Refactored certificate management for the vici and stroke interfaces
This commit is contained in:
parent
4df09fe563
commit
02d431022c
|
@ -31,7 +31,6 @@
|
||||||
#include <collections/linked_list.h>
|
#include <collections/linked_list.h>
|
||||||
#include <plugins/plugin.h>
|
#include <plugins/plugin.h>
|
||||||
#include <credentials/certificates/x509.h>
|
#include <credentials/certificates/x509.h>
|
||||||
#include <credentials/certificates/pgp_certificate.h>
|
|
||||||
#include <credentials/certificates/certificate_printer.h>
|
#include <credentials/certificates/certificate_printer.h>
|
||||||
#include <config/peer_cfg.h>
|
#include <config/peer_cfg.h>
|
||||||
|
|
||||||
|
@ -63,6 +62,11 @@ struct private_stroke_list_t {
|
||||||
stroke_attribute_t *attribute;
|
stroke_attribute_t *attribute;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Static certificate printer object
|
||||||
|
*/
|
||||||
|
static certificate_printer_t *cert_printer = NULL;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Log tasks of a specific queue to out
|
* Log tasks of a specific queue to out
|
||||||
*/
|
*/
|
||||||
|
@ -760,133 +764,50 @@ static bool has_privkey(certificate_t *cert)
|
||||||
return (private != NULL);
|
return (private != NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* list OpenPGP certificates
|
|
||||||
*/
|
|
||||||
static void stroke_list_pgp_certs(linked_list_t *list, char *label,
|
|
||||||
bool utc, FILE *out)
|
|
||||||
{
|
|
||||||
bool first = TRUE;
|
|
||||||
time_t now = time(NULL);
|
|
||||||
enumerator_t *enumerator = list->create_enumerator(list);
|
|
||||||
certificate_t *cert;
|
|
||||||
chunk_t keyid;
|
|
||||||
|
|
||||||
while (enumerator->enumerate(enumerator, (void**)&cert))
|
|
||||||
{
|
|
||||||
time_t created, until;
|
|
||||||
public_key_t *public;
|
|
||||||
pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert;
|
|
||||||
chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
|
|
||||||
|
|
||||||
if (first)
|
|
||||||
{
|
|
||||||
fprintf(out, "\n");
|
|
||||||
fprintf(out, "List of %ss:\n", label);
|
|
||||||
first = FALSE;
|
|
||||||
}
|
|
||||||
fprintf(out, "\n");
|
|
||||||
fprintf(out, " userid: '%Y'\n", cert->get_subject(cert));
|
|
||||||
fprintf(out, " digest: %#B\n", &fingerprint);
|
|
||||||
|
|
||||||
/* list validity */
|
|
||||||
cert->get_validity(cert, &now, &created, &until);
|
|
||||||
fprintf(out, " created: %T\n", &created, utc);
|
|
||||||
fprintf(out, " until: %T%s\n", &until, utc,
|
|
||||||
(until == TIME_32_BIT_SIGNED_MAX) ? " (expires never)":"");
|
|
||||||
|
|
||||||
public = cert->get_public_key(cert);
|
|
||||||
if (public)
|
|
||||||
{
|
|
||||||
fprintf(out, " pubkey: %N %d bits%s\n",
|
|
||||||
key_type_names, public->get_type(public),
|
|
||||||
public->get_keysize(public),
|
|
||||||
has_privkey(cert) ? ", has private key" : "");
|
|
||||||
|
|
||||||
if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
|
|
||||||
{
|
|
||||||
fprintf(out, " keyid: %#B\n", &keyid);
|
|
||||||
}
|
|
||||||
if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
|
|
||||||
{
|
|
||||||
fprintf(out, " subjkey: %#B\n", &keyid);
|
|
||||||
}
|
|
||||||
public->destroy(public);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
enumerator->destroy(enumerator);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* list all X.509 certificates matching the flags
|
* list all X.509 certificates matching the flags
|
||||||
*/
|
*/
|
||||||
static void stroke_list_x509_certs(linked_list_t *list, char *label,
|
static void stroke_list_x509_certs(linked_list_t *list, x509_flag_t flag)
|
||||||
x509_flag_t flags, bool utc, FILE *out)
|
|
||||||
{
|
{
|
||||||
bool first = TRUE;
|
|
||||||
enumerator_t *enumerator;
|
enumerator_t *enumerator;
|
||||||
certificate_t *cert;
|
certificate_t *cert;
|
||||||
certificate_printer_t *printer;
|
|
||||||
x509_flag_t flag_mask;
|
|
||||||
|
|
||||||
printer = certificate_printer_create(out, TRUE, utc),
|
|
||||||
|
|
||||||
/* mask all auxiliary flags */
|
|
||||||
flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH | X509_IKE_INTERMEDIATE |
|
|
||||||
X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS);
|
|
||||||
|
|
||||||
enumerator = list->create_enumerator(list);
|
enumerator = list->create_enumerator(list);
|
||||||
while (enumerator->enumerate(enumerator, (void**)&cert))
|
while (enumerator->enumerate(enumerator, (void**)&cert))
|
||||||
{
|
{
|
||||||
x509_t *x509 = (x509_t*)cert;
|
x509_t *x509 = (x509_t*)cert;
|
||||||
x509_flag_t x509_flags = x509->get_flags(x509) & flag_mask;
|
x509_flag_t flags = x509->get_flags(x509) & X509_ANY;
|
||||||
|
|
||||||
/* list only if flag is set or flag == 0 */
|
/* list only if flag is set or flag == 0 */
|
||||||
if ((x509_flags & flags) || (x509_flags == flags))
|
if ((flags & flag) || flags == flag)
|
||||||
{
|
{
|
||||||
if (first)
|
cert_printer->print_caption(cert_printer, CERT_X509, flag);
|
||||||
{
|
cert_printer->print(cert_printer, cert, has_privkey(cert));
|
||||||
fprintf(out, "\n");
|
|
||||||
fprintf(out, "List of %ss:\n", label);
|
|
||||||
first = FALSE;
|
|
||||||
}
|
|
||||||
fprintf(out, "\n");
|
|
||||||
printer->print(printer, cert, has_privkey(cert));
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
enumerator->destroy(enumerator);
|
enumerator->destroy(enumerator);
|
||||||
|
|
||||||
printer->destroy(printer);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* list all other certificates types
|
* list all other certificates types
|
||||||
*/
|
*/
|
||||||
static void stroke_list_other_certs(linked_list_t *list, char *label,
|
static void stroke_list_other_certs(certificate_type_t type)
|
||||||
bool utc, FILE *out)
|
|
||||||
{
|
{
|
||||||
bool first = TRUE;
|
|
||||||
enumerator_t *enumerator;
|
enumerator_t *enumerator;
|
||||||
certificate_t *cert;
|
certificate_t *cert;
|
||||||
certificate_printer_t *printer;
|
linked_list_t *list;
|
||||||
|
|
||||||
printer = certificate_printer_create(out, TRUE, utc),
|
list = create_unique_cert_list(type);
|
||||||
|
|
||||||
enumerator = list->create_enumerator(list);
|
enumerator = list->create_enumerator(list);
|
||||||
while (enumerator->enumerate(enumerator, &cert))
|
while (enumerator->enumerate(enumerator, &cert))
|
||||||
{
|
{
|
||||||
if (first)
|
cert_printer->print_caption(cert_printer, cert->get_type(cert), X509_NONE);
|
||||||
{
|
cert_printer->print(cert_printer, cert, has_privkey(cert));
|
||||||
fprintf(out, "\n");
|
|
||||||
fprintf(out, "List of %ss:\n", label);
|
|
||||||
first = FALSE;
|
|
||||||
}
|
|
||||||
fprintf(out, "\n");
|
|
||||||
printer->print(printer, cert, has_privkey(cert));
|
|
||||||
}
|
}
|
||||||
enumerator->destroy(enumerator);
|
enumerator->destroy(enumerator);
