Short certificate listing by default

Also add -a option to list all databases

Author: lnussel

src/efi_hash.c

@@ -67,7 +67,7 @@ signature_size (const efi_guid_t *hash_type)
 
 int
 print_hash_array (const efi_guid_t *hash_type, const void *hash_array,
-		  const uint32_t array_size)
+		  const uint32_t array_size, int verbose)
 {
 	uint32_t hash_size, remain;
 	uint32_t sig_size;
@@ -90,27 +90,40 @@ print_hash_array (const efi_guid_t *hash_type, const void *hash_array,
 	hash_size = efi_hash_size (hash_type);
 	sig_size = hash_size + sizeof(efi_guid_t);
 
-	printf ("  [%s]\n", name);
-	free(name);
+	if (verbose)
+		printf ("  [%s]\n", name);
+
 	remain = array_size;
 	hash = (uint8_t *)hash_array;
 
 	while (remain > 0) {
 		if (remain < sig_size) {
 			fprintf (stderr, "invalid array size\n");
-			return -1;
+			goto err;
+		}
+
+		if (verbose) {
+			printf ("  ");
+			hash += sizeof(efi_guid_t);
+			for (unsigned int i = 0; i<hash_size; i++)
+				printf ("%02x", *(hash + i));
+			printf ("\n");
+		} else {
+			hash += sizeof(efi_guid_t);
+			for (unsigned int i = 0; i<5; i++)
+				printf ("%02x", *(hash + i));
+			printf (" (%s)\n", name);
 		}
 
-		printf ("  ");
-		hash += sizeof(efi_guid_t);
-		for (unsigned int i = 0; i<hash_size; i++)
-			printf ("%02x", *(hash + i));
-		printf ("\n");
 		hash += hash_size;
 		remain -= sig_size;
 	}
 
 	return 0;
+
+err:
+	free(name);
+	return -1;
 }
 
 /* match the hash in the hash array and return the index if matched */

src/efi_hash.h

@@ -40,7 +40,7 @@
 uint32_t efi_hash_size (const efi_guid_t *hash_type);
 uint32_t signature_size (const efi_guid_t *hash_type);
 int print_hash_array (const efi_guid_t *hash_type, const void *hash_array,
-		      const uint32_t array_size);
+		      const uint32_t array_size, int verbose);
 int match_hash_array (const efi_guid_t *hash_type, const void *hash,
 		      const void *hash_array, const uint32_t array_size);
 int identify_hash_type (const char *hash_str, efi_guid_t *type);

src/efi_x509.c

@@ -35,32 +35,23 @@
 
 #include "efi_x509.h"
 
-int
-print_x509 (const uint8_t *cert, const int cert_size)
+static int
+x509_calculate_fingerprint(const uint8_t *cert, const int cert_size,
+		unsigned char* ret_fingerprint, unsigned int *ret_md_len)
 {
-	X509 *X509cert;
-	EVP_MD_CTX *ctx;
 	const EVP_MD *md;
-	unsigned int md_len;
-	const unsigned char *in = (const unsigned char *)cert;
-	unsigned char fingerprint[EVP_MAX_MD_SIZE];
-
-	X509cert = d2i_X509 (NULL, &in, cert_size);
-	if (X509cert == NULL) {
-		fprintf (stderr, "Invalid X509 certificate\n");
-		return -1;
-	}
+	EVP_MD_CTX *ctx;
 
 	md = EVP_get_digestbyname ("SHA1");
 	if(md == NULL) {
 		fprintf (stderr, "Failed to get SHA1 digest\n");
-		goto cleanup_cert;
+		goto err;
 	}
 
 	ctx = EVP_MD_CTX_create ();
 	if (ctx == NULL) {
 		fprintf (stderr, "Failed to create digest context\n");
-	        goto cleanup_cert;
+	        goto err;
 	}
 
 	if (!EVP_DigestInit_ex (ctx, md, NULL)) {
@@ -73,23 +64,65 @@ print_x509 (const uint8_t *cert, const int cert_size)
 		goto cleanup_ctx;
 	}
 
-	if (!EVP_DigestFinal_ex (ctx, fingerprint, &md_len)) {
+	if (!EVP_DigestFinal_ex (ctx, ret_fingerprint, ret_md_len)) {
 		fprintf (stderr, "Failed to get digest value\n");
 		goto cleanup_ctx;
 	}
 
-	printf ("SHA1 Fingerprint: ");
-	for (unsigned int i = 0; i < md_len; i++) {
-		printf ("%02x", fingerprint[i]);
-		if (i < md_len - 1)
-			printf (":");
-	}
-	printf ("\n");
-	X509_print_fp (stdout, X509cert);
+	return 0;
 
 cleanup_ctx:
 	EVP_MD_CTX_destroy (ctx);
-cleanup_cert:
+err:
+	return -1;
+}
+
+
+int
+print_x509 (const uint8_t *cert, const int cert_size, int verbose)
+{
+	X509 *X509cert;
+	unsigned int md_len;
+	const unsigned char *in = (const unsigned char *)cert;
+	unsigned char fingerprint[EVP_MAX_MD_SIZE];
+
+	if (x509_calculate_fingerprint(cert, cert_size, fingerprint, &md_len) < 0)
+		return -1;
+
+	X509cert = d2i_X509 (NULL, &in, cert_size);
+	if (X509cert == NULL) {
+		fprintf (stderr, "Invalid X509 certificate\n");
+		return -1;
+	}
+
+	if (verbose) {
+		printf ("SHA1 Fingerprint: ");
+		for (unsigned int i = 0; i < md_len; i++) {
+			printf ("%02x", fingerprint[i]);
+			if (i < md_len - 1)
+				printf (":");
+		}
+		printf ("\n");
+		X509_print_fp (stdout, X509cert);
+	} else {
+		X509_NAME* nm = X509_get_subject_name(X509cert);
+		int r = X509_NAME_get_index_by_NID(nm, NID_commonName, -1);
+
+		for (unsigned int i = 0; i < 5; i++)
+			printf ("%02x", fingerprint[i]);
+		fputs(" ", stdout);
+
+		if (r == -1)
+			X509_NAME_print_ex_fp(stdout, nm, 0, XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB & ~XN_FLAG_SPC_EQ);
+		else {
+			X509_NAME_ENTRY *e;
+			e = X509_NAME_get_entry(nm, r);
+			ASN1_STRING *val = X509_NAME_ENTRY_get_data(e);
+			ASN1_STRING_print_ex_fp(stdout, val, ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB);
+		}
+		fputs("\n", stdout);
+	}
+
 	X509_free (X509cert);
 
