vici: Certification Authority support added.
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 14 Jul 2015 12:41:27 +0000 (14:41 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 21 Jul 2015 11:02:30 +0000 (13:02 +0200)
CDP and OCSP URIs for a one or multiple certification authorities
can be added via the VICI interface. swanctl allows to read
definitions from a new authorities section.

19 files changed:
NEWS
src/libcharon/plugins/vici/Makefile.am
src/libcharon/plugins/vici/README.md
src/libcharon/plugins/vici/vici_authority.c [new file with mode: 0644]
src/libcharon/plugins/vici/vici_authority.h [new file with mode: 0644]
src/libcharon/plugins/vici/vici_config.c
src/libcharon/plugins/vici/vici_config.h
src/libcharon/plugins/vici/vici_cred.c
src/libcharon/plugins/vici/vici_cred.h
src/libcharon/plugins/vici/vici_plugin.c
src/swanctl/Makefile.am
src/swanctl/command.c
src/swanctl/command.h
src/swanctl/commands/list_authorities.c [new file with mode: 0644]
src/swanctl/commands/load_all.c
src/swanctl/commands/load_authorities.c [new file with mode: 0644]
src/swanctl/commands/load_authorities.h [new file with mode: 0644]
src/swanctl/swanctl.8.in
src/swanctl/swanctl.opt

diff --git a/NEWS b/NEWS
index b2191b6..e054024 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,6 @@
+strongswan-5.3.3
+----------------
+
 - Added support for the ChaCha20/Poly1305 AEAD cipher specified in RFC7539 and
   draft-ietf-ipsecme-chacha20-poly1305 using the chacha20poly1305 ike/esp
   proposal keyword. The new chapoly plugin implements the cipher, optionally
@@ -5,6 +8,9 @@
   strongSwan libipsec ESP backend. On Linux 4.2 or newer the kernel-netlink
   plugin can configure the cipher for ESP SAs.
 
+- The vici interface now supports the configuration of auxiliary certification
+  authority information as CRL and OCSP URIs
 
 strongswan-5.3.2
 ----------------
index b253960..c99d23e 100644 (file)
@@ -23,6 +23,7 @@ libstrongswan_vici_la_SOURCES = \
        vici_config.h vici_config.c \
        vici_cred.h vici_cred.c \
        vici_attribute.h vici_attribute.c \
+       vici_authority.h vici_authority.c \
        vici_logger.h vici_logger.c \
        vici_plugin.h vici_plugin.c
 
index 0ce4271..db7ce4e 100644 (file)
@@ -366,6 +366,27 @@ over vici.
                # completes after streaming list-cert events
        }
 
+### list-authorities() ###
+
+List currently loaded certification authority information by streaming
+_list-authority_ events.
+
+       {
+               name = <list certification authority of a given name>
+       } => {
+               # completes after streaming list-authority events
+       }
+
+### get-authorities() ###
+
+Return a list of currently loaded certification authority names.
+
+       {} => {
+               authorities = [
+                       <list of certification authority names>
+               ]
+       }
+
 ### load-conn() ###
 
 Load a single connection definition into the daemon. An existing connection
@@ -442,6 +463,32 @@ credential cache.
                errmsg = <error string on failure>
        }
 
+### load-authority() ###
+
+Load a single certification authority definition into the daemon. An existing
+authority with the same name gets replaced.
+
+       {
+               <certification authority name> = {
+                       # certification authority parameters
+                       # refer to swanctl.conf(5) for details.
+               } => {
+                       success = <yes or no>
+                       errmsg = <error string on failure>
+               }
+       }
+
+### unload-authority() ###
+
+Unload a previously loaded certification authority definition by name.
+
+       {
+               name = <certification authority name>
+       } => {
+               success = <yes or no>
+               errmsg = <error string on failure>
+       }
+
 ### load-pool() ###
 
 Load an in-memory virtual IP and configuration attribute pool. Existing
@@ -673,6 +720,23 @@ _list-certs_ command.
                data = <ASN1 encoded certificate data>
        }
 
+### list-authority ###
+
+The _list-authority_ event is issued to stream loaded certification authority
+information during an active_list-authorities_ command.
+
+       {
+               <certification authority name> = {
+                       cacert = <subject distinguished name of CA certificate>
+                       crl_uris = [
+                               <CRL URI (http, ldap or file)>
+                       ]
+                       ocsp_uris = [
+                               <OCSP URI (http)>
+                       ]
+                       cert_uri_base = <base URI for download of hash-and-URL certificates>
+               }
+       }
 
