]> git.saurik.com Git - apple/security.git/blob - OSX/sec/Security/Tool/scep.c
Security-58286.200.222.tar.gz
[apple/security.git] / OSX / sec / Security / Tool / scep.c
1 /*
2 * Copyright (c) 2003-2004,2006-2007,2009-2010,2013-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * scep.c
24 */
25
26 #include <TargetConditionals.h>
27 #if TARGET_OS_EMBEDDED
28
29 #include "SecurityCommands.h"
30
31 #include <unistd.h>
32 #include <uuid/uuid.h>
33 #include <AssertMacros.h>
34
35 #include <Security/SecItem.h>
36 #include <Security/SecCertificateRequest.h>
37 #include <Security/SecCertificatePriv.h>
38 #include <Security/SecIdentityPriv.h>
39 #include <Security/SecSCEP.h>
40 #include <Security/SecCMS.h>
41
42 #include <utilities/array_size.h>
43 #include <utilities/SecIOFormat.h>
44
45 #include <CommonCrypto/CommonDigest.h>
46
47 #include <CFNetwork/CFNetwork.h>
48 #include "SecBase64.h"
49 #include <utilities/SecCFRelease.h>
50
51
52 #include <fcntl.h>
53 static inline void write_data(const char * path, CFDataRef data)
54 {
55 int data_file = open(path, O_CREAT|O_WRONLY|O_TRUNC, 0644);
56 write(data_file, CFDataGetBytePtr(data), CFDataGetLength(data));
57 close(data_file);
58 }
59
60 #define BUFSIZE 1024
61
62 static CF_RETURNS_RETAINED CFHTTPMessageRef load_request(CFHTTPMessageRef request, CFMutableDataRef data, int retry, bool validate_cert)
63 {
64 CFHTTPMessageRef result = NULL;
65
66 if (retry < 0)
67 return result;
68
69 CFReadStreamRef rs;
70 rs = CFReadStreamCreateForHTTPRequest(NULL, request);
71
72 if (!validate_cert) {
73 const void *keys[] = {
74 kCFStreamSSLValidatesCertificateChain,
75 };
76 const void *values[] = {
77 kCFBooleanFalse,
78 };
79 CFDictionaryRef dict = CFDictionaryCreate(NULL, keys, values,
80 array_size(keys),
81 &kCFTypeDictionaryKeyCallBacks,
82 &kCFTypeDictionaryValueCallBacks);
83 CFReadStreamSetProperty(rs, kCFStreamPropertySSLSettings, dict);
84 CFRelease(dict);
85 CFReadStreamSetProperty(rs, kCFStreamPropertyHTTPAttemptPersistentConnection, kCFBooleanTrue);
86 }
87
88 if (CFReadStreamOpen(rs)) {
89 do {
90 UInt8 buf[BUFSIZE];
91 CFIndex bytesRead = CFReadStreamRead(rs, buf, BUFSIZE);
92 if (bytesRead > 0) {
93 CFDataAppendBytes(data, buf, bytesRead);
94 } else if (bytesRead == 0) {
95 result = (CFHTTPMessageRef)CFReadStreamCopyProperty(rs, kCFStreamPropertyHTTPResponseHeader);
96 break;
97 } else {
98 CFStreamStatus status = CFReadStreamGetStatus(rs);
99 CFStreamError error = CFReadStreamGetError(rs);
100 fprintf(stderr, "CFReadStreamRead status=%ld error(domain=%" PRIdCFIndex " error=%ld)\n",
101 status, error.domain, (long) error.error);
102 break;
103 }
104 } while (true);
105 } else {
106 CFStreamStatus status = CFReadStreamGetStatus(rs);
107 CFStreamError error = CFReadStreamGetError(rs);
108 fprintf(stderr, "CFReadStreamRead status=%ld error(domain=%" PRIdCFIndex " error=%ld)\n",
109 status, error.domain, (long) error.error);
110 }
111
112 CFReadStreamClose(rs);
113 CFRelease(rs);
114 return result;
115 }
116
117 static CF_RETURNS_RETAINED CFDataRef MCNetworkLoadRequest(CFURLRef url, CFDataRef content, CFStringRef type,
118 CFStringRef *contentType, bool validate_cert)
119 {
