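/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

/*
 * kmfcfg "list" subcommand: print the policy records stored in a KMF
 * policy database, or the keystore plugins available on this system.
 * Nothing here modifies the database; every path is read-only.
 */

#include <stdio.h>
#include <stdlib.h>	/* free(), strdup() */
#include <string.h>
#include <strings.h>
#include <ctype.h>
#include <libgen.h>
#include <libintl.h>
#include <errno.h>
#include <unistd.h>	/* access(), R_OK */
#include <sys/stat.h>
#include <kmfapiP.h>
#include "util.h"

/*
 * The NSS plugin is advertised only when the NSS/NSPR shared objects it
 * depends on are present.  These paths are used for an existence check
 * (stat(2)) only; nothing is dlopen()ed from them in this file.
 */
#define	LIB_NSS_PATH	"/usr/lib/mps/libnss3.so"
#define	LIB_NSPR_PATH	"/usr/lib/mps/libnspr4.so"

/*
 * Display form of an optional string field.  Evaluates its argument
 * twice, so pass only a plain lvalue, never a function call.
 */
#define	STR_OR_NULL(s)	((s) != NULL ? (s) : "<null>")

/*
 * Localized "true"/"false" text for a policy flag.
 */
static const char *
bool_str(int flag)
{
	return (flag ? gettext("true") : gettext("false"));
}

/*
 * Print one policy record in human-readable form.
 *
 * plc is expected to have passed kmf_verify_policy() already (see
 * kc_list()); even so, every optional string is NULL-guarded so that a
 * partially filled record cannot hand a NULL to a "%s" conversion.
 * A NULL plc is silently ignored.
 */
static void
show_policy(KMF_POLICY_RECORD *plc)
{
	int i;

	if (plc == NULL)
		return;

	/* The "Name:" label is deliberately not translated. */
	(void) printf("Name: %s\n", STR_OR_NULL(plc->name));

	(void) printf(gettext("Ignore Date: %s\n"),
	    bool_str(plc->ignore_date));

	(void) printf(gettext("Ignore Unknown EKUs: %s\n"),
	    bool_str(plc->ignore_unknown_ekus));

	/*
	 * Ignoring the trust anchor disables chain validation against a
	 * configured root; it is worth making this setting visible.
	 */
	(void) printf(gettext("Ignore TA: %s\n"),
	    bool_str(plc->ignore_trust_anchor));

	(void) printf(gettext("Validity Adjusted Time: %s\n"),
	    STR_OR_NULL(plc->validity_adjusttime));

	if (plc->ta_name == NULL && plc->ta_serial == NULL) {
		(void) printf(gettext("Trust Anchor Certificate: <null>\n"));
	} else {
		(void) printf(gettext("Trust Anchor Certificate:\n"));
		(void) printf(gettext("\tName: %s\n"),
		    STR_OR_NULL(plc->ta_name));
		(void) printf(gettext("\tSerial Number: %s\n"),
		    STR_OR_NULL(plc->ta_serial));
	}

	/* Key usage: one name per set bit in [KULOWBIT, KUHIGHBIT]. */
	if (plc->ku_bits != 0) {
		(void) printf(gettext("Key Usage Bits: "));
		for (i = KULOWBIT; i <= KUHIGHBIT; i++) {
			char *kuname =
			    kmf_ku_to_string(plc->ku_bits & (1 << i));

			if (kuname != NULL)
				(void) printf("%s ", kuname);
		}
		(void) printf("\n");
	} else {
		(void) printf(gettext("Key Usage Bits: 0\n"));
	}

	/* Extended key usage: dotted OID plus a friendly name if known. */
	if (plc->eku_set.eku_count > 0) {
		(void) printf(gettext("Extended Key Usage Values:\n"));
		for (i = 0; i < plc->eku_set.eku_count; i++) {
			KMF_OID *oid = &plc->eku_set.ekulist[i];
			char *ekuname = kmf_oid_to_ekuname(oid);
			/*
			 * NOTE(review): kmf_oid_to_string() may return a
			 * heap-allocated buffer; it is not freed here, as
			 * in the original.  Bounded by eku_count and the
			 * process exits right after listing -- confirm
			 * against the libkmf header before adding free().
			 */
			char *oidstr = kmf_oid_to_string(oid);

			(void) printf("\t%s\t(%s)\n",
			    STR_OR_NULL(oidstr),
			    ekuname != NULL ? ekuname : "unknown");
		}
	} else {
		(void) printf(gettext("Extended Key Usage Values: <null>\n"));
	}

	(void) printf(gettext("Validation Policy Information:\n"));

	if (plc->revocation & KMF_REVOCATION_METHOD_OCSP) {
		(void) printf(gettext(" OCSP:\n"));

		(void) printf(gettext("\tResponder URI: %s\n"),
		    STR_OR_NULL(plc->VAL_OCSP_BASIC.responderURI));

		(void) printf(gettext("\tProxy: %s\n"),
		    STR_OR_NULL(plc->VAL_OCSP_BASIC.proxy));

		(void) printf(gettext("\tUse ResponderURI from Certificate: "
		    "%s\n"), bool_str(plc->VAL_OCSP_BASIC.uri_from_cert));

		(void) printf(gettext("\tResponse lifetime: %s\n"),
		    STR_OR_NULL(plc->VAL_OCSP_BASIC.response_lifetime));

		/*
		 * "true" here means OCSP responses are accepted without a
		 * signature check -- a weak configuration worth surfacing.
		 */
		(void) printf(gettext("\tIgnore Response signature: %s\n"),
		    bool_str(plc->VAL_OCSP_BASIC.ignore_response_sign));

		if (!plc->VAL_OCSP.has_resp_cert) {
			(void) printf(gettext("\tResponder Certificate:"
			    " <null>\n"));
		} else {
			(void) printf(gettext("\tResponder Certificate:\n"));
			(void) printf(gettext("\t\tName: %s\n"),
			    STR_OR_NULL(plc->VAL_OCSP_RESP_CERT.name));
			(void) printf(gettext("\t\tSerial: %s\n"),
			    STR_OR_NULL(plc->VAL_OCSP_RESP_CERT.serial));
		}
	}

	if (plc->revocation & KMF_REVOCATION_METHOD_CRL) {
		KMF_CRL_POLICY *crl = &plc->validation_info.crl_info;

		(void) printf(gettext(" CRL:\n"));

		(void) printf(gettext("\tBase filename: %s\n"),
		    STR_OR_NULL(crl->basefilename));

		(void) printf(gettext("\tDirectory: %s\n"),
		    STR_OR_NULL(crl->directory));

		(void) printf(gettext("\tDownload and cache CRL: %s\n"),
		    bool_str(crl->get_crl_uri));

		(void) printf(gettext("\tProxy: %s\n"),
		    STR_OR_NULL(crl->proxy));

		/* As with OCSP, "true" on either flag weakens revocation. */
		(void) printf(gettext("\tIgnore CRL signature: %s\n"),
		    bool_str(crl->ignore_crl_sign));

		(void) printf(gettext("\tIgnore CRL validity date: %s\n"),
		    bool_str(crl->ignore_crl_date));
	}

	(void) printf("\n");
}

/*
 * Print the keystore plugins known to KMF: the built-in ones, the NSS
 * plugin when its libraries are installed, and any extra plugins listed
 * in the KMF configuration (via get_entrylist()).
 *
 * Output only; a failure to read the configuration just omits the
 * non-default section, as before.
 */
void
show_plugin(void)
{
	conf_entrylist_t *plist = NULL;
	conf_entrylist_t *pent;
	struct stat statbuf;

	(void) printf(gettext("KMF plugin information:\n"));
	(void) printf(gettext("-----------------------\n"));

	/* Plugins that ship with KMF itself. */
	(void) printf("pkcs11:kmf_pkcs11.so.1 (built-in)\n");
	(void) printf("file:kmf_openssl.so.1 (built-in)\n");

	/*
	 * The NSS plugin needs libnss3/libnspr4; if either is missing the
	 * plugin cannot load, so it is not advertised.  This is a display
	 * decision only -- the stat() result is not used for anything else.
	 */
	if (stat(LIB_NSS_PATH, &statbuf) == 0 &&
	    stat(LIB_NSPR_PATH, &statbuf) == 0) {
		(void) printf("nss:kmf_nss.so.1 (built-in)\n");
	}

	/* Non-default plugins from the configuration file, if any. */
	if (get_entrylist(&plist) == KMF_OK) {
		for (pent = plist; pent != NULL; pent = pent->next) {
			(void) printf("%s:%s", pent->entry->keystore,
			    pent->entry->modulepath);

			if (pent->entry->option == NULL)
				(void) printf("\n");
			else
				(void) printf(";option=%s\n",
				    pent->entry->option);
		}
		/*
		 * Free the list through its head.  The original walked
		 * the head pointer itself to NULL and then freed NULL,
		 * leaking every entry.
		 */
		free_entrylist(plist);
	}
}

/*
 * kmfcfg list [dbfile=<file>] [policy=<name>]
 * kmfcfg list plugin
 *
 * Lists either the policies in a policy database (all of them, or the
 * one named by policy=) or the available plugins.  "plugin" is mutually
 * exclusive with dbfile= and policy=, regardless of argument order.
 *
 * Returns KC_OK on success; KC_ERR_USAGE for bad arguments;
 * KC_ERR_MEMORY on allocation failure; KC_ERR_ACCESS when the database
 * is unreadable; KC_ERR_FIND_POLICY when nothing matched;
 * KC_ERR_VERIFY_POLICY when a matching policy failed verification;
 * or the KMF_RETURN status of load_policies() when the database cannot
 * be parsed.
 */
int
kc_list(int argc, char *argv[])
{
	int rv = KC_OK;
	int opt, found = 0;
	extern int optind_av;
	extern char *optarg_av;
	char *filename = NULL;
	char *policyname = NULL;
	POLICY_LIST *plclist = NULL, *pnode;
	int sanity_err = 0;
	boolean_t list_plugin = B_FALSE;

	while ((opt = getopt_av(argc, argv, "i:(dbfile)p:(policy)m(plugin)"))
	    != EOF) {
		switch (opt) {
		case 'i':
			if (list_plugin) {
				rv = KC_ERR_USAGE;
				break;
			}
			/* A repeated dbfile= replaces (not leaks) the old one. */
			free(filename);
			filename = get_string(optarg_av, &rv);
			if (filename == NULL) {
				(void) fprintf(stderr,
				    gettext("Error dbfile input.\n"));
				/*
				 * get_string() is expected to set rv; make
				 * sure a reported error never proceeds with
				 * the default database as if nothing failed.
				 */
				if (rv == KC_OK)
					rv = KC_ERR_USAGE;
			}
			break;
		case 'p':
			if (list_plugin) {
				rv = KC_ERR_USAGE;
				break;
			}
			free(policyname);
			policyname = get_string(optarg_av, &rv);
			if (policyname == NULL) {
				(void) fprintf(stderr,
				    gettext("Error policy name.\n"));
				if (rv == KC_OK)
					rv = KC_ERR_USAGE;
			}
			break;
		case 'm':
			/*
			 * Reject "plugin" after dbfile=/policy= too, so the
			 * exclusivity check does not depend on argument order
			 * (the original only caught the reverse order).
			 */
			if (filename != NULL || policyname != NULL)
				rv = KC_ERR_USAGE;
			else
				list_plugin = B_TRUE;
			break;
		default:
			(void) fprintf(stderr,
			    gettext("Error input option.\n"));
			rv = KC_ERR_USAGE;
			break;
		}
		if (rv != KC_OK)
			goto out;
	}

	/* No additional args allowed. */
	argc -= optind_av;
	if (argc) {
		(void) fprintf(stderr,
		    gettext("Error input option\n"));
		rv = KC_ERR_USAGE;
		goto out;
	}

	if (list_plugin) {
		show_plugin();
		goto out;
	}

	if (filename == NULL) {
		filename = strdup(KMF_DEFAULT_POLICY_FILE);
		if (filename == NULL) {
			rv = KC_ERR_MEMORY;
			goto out;
		}
	}

	/*
	 * Advisory readability check, purely for a clearer diagnostic.
	 * It is not relied upon for safety: load_policies() opens the file
	 * itself and its status is checked below, so a file that changes
	 * between the two calls is still handled there.
	 */
	if (access(filename, R_OK) < 0) {
		int err = errno;
		(void) fprintf(stderr,
		    gettext("Cannot access \"%s\" for list - %s\n"), filename,
		    strerror(err));
		rv = KC_ERR_ACCESS;
		goto out;
	}

	rv = load_policies(filename, &plclist);
	if (rv != KMF_OK)
		goto out;

	/*
	 * Walk the loaded records; each one that matches (or every one,
	 * without policy=) is verified first and only displayed if sane.
	 */
	for (pnode = plclist; pnode != NULL; pnode = pnode->next) {
		KMF_POLICY_RECORD *plc = &pnode->plc;

		if (policyname != NULL &&
		    (plc->name == NULL || strcmp(policyname, plc->name) != 0))
			continue;

		found++;
		if (kmf_verify_policy(plc) != KMF_OK) {
			(void) fprintf(stderr, gettext(
			    "Policy Name: '%s' is invalid\n"),
			    STR_OR_NULL(plc->name));
			sanity_err++;
		} else {
			show_policy(plc);
		}
	}

	free_policy_list(plclist);

	if (!found) {
		if (policyname)
			(void) fprintf(stderr, gettext(
			    "Cannot find policy '%s'\n"), policyname);
		else
			(void) fprintf(stderr, gettext("Cannot find "
			    "any policies to display\n"));
		rv = KC_ERR_FIND_POLICY;
	} else if (sanity_err) {
		rv = KC_ERR_VERIFY_POLICY;
	} else {
		rv = KC_OK;
	}

out:
	/* free(NULL) is a no-op, so no guards are needed. */
	free(filename);
	free(policyname);

	return (rv);
}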