fixed segmentation fault caused by malformed attribute certificates
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_ac.c
1 /*
2 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
3 * Copyright (C) 2003 Martin Berner, Lukas Suter
4 * Copyright (C) 2002-2008 Andreas Steffen
5 *
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 *
18 * $Id$
19 */
20
21 #include "x509_ac.h"
22 #include "ietf_attr_list.h"
23
24 #include <library.h>
25 #include <debug.h>
26 #include <asn1/oid.h>
27 #include <asn1/asn1.h>
28 #include <asn1/asn1_parser.h>
29 #include <asn1/pem.h>
30 #include <utils/identification.h>
31 #include <utils/linked_list.h>
32 #include <credentials/certificates/x509.h>
33
34 extern identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob,
35 int level0, chunk_t *authKeySerialNumber);
36
37 typedef struct private_x509_ac_t private_x509_ac_t;
38
39 /**
40 * private data of x509_ac_t object
41 */
42 struct private_x509_ac_t {
43
44 /**
45 * public functions
46 */
47 x509_ac_t public;
48
49 /**
50 * X.509 attribute certificate encoding in ASN.1 DER format
51 */
52 chunk_t encoding;
53
54 /**
55 * X.509 attribute certificate body over which signature is computed
56 */
57 chunk_t certificateInfo;
58
59 /**
60 * Version of the X.509 attribute certificate
61 */
62 u_int version;
63
64 /**
65 * Serial number of the X.509 attribute certificate
66 */
67 chunk_t serialNumber;
68
69 /**
70 * ID representing the issuer of the holder certificate
71 */
72 identification_t *holderIssuer;
73
74 /**
75 * Serial number of the holder certificate
76 */
77 chunk_t holderSerial;
78
79 /**
80 * ID representing the holder
81 */
82 identification_t *entityName;
83
84 /**
85 * ID representing the attribute certificate issuer
86 */
87 identification_t *issuerName;
88
89 /**
90 * Start time of certificate validity
91 */
92 time_t notBefore;
93
94 /**
95 * End time of certificate validity
96 */
97 time_t notAfter;
98
99 /**
100 * List of charging attributes
101 */
102 linked_list_t *charging;
103
104 /**
105 * List of groub attributes
106 */
107 linked_list_t *groups;
108
109 /**
110 * Authority Key Identifier
111 */
112 identification_t *authKeyIdentifier;
113
114 /**
115 * Authority Key Serial Number
116 */
117 chunk_t authKeySerialNumber;
118
119 /**
120 * No revocation information available
121 */
122 bool noRevAvail;
123
124 /**
125 * Signature algorithm
126 */
127 int algorithm;
128
129 /**
130 * Signature
131 */
132 chunk_t signature;
133
134 /**
135 * Holder certificate
136 */
137 certificate_t *holderCert;
138
139 /**
140 * Signer certificate
141 */
142 certificate_t *signerCert;
143
144 /**
145 * Signer private key;
146 */
147 private_key_t *signerKey;
148
149 /**
150 * reference count
151 */
152 refcount_t ref;
153 };
154
155 static u_char ASN1_group_oid_str[] = {
156 0x06, 0x08,
157 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0a ,0x04
158 };
159
160 static const chunk_t ASN1_group_oid = chunk_from_buf(ASN1_group_oid_str);
161
162 static u_char ASN1_authorityKeyIdentifier_oid_str[] = {
163 0x06, 0x03,
164 0x55, 0x1d, 0x23
165 };
166
167 static const chunk_t ASN1_authorityKeyIdentifier_oid =
168 chunk_from_buf(ASN1_authorityKeyIdentifier_oid_str);
169
170 static u_char ASN1_noRevAvail_ext_str[] = {
171 0x30, 0x09,
172 0x06, 0x03,
173 0x55, 0x1d, 0x38,
174 0x04, 0x02,
175 0x05, 0x00
176 };
177
178 static const chunk_t ASN1_noRevAvail_ext = chunk_from_buf(ASN1_noRevAvail_ext_str);
179
180 /**
181 * declaration of function implemented in x509_cert.c
182 */
183 extern void x509_parse_generalNames(chunk_t blob, int level0, bool implicit,
184 linked_list_t *list);
185 /**
