New upstream version 5.5.2

author: Yves-Alexis Perez <corsac@corsac.net> 2017-04-01 16:26:44 +0200
committer: Yves-Alexis Perez <corsac@corsac.net> 2017-04-01 16:26:44 +0200
commit: 05ddd767992d68bb38c7f16ece142e8c2e9ae016 (patch)
tree: 302c618be306d4ed3c7f9fc58a1f6aaad4dd252f /src/pki
parent: 25663e04c3ab01ef8dc9f906608282319cfea2db (diff)
download: vyos-strongswan-05ddd767992d68bb38c7f16ece142e8c2e9ae016.tar.gz
vyos-strongswan-05ddd767992d68bb38c7f16ece142e8c2e9ae016.zip
22 files changed, 199 insertions, 47 deletions
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index d9ffbf8cf..72d554a48 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -378,7 +378,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -413,6 +412,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c
index 4f850d6d1..9e6e80938 100644
--- a/src/pki/commands/acert.c
+++ b/src/pki/commands/acert.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2017 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -286,7 +286,7 @@ static void __attribute__ ((constructor))reg()
 			{"group",			'm', 1, "group membership string to include"},
 			{"issuercert",		'c', 1, "issuer certificate file"},
 			{"issuerkey",		'k', 1, "issuer private key file"},
-			{"issuerkeyid",		'x', 1, "keyid on smartcard of issuer private key"},
+			{"issuerkeyid",		'x', 1, "smartcard or TPM issuer private key object handle"},
 			{"serial",			's', 1, "serial number in hex, default: random"},
 			{"lifetime",		'l', 1, "hours the acert is valid, default: 24"},
 			{"not-before",		'F', 1, "date/time the validity of the AC starts"},
diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c
index 8b11854ad..6f14b5276 100644
--- a/src/pki/commands/gen.c
+++ b/src/pki/commands/gen.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Copyright (C) 2014-2015 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -44,6 +44,10 @@ static int gen()
 				{
 					type = KEY_ECDSA;
 				}
+				else if (streq(arg, "ed25519"))
+				{
+					type = KEY_ED25519;
+				}
 				else if (streq(arg, "bliss"))
 				{
 					type = KEY_BLISS;
@@ -101,6 +105,9 @@ static int gen()
 			case KEY_ECDSA:
 				size = 384;
 				break;
+			case KEY_ED25519:
+				size = 256;
+				break;
 			case KEY_BLISS:
 				size = 1;
 				break;
@@ -159,7 +166,7 @@ static void __attribute__ ((constructor))reg()
 {
 	command_register((command_t) {
 		gen, 'g', "gen", "generate a new private key",
-		{"  [--type rsa|ecdsa|bliss] [--size bits] [--safe-primes]",
+		{"  [--type rsa|ecdsa|ed25519|bliss] [--size bits] [--safe-primes]",
 		 "[--shares n] [--threshold l] [--outform der|pem]"},
 		{
 			{"help",		'h', 0, "show usage information"},
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index b15f90199..b0399c78b 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2017 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -71,6 +71,7 @@ static int issue()
 	char *error = NULL, *keyid = NULL;
 	identification_t *id = NULL;
 	linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies, *mappings;
+	linked_list_t *addrblocks;
 	int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
 	int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
 	chunk_t serial = chunk_empty;
@@ -81,6 +82,7 @@ static int issue()
 	x509_t *x509;
 	x509_cdp_t *cdp = NULL;
 	x509_cert_policy_t *policy = NULL;
+	traffic_selector_t *ts;
 	char *arg;
 
 	san = linked_list_create();
@@ -90,6 +92,7 @@ static int issue()
 	excluded = linked_list_create();
 	policies = linked_list_create();
 	mappings = linked_list_create();
+	addrblocks = linked_list_create();
 
 	while (TRUE)
 	{
@@ -112,6 +115,11 @@ static int issue()
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_ECDSA;
 				}
+				else if (streq(arg, "ed25519"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ED25519;
+				}
 				else if (streq(arg, "bliss"))
 				{
 					type = CRED_PRIVATE_KEY;
@@ -179,6 +187,15 @@ static int issue()
