257a903e48e98d1c272d0ddda4dccd1aa459ae54
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_ac.c
1 /*
2 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
3 * Copyright (C) 2003 Martin Berner, Lukas Suter
4 * Copyright (C) 2002-2008 Andreas Steffen
5 *
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 *
18 * $Id$
19 */
20
21 #include "x509_ac.h"
22 #include "ietf_attr_list.h"
23
24 #include <time.h>
25
26 #include <library.h>
27 #include <debug.h>
28 #include <asn1/oid.h>
29 #include <asn1/asn1.h>
30 #include <asn1/asn1_parser.h>
31 #include <asn1/pem.h>
32 #include <utils/identification.h>
33 #include <utils/linked_list.h>
34 #include <credentials/certificates/x509.h>
35
36 extern identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob,
37 int level0, chunk_t *authKeySerialNumber);
38
39 typedef struct private_x509_ac_t private_x509_ac_t;
40
41 /**
42 * private data of x509_ac_t object
43 */
44 struct private_x509_ac_t {
45
46 /**
47 * public functions
48 */
49 x509_ac_t public;
50
51 /**
52 * X.509 attribute certificate encoding in ASN.1 DER format
53 */
54 chunk_t encoding;
55
56 /**
57 * X.509 attribute certificate body over which signature is computed
58 */
59 chunk_t certificateInfo;
60
61 /**
62 * Version of the X.509 attribute certificate
63 */
64 u_int version;
65
66 /**
67 * Serial number of the X.509 attribute certificate
68 */
69 chunk_t serialNumber;
70
71 /**
72 * ID representing the issuer of the holder certificate
73 */
74 identification_t *holderIssuer;
75
76 /**
77 * Serial number of the holder certificate
78 */
79 chunk_t holderSerial;
80
81 /**
82 * ID representing the holder
83 */
84 identification_t *entityName;
85
86 /**
87 * ID representing the attribute certificate issuer
88 */
89 identification_t *issuerName;
90
91 /**
92 * Start time of certificate validity
93 */
94 time_t notBefore;
95
96 /**
97 * End time of certificate validity
98 */
99 time_t notAfter;
100
101 /**
102 * List of charging attributes
103 */
104 linked_list_t *charging;
105
106 /**
107 * List of groub attributes
108 */
109 linked_list_t *groups;
110
111 /**
112 * Authority Key Identifier
113 */
114 identification_t *authKeyIdentifier;
115
116 /**
117 * Authority Key Serial Number
118 */
119 chunk_t authKeySerialNumber;
120
121 /**
122 * No revocation information available
123 */
124 bool noRevAvail;
125
126 /**
127 * Signature algorithm
128 */
129 int algorithm;
130
131 /**
132 * Signature
133 */
134 chunk_t signature;
135
136 /**
137 * Holder certificate
138 */
139 certificate_t *holderCert;
140
141 /**
142 * Signer certificate
143 */
144 certificate_t *signerCert;
145
146 /**
147 * Signer private key;
148 */
149 private_key_t *signerKey;
150
151 /**
152 * reference count
153 */
154 refcount_t ref;
155 };
156
157 static u_char ASN1_group_oid_str[] = {
158 0x06, 0x08,
159 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0a ,0x04
160 };
161
162 static const chunk_t ASN1_group_oid = chunk_from_buf(ASN1_group_oid_str);
163
164 static u_char ASN1_authorityKeyIdentifier_oid_str[] = {
165 0x06, 0x03,
166 0x55, 0x1d, 0x23
167 };
168
169 static const chunk_t ASN1_authorityKeyIdentifier_oid =
170 chunk_from_buf(ASN1_authorityKeyIdentifier_oid_str);
171
172 static u_char ASN1_noRevAvail_ext_str[] = {
173 0x30, 0x09,
174 0x06, 0x03,
175 0x55, 0x1d, 0x38,
176 0x04, 0x02,
177 0x05, 0x00
178 };
179
180 static const chunk_t ASN1_noRevAvail_ext = chunk_from_buf(ASN1_noRevAvail_ext_str);
181
182 /**
183 * declaration of function implemented in x509_cert.c
184 */
185 extern void x509_parse_generalNames(chunk_t blob, int level0, bool implicit,
186 linked_list_t *list);
187 /**
188 * parses a directoryName
189 */
190 static bool parse_directoryName(chunk_t blob, int level, bool implicit, identification_t **name)
191 {
