From 71cf3d709aedfaeb2916152dca8400df7d765a41 Mon Sep 17 00:00:00 2001
From: Andreas Steffen
Date: Tue, 5 Dec 2017 20:41:43 +0100
Subject: [PATCH] pt-tls-client: Load certificates via handle from smartcard or TPM
---
 src/pt-tls-client/pt-tls-client.1.in | 9 +++++++--
 src/pt-tls-client/pt-tls-client.c | 30 ++++++++++++++++++++++------
 2 files changed, 31 insertions(+), 8 deletions(-)
diff --git a/src/pt-tls-client/pt-tls-client.1.in b/src/pt-tls-client/pt-tls-client.1.in
index 795054c807..3e14cbe374 100644
--- a/src/pt-tls-client/pt-tls-client.1.in
+++ b/src/pt-tls-client/pt-tls-client.1.in
@@ -10,7 +10,8 @@ pt-tls-client \- Simple client using PT-TLS to collect integrity information
 .BI \-\-connect
 .IR hostname |\fIaddress
 .OP \-\-port hex
-.RB [ \-\-cert
+.RB [ \-\-certid
+.IR hex |\fB\-\-cert
 .IR file ]+
 .RB [ \-\-keyid
 .IR hex |\fB\-\-key
@@ -64,6 +65,10 @@ Set the port of the PT-TLS server, default: 271.
 Set the path to an X.509 certificate file. This option can be repeated to load multiple client and CA certificates.
 .TP
+.BI "\-X, \-\-certid " hex
+Set the handle of the certificate stored in a smartcard or a TPM 2.0 Trusted
+Platform Module.
+.TP
 .BI "\-k, \-\-key " file
 Set the path to the client's PKCS#1 or PKCS#8 private key file
 .TP
@@ -71,7 +76,7 @@ Set the path to the client's PKCS#1 or PKCS#8 private key file
 Define the type of the private key if stored in PKCS#1 format. Can be omitted with PKCS#8 keys.
 .TP
-.BI "\-x, \-\-keyid " hex
+.BI "\-K, \-\-keyid " hex
 Set the keyid of the private key stored in a smartcard or a TPM 2.0 Trusted Platform Module.
 .TP
diff --git a/src/pt-tls-client/pt-tls-client.c b/src/pt-tls-client/pt-tls-client.c
index 841724eb3d..d31e162200 100644
--- a/src/pt-tls-client/pt-tls-client.c
+++ b/src/pt-tls-client/pt-tls-client.c
@@ -42,7 +42,7 @@ static void usage(FILE *out)
 {
 fprintf(out, "Usage: pt-tls --connect [--port ]\n"
- " [--cert ]+ [--keyid |--key ]\n"
+ " [--certid |--cert ]+ [--keyid |--key ]\n"
 " [--key-type rsa|ecdsa] [--client ]\n"
 " [--secret ] [--mutual] [--quiet]\n"
 " [--debug ] [--options ]\n");
@@ -104,15 +104,26 @@ static mem_cred_t *creds;
 /**
 * Load certificate from file
 */
-static bool load_certificate(char *filename)
+static bool load_certificate(char *certid, char *filename)
 {
 certificate_t *cert;
+ chunk_t chunk;
 
- cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_FROM_FILE, filename, BUILD_END);
+ if (certid)
+ {
+ chunk = chunk_from_hex(chunk_create(certid, strlen(certid)), NULL);
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_PKCS11_KEYID, chunk, BUILD_END);
+ }
+ else
+ {
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, filename, BUILD_END);
+ }
 if (!cert)
 {
- DBG1(DBG_TLS, "loading certificate from '%s' failed", filename);
+ DBG1(DBG_TLS, "loading certificate from '%s' failed",
+ certid ? certid : filename);
 return FALSE;
 }
 creds->add_cert(creds, TRUE, cert);
@@ -282,6 +293,7 @@ int main(int argc, char *argv[])
 {"client", required_argument, NULL, 'i' },
 {"secret", required_argument, NULL, 's' },
 {"port", required_argument, NULL, 'p' },
+ {"certid", required_argument, NULL, 'X' },
 {"cert", required_argument, NULL, 'x' },
 {"keyid", required_argument, NULL, 'K' },
 {"key", required_argument, NULL, 'k' },
@@ -301,8 +313,14 @@ int main(int argc, char *argv[])
 case 'h': /* --help */
 usage(stdout);
 return 0;
+ case 'X': /* --certid */
+ if (!load_certificate(optarg, NULL))
+ {
+ return 1;
+ }
+ continue;
 case 'x': /* --cert */
- if (!load_certificate(optarg))
+ if (!load_certificate(NULL, optarg))
 {
 return 1;
 }
-- 
2.47.3
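Review bot: In the load_certificate hunk the retained header comment `Load certificate from file` is now wrong, since the new certid branch loads by smartcard/TPM handle instead; change it to `Load certificate by smartcard/TPM handle (hex certid) or from a file`. On that branch, `chunk_from_hex(..., NULL)` returns a freshly allocated buffer that the function never releases after the create() call, so each `--certid` leaks it; unless the BUILD_PKCS11_KEYID builder takes ownership of the chunk (not visible here), add `chunk_free(&chunk);` right after the create() call in the certid branch. If main() passes a short-option string to getopt_long (the call is outside these hunks), it also needs `X:` for the `-X` short form the man page now documents. load_certificate's closing lines after add_cert lie outside the hunk.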