS / BITS_PER_BYTE)
1081 {
1082 exit_scepclient("length of RSA key has to be at least %d bits",
1083 RSA_MIN_OCTETS * BITS_PER_BYTE);
1084 }
1085
1086 /*
1087 * input of PKCS#10 file
1088 */
1089 if (filetype_in & PKCS10)
1090 {
1091 char path[PATH_MAX];
1092
1093 join_paths(path, sizeof(path), REQ_PATH, file_in_pkcs10);
1094
1095 pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
1096 CERT_PKCS10_REQUEST, BUILD_FROM_FILE,
1097 path, BUILD_END);
1098 if (!pkcs10_req)
1099 {
1100 exit_scepclient("could not read certificate request '%s'", path);
1101 }
1102 subject = pkcs10_req->get_subject(pkcs10_req);
1103 subject = subject->clone(subject);
1104 }
1105 else
1106 {
1107 if (distinguishedName == NULL)
1108 {
1109 int n = sprintf(default_distinguished_name, DEFAULT_DN);
1110
1111 /* set the common name to the hostname */
1112 if (gethostname(default_distinguished_name + n, BUF_LEN - n) ||
1113 strlen(default_distinguished_name) == n)
1114 {
1115 exit_scepclient("no hostname defined, use "
1116 "--dn <distinguished name> option");
1117 }
1118 distinguishedName = default_distinguished_name;
1119 }
1120
1121 DBG2(DBG_APP, "dn: '%s'", distinguishedName);
1122 subject = identification_create_from_string(distinguishedName);
1123 if (subject->get_type(subject) != ID_DER_ASN1_DN)
1124 {
1125 exit_scepclient("parsing of distinguished name failed");
1126 }
1127
1128 DBG2(DBG_APP, "building pkcs10 object:");
1129 pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
1130 CERT_PKCS10_REQUEST,
1131 BUILD_SIGNING_KEY, private_key,
1132 BUILD_SUBJECT, subject,
1133 BUILD_SUBJECT_ALTNAMES, subjectAltNames,
1134 BUILD_CHALLENGE_PWD, challengePassword,
1135 BUILD_DIGEST_ALG, pkcs10_signature_alg,
1136 BUILD_END);
1137 if (!pkcs10_req)
1138 {
1139 exit_scepclient("generating pkcs10 request failed");
1140 }
1141 }
1142 pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding);
1143 fingerprint = scep_generate_pkcs10_fingerprint(pkcs10_encoding);
1144 DBG1(DBG_APP, " fingerprint: %s", fingerprint.ptr);
1145
1146 /*
1147 * output of PKCS#10 file
1148 */
1149 if (filetype_out & PKCS10)
1150 {
1151 char path[PATH_MAX];
1152
1153 join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs10);
1154
1155 if (!chunk_write(pkcs10_encoding, path, 0022, force))
1156 {
1157 exit_scepclient("could not write pkcs10 file '%s': %s",
1158 path, strerror(errno));
1159 }
1160 filetype_out &= ~PKCS10; /* delete PKCS10 flag */
1161 }
1162
1163 if (!filetype_out)
1164 {
1165 exit_scepclient(NULL); /* no further output required */
1166 }
1167
1168 /*
1169 * output of PKCS#1 file
1170 */
1171 if (filetype_out & PKCS1)
1172 {
1173 char path[PATH_MAX];
1174
1175 join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_out_pkcs1);
1176
1177 DBG2(DBG_APP, "building pkcs1 object:");
1178 if (!private_key->get_encoding(private_key, PRIVKEY_ASN1_DER, &pkcs1) ||
1179 !chunk_write(pkcs1, path, 0066, force))
1180 {
1181 exit_scepclient("could not write pkcs1 file '%s': %s",
1182 path, strerror(errno));
1183 }
1184 filetype_out &= ~PKCS1; /* delete PKCS1 flag */
1185 }
1186
1187 if (!filetype_out)
1188 {
1189 exit_scepclient(NULL); /* no further output required */
1190 }
1191
1192 scep_generate_transaction_id(public_key, &transID, &serialNumber);
1193 DBG1(DBG_APP, " transaction ID: %.*s", (int)transID.len, transID.ptr);
1194
1195 /*
1196 * read or generate self-signed X.509 certificate
1197 */
1198 if (filetype_in & CERT_SELF)
1199 {
1200 char path[PATH_MAX];
1201
1202 join_paths(path, sizeof(path), HOST_CERT_PATH, file_in_cert_self);
1203
1204 x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
1205 BUILD_FROM_FILE, path, BUILD_END);
1206 if (!x509_signer)
1207 {
1208 exit_scepclient("could not read certificate file '%s'", path);
1209 }
1210 }
1211 else
1212 {
1213 notBefore = notBefore ? notBefore : time(NULL);
1214 notAfter = notAfter ? notAfter : (notBefore + validity);
1215 x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
