ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

Refactored certificate management for the vici and stroke interfaces

This commit is contained in:
Andreas Steffen 2015-12-11 18:24:58 +01:00
parent 4df09fe563
commit 02d431022c
12 changed files with 287 additions and 308 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

157
src/libcharon/plugins/stroke/stroke_list.c
View File

@ -31,7 +31,6 @@
#include <collections/linked_list.h> #include <collections/linked_list.h>
#include <plugins/plugin.h> #include <plugins/plugin.h>
#include <credentials/certificates/x509.h> #include <credentials/certificates/x509.h>
#include <credentials/certificates/pgp_certificate.h>
#include <credentials/certificates/certificate_printer.h> #include <credentials/certificates/certificate_printer.h>
#include <config/peer_cfg.h> #include <config/peer_cfg.h>
@ -63,6 +62,11 @@ struct private_stroke_list_t {
stroke_attribute_t *attribute; stroke_attribute_t *attribute;
}; };
/**
* Static certificate printer object
*/
static certificate_printer_t *cert_printer = NULL;
/** /**
* Log tasks of a specific queue to out * Log tasks of a specific queue to out
*/ */
@ -760,133 +764,50 @@ static bool has_privkey(certificate_t *cert)
return (private != NULL); return (private != NULL);
} }
/**
* list OpenPGP certificates
*/
static void stroke_list_pgp_certs(linked_list_t *list, char *label,
bool utc, FILE *out)
{
bool first = TRUE;
time_t now = time(NULL);
enumerator_t *enumerator = list->create_enumerator(list);
certificate_t *cert;
chunk_t keyid;
while (enumerator->enumerate(enumerator, (void**)&cert))
{
time_t created, until;
public_key_t *public;
pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert;
chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
if (first)
{
fprintf(out, "\n");
fprintf(out, "List of %ss:\n", label);
first = FALSE;
}
fprintf(out, "\n");
fprintf(out, " userid: '%Y'\n", cert->get_subject(cert));
fprintf(out, " digest: %#B\n", &fingerprint);
/* list validity */
cert->get_validity(cert, &now, &created, &until);
fprintf(out, " created: %T\n", &created, utc);
fprintf(out, " until: %T%s\n", &until, utc,
(until == TIME_32_BIT_SIGNED_MAX) ? " (expires never)":"");
public = cert->get_public_key(cert);
if (public)
{
fprintf(out, " pubkey: %N %d bits%s\n",
key_type_names, public->get_type(public),
public->get_keysize(public),
has_privkey(cert) ? ", has private key" : "");
if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
{
fprintf(out, " keyid: %#B\n", &keyid);
}
if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
{
fprintf(out, " subjkey: %#B\n", &keyid);
}
public->destroy(public);
}
}
enumerator->destroy(enumerator);
}
/** /**
* list all X.509 certificates matching the flags * list all X.509 certificates matching the flags
*/ */
static void stroke_list_x509_certs(linked_list_t *list, char *label, static void stroke_list_x509_certs(linked_list_t *list, x509_flag_t flag)
x509_flag_t flags, bool utc, FILE *out)
{ {
bool first = TRUE;
enumerator_t *enumerator; enumerator_t *enumerator;
certificate_t *cert; certificate_t *cert;
certificate_printer_t *printer;
x509_flag_t flag_mask;
printer = certificate_printer_create(out, TRUE, utc),
/* mask all auxiliary flags */
flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH | X509_IKE_INTERMEDIATE |
X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS);
enumerator = list->create_enumerator(list); enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, (void**)&cert)) while (enumerator->enumerate(enumerator, (void**)&cert))
{ {
x509_t *x509 = (x509_t*)cert; x509_t *x509 = (x509_t*)cert;
x509_flag_t x509_flags = x509->get_flags(x509) & flag_mask; x509_flag_t flags = x509->get_flags(x509) & X509_ANY;
/* list only if flag is set or flag == 0 */ /* list only if flag is set or flag == 0 */
if ((x509_flags & flags) || (x509_flags == flags)) if ((flags & flag) || flags == flag)
{ {
if (first) cert_printer->print_caption(cert_printer, CERT_X509, flag);
{ cert_printer->print(cert_printer, cert, has_privkey(cert));
fprintf(out, "\n");
fprintf(out, "List of %ss:\n", label);
first = FALSE;
}
fprintf(out, "\n");
printer->print(printer, cert, has_privkey(cert));
} }
} }
enumerator->destroy(enumerator); enumerator->destroy(enumerator);
printer->destroy(printer);
} }
/** /**
* list all other certificates types * list all other certificates types
*/ */
static void stroke_list_other_certs(linked_list_t *list, char *label, static void stroke_list_other_certs(certificate_type_t type)
bool utc, FILE *out)
{ {
bool first = TRUE;
enumerator_t *enumerator; enumerator_t *enumerator;
certificate_t *cert; certificate_t *cert;
certificate_printer_t *printer; linked_list_t *list;
printer = certificate_printer_create(out, TRUE, utc), list = create_unique_cert_list(type);
enumerator = list->create_enumerator(list); enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, &cert)) while (enumerator->enumerate(enumerator, &cert))
{ {
if (first) cert_printer->print_caption(cert_printer, cert->get_type(cert), X509_NONE);
{ cert_printer->print(cert_printer, cert, has_privkey(cert));
fprintf(out, "\n");
fprintf(out, "List of %ss:\n", label);
first = FALSE;
}
fprintf(out, "\n");
printer->print(printer, cert, has_privkey(cert));
} }
enumerator->destroy(enumerator); enumerator->destroy(enumerator);
printer->destroy(printer); list->destroy_offset(list, offsetof(certificate_t, destroy));
} }
/** /**
@ -1058,21 +979,15 @@ METHOD(stroke_list_t, list, void,
{ {
linked_list_t *cert_list = NULL; linked_list_t *cert_list = NULL;
cert_printer = certificate_printer_create(out, TRUE, msg->list.utc);
if (msg->list.flags & LIST_PUBKEYS) if (msg->list.flags & LIST_PUBKEYS)
{ {
linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY); stroke_list_other_certs(CERT_TRUSTED_PUBKEY);
stroke_list_other_certs(pubkey_list, "Raw Public Key",
msg->list.utc, out);
pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy));
} }
if (msg->list.flags & LIST_CERTS) if (msg->list.flags & LIST_CERTS)
{ {
linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG); stroke_list_other_certs(CERT_GPG);
stroke_list_pgp_certs(pgp_list, "PGP End Entity Certificate",
msg->list.utc, out);
pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy));
} }
if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS)) if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS))
{ {
@ -1080,49 +995,33 @@ METHOD(stroke_list_t, list, void,
} }
if (msg->list.flags & LIST_CERTS) if (msg->list.flags & LIST_CERTS)
{ {
stroke_list_x509_certs(cert_list, "X.509 End Entity Certificate", stroke_list_x509_certs(cert_list, X509_NONE);
X509_NONE, msg->list.utc, out);
} }
if (msg->list.flags & LIST_CACERTS) if (msg->list.flags & LIST_CACERTS)
{ {
stroke_list_x509_certs(cert_list, "X.509 CA Certificate", stroke_list_x509_certs(cert_list, X509_CA);
X509_CA, msg->list.utc, out);
} }
if (msg->list.flags & LIST_OCSPCERTS) if (msg->list.flags & LIST_OCSPCERTS)
{ {
stroke_list_x509_certs(cert_list, "X.509 OCSP Signer Certificate", stroke_list_x509_certs(cert_list, X509_OCSP_SIGNER);
X509_OCSP_SIGNER, msg->list.utc, out);
} }
if (msg->list.flags & LIST_AACERTS) if (msg->list.flags & LIST_AACERTS)
{ {
stroke_list_x509_certs(cert_list, "X.509 AA Certificate", stroke_list_x509_certs(cert_list, X509_AA);
X509_AA, msg->list.utc, out);
} }
DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy)); DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
if (msg->list.flags & LIST_ACERTS) if (msg->list.flags & LIST_ACERTS)
{ {
linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC); stroke_list_other_certs(CERT_X509_AC);
stroke_list_other_certs(ac_list, "X.509 Attribute Certificate",
msg->list.utc, out);
ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy));
} }
if (msg->list.flags & LIST_CRLS) if (msg->list.flags & LIST_CRLS)
{ {
linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL); stroke_list_other_certs(CERT_X509_CRL);
stroke_list_other_certs(crl_list, "X.509 CRL",
msg->list.utc, out);
crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy));
} }
if (msg->list.flags & LIST_OCSP) if (msg->list.flags & LIST_OCSP)
{ {
linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE); stroke_list_other_certs(CERT_X509_OCSP_RESPONSE);
stroke_list_other_certs(ocsp_list, "OCSP Response",
msg->list.utc, out);
ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy));
} }
if (msg->list.flags & LIST_ALGS) if (msg->list.flags & LIST_ALGS)
{ {
@ -1132,6 +1031,8 @@ METHOD(stroke_list_t, list, void,
{ {
list_plugins(out); list_plugins(out);
} }
cert_printer->destroy(cert_printer);
cert_printer = NULL;
} }
/** /**

