fully implemented x509_create()
[strongswan.git] / src / libstrongswan / crypto / x509.c
1 /**
2 * @file x509.c
3 *
4 * @brief Implementation of x509_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
10 * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
11 * Copyright (C) 2002 Mario Strasser
12 * Copyright (C) 2006 Martin Willi
13 * Copyright (C) 2000-2008 Andreas Steffen
14 *
15 * Hochschule fuer Technik Rapperswil
16 *
17 * This program is free software; you can redistribute it and/or modify it
18 * under the terms of the GNU General Public License as published by the
19 * Free Software Foundation; either version 2 of the License, or (at your
20 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
21 *
22 * This program is distributed in the hope that it will be useful, but
23 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
24 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
25 * for more details.
26 *
27 * RCSID $Id$
28 */
29
30 #include <gmp.h>
31 #include <sys/stat.h>
32 #include <unistd.h>
33 #include <string.h>
34 #include <stdio.h>
35
36 #include "x509.h"
37 #include "hashers/hasher.h"
38 #include <library.h>
39 #include <debug.h>
40 #include <asn1/oid.h>
41 #include <asn1/asn1.h>
42 #include <asn1/pem.h>
43 #include <utils/linked_list.h>
44 #include <utils/identification.h>
45
46 #define CERT_WARNING_INTERVAL 30 /* days */
47
48 /**
49 * Different kinds of generalNames
50 */
51 typedef enum generalNames_t generalNames_t;
52
53 enum generalNames_t {
54 GN_OTHER_NAME = 0,
55 GN_RFC822_NAME = 1,
56 GN_DNS_NAME = 2,
57 GN_X400_ADDRESS = 3,
58 GN_DIRECTORY_NAME = 4,
59 GN_EDI_PARTY_NAME = 5,
60 GN_URI = 6,
61 GN_IP_ADDRESS = 7,
62 GN_REGISTERED_ID = 8,
63 };
64
65 typedef struct private_x509_t private_x509_t;
66
67 /**
68 * Private data of a x509_t object.
69 */
70 struct private_x509_t {
71 /**
72 * Public interface for this certificate.
73 */
74 x509_t public;
75
76 /**
77 * Time when certificate was installed
78 */
79 time_t installed;
80
81 /**
82 * Time until certificate can be trusted
83 */
84 time_t until;
85
86 /**
87 * Certificate status
88 */
89 cert_status_t status;
90
91 /**
92 * Authority flags
93 */
94 u_int authority_flags;
95
96 /**
97 * X.509 Certificate in DER format
98 */
99 chunk_t certificate;
100
101 /**
102 * X.509 certificate body over which signature is computed
103 */
104 chunk_t tbsCertificate;
105
106 /**
107 * Version of the X.509 certificate
108 */
109 u_int version;
110
111 /**
112 * Serial number of the X.509 certificate
113 */
114 chunk_t serialNumber;
115
116 /**
117 * Signature algorithm
118 */
119 int signatureAlgorithm;
120
121 /**
122 * ID representing the certificate issuer
123 */
124 identification_t *issuer;
125
126 /**
127 * link to the info recored of the certificate issuer
128 */
129 ca_info_t *ca_info;
130
131 /**
132 * Start time of certificate validity
133 */
134 time_t notBefore;
135
136 /**
137 * End time of certificate validity
138 */
139 time_t notAfter;
140
141 /**
142 * ID representing the certificate subject
143 */
144 identification_t *subject;
145
146 /**
147 * List of identification_t's representing subjectAltNames
148 */
149 linked_list_t *subjectAltNames;
150
151 /**
152 * List of identification_t's representing crlDistributionPoints
153 */
154 linked_list_t *crlDistributionPoints;
155
156 /**
157 * List of identification_t's representing ocspAccessLocations
158 */
159 linked_list_t *ocspAccessLocations;
160
161 /**
162 * Subject public key
163 */
164 chunk_t subjectPublicKey;
165
166 /**
167 * Subject RSA public key, if subjectPublicKeyAlgorithm == RSA
168 */
169 rsa_public_key_t *public_key;
170
171 /**
172 * Subject Key Identifier
173 */
174 chunk_t subjectKeyID;
175
176 /**
177 * Authority Key Identifier
178 */
179 chunk_t authKeyID;
180
181 /**
182 * Authority Key Serial Number
183 */
184 chunk_t authKeySerialNumber;
185
186 /**
187 * Indicates if the certificate is self-signed
188 */
189 bool isSelfSigned;
190
191 /**
192 * CA basic constraints flag
193 */
194 bool isCA;
195
196 /**
197 * OCSPSigner extended key usage flag
198 */
199 bool isOcspSigner;
200
201 /**
202 * Signature
203 */
204 chunk_t signature;
205
206 };
207
208 /**
209 * ASN.1 definition of generalName
210 */
211 static const asn1Object_t generalNameObjects[] = {
212 { 0, "otherName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_BODY }, /* 0 */
213 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 1 */
214 { 0, "rfc822Name", ASN1_CONTEXT_S_1, ASN1_OPT|ASN1_BODY }, /* 2 */
215 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 3 */
216 { 0, "dnsName", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 4 */
217 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
218 { 0, "x400Address", ASN1_CONTEXT_S_3, ASN1_OPT|ASN1_BODY }, /* 6 */
219 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
220 { 0, "directoryName", ASN1_CONTEXT_C_4, ASN1_OPT|ASN1_BODY }, /* 8 */
221 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
222 { 0, "ediPartyName", ASN1_CONTEXT_C_5, ASN1_OPT|ASN1_BODY }, /* 10 */
223 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
224 { 0, "URI", ASN1_CONTEXT_S_6, ASN1_OPT|ASN1_BODY }, /* 12 */
225 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 13 */
226 { 0, "ipAddress", ASN1_CONTEXT_S_7, ASN1_OPT|ASN1_BODY }, /* 14 */
227 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 15 */
228 { 0, "registeredID", ASN1_CONTEXT_S_8, ASN1_OPT|ASN1_BODY }, /* 16 */
229 { 0, "end choice", ASN1_EOC, ASN1_END } /* 17 */
230 };
231 #define GN_OBJ_OTHER_NAME 0
232 #define GN_OBJ_RFC822_NAME 2