 # libvici C client library #
 
diff --git a/src/libcharon/plugins/vici/vici_authority.c b/src/libcharon/plugins/vici/vici_authority.c
new file mode 100644 (file)
index 0000000..94a7f68
--- /dev/null
@@ -0,0 +1,750 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+
+#include "vici_authority.h"
+#include "vici_builder.h"
+
+#include <threading/rwlock.h>
+#include <collections/linked_list.h>
+#include <credentials/certificates/x509.h>
+#include <utils/debug.h>
+
+#include <stdio.h>
+
+typedef struct private_vici_authority_t private_vici_authority_t;
+
+/**
+ * Private data of an vici_authority_t object.
+ */
+struct private_vici_authority_t {
+
+       /**
+        * Public vici_authority_t interface.
+        */
+       vici_authority_t public;
+
+       /**
+        * Dispatcher
+        */
+       vici_dispatcher_t *dispatcher;
+
+       /**
+        * credential backend managed by VICI used for our ca certificates
+        */
+       vici_cred_t *cred;
+
+       /**
+        * List of certification authorities
+        */
+       linked_list_t *authorities;
+
+       /**
+        * rwlock to lock access to certification authorities
+        */
+       rwlock_t *lock;
+
+};
+
+typedef struct authority_t authority_t;
+
+/**
+ * loaded certification authorities
+ */
+struct authority_t {
+
+       /**
+        * Name of the certification authoritiy
+        */
+       char *name;
+
+       /**
+        * Reference to CA certificate
+        */
+       certificate_t *cert;
+
+       /**
+        * CRL URIs
+        */
+       linked_list_t *crl_uris;
+
+       /**
+        * OCSP URIs
+        */
+       linked_list_t *ocsp_uris;
+
+       /**
+        * Hashes of certificates issued by this CA
+        */
+       linked_list_t *hashes;
+
+       /**
+        * Base URI used for certificates from this CA
+        */
+       char *cert_uri_base;
+};
+
+/**
+ * create a new certification authority
+ */
+static authority_t *authority_create(char *name)
+{
+       authority_t *authority;
+
+       INIT(authority,
+               .name = strdup(name),
+               .crl_uris = linked_list_create(),
+               .ocsp_uris = linked_list_create(),
+               .hashes = linked_list_create(),
+       );
+
+       return authority;
+}
+
+/**
+ * destroy a certification authority
+ */
+static void authority_destroy(authority_t *this)
+{
+       this->crl_uris->destroy_function(this->crl_uris, free);
+       this->ocsp_uris->destroy_function(this->ocsp_uris, free);
+       this->hashes->destroy_offset(this->hashes, offsetof(identification_t, destroy));
+       DESTROY_IF(this->cert);
+       free(this->cert_uri_base);
+       free(this->name);
+       free(this);
+}
+
+
+/**
+ * Create a (error) reply message
+ */
+static vici_message_t* create_reply(char *fmt, ...)
+{
+       vici_builder_t *builder;
+       va_list args;
+
+       builder = vici_builder_create();
+       builder->add_kv(builder, "success", fmt ? "no" : "yes");
+       if (fmt)
+       {
+               va_start(args, fmt);
+               builder->vadd_kv(builder, "errmsg", fmt, args);
+               va_end(args);
+       }
+       return builder->finalize(builder);
+}
+
+/**
+ * A rule to parse a key/value or list item
+ */
+typedef struct {
+       /** name of the key/value or list */
+       char *name;
+       /** function to parse value */
+       bool (*parse)(void *out, chunk_t value);
+       /** result, passed to parse() */
+       void *out;
+} parse_rule_t;
+
+/**
+ * Parse key/values using a rule-set
+ */
+static bool parse_rules(parse_rule_t *rules, int count, char *name,
+                                               chunk_t value, vici_message_t **reply)
+{
+       int i;
+
+       for (i = 0; i < count; i++)
+       {
+               if (streq(name, rules[i].name))
+               {
+                       if (rules[i].parse(rules[i].out, value))
+                       {
+                               return TRUE;
+                       }
+                       *reply = create_reply("invalid value for: %s, authority discarded",
+                                                                 name);
+                       return FALSE;
+               }
+       }
+       *reply = create_reply("unknown option: %s, authority discarded", name);
+       return FALSE;
+}
+
+/**
+ * Parse callback data, passed to each callback
+ */
+typedef struct {
+       private_vici_authority_t *this;
+       vici_message_t *reply;
+} request_data_t;
+
+/**
+ * Data associated with an authority load
+ */
+typedef struct {
+       request_data_t *request;
+       authority_t *authority;
+} load_data_t;
+
+/**
+ * Parse a string
+ */
+CALLBACK(parse_string, bool,
+       char **str, chunk_t v)
+{
+       if (!chunk_printable(v, NULL, ' '))
+       {
+               return FALSE;
+       }
+       *str = strndup(v.ptr, v.len);
+
+       return TRUE;
+}
+
+/**
+ * Parse list of URIs
+ */
+CALLBACK(parse_uris, bool,
+       linked_list_t *out, chunk_t v)
+{
+       char *uri;
+
+       if (!chunk_printable(v, NULL, ' '))
+       {
+               return FALSE;
+       }
+       uri = strndup(v.ptr, v.len);
+       out->insert_last(out, uri);
+
+       return TRUE;
+}
+
+/**
+ * Parse a CA certificate
+ */
+CALLBACK(parse_cacert, bool,
+       certificate_t **cacert, chunk_t v)
+{
+       certificate_t *cert;
+       x509_t *x509;
+
+       cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+                                                                                 BUILD_BLOB_PEM, v, BUILD_END);
+       if (!cert)
+       {
+               return create_reply("parsing %N certificate failed",
+                                                       certificate_type_names, CERT_X509);
+       }
+       x509 = (x509_t*)cert;
+
+       if ((x509->get_flags(x509) & X509_CA) != X509_CA)
+       {
+               cert->destroy(cert);
+               return create_reply("certificate without CA flag, rejected");
+       }
+       *cacert = cert;
+
+       return TRUE;
+}
+
+CALLBACK(authority_kv, bool,
+       load_data_t *data, vici_message_t *message, char *name, chunk_t value)
+{
+       parse_rule_t rules[] = {
+               { "cacert",                     parse_cacert, &data->authority->cert          },
+               { "cert_uri_base",      parse_string, &data->authority->cert_uri_base },
+       };
+
+       return parse_rules(rules, countof(rules), name, value,
+                                          &data->request->reply);
+}
+
+CALLBACK(authority_li, bool,
+       load_data_t *data, vici_message_t *message, char *name, chunk_t value)
+{
+       parse_rule_t rules[] = {
+               { "crl_uris",   parse_uris, data->authority->crl_uris  },
+               { "ocsp_uris",  parse_uris, data->authority->ocsp_uris },
+       };
+
+       return parse_rules(rules, countof(rules), name, value,
+                                          &data->request->reply);
+}
+
+static void log_authority_data(authority_t *authority)
+{
+       enumerator_t *enumerator;
+       identification_t *subject;
+       bool first = TRUE;
+       char *uri;
+
+       subject = authority->cert->get_subject(authority->cert);
+       DBG2(DBG_CFG, "  cacert = %Y", subject);
+
+       enumerator = authority->crl_uris->create_enumerator(authority->crl_uris);
+       while (enumerator->enumerate(enumerator, &uri))
+       {
+               if (first)
+               {
+                       DBG2(DBG_CFG, "  crl_uris = %s", uri);
+                       first = FALSE;
+               }
+               else
+               {
+                       DBG2(DBG_CFG, "             %s", uri);
+               }
+       }
+       enumerator->destroy(enumerator);
+
+       first = TRUE;
+       enumerator = authority->ocsp_uris->create_enumerator(authority->ocsp_uris);
+       while (enumerator->enumerate(enumerator, &uri))
+       {
+               if (first)
+               {
+                       DBG2(DBG_CFG, "  ocsp_uris = %s", uri);