4
src/libcharon/plugins/vici/Makefile.am
View File

@ -18,7 +18,7 @@ libstrongswan_vici_la_SOURCES = \
vici_message.h vici_message.c \ vici_message.h vici_message.c \
vici_builder.h vici_builder.c \ vici_builder.h vici_builder.c \
vici_dispatcher.h vici_dispatcher.c \ vici_dispatcher.h vici_dispatcher.c \
vici_cert_info.c vici_cert_info.h \ vici_cert_info.h vici_cert_info.c \
vici_query.h vici_query.c \ vici_query.h vici_query.c \
vici_control.h vici_control.c \ vici_control.h vici_control.c \
vici_config.h vici_config.c \ vici_config.h vici_config.c \
@ -39,7 +39,7 @@ ipseclib_LTLIBRARIES = libvici.la
libvici_la_SOURCES = \ libvici_la_SOURCES = \
vici_message.c vici_message.h \ vici_message.c vici_message.h \
vici_builder.c vici_builder.h \ vici_builder.c vici_builder.h \
vici_cert_info.c vici_cert_info.h \ vici_cert_info.h vici_cert_info.c \
libvici.c libvici.h libvici.c libvici.h
libvici_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la libvici_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la

10
src/libcharon/plugins/vici/README.md
View File

@ -369,7 +369,9 @@ call includes all certificates known by the daemon, not only those loaded
over vici. over vici.
{ {
type = <certificate type to filter for, or ANY> type = <certificate type to filter for, X509|X509_AC|X509_CRL|
OCSP_RESPONSE|PUBKEY or ANY>
flag = <X.509 certificate flag to filter for, NONE|CA|AA|OCSP or ANY>
subject = <set to list only certificates having subject> subject = <set to list only certificates having subject>
} => { } => {
# completes after streaming list-cert events # completes after streaming list-cert events
@ -427,7 +429,8 @@ Unload a previously loaded connection definition by name.
Load a certificate into the daemon. Load a certificate into the daemon.
{ {
type = <certificate type, X509|X509CA|X509AA|X509CRL|X509AC> type = <certificate type, X509|X509_AC|X509_CRL>
flag = <X.509 certificate flag, NONE|CA|AA|OCSP>
data = <PEM or DER encoded certificate data> data = <PEM or DER encoded certificate data>
} => { } => {
success = <yes or no> success = <yes or no>
@ -753,7 +756,8 @@ The _list-cert_ event is issued to stream loaded certificates during an active
_list-certs_ command. _list-certs_ command.
{ {
type = <certificate type> type = <certificate type, X509|X509_AC|X509_CRL|OCSP_RESPONSE|PUBKEY>
flag = <X.509 certificate flag, NONE|CA|AA|OCSP>
has_privkey = <set if a private key for the certificate is available> has_privkey = <set if a private key for the certificate is available>
data = <ASN1 encoded certificate data> data = <ASN1 encoded certificate data>
} }

