219b0cbac4b6e4186a357fbe19b00df54978e69a
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_ac.c
1 /*
2 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
3 * Copyright (C) 2003 Martin Berner, Lukas Suter
4 * Copyright (C) 2002-2008 Andreas Steffen
5 *
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "x509_ac.h"
20 #include "ietf_attr_list.h"
21
22 #include <time.h>
23
24 #include <library.h>
25 #include <debug.h>
26 #include <asn1/oid.h>
27 #include <asn1/asn1.h>
28 #include <asn1/asn1_parser.h>
29 #include <utils/identification.h>
30 #include <utils/linked_list.h>
31 #include <credentials/certificates/x509.h>
32 #include <credentials/keys/private_key.h>
33
34 extern chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob,
35 int level0, chunk_t *authKeySerialNumber);
36
37 typedef struct private_x509_ac_t private_x509_ac_t;
38
39 /**
40 * private data of x509_ac_t object
41 */
42 struct private_x509_ac_t {
43
44 /**
45 * public functions
46 */
47 x509_ac_t public;
48
49 /**
50 * X.509 attribute certificate encoding in ASN.1 DER format
51 */
52 chunk_t encoding;
53
54 /**
55 * X.509 attribute certificate body over which signature is computed
56 */
57 chunk_t certificateInfo;
58
59 /**
60 * Version of the X.509 attribute certificate
61 */
62 u_int version;
63
64 /**
65 * Serial number of the X.509 attribute certificate
66 */
67 chunk_t serialNumber;
68
69 /**
70 * ID representing the issuer of the holder certificate
71 */
72 identification_t *holderIssuer;
73
74 /**
75 * Serial number of the holder certificate
76 */
77 chunk_t holderSerial;
78
79 /**
80 * ID representing the holder
81 */
82 identification_t *entityName;
83
84 /**
85 * ID representing the attribute certificate issuer
86 */
87 identification_t *issuerName;
88
89 /**
90 * Start time of certificate validity
91 */
92 time_t notBefore;
93
94 /**
95 * End time of certificate validity
96 */
97 time_t notAfter;
98
99 /**
100 * List of charging attributes
101 */
102 linked_list_t *charging;
103
104 /**
105 * List of groub attributes
106 */
107 linked_list_t *groups;
108
109 /**
110 * Authority Key Identifier
111 */
112 chunk_t authKeyIdentifier;
113
114 /**
115 * Authority Key Serial Number
116 */
117 chunk_t authKeySerialNumber;
118
119 /**
120 * No revocation information available
121 */
122 bool noRevAvail;
123
124 /**
125 * Signature algorithm
126 */
127 int algorithm;
128
129 /**
130 * Signature
131 */
132 chunk_t signature;
133
134 /**
135 * Holder certificate
136 */
137 certificate_t *holderCert;
138
139 /**
140 * Signer certificate
141 */
142 certificate_t *signerCert;
143
144 /**
145 * Signer private key;
146 */
147 private_key_t *signerKey;
148
149 /**
150 * reference count
151 */
152 refcount_t ref;
153 };
154
155 static u_char ASN1_group_oid_str[] = {
156 0x06, 0x08,
157 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0a ,0x04
158 };
159
160 static const chunk_t ASN1_group_oid = chunk_from_buf(ASN1_group_oid_str);
161
162 static u_char ASN1_authorityKeyIdentifier_oid_str[] = {
163 0x06, 0x03,
164 0x55, 0x1d, 0x23
165 };
166
167 static const chunk_t ASN1_authorityKeyIdentifier_oid =
168 chunk_from_buf(ASN1_authorityKeyIdentifier_oid_str);
169
170 static u_char ASN1_noRevAvail_ext_str[] = {
171 0x30, 0x09,
172 0x06, 0x03,
173 0x55, 0x1d, 0x38,
174 0x04, 0x02,
175 0x05, 0x00
176 };
177
178 static const chunk_t ASN1_noRevAvail_ext = chunk_from_buf(ASN1_noRevAvail_ext_str);
179
180 /**
181 * declaration of function implemented in x509_cert.c
182 */
183 extern void x509_parse_generalNames(chunk_t blob, int level0, bool implicit,
184 linked_list_t *list);
185 /**