1216 BUILD_SIGNING_KEY, private_key,
1217 BUILD_PUBLIC_KEY, public_key,
1218 BUILD_SUBJECT, subject,
1219 BUILD_NOT_BEFORE_TIME, notBefore,
1220 BUILD_NOT_AFTER_TIME, notAfter,
1221 BUILD_SERIAL, serialNumber,
1222 BUILD_SUBJECT_ALTNAMES, subjectAltNames,
1223 BUILD_END);
1224 if (!x509_signer)
1225 {
1226 exit_scepclient("generating certificate failed");
1227 }
1228 }
1229 creds->add_cert(creds, TRUE, x509_signer->get_ref(x509_signer));
1230
1231 /*
1232 * output of self-signed X.509 certificate file
1233 */
1234 if (filetype_out & CERT_SELF)
1235 {
1236 char path[PATH_MAX];
1237
1238 join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert_self);
1239
1240 if (!x509_signer->get_encoding(x509_signer, CERT_ASN1_DER, &encoding))
1241 {
1242 exit_scepclient("encoding certificate failed");
1243 }
1244 if (!chunk_write(encoding, path, 0022, force))
1245 {
1246 exit_scepclient("could not write self-signed cert file '%s': %s",
1247 path, strerror(errno));
1248 }
1249 chunk_free(&encoding);
1250 filetype_out &= ~CERT_SELF; /* delete CERT_SELF flag */
1251 }
1252
1253 if (!filetype_out)
1254 {
1255 exit_scepclient(NULL); /* no further output required */
1256 }
1257
1258 /*
1259 * load ca encryption certificate
1260 */
1261 {
1262 char path[PATH_MAX];
1263
1264 join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_enc);
1265
1266 x509_ca_enc = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
1267 BUILD_FROM_FILE, path, BUILD_END);
1268 if (!x509_ca_enc)
1269 {
1270 exit_scepclient("could not load encryption cacert file '%s'", path);
1271 }
1272 }
1273
1274 /*
1275 * input of PKCS#7 file
1276 */
1277 if (filetype_in & PKCS7)
1278 {
1279 /* user wants to load a pkcs7 encrypted request
1280 * operation is not yet supported!
1281 * would require additional parsing of transaction-id
1282
1283 pkcs7 = pkcs7_read_from_file(file_in_pkcs7);
1284
1285 */
1286 }
1287 else
1288 {
1289 DBG2(DBG_APP, "building pkcs7 request");
1290 pkcs7 = scep_build_request(pkcs10_encoding,
1291 transID, SCEP_PKCSReq_MSG, x509_ca_enc,
1292 pkcs7_symmetric_cipher, pkcs7_key_size,
1293 x509_signer, pkcs7_digest_alg, private_key);
1294 if (!pkcs7.ptr)
1295 {
1296 exit_scepclient("failed to build pkcs7 request");
1297 }
1298 }
1299
1300 /*
1301 * output pkcs7 encrypted and signed certificate request
1302 */
1303 if (filetype_out & PKCS7)
1304 {
1305 char path[PATH_MAX];
1306
1307 join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs7);
1308
1309 if (!chunk_write(pkcs7, path, 0022, force))
1310 {
1311 exit_scepclient("could not write pkcs7 file '%s': %s",
1312 path, strerror(errno));
1313 }
1314 filetype_out &= ~PKCS7; /* delete PKCS7 flag */
1315 }
1316
1317 if (!filetype_out)
1318 {
1319 exit_scepclient(NULL); /* no further output required */
1320 }
1321
1322 /*
1323 * output certificate fetch from SCEP server
1324 */
1325 if (filetype_out & CERT)
1326 {
1327 bool stored = FALSE;
1328 certificate_t *cert;
1329 enumerator_t *enumerator;
1330 char path[PATH_MAX];
1331 time_t poll_start = 0;
1332 pkcs7_t *p7;
1333 container_t *container = NULL;
1334 chunk_t chunk;
1335 scep_attributes_t attrs = empty_scep_attributes;
1336
1337 join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_sig);
1338
1339 x509_ca_sig = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
1340 BUILD_FROM_FILE, path, BUILD_END);
1341 if (!x509_ca_sig)
1342 {
1343 exit_scepclient("could not load signature cacert file '%s'", path);
1344 }
1345
1346 creds->add_cert(creds, TRUE, x509_ca_sig->get_ref(x509_ca_sig));
1347
1348 if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
1349 http_get_request, http_timeout, http_bind, &scep_response))
1350 {
1351 exit_scepclient("did not receive a valid scep response");
1352 }
1353 ugh = scep_parse_response(scep_response, transID, &container, &attrs);
1354 if (ugh != NULL)
1355 {
1356 exit_scepclient(ugh);
1357 }
1358
1359 /* in case of manual mode, we are going into a polling loop */
