Diffstat (limited to 'usr.sbin/ikectl')
-rw-r--r-- | usr.sbin/ikectl/ikeca.c | 65 | ||||
-rw-r--r-- | usr.sbin/ikectl/ikectl.8 | 20 | ||||
-rw-r--r-- | usr.sbin/ikectl/ikectl.c | 22 | ||||
-rw-r--r-- | usr.sbin/ikectl/parser.c | 25 | ||||
-rw-r--r-- | usr.sbin/ikectl/parser.h | 6 |
5 files changed, 126 insertions, 12 deletions
diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index 8fd9865a4f0..5f2b4d97250 100644
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikeca.c,v 1.4 2010/06/10 16:14:04 jsg Exp $ */
+/* $OpenBSD: ikeca.c,v 1.5 2010/06/14 17:41:18 jsg Exp $ */
 /* $vantronix: ikeca.c,v 1.13 2010/06/03 15:52:52 reyk Exp $ */
 
 /*
@@ -65,12 +65,15 @@ struct ca {
 struct ca *ca_setup(char *, int);
 int ca_create(struct ca *);
 int ca_delete(struct ca *);
-int ca_key(char *, char *, char *);
 int ca_delkey(struct ca *, char *);
 int ca_sign(struct ca *, char *, int);
 int ca_request(char *, char *, char *);
 int ca_certificate(struct ca *, char *, int);
 int ca_cert_install(struct ca *, char *);
+int ca_key_install(struct ca *, char *);
+int ca_key_create(struct ca *, char *);
+int ca_key_delete(struct ca *, char *);
+int ca_key_import(struct ca *, char *, char *);
 int ca_newpass(char *);
 int ca_export(struct ca *, char *);
 int ca_revoke(struct ca *, char *);
@@ -87,12 +90,18 @@ ca_delete(struct ca *ca)
 }
 
 int
-ca_key(char *sslpath, char *caname, char *keyname)
+ca_key_create(struct ca *ca, char *keyname)
 {
+	struct stat st;
 	char cmd[PATH_MAX * 2];
 	char path[PATH_MAX];
 
-	snprintf(path, sizeof(path), "%s/private/%s.key", sslpath, keyname);
+	snprintf(path, sizeof(path), "%s/private/%s.key", ca->sslpath, keyname);
+
+	/* don't recreate key if one is already present */
+	if (stat(path, &st) == 0) {
+		return (0);
+	}
 
 	snprintf(cmd, sizeof(cmd), "%s genrsa -out %s 2048",
@@ -104,6 +113,34 @@ ca_key(char *sslpath, char *caname, char *keyname)
 }
 
 int
+ca_key_import(struct ca *ca, char *keyname, char *import)
+{
+	struct stat st;
+	char dst[PATH_MAX];
+
+	if (stat(import, &st) != 0) {
+		warn("could not access keyfile %s", import);
+		return (1);
+	}
+
+	snprintf(dst, sizeof(dst), "%s/private/%s.key", ca->sslpath, keyname);
+	fcopy(import, dst, 0600);
+
+	return (0);
+}
+
+int
+ca_key_delete(struct ca *ca, char *keyname)
+{
+	char path[PATH_MAX];
+
+	snprintf(path, sizeof(path), "%s/private/%s.key", ca->sslpath, keyname);
+	unlink(path);
+
+	return (0);
+}
+
+int
 ca_delkey(struct ca *ca, char *keyname)
 {
 	char file[PATH_MAX];
@@ -180,7 +217,7 @@ ca_sign(struct ca *ca, char *keyname, int type)
 int
 ca_certificate(struct ca *ca, char *keyname, int type)
 {
-	ca_key(ca->sslpath, ca->caname, keyname);
+	ca_key_create(ca, keyname);
 	ca_request(ca->sslpath, ca->sslcnf, keyname);
 	ca_sign(ca, keyname, type);
 
@@ -188,7 +225,7 @@ ca_certificate(struct ca *ca, char *keyname, int type)
 }
 
 int
-ca_cert_install(struct ca *ca, char *keyname)
+ca_key_install(struct ca *ca, char *keyname)
 {
 	struct stat st;
 	char cmd[PATH_MAX * 2];
@@ -212,6 +249,20 @@ ca_cert_install(struct ca *ca, char *keyname)
 	    KEYBASE);
 	system(cmd);
 
+
+	return (1);
+}
+
+int
+ca_cert_install(struct ca *ca, char *keyname)
+{
+	char src[PATH_MAX];
+	char dst[PATH_MAX];
+	int r;
+
+	if ((r = ca_key_install(ca, keyname)) != 0)
+		return (r);
+
 	snprintf(src, sizeof(src), "%s/%s.crt", ca->sslpath, keyname);
 	snprintf(dst, sizeof(dst), "%s/certs/%s.crt", KEYBASE, keyname);
 	fcopy(src, dst, 0644);
@@ -348,7 +399,7 @@ fcopy(char *src, char *dst, mode_t mode)
 	if ((ifd = open(src, O_RDONLY)) == -1)
 		err(1, "open %s", src);
 
-	if ((ofd = open(dst, O_WRONLY|O_CREAT, mode)) == -1) {
+	if ((ofd = open(dst, O_WRONLY|O_CREAT|O_TRUNC, mode)) == -1) {
 		close(ifd);
 		err(1, "open %s", dst);
 	}
diff --git a/usr.sbin/ikectl/ikectl.8 b/usr.sbin/ikectl/ikectl.8
index 75d34fdda45..2de05e34459 100644
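Review bot: ca_key_delete discards the result of `unlink(path)` and returns 0 unconditionally, so a key that could not be removed (permissions, wrong CA path) is still reported as deleted; `if (unlink(path) == -1) { warn("unlink %s", path); return (1); }` would surface the failure the way ca_key_import already does for its stat failure. In ca_key_import the `stat(import, &st)` only proves the path exists, and fcopy copies whatever it can open; adding `|| !S_ISREG(st.st_mode)` to that condition keeps directories and special files out of the private key store. Both functions are complete within the hunk.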
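Review bot: ca_key_install ends with `return (1);` immediately after `system(cmd);`, so it reports failure on its success path, and the new ca_cert_install then takes `if ((r = ca_key_install(ca, keyname)) != 0) return (r);` and never reaches the certificate copy below it; the intended line is `return (0);`. The exit status of `system(cmd)` is also discarded, so once the return value is fixed a failed key conversion would still be reported as success; `if (system(cmd) != 0) return (1);` would make the error path meaningful. The body of ca_key_install starts outside the hunk.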
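Review bot: With `O_WRONLY|O_CREAT|O_TRUNC` the `mode` argument only takes effect when dst is created; an existing destination keeps its previous permission bits, so a key rewritten into place by ca_key_import or ca_key_install is not guaranteed to end up 0600 even though the caller asks for it. Calling `fchmod(ofd, mode)` once the open succeeds makes the requested mode hold in both cases, and adding O_NOFOLLOW to the destination open is worth considering since dst is built from user-supplied names. fcopy's body continues outside the hunk.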
--- a/usr.sbin/ikectl/ikectl.8
+++ b/usr.sbin/ikectl/ikectl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ikectl.8,v 1.3 2010/06/10 16:14:04 jsg Exp $
+.\" $OpenBSD: ikectl.8,v 1.4 2010/06/14 17:41:18 jsg Exp $
 .\" $vantronix: ikectl.8,v 1.11 2010/06/03 15:55:51 reyk Exp $
 .\"
 .\" Copyright (c) 2007, 2008, 2009, 2010 Reyk Floeter <reyk@vantronix.net>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 10 2010 $
+.Dd $Mdocdate: June 14 2010 $
 .Dt IKECTL 8
 .Os
 .Sh NAME
@@ -134,6 +134,22 @@ and generate a new Certificate Revocation List (CRL).
 .It Cm show Cm ca Ar name Cm certificates
 Display a listing of certificates associated with CA
 .Ar name .
+.It Cm ca Ar name Cm key Ar host Cm create
+Create a private key for
+.Ar host
+if one does not already exist.
+.It Cm ca Ar name Cm key Ar host Cm install
+Install the private and public keys for
+.Ar host
+into the active configuration.
+.It Cm ca Ar name Cm key Ar host Cm delete
+Delete the private key for
+.Ar host .
+.It Cm ca Ar name Cm key Ar host Cm import Cm file
+Source the private key for
+.Ar host
+from the named
+.Ar file .
 .El
 .Sh FILES
 .Bl -tag -width "/var/run/iked.sockXX" -compact
diff --git a/usr.sbin/ikectl/ikectl.c b/usr.sbin/ikectl/ikectl.c
index 6c47bfd7cbd..87d6bcf2346 100644
--- a/usr.sbin/ikectl/ikectl.c
+++ b/usr.sbin/ikectl/ikectl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikectl.c,v 1.3 2010/06/10 16:14:04 jsg Exp $ */
+/* $OpenBSD: ikectl.c,v 1.4 2010/06/14 17:41:18 jsg Exp $ */
 
 /*
  * Copyright (c) 2007, 2008 Reyk Floeter <reyk@vantronix.net>
@@ -60,6 +60,10 @@ int ca_delkey(struct ca *, char *);
 int ca_install(struct ca *);
 int ca_cert_install(struct ca *, char *);
 int ca_show_certs(struct ca *);
+int ca_key_create(struct ca *, char *);
+int ca_key_delete(struct ca *, char *);
+int ca_key_install(struct ca *, char *);
+int ca_key_import(struct ca *, char *, char *);
 
 struct imsgname imsgs[] = {
 	{ IMSG_CTL_OK, "ok", NULL },
@@ -123,6 +127,18 @@ ca_opt(struct parse_result *res)
 	case SHOW_CA_CERTIFICATES:
 		ca_show_certs(ca);
 		break;
+	case CA_KEY_CREATE:
+		ca_key_create(ca, res->host);
+		break;
+	case CA_KEY_DELETE:
+		ca_key_delete(ca, res->host);
+		break;
+	case CA_KEY_INSTALL:
+		ca_key_install(ca, res->host);
+		break;
+	case CA_KEY_IMPORT:
+		ca_key_import(ca, res->host, res->filename);
+		break;
 	default:
 		break;
 	}
@@ -174,6 +190,10 @@ main(int argc, char *argv[])
 	case CA_CERT_REVOKE:
 	case SHOW_CA:
 	case SHOW_CA_CERTIFICATES:
+	case CA_KEY_CREATE:
+	case CA_KEY_DELETE:
+	case CA_KEY_INSTALL:
+	case CA_KEY_IMPORT:
 		ca_opt(res);
 		break;
 	case NONE:
diff --git a/usr.sbin/ikectl/parser.c b/usr.sbin/ikectl/parser.c
index 2a5b28535f5..9989ef91569 100644
--- a/usr.sbin/ikectl/parser.c
+++ b/usr.sbin/ikectl/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.3 2010/06/10 16:14:04 jsg Exp $ */
+/* $OpenBSD: parser.c,v 1.4 2010/06/14 17:41:18 jsg Exp $ */
 
 /*
  * Copyright (c) 2010 Reyk Floeter <reyk@vantronix.net>
@@ -61,6 +61,9 @@ static const struct token t_ca[];
 static const struct token t_ca_modifiers[];
 static const struct token t_ca_cert[];
 static const struct token t_ca_cert_modifiers[];
+static const struct token t_ca_key[];
+static const struct token t_ca_key_modifiers[];
+static const struct token t_ca_key_path[];
 static const struct token t_show[];
 static const struct token t_show_ca[];
 static const struct token t_show_ca_modifiers[];
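Review bot: The four new ca_opt cases drop the return values of ca_key_create, ca_key_delete, ca_key_install and ca_key_import, so the `return (1)` ca_key_import produces when the source file cannot be accessed never reaches main and the command still exits successfully after printing its warning. That mirrors the existing cases in this switch, but if ca_opt's result is used by main (its signature and the caller are outside the hunk) propagating it, e.g. `return (ca_key_import(ca, res->host, res->filename));`, would make scripted use of the key subcommands reliable. The prototypes added at the top of this file duplicate the ones added in ikeca.c; a shared header would keep the two lists from drifting.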
@@ -110,6 +113,7 @@ static const struct token t_ca_modifiers[] = {
 	{ KEYWORD, "delete", CA_DELETE, NULL },
 	{ KEYWORD, "install", CA_INSTALL, NULL },
 	{ KEYWORD, "certificate", CA_CERTIFICATE, t_ca_cert },
+	{ KEYWORD, "key", NONE, t_ca_key },
 	{ ENDTOKEN, "", NONE, NULL }
 };
 
@@ -128,6 +132,25 @@ static const struct token t_ca_cert_modifiers[] = {
 	{ ENDTOKEN, "", NONE, NULL }
 };
 
+static const struct token t_ca_key[] = {
+	{ ADDRESS, "", NONE, t_ca_key_modifiers },
+	{ FQDN, "", NONE, t_ca_key_modifiers },
+	{ ENDTOKEN, "", NONE, NULL }
+};
+
+static const struct token t_ca_key_modifiers[] = {
+	{ KEYWORD, "create", CA_KEY_CREATE, NULL },
+	{ KEYWORD, "delete", CA_KEY_DELETE, NULL },
+	{ KEYWORD, "install", CA_KEY_INSTALL, NULL },
+	{ KEYWORD, "import", CA_KEY_IMPORT, t_ca_key_path },
+	{ ENDTOKEN, "", NONE, NULL }
+};
+
+static const struct token t_ca_key_path[] = {
+	{ FILENAME, "", NONE, NULL },
+	{ ENDTOKEN, "", NONE, NULL }
+};
+
 static const struct token t_show[] = {
 	{ KEYWORD, "ca", SHOW_CA, t_show_ca },
 	{ ENDTOKEN, "", NONE, NULL }
diff --git a/usr.sbin/ikectl/parser.h b/usr.sbin/ikectl/parser.h
index e274e0af073..00f8b4b0698 100644
--- a/usr.sbin/ikectl/parser.h
+++ b/usr.sbin/ikectl/parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.h,v 1.3 2010/06/10 16:14:04 jsg Exp $ */
+/* $OpenBSD: parser.h,v 1.4 2010/06/14 17:41:18 jsg Exp $ */
 
 /*
  * Copyright (c) 2007, 2008 Reyk Floeter <reyk@vantronix.net>
@@ -42,6 +42,10 @@ enum actions {
 	CA_CERT_INSTALL,
 	CA_CERT_EXPORT,
 	CA_CERT_REVOKE,
+	CA_KEY_CREATE,
+	CA_KEY_DELETE,
+	CA_KEY_INSTALL,
+	CA_KEY_IMPORT,
 	SHOW_CA,
 	SHOW_CA_CERTIFICATES
 };
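Review bot: t_ca_key accepts the host as an ADDRESS or FQDN token and ikeca.c then formats that value straight into `%s/private/%s.key`, so this table is the only place the string is constrained; whether the FQDN token parser rejects path separators and `..` is not visible in this hunk and is worth confirming, since any non-hostname string accepted here would be used as a path component under the CA directory. A short comment on t_ca_key, `/* host is used as a file name component in ikeca.c; must stay a plain hostname or address */`, would record that dependency for the next person who extends the token types.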