From: Andreas Steffen Date: Fri, 11 Dec 2015 17:24:58 +0000 (+0100) Subject: Refactored certificate management for the vici and stroke interfaces X-Git-Tag: 5.4.0dr1^0 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=02d431022c45cf9638b13aa84c0d485a655d370b;p=thirdparty%2Fstrongswan.git Refactored certificate management for the vici and stroke interfaces --- diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index e312ae1527..2cc755e774 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -31,7 +31,6 @@ #include #include #include -#include #include #include @@ -63,6 +62,11 @@ struct private_stroke_list_t { stroke_attribute_t *attribute; }; +/** + * Static certificate printer object + */ +static certificate_printer_t *cert_printer = NULL; + /** * Log tasks of a specific queue to out */ @@ -760,133 +764,50 @@ static bool has_privkey(certificate_t *cert) return (private != NULL); } -/** - * list OpenPGP certificates - */ -static void stroke_list_pgp_certs(linked_list_t *list, char *label, - bool utc, FILE *out) -{ - bool first = TRUE; - time_t now = time(NULL); - enumerator_t *enumerator = list->create_enumerator(list); - certificate_t *cert; - chunk_t keyid; - - while (enumerator->enumerate(enumerator, (void**)&cert)) - { - time_t created, until; - public_key_t *public; - pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert; - chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert); - - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of %ss:\n", label); - first = FALSE; - } - fprintf(out, "\n"); - fprintf(out, " userid: '%Y'\n", cert->get_subject(cert)); - fprintf(out, " digest: %#B\n", &fingerprint); - - /* list validity */ - cert->get_validity(cert, &now, &created, &until); - fprintf(out, " created: %T\n", &created, utc); - fprintf(out, " until: %T%s\n", &until, utc, - (until == TIME_32_BIT_SIGNED_MAX) ? " (expires never)":""); - - public = cert->get_public_key(cert); - if (public) - { - fprintf(out, " pubkey: %N %d bits%s\n", - key_type_names, public->get_type(public), - public->get_keysize(public), - has_privkey(cert) ? ", has private key" : ""); - - if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid)) - { - fprintf(out, " keyid: %#B\n", &keyid); - } - if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid)) - { - fprintf(out, " subjkey: %#B\n", &keyid); - } - public->destroy(public); - } - } - enumerator->destroy(enumerator); -} - /** * list all X.509 certificates matching the flags */ -static void stroke_list_x509_certs(linked_list_t *list, char *label, - x509_flag_t flags, bool utc, FILE *out) +static void stroke_list_x509_certs(linked_list_t *list, x509_flag_t flag) { - bool first = TRUE; enumerator_t *enumerator; certificate_t *cert; - certificate_printer_t *printer; - x509_flag_t flag_mask; - - printer = certificate_printer_create(out, TRUE, utc), - - /* mask all auxiliary flags */ - flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH | X509_IKE_INTERMEDIATE | - X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS); enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, (void**)&cert)) { x509_t *x509 = (x509_t*)cert; - x509_flag_t x509_flags = x509->get_flags(x509) & flag_mask; + x509_flag_t flags = x509->get_flags(x509) & X509_ANY; /* list only if flag is set or flag == 0 */ - if ((x509_flags & flags) || (x509_flags == flags)) + if ((flags & flag) || flags == flag) { - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of %ss:\n", label); - first = FALSE; - } - fprintf(out, "\n"); - printer->print(printer, cert, has_privkey(cert)); + cert_printer->print_caption(cert_printer, CERT_X509, flag); + cert_printer->print(cert_printer, cert, has_privkey(cert)); } } enumerator->destroy(enumerator); - - printer->destroy(printer); } /** * list all other certificates types */ -static void stroke_list_other_certs(linked_list_t *list, char *label, - bool utc, FILE *out) +static void stroke_list_other_certs(certificate_type_t type) { - bool first = TRUE; enumerator_t *enumerator; certificate_t *cert; - certificate_printer_t *printer; + linked_list_t *list; - printer = certificate_printer_create(out, TRUE, utc), + list = create_unique_cert_list(type); enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, &cert)) { - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of %ss:\n", label); - first = FALSE; - } - fprintf(out, "\n"); - printer->print(printer, cert, has_privkey(cert)); + cert_printer->print_caption(cert_printer, cert->get_type(cert), X509_NONE); + cert_printer->print(cert_printer, cert, has_privkey(cert)); } enumerator->destroy(enumerator); - printer->destroy(printer); + list->destroy_offset(list, offsetof(certificate_t, destroy)); } /** @@ -1058,21 +979,15 @@ METHOD(stroke_list_t, list, void, { linked_list_t *cert_list = NULL; + cert_printer = certificate_printer_create(out, TRUE, msg->list.utc); + if (msg->list.flags & LIST_PUBKEYS) { - linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY); - - stroke_list_other_certs(pubkey_list, "Raw Public Key", - msg->list.utc, out); - pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy)); + stroke_list_other_certs(CERT_TRUSTED_PUBKEY); } if (msg->list.flags & LIST_CERTS) { - linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG); - - stroke_list_pgp_certs(pgp_list, "PGP End Entity Certificate", - msg->list.utc, out); - pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy)); + stroke_list_other_certs(CERT_GPG); } if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS)) { @@ -1080,49 +995,33 @@ METHOD(stroke_list_t, list, void, } if (msg->list.flags & LIST_CERTS) { - stroke_list_x509_certs(cert_list, "X.509 End Entity Certificate", - X509_NONE, msg->list.utc, out); + stroke_list_x509_certs(cert_list, X509_NONE); } if (msg->list.flags & LIST_CACERTS) { - stroke_list_x509_certs(cert_list, "X.509 CA Certificate", - X509_CA, msg->list.utc, out); + stroke_list_x509_certs(cert_list, X509_CA); } if (msg->list.flags & LIST_OCSPCERTS) { - stroke_list_x509_certs(cert_list, "X.509 OCSP Signer Certificate", - X509_OCSP_SIGNER, msg->list.utc, out); + stroke_list_x509_certs(cert_list, X509_OCSP_SIGNER); } if (msg->list.flags & LIST_AACERTS) { - stroke_list_x509_certs(cert_list, "X.509 AA Certificate", - X509_AA, msg->list.utc, out); + stroke_list_x509_certs(cert_list, X509_AA); } DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy)); if (msg->list.flags & LIST_ACERTS) { - linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC); - - stroke_list_other_certs(ac_list, "X.509 Attribute Certificate", - msg->list.utc, out); - ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy)); + stroke_list_other_certs(CERT_X509_AC); } if (msg->list.flags & LIST_CRLS) { - linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL); - - stroke_list_other_certs(crl_list, "X.509 CRL", - msg->list.utc, out); - crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy)); + stroke_list_other_certs(CERT_X509_CRL); } if (msg->list.flags & LIST_OCSP) { - linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE); - - stroke_list_other_certs(ocsp_list, "OCSP Response", - msg->list.utc, out); - ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy)); + stroke_list_other_certs(CERT_X509_OCSP_RESPONSE); } if (msg->list.flags & LIST_ALGS) { @@ -1132,6 +1031,8 @@ METHOD(stroke_list_t, list, void, { list_plugins(out); } + cert_printer->destroy(cert_printer); + cert_printer = NULL; } /** diff --git a/src/libcharon/plugins/vici/Makefile.am b/src/libcharon/plugins/vici/Makefile.am index 99acc767e8..f51670de4b 100644 --- a/src/libcharon/plugins/vici/Makefile.am +++ b/src/libcharon/plugins/vici/Makefile.am @@ -18,7 +18,7 @@ libstrongswan_vici_la_SOURCES = \ vici_message.h vici_message.c \ vici_builder.h vici_builder.c \ vici_dispatcher.h vici_dispatcher.c \ - vici_cert_info.c vici_cert_info.h \ + vici_cert_info.h vici_cert_info.c \ vici_query.h vici_query.c \ vici_control.h vici_control.c \ vici_config.h vici_config.c \ @@ -39,7 +39,7 @@ ipseclib_LTLIBRARIES = libvici.la libvici_la_SOURCES = \ vici_message.c vici_message.h \ vici_builder.c vici_builder.h \ - vici_cert_info.c vici_cert_info.h \ + vici_cert_info.h vici_cert_info.c \ libvici.c libvici.h libvici_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md index b7e2a5e64c..133d9aee41 100644 --- a/src/libcharon/plugins/vici/README.md +++ b/src/libcharon/plugins/vici/README.md @@ -369,7 +369,9 @@ call includes all certificates known by the daemon, not only those loaded