handle plugin loading failures
[strongswan.git] / src / scepclient / scepclient.c
1 /*
2 * Copyright (C) 2005 Jan Hutter, Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 /**
17 * @file main.c
18 * @brief scepclient main program
19 */
20
21 /**
22 * @mainpage SCEP for Linux strongSwan
23 *
24 * Documentation of SCEP for Linux StrongSwan
25 */
26
27 #include <stdarg.h>
28 #include <stdio.h>
29 #include <stdlib.h>
30 #include <string.h>
31 #include <getopt.h>
32 #include <ctype.h>
33 #include <unistd.h>
34 #include <time.h>
35
36 #include <freeswan.h>
37
38 #include <library.h>
39 #include <debug.h>
40 #include <asn1/asn1.h>
41 #include <asn1/oid.h>
42 #include <utils/optionsfrom.h>
43 #include <utils/enumerator.h>
44 #include <crypto/crypters/crypter.h>
45 #include <crypto/proposal/proposal_keywords.h>
46 #include <credentials/keys/private_key.h>
47 #include <credentials/keys/public_key.h>
48
49 #include "../pluto/constants.h"
50 #include "../pluto/defs.h"
51 #include "../pluto/log.h"
52 #include "../pluto/pkcs7.h"
53 #include "../pluto/certs.h"
54
55 #include "pkcs10.h"
56 #include "scep.h"
57
58 /*
59 * definition of some defaults
60 */
61
62 /* default name of DER-encoded PKCS#1 private key file */
63 #define DEFAULT_FILENAME_PKCS1 "myKey.der"
64
65 /* default name of DER-encoded PKCS#10 certificate request file */
66 #define DEFAULT_FILENAME_PKCS10 "myReq.der"
67
68 /* default name of DER-encoded PKCS#7 file */
69 #define DEFAULT_FILENAME_PKCS7 "pkcs7.der"
70
71 /* default name of DER-encoded self-signed X.509 certificate file */
72 #define DEFAULT_FILENAME_CERT_SELF "selfCert.der"
73
74 /* default name of DER-encoded X.509 certificate file */
75 #define DEFAULT_FILENAME_CERT "myCert.der"
76
77 /* default name of DER-encoded CA cert file used for key encipherment */
78 #define DEFAULT_FILENAME_CACERT_ENC "caCert.der"
79
80 /* default name of the der encoded CA cert file used for signature verification */
81 #define DEFAULT_FILENAME_CACERT_SIG "caCert.der"
82
83 /* default prefix of the der encoded CA certificates received from the SCEP server */
84 #define DEFAULT_FILENAME_PREFIX_CACERT "caCert.der"
85
86 /* default certificate validity */
87 #define DEFAULT_CERT_VALIDITY 5 * 3600 * 24 * 365 /* seconds */
88
89 /* default polling time interval in SCEP manual mode */
90 #define DEFAULT_POLL_INTERVAL 20 /* seconds */
91
92 /* default key length for self-generated RSA keys */
93 #define DEFAULT_RSA_KEY_LENGTH 2048 /* bits */
94
95 /* default distinguished name */
96 #define DEFAULT_DN "C=CH, O=Linux strongSwan, CN="
97
98 /* challenge password buffer size */
99 #define MAX_PASSWORD_LENGTH 256
100
101 /* Max length of filename for tempfile */
102 #define MAX_TEMP_FILENAME_LENGTH 256
103
104
105 /* current scepclient version */
106 static const char *scepclient_version = "1.0";
107
108 /* by default the CRL policy is lenient */
109 bool strict_crl_policy = FALSE;
110
111 /* by default pluto does not check crls dynamically */
112 long crl_check_interval = 0;
113
114 /* by default pluto logs out after every smartcard use */
115 bool pkcs11_keep_state = FALSE;
116
117 /* options read by optionsfrom */
118 options_t *options;
119
120 /*
121 * Global variables
122 */
123
124 private_key_t *private_key = NULL;
125 public_key_t *public_key = NULL;
126
127 chunk_t pkcs1;
128 chunk_t pkcs7;
129 chunk_t subject;
130 chunk_t challengePassword;
131 chunk_t serialNumber;
132 chunk_t transID;
133 chunk_t fingerprint;
134 chunk_t issuerAndSubject;
135 chunk_t getCertInitial;
136 chunk_t scep_response;
137 cert_t cert;
138
139 x509cert_t *x509_signer = NULL;
140 x509cert_t *x509_ca_enc = NULL;
141 x509cert_t *x509_ca_sig = NULL;
142 generalName_t *subjectAltNames = NULL;
143 pkcs10_t *pkcs10 = NULL;
144
145 /**
146 * @brief exit scepclient
147 *
148 * @param status 0 = OK, 1 = general discomfort
149 */
150 static void
151 exit_scepclient(err_t message, ...)
