* Copyright (C) 2008 Martin Willi
* Hochschule fuer Technik Rapperswil
*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
#include <collections/linked_list.h>
#include <plugins/plugin.h>
#include <credentials/certificates/x509.h>
-#include <credentials/certificates/ac.h>
-#include <credentials/certificates/crl.h>
#include <credentials/certificates/pgp_certificate.h>
+#include <credentials/certificates/certificate_printer.h>
#include <config/peer_cfg.h>
-#include <asn1/asn1.h>
-#include <asn1/oid.h>
-
-/* warning intervals for list functions */
-#define CERT_WARNING_INTERVAL 30 /* days */
-#define CRL_WARNING_INTERVAL 7 /* days */
-#define AC_WARNING_INTERVAL 1 /* day */
typedef struct private_stroke_list_t private_stroke_list_t;
}
/**
- * Print a single public key.
+ * Is there a matching private key?
*/
-static void list_public_key(public_key_t *public, FILE *out)
+static bool has_privkey(certificate_t *cert)
{
+ public_key_t *public;
private_key_t *private = NULL;
chunk_t keyid;
identification_t *id;
+ public = cert->get_public_key(cert);
+ if (!public)
+ {
+ return FALSE;
+ }
if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
{
id = identification_create_from_encoding(ID_KEY_ID, keyid);
public->get_type(public), id, NULL);
id->destroy(id);
}
-
- fprintf(out, " pubkey: %N %d bits%s\n",
- key_type_names, public->get_type(public),
- public->get_keysize(public),
- private ? ", has private key" : "");
- if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
- {
- fprintf(out, " keyid: %#B\n", &keyid);
- }
- if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
- {
- fprintf(out, " subjkey: %#B\n", &keyid);
- }
+ public->destroy(public);
DESTROY_IF(private);
-}
-
-/**
- * list all raw public keys
- */
-static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
-{
- bool first = TRUE;
- time_t now = time(NULL), notBefore, notAfter;
- enumerator_t *enumerator;
- certificate_t *cert;
-
- enumerator = list->create_enumerator(list);
- while (enumerator->enumerate(enumerator, (void**)&cert))
- {
- identification_t *subject = cert->get_subject(cert);
- public_key_t *public = cert->get_public_key(cert);
-
- if (public)
- {
- if (first)
- {
- fprintf(out, "\n");
- fprintf(out, "List of Raw Public Keys:\n");
- first = FALSE;
- }
- fprintf(out, "\n");
-
- /* list subject if available */
- if (subject->get_type(subject) != ID_KEY_ID)
- {
- fprintf(out, " subject: %#Y\n", subject);
- }
-
- /* list validity if available*/
- cert->get_validity(cert, &now, ¬Before, ¬After);
- if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME)
- {
- fprintf(out, " validity: not before %T, ", ¬Before, utc);
- if (now < notBefore)
- {
- fprintf(out, "not valid yet (valid in %V)\n", &now, ¬Before);
- }
- else
- {
- fprintf(out, "ok\n");
- }
- fprintf(out, " not after %T, ", ¬After, utc);
- if (now > notAfter)
- {
- fprintf(out, "expired (%V ago)\n", &now, ¬After);
- }
- else
- {
- fprintf(out, "ok");
- if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
- {
- fprintf(out, " (expires in %V)", &now, ¬After);
- }
- fprintf(out, " \n");
- }
- }
- list_public_key(public, out);
- public->destroy(public);
- }
- }
- enumerator->destroy(enumerator);
+ return (private != NULL);
}
/**
* list OpenPGP certificates
*/
-static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out)
+static void stroke_list_pgp_certs(linked_list_t *list, char *label,
+ bool utc, FILE *out)
{
bool first = TRUE;
time_t now = time(NULL);
enumerator_t *enumerator = list->create_enumerator(list);
certificate_t *cert;
+ chunk_t keyid;
while (enumerator->enumerate(enumerator, (void**)&cert))
{
if (first)
{
-
fprintf(out, "\n");
- fprintf(out, "List of PGP End Entity Certificates:\n");
- first = FALSE;
+ fprintf(out, "List of %ss:\n", label);
+ first = FALSE;
}
fprintf(out, "\n");
fprintf(out, " userid: '%Y'\n", cert->get_subject(cert));
-
fprintf(out, " digest: %#B\n", &fingerprint);
/* list validity */
public = cert->get_public_key(cert);
if (public)
{
- list_public_key(public, out);
+ fprintf(out, " pubkey: %N %d bits%s\n",
+ key_type_names, public->get_type(public),
+ public->get_keysize(public),
+ has_privkey(cert) ? ", has private key" : "");
+
+ if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
+ {
+ fprintf(out, " keyid: %#B\n", &keyid);
+ }
+ if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
+ {
+ fprintf(out, " subjkey: %#B\n", &keyid);
+ }
public->destroy(public);
}
}
/**
* list all X.509 certificates matching the flags
*/
-static void stroke_list_certs(linked_list_t *list, char *label,
- x509_flag_t flags, bool utc, FILE *out)
+static void stroke_list_x509_certs(linked_list_t *list, char *label,
+ x509_flag_t flags, bool utc, FILE *out)
{
bool first = TRUE;
- time_t now = time(NULL);
enumerator_t *enumerator;
certificate_t *cert;
+ certificate_printer_t *printer;
x509_flag_t flag_mask;
+ printer = certificate_printer_create(out, TRUE, utc),
+
/* mask all auxiliary flags */
flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH | X509_IKE_INTERMEDIATE |
X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS);
/* list only if flag is set or flag == 0 */
if ((x509_flags & flags) || (x509_flags == flags))
{
- enumerator_t *enumerator;
- identification_t *altName;
- bool first_altName = TRUE;
- u_int pathlen;
- chunk_t serial, authkey;
- time_t notBefore, notAfter;
- public_key_t *public;
-
if (first)
{
fprintf(out, "\n");
- fprintf(out, "List of %s:\n", label);
+ fprintf(out, "List of %ss:\n", label);
first = FALSE;
}
fprintf(out, "\n");
-
- /* list subjectAltNames */
- enumerator = x509->create_subjectAltName_enumerator(x509);
- while (enumerator->enumerate(enumerator, (void**)&altName))
