authorYves-Alexis Perez <corsac@debian.org>2016-10-20 16:18:38 +0200
committerYves-Alexis Perez <corsac@debian.org>2016-10-20 16:18:38 +0200
commit25663e04c3ab01ef8dc9f906608282319cfea2db (patch)
treea0ca5e70f66d74dbe552c996a4f3a285cdfc35e4 /src/pki
parentbf372706c469764d59e9f29c39e3ecbebd72b8d2 (diff)
New upstream version 5.5.1
Diffstat (limited to 'src/pki')
-rw-r--r--src/pki/Makefile.in5
-rw-r--r--src/pki/commands/issue.c7
-rw-r--r--src/pki/commands/keyid.c20
-rw-r--r--src/pki/commands/print.c16
-rw-r--r--src/pki/commands/pub.c11
-rw-r--r--src/pki/commands/req.c10
-rw-r--r--src/pki/commands/self.c8
-rw-r--r--src/pki/commands/signcrl.c18
-rw-r--r--src/pki/commands/verify.c18
-rw-r--r--src/pki/man/Makefile.in5
-rw-r--r--src/pki/man/pki---issue.1.in7
-rw-r--r--src/pki/man/pki---keyid.1.in7
-rw-r--r--src/pki/man/pki---print.1.in9
-rw-r--r--src/pki/man/pki---pub.1.in7
-rw-r--r--src/pki/man/pki---req.1.in3
-rw-r--r--src/pki/man/pki---self.1.in3
-rw-r--r--src/pki/man/pki---verify.1.in6
17 files changed, 109 insertions, 51 deletions
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index 7b900f238..d9ffbf8cf 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -371,7 +371,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
cmd_plugins = @cmd_plugins@
datadir = @datadir@
datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
dev_headers = @dev_headers@
docdir = @docdir@
dvidir = @dvidir@
@@ -405,8 +404,6 @@ libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
mandir = @mandir@
medsrv_plugins = @medsrv_plugins@
@@ -460,6 +457,8 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index fdc43d705..b15f90199 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -117,6 +117,11 @@ static int issue()
type = CRED_PRIVATE_KEY;
subtype = KEY_BLISS;
}
+ else if (streq(arg, "priv"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_ANY;
+ }
else if (!streq(arg, "pub"))
{
error = "invalid input type";
@@ -580,7 +585,7 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
issue, 'i', "issue",
"issue a certificate using a CA certificate and key",
- {"[--in file] [--type pub|pkcs10|rsa|ecdsa|bliss] --cakey file|--cakeyid hex",
+ {"[--in file] [--type pub|pkcs10|priv|rsa|ecdsa|bliss] --cakey file|--cakeyid hex",
" --cacert file [--dn subject-dn] [--san subjectAltName]+",
"[--lifetime days] [--serial hex] [--ca] [--pathlen len]",
"[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c
index 3bc62e74d..f79120b31 100644
--- a/src/pki/commands/keyid.c
+++ b/src/pki/commands/keyid.c
@@ -26,7 +26,7 @@
static int keyid()
{
credential_type_t type = CRED_PRIVATE_KEY;
- int subtype = KEY_RSA;
+ int subtype = KEY_ANY;
certificate_t *cert;
private_key_t *private;
public_key_t *public;
@@ -42,21 +42,29 @@ static int keyid()
case 'h':
return command_usage(NULL);
case 't':
- if (streq(arg, "rsa-priv"))
+ if (streq(arg, "rsa") ||
+ streq(arg, "rsa-priv"))
{
type = CRED_PRIVATE_KEY;
subtype = KEY_RSA;
}
- else if (streq(arg, "ecdsa-priv"))
+ else if (streq(arg, "ecdsa") ||
+ streq(arg, "ecdsa-priv"))
{
type = CRED_PRIVATE_KEY;
subtype = KEY_ECDSA;
}
- else if (streq(arg, "bliss-priv"))
+ else if (streq(arg, "bliss") ||
+ streq(arg, "bliss-priv"))
{
type = CRED_PRIVATE_KEY;
subtype = KEY_BLISS;
}
+ else if (streq(arg, "priv"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_ANY;
+ }
else if (streq(arg, "pub"))
{
type = CRED_PUBLIC_KEY;
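Review bot: The `-priv` suffixed spellings at `streq(arg, "rsa-priv")`, `streq(arg, "ecdsa-priv")` and `streq(arg, "bliss-priv")` remain accepted but are dropped from the usage string in the later hunk, and nothing in the code says why two spellings of each type exist. A comment above the first branch, `/* "<type>-priv" spellings are kept as aliases for backwards compatibility */`, would record the intent and keep a future cleanup from removing them unknowingly. The same pattern appears in the first hunk of print.c. keyid's option loop continues on both sides of the hunk.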
@@ -169,11 +177,11 @@ static void __attribute__ ((constructor))reg()
command_register((command_t)
{ keyid, 'k', "keyid",
"calculate key identifiers of a key/certificate",
- {"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|pkcs10|x509]"},
+ {"[--in file] [--type priv|rsa|ecdsa|bliss|pub|pkcs10|x509]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "input file, default: stdin"},
- {"type", 't', 1, "type of key, default: rsa-priv"},
+ {"type", 't', 1, "type of key, default: priv"},
}
});
}
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index c367a21a9..8cb0a7b5d 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -89,17 +89,25 @@ static int print()
type = CRED_CERTIFICATE;
subtype = CERT_TRUSTED_PUBKEY;
}
- else if (streq(arg, "rsa-priv"))
+ else if (streq(arg, "priv"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_ANY;
+ }
+ else if (streq(arg, "rsa") ||
+ streq(arg, "rsa-priv"))
{
type = CRED_PRIVATE_KEY;
subtype = KEY_RSA;
}
- else if (streq(arg, "ecdsa-priv"))
+ else if (streq(arg, "ecdsa") ||
+ streq(arg, "ecdsa-priv"))
{
type = CRED_PRIVATE_KEY;
subtype = KEY_ECDSA;
}
- else if (streq(arg, "bliss-priv"))
+ else if (streq(arg, "bliss") ||
+ streq(arg, "bliss-priv"))
{
type = CRED_PRIVATE_KEY;
subtype = KEY_BLISS;
@@ -173,7 +181,7 @@ static void __attribute__ ((constructor))reg()
command_register((command_t)
{ print, 'a', "print",
"print a credential in a human readable form",
- {"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|x509|crl|ac]"},
+ {"[--in file] [--type x509|crl|ac|pub|priv|rsa|ecdsa|bliss]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "input file, default: stdin"},
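Review bot: The new usage string `{"[--in file] [--type x509|crl|ac|pub|priv|rsa|ecdsa|bliss]"}` lists `priv` once, while the matching man page hunk in pki---print.1.in in this same commit lists it twice and writes the first occurrence as `\fpriv\fR`, missing the `I` of the `\fI` font escape; the man page should carry `\fIpriv\fR (private key)` exactly once, between `pub` and `rsa`, to match this usage text. The `-priv` spellings the code still accepts are not listed here, which matches keyid.c's usage string, so hiding them looks deliberate but is not documented anywhere in the code. reg's body continues past the hunk.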
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index ccc3c4251..1d876f6f7 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -28,7 +28,7 @@ static int pub()
{
cred_encoding_type_t form = PUBKEY_SPKI_ASN1_DER;
credential_type_t type = CRED_PRIVATE_KEY;
- int subtype = KEY_RSA;
+ int subtype = KEY_ANY;
certificate_t *cert;
private_key_t *private;
public_key_t *public;
@@ -59,6 +59,11 @@ static int pub()
type = CRED_PRIVATE_KEY;
subtype = KEY_BLISS;
}
+ else if (streq(arg, "priv"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_ANY;
+ }
else if (streq(arg, "pub"))
{
type = CRED_PUBLIC_KEY;
@@ -189,13 +194,13 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
pub, 'p', "pub",
"extract the public key from a private key/certificate",
- {"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|pub|pkcs10|x509]",
+ {"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv|pub|pkcs10|x509]",
"[--outform der|pem|dnskey|sshkey]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "input file, default: stdin"},
{"keyid", 'x', 1, "keyid on smartcard of private key"},
- {"type", 't', 1, "type of credential, default: rsa"},
+ {"type", 't', 1, "type of credential, default: priv"},
{"outform", 'f', 1, "encoding of extracted public key, default: der"},
}
});
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index 68d611250..23d07a28d 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -30,7 +30,7 @@
static int req()
{
cred_encoding_type_t form = CERT_ASN1_DER;
- key_type_t type = KEY_RSA;
+ key_type_t type = KEY_ANY;
hash_algorithm_t digest = HASH_UNKNOWN;
certificate_t *cert = NULL;
private_key_t *private = NULL;
@@ -62,6 +62,10 @@ static int req()
{
type = KEY_BLISS;
}
+ else if (streq(arg, "priv"))
+ {
+ type = KEY_ANY;
+ }
else
{
error = "invalid input type";
@@ -194,14 +198,14 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
req, 'r', "req",
"create a PKCS#10 certificate request",
- {" [--in file] [--type rsa|ecdsa|bliss] --dn distinguished-name",
+ {" [--in file] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name",
"[--san subjectAltName]+ [--password challengePassword]",
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
"[--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "private key input file, default: stdin"},
- {"type", 't', 1, "type of input key, default: rsa"},
+ {"type", 't', 1, "type of input key, default: priv"},
{"dn", 'd', 1, "subject distinguished name"},
{"san", 'a', 1, "subjectAltName to include in cert request"},
{"password",'p', 1, "challengePassword to include in cert request"},
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index f4e83c76c..6fb7b75ae 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -94,6 +94,10 @@ static int self()
{
type = KEY_BLISS;
}
+ else if (streq(arg, "priv"))
+ {
+ type = KEY_ANY;
+ }
else
{
error = "invalid input type";
@@ -417,7 +421,7 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
self, 's', "self",
"create a self signed certificate",
- {" [--in file|--keyid hex] [--type rsa|ecdsa|bliss]",
+ {" [--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv]",
" --dn distinguished-name [--san subjectAltName]+",
"[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
"[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
@@ -431,7 +435,7 @@ static void __attribute__ ((constructor))reg()
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "private key input file, default: stdin"},
{"keyid", 'x', 1, "keyid on smartcard of private key"},
- {"type", 't', 1, "type of input key, default: rsa"},
+ {"type", 't', 1, "type of input key, default: priv"},
{"dn", 'd', 1, "subject and issuer distinguished name"},
{"san", 'a', 1, "subjectAltName to include in certificate"},
{"lifetime", 'l', 1, "days the certificate is valid, default: 1095"},
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 6c27289f9..b9cf9c466 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -369,18 +369,22 @@ static int sign_crl()
}
else
{
- crl_serial = chunk_from_chars(0x00);
+ if (!crl_serial.ptr)
+ {
+ crl_serial = chunk_from_chars(0x00);
+ }
lastenum = enumerator_create_empty();
}
- /* remove superfluous leading zeros */
- while (crl_serial.len > 1 && crl_serial.ptr[0] == 0x00 &&
- (crl_serial.ptr[1] & 0x80) == 0x00)
+ if (!crl_serial.len || crl_serial.ptr[0] & 0x80)
+ { /* add leading 0x00 to handle potential overflow if serial is encoded
+ * incorrectly */
+ crl_serial = chunk_cat("cc", chunk_from_chars(0x00), crl_serial);
+ }
+ else
{
- crl_serial = chunk_skip_zero(crl_serial);
+ crl_serial = chunk_clone(crl_serial);
}
- crl_serial = chunk_clone(crl_serial);
-
/* increment the serial number by one */
chunk_increment(crl_serial);
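Review bot: The guard `if (!crl_serial.len || crl_serial.ptr[0] & 0x80)` inspects the serial before `chunk_increment(crl_serial)` runs, so an input whose first byte is 0x7f with all following bytes 0xff is left unpadded and then increments to 0x80 0x00 …, a value with its top bit set; whether that later becomes a negative INTEGER depends on the CRL encoder outside this hunk, so either confirm the encoder re-adds the leading zero or move the check after the increment. Parenthesising the bitwise test, `(crl_serial.ptr[0] & 0x80)`, would also make the intended grouping against `||` explicit. If `chunk_increment` reports overflow through its return value, that result is discarded here; a comment such as `/* no overflow possible: a leading 0x00 was prepended whenever the top bit was set */` would state the invariant the code relies on. sign_crl's body continues above and below the hunk.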
diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c
index 8cc633a95..dd667fb34 100644
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@@ -1,6 +1,7 @@
/*
+ * Copyright (C) 2016 Tobias Brunner
* Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -59,6 +60,18 @@ static int verify()
has_ca = TRUE;
creds->add_cert(creds, TRUE, cert);
continue;
+ case 'l':
+ cert = lib->creds->create(lib->creds,
+ CRED_CERTIFICATE, CERT_X509_CRL,
+ BUILD_FROM_FILE, arg, BUILD_END);
+ if (!cert)
+ {
+ fprintf(stderr, "parsing CRL failed\n");
+ goto end;
+ }
+ online = TRUE;
+ creds->add_crl(creds, (crl_t*)cert);
+ continue;
case 'o':
online = TRUE;
continue;
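Review bot: The CRL loaded in the new `case 'l'` is handed to `creds->add_crl(creds, (crl_t*)cert)` with no check in this hunk that it was issued by the supplied CA, and nothing here says where that trust decision is made; presumably the revocation check run later verifies the CRL's signature against the trust chain before honouring it, which should be confirmed. A comment at the `add_crl` call, `/* the CRL's signature is checked against the trust chain during revocation checking, not here */`, would make that boundary explicit once confirmed. `online = TRUE` is also set as a side effect of `--crl`; the man page in this commit says it implies `-o`, so the same intent belongs in the code as `/* a local CRL only takes effect when revocation checking is enabled */`. The option loop and the `end` label lie outside the hunk, so whether `goto end` releases the credentials already added cannot be judged from here.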
@@ -173,11 +186,12 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
verify, 'v', "verify",
"verify a certificate using the CA certificate",
- {"[--in file] [--cacert file]"},
+ {"[--in file] [--cacert file] [--crl file]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "X.509 certificate to verify, default: stdin"},
{"cacert", 'c', 1, "CA certificate for trustchain verification"},
+ {"crl", 'l', 1, "CRL for trustchain verification"},
{"online", 'o', 0, "enable online CRL/OCSP revocation checking"},
}
});
diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in
index 982a1175f..030d6be53 100644
--- a/src/pki/man/Makefile.in
+++ b/src/pki/man/Makefile.in
@@ -308,7 +308,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
cmd_plugins = @cmd_plugins@
datadir = @datadir@
datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
dev_headers = @dev_headers@
docdir = @docdir@
dvidir = @dvidir@
@@ -342,8 +341,6 @@ libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
mandir = @mandir@
medsrv_plugins = @medsrv_plugins@
@@ -397,6 +394,8 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
index 20238b73d..bfc7bb1a5 100644
--- a/src/pki/man/pki---issue.1.in
+++ b/src/pki/man/pki---issue.1.in
@@ -67,9 +67,10 @@ Public key or PKCS#10 certificate request file to issue. If not given the
key/request is read from \fISTDIN\fR.
.TP
.BI "\-t, \-\-type " type
-Type of the input. One of \fIpub\fR (public key), \fIrsa\fR (RSA private key),
-\fIecdsa\fR (ECDSA private key), or \fIpkcs10\fR (PKCS#10 certificate request),
-defaults to \fIpub\fR.
+Type of the input. One of \fIpub\fR (public key), \fIpriv\fR (private key),
+\fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS
+private key) or \fIpkcs10\fR (PKCS#10 certificate request), defaults to
+\fIpub\fR.
.TP
.BI "\-k, \-\-cakey " file
CA private key file. Either this or
diff --git a/src/pki/man/pki---keyid.1.in b/src/pki/man/pki---keyid.1.in
index 490f7afea..c69f7cbc7 100644
--- a/src/pki/man/pki---keyid.1.in
+++ b/src/pki/man/pki---keyid.1.in
@@ -44,9 +44,10 @@ Read command line options from \fIfile\fR.
Input file. If not given the input is read from \fISTDIN\fR.
.TP
.BI "\-t, \-\-type " type
-Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
-private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 certificate
-request), \fIx509\fR (X.509 certificate), defaults to \fIrsa-priv\fR.
+Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key),
+\fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS private key),
+\fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 certificate request),
+\fIx509\fR (X.509 certificate), defaults to \fIpriv\fR.
.
.SH "EXAMPLES"
.
diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in
index 434d4ea16..09f81cdaa 100644
--- a/src/pki/man/pki---print.1.in
+++ b/src/pki/man/pki---print.1.in
@@ -44,10 +44,11 @@ Read command line options from \fIfile\fR.
Input file. If not given the input is read from \fISTDIN\fR.
.TP
.BI "\-t, \-\-type " type
-Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
-private key), \fIpub\fR (public key), \fIx509\fR (X.509 certificate), \fIcrl\fR
-(Certificate Revocation List, CRL), \fIac\fR (Attribute Certificate),
-defaults to \fIx509\fR.
+Type of input. One of \fIx509\fR (X.509 certificate), \fIcrl\fR (Certificate
+Revocation List, CRL), \fIac\fR (Attribute Certificate), \fIpub\fR (public key),
+\fpriv\fR (private key), \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private
+key), \fIbliss\fR (BLISS private key), \fIpriv\fR (private key), defaults to
+\fIx509\fR.
.
.SH "SEE ALSO"
.
diff --git a/src/pki/man/pki---pub.1.in b/src/pki/man/pki---pub.1.in
index c57e03a40..fe6c520f4 100644
--- a/src/pki/man/pki---pub.1.in
+++ b/src/pki/man/pki---pub.1.in
@@ -47,10 +47,9 @@ Read command line options from \fIfile\fR.
Input file. If not given the input is read from \fISTDIN\fR.
.TP
.BI "\-t, \-\-type " type
-Type of input. One of \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA
-private key), \fIpub\fR (public key),
-\fIpkcs10\fR (PKCS#10 certificate request), or \fIx509\fR (X.509 certificate),
-defaults to \fIrsa\fR.
+Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key),
+\fIecdsa\fR (ECDSA private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10
+certificate request), or \fIx509\fR (X.509 certificate), defaults to \fIpriv\fR.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the extracted public key. One of \fIder\fR (ASN.1 DER), \fIpem\fR
diff --git a/src/pki/man/pki---req.1.in b/src/pki/man/pki---req.1.in
index a6f6a480a..4a39c5c94 100644
--- a/src/pki/man/pki---req.1.in
+++ b/src/pki/man/pki---req.1.in
@@ -49,7 +49,8 @@ Read command line options from \fIfile\fR.
Private key input file. If not given the key is read from \fISTDIN\fR.
.TP
.BI "\-t, \-\-type " type
-Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR,
+defaults to \fIpriv\fR.
.TP
.BI "\-d, \-\-dn " distinguished-name
Subject distinguished name (DN). Required.
diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in
index 53f53f816..9461e3eff 100644
--- a/src/pki/man/pki---self.1.in
+++ b/src/pki/man/pki---self.1.in
@@ -68,7 +68,8 @@ Private key input file. If not given the key is read from \fISTDIN\fR.
Key ID of a private key on a smartcard.
.TP
.BI "\-t, \-\-type " type
-Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR,
+defaults to \fIpriv\fR.
.TP
.BI "\-d, \-\-dn " distinguished-name
Subject and issuer distinguished name (DN). Required.
diff --git a/src/pki/man/pki---verify.1.in b/src/pki/man/pki---verify.1.in
index dd0c0e928..74adaf150 100644
--- a/src/pki/man/pki---verify.1.in
+++ b/src/pki/man/pki---verify.1.in
@@ -1,4 +1,4 @@
-.TH "PKI \-\-VERIFY" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.TH "PKI \-\-VERIFY" 1 "2016-08-19" "@PACKAGE_VERSION@" "strongSwan"
.
.SH "NAME"
.
@@ -9,6 +9,7 @@ pki \-\-verify \- Verify a certificate using a CA certificate
.SY pki\ \-\-verify
.OP \-\-in file
.OP \-\-cacert file
+.OP \-\-crl file
.OP \-\-debug level
.OP \-\-online
.YS
@@ -48,6 +49,9 @@ X.509 certificate to verify. If not given it is read from \fISTDIN\fR.
CA certificate to use for trustchain verification. If not given the certificate
is assumed to be self\-signed.
.TP
+.BI "\-l, \-\-crl " file
+Local CRL to use for trustchain verification. Implies \fB-o\fR.
+.TP
.BI "\-o, \-\-online
Enable online CRL/OCSP revocation checking.
.