4
src/libcharon/plugins/vici/perl/Vici-Session/README.pod
View File

@ -164,13 +164,13 @@ print $version->raw(), "\n";
loads a certificate into the daemon. loads a certificate into the daemon.
my %vars = ( type => 'X509CA', data => $ca_cert ); my %vars = ( type => 'X509', flag => 'CA', data => $ca_cert );
my ($res, $errmsg) = $session->load_cert(Vici::Message->new(\%vars)); my ($res, $errmsg) = $session->load_cert(Vici::Message->new(\%vars));
=cut =cut
print "----- load-cert -----\n"; print "----- load-cert -----\n";
my %vars = ( type => 'X509CA', data => $ca_cert ); my %vars = ( type => 'X509', flag => 'CA', data => $ca_cert );
my ($res, $errmsg) = $session->load_cert(Vici::Message->new(\%vars)); my ($res, $errmsg) = $session->load_cert(Vici::Message->new(\%vars));
print $res ? "ok\n" : "failed: $errmsg\n"; print $res ? "ok\n" : "failed: $errmsg\n";

34
src/libcharon/plugins/vici/vici_cred.c
View File

@ -2,6 +2,9 @@
* Copyright (C) 2014 Martin Willi * Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG * Copyright (C) 2014 revosec AG
* *
* Copyright (C) 2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it * This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the * under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your * Free Software Foundation; either version 2 of the License, or (at your
@ -67,9 +70,9 @@ static vici_message_t* create_reply(char *fmt, ...)
CALLBACK(load_cert, vici_message_t*, CALLBACK(load_cert, vici_message_t*,
private_vici_cred_t *this, char *name, u_int id, vici_message_t *message) private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
{ {
vici_cert_info_t *cert_info;
certificate_t *cert; certificate_t *cert;
x509_flag_t flag; certificate_type_t type;
x509_flag_t ext_flag, flag = X509_NONE;
x509_t *x509; x509_t *x509;
chunk_t data; chunk_t data;
bool trusted = TRUE; bool trusted = TRUE;
@ -80,9 +83,18 @@ CALLBACK(load_cert, vici_message_t*,
{ {
return create_reply("certificate type missing"); return create_reply("certificate type missing");
} }
if (enum_from_name(certificate_type_names, str, &type))
cert_info = vici_cert_info_retrieve(str); {
if (!cert_info) if (type == CERT_X509)
{
str = message->get_str(message, "NONE", "flag");
if (!enum_from_name(x509_flag_names, str, &flag))
{
return create_reply("invalid certificate flag '%s'", str);
}
}
}
else if (!vici_cert_info_from_str(str, &type, &flag))
{ {
return create_reply("invalid certificate type '%s'", str); return create_reply("invalid certificate type '%s'", str);
} }
@ -94,21 +106,21 @@ CALLBACK(load_cert, vici_message_t*,
} }
/* do not set CA flag externally */ /* do not set CA flag externally */
flag = (cert_info->flag & X509_CA) ? X509_NONE : cert_info->flag; ext_flag = (flag & X509_CA) ? X509_NONE : flag;
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, cert_info->type, cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
BUILD_BLOB_PEM, data, BUILD_BLOB_PEM, data,
BUILD_X509_FLAG, flag, BUILD_X509_FLAG, ext_flag,
BUILD_END); BUILD_END);
if (!cert) if (!cert)
{ {
return create_reply("parsing %N certificate failed", return create_reply("parsing %N certificate failed",
certificate_type_names, cert_info->type); certificate_type_names, type);
} }
DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert)); DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
/* check if CA certificate has CA basic constraint set */ /* check if CA certificate has CA basic constraint set */
if (cert_info->flag & X509_CA) if (flag & X509_CA)
{ {
char err_msg[] = "ca certificate lacks CA basic constraint, rejected"; char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
x509 = (x509_t*)cert; x509 = (x509_t*)cert;
@ -120,7 +132,7 @@ CALLBACK(load_cert, vici_message_t*,
return create_reply(err_msg); return create_reply(err_msg);
} }
} }
if (cert_info->type == CERT_X509_CRL) if (type == CERT_X509_CRL)
{ {
this->creds->add_crl(this->creds, (crl_t*)cert); this->creds->add_crl(this->creds, (crl_t*)cert);
} }

