int main (int argc, char **argv)
{
starter_config_t *cfg = NULL;
starter_config_t *new_cfg;
starter_conn_t *conn, *conn2;
starter_ca_t *ca, *ca2;
struct sigaction action;
struct stat stb;
int i;
int id = 1;
struct timespec ts;
unsigned long auto_update = 0;
time_t last_reload;
bool no_fork = FALSE;
bool attach_gdb = FALSE;
bool load_warning = FALSE;
library_init(NULL);
atexit(library_deinit);
libhydra_init("starter");
atexit(libhydra_deinit);
/* parse command line */
for (i = 1; i < argc; i++)
{
if (streq(argv[i], "--debug"))
{
current_loglevel = 2;
}
else if (streq(argv[i], "--debug-more"))
{
current_loglevel = 3;
}
else if (streq(argv[i], "--debug-all"))
{
current_loglevel = 4;
}
else if (streq(argv[i], "--nolog"))
{
current_loglevel = 0;
}
else if (streq(argv[i], "--nofork"))
{
no_fork = TRUE;
}
else if (streq(argv[i], "--attach-gdb"))
{
no_fork = TRUE;
attach_gdb = TRUE;
}
else if (streq(argv[i], "--auto-update") && i+1 < argc)
{
auto_update = atoi(argv[++i]);
if (!auto_update)
usage(argv[0]);
}
else if (streq(argv[i], "--daemon") && i+1 < argc)
{
daemon_name = argv[++i];
}
else
{
usage(argv[0]);
}
}
if (!set_daemon_name())
{
DBG1(DBG_APP, "unable to set daemon name");
exit(LSB_RC_FAILURE);
}
init_log("ipsec_starter");
DBG1(DBG_APP, "Starting %sSwan "VERSION" IPsec [starter]...",
lib->settings->get_bool(lib->settings,
"charon.i_dont_care_about_security_and_use_aggressive_mode_psk",
FALSE) ? "weak" : "strong");
#ifdef LOAD_WARNING
load_warning = TRUE;
#endif
if (lib->settings->get_bool(lib->settings, "starter.load_warning", load_warning))
{
if (lib->settings->get_str(lib->settings, "charon.load", NULL))
{
DBG1(DBG_APP, "!! Your strongswan.conf contains manual plugin load options for charon.");
DBG1(DBG_APP, "!! This is recommended for experts only, see");
DBG1(DBG_APP, "!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad");
}
}
/* verify that we can start */
if (getuid() != 0)
{
DBG1(DBG_APP, "permission denied (must be superuser)");
cleanup();
exit(LSB_RC_NOT_ALLOWED);
}
if (check_pid(pid_file))
{
DBG1(DBG_APP, "%s is already running (%s exists) -- skipping daemon start",
daemon_name, pid_file);
}
else
{
_action_ |= FLAG_ACTION_START_CHARON;
}
if (stat(DEV_RANDOM, &stb) != 0)
{
DBG1(DBG_APP, "unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
cleanup();
exit(LSB_RC_FAILURE);
}
if (stat(DEV_URANDOM, &stb)!= 0)
{
DBG1(DBG_APP, "unable to start strongSwan IPsec -- no %s!", DEV_URANDOM);
cleanup();
exit(LSB_RC_FAILURE);
}
cfg = confread_load(CONFIG_FILE);
if (cfg == NULL || cfg->err > 0)
{
DBG1(DBG_APP, "unable to start strongSwan -- fatal errors in config");
if (cfg)
{
confread_free(cfg);
}
cleanup();
exit(LSB_RC_INVALID_ARGUMENT);
}
/* determine if we have a native netkey IPsec stack */
if (!starter_netkey_init())
{
DBG1(DBG_APP, "no netkey IPsec stack detected");
if (!starter_klips_init())
{
DBG1(DBG_APP, "no KLIPS IPsec stack detected");
DBG1(DBG_APP, "no known IPsec stack detected, ignoring!");
}
}
last_reload = time_monotonic(NULL);
if (check_pid(starter_pid_file))
{
DBG1(DBG_APP, "starter is already running (%s exists) -- no fork done",
starter_pid_file);
confread_free(cfg);
cleanup();
exit(LSB_RC_SUCCESS);
}
#ifdef GENERATE_SELFCERT
generate_selfcert();
#endif
/* fork if we're not debugging stuff */
if (!no_fork)
{
log_to_stderr = FALSE;
switch (fork())
{
case 0:
{
int fnull;
close_log();
closefrom(3);
fnull = open("/dev/null", O_RDWR);
if (fnull >= 0)
{
dup2(fnull, STDIN_FILENO);
dup2(fnull, STDOUT_FILENO);
dup2(fnull, STDERR_FILENO);
close(fnull);
}
setsid();
init_log("ipsec_starter");
}
break;
case -1:
DBG1(DBG_APP, "can't fork: %s", strerror(errno));
break;
default:
confread_free(cfg);
cleanup();
exit(LSB_RC_SUCCESS);
}
}
/* save pid file in /var/run/starter[.daemon_name].pid */
{
FILE *fd = fopen(starter_pid_file, "w");
if (fd)
{
fprintf(fd, "%u\n", getpid());
fclose(fd);
}
}
/* we handle these signals only in pselect() */
memset(&action, 0, sizeof(action));
sigemptyset(&action.sa_mask);
sigaddset(&action.sa_mask, SIGHUP);
sigaddset(&action.sa_mask, SIGINT);
sigaddset(&action.sa_mask, SIGTERM);
sigaddset(&action.sa_mask, SIGQUIT);
sigaddset(&action.sa_mask, SIGALRM);
sigaddset(&action.sa_mask, SIGUSR1);
pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL);
/* install a handler for fatal signals */
action.sa_handler = fatal_signal_handler;
sigaction(SIGSEGV, &action, NULL);
sigaction(SIGILL, &action, NULL);
sigaction(SIGBUS, &action, NULL);
action.sa_handler = SIG_IGN;
