Standardized printing of certificate information
The certificate_printer class allows the printing of certificate information to a text file (usually stdout). This class is used by the pki --print and swanctl --list-certs commands as well as by the stroke plugin.
This commit is contained in:
parent
36d42daf4d
commit
3317d0e77b
|
@ -2,6 +2,9 @@
|
|||
* Copyright (C) 2008 Martin Willi
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* Copyright (C) 2015 Andreas Steffen
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
|
@ -28,17 +31,9 @@
|
|||
#include <collections/linked_list.h>
|
||||
#include <plugins/plugin.h>
|
||||
#include <credentials/certificates/x509.h>
|
||||
#include <credentials/certificates/ac.h>
|
||||
#include <credentials/certificates/crl.h>
|
||||
#include <credentials/certificates/pgp_certificate.h>
|
||||
#include <credentials/certificates/certificate_printer.h>
|
||||
#include <config/peer_cfg.h>
|
||||
#include <asn1/asn1.h>
|
||||
#include <asn1/oid.h>
|
||||
|
||||
/* warning intervals for list functions */
|
||||
#define CERT_WARNING_INTERVAL 30 /* days */
|
||||
#define CRL_WARNING_INTERVAL 7 /* days */
|
||||
#define AC_WARNING_INTERVAL 1 /* day */
|
||||
|
||||
typedef struct private_stroke_list_t private_stroke_list_t;
|
||||
|
||||
|
@ -738,14 +733,20 @@ static linked_list_t* create_unique_cert_list(certificate_type_t type)
|
|||
}
|
||||
|
||||
/**
|
||||
* Print a single public key.
|
||||
* Is there a matching private key?
|
||||
*/
|
||||
static void list_public_key(public_key_t *public, FILE *out)
|
||||
static bool has_privkey(certificate_t *cert)
|
||||
{
|
||||
public_key_t *public;
|
||||
private_key_t *private = NULL;
|
||||
chunk_t keyid;
|
||||
identification_t *id;
|
||||
|
||||
public = cert->get_public_key(cert);
|
||||
if (!public)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
|
||||
{
|
||||
id = identification_create_from_encoding(ID_KEY_ID, keyid);
|
||||
|
@ -753,99 +754,23 @@ static void list_public_key(public_key_t *public, FILE *out)
|
|||
public->get_type(public), id, NULL);
|
||||
id->destroy(id);
|
||||
}
|
||||
|
||||
fprintf(out, " pubkey: %N %d bits%s\n",
|
||||
key_type_names, public->get_type(public),
|
||||
public->get_keysize(public),
|
||||
private ? ", has private key" : "");
|
||||
if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
|
||||
{
|
||||
fprintf(out, " keyid: %#B\n", &keyid);
|
||||
}
|
||||
if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
|
||||
{
|
||||
fprintf(out, " subjkey: %#B\n", &keyid);
|
||||
}
|
||||
public->destroy(public);
|
||||
DESTROY_IF(private);
|
||||
}
|
||||
|
||||
/**
|
||||
* list all raw public keys
|
||||
*/
|
||||
static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
|
||||
{
|
||||
bool first = TRUE;
|
||||
time_t now = time(NULL), notBefore, notAfter;
|
||||
enumerator_t *enumerator;
|
||||
certificate_t *cert;
|
||||
|
||||
enumerator = list->create_enumerator(list);
|
||||
while (enumerator->enumerate(enumerator, (void**)&cert))
|
||||
{
|
||||
identification_t *subject = cert->get_subject(cert);
|
||||
public_key_t *public = cert->get_public_key(cert);
|
||||
|
||||
if (public)
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
fprintf(out, "\n");
|
||||
fprintf(out, "List of Raw Public Keys:\n");
|
||||
first = FALSE;
|
||||
}
|
||||
fprintf(out, "\n");
|
||||
|
||||
/* list subject if available */
|
||||
if (subject->get_type(subject) != ID_KEY_ID)
|
||||
{
|
||||
fprintf(out, " subject: %#Y\n", subject);
|
||||
}
|
||||
|
||||
/* list validity if available*/
|
||||
cert->get_validity(cert, &now, ¬Before, ¬After);
|
||||
if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME)
|
||||
{
|
||||
fprintf(out, " validity: not before %T, ", ¬Before, utc);
|
||||
if (now < notBefore)
|
||||
{
|
||||
fprintf(out, "not valid yet (valid in %V)\n", &now, ¬Before);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(out, "ok\n");
|
||||
}
|
||||
fprintf(out, " not after %T, ", ¬After, utc);
|
||||
if (now > notAfter)
|
||||
{
|
||||
fprintf(out, "expired (%V ago)\n", &now, ¬After);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(out, "ok");
|
||||
if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
|
||||
{
|
||||
fprintf(out, " (expires in %V)", &now, ¬After);
|
||||
}
|
||||
fprintf(out, " \n");
|
||||
}
|
||||
}
|
||||
|
||||
list_public_key(public, out);
|
||||
public->destroy(public);
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
return (private != NULL);
|
||||
}
|
||||
|
||||
/**
|
||||
* list OpenPGP certificates
|
||||
*/
|
||||
static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out)
|
||||
static void stroke_list_pgp_certs(linked_list_t *list, char *label,
|
||||
bool utc, FILE *out)
|
||||
{
|
||||
bool first = TRUE;
|
||||
time_t now = time(NULL);
|
||||
enumerator_t *enumerator = list->create_enumerator(list);
|
||||
certificate_t *cert;
|
||||
chunk_t keyid;
|
||||
|
||||
while (enumerator->enumerate(enumerator, (void**)&cert))
|
||||
{
|
||||
|
@ -856,14 +781,12 @@ static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out)
|
|||
|
||||
if (first)
|
||||
{
|
||||
|
||||
fprintf(out, "\n");
|
||||
fprintf(out, "List of PGP End Entity Certificates:\n");
|
||||
first = FALSE;
|
||||
fprintf(out, "List of %ss:\n", label);
|
||||
first = FALSE;
|
||||
}
|
||||
fprintf(out, "\n");
|
||||
fprintf(out, " userid: '%Y'\n", cert->get_subject(cert));
|
||||
|
||||
fprintf(out, " digest: %#B\n", &fingerprint);
|
||||
|
||||
/* list validity */
|
||||
|
@ -875,7 +798,19 @@ static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out)
|
|||
public = cert->get_public_key(cert);
|
||||
if (public)
|
||||
{
|
||||
list_public_key(public, out);
|
||||
fprintf(out, " pubkey: %N %d bits%s\n",
|
||||
key_type_names, public->get_type(public),
|
||||
public->get_keysize(public),
|
||||
has_privkey(cert) ? ", has private key" : "");
|
||||
|
||||
if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
|
||||
{
|
||||
fprintf(out, " keyid: %#B\n", &keyid);
|
||||
}
|
||||
if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
|
||||
{
|
||||
fprintf(out, " subjkey: %#B\n", &keyid);
|
||||
}
|
||||
public->destroy(public);
|
||||
}
|
||||
}
|
||||
|
@ -885,15 +820,17 @@ static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out)
|
|||
/**
|
||||
* list all X.509 certificates matching the flags
|
||||
*/
|
||||
static void stroke_list_certs(linked_list_t *list, char *label,
|
||||
x509_flag_t flags, bool utc, FILE *out)
|
||||
static void stroke_list_x509_certs(linked_list_t *list, char *label,
|
||||
x509_flag_t flags, bool utc, FILE *out)
