Refactored certificate management for the vici and stroke interfaces

[strongswan.git] / src / swanctl / commands / list_certs.c
diff --git a/src/swanctl/commands/list_certs.c b/src/swanctl/commands/list_certs.c

index ecb6528..b2ff3b5 100644 (file)
--- a/src/swanctl/commands/list_certs.c
+++ b/src/swanctl/commands/list_certs.c
@@ -2,6 +2,9 @@
   * Copyright (C) 2014 Martin Willi
   * Copyright (C) 2014 revosec AG
   *
   * Copyright (C) 2014 Martin Willi
   * Copyright (C) 2014 revosec AG
   *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
   * This program is free software; you can redistribute it and/or modify it
   * under the terms of the GNU General Public License as published by the
   * Free Software Foundation; either version 2 of the License, or (at your
   * This program is free software; you can redistribute it and/or modify it
   * under the terms of the GNU General Public License as published by the
   * Free Software Foundation; either version 2 of the License, or (at your
@@ -21,14 +24,17 @@
  #include <asn1/asn1.h>
  #include <asn1/oid.h>
  #include <credentials/certificates/certificate.h>
  #include <asn1/asn1.h>
  #include <asn1/oid.h>
  #include <credentials/certificates/certificate.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/certificates/crl.h>
-#include <credentials/certificates/ac.h>
+#include <credentials/certificates/certificate_printer.h>
  #include <selectors/traffic_selector.h>
  
  #include "command.h"
  
  /**
  #include <selectors/traffic_selector.h>
  
  #include "command.h"
  
  /**
+ * Static certificate printer object
+ */
+static certificate_printer_t *cert_printer = NULL;
+
+/**
   * Print PEM encoding of a certificate
   */
  static void print_pem(certificate_t *cert)
   * Print PEM encoding of a certificate
   */
  static void print_pem(certificate_t *cert)
@@ -46,541 +52,68 @@ static void print_pem(certificate_t *cert)
         }
  }
  
