vici: Directly provide CA certificates in authority sections
With the previous approach, CA certificates that were not re-loaded via load-cert() (e.g. from tokens or via absolute paths) would not be available anymore after the clear-creds() command was used. This avoids this issue, but can cause duplicate CA certificates to get stored and enumerated, so there might be a scaling factor.
This commit is contained in:
parent
306c0c9f8e
commit
46ff268885
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (C) 2016-2019 Tobias Brunner
|
||||
* Copyright (C) 2016-2020 Tobias Brunner
|
||||
* Copyright (C) 2015 Andreas Steffen
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
|
@ -43,11 +43,6 @@ struct private_vici_authority_t {
|
|||
*/
|
||||
vici_dispatcher_t *dispatcher;
|
||||
|
||||
/**
|
||||
* credential backend managed by VICI used for our ca certificates
|
||||
*/
|
||||
vici_cred_t *cred;
|
||||
|
||||
/**
|
||||
* List of certification authorities
|
||||
*/
|
||||
|
@ -379,7 +374,6 @@ CALLBACK(authority_sn, bool,
|
|||
enumerator_t *enumerator;
|
||||
linked_list_t *authorities;
|
||||
authority_t *authority;
|
||||
vici_cred_t *cred;
|
||||
load_data_t *data;
|
||||
chunk_t handle;
|
||||
|
||||
|
@ -452,11 +446,8 @@ CALLBACK(authority_sn, bool,
|
|||
enumerator->destroy(enumerator);
|
||||
authorities->insert_last(authorities, data->authority);
|
||||
|
||||
cred = request->this->cred;
|
||||
data->authority->cert = cred->add_cert(cred, data->authority->cert);
|
||||
data->authority = NULL;
|
||||
|
||||
request->this->lock->unlock(request->this->lock);
|
||||
data->authority = NULL;
|
||||
free_load_data(data);
|
||||
|
||||
return TRUE;
|
||||
|
@ -627,27 +618,64 @@ static void manage_commands(private_vici_authority_t *this, bool reg)
|
|||
}
|
||||
|
||||
/**
|
||||
* data to pass to create_inner_cdp
|
||||
* Data for the certificate and CDP enumerator
|
||||
*/
|
||||
typedef struct {
|
||||
private_vici_authority_t *this;
|
||||
certificate_type_t type;
|
||||
key_type_t key;
|
||||
identification_t *id;
|
||||
} cdp_data_t;
|
||||
} cert_data_t;
|
||||
|
||||
/**
|
||||
* destroy cdp enumerator data and unlock list
|
||||
*/
|
||||
static void cdp_data_destroy(cdp_data_t *data)
|
||||
CALLBACK(cert_data_destroy, void,
|
||||
cert_data_t *data)
|
||||
{
|
||||
data->this->lock->unlock(data->this->lock);
|
||||
free(data);
|
||||
}
|
||||
|
||||
/**
|
||||
* inner enumerator constructor for CDP URIs
|
||||
*/
|
||||
static enumerator_t *create_inner_cdp(authority_t *authority, cdp_data_t *data)
|
||||
CALLBACK(certs_filter, bool,
|
||||
cert_data_t *data, enumerator_t *orig, va_list args)
|
||||
{
|
||||
authority_t *authority;
|
||||
certificate_t **out;
|
||||
|
||||
VA_ARGS_VGET(args, out);
|
||||
|
||||
while (orig->enumerate(orig, &authority))
|
||||
{
|
||||
if (certificate_matches(authority->cert, data->type, data->key,
|
||||
data->id))
|
||||
{
|
||||
*out = authority->cert;
|
||||
return TRUE;
|
||||
}
|
||||
}
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
|
||||
private_vici_authority_t *this, certificate_type_t cert, key_type_t key,
|
||||
identification_t *id, bool trusted)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
cert_data_t *data;
|
||||
|
||||
INIT(data,
|
||||
.this = this,
|
||||
.type = cert,
|
||||
.key = key,
|
||||
.id = id,
|
||||
);
|
||||
|
||||
this->lock->read_lock(this->lock);
|
||||
enumerator = this->authorities->create_enumerator(this->authorities);
|
||||
return enumerator_create_filter(enumerator, certs_filter, data,
|
||||
cert_data_destroy);
|
||||
}
|
||||
|
||||
CALLBACK(create_inner_cdp, enumerator_t*,
|
||||
authority_t *authority, cert_data_t *data)
|
||||
{
|
||||
public_key_t *public;
|
||||
enumerator_t *enumerator = NULL;
|
||||
|
@ -671,7 +699,8 @@ static enumerator_t *create_inner_cdp(authority_t *authority, cdp_data_t *data)
|
|||
}
|
||||
else
|
||||
{
|
||||
if (public->has_fingerprint(public, data->id->get_encoding(data->id)))
|
||||
if (public->has_fingerprint(public,
|
||||
data->id->get_encoding(data->id)))
|
||||
{
|
||||
enumerator = list->create_enumerator(list);
|
||||
}
|
||||
|
