Diffstat (limited to 'src/pki')
-rw-r--r--src/pki/Makefile.in14
-rw-r--r--src/pki/command.c2
-rw-r--r--src/pki/commands/issue.c16
-rw-r--r--src/pki/commands/print.c4
-rw-r--r--src/pki/commands/req.c4
-rw-r--r--src/pki/commands/self.c16
-rw-r--r--src/pki/commands/signcrl.c4
-rw-r--r--src/pki/commands/verify.c2
-rw-r--r--src/pki/pki.c32
-rw-r--r--src/pki/pki.h5
10 files changed, 40 insertions, 59 deletions
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index f9c417658..609ab345b 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -50,6 +50,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
am__installdirs = "$(DESTDIR)$(ipsecdir)"
@@ -60,7 +61,7 @@ am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) gen.$(OBJEXT) \
verify.$(OBJEXT)
pki_OBJECTS = $(am_pki_OBJECTS)
pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
am__mv = mv -f
@@ -86,6 +87,7 @@ AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BFDLIB = @BFDLIB@
BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
@@ -180,11 +182,14 @@ build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
clearsilver_LIBS = @clearsilver_LIBS@
datadir = @datadir@
datarootdir = @datarootdir@
dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
@@ -201,11 +206,12 @@ imcvdir = @imcvdir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
ipsecdir = @ipsecdir@
ipsecgroup = @ipsecgroup@
ipseclibdir = @ipseclibdir@
ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
libexecdir = @libexecdir@
linux_headers = @linux_headers@
@@ -221,6 +227,7 @@ mkdir_p = @mkdir_p@
nm_CFLAGS = @nm_CFLAGS@
nm_LIBS = @nm_LIBS@
nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
@@ -230,7 +237,6 @@ pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
diff --git a/src/pki/command.c b/src/pki/command.c
index 07ba5bb1d..43328575c 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -144,7 +144,7 @@ void command_register(command_t command)
/* append default options, but not to --help */
if (!active)
{
- for (i = 0; i < countof(cmds[registered].options); i++)
+ for (i = 0; i < countof(cmds[registered].options) - 1; i++)
{
if (cmds[registered].options[i].name)
{
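Review bot: The new `- 1` in the loop bound of command_register() has no comment explaining why the last slot of `options` is now skipped. Presumably the final entry is reserved as an empty terminator for whatever walks the array; if so, say it next to the loop, e.g. `/* keep the last slot empty so the options array stays terminated */`, so the bound is not "corrected" back later. The loop body and any later capacity check on `i` lie outside this hunk, so it is worth confirming they use the same reduced limit.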
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 20163edf2..47e668b6c 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -105,8 +105,8 @@ static int issue()
}
continue;
case 'g':
- digest = get_digest(arg);
- if (digest == HASH_UNKNOWN)
+ digest = enum_from_name(hash_algorithm_short_names, arg);
+ if (digest == -1)
{
error = "invalid --digest type";
goto usage;
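Review bot: The `digest == -1` test in the 'g' case depends on the type of `digest`, which is declared outside this hunk. If it is an enum type that the compiler represents narrower than int, the -1 sentinel will not compare equal after assignment and an unknown name would slip through. Keeping the lookup result in an int avoids this: `int val = enum_from_name(hash_algorithm_short_names, arg);` then `if (val == -1)`, assigning `digest = val;` only afterwards. The accepted names are now whatever hash_algorithm_short_names contains rather than the six names in the removed get_digest(), so confirm that every entry in that table is a digest the signing code should be allowed to use. The same two lines appear in the 'g' case of req.c, self.c and signcrl.c.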
@@ -229,6 +229,10 @@ static int issue()
{
flags |= X509_CLIENT_AUTH;
}
+ else if (streq(arg, "ikeIntermediate"))
+ {
+ flags |= X509_IKE_INTERMEDIATE;
+ }
else if (streq(arg, "crlSign"))
{
flags |= X509_CRL_SIGN;
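Review bot: The spelling accepted here, `"ikeIntermediate"`, does not match the one print.c emits for the same flag in this commit, `"iKEIntermediate "`. Assuming streq() is a case-sensitive comparison, a value copied from the print output into --flag would not match this branch. Either use one spelling in both places or accept both here; the same branch is added in self.c. The usage text for --flag is outside this hunk and should list the new value if it enumerates the others.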
@@ -352,11 +356,11 @@ static int issue()
error = "no random number generator found";
goto end;
}
- rng->allocate_bytes(rng, 8, &serial);
- while (*serial.ptr == 0x00)
+ if (!rng_allocate_bytes_not_zero(rng, 8, &serial, FALSE))
{
- /* we don't accept a serial number with leading zeroes */
- rng->get_bytes(rng, 1, serial.ptr);
+ error = "failed to generate serial number";
+ rng->destroy(rng);
+ goto end;
}
rng->destroy(rng);
}
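Review bot: The bare `FALSE` passed to rng_allocate_bytes_not_zero() replaces a loop whose comment explained the intent, and the new call carries no explanation. If the last argument selects "only the first byte must be non-zero" (its declaration is not on this page), a short comment such as `/* serial must not start with a zero byte */` above the call would keep that rationale. Note also that rejecting a zero first byte leaves slightly under 64 bits of randomness in the 8-byte serial, which matters if a policy requires at least 64. The same change is made in self.c.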
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index a7f02bfac..90cf254c8 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -133,6 +133,10 @@ static void print_x509(x509_t *x509)
{
printf("clientAuth ");
}
+ if (flags & X509_IKE_INTERMEDIATE)
+ {
+ printf("iKEIntermediate ");
+ }
if (flags & X509_SELF_SIGNED)
{
printf("self-signed ");
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index 087a97b3e..d050c7032 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -63,8 +63,8 @@ static int req()
}
continue;
case 'g':
- digest = get_digest(arg);
- if (digest == HASH_UNKNOWN)
+ digest = enum_from_name(hash_algorithm_short_names, arg);
+ if (digest == -1)
{
error = "invalid --digest type";
goto usage;
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index c4508a671..4a50aa463 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -94,8 +94,8 @@ static int self()
}
continue;
case 'g':
- digest = get_digest(arg);
- if (digest == HASH_UNKNOWN)
+ digest = enum_from_name(hash_algorithm_short_names, arg);
+ if (digest == -1)
{
error = "invalid --digest type";
goto usage;
@@ -212,6 +212,10 @@ static int self()
{
flags |= X509_CLIENT_AUTH;
}
+ else if (streq(arg, "ikeIntermediate"))
+ {
+ flags |= X509_IKE_INTERMEDIATE;
+ }
else if (streq(arg, "crlSign"))
{
flags |= X509_CRL_SIGN;
@@ -294,11 +298,11 @@ static int self()
error = "no random number generator found";
goto end;
}
- rng->allocate_bytes(rng, 8, &serial);
- while (*serial.ptr == 0x00)
+ if (!rng_allocate_bytes_not_zero(rng, 8, &serial, FALSE))
{
- /* we don't accept a serial number with leading zeroes */
- rng->get_bytes(rng, 1, serial.ptr);
+ error = "failed to generate serial number";
+ rng->destroy(rng);
+ goto end;
}
rng->destroy(rng);
}
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 153734f53..4ada120ed 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -141,8 +141,8 @@ static int sign_crl()
case 'h':
goto usage;
case 'g':
- digest = get_digest(arg);
- if (digest == HASH_UNKNOWN)
+ digest = enum_from_name(hash_algorithm_short_names, arg);
+ if (digest == -1)
{
error = "invalid --digest type";
goto usage;
diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c
index bbcc53891..3e983d3ec 100644
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@@ -77,7 +77,7 @@ static int verify()
{
ca = cert;
}
- if (cert->issued_by(cert, ca))
+ if (cert->issued_by(cert, ca, NULL))
{
if (cert->get_validity(cert, NULL, NULL, NULL))
{
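Review bot: The added `NULL` in `cert->issued_by(cert, ca, NULL)` gives no hint of what output is being discarded. If the new parameter reports the signature scheme used (the interface change is not shown on this page), a short comment such as `/* signature scheme not needed */` would make the call readable. A verify command is also a natural place to surface that value, so that certificates signed with a weak digest are visible to the operator. The body of verify() continues outside this hunk.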
diff --git a/src/pki/pki.c b/src/pki/pki.c
index 3005d2fcd..e28bf1595 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -80,38 +80,6 @@ bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type)
}
/**
- * Convert a digest string to a hash algorithm
- */
-hash_algorithm_t get_digest(char *name)
-{
- if (streq(name, "md5"))
- {
- return HASH_MD5;
- }
- if (streq(name, "sha1"))
- {
- return HASH_SHA1;
- }
- if (streq(name, "sha224"))
- {
- return HASH_SHA224;
- }
- if (streq(name, "sha256"))
- {
- return HASH_SHA256;
- }
- if (streq(name, "sha384"))
- {
- return HASH_SHA384;
- }
- if (streq(name, "sha512"))
- {
- return HASH_SHA512;
- }
- return HASH_UNKNOWN;
-}
-
-/**
* Callback credential set pki uses
*/
static callback_cred_t *cb_set;
diff --git a/src/pki/pki.h b/src/pki/pki.h
index 9c145cdc0..f72b1804c 100644
--- a/src/pki/pki.h
+++ b/src/pki/pki.h
@@ -31,9 +31,4 @@
*/
bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type);
-/**
- * Convert a digest string to a hash algorithm
- */
-hash_algorithm_t get_digest(char *name);
-
#endif /** PKI_H_ @}*/