pubkey: Improve comparison of raw public key certificate objects
[strongswan.git] / src / libstrongswan / plugins / pubkey / pubkey_cert.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "pubkey_cert.h"
17
18 #include <time.h>
19
20 #include <utils/debug.h>
21
22 typedef struct private_pubkey_cert_t private_pubkey_cert_t;
23
24 /**
25 * private data of pubkey_cert
26 */
27 struct private_pubkey_cert_t {
28
29 /**
30 * public functions
31 */
32 pubkey_cert_t public;
33
34 /**
35 * wrapped public key
36 */
37 public_key_t *key;
38
39 /**
40 * dummy issuer id, ID_ANY
41 */
42 identification_t *issuer;
43
44 /**
45 * subject, ID_KEY_ID of the public key
46 */
47 identification_t *subject;
48
49 /**
50 * key inception time
51 */
52 time_t notBefore;
53
54 /**
55 * key expiration time
56 */
57 time_t notAfter;
58
59 /**
60 * reference count
61 */
62 refcount_t ref;
63 };
64
65 METHOD(certificate_t, get_type, certificate_type_t,
66 private_pubkey_cert_t *this)
67 {
68 return CERT_TRUSTED_PUBKEY;
69 }
70
71 METHOD(certificate_t, get_subject, identification_t*,
72 private_pubkey_cert_t *this)
73 {
74 return this->subject;
75 }
76
77 METHOD(certificate_t, get_issuer, identification_t*,
78 private_pubkey_cert_t *this)
79 {
80 return this->issuer;
81 }
82
83 METHOD(certificate_t, has_subject, id_match_t,
84 private_pubkey_cert_t *this, identification_t *subject)
85 {
86 if (subject->get_type(subject) == ID_KEY_ID)
87 {
88 cred_encoding_type_t type;
89 chunk_t fingerprint;
90
91 for (type = 0; type < CRED_ENCODING_MAX; type++)
92 {
93 if (this->key->get_fingerprint(this->key, type, &fingerprint) &&
94 chunk_equals(fingerprint, subject->get_encoding(subject)))
95 {
96 return ID_MATCH_PERFECT;
97 }
98 }
99 }
100
101 return this->subject->matches(this->subject, subject);
102 }
103
104 METHOD(certificate_t, has_issuer, id_match_t,
105 private_pubkey_cert_t *this, identification_t *issuer)
106 {
107 return ID_MATCH_NONE;
108 }
109
110 METHOD(certificate_t, equals, bool,
111 private_pubkey_cert_t *this, certificate_t *other)
112 {
113 identification_t *other_subject;
114 public_key_t *other_key;
115
116 if (this == (private_pubkey_cert_t*)other)
117 {
118 return TRUE;
119 }
120 if (other->get_type(other) != CERT_TRUSTED_PUBKEY)
121 {
122 return FALSE;
123 }
124 other_key = other->get_public_key(other);
125 if (other_key)
126 {
127 if (public_key_equals(this->key, other_key))
128 {
129 other_key->destroy(other_key);
130 other_subject = other->get_subject(other);
131 return other_subject->equals(other_subject, this->subject);
132 }
133 other_key->destroy(other_key);
134 }
135 return FALSE;
136 }
137
138 METHOD(certificate_t, issued_by, bool,
139 private_pubkey_cert_t *this, certificate_t *issuer,
140 signature_scheme_t *scheme)
141 {
142 if (scheme)
143 {
144 *scheme = SIGN_UNKNOWN;
145 }
146 return equals(this, issuer);
147 }
148
149 METHOD(certificate_t, get_public_key, public_key_t*,
150 private_pubkey_cert_t *this)
151 {
152 this->key->get_ref(this->key);
153 return this->key;
154 }
155
156 METHOD(certificate_t, get_validity, bool,
157 private_pubkey_cert_t *this, time_t *when, time_t *not_before,
158 time_t *not_after)
159 {
160 time_t t = when ? *when : time(NULL);
161
162 if (not_before)
163 {
