Share vici_cert_info.c with vici_cred.c

src/libcharon/plugins/vici/vici_cert_info.c

@@ -31,6 +31,8 @@ static vici_cert_info_t vici_cert_infos[] = {
 	{ "x509crl", "X.509 CRL",                      CERT_X509_CRL,
 											 	   X509_NONE                },
 	{ "ocsp", "OCSP Response",                     CERT_X509_OCSP_RESPONSE,
+												   X509_NONE                },
+	{ "pubkey", "Raw Public Key",                  CERT_TRUSTED_PUBKEY,
 												   X509_NONE                }
 };
 

src/libcharon/plugins/vici/vici_cred.c

@@ -15,6 +15,7 @@
 
 #include "vici_cred.h"
 #include "vici_builder.h"
+#include "vici_cert_info.h"
 
 #include <credentials/sets/mem_cred.h>
 #include <credentials/certificates/ac.h>
@@ -66,9 +67,9 @@ static vici_message_t* create_reply(char *fmt, ...)
 CALLBACK(load_cert, vici_message_t*,
 	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
 {
-	certificate_type_t type;
-	x509_flag_t required_flags = 0, additional_flags = 0;
+	vici_cert_info_t *cert_info;
 	certificate_t *cert;
+	x509_flag_t flag;
 	x509_t *x509;
 	chunk_t data;
 	bool trusted = TRUE;
@@ -79,61 +80,47 @@ CALLBACK(load_cert, vici_message_t*,
 	{
 		return create_reply("certificate type missing");
 	}
-	if (strcaseeq(str, "x509"))
+
+	cert_info = vici_cert_info_retrieve(str);
+	if (!cert_info)
 	{
-		type = CERT_X509;
-	}
-	else if (strcaseeq(str, "x509ca"))
-	{
-		type = CERT_X509;
-		required_flags = X509_CA;
-	}
-	else if (strcaseeq(str, "x509aa"))
-	{
-		type = CERT_X509;
-		additional_flags = X509_AA;
-	}
-	else if (strcaseeq(str, "x509crl"))
-	{
-		type = CERT_X509_CRL;
-	}
-	else if (strcaseeq(str, "x509ac"))
-	{
-		type = CERT_X509_AC;
-		trusted = FALSE;
-	}
-	else
-	{
-		return create_reply("invalid certificate type: %s", str);
+		return create_reply("invalid certificate type '%s'", str);
 	}
+
 	data = message->get_value(message, chunk_empty, "data");
 	if (!data.len)
 	{
 		return create_reply("certificate data missing");
 	}
-	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
+
+	/* do not set CA flag externally */
+	flag = (cert_info->flag & X509_CA) ? X509_NONE : cert_info->flag;
+
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, cert_info->type,
 							  BUILD_BLOB_PEM, data,
-							  BUILD_X509_FLAG, additional_flags,
+							  BUILD_X509_FLAG, flag,
 							  BUILD_END);
 	if (!cert)
 	{
 		return create_reply("parsing %N certificate failed",
-							certificate_type_names, type);
+							certificate_type_names, cert_info->type);
 	}
-	if (cert->get_type(cert) == CERT_X509)
-	{
-		x509 = (x509_t*)cert;
-
-		if ((required_flags & x509->get_flags(x509)) != required_flags)
-		{
-			cert->destroy(cert);
-			return create_reply("certificate misses required flag, rejected");
-		}
-	}
-
 	DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
 
-	if (type == CERT_X509_CRL)
+	/* check if CA certificate has CA basic constraint set */
+	if (cert_info->flag & X509_CA)
+	{
+		char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
+		x509 = (x509_t*)cert;
+
+		if (!(x509->get_flags(x509) & X509_CA))
+		{
+			cert->destroy(cert);
+			DBG1(DBG_CFG, "  %s", err_msg);
+			return create_reply(err_msg);
+		}
+	}
+	if (cert_info->type == CERT_X509_CRL)
 	{
 		this->creds->add_crl(this->creds, (crl_t*)cert);
 	}
@@ -169,6 +156,10 @@ CALLBACK(load_key, vici_message_t*,
 	{
 		type = KEY_ECDSA;
 	}
+	else if (strcaseeq(str, "bliss"))
+	{
+		type = KEY_BLISS;
+	}
 	else
 	{
 		return create_reply("invalid key type: %s", str);

src/libcharon/plugins/vici/vici_query.c

@@ -900,6 +900,10 @@ static void enum_others(private_vici_query_t *this, u_int id,
 				b->add_kv(b, "vici", "%N", vici_version_names, VICI_VERSION);
 				b->add_kv(b, "type", "%s", cert_type);
 			}
+			if (has_privkey(cert))
+			{
+				b->add_kv(b, "has_privkey", "yes");
+			}
 			b->add(b, VICI_KEY_VALUE, "data", encoding);
 			free(encoding.ptr);
 
