Refactored certificate management for the vici and stroke interfaces 5.4.0dr1
authorAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 11 Dec 2015 17:24:58 +0000 (18:24 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 11 Dec 2015 23:19:24 +0000 (00:19 +0100)
12 files changed:
src/libcharon/plugins/stroke/stroke_list.c
src/libcharon/plugins/vici/Makefile.am
src/libcharon/plugins/vici/README.md
src/libcharon/plugins/vici/perl/Vici-Session/README.pod
src/libcharon/plugins/vici/vici_cred.c
src/libcharon/plugins/vici/vici_query.c
src/libstrongswan/credentials/certificates/certificate_printer.c
src/libstrongswan/credentials/certificates/certificate_printer.h
src/stroke/stroke.c
src/swanctl/command.h
src/swanctl/commands/list_certs.c
src/swanctl/commands/load_creds.c

index e312ae1..2cc755e 100644 (file)
@@ -31,7 +31,6 @@
 #include <collections/linked_list.h>
 #include <plugins/plugin.h>
 #include <credentials/certificates/x509.h>
-#include <credentials/certificates/pgp_certificate.h>
 #include <credentials/certificates/certificate_printer.h>
 #include <config/peer_cfg.h>
 
@@ -64,6 +63,11 @@ struct private_stroke_list_t {
 };
 
 /**
+ * Static certificate printer object
+ */
+static certificate_printer_t *cert_printer = NULL;
+
+/**
  * Log tasks of a specific queue to out
  */
 static void log_task_q(FILE *out, ike_sa_t *ike_sa, task_queue_t q, char *name)
@@ -761,132 +765,49 @@ static bool has_privkey(certificate_t *cert)
 }
 
 /**
- * list OpenPGP certificates
- */
-static void stroke_list_pgp_certs(linked_list_t *list, char *label,
-                                                                 bool utc, FILE *out)
-{
-       bool first = TRUE;
-       time_t now = time(NULL);
-       enumerator_t *enumerator = list->create_enumerator(list);
-       certificate_t *cert;
-       chunk_t keyid;
-
-       while (enumerator->enumerate(enumerator, (void**)&cert))
-       {
-               time_t created, until;
-               public_key_t *public;
-               pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert;
-               chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
-
-               if (first)
-               {
-                       fprintf(out, "\n");
-                       fprintf(out, "List of %ss:\n", label);
-                       first = FALSE;
-               }
-               fprintf(out, "\n");
-               fprintf(out, "  userid:   '%Y'\n", cert->get_subject(cert));
-               fprintf(out, "  digest:    %#B\n", &fingerprint);
-
-               /* list validity */
-               cert->get_validity(cert, &now, &created, &until);
-               fprintf(out, "  created:   %T\n", &created, utc);
-               fprintf(out, "  until:     %T%s\n", &until, utc,
-                       (until == TIME_32_BIT_SIGNED_MAX) ? " (expires never)":"");
-
-               public = cert->get_public_key(cert);
-               if (public)
-               {
-                       fprintf(out, "  pubkey:    %N %d bits%s\n",
-                                       key_type_names, public->get_type(public),
-                                       public->get_keysize(public),
-                                       has_privkey(cert) ? ", has private key" : "");
-
-                       if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
-                       {
-                               fprintf(out, "  keyid:     %#B\n", &keyid);
-                       }
-                       if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
-                       {
-                               fprintf(out, "  subjkey:   %#B\n", &keyid);
-                       }
-                       public->destroy(public);
-               }
-       }
-       enumerator->destroy(enumerator);
-}
-
-/**
  * list all X.509 certificates matching the flags
  */
-static void stroke_list_x509_certs(linked_list_t *list, char *label,
-                                                                  x509_flag_t flags, bool utc, FILE *out)
+static void stroke_list_x509_certs(linked_list_t *list, x509_flag_t flag)
 {
-       bool first = TRUE;
        enumerator_t *enumerator;
        certificate_t *cert;
-       certificate_printer_t *printer;
-       x509_flag_t flag_mask;
-
-       printer = certificate_printer_create(out, TRUE, utc),
-
-       /* mask all auxiliary flags */
-       flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH | X509_IKE_INTERMEDIATE |
-                                 X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS);
 
        enumerator = list->create_enumerator(list);
        while (enumerator->enumerate(enumerator, (void**)&cert))
        {
                x509_t *x509 = (x509_t*)cert;
-               x509_flag_t x509_flags = x509->get_flags(x509) & flag_mask;
+               x509_flag_t flags = x509->get_flags(x509) & X509_ANY;
 
                /* list only if flag is set or flag == 0 */
-               if ((x509_flags & flags) || (x509_flags == flags))
+               if ((flags & flag) || flags == flag)
                {
-                       if (first)
-                       {
-                               fprintf(out, "\n");
-                               fprintf(out, "List of %ss:\n", label);
-                               first = FALSE;
-                       }
-                       fprintf(out, "\n");
-                       printer->print(printer, cert, has_privkey(cert));
+                       cert_printer->print_caption(cert_printer, CERT_X509, flag);
+                       cert_printer->print(cert_printer, cert, has_privkey(cert));
                }
        }
        enumerator->destroy(enumerator);
-
-       printer->destroy(printer);
 }
 
