scepclient: Also number CA certificates in case there is more than one.
authorTobias Brunner <tobias@strongswan.org>
Fri, 11 May 2012 07:47:56 +0000 (09:47 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 11 Jun 2012 15:09:19 +0000 (17:09 +0200)
Also, only number them if there are multiple certificates.

src/scepclient/scepclient.8
src/scepclient/scepclient.c

index 2fe17e6..c2068f6 100644 (file)
@@ -62,7 +62,9 @@ Do not write log output to stderr.
 .SS Options for CA Certificate Acquisition
 .B \-o, \-\-out cacert[=\fIfilename\fP]
 .RS 4
-Output file of acquired CA certificate. If more then one CA certificate is available, \fIfilename\fP is used as prefix for the resulting files.
+Output file of acquired CA certificate. If more then one CA certificate is
+available, \fIfilename\fP is used as prefix for the resulting files (refer to
+EXAMPLES below for details).
 .br
 The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
 .RE
@@ -230,9 +232,11 @@ Changes the log level (-1..4, default: 1)
 .B  ipsec scepclient \-\-out caCert \-\-url http://scepserver/cgi\-bin/pkiclient.exe \-f
 .RS 4
 Acquire CA certificate from SCEP server and store it in the default file $CONFDIR/ipsec.d/cacerts/caCert.der.
-If more then one CA certificate is returned, store them in files named caCert.der\-1', caCert.der\-2', etc.
-.br
-Existing files are overwritten.
+If more then one CA certificate is returned, store them in files named
+\'caCert\-1.der\', \'caCert\-2.der\', etc.
+If an RA certificate is returned, store it in a file named \'caCert\-ra.der\'.
+If more than one RA certificate is returned, store them in files named
+\'caCert\-ra\-1.der\', \'caCert\-ra\-2.der\', etc.
 .RE
 .PP
 .B  ipsec scepclient \-\-out pkcs1=joeKey.der \-k 1024
index c66cf42..59a4ee6 100644 (file)
@@ -222,9 +222,14 @@ static void join_paths(char *target, size_t target_size, char *parent,
  * add a suffix to a given filename, properly handling extensions like '.der'
  */
 static void add_path_suffix(char *target, size_t target_size, char *filename,
-                                                       char *suffix)
+                                                       char *suffix_fmt, ...)
 {
-       char *start, *dot;
+       char suffix[PATH_MAX], *start, *dot;
+       va_list args;
+
+       va_start(args, suffix_fmt);
+       vsnprintf(suffix, sizeof(suffix), suffix_fmt, args);
+       va_end(args);
 
        start = strrchr(filename, '/');
        start = start ?: filename;
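Review bot: The return value of vsnprintf on the new line 51 is discarded, so a suffix that does not fit in PATH_MAX would be silently truncated and the caller would write to a misnamed file; all visible callers pass short literal formats, so this is latent, but the new variadic signature loses the type checking the old plain `char *suffix` parameter had. Declaring the function `static void add_path_suffix(char *target, size_t target_size, char *filename, char *suffix_fmt, ...) __attribute__((format(printf, 4, 5)));` would let the compiler verify the new call sites, and the comment above the signature should say that `suffix_fmt` is a printf-style format whose expansion is bounded by PATH_MAX. va_list/va_start require <stdarg.h>, which is not visible in this hunk; presumably it is already included. The body of add_path_suffix continues past the end of the hunk.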
@@ -862,22 +867,50 @@ int main(int argc, char **argv)
                {
                        enumerator_t *enumerator;
                        certificate_t *cert;
-                       int i = 1;
+                       int ra_certs = 0, ca_certs = 0;
+                       int ra_index = 1, ca_index = 1;
+
+                       enumerator = pkcs7->create_certificate_enumerator(pkcs7);
+                       while (enumerator->enumerate(enumerator, &cert))
+                       {
+                               x509_t *x509 = (x509_t*)cert;
+                               if (x509->get_flags(x509) & X509_CA)
+                               {
+                                       ca_certs++;
+                               }
+                               else
+                               {
+                                       ra_certs++;
+                               }
+                       }
+                       enumerator->destroy(enumerator);
 
                        enumerator = pkcs7->create_certificate_enumerator(pkcs7);
                        while (enumerator->enumerate(enumerator, &cert))
                        {
                                x509_t *x509 = (x509_t*)cert;
                                bool ca_cert = x509->get_flags(x509) & X509_CA;
-                               char *path = ca_path;
+                               char cert_path[PATH_MAX], *path = ca_path;
 
-                               if (!ca_cert)
+                               if (ca_cert && ca_certs > 1)
+                               {
+                                       add_path_suffix(cert_path, sizeof(cert_path), ca_path,
+                                                                       "-%.1d", ca_index++);
+                                       path = cert_path;
+                               }
+                               else if (!ca_cert)
                                {       /* use CA name as base for RA certs */
-                                       char suffix[6], ra_path[PATH_MAX];
-
-                                       snprintf(suffix, sizeof(suffix), "-ra%0.2d", i++);
-                                       add_path_suffix(ra_path, sizeof(ra_path), ca_path, suffix);
-                                       path = ra_path;
+                                       if (ra_certs > 1)
+                                       {
+                                               add_path_suffix(cert_path, sizeof(cert_path), ca_path,
+                                                                               "-ra-%.1d", ra_index++);
+                                       }
+                                       else
+                                       {
+                                               add_path_suffix(cert_path, sizeof(cert_path), ca_path,
+                                                                               "-ra");
+                                       }
+                                       path = cert_path;
                                }
 
                                if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
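Review bot: The format `"-%.1d"` on the new lines 91 and 104 reads like a leftover from the old `"-ra%0.2d"`; a precision of 1 is the default for `%d`, so `"-%d"` and `"-ra-%d"` express the same thing without suggesting zero padding that does not happen. The first enumeration pass deserves a short comment, e.g. `/* count CA and RA certs first: a single cert is written unnumbered */`, since without it the duplicated classification loop looks redundant. The numbering follows the enumeration order of the PKCS#7 response, so a reader might also want a note that the index reflects that order rather than any property of the certificate. The enclosing main() starts before and continues after this hunk.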