From 09d8215d3feca18a8a7f986ffcec4036ae44d3bc Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 18 Aug 2016 18:07:21 +0200
Subject: [PATCH] pki: Allow to load CRLs from files in --verify

---
 src/pki/commands/verify.c     | 18 ++++++++++++++++--
 src/pki/man/pki---verify.1.in |  6 +++++-
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c
index 8cc633a..dd667fb 100644
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@@ -1,6 +1,7 @@
 /*
+ * Copyright (C) 2016 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -59,6 +60,18 @@ static int verify()
 				has_ca = TRUE;
 				creds->add_cert(creds, TRUE, cert);
 				continue;
+			case 'l':
+				cert = lib->creds->create(lib->creds,
+										  CRED_CERTIFICATE, CERT_X509_CRL,
+										  BUILD_FROM_FILE, arg, BUILD_END);
+				if (!cert)
+				{
+					fprintf(stderr, "parsing CRL failed\n");
+					goto end;
+				}
+				online = TRUE;
+				creds->add_crl(creds, (crl_t*)cert);
+				continue;
 			case 'o':
 				online = TRUE;
 				continue;
@@ -173,11 +186,12 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		verify, 'v', "verify",
 		"verify a certificate using the CA certificate",
-		{"[--in file] [--cacert file]"},
+		{"[--in file] [--cacert file] [--crl file]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "X.509 certificate to verify, default: stdin"},
 			{"cacert",	'c', 1, "CA certificate for trustchain verification"},
+			{"crl",		'l', 1, "CRL for trustchain verification"},
 			{"online",	'o', 0, "enable online CRL/OCSP revocation checking"},
 		}
 	});
diff --git a/src/pki/man/pki---verify.1.in b/src/pki/man/pki---verify.1.in
index dd0c0e9..74adaf1 100644
--- a/src/pki/man/pki---verify.1.in
+++ b/src/pki/man/pki---verify.1.in
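Review bot: The new `case 'l'` sets `online = TRUE` as a side effect of loading a local CRL, so `--crl` also switches on network CRL/OCSP fetching, which a user who supplies a local CRL precisely to verify without network access will not expect; the man page says "Implies -o" but the code gives no reason. If, as seems likely, revocation checking is only performed at all when `online` is set, a one-line comment before the assignment would make that explicit, e.g. `/* revocation checking only runs when online is set; a local CRL is ignored otherwise */`. The help string added in the `reg()` hunk, `"CRL for trustchain verification"`, should say the same thing as the man page, e.g. `"CRL for trustchain verification (implies --online)"`. The error path could also name the offending file so a failure among several `--crl` options is attributable: `fprintf(stderr, "parsing CRL '%s' failed\n", arg);`. The body of `verify()` and the `reg()` initializer both continue outside their hunks.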
@@ -1,4 +1,4 @@
-.TH "PKI \-\-VERIFY" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.TH "PKI \-\-VERIFY" 1 "2016-08-19" "@PACKAGE_VERSION@" "strongSwan"
 .
 .SH "NAME"
 .
@@ -9,6 +9,7 @@ pki \-\-verify \- Verify a certificate using a CA certificate
 .SY pki\ \-\-verify
 .OP \-\-in file
 .OP \-\-cacert file
+.OP \-\-crl file
 .OP \-\-debug level
 .OP \-\-online
 .YS
@@ -48,6 +49,9 @@ X.509 certificate to verify. If not given it is read from \fISTDIN\fR.
 CA certificate to use for trustchain verification. If not given the certificate is assumed to be self\-signed.
 .TP
+.BI "\-l, \-\-crl " file
+Local CRL to use for trustchain verification. Implies \fB-o\fR.
+.TP
 .BI "\-o, \-\-online
 Enable online CRL/OCSP revocation checking.
 .
-- 
2.7.4