186 * parses a directoryName
187 */
188 static bool parse_directoryName(chunk_t blob, int level, bool implicit, identification_t **name)
189 {
190 bool has_directoryName;
191 linked_list_t *list = linked_list_create();
192
193 x509_parse_generalNames(blob, level, implicit, list);
194 has_directoryName = list->get_count(list) > 0;
195
196 if (has_directoryName)
197 {
198 iterator_t *iterator = list->create_iterator(list, TRUE);
199 identification_t *directoryName;
200 bool first = TRUE;
201
202 while (iterator->iterate(iterator, (void**)&directoryName))
203 {
204 if (first)
205 {
206 *name = directoryName;
207 first = FALSE;
208 }
209 else
210 {
211 DBG1("more than one directory name - first selected");
212 directoryName->destroy(directoryName);
213 }
214 }
215 iterator->destroy(iterator);
216 }
217 else
218 {
219 DBG1("no directoryName found");
220 }
221
222 list->destroy(list);
223 return has_directoryName;
224 }
225
226 /**
227 * ASN.1 definition of roleSyntax
228 */
229 static const asn1Object_t roleSyntaxObjects[] =
230 {
231 { 0, "roleSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
232 { 1, "roleAuthority", ASN1_CONTEXT_C_0, ASN1_OPT |
233 ASN1_OBJ }, /* 1 */
234 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
235 { 1, "roleName", ASN1_CONTEXT_C_1, ASN1_OBJ }, /* 3 */
236 { 0, "exit", ASN1_EOC, ASN1_EXIT }
237 };
238
239 /**
240 * Parses roleSyntax
241 */
242 static void parse_roleSyntax(chunk_t blob, int level0)
243 {
244 asn1_parser_t *parser;
245 chunk_t object;
246 int objectID;
247
248 parser = asn1_parser_create(roleSyntaxObjects, blob);
249 parser->set_top_level(parser, level0);
250
251 while (parser->iterate(parser, &objectID, &object))
252 {
253 switch (objectID)
254 {
255 default:
256 break;
257 }
258 }
259 parser->destroy(parser);
260 }
261
262 /**
263 * ASN.1 definition of an X509 attribute certificate
264 */
265 static const asn1Object_t acObjects[] =
266 {
267 { 0, "AttributeCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
268 { 1, "AttributeCertificateInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
269 { 2, "version", ASN1_INTEGER, ASN1_DEF |
270 ASN1_BODY }, /* 2 */
271 { 2, "holder", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */
272 { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 4 */
273 { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */
274 { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 6 */
275 { 4, "issuerUID", ASN1_BIT_STRING, ASN1_OPT |
276 ASN1_BODY }, /* 7 */
277 { 4, "end opt", ASN1_EOC, ASN1_END }, /* 8 */
278 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
279 { 3, "entityName", ASN1_CONTEXT_C_1, ASN1_OPT |
280 ASN1_OBJ }, /* 10 */
281 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
282 { 3, "objectDigestInfo", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 12 */
283 { 4, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 13*/
284 { 4, "otherObjectTypeID", ASN1_OID, ASN1_OPT |
285 ASN1_BODY }, /* 14 */
286 { 4, "end opt", ASN1_EOC, ASN1_END }, /* 15*/
287 { 4, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 16 */
288 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 17 */
289 { 2, "v2Form", ASN1_CONTEXT_C_0, ASN1_NONE }, /* 18 */
290 { 3, "issuerName", ASN1_SEQUENCE, ASN1_OPT |
291 ASN1_OBJ }, /* 19 */
292 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */
293 { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 21 */
294 { 4, "issuerSerial", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */
295 { 5, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 23 */
296 { 5, "serial", ASN1_INTEGER, ASN1_BODY }, /* 24 */
297 { 5, "issuerUID", ASN1_BIT_STRING, ASN1_OPT |
