vici: Keep track of all CA certificates in vici_authority_t
This way we only have one reference for each CA certificate, whether it is loaded in an authority section, a connection or via load-certs() command. It also avoids enumerating CA certificates multiple times if they are loaded in different ways.
This commit is contained in:
parent
3d3d5235aa
commit
3c5e7eaa88
|
@ -44,10 +44,15 @@ struct private_vici_authority_t {
|
|||
vici_dispatcher_t *dispatcher;
|
||||
|
||||
/**
|
||||
* List of certification authorities
|
||||
* List of certification authorities (authority_t*)
|
||||
*/
|
||||
linked_list_t *authorities;
|
||||
|
||||
/**
|
||||
* List of CA certificates (ca_cert_t*)
|
||||
*/
|
||||
linked_list_t *certs;
|
||||
|
||||
/**
|
||||
* rwlock to lock access to certification authorities
|
||||
*/
|
||||
|
@ -104,10 +109,8 @@ static authority_t *authority_create(char *name)
|
|||
return authority;
|
||||
}
|
||||
|
||||
/**
|
||||
* destroy a certification authority
|
||||
*/
|
||||
static void authority_destroy(authority_t *this)
|
||||
CALLBACK(authority_destroy, void,
|
||||
authority_t *this)
|
||||
{
|
||||
this->crl_uris->destroy_function(this->crl_uris, free);
|
||||
this->ocsp_uris->destroy_function(this->ocsp_uris, free);
|
||||
|
@ -117,6 +120,108 @@ static void authority_destroy(authority_t *this)
|
|||
free(this);
|
||||
}
|
||||
|
||||
typedef struct ca_cert_t ca_cert_t;
|
||||
|
||||
/**
|
||||
* Loaded CA certificate.
|
||||
*/
|
||||
struct ca_cert_t {
|
||||
|
||||
/**
|
||||
* Reference to certificate.
|
||||
*/
|
||||
certificate_t *cert;
|
||||
|
||||
/**
|
||||
* The number of authority sections referring to this certificate.
|
||||
*/
|
||||
u_int count;
|
||||
|
||||
/**
|
||||
* TRUE if this certificate was (also) added externally.
|
||||
*/
|
||||
bool external;
|
||||
};
|
||||
|
||||
/**
|
||||
* Destroy a CA certificate entry
|
||||
*/
|
||||
CALLBACK(ca_cert_destroy, void,
|
||||
ca_cert_t *this)
|
||||
{
|
||||
this->cert->destroy(this->cert);
|
||||
free(this);
|
||||
}
|
||||
|
||||
CALLBACK(match_cert, bool,
|
||||
ca_cert_t *item, va_list args)
|
||||
{
|
||||
certificate_t *cert;
|
||||
|
||||
VA_ARGS_VGET(args, cert);
|
||||
return cert->equals(cert, item->cert);
|
||||
}
|
||||
|
||||
/**
|
||||
* Add a CA certificate to the local store
|
||||
*/
|
||||
static certificate_t *add_cert_internal(private_vici_authority_t *this,
|
||||
certificate_t *cert, bool external)
|
||||
{
|
||||
ca_cert_t *found;
|
||||
|
||||
if (this->certs->find_first(this->certs, match_cert, (void**)&found, cert))
|
||||
{
|
||||
cert->destroy(cert);
|
||||
cert = found->cert->get_ref(found->cert);
|
||||
}
|
||||
else
|
||||
{
|
||||
INIT(found,
|
||||
.cert = cert->get_ref(cert)
|
||||
);
|
||||
this->certs->insert_first(this->certs, found);
|
||||
}
|
||||
if (external)
|
||||
{
|
||||
found->external = TRUE;
|
||||
}
|
||||
else
|
||||
{
|
||||
found->count++;
|
||||
}
|
||||
return cert;
|
||||
}
|
||||
|
||||
CALLBACK(remove_external_certs, bool,
|
||||
ca_cert_t *item, void *unused)
|
||||
{
|
||||
if (item->external)
|
||||
{
|
||||
item->external = FALSE;
|
||||
|
||||
if (!item->count)
|
||||
{
|
||||
ca_cert_destroy(item);
|
||||
