123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304 |
- /*
- * Copyright (C) 2016 Michael Brown <mbrown@fensystems.co.uk>.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation; either version 2 of the
- * License, or any later version.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- *
- * You can also choose to distribute this program under the terms of
- * the Unmodified Binary Distribution Licence (as given in the file
- * COPYING.UBDL), provided that you have satisfied its requirements.
- */
-
- FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
-
- #include <stdio.h>
- #include <errno.h>
- #include <getopt.h>
- #include <ipxe/x509.h>
- #include <ipxe/certstore.h>
- #include <ipxe/image.h>
- #include <ipxe/command.h>
- #include <ipxe/parseopt.h>
- #include <usr/imgmgmt.h>
- #include <usr/certmgmt.h>
-
- /** @file
- *
- * Certificate management commands
- *
- */
-
- /** "cert<xxx>" options */
- struct cert_options {
- /** Certificate subject name */
- char *name;
- /** Keep certificate file after parsing */
- int keep;
- };
-
- /** "cert<xxx>" option list */
- static union {
- /* "certstore" takes both options */
- struct option_descriptor certstore[2];
- /* "certstat" takes only --subject */
- struct option_descriptor certstat[1];
- /* "certfree" takes only --subject */
- struct option_descriptor certfree[1];
- } opts = {
- .certstore = {
- OPTION_DESC ( "subject", 's', required_argument,
- struct cert_options, name, parse_string ),
- OPTION_DESC ( "keep", 'k', no_argument,
- struct cert_options, keep, parse_flag ),
- },
- };
-
- /** A "cert<xxx>" command descriptor */
- struct cert_command_descriptor {
- /** Command descriptor */
- struct command_descriptor cmd;
- /** Payload
- *
- * @v cert X.509 certificate
- * @ret rc Return status code
- */
- int ( * payload ) ( struct x509_certificate *cert );
- };
-
- /**
- * Construct "cert<xxx>" command descriptor
- *
- * @v _struct Options structure type
- * @v _options Option descriptor array
- * @v _min_args Minimum number of non-option arguments
- * @v _max_args Maximum number of non-option arguments
- * @v _usage Command usage
- * @v _payload Payload method
- * @ret _command Command descriptor
- */
- #define CERT_COMMAND_DESC( _struct, _options, _min_args, _max_args, \
- _usage, _payload ) \
- { \
- .cmd = COMMAND_DESC ( _struct, _options, _min_args, \
- _max_args, _usage ), \
- .payload = _payload, \
- }
-
- /**
- * Execute "cert<xxx>" command
- *
- * @v argc Argument count
- * @v argv Argument list
- * @v certcmd Command descriptor
- * @ret rc Return status code
- */
- static int cert_exec ( int argc, char **argv,
- struct cert_command_descriptor *certcmd ) {
- struct command_descriptor *cmd = &certcmd->cmd;
- struct cert_options opts;
- struct image *image = NULL;
- struct x509_certificate *cert;
- struct x509_certificate *tmp;
- unsigned int count = 0;
- size_t offset = 0;
- int next;
- int rc;
-
- /* Parse options */
- if ( ( rc = parse_options ( argc, argv, cmd, &opts ) ) != 0 )
- goto err_parse;
-
- /* Acquire image, if applicable */
- if ( ( optind < argc ) &&
- ( ( rc = imgacquire ( argv[optind], 0, &image ) ) != 0 ) )
- goto err_acquire;
-
- /* Get first entry in certificate store */
- tmp = list_first_entry ( &certstore.links, struct x509_certificate,
- store.list );
-
- /* Iterate over certificates */
- while ( 1 ) {
-
- /* Get next certificate from image or store as applicable */
- if ( image ) {
-
- /* Get next certificate from image */
- if ( offset >= image->len )
- break;
- next = image_x509 ( image, offset, &cert );
- if ( next < 0 ) {
- rc = next;
- printf ( "Could not parse certificate: %s\n",
- strerror ( rc ) );
- goto err_x509;
- }
- offset = next;
-
- } else {
-
- /* Get next certificate from store */
- cert = tmp;
- if ( ! cert )
- break;
- tmp = list_next_entry ( tmp, &certstore.links,
- store.list );
- x509_get ( cert );
- }
-
- /* Skip non-matching names, if a name was specified */
- if ( opts.name && ( x509_check_name ( cert, opts.name ) != 0 )){
- x509_put ( cert );
- continue;
- }
-
- /* Execute payload */
- if ( ( rc = certcmd->payload ( cert ) ) != 0 ) {
- x509_put ( cert );
- goto err_payload;
- }
-
- /* Count number of certificates processed */
- count++;
-
- /* Drop reference to certificate */
- x509_put ( cert );
- }
-
- /* Fail if a name was specified and no matching certificates
- * were found.