298 ASN1_BODY }, /* 25 */
299 { 5, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
300 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 27 */
301 { 3, "objectDigestInfo", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 28 */
302 { 4, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 29 */
303 { 5, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 30 */
304 { 5, "otherObjectTypeID", ASN1_OID, ASN1_OPT |
305 ASN1_BODY }, /* 31 */
306 { 5, "end opt", ASN1_EOC, ASN1_END }, /* 32 */
307 { 5, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 33 */
308 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 34 */
309 { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 35 */
310 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 36 */
311 { 2, "attrCertValidityPeriod", ASN1_SEQUENCE, ASN1_NONE }, /* 37 */
312 { 3, "notBeforeTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */
313 { 3, "notAfterTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */
314 { 2, "attributes", ASN1_SEQUENCE, ASN1_LOOP }, /* 40 */
315 { 3, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 41 */
316 { 4, "type", ASN1_OID, ASN1_BODY }, /* 42 */
317 { 4, "values", ASN1_SET, ASN1_LOOP }, /* 43 */
318 { 5, "value", ASN1_EOC, ASN1_RAW }, /* 44 */
319 { 4, "end loop", ASN1_EOC, ASN1_END }, /* 45 */
320 { 2, "end loop", ASN1_EOC, ASN1_END }, /* 46 */
321 { 2, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 47 */
322 { 3, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 48 */
323 { 4, "extnID", ASN1_OID, ASN1_BODY }, /* 49 */
324 { 4, "critical", ASN1_BOOLEAN, ASN1_DEF |
325 ASN1_BODY }, /* 50 */
326 { 4, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 51 */
327 { 2, "end loop", ASN1_EOC, ASN1_END }, /* 52 */
328 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 53 */
329 { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY }, /* 54 */
330 { 0, "exit", ASN1_EOC, ASN1_EXIT }
331 };
332 #define AC_OBJ_CERTIFICATE_INFO 1
333 #define AC_OBJ_VERSION 2
334 #define AC_OBJ_HOLDER_ISSUER 5
335 #define AC_OBJ_HOLDER_SERIAL 6
336 #define AC_OBJ_ENTITY_NAME 10
337 #define AC_OBJ_ISSUER_NAME 19
338 #define AC_OBJ_ISSUER 23
339 #define AC_OBJ_SIG_ALG 35
340 #define AC_OBJ_SERIAL_NUMBER 36
341 #define AC_OBJ_NOT_BEFORE 38
342 #define AC_OBJ_NOT_AFTER 39
343 #define AC_OBJ_ATTRIBUTE_TYPE 42
344 #define AC_OBJ_ATTRIBUTE_VALUE 44
345 #define AC_OBJ_EXTN_ID 49
346 #define AC_OBJ_CRITICAL 50
347 #define AC_OBJ_EXTN_VALUE 51
348 #define AC_OBJ_ALGORITHM 53
349 #define AC_OBJ_SIGNATURE 54
350
351 /**
352 * Parses an X.509 attribute certificate
353 */
354 static bool parse_certificate(private_x509_ac_t *this)
355 {
356 asn1_parser_t *parser;
357 chunk_t object;
358 int objectID;
359 int type = OID_UNKNOWN;
360 int extn_oid = OID_UNKNOWN;
361 int sig_alg = OID_UNKNOWN;
362 bool success = FALSE;
363 bool critical;
364
365 parser = asn1_parser_create(acObjects, this->encoding);
366
367 while (parser->iterate(parser, &objectID, &object))
368 {
369 u_int level = parser->get_level(parser)+1;
370
371 switch (objectID)
372 {
373 case AC_OBJ_CERTIFICATE_INFO:
374 this->certificateInfo = object;
375 break;
376 case AC_OBJ_VERSION:
377 this->version = (object.len) ? (1 + (u_int)*object.ptr) : 1;
378 DBG2(" v%d", this->version);
379 if (this->version != 2)
380 {
381 DBG1("v%d attribute certificates are not supported", this->version);
382 goto end;
383 }
384 break;
385 case AC_OBJ_HOLDER_ISSUER:
386 if (!parse_directoryName(object, level, FALSE, &this->holderIssuer))
387 {
388 goto end;
389 }
390 break;
391 case AC_OBJ_HOLDER_SERIAL:
392 this->holderSerial = object;
393 break;
394 case AC_OBJ_ENTITY_NAME:
395 if (!parse_directoryName(object, level, TRUE, &this->entityName))
396 {
397 goto end;
398 }
399 break;
400 case AC_OBJ_ISSUER_NAME:
401 if (!parse_directoryName(object, level, FALSE, &this->issuerName))
402 {
403 goto end;
404 }
405 break;
406 case AC_OBJ_SIG_ALG:
407 sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
408 break;
409 case AC_OBJ_SERIAL_NUMBER:
410 this->serialNumber = object;
411 break;
412 case AC_OBJ_NOT_BEFORE:
413 this->notBefore = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
414 break;
415 case AC_OBJ_NOT_AFTER:
416 this->notAfter = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
417 break;
418 case AC_OBJ_ATTRIBUTE_TYPE:
419 type = asn1_known_oid(object);
420 break;
421 case AC_OBJ_ATTRIBUTE_VALUE:
422 {
423 switch (type)
424 {
425 case OID_AUTHENTICATION_INFO:
426 DBG2(" need to parse authenticationInfo");
427 break;
428 case OID_ACCESS_IDENTITY:
429 DBG2(" need to parse accessIdentity");
430 break;
431 case OID_CHARGING_IDENTITY:
432 ietfAttr_list_create_from_chunk(object, this->charging, level);
433 break;
434 case OID_GROUP:
435 ietfAttr_list_create_from_chunk(object, this->groups, level);
436 break;
437 case OID_ROLE:
438 parse_roleSyntax(object, level);
439 break;
440 default:
441 break;
442 }
443 break;
444 }
445 case AC_OBJ_EXTN_ID:
446 extn_oid = asn1_known_oid(object);
447 break;
448 case AC_OBJ_CRITICAL:
449 critical = object.len && *object.ptr;
450 DBG2(" %s",(critical)?"TRUE":"FALSE");
451 break;
452 case AC_OBJ_EXTN_VALUE:
453 {
454 switch (extn_oid)
455 {
456 case OID_CRL_DISTRIBUTION_POINTS:
457 DBG2(" need to parse crlDistributionPoints");
458 break;
459 case OID_AUTHORITY_KEY_ID:
460 this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
461 level, &this->authKeySerialNumber);
462 break;
463 case OID_TARGET_INFORMATION:
464 DBG2(" need to parse targetInformation");
465 break;
466 case OID_NO_REV_AVAIL:
467 this->noRevAvail = TRUE;
468 break;
469 default:
470 break;
471 }
472 break;
473 }
474 case AC_OBJ_ALGORITHM:
475 this->algorithm = asn1_parse_algorithmIdentifier(object, level,
476 NULL);
477 if (this->algorithm != sig_alg)
478 {
479 DBG1(" signature algorithms do not agree");
480 success = FALSE;
481 goto end;
482 }
483 break;
484 case AC_OBJ_SIGNATURE:
485 this->signature = object;
486 break;
487 default:
488 break;
489 }
490 }
491 success = parser->success(parser);
492
493 end:
494 parser->destroy(parser);
495 return success;
496 }
497
498 /**
499 * build directoryName
500 */
501 static chunk_t build_directoryName(asn1_t tag, chunk_t name)
502 {
503 return asn1_wrap(tag, "m",
504 asn1_simple_object(ASN1_CONTEXT_C_4, name));
505 }
506
507 /**
508 * build holder
509 */
510 static chunk_t build_holder(private_x509_ac_t *this)
511 {
512 x509_t* x509 = (x509_t*)this->holderCert;
513 identification_t *issuer = this->holderCert->get_issuer(this->holderCert);
514 identification_t *subject = this->holderCert->get_subject(this->holderCert);
515
516 return asn1_wrap(ASN1_SEQUENCE, "mm",
517 asn1_wrap(ASN1_CONTEXT_C_0, "mm",
518 build_directoryName(ASN1_SEQUENCE, issuer->get_encoding(issuer)),
519 asn1_simple_object(ASN1_INTEGER, x509->get_serial(x509))
520 ),
521 build_directoryName(ASN1_CONTEXT_C_1, subject->get_encoding(subject)));
522 }
523
524 /**
525 * build v2Form
526 */
527 static chunk_t build_v2_form(private_x509_ac_t *this)
528 {
529 identification_t *subject = this->signerCert->get_subject(this->signerCert);
530
531 return asn1_wrap(ASN1_CONTEXT_C_0, "m",
532 build_directoryName(ASN1_SEQUENCE, subject->get_encoding(subject)));
533 }
534
535 /**
536 * build attrCertValidityPeriod
537 */
538 static chunk_t build_attr_cert_validity(private_x509_ac_t *this)
