13089Swyllys /*
23089Swyllys * CDDL HEADER START
33089Swyllys *
43089Swyllys * The contents of this file are subject to the terms of the
53089Swyllys * Common Development and Distribution License (the "License").
63089Swyllys * You may not use this file except in compliance with the License.
73089Swyllys *
83089Swyllys * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
93089Swyllys * or http://www.opensolaris.org/os/licensing.
103089Swyllys * See the License for the specific language governing permissions
113089Swyllys * and limitations under the License.
123089Swyllys *
133089Swyllys * When distributing Covered Code, include this CDDL HEADER in each
143089Swyllys * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
153089Swyllys * If applicable, add the following below this CDDL HEADER, with the
163089Swyllys * fields enclosed by brackets "[]" replaced with your own identifying
173089Swyllys * information: Portions Copyright [yyyy] [name of copyright owner]
183089Swyllys *
193089Swyllys * CDDL HEADER END
203089Swyllys *
2112611SJan.Pechanec@Sun.COM * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
223089Swyllys */
233089Swyllys
243089Swyllys #include <stdio.h>
253089Swyllys #include <strings.h>
263089Swyllys #include <ctype.h>
273089Swyllys #include <libgen.h>
283089Swyllys #include <libintl.h>
293089Swyllys #include <errno.h>
305626Shylee #include <sys/stat.h>
313089Swyllys #include <kmfapiP.h>
325626Shylee #include "util.h"
333089Swyllys
345626Shylee #define LIB_NSS_PATH "/usr/lib/mps/libnss3.so"
355626Shylee #define LIB_NSPR_PATH "/usr/lib/mps/libnspr4.so"
363089Swyllys
373089Swyllys static void
show_policy(KMF_POLICY_RECORD * plc)383089Swyllys show_policy(KMF_POLICY_RECORD *plc)
393089Swyllys {
403089Swyllys int i;
413089Swyllys if (plc == NULL)
423089Swyllys return;
433089Swyllys
443089Swyllys (void) printf("Name: %s\n", plc->name);
453089Swyllys
463089Swyllys (void) printf(gettext("Ignore Date: %s\n"),
475051Swyllys plc->ignore_date ? gettext("true") : gettext("false"));
483089Swyllys
493089Swyllys (void) printf(gettext("Ignore Unknown EKUs: %s\n"),
505051Swyllys plc->ignore_unknown_ekus ? gettext("true") : gettext("false"));
513089Swyllys
523089Swyllys (void) printf(gettext("Ignore TA: %s\n"),
535051Swyllys plc->ignore_trust_anchor ? gettext("true") : gettext("false"));
543089Swyllys
553089Swyllys (void) printf(gettext("Validity Adjusted Time: %s\n"),
565051Swyllys plc->validity_adjusttime ? plc->validity_adjusttime : "<null>");
573089Swyllys
583089Swyllys if (plc->ta_name == NULL && plc->ta_serial == NULL) {
593089Swyllys (void) printf(gettext("Trust Anchor Certificate: <null>\n"));
60*12919Swyllys.ingersoll@sun.com } else if (strcasecmp(plc->ta_name, "search") == 0) {
61*12919Swyllys.ingersoll@sun.com (void) printf(gettext("Trust Anchor Certificate: "
62*12919Swyllys.ingersoll@sun.com "Search by Issuer\n"));
633089Swyllys } else {
643089Swyllys (void) printf(gettext("Trust Anchor Certificate:\n"));
653089Swyllys (void) printf(gettext("\tName: %s\n"),
665051Swyllys plc->ta_name ? plc->ta_name : "<null>");
673089Swyllys (void) printf(gettext("\tSerial Number: %s\n"),
685051Swyllys plc->ta_serial ? plc->ta_serial : "<null>");
693089Swyllys }
703089Swyllys
713089Swyllys if (plc->ku_bits != 0) {
723089Swyllys (void) printf(gettext("Key Usage Bits: "));
733089Swyllys for (i = KULOWBIT; i <= KUHIGHBIT; i++) {
745051Swyllys char *s = kmf_ku_to_string(
755051Swyllys (plc->ku_bits & (1<<i)));
763089Swyllys if (s != NULL) {
773089Swyllys (void) printf("%s ", s);
783089Swyllys }
793089Swyllys }
803089Swyllys (void) printf("\n");
813089Swyllys } else {
823089Swyllys (void) printf(gettext("Key Usage Bits: 0\n"));
833089Swyllys }
843089Swyllys
853089Swyllys if (plc->eku_set.eku_count > 0) {
863089Swyllys (void) printf(gettext("Extended Key Usage Values:\n"));
873089Swyllys for (i = 0; i < plc->eku_set.eku_count; i++) {
886051Swyllys char *s = kmf_oid_to_ekuname(
895051Swyllys &plc->eku_set.ekulist[i]);
903089Swyllys (void) printf("\t%s\t(%s)\n",
915051Swyllys kmf_oid_to_string(&plc->eku_set.ekulist[i]),
925051Swyllys s ? s : "unknown");
933089Swyllys }
943089Swyllys } else {
953089Swyllys (void) printf(gettext("Extended Key Usage Values: <null>\n"));
963089Swyllys }
973089Swyllys
983089Swyllys (void) printf(gettext("Validation Policy Information:\n"));
993089Swyllys
1003089Swyllys if (plc->revocation & KMF_REVOCATION_METHOD_OCSP) {
1013089Swyllys (void) printf(gettext(" OCSP:\n"));
1023089Swyllys
1033089Swyllys (void) printf(gettext("\tResponder URI: %s\n"),
1043089Swyllys plc->VAL_OCSP_BASIC.responderURI ?
