blob: 246a6c990f0b7b77d422e6d670e25d674d65f004 [file] [log] [blame]
#include <net-snmp/net-snmp-config.h>
#include <net-snmp/net-snmp-features.h>
#if defined(NETSNMP_USE_OPENSSL) && defined(HAVE_LIBSSL)
netsnmp_feature_child_of(cert_util_all, libnetsnmp)
netsnmp_feature_child_of(cert_util, cert_util_all)
#ifdef NETSNMP_FEATURE_REQUIRE_CERT_UTIL
netsnmp_feature_require(container_directory)
netsnmp_feature_require(container_fifo)
netsnmp_feature_require(container_dup)
netsnmp_feature_require(container_free_all)
netsnmp_feature_require(subcontainer_find)
netsnmp_feature_child_of(cert_map_remove, netsnmp_unused)
netsnmp_feature_child_of(cert_map_find, netsnmp_unused)
netsnmp_feature_child_of(tlstmparams_external, cert_util_all)
netsnmp_feature_child_of(tlstmparams_container, tlstmparams_external)
netsnmp_feature_child_of(tlstmparams_remove, tlstmparams_external)
netsnmp_feature_child_of(tlstmparams_find, tlstmparams_external)
netsnmp_feature_child_of(tlstmAddr_remove, netsnmp_unused)
netsnmp_feature_child_of(tlstmaddr_external, cert_util_all)
netsnmp_feature_child_of(tlstmaddr_container, tlstmaddr_external)
netsnmp_feature_child_of(tlstmAddr_get_serverId, tlstmaddr_external)
netsnmp_feature_child_of(cert_fingerprints, cert_util_all)
netsnmp_feature_child_of(tls_fingerprint_build, cert_util_all)
#endif /* NETSNMP_FEATURE_REQUIRE_CERT_UTIL */
#ifndef NETSNMP_FEATURE_REMOVE_CERT_UTIL
#include <ctype.h>
#if HAVE_STDLIB_H
#include <stdlib.h>
#endif
#if HAVE_STRING_H
#include <string.h>
#else
#include <strings.h>
#endif
#if HAVE_SYS_STAT_H
# include <sys/stat.h>
#endif
#if HAVE_DIRENT_H
# include <dirent.h>
# define NAMLEN(dirent) strlen((dirent)->d_name)
#else
# define dirent direct
# define NAMLEN(dirent) (dirent)->d_namlen
# if HAVE_SYS_NDIR_H
# include <sys/ndir.h>
# endif
# if HAVE_SYS_DIR_H
# include <sys/dir.h>
# endif
# if HAVE_NDIR_H
# include <ndir.h>
# endif
#endif
#if HAVE_DMALLOC_H
#include <dmalloc.h>
#endif
#include <net-snmp/types.h>
#include <net-snmp/output_api.h>
#include <net-snmp/config_api.h>
#include <net-snmp/library/snmp_assert.h>
#include <net-snmp/library/snmp_transport.h>
#include <net-snmp/library/system.h>
#include <net-snmp/library/tools.h>
#include <net-snmp/library/container.h>
#include <net-snmp/library/data_list.h>
#include <net-snmp/library/file_utils.h>
#include <net-snmp/library/dir_utils.h>
#include <net-snmp/library/read_config.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509v3.h>
#include <net-snmp/library/cert_util.h>
#include <net-snmp/library/snmp_openssl.h>
#ifndef NAME_MAX
#define NAME_MAX 255
#endif
/*
* bump this value whenever cert index format changes, so indexes
* will be regenerated with new format.
*/
#define CERT_INDEX_FORMAT 1
static netsnmp_container *_certs = NULL;
static netsnmp_container *_keys = NULL;
static netsnmp_container *_maps = NULL;
static netsnmp_container *_tlstmParams = NULL;
static netsnmp_container *_tlstmAddr = NULL;
static struct snmp_enum_list *_certindexes = NULL;
static netsnmp_container *_trusted_certs = NULL;
static void _setup_containers(void);
static void _cert_indexes_load(void);
static void _cert_free(netsnmp_cert *cert, void *context);
static void _key_free(netsnmp_key *key, void *context);
static int _cert_compare(netsnmp_cert *lhs, netsnmp_cert *rhs);
static int _cert_sn_compare(netsnmp_cert *lhs, netsnmp_cert *rhs);
static int _cert_sn_ncompare(netsnmp_cert *lhs, netsnmp_cert *rhs);
static int _cert_cn_compare(netsnmp_cert *lhs, netsnmp_cert *rhs);
static int _cert_fn_compare(netsnmp_cert_common *lhs,
netsnmp_cert_common *rhs);
static int _cert_fn_ncompare(netsnmp_cert_common *lhs,
netsnmp_cert_common *rhs);
static void _find_partner(netsnmp_cert *cert, netsnmp_key *key);
static netsnmp_cert *_find_issuer(netsnmp_cert *cert);
static netsnmp_void_array *_cert_find_subset_fn(const char *filename,
const char *directory);
static netsnmp_void_array *_cert_find_subset_sn(const char *subject);
static netsnmp_void_array *_key_find_subset(const char *filename);
static netsnmp_cert *_cert_find_fp(const char *fingerprint);
static char *_find_tlstmParams_fingerprint(const char *param);
static char *_find_tlstmAddr_fingerprint(const char *name);
static const char *_mode_str(u_char mode);
static const char *_where_str(u_int what);
void netsnmp_cert_dump_all(void);
int netsnmp_cert_load_x509(netsnmp_cert *cert);
void netsnmp_cert_free(netsnmp_cert *cert);
void netsnmp_key_free(netsnmp_key *key);
static int _certindex_add( const char *dirname, int i );
static int _time_filter(netsnmp_file *f, struct stat *idx);
static void _init_tlstmCertToTSN(void);
#define TRUSTCERT_CONFIG_TOKEN "trustCert"
static void _parse_trustcert(const char *token, char *line);
static void _init_tlstmParams(void);
static void _init_tlstmAddr(void);
/** mode descriptions should match up with header */
static const char _modes[][256] =
{
"none",
"identity",
"remote_peer",
"identity+remote_peer",
"reserved1",
"reserved1+identity",
"reserved1+remote_peer",
"reserved1+identity+remote_peer",
"CA",
"CA+identity",
"CA+remote_peer",
"CA+identity+remote_peer",
"CA+reserved1",
"CA+reserved1+identity",
"CA+reserved1+remote_peer",
"CA+reserved1+identity+remote_peer",
};
/* #####################################################################
*
* init and shutdown functions
*
*/
void
_netsnmp_release_trustcerts(void)
{
if (NULL != _trusted_certs) {
CONTAINER_FREE_ALL(_trusted_certs, NULL);
CONTAINER_FREE(_trusted_certs);
_trusted_certs = NULL;
}
}
void
_setup_trusted_certs(void)
{
_trusted_certs = netsnmp_container_find("trusted_certs:fifo");
if (NULL == _trusted_certs) {
snmp_log(LOG_ERR, "could not create container for trusted certs\n");
netsnmp_certs_shutdown();
return;
}
_trusted_certs->container_name = strdup("trusted certificates");
_trusted_certs->free_item = (netsnmp_container_obj_func*) free;
_trusted_certs->compare = (netsnmp_container_compare*) strcmp;
}
/*
* secname mapping for servers.
*/
void
netsnmp_certs_agent_init(void)
{
_init_tlstmCertToTSN();
_init_tlstmParams();
_init_tlstmAddr();
}
void
netsnmp_certs_init(void)
{
const char *trustCert_help = TRUSTCERT_CONFIG_TOKEN
" FINGERPRINT|FILENAME";
register_config_handler("snmp", TRUSTCERT_CONFIG_TOKEN,
_parse_trustcert, _netsnmp_release_trustcerts,
trustCert_help);
_setup_containers();
/** add certificate type mapping */
se_add_pair_to_slist("cert_types", strdup("pem"), NS_CERT_TYPE_PEM);
se_add_pair_to_slist("cert_types", strdup("crt"), NS_CERT_TYPE_DER);
se_add_pair_to_slist("cert_types", strdup("cer"), NS_CERT_TYPE_DER);
se_add_pair_to_slist("cert_types", strdup("cert"), NS_CERT_TYPE_DER);
se_add_pair_to_slist("cert_types", strdup("der"), NS_CERT_TYPE_DER);
se_add_pair_to_slist("cert_types", strdup("key"), NS_CERT_TYPE_KEY);
se_add_pair_to_slist("cert_types", strdup("private"), NS_CERT_TYPE_KEY);
/** hash algs */
se_add_pair_to_slist("cert_hash_alg", strdup("sha1"), NS_HASH_SHA1);
se_add_pair_to_slist("cert_hash_alg", strdup("md5"), NS_HASH_MD5);
se_add_pair_to_slist("cert_hash_alg", strdup("sha224"), NS_HASH_SHA224);
se_add_pair_to_slist("cert_hash_alg", strdup("sha256"), NS_HASH_SHA256);
se_add_pair_to_slist("cert_hash_alg", strdup("sha384"), NS_HASH_SHA384);
se_add_pair_to_slist("cert_hash_alg", strdup("sha512"), NS_HASH_SHA512);
/** map types */
se_add_pair_to_slist("cert_map_type", strdup("cn"),
TSNM_tlstmCertCommonName);
se_add_pair_to_slist("cert_map_type", strdup("ip"),
TSNM_tlstmCertSANIpAddress);
se_add_pair_to_slist("cert_map_type", strdup("rfc822"),
TSNM_tlstmCertSANRFC822Name);
se_add_pair_to_slist("cert_map_type", strdup("dns"),
TSNM_tlstmCertSANDNSName);
se_add_pair_to_slist("cert_map_type", strdup("any"), TSNM_tlstmCertSANAny);
se_add_pair_to_slist("cert_map_type", strdup("sn"),
TSNM_tlstmCertSpecified);
}
void
netsnmp_certs_shutdown(void)
{
DEBUGMSGT(("cert:util:shutdown","shutdown\n"));
if (_maps) {
CONTAINER_FREE_ALL(_maps, NULL);
CONTAINER_FREE(_maps);
_maps = NULL;
}
if (NULL != _certs) {
CONTAINER_FREE_ALL(_certs, NULL);
CONTAINER_FREE(_certs);
_certs = NULL;
}
if (NULL != _keys) {
CONTAINER_FREE_ALL(_keys, NULL);
CONTAINER_FREE(_keys);
_keys = NULL;
}
_netsnmp_release_trustcerts();
}
void
netsnmp_certs_load(void)
{
netsnmp_iterator *itr;
netsnmp_key *key;
netsnmp_cert *cert;
DEBUGMSGT(("cert:util:init","init\n"));
if (NULL == _certs) {
snmp_log(LOG_ERR, "cant load certs without container\n");
return;
}
if (CONTAINER_SIZE(_certs) != 0) {
DEBUGMSGT(("cert:util:init", "ignoring duplicate init\n"));
return;
}
netsnmp_init_openssl();
/** scan config dirs for certs */
_cert_indexes_load();
/** match up keys w/certs */
itr = CONTAINER_ITERATOR(_keys);
if (NULL == itr) {
snmp_log(LOG_ERR, "could not get iterator for keys\n");
netsnmp_certs_shutdown();
return;
}
key = ITERATOR_FIRST(itr);
for( ; key; key = ITERATOR_NEXT(itr))
_find_partner(NULL, key);
ITERATOR_RELEASE(itr);
DEBUGIF("cert:dump") {
itr = CONTAINER_ITERATOR(_certs);
if (NULL == itr) {
snmp_log(LOG_ERR, "could not get iterator for certs\n");
netsnmp_certs_shutdown();
return;
}
cert = ITERATOR_FIRST(itr);
for( ; cert; cert = ITERATOR_NEXT(itr)) {
netsnmp_cert_load_x509(cert);
}
ITERATOR_RELEASE(itr);
DEBUGMSGT(("cert:dump",
"-------------------- Certificates -----------------\n"));
netsnmp_cert_dump_all();
DEBUGMSGT(("cert:dump",
"------------------------ End ----------------------\n"));
}
}