|
||||||
|
|
||||||
printer->destroy(printer);
|
list->destroy_offset(list, offsetof(certificate_t, destroy));
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -1058,21 +979,15 @@ METHOD(stroke_list_t, list, void,
|
||||||
{
|
{
|
||||||
linked_list_t *cert_list = NULL;
|
linked_list_t *cert_list = NULL;
|
||||||
|
|
||||||
|
cert_printer = certificate_printer_create(out, TRUE, msg->list.utc);
|
||||||
|
|
||||||
if (msg->list.flags & LIST_PUBKEYS)
|
if (msg->list.flags & LIST_PUBKEYS)
|
||||||
{
|
{
|
||||||
linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY);
|
stroke_list_other_certs(CERT_TRUSTED_PUBKEY);
|
||||||
|
|
||||||
stroke_list_other_certs(pubkey_list, "Raw Public Key",
|
|
||||||
msg->list.utc, out);
|
|
||||||
pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy));
|
|
||||||
}
|
}
|
||||||
if (msg->list.flags & LIST_CERTS)
|
if (msg->list.flags & LIST_CERTS)
|
||||||
{
|
{
|
||||||
linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG);
|
stroke_list_other_certs(CERT_GPG);
|
||||||
|
|
||||||
stroke_list_pgp_certs(pgp_list, "PGP End Entity Certificate",
|
|
||||||
msg->list.utc, out);
|
|
||||||
pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy));
|
|
||||||
}
|
}
|
||||||
if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS))
|
if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS))
|
||||||
{
|
{
|
||||||
|
@ -1080,49 +995,33 @@ METHOD(stroke_list_t, list, void,
|
||||||
}
|
}
|
||||||
if (msg->list.flags & LIST_CERTS)
|
if (msg->list.flags & LIST_CERTS)
|
||||||
{
|
{
|
||||||
stroke_list_x509_certs(cert_list, "X.509 End Entity Certificate",
|
stroke_list_x509_certs(cert_list, X509_NONE);
|
||||||
X509_NONE, msg->list.utc, out);
|
|
||||||
}
|
}
|
||||||
if (msg->list.flags & LIST_CACERTS)
|
if (msg->list.flags & LIST_CACERTS)
|
||||||
{
|
{
|
||||||
stroke_list_x509_certs(cert_list, "X.509 CA Certificate",
|
stroke_list_x509_certs(cert_list, X509_CA);
|
||||||
X509_CA, msg->list.utc, out);
|
|
||||||
}
|
}
|
||||||
if (msg->list.flags & LIST_OCSPCERTS)
|
if (msg->list.flags & LIST_OCSPCERTS)
|
||||||
{
|
{
|
||||||
stroke_list_x509_certs(cert_list, "X.509 OCSP Signer Certificate",
|
stroke_list_x509_certs(cert_list, X509_OCSP_SIGNER);
|
||||||
X509_OCSP_SIGNER, msg->list.utc, out);
|
|
||||||
}
|
}
|
||||||
if (msg->list.flags & LIST_AACERTS)
|
if (msg->list.flags & LIST_AACERTS)
|
||||||
{
|
{
|
||||||
stroke_list_x509_certs(cert_list, "X.509 AA Certificate",
|
stroke_list_x509_certs(cert_list, X509_AA);
|
||||||
X509_AA, msg->list.utc, out);
|
|
||||||
}
|
}
|
||||||
DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
|
DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
|
||||||
|
|
||||||
if (msg->list.flags & LIST_ACERTS)
|
if (msg->list.flags & LIST_ACERTS)
|
||||||
{
|
{
|
||||||
linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC);
|
stroke_list_other_certs(CERT_X509_AC);
|
||||||
|
|
||||||
stroke_list_other_certs(ac_list, "X.509 Attribute Certificate",
|
|
||||||
msg->list.utc, out);
|
|
||||||
ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy));
|
|
||||||
}
|
}
|
||||||
if (msg->list.flags & LIST_CRLS)
|
if (msg->list.flags & LIST_CRLS)
|
||||||
{
|
{
|
||||||
linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL);
|
stroke_list_other_certs(CERT_X509_CRL);
|
||||||
|
|
||||||
stroke_list_other_certs(crl_list, "X.509 CRL",
|
|
||||||
msg->list.utc, out);
|
|
||||||
crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy));
|
|
||||||
}
|
}
|
||||||
if (msg->list.flags & LIST_OCSP)
|
if (msg->list.flags & LIST_OCSP)
|
||||||
{
|
{
|
||||||
linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE);
|
stroke_list_other_certs(CERT_X509_OCSP_RESPONSE);
|
||||||
|
|
||||||
stroke_list_other_certs(ocsp_list, "OCSP Response",
|
|
||||||
msg->list.utc, out);
|
|
||||||
ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy));
|
|
||||||
}
|
}
|
||||||
if (msg->list.flags & LIST_ALGS)
|
if (msg->list.flags & LIST_ALGS)
|
||||||
{
|
{
|
||||||
|
@ -1132,6 +1031,8 @@ METHOD(stroke_list_t, list, void,
|
||||||
{
|
{
|
||||||
list_plugins(out);
|
list_plugins(out);
|
||||||
}
|
}
|
||||||
|
cert_printer->destroy(cert_printer);
|
||||||
|
cert_printer = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -18,7 +18,7 @@ libstrongswan_vici_la_SOURCES = \
|
||||||
vici_message.h vici_message.c \
|
vici_message.h vici_message.c \
|
||||||
vici_builder.h vici_builder.c \
|
vici_builder.h vici_builder.c \
|
||||||
vici_dispatcher.h vici_dispatcher.c \
|
vici_dispatcher.h vici_dispatcher.c \
|
||||||
vici_cert_info.c vici_cert_info.h \
|
vici_cert_info.h vici_cert_info.c \
|
||||||
vici_query.h vici_query.c \
|
vici_query.h vici_query.c \
|
||||||
vici_control.h vici_control.c \
|
vici_control.h vici_control.c \
|
||||||
vici_config.h vici_config.c \
|
vici_config.h vici_config.c \
|
||||||
|
@ -39,7 +39,7 @@ ipseclib_LTLIBRARIES = libvici.la
|
||||||
libvici_la_SOURCES = \
|
libvici_la_SOURCES = \
|
||||||
vici_message.c vici_message.h \
|
vici_message.c vici_message.h \
|
||||||
vici_builder.c vici_builder.h \
|
vici_builder.c vici_builder.h \
|
||||||
vici_cert_info.c vici_cert_info.h \
|
vici_cert_info.h vici_cert_info.c \
|
||||||
libvici.c libvici.h
|
libvici.c libvici.h
|
||||||
|
|
||||||
libvici_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
|
libvici_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
|
||||||
|
|
|
@ -369,7 +369,9 @@ call includes all certificates known by the daemon, not only those loaded
|
||||||
over vici.
|
over vici.
|
||||||
|
|
||||||
{
|
{
|
||||||
type = <certificate type to filter for, or ANY>
|
type = <certificate type to filter for, X509|X509_AC|X509_CRL|
|
||||||
|
OCSP_RESPONSE|PUBKEY or ANY>
|
||||||
|
flag = <X.509 certificate flag to filter for, NONE|CA|AA|OCSP or ANY>
|
||||||
subject = <set to list only certificates having subject>
|
subject = <set to list only certificates having subject>
|
||||||
} => {
|
} => {
|
||||||
# completes after streaming list-cert events
|
# completes after streaming list-cert events
|
||||||
|
@ -427,7 +429,8 @@ Unload a previously loaded connection definition by name.
|
||||||
Load a certificate into the daemon.
|
Load a certificate into the daemon.
|
||||||
|
|
||||||
{
|
{
|
||||||
type = <certificate type, X509|X509CA|X509AA|X509CRL|X509AC>
|
type = <certificate type, X509|X509_AC|X509_CRL>
|
||||||
|
flag = <X.509 certificate flag, NONE|CA|AA|OCSP>
|
||||||
data = <PEM or DER encoded certificate data>
|
data = <PEM or DER encoded certificate data>
|
||||||
} => {
|
} => {
|
||||||
success = <yes or no>
|
success = <yes or no>
|
||||||
|
@ -753,7 +756,8 @@ The _list-cert_ event is issued to stream loaded certificates during an active
|
||||||
_list-certs_ command.
