Merge branch 'cache-crls'
[strongswan.git] / src / libcharon / plugins / vici / vici_cred.c
1 /*
2 * Copyright (C) 2014 Martin Willi
3 * Copyright (C) 2014 revosec AG
4 *
5 * Copyright (C) 2015-2016 Andreas Steffen
6 * HSR Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "vici_cred.h"
20 #include "vici_builder.h"
21 #include "vici_cert_info.h"
22
23 #include <credentials/sets/mem_cred.h>
24 #include <credentials/certificates/ac.h>
25 #include <credentials/certificates/crl.h>
26 #include <credentials/certificates/x509.h>
27
28 #include <errno.h>
29
30 typedef struct private_vici_cred_t private_vici_cred_t;
31
32 /**
33 * Directory for saved X.509 CRLs
34 */
35 #define CRL_DIR SWANCTLDIR "/x509crl"
36
37 /**
38 * Private data of an vici_cred_t object.
39 */
40 struct private_vici_cred_t {
41
42 /**
43 * Public vici_cred_t interface.
44 */
45 vici_cred_t public;
46
47 /**
48 * Dispatcher
49 */
50 vici_dispatcher_t *dispatcher;
51
52 /**
53 * credentials
54 */
55 mem_cred_t *creds;
56
57 /**
58 * cache CRLs to disk?
59 */
60 bool cachecrl;
61
62 };
63
64 METHOD(credential_set_t, cache_cert, void,
65 private_vici_cred_t *this, certificate_t *cert)
66 {
67 if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
68 {
69 /* CRLs get written to /etc/swanctl/x509crl/<authkeyId>.crl */
70 crl_t *crl = (crl_t*)cert;
71
72 cert->get_ref(cert);
73 if (this->creds->add_crl(this->creds, crl))
74 {
75 char buf[BUF_LEN];
76 chunk_t chunk, hex;
77 bool is_delta_crl;
78
79 is_delta_crl = crl->is_delta_crl(crl, NULL);
80 chunk = crl->get_authKeyIdentifier(crl);
81 hex = chunk_to_hex(chunk, NULL, FALSE);
82 snprintf(buf, sizeof(buf), "%s/%s%s.crl", CRL_DIR, hex.ptr,
83 is_delta_crl ? "_delta" : "");
84 free(hex.ptr);
85
86 if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
87 {
88 if (chunk_write(chunk, buf, 022, TRUE))
89 {
90 DBG1(DBG_CFG, " written crl file '%s' (%d bytes)",
91 buf, chunk.len);
92 }
93 else
94 {
95 DBG1(DBG_CFG, " writing crl file '%s' failed: %s",
96 buf, strerror(errno));
97 }
98 free(chunk.ptr);
99 }
100 }
101 }
102 }
103
104 /**
105 * Create a (error) reply message
106 */
107 static vici_message_t* create_reply(char *fmt, ...)
