[strongSwan] "ipsec purgecrls" vs VICI clear-creds

Noel Kuntze noel.kuntze at thermi.consulting
Wed Aug 4 20:21:30 CEST 2021


Hello Philip,

The answer is implicit.
It answered the following question:

 > If a CRL is a credential, does clear-creds duplicate the "ipsec purgecrls" command, making the separate command redundant?

A CRL is not a credential, so calling clear-creds does not inherently duplicate it, given the description from the help message.

The description in README.md in the vici plugin directory is the following (for the interesting things):


### flush-certs() ###

Flushes the certificate cache. The optional type argument allows to flush
only certificates of a given type, e.g. all cached CRLs.

     {
         type = <certificate type to filter for, X509|X509_AC|X509_CRL|
                                                 OCSP_RESPONSE|PUBKEY or ANY>
     } => {
         success = <yes or no>
         errmsg = <error string on failure>
     }

### clear-creds() ###

Clear all loaded certificate, private key and shared key credentials. This
affects only credentials loaded over vici, but additionally flushes the
credential cache.

     {} => {
         success = <yes or no>
         errmsg = <error string on failure>
     }

The description of "flush-certs" indicates it flushes the certificate cache, and can be told to only flush certain types of certificates.
It implies CRLs are a type of certificate (they're actually not; they're a signed list of certificates, and they don't certify any identity).

The description of "clear-creds" indicates that it flushes all loaded certificates, private keys, and shared key credentials.
Given the implication of the description of "flush-certs", this pertains to CRLs, too.

But let's look at the code.

There are the clear-creds and flush-certs requests that are usable via VICI. Sending these requests makes the daemon execute the following code respectively (see the first parameter to CALLBACK for the name of the function that is declared)[1]:

CALLBACK(clear_creds, vici_message_t*,
     private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
{
     this->creds->clear(this->creds);
     this->authority->clear_ca_certs(this->authority);
     lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);

     return create_reply(NULL);
}

CALLBACK(flush_certs, vici_message_t*,
     private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
{
     certificate_type_t type = CERT_ANY;
     x509_flag_t flag = X509_NONE;
     char *str;

     str = message->get_str(message, NULL, "type");
     if (str && !enum_from_name(certificate_type_names, str, &type) &&
                !vici_cert_info_from_str(str, &type, &flag))
     {
         return create_reply("invalid certificate type '%s'", str);
     }
     lib->credmgr->flush_cache(lib->credmgr, type);

     return create_reply(NULL);
}

We can see that "clear-creds" flushes all creds in the daemon, all ca certificates, and all cached certificates.
"flush-certs" flushes either all cached entries of the given type of "certificate" (or CRLs), or all certificates and all CRLs.

IMHO the description should be changed to indicate it pertains to CRLs, too.

End result: You can replace the call to purgecrls with a VICI request for "flush-certs" with type "x509crl"[2].

Kind regards
Noel

[1] from vici_cred.c
[2] from vici_cert_info.c


On 04.08.21 at 19:27, Taylor, Philip (Space & Defence) wrote:
> Noel,
> Thanks for responding.
>
> Your response does not answer my question, so I modify my question. Everything is loaded via VICI , nothing is loaded with ipsec commands or with configuration files.
>
> Does the application need both commands when all certificates and CRLs are installed via VICI?
>
> PhilT
>
>
> Public
>
> -----Original Message-----
> From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>
> Sent: 04 August 2021 15:50
> To: Taylor, Philip (Space & Defence) <ph.taylor at cgi.com>; Users at lists.strongswan.org
> Subject: Re: [strongSwan] "ipsec purgecrls" vs VICI clear-creds
>
> Hi Philip,
>
> CRLs are Certificate Revocation Lists.
> They're not secrets.
>
> Kind regards
> Noel
>
> On 04.08.21 at 14:29, Taylor, Philip (Space & Defence) wrote:
>> I am looking at some old application code that executes the command "ipsec purgecrls" and then sends the VICI command clear-creds.
>>
>> Man ipsec purgecrls reveals
>>
>>                   Purgecrls - purges all cached CRLS
>>
>> VICI protocol web page describes clear-creds as
>>
>> Clear all loaded certificates, private key and shared key credentials.
>>
>> This affects only credentials loaded over vici, but additionally flushes the credential store.
>>
>> If a CRL is a credential, does clear-creds duplicate the "ipsec purgecrls" command, making the separate command redundant?
>>
>> Does the code need to send both commands?
>>
>> *Philip Taylor*
>>
>>
>> Public
>>

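The flush-certs request Noel recommends as the VICI replacement for "ipsec purgecrls", as a worked example added here (this is not code from the thread or from the strongSwan project): a minimal VICI client in Python that encodes a flush-certs request with type = x509crl, decodes the daemon's reply, and, for contrast, issues clear-creds. The wire format follows the transport and message-encoding rules in the vici plugin's README.md (4-byte big-endian length prefix excluding itself, 1-byte packet type, 1-byte name length for request names and keys, 2-byte value length). The socket path /var/run/charon.vici is charon's default and is an assumption about the local build; the sample reply bytes in the test are constructed. strongSwan ships its own vici Python package, which is what you would normally use; this hand-rolled encoder only makes the protocol visible.

```python
"""Minimal VICI client: flush cached CRLs (the VICI equivalent of "ipsec purgecrls")."""
import socket
import struct

# Packet types (vici plugin README.md, transport protocol).
CMD_REQUEST = 0
CMD_RESPONSE = 1
CMD_UNKNOWN = 2

# Message element types (vici plugin README.md, message format).
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = range(1, 7)

# charon's default VICI socket path; adjust for your build (assumption).
DEFAULT_SOCKET = "/var/run/charon.vici"


def encode_message(obj):
    """Serialise a dict of str values, lists of str and nested dicts to VICI elements."""
    out = bytearray()
    for key, value in obj.items():
        k = key.encode()
        if isinstance(value, dict):
            out += bytes([SECTION_START, len(k)]) + k + encode_message(value)
            out.append(SECTION_END)
        elif isinstance(value, (list, tuple)):
            out += bytes([LIST_START, len(k)]) + k
            for item in value:
                v = str(item).encode()
                out += bytes([LIST_ITEM]) + struct.pack(">H", len(v)) + v
            out.append(LIST_END)
        else:
            v = str(value).encode()
            out += bytes([KEY_VALUE, len(k)]) + k + struct.pack(">H", len(v)) + v
    return bytes(out)


def encode_request(name, message=None):
    """Build a complete CMD_REQUEST packet, length prefix included."""
    n = name.encode()
    body = bytes([CMD_REQUEST, len(n)]) + n + encode_message(message or {})
    return struct.pack(">I", len(body)) + body


def _read_name(data, pos):
    nlen = data[pos]
    return data[pos + 1:pos + 1 + nlen].decode(), pos + 1 + nlen


def _read_value(data, pos):
    (vlen,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + vlen].decode(), pos + 2 + vlen


def decode_message(data):
    """Parse VICI elements back into a dict; lists do not nest, sections do."""
    root, stack, cur_list, pos = {}, [], None, 0
    stack.append(root)
    while pos < len(data):
        etype, pos = data[pos], pos + 1
        if etype == SECTION_START:
            name, pos = _read_name(data, pos)
            stack[-1][name] = section = {}
            stack.append(section)
        elif etype == SECTION_END:
            if len(stack) == 1:
                raise ValueError("SECTION_END without matching SECTION_START")
            stack.pop()
        elif etype == KEY_VALUE:
            name, pos = _read_name(data, pos)
            stack[-1][name], pos = _read_value(data, pos)
        elif etype == LIST_START:
            name, pos = _read_name(data, pos)
            stack[-1][name] = cur_list = []
        elif etype == LIST_ITEM:
            if cur_list is None:
                raise ValueError("LIST_ITEM outside a list")
            value, pos = _read_value(data, pos)
            cur_list.append(value)
        elif etype == LIST_END:
            cur_list = None
        else:
            raise ValueError(f"unknown element type {etype}")
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return root


def decode_packet(packet):
    """Parse one length-prefixed packet; returns (packet_type, message dict)."""
    (length,) = struct.unpack(">I", packet[:4])
    body = packet[4:]
    if len(body) != length:
        raise ValueError("packet length mismatch")
    ptype = body[0]
    if ptype == CMD_RESPONSE:
        return ptype, decode_message(body[1:])
    if ptype == CMD_UNKNOWN:  # daemon does not know the command name
        return ptype, {}
    raise ValueError(f"unexpected packet type {ptype}")


def _recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("VICI socket closed")
        buf += chunk
    return bytes(buf)


def send_request(name, message=None, path=DEFAULT_SOCKET):
    """Send one request over the Unix socket and return the decoded reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(encode_request(name, message))
        header = _recv_exact(sock, 4)
        (length,) = struct.unpack(">I", header)
        return decode_packet(header + _recv_exact(sock, length))


def flush_crls(path=DEFAULT_SOCKET):
    """Flush only cached CRLs: flush-certs with type x509crl (vici_cert_info.c name)."""
    ptype, reply = send_request("flush-certs", {"type": "x509crl"}, path)
    return ptype == CMD_RESPONSE and reply.get("success") == "yes"


def clear_creds(path=DEFAULT_SOCKET):
    """Drop every VICI-loaded credential and the whole cache; far broader than flush_crls."""
    ptype, reply = send_request("clear-creds", path=path)
    return ptype == CMD_RESPONSE and reply.get("success") == "yes"


if __name__ == "__main__":
    print("CRL cache flushed" if flush_crls() else "flush-certs failed")
```

flush_crls is the narrow operation the thread ends on; clear_creds is included only to make the difference Noel describes concrete, since it also removes every certificate, private key and shared secret loaded over VICI.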