- {
- if (first_altName)
- {
- fprintf(out, " altNames: ");
- first_altName = FALSE;
- }
- else
- {
- fprintf(out, ", ");
- }
- fprintf(out, "%Y", altName);
- }
- if (!first_altName)
- {
- fprintf(out, "\n");
- }
- enumerator->destroy(enumerator);
-
- fprintf(out, " subject: \"%Y\"\n", cert->get_subject(cert));
- fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert));
- serial = chunk_skip_zero(x509->get_serial(x509));
- fprintf(out, " serial: %#B\n", &serial);
-
- /* list validity */
- cert->get_validity(cert, &now, ¬Before, ¬After);
- fprintf(out, " validity: not before %T, ", ¬Before, utc);
- if (now < notBefore)
- {
- fprintf(out, "not valid yet (valid in %V)\n", &now, ¬Before);
- }
- else
- {
- fprintf(out, "ok\n");
- }
- fprintf(out, " not after %T, ", ¬After, utc);
- if (now > notAfter)
- {
- fprintf(out, "expired (%V ago)\n", &now, ¬After);
- }
- else
- {
- fprintf(out, "ok");
- if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
- {
- fprintf(out, " (expires in %V)", &now, ¬After);
- }
- fprintf(out, " \n");
- }
-
- public = cert->get_public_key(cert);
- if (public)
- {
- list_public_key(public, out);
- public->destroy(public);
- }
-
- /* list optional authorityKeyIdentifier */
- authkey = x509->get_authKeyIdentifier(x509);
- if (authkey.ptr)
- {
- fprintf(out, " authkey: %#B\n", &authkey);
- }
-
- /* list optional pathLenConstraint */
- pathlen = x509->get_constraint(x509, X509_PATH_LEN);
- if (pathlen != X509_NO_CONSTRAINT)
- {
- fprintf(out, " pathlen: %u\n", pathlen);
- }
-
- /* list optional ipAddrBlocks */
- if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
- {
- traffic_selector_t *ipAddrBlock;
- bool first_ipAddrBlock = TRUE;
-
- fprintf(out, " addresses: ");
- enumerator = x509->create_ipAddrBlock_enumerator(x509);
- while (enumerator->enumerate(enumerator, &ipAddrBlock))
- {
- if (first_ipAddrBlock)
- {
- first_ipAddrBlock = FALSE;
- }
- else
- {
- fprintf(out, ", ");
- }
- fprintf(out, "%R", ipAddrBlock);
- }
- enumerator->destroy(enumerator);
- fprintf(out, "\n");
- }
+ printer->print(printer, cert, has_privkey(cert));
}
}
enumerator->destroy(enumerator);
+
+ printer->destroy(printer);
}
/**
- * list all X.509 attribute certificates
+ * list all other certificates types
*/
-static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
+static void stroke_list_other_certs(linked_list_t *list, char *label,
+ bool utc, FILE *out)
{
bool first = TRUE;
- time_t notBefore, notAfter, now = time(NULL);
enumerator_t *enumerator;
certificate_t *cert;
+ certificate_printer_t *printer;
+
+ printer = certificate_printer_create(out, TRUE, utc),
enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, &cert))
{
- ac_t *ac = (ac_t*)cert;
- ac_group_type_t type;
- identification_t *id;
- enumerator_t *groups;
- chunk_t chunk;
- bool firstgroup = TRUE;
-
- if (first)
- {
- fprintf(out, "\n");
- fprintf(out, "List of X.509 Attribute Certificates:\n");
- first = FALSE;
- }
- fprintf(out, "\n");
-
- id = cert->get_subject(cert);
- if (id)
- {
- fprintf(out, " holder: \"%Y\"\n", id);
- }
- id = ac->get_holderIssuer(ac);
- if (id)
- {
- fprintf(out, " hissuer: \"%Y\"\n", id);
- }
- chunk = chunk_skip_zero(ac->get_holderSerial(ac));
- if (chunk.ptr)
- {
- fprintf(out, " hserial: %#B\n", &chunk);
- }
- groups = ac->create_group_enumerator(ac);
- while (groups->enumerate(groups, &type, &chunk))
- {
- int oid;
- char *str;
-
- if (firstgroup)
- {
- fprintf(out, " groups: ");
- firstgroup = FALSE;
- }
- else
- {
- fprintf(out, " ");
- }
- switch (type)
- {
- case AC_GROUP_TYPE_STRING:
- fprintf(out, "%.*s", (int)chunk.len, chunk.ptr);
- break;
- case AC_GROUP_TYPE_OID:
- oid = asn1_known_oid(chunk);
- if (oid == OID_UNKNOWN)
- {
- str = asn1_oid_to_string(chunk);
- if (str)
- {
- fprintf(out, "%s", str);
- free(str);
- }
- else
- {
- fprintf(out, "OID:%#B", &chunk);
- }
- }
- else
- {
- fprintf(out, "%s", oid_names[oid].name);
- }
- break;
- case AC_GROUP_TYPE_OCTETS:
- fprintf(out, "%#B", &chunk);
- break;
- }
- fprintf(out, "\n");
- }
- groups->destroy(groups);
- fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert));
- chunk = chunk_skip_zero(ac->get_serial(ac));
- fprintf(out, " serial: %#B\n", &chunk);
-
- /* list validity */
- cert->get_validity(cert, &now, ¬Before, ¬After);
- fprintf(out, " validity: not before %T, ", ¬Before, utc);
- if (now < notBefore)
- {
- fprintf(out, "not valid yet (valid in %V)\n", &now, ¬Before);
- }
- else
- {
- fprintf(out, "ok\n");
- }
- fprintf(out, " not after %T, ", ¬After, utc);
- if (now > notAfter)
- {
- fprintf(out, "expired (%V ago)\n", &now, ¬After);
- }
- else
- {
- fprintf(out, "ok");
- if (now > notAfter - AC_WARNING_INTERVAL * 60 * 60 * 24)
- {
- fprintf(out, " (expires in %V)", &now, ¬After);
- }
- fprintf(out, " \n");
- }
-
- /* list optional authorityKeyIdentifier */
- chunk = ac->get_authKeyIdentifier(ac);
- if (chunk.ptr)
- {
- fprintf(out, " authkey: %#B\n", &chunk);
- }
- }
- enumerator->destroy(enumerator);
-}
-
-/**
- * list all X.509 CRLs
- */
-static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
-{
- bool first = TRUE;
- time_t thisUpdate, nextUpdate, now = time(NULL);
- enumerator_t *enumerator = list->create_enumerator(list);
- certificate_t *cert;
-
- while (enumerator->enumerate(enumerator, (void**)&cert))
- {
- crl_t *crl = (crl_t*)cert;
- chunk_t chunk;
-
if (first)
{
fprintf(out, "\n");
- fprintf(out, "List of X.509 CRLs:\n");
+ fprintf(out, "List of %ss:\n", label);
first = FALSE;
}
fprintf(out, "\n");
-
- fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert));
-
- /* list optional crlNumber */
- chunk = chunk_skip_zero(crl->get_serial(crl));
- if (chunk.ptr)