152 {
153 int status = 0;
154
155 DESTROY_IF(private_key);
156 DESTROY_IF(public_key);
157 free(pkcs1.ptr);
158 free(pkcs7.ptr);
159 free(subject.ptr);
160 free(serialNumber.ptr);
161 free(transID.ptr);
162 free(fingerprint.ptr);
163 free(issuerAndSubject.ptr);
164 free(getCertInitial.ptr);
165 free(scep_response.ptr);
166
167 free_generalNames(subjectAltNames, TRUE);
168 if (x509_signer != NULL)
169 {
170 x509_signer->subjectAltName = NULL;
171 }
172 free_x509cert(x509_signer);
173 free_x509cert(x509_ca_enc);
174 free_x509cert(x509_ca_sig);
175 pkcs10_free(pkcs10);
176 options->destroy(options);
177
178 /* print any error message to stderr */
179 if (message != NULL && *message != '\0')
180 {
181 va_list args;
182 char m[LOG_WIDTH]; /* longer messages will be truncated */
183
184 va_start(args, message);
185 vsnprintf(m, sizeof(m), message, args);
186 va_end(args);
187
188 fprintf(stderr, "error: %s\n", m);
189 status = -1;
190 }
191 library_deinit();
192 close_log();
193 exit(status);
194 }
195
196 /**
197 * @brief prints the program version and exits
198 *
199 */
200 static void
201 version(void)
202 {
203 printf("scepclient %s\n", scepclient_version);
204 exit_scepclient(NULL);
205 }
206
207 /**
208 * @brief prints the usage of the program to the stderr output
209 *
210 * If message is set, program is exitet with 1 (error)
211 * @param message message in case of an error
212 */
213 static void
214 usage(const char *message)
215 {
216 fprintf(stderr,
217 "Usage: scepclient\n"
218 " --help (-h) show usage and exit\n"
219 " --version (-v) show version and exit\n"
220 " --quiet (-q) do not write log output to stderr\n"
221 " --in (-i) <type>[=<filename>] use <filename> of <type> for input \n"
222 " <type> = pkcs1 | cacert-enc | cacert-sig\n"
223 " - if no pkcs1 input is defined, a \n"
224 " RSA key will be generated\n"
225 " - if no filename is given, default is used\n"
226 " --out (-o) <type>[=<filename>] write output of <type> to <filename>\n"
227 " multiple outputs are allowed\n"
228 " <type> = pkcs1 | pkcs10 | pkcs7 | cert-self | cert | cacert\n"
229 " - type cacert defines filename prefix of\n"
230 " received CA certificate(s)\n"
231 " - if no filename is given, default is used\n"
232 " --optionsfrom (-+) <filename> reads additional options from given file\n"
233 " --force (-f) force existing file(s)\n"
234 "\n"
235 "Options for key generation (pkcs1):\n"
236 " --keylength (-k) <bits> key length for RSA key generation\n"
237 "(default: 2048 bits)\n"
238 "\n"
239 "Options for validity:\n"
240 " --days (-D) <days> validity in days\n"
241 " --startdate (-S) <YYMMDDHHMMSS>Z not valid before date\n"
242 " --enddate (-E) <YYMMDDHHMMSS>Z not valid after date\n"
243 "\n"
244 "Options for request generation (pkcs10):\n"
245 " --dn (-d) <dn> comma separated list of distinguished names\n"
246 " --subjectAltName (-s) <t>=<v> include subjectAltName in certificate request\n"
247 " <t> = email | dns | ip \n"
248 " --password (-p) <pw> challenge password\n"
249 " - if pw is '%%prompt', password gets prompted for\n"
250 " --algorithm (-a) <algo> use specified algorithm for PKCS#7 encryption\n"
251 " <algo> = des | 3des (default) | aes128| aes192 | \n"
252 " aes256 | camellia128 | camellia192 | camellia256\n"
253 "\n"
254 "Options for enrollment (cert):\n"
255 " --url (-u) <url> url of the SCEP server\n"
256 " --method (-m) post | get http request type\n"
257 " --interval (-t) <seconds> manual mode poll interval in seconds (default 20s)\n"
258 " --maxpolltime (-x) <seconds> max poll time in seconds when in manual mode\n"
259 " (default: unlimited)\n"
260 #ifdef DEBUG
261 "\n"
262 "Debugging output:\n"
263 " --debug-all (-A) show everything except private\n"
264 " --debug-parsing (-P) show parsing relevant stuff\n"
265 " --debug-raw (-R) show raw hex dumps\n"
266 " --debug-control (-C) show control flow output\n"
267 " --debug-controlmore (-M) show more control flow\n"
268 " --debug-private (-X) show sensitive data (private keys, etc.)\n"
269 #endif
270 );