|
_list-certs_ command.
|
||||||
|
|
||||||
{
|
{
|
||||||
type = <certificate type>
|
type = <certificate type, X509|X509_AC|X509_CRL|OCSP_RESPONSE|PUBKEY>
|
||||||
|
flag = <X.509 certificate flag, NONE|CA|AA|OCSP>
|
||||||
has_privkey = <set if a private key for the certificate is available>
|
has_privkey = <set if a private key for the certificate is available>
|
||||||
data = <ASN1 encoded certificate data>
|
data = <ASN1 encoded certificate data>
|
||||||
}
|
}
|
||||||
|
|
|
@ -164,13 +164,13 @@ print $version->raw(), "\n";
|
||||||
|
|
||||||
loads a certificate into the daemon.
|
loads a certificate into the daemon.
|
||||||
|
|
||||||
my %vars = ( type => 'X509CA', data => $ca_cert );
|
my %vars = ( type => 'X509', flag => 'CA', data => $ca_cert );
|
||||||
my ($res, $errmsg) = $session->load_cert(Vici::Message->new(\%vars));
|
my ($res, $errmsg) = $session->load_cert(Vici::Message->new(\%vars));
|
||||||
|
|
||||||
=cut
|
=cut
|
||||||
|
|
||||||
print "----- load-cert -----\n";
|
print "----- load-cert -----\n";
|
||||||
my %vars = ( type => 'X509CA', data => $ca_cert );
|
my %vars = ( type => 'X509', flag => 'CA', data => $ca_cert );
|
||||||
my ($res, $errmsg) = $session->load_cert(Vici::Message->new(\%vars));
|
my ($res, $errmsg) = $session->load_cert(Vici::Message->new(\%vars));
|
||||||
print $res ? "ok\n" : "failed: $errmsg\n";
|
print $res ? "ok\n" : "failed: $errmsg\n";
|
||||||
|
|
||||||
|
|
|
@ -2,6 +2,9 @@
|
||||||
* Copyright (C) 2014 Martin Willi
|
* Copyright (C) 2014 Martin Willi
|
||||||
* Copyright (C) 2014 revosec AG
|
* Copyright (C) 2014 revosec AG
|
||||||
*
|
*
|
||||||
|
* Copyright (C) 2015 Andreas Steffen
|
||||||
|
* HSR Hochschule fuer Technik Rapperswil
|
||||||
|
*
|
||||||
* This program is free software; you can redistribute it and/or modify it
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
* under the terms of the GNU General Public License as published by the
|
* under the terms of the GNU General Public License as published by the
|
||||||
* Free Software Foundation; either version 2 of the License, or (at your
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
@ -67,9 +70,9 @@ static vici_message_t* create_reply(char *fmt, ...)
|
||||||
CALLBACK(load_cert, vici_message_t*,
|
CALLBACK(load_cert, vici_message_t*,
|
||||||
private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
|
private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
|
||||||
{
|
{
|
||||||
vici_cert_info_t *cert_info;
|
|
||||||
certificate_t *cert;
|
certificate_t *cert;
|
||||||
x509_flag_t flag;
|
certificate_type_t type;
|
||||||
|
x509_flag_t ext_flag, flag = X509_NONE;
|
||||||
x509_t *x509;
|
x509_t *x509;
|
||||||
chunk_t data;
|
chunk_t data;
|
||||||
bool trusted = TRUE;
|
bool trusted = TRUE;
|
||||||
|
@ -80,9 +83,18 @@ CALLBACK(load_cert, vici_message_t*,
|
||||||
{
|
{
|
||||||
return create_reply("certificate type missing");
|
return create_reply("certificate type missing");
|
||||||
}
|
}
|
||||||
|
if (enum_from_name(certificate_type_names, str, &type))
|
||||||
cert_info = vici_cert_info_retrieve(str);
|
{
|
||||||
if (!cert_info)
|
if (type == CERT_X509)
|
||||||
|
{
|
||||||
|
str = message->get_str(message, "NONE", "flag");
|
||||||
|
if (!enum_from_name(x509_flag_names, str, &flag))
|
||||||
|
{
|
||||||
|
return create_reply("invalid certificate flag '%s'", str);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if (!vici_cert_info_from_str(str, &type, &flag))
|
||||||
{
|
{
|
||||||
return create_reply("invalid certificate type '%s'", str);
|
return create_reply("invalid certificate type '%s'", str);
|
||||||
}
|
}
|
||||||
|
@ -94,21 +106,21 @@ CALLBACK(load_cert, vici_message_t*,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* do not set CA flag externally */
|
/* do not set CA flag externally */
|
||||||
flag = (cert_info->flag & X509_CA) ? X509_NONE : cert_info->flag;
|
ext_flag = (flag & X509_CA) ? X509_NONE : flag;
|
||||||
|
|
||||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, cert_info->type,
|
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
|
||||||
BUILD_BLOB_PEM, data,
|
BUILD_BLOB_PEM, data,
|
||||||
BUILD_X509_FLAG, flag,
|
BUILD_X509_FLAG, ext_flag,
|
||||||
BUILD_END);
|
BUILD_END);
|
||||||
if (!cert)
|
if (!cert)
|
||||||
{
|
{
|
||||||
return create_reply("parsing %N certificate failed",
|
return create_reply("parsing %N certificate failed",
|
||||||
certificate_type_names, cert_info->type);
|
certificate_type_names, type);
|
||||||
}
|
}
|
||||||
DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
|
DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
|
||||||
|
|
||||||
/* check if CA certificate has CA basic constraint set */
|
/* check if CA certificate has CA basic constraint set */
|
||||||
if (cert_info->flag & X509_CA)
|
if (flag & X509_CA)
|
||||||
{
|
{
|
||||||
char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
|
char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
|
||||||
x509 = (x509_t*)cert;
|
x509 = (x509_t*)cert;
|
||||||
|
@ -120,7 +132,7 @@ CALLBACK(load_cert, vici_message_t*,
|
||||||
return create_reply(err_msg);
|
return create_reply(err_msg);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (cert_info->type == CERT_X509_CRL)
|
if (type == CERT_X509_CRL)
|
||||||
{
|
{
|
||||||
this->creds->add_crl(this->creds, (crl_t*)cert);
|
this->creds->add_crl(this->creds, (crl_t*)cert);
|
||||||
}
|
}
|
||||||
|
|
|
@ -40,8 +40,6 @@
|
||||||
|
|
||||||
#include "vici_query.h"
|
#include "vici_query.h"
|
||||||
#include "vici_builder.h"
|
#include "vici_builder.h"
|
||||||
#include "vici_version.h"
|
|
||||||
#include "vici_cert_info.h"
|
|
||||||
|
|
||||||
#include <inttypes.h>
|
#include <inttypes.h>
|
||||||
#include <time.h>
|
#include <time.h>
|
||||||
|
@ -53,6 +51,8 @@
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include <daemon.h>
|
#include <daemon.h>
|
||||||
|
#include <credentials/certificates/certificate.h>
|
||||||
|
#include <credentials/certificates/x509.h>
|
||||||
|
|
||||||
typedef struct private_vici_query_t private_vici_query_t;
|
typedef struct private_vici_query_t private_vici_query_t;
|
||||||
|
|
||||||
|
@ -809,7 +809,6 @@ static bool has_privkey(certificate_t *cert)
|
||||||
* Store cert filter data
|
* Store cert filter data
|
||||||
*/
|
*/
|
||||||
typedef struct {
|
typedef struct {
|
||||||
vici_version_t version;
|
|
||||||
certificate_type_t type;
|
certificate_type_t type;
|
||||||
x509_flag_t flag;
|
x509_flag_t flag;
|
||||||
identification_t *subject;
|
identification_t *subject;
|
