0eccfa02b264c7179cc902799f42700450072bb1
[strongswan.git] / src / libstrongswan / crypto / ac.c
1 /**
2 * @file ac.c
3 *
4 * @brief Implementation of x509ac_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
10 * Copyright (C) 2003 Martin Berner, Lukas Suter
11 * Copyright (C) 2007 Andreas Steffen, Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include <library.h>
25 #include <debug.h>
26
27 #include <asn1/asn1.h>
28 #include <utils/identification.h>
29 #include <utils/linked_list.h>
30
31 #include "ac.h"
32
33 typedef struct private_x509ac_t private_x509ac_t;
34
35 /**
36 * Private data of a x509ac_t object.
37 */
38 struct private_x509ac_t {
39 /**
40 * Public interface for this attribute certificate.
41 */
42 x509ac_t public;
43
44 /**
45 * Time when attribute certificate was installed
46 */
47 time_t installed;
48
49 /**
50 * X.509 attribute certificate in DER format
51 */
52 chunk_t certificate;
53
54 /**
55 * X.509 attribute certificate body over which signature is computed
56 */
57 chunk_t certificateInfo;
58
59 /**
60 * Version of the X.509 attribute certificate
61 */
62 u_int version;
63
64 /**
65 * Serial number of the X.509 attribute certificate
66 */
67 chunk_t serialNumber;
68
69 /**
70 * ID representing the issuer of the holder certificate
71 */
72 identification_t *holderIssuer;
73
74 /**
75 * Serial number of the holder certificate
76 */
77 chunk_t holderSerial;
78
79 /**
80 * ID representing the holder
81 */
82 identification_t *entityName;
83
84 /**
85 * ID representing the attribute certificate issuer
86 */
87 identification_t *issuerName;
88
89 /**
90 * Signature algorithm
91 */
92 int sigAlg;
93
94 /**
95 * Start time of certificate validity
96 */
97 time_t notBefore;
98
99 /**
100 * End time of certificate validity
101 */
102 time_t notAfter;
103
104 /**
105 * List of charging attributes
106 */
107 linked_list_t *charging;
108
109 /**
110 * List of groub attributes
111 */
112 linked_list_t *groups;
113
114 /**
115 * Authority Key Identifier
116 */
117 chunk_t authKeyID;
118
119 /**
120 * Authority Key Serial Number
121 */
122 chunk_t authKeySerialNumber;
123
124 /**
125 * No revocation information available
126 */
127 bool noRevAvail;
128
129 /**
130 * Signature algorithm (must be identical to sigAlg)
131 */
132 int algorithm;
133
134 /**
135 * Signature
136 */
137 chunk_t signature;
138 };
139
140 /**
141 * definition of ietfAttribute kinds
142 */
143 typedef enum {
144 IETF_ATTRIBUTE_OCTETS = 0,
145 IETF_ATTRIBUTE_OID = 1,
146 IETF_ATTRIBUTE_STRING = 2
147 } ietfAttribute_t;
148
149 /**
150 * access structure for an ietfAttribute
151 */
152 typedef struct ietfAttr_t ietfAttr_t;
153
154 struct ietfAttr_t {
155 /**
156 * Time when attribute was first installed
157 */
158 time_t installed;
159
160 /**
161 * Reference count
162 */
163 int count;
164
165 /**
166 * IETF attribute kind
167 */
168 ietfAttribute_t kind;
169
170 /**
171 * IETF attribute valuse
172 */
173 chunk_t value;
174 };
175
176 /**
177 * Destroys an ietfAttribute_t object
178 */
179 static void ietfAttr_destroy(ietfAttr_t *this)
180 {
181 free(this->value.ptr);
182 free(this);
183 }
184
185 /**
186 * ASN.1 definition of ietfAttrSyntax
187 */
188 static const asn1Object_t ietfAttrSyntaxObjects[] =
189 {
190 { 0, "ietfAttrSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
191 { 1, "policyAuthority", ASN1_CONTEXT_C_0, ASN1_OPT |
192 ASN1_BODY }, /* 1 */
193 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
194 { 1, "values", ASN1_SEQUENCE, ASN1_LOOP }, /* 3 */
195 { 2, "octets", ASN1_OCTET_STRING, ASN1_OPT |
196 ASN1_BODY }, /* 4 */
197 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
198 { 2, "oid", ASN1_OID, ASN1_OPT |
199 ASN1_BODY }, /* 6 */
200 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
201 { 2, "string", ASN1_UTF8STRING, ASN1_OPT |
202 ASN1_BODY }, /* 8 */
203 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
204 { 1, "end loop", ASN1_EOC, ASN1_END } /* 10 */