sigaction(SIGPIPE, &action, NULL);
/* install main signal handler */
action.sa_handler = signal_handler;
sigaction(SIGHUP, &action, NULL);
sigaction(SIGINT, &action, NULL);
sigaction(SIGTERM, &action, NULL);
sigaction(SIGQUIT, &action, NULL);
sigaction(SIGALRM, &action, NULL);
sigaction(SIGUSR1, &action, NULL);
/* this is not blocked above as we want to receive it asynchronously */
sigaction(SIGCHLD, &action, NULL);
/* empty mask for pselect() call below */
sigemptyset(&action.sa_mask);
for (;;)
{
/*
* Stop charon (if started) and exit
*/
if (_action_ & FLAG_ACTION_QUIT)
{
if (starter_charon_pid())
{
starter_stop_charon();
}
starter_netkey_cleanup();
confread_free(cfg);
unlink(starter_pid_file);
cleanup();
DBG1(DBG_APP, "ipsec starter stopped");
close_log();
exit(LSB_RC_SUCCESS);
}
/*
* Delete all connections. Will be added below
*/
if (_action_ & FLAG_ACTION_RELOAD)
{
if (starter_charon_pid())
{
for (conn = cfg->conn_first; conn; conn = conn->next)
{
if (conn->state == STATE_ADDED)
{
if (starter_charon_pid())
{
if (conn->startup == STARTUP_ROUTE)
{
starter_stroke_unroute_conn(conn);
}
starter_stroke_del_conn(conn);
}
conn->state = STATE_TO_ADD;
}
}
for (ca = cfg->ca_first; ca; ca = ca->next)
{
if (ca->state == STATE_ADDED)
{
if (starter_charon_pid())
{
starter_stroke_del_ca(ca);
}
ca->state = STATE_TO_ADD;
}
}
}
_action_ &= ~FLAG_ACTION_RELOAD;
}
/*
* Update configuration
*/
if (_action_ & FLAG_ACTION_UPDATE)
{
DBG2(DBG_APP, "Reloading config...");
new_cfg = confread_load(CONFIG_FILE);
if (new_cfg && (new_cfg->err == 0))
{
/* Switch to new config. New conn will be loaded below */
/* Look for new connections that are already loaded */
for (conn = cfg->conn_first; conn; conn = conn->next)
{
if (conn->state == STATE_ADDED)
{
for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next)
{
if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2))
{
conn->state = STATE_REPLACED;
conn2->state = STATE_ADDED;
conn2->id = conn->id;
break;
}
}
}
}
/* Remove conn sections that have become unused */
for (conn = cfg->conn_first; conn; conn = conn->next)
{
if (conn->state == STATE_ADDED)
{
if (starter_charon_pid())
{
if (conn->startup == STARTUP_ROUTE)
{
starter_stroke_unroute_conn(conn);
}
starter_stroke_del_conn(conn);
}
}
}
/* Look for new ca sections that are already loaded */
for (ca = cfg->ca_first; ca; ca = ca->next)
{
if (ca->state == STATE_ADDED)
{
for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next)
{
if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2))
{
ca->state = STATE_REPLACED;
ca2->state = STATE_ADDED;
break;
}
}
}
}
/* Remove ca sections that have become unused */
for (ca = cfg->ca_first; ca; ca = ca->next)
{
if (ca->state == STATE_ADDED)
{
if (starter_charon_pid())
{
starter_stroke_del_ca(ca);
}
}
}
confread_free(cfg);
cfg = new_cfg;
}
else
{
DBG1(DBG_APP, "can't reload config file due to errors -- keeping old one");
if (new_cfg)
{
confread_free(new_cfg);
}
}
_action_ &= ~FLAG_ACTION_UPDATE;
last_reload = time_monotonic(NULL);
}
/*
* Start daemon
*/
if (_action_ & FLAG_ACTION_START_CHARON)
{
if (cfg->setup.charonstart && !starter_charon_pid())
{
DBG2(DBG_APP, "Attempting to start %s...", daemon_name);
if (starter_start_charon(cfg, no_fork, attach_gdb))
{
/* schedule next try */
alarm(CHARON_RESTART_DELAY);
}
starter_stroke_configure(cfg);
}
_action_ &= ~FLAG_ACTION_START_CHARON;
for (ca = cfg->ca_first; ca; ca = ca->next)
{
if (ca->state == STATE_ADDED)
{
ca->state = STATE_TO_ADD;
}
}
for (conn = cfg->conn_first; conn; conn = conn->next)
{
if (conn->state == STATE_ADDED)
{
conn->state = STATE_TO_ADD;
}
}
}
/*
* Add stale conn and ca sections
*/
if (starter_charon_pid())
{
for (ca = cfg->ca_first; ca; ca = ca->next)
{
if (ca->state == STATE_TO_ADD)
{
if (starter_charon_pid())
{
starter_stroke_add_ca(ca);
}
ca->state = STATE_ADDED;
}
}
for (conn = cfg->conn_first; conn; conn = conn->next)
{
if (conn->state == STATE_TO_ADD)
{
if (conn->id == 0)
{
/* affect new unique id */
conn->id = id++;
}
if (starter_charon_pid())
{
starter_stroke_add_conn(cfg, conn);
}
conn->state = STATE_ADDED;
if (conn->startup == STARTUP_START)
{
if (starter_charon_pid())
{
starter_stroke_initiate_conn(conn);
}
}
else if (conn->startup == STARTUP_ROUTE)
{
if (starter_charon_pid())
{
starter_stroke_route_conn(conn);
}
}
}
}
}
/*
* If auto_update activated, when to stop select
*/
if (auto_update)
{
time_t now = time_monotonic(NULL);
ts.tv_sec = (now < last_reload + auto_update) ?
