diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index c0192b5c0..e312ae152 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -2,6 +2,9 @@ * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your @@ -28,17 +31,9 @@ #include #include #include -#include -#include #include +#include #include -#include -#include - -/* warning intervals for list functions */ -#define CERT_WARNING_INTERVAL 30 /* days */ -#define CRL_WARNING_INTERVAL 7 /* days */ -#define AC_WARNING_INTERVAL 1 /* day */ typedef struct private_stroke_list_t private_stroke_list_t; @@ -738,14 +733,20 @@ static linked_list_t* create_unique_cert_list(certificate_type_t type) } /** - * Print a single public key. + * Is there a matching private key? */ -static void list_public_key(public_key_t *public, FILE *out) +static bool has_privkey(certificate_t *cert) { + public_key_t *public; private_key_t *private = NULL; chunk_t keyid; identification_t *id; + public = cert->get_public_key(cert); + if (!public) + { + return FALSE; + } if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid)) { id = identification_create_from_encoding(ID_KEY_ID, keyid); @@ -753,99 +754,23 @@ static void list_public_key(public_key_t *public, FILE *out) public->get_type(public), id, NULL); id->destroy(id); } - - fprintf(out, " pubkey: %N %d bits%s\n", - key_type_names, public->get_type(public), - public->get_keysize(public), - private ? ", has private key" : ""); - if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid)) - { - fprintf(out, " keyid: %#B\n", &keyid); - } - if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid)) - { - fprintf(out, " subjkey: %#B\n", &keyid); - } + public->destroy(public); DESTROY_IF(private); -} -/** - * list all raw public keys - */ -static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out) -{ - bool first = TRUE; - time_t now = time(NULL), notBefore, notAfter; - enumerator_t *enumerator; - certificate_t *cert; - - enumerator = list->create_enumerator(list); - while (enumerator->enumerate(enumerator, (void**)&cert)) - { - identification_t *subject = cert->get_subject(cert); - public_key_t *public = cert->get_public_key(cert); - - if (public) - { - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of Raw Public Keys:\n"); - first = FALSE; - } - fprintf(out, "\n"); - - /* list subject if available */ - if (subject->get_type(subject) != ID_KEY_ID) - { - fprintf(out, " subject: %#Y\n", subject); - } - - /* list validity if available*/ - cert->get_validity(cert, &now, ¬Before, ¬After); - if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME) - { - fprintf(out, " validity: not before %T, ", ¬Before, utc); - if (now < notBefore) - { - fprintf(out, "not valid yet (valid in %V)\n", &now, ¬Before); - } - else - { - fprintf(out, "ok\n"); - } - fprintf(out, " not after %T, ", ¬After, utc); - if (now > notAfter) - { - fprintf(out, "expired (%V ago)\n", &now, ¬After); - } - else - { - fprintf(out, "ok"); - if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24) - { - fprintf(out, " (expires in %V)", &now, ¬After); - } - fprintf(out, " \n"); - } - } - - list_public_key(public, out); - public->destroy(public); - } - } - enumerator->destroy(enumerator); + return (private != NULL); } /** * list OpenPGP certificates */ -static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out) +static void stroke_list_pgp_certs(linked_list_t *list, char *label, + bool utc, FILE *out) { bool first = TRUE; time_t now = time(NULL); enumerator_t *enumerator = list->create_enumerator(list); certificate_t *cert; + chunk_t keyid; while (enumerator->enumerate(enumerator, (void**)&cert)) { @@ -856,14 +781,12 @@ static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out) if (first) { - fprintf(out, "\n"); - fprintf(out, "List of PGP End Entity Certificates:\n"); - first = FALSE; + fprintf(out, "List of %ss:\n", label); + first = FALSE; } fprintf(out, "\n"); fprintf(out, " userid: '%Y'\n", cert->get_subject(cert)); - fprintf(out, " digest: %#B\n", &fingerprint); /* list validity */ @@ -875,7 +798,19 @@ static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out) public = cert->get_public_key(cert); if (public) { - list_public_key(public, out); + fprintf(out, " pubkey: %N %d bits%s\n", + key_type_names, public->get_type(public), + public->get_keysize(public), + has_privkey(cert) ? ", has private key" : ""); + + if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid)) + { + fprintf(out, " keyid: %#B\n", &keyid); + } + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid)) + { + fprintf(out, " subjkey: %#B\n", &keyid); + } public->destroy(public); } } @@ -885,15 +820,17 @@ static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out) /** * list all X.509 certificates matching the flags */ -static void stroke_list_certs(linked_list_t *list, char *label, - x509_flag_t flags, bool utc, FILE *out) +static void stroke_list_x509_certs(linked_list_t *list, char *label, + x509_flag_t flags, bool utc, FILE *out) { bool first = TRUE; - time_t now = time(NULL); enumerator_t *enumerator; certificate_t *cert; + certificate_printer_t *printer; x509_flag_t flag_mask; + printer = certificate_printer_create(out, TRUE, utc), + /* mask all auxiliary flags */ flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH | X509_IKE_INTERMEDIATE | X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS); @@ -907,367 +844,49 @@ static void stroke_list_certs(linked_list_t *list, char *label, /* list only if flag is set or flag == 0 */ if ((x509_flags & flags) || (x509_flags == flags)) { - enumerator_t *enumerator; - identification_t *altName; - bool first_altName = TRUE; - u_int pathlen; - chunk_t serial, authkey; - time_t notBefore, notAfter; - public_key_t *public; - if (first) { fprintf(out, "\n"); - fprintf(out, "List of %s:\n", label); + fprintf(out, "List of %ss:\n", label); first = FALSE; } fprintf(out, "\n"); - - /* list subjectAltNames */ - enumerator = x509->create_subjectAltName_enumerator(x509); - while (enumerator->enumerate(enumerator, (void**)&altName)) - { - if (first_altName) - { - fprintf(out, " altNames: "); - first_altName = FALSE; - } - else - { - fprintf(out, ", "); - } - fprintf(out, "%Y", altName); - } - if (!first_altName) - { - fprintf(out, "\n"); - } - enumerator->destroy(enumerator); - - fprintf(out, " subject: \"%Y\"\n", cert->get_subject(cert)); - fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); - serial = chunk_skip_zero(x509->get_serial(x509)); - fprintf(out, " serial: %#B\n", &serial); - - /* list validity */ - cert->get_validity(cert, &now, ¬Before, ¬After); - fprintf(out, " validity: not before %T, ", ¬Before, utc); - if (now < notBefore) - { - fprintf(out, "not valid yet (valid in %V)\n", &now, ¬Before); - } - else - { - fprintf(out, "ok\n"); - } - fprintf(out, " not after %T, ", ¬After, utc); - if (now > notAfter) - { - fprintf(out, "expired (%V ago)\n", &now, ¬After); - } - else - { - fprintf(out, "ok"); - if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24) - { - fprintf(out, " (expires in %V)", &now, ¬After); - } - fprintf(out, " \n"); - } - - public = cert->get_public_key(cert); - if (public) - { - list_public_key(public, out); - public->destroy(public); - } - - /* list optional authorityKeyIdentifier */ - authkey = x509->get_authKeyIdentifier(x509); - if (authkey.ptr) - { - fprintf(out, " authkey: %#B\n", &authkey); - } - - /* list optional pathLenConstraint */ - pathlen = x509->get_constraint(x509, X509_PATH_LEN); - if (pathlen != X509_NO_CONSTRAINT) - { - fprintf(out, " pathlen: %u\n", pathlen); - } - - /* list optional ipAddrBlocks */ - if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS) - { - traffic_selector_t *ipAddrBlock; - bool first_ipAddrBlock = TRUE; - - fprintf(out, " addresses: "); - enumerator = x509->create_ipAddrBlock_enumerator(x509); - while (enumerator->enumerate(enumerator, &ipAddrBlock)) - { - if (first_ipAddrBlock) - { - first_ipAddrBlock = FALSE; - } - else - { - fprintf(out, ", "); - } - fprintf(out, "%R", ipAddrBlock); - } - enumerator->destroy(enumerator); - fprintf(out, "\n"); - } + printer->print(printer, cert, has_privkey(cert)); } } enumerator->destroy(enumerator); + + printer->destroy(printer); } /** - * list all X.509 attribute certificates + * list all other certificates types */ -static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out) +static void stroke_list_other_certs(linked_list_t *list, char *label, + bool utc, FILE *out) { bool first = TRUE; - time_t notBefore, notAfter, now = time(NULL); enumerator_t *enumerator; certificate_t *cert; + certificate_printer_t *printer; + + printer = certificate_printer_create(out, TRUE, utc), enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, &cert)) { - ac_t *ac = (ac_t*)cert; - ac_group_type_t type; - identification_t *id; - enumerator_t *groups; - chunk_t chunk; - bool firstgroup = TRUE; - if (first) { fprintf(out, "\n"); - fprintf(out, "List of X.509 Attribute Certificates:\n"); + fprintf(out, "List of %ss:\n", label); first = FALSE; } fprintf(out, "\n"); - - id = cert->get_subject(cert); - if (id) - { - fprintf(out, " holder: \"%Y\"\n", id); - } - id = ac->get_holderIssuer(ac); - if (id) - { - fprintf(out, " hissuer: \"%Y\"\n", id); - } - chunk = chunk_skip_zero(ac->get_holderSerial(ac)); - if (chunk.ptr) - { - fprintf(out, " hserial: %#B\n", &chunk); - } - groups = ac->create_group_enumerator(ac); - while (groups->enumerate(groups, &type, &chunk)) - { - int oid; - char *str; - - if (firstgroup) - { - fprintf(out, " groups: "); - firstgroup = FALSE; - } - else - { - fprintf(out, " "); - } - switch (type) - { - case AC_GROUP_TYPE_STRING: - fprintf(out, "%.*s", (int)chunk.len, chunk.ptr); - break; - case AC_GROUP_TYPE_OID: - oid = asn1_known_oid(chunk); - if (oid == OID_UNKNOWN) - { - str = asn1_oid_to_string(chunk); - if (str) - { - fprintf(out, "%s", str); - free(str); - } - else - { - fprintf(out, "OID:%#B", &chunk); - } - } - else - { - fprintf(out, "%s", oid_names[oid].name); - } - break; - case AC_GROUP_TYPE_OCTETS: - fprintf(out, "%#B", &chunk); - break; - } - fprintf(out, "\n"); - } - groups->destroy(groups); - fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); - chunk = chunk_skip_zero(ac->get_serial(ac)); - fprintf(out, " serial: %#B\n", &chunk); - - /* list validity */ - cert->get_validity(cert, &now, ¬Before, ¬After); - fprintf(out, " validity: not before %T, ", ¬Before, utc); - if (now < notBefore) - { - fprintf(out, "not valid yet (valid in %V)\n", &now, ¬Before); - } - else - { - fprintf(out, "ok\n"); - } - fprintf(out, " not after %T, ", ¬After, utc); - if (now > notAfter) - { - fprintf(out, "expired (%V ago)\n", &now, ¬After); - } - else - { - fprintf(out, "ok"); - if (now > notAfter - AC_WARNING_INTERVAL * 60 * 60 * 24) - { - fprintf(out, " (expires in %V)", &now, ¬After); - } - fprintf(out, " \n"); - } - - /* list optional authorityKeyIdentifier */ - chunk = ac->get_authKeyIdentifier(ac); - if (chunk.ptr) - { - fprintf(out, " authkey: %#B\n", &chunk); - } + printer->print(printer, cert, has_privkey(cert)); } enumerator->destroy(enumerator); -} -/** - * list all X.509 CRLs - */ -static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out) -{ - bool first = TRUE; - time_t thisUpdate, nextUpdate, now = time(NULL); - enumerator_t *enumerator = list->create_enumerator(list); - certificate_t *cert; - - while (enumerator->enumerate(enumerator, (void**)&cert)) - { - crl_t *crl = (crl_t*)cert; - chunk_t chunk; - - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of X.509 CRLs:\n"); - first = FALSE; - } - fprintf(out, "\n"); - - fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); - - /* list optional crlNumber */ - chunk = chunk_skip_zero(crl->get_serial(crl)); - if (chunk.ptr) - { - fprintf(out, " serial: %#B\n", &chunk); - } - if (crl->is_delta_crl(crl, &chunk)) - { - chunk = chunk_skip_zero(chunk); - fprintf(out, " delta for: %#B\n", &chunk); - } - - /* count the number of revoked certificates */ - { - int count = 0; - enumerator_t *enumerator = crl->create_enumerator(crl); - - while (enumerator->enumerate(enumerator, NULL, NULL, NULL)) - { - count++; - } - fprintf(out, " revoked: %d certificate%s\n", count, - (count == 1)? "" : "s"); - enumerator->destroy(enumerator); - } - - /* list validity */ - cert->get_validity(cert, &now, &thisUpdate, &nextUpdate); - fprintf(out, " updates: this %T\n", &thisUpdate, utc); - fprintf(out, " next %T, ", &nextUpdate, utc); - if (now > nextUpdate) - { - fprintf(out, "expired (%V ago)\n", &now, &nextUpdate); - } - else - { - fprintf(out, "ok"); - if (now > nextUpdate - CRL_WARNING_INTERVAL * 60 * 60 * 24) - { - fprintf(out, " (expires in %V)", &now, &nextUpdate); - } - fprintf(out, " \n"); - } - - /* list optional authorityKeyIdentifier */ - chunk = crl->get_authKeyIdentifier(crl); - if (chunk.ptr) - { - fprintf(out, " authkey: %#B\n", &chunk); - } - } - enumerator->destroy(enumerator); -} - -/** - * list all OCSP responses - */ -static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out) -{ - bool first = TRUE, ok; - enumerator_t *enumerator = list->create_enumerator(list); - certificate_t *cert; - time_t produced, usable, now = time(NULL); - - while (enumerator->enumerate(enumerator, (void**)&cert)) - { - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of OCSP responses:\n"); - fprintf(out, "\n"); - first = FALSE; - } - fprintf(out, " signer: \"%Y\"\n", cert->get_issuer(cert)); - - /* check validity */ - ok = cert->get_validity(cert, &now, &produced, &usable); - fprintf(out, " validity: produced at %T\n", &produced, utc); - fprintf(out, " usable till %T, ", &usable, utc); - if (ok) - { - fprintf(out, "ok\n"); - } - else - { - fprintf(out, "expired (%V ago)\n", &now, &usable); - } - } - enumerator->destroy(enumerator); + printer->destroy(printer); } /** @@ -1443,14 +1062,16 @@ METHOD(stroke_list_t, list, void, { linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY); - stroke_list_pubkeys(pubkey_list, msg->list.utc, out); + stroke_list_other_certs(pubkey_list, "Raw Public Key", + msg->list.utc, out); pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy)); } if (msg->list.flags & LIST_CERTS) { linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG); - stroke_list_pgp(pgp_list, msg->list.utc, out); + stroke_list_pgp_certs(pgp_list, "PGP End Entity Certificate", + msg->list.utc, out); pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy)); } if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS)) @@ -1459,23 +1080,23 @@ METHOD(stroke_list_t, list, void, } if (msg->list.flags & LIST_CERTS) { - stroke_list_certs(cert_list, "X.509 End Entity Certificates", - X509_NONE, msg->list.utc, out); + stroke_list_x509_certs(cert_list, "X.509 End Entity Certificate", + X509_NONE, msg->list.utc, out); } if (msg->list.flags & LIST_CACERTS) { - stroke_list_certs(cert_list, "X.509 CA Certificates", - X509_CA, msg->list.utc, out); + stroke_list_x509_certs(cert_list, "X.509 CA Certificate", + X509_CA, msg->list.utc, out); } if (msg->list.flags & LIST_OCSPCERTS) { - stroke_list_certs(cert_list, "X.509 OCSP Signer Certificates", - X509_OCSP_SIGNER, msg->list.utc, out); + stroke_list_x509_certs(cert_list, "X.509 OCSP Signer Certificate", + X509_OCSP_SIGNER, msg->list.utc, out); } if (msg->list.flags & LIST_AACERTS) { - stroke_list_certs(cert_list, "X.509 AA Certificates", - X509_AA, msg->list.utc, out); + stroke_list_x509_certs(cert_list, "X.509 AA Certificate", + X509_AA, msg->list.utc, out); } DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy)); @@ -1483,22 +1104,24 @@ METHOD(stroke_list_t, list, void, { linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC); - stroke_list_acerts(ac_list, msg->list.utc, out); + stroke_list_other_certs(ac_list, "X.509 Attribute Certificate", + msg->list.utc, out); ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy)); } if (msg->list.flags & LIST_CRLS) { linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL); - stroke_list_crls(crl_list, msg->list.utc, out); + stroke_list_other_certs(crl_list, "X.509 CRL", + msg->list.utc, out); crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy)); } if (msg->list.flags & LIST_OCSP) { linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE); - stroke_list_ocsp(ocsp_list, msg->list.utc, out); - + stroke_list_other_certs(ocsp_list, "OCSP Response", + msg->list.utc, out); ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy)); } if (msg->list.flags & LIST_ALGS) diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index ed3b85dd4..1851ff59d 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -20,6 +20,7 @@ credentials/cred_encoding.c credentials/keys/private_key.c \ credentials/keys/public_key.c credentials/keys/shared_key.c \ credentials/certificates/certificate.c credentials/certificates/crl.c \ credentials/certificates/ocsp_response.c \ +credentials/certificates/certificate_printer.c \ credentials/containers/container.c credentials/containers/pkcs12.c \ credentials/credential_manager.c \ credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \ @@ -83,6 +84,7 @@ credentials/certificates/ac.h credentials/certificates/crl.h \ credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \ credentials/certificates/ocsp_response.h \ credentials/certificates/pgp_certificate.h \ +credentials/certificates/certificate_printer.h \ credentials/containers/container.h credentials/containers/pkcs7.h \ credentials/containers/pkcs12.h \ credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \ diff --git a/src/libstrongswan/credentials/certificates/certificate_printer.c b/src/libstrongswan/credentials/certificates/certificate_printer.c new file mode 100644 index 000000000..84dab8566 --- /dev/null +++ b/src/libstrongswan/credentials/certificates/certificate_printer.c @@ -0,0 +1,591 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "certificate_printer.h" +#include "x509.h" +#include "crl.h" +#include "ac.h" + +#include +#include +#include + +#include + +typedef struct private_certificate_printer_t private_certificate_printer_t; + +/** + * Private data of an certificate_printer_t object. + */ +struct private_certificate_printer_t { + + /** + * Public certificate_printer_t interface. + */ + certificate_printer_t public; + + /** + * File to print to + */ + FILE *f; + + /** + * Print detailed certificate information + */ + bool detailed; + + /** + * Print time information in UTC + */ + bool utc; +}; + +/** + * Print X509 specific certificate information + */ +static void print_x509(private_certificate_printer_t *this, x509_t *x509) +{ + enumerator_t *enumerator; + identification_t *id; + traffic_selector_t *block; + chunk_t chunk; + bool first; + char *uri; + int len, explicit, inhibit; + x509_flag_t flags; + x509_cdp_t *cdp; + x509_cert_policy_t *policy; + x509_policy_mapping_t *mapping; + FILE *f = this->f; + + chunk = chunk_skip_zero(x509->get_serial(x509)); + fprintf(f, " serial: %#B\n", &chunk); + + first = TRUE; + enumerator = x509->create_subjectAltName_enumerator(x509); + while (enumerator->enumerate(enumerator, &id)) + { + if (first) + { + fprintf(f, " altNames: "); + first = FALSE; + } + else + { + fprintf(f, ", "); + } + fprintf(f, "%Y", id); + } + if (!first) + { + fprintf(f, "\n"); + } + enumerator->destroy(enumerator); + + if (this->detailed) + { + flags = x509->get_flags(x509); + if (flags != X509_NONE) + { + fprintf(f, " flags: "); + if (flags & X509_CA) + { + fprintf(f, "CA "); + } + if (flags & X509_CRL_SIGN) + { + fprintf(f, "CRLSign "); + } + if (flags & X509_OCSP_SIGNER) + { + fprintf(f, "ocspSigning "); + } + if (flags & X509_SERVER_AUTH) + { + fprintf(f, "serverAuth "); + } + if (flags & X509_CLIENT_AUTH) + { + fprintf(f, "clientAuth "); + } + if (flags & X509_IKE_INTERMEDIATE) + { + fprintf(f, "ikeIntermediate "); + } + if (flags & X509_MS_SMARTCARD_LOGON) + { + fprintf(f, "msSmartcardLogon"); + } + if (flags & X509_SELF_SIGNED) + { + fprintf(f, "self-signed "); + } + fprintf(f, "\n"); + } + + first = TRUE; + enumerator = x509->create_crl_uri_enumerator(x509); + while (enumerator->enumerate(enumerator, &cdp)) + { + if (first) + { + fprintf(f, " CRL URIs: %s", cdp->uri); + first = FALSE; + } + else + { + fprintf(f, " %s", cdp->uri); + } + if (cdp->issuer) + { + fprintf(f, " (CRL issuer: %Y)", cdp->issuer); + } + fprintf(f, "\n"); + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_ocsp_uri_enumerator(x509); + while (enumerator->enumerate(enumerator, &uri)) + { + if (first) + { + fprintf(f, " OCSP URIs: %s\n", uri); + first = FALSE; + } + else + { + fprintf(f, " %s\n", uri); + } + } + enumerator->destroy(enumerator); + + len = x509->get_constraint(x509, X509_PATH_LEN); + if (len != X509_NO_CONSTRAINT) + { + fprintf(f, " pathlen: %d\n", len); + } + + first = TRUE; + enumerator = x509->create_name_constraint_enumerator(x509, TRUE); + while (enumerator->enumerate(enumerator, &id)) + { + if (first) + { + fprintf(f, " permitted nameConstraints:\n"); + first = FALSE; + } + fprintf(f, " %Y\n", id); + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_name_constraint_enumerator(x509, FALSE); + while (enumerator->enumerate(enumerator, &id)) + { + if (first) + { + fprintf(f, " excluded nameConstraints:\n"); + first = FALSE; + } + fprintf(f, " %Y\n", id); + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_cert_policy_enumerator(x509); + while (enumerator->enumerate(enumerator, &policy)) + { + char *oid; + + if (first) + { + fprintf(f, " certificatePolicies:\n"); + first = FALSE; + } + oid = asn1_oid_to_string(policy->oid); + if (oid) + { + fprintf(f, " %s\n", oid); + free(oid); + } + else + { + fprintf(f, " %#B\n", &policy->oid); + } + if (policy->cps_uri) + { + fprintf(f, " CPS: %s\n", policy->cps_uri); + } + if (policy->unotice_text) + { + fprintf(f, " Notice: %s\n", policy->unotice_text); + } + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_policy_mapping_enumerator(x509); + while (enumerator->enumerate(enumerator, &mapping)) + { + char *issuer_oid, *subject_oid; + + if (first) + { + fprintf(f, " policyMappings:\n"); + first = FALSE; + } + issuer_oid = asn1_oid_to_string(mapping->issuer); + subject_oid = asn1_oid_to_string(mapping->subject); + fprintf(f, " %s => %s\n", issuer_oid, subject_oid); + free(issuer_oid); + free(subject_oid); + } + enumerator->destroy(enumerator); + + explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY); + inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING); + len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY); + + if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT || + len != X509_NO_CONSTRAINT) + { + fprintf(f, " policyConstraints:\n"); + if (explicit != X509_NO_CONSTRAINT) + { + fprintf(f, " requireExplicitPolicy: %d\n", explicit); + } + if (inhibit != X509_NO_CONSTRAINT) + { + fprintf(f, " inhibitPolicyMapping: %d\n", inhibit); + } + if (len != X509_NO_CONSTRAINT) + { + fprintf(f, " inhibitAnyPolicy: %d\n", len); + } + } + + if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS) + { + first = TRUE; + fprintf(f, " addresses: "); + enumerator = x509->create_ipAddrBlock_enumerator(x509); + while (enumerator->enumerate(enumerator, &block)) + { + if (first) + { + first = FALSE; + } + else + { + fprintf(f, ", "); + } + fprintf(f, "%R", block); + } + enumerator->destroy(enumerator); + fprintf(f, "\n"); + } + } + + chunk = x509->get_authKeyIdentifier(x509); + if (chunk.ptr) + { + fprintf(f, " authkeyId: %#B\n", &chunk); + } + + chunk = x509->get_subjectKeyIdentifier(x509); + if (chunk.ptr) + { + fprintf(f, " subjkeyId: %#B\n", &chunk); + } +} + +/** + * Print CRL specific information + */ +static void print_crl(private_certificate_printer_t *this, crl_t *crl) +{ + enumerator_t *enumerator; + time_t ts; + crl_reason_t reason; + chunk_t chunk; + int count = 0; + bool first; + char buf[64]; + x509_cdp_t *cdp; + FILE *f = this->f; + + chunk = chunk_skip_zero(crl->get_serial(crl)); + fprintf(f, " serial: %#B\n", &chunk); + + if (crl->is_delta_crl(crl, &chunk)) + { + chunk = chunk_skip_zero(chunk); + fprintf(f, " delta CRL: for serial %#B\n", &chunk); + } + chunk = crl->get_authKeyIdentifier(crl); + fprintf(f, " authKeyId: %#B\n", &chunk); + + first = TRUE; + enumerator = crl->create_delta_crl_uri_enumerator(crl); + while (enumerator->enumerate(enumerator, &cdp)) + { + if (first) + { + fprintf(f, " freshest: %s", cdp->uri); + first = FALSE; + } + else + { + fprintf(f, " %s", cdp->uri); + } + if (cdp->issuer) + { + fprintf(f, " (CRL issuer: %Y)", cdp->issuer); + } + fprintf(f, "\n"); + } + enumerator->destroy(enumerator); + + enumerator = crl->create_enumerator(crl); + while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) + { + count++; + } + enumerator->destroy(enumerator); + + fprintf(f, " %d revoked certificate%s%s\n", count, (count == 1) ? "" : "s", + (count && this->detailed) ? ":" : ""); + + if (this->detailed) + { + enumerator = crl->create_enumerator(crl); + while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) + { + chunk = chunk_skip_zero(chunk); + fprintf(f, " %#B: %T, %N\n", &chunk, &ts, this->utc, + crl_reason_names, reason); + } + enumerator->destroy(enumerator); + } +} + +/** + * Print AC specific information + */ +static void print_ac(private_certificate_printer_t *this, ac_t *ac) +{ + ac_group_type_t type; + identification_t *id; + enumerator_t *groups; + chunk_t chunk; + bool first = TRUE; + FILE *f = this->f; + + chunk = chunk_skip_zero(ac->get_serial(ac)); + fprintf(f, " serial: %#B\n", &chunk); + + id = ac->get_holderIssuer(ac); + if (id) + { + fprintf(f, " hissuer: \"%Y\"\n", id); + } + chunk = chunk_skip_zero(ac->get_holderSerial(ac)); + if (chunk.ptr) + { + fprintf(f, " hserial: %#B\n", &chunk); + } + groups = ac->create_group_enumerator(ac); + while (groups->enumerate(groups, &type, &chunk)) + { + int oid; + char *str; + + if (first) + { + fprintf(f, " groups: "); + first = FALSE; + } + else + { + fprintf(f, " "); + } + switch (type) + { + case AC_GROUP_TYPE_STRING: + fprintf(f, "%.