/* #####################################################################
*
* cert container functions
*/
static netsnmp_container *
_get_cert_container(const char *use)
{
netsnmp_container *c;
c = netsnmp_container_find("certs:binary_array");
if (NULL == c) {
snmp_log(LOG_ERR, "could not create container for %s\n", use);
return NULL;
}
c->container_name = strdup(use);
c->free_item = (netsnmp_container_obj_func*)_cert_free;
c->compare = (netsnmp_container_compare*)_cert_compare;
return c;
}
static void
_setup_containers(void)
{
netsnmp_container *additional_keys;
_certs = _get_cert_container("netsnmp certificates");
if (NULL == _certs)
return;
/** additional keys: common name */
additional_keys = netsnmp_container_find("certs_cn:binary_array");
if (NULL == additional_keys) {
snmp_log(LOG_ERR, "could not create CN container for certificates\n");
netsnmp_certs_shutdown();
return;
}
additional_keys->container_name = strdup("certs_cn");
additional_keys->free_item = NULL;
additional_keys->compare = (netsnmp_container_compare*)_cert_cn_compare;
netsnmp_container_add_index(_certs, additional_keys);
/** additional keys: subject name */
additional_keys = netsnmp_container_find("certs_sn:binary_array");
if (NULL == additional_keys) {
snmp_log(LOG_ERR, "could not create SN container for certificates\n");
netsnmp_certs_shutdown();
return;
}
additional_keys->container_name = strdup("certs_sn");
additional_keys->free_item = NULL;
additional_keys->compare = (netsnmp_container_compare*)_cert_sn_compare;
additional_keys->ncompare = (netsnmp_container_compare*)_cert_sn_ncompare;
netsnmp_container_add_index(_certs, additional_keys);
/** additional keys: file name */
additional_keys = netsnmp_container_find("certs_fn:binary_array");
if (NULL == additional_keys) {
snmp_log(LOG_ERR, "could not create FN container for certificates\n");
netsnmp_certs_shutdown();
return;
}
additional_keys->container_name = strdup("certs_fn");
additional_keys->free_item = NULL;
additional_keys->compare = (netsnmp_container_compare*)_cert_fn_compare;
additional_keys->ncompare = (netsnmp_container_compare*)_cert_fn_ncompare;
netsnmp_container_add_index(_certs, additional_keys);
_keys = netsnmp_container_find("cert_keys:binary_array");
if (NULL == _keys) {
snmp_log(LOG_ERR, "could not create container for certificate keys\n");
netsnmp_certs_shutdown();
return;
}
_keys->container_name = strdup("netsnmp certificate keys");
_keys->free_item = (netsnmp_container_obj_func*)_key_free;
_keys->compare = (netsnmp_container_compare*)_cert_fn_compare;
_setup_trusted_certs();
}
netsnmp_container *
netsnmp_cert_map_container(void)
{
return _maps;
}
static netsnmp_cert *
_new_cert(const char *dirname, const char *filename, int certType,
int hashType, const char *fingerprint, const char *common_name,
const char *subject)
{
netsnmp_cert *cert;
if ((NULL == dirname) || (NULL == filename)) {
snmp_log(LOG_ERR, "bad parameters to _new_cert\n");
return NULL;
}
cert = SNMP_MALLOC_TYPEDEF(netsnmp_cert);
if (NULL == cert) {
snmp_log(LOG_ERR,"could not allocate memory for certificate at %s/%s\n",
dirname, filename);
return NULL;
}
DEBUGMSGT(("9:cert:struct:new","new cert 0x%#lx for %s\n", (u_long)cert,
filename));
cert->info.dir = strdup(dirname);
cert->info.filename = strdup(filename);
cert->info.allowed_uses = NS_CERT_REMOTE_PEER;
cert->info.type = certType;
if (fingerprint) {
cert->hash_type = hashType;
cert->fingerprint = strdup(fingerprint);
}
if (common_name)
cert->common_name = strdup(common_name);
if (subject)
cert->subject = strdup(subject);
return cert;
}
static netsnmp_key *
_new_key(const char *dirname, const char *filename)
{
netsnmp_key *key;
struct stat fstat;
char fn[SNMP_MAXPATH];
if ((NULL == dirname) || (NULL == filename)) {
snmp_log(LOG_ERR, "bad parameters to _new_key\n");
return NULL;
}
/** check file permissions */
snprintf(fn, sizeof(fn), "%s/%s", dirname, filename);
if (stat(fn, &fstat) != 0) {
snmp_log(LOG_ERR, "could not stat %s\n", fn);
return NULL;
}
if ((fstat.st_mode & S_IROTH) || (fstat.st_mode & S_IROTH)) {
snmp_log(LOG_ERR,
"refusing to read world readable or writable key %s\n", fn);
return NULL;
}
key = SNMP_MALLOC_TYPEDEF(netsnmp_key);
if (NULL == key) {
snmp_log(LOG_ERR, "could not allocate memory for key at %s/%s\n",
dirname, filename);
return NULL;
}
DEBUGMSGT(("cert:key:struct:new","new key 0x%#lx for %s\n", (u_long)key,
filename));
key->info.type = NS_CERT_TYPE_KEY;
key->info.dir = strdup(dirname);
key->info.filename = strdup(filename);
key->info.allowed_uses = NS_CERT_IDENTITY;
return key;
}
void
netsnmp_cert_free(netsnmp_cert *cert)
{
if (NULL == cert)
return;
DEBUGMSGT(("9:cert:struct:free","freeing cert 0x%#lx, %s (fp %s; CN %s)\n",
(u_long)cert, cert->info.filename ? cert->info.filename : "UNK",
cert->fingerprint ? cert->fingerprint : "UNK",
cert->common_name ? cert->common_name : "UNK"));
SNMP_FREE(cert->info.dir);
SNMP_FREE(cert->info.filename);
SNMP_FREE(cert->subject);
SNMP_FREE(cert->issuer);
SNMP_FREE(cert->fingerprint);
SNMP_FREE(cert->common_name);
if (cert->ocert)
X509_free(cert->ocert);
if (cert->key && cert->key->cert == cert)
cert->key->cert = NULL;
free(cert); /* SNMP_FREE not needed on parameters */
}
void
netsnmp_key_free(netsnmp_key *key)
{
if (NULL == key)
return;
DEBUGMSGT(("cert:key:struct:free","freeing key 0x%#lx, %s\n",
(u_long)key, key->info.filename ? key->info.filename : "UNK"));
SNMP_FREE(key->info.dir);
SNMP_FREE(key->info.filename);
EVP_PKEY_free(key->okey);
if (key->cert && key->cert->key == key)
key->cert->key = NULL;
free(key); /* SNMP_FREE not needed on parameters */
}
static void
_cert_free(netsnmp_cert *cert, void *context)
{
netsnmp_cert_free(cert);
}
static void
_key_free(netsnmp_key *key, void *context)
{
netsnmp_key_free(key);
}
static int
_cert_compare(netsnmp_cert *lhs, netsnmp_cert *rhs)
{
netsnmp_assert((lhs != NULL) && (rhs != NULL));
netsnmp_assert((lhs->fingerprint != NULL) &&
(rhs->fingerprint != NULL));
/** ignore hash type? */
return strcmp(lhs->fingerprint, rhs->fingerprint);
}
static int
_cert_path_compare(netsnmp_cert_common *lhs, netsnmp_cert_common *rhs)
{
int rc;
netsnmp_assert((lhs != NULL) && (rhs != NULL));
/** dir name first */
rc = strcmp(lhs->dir, rhs->dir);
if (rc)
return rc;
/** filename */
return strcmp(lhs->filename, rhs->filename);
}
static int
_cert_cn_compare(netsnmp_cert *lhs, netsnmp_cert *rhs)
{
int rc;
const char *lhcn, *rhcn;
netsnmp_assert((lhs != NULL) && (rhs != NULL));
if (NULL == lhs->common_name)
lhcn = "";
else
lhcn = lhs->common_name;
if (NULL == rhs->common_name)
rhcn = "";
else
rhcn = rhs->common_name;
rc = strcmp(lhcn, rhcn);
if (rc)
return rc;
/** in case of equal common names, sub-sort by path */
return _cert_path_compare((netsnmp_cert_common*)lhs,
(netsnmp_cert_common*)rhs);
}
static int
_cert_sn_compare(netsnmp_cert *lhs, netsnmp_cert *rhs)
{
int rc;
const char *lhsn, *rhsn;
netsnmp_assert((lhs != NULL) && (rhs != NULL));
if (NULL == lhs->subject)
lhsn = "";
else
lhsn = lhs->subject;
if (NULL == rhs->subject)
rhsn = "";
else
rhsn = rhs->subject;
rc = strcmp(lhsn, rhsn);
if (rc)
return rc;
/** in case of equal common names, sub-sort by path */
return _cert_path_compare((netsnmp_cert_common*)lhs,
(netsnmp_cert_common*)rhs);
}
static int
_cert_fn_compare(netsnmp_cert_common *lhs, netsnmp_cert_common *rhs)
{
int rc;
netsnmp_assert((lhs != NULL) && (rhs != NULL));
rc = strcmp(lhs->filename, rhs->filename);
if (rc)
return rc;
/** in case of equal common names, sub-sort by dir */
return strcmp(lhs->dir, rhs->dir);
}
static int
_cert_fn_ncompare(netsnmp_cert_common *lhs, netsnmp_cert_common *rhs)
{
netsnmp_assert((lhs != NULL) && (rhs != NULL));
netsnmp_assert((lhs->filename != NULL) && (rhs->filename != NULL));
return strncmp(lhs->filename, rhs->filename, strlen(rhs->filename));
}
static int
_cert_sn_ncompare(netsnmp_cert *lhs, netsnmp_cert *rhs)
{
netsnmp_assert((lhs != NULL) && (rhs != NULL));
netsnmp_assert((lhs->subject != NULL) && (rhs->subject != NULL));
return strncmp(lhs->subject, rhs->subject, strlen(rhs->subject));
}
static int
_cert_ext_type(const char *ext)
{
int rc = se_find_value_in_slist("cert_types", ext);
if (SE_DNE == rc)
return NS_CERT_TYPE_UNKNOWN;
return rc;
}
static int
_type_from_filename(const char *filename)
{
char *pos;
int type;
if (NULL == filename)
return NS_CERT_TYPE_UNKNOWN;
pos = strrchr(filename, '.');
if (NULL == pos)
return NS_CERT_TYPE_UNKNOWN;
type = _cert_ext_type(++pos);
return type;
}
/*
* filter functions; return 1 to include file, 0 to exclude
*/
static int
_cert_cert_filter(const char *filename)
{
int len = strlen(filename);
const char *pos;
if (len < 5) /* shortest name: x.YYY */
return 0;
pos = strrchr(filename, '.');
if (NULL == pos)
return 0;
if (_cert_ext_type(++pos) != NS_CERT_TYPE_UNKNOWN)
return 1;
return 0;
}
/* #####################################################################
*
* cert index functions
*
* This code mimics what the mib index code does. The persistent
* directory will have a subdirectory named 'cert_indexes'. Inside
* this directory will be some number of files with ascii numeric
* names (0, 1, 2, etc). Each of these files will start with a line
* with the text "DIR ", followed by a directory name. The rest of the
* file will be certificate fields and the certificate file name, one
* certificate per line. The numeric file name is the integer 'directory
* index'.