186 * parses a directoryName
187 */
188 static bool parse_directoryName(chunk_t blob, int level, bool implicit, identification_t **name)
189 {
190 bool has_directoryName;
191 linked_list_t *list = linked_list_create();
192
193 x509_parse_generalNames(blob, level, implicit, list);
194 has_directoryName = list->get_count(list) > 0;
195
196 if (has_directoryName)
197 {
198 iterator_t *iterator = list->create_iterator(list, TRUE);
199 identification_t *directoryName;
200 bool first = TRUE;
201
202 while (iterator->iterate(iterator, (void**)&directoryName))
203 {
204 if (first)
205 {
206 *name = directoryName;
207 first = FALSE;
208 }
209 else
210 {
211 DBG1("more than one directory name - first selected");
212 directoryName->destroy(directoryName);
213 }
214 }
215 iterator->destroy(iterator);
216 }
217 else
218 {
219 DBG1("no directoryName found");
220 }
221
222 list->destroy(list);
223 return has_directoryName;
224 }
225
226 /**
227 * ASN.1 definition of roleSyntax
228 */
229 static const asn1Object_t roleSyntaxObjects[] =
230 {
231 { 0, "roleSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
232 { 1, "roleAuthority", ASN1_CONTEXT_C_0, ASN1_OPT |
233 ASN1_OBJ }, /* 1 */
234 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
235 { 1, "roleName", ASN1_CONTEXT_C_1, ASN1_OBJ }, /* 3 */
236 { 0, "exit", ASN1_EOC, ASN1_EXIT }
237 };
238
239 /**
240 * Parses roleSyntax
241 */
242 static void parse_roleSyntax(chunk_t blob, int level0)
243 {
244 asn1_parser_t *parser;
245 chunk_t object;
246 int objectID;
247
248 parser = asn1_parser_create(roleSyntaxObjects, blob);
249 parser->set_top_level(parser, level0);
250
251 while (parser->iterate(parser, &objectID, &object))
252 {
253 switch (objectID)
254 {
255 default:
256 break;
257 }
258 }
259 parser->destroy(parser);
260 }
261
262 /**
263 * ASN.1 definition of an X509 attribute certificate
264 */
265 static const asn1Object_t acObjects[] =
266 {
267 { 0, "AttributeCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
268 { 1, "AttributeCertificateInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
269 { 2, "version", ASN1_INTEGER, ASN1_DEF |
270 ASN1_BODY }, /* 2 */
271 { 2, "holder", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */
272 { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 4 */
273 { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */
274 { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 6 */
275 { 4, "issuerUID", ASN1_BIT_STRING, ASN1_OPT |
276 ASN1_BODY }, /* 7 */
277 { 4, "end opt", ASN1_EOC, ASN1_END }, /* 8 */
278 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
279 { 3, "entityName", ASN1_CONTEXT_C_1, ASN1_OPT |
280 ASN1_OBJ }, /* 10 */
281 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
282 { 3, "objectDigestInfo", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 12 */
283 { 4, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 13 */
284 { 4, "otherObjectTypeID", ASN1_OID, ASN1_OPT |
285 ASN1_BODY }, /* 14 */
286 { 4, "end opt", ASN1_EOC, ASN1_END }, /* 15 */
287 { 4, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 16 */
288 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 17 */
289 { 2, "v2Form", ASN1_CONTEXT_C_0, ASN1_NONE }, /* 18 */
290 { 3, "issuerName", ASN1_SEQUENCE, ASN1_OPT |
291 ASN1_OBJ }, /* 19 */
292 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */
293 { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 21 */
294 { 4, "issuerSerial", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */
295 { 5, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 23 */
296 { 5, "serial", ASN1_INTEGER, ASN1_BODY }, /* 24 */