|
||||
{
|
||||
bool first = TRUE;
|
||||
time_t now = time(NULL);
|
||||
enumerator_t *enumerator;
|
||||
certificate_t *cert;
|
||||
certificate_printer_t *printer;
|
||||
x509_flag_t flag_mask;
|
||||
|
||||
printer = certificate_printer_create(out, TRUE, utc),
|
||||
|
||||
/* mask all auxiliary flags */
|
||||
flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH | X509_IKE_INTERMEDIATE |
|
||||
X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS);
|
||||
|
@ -907,367 +844,49 @@ static void stroke_list_certs(linked_list_t *list, char *label,
|
|||
/* list only if flag is set or flag == 0 */
|
||||
if ((x509_flags & flags) || (x509_flags == flags))
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
identification_t *altName;
|
||||
bool first_altName = TRUE;
|
||||
u_int pathlen;
|
||||
chunk_t serial, authkey;
|
||||
time_t notBefore, notAfter;
|
||||
public_key_t *public;
|
||||
|
||||
if (first)
|
||||
{
|
||||
fprintf(out, "\n");
|
||||
fprintf(out, "List of %s:\n", label);
|
||||
fprintf(out, "List of %ss:\n", label);
|
||||
first = FALSE;
|
||||
}
|
||||
fprintf(out, "\n");
|
||||
|
||||
/* list subjectAltNames */
|
||||
enumerator = x509->create_subjectAltName_enumerator(x509);
|
||||
while (enumerator->enumerate(enumerator, (void**)&altName))
|
||||
{
|
||||
if (first_altName)
|
||||
{
|
||||
fprintf(out, " altNames: ");
|
||||
first_altName = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(out, ", ");
|
||||
}
|
||||
fprintf(out, "%Y", altName);
|
||||
}
|
||||
if (!first_altName)
|
||||
{
|
||||
fprintf(out, "\n");
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
fprintf(out, " subject: \"%Y\"\n", cert->get_subject(cert));
|
||||
fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert));
|
||||
serial = chunk_skip_zero(x509->get_serial(x509));
|
||||
fprintf(out, " serial: %#B\n", &serial);
|
||||
|
||||
/* list validity */
|
||||
cert->get_validity(cert, &now, ¬Before, ¬After);
|
||||
fprintf(out, " validity: not before %T, ", ¬Before, utc);
|
||||
if (now < notBefore)
|
||||
{
|
||||
fprintf(out, "not valid yet (valid in %V)\n", &now, ¬Before);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(out, "ok\n");
|
||||
}
|
||||
fprintf(out, " not after %T, ", ¬After, utc);
|
||||
if (now > notAfter)
|
||||
{
|
||||
fprintf(out, "expired (%V ago)\n", &now, ¬After);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(out, "ok");
|
||||
if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
|
||||
{
|
||||
fprintf(out, " (expires in %V)", &now, ¬After);
|
||||
}
|
||||
fprintf(out, " \n");
|
||||
}
|
||||
|
||||
public = cert->get_public_key(cert);
|
||||
if (public)
|
||||
{
|
||||
list_public_key(public, out);
|
||||
public->destroy(public);
|
||||
}
|
||||
|
||||
/* list optional authorityKeyIdentifier */
|
||||
authkey = x509->get_authKeyIdentifier(x509);
|
||||
if (authkey.ptr)
|
||||
{
|
||||
fprintf(out, " authkey: %#B\n", &authkey);
|
||||
}
|
||||
|
||||
/* list optional pathLenConstraint */
|
||||
pathlen = x509->get_constraint(x509, X509_PATH_LEN);
|
||||
if (pathlen != X509_NO_CONSTRAINT)
|
||||
{
|
||||
fprintf(out, " pathlen: %u\n", pathlen);
|
||||
}
|
||||
|
||||
/* list optional ipAddrBlocks */
|
||||
if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
|
||||
{
|
||||
traffic_selector_t *ipAddrBlock;
|
||||
bool first_ipAddrBlock = TRUE;
|
||||
|
||||
fprintf(out, " addresses: ");
|
||||
enumerator = x509->create_ipAddrBlock_enumerator(x509);
|
||||
while (enumerator->enumerate(enumerator, &ipAddrBlock))
|
||||
{
|
||||
if (first_ipAddrBlock)
|
||||
{
|
||||
first_ipAddrBlock = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(out, ", ");
|
||||
}
|
||||
fprintf(out, "%R", ipAddrBlock);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
fprintf(out, "\n");
|
||||
}
|
||||
printer->print(printer, cert, has_privkey(cert));
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
printer->destroy(printer);
|
||||
}
|
||||
|
||||
/**
|
||||
* list all X.509 attribute certificates
|
||||
* list all other certificates types
|
||||
*/
|
||||
static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
|
||||
static void stroke_list_other_certs(linked_list_t *list, char *label,
|
||||
bool utc, FILE *out)
|
||||
{
|
||||
bool first = TRUE;
|
||||
time_t notBefore, notAfter, now = time(NULL);
|
||||
enumerator_t *enumerator;
|
||||
certificate_t *cert;
|
||||
certificate_printer_t *printer;
|
||||
|
||||
printer = certificate_printer_create(out, TRUE, utc),
|
||||
|
||||
enumerator = list->create_enumerator(list);
|
||||
while (enumerator->enumerate(enumerator, &cert))
|
||||
{
|
||||
ac_t *ac = (ac_t*)cert;
|
||||
ac_group_type_t type;
|
||||
identification_t *id;
|
||||
enumerator_t *groups;
|
||||
chunk_t chunk;
|
||||
bool firstgroup = TRUE;
|
||||
|
||||
if (first)
|
||||
{
|
||||
fprintf(out, "\n");
|
||||
fprintf(out, "List of X.509 Attribute Certificates:\n");
|
||||
fprintf(out, "List of %ss:\n", label);
|
||||
first = FALSE;
|
||||
}
|
||||
fprintf(out, "\n");
|
||||
|
||||
id = cert->get_subject(cert);
|
||||
if (id)
|
||||
{
|
||||
fprintf(out, " holder: \"%Y\"\n", id);
|
||||
}
|
||||
id = ac->get_holderIssuer(ac);
|
||||
if (id)
|
||||
{
|
||||
fprintf(out, " hissuer: \"%Y\"\n", id);
|
||||
}
|
||||
chunk = chunk_skip_zero(ac->get_holderSerial(ac));
|
||||
if (chunk.ptr)
|
||||
{
|
||||
fprintf(out, " hserial: %#B\n", &chunk);
|
||||
}
|
||||
groups = ac->create_group_enumerator(ac);
|
||||
while (groups->enumerate(groups, &type, &chunk))
|
||||
{
|
||||
int oid;
|
||||
char *str;
|
||||
|
||||
if (firstgroup)
|
||||
{
|
||||
fprintf(out, " groups: ");
|
||||
firstgroup = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(out, " ");
|
||||
}
|
||||
switch (type)
|
||||
{
|
||||
case AC_GROUP_TYPE_STRING:
|
||||
fprintf(out, "%.*s", (int)chunk.len, chunk.ptr);
|
||||
break;
|
||||
case AC_GROUP_TYPE_OID:
|
||||
oid = asn1_known_oid(chunk);
|
||||
if (oid == OID_UNKNOWN)
|
||||
{
|
||||
str = asn1_oid_to_string(chunk);
|
||||
if (str)
|
||||
{
|
||||
fprintf(out, "%s", str);
|
||||
free(str);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(out, "OID:%#B", &chunk);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(out, "%s", oid_names[oid].name);
|
||||
}
|
||||
break;
|
||||
case AC_GROUP_TYPE_OCTETS:
|
||||
fprintf(out, "%#B", &chunk);
|
||||
break;
|
||||
}
|
||||
fprintf(out, "\n");
|
||||
}
|
||||
groups->destroy(groups);
|
||||
fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert));
|
||||
chunk = chunk_skip_zero(ac->get_serial(ac));
|
||||
fprintf(out, " serial: %#B\n", &chunk);
|
||||
|
||||
/* list validity */
|
