From f912fedc9b02c591cadf3aa16df7a7c8ccc4e0d9 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 11 May 2012 09:47:56 +0200
Subject: scepclient: Also number CA certificates in case there is more than one.
Also, only number them if there are multiple certificates.
---
 src/scepclient/scepclient.8 | 12 ++++++----
 src/scepclient/scepclient.c | 53 ++++++++++++++++++++++++++++++++++++---------
 2 files changed, 51 insertions(+), 14 deletions(-)
(limited to 'src')
diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8
index 2fe17e6c5..c2068f6cd 100644
--- a/src/scepclient/scepclient.8
+++ b/src/scepclient/scepclient.8
@@ -62,7 +62,9 @@ Do not write log output to stderr.
 .SS Options for CA Certificate Acquisition
 .B \-o, \-\-out cacert[=\fIfilename\fP]
 .RS 4
-Output file of acquired CA certificate. If more then one CA certificate is available, \fIfilename\fP is used as prefix for the resulting files.
+Output file of acquired CA certificate. If more then one CA certificate is
+available, \fIfilename\fP is used as prefix for the resulting files (refer to
+EXAMPLES below for details).
 .br
 The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
 .RE
@@ -230,9 +232,11 @@ Changes the log level (-1..4, default: 1)
 .B ipsec scepclient \-\-out caCert \-\-url http://scepserver/cgi\-bin/pkiclient.exe \-f
 .RS 4
 Acquire CA certificate from SCEP server and store it in the default file $CONFDIR/ipsec.d/cacerts/caCert.der.
-If more then one CA certificate is returned, store them in files named caCert.der\-1', caCert.der\-2', etc.
-.br
-Existing files are overwritten.
+If more then one CA certificate is returned, store them in files named
+\'caCert\-1.der\', \'caCert\-2.der\', etc.
+If an RA certificate is returned, store it in a file named \'caCert\-ra.der\'.
+If more than one RA certificate is returned, store them in files named
+\'caCert\-ra\-1.der\', \'caCert\-ra\-2.der\', etc.
 .RE
 .PP
 .B ipsec scepclient \-\-out pkcs1=joeKey.der \-k 1024
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index c66cf42d8..59a4ee64d 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -222,9 +222,14 @@ static void join_paths(char *target, size_t target_size, char *parent,
 * add a suffix to a given filename, properly handling extensions like '.der'
 */
 static void add_path_suffix(char *target, size_t target_size, char *filename,
- char *suffix)
+ char *suffix_fmt, ...)
 {
- char *start, *dot;
+ char suffix[PATH_MAX], *start, *dot;
+ va_list args;
+
+ va_start(args, suffix_fmt);
+ vsnprintf(suffix, sizeof(suffix), suffix_fmt, args);
+ va_end(args);
 
 start = strrchr(filename, '/');
 start = start ?: filename;
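Review bot: The comment above add_path_suffix still describes a plain suffix, while the changed signature line turns the parameter into a printf-style format with variadic arguments, and the return value of vsnprintf is discarded, so a format that expands beyond PATH_MAX is silently cut before it reaches the rest of the function. I would update the header to `/* add a suffix, given as a printf-style format and arguments, to a filename, properly handling extensions like '.der'; the expanded suffix is truncated to PATH_MAX */` so callers know the contract. The format parameter is never written through and could be declared `const char *suffix_fmt`. The remainder of add_path_suffix, where filename, suffix and target are combined, lies outside the hunk.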
@@ -862,22 +867,50 @@ int main(int argc, char **argv)
 {
 enumerator_t *enumerator;
 certificate_t *cert;
- int i = 1;
+ int ra_certs = 0, ca_certs = 0;
+ int ra_index = 1, ca_index = 1;
+
+ enumerator = pkcs7->create_certificate_enumerator(pkcs7);
+ while (enumerator->enumerate(enumerator, &cert))
+ {
+ x509_t *x509 = (x509_t*)cert;
+ if (x509->get_flags(x509) & X509_CA)
+ {
+ ca_certs++;
+ }
+ else
+ {
+ ra_certs++;
+ }
+ }
+ enumerator->destroy(enumerator);
 enumerator = pkcs7->create_certificate_enumerator(pkcs7);
 while (enumerator->enumerate(enumerator, &cert))
 {
 x509_t *x509 = (x509_t*)cert;
 bool ca_cert = x509->get_flags(x509) & X509_CA;
- char *path = ca_path;
+ char cert_path[PATH_MAX], *path = ca_path;
 
- if (!ca_cert)
+ if (ca_cert && ca_certs > 1)
+ {
+ add_path_suffix(cert_path, sizeof(cert_path), ca_path,
+ "-%.1d", ca_index++);
+ path = cert_path;
+ }
+ else if (!ca_cert)
 {
 /* use CA name as base for RA certs */
- char suffix[6], ra_path[PATH_MAX];
-
- snprintf(suffix, sizeof(suffix), "-ra%0.2d", i++);
- add_path_suffix(ra_path, sizeof(ra_path), ca_path, suffix);
- path = ra_path;
+ if (ra_certs > 1)
+ {
+ add_path_suffix(cert_path, sizeof(cert_path), ca_path,
+ "-ra-%.1d", ra_index++);
+ }
+ else
+ {
+ add_path_suffix(cert_path, sizeof(cert_path), ca_path,
+ "-ra");
+ }
+ path = cert_path;
 }
 
 if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
-- cgit v1.2.3
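Review bot: The first pass over the PKCS#7 bundle exists only to decide whether the output files need numbering, but nothing in the hunk says so; a one-line comment before the added `enumerator = pkcs7->create_certificate_enumerator(pkcs7);`, such as `/* count CA and RA certs first: files are numbered only when there is more than one of a kind */`, would spare the next reader reconstructing that from the second loop. The new loop casts each enumerated certificate to x509_t and reads its flags without checking the certificate type, repeating the pattern of the existing loop below it; if the enumerator can only yield X.509 certificates that is fine, but it is not visible here, and the CA/RA classification is now duplicated rather than factored into one small helper. The index assigned to a certificate follows the enumeration order of the bundle, which appears to be the order the server returned them in, so caCert-1.der on one run need not hold the same CA as on the next; that is worth a sentence in the comment or the man page, since the file name alone gives an operator no way to tell which CA it contains. main() starts and ends outside the hunk.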