AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libstrongswan/plugins/pubkey \
-I$(top_srcdir)/src/libhydra \
-I$(top_srcdir)/src/libcharon \
-DIPSEC_PIDDIR=\"${piddir}\"
#include <collections/array.h>
#include <collections/linked_list.h>
+#include <pubkey_cert.h>
+
#include <stdio.h>
/**
*/
rwlock_t *lock;
+ /**
+ * Credential backend managed by VICI used for our certificates
+ */
+ vici_cred_t *cred;
+
/**
* Auxiliary certification authority information
*/
static bool parse_cert(auth_data_t *auth, auth_rule_t rule, chunk_t v)
{
vici_authority_t *authority;
+ vici_cred_t *cred;
certificate_t *cert;
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
authority = auth->request->this->authority;
authority->check_for_hash_and_url(authority, cert);
}
+ cred = auth->request->this->cred;
+ cert = cred->add_cert(cred, cert);
auth->cfg->add(auth->cfg, rule, cert);
return TRUE;
}
return parse_cert(auth, AUTH_RULE_CA_CERT, v);
}
+/**
+ * Parse raw public keys
+ */
+CALLBACK(parse_pubkeys, bool,
+ auth_data_t *auth, chunk_t v)
+{
+ vici_cred_t *cred;
+ certificate_t *cert;
+
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
+ BUILD_BLOB_PEM, v, BUILD_END);
+ if (cert)
+ {
+ cred = auth->request->this->cred;
+ cert = cred->add_cert(cred, cert);
+ auth->cfg->add(auth->cfg, AUTH_RULE_SUBJECT_CERT, cert);
+ return TRUE;
+ }
+ return FALSE;
+}
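Review bot: parse_pubkeys repeats parse_cert's create / `cred->add_cert()` / `auth->cfg->add()` sequence with only the certificate type (CERT_TRUSTED_PUBKEY instead of CERT_X509) and the rule differing, and it drops the `authority->check_for_hash_and_url()` step that parse_cert performs without saying whether that is deliberate for raw keys. One helper parameterised on the type, e.g. `static bool parse_cert_of_type(auth_data_t *auth, auth_rule_t rule, certificate_type_t type, chunk_t v)`, called from the existing callbacks and from parse_pubkeys, would keep the two paths from drifting. The failure branch returns FALSE without any diagnostic; if parse_cert reports a parse error somewhere outside the visible lines, the raw-key path should report one too. parse_cert itself is only partly visible here (its create call is cut).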
+
/**
* Parse revocation status
*/
{ "groups", parse_group, auth->cfg },
{ "certs", parse_certs, auth },
{ "cacerts", parse_cacerts, auth },
+ { "pubkeys", parse_pubkeys, auth },
};
return parse_rules(rules, countof(rules), name, value,
.request = peer->request,
.cfg = auth_cfg_create(),
};
+ certificate_t *cert;
+ identification_t *id;
if (!message->parse(message, ctx, NULL, auth_kv, auth_li, &auth))
{
auth.cfg->destroy(auth.cfg);
return FALSE;
}
+ cert = auth.cfg->get(auth.cfg, AUTH_RULE_SUBJECT_CERT);
+ id = auth.cfg->get(auth.cfg, AUTH_RULE_IDENTITY);
- if (!auth.cfg->get(auth.cfg, AUTH_RULE_IDENTITY))
+ if (cert)
{
- identification_t *id;
- certificate_t *cert;
+ if (id)
+ {
+ if (cert->get_type(cert) == CERT_TRUSTED_PUBKEY &&
+ id->get_type != ID_ANY)
+ {
+ pubkey_cert_t *pubkey_cert;
- cert = auth.cfg->get(auth.cfg, AUTH_RULE_SUBJECT_CERT);
- if (cert)
+ /* the id is set for informational purposes, only */
+ pubkey_cert = (pubkey_cert_t*)cert;
+ pubkey_cert->set_subject(pubkey_cert, id);
+ }
+ }
+ else
{
id = cert->get_subject(cert);
DBG1(DBG_CFG, " id not specified, defaulting to cert id '%Y'",
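Review bot: `id->get_type != ID_ANY` on the line after the CERT_TRUSTED_PUBKEY check compares the method pointer against the enumerator instead of calling the method, so the identity type is never actually inspected; it should read `id->get_type(id) != ID_ANY`. The certificate mutated here is the reference handed back by `cred->add_cert()` in parse_cert/parse_pubkeys, so if add_cert_ref returns an already-stored instance for an identical key, set_subject rewrites the subject of an object other connections may share — worth confirming, and if it is accepted the "informational purposes" comment should say that the subject reflects the most recently loaded configuration. The enclosing function continues beyond the hunk.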
* See header
*/
vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher,
- vici_authority_t *authority)
+ vici_authority_t *authority,
+ vici_cred_t *cred)
{
private_vici_config_t *this;
.conns = linked_list_create(),
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
.authority = authority,
+ .cred = cred,
);
manage_commands(this, TRUE);
#include "vici_dispatcher.h"
#include "vici_authority.h"
+#include "vici_cred.h"
#include <config/backend.h>
*
* @param dispatcher dispatcher to receive requests from
* @param authority Auxiliary certification authority information
+ * @param cred in-memory credential backend managed by VICI
* @return config backend
*/
vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher,
- vici_authority_t *authority);
+ vici_authority_t *authority,
+ vici_cred_t *cred);
#endif /** VICI_CONFIG_H_ @}*/
METHOD(vici_cred_t, add_cert, certificate_t*,
private_vici_cred_t *this, certificate_t *cert)
{
- return this->creds->get_cert_ref(this->creds, cert);
+ return this->creds->add_cert_ref(this->creds, TRUE, cert);
}
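Review bot: The bare `TRUE` in `add_cert_ref(this->creds, TRUE, cert)` is unexplained, and swapping `get_cert_ref()` for it changes what add_cert does: instead of only looking up a reference, every certificate a connection's `certs`, `cacerts` or `pubkeys` option references is now inserted into the VICI credential set with that flag set. If `this->creds` is a mem_cred_t the argument is its `trusted` flag; confirm that is the intended level for certificates and raw keys listed for the remote peer as well, and name it in place, e.g. `/* TRUE: trusted flag of the backing credential set */`.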
METHOD(vici_cred_t, destroy, void,
this->authority = vici_authority_create(this->dispatcher,
this->cred);
lib->credmgr->add_set(lib->credmgr, &this->authority->set);
- this->config = vici_config_create(this->dispatcher, this->authority);
+ this->config = vici_config_create(this->dispatcher, this->authority,
+ this->cred);
this->attrs = vici_attribute_create(this->dispatcher);
this->logger = vici_logger_create(this->dispatcher);
}
}
+METHOD(pubkey_cert_t, set_subject, void,
+ private_pubkey_cert_t *this, identification_t *subject)
+{
+ DESTROY_IF(this->subject);
+ this->subject = subject->clone(subject);
+}
+
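Review bot: set_subject swaps `this->subject` with no guard, on an object that is reference-counted (`get_ref`, `.ref = 1`) and may therefore already be shared; nothing synchronises the swap, so a holder that obtained the previous subject via get_subject() can see it destroyed underneath it. If the mutator is only meant to run right after construction, before the certificate is shared, state that: `/* only safe before the certificate is handed out via get_ref() */`; otherwise the update needs the same protection as any other mutable state of this type. `subject` is also dereferenced unconditionally, so a NULL argument is a precondition the header should spell out.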
/*
* see header file
*/
.get_ref = _get_ref,
.destroy = _destroy,
},
+ .set_subject = _set_subject,
},
.ref = 1,
.key = key,
* Implements certificate_t.
*/
certificate_t interface;
+
+ /**
+ * Set the subject of the trusted public key.
+ *
+ * @param subject subject to be set
+ */
+ void (*set_subject)(pubkey_cert_t *this, identification_t *subject);
};
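Review bot: The new `@param subject subject to be set` does not state ownership, while the implementation clones the identity, so callers keep and must free their own instance; write `@param subject subject to set, cloned (caller retains ownership)`. Since the certificate is reference-counted, the comment should also say whether calling this after the object has been shared is supported.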
/**
char *keys[] = {
"certs",
"cacerts",
+ "pubkeys"
};
int i;
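Review bot: `"pubkeys"` is appended without the trailing comma that the previous last entry `"cacerts",` kept, so the next addition will have to touch this line again; keep the list's convention with `"pubkeys",`.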
SWANCTL_X509DIR, DIRECTORY_SEPARATOR, token);
token = buf;
}
- if (streq(key, "cacerts"))
+ else if (streq(key, "cacerts"))
{
snprintf(buf, sizeof(buf), "%s%s%s",
SWANCTL_X509CADIR, DIRECTORY_SEPARATOR, token);
token = buf;
}
+ else if (streq(key, "pubkeys"))
+ {
+ snprintf(buf, sizeof(buf), "%s%s%s",
+ SWANCTL_PUBKEYDIR, DIRECTORY_SEPARATOR, token);
+ token = buf;
+ }
}
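Review bot: The new `pubkeys` branch repeats the unchecked `snprintf()` of the two branches above it: a name longer than `buf` is silently truncated and the truncated path is what `chunk_map()` then opens, so an over-long path can load a different file than the one configured. Check the result in all three branches, e.g. `int len = snprintf(buf, sizeof(buf), "%s%s%s", SWANCTL_PUBKEYDIR, DIRECTORY_SEPARATOR, token);` followed by `if (len < 0 || (size_t)len >= sizeof(buf)) { /* reject: path too long */ }`, or resolve the directory once from a small key-to-directory table and format in one place. Separately, this branch resolves `pubkeys` to SWANCTL_PUBKEYDIR for local and remote alike, while the swanctl.opt text added for `remote<suffix>.pubkeys` tells users the _x509_ directory; one of the two should be corrected to match. SWANCTL_PUBKEYDIR is not defined in the visible hunks, presumably it comes from elsewhere in the commit.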
map = chunk_map(token, FALSE);
Comma separated list of certificate candidates to use for authentication.
The certificates may use a relative path from the **swanctl** _x509_
- directory, or an absolute path.
+ directory or an absolute path.
The certificate used for authentication is selected based on the received
certificate request payloads. If no appropriate CA can be located, the
first certificate is used.
+connections.<conn>.local<suffix>.pubkeys =
+ Comma separated list of raw public key candidates to use for authentication.
+
+ Comma separated list of raw public key candidates to use for authentication.
+ The public keys may use a relative path from the **swanctl** _pubkey_
+ directory or an absolute path.
+
+ Even though multiple local public keys could be defined in principle, only
+ the first public key in the list is used for authentication.
+
connections.<conn>.local<suffix>.auth = pubkey
Authentication to perform locally (_pubkey_, _psk_, _xauth[-backend]_ or
_eap[-method]_).
Comma separated list of certificates to accept for authentication.
The certificates may use a relative path from the **swanctl** _x509_
- directory, or an absolute path.
+ directory or an absolute path.
connections.<conn>.remote<suffix>.cacerts =
Comma separated list of CA certificates to accept for authentication.
Comma separated list of CA certificates to accept for authentication.
The certificates may use a relative path from the **swanctl** _x509ca_
- directory, or an absolute path.
+ directory or an absolute path.
+
+connections.<conn>.remote<suffix>.pubkeys =
+ Comma separated list of raw public keys to accept for authentication.
+
+ Comma separated list of raw public keys to accept for authentication.
+ The public keys may use a relative path from the **swanctl** _x509_
+ directory or an absolute path.
connections.<conn>.remote<suffix>.revocation = relaxed
Certificate revocation policy, (_strict_, _ifuri_ or _relaxed_).
Both _transport_ and _beet_ modes are subject to mode negotiation; _tunnel_
mode is negotiated if the preferred mode is not available.
- _pass_ and _drop_ are used to install shunt policies, which explicitly
- bypass the defined traffic from IPsec processing, or drop it, respectively.
+ _pass_ and _drop_ are used to install shunt policies which explicitly
+ bypass the defined traffic from IPsec processing or drop it, respectively.
connections.<conn>.children.<child>.policies = yes
Whether to install IPsec policies or not.
It is not recommended to define any private key decryption passphrases,
as then there is no real security benefit in having encrypted keys. Either
- store the key unencrypted, or enter the keys manually when loading
+ store the key unencrypted or enter the keys manually when loading
credentials.
secrets.eap<suffix> { # }
Value of the EAP/XAuth secret.
Value of the EAP/XAuth secret. It may either be an ASCII string, a hex
- encoded string if it has a _0x_ prefix, or a Base64 encoded string if it
+ encoded string if it has a _0x_ prefix or a Base64 encoded string if it
has a _0s_ prefix in its value.
secrets.eap<suffix>.id<suffix> =
Value of the IKE preshared secret.
Value of the IKE preshared secret. It may either be an ASCII string,
- a hex encoded string if it has a _0x_ prefix, or a Base64 encoded string if
+ a hex encoded string if it has a _0x_ prefix or a Base64 encoded string if
it has a _0s_ prefix in its value.
secrets.ike<suffix>.id<suffix> =
Addresses allocated in pool.
Subnet or range defining addresses allocated in pool. Accepts a single CIDR
- subnet defining the pool to allocate addresses from, or an address range
+ subnet defining the pool to allocate addresses from or an address range
(<from>-<to>). Pools must be unique and non-overlapping.
pools.<name>.<attr> =
CA certificate belonging to the certification authority.
The certificates may use a relative path from the **swanctl** _x509ca_
- directory, or an absolute path.
+ directory or an absolute path.
authorities.<name>.crl_uris =
Comma-separated list of CRL distribution points