1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  *
21  * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
22  */
23 
24 #include <stdio.h>
25 #include <strings.h>
26 #include <ctype.h>
27 #include <libgen.h>
28 #include <libintl.h>
29 #include <errno.h>
30 #include <sys/stat.h>
31 #include <kmfapiP.h>
32 #include "util.h"
33 
34 #define	LIB_NSS_PATH	"/usr/lib/mps/libnss3.so"
35 #define	LIB_NSPR_PATH	"/usr/lib/mps/libnspr4.so"
36 
/*
 * Return s, or the literal "<null>" placeholder when s is unset, so every
 * optional policy string is printed the same way.
 */
static const char *
plc_str(const char *s)
{
	return (s != NULL ? s : "<null>");
}

/*
 * Render a boolean policy flag as the localized "true"/"false".
 */
static const char *
plc_bool(int flag)
{
	return (flag ? gettext("true") : gettext("false"));
}

/*
 * Print one policy record to stdout in the human-readable format used by
 * "kmfcfg list".  Only reads plc; a NULL plc prints nothing.  The OCSP and
 * CRL sections appear only when the matching revocation method bit is set
 * in plc->revocation.
 *
 * NOTE(review): plc->name is printed with "%s" without a NULL check; the
 * caller is expected to pass a record that already passed
 * kmf_verify_policy() — confirm that check covers the name field.
 */
static void
show_policy(KMF_POLICY_RECORD *plc)
{
	int bit;
	int idx;

	if (plc == NULL)
		return;

	(void) printf("Name: %s\n", plc->name);
	(void) printf(gettext("Ignore Date: %s\n"), plc_bool(plc->ignore_date));
	(void) printf(gettext("Ignore Unknown EKUs: %s\n"),
	    plc_bool(plc->ignore_unknown_ekus));
	(void) printf(gettext("Ignore TA: %s\n"),
	    plc_bool(plc->ignore_trust_anchor));
	(void) printf(gettext("Validity Adjusted Time: %s\n"),
	    plc_str(plc->validity_adjusttime));

	/* The trust-anchor block is shown when either identifier is set. */
	if (plc->ta_name != NULL || plc->ta_serial != NULL) {
		(void) printf(gettext("Trust Anchor Certificate:\n"));
		(void) printf(gettext("\tName: %s\n"), plc_str(plc->ta_name));
		(void) printf(gettext("\tSerial Number: %s\n"),
		    plc_str(plc->ta_serial));
	} else {
		(void) printf(gettext("Trust Anchor Certificate: <null>\n"));
	}

	/* Key usage: name every set bit in the KULOWBIT..KUHIGHBIT range. */
	if (plc->ku_bits == 0) {
		(void) printf(gettext("Key Usage Bits: 0\n"));
	} else {
		(void) printf(gettext("Key Usage Bits: "));
		for (bit = KULOWBIT; bit <= KUHIGHBIT; bit++) {
			char *kuname =
			    kmf_ku_to_string(plc->ku_bits & (1 << bit));

			if (kuname != NULL)
				(void) printf("%s ", kuname);
		}
		(void) printf("\n");
	}

	/* Extended key usage: OID plus its symbolic name, if one is known. */
	if (plc->eku_set.eku_count <= 0) {
		(void) printf(gettext("Extended Key Usage Values: <null>\n"));
	} else {
		(void) printf(gettext("Extended Key Usage Values:\n"));
		for (idx = 0; idx < plc->eku_set.eku_count; idx++) {
			char *ekuname =
			    kmf_oid_to_ekuname(&plc->eku_set.ekulist[idx]);

			(void) printf("\t%s\t(%s)\n",
			    kmf_oid_to_string(&plc->eku_set.ekulist[idx]),
			    ekuname != NULL ? ekuname : "unknown");
		}
	}

	(void) printf(gettext("Validation Policy Information:\n"));

	if (plc->revocation & KMF_REVOCATION_METHOD_OCSP) {
		(void) printf(gettext("    OCSP:\n"));
		(void) printf(gettext("\tResponder URI: %s\n"),
		    plc_str(plc->VAL_OCSP_BASIC.responderURI));
		(void) printf(gettext("\tProxy: %s\n"),
		    plc_str(plc->VAL_OCSP_BASIC.proxy));
		(void) printf(
		    gettext("\tUse ResponderURI from Certificate: %s\n"),
		    plc_bool(plc->VAL_OCSP_BASIC.uri_from_cert));
		(void) printf(gettext("\tResponse lifetime: %s\n"),
		    plc_str(plc->VAL_OCSP_BASIC.response_lifetime));
		(void) printf(gettext("\tIgnore Response signature: %s\n"),
		    plc_bool(plc->VAL_OCSP_BASIC.ignore_response_sign));

		if (plc->VAL_OCSP.has_resp_cert) {
			(void) printf(gettext("\tResponder Certificate:\n"));
			(void) printf(gettext("\t\tName: %s\n"),
			    plc_str(plc->VAL_OCSP_RESP_CERT.name));
			(void) printf(gettext("\t\tSerial: %s\n"),
			    plc_str(plc->VAL_OCSP_RESP_CERT.serial));
		} else {
			(void) printf(
			    gettext("\tResponder Certificate: <null>\n"));
		}
	}

	if (plc->revocation & KMF_REVOCATION_METHOD_CRL) {
		(void) printf(gettext("    CRL:\n"));
		(void) printf(gettext("\tBase filename: %s\n"),
		    plc_str(plc->validation_info.crl_info.basefilename));
		(void) printf(gettext("\tDirectory: %s\n"),
		    plc_str(plc->validation_info.crl_info.directory));
		(void) printf(gettext("\tDownload and cache CRL: %s\n"),
		    plc_bool(plc->validation_info.crl_info.get_crl_uri));
		(void) printf(gettext("\tProxy: %s\n"),
		    plc_str(plc->validation_info.crl_info.proxy));
		(void) printf(gettext("\tIgnore CRL signature: %s\n"),
		    plc_bool(plc->validation_info.crl_info.ignore_crl_sign));
		(void) printf(gettext("\tIgnore CRL validity date: %s\n"),
		    plc_bool(plc->validation_info.crl_info.ignore_crl_date));
	}

	(void) printf(gettext("Mapper name: %s\n"),
	    plc_str(plc->mapper.mapname));
	(void) printf(gettext("Mapper pathname: %s\n"),
	    plc_str(plc->mapper.pathname));
	(void) printf(gettext("Mapper directory: %s\n"),
	    plc_str(plc->mapper.dir));
	(void) printf(gettext("Mapper options: %s\n"),
	    plc_str(plc->mapper.options));

	(void) printf("\n");
}
172 
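/*
 * Print the KMF plugin list to stdout: the built-in plugins, the NSS
 * plugin when its shared libraries are present on the system, and then
 * every plugin configured in the KMF configuration file (keystore name,
 * module path and, when set, its option string).
 *
 * Fix: the entry list returned by get_entrylist() was freed through the
 * traversal pointer, which is NULL once the loop finishes, so the list was
 * never released.  Walk the list with a separate cursor and free the head.
 */
void
show_plugin(void)
{
	conf_entrylist_t *phead = NULL;
	conf_entrylist_t *pnode;
	struct stat	statbuf;

	(void) printf(gettext("KMF plugin information:\n"));
	(void) printf(gettext("-----------------------\n"));

	/* List the built-in plugins */
	(void) printf("pkcs11:kmf_pkcs11.so.1 (built-in)\n");
	(void) printf("file:kmf_openssl.so.1 (built-in)\n");

	/*
	 * If the NSS libraries are not installed in the system,
	 * then we will not show the nss plugin either.  This is a
	 * presence check only; nothing is loaded from these paths here.
	 */
	if (stat(LIB_NSS_PATH, &statbuf) == 0 &&
	    stat(LIB_NSPR_PATH, &statbuf) == 0) {
		(void) printf("nss:kmf_nss.so.1 (built-in)\n");
	}

	/* List non-default plugins, if there is any. */
	if (get_entrylist(&phead) == KMF_OK) {
		for (pnode = phead; pnode != NULL; pnode = pnode->next) {
			(void) printf("%s:%s", pnode->entry->keystore,
			    pnode->entry->modulepath);

			if (pnode->entry->option == NULL)
				(void) printf("\n");
			else
				(void) printf(";option=%s\n",
				    pnode->entry->option);
		}
		/* phead is still the list head here, so the whole list goes. */
		free_entrylist(phead);
	}
}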
211 
212 
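/*
 * kmfcfg "list" subcommand.
 *
 *   -i dbfile   policy database to read (default: KMF_DEFAULT_POLICY_FILE)
 *   -p policy   show only the policy with this name
 *   -m          list plugins instead of policies; -i/-p given after -m is
 *               a usage error
 *
 * Each matching policy is checked with kmf_verify_policy() before it is
 * displayed; records that fail are reported on stderr and not printed.
 *
 * Returns KC_OK on success; KC_ERR_USAGE, KC_ERR_MEMORY, KC_ERR_ACCESS,
 * KC_ERR_FIND_POLICY or KC_ERR_VERIFY_POLICY otherwise; or the KMF_*
 * status from load_policies() when the database cannot be loaded.
 *
 * Fix: a repeated -i or -p leaked the string duplicated for the earlier
 * occurrence; it is now released before the new value is stored.
 */
int
kc_list(int argc, char *argv[])
{
	int		rv = KC_OK;
	int		opt, found = 0;
	extern int	optind_av;
	extern char	*optarg_av;
	char		*filename = NULL;
	char		*policyname = NULL;
	POLICY_LIST	*plclist = NULL, *pnode;
	int		sanity_err = 0;
	boolean_t	list_plugin = B_FALSE;

	while ((opt = getopt_av(argc, argv, "i:(dbfile)p:(policy)m(plugin)"))
	    != EOF) {
		switch (opt) {
		case 'i':
			if (list_plugin) {
				rv = KC_ERR_USAGE;
				break;
			}
			free(filename);	/* repeated -i: drop the earlier copy */
			filename = get_string(optarg_av, &rv);
			if (filename == NULL) {
				(void) fprintf(stderr,
				    gettext("Error dbfile input.\n"));
			}
			break;
		case 'p':
			if (list_plugin) {
				rv = KC_ERR_USAGE;
				break;
			}
			free(policyname); /* repeated -p: drop the earlier copy */
			policyname = get_string(optarg_av, &rv);
			if (policyname == NULL) {
				(void) fprintf(stderr,
				    gettext("Error policy name.\n"));
			}
			break;
		case 'm':
			list_plugin = B_TRUE;
			break;
		default:
			(void) fprintf(stderr,
			    gettext("Error input option.\n"));
			rv = KC_ERR_USAGE;
			break;
		}
		if (rv != KC_OK)
			goto out;
	}

	/* No additional args allowed. */
	argc -= optind_av;
	if (argc) {
		(void) fprintf(stderr,
		    gettext("Error input option\n"));
		rv = KC_ERR_USAGE;
		goto out;
	}

	if (list_plugin) {
		show_plugin();
		goto out;
	}

	if (filename == NULL) {
		filename = strdup(KMF_DEFAULT_POLICY_FILE);
		if (filename == NULL) {
			rv = KC_ERR_MEMORY;
			goto out;
		}
	}

	/*
	 * Readability check up front so the user gets a clear message.
	 * load_policies() must still handle open/read failures itself:
	 * the file can change between this check and the actual open.
	 */
	if (access(filename, R_OK) < 0) {
		int err = errno;	/* fprintf may clobber errno */
		(void) fprintf(stderr,
		    gettext("Cannot access \"%s\" for list - %s\n"), filename,
		    strerror(err));
		rv = KC_ERR_ACCESS;
		goto out;
	}

	rv = load_policies(filename, &plclist);
	if (rv != KMF_OK) {
		goto out;
	}

	/*
	 * Display every policy, or only the one named by -p.  Records that
	 * fail verification are reported but not shown.
	 * NOTE(review): assumes load_policies() never yields a record with a
	 * NULL name, since strcmp() and "%s" below take it unchecked — confirm.
	 */
	for (pnode = plclist; pnode != NULL; pnode = pnode->next) {
		KMF_POLICY_RECORD *plc = &pnode->plc;

		if (policyname != NULL && strcmp(policyname, plc->name) != 0)
			continue;

		found++;
		rv = kmf_verify_policy(plc);
		if (rv != KMF_OK) {
			(void) fprintf(stderr, gettext(
			    "Policy Name: '%s' is invalid\n"),
			    plc->name);
			sanity_err++;
		} else {
			show_policy(plc);
		}
	}

	free_policy_list(plclist);

	if (!found) {
		if (policyname)
			(void) fprintf(stderr, gettext(
			    "Cannot find policy '%s'\n"), policyname);
		else
			(void) fprintf(stderr, gettext("Cannot find "
			    "any policies to display\n"));
		rv = KC_ERR_FIND_POLICY;
	} else if (sanity_err) {
		rv = KC_ERR_VERIFY_POLICY;
	}

out:
	free(filename);		/* free(NULL) is a no-op */
	free(policyname);

	return (rv);
}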
345