+                       first = FALSE;
+               }
+               else
+               {
+                       DBG2(DBG_CFG, "              %s", uri);
+               }
+       }
+       enumerator->destroy(enumerator);
+
+       if (authority->cert_uri_base)
+       {
+               DBG2(DBG_CFG, "  cert_uri_base = %s", authority->cert_uri_base);
+       }
+}
+
+CALLBACK(authority_sn, bool,
+       request_data_t *request, vici_message_t *message,
+       vici_parse_context_t *ctx, char *name)
+{
+       enumerator_t *enumerator;
+       linked_list_t *authorities;
+       authority_t *authority;
+       vici_cred_t *cred;
+
+       load_data_t data = {
+               .request = request,
+               .authority = authority_create(name),
+       };
+
+       DBG2(DBG_CFG, " authority %s:", name);
+
+       if (!message->parse(message, ctx, NULL, authority_kv, authority_li, &data) ||
+               !data.authority->cert)
+       {
+               authority_destroy(data.authority);
+               return FALSE;
+       }
+       log_authority_data(data.authority);
+
+       request->this->lock->write_lock(request->this->lock);
+
+       authorities = request->this->authorities;
+       enumerator = authorities->create_enumerator(authorities);
+       while (enumerator->enumerate(enumerator, &authority))
+       {
+               if (streq(authority->name, name))
+               {
+                       /* remove the old authority definition */
+                       authorities->remove_at(authorities, enumerator);
+                       authority_destroy(authority);
+                       break;
+               }
+       }
+       enumerator->destroy(enumerator);
+       authorities->insert_last(authorities, data.authority);
+
+       cred = request->this->cred;
+       data.authority->cert = cred->add_cert(cred, data.authority->cert);
+
+       request->this->lock->unlock(request->this->lock);
+
+       return TRUE;
+}
+
+CALLBACK(load_authority, vici_message_t*,
+       private_vici_authority_t *this, char *name, u_int id, vici_message_t *message)
+{
+       request_data_t request = {
+               .this = this,
+       };
+
+       if (!message->parse(message, NULL, authority_sn, NULL, NULL, &request))
+       {
+               if (request.reply)
+               {
+                       return request.reply;
+               }
+               return create_reply("parsing request failed");
+       }
+       return create_reply(NULL);
+}
+
+CALLBACK(unload_authority, vici_message_t*,
+       private_vici_authority_t *this, char *name, u_int id, vici_message_t *message)
+{
+       enumerator_t *enumerator;
+       authority_t *authority;
+       char *authority_name;
+       bool found = FALSE;
+
+       authority_name = message->get_str(message, NULL, "name");
+       if (!authority_name)
+       {
+               return create_reply("unload: missing authority name");
+       }
+
+       this->lock->write_lock(this->lock);
+       enumerator = this->authorities->create_enumerator(this->authorities);
+       while (enumerator->enumerate(enumerator, &authority))
+       {
+               if (streq(authority->name, authority_name))
+               {
+                       this->authorities->remove_at(this->authorities, enumerator);
+                       authority_destroy(authority);
+                       found = TRUE;
+                       break;
+               }
+       }
+       enumerator->destroy(enumerator);
+       this->lock->unlock(this->lock);
+
+       if (!found)
+       {
+               return create_reply("unload: authority '%s' not found", authority_name);
+       }
+       return create_reply(NULL);
+}
+
+CALLBACK(get_authorities, vici_message_t*,
+       private_vici_authority_t *this, char *name, u_int id,
+       vici_message_t *message)
+{
+       vici_builder_t *builder;
+       enumerator_t *enumerator;
+       authority_t *authority;
+
+       builder = vici_builder_create();
+       builder->begin_list(builder, "authorities");
+
+       this->lock->read_lock(this->lock);
+       enumerator = this->authorities->create_enumerator(this->authorities);
+       while (enumerator->enumerate(enumerator, &authority))
+       {
+               builder->add_li(builder, "%s", authority->name);
+       }
+       enumerator->destroy(enumerator);
+       this->lock->unlock(this->lock);
+
+       builder->end_list(builder);
+
+       return builder->finalize(builder);
+}
+
+CALLBACK(list_authorities, vici_message_t*,
+       private_vici_authority_t *this, char *name, u_int id, vici_message_t *request)
+{
+       enumerator_t *enumerator, *e;
+       authority_t *authority;
+       vici_builder_t *b;
+       char *str, *uri;
+
+       str = request->get_str(request, NULL, "name");
+
+       this->lock->read_lock(this->lock);
+       enumerator = this->authorities->create_enumerator(this->authorities);
+       while (enumerator->enumerate(enumerator, &authority))
+       {
+               if (str && !streq(str, authority->name))
+               {
+                       continue;
+               }
+               b = vici_builder_create();
+
+               /* open authority section */
+               b->begin_section(b, authority->name);
+
+               /* subject DN of cacert */
+               b->add_kv(b, "cacert", "%Y",
+                                         authority->cert->get_subject(authority->cert));
+
+               /* list of crl_uris */
+               b->begin_list(b, "crl_uris");
+               e = authority->crl_uris->create_enumerator(authority->crl_uris);
+               while (e->enumerate(e, &uri))
+               {
+                       b->add_li(b, "%s", uri);
+               }
+               e->destroy(e);
+               b->end_list(b);
+
+               /* list of ocsp_uris */
+               b->begin_list(b, "ocsp_uris");
+               e = authority->ocsp_uris->create_enumerator(authority->ocsp_uris);
+               while (e->enumerate(e, &uri))
+               {
+                       b->add_li(b, "%s", uri);
+               }
+               e->destroy(e);
+               b->end_list(b);
+
+               /* cert_uri_base */
+               if (authority->cert_uri_base)
+               {
+                       b->add_kv(b, "cert_uri_base", "%s", authority->cert_uri_base);
+               }
+
+               /* close authority and raise event */
+               b->end_section(b);
+               this->dispatcher->raise_event(this->dispatcher, "list-authority", id,
+                                                                         b->finalize(b));
+       }
+       enumerator->destroy(enumerator);
+       this->lock->unlock(this->lock);
+
+       b = vici_builder_create();
+       return b->finalize(b);
+}
+
+static void manage_command(private_vici_authority_t *this,
+                                                  char *name, vici_command_cb_t cb, bool reg)
+{
+       this->dispatcher->manage_command(this->dispatcher, name,
+                                                                        reg ? cb : NULL, this);
+}
+
+/**
+ * (Un-)register dispatcher functions
+ */
+static void manage_commands(private_vici_authority_t *this, bool reg)
+{
+       this->dispatcher->manage_event(this->dispatcher, "list-authority", reg);
+
+       manage_command(this, "load-authority", load_authority, reg);
+       manage_command(this, "unload-authority", unload_authority, reg);
+       manage_command(this, "get-authorities", get_authorities, reg);
+       manage_command(this, "list-authorities", list_authorities, reg);
+}
+
+/**
+ * data to pass to create_inner_cdp
+ */
+typedef struct {
+       private_vici_authority_t *this;
+       certificate_type_t type;
+       identification_t *id;
+} cdp_data_t;
+
+/**
+ * destroy cdp enumerator data and unlock list
+ */
+static void cdp_data_destroy(cdp_data_t *data)
+{
+       data->this->lock->unlock(data->this->lock);
+       free(data);
+}
+
+/**
+ * inner enumerator constructor for CDP URIs