||||
cert->get_validity(cert, &now, ¬Before, ¬After);
|
||||
fprintf(out, " validity: not before %T, ", ¬Before, utc);
|
||||
if (now < notBefore)
|
||||
{
|
||||
fprintf(out, "not valid yet (valid in %V)\n", &now, ¬Before);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(out, "ok\n");
|
||||
}
|
||||
fprintf(out, " not after %T, ", ¬After, utc);
|
||||
if (now > notAfter)
|
||||
{
|
||||
fprintf(out, "expired (%V ago)\n", &now, ¬After);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(out, "ok");
|
||||
if (now > notAfter - AC_WARNING_INTERVAL * 60 * 60 * 24)
|
||||
{
|
||||
fprintf(out, " (expires in %V)", &now, ¬After);
|
||||
}
|
||||
fprintf(out, " \n");
|
||||
}
|
||||
|
||||
/* list optional authorityKeyIdentifier */
|
||||
chunk = ac->get_authKeyIdentifier(ac);
|
||||
if (chunk.ptr)
|
||||
{
|
||||
fprintf(out, " authkey: %#B\n", &chunk);
|
||||
}
|
||||
printer->print(printer, cert, has_privkey(cert));
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
}
|
||||
|
||||
/**
|
||||
* list all X.509 CRLs
|
||||
*/
|
||||
static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
|
||||
{
|
||||
bool first = TRUE;
|
||||
time_t thisUpdate, nextUpdate, now = time(NULL);
|
||||
enumerator_t *enumerator = list->create_enumerator(list);
|
||||
certificate_t *cert;
|
||||
|
||||
while (enumerator->enumerate(enumerator, (void**)&cert))
|
||||
{
|
||||
crl_t *crl = (crl_t*)cert;
|
||||
chunk_t chunk;
|
||||
|
||||
if (first)
|
||||
{
|
||||
fprintf(out, "\n");
|
||||
fprintf(out, "List of X.509 CRLs:\n");
|
||||
first = FALSE;
|
||||
}
|
||||
fprintf(out, "\n");
|
||||
|
||||
fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert));
|
||||
|
||||
/* list optional crlNumber */
|
||||
chunk = chunk_skip_zero(crl->get_serial(crl));
|
||||
if (chunk.ptr)
|
||||
{
|
||||
fprintf(out, " serial: %#B\n", &chunk);
|
||||
}
|
||||
if (crl->is_delta_crl(crl, &chunk))
|
||||
{
|
||||
chunk = chunk_skip_zero(chunk);
|
||||
fprintf(out, " delta for: %#B\n", &chunk);
|
||||
}
|
||||
|
||||
/* count the number of revoked certificates */
|
||||
{
|
||||
int count = 0;
|
||||
enumerator_t *enumerator = crl->create_enumerator(crl);
|
||||
|
||||
while (enumerator->enumerate(enumerator, NULL, NULL, NULL))
|
||||
{
|
||||
count++;
|
||||
}
|
||||
fprintf(out, " revoked: %d certificate%s\n", count,
|
||||
(count == 1)? "" : "s");
|
||||
enumerator->destroy(enumerator);
|
||||
}
|
||||
|
||||
/* list validity */
|
||||
cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
|
||||
fprintf(out, " updates: this %T\n", &thisUpdate, utc);
|
||||
fprintf(out, " next %T, ", &nextUpdate, utc);
|
||||
if (now > nextUpdate)
|
||||
{
|
||||
fprintf(out, "expired (%V ago)\n", &now, &nextUpdate);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(out, "ok");
|
||||
if (now > nextUpdate - CRL_WARNING_INTERVAL * 60 * 60 * 24)
|
||||
{
|
||||
fprintf(out, " (expires in %V)", &now, &nextUpdate);
|
||||
}
|
||||
fprintf(out, " \n");
|
||||
}
|
||||
|
||||
/* list optional authorityKeyIdentifier */
|
||||
chunk = crl->get_authKeyIdentifier(crl);
|
||||
if (chunk.ptr)
|
||||
{
|
||||
fprintf(out, " authkey: %#B\n", &chunk);
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
}
|
||||
|
||||
/**
|
||||
* list all OCSP responses
|
||||
*/
|
||||
static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
|
||||
{
|
||||
bool first = TRUE, ok;
|
||||
enumerator_t *enumerator = list->create_enumerator(list);
|
||||
certificate_t *cert;
|
||||
time_t produced, usable, now = time(NULL);
|
||||
|
||||
while (enumerator->enumerate(enumerator, (void**)&cert))
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
fprintf(out, "\n");
|
||||
fprintf(out, "List of OCSP responses:\n");
|
||||
fprintf(out, "\n");
|
||||
first = FALSE;
|
||||
}
|
||||
fprintf(out, " signer: \"%Y\"\n", cert->get_issuer(cert));
|
||||
|
||||
/* check validity */
|
||||
ok = cert->get_validity(cert, &now, &produced, &usable);
|
||||
fprintf(out, " validity: produced at %T\n", &produced, utc);
|
||||
fprintf(out, " usable till %T, ", &usable, utc);
|
||||
if (ok)
|
||||
{
|
||||
fprintf(out, "ok\n");
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(out, "expired (%V ago)\n", &now, &usable);
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
printer->destroy(printer);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -1443,14 +1062,16 @@ METHOD(stroke_list_t, list, void,
|
|||
{
|
||||
linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY);
|
||||
|
||||
stroke_list_pubkeys(pubkey_list, msg->list.utc, out);
|
||||
stroke_list_other_certs(pubkey_list, "Raw Public Key",
|
||||
msg->list.utc, out);
|
||||
pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy));
|
||||
}
|
||||
if (msg->list.flags & LIST_CERTS)
|
||||
{
|
||||
linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG);
|
||||
|
||||
stroke_list_pgp(pgp_list, msg->list.utc, out);
|
||||
stroke_list_pgp_certs(pgp_list, "PGP End Entity Certificate",
|
||||
msg->list.utc, out);
|
||||
pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy));
|
||||
}
|
||||
if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS))
|
||||
|
@ -1459,23 +1080,23 @@ METHOD(stroke_list_t, list, void,
|
|||
}
|
||||
if (msg->list.flags & LIST_CERTS)
|
||||
{
|
||||
stroke_list_certs(cert_list, "X.509 End Entity Certificates",
|
||||
X509_NONE, msg->list.utc, out);
|
||||
stroke_list_x509_certs(cert_list, "X.509 End Entity Certificate",
|
||||
X509_NONE, msg->list.utc, out);
|
||||
}
|
||||
if (msg->list.flags & LIST_CACERTS)
|
||||
{
|
||||
stroke_list_certs(cert_list, "X.509 CA Certificates",
|
||||
X509_CA, msg->list.utc, out);
|
||||
stroke_list_x509_certs(cert_list, "X.509 CA Certificate",
|
||||
X509_CA, msg->list.utc, out);
|
||||
}
|
||||
if (msg->list.flags & LIST_OCSPCERTS)
|
||||
{
|
||||
stroke_list_certs(cert_list, "X.509 OCSP Signer Certificates",
|
||||
X509_OCSP_SIGNER, msg->list.utc, out);
|
||||
stroke_list_x509_certs(cert_list, "X.509 OCSP Signer Certificate",
|
||||
X509_OCSP_SIGNER, msg->list.utc, out);
|
||||
}
|
||||
if (msg->list.flags & LIST_AACERTS)
|
||||
{
|
||||
stroke_list_certs(cert_list, "X.509 AA Certificates",
|
||||
X509_AA, msg->list.utc, out);
|
||||
stroke_list_x509_certs(cert_list, "X.509 AA Certificate",
|
||||
X509_AA, msg->list.utc, out);
|
||||
}
|
||||
DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
|
||||
|
||||
|
@ -1483,22 +1104,24 @@ METHOD(stroke_list_t, list, void,
|
|||
{
|
||||
linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC);
|
||||
|
||||
stroke_list_acerts(ac_list, msg->list.utc, out);
|
||||
stroke_list_other_certs(ac_list, "X.509 Attribute Certificate",
