config UPDATE implemented CRL for TLS

Certificate Revocation List now supported, this means a new dependency - libcurl.
CESNET · Jun 15, 2023 · 12378fc · 12378fc
1 parent 94ac92e
commit 12378fc
Show file tree

Hide file tree

Showing 11 changed files with 1,190 additions and 134 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -239,6 +239,11 @@ if(ENABLE_SSH_TLS)
     list(APPEND CMAKE_REQUIRED_LIBRARIES ${LIBSSH_LIBRARIES})
     include_directories(${LIBSSH_INCLUDE_DIRS})
 
+    # dependencies - libcurl
+    find_package(CURL 7.30.0 REQUIRED)
+    target_link_libraries(netconf2 ${CURL_LIBRARIES})
+    include_directories(${CURL_INCLUDE_DIR})
+
     # crypt
     if(${CMAKE_SYSTEM_NAME} MATCHES "QNX")
         target_link_libraries(netconf2 -llogin)

diff --git a/modules/libnetconf2-netconf-server.yang b/modules/libnetconf2-netconf-server.yang
@@ -27,6 +27,10 @@ module libnetconf2-netconf-server {
     prefix sshma;
   }
 
+  import ietf-tls-server {
+    prefix tlss;
+  }
+
   /*
   identity ed25519-private-key-format {
     base ct:private-key-format;
@@ -309,4 +313,46 @@ module libnetconf2-netconf-server {
       must "deref(.)/../*[local-name() = 'tls']";
     }
   }
+
+  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
+    description
+      "Indicates that the TLS server is using a Certificate Revocation List
+       to authenticate clients or to deny access for certain certificates.
+       The given Certificate Revocation List must be PEM or DER encoded.";
+
+    reference
+      "RFC 5280:
+         Internet X.509 Public Key Infrastructure Certificate
+         and Certificate Revocation List (CRL) Profile";
+
+    choice certificate-revocation-list {
+      leaf crl-url {
+        type string;
+        description
+          "An URL from which the Certificate Revocation List will be
+           downloaded and used. The HTTP protocol works, but other
+           protocols, such as FTP, may work as well.";
+      }
+
+      leaf crl-path {
+        type string;
+        description
+          "A path to a Certificate Revocation List file.";
+      }
+
+      leaf crl-cert-ext {
+        type empty;
+        description
+          "Indicates that the Certificate Revocation List
+           Distribution Points extension will be used to fetch
+           Certificate Revocation Lists from. This will be done
+           for all the configured Certificate Authority certificates.";
+
+        reference
+          "RFC 5280:
+             Internet X.509 Public Key Infrastructure Certificate
+             and Certificate Revocation List (CRL) Profile, Section 4.2.1.13";
+      }
+    }
+  }
 }
diff --git a/src/config_new_tls.c b/src/config_new_tls.c
@@ -570,3 +570,231 @@ nc_server_config_new_tls_ciphers(const struct ly_ctx *ctx, const char *endpt_nam
     free(tree_path);
     return ret;
 }
+
+API int
+nc_server_config_new_tls_crl_path(const struct ly_ctx *ctx, const char *endpt_name, const char *path, struct lyd_node **config)
+{
+    int ret = 0;
+    struct lyd_node *new_tree, *node = NULL;
+    char *tree_path = NULL;
+    struct lys_module *mod;
+
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, path, config, 1);
+
+    /* prepare path for instertion of leaves later */
+    asprintf(&tree_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
+            "client-authentication", endpt_name);
+    if (!tree_path) {
+        ERRMEM;
+        ret = 1;
+        goto cleanup;
+    }
+
+    /* create all the nodes in the path */
+    ret = lyd_new_path(*config, ctx, tree_path, NULL, LYD_NEW_PATH_UPDATE, &new_tree);
+    if (ret) {
+        goto cleanup;
+    }
+    if (!*config) {
+        *config = new_tree;
+    }
+
+    if (!new_tree) {
+        /* no new nodes were created */
+        ret = lyd_find_path(*config, tree_path, 0, &new_tree);
+    } else {
+        /* config was NULL */
+        ret = lyd_find_path(new_tree, tree_path, 0, &new_tree);
+    }
+    if (ret) {
+        goto cleanup;
+    }
+
+    /* delete other choice nodes if they are present */
+    lyd_find_path(new_tree, "libnetconf2-netconf-server:crl-url", 0, &node);
+    lyd_free_tree(node);
+    lyd_find_path(new_tree, "libnetconf2-netconf-server:crl-cert-ext", 0, &node);
+    lyd_free_tree(node);
+
+    /* get the wanted module, because parent of the inserted node has a different one */
+    mod = ly_ctx_get_module_implemented(ctx, "libnetconf2-netconf-server");
+    if (!mod) {
+        ERR(NULL, "Error getting libnetconf2-netconf-server module.");
+        ret = 1;
+        goto cleanup;
+    }
+
+    ret = lyd_new_term(new_tree, mod, "crl-path", path, 0, NULL);
+    if (ret) {
+        ERR(NULL, "Creating new Certificate Revocation List node failed.");
+        goto cleanup;
+    }
+
+    /* check if top-level container has operation and if not, add it */
