From: Andreas Steffen Date: Wed, 7 Feb 2024 06:55:10 +0000 (+0100) Subject: pki: Added key and cert handles to --ocsp command X-Git-Tag: android-2.5.0~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ad08ced8b23d79afcd2849abba4b61531f5a92f7;p=thirdparty%2Fstrongswan.git pki: Added key and cert handles to --ocsp command
---
diff --git a/src/pki/commands/ocsp.c b/src/pki/commands/ocsp.c
index 85ab673384..3b010470d1 100644
--- a/src/pki/commands/ocsp.c
+++ b/src/pki/commands/ocsp.c
@@ -233,7 +233,7 @@ static int ocsp()
 ocsp_responder_t *index_responder = NULL;
 linked_list_t *responses = NULL;
 array_t *index_responders = NULL;
- chunk_t encoding = chunk_empty, nonce = chunk_empty;
+ chunk_t encoding = chunk_empty, nonce = chunk_empty, handle = chunk_empty;
 chunk_t issuerNameHash, issuerKeyHash, serialNumber;
 hash_algorithm_t hashAlgorithm = HASH_SHA1, digest = HASH_UNKNOWN;
 signature_params_t *scheme = NULL;
@@ -257,15 +257,15 @@ static int ocsp()
 {
 switch (command_getopt(&arg))
 {
- case 'h':
+ case 'h': /* --help */
 goto usage;
- case 'i':
+ case 'i': /* --in */
 file = arg;
 continue;
- case 'r':
+ case 'r': /* --respond */
 op = OP_RESPOND;
 continue;
- case 'k':
+ case 'k': /* --key */
 key = lib->creds->create(lib->creds,
 CRED_PRIVATE_KEY, KEY_ANY,
 BUILD_FROM_FILE, arg, BUILD_END);
@@ -276,7 +276,20 @@ static int ocsp()
 }
 creds->add_key(creds, key);
 continue;
- case 'c':
+ case 'K': /* --keyid */
+ handle = chunk_from_hex(chunk_create(arg, strlen(arg)), NULL);
+ key = lib->creds->create(lib->creds,
+ CRED_PRIVATE_KEY, KEY_ANY,
+ BUILD_PKCS11_KEYID, handle, BUILD_END);
+ chunk_free(&handle);
+ if (!key)
+ {
+ DBG1(DBG_APP, "attaching to private key handle %s failed", arg);
+ goto usage;
+ }
+ creds->add_key(creds, key);
+ continue;
+ case 'c': /* --cert */
 cert = lib->creds->create(lib->creds,
 CRED_CERTIFICATE, CERT_X509,
 BUILD_FROM_FILE, arg, BUILD_END);
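Review bot: The failure branch of the new `case 'K'` logs through DBG1 and jumps to `usage` without assigning `error`, while the other option-parsing failures in this diff (`--digest`, `--rsa-padding`, `--index`) set `error` before the same `goto usage`, so whatever the usage label reports for `error` will not reflect the failed handle; adding `error = "attaching to private key handle failed";` before the `goto usage` keeps the new path consistent, and the `case 'X'` in the next hunk has the same gap. The hex string in `arg` is also handed to `chunk_from_hex` unchecked, and what that returns for an empty or malformed handle is not visible here, so a length check on `handle` before the `create` call (releasing it with `chunk_free` on that path) would make a bad `--keyid` fail with an explicit message rather than the generic one — confirm against chunk_from_hex's behaviour. `handle` is declared at function scope in the first hunk but only used inside these two cases; a case-local variable would narrow its lifetime. The enclosing ocsp() starts before and continues after this hunk.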
@@ -287,7 +300,20 @@ static int ocsp()
 }
 creds->add_cert(creds, TRUE, cert);
 continue;
- case 'C':
+ case 'X': /* --certid */
+ handle = chunk_from_hex(chunk_create(arg, strlen(arg)), NULL);
+ cert = lib->creds->create(lib->creds,
+ CRED_CERTIFICATE, CERT_X509,
+ BUILD_PKCS11_KEYID, handle, BUILD_END);
+ chunk_free(&handle);
+ if (!cert)
+ {
+ DBG1(DBG_APP, "attaching to certificate handle %s failed", arg);
+ goto usage;
+ }
+ creds->add_cert(creds, TRUE, cert);
+ continue;
+ case 'C': /* --cacert */
 DESTROY_IF(cacert);
 cacert = lib->creds->create(lib->creds,
 CRED_CERTIFICATE, CERT_X509,
@@ -299,7 +325,7 @@ static int ocsp()
 }
 cacert = creds->add_cert_ref(creds, TRUE, cacert);
 continue;
- case 'l':
+ case 'l': /* --lifetime */
 lifetime = atoi(arg) * 60;
 if (!lifetime)
 {
@@ -307,21 +333,21 @@ static int ocsp()
 goto usage;
 }
 continue;
- case 'g':
+ case 'g': /* --digest */
 if (!enum_from_name(hash_algorithm_short_names, arg, &digest))
 {
 error = "invalid --digest type";
 goto usage;
 }
 continue;
- case 'R':
+ case 'R': /* --rsa-padding */
 if (!parse_rsa_padding(arg, &pss))
 {
 error = "invalid RSA padding";
 goto usage;
 }
 continue;
- case 'x':
+ case 'x': /* --help */
 if (!cacert)
 {
 error = "--index must follow --cacert of corresponding CA";
@@ -598,7 +624,7 @@ static void __attribute__ ((constructor))reg()
 {
 command_register((command_t) {
 ocsp, 'o', "ocsp", "OCSP responder",
- {"[--in file] [--respond] [--cert file]+ [--key file]+ ",
+ {"[--in file] [--respond] [--cert file|--certid hex]+ [--key file|--keyid hex]+ ",
 "[--cacert file [--index file]]+",
 "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
 "[--rsa-padding pkcs1|pss] [--lifetime minutes]"},
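Review bot: The comment added to `case 'x'` in the `@@ -307,21` hunk reads `/* --help */`, but 'x' is the `--index` option: the hunk's own error string says `--index must follow --cacert`, the option table in reg() maps `"index"` to `'x'`, and `--help` is already annotated on `case 'h'` earlier in the diff. Change the line to `case 'x': /* --index */` so the new annotations, whose whole purpose is to map short options to long names, do not mislead. The switch and the enclosing ocsp() continue outside this hunk.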
@@ -607,7 +633,9 @@ static void __attribute__ ((constructor))reg()
 {"respond", 'r', 0, "respond to OCSP request with OCSP response"},
 {"in", 'i', 1, "input file, default: stdin"},
 {"key", 'k', 1, "path to OCSP signing private key (can be used multiple times)"},
+ {"keyid", 'K', 1, "smartcard or TPM private key object handle (can be used multiple times)"},
 {"cert", 'c', 1, "path to OCSP signing certificate (can be used multiple times"},
+ {"certid", 'X', 1, "smartcard or TPM certificate object handle (can be used multiple times)" },
 {"cacert", 'C', 1, "CA certificate (can be used multiple times"},
 {"index", 'x', 1, "OpenSSL-style index.txt to check status of certificates"},
 {"digest", 'g', 1, "digest for signature creation, default: key-specific"},
diff --git a/src/pki/man/pki---ocsp.1.in b/src/pki/man/pki---ocsp.1.in
index 94475544c4..8055054456 100644
--- a/src/pki/man/pki---ocsp.1.in
+++ b/src/pki/man/pki---ocsp.1.in
@@ -16,8 +16,12 @@ pki \-\-ocsp \- OCSP request parser and OCSP responder.
 .BI \-\-respond
 .OP \-\-in file
 .BI \-\-cacert\~ file
-.BI \-\-key\~ file
-.OP \-\-cert file
+.RB [ \-\-key
+.IR file | \fB\-\-keyid\fR
+.IB hex ]
+.RB [ \-\-cert
+.IR file | \fB\-\-certid\fR
+.IB hex ]
 .OP \-\-index file
 .OP \-\-lifetime minutes
 .OP \-\-digest digest
@@ -80,10 +84,18 @@ trust chain. Can be used multiple times.
 .BI "\-k, \-\-key " file
 OCSP signer key. Can be used multiple times.
 .TP
+.BI "\-K, \-\-keyid " hex
+Smartcard or TPM 2.0 OCSP signer key object handle. Can be used
+multiple times.
+.TP
 .BI "\-c, \-\-cert " file
 OCSP signer certificate (if it is not a CA certificate). Can be used
 multiple times.
 .TP
+.BI "\-X, \-\-certid " hex
+Smartcard or TPM 2.0 OCSP signer certificate object handle. Can be used
+multiple times.
+.TP
 .BI "\-x, \-\-index " file
 OpenSSL-style index.txt providing information about the status of
 certificates issued by the CA certificate loaded immediately before. Can be used multiple
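Review bot: The new `certid` entry in the option table closes with `" },` — a stray space before the brace that none of the neighbouring entries have; write it as `{"certid", 'X', 1, "smartcard or TPM certificate object handle (can be used multiple times)"},` to match the `keyid` line added just above and the rest of the table. Since the hunk touches this table anyway, the pre-existing `cert` and `cacert` descriptions with an unclosed "(can be used multiple times" could be fixed in passing, though that is outside the commit's stated scope. The option table and reg() continue outside this hunk.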