pki: Allow to load CRLs from files in --verify
This commit is contained in:
parent
17ecc104fb
commit
09d8215d3f
|
@ -1,6 +1,7 @@
|
|||
/*
|
||||
* Copyright (C) 2016 Tobias Brunner
|
||||
* Copyright (C) 2009 Martin Willi
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -59,6 +60,18 @@ static int verify()
|
|||
has_ca = TRUE;
|
||||
creds->add_cert(creds, TRUE, cert);
|
||||
continue;
|
||||
case 'l':
|
||||
cert = lib->creds->create(lib->creds,
|
||||
CRED_CERTIFICATE, CERT_X509_CRL,
|
||||
BUILD_FROM_FILE, arg, BUILD_END);
|
||||
if (!cert)
|
||||
{
|
||||
fprintf(stderr, "parsing CRL failed\n");
|
||||
goto end;
|
||||
}
|
||||
online = TRUE;
|
||||
creds->add_crl(creds, (crl_t*)cert);
|
||||
continue;
|
||||
case 'o':
|
||||
online = TRUE;
|
||||
continue;
|
||||
|
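Review bot: The new `case 'l'` sets `online = TRUE` as a side effect of loading a local CRL, so the flag no longer means only "the user passed --online" and a later reader will not expect that coupling; a one-line comment would document it, e.g. `/* a local CRL is presumably only consulted when revocation checking is enabled, so --crl implies --online */` (the reason is not visible in the hunk — confirm against the code that reads `online`). The failure message `fprintf(stderr, "parsing CRL failed\n");` could also name the file, `fprintf(stderr, "parsing CRL '%s' failed\n", arg);`, since `--crl` can presumably be repeated and the message does not say which file failed to parse. verify() starts before the hunk and continues after it, so what the `end` label releases is not visible here.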
@ -173,11 +186,12 @@ static void __attribute__ ((constructor))reg()
|
|||
command_register((command_t) {
|
||||
verify, 'v', "verify",
|
||||
"verify a certificate using the CA certificate",
|
||||
{"[--in file] [--cacert file]"},
|
||||
{"[--in file] [--cacert file] [--crl file]"},
|
||||
{
|
||||
{"help", 'h', 0, "show usage information"},
|
||||
{"in", 'i', 1, "X.509 certificate to verify, default: stdin"},
|
||||
{"cacert", 'c', 1, "CA certificate for trustchain verification"},
|
||||
{"crl", 'l', 1, "CRL for trustchain verification"},
|
||||
{"online", 'o', 0, "enable online CRL/OCSP revocation checking"},
|
||||
}
|
||||
});
|
||||
|
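Review bot: The option help text `{"crl", 'l', 1, "CRL for trustchain verification"}` omits that `--crl` also turns on online revocation checking, which the man page hunk in this commit states explicitly (`Implies \fB-o\fR`); a user reading `--help` will not learn that the run may now perform online CRL/OCSP lookups. Suggest `{"crl", 'l', 1, "CRL for trustchain verification, implies --online"},` so both sources agree. The usage line `{"[--in file] [--cacert file] [--crl file]"}` likewise does not list `--online`, though that predates this change.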
|
|
@ -1,4 +1,4 @@
|
|||
.TH "PKI \-\-VERIFY" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.TH "PKI \-\-VERIFY" 1 "2016-08-19" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.
|
||||
.SH "NAME"
|
||||
.
|
||||
|
@ -9,6 +9,7 @@ pki \-\-verify \- Verify a certificate using a CA certificate
|
|||
.SY pki\ \-\-verify
|
||||
.OP \-\-in file
|
||||
.OP \-\-cacert file
|
||||
.OP \-\-crl file
|
||||
.OP \-\-debug level
|
||||
.OP \-\-online
|
||||
.YS
|
||||
|
@ -48,6 +49,9 @@ X.509 certificate to verify. If not given it is read from \fISTDIN\fR.
|
|||
CA certificate to use for trustchain verification. If not given the certificate
|
||||
is assumed to be self\-signed.
|
||||
.TP
|
||||
.BI "\-l, \-\-crl " file
|
||||
Local CRL to use for trustchain verification. Implies \fB-o\fR.
|
||||
.TP
|
||||
.BI "\-o, \-\-online
|
||||
Enable online CRL/OCSP revocation checking.
|
||||
.
|
||||
|
|