int main (int argc, char **argv) { starter_config_t *cfg = NULL; starter_config_t *new_cfg; starter_conn_t *conn, *conn2; starter_ca_t *ca, *ca2; struct sigaction action; struct stat stb; int i; int id = 1; struct timespec ts; unsigned long auto_update = 0; time_t last_reload; bool no_fork = FALSE; bool attach_gdb = FALSE; bool load_warning = FALSE; library_init(NULL); atexit(library_deinit); libhydra_init("starter"); atexit(libhydra_deinit); /* parse command line */ for (i = 1; i < argc; i++) { if (streq(argv[i], "--debug")) { current_loglevel = 2; } else if (streq(argv[i], "--debug-more")) { current_loglevel = 3; } else if (streq(argv[i], "--debug-all")) { current_loglevel = 4; } else if (streq(argv[i], "--nolog")) { current_loglevel = 0; } else if (streq(argv[i], "--nofork")) { no_fork = TRUE; } else if (streq(argv[i], "--attach-gdb")) { no_fork = TRUE; attach_gdb = TRUE; } else if (streq(argv[i], "--auto-update") && i+1 < argc) { auto_update = atoi(argv[++i]); if (!auto_update) usage(argv[0]); } else if (streq(argv[i], "--daemon") && i+1 < argc) { daemon_name = argv[++i]; } else { usage(argv[0]); } } if (!set_daemon_name()) { DBG1(DBG_APP, "unable to set daemon name"); exit(LSB_RC_FAILURE); } init_log("ipsec_starter"); DBG1(DBG_APP, "Starting %sSwan "VERSION" IPsec [starter]...", lib->settings->get_bool(lib->settings, "charon.i_dont_care_about_security_and_use_aggressive_mode_psk", FALSE) ? "weak" : "strong"); #ifdef LOAD_WARNING load_warning = TRUE; #endif if (lib->settings->get_bool(lib->settings, "starter.load_warning", load_warning)) { if (lib->settings->get_str(lib->settings, "charon.load", NULL)) { DBG1(DBG_APP, "!! Your strongswan.conf contains manual plugin load options for charon."); DBG1(DBG_APP, "!! This is recommended for experts only, see"); DBG1(DBG_APP, "!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad"); } } /* verify that we can start */ if (getuid() != 0) { DBG1(DBG_APP, "permission denied (must be superuser)"); cleanup(); exit(LSB_RC_NOT_ALLOWED); } if (check_pid(pid_file)) { DBG1(DBG_APP, "%s is already running (%s exists) -- skipping daemon start", daemon_name, pid_file); } else { _action_ |= FLAG_ACTION_START_CHARON; } if (stat(DEV_RANDOM, &stb) != 0) { DBG1(DBG_APP, "unable to start strongSwan IPsec -- no %s!", DEV_RANDOM); cleanup(); exit(LSB_RC_FAILURE); } if (stat(DEV_URANDOM, &stb)!= 0) { DBG1(DBG_APP, "unable to start strongSwan IPsec -- no %s!", DEV_URANDOM); cleanup(); exit(LSB_RC_FAILURE); } cfg = confread_load(CONFIG_FILE); if (cfg == NULL || cfg->err > 0) { DBG1(DBG_APP, "unable to start strongSwan -- fatal errors in config"); if (cfg) { confread_free(cfg); } cleanup(); exit(LSB_RC_INVALID_ARGUMENT); } /* determine if we have a native netkey IPsec stack */ if (!starter_netkey_init()) { DBG1(DBG_APP, "no netkey IPsec stack detected"); if (!starter_klips_init()) { DBG1(DBG_APP, "no KLIPS IPsec stack detected"); DBG1(DBG_APP, "no known IPsec stack detected, ignoring!"); } } last_reload = time_monotonic(NULL); if (check_pid(starter_pid_file)) { DBG1(DBG_APP, "starter is already running (%s exists) -- no fork done", starter_pid_file); confread_free(cfg); cleanup(); exit(LSB_RC_SUCCESS); } #ifdef GENERATE_SELFCERT generate_selfcert(); #endif /* fork if we're not debugging stuff */ if (!no_fork) { log_to_stderr = FALSE; switch (fork()) { case 0: { int fnull; close_log(); closefrom(3); fnull = open("/dev/null", O_RDWR); if (fnull >= 0) { dup2(fnull, STDIN_FILENO); dup2(fnull, STDOUT_FILENO); dup2(fnull, STDERR_FILENO); close(fnull); } setsid(); init_log("ipsec_starter"); } break; case -1: DBG1(DBG_APP, "can't fork: %s", strerror(errno)); break; default: confread_free(cfg); cleanup(); exit(LSB_RC_SUCCESS); } } /* save pid file in /var/run/starter[.daemon_name].pid */ { FILE *fd = fopen(starter_pid_file, "w"); if (fd) { fprintf(fd, "%u\n", getpid()); fclose(fd); } } /* we handle these signals only in pselect() */ memset(&action, 0, sizeof(action)); sigemptyset(&action.sa_mask); sigaddset(&action.sa_mask, SIGHUP); sigaddset(&action.sa_mask, SIGINT); sigaddset(&action.sa_mask, SIGTERM); sigaddset(&action.sa_mask, SIGQUIT); sigaddset(&action.sa_mask, SIGALRM); sigaddset(&action.sa_mask, SIGUSR1); pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL); /* install a handler for fatal signals */ action.sa_handler = fatal_signal_handler; sigaction(SIGSEGV, &action, NULL); sigaction(SIGILL, &action, NULL); sigaction(SIGBUS, &action, NULL); action.sa_handler = SIG_IGN; sigaction(SIGPIPE, &action, NULL); /* install main signal handler */ action.sa_handler = signal_handler; sigaction(SIGHUP, &action, NULL); sigaction(SIGINT, &action, NULL); sigaction(SIGTERM, &action, NULL); sigaction(SIGQUIT, &action, NULL); sigaction(SIGALRM, &action, NULL); sigaction(SIGUSR1, &action, NULL); /* this is not blocked above as we want to receive it asynchronously */ sigaction(SIGCHLD, &action, NULL); /* empty mask for pselect() call below */ sigemptyset(&action.sa_mask); for (;;) { /* * Stop charon (if started) and exit */ if (_action_ & FLAG_ACTION_QUIT) { if (starter_charon_pid()) { starter_stop_charon(); } starter_netkey_cleanup(); confread_free(cfg); unlink(starter_pid_file); cleanup(); DBG1(DBG_APP, "ipsec