*/
/**
* _certindex_add
*
* add a directory name to the indexes
*/
static int
_certindex_add( const char *dirname, int i )
{
int rc;
char *dirname_copy = strdup(dirname);
if ( i == -1 ) {
int max = se_find_free_value_in_list(_certindexes);
if (SE_DNE == max)
i = 0;
else
i = max;
}
DEBUGMSGT(("cert:index:add","dir %s at index %d\n", dirname, i ));
rc = se_add_pair_to_list(&_certindexes, dirname_copy, i);
if (SE_OK != rc) {
snmp_log(LOG_ERR, "adding certindex dirname failed; "
"%d (%s) not added\n", i, dirname);
return -1;
}
return i;
}
/**
* _certindex_load
*
* read in the existing indexes
*/
static void
_certindexes_load( void )
{
DIR *dir;
struct dirent *file;
FILE *fp;
char filename[SNMP_MAXPATH], line[300];
int i;
char *cp, *pos;
/*
* Open the CERT index directory, or create it (empty)
*/
snprintf( filename, sizeof(filename), "%s/cert_indexes",
get_persistent_directory());
filename[sizeof(filename)-1] = 0;
dir = opendir( filename );
if ( dir == NULL ) {
DEBUGMSGT(("cert:index:load",
"creating new cert_indexes directory\n"));
mkdirhier( filename, NETSNMP_AGENT_DIRECTORY_MODE, 0);
return;
}
/*
* Create a list of which directory each file refers to
*/
while ((file = readdir( dir ))) {
if ( !isdigit(0xFF & file->d_name[0]))
continue;
i = atoi( file->d_name );
snprintf( filename, sizeof(filename), "%s/cert_indexes/%d",
get_persistent_directory(), i );
filename[sizeof(filename)-1] = 0;
fp = fopen( filename, "r" );
if ( !fp ) {
DEBUGMSGT(("cert:index:load", "error opening index (%d)\n", i));
continue;
}
cp = fgets( line, sizeof(line), fp );
if ( cp ) {
line[strlen(line)-1] = 0;
pos = strrchr(line, ' ');
if (pos)
*pos = '\0';
DEBUGMSGT(("9:cert:index:load","adding (%d) %s\n", i, line));
(void)_certindex_add( line+4, i ); /* Skip 'DIR ' */
} else {
DEBUGMSGT(("cert:index:load", "Empty index (%d)\n", i));
}
fclose( fp );
}
closedir( dir );
}
/**
* _certindex_lookup
*
* find index for a directory
*/
static char *
_certindex_lookup( const char *dirname )
{
int i;
char filename[SNMP_MAXPATH];
i = se_find_value_in_list(_certindexes, dirname);
if (SE_DNE == i) {
DEBUGMSGT(("9:cert:index:lookup","%s : (none)\n", dirname));
return NULL;
}
snprintf(filename, sizeof(filename), "%s/cert_indexes/%d",
get_persistent_directory(), i);
filename[sizeof(filename)-1] = 0;
DEBUGMSGT(("cert:index:lookup", "%s (%d) %s\n", dirname, i, filename ));
return strdup(filename);
}
static FILE *
_certindex_new( const char *dirname )
{
FILE *fp;
char filename[SNMP_MAXPATH], *cp;
int i;
cp = _certindex_lookup( dirname );
if (!cp) {
i = _certindex_add( dirname, -1 );
if (-1 == i)
return NULL; /* msg already logged */
snprintf( filename, sizeof(filename), "%s/cert_indexes/%d",
get_persistent_directory(), i );
filename[sizeof(filename)-1] = 0;
cp = filename;
}
DEBUGMSGT(("9:cert:index:new", "%s (%s)\n", dirname, cp ));
fp = fopen( cp, "w" );
if (fp)
fprintf( fp, "DIR %s %d\n", dirname, CERT_INDEX_FORMAT );
else
DEBUGMSGTL(("cert:index", "error opening new index file %s\n", dirname));
if (cp != filename)
free(cp);
return fp;
}
/* #####################################################################
*
* certificate utility functions
*
*/
static X509 *
netsnmp_ocert_get(netsnmp_cert *cert)
{
BIO *certbio;
X509 *ocert = NULL;
EVP_PKEY *okey = NULL;
char file[SNMP_MAXPATH];
int is_ca;
if (NULL == cert)
return NULL;
if (cert->ocert)
return cert->ocert;
if (NS_CERT_TYPE_UNKNOWN == cert->info.type) {
cert->info.type = _type_from_filename(cert->info.filename);
if (NS_CERT_TYPE_UNKNOWN == cert->info.type) {
snmp_log(LOG_ERR, "unknown certificate type %d for %s\n",
cert->info.type, cert->info.filename);
return NULL;
}
}
DEBUGMSGT(("9:cert:read", "Checking file %s\n", cert->info.filename));
certbio = BIO_new(BIO_s_file());
if (NULL == certbio) {
snmp_log(LOG_ERR, "error creating BIO\n");
return NULL;
}
snprintf(file, sizeof(file),"%s/%s", cert->info.dir, cert->info.filename);
if (BIO_read_filename(certbio, file) <=0) {
snmp_log(LOG_ERR, "error reading certificate %s into BIO\n", file);
BIO_vfree(certbio);
return NULL;
}
if (NS_CERT_TYPE_UNKNOWN == cert->info.type) {
char *pos = strrchr(cert->info.filename, '.');
if (NULL == pos)
return NULL;
cert->info.type = _cert_ext_type(++pos);
netsnmp_assert(cert->info.type != NS_CERT_TYPE_UNKNOWN);
}
switch (cert->info.type) {
case NS_CERT_TYPE_DER:
ocert = d2i_X509_bio(certbio,NULL); /* DER/ASN1 */
if (NULL != ocert)
break;
(void)BIO_reset(certbio);
/** FALLTHROUGH: check for PEM if DER didn't work */
case NS_CERT_TYPE_PEM:
ocert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL);
if (NULL == ocert)
break;
if (NS_CERT_TYPE_DER == cert->info.type) {
DEBUGMSGT(("9:cert:read", "Changing type from DER to PEM\n"));
cert->info.type = NS_CERT_TYPE_PEM;
}
/** check for private key too */
if (NULL == cert->key) {
(void)BIO_reset(certbio);
okey = PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL);
if (NULL != okey) {
netsnmp_key *key;
DEBUGMSGT(("cert:read:key", "found key with cert in %s\n",
cert->info.filename));
key = _new_key(cert->info.dir, cert->info.filename);
if (NULL != key) {
key->okey = okey;
if (-1 == CONTAINER_INSERT(_keys, key)) {
DEBUGMSGT(("cert:read:key:add",
"error inserting key into container\n"));
netsnmp_key_free(key);
key = NULL;
}
else {
DEBUGMSGT(("cert:read:partner", "%s match found!\n",
cert->info.filename));
key->cert = cert;
cert->key = key;
cert->info.allowed_uses |= NS_CERT_IDENTITY;
}
}
} /* null return from read */
} /* null key */
break;
#ifdef CERT_PKCS12_SUPPORT_MAYBE_LATER
case NS_CERT_TYPE_PKCS12:
(void)BIO_reset(certbio);
PKCS12 *p12 = d2i_PKCS12_bio(certbio, NULL);
if ( (NULL != p12) && (PKCS12_verify_mac(p12, "", 0) ||
PKCS12_verify_mac(p12, NULL, 0)))
PKCS12_parse(p12, "", NULL, &cert, NULL);
break;
#endif
default:
snmp_log(LOG_ERR, "unknown certificate type %d for %s\n",
cert->info.type, cert->info.filename);
}
BIO_vfree(certbio);
if (NULL == ocert) {
snmp_log(LOG_ERR, "error parsing certificate file %s\n",
cert->info.filename);
return NULL;
}
cert->ocert = ocert;
/*
* X509_check_ca return codes:
* 0 not a CA
* 1 is a CA
* 2 basicConstraints absent so "maybe" a CA
* 3 basicConstraints absent but self signed V1.
* 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
* 5 outdated Netscape Certificate Type CA extension.
*/
is_ca = X509_check_ca(ocert);
if (1 == is_ca)
cert->info.allowed_uses |= NS_CERT_CA;
if (NULL == cert->subject) {
cert->subject = X509_NAME_oneline(X509_get_subject_name(ocert), NULL,
0);
DEBUGMSGT(("9:cert:add:subject", "subject name: %s\n", cert->subject));
}
if (NULL == cert->issuer) {
cert->issuer = X509_NAME_oneline(X509_get_issuer_name(ocert), NULL, 0);
if (strcmp(cert->subject, cert->issuer) == 0) {
free(cert->issuer);
cert->issuer = strdup("self-signed");
}
DEBUGMSGT(("9:cert:add:issuer", "CA issuer: %s\n", cert->issuer));
}
if (NULL == cert->fingerprint) {
cert->hash_type = netsnmp_openssl_cert_get_hash_type(ocert);
cert->fingerprint =
netsnmp_openssl_cert_get_fingerprint(ocert, cert->hash_type);
}
if (NULL == cert->common_name) {
cert->common_name =netsnmp_openssl_cert_get_commonName(ocert, NULL,
NULL);
DEBUGMSGT(("9:cert:add:name","%s\n", cert->common_name));
}
return ocert;
}
EVP_PKEY *
netsnmp_okey_get(netsnmp_key *key)
{
BIO *keybio;
EVP_PKEY *okey;
char file[SNMP_MAXPATH];
if (NULL == key)
return NULL;
if (key->okey)
return key->okey;
snprintf(file, sizeof(file),"%s/%s", key->info.dir, key->info.filename);
DEBUGMSGT(("cert:key:read", "Checking file %s\n", key->info.filename));
keybio = BIO_new(BIO_s_file());
if (NULL == keybio) {
snmp_log(LOG_ERR, "error creating BIO\n");
return NULL;
}
if (BIO_read_filename(keybio, file) <=0) {
snmp_log(LOG_ERR, "error reading certificate %s into BIO\n",
key->info.filename);
BIO_vfree(keybio);
return NULL;
}
okey = PEM_read_bio_PrivateKey(keybio, NULL, NULL, NULL);
if (NULL == okey)
snmp_log(LOG_ERR, "error parsing certificate file %s\n",
key->info.filename);
else
key->okey = okey;
BIO_vfree(keybio);
return okey;
}
static netsnmp_cert *
_find_issuer(netsnmp_cert *cert)
{
netsnmp_void_array *matching;
netsnmp_cert *candidate, *issuer = NULL;
int i;
if ((NULL == cert) || (NULL == cert->issuer))
return NULL;
/** find matching subject names */
matching = _cert_find_subset_sn(cert->issuer);
if (NULL == matching)
return NULL;
/** check each to see if it's the issuer */
for ( i=0; (NULL == issuer) && (i < matching->size); ++i) {
/** make sure we have ocert */
candidate = (netsnmp_cert*)matching->array[i];
if ((NULL == candidate->ocert) &&
(netsnmp_ocert_get(candidate) == NULL))
continue;
/** compare **/
if (netsnmp_openssl_cert_issued_by(candidate->ocert, cert->ocert))
issuer = candidate;
} /** candidate loop */
free(matching->array);
free(matching);
return issuer;
}
#define CERT_LOAD_OK 0
#define CERT_LOAD_ERR -1
#define CERT_LOAD_PARTIAL -2
int
netsnmp_cert_load_x509(netsnmp_cert *cert)
{
int rc = CERT_LOAD_OK;
/** load ocert */
if ((NULL == cert->ocert) && (netsnmp_ocert_get(cert) == NULL)) {
DEBUGMSGT(("cert:load:err", "couldn't load cert for %s\n",
cert->info.filename));
rc = CERT_LOAD_ERR;
}
/** load key */
if ((NULL != cert->key) && (NULL == cert->key->okey) &&
(netsnmp_okey_get(cert->key) == NULL)) {
DEBUGMSGT(("cert:load:err", "couldn't load key for cert %s\n",
cert->info.filename));
rc = CERT_LOAD_ERR;
}
/** make sure we have cert chain */
