New upstream version 5.5.1

author: Yves-Alexis Perez <corsac@debian.org> 2016-10-20 16:18:38 +0200
committer: Yves-Alexis Perez <corsac@debian.org> 2016-10-20 16:18:38 +0200
commit: 25663e04c3ab01ef8dc9f906608282319cfea2db (patch)
tree: a0ca5e70f66d74dbe552c996a4f3a285cdfc35e4 /src/pki/commands
parent: bf372706c469764d59e9f29c39e3ecbebd72b8d2 (diff)
download: vyos-strongswan-25663e04c3ab01ef8dc9f906608282319cfea2db.tar.gz
vyos-strongswan-25663e04c3ab01ef8dc9f906608282319cfea2db.zip
8 files changed, 80 insertions, 28 deletions
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index fdc43d705..b15f90199 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -117,6 +117,11 @@ static int issue()
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_BLISS;
 				}
+				else if (streq(arg, "priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ANY;
+				}
 				else if (!streq(arg, "pub"))
 				{
 					error = "invalid input type";
@@ -580,7 +585,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		issue, 'i', "issue",
 		"issue a certificate using a CA certificate and key",
-		{"[--in file] [--type pub|pkcs10|rsa|ecdsa|bliss] --cakey file|--cakeyid hex",
+		{"[--in file] [--type pub|pkcs10|priv|rsa|ecdsa|bliss] --cakey file|--cakeyid hex",
 		 " --cacert file [--dn subject-dn] [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--pathlen len]",
 		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c
index 3bc62e74d..f79120b31 100644
--- a/src/pki/commands/keyid.c
+++ b/src/pki/commands/keyid.c
@@ -26,7 +26,7 @@
 static int keyid()
 {
 	credential_type_t type = CRED_PRIVATE_KEY;
-	int subtype = KEY_RSA;
+	int subtype = KEY_ANY;
 	certificate_t *cert;
 	private_key_t *private;
 	public_key_t *public;
@@ -42,21 +42,29 @@ static int keyid()
 			case 'h':
 				return command_usage(NULL);
 			case 't':
-				if (streq(arg, "rsa-priv"))
+				if (streq(arg, "rsa") ||
+					streq(arg, "rsa-priv"))
 				{
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_RSA;
 				}
-				else if (streq(arg, "ecdsa-priv"))
+				else if (streq(arg, "ecdsa") ||
+						 streq(arg, "ecdsa-priv"))
 				{
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_ECDSA;
 				}
-				else if (streq(arg, "bliss-priv"))
+				else if (streq(arg, "bliss") ||
+						 streq(arg, "bliss-priv"))
 				{
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_BLISS;
 				}
+				else if (streq(arg, "priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ANY;
+				}
 				else if (streq(arg, "pub"))
 				{
 					type = CRED_PUBLIC_KEY;
@@ -169,11 +177,11 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t)
 		{ keyid, 'k', "keyid",
 		"calculate key identifiers of a key/certificate",
-		{"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|pkcs10|x509]"},
+		{"[--in file] [--type priv|rsa|ecdsa|bliss|pub|pkcs10|x509]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
-			{"type",	't', 1, "type of key, default: rsa-priv"},
+			{"type",	't', 1, "type of key, default: priv"},
 		}
 	});
 }
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index c367a21a9..8cb0a7b5d 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -89,17 +89,25 @@ static int print()
 					type = CRED_CERTIFICATE;
 					subtype = CERT_TRUSTED_PUBKEY;
 				}
-				else if (streq(arg, "rsa-priv"))
+				else if (streq(arg, "priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ANY;
+				}
+				else if (streq(arg, "rsa") ||
+						 streq(arg, "rsa-priv"))
 				{
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_RSA;
 				}
-				else if (streq(arg, "ecdsa-priv"))
+				else if (streq(arg, "ecdsa") ||
+						 streq(arg, "ecdsa-priv"))
 				{
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_ECDSA;
 				}
-				else if (streq(arg, "bliss-priv"))
+				else if (streq(arg, "bliss") ||
+						 streq(arg, "bliss-priv"))
 				{
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_BLISS;
@@ -173,7 +181,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t)
 		{ print, 'a', "print",
 		"print a credential in a human readable form",
-		{"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|x509|crl|ac]"},
+		{"[--in file] [--type x509|crl|ac|pub|priv|rsa|ecdsa|bliss]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index ccc3c4251..1d876f6f7 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -28,7 +28,7 @@ static int pub()
 {
 	cred_encoding_type_t form = PUBKEY_SPKI_ASN1_DER;
 	credential_type_t type = CRED_PRIVATE_KEY;
-	int subtype = KEY_RSA;
+	int subtype = KEY_ANY;
 	certificate_t *cert;
 	private_key_t *private;
 	public_key_t *public;
@@ -59,6 +59,11 @@ static int pub()
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_BLISS;
 				}
+				else if (streq(arg, "priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ANY;
+				}
 				else if (streq(arg, "pub"))
 				{
 					type = CRED_PUBLIC_KEY;
@@ -189,13 +194,13 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		pub, 'p', "pub",
 		"extract the public key from a private key/certificate",
-		{"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|pub|pkcs10|x509]",
+		{"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv|pub|pkcs10|x509]",
 		 "[--outform der|pem|dnskey|sshkey]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
 			{"keyid",	'x', 1, "keyid on smartcard of private key"},
-			{"type",	't', 1, "type of credential, default: rsa"},
+			{"type",	't', 1, "type of credential, default: priv"},
 			{"outform",	'f', 1, "encoding of extracted public key, default: der"},
 		}
 	});
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index 68d611250..23d07a28d 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -30,7 +30,7 @@
 static int req()
 {
 	cred_encoding_type_t form = CERT_ASN1_DER;
-	key_type_t type = KEY_RSA;
+	key_type_t type = KEY_ANY;
 	hash_algorithm_t digest = HASH_UNKNOWN;
 	certificate_t *cert = NULL;
 	private_key_t *private = NULL;
@@ -62,6 +62,10 @@ static int req()
 				{
 					type = KEY_BLISS;
 				}
+				else if (streq(arg, "priv"))
+				{
+					type = KEY_ANY;
+				}
 				else
 				{
 					error = "invalid input type";
@@ -194,14 +198,14 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		req, 'r', "req",
 		"create a PKCS#10 certificate request",
-		{"  [--in file] [--type rsa|ecdsa|bliss] --dn distinguished-name",
+		{"  [--in file] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name",
 		 "[--san subjectAltName]+ [--password challengePassword]",
 		 "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
 		 "[--outform der|pem]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "private key input file, default: stdin"},
-			{"type",	't', 1, "type of input key, default: rsa"},
+			{"type",	't', 1, "type of input key, default: priv"},
 			{"dn",		'd', 1, "subject distinguished name"},
 			{"san",		'a', 1, "subjectAltName to include in cert request"},
 			{"password",'p', 1, "challengePassword to include in cert request"},
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index f4e83c76c..6fb7b75ae 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -94,6 +94,10 @@ static int self()
 				{
 					type = KEY_BLISS;
 				}
+				else if (streq(arg, "priv"))
+				{
+					type = KEY_ANY;
+				}
 				else
 				{
 					error = "invalid input type";
@@ -417,7 +421,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		self, 's', "self",
 		"create a self signed certificate",
-		{" [--in file|--keyid hex] [--type rsa|ecdsa|bliss]",
+		{" [--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv]",
 		 " --dn distinguished-name [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
 		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
@@ -431,7 +435,7 @@ static void __attribute__ ((constructor))reg()
 			{"help",			'h', 0, "show usage information"},
 			{"in",				'i', 1, "private key input file, default: stdin"},
 			{"keyid",			'x', 1, "keyid on smartcard of private key"},
-			{"type",			't', 1, "type of input key, default: rsa"},
+			{"type",			't', 1, "type of input key, default: priv"},
 			{"dn",				'd', 1, "subject and issuer distinguished name"},
 			{"san",				'a', 1, "subjectAltName to include in certificate"},
 			{"lifetime",		'l', 1, "days the certificate is valid, default: 1095"},
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 6c27289f9..b9cf9c466 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -369,18 +369,22 @@ static int sign_crl()
 	}
 	else
 	{
-		crl_serial = chunk_from_chars(0x00);
+		if (!crl_serial.ptr)
+		{
+			crl_serial = chunk_from_chars(0x00);
+		}
 		lastenum = enumerator_create_empty();
 	}
 