|
||||
msg->list.utc, out);
|
||||
ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy));
|
||||
}
|
||||
if (msg->list.flags & LIST_CRLS)
|
||||
{
|
||||
linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL);
|
||||
|
||||
stroke_list_crls(crl_list, msg->list.utc, out);
|
||||
stroke_list_other_certs(crl_list, "X.509 CRL",
|
||||
msg->list.utc, out);
|
||||
crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy));
|
||||
}
|
||||
if (msg->list.flags & LIST_OCSP)
|
||||
{
|
||||
linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE);
|
||||
|
||||
stroke_list_ocsp(ocsp_list, msg->list.utc, out);
|
||||
|
||||
stroke_list_other_certs(ocsp_list, "OCSP Response",
|
||||
msg->list.utc, out);
|
||||
ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy));
|
||||
}
|
||||
if (msg->list.flags & LIST_ALGS)
|
||||
|
|
|
@ -20,6 +20,7 @@ credentials/cred_encoding.c credentials/keys/private_key.c \
|
|||
credentials/keys/public_key.c credentials/keys/shared_key.c \
|
||||
credentials/certificates/certificate.c credentials/certificates/crl.c \
|
||||
credentials/certificates/ocsp_response.c \
|
||||
credentials/certificates/certificate_printer.c \
|
||||
credentials/containers/container.c credentials/containers/pkcs12.c \
|
||||
credentials/credential_manager.c \
|
||||
credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
|
||||
|
@ -83,6 +84,7 @@ credentials/certificates/ac.h credentials/certificates/crl.h \
|
|||
credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \
|
||||
credentials/certificates/ocsp_response.h \
|
||||
credentials/certificates/pgp_certificate.h \
|
||||
credentials/certificates/certificate_printer.h \
|
||||
credentials/containers/container.h credentials/containers/pkcs7.h \
|
||||
credentials/containers/pkcs12.h \
|
||||
credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
|
||||
|
|
|
@ -0,0 +1,591 @@
|
|||
/*
|
||||
* Copyright (C) 2015 Andreas Steffen
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* Copyright (C) 2010 Martin Willi
|
||||
* Copyright (C) 2010 revosec AG
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#include "certificate_printer.h"
|
||||
#include "x509.h"
|
||||
#include "crl.h"
|
||||
#include "ac.h"
|
||||
|
||||
#include <asn1/asn1.h>
|
||||
#include <asn1/oid.h>
|
||||
#include <selectors/traffic_selector.h>
|
||||
|
||||
#include <time.h>
|
||||
|
||||
typedef struct private_certificate_printer_t private_certificate_printer_t;
|
||||
|
||||
/**
|
||||
* Private data of an certificate_printer_t object.
|
||||
*/
|
||||
struct private_certificate_printer_t {
|
||||
|
||||
/**
|
||||
* Public certificate_printer_t interface.
|
||||
*/
|
||||
certificate_printer_t public;
|
||||
|
||||
/**
|
||||
* File to print to
|
||||
*/
|
||||
FILE *f;
|
||||
|
||||
/**
|
||||
* Print detailed certificate information
|
||||
*/
|
||||
bool detailed;
|
||||
|
||||
/**
|
||||
* Print time information in UTC
|
||||
*/
|
||||
bool utc;
|
||||
};
|
||||
|
||||
/**
|
||||
* Print X509 specific certificate information
|
||||
*/
|
||||
static void print_x509(private_certificate_printer_t *this, x509_t *x509)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
identification_t *id;
|
||||
traffic_selector_t *block;
|
||||
chunk_t chunk;
|
||||
bool first;
|
||||
char *uri;
|
||||
int len, explicit, inhibit;
|
||||
x509_flag_t flags;
|
||||
x509_cdp_t *cdp;
|
||||
x509_cert_policy_t *policy;
|
||||
x509_policy_mapping_t *mapping;
|
||||
FILE *f = this->f;
|
||||
|
||||
chunk = chunk_skip_zero(x509->get_serial(x509));
|
||||
fprintf(f, " serial: %#B\n", &chunk);
|
||||
|
||||
first = TRUE;
|
||||
enumerator = x509->create_subjectAltName_enumerator(x509);
|
||||
while (enumerator->enumerate(enumerator, &id))
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
fprintf(f, " altNames: ");
|
||||
first = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(f, ", ");
|
||||
}
|
||||
fprintf(f, "%Y", id);
|
||||
}
|
||||
if (!first)
|
||||
{
|
||||
fprintf(f, "\n");
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
if (this->detailed)
|
||||
{
|
||||
flags = x509->get_flags(x509);
|
||||
if (flags != X509_NONE)
|
||||
{
|
||||
fprintf(f, " flags: ");
|
||||
if (flags & X509_CA)
|
||||
{
|
||||
fprintf(f, "CA ");
|
||||
}
|
||||
if (flags & X509_CRL_SIGN)
|
||||
{
|
||||
fprintf(f, "CRLSign ");
|
||||
}
|
||||
if (flags & X509_OCSP_SIGNER)
|
||||
{
|
||||
fprintf(f, "ocspSigning ");
|
||||
}
|
||||
if (flags & X509_SERVER_AUTH)
|
||||
{
|
||||
fprintf(f, "serverAuth ");
|
||||
}
|
||||
if (flags & X509_CLIENT_AUTH)
|
||||
{
|
||||
fprintf(f, "clientAuth ");
|
||||
}
|
||||
if (flags & X509_IKE_INTERMEDIATE)
|
||||
{
|
||||
fprintf(f, "ikeIntermediate ");
|
||||
}
|
||||
if (flags & X509_MS_SMARTCARD_LOGON)
|
||||
{
|
||||
fprintf(f, "msSmartcardLogon");
|
||||
}
|
||||
if (flags & X509_SELF_SIGNED)
|
||||
{
|
||||
fprintf(f, "self-signed ");
|
||||
}
|
||||
fprintf(f, "\n");
|
||||
}
|
||||
|
||||
first = TRUE;
|
||||
enumerator = x509->create_crl_uri_enumerator(x509);
|
||||
while (enumerator->enumerate(enumerator, &cdp))
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
fprintf(f, " CRL URIs: %s", cdp->uri);
|
||||
first = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(f, " %s", cdp->uri);
|
||||
}
|
||||
if (cdp->issuer)
|
||||
{
|
||||
fprintf(f, " (CRL issuer: %Y)", cdp->issuer);
|
||||
}
|
||||
fprintf(f, "\n");
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
first = TRUE;
|
||||
enumerator = x509->create_ocsp_uri_enumerator(x509);
|
||||
while (enumerator->enumerate(enumerator, &uri))
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
fprintf(f, " OCSP URIs: %s\n", uri);
|
||||
first = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(f, " %s\n", uri);
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
len = x509->get_constraint(x509, X509_PATH_LEN);
|
||||
if (len != X509_NO_CONSTRAINT)
|
||||
{
|
||||
fprintf(f, " pathlen: %d\n", len);
|
||||
}
|
||||
|
||||
first = TRUE;
|
||||
enumerator = x509->create_name_constraint_enumerator(x509, TRUE);
|
||||
while (enumerator->enumerate(enumerator, &id))
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
fprintf(f, " permitted nameConstraints:\n");
|
||||
first = FALSE;
|
||||
}
|
||||
fprintf(f, " %Y\n", id);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
first = TRUE;
|
||||
enumerator = x509->create_name_constraint_enumerator(x509, FALSE);
|
||||
while (enumerator->enumerate(enumerator, &id))
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
fprintf(f, " excluded nameConstraints:\n");
|
||||
first = FALSE;
|
||||
}
|
||||
