boost::program_options::options_description& hiddenDesc) const
{
visibleDesc.add_options()
- ("keyfile", po::value<std::string>(), "Key file path")
+ ("keyfile", po::value<std::string>(), "Key file path (input)")
("certfile", po::value<std::string>(), "Certificate file path (input + output)")
("cafile", po::value<std::string>(), "CA file path (output)")
+ ("trustedfile", po::value<std::string>(), "Trusted certificate file path (input)")
("host", po::value<std::string>(), "Icinga 2 host")
("port", po::value<std::string>(), "Icinga 2 port")
("ticket", po::value<std::string>(), "Icinga 2 PKI ticket");
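Review bot: The help text for the new `trustedfile` option on line 8 says only "(input)" and does not tell the operator what the file is used for, even though the command elsewhere in this change refuses to run without it and aborts when the peer certificate differs from it. Suggest `("trustedfile", po::value<std::string>(), "Trusted certificate file path (input, required); the peer's certificate must match it exactly")`. The enclosing InitParameters body starts before the hunk and continues past it.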
std::vector<String> PKIRequestCommand::GetArgumentSuggestions(const String& argument, const String& word) const
{
- if (argument == "keyfile" || argument == "certfile" || argument == "cafile")
+ if (argument == "keyfile" || argument == "certfile" || argument == "cafile" || argument == "trustedfile")
return GetBashCompletionSuggestions("file", word);
else if (argument == "host")
return GetBashCompletionSuggestions("hostname", word);
return 1;
}
+ if (!vm.count("trustedfile")) {
+ Log(LogCritical, "cli", "Trusted certificate file path (--trustedfile) must be specified.");
+ return 1;
+ }
+
if (!vm.count("ticket")) {
Log(LogCritical, "cli", "Ticket (--ticket) must be specified.");
return 1;
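Review bot: The added check on lines 21-24 only verifies that `--trustedfile` was passed; the file itself is first read after `stream->Handshake()` in the later hunk, so an unreadable or malformed path is only reported once a TLS connection to the remote host has already been established. Consider loading it here, directly after the presence check, e.g. `shared_ptr<X509> trustedCert = GetX509Certificate(vm["trustedfile"].as<std::string>());`, so a bad path fails before any socket is opened — this assumes GetX509Certificate throws or returns an empty handle on failure, which is not visible in this hunk. The enclosing Run() body starts and ends outside the hunk.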
stream->Handshake();
+ shared_ptr<X509> peerCert = stream->GetPeerCertificate();
+ shared_ptr<X509> trustedCert = GetX509Certificate(vm["trustedfile"].as<std::string>());
+
+ if (CertificateToString(peerCert) != CertificateToString(trustedCert)) {
+ Log(LogCritical, "cli", "Peer certificate does not match trusted certificate.");
+ return 1;
+ }
+
Dictionary::Ptr request = make_shared<Dictionary>();
String msgid = Utility::NewUniqueID();
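Review bot: `peerCert` on line 30 is passed to `CertificateToString` on line 33 without a null check; if the peer presents no certificate, `GetPeerCertificate()` presumably returns an empty `shared_ptr`, and what `CertificateToString` does with a null handle is not visible here — it may crash or yield an empty string that only fails the comparison by accident. Reject that case explicitly before comparing: `if (!peerCert) { Log(LogCritical, "cli", "Peer did not present a certificate."); return 1; }`, and guard `trustedCert` the same way if `GetX509Certificate` can return null rather than throw. Doing the comparison before the request is built on line 38 is the right order, since nothing (including the ticket) is sent to an unverified peer. The enclosing Run() body starts and ends outside the hunk.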