From: tobhe
Date: Sun, 21 Nov 2021 22:44:08 +0000 (+0000)
Subject: Add 'ikectl show certinfo' to show trusted CAs and certificates.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=6cf0fa19301883f7fbb583c7fceee8c7920c78a5;p=openbsd
Add 'ikectl show certinfo' to show trusted CAs and certificates. This helps debug authentication issues with x509 certificates. ok markus@
---
diff --git a/sbin/iked/ca.c b/sbin/iked/ca.c
index 36749457247..c7ea248dbd2 100644
--- a/sbin/iked/ca.c
+++ b/sbin/iked/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.78 2021/02/24 22:17:48 tobhe Exp $ */
+/* $OpenBSD: ca.c,v 1.79 2021/11/21 22:44:08 tobhe Exp $ */
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter
@@ -73,10 +73,13 @@ int ca_x509_subjectaltname_log(X509 *, const char *);
 int ca_x509_subjectaltname_get(X509 *cert, struct iked_id *);
 int ca_dispatch_parent(int, struct privsep_proc *, struct imsg *);
 int ca_dispatch_ikev2(int, struct privsep_proc *, struct imsg *);
+int ca_dispatch_control(int, struct privsep_proc *, struct imsg *);
+void ca_store_info(struct iked *, const char *, X509_STORE *);
 
 static struct privsep_proc procs[] = {
 	{ "parent", PROC_PARENT, ca_dispatch_parent },
-	{ "ikev2", PROC_IKEV2, ca_dispatch_ikev2 }
+	{ "ikev2", PROC_IKEV2, ca_dispatch_ikev2 },
+	{ "control", PROC_CONTROL, ca_dispatch_control }
 };
 
 struct ca_store {
@@ -259,6 +262,27 @@ ca_dispatch_ikev2(int fd, struct privsep_proc *p, struct imsg *imsg)
 	return (0);
 }
 
+int
+ca_dispatch_control(int fd, struct privsep_proc *p, struct imsg *imsg)
+{
+	struct iked *env = p->p_env;
+	struct ca_store *store = env->sc_priv;
+
+	switch (imsg->hdr.type) {
+	case IMSG_CTL_SHOW_CERTSTORE:
+		ca_store_info(env, "CA", store->ca_cas);
+		ca_store_info(env, "CERT", store->ca_certs);
+		/* Send empty reply to indicate end of information. */
+		proc_compose(&env->sc_ps, PROC_CONTROL, IMSG_CTL_SHOW_CERTSTORE,
+		    NULL, 0);
+		break;
+	default:
+		return (-1);
+	}
+
+	return (0);
+}
+
 int
 ca_setcert(struct iked *env, struct iked_sahdr *sh, struct iked_id *id,
     uint8_t type, uint8_t *data, size_t len, enum privsep_procid procid)
@@ -1051,6 +1075,37 @@ ca_subjectpubkey_digest(X509 *x509, uint8_t *md, unsigned int *size)
 	return (0);
 }
 
+void
+ca_store_info(struct iked *env, const char *msg, X509_STORE *ctx)
+{
+	STACK_OF(X509_OBJECT) *h;
+	X509_OBJECT *xo;
+	X509 *cert;
+	int i;
+	X509_NAME *subject;
+	char *name;
+	char *buf;
+	size_t buflen;
+
+	h = X509_STORE_get0_objects(ctx);
+	for (i = 0; i < sk_X509_OBJECT_num(h); i++) {
+		xo = sk_X509_OBJECT_value(h, i);
+		if (X509_OBJECT_get_type(xo) != X509_LU_X509)
+			continue;
+		cert = X509_OBJECT_get0_X509(xo);
+		if ((subject = X509_get_subject_name(cert)) == NULL ||
+		    (name = X509_NAME_oneline(subject, NULL, 0)) == NULL)
+			continue;
+		buflen = asprintf(&buf, "%s: %s\n", msg, name);
+		free(name);
+		if (buf == NULL)
+			continue;
+		proc_compose(&env->sc_ps, PROC_CONTROL, IMSG_CTL_SHOW_CERTSTORE,
+		    buf, buflen + 1);
+		free(buf);
+	}
+}
+
 struct ibuf *
 ca_x509_serialize(X509 *x509)
 {
diff --git a/sbin/iked/control.c b/sbin/iked/control.c
index 17b72805de0..828d68e7a71 100644
--- a/sbin/iked/control.c
+++ b/sbin/iked/control.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: control.c,v 1.31 2021/04/20 21:11:56 dv Exp $ */
+/* $OpenBSD: control.c,v 1.32 2021/11/21 22:44:08 tobhe Exp $ */
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter
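Review bot: ca_dispatch_control passes store->ca_cas and store->ca_certs to ca_store_info without a NULL guard, and ca_store_info hands its argument straight to X509_STORE_get0_objects(); whether either store can still be unset when a control request arrives is not visible in this diff, but if it can, a single `ikectl show certstore` would crash the privileged CA process. A one-line guard at the top of ca_store_info, `if (ctx == NULL) return;`, makes the request harmless in that case. It would also help to say in a comment at the two call sites that the "CA" and "CERT" labels are what ikectl prints verbatim, e.g. `/* labels are echoed as-is in ikectl's output */`, since they are the only hint of which store an entry came from.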
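Review bot: In ca_store_info the asprintf() return value is stored into the size_t buflen and never checked; on failure asprintf returns -1, which wraps buflen to SIZE_MAX, and the following `if (buf == NULL)` only rescues this because OpenBSD's asprintf sets *ret to NULL on error, a contract portable code should not lean on. Checking the result directly is clearer: declare `int n;` and use `if ((n = asprintf(&buf, "%s: %s\n", msg, name)) == -1) { free(name); continue; }`, then pass `(size_t)n + 1` to proc_compose. The `+ 1` deliberately ships the terminating NUL because ikectl's show_string() prints the payload with printf("%s"); a comment such as `/* include the NUL: ikectl prints this as a C string */` keeps a future reader from trimming it. Certificates skipped because X509_get_subject_name() or X509_NAME_oneline() failed are dropped silently, which works against the stated purpose of debugging authentication problems; a log_debug() on those continue paths would make the gap visible.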
@@ -47,10 +47,12 @@ void control_dispatch_parent(int, short, void *);
 void control_imsg_forward(struct imsg *);
 void control_run(struct privsep *, struct privsep_proc *, void *);
 int control_dispatch_ikev2(int, struct privsep_proc *, struct imsg *);
+int control_dispatch_ca(int, struct privsep_proc *, struct imsg *);
 
 static struct privsep_proc procs[] = {
 	{ "parent", PROC_PARENT, NULL },
 	{ "ikev2", PROC_IKEV2, control_dispatch_ikev2 },
+	{ "ca", PROC_CERT, control_dispatch_ca },
 };
 
 pid_t
@@ -312,6 +314,10 @@ control_dispatch_imsg(int fd, short event, void *arg)
 			proc_forward_imsg(&env->sc_ps, &imsg, PROC_IKEV2, -1);
 			c->flags |= CTL_CONN_NOTIFY;
 			break;
+		case IMSG_CTL_SHOW_CERTSTORE:
+			proc_forward_imsg(&env->sc_ps, &imsg, PROC_CERT, -1);
+			c->flags |= CTL_CONN_NOTIFY;
+			break;
 		default:
 			log_debug("%s: error handling imsg %d", __func__,
 			    imsg.hdr.type);
@@ -348,3 +354,17 @@ control_dispatch_ikev2(int fd, struct privsep_proc *p, struct imsg *imsg)
 
 	return (-1);
 }
+
+int
+control_dispatch_ca(int fd, struct privsep_proc *p, struct imsg *imsg)
+{
+	switch (imsg->hdr.type) {
+	case IMSG_CTL_SHOW_CERTSTORE:
+		control_imsg_forward(imsg);
+		return (0);
+	default:
+		break;
+	}
+
+	return (-1);
+}
diff --git a/sbin/iked/types.h b/sbin/iked/types.h
index dd81c3e6cc1..5fb3c99ca05 100644
--- a/sbin/iked/types.h
+++ b/sbin/iked/types.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: types.h,v 1.46 2021/10/26 17:31:22 tobhe Exp $ */
+/* $OpenBSD: types.h,v 1.47 2021/11/21 22:44:08 tobhe Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -126,7 +126,8 @@ enum imsg_type {
 	IMSG_OCSP_CFG,
 	IMSG_AUTH,
 	IMSG_PRIVKEY,
-	IMSG_PUBKEY
+	IMSG_PUBKEY,
+	IMSG_CTL_SHOW_CERTSTORE
 };
 
 enum privsep_procid {
diff --git a/usr.sbin/ikectl/ikectl.c b/usr.sbin/ikectl/ikectl.c
index 0a81a79ebfa..6ba3b25ebe3 100644
--- a/usr.sbin/ikectl/ikectl.c
+++ b/usr.sbin/ikectl/ikectl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikectl.c,v 1.26 2020/06/10 17:44:44 kn Exp $ */
+/* $OpenBSD: ikectl.c,v 1.27 2021/11/21 22:44:08 tobhe Exp $ */
 
 /*
  * Copyright (c) 2007-2013 Reyk Floeter
@@ -59,6 +59,7 @@ struct imsgname imsgs[] = {
 	{ IMSG_CTL_RELOAD, "reload", NULL },
 	{ IMSG_CTL_RESET, "reset", NULL },
 	{ IMSG_CTL_SHOW_SA, "show sa", NULL },
+	{ IMSG_CTL_SHOW_CERTSTORE, "show certstore", NULL },
 	{ 0, NULL, NULL }
 };
 
@@ -302,6 +303,10 @@ main(int argc, char *argv[])
 		imsg_compose(ibuf, IMSG_CTL_SHOW_SA, 0, 0, -1, NULL, 0);
 		done = 0;
 		break;
+	case SHOW_CERTSTORE:
+		imsg_compose(ibuf, IMSG_CTL_SHOW_CERTSTORE, 0, 0, -1, NULL, 0);
+		done = 0;
+		break;
 	case RELOAD:
 		imsg_compose(ibuf, IMSG_CTL_RELOAD, 0, 0, -1, NULL, 0);
 		break;
@@ -350,6 +355,7 @@ main(int argc, char *argv[])
 				done = monitor(&imsg);
 				break;
 			case SHOW_SA:
+			case SHOW_CERTSTORE:
 				done = show_string(&imsg);
 				break;
 			default:
@@ -401,9 +407,13 @@ show_string(struct imsg *imsg)
 {
 	int done = 0;
 
-	if (imsg->hdr.type != IMSG_CTL_SHOW_SA)
+	switch (imsg->hdr.type) {
+	case IMSG_CTL_SHOW_SA:
+	case IMSG_CTL_SHOW_CERTSTORE:
+		break;
+	default:
 		return (done);
-
+	}
 	if (IMSG_DATA_SIZE(imsg) > 0)
 		printf("%s", (char *)imsg->data);
 	else
diff --git a/usr.sbin/ikectl/parser.c b/usr.sbin/ikectl/parser.c
index fceb60d3d58..008f986ba6f 100644
--- a/usr.sbin/ikectl/parser.c
+++ b/usr.sbin/ikectl/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.19 2020/03/22 15:59:05 tobhe Exp $ */
+/* $OpenBSD: parser.c,v 1.20 2021/11/21 22:44:08 tobhe Exp $ */
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter
@@ -214,6 +214,7 @@ static const struct token t_ca_key_path[] = {
 static const struct token t_show[] = {
 	{ KEYWORD, "ca", SHOW_CA, t_show_ca },
 	{ KEYWORD, "sa", SHOW_SA, NULL },
+	{ KEYWORD, "certstore", SHOW_CERTSTORE,NULL },
 	{ ENDTOKEN, "", NONE, NULL }
 };
 
diff --git a/usr.sbin/ikectl/parser.h b/usr.sbin/ikectl/parser.h
index e69096ab2cd..cd20e793fef 100644
--- a/usr.sbin/ikectl/parser.h
+++ b/usr.sbin/ikectl/parser.h
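Review bot: show_string() still prints imsg->data with `printf("%s", ...)` and so relies on every sender, now including ca_store_info() for IMSG_CTL_SHOW_CERTSTORE, to include the terminating NUL in the payload; the receiver does not verify it. Since the length is already known from IMSG_DATA_SIZE(imsg), a bounded print costs one line, `printf("%.*s", (int)IMSG_DATA_SIZE(imsg), (char *)imsg->data);`, and removes the dependency on the sender's framing. The body of show_string() continues past the end of the hunk.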
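Review bot: The new keyword in t_show[] is `certstore`, matching the "show certstore" entry in ikectl.c's imsgs[] table and the SHOW_CERTSTORE action, while the commit subject calls the command 'ikectl show certinfo'; one of the two should be corrected so the log and the implementation agree. The diff also contains no change to the ikectl manual page, so the new subcommand stays undocumented for users unless that lands separately.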
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.h,v 1.16 2020/03/22 15:59:05 tobhe Exp $ */
+/* $OpenBSD: parser.h,v 1.17 2021/11/21 22:44:08 tobhe Exp $ */
 
 /*
  * Copyright (c) 2007-2013 Reyk Floeter
@@ -56,7 +56,8 @@ enum actions {
 	SHOW_CA,
 	SHOW_CA_CERTIFICATES,
 	SHOW_SA,
-	RESET_ID
+	RESET_ID,
+	SHOW_CERTSTORE
 };
 
 struct parse_result {