(last_reload + auto_update - now) : 0;
ts.tv_nsec = 0;
}
/*
* Wait for something to happen
*/
if (!_action_ &&
pselect(0, NULL, NULL, NULL, auto_update ? &ts : NULL,
&action.sa_mask) == 0)
{
/* timeout -> auto_update */
_action_ |= FLAG_ACTION_UPDATE;
}
}
exit(LSB_RC_SUCCESS);
}
int CCAMMenuHandler::handleCamMsg(const neutrino_msg_t msg, neutrino_msg_data_t data, int &msgret, bool from_menu)
{
char str[255];
char cnt[5];
int i;
MMI_MENU_LIST_INFO Menu;
MMI_ENQUIRY_INFO MmiEnquiry;
MMI_MENU_LIST_INFO *pMenu = &Menu;
MMI_ENQUIRY_INFO *pMmiEnquiry = &MmiEnquiry;
CA_MESSAGE Msg, *rMsg;
//printf("CCAMMenuHandler::handleCamMsg: msg %x data %x from %s\n", msg, data, from_menu ? "menu" : "neutrino");
msgret = messages_return::unhandled;
if ((msg == NeutrinoMessages::EVT_TIMER) && (data == close_timer)) {
printf("CCAMMenuHandler::handleCamMsg: EVT_TIMER close_timer %d\n", close_timer);
g_RCInput->killTimer(close_timer);
msgret = messages_return::cancel_info;
}
if (msg != NeutrinoMessages::EVT_CA_MESSAGE)
return 1;
msgret = messages_return::handled;
rMsg = (CA_MESSAGE *)data;
if (!rMsg)
return -1;
Msg = *rMsg;
delete rMsg;
u32 MsgId = Msg.MsgId;
CA_SLOT_TYPE SlotType = Msg.SlotType;
int curslot = Msg.Slot;
printf("CCAMMenuHandler::handleCamMsg: CA msg %x from %s\n", MsgId, from_menu ? "menu" : "neutrino");
if (g_settings.ci_ignore_messages && !from_menu)
return 1;
hideHintBox();
if (SlotType != CA_SLOT_TYPE_SMARTCARD && SlotType != CA_SLOT_TYPE_CI)
return -1;
if(MsgId == CA_MESSAGE_MSG_INSERTED) {
snprintf(str, sizeof(str), "%s %d",
g_Locale->getText(SlotType == CA_SLOT_TYPE_CI ? LOCALE_CI_INSERTED : LOCALE_SC_INSERTED), (int)curslot+1);
printf("CCAMMenuHandler::handleCamMsg: %s\n", str);
ShowHint(LOCALE_MESSAGEBOX_INFO, str, 450, 3);
if (in_menu)
msgret = messages_return::cancel_all;
} else if (MsgId == CA_MESSAGE_MSG_REMOVED) {
snprintf(str, sizeof(str), "%s %d",
g_Locale->getText(SlotType == CA_SLOT_TYPE_CI ? LOCALE_CI_REMOVED : LOCALE_SC_REMOVED), (int)curslot+1);
printf("CCAMMenuHandler::handleCamMsg: %s\n", str);
ShowHint(LOCALE_MESSAGEBOX_INFO, str, 450, 3);
#if 0
if (menu_slot == curslot && menu_type == SlotType)
return 3;
#endif
if (in_menu)
msgret = messages_return::cancel_all;
} else if(MsgId == CA_MESSAGE_MSG_INIT_OK) {
char name[255] = "Unknown";
if (ca)
ca->ModuleName(SlotType, curslot, name);
snprintf(str, sizeof(str), "%s %d: %s",
g_Locale->getText(SlotType == CA_SLOT_TYPE_CI ? LOCALE_CI_INIT_OK : LOCALE_SC_INIT_OK), (int)curslot+1, name);
printf("CCAMMenuHandler::handleCamMsg: %s\n", str);
CCamManager::getInstance()->Start(CZapit::getInstance()->GetCurrentChannelID(), CCamManager::PLAY, true);
ShowHint(LOCALE_MESSAGEBOX_INFO, str, 450, 3);
} else if(MsgId == CA_MESSAGE_MSG_INIT_FAILED) {
char name[255] = "Unknown";
if (ca)
ca->ModuleName(SlotType, curslot, name);
snprintf(str, sizeof(str), "%s %d: %s",
g_Locale->getText(SlotType == CA_SLOT_TYPE_CI ? LOCALE_CI_INIT_FAILED : LOCALE_SC_INIT_FAILED), (int)curslot+1, name);
printf("CCAMMenuHandler::handleCamMsg: %s\n", str);
ShowHint(LOCALE_MESSAGEBOX_INFO, str, 450, 3);
} else if(MsgId == CA_MESSAGE_MSG_MMI_MENU || MsgId == CA_MESSAGE_MSG_MMI_LIST) {
bool sublevel = false;
if(MsgId != CA_MESSAGE_MSG_MMI_MENU)
sublevel = true;
if (!(Msg.Flags & CA_MESSAGE_HAS_PARAM1_DATA))
return -1;
memmove(pMenu, (MMI_MENU_LIST_INFO*)Msg.Msg.Data[0], sizeof(MMI_MENU_LIST_INFO));
free((void *)Msg.Msg.Data[0]);
printf("CCAMMenuHandler::handleCamMsg: slot %d menu ready, title %s choices %d\n", curslot, convertDVBUTF8(pMenu->title, strlen(pMenu->title), 0).c_str(), pMenu->choice_nb);
int menuret = menu_return::RETURN_REPAINT;
int selected = -1;
if(pMenu->choice_nb && from_menu) {
CMenuWidget* menu = new CMenuWidget(convertDVBUTF8(pMenu->title, strlen(pMenu->title), 0).c_str(), NEUTRINO_ICON_SETTINGS);
menu->enableSaveScreen(true);
CMenuSelectorTarget * selector = new CMenuSelectorTarget(&selected);
int slen = strlen(pMenu->subtitle);
if(slen) {
char * sptr = pMenu->subtitle;
char * tptr = sptr;
int bpos = 0;
for(int li = 0; li < slen; li++) {
if((tptr[li] == 0x8A) || ((bpos > 38) && (tptr[li] == 0x20)) ) {
bpos = 0;
tptr[li] = 0;
printf("CCAMMenuHandler::handleCamMsg: subtitle: %s\n", sptr);
menu->addItem(new CMenuForwarder(convertDVBUTF8(sptr, strlen(sptr), 0).c_str(), false));
sptr = &tptr[li+1];
}
bpos++;
}
if(strlen(sptr)) {
printf("CCAMMenuHandler::handleCamMsg: subtitle: %s\n", sptr);
menu->addItem(new CMenuForwarder(convertDVBUTF8(sptr, strlen(sptr), 0).c_str(), false));
}
}
for(i = 0; (i < pMenu->choice_nb) && (i < MAX_MMI_ITEMS); i++) {
snprintf(cnt, sizeof(cnt), "%d", i);
if(sublevel)
menu->addItem(new CMenuForwarder(convertDVBUTF8(pMenu->choice_item[i], strlen(pMenu->choice_item[i]), 0).c_str(), true, NULL, selector, cnt));
else
menu->addItem(new CMenuForwarder(convertDVBUTF8(pMenu->choice_item[i], strlen(pMenu->choice_item[i]), 0).c_str(), true, NULL, selector, cnt, CRCInput::convertDigitToKey(i+1)));
}
slen = strlen(pMenu->bottom);
if(slen) {
printf("CCAMMenuHandler::handleCamMsg: bottom: %s\n", pMenu->bottom);
menu->addItem(new CMenuForwarder(convertDVBUTF8(pMenu->bottom, slen, 0).c_str(), false));
}
menuret = menu->exec(NULL, "");
delete menu;
delete selector;
} else {
char lstr[255];
