author | Reyk Floeter <reyk@cvs.openbsd.org> | 2010-10-07 13:30:51 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2010-10-07 13:30:51 +0000 |
commit | ef93c654eac834fd282ce76a89d4d398fa8778dd (patch) | |
tree | a44a4351fabb27badf563ea213caf7ecf463903a /usr.sbin | |
parent | 742b87c9dcf5fbf8cea1902b83fd6faf9ba28167 (diff) |
Allow the export password to be specified on the command line (optionally, for
scripting). The "peer" argument now needs to be preceded with the "peer"
keyword, eg. ... export peer 10.1.1.1 instead of export 10.1.1.1.
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/ikectl/ikeca.c | 24 | ||||
-rw-r--r-- | usr.sbin/ikectl/ikectl.8 | 10 | ||||
-rw-r--r-- | usr.sbin/ikectl/ikectl.c | 6 | ||||
-rw-r--r-- | usr.sbin/ikectl/parser.c | 41 | ||||
-rw-r--r-- | usr.sbin/ikectl/parser.h | 4 |
5 files changed, 52 insertions, 33 deletions
diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index 99db0c35914..7aedd8496bc 100644
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikeca.c,v 1.12 2010/10/07 12:23:14 reyk Exp $ */
+/* $OpenBSD: ikeca.c,v 1.13 2010/10/07 13:30:50 reyk Exp $ */
 /* $vantronix: ikeca.c,v 1.13 2010/06/03 15:52:52 reyk Exp $ */
 
 /*
@@ -458,7 +458,7 @@ rm_dir(char *path)
 }
 
 int
-ca_export(struct ca *ca, char *keyname, char *myname)
+ca_export(struct ca *ca, char *keyname, char *myname, char *password)
 {
 DIR *dexp;
 struct dirent *de;
@@ -496,14 +496,18 @@ ca_export(struct ca *ca, char *keyname, char *myname)
 while ((p = strchr(oname, ':')) != NULL)
 *p = '_';
 
- pass = getpass("Export passphrase:");
- if (pass == NULL || *pass == '\0')
- err(1, "password not set");
-
- strlcpy(prev, pass, sizeof(prev));
- pass = getpass("Retype export passphrase:");
- if (pass == NULL || strcmp(prev, pass) != 0)
- errx(1, "passphrase does not match!");
+ if (password != NULL)
+ pass = password;
+ else {
+ pass = getpass("Export passphrase:");
+ if (pass == NULL || *pass == '\0')
+ err(1, "password not set");
+
+ strlcpy(prev, pass, sizeof(prev));
+ pass = getpass("Retype export passphrase:");
+ if (pass == NULL || strcmp(prev, pass) != 0)
+ errx(1, "passphrase does not match!");
+ }
 
 if (keyname != NULL) {
 snprintf(cmd, sizeof(cmd), "env EXPASS=%s %s pkcs12 -export"
diff --git a/usr.sbin/ikectl/ikectl.8 b/usr.sbin/ikectl/ikectl.8
index 0121f4307c7..5fe9c178c74 100644
--- a/usr.sbin/ikectl/ikectl.8
+++ b/usr.sbin/ikectl/ikectl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ikectl.8,v 1.11 2010/10/07 12:33:58 reyk Exp $
+.\" $OpenBSD: ikectl.8,v 1.12 2010/10/07 13:30:50 reyk Exp $
 .\" $vantronix: ikectl.8,v 1.11 2010/06/03 15:55:51 reyk Exp $
 .\"
 .\" Copyright (c) 2007, 2008, 2009, 2010 Reyk Floeter <reyk@vantronix.net>
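Review bot: The new `if (password != NULL) pass = password;` branch in ca_export skips the empty-passphrase check that the interactive branch still performs, so a scripted `export password ''` reaches the `env EXPASS=%s %s pkcs12 -export` command with an empty EXPASS; the branch should reject it the same way, `if (password != NULL) { if (*password == '\0') errx(1, "password not set"); pass = password; }`. The passphrase is also spliced into a shell command string by snprintf, and since that string is presumably handed to a shell, a password containing whitespace or shell metacharacters will alter the command rather than fail cleanly; exporting EXPASS with setenv(3) and dropping `env EXPASS=%s` from the format, or at least refusing passwords containing such characters, would close that. A passphrase given on the command line is visible to other local users in ps(1) output and lands in shell history, which the man page hunks in this commit should state as the trade-off for scripting. The body of ca_export continues outside the hunk on both sides.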
@@ -104,7 +104,7 @@ The following commands are available to control the CA:
 .Bl -tag -width Ds
 .It Xo
 .Cm ca Ar name Cm create
-.Op Ar password
+.Op Cm password Ar password
 .Xc
 Create a new certificate authority with the specified
 .Ar name .
@@ -120,7 +120,8 @@ Delete the certificate authority with the specified
 .Ar name .
 .It Xo
 .Cm ca Ar name Cm export
-.Op Ar peer
+.Op Cm peer Ar peer
+.Op Cm password Ar password
 .Xc
 Export the certificate authority with the specified
 .Ar name
@@ -168,7 +169,8 @@ Deletes the private key and and certificates associated with
 .It Xo
 .Cm ca Ar name Cm certificate Ar host
 .Cm export
-.Op Ar peer
+.Op Cm peer Ar peer
+.Op Cm password Ar password
 .Xc
 Export key files for
 .Ar host
diff --git a/usr.sbin/ikectl/ikectl.c b/usr.sbin/ikectl/ikectl.c
index 000ece6113c..b3331401ab6 100644
--- a/usr.sbin/ikectl/ikectl.c
+++ b/usr.sbin/ikectl/ikectl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikectl.c,v 1.7 2010/10/07 13:28:46 jmc Exp $ */
+/* $OpenBSD: ikectl.c,v 1.8 2010/10/07 13:30:50 reyk Exp $ */
 
 /*
  * Copyright (c) 2007, 2008 Reyk Floeter <reyk@vantronix.net>
@@ -97,7 +97,7 @@ ca_opt(struct parse_result *res)
 ca_install(ca);
 break;
 case CA_EXPORT:
- ca_export(ca, NULL, res->peer);
+ ca_export(ca, NULL, res->peer, res->pass);
 break;
 case CA_CERT_CREATE:
 case CA_SERVER:
@@ -111,7 +111,7 @@ ca_opt(struct parse_result *res)
 ca_cert_install(ca, res->host);
 break;
 case CA_CERT_EXPORT:
- ca_export(ca, res->host, res->peer);
+ ca_export(ca, res->host, res->peer, res->pass);
 break;
 case CA_CERT_REVOKE:
 ca_revoke(ca, res->host);
diff --git a/usr.sbin/ikectl/parser.c b/usr.sbin/ikectl/parser.c
index 752c775c4d4..3d4151ec72e 100644
--- a/usr.sbin/ikectl/parser.c
+++ b/usr.sbin/ikectl/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.6 2010/10/07 12:23:14 reyk Exp $ */
+/* $OpenBSD: parser.c,v 1.7 2010/10/07 13:30:50 reyk Exp $ */
 
 /*
  * Copyright (c) 2010 Reyk Floeter <reyk@vantronix.net>
@@ -61,7 +61,10 @@ static const struct token t_log[];
 static const struct token t_load[];
 static const struct token t_ca[];
 static const struct token t_ca_pass[];
+static const struct token t_ca_pass_val[];
+static const struct token t_ca_export[];
 static const struct token t_ca_ex_peer[];
+static const struct token t_ca_ex_pass[];
 static const struct token t_ca_modifiers[];
 static const struct token t_ca_cert[];
 static const struct token t_ca_cert_extusage[];
@@ -120,20 +123,36 @@ static const struct token t_ca_modifiers[] = {
 { KEYWORD, "install", CA_INSTALL, NULL },
 { KEYWORD, "certificate", CA_CERTIFICATE, t_ca_cert },
 { KEYWORD, "key", NONE, t_ca_key },
- { KEYWORD, "export", CA_EXPORT, t_ca_ex_peer },
+ { KEYWORD, "export", CA_EXPORT, t_ca_export },
 { ENDTOKEN, "", NONE, NULL }
 };
 
+static const struct token t_ca_pass_val[] = {
+ { PASSWORD, "", NONE, NULL },
+ { ENDTOKEN, "", NONE, NULL }
+};
+
 static const struct token t_ca_pass[] = {
 { NOTOKEN, "", NONE, NULL },
- { PASSWORD, "", NONE, NULL },
- { ENDTOKEN, "", NONE, NULL },
+ { KEYWORD, "password", NONE, t_ca_pass_val },
+ { ENDTOKEN, "", NONE, NULL }
+};
+
+static const struct token t_ca_export[] = {
+ { NOTOKEN, "", NONE, NULL },
+ { KEYWORD, "peer", NONE, t_ca_ex_peer },
+ { KEYWORD, "password", NONE, t_ca_ex_pass },
+ { ENDTOKEN, "", NONE, NULL }
 };
 
 static const struct token t_ca_ex_peer[] = {
- { NOTOKEN, "", NONE, NULL},
- { PEER, "", NONE, NULL },
- { ENDTOKEN, "", NONE, NULL },
+ { PEER, "", NONE, t_ca_export },
+ { ENDTOKEN, "", NONE, NULL }
+};
+
+static const struct token t_ca_ex_pass[] = {
+ { PASSWORD, "", NONE, t_ca_export },
+ { ENDTOKEN, "", NONE, NULL }
 };
 
 static const struct token t_ca_cert[] = {
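Review bot: The rewritten `t_ca_pass` table now requires the `password` keyword before the passphrase of `ca name create`, an incompatible change to an existing command that the log message, which mentions only the `peer` keyword, does not call out; the message should name both. `t_ca_ex_peer` and `t_ca_ex_pass` both chain back to `t_ca_export`, so `export peer a peer b` or a repeated `password` is accepted, and which value wins depends on how parse() stores the PEER and PASSWORD tokens, which is outside this hunk; if duplicates are not intended the parser should reject a second occurrence. A one-line comment above `t_ca_export`, e.g. `/* optional "peer" and "password" modifiers, accepted in any order */`, would make the loop in the grammar read as deliberate.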
@@ -146,17 +165,11 @@ static const struct token t_ca_cert_modifiers[] = {
 { KEYWORD, "create", CA_CERT_CREATE, t_ca_cert_extusage },
 { KEYWORD, "delete", CA_CERT_DELETE, NULL },
 { KEYWORD, "install", CA_CERT_INSTALL, NULL },
- { KEYWORD, "export", CA_CERT_EXPORT, t_ca_cert_ex_peer },
+ { KEYWORD, "export", CA_CERT_EXPORT, t_ca_export },
 { KEYWORD, "revoke", CA_CERT_REVOKE, NULL },
 { ENDTOKEN, "", NONE, NULL }
 };
 
-static const struct token t_ca_cert_ex_peer[] = {
- { NOTOKEN, "", NONE, NULL},
- { PEER, "", NONE, NULL },
- { ENDTOKEN, "", NONE, NULL },
-};
-
 static const struct token t_ca_cert_extusage[] = {
 { NOTOKEN, "", NONE, NULL},
 { KEYWORD, "server", CA_SERVER, NULL },
diff --git a/usr.sbin/ikectl/parser.h b/usr.sbin/ikectl/parser.h
index f89a7b20929..0cd1e62a614 100644
--- a/usr.sbin/ikectl/parser.h
+++ b/usr.sbin/ikectl/parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.h,v 1.6 2010/10/07 12:23:14 reyk Exp $ */
+/* $OpenBSD: parser.h,v 1.7 2010/10/07 13:30:50 reyk Exp $ */
 
 /*
  * Copyright (c) 2007, 2008 Reyk Floeter <reyk@vantronix.net>
@@ -76,7 +76,7 @@ struct parse_result *parse(int, char *[]);
 struct ca *ca_setup(char *, int, int, char *);
 int ca_create(struct ca *);
 int ca_certificate(struct ca *, char *, int, int);
-int ca_export(struct ca *, char *, char *);
+int ca_export(struct ca *, char *, char *, char *);
 int ca_revoke(struct ca *, char *);
 int ca_delete(struct ca *);
 int ca_delkey(struct ca *, char *);
|