scepclient: Use pkcs7_t and pkcs9_t, remove all dependencies to pluto/libfreeswan.
authorTobias Brunner <tobias@strongswan.org>
Fri, 11 May 2012 18:31:19 +0000 (20:31 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 11 Jun 2012 15:09:19 +0000 (17:09 +0200)
src/scepclient/Makefile.am
src/scepclient/scep.c
src/scepclient/scep.h
src/scepclient/scepclient.c

index f764339..b10a56a 100644 (file)
@@ -3,34 +3,16 @@ scepclient_SOURCES = scepclient.c scep.c scep.h
 
 scepclient.o : $(top_builddir)/config.status
 
-PLUTODIR=$(top_srcdir)/src/pluto
-OPENACDIR=$(top_srcdir)/src/openac
-WHACKDIR=$(top_srcdir)/src/whack
-LIBFREESWANDIR=$(top_srcdir)/src/libfreeswan
-LIBSTRONGSWANDIR=$(top_srcdir)/src/libstrongswan
-LIBHYDRADIR=$(top_srcdir)/src/libhydra
-LIBCRYPTODIR=$(top_srcdir)/src/libcrypto
-
 INCLUDES = \
--I$(LIBFREESWANDIR) \
--I$(LIBSTRONGSWANDIR) \
--I$(LIBHYDRADIR) \
--I$(PLUTODIR) \
--I$(LIBCRYPTODIR) \
--I$(WHACKDIR)
+-I$(top_srcdir)/src/libstrongswan \
+-I$(top_srcdir)/src/libhydra
 
 AM_CFLAGS = \
 -DIPSEC_CONFDIR=\"${sysconfdir}\" \
--DPLUGINS=\""${scepclient_plugins}\"" \
--DNO_PLUTO
-
-LIBSTRONGSWANBUILDDIR=$(top_builddir)/src/libstrongswan
-LIBFREESWANBUILDDIR=$(top_builddir)/src/libfreeswan
+-DPLUGINS=\""${scepclient_plugins}\""
 
 scepclient_LDADD = \
-constants.o defs.o pkcs7.o \
-$(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \
-$(LIBFREESWANBUILDDIR)/libfreeswan.a
+$(top_builddir)/src/libstrongswan/libstrongswan.la
 
 # This compile option activates smartcard support
 if USE_SMARTCARD
@@ -40,12 +22,3 @@ endif
 
 dist_man_MANS = scepclient.8
 
-constants.o :  $(PLUTODIR)/constants.c $(PLUTODIR)/constants.h
-               $(COMPILE) $(INCLUDES) -c -o $@ $<
-
-defs.o :       $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
-               $(COMPILE) $(INCLUDES) -c -o $@ $<
-
-pkcs7.o :      $(PLUTODIR)/pkcs7.c $(PLUTODIR)/pkcs7.h
-               $(COMPILE) $(INCLUDES) -c -o $@ $<
-
index 5cf640f..433fc6b 100644 (file)
 #include <string.h>
 #include <stdlib.h>
 
-#include <freeswan.h>
-
 #include <library.h>
 #include <debug.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 #include <asn1/oid.h>
+#include <crypto/pkcs9.h>
 #include <crypto/rngs/rng.h>
 #include <crypto/hashers/hasher.h>
 
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/fetch.h"
-
 #include "scep.h"
 
 static const char *pkiStatus_values[] = { "0", "2", "3" };
@@ -70,178 +65,60 @@ const scep_attributes_t empty_scep_attributes = {
        { NULL, 0 }        , /* recipientNonce */
 };
 
