sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-04 00:00:14 -04:00
Code Issues Projects Releases Wiki Activity

pki: Clean up SCEP functions

Browse Source
This commit is contained in:
Andreas Steffen 2022-08-14 04:29:44 +02:00
parent ba76a9f5ff
commit b16c0e928e
2 changed files with 89 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

144
src/pki/scep/scep.c
View File

@ -89,65 +89,34 @@ const scep_attributes_t empty_scep_attributes = {
};
/**
* Extract X.501 attributes
* Parse CA Capabilities of SCEP server
*/
void extract_attributes(pkcs7_t *pkcs7, enumerator_t *enumerator,
scep_attributes_t *attrs)
uint32_t scep_parse_caps(chunk_t response)
{
chunk_t attr;
uint32_t caps_flags = 0;
chunk_t line;
if (pkcs7->get_attribute(pkcs7, OID_PKI_MESSAGE_TYPE, enumerator, &attr))
DBG2(DBG_APP, "CA Capabilities:");
while (fetchline(&response, &line))
{
scep_msg_t m;
int i;
for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
for (i = 0; i < countof(caps_names); i++)
{
if (strncmp(msgType_values[m], attr.ptr, attr.len) == 0)
if (strncaseeq(caps_names[i], line.ptr, line.len))
{
attrs->msgType = m;
DBG2(DBG_APP, " %s", caps_names[i]);
caps_flags |= (1 << i);
}
}
DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]);
free(attr.ptr);
}
if (pkcs7->get_attribute(pkcs7, OID_PKI_STATUS, enumerator, &attr))
{
pkiStatus_t s;
for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
{
if (strncmp(pkiStatus_values[s], attr.ptr, attr.len) == 0)
{
attrs->pkiStatus = s;
}
}
DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]);
free(attr.ptr);
}
if (pkcs7->get_attribute(pkcs7, OID_PKI_FAIL_INFO, enumerator, &attr))
{
if (attr.len == 1 && *attr.ptr >= '0' && *attr.ptr <= '4')
{
attrs->failInfo = (failInfo_t)(*attr.ptr - '0');
}
if (attrs->failInfo != SCEP_unknown_REASON)
{
DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]);
}
free(attr.ptr);
}
pkcs7->get_attribute(pkcs7, OID_PKI_SENDER_NONCE, enumerator,
&attrs->senderNonce);
pkcs7->get_attribute(pkcs7, OID_PKI_RECIPIENT_NONCE, enumerator,
&attrs->recipientNonce);
pkcs7->get_attribute(pkcs7, OID_PKI_TRANS_ID, enumerator,
&attrs->transID);
return caps_flags;
}
/**
* Generate a transaction ID as the SHA-1 hash of the publicKeyInfo
* the transaction ID is also used as a unique serial number
* The transaction ID is also used as a unique serial number
*/
bool scep_generate_transaction_id(public_key_t *public,
chunk_t *transId, chunk_t *serialNumber)
@ -189,7 +158,7 @@ bool scep_generate_transaction_id(public_key_t *public,
}
/**
* Builds a pkcs7 enveloped and signed scep request
* Builds a PKCS#7 enveloped and signed SCEP request
*/
chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
certificate_t *enc_cert, encryption_algorithm_t enc_alg,
@ -421,6 +390,66 @@ bool scep_http_request(const char *url, scep_op_t op, bool http_post,
return (status == SUCCESS);
}
/**
* Extract X.501 attributes
*/
void extract_attributes(pkcs7_t *pkcs7, enumerator_t *enumerator,
scep_attributes_t *attrs)
{
chunk_t attr;
if (pkcs7->get_attribute(pkcs7, OID_PKI_MESSAGE_TYPE, enumerator, &attr))
{
scep_msg_t m;
for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
{
if (strncmp(msgType_values[m], attr.ptr, attr.len) == 0)
{
attrs->msgType = m;
}
}
DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]);
free(attr.ptr);
}
if (pkcs7->get_attribute(pkcs7, OID_PKI_STATUS, enumerator, &attr))
{
pkiStatus_t s;
for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
{
if (strncmp(pkiStatus_values[s], attr.ptr, attr.len) == 0)
{
attrs->pkiStatus = s;
}
}
DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]);
free(attr.ptr);
}
if (pkcs7->get_attribute(pkcs7, OID_PKI_FAIL_INFO, enumerator, &attr))
{
if (attr.len == 1 && *attr.ptr >= '0' && *attr.ptr <= '4')
{
attrs->failInfo = (failInfo_t)(*attr.ptr - '0');
}
if (attrs->failInfo != SCEP_unknown_REASON)
{
DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]);
}
free(attr.ptr);
}
pkcs7->get_attribute(pkcs7, OID_PKI_SENDER_NONCE, enumerator,
&attrs->senderNonce);
pkcs7->get_attribute(pkcs7, OID_PKI_RECIPIENT_NONCE, enumerator,
&attrs->recipientNonce);
pkcs7->get_attribute(pkcs7, OID_PKI_TRANS_ID, enumerator,
&attrs->transID);
}
/**
* Parse PKCS#7 encoded SCEP response
*/
bool scep_parse_response(chunk_t response, chunk_t transID,
container_t **out, scep_attributes_t *attrs)
{
@ -471,26 +500,3 @@ error:
container->destroy(container);
return FALSE;
}
uint32_t scep_parse_caps(chunk_t response)
{
uint32_t caps_flags = 0;
chunk_t line;
DBG2(DBG_APP, "CA Capabilities:");
while (fetchline(&response, &line))
{
int i;
for (i = 0; i < countof(caps_names); i++)
{
if (strncaseeq(caps_names[i], line.ptr, line.len))
{
DBG2(DBG_APP, " %s", caps_names[i]);
caps_flags |= (1 << i);
}
}
}
return caps_flags;
}

23
src/pki/scep/scep.h
View File

@ -85,17 +85,21 @@ typedef enum {
extern const scep_attributes_t empty_scep_attributes;
bool parse_attributes(chunk_t blob, scep_attributes_t *attrs);
/**
* Parse SCEP CA Capabilities
*/
uint32_t scep_parse_caps(chunk_t response);
/**
* Generate a transaction ID as the SHA-1 hash of the publicKeyInfo
* The transaction ID is also used as a unique serial number
*/
bool scep_generate_transaction_id(public_key_t *key,
chunk_t *transId, chunk_t *serialNumber);
chunk_t scep_transId_attribute(chunk_t transaction_id);
chunk_t scep_messageType_attribute(scep_msg_t m);
chunk_t scep_senderNonce_attribute(void);
/**
* Builds a PKCS#7 enveloped and signed SCEP request
*/
chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
certificate_t *enc_cert, encryption_algorithm_t enc_alg,
size_t key_size, certificate_t *signer_cert,
@ -107,9 +111,10 @@ chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
bool scep_http_request(const char *url, scep_op_t op, bool http_post,
chunk_t data, chunk_t *response, u_int *http_code);
/**
* Parse PKCS#7 encoded SCEP response
*/
bool scep_parse_response(chunk_t response, chunk_t transID, container_t **out,
scep_attributes_t *attrs);
uint32_t scep_parse_caps(chunk_t response);
#endif /* _SCEP_H */