 /**
  * list all other certificates types
  */
-static void stroke_list_other_certs(linked_list_t *list, char *label,
-                                                                       bool utc, FILE *out)
+static void stroke_list_other_certs(certificate_type_t type)
 {
-       bool first = TRUE;
        enumerator_t *enumerator;
        certificate_t *cert;
-       certificate_printer_t *printer;
+       linked_list_t *list;
 
-       printer = certificate_printer_create(out, TRUE, utc),
+       list = create_unique_cert_list(type);
 
        enumerator = list->create_enumerator(list);
        while (enumerator->enumerate(enumerator, &cert))
        {
-               if (first)
-               {
-                       fprintf(out, "\n");
-                       fprintf(out, "List of %ss:\n", label);
-                       first = FALSE;
-               }
-               fprintf(out, "\n");
-               printer->print(printer, cert, has_privkey(cert));
+               cert_printer->print_caption(cert_printer, cert->get_type(cert), X509_NONE);
+               cert_printer->print(cert_printer, cert, has_privkey(cert));
        }
        enumerator->destroy(enumerator);
 
-       printer->destroy(printer);
+       list->destroy_offset(list, offsetof(certificate_t, destroy));
 }
 
 /**
@@ -1058,21 +979,15 @@ METHOD(stroke_list_t, list, void,
 {
        linked_list_t *cert_list = NULL;
 
+       cert_printer = certificate_printer_create(out, TRUE, msg->list.utc);
+
        if (msg->list.flags & LIST_PUBKEYS)
        {
-               linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY);
-
-               stroke_list_other_certs(pubkey_list, "Raw Public Key",
-                                                               msg->list.utc, out);
-               pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy));
+               stroke_list_other_certs(CERT_TRUSTED_PUBKEY);
        }
        if (msg->list.flags & LIST_CERTS)
        {
-               linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG);
-
-               stroke_list_pgp_certs(pgp_list, "PGP End Entity Certificate",
-                                                         msg->list.utc, out);
-               pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy));
+               stroke_list_other_certs(CERT_GPG);
        }
        if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS))
        {
@@ -1080,49 +995,33 @@ METHOD(stroke_list_t, list, void,
        }
        if (msg->list.flags & LIST_CERTS)
        {
-               stroke_list_x509_certs(cert_list, "X.509 End Entity Certificate",
-                                                          X509_NONE, msg->list.utc, out);
+               stroke_list_x509_certs(cert_list, X509_NONE);
        }
        if (msg->list.flags & LIST_CACERTS)
        {
-               stroke_list_x509_certs(cert_list, "X.509 CA Certificate",
-                                                          X509_CA, msg->list.utc, out);
+               stroke_list_x509_certs(cert_list, X509_CA);
        }
        if (msg->list.flags & LIST_OCSPCERTS)
        {
-               stroke_list_x509_certs(cert_list, "X.509 OCSP Signer Certificate",
-                                                          X509_OCSP_SIGNER, msg->list.utc, out);
+               stroke_list_x509_certs(cert_list, X509_OCSP_SIGNER);
        }
        if (msg->list.flags & LIST_AACERTS)
        {
-               stroke_list_x509_certs(cert_list, "X.509 AA Certificate",
-                                                          X509_AA, msg->list.utc, out);
+               stroke_list_x509_certs(cert_list, X509_AA);
        }
        DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
 
        if (msg->list.flags & LIST_ACERTS)
        {
-               linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC);
-
-               stroke_list_other_certs(ac_list, "X.509 Attribute Certificate",
-                                                               msg->list.utc, out);
-               ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy));
+               stroke_list_other_certs(CERT_X509_AC);
        }
        if (msg->list.flags & LIST_CRLS)
        {
-               linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL);
-
-               stroke_list_other_certs(crl_list, "X.509 CRL",
-                                                               msg->list.utc, out);
-               crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy));
+               stroke_list_other_certs(CERT_X509_CRL);
        }
        if (msg->list.flags & LIST_OCSP)
        {
-               linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE);
-
-               stroke_list_other_certs(ocsp_list, "OCSP Response",
-                                                               msg->list.utc, out);
-               ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy));
+               stroke_list_other_certs(CERT_X509_OCSP_RESPONSE);
        }
        if (msg->list.flags & LIST_ALGS)
        {
@@ -1132,6 +1031,8 @@ METHOD(stroke_list_t, list, void,
        {
                list_plugins(out);
        }
+       cert_printer->destroy(cert_printer);
+       cert_printer = NULL;
 }
 
 /**
index 99acc76..f51670d 100644 (file)
@@ -18,7 +18,7 @@ libstrongswan_vici_la_SOURCES = \
        vici_message.h vici_message.c \
        vici_builder.h vici_builder.c \
        vici_dispatcher.h vici_dispatcher.c \
-       vici_cert_info.c vici_cert_info.h \
+       vici_cert_info.h vici_cert_info.c \
        vici_query.h vici_query.c \
        vici_control.h vici_control.c \
        vici_config.h vici_config.c \
@@ -39,7 +39,7 @@ ipseclib_LTLIBRARIES = libvici.la
 libvici_la_SOURCES = \
        vici_message.c vici_message.h \
        vici_builder.c vici_builder.h \
-       vici_cert_info.c vici_cert_info.h \
+       vici_cert_info.h vici_cert_info.c \
        libvici.c libvici.h
 
 libvici_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
index b7e2a5e..133d9ae 100644 (file)
@@ -369,7 +369,9 @@ call includes all certificates known by the daemon, not only those loaded
 over vici.
 