100
src/libcharon/plugins/vici/vici_query.c
View File

@ -40,8 +40,6 @@
#include "vici_query.h" #include "vici_query.h"
#include "vici_builder.h" #include "vici_builder.h"
#include "vici_version.h"
#include "vici_cert_info.h"
#include <inttypes.h> #include <inttypes.h>
#include <time.h> #include <time.h>
@ -53,6 +51,8 @@
#endif #endif
#include <daemon.h> #include <daemon.h>
#include <credentials/certificates/certificate.h>
#include <credentials/certificates/x509.h>
typedef struct private_vici_query_t private_vici_query_t; typedef struct private_vici_query_t private_vici_query_t;
@ -809,7 +809,6 @@ static bool has_privkey(certificate_t *cert)
* Store cert filter data * Store cert filter data
*/ */
typedef struct { typedef struct {
vici_version_t version;
certificate_type_t type; certificate_type_t type;
x509_flag_t flag; x509_flag_t flag;
identification_t *subject; identification_t *subject;
@ -820,27 +819,25 @@ typedef struct {
*/ */
static void enum_x509(private_vici_query_t *this, u_int id, static void enum_x509(private_vici_query_t *this, u_int id,
linked_list_t *certs, cert_filter_t *filter, linked_list_t *certs, cert_filter_t *filter,
x509_flag_t flag, char *cert_type) x509_flag_t flag)
{ {
enumerator_t *enumerator; enumerator_t *enumerator;
certificate_t *cert; certificate_t *cert;
vici_builder_t *b; vici_builder_t *b;
chunk_t encoding; chunk_t encoding;
x509_flag_t mask;
x509_t *x509; x509_t *x509;
if (filter->type != CERT_ANY && filter->version != VICI_1_0 && if (filter->type != CERT_ANY && filter->flag != X509_ANY &&
filter->flag != flag) filter->flag != flag)
{ {
return; return;
} }
mask = X509_CA | X509_AA | X509_OCSP_SIGNER;
enumerator = certs->create_enumerator(certs); enumerator = certs->create_enumerator(certs);
while (enumerator->enumerate(enumerator, &cert)) while (enumerator->enumerate(enumerator, &cert))
{ {
x509 = (x509_t*)cert; x509 = (x509_t*)cert;
if ((x509->get_flags(x509) & mask) != flag) if ((x509->get_flags(x509) & X509_ANY) != flag)
{ {
continue; continue;
} }
@ -848,16 +845,8 @@ static void enum_x509(private_vici_query_t *this, u_int id,
if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding)) if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
{ {
b = vici_builder_create(); b = vici_builder_create();
if (filter->version == VICI_1_0) b->add_kv(b, "type", "%N", certificate_type_names, CERT_X509);
{ b->add_kv(b, "flag", "%N", x509_flag_names, flag);
b->add_kv(b, "type", "%N", certificate_type_names,
cert->get_type(cert));
}
else
{
b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION);
b->add_kv(b, "type", "%s", cert_type);
}
if (has_privkey(cert)) if (has_privkey(cert))
{ {
b->add_kv(b, "has_privkey", "yes"); b->add_kv(b, "has_privkey", "yes");
@ -876,8 +865,7 @@ static void enum_x509(private_vici_query_t *this, u_int id,
* Enumerate all non-X.509 certificate types * Enumerate all non-X.509 certificate types
*/ */
static void enum_others(private_vici_query_t *this, u_int id, static void enum_others(private_vici_query_t *this, u_int id,
linked_list_t *certs, cert_filter_t *filter, linked_list_t *certs, cert_filter_t *filter)
char *cert_type)
{ {
enumerator_t *enumerator; enumerator_t *enumerator;
certificate_t *cert; certificate_t *cert;
@ -890,16 +878,8 @@ static void enum_others(private_vici_query_t *this, u_int id,
if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding)) if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
{ {
b = vici_builder_create(); b = vici_builder_create();
if (filter->version == VICI_1_0) b->add_kv(b, "type", "%N", certificate_type_names,
{ cert->get_type(cert));
b->add_kv(b, "type", "%N", certificate_type_names,
cert->get_type(cert));
}
else
{
b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION);
b->add_kv(b, "type", "%s", cert_type);
}
if (has_privkey(cert)) if (has_privkey(cert))
{ {
b->add_kv(b, "has_privkey", "yes"); b->add_kv(b, "has_privkey", "yes");
@ -918,8 +898,7 @@ static void enum_others(private_vici_query_t *this, u_int id,
* Enumerate all certificates of a given type * Enumerate all certificates of a given type
*/ */
static void enum_certs(private_vici_query_t *this, u_int id, static void enum_certs(private_vici_query_t *this, u_int id,
cert_filter_t *filter, certificate_type_t type, cert_filter_t *filter, certificate_type_t type)
char *cert_type)
{ {
enumerator_t *e1, *e2; enumerator_t *e1, *e2;
certificate_t *cert, *current; certificate_t *cert, *current;
@ -958,14 +937,14 @@ static void enum_certs(private_vici_query_t *this, u_int id,
if (type == CERT_X509) if (type == CERT_X509)
{ {
enum_x509(this, id, certs, filter, X509_NONE, "x509"); enum_x509(this, id, certs, filter, X509_NONE);
enum_x509(this, id, certs, filter, X509_CA, "x509ca"); enum_x509(this, id, certs, filter, X509_CA);
enum_x509(this, id, certs, filter, X509_AA, "x509ac"); enum_x509(this, id, certs, filter, X509_AA);
enum_x509(this, id, certs, filter, X509_OCSP_SIGNER, "x509ocsp"); enum_x509(this, id, certs, filter, X509_OCSP_SIGNER);
} }
else else
{ {
enum_others(this, id, certs, filter, cert_type); enum_others(this, id, certs, filter);
} }
certs->destroy_offset(certs, offsetof(certificate_t, destroy)); certs->destroy_offset(certs, offsetof(certificate_t, destroy));
} }
@ -974,43 +953,25 @@ CALLBACK(list_certs, vici_message_t*,
private_vici_query_t *this, char *name, u_int id, vici_message_t *request) private_vici_query_t *this, char *name, u_int id, vici_message_t *request)
{ {
cert_filter_t filter = { cert_filter_t filter = {
.version = VICI_1_0,
.type = CERT_ANY, .type = CERT_ANY,
.flag = X509_NONE, .flag = X509_ANY,
.subject = NULL .subject = NULL
}; };
vici_builder_t *b; vici_builder_t *b;
char *str; char *str;
str = request->get_str(request, "1.0", "vici"); str = request->get_str(request, "ANY", "type");
if (!enum_from_name(vici_version_names, str, &filter.version)) if (!enum_from_name(certificate_type_names, str, &filter.type))
{ {
DBG1(DBG_CFG, "unsupported vici version '%s'", str); DBG1(DBG_CFG, "invalid certificate type '%s'", str);
goto finalize; goto finalize;
} }
str = request->get_str(request, "ANY", "type"); if (filter.type == CERT_X509)
if (filter.version == VICI_1_0)
{ {
if (!enum_from_name(certificate_type_names, str, &filter.type)) str = request->get_str(request, "ANY", "flag");
if (!enum_from_name(x509_flag_names, str, &filter.flag))
{ {
DBG1(DBG_CFG, "invalid certificate type '%s'", str); DBG1(DBG_CFG, "invalid certificate flag '%s'", str);
goto finalize;
}
}
else /* VICI 2.0 */
{
vici_cert_info_t *cert_info;
cert_info = vici_cert_info_retrieve(str);
if (cert_info)
{
filter.type = cert_info->type;
filter.flag = cert_info->flag;
}
else
{
DBG1(DBG_CFG, "invalid certificate type '%s'", str);
goto finalize; goto finalize;
} }
} }
@ -1020,11 +981,12 @@ CALLBACK(list_certs, vici_message_t*,
{ {
filter.subject = identification_create_from_string(str); filter.subject = identification_create_from_string(str);
} }
enum_certs(this, id, &filter, CERT_TRUSTED_PUBKEY, "pubkey");
enum_certs(this, id, &filter, CERT_X509, "x509"); enum_certs(this, id, &filter, CERT_TRUSTED_PUBKEY);
enum_certs(this, id, &filter, CERT_X509_AC, "x509ac"); enum_certs(this, id, &filter, CERT_X509);
enum_certs(this, id, &filter, CERT_X509_CRL, "x509crl"); enum_certs(this, id, &filter, CERT_X509_AC);
enum_certs(this, id, &filter, CERT_X509_OCSP_RESPONSE, "ocsp"); enum_certs(this, id, &filter, CERT_X509_CRL);
enum_certs(this, id, &filter, CERT_X509_OCSP_RESPONSE);
DESTROY_IF(filter.subject); DESTROY_IF(filter.subject);
finalize: finalize:
@ -1140,8 +1102,6 @@ CALLBACK(version, vici_message_t*,
vici_builder_t *b; vici_builder_t *b;
b = vici_builder_create(); b = vici_builder_create();
b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION);
b->add_kv(b, "daemon", "%s", lib->ns); b->add_kv(b, "daemon", "%s", lib->ns);
b->add_kv(b, "version", "%s", VERSION); b->add_kv(b, "version", "%s", VERSION);