108 {
109 vici_builder_t *builder;
110 va_list args;
111
112 builder = vici_builder_create();
113 builder->add_kv(builder, "success", fmt ? "no" : "yes");
114 if (fmt)
115 {
116 va_start(args, fmt);
117 builder->vadd_kv(builder, "errmsg", fmt, args);
118 va_end(args);
119 }
120 return builder->finalize(builder);
121 }
122
123 CALLBACK(load_cert, vici_message_t*,
124 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
125 {
126 certificate_t *cert;
127 certificate_type_t type;
128 x509_flag_t ext_flag, flag = X509_NONE;
129 x509_t *x509;
130 chunk_t data;
131 bool trusted = TRUE;
132 char *str;
133
134 str = message->get_str(message, NULL, "type");
135 if (!str)
136 {
137 return create_reply("certificate type missing");
138 }
139 if (enum_from_name(certificate_type_names, str, &type))
140 {
141 if (type == CERT_X509)
142 {
143 str = message->get_str(message, "NONE", "flag");
144 if (!enum_from_name(x509_flag_names, str, &flag))
145 {
146 return create_reply("invalid certificate flag '%s'", str);
147 }
148 }
149 }
150 else if (!vici_cert_info_from_str(str, &type, &flag))
151 {
152 return create_reply("invalid certificate type '%s'", str);
153 }
154
155 data = message->get_value(message, chunk_empty, "data");
156 if (!data.len)
157 {
158 return create_reply("certificate data missing");
159 }
160
161 /* do not set CA flag externally */
162 ext_flag = (flag & X509_CA) ? X509_NONE : flag;
163
164 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
165 BUILD_BLOB_PEM, data,
166 BUILD_X509_FLAG, ext_flag,
167 BUILD_END);
168 if (!cert)
169 {
170 return create_reply("parsing %N certificate failed",
171 certificate_type_names, type);
172 }
173 DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
174
175 /* check if CA certificate has CA basic constraint set */
176 if (flag & X509_CA)
177 {
178 char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
179 x509 = (x509_t*)cert;
180
181 if (!(x509->get_flags(x509) & X509_CA))
182 {
183 cert->destroy(cert);
184 DBG1(DBG_CFG, " %s", err_msg);
185 return create_reply(err_msg);
186 }
187 }
188 if (type == CERT_X509_CRL)
189 {
190 this->creds->add_crl(this->creds, (crl_t*)cert);
191 }
192 else
193 {
194 this->creds->add_cert(this->creds, trusted, cert);
195 }
196 return create_reply(NULL);
197 }
198
199 CALLBACK(load_key, vici_message_t*,
200 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
201 {
202 key_type_t type;
203 private_key_t *key;
204 chunk_t data;
205 char *str;
206
207 str = message->get_str(message, NULL, "type");
208 if (!str)
209 {
210 return create_reply("key type missing");
211 }
212 if (strcaseeq(str, "any"))
213 {
214 type = KEY_ANY;
215 }
216 else if (strcaseeq(str, "rsa"))
217 {
218 type = KEY_RSA;
219 }
220 else if (strcaseeq(str, "ecdsa"))
221 {
222 type = KEY_ECDSA;
223 }
224 else if (strcaseeq(str, "bliss"))
225 {
226 type = KEY_BLISS;
227 }
228 else
229 {
230 return create_reply("invalid key type: %s", str);
231 }
232 data = message->get_value(message, chunk_empty, "data");
233 if (!data.len)
234 {
235 return create_reply("key data missing");
236 }
237 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
238 BUILD_BLOB_PEM, data, BUILD_END);
239 if (!key)
240 {
241 return create_reply("parsing %N private key failed",
242 key_type_names, type);
243 }
244
245 DBG1(DBG_CFG, "loaded %N private key", key_type_names, type);
246
247 this->creds->add_key(this->creds, key);
248
249 return create_reply(NULL);
250 }
251
252 CALLBACK(shared_owners, bool,
253 linked_list_t *owners, vici_message_t *message, char *name, chunk_t value)
254 {
255 if (streq(name, "owners"))
256 {
257 char buf[256];
258
259 if (!vici_stringify(value, buf, sizeof(buf)))
260 {
261 return FALSE;
262 }
263 owners->insert_last(owners, identification_create_from_string(buf));
264 }
265 return TRUE;
266 }
267
268 CALLBACK(load_shared, vici_message_t*,
269 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
270 {
271 shared_key_type_t type;
272 linked_list_t *owners;
273 chunk_t data;
274 char *str, buf[512] = "";
275 enumerator_t *enumerator;
276 identification_t *owner;
277 int len;
278
279 str = message->get_str(message, NULL, "type");