for (; cert && cert->issuer; cert = cert->issuer_cert) {
/** skip self signed */
if (strcmp(cert->issuer, "self-signed") == 0) {
netsnmp_assert(cert->issuer_cert == NULL);
break;
}
/** get issuer cert */
if (NULL == cert->issuer_cert) {
cert->issuer_cert = _find_issuer(cert);
if (NULL == cert->issuer_cert) {
DEBUGMSGT(("cert:load:warn",
"couldn't load CA chain for cert %s\n",
cert->info.filename));
rc = CERT_LOAD_PARTIAL;
break;
}
}
/** get issuer ocert */
if ((NULL == cert->issuer_cert->ocert) &&
(netsnmp_ocert_get(cert->issuer_cert) == NULL)) {
DEBUGMSGT(("cert:load:warn", "couldn't load cert chain for %s\n",
cert->info.filename));
rc = CERT_LOAD_PARTIAL;
break;
}
} /* cert CA for loop */
return rc;
}
static void
_find_partner(netsnmp_cert *cert, netsnmp_key *key)
{
netsnmp_void_array *matching = NULL;
char filename[NAME_MAX], *pos;
if ((cert && key) || (!cert && ! key)) {
DEBUGMSGT(("cert:partner", "bad parameters searching for partner\n"));
return;
}
if(key) {
if (key->cert) {
DEBUGMSGT(("cert:partner", "key already has partner\n"));
return;
}
DEBUGMSGT(("9:cert:partner", "%s looking for partner near %s\n",
key->info.filename, key->info.dir));
snprintf(filename, sizeof(filename), "%s", key->info.filename);
pos = strrchr(filename, '.');
if (NULL == pos)
return;
*pos = 0;
matching = _cert_find_subset_fn( filename, key->info.dir );
if (!matching)
return;
if (1 == matching->size) {
cert = (netsnmp_cert*)matching->array[0];
if (NULL == cert->key) {
DEBUGMSGT(("cert:partner", "%s match found!\n",
cert->info.filename));
key->cert = cert;
cert->key = key;
cert->info.allowed_uses |= NS_CERT_IDENTITY;
}
else if (cert->key != key)
snmp_log(LOG_ERR, "%s matching cert already has partner\n",
cert->info.filename);
}
else
DEBUGMSGT(("cert:partner", "%s matches multiple certs\n",
key->info.filename));
}
else if(cert) {
if (cert->key) {
DEBUGMSGT(("cert:partner", "cert already has partner\n"));
return;
}
DEBUGMSGT(("9:cert:partner", "%s looking for partner\n",
cert->info.filename));
snprintf(filename, sizeof(filename), "%s", cert->info.filename);
pos = strrchr(filename, '.');
if (NULL == pos)
return;
*pos = 0;
matching = _key_find_subset(filename);
if (!matching)
return;
if (1 == matching->size) {
key = (netsnmp_key*)matching->array[0];
if (NULL == key->cert) {
DEBUGMSGT(("cert:partner", "%s found!\n", cert->info.filename));
key->cert = cert;
cert->key = key;
}
else if (key->cert != cert)
snmp_log(LOG_ERR, "%s matching key already has partner\n",
cert->info.filename);
}
else
DEBUGMSGT(("cert:partner", "%s matches multiple keys\n",
cert->info.filename));
}
if (matching) {
free(matching->array);
free(matching);
}
}
static int
_add_certfile(const char* dirname, const char* filename, FILE *index)
{
X509 *ocert;
EVP_PKEY *okey;
netsnmp_cert *cert = NULL;
netsnmp_key *key = NULL;
char certfile[SNMP_MAXPATH];
int type;
if (((const void*)NULL == dirname) || (NULL == filename))
return -1;
type = _type_from_filename(filename);
netsnmp_assert(type != NS_CERT_TYPE_UNKNOWN);
snprintf(certfile, sizeof(certfile),"%s/%s", dirname, filename);
DEBUGMSGT(("9:cert:file:add", "Checking file: %s (type %d)\n", filename,
type));
if (NS_CERT_TYPE_KEY == type) {
key = _new_key(dirname, filename);
if (NULL == key)
return -1;
okey = netsnmp_okey_get(key);
if (NULL == okey) {
netsnmp_key_free(key);
return -1;
}
key->okey = okey;
if (-1 == CONTAINER_INSERT(_keys, key)) {
DEBUGMSGT(("cert:key:file:add:err",
"error inserting key into container\n"));
netsnmp_key_free(key);
key = NULL;
}
}
else {
cert = _new_cert(dirname, filename, type, -1, NULL, NULL, NULL);
if (NULL == cert)
return -1;
ocert = netsnmp_ocert_get(cert);
if (NULL == ocert) {
netsnmp_cert_free(cert);
return -1;
}
cert->ocert = ocert;
if (-1 == CONTAINER_INSERT(_certs, cert)) {
DEBUGMSGT(("cert:file:add:err",
"error inserting cert into container\n"));
netsnmp_cert_free(cert);
cert = NULL;
}
}
if ((NULL == cert) && (NULL == key)) {
DEBUGMSGT(("cert:file:add:failure", "for %s\n", certfile));
return -1;
}
if (index) {
/** filename = NAME_MAX = 255 */
/** fingerprint = 60 */
/** common name / CN = 64 */
if (cert)
fprintf(index, "c:%s %d %d %s '%s' '%s'\n", filename,
cert->info.type, cert->hash_type, cert->fingerprint,
cert->common_name, cert->subject);
else if (key)
fprintf(index, "k:%s\n", filename);
}
return 0;
}
static int
_cert_read_index(const char *dirname, struct stat *dirstat)
{
FILE *index;
char *idxname, *pos;
struct stat idx_stat;
char tmpstr[SNMP_MAXPATH + 5], filename[NAME_MAX];
char fingerprint[60+1], common_name[64+1], type_str[15];
char subject[SNMP_MAXBUF_SMALL], hash_str[15];
int count = 0, type, hash, version;
netsnmp_cert *cert;
netsnmp_key *key;
netsnmp_container *newer, *found;
netsnmp_assert(NULL != dirname);
idxname = _certindex_lookup( dirname );
if (NULL == idxname) {
DEBUGMSGT(("cert:index:parse", "no index for cert directory\n"));
return -1;
}
/*
* see if directory has been modified more recently than the index
*/
if (stat(idxname, &idx_stat) != 0) {
DEBUGMSGT(("cert:index:parse", "error getting index file stats\n"));
SNMP_FREE(idxname);
return -1;
}
#if (defined(WIN32) || defined(cygwin))
/* For Win32 platforms, the directory does not maintain a last modification
* date that we can compare with the modification date of the .index file.
*/
#else
if (dirstat->st_mtime >= idx_stat.st_mtime) {
DEBUGMSGT(("cert:index:parse", "Index outdated; dir modified\n"));
SNMP_FREE(idxname);
return -1;
}
#endif
/*
* dir mtime doesn't change when files are touched, so we need to check
* each file against the index in case a file has been modified.
*/
newer =
netsnmp_directory_container_read_some(NULL, dirname,
(netsnmp_directory_filter*)
_time_filter,(void*)&idx_stat,
NETSNMP_DIR_NSFILE |
NETSNMP_DIR_NSFILE_STATS);
if (newer) {
DEBUGMSGT(("cert:index:parse", "Index outdated; files modified\n"));
CONTAINER_FREE_ALL(newer, NULL);
CONTAINER_FREE(newer);
SNMP_FREE(idxname);
return -1;
}
DEBUGMSGT(("cert:index:parse", "The index for %s looks good\n", dirname));
index = fopen(idxname, "r");
if (NULL == index) {
snmp_log(LOG_ERR, "cert:index:parse can't open index for %s\n",
dirname);
SNMP_FREE(idxname);
return -1;
}
found = _get_cert_container(idxname);
/*
* check index format version
*/
fgets(tmpstr, sizeof(tmpstr), index);
pos = strrchr(tmpstr, ' ');
if (pos) {
++pos;
version = atoi(pos);
}
if ((NULL == pos) || (version != CERT_INDEX_FORMAT)) {
DEBUGMSGT(("cert:index:add", "missing or wrong index format!\n"));
fclose(index);
SNMP_FREE(idxname);
return -1;
}
while (1) {
if (NULL == fgets(tmpstr, sizeof(tmpstr), index))
break;
if ('c' == tmpstr[0]) {
pos = &tmpstr[2];
if ((NULL == (pos=copy_nword(pos, filename, sizeof(filename)))) ||
(NULL == (pos=copy_nword(pos, type_str, sizeof(type_str)))) ||
(NULL == (pos=copy_nword(pos, hash_str, sizeof(hash_str)))) ||
(NULL == (pos=copy_nword(pos, fingerprint,
sizeof(fingerprint)))) ||
(NULL == (pos=copy_nword(pos, common_name,
sizeof(common_name)))) ||
(NULL != copy_nword(pos, subject, sizeof(subject)))) {
snmp_log(LOG_ERR, "_cert_read_index: error parsing line: %s\n",
tmpstr);
count = -1;
break;
}
type = atoi(type_str);
hash = atoi(hash_str);
cert = (void*)_new_cert(dirname, filename, type, hash, fingerprint,
common_name, subject);
if (cert && 0 == CONTAINER_INSERT(found, cert))
++count;
else {
DEBUGMSGT(("cert:index:add",
"error inserting cert into container\n"));
netsnmp_cert_free(cert);
cert = NULL;
}
}
else if ('k' == tmpstr[0]) {
if (NULL != copy_nword(&tmpstr[2], filename, sizeof(filename))) {
snmp_log(LOG_ERR, "_cert_read_index: error parsing line %s\n",
tmpstr);
continue;
}
key = _new_key(dirname, filename);
if (key && 0 == CONTAINER_INSERT(_keys, key))
++count;
else {
DEBUGMSGT(("cert:index:add:key",
"error inserting key into container\n"));
netsnmp_key_free(key);
}
}
else {
snmp_log(LOG_ERR, "unknown line in cert index for %s\n", dirname);
continue;
}
} /* while */
fclose(index);
SNMP_FREE(idxname);
if (count > 0) {
netsnmp_iterator *itr = CONTAINER_ITERATOR(found);
if (NULL == itr) {
snmp_log(LOG_ERR, "could not get iterator for found certs\n");
count = -1;
}
else {
cert = ITERATOR_FIRST(itr);
for( ; cert; cert = ITERATOR_NEXT(itr))
CONTAINER_INSERT(_certs, cert);
ITERATOR_RELEASE(itr);
DEBUGMSGT(("cert:index:parse","added %d certs from index\n",
count));
}
}
if (count < 0)
CONTAINER_FREE_ALL(found, NULL);
CONTAINER_FREE(found);
return count;
}
static int
_add_certdir(const char *dirname)
{
FILE *index;
char *file;
int count = 0;
netsnmp_container *cert_container;
netsnmp_iterator *it;
struct stat statbuf;
netsnmp_assert(NULL != dirname);
DEBUGMSGT(("9:cert:dir:add", " config dir: %s\n", dirname ));
if (stat(dirname, &statbuf) != 0) {
DEBUGMSGT(("9:cert:dir:add", " dir not present: %s\n",
dirname ));
return -1;
}
#ifdef S_ISDIR
if (!S_ISDIR(statbuf.st_mode)) {
DEBUGMSGT(("9:cert:dir:add", " not a dir: %s\n", dirname ));
return -1;
}
#endif
DEBUGMSGT(("cert:index:dir", "Scanning directory %s\n", dirname));
/*
* look for existing index
*/
count = _cert_read_index(dirname, &statbuf);
if (count >= 0)
return count;
index = _certindex_new( dirname );
if (NULL == index) {
DEBUGMSGT(("9:cert:index:dir",
"error opening index for cert directory\n"));
DEBUGMSGTL(("cert:index", "could not open certificate index file\n"));
}
/*
* index was missing, out of date or bad. rescan directory.
