From 489e3da0eab6c0fb829b2954c01a3300399c4346 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Wed, 2 Apr 2008 12:25:14 +0000 Subject: [PATCH] updated mediation database to public key authentication added mysql table definition, test data testcase --- src/charon/plugins/med_db/Makefile.am | 3 +- src/charon/plugins/med_db/med_db_creds.c | 135 +++++------ src/charon/plugins/med_db/med_db_plugin.c | 5 +- src/charon/plugins/med_db/med_db_pubkey.c | 211 ++++++++++++++++++ src/charon/plugins/med_db/med_db_pubkey.h | 52 +++++ src/charon/plugins/med_db/mysql.sql | 12 + src/charon/plugins/med_db/test.sql | 9 + src/charon/plugins/unit_tester/Makefile.am | 3 +- src/charon/plugins/unit_tester/tests.h | 3 +- .../plugins/unit_tester/tests/test_med_db.c | 52 +++++ 10 files changed, 416 insertions(+), 69 deletions(-) create mode 100644 src/charon/plugins/med_db/med_db_pubkey.c create mode 100644 src/charon/plugins/med_db/med_db_pubkey.h create mode 100644 src/charon/plugins/med_db/mysql.sql create mode 100644 src/charon/plugins/med_db/test.sql create mode 100644 src/charon/plugins/unit_tester/tests/test_med_db.c diff --git a/src/charon/plugins/med_db/Makefile.am b/src/charon/plugins/med_db/Makefile.am index f7608da05..86f770f0e 100644 --- a/src/charon/plugins/med_db/Makefile.am +++ b/src/charon/plugins/med_db/Makefile.am @@ -5,6 +5,7 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libcharon-med-db.la libcharon_med_db_la_SOURCES = med_db_plugin.h med_db_plugin.c \ - med_db_creds.h med_db_creds.c + med_db_creds.h med_db_creds.c \ + med_db_pubkey.h med_db_pubkey.c libcharon_med_db_la_LDFLAGS = -module diff --git a/src/charon/plugins/med_db/med_db_creds.c b/src/charon/plugins/med_db/med_db_creds.c index ad6e6665f..364e039ed 100644 --- a/src/charon/plugins/med_db/med_db_creds.c +++ b/src/charon/plugins/med_db/med_db_creds.c @@ -16,6 +16,7 @@ */ #include "med_db_creds.h" +#include "med_db_pubkey.h" #include #include @@ -40,86 +41,90 @@ struct private_med_db_creds_t { }; /** - * data passed between enumerate calls + * enumerator over certificates */ -typedef struct { - /** current shared key */ - shared_key_t *current; -} data_t; - -typedef struct private_shared_key_t private_shared_key_t; -/** - * shared key implementation - */ -struct private_shared_key_t { - /** implements shared_key_t*/ - shared_key_t public; - /** data of the key */ - chunk_t key; - /** reference counter */ - refcount_t ref; -}; +typedef struct { + /** implements enumerator */ + enumerator_t public; + /** inner SQL enumerator */ + enumerator_t *inner; + /** currently enumerated cert */ + certificate_t *current; + /** type of requested key */ + key_type_t type; +} cert_enumerator_t; /** - * Destroy allocated data_t struct + * Implementation of cert_enumerator_t.public.enumerate */ -static void data_destroy(data_t *this) +static bool cert_enumerator_enumerate(cert_enumerator_t *this, + certificate_t **cert) +{ + public_key_t *public; + chunk_t chunk; + + DESTROY_IF(this->current); + while (this->inner->enumerate(this->inner, &chunk)) + { + public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, + BUILD_BLOB_ASN1_DER, chunk_clone(chunk), + BUILD_END); + if (public) + { + if (this->type == KEY_ANY || this->type == public->get_type(public)) + { + *cert = this->current = (certificate_t*)med_db_pubkey_create(public); + return TRUE; + } + public->destroy(public); + } + } + this->current = NULL; + return FALSE; +} + +/** + * Implementation of cert_enumerator_t.public.destroy + */ +static void cert_enumerator_destroy(cert_enumerator_t *this) { DESTROY_IF(this->current); + this->inner->destroy(this->inner); free(this); } /** - * filter for enumerator, returns for each SQL result a shared key and match + * Implementation of credential_set_t.create_cert_enumerator. */ -static bool filter(data_t *this, chunk_t *chunk, shared_key_t **out, - void **unused1, id_match_t *match_me, - void **unused2, id_match_t *match_other) +static enumerator_t* create_cert_enumerator(private_med_db_creds_t *this, + certificate_type_t cert, key_type_t key, + identification_t *id, bool trusted) { - DESTROY_IF(this->current); - this->current = shared_key_create(SHARED_IKE, *chunk); - *out = this->current; - /* we have unique matches only, but do not compare own ID */ - if (match_me) - { - *match_me = ID_MATCH_ANY; - } - if (match_other) - { - *match_other = ID_MATCH_PERFECT; - } - return TRUE; -} - - -/** - * Implements credential_set_t.create_shared_enumerator - */ -static enumerator_t* create_shared_enumerator(private_med_db_creds_t *this, - shared_key_type_t type, identification_t *me, - identification_t *other) -{ - enumerator_t *enumerator; - data_t *data; + cert_enumerator_t *e; - if (type != SHARED_IKE) + if ((cert != CERT_TRUSTED_PUBKEY && cert != CERT_ANY) || + id == NULL || id->get_type(id) != ID_KEY_ID) { return NULL; } - enumerator = this->db->query(this->db, - "SELECT Psk FROM Peer WHERE PeerId = ?", - DB_BLOB, other->get_encoding(other), - DB_BLOB); - if (enumerator) - { - data = malloc_thing(data_t); - data->current = NULL; - return enumerator_create_filter(enumerator, (void*)filter, - data, (void*)data_destroy); - } - return NULL; -} + e = malloc_thing(cert_enumerator_t); + e->current = NULL; + e->type = key; + e->public.enumerate = (void*)cert_enumerator_enumerate; + e->public.destroy = (void*)cert_enumerator_destroy; + e->inner = this->db->query(this->db, + "SELECT PublicKey FROM Peer WHERE KeyId = ?", + DB_BLOB, id->get_encoding(id), + DB_BLOB); + if (!e->inner) + { + free(e); + return NULL; + } + return &e->public; +} + /** * Implementation of backend_t.destroy. */ @@ -136,8 +141,8 @@ med_db_creds_t *med_db_creds_create(database_t *db) private_med_db_creds_t *this = malloc_thing(private_med_db_creds_t); this->public.set.create_private_enumerator = (void*)return_null; - this->public.set.create_cert_enumerator = (void*)return_null; - this->public.set.create_shared_enumerator = (void*)create_shared_enumerator; + this->public.set.create_cert_enumerator = (void*)create_cert_enumerator; + this->public.set.create_shared_enumerator = (void*)return_null; this->public.set.create_cdp_enumerator = (void*)return_null; this->public.destroy = (void (*)(med_db_creds_t*))destroy; diff --git a/src/charon/plugins/med_db/med_db_plugin.c b/src/charon/plugins/med_db/med_db_plugin.c index 033ec91c7..8b9e21ad5 100644 --- a/src/charon/plugins/med_db/med_db_plugin.c +++ b/src/charon/plugins/med_db/med_db_plugin.c @@ -51,6 +51,7 @@ static void destroy(private_med_db_plugin_t *this) { charon->credentials->remove_set(charon->credentials, &this->creds->set); this->creds->destroy(this->creds); + this->db->destroy(this->db); free(this); } @@ -64,7 +65,8 @@ plugin_t *plugin_create() this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - uri = lib->settings->get_str(lib->settings, "plugins.med_db.database", NULL); + uri = lib->settings->get_str(lib->settings, + "charon.plugins.med_db.database", NULL); if (!uri) { DBG1(DBG_CFG, "mediation database URI not defined, skipped"); @@ -72,6 +74,7 @@ plugin_t *plugin_create() return NULL; } + this->db = lib->db->create(lib->db, uri); if (this->db == NULL) { DBG1(DBG_CFG, "opening mediation server database failed"); diff --git a/src/charon/plugins/med_db/med_db_pubkey.c b/src/charon/plugins/med_db/med_db_pubkey.c new file mode 100644 index 000000000..d0dc41f13 --- /dev/null +++ b/src/charon/plugins/med_db/med_db_pubkey.c @@ -0,0 +1,211 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include "med_db_pubkey.h" + +typedef struct private_med_db_pubkey_t private_med_db_pubkey_t; + +/** + * private data of med_db_pubkey + */ +struct private_med_db_pubkey_t { + + /** + * public functions + */ + med_db_pubkey_t public; + + /** + * wrapped public key + */ + public_key_t *key; + + /** + * dummy issuer id, ID_ANY + */ + identification_t *issuer; + + /** + * reference count + */ + refcount_t ref; +}; + +/** + * Implementation of certificate_t.get_type + */ +static certificate_type_t get_type(private_med_db_pubkey_t *this) +{ + return CERT_TRUSTED_PUBKEY; +} + +/** + * Implementation of certificate_t.get_subject + */ +static identification_t* get_subject(private_med_db_pubkey_t *this) +{ + return this->key->get_id(this->key, ID_PUBKEY_SHA1); +} + +/** + * Implementation of certificate_t.get_issuer + */ +static identification_t* get_issuer(private_med_db_pubkey_t *this) +{ + return this->issuer; +} + +/** + * Implementation of certificate_t.has_subject. + */ +static id_match_t has_subject(private_med_db_pubkey_t *this, + identification_t *subject) +{ + identification_t *id; + + id = this->key->get_id(this->key, subject->get_type(subject)); + if (id) + { + return id->matches(id, subject); + } + return ID_MATCH_NONE; +} + +/** + * Implementation of certificate_t.has_subject. + */ +static id_match_t has_issuer(private_med_db_pubkey_t *this, + identification_t *issuer) +{ + return ID_MATCH_NONE; +} + +/** + * Implementation of certificate_t.equals. + */ +static bool equals(private_med_db_pubkey_t *this, certificate_t *other) +{ + if (this == (private_med_db_pubkey_t*)other) + { + return TRUE; + } + if (other->get_type(other) != CERT_TRUSTED_PUBKEY) + { + return FALSE; + } + return other->has_subject(other, this->key->get_id(this->key, ID_PUBKEY_SHA1)); +} + +/** + * Implementation of certificate_t.issued_by + */ +static bool issued_by(private_med_db_pubkey_t *this, certificate_t *issuer) +{ + return equals(this, issuer); +} + +/** + * Implementation of certificate_t.get_public_key + */ +static public_key_t* get_public_key(private_med_db_pubkey_t *this) +{ + this->key->get_ref(this->key); + return this->key; +} +/** + * Implementation of certificate_t.get_validity. + */ +static bool get_validity(private_med_db_pubkey_t *this, time_t *when, + time_t *not_before, time_t *not_after) +{ + if (not_before) + { + *not_before = 0; + } + if (not_after) + { + *not_after = ~0; + } + return TRUE; +} + +/** + * Implementation of certificate_t.is_newer. + */ +static bool is_newer(certificate_t *this, certificate_t *that) +{ + return FALSE; +} + +/** + * Implementation of certificate_t.get_encoding. + */ +static chunk_t get_encoding(private_med_db_pubkey_t *this) +{ + return