1053089Swyllys plc->VAL_OCSP_BASIC.responderURI : "<null>");
1063089Swyllys
1073089Swyllys (void) printf(gettext("\tProxy: %s\n"),
1083089Swyllys plc->VAL_OCSP_BASIC.proxy ?
1093089Swyllys plc->VAL_OCSP_BASIC.proxy : "<null>");
1103089Swyllys
1113089Swyllys (void) printf(gettext("\tUse ResponderURI from Certificate: "
1123089Swyllys "%s\n"), plc->VAL_OCSP_BASIC.uri_from_cert ?
1133089Swyllys gettext("true") : gettext("false"));
1143089Swyllys
1153089Swyllys (void) printf(gettext("\tResponse lifetime: %s\n"),
1163089Swyllys plc->VAL_OCSP_BASIC.response_lifetime ?
1173089Swyllys plc->VAL_OCSP_BASIC.response_lifetime : "<null>");
1183089Swyllys
1193089Swyllys (void) printf(gettext("\tIgnore Response signature: %s\n"),
1203089Swyllys plc->VAL_OCSP_BASIC.ignore_response_sign ?
1213089Swyllys gettext("true") : gettext("false"));
1223089Swyllys
1233089Swyllys if (!plc->VAL_OCSP.has_resp_cert) {
1243089Swyllys (void) printf(gettext("\tResponder Certificate:"
1253089Swyllys " <null>\n"));
1263089Swyllys } else {
1273089Swyllys (void) printf(gettext("\tResponder Certificate:\n"));
1283089Swyllys (void) printf(gettext("\t\tName: %s\n"),
1293089Swyllys plc->VAL_OCSP_RESP_CERT.name ?
1303089Swyllys plc->VAL_OCSP_RESP_CERT.name : "<null>");
1313089Swyllys (void) printf(gettext("\t\tSerial: %s\n"),
1323089Swyllys plc->VAL_OCSP_RESP_CERT.serial ?
1333089Swyllys plc->VAL_OCSP_RESP_CERT.serial : "<null>");
1343089Swyllys }
1353089Swyllys }
1363089Swyllys
1373089Swyllys if (plc->revocation & KMF_REVOCATION_METHOD_CRL) {
1383089Swyllys (void) printf(gettext(" CRL:\n"));
1393089Swyllys
1403089Swyllys (void) printf(gettext("\tBase filename: %s\n"),
1413089Swyllys plc->validation_info.crl_info.basefilename ?
1423089Swyllys plc->validation_info.crl_info.basefilename : "<null>");
1433089Swyllys
1443089Swyllys (void) printf(gettext("\tDirectory: %s\n"),
1453089Swyllys plc->validation_info.crl_info.directory ?
1463089Swyllys plc->validation_info.crl_info.directory : "<null>");
1473089Swyllys
1483089Swyllys (void) printf(gettext("\tDownload and cache CRL: %s\n"),
1495051Swyllys plc->validation_info.crl_info.get_crl_uri ?
1505051Swyllys gettext("true") : gettext("false"));
1513089Swyllys
1523089Swyllys (void) printf(gettext("\tProxy: %s\n"),
1533089Swyllys plc->validation_info.crl_info.proxy ?
1543089Swyllys plc->validation_info.crl_info.proxy : "<null>");
1553089Swyllys
1563089Swyllys (void) printf(gettext("\tIgnore CRL signature: %s\n"),
1575051Swyllys plc->validation_info.crl_info.ignore_crl_sign ?
