pt-tls-client: Load certificates via handle from smartcard or TPM

2017-12-05 20:41:43 +01:00 · 2017-12-05 20:41:43 +01:00 · 71cf3d709a
parent e850d000b8
commit 71cf3d709a
2 changed files with 31 additions and 8 deletions
--- a/src/pt-tls-client/pt-tls-client.1.in
+++ b/src/pt-tls-client/pt-tls-client.1.in
@ -10,7 +10,8 @@ pt-tls-client \- Simple client using PT-TLS to collect integrity information
 .BI \-\-connect
 .IR hostname |\fIaddress
 .OP \-\-port hex
-.RB [ \-\-cert
+.RB [ \-\-certid
+.IR hex |\fB\-\-cert
 .IR file ]+
 .RB [ \-\-keyid
 .IR hex |\fB\-\-key
@ -64,6 +65,10 @@ Set the port of the PT-TLS server, default: 271.
 Set the path to an X.509 certificate file. This option can be repeated to load
 multiple client and CA certificates.
 .TP
+.BI "\-X, \-\-certid " hex
+Set the handle of the certificate stored in a smartcard or a TPM 2.0 Trusted
+Platform Module.
+.TP
 .BI "\-k, \-\-key " file
 Set the path to the client's PKCS#1 or PKCS#8 private key file
 .TP
@ -71,7 +76,7 @@ Set the path to the client's PKCS#1 or PKCS#8 private key file
 Define the type of the private key if stored in PKCS#1 format. Can be omitted
 with PKCS#8 keys.
 .TP
-.BI "\-x, \-\-keyid " hex
+.BI "\-K, \-\-keyid " hex
 Set the keyid of the private key stored in a smartcard or a TPM 2.0 Trusted
 Platform Module.
 .TP
--- a/src/pt-tls-client/pt-tls-client.c
+++ b/src/pt-tls-client/pt-tls-client.c
@ -42,7 +42,7 @@ static void usage(FILE *out)
 {
 	fprintf(out,
 		"Usage: pt-tls  --connect <hostname|address> [--port <port>]\n"
-		"              [--cert <file>]+ [--keyid <hex>|--key <file>]\n"
+		"              [--certid <hex>|--cert <file>]+ [--keyid <hex>|--key <file>]\n"
 		"              [--key-type rsa|ecdsa] [--client <client-id>]\n"
 		"              [--secret <password>] [--mutual] [--quiet]\n"
 		"              [--debug <level>] [--options <filename>]\n");
@ -104,15 +104,26 @@ static mem_cred_t *creds;
 /**
 * Load certificate from file
 */
-static bool load_certificate(char *filename)
+static bool load_certificate(char *certid, char *filename)
 {
 	certificate_t *cert;
+	chunk_t chunk;

-	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-							  BUILD_FROM_FILE, filename, BUILD_END);
+	if (certid)
+	{
+		chunk = chunk_from_hex(chunk_create(certid, strlen(certid)), NULL);
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_PKCS11_KEYID, chunk, BUILD_END);
+	}
+	else
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_FROM_FILE, filename, BUILD_END);
+	}
 	if (!cert)
 	{
-		DBG1(DBG_TLS, "loading certificate from '%s' failed", filename);
+		DBG1(DBG_TLS, "loading certificate from '%s' failed",
+					   certid ? certid : filename);
 		return FALSE;
 	}
 	creds->add_cert(creds, TRUE, cert);
@ -282,6 +293,7 @@ int main(int argc, char *argv[])
 			{"client",		required_argument,		NULL,		'i' },
 			{"secret",		required_argument,		NULL,		's' },
 			{"port",		required_argument,		NULL,		'p' },
+			{"certid",		required_argument,		NULL,		'X' },
 			{"cert",		required_argument,		NULL,		'x' },
 			{"keyid",		required_argument,		NULL,		'K' },
 			{"key",			required_argument,		NULL,		'k' },
@ -301,8 +313,14 @@ int main(int argc, char *argv[])
 			case 'h':			/* --help */
 				usage(stdout);
 				return 0;
+			case 'X':			/* --certid <hex> */
+				if (!load_certificate(optarg, NULL))
+				{
+					return 1;
+				}
+				continue;
 			case 'x':			/* --cert <file> */
-				if (!load_certificate(optarg))
+				if (!load_certificate(NULL, optarg))
 				{
 					return 1;
 				}