         }
  }
  
-/**
- * Print public key information
- */
-static void print_pubkey(public_key_t *key, bool has_privkey)
-{
-       chunk_t chunk;
-
-       printf("pubkey:    %N %d bits", key_type_names, key->get_type(key),
-                  key->get_keysize(key));
-       if (has_privkey)
-       {
-               printf(", has private key");
-       }
-       printf("\n");
-       if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
-       {
-               printf("keyid:     %#B\n", &chunk);
-       }
-       if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk))
-       {
-               printf("subjkey:   %#B\n", &chunk);
-       }
-}
-
-/**
- * Print X509 specific certificate information
- */
-static void print_x509(x509_t *x509)
+CALLBACK(list_cb, void,
+       command_format_options_t *format, char *name, vici_res_t *res)
  {
  {
-       enumerator_t *enumerator;
-       identification_t *id;
-       traffic_selector_t *block;
-       chunk_t chunk;
-       bool first;
-       char *uri;
-       int len, explicit, inhibit;
-       x509_flag_t flags;
-       x509_cdp_t *cdp;
-       x509_cert_policy_t *policy;
-       x509_policy_mapping_t *mapping;
-
-       chunk = chunk_skip_zero(x509->get_serial(x509));
-       printf("serial:    %#B\n", &chunk);
-
-       first = TRUE;
-       enumerator = x509->create_subjectAltName_enumerator(x509);
-       while (enumerator->enumerate(enumerator, &id))
-       {
-               if (first)
-               {
-                       printf("altNames:  ");
-                       first = FALSE;
-               }
-               else
-               {
-                       printf(", ");
-               }
-               printf("%Y", id);
-       }
-       if (!first)
-       {
-               printf("\n");
-       }
-       enumerator->destroy(enumerator);
-
-       flags = x509->get_flags(x509);
-       printf("flags:     ");
-       if (flags & X509_CA)
-       {
-               printf("CA ");
-       }
-       if (flags & X509_CRL_SIGN)
-       {
-               printf("CRLSign ");
-       }
-       if (flags & X509_AA)
-       {
-               printf("AA ");
-       }
-       if (flags & X509_OCSP_SIGNER)
-       {
-               printf("OCSP ");
-       }
-       if (flags & X509_AA)
-       {
-               printf("AA ");
-       }
-       if (flags & X509_SERVER_AUTH)
-       {
-               printf("serverAuth ");
-       }
-       if (flags & X509_CLIENT_AUTH)
-       {
-               printf("clientAuth ");
-       }
-       if (flags & X509_IKE_INTERMEDIATE)
-       {
-               printf("iKEIntermediate ");
-       }
-       if (flags & X509_SELF_SIGNED)
-       {
-               printf("self-signed ");
-       }
-       printf("\n");
-
-       first = TRUE;
-       enumerator = x509->create_crl_uri_enumerator(x509);
-       while (enumerator->enumerate(enumerator, &cdp))
-       {
-               if (first)
-               {
-                       printf("CRL URIs:  %s", cdp->uri);
-                       first = FALSE;
-               }
-               else
-               {
-                       printf("           %s", cdp->uri);
-               }
-               if (cdp->issuer)
-               {
-                       printf(" (CRL issuer: %Y)", cdp->issuer);
-               }
-               printf("\n");
-       }
-       enumerator->destroy(enumerator);
-
-       first = TRUE;
-       enumerator = x509->create_ocsp_uri_enumerator(x509);
-       while (enumerator->enumerate(enumerator, &uri))
-       {
-               if (first)
-               {
-                       printf("OCSP URIs: %s\n", uri);
-                       first = FALSE;
-               }
-               else
-               {
-                       printf("           %s\n", uri);
-               }
-       }
-       enumerator->destroy(enumerator);
-
-       len = x509->get_constraint(x509, X509_PATH_LEN);
-       if (len != X509_NO_CONSTRAINT)
-       {
-               printf("pathlen:   %d\n", len);
-       }
-
-       first = TRUE;
-       enumerator = x509->create_name_constraint_enumerator(x509, TRUE);
-       while (enumerator->enumerate(enumerator, &id))
-       {
-               if (first)
-               {
-                       printf("Permitted NameConstraints:\n");
-                       first = FALSE;
-               }
-               printf("           %Y\n", id);
-       }
-       enumerator->destroy(enumerator);
-       first = TRUE;
-       enumerator = x509->create_name_constraint_enumerator(x509, FALSE);
-       while (enumerator->enumerate(enumerator, &id))
-       {
-               if (first)
-               {
-                       printf("Excluded NameConstraints:\n");
-                       first = FALSE;
-               }
-               printf("           %Y\n", id);
-       }
-       enumerator->destroy(enumerator);
-
-       first = TRUE;
-       enumerator = x509->create_cert_policy_enumerator(x509);
-       while (enumerator->enumerate(enumerator, &policy))
-       {
-               char *oid;
-
-               if (first)
-               {
-                       printf("CertificatePolicies:\n");
-                       first = FALSE;
-               }
-               oid = asn1_oid_to_string(policy->oid);
-               if (oid)
-               {
-                       printf("           %s\n", oid);
-                       free(oid);
-               }
-               else
-               {
-                       printf("           %#B\n", &policy->oid);
-               }
-               if (policy->cps_uri)
-               {
-                       printf("             CPS: %s\n", policy->cps_uri);
-               }
-               if (policy->unotice_text)
-               {
-                       printf("             Notice: %s\n", policy->unotice_text);
-
-               }
-       }
-       enumerator->destroy(enumerator);
-
-       first = TRUE;
-       enumerator = x509->create_policy_mapping_enumerator(x509);
-       while (enumerator->enumerate(enumerator, &mapping))
-       {
-               char *issuer_oid, *subject_oid;
-
-               if (first)
-               {
-                       printf("PolicyMappings:\n");
-                       first = FALSE;
-               }
-               issuer_oid = asn1_oid_to_string(mapping->issuer);
-               subject_oid = asn1_oid_to_string(mapping->subject);
-               printf("           %s => %s\n", issuer_oid, subject_oid);
-               free(issuer_oid);
-               free(subject_oid);
-       }
-       enumerator->destroy(enumerator);
-
-       explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
-       inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
-       len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
+       certificate_t *cert;
+       certificate_type_t type;
+       x509_flag_t flag = X509_NONE;
+       bool has_privkey;
+       char *str;
+       void *buf;
+       int len;
  