271 exit_scepclient(message);
272 }
273
274 /**
275 * Log loaded plugins
276 */
277 static void print_plugins()
278 {
279 char buf[BUF_LEN], *plugin;
280 int len = 0;
281 enumerator_t *enumerator;
282
283 enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
284 while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
285 {
286 len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin);
287 }
288 enumerator->destroy(enumerator);
289 DBG1(" loaded plugins: %s", buf);
290 }
291
292 /**
293 * @brief main of scepclient
294 *
295 * @param argc number of arguments
296 * @param argv pointer to the argument values
297 */
298 int main(int argc, char **argv)
299 {
300 /* external values */
301 extern char * optarg;
302 extern int optind;
303
304 /* type of input and output files */
305 typedef enum {
306 PKCS1 = 0x01,
307 PKCS10 = 0x02,
308 PKCS7 = 0x04,
309 CERT_SELF = 0x08,
310 CERT = 0x10,
311 CACERT_ENC = 0x20,
312 CACERT_SIG = 0x40
313 } scep_filetype_t;
314
315 /* filetype to read from, defaults to "generate a key" */
316 scep_filetype_t filetype_in = 0;
317
318 /* filetype to write to, no default here */
319 scep_filetype_t filetype_out = 0;
320
321 /* input files */
322 char *file_in_pkcs1 = DEFAULT_FILENAME_PKCS1;
323 char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC;
324 char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG;
325
326 /* output files */
327 char *file_out_pkcs1 = DEFAULT_FILENAME_PKCS1;
328 char *file_out_pkcs10 = DEFAULT_FILENAME_PKCS10;
329 char *file_out_pkcs7 = DEFAULT_FILENAME_PKCS7;
330 char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF;
331 char *file_out_cert = DEFAULT_FILENAME_CERT;
332 char *file_out_prefix_cacert = DEFAULT_FILENAME_PREFIX_CACERT;
333
334 /* by default user certificate is requested */
335 bool request_ca_certificate = FALSE;
336
337 /* by default existing files are not overwritten */
338 bool force = FALSE;
339
340 /* length of RSA key in bits */
341 u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH;
342
343 /* validity of self-signed certificate */
344 time_t validity = DEFAULT_CERT_VALIDITY;
345 time_t notBefore = 0;
346 time_t notAfter = 0;
347
348 /* distinguished name for requested certificate, ASCII format */
349 char *distinguishedName = NULL;
350
351 /* challenge password */
352 char challenge_password_buffer[MAX_PASSWORD_LENGTH];
353
354 /* symmetric encryption algorithm used by pkcs7, default is 3DES */
355 int pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
356
357 /* digest algorithm used by pkcs7, default is SHA-1 */
358 int pkcs7_digest_alg = OID_SHA1;
359
360 /* signature algorithm used by pkcs10, default is SHA-1 with RSA encryption */
361 int pkcs10_signature_alg = OID_SHA1;
362
363 /* URL of the SCEP-Server */
364 char *scep_url = NULL;
365
366 /* http request method, default is GET */
367 bool http_get_request = TRUE;
368
369 /* poll interval time in manual mode in seconds */
370 u_int poll_interval = DEFAULT_POLL_INTERVAL;
371
372 /* maximum poll time */
373 u_int max_poll_time = 0;
374
375 err_t ugh = NULL;
376
377 /* initialize global variables */
378 pkcs1 = chunk_empty;
379 pkcs7 = chunk_empty;
380 serialNumber = chunk_empty;
381 transID = chunk_empty;
382 fingerprint = chunk_empty;
383 issuerAndSubject = chunk_empty;
384 challengePassword = chunk_empty;
385 getCertInitial = chunk_empty;
386 scep_response = chunk_empty;
387 log_to_stderr = TRUE;
388
389 /* initialize library */
390 if (!library_init(STRONGSWAN_CONF))
391 {
392 library_deinit();
393 exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
394 }
395 if (lib->integrity &&
396 !lib->integrity->check_file(lib->integrity, "scepclient", argv[0]))
397 {
398 fprintf(stderr, "integrity check of scepclient failed\n");
399 library_deinit();
400 exit(SS_RC_DAEMON_INTEGRITY);
401 }
402
403 /* initialize optionsfrom */
404 options = options_create();
405
406 for (;;)
407 {
408 static const struct option long_opts[] = {
409 /* name, has_arg, flag, val */
410 { "help", no_argument, NULL, 'h' },