int slen = 0;
if(strlen(pMenu->title))
slen += snprintf(&lstr[slen], 255-slen, "%s\n", pMenu->title);
if(strlen(pMenu->subtitle))
slen += snprintf(&lstr[slen], 255-slen, "%s\n", pMenu->subtitle);
if(strlen(pMenu->bottom))
slen += snprintf(&lstr[slen], 255-slen, "%s\n", pMenu->bottom);
for(i = 0; (i < pMenu->choice_nb) && (i < MAX_MMI_ITEMS); i++)
slen += snprintf(&lstr[slen], 255-slen, "%s\n", pMenu->choice_item[i]);
ShowHint(LOCALE_MESSAGEBOX_INFO, convertDVBUTF8(lstr, slen, 0).c_str());
return 0;
}
if(sublevel)
return menuret == menu_return::RETURN_EXIT_ALL ? 3 : 0;
if(selected >= 0) {
printf("CCAMMenuHandler::handleCamMsg: selected %d:%s sublevel %s\n", selected, pMenu->choice_item[i], sublevel ? "yes" : "no");
ca->MenuAnswer(SlotType, curslot, selected+1);
timeoutEnd = CRCInput::calcTimeoutEnd(10);
return 1;
} else {
return menuret == menu_return::RETURN_EXIT_ALL ? 3 : 2;
}
}
else if(MsgId == CA_MESSAGE_MSG_MMI_REQ_INPUT) {
if (!(Msg.Flags & CA_MESSAGE_HAS_PARAM1_DATA))
return -1;
memmove(pMmiEnquiry, (MMI_ENQUIRY_INFO *)Msg.Msg.Data[0], sizeof(MMI_ENQUIRY_INFO));
free((void *)Msg.Msg.Data[0]);
printf("CCAMMenuHandler::handleCamMsg: slot %d input request, text %s\n", curslot, convertDVBUTF8(pMmiEnquiry->enquiryText, strlen(pMmiEnquiry->enquiryText), 0).c_str());
std::string ENQAnswer;
if (/* !from_menu && */ g_settings.ci_save_pincode && pMmiEnquiry->blind != 0 && (int) g_settings.ci_pincode.length() == pMmiEnquiry->answerlen) {
static int acount = 0;
static time_t last_ask = 0;
ENQAnswer = g_settings.ci_pincode;
printf("CCAMMenuHandler::handleCamMsg: using saved answer [%s] (#%d, time diff %d)\n", ENQAnswer.c_str(), acount, (int) (time_monotonic() - last_ask));
if ((time_monotonic() - last_ask) < 10) {
acount++;
if (acount > 4)
g_settings.ci_pincode.clear();
} else {
last_ask = time_monotonic();
acount = 0;
}
} else {
CEnquiryInput *Inquiry = new CEnquiryInput((char *)convertDVBUTF8(pMmiEnquiry->enquiryText, strlen(pMmiEnquiry->enquiryText), 0).c_str(), &ENQAnswer, pMmiEnquiry->answerlen, pMmiEnquiry->blind != 0, NONEXISTANT_LOCALE);
Inquiry->exec(NULL, "");
delete Inquiry;
g_settings.ci_pincode = ENQAnswer;
}
printf("CCAMMenuHandler::handleCamMsg: input=[%s]\n", ENQAnswer.c_str());
if((int) ENQAnswer.length() != pMmiEnquiry->answerlen) {
printf("CCAMMenuHandler::handleCamMsg: wrong input len\n");
ca->InputAnswer(SlotType, curslot, (unsigned char *)ENQAnswer.c_str(), 0);
return 1; //FIXME
} else {
ca->InputAnswer(SlotType, curslot, (unsigned char *)ENQAnswer.c_str(), pMmiEnquiry->answerlen);
return 1;
}
}
else if(MsgId == CA_MESSAGE_MSG_MMI_CLOSE) {
int timeout = 0;
if (Msg.Flags & CA_MESSAGE_HAS_PARAM1_INT)
timeout = Msg.Msg.Param[0];
printf("CCAMMenuHandler::handleCamMsg: close request slot: %d (timeout %d)\n", curslot, timeout);
//ca->MenuClose(SlotType, curslot);
if (timeout)
close_timer = g_RCInput->addTimer(timeout*1000*1000, true);
else
msgret = messages_return::cancel_info;
return 0;
}
else if(MsgId == CA_MESSAGE_MSG_MMI_TEXT) {
printf("CCAMMenuHandler::handleCamMsg: text\n");
}
else if(MsgId == CA_MESSAGE_MSG_CHANNEL_CHANGE) {
if (!(Msg.Flags & CA_MESSAGE_HAS_PARAM1_LONG))
return -1;
t_channel_id chid = Msg.Msg.ParamLong[0];
printf("CCAMMenuHandler::handleCamMsg: CA_MESSAGE_MSG_CHANNEL_CHANGE: %" PRIx64 "\n", chid);
CZapitChannel * channel = CServiceManager::getInstance()->FindChannel48(chid);
if (!channel) {
printf("CCAMMenuHandler::handleCamMsg: channel %" PRIx64 "not found\n", chid);
return -1;
}
CNeutrinoApp::getInstance()->zapTo(channel->getChannelID());
}
return 1;
}
/**
* @brief main of scepclient
*
* @param argc number of arguments
* @param argv pointer to the argument values
*/
int main(int argc, char **argv)
{
/* external values */
extern char * optarg;
extern int optind;
/* type of input and output files */
typedef enum {
PKCS1 = 0x01,
PKCS10 = 0x02,
PKCS7 = 0x04,
CERT_SELF = 0x08,
CERT = 0x10,
CACERT_ENC = 0x20,
CACERT_SIG = 0x40,
} scep_filetype_t;
/* filetype to read from, defaults to "generate a key" */
scep_filetype_t filetype_in = 0;
/* filetype to write to, no default here */
scep_filetype_t filetype_out = 0;
/* input files */
char *file_in_pkcs1 = DEFAULT_FILENAME_PKCS1;
char *file_in_pkcs10 = DEFAULT_FILENAME_PKCS10;
char *file_in_cert_self = DEFAULT_FILENAME_CERT_SELF;
char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC;
char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG;
/* output files */
char *file_out_pkcs1 = DEFAULT_FILENAME_PKCS1;
char *file_out_pkcs10 = DEFAULT_FILENAME_PKCS10;
char *file_out_pkcs7 = DEFAULT_FILENAME_PKCS7;
char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF;
char *file_out_cert = DEFAULT_FILENAME_CERT;
char *file_out_ca_cert = DEFAULT_FILENAME_CACERT_ENC;
/* by default user certificate is requested */
bool request_ca_certificate = FALSE;
/* by default existing files are not overwritten */
bool force = FALSE;
/* length of RSA key in bits */
u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH;
/* validity of self-signed certificate */
time_t validity = DEFAULT_CERT_VALIDITY;
time_t notBefore = 0;
time_t notAfter = 0;
/* distinguished name for requested certificate, ASCII format */
char *distinguishedName = NULL;
/* challenge password */