192 bool has_directoryName;
193 linked_list_t *list = linked_list_create();
194
195 x509_parse_generalNames(blob, level, implicit, list);
196 has_directoryName = list->get_count(list) > 0;
197
198 if (has_directoryName)
199 {
200 iterator_t *iterator = list->create_iterator(list, TRUE);
201 identification_t *directoryName;
202 bool first = TRUE;
203
204 while (iterator->iterate(iterator, (void**)&directoryName))
205 {
206 if (first)
207 {
208 *name = directoryName;
209 first = FALSE;
210 }
211 else
212 {
213 DBG1("more than one directory name - first selected");
214 directoryName->destroy(directoryName);
215 }
216 }
217 iterator->destroy(iterator);
218 }
219 else
220 {
221 DBG1("no directoryName found");
222 }
223
224 list->destroy(list);
225 return has_directoryName;
226 }
227
228 /**
229 * ASN.1 definition of roleSyntax
230 */
231 static const asn1Object_t roleSyntaxObjects[] =
232 {
233 { 0, "roleSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
234 { 1, "roleAuthority", ASN1_CONTEXT_C_0, ASN1_OPT |
235 ASN1_OBJ }, /* 1 */
236 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
237 { 1, "roleName", ASN1_CONTEXT_C_1, ASN1_OBJ }, /* 3 */
238 { 0, "exit", ASN1_EOC, ASN1_EXIT }
239 };
240
241 /**
242 * Parses roleSyntax
243 */
244 static void parse_roleSyntax(chunk_t blob, int level0)
245 {
246 asn1_parser_t *parser;
247 chunk_t object;
248 int objectID;
249
250 parser = asn1_parser_create(roleSyntaxObjects, blob);
251 parser->set_top_level(parser, level0);
252
253 while (parser->iterate(parser, &objectID, &object))
254 {
255 switch (objectID)
256 {
257 default:
258 break;
259 }
260 }
261 parser->destroy(parser);
262 }
263
264 /**
265 * ASN.1 definition of an X509 attribute certificate
266 */
267 static const asn1Object_t acObjects[] =
268 {
269 { 0, "AttributeCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
270 { 1, "AttributeCertificateInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
271 { 2, "version", ASN1_INTEGER, ASN1_DEF |
272 ASN1_BODY }, /* 2 */
273 { 2, "holder", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */
274 { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 4 */
275 { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */
276 { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 6 */
277 { 4, "issuerUID", ASN1_BIT_STRING, ASN1_OPT |
278 ASN1_BODY }, /* 7 */
279 { 4, "end opt", ASN1_EOC, ASN1_END }, /* 8 */
280 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
281 { 3, "entityName", ASN1_CONTEXT_C_1, ASN1_OPT |
282 ASN1_OBJ }, /* 10 */
283 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
284 { 3, "objectDigestInfo", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 12 */
285 { 4, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 13 */
286 { 4, "otherObjectTypeID", ASN1_OID, ASN1_OPT |
287 ASN1_BODY }, /* 14 */
288 { 4, "end opt", ASN1_EOC, ASN1_END }, /* 15 */
289 { 4, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 16 */
290 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 17 */
291 { 2, "v2Form", ASN1_CONTEXT_C_0, ASN1_NONE }, /* 18 */
292 { 3, "issuerName", ASN1_SEQUENCE, ASN1_OPT |
293 ASN1_OBJ }, /* 19 */
294 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */
295 { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 21 */
296 { 4, "issuerSerial", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */
297 { 5, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 23 */
298 { 5, "serial", ASN1_INTEGER, ASN1_BODY }, /* 24 */
299 { 5, "issuerUID", ASN1_BIT_STRING, ASN1_OPT |
300 ASN1_BODY }, /* 25 */
301 { 5, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
302 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 27 */
303 { 3, "objectDigestInfo", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 28 */
304 { 4, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 29 */