        {
-               type = <certificate type to filter for, or ANY>
+               type = <certificate type to filter for, X509|X509_AC|X509_CRL|
+                                                                                               OCSP_RESPONSE|PUBKEY  or ANY>
+               flag = <X.509 certificate flag to filter for, NONE|CA|AA|OCSP or ANY>
                subject = <set to list only certificates having subject>
        } => {
                # completes after streaming list-cert events
@@ -427,7 +429,8 @@ Unload a previously loaded connection definition by name.
 Load a certificate into the daemon.
 
        {
-               type = <certificate type, X509|X509CA|X509AA|X509CRL|X509AC>
+               type = <certificate type, X509|X509_AC|X509_CRL>
+               flag = <X.509 certificate flag, NONE|CA|AA|OCSP>
                data = <PEM or DER encoded certificate data>
        } => {
                success = <yes or no>
@@ -753,7 +756,8 @@ The _list-cert_ event is issued to stream loaded certificates during an active
 _list-certs_ command.
 
        {
-               type = <certificate type>
+               type = <certificate type, X509|X509_AC|X509_CRL|OCSP_RESPONSE|PUBKEY>
+               flag = <X.509 certificate flag, NONE|CA|AA|OCSP>
                has_privkey = <set if a private key for the certificate is available>
                data = <ASN1 encoded certificate data>
        }
index 9bfd3ff..de73a03 100644 (file)
@@ -164,13 +164,13 @@ print $version->raw(), "\n";
 
 loads a certificate into the daemon.
 
-  my %vars = ( type => 'X509CA', data => $ca_cert );
+  my %vars = ( type => 'X509', flag => 'CA', data => $ca_cert );
   my ($res, $errmsg) = $session->load_cert(Vici::Message->new(\%vars));
 
 =cut
 
 print "----- load-cert -----\n";
-my %vars = ( type => 'X509CA', data => $ca_cert ); 
+my %vars = ( type => 'X509', flag => 'CA', data => $ca_cert );
 my ($res, $errmsg) = $session->load_cert(Vici::Message->new(\%vars));
 print $res ? "ok\n" : "failed: $errmsg\n";
 
index e2aa5a9..fa3158f 100644 (file)
@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -67,9 +70,9 @@ static vici_message_t* create_reply(char *fmt, ...)
 CALLBACK(load_cert, vici_message_t*,
        private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
 {
-       vici_cert_info_t *cert_info;
        certificate_t *cert;
-       x509_flag_t flag;
+       certificate_type_t type;
+       x509_flag_t ext_flag, flag = X509_NONE;
        x509_t *x509;
        chunk_t data;
        bool trusted = TRUE;
@@ -80,9 +83,18 @@ CALLBACK(load_cert, vici_message_t*,
        {
                return create_reply("certificate type missing");
        }
-
-       cert_info = vici_cert_info_retrieve(str);
-       if (!cert_info)
+       if (enum_from_name(certificate_type_names, str, &type))
+       {
+               if (type == CERT_X509)
+               {
+                       str = message->get_str(message, "NONE", "flag");
+                       if (!enum_from_name(x509_flag_names, str, &flag))
+                       {
+                               return create_reply("invalid certificate flag '%s'", str);
+                       }
+               }
+       }
+       else if (!vici_cert_info_from_str(str, &type, &flag))
        {
                return create_reply("invalid certificate type '%s'", str);
        }
@@ -94,21 +106,21 @@ CALLBACK(load_cert, vici_message_t*,
        }
 
        /* do not set CA flag externally */
-       flag = (cert_info->flag & X509_CA) ? X509_NONE : cert_info->flag;
+       ext_flag = (flag & X509_CA) ? X509_NONE : flag;
 
-       cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, cert_info->type,
+       cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
                                                          BUILD_BLOB_PEM, data,
-                                                         BUILD_X509_FLAG, flag,
+                                                         BUILD_X509_FLAG, ext_flag,
                                                          BUILD_END);
        if (!cert)
        {
                return create_reply("parsing %N certificate failed",
-                                                       certificate_type_names, cert_info->type);
+                                                       certificate_type_names, type);
        }
        DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
 
        /* check if CA certificate has CA basic constraint set */
-       if (cert_info->flag & X509_CA)
+       if (flag & X509_CA)
        {
                char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
                x509 = (x509_t*)cert;
@@ -120,7 +132,7 @@ CALLBACK(load_cert, vici_message_t*,
                        return create_reply(err_msg);
                }
        }
-       if (cert_info->type == CERT_X509_CRL)
+       if (type == CERT_X509_CRL)
        {
                this->creds->add_crl(this->creds, (crl_t*)cert);
        }
index 2ea9228..76cfb52 100644 (file)
@@ -40,8 +40,6 @@
 
 #include "vici_query.h"
 #include "vici_builder.h"
-#include "vici_version.h"
-#include "vici_cert_info.h"
 
 #include <inttypes.h>
 #include <time.h>
@@ -53,6 +51,8 @@
 #endif
 
 #include <daemon.h>
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/x509.h>
 
 typedef struct private_vici_query_t private_vici_query_t;
 
@@ -809,7 +809,6 @@ static bool has_privkey(certificate_t *cert)
  * Store cert filter data
  */
 typedef struct {
-       vici_version_t version;
        certificate_type_t type;
        x509_flag_t flag;
        identification_t *subject;
@@ -820,27 +819,25 @@ typedef struct {
  */
 static void enum_x509(private_vici_query_t *this, u_int id,
                                          linked_list_t *certs, cert_filter_t *filter,
-                                         x509_flag_t flag, char *cert_type)
+                                         x509_flag_t flag)
 {
        enumerator_t *enumerator;
        certificate_t *cert;
        vici_builder_t *b;
        chunk_t encoding;
-       x509_flag_t mask;
        x509_t *x509;
 