||||||
|
@ -820,27 +819,25 @@ typedef struct {
|
||||||
*/
|
*/
|
||||||
static void enum_x509(private_vici_query_t *this, u_int id,
|
static void enum_x509(private_vici_query_t *this, u_int id,
|
||||||
linked_list_t *certs, cert_filter_t *filter,
|
linked_list_t *certs, cert_filter_t *filter,
|
||||||
x509_flag_t flag, char *cert_type)
|
x509_flag_t flag)
|
||||||
{
|
{
|
||||||
enumerator_t *enumerator;
|
enumerator_t *enumerator;
|
||||||
certificate_t *cert;
|
certificate_t *cert;
|
||||||
vici_builder_t *b;
|
vici_builder_t *b;
|
||||||
chunk_t encoding;
|
chunk_t encoding;
|
||||||
x509_flag_t mask;
|
|
||||||
x509_t *x509;
|
x509_t *x509;
|
||||||
|
|
||||||
if (filter->type != CERT_ANY && filter->version != VICI_1_0 &&
|
if (filter->type != CERT_ANY && filter->flag != X509_ANY &&
|
||||||
filter->flag != flag)
|
filter->flag != flag)
|
||||||
{
|
{
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
mask = X509_CA | X509_AA | X509_OCSP_SIGNER;
|
|
||||||
|
|
||||||
enumerator = certs->create_enumerator(certs);
|
enumerator = certs->create_enumerator(certs);
|
||||||
while (enumerator->enumerate(enumerator, &cert))
|
while (enumerator->enumerate(enumerator, &cert))
|
||||||
{
|
{
|
||||||
x509 = (x509_t*)cert;
|
x509 = (x509_t*)cert;
|
||||||
if ((x509->get_flags(x509) & mask) != flag)
|
if ((x509->get_flags(x509) & X509_ANY) != flag)
|
||||||
{
|
{
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
@ -848,16 +845,8 @@ static void enum_x509(private_vici_query_t *this, u_int id,
|
||||||
if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
|
if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
|
||||||
{
|
{
|
||||||
b = vici_builder_create();
|
b = vici_builder_create();
|
||||||
if (filter->version == VICI_1_0)
|
b->add_kv(b, "type", "%N", certificate_type_names, CERT_X509);
|
||||||
{
|
b->add_kv(b, "flag", "%N", x509_flag_names, flag);
|
||||||
b->add_kv(b, "type", "%N", certificate_type_names,
|
|
||||||
cert->get_type(cert));
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION);
|
|
||||||
b->add_kv(b, "type", "%s", cert_type);
|
|
||||||
}
|
|
||||||
if (has_privkey(cert))
|
if (has_privkey(cert))
|
||||||
{
|
{
|
||||||
b->add_kv(b, "has_privkey", "yes");
|
b->add_kv(b, "has_privkey", "yes");
|
||||||
|
@ -876,8 +865,7 @@ static void enum_x509(private_vici_query_t *this, u_int id,
|
||||||
* Enumerate all non-X.509 certificate types
|
* Enumerate all non-X.509 certificate types
|
||||||
*/
|
*/
|
||||||
static void enum_others(private_vici_query_t *this, u_int id,
|
static void enum_others(private_vici_query_t *this, u_int id,
|
||||||
linked_list_t *certs, cert_filter_t *filter,
|
linked_list_t *certs, cert_filter_t *filter)
|
||||||
char *cert_type)
|
|
||||||
{
|
{
|
||||||
enumerator_t *enumerator;
|
enumerator_t *enumerator;
|
||||||
certificate_t *cert;
|
certificate_t *cert;
|
||||||
|
@ -890,16 +878,8 @@ static void enum_others(private_vici_query_t *this, u_int id,
|
||||||
if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
|
if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
|
||||||
{
|
{
|
||||||
b = vici_builder_create();
|
b = vici_builder_create();
|
||||||
if (filter->version == VICI_1_0)
|
b->add_kv(b, "type", "%N", certificate_type_names,
|
||||||
{
|
cert->get_type(cert));
|
||||||
b->add_kv(b, "type", "%N", certificate_type_names,
|
|
||||||
cert->get_type(cert));
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION);
|
|
||||||
b->add_kv(b, "type", "%s", cert_type);
|
|
||||||
}
|
|
||||||
if (has_privkey(cert))
|
if (has_privkey(cert))
|
||||||
{
|
{
|
||||||
b->add_kv(b, "has_privkey", "yes");
|
b->add_kv(b, "has_privkey", "yes");
|
||||||
|
@ -918,8 +898,7 @@ static void enum_others(private_vici_query_t *this, u_int id,
|
||||||
* Enumerate all certificates of a given type
|
* Enumerate all certificates of a given type
|
||||||
*/
|
*/
|
||||||
static void enum_certs(private_vici_query_t *this, u_int id,
|
static void enum_certs(private_vici_query_t *this, u_int id,
|
||||||
cert_filter_t *filter, certificate_type_t type,
|
cert_filter_t *filter, certificate_type_t type)
|
||||||
char *cert_type)
|
|
||||||
{
|
{
|
||||||
enumerator_t *e1, *e2;
|
enumerator_t *e1, *e2;
|
||||||
certificate_t *cert, *current;
|
certificate_t *cert, *current;
|
||||||
|
@ -958,14 +937,14 @@ static void enum_certs(private_vici_query_t *this, u_int id,
|
||||||
|
|
||||||
if (type == CERT_X509)
|
if (type == CERT_X509)
|
||||||
{
|
{
|
||||||
enum_x509(this, id, certs, filter, X509_NONE, "x509");
|
enum_x509(this, id, certs, filter, X509_NONE);
|
||||||
enum_x509(this, id, certs, filter, X509_CA, "x509ca");
|
enum_x509(this, id, certs, filter, X509_CA);
|
||||||
enum_x509(this, id, certs, filter, X509_AA, "x509ac");
|
enum_x509(this, id, certs, filter, X509_AA);
|
||||||
enum_x509(this, id, certs, filter, X509_OCSP_SIGNER, "x509ocsp");
|
enum_x509(this, id, certs, filter, X509_OCSP_SIGNER);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
enum_others(this, id, certs, filter, cert_type);
|
enum_others(this, id, certs, filter);
|
||||||
}
|
}
|
||||||
certs->destroy_offset(certs, offsetof(certificate_t, destroy));
|
certs->destroy_offset(certs, offsetof(certificate_t, destroy));
|
||||||
}
|
}
|
||||||
|
@ -974,43 +953,25 @@ CALLBACK(list_certs, vici_message_t*,
|
||||||
private_vici_query_t *this, char *name, u_int id, vici_message_t *request)
|
private_vici_query_t *this, char *name, u_int id, vici_message_t *request)
|
||||||
{
|
{
|
||||||
cert_filter_t filter = {
|
cert_filter_t filter = {
|
||||||
.version = VICI_1_0,
|
|
||||||
.type = CERT_ANY,
|
.type = CERT_ANY,
|
||||||
.flag = X509_NONE,
|
.flag = X509_ANY,
|
||||||
.subject = NULL
|
.subject = NULL
|
||||||
};
|
};
|
||||||
vici_builder_t *b;
|
vici_builder_t *b;
|
||||||
char *str;
|
char *str;
|
||||||
|
|
||||||
str = request->get_str(request, "1.0", "vici");
|
str = request->get_str(request, "ANY", "type");
|
||||||
if (!enum_from_name(vici_version_names, str, &filter.version))
|
if (!enum_from_name(certificate_type_names, str, &filter.type))
|
||||||
{
|
{
|
||||||
DBG1(DBG_CFG, "unsupported vici version '%s'", str);
|
DBG1(DBG_CFG, "invalid certificate type '%s'", str);
|
||||||
goto finalize;
|
goto finalize;
|
||||||
}
|
}
|
||||||
str = request->get_str(request, "ANY", "type");
|
if (filter.type == CERT_X509)
|
||||||
|
|
||||||
if (filter.version == VICI_1_0)
|
|
||||||
{
|
{
|
||||||
if (!enum_from_name(certificate_type_names, str, &filter.type))
|
str = request->get_str(request, "ANY", "flag");
|
||||||
|