120 CFMutableDataRef out_data = CFDataCreateMutable(kCFAllocatorDefault, 0);
121 CFHTTPMessageRef response = NULL;
122 CFStringRef request_type = content ? CFSTR("POST") : CFSTR("GET");
123 CFHTTPMessageRef request = CFHTTPMessageCreateRequest(kCFAllocatorDefault,
124 request_type, url, kCFHTTPVersion1_0);
125 if (content)
126 CFHTTPMessageSetBody(request, content);
127 CFHTTPMessageSetHeaderFieldValue(request, CFSTR("Content-Type"), type);
128
129 int retries = 1;
130 do {
131 response = load_request(request, out_data, 1, validate_cert);
132 if (!response && retries) {
133 sleep(5);
134 CFDataSetLength(out_data, 0);
135 }
136 } while (!response && retries--);
137
138 CFRelease(request);
139
140 CFIndex status_code = response ? CFHTTPMessageGetResponseStatusCode(response) : 0;
141 if (!response || (200 != status_code)) {
142 CFStringRef url_string = CFURLGetString(url);
143 if (url_string && request_type && out_data)
144 fprintf(stderr, "MCNetworkLoadRequest failed to load\n");
145
146 CFReleaseNull(out_data);
147 goto out;
148 }
149
150 if (contentType)
151 *contentType = CFHTTPMessageCopyHeaderFieldValue(response, CFSTR("Content-Type"));
152 out:
153 CFReleaseSafe(response);
154 return out_data;
155 }
156
157 static void _query_string_apply(CFMutableStringRef query_string, const void *key, const void *value)
158 {
159 CFStringRef escaped_key =
160 CFURLCreateStringByAddingPercentEscapes(kCFAllocatorDefault,
161 (CFStringRef)key, NULL, CFSTR("+/="), kCFStringEncodingUTF8);
162 CFStringRef escaped_value =
163 CFURLCreateStringByAddingPercentEscapes(kCFAllocatorDefault,
164 (CFStringRef)value, NULL, CFSTR("+/="), kCFStringEncodingUTF8);
165
166 if (CFStringGetLength(query_string) > 1)
167 CFStringAppend(query_string, CFSTR("&"));
168
169 CFStringAppendFormat(query_string, NULL, CFSTR("%@=%@"), escaped_key, escaped_value);
170 CFRelease(escaped_key);
171 CFRelease(escaped_value);
172 }
173
174 static CF_RETURNS_RETAINED CFURLRef scep_url_operation(CFStringRef base, CFStringRef operation, CFStringRef message)
175 {
176 CFURLRef url = NULL, base_url = NULL;
177 CFMutableStringRef query_string =
178 CFStringCreateMutableCopy(kCFAllocatorDefault, 0, CFSTR("?"));
179 require(query_string, out);
180 require(operation, out);
181 _query_string_apply(query_string, CFSTR("operation"), operation);
182 if (message)
183 _query_string_apply(query_string, CFSTR("message"), message);
184 base_url = CFURLCreateWithString(kCFAllocatorDefault, base, NULL);
185 url = CFURLCreateWithString(kCFAllocatorDefault, query_string, base_url);
186 out:
187 if (query_string)
188 CFRelease(query_string);
189 if (base_url)
190 CFRelease(base_url);
191 return url;
192 }
193
194 static CF_RETURNS_RETAINED CFDataRef perform_pki_op(CFStringRef scep_base_url, CFDataRef scep_request, bool scep_can_use_post, bool validate_cert)
195 {
196 CFDataRef scep_reply = NULL;
197 CFURLRef pki_op = NULL;
198 if (scep_can_use_post) {
199 pki_op = scep_url_operation(scep_base_url, CFSTR("PKIOperation"), NULL);
200 scep_reply = MCNetworkLoadRequest(pki_op, scep_request, CFSTR("application/x-pki-message"), NULL, validate_cert);
201 } else {
202 SecBase64Result base64_result;
203 size_t buffer_length = CFDataGetLength(scep_request)*2+1;
