Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / e6ec60e32f4ceab56001dc6d18495abe2728d584 / . / src / server_config_util_tls.c
blob: 0ee6b0686eb16bc031cc6a06a50bbb19dc4472aa [file] [log] [blame]
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]1/**
2 * @file server_config_util_tls.c
3 * @author Roman Janota <janota@cesnet.cz>
4 * @brief libnetconf2 server TLS configuration utilities
5 *
6 * @copyright
7 * Copyright (c) 2023 CESNET, z.s.p.o.
8 *
9 * This source code is licensed under BSD 3-Clause License (the "License").
10 * You may not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * https://opensource.org/licenses/BSD-3-Clause
14 */
15
16#define _GNU_SOURCE
17
18#include "server_config_util.h"
19
20#include <stdarg.h>
21#include <stdint.h>
22#include <stdio.h>
23#include <stdlib.h>
24#include <string.h>
25
26#include <libyang/libyang.h>
27
28#include "compat.h"
29#include "config.h"
30#include "log_p.h"
31#include "server_config.h"
32#include "session.h"
33#include "session_p.h"
34
35static int
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]36_nc_server_config_add_tls_server_cert(const struct ly_ctx *ctx, const char *tree_path, const char *privkey_path,
37 const char *pubkey_path, const char *cert_path, struct lyd_node **config)
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]38{
39 int ret = 0;
40 char *privkey = NULL, *pubkey = NULL, *cert = NULL;
41 NC_PRIVKEY_FORMAT privkey_type;
42 const char *privkey_format, *pubkey_format = "ietf-crypto-types:subject-public-key-info-format";
43
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]44 NC_CHECK_ARG_RET(NULL, ctx, tree_path, privkey_path, cert_path, config, 1);
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]45
46 /* get the keys as a string from the given files */
47 ret = nc_server_config_util_get_asym_key_pair(privkey_path, pubkey_path, NC_PUBKEY_FORMAT_X509, &privkey, &privkey_type, &pubkey);
48 if (ret) {
49 ERR(NULL, "Getting keys from file(s) failed.");
50 goto cleanup;
51 }
52
53 /* get cert data from file */
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]54 ret = nc_server_config_util_read_certificate(cert_path, &cert);
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]55 if (ret) {
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]56 ERR(NULL, "Getting certificate from file \"%s\" failed.", cert_path);
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]57 goto cleanup;
58 }
59
60 /* get privkey identityref value */
61 privkey_format = nc_server_config_util_privkey_format_to_identityref(privkey_type);
62 if (!privkey_format) {
63 ret = 1;
64 goto cleanup;
65 }
66
67 ret = nc_server_config_append(ctx, tree_path, "inline-definition/public-key-format", pubkey_format, config);
68 if (ret) {
69 goto cleanup;
70 }
71
72 ret = nc_server_config_append(ctx, tree_path, "inline-definition/public-key", pubkey, config);
73 if (ret) {
74 goto cleanup;
75 }
76
77 ret = nc_server_config_append(ctx, tree_path, "inline-definition/private-key-format", privkey_format, config);
78 if (ret) {
79 goto cleanup;
80 }
81
82 ret = nc_server_config_append(ctx, tree_path, "inline-definition/cleartext-private-key", privkey, config);
83 if (ret) {
84 goto cleanup;
85 }
86
87 ret = nc_server_config_append(ctx, tree_path, "inline-definition/cert-data", cert, config);
88 if (ret) {
89 goto cleanup;
90 }
91
92 /* delete keystore if present */
93 ret = nc_server_config_check_delete(config, "%s/keystore-reference", tree_path);
94 if (ret) {
95 goto cleanup;
96 }
97
98cleanup:
99 free(privkey);
100 free(pubkey);
101 free(cert);
102 return ret;
103}
104
105API int
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]106nc_server_config_add_tls_server_cert(const struct ly_ctx *ctx, const char *endpt_name, const char *privkey_path,
107 const char *pubkey_path, const char *cert_path, struct lyd_node **config)
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]108{
109 int ret = 0;
110 char *path = NULL;
111
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]112 NC_CHECK_ARG_RET(NULL, ctx, endpt_name, privkey_path, cert_path, config, 1);
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]113
114 if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
115 "tls/tls-server-parameters/server-identity/certificate", endpt_name) == -1) {
