updated mediation database to public key authentication

added mysql table definition, test data
testcase

10 files changed, 409 insertions, 62 deletions

diff --git a/src/charon/plugins/med_db/Makefile.am b/src/charon/plugins/med_db/Makefile.am
index f7608da05..86f770f0e 100644
--- a/src/charon/plugins/med_db/Makefile.am
+++ b/src/charon/plugins/med_db/Makefile.am
@@ -5,6 +5,7 @@ AM_CFLAGS = -rdynamic
 
 plugin_LTLIBRARIES = libcharon-med-db.la
 libcharon_med_db_la_SOURCES = med_db_plugin.h med_db_plugin.c \
-			      med_db_creds.h med_db_creds.c
+			      med_db_creds.h med_db_creds.c \
+			      med_db_pubkey.h med_db_pubkey.c
 libcharon_med_db_la_LDFLAGS = -module
 
diff --git a/src/charon/plugins/med_db/med_db_creds.c b/src/charon/plugins/med_db/med_db_creds.c
index ad6e6665f..364e039ed 100644
--- a/src/charon/plugins/med_db/med_db_creds.c
+++ b/src/charon/plugins/med_db/med_db_creds.c
@@ -16,6 +16,7 @@
  */
 
 #include "med_db_creds.h"
+#include "med_db_pubkey.h"
 
 #include <daemon.h>
 #include <library.h>
@@ -40,86 +41,90 @@ struct private_med_db_creds_t {
 };
 
 /**
- * data passed between enumerate calls
+ * enumerator over certificates
  */
-typedef struct  {
-	/** current shared key */
-	shared_key_t *current;
-} data_t;
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** inner SQL enumerator */
+	enumerator_t *inner;
+	/** currently enumerated cert */
+	certificate_t *current;
+	/** type of requested key */
+	key_type_t type;
+} cert_enumerator_t;
 
-typedef struct private_shared_key_t private_shared_key_t;
 /**
- * shared key implementation
+ * Implementation of cert_enumerator_t.public.enumerate
  */
-struct private_shared_key_t {
-	/** implements shared_key_t*/
-	shared_key_t public;
-	/** data of the key */
-	chunk_t key;
-	/** reference counter */
-	refcount_t ref;
-};
-
-/**
- * Destroy allocated data_t struct
- */
-static void data_destroy(data_t *this)
+static bool cert_enumerator_enumerate(cert_enumerator_t *this,
+									  certificate_t **cert)
 {
+	public_key_t *public;
+	chunk_t chunk;
+
 	DESTROY_IF(this->current);
-	free(this);
+	while (this->inner->enumerate(this->inner, &chunk))
+	{
+		public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+									BUILD_BLOB_ASN1_DER, chunk_clone(chunk),
+									BUILD_END);
+		if (public)
+		{
+			if (this->type == KEY_ANY || this->type == public->get_type(public))
+			{
+				*cert = this->current = (certificate_t*)med_db_pubkey_create(public);
+				return TRUE;
+			}
+			public->destroy(public);
+		}
+	}
+	this->current = NULL;
+	return FALSE;
 }
 
 /**
- * filter for enumerator, returns for each SQL result a shared key and match
+ * Implementation of cert_enumerator_t.public.destroy
  */
-static bool filter(data_t *this, chunk_t *chunk, shared_key_t **out,
-				   void **unused1, id_match_t *match_me,
-				   void **unused2, id_match_t *match_other)
+static void cert_enumerator_destroy(cert_enumerator_t *this)
 {
 	DESTROY_IF(this->current);
-	this->current = shared_key_create(SHARED_IKE, *chunk);
-	*out = this->current;
-	/* we have unique matches only, but do not compare own ID */
-	if (match_me)
-	{
-		*match_me = ID_MATCH_ANY;
-	}
-	if (match_other)
-	{
-		*match_other = ID_MATCH_PERFECT;
-	}
-	return TRUE;
+	this->inner->destroy(this->inner);
+	free(this);
 }
 
