make use of the pem helper plugin to load credentials

11 files changed, 93 insertions, 244 deletions

diff --git a/src/charon/plugins/nm/nm_service.c b/src/charon/plugins/nm/nm_service.c
index 88a3cc95e..95e4751ed 100644
--- a/src/charon/plugins/nm/nm_service.c
+++ b/src/charon/plugins/nm/nm_service.c
@@ -18,7 +18,6 @@
 #include "nm_service.h"
 
 #include <daemon.h>
-#include <asn1/pem.h>
 #include <utils/host.h>
 #include <utils/identification.h>
 #include <config/peer_cfg.h>
@@ -366,20 +365,16 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 			str = nm_setting_vpn_get_data_item(vpn, "userkey");
 			if (!agent && str)
 			{
-				chunk_t secret, chunk;
-				bool pgp = FALSE;
+				chunk_t secret;
 				
 				secret.ptr = (char*)nm_setting_vpn_get_secret(vpn, "password");
 				if (secret.ptr)
 				{
 					secret.len = strlen(secret.ptr);
 				}
-				if (pem_asn1_load_file((char*)str, &secret, &chunk, &pgp))
-				{
-					private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
-								KEY_RSA, BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
-					free(chunk.ptr);
-				}
+				private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+								KEY_RSA, BUILD_FROM_FILE, str,
+								BUILD_PASSPHRASE, secret, BUILD_END);
 				if (!private)
 				{
 					g_set_error(err, NM_VPN_PLUGIN_ERROR,
@@ -491,8 +486,6 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
 {
 	NMSettingVPN *settings;
 	const char *method, *path;
-	chunk_t secret = chunk_empty, key;
-	bool pgp = FALSE;
 	
 	settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
 														NM_TYPE_SETTING_VPN));
@@ -518,14 +511,21 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
 			path = nm_setting_vpn_get_data_item(settings, "userkey");
 			if (path)
 			{
+				private_key_t *key;
+				chunk_t secret;
+				
 				secret.ptr = (char*)nm_setting_vpn_get_secret(settings, "password");
 				if (secret.ptr)
 				{
 					secret.len = strlen(secret.ptr);
 				}
-				if (pem_asn1_load_file((char*)path, &secret, &key, &pgp))
+				/* try to load/decrypt the private key */
+				key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+								KEY_RSA, BUILD_FROM_FILE, path,
+								BUILD_PASSPHRASE, secret, BUILD_END);
+				if (key)
 				{
-					free(key.ptr);
+					key->destroy(key);
 					return FALSE;
 				}
 			}
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index 31bcfe9f4..43046b1cc 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -28,7 +28,6 @@
 #include <utils/linked_list.h>
 #include <utils/lexparser.h>
 #include <utils/mutex.h>
-#include <asn1/pem.h>
 #include <daemon.h>
 
 /* configuration directories and files */
@@ -391,9 +390,9 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
 		
 		if (!(x509->get_flags(x509) & X509_CA))
 		{
+			DBG1(DBG_CFG, "  ca certificate '%Y' misses ca basic constraint, "
+				 "discarded", cert->get_subject(cert));
 			cert->destroy(cert);
-			DBG1(DBG_CFG, "  ca certificate must have ca basic constraint set, "
-				 "discarded");
 			return NULL;
 		}
 		return (certificate_t*)add_cert(this, cert);
@@ -500,8 +499,12 @@ static certificate_t* load_peer(private_stroke_cred_t *this, char *filename)
 	if (cert)
 	{
 		cert = add_cert(this, cert);
+		DBG1(DBG_CFG, "  loaded certificate '%Y' from "
+				 "file '%s'", cert->get_subject(cert), filename);
 		return cert->get_ref(cert);
 	}
+	DBG1(DBG_CFG, "  loading certificate from file "
+		 "'%s' failed", filename);
 	return NULL;
 }
 
