diff options
author | Jack Lloyd <[email protected]> | 2018-03-24 05:42:20 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-03-24 05:42:20 -0400 |
commit | 04729be983f3090595f92c2d4752081487ea7c4d (patch) | |
tree | 3b20d85a3fbaf0d520b78839ad64b328fc9dc162 /src | |
parent | 8cbcc468ee8a1767f091b7aa73ab3a3b08bde253 (diff) |
Add some options to tls_client cli to control trusted CAs
Diffstat (limited to 'src')
-rw-r--r-- | src/cli/credentials.h | 24 | ||||
-rw-r--r-- | src/cli/tls_client.cpp | 19 |
2 files changed, 28 insertions, 15 deletions
diff --git a/src/cli/credentials.h b/src/cli/credentials.h index 3b46c239c..da21dd842 100644 --- a/src/cli/credentials.h +++ b/src/cli/credentials.h @@ -29,9 +29,24 @@ inline bool value_exists(const std::vector<std::string>& vec, class Basic_Credentials_Manager : public Botan::Credentials_Manager { public: - Basic_Credentials_Manager() + Basic_Credentials_Manager(bool use_system_store, + const std::string& ca_paths) { - load_certstores(); + std::vector<std::string> paths; + + if(ca_paths.empty() == false) + paths.push_back(ca_paths); + + if(use_system_store) + { + paths.push_back("/etc/ssl/certs"); + paths.push_back("/usr/share/ca-certificates"); + } + + if(paths.empty() == false) + { + load_certstores(paths); + } } Basic_Credentials_Manager(Botan::RandomNumberGenerator& rng, @@ -59,13 +74,10 @@ class Basic_Credentials_Manager : public Botan::Credentials_Manager m_creds.push_back(cert); } - void load_certstores() + void load_certstores(const std::vector<std::string>& paths) { try { - // TODO: make path configurable - const std::vector<std::string> paths = { "/etc/ssl/certs", "/usr/share/ca-certificates" }; - for(auto const& path : paths) { std::shared_ptr<Botan::Certificate_Store> cs(new Botan::Certificate_Store_In_Memory(path)); diff --git a/src/cli/tls_client.cpp b/src/cli/tls_client.cpp index f3fe0c266..55be7e671 100644 --- a/src/cli/tls_client.cpp +++ b/src/cli/tls_client.cpp @@ -37,6 +37,7 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks TLS_Client() : Command("tls_client host --port=443 --print-certs --policy= " "--tls1.0 --tls1.1 --tls1.2 " + "--skip-system-cert-store --trusted-cas= " "--session-db= --session-db-pass= --next-protocols= --type=tcp") { init_sockets(); @@ -64,6 +65,13 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks std::unique_ptr<Botan::TLS::Session_Manager> session_mgr; const std::string sessions_db = get_arg("session-db"); + const std::string host = get_arg("host"); + const uint16_t port = get_arg_sz("port"); + const std::string transport = get_arg("type"); + const std::string next_protos = get_arg("next-protocols"); + std::string policy_file = get_arg("policy"); + const bool use_system_cert_store = flag_set("skip-system-cert-store") == false; + const std::string trusted_CAs = get_arg("trusted-cas"); if(!sessions_db.empty()) { @@ -80,8 +88,6 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks session_mgr.reset(new Botan::TLS::Session_Manager_In_Memory(rng())); } - std::string policy_file = get_arg("policy"); - std::unique_ptr<Botan::TLS::Policy> policy; if(policy_file.size() > 0) @@ -100,13 +106,6 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks policy.reset(new Botan::TLS::Policy); } - Basic_Credentials_Manager creds; - - const std::string host = get_arg("host"); - const uint16_t port = get_arg_sz("port"); - const std::string transport = get_arg("type"); - const std::string next_protos = get_arg("next-protocols"); - if(transport != "tcp" && transport != "udp") { throw CLI_Usage_Error("Invalid transport type '" + transport + "' for TLS"); @@ -140,6 +139,8 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks hostname = host; } + Basic_Credentials_Manager creds(use_system_cert_store, trusted_CAs); + Botan::TLS::Client client(*this, *session_mgr, creds, *policy, rng(), Botan::TLS::Server_Information(hostname, port), version, protocols_to_offer); |