233 #define GN_OBJ_DNS_NAME 4
234 #define GN_OBJ_X400_ADDRESS 6
235 #define GN_OBJ_DIRECTORY_NAME 8
236 #define GN_OBJ_EDI_PARTY_NAME 10
237 #define GN_OBJ_URI 12
238 #define GN_OBJ_IP_ADDRESS 14
239 #define GN_OBJ_REGISTERED_ID 16
240 #define GN_OBJ_ROOF 18
241
242 /**
243 * ASN.1 definition of otherName
244 */
245 static const asn1Object_t otherNameObjects[] = {
246 {0, "type-id", ASN1_OID, ASN1_BODY }, /* 0 */
247 {0, "value", ASN1_CONTEXT_C_0, ASN1_BODY } /* 1 */
248 };
249 #define ON_OBJ_ID_TYPE 0
250 #define ON_OBJ_VALUE 1
251 #define ON_OBJ_ROOF 2
252 /**
253 * ASN.1 definition of a basicConstraints extension
254 */
255 static const asn1Object_t basicConstraintsObjects[] = {
256 { 0, "basicConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
257 { 1, "CA", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 1 */
258 { 1, "pathLenConstraint", ASN1_INTEGER, ASN1_OPT|ASN1_BODY }, /* 2 */
259 { 1, "end opt", ASN1_EOC, ASN1_END } /* 3 */
260 };
261 #define BASIC_CONSTRAINTS_CA 1
262 #define BASIC_CONSTRAINTS_ROOF 4
263
264 /**
265 * ASN.1 definition of a keyIdentifier
266 */
267 static const asn1Object_t keyIdentifierObjects[] = {
268 { 0, "keyIdentifier", ASN1_OCTET_STRING, ASN1_BODY } /* 0 */
269 };
270
271 /**
272 * ASN.1 definition of a authorityKeyIdentifier extension
273 */
274 static const asn1Object_t authorityKeyIdentifierObjects[] = {
275 { 0, "authorityKeyIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
276 { 1, "keyIdentifier", ASN1_CONTEXT_S_0, ASN1_OPT|ASN1_OBJ }, /* 1 */
277 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
278 { 1, "authorityCertIssuer", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_OBJ }, /* 3 */
279 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 4 */
280 { 1, "authorityCertSerialNumber",ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 5 */
281 { 1, "end opt", ASN1_EOC, ASN1_END } /* 6 */
282 };
283 #define AUTH_KEY_ID_KEY_ID 1
284 #define AUTH_KEY_ID_CERT_ISSUER 3
285 #define AUTH_KEY_ID_CERT_SERIAL 5
286 #define AUTH_KEY_ID_ROOF 7
287
288 /**
289 * ASN.1 definition of a authorityInfoAccess extension
290 */
291 static const asn1Object_t authorityInfoAccessObjects[] = {
292 { 0, "authorityInfoAccess", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
293 { 1, "accessDescription", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
294 { 2, "accessMethod", ASN1_OID, ASN1_BODY }, /* 2 */
295 { 2, "accessLocation", ASN1_EOC, ASN1_RAW }, /* 3 */
296 { 0, "end loop", ASN1_EOC, ASN1_END } /* 4 */
297 };
298 #define AUTH_INFO_ACCESS_METHOD 2
299 #define AUTH_INFO_ACCESS_LOCATION 3
300 #define AUTH_INFO_ACCESS_ROOF 5
301
302 /**
303 * ASN.1 definition of a extendedKeyUsage extension
304 */
305 static const asn1Object_t extendedKeyUsageObjects[] = {
306 { 0, "extendedKeyUsage", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
307 { 1, "keyPurposeID", ASN1_OID, ASN1_BODY }, /* 1 */
308 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
309 };
310
311 #define EXT_KEY_USAGE_PURPOSE_ID 1
312 #define EXT_KEY_USAGE_ROOF 3
313
314 /**
315 * ASN.1 definition of generalNames
316 */
317 static const asn1Object_t generalNamesObjects[] = {
318 { 0, "generalNames", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
319 { 1, "generalName", ASN1_EOC, ASN1_RAW }, /* 1 */
320 { 0, "end loop", ASN1_EOC, ASN1_END } /* 2 */
321 };
322 #define GENERAL_NAMES_GN 1
323 #define GENERAL_NAMES_ROOF 3
324
325
326 /**
327 * ASN.1 definition of crlDistributionPoints
328 */
329 static const asn1Object_t crlDistributionPointsObjects[] = {
330 { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
331 { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
332 { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */
333 { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
334 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
335 { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
336 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
337 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
338 { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
339 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
340 { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_BODY }, /* 10 */
341 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
342 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
343 };
344 #define CRL_DIST_POINTS_FULLNAME 3
345 #define CRL_DIST_POINTS_ROOF 13
346
347 /**
348 * ASN.1 definition of an X.509v3 x509
349 */
350 static const asn1Object_t certObjects[] = {
351 { 0, "x509", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
352 { 1, "tbsCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
353 { 2, "DEFAULT v1", ASN1_CONTEXT_C_0, ASN1_DEF }, /* 2 */
354 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
355 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 4 */
356 { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 5 */
357 { 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
358 { 2, "validity", ASN1_SEQUENCE, ASN1_NONE }, /* 7 */
359 { 3, "notBefore", ASN1_EOC, ASN1_RAW }, /* 8 */
360 { 3, "notAfter", ASN1_EOC, ASN1_RAW }, /* 9 */
361 { 2, "subject", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
362 { 2, "subjectPublicKeyInfo",ASN1_SEQUENCE, ASN1_NONE }, /* 11 */
363 { 3, "algorithm", ASN1_EOC, ASN1_RAW }, /* 12 */
364 { 3, "subjectPublicKey", ASN1_BIT_STRING, ASN1_NONE }, /* 13 */
365 { 4, "RSAPublicKey", ASN1_SEQUENCE, ASN1_RAW }, /* 14 */
366 { 2, "issuerUniqueID", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 15 */
367 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 16 */
