1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 * 21 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 22 * Use is subject to license terms. 23 */ 24 25 #pragma ident "%Z%%M% %I% %E% SMI" 26 27 #include <stdio.h> 28 #include <strings.h> 29 #include <ctype.h> 30 #include <libgen.h> 31 #include <libintl.h> 32 #include <errno.h> 33 #include <kmfapiP.h> 34 35 #include "util.h" 36 37 static void 38 show_policy(KMF_POLICY_RECORD *plc) 39 { 40 int i; 41 if (plc == NULL) 42 return; 43 44 (void) printf("Name: %s\n", plc->name); 45 46 (void) printf(gettext("Ignore Date: %s\n"), 47 plc->ignore_date ? gettext("true") : gettext("false")); 48 49 (void) printf(gettext("Ignore Unknown EKUs: %s\n"), 50 plc->ignore_unknown_ekus ? gettext("true") : gettext("false")); 51 52 (void) printf(gettext("Ignore TA: %s\n"), 53 plc->ignore_trust_anchor ? gettext("true") : gettext("false")); 54 55 (void) printf(gettext("Validity Adjusted Time: %s\n"), 56 plc->validity_adjusttime ? plc->validity_adjusttime : "<null>"); 57 58 if (plc->ta_name == NULL && plc->ta_serial == NULL) { 59 (void) printf(gettext("Trust Anchor Certificate: <null>\n")); 60 } else { 61 (void) printf(gettext("Trust Anchor Certificate:\n")); 62 (void) printf(gettext("\tName: %s\n"), 63 plc->ta_name ? plc->ta_name : "<null>"); 64 (void) printf(gettext("\tSerial Number: %s\n"), 65 plc->ta_serial ? plc->ta_serial : "<null>"); 66 } 67 68 if (plc->ku_bits != 0) { 69 (void) printf(gettext("Key Usage Bits: ")); 70 for (i = KULOWBIT; i <= KUHIGHBIT; i++) { 71 char *s = kmf_ku_to_string( 72 (plc->ku_bits & (1<<i))); 73 if (s != NULL) { 74 (void) printf("%s ", s); 75 } 76 } 77 (void) printf("\n"); 78 } else { 79 (void) printf(gettext("Key Usage Bits: 0\n")); 80 } 81 82 if (plc->eku_set.eku_count > 0) { 83 (void) printf(gettext("Extended Key Usage Values:\n")); 84 for (i = 0; i < plc->eku_set.eku_count; i++) { 85 char *s = kmf_oid_to_eku_string( 86 &plc->eku_set.ekulist[i]); 87 (void) printf("\t%s\t(%s)\n", 88 kmf_oid_to_string(&plc->eku_set.ekulist[i]), 89 s ? s : "unknown"); 90 } 91 } else { 92 (void) printf(gettext("Extended Key Usage Values: <null>\n")); 93 } 94 95 (void) printf(gettext("Validation Policy Information:\n")); 96 97 if (plc->revocation & KMF_REVOCATION_METHOD_OCSP) { 98 (void) printf(gettext(" OCSP:\n")); 99 100 (void) printf(gettext("\tResponder URI: %s\n"), 101 plc->VAL_OCSP_BASIC.responderURI ? 102 plc->VAL_OCSP_BASIC.responderURI : "<null>"); 103 104 (void) printf(gettext("\tProxy: %s\n"), 105 plc->VAL_OCSP_BASIC.proxy ? 106 plc->VAL_OCSP_BASIC.proxy : "<null>"); 107 108 (void) printf(gettext("\tUse ResponderURI from Certificate: " 109 "%s\n"), plc->VAL_OCSP_BASIC.uri_from_cert ? 110 gettext("true") : gettext("false")); 111 112 (void) printf(gettext("\tResponse lifetime: %s\n"), 113 plc->VAL_OCSP_BASIC.response_lifetime ? 114 plc->VAL_OCSP_BASIC.response_lifetime : "<null>"); 115 116 (void) printf(gettext("\tIgnore Response signature: %s\n"), 117 plc->VAL_OCSP_BASIC.ignore_response_sign ? 118 gettext("true") : gettext("false")); 119 120 if (!plc->VAL_OCSP.has_resp_cert) { 121 (void) printf(gettext("\tResponder Certificate:" 122 " <null>\n")); 123 } else { 124 (void) printf(gettext("\tResponder Certificate:\n")); 125 (void) printf(gettext("\t\tName: %s\n"), 126 plc->VAL_OCSP_RESP_CERT.name ? 127 plc->VAL_OCSP_RESP_CERT.name : "<null>"); 128 (void) printf(gettext("\t\tSerial: %s\n"), 129 plc->VAL_OCSP_RESP_CERT.serial ? 