config UPDATE add TLS keystore and truststore

CESNET · Jul 26, 2023 · 8ea70d6 · 8ea70d6
1 parent bb0df70
commit 8ea70d6
Show file tree

Hide file tree

Showing 5 changed files with 464 additions and 114 deletions.
diff --git a/src/config_new.c b/src/config_new.c
@@ -911,7 +911,7 @@ nc_server_config_new_ch_del_endpt(const char *client_name, const char *endpt_nam
 }
 
 API int
-nc_server_config_new_keystore_asym_key(const struct ly_ctx *ctx, const char *name, const char *privkey_path,
+nc_server_config_new_keystore_asym_key(const struct ly_ctx *ctx, const char *asym_key_name, const char *privkey_path,
         const char *pubkey_path, struct lyd_node **config)
 {
     int ret = 0;
@@ -920,7 +920,7 @@ nc_server_config_new_keystore_asym_key(const struct ly_ctx *ctx, const char *nam
     NC_PUBKEY_FORMAT pubkey_type;
     const char *privkey_format, *pubkey_format;
 
-    NC_CHECK_ARG_RET(NULL, ctx, name, privkey_path, config, 1);
+    NC_CHECK_ARG_RET(NULL, ctx, asym_key_name, privkey_path, config, 1);
 
     /* get the keys as a string from the given files */
     ret = nc_server_config_new_get_keys(privkey_path, pubkey_path, &privkey, &pubkey, &privkey_type, &pubkey_type);
@@ -944,25 +944,25 @@ nc_server_config_new_keystore_asym_key(const struct ly_ctx *ctx, const char *nam
     }
 
     ret = nc_config_new_create(ctx, config, pubkey_format, "/ietf-keystore:keystore/asymmetric-keys/"
-            "asymmetric-key[name='%s']/public-key-format", name);
+            "asymmetric-key[name='%s']/public-key-format", asym_key_name);
     if (ret) {
         goto cleanup;
     }
 
     ret = nc_config_new_create(ctx, config, pubkey, "/ietf-keystore:keystore/asymmetric-keys/"
-            "asymmetric-key[name='%s']/public-key", name);
+            "asymmetric-key[name='%s']/public-key", asym_key_name);
     if (ret) {
         goto cleanup;
     }
 
     ret = nc_config_new_create(ctx, config, privkey_format, "/ietf-keystore:keystore/asymmetric-keys/"
-            "asymmetric-key[name='%s']/private-key-format", name);
+            "asymmetric-key[name='%s']/private-key-format", asym_key_name);
     if (ret) {
         goto cleanup;
     }
 
     ret = nc_config_new_create(ctx, config, privkey, "/ietf-keystore:keystore/asymmetric-keys/"
-            "asymmetric-key[name='%s']/cleartext-private-key", name);
+            "asymmetric-key[name='%s']/cleartext-private-key", asym_key_name);
     if (ret) {
         goto cleanup;
     }
@@ -974,27 +974,64 @@ nc_server_config_new_keystore_asym_key(const struct ly_ctx *ctx, const char *nam
 }
 
 API int
-nc_server_config_new_del_keystore_asym_key(const char *name, struct lyd_node **config)
+nc_server_config_new_del_keystore_asym_key(const char *asym_key_name, struct lyd_node **config)
 {
     NC_CHECK_ARG_RET(NULL, config, 1);
 
-    if (name) {
-        return nc_config_new_delete(config, "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key[name='%s']", name);
+    if (asym_key_name) {
+        return nc_config_new_delete(config, "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key[name='%s']", asym_key_name);
     } else {
         return nc_config_new_delete(config, "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key");
     }
 }
 
