xref: /titanic_50/usr/src/cmd/cmd-crypto/kmfcfg/list.c (revision 2df1fe9ca32bb227b9158c67f5c00b54c20b10fd)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  *
21  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
22  * Use is subject to license terms.
23  */
24 
25 #pragma ident	"%Z%%M%	%I%	%E% SMI"
26 
27 #include <stdio.h>
28 #include <strings.h>
29 #include <ctype.h>
30 #include <libgen.h>
31 #include <libintl.h>
32 #include <errno.h>
33 #include <kmfapiP.h>
34 
35 #include "util.h"
36 
37 static void
38 show_policy(KMF_POLICY_RECORD *plc)
39 {
40 	int i;
41 	if (plc == NULL)
42 		return;
43 
44 	(void) printf("Name: %s\n", plc->name);
45 
46 	(void) printf(gettext("Ignore Date: %s\n"),
47 	    plc->ignore_date ? gettext("true") : gettext("false"));
48 
49 	(void) printf(gettext("Ignore Unknown EKUs: %s\n"),
50 	    plc->ignore_unknown_ekus ? gettext("true") : gettext("false"));
51 
52 	(void) printf(gettext("Ignore TA: %s\n"),
53 	    plc->ignore_trust_anchor ? gettext("true") : gettext("false"));
54 
55 	(void) printf(gettext("Validity Adjusted Time: %s\n"),
56 	    plc->validity_adjusttime ? plc->validity_adjusttime : "<null>");
57 
58 	if (plc->ta_name == NULL && plc->ta_serial == NULL) {
59 		(void) printf(gettext("Trust Anchor Certificate: <null>\n"));
60 	} else {
61 		(void) printf(gettext("Trust Anchor Certificate:\n"));
62 		(void) printf(gettext("\tName: %s\n"),
63 		    plc->ta_name ? plc->ta_name : "<null>");
64 		(void) printf(gettext("\tSerial Number: %s\n"),
65 		    plc->ta_serial ? plc->ta_serial : "<null>");
66 	}
67 
68 	if (plc->ku_bits != 0) {
69 		(void) printf(gettext("Key Usage Bits: "));
70 		for (i = KULOWBIT; i <= KUHIGHBIT; i++) {
71 			char *s = kmf_ku_to_string(
72 			    (plc->ku_bits & (1<<i)));
73 			if (s != NULL) {
74 				(void) printf("%s ", s);
75 			}
76 		}
77 		(void) printf("\n");
78 	} else {
79 		(void) printf(gettext("Key Usage Bits: 0\n"));
80 	}
81 
82 	if (plc->eku_set.eku_count > 0) {
83 		(void) printf(gettext("Extended Key Usage Values:\n"));
84 		for (i = 0; i < plc->eku_set.eku_count; i++) {
85 			char *s = kmf_oid_to_eku_string(
86 			    &plc->eku_set.ekulist[i]);
87 			(void) printf("\t%s\t(%s)\n",
88 			    kmf_oid_to_string(&plc->eku_set.ekulist[i]),
89 			    s ? s : "unknown");
90 		}
91 	} else {
92 		(void) printf(gettext("Extended Key Usage Values: <null>\n"));
93 	}
94 
95 	(void) printf(gettext("Validation Policy Information:\n"));
96 
97 	if (plc->revocation & KMF_REVOCATION_METHOD_OCSP) {
98 		(void) printf(gettext("    OCSP:\n"));
99 
100 		(void) printf(gettext("\tResponder URI: %s\n"),
101 		    plc->VAL_OCSP_BASIC.responderURI ?
102 		    plc->VAL_OCSP_BASIC.responderURI : "<null>");
103 
104 		(void) printf(gettext("\tProxy: %s\n"),
105 		    plc->VAL_OCSP_BASIC.proxy ?
106 		    plc->VAL_OCSP_BASIC.proxy : "<null>");
107 
108 		(void) printf(gettext("\tUse ResponderURI from Certificate: "
109 		    "%s\n"), plc->VAL_OCSP_BASIC.uri_from_cert ?
110 		    gettext("true") : gettext("false"));
111 
112 		(void) printf(gettext("\tResponse lifetime: %s\n"),
113 		    plc->VAL_OCSP_BASIC.response_lifetime ?
114 		    plc->VAL_OCSP_BASIC.response_lifetime : "<null>");
115 
116 		(void) printf(gettext("\tIgnore Response signature: %s\n"),
117 		    plc->VAL_OCSP_BASIC.ignore_response_sign ?
118 		    gettext("true") : gettext("false"));
119 
120 		if (!plc->VAL_OCSP.has_resp_cert) {
121 			(void) printf(gettext("\tResponder Certificate:"
122 			    " <null>\n"));
123 		} else {
124 			(void) printf(gettext("\tResponder Certificate:\n"));
125 			(void) printf(gettext("\t\tName: %s\n"),
126 			    plc->VAL_OCSP_RESP_CERT.name ?
127 			    plc->VAL_OCSP_RESP_CERT.name : "<null>");
128 			(void) printf(gettext("\t\tSerial: %s\n"),
129 			    plc->VAL_OCSP_RESP_CERT.serial ?
