From b57739f72112d468b664c84f6af6d1f499a61151 Mon Sep 17 00:00:00 2001
From: Martin Willi <martin@revosec.ch>
Date: Wed, 19 Feb 2014 15:45:24 +0100
Subject: vici: Support pinning end entity and CA certificates to connections

---
 src/libcharon/plugins/vici/vici_config.c | 37 ++++++++++++++++++++++++++++++++
 src/libcharon/plugins/vici/vici_query.c  | 25 +++++++++++++++++++++
 2 files changed, 62 insertions(+)

diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index b08d1b002..6f24378e7 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -961,6 +961,41 @@ CALLBACK(parse_group, bool,
 	return parse_id(cfg, AUTH_RULE_GROUP, v);
 }
 
+/**
+ * Parse a certificate; add as auth rule to config
+ */
+static bool parse_cert(auth_cfg_t *cfg, auth_rule_t rule, chunk_t v)
+{
+	certificate_t *cert;
+
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_BLOB_PEM, v, BUILD_END);
+	if (cert)
+	{
+		cfg->add(cfg, rule, cert);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Parse subject certificates
+ */
+CALLBACK(parse_certs, bool,
+	auth_cfg_t *cfg, chunk_t v)
+{
+	return parse_cert(cfg, AUTH_RULE_SUBJECT_CERT, v);
+}
+
+/**
+ * Parse CA certificates
+ */
+CALLBACK(parse_cacerts, bool,
+	auth_cfg_t *cfg, chunk_t v)
+{
+	return parse_cert(cfg, AUTH_RULE_CA_CERT, v);
+}
+
 /**
  * Parse revocation status
  */
@@ -1146,6 +1181,8 @@ CALLBACK(auth_li, bool,
 {
 	parse_rule_t rules[] = {
 		{ "groups",			parse_group,		auth->cfg					},
+		{ "certs",			parse_certs,		auth->cfg					},
+		{ "cacerts",		parse_cacerts,		auth->cfg					},
 	};
 
 	return parse_rules(rules, countof(rules), name, value,
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 59037b622..aff937e7d 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -493,6 +493,7 @@ static void build_auth_cfgs(peer_cfg_t *peer_cfg, bool local, vici_builder_t *b)
 	union {
 		uintptr_t u;
 		identification_t *id;
+		certificate_t *cert;
 		char *str;
 	} v;
 
@@ -551,6 +552,30 @@ static void build_auth_cfgs(peer_cfg_t *peer_cfg, bool local, vici_builder_t *b)
 		rules->destroy(rules);
 		b->end_list(b);
 
+		b->begin_list(b, "certs");
+		rules = auth->create_enumerator(auth);
+		while (rules->enumerate(rules, &rule, &v))
+		{
+			if (rule == AUTH_RULE_SUBJECT_CERT)
+			{
+				b->add_li(b, "%Y", v.cert->get_subject(v.cert));
+			}
+		}
+		rules->destroy(rules);
+		b->end_list(b);
+
+		b->begin_list(b, "cacerts");
+		rules = auth->create_enumerator(auth);
+		while (rules->enumerate(rules, &rule, &v))
+		{
+			if (rule == AUTH_RULE_CA_CERT)
+			{
+				b->add_li(b, "%Y", v.cert->get_subject(v.cert));
+			}
+		}
+		rules->destroy(rules);
+		b->end_list(b);
+
 		b->end_section(b);
 	}
 	enumerator->destroy(enumerator);
-- 
cgit v1.2.3