150
src/libstrongswan/credentials/certificates/certificate_printer.c
View File

@ -17,10 +17,11 @@
*/ */
#include "certificate_printer.h" #include "certificate_printer.h"
#include "x509.h" #include "credentials/certificates/x509.h"
#include "crl.h" #include "credentials/certificates/crl.h"
#include "ac.h" #include "credentials/certificates/ac.h"
#include "ocsp_response.h" #include "credentials/certificates/ocsp_response.h"
#include "credentials/certificates/pgp_certificate.h"
#include <asn1/asn1.h> #include <asn1/asn1.h>
#include <asn1/oid.h> #include <asn1/oid.h>
@ -54,6 +55,17 @@ struct private_certificate_printer_t {
* Print time information in UTC * Print time information in UTC
*/ */
bool utc; bool utc;
/**
* Previous certificate type
*/
certificate_type_t type;
/**
* Previous X.509 certificate flag
*/
x509_flag_t flag;
}; };
/** /**
@ -568,7 +580,7 @@ METHOD(certificate_printer_t, print, void,
{ {
fprintf(f, " subject: \"%Y\"\n", subject); fprintf(f, " subject: \"%Y\"\n", subject);
} }
if (cert->get_type(cert) != CERT_TRUSTED_PUBKEY) if (type != CERT_TRUSTED_PUBKEY && type != CERT_GPG)
{ {
fprintf(f, " issuer: \"%Y\"\n", cert->get_issuer(cert)); fprintf(f, " issuer: \"%Y\"\n", cert->get_issuer(cert));
} }
@ -577,35 +589,44 @@ METHOD(certificate_printer_t, print, void,
cert->get_validity(cert, &now, &notBefore, &notAfter); cert->get_validity(cert, &now, &notBefore, &notAfter);
if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME) if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME)
{ {
if (type == CERT_X509_CRL || type == CERT_X509_OCSP_RESPONSE) if (type == CERT_GPG)
{ {
t0 = "update: "; fprintf(f, " created: %T\n", &notBefore, this->utc);
t1 = "this on"; fprintf(f, " until: %T%s\n", &notAfter, this->utc,
t2 = "next on"; (notAfter == TIME_32_BIT_SIGNED_MAX) ?" expires never" : "");
} }
else else
{ {
t0 = "validity:"; if (type == CERT_X509_CRL || type == CERT_X509_OCSP_RESPONSE)
t1 = "not before"; {
t2 = "not after "; t0 = "update: ";
} t1 = "this on";
fprintf(f, " %s %s %T, ", t0, t1, &notBefore, this->utc); t2 = "next on";
if (now < notBefore) }
{ else
fprintf(f, "not valid yet (valid in %V)\n", &now, &notBefore); {
} t0 = "validity:";
else t1 = "not before";
{ t2 = "not after ";
fprintf(f, "ok\n"); }
} fprintf(f, " %s %s %T, ", t0, t1, &notBefore, this->utc);
fprintf(f, " %s %T, ", t2, &notAfter, this->utc); if (now < notBefore)
if (now > notAfter) {
{ fprintf(f, "not valid yet (valid in %V)\n", &now, &notBefore);
fprintf(f, "expired (%V ago)\n", &now, &notAfter); }
} else
else {
{ fprintf(f, "ok\n");
fprintf(f, "ok (expires in %V)\n", &now, &notAfter); }
fprintf(f, " %s %T, ", t2, &notAfter, this->utc);
if (now > notAfter)
{
fprintf(f, "expired (%V ago)\n", &now, &notAfter);
}
else
{
fprintf(f, "ok (expires in %V)\n", &now, &notAfter);
}
} }
} }
@ -627,6 +648,13 @@ METHOD(certificate_printer_t, print, void,
default: default:
break; break;
} }
if (type == CERT_GPG)
{
pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert;
chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
fprintf(f, " pgpDigest: %#B\n", &fingerprint);
}
key = cert->get_public_key(cert); key = cert->get_public_key(cert);
if (key) if (key)
{ {
@ -635,6 +663,65 @@ METHOD(certificate_printer_t, print, void,
} }
} }
METHOD(certificate_printer_t, print_caption, void,
private_certificate_printer_t *this, certificate_type_t type,
x509_flag_t flag)
{
char *caption;
if (type != this->type || (type == CERT_X509 && flag != this->flag))
{
switch (type)
{
case CERT_X509:
switch (flag)
{
case X509_NONE:
caption = "X.509 End Entity Certificate";
break;
case X509_CA:
caption = "X.509 CA Certificate";
break;
case X509_AA:
caption = "X.509 AA Certificate";
break;
case X509_OCSP_SIGNER:
caption = "X.509 OCSP Signer Certificate";
break;
default:
return;
}
break;
case CERT_X509_AC:
caption = "X.509 Attribute Certificate";
break;
case CERT_X509_CRL:
caption = "X.509 CRL";
break;
case CERT_X509_OCSP_RESPONSE:
caption = "OCSP Response";
break;
case CERT_TRUSTED_PUBKEY:
caption = "Raw Public Key";
break;
case CERT_GPG:
caption = "PGP End Entity Certificate";
break;
default:
return;
}
fprintf(this->f, "\nList of %ss\n", caption);
/* Update to current type and flag value */
this->type = type;
if (type == CERT_X509)
{
this->flag = flag;
}
}
fprintf(this->f, "\n");
}
METHOD(certificate_printer_t, destroy, void, METHOD(certificate_printer_t, destroy, void,
private_certificate_printer_t *this) private_certificate_printer_t *this)
{ {
@ -652,11 +739,14 @@ certificate_printer_t *certificate_printer_create(FILE *f, bool detailed,
INIT(this, INIT(this,
.public = { .public = {
.print = _print, .print = _print,
.print_caption = _print_caption,
.destroy = _destroy, .destroy = _destroy,
}, },
.f = f, .f = f,
.detailed = detailed, .detailed = detailed,
.utc = utc, .utc = utc,
.type = CERT_ANY,
.flag = X509_ANY,
); );
return &this->public; return &this->public;

