added crl support
[strongswan.git] / src / libstrongswan / crypto / crl.c
1 /**
2 * @file crl.c
3 *
4 * @brief Implementation of crl_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Andreas Steffen
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <sys/stat.h>
24 #include <unistd.h>
25 #include <string.h>
26
27 #include <types.h>
28 #include <definitions.h>
29 #include <asn1/oid.h>
30 #include <asn1/asn1.h>
31 #include <asn1/pem.h>
32 #include <utils/logger_manager.h>
33 #include <utils/linked_list.h>
34 #include <utils/identification.h>
35
36 #include "crl.h"
37 #include "x509.h"
38
39 #define CRL_WARNING_INTERVAL 7 /* days */
40
41 static logger_t *logger;
42
43 /* access structure for a revoked certificate */
44
45 typedef struct revokedCert_t revokedCert_t;
46
47 struct revokedCert_t {
48 chunk_t userCertificate;
49 time_t revocationDate;
50 crl_reason_t revocationReason;
51 };
52
53 typedef struct private_crl_t private_crl_t;
54
55 /**
56 * Private data of a crl_t object.
57 */
58 struct private_crl_t {
59 /**
60 * Public interface for this crl.
61 */
62 crl_t public;
63
64 /**
65 * Time when crl was installed
66 */
67 time_t installed;
68
69 /**
70 * List of crlDistributionPoints
71 */
72 linked_list_t *crlDistributionPoints;
73
74 /**
75 * X.509 crl in DER format
76 */
77 chunk_t certificateList;
78
79 /**
80 * X.509 crl body over which signature is computed
81 */
82 chunk_t tbsCertList;
83
84 /**
85 * Version of the X.509 crl
86 */
87 u_int version;
88
89 /**
90 * Signature algorithm
91 */
92 int sigAlg;
93
94 /**
95 * ID representing the crl issuer
96 */
97 identification_t *issuer;
98
99 /**
100 * Time when the crl was generated
101 */
102 time_t thisUpdate;
103
104 /**
105 * Time when an update crl will be available
106 */
107 time_t nextUpdate;
108
109 /**
110 * List of identification_t's representing subjectAltNames
111 */
112 linked_list_t *revokedCertificates;
113
114 /**
115 * Authority Key Identifier
116 */
117 chunk_t authKeyID;
118
119 /**
120 * Authority Key Serial Number
121 */
122 chunk_t authKeySerialNumber;
123
124 /**
125 * Signature algorithm (must be identical to sigAlg)
126 */
127 int algorithm;
128
129 /**
130 * Signature
131 */
132 chunk_t signature;
133 };
134
135 /* ASN.1 definition of an X.509 certificate revocation list */
136
137 static const asn1Object_t crlObjects[] = {
138 { 0, "certificateList", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
139 { 1, "tbsCertList", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
140 { 2, "version", ASN1_INTEGER, ASN1_OPT |
141 ASN1_BODY }, /* 2 */
142 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
143 { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 4 */
144 { 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */
145 { 2, "thisUpdate", ASN1_EOC, ASN1_RAW }, /* 6 */
146 { 2, "nextUpdate", ASN1_EOC, ASN1_RAW }, /* 7 */
147 { 2, "revokedCertificates", ASN1_SEQUENCE, ASN1_OPT |
148 ASN1_LOOP }, /* 8 */
149 { 3, "certList", ASN1_SEQUENCE, ASN1_NONE }, /* 9 */
150 { 4, "userCertificate", ASN1_INTEGER, ASN1_BODY }, /* 10 */
151 { 4, "revocationDate", ASN1_EOC, ASN1_RAW }, /* 11 */
152 { 4, "crlEntryExtensions", ASN1_SEQUENCE, ASN1_OPT |
153 ASN1_LOOP }, /* 12 */
154 { 5, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 13 */