-/* ASN.1 definition of the X.501 atttribute type */
-
-static const asn1Object_t attributesObjects[] = {
-       { 0, "attributes",    ASN1_SET,       ASN1_LOOP }, /* 0 */
-       { 1,   "attribute",   ASN1_SEQUENCE,  ASN1_NONE }, /* 1 */
-       { 2,     "type",      ASN1_OID,       ASN1_BODY }, /* 2 */
-       { 2,     "values",    ASN1_SET,       ASN1_LOOP }, /* 3 */
-       { 3,       "value",   ASN1_EOC,       ASN1_RAW  }, /* 4 */
-       { 2,     "end loop",  ASN1_EOC,       ASN1_END  }, /* 5 */
-       { 0, "end loop",      ASN1_EOC,       ASN1_END  }, /* 6 */
-       { 0, "exit",          ASN1_EOC,       ASN1_EXIT }
-};
-#define ATTRIBUTE_OBJ_TYPE      2
-#define ATTRIBUTE_OBJ_VALUE     4
-
 /**
- * Extract and store an attribute
+ * Extract X.501 attributes
  */
-static bool extract_attribute(int oid, chunk_t object, u_int level,
-                                                         scep_attributes_t *attrs)
+void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs)
 {
-       asn1_t type = ASN1_EOC;
-       const char *name = "none";
+       pkcs9_t *attributes = pkcs7->get_attributes(pkcs7);
+       chunk_t attr;
 
-       switch (oid)
+       attr = attributes->get_attribute(attributes, OID_PKI_MESSAGE_TYPE);
+       if (attr.ptr)
        {
-               case OID_PKCS9_CONTENT_TYPE:
-                       type = ASN1_OID;
-                       name = "contentType";
-                       break;
-               case OID_PKCS9_SIGNING_TIME:
-                       type = ASN1_UTCTIME;
-                       name = "signingTime";
-                       break;
-               case OID_PKCS9_MESSAGE_DIGEST:
-                       type = ASN1_OCTET_STRING;
-                       name = "messageDigest";
-                       break;
-               case OID_PKI_MESSAGE_TYPE:
-                       type = ASN1_PRINTABLESTRING;
-                       name = "messageType";
-                       break;
-               case OID_PKI_STATUS:
-                       type = ASN1_PRINTABLESTRING;
-                       name = "pkiStatus";
-                       break;
-               case OID_PKI_FAIL_INFO:
-                       type = ASN1_PRINTABLESTRING;
-                       name = "failInfo";
-                       break;
-               case OID_PKI_SENDER_NONCE:
-                       type = ASN1_OCTET_STRING;
-                       name = "senderNonce";
-                        break;
-               case OID_PKI_RECIPIENT_NONCE:
-                       type = ASN1_OCTET_STRING;
-                       name = "recipientNonce";
-                       break;
-               case OID_PKI_TRANS_ID:
-                       type = ASN1_PRINTABLESTRING;
-                       name = "transID";
-                       break;
-               default:
-                       break;
-       }
+               scep_msg_t m;
 
-       if (type == ASN1_EOC)
-       {
-               return TRUE;
-       }
-
-       if (!asn1_parse_simple_object(&object, type, level+1, name))
-       {
-               return FALSE;
-       }
-
-       switch (oid)
-       {
-               case OID_PKCS9_CONTENT_TYPE:
-                       break;
-               case OID_PKCS9_SIGNING_TIME:
-                       break;
-               case OID_PKCS9_MESSAGE_DIGEST:
-                       break;
-               case OID_PKI_MESSAGE_TYPE:
+               for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
                {
-                       scep_msg_t m;
-
-                       for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
+                       if (strncmp(msgType_values[m], attr.ptr, attr.len) == 0)
                        {
-                               if (strncmp(msgType_values[m], object.ptr, object.len) == 0)
-                                       attrs->msgType = m;
+                               attrs->msgType = m;
                        }
-                       DBG2(DBG_APP, "messageType:  %s", msgType_names[attrs->msgType]);
-                       break;
                }
-               case OID_PKI_STATUS:
-               {
-                       pkiStatus_t s;
+               DBG2(DBG_APP, "messageType:  %s", msgType_names[attrs->msgType]);
+       }
+       attr = attributes->get_attribute(attributes, OID_PKI_STATUS);
+       if (attr.ptr)
+       {
+               pkiStatus_t s;
 
