started to parse attribute certificates
[strongswan.git] / src / libstrongswan / crypto / ac.c
1 /**
2 * @file ac.c
3 *
4 * @brief Implementation of x509ac_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
10 * Copyright (C) 2003 Martin Berner, Lukas Suter
11 * Copyright (C) 2007 Andreas Steffen, Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include <debug.h>
25
26 #include <asn1/asn1.h>
27 #include <utils/identification.h>
28 #include <utils/linked_list.h>
29
30 #include "ac.h"
31
32 typedef struct private_x509ac_t private_x509ac_t;
33
34 /**
35 * Private data of a x509ac_t object.
36 */
37 struct private_x509ac_t {
38 /**
39 * Public interface for this attribute certificate.
40 */
41 x509ac_t public;
42
43 /**
44 * Time when attribute certificate was installed
45 */
46 time_t installed;
47
48 /**
49 * X.509 attribute certificate in DER format
50 */
51 chunk_t certificate;
52
53 /**
54 * X.509 attribute certificate body over which signature is computed
55 */
56 chunk_t certificateInfo;
57
58 /**
59 * Version of the X.509 attribute certificate
60 */
61 u_int version;
62
63 /**
64 * Serial number of the X.509 attribute certificate
65 */
66 chunk_t serialNumber;
67
68 /**
69 * ID representing the issuer of the holder certificate
70 */
71 identification_t *holderIssuer;
72
73 /**
74 * Serial number of the holder certificate
75 */
76 chunk_t holderSerial;
77
78 /**
79 * ID representing the holder
80 */
81 identification_t *entityName;
82
83 /**
84 * ID representing the attribute certificate issuer
85 */
86 identification_t *issuerName;
87
88 /**
89 * Signature algorithm
90 */
91 int sigAlg;
92
93 /**
94 * Start time of certificate validity
95 */
96 time_t notBefore;
97
98 /**
99 * End time of certificate validity
100 */
101 time_t notAfter;
102
103 /**
104 * List of charging attributes
105 */
106 linked_list_t *charging;
107
108 /**
109 * List of groub attributes
110 */
111 linked_list_t *groups;
112
113 /**
114 * Authority Key Identifier
115 */
116 chunk_t authKeyID;
117
118 /**
119 * Authority Key Serial Number
120 */
121 chunk_t authKeySerialNumber;
122
123 /**
124 * No revocation information available
125 */
126 bool noRevAvail;
127
128 /**
129 * Signature algorithm (must be identical to sigAlg)
130 */
131 int algorithm;
132
133 /**
134 * Signature
135 */
136 chunk_t signature;
137 };
138
139 /**
140 * definition of ietfAttribute kinds
141 */
142 typedef enum {
143 IETF_ATTRIBUTE_OCTETS = 0,
144 IETF_ATTRIBUTE_OID = 1,
145 IETF_ATTRIBUTE_STRING = 2
146 } ietfAttribute_t;
147
148 /**
149 * access structure for an ietfAttribute
150 */
151 typedef struct ietfAttr ietfAttr_t;
152
153 struct ietfAttr {
154 time_t installed;
155 int count;
156 ietfAttribute_t kind;
157 chunk_t value;
158 };
159
160 /**
161 * ASN.1 definition of ietfAttrSyntax
162 */
163 static const asn1Object_t ietfAttrSyntaxObjects[] =
164 {
165 { 0, "ietfAttrSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
166 { 1, "policyAuthority", ASN1_CONTEXT_C_0, ASN1_OPT |
167 ASN1_BODY }, /* 1 */
168 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
169 { 1, "values", ASN1_SEQUENCE, ASN1_LOOP }, /* 3 */
170 { 2, "octets", ASN1_OCTET_STRING, ASN1_OPT |
171 ASN1_BODY }, /* 4 */
172 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
173 { 2, "oid", ASN1_OID, ASN1_OPT |
174 ASN1_BODY }, /* 6 */
175 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
176 { 2, "string", ASN1_UTF8STRING, ASN1_OPT |
177 ASN1_BODY }, /* 8 */
178 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
179 { 1, "end loop", ASN1_EOC, ASN1_END } /* 10 */
180 };
181
182 #define IETF_ATTR_OCTETS 4
183 #define IETF_ATTR_OID 6
184 #define IETF_ATTR_STRING 8
185 #define IETF_ATTR_ROOF 11
186