char challenge_password_buffer[MAX_PASSWORD_LENGTH];
/* symmetric encryption algorithm used by pkcs7, default is DES */
encryption_algorithm_t pkcs7_symmetric_cipher = ENCR_DES;
size_t pkcs7_key_size = 0;
/* digest algorithm used by pkcs7, default is MD5 */
hash_algorithm_t pkcs7_digest_alg = HASH_MD5;
/* signature algorithm used by pkcs10, default is MD5 */
hash_algorithm_t pkcs10_signature_alg = HASH_MD5;
/* URL of the SCEP-Server */
char *scep_url = NULL;
/* Name of CA to fetch CA certs for */
char *ca_name = "CAIdentifier";
/* http request method, default is GET */
bool http_get_request = TRUE;
/* poll interval time in manual mode in seconds */
u_int poll_interval = DEFAULT_POLL_INTERVAL;
/* maximum poll time */
u_int max_poll_time = 0;
err_t ugh = NULL;
/* initialize library */
if (!library_init(NULL))
{
library_deinit();
exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
}
if (lib->integrity &&
!lib->integrity->check_file(lib->integrity, "scepclient", argv[0]))
{
fprintf(stderr, "integrity check of scepclient failed\n");
library_deinit();
exit(SS_RC_DAEMON_INTEGRITY);
}
/* initialize global variables */
pkcs1 = chunk_empty;
pkcs7 = chunk_empty;
serialNumber = chunk_empty;
transID = chunk_empty;
fingerprint = chunk_empty;
encoding = chunk_empty;
pkcs10_encoding = chunk_empty;
issuerAndSubject = chunk_empty;
challengePassword = chunk_empty;
getCertInitial = chunk_empty;
scep_response = chunk_empty;
subjectAltNames = linked_list_create();
options = options_create();
for (;;)
{
static const struct option long_opts[] = {
/* name, has_arg, flag, val */
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, 'v' },
{ "optionsfrom", required_argument, NULL, '+' },
{ "quiet", no_argument, NULL, 'q' },
{ "debug", required_argument, NULL, 'l' },
{ "in", required_argument, NULL, 'i' },
{ "out", required_argument, NULL, 'o' },
{ "force", no_argument, NULL, 'f' },
{ "httptimeout", required_argument, NULL, 'T' },
{ "keylength", required_argument, NULL, 'k' },
{ "dn", required_argument, NULL, 'd' },
{ "days", required_argument, NULL, 'D' },
{ "startdate", required_argument, NULL, 'S' },
{ "enddate", required_argument, NULL, 'E' },
{ "subjectAltName", required_argument, NULL, 's' },
{ "password", required_argument, NULL, 'p' },
{ "algorithm", required_argument, NULL, 'a' },
{ "url", required_argument, NULL, 'u' },
{ "caname", required_argument, NULL, 'c'},
{ "method", required_argument, NULL, 'm' },
{ "interval", required_argument, NULL, 't' },
{ "maxpolltime", required_argument, NULL, 'x' },
{ 0,0,0,0 }
};
/* parse next option */
int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:c:m:t:x:APRCMS", long_opts, NULL);
switch (c)
{
case EOF: /* end of flags */
break;
case 'h': /* --help */
usage(NULL);
case 'v': /* --version */
version();
case 'q': /* --quiet */
log_to_stderr = FALSE;
continue;
case 'l': /* --debug <level> */
default_loglevel = atoi(optarg);
continue;
case 'i': /* --in <type> [= <filename>] */
{
char *filename = strstr(optarg, "=");
if (filename)
{
/* replace '=' by '\0' */
*filename = '\0';
/* set pointer to start of filename */
filename++;
}
if (strcaseeq("pkcs1", optarg))
{
filetype_in |= PKCS1;
if (filename)
file_in_pkcs1 = filename;
}
else if (strcaseeq("pkcs10", optarg))
{
filetype_in |= PKCS10;
if (filename)
file_in_pkcs10 = filename;
}
else if (strcaseeq("cacert-enc", optarg))
{
filetype_in |= CACERT_ENC;
if (filename)
file_in_cacert_enc = filename;
}
else if (strcaseeq("cacert-sig", optarg))
{
filetype_in |= CACERT_SIG;
if (filename)
file_in_cacert_sig = filename;
}
else if (strcaseeq("cert-self", optarg))
{
filetype_in |= CERT_SELF;
if (filename)
file_in_cert_self = filename;
}
else
{
usage("invalid --in file type");
}
continue;
}
case 'o': /* --out <type> [= <filename>] */
{
char *filename = strstr(optarg, "=");
if (filename)
{
/* replace '=' by '\0' */
*filename = '\0';
/* set pointer to start of filename */
filename++;
}
if (strcaseeq("pkcs1", optarg))
{
filetype_out |= PKCS1;
if (filename)
file_out_pkcs1 = filename;
}
else if (strcaseeq("pkcs10", optarg))
{
filetype_out |= PKCS10;
if (filename)
file_out_pkcs10 = filename;
}
else if (strcaseeq("pkcs7", optarg))
{
filetype_out |= PKCS7;
if (filename)
file_out_pkcs7 = filename;
}
else if (strcaseeq("cert-self", optarg))
{
filetype_out |= CERT_SELF;
if (filename)
file_out_cert_self = filename;
}
else if (strcaseeq("cert", optarg))
{
filetype_out |= CERT;
if (filename)
file_out_cert = filename;
}
else if (strcaseeq("cacert", optarg))
{
request_ca_certificate = TRUE;
if (filename)
file_out_ca_cert = filename;
}
else
{
usage("invalid --out file type");
}
continue;
}
case 'f': /* --force */
force = TRUE;
continue;
case 'T': /* --httptimeout */
http_timeout = atoi(optarg);
if (http_timeout <= 0)
{
usage("invalid httptimeout specified");
}
continue;
case '+': /* --optionsfrom <filename> */
if (!options->from(options, optarg, &argc, &argv, optind))
{
exit_scepclient("optionsfrom failed");
}
continue;
case 'k': /* --keylength <length> */
{
div_t q;
rsa_keylength = atoi(optarg);
if (rsa_keylength == 0)
usage("invalid keylength");
/* check if key length is a multiple of 8 bits */
q = div(rsa_keylength, 2*BITS_PER_BYTE);
if (q.rem != 0)
{
exit_scepclient("keylength is not a multiple of %d bits!"
