From 518dd33c94e041db0444c7d1f33da363bb8e3faf Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Thu, 24 Mar 2016 11:59:32 +0100 Subject: Imported Upstream version 5.4.0 --- src/pki/Makefile.am | 5 +- src/pki/Makefile.in | 12 +- src/pki/command.c | 11 +- src/pki/command.h | 2 +- src/pki/commands/print.c | 543 ++--------------------------------------------- src/pki/man/Makefile.in | 2 + 6 files changed, 47 insertions(+), 528 deletions(-) (limited to 'src/pki') diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am index a3da0ab04..261e41c16 100644 --- a/src/pki/Makefile.am +++ b/src/pki/Makefile.am @@ -17,7 +17,10 @@ pki_SOURCES = pki.c pki.h command.c command.h \ commands/signcrl.c \ commands/verify.c -pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +pki_LDADD = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(PTHREADLIB) $(DLLIB) + pki.o : $(top_builddir)/config.status AM_CPPFLAGS = \ diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in index b4829f777..4b206c9c9 100644 --- a/src/pki/Makefile.in +++ b/src/pki/Makefile.in @@ -111,7 +111,9 @@ am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) \ commands/self.$(OBJEXT) commands/signcrl.$(OBJEXT) \ commands/verify.$(OBJEXT) pki_OBJECTS = $(am_pki_OBJECTS) -pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la +am__DEPENDENCIES_1 = +pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent @@ -431,6 +433,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ 
@@ -460,7 +464,10 @@ pki_SOURCES = pki.c pki.h command.c command.h \ commands/signcrl.c \ commands/verify.c -pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +pki_LDADD = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(PTHREADLIB) $(DLLIB) + AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -DPLUGINS=\""${pki_plugins}\"" @@ -919,6 +926,7 @@ uninstall-am: uninstall-binPROGRAMS mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-binPROGRAMS + pki.o : $(top_builddir)/config.status # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/src/pki/command.c b/src/pki/command.c index 13e81404c..ce704dbb8 100644 --- a/src/pki/command.c +++ b/src/pki/command.c @@ -172,6 +172,15 @@ void command_register(command_t command) "options", '+', 1, "read command line options from file" }; } + for (i = 0; cmds[registered].line[i]; i++) + { + if (i == MAX_LINES - 1) + { + fprintf(stderr, "command '%s' specifies too many usage summary " + "lines, please increase MAX_LINES\n", command.cmd); + break; + } + } } registered++; } @@ -208,7 +217,7 @@ int command_usage(char *error) } else { - for (i = 0; cmds[active].line[i]; i++) + for (i = 0; i < MAX_LINES && cmds[active].line[i]; i++) { if (i == 0) { diff --git a/src/pki/command.h b/src/pki/command.h index e55c579e4..449252eb8 100644 --- a/src/pki/command.h +++ b/src/pki/command.h @@ -34,7 +34,7 @@ /** * Maximum number of usage summary lines (+1) */ -#define MAX_LINES 10 +#define MAX_LINES 11 typedef struct command_t command_t; typedef struct command_option_t command_option_t; diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c index fa69de133..c367a21a9 100644 --- a/src/pki/commands/print.c +++ b/src/pki/commands/print.c 
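Review bot: The new loop in command_register only ever does anything when `i` reaches `MAX_LINES - 1`, and it stops at the first NULL entry, so for a contiguously filled `line[]` it is a roundabout way of testing whether the terminator slot is occupied; the direct form `if (cmds[registered].line[MAX_LINES - 1]) { fprintf(stderr, "command '%s' specifies too many usage summary lines, please increase MAX_LINES\n", command.cmd); }` expresses that in one statement. It is also diagnostic only: registration still proceeds with an unterminated `line[]`, so the real protection against reading past the array is the `i < MAX_LINES` bound added to command_usage in the following hunk, and a comment here saying so would help, e.g. `/* diagnostic only; command_usage bounds its loop by MAX_LINES */`. command_register begins outside the hunk and the declaration of `line[]` is not visible, so that its size is exactly MAX_LINES is inferred from the command.h change in this commit.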
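Review bot: The added `i < MAX_LINES` bound in command_usage repeats the constant the array is presumably declared with, so the two can drift if `line[]` is ever resized on its own; if the project provides an element-count macro, `i < countof(cmds[active].line)` would tie the bound to the declaration instead. When the terminator slot is occupied (the case the register-time warning reports) this loop now prints all MAX_LINES entries and stops, which appears to be the intent, but a short comment on the loop such as `/* bounded: line[] need not be NULL-terminated if a command overfills it */` would record why the extra condition is there. command_usage starts and ends outside the hunk.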
@@ -2,6 +2,9 @@ * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your 
@@ -15,540 +18,37 @@ #include "pki.h" -#include -#include #include -#include -#include -#include -#include +#include -#include #include -/** - * Print public key information - */ -static void print_pubkey(public_key_t *key) -{ - chunk_t chunk; - key_type_t type; - - type = key->get_type(key); - printf("pubkey: %N %d bits%s\n", key_type_names, type, - key->get_keysize(key), (type == KEY_BLISS) ? " strength" : ""); - - if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk)) - { - printf("keyid: %#B\n", &chunk); - } - if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk)) - { - printf("subjkey: %#B\n", &chunk); - } -} - /** * Print private key information */ static void print_key(private_key_t *key) { public_key_t *public; + chunk_t chunk; public = key->get_public_key(key); if (public) { - printf("private key with:\n"); - print_pubkey(public); - public->destroy(public); - } - else - { - printf("extracting public from private key failed\n"); - } -} - -/** - * Get a prefix for a named constraint identity type - */ -static char* get_type_pfx(identification_t *id) -{ - switch (id->get_type(id)) - { - case ID_RFC822_ADDR: - return "email:"; - case ID_FQDN: - return "dns:"; - default: - return ""; - } -} - -/** - * Print X509 specific certificate information - */ -static void print_x509(x509_t *x509) -{ - enumerator_t *enumerator; - identification_t *id; - traffic_selector_t *block; - chunk_t chunk; - bool first; - char *uri; - int len, explicit, inhibit; - x509_flag_t flags; - x509_cdp_t *cdp; - x509_cert_policy_t *policy; - x509_policy_mapping_t *mapping; - - chunk = chunk_skip_zero(x509->get_serial(x509)); - printf("serial: %#B\n", &chunk); - - first = TRUE; - enumerator = x509->create_subjectAltName_enumerator(x509); - while (enumerator->enumerate(enumerator, &id)) - { - if (first) - { - printf("altNames: "); - first = FALSE; - } - else - { - printf(", "); - } - printf("%Y", id); - } - if (!first) - { - printf("\n"); - } - enumerator->destroy(enumerator); - - 
flags = x509->get_flags(x509); - printf("flags: "); - if (flags & X509_CA) - { - printf("CA "); - } - if (flags & X509_CRL_SIGN) - { - printf("CRLSign "); - } - if (flags & X509_AA) - { - printf("AA "); - } - if (flags & X509_OCSP_SIGNER) - { - printf("OCSP "); - } - if (flags & X509_AA) - { - printf("AA "); - } - if (flags & X509_SERVER_AUTH) - { - printf("serverAuth "); - } - if (flags & X509_CLIENT_AUTH) - { - printf("clientAuth "); - } - if (flags & X509_IKE_INTERMEDIATE) - { - printf("iKEIntermediate "); - } - if (flags & X509_MS_SMARTCARD_LOGON) - { - printf("msSmartcardLogon "); - } - if (flags & X509_SELF_SIGNED) - { - printf("self-signed "); - } - printf("\n"); - - first = TRUE; - enumerator = x509->create_crl_uri_enumerator(x509); - while (enumerator->enumerate(enumerator, &cdp)) - { - if (first) - { - printf("CRL URIs: %s", cdp->uri); - first = FALSE; - } - else - { - printf(" %s", cdp->uri); - } - if (cdp->issuer) - { - printf(" (CRL issuer: %Y)", cdp->issuer); - } - printf("\n"); - } - enumerator->destroy(enumerator); - - first = TRUE; - enumerator = x509->create_ocsp_uri_enumerator(x509); - while (enumerator->enumerate(enumerator, &uri)) - { - if (first) - { - printf("OCSP URIs: %s\n", uri); - first = FALSE; - } - else - { - printf(" %s\n", uri); - } - } - enumerator->destroy(enumerator); - - len = x509->get_constraint(x509, X509_PATH_LEN); - if (len != X509_NO_CONSTRAINT) - { - printf("pathlen: %d\n", len); - } - - first = TRUE; - enumerator = x509->create_name_constraint_enumerator(x509, TRUE); - while (enumerator->enumerate(enumerator, &id)) - { - if (first) - { - printf("Permitted NameConstraints:\n"); - first = FALSE; - } - printf(" %s%Y\n", get_type_pfx(id), id); - } - enumerator->destroy(enumerator); - first = TRUE; - enumerator = x509->create_name_constraint_enumerator(x509, FALSE); - while (enumerator->enumerate(enumerator, &id)) - { - if (first) - { - printf("Excluded NameConstraints:\n"); - first = FALSE; - } - printf(" %s%Y\n", 
get_type_pfx(id), id); - } - enumerator->destroy(enumerator); - - first = TRUE; - enumerator = x509->create_cert_policy_enumerator(x509); - while (enumerator->enumerate(enumerator, &policy)) - { - char *oid; - - if (first) - { - printf("CertificatePolicies:\n"); - first = FALSE; - } - oid = asn1_oid_to_string(policy->oid); - if (oid) - { - printf(" %s\n", oid); - free(oid); - } - else - { - printf(" %#B\n", &policy->oid); - } - if (policy->cps_uri) - { - printf(" CPS: %s\n", policy->cps_uri); - } - if (policy->unotice_text) - { - printf(" Notice: %s\n", policy->unotice_text); - - } - } - enumerator->destroy(enumerator); - - first = TRUE; - enumerator = x509->create_policy_mapping_enumerator(x509); - while (enumerator->enumerate(enumerator, &mapping)) - { - char *issuer_oid, *subject_oid; - - if (first) - { - printf("PolicyMappings:\n"); - first = FALSE; - } - issuer_oid = asn1_oid_to_string(mapping->issuer); - subject_oid = asn1_oid_to_string(mapping->subject); - printf(" %s => %s\n", issuer_oid, subject_oid); - free(issuer_oid); - free(subject_oid); - } - enumerator->destroy(enumerator); - - explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY); - inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING); - len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY); - - if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT || - len != X509_NO_CONSTRAINT) - { - printf("PolicyConstraints:\n"); - if (explicit != X509_NO_CONSTRAINT) - { - printf(" requireExplicitPolicy: %d\n", explicit); - } - if (inhibit != X509_NO_CONSTRAINT) - { - printf(" inhibitPolicyMapping: %d\n", inhibit); - } - if (len != X509_NO_CONSTRAINT) - { - printf(" inhibitAnyPolicy: %d\n", len); - } - } - - chunk = x509->get_authKeyIdentifier(x509); - if (chunk.ptr) - { - printf("authkeyId: %#B\n", &chunk); - } - - chunk = x509->get_subjectKeyIdentifier(x509); - if (chunk.ptr) - { - printf("subjkeyId: %#B\n", &chunk); - } - if (x509->get_flags(x509) & 
X509_IP_ADDR_BLOCKS) - { - first = TRUE; - printf("addresses: "); - enumerator = x509->create_ipAddrBlock_enumerator(x509); - while (enumerator->enumerate(enumerator, &block)) - { - if (first) - { - first = FALSE; - } - else - { - printf(", "); - } - printf("%R", block); - } - enumerator->destroy(enumerator); - printf("\n"); - } -} - -/** - * Print CRL specific information - */ -static void print_crl(crl_t *crl) -{ - enumerator_t *enumerator; - time_t ts; - crl_reason_t reason; - chunk_t chunk; - int count = 0; - bool first; - char buf[64]; - struct tm tm; - x509_cdp_t *cdp; - - chunk = chunk_skip_zero(crl->get_serial(crl)); - printf("serial: %#B\n", &chunk); - - if (crl->is_delta_crl(crl, &chunk)) - { - chunk = chunk_skip_zero(chunk); - printf("delta CRL: for serial %#B\n", &chunk); - } - chunk = crl->get_authKeyIdentifier(crl); - printf("authKeyId: %#B\n", &chunk); - - first = TRUE; - enumerator = crl->create_delta_crl_uri_enumerator(crl); - while (enumerator->enumerate(enumerator, &cdp)) - { - if (first) - { - printf("freshest: %s", cdp->uri); - first = FALSE; - } - else - { - printf(" %s", cdp->uri); - } - if (cdp->issuer) - { - printf(" (CRL issuer: %Y)", cdp->issuer); - } - printf("\n"); - } - enumerator->destroy(enumerator); - - enumerator = crl->create_enumerator(crl); - while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) - { - count++; - } - enumerator->destroy(enumerator); - - printf("%d revoked certificate%s%s\n", count, - count == 1 ? "" : "s", count ? 
":" : ""); - enumerator = crl->create_enumerator(crl); - while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) - { - chunk = chunk_skip_zero(chunk); - localtime_r(&ts, &tm); - strftime(buf, sizeof(buf), "%F %T", &tm); - printf(" %#B %N %s\n", &chunk, crl_reason_names, reason, buf); - count++; - } - enumerator->destroy(enumerator); -} - -/** - * Print AC specific information - */ -static void print_ac(ac_t *ac) -{ - ac_group_type_t type; - identification_t *id; - enumerator_t *groups; - chunk_t chunk; - bool first = TRUE; - - chunk = chunk_skip_zero(ac->get_serial(ac)); - printf("serial: %#B\n", &chunk); - - id = ac->get_holderIssuer(ac); - if (id) - { - printf("hissuer: \"%Y\"\n", id); - } - chunk = chunk_skip_zero(ac->get_holderSerial(ac)); - if (chunk.ptr) - { - printf("hserial: %#B\n", &chunk); - } - groups = ac->create_group_enumerator(ac); - while (groups->enumerate(groups, &type, &chunk)) - { - int oid; - char *str; - - if (first) + printf(" privkey: %N %d bits\n", key_type_names, + public->get_type(public), public->get_keysize(public)); + if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk)) { - printf("groups: "); - first = FALSE; + printf(" keyid: %#B\n", &chunk); } - else + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk)) { - printf(" "); + printf(" subjkey: %#B\n", &chunk); } - switch (type) - { - case AC_GROUP_TYPE_STRING: - printf("%.*s", (int)chunk.len, chunk.ptr); - break; - case AC_GROUP_TYPE_OID: - oid = asn1_known_oid(chunk); - if (oid == OID_UNKNOWN) - { - str = asn1_oid_to_string(chunk); - if (str) - { - printf("%s", str); - free(str); - } - else - { - printf("OID:%#B", &chunk); - } - } - else - { - printf("%s", oid_names[oid].name); - } - break; - case AC_GROUP_TYPE_OCTETS: - printf("%#B", &chunk); - break; - } - printf("\n"); - } - groups->destroy(groups); - - chunk = ac->get_authKeyIdentifier(ac); - if (chunk.ptr) - { - printf("authkey: %#B\n", &chunk); - } -} - -/** - * Print certificate information - 
*/ -static void print_cert(certificate_t *cert) -{ - time_t now, notAfter, notBefore; - public_key_t *key; - - now = time(NULL); - - printf("cert: %N\n", certificate_type_names, cert->get_type(cert)); - if (cert->get_type(cert) != CERT_X509_CRL) - { - printf("subject: \"%Y\"\n", cert->get_subject(cert)); - } - printf("issuer: \"%Y\"\n", cert->get_issuer(cert)); - - cert->get_validity(cert, &now, ¬Before, ¬After); - printf("validity: not before %T, ", ¬Before, FALSE); - if (now < notBefore) - { - printf("not valid yet (valid in %V)\n", &now, ¬Before); - } - else - { - printf("ok\n"); - } - printf(" not after %T, ", ¬After, FALSE); - if (now > notAfter) - { - printf("expired (%V ago)\n", &now, ¬After); + public->destroy(public); } else { - printf("ok (expires in %V)\n", &now, ¬After); - } - - switch (cert->get_type(cert)) - { - case CERT_X509: - print_x509((x509_t*)cert); - break; - case CERT_X509_CRL: - print_crl((crl_t*)cert); - break; - case CERT_X509_AC: - print_ac((ac_t*)cert); - break; - default: - printf("parsing certificate subtype %N not implemented\n", - certificate_type_names, cert->get_type(cert)); - break; - } - key = cert->get_public_key(cert); - if (key) - { - print_pubkey(key); - key->destroy(key); + printf("extracting public from private key failed\n"); } } @@ -586,8 +86,8 @@ static int print() } else if (streq(arg, "pub")) { - type = CRED_PUBLIC_KEY; - subtype = KEY_ANY; + type = CRED_CERTIFICATE; + subtype = CERT_TRUSTED_PUBKEY; } else if (streq(arg, "rsa-priv")) { 
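Review bot: The rewritten print_key drops the `strength` qualifier that the removed print_pubkey appended for BLISS keys (`(type == KEY_BLISS) ? " strength" : ""`), so a BLISS private key is now reported as `N bits` where the old output said `N bits strength`. If that distinction still matters, fetch the type once and restore the suffix: `key_type_t type = public->get_type(public);` followed by `printf("  privkey:   %N %d bits%s\n", key_type_names, type, public->get_keysize(public), (type == KEY_BLISS) ? " strength" : "");`. The removed x509, CRL and AC printers presumably moved into the certificate_printer_t used later in this file; a one-line comment above print_key noting that private keys are the only credential still formatted locally would make that split easier to follow. print_key is entirely within the hunk.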
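Review bot: Changing `pub` to `type = CRED_CERTIFICATE; subtype = CERT_TRUSTED_PUBKEY;` quietly alters what the option means: a bare public key is now loaded as a trusted-pubkey certificate and goes through the certificate path, while the old `CRED_PUBLIC_KEY` branch is deleted in the hunk at -647. Nothing in the hunk explains this, so a comment on the branch would help, e.g. `/* load raw public keys as CERT_TRUSTED_PUBKEY so the certificate printer handles them */`. Whether the usage text for `--type pub` (outside this hunk) still describes a plain public key should be checked. print() starts and ends outside the hunk.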
@@ -647,17 +147,13 @@ static int print() if (type == CRED_CERTIFICATE) { certificate_t *cert = (certificate_t*)cred; + certificate_printer_t *printer; - print_cert(cert); + printer = certificate_printer_create(stdout, TRUE, FALSE); + printer->print(printer, cert, FALSE); + printer->destroy(printer); cert->destroy(cert); } - if (type == CRED_PUBLIC_KEY) - { - public_key_t *key = (public_key_t*)cred; - - print_pubkey(key); - key->destroy(key); - } if (type == CRED_PRIVATE_KEY) { private_key_t *key = (private_key_t*)cred; @@ -665,6 +161,7 @@ static int print() print_key(key); key->destroy(key); } + return 0; } diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in index 62942d108..e61230929 100644 --- a/src/pki/man/Makefile.in +++ b/src/pki/man/Makefile.in @@ -370,6 +370,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ -- cgit v1.2.3
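Review bot: `printer->print(printer, cert, FALSE)` dereferences the result of `certificate_printer_create` without checking it; if that constructor can return NULL on allocation failure this is a null dereference, and if it cannot, a comment stating that contract would save the next reader the question. The three bare boolean arguments (`TRUE, FALSE` to the constructor and `FALSE` to print) are opaque at the call site; naming them in trailing comments, e.g. `/* detailed, utc */` and `/* has_privkey */` if those are indeed the parameter names, would help. print() starts outside the hunk.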