fprintf(f, " %Y\n", id);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
first = TRUE;
|
||||
enumerator = x509->create_cert_policy_enumerator(x509);
|
||||
while (enumerator->enumerate(enumerator, &policy))
|
||||
{
|
||||
char *oid;
|
||||
|
||||
if (first)
|
||||
{
|
||||
fprintf(f, " certificatePolicies:\n");
|
||||
first = FALSE;
|
||||
}
|
||||
oid = asn1_oid_to_string(policy->oid);
|
||||
if (oid)
|
||||
{
|
||||
fprintf(f, " %s\n", oid);
|
||||
free(oid);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(f, " %#B\n", &policy->oid);
|
||||
}
|
||||
if (policy->cps_uri)
|
||||
{
|
||||
fprintf(f, " CPS: %s\n", policy->cps_uri);
|
||||
}
|
||||
if (policy->unotice_text)
|
||||
{
|
||||
fprintf(f, " Notice: %s\n", policy->unotice_text);
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
first = TRUE;
|
||||
enumerator = x509->create_policy_mapping_enumerator(x509);
|
||||
while (enumerator->enumerate(enumerator, &mapping))
|
||||
{
|
||||
char *issuer_oid, *subject_oid;
|
||||
|
||||
if (first)
|
||||
{
|
||||
fprintf(f, " policyMappings:\n");
|
||||
first = FALSE;
|
||||
}
|
||||
issuer_oid = asn1_oid_to_string(mapping->issuer);
|
||||
subject_oid = asn1_oid_to_string(mapping->subject);
|
||||
fprintf(f, " %s => %s\n", issuer_oid, subject_oid);
|
||||
free(issuer_oid);
|
||||
free(subject_oid);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
|
||||
inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
|
||||
len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
|
||||
|
||||
if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT ||
|
||||
len != X509_NO_CONSTRAINT)
|
||||
{
|
||||
fprintf(f, " policyConstraints:\n");
|
||||
if (explicit != X509_NO_CONSTRAINT)
|
||||
{
|
||||
fprintf(f, " requireExplicitPolicy: %d\n", explicit);
|
||||
}
|
||||
if (inhibit != X509_NO_CONSTRAINT)
|
||||
{
|
||||
fprintf(f, " inhibitPolicyMapping: %d\n", inhibit);
|
||||
}
|
||||
if (len != X509_NO_CONSTRAINT)
|
||||
{
|
||||
fprintf(f, " inhibitAnyPolicy: %d\n", len);
|
||||
}
|
||||
}
|
||||
|
||||
if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
|
||||
{
|
||||
first = TRUE;
|
||||
fprintf(f, " addresses: ");
|
||||
enumerator = x509->create_ipAddrBlock_enumerator(x509);
|
||||
while (enumerator->enumerate(enumerator, &block))
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
first = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(f, ", ");
|
||||
}
|
||||
fprintf(f, "%R", block);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
fprintf(f, "\n");
|
||||
}
|
||||
}
|
||||
|
||||
chunk = x509->get_authKeyIdentifier(x509);
|
||||
if (chunk.ptr)
|
||||
{
|
||||
fprintf(f, " authkeyId: %#B\n", &chunk);
|
||||
}
|
||||
|
||||
chunk = x509->get_subjectKeyIdentifier(x509);
|
||||
if (chunk.ptr)
|
||||
{
|
||||
fprintf(f, " subjkeyId: %#B\n", &chunk);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Print CRL specific information
|
||||
*/
|
||||
static void print_crl(private_certificate_printer_t *this, crl_t *crl)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
time_t ts;
|
||||
crl_reason_t reason;
|
||||
chunk_t chunk;
|
||||
int count = 0;
|
||||
bool first;
|
||||
char buf[64];
|
||||
x509_cdp_t *cdp;
|
||||
FILE *f = this->f;
|
||||
|
||||
chunk = chunk_skip_zero(crl->get_serial(crl));
|
||||
fprintf(f, " serial: %#B\n", &chunk);
|
||||
|
||||
if (crl->is_delta_crl(crl, &chunk))
|
||||
{
|
||||
chunk = chunk_skip_zero(chunk);
|
||||
fprintf(f, " delta CRL: for serial %#B\n", &chunk);
|
||||
}
|
||||
chunk = crl->get_authKeyIdentifier(crl);
|
||||
fprintf(f, " authKeyId: %#B\n", &chunk);
|
||||
|
||||
first = TRUE;
|
||||
enumerator = crl->create_delta_crl_uri_enumerator(crl);
|
||||
while (enumerator->enumerate(enumerator, &cdp))
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
fprintf(f, " freshest: %s", cdp->uri);
|
||||
first = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(f, " %s", cdp->uri);
|
||||
}
|
||||
if (cdp->issuer)
|
||||
{
|
||||
fprintf(f, " (CRL issuer: %Y)", cdp->issuer);
|
||||
}
|
||||
fprintf(f, "\n");
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
enumerator = crl->create_enumerator(crl);
|
||||
while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
|
||||
{
|
||||
count++;
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
fprintf(f, " %d revoked certificate%s%s\n", count, (count == 1) ? "" : "s",
|
||||
(count && this->detailed) ? ":" : "");
|
||||
|
||||
if (this->detailed)
|
||||
{
|
||||
enumerator = crl->create_enumerator(crl);
|
||||
while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
|
||||
{
|
||||
chunk = chunk_skip_zero(chunk);
|
||||
fprintf(f, " %#B: %T, %N\n", &chunk, &ts, this->utc,
|
||||
crl_reason_names, reason);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Print AC specific information
|
||||
*/
|
||||
static void print_ac(private_certificate_printer_t *this, ac_t *ac)
|
||||
{
|
||||
ac_group_type_t type;
|
||||
identification_t *id;
|
||||
enumerator_t *groups;
|
||||
chunk_t chunk;
|
||||
bool first = TRUE;
|
||||
FILE *f = this->f;
|
||||
|
||||
chunk = chunk_skip_zero(ac->get_serial(ac));
|
||||
fprintf(f, " serial: %#B\n", &chunk);
|
||||
|
||||
id = ac->get_holderIssuer(ac);
|
||||
if (id)
|
||||
{
|
||||
fprintf(f, " hissuer: \"%Y\"\n", id);
|
||||
}
|
||||
chunk = chunk_skip_zero(ac->get_holderSerial(ac));
|
||||
if (chunk.ptr)
|
||||
{
|
||||
fprintf(f, " hserial: %#B\n", &chunk);
|
||||
}
|
||||
groups = ac->create_group_enumerator(ac);
|
||||
while (groups->enumerate(groups, &type, &chunk))
|
||||
{
|
||||
int oid;
|
||||
char *str;
|
||||
|
||||
if (first)
|
||||
{
|
||||
fprintf(f, " groups: ");
|
||||
first = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(f, " ");
|
||||
}
|
||||
switch (type)
|
||||
{
|
||||
case AC_GROUP_TYPE_STRING:
|
||||
fprintf(f, "%.*s", (int)chunk.len, chunk.ptr);
|
||||
break;
|
||||
case AC_GROUP_TYPE_OID:
|
||||
oid = asn1_known_oid(chunk);
|
||||
if (oid == OID_UNKNOWN)
|
||||
{
|
||||
str = asn1_oid_to_string(chunk);
|
||||
if (str)
|
||||
{
|
||||
fprintf(f, "%s", str);
|
||||
free(str);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(f, "OID:%#B", &chunk);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(f, "%s", oid_names[oid].name);
|
||||
}
|
||||
break;
|
||||
case AC_GROUP_TYPE_OCTETS:
|
||||
fprintf(f, "%#B", &chunk);
|
||||
break;
|
||||
}
|
||||
fprintf(f, "\n");
|
||||
}
|
||||
groups->destroy(groups);
|
||||
|
||||
chunk = ac->get_authKeyIdentifier(ac);
|
||||
if (chunk.ptr)
|
||||
{
|
||||
fprintf(f, " authkey: %#B\n", &chunk);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Print public key information
|
||||
*/
|
||||