, 2*BITS_PER_BYTE);
}
continue;
}
case 'D': /* --days */
if (optarg == NULL || !isdigit(optarg[0]))
{
usage("missing number of days");
}
else
{
char *endptr;
long days = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| days <= 0)
usage("<days> must be a positive number");
validity = 24*3600*days;
}
continue;
case 'S': /* --startdate */
if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
{
usage("date format must be YYMMDDHHMMSSZ");
}
else
{
chunk_t date = { optarg, 13 };
notBefore = asn1_to_time(&date, ASN1_UTCTIME);
}
continue;
case 'E': /* --enddate */
if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
{
usage("date format must be YYMMDDHHMMSSZ");
}
else
{
chunk_t date = { optarg, 13 };
notAfter = asn1_to_time(&date, ASN1_UTCTIME);
}
continue;
case 'd': /* --dn */
if (distinguishedName)
{
usage("only one distinguished name allowed");
}
distinguishedName = optarg;
continue;
case 's': /* --subjectAltName */
{
char *value = strstr(optarg, "=");
if (value)
{
/* replace '=' by '\0' */
*value = '\0';
/* set pointer to start of value */
value++;
}
if (strcaseeq("email", optarg) ||
strcaseeq("dns", optarg) ||
strcaseeq("ip", optarg))
{
subjectAltNames->insert_last(subjectAltNames,
identification_create_from_string(value));
continue;
}
else
{
usage("invalid --subjectAltName type");
continue;
}
}
case 'p': /* --password */
if (challengePassword.len > 0)
{
usage("only one challenge password allowed");
}
if (strcaseeq("%prompt", optarg))
{
printf("Challenge password: "******"challenge password could not be read");
}
}
else
{
challengePassword.ptr = optarg;
challengePassword.len = strlen(optarg);
}
continue;
case 'u': /* -- url */
if (scep_url)
{
usage("only one URL argument allowed");
}
scep_url = optarg;
continue;
case 'c': /* -- caname */
ca_name = optarg;
continue;
case 'm': /* --method */
if (strcaseeq("get", optarg))
{
http_get_request = TRUE;
}
else if (strcaseeq("post", optarg))
{
http_get_request = FALSE;
}
else
{
usage("invalid http request method specified");
}
continue;
case 't': /* --interval */
poll_interval = atoi(optarg);
if (poll_interval <= 0)
{
usage("invalid interval specified");
}
continue;
case 'x': /* --maxpolltime */
max_poll_time = atoi(optarg);
continue;
case 'a': /*--algorithm [<type>=]algo */
{
const proposal_token_t *token;
char *type = optarg;
char *algo = strstr(optarg, "=");
if (algo)
{
*algo = '\0';
algo++;
}
else
{
type = "enc";
algo = optarg;
}
if (strcaseeq("enc", type))
{
token = lib->proposal->get_token(lib->proposal, algo);
if (token == NULL || token->type != ENCRYPTION_ALGORITHM)
{
usage("invalid algorithm specified");
}
pkcs7_symmetric_cipher = token->algorithm;
pkcs7_key_size = token->keysize;
if (encryption_algorithm_to_oid(token->algorithm,
token->keysize) == OID_UNKNOWN)
{
usage("unsupported encryption algorithm specified");
}
}
else if (strcaseeq("dgst", type) ||
strcaseeq("sig", type))
{
hash_algorithm_t hash;
token = lib->proposal->get_token(lib->proposal, algo);
if (token == NULL || token->type != INTEGRITY_ALGORITHM)
{
usage("invalid algorithm specified");
}
hash = hasher_algorithm_from_integrity(token->algorithm,
NULL);
if (hash == OID_UNKNOWN)
{
usage("invalid algorithm specified");
}
if (strcaseeq("dgst", type))
{
pkcs7_digest_alg = hash;
}
else
{
pkcs10_signature_alg = hash;
}
}
else
{
usage("invalid --algorithm type");
}
continue;
}
default:
usage("unknown option");
}
/* break from loop */
break;
}
init_log("scepclient");
/* load plugins, further infrastructure may need it */
if (!lib->plugins->load(lib->plugins, NULL,
lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS)))
{
exit_scepclient("plugin loading failed");
}
DBG1(DBG_APP, " loaded plugins: %s",
lib->plugins->loaded_plugins(lib->plugins));
if ((filetype_out == 0) && (!request_ca_certificate))
{
usage("--out filetype required");
}
if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0))
{
usage("in CA certificate request, no other --in or --out option allowed");
}
/* check if url is given, if cert output defined */
if (((filetype_out & CERT) || request_ca_certificate) && !scep_url)
{
usage("URL of SCEP server required");
}
/* check for sanity of --in/--out */
if (!filetype_in && (filetype_in > filetype_out))
{
usage("cannot generate --out of given --in!");
}
/* get CA cert */
if (request_ca_certificate)
{
char ca_path[PATH_MAX];
container_t *container;
pkcs7_t *pkcs7;
if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)),
SCEP_GET_CA_CERT, http_get_request,
http_timeout, &scep_response))
{
exit_scepclient("did not receive a valid scep response");
}
join_paths(ca_path, sizeof(ca_path), CA_CERT_PATH, file_out_ca_cert);
pkcs7 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
BUILD_BLOB_ASN1_DER, scep_response, BUILD_END);
if (!pkcs7)
{ /* no PKCS#7 encoded CA+RA certificates, assume simple CA cert */
DBG1(DBG_APP, "unable to parse PKCS#7, assuming plain CA cert");
if (!chunk_write(scep_response, ca_path, "ca cert", 0022, force))
{
exit_scepclient("could not write ca cert file '%s'", ca_path);
}
}
else
{
enumerator_t *enumerator;
certificate_t *cert;
int ra_certs = 0, ca_certs = 0;
int ra_index = 1, ca_index = 1;
enumerator = pkcs7->create_cert_enumerator(pkcs7);
while (enumerator->enumerate(enumerator, &cert))
{
x509_t *x509 = (x509_t*)cert;
if (x509->get_flags(x509) & X509_CA)
{
ca_certs++;
}
else
{
ra_certs++;
}
}
enumerator->destroy(enumerator);
enumerator = pkcs7->create_cert_enumerator(pkcs7);
while (enumerator->enumerate(enumerator, &cert))
{
x509_t *x509 = (x509_t*)cert;
bool ca_cert = x509->get_flags(x509) & X509_CA;
char cert_path[PATH_MAX], *path = ca_path;
if (ca_cert && ca_certs > 1)
{
add_path_suffix(cert_path, sizeof(cert_path), ca_path,
"-%.1d", ca_index++);
path = cert_path;
}
else if (!ca_cert)
{ /* use CA name as base for RA certs */
if (ra_certs > 1)
{
add_path_suffix(cert_path, sizeof(cert_path), ca_path,