411 { "version", no_argument, NULL, 'v' },
412 { "optionsfrom", required_argument, NULL, '+' },
413 { "quiet", no_argument, NULL, 'q' },
414 { "in", required_argument, NULL, 'i' },
415 { "out", required_argument, NULL, 'o' },
416 { "force", no_argument, NULL, 'f' },
417 { "keylength", required_argument, NULL, 'k' },
418 { "dn", required_argument, NULL, 'd' },
419 { "days", required_argument, NULL, 'D' },
420 { "startdate", required_argument, NULL, 'S' },
421 { "enddate", required_argument, NULL, 'E' },
422 { "subjectAltName", required_argument, NULL, 's' },
423 { "password", required_argument, NULL, 'p' },
424 { "algorithm", required_argument, NULL, 'a' },
425 { "url", required_argument, NULL, 'u' },
426 { "method", required_argument, NULL, 'm' },
427 { "interval", required_argument, NULL, 't' },
428 { "maxpolltime", required_argument, NULL, 'x' },
429 #ifdef DEBUG
430 { "debug-all", no_argument, NULL, 'A' },
431 { "debug-parsing", no_argument, NULL, 'P'},
432 { "debug-raw", no_argument, NULL, 'R'},
433 { "debug-control", no_argument, NULL, 'C'},
434 { "debug-controlmore", no_argument, NULL, 'M'},
435 { "debug-private", no_argument, NULL, 'X'},
436 #endif
437 { 0,0,0,0 }
438 };
439
440 /* parse next option */
441 int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:m:t:x:APRCMS", long_opts, NULL);
442
443 switch (c)
444 {
445 case EOF: /* end of flags */
446 break;
447
448 case 'h': /* --help */
449 usage(NULL);
450
451 case 'v': /* --version */
452 version();
453
454 case 'q': /* --quiet */
455 log_to_stderr = FALSE;
456 continue;
457
458 case 'i': /* --in <type> [= <filename>] */
459 {
460 char *filename = strstr(optarg, "=");
461
462 if (filename)
463 {
464 /* replace '=' by '\0' */
465 *filename = '\0';
466 /* set pointer to start of filename */
467 filename++;
468 }
469 if (strcaseeq("pkcs1", optarg))
470 {
471 filetype_in |= PKCS1;
472 if (filename)
473 file_in_pkcs1 = filename;
474 }
475 else if (strcaseeq("cacert-enc", optarg))
476 {
477 filetype_in |= CACERT_ENC;
478 if (filename)
479 file_in_cacert_enc = filename;
480 }
481 else if (strcaseeq("cacert-sig", optarg))
482 {
483 filetype_in |= CACERT_SIG;
484 if (filename)
485 file_in_cacert_sig = filename;
486 }
487 else
488 {
489 usage("invalid --in file type");
490 }
491 continue;
492 }
493
494 case 'o': /* --out <type> [= <filename>] */
495 {
496 char *filename = strstr(optarg, "=");
497
498 if (filename)
499 {
500 /* replace '=' by '\0' */
501 *filename = '\0';
502 /* set pointer to start of filename */
503 filename++;
504 }
505 if (strcaseeq("pkcs1", optarg))
506 {
507 filetype_out |= PKCS1;
508 if (filename)
509 file_out_pkcs1 = filename;
510 }
511 else if (strcaseeq("pkcs10", optarg))
512 {
513 filetype_out |= PKCS10;
514 if (filename)
515 file_out_pkcs10 = filename;
516 }
517 else if (strcaseeq("pkcs7", optarg))
518 {
519 filetype_out |= PKCS7;
520 if (filename)
521 file_out_pkcs7 = filename;
522 }
523 else if (strcaseeq("cert-self", optarg))
524 {
525 filetype_out |= CERT_SELF;
526 if (filename)
527 file_out_cert_self = filename;
528 }
529 else if (strcaseeq("cert", optarg))
530 {
531 filetype_out |= CERT;
532 if (filename)
533 file_out_cert = filename;
534 }
535 else if (strcaseeq("cacert", optarg))
536 {
537 request_ca_certificate = TRUE;
538 if (filename)
539 file_out_prefix_cacert = filename;
540 }
541 else
542 {
543 usage("invalid --out file type");
544 }
545 continue;
546 }
547
548 case 'f': /* --force */
549 force = TRUE;
550 continue;
551
552 case '+': /* --optionsfrom <filename> */
553 if (!options->from(options, optarg, &argc, &argv, optind))
554 {
555 exit_scepclient("optionsfrom failed");
556 }
557 continue;
558
559 case 'k': /* --keylength <length> */
560 {
561 div_t q;
562
563 rsa_keylength = atoi(optarg);
564 if (rsa_keylength == 0)
565 usage("invalid keylength");
566
567 /* check if key length is a multiple of 8 bits */
568 q = div(rsa_keylength, 2*BITS_PER_BYTE);
569 if (q.rem != 0)
570 {
571 exit_scepclient("keylength is not a multiple of %d bits!"
