- identification_t supports now almost all id types
[strongswan.git] / Source / lib / crypto / x509.c
1 /**
2 * @file x509.c
3 *
4 * @brief Implementation of x509_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <gmp.h>
24 #include <sys/stat.h>
25 #include <unistd.h>
26 #include <string.h>
27
28 #include "x509.h"
29
30 #include <daemon.h>
31 #include <asn1/asn1.h>
32 #include <asn1/oid.h>
33 #include <utils/logger_manager.h>
34
35 typedef const char *err_t; /* error message, or NULL for success */
36
37
38 #define BUF_LEN 512
39 #define RSA_MIN_OCTETS (512 / 8)
40 #define RSA_MIN_OCTETS_UGH "RSA modulus too small for security: less than 512 bits"
41 #define RSA_MAX_OCTETS (8192 / 8)
42 #define RSA_MAX_OCTETS_UGH "RSA modulus too large: more than 8192 bits"
43
44 logger_t *logger;
45
46 typedef enum generalNames_t generalNames_t;
47
48 /**
49 * Different kinds of generalNames
50 */
51 enum generalNames_t {
52 GN_OTHER_NAME = 0,
53 GN_RFC822_NAME = 1,
54 GN_DNS_NAME = 2,
55 GN_X400_ADDRESS = 3,
56 GN_DIRECTORY_NAME = 4,
57 GN_EDI_PARTY_NAME = 5,
58 GN_URI = 6,
59 GN_IP_ADDRESS = 7,
60 GN_REGISTERED_ID = 8,
61 };
62
63 typedef struct generalName_t generalName_t;
64
65 /**
66 * A generalName, chainable in a list
67 */
68 struct generalName_t {
69 generalName_t *next;
70 generalNames_t kind;
71 chunk_t name;
72 };
73
74 typedef struct private_x509_t private_x509_t;
75
76 /**
77 * Private data of a x509_t object.
78 */
79 struct private_x509_t {
80 /**
81 * Public interface for this certificate.
82 */
83 x509_t public;
84
85 /**
86 * Version of the X509 certificate
87 */
88 u_int version;
89
90 /**
91 * ID representing the certificates subject
92 */
93 identification_t *subject;
94
95 /**
96 * ID representing the certificate issuer
97 */
98 identification_t *issuer;
99
100 /**
101 * List of identification_t's representing subjectAltNames
102 */
103 linked_list_t *subjectAltNames;
104
105 /**
106 * List of identification_t's representing issuerAltNames
107 */
108 linked_list_t *issuerAltNames;
109
110 /**
111 * List of identification_t's representing crlDistributionPoints
112 */
113 linked_list_t *crlDistributionPoints;
114
115 /**
116 * Type of the subjects Key (currently RSA only)
117 */
118 auth_method_t subjectPublicKeyAlgorithm;
119
120
121 /**
122 * Subjects RSA public key, if subjectPublicKeyAlgorithm == RSA
123 */
124 rsa_public_key_t *public_key;
125
126
127
128
129 time_t installed;
130 u_char authority_flags;
131 chunk_t x509;
132 chunk_t tbsCertificate;
133 chunk_t serialNumber;
134 /* signature */
135 int sigAlg;
136 /* validity */
137 time_t notBefore;
138 time_t notAfter;
139 /* subjectPublicKeyInfo */
140 chunk_t subjectPublicKey;
141 /* issuerUniqueID */
142 /* subjectUniqueID */
143 /* v3 extensions */
144 /* extension */
145 /* extension */
146 /* extnID */
147 /* critical */
148 /* extnValue */
149 bool isCA;
150 bool isOcspSigner; /* ocsp */
151 chunk_t subjectKeyID;
152 chunk_t authKeyID;
153 chunk_t authKeySerialNumber;
154 chunk_t accessLocation; /* ocsp */
155 /* signatureAlgorithm */
156 int algorithm;
157 chunk_t signature;
158 };
159
160 /**
161 * ASN.1 definition of a basicConstraints extension
162 */
163 static const asn1Object_t basicConstraintsObjects[] = {
164 { 0, "basicConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
165 { 1, "CA", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 1 */
166 { 1, "pathLenConstraint", ASN1_INTEGER, ASN1_OPT|ASN1_BODY }, /* 2 */
167 { 1, "end opt", ASN1_EOC, ASN1_END } /* 3 */
168 };
169 #define BASIC_CONSTRAINTS_CA 1
