authorJonathan Gray <jsg@cvs.openbsd.org>2010-06-14 17:41:19 +0000
committerJonathan Gray <jsg@cvs.openbsd.org>2010-06-14 17:41:19 +0000
commit90f0e6d3922ff873babd84fbd427fe7c47b1c789 (patch)
treef73bed5d7a126f08f3e8383945a7e0bf4d296a8a /usr.sbin/ikectl
parent55b600468dcca918ab131bd192cbfc6f9ac8706b (diff)
Add commands to create/delete/install/import keys without
involving certificates as suggested by reyk and don't recreate private keys if a key already exists. ok reyk@
Diffstat (limited to 'usr.sbin/ikectl')
-rw-r--r--usr.sbin/ikectl/ikeca.c65
-rw-r--r--usr.sbin/ikectl/ikectl.820
-rw-r--r--usr.sbin/ikectl/ikectl.c22
-rw-r--r--usr.sbin/ikectl/parser.c25
-rw-r--r--usr.sbin/ikectl/parser.h6
5 files changed, 126 insertions, 12 deletions
diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index 8fd9865a4f0..5f2b4d97250 100644
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikeca.c,v 1.4 2010/06/10 16:14:04 jsg Exp $ */
+/* $OpenBSD: ikeca.c,v 1.5 2010/06/14 17:41:18 jsg Exp $ */
/* $vantronix: ikeca.c,v 1.13 2010/06/03 15:52:52 reyk Exp $ */
/*
@@ -65,12 +65,15 @@ struct ca {
struct ca *ca_setup(char *, int);
int ca_create(struct ca *);
int ca_delete(struct ca *);
-int ca_key(char *, char *, char *);
int ca_delkey(struct ca *, char *);
int ca_sign(struct ca *, char *, int);
int ca_request(char *, char *, char *);
int ca_certificate(struct ca *, char *, int);
int ca_cert_install(struct ca *, char *);
+int ca_key_install(struct ca *, char *);
+int ca_key_create(struct ca *, char *);
+int ca_key_delete(struct ca *, char *);
+int ca_key_import(struct ca *, char *, char *);
int ca_newpass(char *);
int ca_export(struct ca *, char *);
int ca_revoke(struct ca *, char *);
@@ -87,12 +90,18 @@ ca_delete(struct ca *ca)
}
int
-ca_key(char *sslpath, char *caname, char *keyname)
+ca_key_create(struct ca *ca, char *keyname)
{
+ struct stat st;
char cmd[PATH_MAX * 2];
char path[PATH_MAX];
- snprintf(path, sizeof(path), "%s/private/%s.key", sslpath, keyname);
+ snprintf(path, sizeof(path), "%s/private/%s.key", ca->sslpath, keyname);
+
+ /* don't recreate key if one is already present */
+ if (stat(path, &st) == 0) {
+ return (0);
+ }
snprintf(cmd, sizeof(cmd),
"%s genrsa -out %s 2048",
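Review bot: The new existence check `if (stat(path, &st) == 0)` accepts anything stat() can resolve, so a directory, an empty file, or a partially written leftover from an interrupted `genrsa` run at that path is treated as a usable key and silently kept; narrowing it to a non-empty regular file, `if (stat(path, &st) == 0 && S_ISREG(st.st_mode) && st.st_size > 0)`, would make the skip safer. The early `return (0);` also appears indistinguishable to callers from a fresh key generation, so a one-line comment or a `printf("key for '%s' already exists, keeping it\n", keyname);` would tell an operator why no new key was produced. The body of ca_key_create continues past the hunk, so the tail return and the `system()` call are not visible here.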
@@ -104,6 +113,34 @@ ca_key(char *sslpath, char *caname, char *keyname)
}
int
+ca_key_import(struct ca *ca, char *keyname, char *import)
+{
+ struct stat st;
+ char dst[PATH_MAX];
+
+ if (stat(import, &st) != 0) {
+ warn("could not access keyfile %s", import);
+ return (1);
+ }
+
+ snprintf(dst, sizeof(dst), "%s/private/%s.key", ca->sslpath, keyname);
+ fcopy(import, dst, 0600);
+
+ return (0);
+}
+
+int
+ca_key_delete(struct ca *ca, char *keyname)
+{
+ char path[PATH_MAX];
+
+ snprintf(path, sizeof(path), "%s/private/%s.key", ca->sslpath, keyname);
+ unlink(path);
+
+ return (0);
+}
+
+int
ca_delkey(struct ca *ca, char *keyname)
{
char file[PATH_MAX];
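Review bot: ca_key_import overwrites an existing `<sslpath>/private/<host>.key` without any check, which contradicts the commit's own "don't recreate private keys if a key already exists" policy in ca_key_create; a `stat(dst, &st) == 0` guard that warns and returns 1 before `fcopy(import, dst, 0600)` would prevent clobbering the key that existing certificates were signed for. The `stat(import, &st)` check only proves the source path exists, not that it is a regular file, so `S_ISREG(st.st_mode)` belongs in that condition too. Separately, ca_key_delete discards the result of `unlink(path)` and always reports success; `if (unlink(path) == -1 && errno != ENOENT) { warn("unlink %s", path); return (1); }` would surface permission errors instead of hiding them.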
@@ -180,7 +217,7 @@ ca_sign(struct ca *ca, char *keyname, int type)
int
ca_certificate(struct ca *ca, char *keyname, int type)
{
- ca_key(ca->sslpath, ca->caname, keyname);
+ ca_key_create(ca, keyname);
ca_request(ca->sslpath, ca->sslcnf, keyname);
ca_sign(ca, keyname, type);
@@ -188,7 +225,7 @@ ca_certificate(struct ca *ca, char *keyname, int type)
}
int
-ca_cert_install(struct ca *ca, char *keyname)
+ca_key_install(struct ca *ca, char *keyname)
{
struct stat st;
char cmd[PATH_MAX * 2];
@@ -212,6 +249,20 @@ ca_cert_install(struct ca *ca, char *keyname)
KEYBASE);
system(cmd);
+
+ return (1);
+}
+
+int
+ca_cert_install(struct ca *ca, char *keyname)
+{
+ char src[PATH_MAX];
+ char dst[PATH_MAX];
+ int r;
+
+ if ((r = ca_key_install(ca, keyname)) != 0)
+ return (r);
+
snprintf(src, sizeof(src), "%s/%s.crt", ca->sslpath, keyname);
snprintf(dst, sizeof(dst), "%s/certs/%s.crt", KEYBASE, keyname);
fcopy(src, dst, 0644);
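Review bot: The `return (1);` added after `system(cmd)` is the fall-through on ca_key_install's success path, and the new ca_cert_install treats any non-zero value as failure via `if ((r = ca_key_install(ca, keyname)) != 0) return (r);`, so the certificate copy below it looks unreachable once the key has been installed; the success return should be `return (0);`, with 1 reserved for the early failure exits. The start of ca_key_install lies outside this hunk, so an earlier `return (0)` cannot be excluded from here, but the final statement is what a successful `system()` call reaches. The exit status of `system(cmd)` is also discarded; checking `if (system(cmd) != 0) return (1);` would make the non-zero result actually mean something to ca_cert_install.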
@@ -348,7 +399,7 @@ fcopy(char *src, char *dst, mode_t mode)
if ((ifd = open(src, O_RDONLY)) == -1)
err(1, "open %s", src);
- if ((ofd = open(dst, O_WRONLY|O_CREAT, mode)) == -1) {
+ if ((ofd = open(dst, O_WRONLY|O_CREAT|O_TRUNC, mode)) == -1) {
close(ifd);
err(1, "open %s", dst);
}
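Review bot: The `mode` argument of `open(dst, O_WRONLY|O_CREAT|O_TRUNC, mode)` only applies when the file is created; now that O_TRUNC lets fcopy reuse an existing destination, a key file that already exists with wider permissions keeps them while receiving fresh private-key bytes. Adding `if (fchmod(ofd, mode) == -1) err(1, "fchmod %s", dst);` right after the open (or unlinking dst first) makes the requested 0600 authoritative for the private-key copies in ca_key_import and ca_key_install. fcopy's body continues beyond the hunk.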
diff --git a/usr.sbin/ikectl/ikectl.8 b/usr.sbin/ikectl/ikectl.8
index 75d34fdda45..2de05e34459 100644
--- a/usr.sbin/ikectl/ikectl.8
+++ b/usr.sbin/ikectl/ikectl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ikectl.8,v 1.3 2010/06/10 16:14:04 jsg Exp $
+.\" $OpenBSD: ikectl.8,v 1.4 2010/06/14 17:41:18 jsg Exp $
.\" $vantronix: ikectl.8,v 1.11 2010/06/03 15:55:51 reyk Exp $
.\"
.\" Copyright (c) 2007, 2008, 2009, 2010 Reyk Floeter <reyk@vantronix.net>
@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: June 10 2010 $
+.Dd $Mdocdate: June 14 2010 $
.Dt IKECTL 8
.Os
.Sh NAME
@@ -134,6 +134,22 @@ and generate a new Certificate Revocation List (CRL).
.It Cm show Cm ca Ar name Cm certificates
Display a listing of certificates associated with CA
.Ar name .
+.It Cm ca Ar name Cm key Ar host Cm create
+Create a private key for
+.Ar host
+if one does not already exist.
+.It Cm ca Ar name Cm key Ar host Cm install
+Install the private and public keys for
+.Ar host
+into the active configuration.
+.It Cm ca Ar name Cm key Ar host Cm delete
+Delete the private key for
+.Ar host .
+.It Cm ca Ar name Cm key Ar host Cm import Cm file
+Source the private key for
+.Ar host
+from the named
+.Ar file .
.El
.Sh FILES
.Bl -tag -width "/var/run/iked.sockXX" -compact
diff --git a/usr.sbin/ikectl/ikectl.c b/usr.sbin/ikectl/ikectl.c
index 6c47bfd7cbd..87d6bcf2346 100644
--- a/usr.sbin/ikectl/ikectl.c
+++ b/usr.sbin/ikectl/ikectl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikectl.c,v 1.3 2010/06/10 16:14:04 jsg Exp $ */
+/* $OpenBSD: ikectl.c,v 1.4 2010/06/14 17:41:18 jsg Exp $ */
/*
* Copyright (c) 2007, 2008 Reyk Floeter <reyk@vantronix.net>
@@ -60,6 +60,10 @@ int ca_delkey(struct ca *, char *);
int ca_install(struct ca *);
int ca_cert_install(struct ca *, char *);
int ca_show_certs(struct ca *);
+int ca_key_create(struct ca *, char *);
+int ca_key_delete(struct ca *, char *);
+int ca_key_install(struct ca *, char *);
+int ca_key_import(struct ca *, char *, char *);
struct imsgname imsgs[] = {
{ IMSG_CTL_OK, "ok", NULL },
@@ -123,6 +127,18 @@ ca_opt(struct parse_result *res)
case SHOW_CA_CERTIFICATES:
ca_show_certs(ca);
break;
+ case CA_KEY_CREATE:
+ ca_key_create(ca, res->host);
+ break;
+ case CA_KEY_DELETE:
+ ca_key_delete(ca, res->host);
+ break;
+ case CA_KEY_INSTALL:
+ ca_key_install(ca, res->host);
+ break;
+ case CA_KEY_IMPORT:
+ ca_key_import(ca, res->host, res->filename);
+ break;
default:
break;
}
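Review bot: The return values of the four new ca_key_* calls are dropped, so the one failure these functions do report — ca_key_import returning 1 when `stat(import, &st)` fails — never reaches the caller and presumably not the process exit status, leaving a scripted `ikectl ca X key H import F` unable to detect a missing file. The existing cases in this switch discard their results the same way, so this matches the file's pattern, but the import path is the first with a meaningful error code. Capturing it, e.g. `ret = ca_key_import(ca, res->host, res->filename);` and returning `ret` from ca_opt, is a small change; ca_opt's start and end are outside the hunk.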
@@ -174,6 +190,10 @@ main(int argc, char *argv[])
case CA_CERT_REVOKE:
case SHOW_CA:
case SHOW_CA_CERTIFICATES:
+ case CA_KEY_CREATE:
+ case CA_KEY_DELETE:
+ case CA_KEY_INSTALL:
+ case CA_KEY_IMPORT:
ca_opt(res);
break;
case NONE:
diff --git a/usr.sbin/ikectl/parser.c b/usr.sbin/ikectl/parser.c
index 2a5b28535f5..9989ef91569 100644
--- a/usr.sbin/ikectl/parser.c
+++ b/usr.sbin/ikectl/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.3 2010/06/10 16:14:04 jsg Exp $ */
+/* $OpenBSD: parser.c,v 1.4 2010/06/14 17:41:18 jsg Exp $ */
/*
* Copyright (c) 2010 Reyk Floeter <reyk@vantronix.net>
@@ -61,6 +61,9 @@ static const struct token t_ca[];
static const struct token t_ca_modifiers[];
static const struct token t_ca_cert[];
static const struct token t_ca_cert_modifiers[];
+static const struct token t_ca_key[];
+static const struct token t_ca_key_modifiers[];
+static const struct token t_ca_key_path[];
static const struct token t_show[];
static const struct token t_show_ca[];
static const struct token t_show_ca_modifiers[];
@@ -110,6 +113,7 @@ static const struct token t_ca_modifiers[] = {
{ KEYWORD, "delete", CA_DELETE, NULL },
{ KEYWORD, "install", CA_INSTALL, NULL },
{ KEYWORD, "certificate", CA_CERTIFICATE, t_ca_cert },
+ { KEYWORD, "key", NONE, t_ca_key },
{ ENDTOKEN, "", NONE, NULL }
};
@@ -128,6 +132,25 @@ static const struct token t_ca_cert_modifiers[] = {
{ ENDTOKEN, "", NONE, NULL }
};
+static const struct token t_ca_key[] = {
+ { ADDRESS, "", NONE, t_ca_key_modifiers },
+ { FQDN, "", NONE, t_ca_key_modifiers },
+ { ENDTOKEN, "", NONE, NULL }
+};
+
+static const struct token t_ca_key_modifiers[] = {
+ { KEYWORD, "create", CA_KEY_CREATE, NULL },
+ { KEYWORD, "delete", CA_KEY_DELETE, NULL },
+ { KEYWORD, "install", CA_KEY_INSTALL, NULL },
+ { KEYWORD, "import", CA_KEY_IMPORT, t_ca_key_path },
+ { ENDTOKEN, "", NONE, NULL }
+};
+
+static const struct token t_ca_key_path[] = {
+ { FILENAME, "", NONE, NULL },
+ { ENDTOKEN, "", NONE, NULL }
+};
+
static const struct token t_show[] = {
{ KEYWORD, "ca", SHOW_CA, t_show_ca },
{ ENDTOKEN, "", NONE, NULL }
diff --git a/usr.sbin/ikectl/parser.h b/usr.sbin/ikectl/parser.h
index e274e0af073..00f8b4b0698 100644
--- a/usr.sbin/ikectl/parser.h
+++ b/usr.sbin/ikectl/parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.h,v 1.3 2010/06/10 16:14:04 jsg Exp $ */
+/* $OpenBSD: parser.h,v 1.4 2010/06/14 17:41:18 jsg Exp $ */
/*
* Copyright (c) 2007, 2008 Reyk Floeter <reyk@vantronix.net>
@@ -42,6 +42,10 @@ enum actions {
CA_CERT_INSTALL,
CA_CERT_EXPORT,
CA_CERT_REVOKE,
+ CA_KEY_CREATE,
+ CA_KEY_DELETE,
+ CA_KEY_INSTALL,
+ CA_KEY_IMPORT,
SHOW_CA,
SHOW_CA_CERTIFICATES
};