On 2/12/2018 6:37 AM, Tobias Brunner wrote:
>> 2- "pki --verify --in certfile" change it to use the "default" trust
>> store if no additional arguments are supplied
>
> There is no "default" trust store. It very much depends on the
> configuration backend used by the daemon from where certificates are
> loaded automatically (if at all).

I understand the limitation here, that is why I quoted "default".

>> Independent of the first choice above, we can add new command line
>> options to point to the paths of where CAs/CRLs are stored:
>> 3- "pki --verify --in certfile --capath path-to-ca's --crlpath path-to-crls"
>> 4- Or we can change existing options --cacert and --crl such that if the
>> supplied argument is a directory we treat them as such and load whatever
>> CAs/CRLs are needed for verification.
>
> Both are simple enough to implement, the latter can be found in the
> pki-verify-dirs branch. I guess you could also just wrap calls to pki
> --verify with a script and add --cacert/crl arguments as appropriate
> (then you'd have more control if the CA certs and CRLs are e.g. stored
> in the same directory with different file extensions).

I did write a script that does that but I thought it is very inefficient
since you have to sweep through CAs/CRLs with pki --print to figure out
the correct chain in order to use them with pki --verify. Thanks for
letting me know about pki-verify-dirs. Sounds like what I'm looking for.
I wish I knew it existed before wasting time on scripting :-).

Is that branch going to be merged any time soon?
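As an added illustration of the wrapper approach Tobias mentions (this is example code written for this page, not the script from the thread and not strongSwan's own code): a POSIX sh wrapper that hands every CA certificate and CRL in two directories to pki --verify by repeating --cacert and --crl, which is what the thread implies those options allow. The *.pem / *.crl extensions, the directory layout and the function names are assumptions; the only pki options used are the ones already discussed above.

```shell
#!/bin/sh
# Added example (not from the thread, not strongSwan code): wrap "pki --verify"
# so that all CA certificates and CRLs found in two directories are passed
# explicitly via repeated --cacert / --crl options. The *.pem and *.crl
# extensions are assumptions; adapt them to how your files are actually named.
set -eu

# Print one "--cacert FILE" or "--crl FILE" pair per line for each matching
# file in the CA and CRL directories (prints nothing if nothing matches).
trust_args() {
    cadir=$1
    crldir=$2
    for f in "$cadir"/*.pem; do
        if [ -f "$f" ]; then printf -- '--cacert %s\n' "$f"; fi
    done
    for f in "$crldir"/*.crl; do
        if [ -f "$f" ]; then printf -- '--crl %s\n' "$f"; fi
    done
}

# Number of CA certificates plus CRLs that would be handed to pki. A result
# of 0 is worth catching before the call: pki would have nothing to chain to.
trust_count() {
    trust_args "$1" "$2" | wc -l | tr -d ' '
}

# Run pki --verify on CERT with every CA/CRL from the two directories appended.
# The argument list is built with "set --" so that paths containing spaces
# survive intact; no pki --print pass over the files is needed.
verify_cert() {
    cert=$1
    cadir=$2
    crldir=$3
    if [ "$(trust_count "$cadir" "$crldir")" = "0" ]; then
        echo "no CA certificates or CRLs found under $cadir / $crldir" >&2
        return 1
    fi
    set -- --verify --in "$cert"
    for f in "$cadir"/*.pem; do
        if [ -f "$f" ]; then set -- "$@" --cacert "$f"; fi
    done
    for f in "$crldir"/*.crl; do
        if [ -f "$f" ]; then set -- "$@" --crl "$f"; fi
    done
    pki "$@"
}

# Usage (example paths, assumed layout):
#   . ./pki-verify-wrap.sh
#   verify_cert host.pem /etc/ipsec.d/cacerts /etc/ipsec.d/crls
```

Because the wrapper passes every anchor and CRL it finds, pki itself selects the chain, which avoids the per-file pki --print sweep described above; keeping CA certificates and CRLs under distinct extensions (or distinct directories) is what lets the globs stay simple.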