author | Yves-Alexis Perez <corsac@debian.org> | 2018-06-04 09:59:21 +0200 |
committer | Yves-Alexis Perez <corsac@debian.org> | 2018-06-04 09:59:21 +0200 |
commit | 51a71ee15c1bcf0e82f363a16898f571e211f9c3 (patch) | |
tree | 2a03e117d072c55cfe2863d26b73e64d933e7ad8 /src/pki | |
parent | 7793611ee71b576dd9c66dee327349fa64e38740 (diff) | |
download | vyos-strongswan-51a71ee15c1bcf0e82f363a16898f571e211f9c3.tar.gz vyos-strongswan-51a71ee15c1bcf0e82f363a16898f571e211f9c3.zip |
New upstream version 5.6.3
Diffstat (limited to 'src/pki')
-rw-r--r-- | src/pki/command.c | 2 | ||||
-rw-r--r-- | src/pki/command.h | 2 | ||||
-rw-r--r-- | src/pki/commands/dn.c | 2 | ||||
-rw-r--r-- | src/pki/commands/pkcs12.c | 2 | ||||
-rw-r--r-- | src/pki/commands/verify.c | 106 | ||||
-rw-r--r-- | src/pki/man/pki---verify.1.in | 7 |
6 files changed, 97 insertions, 24 deletions
diff --git a/src/pki/command.c b/src/pki/command.c
index f425af7e8..4ad4339a8 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
diff --git a/src/pki/command.h b/src/pki/command.h
index a7dade758..353f5141c 100644
--- a/src/pki/command.h
+++ b/src/pki/command.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
diff --git a/src/pki/commands/dn.c b/src/pki/commands/dn.c
index 75585fc16..96ce5326e 100644
--- a/src/pki/commands/dn.c
+++ b/src/pki/commands/dn.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
diff --git a/src/pki/commands/pkcs12.c b/src/pki/commands/pkcs12.c
index dcd1496ba..e218c4c89 100644
--- a/src/pki/commands/pkcs12.c
+++ b/src/pki/commands/pkcs12.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2014 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c
index dd667fb34..88ef448b5 100644
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016 Tobias Brunner
+ * Copyright (C) 2016-2018 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -14,6 +14,9 @@
  * for more details.
  */
 
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
 #include <errno.h>
 
 #include "pki.h"
@@ -23,6 +26,84 @@
 #include <credentials/sets/mem_cred.h>
 
 /**
+ * Load a CA or CRL and add it to the credential set
+ */
+static bool load_cert(mem_cred_t *creds, char *path, certificate_type_t subtype)
+{
+	certificate_t *cert;
+	char *credname;
+
+	switch (subtype)
+	{
+		case CERT_X509:
+			credname = "CA certificate";
+			break;
+		case CERT_X509_CRL:
+			credname = "CRL";
+			break;
+		default:
+			return FALSE;
+	}
+	cert = lib->creds->create(lib->creds,
+							  CRED_CERTIFICATE, subtype,
+							  BUILD_FROM_FILE, path, BUILD_END);
+	if (!cert)
+	{
+		fprintf(stderr, "parsing %s from '%s' failed\n", credname, path);
+		return FALSE;
+	}
+	if (subtype == CERT_X509_CRL)
+	{
+		creds->add_crl(creds, (crl_t*)cert);
+	}
+	else
+	{
+		creds->add_cert(creds, TRUE, cert);
+	}
+	return TRUE;
+}
+
+/**
+ * Load CA cert or CRL either from a file or a path
+ */
+static bool load_certs(mem_cred_t *creds, char *path,
+					   certificate_type_t subtype)
+{
+	enumerator_t *enumerator;
+	struct stat st;
+	bool loaded = FALSE;
+
+	if (stat(path, &st))
+	{
+		fprintf(stderr, "failed to access '%s': %s\n", path, strerror(errno));
+		return FALSE;
+	}
+	if (S_ISDIR(st.st_mode))
+	{
+		enumerator = enumerator_create_directory(path);
+		if (!enumerator)
+		{
+			fprintf(stderr, "directory '%s' can not be opened: %s",
+					path, strerror(errno));
+			return FALSE;
+		}
+		while (enumerator->enumerate(enumerator, NULL, &path, &st))
+		{
+			if (S_ISREG(st.st_mode) && load_cert(creds, path, subtype))
+			{
+				loaded = TRUE;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		loaded = load_cert(creds, path, subtype);
+	}
+	return loaded;
+}
+
+/**
  * Verify a certificate signature
  */
 static int verify()
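Review bot: The error message for an unopenable directory in load_certs, `"directory '%s' can not be opened: %s"`, has no trailing newline, unlike every other fprintf in this hunk; change it to `"directory '%s' can not be opened: %s\n"`. The header comment of load_certs should also state the return contract the caller relies on, since a directory mixing parseable and unparseable files prints an error per bad file yet still returns TRUE: suggest adding `* @return TRUE if at least one CA certificate/CRL was added; parse failures of individual directory entries are reported on stderr but are not fatal`. Whether the st filled in by the enumerator comes from stat or lstat, and so whether symlinked entries pass the S_ISREG check, is not visible here and is worth a comment either way.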
@@ -49,28 +130,16 @@ static int verify()
 				file = arg;
 				continue;
 			case 'c':
-				cert = lib->creds->create(lib->creds,
-										  CRED_CERTIFICATE, CERT_X509,
-										  BUILD_FROM_FILE, arg, BUILD_END);
-				if (!cert)
+				if (load_certs(creds, arg, CERT_X509))
 				{
-					fprintf(stderr, "parsing CA certificate failed\n");
-					goto end;
+					has_ca = TRUE;
 				}
-				has_ca = TRUE;
-				creds->add_cert(creds, TRUE, cert);
 				continue;
 			case 'l':
-				cert = lib->creds->create(lib->creds,
-										  CRED_CERTIFICATE, CERT_X509_CRL,
-										  BUILD_FROM_FILE, arg, BUILD_END);
-				if (!cert)
+				if (load_certs(creds, arg, CERT_X509_CRL))
 				{
-					fprintf(stderr, "parsing CRL failed\n");
-					goto end;
+					online = TRUE;
 				}
-				online = TRUE;
-				creds->add_crl(creds, (crl_t*)cert);
 				continue;
 			case 'o':
 				online = TRUE;
@@ -108,7 +177,7 @@ static int verify()
 		fprintf(stderr, "parsing certificate failed\n");
 		goto end;
 	}
-	creds->add_cert(creds, !has_ca, cert);
+	cert = creds->add_cert_ref(creds, !has_ca, cert);
 
 	enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
 							KEY_ANY, cert->get_subject(cert), online);
@@ -153,6 +222,7 @@ static int verify()
 			printf("\n");
 		}
 		enumerator->destroy(enumerator);
+		cert->destroy(cert);
 
 		if (!trusted)
 		{
diff --git a/src/pki/man/pki---verify.1.in b/src/pki/man/pki---verify.1.in
index 74adaf150..a655858a1 100644
--- a/src/pki/man/pki---verify.1.in
+++ b/src/pki/man/pki---verify.1.in
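Review bot: A failed `-c` load is no longer fatal: in the 'c' case load_certs reports the error, `continue` runs with has_ca still FALSE, whereas the removed lines did `goto end`. Because the later hunk passes `!has_ca` as the trusted flag to `creds->add_cert_ref`, a mistyped or unreadable CA path means the certificate being verified is itself added as trusted, so the run presumably reports it as trusted after an error on stderr instead of failing. Keep the old fail-fast behaviour, `if (!load_certs(creds, arg, CERT_X509)) goto end;` followed by `has_ca = TRUE;`, and do the same in the 'l' case with `online = TRUE;` so a CRL that could not be loaded does not leave revocation checking silently incomplete. The enclosing function verify() starts and ends outside these hunks.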
@@ -47,10 +47,13 @@ X.509 certificate to verify. If not given it is read from \fISTDIN\fR.
 .TP
 .BI "\-c, \-\-cacert " file
 CA certificate to use for trustchain verification. If not given the certificate
-is assumed to be self\-signed.
+is assumed to be self\-signed. May optionally be a path to a directory from
+which CA certificates are loaded. Can be used multiple times.
 .TP
 .BI "\-l, \-\-crl " file
-Local CRL to use for trustchain verification. Implies \fB-o\fR.
+Local CRL to use for trustchain verification. May optionally be a path to a
+directory from which CRLs are loaded. Can be used multiple times.
+Implies \fB-o\fR.
 .TP
 .BI "\-o, \-\-online
 Enable online CRL/OCSP revocation checking.
|