Merge branch 'vici-ca-certs'

These changes store all CA certificates in vici_authority_t, which avoids
issues with unloading authority sections or clearing credentials.

Closes strongswan/strongswan#172.
This commit is contained in:
Tobias Brunner 2020-07-20 14:07:47 +02:00
commit 6f9d5ea0f1
11 changed files with 323 additions and 132 deletions

View File

@ -175,46 +175,15 @@ CALLBACK(certs_filter, bool,
cert_data_t *data, enumerator_t *orig, va_list args)
{
ca_cert_t *cacert;
public_key_t *public;
certificate_t **out;
VA_ARGS_VGET(args, out);
while (orig->enumerate(orig, &cacert))
{
certificate_t *cert = cacert->cert;
if (data->cert != CERT_ANY && data->cert != cert->get_type(cert))
if (certificate_matches(cacert->cert, data->cert, data->key, data->id))
{
continue;
}
public = cert->get_public_key(cert);
if (public)
{
if (data->key == KEY_ANY || data->key == public->get_type(public))
{
if (data->id && public->has_fingerprint(public,
data->id->get_encoding(data->id)))
{
public->destroy(public);
*out = cert;
return TRUE;
}
}
else
{
public->destroy(public);
continue;
}
public->destroy(public);
}
else if (data->key != KEY_ANY)
{
continue;
}
if (!data->id || cert->has_subject(cert, data->id))
{
*out = cert;
*out = cacert->cert;
return TRUE;
}
}