155 { 6, "extnID", ASN1_OID, ASN1_BODY }, /* 14 */
156 { 6, "critical", ASN1_BOOLEAN, ASN1_DEF |
157 ASN1_BODY }, /* 15 */
158 { 6, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 16 */
159 { 4, "end opt or loop", ASN1_EOC, ASN1_END }, /* 17 */
160 { 2, "end opt or loop", ASN1_EOC, ASN1_END }, /* 18 */
161 { 2, "optional extensions", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 19 */
162 { 3, "crlExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 20 */
163 { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 21 */
164 { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 22 */
165 { 5, "critical", ASN1_BOOLEAN, ASN1_DEF |
166 ASN1_BODY }, /* 23 */
167 { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 24 */
168 { 3, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
169 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
170 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 27 */
171 { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY } /* 28 */
172 };
173
174 #define CRL_OBJ_CERTIFICATE_LIST 0
175 #define CRL_OBJ_TBS_CERT_LIST 1
176 #define CRL_OBJ_VERSION 2
177 #define CRL_OBJ_SIG_ALG 4
178 #define CRL_OBJ_ISSUER 5
179 #define CRL_OBJ_THIS_UPDATE 6
180 #define CRL_OBJ_NEXT_UPDATE 7
181 #define CRL_OBJ_USER_CERTIFICATE 10
182 #define CRL_OBJ_REVOCATION_DATE 11
183 #define CRL_OBJ_CRL_ENTRY_EXTN_ID 14
184 #define CRL_OBJ_CRL_ENTRY_CRITICAL 15
185 #define CRL_OBJ_CRL_ENTRY_EXTN_VALUE 16
186 #define CRL_OBJ_EXTN_ID 22
187 #define CRL_OBJ_CRITICAL 23
188 #define CRL_OBJ_EXTN_VALUE 24
189 #define CRL_OBJ_ALGORITHM 27
190 #define CRL_OBJ_SIGNATURE 28
191 #define CRL_OBJ_ROOF 29
192
193 /**
194 * Parses a CRL revocation reason code
195 */
196 static crl_reason_t parse_crl_reasonCode(chunk_t object)
197 {
198 crl_reason_t reason = REASON_UNSPECIFIED;
199
200 if (*object.ptr == ASN1_ENUMERATED && asn1_length(&object) == 1)
201 {
202 reason = *object.ptr;
203 }
204 /* TODO logger->log(logger, CONTROL|LEVEL2, " '%s'", enum_name(&crl_reason_names, reason)) */
205 return reason;
206 }
207
208 /**
209 * Parses an X.509 Certificate Revocation List (CRL)
210 */
211 bool parse_x509crl(chunk_t blob, u_int level0, private_crl_t *crl)
212 {
213 u_char buf[BUF_LEN];
214 asn1_ctx_t ctx;
215 bool critical;
216 chunk_t extnID;
217 chunk_t userCertificate;
218 revokedCert_t *revokedCert;
219 chunk_t object;
220 u_int level;
221 int objectID = 0;
222
223 asn1_init(&ctx, blob, level0, FALSE);
224
225 while (objectID < CRL_OBJ_ROOF)
226 {
227 if (!extract_object(crlObjects, &objectID, &object, &level, &ctx))
228 return FALSE;
229
230 /* those objects which will parsed further need the next higher level */
231 level++;
232
233 switch (objectID)
234 {
235 case CRL_OBJ_CERTIFICATE_LIST:
236 crl->certificateList = object;
237 break;
238 case CRL_OBJ_TBS_CERT_LIST:
239 crl->tbsCertList = object;
240 break;
241 case CRL_OBJ_VERSION:
242 crl->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
243 logger->log(logger, CONTROL|LEVEL2, " v%d", crl->version);
244 break;
245 case CRL_OBJ_SIG_ALG:
246 crl->sigAlg = parse_algorithmIdentifier(object, level, NULL);
247 break;
248 case CRL_OBJ_ISSUER:
249 crl->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
250 logger->log(logger, CONTROL|LEVEL1, " '%s'", crl->issuer->get_string(crl->issuer));