over vici. { - type = + type = + flag = subject = } => { # completes after streaming list-cert events @@ -427,7 +429,8 @@ Unload a previously loaded connection definition by name. Load a certificate into the daemon. { - type = + type = + flag = data = } => { success = @@ -753,7 +756,8 @@ The _list-cert_ event is issued to stream loaded certificates during an active _list-certs_ command. { - type = + type = + flag = has_privkey = data = } diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/README.pod b/src/libcharon/plugins/vici/perl/Vici-Session/README.pod index 9bfd3ff0ed..de73a03f81 100644 --- a/src/libcharon/plugins/vici/perl/Vici-Session/README.pod +++ b/src/libcharon/plugins/vici/perl/Vici-Session/README.pod @@ -164,13 +164,13 @@ print $version->raw(), "\n"; loads a certificate into the daemon. - my %vars = ( type => 'X509CA', data => $ca_cert ); + my %vars = ( type => 'X509', flag => 'CA', data => $ca_cert ); my ($res, $errmsg) = $session->load_cert(Vici::Message->new(\%vars)); =cut print "----- load-cert -----\n"; -my %vars = ( type => 'X509CA', data => $ca_cert ); +my %vars = ( type => 'X509', flag => 'CA', data => $ca_cert ); my ($res, $errmsg) = $session->load_cert(Vici::Message->new(\%vars)); print $res ? "ok\n" : "failed: $errmsg\n"; diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c index e2aa5a9b2c..fa3158fa9a 100644 --- a/src/libcharon/plugins/vici/vici_cred.c +++ b/src/libcharon/plugins/vici/vici_cred.c @@ -2,6 +2,9 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your @@ -67,9 +70,9 @@ static vici_message_t* create_reply(char *fmt, ...) CALLBACK(load_cert, vici_message_t*, private_vici_cred_t *this, char *name, u_int id, vici_message_t *message) { - vici_cert_info_t *cert_info; certificate_t *cert; - x509_flag_t flag; + certificate_type_t type; + x509_flag_t ext_flag, flag = X509_NONE; x509_t *x509; chunk_t data; bool trusted = TRUE; @@ -80,9 +83,18 @@ CALLBACK(load_cert, vici_message_t*, { return create_reply("certificate type missing"); } - - cert_info = vici_cert_info_retrieve(str); - if (!cert_info) + if (enum_from_name(certificate_type_names, str, &type)) + { + if (type == CERT_X509) + { + str = message->get_str(message, "NONE", "flag"); + if (!enum_from_name(x509_flag_names, str, &flag)) + { + return create_reply("invalid certificate flag '%s'", str); + } + } + } + else if (!vici_cert_info_from_str(str, &type, &flag)) { return create_reply("invalid certificate type '%s'", str); } @@ -94,21 +106,21 @@ CALLBACK(load_cert, vici_message_t*, } /* do not set CA flag externally */ - flag = (cert_info->flag & X509_CA) ? X509_NONE : cert_info->flag; + ext_flag = (flag & X509_CA) ? X509_NONE : flag; - cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, cert_info->type, + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type, BUILD_BLOB_PEM, data, - BUILD_X509_FLAG, flag, + BUILD_X509_FLAG, ext_flag, BUILD_END); if (!cert) { return create_reply("parsing %N certificate failed", - certificate_type_names, cert_info->type); + certificate_type_names, type); } DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert)); /* check if CA certificate has CA basic constraint set */ - if (cert_info->flag & X509_CA) + if (flag & X509_CA) { char err_msg[] = "ca certificate lacks CA basic constraint, rejected"; x509 = (x509_t*)cert; @@ -120,7 +132,7 @@ CALLBACK(load_cert, vici_message_t*, return create_reply(err_msg); } } - if (cert_info->type == CERT_X509_CRL) + if (type == CERT_X509_CRL) { this->creds->add_crl(this->creds, (crl_t*)cert); } diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c index 2ea9228513..76cfb52f94 100644 --- a/src/libcharon/plugins/vici/vici_query.c +++ b/src/libcharon/plugins/vici/vici_query.c @@ -40,8 +40,6 @@ #include "vici_query.h" #include "vici_builder.h" -#include "vici_version.h" -#include "vici_cert_info.h" #include #include @@ -53,6 +51,8 @@ #endif #include +#include +#include typedef struct private_vici_query_t private_vici_query_t; @@ -809,7 +809,6 @@ static bool has_privkey(certificate_t *cert) * Store cert filter data */ typedef struct { - vici_version_t version; certificate_type_t type; x509_flag_t flag; identification_t *subject; @@ -820,27 +819,25 @@ typedef struct { */ static void