297 { 5, "issuerUID", ASN1_BIT_STRING, ASN1_OPT |
298 ASN1_BODY }, /* 25 */
299 { 5, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
300 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 27 */
301 { 3, "objectDigestInfo", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 28 */
302 { 4, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 29 */
303 { 5, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 30 */
304 { 5, "otherObjectTypeID", ASN1_OID, ASN1_OPT |
305 ASN1_BODY }, /* 31 */
306 { 5, "end opt", ASN1_EOC, ASN1_END }, /* 32 */
307 { 5, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 33 */
308 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 34 */
309 { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 35 */
310 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 36 */
311 { 2, "attrCertValidityPeriod", ASN1_SEQUENCE, ASN1_NONE }, /* 37 */
312 { 3, "notBeforeTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */
313 { 3, "notAfterTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */
314 { 2, "attributes", ASN1_SEQUENCE, ASN1_LOOP }, /* 40 */
315 { 3, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 41 */
316 { 4, "type", ASN1_OID, ASN1_BODY }, /* 42 */
317 { 4, "values", ASN1_SET, ASN1_LOOP }, /* 43 */
318 { 5, "value", ASN1_EOC, ASN1_RAW }, /* 44 */
319 { 4, "end loop", ASN1_EOC, ASN1_END }, /* 45 */
320 { 2, "end loop", ASN1_EOC, ASN1_END }, /* 46 */
321 { 2, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 47 */
322 { 3, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 48 */
323 { 4, "extnID", ASN1_OID, ASN1_BODY }, /* 49 */
324 { 4, "critical", ASN1_BOOLEAN, ASN1_DEF |
325 ASN1_BODY }, /* 50 */
326 { 4, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 51 */
327 { 2, "end loop", ASN1_EOC, ASN1_END }, /* 52 */
328 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 53 */
329 { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY }, /* 54 */
330 { 0, "exit", ASN1_EOC, ASN1_EXIT }
331 };
332 #define AC_OBJ_CERTIFICATE_INFO 1
333 #define AC_OBJ_VERSION 2
334 #define AC_OBJ_HOLDER_ISSUER 5
335 #define AC_OBJ_HOLDER_SERIAL 6
336 #define AC_OBJ_ENTITY_NAME 10
337 #define AC_OBJ_ISSUER_NAME 19
338 #define AC_OBJ_ISSUER 23
339 #define AC_OBJ_SIG_ALG 35
340 #define AC_OBJ_SERIAL_NUMBER 36
341 #define AC_OBJ_NOT_BEFORE 38
342 #define AC_OBJ_NOT_AFTER 39
343 #define AC_OBJ_ATTRIBUTE_TYPE 42
344 #define AC_OBJ_ATTRIBUTE_VALUE 44
345 #define AC_OBJ_EXTN_ID 49
346 #define AC_OBJ_CRITICAL 50
347 #define AC_OBJ_EXTN_VALUE 51
348 #define AC_OBJ_ALGORITHM 53
349 #define AC_OBJ_SIGNATURE 54
350
351 /**
352 * Parses an X.509 attribute certificate
353 */
354 static bool parse_certificate(private_x509_ac_t *this)
355 {
356 asn1_parser_t *parser;
357 chunk_t object;
358 int objectID;
359 int type = OID_UNKNOWN;
360 int extn_oid = OID_UNKNOWN;
361 int sig_alg = OID_UNKNOWN;
362 bool success = FALSE;
363 bool critical;
364
365 parser = asn1_parser_create(acObjects, this->encoding);
366
367 while (parser->iterate(parser, &objectID, &object))
368 {
369 u_int level = parser->get_level(parser)+1;
370
371 switch (objectID)
372 {
373 case AC_OBJ_CERTIFICATE_INFO:
374 this->certificateInfo = object;
375 break;
376 case AC_OBJ_VERSION:
377 this->version = (object.len) ? (1 + (u_int)*object.ptr) : 1;
378 DBG2(" v%d", this->version);
379 if (this->version != 2)
380 {
381 DBG1("v%d attribute certificates are not supported", this->version);
382 goto end;
383 }
384 break;
385 case AC_OBJ_HOLDER_ISSUER:
386 if (!parse_directoryName(object, level, FALSE, &this->holderIssuer))
387 {
388 goto end;
389 }
390 break;
