#include <asn1/asn1.h>
#include <asn1/oid.h>
#include <credentials/certificates/certificate.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/certificates/crl.h>
-#include <credentials/certificates/ac.h>
+#include <credentials/certificates/certificate_printer.h>
#include <selectors/traffic_selector.h>
-#include <vici_version.h>
-#include <vici_cert_info.h>
-
#include "command.h"
/**
- * Current certificate type info
+ * Static certificate printer object
*/
-static vici_cert_info_t *current_cert_info = NULL;
+static certificate_printer_t *cert_printer = NULL;
/**
* Print PEM encoding of a certificate
}
}
-/**
- * Print public key information
- */
-static void print_pubkey(public_key_t *key, bool has_privkey)
-{
- chunk_t chunk;
-
- printf("pubkey: %N %d bits", key_type_names, key->get_type(key),
- key->get_keysize(key));
- if (has_privkey)
- {
- printf(", has private key");
- }
- printf("\n");
- if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
- {
- printf("keyid: %#B\n", &chunk);
- }
- if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk))
- {
- printf("subjkey: %#B\n", &chunk);
- }
-}
-
-/**
- * Print X509 specific certificate information
- */
-static void print_x509(x509_t *x509)
-{
- enumerator_t *enumerator;
- identification_t *id;
- traffic_selector_t *block;
- chunk_t chunk;
- bool first;
- char *uri;
- int len, explicit, inhibit;
- x509_flag_t flags;
- x509_cdp_t *cdp;
- x509_cert_policy_t *policy;
- x509_policy_mapping_t *mapping;
-
- chunk = chunk_skip_zero(x509->get_serial(x509));
- printf("serial: %#B\n", &chunk);
-
- first = TRUE;
- enumerator = x509->create_subjectAltName_enumerator(x509);
- while (enumerator->enumerate(enumerator, &id))
- {
- if (first)
- {
- printf("altNames: ");
- first = FALSE;
- }
- else
- {
- printf(", ");
- }
- printf("%Y", id);
- }
- if (!first)
- {
- printf("\n");
- }
- enumerator->destroy(enumerator);
-
- flags = x509->get_flags(x509);
- if (flags != X509_NONE)
- {
- printf("flags: ");
- if (flags & X509_CA)
- {
- printf("CA ");
- }
- if (flags & X509_CRL_SIGN)
- {
- printf("CRLSign ");
- }
- if (flags & X509_OCSP_SIGNER)
- {
- printf("ocspSigning ");
- }
- if (flags & X509_SERVER_AUTH)
- {
- printf("serverAuth ");
- }
- if (flags & X509_CLIENT_AUTH)
- {
- printf("clientAuth ");
- }
- if (flags & X509_IKE_INTERMEDIATE)
- {
- printf("ikeIntermediate ");
- }
- if (flags & X509_MS_SMARTCARD_LOGON)
- {
- printf("msSmartcardLogon");
- }
- if (flags & X509_SELF_SIGNED)
- {
- printf("self-signed ");
- }
- printf("\n");
- }
-
- first = TRUE;
- enumerator = x509->create_crl_uri_enumerator(x509);
- while (enumerator->enumerate(enumerator, &cdp))
- {
- if (first)
- {
- printf("CRL URIs: %s", cdp->uri);
- first = FALSE;
- }
- else
- {
- printf(" %s", cdp->uri);
- }
- if (cdp->issuer)
- {
- printf(" (CRL issuer: %Y)", cdp->issuer);
- }
- printf("\n");
- }
- enumerator->destroy(enumerator);
-
- first = TRUE;
- enumerator = x509->create_ocsp_uri_enumerator(x509);
- while (enumerator->enumerate(enumerator, &uri))
- {
- if (first)
- {
- printf("OCSP URIs: %s\n", uri);
- first = FALSE;
- }
- else
- {
- printf(" %s\n", uri);
- }
- }
- enumerator->destroy(enumerator);
-
- len = x509->get_constraint(x509, X509_PATH_LEN);
- if (len != X509_NO_CONSTRAINT)
- {
- printf("pathlen: %d\n", len);
- }
-
- first = TRUE;
- enumerator = x509->create_name_constraint_enumerator(x509, TRUE);
- while (enumerator->enumerate(enumerator, &id))
- {
- if (first)
- {
- printf("Permitted NameConstraints:\n");
- first = FALSE;
- }
- printf(" %Y\n", id);
- }
