pki: Additional pki.scep options for strongswan.conf

Author: strongX509

conf/options/pki.opt

@@ -1,6 +1,12 @@
 pki.load =
 	Plugins to load in the pki tool.
 
+pki.scep.http_bind
+	Source IP address to bind for HTTP operations.
+
+pki.scep.http_timeout = 30s
+	Timeout for HTTP operations.
+
 pki.scep.renewal_via_pkcs_req = no
 	Some SCEP servers (e.g. openxpki) are incorrectly doing certificate renewal
 	via messageType PKCSReq (19) instead of RenewalReq (17).

src/pki/commands/scep.c

@@ -76,11 +76,7 @@ static int scep()
 	linked_list_t *san;
 	enumerator_t *enumerator;
 	int status = 1;
-	bool ok, stored = FALSE;
-
-	scep_http_params_t http_params = {
-		.get_request = FALSE, .timeout = 30, .bind = NULL
-	};
+	bool ok, http_post = FALSE, stored = FALSE;
 
 	bool pss = lib->settings->get_bool(lib->settings,
 								"%s.rsa_pss", FALSE, lib->ns);
@@ -273,7 +269,7 @@ static int scep()
 	public = private->get_public_key(private);
 
 	/* Request capabilities from SCEP server */
-	if (!scep_http_request(url, chunk_empty, SCEP_GET_CA_CAPS, &http_params,
+	if (!scep_http_request(url, chunk_empty, SCEP_GET_CA_CAPS, FALSE,
 						   &scep_response))
 	{
 		DBG1(DBG_APP, "did not receive a valid scep response");
@@ -338,10 +334,9 @@ static int scep()
 	if ((caps_flags & SCEP_CAPS_POSTPKIOPERATION) ||
 	    (caps_flags & SCEP_CAPS_SCEPSTANDARD))
 	{
-		http_params.get_request = FALSE;
+		http_post = TRUE;
 	}
-	DBG2(DBG_APP, "HTTP POST %ssupported",
-				   http_params.get_request ? "not " : "");
+	DBG2(DBG_APP, "HTTP POST %ssupported", http_post ? "" : "not ");
 
 	scheme = get_signature_scheme(private, digest_alg, pss);
 	if (!scheme)
@@ -467,7 +462,7 @@ static int scep()
 		goto end;
 	}
 
-	if (!scep_http_request(url, pkcs7_req, SCEP_PKI_OPERATION, &http_params,
+	if (!scep_http_request(url, pkcs7_req, SCEP_PKI_OPERATION, http_post,
 						   &scep_response))
 	{
 		DBG1(DBG_APP, "did not receive a valid SCEP response");
@@ -526,8 +521,8 @@ static int scep()
 			DBG1(DBG_APP, "failed to build SCEP certPoll request");
 			goto end;
 		}
-		if (!scep_http_request(url, certPoll, SCEP_PKI_OPERATION,
-							   &http_params, &scep_response))
+		if (!scep_http_request(url, certPoll, SCEP_PKI_OPERATION, http_post,
+							   &scep_response))
 		{
 			DBG1(DBG_APP, "did not receive a valid SCEP response");
 			goto end;

src/pki/commands/scepca.c

@@ -248,10 +248,6 @@ static int scepca()
 
 	int cert_type_count[] = { 0, 0, 0 };
 
-	scep_http_params_t http_params = {
-		.get_request = TRUE, .timeout = 30, .bind = NULL
-	};
-
 	while (TRUE)
 	{
 		switch (command_getopt(&arg))
@@ -289,7 +285,7 @@ static int scepca()
 		return command_usage("--url is required");
 	}
 
-	if (!scep_http_request(url, chunk_empty, SCEP_GET_CA_CERT, &http_params,
+	if (!scep_http_request(url, chunk_empty, SCEP_GET_CA_CERT, FALSE,
 						   &scep_response))
 	{
 		DBG1(DBG_APP, "did not receive a valid scep response");

src/pki/scep/scep.c

@@ -334,29 +334,50 @@ static char* escape_http_request(chunk_t req)
  * Send a SCEP request via HTTP and wait for a response
  */
 bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
-					   scep_http_params_t *http_params, chunk_t *response)
+					   bool http_post, chunk_t *response)
 {
 	int len;
 	status_t status;
 	char *complete_url = NULL;
 	const char *operation;
 	host_t *srcip = NULL;
 
