Standardized printing of certificate information
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 6 Dec 2015 12:28:03 +0000 (13:28 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 11 Dec 2015 17:26:53 +0000 (18:26 +0100)
The certificate_printer class allows the printing of certificate
information to a text file (usually stdout). This class is used
by the pki --print and swanctl --list-certs commands as well as
by the stroke plugin.

src/libcharon/plugins/stroke/stroke_list.c
src/libstrongswan/Makefile.am
src/libstrongswan/credentials/certificates/certificate_printer.c [new file with mode: 0644]
src/libstrongswan/credentials/certificates/certificate_printer.h [new file with mode: 0644]
src/pki/commands/print.c

index c0192b5..e312ae1 100644 (file)
@@ -2,6 +2,9 @@
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
 #include <collections/linked_list.h>
 #include <plugins/plugin.h>
 #include <credentials/certificates/x509.h>
-#include <credentials/certificates/ac.h>
-#include <credentials/certificates/crl.h>
 #include <credentials/certificates/pgp_certificate.h>
+#include <credentials/certificates/certificate_printer.h>
 #include <config/peer_cfg.h>
-#include <asn1/asn1.h>
-#include <asn1/oid.h>
-
-/* warning intervals for list functions */
-#define CERT_WARNING_INTERVAL  30      /* days */
-#define CRL_WARNING_INTERVAL   7       /* days */
-#define AC_WARNING_INTERVAL            1       /* day */
 
 typedef struct private_stroke_list_t private_stroke_list_t;
 
@@ -738,14 +733,20 @@ static linked_list_t* create_unique_cert_list(certificate_type_t type)
 }
 
 /**
- * Print a single public key.
+ * Is there a matching private key?
  */
-static void list_public_key(public_key_t *public, FILE *out)
+static bool has_privkey(certificate_t *cert)
 {
+       public_key_t *public;
        private_key_t *private = NULL;
        chunk_t keyid;
        identification_t *id;
 
+       public = cert->get_public_key(cert);
+       if (!public)
+       {
+               return FALSE;
+       }
        if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
        {
                id = identification_create_from_encoding(ID_KEY_ID, keyid);
@@ -753,99 +754,23 @@ static void list_public_key(public_key_t *public, FILE *out)
                                                                        public->get_type(public), id, NULL);
                id->destroy(id);
        }
-
-       fprintf(out, "  pubkey:    %N %d bits%s\n",
-                       key_type_names, public->get_type(public),
-                       public->get_keysize(public),
-                       private ? ", has private key" : "");
-       if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
-       {
-               fprintf(out, "  keyid:     %#B\n", &keyid);
-       }
-       if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
-       {
-               fprintf(out, "  subjkey:   %#B\n", &keyid);
-       }
+       public->destroy(public);
        DESTROY_IF(private);
-}
-
-/**
- * list all raw public keys
- */
-static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
-{
-       bool first = TRUE;
-       time_t now = time(NULL), notBefore, notAfter;
-       enumerator_t *enumerator;
-       certificate_t *cert;
-
-       enumerator = list->create_enumerator(list);
-       while (enumerator->enumerate(enumerator, (void**)&cert))
-       {
-               identification_t *subject = cert->get_subject(cert);
-               public_key_t *public = cert->get_public_key(cert);
-
-               if (public)
-               {
-                       if (first)
-                       {
-                               fprintf(out, "\n");
-                               fprintf(out, "List of Raw Public Keys:\n");
-                               first = FALSE;
-                       }
-                       fprintf(out, "\n");
-
-                       /* list subject if available */
-                       if (subject->get_type(subject) != ID_KEY_ID)
-                       {
-                               fprintf(out, "  subject:   %#Y\n", subject);
-                       }
-
-                       /* list validity if available*/
-                       cert->get_validity(cert, &now, &notBefore, &notAfter);
-                       if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME)
-                       {
-                               fprintf(out, "  validity:  not before %T, ", &notBefore, utc);
-                               if (now < notBefore)
-                               {
-                                       fprintf(out, "not valid yet (valid in %V)\n", &now, &notBefore);
-                               }
-                               else
-                               {
-                                       fprintf(out, "ok\n");
-                               }
-                               fprintf(out, "             not after  %T, ", &notAfter, utc);
-                               if (now > notAfter)
-                               {
-                                       fprintf(out, "expired (%V ago)\n", &now, &notAfter);
-                               }
-                               else
-                               {
-                                       fprintf(out, "ok");
-                                       if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
-                                       {
-                                               fprintf(out, " (expires in %V)", &now, &notAfter);
-                                       }
-                                       fprintf(out, " \n");
-                               }
-                       }
 
-                       list_public_key(public, out);
-                       public->destroy(public);
-               }
-       }
-       enumerator->destroy(enumerator);
+       return (private != NULL);
 }
 
 /**
  * list OpenPGP certificates
  */
-static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out)
+static void stroke_list_pgp_certs(linked_list_t *list, char *label,
+                                                                 bool utc, FILE *out)
 {
        bool first = TRUE;
        time_t now = time(NULL);
        enumerator_t *enumerator = list->create_enumerator(list);
        certificate_t *cert;
+       chunk_t keyid;
 
        while (enumerator->enumerate(enumerator, (void**)&cert))
        {
@@ -856,14 +781,12 @@ static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out)
 
                if (first)
                {
-
                        fprintf(out, "\n");
-                               fprintf(out, "List of PGP End Entity Certificates:\n");
-                               first = FALSE;
+                       fprintf(out, "List of %ss:\n", label);
+                       first = FALSE;
                }
                fprintf(out, "\n");
                fprintf(out, "  userid:   '%Y'\n", cert->get_subject(cert));
-
                fprintf(out, "  digest:    %#B\n", &fingerprint);
 
                /* list validity */
@@ -875,7 +798,19 @@ static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out)
                public = cert->get_public_key(cert);
                if (public)
                {
-                       list_public_key(public, out);
+                       fprintf(out, "  pubkey:    %N %d bits%s\n",
+                                       key_type_names, public->get_type(public),
+                                       public->get_keysize(public),
+                                       has_privkey(cert) ? ", has private key" : "");
+
+                       if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
+                       {
+                               fprintf(out, "  keyid:     %#B\n", &keyid);
+                       }
+                       if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
+                       {
+                               fprintf(out, "  subjkey:   %#B\n", &keyid);
+                       }
                        public->destroy(public);
                }
        }
@@ -885,15 +820,17 @@ static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out)
 /**
  * list all X.509 certificates matching the flags
  */
-static void stroke_list_certs(linked_list_t *list, char *label,
-                                                         x509_flag_t flags, bool utc, FILE *out)
+static void stroke_list_x509_certs(linked_list_t *list, char *label,
+                                                                  x509_flag_t flags, bool utc, FILE *out)
 {
        bool first = TRUE;
-       time_t now = time(NULL);
        enumerator_t *enumerator;
        certificate_t *cert;
+       certificate_printer_t *printer;
        x509_flag_t flag_mask;
 
+       printer = certificate_printer_create(out, TRUE, utc),
+
        /* mask all auxiliary flags */
        flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH | X509_IKE_INTERMEDIATE |
                                  X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS);
@@ -907,367 +844,49 @@ static void stroke_list_certs(linked_list_t *list, char *label,
                /* list only if flag is set or flag == 0 */
                if ((x509_flags & flags) || (x509_flags == flags))
                {
-                       enumerator_t *enumerator;
-                       identification_t *altName;
-                       bool first_altName = TRUE;
-                       u_int pathlen;
-                       chunk_t serial, authkey;
-                       time_t notBefore, notAfter;
-                       public_key_t *public;
-
                        if (first)
                        {
                                fprintf(out, "\n");
-                               fprintf(out, "List of %s:\n", label);
+                               fprintf(out, "List of %ss:\n", label);
                                first = FALSE;
                        }
                        fprintf(out, "\n");
-
-                       /* list subjectAltNames */
-                       enumerator = x509->create_subjectAltName_enumerator(x509);
-                       while (enumerator->enumerate(enumerator, (void**)&altName))
-                       {
-                               if (first_altName)
-                               {
-                                       fprintf(out, "  altNames:  ");
-                                       first_altName = FALSE;
-                               }
-                               else
-                               {
-                                       fprintf(out, ", ");
-                               }
-                               fprintf(out, "%Y", altName);
-                       }
-                       if (!first_altName)
-                       {
-                               fprintf(out, "\n");
-                       }
-                       enumerator->destroy(enumerator);
-
-                       fprintf(out, "  subject:  \"%Y\"\n", cert->get_subject(cert));
-                       fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
-                       serial = chunk_skip_zero(x509->get_serial(x509));
-                       fprintf(out, "  serial:    %#B\n", &serial);
-
-                       /* list validity */
-                       cert->get_validity(cert, &now, &notBefore, &notAfter);
-                       fprintf(out, "  validity:  not before %T, ", &notBefore, utc);
-                       if (now < notBefore)
-                       {
-                               fprintf(out, "not valid yet (valid in %V)\n", &now, &notBefore);
-                       }
-                       else
-                       {
-                               fprintf(out, "ok\n");
-                       }
-                       fprintf(out, "             not after  %T, ", &notAfter, utc);
-                       if (now > notAfter)
-                       {
-                               fprintf(out, "expired (%V ago)\n", &now, &notAfter);
-                       }
-                       else
-                       {
-                               fprintf(out, "ok");
-                               if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
-                               {
-                                       fprintf(out, " (expires in %V)", &now, &notAfter);
-                               }
-                               fprintf(out, " \n");
-                       }
-
-                       public = cert->get_public_key(cert);
-                       if (public)
-                       {
-                               list_public_key(public, out);
-                               public->destroy(public);
-                       }
-
-                       /* list optional authorityKeyIdentifier */
-                       authkey = x509->get_authKeyIdentifier(x509);
-                       if (authkey.ptr)
-                       {
-                               fprintf(out, "  authkey:   %#B\n", &authkey);
-                       }
-
-                       /* list optional pathLenConstraint */
-                       pathlen = x509->get_constraint(x509, X509_PATH_LEN);
-                       if (pathlen != X509_NO_CONSTRAINT)
-                       {
-                               fprintf(out, "  pathlen:   %u\n", pathlen);
-                       }
-
-                       /* list optional ipAddrBlocks */
-                       if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
-                       {
-                               traffic_selector_t *ipAddrBlock;
-                               bool first_ipAddrBlock = TRUE;
-
-                               fprintf(out, "  addresses: ");
-                               enumerator = x509->create_ipAddrBlock_enumerator(x509);
-                               while (enumerator->enumerate(enumerator, &ipAddrBlock))
-                               {
-                                       if (first_ipAddrBlock)
-                                       {
-                                               first_ipAddrBlock = FALSE;
-                                       }
-                                       else
-                                       {
-                                               fprintf(out, ", ");
-                                       }
-                                       fprintf(out, "%R", ipAddrBlock);
-                               }
-                               enumerator->destroy(enumerator);
-                               fprintf(out, "\n");
-                       }
+                       printer->print(printer, cert, has_privkey(cert));
                }
        }
        enumerator->destroy(enumerator);
+
+       printer->destroy(printer);
 }
 
 /**
- * list all X.509 attribute certificates
+ * list all other certificates types
  */
-static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
+static void stroke_list_other_certs(linked_list_t *list, char *label,
+                                                                       bool utc, FILE *out)
 {
        bool first = TRUE;
-       time_t notBefore, notAfter, now = time(NULL);
        enumerator_t *enumerator;
        certificate_t *cert;
+       certificate_printer_t *printer;
+
+       printer = certificate_printer_create(out, TRUE, utc),
 
        enumerator = list->create_enumerator(list);
        while (enumerator->enumerate(enumerator, &cert))
        {
-               ac_t *ac = (ac_t*)cert;
-               ac_group_type_t type;
-               identification_t *id;
-               enumerator_t *groups;
-               chunk_t chunk;
-               bool firstgroup = TRUE;
-
-               if (first)
-               {
-                       fprintf(out, "\n");
-                       fprintf(out, "List of X.509 Attribute Certificates:\n");
-                       first = FALSE;
-               }
-               fprintf(out, "\n");
-
-               id = cert->get_subject(cert);
-               if (id)
-               {
-                       fprintf(out, "  holder:   \"%Y\"\n", id);
-               }
-               id = ac->get_holderIssuer(ac);
-               if (id)
-               {
-                       fprintf(out, "  hissuer:  \"%Y\"\n", id);
-               }
-               chunk = chunk_skip_zero(ac->get_holderSerial(ac));
-               if (chunk.ptr)
-               {
-                       fprintf(out, "  hserial:   %#B\n", &chunk);
-               }
-               groups = ac->create_group_enumerator(ac);
-               while (groups->enumerate(groups, &type, &chunk))
-               {
-                       int oid;
-                       char *str;
-
-                       if (firstgroup)
-                       {
-                               fprintf(out, "  groups:    ");
-                               firstgroup = FALSE;
-                       }
-                       else
-                       {
-                               fprintf(out, "             ");
-                       }
-                       switch (type)
-                       {
-                               case AC_GROUP_TYPE_STRING:
-                                       fprintf(out, "%.*s", (int)chunk.len, chunk.ptr);
-                                       break;
-                               case AC_GROUP_TYPE_OID:
-                                       oid = asn1_known_oid(chunk);
-                                       if (oid == OID_UNKNOWN)
-                                       {
-                                               str = asn1_oid_to_string(chunk);
-                                               if (str)
-                                               {
-                                                       fprintf(out, "%s", str);
-                                                       free(str);
-                                               }
-                                               else
-                                               {
-                                                       fprintf(out, "OID:%#B", &chunk);
-                                               }
-                                       }
-                                       else
-                                       {
-                                               fprintf(out, "%s", oid_names[oid].name);
-                                       }
-                                       break;
-                               case AC_GROUP_TYPE_OCTETS:
-                                       fprintf(out, "%#B", &chunk);
-                                       break;
-                       }
-                       fprintf(out, "\n");
-               }
-               groups->destroy(groups);
-               fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
-               chunk  = chunk_skip_zero(ac->get_serial(ac));
-               fprintf(out, "  serial:    %#B\n", &chunk);
-
-               /* list validity */
-               cert->get_validity(cert, &now, &notBefore, &notAfter);
-               fprintf(out, "  validity:  not before %T, ", &notBefore, utc);
-               if (now < notBefore)
-               {
-                       fprintf(out, "not valid yet (valid in %V)\n", &now, &notBefore);
-               }
-               else
-               {
-                       fprintf(out, "ok\n");
-               }
-               fprintf(out, "             not after  %T, ", &notAfter, utc);
-               if (now > notAfter)
-               {
-                       fprintf(out, "expired (%V ago)\n", &now, &notAfter);
-               }
-               else
-               {
-                       fprintf(out, "ok");
-                       if (now > notAfter - AC_WARNING_INTERVAL * 60 * 60 * 24)
-                       {
-                               fprintf(out, " (expires in %V)", &now, &notAfter);
-                       }
-                       fprintf(out, " \n");
-               }
-
-               /* list optional authorityKeyIdentifier */
-               chunk = ac->get_authKeyIdentifier(ac);
-               if (chunk.ptr)
-               {
-                       fprintf(out, "  authkey:   %#B\n", &chunk);
-               }
-       }
-       enumerator->destroy(enumerator);
-}
-
-/**
- * list all X.509 CRLs
- */
-static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
-{
-       bool first = TRUE;
-       time_t thisUpdate, nextUpdate, now = time(NULL);
-       enumerator_t *enumerator = list->create_enumerator(list);
-       certificate_t *cert;
-
-       while (enumerator->enumerate(enumerator, (void**)&cert))
-       {
-               crl_t *crl = (crl_t*)cert;
-               chunk_t chunk;
-
                if (first)
                {
                        fprintf(out, "\n");
-                       fprintf(out, "List of X.509 CRLs:\n");
+                       fprintf(out, "List of %ss:\n", label);
                        first = FALSE;
                }
                fprintf(out, "\n");
-
-               fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
-
-               /* list optional crlNumber */
-               chunk = chunk_skip_zero(crl->get_serial(crl));
-               if (chunk.ptr)
-               {
-                       fprintf(out, "  serial:    %#B\n", &chunk);
-               }
-               if (crl->is_delta_crl(crl, &chunk))
-               {
-                       chunk = chunk_skip_zero(chunk);
-                       fprintf(out, "  delta for: %#B\n", &chunk);
-               }
-
-               /* count the number of revoked certificates */
-               {
-                       int count = 0;
-                       enumerator_t *enumerator = crl->create_enumerator(crl);
-
-                       while (enumerator->enumerate(enumerator, NULL, NULL, NULL))
-                       {
-                               count++;
-                       }
-                       fprintf(out, "  revoked:   %d certificate%s\n", count,
-                                                       (count == 1)? "" : "s");
-                       enumerator->destroy(enumerator);
-               }
-
-               /* list validity */
-               cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
-               fprintf(out, "  updates:   this %T\n",  &thisUpdate, utc);
-               fprintf(out, "             next %T, ", &nextUpdate, utc);
-               if (now > nextUpdate)
-               {
-                       fprintf(out, "expired (%V ago)\n", &now, &nextUpdate);
-               }
-               else
-               {
-                       fprintf(out, "ok");
-                       if (now > nextUpdate - CRL_WARNING_INTERVAL * 60 * 60 * 24)
-                       {
-                               fprintf(out, " (expires in %V)", &now, &nextUpdate);
-                       }
-                       fprintf(out, " \n");
-               }
-
-               /* list optional authorityKeyIdentifier */
-               chunk = crl->get_authKeyIdentifier(crl);
-               if (chunk.ptr)
-               {
-                       fprintf(out, "  authkey:   %#B\n", &chunk);
-               }
+               printer->print(printer, cert, has_privkey(cert));
        }
        enumerator->destroy(enumerator);
-}
-
-/**
- * list all OCSP responses
- */
-static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
-{
-       bool first = TRUE, ok;
-       enumerator_t *enumerator = list->create_enumerator(list);
-       certificate_t *cert;
-       time_t produced, usable, now = time(NULL);
-
-       while (enumerator->enumerate(enumerator, (void**)&cert))
-       {
-               if (first)
-               {
-                       fprintf(out, "\n");
-                       fprintf(out, "List of OCSP responses:\n");
-                       fprintf(out, "\n");
-                       first = FALSE;
-               }
-               fprintf(out, "  signer:   \"%Y\"\n", cert->get_issuer(cert));
 
-               /* check validity */
-               ok = cert->get_validity(cert, &now, &produced, &usable);
-               fprintf(out, "  validity:  produced at %T\n", &produced, utc);
-               fprintf(out, "             usable till %T, ", &usable, utc);
-               if (ok)
-               {
-                       fprintf(out, "ok\n");
-               }
-               else
-               {
-                       fprintf(out, "expired (%V ago)\n", &now, &usable);
-               }
-       }
-       enumerator->destroy(enumerator);
+       printer->destroy(printer);
 }
 
 /**
@@ -1443,14 +1062,16 @@ METHOD(stroke_list_t, list, void,
        {
                linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY);
 
-               stroke_list_pubkeys(pubkey_list, msg->list.utc, out);
+               stroke_list_other_certs(pubkey_list, "Raw Public Key",
+                                                               msg->list.utc, out);
                pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy));
        }
        if (msg->list.flags & LIST_CERTS)
        {
                linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG);
 
-               stroke_list_pgp(pgp_list, msg->list.utc, out);
+               stroke_list_pgp_certs(pgp_list, "PGP End Entity Certificate",
+                                                         msg->list.utc, out);
                pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy));
        }
        if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS))
@@ -1459,23 +1080,23 @@ METHOD(stroke_list_t, list, void,
        }
        if (msg->list.flags & LIST_CERTS)
        {
-               stroke_list_certs(cert_list, "X.509 End Entity Certificates",
-                                                 X509_NONE, msg->list.utc, out);
+               stroke_list_x509_certs(cert_list, "X.509 End Entity Certificate",
+                                                          X509_NONE, msg->list.utc, out);
        }
        if (msg->list.flags & LIST_CACERTS)
        {
-               stroke_list_certs(cert_list, "X.509 CA Certificates",
-                                                 X509_CA, msg->list.utc, out);
+               stroke_list_x509_certs(cert_list, "X.509 CA Certificate",
+                                                          X509_CA, msg->list.utc, out);
        }
        if (msg->list.flags & LIST_OCSPCERTS)
        {
-               stroke_list_certs(cert_list, "X.509 OCSP Signer Certificates",
-                                                 X509_OCSP_SIGNER, msg->list.utc, out);
+               stroke_list_x509_certs(cert_list, "X.509 OCSP Signer Certificate",
+                                                          X509_OCSP_SIGNER, msg->list.utc, out);
        }
        if (msg->list.flags & LIST_AACERTS)
        {
-               stroke_list_certs(cert_list, "X.509 AA Certificates",
-                                                 X509_AA, msg->list.utc, out);
+               stroke_list_x509_certs(cert_list, "X.509 AA Certificate",
+                                                          X509_AA, msg->list.utc, out);
        }
        DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
 
@@ -1483,22 +1104,24 @@ METHOD(stroke_list_t, list, void,
        {
                linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC);
 
-               stroke_list_acerts(ac_list, msg->list.utc, out);
+               stroke_list_other_certs(ac_list, "X.509 Attribute Certificate",
+                                                               msg->list.utc, out);
                ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy));
        }
        if (msg->list.flags & LIST_CRLS)
        {
                linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL);
 
-               stroke_list_crls(crl_list, msg->list.utc, out);
+               stroke_list_other_certs(crl_list, "X.509 CRL",
+                                                               msg->list.utc, out);
                crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy));
        }
        if (msg->list.flags & LIST_OCSP)
        {
                linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE);
 
-               stroke_list_ocsp(ocsp_list, msg->list.utc, out);
-
+               stroke_list_other_certs(ocsp_list, "OCSP Response",
+                                                               msg->list.utc, out);
                ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy));
        }
        if (msg->list.flags & LIST_ALGS)
index ed3b85d..1851ff5 100644 (file)
@@ -20,6 +20,7 @@ credentials/cred_encoding.c credentials/keys/private_key.c \
 credentials/keys/public_key.c credentials/keys/shared_key.c \
 credentials/certificates/certificate.c credentials/certificates/crl.c \
 credentials/certificates/ocsp_response.c \
+credentials/certificates/certificate_printer.c \
 credentials/containers/container.c credentials/containers/pkcs12.c \
 credentials/credential_manager.c \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
@@ -83,6 +84,7 @@ credentials/certificates/ac.h credentials/certificates/crl.h \
 credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \
 credentials/certificates/ocsp_response.h \
 credentials/certificates/pgp_certificate.h \
+credentials/certificates/certificate_printer.h \
 credentials/containers/container.h credentials/containers/pkcs7.h \
 credentials/containers/pkcs12.h \
 credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
diff --git a/src/libstrongswan/credentials/certificates/certificate_printer.c b/src/libstrongswan/credentials/certificates/certificate_printer.c
new file mode 100644 (file)
index 0000000..84dab85
--- /dev/null
@@ -0,0 +1,591 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "certificate_printer.h"
+#include "x509.h"
+#include "crl.h"
+#include "ac.h"
+
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+#include <selectors/traffic_selector.h>
+
+#include <time.h>
+
+typedef struct private_certificate_printer_t private_certificate_printer_t;
+
+/**
+ * Private data of an certificate_printer_t object.
+ */
+struct private_certificate_printer_t {
+
+       /**
+        * Public certificate_printer_t interface.
+        */
+       certificate_printer_t public;
+
+       /**
+        * File to print to
+        */
+       FILE *f;
+
+       /**
+        * Print detailed certificate information
+        */
+       bool detailed;
+
+       /**
+        * Print time information in UTC
+        */
+       bool utc;
+};
+
+/**
+ * Print X509 specific certificate information
+ */
+static void print_x509(private_certificate_printer_t *this, x509_t *x509)
+{
+       enumerator_t *enumerator;
+       identification_t *id;
+       traffic_selector_t *block;
+       chunk_t chunk;
+       bool first;
+       char *uri;
+       int len, explicit, inhibit;
+       x509_flag_t flags;
+       x509_cdp_t *cdp;
+       x509_cert_policy_t *policy;
+       x509_policy_mapping_t *mapping;
+       FILE *f = this->f;
+
+       chunk = chunk_skip_zero(x509->get_serial(x509));
+       fprintf(f, "  serial:    %#B\n", &chunk);
+
+       first = TRUE;
+       enumerator = x509->create_subjectAltName_enumerator(x509);
+       while (enumerator->enumerate(enumerator, &id))
+       {
+               if (first)
+               {
+                       fprintf(f, "  altNames:  ");
+                       first = FALSE;
+               }
+               else
+               {
+                       fprintf(f, ", ");
+               }
+               fprintf(f, "%Y", id);
+       }
+       if (!first)
+       {
+               fprintf(f, "\n");
+       }
+       enumerator->destroy(enumerator);
+
+       if (this->detailed)
+       {
+               flags = x509->get_flags(x509);
+               if (flags != X509_NONE)
+               {
+                       fprintf(f, "  flags:     ");
+                       if (flags & X509_CA)
+                       {
+                               fprintf(f, "CA ");
+                       }
+                       if (flags & X509_CRL_SIGN)
+                       {
+                               fprintf(f, "CRLSign ");
+                       }
+                       if (flags & X509_OCSP_SIGNER)
+                       {
+                               fprintf(f, "ocspSigning ");
+                       }
+                       if (flags & X509_SERVER_AUTH)
+                       {
+                               fprintf(f, "serverAuth ");
+                       }
+                       if (flags & X509_CLIENT_AUTH)
+                       {
+                               fprintf(f, "clientAuth ");
+                       }
+                       if (flags & X509_IKE_INTERMEDIATE)
+                       {
+                               fprintf(f, "ikeIntermediate ");
+                       }
+                       if (flags & X509_MS_SMARTCARD_LOGON)
+                       {
+                               fprintf(f, "msSmartcardLogon");
+                       }
+                       if (flags & X509_SELF_SIGNED)
+                       {
+                               fprintf(f, "self-signed ");
+                       }
+                       fprintf(f, "\n");
+               }
+
+               first = TRUE;
+               enumerator = x509->create_crl_uri_enumerator(x509);
+               while (enumerator->enumerate(enumerator, &cdp))
+               {
+                       if (first)
+                       {
+                               fprintf(f, "  CRL URIs:  %s", cdp->uri);
+                               first = FALSE;
+                       }
+                       else
+                       {
+                               fprintf(f, "           %s", cdp->uri);
+                       }
+                       if (cdp->issuer)
+                       {
+                               fprintf(f, " (CRL issuer: %Y)", cdp->issuer);
+                       }
+                       fprintf(f, "\n");
+               }
+               enumerator->destroy(enumerator);
+
+               first = TRUE;
+               enumerator = x509->create_ocsp_uri_enumerator(x509);
+               while (enumerator->enumerate(enumerator, &uri))
+               {
+                       if (first)
+                       {
+                               fprintf(f, "  OCSP URIs: %s\n", uri);
+                               first = FALSE;
+                       }
+                       else
+                       {
+                               fprintf(f, "           %s\n", uri);
+                       }
+               }
+               enumerator->destroy(enumerator);
+
+               len = x509->get_constraint(x509, X509_PATH_LEN);
+               if (len != X509_NO_CONSTRAINT)
+               {
+                       fprintf(f, "  pathlen:   %d\n", len);
+               }
+
+               first = TRUE;
+               enumerator = x509->create_name_constraint_enumerator(x509, TRUE);
+               while (enumerator->enumerate(enumerator, &id))
+               {
+                       if (first)
+                       {
+                               fprintf(f, "  permitted nameConstraints:\n");
+                               first = FALSE;
+                       }
+                       fprintf(f, "           %Y\n", id);
+               }
+               enumerator->destroy(enumerator);
+
+               first = TRUE;
+               enumerator = x509->create_name_constraint_enumerator(x509, FALSE);
+               while (enumerator->enumerate(enumerator, &id))
+               {
+                       if (first)
+                       {
+                               fprintf(f, "  excluded nameConstraints:\n");
+                               first = FALSE;
+                       }
+                       fprintf(f, "           %Y\n", id);
+               }
+               enumerator->destroy(enumerator);
+
+               first = TRUE;
+               enumerator = x509->create_cert_policy_enumerator(x509);
+               while (enumerator->enumerate(enumerator, &policy))
+               {
+                       char *oid;
+
+                       if (first)
+                       {
+                               fprintf(f, "  certificatePolicies:\n");
+                               first = FALSE;
+                       }
+                       oid = asn1_oid_to_string(policy->oid);
+                       if (oid)
+                       {
+                               fprintf(f, "             %s\n", oid);
+                               free(oid);
+                       }
+                       else
+                       {
+                               fprintf(f, "             %#B\n", &policy->oid);
+                       }
+                       if (policy->cps_uri)
+                       {
+                               fprintf(f, "             CPS: %s\n", policy->cps_uri);
+                       }
+                       if (policy->unotice_text)
+                       {
+                               fprintf(f, "             Notice: %s\n", policy->unotice_text);
+                       }
+               }
+               enumerator->destroy(enumerator);
+
+               first = TRUE;
+               enumerator = x509->create_policy_mapping_enumerator(x509);
+               while (enumerator->enumerate(enumerator, &mapping))
+               {
+                       char *issuer_oid, *subject_oid;
+
+                       if (first)
+                       {
+                               fprintf(f, "  policyMappings:\n");
+                               first = FALSE;
+                       }
+                       issuer_oid = asn1_oid_to_string(mapping->issuer);
+                       subject_oid = asn1_oid_to_string(mapping->subject);
+                       fprintf(f, "           %s => %s\n", issuer_oid, subject_oid);
+                       free(issuer_oid);
+                       free(subject_oid);
+               }
+               enumerator->destroy(enumerator);
+
+               explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
+               inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
+               len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
+
+               if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT ||
+                       len != X509_NO_CONSTRAINT)
+               {
+                       fprintf(f, "  policyConstraints:\n");
+                       if (explicit != X509_NO_CONSTRAINT)
+                       {
+                               fprintf(f, "           requireExplicitPolicy: %d\n", explicit);
+                       }
+                       if (inhibit != X509_NO_CONSTRAINT)
+                       {
+                               fprintf(f, "           inhibitPolicyMapping: %d\n", inhibit);
+                       }
+                       if (len != X509_NO_CONSTRAINT)
+                       {
+                               fprintf(f, "           inhibitAnyPolicy: %d\n", len);
+                       }
+               }
+
+               if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
+               {
+                       first = TRUE;
+                       fprintf(f, "  addresses: ");
+                       enumerator = x509->create_ipAddrBlock_enumerator(x509);
+                       while (enumerator->enumerate(enumerator, &block))
+                       {
+                               if (first)
+                               {
+                                       first = FALSE;
+                               }
+                               else
+                               {
+                                       fprintf(f, ", ");
+                               }
+                               fprintf(f, "%R", block);
+                       }
+                       enumerator->destroy(enumerator);
+                       fprintf(f, "\n");
+               }
+       }
+
+       chunk = x509->get_authKeyIdentifier(x509);
+       if (chunk.ptr)
+       {
+               fprintf(f, "  authkeyId: %#B\n", &chunk);
+       }
+
+       chunk = x509->get_subjectKeyIdentifier(x509);
+       if (chunk.ptr)
+       {
+               fprintf(f, "  subjkeyId: %#B\n", &chunk);
+       }
+}
+
+/**
+ * Print CRL specific information
+ */
+static void print_crl(private_certificate_printer_t *this, crl_t *crl)
+{
+       enumerator_t *enumerator;
+       time_t ts;
+       crl_reason_t reason;
+       chunk_t chunk;
+       int count = 0;
+       bool first;
+       char buf[64];
+       x509_cdp_t *cdp;
+       FILE *f = this->f;
+
+       chunk = chunk_skip_zero(crl->get_serial(crl));
+       fprintf(f, "  serial:    %#B\n", &chunk);
+
+       if (crl->is_delta_crl(crl, &chunk))
+       {
+               chunk = chunk_skip_zero(chunk);
+               fprintf(f, "  delta CRL: for serial %#B\n", &chunk);
+       }
+       chunk = crl->get_authKeyIdentifier(crl);
+       fprintf(f, "  authKeyId: %#B\n", &chunk);
+
+       first = TRUE;
+       enumerator = crl->create_delta_crl_uri_enumerator(crl);
+       while (enumerator->enumerate(enumerator, &cdp))
+       {
+               if (first)
+               {
+                       fprintf(f, "  freshest:  %s", cdp->uri);
+                       first = FALSE;
+               }
+               else
+               {
+                       fprintf(f, "             %s", cdp->uri);
+               }
+               if (cdp->issuer)
+               {
+                       fprintf(f, " (CRL issuer: %Y)", cdp->issuer);
+               }
+               fprintf(f, "\n");
+       }
+       enumerator->destroy(enumerator);
+
+       enumerator = crl->create_enumerator(crl);
+       while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
+       {
+               count++;
+       }
+       enumerator->destroy(enumerator);
+
+       fprintf(f, "  %d revoked certificate%s%s\n", count, (count == 1) ? "" : "s",
+                               (count && this->detailed) ? ":" : "");
+
+       if (this->detailed)
+       {
+               enumerator = crl->create_enumerator(crl);
+               while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
+               {
+                       chunk = chunk_skip_zero(chunk);
+                       fprintf(f, "    %#B: %T, %N\n", &chunk, &ts, this->utc,
+                                                                                       crl_reason_names, reason);
+               }
+               enumerator->destroy(enumerator);
+       }
+}
+
+/**
+ * Print AC specific information
+ */
+static void print_ac(private_certificate_printer_t *this, ac_t *ac)
+{
+       ac_group_type_t type;
+       identification_t *id;
+       enumerator_t *groups;
+       chunk_t chunk;
+       bool first = TRUE;
+       FILE *f = this->f;
+
+       chunk = chunk_skip_zero(ac->get_serial(ac));
+       fprintf(f, "  serial:    %#B\n", &chunk);
+
+       id = ac->get_holderIssuer(ac);
+       if (id)
+       {
+               fprintf(f, "  hissuer:  \"%Y\"\n", id);
+       }
+       chunk = chunk_skip_zero(ac->get_holderSerial(ac));
+       if (chunk.ptr)
+       {
+               fprintf(f, "  hserial:   %#B\n", &chunk);
+       }
+       groups = ac->create_group_enumerator(ac);
+       while (groups->enumerate(groups, &type, &chunk))
+       {
+               int oid;
+               char *str;
+
+               if (first)
+               {
+                       fprintf(f, "  groups:    ");
+                       first = FALSE;
+               }
+               else
+               {
+                       fprintf(f, "             ");
+               }
+               switch (type)
+               {
+                       case AC_GROUP_TYPE_STRING:
+                               fprintf(f, "%.*s", (int)chunk.len, chunk.ptr);
+                               break;
+                       case AC_GROUP_TYPE_OID:
+                               oid = asn1_known_oid(chunk);
+                               if (oid == OID_UNKNOWN)
+                               {
+                                       str = asn1_oid_to_string(chunk);
+                                       if (str)
+                                       {
+                                               fprintf(f, "%s", str);
+                                               free(str);
+                                       }
+                                       else
+                                       {
+                                               fprintf(f, "OID:%#B", &chunk);
+                                       }
+                               }
+                               else
+                               {
+                                       fprintf(f, "%s", oid_names[oid].name);
+                               }
+                               break;
+                       case AC_GROUP_TYPE_OCTETS:
+                               fprintf(f, "%#B", &chunk);
+                               break;
+               }
+               fprintf(f, "\n");
+       }
+       groups->destroy(groups);
+
+       chunk = ac->get_authKeyIdentifier(ac);
+       if (chunk.ptr)
+       {
+               fprintf(f, "  authkey:  %#B\n", &chunk);
+       }
+}
+
+/**
+ * Print public key information
+ */
+static void print_pubkey(private_certificate_printer_t *this, public_key_t *key,
+                                                bool has_privkey)
+{
+       chunk_t chunk;
+       FILE *f = this->f;
+
+       fprintf(f, "  pubkey:    %N %d bits", key_type_names, key->get_type(key),
+                               key->get_keysize(key));
+       if (has_privkey)
+       {
+               fprintf(f, ", has private key");
+       }
+       fprintf(f, "\n");
+       if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
+       {
+               fprintf(f, "  keyid:     %#B\n", &chunk);
+       }
+       if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk))
+       {
+               fprintf(f, "  subjkey:   %#B\n", &chunk);
+       }
+}
+
+METHOD(certificate_printer_t, print, void,
+       private_certificate_printer_t *this, certificate_t *cert, bool has_privkey)
+{
+       time_t now, notAfter, notBefore;
+       certificate_type_t type;
+       identification_t *subject;
+       public_key_t *key;
+       FILE *f = this->f;
+
+       now = time(NULL);
+       type = cert->get_type(cert);
+       subject = cert->get_subject(cert);
+
+       if ((type != CERT_X509_CRL && type != CERT_X509_OCSP_RESPONSE &&
+                type != CERT_TRUSTED_PUBKEY) ||
+           (type == CERT_TRUSTED_PUBKEY && subject->get_type(subject) != ID_KEY_ID))
+       {
+               fprintf(f, "  subject:  \"%Y\"\n", subject);
+       }
+       if (cert->get_type(cert) != CERT_TRUSTED_PUBKEY)
+       {
+               fprintf(f, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
+       }
+
+       /* list validity if set */
+       cert->get_validity(cert, &now, &notBefore, &notAfter);
+       if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME)
+       {
+               fprintf(f, "  validity:  not before %T, ", &notBefore, this->utc);
+               if (now < notBefore)
+               {
+                       fprintf(f, "not valid yet (valid in %V)\n", &now, &notBefore);
+               }
+               else
+               {
+                       fprintf(f, "ok\n");
+               }
+               fprintf(f, "             not after  %T, ", &notAfter, this->utc);
+               if (now > notAfter)
+               {
+                       fprintf(f, "expired (%V ago)\n", &now, &notAfter);
+               }
+               else
+               {
+                       fprintf(f, "ok (expires in %V)\n", &now, &notAfter);
+               }
+       }
+
+       switch (cert->get_type(cert))
+       {
+               case CERT_X509:
+                       print_x509(this, (x509_t*)cert);
+                       break;
+               case CERT_X509_CRL:
+                       print_crl(this, (crl_t*)cert);
+                       break;
+               case CERT_X509_AC:
+                       print_ac(this, (ac_t*)cert);
+                       break;
+               case CERT_X509_OCSP_RESPONSE:
+               case CERT_TRUSTED_PUBKEY:
+               default:
+                       break;
+       }
+       key = cert->get_public_key(cert);
+       if (key)
+       {
+               print_pubkey(this, key, has_privkey);
+               key->destroy(key);
+       }
+}
+
+METHOD(certificate_printer_t, destroy, void,
+       private_certificate_printer_t *this)
+{
+       free(this);
+}
+
+/**
+ * See header
+ */
+certificate_printer_t *certificate_printer_create(FILE *f, bool detailed,
+                                                                                                 bool utc)
+{
+       private_certificate_printer_t *this;
+
+       INIT(this,
+               .public = {
+                       .print = _print,
+                       .destroy = _destroy,
+               },
+               .f = f,
+               .detailed = detailed,
+               .utc = utc,
+       );
+
+       return &this->public;
+}
diff --git a/src/libstrongswan/credentials/certificates/certificate_printer.h b/src/libstrongswan/credentials/certificates/certificate_printer.h
new file mode 100644 (file)
index 0000000..f11b77e
--- /dev/null
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup certificate_printer certificate_printer
+ * @{ @ingroup certificates
+ */
+
+#ifndef CERTIFICATE_PRINTER_H_
+#define CERTIFICATE_PRINTER_H_
+
+typedef struct certificate_printer_t certificate_printer_t;
+
+#include "credentials/certificates/certificate.h"
+
+#include <stdio.h>
+
+/**
+ * An object for printing certificate information.
+ */
+struct certificate_printer_t {
+
+       /**
+        * Print a certificate.
+        *
+        * @cert                        certificate to be printed
+        * @has_privkey         indicates that certificate has a matching private key
+        */
+       void (*print)(certificate_printer_t *this, certificate_t *cert,
+                                 bool has_privkey);
+
+       /**
+        * Destroy the certificate_printer object.
+        */
+       void (*destroy)(certificate_printer_t *this);
+};
+
+/**
+ * Create a certificate_printer object
+ *
+ * @param f                            file where print output is directed to (usually stdout)
+ * @param detailed             print more detailed certificate information
+ * @param utc                  print time inforamtion in UTC
+ */
+certificate_printer_t* certificate_printer_create(FILE *f, bool detailed,
+                                                                                                                  bool utc);
+
+#endif /** CERTIFICATE_PRINTER_H_ @}*/
index fa69de1..c367a21 100644 (file)
@@ -2,6 +2,9 @@
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
 
 #include "pki.h"
 
-#include <asn1/asn1.h>
-#include <asn1/oid.h>
 #include <credentials/certificates/certificate.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/certificates/crl.h>
-#include <credentials/certificates/ac.h>
-#include <selectors/traffic_selector.h>
+#include <credentials/certificates/certificate_printer.h>
 
-#include <time.h>
 #include <errno.h>
 
 /**
- * Print public key information
- */
-static void print_pubkey(public_key_t *key)
-{
-       chunk_t chunk;
-       key_type_t type;
-
-       type = key->get_type(key);
-       printf("pubkey:    %N %d bits%s\n", key_type_names, type,
-                       key->get_keysize(key), (type == KEY_BLISS) ? " strength" : "");
-
-       if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
-       {
-               printf("keyid:     %#B\n", &chunk);
-       }
-       if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk))
-       {
-               printf("subjkey:   %#B\n", &chunk);
-       }
-}
-
-/**
  * Print private key information
  */
 static void print_key(private_key_t *key)
 {
        public_key_t *public;
+       chunk_t chunk;
 
        public = key->get_public_key(key);
        if (public)
        {
-               printf("private key with:\n");
-               print_pubkey(public);
-               public->destroy(public);
-       }
-       else
-       {
-               printf("extracting public from private key failed\n");
-       }
-}
-
-/**
- * Get a prefix for a named constraint identity type
- */
-static char* get_type_pfx(identification_t *id)
-{
-       switch (id->get_type(id))
-       {
-               case ID_RFC822_ADDR:
-                       return "email:";
-               case ID_FQDN:
-                       return "dns:";
-               default:
-                       return "";
-       }
-}
-
-/**
- * Print X509 specific certificate information
- */
-static void print_x509(x509_t *x509)
-{
-       enumerator_t *enumerator;
-       identification_t *id;
-       traffic_selector_t *block;
-       chunk_t chunk;
-       bool first;
-       char *uri;
-       int len, explicit, inhibit;
-       x509_flag_t flags;
-       x509_cdp_t *cdp;
-       x509_cert_policy_t *policy;
-       x509_policy_mapping_t *mapping;
-
-       chunk = chunk_skip_zero(x509->get_serial(x509));
-       printf("serial:    %#B\n", &chunk);
-
-       first = TRUE;
-       enumerator = x509->create_subjectAltName_enumerator(x509);
-       while (enumerator->enumerate(enumerator, &id))
-       {
-               if (first)
-               {
-                       printf("altNames:  ");
-                       first = FALSE;
-               }
-               else
-               {
-                       printf(", ");
-               }
-               printf("%Y", id);
-       }
-       if (!first)
-       {
-               printf("\n");
-       }
-       enumerator->destroy(enumerator);
-
-       flags = x509->get_flags(x509);
-       printf("flags:     ");
-       if (flags & X509_CA)
-       {
-               printf("CA ");
-       }
-       if (flags & X509_CRL_SIGN)
-       {
-               printf("CRLSign ");
-       }
-       if (flags & X509_AA)
-       {
-               printf("AA ");
-       }
-       if (flags & X509_OCSP_SIGNER)
-       {
-               printf("OCSP ");
-       }
-       if (flags & X509_AA)
-       {
-               printf("AA ");
-       }
-       if (flags & X509_SERVER_AUTH)
-       {
-               printf("serverAuth ");
-       }
-       if (flags & X509_CLIENT_AUTH)
-       {
-               printf("clientAuth ");
-       }
-       if (flags & X509_IKE_INTERMEDIATE)
-       {
-               printf("iKEIntermediate ");
-       }
-       if (flags & X509_MS_SMARTCARD_LOGON)
-       {
-               printf("msSmartcardLogon ");
-       }
-       if (flags & X509_SELF_SIGNED)
-       {
-               printf("self-signed ");
-       }
-       printf("\n");
-
-       first = TRUE;
-       enumerator = x509->create_crl_uri_enumerator(x509);
-       while (enumerator->enumerate(enumerator, &cdp))
-       {
-               if (first)
-               {
-                       printf("CRL URIs:  %s", cdp->uri);
-                       first = FALSE;
-               }
-               else
-               {
-                       printf("           %s", cdp->uri);
-               }
-               if (cdp->issuer)
-               {
-                       printf(" (CRL issuer: %Y)", cdp->issuer);
-               }
-               printf("\n");
-       }
-       enumerator->destroy(enumerator);
-
-       first = TRUE;
-       enumerator = x509->create_ocsp_uri_enumerator(x509);
-       while (enumerator->enumerate(enumerator, &uri))
-       {
-               if (first)
-               {
-                       printf("OCSP URIs: %s\n", uri);
-                       first = FALSE;
-               }
-               else
-               {
-                       printf("           %s\n", uri);
-               }
-       }
-       enumerator->destroy(enumerator);
-
-       len = x509->get_constraint(x509, X509_PATH_LEN);
-       if (len != X509_NO_CONSTRAINT)
-       {
-               printf("pathlen:   %d\n", len);
-       }
-
-       first = TRUE;
-       enumerator = x509->create_name_constraint_enumerator(x509, TRUE);
-       while (enumerator->enumerate(enumerator, &id))
-       {
-               if (first)
-               {
-                       printf("Permitted NameConstraints:\n");
-                       first = FALSE;
-               }
-               printf("           %s%Y\n", get_type_pfx(id), id);
-       }
-       enumerator->destroy(enumerator);
-       first = TRUE;
-       enumerator = x509->create_name_constraint_enumerator(x509, FALSE);
-       while (enumerator->enumerate(enumerator, &id))
-       {
-               if (first)
-               {
-                       printf("Excluded NameConstraints:\n");
-                       first = FALSE;
-               }
-               printf("           %s%Y\n", get_type_pfx(id), id);
-       }
-       enumerator->destroy(enumerator);
-
-       first = TRUE;
-       enumerator = x509->create_cert_policy_enumerator(x509);
-       while (enumerator->enumerate(enumerator, &policy))
-       {
-               char *oid;
-
-               if (first)
-               {
-                       printf("CertificatePolicies:\n");
-                       first = FALSE;
-               }
-               oid = asn1_oid_to_string(policy->oid);
-               if (oid)
-               {
-                       printf("           %s\n", oid);
-                       free(oid);
-               }
-               else
-               {
-                       printf("           %#B\n", &policy->oid);
-               }
-               if (policy->cps_uri)
-               {
-                       printf("             CPS: %s\n", policy->cps_uri);
-               }
-               if (policy->unotice_text)
-               {
-                       printf("             Notice: %s\n", policy->unotice_text);
-
-               }
-       }
-       enumerator->destroy(enumerator);
-
-       first = TRUE;
-       enumerator = x509->create_policy_mapping_enumerator(x509);
-       while (enumerator->enumerate(enumerator, &mapping))
-       {
-               char *issuer_oid, *subject_oid;
-
-               if (first)
-               {
-                       printf("PolicyMappings:\n");
-                       first = FALSE;
-               }
-               issuer_oid = asn1_oid_to_string(mapping->issuer);
-               subject_oid = asn1_oid_to_string(mapping->subject);
-               printf("           %s => %s\n", issuer_oid, subject_oid);
-               free(issuer_oid);
-               free(subject_oid);
-       }
-       enumerator->destroy(enumerator);
-
-       explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
-       inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
-       len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
-
-       if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT ||
-               len != X509_NO_CONSTRAINT)
-       {
-               printf("PolicyConstraints:\n");
-               if (explicit != X509_NO_CONSTRAINT)
-               {
-                       printf("           requireExplicitPolicy: %d\n", explicit);
-               }
-               if (inhibit != X509_NO_CONSTRAINT)
-               {
-                       printf("           inhibitPolicyMapping: %d\n", inhibit);
-               }
-               if (len != X509_NO_CONSTRAINT)
-               {
-                       printf("           inhibitAnyPolicy: %d\n", len);
-               }
-       }
-
-       chunk = x509->get_authKeyIdentifier(x509);
-       if (chunk.ptr)
-       {
-               printf("authkeyId: %#B\n", &chunk);
-       }
-
-       chunk = x509->get_subjectKeyIdentifier(x509);
-       if (chunk.ptr)
-       {
-               printf("subjkeyId: %#B\n", &chunk);
-       }
-       if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
-       {
-               first = TRUE;