-                       for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
-                       {
-                               if (strncmp(pkiStatus_values[s], object.ptr, object.len) == 0)
-                               {
-                                       attrs->pkiStatus = s;
-                               }
-                       }
-                       DBG2(DBG_APP, "pkiStatus:    %s", pkiStatus_names[attrs->pkiStatus]);
-                       break;
-               }
-               case OID_PKI_FAIL_INFO:
+               for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
                {
-                       if (object.len == 1 &&
-                               *object.ptr >= '0' && *object.ptr <= '4')
+                       if (strncmp(pkiStatus_values[s], attr.ptr, attr.len) == 0)
                        {
-                               attrs->failInfo = (failInfo_t)(*object.ptr - '0');
+                               attrs->pkiStatus = s;
                        }
-                       if (attrs->failInfo != SCEP_unknown_REASON)
-                       {
-                               DBG1(DBG_APP, "failInfo:     %s", failInfo_reasons[attrs->failInfo]);
-                       }
-                       break;
                }
-               case OID_PKI_SENDER_NONCE:
-                       attrs->senderNonce = object;
-                       break;
-               case OID_PKI_RECIPIENT_NONCE:
-                       attrs->recipientNonce = object;
-                       break;
-               case OID_PKI_TRANS_ID:
-                       attrs->transID = object;
-                       break;
+               DBG2(DBG_APP, "pkiStatus:    %s", pkiStatus_names[attrs->pkiStatus]);
        }
-       return TRUE;
-}
-
-/**
- * Parse X.501 attributes
- */
-bool parse_attributes(chunk_t blob, scep_attributes_t *attrs)
-{
-       asn1_parser_t *parser;
-       chunk_t object;
-       int oid = OID_UNKNOWN;
-       int objectID;
-       bool success = FALSE;
-
-       parser = asn1_parser_create(attributesObjects, blob);
-       DBG3(DBG_APP, "parsing attributes");
-
-       while (parser->iterate(parser, &objectID, &object))
+       attr = attributes->get_attribute(attributes, OID_PKI_FAIL_INFO);
+       if (attr.ptr)
        {
-               switch (objectID)
+               if (attr.len == 1 && *attr.ptr >= '0' && *attr.ptr <= '4')
                {
-                       case ATTRIBUTE_OBJ_TYPE:
-                               oid = asn1_known_oid(object);
-                               break;
-                       case ATTRIBUTE_OBJ_VALUE:
-                       {
-                               if (!extract_attribute(oid, object, parser->get_level(parser), attrs))
-                               {
-                                       goto end;
-                               }
-                               break;
-                       }
+                       attrs->failInfo = (failInfo_t)(*attr.ptr - '0');
+               }
+               if (attrs->failInfo != SCEP_unknown_REASON)
+               {
+                       DBG1(DBG_APP, "failInfo:     %s", failInfo_reasons[attrs->failInfo]);
                }
        }
-       success = parser->success(parser);
-
-end:
-       parser->destroy(parser);
-       return success;
+       attrs->senderNonce = attributes->get_attribute(attributes,
+                                                                                       OID_PKI_SENDER_NONCE);
+       attrs->recipientNonce = attributes->get_attribute(attributes,
+                                                                                       OID_PKI_RECIPIENT_NONCE);
+       attrs->transID = attributes->get_attribute(attributes,
+                                                                                       OID_PKI_TRANS_ID);
 }
 
 /**
@@ -304,36 +181,9 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
 }
 
 /**
- * Builds a transId attribute
- */
-chunk_t scep_transId_attribute(chunk_t transID)
-{
-       return asn1_wrap(ASN1_SEQUENCE, "cm",
-                               asn1_build_known_oid(OID_PKI_TRANS_ID),
-                               asn1_wrap(ASN1_SET, "m",
-                                       asn1_simple_object(ASN1_PRINTABLESTRING, transID)));
-}
-
-/**
- * Builds a messageType attribute
- */
-chunk_t scep_messageType_attribute(scep_msg_t m)
-{
-       chunk_t msgType = {
-               (u_char*)msgType_values[m],
-               strlen(msgType_values[m])
-       };
-
-       return asn1_wrap(ASN1_SEQUENCE, "mm",
-                               asn1_build_known_oid(OID_PKI_MESSAGE_TYPE),
-                               asn1_wrap(ASN1_SET, "m",
-                                       asn1_simple_object(ASN1_PRINTABLESTRING, msgType)));
-}
-
-/**
- * Builds a senderNonce attribute
+ * Adds a senderNonce attribute to the given pkcs9 attribute list
  */
-chunk_t scep_senderNonce_attribute(void)
+static void add_senderNonce_attribute(pkcs9_t *pkcs9)
 {
        const size_t nonce_len = 16;
        u_char nonce_buf[nonce_len];
@@ -344,35 +194,45 @@ chunk_t scep_senderNonce_attribute(void)
        rng->get_bytes(rng, nonce_len, nonce_buf);
        rng->destroy(rng);
 