@ -681,11 +710,8 @@ static enumerator_t *create_inner_cdp(authority_t *authority, cdp_data_t *data)
|
|||
return enumerator;
|
||||
}
|
||||
|
||||
/**
|
||||
* inner enumerator constructor for "Hash and URL"
|
||||
*/
|
||||
static enumerator_t *create_inner_cdp_hashandurl(authority_t *authority,
|
||||
cdp_data_t *data)
|
||||
CALLBACK(create_inner_cdp_hashandurl, enumerator_t*,
|
||||
authority_t *authority, cert_data_t *data)
|
||||
{
|
||||
enumerator_t *enumerator = NULL;
|
||||
|
||||
|
@ -694,7 +720,8 @@ static enumerator_t *create_inner_cdp_hashandurl(authority_t *authority,
|
|||
return NULL;
|
||||
}
|
||||
|
||||
if (authority->cert->has_subject(authority->cert, data->id) != ID_MATCH_NONE)
|
||||
if (authority->cert->has_subject(authority->cert,
|
||||
data->id) != ID_MATCH_NONE)
|
||||
{
|
||||
enumerator = enumerator_create_single(strdup(authority->cert_uri_base),
|
||||
free);
|
||||
|
@ -706,7 +733,7 @@ METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*,
|
|||
private_vici_authority_t *this, certificate_type_t type,
|
||||
identification_t *id)
|
||||
{
|
||||
cdp_data_t *data;
|
||||
cert_data_t *data;
|
||||
|
||||
switch (type)
|
||||
{ /* we serve CRLs, OCSP responders and URLs for "Hash and URL" */
|
||||
|
@ -718,17 +745,18 @@ METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*,
|
|||
default:
|
||||
return NULL;
|
||||
}
|
||||
data = malloc_thing(cdp_data_t);
|
||||
data->this = this;
|
||||
data->type = type;
|
||||
data->id = id;
|
||||
|
||||
INIT(data,
|
||||
.this = this,
|
||||
.type = type,
|
||||
.id = id,
|
||||
);
|
||||
|
||||
this->lock->read_lock(this->lock);
|
||||
|
||||
return enumerator_create_nested(
|
||||
this->authorities->create_enumerator(this->authorities),
|
||||
(type == CERT_X509) ? (void*)create_inner_cdp_hashandurl :
|
||||
(void*)create_inner_cdp, data, (void*)cdp_data_destroy);
|
||||
(void*)create_inner_cdp, data, cert_data_destroy);
|
||||
}
|
||||
|
||||
METHOD(vici_authority_t, destroy, void,
|
||||
|
@ -745,8 +773,7 @@ METHOD(vici_authority_t, destroy, void,
|
|||
/**
|
||||
* See header
|
||||
*/
|
||||
vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher,
|
||||
vici_cred_t *cred)
|
||||
vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher)
|
||||
{
|
||||
private_vici_authority_t *this;
|
||||
|
||||
|
@ -754,7 +781,7 @@ vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher,
|
|||
.public = {
|
||||
.set = {
|
||||
.create_private_enumerator = (void*)return_null,
|
||||
.create_cert_enumerator = (void*)return_null,
|
||||
.create_cert_enumerator = _create_cert_enumerator,
|
||||
.create_shared_enumerator = (void*)return_null,
|
||||
.create_cdp_enumerator = _create_cdp_enumerator,
|
||||
.cache_cert = (void*)nop,
|
||||
|
@ -762,7 +789,6 @@ vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher,
|
|||
.destroy = _destroy,
|
||||
},
|
||||
.dispatcher = dispatcher,
|
||||
.cred = cred,
|
||||
.authorities = linked_list_create(),
|
||||
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
|
||||
);
|
||||
|
|
|
@ -46,10 +46,8 @@ struct vici_authority_t {
|
|||
* Create a vici_authority instance.
|
||||
*
|
||||
* @param dispatcher dispatcher to receive requests from
|
||||
* @param cred in-memory credential backend managed by VICI
|
||||
* @return authority backend
|
||||
*/
|
||||
vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher,
|
||||
vici_cred_t *cred);
|
||||
vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher);
|
||||
|
||||
#endif /** VICI_AUTHORITY_H_ @}*/
|
||||
|
|
|
@ -128,8 +128,7 @@ static bool register_vici(private_vici_plugin_t *this,
|
|||
this->query = vici_query_create(this->dispatcher);
|
||||
this->control = vici_control_create(this->dispatcher);
|
||||
this->cred = vici_cred_create(this->dispatcher);
|
||||
this->authority = vici_authority_create(this->dispatcher,
|
||||
this->cred);
|
||||
this->authority = vici_authority_create(this->dispatcher);
|
||||
lib->credmgr->add_set(lib->credmgr, &this->cred->set);
|
||||
lib->credmgr->add_set(lib->credmgr, &this->authority->set);
|
||||
this->config = vici_config_create(this->dispatcher, this->authority,
|
||||
|
|
Loading…
Reference in New Issue