authorMartin Willi <martin@strongswan.org>2009-08-27 14:43:40 +0200
committerMartin Willi <martin@strongswan.org>2009-08-27 14:43:40 +0200
commit9436b31c94b9d14aabf5341485feaf730a05e81b (patch)
treeaaa92cae6fcdd83e2eebfd002ce6d209aa0ccf91 /src
parented75a4dd69bf0521c664729601489b182f91e579 (diff)
PKI tool supports certificate verification
Diffstat (limited to 'src')
-rw-r--r--src/pki/pki.c110
1 files changed, 110 insertions, 0 deletions
diff --git a/src/pki/pki.c b/src/pki/pki.c
index 29c445bdc..2b79752ed 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -65,6 +65,10 @@ static int usage(char *error)
fprintf(out, " --dn subject and issuer distinguished name\n");
fprintf(out, " --lifetime days the certificate is valid, default: 1080\n");
fprintf(out, " --serial serial number in hex, default: random\n");
+ fprintf(out, " pki --verify [--in file] [--ca file]\n");
+ fprintf(out, " verify a certificate using the CA certificate\n");
+ fprintf(out, " --in x509 certifcate to verify, default: stdin\n");
+ fprintf(out, " --ca CA certificate, default: verify self signed\n");
return !!error;
}
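Review bot: The new `--in` help line misspells the certificate type in user-visible output; it should read `fprintf(out, " --in x509 certificate to verify, default: stdin\n");`. The enclosing usage() body begins outside the hunk.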
@@ -582,6 +586,109 @@ static int self(int argc, char *argv[])
}
/**
+ * Verify a certificate signature
+ */
+static int verify(int argc, char *argv[])
+{
+ certificate_t *cert, *ca;
+ char *file = NULL, *cafile = NULL;
+ bool good = FALSE;
+
+ struct option long_opts[] = {
+ { "in", required_argument, NULL, 'i' },
+ { "ca", required_argument, NULL, 'c' },
+ { 0,0,0,0 }
+ };
+
+ while (TRUE)
+ {
+ switch (getopt_long(argc, argv, "", long_opts, NULL))
+ {
+ case 'i':
+ file = optarg;
+ continue;
+ case 'c':
+ cafile = optarg;
+ continue;
+ case EOF:
+ break;
+ default:
+ return usage("invalid --self option");
+ }
+ break;
+ }
+
+ if (file)
+ {
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, file, BUILD_END);
+ }
+ else
+ {
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FD, 0, BUILD_END);
+ }
+ if (!cert)
+ {
+ fprintf(stderr, "parsing certificate failed\n");
+ return 1;
+ }
+ if (cafile)
+ {
+ ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, cafile,
+ BUILD_X509_FLAG, X509_CA,
+ BUILD_END);
+ if (!ca)
+ {
+ fprintf(stderr, "parsing CA certificate failed\n");
+ return 1;
+ }
+ }
+ else
+ {
+ ca = cert;
+ }
+ if (cert->issued_by(cert, ca))
+ {
+ if (cert->get_validity(cert, NULL, NULL, NULL))
+ {
+ if (cafile)
+ {
+ if (ca->get_validity(ca, NULL, NULL, NULL))
+ {
+ printf("signature good, certificates valid\n");
+ }
+ else
+ {
+ printf("signature good, CA certificates not valid now\n");
+ }
+ }
+ else
+ {
+ printf("signature good, certificate valid\n");
+ good = TRUE;
+ }
+ }
+ else
+ {
+ printf("certificate not valid now\n");
+ }
+ }
+ else
+ {
+ printf("signature invalid\n");
+ }
+ if (cafile)
+ {
+ ca->destroy(ca);
+ }
+ cert->destroy(cert);
+
+ return good ? 0 : 2;
+}
+
+/**
* Library initialization and operation parsing
*/
int main(int argc, char *argv[])
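Review bot: The success exit status is never produced on the CA-verified path: `good` is set to TRUE only in the self-signed branch (the `else` of the inner `if (cafile)`), so a run that prints "signature good, certificates valid" still returns 2, and any script keying off the exit code treats a successful verification as a failure. Add `good = TRUE;` directly after the `printf("signature good, certificates valid\n");` line. The `default:` case of the option loop still carries the message copied from self(); it should be `return usage("invalid --verify option");`. When parsing the CA certificate fails the function returns 1 without releasing the already-parsed certificate, so a `cert->destroy(cert);` belongs before that `return 1;`. Whether `BUILD_X509_FLAG, X509_CA` checks that the --ca file actually carries a CA constraint or merely marks it as a CA cannot be told from this hunk; if it is the latter, any certificate passed via --ca is accepted as an issuer, which deserves a comment at the load site.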
@@ -592,6 +699,7 @@ int main(int argc, char *argv[])
{ "pub", no_argument, NULL, 'p' },
{ "keyid", no_argument, NULL, 'k' },
{ "self", no_argument, NULL, 's' },
+ { "verify", no_argument, NULL, 'v' },
{ 0,0,0,0 }
};
@@ -621,6 +729,8 @@ int main(int argc, char *argv[])
return keyid(argc, argv);
case 's':
return self(argc, argv);
+ case 'v':
+ return verify(argc, argv);
default:
return usage("invalid operation");
}