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2016-2019 Tobias Brunner
* Copyright (C) 2016-2020 Tobias Brunner
* Copyright (C) 2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
@ -44,15 +44,15 @@ struct private_vici_authority_t {
vici_dispatcher_t *dispatcher;
/**
* credential backend managed by VICI used for our ca certificates
*/
vici_cred_t *cred;
/**
* List of certification authorities
* List of certification authorities (authority_t*)
*/
linked_list_t *authorities;
/**
* List of CA certificates (ca_cert_t*)
*/
linked_list_t *certs;
/**
* rwlock to lock access to certification authorities
*/
@ -109,10 +109,8 @@ static authority_t *authority_create(char *name)
return authority;
}
/**
* destroy a certification authority
*/
static void authority_destroy(authority_t *this)
CALLBACK(authority_destroy, void,
authority_t *this)
{
this->crl_uris->destroy_function(this->crl_uris, free);
this->ocsp_uris->destroy_function(this->ocsp_uris, free);
@ -122,6 +120,108 @@ static void authority_destroy(authority_t *this)
free(this);
}
typedef struct ca_cert_t ca_cert_t;
/**
* Loaded CA certificate.
*/
struct ca_cert_t {
/**
* Reference to certificate.
*/
certificate_t *cert;
/**
* The number of authority sections referring to this certificate.
*/
u_int count;
/**
* TRUE if this certificate was (also) added externally.
*/
bool external;
};
/**
* Destroy a CA certificate entry
*/
CALLBACK(ca_cert_destroy, void,
ca_cert_t *this)
{
this->cert->destroy(this->cert);
free(this);
}
CALLBACK(match_cert, bool,
ca_cert_t *item, va_list args)
{
certificate_t *cert;
VA_ARGS_VGET(args, cert);
return cert->equals(cert, item->cert);
}
/**
* Add a CA certificate to the local store
*/
static certificate_t *add_cert_internal(private_vici_authority_t *this,
certificate_t *cert, bool external)
{
ca_cert_t *found;
if (this->certs->find_first(this->certs, match_cert, (void**)&found, cert))
{
cert->destroy(cert);
cert = found->cert->get_ref(found->cert);
}
else
{
INIT(found,
.cert = cert->get_ref(cert)
);
this->certs->insert_first(this->certs, found);
}
if (external)
{
found->external = TRUE;
}
else
{
found->count++;
}
return cert;
}
CALLBACK(remove_external_certs, bool,
ca_cert_t *item, void *unused)
{
if (item->external)
{
item->external = FALSE;
if (!item->count)
{
ca_cert_destroy(item);
return TRUE;
}
}
return FALSE;
}
CALLBACK2(remove_cert, bool,
ca_cert_t *item, certificate_t *cert)
{
if (cert == item->cert)
{
if (--item->count == 0 && !item->external)
{
ca_cert_destroy(item);
return TRUE;
}
}
return FALSE;
}
/**
* Create a (error) reply message
@ -379,7 +479,6 @@ CALLBACK(authority_sn, bool,
enumerator_t *enumerator;
linked_list_t *authorities;
authority_t *authority;
vici_cred_t *cred;
load_data_t *data;
chunk_t handle;
@ -437,6 +536,9 @@ CALLBACK(authority_sn, bool,
request->this->lock->write_lock(request->this->lock);
data->authority->cert = add_cert_internal(request->this,
data->authority->cert, FALSE);
authorities = request->this->authorities;
enumerator = authorities->create_enumerator(authorities);
while (enumerator->enumerate(enumerator, &authority))
@ -452,11 +554,8 @@ CALLBACK(authority_sn, bool,
enumerator->destroy(enumerator);
authorities->insert_last(authorities, data->authority);
cred = request->this->cred;
data->authority->cert = cred->add_cert(cred, data->authority->cert);
data->authority = NULL;
request->this->lock->unlock(request->this->lock);
data->authority = NULL;
free_load_data(data);
return TRUE;
@ -501,6 +600,7 @@ CALLBACK(unload_authority, vici_message_t*,
if (streq(authority->name, authority_name))
{
this->authorities->remove_at(this->authorities, enumerator);
this->certs->remove(this->certs, authority->cert, remove_cert);
authority_destroy(authority);
found = TRUE;
break;
@ -513,6 +613,7 @@ CALLBACK(unload_authority, vici_message_t*,
{
return create_reply("unload: authority '%s' not found", authority_name);
}
lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
return create_reply(NULL);
}
@ -627,27 +728,63 @@ static void manage_commands(private_vici_authority_t *this, bool reg)
}
/**
* data to pass to create_inner_cdp
* Data for the certificate and CDP enumerator
*/
typedef struct {
private_vici_authority_t *this;
certificate_type_t type;
key_type_t key;
identification_t *id;
} cdp_data_t;
} cert_data_t;
/**
* destroy cdp enumerator data and unlock list
*/
static void cdp_data_destroy(cdp_data_t *data)
CALLBACK(cert_data_destroy, void,
cert_data_t *data)
{
data->this->lock->unlock(data->this->lock);
free(data);