 API int
-nc_server_config_new_truststore_pubkey(const struct ly_ctx *ctx, const char *bag_name, const char *pubkey_name,
+nc_server_config_new_keystore_cert(const struct ly_ctx *ctx, const char *asym_key_name, const char *cert_name,
+        const char *cert_path, struct lyd_node **config)
+{
+    int ret = 0;
+    char *cert = NULL;
+
+    NC_CHECK_ARG_RET(NULL, ctx, asym_key_name, cert_name, cert_path, config, 1);
+
+    /* get cert data */
+    ret = nc_server_config_new_read_certificate(cert_path, &cert);
+    if (ret) {
+        goto cleanup;
+    }
+
+    ret = nc_config_new_create(ctx, config, cert, "/ietf-keystore:keystore/asymmetric-keys/"
+            "asymmetric-key[name='%s']/certificates/certificate[name='%s']/cert-data", asym_key_name, cert_name);
+
+cleanup:
+    free(cert);
+    return ret;
+}
+
+API int
+nc_server_config_new_del_keystore_cert(const char *asym_key_name, const char *cert_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, asym_key_name, config, 1);
+
+    if (cert_name) {
+        return nc_config_new_delete(config, "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key[name='%s']/"
+                "certificates/certificate[name='%s']", asym_key_name, cert_name);
+    } else {
+        return nc_config_new_delete(config, "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key[name='%s']/"
+                "certificates/certificate", asym_key_name);
+    }
+}
+
+API int
+nc_server_config_new_truststore_pubkey(const struct ly_ctx *ctx, const char *pub_bag_name, const char *pubkey_name,
         const char *pubkey_path, struct lyd_node **config)
 {
     int ret = 0;
     char *pubkey = NULL;
     NC_PUBKEY_FORMAT pubkey_format;
     const char *format;
 
-    NC_CHECK_ARG_RET(NULL, ctx, bag_name, pubkey_name, pubkey_path, config, 1);
+    NC_CHECK_ARG_RET(NULL, ctx, pub_bag_name, pubkey_name, pubkey_path, config, 1);
 
     ret = nc_server_config_new_get_pubkey(pubkey_path, &pubkey, &pubkey_format);
     if (ret) {
@@ -1009,13 +1046,13 @@ nc_server_config_new_truststore_pubkey(const struct ly_ctx *ctx, const char *bag
     }
 
     ret = nc_config_new_create(ctx, config, format, "/ietf-truststore:truststore/public-key-bags/"
-            "public-key-bag[name='%s']/public-key[name='%s']/public-key-format", bag_name, pubkey_name);
+            "public-key-bag[name='%s']/public-key[name='%s']/public-key-format", pub_bag_name, pubkey_name);
     if (ret) {
         goto cleanup;
     }
 
     ret = nc_config_new_create(ctx, config, pubkey, "/ietf-truststore:truststore/public-key-bags/"
-            "public-key-bag[name='%s']/public-key[name='%s']/public-key", bag_name, pubkey_name);
+            "public-key-bag[name='%s']/public-key[name='%s']/public-key", pub_bag_name, pubkey_name);
     if (ret) {
         goto cleanup;
     }
@@ -1026,17 +1063,57 @@ nc_server_config_new_truststore_pubkey(const struct ly_ctx *ctx, const char *bag
 }
 
 API int
-nc_server_config_new_del_truststore_pubkey(const char *bag_name,
+nc_server_config_new_del_truststore_pubkey(const char *pub_bag_name,
         const char *pubkey_name, struct lyd_node **config)
 {
-    NC_CHECK_ARG_RET(NULL, bag_name, config, 1);
+    NC_CHECK_ARG_RET(NULL, pub_bag_name, config, 1);
 
     if (pubkey_name) {
         return nc_config_new_delete(config, "/ietf-truststore:truststore/public-key-bags/"
-                "public-key-bag[name='%s']/public-key[name='%s']", bag_name, pubkey_name);
+                "public-key-bag[name='%s']/public-key[name='%s']", pub_bag_name, pubkey_name);
     } else {
         return nc_config_new_delete(config, "/ietf-truststore:truststore/public-key-bags/"
-                "public-key-bag[name='%s']/public-key", bag_name);
+                "public-key-bag[name='%s']/public-key", pub_bag_name);
+    }
+}
+
+API int
+nc_server_config_new_truststore_cert(const struct ly_ctx *ctx, const char *cert_bag_name, const char *cert_name,
+        const char *cert_path, struct lyd_node **config)
+{
+    int ret = 0;
+    char *cert = NULL;
+
+    NC_CHECK_ARG_RET(NULL, ctx, cert_bag_name, cert_name, cert_path, config, 1);
+
+    ret = nc_server_config_new_read_certificate(cert_path, &cert);
+    if (ret) {
+        goto cleanup;
+    }
+
+    ret = nc_config_new_create(ctx, config, cert, "/ietf-truststore:truststore/certificate-bags/"
+            "certificate-bag[name='%s']/certificate[name='%s']/cert-data", cert_bag_name, cert_name);
+    if (ret) {
+        goto cleanup;
+    }
+
+cleanup:
+    free(cert);
+    return ret;
+}
+
+API int
+nc_server_config_new_del_truststore_cert(const char *cert_bag_name,
+        const char *cert_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, cert_bag_name, config, 1);
+
+    if (cert_name) {
+        return nc_config_new_delete(config, "/ietf-truststore:truststore/certificate-bags/"
+                "certificate-bag[name='%s']/certificate[name='%s']", cert_bag_name, cert_name);
+    } else {
+        return nc_config_new_delete(config, "/ietf-truststore:truststore/certificate-bags/"
+                "certificate-bag[name='%s']/certificate", cert_bag_name);
     }
 }
 