204 char *buffer = malloc(buffer_length);
205 require(buffer, out);
206 size_t output_size = SecBase64Encode2(CFDataGetBytePtr(scep_request), CFDataGetLength(scep_request), buffer, buffer_length,
207 kSecB64_F_LINE_LEN_INFINITE, -1, &base64_result);
208 *(buffer + output_size) = '\0';
209 require(!base64_result, out);
210 CFStringRef message = CFStringCreateWithCString(kCFAllocatorDefault, buffer, kCFStringEncodingASCII);
211 require(message, out);
212 pki_op = scep_url_operation(scep_base_url, CFSTR("PKIOperation"), message);
213 CFRelease(message);
214 fprintf(stderr, "Performing PKIOperation using GET\n");
215 scep_reply = MCNetworkLoadRequest(pki_op, NULL, CFSTR("application/x-pki-message"), NULL, validate_cert);
216 }
217 out:
218 CFReleaseSafe(pki_op);
219 return scep_reply;
220 }
221
222
223 static inline CF_RETURNS_RETAINED CFStringRef uuid_cfstring()
224 {
225 char uuid_string[40] = "CN=";
226 uuid_t uuid;
227 uuid_generate_random(uuid);
228 uuid_unparse(uuid, uuid_string+3);
229 return CFStringCreateWithCString(kCFAllocatorDefault, uuid_string, kCFStringEncodingASCII);
230 }
231
232 /* /O=foo/CN=blah => [ [ [ O, foo ] ], [ [ CN, blah ] ] ] */
233 static void make_subject_pairs(const void *value, void *context)
234 {
235 CFArrayRef entries = NULL, array = NULL;
236 if (!CFStringGetLength(value))
237 return; /* skip '/'s that aren't separating key/vals */
238 entries = CFStringCreateArrayBySeparatingStrings(kCFAllocatorDefault, value, CFSTR("="));
239 require(entries, out);
240 if (CFArrayGetCount(entries)) {
241 array = CFArrayCreate(kCFAllocatorDefault, (const void **)&entries, 1, &kCFTypeArrayCallBacks);
242 require(array, out);
243 CFArrayAppendValue((CFMutableArrayRef)context, array);
244 }
245 out:
246 if (entries) CFRelease(entries);
247 if (array) CFRelease(array);
248 }
249
250 static CFArrayRef make_scep_subject(CFStringRef scep_subject_name)
251 {
252 CFMutableArrayRef subject = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
253 require(subject, out);
254 CFArrayRef entries = NULL;
255 entries = CFStringCreateArrayBySeparatingStrings(kCFAllocatorDefault, scep_subject_name, CFSTR("/"));
256 require(entries, out);
257 CFArrayApplyFunction(entries, CFRangeMake(0, CFArrayGetCount(entries)), make_subject_pairs, subject);
258 CFRelease(entries);
259 if (CFArrayGetCount(subject))
260 return subject;
261 out:
262 if (subject) CFRelease(subject);
263 return NULL;
264 }
265
266
267 extern int command_scep(int argc, char * const *argv)
268 {
269 int result = 1, verbose = 0;
270 char ch;
271 int key_usage = 1, key_bitsize = 1024;
272 bool validate_cert = true;
273 CFStringRef scep_challenge = NULL, scep_instance_name = NULL,
274 scep_subject_name = uuid_cfstring(), scep_subject_alt_name = NULL,
275 scep_capabilities = NULL;
276
277 while ((ch = getopt(argc, argv, "vu:b:c:n:s:h:xo:")) != -1)
278 {
279 switch (ch)
280 {
281 case 'v':
282 verbose++;
283 break;
284 case 'u':
285 key_usage = atoi(optarg);
286 break;
287 case 'b':
288 key_bitsize = atoi(optarg);
289 break;
290 case 'c':
291 scep_challenge = CFStringCreateWithCString(kCFAllocatorDefault, optarg, kCFStringEncodingUTF8);
292 break;
293 case 'n':
