authorYves-Alexis Perez <corsac@debian.org>2018-06-04 09:59:21 +0200
committerYves-Alexis Perez <corsac@debian.org>2018-06-04 09:59:21 +0200
commit51a71ee15c1bcf0e82f363a16898f571e211f9c3 (patch)
tree2a03e117d072c55cfe2863d26b73e64d933e7ad8 /src/pki
parent7793611ee71b576dd9c66dee327349fa64e38740 (diff)
downloadvyos-strongswan-51a71ee15c1bcf0e82f363a16898f571e211f9c3.tar.gz
vyos-strongswan-51a71ee15c1bcf0e82f363a16898f571e211f9c3.zip
New upstream version 5.6.3
Diffstat (limited to 'src/pki')
-rw-r--r--src/pki/command.c2
-rw-r--r--src/pki/command.h2
-rw-r--r--src/pki/commands/dn.c2
-rw-r--r--src/pki/commands/pkcs12.c2
-rw-r--r--src/pki/commands/verify.c106
-rw-r--r--src/pki/man/pki---verify.1.in7
6 files changed, 97 insertions, 24 deletions
diff --git a/src/pki/command.c b/src/pki/command.c
index f425af7e8..4ad4339a8 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/pki/command.h b/src/pki/command.h
index a7dade758..353f5141c 100644
--- a/src/pki/command.h
+++ b/src/pki/command.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/pki/commands/dn.c b/src/pki/commands/dn.c
index 75585fc16..96ce5326e 100644
--- a/src/pki/commands/dn.c
+++ b/src/pki/commands/dn.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/pki/commands/pkcs12.c b/src/pki/commands/pkcs12.c
index dcd1496ba..e218c4c89 100644
--- a/src/pki/commands/pkcs12.c
+++ b/src/pki/commands/pkcs12.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2014 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c
index dd667fb34..88ef448b5 100644
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2016 Tobias Brunner
+ * Copyright (C) 2016-2018 Tobias Brunner
* Copyright (C) 2009 Martin Willi
* HSR Hochschule fuer Technik Rapperswil
*
@@ -14,6 +14,9 @@
* for more details.
*/
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
#include <errno.h>
#include "pki.h"
@@ -23,6 +26,84 @@
#include <credentials/sets/mem_cred.h>
/**
+ * Load a CA or CRL and add it to the credential set
+ */
+static bool load_cert(mem_cred_t *creds, char *path, certificate_type_t subtype)
+{
+ certificate_t *cert;
+ char *credname;
+
+ switch (subtype)
+ {
+ case CERT_X509:
+ credname = "CA certificate";
+ break;
+ case CERT_X509_CRL:
+ credname = "CRL";
+ break;
+ default:
+ return FALSE;
+ }
+ cert = lib->creds->create(lib->creds,
+ CRED_CERTIFICATE, subtype,
+ BUILD_FROM_FILE, path, BUILD_END);
+ if (!cert)
+ {
+ fprintf(stderr, "parsing %s from '%s' failed\n", credname, path);
+ return FALSE;
+ }
+ if (subtype == CERT_X509_CRL)
+ {
+ creds->add_crl(creds, (crl_t*)cert);
+ }
+ else
+ {
+ creds->add_cert(creds, TRUE, cert);
+ }
+ return TRUE;
+}
+
+/**
+ * Load CA cert or CRL either from a file or a path
+ */
+static bool load_certs(mem_cred_t *creds, char *path,
+ certificate_type_t subtype)
+{
+ enumerator_t *enumerator;
+ struct stat st;
+ bool loaded = FALSE;
+
+ if (stat(path, &st))
+ {
+ fprintf(stderr, "failed to access '%s': %s\n", path, strerror(errno));
+ return FALSE;
+ }
+ if (S_ISDIR(st.st_mode))
+ {
+ enumerator = enumerator_create_directory(path);
+ if (!enumerator)
+ {
+ fprintf(stderr, "directory '%s' can not be opened: %s",
+ path, strerror(errno));
+ return FALSE;
+ }
+ while (enumerator->enumerate(enumerator, NULL, &path, &st))
+ {
+ if (S_ISREG(st.st_mode) && load_cert(creds, path, subtype))
+ {
+ loaded = TRUE;
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ else
+ {
+ loaded = load_cert(creds, path, subtype);
+ }
+ return loaded;
+}
+
+/**
* Verify a certificate signature
*/
static int verify()
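Review bot: The directory-open error in load_certs is missing its trailing newline: `fprintf(stderr, "directory '%s' can not be opened: %s",` does not end the line the way the stat() message just above it does, so the next diagnostic gets glued onto it; change it to `"directory '%s' can not be opened: %s\n"`. A second, smaller point in the same function: when the path is a directory that contains no parseable regular file, load_certs returns FALSE without printing anything, whereas every other failure path here reports to stderr, so the caller's silent fallthrough (see the `has_ca`/`online` handling in the next hunk) is hard to diagnose; a one-line message before `return loaded;` such as `no CA certificate/CRL loaded from directory '%s'` would keep the reporting consistent. The doc comment for load_certs could also state the return contract, e.g. `Returns TRUE if at least one credential was loaded; on error a message is printed to stderr`.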
@@ -49,28 +130,16 @@ static int verify()
file = arg;
continue;
case 'c':
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509,
- BUILD_FROM_FILE, arg, BUILD_END);
- if (!cert)
+ if (load_certs(creds, arg, CERT_X509))
{
- fprintf(stderr, "parsing CA certificate failed\n");
- goto end;
+ has_ca = TRUE;
}
- has_ca = TRUE;
- creds->add_cert(creds, TRUE, cert);
continue;
case 'l':
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509_CRL,
- BUILD_FROM_FILE, arg, BUILD_END);
- if (!cert)
+ if (load_certs(creds, arg, CERT_X509_CRL))
{
- fprintf(stderr, "parsing CRL failed\n");
- goto end;
+ online = TRUE;
}
- online = TRUE;
- creds->add_crl(creds, (crl_t*)cert);
continue;
case 'o':
online = TRUE;
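Review bot: A CA certificate or CRL that fails to load is no longer fatal: the removed lines did `goto end` when the `-c`/`-l` argument could not be parsed, while the new code only sets `has_ca` / `online` when load_certs succeeds and otherwise falls through to `continue`. Since the later `creds->add_cert_ref(creds, !has_ca, cert)` marks the certificate under test as trusted whenever `has_ca` is FALSE, a mistyped or unreadable `-c` path now appears to downgrade the run to the self-signed case (error printed, but verification proceeds), and a failed `-l` silently leaves revocation checking off. Unless the non-fatal behaviour is intended for the new directory mode, I would keep the abort for a total load failure, e.g. for `-c`: `if (!load_certs(creds, arg, CERT_X509)) { goto end; } has_ca = TRUE;` and the same shape for `-l` with `online = TRUE;`. verify() starts and ends outside this hunk, so I cannot see what `end:` returns in that case; this should be confirmed against the function's exit path.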
@@ -108,7 +177,7 @@ static int verify()
fprintf(stderr, "parsing certificate failed\n");
goto end;
}
- creds->add_cert(creds, !has_ca, cert);
+ cert = creds->add_cert_ref(creds, !has_ca, cert);
enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
KEY_ANY, cert->get_subject(cert), online);
@@ -153,6 +222,7 @@ static int verify()
printf("\n");
}
enumerator->destroy(enumerator);
+ cert->destroy(cert);
if (!trusted)
{
diff --git a/src/pki/man/pki---verify.1.in b/src/pki/man/pki---verify.1.in
index 74adaf150..a655858a1 100644
--- a/src/pki/man/pki---verify.1.in
+++ b/src/pki/man/pki---verify.1.in
@@ -47,10 +47,13 @@ X.509 certificate to verify. If not given it is read from \fISTDIN\fR.
.TP
.BI "\-c, \-\-cacert " file
CA certificate to use for trustchain verification. If not given the certificate
-is assumed to be self\-signed.
+is assumed to be self\-signed. May optionally be a path to a directory from
+which CA certificates are loaded. Can be used multiple times.
.TP
.BI "\-l, \-\-crl " file
-Local CRL to use for trustchain verification. Implies \fB-o\fR.
+Local CRL to use for trustchain verification. May optionally be a path to a
+directory from which CRLs are loaded. Can be used multiple times.
+Implies \fB-o\fR.
.TP
.BI "\-o, \-\-online
Enable online CRL/OCSP revocation checking.