170 #define BASIC_CONSTRAINTS_ROOF 4
171
172 /**
173 * ASN.1 definition of time
174 */
175 static const asn1Object_t timeObjects[] = {
176 { 0, "utcTime", ASN1_UTCTIME, ASN1_OPT|ASN1_BODY }, /* 0 */
177 { 0, "end opt", ASN1_EOC, ASN1_END }, /* 1 */
178 { 0, "generalizeTime",ASN1_GENERALIZEDTIME, ASN1_OPT|ASN1_BODY }, /* 2 */
179 { 0, "end opt", ASN1_EOC, ASN1_END } /* 3 */
180 };
181 #define TIME_UTC 0
182 #define TIME_GENERALIZED 2
183 #define TIME_ROOF 4
184
185 /**
186 * ASN.1 definition of a keyIdentifier
187 */
188 static const asn1Object_t keyIdentifierObjects[] = {
189 { 0, "keyIdentifier", ASN1_OCTET_STRING, ASN1_BODY } /* 0 */
190 };
191
192 /**
193 * ASN.1 definition of a authorityKeyIdentifier extension
194 */
195 static const asn1Object_t authorityKeyIdentifierObjects[] = {
196 { 0, "authorityKeyIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
197 { 1, "keyIdentifier", ASN1_CONTEXT_S_0, ASN1_OPT|ASN1_OBJ }, /* 1 */
198 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
199 { 1, "authorityCertIssuer", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_OBJ }, /* 3 */
200 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 4 */
201 { 1, "authorityCertSerialNumber",ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 5 */
202 { 1, "end opt", ASN1_EOC, ASN1_END } /* 6 */
203 };
204 #define AUTH_KEY_ID_KEY_ID 1
205 #define AUTH_KEY_ID_CERT_ISSUER 3
206 #define AUTH_KEY_ID_CERT_SERIAL 5
207 #define AUTH_KEY_ID_ROOF 7
208
209 /**
210 * ASN.1 definition of a authorityInfoAccess extension
211 */
212 static const asn1Object_t authorityInfoAccessObjects[] = {
213 { 0, "authorityInfoAccess", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
214 { 1, "accessDescription", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
215 { 2, "accessMethod", ASN1_OID, ASN1_BODY }, /* 2 */
216 { 2, "accessLocation", ASN1_EOC, ASN1_RAW }, /* 3 */
217 { 0, "end loop", ASN1_EOC, ASN1_END } /* 4 */
218 };
219 #define AUTH_INFO_ACCESS_METHOD 2
220 #define AUTH_INFO_ACCESS_LOCATION 3
221 #define AUTH_INFO_ACCESS_ROOF 5
222
223 /**
224 * ASN.1 definition of a extendedKeyUsage extension
225 */
226 static const asn1Object_t extendedKeyUsageObjects[] = {
227 { 0, "extendedKeyUsage", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
228 { 1, "keyPurposeID", ASN1_OID, ASN1_BODY }, /* 1 */
229 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
230 };
231
232 #define EXT_KEY_USAGE_PURPOSE_ID 1
233 #define EXT_KEY_USAGE_ROOF 3
234
235 /**
236 * ASN.1 definition of generalNames
237 */
238 static const asn1Object_t generalNamesObjects[] = {
239 { 0, "generalNames", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
240 { 1, "generalName", ASN1_EOC, ASN1_RAW }, /* 1 */
241 { 0, "end loop", ASN1_EOC, ASN1_END } /* 2 */
242 };
243 #define GENERAL_NAMES_GN 1
244 #define GENERAL_NAMES_ROOF 3
245
246
247 /**
248 * ASN.1 definition of crlDistributionPoints
249 */
250 static const asn1Object_t crlDistributionPointsObjects[] = {
251 { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
252 { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
253 { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */
254 { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
255 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
256 { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
257 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
258 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
259 { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
260 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
