Share vici_cert_info.c with vici_cred.c
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sat, 5 Dec 2015 22:15:47 +0000 (23:15 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 11 Dec 2015 17:26:55 +0000 (18:26 +0100)
src/libcharon/plugins/vici/vici_cert_info.c
src/libcharon/plugins/vici/vici_cred.c
src/libcharon/plugins/vici/vici_query.c
src/swanctl/Makefile.am
src/swanctl/commands/load_creds.c
src/swanctl/swanctl.h

index ce07960..9afaf05 100644 (file)
@@ -31,6 +31,8 @@ static vici_cert_info_t vici_cert_infos[] = {
        { "x509crl", "X.509 CRL",                      CERT_X509_CRL,
                                                                                                   X509_NONE                },
        { "ocsp", "OCSP Response",                     CERT_X509_OCSP_RESPONSE,
+                                                                                                  X509_NONE                },
+       { "pubkey", "Raw Public Key",                  CERT_TRUSTED_PUBKEY,
                                                                                                   X509_NONE                }
 };
 
index 6631184..e2aa5a9 100644 (file)
@@ -15,6 +15,7 @@
 
 #include "vici_cred.h"
 #include "vici_builder.h"
+#include "vici_cert_info.h"
 
 #include <credentials/sets/mem_cred.h>
 #include <credentials/certificates/ac.h>
@@ -66,9 +67,9 @@ static vici_message_t* create_reply(char *fmt, ...)
 CALLBACK(load_cert, vici_message_t*,
        private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
 {
-       certificate_type_t type;
-       x509_flag_t required_flags = 0, additional_flags = 0;
+       vici_cert_info_t *cert_info;
        certificate_t *cert;
+       x509_flag_t flag;
        x509_t *x509;
        chunk_t data;
        bool trusted = TRUE;
@@ -79,61 +80,47 @@ CALLBACK(load_cert, vici_message_t*,
        {
                return create_reply("certificate type missing");
        }
-       if (strcaseeq(str, "x509"))
-       {
-               type = CERT_X509;
-       }
-       else if (strcaseeq(str, "x509ca"))
-       {
-               type = CERT_X509;
-               required_flags = X509_CA;
-       }
-       else if (strcaseeq(str, "x509aa"))
-       {
-               type = CERT_X509;
-               additional_flags = X509_AA;
-       }
-       else if (strcaseeq(str, "x509crl"))
-       {
-               type = CERT_X509_CRL;
-       }
-       else if (strcaseeq(str, "x509ac"))
-       {
-               type = CERT_X509_AC;
-               trusted = FALSE;
-       }
-       else
+
+       cert_info = vici_cert_info_retrieve(str);
+       if (!cert_info)
        {
-               return create_reply("invalid certificate type: %s", str);
+               return create_reply("invalid certificate type '%s'", str);
        }
+
        data = message->get_value(message, chunk_empty, "data");
        if (!data.len)
        {
                return create_reply("certificate data missing");
        }
-       cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
+
+       /* do not set CA flag externally */
+       flag = (cert_info->flag & X509_CA) ? X509_NONE : cert_info->flag;
+
+       cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, cert_info->type,
                                                          BUILD_BLOB_PEM, data,
-                                                         BUILD_X509_FLAG, additional_flags,
+                                                         BUILD_X509_FLAG, flag,
                                                          BUILD_END);
        if (!cert)
        {
                return create_reply("parsing %N certificate failed",
-                                                       certificate_type_names, type);
+                                                       certificate_type_names, cert_info->type);
        }
-       if (cert->get_type(cert) == CERT_X509)
+       DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
+
+       /* check if CA certificate has CA basic constraint set */
+       if (cert_info->flag & X509_CA)
        {
+               char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
                x509 = (x509_t*)cert;
 
-               if ((required_flags & x509->get_flags(x509)) != required_flags)
+               if (!(x509->get_flags(x509) & X509_CA))
                {
                        cert->destroy(cert);
-                       return create_reply("certificate misses required flag, rejected");
+                       DBG1(DBG_CFG, "  %s", err_msg);
+                       return create_reply(err_msg);
                }
        }
-
-       DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
-
-       if (type == CERT_X509_CRL)
+       if (cert_info->type == CERT_X509_CRL)
        {
                this->creds->add_crl(this->creds, (crl_t*)cert);
        }
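Review bot: `trusted` is still declared `bool trusted = TRUE;` in the kept context at the top of load_cert, but the removed `x509ac` branch was the only place it was set to FALSE and nothing on the new side assigns it; if the add_cert call below this hunk still passes `trusted`, attribute certificates loaded as `x509ac` are now registered as trusted, which looks unintended — please confirm, and if so restore `if (cert_info->type == CERT_X509_AC) { trusted = FALSE; }` right after the vici_cert_info_retrieve check. Separately, `return create_reply(err_msg);` hands a non-literal buffer to a `char *fmt, ...` function; it is harmless here because the text holds no conversion specifiers, but it trips -Wformat-security and is the kind of line that gets copied into a case where the text is not fixed, so prefer `return create_reply("%s", err_msg);` (or pass the literal directly). The body of load_cert continues past the end of this hunk.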
@@ -169,6 +156,10 @@ CALLBACK(load_key, vici_message_t*,
        {
                type = KEY_ECDSA;
        }
+       else if (strcaseeq(str, "bliss"))
+       {
+               type = KEY_BLISS;
+       }
        else
        {
                return create_reply("invalid key type: %s", str);
index d5d973f..2ea9228 100644 (file)
@@ -900,6 +900,10 @@ static void enum_others(private_vici_query_t *this, u_int id,
                                b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION);
                                b->add_kv(b, "type", "%s", cert_type);
                        }
+                       if (has_privkey(cert))
+                       {
+                               b->add_kv(b, "has_privkey", "yes");
+                       }
                        b->add(b, VICI_KEY_VALUE, "data", encoding);
                        free(encoding.ptr);
 
@@ -1016,6 +1020,7 @@ CALLBACK(list_certs, vici_message_t*,
        {
                filter.subject = identification_create_from_string(str);
        }
+       enum_certs(this, id, &filter, CERT_TRUSTED_PUBKEY, "pubkey");
        enum_certs(this, id, &filter, CERT_X509, "x509");
        enum_certs(this, id, &filter, CERT_X509_AC, "x509ac");
        enum_certs(this, id, &filter, CERT_X509_CRL, "x509crl");
index 0000c4c..5b6b8e4 100644 (file)
@@ -64,10 +64,13 @@ install-data-local: swanctl.conf
        test -e "$(DESTDIR)$(swanctldir)/x509" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509" || true
        test -e "$(DESTDIR)$(swanctldir)/x509ca" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ca" || true
        test -e "$(DESTDIR)$(swanctldir)/x509aa" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509aa" || true
+       test -e "$(DESTDIR)$(swanctldir)/x509ocsp" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ocsp" || true
        test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true
        test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true
+       test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true
        test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
        test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
+       test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true
        test -e "$(DESTDIR)$(swanctldir)/pkcs8" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs8" || true
        test -e "$(DESTDIR)$(swanctldir)/pkcs12" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs12" || true
        test -e "$(DESTDIR)$(swanctldir)/swanctl.conf" || $(INSTALL) -m 640 $(srcdir)/swanctl.conf $(DESTDIR)$(swanctldir)/swanctl.conf || true
index d2ebc22..d27b0fb 100644 (file)
@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -171,6 +174,9 @@ static bool load_key_anytype(vici_conn_t *conn, command_format_options_t format,
                case KEY_ECDSA:
                        loaded = load_key(conn, format, path, "ecdsa", encoding);
                        break;
+               case KEY_BLISS:
+                       loaded = load_key(conn, format, path, "bliss", encoding);
+                       break;
                default:
                        fprintf(stderr, "unsupported key type in '%s'\n", path);
                        break;
@@ -237,6 +243,7 @@ static bool determine_credtype(char *type, credential_type_t *credtype,
                { "pkcs8",                      CRED_PRIVATE_KEY,               KEY_ANY,                        },
                { "rsa",                        CRED_PRIVATE_KEY,               KEY_RSA,                        },
                { "ecdsa",                      CRED_PRIVATE_KEY,               KEY_ECDSA,                      },
+               { "bliss",                      CRED_PRIVATE_KEY,               KEY_BLISS,                      },
                { "pkcs12",                     CRED_CONTAINER,                 CONTAINER_PKCS12,       },
        };
        int i;
@@ -548,6 +555,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
                "ike",
                "rsa",
                "ecdsa",
+               "bliss",
                "pkcs8",
                "pkcs12",
        };
@@ -672,14 +680,17 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
                }
        }
 
-       load_certs(conn, format, "x509", SWANCTL_X509DIR);
-       load_certs(conn, format, "x509ca", SWANCTL_X509CADIR);
-       load_certs(conn, format, "x509aa", SWANCTL_X509AADIR);
-       load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR);
-       load_certs(conn, format, "x509ac", SWANCTL_X509ACDIR);
+       load_certs(conn, format, "x509",     SWANCTL_X509DIR);
+       load_certs(conn, format, "x509ca",   SWANCTL_X509CADIR);
+       load_certs(conn, format, "x509aa",   SWANCTL_X509AADIR);
+       load_certs(conn, format, "x509crl",  SWANCTL_X509CRLDIR);
+       load_certs(conn, format, "x509ac",   SWANCTL_X509ACDIR);
+       load_certs(conn, format, "x509ocsp", SWANCTL_X509OCSPDIR);
+       load_certs(conn, format, "pubkey",   SWANCTL_PUBKEYDIR);
 
-       load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
+       load_keys(conn, format, noprompt, cfg, "rsa",   SWANCTL_RSADIR);
        load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
+       load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR);
        load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR);
 
        load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR);
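Review bot: The seven pre-existing load_certs/load_keys lines are re-emitted only to realign their arguments, so the two functional additions (`x509ocsp`/`pubkey` certificate directories and the `bliss` key directory) are buried in a cosmetic rewrite and every realigned line now points at this commit in blame. Keeping the whitespace change in a separate commit, or leaving the existing lines untouched and adding the new calls in the file's current style, would make the change easier to review and bisect. load_creds_cfg starts before this hunk.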
index cb570cd..560e895 100644 (file)
@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
 #define SWANCTL_X509AADIR SWANCTLDIR "/x509aa"
 
 /**
+ * Directory for X.509 OCSP Signer certs
+ */
+#define SWANCTL_X509OCSPDIR SWANCTLDIR "/x509ocsp"
+
+/**
  * Directory for X.509 CRLs
  */
 #define SWANCTL_X509CRLDIR SWANCTLDIR "/x509crl"
 #define SWANCTL_X509ACDIR SWANCTLDIR "/x509ac"
 
 /**
+ * Directory for raw public keys
+ */
+#define SWANCTL_PUBKEYDIR SWANCTLDIR "/pubkey"
+
+/**
  * Directory for RSA private keys
  */
 #define SWANCTL_RSADIR SWANCTLDIR "/rsa"
 #define SWANCTL_ECDSADIR SWANCTLDIR "/ecdsa"
 
 /**
+ * Directory for BLISS private keys
+ */
+#define SWANCTL_BLISSDIR SWANCTLDIR "/bliss"
+
+/**
  * Directory for PKCS#8 encoded private keys
  */
 #define SWANCTL_PKCS8DIR SWANCTLDIR "/pkcs8"