  
-       if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT ||
-               len != X509_NO_CONSTRAINT)
+       if (*format & COMMAND_FORMAT_RAW)
         {
         {
-               printf("PolicyConstraints:\n");
-               if (explicit != X509_NO_CONSTRAINT)
-               {
-                       printf("           requireExplicitPolicy: %d\n", explicit);
-               }
-               if (inhibit != X509_NO_CONSTRAINT)
-               {
-                       printf("           inhibitPolicyMapping: %d\n", inhibit);
-               }
-               if (len != X509_NO_CONSTRAINT)
-               {
-                       printf("           inhibitAnyPolicy: %d\n", len);
-               }
+               vici_dump(res, "list-cert event", *format & COMMAND_FORMAT_PRETTY,
+                                 stdout);
+               return;
         }
  
         }
  
-       chunk = x509->get_authKeyIdentifier(x509);
-       if (chunk.ptr)
+       buf = vici_find(res, &len, "data");
+       if (!buf)
         {
         {
-               printf("authkeyId: %#B\n", &chunk);
+               fprintf(stderr, "received incomplete certificate data\n");
+               return;
         }
         }
+       has_privkey = streq(vici_find_str(res, "no", "has_privkey"), "yes");
  
  
-       chunk = x509->get_subjectKeyIdentifier(x509);
-       if (chunk.ptr)
+       str = vici_find_str(res, "ANY", "type");
+       if (!enum_from_name(certificate_type_names, str, &type) || type == CERT_ANY)
         {
         {
-               printf("subjkeyId: %#B\n", &chunk);
+               fprintf(stderr, "unsupported certificate type '%s'\n", str);
+               return;
         }
         }
-       if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
+       if (type == CERT_X509)
         {
         {
-               first = TRUE;
-               printf("addresses: ");
-               enumerator = x509->create_ipAddrBlock_enumerator(x509);
-               while (enumerator->enumerate(enumerator, &block))
+               str = vici_find_str(res, "ANY", "flag");
+               if (!enum_from_name(x509_flag_names, str, &flag) || flag == X509_ANY)
                 {
                 {
-                       if (first)
-                       {
-                               first = FALSE;
-                       }
-                       else
-                       {
-                               printf(", ");
-                       }
-                       printf("%R", block);
+                       fprintf(stderr, "unsupported certificate flag '%s'\n", str);
+                       return;
                 }
                 }
-               enumerator->destroy(enumerator);
-               printf("\n");
-       }
-}
-
-/**
- * Print CRL specific information
- */
-static void print_crl(crl_t *crl)
-{
-       enumerator_t *enumerator;
-       time_t ts;
-       crl_reason_t reason;
-       chunk_t chunk;
-       int count = 0;
-       bool first;
-       char buf[64];
-       struct tm tm;
-       x509_cdp_t *cdp;
-
-       chunk = chunk_skip_zero(crl->get_serial(crl));
-       printf("serial:    %#B\n", &chunk);
-
-       if (crl->is_delta_crl(crl, &chunk))
-       {
-               chunk = chunk_skip_zero(chunk);
-               printf("delta CRL: for serial %#B\n", &chunk);
         }
         }
-       chunk = crl->get_authKeyIdentifier(crl);
-       printf("authKeyId: %#B\n", &chunk);
  