539 {
540 return asn1_wrap(ASN1_SEQUENCE, "mm",
541 asn1_from_time(&this->notBefore, ASN1_GENERALIZEDTIME),
542 asn1_from_time(&this->notAfter, ASN1_GENERALIZEDTIME));
543 }
544
545
546 /**
547 * build attribute type
548 */
549 static chunk_t build_attribute_type(const chunk_t type, chunk_t content)
550 {
551 return asn1_wrap(ASN1_SEQUENCE, "cm",
552 type,
553 asn1_wrap(ASN1_SET, "m", content));
554 }
555
556 /**
557 * build attributes
558 */
559 static chunk_t build_attributes(private_x509_ac_t *this)
560 {
561 return asn1_wrap(ASN1_SEQUENCE, "m",
562 build_attribute_type(ASN1_group_oid, ietfAttr_list_encode(this->groups)));
563 }
564
565 /**
566 * build authorityKeyIdentifier
567 */
568 static chunk_t build_authorityKeyIdentifier(private_x509_ac_t *this)
569 {
570 chunk_t keyIdentifier;
571 chunk_t authorityCertIssuer;
572 chunk_t authorityCertSerialNumber;
573 x509_t *x509 = (x509_t*)this->signerCert;
574 identification_t *issuer = this->signerCert->get_issuer(this->signerCert);
575 public_key_t *public = this->signerCert->get_public_key(this->signerCert);
576
577 if (public)
578 {
579 identification_t *keyid = public->get_id(public, ID_PUBKEY_SHA1);
580
581 this->authKeyIdentifier = keyid = keyid->clone(keyid);
582 keyIdentifier = keyid->get_encoding(keyid);
583 public->destroy(public);
584 }
585 else
586 {
587 keyIdentifier = chunk_empty;
588 }
589 authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1,
590 issuer->get_encoding(issuer));
591 authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2,
592 x509->get_serial(x509));
593 return asn1_wrap(ASN1_SEQUENCE, "cm",
594 ASN1_authorityKeyIdentifier_oid,
595 asn1_wrap(ASN1_OCTET_STRING, "m",
596 asn1_wrap(ASN1_SEQUENCE, "cmm",
597 keyIdentifier,
598 authorityCertIssuer,
599 authorityCertSerialNumber
600 )
601 )
602 );
603 }
604
605 /**
606 * build extensions
607 */
608 static chunk_t build_extensions(private_x509_ac_t *this)
609 {
610 return asn1_wrap(ASN1_SEQUENCE, "mc",
611 build_authorityKeyIdentifier(this),
612 ASN1_noRevAvail_ext);
613 }
614
615 /**
616 * build attributeCertificateInfo
617 */
618 static chunk_t build_attr_cert_info(private_x509_ac_t *this)
619 {
620 return asn1_wrap(ASN1_SEQUENCE, "cmmcmmmm",
621 ASN1_INTEGER_1,
622 build_holder(this),
623 build_v2_form(this),
624 asn1_algorithmIdentifier(OID_SHA1_WITH_RSA),
625 asn1_simple_object(ASN1_INTEGER, this->serialNumber),
626 build_attr_cert_validity(this),
627 build_attributes(this),
628 build_extensions(this));
629 }
630
631
632 /**
633 * build an X.509 attribute certificate
634 */
635 static chunk_t build_ac(private_x509_ac_t *this)
636 {
637 chunk_t signatureValue;
638 chunk_t attributeCertificateInfo;
639
640 attributeCertificateInfo = build_attr_cert_info(this);
641
642 this->signerKey->sign(this->signerKey, SIGN_RSA_EMSA_PKCS1_SHA1,
643 attributeCertificateInfo, &signatureValue);
644
645 return asn1_wrap(ASN1_SEQUENCE, "mcm",
646 attributeCertificateInfo,
647 asn1_algorithmIdentifier(OID_SHA1_WITH_RSA),
648 asn1_bitstring("m", signatureValue));
649 }
650
651 /**
652 * Implementation of certificate_t.get_type
653 */
654 static certificate_type_t get_type(private_x509_ac_t *this)
655 {
656 return CERT_X509_AC;
657 }
658
659 /**
660 * Implementation of certificate_t.get_subject
661 */
662 static identification_t* get_subject(private_x509_ac_t *this)
663 {
664 return this->entityName;
665 }
666
667 /**
668 * Implementation of certificate_t.get_issuer
669 */
670 static identification_t* get_issuer(private_x509_ac_t *this)
671 {
672 return this->issuerName;
673 }
674
675 /**
676 * Implementation of certificate_t.has_subject.
