vici: strongswan.conf cache_crls = yes saves fetched CRLs to disk
[strongswan.git] / src / libcharon / plugins / vici / vici_cred.c
1 /*
2 * Copyright (C) 2014 Martin Willi
3 * Copyright (C) 2014 revosec AG
4 *
5 * Copyright (C) 2015-2016 Andreas Steffen
6 * HSR Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "vici_cred.h"
20 #include "vici_builder.h"
21 #include "vici_cert_info.h"
22
23 #include <credentials/sets/mem_cred.h>
24 #include <credentials/certificates/ac.h>
25 #include <credentials/certificates/crl.h>
26 #include <credentials/certificates/x509.h>
27
28 #include <errno.h>
29
30 typedef struct private_vici_cred_t private_vici_cred_t;
31
32 /**
33 * Directory for saved X.509 CRLs
34 */
35 #define CRL_DIR SWANCTLDIR "/x509crl"
36
37 /**
38 * Private data of an vici_cred_t object.
39 */
40 struct private_vici_cred_t {
41
42 /**
43 * Public vici_cred_t interface.
44 */
45 vici_cred_t public;
46
47 /**
48 * Dispatcher
49 */
50 vici_dispatcher_t *dispatcher;
51
52 /**
53 * credentials
54 */
55 mem_cred_t *creds;
56
57 /**
58 * cache CRLs to disk?
59 */
60 bool cachecrl;
61
62 };
63
64 METHOD(credential_set_t, cache_cert, void,
65 private_vici_cred_t *this, certificate_t *cert)
66 {
67 if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
68 {
69 /* CRLs get written to /etc/swanctl/x509crl/<authkeyId>.crl */
70 crl_t *crl = (crl_t*)cert;
71
72 cert->get_ref(cert);
73 if (this->creds->add_crl(this->creds, crl))
74 {
75 char buf[BUF_LEN];
76 chunk_t chunk, hex;
77
78 chunk = crl->get_authKeyIdentifier(crl);
79 hex = chunk_to_hex(chunk, NULL, FALSE);
80 snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex.ptr);
81 free(hex.ptr);
82
83 if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
84 {
85 if (chunk_write(chunk, buf, 022, TRUE))
86 {
87 DBG1(DBG_CFG, " written crl file '%s' (%d bytes)",
88 buf, chunk.len);
89 }
90 else
91 {
92 DBG1(DBG_CFG, " writing crl file '%s' failed: %s",
93 buf, strerror(errno));
94 }
95 free(chunk.ptr);
96 }
97 }
98 }
99 }
100
101 /**
102 * Create a (error) reply message
103 */
104 static vici_message_t* create_reply(char *fmt, ...)
105 {
106 vici_builder_t *builder;
107 va_list args;
108
109 builder = vici_builder_create();
110 builder->add_kv(builder, "success", fmt ? "no" : "yes");
111 if (fmt)
112 {
113 va_start(args, fmt);
114 builder->vadd_kv(builder, "errmsg", fmt, args);
115 va_end(args);
116 }
117 return builder->finalize(builder);
118 }
119
120 CALLBACK(load_cert, vici_message_t*,
121 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
122 {
123 certificate_t *cert;
124 certificate_type_t type;
125 x509_flag_t ext_flag, flag = X509_NONE;
126 x509_t *x509;
127 chunk_t data;
128 bool trusted = TRUE;
129 char *str;
130
131 str = message->get_str(message, NULL, "type");
132 if (!str)
133 {
134 return create_reply("certificate type missing");
135 }
136 if (enum_from_name(certificate_type_names, str, &type))
137 {
138 if (type == CERT_X509)
139 {
140 str = message->get_str(message, "NONE", "flag");
141 if (!enum_from_name(x509_flag_names, str, &flag))
142 {
143 return create_reply("invalid certificate flag '%s'", str);
144 }
145 }
146 }
147 else if (!vici_cert_info_from_str(str, &type, &flag))
148 {
149 return create_reply("invalid certificate type '%s'", str);
150 }
151
152 data = message->get_value(message, chunk_empty, "data");
153 if (!data.len)
154 {
155 return create_reply("certificate data missing");
156 }
157
158 /* do not set CA flag externally */