187 /**
188 * ASN.1 definition of roleSyntax
189 */
190 static const asn1Object_t roleSyntaxObjects[] =
191 {
192 { 0, "roleSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
193 { 1, "roleAuthority", ASN1_CONTEXT_C_0, ASN1_OPT |
194 ASN1_OBJ }, /* 1 */
195 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
196 { 1, "roleName", ASN1_CONTEXT_C_1, ASN1_OBJ } /* 3 */
197 };
198
199 #define ROLE_ROOF 4
200
201 /**
202 * ASN.1 definition of an X509 attribute certificate
203 */
204 static const asn1Object_t acObjects[] =
205 {
206 { 0, "AttributeCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
207 { 1, "AttributeCertificateInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
208 { 2, "version", ASN1_INTEGER, ASN1_DEF |
209 ASN1_BODY }, /* 2 */
210 { 2, "holder", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */
211 { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 4 */
212 { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */
213 { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 6 */
214 { 4, "issuerUID", ASN1_BIT_STRING, ASN1_OPT |
215 ASN1_BODY }, /* 7 */
216 { 4, "end opt", ASN1_EOC, ASN1_END }, /* 8 */
217 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
218 { 3, "entityName", ASN1_CONTEXT_C_1, ASN1_OPT |
219 ASN1_OBJ }, /* 10 */
220 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
221 { 3, "objectDigestInfo", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 12 */
222 { 4, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 13*/
223 { 4, "otherObjectTypeID", ASN1_OID, ASN1_OPT |
224 ASN1_BODY }, /* 14 */
225 { 4, "end opt", ASN1_EOC, ASN1_END }, /* 15*/
226 { 4, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 16 */
227 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 17 */
228 { 2, "v2Form", ASN1_CONTEXT_C_0, ASN1_NONE }, /* 18 */
229 { 3, "issuerName", ASN1_SEQUENCE, ASN1_OPT |
230 ASN1_OBJ }, /* 19 */
231 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */
232 { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 21 */
233 { 4, "issuerSerial", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */
234 { 5, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 23 */
235 { 5, "serial", ASN1_INTEGER, ASN1_BODY }, /* 24 */
236 { 5, "issuerUID", ASN1_BIT_STRING, ASN1_OPT |
237 ASN1_BODY }, /* 25 */
238 { 5, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
239 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 27 */
240 { 3, "objectDigestInfo", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 28 */
241 { 4, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 29 */
242 { 5, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 30 */
243 { 5, "otherObjectTypeID", ASN1_OID, ASN1_OPT |
244 ASN1_BODY }, /* 31 */
245 { 5, "end opt", ASN1_EOC, ASN1_END }, /* 32 */
246 { 5, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 33 */
247 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 34 */
248 { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 35 */
249 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 36 */
250 { 2, "attrCertValidityPeriod", ASN1_SEQUENCE, ASN1_NONE }, /* 37 */
251 { 3, "notBeforeTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */
252 { 3, "notAfterTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */
253 { 2, "attributes", ASN1_SEQUENCE, ASN1_LOOP }, /* 40 */
254 { 3, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 41 */
255 { 4, "type", ASN1_OID, ASN1_BODY }, /* 42 */
256 { 4, "values", ASN1_SET, ASN1_LOOP }, /* 43 */
257 { 5, "value", ASN1_EOC, ASN1_RAW }, /* 44 */
258 { 4, "end loop", ASN1_EOC, ASN1_END }, /* 45 */
259 { 2, "end loop", ASN1_EOC, ASN1_END }, /* 46 */
260 { 2, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 47 */