116 ERRMEM;
117 path = NULL;
118 ret = 1;
119 goto cleanup;
120 }
121
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]122 ret = _nc_server_config_add_tls_server_cert(ctx, path, privkey_path, pubkey_path,
123 cert_path, config);
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]124 if (ret) {
125 ERR(NULL, "Creating new TLS server certificate YANG data failed.");
126 goto cleanup;
127 }
128
129cleanup:
130 free(path);
131 return ret;
132}
133
134API int
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]135nc_server_config_del_tls_server_cert(const char *endpt_name, struct lyd_node **config)
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]136{
137 NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
138
139 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
140 "tls/tls-server-parameters/server-identity/certificate/inline-definition", endpt_name);
141}
142
143API int
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]144nc_server_config_add_ch_tls_server_cert(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
145 const char *privkey_path, const char *pubkey_path, const char *cert_path, struct lyd_node **config)
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]146{
147 int ret = 0;
148 char *path = NULL;
149
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]150 NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, privkey_path, cert_path, config, 1);
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]151
152 if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/"
153 "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/server-identity/"
154 "certificate", client_name, endpt_name) == -1) {
155 ERRMEM;
156 path = NULL;
157 ret = 1;
158 goto cleanup;
159 }
160
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]161 ret = _nc_server_config_add_tls_server_cert(ctx, path, privkey_path, pubkey_path,
162 cert_path, config);
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]163 if (ret) {
164 ERR(NULL, "Creating new CH TLS server certificate YANG data failed.");
165 goto cleanup;
166 }
167
168cleanup:
169 free(path);
170 return ret;
171}
172
173API int
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]174nc_server_config_del_ch_tls_server_cert(const char *client_name, const char *endpt_name,
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]175 struct lyd_node **config)
176{
177 NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);
178
179 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
180 "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/server-identity/"
181 "certificate/inline-definition", client_name, endpt_name);
182}
183
184static int
romand348b942023-10-13 14:32:19 +0200[diff] [blame]185_nc_server_config_add_tls_keystore_ref(const struct ly_ctx *ctx, const char *tree_path, const char *asym_key_ref,
186 const char *cert_ref, struct lyd_node **config)
187{
188 int ret = 0;
189
190 /* create asymmetric key pair reference */
191 ret = nc_server_config_append(ctx, tree_path, "keystore-reference/asymmetric-key", asym_key_ref, config);
192 if (ret) {
193 goto cleanup;
194 }
195
196 /* create cert reference, this cert has to belong to the asym key */
197 ret = nc_server_config_append(ctx, tree_path, "keystore-reference/certificate", cert_ref, config);
198 if (ret) {
199 goto cleanup;
200 }
201
202 /* delete inline definition if present */
203 ret = nc_server_config_check_delete(config, "%s/inline-definition", tree_path);
204 if (ret) {
205 goto cleanup;
206 }
207
208cleanup:
209 return ret;
210}
211
212API int
213nc_server_config_add_tls_keystore_ref(const struct ly_ctx *ctx, const char *endpt_name, const char *asym_key_ref,
214 const char *cert_ref, struct lyd_node **config)
215{
216 int ret = 0;
217 char *path = NULL;
218
219 NC_CHECK_ARG_RET(NULL, ctx, endpt_name, asym_key_ref, cert_ref, config, 1);
220
221 if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
222 "tls/tls-server-parameters/server-identity/certificate", endpt_name) == -1) {
223 ERRMEM;
224 path = NULL;
225 ret = 1;
226 goto cleanup;
227 }
228
229 ret = _nc_server_config_add_tls_keystore_ref(ctx, path, asym_key_ref, cert_ref, config);
230 if (ret) {
231 goto cleanup;
232 }
233
234cleanup:
235 free(path);
236 return ret;
237}
