Add a ca export command for EAP mode where we only require the CA cert,

and make both export commands optionally take an argument that will be
added to a peer.txt file in the exported output.   Additionally
include any site specific notes from /usr/share/iked if present.

man page bits and help with the parser from reyk

5 files changed, 129 insertions, 38 deletions

diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index dacb12f40a1..a4bda52a3f7 100644
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ikeca.c,v 1.6 2010/06/21 10:48:12 jsg Exp $	*/
+/*	$OpenBSD: ikeca.c,v 1.7 2010/06/23 16:01:01 jsg Exp $	*/
 /*	$vantronix: ikeca.c,v 1.13 2010/06/03 15:52:52 reyk Exp $	*/
 
 /*
@@ -41,6 +41,7 @@
 #define X509_CNF	"/etc/ssl/x509v3.cnf"
 #define IKECA_CNF	"/etc/ssl/ikeca.cnf"
 #define KEYBASE		"/etc/iked"
+#define EXPDIR		"/usr/share/iked"
 
 #define PATH_OPENSSL	"/usr/sbin/openssl"
 #define PATH_ZIP	"/usr/local/bin/zip"
@@ -75,7 +76,7 @@ int		 ca_key_create(struct ca *, char *);
 int		 ca_key_delete(struct ca *, char *);
 int		 ca_key_import(struct ca *, char *, char *);
 int		 ca_newpass(char *);
-int		 ca_export(struct ca *, char *);
+int		 ca_export(struct ca *, char *, char *);
 int		 ca_revoke(struct ca *, char *);
 int		 ca_install(struct ca *);
 int		 ca_show_certs(struct ca *);
@@ -250,7 +251,7 @@ ca_key_install(struct ca *ca, char *keyname)
 	system(cmd);
 
 
-	return (1);
+	return (0);
 }
 
 int
@@ -450,8 +451,10 @@ rm_dir(char *path)
 }
 
 int
-ca_export(struct ca *ca, char *keyname)
+ca_export(struct ca *ca, char *keyname, char *myname)
 {
+	DIR		*dexp;
+	struct dirent	*de;
 	struct stat	 st;
 	char		*pass;
 	char		 prev[_PASSWORD_LEN + 1];
@@ -464,9 +467,15 @@ ca_export(struct ca *ca, char *keyname)
 	const char	*exdirs[] = { "/ca", "/certs", "/crls", "/private",
 	    		              "/export" };
 	u_int		 i;
+	int		 fd;
+
+	if (keyname != NULL)
+		keyname = "ca";
+
+	if (strlcpy(oname, keyname, sizeof(oname)) >= sizeof(oname))
+		err(1, "name too long");
 
 	/* colons are not valid characters in windows filenames... */
-	strlcpy(oname, keyname, sizeof(oname));
 	while ((p = strchr(oname, ':')) != NULL)
 		*p = '_';
 
@@ -479,13 +488,15 @@ ca_export(struct ca *ca, char *keyname)
 	if (pass == NULL || strcmp(prev, pass) != 0)
 		errx(1, "passphrase does not match!");
 
-	snprintf(cmd, sizeof(cmd), "env EXPASS=%s %s pkcs12 -export"
-	    " -name %s -CAfile %s/ca.crt -inkey %s/private/%s.key"
-	    " -in %s/%s.crt -out %s/private/%s.pfx -passout env:EXPASS"
-	    " -passin file:%s", pass, PATH_OPENSSL, keyname, ca->sslpath,
-	    ca->sslpath, keyname, ca->sslpath, keyname, ca->sslpath,
-	    oname, ca->passfile);
-	system(cmd);
+	if (keyname != NULL) {
+		snprintf(cmd, sizeof(cmd), "env EXPASS=%s %s pkcs12 -export"
+		    " -name %s -CAfile %s/ca.crt -inkey %s/private/%s.key"
+		    " -in %s/%s.crt -out %s/private/%s.pfx -passout env:EXPASS"
+		    " -passin file:%s", pass, PATH_OPENSSL, keyname, ca->sslpath,
+		    ca->sslpath, keyname, ca->sslpath, keyname, ca->sslpath,
+		    oname, ca->passfile);
+		system(cmd);
+	}
 
 	snprintf(cmd, sizeof(cmd), "env EXPASS=%s %s pkcs12 -export"
 	    " -caname '%s' -name '%s' -cacerts -nokeys"
@@ -504,9 +515,14 @@ ca_export(struct ca *ca, char *keyname)
 			err(1, "failed to create dir %s", dst);
 	}
 
