e8722f12cbfe75f765ca655ce6f08669bff6412a
[strongswan.git] / src / libcharon / plugins / ipseckey / ipseckey_cred.c
1 /*
2 * Copyright (C) 2012 Reto Guadagnini
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15 #define _GNU_SOURCE
16 #include <stdio.h>
17 #include <string.h>
18
19 #include "ipseckey_cred.h"
20 #include "ipseckey.h"
21
22 #include <bio/bio_reader.h>
23 #include <daemon.h>
24
25 typedef struct private_ipseckey_cred_t private_ipseckey_cred_t;
26
27 /**
28 * Private data of an ipseckey_cred_t object
29 */
30 struct private_ipseckey_cred_t {
31
32 /**
33 * Public part
34 */
35 ipseckey_cred_t public;
36
37 /**
38 * DNS resolver
39 */
40 resolver_t *res;
41 };
42
43 /**
44 * enumerator over certificates
45 */
46 typedef struct {
47 /** implements enumerator interface */
48 enumerator_t public;
49 /** inner enumerator (enumerates IPSECKEY resource records) */
50 enumerator_t *inner;
51 /** response of the DNS resolver which contains the IPSECKEYs */
52 resolver_response_t *response;
53 /* IPSECKEYs are not valid before this point in time */
54 time_t notBefore;
55 /* IPSECKEYs are not valid after this point in time */
56 time_t notAfter;
57 /* identity to which the IPSECKEY belongs */
58 identification_t *identity;
59 } cert_enumerator_t;
60
61 METHOD(enumerator_t, cert_enumerator_enumerate, bool,
62 cert_enumerator_t *this, certificate_t **cert)
63 {
64 rr_t *cur_rr = NULL;
65 ipseckey_t *cur_ipseckey = NULL;
66 chunk_t pub_key;
67 public_key_t * key = NULL;
68 bool supported_ipseckey_found = FALSE;
69
70 /* Get the next supported IPSECKEY using the inner enumerator. */
71 while (this->inner->enumerate(this->inner, &cur_rr) &&
72 !supported_ipseckey_found)
73 {
74 supported_ipseckey_found = TRUE;
75
76 cur_ipseckey = ipseckey_create_frm_rr(cur_rr);
77
78 if (!cur_ipseckey)
79 {
80 DBG1(DBG_CFG, "failed to parse ipseckey - skipping this key");
81 supported_ipseckey_found = FALSE;
82 }
83
84 if (cur_ipseckey &&
85 cur_ipseckey->get_algorithm(cur_ipseckey) != IPSECKEY_ALGORITHM_RSA)
86 {
87 DBG1(DBG_CFG, "unsupported ipseckey algorithm -skipping this key");
88 cur_ipseckey->destroy(cur_ipseckey);
89 supported_ipseckey_found = FALSE;
90 }
91 }
92
93 if (supported_ipseckey_found)
94 {
95 /*
96 * Wrap the key of the IPSECKEY in a certificate and return this
97 * certificate.
98 */
99 pub_key = cur_ipseckey->get_public_key(cur_ipseckey);
100
101 key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
102 BUILD_BLOB_DNSKEY, pub_key,
103 BUILD_END);
104
105 if (!key)
106 {
107 DBG1(DBG_CFG, "failed to create public key from ipseckey");
108 cur_ipseckey->destroy(cur_ipseckey);
109 return FALSE;
110 }
111
112 *cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
113 CERT_TRUSTED_PUBKEY,
114 BUILD_PUBLIC_KEY, key,
115 BUILD_SUBJECT, this->identity,
116 BUILD_NOT_BEFORE_TIME, this->notBefore,
117 BUILD_NOT_AFTER_TIME, this->notAfter,
118 BUILD_END);
119 return TRUE;
120 }
121
122 return FALSE;
123 }
124
125 METHOD(enumerator_t, cert_enumerator_destroy, void,
126 cert_enumerator_t *this)
127 {
128 this->inner->destroy(this->inner);
129 this->response->destroy(this->response);
130 free(this);
131 }
132
133 METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
134 private_ipseckey_cred_t *this, certificate_type_t cert, key_type_t key,
135 identification_t *id, bool trusted)
136 {
137 char *fqdn = NULL;
138 resolver_response_t *response = NULL;
139 rr_set_t *rrset = NULL;
140 enumerator_t *rrsig_enum = NULL;
141 rr_t *rrsig = NULL;
142 bio_reader_t *reader = NULL;
143 chunk_t ignore;
144 u_int32_t nBefore, nAfter;
145 cert_enumerator_t *e;
146
147 if (id && id->get_type(id) == ID_FQDN)
148 {
149 /** Query the DNS for the required IPSECKEY RRs */
150
151 if (0 >= asprintf(&fqdn, "%Y", id))
152 {
153 DBG1(DBG_CFG, "empty FQDN string");
154 return enumerator_create_empty();
155 }
156
157 DBG1(DBG_CFG, "performing a DNS query for IPSECKEY RRs of '%s'",
158 fqdn);
159 response = this->res->query(this->res, fqdn, RR_CLASS_IN,
160 RR_TYPE_IPSECKEY);
161 if (!response)
162 {
163 DBG1(DBG_CFG, " query for IPSECKEY RRs failed");
164 free(fqdn);
165 return enumerator_create_empty();
166 }
167
168 if (!response->has_data(response) ||
169 !response->query_name_exist(response))
170 {
171 DBG1(DBG_CFG, " unable to retrieve IPSECKEY RRs from the DNS");
172 response->destroy(response);
173 free(fqdn);
174 return enumerator_create_empty();
175 }
176
177 if (!(response->get_security_state(response) == SECURE))
178 {
179 DBG1(DBG_CFG, " DNSSEC state of IPSECKEY RRs is not secure");
180 response->destroy(response);
181 free(fqdn);
182 return enumerator_create_empty();
183 }
184
185 free(fqdn);
186
187 /** Determine the validity period of the retrieved IPSECKEYs
188 *
189 * We use the "Signature Inception" and "Signature Expiration" field
190 * of the first RRSIG RR to determine the validity period of the
191 * IPSECKEY RRs. TODO: Take multiple RRSIGs into account.
192 */
193 rrset = response->get_rr_set(response);
194 rrsig_enum = rrset->create_rrsig_enumerator(rrset);
195 if (!rrsig_enum || !rrsig_enum->enumerate(rrsig_enum, &rrsig))
196 {
197 DBG1(DBG_CFG, " unable to determine the validity period of "
198 "IPSECKEY RRs because no RRSIGs are present");
199 DESTROY_IF(rrsig_enum);
200 response->destroy(response);
201 return enumerator_create_empty();
202 }
203
204 /**
205 * Parse the RRSIG for its validity period (RFC 4034)
206 */
207 reader = bio_reader_create(rrsig->get_rdata(rrsig));
208 reader->read_data(reader, 8, &ignore);
209 reader->read_uint32(reader, &nAfter);
210 reader->read_uint32(reader, &nBefore);
211 reader->destroy(reader);
212
213 /*Create and return an iterator over the retrieved IPSECKEYs */
214 INIT(e,
215 .public = {
216 .enumerate = (void*)_cert_enumerator_enumerate,
217 .destroy = _cert_enumerator_destroy,
218 },
219 .inner = response->get_rr_set(response)->create_rr_enumerator(
220 response->get_rr_set(response)),
221 .response = response,
222 .notBefore = nBefore,
223 .notAfter = nAfter,
224 .identity = id,
225 );
226
227 return &e->public;
228 }
229
230
231 return enumerator_create_empty();
232 }
233
234 METHOD(ipseckey_cred_t, destroy, void,
235 private_ipseckey_cred_t *this)
236 {
237 this->res->destroy(this->res);
238 free(this);
239 }
240
241 /**
242 * Described in header.
243 */
244 ipseckey_cred_t *ipseckey_cred_create(resolver_t *res)
245 {
246 private_ipseckey_cred_t *this;
247
248 INIT(this,
249 .public = {
250 .set = {
251 .create_private_enumerator = (void*)return_null,
252 .create_cert_enumerator = _create_cert_enumerator,
253 .create_shared_enumerator = (void*)return_null,
254 .create_cdp_enumerator = (void*)return_null,
255 .cache_cert = (void*)nop,
256 },
257 .destroy = _destroy,
258 },
259 .res = res,
260 );
261
262 return &this->public;
263 }