+ */
+static enumerator_t *create_inner_cdp(authority_t *authority, cdp_data_t *data)
+{
+       public_key_t *public;
+       enumerator_t *enumerator = NULL;
+       linked_list_t *list;
+
+       if (data->type == CERT_X509_OCSP_RESPONSE)
+       {
+               list = authority->ocsp_uris;
+       }
+       else
+       {
+               list = authority->crl_uris;
+       }
+
+       public = authority->cert->get_public_key(authority->cert);
+       if (public)
+       {
+               if (!data->id)
+               {
+                       enumerator = list->create_enumerator(list);
+               }
+               else
+               {
+                       if (public->has_fingerprint(public, data->id->get_encoding(data->id)))
+                       {
+                               enumerator = list->create_enumerator(list);
+                       }
+               }
+               public->destroy(public);
+       }
+       return enumerator;
+}
+
+/**
+ * inner enumerator constructor for "Hash and URL"
+ */
+static enumerator_t *create_inner_cdp_hashandurl(authority_t *authority,
+                                                                                                cdp_data_t *data)
+{
+       enumerator_t *enumerator = NULL, *hash_enum;
+       identification_t *current;
+
+       if (!data->id || !authority->cert_uri_base)
+       {
+               return NULL;
+       }
+
+       hash_enum = authority->hashes->create_enumerator(authority->hashes);
+       while (hash_enum->enumerate(hash_enum, &current))
+       {
+               if (current->matches(current, data->id))
+               {
+                       char *url, *hash;
+
+                       url = malloc(strlen(authority->cert_uri_base) + 40 + 1);
+                       strcpy(url, authority->cert_uri_base);
+                       hash = chunk_to_hex(current->get_encoding(current), NULL, FALSE).ptr;
+                       strncat(url, hash, 40);
+                       free(hash);
+
+                       enumerator = enumerator_create_single(url, free);
+                       break;
+               }
+       }
+       hash_enum->destroy(hash_enum);
+       return enumerator;
+}
+
+METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*,
+       private_vici_authority_t *this, certificate_type_t type,
+       identification_t *id)
+{
+       cdp_data_t *data;
+
+       switch (type)
+       {       /* we serve CRLs, OCSP responders and URLs for "Hash and URL" */
+               case CERT_X509:
+               case CERT_X509_CRL:
+               case CERT_X509_OCSP_RESPONSE:
+               case CERT_ANY:
+                       break;
+               default:
+                       return NULL;
+       }
+       data = malloc_thing(cdp_data_t);
+       data->this = this;
+       data->type = type;
+       data->id = id;
+
+       this->lock->read_lock(this->lock);
+
+       return enumerator_create_nested(
+                       this->authorities->create_enumerator(this->authorities),
+                       (type == CERT_X509) ? (void*)create_inner_cdp_hashandurl :
+                       (void*)create_inner_cdp, data, (void*)cdp_data_destroy);
+}
+
+METHOD(vici_authority_t, check_for_hash_and_url, void,
+       private_vici_authority_t *this, certificate_t* cert)
+{
+       authority_t *authority;
+       enumerator_t *enumerator;
+       hasher_t *hasher;
+
+       hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+       if (hasher == NULL)
+       {
+               DBG1(DBG_CFG, "unable to use hash-and-url: sha1 not supported");
+               return;
+       }
+
+       this->lock->write_lock(this->lock);
+       enumerator = this->authorities->create_enumerator(this->authorities);
+       while (enumerator->enumerate(enumerator, &authority))
+       {
+               if (authority->cert_uri_base &&
+                       cert->issued_by(cert, authority->cert, NULL))
+               {
+                       chunk_t hash, encoded;
+
+                       if (cert->get_encoding(cert, CERT_ASN1_DER, &encoded))
+                       {
+                               if (hasher->allocate_hash(hasher, encoded, &hash))
+                               {
+                                       authority->hashes->insert_last(authority->hashes,
+                                               identification_create_from_encoding(ID_KEY_ID, hash));
+                                       chunk_free(&hash);
+                               }
+                               chunk_free(&encoded);
+                       }
+                       break;
+               }
+       }
+       enumerator->destroy(enumerator);
+       this->lock->unlock(this->lock);
+
+       hasher->destroy(hasher);
+}
+
+METHOD(vici_authority_t, destroy, void,
+       private_vici_authority_t *this)
+{
+       manage_commands(this, FALSE);
+
+       this->authorities->destroy_function(this->authorities,
+                                                                          (void*)authority_destroy);
+       this->lock->destroy(this->lock);
+       free(this);
+}
+
+/**
+ * See header
+ */
+vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher,
+                                                                               vici_cred_t *cred)
+{
+       private_vici_authority_t *this;
+
+       INIT(this,
+               .public = {
+                       .set = {
+                               .create_private_enumerator = (void*)return_null,
+                               .create_cert_enumerator = (void*)return_null,
+                               .create_shared_enumerator = (void*)return_null,
+                               .create_cdp_enumerator = _create_cdp_enumerator,
+                               .cache_cert = (void*)nop,
+                       },
+                       .check_for_hash_and_url = _check_for_hash_and_url,
+                       .destroy = _destroy,
+               },
+               .dispatcher = dispatcher,
+               .cred = cred,
+               .authorities = linked_list_create(),
+               .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+       );
+
+       manage_commands(this, TRUE);
+
+       return &this->public;
+}
diff --git a/src/libcharon/plugins/vici/vici_authority.h b/src/libcharon/plugins/vici/vici_authority.h
new file mode 100644 (file)
index 0000000..dbeabae
--- /dev/null
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup vici_authority vici_authority
+ * @{ @ingroup vici
+ */
+
+#ifndef VICI_AUTHORITY_H_
+#define VICI_AUTHORITY_H_
+
+#include "vici_dispatcher.h"
+#include "vici_cred.h"
+
+typedef struct vici_authority_t vici_authority_t;
+
+/**
+ * In-memory certification authority backend, managed by VICI.
+ */
+struct vici_authority_t {
+
+       /**
+        * Implements credential_set_t
+        */
+       credential_set_t set;
+
+       /**
+        * Check if a certificate can be made available through hash and URL.
+        *
+        * @param cert          end entity certificate
+        */
+       void (*check_for_hash_and_url)(vici_authority_t *this, certificate_t* cert);
+
+       /**
+        * Destroy a vici_authority_t.
+        */
+       void (*destroy)(vici_authority_t *this);
+};
+
+/**
+ * Create a vici_authority instance.
+ *
+ * @param dispatcher           dispatcher to receive requests from
+ * @param cred                         in-memory credential backend managed by VICI
+ * @return                                     authority backend
+ */
+vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher,
+                                                                               vici_cred_t *cred);
+
+#endif /** VICI_AUTHORITY_H_ @}*/
index a1b9586..139616f 100644 (file)
@@ -96,6 +96,12 @@ struct private_vici_config_t {
         * Lock for conns list
         */
        rwlock_t *lock;
+
+       /**
+        * Auxiliary certification authority information
+        */
+       vici_authority_t *authority;
+
 };
 
 METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*,
@@ -1043,15 +1049,21 @@ CALLBACK(parse_group, bool,
 /**
  * Parse a certificate; add as auth rule to config
  */
-static bool parse_cert(auth_cfg_t *cfg, auth_rule_t rule, chunk_t v)
+static bool parse_cert(auth_data_t *auth, auth_rule_t rule, chunk_t v)
 {
+       vici_authority_t *authority;
        certificate_t *cert;
 
        cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
                                                          BUILD_BLOB_PEM, v, BUILD_END);
        if (cert)
        {
-               cfg->add(cfg, rule, cert);
+               if (rule == AUTH_RULE_SUBJECT_CERT)
+               {
+                       authority = auth->request->this->authority;
+                       authority->check_for_hash_and_url(authority, cert);
+               }
+               auth->cfg->add(auth->cfg, rule, cert);
                return TRUE;
        }
        return FALSE;
@@ -1061,18 +1073,18 @@ static bool parse_cert(auth_cfg_t *cfg, auth_rule_t rule, chunk_t v)
  * Parse subject certificates
  */
 CALLBACK(parse_certs, bool,
-       auth_cfg_t *cfg, chunk_t v)
+       auth_data_t *auth, chunk_t v)
 {
-       return parse_cert(cfg, AUTH_RULE_SUBJECT_CERT, v);
+       return parse_cert(auth, AUTH_RULE_SUBJECT_CERT, v);
 }
 
 /**
  * Parse CA certificates
  */
 CALLBACK(parse_cacerts, bool,
-       auth_cfg_t *cfg, chunk_t v)
+       auth_data_t *auth, chunk_t v)
 {
-       return parse_cert(cfg, AUTH_RULE_CA_CERT, v);
+       return parse_cert(auth, AUTH_RULE_CA_CERT, v);
 }
 
 /**
@@ -1267,8 +1279,8 @@ CALLBACK(auth_li, bool,
 {
        parse_rule_t rules[] = {
                { "groups",                     parse_group,            auth->cfg                                       },
-               { "certs",                      parse_certs,            auth->cfg                                       },
-               { "cacerts",            parse_cacerts,          auth->cfg                                       },
+               { "certs",                      parse_certs,            auth                                            },
+               { "cacerts",            parse_cacerts,          auth                                            },
        };
 
        return parse_rules(rules, countof(rules), name, value,
@@ -2056,7 +2068,8 @@ METHOD(vici_config_t, destroy, void,
 /**
  * See header
  */
-vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher)
+vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher,
+                                                                 vici_authority_t *authority)
 {
        private_vici_config_t *this;
 
@@ -2072,6 +2085,7 @@ vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher)
                .dispatcher = dispatcher,
                .conns = linked_list_create(),
                .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+               .authority = authority,
        );
 
        manage_commands(this, TRUE);
index 820d5f3..c3245bf 100644 (file)
@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -22,6 +25,7 @@
 #define VICI_CONFIG_H_
 
 #include "vici_dispatcher.h"
+#include "vici_authority.h"
 
 #include <config/backend.h>
 
@@ -46,8 +50,10 @@ struct vici_config_t {
  * Create a vici_config instance.
  *
  * @param dispatcher           dispatcher to receive requests from
+ * @param authority                    Auxiliary certification authority information
  * @return                                     config backend
  */
-vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher);
+vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher,
+                                                                 vici_authority_t *authority);
 
 #endif /** VICI_CONFIG_H_ @}*/
index d4c02de..ffdc034 100644 (file)
@@ -294,6 +294,12 @@ static void manage_commands(private_vici_cred_t *this, bool reg)
        manage_command(this, "load-shared", load_shared, reg);
 }
 
+METHOD(vici_cred_t, add_cert, certificate_t*,
+       private_vici_cred_t *this, certificate_t *cert)
+{
+       return this->creds->get_cert_ref(this->creds, cert);
+}
+
 METHOD(vici_cred_t, destroy, void,
        private_vici_cred_t *this)
 {
@@ -313,6 +319,7 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
 
        INIT(this,
                .public = {
+                       .add_cert = _add_cert,
                        .destroy = _destroy,
                },
                .dispatcher = dispatcher,
index e109a27..8359c0e 100644 (file)
@@ -31,6 +31,14 @@ typedef struct vici_cred_t vici_cred_t;
 struct vici_cred_t {
 
        /**
+        * Add a certificate to the certificate store
+        *
+        * @param cert  certificate to be added to store
+        * @return              reference to certificate or cached copy
+        */
+       certificate_t* (*add_cert)(vici_cred_t *this, certificate_t *cert);
+
+       /**
         * Destroy a vici_cred_t.
         */
        void (*destroy)(vici_cred_t *this);
index 7ae58a3..53ed8cd 100644 (file)
@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -42,6 +45,7 @@
 #include "vici_cred.h"
 #include "vici_config.h"
 #include "vici_attribute.h"
+#include "vici_authority.h"
 #include "vici_logger.h"
 
 #include <library.h>
@@ -80,6 +84,11 @@ struct private_vici_plugin_t {
        vici_cred_t *cred;
 
        /**
+        * Certification Authority backend
+        */
+       vici_authority_t *authority;
+
+       /**
         * Configuration backend
         */
        vici_config_t *config;
@@ -119,7 +128,10 @@ static bool register_vici(private_vici_plugin_t *this,
                        this->query = vici_query_create(this->dispatcher);
                        this->control = vici_control_create(this->dispatcher);
                        this->cred = vici_cred_create(this->dispatcher);
-                       this->config = vici_config_create(this->dispatcher);
+                       this->authority = vici_authority_create(this->dispatcher,
+                                                                                                       this->cred);
+                       lib->credmgr->add_set(lib->credmgr, &this->authority->set);
+                       this->config = vici_config_create(this->dispatcher, this->authority);
                        this->attrs = vici_attribute_create(this->dispatcher);
                        this->logger = vici_logger_create(this->dispatcher);
 
