diff options
Diffstat (limited to 'src/libstrongswan/credentials/certificates/certificate_printer.c')
| -rw-r--r-- | src/libstrongswan/credentials/certificates/certificate_printer.c | 753 |
1 files changed, 753 insertions, 0 deletions
diff --git a/src/libstrongswan/credentials/certificates/certificate_printer.c b/src/libstrongswan/credentials/certificates/certificate_printer.c new file mode 100644 index 000000000..c618e80bf --- /dev/null +++ b/src/libstrongswan/credentials/certificates/certificate_printer.c @@ -0,0 +1,753 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "certificate_printer.h" +#include "credentials/certificates/x509.h" +#include "credentials/certificates/crl.h" +#include "credentials/certificates/ac.h" +#include "credentials/certificates/ocsp_response.h" +#include "credentials/certificates/pgp_certificate.h" + +#include <asn1/asn1.h> +#include <asn1/oid.h> +#include <selectors/traffic_selector.h> + +#include <time.h> + +typedef struct private_certificate_printer_t private_certificate_printer_t; + +/** + * Private data of an certificate_printer_t object. + */ +struct private_certificate_printer_t { + + /** + * Public certificate_printer_t interface. + */ + certificate_printer_t public; + + /** + * File to print to + */ + FILE *f; + + /** + * Print detailed certificate information + */ + bool detailed; + + /** + * Print time information in UTC + */ + bool utc; + + /** + * Previous certificate type + */ + certificate_type_t type; + + /** + * Previous X.509 certificate flag + */ + x509_flag_t flag; + +}; + +/** + * Print X509 specific certificate information + */ +static void print_x509(private_certificate_printer_t *this, x509_t *x509) +{ + enumerator_t *enumerator; + identification_t *id; + traffic_selector_t *block; + chunk_t chunk; + bool first; + char *uri; + int len, explicit, inhibit; + x509_flag_t flags; + x509_cdp_t *cdp; + x509_cert_policy_t *policy; + x509_policy_mapping_t *mapping; + FILE *f = this->f; + + chunk = chunk_skip_zero(x509->get_serial(x509)); + fprintf(f, " serial: %#B\n", &chunk); + + first = TRUE; + enumerator = x509->create_subjectAltName_enumerator(x509); + while (enumerator->enumerate(enumerator, &id)) + { + if (first) + { + fprintf(f, " altNames: "); + first = FALSE; + } + else + { + fprintf(f, ", "); + } + fprintf(f, "%Y", id); + } + if (!first) + { + fprintf(f, "\n"); + } + enumerator->destroy(enumerator); + + if (this->detailed) + { + flags = x509->get_flags(x509); + if (flags != X509_NONE) + { + fprintf(f, " flags: "); + if (flags & X509_CA) + { + fprintf(f, "CA "); + } + if (flags & X509_CRL_SIGN) + { + fprintf(f, "CRLSign "); + } + if (flags & X509_OCSP_SIGNER) + { + fprintf(f, "ocspSigning "); + } + if (flags & X509_SERVER_AUTH) + { + fprintf(f, "serverAuth "); + } + if (flags & X509_CLIENT_AUTH) + { + fprintf(f, "clientAuth "); + } + if (flags & X509_IKE_INTERMEDIATE) + { + fprintf(f, "ikeIntermediate "); + } + if (flags & X509_MS_SMARTCARD_LOGON) + { + fprintf(f, "msSmartcardLogon"); + } + if (flags & X509_SELF_SIGNED) + { + fprintf(f, "self-signed "); + } + fprintf(f, "\n"); + } + + first = TRUE; + enumerator = x509->create_crl_uri_enumerator(x509); + while (enumerator->enumerate(enumerator, &cdp)) + { + if (first) + { + fprintf(f, " CRL URIs: %s", cdp->uri); + first = FALSE; + } + else + { + fprintf(f, " %s", cdp->uri); + } + if (cdp->issuer) + { + fprintf(f, " (CRL issuer: %Y)", cdp->issuer); + } + fprintf(f, "\n"); + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_ocsp_uri_enumerator(x509); + while (enumerator->enumerate(enumerator, &uri)) + { + if (first) + { + fprintf(f, " OCSP URIs: %s\n", uri); + first = FALSE; + } + else + { + fprintf(f, " %s\n", uri); + } + } + enumerator->destroy(enumerator); + + len = x509->get_constraint(x509, X509_PATH_LEN); + if (len != X509_NO_CONSTRAINT) + { + fprintf(f, " pathlen: %d\n", len); + } + + first = TRUE; + enumerator = x509->create_name_constraint_enumerator(x509, TRUE); + while (enumerator->enumerate(enumerator, &id)) + { + if (first) + { + fprintf(f, " permitted nameConstraints:\n"); + first = FALSE; + } + fprintf(f, " %Y\n", id); + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_name_constraint_enumerator(x509, FALSE); + while (enumerator->enumerate(enumerator, &id)) + { + if (first) + { + fprintf(f, " excluded nameConstraints:\n"); + first = FALSE; + } + fprintf(f, " %Y\n", id); + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_cert_policy_enumerator(x509); + while (enumerator->enumerate(enumerator, &policy)) + { + char *oid; + + if (first) + { + fprintf(f, " certificatePolicies:\n"); + first = FALSE; + } + oid = asn1_oid_to_string(policy->oid); + if (oid) + { + fprintf(f, " %s\n", oid); + free(oid); + } + else + { + fprintf(f, " %#B\n", &policy->oid); + } + if (policy->cps_uri) + { + fprintf(f, " CPS: %s\n", policy->cps_uri); + } + if (policy->unotice_text) + { + fprintf(f, " Notice: %s\n", policy->unotice_text); + } + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_policy_mapping_enumerator(x509); + while (enumerator->enumerate(enumerator, &mapping)) + { + char *issuer_oid, *subject_oid; + + if (first) + { + fprintf(f, " policyMappings:\n"); + first = FALSE; + } + issuer_oid = asn1_oid_to_string(mapping->issuer); + subject_oid = asn1_oid_to_string(mapping->subject); + fprintf(f, " %s => %s\n", issuer_oid, subject_oid); + free(issuer_oid); + free(subject_oid); + } + enumerator->destroy(enumerator); + + explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY); + inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING); + len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY); + + if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT || + len != X509_NO_CONSTRAINT) + { + fprintf(f, " policyConstraints:\n"); + if (explicit != X509_NO_CONSTRAINT) + { + fprintf(f, " requireExplicitPolicy: %d\n", explicit); + } + if (inhibit != X509_NO_CONSTRAINT) + { + fprintf(f, " inhibitPolicyMapping: %d\n", inhibit); + } + if (len != X509_NO_CONSTRAINT) + { + fprintf(f, " inhibitAnyPolicy: %d\n", len); + } + } + + if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS) + { + first = TRUE; + fprintf(f, " addresses: "); + enumerator = x509->create_ipAddrBlock_enumerator(x509); + while (enumerator->enumerate(enumerator, &block)) + { + if (first) + { + first = FALSE; + } + else + { + fprintf(f, ", "); + } + fprintf(f, "%R", block); + } + enumerator->destroy(enumerator); + fprintf(f, "\n"); + } + } + + chunk = x509->get_authKeyIdentifier(x509); + if (chunk.ptr) + { + fprintf(f, " authkeyId: %#B\n", &chunk); + } + + chunk = x509->get_subjectKeyIdentifier(x509); + if (chunk.ptr) + { + fprintf(f, " subjkeyId: %#B\n", &chunk); + } +} + +/** + * Print CRL specific information + */ +static void print_crl(private_certificate_printer_t *this, crl_t *crl) +{ + enumerator_t *enumerator; + time_t ts; + crl_reason_t reason; + chunk_t chunk; + int count = 0; + bool first; + x509_cdp_t *cdp; + FILE *f = this->f; + + chunk = chunk_skip_zero(crl->get_serial(crl)); + fprintf(f, " serial: %#B\n", &chunk); + + if (crl->is_delta_crl(crl, &chunk)) + { + chunk = chunk_skip_zero(chunk); + fprintf(f, " delta CRL: for serial %#B\n", &chunk); + } + chunk = crl->get_authKeyIdentifier(crl); + fprintf(f, " authKeyId: %#B\n", &chunk); + + first = TRUE; + enumerator = crl->create_delta_crl_uri_enumerator(crl); + while (enumerator->enumerate(enumerator, &cdp)) + { + if (first) + { + fprintf(f, " freshest: %s", cdp->uri); + first = FALSE; + } + else + { + fprintf(f, " %s", cdp->uri); + } + if (cdp->issuer) + { + fprintf(f, " (CRL issuer: %Y)", cdp->issuer); + } + fprintf(f, "\n"); + } + enumerator->destroy(enumerator); + + enumerator = crl->create_enumerator(crl); + while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) + { + count++; + } + enumerator->destroy(enumerator); + + fprintf(f, " %d revoked certificate%s%s\n", count, (count == 1) ? "" : "s", + (count && this->detailed) ? ":" : ""); + + if (this->detailed) + { + enumerator = crl->create_enumerator(crl); + while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) + { + chunk = chunk_skip_zero(chunk); + fprintf(f, " %#B: %T, %N\n", &chunk, &ts, this->utc, + crl_reason_names, reason); + } + enumerator->destroy(enumerator); + } +} + +/** + * Print AC specific information + */ +static void print_ac(private_certificate_printer_t *this, ac_t *ac) +{ + ac_group_type_t type; + identification_t *id; + enumerator_t *groups; + chunk_t chunk; + bool first = TRUE; + FILE *f = this->f; + + chunk = chunk_skip_zero(ac->get_serial(ac)); + fprintf(f, " serial: %#B\n", &chunk); + + id = ac->get_holderIssuer(ac); + if (id) + { + fprintf(f, " hissuer: \"%Y\"\n", id); + } + chunk = chunk_skip_zero(ac->get_holderSerial(ac)); + if (chunk.ptr) + { + fprintf(f, " hserial: %#B\n", &chunk); + } + groups = ac->create_group_enumerator(ac); + while (groups->enumerate(groups, &type, &chunk)) + { + int oid; + char *str; + + if (first) + { + fprintf(f, " groups: "); + first = FALSE; + } + else + { + fprintf(f, " "); + } + switch (type) + { + case AC_GROUP_TYPE_STRING: + fprintf(f, "%.*s", (int)chunk.len, chunk.ptr); + break; + case AC_GROUP_TYPE_OID: + oid = asn1_known_oid(chunk); + if (oid == OID_UNKNOWN) + { + str = asn1_oid_to_string(chunk); + if (str) + { + fprintf(f, "%s", str); + free(str); + } + else + { + fprintf(f, "OID:%#B", &chunk); + } + } + else + { + fprintf(f, "%s", oid_names[oid].name); + } + break; + case AC_GROUP_TYPE_OCTETS: + fprintf(f, "%#B", &chunk); + break; + } + fprintf(f, "\n"); + } + groups->destroy(groups); + + chunk = ac->get_authKeyIdentifier(ac); + if (chunk.ptr) + { + fprintf(f, " authkey: %#B\n", &chunk); + } +} + +/** + * Print OCSP response specific information + */ +static void print_ocsp_response(private_certificate_printer_t *this, + ocsp_response_t *ocsp_response) +{ + enumerator_t *enumerator; + chunk_t serialNumber; + cert_validation_t status; + char *status_text; + time_t revocationTime; + crl_reason_t *revocationReason; + bool first = TRUE; + FILE *f = this->f; + + if (this->detailed) + { + fprintf(f, " responses: "); + + enumerator = ocsp_response->create_response_enumerator(ocsp_response); + while (enumerator->enumerate(enumerator, &serialNumber, &status, + &revocationTime, &revocationReason)) + { + if (first) + { + first = FALSE; + } + else + { + fprintf(f, " "); + } + serialNumber = chunk_skip_zero(serialNumber); + + switch (status) + { + case VALIDATION_GOOD: + status_text = "good"; + break; + case VALIDATION_REVOKED: + status_text = "revoked"; + break; + default: + status_text = "unknown"; + } + fprintf(f, "%#B: %s", &serialNumber, status_text); + + if (status == VALIDATION_REVOKED) + { + fprintf(f, " on %T, %N", &revocationTime, this->utc, + crl_reason_names, revocationReason); + } + fprintf(f, "\n"); + } + enumerator->destroy(enumerator); + } +} + +/** + * Print public key information + */ +static void print_pubkey(private_certificate_printer_t *this, public_key_t *key, + bool has_privkey) +{ + chunk_t chunk; + FILE *f = this->f; + + fprintf(f, " pubkey: %N %d bits", key_type_names, key->get_type(key), + key->get_keysize(key)); + if (has_privkey) + { + fprintf(f, ", has private key"); + } + fprintf(f, "\n"); + if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk)) + { + fprintf(f, " keyid: %#B\n", &chunk); + } + if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk)) + { + fprintf(f, " subjkey: %#B\n", &chunk); + } +} + +METHOD(certificate_printer_t, print, void, + private_certificate_printer_t *this, certificate_t *cert, bool has_privkey) +{ + time_t now, notAfter, notBefore; + certificate_type_t