projects / strongswan.git / blob
? search:


108d7b29fe5d39891b5bbafa2b23305f7c65dfa5
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_cert.c
1 /*
2 * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
3 * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
4 * Copyright (C) 2002 Mario Strasser
5 * Copyright (C) 2000-2006 Andreas Steffen
6 * Copyright (C) 2006-2009 Martin Willi
7 * Copyright (C) 2008 Tobias Brunner
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #define _GNU_SOURCE
22
23 #include "x509_cert.h"
24
25 #include <sys/stat.h>
26 #include <time.h>
27 #include <unistd.h>
28 #include <string.h>
29 #include <stdio.h>
30
31 #include <library.h>
32 #include <debug.h>
33 #include <asn1/oid.h>
34 #include <asn1/asn1.h>
35 #include <asn1/asn1_parser.h>
36 #include <crypto/hashers/hasher.h>
37 #include <credentials/keys/private_key.h>
38 #include <utils/linked_list.h>
39 #include <utils/identification.h>
40
41 /**
42 * Different kinds of generalNames
43 */
44 typedef enum {
45 GN_OTHER_NAME = 0,
46 GN_RFC822_NAME = 1,
47 GN_DNS_NAME = 2,
48 GN_X400_ADDRESS = 3,
49 GN_DIRECTORY_NAME = 4,
50 GN_EDI_PARTY_NAME = 5,
51 GN_URI = 6,
52 GN_IP_ADDRESS = 7,
53 GN_REGISTERED_ID = 8,
54 } generalNames_t;
55
56
57 typedef struct private_x509_cert_t private_x509_cert_t;
58
59 /**
60 * Private data of a x509_cert_t object.
61 */
62 struct private_x509_cert_t {
63 /**
64 * Public interface for this certificate.
65 */
66 x509_cert_t public;
67
68 /**
69 * X.509 certificate encoding in ASN.1 DER format
70 */
71 chunk_t encoding;
72
73 /**
74 * SHA1 hash of the DER encoding of this X.509 certificate
75 */
76 chunk_t encoding_hash;
77
78 /**
79 * X.509 certificate body over which signature is computed
80 */
81 chunk_t tbsCertificate;
82
83 /**
84 * Version of the X.509 certificate
85 */
86 u_int version;
87
88 /**
89 * Serial number of the X.509 certificate
90 */
91 chunk_t serialNumber;
92
93 /**
94 * ID representing the certificate issuer
95 */
96 identification_t *issuer;
97
98 /**
99 * Start time of certificate validity
100 */
101 time_t notBefore;
102
103 /**
104 * End time of certificate validity
105 */
106 time_t notAfter;
107
108 /**
109 * ID representing the certificate subject
110 */
111 identification_t *subject;
112
113 /**
114 * List of subjectAltNames as identification_t
115 */
116 linked_list_t *subjectAltNames;
117
118 /**
119 * List of crlDistributionPoints as allocated char*
120 */
121 linked_list_t *crl_uris;
122
123 /**
124 * List ocspAccessLocations as allocated char*
125 */
126 linked_list_t *ocsp_uris;
127
128 /**
129 * certificate's embedded public key
130 */
131 public_key_t *public_key;
132
133 /**
134 * Subject Key Identifier
135 */
136 chunk_t subjectKeyID;
137
138 /**
139 * Authority Key Identifier
140 */
141 chunk_t authKeyIdentifier;
142
143 /**
144 * Authority Key Serial Number
145 */
146 chunk_t authKeySerialNumber;
147
148 /**
149 * x509 constraints and other flags
150 */
151 x509_flag_t flags;
152
153 /**
154 * Signature algorithm
155 */
156 int algorithm;
157
158 /**
159 * Signature
160 */
161 chunk_t signature;
162
163 /**
164 * Certificate parsed from blob/file?
