Refactored certificate management for the vici and stroke interfaces
[strongswan.git] / src / swanctl / commands / list_certs.c
1 /*
2 * Copyright (C) 2014 Martin Willi
3 * Copyright (C) 2014 revosec AG
4 *
5 * Copyright (C) 2015 Andreas Steffen
6 * HSR Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #define _GNU_SOURCE
20 #include <stdio.h>
21 #include <errno.h>
22 #include <time.h>
23
24 #include <asn1/asn1.h>
25 #include <asn1/oid.h>
26 #include <credentials/certificates/certificate.h>
27 #include <credentials/certificates/certificate_printer.h>
28 #include <selectors/traffic_selector.h>
29
30 #include "command.h"
31
32 /**
33 * Static certificate printer object
34 */
35 static certificate_printer_t *cert_printer = NULL;
36
37 /**
38 * Print PEM encoding of a certificate
39 */
40 static void print_pem(certificate_t *cert)
41 {
42 chunk_t encoding;
43
44 if (cert->get_encoding(cert, CERT_PEM, &encoding))
45 {
46 printf("%.*s", (int)encoding.len, encoding.ptr);
47 free(encoding.ptr);
48 }
49 else
50 {
51 fprintf(stderr, "PEM encoding certificate failed\n");
52 }
53 }
54
55 CALLBACK(list_cb, void,
56 command_format_options_t *format, char *name, vici_res_t *res)
57 {
58 certificate_t *cert;
59 certificate_type_t type;
60 x509_flag_t flag = X509_NONE;
61 bool has_privkey;
62 char *str;
63 void *buf;
64 int len;
65
66 if (*format & COMMAND_FORMAT_RAW)
67 {
68 vici_dump(res, "list-cert event", *format & COMMAND_FORMAT_PRETTY,
69 stdout);
70 return;
71 }
72
73 buf = vici_find(res, &len, "data");
74 if (!buf)
75 {
76 fprintf(stderr, "received incomplete certificate data\n");
77 return;
78 }
79 has_privkey = streq(vici_find_str(res, "no", "has_privkey"), "yes");
80
81 str = vici_find_str(res, "ANY", "type");
82 if (!enum_from_name(certificate_type_names, str, &type) || type == CERT_ANY)
83 {
84 fprintf(stderr, "unsupported certificate type '%s'\n", str);
85 return;
86 }
87 if (type == CERT_X509)
88 {
89 str = vici_find_str(res, "ANY", "flag");
90 if (!enum_from_name(x509_flag_names, str, &flag) || flag == X509_ANY)
91 {
92 fprintf(stderr, "unsupported certificate flag '%s'\n", str);
93 return;
94 }
95 }
96
97 /* Parse certificate data blob */
98 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
99 BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
100 BUILD_END);
101 if (cert)
102 {
103 if (*format & COMMAND_FORMAT_PEM)
104 {
105 print_pem(cert);
106 }
107 else
108 {
109 cert_printer->print_caption(cert_printer, type, flag);
110 cert_printer->print(cert_printer, cert, has_privkey);
111 }
112 cert->destroy(cert);
113 }
114 else
115 {
116 fprintf(stderr, "parsing certificate failed\n");
117 }
118 }
119
120 static int list_certs(vici_conn_t *conn)
121 {
122 vici_req_t *req;
123 vici_res_t *res;
124 command_format_options_t format = COMMAND_FORMAT_NONE;
125 char *arg, *subject = NULL, *type = NULL, *flag = NULL;
126 bool detailed = TRUE, utc = FALSE;
127 int ret;
128
129 while (TRUE)
130 {
131 switch (command_getopt(&arg))
132 {
133 case 'h':
134 return command_usage(NULL);
135 case 's':
136 subject = arg;
137 continue;
138 case 't':
139 type = arg;
140 continue;
141 case 'f':
142 flag = arg;
143 continue;
144 case 'p':
145 format |= COMMAND_FORMAT_PEM;
146 continue;
147 case 'P':
148 format |= COMMAND_FORMAT_PRETTY;
149 /* fall through to raw */
150 case 'r':
151 format |= COMMAND_FORMAT_RAW;
152 continue;
153 case 'S':
154 detailed = FALSE;
155 continue;
156 case 'U':
157 utc = TRUE;
158 continue;
159 case EOF:
160 break;
161 default:
162 return command_usage("invalid --list-certs option");
163 }
164 break;
165 }
166 if (vici_register(conn, "list-cert", list_cb, &format) != 0)
167 {
168 ret = errno;
169 fprintf(stderr, "registering for certificates failed: %s\n",
170 strerror(errno));
171 return ret;
172 }
173 req = vici_begin("list-certs");
174
175 if (type)
176 {
177 vici_add_key_valuef(req, "type", "%s", type);
178 }
179 if (flag)
180 {
181 vici_add_key_valuef(req, "flag", "%s", flag);
182 }
183 if (subject)
184 {
185 vici_add_key_valuef(req, "subject", "%s", subject);
186 }
187 cert_printer = certificate_printer_create(stdout, detailed, utc);
188
189 res = vici_submit(req, conn);
190 if (!res)
191 {
192 ret = errno;
193 fprintf(stderr, "list-certs request failed: %s\n", strerror(errno));
194 cert_printer->destroy(cert_printer);
195 cert_printer = NULL;
196 return ret;
197 }
198 if (format & COMMAND_FORMAT_RAW)
199 {
200 vici_dump(res, "list-certs reply", format & COMMAND_FORMAT_PRETTY,
201 stdout);
202 }
203 vici_free_res(res);
204
205 cert_printer->destroy(cert_printer);
206 cert_printer = NULL;
207 return 0;
208 }
209
210 /**
211 * Register the command.
212 */
213 static void __attribute__ ((constructor))reg()
214 {
215 command_register((command_t) {
216 list_certs, 'x', "list-certs", "list stored certificates",
217 {"[--subject <dn/san>] "
218 "[--type x509|x509_ac|x509_crl|ocsp_response|pubkey]\n "
219 "[--flag none|ca|aa|ocsp|any] "
220 "[--pem] [--raw|--pretty|--short|--utc]"},
221 {
222 {"help", 'h', 0, "show usage information"},
223 {"subject", 's', 1, "filter by certificate subject"},
224 {"type", 't', 1, "filter by certificate type"},
225 {"flag", 'f', 1, "filter by X.509 certificate flag"},
226 {"pem", 'p', 0, "print PEM encoding of certificate"},
227 {"raw", 'r', 0, "dump raw response message"},
228 {"pretty", 'P', 0, "dump raw response message in pretty print"},
229 {"short", 'S', 0, "omit some certificate details"},
230 {"utc", 'U', 0, "use UTC for time fields"},
231 }
232 });
233 }