Refactored certificate management for the vici and stroke interfaces
This commit is contained in:
parent
4df09fe563
commit
02d431022c
|
@ -31,7 +31,6 @@
|
|||
#include <collections/linked_list.h>
|
||||
#include <plugins/plugin.h>
|
||||
#include <credentials/certificates/x509.h>
|
||||
#include <credentials/certificates/pgp_certificate.h>
|
||||
#include <credentials/certificates/certificate_printer.h>
|
||||
#include <config/peer_cfg.h>
|
||||
|
||||
|
@ -63,6 +62,11 @@ struct private_stroke_list_t {
|
|||
stroke_attribute_t *attribute;
|
||||
};
|
||||
|
||||
/**
|
||||
* Static certificate printer object
|
||||
*/
|
||||
static certificate_printer_t *cert_printer = NULL;
|
||||
|
||||
/**
|
||||
* Log tasks of a specific queue to out
|
||||
*/
|
||||
|
@ -760,133 +764,50 @@ static bool has_privkey(certificate_t *cert)
|
|||
return (private != NULL);
|
||||
}
|
||||
|
||||
/**
|
||||
* list OpenPGP certificates
|
||||
*/
|
||||
static void stroke_list_pgp_certs(linked_list_t *list, char *label,
|
||||
bool utc, FILE *out)
|
||||
{
|
||||
bool first = TRUE;
|
||||
time_t now = time(NULL);
|
||||
enumerator_t *enumerator = list->create_enumerator(list);
|
||||
certificate_t *cert;
|
||||
chunk_t keyid;
|
||||
|
||||
while (enumerator->enumerate(enumerator, (void**)&cert))
|
||||
{
|
||||
time_t created, until;
|
||||
public_key_t *public;
|
||||
pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert;
|
||||
chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
|
||||
|
||||
if (first)
|
||||
{
|
||||
fprintf(out, "\n");
|
||||
fprintf(out, "List of %ss:\n", label);
|
||||
first = FALSE;
|
||||
}
|
||||
fprintf(out, "\n");
|
||||
fprintf(out, " userid: '%Y'\n", cert->get_subject(cert));
|
||||
fprintf(out, " digest: %#B\n", &fingerprint);
|
||||
|
||||
/* list validity */
|
||||
cert->get_validity(cert, &now, &created, &until);
|
||||
fprintf(out, " created: %T\n", &created, utc);
|
||||
fprintf(out, " until: %T%s\n", &until, utc,
|
||||
(until == TIME_32_BIT_SIGNED_MAX) ? " (expires never)":"");
|
||||
|
||||
public = cert->get_public_key(cert);
|
||||
if (public)
|
||||
{
|
||||
fprintf(out, " pubkey: %N %d bits%s\n",
|
||||
key_type_names, public->get_type(public),
|
||||
public->get_keysize(public),
|
||||
has_privkey(cert) ? ", has private key" : "");
|
||||
|
||||
if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
|
||||
{
|
||||
fprintf(out, " keyid: %#B\n", &keyid);
|
||||
}
|
||||
if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
|
||||
{
|
||||
fprintf(out, " subjkey: %#B\n", &keyid);
|
||||
}
|
||||
public->destroy(public);
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
}
|
||||
|
||||
/**
|
||||
* list all X.509 certificates matching the flags
|
||||
*/
|
||||
static void stroke_list_x509_certs(linked_list_t *list, char *label,
|
||||
x509_flag_t flags, bool utc, FILE *out)
|
||||
static void stroke_list_x509_certs(linked_list_t *list, x509_flag_t flag)
|
||||
{
|
||||
bool first = TRUE;
|
||||
enumerator_t *enumerator;
|
||||
certificate_t *cert;
|
||||
certificate_printer_t *printer;
|
||||
x509_flag_t flag_mask;
|
||||
|
||||
printer = certificate_printer_create(out, TRUE, utc),
|
||||
|
||||
/* mask all auxiliary flags */
|
||||
flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH | X509_IKE_INTERMEDIATE |
|
||||
X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS);
|
||||
|
||||
enumerator = list->create_enumerator(list);
|
||||
while (enumerator->enumerate(enumerator, (void**)&cert))
|
||||
{
|
||||
x509_t *x509 = (x509_t*)cert;
|
||||
x509_flag_t x509_flags = x509->get_flags(x509) & flag_mask;
|
||||
x509_flag_t flags = x509->get_flags(x509) & X509_ANY;
|
||||
|
||||
/* list only if flag is set or flag == 0 */
|
||||
if ((x509_flags & flags) || (x509_flags == flags))
|
||||
if ((flags & flag) || flags == flag)
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
fprintf(out, "\n");
|
||||
fprintf(out, "List of %ss:\n", label);
|
||||
first = FALSE;
|
||||
}
|
||||
fprintf(out, "\n");
|
||||
printer->print(printer, cert, has_privkey(cert));
|
||||
cert_printer->print_caption(cert_printer, CERT_X509, flag);
|
||||
cert_printer->print(cert_printer, cert, has_privkey(cert));
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
printer->destroy(printer);
|
||||
}
|
||||
|
||||
/**
|
||||
* list all other certificates types
|
||||
*/
|
||||
static void stroke_list_other_certs(linked_list_t *list, char *label,
|
||||
bool utc, FILE *out)
|
||||
static void stroke_list_other_certs(certificate_type_t type)
|
||||
{
|
||||
bool first = TRUE;
|
||||
enumerator_t *enumerator;
|
||||
certificate_t *cert;
|
||||
certificate_printer_t *printer;
|
||||
linked_list_t *list;
|
||||
|
||||
printer = certificate_printer_create(out, TRUE, utc),
|
||||
list = create_unique_cert_list(type);
|
||||
|
||||
enumerator = list->create_enumerator(list);
|
||||
while (enumerator->enumerate(enumerator, &cert))
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
fprintf(out, "\n");
|
||||
fprintf(out, "List of %ss:\n", label);
|
||||
first = FALSE;
|
||||
}
|
||||
fprintf(out, "\n");
|
||||
printer->print(printer, cert, has_privkey(cert));
|
||||
cert_printer->print_caption(cert_printer, cert->get_type(cert), X509_NONE);
|
||||
cert_printer->print(cert_printer, cert, has_privkey(cert));