677 */
678 static id_match_t has_subject(private_x509_ac_t *this, identification_t *subject)
679 {
680 return ID_MATCH_NONE;
681 }
682
683 /**
684 * Implementation of certificate_t.has_issuer.
685 */
686 static id_match_t has_issuer(private_x509_ac_t *this, identification_t *issuer)
687 {
688 id_match_t match;
689
690 if (issuer->get_type(issuer) == ID_PUBKEY_SHA1)
691 {
692 if (this->authKeyIdentifier)
693 {
694 match = issuer->matches(issuer, this->authKeyIdentifier);
695 }
696 else
697 {
698 match = ID_MATCH_NONE;
699 }
700 }
701 else
702 {
703 match = this->issuerName->matches(this->issuerName, issuer);
704 }
705 return match;
706 }
707
708 /**
709 * Implementation of certificate_t.issued_by
710 */
711 static bool issued_by(private_x509_ac_t *this, certificate_t *issuer)
712 {
713 public_key_t *key;
714 signature_scheme_t scheme;
715 bool valid;
716 x509_t *x509 = (x509_t*)issuer;
717
718 /* check if issuer is an X.509 AA certificate */
719 if (issuer->get_type(issuer) != CERT_X509)
720 {
721 return FALSE;
722 }
723 if (!(x509->get_flags(x509) & X509_AA))
724 {
725 return FALSE;
726 }
727
728 /* get the public key of the issuer */
729 key = issuer->get_public_key(issuer);
730
731 /* compare keyIdentifiers if available, otherwise use DNs */
732 if (this->authKeyIdentifier && key)
733 {
734 identification_t *subjectKeyIdentifier = key->get_id(key, ID_PUBKEY_SHA1);
735
736 if (!subjectKeyIdentifier->equals(subjectKeyIdentifier,
737 this->authKeyIdentifier))
738 {
739 return FALSE;
740 }
741 }
742 else
743 {
744 if (!this->issuerName->equals(this->issuerName, issuer->get_subject(issuer)))
745 {
746 return FALSE;
747 }
748 }
749 /* TODO: generic OID to scheme mapper? */
750 switch (this->algorithm)
751 {
752 case OID_MD5_WITH_RSA:
753 scheme = SIGN_RSA_EMSA_PKCS1_MD5;
754 break;
755 case OID_SHA1_WITH_RSA:
756 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
757 break;
758 case OID_SHA256_WITH_RSA:
759 scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
760 break;
761 case OID_SHA384_WITH_RSA:
762 scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
763 break;
764 case OID_SHA512_WITH_RSA:
765 scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
766 break;
767 default:
768 return FALSE;
769 }
770 if (key == NULL)
771 {
772 return FALSE;
773 }
774 valid = key->verify(key, scheme, this->certificateInfo, this->signature);
775 key->destroy(key);
776 return valid;
777 }
778
779 /**
780 * Implementation of certificate_t.get_public_key.
781 */
782 static public_key_t* get_public_key(private_x509_ac_t *this)
783 {
784 return NULL;
785 }
786
787 /**
788 * Implementation of certificate_t.get_ref.
789 */
790 static private_x509_ac_t* get_ref(private_x509_ac_t *this)
791 {
792 ref_get(&this->ref);
793 return this;
794 }
795
796 /**
797 * Implementation of certificate_t.get_validity.
798 */
799 static bool get_validity(private_x509_ac_t *this, time_t *when,
800 time_t *not_before, time_t *not_after)
801 {
802 time_t t;
803
804 if (when)
805 {
806 t = *when;
807 }
808 else
809 {
810 t = time(NULL);
811 }
812 if (not_before)
813 {
814 *not_before = this->notBefore;
815 }
816 if (not_after)
817 {
818 *not_after = this->notAfter;
819 }
820 return (t >= this->notBefore && t <= this->notAfter);
821 }
822
823 /**
824 * Implementation of certificate_t.is_newer.