251 break;
252 case CRL_OBJ_THIS_UPDATE:
253 crl->thisUpdate = parse_time(object, level);
254 break;
255 case CRL_OBJ_NEXT_UPDATE:
256 crl->nextUpdate = parse_time(object, level);
257 break;
258 case CRL_OBJ_USER_CERTIFICATE:
259 userCertificate = object;
260 break;
261 case CRL_OBJ_REVOCATION_DATE:
262 revokedCert = malloc_thing(revokedCert_t);
263 revokedCert->userCertificate = userCertificate;
264 revokedCert->revocationDate = parse_time(object, level);
265 revokedCert->revocationReason = REASON_UNSPECIFIED;
266 crl->revokedCertificates->insert_last(crl->revokedCertificates, (void *)revokedCert);
267 break;
268 case CRL_OBJ_CRL_ENTRY_EXTN_ID:
269 case CRL_OBJ_EXTN_ID:
270 extnID = object;
271 break;
272 case CRL_OBJ_CRL_ENTRY_CRITICAL:
273 case CRL_OBJ_CRITICAL:
274 critical = object.len && *object.ptr;
275 logger->log(logger, CONTROL|LEVEL2, " %s",(critical)?"TRUE":"FALSE");
276 break;
277 case CRL_OBJ_CRL_ENTRY_EXTN_VALUE:
278 case CRL_OBJ_EXTN_VALUE:
279 {
280 int extn_oid = known_oid(extnID);
281
282 if (extn_oid == OID_CRL_REASON_CODE)
283 {
284 revokedCert->revocationReason = parse_crl_reasonCode(object);
285 }
286 else if (extn_oid == OID_AUTHORITY_KEY_ID)
287 {
288 parse_authorityKeyIdentifier(object, level, &crl->authKeyID, &crl->authKeySerialNumber);
289 }
290 }
291 break;
292 case CRL_OBJ_ALGORITHM:
293 crl->algorithm = parse_algorithmIdentifier(object, level, NULL);
294 break;
295 case CRL_OBJ_SIGNATURE:
296 crl->signature = object;
297 break;
298 default:
299 break;
300 }
301 objectID++;
302 }
303 time(&crl->installed);
304 return TRUE;
305 }
306
307 /**
308 * Implements crl_t.is_valid
309 */
310 static err_t is_valid(const private_crl_t *this, time_t *until, bool strict)
311 {
312 char buf[TIMETOA_BUF];
313
314 time_t current_time = time(NULL);
315
316 timetoa(buf, BUF_LEN, &this->thisUpdate, TRUE);
317 logger->log(logger, CONTROL|LEVEL1, " this update : %s", buf);
318 timetoa(buf, BUF_LEN, &current_time, TRUE);
319 logger->log(logger, CONTROL|LEVEL1, " current time: %s", buf);
320 timetoa(buf, BUF_LEN, &this->nextUpdate, TRUE);
321 logger->log(logger, CONTROL|LEVEL1, " next update: %s", buf);
322
323 if (strict && until != NULL
324 && (*until == UNDEFINED_TIME || this->nextUpdate < *until))
325 {
326 *until = this->nextUpdate;
327 }
328 if (current_time > this->nextUpdate)
329 return "has expired";
330 logger->log(logger, CONTROL|LEVEL1, " crl is valid", buf);
331 return NULL;
332 }
333
334 /**
335 * Implements crl_t.get_issuer
336 */
337 static identification_t *get_issuer(const private_crl_t *this)
338 {
339 return this->issuer;
340 }
341
342 /**
343 * Implements crl_t.equals_issuer
344 */
345 static bool equals_issuer(const private_crl_t *this, const private_crl_t *other)
346 {
347 return (this->authKeyID.ptr)
348 ? chunk_equals(this->authKeyID, other->authKeyID)
349 : (this->issuer->equals(this->issuer, other->issuer)
350 && chunk_equals_or_null(this->authKeySerialNumber, other->authKeySerialNumber));
351 }
352
353 /**
354 * destroy
355 */
356 static void destroy(private_crl_t *this)
357 {
358 revokedCert_t *revokedCert;
359 identification_t *id;
360
361 while (this->revokedCertificates->remove_last(this->revokedCertificates, (void**)&revokedCert) == SUCCESS)