this->key->get_encoding(this->key); +} + +/** + * Implementation of certificate_t.get_ref + */ +static private_med_db_pubkey_t* get_ref(private_med_db_pubkey_t *this) +{ + ref_get(&this->ref); + return this; +} + +/** + * Implementation of med_db_pubkey_t.destroy + */ +static void destroy(private_med_db_pubkey_t *this) +{ + if (ref_put(&this->ref)) + { + this->issuer->destroy(this->issuer); + this->key->destroy(this->key); + free(this); + } +} + +/* + * see header file + */ +med_db_pubkey_t *med_db_pubkey_create(public_key_t *key) +{ + private_med_db_pubkey_t *this = malloc_thing(private_med_db_pubkey_t); + + this->public.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type; + this->public.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject; + this->public.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer; + this->public.interface.has_subject = (id_match_t (*)(certificate_t*, identification_t *subject))has_subject; + this->public.interface.has_issuer = (id_match_t (*)(certificate_t*, identification_t *issuer))has_issuer; + this->public.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by; + this->public.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key; + this->public.interface.get_validity = (bool (*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity; + this->public.interface.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer; + this->public.interface.get_encoding = (chunk_t (*)(certificate_t*))get_encoding; + this->public.interface.equals = (bool (*)(certificate_t*, certificate_t *other))equals; + this->public.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref; + this->public.interface.destroy = (void (*)(certificate_t *this))destroy; + + this->ref = 1; + this->key = key; + this->issuer = identification_create_from_encoding(ID_ANY, chunk_empty); + + return &this->public; +} + diff --git a/src/charon/plugins/med_db/med_db_pubkey.h b/src/charon/plugins/med_db/med_db_pubkey.h new file mode 100644 index 000000000..f61f97bf7 --- /dev/null +++ b/src/charon/plugins/med_db/med_db_pubkey.h @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +/** + * @defgroup med_db_pubkey med_db_pubkey + * @{ @ingroup med_db + */ + +#ifndef MED_DB_PUBKEY_H_ +#define MED_DB_PUBKEY_H_ + +#include +#include + +typedef struct med_db_pubkey_t med_db_pubkey_t; + +/** + * A trusted public key wrapped into certificate of type CERT_TRUSTED_PUBKEY. + */ +struct med_db_pubkey_t { + + /** + * Implements certificate_t. + */ + certificate_t interface; +}; + +/** + * Create a wrapped public key instance using a public_key. + * + * The certifcate uses the public_key ID as subject. + * + * @param key public key to wrap + * @return public key implementing certificate interface + */ +med_db_pubkey_t *med_db_pubkey_create(public_key_t *key); + +#endif /* MED_DB_PUBKEY_H_ @}*/ diff --git a/src/charon/plugins/med_db/mysql.sql b/src/charon/plugins/med_db/mysql.sql new file mode 100644 index 000000000..0fb60dbc6 --- /dev/null +++ b/src/charon/plugins/med_db/mysql.sql @@ -0,0 +1,12 @@ + +CREATE TABLE IF NOT EXISTS `Peer` ( + `IdPeer` int(10) unsigned NOT NULL auto_increment, + `IdUser` int(10) unsigned NOT NULL, + `Alias` varchar(30) collate utf8_unicode_ci NOT NULL, + `KeyId` varbinary(20) NOT NULL, + `PublicKey` blob NOT NULL, + PRIMARY KEY (`IdPeer`), + KEY `KeyId` (`KeyId`), + KEY `IdUser` (`IdUser`) +) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; + diff --git a/src/charon/plugins/med_db/test.sql b/src/charon/plugins/med_db/test.sql new file mode 100644 index 000000000..8ba33647c --- /dev/null +++ b/src/charon/plugins/med_db/test.sql @@ -0,0 +1,9 @@ + +INSERT INTO `Peer` ( + `IdPeer`, `IdUser`, `Alias`, `KeyId`, `PublicKey` +) VALUES ( + 1, 0, 'sidv150', + X'ed90e64feca21f4b6897992422e0de21b9d62629', + X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100cd946c229f7d52b21da1cb5384e7dcaf6529f760534a56355efd49e87a9c6f1ddd5ff303bd7eb49c23de03adc487456f41eb5f92947bdc8ff8dbe443f8d112e0da2c98145e7c4d1cd15cddd08577f4d4f3d0a2e1da3c08c94cd819758751931e7a9724cc43d73a11b8e176a268b4cdbbf3995cb09723abc9bfc477c25e714a4661a84c078be7404d8986be55f20437e3a6b278a3cc89aec085941f1a1aafaf4b22ae146fe4684d5567dc30658a32087d01b98515070cb1653311cb6102f82a83c638c2a79985dbb9600752e9cbc272014a5c547b4ab59130c3a948658bff794b6f202cf95939ffa73b10521f05c060cecb15f8597ed95d72b9e405ee31f1b5d90203010001' +); + diff --git a/src/charon/plugins/unit_tester/Makefile.am b/src/charon/plugins/unit_tester/Makefile.am index 9d9f4d79a..8d0070ac9 100644 --- a/src/charon/plugins/unit_tester/Makefile.am +++ b/src/charon/plugins/unit_tester/Makefile.am @@ -13,6 +13,7 @@ libcharon_unit_tester_la_SOURCES = unit_tester.c unit_tester.h \ tests/test_mysql.c \ tests/test_sqlite.c \ tests/test_mutex.c \ - tests/test_rsa_gen.c + tests/test_rsa_gen.c \ + tests/test_med_db.c libcharon_unit_tester_la_LDFLAGS = -module diff --git a/src/charon/plugins/unit_tester/tests.h b/src/charon/plugins/unit_tester/tests.h index a14946a42..18bd58c83 100644 --- a/src/charon/plugins/unit_tester/tests.h +++ b/src/charon/plugins/unit_tester/tests.h @@ -31,4 +31,5 @@ DEFINE_TEST("MySQL operations", test_mysql, FALSE) DEFINE_TEST("SQLite operations", test_sqlite, FALSE) DEFINE_TEST("mutex primitive", test_mutex, FALSE) DEFINE_TEST("RSA key generation", test_rsa_gen, FALSE) -DEFINE_TEST("RSA subjectPublicKeyInfo loading", test_rsa_load_any, TRUE) +DEFINE_TEST("RSA subjectPublicKeyInfo loading", test_rsa_load_any, FALSE) +DEFINE_TEST("Mediation database key fetch", test_med_db, TRUE) diff --git a/src/charon/plugins/unit_tester/tests/test_med_db.c b/src/charon/plugins/unit_tester/tests/test_med_db.c new file mode 100644 index 000000000..7ce280861 --- /dev/null +++ b/src/charon/plugins/unit_tester/tests/test_med_db.c @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include +#include + +#include + +/******************************************************************************* + * fetch public key from mediation database + ******************************************************************************/ + +bool test_med_db() +{ + char keyid_buf[] = { + 0xed,0x90,0xe6,0x4f,0xec,0xa2,0x1f,0x4b, + 0x68,0x97,0x99,0x24,0x22,0xe0,0xde,0x21, + 0xb9,0xd6,0x26,0x29 + }; + chunk_t keyid = chunk_from_buf(keyid_buf); + identification_t *id, *found; + enumerator_t *enumerator; + auth_info_t *auth; + public_key_t *public; + bool good = FALSE; + + id = identification_create_from_encoding(ID_KEY_ID, keyid); + enumerator = charon->credentials->create_public_enumerator( + charon->credentials, KEY_ANY, id, NULL); + while (enumerator->enumerate(enumerator, &public, &auth)) + { + found = public->get_id(public, ID_PUBKEY_SHA1); + good = chunk_equals(id->get_encoding(id), found->get_encoding(found)); + } + enumerator->destroy(enumerator); + id->destroy(id); + return TRUE; +} +