825 */
826 static bool is_newer(private_x509_ac_t *this, ac_t *that)
827 {
828 certificate_t *this_cert = &this->public.interface.certificate;
829 certificate_t *that_cert = &that->certificate;
830 time_t this_update, that_update, now = time(NULL);
831 bool new;
832
833 this_cert->get_validity(this_cert, &now, &this_update, NULL);
834 that_cert->get_validity(that_cert, &now, &that_update, NULL);
835 new = this_update > that_update;
836 DBG1(" attr cert from %#T is %s - existing attr_cert from %#T %s",
837 &this_update, FALSE, new ? "newer":"not newer",
838 &that_update, FALSE, new ? "replaced":"retained");
839 return new;
840 }
841
842 /**
843 * Implementation of certificate_t.get_encoding.
844 */
845 static chunk_t get_encoding(private_x509_ac_t *this)
846 {
847 return chunk_clone(this->encoding);
848 }
849
850 /**
851 * Implementation of certificate_t.equals.
852 */
853 static bool equals(private_x509_ac_t *this, certificate_t *other)
854 {
855 chunk_t encoding;
856 bool equal;
857
858 if ((certificate_t*)this == other)
859 {
860 return TRUE;
861 }
862 if (other->equals == (void*)equals)
863 { /* skip allocation if we have the same implementation */
864 return chunk_equals(this->encoding, ((private_x509_ac_t*)other)->encoding);
865 }
866 encoding = other->get_encoding(other);
867 equal = chunk_equals(this->encoding, encoding);
868 free(encoding.ptr);
869 return equal;
870 }
871
872 /**
873 * Implementation of x509_ac_t.destroy
874 */
875 static void destroy(private_x509_ac_t *this)
876 {
877 if (ref_put(&this->ref))
878 {
879 DESTROY_IF(this->holderIssuer);
880 DESTROY_IF(this->entityName);
881 DESTROY_IF(this->issuerName);
882 DESTROY_IF(this->authKeyIdentifier);
883 DESTROY_IF(this->holderCert);
884 DESTROY_IF(this->signerCert);
885 DESTROY_IF(this->signerKey);
886
887 ietfAttr_list_destroy(this->charging);
888 ietfAttr_list_destroy(this->groups);
889 free(this->encoding.ptr);
890 free(this);
891 }
892 }
893
894 /**
895 * create an empty but initialized X.509 attribute certificate
896 */
897 static private_x509_ac_t *create_empty(void)
898 {
899 private_x509_ac_t *this = malloc_thing(private_x509_ac_t);
900
901 /* public functions */
902 this->public.interface.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
903 this->public.interface.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
904 this->public.interface.certificate.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
905 this->public.interface.certificate.has_subject = (id_match_t(*)(certificate_t*, identification_t *subject))has_subject;
906 this->public.interface.certificate.has_issuer = (id_match_t(*)(certificate_t*, identification_t *issuer))has_issuer;
907 this->public.interface.certificate.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
908 this->public.interface.certificate.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
909 this->public.interface.certificate.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
910 this->public.interface.certificate.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer;
911 this->public.interface.certificate.get_encoding = (chunk_t(*)(certificate_t*))get_encoding;
912 this->public.interface.certificate.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
913 this->public.interface.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
914 this->public.interface.certificate.destroy = (void (*)(certificate_t *this))destroy;
915
916 /* initialize */
917 this->encoding = chunk_empty;
918 this->holderIssuer = NULL;
919 this->entityName = NULL;
920 this->issuerName = NULL;
921 this->authKeyIdentifier = NULL;
922 this->holderCert = NULL;
923 this->signerCert = NULL;
924 this->signerKey = NULL;
925 this->charging = linked_list_create();
926 this->groups = linked_list_create();
927 this->ref = 1;
928
929 return this;
930 }
931