238
239API int
240nc_server_config_del_tls_keystore_ref(const char *endpt_name, struct lyd_node **config)
241{
242 NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
243
244 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
245 "tls/tls-server-parameters/server-identity/certificate/keystore-reference", endpt_name);
246}
247
248API int
249nc_server_config_add_ch_tls_keystore_ref(const struct ly_ctx *ctx, const char *client_name,
250 const char *endpt_name, const char *asym_key_ref, const char *cert_ref, struct lyd_node **config)
251{
252 int ret = 0;
253 char *path = NULL;
254
255 NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, asym_key_ref, cert_ref, config, 1);
256
257 if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
258 "endpoint[name='%s']/tls/tls-server-parameters/server-identity/certificate", client_name, endpt_name) == -1) {
259 ERRMEM;
260 path = NULL;
261 ret = 1;
262 goto cleanup;
263 }
264
265 ret = _nc_server_config_add_tls_keystore_ref(ctx, path, asym_key_ref, cert_ref, config);
266 if (ret) {
267 goto cleanup;
268 }
269
270cleanup:
271 free(path);
272 return ret;
273}
274
275API int
276nc_server_config_del_ch_tls_keystore_ref(const char *client_name, const char *endpt_name,
277 struct lyd_node **config)
278{
279 NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);
280
281 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
282 "endpoints/endpoint[name='%s']/tls/tls-server-parameters/server-identity/certificate/"
283 "keystore-reference", client_name, endpt_name);
284}
285
286static int
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]287_nc_server_config_add_tls_client_cert(const struct ly_ctx *ctx, const char *tree_path,
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]288 const char *cert_path, struct lyd_node **config)
289{
290 int ret = 0;
291 char *cert = NULL;
292
293 NC_CHECK_ARG_RET(NULL, ctx, tree_path, cert_path, config, 1);
294
295 ret = nc_server_config_util_read_certificate(cert_path, &cert);
296 if (ret) {
297 ERR(NULL, "Getting certificate from file \"%s\" failed.", cert_path);
298 goto cleanup;
299 }
300
301 ret = nc_server_config_append(ctx, tree_path, "cert-data", cert, config);
302 if (ret) {
303 goto cleanup;
304 }
305
306cleanup:
307 free(cert);
308 return ret;
309}
310
311API int
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]312nc_server_config_add_tls_client_cert(const struct ly_ctx *ctx, const char *endpt_name, const char *cert_name,
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]313 const char *cert_path, struct lyd_node **config)
314{
315 int ret = 0;
316 char *path = NULL;
317
318 NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_name, cert_path, config, 1);
319
320 if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
321 "client-authentication/ee-certs/inline-definition/certificate[name='%s']", endpt_name, cert_name) == -1) {
322 ERRMEM;
323 path = NULL;
324 ret = 1;
325 goto cleanup;
326 }
327
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]328 ret = _nc_server_config_add_tls_client_cert(ctx, path, cert_path, config);
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]329 if (ret) {
330 ERR(NULL, "Creating new TLS client certificate YANG data failed.");
331 goto cleanup;
332 }
333
334 /* delete truststore if present */
335 ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
336 "client-authentication/ee-certs/truststore-reference", endpt_name);
337 if (ret) {
338 goto cleanup;
339 }
340
341cleanup:
342 free(path);
343 return ret;
344}
345
346API int
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]347nc_server_config_del_tls_client_cert(const char *endpt_name, const char *cert_name, struct lyd_node **config)
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]348{
349 NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
350
351 if (cert_name) {
352 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
353 "tls-server-parameters/client-authentication/ee-certs/inline-definition/"
354 "certificate[name='%s']", endpt_name, cert_name);
355 } else {
356 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
357 "tls-server-parameters/client-authentication/ee-certs/inline-definition/"
358 "certificate", endpt_name);
359 }
360}
361
362API int