368 { 2, "subjectUniqueID", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 17 */
369 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 18 */
370 { 2, "optional extensions", ASN1_CONTEXT_C_3, ASN1_OPT }, /* 19 */
371 { 3, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 20 */
372 { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 21 */
373 { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 22 */
374 { 5, "critical", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 23 */
375 { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 24 */
376 { 3, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
377 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
378 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 27 */
379 { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY } /* 28 */
380 };
381 #define X509_OBJ_CERTIFICATE 0
382 #define X509_OBJ_TBS_CERTIFICATE 1
383 #define X509_OBJ_VERSION 3
384 #define X509_OBJ_SERIAL_NUMBER 4
385 #define X509_OBJ_SIG_ALG 5
386 #define X509_OBJ_ISSUER 6
387 #define X509_OBJ_NOT_BEFORE 8
388 #define X509_OBJ_NOT_AFTER 9
389 #define X509_OBJ_SUBJECT 10
390 #define X509_OBJ_SUBJECT_PUBLIC_KEY_ALGORITHM 12
391 #define X509_OBJ_SUBJECT_PUBLIC_KEY 13
392 #define X509_OBJ_RSA_PUBLIC_KEY 14
393 #define X509_OBJ_EXTN_ID 22
394 #define X509_OBJ_CRITICAL 23
395 #define X509_OBJ_EXTN_VALUE 24
396 #define X509_OBJ_ALGORITHM 27
397 #define X509_OBJ_SIGNATURE 28
398 #define X509_OBJ_ROOF 29
399
400
401 static u_char ASN1_subjectAltName_oid_str[] = {
402 0x06, 0x03, 0x55, 0x1D, 0x11
403 };
404
405 static const chunk_t ASN1_subjectAltName_oid = chunk_from_buf(ASN1_subjectAltName_oid_str);
406
407
408 /**
409 * compare two X.509 x509s by comparing their signatures
410 */
411 static bool equals(const private_x509_t *this, const private_x509_t *other)
412 {
413 return chunk_equals(this->signature, other->signature);
414 }
415
416 /**
417 * extracts the basicConstraints extension
418 */
419 static bool parse_basicConstraints(chunk_t blob, int level0)
420 {
421 asn1_ctx_t ctx;
422 chunk_t object;
423 u_int level;
424 int objectID = 0;
425 bool isCA = FALSE;
426
427 asn1_init(&ctx, blob, level0, FALSE, FALSE);
428
429 while (objectID < BASIC_CONSTRAINTS_ROOF) {
430
431 if (!extract_object(basicConstraintsObjects, &objectID, &object,&level, &ctx))
432 {
433 break;
434 }
435 if (objectID == BASIC_CONSTRAINTS_CA)
436 {
437 isCA = object.len && *object.ptr;
438 DBG2(" %s", isCA ? "TRUE" : "FALSE");
439 }
440 objectID++;
441 }
442 return isCA;
443 }
444
445 /**
446 * extracts an otherName
447 */
448 static bool parse_otherName(chunk_t blob, int level0)
449 {
450 asn1_ctx_t ctx;
451 chunk_t object;
452 u_int level;
453 int objectID = 0;
454 int oid = OID_UNKNOWN;
455
456 asn1_init(&ctx, blob, level0, FALSE, FALSE);
457
458 while (objectID < ON_OBJ_ROOF)
459 {
460 if (!extract_object(otherNameObjects, &objectID, &object, &level, &ctx))
461 return FALSE;
462
463 switch (objectID)
464 {
465 case ON_OBJ_ID_TYPE:
466 oid = known_oid(object);
467 break;
468 case ON_OBJ_VALUE:
469 if (oid == OID_XMPP_ADDR)
470 {
471 if (!parse_asn1_simple_object(&object, ASN1_UTF8STRING, level + 1, "xmppAddr"))
472 return FALSE;
473 }
474 break;
475 default:
476 break;
477 }
478 objectID++;
479 }
480 return TRUE;
481 }
482
483 /**
484 * extracts a generalName
485 */
486 static identification_t *parse_generalName(chunk_t blob, int level0)
487 {
488 asn1_ctx_t ctx;
489 chunk_t object;
490 int objectID = 0;
491 u_int level;
492
493 asn1_init(&ctx, blob, level0, FALSE, FALSE);
494
495 while (objectID < GN_OBJ_ROOF)
496 {
497 id_type_t id_type = ID_ANY;
498
499 if (!extract_object(generalNameObjects, &objectID, &object, &level, &ctx))
500 return NULL;
501
502 switch (objectID)
503 {
504 case GN_OBJ_RFC822_NAME:
505 id_type = ID_RFC822_ADDR;
506 break;
507 case GN_OBJ_DNS_NAME:
508 id_type = ID_FQDN;
509 break;
510 case GN_OBJ_URI:
511 id_type = ID_DER_ASN1_GN_URI;
512 break;
513 case GN_OBJ_DIRECTORY_NAME:
514 id_type = ID_DER_ASN1_DN;
515 break;
516 case GN_OBJ_IP_ADDRESS:
517 id_type = (object.len == 4)? ID_IPV4_ADDR : ID_IPV6_ADDR;
518 break;
519 case GN_OBJ_OTHER_NAME:
520 if (!parse_otherName(object, level + 1))
521 return NULL;
522 break;
523 case GN_OBJ_X400_ADDRESS:
524 case GN_OBJ_EDI_PARTY_NAME:
525 case GN_OBJ_REGISTERED_ID:
526 break;
527 default:
528 break;
529 }
530
531 if (id_type != ID_ANY)
532 {
533 identification_t *gn = identification_create_from_encoding(id_type, object);
534 DBG2(" '%D'", gn);
535 return gn;
536 }
537 objectID++;
538 }
539 return NULL;
540 }
541
542
543 /*
544 * Defined in header.
545 */
546 void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list)
547 {
548 asn1_ctx_t ctx;
549 chunk_t object;
550 u_int level;
551 int objectID = 0;
552
553 asn1_init(&ctx, blob, level0, implicit, FALSE);
554
555 while (objectID < GENERAL_NAMES_ROOF)
556 {
557 if (!extract_object(generalNamesObjects, &objectID, &object, &level, &ctx))
558 return;
559
560 if (objectID == GENERAL_NAMES_GN)
561 {
562 identification_t *gn = parse_generalName(object, level+1);
563
564 if (gn != NULL)
565 list->insert_last(list, (void *)gn);
566 }
567 objectID++;
568 }
569 return;
570 }
571
572 /**
573 * extracts a keyIdentifier
574 */
575 static chunk_t parse_keyIdentifier(chunk_t blob, int level0, bool implicit)
576 {
577 asn1_ctx_t ctx;
578 chunk_t object;
579 u_int level;
580 int objectID = 0;
581
582 asn1_init(&ctx, blob, level0, implicit, FALSE);
583
584 extract_object(keyIdentifierObjects, &objectID, &object, &level, &ctx);
585 return object;
586 }
587
588 /*
589 * Defined in header.
