e2aa5a9b2c12846bd6ea277e16f023014a8c6ae9
[strongswan.git] / src / libcharon / plugins / vici / vici_cred.c
1 /*
2 * Copyright (C) 2014 Martin Willi
3 * Copyright (C) 2014 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "vici_cred.h"
17 #include "vici_builder.h"
18 #include "vici_cert_info.h"
19
20 #include <credentials/sets/mem_cred.h>
21 #include <credentials/certificates/ac.h>
22 #include <credentials/certificates/crl.h>
23 #include <credentials/certificates/x509.h>
24
25 typedef struct private_vici_cred_t private_vici_cred_t;
26
27 /**
28 * Private data of an vici_cred_t object.
29 */
30 struct private_vici_cred_t {
31
32 /**
33 * Public vici_cred_t interface.
34 */
35 vici_cred_t public;
36
37 /**
38 * Dispatcher
39 */
40 vici_dispatcher_t *dispatcher;
41
42 /**
43 * credentials
44 */
45 mem_cred_t *creds;
46 };
47
48 /**
49 * Create a (error) reply message
50 */
51 static vici_message_t* create_reply(char *fmt, ...)
52 {
53 vici_builder_t *builder;
54 va_list args;
55
56 builder = vici_builder_create();
57 builder->add_kv(builder, "success", fmt ? "no" : "yes");
58 if (fmt)
59 {
60 va_start(args, fmt);
61 builder->vadd_kv(builder, "errmsg", fmt, args);
62 va_end(args);
63 }
64 return builder->finalize(builder);
65 }
66
67 CALLBACK(load_cert, vici_message_t*,
68 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
69 {
70 vici_cert_info_t *cert_info;
71 certificate_t *cert;
72 x509_flag_t flag;
73 x509_t *x509;
74 chunk_t data;
75 bool trusted = TRUE;
76 char *str;
77
78 str = message->get_str(message, NULL, "type");
79 if (!str)
80 {
81 return create_reply("certificate type missing");
82 }
83
84 cert_info = vici_cert_info_retrieve(str);
85 if (!cert_info)
86 {
87 return create_reply("invalid certificate type '%s'", str);
88 }
89
90 data = message->get_value(message, chunk_empty, "data");
91 if (!data.len)
92 {
93 return create_reply("certificate data missing");
94 }
95
96 /* do not set CA flag externally */
97 flag = (cert_info->flag & X509_CA) ? X509_NONE : cert_info->flag;
98
99 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, cert_info->type,
100 BUILD_BLOB_PEM, data,
101 BUILD_X509_FLAG, flag,
102 BUILD_END);
103 if (!cert)
104 {
105 return create_reply("parsing %N certificate failed",
106 certificate_type_names, cert_info->type);
107 }
108 DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
109
110 /* check if CA certificate has CA basic constraint set */
111 if (cert_info->flag & X509_CA)
112 {
113 char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
114 x509 = (x509_t*)cert;
115
116 if (!(x509->get_flags(x509) & X509_CA))
117 {
118 cert->destroy(cert);
119 DBG1(DBG_CFG, " %s", err_msg);
120 return create_reply(err_msg);
121 }
122 }
123 if (cert_info->type == CERT_X509_CRL)
124 {
125 this->creds->add_crl(this->creds, (crl_t*)cert);
126 }
127 else
128 {
129 this->creds->add_cert(this->creds, trusted, cert);
130 }
131 return create_reply(NULL);
132 }
133
134 CALLBACK(load_key, vici_message_t*,
135 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
136 {
137 key_type_t type;
138 private_key_t *key;
139 chunk_t data;
140 char *str;
141
142 str = message->get_str(message, NULL, "type");
143 if (!str)
144 {
145 return create_reply("key type missing");
146 }
147 if (strcaseeq(str, "any"))
148 {
149 type = KEY_ANY;
150 }
151 else if (strcaseeq(str, "rsa"))
152 {
153 type = KEY_RSA;
154 }
155 else if (strcaseeq(str, "ecdsa"))
156 {
157 type = KEY_ECDSA;
158 }
159 else if (strcaseeq(str, "bliss"))
160 {
161 type = KEY_BLISS;
162 }
163 else
164 {
165 return create_reply("invalid key type: %s", str);
166 }
167 data = message->get_value(message, chunk_empty, "data");
168 if (!data.len)
169 {
170 return create_reply("key data missing");
171 }
172 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
173 BUILD_BLOB_PEM, data, BUILD_END);
174 if (!key)
175 {
176 return create_reply("parsing %N private key failed",
177 key_type_names, type);