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]363nc_server_config_add_ch_tls_client_cert(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]364 const char *cert_name, const char *cert_path, struct lyd_node **config)
365{
366 int ret = 0;
367 char *path = NULL;
368
369 NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, cert_name, cert_path, config, 1);
370
371 if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
372 "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ee-certs/"
373 "inline-definition/certificate[name='%s']", client_name, endpt_name, cert_name) == -1) {
374 ERRMEM;
375 path = NULL;
376 ret = 1;
377 goto cleanup;
378 }
379
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]380 ret = _nc_server_config_add_tls_client_cert(ctx, path, cert_path, config);
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]381 if (ret) {
382 ERR(NULL, "Creating new CH TLS client certificate YANG data failed.");
383 goto cleanup;
384 }
385
386 /* delete truststore if present */
387 ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
388 "endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
389 "client-authentication/ee-certs/truststore-reference", client_name, endpt_name);
390 if (ret) {
391 goto cleanup;
392 }
393
394cleanup:
395 free(path);
396 return ret;
397}
398
399API int
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]400nc_server_config_del_ch_tls_client_cert(const char *client_name, const char *endpt_name,
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]401 const char *cert_name, struct lyd_node **config)
402{
403 NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);
404
405 if (cert_name) {
406 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
407 "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ee-certs/"
408 "inline-definition/certificate[name='%s']", client_name, endpt_name, cert_name);
409 } else {
410 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
411 "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ee-certs/"
412 "inline-definition/certificate", client_name, endpt_name);
413 }
414}
415
416API int
romand348b942023-10-13 14:32:19 +0200[diff] [blame]417nc_server_config_add_tls_client_cert_truststore_ref(const struct ly_ctx *ctx, const char *endpt_name,
418 const char *cert_bag_ref, struct lyd_node **config)
419{
420 int ret = 0;
421
422 NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_bag_ref, config, 1);
423
424 ret = nc_server_config_create(ctx, config, cert_bag_ref, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
425 "tls-server-parameters/client-authentication/ee-certs/truststore-reference", endpt_name);
426 if (ret) {
427 goto cleanup;
428 }
429
430 /* delete inline definition if present */
431 ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
432 "tls-server-parameters/client-authentication/ee-certs/inline-definition", endpt_name);
433 if (ret) {
434 goto cleanup;
435 }
436
437cleanup:
438 return ret;
439}
440
441API int
442nc_server_config_del_tls_client_cert_truststore_ref(const char *endpt_name, struct lyd_node **config)
443{
444 NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
445
446 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
447 "tls-server-parameters/client-authentication/ee-certs/truststore-reference", endpt_name);
448}
449
450API int
451nc_server_config_add_ch_tls_client_cert_truststore_ref(const struct ly_ctx *ctx, const char *client_name,
452 const char *endpt_name, const char *cert_bag_ref, struct lyd_node **config)
453{
454 int ret = 0;
455
456 NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, cert_bag_ref, config, 1);
457
458 ret = nc_server_config_create(ctx, config, cert_bag_ref, "/ietf-netconf-server:netconf-server/call-home/"
459 "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
460 "client-authentication/ee-certs/truststore-reference", client_name, endpt_name);
461 if (ret) {
462 goto cleanup;
463 }
464
465 /* delete inline definition if present */
466 ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
467 "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/"
468 "tls-server-parameters/client-authentication/ee-certs/inline-definition", client_name, endpt_name);
469 if (ret) {
470 goto cleanup;
471 }
472
473cleanup:
474 return ret;
475}
476
477API int