305 { 5, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 30 */
306 { 5, "otherObjectTypeID", ASN1_OID, ASN1_OPT |
307 ASN1_BODY }, /* 31 */
308 { 5, "end opt", ASN1_EOC, ASN1_END }, /* 32 */
309 { 5, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 33 */
310 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 34 */
311 { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 35 */
312 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 36 */
313 { 2, "attrCertValidityPeriod", ASN1_SEQUENCE, ASN1_NONE }, /* 37 */
314 { 3, "notBeforeTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */
315 { 3, "notAfterTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */
316 { 2, "attributes", ASN1_SEQUENCE, ASN1_LOOP }, /* 40 */
317 { 3, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 41 */
318 { 4, "type", ASN1_OID, ASN1_BODY }, /* 42 */
319 { 4, "values", ASN1_SET, ASN1_LOOP }, /* 43 */
320 { 5, "value", ASN1_EOC, ASN1_RAW }, /* 44 */
321 { 4, "end loop", ASN1_EOC, ASN1_END }, /* 45 */
322 { 2, "end loop", ASN1_EOC, ASN1_END }, /* 46 */
323 { 2, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 47 */
324 { 3, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 48 */
325 { 4, "extnID", ASN1_OID, ASN1_BODY }, /* 49 */
326 { 4, "critical", ASN1_BOOLEAN, ASN1_DEF |
327 ASN1_BODY }, /* 50 */
328 { 4, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 51 */
329 { 2, "end loop", ASN1_EOC, ASN1_END }, /* 52 */
330 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 53 */
331 { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY }, /* 54 */
332 { 0, "exit", ASN1_EOC, ASN1_EXIT }
333 };
334 #define AC_OBJ_CERTIFICATE_INFO 1
335 #define AC_OBJ_VERSION 2
336 #define AC_OBJ_HOLDER_ISSUER 5
337 #define AC_OBJ_HOLDER_SERIAL 6
338 #define AC_OBJ_ENTITY_NAME 10
339 #define AC_OBJ_ISSUER_NAME 19
340 #define AC_OBJ_ISSUER 23
341 #define AC_OBJ_SIG_ALG 35
342 #define AC_OBJ_SERIAL_NUMBER 36
343 #define AC_OBJ_NOT_BEFORE 38
344 #define AC_OBJ_NOT_AFTER 39
345 #define AC_OBJ_ATTRIBUTE_TYPE 42
346 #define AC_OBJ_ATTRIBUTE_VALUE 44
347 #define AC_OBJ_EXTN_ID 49
348 #define AC_OBJ_CRITICAL 50
349 #define AC_OBJ_EXTN_VALUE 51
350 #define AC_OBJ_ALGORITHM 53
351 #define AC_OBJ_SIGNATURE 54
352
353 /**
354 * Parses an X.509 attribute certificate
355 */
356 static bool parse_certificate(private_x509_ac_t *this)
357 {
358 asn1_parser_t *parser;
359 chunk_t object;
360 int objectID;
361 int type = OID_UNKNOWN;
362 int extn_oid = OID_UNKNOWN;
363 int sig_alg = OID_UNKNOWN;
364 bool success = FALSE;
365 bool critical;
366
367 parser = asn1_parser_create(acObjects, this->encoding);
368
369 while (parser->iterate(parser, &objectID, &object))
370 {
371 u_int level = parser->get_level(parser)+1;
372
373 switch (objectID)
374 {
375 case AC_OBJ_CERTIFICATE_INFO:
376 this->certificateInfo = object;
377 break;
378 case AC_OBJ_VERSION:
379 this->version = (object.len) ? (1 + (u_int)*object.ptr) : 1;
380 DBG2(" v%d", this->version);
381 if (this->version != 2)
382 {
383 DBG1("v%d attribute certificates are not supported", this->version);
384 goto end;
385 }
386 break;
387 case AC_OBJ_HOLDER_ISSUER:
388 if (!parse_directoryName(object, level, FALSE, &this->holderIssuer))
389 {
390 goto end;
391 }
392 break;
393 case AC_OBJ_HOLDER_SERIAL:
394 this->holderSerial = object;
395 break;
396 case AC_OBJ_ENTITY_NAME:
397 if (!parse_directoryName(object, level, TRUE, &this->entityName))
398 {
399 goto end;
400 }
401 break;
402 case AC_OBJ_ISSUER_NAME:
403 if (!parse_directoryName(object, level, FALSE, &this->issuerName))
404 {
405 goto end;
406 }
407 break;
408 case AC_OBJ_SIG_ALG:
409 sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
410 break;
411 case AC_OBJ_SERIAL_NUMBER:
412 this->serialNumber = object;
413 break;
