#!/bin/sh # # Copyright 1999-2006 University of Chicago # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # # globus-cert-info # # Easily extract information from a user's cert. # openssl="/usr/bin/openssl" prefix="${GLOBUS_LOCATION-/usr}" exec_prefix="/usr" bindir="/usr/bin" sbindir="/usr/sbin" sysconfdir="/etc" PATH=${bindir}:${sbindir}:${PATH} PROGRAM_NAME=`echo $0 | sed 's|.*/||g'` PROGRAM_VERSION="9.16" VERSION="9.16" PACKAGE="globus_gsi_cert_utils" DIRT_TIMESTAMP="1483727772" DIRT_BRANCH_ID="85" short_usage="$PROGRAM_NAME [-help] [-file certfile] [-all] [-subject] [...]" long_usage () { cat >&2 <<EOF ${short_usage} Displays certificate information. Unless the optional -file argument is given, the default location of the file containing the certficate is assumed: -- The location pointed to by the X509_USER_CERT. -- If X509_USER_CERT not set, $HOME/.globus/usercert.pem. Several options can be given: The output of "grid-cert-info -subject -issuer" is equivalent to that of "grid-cert-info -subject ; grid-cert-info -issuer" Options -help, -usage Display usage -version Display version -file certfile |-f Use 'certfile' at non-default location -rfc2253 Print X.509 names in RFC-2253 form Options determining what to print from certificate -all Whole certificate -subject |-s Subject string of the cert -issuer |-i Issuer of the cert -issuerhash |-ih Hash of the issuer name -startdate |-sd Validity of cert: start date -enddate |-ed Validity of cert: end date EOF } # See http://www-unix.globus.org/toolkit/docs/4.0/admin/docbook/ch05.html#prewsaa-env-credentials find_default_credential() { if [ -n "$X509_USER_CERT" ]; then echo "$X509_USER_CERT" elif [ -r "${HOME}/.globus/usercert.pem" ]; then echo "${HOME}/.globus/usercert.pem" elif [ -r "${HOME}/.globus/usercred.p12" ]; then echo "${HOME}/.globus/usercred.p12" else echo "" fi } certificate_format() { testfile="$1" _format='' if test "$testfile" = ""; then : elif echo "$certfile" | grep '\.p12$' > /dev/null 2>&1 ; then _format=pkcs12 elif echo "$certfile" | grep '\.pem$' > /dev/null 2>&1 ; then _format=x509 elif grep -- '-----BEGIN' "$testfile" > /dev/null 2>&1 ; then _format="x509" else : fi echo $_format } if ! "$openssl" version > /dev/null 2> /dev/null; then echo "Unable to locate openssl binary in PATH" 1>&2 exit 1 fi # Default Generated Files cert_format=x509 openssl_options="" toprint="" # set default location of certificate (may be overridden by --file) # certfile=`find_default_credential` globus_args_short_usage() { cat 1>&2 <<EOF Syntax : ${short_usage} Use -help to display full usage. EOF } globus_args_option_error() { cat 1>&2 <<EOF ERROR: option $1 : $2 EOF globus_args_short_usage exit 1 } globus_args_unrecognized_option() { globus_args_option_error $1 "unrecognized option" exit 1 } while [ "X$1" != "X" ]; do case $1 in -help | -h | --help | -usage | --usage) long_usage exit 0 ;; -version|--version) if [ "X${PROGRAM_NAME}" != "X" -a \ "X${PROGRAM_VERSION}" != "X" ]; then echo "${PROGRAM_NAME}: ${PROGRAM_VERSION}" elif [ "X${PACKAGE}" != "X" -a \ "X${VERSION}" != "X" ]; then echo "${PACKAGE}: ${VERSION}" else echo "No version information available." fi exit 0 ;; -versions|--versions) __AT=@ if [ -n "${PACKAGE}" -a -n "${VERSION}" -a \ -n "${DIRT_TIMESTAMP}" -a -n "${DIRT_BRANCH_ID}" -a \ "X${DIRT_TIMESTAMP}" != "X${__AT}DIRT_TIMESTAMP${__AT}" -a \ "X${DIRT_BRANCH_ID}" != "X${__AT}DIRT_BRANCH_ID${__AT}" ]; then echo "${PACKAGE}: ${VERSION} (${DIRT_TIMESTAMP}-${DIRT_BRANCH_ID})" else echo "No DiRT information available." fi exit 0; ;; -file| -f | --file) if [ -n "$2" -a -f "$2" -a -r "$2" ]; then certfile=$2 else if [ -n "$2" ]; then globus_args_option_error "$1" "\"$2\" is not a valid filename" else globus_args_option_error "$1" "needs a file name argument" fi fi shift ;; -all | -all) toprint="$toprint -text" ;; -subject|-s | --subject) toprint="$toprint SUBJECT" ;; -issuerhash|-ih | --issuerhash) toprint="$toprint -issuer_hash" ;; -issuer|-i | --issuer) toprint="$toprint -issuer" ;; -startdate|-sd|--startdate) toprint="$toprint -startdate" ;; -enddate|-ed|--enddate) toprint="$toprint -enddate" ;; -rfc2253|--rfc2253) rfc2253=1 openssl_options='-nameopt rfc2253' ;; *) globus_args_unrecognized_option "$1" ;; esac shift done if [ "${rfc2253:-0}" != 1 ]; then openssl_options="$openssl_options -nameopt rfc2253,-dn_rev" fi cert_format=`certificate_format "$certfile"` if test "$cert_format" = ""; then echo "Error: Cannot locate certificate" 1>&2 exit 1; fi if [ "X$toprint" = "X" ]; then toprint="-text" fi if [ ! \( -f "${certfile}" -a -r "${certfile}" \) ]; then echo "ERROR: Cannot read certificate file ${certfile}" >&2 exit 1 fi if [ "$cert_format" = pkcs12 ]; then echo "Credentials are in pkcs12 format, OpenSSL will prompt for p12 password" cert_data="`"$openssl" pkcs12 -nokeys -clcerts -nomacver -in ${certfile}`" command_stub="\"$openssl\" x509 -noout $openssl_options" else command_stub="\"$openssl\" x509 -noout -in ${certfile} $openssl_options" fi # Will probably need this... if [ "$cert_format" = pkcs12 ]; then subject=`echo "$cert_data" | eval ${command_stub} -subject` else subject=`eval ${command_stub} -subject` fi if test $? -ne 0 ; then exit 1 fi subject=`echo ${subject} | sed 's%^subject=\ *%%'` if [ "${rfc2253:-0}" != 1 ]; then subject=$(echo "${subject}" | sed -e 's|^|/|' -e 's|,|/|g') fi eval set -- "$toprint" for i in "$@"; do case "$i" in -*) echo "$cert_data" | eval "{ ${command_stub} $i || exit $?; } | sed 's/^[a-zA-Z]*=[ ]*//'" ;; SUBJECT) # Do not show the proxy levels echo "${subject}" | sed -e 's%/CN=proxy%%g' -e 's%/CN=limited proxy%%g' ;; esac done