- {
- fprintf(out, " serial: %#B\n", &chunk);
- }
- if (crl->is_delta_crl(crl, &chunk))
- {
- chunk = chunk_skip_zero(chunk);
- fprintf(out, " delta for: %#B\n", &chunk);
- }
-
- /* count the number of revoked certificates */
- {
- int count = 0;
- enumerator_t *enumerator = crl->create_enumerator(crl);
-
- while (enumerator->enumerate(enumerator, NULL, NULL, NULL))
- {
- count++;
- }
- fprintf(out, " revoked: %d certificate%s\n", count,
- (count == 1)? "" : "s");
- enumerator->destroy(enumerator);
- }
-
- /* list validity */
- cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
- fprintf(out, " updates: this %T\n", &thisUpdate, utc);
- fprintf(out, " next %T, ", &nextUpdate, utc);
- if (now > nextUpdate)
- {
- fprintf(out, "expired (%V ago)\n", &now, &nextUpdate);
- }
- else
- {
- fprintf(out, "ok");
- if (now > nextUpdate - CRL_WARNING_INTERVAL * 60 * 60 * 24)
- {
- fprintf(out, " (expires in %V)", &now, &nextUpdate);
- }
- fprintf(out, " \n");
- }
-
- /* list optional authorityKeyIdentifier */
- chunk = crl->get_authKeyIdentifier(crl);
- if (chunk.ptr)
- {
- fprintf(out, " authkey: %#B\n", &chunk);
- }
+ printer->print(printer, cert, has_privkey(cert));
}
enumerator->destroy(enumerator);
-}
-
-/**
- * list all OCSP responses
- */
-static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
-{
- bool first = TRUE, ok;
- enumerator_t *enumerator = list->create_enumerator(list);
- certificate_t *cert;
- time_t produced, usable, now = time(NULL);
-
- while (enumerator->enumerate(enumerator, (void**)&cert))
- {
- if (first)
- {
- fprintf(out, "\n");
- fprintf(out, "List of OCSP responses:\n");
- fprintf(out, "\n");
- first = FALSE;
- }
- fprintf(out, " signer: \"%Y\"\n", cert->get_issuer(cert));
- /* check validity */
- ok = cert->get_validity(cert, &now, &produced, &usable);
- fprintf(out, " validity: produced at %T\n", &produced, utc);
- fprintf(out, " usable till %T, ", &usable, utc);
- if (ok)
- {
- fprintf(out, "ok\n");
- }
- else
- {
- fprintf(out, "expired (%V ago)\n", &now, &usable);
- }
- }
- enumerator->destroy(enumerator);
+ printer->destroy(printer);
}
/**
{
linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY);
- stroke_list_pubkeys(pubkey_list, msg->list.utc, out);
+ stroke_list_other_certs(pubkey_list, "Raw Public Key",
+ msg->list.utc, out);
pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy));
}
if (msg->list.flags & LIST_CERTS)
{
linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG);
- stroke_list_pgp(pgp_list, msg->list.utc, out);
+ stroke_list_pgp_certs(pgp_list, "PGP End Entity Certificate",
+ msg->list.utc, out);
pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy));
}
if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS))
}
if (msg->list.flags & LIST_CERTS)
{
- stroke_list_certs(cert_list, "X.509 End Entity Certificates",
- X509_NONE, msg->list.utc, out);
+ stroke_list_x509_certs(cert_list, "X.509 End Entity Certificate",
+ X509_NONE, msg->list.utc, out);
}
if (msg->list.flags & LIST_CACERTS)
{
- stroke_list_certs(cert_list, "X.509 CA Certificates",
- X509_CA, msg->list.utc, out);
+ stroke_list_x509_certs(cert_list, "X.509 CA Certificate",
+ X509_CA, msg->list.utc, out);
}
if (msg->list.flags & LIST_OCSPCERTS)
{
- stroke_list_certs(cert_list, "X.509 OCSP Signer Certificates",
- X509_OCSP_SIGNER, msg->list.utc, out);
+ stroke_list_x509_certs(cert_list, "X.509 OCSP Signer Certificate",
+ X509_OCSP_SIGNER, msg->list.utc, out);
}
if (msg->list.flags & LIST_AACERTS)
{
- stroke_list_certs(cert_list, "X.509 AA Certificates",
- X509_AA, msg->list.utc, out);
+ stroke_list_x509_certs(cert_list, "X.509 AA Certificate",
+ X509_AA, msg->list.utc, out);
}
DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
{
linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC);
- stroke_list_acerts(ac_list, msg->list.utc, out);
+ stroke_list_other_certs(ac_list, "X.509 Attribute Certificate",
+ msg->list.utc, out);
ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy));
}
if (msg->list.flags & LIST_CRLS)
{
linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL);
- stroke_list_crls(crl_list, msg->list.utc, out);
+ stroke_list_other_certs(crl_list, "X.509 CRL",
+ msg->list.utc, out);
crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy));
}
if (msg->list.flags & LIST_OCSP)
{
linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE);
- stroke_list_ocsp(ocsp_list, msg->list.utc, out);
-
+ stroke_list_other_certs(ocsp_list, "OCSP Response",
+ msg->list.utc, out);
ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy));
}
if (msg->list.flags & LIST_ALGS)
credentials/keys/public_key.c credentials/keys/shared_key.c \
credentials/certificates/certificate.c credentials/certificates/crl.c \
credentials/certificates/ocsp_response.c \
+credentials/certificates/certificate_printer.c \
credentials/containers/container.c credentials/containers/pkcs12.c \
credentials/credential_manager.c \
credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \
credentials/certificates/ocsp_response.h \
credentials/certificates/pgp_certificate.h \
+credentials/certificates/certificate_printer.h \
credentials/containers/container.h credentials/containers/pkcs7.h \
credentials/containers/pkcs12.h \
credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
--- /dev/null
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "certificate_printer.h"
+#include "x509.h"
+#include "crl.h"
+#include "ac.h"
+
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+#include <selectors/traffic_selector.h>
+
+#include <time.h>
+
+typedef struct private_certificate_printer_t private_certificate_printer_t;
+
+/**
+ * Private data of an certificate_printer_t object.