414 case AC_OBJ_NOT_BEFORE:
415 this->notBefore = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
416 break;
417 case AC_OBJ_NOT_AFTER:
418 this->notAfter = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
419 break;
420 case AC_OBJ_ATTRIBUTE_TYPE:
421 type = asn1_known_oid(object);
422 break;
423 case AC_OBJ_ATTRIBUTE_VALUE:
424 {
425 switch (type)
426 {
427 case OID_AUTHENTICATION_INFO:
428 DBG2(" need to parse authenticationInfo");
429 break;
430 case OID_ACCESS_IDENTITY:
431 DBG2(" need to parse accessIdentity");
432 break;
433 case OID_CHARGING_IDENTITY:
434 ietfAttr_list_create_from_chunk(object, this->charging, level);
435 break;
436 case OID_GROUP:
437 ietfAttr_list_create_from_chunk(object, this->groups, level);
438 break;
439 case OID_ROLE:
440 parse_roleSyntax(object, level);
441 break;
442 default:
443 break;
444 }
445 break;
446 }
447 case AC_OBJ_EXTN_ID:
448 extn_oid = asn1_known_oid(object);
449 break;
450 case AC_OBJ_CRITICAL:
451 critical = object.len && *object.ptr;
452 DBG2(" %s",(critical)?"TRUE":"FALSE");
453 break;
454 case AC_OBJ_EXTN_VALUE:
455 {
456 switch (extn_oid)
457 {
458 case OID_CRL_DISTRIBUTION_POINTS:
459 DBG2(" need to parse crlDistributionPoints");
460 break;
461 case OID_AUTHORITY_KEY_ID:
462 this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
463 level, &this->authKeySerialNumber);
464 break;
465 case OID_TARGET_INFORMATION:
466 DBG2(" need to parse targetInformation");
467 break;
468 case OID_NO_REV_AVAIL:
469 this->noRevAvail = TRUE;
470 break;
471 default:
472 break;
473 }
474 break;
475 }
476 case AC_OBJ_ALGORITHM:
477 this->algorithm = asn1_parse_algorithmIdentifier(object, level,
478 NULL);
479 if (this->algorithm != sig_alg)
480 {
481 DBG1(" signature algorithms do not agree");
482 success = FALSE;
483 goto end;
484 }
485 break;
486 case AC_OBJ_SIGNATURE:
487 this->signature = object;
488 break;
489 default:
490 break;
491 }
492 }
493 success = parser->success(parser);
494
495 end:
496 parser->destroy(parser);
497 return success;
498 }
499
500 /**
501 * build directoryName
502 */
503 static chunk_t build_directoryName(asn1_t tag, chunk_t name)
504 {
505 return asn1_wrap(tag, "m",
506 asn1_simple_object(ASN1_CONTEXT_C_4, name));
507 }
508
509 /**
510 * build holder
511 */
512 static chunk_t build_holder(private_x509_ac_t *this)
513 {
514 x509_t* x509 = (x509_t*)this->holderCert;
515 identification_t *issuer = this->holderCert->get_issuer(this->holderCert);
516 identification_t *subject = this->holderCert->get_subject(this->holderCert);
517
518 return asn1_wrap(ASN1_SEQUENCE, "mm",
519 asn1_wrap(ASN1_CONTEXT_C_0, "mm",
520 build_directoryName(ASN1_SEQUENCE, issuer->get_encoding(issuer)),
521 asn1_simple_object(ASN1_INTEGER, x509->get_serial(x509))
522 ),
523 build_directoryName(ASN1_CONTEXT_C_1, subject->get_encoding(subject)));
524 }
525
526 /**
527 * build v2Form
528 */
529 static chunk_t build_v2_form(private_x509_ac_t *this)
530 {
531 identification_t *subject = this->signerCert->get_subject(this->signerCert);
532
533 return asn1_wrap(ASN1_CONTEXT_C_0, "m",
534 build_directoryName(ASN1_SEQUENCE, subject->get_encoding(subject)));
535 }
536
537 /**
538 * build attrCertValidityPeriod
539 */
540 static chunk_t build_attr_cert_validity(private_x509_ac_t *this)
541 {
542 return asn1_wrap(ASN1_SEQUENCE, "mm",
543 asn1_from_time(&this->notBefore, ASN1_GENERALIZEDTIME),
544 asn1_from_time(&this->notAfter, ASN1_GENERALIZEDTIME));
545 }
546
547
548 /**
549 * build attribute type
550 */
551 static chunk_t build_attribute_type(const chunk_t type, chunk_t content)
552 {
553 return asn1_wrap(ASN1_SEQUENCE, "cm",
554 type,
555 asn1_wrap(ASN1_SET, "m", content));
556 }
557
558 /**
559 * build attributes
560 */
561 static chunk_t build_attributes(private_x509_ac_t *this)
562 {
