Roytakb2794852023-10-18 14:30:22 +02001/**
2 * @file server_config_util_tls.c
3 * @author Roman Janota <janota@cesnet.cz>
4 * @brief libnetconf2 server TLS configuration utilities
5 *
6 * @copyright
7 * Copyright (c) 2023 CESNET, z.s.p.o.
8 *
9 * This source code is licensed under BSD 3-Clause License (the "License").
10 * You may not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * https://opensource.org/licenses/BSD-3-Clause
14 */
15
16#define _GNU_SOURCE
17
18#include "server_config_util.h"
19
20#include <stdarg.h>
21#include <stdint.h>
22#include <stdio.h>
23#include <stdlib.h>
24#include <string.h>
25
26#include <libyang/libyang.h>
27
28#include "compat.h"
29#include "config.h"
30#include "log_p.h"
31#include "server_config.h"
32#include "session.h"
33#include "session_p.h"
34
/**
 * @brief Fill the inline definition of a TLS server certificate under @p tree_path.
 *
 * The private key (and the public key, when available) and the certificate are read
 * from the given files as strings and appended as inline-definition leaves. A
 * central-keystore-reference under the same node is removed afterwards, so only one
 * of the two alternatives stays in the tree.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path XPath of the certificate container to fill.
 * @param[in] privkey_path Path to the private key file.
 * @param[in] pubkey_path Path to the public key file; not covered by the argument check,
 * presumably the key-pair helper derives the public key when it is NULL - verify against it.
 * @param[in] cert_path Path to the certificate file.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, 1 on error.
 */
static int
_nc_server_config_add_tls_server_cert(const struct ly_ctx *ctx, const char *tree_path, const char *privkey_path,
        const char *pubkey_path, const char *cert_path, struct lyd_node **config)
{
    int rc = 0;
    size_t i;
    char *privkey = NULL, *pubkey = NULL, *cert = NULL;
    NC_PRIVKEY_FORMAT privkey_type;
    const char *privkey_format;
    const char *pubkey_format = "ietf-crypto-types:subject-public-key-info-format";

    NC_CHECK_ARG_RET(NULL, ctx, tree_path, privkey_path, cert_path, config, 1);

    /* read the key pair as strings */
    rc = nc_server_config_util_get_asym_key_pair(privkey_path, pubkey_path, NC_PUBKEY_FORMAT_X509, &privkey, &privkey_type, &pubkey);
    if (rc) {
        ERR(NULL, "Getting keys from file(s) failed.");
        goto cleanup;
    }

    /* read the certificate as a string */
    rc = nc_server_config_util_read_certificate(cert_path, &cert);
    if (rc) {
        ERR(NULL, "Getting certificate from file \"%s\" failed.", cert_path);
        goto cleanup;
    }

    /* identityref matching the detected private key format */
    privkey_format = nc_server_config_util_privkey_format_to_identityref(privkey_type);
    if (!privkey_format) {
        rc = 1;
        goto cleanup;
    }

    {
        /* leaves are created in this order, stopping at the first failure;
         * note that the private key is stored in the tree as cleartext-private-key */
        const struct {
            const char *node;
            const char *value;
        } leaves[] = {
            {"inline-definition/public-key-format", pubkey_format},
            {"inline-definition/public-key", pubkey},
            {"inline-definition/private-key-format", privkey_format},
            {"inline-definition/cleartext-private-key", privkey},
            {"inline-definition/cert-data", cert},
        };

        for (i = 0; i < sizeof leaves / sizeof leaves[0]; ++i) {
            rc = nc_server_config_append(ctx, tree_path, leaves[i].node, leaves[i].value, config);
            if (rc) {
                goto cleanup;
            }
        }
    }

    /* inline definition and keystore reference are alternatives, drop the reference if present */
    rc = nc_server_config_check_delete(config, "%s/central-keystore-reference", tree_path);

cleanup:
    /* the temporary key strings are released but not zeroized */
    free(privkey);
    free(pubkey);
    free(cert);
    return rc;
}
104
/**
 * @brief Create the inline TLS server certificate of a listen endpoint from files.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint; it is inserted verbatim into the
 * XPath predicate, so a name containing a single quote yields an invalid path.
 * @param[in] privkey_path Path to the private key file.
 * @param[in] pubkey_path Path to the public key file, may be NULL.
 * @param[in] cert_path Path to the certificate file.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_add_tls_server_cert(const struct ly_ctx *ctx, const char *endpt_name, const char *privkey_path,
        const char *pubkey_path, const char *cert_path, struct lyd_node **config)
{
    int rc = 0;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, privkey_path, cert_path, config, 1);

    /* server identity certificate container of this listen endpoint */
    rc = asprintf(&xpath, "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/"
            "tls/tls-server-parameters/server-identity/certificate", endpt_name);
    NC_CHECK_ERRMEM_GOTO(rc == -1, xpath = NULL; rc = 1, cleanup);

    rc = _nc_server_config_add_tls_server_cert(ctx, xpath, privkey_path, pubkey_path, cert_path, config);
    if (rc) {
        ERR(NULL, "Creating new TLS server certificate YANG data failed.");
    }

cleanup:
    free(xpath);
    return rc;
}
129
/**
 * @brief Remove the inline TLS server certificate definition of a listen endpoint.
 *
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error (propagated from the delete helper).
 */
API int
nc_server_config_del_tls_server_cert(const char *endpt_name, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    /* only the inline-definition subtree is removed, a keystore reference is left as is */
    return nc_server_config_delete(config,
            "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/"
            "tls/tls-server-parameters/server-identity/certificate/inline-definition",
            endpt_name);
}
138
/**
 * @brief Create the inline TLS server certificate of a Call Home endpoint from files.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in] privkey_path Path to the private key file.
 * @param[in] pubkey_path Path to the public key file, may be NULL.
 * @param[in] cert_path Path to the certificate file.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_add_ch_tls_server_cert(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        const char *privkey_path, const char *pubkey_path, const char *cert_path, struct lyd_node **config)
{
    int rc = 0;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, privkey_path, cert_path, config, 1);

    /* names go into the XPath predicates unescaped */
    rc = asprintf(&xpath, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/server-identity/"
            "certificate", client_name, endpt_name);
    NC_CHECK_ERRMEM_GOTO(rc == -1, xpath = NULL; rc = 1, cleanup);

    rc = _nc_server_config_add_tls_server_cert(ctx, xpath, privkey_path, pubkey_path, cert_path, config);
    if (rc) {
        ERR(NULL, "Creating new CH TLS server certificate YANG data failed.");
    }

cleanup:
    free(xpath);
    return rc;
}
164
/**
 * @brief Remove the inline TLS server certificate definition of a Call Home endpoint.
 *
 * @param[in] client_name Name of the Call Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error (propagated from the delete helper).
 */
API int
nc_server_config_del_ch_tls_server_cert(const char *client_name, const char *endpt_name,
        struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    return nc_server_config_delete(config,
            "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/server-identity/"
            "certificate/inline-definition",
            client_name, endpt_name);
}
175
/**
 * @brief Point the TLS server certificate under @p tree_path to the central keystore.
 *
 * Creates the asymmetric-key and certificate references and removes an existing
 * inline definition, so only one of the two alternatives stays in the tree.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path XPath of the certificate container.
 * @param[in] asym_key_ref Name of the referenced keystore asymmetric key.
 * @param[in] cert_ref Name of the referenced certificate; it has to belong to @p asym_key_ref.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error.
 */
static int
_nc_server_config_add_tls_keystore_ref(const struct ly_ctx *ctx, const char *tree_path, const char *asym_key_ref,
        const char *cert_ref, struct lyd_node **config)
{
    int rc;

    /* reference to the asymmetric key pair */
    rc = nc_server_config_append(ctx, tree_path, "central-keystore-reference/asymmetric-key", asym_key_ref, config);
    if (rc) {
        return rc;
    }

    /* reference to the certificate of that key */
    rc = nc_server_config_append(ctx, tree_path, "central-keystore-reference/certificate", cert_ref, config);
    if (rc) {
        return rc;
    }

    /* keystore reference and inline definition are alternatives, drop the latter if present */
    return nc_server_config_check_delete(config, "%s/inline-definition", tree_path);
}
203
/**
 * @brief Reference a keystore key pair and certificate as a listen endpoint's TLS server identity.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint (inserted verbatim into the XPath predicate).
 * @param[in] asym_key_ref Name of the keystore asymmetric key.
 * @param[in] cert_ref Name of the certificate belonging to that key.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_tls_keystore_ref(const struct ly_ctx *ctx, const char *endpt_name, const char *asym_key_ref,
        const char *cert_ref, struct lyd_node **config)
{
    int rc = 0;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, asym_key_ref, cert_ref, config, 1);

    rc = asprintf(&xpath, "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/"
            "tls/tls-server-parameters/server-identity/certificate", endpt_name);
    NC_CHECK_ERRMEM_GOTO(rc == -1, xpath = NULL; rc = 1, cleanup);

    /* the helper's result is returned unchanged */
    rc = _nc_server_config_add_tls_keystore_ref(ctx, xpath, asym_key_ref, cert_ref, config);

cleanup:
    free(xpath);
    return rc;
}
226
/**
 * @brief Remove the keystore reference of a listen endpoint's TLS server identity.
 *
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error (propagated from the delete helper).
 */
API int
nc_server_config_del_tls_keystore_ref(const char *endpt_name, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    return nc_server_config_delete(config,
            "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/"
            "tls/tls-server-parameters/server-identity/certificate/central-keystore-reference",
            endpt_name);
}
235
/**
 * @brief Reference a keystore key pair and certificate as a Call Home endpoint's TLS server identity.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in] asym_key_ref Name of the keystore asymmetric key.
 * @param[in] cert_ref Name of the certificate belonging to that key.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_ch_tls_keystore_ref(const struct ly_ctx *ctx, const char *client_name,
        const char *endpt_name, const char *asym_key_ref, const char *cert_ref, struct lyd_node **config)
{
    int rc = 0;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, asym_key_ref, cert_ref, config, 1);

    rc = asprintf(&xpath, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
            "endpoint[name='%s']/tls/tls-server-parameters/server-identity/certificate", client_name, endpt_name);
    NC_CHECK_ERRMEM_GOTO(rc == -1, xpath = NULL; rc = 1, cleanup);

    /* the helper's result is returned unchanged */
    rc = _nc_server_config_add_tls_keystore_ref(ctx, xpath, asym_key_ref, cert_ref, config);

cleanup:
    free(xpath);
    return rc;
}
258
/**
 * @brief Remove the keystore reference of a Call Home endpoint's TLS server identity.
 *
 * @param[in] client_name Name of the Call Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error (propagated from the delete helper).
 */
API int
nc_server_config_del_ch_tls_keystore_ref(const char *client_name, const char *endpt_name,
        struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    return nc_server_config_delete(config,
            "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/server-identity/certificate/"
            "central-keystore-reference",
            client_name, endpt_name);
}
269
/**
 * @brief Read a certificate file and store it as the cert-data leaf under @p tree_path.
 *
 * Shared by the end-entity and CA certificate wrappers, which differ only in the path.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path XPath of the certificate list entry.
 * @param[in] cert_path Path to the certificate file.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error.
 */
static int
_nc_server_config_add_tls_client_cert(const struct ly_ctx *ctx, const char *tree_path,
        const char *cert_path, struct lyd_node **config)
{
    int rc;
    char *cert_data = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, tree_path, cert_path, config, 1);

    rc = nc_server_config_util_read_certificate(cert_path, &cert_data);
    if (rc) {
        ERR(NULL, "Getting certificate from file \"%s\" failed.", cert_path);
    } else {
        rc = nc_server_config_append(ctx, tree_path, "cert-data", cert_data, config);
    }

    free(cert_data);
    return rc;
}
294
/**
 * @brief Add an inline end-entity client certificate to a listen endpoint's TLS client authentication.
 *
 * An existing central-truststore-reference for the end-entity certificates is removed,
 * since the inline list and the reference are alternatives.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in] cert_name Name of the new certificate list entry.
 * @param[in] cert_path Path to the certificate file.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_tls_client_cert(const struct ly_ctx *ctx, const char *endpt_name, const char *cert_name,
        const char *cert_path, struct lyd_node **config)
{
    int rc = 0;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_name, cert_path, config, 1);

    rc = asprintf(&xpath, "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ee-certs/inline-definition/certificate[name='%s']", endpt_name, cert_name);
    NC_CHECK_ERRMEM_GOTO(rc == -1, xpath = NULL; rc = 1, cleanup);

    rc = _nc_server_config_add_tls_client_cert(ctx, xpath, cert_path, config);
    if (rc) {
        ERR(NULL, "Creating new TLS client certificate YANG data failed.");
        goto cleanup;
    }

    /* inline list and truststore reference are alternatives, drop the reference if present */
    rc = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/"
            "tls/tls-server-parameters/client-authentication/ee-certs/central-truststore-reference", endpt_name);

cleanup:
    free(xpath);
    return rc;
}
325
/**
 * @brief Remove inline end-entity client certificate(s) of a listen endpoint.
 *
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in] cert_name Name of the certificate to remove; NULL removes every inline certificate.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error (propagated from the delete helper).
 */
API int
nc_server_config_del_tls_client_cert(const char *endpt_name, const char *cert_name, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    if (!cert_name) {
        /* whole list */
        return nc_server_config_delete(config,
                "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/tls/"
                "tls-server-parameters/client-authentication/ee-certs/inline-definition/"
                "certificate", endpt_name);
    }

    /* single entry */
    return nc_server_config_delete(config,
            "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/tls/"
            "tls-server-parameters/client-authentication/ee-certs/inline-definition/"
            "certificate[name='%s']", endpt_name, cert_name);
}
341
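/**
 * @brief Add an inline end-entity client certificate to a Call Home endpoint's TLS client authentication.
 *
 * An existing central-truststore-reference for the end-entity certificates is removed,
 * since the inline list and the reference are alternatives.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in] cert_name Name of the new certificate list entry.
 * @param[in] cert_path Path to the certificate file.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_ch_tls_client_cert(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        const char *cert_name, const char *cert_path, struct lyd_node **config)
{
    int ret = 0;
    char *path = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, cert_name, cert_path, config, 1);

    /* keep the raw asprintf() result: comparing it with -1 here turned it into 0/1, so the
     * error check below could never fire and an allocation failure went on to use an
     * undefined path */
    ret = asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ee-certs/"
            "inline-definition/certificate[name='%s']", client_name, endpt_name, cert_name);
    NC_CHECK_ERRMEM_GOTO(ret == -1, path = NULL; ret = 1, cleanup);

    ret = _nc_server_config_add_tls_client_cert(ctx, path, cert_path, config);
    if (ret) {
        ERR(NULL, "Creating new CH TLS client certificate YANG data failed.");
        goto cleanup;
    }

    /* inline list and truststore reference are alternatives, drop the reference if present */
    ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ee-certs/central-truststore-reference", client_name, endpt_name);
    if (ret) {
        goto cleanup;
    }

cleanup:
    free(path);
    return ret;
}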
374
/**
 * @brief Remove inline end-entity client certificate(s) of a Call Home endpoint.
 *
 * @param[in] client_name Name of the Call Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in] cert_name Name of the certificate to remove; NULL removes every inline certificate.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error (propagated from the delete helper).
 */
API int
nc_server_config_del_ch_tls_client_cert(const char *client_name, const char *endpt_name,
        const char *cert_name, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    if (!cert_name) {
        /* whole list */
        return nc_server_config_delete(config,
                "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
                "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ee-certs/"
                "inline-definition/certificate", client_name, endpt_name);
    }

    /* single entry */
    return nc_server_config_delete(config,
            "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ee-certs/"
            "inline-definition/certificate[name='%s']", client_name, endpt_name, cert_name);
}
391
/**
 * @brief Reference a truststore certificate bag as a listen endpoint's end-entity client certificates.
 *
 * An existing inline-definition list is removed, since the two are alternatives.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in] cert_bag_ref Name of the truststore certificate bag.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_tls_client_cert_truststore_ref(const struct ly_ctx *ctx, const char *endpt_name,
        const char *cert_bag_ref, struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_bag_ref, config, 1);

    rc = nc_server_config_create(ctx, config, cert_bag_ref, "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/tls/"
            "tls-server-parameters/client-authentication/ee-certs/central-truststore-reference", endpt_name);
    if (rc) {
        return rc;
    }

    /* truststore reference and inline list are alternatives, drop the list if present */
    return nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/tls/"
            "tls-server-parameters/client-authentication/ee-certs/inline-definition", endpt_name);
}
416
/**
 * @brief Remove the end-entity client certificate truststore reference of a listen endpoint.
 *
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error (propagated from the delete helper).
 */
API int
nc_server_config_del_tls_client_cert_truststore_ref(const char *endpt_name, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    return nc_server_config_delete(config,
            "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/tls/"
            "tls-server-parameters/client-authentication/ee-certs/central-truststore-reference",
            endpt_name);
}
425
/**
 * @brief Reference a truststore certificate bag as a Call Home endpoint's end-entity client certificates.
 *
 * An existing inline-definition list is removed, since the two are alternatives.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in] cert_bag_ref Name of the truststore certificate bag.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_ch_tls_client_cert_truststore_ref(const struct ly_ctx *ctx, const char *client_name,
        const char *endpt_name, const char *cert_bag_ref, struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, cert_bag_ref, config, 1);

    rc = nc_server_config_create(ctx, config, cert_bag_ref, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ee-certs/central-truststore-reference", client_name, endpt_name);
    if (rc) {
        return rc;
    }

    /* truststore reference and inline list are alternatives, drop the list if present */
    return nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/"
            "tls-server-parameters/client-authentication/ee-certs/inline-definition", client_name, endpt_name);
}
452
/**
 * @brief Remove the end-entity client certificate truststore reference of a Call Home endpoint.
 *
 * @param[in] client_name Name of the Call Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error (propagated from the delete helper).
 */
API int
nc_server_config_del_ch_tls_client_cert_truststore_ref(const char *client_name, const char *endpt_name,
        struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    return nc_server_config_delete(config,
            "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ee-certs/central-truststore-reference",
            client_name, endpt_name);
}
463
/**
 * @brief Add an inline CA certificate to a listen endpoint's TLS client authentication.
 *
 * An existing central-truststore-reference for the CA certificates is removed,
 * since the inline list and the reference are alternatives.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in] cert_name Name of the new certificate list entry.
 * @param[in] cert_path Path to the CA certificate file.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_tls_ca_cert(const struct ly_ctx *ctx, const char *endpt_name, const char *cert_name,
        const char *cert_path, struct lyd_node **config)
{
    int rc = 0;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_name, cert_path, config, 1);

    rc = asprintf(&xpath, "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ca-certs/inline-definition/certificate[name='%s']", endpt_name, cert_name);
    NC_CHECK_ERRMEM_GOTO(rc == -1, xpath = NULL; rc = 1, cleanup);

    /* same leaf layout as an end-entity certificate, only the path differs */
    rc = _nc_server_config_add_tls_client_cert(ctx, xpath, cert_path, config);
    if (rc) {
        ERR(NULL, "Creating new TLS client certificate authority YANG data failed.");
        goto cleanup;
    }

    /* inline list and truststore reference are alternatives, drop the reference if present */
    rc = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/"
            "tls/tls-server-parameters/client-authentication/ca-certs/central-truststore-reference", endpt_name);

cleanup:
    free(xpath);
    return rc;
}
494
/**
 * @brief Remove inline CA certificate(s) of a listen endpoint.
 *
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in] cert_name Name of the certificate to remove; NULL removes every inline CA certificate.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error (propagated from the delete helper).
 */
API int
nc_server_config_del_tls_ca_cert(const char *endpt_name, const char *cert_name, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    if (!cert_name) {
        /* whole list */
        return nc_server_config_delete(config,
                "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/tls/"
                "tls-server-parameters/client-authentication/ca-certs/inline-definition/"
                "certificate", endpt_name);
    }

    /* single entry */
    return nc_server_config_delete(config,
            "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/tls/"
            "tls-server-parameters/client-authentication/ca-certs/inline-definition/"
            "certificate[name='%s']", endpt_name, cert_name);
}
510
/**
 * @brief Add an inline CA certificate to a Call Home endpoint's TLS client authentication.
 *
 * An existing central-truststore-reference for the CA certificates is removed,
 * since the inline list and the reference are alternatives.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in] cert_name Name of the new certificate list entry.
 * @param[in] cert_path Path to the CA certificate file.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_ch_tls_ca_cert(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        const char *cert_name, const char *cert_path, struct lyd_node **config)
{
    int rc = 0;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, cert_name, cert_path, config, 1);

    rc = asprintf(&xpath, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ca-certs/"
            "inline-definition/certificate[name='%s']", client_name, endpt_name, cert_name);
    NC_CHECK_ERRMEM_GOTO(rc == -1, xpath = NULL; rc = 1, cleanup);

    /* same leaf layout as an end-entity certificate, only the path differs */
    rc = _nc_server_config_add_tls_client_cert(ctx, xpath, cert_path, config);
    if (rc) {
        ERR(NULL, "Creating new CH TLS client certificate authority YANG data failed.");
        goto cleanup;
    }

    /* inline list and truststore reference are alternatives, drop the reference if present */
    rc = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ca-certs/central-truststore-reference", client_name, endpt_name);

cleanup:
    free(xpath);
    return rc;
}
543
/**
 * @brief Remove inline CA certificate(s) of a Call Home endpoint.
 *
 * @param[in] client_name Name of the Call Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in] cert_name Name of the certificate to remove; NULL removes every inline CA certificate.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error (propagated from the delete helper).
 */
API int
nc_server_config_del_ch_tls_ca_cert(const char *client_name, const char *endpt_name,
        const char *cert_name, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    if (!cert_name) {
        /* whole list */
        return nc_server_config_delete(config,
                "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
                "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ca-certs/"
                "inline-definition/certificate", client_name, endpt_name);
    }

    /* single entry */
    return nc_server_config_delete(config,
            "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ca-certs/"
            "inline-definition/certificate[name='%s']", client_name, endpt_name, cert_name);
}
560
/**
 * @brief Reference a truststore certificate bag as a listen endpoint's CA certificates.
 *
 * An existing inline-definition list is removed, since the two are alternatives.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in] cert_bag_ref Name of the truststore certificate bag.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_tls_ca_cert_truststore_ref(const struct ly_ctx *ctx, const char *endpt_name,
        const char *cert_bag_ref, struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_bag_ref, config, 1);

    rc = nc_server_config_create(ctx, config, cert_bag_ref, "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/tls/"
            "tls-server-parameters/client-authentication/ca-certs/central-truststore-reference", endpt_name);
    if (rc) {
        return rc;
    }

    /* truststore reference and inline list are alternatives, drop the list if present */
    return nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/tls/"
            "tls-server-parameters/client-authentication/ca-certs/inline-definition", endpt_name);
}
585
/**
 * @brief Remove the CA certificate truststore reference of a listen endpoint.
 *
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error (propagated from the delete helper).
 */
API int
nc_server_config_del_tls_ca_cert_truststore_ref(const char *endpt_name, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    return nc_server_config_delete(config,
            "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/tls/"
            "tls-server-parameters/client-authentication/ca-certs/central-truststore-reference",
            endpt_name);
}
594
/**
 * @brief Reference a truststore certificate bag as a Call Home endpoint's CA certificates.
 *
 * An existing inline-definition list is removed, since the two are alternatives.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in] cert_bag_ref Name of the truststore certificate bag.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_ch_tls_ca_cert_truststore_ref(const struct ly_ctx *ctx, const char *client_name,
        const char *endpt_name, const char *cert_bag_ref, struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, cert_bag_ref, config, 1);

    rc = nc_server_config_create(ctx, config, cert_bag_ref, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ca-certs/central-truststore-reference", client_name, endpt_name);
    if (rc) {
        return rc;
    }

    /* truststore reference and inline list are alternatives, drop the list if present */
    return nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ca-certs/inline-definition", client_name, endpt_name);
}
621
/**
 * @brief Remove the CA certificate truststore reference of a Call Home endpoint.
 *
 * @param[in] client_name Name of the Call Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error (propagated from the delete helper).
 */
API int
nc_server_config_del_ch_tls_ca_cert_truststore_ref(const char *client_name, const char *endpt_name,
        struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    return nc_server_config_delete(config,
            "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ca-certs/central-truststore-reference",
            client_name, endpt_name);
}
632
/**
 * @brief Map a cert-to-name mapping type to its ietf-x509-cert-to-name identityref.
 *
 * @param[in] map_type Mapping type.
 * @return Static identity string, NULL (with an error logged) for NC_TLS_CTN_UNKNOWN
 * or any value not listed here.
 */
static const char *
nc_server_config_tls_maptype2str(NC_TLS_CTN_MAPTYPE map_type)
{
    const char *identity = NULL;

    switch (map_type) {
    case NC_TLS_CTN_SPECIFIED:
        identity = "ietf-x509-cert-to-name:specified";
        break;
    case NC_TLS_CTN_SAN_RFC822_NAME:
        identity = "ietf-x509-cert-to-name:san-rfc822-name";
        break;
    case NC_TLS_CTN_SAN_DNS_NAME:
        identity = "ietf-x509-cert-to-name:san-dns-name";
        break;
    case NC_TLS_CTN_SAN_IP_ADDRESS:
        identity = "ietf-x509-cert-to-name:san-ip-address";
        break;
    case NC_TLS_CTN_SAN_ANY:
        identity = "ietf-x509-cert-to-name:san-any";
        break;
    case NC_TLS_CTN_COMMON_NAME:
        identity = "ietf-x509-cert-to-name:common-name";
        break;
    case NC_TLS_CTN_UNKNOWN:
    default:
        /* reported below */
        break;
    }

    if (!identity) {
        ERR(NULL, "Unknown CTN mapping type.");
    }
    return identity;
}
655
/**
 * @brief Fill a cert-to-name list entry under @p tree_path.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path XPath of the cert-to-name entry.
 * @param[in] fingerprint Certificate fingerprint, optional (no leaf is created when NULL);
 * how an entry without a fingerprint is matched is up to the CTN matching code, not this function.
 * @param[in] map_type How the username is derived from the certificate.
 * @param[in] name Username for NC_TLS_CTN_SPECIFIED, otherwise presumably ignored by the
 * matching code - verify there.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error.
 */
static int
_nc_server_config_add_tls_ctn(const struct ly_ctx *ctx, const char *tree_path, const char *fingerprint,
        NC_TLS_CTN_MAPTYPE map_type, const char *name, struct lyd_node **config)
{
    int rc;
    const char *map_identity;

    NC_CHECK_ARG_RET(NULL, ctx, tree_path, name, config, 1);

    /* optional leaf */
    if (fingerprint) {
        rc = nc_server_config_append(ctx, tree_path, "fingerprint", fingerprint, config);
        if (rc) {
            return rc;
        }
    }

    /* identityref of the mapping type, NULL means an unknown type was passed */
    map_identity = nc_server_config_tls_maptype2str(map_type);
    if (!map_identity) {
        return 1;
    }

    rc = nc_server_config_append(ctx, tree_path, "map-type", map_identity, config);
    if (rc) {
        return rc;
    }

    return nc_server_config_append(ctx, tree_path, "name", name, config);
}
693
/**
 * @brief Add a cert-to-name entry to a listen endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in] id Entry ID, used as the list key; it goes through the argument check
 * together with the pointers, so 0 is presumably rejected there - verify the macro.
 * @param[in] fingerprint Certificate fingerprint, optional.
 * @param[in] map_type Mapping type.
 * @param[in] name Username for the specified mapping.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_tls_ctn(const struct ly_ctx *ctx, const char *endpt_name, uint32_t id, const char *fingerprint,
        NC_TLS_CTN_MAPTYPE map_type, const char *name, struct lyd_node **config)
{
    int rc = 0;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, id, name, config, 1);

    rc = asprintf(&xpath, "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/tls/netconf-server-parameters/"
            "client-identity-mappings/cert-to-name[id='%u']", endpt_name, id);
    NC_CHECK_ERRMEM_GOTO(rc == -1, xpath = NULL; rc = 1, cleanup);

    rc = _nc_server_config_add_tls_ctn(ctx, xpath, fingerprint, map_type, name, config);
    if (rc) {
        ERR(NULL, "Creating new TLS cert-to-name YANG data failed.");
    }

cleanup:
    free(xpath);
    return rc;
}
717
/**
 * @brief Remove cert-to-name entry/entries of a listen endpoint.
 *
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in] id ID of the entry to remove; 0 removes every entry.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error (propagated from the delete helper).
 */
API int
nc_server_config_del_tls_ctn(const char *endpt_name, uint32_t id, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    if (!id) {
        /* whole list */
        return nc_server_config_delete(config,
                "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/tls/"
                "netconf-server-parameters/client-identity-mappings/cert-to-name", endpt_name);
    }

    /* single entry */
    return nc_server_config_delete(config,
            "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/tls/"
            "netconf-server-parameters/client-identity-mappings/cert-to-name[id='%u']", endpt_name, id);
}
731
/**
 * @brief Add a cert-to-name entry to a Call Home endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in] id Entry ID, used as the list key (part of the argument check).
 * @param[in] fingerprint Certificate fingerprint, optional.
 * @param[in] map_type Mapping type.
 * @param[in] name Username for the specified mapping.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_ch_tls_ctn(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name, struct lyd_node **config)
{
    int rc = 0;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, id, name, config, 1);

    rc = asprintf(&xpath, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/netconf-server-parameters/client-identity-mappings/"
            "cert-to-name[id='%u']", client_name, endpt_name, id);
    NC_CHECK_ERRMEM_GOTO(rc == -1, xpath = NULL; rc = 1, cleanup);

    rc = _nc_server_config_add_tls_ctn(ctx, xpath, fingerprint, map_type, name, config);
    if (rc) {
        ERR(NULL, "Creating new CH TLS cert-to-name YANG data failed.");
    }

cleanup:
    free(xpath);
    return rc;
}
756
/**
 * @brief Remove cert-to-name entry/entries of a Call Home endpoint.
 *
 * @param[in] client_name Name of the Call Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in] id ID of the entry to remove; 0 removes every entry.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error (propagated from the delete helper).
 */
API int
nc_server_config_del_ch_tls_ctn(const char *client_name, const char *endpt_name,
        uint32_t id, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    if (!id) {
        /* whole list */
        return nc_server_config_delete(config,
                "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
                "endpoints/endpoint[name='%s']/tls/netconf-server-parameters/client-identity-mappings/"
                "cert-to-name", client_name, endpt_name);
    }

    /* single entry */
    return nc_server_config_delete(config,
            "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/netconf-server-parameters/client-identity-mappings/"
            "cert-to-name[id='%u']", client_name, endpt_name, id);
}
773
/**
 * @brief Make a listen endpoint reuse another endpoint's TLS client authentication settings.
 *
 * Creates the libnetconf2-netconf-server:endpoint-reference leaf with @p referenced_endpt as its value.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint being configured.
 * @param[in] referenced_endpt Name of the endpoint whose client authentication is referenced.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error (propagated from the create helper).
 */
API int
nc_server_config_add_tls_endpoint_client_ref(const struct ly_ctx *ctx, const char *endpt_name, const char *referenced_endpt, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, referenced_endpt, config, 1);

    return nc_server_config_create(ctx, config, referenced_endpt,
            "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:endpoint-reference",
            endpt_name);
}
782
/**
 * @brief Remove a listen endpoint's TLS client authentication endpoint reference.
 *
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, non-zero on error (propagated from the delete helper).
 */
API int
nc_server_config_del_tls_endpoint_client_ref(const char *endpt_name, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    return nc_server_config_delete(config,
            "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:endpoint-reference",
            endpt_name);
}
Roytakb2794852023-10-18 14:30:22 +0200790}