261 { 3, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 48 */
262 { 4, "extnID", ASN1_OID, ASN1_BODY }, /* 49 */
263 { 4, "critical", ASN1_BOOLEAN, ASN1_DEF |
264 ASN1_BODY }, /* 50 */
265 { 4, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 51 */
266 { 2, "end loop", ASN1_EOC, ASN1_END }, /* 52 */
267 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 53 */
268 { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY } /* 54 */
269 };
270
271 #define AC_OBJ_CERTIFICATE 0
272 #define AC_OBJ_CERTIFICATE_INFO 1
273 #define AC_OBJ_VERSION 2
274 #define AC_OBJ_HOLDER_ISSUER 5
275 #define AC_OBJ_HOLDER_SERIAL 6
276 #define AC_OBJ_ENTITY_NAME 10
277 #define AC_OBJ_ISSUER_NAME 19
278 #define AC_OBJ_ISSUER 23
279 #define AC_OBJ_SIG_ALG 35
280 #define AC_OBJ_SERIAL_NUMBER 36
281 #define AC_OBJ_NOT_BEFORE 38
282 #define AC_OBJ_NOT_AFTER 39
283 #define AC_OBJ_ATTRIBUTE_TYPE 42
284 #define AC_OBJ_ATTRIBUTE_VALUE 44
285 #define AC_OBJ_EXTN_ID 49
286 #define AC_OBJ_CRITICAL 50
287 #define AC_OBJ_EXTN_VALUE 51
288 #define AC_OBJ_ALGORITHM 53
289 #define AC_OBJ_SIGNATURE 54
290 #define AC_OBJ_ROOF 55
291
292 /**
293 * Implements x509ac_t.is_valid
294 */
295 static err_t is_valid(const private_x509ac_t *this, time_t *until)
296 {
297 time_t current_time = time(NULL);
298
299 DBG2(" not before : %T", &this->notBefore);
300 DBG2(" current time: %T", &current_time);
301 DBG2(" not after : %T", &this->notAfter);
302
303 if (until != NULL &&
304 (*until == UNDEFINED_TIME || this->notAfter < *until))
305 {
306 *until = this->notAfter;
307 }
308 if (current_time < this->notBefore)
309 {
310 return "is not valid yet";
311 }
312 if (current_time > this->notAfter)
313 {
314 return "has expired";
315 }
316 DBG2(" attribute certificate is valid");
317 return NULL;
318 }
319
320 /**
321 * parses a directoryName
322 */
323 static bool parse_directoryName(chunk_t blob, int level, bool implicit, identification_t **name)
324 {
325 *name = NULL;
326 return FALSE;
327 }
328
329 /**
330 * parses ietfAttrSyntax
331 */
332 static void parse_ietfAttrSyntax(chunk_t blob, int level0, linked_list_t *list)
333 {
334 /* TODO */
335 }
336
337 /**
338 * parses roleSyntax
339 */
340 static void parse_roleSyntax(chunk_t blob, int level0)
341 {
342 asn1_ctx_t ctx;
343 chunk_t object;
344 u_int level;
345 int objectID = 0;
346
347 asn1_init(&ctx, blob, level0, FALSE, FALSE);
348 while (objectID < ROLE_ROOF)
349 {
350 if (!extract_object(roleSyntaxObjects, &objectID, &object, &level, &ctx))
351 {
352 return;
353 }
354
355 switch (objectID)
356 {
357 default:
358 break;
359 }
360 objectID++;
361 }
362 }
363
364 /**
365 * Parses an X.509 attribute certificate
366 */
367 static bool parse_certificate(chunk_t blob, private_x509ac_t *this)
368 {
369 asn1_ctx_t ctx;
370 bool critical;
371 chunk_t object;
372 u_int level;
373 u_int type = OID_UNKNOWN;
374 u_int extn_oid = OID_UNKNOWN;
375 int objectID = 0;
376
377 asn1_init(&ctx, blob, 0, FALSE, FALSE);
378 while (objectID < AC_OBJ_ROOF)
379 {
380 if (!extract_object(acObjects, &objectID, &object, &level, &ctx))
381 {
382 return FALSE;
383 }
384
385 /* those objects which will parsed further need the next higher level */
386 level++;
387
388 switch (objectID)
389 {
390 case AC_OBJ_CERTIFICATE:
391 this->certificate = object;
392 break;
393 case AC_OBJ_CERTIFICATE_INFO:
394 this->certificateInfo = object;
395 break;
396 case AC_OBJ_VERSION:
397 this->version = (object.len) ? (1 + (u_int)*object.ptr) : 1;
398 DBG2(" v%d", this->version);
399 if (this->version != 2)
400 {
401 DBG1("v%d attribute certificates are not supported", this->version);
402 return FALSE;
403 }
404 break;
405 case AC_OBJ_HOLDER_ISSUER:
406 if (!parse_directoryName(object, level, FALSE, &this->holderIssuer));
407 {
408 return FALSE;
409 }
410 break;
411 case AC_OBJ_HOLDER_SERIAL:
412 this->holderSerial = object;
413 break;
414 case AC_OBJ_ENTITY_NAME:
415 if (!parse_directoryName(object, level, FALSE, &this->entityName));
416 {
417 return FALSE;
418 }
419 break;
420 case AC_OBJ_ISSUER_NAME:
421 if (!parse_directoryName(object, level, FALSE, &this->issuerName));
422 {
423 return FALSE;
424 }
425 break;
426 case AC_OBJ_SIG_ALG:
427 this->sigAlg = parse_algorithmIdentifier(object, level, NULL);
428 break;
429 case AC_OBJ_SERIAL_NUMBER:
430 this->serialNumber = object;
431 break;
432 case AC_OBJ_NOT_BEFORE:
433 this->notBefore = asn1totime(&object, ASN1_GENERALIZEDTIME);
434 break;
435 case AC_OBJ_NOT_AFTER:
436 this->notAfter = asn1totime(&object, ASN1_GENERALIZEDTIME);
437 break;
438 case AC_OBJ_ATTRIBUTE_TYPE:
439 type = known_oid(object);
440 break;
441 case AC_OBJ_ATTRIBUTE_VALUE:
442 {
443 switch (type)
444 {
445 case OID_AUTHENTICATION_INFO:
446 DBG2(" need to parse authenticationInfo");
447 break;
448 case OID_ACCESS_IDENTITY:
449 DBG2(" need to parse accessIdentity");
450 break;
451 case OID_CHARGING_IDENTITY:
452 parse_ietfAttrSyntax(object, level, this->charging);
453 break;
454 case OID_GROUP:
455 parse_ietfAttrSyntax(object, level, this->groups);
456 break;
457 case OID_ROLE:
458 parse_roleSyntax(object, level);
459 break;
460 default:
461 break;
462 }
463 }
464 break;
465 case AC_OBJ_EXTN_ID:
466 extn_oid = known_oid(object);
467 break;
468 case AC_OBJ_CRITICAL:
469 critical = object.len && *object.ptr;
470 DBG2(" %s",(critical)?"TRUE":"FALSE");
471 break;
472 case AC_OBJ_EXTN_VALUE:
473 {
474 switch (extn_oid)
475 {
476 case OID_CRL_DISTRIBUTION_POINTS:
477 DBG2(" need to parse crlDistributionPoints");
478 break;
479 case OID_AUTHORITY_KEY_ID:
480 parse_authorityKeyIdentifier(object, level,
481 &this->authKeyID, &this->authKeySerialNumber);
482 break;
483 case OID_TARGET_INFORMATION:
484 DBG2(" need to parse targetInformation");
485 break;
486 case OID_NO_REV_AVAIL:
487 this->noRevAvail = TRUE;
488 break;
489 default:
490 break;
491 }
492 }
493 break;
494 case AC_OBJ_ALGORITHM:
495 this->algorithm = parse_algorithmIdentifier(object, level, NULL);
496 break;
497 case AC_OBJ_SIGNATURE:
498 this->signature = object;
499 break;
500 default:
501 break;
502 }
503 objectID++;
504 }
505 this->installed = time(NULL);
506 return FALSE;
507 }
508
509 /**
510 * Implements x509ac_t.destroy
511 */
512 static void destroy(private_x509ac_t *this)
513 {
514 DESTROY_IF(this->holderIssuer);
515 DESTROY_IF(this->entityName);
516 DESTROY_IF(this->issuerName);
517 free(this->certificate.ptr);
518 free(this);
519 }
520
521 /*
522 * Described in header.
523 */
524 x509ac_t *x509ac_create_from_chunk(chunk_t chunk)
525 {
526 private_x509ac_t *this = malloc_thing(private_x509ac_t);
527
528 /* initialize */
529 this->holderIssuer = NULL;
530 this->entityName = NULL;
531 this->issuerName = NULL;
532
533 /* public functions */
534 this->public.is_valid = (err_t (*) (const x509ac_t*,time_t*))is_valid;
535 this->public.destroy = (void (*) (x509ac_t*))destroy;
536
537 if (!parse_certificate(chunk, this))
538 {
539 destroy(this);
540 return NULL;
541 }
542 return &this->public;
543 }
544
545 /*
546 * Described in header.
547 */
548 x509ac_t *x509ac_create_from_file(const char *filename)
549 {
550 bool pgp = FALSE;
551 chunk_t chunk = chunk_empty;
552 x509ac_t *cert = NULL;
553
554 if (!pem_asn1_load_file(filename, NULL, "attribute certificate", &chunk, &pgp))
555 {
556 return NULL;
557 }
558 cert = x509ac_create_from_chunk(chunk);
559
560 if (cert == NULL)
561 {
562 free(chunk.ptr);
563 }
564 return cert;
565 }
566