563 return asn1_wrap(ASN1_SEQUENCE, "m",
564 build_attribute_type(ASN1_group_oid, ietfAttr_list_encode(this->groups)));
565 }
566
567 /**
568 * build authorityKeyIdentifier
569 */
570 static chunk_t build_authorityKeyIdentifier(private_x509_ac_t *this)
571 {
572 chunk_t keyIdentifier;
573 chunk_t authorityCertIssuer;
574 chunk_t authorityCertSerialNumber;
575 x509_t *x509 = (x509_t*)this->signerCert;
576 identification_t *issuer = this->signerCert->get_issuer(this->signerCert);
577 public_key_t *public = this->signerCert->get_public_key(this->signerCert);
578
579 if (public)
580 {
581 identification_t *keyid = public->get_id(public, ID_PUBKEY_SHA1);
582
583 this->authKeyIdentifier = keyid = keyid->clone(keyid);
584 keyIdentifier = keyid->get_encoding(keyid);
585 public->destroy(public);
586 }
587 else
588 {
589 keyIdentifier = chunk_empty;
590 }
591 authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1,
592 issuer->get_encoding(issuer));
593 authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2,
594 x509->get_serial(x509));
595 return asn1_wrap(ASN1_SEQUENCE, "cm",
596 ASN1_authorityKeyIdentifier_oid,
597 asn1_wrap(ASN1_OCTET_STRING, "m",
598 asn1_wrap(ASN1_SEQUENCE, "cmm",
599 keyIdentifier,
600 authorityCertIssuer,
601 authorityCertSerialNumber
602 )
603 )
604 );
605 }
606
607 /**
608 * build extensions
609 */
610 static chunk_t build_extensions(private_x509_ac_t *this)
611 {
612 return asn1_wrap(ASN1_SEQUENCE, "mc",
613 build_authorityKeyIdentifier(this),
614 ASN1_noRevAvail_ext);
615 }
616
617 /**
618 * build attributeCertificateInfo
619 */
620 static chunk_t build_attr_cert_info(private_x509_ac_t *this)
621 {
622 return asn1_wrap(ASN1_SEQUENCE, "cmmcmmmm",
623 ASN1_INTEGER_1,
624 build_holder(this),
625 build_v2_form(this),
626 asn1_algorithmIdentifier(OID_SHA1_WITH_RSA),
627 asn1_simple_object(ASN1_INTEGER, this->serialNumber),
628 build_attr_cert_validity(this),
629 build_attributes(this),
630 build_extensions(this));
631 }
632
633
634 /**
635 * build an X.509 attribute certificate
636 */
637 static chunk_t build_ac(private_x509_ac_t *this)
638 {
639 chunk_t signatureValue;
640 chunk_t attributeCertificateInfo;
641
642 attributeCertificateInfo = build_attr_cert_info(this);
643
644 this->signerKey->sign(this->signerKey, SIGN_RSA_EMSA_PKCS1_SHA1,
645 attributeCertificateInfo, &signatureValue);
646
647 return asn1_wrap(ASN1_SEQUENCE, "mcm",
648 attributeCertificateInfo,
649 asn1_algorithmIdentifier(OID_SHA1_WITH_RSA),
650 asn1_bitstring("m", signatureValue));
651 }
652
653 /**
654 * Implementation of ac_t.get_serial.
655 */
656 static chunk_t get_serial(private_x509_ac_t *this)
657 {
658 return this->serialNumber;
659 }
660
661 /**
662 * Implementation of ac_t.get_holderSerial.
663 */
664 static chunk_t get_holderSerial(private_x509_ac_t *this)
665 {
666 return this->holderSerial;
667 }
668
669 /**
670 * Implementation of ac_t.get_holderIssuer.
671 */
672 static identification_t* get_holderIssuer(private_x509_ac_t *this)
673 {
674 return this->holderIssuer;
675 }
676
677 /**
678 * Implementation of ac_t.get_authKeyIdentifier.
679 */
680 static identification_t* get_authKeyIdentifier(private_x509_ac_t *this)
681 {
682 return this->authKeyIdentifier;
683 }
684
685 /**
686 * Implementation of certificate_t.get_type
687 */
688 static certificate_type_t get_type(private_x509_ac_t *this)
689 {
690 return CERT_X509_AC;
691 }
692
693 /**
694 * Implementation of certificate_t.get_subject
695 */
696 static identification_t* get_subject(private_x509_ac_t *this)
697 {
698 return this->entityName;
699 }
700
701 /**
702 * Implementation of certificate_t.get_issuer
703 */
704 static identification_t* get_issuer(private_x509_ac_t *this)
705 {
706 return this->issuerName;
707 }
708
709 /**
710 * Implementation of certificate_t.has_subject.
