From: Andreas Steffen
Date: Sat, 5 Dec 2015 22:15:47 +0000 (+0100)
Subject: Share vici_cert_info.c with vici_cred.c
X-Git-Tag: 5.4.0dr1~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=334119b843d7ac1f1987f74834b8fedf52964a25;p=thirdparty%2Fstrongswan.git

Share vici_cert_info.c with vici_cred.c
---

diff --git a/src/libcharon/plugins/vici/vici_cert_info.c b/src/libcharon/plugins/vici/vici_cert_info.c
index ce079603bf..9afaf05a19 100644
--- a/src/libcharon/plugins/vici/vici_cert_info.c
+++ b/src/libcharon/plugins/vici/vici_cert_info.c
@@ -31,6 +31,8 @@ static vici_cert_info_t vici_cert_infos[] = {
 { "x509crl", "X.509 CRL", CERT_X509_CRL, X509_NONE },
 { "ocsp", "OCSP Response", CERT_X509_OCSP_RESPONSE,
+ X509_NONE },
+ { "pubkey", "Raw Public Key", CERT_TRUSTED_PUBKEY,
 X509_NONE }
 };
diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c
index 6631184b56..e2aa5a9b2c 100644
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@@ -15,6 +15,7 @@
 #include "vici_cred.h"
 #include "vici_builder.h"
+#include "vici_cert_info.h"
 #include
 #include
@@ -66,9 +67,9 @@ static vici_message_t* create_reply(char *fmt, ...)
 CALLBACK(load_cert, vici_message_t*,
 private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
 {
- certificate_type_t type;
- x509_flag_t required_flags = 0, additional_flags = 0;
+ vici_cert_info_t *cert_info;
 certificate_t *cert;
+ x509_flag_t flag;
 x509_t *x509;
 chunk_t data;
 bool trusted = TRUE;
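Review bot: The new `pubkey` row makes this table the single source of truth for vici_cred's load_cert as well, but nothing in the table says what the flag column now means for loading: load_cert casts the parsed certificate to `x509_t` whenever a row carries `X509_CA` and hands any other flag to the builder, so a row that paired `X509_CA` with a non-`CERT_X509` type would be a type confusion. A comment above the array along the lines of `/* flag is also consumed by vici_cred load_cert: X509_CA triggers a basic-constraint check and an x509_t cast, so it may only appear on CERT_X509 rows; any other flag is passed to the builder as BUILD_X509_FLAG */` would pin that invariant for the next person adding a row. The rows above line 31 are outside the hunk, so I cannot tell whether an `x509ocsp` entry exists to match the type string swanctl now sends for its new directory.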
@@ -79,61 +80,47 @@ CALLBACK(load_cert, vici_message_t*,
 {
 return create_reply("certificate type missing");
 }
- if (strcaseeq(str, "x509"))
- {
- type = CERT_X509;
- }
- else if (strcaseeq(str, "x509ca"))
- {
- type = CERT_X509;
- required_flags = X509_CA;
- }
- else if (strcaseeq(str, "x509aa"))
- {
- type = CERT_X509;
- additional_flags = X509_AA;
- }
- else if (strcaseeq(str, "x509crl"))
- {
- type = CERT_X509_CRL;
- }
- else if (strcaseeq(str, "x509ac"))
- {
- type = CERT_X509_AC;
- trusted = FALSE;
- }
- else
+
+ cert_info = vici_cert_info_retrieve(str);
+ if (!cert_info)
 {
- return create_reply("invalid certificate type: %s", str);
+ return create_reply("invalid certificate type '%s'", str);
 }
+
 data = message->get_value(message, chunk_empty, "data");
 if (!data.len)
 {
 return create_reply("certificate data missing");
 }
- cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
+
+ /* do not set CA flag externally */
+ flag = (cert_info->flag & X509_CA) ? X509_NONE : cert_info->flag;
+
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, cert_info->type,
 BUILD_BLOB_PEM, data,
- BUILD_X509_FLAG, additional_flags,
+ BUILD_X509_FLAG, flag,
 BUILD_END);
 if (!cert)
 {
 return create_reply("parsing %N certificate failed",
- certificate_type_names, type);
+ certificate_type_names, cert_info->type);
 }
- if (cert->get_type(cert) == CERT_X509)
+ DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
+
+ /* check if CA certificate has CA basic constraint set */
+ if (cert_info->flag & X509_CA)
 {
+ char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
 x509 = (x509_t*)cert;
- if ((required_flags & x509->get_flags(x509)) != required_flags)
+ if (!(x509->get_flags(x509) & X509_CA))
 {
 cert->destroy(cert);
- return create_reply("certificate misses required flag, rejected");
+ DBG1(DBG_CFG, " %s", err_msg);
+ return create_reply(err_msg);
 }
 }
-
- DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
-
- if (type == CERT_X509_CRL)
+ if (cert_info->type == CERT_X509_CRL)
 {
 this->creds->add_crl(this->creds, (crl_t*)cert);
 }
@@ -169,6 +156,10 @@ CALLBACK(load_key, vici_message_t*,
 {
 type = KEY_ECDSA;
 }
+ else if (strcaseeq(str, "bliss"))
+ {
+ type = KEY_BLISS;
+ }
 else
 {
 return create_reply("invalid key type: %s", str);
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index d5d973f6b5..2ea9228513 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -900,6 +900,10 @@ static void enum_others(private_vici_query_t *this, u_int id,
 b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION);
 b->add_kv(b, "type", "%s", cert_type);
 }
+ if (has_privkey(cert))
+ {
+ b->add_kv(b, "has_privkey", "yes");
+ }
 b->add(b, VICI_KEY_VALUE, "data", encoding);
 free(encoding.ptr);
@@ -1016,6 +1020,7 @@ CALLBACK(list_certs, vici_message_t*,
 {
 filter.subject = identification_create_from_string(str);
 }
+ enum_certs(this, id, &filter, CERT_TRUSTED_PUBKEY, "pubkey");
 enum_certs(this, id, &filter, CERT_X509, "x509");
 enum_certs(this, id, &filter, CERT_X509_AC, "x509ac");
 enum_certs(this, id, &filter, CERT_X509_CRL, "x509crl");
diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am
index 0000c4cb3c..5b6b8e4bef 100644
--- a/src/swanctl/Makefile.am
+++ b/src/swanctl/Makefile.am
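Review bot: The rewrite drops the `trusted = FALSE` that the old `x509ac` branch set, while `bool trusted = TRUE` is still declared and never assigned anywhere in the new code, so if the unchanged tail of load_cert (outside the hunk) still calls `add_cert(this->creds, trusted, cert)`, attribute certificates loaded over vici are now stored as trusted instead of untrusted. If that is intended the commit message should say so; otherwise derive it from the table right after the lookup, `trusted = (cert_info->type != CERT_X509_AC);`. The builder call now passes `BUILD_X509_FLAG` for every row, including the new `pubkey` row, whereas the old code only reached it with X.509 types, so the `CERT_TRUSTED_PUBKEY` builder must tolerate that part — verify, or pass the flag only for `CERT_X509`. `create_reply(err_msg)` also hands a non-literal to a printf-style `fmt` parameter; harmless because the string is fixed, but `-Wformat-security` will flag it, so prefer `return create_reply("%s", err_msg);`. load_cert's body ends outside the hunk.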
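Review bot: `has_privkey = yes` becomes a new key in the `list-cert` event record, which is part of the vici wire protocol, yet no protocol documentation is touched in this diff; the record description should gain a line such as `has_privkey = <yes, if a matching private key is available>`. `has_privkey()` itself is outside the hunk, so I can only presume it searches the credential sets for a key matching the certificate — if so, list-certs now performs one such lookup per enumerated certificate, which is acceptable but deserves a one-line comment above the call saying so. enum_others starts and ends outside the hunk.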
@@ -64,10 +64,13 @@ install-data-local: swanctl.conf
 test -e "$(DESTDIR)$(swanctldir)/x509" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509" || true
 test -e "$(DESTDIR)$(swanctldir)/x509ca" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ca" || true
 test -e "$(DESTDIR)$(swanctldir)/x509aa" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509aa" || true
+ test -e "$(DESTDIR)$(swanctldir)/x509ocsp" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ocsp" || true
 test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true
 test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true
+ test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true
 test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
 test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
+ test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true
 test -e "$(DESTDIR)$(swanctldir)/pkcs8" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs8" || true
 test -e "$(DESTDIR)$(swanctldir)/pkcs12" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs12" || true
 test -e "$(DESTDIR)$(swanctldir)/swanctl.conf" || $(INSTALL) -m 640 $(srcdir)/swanctl.conf $(DESTDIR)$(swanctldir)/swanctl.conf || true
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index d2ebc22eb4..d27b0fbf39 100644
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -2,6 +2,9 @@
 * Copyright (C) 2014 Martin Willi
 * Copyright (C) 2014 revosec AG
 *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
@@ -171,6 +174,9 @@ static bool load_key_anytype(vici_conn_t *conn, command_format_options_t format,
 case KEY_ECDSA:
 loaded = load_key(conn, format, path, "ecdsa", encoding);
 break;
+ case KEY_BLISS:
+ loaded = load_key(conn, format, path, "bliss", encoding);
+ break;
 default:
 fprintf(stderr, "unsupported key type in '%s'\n", path);
 break;
@@ -237,6 +243,7 @@ static bool determine_credtype(char *type, credential_type_t *credtype,
 { "pkcs8", CRED_PRIVATE_KEY, KEY_ANY, },
 { "rsa", CRED_PRIVATE_KEY, KEY_RSA, },
 { "ecdsa", CRED_PRIVATE_KEY, KEY_ECDSA, },
+ { "bliss", CRED_PRIVATE_KEY, KEY_BLISS, },
 { "pkcs12", CRED_CONTAINER, CONTAINER_PKCS12, },
 };
 int i;
@@ -548,6 +555,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
 "ike",
 "rsa",
 "ecdsa",
+ "bliss",
 "pkcs8",
 "pkcs12",
 };
@@ -672,14 +680,17 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
 }
 }
- load_certs(conn, format, "x509", SWANCTL_X509DIR);
- load_certs(conn, format, "x509ca", SWANCTL_X509CADIR);
- load_certs(conn, format, "x509aa", SWANCTL_X509AADIR);
- load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR);
- load_certs(conn, format, "x509ac", SWANCTL_X509ACDIR);
+ load_certs(conn, format, "x509", SWANCTL_X509DIR);
+ load_certs(conn, format, "x509ca", SWANCTL_X509CADIR);
+ load_certs(conn, format, "x509aa", SWANCTL_X509AADIR);
+ load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR);
+ load_certs(conn, format, "x509ac", SWANCTL_X509ACDIR);
+ load_certs(conn, format, "x509ocsp", SWANCTL_X509OCSPDIR);
+ load_certs(conn, format, "pubkey", SWANCTL_PUBKEYDIR);
- load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
+ load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
 load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
+ load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR);
 load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR);
 load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR);
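Review bot: `load_certs(conn, format, "x509ocsp", SWANCTL_X509OCSPDIR)` hands the daemon `x509ocsp` as the certificate type (assuming load_certs forwards its type argument unchanged, as the sibling calls suggest), but the only OCSP row of `vici_cert_infos` visible on this page is `ocsp` for `CERT_X509_OCSP_RESPONSE`, so unless an `x509ocsp` row exists above that hunk's context every file in the new directory will be rejected with "invalid certificate type 'x509ocsp'" — worth a check, plus a short comment here naming the table row each directory maps to. Files under the new `pubkey` directory travel the same load-cert path, where `trusted` is initialised to TRUE and never cleared, so they presumably become trust anchors; the swanctl directory documentation should state that so operators protect `pubkey` the way they protect `x509ca`. Re-aligning the five untouched `load_certs` lines and the `rsa` `load_keys` line turns them into delete/add pairs and hides the two real additions; keep the old alignment or split the whitespace change into its own commit.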
diff --git a/src/swanctl/swanctl.h b/src/swanctl/swanctl.h
index cb570cd340..560e895132 100644
--- a/src/swanctl/swanctl.h
+++ b/src/swanctl/swanctl.h
@@ -2,6 +2,9 @@
 * Copyright (C) 2014 Martin Willi
 * Copyright (C) 2014 revosec AG
 *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
@@ -41,6 +44,11 @@
 */
 #define SWANCTL_X509AADIR SWANCTLDIR "/x509aa"
+/**
+ * Directory for X.509 OCSP Signer certs
+ */
+#define SWANCTL_X509OCSPDIR SWANCTLDIR "/x509ocsp"
+
 /**
 * Directory for X.509 CRLs
 */
@@ -51,6 +59,11 @@
 */
 #define SWANCTL_X509ACDIR SWANCTLDIR "/x509ac"
+/**
+ * Directory for raw public keys
+ */
+#define SWANCTL_PUBKEYDIR SWANCTLDIR "/pubkey"
+
 /**
 * Directory for RSA private keys
 */
@@ -61,6 +74,11 @@
 */
 #define SWANCTL_ECDSADIR SWANCTLDIR "/ecdsa"
+/**
+ * Directory for BLISS private keys
+ */
+#define SWANCTL_BLISSDIR SWANCTLDIR "/bliss"
+
 /**
 * Directory for PKCS#8 encoded private keys
 */