  
-       first = TRUE;
-       enumerator = crl->create_delta_crl_uri_enumerator(crl);
-       while (enumerator->enumerate(enumerator, &cdp))
+       /* Parse certificate data blob */
+       cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
+                                                         BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
+                                                         BUILD_END);
+       if (cert)
         {
         {
-               if (first)
+               if (*format & COMMAND_FORMAT_PEM)
                 {
                 {
-                       printf("freshest:  %s", cdp->uri);
-                       first = FALSE;
+                       print_pem(cert);
                 }
                 else
                 {
                 }
                 else
                 {
-                       printf("           %s", cdp->uri);
-               }
-               if (cdp->issuer)
-               {
-                       printf(" (CRL issuer: %Y)", cdp->issuer);
+                       cert_printer->print_caption(cert_printer, type, flag);
+                       cert_printer->print(cert_printer, cert, has_privkey);
                 }
                 }
-               printf("\n");
-       }
-       enumerator->destroy(enumerator);
-
-       enumerator = crl->create_enumerator(crl);
-       while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
-       {
-               count++;
-       }
-       enumerator->destroy(enumerator);
-
-       printf("%d revoked certificate%s%s\n", count,
-                  count == 1 ? "" : "s", count ? ":" : "");
-       enumerator = crl->create_enumerator(crl);
-       while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
-       {
-               chunk = chunk_skip_zero(chunk);
-               localtime_r(&ts, &tm);
-               strftime(buf, sizeof(buf), "%F %T", &tm);
-               printf("    %#B %N %s\n", &chunk, crl_reason_names, reason, buf);
-               count++;
-       }
-       enumerator->destroy(enumerator);
-}
-
-/**
- * Print AC specific information
- */
-static void print_ac(ac_t *ac)
-{
-       ac_group_type_t type;
-       identification_t *id;
-       enumerator_t *groups;
-       chunk_t chunk;
-       bool first = TRUE;
-
-       chunk = chunk_skip_zero(ac->get_serial(ac));
-       printf("serial:    %#B\n", &chunk);
-
-       id = ac->get_holderIssuer(ac);
-       if (id)
-       {
-               printf("hissuer:  \"%Y\"\n", id);
-       }
-       chunk = chunk_skip_zero(ac->get_holderSerial(ac));
-       if (chunk.ptr)
-       {
-               printf("hserial:   %#B\n", &chunk);
-       }
-       groups = ac->create_group_enumerator(ac);
-       while (groups->enumerate(groups, &type, &chunk))
-       {
-               int oid;
-               char *str;
-
-               if (first)
-               {
-                       printf("groups:    ");
-                       first = FALSE;
-               }
-               else
-               {
-                       printf("           ");
-               }
-               switch (type)
-               {
-                       case AC_GROUP_TYPE_STRING:
-                               printf("%.*s", (int)chunk.len, chunk.ptr);
-                               break;
-                       case AC_GROUP_TYPE_OID:
-                               oid = asn1_known_oid(chunk);
-                               if (oid == OID_UNKNOWN)
-                               {
-                                       str = asn1_oid_to_string(chunk);
-                                       if (str)
-                                       {
-                                               printf("%s", str);
-                                               free(str);
-                                       }
-                                       else
-                                       {
-                                               printf("OID:%#B", &chunk);
-                                       }
-                               }
-                               else
-                               {
-                                       printf("%s", oid_names[oid].name);
-                               }
-                               break;
-                       case AC_GROUP_TYPE_OCTETS:
