scepclient: Option added to read self-signed certificate from a file.

2025-12-15 00:00:26 -05:00 · 2012-06-01 14:43:12 +02:00 · 2012-06-01 14:43:12 +02:00 · cea9bf563a
commit cea9bf563a
parent 3a7c6b39b5
2 changed files with 53 additions and 21 deletions
--- a/src/scepclient/scepclient.8
+++ b/src/scepclient/scepclient.8
@ -73,7 +73,7 @@ The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
 .B \-i, \-\-in \fItype\fP[=\fIfilename\fP]
 .RS 4
 Input file for certificate enrollment. This option can be specified multiple times to specify input files for every \fItype\fP.
-Input files can bei either DER or PEM encoded.
+Input files can be either DER or PEM encoded.
 .PP
 Supported values for \fItype\fP:
 .IP "\fBpkcs1\fP" 12
@ -88,6 +88,11 @@ The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
 CA certificate to check signature of SCEP reply. Has to be specified for certificate enrollment.
 .br
 The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
+.IP "\fBcert-self\fP" 12
+Certificate to be used in the SCEP request.  If it is not specified a
+self-signed certificate is generated automatically.
+.br
+The default \fIfilename\fP is $CONFDIR/ipsec.d/certs/selfCert.der.
 .RE
 .PP
 .B \-k, \-\-keylength \fIbits\fP
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@ -317,9 +317,12 @@ static void usage(const char *message)
 		" --version (-v)                    show version and exit\n"
 		" --quiet (-q)                      do not write log output to stderr\n"
 		" --in (-i) <type>[=<filename>]     use <filename> of <type> for input \n"
-		"                                   <type> = pkcs1 | cacert-enc | cacert-sig\n"
-		"                                   - if no pkcs1 input is defined, a \n"
-		"                                     RSA key will be generated\n"
+		"                                   <type> = pkcs1 | cacert-enc | cacert-sig |\n"
+		"                                            cert-self\n"
+		"                                   - if no pkcs1 input is defined, an RSA\n"
+		"                                     key will be generated\n"
+		"                                   - if no cert-self input is defined, a\n"
+		"                                     self-signed certificate will be generated\n"
 		"                                   - if no filename is given, default is used\n"
 		" --out (-o) <type>[=<filename>]    write output of <type> to <filename>\n"
 		"                                   multiple outputs are allowed\n"
@ -389,7 +392,7 @@ int main(int argc, char **argv)
 		CERT_SELF  =  0x08,
 		CERT       =  0x10,
 		CACERT_ENC =  0x20,
-		CACERT_SIG =  0x40
+		CACERT_SIG =  0x40,
 	} scep_filetype_t;

 	/* filetype to read from, defaults to "generate a key" */
@ -400,6 +403,7 @@ int main(int argc, char **argv)

 	/* input files */
 	char *file_in_pkcs1      = DEFAULT_FILENAME_PKCS1;
+	char *file_in_cert_self  = DEFAULT_FILENAME_CERT_SELF;
 	char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC;
 	char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG;

@ -560,7 +564,13 @@ int main(int argc, char **argv)
 				{
 					filetype_in |= CACERT_SIG;
 					if (filename)
-						 file_in_cacert_sig = filename;
+						file_in_cacert_sig = filename;
+				}
+				else if (strcaseeq("cert-self", optarg))
+				{
+					filetype_in |= CERT_SELF;
+					if (filename)
+						file_in_cert_self = filename;
 				}
 				else
 				{
@ -1110,22 +1120,39 @@ int main(int argc, char **argv)
 	scep_generate_transaction_id(public_key, &transID, &serialNumber);
 	DBG1(DBG_APP, "  transaction ID: %.*s", (int)transID.len, transID.ptr);

-	notBefore = notBefore ? notBefore : time(NULL);
-	notAfter  = notAfter  ? notAfter  : (notBefore + validity);
-
-	/* generate a self-signed X.509 certificate */
-	x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-									 BUILD_SIGNING_KEY, private_key,
-									 BUILD_PUBLIC_KEY, public_key,
-									 BUILD_SUBJECT, subject,
-									 BUILD_NOT_BEFORE_TIME, notBefore,
-									 BUILD_NOT_AFTER_TIME, notAfter,
-									 BUILD_SERIAL, serialNumber,
-									 BUILD_SUBJECT_ALTNAMES, subjectAltNames,
-									 BUILD_END);
-	if (!x509_signer)
+	/*
+	 * read or generate self-signed X.509 certificate
+	 */
+	if (filetype_in & CERT_SELF)
 	{
-		exit_scepclient("generating certificate failed");
+		char path[PATH_MAX];
+
+		join_paths(path, sizeof(path), HOST_CERT_PATH, file_in_cert_self);
+
+		x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+										 BUILD_FROM_FILE, path, BUILD_END);
+		if (!x509_signer)
+		{
+			exit_scepclient("could not read certificate file '%s'", path);
+		}
+	}
+	else
+	{
+		notBefore = notBefore ? notBefore : time(NULL);
+		notAfter  = notAfter  ? notAfter  : (notBefore + validity);
+		x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+										 BUILD_SIGNING_KEY, private_key,
+										 BUILD_PUBLIC_KEY, public_key,
+										 BUILD_SUBJECT, subject,
+										 BUILD_NOT_BEFORE_TIME, notBefore,
+										 BUILD_NOT_AFTER_TIME, notAfter,
+										 BUILD_SERIAL, serialNumber,
+										 BUILD_SUBJECT_ALTNAMES, subjectAltNames,
+										 BUILD_END);
+		if (!x509_signer)
+		{
+			exit_scepclient("generating certificate failed");
+		}
 	}

 	/*