572 , 2*BITS_PER_BYTE);
573 }
574 continue;
575 }
576
577 case 'D': /* --days */
578 if (optarg == NULL || !isdigit(optarg[0]))
579 usage("missing number of days");
580 {
581 char *endptr;
582 long days = strtol(optarg, &endptr, 0);
583
584 if (*endptr != '\0' || endptr == optarg
585 || days <= 0)
586 usage("<days> must be a positive number");
587 validity = 24*3600*days;
588 }
589 continue;
590
591 case 'S': /* --startdate */
592 if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
593 usage("date format must be YYMMDDHHMMSSZ");
594 {
595 chunk_t date = { optarg, 13 };
596 notBefore = asn1_to_time(&date, ASN1_UTCTIME);
597 }
598 continue;
599
600 case 'E': /* --enddate */
601 if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
602 usage("date format must be YYMMDDHHMMSSZ");
603 {
604 chunk_t date = { optarg, 13 };
605 notAfter = asn1_to_time(&date, ASN1_UTCTIME);
606 }
607 continue;
608
609 case 'd': /* --dn */
610 if (distinguishedName)
611 usage("only one distinguished name allowed");
612 distinguishedName = optarg;
613 continue;
614
615 case 's': /* --subjectAltName */
616 {
617 generalNames_t kind;
618 char *value = strstr(optarg, "=");
619
620 if (value)
621 {
622 /* replace '=' by '\0' */
623 *value = '\0';
624 /* set pointer to start of value */
625 value++;
626 }
627
628 if (strcaseeq("email", optarg))
629 {
630 kind = GN_RFC822_NAME;
631 }
632 else if (strcaseeq("dns", optarg))
633 {
634 kind = GN_DNS_NAME;
635 }
636 else if (strcaseeq("ip", optarg))
637 {
638 kind = GN_IP_ADDRESS;
639 }
640 else
641 {
642 usage("invalid --subjectAltName type");
643 continue;
644 }
645 pkcs10_add_subjectAltName(&subjectAltNames, kind, value);
646 continue;
647 }
648
649 case 'p': /* --password */
650 if (challengePassword.len > 0)
651 {
652 usage("only one challenge password allowed");
653 }
654 if (strcaseeq("%prompt", optarg))
655 {
656 printf("Challenge password: ");
657 if (fgets(challenge_password_buffer, sizeof(challenge_password_buffer)-1, stdin))
658 {
659 challengePassword.ptr = challenge_password_buffer;
660 /* discard the terminating '\n' from the input */
661 challengePassword.len = strlen(challenge_password_buffer) - 1;
662 }
663 else
664 {
665 usage("challenge password could not be read");
666 }
667 }
668 else
669 {
670 challengePassword.ptr = optarg;
671 challengePassword.len = strlen(optarg);
672 }
673 continue;
674
675 case 'u': /* -- url */
676 if (scep_url)
677 {
678 usage("only one URL argument allowed");
679 }
680 scep_url = optarg;
681 continue;
682
683 case 'm': /* --method */
684 if (strcaseeq("get", optarg))
685 {
686 http_get_request = TRUE;
687 }
688 else if (strcaseeq("post", optarg))
689 {
690 http_get_request = FALSE;
691 }
692 else
693 {
694 usage("invalid http request method specified");
695 }
696 continue;
697
698 case 't': /* --interval */
699 poll_interval = atoi(optarg);
700 if (poll_interval <= 0)
701 {
702 usage("invalid interval specified");
703 }
704 continue;
705
706 case 'x': /* --maxpolltime */
707 max_poll_time = atoi(optarg);
708 if (max_poll_time < 0)
709 {
710 usage("invalid maxpolltime specified");
711 }
712 continue;
713
714 case 'a': /*--algorithm */
715 {
716 const proposal_token_t *token;
717
718 token = proposal_get_token(optarg, strlen(optarg));
719 if (token == NULL || token->type != ENCRYPTION_ALGORITHM)
720 {