159 ext_flag = (flag & X509_CA) ? X509_NONE : flag;
160
161 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
162 BUILD_BLOB_PEM, data,
163 BUILD_X509_FLAG, ext_flag,
164 BUILD_END);
165 if (!cert)
166 {
167 return create_reply("parsing %N certificate failed",
168 certificate_type_names, type);
169 }
170 DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
171
172 /* check if CA certificate has CA basic constraint set */
173 if (flag & X509_CA)
174 {
175 char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
176 x509 = (x509_t*)cert;
177
178 if (!(x509->get_flags(x509) & X509_CA))
179 {
180 cert->destroy(cert);
181 DBG1(DBG_CFG, " %s", err_msg);
182 return create_reply(err_msg);
183 }
184 }
185 if (type == CERT_X509_CRL)
186 {
187 this->creds->add_crl(this->creds, (crl_t*)cert);
188 }
189 else
190 {
191 this->creds->add_cert(this->creds, trusted, cert);
192 }
193 return create_reply(NULL);
194 }
195
196 CALLBACK(load_key, vici_message_t*,
197 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
198 {
199 key_type_t type;
200 private_key_t *key;
201 chunk_t data;
202 char *str;
203
204 str = message->get_str(message, NULL, "type");
205 if (!str)
206 {
207 return create_reply("key type missing");
208 }
209 if (strcaseeq(str, "any"))
210 {
211 type = KEY_ANY;
212 }
213 else if (strcaseeq(str, "rsa"))
214 {
215 type = KEY_RSA;
216 }
217 else if (strcaseeq(str, "ecdsa"))
218 {
219 type = KEY_ECDSA;
220 }
221 else if (strcaseeq(str, "bliss"))
222 {
223 type = KEY_BLISS;
224 }
225 else
226 {
227 return create_reply("invalid key type: %s", str);
228 }
229 data = message->get_value(message, chunk_empty, "data");
230 if (!data.len)
231 {
232 return create_reply("key data missing");
233 }
234 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
235 BUILD_BLOB_PEM, data, BUILD_END);
236 if (!key)
237 {
238 return create_reply("parsing %N private key failed",
239 key_type_names, type);
240 }
241
242 DBG1(DBG_CFG, "loaded %N private key", key_type_names, type);
243
244 this->creds->add_key(this->creds, key);
245
246 return create_reply(NULL);
247 }
248
249 CALLBACK(shared_owners, bool,
250 linked_list_t *owners, vici_message_t *message, char *name, chunk_t value)
251 {
252 if (streq(name, "owners"))
253 {
254 char buf[256];
255
256 if (!vici_stringify(value, buf, sizeof(buf)))
257 {
258 return FALSE;
259 }
260 owners->insert_last(owners, identification_create_from_string(buf));
261 }
262 return TRUE;
263 }
264
265 CALLBACK(load_shared, vici_message_t*,
266 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
267 {
268 shared_key_type_t type;
269 linked_list_t *owners;
270 chunk_t data;
271 char *str, buf[512] = "";
272 enumerator_t *enumerator;
273 identification_t *owner;
274 int len;
275
276 str = message->get_str(message, NULL, "type");
277 if (!str)
278 {
279 return create_reply("shared key type missing");
280 }
281 if (strcaseeq(str, "ike"))
282 {
283 type = SHARED_IKE;
284 }
285 else if (strcaseeq(str, "eap") || streq(str, "xauth"))
286 {
287 type = SHARED_EAP;
288 }
289 else
290 {
291 return create_reply("invalid shared key type: %s", str);
292 }
293 data = message->get_value(message, chunk_empty, "data");
294 if (!data.len)
295 {
296 return create_reply("shared key data missing");
297 }
298
299 owners = linked_list_create();
300 if (!message->parse(message, NULL, NULL, NULL, shared_owners, owners))
301 {
302 owners->destroy_offset(owners, offsetof(identification_t, destroy));
