pt-tls-client: Load certificates via handle from smartcard or TPM
parent
e850d000b8
commit
71cf3d709a
@ -10,7 +10,8 @@ pt-tls-client \- Simple client using PT-TLS to collect integrity information
.BI \-\-connect
.IR hostname |\fIaddress
.OP \-\-port hex
.RB [ \-\-cert
.RB [ \-\-certid
.IR hex |\fB\-\-cert
.IR file ]+
.RB [ \-\-keyid
.IR hex |\fB\-\-key
@ -64,6 +65,10 @@ Set the port of the PT-TLS server, default: 271.
Set the path to an X.509 certificate file. This option can be repeated to load
multiple client and CA certificates.
.TP
.BI "\-X, \-\-certid " hex
Set the handle of the certificate stored in a smartcard or a TPM 2.0 Trusted
Platform Module.
.TP
.BI "\-k, \-\-key " file
Set the path to the client's PKCS#1 or PKCS#8 private key file
.TP
@ -71,7 +76,7 @@ Set the path to the client's PKCS#1 or PKCS#8 private key file
Define the type of the private key if stored in PKCS#1 format. Can be omitted
with PKCS#8 keys.
.TP
.BI "\-x, \-\-keyid " hex
.BI "\-K, \-\-keyid " hex
Set the keyid of the private key stored in a smartcard or a TPM 2.0 Trusted
Platform Module.
.TP
@ -42,7 +42,7 @@ static void usage(FILE *out)
{
fprintf(out,
"Usage: pt-tls --connect <hostname|address> [--port <port>]\n"
" [--cert <file>]+ [--keyid <hex>|--key <file>]\n"
" [--certid <hex>|--cert <file>]+ [--keyid <hex>|--key <file>]\n"
" [--key-type rsa|ecdsa] [--client <client-id>]\n"
" [--secret <password>] [--mutual] [--quiet]\n"
" [--debug <level>] [--options <filename>]\n");
@ -104,15 +104,26 @@ static mem_cred_t *creds;
/**
* Load certificate from file
*/
static bool load_certificate(char *filename)
static bool load_certificate(char *certid, char *filename)
{
certificate_t *cert;
chunk_t chunk;
|
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_FROM_FILE, filename, BUILD_END);
if (certid)
{
chunk = chunk_from_hex(chunk_create(certid, strlen(certid)), NULL);
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_PKCS11_KEYID, chunk, BUILD_END);
}
else
{
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_FROM_FILE, filename, BUILD_END);
}
if (!cert)
{
DBG1(DBG_TLS, "loading certificate from '%s' failed", filename);
DBG1(DBG_TLS, "loading certificate from '%s' failed",
certid ? certid : filename);
return FALSE;
}
creds->add_cert(creds, TRUE, cert);
@ -282,6 +293,7 @@ int main(int argc, char *argv[])
{"client", required_argument, NULL, 'i' },
{"secret", required_argument, NULL, 's' },
{"port", required_argument, NULL, 'p' },
{"certid", required_argument, NULL, 'X' },
{"cert", required_argument, NULL, 'x' },
{"keyid", required_argument, NULL, 'K' },
{"key", required_argument, NULL, 'k' },
@ -301,8 +313,14 @@ int main(int argc, char *argv[])
case 'h': /* --help */
usage(stdout);
return 0;
case 'X': /* --certid <hex> */
if (!load_certificate(optarg, NULL))
{
return 1;
}
continue;
case 'x': /* --cert <file> */
if (!load_certificate(optarg))
if (!load_certificate(NULL, optarg))
{
return 1;
}
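Review bot: The decoded `chunk` in load_certificate's new certid branch is leaked: chunk_from_hex() with a NULL destination buffer allocates the decoded bytes, the chunk is handed to create() by value, and nothing in the branch frees it afterwards, so every `--certid` invocation leaks the decoded handle. Adding `free(chunk.ptr);` directly after the BUILD_PKCS11_KEYID create() call keeps ownership inside this function; this presumes the credential builder copies the key id rather than keeping the pointer, which is worth confirming against the file's key-loading path that already uses BUILD_PKCS11_KEYID. The body of load_certificate continues past the end of the hunk. A smaller wording point in the same hunk: with a certid set, the failure message still reads "loading certificate from '<hex>' failed", which looks like a file path in the log; `certid ? "with certid" : "from"` as an extra argument, or a separate message per branch, would make it unambiguous.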