 			case 'p':
 				pathlen = atoi(arg);
 				continue;
+			case 'B':
+				ts = parse_ts(arg);
+				if (!ts)
+				{
+					error = "invalid addressBlock";
+					goto usage;
+				}
+				addrblocks->insert_last(addrblocks, ts);
+				continue;
 			case 'n':
 				permitted->insert_last(permitted,
 									   identification_create_from_string(arg));
@@ -514,7 +531,7 @@ static int issue()
 					BUILD_NOT_BEFORE_TIME, not_before, BUILD_DIGEST_ALG, digest,
 					BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
 					BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags,
-					BUILD_PATHLEN, pathlen,
+					BUILD_PATHLEN, pathlen, BUILD_ADDRBLOCKS, addrblocks,
 					BUILD_CRL_DISTRIBUTION_POINTS, cdps,
 					BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
 					BUILD_PERMITTED_NAME_CONSTRAINTS, permitted,
@@ -552,6 +569,7 @@ end:
 	san->destroy_offset(san, offsetof(identification_t, destroy));
 	permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
 	excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+	addrblocks->destroy_offset(addrblocks, offsetof(traffic_selector_t, destroy));
 	policies->destroy_function(policies, (void*)destroy_cert_policy);
 	mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
 	cdps->destroy_function(cdps, (void*)destroy_cdp);
@@ -570,6 +588,7 @@ usage:
 	san->destroy_offset(san, offsetof(identification_t, destroy));
 	permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
 	excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+	addrblocks->destroy_offset(addrblocks, offsetof(traffic_selector_t, destroy));
 	policies->destroy_function(policies, (void*)destroy_cert_policy);
 	mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
 	cdps->destroy_function(cdps, (void*)destroy_cdp);
@@ -585,7 +604,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		issue, 'i', "issue",
 		"issue a certificate using a CA certificate and key",
-		{"[--in file] [--type pub|pkcs10|priv|rsa|ecdsa|bliss] --cakey file|--cakeyid hex",
+		{"[--in file] [--type pub|pkcs10|priv|rsa|ecdsa|ed25519|bliss] --cakey file|--cakeyid hex",
 		 " --cacert file [--dn subject-dn] [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--pathlen len]",
 		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
@@ -601,7 +620,7 @@ static void __attribute__ ((constructor))reg()
 			{"type",			't', 1, "type of input, default: pub"},
 			{"cacert",			'c', 1, "CA certificate file"},
 			{"cakey",			'k', 1, "CA private key file"},
-			{"cakeyid",			'x', 1, "keyid on smartcard of CA private key"},
+			{"cakeyid",			'x', 1, "smartcard or TPM CA private key object handle"},
 			{"dn",				'd', 1, "distinguished name to include as subject"},
 			{"san",				'a', 1, "subjectAltName to include in certificate"},
 			{"lifetime",		'l', 1, "days the certificate is valid, default: 1095"},
@@ -611,6 +630,7 @@ static void __attribute__ ((constructor))reg()
 			{"serial",			's', 1, "serial number in hex, default: random"},
 			{"ca",				'b', 0, "include CA basicConstraint, default: no"},
 			{"pathlen",			'p', 1, "set path length constraint"},
+			{"addrblock",		'B', 1, "RFC 3779 addrBlock to include"},
 			{"nc-permitted",	'n', 1, "add permitted NameConstraint"},
 			{"nc-excluded",		'N', 1, "add excluded NameConstraint"},
 			{"cert-policy",		'P', 1, "certificatePolicy OID to include"},
diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c
index f79120b31..001b9ff5c 100644
--- a/src/pki/commands/keyid.c
+++ b/src/pki/commands/keyid.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2017 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -30,7 +31,7 @@ static int keyid()
 	certificate_t *cert;
 	private_key_t *private;
 	public_key_t *public;
-	char *file = NULL;
+	char *file = NULL, *keyid = NULL;
 	void *cred;
 	chunk_t id;
 	char *arg;
@@ -88,6 +89,9 @@ static int keyid()
 			case 'i':
 				file = arg;
 				continue;
+			case 'x':
+				keyid = arg;
+				continue;
 			case EOF:
