diff options
| author | Martin Willi <martin@revosec.ch> | 2013-06-14 11:22:14 +0200 |
|---|---|---|
| committer | Martin Willi <martin@revosec.ch> | 2013-06-19 16:27:19 +0200 |
| commit | de2debf8e0759c974c734cacab9549451eceb236 (patch) | |
| tree | 82d0b764bebc3d4693e6baacf6255eeb3679c51b /src/libcharon/plugins | |
| parent | a485320393b08fee15c286c639468d00fe9184b0 (diff) | |
| download | strongswan-de2debf8e0759c974c734cacab9549451eceb236.tar.bz2 strongswan-de2debf8e0759c974c734cacab9549451eceb236.tar.xz | |
stroke: add exportconn{cert,chain} commands in addition to exportx509
The new commands either export a single end entity certificate or the
full trust chain for a specific connection name.
Diffstat (limited to 'src/libcharon/plugins')
| -rw-r--r-- | src/libcharon/plugins/stroke/stroke_socket.c | 71 |
1 files changed, 65 insertions, 6 deletions
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c index aa5c73b8b..d152ecd70 100644 --- a/src/libcharon/plugins/stroke/stroke_socket.c +++ b/src/libcharon/plugins/stroke/stroke_socket.c @@ -432,6 +432,20 @@ static void stroke_purge(private_stroke_socket_t *this, } /** + * Print a certificate in PEM to out + */ +static void print_pem_cert(FILE *out, certificate_t *cert) +{ + chunk_t encoded; + + if (cert->get_encoding(cert, CERT_PEM, &encoded)) + { + fprintf(out, "%.*s", (int)encoded.len, encoded.ptr); + free(encoded.ptr); + } +} + +/** * Export in-memory credentials */ static void stroke_export(private_stroke_socket_t *this, @@ -444,22 +458,67 @@ static void stroke_export(private_stroke_socket_t *this, enumerator_t *enumerator; identification_t *id; certificate_t *cert; - chunk_t encoded; id = identification_create_from_string(msg->export.selector); enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, CERT_X509, KEY_ANY, id, FALSE); while (enumerator->enumerate(enumerator, &cert)) { - if (cert->get_encoding(cert, CERT_PEM, &encoded)) - { - fprintf(out, "%.*s", (int)encoded.len, encoded.ptr); - free(encoded.ptr); - } + print_pem_cert(out, cert); } enumerator->destroy(enumerator); id->destroy(id); } + + if (msg->export.flags & (EXPORT_CONN_CERT | EXPORT_CONN_CHAIN)) + { + enumerator_t *sas, *auths, *certs; + ike_sa_t *ike_sa; + auth_cfg_t *auth; + certificate_t *cert; + auth_rule_t rule; + + sas = charon->ike_sa_manager->create_enumerator( + charon->ike_sa_manager, TRUE); + while (sas->enumerate(sas, &ike_sa)) + { + if (streq(msg->export.selector, ike_sa->get_name(ike_sa))) + { + auths = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE); + while (auths->enumerate(auths, &auth)) + { + bool got_subject = FALSE; + + certs = auth->create_enumerator(auth); + while (certs->enumerate(certs, &rule, &cert)) + { + switch (rule) + { + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + if (msg->export.flags & EXPORT_CONN_CHAIN) + { + print_pem_cert(out, cert); + } + break; + case AUTH_RULE_SUBJECT_CERT: + if (!got_subject) + { + print_pem_cert(out, cert); + got_subject = TRUE; + } + break; + default: + break; + } + } + certs->destroy(certs); + } + auths->destroy(auths); + } + } + sas->destroy(sas); + } } /** |