starter stopped"); close_log(); exit(LSB_RC_SUCCESS); } /* * Delete all connections. Will be added below */ if (_action_ & FLAG_ACTION_RELOAD) { if (starter_charon_pid()) { for (conn = cfg->conn_first; conn; conn = conn->next) { if (conn->state == STATE_ADDED) { if (starter_charon_pid()) { if (conn->startup == STARTUP_ROUTE) { starter_stroke_unroute_conn(conn); } starter_stroke_del_conn(conn); } conn->state = STATE_TO_ADD; } } for (ca = cfg->ca_first; ca; ca = ca->next) { if (ca->state == STATE_ADDED) { if (starter_charon_pid()) { starter_stroke_del_ca(ca); } ca->state = STATE_TO_ADD; } } } _action_ &= ~FLAG_ACTION_RELOAD; } /* * Update configuration */ if (_action_ & FLAG_ACTION_UPDATE) { DBG2(DBG_APP, "Reloading config..."); new_cfg = confread_load(CONFIG_FILE); if (new_cfg && (new_cfg->err == 0)) { /* Switch to new config. New conn will be loaded below */ /* Look for new connections that are already loaded */ for (conn = cfg->conn_first; conn; conn = conn->next) { if (conn->state == STATE_ADDED) { for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next) { if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2)) { conn->state = STATE_REPLACED; conn2->state = STATE_ADDED; conn2->id = conn->id; break; } } } } /* Remove conn sections that have become unused */ for (conn = cfg->conn_first; conn; conn = conn->next) { if (conn->state == STATE_ADDED) { if (starter_charon_pid()) { if (conn->startup == STARTUP_ROUTE) { starter_stroke_unroute_conn(conn); } starter_stroke_del_conn(conn); } } } /* Look for new ca sections that are already loaded */ for (ca = cfg->ca_first; ca; ca = ca->next) { if (ca->state == STATE_ADDED) { for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next) { if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2)) { ca->state = STATE_REPLACED; ca2->state = STATE_ADDED; break; } } } } /* Remove ca sections that have become unused */ for (ca = cfg->ca_first; ca; ca = ca->next) { if (ca->state == STATE_ADDED) { if (starter_charon_pid()) { starter_stroke_del_ca(ca); } } } confread_free(cfg); cfg = new_cfg; } else { DBG1(DBG_APP, "can't reload config file due to errors -- keeping old one"); if (new_cfg) { confread_free(new_cfg); } } _action_ &= ~FLAG_ACTION_UPDATE; last_reload = time_monotonic(NULL); } /* * Start daemon */ if (_action_ & FLAG_ACTION_START_CHARON) { if (cfg->setup.charonstart && !starter_charon_pid()) { DBG2(DBG_APP, "Attempting to start %s...", daemon_name); if (starter_start_charon(cfg, no_fork, attach_gdb)) { /* schedule next try */ alarm(CHARON_RESTART_DELAY); } starter_stroke_configure(cfg); } _action_ &= ~FLAG_ACTION_START_CHARON; for (ca = cfg->ca_first; ca; ca = ca->next) { if (ca->state == STATE_ADDED) { ca->state = STATE_TO_ADD; } } for (conn = cfg->conn_first; conn; conn = conn->next) { if (conn->state == STATE_ADDED) { conn->state = STATE_TO_ADD; } } } /* * Add stale conn and ca sections */ if (starter_charon_pid()) { for (ca = cfg->ca_first; ca; ca = ca->next) { if (ca->state == STATE_TO_ADD) { if (starter_charon_pid()) { starter_stroke_add_ca(ca); } ca->state = STATE_ADDED; } } for (conn = cfg->conn_first; conn; conn = conn->next) { if (conn->state == STATE_TO_ADD) { if (conn->id == 0) { /* affect new unique id */ conn->id = id++; } if (starter_charon_pid()) { starter_stroke_add_conn(cfg, conn); } conn->state = STATE_ADDED; if (conn->startup == STARTUP_START) { if (starter_charon_pid()) { starter_stroke_initiate_conn(conn); } } else if (conn->startup == STARTUP_ROUTE) { if (starter_charon_pid()) { starter_stroke_route_conn(conn); } } } } } /* * If auto_update activated, when to stop select */ if (auto_update) { time_t now = time_monotonic(NULL); ts.tv_sec = (now < last_reload + auto_update) ? (last_reload + auto_update - now) : 0; ts.tv_nsec = 0; } /* * Wait for something to happen */ if (!_action_ && pselect(0, NULL, NULL, NULL, auto_update ? &ts : NULL, &action.sa_mask) == 0) { /* timeout -> auto_update */ _action_ |= FLAG_ACTION_UPDATE; } } exit(LSB_RC_SUCCESS); }
int CCAMMenuHandler::handleCamMsg(const neutrino_msg_t msg, neutrino_msg_data_t data, int &msgret, bool from_menu) { char str[255]; char cnt[5]; int i; MMI_MENU_LIST_INFO Menu; MMI_ENQUIRY_INFO MmiEnquiry; MMI_MENU_LIST_INFO *pMenu = &Menu; MMI_ENQUIRY_INFO *pMmiEnquiry = &MmiEnquiry; CA_MESSAGE Msg, *rMsg; //printf("CCAMMenuHandler::handleCamMsg: msg %x data %x from %s\n", msg, data, from_menu ? "menu" : "neutrino"); msgret = messages_return::unhandled; if ((msg == NeutrinoMessages::EVT_TIMER) && (data == close_timer)) { printf("CCAMMenuHandler::handleCamMsg: EVT_TIMER close_timer %d\n", close_timer); g_RCInput->killTimer(close_timer); msgret = messages_return::cancel_info; } if (msg != NeutrinoMessages::EVT_CA_MESSAGE) return 1; msgret = messages_return::handled; rMsg = (CA_MESSAGE *)data; if (!rMsg) return -1; Msg = *rMsg; delete rMsg; u32 MsgId = Msg.MsgId; CA_SLOT_TYPE SlotType = Msg.SlotType; int curslot = Msg.Slot; printf("CCAMMenuHandler::handleCamMsg: CA msg %x from %s\n", MsgId, from_menu ? "menu" : "neutrino"); if (g_settings.ci_ignore_messages && !from_menu) return 1; hideHintBox(); if (SlotType != CA_SLOT_TYPE_SMARTCARD && SlotType != CA_SLOT_TYPE_CI) return -1; if(MsgId == CA_MESSAGE_MSG_INSERTED) { snprintf(str, sizeof(str), "%s %d", g_Locale->getText(SlotType == CA_SLOT_TYPE_CI ? LOCALE_CI_INSERTED : LOCALE_SC_INSERTED), (int)curslot+1); printf("CCAMMenuHandler::handleCamMsg: %s\n", str); ShowHint(LOCALE_MESSAGEBOX_INFO, str, 450, 3); if (in_menu) msgret = messages_return::cancel_all; } else if (MsgId == CA_MESSAGE_MSG_REMOVED) { snprintf(str, sizeof(str), "%s %d", g_Locale->getText(SlotType == CA_SLOT_TYPE_CI ? LOCALE_CI_REMOVED : LOCALE_SC_REMOVED), (int)curslot+1); printf("CCAMMenuHandler::handleCamMsg: %s\n", str); ShowHint(LOCALE_MESSAGEBOX_INFO, str, 450, 3); #if 0 if (menu_slot == curslot && menu_type == SlotType) return 3; #endif if (in_menu) msgret = messages_return::cancel_all; } else if(MsgId == CA_MESSAGE_MSG_INIT_OK) { char name[255] = "Unknown"; if (ca) ca->ModuleName(SlotType, curslot, name); snprintf(str, sizeof(str), "%s %d: %s", g_Locale->getText(SlotType == CA_SLOT_TYPE_CI ? LOCALE_CI_INIT_OK : LOCALE_SC_INIT_OK), (int)curslot+1, name); printf("CCAMMenuHandler::handleCamMsg: %s\n", str); CCamManager::getInstance()->Start(CZapit::getInstance()->GetCurrentChannelID(), CCamManager::PLAY, true); ShowHint(LOCALE_MESSAGEBOX_INFO, str, 450, 3); } else if(MsgId == CA_MESSAGE_MSG_INIT_FAILED) { char name[255] = "Unknown"; if (ca) ca->ModuleName(SlotType, curslot, name); snprintf(str, sizeof(str), "%s %d: %s", g_Locale->getText(SlotType == CA_SLOT_TYPE_CI ? LOCALE_CI_INIT_FAILED : LOCALE_SC_INIT_FAILED), (int)curslot+1, name); printf("CCAMMenuHandler::handleCamMsg: %s\n", str); ShowHint(LOCALE_MESSAGEBOX_INFO, str, 450, 3); } else if(MsgId == CA_MESSAGE_MSG_MMI_MENU || MsgId == CA_MESSAGE_MSG_MMI_LIST) { bool sublevel = false; if(MsgId != CA_MESSAGE_MSG_MMI_MENU) sublevel = true; if (!(Msg.Flags & CA_MESSAGE_HAS_PARAM1_DATA)) return -1; memmove(pMenu, (MMI_MENU_LIST_INFO*)Msg.Msg.Data[0], sizeof(MMI_MENU_LIST_INFO)); free((void *)Msg.Msg.Data[0]); printf("CCAMMenuHandler::handleCamMsg: slot %d menu ready, title %s choices %d\n", curslot, convertDVBUTF8(pMenu->title, strlen(pMenu->title), 0).c_str(), pMenu->choice_nb); int menuret = menu_return::RETURN_REPAINT; int selected = -1; if(pMenu->choice_nb && from_menu) { CMenuWidget* menu = new CMenuWidget(convertDVBUTF8(pMenu->title, strlen(pMenu->title), 0).c_str(), NEUTRINO_ICON_SETTINGS); menu->enableSaveScreen(true); CMenuSelectorTarget * selector = new CMenuSelectorTarget(&selected); int slen = strlen(pMenu->subtitle); if(slen) { char * sptr = pMenu->subtitle; char * tptr = sptr; int bpos = 0; for(int li = 0; li < slen; li++) { if((tptr[li] == 0x8A) || ((bpos > 38) && (tptr[li] == 0x20)) ) { bpos = 0; tptr[li] = 0; printf("CCAMMenuHandler::handleCamMsg: subtitle: %s\n", sptr); menu->addItem(new CMenuForwarder(convertDVBUTF8(sptr, strlen(sptr), 0).c_str(), false)); sptr = &tptr[li+1]; } bpos++; } if(strlen(sptr)) { printf("CCAMMenuHandler::handleCamMsg: subtitle: %s\n", sptr); menu->addItem(new CMenuForwarder(convertDVBUTF8(sptr, strlen(sptr), 0).c_str(), false)); } } for(i = 0; (i < pMenu->choice_nb) && (i < MAX_MMI_ITEMS); i++) { snprintf(cnt, sizeof(cnt), "%d", i); if(sublevel) menu->addItem(new CMenuForwarder(convertDVBUTF8(pMenu->choice_item[i], strlen(pMenu->choice_item[i]), 0).c_str(), true, NULL, selector, cnt)); else menu->addItem(new CMenuForwarder(convertDVBUTF8(pMenu->choice_item[i], strlen(pMenu->choice_item[i]), 0).c_str(), true, NULL, selector, cnt, CRCInput::convertDigitToKey(i+1))); } slen = strlen(pMenu->bottom); if(slen) { printf("CCAMMenuHandler::handleCamMsg: bottom: %s\n", pMenu->bottom); menu->addItem(new CMenuForwarder(convertDVBUTF8(pMenu->bottom, slen, 0).c_str(), false)); } menuret = menu->exec(NULL, ""); delete menu; delete selector; } else { char lstr[255]; int slen = 0; if(strlen(pMenu->title)) slen += snprintf(&lstr[slen], 255-slen, "%s\n", pMenu->title); if(strlen(pMenu->subtitle)) slen += snprintf(&lstr[slen], 255-slen, "%s\n", pMenu->subtitle); if(strlen(pMenu->bottom)) slen += snprintf(&lstr[slen], 255-slen, "%s\n", pMenu->bottom); for(i = 0; (i < pMenu->choice_nb) && (i < MAX_MMI_ITEMS); i++) slen += snprintf(&lstr[slen], 255-slen, "%s\n", pMenu->choice_item[i]); ShowHint(LOCALE_MESSAGEBOX_INFO, convertDVBUTF8(lstr, slen, 0).c_str()); return 0; } if(sublevel) return menuret == menu_return::RETURN_EXIT_ALL ? 3 : 0; if(selected >= 0) { printf("CCAMMenuHandler::handleCamMsg: selected %d:%s sublevel %s\n", selected, pMenu->choice_item[i], sublevel ? "yes" : "no"); ca->MenuAnswer(SlotType, curslot, selected+1); timeoutEnd = CRCInput::calcTimeoutEnd(10); return 1; } else { return menuret == menu_return::RETURN_EXIT_ALL ? 3 : 2; } } else if(MsgId == CA_MESSAGE_MSG_MMI_REQ_INPUT) { if (!