391 case AC_OBJ_HOLDER_SERIAL:
392 this->holderSerial = object;
393 break;
394 case AC_OBJ_ENTITY_NAME:
395 if (!parse_directoryName(object, level, TRUE, &this->entityName))
396 {
397 goto end;
398 }
399 break;
400 case AC_OBJ_ISSUER_NAME:
401 if (!parse_directoryName(object, level, FALSE, &this->issuerName))
402 {
403 goto end;
404 }
405 break;
406 case AC_OBJ_SIG_ALG:
407 sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
408 break;
409 case AC_OBJ_SERIAL_NUMBER:
410 this->serialNumber = chunk_clone(object);
411 break;
412 case AC_OBJ_NOT_BEFORE:
413 this->notBefore = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
414 break;
415 case AC_OBJ_NOT_AFTER:
416 this->notAfter = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
417 break;
418 case AC_OBJ_ATTRIBUTE_TYPE:
419 type = asn1_known_oid(object);
420 break;
421 case AC_OBJ_ATTRIBUTE_VALUE:
422 {
423 switch (type)
424 {
425 case OID_AUTHENTICATION_INFO:
426 DBG2(" need to parse authenticationInfo");
427 break;
428 case OID_ACCESS_IDENTITY:
429 DBG2(" need to parse accessIdentity");
430 break;
431 case OID_CHARGING_IDENTITY:
432 ietfAttr_list_create_from_chunk(object, this->charging, level);
433 break;
434 case OID_GROUP:
435 ietfAttr_list_create_from_chunk(object, this->groups, level);
436 break;
437 case OID_ROLE:
438 parse_roleSyntax(object, level);
439 break;
440 default:
441 break;
442 }
443 break;
444 }
445 case AC_OBJ_EXTN_ID:
446 extn_oid = asn1_known_oid(object);
447 break;
448 case AC_OBJ_CRITICAL:
449 critical = object.len && *object.ptr;
450 DBG2(" %s",(critical)?"TRUE":"FALSE");
451 break;
452 case AC_OBJ_EXTN_VALUE:
453 {
454 switch (extn_oid)
455 {
456 case OID_CRL_DISTRIBUTION_POINTS:
457 DBG2(" need to parse crlDistributionPoints");
458 break;
459 case OID_AUTHORITY_KEY_ID:
460 this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
461 level, &this->authKeySerialNumber);
462 break;
463 case OID_TARGET_INFORMATION:
464 DBG2(" need to parse targetInformation");
465 break;
466 case OID_NO_REV_AVAIL:
467 this->noRevAvail = TRUE;
468 break;
469 default:
470 break;
471 }
472 break;
473 }
474 case AC_OBJ_ALGORITHM:
475 this->algorithm = asn1_parse_algorithmIdentifier(object, level,
476 NULL);
477 if (this->algorithm != sig_alg)
478 {
479 DBG1(" signature algorithms do not agree");
480 success = FALSE;
481 goto end;
482 }
483 break;
484 case AC_OBJ_SIGNATURE:
485 this->signature = object;
486 break;
487 default:
488 break;
489 }
490 }
491 success = parser->success(parser);
492
493 end:
494 parser->destroy(parser);
495 return success;
496 }
497
498 /**
499 * build directoryName
500 */
501 static chunk_t build_directoryName(asn1_t tag, chunk_t name)
502 {
503 return asn1_wrap(tag, "m",
504 asn1_simple_object(ASN1_CONTEXT_C_4, name));
505 }
506
507 /**
508 * build holder
509 */
510 static chunk_t build_holder(private_x509_ac_t *this)
511 {
512 x509_t* x509 = (x509_t*)this->holderCert;
513 identification_t *issuer = this->holderCert->get_issuer(this->holderCert);
514 identification_t *subject = this->holderCert->get_subject(this->holderCert);
515
516 return asn1_wrap(ASN1_SEQUENCE, "mm",
517 asn1_wrap(ASN1_CONTEXT_C_0, "mm",
518 build_directoryName(ASN1_SEQUENCE, issuer->get_encoding(issuer)),
519 asn1_simple_object(ASN1_INTEGER, x509->get_serial(x509))
520 ),
521 build_directoryName(ASN1_CONTEXT_C_1, subject->get_encoding(subject)));
522 }
523
524 /**
525 * build v2Form
526 */
527 static chunk_t build_v2_form(private_x509_ac_t *this)
528 {
529 identification_t *subject = this->signerCert->get_subject(this->signerCert);
530
531 return asn1_wrap(ASN1_CONTEXT_C_0, "m",