@@ -546,11 +549,22 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 						
 						if (!(x509->get_flags(x509) & X509_CA))
 						{
-							DBG1(DBG_CFG, "  ca certificate must have ca "
-								 "basic constraint set, discarded");
+							DBG1(DBG_CFG, "  ca certificate '%Y' misses "
+								 "ca basic constraint, discarded",
+								 cert->get_subject(cert));
 							cert->destroy(cert);
 							cert = NULL;
 						}
+						else
+						{
+							DBG1(DBG_CFG, "  loaded CA certificate '%Y' from "
+								 "file '%s'", cert->get_subject(cert), file);
+						}
+					}
+					else
+					{
+						DBG1(DBG_CFG, "  loading CA certificate from file "
+							 "'%s' failed", file);
 					}
 				}
 				else
@@ -559,6 +573,16 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 										CRED_CERTIFICATE, CERT_X509,
 										BUILD_FROM_FILE, file,
 										BUILD_X509_FLAG, flag, BUILD_END);
+					if (cert)
+					{
+						DBG1(DBG_CFG, "  loaded certificate '%Y' from "
+								 "file '%s'", cert->get_subject(cert), file);
+					}
+					else
+					{
+						DBG1(DBG_CFG, "  loading certificate from file "
+							 "'%s' failed", file);
+					}
 				}
 				if (cert)
 				{
@@ -573,6 +597,11 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 				if (cert)
 				{
 					add_crl(this, (crl_t*)cert);
+					DBG1(DBG_CFG, "  loaded crl from file '%s'",  file);
+				}
+				else
+				{
+					DBG1(DBG_CFG, "  loading crl from file '%s' failed", file);
 				}
 				break;
 			case CERT_X509_AC:
@@ -583,10 +612,17 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 				if (cert)
 				{
 					add_ac(this, (ac_t*)cert);
+					DBG1(DBG_CFG, "  loaded attribute certificate from "
+						 "file '%s'", file);
+				}
+				else
+				{
+					DBG1(DBG_CFG, "  loading attribute certificate from "
+						 "file '%s' failed", file);
 				}
 				break;
 			default:
-				break;	
+				break;
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -838,8 +874,6 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 			chunk_t filename;
 			chunk_t secret = chunk_empty;
 			private_key_t *key;
-			bool pgp = FALSE;
-			chunk_t chunk = chunk_empty;
 			key_type_t key_type = match("RSA", &token) ? KEY_RSA : KEY_ECDSA;
 
 			err_t ugh = extract_value(&filename, &line);
@@ -876,17 +910,14 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 					goto error;
 				}
 			}
-
-			if (pem_asn1_load_file(path, &secret, &chunk, &pgp))
+			key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
+									 BUILD_FROM_FILE, path,
+									 BUILD_PASSPHRASE, secret,BUILD_END);
+			if (key)
 			{
-				key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
-										 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
-				free(chunk.ptr);
-				if (key)
-				{
-					DBG1(DBG_CFG, "  loaded private key file '%s'", path);
-					this->private->insert_last(this->private, key);
-				}
+				DBG1(DBG_CFG, "  loaded %N private key file '%s'",
+					 key_type_names, key->get_type(key), path);
+				this->private->insert_last(this->private, key);
 			}
 			chunk_clear(&secret);
 		}
diff --git a/src/libstrongswan/crypto/pkcs7.c b/src/libstrongswan/crypto/pkcs7.c
index 0039bab94..7da1ca98d 100644
--- a/src/libstrongswan/crypto/pkcs7.c
+++ b/src/libstrongswan/crypto/pkcs7.c
@@ -1066,24 +1066,3 @@ pkcs7_t *pkcs7_create_from_data(chunk_t data)
 	return &this->public;
 }
 
-/*
- * Described in header.
- */
-pkcs7_t *pkcs7_create_from_file(const char *filename, const char *label)
-{
-	bool pgp = FALSE;
-	chunk_t chunk = chunk_empty;
-	char cert_label[BUF_LEN];
-	pkcs7_t *pkcs7;
-
-	snprintf(cert_label, BUF_LEN, "%s pkcs7", label);
-
-	if (!pem_asn1_load_file(filename, NULL, cert_label, &chunk, &pgp))
-	{
-		return NULL;
-	}
-
-	pkcs7 = pkcs7_create_from_chunk(chunk, 0);
-	free(chunk.ptr);
-	return pkcs7;
-}
diff --git a/src/libstrongswan/crypto/pkcs7.h b/src/libstrongswan/crypto/pkcs7.h
index ac4006e71..49684f3f8 100644
--- a/src/libstrongswan/crypto/pkcs7.h
+++ b/src/libstrongswan/crypto/pkcs7.h
@@ -166,13 +166,4 @@ pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level);
  */
 pkcs7_t *pkcs7_create_from_data(chunk_t data);
 
-/**
- * Read a X.509 certificate from a DER encoded file.
- * 
- * @param filename 	file containing DER encoded data
- * @param label		label describing kind of PKCS#7 file
- * @return 			created pkcs7_t object, or NULL if invalid.
- */
-pkcs7_t *pkcs7_create_from_file(const char *filename, const char *label);
-
 #endif /** PKCS7_H_ @}*/
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index 4d9c88c6d..d6426e4d6 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -21,7 +21,6 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <asn1/pem.h>
 #include <crypto/hashers/hasher.h>
 
 typedef struct private_gcrypt_rsa_public_key_t private_gcrypt_rsa_public_key_t;
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index c26187c64..3c1b512e4 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -26,7 +26,6 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <asn1/pem.h>
 #include <crypto/hashers/hasher.h>
 #include <pgp/pgp.h>
 
