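/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>
#include <libgen.h>
#include <libintl.h>
#include <errno.h>
#include <unistd.h>
#include <sys/stat.h>
#include <kmfapiP.h>
#include "util.h"

#define	LIB_NSS_PATH	"/usr/lib/mps/libnss3.so"
#define	LIB_NSPR_PATH	"/usr/lib/mps/libnspr4.so"

/*
 * Translated "true"/"false" label for a boolean policy field.
 */
static const char *
bool_str(int val)
{
	return (val ? gettext("true") : gettext("false"));
}

/*
 * Return s itself, or the literal "<null>" when the field is unset.
 */
static const char *
str_or_null(const char *s)
{
	return (s != NULL ? s : "<null>");
}

/*
 * Print one policy record to stdout in the human-readable format used by
 * "kmfcfg list".  Optional string fields print as "<null>"; boolean fields
 * print as (translated) true/false.  A NULL plc prints nothing.
 */
static void
show_policy(KMF_POLICY_RECORD *plc)
{
	int i;

	if (plc == NULL)
		return;

	(void) printf("Name: %s\n", plc->name);

	(void) printf(gettext("Ignore Date: %s\n"),
	    bool_str(plc->ignore_date));

	(void) printf(gettext("Ignore Unknown EKUs: %s\n"),
	    bool_str(plc->ignore_unknown_ekus));

	(void) printf(gettext("Ignore TA: %s\n"),
	    bool_str(plc->ignore_trust_anchor));

	(void) printf(gettext("Validity Adjusted Time: %s\n"),
	    str_or_null(plc->validity_adjusttime));

	/* Trust anchor: either both fields unset, or print whatever is set. */
	if (plc->ta_name == NULL && plc->ta_serial == NULL) {
		(void) printf(gettext("Trust Anchor Certificate: <null>\n"));
	} else {
		(void) printf(gettext("Trust Anchor Certificate:\n"));
		(void) printf(gettext("\tName: %s\n"),
		    str_or_null(plc->ta_name));
		(void) printf(gettext("\tSerial Number: %s\n"),
		    str_or_null(plc->ta_serial));
	}

	/*
	 * Key usage: walk every bit position in the KMF KU range and print
	 * the name of each bit that is set.
	 */
	if (plc->ku_bits != 0) {
		(void) printf(gettext("Key Usage Bits: "));
		for (i = KULOWBIT; i <= KUHIGHBIT; i++) {
			char *s = kmf_ku_to_string(
			    (plc->ku_bits & (1 << i)));
			if (s != NULL) {
				(void) printf("%s ", s);
			}
		}
		(void) printf("\n");
	} else {
		(void) printf(gettext("Key Usage Bits: 0\n"));
	}

	/* Extended key usage: dotted OID plus its name, if KMF knows one. */
	if (plc->eku_set.eku_count > 0) {
		(void) printf(gettext("Extended Key Usage Values:\n"));
		for (i = 0; i < plc->eku_set.eku_count; i++) {
			char *s = kmf_oid_to_ekuname(
			    &plc->eku_set.ekulist[i]);
			(void) printf("\t%s\t(%s)\n",
			    kmf_oid_to_string(&plc->eku_set.ekulist[i]),
			    s ? s : "unknown");
		}
	} else {
		(void) printf(gettext("Extended Key Usage Values: <null>\n"));
	}

	(void) printf(gettext("Validation Policy Information:\n"));

	if (plc->revocation & KMF_REVOCATION_METHOD_OCSP) {
		(void) printf(gettext("    OCSP:\n"));

		(void) printf(gettext("\tResponder URI: %s\n"),
		    str_or_null(plc->VAL_OCSP_BASIC.responderURI));

		(void) printf(gettext("\tProxy: %s\n"),
		    str_or_null(plc->VAL_OCSP_BASIC.proxy));

		(void) printf(gettext("\tUse ResponderURI from Certificate: "
		    "%s\n"), bool_str(plc->VAL_OCSP_BASIC.uri_from_cert));

		(void) printf(gettext("\tResponse lifetime: %s\n"),
		    str_or_null(plc->VAL_OCSP_BASIC.response_lifetime));

		(void) printf(gettext("\tIgnore Response signature: %s\n"),
		    bool_str(plc->VAL_OCSP_BASIC.ignore_response_sign));

		if (!plc->VAL_OCSP.has_resp_cert) {
			(void) printf(gettext("\tResponder Certificate:"
			    " <null>\n"));
		} else {
			(void) printf(gettext("\tResponder Certificate:\n"));
			(void) printf(gettext("\t\tName: %s\n"),
			    str_or_null(plc->VAL_OCSP_RESP_CERT.name));
			(void) printf(gettext("\t\tSerial: %s\n"),
			    str_or_null(plc->VAL_OCSP_RESP_CERT.serial));
		}
	}

	if (plc->revocation & KMF_REVOCATION_METHOD_CRL) {
		(void) printf(gettext("    CRL:\n"));

		(void) printf(gettext("\tBase filename: %s\n"),
		    str_or_null(plc->validation_info.crl_info.basefilename));

		(void) printf(gettext("\tDirectory: %s\n"),
		    str_or_null(plc->validation_info.crl_info.directory));

		(void) printf(gettext("\tDownload and cache CRL: %s\n"),
		    bool_str(plc->validation_info.crl_info.get_crl_uri));

		(void) printf(gettext("\tProxy: %s\n"),
		    str_or_null(plc->validation_info.crl_info.proxy));

		(void) printf(gettext("\tIgnore CRL signature: %s\n"),
		    bool_str(plc->validation_info.crl_info.ignore_crl_sign));

		(void) printf(gettext("\tIgnore CRL validity date: %s\n"),
		    bool_str(plc->validation_info.crl_info.ignore_crl_date));
	}

	(void) printf(gettext("Mapper name: %s\n"),
	    str_or_null(plc->mapper.mapname));
	(void) printf(gettext("Mapper pathname: %s\n"),
	    str_or_null(plc->mapper.pathname));
	(void) printf(gettext("Mapper directory: %s\n"),
	    str_or_null(plc->mapper.dir));
	(void) printf(gettext("Mapper options: %s\n"),
	    str_or_null(plc->mapper.options));

	(void) printf("\n");
}

/*
 * Print the list of KMF plugins: the built-in ones (nss only when the NSS
 * and NSPR shared objects are present on the system), followed by any
 * additional plugins recorded in the KMF configuration.
 */
void
show_plugin(void)
{
	conf_entrylist_t *phead = NULL;
	struct stat statbuf;

	(void) printf(gettext("KMF plugin information:\n"));
	(void) printf(gettext("-----------------------\n"));

	/* List the built-in plugins */
	(void) printf("pkcs11:kmf_pkcs11.so.1 (built-in)\n");
	(void) printf("file:kmf_openssl.so.1 (built-in)\n");

	/*
	 * If the NSS libraries are not installed in the system,
	 * then we will not show the nss plugin either.
	 */
	if (stat(LIB_NSS_PATH, &statbuf) == 0 &&
	    stat(LIB_NSPR_PATH, &statbuf) == 0) {
		(void) printf("nss:kmf_nss.so.1 (built-in)\n");
	}

	/* List non-default plugins, if there is any. */
	if (get_entrylist(&phead) == KMF_OK) {
		conf_entrylist_t *ptr;

		/*
		 * Walk with a separate cursor: free_entrylist() needs the
		 * list head, so phead must not be advanced by the loop.
		 */
		for (ptr = phead; ptr != NULL; ptr = ptr->next) {
			(void) printf("%s:%s", ptr->entry->keystore,
			    ptr->entry->modulepath);

			if (ptr->entry->option == NULL)
				(void) printf("\n");
			else
				(void) printf(";option=%s\n",
				    ptr->entry->option);
		}
		free_entrylist(phead);
	}
}

/*
 * "kmfcfg list" entry point.
 *
 * Options:
 *   -i dbfile   policy DB to read (default: KMF_DEFAULT_POLICY_FILE)
 *   -p policy   show only the policy with this name
 *   -m          show plugin information instead; cannot be combined
 *               with -i or -p, regardless of option order
 *
 * Returns KC_OK on success, or one of the KC_ERR_* codes: KC_ERR_USAGE
 * for bad options, KC_ERR_MEMORY on allocation failure, KC_ERR_ACCESS when
 * the policy DB is unreadable, KC_ERR_FIND_POLICY when nothing matched and
 * KC_ERR_VERIFY_POLICY when at least one matched policy failed
 * kmf_verify_policy().  Whatever load_policies() returns on failure is
 * passed through unchanged.
 */
int
kc_list(int argc, char *argv[])
{
	int rv = KC_OK;
	int opt, found = 0;
	extern int optind_av;
	extern char *optarg_av;
	char *filename = NULL;
	char *policyname = NULL;
	POLICY_LIST *plclist = NULL, *pnode;
	int sanity_err = 0;
	boolean_t list_plugin = B_FALSE;

	while ((opt = getopt_av(argc, argv, "i:(dbfile)p:(policy)m(plugin)"))
	    != EOF) {
		switch (opt) {
		case 'i':
			filename = get_string(optarg_av, &rv);
			if (filename == NULL) {
				(void) fprintf(stderr,
				    gettext("Error dbfile input.\n"));
			}
			break;
		case 'p':
			policyname = get_string(optarg_av, &rv);
			if (policyname == NULL) {
				(void) fprintf(stderr,
				    gettext("Error policy name.\n"));
			}
			break;
		case 'm':
			list_plugin = B_TRUE;
			break;
		default:
			(void) fprintf(stderr,
			    gettext("Error input option.\n"));
			rv = KC_ERR_USAGE;
			break;
		}
		if (rv != KC_OK)
			goto out;
	}

	/*
	 * -m is exclusive with -i/-p.  Checking after the loop makes the
	 * result independent of the order the options were given in.
	 */
	if (list_plugin && (filename != NULL || policyname != NULL)) {
		(void) fprintf(stderr,
		    gettext("Error input option\n"));
		rv = KC_ERR_USAGE;
		goto out;
	}

	/* No additional args allowed. */
	argc -= optind_av;
	if (argc) {
		(void) fprintf(stderr,
		    gettext("Error input option\n"));
		rv = KC_ERR_USAGE;
		goto out;
	}

	if (list_plugin) {
		show_plugin();
		goto out;
	}

	if (filename == NULL) {
		filename = strdup(KMF_DEFAULT_POLICY_FILE);
		if (filename == NULL) {
			rv = KC_ERR_MEMORY;
			goto out;
		}
	}

	/*
	 * Check the access permission of the policy DB.  This only buys a
	 * clearer error message; load_policies() still has to cope with an
	 * open failure itself, since the file can change between the two.
	 */
	if (access(filename, R_OK) < 0) {
		int err = errno;
		(void) fprintf(stderr,
		    gettext("Cannot access \"%s\" for list - %s\n"), filename,
		    strerror(err));
		rv = KC_ERR_ACCESS;
		goto out;
	}

	rv = load_policies(filename, &plclist);
	if (rv != KMF_OK) {
		goto out;
	}

	/*
	 * Show every policy (or just the named one).  A policy that fails
	 * verification is reported but does not stop the listing.
	 */
	for (pnode = plclist; pnode != NULL; pnode = pnode->next) {
		KMF_POLICY_RECORD *plc = &pnode->plc;

		if (policyname != NULL && strcmp(policyname, plc->name) != 0)
			continue;

		found++;
		rv = kmf_verify_policy(plc);
		if (rv != KMF_OK) {
			(void) fprintf(stderr, gettext(
			    "Policy Name: '%s' is invalid\n"),
			    plc->name);
			sanity_err++;
		} else {
			show_policy(plc);
		}
	}

	free_policy_list(plclist);

	if (!found) {
		if (policyname)
			(void) fprintf(stderr, gettext(
			    "Cannot find policy '%s'\n"), policyname);
		else
			(void) fprintf(stderr, gettext("Cannot find "
			    "any policies to display\n"));
		rv = KC_ERR_FIND_POLICY;
	} else if (sanity_err) {
		rv = KC_ERR_VERIFY_POLICY;
	}

out:
	free(filename);
	free(policyname);

	return (rv);
}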