10
src/libstrongswan/credentials/certificates/certificate_printer.h
View File

@ -24,6 +24,7 @@
typedef struct certificate_printer_t certificate_printer_t; typedef struct certificate_printer_t certificate_printer_t;
#include "credentials/certificates/certificate.h" #include "credentials/certificates/certificate.h"
#include "credentials/certificates/x509.h"
#include <stdio.h> #include <stdio.h>
@ -41,6 +42,15 @@ struct certificate_printer_t {
void (*print)(certificate_printer_t *this, certificate_t *cert, void (*print)(certificate_printer_t *this, certificate_t *cert,
bool has_privkey); bool has_privkey);
/**
* Print a caption if the certificate type changed.
*
* @type certificate type
* @flag X.509 certificate flag
*/
void (*print_caption)(certificate_printer_t *this, certificate_type_t type,
x509_flag_t flag);
/** /**
* Destroy the certificate_printer object. * Destroy the certificate_printer object.
*/ */

4
src/stroke/stroke.c
View File

@ -433,9 +433,9 @@ static int usage(char *error)
fprintf(out, " Show extended status information without blocking:\n"); fprintf(out, " Show extended status information without blocking:\n");
fprintf(out, " stroke statusall-nb\n"); fprintf(out, " stroke statusall-nb\n");
fprintf(out, " Show list of authority and attribute certificates:\n"); fprintf(out, " Show list of authority and attribute certificates:\n");
fprintf(out, " stroke listcacerts|listocspcerts|listaacerts|listacerts\n"); fprintf(out, " stroke listcacerts|listocspcerts|listaacerts|listacerts [--utc]\n");
fprintf(out, " Show list of end entity certificates, ca info records and crls:\n"); fprintf(out, " Show list of end entity certificates, ca info records and crls:\n");
fprintf(out, " stroke listcerts|listcainfos|listcrls|listall\n"); fprintf(out, " stroke listcerts|listcainfos|listcrls|listall [--utc]\n");
fprintf(out, " Show list of supported algorithms:\n"); fprintf(out, " Show list of supported algorithms:\n");
fprintf(out, " stroke listalgs\n"); fprintf(out, " stroke listalgs\n");
fprintf(out, " Reload authority and attribute certificates:\n"); fprintf(out, " Reload authority and attribute certificates:\n");

9
src/swanctl/command.h
View File

@ -2,9 +2,6 @@
* Copyright (C) 2009 Martin Willi * Copyright (C) 2009 Martin Willi
* Hochschule fuer Technik Rapperswil * Hochschule fuer Technik Rapperswil
* *
* Copyright (C) 2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it * This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the * under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your * Free Software Foundation; either version 2 of the License, or (at your
@ -35,7 +32,7 @@
/** /**
* Maximum number of options in a command (+3) * Maximum number of options in a command (+3)
*/ */
#define MAX_OPTIONS 32 #define MAX_OPTIONS 34
/** /**
* Maximum number of usage summary lines (+1) * Maximum number of usage summary lines (+1)
@ -82,12 +79,10 @@ struct command_t {
* Command format options * Command format options
*/ */
enum command_format_options_t { enum command_format_options_t {
COMMAND_FORMAT_NONE = 0, COMMAND_FORMAT_NONE = 0,
COMMAND_FORMAT_RAW = (1<<0), COMMAND_FORMAT_RAW = (1<<0),
COMMAND_FORMAT_PRETTY = (1<<1), COMMAND_FORMAT_PRETTY = (1<<1),
COMMAND_FORMAT_PEM = (1<<2), COMMAND_FORMAT_PEM = (1<<2),
COMMAND_FORMAT_SHORT = (1<<3),
COMMAND_FORMAT_UTC = (1<<4),
}; };
/** /**