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
printer->destroy(printer);
|
||||
list->destroy_offset(list, offsetof(certificate_t, destroy));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -1058,21 +979,15 @@ METHOD(stroke_list_t, list, void,
|
|||
{
|
||||
linked_list_t *cert_list = NULL;
|
||||
|
||||
cert_printer = certificate_printer_create(out, TRUE, msg->list.utc);
|
||||
|
||||
if (msg->list.flags & LIST_PUBKEYS)
|
||||
{
|
||||
linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY);
|
||||
|
||||
stroke_list_other_certs(pubkey_list, "Raw Public Key",
|
||||
msg->list.utc, out);
|
||||
pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy));
|
||||
stroke_list_other_certs(CERT_TRUSTED_PUBKEY);
|
||||
}
|
||||
if (msg->list.flags & LIST_CERTS)
|
||||
{
|
||||
linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG);
|
||||
|
||||
stroke_list_pgp_certs(pgp_list, "PGP End Entity Certificate",
|
||||
msg->list.utc, out);
|
||||
pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy));
|
||||
stroke_list_other_certs(CERT_GPG);
|
||||
}
|
||||
if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS))
|
||||
{
|
||||
|
@ -1080,49 +995,33 @@ METHOD(stroke_list_t, list, void,
|
|||
}
|
||||
if (msg->list.flags & LIST_CERTS)
|
||||
{
|
||||
stroke_list_x509_certs(cert_list, "X.509 End Entity Certificate",
|
||||
X509_NONE, msg->list.utc, out);
|
||||
stroke_list_x509_certs(cert_list, X509_NONE);
|
||||
}
|
||||
if (msg->list.flags & LIST_CACERTS)
|
||||
{
|
||||
stroke_list_x509_certs(cert_list, "X.509 CA Certificate",
|
||||
X509_CA, msg->list.utc, out);
|
||||
stroke_list_x509_certs(cert_list, X509_CA);
|
||||
}
|
||||
if (msg->list.flags & LIST_OCSPCERTS)
|
||||
{
|
||||
stroke_list_x509_certs(cert_list, "X.509 OCSP Signer Certificate",
|
||||
X509_OCSP_SIGNER, msg->list.utc, out);
|
||||
stroke_list_x509_certs(cert_list, X509_OCSP_SIGNER);
|
||||
}
|
||||
if (msg->list.flags & LIST_AACERTS)
|
||||
{
|
||||
stroke_list_x509_certs(cert_list, "X.509 AA Certificate",
|
||||
X509_AA, msg->list.utc, out);
|
||||
stroke_list_x509_certs(cert_list, X509_AA);
|
||||
}
|
||||
DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
|
||||
|
||||
if (msg->list.flags & LIST_ACERTS)
|
||||
{
|
||||
linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC);
|
||||
|
||||
stroke_list_other_certs(ac_list, "X.509 Attribute Certificate",
|
||||
msg->list.utc, out);
|
||||
ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy));
|
||||
stroke_list_other_certs(CERT_X509_AC);
|
||||
}
|
||||
if (msg->list.flags & LIST_CRLS)
|
||||
{
|
||||
linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL);
|
||||
|
||||
stroke_list_other_certs(crl_list, "X.509 CRL",
|
||||
msg->list.utc, out);
|
||||
crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy));
|
||||
stroke_list_other_certs(CERT_X509_CRL);
|
||||
}
|
||||
if (msg->list.flags & LIST_OCSP)
|
||||
{
|
||||
linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE);
|
||||
|
||||
stroke_list_other_certs(ocsp_list, "OCSP Response",
|
||||
msg->list.utc, out);
|
||||
ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy));
|
||||
stroke_list_other_certs(CERT_X509_OCSP_RESPONSE);
|
||||
}
|
||||
if (msg->list.flags & LIST_ALGS)
|
||||
{
|
||||
|
@ -1132,6 +1031,8 @@ METHOD(stroke_list_t, list, void,
|
|||
{
|
||||
list_plugins(out);
|
||||
}
|
||||
cert_printer->destroy(cert_printer);
|
||||
cert_printer = NULL;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -18,7 +18,7 @@ libstrongswan_vici_la_SOURCES = \
|
|||
vici_message.h vici_message.c \
|
||||
vici_builder.h vici_builder.c \
|
||||
vici_dispatcher.h vici_dispatcher.c \
|
||||
vici_cert_info.c vici_cert_info.h \
|
||||
vici_cert_info.h vici_cert_info.c \
|
||||
vici_query.h vici_query.c \
|
||||
vici_control.h vici_control.c \
|
||||
vici_config.h vici_config.c \
|
||||
|
@ -39,7 +39,7 @@ ipseclib_LTLIBRARIES = libvici.la
|
|||
libvici_la_SOURCES = \
|
||||
vici_message.c vici_message.h \
|
||||
vici_builder.c vici_builder.h \
|
||||
vici_cert_info.c vici_cert_info.h \
|
||||
vici_cert_info.h vici_cert_info.c \
|
||||
libvici.c libvici.h
|
||||
|
||||
libvici_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
|
||||
|
|
|
@ -369,7 +369,9 @@ call includes all certificates known by the daemon, not only those loaded
|
|||
over vici.
|
||||
|
||||
{
|
||||
type = <certificate type to filter for, or ANY>
|
||||
type = <certificate type to filter for, X509|X509_AC|X509_CRL|
|
||||
OCSP_RESPONSE|PUBKEY or ANY>
|
||||
flag = <X.509 certificate flag to filter for, NONE|CA|AA|OCSP or ANY>
|
||||
subject = <set to list only certificates having subject>
|
||||
} => {
|
||||
# completes after streaming list-cert events
|
||||
|
@ -427,7 +429,8 @@ Unload a previously loaded connection definition by name.
|
|||
Load a certificate into the daemon.
|
||||
|
||||
{
|
||||
type = <certificate type, X509|X509CA|X509AA|X509CRL|X509AC>
|
||||
type = <certificate type, X509|X509_AC|X509_CRL>
|
||||
flag = <X.509 certificate flag, NONE|CA|AA|OCSP>
|
||||
data = <PEM or DER encoded certificate data>
|
||||
} => {
|
||||
success = <yes or no>
|
||||
|
@ -753,7 +756,8 @@ The _list-cert_ event is issued to stream loaded certificates during an active
|
|||
_list-certs_ command.
