pki: Allow to load CRLs from files in --verify

2016-08-18 18:07:21 +02:00 · 2016-08-18 18:07:21 +02:00 · 09d8215d3f
parent 17ecc104fb
commit 09d8215d3f
2 changed files with 21 additions and 3 deletions
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@ -1,6 +1,7 @@
 /*
+ * Copyright (C) 2016 Tobias Brunner
 * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
@ -59,6 +60,18 @@ static int verify()
 				has_ca = TRUE;
 				creds->add_cert(creds, TRUE, cert);
 				continue;
+			case 'l':
+				cert = lib->creds->create(lib->creds,
+										  CRED_CERTIFICATE, CERT_X509_CRL,
+										  BUILD_FROM_FILE, arg, BUILD_END);
+				if (!cert)
+				{
+					fprintf(stderr, "parsing CRL failed\n");
+					goto end;
+				}
+				online = TRUE;
+				creds->add_crl(creds, (crl_t*)cert);
+				continue;
 			case 'o':
 				online = TRUE;
 				continue;
@ -173,11 +186,12 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		verify, 'v', "verify",
 		"verify a certificate using the CA certificate",
-		{"[--in file] [--cacert file]"},
+		{"[--in file] [--cacert file] [--crl file]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "X.509 certificate to verify, default: stdin"},
 			{"cacert",	'c', 1, "CA certificate for trustchain verification"},
+			{"crl",		'l', 1, "CRL for trustchain verification"},
 			{"online",	'o', 0, "enable online CRL/OCSP revocation checking"},
 		}
 	});
--- a/src/pki/man/pki---verify.1.in
+++ b/src/pki/man/pki---verify.1.in
@ -1,4 +1,4 @@
-.TH "PKI \-\-VERIFY" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.TH "PKI \-\-VERIFY" 1 "2016-08-19" "@PACKAGE_VERSION@" "strongSwan"
 .
 .SH "NAME"
 .
@ -9,6 +9,7 @@ pki \-\-verify \- Verify a certificate using a CA certificate
 .SY pki\ \-\-verify
 .OP \-\-in file
 .OP \-\-cacert file
+.OP \-\-crl file
 .OP \-\-debug level
 .OP \-\-online
 .YS
@ -48,6 +49,9 @@ X.509 certificate to verify. If not given it is read from \fISTDIN\fR.
 CA certificate to use for trustchain verification. If not given the certificate
 is assumed to be self\-signed.
 .TP
+.BI "\-l, \-\-crl " file
+Local CRL to use for trustchain verification. Implies \fB-o\fR.
+.TP
 .BI "\-o, \-\-online
 Enable online CRL/OCSP revocation checking.
 .