 				break;
 			default:
@@ -100,6 +104,15 @@ static int keyid()
 		cred = lib->creds->create(lib->creds, type, subtype,
 								  BUILD_FROM_FILE, file, BUILD_END);
 	}
+	else if (keyid)
+	{
+		chunk_t chunk;
+
+		chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+		cred = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+								  BUILD_PKCS11_KEYID, chunk, BUILD_END);
+		free(chunk.ptr);
+	}
 	else
 	{
 		chunk_t chunk;
@@ -177,10 +190,11 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t)
 		{ keyid, 'k', "keyid",
 		"calculate key identifiers of a key/certificate",
-		{"[--in file] [--type priv|rsa|ecdsa|bliss|pub|pkcs10|x509]"},
+		{"[--in file|--keyid hex] [--type priv|rsa|ecdsa|bliss|pub|pkcs10|x509]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
+			{"keyid",	'x', 1, "smartcard or TPM private key object handle"},
 			{"type",	't', 1, "type of key, default: priv"},
 		}
 	});
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index 8cb0a7b5d..80210166a 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -2,7 +2,7 @@
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -106,6 +106,12 @@ static int print()
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_ECDSA;
 				}
+				else if (streq(arg, "ed25519") ||
+						 streq(arg, "ed25519-priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ED25519;
+				}
 				else if (streq(arg, "bliss") ||
 						 streq(arg, "bliss-priv"))
 				{
@@ -181,7 +187,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t)
 		{ print, 'a', "print",
 		"print a credential in a human readable form",
-		{"[--in file] [--type x509|crl|ac|pub|priv|rsa|ecdsa|bliss]"},
+		{"[--in file] [--type x509|crl|ac|pub|priv|rsa|ecdsa|ed25519|bliss]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index 1d876f6f7..1f9f3e03c 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2017 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -199,7 +199,7 @@ static void __attribute__ ((constructor))reg()
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
-			{"keyid",	'x', 1, "keyid on smartcard of private key"},
+			{"keyid",	'x', 1, "smartcard or TPM private key object handle"},
 			{"type",	't', 1, "type of credential, default: priv"},
 			{"outform",	'f', 1, "encoding of extracted public key, default: der"},
 		}
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index 23d07a28d..7b87e6ca6 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -1,8 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Copyright (C) 2009-2015 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
+ * Copyright (C) 2009-2017 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -34,7 +32,7 @@ static int req()
 	hash_algorithm_t digest = HASH_UNKNOWN;
 	certificate_t *cert = NULL;
 	private_key_t *private = NULL;
-	char *file = NULL, *dn = NULL, *error = NULL;
+	char *file = NULL, *keyid = NULL, *dn = NULL, *error = NULL;
 	identification_t *id = NULL;
 	linked_list_t *san;
 	chunk_t encoding = chunk_empty;
@@ -98,6 +96,9 @@ static int req()
 					goto usage;
 				}
 				continue;
+			case 'x':
+				keyid = arg;
+				continue;
 			case EOF:
 				break;
 			default:
@@ -123,6 +124,15 @@ static int req()
 		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
 									 BUILD_FROM_FILE, file, BUILD_END);
 	}
+	else if (keyid)
+	{
+		chunk_t chunk;
+
+		chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+									  BUILD_PKCS11_KEYID, chunk, BUILD_END);
+		free(chunk.ptr);
+	}
 	else
 	{
 		chunk_t chunk;
@@ -198,13 +208,14 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		req, 'r', "req",
 		"create a PKCS#10 certificate request",
-		{"  [--in file] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name",
+		{"  [--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name",
 		 "[--san subjectAltName]+ [--password challengePassword]",
 		 "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