294 scep_instance_name = CFStringCreateWithCString(kCFAllocatorDefault, optarg, kCFStringEncodingUTF8);
295 break;
296 case 's':
297 CFReleaseNull(scep_subject_name);
298 scep_subject_name = CFStringCreateWithCString(kCFAllocatorDefault, optarg, kCFStringEncodingUTF8);
299 break;
300 case 'h':
301 scep_subject_alt_name = CFStringCreateWithCString(kCFAllocatorDefault, optarg, kCFStringEncodingUTF8);
302 break;
303 case 'x':
304 validate_cert = false;
305 break;
306 case 'o':
307 scep_capabilities = CFStringCreateWithCString(kCFAllocatorDefault, optarg, kCFStringEncodingUTF8);
308 break;
309 default:
310 return SHOW_USAGE_MESSAGE;
311 }
312 }
313
314 argc -= optind;
315 argv += optind;
316
317 if (argc != 1)
318 return SHOW_USAGE_MESSAGE;
319
320 CFDataRef scep_request = NULL;
321 CFArrayRef issued_certs = NULL;
322 SecCertificateRef leaf = NULL;
323 SecIdentityRef candidate_identity = NULL;
324 CFMutableDictionaryRef csr_parameters = NULL;
325 CFDataRef scep_reply = NULL;
326 SecKeyRef phone_publicKey = NULL, phone_privateKey = NULL;
327 CFStringRef scep_base_url = NULL;
328 CFDictionaryRef identity_add = NULL;
329
330 CFNumberRef scep_key_usage = NULL;
331 CFNumberRef scep_key_bitsize = NULL;
332
333 CFURLRef url = NULL;
334
335 CFDataRef data = NULL;
336 CFStringRef ctype = NULL;
337
338 scep_base_url = CFStringCreateWithCString(kCFAllocatorDefault, argv[0], kCFStringEncodingASCII);
339
340 #if 0
341 CFStringRef uuid_cfstr = uuid_cfstring();
342 require(uuid_cfstr, out);
343 const void * ca_cn[] = { kSecOidCommonName, uuid_cfstr };
344 CFArrayRef ca_cn_dn = CFArrayCreate(kCFAllocatorDefault, ca_cn, 2, NULL);
345 const void *ca_dn_array[1];
346 ca_dn_array[0] = CFArrayCreate(kCFAllocatorDefault, (const void **)&ca_cn_dn, 1, NULL);
347 CFArrayRef scep_subject = CFArrayCreate(kCFAllocatorDefault, ca_dn_array, array_size(ca_dn_array), NULL);
348 #else
349 CFArrayRef scep_subject = make_scep_subject(scep_subject_name);
350 require(scep_subject, out);
351 CFShow(scep_subject);
352 #endif
353
354 scep_key_usage = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &key_usage);
355 scep_key_bitsize = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &key_bitsize);
356
357 const void *keygen_keys[] = { kSecAttrKeyType, kSecAttrKeySizeInBits };
358 const void *keygen_vals[] = { kSecAttrKeyTypeRSA, scep_key_bitsize };
359 CFDictionaryRef keygen_parameters = CFDictionaryCreate(kCFAllocatorDefault,
360 keygen_keys, keygen_vals, array_size(keygen_vals),
361 &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks );
362 CFRelease(scep_key_bitsize);
363 require_noerr(SecKeyGeneratePair(keygen_parameters, &phone_publicKey, &phone_privateKey), out);
364 CFRelease(keygen_parameters);
365
366 /* GetCACert
367
368 A binary X.509 CA certificate is sent back as a MIME object with a
369 Content-Type of application/x-x509-ca-cert.
370
371 When an RA exists, both CA and RA certificates must be sent back in
372 the response to the GetCACert request. The RA certificate(s) must be
373 signed by the CA. A certificates-only PKCS#7 [RFC2315] SignedData is
374 used to carry the certificates to the requester, with a Content-Type
375 of application/x-x509-ca-ra-cert.