-       if (filter->type != CERT_ANY && filter->version != VICI_1_0 &&
+       if (filter->type != CERT_ANY && filter->flag != X509_ANY &&
                filter->flag != flag)
        {
                return;
        }
-       mask = X509_CA | X509_AA | X509_OCSP_SIGNER;
 
        enumerator = certs->create_enumerator(certs);
        while (enumerator->enumerate(enumerator, &cert))
        {
                x509 = (x509_t*)cert;
-               if ((x509->get_flags(x509) & mask) != flag)
+               if ((x509->get_flags(x509) & X509_ANY) != flag)
                {
                        continue;
                }
@@ -848,16 +845,8 @@ static void enum_x509(private_vici_query_t *this, u_int id,
                if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
                {
                        b = vici_builder_create();
-                       if (filter->version == VICI_1_0)
-                       {
-                               b->add_kv(b, "type", "%N", certificate_type_names,
-                                                                                  cert->get_type(cert));
-                       }
-                       else
-                       {
-                               b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION);
-                               b->add_kv(b, "type", "%s", cert_type);
-                       }
+                       b->add_kv(b, "type", "%N", certificate_type_names, CERT_X509);
+                       b->add_kv(b, "flag", "%N", x509_flag_names, flag);
                        if (has_privkey(cert))
                        {
                                b->add_kv(b, "has_privkey", "yes");
@@ -876,8 +865,7 @@ static void enum_x509(private_vici_query_t *this, u_int id,
  * Enumerate all non-X.509 certificate types
  */
 static void enum_others(private_vici_query_t *this, u_int id,
-                                               linked_list_t *certs, cert_filter_t *filter,
-                                               char *cert_type)
+                                               linked_list_t *certs, cert_filter_t *filter)
 {
        enumerator_t *enumerator;
        certificate_t *cert;
@@ -890,16 +878,8 @@ static void enum_others(private_vici_query_t *this, u_int id,
                if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
                {
                        b = vici_builder_create();
-                       if (filter->version == VICI_1_0)
-                       {
-                               b->add_kv(b, "type", "%N", certificate_type_names,
-                                                                                  cert->get_type(cert));
-                       }
-                       else
-                       {
-                               b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION);
-                               b->add_kv(b, "type", "%s", cert_type);
-                       }
+                       b->add_kv(b, "type", "%N", certificate_type_names,
+                                                                          cert->get_type(cert));
                        if (has_privkey(cert))
                        {
                                b->add_kv(b, "has_privkey", "yes");
@@ -918,8 +898,7 @@ static void enum_others(private_vici_query_t *this, u_int id,
  * Enumerate all certificates of a given type
  */
 static void enum_certs(private_vici_query_t *this,     u_int id,
-                                          cert_filter_t *filter, certificate_type_t type,
-                                          char *cert_type)
+                                          cert_filter_t *filter, certificate_type_t type)
 {
        enumerator_t *e1, *e2;
        certificate_t *cert, *current;
@@ -958,14 +937,14 @@ static void enum_certs(private_vici_query_t *this,        u_int id,
 
        if (type == CERT_X509)
        {
-               enum_x509(this, id, certs, filter, X509_NONE, "x509");
-               enum_x509(this, id, certs, filter, X509_CA, "x509ca");
-               enum_x509(this, id, certs, filter, X509_AA, "x509ac");
-               enum_x509(this, id, certs, filter, X509_OCSP_SIGNER, "x509ocsp");
+               enum_x509(this, id, certs, filter, X509_NONE);
+               enum_x509(this, id, certs, filter, X509_CA);
+               enum_x509(this, id, certs, filter, X509_AA);
+               enum_x509(this, id, certs, filter, X509_OCSP_SIGNER);
        }
        else
        {
-               enum_others(this, id, certs, filter, cert_type);
+               enum_others(this, id, certs, filter);
        }
        certs->destroy_offset(certs, offsetof(certificate_t, destroy));
 }
@@ -974,43 +953,25 @@ CALLBACK(list_certs, vici_message_t*,
        private_vici_query_t *this, char *name, u_int id, vici_message_t *request)
 {
        cert_filter_t filter = {
-               .version = VICI_1_0,
                .type = CERT_ANY,
-               .flag = X509_NONE,
+               .flag = X509_ANY,
                .subject = NULL
        };
        vici_builder_t *b;
        char *str;
 
