Allow specifying a CRL in `icinga2 pki verify`

This commit is contained in:
Julian Brost 2020-12-08 09:55:18 +01:00 committed by Noah Hilverling
parent e86bd24348
commit 4c0247c02d
1 changed files with 15 additions and 6 deletions


@ -28,12 +28,13 @@ void PKIVerifyCommand::InitParameters(boost::program_options::options_descriptio
visibleDesc.add_options() visibleDesc.add_options()
("cn", po::value<std::string>(), "Common Name (optional). Use with '--cert' to check the CN in the certificate.") ("cn", po::value<std::string>(), "Common Name (optional). Use with '--cert' to check the CN in the certificate.")
("cert", po::value<std::string>(), "Certificate file path (optional). Standalone: print certificate. With '--cacert': Verify against CA.") ("cert", po::value<std::string>(), "Certificate file path (optional). Standalone: print certificate. With '--cacert': Verify against CA.")
("cacert", po::value<std::string>(), "CA certificate file path (optional). If passed standalone, verifies whether this is a CA certificate"); ("cacert", po::value<std::string>(), "CA certificate file path (optional). If passed standalone, verifies whether this is a CA certificate")
("crl", po::value<std::string>(), "CRL file path (optional). Check the certificate against this revocation list when verifying against CA.");
} }
std::vector<String> PKIVerifyCommand::GetArgumentSuggestions(const String& argument, const String& word) const std::vector<String> PKIVerifyCommand::GetArgumentSuggestions(const String& argument, const String& word) const
{ {
if (argument == "cert" || argument == "cacert") if (argument == "cert" || argument == "cacert" || argument == "crl")
return GetBashCompletionSuggestions("file", word); return GetBashCompletionSuggestions("file", word);
else else
return CLICommand::GetArgumentSuggestions(argument, word); return CLICommand::GetArgumentSuggestions(argument, word);
@ -46,7 +47,7 @@ std::vector<String> PKIVerifyCommand::GetArgumentSuggestions(const String& argum
*/ */
int PKIVerifyCommand::Run(const boost::program_options::variables_map& vm, const std::vector<std::string>& ap) const int PKIVerifyCommand::Run(const boost::program_options::variables_map& vm, const std::vector<std::string>& ap) const
{ {
String cn, certFile, caCertFile; String cn, certFile, caCertFile, crlFile;
if (vm.count("cn")) if (vm.count("cn"))
cn = vm["cn"].as<std::string>(); cn = vm["cn"].as<std::string>();
@ -57,6 +58,9 @@ int PKIVerifyCommand::Run(const boost::program_options::variables_map& vm, const
if (vm.count("cacert")) if (vm.count("cacert"))
caCertFile = vm["cacert"].as<std::string>(); caCertFile = vm["cacert"].as<std::string>();
if (vm.count("crl"))
crlFile = vm["crl"].as<std::string>();
/* Verify CN in certificate. */ /* Verify CN in certificate. */
if (!cn.IsEmpty() && !certFile.IsEmpty()) { if (!cn.IsEmpty() && !certFile.IsEmpty()) {
std::shared_ptr<X509> cert; std::shared_ptr<X509> cert;
@ -126,10 +130,15 @@ int PKIVerifyCommand::Run(const boost::program_options::variables_map& vm, const
bool signedByCA; bool signedByCA;
try { try {
signedByCA = VerifyCertificate(cacert, cert, String()); signedByCA = VerifyCertificate(cacert, cert, crlFile);
} catch (const std::exception& ex) { } catch (const std::exception& ex) {
Log(LogCritical, "cli") Log logmsg (LogCritical, "cli");
<< "CRITICAL: Certificate with CN '" << certCN << "' is NOT signed by CA: " << DiagnosticInformation(ex, false); logmsg << "CRITICAL: Certificate with CN '" << certCN << "' is NOT signed by CA: ";
if (const unsigned long *openssl_code = boost::get_error_info<errinfo_openssl_error>(ex)) {
logmsg << X509_verify_cert_error_string(*openssl_code) << " (code " << *openssl_code << ")";
} else {
logmsg << DiagnosticInformation(ex, false);
}
return ServiceCritical; return ServiceCritical;
} }
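Review bot: The wording on the line `logmsg << "CRITICAL: Certificate with CN '" << certCN << "' is NOT signed by CA: ";` no longer fits every failure it reports: now that `crlFile` is passed to `VerifyCertificate` on the line above, a certificate that is correctly signed but listed in the CRL fails verification too, and an operator reading "NOT signed by CA" off a revocation check is told the wrong thing. A neutral message such as `logmsg << "CRITICAL: Certificate with CN '" << certCN << "' failed verification against CA: ";` lets the appended `X509_verify_cert_error_string` text carry the actual reason. That lookup also presumably relies on `errinfo_openssl_error` always holding an X509_STORE_CTX verify error; if VerifyCertificate can instead attach an OpenSSL error-queue code on other paths (for instance when the CRL file cannot be loaded), the resulting string would be misleading, so either document the assumption with `// errinfo_openssl_error is expected to carry an X509_V_ERR_* code here` or fall back to `DiagnosticInformation(ex, false)` when the code is not a verify error. Run's body starts and ends outside this hunk.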