376 */
377 SecCertificateRef ca_certificate = NULL, ra_certificate = NULL;
378 SecCertificateRef ra_encryption_certificate = NULL;
379 CFArrayRef ra_certificates = NULL;
380 CFTypeRef scep_certificates = NULL;
381 SecCertificateRef scep_signing_certificate = NULL;
382
383 url = scep_url_operation(scep_base_url, CFSTR("GetCACert"), scep_instance_name);
384 data = MCNetworkLoadRequest(url, NULL, NULL, &ctype, validate_cert);
385
386 if (data && ctype) {
387 if (CFEqual(CFSTR("application/x-x509-ca-cert"), ctype)) {
388 ca_certificate = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef)data);
389 fprintf(stderr, "GetCACert returned a single CA certificate.\n");
390 } else if (CFEqual(ctype, CFSTR("application/x-x509-ca-ra-cert"))) {
391 CFArrayRef cert_array = SecCMSCertificatesOnlyMessageCopyCertificates(data);
392
393 require_noerr(SecSCEPValidateCACertMessage(cert_array,
394 NULL,
395 &ca_certificate,
396 &ra_certificate,
397 &ra_encryption_certificate), out);
398
399 if (ra_certificate && ra_encryption_certificate) {
400 const void *ra_certs[] = { ra_encryption_certificate, ra_certificate };
401 ra_certificates = CFArrayCreate(kCFAllocatorDefault, ra_certs, array_size(ra_certs), &kCFTypeArrayCallBacks);
402 fprintf(stderr, "GetCACert returned a separate signing and encryption certificates for RA.\n");
403 }
404 CFRelease(cert_array);
405 }
406 }
407
408 fprintf(stderr, "CA certificate to issue cert:\n");
409 CFShow(ca_certificate);
410
411 if (ra_certificates) {
412 scep_certificates = ra_certificates;
413 scep_signing_certificate = ra_certificate;
414 } else if (ra_certificate) {
415 scep_certificates = ra_certificate;
416 scep_signing_certificate = ra_certificate;
417 } else if (ca_certificate) {
418 scep_certificates = ca_certificate;
419 scep_signing_certificate = ca_certificate;
420 } else {
421 fprintf(stderr, "Unsupported GetCACert configuration: please file a bug.\n");
422 goto out;
423 }
424
425 (void) scep_signing_certificate; // Silence analyzer
426
427 #if 0
428 GetCACaps capabilities advertised by SCEP server:
429
430 +--------------------+----------------------------------------------+
431 | Keyword | Description |
432 +--------------------+----------------------------------------------+
433 | "GetNextCACert" | CA Supports the GetNextCACert message. |
434 | "POSTPKIOperation" | PKIOPeration messages may be sent via HTTP |
435 | | POST. |
436 | "Renewal" | Clients may use current certificate and key |
437 | | to authenticate an enrollment request for a |
438 | | new certificate. |
439 | "SHA-512" | CA Supports the SHA-512 hashing algorithm in |
440 | | signatures and fingerprints. |
441 | "SHA-256" | CA Supports the SHA-256 hashing algorithm in |
442 | | signatures and fingerprints. |
443 | "SHA-1" | CA Supports the SHA-1 hashing algorithm in |
444 | | signatures and fingerprints. |
445 | "DES3" | CA Supports triple-DES for encryption. |
446 +--------------------+----------------------------------------------+
447 #endif
448
449 bool scep_can_use_post = false;
450 bool scep_use_3des = false;
451 bool scep_can_use_sha1 = false;
452 bool scep_can_use_sha512 = false;
453 bool scep_can_use_sha256 = false;
454
455 CFArrayRef caps = NULL;
456 if (!scep_capabilities) {
457 CFURLRef ca_caps_url = scep_url_operation(scep_base_url, CFSTR("GetCACaps"), scep_instance_name);
458 require(ca_caps_url, out);
459 CFDataRef caps_data = MCNetworkLoadRequest(ca_caps_url, NULL, NULL, NULL, validate_cert);