*/
cert_container =
netsnmp_directory_container_read_some(NULL, dirname,
(netsnmp_directory_filter*)
&_cert_cert_filter, NULL,
NETSNMP_DIR_RELATIVE_PATH |
NETSNMP_DIR_EMPTY_OK );
if (NULL == cert_container) {
DEBUGMSGT(("cert:index:dir",
"error creating container for cert files\n"));
goto err_index;
}
/*
* iterate through the found files and add them to index
*/
it = CONTAINER_ITERATOR(cert_container);
if (NULL == it) {
DEBUGMSGT(("cert:index:dir",
"error creating iterator for cert files\n"));
goto err_container;
}
for (file = ITERATOR_FIRST(it); file; file = ITERATOR_NEXT(it)) {
DEBUGMSGT(("cert:index:dir", "adding %s to index\n", file));
if ( 0 == _add_certfile( dirname, file, index ))
count++;
else
DEBUGMSGT(("cert:index:dir", "error adding %s to index\n",
file));
}
/*
* clean up and return
*/
ITERATOR_RELEASE(it);
err_container:
netsnmp_directory_container_free(cert_container);
err_index:
if (index)
fclose(index);
return count;
}
static void
_cert_indexes_load(void)
{
const char *confpath;
char *confpath_copy, *dir, *st = NULL;
char certdir[SNMP_MAXPATH];
const char *subdirs[] = { NULL, "ca-certs", "certs", "private", NULL };
int i = 0;
/*
* load indexes from persistent dir
*/
_certindexes_load();
/*
* duplicate path building from read_config_files_of_type() in
* read_config.c. That is, use SNMPCONFPATH environment variable if
* it is defined, otherwise use configuration directory.
*/
confpath = netsnmp_getenv("SNMPCONFPATH");
if (NULL == confpath)
confpath = get_configuration_directory();
subdirs[0] = netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID,
NETSNMP_DS_LIB_CERT_EXTRA_SUBDIR);
confpath_copy = strdup(confpath);
for ( dir = strtok_r(confpath_copy, ENV_SEPARATOR, &st);
dir; dir = strtok_r(NULL, ENV_SEPARATOR, &st)) {
i = (NULL == subdirs[0]) ? 1 : 0;
for ( ; subdirs[i] ; ++i ) {
/** check tls subdir */
snprintf(certdir, sizeof(certdir), "%s/tls/%s", dir, subdirs[i]);
_add_certdir(certdir);
} /* for subdirs */
} /* for conf path dirs */
SNMP_FREE(confpath_copy);
}
static void
_cert_print(netsnmp_cert *c, void *context)
{
if (NULL == c)
return;
DEBUGMSGT(("cert:dump", "cert %s in %s\n", c->info.filename, c->info.dir));
DEBUGMSGT(("cert:dump", " type %d flags 0x%x (%s)\n",
c->info.type, c->info.allowed_uses,
_mode_str(c->info.allowed_uses)));
DEBUGIF("9:cert:dump") {
if (NS_CERT_TYPE_KEY != c->info.type) {
if(c->subject) {
if (c->info.allowed_uses & NS_CERT_CA)
DEBUGMSGT(("9:cert:dump", " CA: %s\n", c->subject));
else
DEBUGMSGT(("9:cert:dump", " subject: %s\n", c->subject));
}
if(c->issuer)
DEBUGMSGT(("9:cert:dump", " issuer: %s\n", c->issuer));
if(c->fingerprint)
DEBUGMSGT(("9:cert:dump", " fingerprint: %s(%d):%s\n",
se_find_label_in_slist("cert_hash_alg", c->hash_type),
c->hash_type, c->fingerprint));
}
/* netsnmp_feature_require(cert_utils_dump_names) */
/* netsnmp_openssl_cert_dump_names(c->ocert); */
netsnmp_openssl_cert_dump_extensions(c->ocert);
}
}
static void
_key_print(netsnmp_key *k, void *context)
{
if (NULL == k)
return;
DEBUGMSGT(("cert:dump", "key %s in %s\n", k->info.filename, k->info.dir));
DEBUGMSGT(("cert:dump", " type %d flags 0x%x (%s)\n", k->info.type,
k->info.allowed_uses, _mode_str(k->info.allowed_uses)));
}
void
netsnmp_cert_dump_all(void)
{
CONTAINER_FOR_EACH(_certs, (netsnmp_container_obj_func*)_cert_print, NULL);
CONTAINER_FOR_EACH(_keys, (netsnmp_container_obj_func*)_key_print, NULL);
}
#ifdef CERT_MAIN
/*
* export BLD=~/net-snmp/build/ SRC=~/net-snmp/src
* cc -DCERT_MAIN `$BLD/net-snmp-config --cflags` `$BLD/net-snmp-config --build-includes $BLD/` $SRC/snmplib/cert_util.c -o cert_util `$BLD/net-snmp-config --build-lib-dirs $BLD` `$BLD/net-snmp-config --libs` -lcrypto -lssl
*
*/
int
main(int argc, char** argv)
{
int ch;
extern char *optarg;
while ((ch = getopt(argc, argv, "D:fHLMx:")) != EOF)
switch(ch) {
case 'D':
debug_register_tokens(optarg);
snmp_set_do_debugging(1);
break;
default:
fprintf(stderr,"unknown option %c\n", ch);
}
init_snmp("dtlsapp");
netsnmp_cert_dump_all();
return 0;
}
#endif /* CERT_MAIN */
static netsnmp_cert *_cert_find_fp(const char *fingerprint);
void
netsnmp_fp_lowercase_and_strip_colon(char *fp)
{
char *pos, *dest=NULL;
if(!fp)
return;
/** skip to first : */
for (pos = fp; *pos; ++pos ) {
if (':' == *pos) {
dest = pos;
break;
}
else
*pos = isalpha(0xFF & *pos) ? tolower(0xFF & *pos) : *pos;
}
if (!*pos)
return;
/** copy, skipping any ':' */
for (++pos; *pos; ++pos) {
if (':' == *pos)
continue;
*dest++ = isalpha(0xFF & *pos) ? tolower(0xFF & *pos) : *pos;
}
*dest = *pos; /* nul termination */
}
netsnmp_cert *
netsnmp_cert_find(int what, int where, void *hint)
{
netsnmp_cert *result = NULL;
char *fp, *hint_str;
DEBUGMSGT(("cert:find:params", "looking for %s(%d) in %s(0x%x), hint %lu\n",
_mode_str(what), what, _where_str(where), where, (u_long)hint));
if (NS_CERTKEY_DEFAULT == where) {
switch (what) {
case NS_CERT_IDENTITY: /* want my ID */
fp =
netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID,
NETSNMP_DS_LIB_TLS_LOCAL_CERT);
/** temp backwards compability; remove in 5.7 */
if (!fp) {
int tmp;
tmp = (ptrdiff_t)hint;
DEBUGMSGT(("cert:find:params", " hint = %s\n",
tmp ? "server" : "client"));
fp =
netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID, tmp ?
NETSNMP_DS_LIB_X509_SERVER_PUB :
NETSNMP_DS_LIB_X509_CLIENT_PUB );
}
if (!fp) {
/* As a special case, use the application type to
determine a file name to pull the default identity
from. */
return netsnmp_cert_find(what, NS_CERTKEY_FILE, netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_APPTYPE));
}
break;
case NS_CERT_REMOTE_PEER:
fp = netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID,
NETSNMP_DS_LIB_TLS_PEER_CERT);
/** temp backwards compability; remove in 5.7 */
if (!fp)
fp = netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID,
NETSNMP_DS_LIB_X509_SERVER_PUB);
break;
default:
DEBUGMSGT(("cert:find:err", "unhandled type %d for %s(%d)\n",
what, _where_str(where), where));
return NULL;
}
if (fp)
return netsnmp_cert_find(what, NS_CERTKEY_MULTIPLE, fp);
return NULL;
} /* where = ds store */
else if (NS_CERTKEY_MULTIPLE == where) {
/* tries multiple sources of certificates based on ascii lookup keys */
/* Try a fingerprint match first, which should always be done first */
/* (to avoid people naming filenames with conflicting FPs) */
result = netsnmp_cert_find(what, NS_CERTKEY_FINGERPRINT, hint);
if (!result) {
/* Then try a file name lookup */
result = netsnmp_cert_find(what, NS_CERTKEY_FILE, hint);
}
}
else if (NS_CERTKEY_FINGERPRINT == where) {
DEBUGMSGT(("cert:find:params", " hint = %s\n", (char *)hint));
result = _cert_find_fp((char *)hint);
}
else if (NS_CERTKEY_TARGET_PARAM == where) {
if (what != NS_CERT_IDENTITY) {
snmp_log(LOG_ERR, "only identity is valid for target params\n");
return NULL;
}
/** hint == target mib data */
hint_str = (char *)hint;
fp = _find_tlstmParams_fingerprint(hint_str);
if (NULL != fp)
result = _cert_find_fp(fp);
}
else if (NS_CERTKEY_TARGET_ADDR == where) {
/** hint == target mib data */
if (what != NS_CERT_REMOTE_PEER) {
snmp_log(LOG_ERR, "only peer is valid for target addr\n");
return NULL;
}
/** hint == target mib data */
hint_str = (char *)hint;
fp = _find_tlstmAddr_fingerprint(hint_str);
if (NULL != fp)
result = _cert_find_fp(fp);
}
else if (NS_CERTKEY_FILE == where) {
/** hint == filename */
char *filename = (char*)hint;
netsnmp_void_array *matching;
DEBUGMSGT(("cert:find:params", " hint = %s\n", (char *)hint));
matching = _cert_find_subset_fn( filename, NULL );
if (!matching)
return NULL;
if (1 == matching->size)
result = (netsnmp_cert*)matching->array[0];
else {
DEBUGMSGT(("cert:find:err", "%s matches multiple certs\n",
filename));
result = NULL;
}
free(matching->array);
free(matching);
} /* where = NS_CERTKEY_FILE */
else { /* unknown location */
DEBUGMSGT(("cert:find:err", "unhandled location %d for %d\n", where,
what));
return NULL;
}
if (NULL == result)
return NULL;
/** make sure result found can be used for specified type */
if (!(result->info.allowed_uses & what)) {
DEBUGMSGT(("cert:find:err",
"cert %s / %s not allowed for %s(%d) (uses=%s (%d))\n",
result->info.filename, result->fingerprint, _mode_str(what),
what , _mode_str(result->info.allowed_uses),
result->info.allowed_uses));
return NULL;
}
/** make sure we have the cert data */
if (netsnmp_cert_load_x509(result) == CERT_LOAD_ERR)
return NULL;
DEBUGMSGT(("cert:find:found",
"using cert %s / %s for %s(%d) (uses=%s (%d))\n",
result->info.filename, result->fingerprint, _mode_str(what),
what , _mode_str(result->info.allowed_uses),
result->info.allowed_uses));
return result;
}
#ifndef NETSNMP_FEATURE_REMOVE_CERT_FINGERPRINTS
int
netsnmp_cert_check_vb_fingerprint(const netsnmp_variable_list *var)
{
if (!var)
return SNMP_ERR_GENERR;
if (0 == var->val_len) /* empty allowed in some cases */
return SNMP_ERR_NOERROR;
if (! (0x01 & var->val_len)) { /* odd len */
DEBUGMSGT(("cert:varbind:fingerprint",
"expecting odd length for fingerprint\n"));
return SNMP_ERR_WRONGLENGTH;
}
if (var->val.string[0] > NS_HASH_MAX) {
DEBUGMSGT(("cert:varbind:fingerprint", "hashtype %d > max %d\n",
var->val.string[0], NS_HASH_MAX));
return SNMP_ERR_WRONGVALUE;
}
return SNMP_ERR_NOERROR;
}
/**
* break a SnmpTLSFingerprint into an integer hash type + hex string
*
* @return SNMPERR_SUCCESS : on success
* @return SNMPERR_GENERR : on failure
*/
int
netsnmp_tls_fingerprint_parse(const u_char *binary_fp, int fp_len,
char **fp_str_ptr, u_int *fp_str_len, int realloc,
u_char *hash_type_ptr)
{
int needed;
size_t fp_str_size;
netsnmp_require_ptr_LRV( hash_type_ptr, SNMPERR_GENERR );
netsnmp_require_ptr_LRV( fp_str_ptr, SNMPERR_GENERR );
netsnmp_require_ptr_LRV( fp_str_len, SNMPERR_GENERR );
/*
* output string is binary fp length (minus 1 for initial hash type
* char) * 2 for bin to hex conversion, + 1 for null termination.