-       return asn1_wrap(ASN1_SEQUENCE, "cm",
-                               asn1_build_known_oid(OID_PKI_SENDER_NONCE),
-                               asn1_wrap(ASN1_SET, "m",
-                                       asn1_simple_object(ASN1_OCTET_STRING, senderNonce)));
+       pkcs9->set_attribute(pkcs9, OID_PKI_SENDER_NONCE, senderNonce);
 }
 
 /**
  * Builds a pkcs7 enveloped and signed scep request
  */
 chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
-                                                  certificate_t *enc_cert, int enc_alg,
-                                                  certificate_t *signer_cert, int digest_alg,
-                                                  private_key_t *private_key)
+                                       certificate_t *enc_cert, encryption_algorithm_t enc_alg,
+                                       size_t key_size, certificate_t *signer_cert,
+                                       hash_algorithm_t digest_alg, private_key_t *private_key)
 {
-       chunk_t envelopedData, attributes, request;
+       chunk_t request, msgType = {
+               (u_char*)msgType_values[msg],
+               strlen(msgType_values[msg]),
+       };
+       pkcs7_t *pkcs7;
+       pkcs9_t *pkcs9;
 
-       envelopedData = pkcs7_build_envelopedData(data, enc_cert, enc_alg);
+       pkcs7 = pkcs7_create_from_data(data);
+       if (!pkcs7->build_envelopedData(pkcs7, enc_cert, enc_alg, key_size))
+       {
+               pkcs7->destroy(pkcs7);
+               return chunk_empty;
+       }
 
-       attributes = asn1_wrap(ASN1_SET, "mmmmm",
-                                       pkcs7_contentType_attribute(),
-                                       pkcs7_messageDigest_attribute(envelopedData, digest_alg),
-                                       scep_transId_attribute(transID),
-                                       scep_messageType_attribute(msg),
-                                       scep_senderNonce_attribute());
+       pkcs9 = pkcs9_create();
+       pkcs9->set_attribute(pkcs9, OID_PKI_TRANS_ID, transID);
+       pkcs9->set_attribute(pkcs9, OID_PKI_MESSAGE_TYPE, msgType);
+       add_senderNonce_attribute(pkcs9);
 
-       request = pkcs7_build_signedData(envelopedData, attributes,
-                                                                        signer_cert, digest_alg, private_key);
-       free(envelopedData.ptr);
-       free(attributes.ptr);
+       pkcs7->set_attributes(pkcs7, pkcs9);
+       pkcs7->set_certificate(pkcs7, signer_cert->get_ref(signer_cert));
+       if (!pkcs7->build_signedData(pkcs7, private_key, digest_alg))
+       {
+               pkcs7->destroy(pkcs7);
+               return chunk_empty;
+       }
+       request = pkcs7->get_contentInfo(pkcs7);
+       pkcs7->destroy(pkcs7);
        return request;
 }
 
@@ -508,22 +368,23 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
        return (status == SUCCESS);
 }
 
-err_t scep_parse_response(chunk_t response, chunk_t transID, contentInfo_t *data,
+err_t scep_parse_response(chunk_t response, chunk_t transID, pkcs7_t **data,
                                                  scep_attributes_t *attrs, certificate_t *signer_cert)
 {
-       chunk_t attributes;
+       pkcs7_t *pkcs7;
 
-       if (!pkcs7_parse_signedData(response, data, NULL, &attributes, signer_cert))
+       pkcs7 = pkcs7_create_from_chunk(response, 0);
+       if (!pkcs7 || !pkcs7->parse_signedData(pkcs7, signer_cert))
        {
+               DESTROY_IF(pkcs7);
                return "error parsing the scep response";
        }
-       if (!parse_attributes(attributes, attrs))
-       {
-               return "error parsing the scep response attributes";
-       }
+       extract_attributes(pkcs7, attrs);
        if (!chunk_equals(transID, attrs->transID))
        {
+               pkcs7->destroy(pkcs7);
                return "transaction ID of scep response does not match";
        }
+       *data = pkcs7;
        return NULL;
 }
index 76bf210..6227fab 100644 (file)
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005 Jan Hutter, Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
 #ifndef _SCEP_H
 #define _SCEP_H
 