261 { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_BODY }, /* 10 */
262 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
263 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
264 };
265 #define CRL_DIST_POINTS_FULLNAME 3
266 #define CRL_DIST_POINTS_ROOF 13
267
268 /**
269 * ASN.1 definition of an X.509v3 x509
270 */
271 static const asn1Object_t certObjects[] = {
272 { 0, "x509", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
273 { 1, "tbsCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
274 { 2, "DEFAULT v1", ASN1_CONTEXT_C_0, ASN1_DEF }, /* 2 */
275 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
276 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 4 */
277 { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 5 */
278 { 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
279 { 2, "validity", ASN1_SEQUENCE, ASN1_NONE }, /* 7 */
280 { 3, "notBefore", ASN1_EOC, ASN1_RAW }, /* 8 */
281 { 3, "notAfter", ASN1_EOC, ASN1_RAW }, /* 9 */
282 { 2, "subject", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
283 { 2, "subjectPublicKeyInfo",ASN1_SEQUENCE, ASN1_NONE }, /* 11 */
284 { 3, "algorithm", ASN1_EOC, ASN1_RAW }, /* 12 */
285 { 3, "subjectPublicKey", ASN1_BIT_STRING, ASN1_NONE }, /* 13 */
286 { 4, "RSAPublicKey", ASN1_SEQUENCE, ASN1_RAW }, /* 14 */
287 { 2, "issuerUniqueID", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 15 */
288 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 16 */
289 { 2, "subjectUniqueID", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 17 */
290 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 18 */
291 { 2, "optional extensions", ASN1_CONTEXT_C_3, ASN1_OPT }, /* 19 */
292 { 3, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 20 */
293 { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 21 */
294 { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 22 */
295 { 5, "critical", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 23 */
296 { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 24 */
297 { 3, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
298 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
299 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 27 */
300 { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY } /* 28 */
301 };
302 #define X509_OBJ_CERTIFICATE 0
303 #define X509_OBJ_TBS_CERTIFICATE 1
304 #define X509_OBJ_VERSION 3
305 #define X509_OBJ_SERIAL_NUMBER 4
306 #define X509_OBJ_SIG_ALG 5
307 #define X509_OBJ_ISSUER 6
308 #define X509_OBJ_NOT_BEFORE 8
309 #define X509_OBJ_NOT_AFTER 9
310 #define X509_OBJ_SUBJECT 10
311 #define X509_OBJ_SUBJECT_PUBLIC_KEY_ALGORITHM 12
312 #define X509_OBJ_SUBJECT_PUBLIC_KEY 13
313 #define X509_OBJ_RSA_PUBLIC_KEY 14
314 #define X509_OBJ_EXTN_ID 22
315 #define X509_OBJ_CRITICAL 23
316 #define X509_OBJ_EXTN_VALUE 24
317 #define X509_OBJ_ALGORITHM 27
318 #define X509_OBJ_SIGNATURE 28
319 #define X509_OBJ_ROOF 29
320
321
322 static u_char ASN1_subjectAltName_oid_str[] = {
323 0x06, 0x03, 0x55, 0x1D, 0x11
324 };
325
326 static const chunk_t ASN1_subjectAltName_oid = chunk_from_buf(ASN1_subjectAltName_oid_str);
327
328
329 /**
330 * compare two X.509 x509s by comparing their signatures
331 */
332 static bool equals(private_x509_t *this, private_x509_t *other)
333 {
334 return chunk_equals(this->signature, other->signature);
335 }
336
337 /**
338 * encode a linked list of subjectAltNames
339 */
340 chunk_t build_subjectAltNames(generalName_t *subjectAltNames)
341 {
342 u_char *pos;
343 chunk_t names;
344 size_t len = 0;
345 generalName_t *gn = subjectAltNames;
346