|
||||
|
||||
{
|
||||
type = <certificate type>
|
||||
type = <certificate type, X509|X509_AC|X509_CRL|OCSP_RESPONSE|PUBKEY>
|
||||
flag = <X.509 certificate flag, NONE|CA|AA|OCSP>
|
||||
has_privkey = <set if a private key for the certificate is available>
|
||||
data = <ASN1 encoded certificate data>
|
||||
}
|
||||
|
|
|
@ -164,13 +164,13 @@ print $version->raw(), "\n";
|
|||
|
||||
loads a certificate into the daemon.
|
||||
|
||||
my %vars = ( type => 'X509CA', data => $ca_cert );
|
||||
my %vars = ( type => 'X509', flag => 'CA', data => $ca_cert );
|
||||
my ($res, $errmsg) = $session->load_cert(Vici::Message->new(\%vars));
|
||||
|
||||
=cut
|
||||
|
||||
print "----- load-cert -----\n";
|
||||
my %vars = ( type => 'X509CA', data => $ca_cert );
|
||||
my %vars = ( type => 'X509', flag => 'CA', data => $ca_cert );
|
||||
my ($res, $errmsg) = $session->load_cert(Vici::Message->new(\%vars));
|
||||
print $res ? "ok\n" : "failed: $errmsg\n";
|
||||
|
||||
|
|
|
@ -2,6 +2,9 @@
|
|||
* Copyright (C) 2014 Martin Willi
|
||||
* Copyright (C) 2014 revosec AG
|
||||
*
|
||||
* Copyright (C) 2015 Andreas Steffen
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
|
@ -67,9 +70,9 @@ static vici_message_t* create_reply(char *fmt, ...)
|
|||
CALLBACK(load_cert, vici_message_t*,
|
||||
private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
|
||||
{
|
||||
vici_cert_info_t *cert_info;
|
||||
certificate_t *cert;
|
||||
x509_flag_t flag;
|
||||
certificate_type_t type;
|
||||
x509_flag_t ext_flag, flag = X509_NONE;
|
||||
x509_t *x509;
|
||||
chunk_t data;
|
||||
bool trusted = TRUE;
|
||||
|
@ -80,9 +83,18 @@ CALLBACK(load_cert, vici_message_t*,
|
|||
{
|
||||
return create_reply("certificate type missing");
|
||||
}
|
||||
|
||||
cert_info = vici_cert_info_retrieve(str);
|
||||
if (!cert_info)
|
||||
if (enum_from_name(certificate_type_names, str, &type))
|
||||
{
|
||||
if (type == CERT_X509)
|
||||
{
|
||||
str = message->get_str(message, "NONE", "flag");
|
||||
if (!enum_from_name(x509_flag_names, str, &flag))
|
||||
{
|
||||
return create_reply("invalid certificate flag '%s'", str);
|
||||
}
|
||||
}
|
||||
}
|
||||
else if (!vici_cert_info_from_str(str, &type, &flag))
|
||||
{
|
||||
return create_reply("invalid certificate type '%s'", str);
|
||||
}
|
||||
|
@ -94,21 +106,21 @@ CALLBACK(load_cert, vici_message_t*,
|
|||
}
|
||||
|
||||
/* do not set CA flag externally */
|
||||
flag = (cert_info->flag & X509_CA) ? X509_NONE : cert_info->flag;
|
||||
ext_flag = (flag & X509_CA) ? X509_NONE : flag;
|
||||
|
||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, cert_info->type,
|
||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
|
||||
BUILD_BLOB_PEM, data,
|
||||
BUILD_X509_FLAG, flag,
|
||||
BUILD_X509_FLAG, ext_flag,
|
||||
BUILD_END);
|
||||
if (!cert)
|
||||
{
|
||||
return create_reply("parsing %N certificate failed",
|
||||
certificate_type_names, cert_info->type);
|
||||
certificate_type_names, type);
|
||||
}
|
||||
DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
|
||||
|
||||
/* check if CA certificate has CA basic constraint set */
|
||||
if (cert_info->flag & X509_CA)
|
||||
if (flag & X509_CA)
|
||||
{
|
||||
char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
|
||||
x509 = (x509_t*)cert;
|
||||
|
@ -120,7 +132,7 @@ CALLBACK(load_cert, vici_message_t*,
|
|||
return create_reply(err_msg);
|
||||
}
|
||||
}
|
||||
if (cert_info->type == CERT_X509_CRL)
|
||||
if (type == CERT_X509_CRL)
|
||||
{
|
||||
this->creds->add_crl(this->creds, (crl_t*)cert);
|
||||
}
|
||||
|
|
|
@ -40,8 +40,6 @@
|
|||
|
||||
#include "vici_query.h"
|
||||
#include "vici_builder.h"
|
||||
#include "vici_version.h"
|
||||
#include "vici_cert_info.h"
|
||||
|
||||
#include <inttypes.h>
|
||||
#include <time.h>
|
||||
|
@ -53,6 +51,8 @@
|
|||
#endif
|
||||
|
||||
#include <daemon.h>
|
||||
#include <credentials/certificates/certificate.h>
|
||||
#include <credentials/certificates/x509.h>
|
||||
|
||||
typedef struct private_vici_query_t private_vici_query_t;
|
||||
|
||||
|
@ -809,7 +809,6 @@ static bool has_privkey(certificate_t *cert)
|
|||
* Store cert filter data
|
||||
*/
|
||||
typedef struct {
|
||||
vici_version_t version;
|
||||
certificate_type_t type;
|
||||
x509_flag_t flag;
|
||||
identification_t *subject;
|
||||
|
@ -820,27 +819,25 @@ typedef struct {
|
|||
*/
|
||||
static void enum_x509(private_vici_query_t *this, u_int id,
|
||||
linked_list_t *certs, cert_filter_t *filter,
|
||||
x509_flag_t flag, char *cert_type)
|
||||
x509_flag_t flag)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
certificate_t *cert;
|
||||
vici_builder_t *b;
|
||||
chunk_t encoding;
|
||||
x509_flag_t mask;
|
||||
x509_t *x509;
|
||||
|
||||
if (filter->type != CERT_ANY && filter->version != VICI_1_0 &&
|
||||
if (filter->type != CERT_ANY && filter->flag != X509_ANY &&