+ */
+struct private_certificate_printer_t {
+
+ /**
+ * Public certificate_printer_t interface.
+ */
+ certificate_printer_t public;
+
+ /**
+ * File to print to
+ */
+ FILE *f;
+
+ /**
+ * Print detailed certificate information
+ */
+ bool detailed;
+
+ /**
+ * Print time information in UTC
+ */
+ bool utc;
+};
+
+/**
+ * Print X509 specific certificate information
+ */
+static void print_x509(private_certificate_printer_t *this, x509_t *x509)
+{
+ enumerator_t *enumerator;
+ identification_t *id;
+ traffic_selector_t *block;
+ chunk_t chunk;
+ bool first;
+ char *uri;
+ int len, explicit, inhibit;
+ x509_flag_t flags;
+ x509_cdp_t *cdp;
+ x509_cert_policy_t *policy;
+ x509_policy_mapping_t *mapping;
+ FILE *f = this->f;
+
+ chunk = chunk_skip_zero(x509->get_serial(x509));
+ fprintf(f, " serial: %#B\n", &chunk);
+
+ first = TRUE;
+ enumerator = x509->create_subjectAltName_enumerator(x509);
+ while (enumerator->enumerate(enumerator, &id))
+ {
+ if (first)
+ {
+ fprintf(f, " altNames: ");
+ first = FALSE;
+ }
+ else
+ {
+ fprintf(f, ", ");
+ }
+ fprintf(f, "%Y", id);
+ }
+ if (!first)
+ {
+ fprintf(f, "\n");
+ }
+ enumerator->destroy(enumerator);
+
+ if (this->detailed)
+ {
+ flags = x509->get_flags(x509);
+ if (flags != X509_NONE)
+ {
+ fprintf(f, " flags: ");
+ if (flags & X509_CA)
+ {
+ fprintf(f, "CA ");
+ }
+ if (flags & X509_CRL_SIGN)
+ {
+ fprintf(f, "CRLSign ");
+ }
+ if (flags & X509_OCSP_SIGNER)
+ {
+ fprintf(f, "ocspSigning ");
+ }
+ if (flags & X509_SERVER_AUTH)
+ {
+ fprintf(f, "serverAuth ");
+ }
+ if (flags & X509_CLIENT_AUTH)
+ {
+ fprintf(f, "clientAuth ");
+ }
+ if (flags & X509_IKE_INTERMEDIATE)
+ {
+ fprintf(f, "ikeIntermediate ");
+ }
+ if (flags & X509_MS_SMARTCARD_LOGON)
+ {
+ fprintf(f, "msSmartcardLogon");
+ }
+ if (flags & X509_SELF_SIGNED)
+ {
+ fprintf(f, "self-signed ");
+ }
+ fprintf(f, "\n");
+ }
+
+ first = TRUE;
+ enumerator = x509->create_crl_uri_enumerator(x509);
+ while (enumerator->enumerate(enumerator, &cdp))
+ {
+ if (first)
+ {
+ fprintf(f, " CRL URIs: %s", cdp->uri);
+ first = FALSE;
+ }
+ else
+ {
+ fprintf(f, " %s", cdp->uri);
+ }
+ if (cdp->issuer)
+ {
+ fprintf(f, " (CRL issuer: %Y)", cdp->issuer);
+ }
+ fprintf(f, "\n");
+ }
+ enumerator->destroy(enumerator);
+
+ first = TRUE;
+ enumerator = x509->create_ocsp_uri_enumerator(x509);
+ while (enumerator->enumerate(enumerator, &uri))
+ {
+ if (first)
+ {
+ fprintf(f, " OCSP URIs: %s\n", uri);
+ first = FALSE;
+ }
+ else
+ {
+ fprintf(f, " %s\n", uri);
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ len = x509->get_constraint(x509, X509_PATH_LEN);
+ if (len != X509_NO_CONSTRAINT)
+ {
+ fprintf(f, " pathlen: %d\n", len);
+ }
+
+ first = TRUE;
+ enumerator = x509->create_name_constraint_enumerator(x509, TRUE);
+ while (enumerator->enumerate(enumerator, &id))
+ {
+ if (first)
+ {
+ fprintf(f, " permitted nameConstraints:\n");
+ first = FALSE;
+ }
+ fprintf(f, " %Y\n", id);
+ }
+ enumerator->destroy(enumerator);
+
+ first = TRUE;
+ enumerator = x509->create_name_constraint_enumerator(x509, FALSE);
+ while (enumerator->enumerate(enumerator, &id))
+ {
+ if (first)
+ {
+ fprintf(f, " excluded nameConstraints:\n");
+ first = FALSE;
+ }
+ fprintf(f, " %Y\n", id);
+ }
+ enumerator->destroy(enumerator);
+
+ first = TRUE;
+ enumerator = x509->create_cert_policy_enumerator(x509);
+ while (enumerator->enumerate(enumerator, &policy))
+ {
+ char *oid;
+
+ if (first)
+ {
+ fprintf(f, " certificatePolicies:\n");
+ first = FALSE;
+ }
+ oid = asn1_oid_to_string(policy->oid);
+ if (oid)
+ {
+ fprintf(f, " %s\n", oid);
+ free(oid);
+ }
+ else
+ {
+ fprintf(f, " %#B\n", &policy->oid);
+ }
+ if (policy->cps_uri)
+ {
+ fprintf(f, " CPS: %s\n", policy->cps_uri);
+ }
+ if (policy->unotice_text)
+ {
+ fprintf(f, " Notice: %s\n", policy->unotice_text);
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ first = TRUE;
+ enumerator = x509->create_policy_mapping_enumerator(x509);
+ while (enumerator->enumerate(enumerator, &mapping))
+ {
+ char *issuer_oid, *subject_oid;
+
+ if (first)
+ {
+ fprintf(f, " policyMappings:\n");
+ first = FALSE;
+ }
+ issuer_oid = asn1_oid_to_string(mapping->issuer);
+ subject_oid = asn1_oid_to_string(mapping->subject);
+ fprintf(f, " %s => %s\n", issuer_oid, subject_oid);
+ free(issuer_oid);
+ free(subject_oid);
+ }
+ enumerator->destroy(enumerator);
+
+ explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
+ inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
+ len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
+
+ if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT ||
+ len != X509_NO_CONSTRAINT)
+ {
+ fprintf(f, " policyConstraints:\n");
+ if (explicit != X509_NO_CONSTRAINT)
+ {
+ fprintf(f, " requireExplicitPolicy: %d\n", explicit);
+ }
+ if (inhibit != X509_NO_CONSTRAINT)
+ {
+ fprintf(f, " inhibitPolicyMapping: %d\n", inhibit);