590 */
591 void x509_parse_authorityKeyIdentifier(chunk_t blob, int level0 , chunk_t *authKeyID, chunk_t *authKeySerialNumber)
592 {
593 asn1_ctx_t ctx;
594 chunk_t object;
595 u_int level;
596 int objectID = 0;
597
598 *authKeyID = chunk_empty;
599 *authKeySerialNumber = chunk_empty;
600
601 asn1_init(&ctx, blob, level0, FALSE, FALSE);
602
603 while (objectID < AUTH_KEY_ID_ROOF)
604 {
605 if (!extract_object(authorityKeyIdentifierObjects, &objectID, &object, &level, &ctx))
606 {
607 return;
608 }
609 switch (objectID)
610 {
611 case AUTH_KEY_ID_KEY_ID:
612 *authKeyID = parse_keyIdentifier(object, level+1, TRUE);
613 break;
614 case AUTH_KEY_ID_CERT_ISSUER:
615 {
616 /* TODO: parse_generalNames(object, level+1, TRUE); */
617 break;
618 }
619 case AUTH_KEY_ID_CERT_SERIAL:
620 *authKeySerialNumber = object;
621 break;
622 default:
623 break;
624 }
625 objectID++;
626 }
627 }
628
629 /**
630 * extracts an authorityInfoAcess location
631 */
632 static void parse_authorityInfoAccess(chunk_t blob, int level0, linked_list_t *list)
633 {
634 asn1_ctx_t ctx;
635 chunk_t object;
636 u_int level;
637 int objectID = 0;
638 int accessMethod = OID_UNKNOWN;
639
640 asn1_init(&ctx, blob, level0, FALSE, FALSE);
641 while (objectID < AUTH_INFO_ACCESS_ROOF)
642 {
643 if (!extract_object(authorityInfoAccessObjects, &objectID, &object, &level, &ctx))
644 {
645 return;
646 }
647 switch (objectID)
648 {
649 case AUTH_INFO_ACCESS_METHOD:
650 accessMethod = known_oid(object);
651 break;
652 case AUTH_INFO_ACCESS_LOCATION:
653 {
654 switch (accessMethod)
655 {
656 case OID_OCSP:
657 case OID_CA_ISSUERS:
658 {
659 identification_t *accessLocation;
660
661 accessLocation = parse_generalName(object, level+1);
662 if (accessLocation == NULL)
663 {
664 /* parsing went wrong - abort */
665 return;
666 }
667 DBG2(" '%D'", accessLocation);
668 if (accessMethod == OID_OCSP)
669 {
670 list->insert_last(list, (void *)accessLocation);
671 }
672 else
673 {
674 /* caIsssuer accessLocation is not used yet */
675 accessLocation->destroy(accessLocation);
676 }
677 }
678 break;
679 default:
680 /* unkown accessMethod, ignoring */
681 break;
682 }
683 break;
684 }
685 default:
686 break;
687 }
688 objectID++;
689 }
690 }
691
692 /**
693 * extracts extendedKeyUsage OIDs
694 */
695 static bool parse_extendedKeyUsage(chunk_t blob, int level0)
696 {
697 asn1_ctx_t ctx;
698 chunk_t object;
699 u_int level;
700 int objectID = 0;
701
702 asn1_init(&ctx, blob, level0, FALSE, FALSE);
703 while (objectID < EXT_KEY_USAGE_ROOF)
704 {
705 if (!extract_object(extendedKeyUsageObjects, &objectID, &object, &level, &ctx))
706 {
707 return FALSE;
708 }
709 if (objectID == EXT_KEY_USAGE_PURPOSE_ID &&
710 known_oid(object) == OID_OCSP_SIGNING)
711 {
712 return TRUE;
713 }
714 objectID++;
715 }
716 return FALSE;
717 }
718
719 /**
720 * extracts one or several crlDistributionPoints and puts them into
721 * a chained list
722 */
723 static void parse_crlDistributionPoints(chunk_t blob, int level0, linked_list_t *list)
724 {
725 asn1_ctx_t ctx;
726 chunk_t object;
727 u_int level;
728 int objectID = 0;
729
730 asn1_init(&ctx, blob, level0, FALSE, FALSE);
731 while (objectID < CRL_DIST_POINTS_ROOF)
732 {
733 if (!extract_object(crlDistributionPointsObjects, &objectID, &object, &level, &ctx))
734 {
735 return;
736 }
737 if (objectID == CRL_DIST_POINTS_FULLNAME)
738 {
739 /* append extracted generalNames to existing chained list */
740 x509_parse_generalNames(object, level+1, TRUE, list);
741
742 }
743 objectID++;
744 }
745 }
746
747
748 /**
749 * Parses an X.509v3 certificate
750 */
751 static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *this)
752 {
753 asn1_ctx_t ctx;
754 bool critical;
755 chunk_t object;
756 u_int level;
757 int objectID = 0;
758 int extn_oid = OID_UNKNOWN;
759
760 asn1_init(&ctx, blob, level0, FALSE, FALSE);
761 while (objectID < X509_OBJ_ROOF)
762 {
763 if (!extract_object(certObjects, &objectID, &object, &level, &ctx))
764 {
765 return FALSE;
766 }
767
768 /* those objects which will parsed further need the next higher level */
769 level++;
770
771 switch (objectID)
772 {
773 case X509_OBJ_CERTIFICATE:
774 this->certificate = object;
775 break;
776 case X509_OBJ_TBS_CERTIFICATE:
777 this->tbsCertificate = object;
778 break;
779 case X509_OBJ_VERSION:
780 this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
781 DBG2(" v%d", this->version);
782 break;
783 case X509_OBJ_SERIAL_NUMBER:
784 this->serialNumber = object;
785 break;
786 case X509_OBJ_SIG_ALG:
787 this->signatureAlgorithm = parse_algorithmIdentifier(object, level, NULL);
788 break;
789 case X509_OBJ_ISSUER:
790 this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
791 DBG2(" '%D'", this->issuer);
792 break;
793 case X509_OBJ_NOT_BEFORE:
794 this->notBefore = parse_time(object, level);
795 break;
796 case X509_OBJ_NOT_AFTER:
797 this->notAfter = parse_time(object, level);
798 break;
799 case X509_OBJ_SUBJECT:
800 this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
801 DBG2(" '%D'", this->subject);
802 break;
803 case X509_OBJ_SUBJECT_PUBLIC_KEY_ALGORITHM:
804 if (parse_algorithmIdentifier(object, level, NULL) != OID_RSA_ENCRYPTION)
805 {
806 DBG1(" unsupported public key algorithm");
807 return FALSE;
808 }
809 break;
810 case X509_OBJ_SUBJECT_PUBLIC_KEY:
811 if (ctx.blobs[4].len > 0 && *ctx.blobs[4].ptr == 0x00)
812 {
813 /* skip initial bit string octet defining 0 unused bits */
