7d211c50a369578671b0617c84faa84a4c11755b
[strongswan.git] / src / libstrongswan / plugins / pubkey / pubkey_cert.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "pubkey_cert.h"
17
18 #include <time.h>
19
20 #include <debug.h>
21
22 typedef struct private_pubkey_cert_t private_pubkey_cert_t;
23
24 /**
25 * private data of pubkey_cert
26 */
27 struct private_pubkey_cert_t {
28
29 /**
30 * public functions
31 */
32 pubkey_cert_t public;
33
34 /**
35 * wrapped public key
36 */
37 public_key_t *key;
38
39 /**
40 * dummy issuer id, ID_ANY
41 */
42 identification_t *issuer;
43
44 /**
45 * subject, ID_KEY_ID of the public key
46 */
47 identification_t *subject;
48
49 /**
50 * key inception time
51 */
52 time_t notBefore;
53
54 /**
55 * key expiration time
56 */
57 time_t notAfter;
58 /**
59 * reference count
60 */
61 refcount_t ref;
62 };
63
64 METHOD(certificate_t, get_type, certificate_type_t,
65 private_pubkey_cert_t *this)
66 {
67 return CERT_TRUSTED_PUBKEY;
68 }
69
70 METHOD(certificate_t, get_subject, identification_t*,
71 private_pubkey_cert_t *this)
72 {
73 return this->subject;
74 }
75
76 METHOD(certificate_t, get_issuer, identification_t*,
77 private_pubkey_cert_t *this)
78 {
79 return this->issuer;
80 }
81
82 METHOD(certificate_t, has_subject, id_match_t,
83 private_pubkey_cert_t *this, identification_t *subject)
84 {
85 if (subject->get_type(subject) == ID_KEY_ID)
86 {
87 cred_encoding_type_t type;
88 chunk_t fingerprint;
89
90 for (type = 0; type < CRED_ENCODING_MAX; type++)
91 {
92 if (this->key->get_fingerprint(this->key, type, &fingerprint) &&
93 chunk_equals(fingerprint, subject->get_encoding(subject)))
94 {
95 return ID_MATCH_PERFECT;
96 }
97 }
98 }
99
100 return this->subject->matches(this->subject, subject);
101 }
102
103 METHOD(certificate_t, has_issuer, id_match_t,
104 private_pubkey_cert_t *this, identification_t *issuer)
105 {
106 return ID_MATCH_NONE;
107 }
108
109 METHOD(certificate_t, equals, bool,
110 private_pubkey_cert_t *this, certificate_t *other)
111 {
112 public_key_t *other_key;
113
114 other_key = other->get_public_key(other);
115 if (other_key)
116 {
117 if (public_key_equals(this->key, other_key))
118 {
119 other_key->destroy(other_key);
120 return TRUE;
121 }
122 other_key->destroy(other_key);
123 }
124 return FALSE;
125 }
126
127 METHOD(certificate_t, issued_by, bool,
128 private_pubkey_cert_t *this, certificate_t *issuer)
129 {
130 return equals(this, issuer);
131 }
132
133 METHOD(certificate_t, get_public_key, public_key_t*,
134 private_pubkey_cert_t *this)
135 {
136 this->key->get_ref(this->key);
137 return this->key;
138 }
139
140 METHOD(certificate_t, get_validity, bool,
141 private_pubkey_cert_t *this, time_t *when, time_t *not_before,
142 time_t *not_after)
143 {
144 time_t t = when ? *when : time(NULL);
145
146 if (not_before)
147 {
148 *not_before = this->notBefore;
149 }
150 if (not_after)
151 {
152 *not_after = this->notAfter;
153 }
154 return ((this->notBefore == UNDEFINED_TIME || t >= this->notBefore) &&
155 (this->notAfter == UNDEFINED_TIME || t <= this->notAfter));
156 }
157
158 METHOD(certificate_t, get_encoding, bool,
159 private_pubkey_cert_t *this, cred_encoding_type_t type, chunk_t *encoding)
160 {
161 return this->key->get_encoding(this->key, type, encoding);
162 }
163
164 METHOD(certificate_t, get_ref, certificate_t*,
165 private_pubkey_cert_t *this)
166 {
167 ref_get(&this->ref);
168 return &this->public.interface;
169 }
170
171 METHOD(certificate_t, destroy, void,
172 private_pubkey_cert_t *this)
173 {
174 if (ref_put(&this->ref))
175 {
176 this->subject->destroy(this->subject);
177 this->issuer->destroy(this->issuer);
178 this->key->destroy(this->key);
179 free(this);
180 }
181 }
182
183 /*
184 * see header file
185 */
186 static pubkey_cert_t *pubkey_cert_create(public_key_t *key,
187 time_t notBefore, time_t notAfter,
188 identification_t *subject)
189 {
190 private_pubkey_cert_t *this;
191 chunk_t fingerprint;
192
193 INIT(this,
194 .public = {
195 .interface = {
196 .get_type = _get_type,
197 .get_subject = _get_subject,
198 .get_issuer = _get_issuer,
199 .has_subject = _has_subject,
200 .has_issuer = _has_issuer,
201 .issued_by = _issued_by,
202 .get_public_key = _get_public_key,
203 .get_validity = _get_validity,
204 .get_encoding = _get_encoding,
205 .equals = _equals,
206 .get_ref = _get_ref,
207 .destroy = _destroy,
208 },
209 },
210 .ref = 1,
211 .key = key,
212 .notBefore = notBefore,
213 .notAfter = notAfter,
214 .issuer = identification_create_from_encoding(ID_ANY, chunk_empty),
215 );
216
217 if (subject)
218 {
219 this->subject = subject->clone(subject);
220 }
221 else if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &fingerprint))
222 {
223 this->subject = identification_create_from_encoding(ID_KEY_ID, fingerprint);
224 }
225 else
226 {
227 this->subject = identification_create_from_encoding(ID_ANY, chunk_empty);
228 }
229
230 return &this->public;
231 }
232
233 /**
234 * See header.
235 */
236 pubkey_cert_t *pubkey_cert_wrap(certificate_type_t type, va_list args)
237 {
238 public_key_t *key = NULL;
239 chunk_t blob = chunk_empty;
240 identification_t *subject = NULL;
241 time_t notBefore = UNDEFINED_TIME, notAfter = UNDEFINED_TIME;
242
243 while (TRUE)
244 {
245 switch (va_arg(args, builder_part_t))
246 {
247 case BUILD_BLOB_ASN1_DER:
248 blob = va_arg(args, chunk_t);
249 continue;
250 case BUILD_PUBLIC_KEY:
251 key = va_arg(args, public_key_t*);
252 continue;
253 case BUILD_NOT_BEFORE_TIME:
254 notBefore = va_arg(args, time_t);
255 continue;
256 case BUILD_NOT_AFTER_TIME:
257 notAfter = va_arg(args, time_t);
258 continue;
259 case BUILD_SUBJECT:
260 subject = va_arg(args, identification_t*);
261 continue;
262 case BUILD_END:
263 break;
264 default:
265 return NULL;
266 }
267 break;
268 }
269 if (key)
270 {
271 key->get_ref(key);
272 }
273 else if (blob.ptr)
274 {
275 key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
276 BUILD_BLOB_ASN1_DER, blob, BUILD_END);
277 }
278 if (key)
279 {
280 return pubkey_cert_create(key, notBefore, notAfter, subject);
281 }
282 return NULL;
283 }
284