return TRUE;
|
||||
}
|
||||
}
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
CALLBACK2(remove_cert, bool,
|
||||
ca_cert_t *item, certificate_t *cert)
|
||||
{
|
||||
if (cert == item->cert)
|
||||
{
|
||||
if (--item->count == 0 && !item->external)
|
||||
{
|
||||
ca_cert_destroy(item);
|
||||
return TRUE;
|
||||
}
|
||||
}
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a (error) reply message
|
||||
|
@ -431,6 +536,9 @@ CALLBACK(authority_sn, bool,
|
|||
|
||||
request->this->lock->write_lock(request->this->lock);
|
||||
|
||||
data->authority->cert = add_cert_internal(request->this,
|
||||
data->authority->cert, FALSE);
|
||||
|
||||
authorities = request->this->authorities;
|
||||
enumerator = authorities->create_enumerator(authorities);
|
||||
while (enumerator->enumerate(enumerator, &authority))
|
||||
|
@ -492,6 +600,7 @@ CALLBACK(unload_authority, vici_message_t*,
|
|||
if (streq(authority->name, authority_name))
|
||||
{
|
||||
this->authorities->remove_at(this->authorities, enumerator);
|
||||
this->certs->remove(this->certs, authority->cert, remove_cert);
|
||||
authority_destroy(authority);
|
||||
found = TRUE;
|
||||
break;
|
||||
|
@ -638,17 +747,16 @@ CALLBACK(cert_data_destroy, void,
|
|||
CALLBACK(certs_filter, bool,
|
||||
cert_data_t *data, enumerator_t *orig, va_list args)
|
||||
{
|
||||
authority_t *authority;
|
||||
ca_cert_t *ca;
|
||||
certificate_t **out;
|
||||
|
||||
VA_ARGS_VGET(args, out);
|
||||
|
||||
while (orig->enumerate(orig, &authority))
|
||||
while (orig->enumerate(orig, &ca))
|
||||
{
|
||||
if (certificate_matches(authority->cert, data->type, data->key,
|
||||
data->id))
|
||||
if (certificate_matches(ca->cert, data->type, data->key, data->id))
|
||||
{
|
||||
*out = authority->cert;
|
||||
*out = ca->cert;
|
||||
return TRUE;
|
||||
}
|
||||
}
|
||||
|
@ -670,7 +778,7 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
|
|||
);
|
||||
|
||||
this->lock->read_lock(this->lock);
|
||||
enumerator = this->authorities->create_enumerator(this->authorities);
|
||||
enumerator = this->certs->create_enumerator(this->certs);
|
||||
return enumerator_create_filter(enumerator, certs_filter, data,
|
||||
cert_data_destroy);
|
||||
}
|
||||
|
@ -760,6 +868,23 @@ METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*,
|
|||
(void*)create_inner_cdp, data, cert_data_destroy);
|
||||
}
|
||||
|
||||
METHOD(vici_authority_t, add_ca_cert, certificate_t*,
|
||||
private_vici_authority_t *this, certificate_t *cert)
|
||||
{
|
||||
this->lock->write_lock(this->lock);
|
||||
cert = add_cert_internal(this, cert, TRUE);
|
||||
this->lock->unlock(this->lock);
|
||||
return cert;
|
||||
}
|
||||
|
||||
METHOD(vici_authority_t, clear_ca_certs, void,
|
||||
private_vici_authority_t *this)
|
||||
{
|
||||
this->lock->write_lock(this->lock);
|
||||
this->certs->remove(this->certs, NULL, remove_external_certs);
|
||||
this->lock->unlock(this->lock);
|
||||
}
|
||||
|
||||
METHOD(vici_authority_t, destroy, void,
|
||||
private_vici_authority_t *this)
|
||||
{
|
||||
|
@ -767,6 +892,7 @@ METHOD(vici_authority_t, destroy, void,
|
|||
|
||||
this->authorities->destroy_function(this->authorities,
|
||||
(void*)authority_destroy);
|
||||