if (!enum_from_name(x509_flag_names, str, &filter.flag))
|
||||||
{
|
{
|
||||||
DBG1(DBG_CFG, "invalid certificate type '%s'", str);
|
DBG1(DBG_CFG, "invalid certificate flag '%s'", str);
|
||||||
goto finalize;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else /* VICI 2.0 */
|
|
||||||
{
|
|
||||||
vici_cert_info_t *cert_info;
|
|
||||||
|
|
||||||
cert_info = vici_cert_info_retrieve(str);
|
|
||||||
if (cert_info)
|
|
||||||
{
|
|
||||||
filter.type = cert_info->type;
|
|
||||||
filter.flag = cert_info->flag;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
DBG1(DBG_CFG, "invalid certificate type '%s'", str);
|
|
||||||
goto finalize;
|
goto finalize;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1020,11 +981,12 @@ CALLBACK(list_certs, vici_message_t*,
|
||||||
{
|
{
|
||||||
filter.subject = identification_create_from_string(str);
|
filter.subject = identification_create_from_string(str);
|
||||||
}
|
}
|
||||||
enum_certs(this, id, &filter, CERT_TRUSTED_PUBKEY, "pubkey");
|
|
||||||
enum_certs(this, id, &filter, CERT_X509, "x509");
|
enum_certs(this, id, &filter, CERT_TRUSTED_PUBKEY);
|
||||||
enum_certs(this, id, &filter, CERT_X509_AC, "x509ac");
|
enum_certs(this, id, &filter, CERT_X509);
|
||||||
enum_certs(this, id, &filter, CERT_X509_CRL, "x509crl");
|
enum_certs(this, id, &filter, CERT_X509_AC);
|
||||||
enum_certs(this, id, &filter, CERT_X509_OCSP_RESPONSE, "ocsp");
|
enum_certs(this, id, &filter, CERT_X509_CRL);
|
||||||
|
enum_certs(this, id, &filter, CERT_X509_OCSP_RESPONSE);
|
||||||
DESTROY_IF(filter.subject);
|
DESTROY_IF(filter.subject);
|
||||||
|
|
||||||
finalize:
|
finalize:
|
||||||
|
@ -1140,8 +1102,6 @@ CALLBACK(version, vici_message_t*,
|
||||||
vici_builder_t *b;
|
vici_builder_t *b;
|
||||||
|
|
||||||
b = vici_builder_create();
|
b = vici_builder_create();
|
||||||
|
|
||||||
b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION);
|
|
||||||
b->add_kv(b, "daemon", "%s", lib->ns);
|
b->add_kv(b, "daemon", "%s", lib->ns);
|
||||||
b->add_kv(b, "version", "%s", VERSION);
|
b->add_kv(b, "version", "%s", VERSION);
|
||||||
|
|
||||||
|
|
|
@ -17,10 +17,11 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "certificate_printer.h"
|
#include "certificate_printer.h"
|
||||||
#include "x509.h"
|
#include "credentials/certificates/x509.h"
|
||||||
#include "crl.h"
|
#include "credentials/certificates/crl.h"
|
||||||
#include "ac.h"
|
#include "credentials/certificates/ac.h"
|
||||||
#include "ocsp_response.h"
|
#include "credentials/certificates/ocsp_response.h"
|
||||||
|
#include "credentials/certificates/pgp_certificate.h"
|
||||||
|
|
||||||
#include <asn1/asn1.h>
|
#include <asn1/asn1.h>
|
||||||
#include <asn1/oid.h>
|
#include <asn1/oid.h>
|
||||||
|
@ -54,6 +55,17 @@ struct private_certificate_printer_t {
|
||||||
* Print time information in UTC
|
* Print time information in UTC
|
||||||
*/
|
*/
|
||||||
bool utc;
|
bool utc;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Previous certificate type
|
||||||
|
*/
|
||||||
|
certificate_type_t type;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Previous X.509 certificate flag
|
||||||
|
*/
|
||||||
|
x509_flag_t flag;
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -568,7 +580,7 @@ METHOD(certificate_printer_t, print, void,
|
||||||
{
|
{
|
||||||
fprintf(f, " subject: \"%Y\"\n", subject);
|
fprintf(f, " subject: \"%Y\"\n", subject);
|
||||||
}
|
}
|
||||||
if (cert->get_type(cert) != CERT_TRUSTED_PUBKEY)
|
if (type != CERT_TRUSTED_PUBKEY && type != CERT_GPG)
|
||||||
{
|
{
|
||||||
fprintf(f, " issuer: \"%Y\"\n", cert->get_issuer(cert));
|
fprintf(f, " issuer: \"%Y\"\n", cert->get_issuer(cert));
|
||||||
}
|
}
|
||||||
|
@ -577,35 +589,44 @@ METHOD(certificate_printer_t, print, void,
|
||||||
cert->get_validity(cert, &now, ¬Before, ¬After);
|
cert->get_validity(cert, &now, ¬Before, ¬After);
|
||||||
if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME)
|
if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME)
|
||||||
{
|
{
|
||||||
if (type == CERT_X509_CRL || type == CERT_X509_OCSP_RESPONSE)
|
if (type == CERT_GPG)
|
||||||
{
|
{
|
||||||
t0 = "update: ";
|
fprintf(f, " created: %T\n", ¬Before, this->utc);
|
||||||
t1 = "this on";
|
fprintf(f, " until: %T%s\n", ¬After, this->utc,
|
||||||
t2 = "next on";
|
(notAfter == TIME_32_BIT_SIGNED_MAX) ?" expires never" : "");
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
t0 = "validity:";
|
if (type == CERT_X509_CRL || type == CERT_X509_OCSP_RESPONSE)
|
||||||
t1 = "not before";
|
{
|
||||||
t2 = "not after ";
|
t0 = "update: ";
|
||||||
}
|
t1 = "this on";
|
||||||
fprintf(f, " %s %s %T, ", t0, t1, ¬Before, this->utc);
|
t2 = "next on";
|
||||||
if (now < notBefore)
|
}
|
||||||
{
|
else
|
||||||
fprintf(f, "not valid yet (valid in %V)\n", &now, ¬Before);
|
{
|
||||||
}
|
t0 = "validity:";
|
||||||
else
|
t1 = "not before";
|
||||||
{
|
t2 = "not after ";
|
||||||
fprintf(f, "ok\n");
|
}
|
||||||
}
|
fprintf(f, " %s %s %T, ", t0, t1, ¬Before, this->utc);
|
||||||
fprintf(f, " %s %T, ", t2, ¬After, this->utc);
|
if (now < notBefore)
|
||||||
if (now > notAfter)
|
{
|
||||||
{
|
fprintf(f, "not valid yet (valid in %V)\n", &now, ¬Before);
|
||||||
fprintf(f, "expired (%V ago)\n", &now, ¬After);
|
}
|
||||||
}
|
else
|
||||||
else
|
{
|
||||||
{
|
fprintf(f, "ok\n");
|
||||||
fprintf(f, "ok (expires in %V)\n", &now, ¬After);
|
}
|
||||||
|
fprintf(f, " %s %T, ", t2, ¬After, this->utc);
|
||||||
|
if (now > notAfter)
|
||||||
|
{
|
||||||
|
fprintf(f, "expired (%V ago)\n", &now, ¬After);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
fprintf(f, "ok (expires in %V)\n", &now, ¬After);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -627,6 +648,13 @@ METHOD(certificate_printer_t, print, void,
|
||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
if (type == CERT_GPG)
|
||||||
|
{
|
||||||
|
pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert;
|
||||||
|
chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
|
||||||
|
|
||||||
|
fprintf(f, " pgpDigest: %#B\n", &fingerprint);
|
||||||
|
}
|
||||||
key = cert->get_public_key(cert);
|
key = cert->get_public_key(cert);
|
||||||
if (key)
|
if (key)
|
||||||
{
|
{
|
||||||
|
@ -635,6 +663,65 @@ METHOD(certificate_printer_t, print, void,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
METHOD(certificate_printer_t, print_caption, void,
|
||||||
|
private_certificate_printer_t *this, certificate_type_t type,
|
||||||
|
x509_flag_t flag)
|
||||||
|
{
|
||||||
|
char *caption;
|
||||||
|
|
||||||
|
if (type != this->type || (type == CERT_X509 && flag != this->flag))
