bee5fda27a34790d7b85a7649300f31c5885dc5d
[strongswan.git] / src / swanctl / commands / list_certs.c
1 /*
2 * Copyright (C) 2014 Martin Willi
3 * Copyright (C) 2014 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #define _GNU_SOURCE
17 #include <stdio.h>
18 #include <errno.h>
19 #include <time.h>
20
21 #include <asn1/asn1.h>
22 #include <asn1/oid.h>
23 #include <credentials/certificates/certificate.h>
24 #include <credentials/certificates/x509.h>
25 #include <credentials/certificates/crl.h>
26 #include <credentials/certificates/ac.h>
27 #include <selectors/traffic_selector.h>
28
29 #include "command.h"
30
31 /**
32 * Print PEM encoding of a certificate
33 */
34 static void print_pem(certificate_t *cert)
35 {
36 chunk_t encoding;
37
38 if (cert->get_encoding(cert, CERT_PEM, &encoding))
39 {
40 printf("%.*s", (int)encoding.len, encoding.ptr);
41 free(encoding.ptr);
42 }
43 else
44 {
45 fprintf(stderr, "PEM encoding certificate failed\n");
46 }
47 }
48
49 /**
50 * Print public key information
51 */
52 static void print_pubkey(public_key_t *key, bool has_privkey)
53 {
54 chunk_t chunk;
55
56 printf("pubkey: %N %d bits", key_type_names, key->get_type(key),
57 key->get_keysize(key));
58 if (has_privkey)
59 {
60 printf(", has private key");
61 }
62 printf("\n");
63 if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
64 {
65 printf("keyid: %#B\n", &chunk);
66 }
67 if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk))
68 {
69 printf("subjkey: %#B\n", &chunk);
70 }
71 }
72
73 /**
74 * Print X509 specific certificate information
75 */
76 static void print_x509(x509_t *x509)
77 {
78 enumerator_t *enumerator;
79 identification_t *id;
80 traffic_selector_t *block;
81 chunk_t chunk;
82 bool first;
83 char *uri;
84 int len, explicit, inhibit;
85 x509_flag_t flags;
86 x509_cdp_t *cdp;
87 x509_cert_policy_t *policy;
88 x509_policy_mapping_t *mapping;
89
90 chunk = chunk_skip_zero(x509->get_serial(x509));
91 printf("serial: %#B\n", &chunk);
92
93 first = TRUE;
94 enumerator = x509->create_subjectAltName_enumerator(x509);
95 while (enumerator->enumerate(enumerator, &id))
96 {
97 if (first)
98 {
99 printf("altNames: ");
100 first = FALSE;
101 }
102 else
103 {
104 printf(", ");
105 }
106 printf("%Y", id);
107 }
108 if (!first)
109 {
110 printf("\n");
111 }
112 enumerator->destroy(enumerator);
113
114 flags = x509->get_flags(x509);
115 printf("flags: ");
116 if (flags & X509_CA)
117 {
118 printf("CA ");
119 }
120 if (flags & X509_CRL_SIGN)
121 {
122 printf("CRLSign ");
123 }
124 if (flags & X509_AA)
125 {
126 printf("AA ");
127 }
128 if (flags & X509_OCSP_SIGNER)
129 {
130 printf("OCSP ");
131 }
132 if (flags & X509_AA)
133 {
134 printf("AA ");
135 }
136 if (flags & X509_SERVER_AUTH)
137 {
138 printf("serverAuth ");
139 }
140 if (flags & X509_CLIENT_AUTH)
141 {
142 printf("clientAuth ");
143 }
144 if (flags & X509_IKE_INTERMEDIATE)
145 {
146 printf("iKEIntermediate ");
147 }
148 if (flags & X509_SELF_SIGNED)
149 {
150 printf("self-signed ");
151 }
152 printf("\n");
153
154 first = TRUE;
155 enumerator = x509->create_crl_uri_enumerator(x509);
156 while (enumerator->enumerate(enumerator, &cdp))
157 {
158 if (first)
159 {
160 printf("CRL URIs: %s", cdp->uri);
161 first = FALSE;
162 }
163 else
164 {
165 printf(" %s", cdp->uri);
166 }
167 if (cdp->issuer)
168 {
169 printf(" (CRL issuer: %Y)", cdp->issuer);
170 }
171 printf("\n");
172 }
173 enumerator->destroy(enumerator);
174
175 first = TRUE;
176 enumerator = x509->create_ocsp_uri_enumerator(x509);
177 while (enumerator->enumerate(enumerator, &uri))
178 {
179 if (first)
180 {
181 printf("OCSP URIs: %s\n", uri);
182 first = FALSE;
183 }
184 else
185 {
186 printf(" %s\n", uri);
