From a6d0957a5445c6eff0fda2e7afe9b19737c3e95e Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Feb 17 2015 15:25:00 +0000 Subject: Verify SCEP requests, start parsing SCEP replies --- diff --git a/src/Makefile.am b/src/Makefile.am index 4de1fdb..ea95ec3 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -217,7 +217,7 @@ dogtag_submit_LDADD = $(CURL_LIBS) $(XML_LIBS) $(NSS_LIBS) \ $(GMP_LIBS) $(UUID_LIBS) $(LTLIBICONV) scep_submit_CFLAGS = $(AM_CFLAGS) $(XML_CFLAGS) $(NSS_CFLAGS) $(CURL_CFLAGS) scep_submit_SOURCES = scep.c scep.h \ - submit-h.c submit-h.h util-m.c util-m.h util-n.c util-n.h \ + submit-h.c submit-h.h util-m.c util-m.h util-o.c util-o.h \ submit-u.c submit-u.h submit-e.h util.c util.h log.c log.h \ pkcs7.c pkcs7.h store.h store-gen.c tm.c tm.h prefs.c prefs.h \ prefs-o.c prefs-o.h scep-o.c scep-o.h env.h env-system.c diff --git a/src/cadata.c b/src/cadata.c index a9cc4ce..f9d671a 100644 --- a/src/cadata.c +++ b/src/cadata.c @@ -437,6 +437,7 @@ parse_encryption_certs(struct cm_store_ca *ca, struct cm_cadata_state *state, oldei = ca->cm_ca_encryption_issuer_cert; ca->cm_ca_encryption_cert = talloc_strdup(ca, msg); ca->cm_ca_encryption_issuer_cert = NULL; + ca->cm_ca_encryption_cert_pool = NULL; p = strstr(ca->cm_ca_encryption_cert, "-----END CERTIFICATE-----"); if (p != NULL) { p += strcspn(p, "\r\n"); @@ -452,6 +453,9 @@ parse_encryption_certs(struct cm_store_ca *ca, struct cm_cadata_state *state, if (p != NULL) { p += strcspn(p, "\r\n"); p += strspn(p, "\r\n"); + if (strstr(p, "-----END CERTIFICATE-----") != NULL) { + ca->cm_ca_encryption_cert_pool = talloc_strdup(ca, p); + } *p = '\0'; } } 
@@ -467,6 +471,12 @@ parse_encryption_certs(struct cm_store_ca *ca, struct cm_cadata_state *state,
 ca->cm_ca_encryption_issuer_cert = NULL;
 }
 }
+ if (ca->cm_ca_encryption_cert_pool != NULL) {
+ if (strspn(ca->cm_ca_encryption_cert_pool, "\r\n \t") ==
+ strlen(ca->cm_ca_encryption_cert_pool)) {
+ ca->cm_ca_encryption_cert_pool = NULL;
+ }
+ }
 if ((olde == NULL) && (ca->cm_ca_encryption_cert == NULL)) {
 if ((oldei == NULL) && (ca->cm_ca_encryption_issuer_cert == NULL)) {
 state->modified = 0;
diff --git a/src/iterate.c b/src/iterate.c
index e851d8a..84063bb 100644
--- a/src/iterate.c
+++ b/src/iterate.c
@@ -1048,7 +1048,7 @@ cm_iterate_entry(struct cm_store_entry *entry, struct cm_store_ca *ca,
 "need to generate SCEP data.\n",
 entry->cm_busname, entry->cm_nickname);
 entry->cm_state = CM_NEED_SCEP_DATA;
- *when = cm_time_soon;
+ *when = cm_time_now;
 } else {
 /* Don't know what's going on. HELP! */
 cm_log(1,
diff --git a/src/pkcs7.c b/src/pkcs7.c
index 88c19ee..7f69d86 100644
--- a/src/pkcs7.c
+++ b/src/pkcs7.c
@@ -836,6 +836,22 @@ get_ostring_attribute(void *parent, STACK_OF(X509_ATTRIBUTE) *attrs, int nid,
 return NULL;
 }
 
+static int
+ignore_purpose_errors(int ok, X509_STORE_CTX *ctx)
+{
+ switch (X509_STORE_CTX_get_error(ctx)) {
+ case X509_V_ERR_INVALID_PURPOSE:
+ case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
+ /* Ignore purpose and usage checks. */
+ return 1;
+ break;
+ default:
+ /* Otherwise go with the library's default behavior. */
+ return ok;
+ break;
+ }
+}
+
 int
 cm_pkcs7_verify_signed(unsigned char *data, size_t length,
 const char **roots, const char **othercerts,
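Review bot: ignore_purpose_errors turns X509_V_ERR_INVALID_PURPOSE and X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE into unconditional acceptance at every depth, so a certificate in the store that was not issued for signing still validates the PKCS#7 signer chain; the reason (presumably that SCEP RA and CA certificates are routinely issued without the keyUsage or EKU values OpenSSL expects for S/MIME signing) belongs in a header comment so the relaxation is not later mistaken for a bug, e.g. `/* SCEP RA/CA certificates often lack the keyUsage/EKU bits OpenSSL expects for S/MIME signing; accept those two errors only and keep the library's verdict for everything else. */`. The `break;` after each `return` is unreachable and can be dropped. Note that the callback never looks at X509_STORE_CTX_get_error_depth, so the exemption also applies to intermediate and root certificates, which may or may not be intended.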
@@ -905,6 +921,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, store = X509_STORE_new(); if (store == NULL) { cm_log(1, "Out of memory.\n"); + goto done; + } + X509_STORE_set_verify_cb_func(store, &ignore_purpose_errors); + certs = sk_X509_new(cert_cmp); + if (certs == NULL) { + cm_log(1, "Out of memory.\n"); + goto done; } for (i = 0; (roots != NULL) && (roots [i] != NULL); i++) { s = talloc_strdup(parent, roots[i]); @@ -925,16 +948,10 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, goto done; } X509_STORE_add_cert(store, x); + sk_X509_push(certs, X509_dup(x)); X509_free(x); } for (i = 0; (othercerts != NULL) && (othercerts[i] != NULL); i++) { - if (certs == NULL) { - certs = sk_X509_new(cert_cmp); - if (certs == NULL) { - cm_log(1, "Out of memory.\n"); - goto done; - } - } s = talloc_strdup(parent, othercerts[i]); if (s == NULL) { cm_log(1, "Out of memory.\n"); @@ -959,13 +976,15 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, cm_log(1, "Out of memory.\n"); goto done; } - if (PKCS7_verify(p7, certs, store, NULL, out, 0) != 1) { - cm_log(1, "Message failed verification.\n"); - goto done; + if (roots != NULL) { + if (PKCS7_verify(p7, certs, store, NULL, out, 0) != 1) { + cm_log(1, "Message failed verification.\n"); + goto done; + } } p7s = p7->d.sign; if (sk_PKCS7_SIGNER_INFO_num(p7s->signer_info) != 1) { - cm_log(1, "Number of signers != 1.\n"); + cm_log(1, "Number of PKCS#7 signed-data signers != 1.\n"); goto done; } si = sk_PKCS7_SIGNER_INFO_value(p7s->signer_info, 0); @@ -973,7 +992,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, encapsulated = p7s->contents; if (expected_content_type != NID_undef) { if (encapsulated == NULL) { - cm_log(1, "Error parsing encapsulated content.\n"); + cm_log(1, "Error parsing PKCS#7 encapsulated content.\n"); goto done; } if ((encapsulated->type == NULL) || 
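Review bot: `sk_X509_push(certs, X509_dup(x));` in the roots loop ignores both the NULL that X509_dup returns on allocation failure and the 0 that sk_X509_push returns when it cannot grow the stack, so a failure either stores a NULL element in `certs` or leaks the duplicate. Split and check it like the other allocations in this function: `x2 = X509_dup(x); if ((x2 == NULL) || (sk_X509_push(certs, x2) == 0)) { X509_free(x2); X509_free(x); cm_log(1, "Out of memory.\n"); goto done; }`. The same hunk leaves the return value of X509_STORE_add_cert unchecked, as the pre-existing line did. cm_pkcs7_verify_signed starts before this hunk and ends after it, so I cannot see whether `done:` releases `certs` with sk_X509_pop_free now that the stack is always allocated.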
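Review bot: With `roots == NULL` the new guard around PKCS7_verify skips signature checking entirely, so the function still returns 0 and hands back transactionId, senderNonce and the other signed attributes of a message whose signature was never checked, not even against the signer certificate carried in the message; scep.c relies on this for the locally generated request, but nothing in the function name or the visible code says so, and any other caller passing NULL roots would receive "verified" data. If the intent is only to skip chain building, `PKCS7_verify(p7, certs, store, NULL, out, (roots != NULL) ? 0 : PKCS7_NOVERIFY)` keeps the signature check against the signer's certificate and drops only the trust evaluation. Whichever is chosen, state it in the function's header comment, which lies outside this hunk, e.g. `/* roots == NULL: the signature is not validated; the caller only wants the message's signed attributes. */`.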
@@ -987,7 +1006,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, } } if (attrs == NULL) { - cm_log(1, "No signed attributes!\n"); + cm_log(1, "PKCS#7 signed-data contains no signed attributes.\n"); goto done; } ret = 0; diff --git a/src/scep.c b/src/scep.c index e78ba31..1318691 100644 --- a/src/scep.c +++ b/src/scep.c @@ -30,8 +30,8 @@ #include -#include -#include +#include +#include #include @@ -40,13 +40,14 @@ #include "log.h" #include "pkcs7.h" #include "prefs.h" +#include "scep.h" #include "store.h" #include "submit-e.h" #include "submit-h.h" #include "submit-u.h" #include "util.h" #include "util-m.h" -#include "util-n.h" +#include "util-o.h" #ifdef ENABLE_NLS #include @@ -81,6 +82,7 @@ help(const char *cmd) "\t[-p]\tsend a PKCS request (submit)\n" "\t[-r racert]\n" "\t[-R cacert]\n" + "\t[-I othercerts]\n" "\t[-v]\n", strchr(cmd, '/') ? strrchr(cmd, '/') + 1 : cmd); } 
@@ -90,15 +92,24 @@ main(int argc, char **argv) { const char *url = NULL, *results = NULL, *results2 = NULL; struct cm_submit_h_context *hctx; - int c, verbose = 0, results_length = 0, results_length2 = 0; - NSSInitContext *nctx; + int c, verbose = 0, results_length = 0, results_length2 = 0, i; enum known_ops op = op_unset; - const char *es, *id, *message = NULL, *base64, *pem; + const char *id, *message = NULL; const char *mode = NULL, *content_type = NULL, *content_type2 = NULL; void *ctx; char *params = "", *params2 = NULL, *racert = NULL, *cacert = NULL; - char **othercerts = NULL; - PRBool missing_args = PR_FALSE; + char **othercerts = NULL, *cert1 = NULL, *cert2 = NULL, *certs = NULL; + char buf[LINE_MAX] = ""; + const char *cacerts[3], **racerts; + dbus_bool_t missing_args = FALSE; + char *sent_tx, *tx, *msgtype, *pkistatus, *failinfo, *s, *tmp1, *tmp2; + unsigned char *sent_nonce, *sender_nonce, *recipient_nonce, *payload; + size_t sent_nonce_length, sender_nonce_length, recipient_nonce_length; + size_t payload_length; + long error; + + util_o_init(); + ERR_load_crypto_strings(); id = getenv(CM_SUBMIT_SCEP_CA_IDENTIFIER_ENV); if (id == NULL) { @@ -106,6 +117,7 @@ main(int argc, char **argv) } racert = getenv(CM_SUBMIT_SCEP_RA_CERTIFICATE_ENV); cacert = getenv(CM_SUBMIT_SCEP_CA_CERTIFICATE_ENV); + certs = getenv(CM_SUBMIT_SCEP_CERTIFICATES_ENV); if (getenv(CM_SUBMIT_OPERATION_ENV) != NULL) { mode = getenv(CM_SUBMIT_OPERATION_ENV); @@ -152,7 +164,7 @@ main(int argc, char **argv) bindtextdomain(PACKAGE, MYLOCALEDIR); #endif - while ((c = getopt(argc, argv, "u:i:vcCgpr:")) != -1) { + while ((c = getopt(argc, argv, "u:i:vcCgpr:R:I:")) != -1) { switch (c) { case 'u': url = optarg; 
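Review bot: The new locals `sent_tx`, `tx`, `msgtype`, `pkistatus`, `failinfo`, `sent_nonce`, `sender_nonce`, `recipient_nonce`, `payload` and the three length variables are declared without initializers, yet the request-parsing block this commit adds further down in main reads `sent_tx`, `msgtype` and `sent_nonce` after a cm_pkcs7_verify_signed call whose return value is ignored. If that function can fail before it stores its output parameters (its body is not visible here), the NULL checks that follow and the later memcmp against the reply's recipientNonce operate on indeterminate pointers and lengths. Initialising them at declaration, e.g. `char *sent_tx = NULL, *tx = NULL, *msgtype = NULL, *pkistatus = NULL, *failinfo = NULL, *s, *tmp1, *tmp2;` plus `= NULL` and `= 0` for the nonce/payload pointers and lengths, keeps those checks meaningful regardless of the callee's failure paths.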
@@ -179,12 +191,13 @@ main(int argc, char **argv) op = op_pkcsreq; break; case 'r': - /* XXX - read RA cert from the named file */ - racert = NULL; + racert = cm_submit_u_from_file(optarg); break; case 'R': - /* XXX - read CA cert from the named file */ - cacert = NULL; + cacert = cm_submit_u_from_file(optarg); + break; + case 'I': + certs = cm_submit_u_from_file(optarg); break; default: help(argv[0]); @@ -194,22 +207,8 @@ main(int argc, char **argv) } umask(S_IRWXG | S_IRWXO); - - nctx = NSS_InitContext(CM_DEFAULT_CERT_STORAGE_LOCATION, - NULL, NULL, NULL, NULL, - NSS_INIT_NOCERTDB | - NSS_INIT_READONLY | - NSS_INIT_NOROOTINIT | - NSS_INIT_NOMODDB); - if (nctx == NULL) { - cm_log(1, "Unable to initialize NSS.\n"); - _exit(1); - } - es = util_n_fips_hook(); - if (es != NULL) { - cm_log(1, "Error putting NSS into FIPS mode: %s\n", es); - _exit(1); - } + cm_log_set_method(cm_log_stderr); + cm_log_set_level(verbose); ctx = talloc_new(NULL); 
@@ -244,44 +243,82 @@ main(int argc, char **argv) } break; case op_get_initial_cert: - if (racert == NULL) { + if ((racert == NULL) || (strlen(racert) == 0)) { printf(_("No RA certificate (-r) given, and no default known.\n")); missing_args = TRUE; } else { - /* XXX - read a PKCS7 Signed Data message (pkiMessage) from either stdin or a named file. */ - if (message == NULL) { + if ((message == NULL) || (strlen(message) == 0)) { + message = cm_submit_u_from_file(argv[optind]); + } + if ((message == NULL) || (strlen(message) == 0)) { + printf(_("Error reading request, expected PKCS7 data.\n")); return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; } - message = cm_submit_u_base64_from_text(message); - message = cm_submit_u_url_encode(message); - params = talloc_asprintf(ctx, "operation=" OP_GET_INITIAL_CERT "&message=%s", message); + tmp1 = cm_submit_u_base64_from_text(message); + tmp2 = cm_submit_u_url_encode(tmp1); + params = talloc_asprintf(ctx, "operation=" OP_GET_INITIAL_CERT "&message=%s", tmp2); } break; case op_pkcsreq: - if (racert == NULL) { + if ((racert == NULL) || (strlen(racert) == 0)) { printf(_("No RA certificate (-r) given, and no default known.\n")); missing_args = TRUE; } else { - /* XXX - read a PKCS7 Signed Data message (pkiMessage) from either stdin or a named file. 
*/ - if (message == NULL) { + if ((message == NULL) || (strlen(message) == 0)) { + message = cm_submit_u_from_file(argv[optind]); + } + if ((message == NULL) || (strlen(message) == 0)) { + printf(_("Error reading request, expected PKCS7 data.\n")); return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; } - message = cm_submit_u_base64_from_text(message); - message = cm_submit_u_url_encode(message); - params = talloc_asprintf(ctx, "operation=" OP_PKCSREQ "&message=%s", message); + tmp1 = cm_submit_u_base64_from_text(message); + tmp2 = cm_submit_u_url_encode(tmp1); + params = talloc_asprintf(ctx, "operation=" OP_PKCSREQ "&message=%s", tmp2); } break; } + if ((message != NULL) && (strlen(message) != 0)) { + tmp1 = cm_submit_u_base64_from_text(message); + tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c); + cm_pkcs7_verify_signed((unsigned char *) tmp2, c, + NULL, NULL, NID_pkcs7_data, ctx, + &sent_tx, &msgtype, NULL, NULL, + &sent_nonce, &sent_nonce_length, + NULL, NULL, NULL, NULL); + if ((msgtype == NULL) || + ((strcmp(msgtype, SCEP_MSGTYPE_PKCSREQ) != 0) && + (strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) { + if (msgtype == NULL) { + fprintf(stderr, _("Warning: request is neither " + "a PKCSReq nor a " + "GetInitialCert request.\n")); + } else { + fprintf(stderr, _("Warning: request type \"%s\"" + "is neither a PKCSReq nor a " + "GetInitialCert request.\n"), + msgtype); + } + } + if (sent_tx == NULL) { + fprintf(stderr, _("Warning: request is missing " + "transactionId.\n")); + } + if (sent_nonce == NULL) { + fprintf(stderr, _("Warning: request is missing " + "senderNonce.\n")); + } + } else { + sent_tx = NULL; + sent_nonce = NULL; + sent_nonce_length = 0; + } + /* Supply help output, if it's needed. */ if (missing_args) { help(argv[0]); return CM_SUBMIT_STATUS_UNCONFIGURED; } - if (NSS_ShutdownContext(nctx) != SECSuccess) { - printf(_("Error shutting down NSS.\n")); - return CM_SUBMIT_STATUS_UNREACHABLE; - } /* Submit the request. 
*/ hctx = cm_submit_h_init(ctx, "GET", url, params, NULL, NULL, @@ -367,7 +404,7 @@ main(int argc, char **argv) return CM_SUBMIT_STATUS_ISSUED; break; case op_get_ca_certs: - if (cm_pkcs7_parse(CM_PKCS7_LEAF_PREFER_ENCRYPT, NULL, + if (cm_pkcs7_parse(CM_PKCS7_LEAF_PREFER_ENCRYPT, ctx, &racert, &cacert, &othercerts, (const unsigned char *) results, results_length, 
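Review bot: `message = cm_submit_u_from_file(argv[optind]);` in both the op_get_initial_cert and op_pkcsreq branches runs whenever the environment supplied no message, but nothing checks that a positional argument exists, so with no file name on the command line `argv[optind]` is argv's terminating NULL and is passed straight to cm_submit_u_from_file. Guard it as `if (((message == NULL) || (strlen(message) == 0)) && (optind < argc)) {` in both branches. In the warning a few lines later the literals `"Warning: request type \"%s\""` and `"is neither a PKCSReq nor a "` are concatenated without a separating space, so the output reads `"X"is neither`; add the space before `is`. The return value of the cm_pkcs7_verify_signed call on the request is also discarded, so a request that fails to parse is reported only through the individual missing-field warnings rather than as a parse failure.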
@@ -396,27 +433,141 @@ main(int argc, char **argv) } break; case op_get_initial_cert: - /* XXX - verify that the reply is Signed-Data (a CertRep pkiMessage), signed by the RA cert, with a nonce matching the message we sent, and output an Enveloped-Data wrapped in a ContentInfo, if there is one in the Signed-Data. */ - if (strcasecmp(content_type, - "application/x-pki-message") == 0) { - base64 = cm_store_base64_from_bin(NULL, - (unsigned char *) results, - results_length); - pem = cm_submit_u_pem_from_base64("PKCS7", 0, base64); - printf("%s", pem); - } else { - printf("%.*s", results_length, results); - } - break; case op_pkcsreq: - /* XXX - verify that the reply is Signed-Data (a CertRep pkiMessage), signed by the RA cert, with a nonce matching the message we sent, and output an Enveloped-Data wrapped in a ContentInfo, if there is one in the Signed-Data. */ if (strcasecmp(content_type, "application/x-pki-message") == 0) { - base64 = cm_store_base64_from_bin(NULL, - (unsigned char *) results, - results_length); - pem = cm_submit_u_pem_from_base64("PKCS7", 0, base64); - printf("%s\n", pem); + memset(&cacerts, 0, sizeof(cacerts)); + cacerts[0] = cacert ? cacert : racert; + cacerts[1] = cacert ? 
racert : NULL; + cacerts[2] = NULL; + racerts = NULL; + if ((certs != NULL) && + (cm_pkcs7_parse(0, ctx, + &cert1, &cert2, &othercerts, + (const unsigned char *) certs, + strlen(certs), NULL) == 0)) { + for (c = 0; + (othercerts != NULL) && + (othercerts[c] != NULL); + c++) { + continue; + } + racerts = talloc_array_ptrtype(ctx, racerts, c + 5); + for (c = 0; + (othercerts != NULL) && + (othercerts[c] != NULL); + c++) { + racerts[c] = othercerts[c]; + } + if (cacert != NULL) { + racerts[c++] = cacert; + } + if (cert1 != NULL) { + racerts[c++] = cert1; + } + if (cert2 != NULL) { + racerts[c++] = cert2; + } + if (racert != NULL) { + racerts[c++] = racert; + } + racerts[c++] = NULL; + } + ERR_clear_error(); + i = cm_pkcs7_verify_signed((unsigned char *) results, results_length, + cacerts, racerts, + NID_pkcs7_data, ctx, + &tx, &msgtype, &pkistatus, &failinfo, + &sender_nonce, &sender_nonce_length, + &recipient_nonce, &recipient_nonce_length, + &payload, &payload_length); + if (i != 0) { + printf(_("Error: failed to verify signature on " + "server response.\n")); + while ((error = ERR_get_error()) != 0) { + memset(buf, '\0', sizeof(buf)); + ERR_error_string_n(error, buf, sizeof(buf)); + cm_log(1, "%s\n", buf); + } + s = cm_store_base64_from_bin(ctx, (unsigned char *) results, + results_length); + s = cm_submit_u_pem_from_base64("PKCS7", 0, s); + fprintf(stderr, "%s", s); + return CM_SUBMIT_STATUS_UNREACHABLE; + } + if ((msgtype == NULL) || + (strcmp(msgtype, SCEP_MSGTYPE_CERTREP) != 0)) { + printf(_("Error: reply was not a CertRep (%s).\n"), + msgtype ? 
msgtype : "none"); + return CM_SUBMIT_STATUS_UNREACHABLE; + } + if (tx == NULL) { + printf(_("Error: reply is missing transactionId.\n")); + return CM_SUBMIT_STATUS_UNREACHABLE; + } + if (sent_tx != NULL) { + if (strcmp(sent_tx, tx) != 0) { + printf(_("Error: reply contains a " + "different transactionId.\n")); + return CM_SUBMIT_STATUS_UNREACHABLE; + } + } + if (pkistatus == NULL) { + printf(_("Error: reply is missing pkiStatus.\n")); + return CM_SUBMIT_STATUS_UNREACHABLE; + } + if (recipient_nonce == NULL) { + printf(_("Error: reply is missing recipientNonce.\n")); + return CM_SUBMIT_STATUS_UNREACHABLE; + } + if ((recipient_nonce_length != sent_nonce_length) || + (memcmp(recipient_nonce, sent_nonce, + sent_nonce_length) != 0)) { + printf(_("Error: reply nonce doesn't match request.\n")); + return CM_SUBMIT_STATUS_UNREACHABLE; + } + if (sender_nonce == NULL) { + printf(_("Error: reply is missing senderNonce.\n")); + return CM_SUBMIT_STATUS_UNREACHABLE; + } + if (strcmp(pkistatus, SCEP_PKISTATUS_PENDING) == 0) { + s = cm_store_base64_from_bin(ctx, sender_nonce, + sender_nonce_length); + printf("%s\n", s); + return CM_SUBMIT_STATUS_WAIT; + } else + if (strcmp(pkistatus, SCEP_PKISTATUS_FAILURE) == 0) { + if (failinfo == NULL) { + printf(_("Unspecified failure at server.\n")); + } else + if (strcmp(failinfo, SCEP_FAILINFO_BAD_ALG) == 0) { + printf(_("Unrecognized or unsupported algorithm identifier.\n")); + } else + if (strcmp(failinfo, SCEP_FAILINFO_BAD_MESSAGE_CHECK) == 0) { + printf(_("Integrity check failed at server.\n")); + } else + if (strcmp(failinfo, SCEP_FAILINFO_BAD_REQUEST) == 0) { + printf(_("Transaction not permitted or supported by server.\n")); + } else + if (strcmp(failinfo, SCEP_FAILINFO_BAD_TIME) == 0) { + printf(_("Clock skew too great.\n")); + } else { + printf(_("Server returned failure code \"%s\".\n"), + failinfo); + } + return CM_SUBMIT_STATUS_REJECTED; + } else + if (strcmp(pkistatus, SCEP_PKISTATUS_SUCCESS) == 0) { + s = 
cm_store_base64_from_bin(ctx, payload, + payload_length); + s = cm_submit_u_pem_from_base64("PKCS7", 0, s); + printf("%s", s); + return CM_SUBMIT_STATUS_ISSUED; + } else { + printf(_("Error: pkiStatus \"%s\" not recognized.\n"), + pkistatus); + return CM_SUBMIT_STATUS_UNREACHABLE; + } } else { printf("%.*s", results_length, results); } diff --git a/src/store-files.c b/src/store-files.c index 6c6e21f..4566580 100644 --- a/src/store-files.c +++ b/src/store-files.c @@ -193,6 +193,7 @@ enum cm_store_file_field { cm_store_ca_field_scep_ca_identifier, cm_store_ca_field_encryption_cert, cm_store_ca_field_encryption_issuer_cert, + cm_store_ca_field_encryption_cert_pool, cm_store_file_field_invalid_high, }; @@ -355,6 +356,7 @@ static struct cm_store_file_field_list { {cm_store_ca_field_scep_ca_identifier, "scep_ca_identifier"}, {cm_store_ca_field_encryption_cert, "ca_encryption_cert"}, {cm_store_ca_field_encryption_issuer_cert, "ca_encryption_issuer_cert"}, + {cm_store_ca_field_encryption_cert_pool, "ca_encryption_cert_pool"}, }; static enum cm_store_file_field @@ -658,6 +660,7 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp) case cm_store_ca_field_scep_ca_identifier: case cm_store_ca_field_encryption_cert: case cm_store_ca_field_encryption_issuer_cert: + case cm_store_ca_field_encryption_cert_pool: break; case cm_store_file_field_id: ret->cm_nickname = free_if_empty(p); @@ -1387,6 +1390,10 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp) ret->cm_ca_encryption_issuer_cert = free_if_empty(p); break; + case cm_store_ca_field_encryption_cert_pool: + ret->cm_ca_encryption_cert_pool = + free_if_empty(p); + break; } } if (ret->cm_ca_internal_serial == NULL) { 
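Review bot: The nonce check `if ((recipient_nonce_length != sent_nonce_length) || (memcmp(recipient_nonce, sent_nonce, sent_nonce_length) != 0))` passes when the request carried no senderNonce, because that case only produced a warning earlier and left `sent_nonce == NULL` with `sent_nonce_length == 0`, so a reply with an empty recipientNonce is accepted and memcmp is called with a NULL pointer, which is undefined even for length 0. The transactionId comparison has the same shape, since it is skipped entirely whenever `sent_tx == NULL`. As these two checks are what ties the CertRep to the request that was sent, treat a missing request value as a failure here rather than a pass: `if ((sent_nonce == NULL) || (recipient_nonce_length != sent_nonce_length) || (memcmp(recipient_nonce, sent_nonce, sent_nonce_length) != 0)) {` with a matching message, and likewise fail when `sent_tx` is NULL. `racerts = talloc_array_ptrtype(ctx, racerts, c + 5);` is also not checked for NULL before the element stores that follow it.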
@@ -2142,6 +2149,8 @@ cm_store_ca_write(FILE *fp, struct cm_store_ca *ca) ca->cm_ca_encryption_cert); cm_store_file_write_str(fp, cm_store_ca_field_encryption_issuer_cert, ca->cm_ca_encryption_issuer_cert); + cm_store_file_write_str(fp, cm_store_ca_field_encryption_cert_pool, + ca->cm_ca_encryption_cert_pool); if (ferror(fp)) { return -1; } @@ -2643,6 +2652,8 @@ cm_store_ca_dup(void *parent, struct cm_store_ca *ca) cm_store_maybe_strdup(ret, ca->cm_ca_encryption_cert); ret->cm_ca_encryption_issuer_cert = cm_store_maybe_strdup(ret, ca->cm_ca_encryption_issuer_cert); + ret->cm_ca_encryption_cert_pool = + cm_store_maybe_strdup(ret, ca->cm_ca_encryption_cert_pool); return ret; } diff --git a/src/store-int.h b/src/store-int.h index eb98d5f..a75ff93 100644 --- a/src/store-int.h +++ b/src/store-int.h @@ -341,6 +341,9 @@ struct cm_store_ca { /* The CA's SCEP CA certificate, if it's different from the RA's * certificate. Currently only used for SCEP. */ char *cm_ca_encryption_issuer_cert; + /* The CA's SCEP certificate pool, used for other SCEP-related + * certificates. A concatenated list of PEM-format certificates. */ + char *cm_ca_encryption_cert_pool; }; const char *cm_store_state_as_string(enum cm_state state); diff --git a/src/submit-e.c b/src/submit-e.c index 10bfb4f..2257212 100644 --- a/src/submit-e.c +++ b/src/submit-e.c @@ -419,11 +419,6 @@ cm_submit_e_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, if ((entry->cm_cert != NULL) && (strlen(entry->cm_cert) > 0)) { setenv(CM_SUBMIT_CERTIFICATE_ENV, entry->cm_cert, 1); } - if ((entry->cm_scep_nonce != NULL) && - (strlen(entry->cm_scep_nonce) > 0)) { - setenv(CM_SUBMIT_SCEP_SENDER_NONCE_ENV, entry->cm_scep_nonce, - 1); - } if ((ca->cm_ca_scep_ca_identifier != NULL) && (strlen(ca->cm_ca_scep_ca_identifier) > 0)) { setenv(CM_SUBMIT_SCEP_CA_IDENTIFIER_ENV, 
@@ -439,6 +434,11 @@ cm_submit_e_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, setenv(CM_SUBMIT_SCEP_CA_CERTIFICATE_ENV, ca->cm_ca_encryption_issuer_cert, 1); } + if ((ca->cm_ca_encryption_cert_pool != NULL) && + (strlen(ca->cm_ca_encryption_cert_pool) > 0)) { + setenv(CM_SUBMIT_SCEP_CERTIFICATES_ENV, + ca->cm_ca_encryption_cert_pool, 1); + } if ((entry->cm_scep_req != NULL) && (strlen(entry->cm_scep_req) > 0)) { p = cm_submit_u_pem_from_base64("PKCS7", 0, diff --git a/src/submit-e.h b/src/submit-e.h index 1dc1720..0c948a6 100644 --- a/src/submit-e.h +++ b/src/submit-e.h @@ -47,10 +47,10 @@ const char *cm_submit_e_status_text(enum cm_external_status status); #define CM_SUBMIT_CA_NICKNAME_ENV "CERTMONGER_CA_NICKNAME" #define CM_SUBMIT_PROFILE_ENV "CERTMONGER_CA_PROFILE" #define CM_SUBMIT_CERTIFICATE_ENV "CERTMONGER_CERTIFICATE" -#define CM_SUBMIT_SCEP_SENDER_NONCE_ENV "CERTMONGER_SCEP_NONCE" #define CM_SUBMIT_SCEP_CA_IDENTIFIER_ENV "CERTMONGER_SCEP_CA_IDENTIFIER" #define CM_SUBMIT_SCEP_RA_CERTIFICATE_ENV "CERTMONGER_SCEP_RA_CERTIFICATE" #define CM_SUBMIT_SCEP_CA_CERTIFICATE_ENV "CERTMONGER_SCEP_CA_CERTIFICATE" +#define CM_SUBMIT_SCEP_CERTIFICATES_ENV "CERTMONGER_SCEP_CERTIFICATES" #define CM_SUBMIT_SCEP_PKCSREQ_ENV "CERTMONGER_PKCSREQ" #define CM_SUBMIT_SCEP_PKCSREQ_REKEY_ENV "CERTMONGER_PKCSREQ_REKEY" #define CM_SUBMIT_SCEP_GETCERTINITIAL_ENV "CERTMONGER_GETCERTINITIAL"