scepclient: Options added to specify digest/signature algorithms.
authorTobias Brunner <tobias@strongswan.org>
Wed, 30 May 2012 12:54:51 +0000 (14:54 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 11 Jun 2012 15:33:28 +0000 (17:33 +0200)
Also changed the defaults to DES/MD5 as that's what should be used
if GetCACaps is not used to learn the issuers capabilities.

src/scepclient/scepclient.8
src/scepclient/scepclient.c

index c2068f6..1bcc4ef 100644 (file)
@@ -145,14 +145,24 @@ If \fIpw\fP is \fB%prompt\fP', the password gets prompted for on the command lin
 \- In manual mode, this password can be used to later revoke the corresponding certificate.
 .RE
 .PP
-.B \-a, \-\-algorithm \fIalgo\fP
+.B \-a, \-\-algorithm [\fItype\fP=]\fIalgo\fP
 .RS 4
-Change symmetric algorithm to use for encryption of certificate Request.
-The default is \fB3des\-cbc\fP.
+Change the algorithms to be used when generating and transporting (PKCS#7)
+certificate requests (PKCS#10).
 .PP
-Supported values for \fIalgo\fP:
+Supported values for \fItype\fP:
+.IP "\fBenc\fP" 12
+symmetric encryption algorithm in PKCS#7
+.IP "\fBdgst\fP" 12
+hash algorithm for message digest in PKCS#7
+.IP "\fBsig\fP" 12
+hash algorithm for the signature in PKCS#10
+.PP
+If \fItype\fP is not specified \fBenc\fP is assumed.
+.PP
+Supported values for \fIalgo\fP (\fBenc\fP):
 .IP "\fBdes\fP" 12
-DES-CBC encryption (key size = 56 bit).
+DES-CBC encryption (key size = 56 bit). Default.
 .IP "\fB3des\fP" 12
 Triple DES-EDE-CBC encryption (key size = 168 bit).
 .IP "\fBaes128\fP" 12
@@ -167,6 +177,10 @@ Camellia-CBC encryption (key size = 128 bit).
 Camelllia-CBC encryption (key size = 192 bit).
 .IP "\fBcamellia256\fP" 12
 Camellia-CBC encryption (key size = 256 bit).
+.PP
+Supported values for \fIalgo\fP (\fBdgst\fP or \fBsig\fP):
+.PP
+\fBmd5\fP (default), \fBsha1\fP, \fBsha256\fP, \fBsha384\fP, \fBsha512\fP
 .RE
 .PP
 .B \-o, \-\-out \fItype\fP[=\fIfilename\fP]
index 59a4ee6..2df6d7a 100644 (file)
@@ -317,13 +317,14 @@ static void usage(const char *message)
                " --version (-v)                    show version and exit\n"
                " --quiet (-q)                      do not write log output to stderr\n"
                " --in (-i) <type>[=<filename>]     use <filename> of <type> for input \n"
-               "                                   <type> = pkcs1 | cacert-enc |  cacert-sig\n"
+               "                                   <type> = pkcs1 | cacert-enc | cacert-sig\n"
                "                                   - if no pkcs1 input is defined, a \n"
                "                                     RSA key will be generated\n"
                "                                   - if no filename is given, default is used\n"
                " --out (-o) <type>[=<filename>]    write output of <type> to <filename>\n"
                "                                   multiple outputs are allowed\n"
-               "                                   <type> = pkcs1 | pkcs10 | pkcs7 | cert-self | cert | cacert\n"
+               "                                   <type> = pkcs1 | pkcs10 | pkcs7 | cert-self |\n"
+               "                                            cert | cacert\n"
                "                                   - type cacert defines filename prefix of\n"
                "                                     received CA certificate(s)\n"
                "                                   - if no filename is given, default is used\n"
@@ -344,15 +345,21 @@ static void usage(const char *message)
                " --subjectAltName (-s) <t>=<v>     include subjectAltName in certificate request\n"
                "                                   <t> =  email | dns | ip \n"
                " --password (-p) <pw>              challenge password\n"
-               "                                   - if pw is '%%prompt', password gets prompted for\n"
-               " --algorithm (-a) <algo>           use specified algorithm for PKCS#7 encryption\n"
-               "                                   <algo> = des | 3des (default) | aes128| aes192 | \n"
-               "                                   aes256 | camellia128 | camellia192 | camellia256\n"
+               "                                   - use '%%prompt' as pw for a password prompt\n"
+               " --algorithm (-a) [<type>=]<algo>  algorithm to be used for PKCS#7 encryption,\n"
+               "                                   PKCS#7 digest or PKCS#10 signature\n"
+               "                                   <type> = enc | dgst | sig\n"
+               "                                   - if no type is given enc is assumed\n"
+               "                                   <algo> = des (default) | 3des | aes128 |\n"
+               "                                            aes192 | aes256 | camellia128 |\n"
+               "                                            camellia192 | camellia256\n"
+               "                                   <algo> = md5 (default) | sha1 | sha256 |\n"
+               "                                            sha384 | sha512\n"
                "\n"
                "Options for enrollment (cert):\n"
                " --url (-u) <url>                  url of the SCEP server\n"
                " --method (-m) post | get          http request type\n"
-               " --interval (-t) <seconds>         manual mode poll interval in seconds (default 20s)\n"
+               " --interval (-t) <seconds>         poll interval in seconds (default 20s)\n"
                " --maxpolltime (-x) <seconds>      max poll time in seconds when in manual mode\n"
                "                                   (default: unlimited)\n"
                "\n"
@@ -424,15 +431,15 @@ int main(int argc, char **argv)
        /* challenge password */
        char challenge_password_buffer[MAX_PASSWORD_LENGTH];
 
