Add a scepclient option to specify a CA identifier to fetch certs for
authorMartin Willi <martin@revosec.ch>
Wed, 24 Oct 2012 14:28:17 +0000 (16:28 +0200)
committerMartin Willi <martin@revosec.ch>
Wed, 24 Oct 2012 14:28:58 +0000 (16:28 +0200)
src/scepclient/scep.c
src/scepclient/scep.h
src/scepclient/scepclient.c

index 855af39..938340d 100644 (file)
@@ -319,7 +319,7 @@ static char* escape_http_request(chunk_t req)
 /**
  * Send a SCEP request via HTTP and wait for a response
  */
-bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
+bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
                                           bool http_get_request, chunk_t *response)
 {
        int len;
@@ -337,7 +337,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
 
                if (http_get_request)
                {
-                       char *escaped_req = escape_http_request(pkcs7);
+                       char *escaped_req = escape_http_request(msg);
 
                        /* form complete url */
                        len = strlen(url) + 20 + strlen(operation) + strlen(escaped_req) + 1;
@@ -362,7 +362,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
 
                        status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
                                                                                 FETCH_HTTP_VERSION_1_0,
-                                                                                FETCH_REQUEST_DATA, pkcs7,
+                                                                                FETCH_REQUEST_DATA, msg,
                                                                                 FETCH_REQUEST_TYPE, "",
                                                                                 FETCH_REQUEST_HEADER, "Expect:",
                                                                                 FETCH_END);
@@ -371,12 +371,22 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
        else  /* SCEP_GET_CA_CERT */
        {
                const char operation[] = "GetCACert";
+               int i;
+
+               /* escape spaces, TODO: complete URL escape */
+               for (i = 0; i < msg.len; i++)
+               {
+                       if (msg.ptr[i] == ' ')
+                       {
+                               msg.ptr[i] = '+';
+                       }
+               }
 
                /* form complete url */
-               len = strlen(url) + 32 + strlen(operation) + 1;
+               len = strlen(url) + 32 + strlen(operation) + msg.len + 1;
                complete_url = malloc(len);
-               snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier",
-                                url, operation);
+               snprintf(complete_url, len, "%s?operation=%s&message=%.*s",
+                                url, operation, (int)msg.len, msg.ptr);
 
                status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
                                                                         FETCH_HTTP_VERSION_1_0,
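Review bot: The escaping added at the top of the GetCACert branch only rewrites spaces to '+', so any other reserved character in the caller-supplied CA name (`&`, `?`, `#`, `%`) reaches the query string on the `&message=%.*s` line unescaped and can change the meaning of the request; the TODO on the loop acknowledges this. The GET branch of the same function already routes its message through escape_http_request(), so the identifier could take the same path and the URL be built from the escaped copy instead (that branch's release of its escaped copy is outside the hunk; this copy needs the same). That also removes the in-place write through msg.ptr, which aliases the caller's buffer: at the call site in scepclient.c the chunk wraps optarg or the string-literal default "CAIdentifier", so a space in that default would write into a literal. Separately, the loop index `i` is an `int` compared against the `size_t` msg.len; declaring it `size_t` avoids the signed/unsigned comparison.
```c
		const char operation[] = "GetCACert";
		char *escaped_req = escape_http_request(msg);

		/* form complete url */
		len = strlen(url) + 32 + strlen(operation) + strlen(escaped_req) + 1;
		complete_url = malloc(len);
		snprintf(complete_url, len, "%s?operation=%s&message=%s",
				 url, operation, escaped_req);
		/* … unchanged: fetch call; release escaped_req afterwards as the GET path does … */
```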
index 6227fab..f0c180a 100644 (file)
@@ -78,7 +78,7 @@ chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
                                                certificate_t *enc_cert, encryption_algorithm_t enc_alg,
                                                size_t key_size, certificate_t *signer_cert,
                                                hash_algorithm_t digest_alg, private_key_t *private_key);
-bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
+bool scep_http_request(const char *url, chunk_t message, scep_op_t op,
                                           bool http_get_request, chunk_t *response);
 err_t scep_parse_response(chunk_t response, chunk_t transID,
                                                  pkcs7_t **data, scep_attributes_t *attrs,
index f57afca..e339345 100644 (file)
@@ -361,6 +361,9 @@ static void usage(const char *message)
                "                                   <algo> = md5 (default) | sha1 | sha256 |\n"
                "                                            sha384 | sha512\n"
                "\n"
+               "Options for CA certificate acquisition:\n"
+               " --caname (-c) <name>              name of CA to fetch CA certificate(s)\n"
+               "                                   (default: CAIdentifier)\n"
                "Options for enrollment (cert):\n"
                " --url (-u) <url>                  url of the SCEP server\n"
                " --method (-m) post | get          http request type\n"
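Review bot: The new "Options for CA certificate acquisition:" section in usage() runs straight into the "Options for enrollment (cert):" heading, whereas the section above it is closed with a `"\n"` line; add `"\n"` after the `"                                   (default: CAIdentifier)\n"` line so the sections stay separated like the others. In the long_opts hunk the new row `{ "caname", required_argument, NULL, 'c'}` lacks the space before `}` that every sibling row has, and the case label comment `/* -- caname */` has a stray space where the neighbours read `/* --method */`. Since the name ends up as the `message` query parameter of the GetCACert request, the help line could say so, e.g. `name of CA to fetch CA certificate(s) for, sent as the request's message parameter`.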
@@ -451,6 +454,9 @@ int main(int argc, char **argv)
        /* URL of the SCEP-Server */
        char *scep_url = NULL;
 
+       /* Name of CA to fetch CA certs for */
+       char *ca_name = "CAIdentifier";
+
        /* http request method, default is GET */
        bool http_get_request = TRUE;
 
@@ -512,6 +518,7 @@ int main(int argc, char **argv)
                        { "password", required_argument, NULL, 'p' },
                        { "algorithm", required_argument, NULL, 'a' },
                        { "url", required_argument, NULL, 'u' },
+                       { "caname", required_argument, NULL, 'c'},
                        { "method", required_argument, NULL, 'm' },
                        { "interval", required_argument, NULL, 't' },
                        { "maxpolltime", required_argument, NULL, 'x' },
@@ -519,7 +526,7 @@ int main(int argc, char **argv)
                };
 
                /* parse next option */
-               int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:m:t:x:APRCMS", long_opts, NULL);
+               int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:c:m:t:x:APRCMS", long_opts, NULL);
 
                switch (c)
                {
@@ -782,6 +789,10 @@ int main(int argc, char **argv)
                                scep_url = optarg;
                                continue;
 
+                       case 'c':       /* -- caname */
+                               ca_name = optarg;
+                               continue;
+
                        case 'm':       /* --method */
                                if (strcaseeq("get", optarg))
                                {
@@ -917,8 +928,8 @@ int main(int argc, char **argv)
                char ca_path[PATH_MAX];
                pkcs7_t *pkcs7;
 
-               if (!scep_http_request(scep_url, chunk_empty, SCEP_GET_CA_CERT,
-                                                          http_get_request, &scep_response))
+               if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)),
+                                                       SCEP_GET_CA_CERT, http_get_request, &scep_response))
                {
                        exit_scepclient("did not receive a valid scep response");
                }