- */
- if ( opts.name && ( count == 0 ) ) {
- printf ( "\"%s\" : no such certificate\n", opts.name );
- rc = -ENOENT;
- goto err_none;
- }
-
- err_none:
- err_payload:
- err_x509:
- if ( image && ( ! opts.keep ) )
- unregister_image ( image );
- err_acquire:
- err_parse:
- return rc;
- }
-
- /**
- * "certstat" payload
- *
- * @v cert X.509 certificate
- * @ret rc Return status code
- */
- static int certstat_payload ( struct x509_certificate *cert ) {
-
- certstat ( cert );
- return 0;
- }
-
- /** "certstat" command descriptor */
- static struct cert_command_descriptor certstat_cmd =
- CERT_COMMAND_DESC ( struct cert_options, opts.certstat, 0, 0, NULL,
- certstat_payload );
-
- /**
- * The "certstat" command
- *
- * @v argc Argument count
- * @v argv Argument list
- * @ret rc Return status code
- */
- static int certstat_exec ( int argc, char **argv ) {
-
- return cert_exec ( argc, argv, &certstat_cmd );
- }
-
- /**
- * "certstore" payload
- *
- * @v cert X.509 certificate
- * @ret rc Return status code
- */
- static int certstore_payload ( struct x509_certificate *cert ) {
-
- /* Mark certificate as having been added explicitly */
- cert->flags |= X509_FL_EXPLICIT;
-
- return 0;
- }
-
- /** "certstore" command descriptor */
- static struct cert_command_descriptor certstore_cmd =
- CERT_COMMAND_DESC ( struct cert_options, opts.certstore, 0, 1,
- "[<uri|image>]", certstore_payload );
-
- /**
- * The "certstore" command
- *
- * @v argc Argument count
- * @v argv Argument list
- * @ret rc Return status code
- */
- static int certstore_exec ( int argc, char **argv ) {
-
- return cert_exec ( argc, argv, &certstore_cmd );
- }
-
- /**
- * "certfree" payload
- *
- * @v cert X.509 certificate
- * @ret rc Return status code
- */
- static int certfree_payload ( struct x509_certificate *cert ) {
-
- /* Remove from certificate store */
- certstore_del ( cert );
-
- return 0;
- }
-
- /** "certfree" command descriptor */
- static struct cert_command_descriptor certfree_cmd =
- CERT_COMMAND_DESC ( struct cert_options, opts.certfree, 0, 0, NULL,
- certfree_payload );
-
- /**
- * The "certfree" command
- *
- * @v argc Argument count
- * @v argv Argument list
- * @ret rc Return status code
- */
- static int certfree_exec ( int argc, char **argv ) {
-
- return cert_exec ( argc, argv, &certfree_cmd );
- }
-
- /** Certificate management commands */
- struct command certmgmt_commands[] __command = {
- {
- .name = "certstat",
- .exec = certstat_exec,
- },
- {
- .name = "certstore",
- .exec = certstore_exec,
- },
- {
- .name = "certfree",
- .exec = certfree_exec,
- },
- };
|