460 CFRelease(ca_caps_url);
461 if (caps_data) {
462 CFStringRef caps_data_string = CFStringCreateFromExternalRepresentation(kCFAllocatorDefault, caps_data, kCFStringEncodingASCII);
463 require(caps_data_string, out);
464 caps = CFStringCreateArrayBySeparatingStrings(kCFAllocatorDefault, caps_data_string, CFSTR("\n"));
465 if (!caps) {
466 fprintf(stderr, "GetCACaps couldn't be parsed:\n");
467 CFShow(caps_data);
468 }
469 CFRelease(caps_data);
470 CFRelease(caps_data_string);
471 }
472 } else {
473 caps = CFStringCreateArrayBySeparatingStrings(kCFAllocatorDefault, scep_capabilities, CFSTR(","));
474 }
475
476 if (caps) {
477 fprintf(stderr, "GetCACaps advertised following capabilities:\n");
478 CFShow(caps);
479
480 CFRange caps_length = CFRangeMake(0, CFArrayGetCount(caps));
481 scep_can_use_post = CFArrayContainsValue(caps, caps_length, CFSTR("POSTPKIOperation"));
482 scep_use_3des = CFArrayContainsValue(caps, caps_length, CFSTR("DES3"));
483 scep_can_use_sha1 = CFArrayContainsValue(caps, caps_length, CFSTR("SHA-1"));
484 scep_can_use_sha256 = CFArrayContainsValue(caps, caps_length, CFSTR("SHA-256"));
485 scep_can_use_sha512 = CFArrayContainsValue(caps, caps_length, CFSTR("SHA-512"));
486
487 // We probably inteded these to be the values and not override them below..
488 // but for now to quiet the analyzer we reference them here. see <rdar://problem/15010402> scep.c, command_scep assumes 3des and sha1
489 (void) scep_use_3des;
490 (void) scep_can_use_sha1;
491 CFRelease(caps);
492 }
493
494 scep_use_3des = true;
495 scep_can_use_sha1 = true;
496
497 csr_parameters = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
498 &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
499 if (scep_key_usage)
500 CFDictionarySetValue(csr_parameters, kSecCertificateKeyUsage, scep_key_usage);
501 if (scep_challenge)
502 CFDictionarySetValue(csr_parameters, kSecCSRChallengePassword, scep_challenge);
503 else
504 fprintf(stderr, "No SCEP challenge provided, hope that's ok.\n");
505
506 if (!scep_use_3des) {
507 CFDictionarySetValue(csr_parameters, kSecCMSBulkEncryptionAlgorithm, kSecCMSEncryptionAlgorithmDESCBC);
508 fprintf(stderr, "SCEP server does not support 3DES, falling back to DES. You should reconfigure your server.\n");
509 }
510
511 if (scep_can_use_sha512) {
512 CFDictionarySetValue(csr_parameters, kSecCMSSignHashAlgorithm, kSecCMSHashingAlgorithmSHA512);
513 } else if (scep_can_use_sha256) {
514 CFDictionarySetValue(csr_parameters, kSecCMSSignHashAlgorithm, kSecCMSHashingAlgorithmSHA256);
515 } else if (scep_can_use_sha1) {
516 CFDictionarySetValue(csr_parameters, kSecCMSSignHashAlgorithm, kSecCMSHashingAlgorithmSHA1);
517 } else {
518 fprintf(stderr, "SCEP server does not support SHA-1. You must reconfigure your server.\n");
519 }
520
521 if (scep_subject_alt_name) {
522 fprintf(stderr, "Adding subjectAltName to request\n");
523 CFDictionaryRef subject_alt_name = CFDictionaryCreate(kCFAllocatorDefault,
524 (const void **)&kSecSubjectAltNameDNSName, (const void **)&scep_subject_alt_name,
525 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
526 CFDictionarySetValue(csr_parameters, kSecSubjectAltName, subject_alt_name);
527 }
528
529 SecIdentityRef self_signed_identity = SecSCEPCreateTemporaryIdentity(phone_publicKey, phone_privateKey);
530
531 // store encryption identity in the keychain because the decrypt function looks in there only