532 build_directoryName(ASN1_SEQUENCE, subject->get_encoding(subject)));
533 }
534
535 /**
536 * build attrCertValidityPeriod
537 */
538 static chunk_t build_attr_cert_validity(private_x509_ac_t *this)
539 {
540 return asn1_wrap(ASN1_SEQUENCE, "mm",
541 asn1_from_time(&this->notBefore, ASN1_GENERALIZEDTIME),
542 asn1_from_time(&this->notAfter, ASN1_GENERALIZEDTIME));
543 }
544
545
546 /**
547 * build attribute type
548 */
549 static chunk_t build_attribute_type(const chunk_t type, chunk_t content)
550 {
551 return asn1_wrap(ASN1_SEQUENCE, "cm",
552 type,
553 asn1_wrap(ASN1_SET, "m", content));
554 }
555
556 /**
557 * build attributes
558 */
559 static chunk_t build_attributes(private_x509_ac_t *this)
560 {
561 return asn1_wrap(ASN1_SEQUENCE, "m",
562 build_attribute_type(ASN1_group_oid, ietfAttr_list_encode(this->groups)));
563 }
564
565 /**
566 * build authorityKeyIdentifier
567 */
568 static chunk_t build_authorityKeyIdentifier(private_x509_ac_t *this)
569 {
570 chunk_t keyIdentifier = chunk_empty;
571 chunk_t authorityCertIssuer;
572 chunk_t authorityCertSerialNumber;
573 identification_t *issuer;
574 public_key_t *public;
575 x509_t *x509;
576
577 x509 = (x509_t*)this->signerCert;
578 issuer = this->signerCert->get_issuer(this->signerCert);
579 public = this->signerCert->get_public_key(this->signerCert);
580 if (public)
581 {
582 if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyIdentifier))
583 {
584 this->authKeyIdentifier = chunk_clone(keyIdentifier);
585 }
586 public->destroy(public);
587 }
588 authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1,
589 issuer->get_encoding(issuer));
590 authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2,
591 x509->get_serial(x509));
592 return asn1_wrap(ASN1_SEQUENCE, "cm",
593 ASN1_authorityKeyIdentifier_oid,
594 asn1_wrap(ASN1_OCTET_STRING, "m",
595 asn1_wrap(ASN1_SEQUENCE, "cmm",
596 keyIdentifier,
597 authorityCertIssuer,
598 authorityCertSerialNumber
599 )
600 )
601 );
602 }
603
604 /**
605 * build extensions
606 */
607 static chunk_t build_extensions(private_x509_ac_t *this)
608 {
609 return asn1_wrap(ASN1_SEQUENCE, "mc",
610 build_authorityKeyIdentifier(this),
611 ASN1_noRevAvail_ext);
612 }
613
614 /**
615 * build attributeCertificateInfo
616 */
617 static chunk_t build_attr_cert_info(private_x509_ac_t *this)
618 {
619 return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmm",
620 ASN1_INTEGER_1,
621 build_holder(this),
622 build_v2_form(this),
623 asn1_algorithmIdentifier(OID_SHA1_WITH_RSA),
624 asn1_simple_object(ASN1_INTEGER, this->serialNumber),
625 build_attr_cert_validity(this),
626 build_attributes(this),
627 build_extensions(this));
628 }
629
630
631 /**
632 * build an X.509 attribute certificate
633 */
634 static chunk_t build_ac(private_x509_ac_t *this)
635 {
636 chunk_t signatureValue;
637 chunk_t attributeCertificateInfo;
638
639 attributeCertificateInfo = build_attr_cert_info(this);
640
641 this->signerKey->sign(this->signerKey, SIGN_RSA_EMSA_PKCS1_SHA1,
642 attributeCertificateInfo, &signatureValue);
643
644 return asn1_wrap(ASN1_SEQUENCE, "mmm",
645 attributeCertificateInfo,
646 asn1_algorithmIdentifier(OID_SHA1_WITH_RSA),
647 asn1_bitstring("m", signatureValue));
648 }
649
650 /**
651 * Implementation of ac_t.get_serial.
652 */
653 static chunk_t get_serial(private_x509_ac_t *this)
654 {
655 return this->serialNumber;
656 }
657
658 /**
659 * Implementation of ac_t.get_holderSerial.
660 */
661 static chunk_t get_holderSerial(private_x509_ac_t *this)
662 {
663 return this->holderSerial;
664 }
665
666 /**
667 * Implementation of ac_t.get_holderIssuer.