- enumerator->destroy(enumerator);
- first = TRUE;
- enumerator = x509->create_name_constraint_enumerator(x509, FALSE);
- while (enumerator->enumerate(enumerator, &id))
- {
- if (first)
- {
- printf("Excluded NameConstraints:\n");
- first = FALSE;
- }
- printf(" %Y\n", id);
- }
- enumerator->destroy(enumerator);
-
- first = TRUE;
- enumerator = x509->create_cert_policy_enumerator(x509);
- while (enumerator->enumerate(enumerator, &policy))
- {
- char *oid;
-
- if (first)
- {
- printf("CertificatePolicies:\n");
- first = FALSE;
- }
- oid = asn1_oid_to_string(policy->oid);
- if (oid)
- {
- printf(" %s\n", oid);
- free(oid);
- }
- else
- {
- printf(" %#B\n", &policy->oid);
- }
- if (policy->cps_uri)
- {
- printf(" CPS: %s\n", policy->cps_uri);
- }
- if (policy->unotice_text)
- {
- printf(" Notice: %s\n", policy->unotice_text);
-
- }
- }
- enumerator->destroy(enumerator);
-
- first = TRUE;
- enumerator = x509->create_policy_mapping_enumerator(x509);
- while (enumerator->enumerate(enumerator, &mapping))
- {
- char *issuer_oid, *subject_oid;
-
- if (first)
- {
- printf("PolicyMappings:\n");
- first = FALSE;
- }
- issuer_oid = asn1_oid_to_string(mapping->issuer);
- subject_oid = asn1_oid_to_string(mapping->subject);
- printf(" %s => %s\n", issuer_oid, subject_oid);
- free(issuer_oid);
- free(subject_oid);
- }
- enumerator->destroy(enumerator);
-
- explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
- inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
- len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
-
- if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT ||
- len != X509_NO_CONSTRAINT)
- {
- printf("PolicyConstraints:\n");
- if (explicit != X509_NO_CONSTRAINT)
- {
- printf(" requireExplicitPolicy: %d\n", explicit);
- }
- if (inhibit != X509_NO_CONSTRAINT)
- {
- printf(" inhibitPolicyMapping: %d\n", inhibit);
- }
- if (len != X509_NO_CONSTRAINT)
- {
- printf(" inhibitAnyPolicy: %d\n", len);
- }
- }
-
- chunk = x509->get_authKeyIdentifier(x509);
- if (chunk.ptr)
- {
- printf("authkeyId: %#B\n", &chunk);
- }
-
- chunk = x509->get_subjectKeyIdentifier(x509);
- if (chunk.ptr)
- {
- printf("subjkeyId: %#B\n", &chunk);
- }
- if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
- {
- first = TRUE;
- printf("addresses: ");
- enumerator = x509->create_ipAddrBlock_enumerator(x509);
- while (enumerator->enumerate(enumerator, &block))
- {
- if (first)
- {
- first = FALSE;
- }
- else
- {
- printf(", ");
- }
- printf("%R", block);
- }
- enumerator->destroy(enumerator);
- printf("\n");
- }
-}
-
-/**
- * Print CRL specific information
- */
-static void print_crl(crl_t *crl)
-{
- enumerator_t *enumerator;
- time_t ts;
- crl_reason_t reason;
- chunk_t chunk;
- int count = 0;
- bool first;
- char buf[64];
- struct tm tm;
- x509_cdp_t *cdp;
-
- chunk = chunk_skip_zero(crl->get_serial(crl));
- printf("serial: %#B\n", &chunk);
-
- if (crl->is_delta_crl(crl, &chunk))
- {
- chunk = chunk_skip_zero(chunk);
- printf("delta CRL: for serial %#B\n", &chunk);
- }
- chunk = crl->get_authKeyIdentifier(crl);
- printf("authKeyId: %#B\n", &chunk);
-
- first = TRUE;
- enumerator = crl->create_delta_crl_uri_enumerator(crl);
- while (enumerator->enumerate(enumerator, &cdp))
- {
- if (first)
- {
- printf("freshest: %s", cdp->uri);
- first = FALSE;
- }
- else
- {
- printf(" %s", cdp->uri);
- }
- if (cdp->issuer)
- {
- printf(" (CRL issuer: %Y)", cdp->issuer);
- }
- printf("\n");
- }
- enumerator->destroy(enumerator);
-
- enumerator = crl->create_enumerator(crl);
- while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