303 return create_reply("parsing shared key owners failed");
304 }
305 if (owners->get_count(owners) == 0)
306 {
307 owners->insert_last(owners, identification_create_from_string("%any"));
308 }
309
310 enumerator = owners->create_enumerator(owners);
311 while (enumerator->enumerate(enumerator, &owner))
312 {
313 len = strlen(buf);
314 if (len < sizeof(buf))
315 {
316 snprintf(buf + len, sizeof(buf) - len, "%s'%Y'",
317 len ? ", " : "", owner);
318 }
319 }
320 enumerator->destroy(enumerator);
321
322 DBG1(DBG_CFG, "loaded %N shared key for: %s",
323 shared_key_type_names, type, buf);
324
325 this->creds->add_shared_list(this->creds,
326 shared_key_create(type, chunk_clone(data)), owners);
327
328 return create_reply(NULL);
329 }
330
331 CALLBACK(clear_creds, vici_message_t*,
332 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
333 {
334 this->creds->clear(this->creds);
335 lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
336
337 return create_reply(NULL);
338 }
339
340 CALLBACK(flush_certs, vici_message_t*,
341 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
342 {
343 certificate_type_t type = CERT_ANY;
344 x509_flag_t flag = X509_NONE;
345 char *str;
346
347 str = message->get_str(message, NULL, "type");
348 if (str && !enum_from_name(certificate_type_names, str, &type) &&
349 !vici_cert_info_from_str(str, &type, &flag))
350 {
351 return create_reply("invalid certificate type '%s'", str);
352 }
353 lib->credmgr->flush_cache(lib->credmgr, type);
354
355 return create_reply(NULL);
356 }
357
358 static void manage_command(private_vici_cred_t *this,
359 char *name, vici_command_cb_t cb, bool reg)
360 {
361 this->dispatcher->manage_command(this->dispatcher, name,
362 reg ? cb : NULL, this);
363 }
364
365 /**
366 * (Un-)register dispatcher functions
367 */
368 static void manage_commands(private_vici_cred_t *this, bool reg)
369 {
370 manage_command(this, "clear-creds", clear_creds, reg);
371 manage_command(this, "flush-certs", flush_certs, reg);
372 manage_command(this, "load-cert", load_cert, reg);
373 manage_command(this, "load-key", load_key, reg);
374 manage_command(this, "load-shared", load_shared, reg);
375 }
376
377 METHOD(vici_cred_t, add_cert, certificate_t*,
378 private_vici_cred_t *this, certificate_t *cert)
379 {
380 return this->creds->add_cert_ref(this->creds, TRUE, cert);
381 }
382
383 METHOD(vici_cred_t, destroy, void,
384 private_vici_cred_t *this)
385 {
386 manage_commands(this, FALSE);
387
388 lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
389 this->creds->destroy(this->creds);
390 free(this);
391 }
392
393 /**
394 * See header
395 */
396 vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
397 {
398 private_vici_cred_t *this;
399
400 INIT(this,
401 .public = {
402 .set = {
403 .create_private_enumerator = (void*)return_null,
404 .create_cert_enumerator = (void*)return_null,
405 .create_shared_enumerator = (void*)return_null,
406 .create_cdp_enumerator = (void*)return_null,
407 .cache_cert = (void*)_cache_cert,
408 },
409 .add_cert = _add_cert,
410 .destroy = _destroy,
411 },
412 .dispatcher = dispatcher,
413 .creds = mem_cred_create(),
414 );
415
416 if (lib->settings->get_bool(lib->settings, "%s.cache_crls", FALSE, lib->ns))
417 {
418 this->cachecrl = TRUE;
419 DBG1(DBG_CFG, "crl caching to %s enabled", CRL_DIR);
420 }
421 lib->credmgr->add_set(lib->credmgr, &this->creds->set);
422
423 manage_commands(this, TRUE);
424
425 return &this->public;
426 }