721 usage("invalid algorithm specified");
722 }
723 pkcs7_symmetric_cipher = encryption_algorithm_to_oid(
724 token->algorithm, token->keysize);
725 if (pkcs7_symmetric_cipher == OID_UNKNOWN)
726 {
727 usage("unsupported encryption algorithm specified");
728 }
729 continue;
730 }
731 #ifdef DEBUG
732 case 'A': /* --debug-all */
733 base_debugging |= DBG_ALL;
734 continue;
735 case 'P': /* debug parsing */
736 base_debugging |= DBG_PARSING;
737 continue;
738 case 'R': /* debug raw */
739 base_debugging |= DBG_RAW;
740 continue;
741 case 'C': /* debug control */
742 base_debugging |= DBG_CONTROL;
743 continue;
744 case 'M': /* debug control more */
745 base_debugging |= DBG_CONTROLMORE;
746 continue;
747 case 'X': /* debug private */
748 base_debugging |= DBG_PRIVATE;
749 continue;
750 #endif
751 default:
752 usage("unknown option");
753 }
754 /* break from loop */
755 break;
756 }
757 cur_debugging = base_debugging;
758
759 init_log("scepclient");
760
761 /* load plugins, further infrastructure may need it */
762 if (!lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
763 lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS)))
764 {
765 exit_scepclient("plugin loading failed");
766 }
767 print_plugins();
768
769 if ((filetype_out == 0) && (!request_ca_certificate))
770 {
771 usage ("--out filetype required");
772 }
773 if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0))
774 {
775 usage("in CA certificate request, no other --in or --out option allowed");
776 }
777
778 /* check if url is given, if cert output defined */
779 if (((filetype_out & CERT) || request_ca_certificate) && !scep_url)
780 {
781 usage("URL of SCEP server required");
782 }
783
784 /* check for sanity of --in/--out */
785 if (!filetype_in && (filetype_in > filetype_out))
786 {
787 usage("cannot generate --out of given --in!");
788 }
789
790 /*
791 * input of PKCS#1 file
792 */
793 if (filetype_in & PKCS1) /* load an RSA key pair from file */
794 {
795 prompt_pass_t pass = { "", FALSE, STDIN_FILENO };
796 char *path = concatenate_paths(PRIVATE_KEY_PATH, file_in_pkcs1);
797
798 private_key = load_private_key(path, &pass, KEY_RSA);
799 }
800 else /* generate an RSA key pair */
801 {
802 private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
803 BUILD_KEY_SIZE, rsa_keylength,
804 BUILD_END);
805 }
806 if (private_key == NULL)
807 {
808 exit_scepclient("no RSA private key available");
809 }
810 public_key = private_key->get_public_key(private_key);
811
812 /* check for minimum key length */
813 if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS)
814 {
815 exit_scepclient("length of RSA key has to be at least %d bits"
816 ,RSA_MIN_OCTETS * BITS_PER_BYTE);
817 }
818
819 /*
820 * input of PKCS#10 file
821 */
822 if (filetype_in & PKCS10)
823 {
824 /* user wants to load a pkcs10 request
825 * operation is not yet supported
826 * would require a PKCS#10 parsing function
827
828 pkcs10 = pkcs10_read_from_file(file_in_pkcs10);
829
830 */
831 }
832 else
833 {
834 char buf[IDTOA_BUF];
835 chunk_t dn = chunk_empty;
836
837 dn.ptr = buf;
838
839 if (distinguishedName == NULL)
840 {
841 char buf[BUF_LEN];
842 int n = sprintf(buf, DEFAULT_DN);
843
844 /* set the common name to the hostname */
845 if (gethostname(buf + n, BUF_LEN - n) || strlen(buf) == n)
846 {
847 exit_scepclient("no hostname defined, use "
