Refactored certificate management for the vici and stroke interfaces
[strongswan.git] / src / libcharon / plugins / vici / vici_cred.c
1 /*
2 * Copyright (C) 2014 Martin Willi
3 * Copyright (C) 2014 revosec AG
4 *
5 * Copyright (C) 2015 Andreas Steffen
6 * HSR Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "vici_cred.h"
20 #include "vici_builder.h"
21 #include "vici_cert_info.h"
22
23 #include <credentials/sets/mem_cred.h>
24 #include <credentials/certificates/ac.h>
25 #include <credentials/certificates/crl.h>
26 #include <credentials/certificates/x509.h>
27
28 typedef struct private_vici_cred_t private_vici_cred_t;
29
30 /**
31 * Private data of an vici_cred_t object.
32 */
33 struct private_vici_cred_t {
34
35 /**
36 * Public vici_cred_t interface.
37 */
38 vici_cred_t public;
39
40 /**
41 * Dispatcher
42 */
43 vici_dispatcher_t *dispatcher;
44
45 /**
46 * credentials
47 */
48 mem_cred_t *creds;
49 };
50
51 /**
52 * Create a (error) reply message
53 */
54 static vici_message_t* create_reply(char *fmt, ...)
55 {
56 vici_builder_t *builder;
57 va_list args;
58
59 builder = vici_builder_create();
60 builder->add_kv(builder, "success", fmt ? "no" : "yes");
61 if (fmt)
62 {
63 va_start(args, fmt);
64 builder->vadd_kv(builder, "errmsg", fmt, args);
65 va_end(args);
66 }
67 return builder->finalize(builder);
68 }
69
70 CALLBACK(load_cert, vici_message_t*,
71 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
72 {
73 certificate_t *cert;
74 certificate_type_t type;
75 x509_flag_t ext_flag, flag = X509_NONE;
76 x509_t *x509;
77 chunk_t data;
78 bool trusted = TRUE;
79 char *str;
80
81 str = message->get_str(message, NULL, "type");
82 if (!str)
83 {
84 return create_reply("certificate type missing");
85 }
86 if (enum_from_name(certificate_type_names, str, &type))
87 {
88 if (type == CERT_X509)
89 {
90 str = message->get_str(message, "NONE", "flag");
91 if (!enum_from_name(x509_flag_names, str, &flag))
92 {
93 return create_reply("invalid certificate flag '%s'", str);
94 }
95 }
96 }
97 else if (!vici_cert_info_from_str(str, &type, &flag))
98 {
99 return create_reply("invalid certificate type '%s'", str);
100 }
101
102 data = message->get_value(message, chunk_empty, "data");
103 if (!data.len)
104 {
105 return create_reply("certificate data missing");
106 }
107
108 /* do not set CA flag externally */
109 ext_flag = (flag & X509_CA) ? X509_NONE : flag;
110
111 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
112 BUILD_BLOB_PEM, data,
113 BUILD_X509_FLAG, ext_flag,
114 BUILD_END);
115 if (!cert)
116 {
117 return create_reply("parsing %N certificate failed",
118 certificate_type_names, type);
119 }
120 DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
121
122 /* check if CA certificate has CA basic constraint set */
123 if (flag & X509_CA)
124 {
125 char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
126 x509 = (x509_t*)cert;
127
128 if (!(x509->get_flags(x509) & X509_CA))
129 {
130 cert->destroy(cert);
131 DBG1(DBG_CFG, " %s", err_msg);
132 return create_reply(err_msg);
133 }
134 }
135 if (type == CERT_X509_CRL)
136 {
137 this->creds->add_crl(this->creds, (crl_t*)cert);
138 }
139 else
140 {
141 this->creds->add_cert(this->creds, trusted, cert);
142 }
143 return create_reply(NULL);
144 }
145
146 CALLBACK(load_key, vici_message_t*,
147 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
148 {
149 key_type_t type;
150 private_key_t *key;
151 chunk_t data;
152 char *str;
153
154 str = message->get_str(message, NULL, "type");
155 if (!str)
156 {
157 return create_reply("key type missing");
158 }
159 if (strcaseeq(str, "any"))
160 {
161 type = KEY_ANY;
162 }
163 else if (strcaseeq(str, "rsa"))
164 {
165 type = KEY_RSA;
166 }
167 else if (strcaseeq(str, "ecdsa"))
168 {
169 type = KEY_ECDSA;
170 }
171 else if (strcaseeq(str, "bliss"))
172 {
173 type = KEY_BLISS;
174 }
175 else
176 {
177 return create_reply("invalid key type: %s", str);
178 }
179 data = message->get_value(message, chunk_empty, "data");
180 if (!data.len)
181 {
182 return create_reply("key data missing");
183 }
184 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
