From: Andreas Steffen
Date: Fri, 30 Sep 2016 06:05:20 +0000 (+0200)
Subject: Save both base and delta CRLs to disk
X-Git-Tag: 5.5.1rc1~1^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=85b5a6ace2a7c220c9ed54c1f5c1d33d9395a5cc;p=thirdparty%2Fstrongswan.git

Save both base and delta CRLs to disk
---

diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 44be512c03..77911c7b08 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -575,10 +575,14 @@ METHOD(credential_set_t, cache_cert, void,
 {
 	char buf[BUF_LEN];
 	chunk_t chunk, hex;
+	bool is_delta_crl;
+
+	is_delta_crl = crl->is_delta_crl(crl, NULL);
 
 	chunk = crl->get_authKeyIdentifier(crl);
 	hex = chunk_to_hex(chunk, NULL, FALSE);
-	snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex.ptr);
+	snprintf(buf, sizeof(buf), "%s/%s%s.crl", CRL_DIR, hex.ptr,
+			 is_delta_crl ? "_delta" : "");
 	free(hex.ptr);
 
 	if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c
index 453b743a1c..baf285fb89 100644
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@@ -74,10 +74,13 @@ METHOD(credential_set_t, cache_cert, void,
 {
 	char buf[BUF_LEN];
 	chunk_t chunk, hex;
+	bool is_delta_crl;
 
+	is_delta_crl = crl->is_delta_crl(crl, NULL);
 	chunk = crl->get_authKeyIdentifier(crl);
 	hex = chunk_to_hex(chunk, NULL, FALSE);
-	snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex.ptr);
+	snprintf(buf, sizeof(buf), "%s/%s%s.crl", CRL_DIR, hex.ptr,
+			 is_delta_crl ? "_delta" : "");
 	free(hex.ptr);
 
 	if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl
index 89534e4229..1a375e0512 100755
--- a/testing/hosts/winnetou/etc/openssl/generate-crl
+++ b/testing/hosts/winnetou/etc/openssl/generate-crl
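Review bot: The return value of the rewritten snprintf() in the stroke_cred.c hunk is still unchecked, and the identical hunk in vici_cred.c has the same gap: a name longer than BUF_LEN would be silently truncated and the CRL written under a wrong path, and the added `_delta` suffix makes the name six characters longer than before. Guard it with something like `if (snprintf(buf, sizeof(buf), "%s/%s%s.crl", CRL_DIR, hex.ptr, is_delta_crl ? "_delta" : "") >= sizeof(buf))` and skip the write after freeing hex.ptr, applying whatever cleanup the rest of cache_cert (which continues outside the hunk) needs. The naming scheme now lives in two plugins with no comment tying them together; a one-line comment above the snprintf in both, `/* base CRL: <authKeyId>.crl, delta CRL: <authKeyId>_delta.crl */`, or a shared helper, keeps them from drifting apart. If the header comment of this block still says CRLs are written as `<authKeyId>.crl` only, it should mention the delta suffix as well.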
@@ -31,6 +31,12 @@ cp index.html ${ROOT}
 # revoke moon's current CERT
 pki --signcrl --cacert strongswanCert.pem --cakey strongswanKey.pem --lifetime 30 --reason key-compromise --cert newcerts/2B.pem --lastcrl strongswan.crl > strongswan_moon_revoked.crl
 cp strongswan_moon_revoked.crl ${ROOT}
+# generate a base CRL
+pki --signcrl --lastcrl strongswan.crl --cacert strongswanCert.der --cakey strongswanKey.pem --lifetime 30 --crluri http://crl.strongswan.org/strongswan_delta.crl --digest sha256 > strongswan_base.crl
+cp strongswan_base.crl ${ROOT}
+# generate a delta CRL revoking moon's current cert
+pki --signcrl --basecrl strongswan_base.crl --reason key-compromise --cert newcerts/2B.pem --cacert strongswanCert.der --cakey strongswanKey.pem --lifetime 10 --digest sha256 > strongswan_delta.crl
+cp strongswan_delta.crl ${ROOT}
 cd /etc/openssl/research
 openssl ca -gencrl -crldays 15 -config /etc/openssl/research/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out research.crl
diff --git a/testing/tests/swanctl/crl-to-cache/description.txt b/testing/tests/swanctl/crl-to-cache/description.txt
index 9f542e73d5..0e6f1cbd69 100644
--- a/testing/tests/swanctl/crl-to-cache/description.txt
+++ b/testing/tests/swanctl/crl-to-cache/description.txt
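Review bot: Both new `pki --signcrl` invocations redirect into strongswan_base.crl / strongswan_delta.crl and the following `cp` publishes the file under ${ROOT} regardless of the exit status, so a failed signing would publish an empty CRL to the test hosts; unless the script already runs under `set -e` (its header is outside the hunk), chain each pair, e.g. `pki --signcrl ... > strongswan_base.crl && cp strongswan_base.crl ${ROOT}`. The delta is issued with `--lifetime 10` while the base that advertises it via `--crluri` uses `--lifetime 30`, so the delta expires well before its base (lifetime is in days for pki); that looks deliberate for the test but deserves a comment, e.g. `# delta lifetime is intentionally shorter than the base CRL's`. The new commands also pass `--cacert strongswanCert.der` where the command just above uses strongswanCert.pem; presumably the same CA certificate in two encodings, but using one file consistently avoids the question.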
@@ -1,6 +1,8 @@
-By setting cachecrls=yes in ipsec.conf, a copy of the CRL fetched
-via http from the web server winnetou is saved locally in the
-directory /etc/ipsec.d/crls on both the roadwarrior carol
-and the gateway moon when the IPsec connection is set up. The
-subjectKeyIdentifier of the issuing CA plus the suffix .crl
-is used as a unique filename for the cached CRL.
+By setting cache_crls = yes in /etc/strongswan.conf, a copy of
+both the base CRL and the latest delta CRL fetched via http from
+the web server winnetou is saved locally in the directory
+/etc/swanctl/x509crl on both the roadwarrior carol and the
+gateway moon when the IPsec connection is set up.
+The subjectKeyIdentifier of the issuing CA plus the suffixes
+.crl and _delta.crl are used as unique filename for the
+cached base CRL and delta CRL, respectively.
diff --git a/testing/tests/swanctl/crl-to-cache/evaltest.dat b/testing/tests/swanctl/crl-to-cache/evaltest.dat
index 1bdd666ba6..fa61f19fbf 100644
--- a/testing/tests/swanctl/crl-to-cache/evaltest.dat
+++ b/testing/tests/swanctl/crl-to-cache/evaltest.dat
@@ -1,4 +1,8 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO
 moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def_delta.crl::YES
 carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def_delta.crl::YES
+carol::cat /var/log/daemon.log::certificate was revoked::YES
+carol::cat /var/log/daemon.log::no trusted RSA public key found for.*moon.strongswan.org::YES
diff --git a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/x509/carolCert.pem b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/x509/carolCert.pem
new file mode 100644
index 0000000000..60c368794e
--- /dev/null
+++ b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/x509/carolCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDoDCCAoigAwIBAgIBMDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE0MDgyNzE1MDUzNloXDTE5MDgyNjE1MDUzNlowWjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMR0wGwYDVQQDDBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALfz1DcXyt/sOALi1IZ/RcuPa5m+4fiSST2wVWWr
+lw3hUjeiwLfgoLrtKaGX4i+At82Zol2mdbEXFpO+9qxXliP2u0fexqP4mBuZus3E
+LA82EOL0lQ2ahAi8O3qafkDMBSgvoeJpEwNe00Ugh53g7hT7dw8tSgcPGqQkWutI
+IKT9T6e/HbHNjRtYlw9ZlHsp8gSYjg/Q6vV6ofttueMUD9NRv8w2Y76rnRRmUGf3
+GlNFFmgxZntCJRuYltnxV7VcCFoppyauYt/fPmjAxbPRuhHKacnzIzq83Ixf5fSj
+MTlluGCfWFX/NGENXamBqChkRLHmuCHNexxRp9s2F1S10hECAwEAAaOBhTCBgjAf
+BgNVHSMEGDAWgBRdp91wBlEyfue2bbO15eBg6i5N7zAfBgNVHREEGDAWgRRjYXJv
+bEBzdHJvbmdzd2FuLm9yZzA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vY3JsLnN0
+cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fYmFzZS5jcmwwDQYJKoZIhvcNAQELBQAD
+ggEBABxfR7BK9IlDFdycldmYVfL2W2U/2b5tEZx/n943wEhc+AM+J1bba3yTeo61
+6AOEhO7QeaNnsAY9ZIRHfH827Lk1dWjub88ze/rS7qmozStF23Rzs4BimeiMQ6xI
+f1hJA1OiNXja2/lLijprevBY824Cd2iEq8LdU+9PIstsYKoLaSD/Ohilk4PGHIqX
+unhdasBKogtvS/PxKWSq+qdEFgHjM70uaf1Tx6QnPS9sqo/qxAQqxKOLstRmXRd6
+ojkTNWRO1miG1rOQkMcc4L2nbsb8nYFrUFLw7PjeJ1ugPL6R+tVjp32OWqCwvWtP
+SGaAJ/regpHs89VLbTKz1ybcqhw=
+-----END CERTIFICATE-----
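Review bot: The two rewritten `::NO` expectations for `state=ESTABLISHED` on carol and moon pass vacuously when swanctl itself fails, since its stderr is discarded with `2> /dev/null`; it is the positive log checks added below them (the `_delta.crl` write, `certificate was revoked`, `no trusted RSA public key found for.*moon.strongswan.org`) that actually pin the intended outcome, and that dependency is worth stating in the test's description.txt so a later edit does not drop them. The `certificate was revoked` match is not tied to moon's certificate; if the daemon's log line carries the subject or serial, anchoring the pattern to it would stop an unrelated revocation from satisfying the check.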
diff --git a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/x509/moonCert.pem
new file mode 100644
index 0000000000..ce570cef7b
--- /dev/null
+++ b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/x509/moonCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDoDCCAoigAwIBAgIBKzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE0MDgyNzE0NDQ1NloXDTE5MDgyNjE0NDQ1NlowRjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u
+c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCk
+fAX6xRdB0f5bBjN08zOmO7CEYa8eCyYFqHUhCw+x10v2BnKB6vOlMzW+9DiRtG68
+TdJlYt/24oRuJBX0gAGvzsv0kC9rnoQcgCJQy4bxaLNVsgoiFCVlzxLaYjABbQlz
+oSaegm/2PoX+1UP37rG8wlvAcuLSHsFQ720FUs/LvZh4Y0FjoKhvgKs64U4nIAJ7
+MnuL29n5fM5+dem7uovQOBg/+faZo8QkYSK9MW6eQkP+YnwN5zItNBxyGwKPbXXw
+Ey5/aqNWfhRY8IEG6HJgrnCwBMHUA14C2UV+Af7Cy4eNnC1Mmu7TmUYcFncXaFn0
+87ryFUdshlmPpIHxfjufAgMBAAGjgZkwgZYwHwYDVR0jBBgwFoAUXafdcAZRMn7n
+tm2zteXgYOouTe8wHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzATBgNV
+HSUEDDAKBggrBgEFBQcDATA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vY3JsLnN0
+cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fYmFzZS5jcmwwDQYJKoZIhvcNAQELBQAD
+ggEBAD7YFpbQoRC0nte5t/hpoaxiOwE4Wm+rKexOt8zbYhUc0Yrw6a89LELdqoa8
+vuSAxeHAUY4VmeWLOy7rSf/wURmjdMGO2su3Db+ZaOcrA8J5Oqxv3IAhdBcO4PUz
+e0Lu2+f8RyKhKUQGpkSJBIlHhv0APN6TBX0R8cvvZ5XnFKj+GNd7fT4RN5Qjp+9H
+f8kZboA3/Rg2+JcWOWgNu9sjqevoqjSJiDV8s3n5QO1VRZi32DAgSMAWWorDdKtd
+uMPizLDy7W1nSQGf/vhXDkE95g689Md04dul6vAerCdsf389ckjthCIUqAPoLWn7
+XZnkIiV5xba29D9dTq0QElCzU+M=
+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/crl-to-cache/posttest.dat b/testing/tests/swanctl/crl-to-cache/posttest.dat
index b0dd703230..210685a90c 100644
--- a/testing/tests/swanctl/crl-to-cache/posttest.dat
+++ b/testing/tests/swanctl/crl-to-cache/posttest.dat
@@ -1,4 +1,3 @@
-carol::swanctl --terminate --ike home
 carol::service charon stop 2> /dev/null
 moon::service charon stop 2> /dev/null
 moon::rm /etc/swanctl/x509crl/*