205 };
206
207 #define IETF_ATTR_OCTETS 4
208 #define IETF_ATTR_OID 6
209 #define IETF_ATTR_STRING 8
210 #define IETF_ATTR_ROOF 11
211
212 /**
213 * ASN.1 definition of roleSyntax
214 */
215 static const asn1Object_t roleSyntaxObjects[] =
216 {
217 { 0, "roleSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
218 { 1, "roleAuthority", ASN1_CONTEXT_C_0, ASN1_OPT |
219 ASN1_OBJ }, /* 1 */
220 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
221 { 1, "roleName", ASN1_CONTEXT_C_1, ASN1_OBJ } /* 3 */
222 };
223
224 #define ROLE_ROOF 4
225
226 /**
227 * ASN.1 definition of an X509 attribute certificate
228 */
229 static const asn1Object_t acObjects[] =
230 {
231 { 0, "AttributeCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
232 { 1, "AttributeCertificateInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
233 { 2, "version", ASN1_INTEGER, ASN1_DEF |
234 ASN1_BODY }, /* 2 */
235 { 2, "holder", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */
236 { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 4 */
237 { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */
238 { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 6 */
239 { 4, "issuerUID", ASN1_BIT_STRING, ASN1_OPT |
240 ASN1_BODY }, /* 7 */
241 { 4, "end opt", ASN1_EOC, ASN1_END }, /* 8 */
242 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
243 { 3, "entityName", ASN1_CONTEXT_C_1, ASN1_OPT |
244 ASN1_OBJ }, /* 10 */
245 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
246 { 3, "objectDigestInfo", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 12 */
247 { 4, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 13*/
248 { 4, "otherObjectTypeID", ASN1_OID, ASN1_OPT |
249 ASN1_BODY }, /* 14 */
250 { 4, "end opt", ASN1_EOC, ASN1_END }, /* 15*/
251 { 4, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 16 */
252 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 17 */
253 { 2, "v2Form", ASN1_CONTEXT_C_0, ASN1_NONE }, /* 18 */
254 { 3, "issuerName", ASN1_SEQUENCE, ASN1_OPT |
255 ASN1_OBJ }, /* 19 */
256 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */
257 { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 21 */
258 { 4, "issuerSerial", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */
259 { 5, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 23 */
260 { 5, "serial", ASN1_INTEGER, ASN1_BODY }, /* 24 */
261 { 5, "issuerUID", ASN1_BIT_STRING, ASN1_OPT |
262 ASN1_BODY }, /* 25 */
263 { 5, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
264 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 27 */
265 { 3, "objectDigestInfo", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 28 */
266 { 4, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 29 */
267 { 5, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 30 */
268 { 5, "otherObjectTypeID", ASN1_OID, ASN1_OPT |
269 ASN1_BODY }, /* 31 */
270 { 5, "end opt", ASN1_EOC, ASN1_END }, /* 32 */
271 { 5, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 33 */
272 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 34 */
273 { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 35 */
274 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 36 */
275 { 2, "attrCertValidityPeriod", ASN1_SEQUENCE, ASN1_NONE }, /* 37 */
276 { 3, "notBeforeTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */
277 { 3, "notAfterTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */
278 { 2, "attributes", ASN1_SEQUENCE, ASN1_LOOP }, /* 40 */
279 { 3, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 41 */
280 { 4, "type", ASN1_OID, ASN1_BODY }, /* 42 */
281 { 4, "values", ASN1_SET, ASN1_LOOP }, /* 43 */
282 { 5, "value", ASN1_EOC, ASN1_RAW }, /* 44 */
283 { 4, "end loop", ASN1_EOC, ASN1_END }, /* 45 */
284 { 2, "end loop", ASN1_EOC, ASN1_END }, /* 46 */
285 { 2, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 47 */
286 { 3, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 48 */
287 { 4, "extnID", ASN1_OID, ASN1_BODY }, /* 49 */