enum_x509(private_vici_query_t *this, u_int id, linked_list_t *certs, cert_filter_t *filter, - x509_flag_t flag, char *cert_type) + x509_flag_t flag) { enumerator_t *enumerator; certificate_t *cert; vici_builder_t *b; chunk_t encoding; - x509_flag_t mask; x509_t *x509; - if (filter->type != CERT_ANY && filter->version != VICI_1_0 && + if (filter->type != CERT_ANY && filter->flag != X509_ANY && filter->flag != flag) { return; } - mask = X509_CA | X509_AA | X509_OCSP_SIGNER; enumerator = certs->create_enumerator(certs); while (enumerator->enumerate(enumerator, &cert)) { x509 = (x509_t*)cert; - if ((x509->get_flags(x509) & mask) != flag) + if ((x509->get_flags(x509) & X509_ANY) != flag) { continue; } @@ -848,16 +845,8 @@ static void enum_x509(private_vici_query_t *this, u_int id, if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding)) { b = vici_builder_create(); - if (filter->version == VICI_1_0) - { - b->add_kv(b, "type", "%N", certificate_type_names, - cert->get_type(cert)); - } - else - { - b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION); - b->add_kv(b, "type", "%s", cert_type); - } + b->add_kv(b, "type", "%N", certificate_type_names, CERT_X509); + b->add_kv(b, "flag", "%N", x509_flag_names, flag); if (has_privkey(cert)) { b->add_kv(b, "has_privkey", "yes"); @@ -876,8 +865,7 @@ static void enum_x509(private_vici_query_t *this, u_int id, * Enumerate all non-X.509 certificate types */ static void enum_others(private_vici_query_t *this, u_int id, - linked_list_t *certs, cert_filter_t *filter, - char *cert_type) + linked_list_t *certs, cert_filter_t *filter) { enumerator_t *enumerator; certificate_t *cert; @@ -890,16 +878,8 @@ static void enum_others(private_vici_query_t *this, u_int id, if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding)) { b = vici_builder_create(); - if (filter->version == VICI_1_0) - { - b->add_kv(b, "type", "%N", certificate_type_names, - cert->get_type(cert)); - } - else - { - b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION); - b->add_kv(b, "type", "%s", cert_type); - } + b->add_kv(b, "type", "%N", certificate_type_names, + cert->get_type(cert)); if (has_privkey(cert)) { b->add_kv(b, "has_privkey", "yes"); @@ -918,8 +898,7 @@ static void enum_others(private_vici_query_t *this, u_int id, * Enumerate all certificates of a given type */ static void enum_certs(private_vici_query_t *this, u_int id, - cert_filter_t *filter, certificate_type_t type, - char *cert_type) + cert_filter_t *filter, certificate_type_t type) { enumerator_t *e1, *e2; certificate_t *cert, *current; @@ -958,14 +937,14 @@ static void enum_certs(private_vici_query_t *this, u_int id, if (type == CERT_X509) { - enum_x509(this, id, certs, filter, X509_NONE, "x509"); - enum_x509(this, id, certs, filter, X509_CA, "x509ca"); - enum_x509(this, id, certs, filter, X509_AA, "x509ac"); - enum_x509(this, id, certs, filter, X509_OCSP_SIGNER, "x509ocsp"); + enum_x509(this, id, certs, filter, X509_NONE); + enum_x509(this, id, certs, filter, X509_CA); + enum_x509(this, id, certs, filter, X509_AA); + enum_x509(this, id, certs, filter, X509_OCSP_SIGNER); } else { - enum_others(this, id, certs, filter, cert_type); + enum_others(this, id, certs, filter); } certs->destroy_offset(certs, offsetof(certificate_t, destroy)); } @@ -974,43 +953,25 @@ CALLBACK(list_certs, vici_message_t*, private_vici_query_t *this, char *name, u_int id, vici_message_t *request) { cert_filter_t filter = { - .version = VICI_1_0, .type = CERT_ANY, - .flag = X509_NONE, + .flag = X509_ANY, .subject = NULL }; vici_builder_t *b; char *str; - str = request->get_str(request, "1.0", "vici"); - if (!enum_from_name(vici_version_names, str, &filter.version)) - { - DBG1(DBG_CFG, "unsupported vici version '%s'", str); - goto finalize; - } str = request->get_str(request, "ANY", "type"); - - if (filter.version == VICI_1_0) + if (!enum_from_name(certificate_type_names, str, &filter.type)) { - if (!enum_from_name(certificate_type_names, str, &filter.type)) - { - DBG1(DBG_CFG, "invalid certificate type '%s'", str); - goto finalize; - } + DBG1(DBG_CFG, "invalid certificate type '%s'", str); + goto finalize; } - else /* VICI 2.0 */ + if (filter.type == CERT_X509) { - vici_cert_info_t *cert_info; - - cert_info = vici_cert_info_retrieve(str); - if (cert_info) + str = request->get_str(request, "ANY", "flag"); + if (!enum_from_name(x509_flag_names, str, &filter.flag)) { - filter.type = cert_info->type; - filter.flag = cert_info->flag; - } - else - { - DBG1(DBG_CFG, "invalid certificate type '%s'", str); + DBG1(DBG_CFG, "invalid certificate flag '%s'", str); goto finalize; } } @@ -1020,11 +981,12 @@ CALLBACK(list_certs, vici_message_t*, { filter.subject = identification_create_from_string(str); } - enum_certs(this, id, &filter, CERT_TRUSTED_PUBKEY, "pubkey"); - enum_certs(this, id, &filter, CERT_X509, "x509"); - enum_certs(this, id, &filter, CERT_X509_AC, "x509ac"); - enum_certs(this, id, &filter, CERT_X509_CRL, "x509crl"); - enum_certs(this, id, &filter, CERT_X509_OCSP_RESPONSE, "ocsp"); + + enum_certs(this, id, &filter, CERT_TRUSTED_PUBKEY); + enum_certs(this, id, &filter, CERT_X509); + enum_certs(this, id, &filter, CERT_X509_AC); + enum_certs(this, id, &filter, CERT_X509_CRL); + enum_certs(this, id, &filter, CERT_X509_OCSP_RESPONSE); DESTROY_IF(filter.subject); finalize: @@ -1140,8 +1102,6 @@ CALLBACK(version, vici_message_t*, vici_builder_t *b; b = vici_builder_create(); - - b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION); b->add_kv(b, "daemon", "%s", lib->ns); b->add_kv(b, "version", "%s", VERSION); diff --git a/src/libstrongswan/credentials/certificates/certificate_printer.c b/src/libstrongswan/credentials/certificates/certificate_printer.c index 4326950ceb..c618e80bf7 100644 --- a/src/libstrongswan/credentials/certificates/certificate_printer.c +++ b/src/libstrongswan/credentials/certificates/certificate_printer.c @@ -17,10 +17,11 @@ */ #include "certificate_printer.h" -#include "x509.h" -#include "crl.h" -#include "ac.h" -#include "ocsp_response.h" +#include "credentials/certificates/x509.h" +#include "credentials/certificates/crl.h" +#include "credentials/certificates/ac.h" +#include "credentials/certificates/ocsp_response.h" +#include "credentials/certificates/pgp_certificate.h" #include #include @@ -54,6 +55,17 @@ struct private_certificate_printer_t { * Print time information in UTC */ bool utc; + + /** + * Previous certificate type + */ + certificate_type_t type; + + /** + * Previous X.509 certificate flag + */ + x509_flag_t flag; + }; /** @@ -568,7 +580,7 @@ METHOD(certificate_printer_t, print, void, { fprintf(f, " subject: \"%Y\"\n", subject); } - if (cert->get_type(cert) != CERT_TRUSTED_PUBKEY) + if (type != CERT_TRUSTED_PUBKEY && type != CERT_GPG) { fprintf(f, " issuer: \"%Y\"\n", cert->get_issuer(cert)); } @@ -577,35 +589,44 @@ METHOD(certificate_printer_t, print, void, cert->get_validity(cert, &now, ¬Before, ¬After); if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME) { - if (type == CERT_X509_CRL || type == CERT_X509_OCSP_RESPONSE) - { - t0 = "update: "; - t1 = "this on"; - t2 = "next on"; - } - else - { - t0 = "validity:"; - t1 = "not before"; - t2 = "not after "; - } - fprintf(f, " %s %s %T, ", t0, t1, ¬Before, this->utc); - if (now < notBefore) - { - fprintf(f, "not valid yet (valid in %V)\n", &now, ¬Before); - } - else - { - fprintf(f, "ok\n"); - } - fprintf(f, " %s %T, ", t2, ¬After, this->utc); - if (now > notAfter) + if (type == CERT_GPG) { - fprintf(f, "expired (%V ago)\n", &now, ¬After); + fprintf(f, " created: %T\n", ¬Before, this->utc); + fprintf(f, " until: %T%s\n", ¬After, this->utc, + (notAfter == TIME_32_BIT_SIGNED_MAX) ?" expires never" : ""); } else { - fprintf(f, "ok (expires in %V)\n", &now, ¬After); + if (type == CERT_X509_CRL || type == CERT_X509_OCSP_RESPONSE) + { + t0 = "update: "; + t1 = "this on"; + t2 = "next on"; + } + else + { + t0 = "validity:"; + t1 = "not before"; + t2 = "not after "; + } + fprintf(f, " %s %s %T, ", t0, t1, ¬Before, this->utc); + if (now < notBefore) + { + fprintf(f, "not valid yet (valid in %V)\n", &now, ¬Before); + } + else + { + fprintf(f, "ok\n"); + } + fprintf(f, " %s %T, ", t2, ¬After, this->utc); + if (now > notAfter) + { + fprintf(f, "expired (%V ago)\n", &now, ¬After); + } + else + { + fprintf(f, "ok (expires in %V)\n", &now, ¬After); + } } } @@ -627,6 +648,13 @@ METHOD(certificate_printer_t, print, void, default: break; } + if (type == CERT_GPG) + { + pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert; + chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert); + + fprintf(f, " pgpDigest: %#B\n", &fingerprint); + } key = cert->get_public_key(cert); if (key) { @@ -635,6 +663,65 @@ METHOD(certificate_printer_t, print, void, } } +METHOD(certificate_printer_t, print_caption, void, + private_certificate_printer_t *this, certificate_type_t type, + x509_flag_t flag) +{ + char *caption; + + if (type != this->type || (type == CERT_X509 && flag != this->flag)) + { + switch (type) + { + case CERT_X509: + switch (flag) + { + case X509_NONE: + caption = "X.509 End Entity Certificate"; + break; + case X509_CA: + caption = "X.509 CA Certificate"; + break; + case X509_AA: + caption = "X.509 AA Certificate"; + break; + case X509_OCSP_SIGNER: + caption = "X.509 OCSP Signer Certificate"; + break; + default: + return; + } + break; + case CERT_X509_AC: + caption = "X.509 Attribute Certificate"; + break; + case CERT_X509_CRL: + caption = "X.509 CRL"; + break; + case CERT_X509_OCSP_RESPONSE: + caption = "OCSP Response"; + break; + case CERT_TRUSTED_PUBKEY: + caption = "Raw Public Key"; + break; + case CERT_GPG: + caption = "PGP End Entity Certificate"; + break; + default: + return; + } + fprintf(this->f, "\nList of %ss\n", caption); + + /* Update to current type and flag value */ + this->type = type; + if (type == CERT_X509) + { + this->flag = flag; + } + } + fprintf(this->f, "\n"); +} + METHOD(certificate_printer_t, destroy, void, private_certificate_printer_t *this) { @@ -652,11 +739,14 @@ certificate_printer_t *certificate_printer_create(FILE *f, bool detailed, INIT(this, .public = { .print = _print, + .print_caption = _print_caption, .destroy = _destroy, }, .f = f, .detailed = detailed, .utc = utc, + .type = CERT_ANY, + .flag = X509_ANY, ); return &this->public; diff --git a/src/libstrongswan/credentials/certificates/certificate_printer.h b/src/libstrongswan/credentials/certificates/certificate_printer.h index f11b77ef60..480b1d966f 100644 --- a/src/libstrongswan/credentials/certificates/certificate_printer.h +++ b/src/libstrongswan/credentials/certificates/certificate_printer.h @@ -24,6 +24,7 @@ typedef struct certificate_printer_t certificate_printer_t; #include "credentials/certificates/certificate.h" +#include "credentials/certificates/x509.h" #include @@ -41,6 +42,15 @@ struct certificate_printer_t { void (*print)(certificate_printer_t *this, certificate_t *cert, bool has_privkey); + /** + * Print a caption if the certificate type changed. + * + * @type certificate type + * @flag X.509 certificate flag + */ + void (*print_caption)(certificate_printer_t *this, certificate_type_t type, + x509_flag_t flag); + /** * Destroy the certificate_printer object. */ diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c index 2dfb66d7c7..ccf1f7cf32 100644 --- a/src/stroke/stroke.c +++ b/src/stroke/stroke.c @@ -433,9 +433,9 @@ static int usage(char *error) fprintf(out, " Show extended status information without blocking:\n"); fprintf(out, " stroke statusall-nb\n"); fprintf(out, " Show list of authority and attribute certificates:\n"); - fprintf(out, " stroke listcacerts|listocspcerts|listaacerts|listacerts\n"); + fprintf(out, " stroke listcacerts|listocspcerts|listaacerts|listacerts [--utc]\n"); fprintf(out, " Show list of end entity certificates, ca info records and crls:\n"); - fprintf(out, " stroke listcerts|listcainfos|listcrls|listall\n"); + fprintf(out, " stroke listcerts|listcainfos|listcrls|listall [--utc]\n"); fprintf(out, " Show list of supported algorithms:\n"); fprintf(out, " stroke listalgs\n"); fprintf(out, " Reload authority and attribute certificates:\n"); diff --git a/src/swanctl/command.h b/src/swanctl/command.h index b7c6e4d852..7eb11a68d1 100644 --- a/src/swanctl/command.h +++ b/src/swanctl/command.h @@ -2,9 +2,6 @@ * Copyright (C) 2009 Martin Willi * Hochschule fuer Technik Rapperswil * - * Copyright (C) 2015 Andreas Steffen - * HSR Hochschule fuer Technik Rapperswil - * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your @@ -35,7 +32,7 @@ /** * Maximum number of options in a command (+3) */ -#define MAX_OPTIONS 32 +#define MAX_OPTIONS 34 /** * Maximum number of usage