6631184b56fde0002ab59a192314fa2347632993
[strongswan.git] / src / libcharon / plugins / vici / vici_cred.c
1 /*
2 * Copyright (C) 2014 Martin Willi
3 * Copyright (C) 2014 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "vici_cred.h"
17 #include "vici_builder.h"
18
19 #include <credentials/sets/mem_cred.h>
20 #include <credentials/certificates/ac.h>
21 #include <credentials/certificates/crl.h>
22 #include <credentials/certificates/x509.h>
23
24 typedef struct private_vici_cred_t private_vici_cred_t;
25
26 /**
27 * Private data of an vici_cred_t object.
28 */
29 struct private_vici_cred_t {
30
31 /**
32 * Public vici_cred_t interface.
33 */
34 vici_cred_t public;
35
36 /**
37 * Dispatcher
38 */
39 vici_dispatcher_t *dispatcher;
40
41 /**
42 * credentials
43 */
44 mem_cred_t *creds;
45 };
46
47 /**
48 * Create a (error) reply message
49 */
50 static vici_message_t* create_reply(char *fmt, ...)
51 {
52 vici_builder_t *builder;
53 va_list args;
54
55 builder = vici_builder_create();
56 builder->add_kv(builder, "success", fmt ? "no" : "yes");
57 if (fmt)
58 {
59 va_start(args, fmt);
60 builder->vadd_kv(builder, "errmsg", fmt, args);
61 va_end(args);
62 }
63 return builder->finalize(builder);
64 }
65
66 CALLBACK(load_cert, vici_message_t*,
67 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
68 {
69 certificate_type_t type;
70 x509_flag_t required_flags = 0, additional_flags = 0;
71 certificate_t *cert;
72 x509_t *x509;
73 chunk_t data;
74 bool trusted = TRUE;
75 char *str;
76
77 str = message->get_str(message, NULL, "type");
78 if (!str)
79 {
80 return create_reply("certificate type missing");
81 }
82 if (strcaseeq(str, "x509"))
83 {
84 type = CERT_X509;
85 }
86 else if (strcaseeq(str, "x509ca"))
87 {
88 type = CERT_X509;
89 required_flags = X509_CA;
90 }
91 else if (strcaseeq(str, "x509aa"))
92 {
93 type = CERT_X509;
94 additional_flags = X509_AA;
95 }
96 else if (strcaseeq(str, "x509crl"))
97 {
98 type = CERT_X509_CRL;
99 }
100 else if (strcaseeq(str, "x509ac"))
101 {
102 type = CERT_X509_AC;
103 trusted = FALSE;
104 }
105 else
106 {
107 return create_reply("invalid certificate type: %s", str);
108 }
109 data = message->get_value(message, chunk_empty, "data");
110 if (!data.len)
111 {
112 return create_reply("certificate data missing");
113 }
114 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
115 BUILD_BLOB_PEM, data,
116 BUILD_X509_FLAG, additional_flags,
117 BUILD_END);
118 if (!cert)
119 {
120 return create_reply("parsing %N certificate failed",
121 certificate_type_names, type);
122 }
123 if (cert->get_type(cert) == CERT_X509)
124 {
125 x509 = (x509_t*)cert;
126
127 if ((required_flags & x509->get_flags(x509)) != required_flags)
128 {
129 cert->destroy(cert);
130 return create_reply("certificate misses required flag, rejected");
131 }
132 }
133
134 DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
135
136 if (type == CERT_X509_CRL)
137 {
138 this->creds->add_crl(this->creds, (crl_t*)cert);
139 }
140 else
141 {
142 this->creds->add_cert(this->creds, trusted, cert);
143 }
144 return create_reply(NULL);
145 }
146
147 CALLBACK(load_key, vici_message_t*,
148 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
149 {
150 key_type_t type;
151 private_key_t *key;
152 chunk_t data;
153 char *str;
154
155 str = message->get_str(message, NULL, "type");
156 if (!str)
157 {
158 return create_reply("key type missing");
159 }
160 if (strcaseeq(str, "any"))
161 {
162 type = KEY_ANY;
163 }
164 else if (strcaseeq(str, "rsa"))
165 {
166 type = KEY_RSA;
167 }
168 else if (strcaseeq(str, "ecdsa"))
169 {
170 type = KEY_ECDSA;
171 }
172 else
173 {
174 return create_reply("invalid key type: %s", str);
175 }
176 data = message->get_value(message, chunk_empty, "data");
177 if (!data.len)
178 {
179 return create_reply("key data missing");
180 }
181 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
182 BUILD_BLOB_PEM, data, BUILD_END);
183 if (!key)
184 {
185 return create_reply("parsing %N private key failed",
