}
else
{
- printf("loaded %s certificate '%s'\n", type, dir);
+ printf("loaded %s certificate from '%s'\n", type, dir);
}
vici_free_res(res);
return ret;
req = vici_begin("load-key");
- vici_add_key_valuef(req, "type", "%s", type);
+ if (streq(type, "pkcs8"))
+ { /* as used by vici */
+ vici_add_key_valuef(req, "type", "any");
+ }
+ else
+ {
+ vici_add_key_valuef(req, "type", "%s", type);
+ }
vici_add_key_value(req, "data", data.ptr, data.len);
res = vici_submit(req, conn);
}
else
{
- printf("loaded %s key '%s'\n", type, dir);
+ printf("loaded %s key from '%s'\n", type, dir);
}
vici_free_res(res);
return ret;
}
/**
+ * Load a private key of any type to vici
+ */
+static bool load_key_anytype(vici_conn_t *conn, command_format_options_t format,
+ char *path, private_key_t *private)
+{
+ bool loaded = FALSE;
+ chunk_t encoding;
+
+ if (!private->get_encoding(private, PRIVKEY_ASN1_DER, &encoding))
+ {
+ fprintf(stderr, "encoding private key from '%s' failed\n", path);
+ return FALSE;
+ }
+ switch (private->get_type(private))
+ {
+ case KEY_RSA:
+ loaded = load_key(conn, format, path, "rsa", encoding);
+ break;
+ case KEY_ECDSA:
+ loaded = load_key(conn, format, path, "ecdsa", encoding);
+ break;
+ default:
+ fprintf(stderr, "unsupported key type in '%s'\n", path);
+ break;
+ }
+ chunk_clear(&encoding);
+ return loaded;
+}
+
+/**
* Callback function to prompt for private key passwords
*/
CALLBACK(password_cb, shared_key_t*,
}
/**
- * Try to parse a potentially encrypted private key using password prompt
+ * Determine credential type and subtype from a type string
*/
-static private_key_t* decrypt_key(char *name, char *type, chunk_t encoding)
+static bool determine_credtype(char *type, credential_type_t *credtype,
+ int *subtype)
{
- key_type_t kt = KEY_ANY;
- private_key_t *private;
- callback_cred_t *cb;
- char buf[128];
+ struct {
+ char *type;
+ credential_type_t credtype;
+ int subtype;
+ } map[] = {
+ { "pkcs8", CRED_PRIVATE_KEY, KEY_ANY, },
+ { "rsa", CRED_PRIVATE_KEY, KEY_RSA, },
+ { "ecdsa", CRED_PRIVATE_KEY, KEY_ECDSA, },
+ };
+ int i;
- if (streq(type, "rsa"))
+ for (i = 0; i < countof(map); i++)
{
- kt = KEY_RSA;
+ if (streq(map[i].type, type))
+ {
+ *credtype = map[i].credtype;
+ *subtype = map[i].subtype;
+ return TRUE;
+ }
}
- else if (streq(type, "ecdsa"))
+ return FALSE;
+}
+
+/**
+ * Try to parse a potentially encrypted credential using password prompt
+ */
+static void* decrypt(char *name, char *type, chunk_t encoding)
+{
+ credential_type_t credtype;
+ int subtype;
+ void *cred;
+ callback_cred_t *cb;
+ char buf[128];
+
+ if (!determine_credtype(type, &credtype, &subtype))
{
- kt = KEY_ECDSA;
+ return NULL;
}
- snprintf(buf, sizeof(buf), "Password for '%s': ", name);
+ snprintf(buf, sizeof(buf), "Password for %s file '%s': ", type, name);
cb = callback_cred_create_shared(password_cb, buf);
lib->credmgr->add_set(lib->credmgr, &cb->set);
- private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, kt,
- BUILD_BLOB_PEM, encoding, BUILD_END);
+ cred = lib->creds->create(lib->creds, credtype, subtype,
+ BUILD_BLOB_PEM, encoding, BUILD_END);
lib->credmgr->remove_set(lib->credmgr, &cb->set);
cb->destroy(cb);
- return private;
+ return cred;
}
/**
- * Try to parse a potentially encrypted private key using configured secret
+ * Try to parse a potentially encrypted credential using configured secret
*/
-static private_key_t* decrypt_key_with_config(settings_t *cfg, char *name,
- char *type, chunk_t encoding)
-{ key_type_t kt = KEY_ANY;
+static void* decrypt_with_config(settings_t *cfg, char *name, char *type,
+ chunk_t encoding)
+{
+ credential_type_t credtype;
+ int subtype;
enumerator_t *enumerator, *secrets;
char *section, *key, *value, *file, buf[128];
shared_key_t *shared;
- private_key_t *private = NULL;
+ void *cred = NULL;
mem_cred_t *mem = NULL;
- if (streq(type, "rsa"))
- {
- kt = KEY_RSA;
- }
- else if (streq(type, "ecdsa"))
- {
- kt = KEY_ECDSA;
- }
- else
+ if (!determine_credtype(type, &credtype, &subtype))
{
- type = "pkcs8";
+ return NULL;
}
/* load all secrets for this key type */
{
lib->credmgr->add_local_set(lib->credmgr, &mem->set, FALSE);
- private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, kt,
- BUILD_BLOB_PEM, encoding, BUILD_END);
+ cred = lib->creds->create(lib->creds, credtype, subtype,
+ BUILD_BLOB_PEM, encoding, BUILD_END);
lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
- if (!private)
+ if (!cred)
{
fprintf(stderr, "configured decryption secret for '%s' invalid\n",
name);
mem->destroy(mem);
}
- return private;
+ return cred;
}
/**
{
private_key_t *private;
bool loaded = FALSE;
- chunk_t encoding;
- private = decrypt_key_with_config(cfg, rel, type, data);
+ private = decrypt_with_config(cfg, rel, type, data);
if (!private && !noprompt)
{
- private = decrypt_key(rel, type, data);
+ private = decrypt(rel, type, data);
}
if (private)
{
- if (private->get_encoding(private, PRIVKEY_ASN1_DER, &encoding))
- {
- switch (private->get_type(private))
- {
- case KEY_RSA:
- loaded = load_key(conn, format, path, "rsa", encoding);
- break;
- case KEY_ECDSA:
- loaded = load_key(conn, format, path, "ecdsa", encoding);
- break;
- default:
- break;
- }
- chunk_clear(&encoding);
- }
+ loaded = load_key_anytype(conn, format, path, private);
private->destroy(private);
}
return loaded;
load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
- load_keys(conn, format, noprompt, cfg, "any", SWANCTL_PKCS8DIR);
+ load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR);
enumerator = cfg->create_section_enumerator(cfg, "secrets");
while (enumerator->enumerate(enumerator, §ion))