-
 /**
- * Implements credential_set_t.create_shared_enumerator
+ * Implementation of credential_set_t.create_cert_enumerator.
  */
-static enumerator_t* create_shared_enumerator(private_med_db_creds_t *this, 
-							shared_key_type_t type,	identification_t *me,
-							identification_t *other)
+static enumerator_t* create_cert_enumerator(private_med_db_creds_t *this,
+										certificate_type_t cert, key_type_t key,
+										identification_t *id, bool trusted)
 {
-	enumerator_t *enumerator;
-	data_t *data;
+	cert_enumerator_t *e;
 	
-	if (type != SHARED_IKE)
+	if ((cert != CERT_TRUSTED_PUBKEY && cert != CERT_ANY) ||
+		id == NULL || id->get_type(id) != ID_KEY_ID)
 	{
 		return NULL;
 	}
-	enumerator = this->db->query(this->db,
-								 "SELECT Psk FROM Peer WHERE PeerId = ?",
-								 DB_BLOB, other->get_encoding(other),
-								 DB_BLOB);
-	if (enumerator)
+	
+	e = malloc_thing(cert_enumerator_t);
+	e->current = NULL;
+	e->type = key;
+	e->public.enumerate = (void*)cert_enumerator_enumerate;
+	e->public.destroy = (void*)cert_enumerator_destroy;
+	e->inner = this->db->query(this->db,
+							   "SELECT PublicKey FROM Peer WHERE KeyId = ?",
+							   DB_BLOB, id->get_encoding(id),
+							   DB_BLOB);
+	if (!e->inner)
 	{
-		data = malloc_thing(data_t);
-		data->current = NULL;
-		return enumerator_create_filter(enumerator,	(void*)filter,
-										data, (void*)data_destroy);
+		free(e);
+		return NULL;
 	}
-	return NULL;
+	return &e->public;
 }
-	
+
 /**
  * Implementation of backend_t.destroy.
  */
@@ -136,8 +141,8 @@ med_db_creds_t *med_db_creds_create(database_t *db)
 	private_med_db_creds_t *this = malloc_thing(private_med_db_creds_t);
 
 	this->public.set.create_private_enumerator = (void*)return_null;
-	this->public.set.create_cert_enumerator = (void*)return_null;
-	this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
+	this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
+	this->public.set.create_shared_enumerator = (void*)return_null;
 	this->public.set.create_cdp_enumerator = (void*)return_null;
 
 	this->public.destroy = (void (*)(med_db_creds_t*))destroy;
diff --git a/src/charon/plugins/med_db/med_db_plugin.c b/src/charon/plugins/med_db/med_db_plugin.c
index 033ec91c7..8b9e21ad5 100644
--- a/src/charon/plugins/med_db/med_db_plugin.c
+++ b/src/charon/plugins/med_db/med_db_plugin.c
@@ -51,6 +51,7 @@ static void destroy(private_med_db_plugin_t *this)
 {
 	charon->credentials->remove_set(charon->credentials, &this->creds->set);
 	this->creds->destroy(this->creds);
+	this->db->destroy(this->db);
 	free(this);
 }
 
@@ -64,7 +65,8 @@ plugin_t *plugin_create()
 	
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 	
-	uri = lib->settings->get_str(lib->settings, "plugins.med_db.database", NULL);
+	uri = lib->settings->get_str(lib->settings,
+								 "charon.plugins.med_db.database", NULL);
 	if (!uri)
 	{
 		DBG1(DBG_CFG, "mediation database URI not defined, skipped");
@@ -72,6 +74,7 @@ plugin_t *plugin_create()
 		return NULL;
 	}
 	