+ }
+ if (len != X509_NO_CONSTRAINT)
+ {
+ fprintf(f, " inhibitAnyPolicy: %d\n", len);
+ }
+ }
+
+ if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
+ {
+ first = TRUE;
+ fprintf(f, " addresses: ");
+ enumerator = x509->create_ipAddrBlock_enumerator(x509);
+ while (enumerator->enumerate(enumerator, &block))
+ {
+ if (first)
+ {
+ first = FALSE;
+ }
+ else
+ {
+ fprintf(f, ", ");
+ }
+ fprintf(f, "%R", block);
+ }
+ enumerator->destroy(enumerator);
+ fprintf(f, "\n");
+ }
+ }
+
+ chunk = x509->get_authKeyIdentifier(x509);
+ if (chunk.ptr)
+ {
+ fprintf(f, " authkeyId: %#B\n", &chunk);
+ }
+
+ chunk = x509->get_subjectKeyIdentifier(x509);
+ if (chunk.ptr)
+ {
+ fprintf(f, " subjkeyId: %#B\n", &chunk);
+ }
+}
+
+/**
+ * Print CRL specific information
+ */
+static void print_crl(private_certificate_printer_t *this, crl_t *crl)
+{
+ enumerator_t *enumerator;
+ time_t ts;
+ crl_reason_t reason;
+ chunk_t chunk;
+ int count = 0;
+ bool first;
+ char buf[64];
+ x509_cdp_t *cdp;
+ FILE *f = this->f;
+
+ chunk = chunk_skip_zero(crl->get_serial(crl));
+ fprintf(f, " serial: %#B\n", &chunk);
+
+ if (crl->is_delta_crl(crl, &chunk))
+ {
+ chunk = chunk_skip_zero(chunk);
+ fprintf(f, " delta CRL: for serial %#B\n", &chunk);
+ }
+ chunk = crl->get_authKeyIdentifier(crl);
+ fprintf(f, " authKeyId: %#B\n", &chunk);
+
+ first = TRUE;
+ enumerator = crl->create_delta_crl_uri_enumerator(crl);
+ while (enumerator->enumerate(enumerator, &cdp))
+ {
+ if (first)
+ {
+ fprintf(f, " freshest: %s", cdp->uri);
+ first = FALSE;
+ }
+ else
+ {
+ fprintf(f, " %s", cdp->uri);
+ }
+ if (cdp->issuer)
+ {
+ fprintf(f, " (CRL issuer: %Y)", cdp->issuer);
+ }
+ fprintf(f, "\n");
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = crl->create_enumerator(crl);
+ while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
+ {
+ count++;
+ }
+ enumerator->destroy(enumerator);
+
+ fprintf(f, " %d revoked certificate%s%s\n", count, (count == 1) ? "" : "s",
+ (count && this->detailed) ? ":" : "");
+
+ if (this->detailed)
+ {
+ enumerator = crl->create_enumerator(crl);
+ while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
+ {
+ chunk = chunk_skip_zero(chunk);
+ fprintf(f, " %#B: %T, %N\n", &chunk, &ts, this->utc,
+ crl_reason_names, reason);
+ }
+ enumerator->destroy(enumerator);
+ }
+}
+
+/**
+ * Print AC specific information
+ */
+static void print_ac(private_certificate_printer_t *this, ac_t *ac)
+{
+ ac_group_type_t type;
+ identification_t *id;
+ enumerator_t *groups;
+ chunk_t chunk;
+ bool first = TRUE;
+ FILE *f = this->f;
+
+ chunk = chunk_skip_zero(ac->get_serial(ac));
+ fprintf(f, " serial: %#B\n", &chunk);
+
+ id = ac->get_holderIssuer(ac);
+ if (id)
+ {
+ fprintf(f, " hissuer: \"%Y\"\n", id);
+ }
+ chunk = chunk_skip_zero(ac->get_holderSerial(ac));
+ if (chunk.ptr)
+ {
+ fprintf(f, " hserial: %#B\n", &chunk);
+ }
+ groups = ac->create_group_enumerator(ac);
+ while (groups->enumerate(groups, &type, &chunk))
+ {
+ int oid;
+ char *str;
+
+ if (first)
+ {
+ fprintf(f, " groups: ");
+ first = FALSE;
+ }
+ else
+ {
+ fprintf(f, " ");
+ }
+ switch (type)
+ {
+ case AC_GROUP_TYPE_STRING:
+ fprintf(f, "%.*s", (int)chunk.len, chunk.ptr);
+ break;
+ case AC_GROUP_TYPE_OID:
+ oid = asn1_known_oid(chunk);
+ if (oid == OID_UNKNOWN)
+ {
+ str = asn1_oid_to_string(chunk);
+ if (str)
+ {
+ fprintf(f, "%s", str);
+ free(str);
+ }
+ else
+ {
+ fprintf(f, "OID:%#B", &chunk);
+ }
+ }
+ else
+ {
+ fprintf(f, "%s", oid_names[oid].name);
+ }
+ break;
+ case AC_GROUP_TYPE_OCTETS:
+ fprintf(f, "%#B", &chunk);
+ break;
+ }
+ fprintf(f, "\n");
+ }
+ groups->destroy(groups);
+
+ chunk = ac->get_authKeyIdentifier(ac);
+ if (chunk.ptr)
+ {
+ fprintf(f, " authkey: %#B\n", &chunk);
+ }
+}
+
+/**
+ * Print public key information
+ */
+static void print_pubkey(private_certificate_printer_t *this, public_key_t *key,
+ bool has_privkey)
+{
+ chunk_t chunk;
+ FILE *f = this->f;
+
+ fprintf(f, " pubkey: %N %d bits", key_type_names, key->get_type(key),
+ key->get_keysize(key));
+ if (has_privkey)
+ {
+ fprintf(f, ", has private key");
+ }
+ fprintf(f, "\n");
+ if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
+ {
+ fprintf(f, " keyid: %#B\n", &chunk);
+ }
+ if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk))
+ {
+ fprintf(f, " subjkey: %#B\n", &chunk);
+ }
+}
+
+METHOD(certificate_printer_t, print, void,
+ private_certificate_printer_t *this, certificate_t *cert, bool has_privkey)
+{
+ time_t now, notAfter, notBefore;
+ certificate_type_t type;
+ identification_t *subject;
+ public_key_t *key;
+ FILE *f = this->f;
+
+ now = time(NULL);
+ type = cert->get_type(cert);
+ subject = cert->get_subject(cert);
+
+ if ((type != CERT_X509_CRL && type != CERT_X509_OCSP_RESPONSE &&
+ type != CERT_TRUSTED_PUBKEY) ||
+ (type == CERT_TRUSTED_PUBKEY && subject->get_type(subject) != ID_KEY_ID))
