author | Tobias Heider <tobhe@cvs.openbsd.org> | 2021-11-21 22:44:09 +0000 |
committer | Tobias Heider <tobhe@cvs.openbsd.org> | 2021-11-21 22:44:09 +0000 |
commit | 26021626be9b16b9c843214f9a83343276f24216 (patch) | |
tree | 031523991acc4f6b5d14e5564551bf97e3dd18d0 /sbin/iked/ca.c | |
parent | d409305d0caaffe079b49d8339bfddcf0721f9c9 (diff) |
Add 'ikectl show certinfo' to show trusted CAs and certificates.
This helps debug authentication issues with x509 certificates.
ok markus@
Diffstat (limited to 'sbin/iked/ca.c')
-rw-r--r-- | sbin/iked/ca.c | 59 |
1 files changed, 57 insertions, 2 deletions
diff --git a/sbin/iked/ca.c b/sbin/iked/ca.c
index 36749457247..c7ea248dbd2 100644
--- a/sbin/iked/ca.c
+++ b/sbin/iked/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.78 2021/02/24 22:17:48 tobhe Exp $ */
+/* $OpenBSD: ca.c,v 1.79 2021/11/21 22:44:08 tobhe Exp $ */
 /*
  * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -73,10 +73,13 @@ int ca_x509_subjectaltname_log(X509 *, const char *);
 int ca_x509_subjectaltname_get(X509 *cert, struct iked_id *);
 int ca_dispatch_parent(int, struct privsep_proc *, struct imsg *);
 int ca_dispatch_ikev2(int, struct privsep_proc *, struct imsg *);
+int ca_dispatch_control(int, struct privsep_proc *, struct imsg *);
+void ca_store_info(struct iked *, const char *, X509_STORE *);
 static struct privsep_proc procs[] = {
 { "parent", PROC_PARENT, ca_dispatch_parent },
-{ "ikev2", PROC_IKEV2, ca_dispatch_ikev2 }
+{ "ikev2", PROC_IKEV2, ca_dispatch_ikev2 },
+{ "control", PROC_CONTROL, ca_dispatch_control }
 };
 struct ca_store {
@@ -260,6 +263,27 @@ ca_dispatch_ikev2(int fd, struct privsep_proc *p, struct imsg *imsg)
 }
 int
+ca_dispatch_control(int fd, struct privsep_proc *p, struct imsg *imsg)
+{
+ struct iked *env = p->p_env;
+ struct ca_store *store = env->sc_priv;
+
+ switch (imsg->hdr.type) {
+ case IMSG_CTL_SHOW_CERTSTORE:
+ ca_store_info(env, "CA", store->ca_cas);
+ ca_store_info(env, "CERT", store->ca_certs);
+ /* Send empty reply to indicate end of information. */
+ proc_compose(&env->sc_ps, PROC_CONTROL, IMSG_CTL_SHOW_CERTSTORE,
+ NULL, 0);
+ break;
+ default:
+ return (-1);
+ }
+
+ return (0);
+}
+
+int
 ca_setcert(struct iked *env, struct iked_sahdr *sh, struct iked_id *id,
 uint8_t type, uint8_t *data, size_t len, enum privsep_procid procid)
 {
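Review bot: ca_dispatch_control documents the terminator but not the stream it terminates, so a reader of this hunk alone cannot tell that the answer to IMSG_CTL_SHOW_CERTSTORE is a sequence of messages rather than one reply. I would put a short comment above the function, along the lines of `/* Answer IMSG_CTL_SHOW_CERTSTORE with one message per trusted CA and certificate, then a zero-length message as end marker. */`, and keep the existing inline comment at the proc_compose() call. The return value of proc_compose() is ignored for the end marker; that seems to follow the file's usual practice, but if the terminator fails to queue the control side would wait for an end marker that never arrives, so a brief comment that the failure is deliberately tolerated would help.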
@@ -1051,6 +1075,37 @@ ca_subjectpubkey_digest(X509 *x509, uint8_t *md, unsigned int *size)
 return (0);
 }
+void
+ca_store_info(struct iked *env, const char *msg, X509_STORE *ctx)
+{
+ STACK_OF(X509_OBJECT) *h;
+ X509_OBJECT *xo;
+ X509 *cert;
+ int i;
+ X509_NAME *subject;
+ char *name;
+ char *buf;
+ size_t buflen;
+
+ h = X509_STORE_get0_objects(ctx);
+ for (i = 0; i < sk_X509_OBJECT_num(h); i++) {
+ xo = sk_X509_OBJECT_value(h, i);
+ if (X509_OBJECT_get_type(xo) != X509_LU_X509)
+ continue;
+ cert = X509_OBJECT_get0_X509(xo);
+ if ((subject = X509_get_subject_name(cert)) == NULL ||
+ (name = X509_NAME_oneline(subject, NULL, 0)) == NULL)
+ continue;
+ buflen = asprintf(&buf, "%s: %s\n", msg, name);
+ free(name);
+ if (buf == NULL)
+ continue;
+ proc_compose(&env->sc_ps, PROC_CONTROL, IMSG_CTL_SHOW_CERTSTORE,
+ buf, buflen + 1);
+ free(buf);
+ }
+}
+
 struct ibuf *
 ca_x509_serialize(X509 *x509)
 {
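Review bot: In ca_store_info the int result of asprintf() is stored in the size_t `buflen`, so a -1 failure becomes SIZE_MAX, and the failure is then detected only through `buf == NULL`, which relies on asprintf() resetting the pointer on error (OpenBSD's does; other libcs leave it unspecified). Checking the return value directly is both portable and keeps the length well-typed: `int ret;` in the declarations, `ret = asprintf(&buf, "%s: %s\n", msg, name);` followed by `if (ret == -1) continue;` after the `free(name)`, and `buf, ret + 1` in the proc_compose() call. The `+ 1` ships the terminating NUL to the control process; a comment such as `/* include NUL so the receiver can print the payload as a string */` would make that intent explicit, and the receiving side should still verify the terminator rather than trust the length. The buffer from X509_NAME_oneline() is released with free(); that is fine where OPENSSL_free() is plain free(), which is presumably the case here, but worth confirming.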