|
||||
filter->flag != flag)
|
||||
{
|
||||
return;
|
||||
}
|
||||
mask = X509_CA | X509_AA | X509_OCSP_SIGNER;
|
||||
|
||||
enumerator = certs->create_enumerator(certs);
|
||||
while (enumerator->enumerate(enumerator, &cert))
|
||||
{
|
||||
x509 = (x509_t*)cert;
|
||||
if ((x509->get_flags(x509) & mask) != flag)
|
||||
if ((x509->get_flags(x509) & X509_ANY) != flag)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
@ -848,16 +845,8 @@ static void enum_x509(private_vici_query_t *this, u_int id,
|
|||
if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
|
||||
{
|
||||
b = vici_builder_create();
|
||||
if (filter->version == VICI_1_0)
|
||||
{
|
||||
b->add_kv(b, "type", "%N", certificate_type_names,
|
||||
cert->get_type(cert));
|
||||
}
|
||||
else
|
||||
{
|
||||
b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION);
|
||||
b->add_kv(b, "type", "%s", cert_type);
|
||||
}
|
||||
b->add_kv(b, "type", "%N", certificate_type_names, CERT_X509);
|
||||
b->add_kv(b, "flag", "%N", x509_flag_names, flag);
|
||||
if (has_privkey(cert))
|
||||
{
|
||||
b->add_kv(b, "has_privkey", "yes");
|
||||
|
@ -876,8 +865,7 @@ static void enum_x509(private_vici_query_t *this, u_int id,
|
|||
* Enumerate all non-X.509 certificate types
|
||||
*/
|
||||
static void enum_others(private_vici_query_t *this, u_int id,
|
||||
linked_list_t *certs, cert_filter_t *filter,
|
||||
char *cert_type)
|
||||
linked_list_t *certs, cert_filter_t *filter)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
certificate_t *cert;
|
||||
|
@ -890,16 +878,8 @@ static void enum_others(private_vici_query_t *this, u_int id,
|
|||
if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
|
||||
{
|
||||
b = vici_builder_create();
|
||||
if (filter->version == VICI_1_0)
|
||||
{
|
||||
b->add_kv(b, "type", "%N", certificate_type_names,
|
||||
cert->get_type(cert));
|
||||
}
|
||||
else
|
||||
{
|
||||
b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION);
|
||||
b->add_kv(b, "type", "%s", cert_type);
|
||||
}
|
||||
b->add_kv(b, "type", "%N", certificate_type_names,
|
||||
cert->get_type(cert));
|
||||
if (has_privkey(cert))
|
||||
{
|
||||
b->add_kv(b, "has_privkey", "yes");
|
||||
|
@ -918,8 +898,7 @@ static void enum_others(private_vici_query_t *this, u_int id,
|
|||
* Enumerate all certificates of a given type
|
||||
*/
|
||||
static void enum_certs(private_vici_query_t *this, u_int id,
|
||||
cert_filter_t *filter, certificate_type_t type,
|
||||
char *cert_type)
|
||||
cert_filter_t *filter, certificate_type_t type)
|
||||
{
|
||||
enumerator_t *e1, *e2;
|
||||
certificate_t *cert, *current;
|
||||
|
@ -958,14 +937,14 @@ static void enum_certs(private_vici_query_t *this, u_int id,
|
|||
|
||||
if (type == CERT_X509)
|
||||
{
|
||||
enum_x509(this, id, certs, filter, X509_NONE, "x509");
|
||||
enum_x509(this, id, certs, filter, X509_CA, "x509ca");
|
||||
enum_x509(this, id, certs, filter, X509_AA, "x509ac");
|
||||
enum_x509(this, id, certs, filter, X509_OCSP_SIGNER, "x509ocsp");
|
||||
enum_x509(this, id, certs, filter, X509_NONE);
|
||||
enum_x509(this, id, certs, filter, X509_CA);
|
||||
enum_x509(this, id, certs, filter, X509_AA);
|
||||
enum_x509(this, id, certs, filter, X509_OCSP_SIGNER);
|
||||
}
|
||||
else
|
||||
{
|
||||
enum_others(this, id, certs, filter, cert_type);
|
||||
enum_others(this, id, certs, filter);
|
||||
}
|
||||
certs->destroy_offset(certs, offsetof(certificate_t, destroy));
|
||||
}
|
||||
|
@ -974,43 +953,25 @@ CALLBACK(list_certs, vici_message_t*,
|
|||
private_vici_query_t *this, char *name, u_int id, vici_message_t *request)
|
||||
{
|
||||
cert_filter_t filter = {
|
||||
.version = VICI_1_0,
|
||||
.type = CERT_ANY,
|
||||
.flag = X509_NONE,
|
||||
.flag = X509_ANY,
|
||||
.subject = NULL
|
||||
};
|
||||
vici_builder_t *b;
|
||||
char *str;
|
||||
|
||||
str = request->get_str(request, "1.0", "vici");
|
||||
if (!enum_from_name(vici_version_names, str, &filter.version))
|
||||
str = request->get_str(request, "ANY", "type");
|
||||
if (!enum_from_name(certificate_type_names, str, &filter.type))
|
||||
{
|
||||
DBG1(DBG_CFG, "unsupported vici version '%s'", str);
|
||||
DBG1(DBG_CFG, "invalid certificate type '%s'", str);
|
||||
goto finalize;
|
||||
}
|
||||
str = request->get_str(request, "ANY", "type");
|
||||
|
||||
if (filter.version == VICI_1_0)
|
||||
if (filter.type == CERT_X509)
|
||||
{
|
||||
if (!enum_from_name(certificate_type_names, str, &filter.type))
|
||||
str = request->get_str(request, "ANY", "flag");
|
||||
if (!enum_from_name(x509_flag_names, str, &filter.flag))
|
||||
{
|
||||
DBG1(DBG_CFG, "invalid certificate type '%s'", str);
|
||||
goto finalize;
|
||||
}
|
||||
}
|
||||
else /* VICI 2.0 */
|
||||
{
|
||||
vici_cert_info_t *cert_info;
|
||||
|
||||
cert_info = vici_cert_info_retrieve(str);
|
||||