164 *not_before = this->notBefore;
165 }
166 if (not_after)
167 {
168 *not_after = this->notAfter;
169 }
170 return ((this->notBefore == UNDEFINED_TIME || t >= this->notBefore) &&
171 (this->notAfter == UNDEFINED_TIME || t <= this->notAfter));
172 }
173
174 METHOD(certificate_t, get_encoding, bool,
175 private_pubkey_cert_t *this, cred_encoding_type_t type, chunk_t *encoding)
176 {
177 return this->key->get_encoding(this->key, type, encoding);
178 }
179
180 METHOD(certificate_t, get_ref, certificate_t*,
181 private_pubkey_cert_t *this)
182 {
183 ref_get(&this->ref);
184 return &this->public.interface;
185 }
186
187 METHOD(certificate_t, destroy, void,
188 private_pubkey_cert_t *this)
189 {
190 if (ref_put(&this->ref))
191 {
192 this->subject->destroy(this->subject);
193 this->issuer->destroy(this->issuer);
194 this->key->destroy(this->key);
195 free(this);
196 }
197 }
198
199 /*
200 * see header file
201 */
202 static pubkey_cert_t *pubkey_cert_create(public_key_t *key,
203 time_t notBefore, time_t notAfter,
204 identification_t *subject)
205 {
206 private_pubkey_cert_t *this;
207 chunk_t fingerprint;
208
209 INIT(this,
210 .public = {
211 .interface = {
212 .get_type = _get_type,
213 .get_subject = _get_subject,
214 .get_issuer = _get_issuer,
215 .has_subject = _has_subject,
216 .has_issuer = _has_issuer,
217 .issued_by = _issued_by,
218 .get_public_key = _get_public_key,
219 .get_validity = _get_validity,
220 .get_encoding = _get_encoding,
221 .equals = _equals,
222 .get_ref = _get_ref,
223 .destroy = _destroy,
224 },
225 },
226 .ref = 1,
227 .key = key,
228 .notBefore = notBefore,
229 .notAfter = notAfter,
230 .issuer = identification_create_from_encoding(ID_ANY, chunk_empty),
231 );
232
233 if (subject)
234 {
235 this->subject = subject->clone(subject);
236 }
237 else if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &fingerprint))
238 {
239 this->subject = identification_create_from_encoding(ID_KEY_ID, fingerprint);
240 }
241 else
242 {
243 this->subject = identification_create_from_encoding(ID_ANY, chunk_empty);
244 }
245
246 return &this->public;
247 }
248
249 /**
250 * See header.
251 */
252 pubkey_cert_t *pubkey_cert_wrap(certificate_type_t type, va_list args)
253 {
254 public_key_t *key = NULL;
255 chunk_t blob = chunk_empty;
256 identification_t *subject = NULL;
257 time_t notBefore = UNDEFINED_TIME, notAfter = UNDEFINED_TIME;
258
259 while (TRUE)
260 {
261 switch (va_arg(args, builder_part_t))
262 {
263 case BUILD_BLOB_ASN1_DER:
264 blob = va_arg(args, chunk_t);
265 continue;
266 case BUILD_PUBLIC_KEY:
267 key = va_arg(args, public_key_t*);
268 continue;
269 case BUILD_NOT_BEFORE_TIME:
270 notBefore = va_arg(args, time_t);
271 continue;
272 case BUILD_NOT_AFTER_TIME:
273 notAfter = va_arg(args, time_t);
274 continue;
275 case BUILD_SUBJECT:
276 subject = va_arg(args, identification_t*);
277 continue;
278 case BUILD_END:
279 break;
280 default:
281 return NULL;
282 }
283 break;
284 }
285 if (key)
286 {
287 key->get_ref(key);
288 }
289 else if (blob.ptr)
290 {
291 key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
292 BUILD_BLOB_ASN1_DER, blob, BUILD_END);
293 }
294 if (key)
295 {
296 return pubkey_cert_create(key, notBefore, notAfter, subject);
297 }
298 return NULL;
299 }
300