Refactored certificate management for the vici and stroke interfaces
[strongswan.git] / src / libcharon / plugins / vici / vici_cred.c
index 95446e5..fa3158f 100644 (file)
@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -15,6 +18,7 @@
 
 #include "vici_cred.h"
 #include "vici_builder.h"
+#include "vici_cert_info.h"
 
 #include <credentials/sets/mem_cred.h>
 #include <credentials/certificates/ac.h>
@@ -66,11 +70,12 @@ static vici_message_t* create_reply(char *fmt, ...)
 CALLBACK(load_cert, vici_message_t*,
        private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
 {
-       certificate_type_t type;
-       x509_flag_t required_flags = 0, additional_flags = 0;
        certificate_t *cert;
+       certificate_type_t type;
+       x509_flag_t ext_flag, flag = X509_NONE;
        x509_t *x509;
        chunk_t data;
+       bool trusted = TRUE;
        char *str;
 
        str = message->get_str(message, NULL, "type");
@@ -78,73 +83,208 @@ CALLBACK(load_cert, vici_message_t*,
        {
                return create_reply("certificate type missing");
        }
-       if (strcaseeq(str, "x509"))
-       {
-               type = CERT_X509;
-       }
-       else if (strcaseeq(str, "x509ca"))
-       {
-               type = CERT_X509;
-               required_flags = X509_CA;
-       }
-       else if (strcaseeq(str, "x509aa"))
+       if (enum_from_name(certificate_type_names, str, &type))
        {
-               type = CERT_X509;
-               additional_flags = X509_AA;
-       }
-       else if (strcaseeq(str, "x509crl"))
-       {
-               type = CERT_X509_CRL;
-       }
-       else if (strcaseeq(str, "x509ac"))
-       {
-               type = CERT_X509_AC;
+               if (type == CERT_X509)
+               {
+                       str = message->get_str(message, "NONE", "flag");
+                       if (!enum_from_name(x509_flag_names, str, &flag))
+                       {
+                               return create_reply("invalid certificate flag '%s'", str);
+                       }
+               }
        }
-       else
+       else if (!vici_cert_info_from_str(str, &type, &flag))
        {
-               return create_reply("invalid certificate type: %s", str);
+               return create_reply("invalid certificate type '%s'", str);
        }
+
        data = message->get_value(message, chunk_empty, "data");
        if (!data.len)
        {
                return create_reply("certificate data missing");
        }
+
+       /* do not set CA flag externally */
+       ext_flag = (flag & X509_CA) ? X509_NONE : flag;
+
        cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
                                                          BUILD_BLOB_PEM, data,
-                                                         BUILD_X509_FLAG, additional_flags,
+                                                         BUILD_X509_FLAG, ext_flag,
                                                          BUILD_END);
        if (!cert)
        {
                return create_reply("parsing %N certificate failed",
                                                        certificate_type_names, type);
        }
-       if (cert->get_type(cert) == CERT_X509)
+       DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
+
+       /* check if CA certificate has CA basic constraint set */
+       if (flag & X509_CA)
        {
+               char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
                x509 = (x509_t*)cert;
 
-               if ((required_flags & x509->get_flags(x509)) != required_flags)
+               if (!(x509->get_flags(x509) & X509_CA))
                {
                        cert->destroy(cert);
-                       return create_reply("certificate misses required flag, rejected");
+                       DBG1(DBG_CFG, "  %s", err_msg);
+                       return create_reply(err_msg);
                }
        }
+       if (type == CERT_X509_CRL)
+       {
+               this->creds->add_crl(this->creds, (crl_t*)cert);
+       }
+       else
+       {
+               this->creds->add_cert(this->creds, trusted, cert);
+       }
+       return create_reply(NULL);
+}
 
-       DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
+CALLBACK(load_key, vici_message_t*,
+       private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+       key_type_t type;
+       private_key_t *key;
+       chunk_t data;
+       char *str;
+
+       str = message->get_str(message, NULL, "type");
+       if (!str)
+       {
+               return create_reply("key type missing");
+       }
+       if (strcaseeq(str, "any"))
+       {
+               type = KEY_ANY;
+       }
+       else if (strcaseeq(str, "rsa"))
+       {
+               type = KEY_RSA;
+       }
+       else if (strcaseeq(str, "ecdsa"))
+       {
+               type = KEY_ECDSA;
+       }
+       else if (strcaseeq(str, "bliss"))
+       {
+               type = KEY_BLISS;
+       }
+       else
+       {
+               return create_reply("invalid key type: %s", str);
+       }
+       data = message->get_value(message, chunk_empty, "data");
+       if (!data.len)
+       {
+               return create_reply("key data missing");
+       }
+       key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+                                                        BUILD_BLOB_PEM, data, BUILD_END);
+       if (!key)
+       {
+               return create_reply("parsing %N private key failed",
+                                                       key_type_names, type);
+       }
 