}
/**
* inner enumerator constructor for CDP URIs
*/
static enumerator_t *create_inner_cdp(authority_t *authority, cdp_data_t *data)
CALLBACK(certs_filter, bool,
cert_data_t *data, enumerator_t *orig, va_list args)
{
ca_cert_t *ca;
certificate_t **out;
VA_ARGS_VGET(args, out);
while (orig->enumerate(orig, &ca))
{
if (certificate_matches(ca->cert, data->type, data->key, data->id))
{
*out = ca->cert;
return TRUE;
}
}
return FALSE;
}
METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
private_vici_authority_t *this, certificate_type_t cert, key_type_t key,
identification_t *id, bool trusted)
{
enumerator_t *enumerator;
cert_data_t *data;
INIT(data,
.this = this,
.type = cert,
.key = key,
.id = id,
);
this->lock->read_lock(this->lock);
enumerator = this->certs->create_enumerator(this->certs);
return enumerator_create_filter(enumerator, certs_filter, data,
cert_data_destroy);
}
CALLBACK(create_inner_cdp, enumerator_t*,
authority_t *authority, cert_data_t *data)
{
public_key_t *public;
enumerator_t *enumerator = NULL;
@ -671,7 +808,8 @@ static enumerator_t *create_inner_cdp(authority_t *authority, cdp_data_t *data)
}
else
{
if (public->has_fingerprint(public, data->id->get_encoding(data->id)))
if (public->has_fingerprint(public,
data->id->get_encoding(data->id)))
{
enumerator = list->create_enumerator(list);
}
@ -681,11 +819,8 @@ static enumerator_t *create_inner_cdp(authority_t *authority, cdp_data_t *data)
return enumerator;
}
/**
* inner enumerator constructor for "Hash and URL"
*/
static enumerator_t *create_inner_cdp_hashandurl(authority_t *authority,
cdp_data_t *data)
CALLBACK(create_inner_cdp_hashandurl, enumerator_t*,
authority_t *authority, cert_data_t *data)
{
enumerator_t *enumerator = NULL;
@ -694,7 +829,8 @@ static enumerator_t *create_inner_cdp_hashandurl(authority_t *authority,
return NULL;
}
if (authority->cert->has_subject(authority->cert, data->id) != ID_MATCH_NONE)
if (authority->cert->has_subject(authority->cert,
data->id) != ID_MATCH_NONE)
{
enumerator = enumerator_create_single(strdup(authority->cert_uri_base),
free);
@ -706,7 +842,7 @@ METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*,
private_vici_authority_t *this, certificate_type_t type,
identification_t *id)
{
cdp_data_t *data;
cert_data_t *data;
switch (type)
{ /* we serve CRLs, OCSP responders and URLs for "Hash and URL" */
@ -718,17 +854,35 @@ METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*,
default:
return NULL;
}
data = malloc_thing(cdp_data_t);
data->this = this;
data->type = type;
data->id = id;
INIT(data,
.this = this,
.type = type,
.id = id,
);
this->lock->read_lock(this->lock);
return enumerator_create_nested(
this->authorities->create_enumerator(this->authorities),
(type == CERT_X509) ? (void*)create_inner_cdp_hashandurl :
(void*)create_inner_cdp, data, (void*)cdp_data_destroy);
(void*)create_inner_cdp, data, cert_data_destroy);
}
METHOD(vici_authority_t, add_ca_cert, certificate_t*,
private_vici_authority_t *this, certificate_t *cert)
{
this->lock->write_lock(this->lock);
cert = add_cert_internal(this, cert, TRUE);
this->lock->unlock(this->lock);
return cert;
}
METHOD(vici_authority_t, clear_ca_certs, void,
private_vici_authority_t *this)
{
this->lock->write_lock(this->lock);
this->certs->remove(this->certs, NULL, remove_external_certs);
this->lock->unlock(this->lock);
}
METHOD(vici_authority_t, destroy, void,
@ -738,6 +892,7 @@ METHOD(vici_authority_t, destroy, void,
this->authorities->destroy_function(this->authorities,
(void*)authority_destroy);
this->certs->destroy_function(this->certs, ca_cert_destroy);
this->lock->destroy(this->lock);
free(this);
}
@ -745,8 +900,7 @@ METHOD(vici_authority_t, destroy, void,
/**
* See header
*/
vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher,
vici_cred_t *cred)
vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher)
{
private_vici_authority_t *this;
@ -754,16 +908,18 @@ vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher,
.public = {
.set = {
.create_private_enumerator = (void*)return_null,
.create_cert_enumerator = (void*)return_null,
.create_cert_enumerator = _create_cert_enumerator,
.create_shared_enumerator = (void*)return_null,
.create_cdp_enumerator = _create_cdp_enumerator,
.cache_cert = (void*)nop,
},
.add_ca_cert = _add_ca_cert,
.clear_ca_certs = _clear_ca_certs,
.destroy = _destroy,
},
.dispatcher = dispatcher,
.cred = cred,
.authorities = linked_list_create(),
.certs = linked_list_create(),
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
);