668 */
669 static identification_t* get_holderIssuer(private_x509_ac_t *this)
670 {
671 return this->holderIssuer;
672 }
673
674 /**
675 * Implementation of ac_t.get_authKeyIdentifier.
676 */
677 static chunk_t get_authKeyIdentifier(private_x509_ac_t *this)
678 {
679 return this->authKeyIdentifier;
680 }
681
682 /**
683 * Implementation of certificate_t.get_type
684 */
685 static certificate_type_t get_type(private_x509_ac_t *this)
686 {
687 return CERT_X509_AC;
688 }
689
690 /**
691 * Implementation of certificate_t.get_subject
692 */
693 static identification_t* get_subject(private_x509_ac_t *this)
694 {
695 return this->entityName;
696 }
697
698 /**
699 * Implementation of certificate_t.get_issuer
700 */
701 static identification_t* get_issuer(private_x509_ac_t *this)
702 {
703 return this->issuerName;
704 }
705
706 /**
707 * Implementation of certificate_t.has_subject.
708 */
709 static id_match_t has_subject(private_x509_ac_t *this, identification_t *subject)
710 {
711 return ID_MATCH_NONE;
712 }
713
714 /**
715 * Implementation of certificate_t.has_issuer.
716 */
717 static id_match_t has_issuer(private_x509_ac_t *this, identification_t *issuer)
718 {
719 if (issuer->get_type(issuer) == ID_KEY_ID && this->authKeyIdentifier.ptr &&
720 chunk_equals(this->authKeyIdentifier, issuer->get_encoding(issuer)))
721 {
722 return ID_MATCH_PERFECT;
723 }
724 return this->issuerName->matches(this->issuerName, issuer);
725 }
726
727 /**
728 * Implementation of certificate_t.issued_by
729 */
730 static bool issued_by(private_x509_ac_t *this, certificate_t *issuer)
731 {
732 public_key_t *key;
733 signature_scheme_t scheme;
734 bool valid;
735 x509_t *x509 = (x509_t*)issuer;
736
737 /* check if issuer is an X.509 AA certificate */
738 if (issuer->get_type(issuer) != CERT_X509)
739 {
740 return FALSE;
741 }
742 if (!(x509->get_flags(x509) & X509_AA))
743 {
744 return FALSE;
745 }
746
747 /* get the public key of the issuer */
748 key = issuer->get_public_key(issuer);
749
750 /* compare keyIdentifiers if available, otherwise use DNs */
751 if (this->authKeyIdentifier.ptr && key)
752 {
753 chunk_t fingerprint;
754
755 if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) ||
756 !chunk_equals(fingerprint, this->authKeyIdentifier))
757 {
758 return FALSE;
759 }
760 }
761 else
762 {
763 if (!this->issuerName->equals(this->issuerName,
764 issuer->get_subject(issuer)))
765 {
766 return FALSE;
767 }
768 }
769
770 /* determine signature scheme */
771 scheme = signature_scheme_from_oid(this->algorithm);
772
773 if (scheme == SIGN_UNKNOWN || key == NULL)
774 {
775 return FALSE;
776 }
777 valid = key->verify(key, scheme, this->certificateInfo, this->signature);
778 key->destroy(key);
779 return valid;
780 }
781
782 /**
783 * Implementation of certificate_t.get_public_key.
784 */
785 static public_key_t* get_public_key(private_x509_ac_t *this)
786 {
787 return NULL;
788 }
789
790 /**
791 * Implementation of certificate_t.get_ref.
792 */
793 static private_x509_ac_t* get_ref(private_x509_ac_t *this)
794 {
795 ref_get(&this->ref);
796 return this;
797 }
798
799 /**
800 * Implementation of certificate_t.get_validity.
801 */
802 static bool get_validity(private_x509_ac_t *this, time_t *when,
803 time_t *not_before, time_t *not_after)
804 {
805 time_t t;
806
807 if (when)
808 {
809 t = *when;
810 }
811 else
812 {
813 t = time(NULL);
814 }
815 if (not_before)
816 {
817 *not_before = this->notBefore;
818 }
819 if (not_after)
820 {
821 *not_after = this->notAfter;
822 }
823 return (t >= this->notBefore && t <= this->notAfter);
824 }
825
826 /**
827 * Implementation of certificate_t.is_newer.