static void print_pubkey(private_certificate_printer_t *this, public_key_t *key,
|
||||
bool has_privkey)
|
||||
{
|
||||
chunk_t chunk;
|
||||
FILE *f = this->f;
|
||||
|
||||
fprintf(f, " pubkey: %N %d bits", key_type_names, key->get_type(key),
|
||||
key->get_keysize(key));
|
||||
if (has_privkey)
|
||||
{
|
||||
fprintf(f, ", has private key");
|
||||
}
|
||||
fprintf(f, "\n");
|
||||
if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
|
||||
{
|
||||
fprintf(f, " keyid: %#B\n", &chunk);
|
||||
}
|
||||
if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk))
|
||||
{
|
||||
fprintf(f, " subjkey: %#B\n", &chunk);
|
||||
}
|
||||
}
|
||||
|
||||
METHOD(certificate_printer_t, print, void,
|
||||
private_certificate_printer_t *this, certificate_t *cert, bool has_privkey)
|
||||
{
|
||||
time_t now, notAfter, notBefore;
|
||||
certificate_type_t type;
|
||||
identification_t *subject;
|
||||
public_key_t *key;
|
||||
FILE *f = this->f;
|
||||
|
||||
now = time(NULL);
|
||||
type = cert->get_type(cert);
|
||||
subject = cert->get_subject(cert);
|
||||
|
||||
if ((type != CERT_X509_CRL && type != CERT_X509_OCSP_RESPONSE &&
|
||||
type != CERT_TRUSTED_PUBKEY) ||
|
||||
(type == CERT_TRUSTED_PUBKEY && subject->get_type(subject) != ID_KEY_ID))
|
||||
{
|
||||
fprintf(f, " subject: \"%Y\"\n", subject);
|
||||
}
|
||||
if (cert->get_type(cert) != CERT_TRUSTED_PUBKEY)
|
||||
{
|
||||
fprintf(f, " issuer: \"%Y\"\n", cert->get_issuer(cert));
|
||||
}
|
||||
|
||||
/* list validity if set */
|
||||
cert->get_validity(cert, &now, ¬Before, ¬After);
|
||||
if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME)
|
||||
{
|
||||
fprintf(f, " validity: not before %T, ", ¬Before, this->utc);
|
||||
if (now < notBefore)
|
||||
{
|
||||
fprintf(f, "not valid yet (valid in %V)\n", &now, ¬Before);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(f, "ok\n");
|
||||
}
|
||||
fprintf(f, " not after %T, ", ¬After, this->utc);
|
||||
if (now > notAfter)
|
||||
{
|
||||
fprintf(f, "expired (%V ago)\n", &now, ¬After);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(f, "ok (expires in %V)\n", &now, ¬After);
|
||||
}
|
||||
}
|
||||
|
||||
switch (cert->get_type(cert))
|
||||
{
|
||||
case CERT_X509:
|
||||
print_x509(this, (x509_t*)cert);
|
||||
break;
|
||||
case CERT_X509_CRL:
|
||||
print_crl(this, (crl_t*)cert);
|
||||
break;
|
||||
case CERT_X509_AC:
|
||||
print_ac(this, (ac_t*)cert);
|
||||
break;
|
||||
case CERT_X509_OCSP_RESPONSE:
|
||||
case CERT_TRUSTED_PUBKEY:
|
||||
default:
|
||||
break;
|
||||
}
|
||||
key = cert->get_public_key(cert);
|
||||
if (key)
|
||||
{
|
||||
print_pubkey(this, key, has_privkey);
|
||||
key->destroy(key);
|
||||
}
|
||||
}
|
||||
|
||||
METHOD(certificate_printer_t, destroy, void,
|
||||
private_certificate_printer_t *this)
|
||||
{
|
||||
free(this);
|
||||
}
|
||||
|
||||
/**
|
||||
* See header
|
||||
*/
|
||||
certificate_printer_t *certificate_printer_create(FILE *f, bool detailed,
|
||||
bool utc)
|
||||
{
|
||||
private_certificate_printer_t *this;
|
||||
|
||||
INIT(this,
|
||||
.public = {
|
||||
.print = _print,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
.f = f,
|
||||
.detailed = detailed,
|
||||
.utc = utc,
|
||||
);
|
||||
|
||||
return &this->public;
|
||||
}
|
|
@ -0,0 +1,60 @@
|
|||
/*
|
||||
* Copyright (C) 2015 Andreas Steffen
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup certificate_printer certificate_printer
|
||||
* @{ @ingroup certificates
|
||||
*/
|
||||
|
||||
#ifndef CERTIFICATE_PRINTER_H_
|
||||
#define CERTIFICATE_PRINTER_H_
|
||||
|
||||
typedef struct certificate_printer_t certificate_printer_t;
|
||||
|
||||
#include "credentials/certificates/certificate.h"
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
/**
|
||||
* An object for printing certificate information.
|
||||
*/
|
||||
struct certificate_printer_t {
|
||||
|
||||
/**
|
||||
* Print a certificate.
|
||||
*
|
||||
* @cert certificate to be printed
|
||||
* @has_privkey indicates that certificate has a matching private key
|
||||
*/
|
||||
void (*print)(certificate_printer_t *this, certificate_t *cert,
|
||||
bool has_privkey);
|
||||
|
||||
/**
|
||||
* Destroy the certificate_printer object.
|
||||
*/
|
||||
void (*destroy)(certificate_printer_t *this);
|
||||
};
|
||||
|
||||
/**
|
||||
* Create a certificate_printer object
|
||||
*
|
||||
* @param f file where print output is directed to (usually stdout)
|
||||
* @param detailed print more detailed certificate information
|
||||
* @param utc print time inforamtion in UTC
|
||||
*/
|
||||
certificate_printer_t* certificate_printer_create(FILE *f, bool detailed,
|
||||
bool utc);
|
||||
|
||||
#endif /** CERTIFICATE_PRINTER_H_ @}*/
|
|
@ -2,6 +2,9 @@
|
|||
* Copyright (C) 2010 Martin Willi
|
||||
* Copyright (C) 2010 revosec AG
|
||||
*
|
||||
* Copyright (C) 2015 Andreas Steffen
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
|
@ -15,51 +18,32 @@
|
|||
|
||||
#include "pki.h"
|
||||
|
||||
#include <asn1/asn1.h>
|
||||
#include <asn1/oid.h>
|
||||
#include <credentials/certificates/certificate.h>
|
||||
#include <credentials/certificates/x509.h>
|
||||
#include <credentials/certificates/crl.h>
|
||||
#include <credentials/certificates/ac.h>
|
||||
#include <selectors/traffic_selector.h>
|
||||
#include <credentials/certificates/certificate_printer.h>
|
||||
|
||||
#include <time.h>
|
||||
#include <errno.h>
|
||||
|
||||
/**
|
||||
* Print public key information
|
||||
*/
|
||||
static void print_pubkey(public_key_t *key)
|
||||
{
|
||||
chunk_t chunk;
|
||||
key_type_t type;
|
||||
|
||||
type = key->get_type(key);
|
||||
printf("pubkey: %N %d bits%s\n", key_type_names, type,
|
||||
key->get_keysize(key), (type == KEY_BLISS) ? " strength" : "");
|
||||
|
||||
if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
|
||||
{
|
||||
printf("keyid: %#B\n", &chunk);
|
||||
}
|
||||
if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk))
|
||||
{
|
||||
printf("subjkey: %#B\n", &chunk);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Print private key information
|
||||
*/
|
||||
static void print_key(private_key_t *key)
|
||||
{
|
||||
public_key_t *public;
|
||||
chunk_t chunk;
|
||||
|
||||
public = key->get_public_key(key);
|
||||
if (public)
|
||||
{
|
||||
printf("private key with:\n");
|
||||
print_pubkey(public);
|
||||
printf(" privkey: %N %d bits\n", key_type_names,
|
||||
public->get_type(public), public->get_keysize(public));
|
||||
if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk))
|
||||
{
|
||||
printf(" keyid: %#B\n", &chunk);
|
||||
}
|
||||