130 			    plc->VAL_OCSP_RESP_CERT.serial : "<null>");
131 		}
132 	}
133 
134 	if (plc->revocation & KMF_REVOCATION_METHOD_CRL) {
135 		(void) printf(gettext("    CRL:\n"));
136 
137 		(void) printf(gettext("\tBase filename: %s\n"),
138 		    plc->validation_info.crl_info.basefilename ?
139 		    plc->validation_info.crl_info.basefilename : "<null>");
140 
141 		(void) printf(gettext("\tDirectory: %s\n"),
142 		    plc->validation_info.crl_info.directory ?
143 		    plc->validation_info.crl_info.directory : "<null>");
144 
145 		(void) printf(gettext("\tDownload and cache CRL: %s\n"),
146 		    plc->validation_info.crl_info.get_crl_uri ?
147 		    gettext("true") : gettext("false"));
148 
149 		(void) printf(gettext("\tProxy: %s\n"),
150 		    plc->validation_info.crl_info.proxy ?
151 		    plc->validation_info.crl_info.proxy : "<null>");
152 
153 		(void) printf(gettext("\tIgnore CRL signature: %s\n"),
154 		    plc->validation_info.crl_info.ignore_crl_sign ?
155 		    gettext("true") : gettext("false"));
156 
157 		(void) printf(gettext("\tIgnore CRL validity date: %s\n"),
158 		    plc->validation_info.crl_info.ignore_crl_date ?
159 		    gettext("true") : gettext("false"));
160 	}
161 
162 	(void) printf("\n");
163 }
164 
165 int
166 kc_list(int argc, char *argv[])
167 {
168 	int 		rv = KC_OK;
169 	int		opt, found = 0;
170 	extern int	optind_av;
171 	extern char	*optarg_av;
172 	char		*filename = NULL;
173 	char		*policyname = NULL;
174 	POLICY_LIST	*plclist = NULL, *pnode;
175 	int		sanity_err = 0;
176 
177 	while ((opt = getopt_av(argc, argv, "i:(dbfile)p:(policy)")) != EOF) {
178 		switch (opt) {
179 			case 'i':
180 				filename = get_string(optarg_av, &rv);
181 				if (filename == NULL) {
182 					(void) fprintf(stderr,
183 					    gettext("Error dbfile input.\n"));
184 				}
185 				break;
186 			case 'p':
187 				policyname = get_string(optarg_av, &rv);
188 				if (policyname == NULL) {
189 					(void) fprintf(stderr,
190 					    gettext("Error policy name.\n"));
191 				}
192 				break;
193 			default:
194 				(void) fprintf(stderr,
195 				    gettext("Error input option.\n"));
196 				rv = KC_ERR_USAGE;
197 				break;
198 		}
199 		if (rv != KC_OK)
200 			goto out;
201 	}
202 
203 	/* No additional args allowed. */
204 	argc -= optind_av;
205 	if (argc) {
206 		(void) fprintf(stderr,
207 		    gettext("Error input option\n"));
208 		rv = KC_ERR_USAGE;
209 		goto out;
210 	}
211 
212 	if (filename == NULL) {
213 		filename = strdup(KMF_DEFAULT_POLICY_FILE);
214 		if (filename == NULL) {
215 			rv = KC_ERR_MEMORY;
216 			goto out;
217 		}
218 	}
219 
220 	/* Check the access permission of the policy DB */
221 	if (access(filename, R_OK) < 0) {
222 		int err = errno;
223 		(void) fprintf(stderr,
224 		    gettext("Cannot access \"%s\" for list - %s\n"), filename,
225 		    strerror(err));
226 		rv = KC_ERR_ACCESS;
227 		goto out;
228 	}
229 
230 	rv = load_policies(filename, &plclist);
231 	if (rv != KMF_OK) {
232 		goto out;
233 	}
234 
235 	pnode = plclist;
236 	while (pnode != NULL) {
237 		if (policyname == NULL ||
238 		    strcmp(policyname, pnode->plc.name) == 0) {
239 			KMF_POLICY_RECORD *plc = &pnode->plc;
240 
241 			found++;
242 			rv = kmf_verify_policy(plc);
243 			if (rv != KMF_OK) {
244 				(void) fprintf(stderr, gettext(
245 				    "Policy Name: '%s' is invalid\n"),
246 				    plc->name);
247 				sanity_err++;
248 			} else {
249 				show_policy(&pnode->plc);
250 			}
251 		}
252 		pnode = pnode->next;
253 	}
254 
255 	free_policy_list(plclist);
256 
257 	if (!found) {
258 		if (policyname)
259 			(void) fprintf(stderr, gettext(
260 			    "Cannot find policy '%s'\n"), policyname);
261 		else
262 			(void) fprintf(stderr, gettext("Cannot find "
263 			    "any policies to display\n"));
264 		rv = KC_ERR_FIND_POLICY;
265 	} else if (sanity_err) {
266 		rv = KC_ERR_VERIFY_POLICY;
267 	}
268 
269 out:
270 
271 	if (filename != NULL)
272 		free(filename);
273 
274 	if (policyname != NULL)
275 		free(policyname);
276 
277 	return (rv);
278 }
279