@@ -145,6 +157,8 @@ static bool register_vici(private_vici_plugin_t *this,
                this->logger->destroy(this->logger);
                this->attrs->destroy(this->attrs);
                this->config->destroy(this->config);
+               lib->credmgr->remove_set(lib->credmgr, &this->authority->set);
+               this->authority->destroy(this->authority);
                this->cred->destroy(this->cred);
                this->control->destroy(this->control);
                this->query->destroy(this->query);
index f4f9fdf..abf067a 100644 (file)
@@ -7,10 +7,12 @@ swanctl_SOURCES = \
        commands/install.c \
        commands/list_sas.c \
        commands/list_pols.c \
+       commands/list_authorities.c \
        commands/list_conns.c \
        commands/list_certs.c \
        commands/list_pools.c \
        commands/load_all.c \
+       commands/load_authorities.h  commands/load_authorities.c \
        commands/load_conns.c commands/load_conns.h \
        commands/load_creds.c commands/load_creds.h \
        commands/load_pools.c commands/load_pools.h \
index 03cd8b9..26c4134 100644 (file)
@@ -211,7 +211,7 @@ int command_usage(char *error, ...)
        {
                for (i = 0; i < MAX_COMMANDS && cmds[i].cmd; i++)
                {
-                       fprintf(out, "  swanctl --%-15s (-%c)  %s\n",
+                       fprintf(out, "  swanctl --%-16s (-%c)  %s\n",
                                        cmds[i].cmd, cmds[i].op, cmds[i].description);
                }
        }
index ffc3190..0760d13 100644 (file)
@@ -27,7 +27,7 @@
 /**
  * Maximum number of commands (+1).
  */
-#define MAX_COMMANDS 19
+#define MAX_COMMANDS 21
 
 /**
  * Maximum number of options in a command (+3)
diff --git a/src/swanctl/commands/list_authorities.c b/src/swanctl/commands/list_authorities.c
new file mode 100644 (file)
index 0000000..8bff6f9
--- /dev/null
@@ -0,0 +1,169 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <errno.h>
+
+#include "command.h"
+
+#define LABELED_CRL_URI                (1 << 0)
+#define LABELED_OCSP_URI       (1 << 1)
+
+CALLBACK(authority_kv, int,
+       void *null, vici_res_t *res, char *name, void *value, int len)
+{
+       chunk_t chunk;
+
+       chunk = chunk_create(value, len);
+       if (chunk_printable(chunk, NULL, ' '))
+       {
+               printf("  %s: %.*s\n", name, len, value);
+       }
+
+       return 0;
+}
+
+
+CALLBACK(authority_list, int,
+       int *labeled, vici_res_t *res, char *name, void *value, int len)
+{
+       chunk_t chunk;
+
+       chunk = chunk_create(value, len);
+       if (chunk_printable(chunk, NULL, ' '))
+       {
+               if (streq(name, "crl_uris"))
+               {
+                       printf("  %s %.*s\n",
+                                 (*labeled & LABELED_CRL_URI)  ? "          " : "crl_uris: ", 
+                                 len, value);
+                       *labeled |= LABELED_CRL_URI;
+               }
+               if (streq(name, "ocsp_uris"))
+               {
+                       printf("  %s %.*s\n",
+                                 (*labeled & LABELED_OCSP_URI) ? "          " : "ocsp_uris:",
+                                 len, value);
+                       *labeled %= LABELED_OCSP_URI;
+               }
+       }
+       return 0;
+}
+
+CALLBACK(authorities, int,
+       void *null, vici_res_t *res, char *name)
+{
+       int labeled = 0;
+
+       printf("%s:\n", name);
+
+       return vici_parse_cb(res, NULL, authority_kv, authority_list, &labeled);
+}
+
+CALLBACK(list_cb, void,
+       command_format_options_t *format, char *name, vici_res_t *res)
+{
+       if (*format & COMMAND_FORMAT_RAW)
+       {
+               vici_dump(res, "list-authorities event", *format & COMMAND_FORMAT_PRETTY,
+                                 stdout);
+       }
+       else
+       {
+               if (vici_parse_cb(res, authorities, NULL, NULL, NULL) != 0)
+               {
+                       fprintf(stderr, "parsing authority event failed: %s\n",
+                                       strerror(errno));
+               }
+       }
+}
+
+static int list_authorities(vici_conn_t *conn)
+{
+       vici_req_t *req;
+       vici_res_t *res;
+       command_format_options_t format = COMMAND_FORMAT_NONE;
+       char *arg, *ca_name = NULL;;
+       int ret = 0;
+
+       while (TRUE)
+       {
+               switch (command_getopt(&arg))
+               {
+                       case 'h':
+                               return command_usage(NULL);
+                       case 'n':
+                               ca_name = arg;
+                               continue;
+                       case 'P':
+                               format |= COMMAND_FORMAT_PRETTY;
+                               /* fall through to raw */
+                       case 'r':
+                               format |= COMMAND_FORMAT_RAW;
+                               continue;
+                       case EOF:
+                               break;
+                       default:
+                               return command_usage("invalid --list-authorities option");
+               }
+               break;
+       }
+       if (vici_register(conn, "list-authority", list_cb, &format) != 0)
+       {
+               ret = errno;
+               fprintf(stderr, "registering for authorities failed: %s\n",
+                               strerror(errno));
+               return ret;
+       }
+
+       req = vici_begin("list-authorities");
+       if (ca_name)
+       {
+               vici_add_key_valuef(req, "name", "%s", ca_name);
+       }
+       res = vici_submit(req, conn);
+       if (!res)
+       {
+               ret = errno;
+               fprintf(stderr, "list-authorities request failed: %s\n", strerror(errno));
+               return ret;
+       }
+       if (format & COMMAND_FORMAT_RAW)
+       {
+               vici_dump(res, "list-authorities reply", format & COMMAND_FORMAT_PRETTY,
+                                 stdout);
+       }
+       vici_free_res(res);
+       return 0;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+       command_register((command_t) {
+               list_authorities, 'B', "list-authorities",
+               "list loaded authority configurations",
+               {"[--raw|--pretty]"},
+               {
+                       {"help",                'h', 0, "show usage information"},
+                       {"name",                'n', 1, "filter by authority name"},
+                       {"raw",                 'r', 0, "dump raw response message"},
+                       {"pretty",              'P', 0, "dump raw response message in pretty print"},
+               }
+       });
+}
index f47fee5..0010ce1 100644 (file)
@@ -22,6 +22,7 @@
 #include "command.h"
 #include "swanctl.h"
 #include "load_creds.h"
+#include "load_authorities.h"
 #include "load_pools.h"
 #include "load_conns.h"
 