if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk))
|
||||
{
|
||||
printf(" subjkey: %#B\n", &chunk);
|
||||
}
|
||||
public->destroy(public);
|
||||
}
|
||||
else
|
||||
|
@ -68,490 +52,6 @@ static void print_key(private_key_t *key)
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Get a prefix for a named constraint identity type
|
||||
*/
|
||||
static char* get_type_pfx(identification_t *id)
|
||||
{
|
||||
switch (id->get_type(id))
|
||||
{
|
||||
case ID_RFC822_ADDR:
|
||||
return "email:";
|
||||
case ID_FQDN:
|
||||
return "dns:";
|
||||
default:
|
||||
return "";
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Print X509 specific certificate information
|
||||
*/
|
||||
static void print_x509(x509_t *x509)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
identification_t *id;
|
||||
traffic_selector_t *block;
|
||||
chunk_t chunk;
|
||||
bool first;
|
||||
char *uri;
|
||||
int len, explicit, inhibit;
|
||||
x509_flag_t flags;
|
||||
x509_cdp_t *cdp;
|
||||
x509_cert_policy_t *policy;
|
||||
x509_policy_mapping_t *mapping;
|
||||
|
||||
chunk = chunk_skip_zero(x509->get_serial(x509));
|
||||
printf("serial: %#B\n", &chunk);
|
||||
|
||||
first = TRUE;
|
||||
enumerator = x509->create_subjectAltName_enumerator(x509);
|
||||
while (enumerator->enumerate(enumerator, &id))
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
printf("altNames: ");
|
||||
first = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
printf(", ");
|
||||
}
|
||||
printf("%Y", id);
|
||||
}
|
||||
if (!first)
|
||||
{
|
||||
printf("\n");
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
flags = x509->get_flags(x509);
|
||||
printf("flags: ");
|
||||
if (flags & X509_CA)
|
||||
{
|
||||
printf("CA ");
|
||||
}
|
||||
if (flags & X509_CRL_SIGN)
|
||||
{
|
||||
printf("CRLSign ");
|
||||
}
|
||||
if (flags & X509_AA)
|
||||
{
|
||||
printf("AA ");
|
||||
}
|
||||
if (flags & X509_OCSP_SIGNER)
|
||||
{
|
||||
printf("OCSP ");
|
||||
}
|
||||
if (flags & X509_AA)
|
||||
{
|
||||
printf("AA ");
|
||||
}
|
||||
if (flags & X509_SERVER_AUTH)
|
||||
{
|
||||
printf("serverAuth ");
|
||||
}
|
||||
if (flags & X509_CLIENT_AUTH)
|
||||
{
|
||||
printf("clientAuth ");
|
||||
}
|
||||
if (flags & X509_IKE_INTERMEDIATE)
|
||||
{
|
||||
printf("iKEIntermediate ");
|
||||
}
|
||||
if (flags & X509_MS_SMARTCARD_LOGON)
|
||||
{
|
||||
printf("msSmartcardLogon ");
|
||||
}
|
||||
if (flags & X509_SELF_SIGNED)
|
||||
{
|
||||
printf("self-signed ");
|
||||
}
|
||||
printf("\n");
|
||||
|
||||
first = TRUE;
|
||||
enumerator = x509->create_crl_uri_enumerator(x509);
|
||||
while (enumerator->enumerate(enumerator, &cdp))
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
printf("CRL URIs: %s", cdp->uri);
|
||||
first = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
printf(" %s", cdp->uri);
|
||||
}
|
||||
if (cdp->issuer)
|
||||
{
|
||||
printf(" (CRL issuer: %Y)", cdp->issuer);
|
||||
}
|
||||
printf("\n");
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
first = TRUE;
|
||||
enumerator = x509->create_ocsp_uri_enumerator(x509);
|
||||
while (enumerator->enumerate(enumerator, &uri))
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
printf("OCSP URIs: %s\n", uri);
|
||||
first = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
printf(" %s\n", uri);
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
len = x509->get_constraint(x509, X509_PATH_LEN);
|
||||
if (len != X509_NO_CONSTRAINT)
|
||||
{
|
||||
printf("pathlen: %d\n", len);
|
||||
}
|
||||
|
||||
first = TRUE;
|
||||
enumerator = x509->create_name_constraint_enumerator(x509, TRUE);
|
||||
while (enumerator->enumerate(enumerator, &id))
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
printf("Permitted NameConstraints:\n");
|
||||
first = FALSE;
|
||||
}
|
||||
printf(" %s%Y\n", get_type_pfx(id), id);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
first = TRUE;
|
||||
enumerator = x509->create_name_constraint_enumerator(x509, FALSE);
|
||||
while (enumerator->enumerate(enumerator, &id))
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
printf("Excluded NameConstraints:\n");
|
||||
first = FALSE;
|
||||
}
|
||||
printf(" %s%Y\n", get_type_pfx(id), id);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
first = TRUE;
|
||||
enumerator = x509->create_cert_policy_enumerator(x509);
|
||||
while (enumerator->enumerate(enumerator, &policy))
|
||||
{
|
||||
char *oid;
|
||||
|
||||
if (first)
|
||||
{
|
||||
printf("CertificatePolicies:\n");
|
||||
first = FALSE;
|
||||
}
|
||||
oid = asn1_oid_to_string(policy->oid);
|
||||
if (oid)
|
||||
{
|
||||
printf(" %s\n", oid);
|
||||
free(oid);
|
||||
}
|
||||
else
|
||||
{
|
||||
printf(" %#B\n", &policy->oid);
|
||||
}
|
||||
if (policy->cps_uri)
|
||||
{
|
||||
printf(" CPS: %s\n", policy->cps_uri);
|
||||
}
|
||||
if (policy->unotice_text)
|
||||
{
|
||||
printf(" Notice: %s\n", policy->unotice_text);
|
||||
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
first = TRUE;
|
||||
enumerator = x509->create_policy_mapping_enumerator(x509);
|
||||
while (enumerator->enumerate(enumerator, &mapping))
|
||||
{
|
||||
char *issuer_oid, *subject_oid;
|
||||
|
||||
if (first)
|
||||
{
|
||||
printf("PolicyMappings:\n");
|
||||
first = FALSE;
|
||||
}
|
||||
issuer_oid = asn1_oid_to_string(mapping->issuer);
|
||||
subject_oid = asn1_oid_to_string(mapping->subject);
|
||||
printf(" %s => %s\n", issuer_oid, subject_oid);
|
||||
free(issuer_oid);
|
||||
free(subject_oid);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
|
||||
inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
|
||||
len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
|
||||
|
||||
if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT ||
|
||||
len != X509_NO_CONSTRAINT)
|
||||
{
|
||||
printf("PolicyConstraints:\n");
|
||||
if (explicit != X509_NO_CONSTRAINT)
|
||||
{
|
||||
printf(" requireExplicitPolicy: %d\n", explicit);
|
||||
}
|
||||
if (inhibit != X509_NO_CONSTRAINT)
|
||||
{
|
||||
printf(" inhibitPolicyMapping: %d\n", inhibit);
|
||||
}
|
||||
if (len != X509_NO_CONSTRAINT)
|
||||
{
|
||||
printf(" inhibitAnyPolicy: %d\n", len);
|
||||
}
|
||||
}
|
||||
|
||||
chunk = x509->get_authKeyIdentifier(x509);
|
||||
if (chunk.ptr)
|
||||
{
|
||||
printf("authkeyId: %#B\n", &chunk);
|
||||
}
|
||||
|
||||
chunk = x509->get_subjectKeyIdentifier(x509);
|
||||
if (chunk.ptr)
|
||||
{
|
||||
printf("subjkeyId: %#B\n", &chunk);
|
||||
}
|
||||
if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
|
||||
{
|
||||
first = TRUE;
|
||||
printf("addresses: ");
|
||||
enumerator = x509->create_ipAddrBlock_enumerator(x509);
|
||||