187 }
188 }
189 enumerator->destroy(enumerator);
190
191 len = x509->get_constraint(x509, X509_PATH_LEN);
192 if (len != X509_NO_CONSTRAINT)
193 {
194 printf("pathlen: %d\n", len);
195 }
196
197 first = TRUE;
198 enumerator = x509->create_name_constraint_enumerator(x509, TRUE);
199 while (enumerator->enumerate(enumerator, &id))
200 {
201 if (first)
202 {
203 printf("Permitted NameConstraints:\n");
204 first = FALSE;
205 }
206 printf(" %Y\n", id);
207 }
208 enumerator->destroy(enumerator);
209 first = TRUE;
210 enumerator = x509->create_name_constraint_enumerator(x509, FALSE);
211 while (enumerator->enumerate(enumerator, &id))
212 {
213 if (first)
214 {
215 printf("Excluded NameConstraints:\n");
216 first = FALSE;
217 }
218 printf(" %Y\n", id);
219 }
220 enumerator->destroy(enumerator);
221
222 first = TRUE;
223 enumerator = x509->create_cert_policy_enumerator(x509);
224 while (enumerator->enumerate(enumerator, &policy))
225 {
226 char *oid;
227
228 if (first)
229 {
230 printf("CertificatePolicies:\n");
231 first = FALSE;
232 }
233 oid = asn1_oid_to_string(policy->oid);
234 if (oid)
235 {
236 printf(" %s\n", oid);
237 free(oid);
238 }
239 else
240 {
241 printf(" %#B\n", &policy->oid);
242 }
243 if (policy->cps_uri)
244 {
245 printf(" CPS: %s\n", policy->cps_uri);
246 }
247 if (policy->unotice_text)
248 {
249 printf(" Notice: %s\n", policy->unotice_text);
250
251 }
252 }
253 enumerator->destroy(enumerator);
254
255 first = TRUE;
256 enumerator = x509->create_policy_mapping_enumerator(x509);
257 while (enumerator->enumerate(enumerator, &mapping))
258 {
259 char *issuer_oid, *subject_oid;
260
261 if (first)
262 {
263 printf("PolicyMappings:\n");
264 first = FALSE;
265 }
266 issuer_oid = asn1_oid_to_string(mapping->issuer);
267 subject_oid = asn1_oid_to_string(mapping->subject);
268 printf(" %s => %s\n", issuer_oid, subject_oid);
269 free(issuer_oid);
270 free(subject_oid);
271 }
272 enumerator->destroy(enumerator);
273
274 explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
275 inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
276 len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
277
278 if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT ||
279 len != X509_NO_CONSTRAINT)
280 {
281 printf("PolicyConstraints:\n");
282 if (explicit != X509_NO_CONSTRAINT)
283 {
284 printf(" requireExplicitPolicy: %d\n", explicit);
285 }
286 if (inhibit != X509_NO_CONSTRAINT)
287 {
288 printf(" inhibitPolicyMapping: %d\n", inhibit);
289 }
290 if (len != X509_NO_CONSTRAINT)
291 {
292 printf(" inhibitAnyPolicy: %d\n", len);
293 }
294 }
295
296 chunk = x509->get_authKeyIdentifier(x509);
297 if (chunk.ptr)
298 {
299 printf("authkeyId: %#B\n", &chunk);
300 }
301
302 chunk = x509->get_subjectKeyIdentifier(x509);
303 if (chunk.ptr)
304 {
305 printf("subjkeyId: %#B\n", &chunk);
306 }
307 if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
308 {
309 first = TRUE;
310 printf("addresses: ");
311 enumerator = x509->create_ipAddrBlock_enumerator(x509);
312 while (enumerator->enumerate(enumerator, &block))
313 {
314 if (first)
315 {
316 first = FALSE;
317 }
318 else
319 {
320 printf(", ");
321 }
322 printf("%R", block);
323 }
324 enumerator->destroy(enumerator);
325 printf("\n");
326 }
327 }
328
329 /**
330 * Print CRL specific information
331 */
332 static void print_crl(crl_t *crl)
333 {
334 enumerator_t *enumerator;
335 time_t ts;
336 crl_reason_t reason;
337 chunk_t chunk;
338 int count = 0;
339 bool first;
340 char buf[64];
341 struct tm tm;
342 x509_cdp_t *cdp;
343
344 chunk = chunk_skip_zero(crl->get_serial(crl));
345 printf("serial: %#B\n", &chunk);
346
347 if (crl->is_delta_crl(crl, &chunk))