711 */
712 static id_match_t has_subject(private_x509_ac_t *this, identification_t *subject)
713 {
714 return ID_MATCH_NONE;
715 }
716
717 /**
718 * Implementation of certificate_t.has_issuer.
719 */
720 static id_match_t has_issuer(private_x509_ac_t *this, identification_t *issuer)
721 {
722 id_match_t match;
723
724 if (issuer->get_type(issuer) == ID_PUBKEY_SHA1)
725 {
726 if (this->authKeyIdentifier)
727 {
728 match = issuer->matches(issuer, this->authKeyIdentifier);
729 }
730 else
731 {
732 match = ID_MATCH_NONE;
733 }
734 }
735 else
736 {
737 match = this->issuerName->matches(this->issuerName, issuer);
738 }
739 return match;
740 }
741
742 /**
743 * Implementation of certificate_t.issued_by
744 */
745 static bool issued_by(private_x509_ac_t *this, certificate_t *issuer)
746 {
747 public_key_t *key;
748 signature_scheme_t scheme;
749 bool valid;
750 x509_t *x509 = (x509_t*)issuer;
751
752 /* check if issuer is an X.509 AA certificate */
753 if (issuer->get_type(issuer) != CERT_X509)
754 {
755 return FALSE;
756 }
757 if (!(x509->get_flags(x509) & X509_AA))
758 {
759 return FALSE;
760 }
761
762 /* get the public key of the issuer */
763 key = issuer->get_public_key(issuer);
764
765 /* compare keyIdentifiers if available, otherwise use DNs */
766 if (this->authKeyIdentifier && key)
767 {
768 identification_t *subjectKeyIdentifier = key->get_id(key, ID_PUBKEY_SHA1);
769
770 if (!subjectKeyIdentifier->equals(subjectKeyIdentifier,
771 this->authKeyIdentifier))
772 {
773 return FALSE;
774 }
775 }
776 else
777 {
778 if (!this->issuerName->equals(this->issuerName, issuer->get_subject(issuer)))
779 {
780 return FALSE;
781 }
782 }
783 /* TODO: generic OID to scheme mapper? */
784 switch (this->algorithm)
785 {
786 case OID_MD5_WITH_RSA:
787 scheme = SIGN_RSA_EMSA_PKCS1_MD5;
788 break;
789 case OID_SHA1_WITH_RSA:
790 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
791 break;
792 case OID_SHA256_WITH_RSA:
793 scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
794 break;
795 case OID_SHA384_WITH_RSA:
796 scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
797 break;
798 case OID_SHA512_WITH_RSA:
799 scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
800 break;
801 case OID_ECDSA_WITH_SHA1:
802 scheme = SIGN_ECDSA_WITH_SHA1;
803 break;
804 default:
805 return FALSE;
806 }
807 if (key == NULL)
808 {
809 return FALSE;
810 }
811 valid = key->verify(key, scheme, this->certificateInfo, this->signature);
812 key->destroy(key);
813 return valid;
814 }
815
816 /**
817 * Implementation of certificate_t.get_public_key.
818 */
819 static public_key_t* get_public_key(private_x509_ac_t *this)
820 {
821 return NULL;
822 }
823
824 /**
825 * Implementation of certificate_t.get_ref.
826 */
827 static private_x509_ac_t* get_ref(private_x509_ac_t *this)
828 {
829 ref_get(&this->ref);
830 return this;
831 }
832
833 /**
834 * Implementation of certificate_t.get_validity.
835 */
836 static bool get_validity(private_x509_ac_t *this, time_t *when,
837 time_t *not_before, time_t *not_after)
838 {
839 time_t t;
840
841 if (when)
842 {
843 t = *when;
844 }
845 else
846 {
847 t = time(NULL);
848 }
849 if (not_before)
850 {
851 *not_before = this->notBefore;
852 }
853 if (not_after)
854 {
855 *not_after = this->notAfter;
856 }
857 return (t >= this->notBefore && t <= this->notAfter);
858 }
859
860 /**
861 * Implementation of certificate_t.is_newer.