 		 "[--outform der|pem]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "private key input file, default: stdin"},
+			{"keyid",	'x', 1, "smartcard or TPM private key object handle"},
 			{"type",	't', 1, "type of input key, default: priv"},
 			{"dn",		'd', 1, "subject distinguished name"},
 			{"san",		'a', 1, "subjectAltName to include in cert request"},
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 6fb7b75ae..bdb22463e 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2017 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -22,6 +22,7 @@
 #include <collections/linked_list.h>
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
+#include <selectors/traffic_selector.h>
 #include <asn1/asn1.h>
 
 /**
@@ -49,7 +50,7 @@ static void destroy_policy_mapping(x509_policy_mapping_t *mapping)
 static int self()
 {
 	cred_encoding_type_t form = CERT_ASN1_DER;
-	key_type_t type = KEY_RSA;
+	key_type_t type = KEY_ANY;
 	hash_algorithm_t digest = HASH_UNKNOWN;
 	certificate_t *cert = NULL;
 	private_key_t *private = NULL;
@@ -57,6 +58,7 @@ static int self()
 	char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL, *keyid = NULL;
 	identification_t *id = NULL;
 	linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings;
+	linked_list_t *addrblocks;
 	int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
 	int inhibit_mapping = X509_NO_CONSTRAINT;
 	int require_explicit = X509_NO_CONSTRAINT;
@@ -66,6 +68,7 @@ static int self()
 	char *datenb = NULL, *datena = NULL, *dateform = NULL;
 	x509_flag_t flags = 0;
 	x509_cert_policy_t *policy = NULL;
+	traffic_selector_t *ts;
 	char *arg;
 
 	san = linked_list_create();
@@ -74,6 +77,7 @@ static int self()
 	excluded = linked_list_create();
 	policies = linked_list_create();
 	mappings = linked_list_create();
+	addrblocks = linked_list_create();
 
 	while (TRUE)
 	{
@@ -90,6 +94,10 @@ static int self()
 				{
 					type = KEY_ECDSA;
 				}
+				else if (streq(arg, "ed25519"))
+				{
+					type = KEY_ED25519;
+				}
 				else if (streq(arg, "bliss"))
 				{
 					type = KEY_BLISS;
@@ -149,6 +157,15 @@ static int self()
 			case 'p':
 				pathlen = atoi(arg);
 				continue;
+			case 'B':
+				ts = parse_ts(arg);
+				if (!ts)
+				{
+					error = "invalid addressBlock";
+					goto usage;
+				}
+				addrblocks->insert_last(addrblocks, ts);
+				continue;
 			case 'n':
 				permitted->insert_last(permitted,
 									   identification_create_from_string(arg));
@@ -356,6 +373,7 @@ static int self()
 						BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
 						BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags,
 						BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san,
+						BUILD_ADDRBLOCKS, addrblocks,
 						BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
 						BUILD_PERMITTED_NAME_CONSTRAINTS, permitted,
 						BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded,
@@ -390,6 +408,7 @@ end:
 	san->destroy_offset(san, offsetof(identification_t, destroy));
 	permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
 	excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+	addrblocks->destroy_offset(addrblocks, offsetof(traffic_selector_t, destroy));
 	policies->destroy_function(policies, (void*)destroy_cert_policy);
 	mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
 	ocsp->destroy(ocsp);
@@ -407,6 +426,7 @@ usage:
 	san->destroy_offset(san, offsetof(identification_t, destroy));
 	permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
 	excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+	addrblocks->destroy_offset(addrblocks, offsetof(traffic_selector_t, destroy));
 	policies->destroy_function(policies, (void*)destroy_cert_policy);
 	mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
 	ocsp->destroy(ocsp);
@@ -421,7 +441,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		self, 's', "self",
 		"create a self signed certificate",
-		{" [--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv]",