348 {
349 chunk = chunk_skip_zero(chunk);
350 printf("delta CRL: for serial %#B\n", &chunk);
351 }
352 chunk = crl->get_authKeyIdentifier(crl);
353 printf("authKeyId: %#B\n", &chunk);
354
355 first = TRUE;
356 enumerator = crl->create_delta_crl_uri_enumerator(crl);
357 while (enumerator->enumerate(enumerator, &cdp))
358 {
359 if (first)
360 {
361 printf("freshest: %s", cdp->uri);
362 first = FALSE;
363 }
364 else
365 {
366 printf(" %s", cdp->uri);
367 }
368 if (cdp->issuer)
369 {
370 printf(" (CRL issuer: %Y)", cdp->issuer);
371 }
372 printf("\n");
373 }
374 enumerator->destroy(enumerator);
375
376 enumerator = crl->create_enumerator(crl);
377 while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
378 {
379 count++;
380 }
381 enumerator->destroy(enumerator);
382
383 printf("%d revoked certificate%s%s\n", count,
384 count == 1 ? "" : "s", count ? ":" : "");
385 enumerator = crl->create_enumerator(crl);
386 while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
387 {
388 chunk = chunk_skip_zero(chunk);
389 localtime_r(&ts, &tm);
390 strftime(buf, sizeof(buf), "%F %T", &tm);
391 printf(" %#B %N %s\n", &chunk, crl_reason_names, reason, buf);
392 count++;
393 }
394 enumerator->destroy(enumerator);
395 }
396
397 /**
398 * Print AC specific information
399 */
400 static void print_ac(ac_t *ac)
401 {
402 ac_group_type_t type;
403 identification_t *id;
404 enumerator_t *groups;
405 chunk_t chunk;
406 bool first = TRUE;
407
408 chunk = chunk_skip_zero(ac->get_serial(ac));
409 printf("serial: %#B\n", &chunk);
410
411 id = ac->get_holderIssuer(ac);
412 if (id)
413 {
414 printf("hissuer: \"%Y\"\n", id);
415 }
416 chunk = chunk_skip_zero(ac->get_holderSerial(ac));
417 if (chunk.ptr)
418 {
419 printf("hserial: %#B\n", &chunk);
420 }
421 groups = ac->create_group_enumerator(ac);
422 while (groups->enumerate(groups, &type, &chunk))
423 {
424 int oid;
425 char *str;
426
427 if (first)
428 {
429 printf("groups: ");
430 first = FALSE;
431 }
432 else
433 {
434 printf(" ");
435 }
436 switch (type)
437 {
438 case AC_GROUP_TYPE_STRING:
439 printf("%.*s", (int)chunk.len, chunk.ptr);
440 break;
441 case AC_GROUP_TYPE_OID:
442 oid = asn1_known_oid(chunk);
443 if (oid == OID_UNKNOWN)
444 {
445 str = asn1_oid_to_string(chunk);
446 if (str)
447 {
448 printf("%s", str);
449 free(str);
450 }
451 else
452 {
453 printf("OID:%#B", &chunk);
454 }
455 }
456 else
457 {
458 printf("%s", oid_names[oid].name);
459 }
460 break;
461 case AC_GROUP_TYPE_OCTETS:
462 printf("%#B", &chunk);
463 break;
464 }
465 printf("\n");
466 }
467 groups->destroy(groups);
468
469 chunk = ac->get_authKeyIdentifier(ac);
470 if (chunk.ptr)
471 {
472 printf("authkey: %#B\n", &chunk);
473 }
474 }
475
476 /**
477 * Print certificate information
478 */
479 static void print_cert(certificate_t *cert, bool has_privkey)
480 {
481 time_t now, notAfter, notBefore;
482 public_key_t *key;
483
484 now = time(NULL);
485
486 printf("cert: %N\n", certificate_type_names, cert->get_type(cert));
487 if (cert->get_type(cert) != CERT_X509_CRL)
488 {
489 printf("subject: \"%Y\"\n", cert->get_subject(cert));
490 }
491 printf("issuer: \"%Y\"\n", cert->get_issuer(cert));
492
493 cert->get_validity(cert, &now, &notBefore, &notAfter);
494 printf("validity: not before %T, ", &notBefore, FALSE);
495 if (now < notBefore)
496 {
497 printf("not valid yet (valid in %V)\n", &now, &notBefore);
498 }
499 else
500 {
501 printf("ok\n");
502 }
503 printf(" not after %T, ", &notAfter, FALSE);
504 if (now > notAfter)
505 {
506 printf("expired (%V ago)\n", &now, &notAfter);
507 }
508 else
509 {
510 printf("ok (expires in %V)\n", &now, &notAfter);
511 }
512
513 switch (cert->get_type(cert))
514 {