862 */
863 static bool is_newer(private_x509_ac_t *this, ac_t *that)
864 {
865 certificate_t *this_cert = &this->public.interface.certificate;
866 certificate_t *that_cert = &that->certificate;
867 time_t this_update, that_update, now = time(NULL);
868 bool new;
869
870 this_cert->get_validity(this_cert, &now, &this_update, NULL);
871 that_cert->get_validity(that_cert, &now, &that_update, NULL);
872 new = this_update > that_update;
873 DBG1(" attr cert from %#T is %s - existing attr_cert from %#T %s",
874 &this_update, FALSE, new ? "newer":"not newer",
875 &that_update, FALSE, new ? "replaced":"retained");
876 return new;
877 }
878
879 /**
880 * Implementation of certificate_t.get_encoding.
881 */
882 static chunk_t get_encoding(private_x509_ac_t *this)
883 {
884 return chunk_clone(this->encoding);
885 }
886
887 /**
888 * Implementation of certificate_t.equals.
889 */
890 static bool equals(private_x509_ac_t *this, certificate_t *other)
891 {
892 chunk_t encoding;
893 bool equal;
894
895 if ((certificate_t*)this == other)
896 {
897 return TRUE;
898 }
899 if (other->equals == (void*)equals)
900 { /* skip allocation if we have the same implementation */
901 return chunk_equals(this->encoding, ((private_x509_ac_t*)other)->encoding);
902 }
903 encoding = other->get_encoding(other);
904 equal = chunk_equals(this->encoding, encoding);
905 free(encoding.ptr);
906 return equal;
907 }
908
909 /**
910 * Implementation of x509_ac_t.destroy
911 */
912 static void destroy(private_x509_ac_t *this)
913 {
914 if (ref_put(&this->ref))
915 {
916 DESTROY_IF(this->holderIssuer);
917 DESTROY_IF(this->entityName);
918 DESTROY_IF(this->issuerName);
919 DESTROY_IF(this->authKeyIdentifier);
920 DESTROY_IF(this->holderCert);
921 DESTROY_IF(this->signerCert);
922 DESTROY_IF(this->signerKey);
923
924 ietfAttr_list_destroy(this->charging);
925 ietfAttr_list_destroy(this->groups);
926 free(this->encoding.ptr);
927 free(this);
928 }
929 }
930
931 /**
932 * create an empty but initialized X.509 attribute certificate
933 */
934 static private_x509_ac_t *create_empty(void)
935 {
936 private_x509_ac_t *this = malloc_thing(private_x509_ac_t);
937
938 /* public functions */
939 this->public.interface.get_serial = (chunk_t (*)(ac_t*))get_serial;
940 this->public.interface.get_holderSerial = (chunk_t (*)(ac_t*))get_holderSerial;
941 this->public.interface.get_holderIssuer = (identification_t* (*)(ac_t*))get_holderIssuer;
942 this->public.interface.get_authKeyIdentifier = (identification_t* (*)(ac_t*))get_authKeyIdentifier;
943 this->public.interface.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
944 this->public.interface.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
945 this->public.interface.certificate.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
946 this->public.interface.certificate.has_subject = (id_match_t(*)(certificate_t*, identification_t *subject))has_subject;
947 this->public.interface.certificate.has_issuer = (id_match_t(*)(certificate_t*, identification_t *issuer))has_issuer;
948 this->public.interface.certificate.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
949 this->public.interface.certificate.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
950 this->public.interface.certificate.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
951 this->public.interface.certificate.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer;
952 this->public.interface.certificate.get_encoding = (chunk_t(*)(certificate_t*))get_encoding;
953 this->public.interface.certificate.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
954 this->public.interface.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
955 this->public.interface.certificate.destroy = (void (*)(certificate_t *this))destroy;
956
957 /* initialize */
958 this->encoding = chunk_empty;
959 this->holderSerial = chunk_empty;
960 this->holderIssuer = NULL;
961 this->entityName = NULL;
962 this->issuerName = NULL;
963 this->authKeyIdentifier = NULL;
964 this->holderCert = NULL;
965 this->signerCert = NULL;
966 this->signerKey = NULL;