280 if (!str)
281 {
282 return create_reply("shared key type missing");
283 }
284 if (strcaseeq(str, "ike"))
285 {
286 type = SHARED_IKE;
287 }
288 else if (strcaseeq(str, "eap") || streq(str, "xauth"))
289 {
290 type = SHARED_EAP;
291 }
292 else
293 {
294 return create_reply("invalid shared key type: %s", str);
295 }
296 data = message->get_value(message, chunk_empty, "data");
297 if (!data.len)
298 {
299 return create_reply("shared key data missing");
300 }
301
302 owners = linked_list_create();
303 if (!message->parse(message, NULL, NULL, NULL, shared_owners, owners))
304 {
305 owners->destroy_offset(owners, offsetof(identification_t, destroy));
306 return create_reply("parsing shared key owners failed");
307 }
308 if (owners->get_count(owners) == 0)
309 {
310 owners->insert_last(owners, identification_create_from_string("%any"));
311 }
312
313 enumerator = owners->create_enumerator(owners);
314 while (enumerator->enumerate(enumerator, &owner))
315 {
316 len = strlen(buf);
317 if (len < sizeof(buf))
318 {
319 snprintf(buf + len, sizeof(buf) - len, "%s'%Y'",
320 len ? ", " : "", owner);
321 }
322 }
323 enumerator->destroy(enumerator);
324
325 DBG1(DBG_CFG, "loaded %N shared key for: %s",
326 shared_key_type_names, type, buf);
327
328 this->creds->add_shared_list(this->creds,
329 shared_key_create(type, chunk_clone(data)), owners);
330
331 return create_reply(NULL);
332 }
333
334 CALLBACK(clear_creds, vici_message_t*,
335 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
336 {
337 this->creds->clear(this->creds);
338 lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
339
340 return create_reply(NULL);
341 }
342
343 CALLBACK(flush_certs, vici_message_t*,
344 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
345 {
346 certificate_type_t type = CERT_ANY;
347 x509_flag_t flag = X509_NONE;
348 char *str;
349
350 str = message->get_str(message, NULL, "type");
351 if (str && !enum_from_name(certificate_type_names, str, &type) &&
352 !vici_cert_info_from_str(str, &type, &flag))
353 {
354 return create_reply("invalid certificate type '%s'", str);
355 }
356 lib->credmgr->flush_cache(lib->credmgr, type);
357
358 return create_reply(NULL);
359 }
360
361 static void manage_command(private_vici_cred_t *this,
362 char *name, vici_command_cb_t cb, bool reg)
363 {
364 this->dispatcher->manage_command(this->dispatcher, name,
365 reg ? cb : NULL, this);
366 }
367
368 /**
369 * (Un-)register dispatcher functions
370 */
371 static void manage_commands(private_vici_cred_t *this, bool reg)
372 {
373 manage_command(this, "clear-creds", clear_creds, reg);
374 manage_command(this, "flush-certs", flush_certs, reg);
375 manage_command(this, "load-cert", load_cert, reg);
376 manage_command(this, "load-key", load_key, reg);
377 manage_command(this, "load-shared", load_shared, reg);
378 }
379
380 METHOD(vici_cred_t, add_cert, certificate_t*,
381 private_vici_cred_t *this, certificate_t *cert)
382 {
383 return this->creds->add_cert_ref(this->creds, TRUE, cert);
384 }
385
386 METHOD(vici_cred_t, destroy, void,
387 private_vici_cred_t *this)
388 {
389 manage_commands(this, FALSE);
390
391 lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
392 this->creds->destroy(this->creds);
393 free(this);
394 }
395
396 /**
397 * See header
398 */
399 vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
400 {
401 private_vici_cred_t *this;
402
403 INIT(this,
404 .public = {
405 .set = {
406 .create_private_enumerator = (void*)return_null,
407 .create_cert_enumerator = (void*)return_null,
408 .create_shared_enumerator = (void*)return_null,
409 .create_cdp_enumerator = (void*)return_null,
410 .cache_cert = (void*)_cache_cert,
411 },
412 .add_cert = _add_cert,
413 .destroy = _destroy,
414 },
415 .dispatcher = dispatcher,
416 .creds = mem_cred_create(),
417 );
418
419 if (lib->settings->get_bool(lib->settings, "%s.cache_crls", FALSE, lib->ns))
420 {
421 this->cachecrl = TRUE;
422 DBG1(DBG_CFG, "crl caching to %s enabled", CRL_DIR);
423 }
424 lib->credmgr->add_set(lib->credmgr, &this->creds->set);
425
426 manage_commands(this, TRUE);
427
428 return &this->public;
429 }