185 BUILD_BLOB_PEM, data, BUILD_END);
186 if (!key)
187 {
188 return create_reply("parsing %N private key failed",
189 key_type_names, type);
190 }
191
192 DBG1(DBG_CFG, "loaded %N private key", key_type_names, type);
193
194 this->creds->add_key(this->creds, key);
195
196 return create_reply(NULL);
197 }
198
199 CALLBACK(shared_owners, bool,
200 linked_list_t *owners, vici_message_t *message, char *name, chunk_t value)
201 {
202 if (streq(name, "owners"))
203 {
204 char buf[256];
205
206 if (!vici_stringify(value, buf, sizeof(buf)))
207 {
208 return FALSE;
209 }
210 owners->insert_last(owners, identification_create_from_string(buf));
211 }
212 return TRUE;
213 }
214
215 CALLBACK(load_shared, vici_message_t*,
216 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
217 {
218 shared_key_type_t type;
219 linked_list_t *owners;
220 chunk_t data;
221 char *str, buf[512] = "";
222 enumerator_t *enumerator;
223 identification_t *owner;
224 int len;
225
226 str = message->get_str(message, NULL, "type");
227 if (!str)
228 {
229 return create_reply("shared key type missing");
230 }
231 if (strcaseeq(str, "ike"))
232 {
233 type = SHARED_IKE;
234 }
235 else if (strcaseeq(str, "eap") || streq(str, "xauth"))
236 {
237 type = SHARED_EAP;
238 }
239 else
240 {
241 return create_reply("invalid shared key type: %s", str);
242 }
243 data = message->get_value(message, chunk_empty, "data");
244 if (!data.len)
245 {
246 return create_reply("shared key data missing");
247 }
248
249 owners = linked_list_create();
250 if (!message->parse(message, NULL, NULL, NULL, shared_owners, owners))
251 {
252 owners->destroy_offset(owners, offsetof(identification_t, destroy));
253 return create_reply("parsing shared key owners failed");
254 }
255 if (owners->get_count(owners) == 0)
256 {
257 owners->insert_last(owners, identification_create_from_string("%any"));
258 }
259
260 enumerator = owners->create_enumerator(owners);
261 while (enumerator->enumerate(enumerator, &owner))
262 {
263 len = strlen(buf);
264 if (len < sizeof(buf))
265 {
266 snprintf(buf + len, sizeof(buf) - len, "%s'%Y'",
267 len ? ", " : "", owner);
268 }
269 }
270 enumerator->destroy(enumerator);
271
272 DBG1(DBG_CFG, "loaded %N shared key for: %s",
273 shared_key_type_names, type, buf);
274
275 this->creds->add_shared_list(this->creds,
276 shared_key_create(type, chunk_clone(data)), owners);
277
278 return create_reply(NULL);
279 }
280
281 CALLBACK(clear_creds, vici_message_t*,
282 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
283 {
284 this->creds->clear(this->creds);
285 lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
286
287 return create_reply(NULL);
288 }
289
290 static void manage_command(private_vici_cred_t *this,
291 char *name, vici_command_cb_t cb, bool reg)
292 {
293 this->dispatcher->manage_command(this->dispatcher, name,
294 reg ? cb : NULL, this);
295 }
296
297 /**
298 * (Un-)register dispatcher functions
299 */
300 static void manage_commands(private_vici_cred_t *this, bool reg)
301 {
302 manage_command(this, "clear-creds", clear_creds, reg);
303 manage_command(this, "load-cert", load_cert, reg);
304 manage_command(this, "load-key", load_key, reg);
305 manage_command(this, "load-shared", load_shared, reg);
306 }
307
308 METHOD(vici_cred_t, add_cert, certificate_t*,
309 private_vici_cred_t *this, certificate_t *cert)
310 {
311 return this->creds->get_cert_ref(this->creds, cert);
312 }
313
314 METHOD(vici_cred_t, destroy, void,
315 private_vici_cred_t *this)
316 {
317 manage_commands(this, FALSE);
318
319 lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
320 this->creds->destroy(this->creds);
321 free(this);
322 }
323
324 /**
325 * See header
326 */
327 vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
328 {
329 private_vici_cred_t *this;
330
331 INIT(this,
332 .public = {
333 .add_cert = _add_cert,
334 .destroy = _destroy,
335 },
336 .dispatcher = dispatcher,
337 .creds = mem_cred_create(),
338 );
339
340 lib->credmgr->add_set(lib->credmgr, &this->creds->set);
341
342 manage_commands(this, TRUE);
343
344 return &this->public;
345 }