*s", (int)chunk.len, chunk.ptr); + break; + case AC_GROUP_TYPE_OID: + oid = asn1_known_oid(chunk); + if (oid == OID_UNKNOWN) + { + str = asn1_oid_to_string(chunk); + if (str) + { + fprintf(f, "%s", str); + free(str); + } + else + { + fprintf(f, "OID:%#B", &chunk); + } + } + else + { + fprintf(f, "%s", oid_names[oid].name); + } + break; + case AC_GROUP_TYPE_OCTETS: + fprintf(f, "%#B", &chunk); + break; + } + fprintf(f, "\n"); + } + groups->destroy(groups); + + chunk = ac->get_authKeyIdentifier(ac); + if (chunk.ptr) + { + fprintf(f, " authkey: %#B\n", &chunk); + } +} + +/** + * Print public key information + */ +static void print_pubkey(private_certificate_printer_t *this, public_key_t *key, + bool has_privkey) +{ + chunk_t chunk; + FILE *f = this->f; + + fprintf(f, " pubkey: %N %d bits", key_type_names, key->get_type(key), + key->get_keysize(key)); + if (has_privkey) + { + fprintf(f, ", has private key"); + } + fprintf(f, "\n"); + if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk)) + { + fprintf(f, " keyid: %#B\n", &chunk); + } + if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk)) + { + fprintf(f, " subjkey: %#B\n", &chunk); + } +} + +METHOD(certificate_printer_t, print, void, + private_certificate_printer_t *this, certificate_t *cert, bool has_privkey) +{ + time_t now, notAfter, notBefore; + certificate_type_t type; + identification_t *subject; + public_key_t *key; + FILE *f = this->f; + + now = time(NULL); + type = cert->get_type(cert); + subject = cert->get_subject(cert); + + if ((type != CERT_X509_CRL && type != CERT_X509_OCSP_RESPONSE && + type != CERT_TRUSTED_PUBKEY) || + (type == CERT_TRUSTED_PUBKEY && subject->get_type(subject) != ID_KEY_ID)) + { + fprintf(f, " subject: \"%Y\"\n", subject); + } + if (cert->get_type(cert) != CERT_TRUSTED_PUBKEY) + { + fprintf(f, " issuer: \"%Y\"\n", cert->get_issuer(cert)); + } + + /* list validity if set */ + cert->get_validity(cert, &now, ¬Before, ¬After); + if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME) + { + fprintf(f, " validity: not before %T, ", ¬Before, this->utc); + if (now < notBefore) + { + fprintf(f, "not valid yet (valid in %V)\n", &now, ¬Before); + } + else + { + fprintf(f, "ok\n"); + } + fprintf(f, " not after %T, ", ¬After, this->utc); + if (now > notAfter) + { + fprintf(f, "expired (%V ago)\n", &now, ¬After); + } + else + { + fprintf(f, "ok (expires in %V)\n", &now, ¬After); + } + } + + switch (cert->get_type(cert)) + { + case CERT_X509: + print_x509(this, (x509_t*)cert); + break; + case CERT_X509_CRL: + print_crl(this, (crl_t*)cert); + break; + case CERT_X509_AC: + print_ac(this, (ac_t*)cert); + break; + case CERT_X509_OCSP_RESPONSE: + case CERT_TRUSTED_PUBKEY: + default: + break; + } + key = cert->get_public_key(cert); + if (key) + { + print_pubkey(this, key, has_privkey); + key->destroy(key); + } +} + +METHOD(certificate_printer_t, destroy, void, + private_certificate_printer_t *this) +{ + free(this); +} + +/** + * See header + */ +certificate_printer_t *certificate_printer_create(FILE *f, bool detailed, + bool utc) +{ + private_certificate_printer_t *this; + + INIT(this, + .public = { + .print = _print, + .destroy = _destroy, + }, + .f = f, + .detailed = detailed, + .utc = utc, + ); + + return &this->public; +} diff --git a/src/libstrongswan/credentials/certificates/certificate_printer.h b/src/libstrongswan/credentials/certificates/certificate_printer.h new file mode 100644 index 000000000..f11b77ef6 --- /dev/null +++ b/src/libstrongswan/credentials/certificates/certificate_printer.h @@ -0,0 +1,60 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup certificate_printer certificate_printer + * @{ @ingroup certificates + */ + +#ifndef CERTIFICATE_PRINTER_H_ +#define CERTIFICATE_PRINTER_H_ + +typedef struct certificate_printer_t certificate_printer_t; + +#include "credentials/certificates/certificate.h" + +#include + +/** + * An object for printing certificate information. + */ +struct certificate_printer_t { + + /** + * Print a certificate. + * + * @cert certificate to be printed + * @has_privkey indicates that certificate has a matching private key + */ + void (*print)(certificate_printer_t *this, certificate_t *cert, + bool has_privkey); + + /** + * Destroy the certificate_printer object. + */ + void (*destroy)(certificate_printer_t *this); +}; + +/** + * Create a certificate_printer object + * + * @param f file where print output is directed to (usually stdout) + * @param detailed print more detailed certificate information + * @param utc print time inforamtion in UTC + */ +certificate_printer_t* certificate_printer_create(FILE *f, bool detailed, + bool utc); + +#endif /** CERTIFICATE_PRINTER_H_ @}*/ diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c index fa69de133..c367a21a9 100644 --- a/src/pki/commands/print.c +++ b/src/pki/commands/print.c @@ -2,6 +2,9 @@ * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your @@ -15,51 +18,32 @@ #include "pki.h" -#include -#include #include -#include -#include -#include -#include +#include -#include #include -/** - * Print public key information - */ -static void print_pubkey(public_key_t *key) -{ - chunk_t chunk; - key_type_t type; - - type = key->get_type(key); - printf("pubkey: %N %d bits%s\n", key_type_names, type, - key->get_keysize(key), (type == KEY_BLISS) ? " strength" : ""); - - if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk)) - { - printf("keyid: %#B\n", &chunk); - } - if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk)) - { - printf("subjkey: %#B\n", &chunk); - } -} - /** * Print private key information */ static void print_key(private_key_t *key) { public_key_t *public; + chunk_t chunk; public = key->get_public_key(key); if (public) { - printf("private key with:\n"); - print_pubkey(public); + printf(" privkey: %N %d