@@ -1016,6 +1020,7 @@ CALLBACK(list_certs, vici_message_t*,
 	{
 		filter.subject = identification_create_from_string(str);
 	}
+	enum_certs(this, id, &filter, CERT_TRUSTED_PUBKEY, "pubkey");
 	enum_certs(this, id, &filter, CERT_X509, "x509");
 	enum_certs(this, id, &filter, CERT_X509_AC, "x509ac");
 	enum_certs(this, id, &filter, CERT_X509_CRL, "x509crl");

src/swanctl/Makefile.am

@@ -64,10 +64,13 @@ install-data-local: swanctl.conf
 	test -e "$(DESTDIR)$(swanctldir)/x509" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509ca" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ca" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509aa" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509aa" || true
+	test -e "$(DESTDIR)$(swanctldir)/x509ocsp" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ocsp" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true
+	test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true
 	test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
 	test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
+	test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true
 	test -e "$(DESTDIR)$(swanctldir)/pkcs8" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs8" || true
 	test -e "$(DESTDIR)$(swanctldir)/pkcs12" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs12" || true
 	test -e "$(DESTDIR)$(swanctldir)/swanctl.conf" || $(INSTALL) -m 640 $(srcdir)/swanctl.conf $(DESTDIR)$(swanctldir)/swanctl.conf || true

src/swanctl/commands/load_creds.c

@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -171,6 +174,9 @@ static bool load_key_anytype(vici_conn_t *conn, command_format_options_t format,
 		case KEY_ECDSA:
 			loaded = load_key(conn, format, path, "ecdsa", encoding);
 			break;
+		case KEY_BLISS:
+			loaded = load_key(conn, format, path, "bliss", encoding);
+			break;
 		default:
 			fprintf(stderr, "unsupported key type in '%s'\n", path);
 			break;
@@ -237,6 +243,7 @@ static bool determine_credtype(char *type, credential_type_t *credtype,
 		{ "pkcs8",			CRED_PRIVATE_KEY,		KEY_ANY,			},
 		{ "rsa",			CRED_PRIVATE_KEY,		KEY_RSA,			},
 		{ "ecdsa",			CRED_PRIVATE_KEY,		KEY_ECDSA,			},
+		{ "bliss",			CRED_PRIVATE_KEY,		KEY_BLISS,			},
 		{ "pkcs12",			CRED_CONTAINER,			CONTAINER_PKCS12,	},
 	};
 	int i;
@@ -548,6 +555,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
 		"ike",
 		"rsa",
 		"ecdsa",
+		"bliss",
 		"pkcs8",
 		"pkcs12",
 	};
@@ -672,14 +680,17 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
 		}
 	}
 
-	load_certs(conn, format, "x509", SWANCTL_X509DIR);
-	load_certs(conn, format, "x509ca", SWANCTL_X509CADIR);
-	load_certs(conn, format, "x509aa", SWANCTL_X509AADIR);
-	load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR);
-	load_certs(conn, format, "x509ac", SWANCTL_X509ACDIR);
+	load_certs(conn, format, "x509",     SWANCTL_X509DIR);
+	load_certs(conn, format, "x509ca",   SWANCTL_X509CADIR);
+	load_certs(conn, format, "x509aa",   SWANCTL_X509AADIR);
+	load_certs(conn, format, "x509crl",  SWANCTL_X509CRLDIR);
+	load_certs(conn, format, "x509ac",   SWANCTL_X509ACDIR);
+	load_certs(conn, format, "x509ocsp", SWANCTL_X509OCSPDIR);
+	load_certs(conn, format, "pubkey",   SWANCTL_PUBKEYDIR);
 
-	load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
+	load_keys(conn, format, noprompt, cfg, "rsa",   SWANCTL_RSADIR);
 	load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
+	load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR);
 	load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR);
 
 	load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR);

src/swanctl/swanctl.h

@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -41,6 +44,11 @@
  */
 #define SWANCTL_X509AADIR SWANCTLDIR "/x509aa"
 
+/**
+ * Directory for X.509 OCSP Signer certs
+ */
+#define SWANCTL_X509OCSPDIR SWANCTLDIR "/x509ocsp"
+
 /**
  * Directory for X.509 CRLs
  */
@@ -51,6 +59,11 @@
  */
 #define SWANCTL_X509ACDIR SWANCTLDIR "/x509ac"
 
+/**
+ * Directory for raw public keys
+ */
+#define SWANCTL_PUBKEYDIR SWANCTLDIR "/pubkey"
+
 /**
  * Directory for RSA private keys
  */
@@ -61,6 +74,11 @@
  */
 #define SWANCTL_ECDSADIR SWANCTLDIR "/ecdsa"
 
+/**
+ * Directory for BLISS private keys
+ */
+#define SWANCTL_BLISSDIR SWANCTLDIR "/bliss"
+
 /**
  * Directory for PKCS#8 encoded private keys
  */