/**
 * @file server_config_util_tls.c
 * @author Roman Janota <janota@cesnet.cz>
 * @brief libnetconf2 server TLS configuration utilities
 *
 * @copyright
 * Copyright (c) 2023 CESNET, z.s.p.o.
 *
 * This source code is licensed under BSD 3-Clause License (the "License").
 * You may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://opensource.org/licenses/BSD-3-Clause
 */
15
16#define _GNU_SOURCE
17
18#include "server_config_util.h"
19
20#include <stdarg.h>
21#include <stdint.h>
22#include <stdio.h>
23#include <stdlib.h>
24#include <string.h>
25
26#include <libyang/libyang.h>
27
28#include "compat.h"
29#include "config.h"
30#include "log_p.h"
31#include "server_config.h"
32#include "session.h"
33#include "session_p.h"
34
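/**
 * @brief Zeroize a NUL-terminated secret before it is released.
 *
 * The stores go through a volatile pointer so the compiler cannot drop them as dead
 * (a plain memset() immediately before free() may be optimized away).
 *
 * @param[in] str String to wipe, may be NULL.
 */
static void
wipe_secret_str(char *str)
{
    volatile unsigned char *p = (volatile unsigned char *)str;

    if (!str) {
        return;
    }

    while (*p) {
        *p++ = 0;
    }
}

/**
 * @brief Fill the certificate container at @p tree_path with an inline key pair and certificate read from files.
 *
 * Creates inline-definition/public-key-format, public-key, private-key-format, cleartext-private-key and
 * cert-data, then removes a keystore-reference under @p tree_path if one exists, as the two are alternatives.
 * The private key is written into the data tree in cleartext; the local copy is wiped before it is freed.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path XPath of the certificate container, built by the caller.
 * @param[in] privkey_path Path to the private key file.
 * @param[in] pubkey_path Path to the public key file, not checked here and passed through to
 * nc_server_config_util_get_asym_key_pair().
 * @param[in] certificate_path Path to the certificate file.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, 1 on error.
 */
static int
_nc_server_config_add_tls_server_certificate(const struct ly_ctx *ctx, const char *tree_path, const char *privkey_path,
        const char *pubkey_path, const char *certificate_path, struct lyd_node **config)
{
    int ret = 0;
    char *privkey = NULL, *pubkey = NULL, *cert = NULL;
    NC_PRIVKEY_FORMAT privkey_type;
    const char *privkey_format, *pubkey_format = "ietf-crypto-types:subject-public-key-info-format";

    NC_CHECK_ARG_RET(NULL, ctx, tree_path, privkey_path, certificate_path, config, 1);

    /* get the keys as a string from the given files */
    ret = nc_server_config_util_get_asym_key_pair(privkey_path, pubkey_path, NC_PUBKEY_FORMAT_X509, &privkey, &privkey_type, &pubkey);
    if (ret) {
        ERR(NULL, "Getting keys from file(s) failed.");
        goto cleanup;
    }

    /* get cert data from file */
    ret = nc_server_config_util_read_certificate(certificate_path, &cert);
    if (ret) {
        ERR(NULL, "Getting certificate from file \"%s\" failed.", certificate_path);
        goto cleanup;
    }

    /* get privkey identityref value, the callee reports the unknown format */
    privkey_format = nc_server_config_util_privkey_format_to_identityref(privkey_type);
    if (!privkey_format) {
        ret = 1;
        goto cleanup;
    }

    ret = nc_server_config_append(ctx, tree_path, "inline-definition/public-key-format", pubkey_format, config);
    if (ret) {
        goto cleanup;
    }

    ret = nc_server_config_append(ctx, tree_path, "inline-definition/public-key", pubkey, config);
    if (ret) {
        goto cleanup;
    }

    ret = nc_server_config_append(ctx, tree_path, "inline-definition/private-key-format", privkey_format, config);
    if (ret) {
        goto cleanup;
    }

    ret = nc_server_config_append(ctx, tree_path, "inline-definition/cleartext-private-key", privkey, config);
    if (ret) {
        goto cleanup;
    }

    ret = nc_server_config_append(ctx, tree_path, "inline-definition/cert-data", cert, config);
    if (ret) {
        goto cleanup;
    }

    /* delete keystore if present, the inline definition replaces it */
    ret = nc_server_config_check_delete(config, "%s/keystore-reference", tree_path);
    if (ret) {
        goto cleanup;
    }

cleanup:
    /* the key was copied into the data tree, do not leave a second copy behind in freed heap memory */
    wipe_secret_str(privkey);
    free(privkey);
    free(pubkey);
    free(cert);
    return ret;
}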
104
/**
 * @brief Add an inline TLS server certificate (with its key pair) to a listen endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Listen endpoint name; it is interpolated verbatim into an XPath predicate,
 * so a name containing a single quote breaks the predicate.
 * @param[in] privkey_path Path to the private key file.
 * @param[in] pubkey_path Path to the public key file, not checked here.
 * @param[in] certificate_path Path to the certificate file.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_add_tls_server_certificate(const struct ly_ctx *ctx, const char *endpt_name, const char *privkey_path,
        const char *pubkey_path, const char *certificate_path, struct lyd_node **config)
{
    char *cert_xpath = NULL;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, privkey_path, certificate_path, config, 1);

    /* certificate container of this endpoint */
    if (asprintf(&cert_xpath, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
            "tls/tls-server-parameters/server-identity/certificate", endpt_name) == -1) {
        ERRMEM;
        return 1;
    }

    rc = _nc_server_config_add_tls_server_certificate(ctx, cert_xpath, privkey_path, pubkey_path,
            certificate_path, config);
    if (rc) {
        ERR(NULL, "Creating new TLS server certificate YANG data failed.");
    }

    free(cert_xpath);
    return rc;
}
133
/**
 * @brief Remove the inline server certificate definition of a listen endpoint.
 *
 * Only the inline-definition subtree is removed; a keystore-reference, if used instead, is untouched.
 *
 * @param[in] endpt_name Listen endpoint name.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error (propagated from nc_server_config_delete()).
 */
API int
nc_server_config_del_tls_server_certificate(const char *endpt_name, struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    rc = nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
            "tls-server-parameters/server-identity/certificate/inline-definition", endpt_name);
    return rc;
}
142
/**
 * @brief Add an inline TLS server certificate (with its key pair) to a Call Home client endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Call Home client name (interpolated verbatim into an XPath predicate).
 * @param[in] endpt_name Endpoint name of the client (same caveat).
 * @param[in] privkey_path Path to the private key file.
 * @param[in] pubkey_path Path to the public key file, not checked here.
 * @param[in] certificate_path Path to the certificate file.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_add_ch_tls_server_certificate(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        const char *privkey_path, const char *pubkey_path, const char *certificate_path, struct lyd_node **config)
{
    char *cert_xpath = NULL;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, privkey_path, certificate_path, config, 1);

    /* certificate container of this Call Home endpoint */
    if (asprintf(&cert_xpath, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/server-identity/"
            "certificate", client_name, endpt_name) == -1) {
        ERRMEM;
        return 1;
    }

    rc = _nc_server_config_add_tls_server_certificate(ctx, cert_xpath, privkey_path, pubkey_path,
            certificate_path, config);
    if (rc) {
        ERR(NULL, "Creating new CH TLS server certificate YANG data failed.");
    }

    free(cert_xpath);
    return rc;
}
172
/**
 * @brief Remove the inline server certificate definition of a Call Home client endpoint.
 *
 * @param[in] client_name Call Home client name.
 * @param[in] endpt_name Endpoint name of the client.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error (propagated from nc_server_config_delete()).
 */
API int
nc_server_config_del_ch_tls_server_certificate(const char *client_name, const char *endpt_name,
        struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    rc = nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/server-identity/"
            "certificate/inline-definition", client_name, endpt_name);
    return rc;
}
183
/**
 * @brief Point the certificate container at @p tree_path to a keystore entry instead of an inline definition.
 *
 * Arguments are not validated here; the public wrappers check them.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path XPath of the certificate container.
 * @param[in] asym_key_ref Name of the asymmetric key in the keystore.
 * @param[in] cert_ref Name of a certificate belonging to that key.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error.
 */
static int
_nc_server_config_add_tls_keystore_ref(const struct ly_ctx *ctx, const char *tree_path, const char *asym_key_ref,
        const char *cert_ref, struct lyd_node **config)
{
    int rc;

    /* reference to the asymmetric key */
    rc = nc_server_config_append(ctx, tree_path, "keystore-reference/asymmetric-key", asym_key_ref, config);
    if (rc) {
        return rc;
    }

    /* reference to a certificate of that key */
    rc = nc_server_config_append(ctx, tree_path, "keystore-reference/certificate", cert_ref, config);
    if (rc) {
        return rc;
    }

    /* an inline definition, if any, is superseded by the reference */
    return nc_server_config_check_delete(config, "%s/inline-definition", tree_path);
}
211
/**
 * @brief Reference a keystore key pair and certificate as the server identity of a listen endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Listen endpoint name (interpolated verbatim into an XPath predicate).
 * @param[in] asym_key_ref Name of the asymmetric key in the keystore.
 * @param[in] cert_ref Name of a certificate of that key.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_tls_keystore_ref(const struct ly_ctx *ctx, const char *endpt_name, const char *asym_key_ref,
        const char *cert_ref, struct lyd_node **config)
{
    char *cert_xpath = NULL;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, asym_key_ref, cert_ref, config, 1);

    if (asprintf(&cert_xpath, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
            "tls/tls-server-parameters/server-identity/certificate", endpt_name) == -1) {
        ERRMEM;
        return 1;
    }

    rc = _nc_server_config_add_tls_keystore_ref(ctx, cert_xpath, asym_key_ref, cert_ref, config);

    free(cert_xpath);
    return rc;
}
238
/**
 * @brief Remove the keystore reference of a listen endpoint's server identity.
 *
 * @param[in] endpt_name Listen endpoint name.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error (propagated from nc_server_config_delete()).
 */
API int
nc_server_config_del_tls_keystore_ref(const char *endpt_name, struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    rc = nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
            "tls-server-parameters/server-identity/certificate/keystore-reference", endpt_name);
    return rc;
}
247
/**
 * @brief Reference a keystore key pair and certificate as the server identity of a Call Home client endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Call Home client name (interpolated verbatim into an XPath predicate).
 * @param[in] endpt_name Endpoint name of the client (same caveat).
 * @param[in] asym_key_ref Name of the asymmetric key in the keystore.
 * @param[in] cert_ref Name of a certificate of that key.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_ch_tls_keystore_ref(const struct ly_ctx *ctx, const char *client_name,
        const char *endpt_name, const char *asym_key_ref, const char *cert_ref, struct lyd_node **config)
{
    char *cert_xpath = NULL;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, asym_key_ref, cert_ref, config, 1);

    if (asprintf(&cert_xpath, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
            "endpoint[name='%s']/tls/tls-server-parameters/server-identity/certificate", client_name, endpt_name) == -1) {
        ERRMEM;
        return 1;
    }

    rc = _nc_server_config_add_tls_keystore_ref(ctx, cert_xpath, asym_key_ref, cert_ref, config);

    free(cert_xpath);
    return rc;
}
274
/**
 * @brief Remove the keystore reference of a Call Home client endpoint's server identity.
 *
 * @param[in] client_name Call Home client name.
 * @param[in] endpt_name Endpoint name of the client.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error (propagated from nc_server_config_delete()).
 */
API int
nc_server_config_del_ch_tls_keystore_ref(const char *client_name, const char *endpt_name,
        struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    rc = nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/server-identity/certificate/"
            "keystore-reference", client_name, endpt_name);
    return rc;
}
285
/**
 * @brief Read a certificate from a file and store it as the cert-data leaf under @p tree_path.
 *
 * Used for both end-entity and CA client certificates; only the caller-built path differs.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path XPath of the certificate list entry.
 * @param[in] cert_path Path to the certificate file.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error.
 */
static int
_nc_server_config_add_tls_client_certificate(const struct ly_ctx *ctx, const char *tree_path,
        const char *cert_path, struct lyd_node **config)
{
    char *cert_data = NULL;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, tree_path, cert_path, config, 1);

    rc = nc_server_config_util_read_certificate(cert_path, &cert_data);
    if (rc) {
        ERR(NULL, "Getting certificate from file \"%s\" failed.", cert_path);
    } else {
        rc = nc_server_config_append(ctx, tree_path, "cert-data", cert_data, config);
    }

    free(cert_data);
    return rc;
}
310
/**
 * @brief Add an inline end-entity client certificate to a listen endpoint's client authentication.
 *
 * A truststore-reference for ee-certs, if present, is removed afterwards since the two are alternatives.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Listen endpoint name (interpolated verbatim into an XPath predicate).
 * @param[in] cert_name Name of the certificate list entry (same caveat).
 * @param[in] cert_path Path to the certificate file.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_tls_client_certificate(const struct ly_ctx *ctx, const char *endpt_name, const char *cert_name,
        const char *cert_path, struct lyd_node **config)
{
    char *cert_xpath = NULL;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_name, cert_path, config, 1);

    if (asprintf(&cert_xpath, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ee-certs/inline-definition/certificate[name='%s']", endpt_name, cert_name) == -1) {
        ERRMEM;
        return 1;
    }

    rc = _nc_server_config_add_tls_client_certificate(ctx, cert_xpath, cert_path, config);
    free(cert_xpath);
    if (rc) {
        ERR(NULL, "Creating new TLS client certificate YANG data failed.");
        return rc;
    }

    /* the inline definition replaces a truststore reference, if there was one */
    return nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ee-certs/truststore-reference", endpt_name);
}
345
/**
 * @brief Remove inline end-entity client certificate(s) from a listen endpoint.
 *
 * @param[in] endpt_name Listen endpoint name.
 * @param[in] cert_name Name of the certificate to remove, NULL removes all of them.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error (propagated from nc_server_config_delete()).
 */
API int
nc_server_config_del_tls_client_certificate(const char *endpt_name, const char *cert_name, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    if (!cert_name) {
        /* whole list */
        return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
                "tls-server-parameters/client-authentication/ee-certs/inline-definition/"
                "certificate", endpt_name);
    }

    return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
            "tls-server-parameters/client-authentication/ee-certs/inline-definition/"
            "certificate[name='%s']", endpt_name, cert_name);
}
361
/**
 * @brief Add an inline end-entity client certificate to a Call Home client endpoint's client authentication.
 *
 * A truststore-reference for ee-certs, if present, is removed afterwards since the two are alternatives.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Call Home client name (interpolated verbatim into an XPath predicate).
 * @param[in] endpt_name Endpoint name of the client (same caveat).
 * @param[in] cert_name Name of the certificate list entry (same caveat).
 * @param[in] cert_path Path to the certificate file.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_ch_tls_client_certificate(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        const char *cert_name, const char *cert_path, struct lyd_node **config)
{
    char *cert_xpath = NULL;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, cert_name, cert_path, config, 1);

    if (asprintf(&cert_xpath, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ee-certs/"
            "inline-definition/certificate[name='%s']", client_name, endpt_name, cert_name) == -1) {
        ERRMEM;
        return 1;
    }

    rc = _nc_server_config_add_tls_client_certificate(ctx, cert_xpath, cert_path, config);
    free(cert_xpath);
    if (rc) {
        ERR(NULL, "Creating new CH TLS client certificate YANG data failed.");
        return rc;
    }

    /* the inline definition replaces a truststore reference, if there was one */
    return nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ee-certs/truststore-reference", client_name, endpt_name);
}
398
/**
 * @brief Remove inline end-entity client certificate(s) from a Call Home client endpoint.
 *
 * @param[in] client_name Call Home client name.
 * @param[in] endpt_name Endpoint name of the client.
 * @param[in] cert_name Name of the certificate to remove, NULL removes all of them.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error (propagated from nc_server_config_delete()).
 */
API int
nc_server_config_del_ch_tls_client_certificate(const char *client_name, const char *endpt_name,
        const char *cert_name, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    if (!cert_name) {
        /* whole list */
        return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
                "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ee-certs/"
                "inline-definition/certificate", client_name, endpt_name);
    }

    return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ee-certs/"
            "inline-definition/certificate[name='%s']", client_name, endpt_name, cert_name);
}
415
/**
 * @brief Reference a truststore certificate bag as the end-entity client certificates of a listen endpoint.
 *
 * An inline-definition for ee-certs, if present, is removed afterwards since the two are alternatives.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Listen endpoint name (interpolated verbatim into an XPath predicate).
 * @param[in] cert_bag_ref Name of the certificate bag in the truststore.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_tls_client_cert_truststore_ref(const struct ly_ctx *ctx, const char *endpt_name,
        const char *cert_bag_ref, struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_bag_ref, config, 1);

    rc = nc_server_config_create(ctx, config, cert_bag_ref, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
            "tls-server-parameters/client-authentication/ee-certs/truststore-reference", endpt_name);
    if (rc) {
        return rc;
    }

    /* the reference replaces an inline definition, if there was one */
    return nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
            "tls-server-parameters/client-authentication/ee-certs/inline-definition", endpt_name);
}
440
/**
 * @brief Remove the end-entity client certificate truststore reference of a listen endpoint.
 *
 * @param[in] endpt_name Listen endpoint name.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error (propagated from nc_server_config_delete()).
 */
API int
nc_server_config_del_tls_client_cert_truststore_ref(const char *endpt_name, struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    rc = nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
            "tls-server-parameters/client-authentication/ee-certs/truststore-reference", endpt_name);
    return rc;
}
449
/**
 * @brief Reference a truststore certificate bag as the end-entity client certificates of a Call Home client endpoint.
 *
 * An inline-definition for ee-certs, if present, is removed afterwards since the two are alternatives.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Call Home client name (interpolated verbatim into an XPath predicate).
 * @param[in] endpt_name Endpoint name of the client (same caveat).
 * @param[in] cert_bag_ref Name of the certificate bag in the truststore.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_ch_tls_client_cert_truststore_ref(const struct ly_ctx *ctx, const char *client_name,
        const char *endpt_name, const char *cert_bag_ref, struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, cert_bag_ref, config, 1);

    rc = nc_server_config_create(ctx, config, cert_bag_ref, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ee-certs/truststore-reference", client_name, endpt_name);
    if (rc) {
        return rc;
    }

    /* the reference replaces an inline definition, if there was one */
    return nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/"
            "tls-server-parameters/client-authentication/ee-certs/inline-definition", client_name, endpt_name);
}
476
/**
 * @brief Remove the end-entity client certificate truststore reference of a Call Home client endpoint.
 *
 * @param[in] client_name Call Home client name.
 * @param[in] endpt_name Endpoint name of the client.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error (propagated from nc_server_config_delete()).
 */
API int
nc_server_config_del_ch_tls_client_cert_truststore_ref(const char *client_name, const char *endpt_name,
        struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    rc = nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ee-certs/truststore-reference", client_name, endpt_name);
    return rc;
}
487
/**
 * @brief Add an inline client CA certificate to a listen endpoint's client authentication.
 *
 * A truststore-reference for ca-certs, if present, is removed afterwards since the two are alternatives.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Listen endpoint name (interpolated verbatim into an XPath predicate).
 * @param[in] cert_name Name of the certificate list entry (same caveat).
 * @param[in] cert_path Path to the CA certificate file.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_tls_client_ca(const struct ly_ctx *ctx, const char *endpt_name, const char *cert_name,
        const char *cert_path, struct lyd_node **config)
{
    char *ca_xpath = NULL;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_name, cert_path, config, 1);

    if (asprintf(&ca_xpath, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ca-certs/inline-definition/certificate[name='%s']", endpt_name, cert_name) == -1) {
        ERRMEM;
        return 1;
    }

    rc = _nc_server_config_add_tls_client_certificate(ctx, ca_xpath, cert_path, config);
    free(ca_xpath);
    if (rc) {
        ERR(NULL, "Creating new TLS client certificate authority YANG data failed.");
        return rc;
    }

    /* the inline definition replaces a truststore reference, if there was one */
    return nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ca-certs/truststore-reference", endpt_name);
}
522
/**
 * @brief Remove inline client CA certificate(s) from a listen endpoint.
 *
 * @param[in] endpt_name Listen endpoint name.
 * @param[in] cert_name Name of the CA certificate to remove, NULL removes all of them.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error (propagated from nc_server_config_delete()).
 */
API int
nc_server_config_del_tls_client_ca(const char *endpt_name, const char *cert_name, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    if (!cert_name) {
        /* whole list */
        return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
                "tls-server-parameters/client-authentication/ca-certs/inline-definition/"
                "certificate", endpt_name);
    }

    return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
            "tls-server-parameters/client-authentication/ca-certs/inline-definition/"
            "certificate[name='%s']", endpt_name, cert_name);
}
538
/**
 * @brief Add an inline client CA certificate to a Call Home client endpoint's client authentication.
 *
 * A truststore-reference for ca-certs, if present, is removed afterwards since the two are alternatives.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Call Home client name (interpolated verbatim into an XPath predicate).
 * @param[in] endpt_name Endpoint name of the client (same caveat).
 * @param[in] cert_name Name of the certificate list entry (same caveat).
 * @param[in] cert_path Path to the CA certificate file.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_ch_tls_client_ca(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        const char *cert_name, const char *cert_path, struct lyd_node **config)
{
    char *ca_xpath = NULL;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, cert_name, cert_path, config, 1);

    if (asprintf(&ca_xpath, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ca-certs/"
            "inline-definition/certificate[name='%s']", client_name, endpt_name, cert_name) == -1) {
        ERRMEM;
        return 1;
    }

    rc = _nc_server_config_add_tls_client_certificate(ctx, ca_xpath, cert_path, config);
    free(ca_xpath);
    if (rc) {
        ERR(NULL, "Creating new CH TLS client certificate authority YANG data failed.");
        return rc;
    }

    /* the inline definition replaces a truststore reference, if there was one */
    return nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ca-certs/truststore-reference", client_name, endpt_name);
}
575
/**
 * @brief Remove inline client CA certificate(s) from a Call Home client endpoint.
 *
 * @param[in] client_name Call Home client name.
 * @param[in] endpt_name Endpoint name of the client.
 * @param[in] cert_name Name of the CA certificate to remove, NULL removes all of them.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error (propagated from nc_server_config_delete()).
 */
API int
nc_server_config_del_ch_tls_client_ca(const char *client_name, const char *endpt_name,
        const char *cert_name, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    if (!cert_name) {
        /* whole list */
        return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
                "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ca-certs/"
                "inline-definition/certificate", client_name, endpt_name);
    }

    return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ca-certs/"
            "inline-definition/certificate[name='%s']", client_name, endpt_name, cert_name);
}
592
/**
 * @brief Reference a truststore certificate bag as the client CA certificates of a listen endpoint.
 *
 * An inline-definition for ca-certs, if present, is removed afterwards since the two are alternatives.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Listen endpoint name (interpolated verbatim into an XPath predicate).
 * @param[in] cert_bag_ref Name of the certificate bag in the truststore.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_tls_client_ca_truststore_ref(const struct ly_ctx *ctx, const char *endpt_name,
        const char *cert_bag_ref, struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_bag_ref, config, 1);

    rc = nc_server_config_create(ctx, config, cert_bag_ref, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
            "tls-server-parameters/client-authentication/ca-certs/truststore-reference", endpt_name);
    if (rc) {
        return rc;
    }

    /* the reference replaces an inline definition, if there was one */
    return nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
            "tls-server-parameters/client-authentication/ca-certs/inline-definition", endpt_name);
}
617
/**
 * @brief Remove the client CA certificate truststore reference of a listen endpoint.
 *
 * @param[in] endpt_name Listen endpoint name.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error (propagated from nc_server_config_delete()).
 */
API int
nc_server_config_del_tls_client_ca_truststore_ref(const char *endpt_name, struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    rc = nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
            "tls-server-parameters/client-authentication/ca-certs/truststore-reference", endpt_name);
    return rc;
}
626
/**
 * @brief Reference a truststore certificate bag as the client CA certificates of a Call Home client endpoint.
 *
 * An inline-definition for ca-certs, if present, is removed afterwards since the two are alternatives.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Call Home client name (interpolated verbatim into an XPath predicate).
 * @param[in] endpt_name Endpoint name of the client (same caveat).
 * @param[in] cert_bag_ref Name of the certificate bag in the truststore.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_ch_tls_client_ca_truststore_ref(const struct ly_ctx *ctx, const char *client_name,
        const char *endpt_name, const char *cert_bag_ref, struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, cert_bag_ref, config, 1);

    rc = nc_server_config_create(ctx, config, cert_bag_ref, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ca-certs/truststore-reference", client_name, endpt_name);
    if (rc) {
        return rc;
    }

    /* the reference replaces an inline definition, if there was one */
    return nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ca-certs/inline-definition", client_name, endpt_name);
}
653
/**
 * @brief Remove the client CA certificate truststore reference of a Call Home client endpoint.
 *
 * @param[in] client_name Call Home client name.
 * @param[in] endpt_name Endpoint name of the client.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error (propagated from nc_server_config_delete()).
 */
API int
nc_server_config_del_ch_tls_client_ca_truststore_ref(const char *client_name, const char *endpt_name,
        struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    rc = nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ca-certs/truststore-reference", client_name, endpt_name);
    return rc;
}
664
/**
 * @brief Map a cert-to-name mapping type to its ietf-x509-cert-to-name identityref string.
 *
 * @param[in] map_type Mapping type to convert.
 * @return Static identityref string, NULL (with an error logged) for NC_TLS_CTN_UNKNOWN or any
 * value outside the table.
 */
static const char *
nc_server_config_tls_maptype2str(NC_TLS_CTN_MAPTYPE map_type)
{
    static const struct {
        NC_TLS_CTN_MAPTYPE type;
        const char *ident;
    } ctn_idents[] = {
        {NC_TLS_CTN_SPECIFIED, "ietf-x509-cert-to-name:specified"},
        {NC_TLS_CTN_SAN_RFC822_NAME, "ietf-x509-cert-to-name:san-rfc822-name"},
        {NC_TLS_CTN_SAN_DNS_NAME, "ietf-x509-cert-to-name:san-dns-name"},
        {NC_TLS_CTN_SAN_IP_ADDRESS, "ietf-x509-cert-to-name:san-ip-address"},
        {NC_TLS_CTN_SAN_ANY, "ietf-x509-cert-to-name:san-any"},
        {NC_TLS_CTN_COMMON_NAME, "ietf-x509-cert-to-name:common-name"},
    };
    size_t i;

    for (i = 0; i < sizeof ctn_idents / sizeof ctn_idents[0]; i++) {
        if (ctn_idents[i].type == map_type) {
            return ctn_idents[i].ident;
        }
    }

    /* NC_TLS_CTN_UNKNOWN and anything not in the table */
    ERR(NULL, "Unknown CTN mapping type.");
    return NULL;
}
687
/**
 * @brief Fill a cert-to-name list entry at @p tree_path.
 *
 * Writes the optional fingerprint, the map-type identityref and the name leaf, in that order.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path XPath of the cert-to-name entry, built by the caller.
 * @param[in] fingerprint Certificate fingerprint, may be NULL in which case the leaf is not written.
 * @param[in] map_type Mapping type; an unknown value is rejected (logged by nc_server_config_tls_maptype2str()).
 * @param[in] name Value of the name leaf; its meaning depends on @p map_type (see ietf-x509-cert-to-name).
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error.
 */
static int
_nc_server_config_add_tls_ctn(const struct ly_ctx *ctx, const char *tree_path, const char *fingerprint,
        NC_TLS_CTN_MAPTYPE map_type, const char *name, struct lyd_node **config)
{
    const char *map_ident;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, tree_path, name, config, 1);

    /* fingerprint is optional, written only when given */
    if (fingerprint) {
        rc = nc_server_config_append(ctx, tree_path, "fingerprint", fingerprint, config);
        if (rc) {
            return rc;
        }
    }

    map_ident = nc_server_config_tls_maptype2str(map_type);
    if (!map_ident) {
        /* already logged */
        return 1;
    }

    rc = nc_server_config_append(ctx, tree_path, "map-type", map_ident, config);
    if (rc) {
        return rc;
    }

    return nc_server_config_append(ctx, tree_path, "name", name, config);
}
725
/**
 * @brief Add a cert-to-name client identity mapping to a listen endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Listen endpoint name (interpolated verbatim into an XPath predicate).
 * @param[in] id Key of the cert-to-name list entry; it is passed to NC_CHECK_ARG_RET, so presumably 0 is rejected.
 * @param[in] fingerprint Certificate fingerprint, optional.
 * @param[in] map_type Mapping type.
 * @param[in] name Value of the name leaf.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_tls_ctn(const struct ly_ctx *ctx, const char *endpt_name, uint32_t id, const char *fingerprint,
        NC_TLS_CTN_MAPTYPE map_type, const char *name, struct lyd_node **config)
{
    char *ctn_xpath = NULL;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, id, name, config, 1);

    if (asprintf(&ctn_xpath, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/netconf-server-parameters/"
            "client-identity-mappings/cert-to-name[id='%u']", endpt_name, id) == -1) {
        ERRMEM;
        return 1;
    }

    rc = _nc_server_config_add_tls_ctn(ctx, ctn_xpath, fingerprint, map_type, name, config);
    if (rc) {
        ERR(NULL, "Creating new TLS cert-to-name YANG data failed.");
    }

    free(ctn_xpath);
    return rc;
}
753
/**
 * @brief Remove cert-to-name mapping(s) from a listen endpoint.
 *
 * @param[in] endpt_name Listen endpoint name.
 * @param[in] id Key of the entry to remove, 0 removes all of them.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error (propagated from nc_server_config_delete()).
 */
API int
nc_server_config_del_tls_ctn(const char *endpt_name, uint32_t id, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    if (!id) {
        /* whole list */
        return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
                "netconf-server-parameters/client-identity-mappings/cert-to-name", endpt_name);
    }

    return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
            "netconf-server-parameters/client-identity-mappings/cert-to-name[id='%u']", endpt_name, id);
}
767
/**
 * @brief Add a cert-to-name client identity mapping to a Call Home client endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Call Home client name (interpolated verbatim into an XPath predicate).
 * @param[in] endpt_name Endpoint name of the client (same caveat).
 * @param[in] id Key of the cert-to-name list entry; it is passed to NC_CHECK_ARG_RET, so presumably 0 is rejected.
 * @param[in] fingerprint Certificate fingerprint, optional.
 * @param[in] map_type Mapping type.
 * @param[in] name Value of the name leaf.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_ch_tls_ctn(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name, struct lyd_node **config)
{
    char *ctn_xpath = NULL;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, id, name, config, 1);

    if (asprintf(&ctn_xpath, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/netconf-server-parameters/client-identity-mappings/"
            "cert-to-name[id='%u']", client_name, endpt_name, id) == -1) {
        ERRMEM;
        return 1;
    }

    rc = _nc_server_config_add_tls_ctn(ctx, ctn_xpath, fingerprint, map_type, name, config);
    if (rc) {
        ERR(NULL, "Creating new CH TLS cert-to-name YANG data failed.");
    }

    free(ctn_xpath);
    return rc;
}
796
/**
 * @brief Remove cert-to-name mapping(s) from a Call Home client endpoint.
 *
 * @param[in] client_name Call Home client name.
 * @param[in] endpt_name Endpoint name of the client.
 * @param[in] id Key of the entry to remove, 0 removes all of them.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error (propagated from nc_server_config_delete()).
 */
API int
nc_server_config_del_ch_tls_ctn(const char *client_name, const char *endpt_name,
        uint32_t id, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    if (!id) {
        /* whole list */
        return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
                "endpoints/endpoint[name='%s']/tls/netconf-server-parameters/client-identity-mappings/"
                "cert-to-name", client_name, endpt_name);
    }

    return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/netconf-server-parameters/client-identity-mappings/"
            "cert-to-name[id='%u']", client_name, endpt_name, id);
}
813
/**
 * @brief Map a TLS protocol version to its ietf-tls-common identityref string.
 *
 * TLS 1.0 and 1.1 are mapped as well; they are deprecated by RFC 8996 and whether the
 * running server actually accepts them is not decided here.
 *
 * @param[in] version Version to convert.
 * @return Static identityref string, NULL (with an error logged) for a value outside the table.
 */
static const char *
nc_server_config_tlsversion2str(NC_TLS_VERSION version)
{
    static const struct {
        NC_TLS_VERSION version;
        const char *ident;
    } version_idents[] = {
        {NC_TLS_VERSION_10, "ietf-tls-common:tls10"},
        {NC_TLS_VERSION_11, "ietf-tls-common:tls11"},
        {NC_TLS_VERSION_12, "ietf-tls-common:tls12"},
        {NC_TLS_VERSION_13, "ietf-tls-common:tls13"},
    };
    size_t i;

    for (i = 0; i < sizeof version_idents / sizeof version_idents[0]; i++) {
        if (version_idents[i].version == version) {
            return version_idents[i].ident;
        }
    }

    ERR(NULL, "Unknown TLS version.");
    return NULL;
}
831
/**
 * @brief Enable a TLS protocol version on a listen endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Listen endpoint name (interpolated verbatim into an XPath predicate).
 * @param[in] tls_version Version to add to the hello-params tls-versions leaf-list.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_tls_version(const struct ly_ctx *ctx, const char *endpt_name,
        NC_TLS_VERSION tls_version, struct lyd_node **config)
{
    const char *version_ident;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, config, 1);

    version_ident = nc_server_config_tlsversion2str(tls_version);
    if (!version_ident) {
        /* already logged */
        return 1;
    }

    rc = nc_server_config_create(ctx, config, version_ident, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "hello-params/tls-versions/tls-version", endpt_name);
    if (rc) {
        ERR(NULL, "Creating new YANG data nodes for TLS version failed.");
    }

    return rc;
}
858
/**
 * @brief Enable a TLS protocol version on a Call Home client endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Call Home client name (interpolated verbatim into an XPath predicate).
 * @param[in] endpt_name Endpoint name of the client (same caveat).
 * @param[in] tls_version Version to add to the hello-params tls-versions leaf-list.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_add_ch_tls_version(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        NC_TLS_VERSION tls_version, struct lyd_node **config)
{
    const char *version_ident;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, config, 1);

    version_ident = nc_server_config_tlsversion2str(tls_version);
    if (!version_ident) {
        /* already logged */
        return 1;
    }

    rc = nc_server_config_create(ctx, config, version_ident, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "hello-params/tls-versions/tls-version", client_name, endpt_name);
    if (rc) {
        ERR(NULL, "Creating new YANG data nodes for CH TLS version failed.");
    }

    return rc;
}
886
/**
 * @brief Disable a TLS protocol version on a listen endpoint.
 *
 * @param[in] endpt_name Listen endpoint name.
 * @param[in] tls_version Version to remove from the hello-params tls-versions leaf-list.
 * @param[in,out] config Configuration data tree to modify.
 * @return 0 on success, non-zero on error.
 */
API int
nc_server_config_del_tls_version(const char *endpt_name, NC_TLS_VERSION tls_version, struct lyd_node **config)
{
    const char *version_ident;

    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    version_ident = nc_server_config_tlsversion2str(tls_version);
    if (!version_ident) {
        /* already logged */
        return 1;
    }

    return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
            "tls-server-parameters/hello-params/tls-versions/tls-version[.='%s']", endpt_name, version_ident);
}
908
/**
 * @brief Remove one TLS version from the hello-params of a Call-Home client's TLS endpoint.
 *
 * @param[in] client_name Name of the Call-Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in] tls_version TLS version to remove; only the node with this exact identity value is deleted.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on invalid arguments or an unknown version, otherwise the error
 * returned by nc_server_config_delete().
 */
API int
nc_server_config_del_ch_tls_version(const char *client_name, const char *endpt_name,
        NC_TLS_VERSION tls_version, struct lyd_node **config)
{
    const char *version_ident;

    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    /* an unknown enum value is already logged by the conversion */
    version_ident = nc_server_config_tlsversion2str(tls_version);
    if (!version_ident) {
        return 1;
    }

    /* the node is selected by its value, so the other configured versions stay untouched */
    return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/"
            "tls-server-parameters/hello-params/tls-versions/tls-version[.='%s']", client_name, endpt_name, version_ident);
}
932
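/**
 * @brief Replace the cipher-suite list at @p tree_path with the ciphers passed in @p ap.
 *
 * Any cipher-suites subtree already present at @p tree_path is freed first, so after a
 * successful call the list holds exactly the ciphers given here. Every name is prefixed with
 * the iana-tls-cipher-suite-algs module name before it is appended. If appending fails
 * part-way, the ciphers added before the failure remain in @p config.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path Path of the cipher-suites container.
 * @param[in] cipher_count Number of cipher names to read from @p ap.
 * @param[in] ap Variadic list of @p cipher_count char * cipher names; a NULL entry is rejected.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on invalid arguments, a NULL cipher name or memory error, otherwise the
 * error returned by nc_server_config_append().
 */
static int
_nc_server_config_add_tls_ciphers(const struct ly_ctx *ctx, const char *tree_path,
        int cipher_count, va_list ap, struct lyd_node **config)
{
    int ret = 0, i;
    struct lyd_node *old = NULL;
    const char *cipher;
    char *cipher_ident = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, tree_path, config, 1);

    /* delete all older algorithms (if any) so they can be replaced by the new ones */
    lyd_find_path(*config, tree_path, 0, &old);
    if (old) {
        lyd_free_tree(old);
    }

    for (i = 0; i < cipher_count; i++) {
        cipher = va_arg(ap, char *);
        if (!cipher) {
            /* passing NULL to "%s" is undefined behavior and would not produce a valid identity anyway */
            ERR(NULL, "Cipher suite name %d is NULL.", i + 1);
            ret = 1;
            goto cleanup;
        }

        if (asprintf(&cipher_ident, "iana-tls-cipher-suite-algs:%s", cipher) == -1) {
            ERRMEM;
            /* contents of cipher_ident are unspecified after a failed asprintf() */
            cipher_ident = NULL;
            ret = 1;
            goto cleanup;
        }

        ret = nc_server_config_append(ctx, tree_path, "cipher-suite", cipher_ident, config);
        if (ret) {
            goto cleanup;
        }

        free(cipher_ident);
        cipher_ident = NULL;
    }

cleanup:
    /* single release point; cipher_ident is NULL unless an iteration bailed out after asprintf() */
    free(cipher_ident);
    return ret;
}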
971
/**
 * @brief Replace the cipher suites of a listening TLS endpoint with the given list.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in,out] config Configuration YANG data tree.
 * @param[in] cipher_count Number of cipher names that follow; must be non-zero.
 * @param[in] ... @p cipher_count char * cipher names without the iana-tls-cipher-suite-algs prefix.
 * @return 0 on success, 1 on invalid arguments or memory error, otherwise the error
 * returned by _nc_server_config_add_tls_ciphers().
 */
API int
nc_server_config_add_tls_ciphers(const struct ly_ctx *ctx, const char *endpt_name, struct lyd_node **config,
        int cipher_count, ...)
{
    int ret;
    va_list ap;
    char *path = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cipher_count, config, 1);

    if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
            "tls-server-parameters/hello-params/cipher-suites", endpt_name) == -1) {
        ERRMEM;
        /* nothing was allocated, path must not be freed */
        return 1;
    }

    /* the helper consumes exactly cipher_count variadic arguments */
    va_start(ap, cipher_count);
    ret = _nc_server_config_add_tls_ciphers(ctx, path, cipher_count, ap, config);
    va_end(ap);
    if (ret) {
        ERR(NULL, "Creating new TLS cipher YANG data nodes failed.");
    }

    free(path);
    return ret;
}
1003
/**
 * @brief Replace the cipher suites of a Call-Home client's TLS endpoint with the given list.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call-Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in,out] config Configuration YANG data tree.
 * @param[in] cipher_count Number of cipher names that follow; must be non-zero.
 * @param[in] ... @p cipher_count char * cipher names without the iana-tls-cipher-suite-algs prefix.
 * @return 0 on success, 1 on invalid arguments or memory error, otherwise the error
 * returned by _nc_server_config_add_tls_ciphers().
 */
API int
nc_server_config_add_ch_tls_ciphers(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        struct lyd_node **config, int cipher_count, ...)
{
    int ret;
    va_list ap;
    char *path = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, cipher_count, config, 1);

    if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
            "endpoint[name='%s']/tls/tls-server-parameters/hello-params/cipher-suites", client_name, endpt_name) == -1) {
        ERRMEM;
        /* nothing was allocated, path must not be freed */
        return 1;
    }

    /* the helper consumes exactly cipher_count variadic arguments */
    va_start(ap, cipher_count);
    ret = _nc_server_config_add_tls_ciphers(ctx, path, cipher_count, ap, config);
    va_end(ap);
    if (ret) {
        ERR(NULL, "Creating new Call-Home TLS cipher YANG data nodes failed.");
    }

    free(path);
    return ret;
}
1035
/**
 * @brief Remove one cipher suite from the hello-params of a listening TLS endpoint.
 *
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in] cipher Cipher suite name without the iana-tls-cipher-suite-algs prefix. It is placed
 * into the XPath value predicate verbatim, so it must not contain a single quote.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on invalid arguments, otherwise the error returned by nc_server_config_delete().
 */
API int
nc_server_config_del_tls_cipher(const char *endpt_name, const char *cipher, struct lyd_node **config)
{
    int ret;

    NC_CHECK_ARG_RET(NULL, endpt_name, cipher, config, 1);

    /* match the node by its full identity value */
    ret = nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
            "tls/tls-server-parameters/hello-params/cipher-suites/"
            "cipher-suite[.='iana-tls-cipher-suite-algs:%s']", endpt_name, cipher);
    return ret;
}
1045
/**
 * @brief Remove one cipher suite from the hello-params of a Call-Home client's TLS endpoint.
 *
 * @param[in] client_name Name of the Call-Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in] cipher Cipher suite name without the iana-tls-cipher-suite-algs prefix. It is placed
 * into the XPath value predicate verbatim, so it must not contain a single quote.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on invalid arguments, otherwise the error returned by nc_server_config_delete().
 */
API int
nc_server_config_del_ch_tls_cipher(const char *client_name, const char *endpt_name,
        const char *cipher, struct lyd_node **config)
{
    int ret;

    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, cipher, config, 1);

    /* match the node by its full identity value */
    ret = nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/hello-params/cipher-suites/"
            "cipher-suite[.='iana-tls-cipher-suite-algs:%s']", client_name, endpt_name, cipher);
    return ret;
}
1056
/**
 * @brief Set a CRL file path under @p tree_path and drop the competing CRL source nodes.
 *
 * crl-path, crl-url and crl-cert-ext are alternatives; after this call only crl-path is left.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path Path of the client-authentication container.
 * @param[in] crl_path Path to the CRL file stored in the crl-path leaf.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on invalid arguments, otherwise the error returned by the failed
 * nc_server_config_append() or nc_server_config_check_delete().
 */
static int
_nc_server_config_add_tls_crl_path(const struct ly_ctx *ctx, const char *tree_path,
        const char *crl_path, struct lyd_node **config)
{
    int ret;

    NC_CHECK_ARG_RET(NULL, ctx, tree_path, crl_path, config, 1);

    /* set the new source first */
    ret = nc_server_config_append(ctx, tree_path, "libnetconf2-netconf-server:crl-path", crl_path, config);
    if (ret) {
        return ret;
    }

    /* then remove the other two choice alternatives, if present */
    ret = nc_server_config_check_delete(config, "%s/libnetconf2-netconf-server:crl-url", tree_path);
    if (ret) {
        return ret;
    }

    return nc_server_config_check_delete(config, "%s/libnetconf2-netconf-server:crl-cert-ext", tree_path);
}
1084
/**
 * @brief Configure a CRL file for client-certificate checks of a listening TLS endpoint.
 *
 * Replaces any previously configured CRL URL or certificate-extension source.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in] crl_path Path to the CRL file.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on invalid arguments or memory error, otherwise the error
 * returned by _nc_server_config_add_tls_crl_path().
 */
API int
nc_server_config_add_tls_crl_path(const struct ly_ctx *ctx, const char *endpt_name,
        const char *crl_path, struct lyd_node **config)
{
    int ret;
    char *path = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, crl_path, config, 1);

    if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication", endpt_name) == -1) {
        ERRMEM;
        /* nothing was allocated, path must not be freed */
        return 1;
    }

    ret = _nc_server_config_add_tls_crl_path(ctx, path, crl_path, config);
    if (ret) {
        ERR(NULL, "Creating new CRL YANG data nodes failed.");
    }

    free(path);
    return ret;
}
1112
/**
 * @brief Configure a CRL file for client-certificate checks of a Call-Home client's TLS endpoint.
 *
 * Replaces any previously configured CRL URL or certificate-extension source.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call-Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in] crl_path Path to the CRL file.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on invalid arguments or memory error, otherwise the error
 * returned by _nc_server_config_add_tls_crl_path().
 */
API int
nc_server_config_add_ch_tls_crl_path(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        const char *crl_path, struct lyd_node **config)
{
    int ret;
    char *path = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, crl_path, config, 1);

    if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication", client_name, endpt_name) == -1) {
        ERRMEM;
        /* nothing was allocated, path must not be freed */
        return 1;
    }

    ret = _nc_server_config_add_tls_crl_path(ctx, path, crl_path, config);
    if (ret) {
        ERR(NULL, "Creating new CH CRL YANG data nodes failed.");
    }

    free(path);
    return ret;
}
1141
/**
 * @brief Set a CRL URL under @p tree_path and drop the competing CRL source nodes.
 *
 * crl-path, crl-url and crl-cert-ext are alternatives; after this call only crl-url is left.
 * How and when the URL is fetched is handled outside this file.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path Path of the client-authentication container.
 * @param[in] crl_url URL stored in the crl-url leaf.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on invalid arguments, otherwise the error returned by the failed
 * nc_server_config_append() or nc_server_config_check_delete().
 */
static int
_nc_server_config_add_tls_crl_url(const struct ly_ctx *ctx, const char *tree_path,
        const char *crl_url, struct lyd_node **config)
{
    int ret;

    NC_CHECK_ARG_RET(NULL, ctx, tree_path, crl_url, config, 1);

    /* set the new source first */
    ret = nc_server_config_append(ctx, tree_path, "libnetconf2-netconf-server:crl-url", crl_url, config);
    if (ret) {
        return ret;
    }

    /* then remove the other two choice alternatives, if present */
    ret = nc_server_config_check_delete(config, "%s/libnetconf2-netconf-server:crl-path", tree_path);
    if (ret) {
        return ret;
    }

    return nc_server_config_check_delete(config, "%s/libnetconf2-netconf-server:crl-cert-ext", tree_path);
}
1169
/**
 * @brief Configure a CRL URL for client-certificate checks of a listening TLS endpoint.
 *
 * Replaces any previously configured CRL file or certificate-extension source.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in] crl_url URL of the CRL.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on invalid arguments or memory error, otherwise the error
 * returned by _nc_server_config_add_tls_crl_url().
 */
API int
nc_server_config_add_tls_crl_url(const struct ly_ctx *ctx, const char *endpt_name, const char *crl_url, struct lyd_node **config)
{
    int ret;
    char *path = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, crl_url, config, 1);

    if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication", endpt_name) == -1) {
        ERRMEM;
        /* nothing was allocated, path must not be freed */
        return 1;
    }

    ret = _nc_server_config_add_tls_crl_url(ctx, path, crl_url, config);
    if (ret) {
        ERR(NULL, "Creating new CRL YANG data nodes failed.");
    }

    free(path);
    return ret;
}
1196
/**
 * @brief Configure a CRL URL for client-certificate checks of a Call-Home client's TLS endpoint.
 *
 * Replaces any previously configured CRL file or certificate-extension source.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call-Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in] crl_url URL of the CRL.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on invalid arguments or memory error, otherwise the error
 * returned by _nc_server_config_add_tls_crl_url().
 */
API int
nc_server_config_add_ch_tls_crl_url(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        const char *crl_url, struct lyd_node **config)
{
    int ret;
    char *path = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, crl_url, config, 1);

    if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication", client_name, endpt_name) == -1) {
        ERRMEM;
        /* nothing was allocated, path must not be freed */
        return 1;
    }

    ret = _nc_server_config_add_tls_crl_url(ctx, path, crl_url, config);
    if (ret) {
        ERR(NULL, "Creating new CH CRL YANG data nodes failed.");
    }

    free(path);
    return ret;
}
1225
/**
 * @brief Create the crl-cert-ext node under @p tree_path and drop the competing CRL source nodes.
 *
 * crl-path, crl-url and crl-cert-ext are alternatives; after this call only crl-cert-ext is left.
 * The node carries no value, it is created with a NULL value.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path Path of the client-authentication container.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on invalid arguments, otherwise the error returned by the failed
 * nc_server_config_append() or nc_server_config_check_delete().
 */
static int
_nc_server_config_add_tls_crl_cert_ext(const struct ly_ctx *ctx, const char *tree_path, struct lyd_node **config)
{
    int ret;

    NC_CHECK_ARG_RET(NULL, ctx, tree_path, config, 1);

    /* set the new source first */
    ret = nc_server_config_append(ctx, tree_path, "libnetconf2-netconf-server:crl-cert-ext", NULL, config);
    if (ret) {
        return ret;
    }

    /* then remove the other two choice alternatives, if present */
    ret = nc_server_config_check_delete(config, "%s/libnetconf2-netconf-server:crl-path", tree_path);
    if (ret) {
        return ret;
    }

    return nc_server_config_check_delete(config, "%s/libnetconf2-netconf-server:crl-url", tree_path);
}
1252
/**
 * @brief Select the certificate-extension CRL source for a listening TLS endpoint.
 *
 * Replaces any previously configured CRL file or URL source.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on invalid arguments or memory error, otherwise the error
 * returned by _nc_server_config_add_tls_crl_cert_ext().
 */
API int
nc_server_config_add_tls_crl_cert_ext(const struct ly_ctx *ctx, const char *endpt_name, struct lyd_node **config)
{
    int ret;
    char *path = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, config, 1);

    if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication", endpt_name) == -1) {
        ERRMEM;
        /* nothing was allocated, path must not be freed */
        return 1;
    }

    ret = _nc_server_config_add_tls_crl_cert_ext(ctx, path, config);
    if (ret) {
        ERR(NULL, "Creating new CRL YANG data nodes failed.");
    }

    free(path);
    return ret;
}
1279
/**
 * @brief Select the certificate-extension CRL source for a Call-Home client's TLS endpoint.
 *
 * Replaces any previously configured CRL file or URL source.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call-Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on invalid arguments or memory error, otherwise the error
 * returned by _nc_server_config_add_tls_crl_cert_ext().
 */
API int
nc_server_config_add_ch_tls_crl_cert_ext(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        struct lyd_node **config)
{
    int ret;
    char *path = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, config, 1);

    if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication", client_name, endpt_name) == -1) {
        ERRMEM;
        /* nothing was allocated, path must not be freed */
        return 1;
    }

    ret = _nc_server_config_add_tls_crl_cert_ext(ctx, path, config);
    if (ret) {
        ERR(NULL, "Creating new CH CRL YANG data nodes failed.");
    }

    free(path);
    return ret;
}
1308
/**
 * @brief Remove any CRL source configured for a listening TLS endpoint.
 *
 * The add functions keep at most one of crl-path, crl-url and crl-cert-ext, but since it is not
 * known here which one is set, all three are conditionally deleted.
 *
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on invalid arguments, otherwise the error returned by the first
 * failing nc_server_config_check_delete().
 */
API int
nc_server_config_del_tls_crl(const char *endpt_name, struct lyd_node **config)
{
    int ret;

    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-path", endpt_name);
    if (ret) {
        return ret;
    }

    ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-url", endpt_name);
    if (ret) {
        return ret;
    }

    return nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-cert-ext", endpt_name);
}
1337
/**
 * @brief Remove any CRL source configured for a Call-Home client's TLS endpoint.
 *
 * The add functions keep at most one of crl-path, crl-url and crl-cert-ext, but since it is not
 * known here which one is set, all three are conditionally deleted.
 *
 * @param[in] client_name Name of the Call-Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on invalid arguments, otherwise the error returned by the first
 * failing nc_server_config_check_delete().
 */
API int
nc_server_config_del_ch_tls_crl(const char *client_name, const char *endpt_name, struct lyd_node **config)
{
    int ret;

    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-path", client_name, endpt_name);
    if (ret) {
        return ret;
    }

    ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-url", client_name, endpt_name);
    if (ret) {
        return ret;
    }

    return nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-cert-ext", client_name, endpt_name);
}
1369
/**
 * @brief Make a listening TLS endpoint reference another endpoint for client authentication.
 *
 * The name of the referenced endpoint is stored in the endpoint-client-auth leaf; the referenced
 * endpoint's client-authentication settings are presumably reused at runtime (resolved outside this
 * file).
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint being configured.
 * @param[in] referenced_endpt Name of the endpoint whose client authentication is referenced.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on invalid arguments, otherwise the error returned by nc_server_config_create().
 */
API int
nc_server_config_add_tls_endpoint_client_ref(const struct ly_ctx *ctx, const char *endpt_name, const char *referenced_endpt, struct lyd_node **config)
{
    int ret;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, referenced_endpt, config, 1);

    ret = nc_server_config_create(ctx, config, referenced_endpt, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:endpoint-client-auth", endpt_name);
    return ret;
}
1378
/**
 * @brief Remove the client-authentication endpoint reference of a listening TLS endpoint.
 *
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on invalid arguments, otherwise the error returned by nc_server_config_delete().
 */
API int
nc_server_config_del_tls_endpoint_client_ref(const char *endpt_name, struct lyd_node **config)
{
    int ret;

    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    ret = nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:endpoint-client-auth", endpt_name);
    return ret;
}