make use of the pem helper plugin to load credentials
authorMartin Willi <martin@strongswan.org>
Wed, 12 Aug 2009 12:40:16 +0000 (14:40 +0200)
committerMartin Willi <martin@strongswan.org>
Wed, 26 Aug 2009 09:23:49 +0000 (11:23 +0200)
src/charon/plugins/nm/nm_service.c
src/charon/plugins/stroke/stroke_cred.c
src/libstrongswan/crypto/pkcs7.c
src/libstrongswan/crypto/pkcs7.h
src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
src/libstrongswan/plugins/pubkey/pubkey_public_key.c
src/libstrongswan/plugins/x509/x509_ac.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/plugins/x509/x509_crl.c
src/openac/openac.c

index 88a3cc9..95e4751 100644 (file)
@@ -18,7 +18,6 @@
 #include "nm_service.h"
 
 #include <daemon.h>
-#include <asn1/pem.h>
 #include <utils/host.h>
 #include <utils/identification.h>
 #include <config/peer_cfg.h>
@@ -366,20 +365,16 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
                        str = nm_setting_vpn_get_data_item(vpn, "userkey");
                        if (!agent && str)
                        {
-                               chunk_t secret, chunk;
-                               bool pgp = FALSE;
+                               chunk_t secret;
                                
                                secret.ptr = (char*)nm_setting_vpn_get_secret(vpn, "password");
                                if (secret.ptr)
                                {
                                        secret.len = strlen(secret.ptr);
                                }
-                               if (pem_asn1_load_file((char*)str, &secret, &chunk, &pgp))
-                               {
-                                       private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
-                                                               KEY_RSA, BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
-                                       free(chunk.ptr);
-                               }
+                               private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+                                                               KEY_RSA, BUILD_FROM_FILE, str,
+                                                               BUILD_PASSPHRASE, secret, BUILD_END);
                                if (!private)
                                {
                                        g_set_error(err, NM_VPN_PLUGIN_ERROR,
@@ -491,8 +486,6 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
 {
        NMSettingVPN *settings;
        const char *method, *path;
-       chunk_t secret = chunk_empty, key;
-       bool pgp = FALSE;
        
        settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
                                                                                                                NM_TYPE_SETTING_VPN));
@@ -518,14 +511,21 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
                        path = nm_setting_vpn_get_data_item(settings, "userkey");
                        if (path)
                        {
+                               private_key_t *key;
+                               chunk_t secret;
+                               
                                secret.ptr = (char*)nm_setting_vpn_get_secret(settings, "password");
                                if (secret.ptr)
                                {
                                        secret.len = strlen(secret.ptr);
                                }
-                               if (pem_asn1_load_file((char*)path, &secret, &key, &pgp))
+                               /* try to load/decrypt the private key */
+                               key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+                                                               KEY_RSA, BUILD_FROM_FILE, path,
+                                                               BUILD_PASSPHRASE, secret, BUILD_END);
+                               if (key)
                                {
-                                       free(key.ptr);
+                                       key->destroy(key);
                                        return FALSE;
                                }
                        }
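Review bot: `secret.len` is left indeterminate when no password is stored: the new `chunk_t secret;` in need_secrets replaces the old `chunk_t secret = chunk_empty, key;`, and the `if (secret.ptr)` guard only assigns `.len` when a password exists, yet the whole chunk is then handed to the builder as BUILD_PASSPHRASE. The same `chunk_t secret;` pattern is in connect_, where the chunk was already uninitialized before this change. Initialize both declarations with `chunk_t secret = chunk_empty;` so a missing password is passed as an empty chunk rather than garbage length. Both functions begin and end outside the hunks shown.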
index 31bcfe9..43046b1 100644 (file)
@@ -28,7 +28,6 @@
 #include <utils/linked_list.h>
 #include <utils/lexparser.h>
 #include <utils/mutex.h>
-#include <asn1/pem.h>
 #include <daemon.h>
 
 /* configuration directories and files */
@@ -391,9 +390,9 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
                
                if (!(x509->get_flags(x509) & X509_CA))
                {
+                       DBG1(DBG_CFG, "  ca certificate '%Y' misses ca basic constraint, "
+                                "discarded", cert->get_subject(cert));
                        cert->destroy(cert);
-                       DBG1(DBG_CFG, "  ca certificate must have ca basic constraint set, "
-                                "discarded");
                        return NULL;
                }
                return (certificate_t*)add_cert(this, cert);
@@ -500,8 +499,12 @@ static certificate_t* load_peer(private_stroke_cred_t *this, char *filename)
        if (cert)
        {
                cert = add_cert(this, cert);
+               DBG1(DBG_CFG, "  loaded certificate '%Y' from "
+                                "file '%s'", cert->get_subject(cert), filename);
                return cert->get_ref(cert);
        }
+       DBG1(DBG_CFG, "  loading certificate from file "
+                "'%s' failed", filename);
        return NULL;
 }
 
@@ -546,11 +549,22 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
                                                
                                                if (!(x509->get_flags(x509) & X509_CA))
                                                {
-                                                       DBG1(DBG_CFG, "  ca certificate must have ca "
-                                                                "basic constraint set, discarded");
+                                                       DBG1(DBG_CFG, "  ca certificate '%Y' misses "
+                                                                "ca basic constraint, discarded",
+                                                                cert->get_subject(cert));
                                                        cert->destroy(cert);
                                                        cert = NULL;
                                                }
+                                               else
+                                               {
+                                                       DBG1(DBG_CFG, "  loaded CA certificate '%Y' from "
+                                                                "file '%s'", cert->get_subject(cert), file);
+                                               }
+                                       }
+                                       else
+                                       {
+                                               DBG1(DBG_CFG, "  loading CA certificate from file "
+                                                        "'%s' failed", file);
                                        }
                                }
                                else
@@ -559,6 +573,16 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
                                                                                CRED_CERTIFICATE, CERT_X509,
                                                                                BUILD_FROM_FILE, file,
                                                                                BUILD_X509_FLAG, flag, BUILD_END);
+                                       if (cert)
+                                       {
+                                               DBG1(DBG_CFG, "  loaded certificate '%Y' from "
+                                                                "file '%s'", cert->get_subject(cert), file);
+                                       }
+                                       else
+                                       {
+                                               DBG1(DBG_CFG, "  loading certificate from file "
+                                                        "'%s' failed", file);
+                                       }
                                }
                                if (cert)
                                {
@@ -573,6 +597,11 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
                                if (cert)
                                {
                                        add_crl(this, (crl_t*)cert);
+                                       DBG1(DBG_CFG, "  loaded crl from file '%s'",  file);
+                               }
+                               else
+                               {
+                                       DBG1(DBG_CFG, "  loading crl from file '%s' failed", file);
                                }
                                break;
                        case CERT_X509_AC:
@@ -583,10 +612,17 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
                                if (cert)
                                {
                                        add_ac(this, (ac_t*)cert);
+                                       DBG1(DBG_CFG, "  loaded attribute certificate from "
+                                                "file '%s'", file);
+                               }
+                               else
+                               {
+                                       DBG1(DBG_CFG, "  loading attribute certificate from "
+                                                "file '%s' failed", file);
                                }
                                break;
                        default:
-                               break;  
+                               break;
                }
        }
        enumerator->destroy(enumerator);
@@ -838,8 +874,6 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
                        chunk_t filename;
                        chunk_t secret = chunk_empty;
                        private_key_t *key;
-                       bool pgp = FALSE;
-                       chunk_t chunk = chunk_empty;
                        key_type_t key_type = match("RSA", &token) ? KEY_RSA : KEY_ECDSA;
 
                        err_t ugh = extract_value(&filename, &line);
@@ -876,17 +910,14 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
                                        goto error;
                                }
                        }
-
-                       if (pem_asn1_load_file(path, &secret, &chunk, &pgp))
+                       key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
+                                                                        BUILD_FROM_FILE, path,
+                                                                        BUILD_PASSPHRASE, secret,BUILD_END);
+                       if (key)
                        {
-                               key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
-                                                                                BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
-                               free(chunk.ptr);
-                               if (key)
-                               {
-                                       DBG1(DBG_CFG, "  loaded private key file '%s'", path);
-                                       this->private->insert_last(this->private, key);
-                               }
+                               DBG1(DBG_CFG, "  loaded %N private key file '%s'",
+                                        key_type_names, key->get_type(key), path);
+                               this->private->insert_last(this->private, key);
                        }
                        chunk_clear(&secret);
                }
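Review bot: load_secrets no longer reports a private key that fails to load: the new `if (key)` branch logs success, but there is no else branch, so a missing, unparsable or wrongly-encrypted key file passes silently, whereas every certificate and CRL path in load_certdir gained a `... failed` log in this same commit. Add `else { DBG1(DBG_CFG, "  loading private key from file '%s' failed", path); }` after the `if (key)` block so operators can tell which secrets entry was dropped. As a point of style, `BUILD_PASSPHRASE, secret,BUILD_END);` is missing the space after the comma. load_secrets starts and ends outside the hunk.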
index 0039bab..7da1ca9 100644 (file)
@@ -1066,24 +1066,3 @@ pkcs7_t *pkcs7_create_from_data(chunk_t data)
        return &this->public;
 }
 
-/*
- * Described in header.
- */
-pkcs7_t *pkcs7_create_from_file(const char *filename, const char *label)
-{
-       bool pgp = FALSE;
-       chunk_t chunk = chunk_empty;
-       char cert_label[BUF_LEN];
-       pkcs7_t *pkcs7;
-
-       snprintf(cert_label, BUF_LEN, "%s pkcs7", label);
-
-       if (!pem_asn1_load_file(filename, NULL, cert_label, &chunk, &pgp))
-       {
-               return NULL;
-       }
-
-       pkcs7 = pkcs7_create_from_chunk(chunk, 0);
-       free(chunk.ptr);
-       return pkcs7;
-}
index ac4006e..49684f3 100644 (file)
@@ -166,13 +166,4 @@ pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level);
  */
 pkcs7_t *pkcs7_create_from_data(chunk_t data);
 
-/**
- * Read a X.509 certificate from a DER encoded file.
- * 
- * @param filename     file containing DER encoded data
- * @param label                label describing kind of PKCS#7 file
- * @return                     created pkcs7_t object, or NULL if invalid.
- */
-pkcs7_t *pkcs7_create_from_file(const char *filename, const char *label);
-
 #endif /** PKCS7_H_ @}*/
index 4d9c88c..d6426e4 100644 (file)
@@ -21,7 +21,6 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <asn1/pem.h>
 #include <crypto/hashers/hasher.h>
 
 typedef struct private_gcrypt_rsa_public_key_t private_gcrypt_rsa_public_key_t;
index c26187c..3c1b512 100644 (file)
@@ -26,7 +26,6 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <asn1/pem.h>
 #include <crypto/hashers/hasher.h>
 #include <pgp/pgp.h>
 
index afe200f..77b53ff 100644 (file)
@@ -18,7 +18,6 @@
 #include "pubkey_public_key.h"
 
 #include <debug.h>
-#include <asn1/pem.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
@@ -137,21 +136,6 @@ static void add(private_builder_t *this, builder_part_t part, ...)
                                va_end(args);
                                return;
                        }
-                       case BUILD_BLOB_PEM:
-                       {
-                               bool pgp;
-                               
-                               va_start(args, part);
-                               blob = va_arg(args, chunk_t);
-                               blob = chunk_clone(blob);
-                               if (pem_to_bin(&blob, chunk_empty, &pgp) == SUCCESS)
-                               {
-                                       this->key = pubkey_public_key_load(chunk_clone(blob));
-                               }
-                               free(blob.ptr);
-                               va_end(args);
-                               return;
-                       }
                        default:
                                break;
                }
index 638f96b..f8052ee 100644 (file)
@@ -26,7 +26,6 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <asn1/pem.h>
 #include <utils/identification.h>
 #include <utils/linked_list.h>
 #include <credentials/certificates/x509.h>
@@ -966,33 +965,8 @@ static private_x509_ac_t* create_from_chunk(chunk_t chunk)
                return NULL;
        }
        return this;
-}      
-
-/**
- * create X.509 crl from a file
- */
-static private_x509_ac_t* create_from_file(char *path)
-{
-       bool pgp = FALSE;
-       chunk_t chunk;
-       private_x509_ac_t *this;
-       
-       if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
-       {
-               return NULL;
-       }
-
-       this = create_from_chunk(chunk);
-
-       if (this == NULL)
-       {
-               DBG1("  could not parse loaded attribute certificate file '%s'", path);
-               return NULL;
-       }
-       DBG1("  loaded attribute certificate file '%s'", path);
-       return this;
 }
-       
+
 typedef struct private_builder_t private_builder_t;
 /**
  * Builder implementation for certificate loading
@@ -1042,13 +1016,6 @@ static void add(private_builder_t *this, builder_part_t part, ...)
        va_start(args, part);
        switch (part)
        {
-               case BUILD_FROM_FILE:
-                       if (this->ac)
-                       {
-                               destroy(this->ac);
-                       }
-                       this->ac = create_from_file(va_arg(args, char*));
-                       break;
                case BUILD_BLOB_ASN1_DER:
                        if (this->ac)
                        {
index 6fe1809..32627eb 100644 (file)
@@ -33,7 +33,6 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <asn1/pem.h>
 #include <crypto/hashers/hasher.h>
 #include <credentials/keys/private_key.h>
 #include <utils/linked_list.h>
@@ -1184,31 +1183,6 @@ static private_x509_cert_t *create_from_chunk(chunk_t chunk)
        return this;
 }
 
-/**
- * create an X.509 certificate from a file
- */
-static private_x509_cert_t *create_from_file(char *path)
-{
-       bool pgp = FALSE;
-       chunk_t chunk;
-       private_x509_cert_t *this;
-       
-       if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
-       {
-               return NULL;
-       }
-
-       this = create_from_chunk(chunk);
-
-       if (this == NULL)
-       {
-               DBG1("  could not parse loaded certificate file '%s'",path);
-               return NULL;
-       }
-       DBG1("  loaded certificate file '%s'",  path);
-       return this;
-}
-
 typedef struct private_builder_t private_builder_t;
 /**
  * Builder implementation for certificate loading
@@ -1362,9 +1336,6 @@ static void add(private_builder_t *this, builder_part_t part, ...)
        va_start(args, part);
        switch (part)
        {
-               case BUILD_FROM_FILE:
-                       this->cert = create_from_file(va_arg(args, char*));
-                       break;
                case BUILD_BLOB_ASN1_DER:
                        chunk = va_arg(args, chunk_t);
                        this->cert = create_from_chunk(chunk_clone(chunk));
index f502668..93203ba 100644 (file)
@@ -25,7 +25,6 @@ typedef struct revoked_t revoked_t;
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <asn1/pem.h>
 #include <credentials/certificates/x509.h>
 #include <utils/linked_list.h>
 
@@ -605,47 +604,6 @@ static private_x509_crl_t* create_empty(void)
        return this;
 }
 
-/**
- * create an X.509 crl from a chunk
- */
-static private_x509_crl_t* create_from_chunk(chunk_t chunk)
-{
-       private_x509_crl_t *this = create_empty();
-
-       this->encoding = chunk;
-       if (!parse(this))
-       {
-               destroy(this);
-               return NULL;
-       }
-       return this;
-}
-
-/**
- * create an X.509 crl from a file
- */
-static private_x509_crl_t* create_from_file(char *path)
-{
-       bool pgp = FALSE;
-       chunk_t chunk;
-       private_x509_crl_t *this;
-       
-       if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
-       {
-               return NULL;
-       }
-
-       this = create_from_chunk(chunk);
-
-       if (this == NULL)
-       {
-               DBG1("  could not parse loaded crl file '%s'",path);
-               return NULL;
-       }
-       DBG1("  loaded crl file '%s'",  path);
-       return this;
-}
-
 typedef struct private_builder_t private_builder_t;
 /**
  * Builder implementation for certificate loading
@@ -653,8 +611,8 @@ typedef struct private_builder_t private_builder_t;
 struct private_builder_t {
        /** implements the builder interface */
        builder_t public;
-       /** loaded CRL */
-       private_x509_crl_t *crl;
+       /** CRL chunk to build from */
+       chunk_t blob;
 };
 
 /**
@@ -662,8 +620,18 @@ struct private_builder_t {
  */
 static private_x509_crl_t *build(private_builder_t *this)
 {
-       private_x509_crl_t *crl = this->crl;
+       private_x509_crl_t *crl = NULL;
        
+       if (this->blob.len && this->blob.ptr)
+       {
+               crl = create_empty();
+               crl->encoding = chunk_clone(this->blob);
+               if (!parse(crl))
+               {
+                       destroy(crl);
+                       crl = NULL;
+               }
+       }
        free(this);
        return crl;
 }
@@ -673,35 +641,19 @@ static private_x509_crl_t *build(private_builder_t *this)
  */
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
-       if (!this->crl)
-       {
-               va_list args;
-               chunk_t chunk;
+       va_list args;
        
-               switch (part)
+       switch (part)
+       {
+               case BUILD_BLOB_ASN1_DER:
                {
-                       case BUILD_FROM_FILE:
-                       {
-                               va_start(args, part);
-                               this->crl = create_from_file(va_arg(args, char*));
-                               va_end(args);
-                               return;
-                       }
-                       case BUILD_BLOB_ASN1_DER:
-                       {
-                               va_start(args, part);
-                               chunk = va_arg(args, chunk_t);
-                               this->crl = create_from_chunk(chunk_clone(chunk));
-                               va_end(args);
-                               return;
-                       }
-                       default:
-                               break;
+                       va_start(args, part);
+                       this->blob = va_arg(args, chunk_t);
+                       va_end(args);
+                       return;
                }
-       }
-       if (this->crl)
-       {
-               destroy(this->crl);
+               default:
+                       break;
        }
        builder_cancel(&this->public);
 }
@@ -717,13 +669,13 @@ builder_t *x509_crl_builder(certificate_type_t type)
        {
                return NULL;
        }
-       
        this = malloc_thing(private_builder_t);
        
-       this->crl = NULL;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;
        
+       this->blob = chunk_empty;
+       
        return &this->public;
 }
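Review bot: The new `blob` field holds the caller's chunk by reference: `add` stores the va_arg value without copying, and only `build` clones it via `chunk_clone(this->blob)`, so the buffer passed with BUILD_BLOB_ASN1_DER must stay valid and unmodified until build() runs, but the field comment `/** CRL chunk to build from */` does not say so. Suggest `/** CRL chunk to build from; not owned, caller keeps it valid until build() */`. The `this->blob.len && this->blob.ptr` test also means a builder that never received a blob returns NULL from build(), which deserves a one-line comment above the check.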
 
index a8f75e0..49b376f 100755 (executable)
@@ -34,7 +34,6 @@
 #include <library.h>
 #include <debug.h>
 #include <asn1/asn1.h>
-#include <asn1/pem.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/ac.h>
 #include <credentials/keys/private_key.h>
@@ -174,32 +173,6 @@ static void write_serial(chunk_t serial)
 }
 
 /**
- * Load and parse a private key file
- */
-static private_key_t* private_key_create_from_file(char *path, chunk_t *secret)
-{
-       bool pgp = FALSE;
-       chunk_t chunk = chunk_empty;
-       private_key_t *key = NULL;
-
-       if (!pem_asn1_load_file(path, secret, &chunk, &pgp))
-       {
-               DBG1("  could not load private key file '%s'", path);
-               return NULL;
-       }
-       key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-                                                        BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
-       free(chunk.ptr);
-       if (key == NULL)
-       {
-               DBG1("  could not parse loaded private key file '%s'", path);
-               return NULL;
-       }
-       DBG1("  loaded private key file '%s'", path);
-       return key;
-}
-
-/**
  * global variables accessible by both main() and build.c
  */
 
@@ -492,12 +465,15 @@ int main(int argc, char **argv)
        /* load the signer's RSA private key */
        if (keyfile != NULL)
        {
-               signerKey = private_key_create_from_file(keyfile, &passphrase);
-
+               signerKey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+                                                                          BUILD_FROM_FILE, keyfile,
+                                                                          BUILD_PASSPHRASE, passphrase,
+                                                                          BUILD_END);
                if (signerKey == NULL)
                {
                        goto end;
                }
+               DBG1("  loaded private key file '%s'", keyfile);
        }
 
        /* load the signer's X.509 certificate */
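Review bot: The failure diagnostics of the deleted private_key_create_from_file helper are lost: when `lib->creds->create(...)` returns NULL the new code jumps to `end` without any message, while the old helper logged `could not load private key file` and `could not parse loaded private key file` before returning NULL. Add `DBG1("  could not load private key file '%s'", keyfile);` before the `goto end;` so a bad path or passphrase is visible in the output. main() starts and ends outside the hunk.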