while (enumerator->enumerate(enumerator, &block))
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
first = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
printf(", ");
|
||||
}
|
||||
printf("%R", block);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
printf("\n");
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Print CRL specific information
|
||||
*/
|
||||
static void print_crl(crl_t *crl)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
time_t ts;
|
||||
crl_reason_t reason;
|
||||
chunk_t chunk;
|
||||
int count = 0;
|
||||
bool first;
|
||||
char buf[64];
|
||||
struct tm tm;
|
||||
x509_cdp_t *cdp;
|
||||
|
||||
chunk = chunk_skip_zero(crl->get_serial(crl));
|
||||
printf("serial: %#B\n", &chunk);
|
||||
|
||||
if (crl->is_delta_crl(crl, &chunk))
|
||||
{
|
||||
chunk = chunk_skip_zero(chunk);
|
||||
printf("delta CRL: for serial %#B\n", &chunk);
|
||||
}
|
||||
chunk = crl->get_authKeyIdentifier(crl);
|
||||
printf("authKeyId: %#B\n", &chunk);
|
||||
|
||||
first = TRUE;
|
||||
enumerator = crl->create_delta_crl_uri_enumerator(crl);
|
||||
while (enumerator->enumerate(enumerator, &cdp))
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
printf("freshest: %s", cdp->uri);
|
||||
first = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
printf(" %s", cdp->uri);
|
||||
}
|
||||
if (cdp->issuer)
|
||||
{
|
||||
printf(" (CRL issuer: %Y)", cdp->issuer);
|
||||
}
|
||||
printf("\n");
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
enumerator = crl->create_enumerator(crl);
|
||||
while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
|
||||
{
|
||||
count++;
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
printf("%d revoked certificate%s%s\n", count,
|
||||
count == 1 ? "" : "s", count ? ":" : "");
|
||||
enumerator = crl->create_enumerator(crl);
|
||||
while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
|
||||
{
|
||||
chunk = chunk_skip_zero(chunk);
|
||||
localtime_r(&ts, &tm);
|
||||
strftime(buf, sizeof(buf), "%F %T", &tm);
|
||||
printf(" %#B %N %s\n", &chunk, crl_reason_names, reason, buf);
|
||||
count++;
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
}
|
||||
|
||||
/**
|
||||
* Print AC specific information
|
||||
*/
|
||||
static void print_ac(ac_t *ac)
|
||||
{
|
||||
ac_group_type_t type;
|
||||
identification_t *id;
|
||||
enumerator_t *groups;
|
||||
chunk_t chunk;
|
||||
bool first = TRUE;
|
||||
|
||||
chunk = chunk_skip_zero(ac->get_serial(ac));
|
||||
printf("serial: %#B\n", &chunk);
|
||||
|
||||
id = ac->get_holderIssuer(ac);
|
||||
if (id)
|
||||
{
|
||||
printf("hissuer: \"%Y\"\n", id);
|
||||
}
|
||||
chunk = chunk_skip_zero(ac->get_holderSerial(ac));
|
||||
if (chunk.ptr)
|
||||
{
|
||||
printf("hserial: %#B\n", &chunk);
|
||||
}
|
||||
groups = ac->create_group_enumerator(ac);
|
||||
while (groups->enumerate(groups, &type, &chunk))
|
||||
{
|
||||
int oid;
|
||||
char *str;
|
||||
|
||||
if (first)
|
||||
{
|
||||
printf("groups: ");
|
||||
first = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
printf(" ");
|
||||
}
|
||||
switch (type)
|
||||
{
|
||||
case AC_GROUP_TYPE_STRING:
|
||||
printf("%.*s", (int)chunk.len, chunk.ptr);
|
||||
break;
|
||||
case AC_GROUP_TYPE_OID:
|
||||
oid = asn1_known_oid(chunk);
|
||||
if (oid == OID_UNKNOWN)
|
||||
{
|
||||
str = asn1_oid_to_string(chunk);
|
||||
if (str)
|
||||
{
|
||||
printf("%s", str);
|
||||
free(str);
|
||||
}
|
||||
else
|
||||
{
|
||||
printf("OID:%#B", &chunk);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
printf("%s", oid_names[oid].name);
|
||||
}
|
||||
break;
|
||||
case AC_GROUP_TYPE_OCTETS:
|
||||
printf("%#B", &chunk);
|
||||
break;
|
||||
}
|
||||
printf("\n");
|
||||
}
|
||||
groups->destroy(groups);
|
||||
|
||||
chunk = ac->get_authKeyIdentifier(ac);
|
||||
if (chunk.ptr)
|
||||
{
|
||||
printf("authkey: %#B\n", &chunk);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Print certificate information
|
||||
*/
|
||||
static void print_cert(certificate_t *cert)
|
||||
{
|
||||
time_t now, notAfter, notBefore;
|
||||
public_key_t *key;
|
||||
|
||||
now = time(NULL);
|
||||
|
||||
printf("cert: %N\n", certificate_type_names, cert->get_type(cert));
|
||||
if (cert->get_type(cert) != CERT_X509_CRL)
|
||||
{
|
||||
printf("subject: \"%Y\"\n", cert->get_subject(cert));
|
||||
}
|
||||
printf("issuer: \"%Y\"\n", cert->get_issuer(cert));
|
||||
|
||||
cert->get_validity(cert, &now, ¬Before, ¬After);
|
||||
printf("validity: not before %T, ", ¬Before, FALSE);
|
||||
if (now < notBefore)
|
||||
{
|
||||
printf("not valid yet (valid in %V)\n", &now, ¬Before);
|
||||
}
|
||||
else
|
||||
{
|
||||
printf("ok\n");
|
||||
}
|
||||
printf(" not after %T, ", ¬After, FALSE);
|
||||
if (now > notAfter)
|
||||
{
|
||||
printf("expired (%V ago)\n", &now, ¬After);
|
||||
}
|
||||
else
|
||||
{
|
||||
printf("ok (expires in %V)\n", &now, ¬After);
|
||||
}
|
||||
|
||||
switch (cert->get_type(cert))
|
||||
{
|
||||
case CERT_X509:
|
||||
print_x509((x509_t*)cert);
|
||||
break;
|
||||
case CERT_X509_CRL:
|
||||
print_crl((crl_t*)cert);
|
||||
break;
|
||||
case CERT_X509_AC:
|
||||
print_ac((ac_t*)cert);
|
||||
break;
|
||||
default:
|
||||
printf("parsing certificate subtype %N not implemented\n",
|
||||
certificate_type_names, cert->get_type(cert));
|
||||
break;
|
||||
}
|
||||
key = cert->get_public_key(cert);
|
||||
if (key)
|
||||
{
|
||||
print_pubkey(key);
|
||||
key->destroy(key);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Print a credential in a human readable form
|
||||
*/
|
||||
|
@ -586,8 +86,8 @@ static int print()
|
|||
}
|
||||
else if (streq(arg, "pub"))
|
||||
{
|
||||
type = CRED_PUBLIC_KEY;
|
||||
subtype = KEY_ANY;
|
||||
type = CRED_CERTIFICATE;
|
||||
subtype = CERT_TRUSTED_PUBKEY;
|
||||
}
|
||||
else if (streq(arg, "rsa-priv"))
|
||||
{
|
||||
|
@ -647,17 +147,13 @@ static int print()
|
|||
if (type == CRED_CERTIFICATE)
|
||||
{
|
||||
certificate_t *cert = (certificate_t*)cred;
|
||||
certificate_printer_t *printer;
|
||||
|
||||
print_cert(cert);
|
||||
printer = certificate_printer_create(stdout, TRUE, FALSE);
|
||||
printer->print(printer, cert, FALSE);
|
||||
printer->destroy(printer);
|
||||
cert->destroy(cert);
|
||||
}
|
||||
if (type == CRED_PUBLIC_KEY)
|
||||
{
|
||||
public_key_t *key = (public_key_t*)cred;
|
||||
|
||||
print_pubkey(key);
|
||||
key->destroy(key);
|
||||
}
|
||||
if (type == CRED_PRIVATE_KEY)
|
||||
{
|
||||
private_key_t *key = (private_key_t*)cred;
|
||||
|
@ -665,6 +161,7 @@ static int print()
|
|||
print_key(key);
|
||||
key->destroy(key);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue