vici: Add a load-shared command to load shared IKE and EAP secrets
[strongswan.git] / src / libcharon / plugins / vici / vici_cred.c
1 /*
2 * Copyright (C) 2014 Martin Willi
3 * Copyright (C) 2014 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "vici_cred.h"
17 #include "vici_builder.h"
18
19 #include <credentials/sets/mem_cred.h>
20 #include <credentials/certificates/ac.h>
21 #include <credentials/certificates/crl.h>
22 #include <credentials/certificates/x509.h>
23
24 typedef struct private_vici_cred_t private_vici_cred_t;
25
26 /**
27 * Private data of an vici_cred_t object.
28 */
29 struct private_vici_cred_t {
30
31 /**
32 * Public vici_cred_t interface.
33 */
34 vici_cred_t public;
35
36 /**
37 * Dispatcher
38 */
39 vici_dispatcher_t *dispatcher;
40
41 /**
42 * credentials
43 */
44 mem_cred_t *creds;
45 };
46
47 /**
48 * Create a (error) reply message
49 */
50 static vici_message_t* create_reply(char *fmt, ...)
51 {
52 vici_builder_t *builder;
53 va_list args;
54
55 builder = vici_builder_create();
56 builder->add_kv(builder, "success", fmt ? "no" : "yes");
57 if (fmt)
58 {
59 va_start(args, fmt);
60 builder->vadd_kv(builder, "errmsg", fmt, args);
61 va_end(args);
62 }
63 return builder->finalize(builder);
64 }
65
66 CALLBACK(load_cert, vici_message_t*,
67 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
68 {
69 certificate_type_t type;
70 x509_flag_t required_flags = 0, additional_flags = 0;
71 certificate_t *cert;
72 x509_t *x509;
73 chunk_t data;
74 char *str;
75
76 str = message->get_str(message, NULL, "type");
77 if (!str)
78 {
79 return create_reply("certificate type missing");
80 }
81 if (strcaseeq(str, "x509"))
82 {
83 type = CERT_X509;
84 }
85 else if (strcaseeq(str, "x509ca"))
86 {
87 type = CERT_X509;
88 required_flags = X509_CA;
89 }
90 else if (strcaseeq(str, "x509aa"))
91 {
92 type = CERT_X509;
93 additional_flags = X509_AA;
94 }
95 else if (strcaseeq(str, "x509crl"))
96 {
97 type = CERT_X509_CRL;
98 }
99 else if (strcaseeq(str, "x509ac"))
100 {
101 type = CERT_X509_AC;
102 }
103 else
104 {
105 return create_reply("invalid certificate type: %s", str);
106 }
107 data = message->get_value(message, chunk_empty, "data");
108 if (!data.len)
109 {
110 return create_reply("certificate data missing");
111 }
112 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
113 BUILD_BLOB_PEM, data,
114 BUILD_X509_FLAG, additional_flags,
115 BUILD_END);
116 if (!cert)
117 {
118 return create_reply("parsing %N certificate failed",
119 certificate_type_names, type);
120 }
121 if (cert->get_type(cert) == CERT_X509)
122 {
123 x509 = (x509_t*)cert;
124
125 if ((required_flags & x509->get_flags(x509)) != required_flags)
126 {
127 cert->destroy(cert);
128 return create_reply("certificate misses required flag, rejected");
129 }
130 }
131
132 DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
133
134 this->creds->add_cert(this->creds, TRUE, cert);
135
136 return create_reply(NULL);
137 }
138
139 CALLBACK(load_key, vici_message_t*,
140 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
141 {
142 key_type_t type;
143 private_key_t *key;
144 chunk_t data;
145 char *str;
146
147 str = message->get_str(message, NULL, "type");
148 if (!str)
149 {
150 return create_reply("key type missing");
151 }
152 if (strcaseeq(str, "any"))
153 {
154 type = KEY_ANY;
155 }
156 else if (strcaseeq(str, "rsa"))
157 {
158 type = KEY_RSA;
159 }
160 else if (strcaseeq(str, "ecdsa"))
161 {
162 type = KEY_ECDSA;
163 }
164 else
165 {
166 return create_reply("invalid key type: %s", str);
167 }
168 data = message->get_value(message, chunk_empty, "data");
169 if (!data.len)
170 {
171 return create_reply("key data missing");
172 }
173 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
174 BUILD_BLOB_PEM, data, BUILD_END);
175 if (!key)
176 {
177 return create_reply("parsing %N private key failed",
178 key_type_names, type);
179 }
180
181 DBG1(DBG_CFG, "loaded %N private key", key_type_names, type);
182
183 this->creds->add_key(this->creds, key);
184
185 return create_reply(NULL);
186 }
187
188 CALLBACK(shared_owners, bool,
189 linked_list_t *owners, vici_message_t *message, char *name, chunk_t value)
190 {
191 if (streq(name, "owners"))
192 {
193 char buf[256];
194
195 if (!vici_stringify(value, buf, sizeof(buf)))
196 {
197 return FALSE;
198 }
199 owners->insert_last(owners, identification_create_from_string(buf));
200 }
201 return TRUE;
202 }
203
204 CALLBACK(load_shared, vici_message_t*,
205 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
206 {
207 shared_key_type_t type;
208 linked_list_t *owners;
209 chunk_t data;
210 char *str;
211
212 str = message->get_str(message, NULL, "type");
213 if (!str)
214 {
215 return create_reply("shared key type missing");
216 }
217 if (strcaseeq(str, "ike"))
218 {
219 type = SHARED_IKE;
220 }
221 else if (strcaseeq(str, "eap"))
222 {
223 type = SHARED_EAP;
224 }
225 else
226 {
227 return create_reply("invalid shared key type: %s", str);
228 }
229 data = message->get_value(message, chunk_empty, "data");
230 if (!data.len)
231 {
232 return create_reply("shared key data missing");
233 }
234
235 owners = linked_list_create();
236 if (!message->parse(message, NULL, NULL, NULL, shared_owners, owners))
237 {
238 owners->destroy_offset(owners, offsetof(identification_t, destroy));
239 return create_reply("parsing shared key owners failed");
240 }
241 if (owners->get_count(owners) == 0)
242 {
243 owners->insert_last(owners, identification_create_from_string("%any"));
244 }
245
246 DBG1(DBG_CFG, "loaded %N shared key", shared_key_type_names, type);
247
248 this->creds->add_shared_list(this->creds,
249 shared_key_create(type, chunk_clone(data)), owners);
250
251 return create_reply(NULL);
252 }
253
254 CALLBACK(clear_creds, vici_message_t*,
255 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
256 {
257 vici_builder_t *builder;
258
259 this->creds->clear(this->creds);
260 lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
261
262 builder = vici_builder_create();
263 return builder->finalize(builder);
264 }
265
266 static void manage_command(private_vici_cred_t *this,
267 char *name, vici_command_cb_t cb, bool reg)
268 {
269 this->dispatcher->manage_command(this->dispatcher, name,
270 reg ? cb : NULL, this);
271 }
272
273 /**
274 * (Un-)register dispatcher functions
275 */
276 static void manage_commands(private_vici_cred_t *this, bool reg)
277 {
278 manage_command(this, "clear-creds", clear_creds, reg);
279 manage_command(this, "load-cert", load_cert, reg);
280 manage_command(this, "load-key", load_key, reg);
281 manage_command(this, "load-shared", load_shared, reg);
282 }
283
284 METHOD(vici_cred_t, destroy, void,
285 private_vici_cred_t *this)
286 {
287 manage_commands(this, FALSE);
288
289 lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
290 this->creds->destroy(this->creds);
291 free(this);
292 }
293
294 /**
295 * See header
296 */
297 vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
298 {
299 private_vici_cred_t *this;
300
301 INIT(this,
302 .public = {
303 .destroy = _destroy,
304 },
305 .dispatcher = dispatcher,
306 .creds = mem_cred_create(),
307 );
308
309 lib->credmgr->add_set(lib->credmgr, &this->creds->set);
310
311 manage_commands(this, TRUE);
312
313 return &this->public;
314 }