186 key_type_names, type);
187 }
188
189 DBG1(DBG_CFG, "loaded %N private key", key_type_names, type);
190
191 this->creds->add_key(this->creds, key);
192
193 return create_reply(NULL);
194 }
195
196 CALLBACK(shared_owners, bool,
197 linked_list_t *owners, vici_message_t *message, char *name, chunk_t value)
198 {
199 if (streq(name, "owners"))
200 {
201 char buf[256];
202
203 if (!vici_stringify(value, buf, sizeof(buf)))
204 {
205 return FALSE;
206 }
207 owners->insert_last(owners, identification_create_from_string(buf));
208 }
209 return TRUE;
210 }
211
212 CALLBACK(load_shared, vici_message_t*,
213 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
214 {
215 shared_key_type_t type;
216 linked_list_t *owners;
217 chunk_t data;
218 char *str, buf[512] = "";
219 enumerator_t *enumerator;
220 identification_t *owner;
221 int len;
222
223 str = message->get_str(message, NULL, "type");
224 if (!str)
225 {
226 return create_reply("shared key type missing");
227 }
228 if (strcaseeq(str, "ike"))
229 {
230 type = SHARED_IKE;
231 }
232 else if (strcaseeq(str, "eap") || streq(str, "xauth"))
233 {
234 type = SHARED_EAP;
235 }
236 else
237 {
238 return create_reply("invalid shared key type: %s", str);
239 }
240 data = message->get_value(message, chunk_empty, "data");
241 if (!data.len)
242 {
243 return create_reply("shared key data missing");
244 }
245
246 owners = linked_list_create();
247 if (!message->parse(message, NULL, NULL, NULL, shared_owners, owners))
248 {
249 owners->destroy_offset(owners, offsetof(identification_t, destroy));
250 return create_reply("parsing shared key owners failed");
251 }
252 if (owners->get_count(owners) == 0)
253 {
254 owners->insert_last(owners, identification_create_from_string("%any"));
255 }
256
257 enumerator = owners->create_enumerator(owners);
258 while (enumerator->enumerate(enumerator, &owner))
259 {
260 len = strlen(buf);
261 if (len < sizeof(buf))
262 {
263 snprintf(buf + len, sizeof(buf) - len, "%s'%Y'",
264 len ? ", " : "", owner);
265 }
266 }
267 enumerator->destroy(enumerator);
268
269 DBG1(DBG_CFG, "loaded %N shared key for: %s",
270 shared_key_type_names, type, buf);
271
272 this->creds->add_shared_list(this->creds,
273 shared_key_create(type, chunk_clone(data)), owners);
274
275 return create_reply(NULL);
276 }
277
278 CALLBACK(clear_creds, vici_message_t*,
279 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
280 {
281 this->creds->clear(this->creds);
282 lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
283
284 return create_reply(NULL);
285 }
286
287 static void manage_command(private_vici_cred_t *this,
288 char *name, vici_command_cb_t cb, bool reg)
289 {
290 this->dispatcher->manage_command(this->dispatcher, name,
291 reg ? cb : NULL, this);
292 }
293
294 /**
295 * (Un-)register dispatcher functions
296 */
297 static void manage_commands(private_vici_cred_t *this, bool reg)
298 {
299 manage_command(this, "clear-creds", clear_creds, reg);
300 manage_command(this, "load-cert", load_cert, reg);
301 manage_command(this, "load-key", load_key, reg);
302 manage_command(this, "load-shared", load_shared, reg);
303 }
304
305 METHOD(vici_cred_t, add_cert, certificate_t*,
306 private_vici_cred_t *this, certificate_t *cert)
307 {
308 return this->creds->get_cert_ref(this->creds, cert);
309 }
310
311 METHOD(vici_cred_t, destroy, void,
312 private_vici_cred_t *this)
313 {
314 manage_commands(this, FALSE);
315
316 lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
317 this->creds->destroy(this->creds);
318 free(this);
319 }
320
321 /**
322 * See header
323 */
324 vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
325 {
326 private_vici_cred_t *this;
327
328 INIT(this,
329 .public = {
330 .add_cert = _add_cert,
331 .destroy = _destroy,
332 },
333 .dispatcher = dispatcher,
334 .creds = mem_cred_create(),
335 );
336
337 lib->credmgr->add_set(lib->credmgr, &this->creds->set);
338
339 manage_commands(this, TRUE);
340
341 return &this->public;
342 }