- {
- count++;
- }
- enumerator->destroy(enumerator);
-
- printf("%d revoked certificate%s%s\n", count,
- count == 1 ? "" : "s", count ? ":" : "");
- enumerator = crl->create_enumerator(crl);
- while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
- {
- chunk = chunk_skip_zero(chunk);
- localtime_r(&ts, &tm);
- strftime(buf, sizeof(buf), "%F %T", &tm);
- printf(" %#B: %s, %N\n", &chunk, buf, crl_reason_names, reason);
- count++;
- }
- enumerator->destroy(enumerator);
-}
-
-/**
- * Print AC specific information
- */
-static void print_ac(ac_t *ac)
-{
- ac_group_type_t type;
- identification_t *id;
- enumerator_t *groups;
- chunk_t chunk;
- bool first = TRUE;
-
- chunk = chunk_skip_zero(ac->get_serial(ac));
- printf("serial: %#B\n", &chunk);
-
- id = ac->get_holderIssuer(ac);
- if (id)
- {
- printf("hissuer: \"%Y\"\n", id);
- }
- chunk = chunk_skip_zero(ac->get_holderSerial(ac));
- if (chunk.ptr)
- {
- printf("hserial: %#B\n", &chunk);
- }
- groups = ac->create_group_enumerator(ac);
- while (groups->enumerate(groups, &type, &chunk))
- {
- int oid;
- char *str;
-
- if (first)
- {
- printf("groups: ");
- first = FALSE;
- }
- else
- {
- printf(" ");
- }
- switch (type)
- {
- case AC_GROUP_TYPE_STRING:
- printf("%.*s", (int)chunk.len, chunk.ptr);
- break;
- case AC_GROUP_TYPE_OID:
- oid = asn1_known_oid(chunk);
- if (oid == OID_UNKNOWN)
- {
- str = asn1_oid_to_string(chunk);
- if (str)
- {
- printf("%s", str);
- free(str);
- }
- else
- {
- printf("OID:%#B", &chunk);
- }
- }
- else
- {
- printf("%s", oid_names[oid].name);
- }
- break;
- case AC_GROUP_TYPE_OCTETS:
- printf("%#B", &chunk);
- break;
- }
- printf("\n");
- }
- groups->destroy(groups);
-
- chunk = ac->get_authKeyIdentifier(ac);
- if (chunk.ptr)
- {
- printf("authkey: %#B\n", &chunk);
- }
-}
-
-/**
- * Print certificate information
- */
-static void print_cert(certificate_t *cert, bool has_privkey)
-{
- time_t now, notAfter, notBefore;
- public_key_t *key;
-
- now = time(NULL);
-
- if (cert->get_type(cert) != CERT_X509_CRL &&
- cert->get_type(cert) != CERT_X509_OCSP_RESPONSE)
- {
- printf("subject: \"%Y\"\n", cert->get_subject(cert));
- }
- printf("issuer: \"%Y\"\n", cert->get_issuer(cert));
-
- cert->get_validity(cert, &now, ¬Before, ¬After);
- printf("validity: not before %T, ", ¬Before, FALSE);
- if (now < notBefore)
- {
- printf("not valid yet (valid in %V)\n", &now, ¬Before);
- }
- else
- {
- printf("ok\n");
- }
- printf(" not after %T, ", ¬After, FALSE);
- if (now > notAfter)
- {
- printf("expired (%V ago)\n", &now, ¬After);
- }
- else
- {
- printf("ok (expires in %V)\n", &now, ¬After);
- }
-
- switch (cert->get_type(cert))
- {
- case CERT_X509:
- print_x509((x509_t*)cert);
- break;
- case CERT_X509_CRL:
- print_crl((crl_t*)cert);
- break;
- case CERT_X509_AC:
- print_ac((ac_t*)cert);
- break;
- default:
- fprintf(stderr, "parsing certificate subtype %N not implemented\n",
- certificate_type_names, cert->get_type(cert));
- break;
- }
- key = cert->get_public_key(cert);
- if (key)
- {
- print_pubkey(key, has_privkey);
- key->destroy(key);
- }
- printf("\n");
-}
-
CALLBACK(list_cb, void,
command_format_options_t *format, char *name, vici_res_t *res)
{
certificate_t *cert;
- vici_version_t version;
- vici_cert_info_t *cert_info;
- bool has_privkey, first = FALSE;
- char *version_str, *type_str;
+ certificate_type_t type;
+ x509_flag_t flag = X509_NONE;
+ bool has_privkey;
+ char *str;
void *buf;
int len;
return;
}
- version_str = vici_find_str(res, "1.0", "vici");
- if (!enum_from_name(vici_version_names, version_str, &version) ||