-       str = request->get_str(request, "1.0", "vici");
-       if (!enum_from_name(vici_version_names, str, &filter.version))
-       {
-               DBG1(DBG_CFG, "unsupported vici version '%s'", str);
-               goto finalize;
-       }
        str = request->get_str(request, "ANY", "type");
-
-       if (filter.version == VICI_1_0)
+       if (!enum_from_name(certificate_type_names, str, &filter.type))
        {
-               if (!enum_from_name(certificate_type_names, str, &filter.type))
-               {
-                       DBG1(DBG_CFG, "invalid certificate type '%s'", str);
-                       goto finalize;
-               }
+               DBG1(DBG_CFG, "invalid certificate type '%s'", str);
+               goto finalize;
        }
-       else    /* VICI 2.0 */
+       if (filter.type == CERT_X509)
        {
-               vici_cert_info_t *cert_info;
-
-               cert_info = vici_cert_info_retrieve(str);
-               if (cert_info)
+               str = request->get_str(request, "ANY", "flag");
+               if (!enum_from_name(x509_flag_names, str, &filter.flag))
                {
-                       filter.type = cert_info->type;
-                       filter.flag = cert_info->flag;
-               }
-               else
-               {
-                       DBG1(DBG_CFG, "invalid certificate type '%s'", str);
+                       DBG1(DBG_CFG, "invalid certificate flag '%s'", str);
                        goto finalize;
                }
        }
@@ -1020,11 +981,12 @@ CALLBACK(list_certs, vici_message_t*,
        {
                filter.subject = identification_create_from_string(str);
        }
-       enum_certs(this, id, &filter, CERT_TRUSTED_PUBKEY, "pubkey");
-       enum_certs(this, id, &filter, CERT_X509, "x509");
-       enum_certs(this, id, &filter, CERT_X509_AC, "x509ac");
-       enum_certs(this, id, &filter, CERT_X509_CRL, "x509crl");
-       enum_certs(this, id, &filter, CERT_X509_OCSP_RESPONSE, "ocsp");
+
+       enum_certs(this, id, &filter, CERT_TRUSTED_PUBKEY);
+       enum_certs(this, id, &filter, CERT_X509);
+       enum_certs(this, id, &filter, CERT_X509_AC);
+       enum_certs(this, id, &filter, CERT_X509_CRL);
+       enum_certs(this, id, &filter, CERT_X509_OCSP_RESPONSE);
        DESTROY_IF(filter.subject);
 
 finalize:
@@ -1140,8 +1102,6 @@ CALLBACK(version, vici_message_t*,
        vici_builder_t *b;
 
        b = vici_builder_create();
-
-       b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION);
        b->add_kv(b, "daemon", "%s", lib->ns);
        b->add_kv(b, "version", "%s", VERSION);
 
index 4326950..c618e80 100644 (file)
  */
 
 #include "certificate_printer.h"
-#include "x509.h"
-#include "crl.h"
-#include "ac.h"
-#include "ocsp_response.h"
+#include "credentials/certificates/x509.h"
+#include "credentials/certificates/crl.h"
+#include "credentials/certificates/ac.h"
+#include "credentials/certificates/ocsp_response.h"
+#include "credentials/certificates/pgp_certificate.h"
 
 #include <asn1/asn1.h>
 #include <asn1/oid.h>
@@ -54,6 +55,17 @@ struct private_certificate_printer_t {
         * Print time information in UTC
         */
        bool utc;
+
+       /**
+        * Previous certificate type
+        */
+       certificate_type_t type;
+
+       /**
+        * Previous X.509 certificate flag
+        */
+       x509_flag_t flag;
+
 };
 
 /**
@@ -568,7 +580,7 @@ METHOD(certificate_printer_t, print, void,
        {
                fprintf(f, "  subject:  \"%Y\"\n", subject);
        }
-       if (cert->get_type(cert) != CERT_TRUSTED_PUBKEY)
+       if (type != CERT_TRUSTED_PUBKEY && type != CERT_GPG)
        {
                fprintf(f, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
        }
@@ -577,35 +589,44 @@ METHOD(certificate_printer_t, print, void,
        cert->get_validity(cert, &now, &notBefore, &notAfter);
        if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME)
        {
-               if (type == CERT_X509_CRL || type == CERT_X509_OCSP_RESPONSE)
-               {
-                       t0 = "update:  ";
-                       t1 = "this on";
-                       t2 = "next on";
-               }
-               else
-               {
-                       t0 = "validity:";
-                       t1 = "not before";
-                       t2 = "not after ";
-               }
-               fprintf(f, "  %s  %s %T, ", t0, t1, &notBefore, this->utc);
-               if (now < notBefore)
-               {
-                       fprintf(f, "not valid yet (valid in %V)\n", &now, &notBefore);
-               }
-               else
-               {
-                       fprintf(f, "ok\n");
-               }
-               fprintf(f, "             %s %T, ", t2, &notAfter, this->utc);
-               if (now > notAfter)
+               if (type == CERT_GPG)
                {
-                       fprintf(f, "expired (%V ago)\n", &now, &notAfter);
+                       fprintf(f, "  created:   %T\n", &notBefore, this->utc);
+                       fprintf(f, "  until:     %T%s\n", &notAfter, this->utc,
+                               (notAfter == TIME_32_BIT_SIGNED_MAX) ?" expires never" : "");
                }
                else
                {
-                       fprintf(f, "ok (expires in %V)\n", &now, &notAfter);
+                        if (type == CERT_X509_CRL || type == CERT_X509_OCSP_RESPONSE)
+                       {
+                               t0 = "update:  ";
+                               t1 = "this on";
+                               t2 = "next on";
+                       }
+                       else
+                       {
+                               t0 = "validity:";
+                               t1 = "not before";
+                               t2 = "not after ";
+                       }
+                       fprintf(f, "  %s  %s %T, ", t0, t1, &notBefore, this->utc);
+                       if (now < notBefore)
+                       {
+                               fprintf(f, "not valid yet (valid in %V)\n", &now, &notBefore);
+                       }
+                       else
+                       {
+                               fprintf(f, "ok\n");
+                       }
+                       fprintf(f, "             %s %T, ", t2, &notAfter, this->utc);
+                       if (now > notAfter)
+                       {
+                               fprintf(f, "expired (%V ago)\n", &now, &notAfter);
+                       }
+                       else
+                       {
+                               fprintf(f, "ok (expires in %V)\n", &now, &notAfter);
+                       }
                }
        }
 
