Diffstat (limited to 'src')
-rw-r--r--src/libcharon/plugins/stroke/stroke_socket.c34
-rw-r--r--src/stroke/stroke.c25
-rw-r--r--src/stroke/stroke_keywords.h4
-rw-r--r--src/stroke/stroke_keywords.txt1
-rw-r--r--src/stroke/stroke_msg.h18
5 files changed, 80 insertions, 2 deletions
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 18afa5af4..fc54472ee 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -353,6 +353,37 @@ static void stroke_purge(private_stroke_socket_t *this,
}
/**
+ * Export in-memory credentials
+ */
+static void stroke_export(private_stroke_socket_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ pop_string(msg, &msg->export.selector);
+
+ if (msg->purge.flags & EXPORT_X509)
+ {
+ enumerator_t *enumerator;
+ identification_t *id;
+ certificate_t *cert;
+ chunk_t encoded;
+
+ id = identification_create_from_string(msg->export.selector);
+ enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+ CERT_X509, KEY_ANY, id, FALSE);
+ while (enumerator->enumerate(enumerator, &cert))
+ {
+ if (cert->get_encoding(cert, CERT_PEM, &encoded))
+ {
+ fprintf(out, "%.*s", encoded.len, encoded.ptr);
+ free(encoded.ptr);
+ }
+ }
+ enumerator->destroy(enumerator);
+ id->destroy(id);
+ }
+}
+
+/**
* list pool leases
*/
static void stroke_leases(private_stroke_socket_t *this,
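Review bot: The flag test at the top of stroke_export reads `msg->purge.flags`, while the selector on the line just above is popped from `msg->export.selector`; the condition should be `if (msg->export.flags & EXPORT_X509)`. If the per-message structs inside stroke_msg_t share a union, the two fields alias and the check only works by coincidence of layout; if they do not, the export flags are never consulted at all. Separately, `fprintf(out, "%.*s", encoded.len, encoded.ptr)` passes the chunk length where `%.*s` expects an int; if chunk_t.len is a size_t, as elsewhere in this library, that is a format/argument type mismatch — `fwrite(encoded.ptr, 1, encoded.len, out);` avoids both the cast and any dependence on the PEM data being NUL-free. Everything exported here comes from the credential manager's certificate set, so only public material is written; a one-line comment stating that (`/* only certificates are exported, never private keys */`) would make that boundary explicit for the next person extending EXPORT_* flags.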
@@ -525,6 +556,9 @@ static job_requeue_t process(stroke_job_context_t *ctx)
case STR_PURGE:
stroke_purge(this, msg, out);
break;
+ case STR_EXPORT:
+ stroke_export(this, msg, out);
+ break;
case STR_LEASES:
stroke_leases(this, msg, out);
break;
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 32e628df1..103617f08 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -288,9 +288,23 @@ static int purge(stroke_keyword_t kw)
return send_stroke_msg(&msg);
}
-static int leases(stroke_keyword_t kw, char *pool, char *address)
+static int export_flags[] = {
+ EXPORT_X509,
+};
+
+static int export(stroke_keyword_t kw, char *selector)
{
+ stroke_msg_t msg;
+ msg.type = STR_EXPORT;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.export.selector = push_string(&msg, selector);
+ msg.export.flags = export_flags[kw - STROKE_EXPORT_FIRST];
+ return send_stroke_msg(&msg);
+}
+
+static int leases(stroke_keyword_t kw, char *pool, char *address)
+{
stroke_msg_t msg;
msg.type = STR_LEASES;
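Review bot: In export(), `msg` is a stack stroke_msg_t of which only type, length, selector and flags are assigned before send_stroke_msg is called; if that call transmits `msg.length` bytes from the start of the struct, the remaining members of the message body are sent uninitialized. This follows the pattern of the neighbouring purge/leases helpers, but the new function could start with `stroke_msg_t msg = { .type = STR_EXPORT };` at no cost and would then be the first of these helpers not to leak stack bytes over the socket. The `export_flags[kw - STROKE_EXPORT_FIRST]` lookup has no bound check; it is safe only as long as every caller passes a STROKE_EXPORT_* keyword, which main() currently does, so a short comment stating that precondition would help. leases() continues outside the hunk.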
@@ -361,6 +375,8 @@ static void exit_usage(char *error)
printf(" stroke purgeocsp\n");
printf(" Purge IKE_SAs without a CHILD_SA:\n");
printf(" stroke purgeike\n");
+ printf(" Export credentials to the console:\n");
+ printf(" stroke exportx509 DN\n");
printf(" Show leases of a pool:\n");
printf(" stroke leases [POOL [ADDRESS]]\n");
exit_error(error);
@@ -478,6 +494,13 @@ int main(int argc, char *argv[])
case STROKE_PURGE_IKE:
res = purge(token->kw);
break;
+ case STROKE_EXPORT_X509:
+ if (argc != 3)
+ {
+ exit_usage("\"exportx509\" needs a distinguished name");
+ }
+ res = export(token->kw, argv[2]);
+ break;
case STROKE_LEASES:
res = leases(token->kw, argc > 2 ? argv[2] : NULL,
argc > 3 ? argv[3] : NULL);
diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h
index 6332000db..4a3826536 100644
--- a/src/stroke/stroke_keywords.h
+++ b/src/stroke/stroke_keywords.h
@@ -49,12 +49,14 @@ typedef enum {
STROKE_REREAD_ALL,
STROKE_PURGE_OCSP,
STROKE_PURGE_IKE,
- STROKE_LEASES
+ STROKE_EXPORT_X509,
+ STROKE_LEASES,
} stroke_keyword_t;
#define STROKE_LIST_FIRST STROKE_LIST_PUBKEYS
#define STROKE_REREAD_FIRST STROKE_REREAD_SECRETS
#define STROKE_PURGE_FIRST STROKE_PURGE_OCSP
+#define STROKE_EXPORT_FIRST STROKE_EXPORT_X509
typedef struct stroke_token stroke_token_t;
diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt
index 96fa0bf3a..0b8092985 100644
--- a/src/stroke/stroke_keywords.txt
+++ b/src/stroke/stroke_keywords.txt
@@ -56,4 +56,5 @@ rereadcrls, STROKE_REREAD_CRLS
rereadall, STROKE_REREAD_ALL
purgeocsp, STROKE_PURGE_OCSP
purgeike, STROKE_PURGE_IKE
+exportx509, STROKE_EXPORT_X509
leases, STROKE_LEASES
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index a36cc9038..9e2300d05 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -109,6 +109,16 @@ enum purge_flag_t {
PURGE_IKE = 0x0002,
};
+typedef enum export_flag_t export_flag_t;
+
+/**
+ * Definition of the export flags
+ */
+enum export_flag_t {
+ /** export an X509 certificate */
+ EXPORT_X509 = 0x0001,
+};
+
/**
* CRL certificate validation policy
*/
@@ -193,6 +203,8 @@ struct stroke_msg_t {
STR_PURGE,
/* show pool leases */
STR_LEASES,
+ /* export credentials */
+ STR_EXPORT,
/* more to come */
} type;
@@ -301,6 +313,12 @@ struct stroke_msg_t {
purge_flag_t flags;
} purge;
+ /* data for STR_EXPORT */
+ struct {
+ export_flag_t flags;
+ char *selector;
+ } export;
+
/* data for STR_LEASES */
struct {
char *pool;
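Review bot: The new `selector` member has no comment saying what it holds; judging from the sender (push_string in stroke.c) and the receiver (pop_string followed by identification_create_from_string in stroke_socket.c) it appears to be an offset-encoded identity string naming the certificates to export, so a line such as `/** identity (e.g. subject DN) of the certificates to export */` above `char *selector;` would match the `/* data for ... */` comments already in this struct. A naming caveat: `export` is a reserved word in C++, so if this header is ever included from C++ code the member (and the matching `export()` helper in stroke.c) would have to be renamed; harmless for the C-only build visible here. The enclosing struct stroke_msg_t starts outside the hunk.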