932 /**
933 * create X.509 attribute certificate from a chunk
934 */
935 static private_x509_ac_t* create_from_chunk(chunk_t chunk)
936 {
937 private_x509_ac_t *this = create_empty();
938
939 this->encoding = chunk;
940 if (!parse_certificate(this))
941 {
942 destroy(this);
943 return NULL;
944 }
945 return this;
946 }
947
948 /**
949 * create X.509 crl from a file
950 */
951 static private_x509_ac_t* create_from_file(char *path)
952 {
953 bool pgp = FALSE;
954 chunk_t chunk;
955 private_x509_ac_t *this;
956
957 if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
958 {
959 return NULL;
960 }
961
962 this = create_from_chunk(chunk);
963
964 if (this == NULL)
965 {
966 DBG1(" could not parse loaded attribute certificate file '%s'", path);
967 return NULL;
968 }
969 DBG1(" loaded attribute certificate file '%s'", path);
970 return this;
971 }
972
973 typedef struct private_builder_t private_builder_t;
974 /**
975 * Builder implementation for certificate loading
976 */
977 struct private_builder_t {
978 /** implements the builder interface */
979 builder_t public;
980 /** X.509 attribute certificate to build */
981 private_x509_ac_t *ac;
982 };
983
984 /**
985 * Implementation of builder_t.build
986 */
987 static private_x509_ac_t* build(private_builder_t *this)
988 {
989 private_x509_ac_t *ac = this->ac;
990
991 free(this);
992
993 if (ac == NULL)
994 {
995 return NULL;
996 }
997
998 /* synthesis if TRUE or analysis if FALSE */
999 if (ac->encoding.ptr == NULL)
1000 {
1001 if (ac->holderCert && ac->signerCert && ac->signerKey)
1002 {
1003 ac->encoding = build_ac(ac);
1004 return ac;
1005 }
1006 destroy(ac);
1007 return NULL;
1008 }
1009 else
1010 {
1011 return NULL;
1012 }
1013 }
1014
1015 /**
1016 * Implementation of builder_t.add
1017 */
1018 static void add(private_builder_t *this, builder_part_t part, ...)
1019 {
1020 va_list args;
1021 certificate_t *cert;
1022
1023 va_start(args, part);
1024 switch (part)
1025 {
1026 case BUILD_FROM_FILE:
1027 if (this->ac)
1028 {
1029 destroy(this->ac);
1030 }
1031 this->ac = create_from_file(va_arg(args, char*));
1032 break;
1033 case BUILD_BLOB_ASN1_DER:
1034 if (this->ac)
1035 {
1036 destroy(this->ac);
1037 }
1038 this->ac = create_from_chunk(va_arg(args, chunk_t));
1039 break;
1040 case BUILD_NOT_BEFORE_TIME:
1041 this->ac->notBefore = va_arg(args, time_t);
1042 break;
1043 case BUILD_NOT_AFTER_TIME:
1044 this->ac->notAfter = va_arg(args, time_t);
1045 break;
1046 case BUILD_SERIAL:
1047 this->ac->serialNumber = va_arg(args, chunk_t);
1048 break;
1049 case BUILD_IETF_GROUP_ATTR:
1050 ietfAttr_list_create_from_string(va_arg(args, char*),
1051 this->ac->groups);
1052 break;
1053 case BUILD_CERT:
1054 cert = va_arg(args, certificate_t*);
1055 if (cert->get_type(cert) == CERT_X509)
1056 {
1057 this->ac->holderCert = cert;
1058 }
1059 else
1060 {
1061 cert->destroy(cert);
1062 }
1063 break;
1064 case BUILD_SIGNING_CERT:
1065 cert = va_arg(args, certificate_t*);
1066 if (cert->get_type(cert) == CERT_X509)
1067 {
1068 this->ac->signerCert = cert;
1069 }
1070 else
1071 {
1072 cert->destroy(cert);
1073 }
1074 break;
1075 case BUILD_SIGNING_KEY:
1076 this->ac->signerKey = va_arg(args, private_key_t*);
1077 break;
1078 default:
1079 DBG1("ignoring unsupported build part %N", builder_part_names, part);
1080 break;
1081 }
1082 va_end(args);
1083 }
1084
1085 /**
1086 * Builder construction function
1087 */
1088 builder_t *x509_ac_builder(certificate_type_t type)
1089 {
1090 private_builder_t *this;
1091
1092 if (type != CERT_X509_AC)
1093 {
1094 return NULL;
1095 }
1096
1097 this = malloc_thing(private_builder_t);
1098
1099 this->ac = create_empty();
1100 this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
1101 this->public.build = (void*(*)(builder_t *this))build;
1102
1103 return &this->public;
1104 }
1105