if (cert_info)
|
||||
{
|
||||
filter.type = cert_info->type;
|
||||
filter.flag = cert_info->flag;
|
||||
}
|
||||
else
|
||||
{
|
||||
DBG1(DBG_CFG, "invalid certificate type '%s'", str);
|
||||
DBG1(DBG_CFG, "invalid certificate flag '%s'", str);
|
||||
goto finalize;
|
||||
}
|
||||
}
|
||||
|
@ -1020,11 +981,12 @@ CALLBACK(list_certs, vici_message_t*,
|
|||
{
|
||||
filter.subject = identification_create_from_string(str);
|
||||
}
|
||||
enum_certs(this, id, &filter, CERT_TRUSTED_PUBKEY, "pubkey");
|
||||
enum_certs(this, id, &filter, CERT_X509, "x509");
|
||||
enum_certs(this, id, &filter, CERT_X509_AC, "x509ac");
|
||||
enum_certs(this, id, &filter, CERT_X509_CRL, "x509crl");
|
||||
enum_certs(this, id, &filter, CERT_X509_OCSP_RESPONSE, "ocsp");
|
||||
|
||||
enum_certs(this, id, &filter, CERT_TRUSTED_PUBKEY);
|
||||
enum_certs(this, id, &filter, CERT_X509);
|
||||
enum_certs(this, id, &filter, CERT_X509_AC);
|
||||
enum_certs(this, id, &filter, CERT_X509_CRL);
|
||||
enum_certs(this, id, &filter, CERT_X509_OCSP_RESPONSE);
|
||||
DESTROY_IF(filter.subject);
|
||||
|
||||
finalize:
|
||||
|
@ -1140,8 +1102,6 @@ CALLBACK(version, vici_message_t*,
|
|||
vici_builder_t *b;
|
||||
|
||||
b = vici_builder_create();
|
||||
|
||||
b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION);
|
||||
b->add_kv(b, "daemon", "%s", lib->ns);
|
||||
b->add_kv(b, "version", "%s", VERSION);
|
||||
|
||||
|
|
|
@ -17,10 +17,11 @@
|
|||
*/
|
||||
|
||||
#include "certificate_printer.h"
|
||||
#include "x509.h"
|
||||
#include "crl.h"
|
||||
#include "ac.h"
|
||||
#include "ocsp_response.h"
|
||||
#include "credentials/certificates/x509.h"
|
||||
#include "credentials/certificates/crl.h"
|
||||
#include "credentials/certificates/ac.h"
|
||||
#include "credentials/certificates/ocsp_response.h"
|
||||
#include "credentials/certificates/pgp_certificate.h"
|
||||
|
||||
#include <asn1/asn1.h>
|
||||
#include <asn1/oid.h>
|
||||
|
@ -54,6 +55,17 @@ struct private_certificate_printer_t {
|
|||
* Print time information in UTC
|
||||
*/
|
||||
bool utc;
|
||||
|
||||
/**
|
||||
* Previous certificate type
|
||||
*/
|
||||
certificate_type_t type;
|
||||
|
||||
/**
|
||||
* Previous X.509 certificate flag
|
||||
*/
|
||||
x509_flag_t flag;
|
||||
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -568,7 +580,7 @@ METHOD(certificate_printer_t, print, void,
|
|||
{
|
||||
fprintf(f, " subject: \"%Y\"\n", subject);
|
||||
}
|
||||
if (cert->get_type(cert) != CERT_TRUSTED_PUBKEY)
|
||||
if (type != CERT_TRUSTED_PUBKEY && type != CERT_GPG)
|
||||
{
|
||||
fprintf(f, " issuer: \"%Y\"\n", cert->get_issuer(cert));
|
||||
}
|
||||
|
@ -577,35 +589,44 @@ METHOD(certificate_printer_t, print, void,
|
|||
cert->get_validity(cert, &now, ¬Before, ¬After);
|
||||
if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME)
|
||||
{
|
||||
if (type == CERT_X509_CRL || type == CERT_X509_OCSP_RESPONSE)
|
||||
if (type == CERT_GPG)
|
||||
{
|
||||
t0 = "update: ";
|
||||
t1 = "this on";
|
||||
t2 = "next on";
|
||||
fprintf(f, " created: %T\n", ¬Before, this->utc);
|
||||
fprintf(f, " until: %T%s\n", ¬After, this->utc,
|
||||
(notAfter == TIME_32_BIT_SIGNED_MAX) ?" expires never" : "");
|
||||
}
|
||||
else
|
||||
{
|
||||
t0 = "validity:";
|
||||
t1 = "not before";
|
||||
t2 = "not after ";
|
||||
}
|
||||
fprintf(f, " %s %s %T, ", t0, t1, ¬Before, this->utc);
|
||||
if (now < notBefore)
|
||||
{
|
||||
fprintf(f, "not valid yet (valid in %V)\n", &now, ¬Before);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(f, "ok\n");
|
||||
}
|
||||
fprintf(f, " %s %T, ", t2, ¬After, this->utc);
|
||||
if (now > notAfter)
|
||||
{
|
||||
fprintf(f, "expired (%V ago)\n", &now, ¬After);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(f, "ok (expires in %V)\n", &now, ¬After);
|
||||
if (type == CERT_X509_CRL || type == CERT_X509_OCSP_RESPONSE)
|
||||
{
|
||||
t0 = "update: ";
|
||||
t1 = "this on";
|
||||
t2 = "next on";
|
||||
}
|
||||
else
|
||||
{
|
||||
t0 = "validity:";
|
||||
t1 = "not before";
|
||||
t2 = "not after ";
|
||||
}
|
||||
fprintf(f, " %s %s %T, ", t0, t1, ¬Before, this->utc);
|
||||
if (now < notBefore)
|
||||
{
|
||||
fprintf(f, "not valid yet (valid in %V)\n", &now, ¬Before);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(f, "ok\n");
|
||||
}
|
||||
fprintf(f, " %s %T, ", t2, ¬After, this->utc);
|
||||
if (now > notAfter)
|
||||
{
|
||||
fprintf(f, "expired (%V ago)\n", &now, ¬After);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(f, "ok (expires in %V)\n", &now, ¬After);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -627,6 +648,13 @@ METHOD(certificate_printer_t, print, void,
|
|||
default:
|
||||
break;
|
||||
}
|
||||
if (type == CERT_GPG)
|
||||
{
|
||||
pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert;
|
||||
chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