+		{" [--in file|--keyid hex] [--type rsa|ecdsa|ed25519|bliss|priv]",
 		 " --dn distinguished-name [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
 		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
@@ -434,7 +454,7 @@ static void __attribute__ ((constructor))reg()
 		{
 			{"help",			'h', 0, "show usage information"},
 			{"in",				'i', 1, "private key input file, default: stdin"},
-			{"keyid",			'x', 1, "keyid on smartcard of private key"},
+			{"keyid",			'x', 1, "smartcard or TPM private key object handle"},
 			{"type",			't', 1, "type of input key, default: priv"},
 			{"dn",				'd', 1, "subject and issuer distinguished name"},
 			{"san",				'a', 1, "subjectAltName to include in certificate"},
@@ -445,6 +465,7 @@ static void __attribute__ ((constructor))reg()
 			{"serial",			's', 1, "serial number in hex, default: random"},
 			{"ca",				'b', 0, "include CA basicConstraint, default: no"},
 			{"pathlen",			'p', 1, "set path length constraint"},
+			{"addrblock",		'B', 1, "RFC 3779 addrBlock to include"},
 			{"nc-permitted",	'n', 1, "add permitted NameConstraint"},
 			{"nc-excluded",		'N', 1, "add excluded NameConstraint"},
 			{"cert-policy",		'P', 1, "certificatePolicy OID to include"},
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index b9cf9c466..6bccf1b09 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -2,6 +2,9 @@
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
+ * Copyright (C) 2017 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -461,7 +464,7 @@ static void __attribute__ ((constructor))reg()
 			{"help",		'h', 0, "show usage information"},
 			{"cacert",		'c', 1, "CA certificate file"},
 			{"cakey",		'k', 1, "CA private key file"},
-			{"cakeyid",		'x', 1, "keyid on smartcard of CA private key"},
+			{"cakeyid",		'x', 1, "smartcard or TPM CA private key object handle"},
 			{"lifetime",	'l', 1, "days the CRL gets a nextUpdate, default: 15"},
 			{"this-update",	'F', 1, "date/time the validity of the CRL starts"},
 			{"next-update",	'T', 1, "date/time the validity of the CRL ends"},
diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in
index 030d6be53..e40aca3b4 100644
--- a/src/pki/man/Makefile.in
+++ b/src/pki/man/Makefile.in
@@ -315,7 +315,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -350,6 +349,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/pki/man/pki---acert.1.in b/src/pki/man/pki---acert.1.in
index d7460fd1f..c6ecbb989 100644
--- a/src/pki/man/pki---acert.1.in
+++ b/src/pki/man/pki---acert.1.in
@@ -63,7 +63,8 @@ Issuer private key file. Either this or
 is required.
 .TP
 .BI "\-x, \-\-issuerkeyid " hex
-Key ID of a issuer private key on a smartcard. Either this or
+Smartcard or TPM issuer private key object handle in hex format with an optional
+h0x prefix. Either this or
 .B \-\-issuerkey
 is required.
 .TP
diff --git a/src/pki/man/pki---gen.1.in b/src/pki/man/pki---gen.1.in
index 138ab6122..4c61ead9c 100644
--- a/src/pki/man/pki---gen.1.in
+++ b/src/pki/man/pki---gen.1.in
@@ -1,4 +1,4 @@
-.TH "PKI \-\-GEN" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.TH "PKI \-\-GEN" 1 "2016-12-13" "@PACKAGE_VERSION@" "strongSwan"
 .
 .SH "NAME"
 .
@@ -45,7 +45,8 @@ Set debug level, default: 1.
 Read command line options from \fIfile\fR.
 .TP
 .BI "\-t, \-\-type " type
-Type of key to generate. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+Type of key to generate. Either \fIrsa\fR, \fIecdsa\fR, \fIed25519\fR or
+\fIbliss\fR, defaults to \fIrsa\fR.
 .TP
 .BI "\-s, \-\-size " bits
 Key length in bits. Defaults to 2048 for \fIrsa\fR and 384 for \fIecdsa\fR.
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
index bfc7bb1a5..99cc64fa5 100644
--- a/src/pki/man/pki---issue.1.in
+++ b/src/pki/man/pki---issue.1.in
@@ -1,4 +1,4 @@
-.TH "PKI \-\-ISSUE" 1 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
+.TH "PKI \-\-ISSUE" 1 "2016-12-13" "@PACKAGE_VERSION@" "strongSwan"
 .