*/
needed = ((fp_len - 1) * 2) + 1;
if (*fp_str_len < needed) {
DEBUGMSGT(("tls:fp:parse", "need %d bytes for output\n", needed ));
return SNMPERR_GENERR;
}
/*
* make sure hash type is in valid range
*/
if ((0 == binary_fp[0]) || (binary_fp[0] > NS_HASH_MAX)) {
DEBUGMSGT(("tls:fp:parse", "invalid hash type %d\n",
binary_fp[0]));
return SNMPERR_GENERR;
}
/*
* netsnmp_binary_to_hex allocate space for string, if needed
*/
fp_str_size = *fp_str_len;
*hash_type_ptr = binary_fp[0];
netsnmp_binary_to_hex((u_char**)fp_str_ptr, &fp_str_size,
realloc, &binary_fp[1], fp_len - 1);
*fp_str_len = fp_str_size;
if (0 == *fp_str_len)
return SNMPERR_GENERR;
return SNMPERR_SUCCESS;
}
#endif /* NETSNMP_FEATURE_REMOVE_CERT_FINGERPRINTS */
#ifndef NETSNMP_FEATURE_REMOVE_TLS_FINGERPRINT_BUILD
/**
* combine a hash type and hex fingerprint into a SnmpTLSFingerprint
*
* On entry, tls_fp_len should point to the size of the tls_fp buffer.
* On a successful exit, tls_fp_len will contain the length of the
* fingerprint buffer.
*/
int
netsnmp_tls_fingerprint_build(int hash_type, const char *hex_fp,
u_char **tls_fp, size_t *tls_fp_len,
int realloc)
{
int hex_fp_len, rc;
size_t tls_fp_size;
size_t offset;
netsnmp_require_ptr_LRV( hex_fp, SNMPERR_GENERR );
netsnmp_require_ptr_LRV( tls_fp, SNMPERR_GENERR );
netsnmp_require_ptr_LRV( tls_fp_len, SNMPERR_GENERR );
hex_fp_len = strlen(hex_fp);
if (0 == hex_fp_len) {
*tls_fp_len = 0;
return SNMPERR_SUCCESS;
}
if ((hash_type <= NS_HASH_NONE) || (hash_type > NS_HASH_MAX)) {
DEBUGMSGT(("tls:fp:build", "invalid hash type %d\n", hash_type ));
return SNMPERR_GENERR;
}
/*
* convert to binary
*/
offset = 1;
rc = netsnmp_hex_to_binary(tls_fp, &tls_fp_size, &offset, realloc, hex_fp,
":");
*tls_fp_len = tls_fp_size;
if (rc != 1)
return SNMPERR_GENERR;
*tls_fp_len = offset;
(*tls_fp)[0] = hash_type;
return SNMPERR_SUCCESS;
}
#endif /* NETSNMP_FEATURE_REMOVE_TLS_FINGERPRINT_BUILD */
/**
* Trusts a given certificate for use in TLS translations.
*
* @param ctx The SSL context to trust the certificate in
* @param thiscert The netsnmp_cert certificate to trust
*
* @return SNMPERR_SUCCESS : on success
* @return SNMPERR_GENERR : on failure
*/
int
netsnmp_cert_trust(SSL_CTX *ctx, netsnmp_cert *thiscert)
{
X509_STORE *certstore;
X509 *cert;
char *fingerprint;
/* ensure all needed pieces are present */
netsnmp_assert_or_msgreturn(NULL != thiscert, "NULL certificate passed in",
SNMPERR_GENERR);
netsnmp_assert_or_msgreturn(NULL != thiscert->info.dir,
"NULL certificate directory name passed in",
SNMPERR_GENERR);
netsnmp_assert_or_msgreturn(NULL != thiscert->info.filename,
"NULL certificate filename name passed in",
SNMPERR_GENERR);
/* get the trusted certificate store and the certificate to load into it */
certstore = SSL_CTX_get_cert_store(ctx);
netsnmp_assert_or_msgreturn(NULL != certstore,
"failed to get certificate trust store",
SNMPERR_GENERR);
cert = netsnmp_ocert_get(thiscert);
netsnmp_assert_or_msgreturn(NULL != cert,
"failed to get certificate from netsnmp_cert",
SNMPERR_GENERR);
/* Put the certificate into the store */
fingerprint = netsnmp_openssl_cert_get_fingerprint(cert, -1);
DEBUGMSGTL(("cert:trust",
"putting trusted cert %p = %s in certstore %p\n", cert,
fingerprint, certstore));
SNMP_FREE(fingerprint);
X509_STORE_add_cert(certstore, cert);
return SNMPERR_SUCCESS;
}
/**
* Trusts a given certificate's root CA for use in TLS translations.
* If no issuer is found the existing certificate will be trusted instead.
*
* @param ctx The SSL context to trust the certificate in
* @param thiscert The netsnmp_cert certificate
*
* @return SNMPERR_SUCCESS : on success
* @return SNMPERR_GENERR : on failure
*/
int
netsnmp_cert_trust_ca(SSL_CTX *ctx, netsnmp_cert *thiscert)
{
netsnmp_assert_or_msgreturn(NULL != thiscert, "NULL certificate passed in",
SNMPERR_GENERR);
/* find the root CA certificate in the chain */
DEBUGMSGTL(("cert:trust_ca", "checking roots for %p \n", thiscert));
while (thiscert->issuer_cert) {
thiscert = thiscert->issuer_cert;
DEBUGMSGTL(("cert:trust_ca", " up one to %p\n", thiscert));
}
/* Add the found top lever certificate to the store */
return netsnmp_cert_trust(ctx, thiscert);
}
netsnmp_container *
netsnmp_cert_get_trustlist(void)
{
if (!_trusted_certs)
_setup_trusted_certs();
return _trusted_certs;
}
static void
_parse_trustcert(const char *token, char *line)
{
if (!_trusted_certs)
_setup_trusted_certs();
if (!_trusted_certs)
return;
CONTAINER_INSERT(_trusted_certs, strdup(line));
}
/* ***************************************************************************
*
* mode text functions
*
*/
static const char *_mode_str(u_char mode)
{
return _modes[mode];
}
static const char *_where_str(u_int what)
{
switch (what) {
case NS_CERTKEY_DEFAULT: return "DEFAULT";
case NS_CERTKEY_FILE: return "FILE";
case NS_CERTKEY_FINGERPRINT: return "FINGERPRINT";
case NS_CERTKEY_MULTIPLE: return "MULTIPLE";
case NS_CERTKEY_CA: return "CA";
case NS_CERTKEY_SAN_RFC822: return "SAN_RFC822";
case NS_CERTKEY_SAN_DNS: return "SAN_DNS";
case NS_CERTKEY_SAN_IPADDR: return "SAN_IPADDR";
case NS_CERTKEY_COMMON_NAME: return "COMMON_NAME";
case NS_CERTKEY_TARGET_PARAM: return "TARGET_PARAM";
case NS_CERTKEY_TARGET_ADDR: return "TARGET_ADDR";
}
return "UNKNOWN";
}
/* ***************************************************************************
*
* find functions
*
*/
static netsnmp_cert *
_cert_find_fp(const char *fingerprint)
{
netsnmp_cert cert, *result = NULL;
char fp[EVP_MAX_MD_SIZE];
if (NULL == fingerprint)
return NULL;
strlcpy(fp, fingerprint, sizeof(fp));
netsnmp_fp_lowercase_and_strip_colon(fp);
/** clear search key */
memset(&cert, 0x00, sizeof(cert));
cert.fingerprint = fp;
result = CONTAINER_FIND(_certs,&cert);
return result;
}
/*
* reduce subset by eliminating any filenames that are longer than
* the specified file name. e.g. 'snmp' would match 'snmp.key' and
* 'snmpd.key'. We only want 'snmp.X', where X is a valid extension.
*/
static void
_reduce_subset(netsnmp_void_array *matching, const char *filename)
{
netsnmp_cert_common *cc;
int i = 0, j, newsize, pos;
if ((NULL == matching) || (NULL == filename))
return;
pos = strlen(filename);
newsize = matching->size;
for( ; i < matching->size; ) {
/*
* if we've shifted matches down we'll hit a NULL entry before
* we hit the end of the array.
*/
if (NULL == matching->array[i])
break;
/*
* skip over valid matches. Note that we do not want to use
* _type_from_filename.
*/
cc = (netsnmp_cert_common*)matching->array[i];
if (('.' == cc->filename[pos]) &&
(NS_CERT_TYPE_UNKNOWN != _cert_ext_type(&cc->filename[pos+1]))) {
++i;
continue;
}
/*
* shrink array by shifting everything down a spot. Might not be
* the most efficient soloution, but this is just happening at
* startup and hopefully most certs won't have common prefixes.
*/
--newsize;
for ( j=i; j < newsize; ++j )
matching->array[j] = matching->array[j+1];
matching->array[j] = NULL;
/** no ++i; just shifted down, need to look at same position again */
}
/*
* if we shifted, set the new size
*/
if (newsize != matching->size) {
DEBUGMSGT(("9:cert:subset:reduce", "shrank from %" NETSNMP_PRIz "d to %d\n",
matching->size, newsize));
matching->size = newsize;
}
}
/*
* reduce subset by eliminating any filenames that are not under the
* specified directory path.
*/
static void
_reduce_subset_dir(netsnmp_void_array *matching, const char *directory)
{
netsnmp_cert_common *cc;
int i = 0, j, newsize, dir_len;
char dir[SNMP_MAXPATH], *pos;
if ((NULL == matching) || (NULL == directory))
return;
newsize = matching->size;
/*
* dir struct should be something like
* /usr/share/snmp/tls/certs
* /usr/share/snmp/tls/private
*
* so we want to backup up on directory for compares..
*/
strlcpy(dir, directory, sizeof(dir));
pos = strrchr(dir, '/');
if (NULL == pos) {
DEBUGMSGTL(("cert:subset:dir", "no '/' in directory %s\n", directory));
return;
}
*pos = '\0';
dir_len = strlen(dir);
for( ; i < matching->size; ) {
/*
* if we've shifted matches down we'll hit a NULL entry before
* we hit the end of the array.
*/
if (NULL == matching->array[i])
break;
/*
* skip over valid matches.
*/
cc = (netsnmp_cert_common*)matching->array[i];
if (strncmp(dir, cc->dir, dir_len) == 0) {
++i;
continue;
}
/*
* shrink array by shifting everything down a spot. Might not be
* the most efficient soloution, but this is just happening at
* startup and hopefully most certs won't have common prefixes.