1585051Swyllys gettext("true") : gettext("false"));
1593089Swyllys
1603089Swyllys (void) printf(gettext("\tIgnore CRL validity date: %s\n"),
1615051Swyllys plc->validation_info.crl_info.ignore_crl_date ?
1625051Swyllys gettext("true") : gettext("false"));
1633089Swyllys }
16412611SJan.Pechanec@Sun.COM (void) printf(gettext("Mapper name: %s\n"),
16512611SJan.Pechanec@Sun.COM plc->mapper.mapname ? plc->mapper.mapname : "<null>");
16612611SJan.Pechanec@Sun.COM (void) printf(gettext("Mapper pathname: %s\n"),
16712611SJan.Pechanec@Sun.COM plc->mapper.pathname ? plc->mapper.pathname : "<null>");
16812611SJan.Pechanec@Sun.COM (void) printf(gettext("Mapper directory: %s\n"),
16912611SJan.Pechanec@Sun.COM plc->mapper.dir ? plc->mapper.dir : "<null>");
17012611SJan.Pechanec@Sun.COM (void) printf(gettext("Mapper options: %s\n"),
17112611SJan.Pechanec@Sun.COM plc->mapper.options ? plc->mapper.options : "<null>");
1723089Swyllys
1733089Swyllys (void) printf("\n");
1743089Swyllys }
1753089Swyllys
1765626Shylee void
show_plugin(void)1775626Shylee show_plugin(void)
1785626Shylee {
1795626Shylee conf_entrylist_t *phead = NULL;
1805626Shylee struct stat statbuf;
1815626Shylee
1825626Shylee (void) printf(gettext("KMF plugin information:\n"));
1835626Shylee (void) printf(gettext("-----------------------\n"));
1845626Shylee
1855626Shylee /* List the built-in plugins */
1865626Shylee (void) printf("pkcs11:kmf_pkcs11.so.1 (built-in)\n");
1875626Shylee (void) printf("file:kmf_openssl.so.1 (built-in)\n");
1885626Shylee
1895626Shylee /*
1905626Shylee * If the NSS libraries are not installed in the system,
1915626Shylee * then we will not show the nss plugin either.
1925626Shylee */
1935626Shylee if (stat(LIB_NSS_PATH, &statbuf) == 0 &&
1945626Shylee stat(LIB_NSPR_PATH, &statbuf) == 0) {
1955626Shylee (void) printf("nss:kmf_nss.so.1 (built-in)\n");
1965626Shylee }
1975626Shylee
1985626Shylee /* List non-default plugins, if there is any. */
1995626Shylee if (get_entrylist(&phead) == KMF_OK) {
2005626Shylee while (phead != NULL) {
2015626Shylee (void) printf("%s:%s", phead->entry->keystore,
2025626Shylee phead->entry->modulepath);
2035626Shylee
2045626Shylee if (phead->entry->option == NULL)
2055626Shylee (void) printf("\n");
2065626Shylee else
2075626Shylee (void) printf(";option=%s\n",
2085626Shylee phead->entry->option);
2095626Shylee phead = phead->next;
2105626Shylee }
2115626Shylee free_entrylist(phead);
2125626Shylee }
2135626Shylee }
2145626Shylee
2155626Shylee
2163089Swyllys int
kc_list(int argc,char * argv[])2173089Swyllys kc_list(int argc, char *argv[])
2183089Swyllys {
2193089Swyllys int rv = KC_OK;
2203089Swyllys int opt, found = 0;
2213089Swyllys extern int optind_av;
2223089Swyllys extern char *optarg_av;
2233089Swyllys char *filename = NULL;
2243089Swyllys char *policyname = NULL;
2253089Swyllys POLICY_LIST *plclist = NULL, *pnode;
2263089Swyllys int sanity_err = 0;
2275626Shylee boolean_t list_plugin = B_FALSE;
2283089Swyllys
2295626Shylee while ((opt = getopt_av(argc, argv, "i:(dbfile)p:(policy)m(plugin)"))
2305626Shylee != EOF) {
2313089Swyllys switch (opt) {
2325626Shylee case 'i':
2335626Shylee if (list_plugin)
2345626Shylee rv = KC_ERR_USAGE;
2355626Shylee else {
2363089Swyllys filename = get_string(optarg_av, &rv);
2373089Swyllys if (filename == NULL) {
2383089Swyllys (void) fprintf(stderr,
2393089Swyllys gettext("Error dbfile input.\n"));