+#include <crypto/pkcs7.h>
 #include <credentials/certificates/certificate.h>
 
-#include "../pluto/defs.h"
-#include "../pluto/pkcs7.h"
-
 /* supported SCEP operation types */
 typedef enum {
        SCEP_PKI_OPERATION,
@@ -76,13 +75,13 @@ chunk_t scep_transId_attribute(chunk_t transaction_id);
 chunk_t scep_messageType_attribute(scep_msg_t m);
 chunk_t scep_senderNonce_attribute(void);
 chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
-                                                  certificate_t *enc_cert, int enc_alg,
-                                                  certificate_t *signer_cert, int digest_alg,
-                                                  private_key_t *private_key);
+                                               certificate_t *enc_cert, encryption_algorithm_t enc_alg,
+                                               size_t key_size, certificate_t *signer_cert,
+                                               hash_algorithm_t digest_alg, private_key_t *private_key);
 bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
-                                                         bool http_get_request, chunk_t *response);
+                                          bool http_get_request, chunk_t *response);
 err_t scep_parse_response(chunk_t response, chunk_t transID,
-                                                 contentInfo_t *data, scep_attributes_t *attrs,
+                                                 pkcs7_t **data, scep_attributes_t *attrs,
                                                  certificate_t *signer_cert);
 
 #endif /* _SCEP_H */
index fa2982f..d502fc2 100644 (file)
@@ -25,8 +25,6 @@
 #include <limits.h>
 #include <syslog.h>
 
-#include <freeswan.h>
-
 #include <library.h>
 #include <debug.h>
 #include <asn1/asn1.h>
 #include <credentials/certificates/pkcs10.h>
 #include <plugins/plugin.h>
 
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/certs.h"
-#include "../pluto/pkcs7.h"
-
 #include "scep.h"
 
 /*
@@ -97,6 +90,9 @@
 /* default distinguished name */
 #define DEFAULT_DN "C=CH, O=Linux strongSwan, CN="
 
+/* minimum RSA key size */
+#define RSA_MIN_OCTETS (512 / BITS_PER_BYTE)
+
 /* challenge password buffer size */
 #define MAX_PASSWORD_LENGTH 256
 
@@ -401,10 +397,11 @@ int main(int argc, char **argv)
        char challenge_password_buffer[MAX_PASSWORD_LENGTH];
 
        /* symmetric encryption algorithm used by pkcs7, default is 3DES */
-       int pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
+       encryption_algorithm_t pkcs7_symmetric_cipher = ENCR_3DES;
+       size_t pkcs7_key_size = 0;
 
        /* digest algorithm used by pkcs7, default is SHA-1 */
-       int pkcs7_digest_alg = OID_SHA1;
+       hash_algorithm_t pkcs7_digest_alg = HASH_SHA1;
 
        /* signature algorithm used by pkcs10, default is SHA-1 */
        hash_algorithm_t pkcs10_signature_alg = HASH_SHA1;
@@ -767,9 +764,10 @@ int main(int argc, char **argv)
                                {
                                        usage("invalid algorithm specified");
                                }
-                               pkcs7_symmetric_cipher = encryption_algorithm_to_oid(
-                                                                                       token->algorithm, token->keysize);
-                               if (pkcs7_symmetric_cipher == OID_UNKNOWN)
+                               pkcs7_symmetric_cipher = token->algorithm;
+                               pkcs7_key_size = token->keysize;
+                               if (encryption_algorithm_to_oid(token->algorithm,
+                                                                                               token->keysize) == OID_UNKNOWN)
                                {
                                        usage("unsupported encryption algorithm specified");
                                }
@@ -1043,9 +1041,13 @@ int main(int argc, char **argv)
        {
                DBG2(DBG_APP, "building pkcs7 request");
                pkcs7 = scep_build_request(pkcs10_encoding,
-                                                                  transID, SCEP_PKCSReq_MSG,
-                                                                  x509_ca_enc, pkcs7_symmetric_cipher,
+                                                                  transID, SCEP_PKCSReq_MSG, x509_ca_enc,
+                                                                  pkcs7_symmetric_cipher, pkcs7_key_size,
                                                                   x509_signer, pkcs7_digest_alg, private_key);
+               if (!pkcs7.ptr)
+               {
+                       exit_scepclient("failed to build pkcs7 request");
+               }
        }
 