-	snprintf(src, sizeof(src), "%s/private/%s.pfx", ca->sslpath, oname);
-	snprintf(dst, sizeof(dst), "%s/export/%s.pfx", p, oname);
-	fcopy(src, dst, 0644);
+	/* create a file with the address of the peer to connect to */
+	if (myname != NULL) {
+		snprintf(dst, sizeof(dst), "%s/export/peer.txt", p);
+		if ((fd = open(dst, O_WRONLY|O_CREAT, 0644)) == -1)
+			err(1, "open %s", dst);
+		write(fd, myname, strlen(myname));
+		close(fd);
+	}
 
 	snprintf(src, sizeof(src), "%s/ca.pfx", ca->sslpath);
 	snprintf(dst, sizeof(dst), "%s/export/ca.pfx", p);
@@ -516,26 +532,34 @@ ca_export(struct ca *ca, char *keyname)
 	snprintf(dst, sizeof(dst), "%s/ca/ca.crt", p);
 	fcopy(src, dst, 0644);
 
-	snprintf(src, sizeof(src), "%s/private/%s.key", ca->sslpath, keyname);
-	snprintf(dst, sizeof(dst), "%s/private/%s.key", p, keyname);
-	fcopy(src, dst, 0600);
-	snprintf(dst, sizeof(dst), "%s/private/local.key", p);
-	fcopy(src, dst, 0600);
-
-	snprintf(src, sizeof(src), "%s/%s.crt", ca->sslpath, keyname);
-	snprintf(dst, sizeof(dst), "%s/certs/%s.crt", p, keyname);
-	fcopy(src, dst, 0644);
-
 	snprintf(src, sizeof(src), "%s/ca.crl", ca->sslpath);
 	if (stat(src, &st) == 0) {
 		snprintf(dst, sizeof(dst), "%s/crls/ca.crl", p);
 		fcopy(src, dst, 0644);
 	}
 
-	snprintf(cmd, sizeof(cmd), "%s rsa -out %s/local.pub"
-	    " -in %s/private/%s.key -pubout", PATH_OPENSSL, p, ca->sslpath,
-	    keyname);
-	system(cmd);
+	if (keyname != NULL) {
+		snprintf(src, sizeof(src), "%s/private/%s.pfx", ca->sslpath,
+		    oname);
+		snprintf(dst, sizeof(dst), "%s/export/%s.pfx", p, oname);
+		fcopy(src, dst, 0644);
+
+		snprintf(src, sizeof(src), "%s/private/%s.key", ca->sslpath,
+		    keyname);
+		snprintf(dst, sizeof(dst), "%s/private/%s.key", p, keyname);
+		fcopy(src, dst, 0600);
+		snprintf(dst, sizeof(dst), "%s/private/local.key", p);
+		fcopy(src, dst, 0600);
+
+		snprintf(src, sizeof(src), "%s/%s.crt", ca->sslpath, keyname);
+		snprintf(dst, sizeof(dst), "%s/certs/%s.crt", p, keyname);
+		fcopy(src, dst, 0644);
+
+		snprintf(cmd, sizeof(cmd), "%s rsa -out %s/local.pub"
+		    " -in %s/private/%s.key -pubout", PATH_OPENSSL, p,
+		    ca->sslpath, keyname);
+		system(cmd);
+	}
 
 	if (stat(PATH_TAR, &st) == 0) {
 		snprintf(cmd, sizeof(cmd), "%s -zcf %s.tgz -C %s .", PATH_TAR,
@@ -547,6 +571,21 @@ ca_export(struct ca *ca, char *keyname)
 	}
 