-                               printf("%#B", &chunk);
-                               break;
-               }
-               printf("\n");
-       }
-       groups->destroy(groups);
-
-       chunk = ac->get_authKeyIdentifier(ac);
-       if (chunk.ptr)
-       {
-               printf("authkey:  %#B\n", &chunk);
-       }
-}
-
-/**
- * Print certificate information
- */
-static void print_cert(certificate_t *cert, bool has_privkey)
-{
-       time_t now, notAfter, notBefore;
-       public_key_t *key;
-
-       now = time(NULL);
-
-       printf("cert:      %N\n", certificate_type_names, cert->get_type(cert));
-       if (cert->get_type(cert) != CERT_X509_CRL)
-       {
-               printf("subject:  \"%Y\"\n", cert->get_subject(cert));
-       }
-       printf("issuer:   \"%Y\"\n", cert->get_issuer(cert));
-
-       cert->get_validity(cert, &now, &notBefore, &notAfter);
-       printf("validity:  not before %T, ", &notBefore, FALSE);
-       if (now < notBefore)
-       {
-               printf("not valid yet (valid in %V)\n", &now, &notBefore);
+               cert->destroy(cert);
         }
         else
         {
         }
         else
         {
-               printf("ok\n");
-       }
-       printf("           not after  %T, ", &notAfter, FALSE);
-       if (now > notAfter)
-       {
-               printf("expired (%V ago)\n", &now, &notAfter);
-       }
-       else
-       {
-               printf("ok (expires in %V)\n", &now, &notAfter);
-       }
-
-       switch (cert->get_type(cert))
-       {
-               case CERT_X509:
-                       print_x509((x509_t*)cert);
-                       break;
-               case CERT_X509_CRL:
-                       print_crl((crl_t*)cert);
-                       break;
-               case CERT_X509_AC:
-                       print_ac((ac_t*)cert);
-                       break;
-               default:
-                       fprintf(stderr, "parsing certificate subtype %N not implemented\n",
-                                       certificate_type_names, cert->get_type(cert));
-                       break;
-       }
-       key = cert->get_public_key(cert);
-       if (key)
-       {
-               print_pubkey(key, has_privkey);
-               key->destroy(key);
-       }
-       printf("\n");
-}
-
-CALLBACK(list_cb, void,
-       command_format_options_t *format, char *name, vici_res_t *res)
-{
-       if (*format & COMMAND_FORMAT_RAW)
-       {
-               vici_dump(res, "list-cert event", *format & COMMAND_FORMAT_PRETTY,
-                                 stdout);
-       }
-       else
-       {
-               certificate_type_t type;
-               certificate_t *cert;
-               void *buf;
-               int len;
-               bool has_privkey;
-
-               buf = vici_find(res, &len, "data");
-               has_privkey = streq(vici_find_str(res, "no", "has_privkey"), "yes");
-               if (enum_from_name(certificate_type_names,
-                                                  vici_find_str(res, "ANY", "type"), &type) &&
-                       type != CERT_ANY && buf)
-               {
-                       cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
-                                                                       BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
-                                                                       BUILD_END);
-                       if (cert)
-                       {
-                               if (*format & COMMAND_FORMAT_PEM)
-                               {
-                                       print_pem(cert);
-                               }
-                               else
-                               {
-                                       print_cert(cert, has_privkey);
-                               }
-                               cert->destroy(cert);
-                       }
-                       else
-                       {
-                               fprintf(stderr, "parsing certificate failed\n");
-                       }
-               }
-               else
-               {
-                       fprintf(stderr, "received incomplete certificate data\n");
-               }
+               fprintf(stderr, "parsing certificate failed\n");
         }
  }
  
