char *handle;
uint32_t slot;
char *module;
+ char *file;
} cert_data_t;
/**
{
free(data->handle);
free(data->module);
+ free(data->file);
free(data);
}
{ "handle", parse_string, &cert->handle },
{ "slot", parse_uint32, &cert->slot },
{ "module", parse_string, &cert->module },
+ { "file", parse_string, &cert->file },
};
return parse_rules(rules, countof(rules), name, value,
free_cert_data(data);
return FALSE;
}
- if (!data->handle)
+ if (!data->handle && !data->file)
{
- auth->request->reply = create_reply("CKA_ID missing: %s", name);
+ auth->request->reply = create_reply("handle or file path missing: "
+ "%s", name);
+ free_cert_data(data);
+ return FALSE;
+ }
+ else if (data->handle && data->file)
+ {
+ auth->request->reply = create_reply("handle and file path given: "
+ "%s", name);
free_cert_data(data);
return FALSE;
}
- handle = chunk_from_hex(chunk_from_str(data->handle), NULL);
- if (data->slot != -1)
+ if (data->file)
{
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_PKCS11_KEYID, handle,
- BUILD_PKCS11_SLOT, data->slot,
- data->module ? BUILD_PKCS11_MODULE : BUILD_END,
- data->module, BUILD_END);
+ BUILD_FROM_FILE, data->file, BUILD_END);
}
else
{
- cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_PKCS11_KEYID, handle,
- data->module ? BUILD_PKCS11_MODULE : BUILD_END,
- data->module, BUILD_END);
+ handle = chunk_from_hex(chunk_from_str(data->handle), NULL);
+ if (data->slot != -1)
+ {
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+ CERT_X509, BUILD_PKCS11_KEYID, handle,
+ BUILD_PKCS11_SLOT, data->slot,
+ data->module ? BUILD_PKCS11_MODULE : BUILD_END,
+ data->module, BUILD_END);
+ }
+ else
+ {
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+ CERT_X509, BUILD_PKCS11_KEYID, handle,
+ data->module ? BUILD_PKCS11_MODULE : BUILD_END,
+ data->module, BUILD_END);
+ }
+ chunk_free(&handle);
}
- chunk_free(&handle);
free_cert_data(data);
if (!cert)
{
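Review bot: The new mutual-exclusion check rejects `handle` together with `file`, but a section that sets `file` together with `slot` or `module` is accepted and the token settings are silently dropped in the `if (data->file)` branch, so a misconfigured section loads a different certificate than the operator expected. Assuming `slot` defaults to -1 as the existing `data->slot != -1` test implies, the same diagnosis pattern covers it: `else if (data->file && (data->module || data->slot != -1))` replying with `create_reply("slot or module given with file path: %s", name)` before `free_cert_data(data); return FALSE;`. The accompanying documentation also states that `file` is an absolute path, yet nothing in the hunk enforces that, so a relative path would be resolved against the daemon's working directory; rejecting it up front (`if (!path_absolute(data->file))` if that helper is available in this tree, otherwise a leading-separator check) keeps behavior in line with what is documented. The enclosing function starts and ends outside the hunk.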
in _certs_ are transmitted as binary blobs, these sections offer more
flexibility.
+connections.<conn>.local<suffix>.cert<suffix>.file =
+ Absolute path to the certificate to load.
+
+ Absolute path to the certificate to load. Passed as-is to the daemon, so it
+ must be readable by it.
+
+ Configure either this or _handle_, but not both, in one section.
+
connections.<conn>.local<suffix>.cert<suffix>.handle =
Hex-encoded CKA_ID of the certificate on a token.
+ Hex-encoded CKA_ID of the certificate on a token.
+
+ Configure either this or _file_, but not both, in one section.
+
connections.<conn>.local<suffix>.cert<suffix>.slot =
Optional slot number of the token that stores the certificate.
in _certs_ are transmitted as binary blobs, these sections offer more
flexibility.
+connections.<conn>.remote<suffix>.cert<suffix>.file =
+ Absolute path to the certificate to load.
+
+ Absolute path to the certificate to load. Passed as-is to the daemon, so it
+ must be readable by it.
+
+ Configure either this or _handle_, but not both, in one section.
+
connections.<conn>.remote<suffix>.cert<suffix>.handle =
Hex-encoded CKA_ID of the certificate on a token.
+ Hex-encoded CKA_ID of the certificate on a token.
+
+ Configure either this or _file_, but not both, in one section.
+
connections.<conn>.remote<suffix>.cert<suffix>.slot =
Optional slot number of the token that stores the certificate.
in _cacerts_ are transmitted as binary blobs, these sections offer more
flexibility.
+connections.<conn>.remote<suffix>.cacert<suffix>.file =
+ Absolute path to the certificate to load.
+
+ Absolute path to the certificate to load. Passed as-is to the daemon, so it
+ must be readable by it.
+
+ Configure either this or _handle_, but not both, in one section.
+
connections.<conn>.remote<suffix>.cacert<suffix>.handle =
Hex-encoded CKA_ID of the CA certificate on a token.
+ Hex-encoded CKA_ID of the CA certificate on a token.
+
+ Configure either this or _file_, but not both, in one section.
+
connections.<conn>.remote<suffix>.cacert<suffix>.slot =
Optional slot number of the token that stores the CA certificate.