View File

@ -1,4 +1,5 @@
/*
* Copyright (C) 2020 Tobias Brunner
* Copyright (C) 2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
@ -22,7 +23,6 @@
#define VICI_AUTHORITY_H_
#include "vici_dispatcher.h"
#include "vici_cred.h"
typedef struct vici_authority_t vici_authority_t;
@ -36,6 +36,20 @@ struct vici_authority_t {
*/
credential_set_t set;
/**
* Add a CA certificate and return a reference if it is already stored,
* otherwise returns the same certificate.
*
* @param cert certificate to check
* @return reference to stored CA certificate, or original
*/
certificate_t *(*add_ca_cert)(vici_authority_t *this, certificate_t *cert);
/**
* Remove CA certificates added via add_ca_cert().
*/
void (*clear_ca_certs)(vici_authority_t *this);
/**
* Destroy a vici_authority_t.
*/
@ -46,10 +60,8 @@ struct vici_authority_t {
* Create a vici_authority instance.
*
* @param dispatcher dispatcher to receive requests from
* @param cred in-memory credential backend managed by VICI
* @return authority backend
*/
vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher,
vici_cred_t *cred);
vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher);
#endif /** VICI_AUTHORITY_H_ @}*/

View File

@ -1444,10 +1444,19 @@ CALLBACK(parse_cert_policy, bool,
*/
static bool add_cert(auth_data_t *auth, auth_rule_t rule, certificate_t *cert)
{
vici_authority_t *authority;
vici_cred_t *cred;
cred = auth->request->this->cred;
cert = cred->add_cert(cred, cert);
if (rule == AUTH_RULE_CA_CERT)
{
authority = auth->request->this->authority;
cert = authority->add_ca_cert(authority, cert);
}
else
{
cred = auth->request->this->cred;
cert = cred->add_cert(cred, cert);
}
auth->cfg->add(auth->cfg, rule, cert);
return TRUE;
}
@ -1492,17 +1501,13 @@ CALLBACK(parse_cacerts, bool,
CALLBACK(parse_pubkeys, bool,
auth_data_t *auth, chunk_t v)
{
vici_cred_t *cred;
certificate_t *cert;
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
BUILD_BLOB_PEM, v, BUILD_END);
if (cert)
{
cred = auth->request->this->cred;
cert = cred->add_cert(cred, cert);
auth->cfg->add(auth->cfg, AUTH_RULE_SUBJECT_CERT, cert);
return TRUE;
return add_cert(auth, AUTH_RULE_SUBJECT_CERT, cert);
}
return FALSE;
}

View File

@ -51,6 +51,11 @@ struct private_vici_cred_t {
*/
vici_dispatcher_t *dispatcher;
/**
* CA certificate store
*/
vici_authority_t *authority;
/**
* credentials
*/
@ -135,7 +140,6 @@ CALLBACK(load_cert, vici_message_t*,
x509_flag_t ext_flag, flag = X509_NONE;
x509_t *x509;
chunk_t data;
bool trusted = TRUE;
char *str;
str = message->get_str(message, NULL, "type");
@ -179,26 +183,31 @@ CALLBACK(load_cert, vici_message_t*,
}
DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
/* check if CA certificate has CA basic constraint set */
if (flag & X509_CA)
if (type == CERT_X509)
{
char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
x509 = (x509_t*)cert;
if (!(x509->get_flags(x509) & X509_CA))
if (x509->get_flags(x509) & X509_CA)
{
cert = this->authority->add_ca_cert(this->authority, cert);
cert->destroy(cert);
DBG1(DBG_CFG, " %s", err_msg);
return create_reply(err_msg);
return create_reply(NULL);
}
else if (flag & X509_CA)
{
char msg[] = "ca certificate lacks CA basic constraint, rejected";
cert->destroy(cert);
DBG1(DBG_CFG, " %s", msg);
return create_reply(msg);
}
}
if (type == CERT_X509_CRL)
{
this->creds->add_crl(this->creds, (crl_t*)cert);
}
else
{
this->creds->add_cert(this->creds, trusted, cert);
this->creds->add_cert(this->creds, type != CERT_X509_AC, cert);
}
return create_reply(NULL);
}
@ -536,6 +545,7 @@ CALLBACK(clear_creds, vici_message_t*,
private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
{
this->creds->clear(this->creds);
this->authority->clear_ca_certs(this->authority);
lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
return create_reply(NULL);
@ -604,7 +614,8 @@ METHOD(vici_cred_t, destroy, void,
/**
* See header
*/
vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher,
vici_authority_t *authority)
{
private_vici_cred_t *this;
@ -621,6 +632,7 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
.destroy = _destroy,
},
.dispatcher = dispatcher,
.authority = authority,
.creds = mem_cred_create(),
.pins = mem_cred_create(),
);

View File

@ -25,6 +25,7 @@
#define VICI_CRED_H_
#include "vici_dispatcher.h"
#include "vici_authority.h"
#include <credentials/credential_set.h>
@ -58,8 +59,10 @@ struct vici_cred_t {
* Create a vici_cred instance.
*
* @param dispatcher dispatcher to receive requests from
* @param authority CA certificate storage
* @return credential backend
*/
vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher);
vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher,
vici_authority_t *authority);
#endif /** VICI_CRED_H_ @}*/