- version == VICI_1_0)
- {
- fprintf(stderr, "unsupported vici version '%s'\n", version_str);
- return;
- }
-
buf = vici_find(res, &len, "data");
if (!buf)
{
}
has_privkey = streq(vici_find_str(res, "no", "has_privkey"), "yes");
- type_str = vici_find_str(res, "any", "type");
- cert_info = vici_cert_info_retrieve(type_str);
- if (!cert_info || cert_info->type == CERT_ANY)
+ str = vici_find_str(res, "ANY", "type");
+ if (!enum_from_name(certificate_type_names, str, &type) || type == CERT_ANY)
{
- fprintf(stderr, "unsupported certificate type '%s'\n", type_str);
+ fprintf(stderr, "unsupported certificate type '%s'\n", str);
return;
}
-
- /* Detect change of certificate type */
- if (cert_info != current_cert_info)
+ if (type == CERT_X509)
{
- first = TRUE;
- current_cert_info = cert_info;
+ str = vici_find_str(res, "ANY", "flag");
+ if (!enum_from_name(x509_flag_names, str, &flag) || flag == X509_ANY)
+ {
+ fprintf(stderr, "unsupported certificate flag '%s'\n", str);
+ return;
+ }
}
/* Parse certificate data blob */
- cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, cert_info->type,
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
BUILD_END);
if (cert)
}
else
{
- if (first)
- {
- printf("List of %ss:\n\n", cert_info->caption);
- }
- print_cert(cert, has_privkey);
+ cert_printer->print_caption(cert_printer, type, flag);
+ cert_printer->print(cert_printer, cert, has_privkey);
}
cert->destroy(cert);
}
vici_req_t *req;
vici_res_t *res;
command_format_options_t format = COMMAND_FORMAT_NONE;
- char *arg, *subject = NULL, *type = NULL;
+ char *arg, *subject = NULL, *type = NULL, *flag = NULL;
+ bool detailed = TRUE, utc = FALSE;
int ret;
while (TRUE)
case 't':
type = arg;
continue;
+ case 'f':
+ flag = arg;
+ continue;
case 'p':
format |= COMMAND_FORMAT_PEM;
continue;
case 'r':
format |= COMMAND_FORMAT_RAW;
continue;
+ case 'S':
+ detailed = FALSE;
+ continue;
+ case 'U':
+ utc = TRUE;
+ continue;
case EOF:
break;
default:
return ret;
}
req = vici_begin("list-certs");
- vici_add_version(req, VICI_VERSION);
if (type)
{
vici_add_key_valuef(req, "type", "%s", type);
}
+ if (flag)
+ {
+ vici_add_key_valuef(req, "flag", "%s", flag);
+ }
if (subject)
{
vici_add_key_valuef(req, "subject", "%s", subject);
}
+ cert_printer = certificate_printer_create(stdout, detailed, utc);
res = vici_submit(req, conn);
if (!res)
{
ret = errno;
fprintf(stderr, "list-certs request failed: %s\n", strerror(errno));
+ cert_printer->destroy(cert_printer);
+ cert_printer = NULL;
return ret;
}
if (format & COMMAND_FORMAT_RAW)
stdout);
}
vici_free_res(res);
+
+ cert_printer->destroy(cert_printer);
+ cert_printer = NULL;
return 0;
}
command_register((command_t) {
list_certs, 'x', "list-certs", "list stored certificates",
{"[--subject <dn/san>] "
- "[--type x509|x509ca|x509aa|x509ac|x509crl|x509ocsp|ocsp] "
- "[--pem] [--raw|--pretty]"},
+ "[--type x509|x509_ac|x509_crl|ocsp_response|pubkey]\n "
+ "[--flag none|ca|aa|ocsp|any] "
+ "[--pem] [--raw|--pretty|--short|--utc]"},
{
{"help", 'h', 0, "show usage information"},
{"subject", 's', 1, "filter by certificate subject"},
{"type", 't', 1, "filter by certificate type"},
+ {"flag", 'f', 1, "filter by X.509 certificate flag"},
{"pem", 'p', 0, "print PEM encoding of certificate"},
{"raw", 'r', 0, "dump raw response message"},
{"pretty", 'P', 0, "dump raw response message in pretty print"},
+ {"short", 'S', 0, "omit some certificate details"},
+ {"utc", 'U', 0, "use UTC for time fields"},
}
});
}
projects / strongswan.git / blobdiff