347 /* compute the total size of the ASN.1 attributes object */
348 while (gn != NULL)
349 {
350 len += gn->name.len;
351 gn = gn->next;
352 }
353
354 pos = build_asn1_object(&names, ASN1_SEQUENCE, len);
355
356 gn = subjectAltNames;
357 while (gn != NULL)
358 {
359 memcpy(pos, gn->name.ptr, gn->name.len);
360 pos += gn->name.len;
361 gn = gn->next;
362 }
363
364 return asn1_wrap(ASN1_SEQUENCE, "cm",
365 ASN1_subjectAltName_oid,
366 asn1_wrap(ASN1_OCTET_STRING, "m", names)
367 );
368 }
369
370 /**
371 * free the dynamic memory used to store generalNames
372 */
373 void free_generalNames(generalName_t* gn, bool free_name)
374 {
375 while (gn != NULL)
376 {
377 generalName_t *gn_top = gn;
378 if (free_name)
379 {
380 free(gn->name.ptr);
381 }
382 gn = gn->next;
383 free(gn_top);
384 }
385 }
386
387 /**
388 * extracts the basicConstraints extension
389 */
390 static bool parse_basicConstraints(chunk_t blob, int level0)
391 {
392 asn1_ctx_t ctx;
393 chunk_t object;
394 u_int level;
395 int objectID = 0;
396 bool isCA = FALSE;
397
398 asn1_init(&ctx, blob, level0, FALSE);
399
400 while (objectID < BASIC_CONSTRAINTS_ROOF) {
401
402 if (!extract_object(basicConstraintsObjects, &objectID, &object,&level, &ctx))
403 {
404 break;
405 }
406 if (objectID == BASIC_CONSTRAINTS_CA)
407 {
408 isCA = object.len && *object.ptr;
409 logger->log(logger, RAW|LEVEL1, " %s", isCA ? "TRUE" : "FALSE");
410 }
411 objectID++;
412 }
413 return isCA;
414 }
415
416 /**
417 * extracts one or several GNs and puts them into a chained list
418 */
419 static void parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list)
420 {
421 asn1_ctx_t ctx;
422 chunk_t object;
423 u_int level;
424 int objectID = 0;
425
426 asn1_init(&ctx, blob, level0, implicit);
427
428 while (objectID < GENERAL_NAMES_ROOF)
429 {
430 if (!extract_object(generalNamesObjects, &objectID, &object, &level, &ctx))
431 return;
432
433 if (objectID == GENERAL_NAMES_GN)
434 {
435 list->insert_last(list, identification_create_from_encoding(ID_DER_ASN1_GN, object));
436 }
437 objectID++;
438 }
439 return;
440 }
441
442 /**
443 * extracts and converts a UTCTIME or GENERALIZEDTIME object
444 */
445 time_t parse_time(chunk_t blob, int level0)
446 {
447 asn1_ctx_t ctx;
448 chunk_t object;
449 u_int level;
450 int objectID = 0;
451
452 asn1_init(&ctx, blob, level0, FALSE);
453
454 while (objectID < TIME_ROOF)
455 {
456 if (!extract_object(timeObjects, &objectID, &object, &level, &ctx))
457 return 0;
458
459 if (objectID == TIME_UTC || objectID == TIME_GENERALIZED)
460 {
461 return asn1totime(&object, (objectID == TIME_UTC)
462 ? ASN1_UTCTIME : ASN1_GENERALIZEDTIME);
463 }
464 objectID++;
465 }
466 return 0;
467 }
468
469 /**
470 * extracts a keyIdentifier
471 */
472 static chunk_t parse_keyIdentifier(chunk_t blob, int level0, bool implicit)
473 {
474 asn1_ctx_t ctx;
475 chunk_t object;
476 u_int level;
477 int objectID = 0;
478
479 asn1_init(&ctx, blob, level0, implicit);
480
481 extract_object(keyIdentifierObjects, &objectID, &object, &level, &ctx);
482 return object;
483 }
484
485 /**
486 * extracts an authoritykeyIdentifier
487 */
488 void parse_authorityKeyIdentifier(chunk_t blob, int level0 , chunk_t *authKeyID, chunk_t *authKeySerialNumber)
489 {
490 asn1_ctx_t ctx;
491 chunk_t object;
492 u_int level;
493 int objectID = 0;
494
495 asn1_init(&ctx, blob, level0, FALSE);
496 while (objectID < AUTH_KEY_ID_ROOF)
497 {
498 if (!extract_object(authorityKeyIdentifierObjects, &objectID, &object, &level, &ctx))
499 {
500 return;
501 }
502 switch (objectID)
503 {
504 case AUTH_KEY_ID_KEY_ID:
505 *authKeyID = parse_keyIdentifier(object, level+1, TRUE);
506 break;
507 case AUTH_KEY_ID_CERT_ISSUER:
508 {
509 /* TODO: parse_generalNames(object, level+1, TRUE); */
510 break;
511 }
512 case AUTH_KEY_ID_CERT_SERIAL:
513 *authKeySerialNumber = object;
514 break;
515 default:
516 break;
517 }
518 objectID++;
519 }
520 }
521
522 /**
523 * extracts an authorityInfoAcess location
524 */
525 static void parse_authorityInfoAccess(chunk_t blob, int level0, chunk_t *accessLocation)
526 {
527 asn1_ctx_t ctx;
528 chunk_t object;
529 u_int level;
530 int objectID = 0;
531
532 u_int accessMethod = OID_UNKNOWN;
533
534 asn1_init(&ctx, blob, level0, FALSE);
535 while (objectID < AUTH_INFO_ACCESS_ROOF)
536 {
537 if (!extract_object(authorityInfoAccessObjects, &objectID, &object, &level, &ctx))
538 {
539 return;
540 }
541 switch (objectID)
542 {
543 case AUTH_INFO_ACCESS_METHOD:
544 accessMethod = known_oid(object);
545 break;
546 case AUTH_INFO_ACCESS_LOCATION:
547 {
548 switch (accessMethod)
549 {
550 case OID_OCSP:
551 if (*object.ptr == ASN1_CONTEXT_S_6)
552 {
553 if (asn1_length(&object) == ASN1_INVALID_LENGTH)
554 {
555 return;
556 }
557 logger->log(logger, RAW|LEVEL1, " '%.*s'",(int)object.len, object.ptr);
558 /* only HTTP(S) URIs accepted */
559 if (strncasecmp(object.ptr, "http", 4) == 0)
560 {
561 *accessLocation = object;
562 return;
563 }
564 }
565 logger->log(logger, ERROR|LEVEL2, "ignoring OCSP InfoAccessLocation with unkown protocol");
566 break;
567 default:
568 /* unkown accessMethod, ignoring */
569 break;
570 }
571 break;
572 }
573 default:
574 break;
575 }
576 objectID++;
577 }
578 }
579
580 /**
581 * extracts extendedKeyUsage OIDs
582 */
583 static bool parse_extendedKeyUsage(chunk_t blob, int level0)
584 {
585 asn1_ctx_t ctx;
586 chunk_t object;
587 u_int level;
588 int objectID = 0;
589
590 asn1_init(&ctx, blob, level0, FALSE);
591 while (objectID < EXT_KEY_USAGE_ROOF)
592 {
593 if (!extract_object(extendedKeyUsageObjects, &objectID, &object, &level, &ctx))
594 {
595 return FALSE;
596 }
597 if (objectID == EXT_KEY_USAGE_PURPOSE_ID &&
598 known_oid(object) == OID_OCSP_SIGNING)
599 {
600 return TRUE;
601 }
602 objectID++;
603 }
604 return FALSE;
605 }
606
607 /**
608 * extracts one or several crlDistributionPoints and puts them into
609 * a chained list
610 */
611 static void parse_crlDistributionPoints(chunk_t blob, int level0, linked_list_t *list)
612 {
613 asn1_ctx_t ctx;
614 chunk_t object;
615 u_int level;
616 int objectID = 0;
617
618 asn1_init(&ctx, blob, level0, FALSE);
619 while (objectID < CRL_DIST_POINTS_ROOF)
620 {
621 if (!extract_object(crlDistributionPointsObjects, &objectID, &object, &level, &ctx))
622 {
623 return;
624 }
625 if (objectID == CRL_DIST_POINTS_FULLNAME)
626 {
627 /* append extracted generalNames to existing chained list */
628 parse_generalNames(object, level+1, TRUE, list);
629
630 }
631 objectID++;
632 }
633 }
634
635
636 /**
637 * Parses an X.509v3 x509
638 */
639 bool parse_x509cert(chunk_t blob, u_int level0, private_x509_t *cert)
640 {
641 asn1_ctx_t ctx;
642 bool critical;
643 chunk_t object;
644 u_int level;
645 u_int extn_oid = OID_UNKNOWN;
646 int objectID = 0;
647
648 asn1_init(&ctx, blob, level0, FALSE);
649 while (objectID < X509_OBJ_ROOF)
650 {
651 if (!extract_object(certObjects, &objectID, &object, &level, &ctx))
652 {
653 return FALSE;
654 }
655 /* those objects which will parsed further need the next higher level */
656 level++;
657 switch (objectID) {
658 case X509_OBJ_CERTIFICATE:
659 cert->x509 = object;
660 break;
661 case X509_OBJ_TBS_CERTIFICATE:
662 cert->tbsCertificate = object;
663 break;
664 case X509_OBJ_VERSION:
665 cert->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
666 logger->log(logger, RAW|LEVEL1, " v%d", cert->version);
667 break;
668 case X509_OBJ_SERIAL_NUMBER:
669 cert->serialNumber = object;
670 break;
671 case X509_OBJ_SIG_ALG:
672 cert->sigAlg = parse_algorithmIdentifier(object, level, NULL);
673 break;
674 case X509_OBJ_ISSUER:
675 cert->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
676 break;
677 case X509_OBJ_NOT_BEFORE:
678 cert->notBefore = parse_time(object, level);
679 break;
680 case X509_OBJ_NOT_AFTER:
681 cert->notAfter = parse_time(object, level);
682 break;
683 case X509_OBJ_SUBJECT:
684 cert->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
685 break;
686 case X509_OBJ_SUBJECT_PUBLIC_KEY_ALGORITHM:
687 if (parse_algorithmIdentifier(object, level, NULL) == OID_RSA_ENCRYPTION)
688 {
689 cert->subjectPublicKeyAlgorithm = RSA_DIGITAL_SIGNATURE;
690 }
691 else
692 {
693 logger->log(logger, ERROR|LEVEL1, " unsupported public key algorithm");
694 return FALSE;
695 }
696 break;
697 case X509_OBJ_SUBJECT_PUBLIC_KEY:
698 if (ctx.blobs[4].len > 0 && *ctx.blobs[4].ptr == 0x00)
699 {
700 /* skip initial bit string octet defining 0 unused bits */
701 ctx.blobs[4].ptr++; ctx.blobs[4].len--;
702 }
703 else
704 {
705 logger->log(logger, ERROR|LEVEL1, " invalid RSA public key format");
706 return FALSE;
707 }
708 break;
709 case X509_OBJ_RSA_PUBLIC_KEY:
710 cert->subjectPublicKey = object;
711 break;
712 case X509_OBJ_EXTN_ID:
713 extn_oid = known_oid(object);
714 break;
715 case X509_OBJ_CRITICAL:
716 critical = object.len && *object.ptr;
717 logger->log(logger, ERROR|LEVEL1, " %s", critical ? "TRUE" : "FALSE");
718 break;
719 case X509_OBJ_EXTN_VALUE:
720 {
721 switch (extn_oid) {
722 case OID_SUBJECT_KEY_ID:
723 cert->subjectKeyID = parse_keyIdentifier(object, level, FALSE);
724 break;
725 case OID_SUBJECT_ALT_NAME:
726 parse_generalNames(object, level, FALSE, cert->subjectAltNames);
727 break;
728 case OID_BASIC_CONSTRAINTS:
729 cert->isCA = parse_basicConstraints(object, level);
730 break;
731 case OID_CRL_DISTRIBUTION_POINTS:
732 parse_crlDistributionPoints(object, level, cert->crlDistributionPoints);
733 break;
734 case OID_AUTHORITY_KEY_ID:
735 parse_authorityKeyIdentifier(object, level , &cert->authKeyID, &cert->authKeySerialNumber);
736 break;
737 case OID_AUTHORITY_INFO_ACCESS:
738 parse_authorityInfoAccess(object, level, &cert->accessLocation);
739 break;
740 case OID_EXTENDED_KEY_USAGE:
741 cert->isOcspSigner = parse_extendedKeyUsage(object, level);
742 break;
743 case OID_NS_REVOCATION_URL:
744 case OID_NS_CA_REVOCATION_URL:
745 case OID_NS_CA_POLICY_URL:
746 case OID_NS_COMMENT:
747 if (!parse_asn1_simple_object(&object, ASN1_IA5STRING , level, oid_names[extn_oid].name))
748 {
749 return FALSE;
750 }
751 break;
752 default:
753 break;
754 }
755 break;
756 }
757 case X509_OBJ_ALGORITHM:
758 cert->algorithm = parse_algorithmIdentifier(object, level, NULL);
759 break;
760 case X509_OBJ_SIGNATURE:
761 cert->signature = object;
762 break;
763 default:
764 break;
765 }
766 objectID++;
767 }
768 time(&cert->installed);
769 return TRUE;
770 }
771
772 /**
773 * verify the validity of a x509 by
774 * checking the notBefore and notAfter dates
775 */
776 err_t check_validity(const private_x509_t *cert, time_t *until)
777 {
778 time_t current_time;
779
780 time(&current_time);
781
782 if (cert->notAfter < *until)
783 {
784 *until = cert->notAfter;
785 }
786 if (current_time < cert->notBefore)
787 {