-	/* initialize response */
-	*response = chunk_empty;
+	uint32_t http_timeout = lib->settings->get_time(lib->settings,
+										"%s.scep.http_timeout", 30, lib->ns);
 
-	if (http_params->bind)
+	char *http_bind = lib->settings->get_str(lib->settings,
+										"%s.scep.http_bind", NULL, lib->ns);
+
+	if (http_bind)
 	{
-		srcip = host_create_from_string(http_params->bind, 0);
+		srcip = host_create_from_string(http_bind, 0);
 	}
 	DBG2(DBG_APP, "sending scep request to '%s'", url);
 
+	/* initialize response */
+	*response = chunk_empty;
+
 	operation = operations[op];
 	switch (op)
 	{
 		case SCEP_PKI_OPERATION:
 		default:
-			if (http_params->get_request)
+			if (http_post)
+			{
+				/* form complete url */
+				len = strlen(url) + 11 + strlen(operation) + 1;
+				complete_url = malloc(len);
+				snprintf(complete_url, len, "%s?operation=%s", url, operation);
+
+				status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
+										 FETCH_TIMEOUT, http_timeout,
+										 FETCH_REQUEST_DATA, msg,
+										 FETCH_REQUEST_TYPE, "",
+										 FETCH_REQUEST_HEADER, "Expect:",
+										 FETCH_SOURCEIP, srcip,
+										 FETCH_END);
+			}
+			else /* HTTP_GET */
 			{
 				char *escaped_req = escape_http_request(msg);
 
@@ -369,28 +390,13 @@ bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
 				free(escaped_req);
 
 				status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
-										 FETCH_TIMEOUT, http_params->timeout,
+										 FETCH_TIMEOUT, http_timeout,
 										 FETCH_REQUEST_HEADER, "Pragma:",
 										 FETCH_REQUEST_HEADER, "Host:",
 										 FETCH_REQUEST_HEADER, "Accept:",
 										 FETCH_SOURCEIP, srcip,
 										 FETCH_END);
 			}
-			else /* HTTP_POST */
-			{
-				/* form complete url */
-				len = strlen(url) + 11 + strlen(operation) + 1;
-				complete_url = malloc(len);
-				snprintf(complete_url, len, "%s?operation=%s", url, operation);
-
-				status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
-										 FETCH_TIMEOUT, http_params->timeout,
-										 FETCH_REQUEST_DATA, msg,
-										 FETCH_REQUEST_TYPE, "",
-										 FETCH_REQUEST_HEADER, "Expect:",
-										 FETCH_SOURCEIP, srcip,
-										 FETCH_END);
-			}
 			break;
 		case SCEP_GET_CA_CERT:
 		case SCEP_GET_CA_CAPS:
@@ -401,7 +407,7 @@ bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
 			snprintf(complete_url, len, "%s?operation=%s", url, operation);
 
 			status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
-									 FETCH_TIMEOUT, http_params->timeout,
+									 FETCH_TIMEOUT, http_timeout,
 									 FETCH_SOURCEIP, srcip,
 									 FETCH_END);
 		}

src/pki/scep/scep.h

@@ -68,13 +68,6 @@ typedef struct {
 	chunk_t     recipientNonce;
 } scep_attributes_t;
 
-/* SCEP http parameters */
-typedef struct {
-	bool  get_request;
-	u_int timeout;
-	char  *bind;
-} scep_http_params_t;
-
 /* SCEP CA Capabilities */
 typedef enum {
 	SCEP_CAPS_AES =              0,
@@ -108,8 +101,8 @@ chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
 						size_t key_size, certificate_t *signer_cert,
 						hash_algorithm_t digest_alg, private_key_t *private_key);
 
-bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
-					   scep_http_params_t *http_params, chunk_t *response);
+bool scep_http_request(const char *url, chunk_t msg, scep_op_t op, bool use_post,
+					   chunk_t *response);
 
 bool scep_parse_response(chunk_t response, chunk_t transID, container_t **out,
 						 scep_attributes_t *attrs);