288 { 4, "critical", ASN1_BOOLEAN, ASN1_DEF |
289 ASN1_BODY }, /* 50 */
290 { 4, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 51 */
291 { 2, "end loop", ASN1_EOC, ASN1_END }, /* 52 */
292 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 53 */
293 { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY } /* 54 */
294 };
295
296 #define AC_OBJ_CERTIFICATE 0
297 #define AC_OBJ_CERTIFICATE_INFO 1
298 #define AC_OBJ_VERSION 2
299 #define AC_OBJ_HOLDER_ISSUER 5
300 #define AC_OBJ_HOLDER_SERIAL 6
301 #define AC_OBJ_ENTITY_NAME 10
302 #define AC_OBJ_ISSUER_NAME 19
303 #define AC_OBJ_ISSUER 23
304 #define AC_OBJ_SIG_ALG 35
305 #define AC_OBJ_SERIAL_NUMBER 36
306 #define AC_OBJ_NOT_BEFORE 38
307 #define AC_OBJ_NOT_AFTER 39
308 #define AC_OBJ_ATTRIBUTE_TYPE 42
309 #define AC_OBJ_ATTRIBUTE_VALUE 44
310 #define AC_OBJ_EXTN_ID 49
311 #define AC_OBJ_CRITICAL 50
312 #define AC_OBJ_EXTN_VALUE 51
313 #define AC_OBJ_ALGORITHM 53
314 #define AC_OBJ_SIGNATURE 54
315 #define AC_OBJ_ROOF 55
316
317 /**
318 * Implements x509ac_t.is_valid
319 */
320 static err_t is_valid(const private_x509ac_t *this, time_t *until)
321 {
322 time_t current_time = time(NULL);
323
324 DBG2(" not before : %T", &this->notBefore);
325 DBG2(" current time: %T", &current_time);
326 DBG2(" not after : %T", &this->notAfter);
327
328 if (until != NULL &&
329 (*until == UNDEFINED_TIME || this->notAfter < *until))
330 {
331 *until = this->notAfter;
332 }
333 if (current_time < this->notBefore)
334 {
335 return "is not valid yet";
336 }
337 if (current_time > this->notAfter)
338 {
339 return "has expired";
340 }
341 DBG2(" attribute certificate is valid");
342 return NULL;
343 }
344
345 /**
346 * parses a directoryName
347 */
348 static bool parse_directoryName(chunk_t blob, int level, bool implicit, identification_t **name)
349 {
350 bool has_directoryName;
351 linked_list_t *list = linked_list_create();
352
353 parse_generalNames(blob, level, implicit, list);
354 has_directoryName = list->get_count(list) > 0;
355
356 if (has_directoryName)
357 {
358 iterator_t *iterator = list->create_iterator(list, TRUE);
359 identification_t *directoryName;
360 bool first = TRUE;
361
362 while (iterator->iterate(iterator, (void**)&directoryName))
363 {
364 if (first)
365 {
366 *name = directoryName;
367 first = FALSE;
368 }
369 else
370 {
371 DBG1("more than one directory name - first selected");
372 directoryName->destroy(directoryName);
373 }
374 }
375 iterator->destroy(iterator);
376 }
377 else
378 {
379 DBG1("no directoryName found");
380 }
381
382 list->destroy(list);
383 return has_directoryName;
384 }
385
386 /**
387 * parses ietfAttrSyntax
388 */
389 static void parse_ietfAttrSyntax(chunk_t blob, int level0, linked_list_t *list)
390 {
391 /* TODO */
392 }
393
394 /**
395 * parses roleSyntax
396 */
397 static void parse_roleSyntax(chunk_t blob, int level0)
398 {
399 asn1_ctx_t ctx;
400 chunk_t object;
401 u_int level;
402 int objectID = 0;
403
404 asn1_init(&ctx, blob, level0, FALSE, FALSE);
405 while (objectID < ROLE_ROOF)
406 {
407 if (!extract_object(roleSyntaxObjects, &objectID, &object, &level, &ctx))
408 {
409 return;
410 }
411
412 switch (objectID)
413 {
414 default:
415 break;
416 }
417 objectID++;
418 }
419 }
420
421 /**
422 * Parses an X.509 attribute certificate
423 */
424 static bool parse_certificate(chunk_t blob, private_x509ac_t *this)
425 {
426 asn1_ctx_t ctx;
427 bool critical;
428 chunk_t object;
429 u_int level;
430 u_int type = OID_UNKNOWN;
431 u_int extn_oid = OID_UNKNOWN;
432 int objectID = 0;
433
434 asn1_init(&ctx, blob, 0, FALSE, FALSE);
435 while (objectID < AC_OBJ_ROOF)
436 {
437 if (!extract_object(acObjects, &objectID, &object, &level, &ctx))
438 {
439 return FALSE;
440 }
441
442 /* those objects which will parsed further need the next higher level */
443 level++;
444
445 switch (objectID)
446 {
447 case AC_OBJ_CERTIFICATE:
448 this->certificate = object;
449 break;
450 case AC_OBJ_CERTIFICATE_INFO:
451 this->certificateInfo = object;
452 break;
453 case AC_OBJ_VERSION:
454 this->version = (object.len) ? (1 + (u_int)*object.ptr) : 1;
455 DBG2(" v%d", this->version);
456 if (this->version != 2)
457 {
458 DBG1("v%d attribute certificates are not supported", this->version);
459 return FALSE;
460 }
461 break;
462 case AC_OBJ_HOLDER_ISSUER:
463 if (!parse_directoryName(object, level, FALSE, &this->holderIssuer))
464 {
465 return FALSE;
466 }
467 break;
468 case AC_OBJ_HOLDER_SERIAL:
469 this->holderSerial = object;
470 break;
471 case AC_OBJ_ENTITY_NAME:
472 if (!parse_directoryName(object, level, TRUE, &this->entityName))
473 {
474 return FALSE;
475 }
476 break;
477 case AC_OBJ_ISSUER_NAME:
478 if (!parse_directoryName(object, level, FALSE, &this->issuerName))
479 {
480 return FALSE;
481 }
482 break;
483 case AC_OBJ_SIG_ALG:
484 this->sigAlg = parse_algorithmIdentifier(object, level, NULL);
485 break;
486 case AC_OBJ_SERIAL_NUMBER:
487 this->serialNumber = object;
488 break;
489 case AC_OBJ_NOT_BEFORE:
490 this->notBefore = asn1totime(&object, ASN1_GENERALIZEDTIME);
491 break;
492 case AC_OBJ_NOT_AFTER:
493 this->notAfter = asn1totime(&object, ASN1_GENERALIZEDTIME);
494 break;
495 case AC_OBJ_ATTRIBUTE_TYPE:
496 type = known_oid(object);
497 break;
498 case AC_OBJ_ATTRIBUTE_VALUE:
499 {
500 switch (type)
501 {
502 case OID_AUTHENTICATION_INFO:
503 DBG2(" need to parse authenticationInfo");
504 break;
505 case OID_ACCESS_IDENTITY:
506 DBG2(" need to parse accessIdentity");
507 break;
508 case OID_CHARGING_IDENTITY:
509 parse_ietfAttrSyntax(object, level, this->charging);
510 break;
511 case OID_GROUP:
512 parse_ietfAttrSyntax(object, level, this->groups);
513 break;
514 case OID_ROLE:
515 parse_roleSyntax(object, level);
516 break;
517 default:
518 break;
519 }
520 }
521 break;
522 case AC_OBJ_EXTN_ID:
523 extn_oid = known_oid(object);
524 break;
525 case AC_OBJ_CRITICAL:
526 critical = object.len && *object.ptr;
527 DBG2(" %s",(critical)?"TRUE":"FALSE");
528 break;
529 case AC_OBJ_EXTN_VALUE:
530 {
531 switch (extn_oid)
532 {
533 case OID_CRL_DISTRIBUTION_POINTS:
534 DBG2(" need to parse crlDistributionPoints");
535 break;
536 case OID_AUTHORITY_KEY_ID:
537 parse_authorityKeyIdentifier(object, level,
538 &this->authKeyID, &this->authKeySerialNumber);
539 break;
540 case OID_TARGET_INFORMATION:
541 DBG2(" need to parse targetInformation");
542 break;
543 case OID_NO_REV_AVAIL:
544 this->noRevAvail = TRUE;
545 break;
546 default:
547 break;
548 }
549 }
550 break;
551 case AC_OBJ_ALGORITHM:
552 this->algorithm = parse_algorithmIdentifier(object, level, NULL);
553 break;
554 case AC_OBJ_SIGNATURE:
555 this->signature = object;
556 break;
557 default:
558 break;
559 }
560 objectID++;
561 }
562 this->installed = time(NULL);
563 return FALSE;
564 }
565
566 /**
567 * Implements x509ac_t.destroy
568 */
569 static void destroy(private_x509ac_t *this)
570 {
571 DESTROY_IF(this->holderIssuer);
572 DESTROY_IF(this->entityName);
573 DESTROY_IF(this->issuerName);
574 free(this->certificate.ptr);
575 free(this);
576 }
577
578 /*
579 * Described in header.
580 */
581 x509ac_t *x509ac_create_from_chunk(chunk_t chunk)
582 {
583 private_x509ac_t *this = malloc_thing(private_x509ac_t);
584
585 /* initialize */
586 this->holderIssuer = NULL;
587 this->entityName = NULL;
588 this->issuerName = NULL;
589
590 /* public functions */
591 this->public.is_valid = (err_t (*) (const x509ac_t*,time_t*))is_valid;
592 this->public.destroy = (void (*) (x509ac_t*))destroy;
593
594 if (!parse_certificate(chunk, this))
595 {
596 destroy(this);
597 return NULL;
598 }
599 return &this->public;
600 }
601
602 /*
603 * Described in header.
604 */
605 x509ac_t *x509ac_create_from_file(const char *filename)
606 {
607 bool pgp = FALSE;
608 chunk_t chunk = chunk_empty;
609
610 if (!pem_asn1_load_file(filename, NULL, "attribute certificate", &chunk, &pgp))
611 {
612 return NULL;
613 }
614 return x509ac_create_from_chunk(chunk);
615 }
616