-	/* remove superfluous leading zeros */
-	while (crl_serial.len > 1 && crl_serial.ptr[0] == 0x00 &&
-		  (crl_serial.ptr[1] & 0x80) == 0x00)
+	if (!crl_serial.len || crl_serial.ptr[0] & 0x80)
+	{	/* add leading 0x00 to handle potential overflow if serial is encoded
+		 * incorrectly */
+		crl_serial = chunk_cat("cc", chunk_from_chars(0x00), crl_serial);
+	}
+	else
 	{
-		crl_serial = chunk_skip_zero(crl_serial);
+		crl_serial = chunk_clone(crl_serial);
 	}
-	crl_serial = chunk_clone(crl_serial);
-
 	/* increment the serial number by one */
 	chunk_increment(crl_serial);
 
diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c
index 8cc633a95..dd667fb34 100644
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@@ -1,6 +1,7 @@
 /*
+ * Copyright (C) 2016 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -59,6 +60,18 @@ static int verify()
 				has_ca = TRUE;
 				creds->add_cert(creds, TRUE, cert);
 				continue;
+			case 'l':
+				cert = lib->creds->create(lib->creds,
+										  CRED_CERTIFICATE, CERT_X509_CRL,
+										  BUILD_FROM_FILE, arg, BUILD_END);
+				if (!cert)
+				{
+					fprintf(stderr, "parsing CRL failed\n");
+					goto end;
+				}
+				online = TRUE;
+				creds->add_crl(creds, (crl_t*)cert);
+				continue;
 			case 'o':
 				online = TRUE;
 				continue;
@@ -173,11 +186,12 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		verify, 'v', "verify",
 		"verify a certificate using the CA certificate",
-		{"[--in file] [--cacert file]"},
+		{"[--in file] [--cacert file] [--crl file]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "X.509 certificate to verify, default: stdin"},
 			{"cacert",	'c', 1, "CA certificate for trustchain verification"},
+			{"crl",		'l', 1, "CRL for trustchain verification"},
 			{"online",	'o', 0, "enable online CRL/OCSP revocation checking"},
 		}
 	});
author	Yves-Alexis Perez <corsac@debian.org>	2016-10-20 16:18:38 +0200
committer	Yves-Alexis Perez <corsac@debian.org>	2016-10-20 16:18:38 +0200
commit	25663e04c3ab01ef8dc9f906608282319cfea2db (patch)
tree	a0ca5e70f66d74dbe552c996a4f3a285cdfc35e4 /src/pki/commands
parent	bf372706c469764d59e9f29c39e3ecbebd72b8d2 (diff)
download	vyos-strongswan-25663e04c3ab01ef8dc9f906608282319cfea2db.tar.gz vyos-strongswan-25663e04c3ab01ef8dc9f906608282319cfea2db.zip