@@ -627,6 +648,13 @@ METHOD(certificate_printer_t, print, void,
                default:
                        break;
        }
+       if (type == CERT_GPG)
+       {
+               pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert;
+               chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
+
+               fprintf(f, "  pgpDigest: %#B\n", &fingerprint);
+       }
        key = cert->get_public_key(cert);
        if (key)
        {
@@ -635,6 +663,65 @@ METHOD(certificate_printer_t, print, void,
        }
 }
 
+METHOD(certificate_printer_t, print_caption, void,
+       private_certificate_printer_t *this, certificate_type_t type,
+       x509_flag_t flag)
+{
+       char *caption;
+
+       if (type != this->type || (type == CERT_X509 && flag != this->flag))
+       {
+               switch (type)
+               {
+                       case CERT_X509:
+                               switch (flag)
+                               {
+                                       case X509_NONE:
+                                               caption = "X.509 End Entity Certificate";
+                                               break;
+                                       case X509_CA:
+                                               caption = "X.509 CA Certificate";
+                                               break;
+                                       case X509_AA:
+                                               caption = "X.509 AA Certificate";
+                                               break;
+                                       case X509_OCSP_SIGNER:
+                                               caption = "X.509 OCSP Signer Certificate";
+                                               break;
+                                       default:
+                                               return;
+                               }
+                               break;
+                       case CERT_X509_AC:
+                               caption = "X.509 Attribute Certificate";
+                               break;
+                       case CERT_X509_CRL:
+                               caption = "X.509 CRL";
+                               break;
+                       case CERT_X509_OCSP_RESPONSE:
+                               caption = "OCSP Response";
+                               break;
+                       case CERT_TRUSTED_PUBKEY:
+                               caption = "Raw Public Key";
+                               break;
+                       case CERT_GPG:
+                               caption = "PGP End Entity Certificate";
+                               break;
+                       default:
+                               return;
+               }
+               fprintf(this->f, "\nList of %ss\n", caption);
+
+               /* Update to current type and flag value */
+               this->type = type;
+               if (type == CERT_X509)
+               {
+                       this->flag = flag;
+               }
+       }
+       fprintf(this->f, "\n");
+}
+
 METHOD(certificate_printer_t, destroy, void,
        private_certificate_printer_t *this)
 {
@@ -652,11 +739,14 @@ certificate_printer_t *certificate_printer_create(FILE *f, bool detailed,
        INIT(this,
                .public = {
                        .print = _print,
+                       .print_caption = _print_caption,
                        .destroy = _destroy,
                },
                .f = f,
                .detailed = detailed,
                .utc = utc,
+               .type = CERT_ANY,
+               .flag = X509_ANY,
        );
 
        return &this->public;
index f11b77e..480b1d9 100644 (file)
@@ -24,6 +24,7 @@
 typedef struct certificate_printer_t certificate_printer_t;
 
 #include "credentials/certificates/certificate.h"
+#include "credentials/certificates/x509.h"
 
 #include <stdio.h>
 
@@ -42,6 +43,15 @@ struct certificate_printer_t {
                                  bool has_privkey);
 
        /**
+        * Print a caption if the certificate type changed.
+        *
+        * @type                        certificate type
+        * @flag                        X.509 certificate flag
+        */
+       void (*print_caption)(certificate_printer_t *this, certificate_type_t type,
+                                                 x509_flag_t flag);
+
+       /**
         * Destroy the certificate_printer object.
         */
        void (*destroy)(certificate_printer_t *this);
index 2dfb66d..ccf1f7c 100644 (file)
@@ -433,9 +433,9 @@ static int usage(char *error)
        fprintf(out, "  Show extended status information without blocking:\n");
        fprintf(out, "    stroke statusall-nb\n");
        fprintf(out, "  Show list of authority and attribute certificates:\n");
-       fprintf(out, "    stroke listcacerts|listocspcerts|listaacerts|listacerts\n");
+       fprintf(out, "    stroke listcacerts|listocspcerts|listaacerts|listacerts [--utc]\n");
        fprintf(out, "  Show list of end entity certificates, ca info records  and crls:\n");
-       fprintf(out, "    stroke listcerts|listcainfos|listcrls|listall\n");
+       fprintf(out, "    stroke listcerts|listcainfos|listcrls|listall [--utc]\n");
        fprintf(out, "  Show list of supported algorithms:\n");
        fprintf(out, "    stroke listalgs\n");
        fprintf(out, "  Reload authority and attribute certificates:\n");
index b7c6e4d..7eb11a6 100644 (file)
@@ -2,9 +2,6 @@
  * Copyright (C) 2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
- * Copyright (C) 2015 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -35,7 +32,7 @@
 /**
  * Maximum number of options in a command (+3)
  */
-#define MAX_OPTIONS 32
+#define MAX_OPTIONS 34
 