|
||||
|
||||
fprintf(f, " pgpDigest: %#B\n", &fingerprint);
|
||||
}
|
||||
key = cert->get_public_key(cert);
|
||||
if (key)
|
||||
{
|
||||
|
@ -635,6 +663,65 @@ METHOD(certificate_printer_t, print, void,
|
|||
}
|
||||
}
|
||||
|
||||
METHOD(certificate_printer_t, print_caption, void,
|
||||
private_certificate_printer_t *this, certificate_type_t type,
|
||||
x509_flag_t flag)
|
||||
{
|
||||
char *caption;
|
||||
|
||||
if (type != this->type || (type == CERT_X509 && flag != this->flag))
|
||||
{
|
||||
switch (type)
|
||||
{
|
||||
case CERT_X509:
|
||||
switch (flag)
|
||||
{
|
||||
case X509_NONE:
|
||||
caption = "X.509 End Entity Certificate";
|
||||
break;
|
||||
case X509_CA:
|
||||
caption = "X.509 CA Certificate";
|
||||
break;
|
||||
case X509_AA:
|
||||
caption = "X.509 AA Certificate";
|
||||
break;
|
||||
case X509_OCSP_SIGNER:
|
||||
caption = "X.509 OCSP Signer Certificate";
|
||||
break;
|
||||
default:
|
||||
return;
|
||||
}
|
||||
break;
|
||||
case CERT_X509_AC:
|
||||
caption = "X.509 Attribute Certificate";
|
||||
break;
|
||||
case CERT_X509_CRL:
|
||||
caption = "X.509 CRL";
|
||||
break;
|
||||
case CERT_X509_OCSP_RESPONSE:
|
||||
caption = "OCSP Response";
|
||||
break;
|
||||
case CERT_TRUSTED_PUBKEY:
|
||||
caption = "Raw Public Key";
|
||||
break;
|
||||
case CERT_GPG:
|
||||
caption = "PGP End Entity Certificate";
|
||||
break;
|
||||
default:
|
||||
return;
|
||||
}
|
||||
fprintf(this->f, "\nList of %ss\n", caption);
|
||||
|
||||
/* Update to current type and flag value */
|
||||
this->type = type;
|
||||
if (type == CERT_X509)
|
||||
{
|
||||
this->flag = flag;
|
||||
}
|
||||
}
|
||||
fprintf(this->f, "\n");
|
||||
}
|
||||
|
||||
METHOD(certificate_printer_t, destroy, void,
|
||||
private_certificate_printer_t *this)
|
||||
{
|
||||
|
@ -652,11 +739,14 @@ certificate_printer_t *certificate_printer_create(FILE *f, bool detailed,
|
|||
INIT(this,
|
||||
.public = {
|
||||
.print = _print,
|
||||
.print_caption = _print_caption,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
.f = f,
|
||||
.detailed = detailed,
|
||||
.utc = utc,
|
||||
.type = CERT_ANY,
|
||||
.flag = X509_ANY,
|
||||
);
|
||||
|
||||
return &this->public;
|
||||
|
|
|
@ -24,6 +24,7 @@
|
|||
typedef struct certificate_printer_t certificate_printer_t;
|
||||
|
||||
#include "credentials/certificates/certificate.h"
|
||||
#include "credentials/certificates/x509.h"
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
|
@ -41,6 +42,15 @@ struct certificate_printer_t {
|
|||
void (*print)(certificate_printer_t *this, certificate_t *cert,
|
||||
bool has_privkey);
|
||||
|
||||
/**
|
||||
* Print a caption if the certificate type changed.
|
||||
*
|
||||
* @type certificate type
|
||||
* @flag X.509 certificate flag
|
||||
*/
|
||||
void (*print_caption)(certificate_printer_t *this, certificate_type_t type,
|
||||
x509_flag_t flag);
|
||||
|
||||
/**
|
||||
* Destroy the certificate_printer object.
|
||||
*/
|
||||
|
|
|
@ -433,9 +433,9 @@ static int usage(char *error)
|
|||
fprintf(out, " Show extended status information without blocking:\n");
|
||||
fprintf(out, " stroke statusall-nb\n");
|
||||
fprintf(out, " Show list of authority and attribute certificates:\n");
|
||||
fprintf(out, " stroke listcacerts|listocspcerts|listaacerts|listacerts\n");
|
||||
fprintf(out, " stroke listcacerts|listocspcerts|listaacerts|listacerts [--utc]\n");
|
||||
fprintf(out, " Show list of end entity certificates, ca info records and crls:\n");
|
||||
fprintf(out, " stroke listcerts|listcainfos|listcrls|listall\n");
|
||||
fprintf(out, " stroke listcerts|listcainfos|listcrls|listall [--utc]\n");
|
||||
fprintf(out, " Show list of supported algorithms:\n");
|
||||
fprintf(out, " stroke listalgs\n");
|
||||
fprintf(out, " Reload authority and attribute certificates:\n");
|
||||
|
|
|
@ -2,9 +2,6 @@
|
|||
* Copyright (C) 2009 Martin Willi
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* Copyright (C) 2015 Andreas Steffen
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
|
@ -35,7 +32,7 @@
|
|||
/**
|
||||
* Maximum number of options in a command (+3)
|
||||
*/
|
||||
#define MAX_OPTIONS 32
|
||||
#define MAX_OPTIONS 34
|
||||
|
||||
/**
|
||||
* Maximum number of usage summary lines (+1)
|
||||
|
@ -82,12 +79,10 @@ struct command_t {
|
|||
* Command format options
|
||||
*/
|
||||
enum command_format_options_t {
|
||||
COMMAND_FORMAT_NONE = 0,
|
||||
COMMAND_FORMAT_NONE = 0,
|
||||
COMMAND_FORMAT_RAW = (1<<0),
|
||||
COMMAND_FORMAT_PRETTY = (1<<1),
|
||||
COMMAND_FORMAT_PEM = (1<<2),
|
||||
COMMAND_FORMAT_SHORT = (1<<3),
|
||||
COMMAND_FORMAT_UTC = (1<<4),
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
|
@ -27,15 +27,12 @@
|
|||
#include <credentials/certificates/certificate_printer.h>
|
||||
#include <selectors/traffic_selector.h>
|
||||