|
||||||
|
{
|
||||||
|
switch (type)
|
||||||
|
{
|
||||||
|
case CERT_X509:
|
||||||
|
switch (flag)
|
||||||
|
{
|
||||||
|
case X509_NONE:
|
||||||
|
caption = "X.509 End Entity Certificate";
|
||||||
|
break;
|
||||||
|
case X509_CA:
|
||||||
|
caption = "X.509 CA Certificate";
|
||||||
|
break;
|
||||||
|
case X509_AA:
|
||||||
|
caption = "X.509 AA Certificate";
|
||||||
|
break;
|
||||||
|
case X509_OCSP_SIGNER:
|
||||||
|
caption = "X.509 OCSP Signer Certificate";
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case CERT_X509_AC:
|
||||||
|
caption = "X.509 Attribute Certificate";
|
||||||
|
break;
|
||||||
|
case CERT_X509_CRL:
|
||||||
|
caption = "X.509 CRL";
|
||||||
|
break;
|
||||||
|
case CERT_X509_OCSP_RESPONSE:
|
||||||
|
caption = "OCSP Response";
|
||||||
|
break;
|
||||||
|
case CERT_TRUSTED_PUBKEY:
|
||||||
|
caption = "Raw Public Key";
|
||||||
|
break;
|
||||||
|
case CERT_GPG:
|
||||||
|
caption = "PGP End Entity Certificate";
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
fprintf(this->f, "\nList of %ss\n", caption);
|
||||||
|
|
||||||
|
/* Update to current type and flag value */
|
||||||
|
this->type = type;
|
||||||
|
if (type == CERT_X509)
|
||||||
|
{
|
||||||
|
this->flag = flag;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
fprintf(this->f, "\n");
|
||||||
|
}
|
||||||
|
|
||||||
METHOD(certificate_printer_t, destroy, void,
|
METHOD(certificate_printer_t, destroy, void,
|
||||||
private_certificate_printer_t *this)
|
private_certificate_printer_t *this)
|
||||||
{
|
{
|
||||||
|
@ -652,11 +739,14 @@ certificate_printer_t *certificate_printer_create(FILE *f, bool detailed,
|
||||||
INIT(this,
|
INIT(this,
|
||||||
.public = {
|
.public = {
|
||||||
.print = _print,
|
.print = _print,
|
||||||
|
.print_caption = _print_caption,
|
||||||
.destroy = _destroy,
|
.destroy = _destroy,
|
||||||
},
|
},
|
||||||
.f = f,
|
.f = f,
|
||||||
.detailed = detailed,
|
.detailed = detailed,
|
||||||
.utc = utc,
|
.utc = utc,
|
||||||
|
.type = CERT_ANY,
|
||||||
|
.flag = X509_ANY,
|
||||||
);
|
);
|
||||||
|
|
||||||
return &this->public;
|
return &this->public;
|
||||||
|
|
|
@ -24,6 +24,7 @@
|
||||||
typedef struct certificate_printer_t certificate_printer_t;
|
typedef struct certificate_printer_t certificate_printer_t;
|
||||||
|
|
||||||
#include "credentials/certificates/certificate.h"
|
#include "credentials/certificates/certificate.h"
|
||||||
|
#include "credentials/certificates/x509.h"
|
||||||
|
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
|
|
||||||
|
@ -41,6 +42,15 @@ struct certificate_printer_t {
|
||||||
void (*print)(certificate_printer_t *this, certificate_t *cert,
|
void (*print)(certificate_printer_t *this, certificate_t *cert,
|
||||||
bool has_privkey);
|
bool has_privkey);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Print a caption if the certificate type changed.
|
||||||
|
*
|
||||||
|
* @type certificate type
|
||||||
|
* @flag X.509 certificate flag
|
||||||
|
*/
|
||||||
|
void (*print_caption)(certificate_printer_t *this, certificate_type_t type,
|
||||||
|
x509_flag_t flag);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Destroy the certificate_printer object.
|
* Destroy the certificate_printer object.
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -433,9 +433,9 @@ static int usage(char *error)
|
||||||
fprintf(out, " Show extended status information without blocking:\n");
|
fprintf(out, " Show extended status information without blocking:\n");
|
||||||
fprintf(out, " stroke statusall-nb\n");
|
fprintf(out, " stroke statusall-nb\n");
|
||||||
fprintf(out, " Show list of authority and attribute certificates:\n");
|
fprintf(out, " Show list of authority and attribute certificates:\n");
|
||||||
fprintf(out, " stroke listcacerts|listocspcerts|listaacerts|listacerts\n");
|
fprintf(out, " stroke listcacerts|listocspcerts|listaacerts|listacerts [--utc]\n");
|
||||||
fprintf(out, " Show list of end entity certificates, ca info records and crls:\n");
|
fprintf(out, " Show list of end entity certificates, ca info records and crls:\n");
|
||||||
fprintf(out, " stroke listcerts|listcainfos|listcrls|listall\n");
|
fprintf(out, " stroke listcerts|listcainfos|listcrls|listall [--utc]\n");
|
||||||
fprintf(out, " Show list of supported algorithms:\n");
|
fprintf(out, " Show list of supported algorithms:\n");
|
||||||
fprintf(out, " stroke listalgs\n");
|
fprintf(out, " stroke listalgs\n");
|
||||||
fprintf(out, " Reload authority and attribute certificates:\n");
|
fprintf(out, " Reload authority and attribute certificates:\n");
|
||||||
|
|
|
@ -2,9 +2,6 @@
|
||||||
* Copyright (C) 2009 Martin Willi
|
* Copyright (C) 2009 Martin Willi
|
||||||
* Hochschule fuer Technik Rapperswil
|
* Hochschule fuer Technik Rapperswil
|
||||||
*
|
*
|
||||||
* Copyright (C) 2015 Andreas Steffen
|
|
||||||
* HSR Hochschule fuer Technik Rapperswil
|
|
||||||
*
|
|
||||||
* This program is free software; you can redistribute it and/or modify it
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
* under the terms of the GNU General Public License as published by the
|
* under the terms of the GNU General Public License as published by the
|
||||||
* Free Software Foundation; either version 2 of the License, or (at your
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
@ -35,7 +32,7 @@
|
||||||
/**
|
/**
|
||||||
* Maximum number of options in a command (+3)
|
* Maximum number of options in a command (+3)
|
||||||
*/
|
*/
|
||||||
#define MAX_OPTIONS 32
|
#define MAX_OPTIONS 34
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maximum number of usage summary lines (+1)
|
* Maximum number of usage summary lines (+1)
|
||||||
|
@ -82,12 +79,10 @@ struct command_t {
|
||||||
* Command format options
|
* Command format options
|
||||||
*/
|
*/
|
||||||
enum command_format_options_t {
|
enum command_format_options_t {
|
||||||
COMMAND_FORMAT_NONE = 0,
|
COMMAND_FORMAT_NONE = 0,
|
||||||
COMMAND_FORMAT_RAW = (1<<0),
|
COMMAND_FORMAT_RAW = (1<<0),
|
||||||
COMMAND_FORMAT_PRETTY = (1<<1),
|
COMMAND_FORMAT_PRETTY = (1<<1),
|
||||||
COMMAND_FORMAT_PEM = (1<<2),
|
COMMAND_FORMAT_PEM = (1<<2),
|
||||||
COMMAND_FORMAT_SHORT = (1<<3),
|
|
||||||
COMMAND_FORMAT_UTC = (1<<4),
|
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -27,15 +27,12 @@
|
||||||
#include <credentials/certificates/certificate_printer.h>
|
#include <credentials/certificates/certificate_printer.h>
|
||||||
#include <selectors/traffic_selector.h>
|
#include <selectors/traffic_selector.h>
|
||||||
|
|
||||||