        /*
@@ -1079,12 +1081,8 @@ int main(int argc, char **argv)
                enumerator_t  *enumerator;
                char path[PATH_MAX];
                time_t poll_start = 0;
-
-               linked_list_t    *certs         = linked_list_create();
-               chunk_t           envelopedData = chunk_empty;
-               chunk_t           certData      = chunk_empty;
-               contentInfo_t     data          = empty_contentInfo;
-               scep_attributes_t attrs         = empty_scep_attributes;
+               pkcs7_t *data = NULL;
+               scep_attributes_t attrs = empty_scep_attributes;
 
                join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_sig);
 
@@ -1130,6 +1128,7 @@ int main(int argc, char **argv)
                        DBG2(DBG_APP, "going to sleep for %d seconds", poll_interval);
                        sleep(poll_interval);
                        free(scep_response.ptr);
+                       data->destroy(data);
 
                        DBG2(DBG_APP, "fingerprint:    %.*s",
                                 (int)fingerprint.len, fingerprint.ptr);
@@ -1138,10 +1137,13 @@ int main(int argc, char **argv)
 
                        chunk_free(&getCertInitial);
                        getCertInitial = scep_build_request(issuerAndSubject,
-                                                                       transID, SCEP_GetCertInitial_MSG,
-                                                                       x509_ca_enc, pkcs7_symmetric_cipher,
-                                                                       x509_signer, pkcs7_digest_alg, private_key);
-
+                                                               transID, SCEP_GetCertInitial_MSG, x509_ca_enc,
+                                                               pkcs7_symmetric_cipher, pkcs7_key_size,
+                                                               x509_signer, pkcs7_digest_alg, private_key);
+                       if (!getCertInitial.ptr)
+                       {
+                               exit_scepclient("failed to build scep request");
+                       }
                        if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
                                http_get_request, &scep_response))
                        {
@@ -1157,31 +1159,25 @@ int main(int argc, char **argv)
 
                if (attrs.pkiStatus != SCEP_SUCCESS)
                {
+                       data->destroy(data);
                        exit_scepclient("reply status is not 'SUCCESS'");
                }
 
-               envelopedData = data.content;
-
-               if (data.type != OID_PKCS7_DATA ||
-                       !asn1_parse_simple_object(&envelopedData, ASN1_OCTET_STRING, 0, "data"))
-               {
-                       exit_scepclient("contentInfo is not of type 'data'");
-               }
-               if (!pkcs7_parse_envelopedData(envelopedData, &certData,
-                               serialNumber, private_key))
+               if (!data->parse_envelopedData(data, serialNumber, private_key))
                {
+                       data->destroy(data);
                        exit_scepclient("could not decrypt envelopedData");
                }
-               if (!pkcs7_parse_signedData(certData, NULL, certs, NULL, NULL))
+               if (!data->parse_signedData(data, NULL))
                {
+                       data->destroy(data);
                        exit_scepclient("error parsing the scep response");
                }
-               chunk_free(&certData);
 
                /* store the end entity certificate */
                join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert);
 
-               enumerator = certs->create_enumerator(certs);
+               enumerator = data->create_certificate_enumerator(data);
                while (enumerator->enumerate(enumerator, &cert))
                {
                        x509_t *x509 = (x509_t*)cert;
@@ -1201,7 +1197,8 @@ int main(int argc, char **argv)
                                stored = TRUE;
                        }
                }
-               certs->destroy_offset(certs, offsetof(certificate_t, destroy));
+               enumerator->destroy(enumerator);
+               data->destroy(data);
                filetype_out &= ~CERT;   /* delete CERT flag */
        }