 	if (stat(PATH_ZIP, &st) == 0) {
+		dexp = opendir(EXPDIR);
+		if (dexp) {
+			while ((de = readdir(dexp)) != NULL) {
+				if (!strcmp(de->d_name, ".") ||
+				    !strcmp(de->d_name, ".."))
+					continue;
+				snprintf(src, sizeof(src), "%s/%s", EXPDIR,
+				    de->d_name);
+				snprintf(dst, sizeof(dst), "%s/export/%s", p,
+				    de->d_name);
+				fcopy(src, dst, 644);
+			}
+			closedir(dexp);
+		}
+
 		snprintf(dst, sizeof(dst), "%s/export", p);
 		if (getcwd(src, sizeof(src)) == NULL)
 			err(1, "could not get cwd");
diff --git a/usr.sbin/ikectl/ikectl.8 b/usr.sbin/ikectl/ikectl.8
index bbd942957ca..2b2e77a5f45 100644
--- a/usr.sbin/ikectl/ikectl.8
+++ b/usr.sbin/ikectl/ikectl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ikectl.8,v 1.5 2010/06/15 08:41:44 jsg Exp $
+.\" $OpenBSD: ikectl.8,v 1.6 2010/06/23 16:01:01 jsg Exp $
 .\" $vantronix: ikectl.8,v 1.11 2010/06/03 15:55:51 reyk Exp $
 .\"
 .\" Copyright (c) 2007, 2008, 2009, 2010 Reyk Floeter <reyk@vantronix.net>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 15 2010 $
+.Dd $Mdocdate: June 23 2010 $
 .Dt IKECTL 8
 .Os
 .Sh NAME
@@ -105,6 +105,15 @@ Create a new certificate authority with the specified
 .It Cm ca Ar name Cm delete
 Delete the certificate authority with the specified
 .Ar name .
+.It Cm ca Ar name Cm export Op Ar peer
+Export the certificate authority with the specified
+.Ar name
+into the current directory for transport to other systems.
+The optional
+.Ar peer
+argument can be used to specify the address or FQDN of the local gateway
+which will be written into a text file
+.Pa peer.txt .
 .It Cm ca Ar name Cm install
 Install the certificate and Certificate Revocation List (CRL) for CA
 .Ar name
@@ -117,12 +126,17 @@ and sign then with the key of certificate authority with the speicified
 .It Cm ca Ar name Cm certificate Ar host Cm delete
 Deletes the private key and and certificates associated with
 .Ar host .
-.It Cm ca Ar name Cm certificate Ar host Cm export
+.It Cm ca Ar name Cm certificate Ar host Cm export Op Ar peer
 Export key files for
 .Ar host
 of the certificate authority with the specified
 .Ar name
 into the current directory for transport to other systems.
+The optional
+.Ar peer
+argument can be used to specify the address or FQDN of the local gateway
+which will be written into a text file
+.Pa peer.txt .
 .It Cm ca Ar name Cm certificate Ar host Cm install
 Install the private and public key for
 .Ar host
@@ -155,6 +169,12 @@ from the named
 .Bl -tag -width "/var/run/iked.sockXX" -compact
 .It /etc/ssl/
 Directory to store the CA files.
+.It /usr/share/iked
+If this optional directory exists,
+.Nm
+will include the contents with the
+.Cm ca export
+commands.
 .It /var/run/iked.sock
 default
 .Ux Ns -domain
diff --git a/usr.sbin/ikectl/ikectl.c b/usr.sbin/ikectl/ikectl.c
index 87d6bcf2346..c1a169ec08f 100644
--- a/usr.sbin/ikectl/ikectl.c
+++ b/usr.sbin/ikectl/ikectl.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ikectl.c,v 1.4 2010/06/14 17:41:18 jsg Exp $	*/
+/*	$OpenBSD: ikectl.c,v 1.5 2010/06/23 16:01:01 jsg Exp $	*/
 
 /*
  * Copyright (c) 2007, 2008 Reyk Floeter <reyk@vantronix.net>
@@ -53,7 +53,7 @@ int		 ca_opt(struct parse_result *);
 struct ca	*ca_setup(char *, int);
 int		 ca_create(struct ca *);
 int		 ca_certificate(struct ca *, char *, int);
-int		 ca_export(struct ca *, char *);
+int		 ca_export(struct ca *, char *, char *);
 int		 ca_revoke(struct ca *, char *);
 int		 ca_delete(struct ca *);
 int		 ca_delkey(struct ca *, char *);
@@ -109,6 +109,9 @@ ca_opt(struct parse_result *res)
 	case CA_INSTALL:
 		ca_install(ca);
 		break;
+	case CA_EXPORT:
+		ca_export(ca, NULL, res->peer);
+		break;
 	case CA_CERT_CREATE:
 		ca_certificate(ca, res->host, res->htype);
 		break;
@@ -119,7 +122,7 @@ ca_opt(struct parse_result *res)
 		ca_cert_install(ca, res->host);
 		break;
 	case CA_CERT_EXPORT:
-		ca_export(ca, res->host);
+		ca_export(ca, res->host, res->peer);
 		break;
 	case CA_CERT_REVOKE:
 		ca_revoke(ca, res->host);
@@ -183,6 +186,7 @@ main(int argc, char *argv[])
 	case CA_CREATE:
 	case CA_DELETE:
 	case CA_INSTALL:
+	case CA_EXPORT:
 	case CA_CERT_CREATE:
 	case CA_CERT_DELETE:
 	case CA_CERT_INSTALL:
diff --git a/usr.sbin/ikectl/parser.c b/usr.sbin/ikectl/parser.c
index 9989ef91569..c82e3d071b4 100644
--- a/usr.sbin/ikectl/parser.c
+++ b/usr.sbin/ikectl/parser.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: parser.c,v 1.4 2010/06/14 17:41:18 jsg Exp $	*/
+/*	$OpenBSD: parser.c,v 1.5 2010/06/23 16:01:01 jsg Exp $	*/
 