+	this->db = lib->db->create(lib->db, uri);
 	if (this->db == NULL)
 	{
 		DBG1(DBG_CFG, "opening mediation server database failed");
diff --git a/src/charon/plugins/med_db/med_db_pubkey.c b/src/charon/plugins/med_db/med_db_pubkey.c
new file mode 100644
index 000000000..d0dc41f13
--- /dev/null
+++ b/src/charon/plugins/med_db/med_db_pubkey.c
@@ -0,0 +1,211 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "med_db_pubkey.h"
+
+typedef struct private_med_db_pubkey_t private_med_db_pubkey_t;
+
+/**
+ * private data of med_db_pubkey
+ */
+struct private_med_db_pubkey_t {
+
+	/**
+	 * public functions
+	 */
+	med_db_pubkey_t public;
+	
+	/**
+	 * wrapped public key
+	 */
+	public_key_t *key;
+	
+	/**
+	 * dummy issuer id, ID_ANY
+	 */
+	identification_t *issuer;
+	
+	/**
+	 * reference count
+	 */
+	refcount_t ref;
+};
+
+/**
+ * Implementation of certificate_t.get_type
+ */
+static certificate_type_t get_type(private_med_db_pubkey_t *this)
+{
+	return CERT_TRUSTED_PUBKEY;
+}
+
+/**
+ * Implementation of certificate_t.get_subject
+ */
+static identification_t* get_subject(private_med_db_pubkey_t *this)
+{
+	return this->key->get_id(this->key, ID_PUBKEY_SHA1);
+}
+
+/**
+ * Implementation of certificate_t.get_issuer
+ */
+static identification_t* get_issuer(private_med_db_pubkey_t *this)
+{
+	return this->issuer;
+}
+
+/**
+ * Implementation of certificate_t.has_subject.
+ */
+static id_match_t has_subject(private_med_db_pubkey_t *this,
+							  identification_t *subject)
+{
+	identification_t *id;
+	
+	id = this->key->get_id(this->key, subject->get_type(subject));
+	if (id)
+	{
+		return id->matches(id, subject);
+	}
+	return ID_MATCH_NONE;	
+}
+
+/**
+ * Implementation of certificate_t.has_subject.
+ */
+static id_match_t has_issuer(private_med_db_pubkey_t *this,
+							 identification_t *issuer)
+{
+	return ID_MATCH_NONE;
+}
+
+/**
+ * Implementation of certificate_t.equals.
+ */
+static bool equals(private_med_db_pubkey_t *this, certificate_t *other)
+{
+	if (this == (private_med_db_pubkey_t*)other)
+	{
+		return TRUE;
+	}
+	if (other->get_type(other) != CERT_TRUSTED_PUBKEY)
+	{
+		return FALSE;
+	}
+	return other->has_subject(other, this->key->get_id(this->key, ID_PUBKEY_SHA1));
+}
+
+/**
+ * Implementation of certificate_t.issued_by
+ */
+static bool issued_by(private_med_db_pubkey_t *this, certificate_t *issuer)
+{
+	return equals(this, issuer);
+}
+
+/**
+ * Implementation of certificate_t.get_public_key
+ */
+static public_key_t* get_public_key(private_med_db_pubkey_t *this)
+{
+	this->key->get_ref(this->key);
+	return this->key;
+}
+/**
+ * Implementation of certificate_t.get_validity.
+ */
+static bool get_validity(private_med_db_pubkey_t *this, time_t *when,
+						 time_t *not_before, time_t *not_after)
+{
+	if (not_before)
+	{
+		*not_before = 0;
+	}
+	if (not_after)
+	{
+		*not_after = ~0;
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of certificate_t.is_newer.
+ */
+static bool is_newer(certificate_t *this, certificate_t *that)
+{
+	return FALSE;
+}
+	
+/**
+ * Implementation of certificate_t.get_encoding.
+ */
+static chunk_t get_encoding(private_med_db_pubkey_t *this)
+{
+	return this->key->get_encoding(this->key);
+}
+
+/**
+ * Implementation of certificate_t.get_ref
+ */
+static private_med_db_pubkey_t* get_ref(private_med_db_pubkey_t *this)
+{
+	ref_get(&this->ref);
+	return this;
+}
+
+/**
+ * Implementation of med_db_pubkey_t.destroy
+ */
+static void destroy(private_med_db_pubkey_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->issuer->destroy(this->issuer);
+		this->key->destroy(this->key);
+		free(this);
+	}
+}
+
+/*
+ * see header file
+ */
+med_db_pubkey_t *med_db_pubkey_create(public_key_t *key)
+{
+	private_med_db_pubkey_t *this = malloc_thing(private_med_db_pubkey_t);
+	
+	this->public.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
+	this->public.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
+	this->public.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