 	return 0;

src/efi_x509.h

@@ -34,7 +34,7 @@
 
 #include <stdint.h>
 
-int print_x509 (const uint8_t *cert, const int cert_size);
+int print_x509 (const uint8_t *cert, const int cert_size, int verbose);
 int is_valid_cert (const uint8_t *cert, const uint32_t cert_size);
 int is_immediate_ca (const uint8_t *cert, const uint32_t cert_size,
 		     const uint8_t *ca_cert, const uint32_t ca_cert_size);

src/mokutil.c

@@ -97,6 +97,10 @@
 
 static int force_ca_check;
 static int check_keyring;
+static int opt_verbose_listing;
+static int opt_list_all;
+
+static const char* const db_names[] = { "MokListRT", "MokListXRT", "PK", "KEK", "db", "dbx" };
 
 typedef struct {
 	uint32_t mok_toggle_state;
@@ -172,22 +176,24 @@ list_keys (const uint8_t *data, const size_t data_size)
 	for (unsigned int i = 0; i < mok_num; i++) {
 		char *owner_str = NULL;
 		int ret;
-		printf ("[key %d]\n", i+1);
+		if (opt_verbose_listing) {
+			printf ("[key %d]\n", i+1);
 
-		ret = efi_guid_to_str(&list[i].owner, &owner_str);
-		if (ret > 0) {
-			printf ("Owner: %s\n", owner_str);
-			free (owner_str);
+			ret = efi_guid_to_str(&list[i].owner, &owner_str);
+			if (ret > 0) {
+				printf ("Owner: %s\n", owner_str);
+				free (owner_str);
+			}
 		}
 
 		efi_guid_t sigtype = list[i].header->SignatureType;
 		if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) {
-			print_x509 (list[i].mok, list[i].mok_size);
+			print_x509 (list[i].mok, list[i].mok_size, opt_verbose_listing);
 		} else {
 			print_hash_array (&sigtype,
-					  list[i].mok, list[i].mok_size);
+					  list[i].mok, list[i].mok_size, opt_verbose_listing);
 		}
-		if (i < mok_num - 1)
+		if (opt_verbose_listing && i < mok_num - 1)
 			printf ("\n");
 	}
 
@@ -1220,6 +1226,8 @@ export_db_keys (const DBName db_name)
 		case DBX:
 			guid = efi_guid_security;
 			break;
+		case _DB_NAME_MAX:
+			return -1;
 	};
 
 	db_var_name = get_db_var_name(db_name);
@@ -1774,6 +1782,8 @@ list_db (const DBName db_name)
 			return list_keys_in_var ("db", efi_guid_security);
 		case DBX:
 			return list_keys_in_var ("dbx", efi_guid_security);
+		case _DB_NAME_MAX:
+			return -1;
 	}
 
 	return -1;
@@ -1873,11 +1883,13 @@ main (int argc, char *argv[])
 			{"ca-check",           no_argument,       0, 0  },
 			{"ignore-keyring",     no_argument,       0, 0  },
 			{"version",            no_argument,       0, 'v'},
+			{"verbose-listing",    no_argument,       0, 0},
+			{"all",                no_argument,       0, 'a'},
 			{0, 0, 0, 0}
 		};
 
 		int option_index = 0;
-		c = getopt_long (argc, argv, "cd:f:g::hi:lmpt:xDNPXv",
+		c = getopt_long (argc, argv, "acd:f:g::hi:lmpt:xDNPXv",
 				 long_options, &option_index);
 
 		if (c == -1)
@@ -2009,8 +2021,13 @@ main (int argc, char *argv[])
 				force_ca_check = 1;
 			} else if (strcmp (option, "ignore-keyring") == 0) {
 				check_keyring = 0;
+			} else if (strcmp (option, "verbose-listing") == 0) {
+				opt_verbose_listing = 1;
 			}
 
+			break;
+		case 'a':
+			opt_list_all = 1;
 			break;
 		case 'l':
 			command |= LIST_ENROLLED;
@@ -2170,7 +2187,18 @@ main (int argc, char *argv[])
 	switch (command) {
 		case LIST_ENROLLED:
 		case LIST_ENROLLED | MOKX:
-			ret = list_db (db_name);
+			if (opt_list_all) {
+				ret = 0;
+				for (DBName db = MOK_LIST_RT; db < _DB_NAME_MAX; ++db) {
+					int r;
+					printf("[%s]\n", db_names[db]);
+					r = list_db (db);
+					if (r)
+						ret = r;
+				}
+			} else {
+				ret = list_db (db_name);
+			}
 			break;
 		case LIST_NEW:
 			ret = list_keys_in_var ("MokNew", efi_guid_shim);

src/mokutil.h

@@ -56,6 +56,7 @@ typedef enum {
 	KEK,
 	DB,
 	DBX,
+	_DB_NAME_MAX,
 } DBName;
 
 typedef struct {