+    ret = nc_config_new_check_add_operation(ctx, *config);
+    if (ret) {
+        goto cleanup;
+    }
+
+    /* Add all default nodes */
+    ret = lyd_new_implicit_tree(*config, LYD_IMPLICIT_NO_STATE, NULL);
+    if (ret) {
+        goto cleanup;
+    }
+
+cleanup:
+    free(tree_path);
+    return ret;
+}
+
+API int
+nc_server_config_new_tls_crl_url(const struct ly_ctx *ctx, const char *endpt_name, const char *url, struct lyd_node **config)
+{
+    int ret = 0;
+    struct lyd_node *new_tree, *node = NULL;
+    char *tree_path = NULL;
+    struct lys_module *mod;
+
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, url, config, 1);
+
+    /* prepare path for instertion of leaves later */
+    asprintf(&tree_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
+            "client-authentication", endpt_name);
+    if (!tree_path) {
+        ERRMEM;
+        ret = 1;
+        goto cleanup;
+    }
+
+    /* create all the nodes in the path */
+    ret = lyd_new_path(*config, ctx, tree_path, NULL, LYD_NEW_PATH_UPDATE, &new_tree);
+    if (ret) {
+        goto cleanup;
+    }
+    if (!*config) {
+        *config = new_tree;
+    }
+
+    if (!new_tree) {
+        /* no new nodes were created */
+        ret = lyd_find_path(*config, tree_path, 0, &new_tree);
+    } else {
+        /* config was NULL */
+        ret = lyd_find_path(new_tree, tree_path, 0, &new_tree);
+    }
+    if (ret) {
+        goto cleanup;
+    }
+
+    /* delete other choice nodes if they are present */
+    lyd_find_path(new_tree, "libnetconf2-netconf-server:crl-path", 0, &node);
+    lyd_free_tree(node);
+    lyd_find_path(new_tree, "libnetconf2-netconf-server:crl-cert-ext", 0, &node);
+    lyd_free_tree(node);
+
+    /* get the wanted module, because parent of the inserted node has a different one */
+    mod = ly_ctx_get_module_implemented(ctx, "libnetconf2-netconf-server");
+    if (!mod) {
+        ERR(NULL, "Error getting libnetconf2-netconf-server module.");
+        ret = 1;
+        goto cleanup;
+    }
+
+    ret = lyd_new_term(new_tree, mod, "crl-url", url, 0, NULL);
+    if (ret) {
+        ERR(NULL, "Creating new Certificate Revocation List node failed.");
+        goto cleanup;
+    }
+
+    /* check if top-level container has operation and if not, add it */
+    ret = nc_config_new_check_add_operation(ctx, *config);
+    if (ret) {
+        goto cleanup;
+    }
+
+    /* Add all default nodes */
+    ret = lyd_new_implicit_tree(*config, LYD_IMPLICIT_NO_STATE, NULL);
+    if (ret) {
+        goto cleanup;
+    }
+
+cleanup:
+    free(tree_path);
+    return ret;
+}
+
+API int
+nc_server_config_new_tls_crl_cert_ext(const struct ly_ctx *ctx, const char *endpt_name, struct lyd_node **config)
+{
+    int ret = 0;
+    struct lyd_node *new_tree, *node = NULL;
+    char *tree_path = NULL;
+    struct lys_module *mod;
+
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, config, 1);
+
+    /* prepare path for instertion of leaves later */
+    asprintf(&tree_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
+            "client-authentication", endpt_name);
+    if (!tree_path) {
+        ERRMEM;
+        ret = 1;
+        goto cleanup;
+    }
+
+    /* create all the nodes in the path */
+    ret = lyd_new_path(*config, ctx, tree_path, NULL, LYD_NEW_PATH_UPDATE, &new_tree);
+    if (ret) {
+        goto cleanup;
+    }
+    if (!*config) {
+        *config = new_tree;
+    }
+
+    if (!new_tree) {
+        /* no new nodes were created */
+        ret = lyd_find_path(*config, tree_path, 0, &new_tree);
+    } else {
+        /* config was NULL */
+        ret = lyd_find_path(new_tree, tree_path, 0, &new_tree);
+    }
+    if (ret) {
+        goto cleanup;
+    }
+
+    /* delete other choice nodes if they are present */
+    lyd_find_path(new_tree, "libnetconf2-netconf-server:crl-path", 0, &node);
+    lyd_free_tree(node);
+    lyd_find_path(new_tree, "libnetconf2-netconf-server:crl-url", 0, &node);
+    lyd_free_tree(node);
+
+    /* get the wanted module, because parent of the inserted node has a different one */
+    mod = ly_ctx_get_module_implemented(ctx, "libnetconf2-netconf-server");
+    if (!mod) {
+        ERR(NULL, "Error getting libnetconf2-netconf-server module.");
+        ret = 1;
+        goto cleanup;
+    }
+
+    ret = lyd_new_term(new_tree, mod, "crl-cert-ext", NULL, 0, NULL);
+    if (ret) {
+        ERR(NULL, "Creating new Certificate Revocation List node failed.");
+        goto cleanup;
+    }
+
+    /* check if top-level container has operation and if not, add it */
+    ret = nc_config_new_check_add_operation(ctx, *config);
+    if (ret) {
+        goto cleanup;
+    }
+
+    /* Add all default nodes */
+    ret = lyd_new_implicit_tree(*config, LYD_IMPLICIT_NO_STATE, NULL);
+    if (ret) {
+        goto cleanup;
+    }
+
+cleanup:
+    free(tree_path);
+    return ret;
+}