 /**
  * Maximum number of usage summary lines (+1)
@@ -82,12 +79,10 @@ struct command_t {
  * Command format options
 */
 enum command_format_options_t {
-       COMMAND_FORMAT_NONE   =  0,
+       COMMAND_FORMAT_NONE   = 0,
        COMMAND_FORMAT_RAW    = (1<<0),
        COMMAND_FORMAT_PRETTY = (1<<1),
        COMMAND_FORMAT_PEM    = (1<<2),
-       COMMAND_FORMAT_SHORT  = (1<<3),
-       COMMAND_FORMAT_UTC    = (1<<4),
 };
 
 /**
index f3821a5..b2ff3b5 100644 (file)
 #include <credentials/certificates/certificate_printer.h>
 #include <selectors/traffic_selector.h>
 
-#include <vici_version.h>
-#include <vici_cert_info.h>
-
 #include "command.h"
 
 /**
- * Current certificate type info
+ * Static certificate printer object
  */
-static vici_cert_info_t *current_cert_info = NULL;
+static certificate_printer_t *cert_printer = NULL;
 
 /**
  * Print PEM encoding of a certificate
@@ -59,11 +56,10 @@ CALLBACK(list_cb, void,
        command_format_options_t *format, char *name, vici_res_t *res)
 {
        certificate_t *cert;
-       certificate_printer_t *printer;
-       vici_version_t version;
-       vici_cert_info_t *cert_info;
-       bool detailed, utc, has_privkey, first = FALSE;
-       char *version_str, *type_str;
+       certificate_type_t type;
+       x509_flag_t flag = X509_NONE;
+       bool has_privkey;
+       char *str;
        void *buf;
        int len;
 
@@ -74,14 +70,6 @@ CALLBACK(list_cb, void,
                return;
        }
 
-       version_str = vici_find_str(res, "1.0", "vici");
-       if (!enum_from_name(vici_version_names, version_str, &version) ||
-               version == VICI_1_0)
-       {
-               fprintf(stderr, "unsupported vici version '%s'\n", version_str);
-               return;
-       }
-
        buf = vici_find(res, &len, "data");
        if (!buf)
        {
@@ -90,23 +78,24 @@ CALLBACK(list_cb, void,
        }
        has_privkey = streq(vici_find_str(res, "no", "has_privkey"), "yes");
 
-       type_str = vici_find_str(res, "any", "type");
-       cert_info = vici_cert_info_retrieve(type_str);
-       if (!cert_info || cert_info->type == CERT_ANY)
+       str = vici_find_str(res, "ANY", "type");
+       if (!enum_from_name(certificate_type_names, str, &type) || type == CERT_ANY)
        {
-               fprintf(stderr, "unsupported certificate type '%s'\n", type_str);
+               fprintf(stderr, "unsupported certificate type '%s'\n", str);
                return;
        }
-
-       /* Detect change of certificate type */
-       if (cert_info != current_cert_info)
+       if (type == CERT_X509)
        {
-               first = TRUE;
-               current_cert_info = cert_info;
+               str = vici_find_str(res, "ANY", "flag");
+               if (!enum_from_name(x509_flag_names, str, &flag) || flag == X509_ANY)
+               {
+                       fprintf(stderr, "unsupported certificate flag '%s'\n", str);
+                       return;
+               }
        }
 
        /* Parse certificate data blob */
-       cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, cert_info->type,
+       cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
                                                          BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
                                                          BUILD_END);
        if (cert)
@@ -117,16 +106,8 @@ CALLBACK(list_cb, void,
                }
                else
                {
-                       if (first)
-                       {
-                               printf("\nList of %ss:\n", cert_info->caption);
-                       }
-                       printf("\n");
-                       detailed = !(*format & COMMAND_FORMAT_SHORT);
-                       utc = *format & COMMAND_FORMAT_UTC;
-                       printer = certificate_printer_create(stdout, detailed, utc);
-                       printer->print(printer, cert, has_privkey);
-                       printer->destroy(printer);
+                       cert_printer->print_caption(cert_printer, type, flag);
+                       cert_printer->print(cert_printer, cert, has_privkey);
                }
                cert->destroy(cert);
        }
@@ -141,7 +122,8 @@ static int list_certs(vici_conn_t *conn)
        vici_req_t *req;
        vici_res_t *res;
        command_format_options_t format = COMMAND_FORMAT_NONE;
-       char *arg, *subject = NULL, *type = NULL;
+       char *arg, *subject = NULL, *type = NULL, *flag = NULL;
+       bool detailed = TRUE, utc = FALSE;
        int ret;
 
        while (TRUE)
@@ -156,6 +138,9 @@ static int list_certs(vici_conn_t *conn)
                        case 't':
                                type = arg;
                                continue;
+                       case 'f':
+                               flag = arg;
+                               continue;
                        case 'p':
                                format |= COMMAND_FORMAT_PEM;
                                continue;
@@ -166,10 +151,10 @@ static int list_certs(vici_conn_t *conn)
                                format |= COMMAND_FORMAT_RAW;
                                continue;
                        case 'S':
-                               format |= COMMAND_FORMAT_SHORT;
+                               detailed = FALSE;
                                continue;
                        case 'U':
-                               format |= COMMAND_FORMAT_UTC;
+                               utc = TRUE;
                                continue;
                        case EOF:
                                break;
@@ -186,22 +171,28 @@ static int list_certs(vici_conn_t *conn)
                return ret;
        }
        req = vici_begin("list-certs");
-       vici_add_version(req, VICI_VERSION);
 