814 ctx.blobs[4].ptr++; ctx.blobs[4].len--;
815 }
816 else
817 {
818 DBG1(" invalid RSA public key format");
819 return FALSE;
820 }
821 break;
822 case X509_OBJ_RSA_PUBLIC_KEY:
823 this->subjectPublicKey = object;
824 break;
825 case X509_OBJ_EXTN_ID:
826 extn_oid = known_oid(object);
827 break;
828 case X509_OBJ_CRITICAL:
829 critical = object.len && *object.ptr;
830 DBG2(" %s", critical ? "TRUE" : "FALSE");
831 break;
832 case X509_OBJ_EXTN_VALUE:
833 {
834 switch (extn_oid)
835 {
836 case OID_SUBJECT_KEY_ID:
837 this->subjectKeyID = chunk_clone(parse_keyIdentifier(object, level, FALSE));
838 break;
839 case OID_SUBJECT_ALT_NAME:
840 x509_parse_generalNames(object, level, FALSE, this->subjectAltNames);
841 break;
842 case OID_BASIC_CONSTRAINTS:
843 this->isCA = parse_basicConstraints(object, level);
844 break;
845 case OID_CRL_DISTRIBUTION_POINTS:
846 parse_crlDistributionPoints(object, level, this->crlDistributionPoints);
847 break;
848 case OID_AUTHORITY_KEY_ID:
849 x509_parse_authorityKeyIdentifier(object, level,
850 &this->authKeyID, &this->authKeySerialNumber);
851 break;
852 case OID_AUTHORITY_INFO_ACCESS:
853 parse_authorityInfoAccess(object, level, this->ocspAccessLocations);
854 break;
855 case OID_EXTENDED_KEY_USAGE:
856 this->isOcspSigner = parse_extendedKeyUsage(object, level);
857 break;
858 case OID_NS_REVOCATION_URL:
859 case OID_NS_CA_REVOCATION_URL:
860 case OID_NS_CA_POLICY_URL:
861 case OID_NS_COMMENT:
862 if (!parse_asn1_simple_object(&object, ASN1_IA5STRING , level, oid_names[extn_oid].name))
863 return FALSE;
864 break;
865 default:
866 break;
867 }
868 break;
869 }
870 case X509_OBJ_ALGORITHM:
871 {
872 int alg = parse_algorithmIdentifier(object, level, NULL);
873
874 if (alg != this->signatureAlgorithm)
875 {
876 DBG1(" signature algorithms do not agree");
877 return FALSE;
878 }
879 }
880 break;
881 case X509_OBJ_SIGNATURE:
882 this->signature = object;
883 break;
884 default:
885 break;
886 }
887 objectID++;
888 }
889
890 /* generate the subjectKeyID if it is missing in the certificate */
891 if (this->subjectKeyID.ptr == NULL)
892 {
893 hasher_t *hasher = hasher_create(HASH_SHA1);
894
895 hasher->allocate_hash(hasher, this->subjectPublicKey, &this->subjectKeyID);
896 hasher->destroy(hasher);
897 }
898
899 this->installed = time(NULL);
900 return TRUE;
901 }
902
903 /**
904 * Implements x509_t.is_valid
905 */
906 static err_t is_valid(const private_x509_t *this, time_t *until)
907 {
908 time_t current_time = time(NULL);
909
910 DBG2(" not before : %T", &this->notBefore);
911 DBG2(" current time: %T", &current_time);
912 DBG2(" not after : %T", &this->notAfter);
913
914 if (until != NULL &&
915 (*until == UNDEFINED_TIME || this->notAfter < *until))
916 {
917 *until = this->notAfter;
918 }
919 if (current_time < this->notBefore)
920 {
921 return "is not valid yet";
922 }
923 if (current_time > this->notAfter)
924 {
925 return "has expired";
926 }
927 DBG2(" certificate is valid");
928 return NULL;
929 }
930
931 /**
932 * Implements x509_t.is_ca
933 */
934 static bool is_ca(const private_x509_t *this)
935 {
936 return this->isCA;
937 }
938
939 /**
940 * Implements x509_t.is_ocsp_signer
941 */
942 static bool is_ocsp_signer(const private_x509_t *this)
943 {
944 return this->isOcspSigner;
945 }
946
947 /**
948 * Implements x509_t.is_self_signed
949 */
950 static bool is_self_signed(const private_x509_t *this)
951 {
952 return this->isSelfSigned;
953 }
954
955 /**
956 * Implements x509_t.equals_subjectAltName
957 */
958 static bool equals_subjectAltName(const private_x509_t *this, identification_t *id)
959 {
960 bool found = FALSE;
961 identification_t *subjectAltName;
962 iterator_t *iterator;
963
964 iterator = this->subjectAltNames->create_iterator(this->subjectAltNames, TRUE);
965 while (iterator->iterate(iterator, (void**)&subjectAltName))
966 {
967 if (id->equals(id, subjectAltName))
968 {
969 found = TRUE;
970 break;
971 }
972 }
973 iterator->destroy(iterator);
974 return found;
975 }
976
977 /**
978 * Implements x509_t.is_issuer
979 */
980 static bool is_issuer(const private_x509_t *this, const private_x509_t *issuer)
981 {
982 return (this->authKeyID.ptr)
983 ? chunk_equals(this->authKeyID, issuer->subjectKeyID)
984 : (this->issuer->equals(this->issuer, issuer->subject)
985 && chunk_equals_or_null(this->authKeySerialNumber, issuer->serialNumber));
986 }
987
988 /**
989 * Implements x509_t.get_certificate
990 */
991 static chunk_t get_certificate(const private_x509_t *this)
992 {
993 return this->certificate;
994 }
995
996 /**
997 * Implements x509_t.get_public_key
998 */
999 static rsa_public_key_t *get_public_key(const private_x509_t *this)
1000 {
1001 return this->public_key;
1002 }
1003
1004 /**
1005 * Implements x509_t.get_serialNumber
1006 */
1007 static chunk_t get_serialNumber(const private_x509_t *this)
1008 {
1009 return this->serialNumber;
1010 }
1011
1012 /**
1013 * Implements x509_t.get_subjectKeyID
1014 */
1015 static chunk_t get_subjectKeyID(const private_x509_t *this)
1016 {
1017 return this->subjectKeyID;
1018 }
1019
1020 /**
1021 * Implements x509_t.get_keyid
1022 */
1023 static chunk_t get_keyid(const private_x509_t *this)
1024 {
1025 return this->public_key->get_keyid(this->public_key);
1026 }
1027
1028 /**
1029 * Implements x509_t.get_issuer
1030 */
1031 static identification_t *get_issuer(const private_x509_t *this)
1032 {