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_public_key.c b/src/libstrongswan/plugins/pubkey/pubkey_public_key.c
index afe200fec..77b53ffe0 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_public_key.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_public_key.c
@@ -18,7 +18,6 @@
 #include "pubkey_public_key.h"
 
 #include <debug.h>
-#include <asn1/pem.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
@@ -137,21 +136,6 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 				va_end(args);
 				return;
 			}
-			case BUILD_BLOB_PEM:
-			{
-				bool pgp;
-				
-				va_start(args, part);
-				blob = va_arg(args, chunk_t);
-				blob = chunk_clone(blob);
-				if (pem_to_bin(&blob, chunk_empty, &pgp) == SUCCESS)
-				{
-					this->key = pubkey_public_key_load(chunk_clone(blob));
-				}
-				free(blob.ptr);
-				va_end(args);
-				return;
-			}
 			default:
 				break;
 		}
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index 638f96b44..f8052eedb 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -26,7 +26,6 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <asn1/pem.h>
 #include <utils/identification.h>
 #include <utils/linked_list.h>
 #include <credentials/certificates/x509.h>
@@ -966,33 +965,8 @@ static private_x509_ac_t* create_from_chunk(chunk_t chunk)
 		return NULL;
 	}
 	return this;
-}	
-
-/**
- * create X.509 crl from a file
- */
-static private_x509_ac_t* create_from_file(char *path)
-{
-	bool pgp = FALSE;
-	chunk_t chunk;
-	private_x509_ac_t *this;
-	
-	if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
-	{
-		return NULL;
-	}
-
-	this = create_from_chunk(chunk);
-
-	if (this == NULL)
-	{
-		DBG1("  could not parse loaded attribute certificate file '%s'", path);
-		return NULL;
-	}
-	DBG1("  loaded attribute certificate file '%s'", path);
-	return this;
 }
-	
+
 typedef struct private_builder_t private_builder_t;
 /**
  * Builder implementation for certificate loading
@@ -1042,13 +1016,6 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 	va_start(args, part);
 	switch (part)
 	{
-		case BUILD_FROM_FILE:
-			if (this->ac)
-			{
-				destroy(this->ac);
-			}
-			this->ac = create_from_file(va_arg(args, char*));
-			break;
 		case BUILD_BLOB_ASN1_DER:
 			if (this->ac)
 			{
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 6fe1809c2..32627ebef 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -33,7 +33,6 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <asn1/pem.h>
 #include <crypto/hashers/hasher.h>
 #include <credentials/keys/private_key.h>
 #include <utils/linked_list.h>
@@ -1184,31 +1183,6 @@ static private_x509_cert_t *create_from_chunk(chunk_t chunk)
 	return this;
 }
 
-/**
- * create an X.509 certificate from a file
- */
-static private_x509_cert_t *create_from_file(char *path)
-{
-	bool pgp = FALSE;
-	chunk_t chunk;
-	private_x509_cert_t *this;
-	
-	if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
-	{
-		return NULL;
-	}
-
-	this = create_from_chunk(chunk);
-
-	if (this == NULL)
-	{
-		DBG1("  could not parse loaded certificate file '%s'",path);
-		return NULL;
-	}
-	DBG1("  loaded certificate file '%s'",  path);
-	return this;
-}
-
 typedef struct private_builder_t private_builder_t;
 /**
  * Builder implementation for certificate loading
@@ -1362,9 +1336,6 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 	va_start(args, part);
 	switch (part)
 	{
-		case BUILD_FROM_FILE:
-			this->cert = create_from_file(va_arg(args, char*));
-			break;
 		case BUILD_BLOB_ASN1_DER:
 			chunk = va_arg(args, chunk_t);
 			this->cert = create_from_chunk(chunk_clone(chunk));
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index f502668cb..93203bafe 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -25,7 +25,6 @@ typedef struct revoked_t revoked_t;
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <asn1/pem.h>
 #include <credentials/certificates/x509.h>
 #include <utils/linked_list.h>
 
@@ -605,47 +604,6 @@ static private_x509_crl_t* create_empty(void)
 	return this;
 }
 