478nc_server_config_del_ch_tls_client_cert_truststore_ref(const char *client_name, const char *endpt_name,
479 struct lyd_node **config)
480{
481 NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);
482
483 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
484 "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
485 "client-authentication/ee-certs/truststore-reference", client_name, endpt_name);
486}
487
488API int
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]489nc_server_config_add_tls_ca_cert(const struct ly_ctx *ctx, const char *endpt_name, const char *cert_name,
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]490 const char *cert_path, struct lyd_node **config)
491{
492 int ret = 0;
493 char *path = NULL;
494
495 NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_name, cert_path, config, 1);
496
497 if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
498 "client-authentication/ca-certs/inline-definition/certificate[name='%s']", endpt_name, cert_name) == -1) {
499 ERRMEM;
500 path = NULL;
501 ret = 1;
502 goto cleanup;
503 }
504
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]505 ret = _nc_server_config_add_tls_client_cert(ctx, path, cert_path, config);
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]506 if (ret) {
507 ERR(NULL, "Creating new TLS client certificate authority YANG data failed.");
508 goto cleanup;
509 }
510
511 /* delete truststore if present */
512 ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
513 "client-authentication/ca-certs/truststore-reference", endpt_name);
514 if (ret) {
515 goto cleanup;
516 }
517
518cleanup:
519 free(path);
520 return ret;
521}
522
523API int
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]524nc_server_config_del_tls_ca_cert(const char *endpt_name, const char *cert_name, struct lyd_node **config)
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]525{
526 NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
527
528 if (cert_name) {
529 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
530 "tls-server-parameters/client-authentication/ca-certs/inline-definition/"
531 "certificate[name='%s']", endpt_name, cert_name);
532 } else {
533 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
534 "tls-server-parameters/client-authentication/ca-certs/inline-definition/"
535 "certificate", endpt_name);
536 }
537}
538
539API int
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]540nc_server_config_add_ch_tls_ca_cert(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]541 const char *cert_name, const char *cert_path, struct lyd_node **config)
542{
543 int ret = 0;
544 char *path = NULL;
545
546 NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, cert_name, cert_path, config, 1);
547
548 if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
549 "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ca-certs/"
550 "inline-definition/certificate[name='%s']", client_name, endpt_name, cert_name) == -1) {
551 ERRMEM;
552 path = NULL;
553 ret = 1;
554 goto cleanup;
555 }
556
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]557 ret = _nc_server_config_add_tls_client_cert(ctx, path, cert_path, config);
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]558 if (ret) {
559 ERR(NULL, "Creating new CH TLS client certificate authority YANG data failed.");
560 goto cleanup;
561 }
562
563 /* delete truststore if present */
564 ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
565 "endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
566 "client-authentication/ca-certs/truststore-reference", client_name, endpt_name);
567 if (ret) {
568 goto cleanup;
569 }
570
571cleanup:
572 free(path);
573 return ret;
574}
575
576API int
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]577nc_server_config_del_ch_tls_ca_cert(const char *client_name, const char *endpt_name,
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]578 const char *cert_name, struct lyd_node **config)
579{
580 NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);
581
582 if (cert_name) {
583 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
584 "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ca-certs/"
585 "inline-definition/certificate[name='%s']", client_name, endpt_name, cert_name);
586 } else {