82
src/swanctl/commands/list_certs.c
View File

@ -27,15 +27,12 @@
#include <credentials/certificates/certificate_printer.h> #include <credentials/certificates/certificate_printer.h>
#include <selectors/traffic_selector.h> #include <selectors/traffic_selector.h>
#include <vici_version.h>
#include <vici_cert_info.h>
#include "command.h" #include "command.h"
/** /**
* Current certificate type info * Static certificate printer object
*/ */
static vici_cert_info_t *current_cert_info = NULL; static certificate_printer_t *cert_printer = NULL;
/** /**
* Print PEM encoding of a certificate * Print PEM encoding of a certificate
@ -59,11 +56,10 @@ CALLBACK(list_cb, void,
command_format_options_t *format, char *name, vici_res_t *res) command_format_options_t *format, char *name, vici_res_t *res)
{ {
certificate_t *cert; certificate_t *cert;
certificate_printer_t *printer; certificate_type_t type;
vici_version_t version; x509_flag_t flag = X509_NONE;
vici_cert_info_t *cert_info; bool has_privkey;
bool detailed, utc, has_privkey, first = FALSE; char *str;
char *version_str, *type_str;
void *buf; void *buf;
int len; int len;
@ -74,14 +70,6 @@ CALLBACK(list_cb, void,
return; return;
} }
version_str = vici_find_str(res, "1.0", "vici");
if (!enum_from_name(vici_version_names, version_str, &version) ||
version == VICI_1_0)
{
fprintf(stderr, "unsupported vici version '%s'\n", version_str);
return;
}
buf = vici_find(res, &len, "data"); buf = vici_find(res, &len, "data");
if (!buf) if (!buf)
{ {
@ -90,23 +78,24 @@ CALLBACK(list_cb, void,
} }
has_privkey = streq(vici_find_str(res, "no", "has_privkey"), "yes"); has_privkey = streq(vici_find_str(res, "no", "has_privkey"), "yes");
type_str = vici_find_str(res, "any", "type"); str = vici_find_str(res, "ANY", "type");
cert_info = vici_cert_info_retrieve(type_str); if (!enum_from_name(certificate_type_names, str, &type) || type == CERT_ANY)
if (!cert_info || cert_info->type == CERT_ANY)
{ {
fprintf(stderr, "unsupported certificate type '%s'\n", type_str); fprintf(stderr, "unsupported certificate type '%s'\n", str);
return; return;
} }
if (type == CERT_X509)
/* Detect change of certificate type */
if (cert_info != current_cert_info)
{ {
first = TRUE; str = vici_find_str(res, "ANY", "flag");
current_cert_info = cert_info; if (!enum_from_name(x509_flag_names, str, &flag) || flag == X509_ANY)
{
fprintf(stderr, "unsupported certificate flag '%s'\n", str);
return;
}
} }
/* Parse certificate data blob */ /* Parse certificate data blob */
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, cert_info->type, cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
BUILD_BLOB_ASN1_DER, chunk_create(buf, len), BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
BUILD_END); BUILD_END);
if (cert) if (cert)
@ -117,16 +106,8 @@ CALLBACK(list_cb, void,
} }
else else
{ {
if (first) cert_printer->print_caption(cert_printer, type, flag);
{ cert_printer->print(cert_printer, cert, has_privkey);
printf("\nList of %ss:\n", cert_info->caption);
}
printf("\n");
detailed = !(*format & COMMAND_FORMAT_SHORT);
utc = *format & COMMAND_FORMAT_UTC;
printer = certificate_printer_create(stdout, detailed, utc);
printer->print(printer, cert, has_privkey);
printer->destroy(printer);
} }
cert->destroy(cert); cert->destroy(cert);
} }
@ -141,7 +122,8 @@ static int list_certs(vici_conn_t *conn)
vici_req_t *req; vici_req_t *req;
vici_res_t *res; vici_res_t *res;
command_format_options_t format = COMMAND_FORMAT_NONE; command_format_options_t format = COMMAND_FORMAT_NONE;
char *arg, *subject = NULL, *type = NULL; char *arg, *subject = NULL, *type = NULL, *flag = NULL;
bool detailed = TRUE, utc = FALSE;
int ret; int ret;
while (TRUE) while (TRUE)
@ -156,6 +138,9 @@ static int list_certs(vici_conn_t *conn)
case 't': case 't':
type = arg; type = arg;
continue; continue;
case 'f':
flag = arg;
continue;
case 'p': case 'p':
format |= COMMAND_FORMAT_PEM; format |= COMMAND_FORMAT_PEM;
continue; continue;
@ -166,10 +151,10 @@ static int list_certs(vici_conn_t *conn)
format |= COMMAND_FORMAT_RAW; format |= COMMAND_FORMAT_RAW;
continue; continue;
case 'S': case 'S':
format |= COMMAND_FORMAT_SHORT; detailed = FALSE;
continue; continue;
case 'U': case 'U':
format |= COMMAND_FORMAT_UTC; utc = TRUE;
continue; continue;
case EOF: case EOF:
break; break;
@ -186,22 +171,28 @@ static int list_certs(vici_conn_t *conn)
return ret; return ret;
} }
req = vici_begin("list-certs"); req = vici_begin("list-certs");
vici_add_version(req, VICI_VERSION);
if (type) if (type)
{ {
vici_add_key_valuef(req, "type", "%s", type); vici_add_key_valuef(req, "type", "%s", type);
} }
if (flag)
{
vici_add_key_valuef(req, "flag", "%s", flag);
}
if (subject) if (subject)
{ {
vici_add_key_valuef(req, "subject", "%s", subject); vici_add_key_valuef(req, "subject", "%s", subject);
} }
cert_printer = certificate_printer_create(stdout, detailed, utc);
res = vici_submit(req, conn); res = vici_submit(req, conn);
if (!res) if (!res)
{ {
ret = errno; ret = errno;
fprintf(stderr, "list-certs request failed: %s\n", strerror(errno)); fprintf(stderr, "list-certs request failed: %s\n", strerror(errno));
cert_printer->destroy(cert_printer);
cert_printer = NULL;
return ret; return ret;
} }
if (format & COMMAND_FORMAT_RAW) if (format & COMMAND_FORMAT_RAW)
@ -210,6 +201,9 @@ static int list_certs(vici_conn_t *conn)
stdout); stdout);
} }
vici_free_res(res); vici_free_res(res);
cert_printer->destroy(cert_printer);
cert_printer = NULL;
return 0; return 0;
} }
@ -221,12 +215,14 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) { command_register((command_t) {
list_certs, 'x', "list-certs", "list stored certificates", list_certs, 'x', "list-certs", "list stored certificates",
{"[--subject <dn/san>] " {"[--subject <dn/san>] "
"[--type x509|x509ca|x509aa|x509ac|x509crl|x509ocsp|ocsp] " "[--type x509|x509_ac|x509_crl|ocsp_response|pubkey]\n "
"[--flag none|ca|aa|ocsp|any] "
"[--pem] [--raw|--pretty|--short|--utc]"}, "[--pem] [--raw|--pretty|--short|--utc]"},
{ {
{"help", 'h', 0, "show usage information"}, {"help", 'h', 0, "show usage information"},
{"subject", 's', 1, "filter by certificate subject"}, {"subject", 's', 1, "filter by certificate subject"},
{"type", 't', 1, "filter by certificate type"}, {"type", 't', 1, "filter by certificate type"},
{"flag", 'f', 1, "filter by X.509 certificate flag"},
{"pem", 'p', 0, "print PEM encoding of certificate"}, {"pem", 'p', 0, "print PEM encoding of certificate"},
{"raw", 'r', 0, "dump raw response message"}, {"raw", 'r', 0, "dump raw response message"},
{"pretty", 'P', 0, "dump raw response message in pretty print"}, {"pretty", 'P', 0, "dump raw response message in pretty print"},