this->certs->destroy_function(this->certs, ca_cert_destroy);
|
||||
this->lock->destroy(this->lock);
|
||||
free(this);
|
||||
}
|
||||
|
@ -787,10 +913,13 @@ vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher)
|
|||
.create_cdp_enumerator = _create_cdp_enumerator,
|
||||
.cache_cert = (void*)nop,
|
||||
},
|
||||
.add_ca_cert = _add_ca_cert,
|
||||
.clear_ca_certs = _clear_ca_certs,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
.dispatcher = dispatcher,
|
||||
.authorities = linked_list_create(),
|
||||
.certs = linked_list_create(),
|
||||
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
|
||||
);
|
||||
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
/*
|
||||
* Copyright (C) 2020 Tobias Brunner
|
||||
* Copyright (C) 2015 Andreas Steffen
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
|
@ -22,7 +23,6 @@
|
|||
#define VICI_AUTHORITY_H_
|
||||
|
||||
#include "vici_dispatcher.h"
|
||||
#include "vici_cred.h"
|
||||
|
||||
typedef struct vici_authority_t vici_authority_t;
|
||||
|
||||
|
@ -36,6 +36,20 @@ struct vici_authority_t {
|
|||
*/
|
||||
credential_set_t set;
|
||||
|
||||
/**
|
||||
* Add a CA certificate and return a reference if it is already stored,
|
||||
* otherwise returns the same certificate.
|
||||
*
|
||||
* @param cert certificate to check
|
||||
* @return reference to stored CA certificate, or original
|
||||
*/
|
||||
certificate_t *(*add_ca_cert)(vici_authority_t *this, certificate_t *cert);
|
||||
|
||||
/**
|
||||
* Remove CA certificates added via add_ca_cert().
|
||||
*/
|
||||
void (*clear_ca_certs)(vici_authority_t *this);
|
||||
|
||||
/**
|
||||
* Destroy a vici_authority_t.
|
||||
*/
|
||||
|
|
|
@ -1444,10 +1444,19 @@ CALLBACK(parse_cert_policy, bool,
|
|||
*/
|
||||
static bool add_cert(auth_data_t *auth, auth_rule_t rule, certificate_t *cert)
|
||||
{
|
||||
vici_authority_t *authority;
|
||||
vici_cred_t *cred;
|
||||
|
||||
cred = auth->request->this->cred;
|
||||
cert = cred->add_cert(cred, cert);
|
||||
if (rule == AUTH_RULE_CA_CERT)
|
||||
{
|
||||
authority = auth->request->this->authority;
|
||||
cert = authority->add_ca_cert(authority, cert);
|
||||
}
|
||||
else
|
||||
{
|
||||
cred = auth->request->this->cred;
|
||||
cert = cred->add_cert(cred, cert);
|
||||
}
|
||||
auth->cfg->add(auth->cfg, rule, cert);
|
||||
return TRUE;
|
||||
}
|
||||
|
@ -1492,17 +1501,13 @@ CALLBACK(parse_cacerts, bool,
|
|||
CALLBACK(parse_pubkeys, bool,
|
||||
auth_data_t *auth, chunk_t v)
|
||||
{
|
||||
vici_cred_t *cred;
|
||||
certificate_t *cert;
|
||||
|
||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
|
||||
BUILD_BLOB_PEM, v, BUILD_END);
|
||||
if (cert)
|
||||
{
|
||||
cred = auth->request->this->cred;
|
||||
cert = cred->add_cert(cred, cert);
|
||||
auth->cfg->add(auth->cfg, AUTH_RULE_SUBJECT_CERT, cert);
|
||||
return TRUE;
|
||||
return add_cert(auth, AUTH_RULE_SUBJECT_CERT, cert);
|
||||
}
|
||||
return FALSE;
|
||||
}
|
||||
|
|
|
@ -51,6 +51,11 @@ struct private_vici_cred_t {
|
|||
*/
|
||||
vici_dispatcher_t *dispatcher;
|
||||
|
||||
/**
|
||||
* CA certificate store
|
||||
*/
|
||||
vici_authority_t *authority;
|
||||
|
||||
/**
|
||||
* credentials
|
||||
*/
|
||||
|