1360 if (attrs.pkiStatus == SCEP_PENDING)
1361 {
1362 identification_t *issuer = x509_ca_sig->get_subject(x509_ca_sig);
1363
1364 DBG1(DBG_APP, " scep request pending, polling every %d seconds",
1365 poll_interval);
1366 poll_start = time_monotonic(NULL);
1367 issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc",
1368 issuer->get_encoding(issuer),
1369 subject->get_encoding(subject));
1370 }
1371 while (attrs.pkiStatus == SCEP_PENDING)
1372 {
1373 if (max_poll_time > 0 &&
1374 (time_monotonic(NULL) - poll_start >= max_poll_time))
1375 {
1376 exit_scepclient("maximum poll time reached: %d seconds"
1377 , max_poll_time);
1378 }
1379 DBG2(DBG_APP, "going to sleep for %d seconds", poll_interval);
1380 sleep(poll_interval);
1381 free(scep_response.ptr);
1382 container->destroy(container);
1383
1384 DBG2(DBG_APP, "fingerprint: %.*s",
1385 (int)fingerprint.len, fingerprint.ptr);
1386 DBG2(DBG_APP, "transaction ID: %.*s",
1387 (int)transID.len, transID.ptr);
1388
1389 chunk_free(&getCertInitial);
1390 getCertInitial = scep_build_request(issuerAndSubject,
1391 transID, SCEP_GetCertInitial_MSG, x509_ca_enc,
1392 pkcs7_symmetric_cipher, pkcs7_key_size,
1393 x509_signer, pkcs7_digest_alg, private_key);
1394 if (!getCertInitial.ptr)
1395 {
1396 exit_scepclient("failed to build scep request");
1397 }
1398 if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
1399 http_get_request, http_timeout, http_bind, &scep_response))
1400 {
1401 exit_scepclient("did not receive a valid scep response");
1402 }
1403 ugh = scep_parse_response(scep_response, transID, &container, &attrs);
1404 if (ugh != NULL)
1405 {
1406 exit_scepclient(ugh);
1407 }
1408 }
1409
1410 if (attrs.pkiStatus != SCEP_SUCCESS)
1411 {
1412 container->destroy(container);
1413 exit_scepclient("reply status is not 'SUCCESS'");
1414 }
1415
1416 if (!container->get_data(container, &chunk))
1417 {
1418 container->destroy(container);
1419 exit_scepclient("extracting signed-data failed");
1420 }
1421 container->destroy(container);
1422
1423 /* decrypt enveloped-data container */
1424 container = lib->creds->create(lib->creds,
1425 CRED_CONTAINER, CONTAINER_PKCS7,
1426 BUILD_BLOB_ASN1_DER, chunk,
1427 BUILD_END);
1428 free(chunk.ptr);
1429 if (!container)
1430 {
1431 exit_scepclient("could not decrypt envelopedData");
1432 }
1433
1434 if (!container->get_data(container, &chunk))
1435 {
1436 container->destroy(container);
1437 exit_scepclient("extracting encrypted-data failed");
1438 }
1439 container->destroy(container);
1440
1441 /* parse signed-data container */
1442 container = lib->creds->create(lib->creds,
1443 CRED_CONTAINER, CONTAINER_PKCS7,
1444 BUILD_BLOB_ASN1_DER, chunk,
1445 BUILD_END);
1446 free(chunk.ptr);
1447 if (!container)
1448 {
1449 exit_scepclient("could not parse singed-data");
1450 }
1451 /* no need to verify the signed-data container, the signature does NOT
1452 * cover the contained certificates */
1453
1454 /* store the end entity certificate */
1455 join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert);
1456
1457 p7 = (pkcs7_t*)container;
1458 enumerator = p7->create_cert_enumerator(p7);
1459 while (enumerator->enumerate(enumerator, &cert))
1460 {
1461 x509_t *x509 = (x509_t*)cert;
1462
1463 if (!(x509->get_flags(x509) & X509_CA))
1464 {
1465 if (stored)
1466 {
1467 exit_scepclient("multiple certs received, only first stored");
1468 }
1469 if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
1470 !chunk_write(encoding, path, 0022, force))
1471 {
1472 exit_scepclient("could not write cert file '%s': %s",
1473 path, strerror(errno));
1474 }
1475 chunk_free(&encoding);
1476 stored = TRUE;
1477 }
1478 }
1479 enumerator->destroy(enumerator);
1480 container->destroy(container);
1481 chunk_free(&attrs.transID);
1482 chunk_free(&attrs.senderNonce);
1483 chunk_free(&attrs.recipientNonce);
1484
1485 filetype_out &= ~CERT; /* delete CERT flag */
1486 }
1487
1488 exit_scepclient(NULL);
1489 return -1; /* should never be reached */
1490 }