+	this->public.interface.has_subject = (id_match_t (*)(certificate_t*, identification_t *subject))has_subject;
+	this->public.interface.has_issuer = (id_match_t (*)(certificate_t*, identification_t *issuer))has_issuer;
+	this->public.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
+	this->public.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
+	this->public.interface.get_validity = (bool (*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
+	this->public.interface.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer;
+	this->public.interface.get_encoding = (chunk_t (*)(certificate_t*))get_encoding;
+	this->public.interface.equals = (bool (*)(certificate_t*, certificate_t *other))equals;
+	this->public.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
+	this->public.interface.destroy = (void (*)(certificate_t *this))destroy;
+	
+	this->ref = 1;
+	this->key = key;
+	this->issuer = identification_create_from_encoding(ID_ANY, chunk_empty);
+	
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/med_db/med_db_pubkey.h b/src/charon/plugins/med_db/med_db_pubkey.h
new file mode 100644
index 000000000..f61f97bf7
--- /dev/null
+++ b/src/charon/plugins/med_db/med_db_pubkey.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup med_db_pubkey med_db_pubkey
+ * @{ @ingroup med_db
+ */
+
+#ifndef MED_DB_PUBKEY_H_
+#define MED_DB_PUBKEY_H_
+
+#include <credentials/keys/public_key.h>
+#include <credentials/certificates/certificate.h>
+
+typedef struct med_db_pubkey_t med_db_pubkey_t;
+
+/**
+ * A trusted public key wrapped into certificate of type CERT_TRUSTED_PUBKEY.
+ */
+struct med_db_pubkey_t {
+
+	/**
+	 * Implements certificate_t.
+	 */
+	certificate_t interface;
+};
+
+/**
+ * Create a wrapped public key instance using a public_key.
+ *
+ * The certifcate uses the public_key ID as subject.
+ *
+ * @param key		public key to wrap
+ * @return			public key implementing certificate interface
+ */
+med_db_pubkey_t *med_db_pubkey_create(public_key_t *key);
+
+#endif /* MED_DB_PUBKEY_H_ @}*/
diff --git a/src/charon/plugins/med_db/mysql.sql b/src/charon/plugins/med_db/mysql.sql
new file mode 100644
index 000000000..0fb60dbc6
--- /dev/null
+++ b/src/charon/plugins/med_db/mysql.sql
@@ -0,0 +1,12 @@
+
+CREATE TABLE IF NOT EXISTS `Peer` (
+  `IdPeer` int(10) unsigned NOT NULL auto_increment,
+  `IdUser` int(10) unsigned NOT NULL,
+  `Alias` varchar(30) collate utf8_unicode_ci NOT NULL,
+  `KeyId` varbinary(20) NOT NULL,
+  `PublicKey` blob NOT NULL,
+  PRIMARY KEY  (`IdPeer`),
+  KEY `KeyId` (`KeyId`),
+  KEY `IdUser` (`IdUser`)
+) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
diff --git a/src/charon/plugins/med_db/test.sql b/src/charon/plugins/med_db/test.sql
new file mode 100644
index 000000000..8ba33647c
--- /dev/null
+++ b/src/charon/plugins/med_db/test.sql
@@ -0,0 +1,9 @@
+
+INSERT INTO `Peer` (
+	`IdPeer`, `IdUser`, `Alias`, `KeyId`, `PublicKey`
+) VALUES (
+	1, 0, 'sidv150', 
+	X'ed90e64feca21f4b6897992422e0de21b9d62629',
+	X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100cd946c229f7d52b21da1cb5384e7dcaf6529f760534a56355efd49e87a9c6f1ddd5ff303bd7eb49c23de03adc487456f41eb5f92947bdc8ff8dbe443f8d112e0da2c98145e7c4d1cd15cddd08577f4d4f3d0a2e1da3c08c94cd819758751931e7a9724cc43d73a11b8e176a268b4cdbbf3995cb09723abc9bfc477c25e714a4661a84c078be7404d8986be55f20437e3a6b278a3cc89aec085941f1a1aafaf4b22ae146fe4684d5567dc30658a32087d01b98515070cb1653311cb6102f82a83c638c2a79985dbb9600752e9cbc272014a5c547b4ab59130c3a948658bff794b6f202cf95939ffa73b10521f05c060cecb15f8597ed95d72b9e405ee31f1b5d90203010001'
+);
+
diff --git a/src/charon/plugins/unit_tester/Makefile.am b/src/charon/plugins/unit_tester/Makefile.am
index 9d9f4d79a..8d0070ac9 100644
--- a/src/charon/plugins/unit_tester/Makefile.am
+++ b/src/charon/plugins/unit_tester/Makefile.am
@@ -13,6 +13,7 @@ libcharon_unit_tester_la_SOURCES = unit_tester.c unit_tester.h \
   tests/test_mysql.c \
   tests/test_sqlite.c \
   tests/test_mutex.c \
-  tests/test_rsa_gen.c
+  tests/test_rsa_gen.c \
+  tests/test_med_db.c
 libcharon_unit_tester_la_LDFLAGS = -module
 