*/
--newsize;
for ( j=i; j < newsize; ++j )
matching->array[j] = matching->array[j+1];
matching->array[j] = NULL;
/** no ++i; just shifted down, need to look at same position again */
}
/*
* if we shifted, set the new size
*/
if (newsize != matching->size) {
DEBUGMSGT(("9:cert:subset:dir", "shrank from %" NETSNMP_PRIz "d to %d\n",
matching->size, newsize));
matching->size = newsize;
}
}
static netsnmp_void_array *
_cert_find_subset_common(const char *filename, netsnmp_container *container)
{
netsnmp_cert_common search;
netsnmp_void_array *matching;
netsnmp_assert(filename && container);
memset(&search, 0x00, sizeof(search)); /* clear search key */
search.filename = NETSNMP_REMOVE_CONST(char*,filename);
matching = CONTAINER_GET_SUBSET(container, &search);
DEBUGMSGT(("9:cert:subset:found", "%" NETSNMP_PRIz "d matches\n", matching ?
matching->size : 0));
if (matching && matching->size > 1) {
_reduce_subset(matching, filename);
if (0 == matching->size) {
free(matching->array);
SNMP_FREE(matching);
}
}
return matching;
}
static netsnmp_void_array *
_cert_find_subset_fn(const char *filename, const char *directory)
{
netsnmp_container *fn_container;
netsnmp_void_array *matching;
/** find subcontainer with filename as key */
fn_container = SUBCONTAINER_FIND(_certs, "certs_fn");
netsnmp_assert(fn_container);
matching = _cert_find_subset_common(filename, fn_container);
if (matching && (matching->size > 1) && directory) {
_reduce_subset_dir(matching, directory);
if (0 == matching->size) {
free(matching->array);
SNMP_FREE(matching);
}
}
return matching;
}
static netsnmp_void_array *
_cert_find_subset_sn(const char *subject)
{
netsnmp_cert search;
netsnmp_void_array *matching;
netsnmp_container *sn_container;
/** find subcontainer with subject as key */
sn_container = SUBCONTAINER_FIND(_certs, "certs_sn");
netsnmp_assert(sn_container);
memset(&search, 0x00, sizeof(search)); /* clear search key */
search.subject = NETSNMP_REMOVE_CONST(char*,subject);
matching = CONTAINER_GET_SUBSET(sn_container, &search);
DEBUGMSGT(("9:cert:subset:found", "%" NETSNMP_PRIz "d matches\n", matching ?
matching->size : 0));
return matching;
}
static netsnmp_void_array *
_key_find_subset(const char *filename)
{
return _cert_find_subset_common(filename, _keys);
}
/** find all entries matching given fingerprint */
static netsnmp_void_array *
_find_subset_fp(netsnmp_container *certs, const char *fp)
{
netsnmp_cert_map entry;
netsnmp_container *fp_container;
netsnmp_void_array *va;
if ((NULL == certs) || (NULL == fp))
return NULL;
fp_container = SUBCONTAINER_FIND(certs, "cert2sn_fp");
netsnmp_assert_or_msgreturn(fp_container, "cert2sn_fp container missing",
NULL);
memset(&entry, 0x0, sizeof(entry));
entry.fingerprint = NETSNMP_REMOVE_CONST(char*,fp);
va = CONTAINER_GET_SUBSET(fp_container, &entry);
return va;
}
#if 0 /* not used yet */
static netsnmp_key *
_key_find_fn(const char *filename)
{
netsnmp_key key, *result = NULL;
netsnmp_assert(NULL != filename);
memset(&key, 0x00, sizeof(key)); /* clear search key */
key.info.filename = NETSNMP_REMOVE_CONST(char*,filename);
result = CONTAINER_FIND(_keys,&key);
return result;
}
#endif
static int
_time_filter(netsnmp_file *f, struct stat *idx)
{
/** include if mtime or ctime newer than index mtime */
if (f && idx && f->stats &&
((f->stats->st_mtime >= idx->st_mtime) ||
(f->stats->st_ctime >= idx->st_mtime)))
return NETSNMP_DIR_INCLUDE;
return NETSNMP_DIR_EXCLUDE;
}
/* ***************************************************************************
* ***************************************************************************
*
*
* cert map functions
*
*
* ***************************************************************************
* ***************************************************************************/
#define MAP_CONFIG_TOKEN "certSecName"
static void _parse_map(const char *token, char *line);
static void _map_free(netsnmp_cert_map* entry, void *ctx);
static void _purge_config_entries(void);
static void
_init_tlstmCertToTSN(void)
{
const char *certSecName_help = MAP_CONFIG_TOKEN " PRIORITY FINGERPRINT "
"[--shaNN|md5] <--sn SECNAME | --rfc822 | --dns | --ip | --cn | --any>";
/*
* container for cert to fingerprint mapping, with fingerprint key
*/
_maps = netsnmp_cert_map_container_create(1);
register_config_handler(NULL, MAP_CONFIG_TOKEN, _parse_map, _purge_config_entries,
certSecName_help);
}
netsnmp_cert_map *
netsnmp_cert_map_alloc(char *fingerprint, X509 *ocert)
{
netsnmp_cert_map *cert_map = SNMP_MALLOC_TYPEDEF(netsnmp_cert_map);
if (NULL == cert_map) {
snmp_log(LOG_ERR, "could not allocate netsnmp_cert_map\n");
return NULL;
}
if (fingerprint) {
/** MIB limits to 255 bytes; 2x since we've got ascii */
if (strlen(fingerprint) > (SNMPADMINLENGTH * 2)) {
snmp_log(LOG_ERR, "fingerprint %s exceeds max length %d\n",
fingerprint, (SNMPADMINLENGTH * 2));
free(cert_map);
return NULL;
}
cert_map->fingerprint = strdup(fingerprint);
}
if (ocert) {
cert_map->hashType = netsnmp_openssl_cert_get_hash_type(ocert);
cert_map->ocert = ocert;
}
return cert_map;
}
void
netsnmp_cert_map_free(netsnmp_cert_map *cert_map)
{
if (NULL == cert_map)
return;
SNMP_FREE(cert_map->fingerprint);
SNMP_FREE(cert_map->data);
/** x509 cert isn't ours */
free(cert_map); /* SNMP_FREE wasted on param */
}
int
netsnmp_cert_map_add(netsnmp_cert_map *map)
{
int rc;
if (NULL == map)
return -1;
DEBUGMSGTL(("cert:map:add", "pri %d, fp %s\n",
map->priority, map->fingerprint));
if ((rc = CONTAINER_INSERT(_maps, map)) != 0)
snmp_log(LOG_ERR, "could not insert new certificate map");
return rc;
}
#ifndef NETSNMP_FEATURE_REMOVE_CERT_MAP_REMOVE
int
netsnmp_cert_map_remove(netsnmp_cert_map *map)
{
int rc;
if (NULL == map)
return -1;
DEBUGMSGTL(("cert:map:remove", "pri %d, fp %s\n",
map->priority, map->fingerprint));
if ((rc = CONTAINER_REMOVE(_maps, map)) != 0)
snmp_log(LOG_ERR, "could not remove certificate map");
return rc;
}
#endif /* NETSNMP_FEATURE_REMOVE_CERT_MAP_REMOVE */
#ifndef NETSNMP_FEATURE_REMOVE_CERT_MAP_FIND
netsnmp_cert_map *
netsnmp_cert_map_find(netsnmp_cert_map *map)
{
if (NULL == map)
return NULL;
return CONTAINER_FIND(_maps, map);
}
#endif /* NETSNMP_FEATURE_REMOVE_CERT_MAP_FIND */
static void
_map_free(netsnmp_cert_map *map, void *context)
{
netsnmp_cert_map_free(map);
}
static int
_map_compare(netsnmp_cert_map *lhs, netsnmp_cert_map *rhs)
{
netsnmp_assert((lhs != NULL) && (rhs != NULL));
if (lhs->priority < rhs->priority)
return -1;
else if (lhs->priority > rhs->priority)
return 1;
return strcmp(lhs->fingerprint, rhs->fingerprint);
}
static int
_map_fp_compare(netsnmp_cert_map *lhs, netsnmp_cert_map *rhs)
{
int rc;
netsnmp_assert((lhs != NULL) && (rhs != NULL));
if ((rc = strcmp(lhs->fingerprint, rhs->fingerprint)) != 0)
return rc;
if (lhs->priority < rhs->priority)
return -1;
else if (lhs->priority > rhs->priority)
return 1;
return 0;
}
static int
_map_fp_ncompare(netsnmp_cert_map *lhs, netsnmp_cert_map *rhs)
{
netsnmp_assert((lhs != NULL) && (rhs != NULL));
return strncmp(lhs->fingerprint, rhs->fingerprint,
strlen(rhs->fingerprint));
}
netsnmp_container *
netsnmp_cert_map_container_create(int with_fp)
{
netsnmp_container *chain_map, *fp;
chain_map = netsnmp_container_find("cert_map:stack:binary_array");
if (NULL == chain_map) {
snmp_log(LOG_ERR, "could not allocate container for cert_map\n");
return NULL;
}
chain_map->container_name = strdup("cert_map");
chain_map->free_item = (netsnmp_container_obj_func*)_map_free;
chain_map->compare = (netsnmp_container_compare*)_map_compare;
if (!with_fp)
return chain_map;
/*
* add a secondary index to the table container
*/
fp = netsnmp_container_find("cert2sn_fp:binary_array");
if (NULL == fp) {
snmp_log(LOG_ERR,
"error creating sub-container for tlstmCertToTSNTable\n");
CONTAINER_FREE(chain_map);
return NULL;
}
fp->container_name = strdup("cert2sn_fp");
fp->compare = (netsnmp_container_compare*)_map_fp_compare;
fp->ncompare = (netsnmp_container_compare*)_map_fp_ncompare;
netsnmp_container_add_index(chain_map, fp);
return chain_map;
}
int
netsnmp_cert_parse_hash_type(const char *str)
{
int rc = se_find_value_in_slist("cert_hash_alg", str);
if (SE_DNE == rc)
return NS_HASH_NONE;
return rc;
}
void
netsnmp_cert_map_container_free(netsnmp_container *c)
{
if (NULL == c)
return;
CONTAINER_FREE_ALL(c, NULL);
CONTAINER_FREE(c);
}
/** clear out config rows
* called during reconfig processing (e.g. SIGHUP)
*/
static void
_purge_config_entries(void)
{
/**
** dup container
** iterate looking for NSCM_FROM_CONFIG flag
** delete from original
** delete dup
**/
netsnmp_iterator *itr;
netsnmp_cert_map *cert_map;
netsnmp_container *cert_maps = netsnmp_cert_map_container();
netsnmp_container *tmp_maps = NULL;
if ((NULL == cert_maps) || (CONTAINER_SIZE(cert_maps) == 0))
return;
DEBUGMSGT(("cert:map:reconfig", "removing locally configured rows\n"));
/*
* duplicate cert_maps and then iterate over the copy. That way we can
* add/remove to cert_maps without distrubing the iterator.