828 */
829 static bool is_newer(private_x509_ac_t *this, ac_t *that)
830 {
831 certificate_t *this_cert = &this->public.interface.certificate;
832 certificate_t *that_cert = &that->certificate;
833 time_t this_update, that_update, now = time(NULL);
834 bool new;
835
836 this_cert->get_validity(this_cert, &now, &this_update, NULL);
837 that_cert->get_validity(that_cert, &now, &that_update, NULL);
838 new = this_update > that_update;
839 DBG1(" attr cert from %T is %s - existing attr_cert from %T %s",
840 &this_update, FALSE, new ? "newer":"not newer",
841 &that_update, FALSE, new ? "replaced":"retained");
842 return new;
843 }
844
845 /**
846 * Implementation of certificate_t.get_encoding.
847 */
848 static chunk_t get_encoding(private_x509_ac_t *this)
849 {
850 return chunk_clone(this->encoding);
851 }
852
853 /**
854 * Implementation of certificate_t.equals.
855 */
856 static bool equals(private_x509_ac_t *this, certificate_t *other)
857 {
858 chunk_t encoding;
859 bool equal;
860
861 if ((certificate_t*)this == other)
862 {
863 return TRUE;
864 }
865 if (other->equals == (void*)equals)
866 { /* skip allocation if we have the same implementation */
867 return chunk_equals(this->encoding, ((private_x509_ac_t*)other)->encoding);
868 }
869 encoding = other->get_encoding(other);
870 equal = chunk_equals(this->encoding, encoding);
871 free(encoding.ptr);
872 return equal;
873 }
874
875 /**
876 * Implementation of x509_ac_t.destroy
877 */
878 static void destroy(private_x509_ac_t *this)
879 {
880 if (ref_put(&this->ref))
881 {
882 DESTROY_IF(this->holderIssuer);
883 DESTROY_IF(this->entityName);
884 DESTROY_IF(this->issuerName);
885 DESTROY_IF(this->holderCert);
886 DESTROY_IF(this->signerCert);
887 DESTROY_IF(this->signerKey);
888
889 ietfAttr_list_destroy(this->charging);
890 ietfAttr_list_destroy(this->groups);
891 free(this->serialNumber.ptr);
892 free(this->authKeyIdentifier.ptr);
893 free(this->encoding.ptr);
894 free(this);
895 }
896 }
897
898 /**
899 * create an empty but initialized X.509 attribute certificate
900 */
901 static private_x509_ac_t *create_empty(void)
902 {
903 private_x509_ac_t *this = malloc_thing(private_x509_ac_t);
904
905 /* public functions */
906 this->public.interface.get_serial = (chunk_t (*)(ac_t*))get_serial;
907 this->public.interface.get_holderSerial = (chunk_t (*)(ac_t*))get_holderSerial;
908 this->public.interface.get_holderIssuer = (identification_t* (*)(ac_t*))get_holderIssuer;
909 this->public.interface.get_authKeyIdentifier = (chunk_t(*)(ac_t*))get_authKeyIdentifier;
910 this->public.interface.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
911 this->public.interface.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
912 this->public.interface.certificate.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
913 this->public.interface.certificate.has_subject = (id_match_t(*)(certificate_t*, identification_t *subject))has_subject;
914 this->public.interface.certificate.has_issuer = (id_match_t(*)(certificate_t*, identification_t *issuer))has_issuer;
915 this->public.interface.certificate.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
916 this->public.interface.certificate.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
917 this->public.interface.certificate.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
918 this->public.interface.certificate.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer;
919 this->public.interface.certificate.get_encoding = (chunk_t(*)(certificate_t*))get_encoding;
920 this->public.interface.certificate.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
921 this->public.interface.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