967 this->charging = linked_list_create();
968 this->groups = linked_list_create();
969 this->ref = 1;
970
971 return this;
972 }
973
974 /**
975 * create X.509 attribute certificate from a chunk
976 */
977 static private_x509_ac_t* create_from_chunk(chunk_t chunk)
978 {
979 private_x509_ac_t *this = create_empty();
980
981 this->encoding = chunk;
982 if (!parse_certificate(this))
983 {
984 destroy(this);
985 return NULL;
986 }
987 return this;
988 }
989
990 /**
991 * create X.509 crl from a file
992 */
993 static private_x509_ac_t* create_from_file(char *path)
994 {
995 bool pgp = FALSE;
996 chunk_t chunk;
997 private_x509_ac_t *this;
998
999 if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
1000 {
1001 return NULL;
1002 }
1003
1004 this = create_from_chunk(chunk);
1005
1006 if (this == NULL)
1007 {
1008 DBG1(" could not parse loaded attribute certificate file '%s'", path);
1009 return NULL;
1010 }
1011 DBG1(" loaded attribute certificate file '%s'", path);
1012 return this;
1013 }
1014
1015 typedef struct private_builder_t private_builder_t;
1016 /**
1017 * Builder implementation for certificate loading
1018 */
1019 struct private_builder_t {
1020 /** implements the builder interface */
1021 builder_t public;
1022 /** X.509 attribute certificate to build */
1023 private_x509_ac_t *ac;
1024 };
1025
1026 /**
1027 * Implementation of builder_t.build
1028 */
1029 static private_x509_ac_t* build(private_builder_t *this)
1030 {
1031 private_x509_ac_t *ac = this->ac;
1032
1033 free(this);
1034
1035 /* synthesis if encoding does not exist */
1036 if (ac && ac->encoding.ptr == NULL)
1037 {
1038 if (ac->holderCert && ac->signerCert && ac->signerKey)
1039 {
1040 ac->encoding = build_ac(ac);
1041 return ac;
1042 }
1043 destroy(ac);
1044 return NULL;
1045 }
1046 else
1047 {
1048 return ac;
1049 }
1050 }
1051
1052 /**
1053 * Implementation of builder_t.add
1054 */
1055 static void add(private_builder_t *this, builder_part_t part, ...)
1056 {
1057 va_list args;
1058 certificate_t *cert;
1059 chunk_t chunk;
1060
1061 va_start(args, part);
1062 switch (part)
1063 {
1064 case BUILD_FROM_FILE:
1065 if (this->ac)
1066 {
1067 destroy(this->ac);
1068 }
1069 this->ac = create_from_file(va_arg(args, char*));
1070 break;
1071 case BUILD_BLOB_ASN1_DER:
1072 if (this->ac)
1073 {
1074 destroy(this->ac);
1075 }
1076 chunk = va_arg(args, chunk_t);
1077 this->ac = create_from_chunk(chunk_clone(chunk));
1078 break;
1079 case BUILD_NOT_BEFORE_TIME:
1080 this->ac->notBefore = va_arg(args, time_t);
1081 break;
1082 case BUILD_NOT_AFTER_TIME:
1083 this->ac->notAfter = va_arg(args, time_t);
1084 break;
1085 case BUILD_SERIAL:
1086 chunk = va_arg(args, chunk_t);
1087 this->ac->serialNumber = chunk_clone(chunk);
1088 break;
1089 case BUILD_IETF_GROUP_ATTR:
1090 ietfAttr_list_create_from_string(va_arg(args, char*),
1091 this->ac->groups);
1092 break;
1093 case BUILD_CERT:
1094 cert = va_arg(args, certificate_t*);
1095 if (cert->get_type(cert) == CERT_X509)
1096 {
1097 this->ac->holderCert = cert->get_ref(cert);
1098 }
1099 break;
1100 case BUILD_SIGNING_CERT:
1101 cert = va_arg(args, certificate_t*);
1102 if (cert->get_type(cert) == CERT_X509)
1103 {
1104 this->ac->signerCert = cert->get_ref(cert);
1105 }
1106 break;
1107 case BUILD_SIGNING_KEY:
1108 this->ac->signerKey = va_arg(args, private_key_t*);
1109 this->ac->signerKey->get_ref(this->ac->signerKey);
1110 break;
1111 default:
1112 /* abort if unsupported option */
1113 if (this->ac)
1114 {
1115 destroy(this->ac);
1116 }
1117 builder_cancel(&this->public);
1118 break;
1119 }
1120 va_end(args);
1121 }
1122
1123 /**
1124 * Builder construction function
1125 */
1126 builder_t *x509_ac_builder(certificate_type_t type)
1127 {
1128 private_builder_t *this;
1129
1130 if (type != CERT_X509_AC)
1131 {
1132 return NULL;
1133 }
1134
1135 this = malloc_thing(private_builder_t);
1136
1137 this->ac = create_empty();
1138 this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
1139 this->public.build = (void*(*)(builder_t *this))build;
1140
1141 return &this->public;
1142 }
1143