532 identity_add = CFDictionaryCreate(NULL,
533 (const void **)&kSecValueRef, (const void **)&self_signed_identity, 1, NULL, NULL);
534 require_noerr(SecItemAdd(identity_add, NULL), out);
535
536 require(scep_request = SecSCEPGenerateCertificateRequest((CFArrayRef)scep_subject,
537 csr_parameters, phone_publicKey, phone_privateKey, self_signed_identity,
538 scep_certificates), out);
539
540 fprintf(stderr, "storing scep_request.der\n");
541 write_data("scep_request.der", scep_request);
542
543 scep_reply = perform_pki_op(scep_base_url, scep_request, scep_can_use_post, validate_cert);
544 require(scep_reply, out);
545
546 require_action(CFDataGetLength(scep_reply), out, fprintf(stderr, "Empty scep_reply, exiting.\n"));
547 fprintf(stderr, "Storing scep_reply.der\n");
548 write_data("scep_reply.der", scep_reply);
549
550 CFErrorRef server_error = NULL;
551 int retry_count = 3;
552 while ( !(issued_certs = SecSCEPVerifyReply(scep_request, scep_reply, scep_certificates, &server_error)) &&
553 server_error &&
554 retry_count--)
555 {
556 CFDataRef retry_get_cert_initial = NULL;
557 CFDictionaryRef error_dict = CFErrorCopyUserInfo(server_error);
558 retry_get_cert_initial = SecSCEPGetCertInitial(ra_certificate ? ra_certificate : ca_certificate, scep_subject, NULL, error_dict, self_signed_identity, scep_certificates);
559 CFReleaseNull(scep_reply);
560 CFReleaseSafe(error_dict);
561 fprintf(stderr, "Waiting 10 seconds before trying a GetCertInitial\n");
562 sleep(10);
563 scep_reply = perform_pki_op(scep_base_url, retry_get_cert_initial, scep_can_use_post, validate_cert);
564 CFReleaseSafe(retry_get_cert_initial);
565 }
566
567 require(issued_certs, out);
568 require_string(CFArrayGetCount(issued_certs) > 0, out, "No certificates issued.");
569
570 leaf = (SecCertificateRef)CFArrayGetValueAtIndex(issued_certs, 0);
571 require(leaf, out);
572 CFDataRef leaf_data = SecCertificateCopyData(leaf);
573 if (leaf_data) {
574 fprintf(stderr, "Storing issued_cert.der\n");
575 write_data("issued_cert.der", leaf_data);
576 CFRelease(leaf_data);
577 }
578 CFShow(leaf);
579
580 candidate_identity = SecIdentityCreate(kCFAllocatorDefault, leaf, phone_privateKey);
581
582 const void *keys_ref_to_persist[] = {
583 /*kSecReturnPersistentRef, */kSecValueRef, kSecAttrLabel };
584 const void *values_ref_to_persist[] = {
585 /*kCFBooleanTrue, */candidate_identity, scep_subject_name };
586 CFDictionaryRef dict = CFDictionaryCreate(NULL,
587 (const void **)keys_ref_to_persist,
588 (const void **)values_ref_to_persist,
589 array_size(keys_ref_to_persist),
590 &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
591 OSStatus status = SecItemAdd(dict, NULL);
592 require_noerr_action(status, out, fprintf(stderr, "failed to store new identity, SecItemAdd: %" PRIdOSStatus, status));
593 result = 0;
594
595 out:
596 if (identity_add)
597 SecItemDelete(identity_add);
598 CFReleaseSafe(identity_add);
599 //if (uuid_cfstr) CFRelease(uuid_cfstr);
600 CFReleaseSafe(candidate_identity);
601 CFReleaseSafe(scep_request);
602 CFReleaseSafe(scep_reply);
603 CFReleaseSafe(scep_key_usage);
604 CFReleaseSafe(scep_key_bitsize);
605 CFReleaseSafe(csr_parameters);
606 CFReleaseSafe(scep_subject_name);
607 CFReleaseSafe(scep_base_url);
608 CFReleaseSafe(url);
609 CFReleaseSafe(issued_certs);
610 CFReleaseSafe(data);
611 CFReleaseSafe(ctype);
612
613 return result;
614 }
615
616
617 #endif // TARGET_OS_MAC