(Msg.Flags & CA_MESSAGE_HAS_PARAM1_DATA)) return -1; memmove(pMmiEnquiry, (MMI_ENQUIRY_INFO *)Msg.Msg.Data[0], sizeof(MMI_ENQUIRY_INFO)); free((void *)Msg.Msg.Data[0]); printf("CCAMMenuHandler::handleCamMsg: slot %d input request, text %s\n", curslot, convertDVBUTF8(pMmiEnquiry->enquiryText, strlen(pMmiEnquiry->enquiryText), 0).c_str()); std::string ENQAnswer; if (/* !from_menu && */ g_settings.ci_save_pincode && pMmiEnquiry->blind != 0 && (int) g_settings.ci_pincode.length() == pMmiEnquiry->answerlen) { static int acount = 0; static time_t last_ask = 0; ENQAnswer = g_settings.ci_pincode; printf("CCAMMenuHandler::handleCamMsg: using saved answer [%s] (#%d, time diff %d)\n", ENQAnswer.c_str(), acount, (int) (time_monotonic() - last_ask)); if ((time_monotonic() - last_ask) < 10) { acount++; if (acount > 4) g_settings.ci_pincode.clear(); } else { last_ask = time_monotonic(); acount = 0; } } else { CEnquiryInput *Inquiry = new CEnquiryInput((char *)convertDVBUTF8(pMmiEnquiry->enquiryText, strlen(pMmiEnquiry->enquiryText), 0).c_str(), &ENQAnswer, pMmiEnquiry->answerlen, pMmiEnquiry->blind != 0, NONEXISTANT_LOCALE); Inquiry->exec(NULL, ""); delete Inquiry; g_settings.ci_pincode = ENQAnswer; } printf("CCAMMenuHandler::handleCamMsg: input=[%s]\n", ENQAnswer.c_str()); if((int) ENQAnswer.length() != pMmiEnquiry->answerlen) { printf("CCAMMenuHandler::handleCamMsg: wrong input len\n"); ca->InputAnswer(SlotType, curslot, (unsigned char *)ENQAnswer.c_str(), 0); return 1; //FIXME } else { ca->InputAnswer(SlotType, curslot, (unsigned char *)ENQAnswer.c_str(), pMmiEnquiry->answerlen); return 1; } } else if(MsgId == CA_MESSAGE_MSG_MMI_CLOSE) { int timeout = 0; if (Msg.Flags & CA_MESSAGE_HAS_PARAM1_INT) timeout = Msg.Msg.Param[0]; printf("CCAMMenuHandler::handleCamMsg: close request slot: %d (timeout %d)\n", curslot, timeout); //ca->MenuClose(SlotType, curslot); if (timeout) close_timer = g_RCInput->addTimer(timeout*1000*1000, true); else msgret = messages_return::cancel_info; return 0; } else if(MsgId == CA_MESSAGE_MSG_MMI_TEXT) { printf("CCAMMenuHandler::handleCamMsg: text\n"); } else if(MsgId == CA_MESSAGE_MSG_CHANNEL_CHANGE) { if (!(Msg.Flags & CA_MESSAGE_HAS_PARAM1_LONG)) return -1; t_channel_id chid = Msg.Msg.ParamLong[0]; printf("CCAMMenuHandler::handleCamMsg: CA_MESSAGE_MSG_CHANNEL_CHANGE: %" PRIx64 "\n", chid); CZapitChannel * channel = CServiceManager::getInstance()->FindChannel48(chid); if (!channel) { printf("CCAMMenuHandler::handleCamMsg: channel %" PRIx64 "not found\n", chid); return -1; } CNeutrinoApp::getInstance()->zapTo(channel->getChannelID()); } return 1; }
/** * @brief main of scepclient * * @param argc number of arguments * @param argv pointer to the argument values */ int main(int argc, char **argv) { /* external values */ extern char * optarg; extern int optind; /* type of input and output files */ typedef enum { PKCS1 = 0x01, PKCS10 = 0x02, PKCS7 = 0x04, CERT_SELF = 0x08, CERT = 0x10, CACERT_ENC = 0x20, CACERT_SIG = 0x40, } scep_filetype_t; /* filetype to read from, defaults to "generate a key" */ scep_filetype_t filetype_in = 0; /* filetype to write to, no default here */ scep_filetype_t filetype_out = 0; /* input files */ char *file_in_pkcs1 = DEFAULT_FILENAME_PKCS1; char *file_in_pkcs10 = DEFAULT_FILENAME_PKCS10; char *file_in_cert_self = DEFAULT_FILENAME_CERT_SELF; char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC; char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG; /* output files */ char *file_out_pkcs1 = DEFAULT_FILENAME_PKCS1; char *file_out_pkcs10 = DEFAULT_FILENAME_PKCS10; char *file_out_pkcs7 = DEFAULT_FILENAME_PKCS7; char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF; char *file_out_cert = DEFAULT_FILENAME_CERT; char *file_out_ca_cert = DEFAULT_FILENAME_CACERT_ENC; /* by default user certificate is requested */ bool request_ca_certificate = FALSE; /* by default existing files are not overwritten */ bool force = FALSE; /* length of RSA key in bits */ u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH; /* validity of self-signed certificate */ time_t validity = DEFAULT_CERT_VALIDITY; time_t notBefore = 0; time_t notAfter = 0; /* distinguished name for requested certificate, ASCII format */ char *distinguishedName = NULL; /* challenge password */ char challenge_password_buffer[MAX_PASSWORD_LENGTH]; /* symmetric encryption algorithm used by pkcs7, default is DES */ encryption_algorithm_t pkcs7_symmetric_cipher = ENCR_DES; size_t pkcs7_key_size = 0; /* digest algorithm used by pkcs7, default is MD5 */ hash_algorithm_t pkcs7_digest_alg = HASH_MD5; /* signature algorithm used by pkcs10, default is MD5 */ hash_algorithm_t pkcs10_signature_alg = HASH_MD5; /* URL of the SCEP-Server */ char *scep_url = NULL; /* Name of CA to fetch CA certs for */ char *ca_name = "CAIdentifier"; /* http request method, default is GET */ bool http_get_request = TRUE; /* poll interval time in manual mode in seconds */ u_int poll_interval = DEFAULT_POLL_INTERVAL; /* maximum poll time */ u_int max_poll_time = 0; err_t ugh = NULL; /* initialize library */ if (!library_init(NULL)) { library_deinit(); exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); } if (lib->integrity && !lib->integrity->check_file(lib->integrity, "scepclient", argv[0])) { fprintf(stderr, "integrity check of scepclient failed\n"); library_deinit(); exit(SS_RC_DAEMON_INTEGRITY); } /* initialize global variables */ pkcs1 = chunk_empty; pkcs7 = chunk_empty; serialNumber = chunk_empty; transID = chunk_empty; fingerprint = chunk_empty; encoding = chunk_empty; pkcs10_encoding = chunk_empty; issuerAndSubject = chunk_empty; challengePassword = chunk_empty; getCertInitial = chunk_empty; scep_response = chunk_empty; subjectAltNames = linked_list_create(); options = options_create(); for (;;) { static const struct option long_opts[] = { /* name, has_arg, flag, val */ { "help", no_argument, NULL, 'h' }, { "version", no_argument, NULL, 'v' }, { "optionsfrom", required_argument, NULL, '+' }, { "quiet", no_argument, NULL, 'q' }, { "debug", required_argument, NULL, 'l' }, { "in", required_argument, NULL, 'i' }, { "out", required_argument, NULL, 'o' }, { "force", no_argument, NULL, 'f' }, { "httptimeout", required_argument, NULL, 'T' }, { "keylength", required_argument, NULL, 'k' }, { "dn", required_argument, NULL, 'd' }, { "days", required_argument, NULL, 'D' }, { "startdate", required_argument, NULL, 'S' }, { "enddate", required_argument, NULL, 'E' }, { "subjectAltName", required_argument, NULL, 's' }, { "password", required_argument, NULL, 'p' }, { "algorithm", required_argument, NULL, 'a' }, { "url", required_argument, NULL, 'u' }, { "caname", required_argument, NULL, 'c'}, { "method", required_argument, NULL, 'm' }, { "interval", required_argument, NULL, 't' }, { "maxpolltime", required_argument, NULL, 'x' }, { 0,0,0,0 } }; /* parse next option */ int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:c:m:t:x:APRCMS", long_opts, NULL); switch (c) { case EOF: /* end of flags */ break; case 'h': /* --help */ usage(NULL); case 'v': /* --version */ version(); case 'q': /* --quiet */ log_to_stderr = FALSE; continue; case 'l': /* --debug <level> */ default_loglevel = atoi(optarg); continue; case 'i': /* --in <type> [= <filename>] */ { char *filename = strstr(optarg, "="); if (filename) { /* replace '=' by '\0' */ *filename = '\0'; /* set pointer to start of filename */ filename++; } if (strcaseeq("pkcs1", optarg)) { filetype_in |= PKCS1; if (filename) file_in_pkcs1 = filename; } else if (strcaseeq("pkcs10", optarg)) { filetype_in |= PKCS10; if (filename) file_in_pkcs10 = filename; } else if (strcaseeq("cacert-enc", optarg)) { filetype_in |= CACERT_ENC; if (filename) file_in_cacert_enc = filename; } else if (strcaseeq("cacert-sig", optarg)) { filetype_in |= CACERT_SIG; if (filename) file_in_cacert_sig = filename; } else if (strcaseeq("cert-self", optarg)) { filetype_in |= CERT_SELF; if (filename) file_in_cert_self = filename; } else { usage("invalid --in file type"); } continue; } case 'o': /* --out <type> [= <filename>] */ { char *filename = strstr(optarg, "="); if (filename) { /* replace '=' by '\0' */ *filename = '\0'; /* set pointer to start of filename */ filename++; } if (strcaseeq("pkcs1", optarg)) { filetype_out |= PKCS1; if (filename) file_out_pkcs1 = filename; } else if (strcaseeq("pkcs10", optarg)) { filetype_out |= PKCS10; if (filename) file_out_pkcs10 = filename; } else if (strcaseeq("pkcs7", optarg)) { filetype_out |= PKCS7; if (filename) file_out_pkcs7 = filename; } else if (strcaseeq("cert-self", optarg)) { filetype_out |= CERT_SELF; if (filename) file_out_cert_self = filename; } else if (strcaseeq("cert", optarg)) { filetype_out |= CERT; if (filename) file_out_cert = filename; } else if (strcaseeq("cacert", optarg)) { request_ca_certificate = TRUE; if (filename) file_out_ca_cert = filename; } else { usage("invalid --out file type"); } continue; } case 'f': /* --force */ force = TRUE; continue; case 'T': /* --httptimeout */ http_timeout = atoi(optarg); if (http_timeout <= 0) { usage("invalid httptimeout specified"); } continue; case '+': /* --optionsfrom <filename> */ if (!options->from(options, optarg, &argc, &argv, optind)) { exit_scepclient("optionsfrom failed"); } continue; case 'k': /* --keylength <length> */ { div_t q; rsa_keylength = atoi(optarg); if (rsa_keylength == 0) usage("invalid keylength"); /* check if key length is a multiple of 8 bits */ q = div(rsa_keylength, 2*BITS_PER_BYTE); if (q.rem != 0) { exit_scepclient("keylength is not a multiple of %d bits!" , 2*BITS_PER_BYTE); } continue; } case 'D': /* --days */ if (optarg == NULL || !isdigit(optarg[0])) { usage("missing number of days"); } else { char *endptr; long days = strtol(optarg, &endptr, 0); if (*endptr != '\0' || endptr == optarg || days <= 0) usage("<days> must be a positive number"); validity = 24*3600*days; } continue; case 'S': /* --startdate */ if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z') { usage("date format must be YYMMDDHHMMSSZ"); } else { chunk_t date = { optarg, 13 }; notBefore = asn1_to_time(&date, ASN1_UTCTIME); } continue; case 'E': /* --enddate */ if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z') { usage("date format must be YYMMDDHHMMSSZ"); } else { chunk_t date = { optarg, 13 }; notAfter = asn1_to_time(&date, ASN1_UTCTIME); } continue; case 'd': /* --dn */ if (distinguishedName) { usage("only one distinguished name allowed"); } distinguishedName = optarg; continue; case 's': /* --subjectAltName */ { char *value = strstr(optarg, "="); if (value) { /* replace '=' by '\0' */ *value = '\0'; /* set pointer to start of value */ value++; } if (strcaseeq("email", optarg) || strcaseeq("dns", optarg) || strcaseeq("ip", optarg)) { subjectAltNames->insert_last(subjectAltNames, identification_create_from_string(value)); continue; } else { usage("invalid --subjectAltName type"); continue; } } case 'p': /* --password */ if (challengePassword.len > 0) { usage("only one challenge password allowed"); } if (strcaseeq("%prompt", optarg)) { printf("Challenge password: "******"challenge password could not be read"); } } else { challengePassword.ptr = optarg; challengePassword.len = strlen(optarg); } continue; case 'u': /* -- url */ if (scep_url) { usage("only one URL argument allowed"); } scep_url = optarg; continue; case 'c': /* -- caname */ ca_name = optarg; continue; case 'm': /* --method */ if (strcaseeq("get", optarg)) { http_get_request = TRUE; } else if (strcaseeq("post", optarg)) { http_get_request = FALSE; } else { usage("invalid http request method specified"); } continue; case 't': /* --interval */ poll_interval = atoi(optarg); if (poll_interval <= 0) { usage("invalid interval specified"); } continue; case 'x': /* --maxpolltime */ max_poll_time = atoi(optarg); continue; case 'a': /*--algorithm [<type>=]algo */ { const proposal_token_t *token; char *type = optarg; char *algo = strstr(optarg, "="); if (algo) { *algo = '\0'; algo++; } else { type = "enc"; algo = optarg; } if (strcaseeq("enc", type)) { token = lib->proposal->get_token(lib->proposal, algo); if (token == NULL || token->type != ENCRYPTION_ALGORITHM) { usage("invalid algorithm specified"); } pkcs7_symmetric_cipher = token->algorithm; pkcs7_key_size = token->keysize; if (encryption_algorithm_to_oid(token->algorithm, token->keysize) == OID_UNKNOWN) { usage("unsupported encryption algorithm specified"); } } else if (strcaseeq("dgst", type) || strcaseeq("sig", type)) { hash_algorithm_t hash; token = lib->proposal->get_token(lib->proposal, algo); if (token == NULL || token->type != INTEGRITY_ALGORITHM) { usage("invalid algorithm specified"); } hash = hasher_algorithm_from_integrity(token->algorithm, NULL); if (hash == OID_UNKNOWN) { usage("invalid algorithm specified"); } if (strcaseeq("dgst", type)) { pkcs7_digest_alg = hash; } else { pkcs10_signature_alg = hash; } } else { usage("invalid --algorithm type"); } continue; } default: usage("unknown option"); } /* break from loop */ break; } init_log("scepclient"); /* load plugins, further infrastructure may need it */ if (!lib->plugins->load(lib->plugins, NULL, lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS))) { exit_scepclient("plugin loading failed"); } DBG1(DBG_APP, " loaded plugins: %s", lib->plugins->loaded_plugins(lib->plugins)); if ((filetype_out == 0) && (!request_ca_certificate)) { usage("--out filetype required"); } if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0)) { usage("in CA certificate request, no other --in or --out option allowed"); } /* check if url is given, if cert output defined */ if (((filetype_out & CERT) || request_ca_certificate) && !scep_url) { usage("URL of SCEP server required"); } /* check for sanity of --in/--out */ if (!filetype_in && (filetype_in > filetype_out)) { usage("cannot generate --out of given --in!"); } /* get CA cert */ if (request_ca_certificate) { char ca_path[PATH_MAX]; container_t *container; pkcs7_t *pkcs7; if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)), SCEP_GET_CA_CERT, http_get_request, http_timeout, &scep_response)) { exit_scepclient("did not receive a valid scep response"); } join_paths(ca_path, sizeof(ca_path), CA_CERT_PATH, file_out_ca_cert); pkcs7 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7, BUILD_BLOB_ASN1_DER, scep_response, BUILD_END); if (!pkcs7) { /* no PKCS#7 encoded CA+RA certificates, assume simple CA cert */ DBG1(DBG_APP, "unable to parse PKCS#7, assuming plain CA cert"); if (!chunk_write(scep_response, ca_path, "ca cert", 0022, force)) { exit_scepclient("could not write ca cert file '%s'", ca_path); } } else { enumerator_t *enumerator; certificate_t *cert; int ra_certs = 0, ca_certs = 0; int ra_index = 1, ca_index = 1; enumerator = pkcs7->create_cert_enumerator(pkcs7); while (enumerator->enumerate(enumerator, &cert)) { x509_t *x509 = (x509_t*)cert; if (x509->get_flags(x509) & X509_CA) { ca_certs++; } else { ra_certs++; } } enumerator->destroy(enumerator); enumerator = pkcs7->create_cert_enumerator(pkcs7); while (enumerator->enumerate(enumerator, &cert)) { x509_t *x509 = (x509_t*)cert; bool ca_cert = x509->get_flags(x509) & X509_CA; char cert_path[PATH_MAX], *path = ca_path; if (ca_cert && ca_certs > 1) { add_path_suffix(cert_path, sizeof(cert_path), ca_path, "-%.1d", ca_index++); path = cert_path; } else if (!ca_cert) { /* use CA name as base for RA certs */ if (ra_certs > 1) { add_path_suffix(cert_path, sizeof(cert_path), ca_path, "-ra-%.1d", ra_index++); } else { add_path_suffix(cert_path, sizeof(cert_path), ca_path, "-ra"); } path = cert_path; } if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) || !chunk_write(encoding, path, ca_cert ? "ca cert" : "ra cert", 0022, force)) { exit_scepclient("could not write cert file '%s'", path); } chunk_free(&encoding); } enumerator->destroy(enumerator); container = &pkcs7->container; container->destroy(container); } exit_scepclient(NULL); /* no further output required */ } creds = mem_cred_create(); lib->credmgr->add_set(lib->credmgr, &creds->set); /* * input of PKCS#1 file */ if (filetype_in & PKCS1) /* load an RSA key pair from file */ { char path[PATH_MAX]; join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_in_pkcs1); private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, BUILD_FROM_FILE, path, BUILD_END); } else /* generate an RSA key pair */ { private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, BUILD_KEY_SIZE, rsa_keylength, BUILD_END); } if (private_key == NULL) { exit_scepclient("no RSA private key available"); } creds->add_key(creds, private_key->get_ref(private_key)); public_key = private_key->get_public_key(private_key); /* check for minimum key length */ if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS / BITS_PER_BYTE) { exit_scepclient("length of RSA key has to be at least %d bits", RSA_MIN_OCTETS * BITS_PER_BYTE); } /* * input of PKCS#10 file */ if (filetype_in & PKCS10) { char path[PATH_MAX]; join_paths(path, sizeof(path), REQ_PATH, file_in_pkcs10); pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, BUILD_FROM_FILE, path, BUILD_END); if (!pkcs10_req) { exit_scepclient("could not read certificate request '%s'", path); } subject = pkcs10_req->get_subject(pkcs10_req); subject = subject->clone(subject); } else { if (distinguishedName == NULL) { char buf[BUF_LEN]; int n = sprintf(buf, DEFAULT_DN); /* set the common name to the hostname */ if (gethostname(buf + n, BUF_LEN - n) || strlen(buf) == n) { exit_scepclient("no hostname defined, use " "--dn <distinguished name> option"); } distinguishedName = buf; } DBG2(DBG_APP, "dn: '%s'", distinguishedName); subject = identification_create_from_string(distinguishedName); if (subject->get_type(subject) != ID_DER_ASN1_DN) { exit_scepclient("parsing of distinguished name failed"); } DBG2(DBG_APP, "building pkcs10 object:"); pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, BUILD_SIGNING_KEY, private_key, BUILD_SUBJECT, subject, BUILD_SUBJECT_ALTNAMES, subjectAltNames, BUILD_CHALLENGE_PWD, challengePassword, BUILD_DIGEST_ALG, pkcs10_signature_alg, BUILD_END); if (!pkcs10_req) { exit_scepclient("generating pkcs10 request failed"); } } pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding); fingerprint = scep_generate_pkcs10_fingerprint(pkcs10_encoding); DBG1(DBG_APP, " fingerprint: %s", fingerprint.ptr); /* * output of PKCS#10 file */ if (filetype_out & PKCS10) { char path[PATH_MAX]; join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs10); if (!chunk_write(pkcs10_encoding, path, "pkcs10", 0022, force)) { exit_scepclient("could not write pkcs10 file '%s'", path); } filetype_out &= ~PKCS10; /* delete PKCS10 flag */ } if (!filetype_out) { exit_scepclient(NULL); /* no further output required */ } /* * output of PKCS#1 file */ if (filetype_out & PKCS1) { char path[PATH_MAX]; join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_out_pkcs1); DBG2(DBG_APP, "building pkcs1 object:"); if (!private_key->get_encoding(private_key, PRIVKEY_ASN1_DER, &pkcs1) || !chunk_write(pkcs1, path, "pkcs1", 0066, force)) { exit_scepclient("could not write pkcs1 file '%s'", path); } filetype_out &= ~PKCS1; /* delete PKCS1 flag */ } if (!filetype_out) { exit_scepclient(NULL); /* no further output required */ } scep_generate_transaction_id(public_key, &transID, &serialNumber); DBG1(DBG_APP, " transaction ID: %.*s", (int)transID.len, transID.ptr); /* * read or generate self-signed X.509 certificate */ if (filetype_in & CERT_SELF) { char path[PATH_MAX]; join_paths(path, sizeof(path), HOST_CERT_PATH, file_in_cert_self); x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, path, BUILD_END); if (!x509_signer) { exit_scepclient("could not read certificate file '%s'", path); } } else { notBefore = notBefore ? notBefore : time(NULL); notAfter = notAfter ? notAfter : (notBefore + validity); x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_SIGNING_KEY, private_key, BUILD_PUBLIC_KEY, public_key, BUILD_SUBJECT, subject, BUILD_NOT_BEFORE_TIME, notBefore, BUILD_NOT_AFTER_TIME, notAfter, BUILD_SERIAL, serialNumber, BUILD_SUBJECT_ALTNAMES, subjectAltNames, BUILD_END); if (!x509_signer) { exit_scepclient("generating certificate failed"); } } creds->add_cert(creds, TRUE, x509_signer->get_ref(x509_signer)); /* * output of self-signed X.509 certificate file */ if (filetype_out & CERT_SELF) { char path[PATH_MAX]; join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert_self); if (!x509_signer->get_encoding(x509_signer, CERT_ASN1_DER, &encoding)) { exit_scepclient("encoding certificate failed"); } if (!chunk_write(encoding, path, "self-signed cert", 0022, force)) { exit_scepclient("could not write self-signed cert file '%s'", path); } chunk_free(&encoding); filetype_out &= ~CERT_SELF; /* delete CERT_SELF flag */ } if (!filetype_out) { exit_scepclient(NULL); /* no further output required */ } /* * load ca encryption certificate */ { char path[PATH_MAX]; join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_enc); x509_ca_enc = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, path, BUILD_END); if (!x509_ca_enc) { exit_scepclient("could not load encryption cacert file '%s'", path); } } /* * input