author | Yves-Alexis Perez <corsac@debian.org> | 2016-10-20 16:18:38 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2016-10-20 16:18:38 +0200 |
commit | 25663e04c3ab01ef8dc9f906608282319cfea2db (patch) | |
tree | a0ca5e70f66d74dbe552c996a4f3a285cdfc35e4 /src/pki | |
parent | bf372706c469764d59e9f29c39e3ecbebd72b8d2 (diff) | |
New upstream version 5.5.1
Diffstat (limited to 'src/pki')
-rw-r--r-- | src/pki/Makefile.in | 5 | ||||
-rw-r--r-- | src/pki/commands/issue.c | 7 | ||||
-rw-r--r-- | src/pki/commands/keyid.c | 20 | ||||
-rw-r--r-- | src/pki/commands/print.c | 16 | ||||
-rw-r--r-- | src/pki/commands/pub.c | 11 | ||||
-rw-r--r-- | src/pki/commands/req.c | 10 | ||||
-rw-r--r-- | src/pki/commands/self.c | 8 | ||||
-rw-r--r-- | src/pki/commands/signcrl.c | 18 | ||||
-rw-r--r-- | src/pki/commands/verify.c | 18 | ||||
-rw-r--r-- | src/pki/man/Makefile.in | 5 | ||||
-rw-r--r-- | src/pki/man/pki---issue.1.in | 7 | ||||
-rw-r--r-- | src/pki/man/pki---keyid.1.in | 7 | ||||
-rw-r--r-- | src/pki/man/pki---print.1.in | 9 | ||||
-rw-r--r-- | src/pki/man/pki---pub.1.in | 7 | ||||
-rw-r--r-- | src/pki/man/pki---req.1.in | 3 | ||||
-rw-r--r-- | src/pki/man/pki---self.1.in | 3 | ||||
-rw-r--r-- | src/pki/man/pki---verify.1.in | 6 |
17 files changed, 109 insertions, 51 deletions
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index 7b900f238..d9ffbf8cf 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -371,7 +371,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -405,8 +404,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -460,6 +457,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index fdc43d705..b15f90199 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -117,6 +117,11 @@ static int issue()
 type = CRED_PRIVATE_KEY;
 subtype = KEY_BLISS;
 }
+ else if (streq(arg, "priv"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_ANY;
+ }
 else if (!streq(arg, "pub"))
 {
 error = "invalid input type";
@@ -580,7 +585,7 @@ static void __attribute__ ((constructor))reg()
 command_register((command_t) {
 issue, 'i', "issue",
 "issue a certificate using a CA certificate and key",
- {"[--in file] [--type pub|pkcs10|rsa|ecdsa|bliss] --cakey file|--cakeyid hex",
+ {"[--in file] [--type pub|pkcs10|priv|rsa|ecdsa|bliss] --cakey file|--cakeyid hex",
 " --cacert file [--dn subject-dn] [--san subjectAltName]+",
 "[--lifetime days] [--serial hex] [--ca] [--pathlen len]",
 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c
index 3bc62e74d..f79120b31 100644
--- a/src/pki/commands/keyid.c
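Review bot: The new `priv` branch in issue() is one more hand-written copy of the `--type` string to (type, subtype) dispatch that this commit also extends in keyid.c, print.c, pub.c, req.c and self.c; a shared table-driven helper mapping the accepted names to their credential type and subtype would keep the accepted spellings and the default in one place. As written, keyid.c and print.c accept both `rsa` and `rsa-priv` (and the ecdsa/bliss equivalents) while issue.c, pub.c, req.c and self.c accept only `rsa`, which matches their previous usage strings but is easy to lose track of across six files. issue() starts and ends outside the hunk.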
+++ b/src/pki/commands/keyid.c
@@ -26,7 +26,7 @@ static int keyid()
 {
 credential_type_t type = CRED_PRIVATE_KEY;
- int subtype = KEY_RSA;
+ int subtype = KEY_ANY;
 certificate_t *cert;
 private_key_t *private;
 public_key_t *public;
@@ -42,21 +42,29 @@ static int keyid()
 case 'h':
 return command_usage(NULL);
 case 't':
- if (streq(arg, "rsa-priv"))
+ if (streq(arg, "rsa") ||
+ streq(arg, "rsa-priv"))
 {
 type = CRED_PRIVATE_KEY;
 subtype = KEY_RSA;
 }
- else if (streq(arg, "ecdsa-priv"))
+ else if (streq(arg, "ecdsa") ||
+ streq(arg, "ecdsa-priv"))
 {
 type = CRED_PRIVATE_KEY;
 subtype = KEY_ECDSA;
 }
- else if (streq(arg, "bliss-priv"))
+ else if (streq(arg, "bliss") ||
+ streq(arg, "bliss-priv"))
 {
 type = CRED_PRIVATE_KEY;
 subtype = KEY_BLISS;
 }
+ else if (streq(arg, "priv"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_ANY;
+ }
 else if (streq(arg, "pub"))
 {
 type = CRED_PUBLIC_KEY;
@@ -169,11 +177,11 @@ static void __attribute__ ((constructor))reg()
 command_register((command_t) {
 keyid, 'k', "keyid",
 "calculate key identifiers of a key/certificate",
- {"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|pkcs10|x509]"},
+ {"[--in file] [--type priv|rsa|ecdsa|bliss|pub|pkcs10|x509]"},
 {
 {"help", 'h', 0, "show usage information"},
 {"in", 'i', 1, "input file, default: stdin"},
- {"type", 't', 1, "type of key, default: rsa-priv"},
+ {"type", 't', 1, "type of key, default: priv"},
 }
 });
 }
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index c367a21a9..8cb0a7b5d 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -89,17 +89,25 @@ static int print()
 type = CRED_CERTIFICATE;
 subtype = CERT_TRUSTED_PUBKEY;
 }
- else if (streq(arg, "rsa-priv"))
+ else if (streq(arg, "priv"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_ANY;
+ }
+ else if (streq(arg, "rsa") ||
+ streq(arg, "rsa-priv"))
 {
 type = CRED_PRIVATE_KEY;
 subtype = KEY_RSA;
 }
- else if (streq(arg, "ecdsa-priv"))
+ else if (streq(arg, "ecdsa") ||
+ streq(arg, "ecdsa-priv"))
 {
 type = CRED_PRIVATE_KEY;
 subtype = KEY_ECDSA;
 }
- else if (streq(arg, "bliss-priv"))
+ else if (streq(arg, "bliss") ||
+ streq(arg, "bliss-priv"))
 {
 type = CRED_PRIVATE_KEY;
 subtype = KEY_BLISS;
@@ -173,7 +181,7 @@ static void __attribute__ ((constructor))reg()
 command_register((command_t) {
 print, 'a', "print",
 "print a credential in a human readable form",
- {"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|x509|crl|ac]"},
+ {"[--in file] [--type x509|crl|ac|pub|priv|rsa|ecdsa|bliss]"},
 {
 {"help", 'h', 0, "show usage information"},
 {"in", 'i', 1, "input file, default: stdin"},
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index ccc3c4251..1d876f6f7 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -28,7 +28,7 @@ static int pub()
 {
 cred_encoding_type_t form = PUBKEY_SPKI_ASN1_DER;
 credential_type_t type = CRED_PRIVATE_KEY;
- int subtype = KEY_RSA;
+ int subtype = KEY_ANY;
 certificate_t *cert;
 private_key_t *private;
 public_key_t *public;
@@ -59,6 +59,11 @@ static int pub()
 type = CRED_PRIVATE_KEY;
 subtype = KEY_BLISS;
 }
+ else if (streq(arg, "priv"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_ANY;
+ }
 else if (streq(arg, "pub"))
 {
 type = CRED_PUBLIC_KEY;
@@ -189,13 +194,13 @@ static void __attribute__ ((constructor))reg()
 command_register((command_t) {
 pub, 'p', "pub",
 "extract the public key from a private key/certificate",
- {"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|pub|pkcs10|x509]",
+ {"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv|pub|pkcs10|x509]",
 "[--outform der|pem|dnskey|sshkey]"},
 {
 {"help", 'h', 0, "show usage information"},
 {"in", 'i', 1, "input file, default: stdin"},
 {"keyid", 'x', 1, "keyid on smartcard of private key"},
- {"type", 't', 1, "type of credential, default: rsa"},
+ {"type", 't', 1, "type of credential, default: priv"},
 {"outform", 'f', 1, "encoding of extracted public key, default: der"},
 }
 });
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index 68d611250..23d07a28d 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -30,7 +30,7 @@ static int req()
 {
 cred_encoding_type_t form = CERT_ASN1_DER;
- key_type_t type = KEY_RSA;
+ key_type_t type = KEY_ANY;
 hash_algorithm_t digest = HASH_UNKNOWN;
 certificate_t *cert = NULL;
 private_key_t *private = NULL;
@@ -62,6 +62,10 @@ static int req()
 {
 type = KEY_BLISS;
 }
+ else if (streq(arg, "priv"))
+ {
+ type = KEY_ANY;
+ }
 else
 {
 error = "invalid input type";
@@ -194,14 +198,14 @@ static void __attribute__ ((constructor))reg()
 command_register((command_t) {
 req, 'r', "req",
 "create a PKCS#10 certificate request",
- {" [--in file] [--type rsa|ecdsa|bliss] --dn distinguished-name",
+ {" [--in file] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name",
 "[--san subjectAltName]+ [--password challengePassword]",
 "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
 "[--outform der|pem]"},
 {
 {"help", 'h', 0, "show usage information"},
 {"in", 'i', 1, "private key input file, default: stdin"},
- {"type", 't', 1, "type of input key, default: rsa"},
+ {"type", 't', 1, "type of input key, default: priv"},
 {"dn", 'd', 1, "subject distinguished name"},
 {"san", 'a', 1, "subjectAltName to include in cert request"},
 {"password",'p', 1, "challengePassword to include in cert request"},
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index f4e83c76c..6fb7b75ae 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -94,6 +94,10 @@ static int self()
 {
 type = KEY_BLISS;
 }
+ else if (streq(arg, "priv"))
+ {
+ type = KEY_ANY;
+ }
 else
 {
 error = "invalid input type";
@@ -417,7 +421,7 @@ static void __attribute__ ((constructor))reg()
 command_register((command_t) {
 self, 's', "self",
 "create a self signed certificate",
- {" [--in file|--keyid hex] [--type rsa|ecdsa|bliss]",
+ {" [--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv]",
 " --dn distinguished-name [--san subjectAltName]+",
 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
@@ -431,7 +435,7 @@ static void __attribute__ ((constructor))reg()
 {"help", 'h', 0, "show usage information"},
 {"in", 'i', 1, "private key input file, default: stdin"},
 {"keyid", 'x', 1, "keyid on smartcard of private key"},
- {"type", 't', 1, "type of input key, default: rsa"},
+ {"type", 't', 1, "type of input key, default: priv"},
 {"dn", 'd', 1, "subject and issuer distinguished name"},
 {"san", 'a', 1, "subjectAltName to include in certificate"},
 {"lifetime", 'l', 1, "days the certificate is valid, default: 1095"},
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 6c27289f9..b9cf9c466 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -369,18 +369,22 @@ static int sign_crl()
 }
 else
 {
- crl_serial = chunk_from_chars(0x00);
+ if (!crl_serial.ptr)
+ {
+ crl_serial = chunk_from_chars(0x00);
+ }
 lastenum = enumerator_create_empty();
 }
- /* remove superfluous leading zeros */
- while (crl_serial.len > 1 && crl_serial.ptr[0] == 0x00 &&
- (crl_serial.ptr[1] & 0x80) == 0x00)
+ if (!crl_serial.len || crl_serial.ptr[0] & 0x80)
+ { /* add leading 0x00 to handle potential overflow if serial is encoded
+ * incorrectly */
+ crl_serial = chunk_cat("cc", chunk_from_chars(0x00), crl_serial);
+ }
+ else
 {
- crl_serial = chunk_skip_zero(crl_serial);
+ crl_serial = chunk_clone(crl_serial);
 }
- crl_serial = chunk_clone(crl_serial);
-
 /* increment the serial number by one */
 chunk_increment(crl_serial);
diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c
index 8cc633a95..dd667fb34 100644
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@@ -1,6 +1,7 @@
 /*
+ * Copyright (C) 2016 Tobias Brunner
 * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
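Review bot: The added `if (!crl_serial.ptr) { crl_serial = chunk_from_chars(0x00); }` in sign_crl() looks redundant and, if chunk_from_chars is strongSwan's compound-literal macro, leaves crl_serial pointing at storage whose lifetime ends with that inner block before `crl_serial.ptr[0]` and `chunk_clone(crl_serial)` read it a few lines later. The new `!crl_serial.len` branch already covers the no-serial case: `chunk_cat("cc", chunk_from_chars(0x00), crl_serial)` on an empty chunk yields a heap copy of `00`, and `chunk_increment` turns that into `01`, the same value the default produces via the clone branch. I would drop the inner if and its default and let the length check handle it, assuming crl_serial is initialised to chunk_empty where it is declared outside the hunk. For readability I would also parenthesise the bit test, `if (!crl_serial.len || (crl_serial.ptr[0] & 0x80))`. sign_crl() starts and ends outside the hunk.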
@@ -59,6 +60,18 @@ static int verify()
 has_ca = TRUE;
 creds->add_cert(creds, TRUE, cert);
 continue;
+ case 'l':
+ cert = lib->creds->create(lib->creds,
+ CRED_CERTIFICATE, CERT_X509_CRL,
+ BUILD_FROM_FILE, arg, BUILD_END);
+ if (!cert)
+ {
+ fprintf(stderr, "parsing CRL failed\n");
+ goto end;
+ }
+ online = TRUE;
+ creds->add_crl(creds, (crl_t*)cert);
+ continue;
 case 'o':
 online = TRUE;
 continue;
@@ -173,11 +186,12 @@ static void __attribute__ ((constructor))reg()
 command_register((command_t) {
 verify, 'v', "verify",
 "verify a certificate using the CA certificate",
- {"[--in file] [--cacert file]"},
+ {"[--in file] [--cacert file] [--crl file]"},
 {
 {"help", 'h', 0, "show usage information"},
 {"in", 'i', 1, "X.509 certificate to verify, default: stdin"},
 {"cacert", 'c', 1, "CA certificate for trustchain verification"},
+ {"crl", 'l', 1, "CRL for trustchain verification"},
 {"online", 'o', 0, "enable online CRL/OCSP revocation checking"},
 }
 });
diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in
index 982a1175f..030d6be53 100644
--- a/src/pki/man/Makefile.in
+++ b/src/pki/man/Makefile.in
@@ -308,7 +308,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -342,8 +341,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -397,6 +394,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
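Review bot: The new `case 'l'` in verify() sets `online = TRUE` as a side effect, so passing a local CRL also enables the network CRL/OCSP fetching that the `-o` option text describes, and the new `crl` option text `CRL for trustchain verification` does not mention this; the verify man page hunk further down this page documents it as "Implies -o", so the code should carry the same why-comment, e.g. `/* implies --online: revocation checking, which also consults this CRL, presumably runs only when online is set */`. If a purely local check is wanted, a separate flag tested alongside `online` at the verification call would avoid the implicit remote access. The `(crl_t*)cert` cast is safe only because the create() call asks for CERT_X509_CRL, which is worth stating in the same comment. verify() starts and ends outside the hunk.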
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in index 20238b73d..bfc7bb1a5 100644 --- a/src/pki/man/pki---issue.1.in +++ b/src/pki/man/pki---issue.1.in @@ -67,9 +67,10 @@ Public key or PKCS#10 certificate request file to issue. If not given the key/request is read from \fISTDIN\fR. .TP .BI "\-t, \-\-type " type -Type of the input. One of \fIpub\fR (public key), \fIrsa\fR (RSA private key), -\fIecdsa\fR (ECDSA private key), or \fIpkcs10\fR (PKCS#10 certificate request), -defaults to \fIpub\fR. +Type of the input. One of \fIpub\fR (public key), \fIpriv\fR (private key), +\fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS +private key) or \fIpkcs10\fR (PKCS#10 certificate request), defaults to +\fIpub\fR. .TP .BI "\-k, \-\-cakey " file CA private key file. Either this or diff --git a/src/pki/man/pki---keyid.1.in b/src/pki/man/pki---keyid.1.in index 490f7afea..c69f7cbc7 100644 --- a/src/pki/man/pki---keyid.1.in +++ b/src/pki/man/pki---keyid.1.in @@ -44,9 +44,10 @@ Read command line options from \fIfile\fR. Input file. If not given the input is read from \fISTDIN\fR. .TP .BI "\-t, \-\-type " type -Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA -private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 certificate -request), \fIx509\fR (X.509 certificate), defaults to \fIrsa-priv\fR. +Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key), +\fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS private key), +\fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 certificate request), +\fIx509\fR (X.509 certificate), defaults to \fIpriv\fR. . .SH "EXAMPLES" . diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in index 434d4ea16..09f81cdaa 100644 --- a/src/pki/man/pki---print.1.in +++ b/src/pki/man/pki---print.1.in 
@@ -44,10 +44,11 @@ Read command line options from \fIfile\fR. Input file. If not given the input is read from \fISTDIN\fR. .TP .BI "\-t, \-\-type " type -Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA -private key), \fIpub\fR (public key), \fIx509\fR (X.509 certificate), \fIcrl\fR -(Certificate Revocation List, CRL), \fIac\fR (Attribute Certificate), -defaults to \fIx509\fR. +Type of input. One of \fIx509\fR (X.509 certificate), \fIcrl\fR (Certificate +Revocation List, CRL), \fIac\fR (Attribute Certificate), \fIpub\fR (public key), +\fpriv\fR (private key), \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private +key), \fIbliss\fR (BLISS private key), \fIpriv\fR (private key), defaults to +\fIx509\fR. . .SH "SEE ALSO" . diff --git a/src/pki/man/pki---pub.1.in b/src/pki/man/pki---pub.1.in index c57e03a40..fe6c520f4 100644 --- a/src/pki/man/pki---pub.1.in +++ b/src/pki/man/pki---pub.1.in @@ -47,10 +47,9 @@ Read command line options from \fIfile\fR. Input file. If not given the input is read from \fISTDIN\fR. .TP .BI "\-t, \-\-type " type -Type of input. One of \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA -private key), \fIpub\fR (public key), -\fIpkcs10\fR (PKCS#10 certificate request), or \fIx509\fR (X.509 certificate), -defaults to \fIrsa\fR. +Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key), +\fIecdsa\fR (ECDSA private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 +certificate request), or \fIx509\fR (X.509 certificate), defaults to \fIpriv\fR. .TP .BI "\-f, \-\-outform " encoding Encoding of the extracted public key. One of \fIder\fR (ASN.1 DER), \fIpem\fR diff --git a/src/pki/man/pki---req.1.in b/src/pki/man/pki---req.1.in index a6f6a480a..4a39c5c94 100644 --- a/src/pki/man/pki---req.1.in +++ b/src/pki/man/pki---req.1.in 
@@ -49,7 +49,8 @@ Read command line options from \fIfile\fR. Private key input file. If not given the key is read from \fISTDIN\fR. .TP .BI "\-t, \-\-type " type -Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR. +Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR, +defaults to \fIpriv\fR. .TP .BI "\-d, \-\-dn " distinguished-name Subject distinguished name (DN). Required. diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in index 53f53f816..9461e3eff 100644 --- a/src/pki/man/pki---self.1.in +++ b/src/pki/man/pki---self.1.in @@ -68,7 +68,8 @@ Private key input file. If not given the key is read from \fISTDIN\fR. Key ID of a private key on a smartcard. .TP .BI "\-t, \-\-type " type -Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR. +Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR, +defaults to \fIpriv\fR. .TP .BI "\-d, \-\-dn " distinguished-name Subject and issuer distinguished name (DN). Required. diff --git a/src/pki/man/pki---verify.1.in b/src/pki/man/pki---verify.1.in index dd0c0e928..74adaf150 100644 --- a/src/pki/man/pki---verify.1.in +++ b/src/pki/man/pki---verify.1.in @@ -1,4 +1,4 @@ -.TH "PKI \-\-VERIFY" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan" +.TH "PKI \-\-VERIFY" 1 "2016-08-19" "@PACKAGE_VERSION@" "strongSwan" . .SH "NAME" . @@ -9,6 +9,7 @@ pki \-\-verify \- Verify a certificate using a CA certificate .SY pki\ \-\-verify .OP \-\-in file .OP \-\-cacert file +.OP \-\-crl file .OP \-\-debug level .OP \-\-online .YS @@ -48,6 +49,9 @@ X.509 certificate to verify. If not given it is read from \fISTDIN\fR. CA certificate to use for trustchain verification. If not given the certificate is assumed to be self\-signed. .TP +.BI "\-l, \-\-crl " file +Local CRL to use for trustchain verification. Implies \fB-o\fR. +.TP .BI "\-o, \-\-online Enable online CRL/OCSP revocation checking. . |