xx
*/
tmp_maps = CONTAINER_DUP(cert_maps, NULL, 0);
if (NULL == tmp_maps) {
snmp_log(LOG_ERR, "could not duplicate maps for reconfig\n");
return;
}
itr = CONTAINER_ITERATOR(tmp_maps);
if (NULL == itr) {
snmp_log(LOG_ERR, "could not get iterator for reconfig\n");
CONTAINER_FREE(tmp_maps);
return;
}
cert_map = ITERATOR_FIRST(itr);
for( ; cert_map; cert_map = ITERATOR_NEXT(itr)) {
if (!(cert_map->flags & NSCM_FROM_CONFIG))
continue;
if (CONTAINER_REMOVE(cert_maps, cert_map) == 0)
netsnmp_cert_map_free(cert_map);
}
ITERATOR_RELEASE(itr);
CONTAINER_FREE(tmp_maps);
return;
}
/*
certSecName PRIORITY [--shaNN|md5] FINGERPRINT <--sn SECNAME | --rfc822 | --dns | --ip | --cn | --any>
certSecName 100 ff:..11 --sn Wes
certSecName 200 ee:..:22 --sn JohnDoe
certSecName 300 ee:..:22 --rfc822
*/
netsnmp_cert_map *
netsnmp_certToTSN_parse_common(char **line)
{
netsnmp_cert_map *map;
char *tmp, buf[SNMP_MAXBUF_SMALL];
size_t len;
netsnmp_cert *tmpcert;
if ((NULL == line) || (NULL == *line))
return NULL;
/** need somewhere to save rows */
if (NULL == _maps) {
NETSNMP_LOGONCE((LOG_ERR, "no container for certificate mappings\n"));
return NULL;
}
DEBUGMSGT(("cert:util:config", "parsing %s\n", *line));
/* read the priority */
len = sizeof(buf);
tmp = buf;
*line = read_config_read_octet_string(*line, (u_char **)&tmp, &len);
tmp[len] = 0;
if (!isdigit(0xFF & tmp[0])) {
netsnmp_config_error("could not parse priority");
return NULL;
}
map = netsnmp_cert_map_alloc(NULL, NULL);
if (NULL == map) {
netsnmp_config_error("could not allocate cert map struct");
return NULL;
}
map->flags |= NSCM_FROM_CONFIG;
map->priority = atoi(buf);
/* read the flag or the fingerprint */
len = sizeof(buf);
tmp = buf;
*line = read_config_read_octet_string(*line, (u_char **)&tmp, &len);
tmp[len] = 0;
if ((buf[0] == '-') && (buf[1] == '-')) {
map->hashType = netsnmp_cert_parse_hash_type(&buf[2]);
if (NS_HASH_NONE == map->hashType) {
netsnmp_config_error("invalid hash type");
goto end;
}
/** set up for fingerprint */
len = sizeof(buf);
tmp = buf;
*line = read_config_read_octet_string(*line, (u_char **)&tmp, &len);
tmp[len] = 0;
}
else
map->hashType = NS_HASH_SHA1;
/* look up the fingerprint */
tmpcert = netsnmp_cert_find(NS_CERT_REMOTE_PEER, NS_CERTKEY_MULTIPLE, buf);
if (NULL == tmpcert) {
/* assume it's a raw fingerprint we don't have */
netsnmp_fp_lowercase_and_strip_colon(buf);
map->fingerprint = strdup(buf);
} else {
map->fingerprint =
netsnmp_openssl_cert_get_fingerprint(tmpcert->ocert, -1);
}
if (NULL == *line) {
netsnmp_config_error("must specify map type");
goto end;
}
/* read the mapping type */
len = sizeof(buf);
tmp = buf;
*line = read_config_read_octet_string(*line, (u_char **)&tmp, &len);
tmp[len] = 0;
if ((buf[0] != '-') || (buf[1] != '-')) {
netsnmp_config_error("unexpected fromat: %s\n", *line);
goto end;
}
if (strcmp(&buf[2], "sn") == 0) {
if (NULL == *line) {
netsnmp_config_error("must specify secName for --sn");
goto end;
}
len = sizeof(buf);
tmp = buf;
*line = read_config_read_octet_string(*line, (u_char **)&tmp, &len);
map->data = strdup(buf);
if (map->data)
map->mapType = TSNM_tlstmCertSpecified;
}
else if (strcmp(&buf[2], "cn") == 0)
map->mapType = TSNM_tlstmCertCommonName;
else if (strcmp(&buf[2], "ip") == 0)
map->mapType = TSNM_tlstmCertSANIpAddress;
else if (strcmp(&buf[2], "rfc822") == 0)
map->mapType = TSNM_tlstmCertSANRFC822Name;
else if (strcmp(&buf[2], "dns") == 0)
map->mapType = TSNM_tlstmCertSANDNSName;
else if (strcmp(&buf[2], "any") == 0)
map->mapType = TSNM_tlstmCertSANAny;
else
netsnmp_config_error("unknown argument %s\n", buf);
end:
if (0 == map->mapType) {
netsnmp_cert_map_free(map);
map = NULL;
}
return map;
}
static void
_parse_map(const char *token, char *line)
{
netsnmp_cert_map *map = netsnmp_certToTSN_parse_common(&line);
if (NULL == map)
return;
if (netsnmp_cert_map_add(map) != 0) {
netsnmp_cert_map_free(map);
netsnmp_config_error(MAP_CONFIG_TOKEN
": duplicate priority for certificate map");
}
}
static int
_fill_cert_map(netsnmp_cert_map *cert_map, netsnmp_cert_map *entry)
{
DEBUGMSGT(("cert:map:secname", "map: pri %d type %d data %s\n",
entry->priority, entry->mapType, entry->data));
cert_map->priority = entry->priority;
cert_map->mapType = entry->mapType;
cert_map->hashType = entry->hashType;
if (entry->data) {
cert_map->data = strdup(entry->data);
if (NULL == cert_map->data ) {
snmp_log(LOG_ERR, "secname map data dup failed\n");
return -1;
}
}
return 0;
}
/*
* get secname map(s) for fingerprints
*/
int
netsnmp_cert_get_secname_maps(netsnmp_container *cert_maps)
{
netsnmp_iterator *itr;
netsnmp_cert_map *cert_map, *new_cert_map, *entry;
netsnmp_container *new_maps = NULL;
netsnmp_void_array *results;
int j;
if ((NULL == cert_maps) || (CONTAINER_SIZE(cert_maps) == 0))
return -1;
DEBUGMSGT(("cert:map:secname", "looking for matches for %" NETSNMP_PRIz "d fingerprints\n",
CONTAINER_SIZE(cert_maps)));
/*
* duplicate cert_maps and then iterate over the copy. That way we can
* add/remove to cert_maps without distrubing the iterator.
*/
new_maps = CONTAINER_DUP(cert_maps, NULL, 0);
if (NULL == new_maps) {
snmp_log(LOG_ERR, "could not duplicate maps for secname mapping\n");
return -1;
}
itr = CONTAINER_ITERATOR(new_maps);
if (NULL == itr) {
snmp_log(LOG_ERR, "could not get iterator for secname mappings\n");
CONTAINER_FREE(new_maps);
return -1;
}
cert_map = ITERATOR_FIRST(itr);
for( ; cert_map; cert_map = ITERATOR_NEXT(itr)) {
results = _find_subset_fp( netsnmp_cert_map_container(),
cert_map->fingerprint );
if (NULL == results) {
DEBUGMSGT(("cert:map:secname", "no match for %s\n",
cert_map->fingerprint));
if (CONTAINER_REMOVE(cert_maps, cert_map) != 0)
goto fail;
continue;
}
DEBUGMSGT(("cert:map:secname", "%" NETSNMP_PRIz "d matches for %s\n",
results->size, cert_map->fingerprint));
/*
* first entry is a freebie
*/
entry = (netsnmp_cert_map*)results->array[0];
if (_fill_cert_map(cert_map, entry) != 0)
goto fail;
/*
* additional entries must be allocated/inserted
*/
if (results->size > 1) {
for(j=1; j < results->size; ++j) {
entry = (netsnmp_cert_map*)results->array[j];
new_cert_map = netsnmp_cert_map_alloc(entry->fingerprint,
entry->ocert);
if (NULL == new_cert_map) {
snmp_log(LOG_ERR,
"could not allocate new cert map entry\n");
goto fail;
}
if (_fill_cert_map(new_cert_map, entry) != 0) {
netsnmp_cert_map_free(new_cert_map);
goto fail;
}
new_cert_map->ocert = cert_map->ocert;
if (CONTAINER_INSERT(cert_maps,new_cert_map) != 0) {
netsnmp_cert_map_free(new_cert_map);
goto fail;
}
} /* for results */
} /* results size > 1 */
free(results->array);
SNMP_FREE(results);
}
ITERATOR_RELEASE(itr);
CONTAINER_FREE(new_maps);
DEBUGMSGT(("cert:map:secname",
"found %" NETSNMP_PRIz "d matches for fingerprints\n",
CONTAINER_SIZE(cert_maps)));
return 0;
fail:
if (results) {
free(results->array);
free(results);
}
ITERATOR_RELEASE(itr);
CONTAINER_FREE(new_maps);
return -1;
}
/* ***************************************************************************
* ***************************************************************************
*
*
* snmpTlstmParmsTable data
*
*
* ***************************************************************************
* ***************************************************************************/
#define PARAMS_CONFIG_TOKEN "snmpTlstmParams"
static void _parse_params(const char *token, char *line);
static void
_init_tlstmParams(void)
{
const char *params_help =
PARAMS_CONFIG_TOKEN " targetParamsName hashType:fingerPrint";
/*
* container for snmpTlstmParamsTable data
*/
_tlstmParams = netsnmp_container_find("tlstmParams:string");
if (NULL == _tlstmParams)
snmp_log(LOG_ERR,
"error creating sub-container for tlstmParamsTable\n");
else
_tlstmParams->container_name = strdup("tlstmParams");
register_config_handler(NULL, PARAMS_CONFIG_TOKEN, _parse_params, NULL,
params_help);
}
#ifndef NETSNMP_FEATURE_REMOVE_TLSTMPARAMS_CONTAINER
netsnmp_container *
netsnmp_tlstmParams_container(void)
{
return _tlstmParams;
}
#endif /* NETSNMP_FEATURE_REMOVE_TLSTMPARAMS_CONTAINER */
snmpTlstmParams *
netsnmp_tlstmParams_create(const char *name, int hashType, const char *fp,
int fp_len)
{
snmpTlstmParams *stp = SNMP_MALLOC_TYPEDEF(snmpTlstmParams);
if (NULL == stp)
return NULL;
if (name)
stp->name = strdup(name);
stp->hashType = hashType;
if (fp)
stp->fingerprint = strdup(fp);
DEBUGMSGT(("9:tlstmParams:create", "0x%lx: %s\n", (u_long)stp,
stp->name ? stp->name : "null"));
return stp;
}
void
netsnmp_tlstmParams_free(snmpTlstmParams *stp)
{
if (NULL == stp)
return;
DEBUGMSGT(("9:tlstmParams:release", "0x%lx %s\n", (u_long)stp,
stp->name ? stp->name : "null"));
SNMP_FREE(stp->name);
SNMP_FREE(stp->fingerprint);
free(stp); /* SNMP_FREE pointless on parameter */
}
snmpTlstmParams *
netsnmp_tlstmParams_restore_common(char **line)
{
snmpTlstmParams *stp;
char *tmp, buf[SNMP_MAXBUF_SMALL];
size_t len;
if ((NULL == line) || (NULL == *line))
return NULL;
/** need somewhere to save rows */
netsnmp_assert(_tlstmParams);
stp = netsnmp_tlstmParams_create(NULL, 0, NULL, 0);
if (NULL == stp)
return NULL;
/** name */
len = sizeof(buf);
tmp = buf;
*line = read_config_read_octet_string(*line, (u_char **)&tmp, &len);
tmp[len] = 0;
/** xxx-rks: validate snmpadminstring? */
if (len)
stp->name = strdup(buf);
/** fingerprint hash type*/
len = sizeof(buf);
tmp = buf;
*line = read_config_read_octet_string(*line, (u_char **)&tmp, &len);
tmp[len] = 0;
if ((buf[0] == '-') && (buf[1] == '-')) {
stp->hashType = netsnmp_cert_parse_hash_type(&buf[2]);
/** set up for fingerprint */
len = sizeof(buf);
tmp = buf;
*line = read_config_read_octet_string(*line, (u_char **)&tmp, &len);
tmp[len] = 0;
}
else
stp->hashType =NS_HASH_SHA1;
netsnmp_fp_lowercase_and_strip_colon(buf);
stp->fingerprint = strdup(buf);
stp->fingerprint_len = strlen(buf);
DEBUGMSGTL(("tlstmParams:restore:common", "name '%s'\n", stp->name));
return stp;
}