"-ra-%.1d", ra_index++);
}
else
{
add_path_suffix(cert_path, sizeof(cert_path), ca_path,
"-ra");
}
path = cert_path;
}
if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
!chunk_write(encoding, path,
ca_cert ? "ca cert" : "ra cert", 0022, force))
{
exit_scepclient("could not write cert file '%s'", path);
}
chunk_free(&encoding);
}
enumerator->destroy(enumerator);
container = &pkcs7->container;
container->destroy(container);
}
exit_scepclient(NULL); /* no further output required */
}
creds = mem_cred_create();
lib->credmgr->add_set(lib->credmgr, &creds->set);
/*
* input of PKCS#1 file
*/
if (filetype_in & PKCS1) /* load an RSA key pair from file */
{
char path[PATH_MAX];
join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_in_pkcs1);
private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
BUILD_FROM_FILE, path, BUILD_END);
}
else /* generate an RSA key pair */
{
private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
BUILD_KEY_SIZE, rsa_keylength,
BUILD_END);
}
if (private_key == NULL)
{
exit_scepclient("no RSA private key available");
}
creds->add_key(creds, private_key->get_ref(private_key));
public_key = private_key->get_public_key(private_key);
/* check for minimum key length */
if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS / BITS_PER_BYTE)
{
exit_scepclient("length of RSA key has to be at least %d bits",
RSA_MIN_OCTETS * BITS_PER_BYTE);
}
/*
* input of PKCS#10 file
*/
if (filetype_in & PKCS10)
{
char path[PATH_MAX];
join_paths(path, sizeof(path), REQ_PATH, file_in_pkcs10);
pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
CERT_PKCS10_REQUEST, BUILD_FROM_FILE,
path, BUILD_END);
if (!pkcs10_req)
{
exit_scepclient("could not read certificate request '%s'", path);
}
subject = pkcs10_req->get_subject(pkcs10_req);
subject = subject->clone(subject);
}
else
{
if (distinguishedName == NULL)
{
char buf[BUF_LEN];
int n = sprintf(buf, DEFAULT_DN);
/* set the common name to the hostname */
if (gethostname(buf + n, BUF_LEN - n) || strlen(buf) == n)
{
exit_scepclient("no hostname defined, use "
"--dn <distinguished name> option");
}
distinguishedName = buf;
}
DBG2(DBG_APP, "dn: '%s'", distinguishedName);
subject = identification_create_from_string(distinguishedName);
if (subject->get_type(subject) != ID_DER_ASN1_DN)
{
exit_scepclient("parsing of distinguished name failed");
}
DBG2(DBG_APP, "building pkcs10 object:");
pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
CERT_PKCS10_REQUEST,
BUILD_SIGNING_KEY, private_key,
BUILD_SUBJECT, subject,
BUILD_SUBJECT_ALTNAMES, subjectAltNames,
BUILD_CHALLENGE_PWD, challengePassword,
BUILD_DIGEST_ALG, pkcs10_signature_alg,
BUILD_END);
if (!pkcs10_req)
{
exit_scepclient("generating pkcs10 request failed");
}
}
pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding);
fingerprint = scep_generate_pkcs10_fingerprint(pkcs10_encoding);
DBG1(DBG_APP, " fingerprint: %s", fingerprint.ptr);
/*
* output of PKCS#10 file
*/
if (filetype_out & PKCS10)
{
char path[PATH_MAX];
join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs10);
if (!chunk_write(pkcs10_encoding, path, "pkcs10", 0022, force))
{
exit_scepclient("could not write pkcs10 file '%s'", path);
}
filetype_out &= ~PKCS10; /* delete PKCS10 flag */
}
if (!filetype_out)
{
exit_scepclient(NULL); /* no further output required */
}
/*
* output of PKCS#1 file
*/
if (filetype_out & PKCS1)
{
char path[PATH_MAX];
join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_out_pkcs1);
DBG2(DBG_APP, "building pkcs1 object:");
if (!private_key->get_encoding(private_key, PRIVKEY_ASN1_DER, &pkcs1) ||
!chunk_write(pkcs1, path, "pkcs1", 0066, force))
{
exit_scepclient("could not write pkcs1 file '%s'", path);
}
filetype_out &= ~PKCS1; /* delete PKCS1 flag */
}
if (!filetype_out)
{
exit_scepclient(NULL); /* no further output required */
}
scep_generate_transaction_id(public_key, &transID, &serialNumber);
DBG1(DBG_APP, " transaction ID: %.*s", (int)transID.len, transID.ptr);
/*
* read or generate self-signed X.509 certificate
*/
if (filetype_in & CERT_SELF)
{
char path[PATH_MAX];
join_paths(path, sizeof(path), HOST_CERT_PATH, file_in_cert_self);
x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_FROM_FILE, path, BUILD_END);
if (!x509_signer)
{
exit_scepclient("could not read certificate file '%s'", path);
}
}
else
{
notBefore = notBefore ? notBefore : time(NULL);
notAfter = notAfter ? notAfter : (notBefore + validity);
x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_SIGNING_KEY, private_key,
BUILD_PUBLIC_KEY, public_key,
BUILD_SUBJECT, subject,
BUILD_NOT_BEFORE_TIME, notBefore,
BUILD_NOT_AFTER_TIME, notAfter,
BUILD_SERIAL, serialNumber,
BUILD_SUBJECT_ALTNAMES, subjectAltNames,
BUILD_END);
if (!x509_signer)
{
exit_scepclient("generating certificate failed");
}
}
creds->add_cert(creds, TRUE, x509_signer->get_ref(x509_signer));
/*
* output of self-signed X.509 certificate file
*/
if (filetype_out & CERT_SELF)
{
char path[PATH_MAX];
join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert_self);
if (!x509_signer->get_encoding(x509_signer, CERT_ASN1_DER, &encoding))
{
exit_scepclient("encoding certificate failed");
}
if (!chunk_write(encoding, path, "self-signed cert", 0022, force))
{
exit_scepclient("could not write self-signed cert file '%s'", path);
}
chunk_free(&encoding);
filetype_out &= ~CERT_SELF; /* delete CERT_SELF flag */
}
if (!filetype_out)
{
exit_scepclient(NULL); /* no further output required */
}
/*
* load ca encryption certificate
*/
{
char path[PATH_MAX];
join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_enc);
x509_ca_enc = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_FROM_FILE, path, BUILD_END);
if (!x509_ca_enc)
{
exit_scepclient("could not load encryption cacert file '%s'", path);
}
}
/*
* input of PKCS#7 file
*/
if (filetype_in & PKCS7)
{
/* user wants to load a pkcs7 encrypted request
* operation is not yet supported!
