pt-tls-client: Load certificates via handle from smartcard or TPM
This commit is contained in:
parent
e850d000b8
commit
71cf3d709a
@ -10,7 +10,8 @@ pt-tls-client \- Simple client using PT-TLS to collect integrity information
|
||||||
.BI \-\-connect
|
.BI \-\-connect
|
||||||
.IR hostname |\fIaddress
|
.IR hostname |\fIaddress
|
||||||
.OP \-\-port hex
|
.OP \-\-port hex
|
||||||
.RB [ \-\-cert
|
.RB [ \-\-certid
|
||||||
|
.IR hex |\fB\-\-cert
|
||||||
.IR file ]+
|
.IR file ]+
|
||||||
.RB [ \-\-keyid
|
.RB [ \-\-keyid
|
||||||
.IR hex |\fB\-\-key
|
.IR hex |\fB\-\-key
|
||||||
|
@ -64,6 +65,10 @@ Set the port of the PT-TLS server, default: 271.
|
||||||
Set the path to an X.509 certificate file. This option can be repeated to load
|
Set the path to an X.509 certificate file. This option can be repeated to load
|
||||||
multiple client and CA certificates.
|
multiple client and CA certificates.
|
||||||
.TP
|
.TP
|
||||||
|
.BI "\-X, \-\-certid " hex
|
||||||
|
Set the handle of the certificate stored in a smartcard or a TPM 2.0 Trusted
|
||||||
|
Platform Module.
|
||||||
|
.TP
|
||||||
.BI "\-k, \-\-key " file
|
.BI "\-k, \-\-key " file
|
||||||
Set the path to the client's PKCS#1 or PKCS#8 private key file
|
Set the path to the client's PKCS#1 or PKCS#8 private key file
|
||||||
.TP
|
.TP
|
||||||
|
@ -71,7 +76,7 @@ Set the path to the client's PKCS#1 or PKCS#8 private key file
|
||||||
Define the type of the private key if stored in PKCS#1 format. Can be omitted
|
Define the type of the private key if stored in PKCS#1 format. Can be omitted
|
||||||
with PKCS#8 keys.
|
with PKCS#8 keys.
|
||||||
.TP
|
.TP
|
||||||
.BI "\-x, \-\-keyid " hex
|
.BI "\-K, \-\-keyid " hex
|
||||||
Set the keyid of the private key stored in a smartcard or a TPM 2.0 Trusted
|
Set the keyid of the private key stored in a smartcard or a TPM 2.0 Trusted
|
||||||
Platform Module.
|
Platform Module.
|
||||||
.TP
|
.TP
|
||||||
@ -42,7 +42,7 @@ static void usage(FILE *out)
|
||||||
{
|
{
|
||||||
fprintf(out,
|
fprintf(out,
|
||||||
"Usage: pt-tls --connect <hostname|address> [--port <port>]\n"
|
"Usage: pt-tls --connect <hostname|address> [--port <port>]\n"
|
||||||
" [--cert <file>]+ [--keyid <hex>|--key <file>]\n"
|
" [--certid <hex>|--cert <file>]+ [--keyid <hex>|--key <file>]\n"
|
||||||
" [--key-type rsa|ecdsa] [--client <client-id>]\n"
|
" [--key-type rsa|ecdsa] [--client <client-id>]\n"
|
||||||
" [--secret <password>] [--mutual] [--quiet]\n"
|
" [--secret <password>] [--mutual] [--quiet]\n"
|
||||||
" [--debug <level>] [--options <filename>]\n");
|
" [--debug <level>] [--options <filename>]\n");
|
||||||
|
@ -104,15 +104,26 @@ static mem_cred_t *creds;
|
||||||
/**
|
/**
|
||||||
* Load certificate from file
|
* Load certificate from file
|
||||||
*/
|
*/
|
||||||
static bool load_certificate(char *filename)
|
static bool load_certificate(char *certid, char *filename)
|
||||||
{
|
{
|
||||||
certificate_t *cert;
|
certificate_t *cert;
|
||||||
|
chunk_t chunk;
|
||||||
|
|
||||||
|
if (certid)
|
||||||
|
{
|
||||||
|
chunk = chunk_from_hex(chunk_create(certid, strlen(certid)), NULL);
|
||||||
|
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
||||||
|
BUILD_PKCS11_KEYID, chunk, BUILD_END);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
||||||
BUILD_FROM_FILE, filename, BUILD_END);
|
BUILD_FROM_FILE, filename, BUILD_END);
|
||||||
|
}
|
||||||
if (!cert)
|
if (!cert)
|
||||||
{
|
{
|
||||||
DBG1(DBG_TLS, "loading certificate from '%s' failed", filename);
|
DBG1(DBG_TLS, "loading certificate from '%s' failed",
|
||||||
|
certid ? certid : filename);
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
creds->add_cert(creds, TRUE, cert);
|
creds->add_cert(creds, TRUE, cert);
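Review bot: The header comment still reads `* Load certificate from file`, but the new `if (certid)` branch builds the certificate from a key handle via `BUILD_PKCS11_KEYID`; it should read `* Load certificate from file or via handle (BUILD_PKCS11_KEYID) stored in a smartcard or TPM`. In that same branch, `chunk_from_hex(..., NULL)` asks the library to allocate the binary buffer and nothing in the hunk releases it after `create()` has consumed the handle; unless the builder takes ownership of the chunk (worth confirming against the plugin), a `chunk_free(&chunk);` after the `create()` call is needed to avoid the leak. The error path already reports `certid ? certid : filename`, so the new branch is otherwise consistent with the file one. The function body continues past the hunk, so its success return is not visible here.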
|
||||||
|
@ -282,6 +293,7 @@ int main(int argc, char *argv[])
|
||||||
{"client", required_argument, NULL, 'i' },
|
{"client", required_argument, NULL, 'i' },
|
||||||
{"secret", required_argument, NULL, 's' },
|
{"secret", required_argument, NULL, 's' },
|
||||||
{"port", required_argument, NULL, 'p' },
|
{"port", required_argument, NULL, 'p' },
|
||||||
|
{"certid", required_argument, NULL, 'X' },
|
||||||
{"cert", required_argument, NULL, 'x' },
|
{"cert", required_argument, NULL, 'x' },
|
||||||
{"keyid", required_argument, NULL, 'K' },
|
{"keyid", required_argument, NULL, 'K' },
|
||||||
{"key", required_argument, NULL, 'k' },
|
{"key", required_argument, NULL, 'k' },
|
||||||
|
@ -301,8 +313,14 @@ int main(int argc, char *argv[])
|
||||||
case 'h': /* --help */
|
case 'h': /* --help */
|
||||||
usage(stdout);
|
usage(stdout);
|
||||||
return 0;
|
return 0;
|
||||||
|
case 'X': /* --certid <hex> */
|
||||||
|
if (!load_certificate(optarg, NULL))
|
||||||
|
{
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
continue;
|
||||||
case 'x': /* --cert <file> */
|
case 'x': /* --cert <file> */
|
||||||
if (!load_certificate(optarg))
|
if (!load_certificate(NULL, optarg))
|
||||||
{
|
{
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
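Review bot: The added `case 'X':` block is a line-for-line copy of the existing `case 'x':` block, differing only in which parameter of load_certificate() receives optarg; letting `case 'X':` fall through to a single call that picks the argument position from the returned option character would keep the two paths from drifting apart, or at minimum a comment `/* same handling as --cert, but via handle */` should tie them together. The short-option string handed to getopt_long() lies outside this hunk; since the man page documents `-X, --certid`, it should also be confirmed that `X:` was added there, otherwise only the long form will be accepted. The enclosing switch and main() extend beyond the hunk on both sides.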
|
||||||