-       /* symmetric encryption algorithm used by pkcs7, default is 3DES */
-       encryption_algorithm_t pkcs7_symmetric_cipher = ENCR_3DES;
+       /* symmetric encryption algorithm used by pkcs7, default is DES */
+       encryption_algorithm_t pkcs7_symmetric_cipher = ENCR_DES;
        size_t pkcs7_key_size = 0;
 
-       /* digest algorithm used by pkcs7, default is SHA-1 */
-       hash_algorithm_t pkcs7_digest_alg = HASH_SHA1;
+       /* digest algorithm used by pkcs7, default is MD5 */
+       hash_algorithm_t pkcs7_digest_alg = HASH_MD5;
 
-       /* signature algorithm used by pkcs10, default is SHA-1 */
-       hash_algorithm_t pkcs10_signature_alg = HASH_SHA1;
+       /* signature algorithm used by pkcs10, default is MD5 */
+       hash_algorithm_t pkcs10_signature_alg = HASH_MD5;
 
        /* URL of the SCEP-Server */
        char *scep_url = NULL;
@@ -783,21 +790,65 @@ int main(int argc, char **argv)
                                max_poll_time = atoi(optarg);
                                continue;
 
-                       case 'a':       /*--algorithm */
+                       case 'a':       /*--algorithm [<type>=]algo */
                        {
                                const proposal_token_t *token;
+                               char *type = optarg;
+                               char *algo = strstr(optarg, "=");
 
-                               token = proposal_get_token(optarg, strlen(optarg));
-                               if (token == NULL || token->type != ENCRYPTION_ALGORITHM)
+                               if (algo)
                                {
-                                       usage("invalid algorithm specified");
+                                       *algo = '\0';
+                                       algo++;
                                }
-                               pkcs7_symmetric_cipher = token->algorithm;
-                               pkcs7_key_size = token->keysize;
-                               if (encryption_algorithm_to_oid(token->algorithm,
-                                                                                               token->keysize) == OID_UNKNOWN)
+                               else
+                               {
+                                       type = "enc";
+                                       algo = optarg;
+                               }
+
+                               if (strcaseeq("enc", type))
+                               {
+                                       token = proposal_get_token(algo, strlen(algo));
+                                       if (token == NULL || token->type != ENCRYPTION_ALGORITHM)
+                                       {
+                                               usage("invalid algorithm specified");
+                                       }
+                                       pkcs7_symmetric_cipher = token->algorithm;
+                                       pkcs7_key_size = token->keysize;
+                                       if (encryption_algorithm_to_oid(token->algorithm,
+                                                               token->keysize) == OID_UNKNOWN)
+                                       {
+                                               usage("unsupported encryption algorithm specified");
+                                       }
+                               }
+                               else if (strcaseeq("dgst", type) ||
+                                                strcaseeq("sig", type))
+                               {
+                                       hash_algorithm_t hash;
+
+                                       token = proposal_get_token(algo, strlen(algo));
+                                       if (token == NULL || token->type != INTEGRITY_ALGORITHM)
+                                       {
+                                               usage("invalid algorithm specified");
+                                       }
+                                       hash = hasher_algorithm_from_integrity(token->algorithm);
+                                       if (hash == OID_UNKNOWN)
+                                       {
+                                               usage("invalid algorithm specified");
+                                       }
+                                       if (strcaseeq("dgst", type))
+                                       {
+                                               pkcs7_digest_alg = hash;
+                                       }
+                                       else
+                                       {
+                                               pkcs10_signature_alg = hash;
+                                       }
+                               }
+                               else
                                {
-                                       usage("unsupported encryption algorithm specified");
+                                       usage("invalid --algorithm type");
                                }
                                continue;
                        }