        if (type)
        {
                vici_add_key_valuef(req, "type", "%s", type);
        }
+       if (flag)
+       {
+               vici_add_key_valuef(req, "flag", "%s", flag);
+       }
        if (subject)
        {
                vici_add_key_valuef(req, "subject", "%s", subject);
        }
+       cert_printer = certificate_printer_create(stdout, detailed, utc);
 
        res = vici_submit(req, conn);
        if (!res)
        {
                ret = errno;
                fprintf(stderr, "list-certs request failed: %s\n", strerror(errno));
+               cert_printer->destroy(cert_printer);
+               cert_printer = NULL;
                return ret;
        }
        if (format & COMMAND_FORMAT_RAW)
@@ -210,6 +201,9 @@ static int list_certs(vici_conn_t *conn)
                                  stdout);
        }
        vici_free_res(res);
+
+       cert_printer->destroy(cert_printer);
+       cert_printer = NULL;
        return 0;
 }
 
@@ -221,12 +215,14 @@ static void __attribute__ ((constructor))reg()
        command_register((command_t) {
                list_certs, 'x', "list-certs", "list stored certificates",
                {"[--subject <dn/san>] "
-                "[--type x509|x509ca|x509aa|x509ac|x509crl|x509ocsp|ocsp] "
+                "[--type x509|x509_ac|x509_crl|ocsp_response|pubkey]\n         "
+                "[--flag none|ca|aa|ocsp|any] "
                 "[--pem] [--raw|--pretty|--short|--utc]"},
                {
                        {"help",                'h', 0, "show usage information"},
                        {"subject",             's', 1, "filter by certificate subject"},
                        {"type",                't', 1, "filter by certificate type"},
+                       {"flag",                'f', 1, "filter by X.509 certificate flag"},
                        {"pem",                 'p', 0, "print PEM encoding of certificate"},
                        {"raw",                 'r', 0, "dump raw response message"},
                        {"pretty",              'P', 0, "dump raw response message in pretty print"},
index d27b0fb..81204ca 100644 (file)
 #include <credentials/sets/callback_cred.h>
 #include <credentials/containers/pkcs12.h>
 
+#include <vici_cert_info.h>
+
 /**
  * Load a single certificate over vici
  */
 static bool load_cert(vici_conn_t *conn, command_format_options_t format,
-                                         char *dir, char *type, chunk_t data)
+                                         char *dir, certificate_type_t type, x509_flag_t flag,
+                                         chunk_t data)
 {
        vici_req_t *req;
        vici_res_t *res;
@@ -42,7 +45,11 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
 
        req = vici_begin("load-cert");
 
-       vici_add_key_valuef(req, "type", "%s", type);
+       vici_add_key_valuef(req, "type", "%N", certificate_type_names, type);
+       if (type == CERT_X509)
+       {
+               vici_add_key_valuef(req, "flag", "%N", x509_flag_names, flag);
+       }
        vici_add_key_value(req, "data", data.ptr, data.len);
 
        res = vici_submit(req, conn);
@@ -64,7 +71,7 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
        }
        else
        {
-               printf("loaded %s certificate from '%s'\n", type, dir);
+               printf("loaded certificate from '%s'\n", dir);
        }
        vici_free_res(res);
        return ret;
@@ -74,13 +81,17 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
  * Load certficiates from a directory
  */
 static void load_certs(vici_conn_t *conn, command_format_options_t format,
-                                          char *type, char *dir)
+                                          char *type_str, char *dir)
 {
        enumerator_t *enumerator;
+       certificate_type_t type;
+       x509_flag_t flag;
        struct stat st;
        chunk_t *map;
        char *path;
 
+       vici_cert_info_from_str(type_str, &type, &flag);
+
        enumerator = enumerator_create_directory(dir);
        if (enumerator)
        {
@@ -91,7 +102,7 @@ static void load_certs(vici_conn_t *conn, command_format_options_t format,
                                map = chunk_map(path, FALSE);
                                if (map)
                                {
-                                       load_cert(conn, format, path, type, *map);
+                                       load_cert(conn, format, path, type, flag, *map);
                                        chunk_unmap(map);
                                }
                                else
@@ -446,7 +457,8 @@ static bool load_pkcs12(vici_conn_t *conn, command_format_options_t format,
                loaded = FALSE;
                if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
                {
-                       loaded = load_cert(conn, format, path, "x509", encoding);
+                       loaded = load_cert(conn, format, path, CERT_X509, X509_NONE,
+                                                          encoding);
                        if (loaded)
                        {
                                fprintf(stderr, "  %Y\n", cert->get_subject(cert));
@@ -682,11 +694,10 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
 
        load_certs(conn, format, "x509",     SWANCTL_X509DIR);
        load_certs(conn, format, "x509ca",   SWANCTL_X509CADIR);
+       load_certs(conn, format, "x509ocsp", SWANCTL_X509OCSPDIR);
        load_certs(conn, format, "x509aa",   SWANCTL_X509AADIR);
-       load_certs(conn, format, "x509crl",  SWANCTL_X509CRLDIR);
        load_certs(conn, format, "x509ac",   SWANCTL_X509ACDIR);
-       load_certs(conn, format, "x509ocsp", SWANCTL_X509OCSPDIR);
-       load_certs(conn, format, "pubkey",   SWANCTL_PUBKEYDIR);
+       load_certs(conn, format, "x509crl",  SWANCTL_X509CRLDIR);
 
        load_keys(conn, format, noprompt, cfg, "rsa",   SWANCTL_RSADIR);
        load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);