587 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
588 "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ca-certs/"
589 "inline-definition/certificate", client_name, endpt_name);
590 }
591}
592
romand348b942023-10-13 14:32:19 +0200[diff] [blame]593API int
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]594nc_server_config_add_tls_ca_cert_truststore_ref(const struct ly_ctx *ctx, const char *endpt_name,
romand348b942023-10-13 14:32:19 +0200[diff] [blame]595 const char *cert_bag_ref, struct lyd_node **config)
596{
597 int ret = 0;
598
599 NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_bag_ref, config, 1);
600
601 ret = nc_server_config_create(ctx, config, cert_bag_ref, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
602 "tls-server-parameters/client-authentication/ca-certs/truststore-reference", endpt_name);
603 if (ret) {
604 goto cleanup;
605 }
606
607 /* delete inline definition if present */
608 ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
609 "tls-server-parameters/client-authentication/ca-certs/inline-definition", endpt_name);
610 if (ret) {
611 goto cleanup;
612 }
613
614cleanup:
615 return ret;
616}
617
618API int
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]619nc_server_config_del_tls_ca_cert_truststore_ref(const char *endpt_name, struct lyd_node **config)
romand348b942023-10-13 14:32:19 +0200[diff] [blame]620{
621 NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
622
623 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
624 "tls-server-parameters/client-authentication/ca-certs/truststore-reference", endpt_name);
625}
626
627API int
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]628nc_server_config_add_ch_tls_ca_cert_truststore_ref(const struct ly_ctx *ctx, const char *client_name,
romand348b942023-10-13 14:32:19 +0200[diff] [blame]629 const char *endpt_name, const char *cert_bag_ref, struct lyd_node **config)
630{
631 int ret = 0;
632
633 NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, cert_bag_ref, config, 1);
634
635 ret = nc_server_config_create(ctx, config, cert_bag_ref, "/ietf-netconf-server:netconf-server/call-home/"
636 "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
637 "client-authentication/ca-certs/truststore-reference", client_name, endpt_name);
638 if (ret) {
639 goto cleanup;
640 }
641
642 /* delete inline definition if present */
643 ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
644 "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
645 "client-authentication/ca-certs/inline-definition", client_name, endpt_name);
646 if (ret) {
647 goto cleanup;
648 }
649
650cleanup:
651 return ret;
652}
653
654API int
romane6ec60e2023-10-19 15:21:52 +0200[diff] [blame^]655nc_server_config_del_ch_tls_ca_cert_truststore_ref(const char *client_name, const char *endpt_name,
romand348b942023-10-13 14:32:19 +0200[diff] [blame]656 struct lyd_node **config)
657{
658 NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);
659
660 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
661 "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
662 "client-authentication/ca-certs/truststore-reference", client_name, endpt_name);
663}
664
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]665static const char *
666nc_server_config_tls_maptype2str(NC_TLS_CTN_MAPTYPE map_type)
667{
668 switch (map_type) {
669 case NC_TLS_CTN_SPECIFIED:
670 return "ietf-x509-cert-to-name:specified";
671 case NC_TLS_CTN_SAN_RFC822_NAME:
672 return "ietf-x509-cert-to-name:san-rfc822-name";
673 case NC_TLS_CTN_SAN_DNS_NAME:
674 return "ietf-x509-cert-to-name:san-dns-name";
675 case NC_TLS_CTN_SAN_IP_ADDRESS:
676 return "ietf-x509-cert-to-name:san-ip-address";
677 case NC_TLS_CTN_SAN_ANY:
678 return "ietf-x509-cert-to-name:san-any";
679 case NC_TLS_CTN_COMMON_NAME:
680 return "ietf-x509-cert-to-name:common-name";
681 case NC_TLS_CTN_UNKNOWN:
682 default:
683 ERR(NULL, "Unknown CTN mapping type.");
684 return NULL;
685 }
686}
687
688static int
689_nc_server_config_add_tls_ctn(const struct ly_ctx *ctx, const char *tree_path, const char *fingerprint,
690 NC_TLS_CTN_MAPTYPE map_type, const char *name, struct lyd_node **config)
691{
692 int ret = 0;
693 const char *map;
694
695 NC_CHECK_ARG_RET(NULL, ctx, tree_path, name, config, 1);
696
697 if (fingerprint) {