 .SH "NAME"
 .
@@ -24,6 +24,7 @@ pki \-\-issue \- Issue a certificate using a CA certificate and key
 .OP \-\-ocsp uri
 .OP \-\-pathlen len
 .OP \-\-nc-permitted name
+.OP \-\-addrblock block
 .OP \-\-nc-excluded name
 .OP \-\-policy\-mapping mapping
 .OP \-\-policy\-explicit len
@@ -68,9 +69,9 @@ key/request is read from \fISTDIN\fR.
 .TP
 .BI "\-t, \-\-type " type
 Type of the input. One of \fIpub\fR (public key), \fIpriv\fR (private key),
-\fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS
-private key) or \fIpkcs10\fR (PKCS#10 certificate request), defaults to
-\fIpub\fR.
+\fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key),
+\fIed25519\fR (Ed25519 private key) \fIbliss\fR (BLISS private key) or
+\fIpkcs10\fR (PKCS#10 certificate request), defaults to \fIpub\fR.
 .TP
 .BI "\-k, \-\-cakey " file
 CA private key file. Either this or
@@ -78,7 +79,8 @@ CA private key file. Either this or
 is required.
 .TP
 .BI "\-x, \-\-cakeyid " hex
-Key ID of a CA private key on a smartcard. Either this or
+Smartcard or TPM CA private key object handle in hex format with an optional
+0x prefix. Either this or
 .B \-\-cakey
 is required.
 .TP
@@ -148,6 +150,14 @@ times.
 .BI "\-p, \-\-pathlen " len
 Set path length constraint.
 .TP
+.BI "\-B, \-\-addrblock " block
+RFC 3779 address block to include in certificate. \fIblock\fR is either a
+CIDR subnet (such as \fI10.0.0.0/8\fR) or an arbitrary address range
+(\fI192.168.1.7-192.168.1.13\fR). Can be repeated to include multiple blocks.
+Please note that the supplied blocks are included in the certificate as is,
+so for standards compliance, multiple blocks must be supplied in correct
+order and adjacent blocks must be combined. Refer to RFC 3779 for details.
+.TP
 .BI "\-n, \-\-nc-permitted " name
 Add permitted NameConstraint extension to certificate. For DNS or email
 constraints, the identity type is not always detectable by the given name. Use
diff --git a/src/pki/man/pki---keyid.1.in b/src/pki/man/pki---keyid.1.in
index c69f7cbc7..148b95ec3 100644
--- a/src/pki/man/pki---keyid.1.in
+++ b/src/pki/man/pki---keyid.1.in
@@ -7,7 +7,9 @@ pki \-\-keyid \- Calculate key identifiers of a key or certificate
 .SH "SYNOPSIS"
 .
 .SY pki\ \-\-keyid
-.OP \-\-in file
+.RB [ \-\-in
+.IR file | \fB\-\-keyid\fR
+.IR hex ]
 .OP \-\-type type
 .OP \-\-debug level
 .YS
@@ -43,6 +45,10 @@ Read command line options from \fIfile\fR.
 .BI "\-i, \-\-in " file
 Input file. If not given the input is read from \fISTDIN\fR.
 .TP
+.BI "\-x, \-\-keyid " hex
+Smartcard or TPM private key object handle in hex format with an optional
+0x prefix.
+.TP
 .BI "\-t, \-\-type " type
 Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key),
 \fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS private key),
@@ -70,4 +76,4 @@ Calculate key identifiers of an X.509 certificate:
 .
 .SH "SEE ALSO"
 .
-.BR pki (1)
-\ No newline at end of file
+.BR pki (1)
diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in
index 09f81cdaa..65fb8bc46 100644
--- a/src/pki/man/pki---print.1.in
+++ b/src/pki/man/pki---print.1.in
@@ -1,4 +1,4 @@
-.TH "PKI \-\-PRINT" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.TH "PKI \-\-PRINT" 1 "2016-12-13" "@PACKAGE_VERSION@" "strongSwan"
 .
 .SH "NAME"
 .
@@ -47,8 +47,8 @@ Input file. If not given the input is read from \fISTDIN\fR.