@@ -72,6 +73,10 @@ static int load_all(vici_conn_t *conn)
        }
        if (ret == 0)
        {
+               ret = load_authorities_cfg(conn, format, cfg);
+       }
+       if (ret == 0)
+       {
                ret = load_pools_cfg(conn, format, cfg);
        }
        if (ret == 0)
@@ -90,7 +95,8 @@ static int load_all(vici_conn_t *conn)
 static void __attribute__ ((constructor))reg()
 {
        command_register((command_t) {
-               load_all, 'q', "load-all", "load credentials, pools and connections",
+               load_all, 'q', "load-all",
+               "load credentials, authorities, pools and connections",
                {"[--raw|--pretty] [--clear] [--noprompt]"},
                {
                        {"help",                'h', 0, "show usage information"},
diff --git a/src/swanctl/commands/load_authorities.c b/src/swanctl/commands/load_authorities.c
new file mode 100644 (file)
index 0000000..88dde6a
--- /dev/null
@@ -0,0 +1,365 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <errno.h>
+#include <limits.h>
+
+#include "command.h"
+#include "swanctl.h"
+#include "load_authorities.h"
+
+/**
+ * Add a vici list from a comma separated string value
+ */
+static void add_list_key(vici_req_t *req, char *key, char *value)
+{
+       enumerator_t *enumerator;
+       char *token;
+
+       vici_begin_list(req, key);
+       enumerator = enumerator_create_token(value, ",", " ");
+       while (enumerator->enumerate(enumerator, &token))
+       {
+               vici_add_list_itemf(req, "%s", token);
+       }
+       enumerator->destroy(enumerator);
+       vici_end_list(req);
+}
+
+/**
+ * Add a vici certificate blob value given by its file patch
+ */
+static bool add_file_key_value(vici_req_t *req, char *key, char *value)
+{
+       chunk_t *map;
+       char *path, buf[PATH_MAX];
+
+       if (path_absolute(value))
+       {
+               path = value;
+       }
+       else
+       {
+               path = buf;
+               snprintf(path, PATH_MAX, "%s%s%s",
+                                SWANCTL_X509CADIR, DIRECTORY_SEPARATOR, value);
+       }
+       map = chunk_map(path, FALSE);
+
+       if (map)
+       {
+               vici_add_key_value(req, key, map->ptr, map->len);
+               chunk_unmap(map);
+               return TRUE;
+       }
+       else
+       {
+               fprintf(stderr, "loading ca certificate '%s' failed: %s\n",
+                               path, strerror(errno));
+               return FALSE;
+       }
+}
+
+/**
+ * Translate sletting key/values from a section into vici key-values/lists
+ */
+static bool add_key_values(vici_req_t *req, settings_t *cfg, char *section)
+{
+       enumerator_t *enumerator;
+       char *key, *value;
+       bool ret = TRUE;
+
+       enumerator = cfg->create_key_value_enumerator(cfg, section);
+       while (enumerator->enumerate(enumerator, &key, &value))
+       {
+               /* pool subnet is encoded as key/value, all other attributes as list */
+               if (streq(key, "cacert"))
+               {
+                       ret = add_file_key_value(req, key, value);
+               }
+               else if (streq(key, "cert_uri_base"))
+               {
+                       vici_add_key_valuef(req, key, "%s", value);
+               }
+               else
+               {
+                       add_list_key(req, key, value);
+               }
+               if (!ret)
+               {
+                       break;
+               }
+       }
+       enumerator->destroy(enumerator);
+
+       return ret;
+}
+
+/**
+ * Load an authority configuration
+ */
+static bool load_authority(vici_conn_t *conn, settings_t *cfg,
+                                                  char *section, command_format_options_t format)
+{
+       vici_req_t *req;
+       vici_res_t *res;
+       bool ret = TRUE;
+       char buf[128];
+
+       snprintf(buf, sizeof(buf), "%s.%s", "authorities", section);
+
+       req = vici_begin("load-authority");
+
+       vici_begin_section(req, section);
+       if (!add_key_values(req, cfg, buf))
+       {
+               vici_free_req(req);
+               return FALSE;
+       }
+       vici_end_section(req);
+
+       res = vici_submit(req, conn);
+       if (!res)
+       {
+               fprintf(stderr, "load-authority request failed: %s\n", strerror(errno));
+               return FALSE;
+       }
+       if (format & COMMAND_FORMAT_RAW)
+       {
+               vici_dump(res, "load-authority reply", format & COMMAND_FORMAT_PRETTY,
+                                 stdout);
+       }
+       else if (!streq(vici_find_str(res, "no", "success"), "yes"))
+       {
+               fprintf(stderr, "loading authority '%s' failed: %s\n",
+                               section, vici_find_str(res, "", "errmsg"));
+               ret = FALSE;
+       }
+       else
+       {
+               printf("loaded authority '%s'\n", section);
+       }
+       vici_free_res(res);
+       return ret;
+}
+
+CALLBACK(list_authority, int,
+       linked_list_t *list, vici_res_t *res, char *name, void *value, int len)
+{
+       if (streq(name, "authorities"))
+       {
+               char *str;
+
+               if (asprintf(&str, "%.*s", len, value) != -1)
+               {
+                       list->insert_last(list, str);
+               }
+       }
+       return 0;
+}
+
+/**
+ * Create a list of currently loaded authorities
+ */
+static linked_list_t* list_authorities(vici_conn_t *conn,
+                                                                          command_format_options_t format)
+{
+       linked_list_t *list;
+       vici_res_t *res;
+
+       list = linked_list_create();
+
+       res = vici_submit(vici_begin("get-authorities"), conn);
+       if (res)
+       {
+               if (format & COMMAND_FORMAT_RAW)
+               {
+                       vici_dump(res, "get-authorities reply", format & COMMAND_FORMAT_PRETTY,
+                                         stdout);
+               }
+               vici_parse_cb(res, NULL, NULL, list_authority, list);
+               vici_free_res(res);
+       }
+       return list;
+}
+
+/**
+ * Remove and free a string from a list
+ */
+static void remove_from_list(linked_list_t *list, char *str)
+{
+       enumerator_t *enumerator;
+       char *current;
+
+       enumerator = list->create_enumerator(list);
+       while (enumerator->enumerate(enumerator, &current))
+       {
+               if (streq(current, str))
+               {
+                       list->remove_at(list, enumerator);
+                       free(current);
+               }
+       }
+       enumerator->destroy(enumerator);
+}
+
+/**
+ * Unload a authority by name
+ */
+static bool unload_authority(vici_conn_t *conn, char *name,
+                                                        command_format_options_t format)
+{
+       vici_req_t *req;
+       vici_res_t *res;
+       bool ret = TRUE;
+
+       req = vici_begin("unload-authority");
+       vici_add_key_valuef(req, "name", "%s", name);