@ -178,19 +183,24 @@ CALLBACK(load_cert, vici_message_t*,
|
|||
}
|
||||
DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
|
||||
|
||||
/* check if CA certificate has CA basic constraint set */
|
||||
if (flag & X509_CA)
|
||||
if (type == CERT_X509)
|
||||
{
|
||||
char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
|
||||
x509 = (x509_t*)cert;
|
||||
|
||||
if (!(x509->get_flags(x509) & X509_CA))
|
||||
if (x509->get_flags(x509) & X509_CA)
|
||||
{
|
||||
cert = this->authority->add_ca_cert(this->authority, cert);
|
||||
cert->destroy(cert);
|
||||
DBG1(DBG_CFG, " %s", err_msg);
|
||||
return create_reply(err_msg);
|
||||
return create_reply(NULL);
|
||||
}
|
||||
else if (flag & X509_CA)
|
||||
{
|
||||
char msg[] = "ca certificate lacks CA basic constraint, rejected";
|
||||
cert->destroy(cert);
|
||||
DBG1(DBG_CFG, " %s", msg);
|
||||
return create_reply(msg);
|
||||
}
|
||||
}
|
||||
|
||||
if (type == CERT_X509_CRL)
|
||||
{
|
||||
this->creds->add_crl(this->creds, (crl_t*)cert);
|
||||
|
@ -535,6 +545,7 @@ CALLBACK(clear_creds, vici_message_t*,
|
|||
private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
|
||||
{
|
||||
this->creds->clear(this->creds);
|
||||
this->authority->clear_ca_certs(this->authority);
|
||||
lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
|
||||
|
||||
return create_reply(NULL);
|
||||
|
@ -603,7 +614,8 @@ METHOD(vici_cred_t, destroy, void,
|
|||
/**
|
||||
* See header
|
||||
*/
|
||||
vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
|
||||
vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher,
|
||||
vici_authority_t *authority)
|
||||
{
|
||||
private_vici_cred_t *this;
|
||||
|
||||
|
@ -620,6 +632,7 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
|
|||
.destroy = _destroy,
|
||||
},
|
||||
.dispatcher = dispatcher,
|
||||
.authority = authority,
|
||||
.creds = mem_cred_create(),
|
||||
.pins = mem_cred_create(),
|
||||
);
|
||||
|
|
|
@ -25,6 +25,7 @@
|
|||
#define VICI_CRED_H_
|
||||
|
||||
#include "vici_dispatcher.h"
|
||||
#include "vici_authority.h"
|
||||
|
||||
#include <credentials/credential_set.h>
|
||||
|
||||
|
@ -58,8 +59,10 @@ struct vici_cred_t {
|
|||
* Create a vici_cred instance.
|
||||
*
|
||||
* @param dispatcher dispatcher to receive requests from
|
||||
* @param authority CA certificate storage
|
||||
* @return credential backend
|
||||
*/
|
||||
vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher);
|
||||
vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher,
|
||||
vici_authority_t *authority);
|
||||
|
||||
#endif /** VICI_CRED_H_ @}*/
|
||||
|
|
|
@ -127,8 +127,8 @@ static bool register_vici(private_vici_plugin_t *this,
|
|||
{
|
||||
this->query = vici_query_create(this->dispatcher);
|
||||
this->control = vici_control_create(this->dispatcher);
|
||||
this->cred = vici_cred_create(this->dispatcher);
|
||||
this->authority = vici_authority_create(this->dispatcher);
|
||||
this->cred = vici_cred_create(this->dispatcher, this->authority);
|
||||
lib->credmgr->add_set(lib->credmgr, &this->cred->set);
|
||||
lib->credmgr->add_set(lib->credmgr, &this->authority->set);
|
||||
this->config = vici_config_create(this->dispatcher, this->authority,
|
||||
|
|
Loading…
Reference in New Issue