author | Yves-Alexis Perez <corsac@debian.org> | 2018-06-04 09:59:21 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2018-06-04 09:59:21 +0200 |
commit | 51a71ee15c1bcf0e82f363a16898f571e211f9c3 (patch) | |
tree | 2a03e117d072c55cfe2863d26b73e64d933e7ad8 /src/pki/commands/verify.c | |
parent | 7793611ee71b576dd9c66dee327349fa64e38740 (diff) | |
New upstream version 5.6.3
Diffstat (limited to 'src/pki/commands/verify.c')
-rw-r--r-- | src/pki/commands/verify.c | 106 |
1 files changed, 88 insertions, 18 deletions
diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c
index dd667fb34..88ef448b5 100644
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016 Tobias Brunner
+ * Copyright (C) 2016-2018 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -14,6 +14,9 @@
  * for more details.
  */
 
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
 #include <errno.h>
 
 #include "pki.h"
@@ -23,6 +26,84 @@
 #include <credentials/sets/mem_cred.h>
 
 /**
+ * Load a CA or CRL and add it to the credential set
+ */
+static bool load_cert(mem_cred_t *creds, char *path, certificate_type_t subtype)
+{
+	certificate_t *cert;
+	char *credname;
+
+	switch (subtype)
+	{
+		case CERT_X509:
+			credname = "CA certificate";
+			break;
+		case CERT_X509_CRL:
+			credname = "CRL";
+			break;
+		default:
+			return FALSE;
+	}
+	cert = lib->creds->create(lib->creds,
+							  CRED_CERTIFICATE, subtype,
+							  BUILD_FROM_FILE, path, BUILD_END);
+	if (!cert)
+	{
+		fprintf(stderr, "parsing %s from '%s' failed\n", credname, path);
+		return FALSE;
+	}
+	if (subtype == CERT_X509_CRL)
+	{
+		creds->add_crl(creds, (crl_t*)cert);
+	}
+	else
+	{
+		creds->add_cert(creds, TRUE, cert);
+	}
+	return TRUE;
+}
+
+/**
+ * Load CA cert or CRL either from a file or a path
+ */
+static bool load_certs(mem_cred_t *creds, char *path,
+					   certificate_type_t subtype)
+{
+	enumerator_t *enumerator;
+	struct stat st;
+	bool loaded = FALSE;
+
+	if (stat(path, &st))
+	{
+		fprintf(stderr, "failed to access '%s': %s\n", path, strerror(errno));
+		return FALSE;
+	}
+	if (S_ISDIR(st.st_mode))
+	{
+		enumerator = enumerator_create_directory(path);
+		if (!enumerator)
+		{
+			fprintf(stderr, "directory '%s' can not be opened: %s",
+					path, strerror(errno));
+			return FALSE;
+		}
+		while (enumerator->enumerate(enumerator, NULL, &path, &st))
+		{
+			if (S_ISREG(st.st_mode) && load_cert(creds, path, subtype))
+			{
+				loaded = TRUE;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		loaded = load_cert(creds, path, subtype);
+	}
+	return loaded;
+}
+
+/**
  * Verify a certificate signature
  */
 static int verify()
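Review bot: In load_certs, a file inside the directory that fails to parse is only reported by load_cert and the loop carries on, so the function still returns TRUE as long as some other regular file loaded; this differs from the single-file branch, where a parse failure returns FALSE, and the doc comment `Load CA cert or CRL either from a file or a path` does not say so. For a verification tool that best-effort semantics is worth stating explicitly, e.g. `Load a CA cert or CRL from a file, or from every regular file in a directory; in directory mode an unparsable file is reported on stderr but does not abort the load, and TRUE means at least one file was loaded`. Separately, the message on the failed enumerator_create_directory() path is the only one in the hunk without a trailing newline: `fprintf(stderr, "directory '%s' can not be opened: %s\n",`. That path also prints strerror(errno) after a helper call, which presumably leaves opendir's errno intact — worth confirming, since otherwise the reported reason is unrelated to the failure.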
@@ -49,28 +130,16 @@ static int verify()
 				file = arg;
 				continue;
 			case 'c':
-				cert = lib->creds->create(lib->creds,
-										  CRED_CERTIFICATE, CERT_X509,
-										  BUILD_FROM_FILE, arg, BUILD_END);
-				if (!cert)
+				if (load_certs(creds, arg, CERT_X509))
 				{
-					fprintf(stderr, "parsing CA certificate failed\n");
-					goto end;
+					has_ca = TRUE;
 				}
-				has_ca = TRUE;
-				creds->add_cert(creds, TRUE, cert);
 				continue;
 			case 'l':
-				cert = lib->creds->create(lib->creds,
-										  CRED_CERTIFICATE, CERT_X509_CRL,
-										  BUILD_FROM_FILE, arg, BUILD_END);
-				if (!cert)
+				if (load_certs(creds, arg, CERT_X509_CRL))
 				{
-					fprintf(stderr, "parsing CRL failed\n");
-					goto end;
+					online = TRUE;
 				}
-				online = TRUE;
-				creds->add_crl(creds, (crl_t*)cert);
 				continue;
 			case 'o':
 				online = TRUE;
@@ -108,7 +177,7 @@ static int verify()
 				fprintf(stderr, "parsing certificate failed\n");
 				goto end;
 			}
-			creds->add_cert(creds, !has_ca, cert);
+			cert = creds->add_cert_ref(creds, !has_ca, cert);
 
 			enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
 										KEY_ANY, cert->get_subject(cert), online);
@@ -153,6 +222,7 @@ static int verify()
 		printf("\n");
 	}
 	enumerator->destroy(enumerator);
+	cert->destroy(cert);
 
 	if (!trusted)
 	{
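Review bot: A CA certificate or CRL that fails to load is no longer fatal in the new `case 'c'` and `case 'l'` branches: the removed lines did `goto end` on a parse failure, while the new code merely leaves `has_ca`/`online` unset and continues with the next option. Since the certificate under test is later added with trusted = `!has_ca` (the `add_cert_ref` hunk below), a mistyped or unreadable `-c` path appears to leave that certificate acting as its own trust anchor, with the load error visible only on stderr; whether the final output and exit status still reflect the failure depends on code outside this hunk. Restoring the fail-closed behaviour is a small change, `if (!load_certs(creds, arg, CERT_X509)) { goto end; } has_ca = TRUE;`, and likewise `if (!load_certs(creds, arg, CERT_X509_CRL)) { goto end; } online = TRUE;` for the CRL case. verify() begins before this hunk and its body continues after it.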