return -1;
}
-static int check_certificate_expiry(struct openconnect_info *vpninfo, gnutls_x509_crt_t cert)
+static int check_certificate_expiry(struct openconnect_info *vpninfo, struct cert_info *certinfo,
+ gnutls_x509_crt_t cert)
{
const char *reason = NULL;
time_t expires = gnutls_x509_crt_get_expiration_time(cert);
}
if (expires < now)
- reason = _("Client certificate has expired at");
+ reason = certinfo_string(certinfo, _("Client certificate has expired at"),
+ _("Secondary client certificate has expired at"));
else if (expires < now + vpninfo->cert_expire_warning)
- reason = _("Client certificate expires soon at");
+ reason = certinfo_string(certinfo, _("Client certificate expires soon at"),
+ _("Secondary client certificate expires soon at"));
if (reason) {
char buf[80];
_("Failed to decrypt PKCS#12 certificate file\n"));
free_pass(&pass);
certinfo->password = NULL;
- err = request_passphrase(vpninfo, "openconnect_pkcs12", &pass,
- _("Enter PKCS#12 pass phrase:"));
+ err = request_passphrase(vpninfo,
+ certinfo_string(certinfo, "openconnect_pkcs12",
+ "openconnect_secondary_pkcs12"),
+ &pass,
+ certinfo_string(certinfo, _("Enter PKCS#12 pass phrase:"),
+ _("Enter secondary PKCS#12 pass phrase:")));
if (err) {
gnutls_pkcs12_deinit(p12);
return -EINVAL;
gnutls_pkcs12_deinit(p12);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
- _("Failed to load PKCS#12 certificate: %s\n"),
+ certinfo_string(certinfo, _("Failed to load PKCS#12 certificate: %s\n"),
+ _("Failed to load secondary PKCS#12 certificate: %s\n")),
gnutls_strerror(err));
return -EINVAL;
}
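Review bot: The format string handed to vpn_progress in the `Failed to load PKCS#12 certificate` message is now one of two alternatives selected at runtime by certinfo_string, so the compiler's format check can no longer relate it to the `gnutls_strerror(err)` argument; the new code is right only because both alternatives carry the same single `%s`, and nothing states or enforces that. A later edit that adds a conversion to one alternative and not the other would be a silent format/argument mismatch. Suggest a comment where the pattern first appears, `/* both certinfo_string() alternatives must take identical printf arguments */`, or a sentence to that effect on certinfo_string itself (its definition is not in this excerpt). The same applies to the `Using certificate file`, `Loading certificate failed`, `Using system key` and `Using client certificate` messages in the later hunks. The enclosing function starts and ends outside this hunk.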
vpn_progress(vpninfo, PRG_ERR, _("Decrypting PEM key failed\n"));
free_pass(&pass);
}
- err = request_passphrase(vpninfo, "openconnect_pem",
- &pass, _("Enter PEM pass phrase:"));
+ err = request_passphrase(vpninfo,
+ certinfo_string(certinfo, "openconnect_pem",
+ "openconnect_secondary_pem"),
+ &pass,
+ certinfo_string(certinfo, _("Enter PEM pass phrase:"),
+ _("Enter secondary PEM pass phrase:")));
if (err) {
ret = -EINVAL;
goto out;
/* OK, not a PKCS#11 certificate so it must be coming from a file... */
vpn_progress(vpninfo, PRG_DEBUG,
- _("Using certificate file %s\n"), certinfo->cert);
+ certinfo_string(certinfo, _("Using certificate file %s\n"),
+ _("Using secondary certificate file %s\n")),
+ certinfo->cert);
/* Load file contents */
ret = load_datum(vpninfo, &fdata, certinfo->cert);
reason = gnutls_strerror(err);
vpn_progress(vpninfo, PRG_ERR,
- _("Loading certificate failed: %s\n"),
+ certinfo_string(certinfo, _("Loading certificate failed: %s\n"),
+ _("Loading secondary certificate failed: %s\n")),
reason);
nr_extra_certs = 0;
ret = -EINVAL;
#ifdef HAVE_GNUTLS_SYSTEM_KEYS
if (key_is_sys) {
vpn_progress(vpninfo, PRG_DEBUG,
- _("Using system key %s\n"), certinfo->key);
+ certinfo_string(certinfo, _("Using system key %s\n"),
+ _("Using secondary system key %s\n")),
+ certinfo->key);
err = gnutls_privkey_init(&gci->pkey);
if (err) {
/* We shouldn't reach this. It means that we didn't find *any* matching cert */
vpn_progress(vpninfo, PRG_ERR,
- _("No SSL certificate found to match private key\n"));
+ certinfo_string(certinfo, _("No SSL certificate found to match private key\n"),
+ _("No secondary certificate found to match private key\n")));
ret = -EINVAL;
goto out;
/* Now we have a key in either 'key' or 'pkey', a matching cert in 'cert',
and potentially a list of other certs in 'extra_certs[]'. If we loaded
a PKCS#12 file we may have a trust chain in 'gci->certs[]' too. */
- check_certificate_expiry(vpninfo, cert);
+ check_certificate_expiry(vpninfo, certinfo, cert);
get_cert_name(cert, name, sizeof(name));
- vpn_progress(vpninfo, PRG_INFO, _("Using client certificate '%s'\n"),
+ vpn_progress(vpninfo, PRG_INFO,
+ certinfo_string(certinfo, _("Using client certificate '%s'\n"),
+ _("Using secondary certificate '%s'\n")),
name);
/* OpenSSL has problems with certificate chains — if there are
}
memset(&f, 0, sizeof(f));
- f.auth_id = (char *)"pkcs11_pin";
+ f.auth_id = (char *)certinfo_string(certinfo, "pkcs11_pin",
+ "secondary_pkcs11_pin");
f.opts = &o;
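Review bot: The `(char *)` cast on `f.auth_id = (char *)certinfo_string(certinfo, "pkcs11_pin", "secondary_pkcs11_pin");` strips the qualifier from what is presumably a const pointer to one of two string literals, so any write through `f.auth_id` would be undefined behaviour. The cast predates this commit, but now that the field is fed from a selector it is worth confirming whether `auth_id` can simply be declared `const char *` (the struct is outside this hunk); failing that, a note such as `/* literal from certinfo_string(); never written through */` records why the cast is tolerated. The enclosing function starts and ends outside this hunk.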
message[sizeof(message)-1] = 0;
reauth:
if (certinfo->tpm2->need_ownerauth) {
char *pass = NULL;
- if (request_passphrase(vpninfo, "openconnect_tpm2_hierarchy", &pass,
- _("Enter TPM2 %s hierarchy password:"), hierarchy_name))
+ if (request_passphrase(vpninfo,
+ certinfo_string(certinfo, "openconnect_tpm2_hierarchy",
+ "openconnect_secondary_tpm2_hierarchy"),
+ &pass,
+ _("Enter TPM2 %s hierarchy password:"), hierarchy_name))
return -EPERM;
install_tpm_passphrase(vpninfo, &certinfo->tpm2->ownerauth, pass);
certinfo->tpm2->need_ownerauth = 0;
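Review bot: In the owner-hierarchy prompt the auth_id becomes certificate-specific (`openconnect_secondary_tpm2_hierarchy`) while the prompt text `_("Enter TPM2 %s hierarchy password:")` stays shared, unlike the parent-key and key prompts in the following hunks, which switch both. If that asymmetry is deliberate — the hierarchy password presumably belongs to the TPM rather than to either key — a one-line comment such as `/* hierarchy auth is TPM-wide: same prompt for both certs, only the auth_id differs */` would keep a later reader from "fixing" it; if it is not deliberate, the prompt should go through certinfo_string as well. Note also that if front-ends key cached answers on auth_id, the same TPM-wide secret will now be asked for under two ids. The same shape recurs at the `reauth_srk` retry in tpm2_load_key. The enclosing function starts outside this hunk.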
reauth:
if (certinfo->tpm2->need_ownerauth) {
char *pass = NULL;
- if (request_passphrase(vpninfo, "openconnect_tpm2_parent", &pass,
- _("Enter TPM2 parent key password:")))
+ if (request_passphrase(vpninfo,
+ certinfo_string(certinfo, "openconnect_tpm2_parent",
+ "openconnect_secondary_tpm2_parent"),
+ &pass,
+ certinfo_string(certinfo, _("Enter TPM2 parent key password:"),
+ _("Enter secondary TPM2 parent key password:"))))
return -EPERM;
install_tpm_passphrase(vpninfo, &certinfo->tpm2->ownerauth, pass);
certinfo->tpm2->need_ownerauth = 0;
pass = certinfo->password;
certinfo->password = NULL;
} else {
- int err = request_passphrase(vpninfo, "openconnect_tpm2_key",
- &pass, _("Enter TPM2 key password:"));
+ int err = request_passphrase(vpninfo,
+ certinfo_string(certinfo, "openconnect_tpm2_key",
+ "openconnect_secondary_tpm2_key"),
+ &pass,
+ certinfo_string(certinfo, _("Enter TPM2 key password:"),
+ _("Enter secondary TPM2 key password:")));
if (err)
return err;
}
}
-static TPM_HANDLE tpm2_load_key(struct openconnect_info *vpninfo, TSS_CONTEXT **tsscp)
+static TPM_HANDLE tpm2_load_key(struct openconnect_info *vpninfo, struct cert_info *certinfo, TSS_CONTEXT **tsscp)
{
TSS_CONTEXT *tssContext;
Load_In in;
rc = tpm2_load_srk(vpninfo, tssContext, &in.parentHandle, pass, certinfo->tpm2->parent, certinfo->tpm2->legacy_srk);
if (rc == KEY_AUTH_FAILED) {
free_pass(&pass);
- if (!request_passphrase(vpninfo, "openconnect_tpm2_hierarchy", &pass,
+ if (!request_passphrase(vpninfo,
+ certinfo_string(certinfo, "openconnect_tpm2_hierarchy",
+ "openconnect_secondary_tpm2_hierarchy"),
+ &pass,
_("Enter TPM2 %s hierarchy password:"), "owner")) {
goto reauth_srk;
}
memcpy(&in.inPrivate, &certinfo->tpm2->priv, sizeof(in.inPrivate));
if (need_pw && !pass) {
reauth_parent:
- if (request_passphrase(vpninfo, "openconnect_tpm2_parent", &pass,
- _("Enter TPM2 parent key password:"))) {
+ if (request_passphrase(vpninfo,
+ certinfo_string(certinfo, "openconnect_tpm2_parent",
+ "openconnect_secondary_tpm2_parent"),
+ &pass,
+ certinfo_string(certinfo, _("Enter TPM2 parent key password:"),
+ _("Enter secondary TPM2 parent key password:")))) {
tpm2_flush_handle(tssContext, session);
goto out_flush_srk;
}
return GNUTLS_E_PK_SIGN_FAILED;
in.inScheme.scheme = TPM_ALG_NULL;
- in.keyHandle = tpm2_load_key(vpninfo, &tssContext);
+ in.keyHandle = tpm2_load_key(vpninfo, certinfo, &tssContext);
in.label.t.size = 0;
if (!in.keyHandle)
return GNUTLS_E_PK_SIGN_FAILED;
TPM_RH_NULL, NULL, 0);
if (rc == KEY_AUTH_FAILED) {
free_pass(&pass);
- if (!request_passphrase(vpninfo, "openconnect_tpm2_key",
- &pass, _("Enter TPM2 key password:")))
+ if (!request_passphrase(vpninfo,
+ certinfo_string(certinfo, "openconnect_tpm2_key",
+ "openconnect_secondary_tpm2_key"),
+ &pass,
+ certinfo_string(certinfo, _("Enter TPM2 key password:"),
+ _("Enter secondary TPM2 key password:"))))
goto reauth;
}
if (rc) {
in.validation.hierarchy = TPM_RH_NULL;
in.validation.digest.t.size = 0;
- in.keyHandle = tpm2_load_key(vpninfo, &tssContext);
+ in.keyHandle = tpm2_load_key(vpninfo, certinfo, &tssContext);
if (!in.keyHandle)
return GNUTLS_E_PK_SIGN_FAILED;