31
src/swanctl/commands/load_creds.c
View File

@ -30,11 +30,14 @@
#include <credentials/sets/callback_cred.h> #include <credentials/sets/callback_cred.h>
#include <credentials/containers/pkcs12.h> #include <credentials/containers/pkcs12.h>
#include <vici_cert_info.h>
/** /**
* Load a single certificate over vici * Load a single certificate over vici
*/ */
static bool load_cert(vici_conn_t *conn, command_format_options_t format, static bool load_cert(vici_conn_t *conn, command_format_options_t format,
char *dir, char *type, chunk_t data) char *dir, certificate_type_t type, x509_flag_t flag,
chunk_t data)
{ {
vici_req_t *req; vici_req_t *req;
vici_res_t *res; vici_res_t *res;
@ -42,7 +45,11 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
req = vici_begin("load-cert"); req = vici_begin("load-cert");
vici_add_key_valuef(req, "type", "%s", type); vici_add_key_valuef(req, "type", "%N", certificate_type_names, type);
if (type == CERT_X509)
{
vici_add_key_valuef(req, "flag", "%N", x509_flag_names, flag);
}
vici_add_key_value(req, "data", data.ptr, data.len); vici_add_key_value(req, "data", data.ptr, data.len);
res = vici_submit(req, conn); res = vici_submit(req, conn);
@ -64,7 +71,7 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
} }
else else
{ {
printf("loaded %s certificate from '%s'\n", type, dir); printf("loaded certificate from '%s'\n", dir);
} }
vici_free_res(res); vici_free_res(res);
return ret; return ret;
@ -74,13 +81,17 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
* Load certficiates from a directory * Load certficiates from a directory
*/ */
static void load_certs(vici_conn_t *conn, command_format_options_t format, static void load_certs(vici_conn_t *conn, command_format_options_t format,
char *type, char *dir) char *type_str, char *dir)
{ {
enumerator_t *enumerator; enumerator_t *enumerator;
certificate_type_t type;
x509_flag_t flag;
struct stat st; struct stat st;
chunk_t *map; chunk_t *map;
char *path; char *path;
vici_cert_info_from_str(type_str, &type, &flag);
enumerator = enumerator_create_directory(dir); enumerator = enumerator_create_directory(dir);
if (enumerator) if (enumerator)
{ {
@ -91,7 +102,7 @@ static void load_certs(vici_conn_t *conn, command_format_options_t format,
map = chunk_map(path, FALSE); map = chunk_map(path, FALSE);
if (map) if (map)
{ {
load_cert(conn, format, path, type, *map); load_cert(conn, format, path, type, flag, *map);
chunk_unmap(map); chunk_unmap(map);
} }
else else
@ -446,7 +457,8 @@ static bool load_pkcs12(vici_conn_t *conn, command_format_options_t format,
loaded = FALSE; loaded = FALSE;
if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding)) if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
{ {
loaded = load_cert(conn, format, path, "x509", encoding); loaded = load_cert(conn, format, path, CERT_X509, X509_NONE,
encoding);
if (loaded) if (loaded)
{ {
fprintf(stderr, " %Y\n", cert->get_subject(cert)); fprintf(stderr, " %Y\n", cert->get_subject(cert));
@ -682,11 +694,10 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
load_certs(conn, format, "x509", SWANCTL_X509DIR); load_certs(conn, format, "x509", SWANCTL_X509DIR);
load_certs(conn, format, "x509ca", SWANCTL_X509CADIR); load_certs(conn, format, "x509ca", SWANCTL_X509CADIR);
load_certs(conn, format, "x509aa", SWANCTL_X509AADIR);
load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR);
load_certs(conn, format, "x509ac", SWANCTL_X509ACDIR);
load_certs(conn, format, "x509ocsp", SWANCTL_X509OCSPDIR); load_certs(conn, format, "x509ocsp", SWANCTL_X509OCSPDIR);
load_certs(conn, format, "pubkey", SWANCTL_PUBKEYDIR); load_certs(conn, format, "x509aa", SWANCTL_X509AADIR);
load_certs(conn, format, "x509ac", SWANCTL_X509ACDIR);
load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR);
load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR); load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR); load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);