848 "--dn <distinguished name> option");
849 }
850 distinguishedName = buf;
851 }
852
853 DBG(DBG_CONTROL,
854 DBG_log("dn: '%s'", distinguishedName);
855 )
856 ugh = atodn(distinguishedName, &dn);
857 if (ugh != NULL)
858 {
859 exit_scepclient(ugh);
860 }
861
862 subject = chunk_clone(dn);
863
864 DBG(DBG_CONTROL,
865 DBG_log("building pkcs10 object:")
866 )
867 pkcs10 = pkcs10_build(private_key, public_key, subject,
868 challengePassword, subjectAltNames,
869 pkcs10_signature_alg);
870 fingerprint = scep_generate_pkcs10_fingerprint(pkcs10->request);
871 plog(" fingerprint: %s", fingerprint.ptr);
872 }
873
874 /*
875 * output of PKCS#10 file
876 */
877 if (filetype_out & PKCS10)
878 {
879 char *path = concatenate_paths(REQ_PATH, file_out_pkcs10);
880
881 if (!chunk_write(pkcs10->request, path, "pkcs10", 0022, force))
882 exit_scepclient("could not write pkcs10 file '%s'", path);
883
884 filetype_out &= ~PKCS10; /* delete PKCS10 flag */
885 }
886
887 if (!filetype_out)
888 {
889 exit_scepclient(NULL); /* no further output required */
890 }
891
892 /*
893 * output of PKCS#1 file
894 */
895 if (filetype_out & PKCS1)
896 {
897 char *path = concatenate_paths(PRIVATE_KEY_PATH, file_out_pkcs1);
898
899 DBG(DBG_CONTROL,
900 DBG_log("building pkcs1 object:")
901 )
902 if (!private_key->get_encoding(private_key, KEY_PRIV_ASN1_DER, &pkcs1) ||
903 !chunk_write(pkcs1, path, "pkcs1", 0066, force))
904 exit_scepclient("could not write pkcs1 file '%s'", path);
905
906 filetype_out &= ~PKCS1; /* delete PKCS1 flag */
907 }
908
909 if (!filetype_out)
910 {
911 exit_scepclient(NULL); /* no further output required */
912 }
913
914 scep_generate_transaction_id(public_key, &transID, &serialNumber);
915 plog(" transaction ID: %.*s", (int)transID.len, transID.ptr);
916
917 /* generate a self-signed X.509 certificate */
918 x509_signer = malloc_thing(x509cert_t);
919 *x509_signer = empty_x509cert;
920 x509_signer->serialNumber = serialNumber;
921 x509_signer->sigAlg = OID_SHA1_WITH_RSA;
922 x509_signer->issuer = subject;
923 x509_signer->notBefore = (notBefore)? notBefore
924 : time(NULL);
925 x509_signer->notAfter = (notAfter)? notAfter
926 : x509_signer->notBefore + validity;
927 x509_signer->subject = subject;
928 x509_signer->subjectAltName = subjectAltNames;
929 build_x509cert(x509_signer, public_key, private_key);
930
931 /*
932 * output of self-signed X.509 certificate file
933 */
934 if (filetype_out & CERT_SELF)
935 {
936 char *path = concatenate_paths(HOST_CERT_PATH, file_out_cert_self);
937
938 if (!chunk_write(x509_signer->certificate, path, "self-signed cert", 0022, force))
939 exit_scepclient("could not write self-signed cert file '%s'", path);
940 ;
941 filetype_out &= ~CERT_SELF; /* delete CERT_SELF flag */
942 }
943
944 if (!filetype_out)
945 {
946 exit_scepclient(NULL); /* no further output required */
947 }
948
949 /*
950 * load ca encryption certificate
951 */
952 {
953 char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_enc);
954 cert_t cert;
955
956 if (!load_cert(path, "encryption cacert", &cert))
957 {
958 exit_scepclient("could not load encryption cacert file '%s'", path);
959 }
960 x509_ca_enc = cert.u.x509;
961 }
962
963 /*
964 * input of PKCS#7 file
965 */
966 if (filetype_in & PKCS7)
967 {
968 /* user wants to load a pkcs7 encrypted request
969 * operation is not yet supported!