bits\n", key_type_names, + public->get_type(public), public->get_keysize(public)); + if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk)) + { + printf(" keyid: %#B\n", &chunk); + } + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk)) + { + printf(" subjkey: %#B\n", &chunk); + } public->destroy(public); } else @@ -68,490 +52,6 @@ static void print_key(private_key_t *key) } } -/** - * Get a prefix for a named constraint identity type - */ -static char* get_type_pfx(identification_t *id) -{ - switch (id->get_type(id)) - { - case ID_RFC822_ADDR: - return "email:"; - case ID_FQDN: - return "dns:"; - default: - return ""; - } -} - -/** - * Print X509 specific certificate information - */ -static void print_x509(x509_t *x509) -{ - enumerator_t *enumerator; - identification_t *id; - traffic_selector_t *block; - chunk_t chunk; - bool first; - char *uri; - int len, explicit, inhibit; - x509_flag_t flags; - x509_cdp_t *cdp; - x509_cert_policy_t *policy; - x509_policy_mapping_t *mapping; - - chunk = chunk_skip_zero(x509->get_serial(x509)); - printf("serial: %#B\n", &chunk); - - first = TRUE; - enumerator = x509->create_subjectAltName_enumerator(x509); - while (enumerator->enumerate(enumerator, &id)) - { - if (first) - { - printf("altNames: "); - first = FALSE; - } - else - { - printf(", "); - } - printf("%Y", id); - } - if (!first) - { - printf("\n"); - } - enumerator->destroy(enumerator); - - flags = x509->get_flags(x509); - printf("flags: "); - if (flags & X509_CA) - { - printf("CA "); - } - if (flags & X509_CRL_SIGN) - { - printf("CRLSign "); - } - if (flags & X509_AA) - { - printf("AA "); - } - if (flags & X509_OCSP_SIGNER) - { - printf("OCSP "); - } - if (flags & X509_AA) - { - printf("AA "); - } - if (flags & X509_SERVER_AUTH) - { - printf("serverAuth "); - } - if (flags & X509_CLIENT_AUTH) - { - printf("clientAuth "); - } - if (flags & X509_IKE_INTERMEDIATE) - { - printf("iKEIntermediate "); - } - if (flags & X509_MS_SMARTCARD_LOGON) - { - printf("msSmartcardLogon "); - } - if (flags & X509_SELF_SIGNED) - { - printf("self-signed "); - } - printf("\n"); - - first = TRUE; - enumerator = x509->create_crl_uri_enumerator(x509); - while (enumerator->enumerate(enumerator, &cdp)) - { - if (first) - { - printf("CRL URIs: %s", cdp->uri); - first = FALSE; - } - else - { - printf(" %s", cdp->uri); - } - if (cdp->issuer) - { - printf(" (CRL issuer: %Y)", cdp->issuer); - } - printf("\n"); - } - enumerator->destroy(enumerator); - - first = TRUE; - enumerator = x509->create_ocsp_uri_enumerator(x509); - while (enumerator->enumerate(enumerator, &uri)) - { - if (first) - { - printf("OCSP URIs: %s\n", uri); - first = FALSE; - } - else - { - printf(" %s\n", uri); - } - } - enumerator->destroy(enumerator); - - len = x509->get_constraint(x509, X509_PATH_LEN); - if (len != X509_NO_CONSTRAINT) - { - printf("pathlen: %d\n", len); - } - - first = TRUE; - enumerator = x509->create_name_constraint_enumerator(x509, TRUE); - while (enumerator->enumerate(enumerator, &id)) - { - if (first) - { - printf("Permitted NameConstraints:\n"); - first = FALSE; - } - printf(" %s%Y\n", get_type_pfx(id), id); - } - enumerator->destroy(enumerator); - first = TRUE; - enumerator = x509->create_name_constraint_enumerator(x509, FALSE); - while (enumerator->enumerate(enumerator, &id)) - { - if (first) - { - printf("Excluded NameConstraints:\n"); - first = FALSE; - } - printf(" %s%Y\n", get_type_pfx(id), id); - } - enumerator->destroy(enumerator); - - first = TRUE; - enumerator = x509->create_cert_policy_enumerator(x509); - while (enumerator->enumerate(enumerator, &policy)) - { - char *oid; - - if (first) - { - printf("CertificatePolicies:\n"); - first = FALSE; - } - oid = asn1_oid_to_string(policy->oid); - if (oid) - { - printf(" %s\n", oid); - free(oid); - } - else - { - printf(" %#B\n", &policy->oid); - } - if (policy->cps_uri) - { - printf(" CPS: %s\n", policy->cps_uri); - } - if (policy->unotice_text) - { - printf(" Notice: %s\n", policy->unotice_text); - - } - } - enumerator->destroy(enumerator); - - first = TRUE; - enumerator = x509->create_policy_mapping_enumerator(x509); - while (enumerator->enumerate(enumerator, &mapping)) - { - char *issuer_oid, *subject_oid; - - if (first) - { - printf("PolicyMappings:\n"); - first = FALSE; - } - issuer_oid = asn1_oid_to_string(mapping->issuer); - subject_oid = asn1_oid_to_string(mapping->subject); - printf(" %s => %s\n", issuer_oid, subject_oid); - free(issuer_oid); - free(subject_oid); - } - enumerator->destroy(enumerator); - - explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY); - inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING); - len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY); - - if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT || - len != X509_NO_CONSTRAINT) - { - printf("PolicyConstraints:\n"); - if (explicit != X509_NO_CONSTRAINT) - { - printf(" requireExplicitPolicy: %d\n", explicit); - } - if (inhibit != X509_NO_CONSTRAINT) - { - printf(" inhibitPolicyMapping: %d\n", inhibit); - } - if (len != X509_NO_CONSTRAINT) - { - printf(" inhibitAnyPolicy: %d\n", len); - } - } - - chunk = x509->get_authKeyIdentifier(x509); - if (chunk.ptr) - { - printf("authkeyId: %#B\n", &chunk); - } - - chunk = x509->get_subjectKeyIdentifier(x509); - if (chunk.ptr) - { - printf("subjkeyId: %#B\n", &chunk); - } - if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS) - { - first = TRUE; - printf("addresses: "); - enumerator = x509->create_ipAddrBlock_enumerator(x509); - while (enumerator->enumerate(enumerator, &block)) - { - if (first) - { - first = FALSE; - } - else - { - printf(", "); - } - printf("%R", block); - } - enumerator->destroy(enumerator); - printf("\n"); - } -} - -/** - * Print CRL specific information - */ -static void print_crl(crl_t *crl) -{ - enumerator_t *enumerator; - time_t ts; - crl_reason_t reason; - chunk_t chunk; - int count = 0; - bool first; - char buf[64]; - struct tm tm; - x509_cdp_t *cdp; - - chunk = chunk_skip_zero(crl->get_serial(crl)); - printf("serial: %#B\n", &chunk); - - if (crl->is_delta_crl(crl, &chunk)) - { - chunk = chunk_skip_zero(chunk); - printf("delta CRL: for serial %#B\n", &chunk); - } - chunk = crl->get_authKeyIdentifier(crl); - printf("authKeyId: %#B\n", &chunk); - - first = TRUE; - enumerator = crl->create_delta_crl_uri_enumerator(crl); - while (enumerator->enumerate(enumerator, &cdp)) - { - if (first) - { - printf("freshest: %s", cdp->uri); - first = FALSE; - } - else - { - printf(" %s", cdp->uri); - } - if (cdp->issuer) - { - printf(" (CRL issuer: %Y)", cdp->issuer); - } - printf("\n"); - } - enumerator->destroy(enumerator); - - enumerator = crl->create_enumerator(crl); - while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) - { - count++; - } - enumerator->destroy(enumerator); - - printf("%d revoked certificate%s%s\n", count, - count == 1 ? "" : "s", count ? ":" : ""); - enumerator = crl->create_enumerator(crl); - while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) - { - chunk = chunk_skip_zero(chunk); - localtime_r(&ts, &tm); - strftime(buf, sizeof(buf), "%F %T", &tm); - printf(" %#B %N %s\n", &chunk, crl_reason_names, reason, buf); - count++; - } - enumerator->destroy(enumerator); -} - -/** - * Print AC specific information - */ -static void print_ac(ac_t *ac) -{ - ac_group_type_t type; - identification_t *id; - enumerator_t *groups; - chunk_t chunk; - bool first = TRUE; - - chunk = chunk_skip_zero(ac->get_serial(ac)); - printf("serial: %#B\n", &chunk); - - id = ac->get_holderIssuer(ac); - if (id) - { - printf("hissuer: \"%Y\"\n", id); - } - chunk = chunk_skip_zero(ac->get_holderSerial(ac)); - if (chunk.ptr) - { - printf("hserial: %#B\n", &chunk); - } - groups = ac->create_group_enumerator(ac); - while (groups->enumerate(groups, &type, &chunk)) - { - int oid; - char *str; - - if (first) - { - printf("groups: "); - first = FALSE; - } - else - { - printf(" "); - } - switch (type) - { - case AC_GROUP_TYPE_STRING: - printf("%.*s", (int)chunk.len, chunk.ptr); - break; - case AC_GROUP_TYPE_OID: - oid = asn1_known_oid(chunk); - if (oid == OID_UNKNOWN) - { - str = asn1_oid_to_string(chunk); - if (str) - { - printf("%s", str); - free(str); - } - else - { - printf("OID:%#B", &chunk); - } - } - else - { - printf("%s", oid_names[oid].name); - } - break; - case AC_GROUP_TYPE_OCTETS: - printf("%#B", &chunk); - break; - } - printf("\n"); - } - groups->destroy(groups); - - chunk = ac->get_authKeyIdentifier(ac); - if (chunk.ptr) - { - printf("authkey: %#B\n", &chunk); - } -} - -/** - * Print certificate information - */ -static void print_cert(certificate_t *cert) -{ - time_t now, notAfter, notBefore; - public_key_t *key; - - now = time(NULL); - - printf("cert: %N\n", certificate_type_names, cert->get_type(cert)); - if (cert->get_type(cert) != CERT_X509_CRL) - { - printf("subject: \"%Y\"\n", cert->get_subject(cert)); - } - printf("issuer: \"%Y\"\n", cert->get_issuer(cert)); - - cert->get_validity(cert, &now, ¬Before, ¬After); - printf("validity: not before %T, ", ¬Before, FALSE); - if (now < notBefore) - { - printf("not valid yet (valid in %V)\n", &now, ¬Before); - } - else - { - printf("ok\n"); - } - printf(" not after %T, ", ¬After, FALSE); - if (now > notAfter) - { - printf("expired (%V ago)\n", &now, ¬After); - } - else - { - printf("ok (expires in %V)\n", &now, ¬After); - } - - switch (cert->get_type(cert)) - { - case CERT_X509: - print_x509((x509_t*)cert); - break; - case CERT_X509_CRL: - print_crl((crl_t*)cert); - break; - case CERT_X509_AC: - print_ac((ac_t*)cert); - break; - default: - printf("parsing certificate subtype %N not implemented\n", - certificate_type_names, cert->get_type(cert)); - break; - } - key = cert->get_public_key(cert); - if (key) - { - print_pubkey(key); - key->destroy(key); - } -} - /** * Print a credential in a human readable form */ @@ -586,8 +86,8 @@ static int print() } else if (streq(arg, "pub")) { - type = CRED_PUBLIC_KEY; - subtype = KEY_ANY; + type = CRED_CERTIFICATE; + subtype = CERT_TRUSTED_PUBKEY; } else if (streq(arg, "rsa-priv")) { @@ -647,17 +147,13 @@ static int print() if (type == CRED_CERTIFICATE) { certificate_t *cert = (certificate_t*)cred; + certificate_printer_t *printer; - print_cert(cert); + printer = certificate_printer_create(stdout, TRUE, FALSE); + printer->print(printer, cert, FALSE); + printer->destroy(printer); cert->destroy(cert); } - if (type == CRED_PUBLIC_KEY) - { - public_key_t *key = (public_key_t*)cred; - - print_pubkey(key); - key->destroy(key); - } if (type == CRED_PRIVATE_KEY) { private_key_t *key = (private_key_t*)cred; @@ -665,6 +161,7 @@ static int print() print_key(key); key->destroy(key); } + return 0; }