vici: list-cert sends subject, not-before and not-after attributes for pubkeys
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 5 Jan 2016 04:34:12 +0000 (05:34 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sat, 9 Jan 2016 06:23:30 +0000 (07:23 +0100)
src/libcharon/plugins/vici/README.md
src/libcharon/plugins/vici/vici_query.c
src/libstrongswan/asn1/asn1.h
src/swanctl/commands/list_certs.c

index 133d9ae..405cfba 100644 (file)
@@ -760,6 +760,9 @@ _list-certs_ command.
                flag = <X.509 certificate flag, NONE|CA|AA|OCSP>
                has_privkey = <set if a private key for the certificate is available>
                data = <ASN1 encoded certificate data>
+               subject = <subject string if defined and certificate type is PUBKEY>
+               not-before = <time string if defined and certificate type is PUBKEY>
+               not-after  = <time string if defined and certificate type is PUBKEY>
        }
 
 ### list-authority ###
index 99cd348..512c2ba 100644 (file)
@@ -52,6 +52,7 @@
 #endif
 
 #include <daemon.h>
+#include <asn1/asn1.h>
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
 
@@ -866,8 +867,10 @@ static void enum_others(private_vici_query_t *this, u_int id,
        enumerator_t *enumerator;
        certificate_t *cert;
        vici_builder_t *b;
-       chunk_t encoding;
+       chunk_t encoding, t_ch;
        cred_encoding_type_t encoding_type;
+       identification_t *subject;
+       time_t not_before, not_after;
 
        encoding_type = (type == CERT_TRUSTED_PUBKEY) ? PUBKEY_SPKI_ASN1_DER :
                                                                                                        CERT_ASN1_DER;
@@ -886,6 +889,27 @@ static void enum_others(private_vici_query_t *this, u_int id,
                        b->add(b, VICI_KEY_VALUE, "data", encoding);
                        free(encoding.ptr);
 
+                       if (type == CERT_TRUSTED_PUBKEY)
+                       {
+                               subject = cert->get_subject(cert);
+                               if (subject->get_type(subject) != ID_KEY_ID)
+                               {
+                                       b->add_kv(b, "subject", "%Y", cert->get_subject(cert));
+                               }
+                               cert->get_validity(cert, NULL, &not_before, &not_after);
+                               if (not_before != UNDEFINED_TIME)
+                               {
+                                       t_ch = asn1_from_time(&not_before, ASN1_GENERALIZEDTIME);
+                                       b->add(b, VICI_KEY_VALUE, "not-before", chunk_skip(t_ch, 2));
+                                       chunk_free(&t_ch);
+                               }
+                               if (not_after != UNDEFINED_TIME)
+                               {
+                                       t_ch = asn1_from_time(&not_after, ASN1_GENERALIZEDTIME);
+                                       b->add(b, VICI_KEY_VALUE, "not-after", chunk_skip(t_ch, 2));
+                                       chunk_free(&t_ch);
+                               }
+                       }
                        this->dispatcher->raise_event(this->dispatcher, "list-cert", id,
                                                                                  b->finalize(b));
                }
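Review bot: The `subject` pointer fetched on the `subject = cert->get_subject(cert);` line is never used in the add_kv call that follows, which calls `cert->get_subject(cert)` a second time; the call should read `b->add_kv(b, "subject", "%Y", subject);`. The `chunk_skip(t_ch, 2)` on the not-before and not-after lines silently relies on the encoded GeneralizedTime carrying a one-octet tag plus a one-octet (short-form) length, which presumably holds because the payload is a fixed 15-character `YYYYMMDDHHMMSSZ` string; a comment such as `/* strip the 2-octet tag/length header, keep the bare GeneralizedTime text */` would save the next reader a trip into asn1_from_time. The return value of `get_validity` is dropped, which is fine here since only the two out-parameters are wanted, but a short comment saying so avoids the question. enum_others starts and ends outside this hunk.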
index 7a48292..8ac0056 100644 (file)
@@ -26,6 +26,7 @@
 #include <stdarg.h>
 
 #include <library.h>
+#include <asn1/asn1.h>
 
 /**
  * Definition of some primitive ASN1 types
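Review bot: The added `#include <asn1/asn1.h>` is asn1.h including itself; assuming the header has the usual include guard (not visible in this hunk), the line is a no-op and can be dropped. If the intent was to make asn1_from_time/asn1_to_time visible to the callers this commit introduces, vici_query.c already adds the include directly and list_certs.c should do the same rather than rely on a transitive include.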
index 2c314d8..e9c9647 100644 (file)
@@ -58,6 +58,10 @@ CALLBACK(list_cb, void,
        certificate_t *cert;
        certificate_type_t type;
        x509_flag_t flag = X509_NONE;
+       identification_t *subject = NULL;
+       time_t not_before = UNDEFINED_TIME;
+       time_t not_after  = UNDEFINED_TIME;
+       chunk_t t_ch;
        bool has_privkey;
        char *str;
        void *buf;
@@ -93,11 +97,38 @@ CALLBACK(list_cb, void,
                        return;
                }
        }
-
-       /* Parse certificate data blob */
-       cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
-                                                         BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
-                                                         BUILD_END);
+       if (type == CERT_TRUSTED_PUBKEY)
+       {
+               str = vici_find_str(res, NULL, "subject");
+               if (str)
+               {
+                       subject = identification_create_from_string(str);
+               }
+               str = vici_find_str(res, NULL, "not-before");
+               if (str)
+               {
+                       t_ch = chunk_from_str(str);
+                       not_before = asn1_to_time(&t_ch, ASN1_GENERALIZEDTIME);
+               }
+               str = vici_find_str(res, NULL, "not-after");
+               if (str)
+               {
+                       t_ch = chunk_from_str(str);
+                       not_after = asn1_to_time(&t_ch, ASN1_GENERALIZEDTIME);
+               }
+               cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
+                                                                 BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
+                                                                 BUILD_NOT_BEFORE_TIME, not_before,
+                                                                 BUILD_NOT_AFTER_TIME, not_after,
+                                                                 BUILD_SUBJECT, subject, BUILD_END);
+               DESTROY_IF(subject);
+       }
+       else
+       {
+               cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
+                                                                 BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
+                                                                 BUILD_END);
+       }
        if (cert)
        {
                if (*format & COMMAND_FORMAT_PEM)
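Review bot: list_cb now calls `asn1_to_time` and uses `ASN1_GENERALIZEDTIME`, but unlike vici_query.c this commit adds no `#include <asn1/asn1.h>` to list_certs.c, so the build depends on some other header pulling asn1.h in transitively; spelling the include out keeps the dependency explicit. The `/* Parse certificate data blob */` comment that the hunk removes still describes both branches and could be restored above the new `if (type == CERT_TRUSTED_PUBKEY)`. The `DESTROY_IF(subject)` right after the builder call presumably assumes the pubkey certificate builder copies BUILD_SUBJECT rather than keeping the pointer — worth a one-line comment, e.g. `/* builder clones subject */`, since a reader cannot tell from here. list_cb continues outside this hunk.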