-/**
- * create an X.509 crl from a chunk
- */
-static private_x509_crl_t* create_from_chunk(chunk_t chunk)
-{
-	private_x509_crl_t *this = create_empty();
-
-	this->encoding = chunk;
-	if (!parse(this))
-	{
-		destroy(this);
-		return NULL;
-	}
-	return this;
-}
-
-/**
- * create an X.509 crl from a file
- */
-static private_x509_crl_t* create_from_file(char *path)
-{
-	bool pgp = FALSE;
-	chunk_t chunk;
-	private_x509_crl_t *this;
-	
-	if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
-	{
-		return NULL;
-	}
-
-	this = create_from_chunk(chunk);
-
-	if (this == NULL)
-	{
-		DBG1("  could not parse loaded crl file '%s'",path);
-		return NULL;
-	}
-	DBG1("  loaded crl file '%s'",  path);
-	return this;
-}
-
 typedef struct private_builder_t private_builder_t;
 /**
  * Builder implementation for certificate loading
@@ -653,8 +611,8 @@ typedef struct private_builder_t private_builder_t;
 struct private_builder_t {
 	/** implements the builder interface */
 	builder_t public;
-	/** loaded CRL */
-	private_x509_crl_t *crl;
+	/** CRL chunk to build from */
+	chunk_t blob;
 };
 
 /**
@@ -662,8 +620,18 @@ struct private_builder_t {
  */
 static private_x509_crl_t *build(private_builder_t *this)
 {
-	private_x509_crl_t *crl = this->crl;
+	private_x509_crl_t *crl = NULL;
 	
+	if (this->blob.len && this->blob.ptr)
+	{
+		crl = create_empty();
+		crl->encoding = chunk_clone(this->blob);
+		if (!parse(crl))
+		{
+			destroy(crl);
+			crl = NULL;
+		}
+	}
 	free(this);
 	return crl;
 }
@@ -673,35 +641,19 @@ static private_x509_crl_t *build(private_builder_t *this)
  */
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
-	if (!this->crl)
-	{
-		va_list args;
-		chunk_t chunk;
+	va_list args;
 	
-		switch (part)
+	switch (part)
+	{
+		case BUILD_BLOB_ASN1_DER:
 		{
-			case BUILD_FROM_FILE:
-			{
-				va_start(args, part);
-				this->crl = create_from_file(va_arg(args, char*));
-				va_end(args);
-				return;
-			}
-			case BUILD_BLOB_ASN1_DER:
-			{
-				va_start(args, part);
-				chunk = va_arg(args, chunk_t);
-				this->crl = create_from_chunk(chunk_clone(chunk));
-				va_end(args);
-				return;
-			}
-			default:
-				break;
+			va_start(args, part);
+			this->blob = va_arg(args, chunk_t);
+			va_end(args);
+			return;
 		}
-	}
-	if (this->crl)
-	{
-		destroy(this->crl);
+		default:
+			break;
 	}
 	builder_cancel(&this->public);
 }
@@ -717,13 +669,13 @@ builder_t *x509_crl_builder(certificate_type_t type)
 	{
 		return NULL;
 	}
-	
 	this = malloc_thing(private_builder_t);
 	
-	this->crl = NULL;
 	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
 	this->public.build = (void*(*)(builder_t *this))build;
 	
+	this->blob = chunk_empty;
+	
 	return &this->public;
 }
 
diff --git a/src/openac/openac.c b/src/openac/openac.c
index a8f75e093..49b376fe4 100755
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -34,7 +34,6 @@
 #include <library.h>
 #include <debug.h>
 #include <asn1/asn1.h>
-#include <asn1/pem.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/ac.h>
 #include <credentials/keys/private_key.h>
@@ -174,32 +173,6 @@ static void write_serial(chunk_t serial)
 }
 
 /**
- * Load and parse a private key file
- */
-static private_key_t* private_key_create_from_file(char *path, chunk_t *secret)
-{
-	bool pgp = FALSE;
-	chunk_t chunk = chunk_empty;
-	private_key_t *key = NULL;
-
-	if (!pem_asn1_load_file(path, secret, &chunk, &pgp))
-	{
-		DBG1("  could not load private key file '%s'", path);
-		return NULL;
-	}
-	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-							 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
-	free(chunk.ptr);
-	if (key == NULL)
-	{
-		DBG1("  could not parse loaded private key file '%s'", path);
-		return NULL;
-	}
-	DBG1("  loaded private key file '%s'", path);
-	return key;
-}
-
-/**
  * global variables accessible by both main() and build.c
  */
 
@@ -492,12 +465,15 @@ int main(int argc, char **argv)
 	/* load the signer's RSA private key */
 	if (keyfile != NULL)
 	{
-		signerKey = private_key_create_from_file(keyfile, &passphrase);
-
+		signerKey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+									   BUILD_FROM_FILE, keyfile,
+									   BUILD_PASSPHRASE, passphrase,
+									   BUILD_END);
 		if (signerKey == NULL)
 		{
 			goto end;
 		}
+		DBG1("  loaded private key file '%s'", keyfile);
 	}
 
 	/* load the signer's X.509 certificate */