788 return "x509 is not valid yet";
789 }
790 if (current_time > cert->notAfter)
791 {
792 return "x509 has expired";
793 }
794 else
795 {
796 return NULL;
797 }
798 }
799
800 /**
801 * Implements x509_t.get_public_key
802 */
803 static rsa_public_key_t *get_public_key(private_x509_t *this)
804 {
805 return this->public_key->clone(this->public_key);;
806 }
807
808 /**
809 * Implements x509_t.get_subject
810 */
811 static identification_t *get_subject(private_x509_t *this)
812 {
813 return this->subject;
814 }
815
816 /**
817 * Implements x509_t.get_issuer
818 */
819 static identification_t *get_issuer(private_x509_t *this)
820 {
821 return this->issuer;
822 }
823
824 /**
825 * destroy
826 */
827 static void destroy(private_x509_t *this)
828 {
829 identification_t *id;
830 while (this->subjectAltNames->remove_last(this->subjectAltNames, (void**)&id) == SUCCESS)
831 {
832 id->destroy(id);
833 }
834 this->subjectAltNames->destroy(this->subjectAltNames);
835 while (this->issuerAltNames->remove_last(this->issuerAltNames, (void**)&id) == SUCCESS)
836 {
837 id->destroy(id);
838 }
839 this->issuerAltNames->destroy(this->issuerAltNames);
840 while (this->crlDistributionPoints->remove_last(this->crlDistributionPoints, (void**)&id) == SUCCESS)
841 {
842 id->destroy(id);
843 }
844 this->crlDistributionPoints->destroy(this->crlDistributionPoints);
845 if (this->issuer)
846 {
847 this->issuer->destroy(this->issuer);
848 }
849 if (this->subject)
850 {
851 this->subject->destroy(this->subject);
852 }
853 if (this->public_key)
854 {
855 this->public_key->destroy(this->public_key);
856 }
857 free(this);
858 }
859
860 /*
861 * Described in header.
862 */
863 x509_t *x509_create_from_chunk(chunk_t chunk)
864 {
865 private_x509_t *this = malloc_thing(private_x509_t);
866
867 /* public functions */
868 this->public.equals = (bool (*) (x509_t*,x509_t*))equals;
869 this->public.destroy = (void (*) (x509_t*))destroy;
870 this->public.get_public_key = (rsa_public_key_t* (*) (x509_t*))get_public_key;
871 this->public.get_subject = (identification_t* (*) (x509_t*))get_subject;
872 this->public.get_issuer = (identification_t* (*) (x509_t*))get_issuer;
873
874 /* initialize */
875 this->subjectPublicKey = CHUNK_INITIALIZER;
876 this->public_key = NULL;
877 this->subject = NULL;
878 this->issuer = NULL;
879 this->subjectAltNames = linked_list_create(this->subjectAltNames);
880 this->issuerAltNames = linked_list_create(this->issuerAltNames);
881 this->crlDistributionPoints = linked_list_create(this->crlDistributionPoints);
882
883 /* we do not use a per-instance logger right now, since its not always accessible */
884 logger = logger_manager->get_logger(logger_manager, ASN1);
885
886 if (!parse_x509cert(chunk, 0, this))
887 {
888 destroy(this);
889 return NULL;
890 }
891
892 this->public_key = rsa_public_key_create_from_chunk(this->subjectPublicKey);
893 if (this->public_key == NULL)
894 {
895 destroy(this);
896 return NULL;
897 }
898
899 return &this->public;
900 }
901
902 /*
903 * Described in header.
904 */
905 x509_t *x509_create_from_file(char *filename)
906 {
907 struct stat stb;
908 FILE *file;
909 char *buffer;
910 chunk_t chunk;
911
912 if (stat(filename, &stb) == -1)
913 {
914 return NULL;
915 }
916
917 buffer = alloca(stb.st_size);
918
919 file = fopen(filename, "r");
920 if (file == NULL)
921 {
922 return NULL;
923 }
924
925 if (fread(buffer, stb.st_size, 1, file) == -1)
926 {
927 fclose(file);
928 return NULL;
929 }
930 fclose(file);
931
932 chunk.ptr = buffer;
933 chunk.len = stb.st_size;
934
935 return x509_create_from_chunk(chunk);
936 }