165 */
166 bool parsed;
167
168 /**
169 * reference count
170 */
171 refcount_t ref;
172 };
173
174 static const chunk_t ASN1_subjectAltName_oid = chunk_from_chars(
175 0x06, 0x03, 0x55, 0x1D, 0x11
176 );
177
178 /**
179 * ASN.1 definition of a basicConstraints extension
180 */
181 static const asn1Object_t basicConstraintsObjects[] = {
182 { 0, "basicConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
183 { 1, "CA", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 1 */
184 { 1, "pathLenConstraint", ASN1_INTEGER, ASN1_OPT|ASN1_BODY }, /* 2 */
185 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
186 { 0, "exit", ASN1_EOC, ASN1_EXIT }
187 };
188 #define BASIC_CONSTRAINTS_CA 1
189
190 /**
191 * Extracts the basicConstraints extension
192 */
193 static bool parse_basicConstraints(chunk_t blob, int level0)
194 {
195 asn1_parser_t *parser;
196 chunk_t object;
197 int objectID;
198 bool isCA = FALSE;
199
200 parser = asn1_parser_create(basicConstraintsObjects, blob);
201 parser->set_top_level(parser, level0);
202
203 while (parser->iterate(parser, &objectID, &object))
204 {
205 if (objectID == BASIC_CONSTRAINTS_CA)
206 {
207 isCA = object.len && *object.ptr;
208 DBG2(" %s", isCA ? "TRUE" : "FALSE");
209 }
210 }
211 parser->destroy(parser);
212
213 return isCA;
214 }
215
216 /**
217 * ASN.1 definition of otherName
218 */
219 static const asn1Object_t otherNameObjects[] = {
220 {0, "type-id", ASN1_OID, ASN1_BODY }, /* 0 */
221 {0, "value", ASN1_CONTEXT_C_0, ASN1_BODY }, /* 1 */
222 {0, "exit", ASN1_EOC, ASN1_EXIT }
223 };
224 #define ON_OBJ_ID_TYPE 0
225 #define ON_OBJ_VALUE 1
226
227 /**
228 * Extracts an otherName
229 */
230 static bool parse_otherName(chunk_t blob, int level0)
231 {
232 asn1_parser_t *parser;
233 chunk_t object;
234 int objectID;
235 int oid = OID_UNKNOWN;
236 bool success = FALSE;
237
238 parser = asn1_parser_create(otherNameObjects, blob);
239 parser->set_top_level(parser, level0);
240
241 while (parser->iterate(parser, &objectID, &object))
242 {
243 switch (objectID)
244 {
245 case ON_OBJ_ID_TYPE:
246 oid = asn1_known_oid(object);
247 break;
248 case ON_OBJ_VALUE:
249 if (oid == OID_XMPP_ADDR)
250 {
251 if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
252 parser->get_level(parser)+1, "xmppAddr"))
253 {
254 goto end;
255 }
256 }
257 break;
258 default:
259 break;
260 }
261 }
262 success = parser->success(parser);
263
264 end:
265 parser->destroy(parser);
266 return success;
267 }
268
269 /**
270 * ASN.1 definition of generalName
271 */
272 static const asn1Object_t generalNameObjects[] = {
273 { 0, "otherName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_BODY }, /* 0 */
274 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 1 */
275 { 0, "rfc822Name", ASN1_CONTEXT_S_1, ASN1_OPT|ASN1_BODY }, /* 2 */
276 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 3 */
277 { 0, "dnsName", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 4 */
278 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
279 { 0, "x400Address", ASN1_CONTEXT_S_3, ASN1_OPT|ASN1_BODY }, /* 6 */
280 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
281 { 0, "directoryName", ASN1_CONTEXT_C_4, ASN1_OPT|ASN1_BODY }, /* 8 */
282 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
283 { 0, "ediPartyName", ASN1_CONTEXT_C_5, ASN1_OPT|ASN1_BODY }, /* 10 */
284 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
285 { 0, "URI", ASN1_CONTEXT_S_6, ASN1_OPT|ASN1_BODY }, /* 12 */
286 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 13 */
287 { 0, "ipAddress", ASN1_CONTEXT_S_7, ASN1_OPT|ASN1_BODY }, /* 14 */
288 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 15 */
289 { 0, "registeredID", ASN1_CONTEXT_S_8, ASN1_OPT|ASN1_BODY }, /* 16 */
290 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 17 */
