vici: Add commands to enumerate and remove private keys

They are identified by their SHA-1 key identifier.
2016-11-09 11:49:32 +01:00 · 2016-11-09 11:49:32 +01:00 · 2a56acf501
parent dd5ee9d415
commit 2a56acf501
2 changed files with 75 additions and 2 deletions
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@ -466,6 +466,28 @@ Load a private key into the daemon.
 		errmsg = <error string on failure>
 	}

+### unload-key() ###
+
+Unload the private key with the given key identifier.
+
+	{
+		id = <hex-encoded SHA-1 key identifier of the private key to unload>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
+### get-keys() ###
+
+Return a list of identifiers of private keys loaded exclusively over vici, not
+including keys found in other backends.
+
+	{} => {
+		keys = [
+			<list of hex-encoded SHA-1 key identifiers>
+		]
+	}
+
 ### load-shared() ###

 Load a shared IKE PSK, EAP or XAuth secret into the daemon.
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@ -1,9 +1,11 @@
 /*
+ * Copyright (C) 2015-2016 Andreas Steffen
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
 * Copyright (C) 2014 Martin Willi
 * Copyright (C) 2014 revosec AG
 *
- * Copyright (C) 2015-2016 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
@ -249,6 +251,53 @@ CALLBACK(load_key, vici_message_t*,
 	return create_reply(NULL);
 }

+CALLBACK(unload_key, vici_message_t*,
+	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+	chunk_t keyid;
+	char *hex, *msg = NULL;
+
+	hex = message->get_str(message, NULL, "id");
+	if (!hex)
+	{
+		return create_reply("key id missing");
+	}
+	keyid = chunk_from_hex(chunk_from_str(hex), NULL);
+	DBG1(DBG_CFG, "unloaded private key with id %+B", &keyid);
+	if (!this->creds->remove_key(this->creds, keyid))
+	{
+		msg = "key not found";
+	}
+	chunk_free(&keyid);
+	return create_reply(msg);
+}
+
+CALLBACK(get_keys, vici_message_t*,
+	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+	vici_builder_t *builder;
+	enumerator_t *enumerator;
+	private_key_t *private;
+	chunk_t keyid;
+
+	builder = vici_builder_create();
+	builder->begin_list(builder, "keys");
+
+	enumerator = this->creds->set.create_private_enumerator(&this->creds->set,
+															KEY_ANY, NULL);
+	while (enumerator->enumerate(enumerator, &private))
+	{
+		if (private->get_fingerprint(private, KEYID_PUBKEY_SHA1, &keyid))
+		{
+			builder->add_li(builder, "%+B", &keyid);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	builder->end_list(builder);
+	return builder->finalize(builder);
+}
+
 CALLBACK(shared_owners, bool,
 	linked_list_t *owners, vici_message_t *message, char *name, chunk_t value)
 {
@ -374,6 +423,8 @@ static void manage_commands(private_vici_cred_t *this, bool reg)
 	manage_command(this, "flush-certs", flush_certs, reg);
 	manage_command(this, "load-cert", load_cert, reg);
 	manage_command(this, "load-key", load_key, reg);
+	manage_command(this, "unload-key", unload_key, reg);
+	manage_command(this, "get-keys", get_keys, reg);
 	manage_command(this, "load-shared", load_shared, reg);
 }