#include <vici_version.h>
|
|
||||||
#include <vici_cert_info.h>
|
|
||||||
|
|
||||||
#include "command.h"
|
#include "command.h"
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Current certificate type info
|
* Static certificate printer object
|
||||||
*/
|
*/
|
||||||
static vici_cert_info_t *current_cert_info = NULL;
|
static certificate_printer_t *cert_printer = NULL;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Print PEM encoding of a certificate
|
* Print PEM encoding of a certificate
|
||||||
|
@ -59,11 +56,10 @@ CALLBACK(list_cb, void,
|
||||||
command_format_options_t *format, char *name, vici_res_t *res)
|
command_format_options_t *format, char *name, vici_res_t *res)
|
||||||
{
|
{
|
||||||
certificate_t *cert;
|
certificate_t *cert;
|
||||||
certificate_printer_t *printer;
|
certificate_type_t type;
|
||||||
vici_version_t version;
|
x509_flag_t flag = X509_NONE;
|
||||||
vici_cert_info_t *cert_info;
|
bool has_privkey;
|
||||||
bool detailed, utc, has_privkey, first = FALSE;
|
char *str;
|
||||||
char *version_str, *type_str;
|
|
||||||
void *buf;
|
void *buf;
|
||||||
int len;
|
int len;
|
||||||
|
|
||||||
|
@ -74,14 +70,6 @@ CALLBACK(list_cb, void,
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
version_str = vici_find_str(res, "1.0", "vici");
|
|
||||||
if (!enum_from_name(vici_version_names, version_str, &version) ||
|
|
||||||
version == VICI_1_0)
|
|
||||||
{
|
|
||||||
fprintf(stderr, "unsupported vici version '%s'\n", version_str);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
buf = vici_find(res, &len, "data");
|
buf = vici_find(res, &len, "data");
|
||||||
if (!buf)
|
if (!buf)
|
||||||
{
|
{
|
||||||
|
@ -90,23 +78,24 @@ CALLBACK(list_cb, void,
|
||||||
}
|
}
|
||||||
has_privkey = streq(vici_find_str(res, "no", "has_privkey"), "yes");
|
has_privkey = streq(vici_find_str(res, "no", "has_privkey"), "yes");
|
||||||
|
|
||||||
type_str = vici_find_str(res, "any", "type");
|
str = vici_find_str(res, "ANY", "type");
|
||||||
cert_info = vici_cert_info_retrieve(type_str);
|
if (!enum_from_name(certificate_type_names, str, &type) || type == CERT_ANY)
|
||||||
if (!cert_info || cert_info->type == CERT_ANY)
|
|
||||||
{
|
{
|
||||||
fprintf(stderr, "unsupported certificate type '%s'\n", type_str);
|
fprintf(stderr, "unsupported certificate type '%s'\n", str);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
if (type == CERT_X509)
|
||||||
/* Detect change of certificate type */
|
|
||||||
if (cert_info != current_cert_info)
|
|
||||||
{
|
{
|
||||||
first = TRUE;
|
str = vici_find_str(res, "ANY", "flag");
|
||||||
current_cert_info = cert_info;
|
if (!enum_from_name(x509_flag_names, str, &flag) || flag == X509_ANY)
|
||||||
|
{
|
||||||
|
fprintf(stderr, "unsupported certificate flag '%s'\n", str);
|
||||||
|
return;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Parse certificate data blob */
|
/* Parse certificate data blob */
|
||||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, cert_info->type,
|
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
|
||||||
BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
|
BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
|
||||||
BUILD_END);
|
BUILD_END);
|
||||||
if (cert)
|
if (cert)
|
||||||
|
@ -117,16 +106,8 @@ CALLBACK(list_cb, void,
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
if (first)
|
cert_printer->print_caption(cert_printer, type, flag);
|
||||||
{
|
cert_printer->print(cert_printer, cert, has_privkey);
|
||||||
printf("\nList of %ss:\n", cert_info->caption);
|
|
||||||
}
|
|
||||||
printf("\n");
|
|
||||||
detailed = !(*format & COMMAND_FORMAT_SHORT);
|
|
||||||
utc = *format & COMMAND_FORMAT_UTC;
|
|
||||||
printer = certificate_printer_create(stdout, detailed, utc);
|
|
||||||
printer->print(printer, cert, has_privkey);
|
|
||||||
printer->destroy(printer);
|
|
||||||
}
|
}
|
||||||
cert->destroy(cert);
|
cert->destroy(cert);
|
||||||
}
|
}
|
||||||
|
@ -141,7 +122,8 @@ static int list_certs(vici_conn_t *conn)
|
||||||
vici_req_t *req;
|
vici_req_t *req;
|
||||||
vici_res_t *res;
|
vici_res_t *res;
|
||||||
command_format_options_t format = COMMAND_FORMAT_NONE;
|
command_format_options_t format = COMMAND_FORMAT_NONE;
|
||||||
char *arg, *subject = NULL, *type = NULL;
|
char *arg, *subject = NULL, *type = NULL, *flag = NULL;
|
||||||
|
bool detailed = TRUE, utc = FALSE;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
while (TRUE)
|
while (TRUE)
|
||||||
|
@ -156,6 +138,9 @@ static int list_certs(vici_conn_t *conn)
|
||||||
case 't':
|
case 't':
|
||||||
type = arg;
|
type = arg;
|
||||||
continue;
|
continue;
|
||||||
|
case 'f':
|
||||||
|
flag = arg;
|
||||||
|
continue;
|
||||||
case 'p':
|
case 'p':
|
||||||
format |= COMMAND_FORMAT_PEM;
|
format |= COMMAND_FORMAT_PEM;
|
||||||
continue;
|
continue;
|
||||||
|
@ -166,10 +151,10 @@ static int list_certs(vici_conn_t *conn)
|
||||||
format |= COMMAND_FORMAT_RAW;
|
format |= COMMAND_FORMAT_RAW;
|
||||||
continue;
|
continue;
|
||||||
case 'S':
|
case 'S':
|
||||||
format |= COMMAND_FORMAT_SHORT;
|
detailed = FALSE;
|
||||||
continue;
|
continue;
|
||||||
case 'U':
|
case 'U':
|
||||||
format |= COMMAND_FORMAT_UTC;
|
utc = TRUE;
|
||||||
continue;
|
continue;
|
||||||
case EOF:
|
case EOF:
|
||||||
break;
|
break;
|
||||||
|
@ -186,22 +171,28 @@ static int list_certs(vici_conn_t *conn)
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
req = vici_begin("list-certs");
|
req = vici_begin("list-certs");
|
||||||
vici_add_version(req, VICI_VERSION);
|
|
||||||
|
|
||||||
if (type)
|
if (type)
|
||||||
{
|
{
|
||||||
vici_add_key_valuef(req, "type", "%s", type);
|
vici_add_key_valuef(req, "type", "%s", type);
|
||||||
}
|
}
|
||||||
|
if (flag)
|
||||||
|
{
|
||||||
|
vici_add_key_valuef(req, "flag", "%s", flag);
|
||||||
|
}
|
||||||
if (subject)
|
if (subject)
|
||||||
{
|
{
|
||||||
vici_add_key_valuef(req, "subject", "%s", subject);
|
vici_add_key_valuef(req, "subject", "%s", subject);
|
||||||
}
|
}
|
||||||
|
cert_printer = certificate_printer_create(stdout, detailed, utc);
|
||||||
|
|
||||||
res = vici_submit(req, conn);
|
res = vici_submit(req, conn);
|
||||||
if (!res)
|
if (!res)
|
||||||
{
|
{
|
||||||
ret = errno;
|
ret = errno;
|
||||||
fprintf(stderr, "list-certs request failed: %s\n", strerror(errno));
|
fprintf(stderr, "list-certs request failed: %s\n", strerror(errno));
|
||||||
|
cert_printer->destroy(cert_printer);
|
||||||
|
cert_printer = NULL;
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
if (format & COMMAND_FORMAT_RAW)
|
if (format & COMMAND_FORMAT_RAW)
