From: Andreas Steffen
Date: Sun, 1 Jan 2023 10:53:27 +0000 (+0100)
Subject: pki: Added nextca option to pki --scep
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=74197d928a27968b9e729218eca7e0acf82dece3;p=thirdparty%2Fstrongswan.git

pki: Added nextca option to pki --scep
---

diff --git a/src/pki/commands/scepca.c b/src/pki/commands/scepca.c
index 9ba72d41cf..d48fa5cd0c 100644
--- a/src/pki/commands/scepca.c
+++ b/src/pki/commands/scepca.c
@@ -30,7 +30,7 @@ static int scepca()
 cred_encoding_type_t form = CERT_ASN1_DER;
 chunk_t scep_response = chunk_empty;
 char *arg, *url = NULL, *caout = NULL, *raout = NULL;
- bool force = FALSE, success;
+ bool force = FALSE, success, next_ca = FALSE;
 u_int http_code = 0;

 while (TRUE)
@@ -48,6 +48,9 @@ static int scepca()
 case 'r': /* --raout */
 raout = arg;
 continue;
+ case 'n': /* --nextca */
+ next_ca = TRUE;
+ continue;
 case 'f': /* --form */
 if (!get_form(arg, &form, CRED_CERTIFICATE))
 {
@@ -70,8 +73,8 @@ static int scepca()
 return command_usage("--url is required");
 }

- if (!scep_http_request(url, SCEP_GET_CA_CERT, FALSE, chunk_empty,
- &scep_response, &http_code))
+ if (!scep_http_request(url, next_ca ? SCEP_GET_NEXT_CA_CERT : SCEP_GET_CA_CERT,
+ FALSE, chunk_empty, &scep_response, &http_code))
 {
 DBG1(DBG_APP, "did not receive a valid SCEP response: HTTP %u", http_code);
 return 1;
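Review bot: With `--nextca`, the rewritten `scep_http_request` call in scepca() fetches GetNextCACert, but nothing visible authenticates the reply before it is handled on the same path as a GetCACert response. RFC 8894 (section 4.7.1) defines that reply as a CMS SignedData signed by the current CA or RA key and requires clients to validate the signature before accepting the contents. The option table in this commit offers no way to supply the current CA certificate, so that check presumably cannot happen in this command. The processing after the call lies outside the hunk; unless it verifies the signature, I would add a comment at the call such as `/* GetNextCACert reply is not authenticated here: verify its signature against the current CA before trusting the stored certificate */` and say the same in the `nextca` help text. As a smaller style point, a local `scep_op_t op = next_ca ? SCEP_GET_NEXT_CA_CERT : SCEP_GET_CA_CERT;` ahead of the call would keep the long first line of the condition short.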
@@ -92,12 +95,13 @@ static void __attribute__ ((constructor))reg()
 command_register((command_t) {
 scepca, 'C', "scepca",
 "get CA [and RA] certificate[s] from a SCEP server",
- {"--url url [--caout file] [--raout file] [--outform der|pem] [--force]"},
+ {"--url url [--caout file] [--raout file] [--nextca] [--outform der|pem] [--force]"},
 {
 {"help", 'h', 0, "show usage information"},
 {"url", 'u', 1, "URL of the SCEP server"},
 {"caout", 'c', 1, "CA certificate [template]"},
 {"raout", 'r', 1, "RA certificate [template]"},
+ {"nextca", 'n', 0, "get next CA if available"},
 {"outform", 'f', 1, "encoding of stored certificates, default: der"},
 {"force", 'F', 0, "force overwrite of existing files"},
 }
diff --git a/src/pki/scep/scep.c b/src/pki/scep/scep.c
index 7bbef72eec..24a32830c9 100644
--- a/src/pki/scep/scep.c
+++ b/src/pki/scep/scep.c
@@ -33,7 +33,8 @@
 static const char *operations[] = {
 "PKIOperation",
 "GetCACert",
- "GetCACaps"
+ "GetCACaps",
+ "GetNextCACert"
 };

 static const char *pkiStatus_values[] = { "0", "2", "3" };
@@ -373,6 +374,7 @@ bool scep_http_request(const char *url, scep_op_t op, bool http_post,
 break;
 case SCEP_GET_CA_CERT:
 case SCEP_GET_CA_CAPS:
+ case SCEP_GET_NEXT_CA_CERT:
 {
 /* form complete url */
 len = strlen(url) + 11 + strlen(operation) + 1;
diff --git a/src/pki/scep/scep.h b/src/pki/scep/scep.h
index 4e97110136..185b73a3f9 100644
--- a/src/pki/scep/scep.h
+++ b/src/pki/scep/scep.h
@@ -31,7 +31,8 @@
 typedef enum {
 SCEP_PKI_OPERATION,
 SCEP_GET_CA_CERT,
 - SCEP_GET_CA_CAPS
+ SCEP_GET_CA_CAPS,
+ SCEP_GET_NEXT_CA_CERT
 } scep_op_t;

 /* SCEP pkiStatus values */
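Review bot: The new `"GetNextCACert"` entry in `operations[]` (scep.c) lines up with `SCEP_GET_NEXT_CA_CERT` (scep.h) only because both were appended in the same position; nothing in either hunk ties the string table to the enum. The lookup is outside these hunks, but if `operation` is read as `operations[op]`, a later enum value added without a matching string would index past the array and feed `strlen(operation)` a stray pointer. Designated initializers, e.g. `[SCEP_GET_NEXT_CA_CERT] = "GetNextCACert"` for each entry, would make the pairing explicit. A short comment on the enum, `/* keep in sync with operations[] in scep.c */`, would also help.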