certexpire: add an option to enforce exporting trustchains having a private key
authorMartin Willi <martin@revosec.ch>
Tue, 15 Nov 2011 17:13:53 +0000 (17:13 +0000)
committerMartin Willi <martin@revosec.ch>
Wed, 17 Jul 2013 14:55:52 +0000 (16:55 +0200)
src/libcharon/plugins/certexpire/certexpire_export.c

index e339b80042b83918333e89fc0ba74c8fb79a6268..f1205cfd8d6e5dc146e071c8a881255f0487eb28 100644 (file)
@@ -88,6 +88,11 @@ struct private_certexpire_export_t {
         * String to use in empty fields, if using fixed_fields
         */
        char *empty_string;
+
+       /**
+        * Force export of all trustchains we have a private key for
+        */
+       bool force;
 };
 
 /**
@@ -184,21 +189,6 @@ static void export_csv(private_certexpire_export_t *this, char *path,
        }
 }
 
-/**
- * Export cached trustchain expiration dates to CSV files
- */
-static void cron_export(private_certexpire_export_t *this)
-{
-       if (this->local_path)
-       {
-               export_csv(this, this->local_path, this->local);
-       }
-       if (this->remote_path)
-       {
-               export_csv(this, this->remote_path, this->remote);
-       }
-}
-
 METHOD(certexpire_export_t, add, void,
        private_certexpire_export_t *this, linked_list_t *trustchain, bool local)
 {
@@ -320,6 +310,81 @@ METHOD(certexpire_export_t, add, void,
        enumerator->destroy(enumerator);
 }
 
+/**
+ * Add trustchains we have a private key for to the list
+ */
+static void add_local_certs(private_certexpire_export_t *this)
+{
+       enumerator_t *enumerator;
+       certificate_t *cert;
+
+       enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+                                                                                       CERT_X509, KEY_ANY, NULL, FALSE);
+       while (enumerator->enumerate(enumerator, &cert))
+       {
+               linked_list_t *trustchain;
+               private_key_t *private;
+               public_key_t *public;
+               identification_t *keyid;
+               chunk_t chunk;
+               x509_t *x509 = (x509_t*)cert;
+
+               trustchain = linked_list_create();
+
+               public = cert->get_public_key(cert);
+               if (public)
+               {
+                       if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk))
+                       {
+                               keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
+                               private = lib->credmgr->get_private(lib->credmgr,
+                                                                               public->get_type(public), keyid, NULL);
+                               keyid->destroy(keyid);
+                               if (private)
+                               {
+                                       trustchain->insert_last(trustchain, cert->get_ref(cert));
+
+                                       while (!(x509->get_flags(x509) & X509_SELF_SIGNED))
+                                       {
+                                               cert = lib->credmgr->get_cert(lib->credmgr, CERT_X509,
+                                                                               KEY_ANY, cert->get_issuer(cert), FALSE);
+                                               if (!cert)
+                                               {
+                                                       break;
+                                               }
+                                               x509 = (x509_t*)cert;
+                                               trustchain->insert_last(trustchain, cert);
+                                       }
+                                       private->destroy(private);
+                               }
+                       }
+                       public->destroy(public);
+               }
+               add(this, trustchain, TRUE);
+               trustchain->destroy_offset(trustchain, offsetof(certificate_t, destroy));
+       }
+       enumerator->destroy(enumerator);
+}
+
+/**
+ * Export cached trustchain expiration dates to CSV files
+ */
+static void cron_export(private_certexpire_export_t *this)
+{
+       if (this->local_path)
+       {
+               if (this->force)
+               {
+                       add_local_certs(this);
+               }
+               export_csv(this, this->local_path, this->local);
+       }
+       if (this->remote_path)
+       {
+               export_csv(this, this->remote_path, this->remote);
+       }
+}
+
 METHOD(certexpire_export_t, destroy, void,
        private_certexpire_export_t *this)
 {
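Review bot: The issuer walk in add_local_certs (`while (!(x509->get_flags(x509) & X509_SELF_SIGNED))`) has no depth bound: it stops only on a self-signed certificate or a missing issuer, so a credential store holding a cross-signed pair where neither end is self-signed could loop and grow the trustchain list without limit. A counter bounds this cheaply, e.g. `int depth = 0;` beside the other locals and `while (!(x509->get_flags(x509) & X509_SELF_SIGNED) && depth++ < CHAIN_DEPTH_LIMIT)`, with CHAIN_DEPTH_LIMIT a placeholder for a small constant of the maintainer's choice. Separately, add() is reached even when the certificate yields no public key or no matching private key, so it receives an empty trustchain; add's body lies outside this hunk, so whether it tolerates that is unclear, and guarding the call with `if (trustchain->get_count(trustchain))` would make the intent explicit. The cast `x509_t *x509 = (x509_t*)cert;` would also read better with a why-comment such as `/* safe: the enumerator is filtered to CERT_X509 */`.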
@@ -382,6 +447,9 @@ certexpire_export_t *certexpire_export_create()
                .empty_string = lib->settings->get_str(lib->settings,
                                                                "%s.plugins.certexpire.csv.empty_string",
                                                                "", charon->name),
+               .force = lib->settings->get_bool(lib->settings,
+                                                               "%s.plugins.certexpire.csv.force",
+                                                               TRUE, charon->name),
        );
 
        cron = lib->settings->get_str(lib->settings,
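Review bot: The new `csv.force` option is read with a default of TRUE, so every existing deployment that sets a local CSV path will, from this commit on, enumerate all X509 certificates and perform a private-key lookup for each on every cron export without any configuration change. If the commit title's "add an option to enforce" means the behaviour is meant to be opt-in, the default should be `FALSE, charon->name),`; if on-by-default is intended, that choice deserves a short comment next to the initializer, e.g. `/* exports every trustchain with a private key unless disabled */`. The setting's name and default should also be listed with the other csv options in the plugin documentation, which is outside this hunk.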