diff options
Diffstat (limited to 'src/libcharon/plugins')
| -rw-r--r-- | src/libcharon/plugins/vici/Makefile.am | 1 | ||||
| -rw-r--r-- | src/libcharon/plugins/vici/vici_config.c | 58 | ||||
| -rw-r--r-- | src/libcharon/plugins/vici/vici_config.h | 5 | ||||
| -rw-r--r-- | src/libcharon/plugins/vici/vici_cred.c | 2 | ||||
| -rw-r--r-- | src/libcharon/plugins/vici/vici_plugin.c | 3 |
5 files changed, 60 insertions, 9 deletions
diff --git a/src/libcharon/plugins/vici/Makefile.am b/src/libcharon/plugins/vici/Makefile.am index f51670de4..552128397 100644 --- a/src/libcharon/plugins/vici/Makefile.am +++ b/src/libcharon/plugins/vici/Makefile.am @@ -1,5 +1,6 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libstrongswan/plugins/pubkey \ -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libcharon \ -DIPSEC_PIDDIR=\"${piddir}\" diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index 52e4a9204..b0615df5b 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c @@ -48,6 +48,8 @@ #include <collections/array.h> #include <collections/linked_list.h> +#include <pubkey_cert.h> + #include <stdio.h> /** @@ -98,6 +100,11 @@ struct private_vici_config_t { rwlock_t *lock; /** + * Credential backend managed by VICI used for our certificates + */ + vici_cred_t *cred; + + /** * Auxiliary certification authority information */ vici_authority_t *authority; @@ -1057,6 +1064,7 @@ CALLBACK(parse_group, bool, static bool parse_cert(auth_data_t *auth, auth_rule_t rule, chunk_t v) { vici_authority_t *authority; + vici_cred_t *cred; certificate_t *cert; cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, @@ -1068,6 +1076,8 @@ static bool parse_cert(auth_data_t *auth, auth_rule_t rule, chunk_t v) authority = auth->request->this->authority; authority->check_for_hash_and_url(authority, cert); } + cred = auth->request->this->cred; + cert = cred->add_cert(cred, cert); auth->cfg->add(auth->cfg, rule, cert); return TRUE; } @@ -1093,6 +1103,27 @@ CALLBACK(parse_cacerts, bool, } /** + * Parse raw public keys + */ +CALLBACK(parse_pubkeys, bool, + auth_data_t *auth, chunk_t v) +{ + vici_cred_t *cred; + certificate_t *cert; + + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY, + BUILD_BLOB_PEM, v, BUILD_END); + if (cert) + { + cred = auth->request->this->cred; + cert = cred->add_cert(cred, cert); + auth->cfg->add(auth->cfg, AUTH_RULE_SUBJECT_CERT, cert); + return TRUE; + } + return FALSE; +} + +/** * Parse revocation status */ CALLBACK(parse_revocation, bool, @@ -1287,6 +1318,7 @@ CALLBACK(auth_li, bool, { "groups", parse_group, auth->cfg }, { "certs", parse_certs, auth }, { "cacerts", parse_cacerts, auth }, + { "pubkeys", parse_pubkeys, auth }, }; return parse_rules(rules, countof(rules), name, value, @@ -1510,20 +1542,32 @@ CALLBACK(peer_sn, bool, .request = peer->request, .cfg = auth_cfg_create(), }; + certificate_t *cert; + identification_t *id; if (!message->parse(message, ctx, NULL, auth_kv, auth_li, &auth)) { auth.cfg->destroy(auth.cfg); return FALSE; } + cert = auth.cfg->get(auth.cfg, AUTH_RULE_SUBJECT_CERT); + id = auth.cfg->get(auth.cfg, AUTH_RULE_IDENTITY); - if (!auth.cfg->get(auth.cfg, AUTH_RULE_IDENTITY)) + if (cert) { - identification_t *id; - certificate_t *cert; + if (id) + { + if (cert->get_type(cert) == CERT_TRUSTED_PUBKEY && + id->get_type != ID_ANY) + { + pubkey_cert_t *pubkey_cert; - cert = auth.cfg->get(auth.cfg, AUTH_RULE_SUBJECT_CERT); - if (cert) + /* the id is set for informational purposes, only */ + pubkey_cert = (pubkey_cert_t*)cert; + pubkey_cert->set_subject(pubkey_cert, id); + } + } + else { id = cert->get_subject(cert); DBG1(DBG_CFG, " id not specified, defaulting to cert id '%Y'", @@ -2121,7 +2165,8 @@ METHOD(vici_config_t, destroy, void, * See header */ vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher, - vici_authority_t *authority) + vici_authority_t *authority, + vici_cred_t *cred) { private_vici_config_t *this; @@ -2138,6 +2183,7 @@ vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher, .conns = linked_list_create(), .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), .authority = authority, + .cred = cred, ); manage_commands(this, TRUE); diff --git a/src/libcharon/plugins/vici/vici_config.h b/src/libcharon/plugins/vici/vici_config.h index c3245bf5c..0c237e7de 100644 --- a/src/libcharon/plugins/vici/vici_config.h +++ b/src/libcharon/plugins/vici/vici_config.h @@ -26,6 +26,7 @@ #include "vici_dispatcher.h" #include "vici_authority.h" +#include "vici_cred.h" #include <config/backend.h> @@ -51,9 +52,11 @@ struct vici_config_t { * * @param dispatcher dispatcher to receive requests from * @param authority Auxiliary certification authority information + * @param cred in-memory credential backend managed by VICI * @return config backend */ vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher, - vici_authority_t *authority); + vici_authority_t *authority, + vici_cred_t *cred); #endif /** VICI_CONFIG_H_ @}*/ diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c index fa3158fa9..3411b7d6c 100644 --- a/src/libcharon/plugins/vici/vici_cred.c +++ b/src/libcharon/plugins/vici/vici_cred.c @@ -308,7 +308,7 @@ static void manage_commands(private_vici_cred_t *this, bool reg) METHOD(vici_cred_t, add_cert, certificate_t*, private_vici_cred_t *this, certificate_t *cert) { - return this->creds->get_cert_ref(this->creds, cert); + return this->creds->add_cert_ref(this->creds, TRUE, cert); } METHOD(vici_cred_t, destroy, void, diff --git a/src/libcharon/plugins/vici/vici_plugin.c b/src/libcharon/plugins/vici/vici_plugin.c index 53ed8cdfb..ed7c743c7 100644 --- a/src/libcharon/plugins/vici/vici_plugin.c +++ b/src/libcharon/plugins/vici/vici_plugin.c @@ -131,7 +131,8 @@ static bool register_vici(private_vici_plugin_t *this, this->authority = vici_authority_create(this->dispatcher, this->cred); lib->credmgr->add_set(lib->credmgr, &this->authority->set); - this->config = vici_config_create(this->dispatcher, this->authority); + this->config = vici_config_create(this->dispatcher, this->authority, + this->cred); this->attrs = vici_attribute_create(this->dispatcher); this->logger = vici_logger_create(this->dispatcher); |