pki: Allow to load CRLs from files in --verify

Tobias Brunner 2016-08-18 18:07:21 +02:00
parent 17ecc104fb
commit 09d8215d3f
2 changed files with 21 additions and 3 deletions


@ -1,6 +1,7 @@
/* /*
* Copyright (C) 2016 Tobias Brunner
* Copyright (C) 2009 Martin Willi * Copyright (C) 2009 Martin Willi
* Hochschule fuer Technik Rapperswil * HSR Hochschule fuer Technik Rapperswil
* *
* This program is free software; you can redistribute it and/or modify it * This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the * under the terms of the GNU General Public License as published by the
@ -59,6 +60,18 @@ static int verify()
has_ca = TRUE; has_ca = TRUE;
creds->add_cert(creds, TRUE, cert); creds->add_cert(creds, TRUE, cert);
continue; continue;
case 'l':
cert = lib->creds->create(lib->creds,
CRED_CERTIFICATE, CERT_X509_CRL,
BUILD_FROM_FILE, arg, BUILD_END);
if (!cert)
{
fprintf(stderr, "parsing CRL failed\n");
goto end;
}
online = TRUE;
creds->add_crl(creds, (crl_t*)cert);
continue;
case 'o': case 'o':
online = TRUE; online = TRUE;
continue; continue;
@ -173,11 +186,12 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) { command_register((command_t) {
verify, 'v', "verify", verify, 'v', "verify",
"verify a certificate using the CA certificate", "verify a certificate using the CA certificate",
{"[--in file] [--cacert file]"}, {"[--in file] [--cacert file] [--crl file]"},
{ {
{"help", 'h', 0, "show usage information"}, {"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "X.509 certificate to verify, default: stdin"}, {"in", 'i', 1, "X.509 certificate to verify, default: stdin"},
{"cacert", 'c', 1, "CA certificate for trustchain verification"}, {"cacert", 'c', 1, "CA certificate for trustchain verification"},
{"crl", 'l', 1, "CRL for trustchain verification"},
{"online", 'o', 0, "enable online CRL/OCSP revocation checking"}, {"online", 'o', 0, "enable online CRL/OCSP revocation checking"},
} }
}); });
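Review bot: The option help string added for `crl` does not say that the flag switches on revocation checking, although the new `case 'l'` sets `online = TRUE;` and the man page hunk in the same commit states "Implies -o"; a user reading `pki --verify --help` would not expect `--crl` to also enable online CRL/OCSP fetching. Suggest `{"crl", 'l', 1, "CRL for trustchain verification, implies --online"},` so the two descriptions agree. In the same hunk, the failure path reports only `"parsing CRL failed\n"`; since several `--crl` arguments can be given, printing the file name, `fprintf(stderr, "parsing CRL '%s' failed\n", arg);`, would make the message actionable. Whether a file-supplied CRL is still checked for a valid issuer signature and freshness before it influences the result is presumably handled by the revocation checking this enables, but that cannot be confirmed from the hunk. verify() begins and ends outside the hunk.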


@ -1,4 +1,4 @@
.TH "PKI \-\-VERIFY" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan" .TH "PKI \-\-VERIFY" 1 "2016-08-19" "@PACKAGE_VERSION@" "strongSwan"
. .
.SH "NAME" .SH "NAME"
. .
@ -9,6 +9,7 @@ pki \-\-verify \- Verify a certificate using a CA certificate
.SY pki\ \-\-verify .SY pki\ \-\-verify
.OP \-\-in file .OP \-\-in file
.OP \-\-cacert file .OP \-\-cacert file
.OP \-\-crl file
.OP \-\-debug level .OP \-\-debug level
.OP \-\-online .OP \-\-online
.YS .YS
@ -48,6 +49,9 @@ X.509 certificate to verify. If not given it is read from \fISTDIN\fR.
CA certificate to use for trustchain verification. If not given the certificate CA certificate to use for trustchain verification. If not given the certificate
is assumed to be self\-signed. is assumed to be self\-signed.
.TP .TP
.BI "\-l, \-\-crl " file
Local CRL to use for trustchain verification. Implies \fB-o\fR.
.TP
.BI "\-o, \-\-online .BI "\-o, \-\-online
Enable online CRL/OCSP revocation checking. Enable online CRL/OCSP revocation checking.
. .