diff --git a/src/config_new_tls.c b/src/config_new_tls.c
@@ -181,6 +181,38 @@ nc_server_config_new_ch_tls_del_server_certificate(const char *client_name, cons
             "certificate/inline-definition", client_name, endpt_name);
 }
 
+API int
+nc_server_config_new_tls_keystore_reference(const struct ly_ctx *ctx, const char *endpt_name, const char *asym_key_ref,
+        const char *cert_ref, struct lyd_node **config)
+{
+    int ret = 0;
+
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, asym_key_ref, cert_ref, config, 1);
+
+    /* create asymmetric key pair reference */
+    ret = nc_config_new_create(ctx, config, asym_key_ref, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
+            "tls/tls-server-parameters/server-identity/certificate/keystore-reference/asymmetric-key", endpt_name);
+    if (ret) {
+        goto cleanup;
+    }
+
+    /* create cert reference, this cert has to belong to the asym key */
+    ret = nc_config_new_create(ctx, config, cert_ref, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
+            "tls/tls-server-parameters/server-identity/certificate/keystore-reference/certificate", endpt_name);
+
+cleanup:
+    return ret;
+}
+
+API int
+nc_server_config_new_tls_del_keystore_reference(const char *endpt_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
+
+    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
+            "tls/tls-server-parameters/server-identity/certificate/keystore-reference", endpt_name);
+}
+
 static int
 _nc_server_config_new_tls_client_certificate(const struct ly_ctx *ctx, const char *tree_path,
         const char *cert_path, struct lyd_node **config)
@@ -295,6 +327,25 @@ nc_server_config_new_ch_tls_del_client_certificate(const char *client_name, cons
     }
 }
 
+API int
+nc_server_config_new_tls_client_cert_truststore_ref(const struct ly_ctx *ctx, const char *endpt_name,
+        const char *cert_bag_ref, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_bag_ref, config, 1);
+
+    return nc_config_new_create(ctx, config, cert_bag_ref, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
+            "tls-server-parameters/client-authentication/ee-certs/truststore-reference", endpt_name);
+}
+
+API int
+nc_server_config_new_tls_del_client_cert_truststore_ref(const char *endpt_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
+
+    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
+            "tls-server-parameters/client-authentication/ee-certs/truststore-reference", endpt_name);
+}
+
 API int
 nc_server_config_new_tls_client_ca(const struct ly_ctx *ctx, const char *endpt_name, const char *cert_name,
         const char *cert_path, struct lyd_node **config)
@@ -386,6 +437,25 @@ nc_server_config_new_ch_tls_del_client_ca(const char *client_name, const char *e
     }
 }
 
+API int
+nc_server_config_new_tls_client_ca_truststore_ref(const struct ly_ctx *ctx, const char *endpt_name,
+        const char *cert_bag_ref, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_bag_ref, config, 1);
+
+    return nc_config_new_create(ctx, config, cert_bag_ref, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
+            "tls-server-parameters/client-authentication/ca-certs/truststore-reference", endpt_name);
+}
+
+API int
+nc_server_config_new_tls_del_client_ca_truststore_ref(const char *endpt_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
+
+    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
+            "tls-server-parameters/client-authentication/ca-certs/truststore-reference", endpt_name);
+}
+
 static const char *
 nc_config_new_tls_maptype2str(NC_TLS_CTN_MAPTYPE map_type)
 {