1033 return this->issuer;
1034 }
1035
1036 /**
1037 * Implements x509_t.get_subject
1038 */
1039 static identification_t *get_subject(const private_x509_t *this)
1040 {
1041 return this->subject;
1042 }
1043
1044 /**
1045 * Implements x509_t.set_ca_info
1046 */
1047 static void set_ca_info(private_x509_t *this, ca_info_t *ca_info)
1048 {
1049 this->ca_info = ca_info;
1050 }
1051
1052 /**
1053 * Implements x509_t.get_ca_info
1054 */
1055 static ca_info_t *get_ca_info(const private_x509_t *this)
1056 {
1057 return this->ca_info;
1058 }
1059
1060 /**
1061 * Implements x509_t.set_until
1062 */
1063 static void set_until(private_x509_t *this, time_t until)
1064 {
1065 this->until = until;
1066 }
1067
1068 /**
1069 * Implements x509_t.get_until
1070 */
1071 static time_t get_until(const private_x509_t *this)
1072 {
1073 return this->until;
1074 }
1075
1076 /**
1077 * Implements x509_t.set_status
1078 */
1079 static void set_status(private_x509_t *this, cert_status_t status)
1080 {
1081 this->status = status;
1082 }
1083
1084 /**
1085 * Implements x509_t.get_status
1086 */
1087 static cert_status_t get_status(const private_x509_t *this)
1088 {
1089 return this->status;
1090 }
1091
1092 /**
1093 * Implements x509_t.add_authority_flags
1094 */
1095 static void add_authority_flags(private_x509_t *this, u_int flags)
1096 {
1097 this->authority_flags |= flags;
1098 }
1099
1100 /**
1101 * Implements x509_t.add_authority_flags
1102 */
1103 static u_int get_authority_flags(private_x509_t *this)
1104 {
1105 return this->authority_flags;
1106 }
1107
1108 /**
1109 * Implements x509_t.has_authority_flag
1110 */
1111 static bool has_authority_flag(private_x509_t *this, u_int flags)
1112 {
1113 return (this->authority_flags & flags) != AUTH_NONE;
1114 }
1115
1116 /**
1117 * Implements x509_t.create_crluri_iterator
1118 */
1119 static iterator_t *create_crluri_iterator(const private_x509_t *this)
1120 {
1121 return this->crlDistributionPoints->create_iterator(this->crlDistributionPoints, TRUE);
1122 }
1123
1124 /**
1125 * Implements x509_t.create_crluri_iterator
1126 */
1127 static iterator_t *create_ocspuri_iterator(const private_x509_t *this)
1128 {
1129 return this->ocspAccessLocations->create_iterator(this->ocspAccessLocations, TRUE);
1130 }
1131
1132 /**
1133 * Implements x509_t.verify
1134 */
1135 static bool verify(const private_x509_t *this, const rsa_public_key_t *signer)
1136 {
1137 hash_algorithm_t algorithm = hasher_algorithm_from_oid(this->signatureAlgorithm);
1138
1139 if (algorithm == HASH_UNKNOWN)
1140 {
1141 DBG1(" unknown signature algorithm");
1142 return FALSE;
1143 }
1144 return signer->verify_emsa_pkcs1_signature(signer, algorithm, this->tbsCertificate, this->signature) == SUCCESS;
1145 }
1146
1147 /**
1148 * Implementation of x509_t.list.
1149 */
1150 static void list(private_x509_t *this, FILE *out, bool utc)
1151 {
1152 iterator_t *iterator;
1153 time_t now = time(NULL);
1154
1155 fprintf(out, "%#T\n", &this->installed, utc);
1156
1157 if (this->subjectAltNames->get_count(this->subjectAltNames))
1158 {
1159 identification_t *subjectAltName;
1160 bool first = TRUE;
1161
1162 fprintf(out, " altNames: ");
1163 iterator = this->subjectAltNames->create_iterator(this->subjectAltNames, TRUE);
1164 while (iterator->iterate(iterator, (void**)&subjectAltName))
1165 {
1166 if (first)
1167 {
1168 first = FALSE;
1169 }
1170 else
1171 {
1172 fprintf(out, ", ");
1173 }
1174 fprintf(out, "'%D'", subjectAltName);
1175 }
1176 iterator->destroy(iterator);
1177 fprintf(out, "\n");
1178 }
1179 fprintf(out, " subject: '%D'\n", this->subject);
1180 fprintf(out, " issuer: '%D'\n", this->issuer);
1181 fprintf(out, " serial: %#B\n", &this->serialNumber);
1182 fprintf(out, " validity: not before %#T, ", &this->notBefore, utc);
1183 if (now < this->notBefore)
1184 {
1185 fprintf(out, "not valid yet (valid in %#V)\n", &now, &this->notBefore);
1186 }
1187 else
1188 {
1189 fprintf(out, "ok\n");
1190 }
1191
1192 fprintf(out, " not after %#T, ", &this->notAfter, utc);
1193 if (now > this->notAfter)
1194 {
1195 fprintf(out, "expired (%#V ago)\n", &now, &this->notAfter);
1196 }
1197 else
1198 {
1199 fprintf(out, "ok");
1200 if (now > this->notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
1201 {
1202 fprintf(out, " (expires in %#V)", &now, &this->notAfter);
1203 }
1204 fprintf(out, " \n");
1205 }
1206
1207 {
1208 chunk_t keyid = this->public_key->get_keyid(this->public_key);
1209 fprintf(out, " keyid: %#B\n", &keyid);
1210 }
1211
1212 if (this->subjectKeyID.ptr)
1213 {
1214 fprintf(out, " subjkey: %#B\n", &this->subjectKeyID);
1215 }
1216 if (this->authKeyID.ptr)
1217 {
1218 fprintf(out, " authkey: %#B\n", &this->authKeyID);
1219 }
1220 if (this->authKeySerialNumber.ptr)
1221 {
1222 fprintf(out, " aserial: %#B\n", &this->authKeySerialNumber);
1223 }
1224
1225 fprintf(out, " pubkey: RSA %d bits", BITS_PER_BYTE *
1226 this->public_key->get_keysize(this->public_key));
1227 fprintf(out, ", status %N",
1228 cert_status_names, this->status);
1229
1230 switch (this->status)
1231 {
1232 case CERT_GOOD:
1233 fprintf(out, " until %#T", &this->until, utc);
1234 break;
1235 case CERT_REVOKED:
1236 fprintf(out, " on %#T", &this->until, utc);
1237 break;
1238 case CERT_UNKNOWN:
1239 case CERT_UNDEFINED:
1240 case CERT_UNTRUSTED:
1241 default:
1242 break;
1243 }
1244 }
1245
1246 /**
1247 * Implements x509_t.add_subjectAltNames.