of PKCS#7 file */ if (filetype_in & PKCS7) { /* user wants to load a pkcs7 encrypted request * operation is not yet supported! * would require additional parsing of transaction-id pkcs7 = pkcs7_read_from_file(file_in_pkcs7); */ } else { DBG2(DBG_APP, "building pkcs7 request"); pkcs7 = scep_build_request(pkcs10_encoding, transID, SCEP_PKCSReq_MSG, x509_ca_enc, pkcs7_symmetric_cipher, pkcs7_key_size, x509_signer, pkcs7_digest_alg, private_key); if (!pkcs7.ptr) { exit_scepclient("failed to build pkcs7 request"); } } /* * output pkcs7 encrypted and signed certificate request */ if (filetype_out & PKCS7) { char path[PATH_MAX]; join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs7); if (!chunk_write(pkcs7, path, "pkcs7 encrypted request", 0022, force)) { exit_scepclient("could not write pkcs7 file '%s'", path); } filetype_out &= ~PKCS7; /* delete PKCS7 flag */ } if (!filetype_out) { exit_scepclient(NULL); /* no further output required */ } /* * output certificate fetch from SCEP server */ if (filetype_out & CERT) { bool stored = FALSE; certificate_t *cert; enumerator_t *enumerator; char path[PATH_MAX]; time_t poll_start = 0; pkcs7_t *p7; container_t *container = NULL; chunk_t chunk; scep_attributes_t attrs = empty_scep_attributes; join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_sig); x509_ca_sig = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, path, BUILD_END); if (!x509_ca_sig) { exit_scepclient("could not load signature cacert file '%s'", path); } creds->add_cert(creds, TRUE, x509_ca_sig->get_ref(x509_ca_sig)); if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION, http_get_request, http_timeout, &scep_response)) { exit_scepclient("did not receive a valid scep response"); } ugh = scep_parse_response(scep_response, transID, &container, &attrs); if (ugh != NULL) { exit_scepclient(ugh); } /* in case of manual mode, we are going into a polling loop */ if (attrs.pkiStatus == SCEP_PENDING) { identification_t *issuer = x509_ca_sig->get_subject(x509_ca_sig); DBG1(DBG_APP, " scep request pending, polling every %d seconds", poll_interval); poll_start = time_monotonic(NULL); issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc", issuer->get_encoding(issuer), subject); } while (attrs.pkiStatus == SCEP_PENDING) { if (max_poll_time > 0 && (time_monotonic(NULL) - poll_start >= max_poll_time)) { exit_scepclient("maximum poll time reached: %d seconds" , max_poll_time); } DBG2(DBG_APP, "going to sleep for %d seconds", poll_interval); sleep(poll_interval); free(scep_response.ptr); container->destroy(container); DBG2(DBG_APP, "fingerprint: %.*s", (int)fingerprint.len, fingerprint.ptr); DBG2(DBG_APP, "transaction ID: %.*s", (int)transID.len, transID.ptr); chunk_free(&getCertInitial); getCertInitial = scep_build_request(issuerAndSubject, transID, SCEP_GetCertInitial_MSG, x509_ca_enc, pkcs7_symmetric_cipher, pkcs7_key_size, x509_signer, pkcs7_digest_alg, private_key); if (!getCertInitial.ptr) { exit_scepclient("failed to build scep request"); } if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION, http_get_request, http_timeout, &scep_response)) { exit_scepclient("did not receive a valid scep response"); } ugh = scep_parse_response(scep_response, transID, &container, &attrs); if (ugh != NULL) { exit_scepclient(ugh); } } if (attrs.pkiStatus != SCEP_SUCCESS) { container->destroy(container); exit_scepclient("reply status is not 'SUCCESS'"); } if (!container->get_data(container, &chunk)) { container->destroy(container); exit_scepclient("extracting signed-data failed"); } container->destroy(container); /* decrypt enveloped-data container */ container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7, BUILD_BLOB_ASN1_DER, chunk, BUILD_END); free(chunk.ptr); if (!container) { exit_scepclient("could not decrypt envelopedData"); } if (!container->get_data(container, &chunk)) { container->destroy(container); exit_scepclient("extracting encrypted-data failed"); } container->destroy(container); /* parse signed-data container */ container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7, BUILD_BLOB_ASN1_DER, chunk, BUILD_END); free(chunk.ptr); if (!container) { exit_scepclient("could not parse singed-data"); } /* no need to verify the signed-data container, the signature does NOT * cover the contained certificates */ /* store the end entity certificate */ join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert); p7 = (pkcs7_t*)container; enumerator = p7->create_cert_enumerator(p7); while (enumerator->enumerate(enumerator, &cert)) { x509_t *x509 = (x509_t*)cert; if (!(x509->get_flags(x509) & X509_CA)) { if (stored) { exit_scepclient("multiple certs received, only first stored"); } if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) || !chunk_write(encoding, path, "requested cert", 0022, force)) { exit_scepclient("could not write cert file '%s'", path); } chunk_free(&encoding); stored = TRUE; } } enumerator->destroy(enumerator); container->destroy(container); chunk_free(&attrs.transID); chunk_free(&attrs.senderNonce); chunk_free(&attrs.recipientNonce); filetype_out &= ~CERT; /* delete CERT flag */ } exit_scepclient(NULL); return -1; /* should never be reached */ }