 Type of input. One of \fIx509\fR (X.509 certificate), \fIcrl\fR (Certificate
 Revocation List, CRL), \fIac\fR (Attribute Certificate), \fIpub\fR (public key),
 \fpriv\fR (private key), \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private
-key), \fIbliss\fR (BLISS private key), \fIpriv\fR (private key), defaults to
-\fIx509\fR.
+key), \fIed25519\fR (Ed25519 private key), \fIbliss\fR (BLISS private key),
+\fIpriv\fR (private key), defaults to \fIx509\fR.
 .
 .SH "SEE ALSO"
 .
diff --git a/src/pki/man/pki---pub.1.in b/src/pki/man/pki---pub.1.in
index fe6c520f4..006b7aefa 100644
--- a/src/pki/man/pki---pub.1.in
+++ b/src/pki/man/pki---pub.1.in
@@ -46,6 +46,10 @@ Read command line options from \fIfile\fR.
 .BI "\-i, \-\-in " file
 Input file. If not given the input is read from \fISTDIN\fR.
 .TP
+.BI "\-x, \-\-keyid " hex
+Smartcard or TPM private key object handle in hex format with an optional
+0x prefix.
+.TP
 .BI "\-t, \-\-type " type
 Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key),
 \fIecdsa\fR (ECDSA private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10
diff --git a/src/pki/man/pki---req.1.in b/src/pki/man/pki---req.1.in
index 4a39c5c94..09ef0862a 100644
--- a/src/pki/man/pki---req.1.in
+++ b/src/pki/man/pki---req.1.in
@@ -7,7 +7,9 @@ pki \-\-req \- Create a PKCS#10 certificate request
 .SH "SYNOPSIS"
 .
 .SY pki\ \-\-req
-.OP \-\-in file
+.RB [ \-\-in
+.IR file | \fB\-\-keyid\fR
+.IR hex ]
 .OP \-\-type type
 .BI \-\-dn\~ distinguished-name
 .OP \-\-san subjectAltName
@@ -48,6 +50,10 @@ Read command line options from \fIfile\fR.
 .BI "\-i, \-\-in " file
 Private key input file. If not given the key is read from \fISTDIN\fR.
 .TP
+.BI "\-x, \-\-keyid " hex
+Smartcard or TPM private key object handle in hex format with an optional
+0x prefix.
+.TP
 .BI "\-t, \-\-type " type
 Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR,
 defaults to \fIpriv\fR.
@@ -89,4 +95,4 @@ Generate a certificate request for an ECDSA key and a different digest:
 .
 .SH "SEE ALSO"
 .
-.BR pki (1)
-\ No newline at end of file
+.BR pki (1)
diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in
index 9461e3eff..aa7e6fabe 100644
--- a/src/pki/man/pki---self.1.in
+++ b/src/pki/man/pki---self.1.in
@@ -1,4 +1,4 @@
-.TH "PKI \-\-SELF" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.TH "PKI \-\-SELF" 1 "2016-12-13" "@PACKAGE_VERSION@" "strongSwan"
 .
 .SH "NAME"
 .
@@ -22,6 +22,7 @@ pki \-\-self \- Create a self-signed certificate
 .OP \-\-ca
 .OP \-\-ocsp uri
 .OP \-\-pathlen len
+.OP \-\-addrblock block
 .OP \-\-nc-permitted name
 .OP \-\-nc-excluded name
 .OP \-\-policy\-mapping mapping
@@ -65,11 +66,12 @@ Read command line options from \fIfile\fR.
 Private key input file. If not given the key is read from \fISTDIN\fR.
 .TP
 .BI "\-x, \-\-keyid " hex
-Key ID of a private key on a smartcard.
+Smartcard or TPM private key object handle in hex format with an optional
+0x prefix.
 .TP
 .BI "\-t, \-\-type " type
-Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR,
-defaults to \fIpriv\fR.
+Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR, \fIed25519\fR
+or \fIbliss\fR, defaults to \fIpriv\fR.