698 /* optional */
699 ret = nc_server_config_append(ctx, tree_path, "fingerprint", fingerprint, config);
700 if (ret) {
701 goto cleanup;
702 }
703 }
704
705 /* get map str */
706 map = nc_server_config_tls_maptype2str(map_type);
707 if (!map) {
708 ret = 1;
709 goto cleanup;
710 }
711
712 ret = nc_server_config_append(ctx, tree_path, "map-type", map, config);
713 if (ret) {
714 goto cleanup;
715 }
716
717 ret = nc_server_config_append(ctx, tree_path, "name", name, config);
718 if (ret) {
719 goto cleanup;
720 }
721
722cleanup:
723 return ret;
724}
725
726API int
727nc_server_config_add_tls_ctn(const struct ly_ctx *ctx, const char *endpt_name, uint32_t id, const char *fingerprint,
728 NC_TLS_CTN_MAPTYPE map_type, const char *name, struct lyd_node **config)
729{
730 int ret = 0;
731 char *path = NULL;
732
733 NC_CHECK_ARG_RET(NULL, ctx, endpt_name, id, name, config, 1);
734
735 if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/netconf-server-parameters/"
736 "client-identity-mappings/cert-to-name[id='%u']", endpt_name, id) == -1) {
737 ERRMEM;
738 path = NULL;
739 ret = 1;
740 goto cleanup;
741 }
742
743 ret = _nc_server_config_add_tls_ctn(ctx, path, fingerprint, map_type, name, config);
744 if (ret) {
745 ERR(NULL, "Creating new TLS cert-to-name YANG data failed.");
746 goto cleanup;
747 }
748
749cleanup:
750 free(path);
751 return ret;
752}
753
754API int
755nc_server_config_del_tls_ctn(const char *endpt_name, uint32_t id, struct lyd_node **config)
756{
757 NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
758
759 if (id) {
760 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
761 "netconf-server-parameters/client-identity-mappings/cert-to-name[id='%u']", endpt_name, id);
762 } else {
763 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
764 "netconf-server-parameters/client-identity-mappings/cert-to-name", endpt_name);
765 }
766}
767
768API int
769nc_server_config_add_ch_tls_ctn(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
770 uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name, struct lyd_node **config)
771{
772 int ret = 0;
773 char *path = NULL;
774
775 NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, id, name, config, 1);
776
777 if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
778 "endpoints/endpoint[name='%s']/tls/netconf-server-parameters/client-identity-mappings/"
779 "cert-to-name[id='%u']", client_name, endpt_name, id) == -1) {
780 ERRMEM;
781 path = NULL;
782 ret = 1;
783 goto cleanup;
784 }
785
786 ret = _nc_server_config_add_tls_ctn(ctx, path, fingerprint, map_type, name, config);
787 if (ret) {
788 ERR(NULL, "Creating new CH TLS cert-to-name YANG data failed.");
789 goto cleanup;
790 }
791
792cleanup:
793 free(path);
794 return ret;
795}
796
797API int
798nc_server_config_del_ch_tls_ctn(const char *client_name, const char *endpt_name,
799 uint32_t id, struct lyd_node **config)
800{
801 NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);
802
803 if (id) {
804 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
805 "endpoints/endpoint[name='%s']/tls/netconf-server-parameters/client-identity-mappings/"
806 "cert-to-name[id='%u']", client_name, endpt_name, id);
807 } else {
808 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
809 "endpoints/endpoint[name='%s']/tls/netconf-server-parameters/client-identity-mappings/"
810 "cert-to-name", client_name, endpt_name);
811 }
812}
813
Roytakb2794852023-10-18 14:30:22 +0200[diff] [blame]814API int
815nc_server_config_add_tls_endpoint_client_ref(const struct ly_ctx *ctx, const char *endpt_name, const char *referenced_endpt, struct lyd_node **config)
816{
817 NC_CHECK_ARG_RET(NULL, ctx, endpt_name, referenced_endpt, config, 1);
818
819 return nc_server_config_create(ctx, config, referenced_endpt, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
820 "client-authentication/libnetconf2-netconf-server:endpoint-client-auth", endpt_name);
821}
822
823API int
824nc_server_config_del_tls_endpoint_client_ref(const char *endpt_name, struct lyd_node **config)
825{
826 NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
827
828 return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
829 "client-authentication/libnetconf2-netconf-server:endpoint-client-auth", endpt_name);
830}