130 plc->VAL_OCSP_RESP_CERT.serial : "<null>"); 131 } 132 } 133 134 if (plc->revocation & KMF_REVOCATION_METHOD_CRL) { 135 (void) printf(gettext(" CRL:\n")); 136 137 (void) printf(gettext("\tBase filename: %s\n"), 138 plc->validation_info.crl_info.basefilename ? 139 plc->validation_info.crl_info.basefilename : "<null>"); 140 141 (void) printf(gettext("\tDirectory: %s\n"), 142 plc->validation_info.crl_info.directory ? 143 plc->validation_info.crl_info.directory : "<null>"); 144 145 (void) printf(gettext("\tDownload and cache CRL: %s\n"), 146 plc->validation_info.crl_info.get_crl_uri ? 147 gettext("true") : gettext("false")); 148 149 (void) printf(gettext("\tProxy: %s\n"), 150 plc->validation_info.crl_info.proxy ? 151 plc->validation_info.crl_info.proxy : "<null>"); 152 153 (void) printf(gettext("\tIgnore CRL signature: %s\n"), 154 plc->validation_info.crl_info.ignore_crl_sign ? 155 gettext("true") : gettext("false")); 156 157 (void) printf(gettext("\tIgnore CRL validity date: %s\n"), 158 plc->validation_info.crl_info.ignore_crl_date ? 159 gettext("true") : gettext("false")); 160 } 161 162 (void) printf("\n"); 163 } 164 165 int 166 kc_list(int argc, char *argv[]) 167 { 168 int rv = KC_OK; 169 int opt, found = 0; 170 extern int optind_av; 171 extern char *optarg_av; 172 char *filename = NULL; 173 char *policyname = NULL; 174 POLICY_LIST *plclist = NULL, *pnode; 175 int sanity_err = 0; 176 177 while ((opt = getopt_av(argc, argv, "i:(dbfile)p:(policy)")) != EOF) { 178 switch (opt) { 179 case 'i': 180 filename = get_string(optarg_av, &rv); 181 if (filename == NULL) { 182 (void) fprintf(stderr, 183 gettext("Error dbfile input.\n")); 184 } 185 break; 186 case 'p': 187 policyname = get_string(optarg_av, &rv); 188 if (policyname == NULL) { 189 (void) fprintf(stderr, 190 gettext("Error policy name.\n")); 191 } 192 break; 193 default: 194 (void) fprintf(stderr, 195 gettext("Error input option.\n")); 196 rv = KC_ERR_USAGE; 197 break; 198 } 199 if (rv != KC_OK) 200 goto out; 201 } 202 203 /* No additional args allowed. */ 204 argc -= optind_av; 205 if (argc) { 206 (void) fprintf(stderr, 207 gettext("Error input option\n")); 208 rv = KC_ERR_USAGE; 209 goto out; 210 } 211 212 if (filename == NULL) { 213 filename = strdup(KMF_DEFAULT_POLICY_FILE); 214 if (filename == NULL) { 215 rv = KC_ERR_MEMORY; 216 goto out; 217 } 218 } 219 220 /* Check the access permission of the policy DB */ 221 if (access(filename, R_OK) < 0) { 222 int err = errno; 223 (void) fprintf(stderr, 224 gettext("Cannot access \"%s\" for list - %s\n"), filename, 225 strerror(err)); 226 rv = KC_ERR_ACCESS; 227 goto out; 228 } 229 230 rv = load_policies(filename, &plclist); 231 if (rv != KMF_OK) { 232 goto out; 233 } 234 235 pnode = plclist; 236 while (pnode != NULL) { 237 if (policyname == NULL || 238 strcmp(policyname, pnode->plc.name) == 0) { 239 KMF_POLICY_RECORD *plc = &pnode->plc; 240 241 found++; 242 rv = kmf_verify_policy(plc); 243 if (rv != KMF_OK) { 244 (void) fprintf(stderr, gettext( 245 "Policy Name: '%s' is invalid\n"), 246 plc->name); 247 sanity_err++; 248 } else { 249 show_policy(&pnode->plc); 250 } 251 } 252 pnode = pnode->next; 253 } 254 255 free_policy_list(plclist); 256 257 if (!found) { 258 if (policyname) 259 (void) fprintf(stderr, gettext( 260 "Cannot find policy '%s'\n"), policyname); 261 else 262 (void) fprintf(stderr, gettext("Cannot find " 263 "any policies to display\n")); 264 rv = KC_ERR_FIND_POLICY; 265 } else if (sanity_err) { 266 rv = KC_ERR_VERIFY_POLICY; 267 } 268 269 out: 270 271 if (filename != NULL) 272 free(filename); 273 274 if (policyname != NULL) 275 free(policyname); 276 277 return (rv); 278 } 279