 .TP
 .BI "\-d, \-\-dn " distinguished-name
 Subject and issuer distinguished name (DN). Required.
@@ -127,6 +129,14 @@ times.
 .BI "\-p, \-\-pathlen " len
 Set path length constraint.
 .TP
+.BI "\-B, \-\-addrblock " block
+RFC 3779 address block to include in certificate. \fIblock\fR is either a
+CIDR subnet (such as \fI10.0.0.0/8\fR) or an arbitrary address range
+(\fI192.168.1.7-192.168.1.13\fR). Can be repeated to include multiple blocks.
+Please note that the supplied blocks are included in the certificate as is,
+so for standards compliance, multiple blocks must be supplied in correct
+order and adjacent blocks must be combined. Refer to RFC 3779 for details.
+.TP
 .BI "\-n, \-\-nc-permitted " name
 Add permitted NameConstraint extension to certificate. For DNS or email
 constraints, the identity type is not always detectable by the given name. Use
diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in
index b930bfa3c..b901ad084 100644
--- a/src/pki/man/pki---signcrl.1.in
+++ b/src/pki/man/pki---signcrl.1.in
@@ -56,7 +56,8 @@ CA private key file. Either this or
 is required.
 .TP
 .BI "\-x, \-\-cakeyid " hex
-Key ID of a CA private key on a smartcard. Either this or
+Smartcard or TPM CA private key object handle in hex format with an optional
+0x prefix. Either this or
 .B \-\-cakey
 is required.
 .TP
diff --git a/src/pki/pki.c b/src/pki/pki.c
index 472704945..0fdab2aab 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -258,6 +258,28 @@ hash_algorithm_t get_default_digest(private_key_t *private)
 	return alg == HASH_UNKNOWN ? HASH_SHA256 : alg;
 }
 
+/*
+ * Described in header
+ */
+traffic_selector_t* parse_ts(char *str)
+{
+	ts_type_t type = TS_IPV4_ADDR_RANGE;
+	char *to, from[64];
+
+	if (strchr(str, ':'))
+	{
+		type = TS_IPV6_ADDR_RANGE;
+	}
+	to = strchr(str, '-');
+	if (to)
+	{
+		snprintf(from, sizeof(from), "%.*s", (int)(to - str), str);
+		to++;
+		return traffic_selector_create_from_string(0, type, from, 0, to, 65535);
+	}
+	return traffic_selector_create_from_cidr(str, 0, 0, 65535);
+}
+
 /**
  * Callback credential set pki uses
  */
diff --git a/src/pki/pki.h b/src/pki/pki.h
index 017e61df6..54be59f8f 100644
--- a/src/pki/pki.h
+++ b/src/pki/pki.h
@@ -26,6 +26,7 @@
 #include "command.h"
 
 #include <library.h>
+#include <selectors/traffic_selector.h>
 #include <credentials/keys/private_key.h>
 
 /**
@@ -63,4 +64,12 @@ void set_file_mode(FILE *stream, cred_encoding_type_t enc);
  */
 hash_algorithm_t get_default_digest(private_key_t *private);
 
+/**
+ * Create a traffic selector from a CIDR or range string.
+ *
+ * @param str		input string, either a.b.c.d/e or a.b.c.d-e.f.g.h
+ * @return			traffic selector, NULL on error
+ */
+traffic_selector_t* parse_ts(char *str);
+
 #endif /** PKI_H_ @}*/
author	Yves-Alexis Perez <corsac@corsac.net>	2017-04-01 16:26:44 +0200
committer	Yves-Alexis Perez <corsac@corsac.net>	2017-04-01 16:26:44 +0200
commit	05ddd767992d68bb38c7f16ece142e8c2e9ae016 (patch)
tree	302c618be306d4ed3c7f9fc58a1f6aaad4dd252f /src/pki
parent	25663e04c3ab01ef8dc9f906608282319cfea2db (diff)
download	vyos-strongswan-05ddd767992d68bb38c7f16ece142e8c2e9ae016.tar.gz vyos-strongswan-05ddd767992d68bb38c7f16ece142e8c2e9ae016.zip