author | Tobias Brunner <tobias@strongswan.org> | 2012-06-01 14:43:12 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2012-06-11 17:33:29 +0200 |
commit | cea9bf563a83a229f68fbc68116cea7fc40c6ca1 (patch) | |
tree | 38f274efe7ed36b100f37cfa056c7df7c7a1f32c /src | |
parent | 3a7c6b39b530a5671b8bac8e9f117b3d38224a3f (diff) | |
scepclient: Option added to read self-signed certificate from a file.
Diffstat (limited to 'src')
-rw-r--r-- | src/scepclient/scepclient.8 | 7 | ||||
-rw-r--r-- | src/scepclient/scepclient.c | 67 |
2 files changed, 53 insertions, 21 deletions
diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8
index 1bcc4ef44..89f86e371 100644
--- a/src/scepclient/scepclient.8
+++ b/src/scepclient/scepclient.8
@@ -73,7 +73,7 @@ The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
 .B \-i, \-\-in \fItype\fP[=\fIfilename\fP]
 .RS 4
 Input file for certificate enrollment. This option can be specified multiple times to specify input files for every \fItype\fP.
-Input files can bei either DER or PEM encoded.
+Input files can be either DER or PEM encoded.
 .PP
 Supported values for \fItype\fP:
 .IP "\fBpkcs1\fP" 12
@@ -88,6 +88,11 @@ The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
 CA certificate to check signature of SCEP reply. Has to be specified for certificate enrollment.
 .br
 The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
+.IP "\fBcert-self\fP" 12
+Certificate to be used in the SCEP request. If it is not specified a
+self-signed certificate is generated automatically.
+.br
+The default \fIfilename\fP is $CONFDIR/ipsec.d/certs/selfCert.der.
 .RE
 .PP
 .B \-k, \-\-keylength \fIbits\fP
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 2df6d7a5f..40fbc8502 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -317,9 +317,12 @@ static void usage(const char *message)
 " --version (-v) show version and exit\n"
 " --quiet (-q) do not write log output to stderr\n"
 " --in (-i) <type>[=<filename>] use <filename> of <type> for input \n"
- " <type> = pkcs1 | cacert-enc | cacert-sig\n"
- " - if no pkcs1 input is defined, a \n"
- " RSA key will be generated\n"
+ " <type> = pkcs1 | cacert-enc | cacert-sig |\n"
+ " cert-self\n"
+ " - if no pkcs1 input is defined, an RSA\n"
+ " key will be generated\n"
+ " - if no cert-self input is defined, a\n"
+ " self-signed certificate will be generated\n"
+ " - if no filename is given, default is used\n"
 " --out (-o) <type>[=<filename>] write output of <type> to <filename>\n"
 " multiple outputs are allowed\n"
@@ -389,7 +392,7 @@ int main(int argc, char **argv)
 CERT_SELF = 0x08,
 CERT = 0x10,
 CACERT_ENC = 0x20,
- CACERT_SIG = 0x40
+ CACERT_SIG = 0x40,
 } scep_filetype_t;
 /* filetype to read from, defaults to "generate a key" */
@@ -400,6 +403,7 @@ int main(int argc, char **argv)
 /* input files */
 char *file_in_pkcs1 = DEFAULT_FILENAME_PKCS1;
+ char *file_in_cert_self = DEFAULT_FILENAME_CERT_SELF;
 char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC;
 char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG;
@@ -560,7 +564,13 @@ int main(int argc, char **argv)
 {
 filetype_in |= CACERT_SIG;
 if (filename)
- file_in_cacert_sig = filename;
+ file_in_cacert_sig = filename;
 } else if (strcaseeq("cert-self", optarg)) { filetype_in |= CERT_SELF; if (filename) file_in_cert_self = filename; } else {
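Review bot: The new `else if (strcaseeq("cert-self", optarg))` branch at the end of the last hunk only records the flag and filename; nothing rejects `cert-self` given without a `pkcs1` input, yet the usage text added in the first hunk says a fresh RSA key is generated in that case, which can never match the key inside the supplied certificate. A parse-time check once option handling is complete, e.g. `if ((filetype_in & CERT_SELF) && !(filetype_in & PKCS1)) exit_scepclient("cert-self input requires a pkcs1 input");` (using whichever flag the `pkcs1` case sets — the low enum values are outside this hunk), would fail early with a clear message instead of producing a request the CA cannot verify. The enclosing `main()` starts and ends outside the hunk.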
@@ -1110,22 +1120,39 @@ int main(int argc, char **argv)
 scep_generate_transaction_id(public_key, &transID, &serialNumber);
 DBG1(DBG_APP, " transaction ID: %.*s", (int)transID.len, transID.ptr);
- notBefore = notBefore ? notBefore : time(NULL);
- notAfter = notAfter ? notAfter : (notBefore + validity);
-
- /* generate a self-signed X.509 certificate */
- x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_SIGNING_KEY, private_key,
- BUILD_PUBLIC_KEY, public_key,
- BUILD_SUBJECT, subject,
- BUILD_NOT_BEFORE_TIME, notBefore,
- BUILD_NOT_AFTER_TIME, notAfter,
- BUILD_SERIAL, serialNumber,
- BUILD_SUBJECT_ALTNAMES, subjectAltNames,
- BUILD_END);
- if (!x509_signer)
+ /*
+ * read or generate self-signed X.509 certificate
+ */
+ if (filetype_in & CERT_SELF)
+ {
+ char path[PATH_MAX];
+
+ join_paths(path, sizeof(path), HOST_CERT_PATH, file_in_cert_self);
+
+ x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, path, BUILD_END);
+ if (!x509_signer)
+ {
+ exit_scepclient("could not read certificate file '%s'", path);
+ }
+ }
+ else
 {
- exit_scepclient("generating certificate failed");
+ notBefore = notBefore ? notBefore : time(NULL);
+ notAfter = notAfter ? notAfter : (notBefore + validity);
+ x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_SIGNING_KEY, private_key,
+ BUILD_PUBLIC_KEY, public_key,
+ BUILD_SUBJECT, subject,
+ BUILD_NOT_BEFORE_TIME, notBefore,
+ BUILD_NOT_AFTER_TIME, notAfter,
+ BUILD_SERIAL, serialNumber,
+ BUILD_SUBJECT_ALTNAMES, subjectAltNames,
+ BUILD_END);
+ if (!x509_signer)
+ {
+ exit_scepclient("generating certificate failed");
+ }
 }
 /*
|
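Review bot: In the `filetype_in & CERT_SELF` branch the certificate loaded with `BUILD_FROM_FILE` is never checked against the key pair that signs the request, so a file whose public key differs from `public_key` (the key `scep_generate_transaction_id()` was just called with on the line above) is silently used as `x509_signer`, and the resulting PKCS#7 signature will not verify against the embedded certificate. Assuming the `certificate_t`/`public_key_t` interfaces in this tree expose `get_public_key()` and `equals()`, a check directly after the `if (!x509_signer)` guard closes that gap: `public_key_t *cert_key = x509_signer->get_public_key(x509_signer);` / `if (!cert_key || !cert_key->equals(cert_key, public_key)) exit_scepclient("certificate '%s' does not match the RSA key", path);` / `cert_key->destroy(cert_key);`. The return value of `join_paths()` is also discarded, so if that helper reports truncation a `file_in_cert_self` longer than `PATH_MAX` would be opened as a silently truncated path — worth confirming what it returns and acting on it. The enclosing `main()` begins and ends outside the hunk.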