+       res = vici_submit(req, conn);
+       if (!res)
+       {
+               fprintf(stderr, "unload-authority request failed: %s\n", strerror(errno));
+               return FALSE;
+       }
+       if (format & COMMAND_FORMAT_RAW)
+       {
+               vici_dump(res, "unload-authority reply", format & COMMAND_FORMAT_PRETTY,
+                                 stdout);
+       }
+       else if (!streq(vici_find_str(res, "no", "success"), "yes"))
+       {
+               fprintf(stderr, "unloading authority '%s' failed: %s\n",
+                               name, vici_find_str(res, "", "errmsg"));
+               ret = FALSE;
+       }
+       vici_free_res(res);
+       return ret;
+}
+
+/**
+ * See header.
+ */
+int load_authorities_cfg(vici_conn_t *conn, command_format_options_t format,
+                                                settings_t *cfg)
+{
+       u_int found = 0, loaded = 0, unloaded = 0;
+       char *section;
+       enumerator_t *enumerator;
+       linked_list_t *authorities;
+
+       authorities = list_authorities(conn, format);
+
+       enumerator = cfg->create_section_enumerator(cfg, "authorities");
+       while (enumerator->enumerate(enumerator, &section))
+       {
+               remove_from_list(authorities, section);
+               found++;
+               if (load_authority(conn, cfg, section, format))
+               {
+                       loaded++;
+               }
+       }
+       enumerator->destroy(enumerator);
+
+       /* unload all authorities in daemon, but not in file */
+       while (authorities->remove_first(authorities, (void**)&section) == SUCCESS)
+       {
+               if (unload_authority(conn, section, format))
+               {
+                       unloaded++;
+               }
+               free(section);
+       }
+       authorities->destroy(authorities);
+
+       if (format & COMMAND_FORMAT_RAW)
+       {
+               return 0;
+       }
+       if (found == 0)
+       {
+               printf("no authorities found, %u unloaded\n", unloaded);
+               return 0;
+       }
+       if (loaded == found)
+       {
+               printf("successfully loaded %u authorities, %u unloaded\n",
+                          loaded, unloaded);
+               return 0;
+       }
+       fprintf(stderr, "loaded %u of %u authorities, %u failed to load, "
+                       "%u unloaded\n", loaded, found, found - loaded, unloaded);
+       return EINVAL;
+}
+
+static int load_authorities(vici_conn_t *conn)
+{
+       command_format_options_t format = COMMAND_FORMAT_NONE;
+       settings_t *cfg;
+       char *arg;
+       int ret;
+
+       while (TRUE)
+       {
+               switch (command_getopt(&arg))
+               {
+                       case 'h':
+                               return command_usage(NULL);
+                       case 'P':
+                               format |= COMMAND_FORMAT_PRETTY;
+                               /* fall through to raw */
+                       case 'r':
+                               format |= COMMAND_FORMAT_RAW;
+                               continue;
+                       case EOF:
+                               break;
+                       default:
+                               return command_usage("invalid --load-authorities option");
+               }
+               break;
+       }
+
+       cfg = settings_create(SWANCTL_CONF);
+       if (!cfg)
+       {
+               fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF);
+               return EINVAL;
+       }
+
+       ret = load_authorities_cfg(conn, format, cfg);
+
+       cfg->destroy(cfg);
+
+       return ret;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+       command_register((command_t) {
+               load_authorities, 'b',
+               "load-authorities", "(re-)load authority configuration",
+               {"[--raw|--pretty]"},
+               {
+                       {"help",                'h', 0, "show usage information"},
+                       {"raw",                 'r', 0, "dump raw response message"},
+                       {"pretty",              'P', 0, "dump raw response message in pretty print"},
+               }
+       });
+}
diff --git a/src/swanctl/commands/load_authorities.h b/src/swanctl/commands/load_authorities.h
new file mode 100644 (file)
index 0000000..d4be214
--- /dev/null
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2015 Andreas Stefffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "command.h"
+
+/**
+ * Load all certification authority definitions from configuration file
+ *
+ * @param conn         vici connection to load to
+ * @param format       output format
+ * @param cfg          configuration to load from
+ */
+int load_authorities_cfg(vici_conn_t *conn, command_format_options_t format,
+                                                settings_t *cfg);
index 543c10a..cd033f9 100644 (file)
@@ -53,9 +53,15 @@ list currently active IKE_SAs
 .B "\-P, \-\-list\-pols"
 list currently installed policies
 .TP
+.B "\-b, \-\-load\-authorities"
+(re\-)load certification authorities information
+.TP
 .B "\-L, \-\-list\-conns"
 list loaded configurations
 .TP
+.B "\-B, \-\-list\-authorities"
+list loaded certification authorities information
+.TP
 .B "\-x, \-\-list\-certs"
 list stored certificates
 .TP
@@ -63,7 +69,7 @@ list stored certificates
 list loaded pool configurations
 .TP
 .B "\-q, \-\-load\-all"
-(re\-)load credentials, pools and connections
+(re\-)load credentials, pools, authorities and connections
 .TP
 .B "\-c, \-\-load\-conns"
 (re\-)load connection configuration
index b6ef175..0bdb6a1 100644 (file)
@@ -810,3 +810,35 @@ pools.<name>.<attr> =
        subnets for the corresponding attribute types. Alternatively, **<attr>** can
        be a numerical identifier, for which string attribute values are accepted
        as well.
+
+authorities { # }
+       Section defining attributes of certification authorities.
+
+authorities.<name> { # }
+       Section defining a certification authority with a unique name.
+
+authorities.<name>.cacert =
+       CA certificate belonging to the certification authority.
+
+       The certificates may use a relative path from the **swanctl** _x509ca_
+       directory, or an absolute path.
+
+authorities.<name>.crl_uris =
+       Comma-separated list of CRL distribution points
+
+       Comma-separated list of CRL distribution points (ldap, http, or file URI)
+
+authorities.<name>.ocsp_uris =
+       Comma-separated list of OCSP URIs
+
+       Comma-separated list of OCSP URIs
+
+authorities.<name>.cert_uri_base =
+       Defines the base URI for the Hash and URL feature supported by IKEv2.
+
+       Defines the base URI for the Hash and URL feature supported by IKEv2.
+       Instead of exchanging complete certificates, IKEv2 allows one to send an
+       URI that resolves to the DER encoded certificate. The certificate URIs are
+       built by appending the SHA1 hash of the DER encoded certificates to this
+       base URI.
+