362 {
363 free(revokedCert);
364 }
365 this->revokedCertificates->destroy(this->revokedCertificates);
366
367 while (this->crlDistributionPoints->remove_last(this->crlDistributionPoints, (void**)&id) == SUCCESS)
368 {
369 id->destroy(id);
370 }
371 this->crlDistributionPoints->destroy(this->crlDistributionPoints);
372
373 if (this->issuer)
374 this->issuer->destroy(this->issuer);
375
376 free(this->certificateList.ptr);
377 free(this);
378 }
379
380 /**
381 * log crl
382 */
383 static void log_crl(const private_crl_t *this, logger_t *logger, bool utc, bool strict)
384 {
385 identification_t *issuer = this->issuer;
386 linked_list_t *crlDistributionPoints = this->crlDistributionPoints;
387 linked_list_t *revokedCertificates = this->revokedCertificates;
388
389 char buf[BUF_LEN];
390
391 /* determine the current time */
392 time_t now = time(NULL);
393
394 timetoa(buf, BUF_LEN, &this->installed, utc);
395 logger->log(logger, CONTROL, "%s, revoked certs: %d",
396 buf, revokedCertificates->get_count(revokedCertificates));
397
398 logger->log(logger, CONTROL, " issuer: '%s'", issuer->get_string(issuer));
399
400 timetoa(buf, BUF_LEN, &this->thisUpdate, utc);
401 logger->log(logger, CONTROL, " updates: this %s", buf);
402
403 timetoa(buf, BUF_LEN, &this->nextUpdate, utc);
404 logger->log(logger, CONTROL, " next %s %s", buf,
405 check_expiry(this->nextUpdate, CRL_WARNING_INTERVAL, strict));
406
407 if (this->authKeyID.ptr != NULL)
408 {
409 chunk_to_hex(buf, BUF_LEN, this->authKeyID);
410 logger->log(logger, CONTROL, " authkey: %s", buf);
411 }
412 if (this->authKeySerialNumber.ptr != NULL)
413 {
414 chunk_to_hex(buf, BUF_LEN, this->authKeySerialNumber);
415 logger->log(logger, CONTROL, " aserial: %s", buf);
416 }
417 }
418
419 /*
420 * Described in header.
421 */
422 crl_t *crl_create_from_chunk(chunk_t chunk)
423 {
424 private_crl_t *this = malloc_thing(private_crl_t);
425
426 /* initialize */
427 this->crlDistributionPoints = linked_list_create();
428 this->tbsCertList = CHUNK_INITIALIZER;
429 this->issuer = NULL;
430 this->revokedCertificates = linked_list_create();
431 this->authKeyID = CHUNK_INITIALIZER;
432 this->authKeySerialNumber = CHUNK_INITIALIZER;
433
434 /* public functions */
435 this->public.is_valid = (err_t (*) (const crl_t*,time_t*))is_valid;
436 this->public.destroy = (void (*) (crl_t*))destroy;
437 this->public.get_issuer = (identification_t* (*) (const crl_t*))get_issuer;
438 this->public.equals_issuer = (bool (*) (const crl_t*, const crl_t*))equals_issuer;
439 this->public.log_crl = (void (*) (const crl_t*,logger_t*,bool,bool))log_crl;
440
441 /* we do not use a per-instance logger right now, since its not always accessible */
442 logger = logger_manager->get_logger(logger_manager, ASN1);
443
444 if (!parse_x509crl(chunk, 0, this))
445 {
446 destroy(this);
447 return NULL;
448 }
449
450 return &this->public;
451 }
452
453 /*
454 * Described in header.
455 */
456 crl_t *crl_create_from_file(const char *filename)
457 {
458 bool pgp = FALSE;
459 chunk_t chunk = CHUNK_INITIALIZER;
460 crl_t *crl = NULL;
461
462 if (!pem_asn1_load_file(filename, "", "crl", &chunk, &pgp))
463 return NULL;
464
465 crl = crl_create_from_chunk(chunk);
466
467 if (crl == NULL)
468 free(chunk.ptr);
469 return crl;
470 }