1248 */
1249 static void add_subjectAltNames(private_x509_t *this, linked_list_t *subjectAltNames)
1250 {
1251 iterator_t *iterator = subjectAltNames->create_iterator(subjectAltNames, TRUE);
1252 identification_t *name = NULL;
1253
1254 while (iterator->iterate(iterator, (void**)&name))
1255 {
1256 name = name->clone(name);
1257 this->subjectAltNames->insert_last(this->subjectAltNames, (void*)name);
1258 }
1259 iterator->destroy(iterator);
1260 }
1261
1262 /*
1263 * Defined in header.
1264 */
1265 chunk_t x509_build_generalNames(linked_list_t *list)
1266 {
1267 linked_list_t *generalNames = linked_list_create();
1268 iterator_t *iterator = list->create_iterator(list, TRUE);
1269 identification_t *name;
1270 chunk_t names = chunk_empty;
1271 size_t len = 0;
1272
1273 while (iterator->iterate(iterator, (void**)&name))
1274 {
1275 asn1_t asn1_type = ASN1_EOC;
1276 chunk_t *generalName;
1277
1278 switch (name->get_type(name))
1279 {
1280 case ID_RFC822_ADDR:
1281 asn1_type = ASN1_CONTEXT_S_1;
1282 break;
1283 case ID_FQDN:
1284 asn1_type = ASN1_CONTEXT_S_2;
1285 break;
1286 case ID_DER_ASN1_DN:
1287 asn1_type = ASN1_CONTEXT_C_4;
1288 break;
1289 case ID_DER_ASN1_GN_URI:
1290 asn1_type = ASN1_CONTEXT_S_6;
1291 break;
1292 case ID_IPV4_ADDR:
1293 case ID_IPV6_ADDR:
1294 asn1_type = ASN1_CONTEXT_S_7;
1295 break;
1296 default:
1297 continue;
1298 }
1299
1300 generalName = malloc_thing(chunk_t);
1301 *generalName = asn1_simple_object(asn1_type, name->get_encoding(name));
1302 len += generalName->len;
1303 generalNames->insert_last(generalNames, (void*)generalName);
1304 }
1305 iterator->destroy(iterator);
1306
1307 if (len > 0)
1308 {
1309 iterator_t *iterator = generalNames->create_iterator(generalNames, TRUE);
1310 chunk_t *generalName;
1311 u_char *pos = build_asn1_object(&names, ASN1_SEQUENCE, len);
1312
1313 while (iterator->iterate(iterator, (void**)&generalName))
1314 {
1315 memcpy(pos, generalName->ptr, generalName->len);
1316 pos += generalName->len;
1317 free(generalName->ptr);
1318 free(generalName);
1319 }
1320 iterator->destroy(iterator);
1321 }
1322 generalNames->destroy(generalNames);
1323 return names;
1324 }
1325
1326 /*
1327 * Defined in header.
1328 */
1329 chunk_t x509_build_subjectAltNames(linked_list_t *list)
1330 {
1331 chunk_t generalNames = x509_build_generalNames(list);
1332
1333 if (generalNames.len)
1334 {
1335 return asn1_wrap(ASN1_SEQUENCE, "cm",
1336 ASN1_subjectAltName_oid,
1337 asn1_wrap(ASN1_OCTET_STRING, "m", generalNames)
1338 );
1339 }
1340 else
1341 {
1342 return chunk_empty;
1343 }
1344 }
1345
1346 /**
1347 * Build a to-be-signed X.509 certificate body
1348 */
1349 static chunk_t x509_build_tbs(private_x509_t *this)
1350 {
1351 /* version is always X.509v3 */
1352 chunk_t version = asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2);
1353
1354 chunk_t extensions = chunk_empty;
1355
1356 if (this->subjectAltNames->get_count(this->subjectAltNames))
1357 {
1358 extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
1359 asn1_wrap(ASN1_SEQUENCE, "m",
1360 x509_build_subjectAltNames(this->subjectAltNames)));
1361 }
1362
1363 return asn1_wrap(ASN1_SEQUENCE, "mmccmcmm",
1364 version,
1365 asn1_simple_object(ASN1_INTEGER, this->serialNumber),
1366 asn1_algorithmIdentifier(this->signatureAlgorithm),
1367 this->issuer->get_encoding(this->issuer),
1368 asn1_wrap(ASN1_SEQUENCE, "mm",
1369 timetoasn1(&this->notBefore, ASN1_UTCTIME),
1370 timetoasn1(&this->notAfter, ASN1_UTCTIME)
1371 ),
1372 this->subject->get_encoding(this->subject),
1373 this->public_key->get_publicKeyInfo(this->public_key),
1374 extensions
1375 );
1376 }
1377
1378 /**
1379 * Implementation of x509_t.build_encoding.