515 case CERT_X509:
516 print_x509((x509_t*)cert);
517 break;
518 case CERT_X509_CRL:
519 print_crl((crl_t*)cert);
520 break;
521 case CERT_X509_AC:
522 print_ac((ac_t*)cert);
523 break;
524 default:
525 fprintf(stderr, "parsing certificate subtype %N not implemented\n",
526 certificate_type_names, cert->get_type(cert));
527 break;
528 }
529 key = cert->get_public_key(cert);
530 if (key)
531 {
532 print_pubkey(key, has_privkey);
533 key->destroy(key);
534 }
535 printf("\n");
536 }
537
538 CALLBACK(list_cb, void,
539 command_format_options_t *format, char *name, vici_res_t *res)
540 {
541 if (*format & COMMAND_FORMAT_RAW)
542 {
543 vici_dump(res, "list-cert event", *format & COMMAND_FORMAT_PRETTY,
544 stdout);
545 }
546 else
547 {
548 certificate_type_t type;
549 certificate_t *cert;
550 void *buf;
551 int len;
552 bool has_privkey;
553
554 buf = vici_find(res, &len, "data");
555 has_privkey = streq(vici_find_str(res, "no", "has_privkey"), "yes");
556 if (enum_from_name(certificate_type_names,
557 vici_find_str(res, "ANY", "type"), &type) &&
558 type != CERT_ANY && buf)
559 {
560 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
561 BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
562 BUILD_END);
563 if (cert)
564 {
565 if (*format & COMMAND_FORMAT_PEM)
566 {
567 print_pem(cert);
568 }
569 else
570 {
571 print_cert(cert, has_privkey);
572 }
573 cert->destroy(cert);
574 }
575 else
576 {
577 fprintf(stderr, "parsing certificate failed\n");
578 }
579 }
580 else
581 {
582 fprintf(stderr, "received incomplete certificate data\n");
583 }
584 }
585 }
586
587 static int list_certs(vici_conn_t *conn)
588 {
589 vici_req_t *req;
590 vici_res_t *res;
591 command_format_options_t format = COMMAND_FORMAT_NONE;
592 char *arg, *subject = NULL, *type = NULL;
593
594 while (TRUE)
595 {
596 switch (command_getopt(&arg))
597 {
598 case 'h':
599 return command_usage(NULL);
600 case 's':
601 subject = arg;
602 continue;
603 case 't':
604 type = arg;
605 continue;
606 case 'p':
607 format |= COMMAND_FORMAT_PEM;
608 continue;
609 case 'P':
610 format |= COMMAND_FORMAT_PRETTY;
611 /* fall through to raw */
612 case 'r':
613 format |= COMMAND_FORMAT_RAW;
614 continue;
615 case EOF:
616 break;
617 default:
618 return command_usage("invalid --list-certs option");
619 }
620 break;
621 }
622 if (vici_register(conn, "list-cert", list_cb, &format) != 0)
623 {
624 fprintf(stderr, "registering for certificates failed: %s\n",
625 strerror(errno));
626 return errno;
627 }
628 req = vici_begin("list-certs");
629 if (type)
630 {
631 vici_add_key_valuef(req, "type", "%s", type);
632 }
633 if (subject)
634 {
635 vici_add_key_valuef(req, "subject", "%s", subject);
636 }
637 res = vici_submit(req, conn);
638 if (!res)
639 {
640 fprintf(stderr, "list-certs request failed: %s\n", strerror(errno));
641 return errno;
642 }
643 if (format & COMMAND_FORMAT_RAW)
644 {
645 vici_dump(res, "list-certs reply", format & COMMAND_FORMAT_PRETTY,
646 stdout);
647 }
648 vici_free_res(res);
649 return 0;
650 }
651
652 /**
653 * Register the command.
654 */
655 static void __attribute__ ((constructor))reg()
656 {
657 command_register((command_t) {
658 list_certs, 'x', "list-certs", "list stored certificates",
659 {"[--subject <dn/san>] [--type X509|X509_AC|X509_CRL] [--pem] "
660 "[--raw|--pretty]"},
661 {
662 {"help", 'h', 0, "show usage information"},
663 {"subject", 's', 1, "filter by certificate subject"},
664 {"type", 't', 1, "filter by certificate type"},
665 {"pem", 'p', 0, "print PEM encoding of certificate"},
666 {"raw", 'r', 0, "dump raw response message"},
667 {"pretty", 'P', 0, "dump raw response message in pretty print"},
668 }
669 });
670 }