View File

@ -127,9 +127,8 @@ static bool register_vici(private_vici_plugin_t *this,
{
this->query = vici_query_create(this->dispatcher);
this->control = vici_control_create(this->dispatcher);
this->cred = vici_cred_create(this->dispatcher);
this->authority = vici_authority_create(this->dispatcher,
this->cred);
this->authority = vici_authority_create(this->dispatcher);
this->cred = vici_cred_create(this->dispatcher, this->authority);
lib->credmgr->add_set(lib->credmgr, &this->cred->set);
lib->credmgr->add_set(lib->credmgr, &this->authority->set);
this->config = vici_config_create(this->dispatcher, this->authority,

View File

@ -1,4 +1,5 @@
/*
* Copyright (C) 2020 Tobias Brunner
* Copyright (C) 2007 Martin Willi
* Copyright (C) 2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
@ -61,3 +62,40 @@ bool certificate_is_newer(certificate_t *this, certificate_t *other)
type, &that_update, FALSE, newer ? "replaced" : "retained");
return newer;
}
/*
* Described in header
*/
bool certificate_matches(certificate_t *cert, certificate_type_t type,
key_type_t key, identification_t *id)
{
public_key_t *public;
if (type != CERT_ANY && type != cert->get_type(cert))
{
return FALSE;
}
public = cert->get_public_key(cert);
if (public)
{
if (key == KEY_ANY || key == public->get_type(public))
{
if (id && public->has_fingerprint(public, id->get_encoding(id)))
{
public->destroy(public);
return TRUE;
}
}
else
{
public->destroy(public);
return FALSE;
}
public->destroy(public);
}
else if (key != KEY_ANY)
{
return FALSE;
}
return !id || cert->has_subject(cert, id);
}

View File

@ -1,4 +1,5 @@
/*
* Copyright (C) 2020 Tobias Brunner
* Copyright (C) 2007-2008 Martin Willi
* HSR Hochschule fuer Technik Rapperswil
*
@ -204,4 +205,18 @@ struct certificate_t {
*/
bool certificate_is_newer(certificate_t *cert, certificate_t *other);
/**
* Check if the given certificate matches the given type, key type and identity,
* all of which are optional.
*
* Note that the identity may also be a public key fingerprint.
*
* @param cert certificate
* @param type certificate type to match, or CERT_ANY
* @param key key type to match, or KEY_ANY
* @param id identity to match, or NULL
*/
bool certificate_matches(certificate_t *cert, certificate_type_t type,
key_type_t key, identification_t *id);
#endif /** CERTIFICATE_H_ @}*/

View File

@ -84,42 +84,13 @@ CALLBACK(cert_data_destroy, void,
CALLBACK(certs_filter, bool,
cert_data_t *data, enumerator_t *orig, va_list args)
{
public_key_t *public;
certificate_t *cert, **out;
VA_ARGS_VGET(args, out);
while (orig->enumerate(orig, &cert))
{
if (data->cert != CERT_ANY && data->cert != cert->get_type(cert))
{
continue;
}
public = cert->get_public_key(cert);
if (public)
{
if (data->key == KEY_ANY || data->key == public->get_type(public))
{
if (data->id && public->has_fingerprint(public,
data->id->get_encoding(data->id)))
{
public->destroy(public);
*out = cert;
return TRUE;
}
}
else
{
public->destroy(public);
continue;
}
public->destroy(public);
}
else if (data->key != KEY_ANY)
{
continue;
}
if (!data->id || cert->has_subject(cert, data->id))
if (certificate_matches(cert, data->cert, data->key, data->id))
{
*out = cert;
return TRUE;

View File

@ -123,4 +123,15 @@
static typeof(_cb_##name) *name = (typeof(_cb_##name)*)_cb_##name; \
static ret _cb_##name(param1, ##__VA_ARGS__)
/**
* Same as CALLBACK(), but for two void* arguments (e.g. for comparisons).
*/
#define CALLBACK2(name, ret, param1, param2, ...) \
static ret _cb_##name(union {void *_generic; param1;} \
__attribute__((transparent_union)), \
union {void *_generic; param2;} \
__attribute__((transparent_union)), ##__VA_ARGS__); \
static typeof(_cb_##name) *name = (typeof(_cb_##name)*)_cb_##name; \
static ret _cb_##name(param1, param2, ##__VA_ARGS__)
#endif /** OBJECT_H_ @} */