author | Tobias Brunner <tobias@strongswan.org> | 2016-08-18 18:07:21 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2016-08-25 11:07:35 +0200 |
commit | 09d8215d3feca18a8a7f986ffcec4036ae44d3bc (patch) | |
tree | 080a425c22b1a15dc749884f7a9529cf352042cc | |
parent | 17ecc104fb65b0190b0e5136362fd8c9bd4abf4e (diff) | |
pki: Allow to load CRLs from files in --verify
-rw-r--r-- | src/pki/commands/verify.c | 18 | ||||
-rw-r--r-- | src/pki/man/pki---verify.1.in | 6 |
2 files changed, 21 insertions, 3 deletions
diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c
index 8cc633a95..dd667fb34 100644
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@@ -1,6 +1,7 @@
 /*
+ * Copyright (C) 2016 Tobias Brunner
 * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
@@ -59,6 +60,18 @@ static int verify()
 has_ca = TRUE;
 creds->add_cert(creds, TRUE, cert);
 continue;
+ case 'l':
+ cert = lib->creds->create(lib->creds,
+ CRED_CERTIFICATE, CERT_X509_CRL,
+ BUILD_FROM_FILE, arg, BUILD_END);
+ if (!cert)
+ {
+ fprintf(stderr, "parsing CRL failed\n");
+ goto end;
+ }
+ online = TRUE;
+ creds->add_crl(creds, (crl_t*)cert);
+ continue;
 case 'o':
 online = TRUE;
 continue;
@@ -173,11 +186,12 @@ static void __attribute__ ((constructor))reg()
 command_register((command_t) {
 verify, 'v', "verify",
 "verify a certificate using the CA certificate",
- {"[--in file] [--cacert file]"},
+ {"[--in file] [--cacert file] [--crl file]"},
 {
 {"help", 'h', 0, "show usage information"},
 {"in", 'i', 1, "X.509 certificate to verify, default: stdin"},
 {"cacert", 'c', 1, "CA certificate for trustchain verification"},
+ {"crl", 'l', 1, "CRL for trustchain verification"},
 {"online", 'o', 0, "enable online CRL/OCSP revocation checking"},
 }
 });
diff --git a/src/pki/man/pki---verify.1.in b/src/pki/man/pki---verify.1.in
index dd0c0e928..74adaf150 100644
--- a/src/pki/man/pki---verify.1.in
+++ b/src/pki/man/pki---verify.1.in
@@ -1,4 +1,4 @@
-.TH "PKI \-\-VERIFY" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.TH "PKI \-\-VERIFY" 1 "2016-08-19" "@PACKAGE_VERSION@" "strongSwan"
 .
 .SH "NAME"
 .
@@ -9,6 +9,7 @@ pki \-\-verify \- Verify a certificate using a CA certificate
 .SY pki\ \-\-verify
 .OP \-\-in file
 .OP \-\-cacert file
+.OP \-\-crl file
 .OP \-\-debug level
 .OP \-\-online
 .YS
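Review bot: In the `case 'l'` branch of verify() in src/pki/commands/verify.c, `online = TRUE` makes `--crl` switch on the same flag as `--online`, which the option table describes as "enable online CRL/OCSP revocation checking", so a user who passes a local CRL in order to verify without network access may still get online revocation lookups. Whether a lookup is actually made when the local CRL covers the issuer is decided outside this hunk, so that should be confirmed against the rest of verify(). The man page change says "Implies -o", but the `--help` entry added in reg() does not; I would make it `{"crl", 'l', 1, "CRL for trustchain verification, implies --online"},` and put `/* --crl implies --online, see pki --verify(1) */` above the assignment. The result of `creds->add_crl()` is also discarded, so if it can decline a CRL (presumably an older one for the same issuer), nothing tells the user that the file was not used. verify() starts and ends outside the hunk.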
@@ -48,6 +49,9 @@ X.509 certificate to verify. If not given it is read from \fISTDIN\fR. CA certificate to use for trustchain verification. If not given the certificate is assumed to be self\-signed. .TP +.BI "\-l, \-\-crl " file +Local CRL to use for trustchain verification. Implies \fB-o\fR. +.TP .BI "\-o, \-\-online Enable online CRL/OCSP revocation checking. . |