1380 */
1381 static void build_encoding(private_x509_t *this, hash_algorithm_t alg,
1382 rsa_private_key_t *private_key)
1383 {
1384 chunk_t tbs_cert, rawSignature, signature;
1385 u_char *pos;
1386
1387 this->signatureAlgorithm = OID_SHA1_WITH_RSA;
1388 tbs_cert = x509_build_tbs(this);
1389 private_key->build_emsa_pkcs1_signature(private_key, alg, tbs_cert,
1390 &rawSignature);
1391
1392 pos = build_asn1_object(&signature, ASN1_BIT_STRING, 1 + rawSignature.len);
1393 *pos++ = 0x00;
1394 memcpy(pos, rawSignature.ptr, rawSignature.len);
1395 free(rawSignature.ptr);
1396
1397 this->certificate = asn1_wrap(ASN1_SEQUENCE, "mcm",
1398 tbs_cert,
1399 asn1_algorithmIdentifier(this->signatureAlgorithm),
1400 signature);
1401
1402 }
1403
1404 /**
1405 * Implements x509_t.destroy
1406 */
1407 static void destroy(private_x509_t *this)
1408 {
1409 this->subjectAltNames->destroy_offset(this->subjectAltNames,
1410 offsetof(identification_t, destroy));
1411 this->crlDistributionPoints->destroy_offset(this->crlDistributionPoints,
1412 offsetof(identification_t, destroy));
1413 this->ocspAccessLocations->destroy_offset(this->ocspAccessLocations,
1414 offsetof(identification_t, destroy));
1415 DESTROY_IF(this->issuer);
1416 DESTROY_IF(this->subject);
1417 DESTROY_IF(this->public_key);
1418 free(this->subjectKeyID.ptr);
1419 free(this->certificate.ptr);
1420 free(this);
1421 }
1422
1423 /**
1424 * Internal generic constructor
1425 */
1426 static private_x509_t *x509_create_empty(void)
1427 {
1428 private_x509_t *this = malloc_thing(private_x509_t);
1429
1430 /* initialize */
1431 this->subjectPublicKey = chunk_empty;
1432 this->public_key = NULL;
1433 this->subject = NULL;
1434 this->issuer = NULL;
1435 this->ca_info = NULL;
1436 this->subjectAltNames = linked_list_create();
1437 this->crlDistributionPoints = linked_list_create();
1438 this->ocspAccessLocations = linked_list_create();
1439 this->subjectKeyID = chunk_empty;
1440 this->authKeyID = chunk_empty;
1441 this->authKeySerialNumber = chunk_empty;
1442 this->authority_flags = AUTH_NONE;
1443 this->isCA = FALSE;
1444 this->isOcspSigner = FALSE;
1445
1446 /* public functions */
1447 this->public.equals = (bool (*) (const x509_t*,const x509_t*))equals;
1448 this->public.equals_subjectAltName = (bool (*) (const x509_t*,identification_t*))equals_subjectAltName;
1449 this->public.is_issuer = (bool (*) (const x509_t*,const x509_t*))is_issuer;
1450 this->public.is_valid = (err_t (*) (const x509_t*,time_t*))is_valid;
1451 this->public.is_ca = (bool (*) (const x509_t*))is_ca;
1452 this->public.is_self_signed = (bool (*) (const x509_t*))is_self_signed;
1453 this->public.is_ocsp_signer = (bool (*) (const x509_t*))is_ocsp_signer;
1454 this->public.get_certificate = (chunk_t (*) (const x509_t*))get_certificate;
1455 this->public.get_public_key = (rsa_public_key_t* (*) (const x509_t*))get_public_key;
1456 this->public.get_serialNumber = (chunk_t (*) (const x509_t*))get_serialNumber;
1457 this->public.get_subjectKeyID = (chunk_t (*) (const x509_t*))get_subjectKeyID;
1458 this->public.get_keyid = (chunk_t (*) (const x509_t*))get_keyid;
1459 this->public.get_issuer = (identification_t* (*) (const x509_t*))get_issuer;
1460 this->public.get_subject = (identification_t* (*) (const x509_t*))get_subject;
1461 this->public.set_ca_info = (void (*) (x509_t*,ca_info_t*))set_ca_info;
1462 this->public.get_ca_info = (ca_info_t* (*) (const x509_t*))get_ca_info;
1463 this->public.set_until = (void (*) (x509_t*,time_t))set_until;
1464 this->public.get_until = (time_t (*) (const x509_t*))get_until;
1465 this->public.set_status = (void (*) (x509_t*,cert_status_t))set_status;
1466 this->public.get_status = (cert_status_t (*) (const x509_t*))get_status;
1467 this->public.add_authority_flags = (void (*) (x509_t*,u_int))add_authority_flags;
1468 this->public.get_authority_flags = (u_int (*) (x509_t*))get_authority_flags;
1469 this->public.has_authority_flag = (bool (*) (x509_t*,u_int))has_authority_flag;
1470 this->public.create_crluri_iterator = (iterator_t* (*) (const x509_t*))create_crluri_iterator;
1471 this->public.create_ocspuri_iterator = (iterator_t* (*) (const x509_t*))create_ocspuri_iterator;
1472 this->public.verify = (bool (*) (const x509_t*,const rsa_public_key_t*))verify;
1473 this->public.list = (void (*) (x509_t*, FILE *out, bool utc))list;
1474 this->public.add_subjectAltNames = (void (*) (x509_t*,linked_list_t*))add_subjectAltNames;
1475 this->public.build_encoding = (void (*) (x509_t*,hash_algorithm_t,rsa_private_key_t*))build_encoding;
1476 this->public.destroy = (void (*) (x509_t*))destroy;
1477
1478 return this;
1479 }
1480
1481 /*
1482 * Described in header.
1483 */
1484 x509_t *x509_create(chunk_t serialNumber, identification_t *issuer,
1485 time_t notBefore, time_t notAfter,
1486 identification_t *subject,
1487 rsa_public_key_t *public_key)
1488 {
1489 private_x509_t *this = x509_create_empty();
1490
1491 this->serialNumber = serialNumber;
1492 this->issuer = issuer->clone(issuer);
1493 this->notBefore = notBefore;
1494 this->notAfter = notAfter;
1495 this->subject = subject->clone(subject);
1496 this->public_key = public_key->clone(public_key);
1497
1498 return &this->public;
1499 }
1500
1501 /*
1502 * Described in header.
1503 */
1504 x509_t *x509_create_from_chunk(chunk_t chunk, u_int level)
1505 {
1506 private_x509_t *this = x509_create_empty();
1507
1508 if (!parse_certificate(chunk, level, this))
1509 {
1510 destroy(this);
1511 return NULL;
1512 }
1513
1514 /* extract public key from certificate */
1515 this->public_key = rsa_public_key_create_from_chunk(this->subjectPublicKey);
1516 if (this->public_key == NULL)
1517 {
1518 destroy(this);
1519 return NULL;
1520 }
1521
1522 /* set trusted lifetime of public key to notAfter */
1523 this->until = this->notAfter;
1524
1525 /* check if the certificate is self-signed */
1526 this->isSelfSigned = FALSE;
1527 if (this->subject->equals(this->subject, this->issuer))
1528 {
1529 hash_algorithm_t algorithm = hasher_algorithm_from_oid(this->signatureAlgorithm);
1530
1531 if (algorithm == HASH_UNKNOWN)
1532 {
1533 destroy(this);
1534 return NULL;
1535 }
1536 this->isSelfSigned = this->public_key->verify_emsa_pkcs1_signature(this->public_key,
1537 algorithm, this->tbsCertificate, this->signature) == SUCCESS;
1538 }
1539 if (this->isSelfSigned)
1540 {
1541 DBG2(" certificate is self-signed");
1542 this->status = CERT_GOOD;
1543 }
1544 else
1545 {
1546 this->status = CERT_UNDEFINED;
1547 }
1548
1549 return &this->public;
1550 }
1551
1552 /*
1553 * Described in header.
1554 */
1555 x509_t *x509_create_from_file(const char *filename, const char *label)
1556 {
1557 bool pgp = FALSE;
1558 chunk_t chunk = chunk_empty;
1559 char cert_label[BUF_LEN];
1560
1561 snprintf(cert_label, BUF_LEN, "%s certificate", label);
1562
1563 if (!pem_asn1_load_file(filename, NULL, cert_label, &chunk, &pgp))
1564 {
1565 return NULL;
1566 }
1567 return x509_create_from_chunk(chunk, 0);
1568 }