         }
  }
  
@@ -589,7 +122,8 @@ static int list_certs(vici_conn_t *conn)
         vici_req_t *req;
         vici_res_t *res;
         command_format_options_t format = COMMAND_FORMAT_NONE;
         vici_req_t *req;
         vici_res_t *res;
         command_format_options_t format = COMMAND_FORMAT_NONE;
-       char *arg, *subject = NULL, *type = NULL;
+       char *arg, *subject = NULL, *type = NULL, *flag = NULL;
+       bool detailed = TRUE, utc = FALSE;
         int ret;
  
         while (TRUE)
         int ret;
  
         while (TRUE)
@@ -604,6 +138,9 @@ static int list_certs(vici_conn_t *conn)
                         case 't':
                                 type = arg;
                                 continue;
                         case 't':
                                 type = arg;
                                 continue;
+                       case 'f':
+                               flag = arg;
+                               continue;
                         case 'p':
                                 format |= COMMAND_FORMAT_PEM;
                                 continue;
                         case 'p':
                                 format |= COMMAND_FORMAT_PEM;
                                 continue;
@@ -613,6 +150,12 @@ static int list_certs(vici_conn_t *conn)
                         case 'r':
                                 format |= COMMAND_FORMAT_RAW;
                                 continue;
                         case 'r':
                                 format |= COMMAND_FORMAT_RAW;
                                 continue;
+                       case 'S':
+                               detailed = FALSE;
+                               continue;
+                       case 'U':
+                               utc = TRUE;
+                               continue;
                         case EOF:
                                 break;
                         default:
                         case EOF:
                                 break;
                         default:
@@ -628,19 +171,28 @@ static int list_certs(vici_conn_t *conn)
                 return ret;
         }
         req = vici_begin("list-certs");
                 return ret;
         }
         req = vici_begin("list-certs");
+
         if (type)
         {
                 vici_add_key_valuef(req, "type", "%s", type);
         }
         if (type)
         {
                 vici_add_key_valuef(req, "type", "%s", type);
         }
+       if (flag)
+       {
+               vici_add_key_valuef(req, "flag", "%s", flag);
+       }
         if (subject)
         {
                 vici_add_key_valuef(req, "subject", "%s", subject);
         }
         if (subject)
         {
                 vici_add_key_valuef(req, "subject", "%s", subject);
         }
+       cert_printer = certificate_printer_create(stdout, detailed, utc);
+
         res = vici_submit(req, conn);
         if (!res)
         {
                 ret = errno;
                 fprintf(stderr, "list-certs request failed: %s\n", strerror(errno));
         res = vici_submit(req, conn);
         if (!res)
         {
                 ret = errno;
                 fprintf(stderr, "list-certs request failed: %s\n", strerror(errno));
+               cert_printer->destroy(cert_printer);
+               cert_printer = NULL;
                 return ret;
         }
         if (format & COMMAND_FORMAT_RAW)
                 return ret;
         }
         if (format & COMMAND_FORMAT_RAW)
@@ -649,6 +201,9 @@ static int list_certs(vici_conn_t *conn)
                                   stdout);
         }
         vici_free_res(res);
                                   stdout);
         }
         vici_free_res(res);
+
+       cert_printer->destroy(cert_printer);
+       cert_printer = NULL;
         return 0;
  }
  
         return 0;
  }
  
@@ -659,15 +214,20 @@ static void __attribute__ ((constructor))reg()
  {
         command_register((command_t) {
                 list_certs, 'x', "list-certs", "list stored certificates",
  {
         command_register((command_t) {
                 list_certs, 'x', "list-certs", "list stored certificates",
-               {"[--subject <dn/san>] [--type X509|X509_AC|X509_CRL] [--pem] "
-                "[--raw|--pretty]"},
+               {"[--subject <dn/san>] "
+                "[--type x509|x509_ac|x509_crl|ocsp_response|pubkey]\n         "
+                "[--flag none|ca|aa|ocsp|any] "
+                "[--pem] [--raw|--pretty|--short|--utc]"},
                 {
                         {"help",                'h', 0, "show usage information"},
                         {"subject",             's', 1, "filter by certificate subject"},
                         {"type",                't', 1, "filter by certificate type"},
                 {
                         {"help",                'h', 0, "show usage information"},
                         {"subject",             's', 1, "filter by certificate subject"},
                         {"type",                't', 1, "filter by certificate type"},
+                       {"flag",                'f', 1, "filter by X.509 certificate flag"},
                         {"pem",                 'p', 0, "print PEM encoding of certificate"},
                         {"raw",                 'r', 0, "dump raw response message"},
                         {"pretty",              'P', 0, "dump raw response message in pretty print"},
                         {"pem",                 'p', 0, "print PEM encoding of certificate"},
                         {"raw",                 'r', 0, "dump raw response message"},
                         {"pretty",              'P', 0, "dump raw response message in pretty print"},
+                       {"short",               'S', 0, "omit some certificate details"},
+                       {"utc",                 'U', 0, "use UTC for time fields"},
                 }
         });
  }
                 }
         });
  }