Hello Philip,

The answer is implicit.
It answered the following question:

> If a CRL is a credential, does clear-creds duplicate the "ipsec purgecrls" 
command, making the separate command redundant?

A CRL is not a credential, so calling clear-creds does not inherently duplicate 
it, given the description from the help message.

The description in README.md in the vici plugin directory is the following (for 
the interesting parts):

### flush-certs() ###

Flushes the certificate cache. The optional type argument allows to flush
only certificates of a given type, e.g. all cached CRLs.

    {
        type = <certificate type to filter for, X509|X509_AC|X509_CRL|
                                                OCSP_RESPONSE|PUBKEY or ANY>
    } => {
        success = <yes or no>
        errmsg = <error string on failure>
    }

### clear-creds() ###

Clear all loaded certificate, private key and shared key credentials. This
affects only credentials loaded over vici, but additionally flushes the
credential cache.

    {} => {
        success = <yes or no>
        errmsg = <error string on failure>
    }

The description of "flush-certs" indicates it flushes the certificate cache, 
and can be told to only flush certain types of certificates.
It implies CRLs are a type of certificate (they're actually not; they're a 
signed list of certificates. They don't certify any identity).

The description of "clear-creds" indicates that it flushes all loaded 
certificates, private keys, and shared key credentials.
Given the implication of the description of "flush-certs", this pertains to 
CRLs, too.

But let's look at the code.

There are the clear-creds and flush-certs requests that are usable via VICI. 
Sending these requests makes the daemon execute the following code respectively 
(see the first parameter to CALLBACK for the name of the function that is 
declared)[1]:

CALLBACK(clear_creds, vici_message_t*,
    private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
{
    /* drop all credentials that were loaded over vici */
    this->creds->clear(this->creds);
    /* drop all CA certificates that were loaded over vici */
    this->authority->clear_ca_certs(this->authority);
    /* flush the credential manager's cache for every certificate type */
    lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);

    return create_reply(NULL);
}

CALLBACK(flush_certs, vici_message_t*,
    private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
{
    certificate_type_t type = CERT_ANY;
    x509_flag_t flag = X509_NONE;
    char *str;

    /* optional "type" key; without it the whole cache (CERT_ANY) is flushed */
    str = message->get_str(message, NULL, "type");
    /* accept either the enum name (e.g. X509_CRL) or the vici_cert_info
     * spelling (e.g. x509crl); anything else is rejected */
    if (str && !enum_from_name(certificate_type_names, str, &type) &&
               !vici_cert_info_from_str(str, &type, &flag))
    {
        return create_reply("invalid certificate type '%s'", str);
    }
    lib->credmgr->flush_cache(lib->credmgr, type);

    return create_reply(NULL);
}

We can see that "clear-creds" flushes all creds in the daemon, all CA 
certificates, and all cached certificates.
"flush-certs" flushes either all cached "certificates" of the given type (or 
CRLs), or any certificate and all CRLs.

IMHO the description should be changed to indicate it pertains to CRLs, too.

End result: You can replace the call to purgecrls with a VICI request for "flush-certs" 
with type "x509crl"[2].

Kind regards
Noel

[1] from vici_cred.c
[2] from vici_cert_info.c
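For readers who want to issue the request Noel describes without going through a client library, the following is an added example (not part of Noel's mail and not strongSwan's own code). It encodes the "flush-certs" request with type "X509_CRL" (the spelling from the README excerpt; "x509crl" from vici_cert_info.c is accepted as well, per footnote [2]) and the "clear-creds" request in the VICI wire format the vici plugin README documents: a 4-byte big-endian length, a packet-type byte, the command name, and message elements for sections, key/value pairs and lists. It also decodes the success/errmsg reply. The transport (connecting to the daemon's VICI socket) is left to the caller; the sample reply bytes are constructed here, not captured from a daemon.

```python
"""Encode/decode strongSwan VICI command frames (example, not strongSwan code)."""
import struct

# Packet types (from the vici plugin README).
CMD_REQUEST, CMD_RESPONSE, CMD_UNKNOWN = 0, 1, 2
# Message element types.
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = range(1, 7)


def _name(s):
    """Names (command, section, key) carry a 1-byte length prefix."""
    b = s.encode()
    if len(b) > 0xFF:
        raise ValueError("name too long")
    return bytes([len(b)]) + b


def _value(s):
    """Values carry a 2-byte big-endian length prefix."""
    b = s.encode() if isinstance(s, str) else bytes(s)
    if len(b) > 0xFFFF:
        raise ValueError("value too long")
    return struct.pack(">H", len(b)) + b


def encode_message(msg):
    """dict -> SECTION, list -> LIST of LIST_ITEMs, anything else -> KEY_VALUE."""
    out = bytearray()
    for key, val in msg.items():
        if isinstance(val, dict):
            out += bytes([SECTION_START]) + _name(key) + encode_message(val) + bytes([SECTION_END])
        elif isinstance(val, list):
            out += bytes([LIST_START]) + _name(key)
            for item in val:
                out += bytes([LIST_ITEM]) + _value(item)
            out += bytes([LIST_END])
        else:
            out += bytes([KEY_VALUE]) + _name(key) + _value(val)
    return bytes(out)


def _frame(body):
    return struct.pack(">I", len(body)) + body


def encode_request(command, msg=None):
    """CMD_REQUEST: type byte, command name, then the message elements."""
    return _frame(bytes([CMD_REQUEST]) + _name(command) + encode_message(msg or {}))


def encode_response(msg):
    """CMD_RESPONSE: type byte, then the message elements (no name)."""
    return _frame(bytes([CMD_RESPONSE]) + encode_message(msg))


def decode_message(data, pos=0, end=None):
    """Decode elements into a dict; returns (dict, pos). Stops at SECTION_END."""
    end = len(data) if end is None else end
    result = {}
    while pos < end:
        t = data[pos]; pos += 1
        if t == SECTION_END:
            return result, pos
        nlen = data[pos]; pos += 1
        name = data[pos:pos + nlen].decode(); pos += nlen
        if t == SECTION_START:
            result[name], pos = decode_message(data, pos, end)
        elif t == KEY_VALUE:
            vlen = struct.unpack_from(">H", data, pos)[0]; pos += 2
            result[name] = data[pos:pos + vlen].decode(); pos += vlen
        elif t == LIST_START:
            items = []
            while pos < end and data[pos] == LIST_ITEM:
                vlen = struct.unpack_from(">H", data, pos + 1)[0]; pos += 3
                items.append(data[pos:pos + vlen].decode()); pos += vlen
            if pos >= end or data[pos] != LIST_END:
                raise ValueError("list not terminated")
            pos += 1
            result[name] = items
        else:
            raise ValueError("unknown element type %d" % t)
    return result, pos


def _unframe(frame):
    (length,) = struct.unpack_from(">I", frame, 0)
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated frame")
    return body


def decode_request(frame):
    """Returns (command name, message dict) from a CMD_REQUEST frame."""
    body = _unframe(frame)
    if body[0] != CMD_REQUEST:
        raise ValueError("not a command request")
    nlen = body[1]
    return body[2:2 + nlen].decode(), decode_message(body, 2 + nlen)[0]


def decode_response(frame):
    """Returns the reply dict; raises if the daemon reported an unknown command."""
    body = _unframe(frame)
    if body[0] == CMD_UNKNOWN:
        raise ValueError("daemon does not know this command")
    if body[0] != CMD_RESPONSE:
        raise ValueError("unexpected packet type %d" % body[0])
    return decode_message(body, 1)[0]


def flush_crls_request():
    """The VICI replacement for "ipsec purgecrls": flush only cached CRLs."""
    return encode_request("flush-certs", {"type": "X509_CRL"})


def clear_creds_request():
    """Drops everything loaded over vici and flushes the whole cache."""
    return encode_request("clear-creds")
```

Send the frame over the VICI socket and read one framed reply back; a reply of `{"success": "yes"}` means the flush happened, while `{"success": "no", "errmsg": ...}` carries the daemon's error text, such as the "invalid certificate type" message from the flush_certs callback above.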


On 04.08.21 at 19:27, Taylor, Philip (Space & Defence) wrote:
Noel,
Thanks for responding.

Your response does not answer my question, so I modify my question. Everything 
is loaded via VICI; nothing is loaded with ipsec commands or with 
configuration files.

Does the application need both commands when all certificates and CRLs are 
installed via VICI?

PhilT


Public

-----Original Message-----
From: Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting>
Sent: 04 August 2021 15:50
To: Taylor, Philip (Space & Defence) <ph.tay...@cgi.com>; 
Users@lists.strongswan.org
Subject: Re: [strongSwan] "ipsec purgecrls" vs VICI clear-creds

Hi Philip,

CRLs are Certificate Revocation Lists.
They're not secrets.

Kind regards
Noel

On 04.08.21 at 14:29, Taylor, Philip (Space & Defence) wrote:
I am looking at some old application code that executes the command "ipsec 
purgecrls" and then sends the VICI command clear-creds.

Man ipsec purgecrls reveals

                  Purgecrls - purges all cached CRLS

The VICI protocol web page describes clear-creds as

Clear all loaded certificates, private key and shared key credentials.

This affects only credentials loaded over vici, but additionally flushes the 
credential store.

If a CRL is a credential, does clear-creds duplicate the "ipsec purgecrls" 
command, making the separate command redundant?

Does the code need to send both commands?

*Philip Taylor*