diff --git a/src/charon/plugins/unit_tester/tests.h b/src/charon/plugins/unit_tester/tests.h
index a14946a42..18bd58c83 100644
--- a/src/charon/plugins/unit_tester/tests.h
+++ b/src/charon/plugins/unit_tester/tests.h
@@ -31,4 +31,5 @@ DEFINE_TEST("MySQL operations", test_mysql, FALSE)
 DEFINE_TEST("SQLite operations", test_sqlite, FALSE)
 DEFINE_TEST("mutex primitive", test_mutex, FALSE)
 DEFINE_TEST("RSA key generation", test_rsa_gen, FALSE)
-DEFINE_TEST("RSA subjectPublicKeyInfo loading", test_rsa_load_any, TRUE)
+DEFINE_TEST("RSA subjectPublicKeyInfo loading", test_rsa_load_any, FALSE)
+DEFINE_TEST("Mediation database key fetch", test_med_db, TRUE)
diff --git a/src/charon/plugins/unit_tester/tests/test_med_db.c b/src/charon/plugins/unit_tester/tests/test_med_db.c
new file mode 100644
index 000000000..7ce280861
--- /dev/null
+++ b/src/charon/plugins/unit_tester/tests/test_med_db.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <daemon.h>
+#include <utils/enumerator.h>
+
+#include <unistd.h>
+
+/*******************************************************************************
+ * fetch public key from mediation database
+ ******************************************************************************/
+
+bool test_med_db()
+{
+	char keyid_buf[] = {
+		0xed,0x90,0xe6,0x4f,0xec,0xa2,0x1f,0x4b,
+		0x68,0x97,0x99,0x24,0x22,0xe0,0xde,0x21,
+		0xb9,0xd6,0x26,0x29
+	};
+	chunk_t keyid = chunk_from_buf(keyid_buf);
+	identification_t *id, *found;
+	enumerator_t *enumerator;
+	auth_info_t *auth;
+	public_key_t *public;
+	bool good = FALSE;
+	
+	id = identification_create_from_encoding(ID_KEY_ID, keyid);
+	enumerator = charon->credentials->create_public_enumerator(
+									charon->credentials, KEY_ANY, id, NULL);
+	while (enumerator->enumerate(enumerator, &public, &auth))
+	{
+		found = public->get_id(public, ID_PUBKEY_SHA1);
+		good = chunk_equals(id->get_encoding(id), found->get_encoding(found));
+	}
+	enumerator->destroy(enumerator);
+	id->destroy(id);
+	return TRUE;
+}
+