pt-tls-client: Load certificates via handle from smartcard or TPM
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 5 Dec 2017 19:41:43 +0000 (20:41 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 5 Dec 2017 20:31:31 +0000 (21:31 +0100)
src/pt-tls-client/pt-tls-client.1.in
src/pt-tls-client/pt-tls-client.c

index 795054c..3e14cbe 100644 (file)
@@ -10,7 +10,8 @@ pt-tls-client \- Simple client using PT-TLS to collect integrity information
 .BI \-\-connect
 .IR hostname |\fIaddress
 .OP \-\-port hex
-.RB [ \-\-cert
+.RB [ \-\-certid
+.IR hex |\fB\-\-cert
 .IR file ]+
 .RB [ \-\-keyid
 .IR hex |\fB\-\-key
@@ -64,6 +65,10 @@ Set the port of the PT-TLS server, default: 271.
 Set the path to an X.509 certificate file. This option can be repeated to load
 multiple client and CA certificates.
 .TP
+.BI "\-X, \-\-certid " hex
+Set the handle of the certificate stored in a smartcard or a TPM 2.0 Trusted
+Platform Module.
+.TP
 .BI "\-k, \-\-key " file
 Set the path to the client's PKCS#1 or PKCS#8 private key file
 .TP
@@ -71,7 +76,7 @@ Set the path to the client's PKCS#1 or PKCS#8 private key file
 Define the type of the private key if stored in PKCS#1 format. Can be omitted
 with PKCS#8 keys.
 .TP
-.BI "\-x, \-\-keyid " hex
+.BI "\-K, \-\-keyid " hex
 Set the keyid of the private key stored in a smartcard or a TPM 2.0 Trusted
 Platform Module.
 .TP
index 841724e..d31e162 100644 (file)
@@ -42,7 +42,7 @@ static void usage(FILE *out)
 {
        fprintf(out,
                "Usage: pt-tls  --connect <hostname|address> [--port <port>]\n"
-               "              [--cert <file>]+ [--keyid <hex>|--key <file>]\n"
+               "              [--certid <hex>|--cert <file>]+ [--keyid <hex>|--key <file>]\n"
                "              [--key-type rsa|ecdsa] [--client <client-id>]\n"
                "              [--secret <password>] [--mutual] [--quiet]\n"
                "              [--debug <level>] [--options <filename>]\n");
@@ -104,15 +104,26 @@ static mem_cred_t *creds;
 /**
  * Load certificate from file
  */
-static bool load_certificate(char *filename)
+static bool load_certificate(char *certid, char *filename)
 {
        certificate_t *cert;
+       chunk_t chunk;
 
-       cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-                                                         BUILD_FROM_FILE, filename, BUILD_END);
+       if (certid)
+       {
+               chunk = chunk_from_hex(chunk_create(certid, strlen(certid)), NULL);
+               cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+                                                                 BUILD_PKCS11_KEYID, chunk, BUILD_END);
+       }
+       else
+       {
+               cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+                                                                 BUILD_FROM_FILE, filename, BUILD_END);
+       }
        if (!cert)
        {
-               DBG1(DBG_TLS, "loading certificate from '%s' failed", filename);
+               DBG1(DBG_TLS, "loading certificate from '%s' failed",
+                                          certid ? certid : filename);
                return FALSE;
        }
        creds->add_cert(creds, TRUE, cert);
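Review bot: The chunk produced by chunk_from_hex() in the new certid branch is never released: with a NULL destination chunk_from_hex() allocates the decoded bytes, and as far as I can tell the builder reached through BUILD_PKCS11_KEYID only reads the va_arg chunk rather than taking ownership, so every --certid lookup leaks it. Add `chunk_free(&chunk);` right after the create() call inside the `if (certid)` branch, before the `if (!cert)` check, and compare with how load_key handles its --keyid chunk so both paths agree. The header comment above the function still reads "Load certificate from file"; it should now say `Load certificate from file, or from a smartcard/TPM 2.0 when a hex keyid handle is given`. A malformed hex string is decoded silently by chunk_from_hex() and surfaces only as the generic "loading certificate from '...' failed" message, which is tolerable for a CLI tool but worth a comment. load_certificate's body continues past the end of this hunk.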
@@ -282,6 +293,7 @@ int main(int argc, char *argv[])
                        {"client",              required_argument,              NULL,           'i' },
                        {"secret",              required_argument,              NULL,           's' },
                        {"port",                required_argument,              NULL,           'p' },
+                       {"certid",              required_argument,              NULL,           'X' },
                        {"cert",                required_argument,              NULL,           'x' },
                        {"keyid",               required_argument,              NULL,           'K' },
                        {"key",                 required_argument,              NULL,           'k' },
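Review bot: The new `{"certid", required_argument, NULL, 'X'}` entry wires only the long spelling; for the `-X` short form the man page now documents, getopt_long() also needs `X:` in the short-option string, which is outside this hunk, otherwise `-X` is rejected as an unknown option while `--certid` works. Worth checking that optstring in the same commit, and likewise that `K:` is present for --keyid, whose man-page short form was just changed from -x to -K because 'x' is already taken by --cert. The option table sits inside main(), which starts before and ends after this hunk.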
@@ -301,8 +313,14 @@ int main(int argc, char *argv[])
                        case 'h':                       /* --help */
                                usage(stdout);
                                return 0;
+                       case 'X':                       /* --certid <hex> */
+                               if (!load_certificate(optarg, NULL))
+                               {
+                                       return 1;
+                               }
+                               continue;
                        case 'x':                       /* --cert <file> */
-                               if (!load_certificate(optarg))
+                               if (!load_certificate(NULL, optarg))
                                {
                                        return 1;
                                }