type; + identification_t *subject; + char *t0, *t1, *t2; + public_key_t *key; + FILE *f = this->f; + + now = time(NULL); + type = cert->get_type(cert); + subject = cert->get_subject(cert); + + if ((type != CERT_X509_CRL && type != CERT_X509_OCSP_RESPONSE && + type != CERT_TRUSTED_PUBKEY) || + (type == CERT_TRUSTED_PUBKEY && subject->get_type(subject) != ID_KEY_ID)) + { + fprintf(f, " subject: \"%Y\"\n", subject); + } + if (type != CERT_TRUSTED_PUBKEY && type != CERT_GPG) + { + fprintf(f, " issuer: \"%Y\"\n", cert->get_issuer(cert)); + } + + /* list validity if set */ + cert->get_validity(cert, &now, ¬Before, ¬After); + if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME) + { + if (type == CERT_GPG) + { + fprintf(f, " created: %T\n", ¬Before, this->utc); + fprintf(f, " until: %T%s\n", ¬After, this->utc, + (notAfter == TIME_32_BIT_SIGNED_MAX) ?" expires never" : ""); + } + else + { + if (type == CERT_X509_CRL || type == CERT_X509_OCSP_RESPONSE) + { + t0 = "update: "; + t1 = "this on"; + t2 = "next on"; + } + else + { + t0 = "validity:"; + t1 = "not before"; + t2 = "not after "; + } + fprintf(f, " %s %s %T, ", t0, t1, ¬Before, this->utc); + if (now < notBefore) + { + fprintf(f, "not valid yet (valid in %V)\n", &now, ¬Before); + } + else + { + fprintf(f, "ok\n"); + } + fprintf(f, " %s %T, ", t2, ¬After, this->utc); + if (now > notAfter) + { + fprintf(f, "expired (%V ago)\n", &now, ¬After); + } + else + { + fprintf(f, "ok (expires in %V)\n", &now, ¬After); + } + } + } + + switch (cert->get_type(cert)) + { + case CERT_X509: + print_x509(this, (x509_t*)cert); + break; + case CERT_X509_CRL: + print_crl(this, (crl_t*)cert); + break; + case CERT_X509_AC: + print_ac(this, (ac_t*)cert); + break; + case CERT_X509_OCSP_RESPONSE: + print_ocsp_response(this, (ocsp_response_t*)cert); + break; + case CERT_TRUSTED_PUBKEY: + default: + break; + } + if (type == CERT_GPG) + { + pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert; + chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert); + + fprintf(f, " pgpDigest: %#B\n", &fingerprint); + } + key = cert->get_public_key(cert); + if (key) + { + print_pubkey(this, key, has_privkey); + key->destroy(key); + } +} + +METHOD(certificate_printer_t, print_caption, void, + private_certificate_printer_t *this, certificate_type_t type, + x509_flag_t flag) +{ + char *caption; + + if (type != this->type || (type == CERT_X509 && flag != this->flag)) + { + switch (type) + { + case CERT_X509: + switch (flag) + { + case X509_NONE: + caption = "X.509 End Entity Certificate"; + break; + case X509_CA: + caption = "X.509 CA Certificate"; + break; + case X509_AA: + caption = "X.509 AA Certificate"; + break; + case X509_OCSP_SIGNER: + caption = "X.509 OCSP Signer Certificate"; + break; + default: + return; + } + break; + case CERT_X509_AC: + caption = "X.509 Attribute Certificate"; + break; + case CERT_X509_CRL: + caption = "X.509 CRL"; + break; + case CERT_X509_OCSP_RESPONSE: + caption = "OCSP Response"; + break; + case CERT_TRUSTED_PUBKEY: + caption = "Raw Public Key"; + break; + case CERT_GPG: + caption = "PGP End Entity Certificate"; + break; + default: + return; + } + fprintf(this->f, "\nList of %ss\n", caption); + + /* Update to current type and flag value */ + this->type = type; + if (type == CERT_X509) + { + this->flag = flag; + } + } + fprintf(this->f, "\n"); +} + +METHOD(certificate_printer_t, destroy, void, + private_certificate_printer_t *this) +{ + free(this); +} + +/** + * See header + */ +certificate_printer_t *certificate_printer_create(FILE *f, bool detailed, + bool utc) +{ + private_certificate_printer_t *this; + + INIT(this, + .public = { + .print = _print, + .print_caption = _print_caption, + .destroy = _destroy, + }, + .f = f, + .detailed = detailed, + .utc = utc, + .type = CERT_ANY, + .flag = X509_ANY, + ); + + return &this->public; +} |