 /*
  * Copyright (c) 2010 Reyk Floeter <reyk@vantronix.net>
@@ -42,6 +42,7 @@ enum token_type {
 	KEYWORD,
 	FILENAME,
 	CANAME,
+	PEER,
 	ADDRESS,
 	FQDN
 };
@@ -58,8 +59,10 @@ static const struct token t_reset[];
 static const struct token t_log[];
 static const struct token t_load[];
 static const struct token t_ca[];
+static const struct token t_ca_ex_peer[];
 static const struct token t_ca_modifiers[];
 static const struct token t_ca_cert[];
+static const struct token t_ca_cert_ex_peer[];
 static const struct token t_ca_cert_modifiers[];
 static const struct token t_ca_key[];
 static const struct token t_ca_key_modifiers[];
@@ -114,9 +117,16 @@ static const struct token t_ca_modifiers[] = {
 	{ KEYWORD,	"install",	CA_INSTALL,	NULL },
 	{ KEYWORD,	"certificate",	CA_CERTIFICATE,	t_ca_cert },
 	{ KEYWORD,	"key",		NONE,		t_ca_key },
+	{ KEYWORD,	"export",	CA_EXPORT,	t_ca_ex_peer },
 	{ ENDTOKEN, 	"",		NONE,		NULL }
 };
 
+static const struct token t_ca_ex_peer[] = {
+	{ NOTOKEN,	"",		NONE,		NULL},
+	{ PEER,		"",		NONE,		NULL },
+	{ ENDTOKEN,	"",		NONE,		NULL },
+};
+
 static const struct token t_ca_cert[] = {
 	{ ADDRESS,	"",		NONE,		t_ca_cert_modifiers },
 	{ FQDN,		"",		NONE,		t_ca_cert_modifiers },
@@ -127,11 +137,17 @@ static const struct token t_ca_cert_modifiers[] = {
 	{ KEYWORD,	"create",	CA_CERT_CREATE,		NULL },
 	{ KEYWORD,	"delete",	CA_CERT_DELETE,		NULL },
 	{ KEYWORD,	"install",	CA_CERT_INSTALL,	NULL },
-	{ KEYWORD,	"export",	CA_CERT_EXPORT,		NULL },
+	{ KEYWORD,	"export",	CA_CERT_EXPORT,		t_ca_cert_ex_peer },
 	{ KEYWORD,	"revoke",	CA_CERT_REVOKE,		NULL },
 	{ ENDTOKEN,	"",		NONE,			NULL }
 };
 
+static const struct token t_ca_cert_ex_peer[] = {
+	{ NOTOKEN,	"",		NONE,		NULL},
+	{ PEER,		"",		NONE,		NULL },
+	{ ENDTOKEN,	"",		NONE,		NULL },
+};
+
 static const struct token t_ca_key[] = {
 	{ ADDRESS,	"",		NONE,		t_ca_key_modifiers },
 	{ FQDN,		"",		NONE,		t_ca_key_modifiers },
@@ -258,6 +274,13 @@ match_token(char *word, const struct token table[])
 				t = &table[i];
 			}
 			break;
+		case PEER:
+			if (!match && word != NULL && strlen(word) > 0) {
+				res.peer = strdup(word);
+				match++;
+				t = &table[i];
+			}
+			break;
 		case ADDRESS:
 		case FQDN:
 			if (!match && word != NULL && strlen(word) > 0) {
@@ -308,6 +331,9 @@ show_valid_args(const struct token table[])
 		case CANAME:
 			fprintf(stderr, "  <caname>\n");
 			break;
+		case PEER:
+			fprintf(stderr, "  <peer>\n");
+			break;
 		case ADDRESS:
 			fprintf(stderr, "  <ipaddr>\n");
 			break;
diff --git a/usr.sbin/ikectl/parser.h b/usr.sbin/ikectl/parser.h
index 00f8b4b0698..e2e9eb6742a 100644
--- a/usr.sbin/ikectl/parser.h
+++ b/usr.sbin/ikectl/parser.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: parser.h,v 1.4 2010/06/14 17:41:18 jsg Exp $	*/
+/*	$OpenBSD: parser.h,v 1.5 2010/06/23 16:01:01 jsg Exp $	*/
 
 /*
  * Copyright (c) 2007, 2008 Reyk Floeter <reyk@vantronix.net>
@@ -36,6 +36,7 @@ enum actions {
 	CA_CREATE,
 	CA_DELETE,
 	CA_INSTALL,
+	CA_EXPORT,
 	CA_CERTIFICATE,
 	CA_CERT_CREATE,
 	CA_CERT_DELETE,
@@ -56,6 +57,7 @@ struct parse_result {
 	char		*filename;
 	char 		*caname;
 	char		*host;
+	char		*peer;
 	int		 htype;
 };