922 this->public.interface.certificate.destroy = (void (*)(certificate_t *this))destroy;
923
924 /* initialize */
925 this->encoding = chunk_empty;
926 this->serialNumber = chunk_empty;
927 this->holderSerial = chunk_empty;
928 this->authKeyIdentifier = chunk_empty;
929 this->holderIssuer = NULL;
930 this->entityName = NULL;
931 this->issuerName = NULL;
932 this->holderCert = NULL;
933 this->signerCert = NULL;
934 this->signerKey = NULL;
935 this->charging = linked_list_create();
936 this->groups = linked_list_create();
937 this->ref = 1;
938
939 return this;
940 }
941
942 /**
943 * create X.509 attribute certificate from a chunk
944 */
945 static private_x509_ac_t* create_from_chunk(chunk_t chunk)
946 {
947 private_x509_ac_t *this = create_empty();
948
949 this->encoding = chunk;
950 if (!parse_certificate(this))
951 {
952 destroy(this);
953 return NULL;
954 }
955 return this;
956 }
957
958 typedef struct private_builder_t private_builder_t;
959 /**
960 * Builder implementation for certificate loading
961 */
962 struct private_builder_t {
963 /** implements the builder interface */
964 builder_t public;
965 /** X.509 attribute certificate to build */
966 private_x509_ac_t *ac;
967 };
968
969 /**
970 * Implementation of builder_t.build
971 */
972 static private_x509_ac_t* build(private_builder_t *this)
973 {
974 private_x509_ac_t *ac = this->ac;
975
976 free(this);
977
978 /* synthesis if encoding does not exist */
979 if (ac && ac->encoding.ptr == NULL)
980 {
981 if (ac->holderCert && ac->signerCert && ac->signerKey)
982 {
983 ac->encoding = build_ac(ac);
984 return ac;
985 }
986 destroy(ac);
987 return NULL;
988 }
989 else
990 {
991 return ac;
992 }
993 }
994
995 /**
996 * Implementation of builder_t.add
997 */
998 static void add(private_builder_t *this, builder_part_t part, ...)
999 {
1000 va_list args;
1001 certificate_t *cert;
1002 chunk_t chunk;
1003
1004 va_start(args, part);
1005 switch (part)
1006 {
1007 case BUILD_BLOB_ASN1_DER:
1008 if (this->ac)
1009 {
1010 destroy(this->ac);
1011 }
1012 chunk = va_arg(args, chunk_t);
1013 this->ac = create_from_chunk(chunk_clone(chunk));
1014 break;
1015 case BUILD_NOT_BEFORE_TIME:
1016 this->ac->notBefore = va_arg(args, time_t);
1017 break;
1018 case BUILD_NOT_AFTER_TIME:
1019 this->ac->notAfter = va_arg(args, time_t);
1020 break;
1021 case BUILD_SERIAL:
1022 chunk = va_arg(args, chunk_t);
1023 this->ac->serialNumber = chunk_clone(chunk);
1024 break;
1025 case BUILD_IETF_GROUP_ATTR:
1026 ietfAttr_list_create_from_string(va_arg(args, char*),
1027 this->ac->groups);
1028 break;
1029 case BUILD_CERT:
1030 cert = va_arg(args, certificate_t*);
1031 if (cert->get_type(cert) == CERT_X509)
1032 {
1033 this->ac->holderCert = cert->get_ref(cert);
1034 }
1035 break;
1036 case BUILD_SIGNING_CERT:
1037 cert = va_arg(args, certificate_t*);
1038 if (cert->get_type(cert) == CERT_X509)
1039 {
1040 this->ac->signerCert = cert->get_ref(cert);
1041 }
1042 break;
1043 case BUILD_SIGNING_KEY:
1044 this->ac->signerKey = va_arg(args, private_key_t*);
1045 this->ac->signerKey->get_ref(this->ac->signerKey);
1046 break;
1047 default:
1048 /* abort if unsupported option */
1049 if (this->ac)
1050 {
1051 destroy(this->ac);
1052 }
1053 builder_cancel(&this->public);
1054 break;
1055 }
1056 va_end(args);
1057 }
1058
1059 /**
1060 * Builder construction function
1061 */
1062 builder_t *x509_ac_builder(certificate_type_t type)
1063 {
1064 private_builder_t *this;
1065
1066 if (type != CERT_X509_AC)
1067 {
1068 return NULL;
1069 }
1070
1071 this = malloc_thing(private_builder_t);
1072
1073 this->ac = create_empty();
1074 this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
1075 this->public.build = (void*(*)(builder_t *this))build;
1076
1077 return &this->public;
1078 }
1079