-       this->creds->add_cert(this->creds, TRUE, cert);
+       DBG1(DBG_CFG, "loaded %N private key", key_type_names, type);
+
+       this->creds->add_key(this->creds, key);
 
        return create_reply(NULL);
 }
 
-CALLBACK(clear_creds, vici_message_t*,
+CALLBACK(shared_owners, bool,
+       linked_list_t *owners, vici_message_t *message, char *name, chunk_t value)
+{
+       if (streq(name, "owners"))
+       {
+               char buf[256];
+
+               if (!vici_stringify(value, buf, sizeof(buf)))
+               {
+                       return FALSE;
+               }
+               owners->insert_last(owners, identification_create_from_string(buf));
+       }
+       return TRUE;
+}
+
+CALLBACK(load_shared, vici_message_t*,
        private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
 {
-       vici_builder_t *builder;
+       shared_key_type_t type;
+       linked_list_t *owners;
+       chunk_t data;
+       char *str, buf[512] = "";
+       enumerator_t *enumerator;
+       identification_t *owner;
+       int len;
+
+       str = message->get_str(message, NULL, "type");
+       if (!str)
+       {
+               return create_reply("shared key type missing");
+       }
+       if (strcaseeq(str, "ike"))
+       {
+               type = SHARED_IKE;
+       }
+       else if (strcaseeq(str, "eap") || streq(str, "xauth"))
+       {
+               type = SHARED_EAP;
+       }
+       else
+       {
+               return create_reply("invalid shared key type: %s", str);
+       }
+       data = message->get_value(message, chunk_empty, "data");
+       if (!data.len)
+       {
+               return create_reply("shared key data missing");
+       }
+
+       owners = linked_list_create();
+       if (!message->parse(message, NULL, NULL, NULL, shared_owners, owners))
+       {
+               owners->destroy_offset(owners, offsetof(identification_t, destroy));
+               return create_reply("parsing shared key owners failed");
+       }
+       if (owners->get_count(owners) == 0)
+       {
+               owners->insert_last(owners, identification_create_from_string("%any"));
+       }
+
+       enumerator = owners->create_enumerator(owners);
+       while (enumerator->enumerate(enumerator, &owner))
+       {
+               len = strlen(buf);
+               if (len < sizeof(buf))
+               {
+                       snprintf(buf + len, sizeof(buf) - len, "%s'%Y'",
+                                        len ? ", " : "", owner);
+               }
+       }
+       enumerator->destroy(enumerator);
+
+       DBG1(DBG_CFG, "loaded %N shared key for: %s",
+                shared_key_type_names, type, buf);
 
+       this->creds->add_shared_list(this->creds,
+                                               shared_key_create(type, chunk_clone(data)), owners);
+
+       return create_reply(NULL);
+}
+
+CALLBACK(clear_creds, vici_message_t*,
+       private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
        this->creds->clear(this->creds);
+       lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
 
-       builder = vici_builder_create();
-       return builder->finalize(builder);
+       return create_reply(NULL);
 }
 
 static void manage_command(private_vici_cred_t *this,
@@ -161,6 +301,14 @@ static void manage_commands(private_vici_cred_t *this, bool reg)
 {
        manage_command(this, "clear-creds", clear_creds, reg);
        manage_command(this, "load-cert", load_cert, reg);
+       manage_command(this, "load-key", load_key, reg);
+       manage_command(this, "load-shared", load_shared, reg);
+}
+
+METHOD(vici_cred_t, add_cert, certificate_t*,
+       private_vici_cred_t *this, certificate_t *cert)
+{
+       return this->creds->get_cert_ref(this->creds, cert);
 }
 
 METHOD(vici_cred_t, destroy, void,
@@ -182,6 +330,7 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
 
        INIT(this,
                .public = {
+                       .add_cert = _add_cert,
                        .destroy = _destroy,
                },
                .dispatcher = dispatcher,