|
||||
#include <vici_version.h>
|
||||
#include <vici_cert_info.h>
|
||||
|
||||
#include "command.h"
|
||||
|
||||
/**
|
||||
* Current certificate type info
|
||||
* Static certificate printer object
|
||||
*/
|
||||
static vici_cert_info_t *current_cert_info = NULL;
|
||||
static certificate_printer_t *cert_printer = NULL;
|
||||
|
||||
/**
|
||||
* Print PEM encoding of a certificate
|
||||
|
@ -59,11 +56,10 @@ CALLBACK(list_cb, void,
|
|||
command_format_options_t *format, char *name, vici_res_t *res)
|
||||
{
|
||||
certificate_t *cert;
|
||||
certificate_printer_t *printer;
|
||||
vici_version_t version;
|
||||
vici_cert_info_t *cert_info;
|
||||
bool detailed, utc, has_privkey, first = FALSE;
|
||||
char *version_str, *type_str;
|
||||
certificate_type_t type;
|
||||
x509_flag_t flag = X509_NONE;
|
||||
bool has_privkey;
|
||||
char *str;
|
||||
void *buf;
|
||||
int len;
|
||||
|
||||
|
@ -74,14 +70,6 @@ CALLBACK(list_cb, void,
|
|||
return;
|
||||
}
|
||||
|
||||
version_str = vici_find_str(res, "1.0", "vici");
|
||||
if (!enum_from_name(vici_version_names, version_str, &version) ||
|
||||
version == VICI_1_0)
|
||||
{
|
||||
fprintf(stderr, "unsupported vici version '%s'\n", version_str);
|
||||
return;
|
||||
}
|
||||
|
||||
buf = vici_find(res, &len, "data");
|
||||
if (!buf)
|
||||
{
|
||||
|
@ -90,23 +78,24 @@ CALLBACK(list_cb, void,
|
|||
}
|
||||
has_privkey = streq(vici_find_str(res, "no", "has_privkey"), "yes");
|
||||
|
||||
type_str = vici_find_str(res, "any", "type");
|
||||
cert_info = vici_cert_info_retrieve(type_str);
|
||||
if (!cert_info || cert_info->type == CERT_ANY)
|
||||
str = vici_find_str(res, "ANY", "type");
|
||||
if (!enum_from_name(certificate_type_names, str, &type) || type == CERT_ANY)
|
||||
{
|
||||
fprintf(stderr, "unsupported certificate type '%s'\n", type_str);
|
||||
fprintf(stderr, "unsupported certificate type '%s'\n", str);
|
||||
return;
|
||||
}
|
||||
|
||||
/* Detect change of certificate type */
|
||||
if (cert_info != current_cert_info)
|
||||
if (type == CERT_X509)
|
||||
{
|
||||
first = TRUE;
|
||||
current_cert_info = cert_info;
|
||||
str = vici_find_str(res, "ANY", "flag");
|
||||
if (!enum_from_name(x509_flag_names, str, &flag) || flag == X509_ANY)
|
||||
{
|
||||
fprintf(stderr, "unsupported certificate flag '%s'\n", str);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
/* Parse certificate data blob */
|
||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, cert_info->type,
|
||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
|
||||
BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
|
||||
BUILD_END);
|
||||
if (cert)
|
||||
|
@ -117,16 +106,8 @@ CALLBACK(list_cb, void,
|
|||
}
|
||||
else
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
printf("\nList of %ss:\n", cert_info->caption);
|
||||
}
|
||||
printf("\n");
|
||||
detailed = !(*format & COMMAND_FORMAT_SHORT);
|
||||
utc = *format & COMMAND_FORMAT_UTC;
|
||||
printer = certificate_printer_create(stdout, detailed, utc);
|
||||
printer->print(printer, cert, has_privkey);
|
||||
printer->destroy(printer);
|
||||
cert_printer->print_caption(cert_printer, type, flag);
|
||||
cert_printer->print(cert_printer, cert, has_privkey);
|
||||
}
|
||||
cert->destroy(cert);
|
||||
}
|
||||
|
@ -141,7 +122,8 @@ static int list_certs(vici_conn_t *conn)
|
|||
vici_req_t *req;
|
||||
vici_res_t *res;
|
||||
command_format_options_t format = COMMAND_FORMAT_NONE;
|
||||
char *arg, *subject = NULL, *type = NULL;
|
||||
char *arg, *subject = NULL, *type = NULL, *flag = NULL;
|
||||
bool detailed = TRUE, utc = FALSE;
|
||||
int ret;
|
||||
|
||||
while (TRUE)
|
||||
|
@ -156,6 +138,9 @@ static int list_certs(vici_conn_t *conn)
|
|||
case 't':
|
||||
type = arg;
|
||||
continue;
|
||||
case 'f':
|
||||
flag = arg;
|
||||
continue;
|
||||
case 'p':
|
||||
format |= COMMAND_FORMAT_PEM;
|
||||
continue;
|
||||
|
@ -166,10 +151,10 @@ static int list_certs(vici_conn_t *conn)
|
|||
format |= COMMAND_FORMAT_RAW;
|
||||
continue;
|
||||
case 'S':
|
||||
format |= COMMAND_FORMAT_SHORT;
|
||||
detailed = FALSE;
|
||||
continue;
|
||||
case 'U':
|
||||
format |= COMMAND_FORMAT_UTC;
|
||||
utc = TRUE;
|
||||
continue;
|
||||
case EOF:
|
||||
break;
|
||||
|
@ -186,22 +171,28 @@ static int list_certs(vici_conn_t *conn)
|
|||
return ret;
|
||||
}
|
||||
req = vici_begin("list-certs");
|
||||
vici_add_version(req, VICI_VERSION);
|
||||
|
||||
if (type)
|
||||
{
|
||||
vici_add_key_valuef(req, "type", "%s", type);
|
||||
}
|
||||
if (flag)
|
||||
{
|
||||
vici_add_key_valuef(req, "flag", "%s", flag);
|
||||
}
|
||||
if (subject)
|
||||
{
|
||||
vici_add_key_valuef(req, "subject", "%s", subject);
|
||||
}
|
||||
cert_printer = certificate_printer_create(stdout, detailed, utc);
|
||||
|
||||
res = vici_submit(req, conn);
|
||||
if (!res)
|
||||
{
|
||||