+ {
+ fprintf(f, " subject: \"%Y\"\n", subject);
+ }
+ if (cert->get_type(cert) != CERT_TRUSTED_PUBKEY)
+ {
+ fprintf(f, " issuer: \"%Y\"\n", cert->get_issuer(cert));
+ }
+
+ /* list validity if set */
+ cert->get_validity(cert, &now, ¬Before, ¬After);
+ if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME)
+ {
+ fprintf(f, " validity: not before %T, ", ¬Before, this->utc);
+ if (now < notBefore)
+ {
+ fprintf(f, "not valid yet (valid in %V)\n", &now, ¬Before);
+ }
+ else
+ {
+ fprintf(f, "ok\n");
+ }
+ fprintf(f, " not after %T, ", ¬After, this->utc);
+ if (now > notAfter)
+ {
+ fprintf(f, "expired (%V ago)\n", &now, ¬After);
+ }
+ else
+ {
+ fprintf(f, "ok (expires in %V)\n", &now, ¬After);
+ }
+ }
+
+ switch (cert->get_type(cert))
+ {
+ case CERT_X509:
+ print_x509(this, (x509_t*)cert);
+ break;
+ case CERT_X509_CRL:
+ print_crl(this, (crl_t*)cert);
+ break;
+ case CERT_X509_AC:
+ print_ac(this, (ac_t*)cert);
+ break;
+ case CERT_X509_OCSP_RESPONSE:
+ case CERT_TRUSTED_PUBKEY:
+ default:
+ break;
+ }
+ key = cert->get_public_key(cert);
+ if (key)
+ {
+ print_pubkey(this, key, has_privkey);
+ key->destroy(key);
+ }
+}
+
+METHOD(certificate_printer_t, destroy, void,
+ private_certificate_printer_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+certificate_printer_t *certificate_printer_create(FILE *f, bool detailed,
+ bool utc)
+{
+ private_certificate_printer_t *this;
+
+ INIT(this,
+ .public = {
+ .print = _print,
+ .destroy = _destroy,
+ },
+ .f = f,
+ .detailed = detailed,
+ .utc = utc,
+ );
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup certificate_printer certificate_printer
+ * @{ @ingroup certificates
+ */
+
+#ifndef CERTIFICATE_PRINTER_H_
+#define CERTIFICATE_PRINTER_H_
+
+typedef struct certificate_printer_t certificate_printer_t;
+
+#include "credentials/certificates/certificate.h"
+
+#include <stdio.h>
+
+/**
+ * An object for printing certificate information.
+ */
+struct certificate_printer_t {
+
+ /**
+ * Print a certificate.
+ *
+ * @cert certificate to be printed
+ * @has_privkey indicates that certificate has a matching private key
+ */
+ void (*print)(certificate_printer_t *this, certificate_t *cert,
+ bool has_privkey);
+
+ /**
+ * Destroy the certificate_printer object.
+ */
+ void (*destroy)(certificate_printer_t *this);
+};
+
+/**
+ * Create a certificate_printer object
+ *
+ * @param f file where print output is directed to (usually stdout)
+ * @param detailed print more detailed certificate information
+ * @param utc print time inforamtion in UTC
+ */
+certificate_printer_t* certificate_printer_create(FILE *f, bool detailed,
+ bool utc);
+
+#endif /** CERTIFICATE_PRINTER_H_ @}*/
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2010 revosec AG
*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
#include "pki.h"
-#include <asn1/asn1.h>
-#include <asn1/oid.h>
#include <credentials/certificates/certificate.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/certificates/crl.h>
-#include <credentials/certificates/ac.h>
-#include <selectors/traffic_selector.h>
+#include <credentials/certificates/certificate_printer.h>
-#include <time.h>
#include <errno.h>
-/**
- * Print public key information
- */
-static void print_pubkey(public_key_t *key)
-{
- chunk_t chunk;
- key_type_t type;
-
- type = key->get_type(key);
- printf("pubkey: %N %d bits%s\n", key_type_names, type,
- key->get_keysize(key), (type == KEY_BLISS) ? " strength" : "");
-
- if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
- {
- printf("keyid: %#B\n", &chunk);
- }
- if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk))
- {
- printf("subjkey: %#B\n", &chunk);
- }
-}
-
/**
* Print private key information
*/
static void print_key(private_key_t *key)
{
public_key_t *public;
+ chunk_t chunk;
public = key->get_public_key(key);
if (public)
{
- printf("private key with:\n");
- print_pubkey(public);
- public->destroy(public);
- }
- else
- {
- printf("extracting public from private key failed\n");
- }
-}
-
-/**
- * Get a prefix for a named constraint identity type
- */
-static char* get_type_pfx(identification_t *id)
-{
- switch (id->get_type(id))
- {
- case ID_RFC822_ADDR:
- return "email:";
- case ID_FQDN:
- return "dns:";
- default:
- return "";
- }
-}
-
-/**
- * Print X509 specific certificate information
- */
-static void print_x509(x509_t *x509)
-{
- enumerator_t *enumerator;
- identification_t *id;
- traffic_selector_t *block;
- chunk_t chunk;
- bool first;
- char *uri;
- int len, explicit, inhibit;
- x509_flag_t flags;
- x509_cdp_t *cdp;
- x509_cert_policy_t *policy;
- x509_policy_mapping_t *mapping;
-
- chunk = chunk_skip_zero(x509->get_serial(x509));
- printf("serial: %#B\n", &chunk);
-
- first = TRUE;
- enumerator = x509->create_subjectAltName_enumerator(x509);
- while (enumerator->enumerate(enumerator, &id))