-               printf("addresses: ");
-               enumerator = x509->create_ipAddrBlock_enumerator(x509);
-               while (enumerator->enumerate(enumerator, &block))
-               {
-                       if (first)
-                       {
-                               first = FALSE;
-                       }
-                       else
-                       {
-                               printf(", ");
-                       }
-                       printf("%R", block);
-               }
-               enumerator->destroy(enumerator);
-               printf("\n");
-       }
-}
-
-/**
- * Print CRL specific information
- */
-static void print_crl(crl_t *crl)
-{
-       enumerator_t *enumerator;
-       time_t ts;
-       crl_reason_t reason;
-       chunk_t chunk;
-       int count = 0;
-       bool first;
-       char buf[64];
-       struct tm tm;
-       x509_cdp_t *cdp;
-
-       chunk = chunk_skip_zero(crl->get_serial(crl));
-       printf("serial:    %#B\n", &chunk);
-
-       if (crl->is_delta_crl(crl, &chunk))
-       {
-               chunk = chunk_skip_zero(chunk);
-               printf("delta CRL: for serial %#B\n", &chunk);
-       }
-       chunk = crl->get_authKeyIdentifier(crl);
-       printf("authKeyId: %#B\n", &chunk);
-
-       first = TRUE;
-       enumerator = crl->create_delta_crl_uri_enumerator(crl);
-       while (enumerator->enumerate(enumerator, &cdp))
-       {
-               if (first)
-               {
-                       printf("freshest:  %s", cdp->uri);
-                       first = FALSE;
-               }
-               else
-               {
-                       printf("           %s", cdp->uri);
-               }
-               if (cdp->issuer)
-               {
-                       printf(" (CRL issuer: %Y)", cdp->issuer);
-               }
-               printf("\n");
-       }
-       enumerator->destroy(enumerator);
-
-       enumerator = crl->create_enumerator(crl);
-       while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
-       {
-               count++;
-       }
-       enumerator->destroy(enumerator);
-
-       printf("%d revoked certificate%s%s\n", count,
-                  count == 1 ? "" : "s", count ? ":" : "");
-       enumerator = crl->create_enumerator(crl);
-       while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
-       {
-               chunk = chunk_skip_zero(chunk);
-               localtime_r(&ts, &tm);
-               strftime(buf, sizeof(buf), "%F %T", &tm);
-               printf("    %#B %N %s\n", &chunk, crl_reason_names, reason, buf);
-               count++;
-       }
-       enumerator->destroy(enumerator);
-}
-
-/**
- * Print AC specific information
- */
-static void print_ac(ac_t *ac)
-{
-       ac_group_type_t type;
-       identification_t *id;
-       enumerator_t *groups;
-       chunk_t chunk;
-       bool first = TRUE;
-
-       chunk = chunk_skip_zero(ac->get_serial(ac));
-       printf("serial:    %#B\n", &chunk);
-
-       id = ac->get_holderIssuer(ac);
-       if (id)
-       {
-               printf("hissuer:  \"%Y\"\n", id);
-       }
-       chunk = chunk_skip_zero(ac->get_holderSerial(ac));
-       if (chunk.ptr)
-       {
-               printf("hserial:   %#B\n", &chunk);
-       }
-       groups = ac->create_group_enumerator(ac);
-       while (groups->enumerate(groups, &type, &chunk))
-       {
-               int oid;
-               char *str;
-
-               if (first)
+               printf("  privkey:   %N %d bits\n", key_type_names,
+                          public->get_type(public), public->get_keysize(public));
+               if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk))
                {
-                       printf("groups:    ");
-                       first = FALSE;
+                       printf("  keyid:     %#B\n", &chunk);
                }
-               else
+               if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk))
                {
-                       printf("           ");
+                       printf("  subjkey:   %#B\n", &chunk);
                }
-               switch (type)
-               {
-                       case AC_GROUP_TYPE_STRING:
-                               printf("%.*s", (int)chunk.len, chunk.ptr);
-                               break;
-                       case AC_GROUP_TYPE_OID:
-                               oid = asn1_known_oid(chunk);
-                               if (oid == OID_UNKNOWN)
-                               {
-                                       str = asn1_oid_to_string(chunk);
-                                       if (str)
-                                       {
-                                               printf("%s", str);
-                                               free(str);
-                                       }
-                                       else
-                                       {
-                                               printf("OID:%#B", &chunk);
-                                       }
-                               }
-                               else
-                               {
-                                       printf("%s", oid_names[oid].name);
-                               }
-                               break;
-                       case AC_GROUP_TYPE_OCTETS:
-                               printf("%#B", &chunk);
-                               break;
-               }
-               printf("\n");
-       }
-       groups->destroy(groups);
-
-       chunk = ac->get_authKeyIdentifier(ac);
-       if (chunk.ptr)
-       {
-               printf("authkey:  %#B\n", &chunk);
-       }
-}
-
-/**
- * Print certificate information
- */
-static void print_cert(certificate_t *cert)
-{
-       time_t now, notAfter, notBefore;
-       public_key_t *key;
-
-       now = time(NULL);
-
-       printf("cert:      %N\n", certificate_type_names, cert->get_type(cert));
-       if (cert->get_type(cert) != CERT_X509_CRL)
-       {
-               printf("subject:  \"%Y\"\n", cert->get_subject(cert));
-       }
-       printf("issuer:   \"%Y\"\n", cert->get_issuer(cert));
-
-       cert->get_validity(cert, &now, &notBefore, &notAfter);
-       printf("validity:  not before %T, ", &notBefore, FALSE);
-       if (now < notBefore)
-       {
-               printf("not valid yet (valid in %V)\n", &now, &notBefore);
-       }
-       else
-       {
-               printf("ok\n");
-       }
-       printf("           not after  %T, ", &notAfter, FALSE);
-       if (now > notAfter)
-       {
-               printf("expired (%V ago)\n", &now, &notAfter);
+               public->destroy(public);
        }
        else
        {
-               printf("ok (expires in %V)\n", &now, &notAfter);
-       }
-
-       switch (cert->get_type(cert))
-       {
-               case CERT_X509:
-                       print_x509((x509_t*)cert);
-                       break;
-               case CERT_X509_CRL:
-                       print_crl((crl_t*)cert);
-                       break;
-               case CERT_X509_AC:
-                       print_ac((ac_t*)cert);
-                       break;
-               default:
-                       printf("parsing certificate subtype %N not implemented\n",
-                                  certificate_type_names, cert->get_type(cert));
-                       break;
-       }
-       key = cert->get_public_key(cert);
-       if (key)
-       {
-               print_pubkey(key);
-               key->destroy(key);
+               printf("extracting public from private key failed\n");
        }
 }
 
@@ -586,8 +86,8 @@ static int print()
                                }
                                else if (streq(arg, "pub"))
                                {
-                                       type = CRED_PUBLIC_KEY;
-                                       subtype = KEY_ANY;
+                                       type = CRED_CERTIFICATE;
+                                       subtype = CERT_TRUSTED_PUBKEY;
                                }
                                else if (streq(arg, "rsa-priv"))
                                {
@@ -647,17 +147,13 @@ static int print()
        if (type == CRED_CERTIFICATE)
        {
                certificate_t *cert = (certificate_t*)cred;
+               certificate_printer_t *printer;
 
-               print_cert(cert);
+               printer = certificate_printer_create(stdout, TRUE, FALSE);
+               printer->print(printer, cert, FALSE);
+               printer->destroy(printer);
                cert->destroy(cert);
        }
-       if (type == CRED_PUBLIC_KEY)
-       {
-               public_key_t *key = (public_key_t*)cred;
-
-               print_pubkey(key);
-               key->destroy(key);
-       }
        if (type == CRED_PRIVATE_KEY)
        {
                private_key_t *key = (private_key_t*)cred;
@@ -665,6 +161,7 @@ static int print()
                print_key(key);
                key->destroy(key);
        }
+
        return 0;
 }