970 * would require additional parsing of transaction-id
971
972 pkcs7 = pkcs7_read_from_file(file_in_pkcs7);
973
974 */
975 }
976 else
977 {
978 DBG(DBG_CONTROL,
979 DBG_log("building pkcs7 request")
980 )
981 pkcs7 = scep_build_request(pkcs10->request
982 , transID, SCEP_PKCSReq_MSG
983 , x509_ca_enc, pkcs7_symmetric_cipher
984 , x509_signer, pkcs7_digest_alg, private_key);
985 }
986
987 /*
988 * output pkcs7 encrypted and signed certificate request
989 */
990 if (filetype_out & PKCS7)
991 {
992 char *path = concatenate_paths(REQ_PATH, file_out_pkcs7);
993
994 if (!chunk_write(pkcs7, path, "pkcs7 encrypted request", 0022, force))
995 exit_scepclient("could not write pkcs7 file '%s'", path);
996 ;
997 filetype_out &= ~PKCS7; /* delete PKCS7 flag */
998 }
999
1000 if (!filetype_out)
1001 {
1002 exit_scepclient(NULL); /* no further output required */
1003 }
1004
1005 /*
1006 * output certificate fetch from SCEP server
1007 */
1008 if (filetype_out & CERT)
1009 {
1010 char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_sig);
1011 cert_t cert;
1012 time_t poll_start = 0;
1013
1014 x509cert_t *certs = NULL;
1015 chunk_t envelopedData = chunk_empty;
1016 chunk_t certData = chunk_empty;
1017 contentInfo_t data = empty_contentInfo;
1018 scep_attributes_t attrs = empty_scep_attributes;
1019
1020 if (!load_cert(path, "signature cacert", &cert))
1021 exit_scepclient("could not load signature cacert file '%s'", path);
1022 x509_ca_sig = cert.u.x509;
1023
1024 if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
1025 http_get_request, &scep_response))
1026 {
1027 exit_scepclient("did not receive a valid scep response");
1028 }
1029 ugh = scep_parse_response(scep_response, transID, &data, &attrs
1030 , x509_ca_sig);
1031 if (ugh != NULL)
1032 {
1033 exit_scepclient(ugh);
1034 }
1035
1036 /* in case of manual mode, we are going into a polling loop */
1037 if (attrs.pkiStatus == SCEP_PENDING)
1038 {
1039 plog(" scep request pending, polling every %d seconds"
1040 , poll_interval);
1041 poll_start = time_monotonic(NULL);
1042 issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc"
1043 , x509_ca_sig->subject
1044 , subject);
1045 }
1046 while (attrs.pkiStatus == SCEP_PENDING)
1047 {
1048 if (max_poll_time > 0
1049 && (time_monotonic(NULL) - poll_start >= max_poll_time))
1050 {
1051 exit_scepclient("maximum poll time reached: %d seconds"
1052 , max_poll_time);
1053 }
1054 DBG(DBG_CONTROL,
1055 DBG_log("going to sleep for %d seconds", poll_interval)
1056 )
1057 sleep(poll_interval);
1058 free(scep_response.ptr);
1059
1060 DBG(DBG_CONTROL,
1061 DBG_log("fingerprint: %.*s", (int)fingerprint.len, fingerprint.ptr);
1062 DBG_log("transaction ID: %.*s", (int)transID.len, transID.ptr)
1063 )
1064
1065 chunk_free(&getCertInitial);
1066 getCertInitial = scep_build_request(issuerAndSubject
1067 , transID, SCEP_GetCertInitial_MSG
1068 , x509_ca_enc, pkcs7_symmetric_cipher
1069 , x509_signer, pkcs7_digest_alg, private_key);
1070
1071 if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
1072 http_get_request, &scep_response))
1073 {
1074 exit_scepclient("did not receive a valid scep response");
1075 }
1076 ugh = scep_parse_response(scep_response, transID, &data, &attrs
1077 , x509_ca_sig);
1078 if (ugh != NULL)
1079 {
1080 exit_scepclient(ugh);
1081 }
1082 }
1083
1084 if (attrs.pkiStatus != SCEP_SUCCESS)
1085 {
1086 exit_scepclient("reply status is not 'SUCCESS'");
1087 }
1088
1089 envelopedData = data.content;
1090
1091 if (data.type != OID_PKCS7_DATA
1092 || !asn1_parse_simple_object(&envelopedData, ASN1_OCTET_STRING, 0, "data"))
1093 {
1094 exit_scepclient("contentInfo is not of type 'data'");
1095 }
1096 if (!pkcs7_parse_envelopedData(envelopedData, &certData
1097 , serialNumber, private_key))
1098 {
1099 exit_scepclient("could not decrypt envelopedData");
1100 }
1101 if (!pkcs7_parse_signedData(certData, NULL, &certs, NULL, NULL))
1102 {
1103 exit_scepclient("error parsing the scep response");
1104 }
1105 chunk_free(&certData);
1106
1107 /* store the end entity certificate */
1108 path = concatenate_paths(HOST_CERT_PATH, file_out_cert);
1109 while (certs != NULL)
1110 {
1111 bool stored = FALSE;
1112 x509cert_t *cert = certs;
1113
1114 if (!cert->isCA)
1115 {
1116 if (stored)
1117 exit_scepclient("multiple certs received, only first stored");
1118 if (!chunk_write(cert->certificate, path, "requested cert", 0022, force))
1119 exit_scepclient("could not write cert file '%s'", path);
1120 stored = TRUE;
1121 }
1122 certs = certs->next;
1123 free_x509cert(cert);
1124 }
1125 filetype_out &= ~CERT; /* delete CERT flag */
1126 }
1127
1128 exit_scepclient(NULL);
1129 return -1; /* should never be reached */
1130 }
1131
1132