author | Martin Willi <martin@revosec.ch> | 2014-02-19 15:45:24 +0100 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2014-05-07 14:13:37 +0200 |
commit | b57739f72112d468b664c84f6af6d1f499a61151 (patch) | |
tree | 77026a710035f9c6b710018237ea31c103ebbb2f | |
parent | e6e975ff9d0938b86f71e234372f58a0da002906 (diff) | |
download | strongswan-b57739f72112d468b664c84f6af6d1f499a61151.tar.bz2 strongswan-b57739f72112d468b664c84f6af6d1f499a61151.tar.xz |
vici: Support pinning end entity and CA certificates to connections
-rw-r--r-- | src/libcharon/plugins/vici/vici_config.c | 37 | ||||
-rw-r--r-- | src/libcharon/plugins/vici/vici_query.c | 25 |
2 files changed, 62 insertions, 0 deletions
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index b08d1b002..6f24378e7 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -962,6 +962,41 @@ CALLBACK(parse_group, bool,
 }
 
 /**
+ * Parse a certificate; add as auth rule to config
+ */
+static bool parse_cert(auth_cfg_t *cfg, auth_rule_t rule, chunk_t v)
+{
+ certificate_t *cert;
+
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_BLOB_PEM, v, BUILD_END);
+ if (cert)
+ {
+ cfg->add(cfg, rule, cert);
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * Parse subject certificates
+ */
+CALLBACK(parse_certs, bool,
+ auth_cfg_t *cfg, chunk_t v)
+{
+ return parse_cert(cfg, AUTH_RULE_SUBJECT_CERT, v);
+}
+
+/**
+ * Parse CA certificates
+ */
+CALLBACK(parse_cacerts, bool,
+ auth_cfg_t *cfg, chunk_t v)
+{
+ return parse_cert(cfg, AUTH_RULE_CA_CERT, v);
+}
+
+/**
  * Parse revocation status
  */
 CALLBACK(parse_revocation, bool,
@@ -1146,6 +1181,8 @@ CALLBACK(auth_li, bool,
 {
 parse_rule_t rules[] = {
 { "groups", parse_group, auth->cfg },
+ { "certs", parse_certs, auth->cfg },
+ { "cacerts", parse_cacerts, auth->cfg },
 };
 
 return parse_rules(rules, countof(rules), name, value,
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 59037b622..aff937e7d 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -493,6 +493,7 @@ static void build_auth_cfgs(peer_cfg_t *peer_cfg, bool local, vici_builder_t *b)
 union {
 uintptr_t u;
 identification_t *id;
+ certificate_t *cert;
 char *str;
 } v;
 
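Review bot: parse_cert reports a certificate it cannot decode only by returning FALSE, and it tries BUILD_BLOB_PEM alone, so a client that sends a malformed PEM or a DER-encoded blob in a `certs`/`cacerts` entry gets a failure with no indication of which entry or encoding was the problem. A `DBG1(DBG_CFG, "parsing %N certificate failed", auth_rule_names, rule);` before `return FALSE;` would make that diagnosable from the daemon log; if the vici protocol is meant to carry DER as well, `BUILD_BLOB` instead of `BUILD_BLOB_PEM` is the place to widen it. The header comment should also state that the created certificate is handed to `cfg->add()` and not destroyed here, i.e. `cfg` takes ownership, which is why the success path has no cleanup; a reader of this hunk cannot otherwise tell a leak from an ownership transfer.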
@@ -551,6 +552,30 @@ static void build_auth_cfgs(peer_cfg_t *peer_cfg, bool local, vici_builder_t *b)
 rules->destroy(rules);
 b->end_list(b);
 
+ b->begin_list(b, "certs");
+ rules = auth->create_enumerator(auth);
+ while (rules->enumerate(rules, &rule, &v))
+ {
+ if (rule == AUTH_RULE_SUBJECT_CERT)
+ {
+ b->add_li(b, "%Y", v.cert->get_subject(v.cert));
+ }
+ }
+ rules->destroy(rules);
+ b->end_list(b);
+
+ b->begin_list(b, "cacerts");
+ rules = auth->create_enumerator(auth);
+ while (rules->enumerate(rules, &rule, &v))
+ {
+ if (rule == AUTH_RULE_CA_CERT)
+ {
+ b->add_li(b, "%Y", v.cert->get_subject(v.cert));
+ }
+ }
+ rules->destroy(rules);
+ b->end_list(b);
+
 b->end_section(b);
 }
 enumerator->destroy(enumerator);
|
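Review bot: The two enumerator loops added after `b->end_list(b)` are line-for-line copies that differ only in the rule constant and the list name, and the "groups" loop just above the hunk appears to follow the same shape; a small static helper taking the rule and the list name removes the duplication and makes the "begin_list / enumerate / destroy / end_list" bracket impossible to get wrong when the next rule type is exposed. The call sites then collapse to `build_cert_list(b, auth, AUTH_RULE_SUBJECT_CERT, "certs");` and `build_cert_list(b, auth, AUTH_RULE_CA_CERT, "cacerts");`. A subject name alone does not uniquely identify a pinned certificate, so a later revision may want to report issuer and serial alongside it; that is a protocol decision rather than a defect in this hunk. build_auth_cfgs starts and ends outside the hunk, so the helper has to be placed before it in the file.
```c
/**
 * Add the subjects of all certificates of auth matching rule as list "name"
 */
static void build_cert_list(vici_builder_t *b, auth_cfg_t *auth,
							auth_rule_t rule, char *name)
{
	enumerator_t *rules;
	auth_rule_t type;
	certificate_t *cert;

	b->begin_list(b, name);
	rules = auth->create_enumerator(auth);
	while (rules->enumerate(rules, &type, &cert))
	{
		if (type == rule)
		{
			b->add_li(b, "%Y", cert->get_subject(cert));
		}
	}
	rules->destroy(rules);
	b->end_list(b);
}

/* … unchanged: build_auth_cfgs up to the end of the "groups" list … */
	build_cert_list(b, auth, AUTH_RULE_SUBJECT_CERT, "certs");
	build_cert_list(b, auth, AUTH_RULE_CA_CERT, "cacerts");
	b->end_section(b);
```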