ret = errno;
|
||||
fprintf(stderr, "list-certs request failed: %s\n", strerror(errno));
|
||||
cert_printer->destroy(cert_printer);
|
||||
cert_printer = NULL;
|
||||
return ret;
|
||||
}
|
||||
if (format & COMMAND_FORMAT_RAW)
|
||||
|
@ -210,6 +201,9 @@ static int list_certs(vici_conn_t *conn)
|
|||
stdout);
|
||||
}
|
||||
vici_free_res(res);
|
||||
|
||||
cert_printer->destroy(cert_printer);
|
||||
cert_printer = NULL;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -221,12 +215,14 @@ static void __attribute__ ((constructor))reg()
|
|||
command_register((command_t) {
|
||||
list_certs, 'x', "list-certs", "list stored certificates",
|
||||
{"[--subject <dn/san>] "
|
||||
"[--type x509|x509ca|x509aa|x509ac|x509crl|x509ocsp|ocsp] "
|
||||
"[--type x509|x509_ac|x509_crl|ocsp_response|pubkey]\n "
|
||||
"[--flag none|ca|aa|ocsp|any] "
|
||||
"[--pem] [--raw|--pretty|--short|--utc]"},
|
||||
{
|
||||
{"help", 'h', 0, "show usage information"},
|
||||
{"subject", 's', 1, "filter by certificate subject"},
|
||||
{"type", 't', 1, "filter by certificate type"},
|
||||
{"flag", 'f', 1, "filter by X.509 certificate flag"},
|
||||
{"pem", 'p', 0, "print PEM encoding of certificate"},
|
||||
{"raw", 'r', 0, "dump raw response message"},
|
||||
{"pretty", 'P', 0, "dump raw response message in pretty print"},
|
||||
|
|
|
@ -30,11 +30,14 @@
|
|||
#include <credentials/sets/callback_cred.h>
|
||||
#include <credentials/containers/pkcs12.h>
|
||||
|
||||
#include <vici_cert_info.h>
|
||||
|
||||
/**
|
||||
* Load a single certificate over vici
|
||||
*/
|
||||
static bool load_cert(vici_conn_t *conn, command_format_options_t format,
|
||||
char *dir, char *type, chunk_t data)
|
||||
char *dir, certificate_type_t type, x509_flag_t flag,
|
||||
chunk_t data)
|
||||
{
|
||||
vici_req_t *req;
|
||||
vici_res_t *res;
|
||||
|
@ -42,7 +45,11 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
|
|||
|
||||
req = vici_begin("load-cert");
|
||||
|
||||
vici_add_key_valuef(req, "type", "%s", type);
|
||||
vici_add_key_valuef(req, "type", "%N", certificate_type_names, type);
|
||||
if (type == CERT_X509)
|
||||
{
|
||||
vici_add_key_valuef(req, "flag", "%N", x509_flag_names, flag);
|
||||
}
|
||||
vici_add_key_value(req, "data", data.ptr, data.len);
|
||||
|
||||
res = vici_submit(req, conn);
|
||||
|
@ -64,7 +71,7 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
|
|||
}
|
||||
else
|
||||
{
|
||||
printf("loaded %s certificate from '%s'\n", type, dir);
|
||||
printf("loaded certificate from '%s'\n", dir);
|
||||
}
|
||||
vici_free_res(res);
|
||||
return ret;
|
||||
|
@ -74,13 +81,17 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
|
|||
* Load certficiates from a directory
|
||||
*/
|
||||
static void load_certs(vici_conn_t *conn, command_format_options_t format,
|
||||
char *type, char *dir)
|
||||
char *type_str, char *dir)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
certificate_type_t type;
|
||||
x509_flag_t flag;
|
||||
struct stat st;
|
||||
chunk_t *map;
|
||||
char *path;
|
||||
|
||||
vici_cert_info_from_str(type_str, &type, &flag);
|
||||
|
||||
enumerator = enumerator_create_directory(dir);
|
||||
if (enumerator)
|
||||
{
|
||||
|
@ -91,7 +102,7 @@ static void load_certs(vici_conn_t *conn, command_format_options_t format,
|
|||
map = chunk_map(path, FALSE);
|
||||
if (map)
|
||||
{
|
||||
load_cert(conn, format, path, type, *map);
|
||||
load_cert(conn, format, path, type, flag, *map);
|
||||
chunk_unmap(map);
|
||||
}
|
||||
else
|
||||
|
@ -446,7 +457,8 @@ static bool load_pkcs12(vici_conn_t *conn, command_format_options_t format,
|
|||
loaded = FALSE;
|
||||
if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
|
||||
{
|
||||
loaded = load_cert(conn, format, path, "x509", encoding);
|
||||
loaded = load_cert(conn, format, path, CERT_X509, X509_NONE,
|
||||
encoding);
|
||||
if (loaded)
|
||||
{
|
||||
fprintf(stderr, " %Y\n", cert->get_subject(cert));
|
||||
|
@ -682,11 +694,10 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
|
|||
|
||||
load_certs(conn, format, "x509", SWANCTL_X509DIR);
|
||||
load_certs(conn, format, "x509ca", SWANCTL_X509CADIR);
|
||||
load_certs(conn, format, "x509aa", SWANCTL_X509AADIR);
|
||||
load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR);
|
||||
load_certs(conn, format, "x509ac", SWANCTL_X509ACDIR);
|
||||
load_certs(conn, format, "x509ocsp", SWANCTL_X509OCSPDIR);
|
||||
load_certs(conn, format, "pubkey", SWANCTL_PUBKEYDIR);
|
||||
load_certs(conn, format, "x509aa", SWANCTL_X509AADIR);
|
||||
load_certs(conn, format, "x509ac", SWANCTL_X509ACDIR);
|
||||
load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR);
|
||||
|
||||
load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
|
||||
load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
|
||||
|
|
Loading…
Reference in New Issue