|
||||||
|
@ -210,6 +201,9 @@ static int list_certs(vici_conn_t *conn)
|
||||||
stdout);
|
stdout);
|
||||||
}
|
}
|
||||||
vici_free_res(res);
|
vici_free_res(res);
|
||||||
|
|
||||||
|
cert_printer->destroy(cert_printer);
|
||||||
|
cert_printer = NULL;
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -221,12 +215,14 @@ static void __attribute__ ((constructor))reg()
|
||||||
command_register((command_t) {
|
command_register((command_t) {
|
||||||
list_certs, 'x', "list-certs", "list stored certificates",
|
list_certs, 'x', "list-certs", "list stored certificates",
|
||||||
{"[--subject <dn/san>] "
|
{"[--subject <dn/san>] "
|
||||||
"[--type x509|x509ca|x509aa|x509ac|x509crl|x509ocsp|ocsp] "
|
"[--type x509|x509_ac|x509_crl|ocsp_response|pubkey]\n "
|
||||||
|
"[--flag none|ca|aa|ocsp|any] "
|
||||||
"[--pem] [--raw|--pretty|--short|--utc]"},
|
"[--pem] [--raw|--pretty|--short|--utc]"},
|
||||||
{
|
{
|
||||||
{"help", 'h', 0, "show usage information"},
|
{"help", 'h', 0, "show usage information"},
|
||||||
{"subject", 's', 1, "filter by certificate subject"},
|
{"subject", 's', 1, "filter by certificate subject"},
|
||||||
{"type", 't', 1, "filter by certificate type"},
|
{"type", 't', 1, "filter by certificate type"},
|
||||||
|
{"flag", 'f', 1, "filter by X.509 certificate flag"},
|
||||||
{"pem", 'p', 0, "print PEM encoding of certificate"},
|
{"pem", 'p', 0, "print PEM encoding of certificate"},
|
||||||
{"raw", 'r', 0, "dump raw response message"},
|
{"raw", 'r', 0, "dump raw response message"},
|
||||||
{"pretty", 'P', 0, "dump raw response message in pretty print"},
|
{"pretty", 'P', 0, "dump raw response message in pretty print"},
|
||||||
|
|
|
@ -30,11 +30,14 @@
|
||||||
#include <credentials/sets/callback_cred.h>
|
#include <credentials/sets/callback_cred.h>
|
||||||
#include <credentials/containers/pkcs12.h>
|
#include <credentials/containers/pkcs12.h>
|
||||||
|
|
||||||
|
#include <vici_cert_info.h>
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Load a single certificate over vici
|
* Load a single certificate over vici
|
||||||
*/
|
*/
|
||||||
static bool load_cert(vici_conn_t *conn, command_format_options_t format,
|
static bool load_cert(vici_conn_t *conn, command_format_options_t format,
|
||||||
char *dir, char *type, chunk_t data)
|
char *dir, certificate_type_t type, x509_flag_t flag,
|
||||||
|
chunk_t data)
|
||||||
{
|
{
|
||||||
vici_req_t *req;
|
vici_req_t *req;
|
||||||
vici_res_t *res;
|
vici_res_t *res;
|
||||||
|
@ -42,7 +45,11 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
|
||||||
|
|
||||||
req = vici_begin("load-cert");
|
req = vici_begin("load-cert");
|
||||||
|
|
||||||
vici_add_key_valuef(req, "type", "%s", type);
|
vici_add_key_valuef(req, "type", "%N", certificate_type_names, type);
|
||||||
|
if (type == CERT_X509)
|
||||||
|
{
|
||||||
|
vici_add_key_valuef(req, "flag", "%N", x509_flag_names, flag);
|
||||||
|
}
|
||||||
vici_add_key_value(req, "data", data.ptr, data.len);
|
vici_add_key_value(req, "data", data.ptr, data.len);
|
||||||
|
|
||||||
res = vici_submit(req, conn);
|
res = vici_submit(req, conn);
|
||||||
|
@ -64,7 +71,7 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
printf("loaded %s certificate from '%s'\n", type, dir);
|
printf("loaded certificate from '%s'\n", dir);
|
||||||
}
|
}
|
||||||
vici_free_res(res);
|
vici_free_res(res);
|
||||||
return ret;
|
return ret;
|
||||||
|
@ -74,13 +81,17 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
|
||||||
* Load certficiates from a directory
|
* Load certficiates from a directory
|
||||||
*/
|
*/
|
||||||
static void load_certs(vici_conn_t *conn, command_format_options_t format,
|
static void load_certs(vici_conn_t *conn, command_format_options_t format,
|
||||||
char *type, char *dir)
|
char *type_str, char *dir)
|
||||||
{
|
{
|
||||||
enumerator_t *enumerator;
|
enumerator_t *enumerator;
|
||||||
|
certificate_type_t type;
|
||||||
|
x509_flag_t flag;
|
||||||
struct stat st;
|
struct stat st;
|
||||||
chunk_t *map;
|
chunk_t *map;
|
||||||
char *path;
|
char *path;
|
||||||
|
|
||||||
|
vici_cert_info_from_str(type_str, &type, &flag);
|
||||||
|
|
||||||
enumerator = enumerator_create_directory(dir);
|
enumerator = enumerator_create_directory(dir);
|
||||||
if (enumerator)
|
if (enumerator)
|
||||||
{
|
{
|
||||||
|
@ -91,7 +102,7 @@ static void load_certs(vici_conn_t *conn, command_format_options_t format,
|
||||||
map = chunk_map(path, FALSE);
|
map = chunk_map(path, FALSE);
|
||||||
if (map)
|
if (map)
|
||||||
{
|
{
|
||||||
load_cert(conn, format, path, type, *map);
|
load_cert(conn, format, path, type, flag, *map);
|
||||||
chunk_unmap(map);
|
chunk_unmap(map);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
@ -446,7 +457,8 @@ static bool load_pkcs12(vici_conn_t *conn, command_format_options_t format,
|
||||||
loaded = FALSE;
|
loaded = FALSE;
|
||||||
if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
|
if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
|
||||||
{
|
{
|
||||||
loaded = load_cert(conn, format, path, "x509", encoding);
|
loaded = load_cert(conn, format, path, CERT_X509, X509_NONE,
|
||||||
|
encoding);
|
||||||
if (loaded)
|
if (loaded)
|
||||||
{
|
{
|
||||||
fprintf(stderr, " %Y\n", cert->get_subject(cert));
|
fprintf(stderr, " %Y\n", cert->get_subject(cert));
|
||||||
|
@ -682,11 +694,10 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
|
||||||
|
|
||||||
load_certs(conn, format, "x509", SWANCTL_X509DIR);
|
load_certs(conn, format, "x509", SWANCTL_X509DIR);
|
||||||
load_certs(conn, format, "x509ca", SWANCTL_X509CADIR);
|
load_certs(conn, format, "x509ca", SWANCTL_X509CADIR);
|
||||||
load_certs(conn, format, "x509aa", SWANCTL_X509AADIR);
|
|
||||||
load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR);
|
|
||||||
load_certs(conn, format, "x509ac", SWANCTL_X509ACDIR);
|
|
||||||
load_certs(conn, format, "x509ocsp", SWANCTL_X509OCSPDIR);
|
load_certs(conn, format, "x509ocsp", SWANCTL_X509OCSPDIR);
|
||||||
load_certs(conn, format, "pubkey", SWANCTL_PUBKEYDIR);
|
load_certs(conn, format, "x509aa", SWANCTL_X509AADIR);
|
||||||
|
load_certs(conn, format, "x509ac", SWANCTL_X509ACDIR);
|
||||||
|
load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR);
|
||||||
|
|
||||||
load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
|
load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
|
||||||
load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
|
load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
|
||||||
|
|
Loading…
Reference in New Issue