summary lines (+1) @@ -82,12 +79,10 @@ struct command_t { * Command format options */ enum command_format_options_t { - COMMAND_FORMAT_NONE = 0, + COMMAND_FORMAT_NONE = 0, COMMAND_FORMAT_RAW = (1<<0), COMMAND_FORMAT_PRETTY = (1<<1), COMMAND_FORMAT_PEM = (1<<2), - COMMAND_FORMAT_SHORT = (1<<3), - COMMAND_FORMAT_UTC = (1<<4), }; /** diff --git a/src/swanctl/commands/list_certs.c b/src/swanctl/commands/list_certs.c index f3821a5588..b2ff3b5c75 100644 --- a/src/swanctl/commands/list_certs.c +++ b/src/swanctl/commands/list_certs.c @@ -27,15 +27,12 @@ #include #include -#include -#include - #include "command.h" /** - * Current certificate type info + * Static certificate printer object */ -static vici_cert_info_t *current_cert_info = NULL; +static certificate_printer_t *cert_printer = NULL; /** * Print PEM encoding of a certificate @@ -59,11 +56,10 @@ CALLBACK(list_cb, void, command_format_options_t *format, char *name, vici_res_t *res) { certificate_t *cert; - certificate_printer_t *printer; - vici_version_t version; - vici_cert_info_t *cert_info; - bool detailed, utc, has_privkey, first = FALSE; - char *version_str, *type_str; + certificate_type_t type; + x509_flag_t flag = X509_NONE; + bool has_privkey; + char *str; void *buf; int len; @@ -74,14 +70,6 @@ CALLBACK(list_cb, void, return; } - version_str = vici_find_str(res, "1.0", "vici"); - if (!enum_from_name(vici_version_names, version_str, &version) || - version == VICI_1_0) - { - fprintf(stderr, "unsupported vici version '%s'\n", version_str); - return; - } - buf = vici_find(res, &len, "data"); if (!buf) { @@ -90,23 +78,24 @@ CALLBACK(list_cb, void, } has_privkey = streq(vici_find_str(res, "no", "has_privkey"), "yes"); - type_str = vici_find_str(res, "any", "type"); - cert_info = vici_cert_info_retrieve(type_str); - if (!cert_info || cert_info->type == CERT_ANY) + str = vici_find_str(res, "ANY", "type"); + if (!enum_from_name(certificate_type_names, str, &type) || type == CERT_ANY) { - fprintf(stderr, "unsupported certificate type '%s'\n", type_str); + fprintf(stderr, "unsupported certificate type '%s'\n", str); return; } - - /* Detect change of certificate type */ - if (cert_info != current_cert_info) + if (type == CERT_X509) { - first = TRUE; - current_cert_info = cert_info; + str = vici_find_str(res, "ANY", "flag"); + if (!enum_from_name(x509_flag_names, str, &flag) || flag == X509_ANY) + { + fprintf(stderr, "unsupported certificate flag '%s'\n", str); + return; + } } /* Parse certificate data blob */ - cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, cert_info->type, + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type, BUILD_BLOB_ASN1_DER, chunk_create(buf, len), BUILD_END); if (cert) @@ -117,16 +106,8 @@ CALLBACK(list_cb, void, } else { - if (first) - { - printf("\nList of %ss:\n", cert_info->caption); - } - printf("\n"); - detailed = !(*format & COMMAND_FORMAT_SHORT); - utc = *format & COMMAND_FORMAT_UTC; - printer = certificate_printer_create(stdout, detailed, utc); - printer->print(printer, cert, has_privkey); - printer->destroy(printer); + cert_printer->print_caption(cert_printer, type, flag); + cert_printer->print(cert_printer, cert, has_privkey); } cert->destroy(cert); } @@ -141,7 +122,8 @@ static int list_certs(vici_conn_t *conn) vici_req_t *req; vici_res_t *res; command_format_options_t format = COMMAND_FORMAT_NONE; - char *arg, *subject = NULL, *type = NULL; + char *arg, *subject = NULL, *type = NULL, *flag = NULL; + bool detailed = TRUE, utc = FALSE; int ret; while (TRUE) @@ -156,6 +138,9 @@ static int list_certs(vici_conn_t *conn) case 't': type = arg; continue; + case 'f': + flag = arg; + continue; case 'p': format |= COMMAND_FORMAT_PEM; continue; @@ -166,10 +151,10 @@ static int list_certs(vici_conn_t *conn) format |= COMMAND_FORMAT_RAW; continue; case 'S': - format |= COMMAND_FORMAT_SHORT; + detailed = FALSE; continue; case 'U': - format |= COMMAND_FORMAT_UTC; + utc = TRUE; continue; case EOF: break; @@ -186,22 +171,28 @@ static int list_certs(vici_conn_t *conn) return ret; } req = vici_begin("list-certs"); - vici_add_version(req, VICI_VERSION); if (type) { vici_add_key_valuef(req, "type", "%s", type); } + if (flag) + { + vici_add_key_valuef(req, "flag", "%s", flag); + } if (subject) { vici_add_key_valuef(req, "subject", "%s", subject); } + cert_printer = certificate_printer_create(stdout, detailed, utc); res = vici_submit(req, conn); if (!res) { ret = errno; fprintf(stderr, "list-certs request failed: %s\n", strerror(errno)); + cert_printer->destroy(cert_printer); + cert_printer = NULL; return ret; } if (format & COMMAND_FORMAT_RAW) @@ -210,6 +201,9 @@ static int list_certs(vici_conn_t *conn) stdout); } vici_free_res(res); + + cert_printer->destroy(cert_printer); + cert_printer = NULL; return 0; } @@ -221,12 +215,14 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { list_certs, 'x', "list-certs", "list stored certificates", {"[--subject ] " - "[--type x509|x509ca|x509aa|x509ac|x509crl|x509ocsp|ocsp] " + "[--type x509|x509_ac|x509_crl|ocsp_response|pubkey]\n " + "[--flag none|ca|aa|ocsp|any] " "[--pem] [--raw|--pretty|--short|--utc]"}, { {"help", 'h', 0, "show usage information"}, {"subject", 's', 1, "filter by certificate subject"}, {"type", 't', 1, "filter by certificate type"}, + {"flag", 'f', 1, "filter by X.509 certificate flag"}, {"pem", 'p', 0, "print PEM encoding of certificate"}, {"raw", 'r', 0, "dump raw response message"}, {"pretty", 'P', 0, "dump raw response message in pretty print"}, diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c index d27b0fbf39..81204ca44d 100644 --- a/src/swanctl/commands/load_creds.c +++ b/src/swanctl/commands/load_creds.c @@ -30,11 +30,14 @@ #include #include +#include + /** * Load a single certificate over vici */ static bool load_cert(vici_conn_t *conn, command_format_options_t format, - char *dir, char *type, chunk_t data) + char *dir, certificate_type_t type, x509_flag_t flag, + chunk_t data) { vici_req_t *req; vici_res_t *res; @@ -42,7 +45,11 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format, req = vici_begin("load-cert"); - vici_add_key_valuef(req, "type", "%s", type); + vici_add_key_valuef(req, "type", "%N", certificate_type_names, type); + if (type == CERT_X509) + { + vici_add_key_valuef(req, "flag", "%N", x509_flag_names, flag); + } vici_add_key_value(req, "data", data.ptr, data.len); res = vici_submit(req, conn); @@ -64,7 +71,7 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format, } else { - printf("loaded %s certificate from '%s'\n", type, dir); + printf("loaded certificate from '%s'\n", dir); } vici_free_res(res); return ret; @@ -74,13 +81,17 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format, * Load certficiates from a directory */ static void load_certs(vici_conn_t *conn, command_format_options_t format, - char *type, char *dir) + char *type_str, char *dir) { enumerator_t *enumerator; + certificate_type_t type; + x509_flag_t flag; struct stat st; chunk_t *map; char *path; + vici_cert_info_from_str(type_str, &type, &flag); + enumerator = enumerator_create_directory(dir); if (enumerator) { @@ -91,7 +102,7 @@ static void load_certs(vici_conn_t *conn, command_format_options_t format, map = chunk_map(path, FALSE); if (map) { - load_cert(conn, format, path, type, *map); + load_cert(conn, format, path, type, flag, *map); chunk_unmap(map); } else @@ -446,7 +457,8 @@ static bool load_pkcs12(vici_conn_t *conn, command_format_options_t format, loaded = FALSE; if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding)) { - loaded = load_cert(conn, format, path, "x509", encoding); + loaded = load_cert(conn, format, path, CERT_X509, X509_NONE, + encoding); if (loaded) { fprintf(stderr, " %Y\n", cert->get_subject(cert)); @@ -682,11 +694,10 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format, load_certs(conn, format, "x509", SWANCTL_X509DIR); load_certs(conn, format, "x509ca", SWANCTL_X509CADIR); + load_certs(conn, format, "x509ocsp", SWANCTL_X509OCSPDIR); load_certs(conn, format, "x509aa", SWANCTL_X509AADIR); - load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR); load_certs(conn, format, "x509ac", SWANCTL_X509ACDIR); - load_certs(conn, format, "x509ocsp", SWANCTL_X509OCSPDIR); - load_certs(conn, format, "pubkey", SWANCTL_PUBKEYDIR); + load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR); load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR); load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);