Share vici_cert_info.c with vici_cred.c
parent
ef43df6cbe
commit
334119b843
|
@ -31,6 +31,8 @@ static vici_cert_info_t vici_cert_infos[] = {
|
|||
{ "x509crl", "X.509 CRL", CERT_X509_CRL,
|
||||
X509_NONE },
|
||||
{ "ocsp", "OCSP Response", CERT_X509_OCSP_RESPONSE,
|
||||
X509_NONE },
|
||||
{ "pubkey", "Raw Public Key", CERT_TRUSTED_PUBKEY,
|
||||
X509_NONE }
|
||||
};
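Review bot: The `flag` column of `vici_cert_infos` now carries two different meanings for its consumer in vici_cred.c, and nothing in the table says so: load_cert passes the flag to the builder only when it is not `X509_CA`, and for `X509_CA` it instead rejects the parsed certificate unless the CA basic constraint is already present. A short comment above the table, e.g. `/* flag: X509_CA is verified on the parsed cert (never set via the builder); any other flag is passed as BUILD_X509_FLAG */`, would keep the two sides in sync when rows are added. The struct definition and the rows before "x509crl" are outside the hunk, so I cannot tell whether the header already documents this.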
|
||||
|
||||
|
|
|
@ -15,6 +15,7 @@
|
|||
|
||||
#include "vici_cred.h"
|
||||
#include "vici_builder.h"
|
||||
#include "vici_cert_info.h"
|
||||
|
||||
#include <credentials/sets/mem_cred.h>
|
||||
#include <credentials/certificates/ac.h>
|
||||
|
@ -66,9 +67,9 @@ static vici_message_t* create_reply(char *fmt, ...)
|
|||
CALLBACK(load_cert, vici_message_t*,
|
||||
private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
|
||||
{
|
||||
certificate_type_t type;
|
||||
x509_flag_t required_flags = 0, additional_flags = 0;
|
||||
vici_cert_info_t *cert_info;
|
||||
certificate_t *cert;
|
||||
x509_flag_t flag;
|
||||
x509_t *x509;
|
||||
chunk_t data;
|
||||
bool trusted = TRUE;
|
||||
|
@ -79,61 +80,47 @@ CALLBACK(load_cert, vici_message_t*,
|
|||
{
|
||||
return create_reply("certificate type missing");
|
||||
}
|
||||
if (strcaseeq(str, "x509"))
|
||||
|
||||
cert_info = vici_cert_info_retrieve(str);
|
||||
if (!cert_info)
|
||||
{
|
||||
type = CERT_X509;
|
||||
}
|
||||
else if (strcaseeq(str, "x509ca"))
|
||||
{
|
||||
type = CERT_X509;
|
||||
required_flags = X509_CA;
|
||||
}
|
||||
else if (strcaseeq(str, "x509aa"))
|
||||
{
|
||||
type = CERT_X509;
|
||||
additional_flags = X509_AA;
|
||||
}
|
||||
else if (strcaseeq(str, "x509crl"))
|
||||
{
|
||||
type = CERT_X509_CRL;
|
||||
}
|
||||
else if (strcaseeq(str, "x509ac"))
|
||||
{
|
||||
type = CERT_X509_AC;
|
||||
trusted = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
return create_reply("invalid certificate type: %s", str);
|
||||
return create_reply("invalid certificate type '%s'", str);
|
||||
}
|
||||
|
||||
data = message->get_value(message, chunk_empty, "data");
|
||||
if (!data.len)
|
||||
{
|
||||
return create_reply("certificate data missing");
|
||||
}
|
||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
|
||||
|
||||
/* do not set CA flag externally */
|
||||
flag = (cert_info->flag & X509_CA) ? X509_NONE : cert_info->flag;
|
||||
|
||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, cert_info->type,
|
||||
BUILD_BLOB_PEM, data,
|
||||
BUILD_X509_FLAG, additional_flags,
|
||||
BUILD_X509_FLAG, flag,
|
||||
BUILD_END);
|
||||
if (!cert)
|
||||
{
|
||||
return create_reply("parsing %N certificate failed",
|
||||
certificate_type_names, type);
|
||||
certificate_type_names, cert_info->type);
|
||||
}
|
||||
if (cert->get_type(cert) == CERT_X509)
|
||||
{
|
||||
x509 = (x509_t*)cert;
|
||||
|
||||
if ((required_flags & x509->get_flags(x509)) != required_flags)
|
||||
{
|
||||
cert->destroy(cert);
|
||||
return create_reply("certificate misses required flag, rejected");
|
||||
}
|
||||
}
|
||||
|
||||
DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
|
||||
|
||||
if (type == CERT_X509_CRL)
|
||||
/* check if CA certificate has CA basic constraint set */
|
||||
if (cert_info->flag & X509_CA)
|
||||
{
|
||||
char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
|
||||
x509 = (x509_t*)cert;
|
||||
|
||||
if (!(x509->get_flags(x509) & X509_CA))
|
||||
{
|
||||
cert->destroy(cert);
|
||||
DBG1(DBG_CFG, " %s", err_msg);
|
||||
return create_reply(err_msg);
|
||||
}
|
||||
}
|
||||
if (cert_info->type == CERT_X509_CRL)
|
||||
{
|
||||
this->creds->add_crl(this->creds, (crl_t*)cert);
|
||||
}
|
||||
|
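Review bot: The CA check casts `cert` to `x509_t` without the `cert->get_type(cert) == CERT_X509` guard the replaced code had; it is safe only while every table row carrying `X509_CA` has type `CERT_X509`, which this hunk cannot show. Making the check self-contained, `if (cert->get_type(cert) != CERT_X509 || !(x509->get_flags(x509) & X509_CA))`, costs nothing and removes the dependency on the table. The `trusted = FALSE` assignment for "x509ac" is dropped while `bool trusted = TRUE` stays declared; if the add_cert call below the hunk does not derive trust from `cert_info->type`, attribute certificates would now be stored as trusted — please confirm. Minor: `create_reply(err_msg)` passes a char array as the format string; `create_reply("%s", err_msg)` avoids a `-Wformat-security` warning. load_cert continues past the end of the hunk.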
@ -169,6 +156,10 @@ CALLBACK(load_key, vici_message_t*,
|
|||
{
|
||||
type = KEY_ECDSA;
|
||||
}
|
||||
else if (strcaseeq(str, "bliss"))
|
||||
{
|
||||
type = KEY_BLISS;
|
||||
}
|
||||
else
|
||||
{
|
||||
return create_reply("invalid key type: %s", str);
|
||||
|
|
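Review bot: The reply on the last line of the hunk still reads `"invalid key type: %s"` while load_cert in this same commit was changed to `"invalid certificate type '%s'"`; quoting the value the same way, `return create_reply("invalid key type '%s'", str);`, keeps the two replies parallel for clients that display them. The key-type names ("rsa", "ecdsa", "bliss") also remain hand-written here and in swanctl's tables, so adding a key type still needs the multi-file edit the commit just removed for certificates; a shared table like vici_cert_info would fit. load_key's body continues outside the hunk.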
|
@ -900,6 +900,10 @@ static void enum_others(private_vici_query_t *this, u_int id,
|
|||
b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION);
|
||||
b->add_kv(b, "type", "%s", cert_type);
|
||||
}
|
||||
if (has_privkey(cert))
|
||||
{
|
||||
b->add_kv(b, "has_privkey", "yes");
|
||||
}
|
||||
b->add(b, VICI_KEY_VALUE, "data", encoding);
|
||||
free(encoding.ptr);
|
||||
|
||||
|
@ -1016,6 +1020,7 @@ CALLBACK(list_certs, vici_message_t*,
|
|||
{
|
||||
filter.subject = identification_create_from_string(str);
|
||||
}
|
||||
enum_certs(this, id, &filter, CERT_TRUSTED_PUBKEY, "pubkey");
|
||||
enum_certs(this, id, &filter, CERT_X509, "x509");
|
||||
enum_certs(this, id, &filter, CERT_X509_AC, "x509ac");
|
||||
enum_certs(this, id, &filter, CERT_X509_CRL, "x509crl");
|
||||
|
|
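Review bot: The shared table in vici_cert_info.c now accepts "ocsp" (CERT_X509_OCSP_RESPONSE), but list_certs enumerates only pubkey, x509, x509ac and x509crl, so a response loaded through load-cert apparently cannot be listed back. If that is intentional, a one-line comment, `/* OCSP responses are not listed */`, would record it; otherwise `enum_certs(this, id, &filter, CERT_X509_OCSP_RESPONSE, "ocsp");` mirrors the table. Whether the credential store keeps OCSP responses at all is outside this hunk, so this is a question rather than a defect.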
|
@ -64,10 +64,13 @@ install-data-local: swanctl.conf
|
|||
test -e "$(DESTDIR)$(swanctldir)/x509" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509" || true
|
||||
test -e "$(DESTDIR)$(swanctldir)/x509ca" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ca" || true
|
||||
test -e "$(DESTDIR)$(swanctldir)/x509aa" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509aa" || true
|
||||
test -e "$(DESTDIR)$(swanctldir)/x509ocsp" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ocsp" || true
|
||||
test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true
|
||||
test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true
|
||||
test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true
|
||||
test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
|
||||
test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
|
||||
test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true
|
||||
test -e "$(DESTDIR)$(swanctldir)/pkcs8" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs8" || true
|
||||
test -e "$(DESTDIR)$(swanctldir)/pkcs12" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs12" || true
|
||||
test -e "$(DESTDIR)$(swanctldir)/swanctl.conf" || $(INSTALL) -m 640 $(srcdir)/swanctl.conf $(DESTDIR)$(swanctldir)/swanctl.conf || true
|
||||
|
|
|
@ -2,6 +2,9 @@
|
|||
* Copyright (C) 2014 Martin Willi
|
||||
* Copyright (C) 2014 revosec AG
|
||||
*
|
||||
* Copyright (C) 2015 Andreas Steffen
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
|
@ -171,6 +174,9 @@ static bool load_key_anytype(vici_conn_t *conn, command_format_options_t format,
|
|||
case KEY_ECDSA:
|
||||
loaded = load_key(conn, format, path, "ecdsa", encoding);
|
||||
break;
|
||||
case KEY_BLISS:
|
||||
loaded = load_key(conn, format, path, "bliss", encoding);
|
||||
break;
|
||||
default:
|
||||
fprintf(stderr, "unsupported key type in '%s'\n", path);
|
||||
break;
|
||||
|
@ -237,6 +243,7 @@ static bool determine_credtype(char *type, credential_type_t *credtype,
|
|||
{ "pkcs8", CRED_PRIVATE_KEY, KEY_ANY, },
|
||||
{ "rsa", CRED_PRIVATE_KEY, KEY_RSA, },
|
||||
{ "ecdsa", CRED_PRIVATE_KEY, KEY_ECDSA, },
|
||||
{ "bliss", CRED_PRIVATE_KEY, KEY_BLISS, },
|
||||
{ "pkcs12", CRED_CONTAINER, CONTAINER_PKCS12, },
|
||||
};
|
||||
int i;
|
||||
|
@ -548,6 +555,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
|
|||
"ike",
|
||||
"rsa",
|
||||
"ecdsa",
|
||||
"bliss",
|
||||
"pkcs8",
|
||||
"pkcs12",
|
||||
};
|
||||
|
@ -672,14 +680,17 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
|
|||
}
|
||||
}
|
||||
|
||||
load_certs(conn, format, "x509", SWANCTL_X509DIR);
|
||||
load_certs(conn, format, "x509ca", SWANCTL_X509CADIR);
|
||||
load_certs(conn, format, "x509aa", SWANCTL_X509AADIR);
|
||||
load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR);
|
||||
load_certs(conn, format, "x509ac", SWANCTL_X509ACDIR);
|
||||
load_certs(conn, format, "x509", SWANCTL_X509DIR);
|
||||
load_certs(conn, format, "x509ca", SWANCTL_X509CADIR);
|
||||
load_certs(conn, format, "x509aa", SWANCTL_X509AADIR);
|
||||
load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR);
|
||||
load_certs(conn, format, "x509ac", SWANCTL_X509ACDIR);
|
||||
load_certs(conn, format, "x509ocsp", SWANCTL_X509OCSPDIR);
|
||||
load_certs(conn, format, "pubkey", SWANCTL_PUBKEYDIR);
|
||||
|
||||
load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
|
||||
load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
|
||||
load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
|
||||
load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR);
|
||||
load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR);
|
||||
|
||||
load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR);
|
||||
|
|
|
@ -2,6 +2,9 @@
|
|||
* Copyright (C) 2014 Martin Willi
|
||||
* Copyright (C) 2014 revosec AG
|
||||
*
|
||||
* Copyright (C) 2015 Andreas Steffen
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
|
@ -41,6 +44,11 @@
|
|||
*/
|
||||
#define SWANCTL_X509AADIR SWANCTLDIR "/x509aa"
|
||||
|
||||
/**
|
||||
* Directory for X.509 OCSP Signer certs
|
||||
*/
|
||||
#define SWANCTL_X509OCSPDIR SWANCTLDIR "/x509ocsp"
|
||||
|
||||
/**
|
||||
* Directory for X.509 CRLs
|
||||
*/
|
||||
|
@ -51,6 +59,11 @@
|
|||
*/
|
||||
#define SWANCTL_X509ACDIR SWANCTLDIR "/x509ac"
|
||||
|
||||
/**
|
||||
* Directory for raw public keys
|
||||
*/
|
||||
#define SWANCTL_PUBKEYDIR SWANCTLDIR "/pubkey"
|
||||
|
||||
/**
|
||||
* Directory for RSA private keys
|
||||
*/
|
||||
|
@ -61,6 +74,11 @@
|
|||
*/
|
||||
#define SWANCTL_ECDSADIR SWANCTLDIR "/ecdsa"
|
||||
|
||||
/**
|
||||
* Directory for BLISS private keys
|
||||
*/
|
||||
#define SWANCTL_BLISSDIR SWANCTLDIR "/bliss"
|
||||
|
||||
/**
|
||||
* Directory for PKCS#8 encoded private keys
|
||||
*/
|
||||
|
|