- {
- if (first)
- {
- printf("altNames: ");
- first = FALSE;
- }
- else
- {
- printf(", ");
- }
- printf("%Y", id);
- }
- if (!first)
- {
- printf("\n");
- }
- enumerator->destroy(enumerator);
-
- flags = x509->get_flags(x509);
- printf("flags: ");
- if (flags & X509_CA)
- {
- printf("CA ");
- }
- if (flags & X509_CRL_SIGN)
- {
- printf("CRLSign ");
- }
- if (flags & X509_AA)
- {
- printf("AA ");
- }
- if (flags & X509_OCSP_SIGNER)
- {
- printf("OCSP ");
- }
- if (flags & X509_AA)
- {
- printf("AA ");
- }
- if (flags & X509_SERVER_AUTH)
- {
- printf("serverAuth ");
- }
- if (flags & X509_CLIENT_AUTH)
- {
- printf("clientAuth ");
- }
- if (flags & X509_IKE_INTERMEDIATE)
- {
- printf("iKEIntermediate ");
- }
- if (flags & X509_MS_SMARTCARD_LOGON)
- {
- printf("msSmartcardLogon ");
- }
- if (flags & X509_SELF_SIGNED)
- {
- printf("self-signed ");
- }
- printf("\n");
-
- first = TRUE;
- enumerator = x509->create_crl_uri_enumerator(x509);
- while (enumerator->enumerate(enumerator, &cdp))
- {
- if (first)
- {
- printf("CRL URIs: %s", cdp->uri);
- first = FALSE;
- }
- else
- {
- printf(" %s", cdp->uri);
- }
- if (cdp->issuer)
- {
- printf(" (CRL issuer: %Y)", cdp->issuer);
- }
- printf("\n");
- }
- enumerator->destroy(enumerator);
-
- first = TRUE;
- enumerator = x509->create_ocsp_uri_enumerator(x509);
- while (enumerator->enumerate(enumerator, &uri))
- {
- if (first)
- {
- printf("OCSP URIs: %s\n", uri);
- first = FALSE;
- }
- else
- {
- printf(" %s\n", uri);
- }
- }
- enumerator->destroy(enumerator);
-
- len = x509->get_constraint(x509, X509_PATH_LEN);
- if (len != X509_NO_CONSTRAINT)
- {
- printf("pathlen: %d\n", len);
- }
-
- first = TRUE;
- enumerator = x509->create_name_constraint_enumerator(x509, TRUE);
- while (enumerator->enumerate(enumerator, &id))
- {
- if (first)
- {
- printf("Permitted NameConstraints:\n");
- first = FALSE;
- }
- printf(" %s%Y\n", get_type_pfx(id), id);
- }
- enumerator->destroy(enumerator);
- first = TRUE;
- enumerator = x509->create_name_constraint_enumerator(x509, FALSE);
- while (enumerator->enumerate(enumerator, &id))
- {
- if (first)
- {
- printf("Excluded NameConstraints:\n");
- first = FALSE;
- }
- printf(" %s%Y\n", get_type_pfx(id), id);
- }
- enumerator->destroy(enumerator);
-
- first = TRUE;
- enumerator = x509->create_cert_policy_enumerator(x509);
- while (enumerator->enumerate(enumerator, &policy))
- {
- char *oid;
-
- if (first)
- {
- printf("CertificatePolicies:\n");
- first = FALSE;
- }
- oid = asn1_oid_to_string(policy->oid);
- if (oid)
- {
- printf(" %s\n", oid);
- free(oid);
- }
- else
- {
- printf(" %#B\n", &policy->oid);
- }
- if (policy->cps_uri)
- {
- printf(" CPS: %s\n", policy->cps_uri);
- }
- if (policy->unotice_text)
- {
- printf(" Notice: %s\n", policy->unotice_text);
-
- }
- }
- enumerator->destroy(enumerator);
-
- first = TRUE;
- enumerator = x509->create_policy_mapping_enumerator(x509);
- while (enumerator->enumerate(enumerator, &mapping))
- {
- char *issuer_oid, *subject_oid;
-
- if (first)
- {
- printf("PolicyMappings:\n");
- first = FALSE;
- }
- issuer_oid = asn1_oid_to_string(mapping->issuer);
- subject_oid = asn1_oid_to_string(mapping->subject);
- printf(" %s => %s\n", issuer_oid, subject_oid);
- free(issuer_oid);
- free(subject_oid);
- }
- enumerator->destroy(enumerator);
-
- explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
- inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
- len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
-
- if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT ||
- len != X509_NO_CONSTRAINT)
- {
- printf("PolicyConstraints:\n");
- if (explicit != X509_NO_CONSTRAINT)
- {
- printf(" requireExplicitPolicy: %d\n", explicit);
- }
- if (inhibit != X509_NO_CONSTRAINT)
- {
- printf(" inhibitPolicyMapping: %d\n", inhibit);
- }
- if (len != X509_NO_CONSTRAINT)
- {
- printf(" inhibitAnyPolicy: %d\n", len);
- }
- }
-
- chunk = x509->get_authKeyIdentifier(x509);
- if (chunk.ptr)
- {
- printf("authkeyId: %#B\n", &chunk);
- }
-
- chunk = x509->get_subjectKeyIdentifier(x509);
- if (chunk.ptr)
- {
- printf("subjkeyId: %#B\n", &chunk);
- }
- if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
- {
- first = TRUE;
- printf("addresses: ");
- enumerator = x509->create_ipAddrBlock_enumerator(x509);
- while (enumerator->enumerate(enumerator, &block))
- {
- if (first)
- {
- first = FALSE;
- }
- else
- {
- printf(", ");
- }
- printf("%R", block);
- }
- enumerator->destroy(enumerator);
- printf("\n");
- }
-}
-
-/**
- * Print CRL specific information
- */
-static void print_crl(crl_t *crl)
-{
- enumerator_t *enumerator;
- time_t ts;
- crl_reason_t reason;
- chunk_t chunk;
- int count = 0;
- bool first;
- char buf[64];
- struct tm tm;
- x509_cdp_t *cdp;
-
- chunk = chunk_skip_zero(crl->get_serial(crl));
- printf("serial: %#B\n", &chunk);
-
- if (crl->is_delta_crl(crl, &chunk))
- {
- chunk = chunk_skip_zero(chunk);
- printf("delta CRL: for serial %#B\n", &chunk);
- }
- chunk = crl->get_authKeyIdentifier(crl);
- printf("authKeyId: %#B\n", &chunk);
-
- first = TRUE;
- enumerator = crl->create_delta_crl_uri_enumerator(crl);
- while (enumerator->enumerate(enumerator, &cdp))
- {
- if (first)
- {
- printf("freshest: %s", cdp->uri);
- first = FALSE;
- }
- else
- {
- printf(" %s", cdp->uri);
- }
- if (cdp->issuer)
- {
- printf(" (CRL issuer: %Y)", cdp->issuer);
- }
- printf("\n");
- }
- enumerator->destroy(enumerator);
-
- enumerator = crl->create_enumerator(crl);
- while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
- {
- count++;
- }
- enumerator->destroy(enumerator);
-
- printf("%d revoked certificate%s%s\n", count,
- count == 1 ? "" : "s", count ? ":" : "");
- enumerator = crl->create_enumerator(crl);
- while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
- {
- chunk = chunk_skip_zero(chunk);
- localtime_r(&ts, &tm);
- strftime(buf, sizeof(buf), "%F %T", &tm);
- printf(" %#B %N %s\n", &chunk, crl_reason_names, reason, buf);
- count++;
- }
- enumerator->destroy(enumerator);
-}
-
-/**
- * Print AC specific information
- */
-static void print_ac(ac_t *ac)
-{
- ac_group_type_t type;
- identification_t *id;
- enumerator_t *groups;
- chunk_t chunk;
- bool first = TRUE;
-
- chunk = chunk_skip_zero(ac->get_serial(ac));
- printf("serial: %#B\n", &chunk);
-
- id = ac->get_holderIssuer(ac);
- if (id)
- {
- printf("hissuer: \"%Y\"\n", id);
- }
- chunk = chunk_skip_zero(ac->get_holderSerial(ac));
- if (chunk.ptr)
- {
- printf("hserial: %#B\n", &chunk);
- }
- groups = ac->create_group_enumerator(ac);
- while (groups->enumerate(groups, &type, &chunk))
- {
- int oid;
- char *str;
-
- if (first)
+ printf(" privkey: %N %d bits\n", key_type_names,
+ public->get_type(public), public->get_keysize(public));
+ if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk))
{
- printf("groups: ");
- first = FALSE;
+ printf(" keyid: %#B\n", &chunk);
}
- else
+ if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk))
{
- printf(" ");
+ printf(" subjkey: %#B\n", &chunk);
}
- switch (type)
- {
- case AC_GROUP_TYPE_STRING:
- printf("%.*s", (int)chunk.len, chunk.ptr);
- break;
- case AC_GROUP_TYPE_OID:
- oid = asn1_known_oid(chunk);
- if (oid == OID_UNKNOWN)
- {
- str = asn1_oid_to_string(chunk);
- if (str)
- {
- printf("%s", str);
- free(str);
- }
- else
- {
- printf("OID:%#B", &chunk);
- }
- }
- else
- {
- printf("%s", oid_names[oid].name);
- }
- break;
- case AC_GROUP_TYPE_OCTETS:
- printf("%#B", &chunk);
- break;
- }
- printf("\n");
- }
- groups->destroy(groups);
-
- chunk = ac->get_authKeyIdentifier(ac);
- if (chunk.ptr)
- {
- printf("authkey: %#B\n", &chunk);
- }
-}
-
-/**
- * Print certificate information
- */
-static void print_cert(certificate_t *cert)
-{
- time_t now, notAfter, notBefore;
- public_key_t *key;
-
- now = time(NULL);
-
- printf("cert: %N\n", certificate_type_names, cert->get_type(cert));
- if (cert->get_type(cert) != CERT_X509_CRL)
- {
- printf("subject: \"%Y\"\n", cert->get_subject(cert));
- }
- printf("issuer: \"%Y\"\n", cert->get_issuer(cert));
-
- cert->get_validity(cert, &now, ¬Before, ¬After);
- printf("validity: not before %T, ", ¬Before, FALSE);
- if (now < notBefore)
- {
- printf("not valid yet (valid in %V)\n", &now, ¬Before);
- }
- else
- {
- printf("ok\n");
- }
- printf(" not after %T, ", ¬After, FALSE);
- if (now > notAfter)
- {
- printf("expired (%V ago)\n", &now, ¬After);
+ public->destroy(public);
}
else
{
- printf("ok (expires in %V)\n", &now, ¬After);
- }
-
- switch (cert->get_type(cert))
- {
- case CERT_X509:
- print_x509((x509_t*)cert);
- break;
- case CERT_X509_CRL:
- print_crl((crl_t*)cert);
- break;
- case CERT_X509_AC:
- print_ac((ac_t*)cert);
- break;
- default:
- printf("parsing certificate subtype %N not implemented\n",
- certificate_type_names, cert->get_type(cert));
- break;
- }
- key = cert->get_public_key(cert);
- if (key)
- {
- print_pubkey(key);
- key->destroy(key);
+ printf("extracting public from private key failed\n");
}
}
}
else if (streq(arg, "pub"))
{
- type = CRED_PUBLIC_KEY;
- subtype = KEY_ANY;
+ type = CRED_CERTIFICATE;
+ subtype = CERT_TRUSTED_PUBKEY;
}
else if (streq(arg, "rsa-priv"))
{
if (type == CRED_CERTIFICATE)
{
certificate_t *cert = (certificate_t*)cred;
+ certificate_printer_t *printer;
- print_cert(cert);
+ printer = certificate_printer_create(stdout, TRUE, FALSE);
+ printer->print(printer, cert, FALSE);
+ printer->destroy(printer);
cert->destroy(cert);
}
- if (type == CRED_PUBLIC_KEY)
- {
- public_key_t *key = (public_key_t*)cred;
-
- print_pubkey(key);
- key->destroy(key);
- }
if (type == CRED_PRIVATE_KEY)
{
private_key_t *key = (private_key_t*)cred;
print_key(key);
key->destroy(key);
}
+
return 0;
}