2403089Swyllys }
2415626Shylee }
2425626Shylee break;
2435626Shylee case 'p':
2445626Shylee if (list_plugin)
2455626Shylee rv = KC_ERR_USAGE;
2465626Shylee else {
2473089Swyllys policyname = get_string(optarg_av, &rv);
2483089Swyllys if (policyname == NULL) {
2493089Swyllys (void) fprintf(stderr,
2503089Swyllys gettext("Error policy name.\n"));
2513089Swyllys }
2525626Shylee }
2535626Shylee break;
2545626Shylee case 'm':
2555626Shylee list_plugin = B_TRUE;
2565626Shylee break;
2575626Shylee default:
2585626Shylee (void) fprintf(stderr,
2595626Shylee gettext("Error input option.\n"));
2605626Shylee rv = KC_ERR_USAGE;
2615626Shylee break;
2623089Swyllys }
2633089Swyllys if (rv != KC_OK)
2643089Swyllys goto out;
2653089Swyllys }
2663089Swyllys
2673089Swyllys /* No additional args allowed. */
2683089Swyllys argc -= optind_av;
2693089Swyllys if (argc) {
2703089Swyllys (void) fprintf(stderr,
2713089Swyllys gettext("Error input option\n"));
2723089Swyllys rv = KC_ERR_USAGE;
2733089Swyllys goto out;
2743089Swyllys }
2753089Swyllys
2765626Shylee if (list_plugin) {
2775626Shylee show_plugin();
2785626Shylee goto out;
2795626Shylee }
2805626Shylee
2813089Swyllys if (filename == NULL) {
2823089Swyllys filename = strdup(KMF_DEFAULT_POLICY_FILE);
2833089Swyllys if (filename == NULL) {
2843089Swyllys rv = KC_ERR_MEMORY;
2853089Swyllys goto out;
2863089Swyllys }
2873089Swyllys }
2883089Swyllys
2893089Swyllys /* Check the access permission of the policy DB */
2903089Swyllys if (access(filename, R_OK) < 0) {
2913089Swyllys int err = errno;
2923089Swyllys (void) fprintf(stderr,
2933089Swyllys gettext("Cannot access \"%s\" for list - %s\n"), filename,
2943089Swyllys strerror(err));
2953089Swyllys rv = KC_ERR_ACCESS;
2963089Swyllys goto out;
2973089Swyllys }
2983089Swyllys
2993089Swyllys rv = load_policies(filename, &plclist);
3003089Swyllys if (rv != KMF_OK) {
3013089Swyllys goto out;
3023089Swyllys }
3033089Swyllys
3043089Swyllys pnode = plclist;
3053089Swyllys while (pnode != NULL) {
3063089Swyllys if (policyname == NULL ||
3075051Swyllys strcmp(policyname, pnode->plc.name) == 0) {
3083089Swyllys KMF_POLICY_RECORD *plc = &pnode->plc;
3093089Swyllys
3103089Swyllys found++;
3115051Swyllys rv = kmf_verify_policy(plc);
3123089Swyllys if (rv != KMF_OK) {
3133089Swyllys (void) fprintf(stderr, gettext(
3143089Swyllys "Policy Name: '%s' is invalid\n"),
3153089Swyllys plc->name);
3163089Swyllys sanity_err++;
3173089Swyllys } else {
3183089Swyllys show_policy(&pnode->plc);
3193089Swyllys }
3203089Swyllys }
3213089Swyllys pnode = pnode->next;
3223089Swyllys }
3233089Swyllys
3243089Swyllys free_policy_list(plclist);
3253089Swyllys
3263089Swyllys if (!found) {
3273089Swyllys if (policyname)
3283089Swyllys (void) fprintf(stderr, gettext(
3293089Swyllys "Cannot find policy '%s'\n"), policyname);
3303089Swyllys else
3313089Swyllys (void) fprintf(stderr, gettext("Cannot find "
3323089Swyllys "any policies to display\n"));
3333089Swyllys rv = KC_ERR_FIND_POLICY;
3343089Swyllys } else if (sanity_err) {
3353089Swyllys rv = KC_ERR_VERIFY_POLICY;
3363089Swyllys }
3373089Swyllys
3383089Swyllys out:
3393089Swyllys
3403089Swyllys if (filename != NULL)
3413089Swyllys free(filename);
3423089Swyllys
3433089Swyllys if (policyname != NULL)
3443089Swyllys free(policyname);
3453089Swyllys
3463089Swyllys return (rv);
3473089Swyllys }
348