* would require additional parsing of transaction-id
pkcs7 = pkcs7_read_from_file(file_in_pkcs7);
*/
}
else
{
DBG2(DBG_APP, "building pkcs7 request");
pkcs7 = scep_build_request(pkcs10_encoding,
transID, SCEP_PKCSReq_MSG, x509_ca_enc,
pkcs7_symmetric_cipher, pkcs7_key_size,
x509_signer, pkcs7_digest_alg, private_key);
if (!pkcs7.ptr)
{
exit_scepclient("failed to build pkcs7 request");
}
}
/*
* output pkcs7 encrypted and signed certificate request
*/
if (filetype_out & PKCS7)
{
char path[PATH_MAX];
join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs7);
if (!chunk_write(pkcs7, path, "pkcs7 encrypted request", 0022, force))
{
exit_scepclient("could not write pkcs7 file '%s'", path);
}
filetype_out &= ~PKCS7; /* delete PKCS7 flag */
}
if (!filetype_out)
{
exit_scepclient(NULL); /* no further output required */
}
/*
* output certificate fetch from SCEP server
*/
if (filetype_out & CERT)
{
bool stored = FALSE;
certificate_t *cert;
enumerator_t *enumerator;
char path[PATH_MAX];
time_t poll_start = 0;
pkcs7_t *p7;
container_t *container = NULL;
chunk_t chunk;
scep_attributes_t attrs = empty_scep_attributes;
join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_sig);
x509_ca_sig = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_FROM_FILE, path, BUILD_END);
if (!x509_ca_sig)
{
exit_scepclient("could not load signature cacert file '%s'", path);
}
creds->add_cert(creds, TRUE, x509_ca_sig->get_ref(x509_ca_sig));
if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
http_get_request, http_timeout, &scep_response))
{
exit_scepclient("did not receive a valid scep response");
}
ugh = scep_parse_response(scep_response, transID, &container, &attrs);
if (ugh != NULL)
{
exit_scepclient(ugh);
}
/* in case of manual mode, we are going into a polling loop */
if (attrs.pkiStatus == SCEP_PENDING)
{
identification_t *issuer = x509_ca_sig->get_subject(x509_ca_sig);
DBG1(DBG_APP, " scep request pending, polling every %d seconds",
poll_interval);
poll_start = time_monotonic(NULL);
issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc",
issuer->get_encoding(issuer),
subject);
}
while (attrs.pkiStatus == SCEP_PENDING)
{
if (max_poll_time > 0 &&
(time_monotonic(NULL) - poll_start >= max_poll_time))
{
exit_scepclient("maximum poll time reached: %d seconds"
, max_poll_time);
}
DBG2(DBG_APP, "going to sleep for %d seconds", poll_interval);
sleep(poll_interval);
free(scep_response.ptr);
container->destroy(container);
DBG2(DBG_APP, "fingerprint: %.*s",
(int)fingerprint.len, fingerprint.ptr);
DBG2(DBG_APP, "transaction ID: %.*s",
(int)transID.len, transID.ptr);
chunk_free(&getCertInitial);
getCertInitial = scep_build_request(issuerAndSubject,
transID, SCEP_GetCertInitial_MSG, x509_ca_enc,
pkcs7_symmetric_cipher, pkcs7_key_size,
x509_signer, pkcs7_digest_alg, private_key);
if (!getCertInitial.ptr)
{
exit_scepclient("failed to build scep request");
}
if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
http_get_request, http_timeout, &scep_response))
{
exit_scepclient("did not receive a valid scep response");
}
ugh = scep_parse_response(scep_response, transID, &container, &attrs);
if (ugh != NULL)
{
exit_scepclient(ugh);
}
}
if (attrs.pkiStatus != SCEP_SUCCESS)
{
container->destroy(container);
exit_scepclient("reply status is not 'SUCCESS'");
}
if (!container->get_data(container, &chunk))
{
container->destroy(container);
exit_scepclient("extracting signed-data failed");
}
container->destroy(container);
/* decrypt enveloped-data container */
container = lib->creds->create(lib->creds,
CRED_CONTAINER, CONTAINER_PKCS7,
BUILD_BLOB_ASN1_DER, chunk,
BUILD_END);
free(chunk.ptr);
if (!container)
{
exit_scepclient("could not decrypt envelopedData");
}
if (!container->get_data(container, &chunk))
{
container->destroy(container);
exit_scepclient("extracting encrypted-data failed");
}
container->destroy(container);
/* parse signed-data container */
container = lib->creds->create(lib->creds,
CRED_CONTAINER, CONTAINER_PKCS7,
BUILD_BLOB_ASN1_DER, chunk,
BUILD_END);
free(chunk.ptr);
if (!container)
{
exit_scepclient("could not parse singed-data");
}
/* no need to verify the signed-data container, the signature does NOT
* cover the contained certificates */
/* store the end entity certificate */
join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert);
p7 = (pkcs7_t*)container;
enumerator = p7->create_cert_enumerator(p7);
while (enumerator->enumerate(enumerator, &cert))
{
x509_t *x509 = (x509_t*)cert;
if (!(x509->get_flags(x509) & X509_CA))
{
if (stored)
{
exit_scepclient("multiple certs received, only first stored");
}
if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
!chunk_write(encoding, path, "requested cert", 0022, force))
{
exit_scepclient("could not write cert file '%s'", path);
}
chunk_free(&encoding);
stored = TRUE;
}
}
enumerator->destroy(enumerator);
container->destroy(container);
chunk_free(&attrs.transID);
chunk_free(&attrs.senderNonce);
chunk_free(&attrs.recipientNonce);
filetype_out &= ~CERT; /* delete CERT flag */
}
exit_scepclient(NULL);
return -1; /* should never be reached */
}