178 }
179
180 DBG1(DBG_CFG, "loaded %N private key", key_type_names, type);
181
182 this->creds->add_key(this->creds, key);
183
184 return create_reply(NULL);
185 }
186
187 CALLBACK(shared_owners, bool,
188 linked_list_t *owners, vici_message_t *message, char *name, chunk_t value)
189 {
190 if (streq(name, "owners"))
191 {
192 char buf[256];
193
194 if (!vici_stringify(value, buf, sizeof(buf)))
195 {
196 return FALSE;
197 }
198 owners->insert_last(owners, identification_create_from_string(buf));
199 }
200 return TRUE;
201 }
202
203 CALLBACK(load_shared, vici_message_t*,
204 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
205 {
206 shared_key_type_t type;
207 linked_list_t *owners;
208 chunk_t data;
209 char *str, buf[512] = "";
210 enumerator_t *enumerator;
211 identification_t *owner;
212 int len;
213
214 str = message->get_str(message, NULL, "type");
215 if (!str)
216 {
217 return create_reply("shared key type missing");
218 }
219 if (strcaseeq(str, "ike"))
220 {
221 type = SHARED_IKE;
222 }
223 else if (strcaseeq(str, "eap") || streq(str, "xauth"))
224 {
225 type = SHARED_EAP;
226 }
227 else
228 {
229 return create_reply("invalid shared key type: %s", str);
230 }
231 data = message->get_value(message, chunk_empty, "data");
232 if (!data.len)
233 {
234 return create_reply("shared key data missing");
235 }
236
237 owners = linked_list_create();
238 if (!message->parse(message, NULL, NULL, NULL, shared_owners, owners))
239 {
240 owners->destroy_offset(owners, offsetof(identification_t, destroy));
241 return create_reply("parsing shared key owners failed");
242 }
243 if (owners->get_count(owners) == 0)
244 {
245 owners->insert_last(owners, identification_create_from_string("%any"));
246 }
247
248 enumerator = owners->create_enumerator(owners);
249 while (enumerator->enumerate(enumerator, &owner))
250 {
251 len = strlen(buf);
252 if (len < sizeof(buf))
253 {
254 snprintf(buf + len, sizeof(buf) - len, "%s'%Y'",
255 len ? ", " : "", owner);
256 }
257 }
258 enumerator->destroy(enumerator);
259
260 DBG1(DBG_CFG, "loaded %N shared key for: %s",
261 shared_key_type_names, type, buf);
262
263 this->creds->add_shared_list(this->creds,
264 shared_key_create(type, chunk_clone(data)), owners);
265
266 return create_reply(NULL);
267 }
268
269 CALLBACK(clear_creds, vici_message_t*,
270 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
271 {
272 this->creds->clear(this->creds);
273 lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
274
275 return create_reply(NULL);
276 }
277
278 static void manage_command(private_vici_cred_t *this,
279 char *name, vici_command_cb_t cb, bool reg)
280 {
281 this->dispatcher->manage_command(this->dispatcher, name,
282 reg ? cb : NULL, this);
283 }
284
285 /**
286 * (Un-)register dispatcher functions
287 */
288 static void manage_commands(private_vici_cred_t *this, bool reg)
289 {
290 manage_command(this, "clear-creds", clear_creds, reg);
291 manage_command(this, "load-cert", load_cert, reg);
292 manage_command(this, "load-key", load_key, reg);
293 manage_command(this, "load-shared", load_shared, reg);
294 }
295
296 METHOD(vici_cred_t, add_cert, certificate_t*,
297 private_vici_cred_t *this, certificate_t *cert)
298 {
299 return this->creds->get_cert_ref(this->creds, cert);
300 }
301
302 METHOD(vici_cred_t, destroy, void,
303 private_vici_cred_t *this)
304 {
305 manage_commands(this, FALSE);
306
307 lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
308 this->creds->destroy(this->creds);
309 free(this);
310 }
311
312 /**
313 * See header
314 */
315 vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
316 {
317 private_vici_cred_t *this;
318
319 INIT(this,
320 .public = {
321 .add_cert = _add_cert,
322 .destroy = _destroy,
323 },
324 .dispatcher = dispatcher,
325 .creds = mem_cred_create(),
326 );
327
328 lib->credmgr->add_set(lib->credmgr, &this->creds->set);
329
330 manage_commands(this, TRUE);
331
332 return &this->public;
333 }