291 { 0, "exit", ASN1_EOC, ASN1_EXIT }
292 };
293 #define GN_OBJ_OTHER_NAME 0
294 #define GN_OBJ_RFC822_NAME 2
295 #define GN_OBJ_DNS_NAME 4
296 #define GN_OBJ_X400_ADDRESS 6
297 #define GN_OBJ_DIRECTORY_NAME 8
298 #define GN_OBJ_EDI_PARTY_NAME 10
299 #define GN_OBJ_URI 12
300 #define GN_OBJ_IP_ADDRESS 14
301 #define GN_OBJ_REGISTERED_ID 16
302
303 /**
304 * Extracts a generalName
305 */
306 static identification_t *parse_generalName(chunk_t blob, int level0)
307 {
308 asn1_parser_t *parser;
309 chunk_t object;
310 int objectID ;
311
312 identification_t *gn = NULL;
313
314 parser = asn1_parser_create(generalNameObjects, blob);
315 parser->set_top_level(parser, level0);
316
317 while (parser->iterate(parser, &objectID, &object))
318 {
319 id_type_t id_type = ID_ANY;
320
321 switch (objectID)
322 {
323 case GN_OBJ_RFC822_NAME:
324 id_type = ID_RFC822_ADDR;
325 break;
326 case GN_OBJ_DNS_NAME:
327 id_type = ID_FQDN;
328 break;
329 case GN_OBJ_URI:
330 id_type = ID_DER_ASN1_GN_URI;
331 break;
332 case GN_OBJ_DIRECTORY_NAME:
333 id_type = ID_DER_ASN1_DN;
334 break;
335 case GN_OBJ_IP_ADDRESS:
336 id_type = ID_IPV4_ADDR;
337 break;
338 case GN_OBJ_OTHER_NAME:
339 if (!parse_otherName(object, parser->get_level(parser)+1))
340 {
341 goto end;
342 }
343 break;
344 case GN_OBJ_X400_ADDRESS:
345 case GN_OBJ_EDI_PARTY_NAME:
346 case GN_OBJ_REGISTERED_ID:
347 default:
348 break;
349 }
350 if (id_type != ID_ANY)
351 {
352 gn = identification_create_from_encoding(id_type, object);
353 DBG2(" '%Y'", gn);
354 goto end;
355 }
356 }
357
358 end:
359 parser->destroy(parser);
360 return gn;
361 }
362
363 /**
364 * ASN.1 definition of generalNames
365 */
366 static const asn1Object_t generalNamesObjects[] = {
367 { 0, "generalNames", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
368 { 1, "generalName", ASN1_EOC, ASN1_RAW }, /* 1 */
369 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
370 { 0, "exit", ASN1_EOC, ASN1_EXIT }
371 };
372 #define GENERAL_NAMES_GN 1
373
374 /**
375 * Extracts one or several GNs and puts them into a chained list
376 */
377 void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list)
378 {
379 asn1_parser_t *parser;
380 chunk_t object;
381 int objectID;
382
383 parser = asn1_parser_create(generalNamesObjects, blob);
384 parser->set_top_level(parser, level0);
385 parser->set_flags(parser, implicit, FALSE);
386
387 while (parser->iterate(parser, &objectID, &object))
388 {
389 if (objectID == GENERAL_NAMES_GN)
390 {
391 identification_t *gn = parse_generalName(object,
392 parser->get_level(parser)+1);
393
394 if (gn)
395 {
396 list->insert_last(list, (void *)gn);
397 }
398 }
399 }
400 parser->destroy(parser);
401 }
402
403 /**
404 * ASN.1 definition of a authorityKeyIdentifier extension
405 */
406 static const asn1Object_t authKeyIdentifierObjects[] = {
407 { 0, "authorityKeyIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
408 { 1, "keyIdentifier", ASN1_CONTEXT_S_0, ASN1_OPT|ASN1_BODY }, /* 1 */
409 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
410 { 1, "authorityCertIssuer", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_OBJ }, /* 3 */
411 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 4 */
412 { 1, "authorityCertSerialNumber", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 5 */
413 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
414 { 0, "exit", ASN1_EOC, ASN1_EXIT }
415 };
416 #define AUTH_KEY_ID_KEY_ID 1
417 #define AUTH_KEY_ID_CERT_ISSUER 3
418 #define AUTH_KEY_ID_CERT_SERIAL 5
419
420 /**
421 * Extracts an authoritykeyIdentifier
422 */
423 chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
424 chunk_t *authKeySerialNumber)
425 {
426 asn1_parser_t *parser;
427 chunk_t object;
428 int objectID;
429 chunk_t authKeyIdentifier = chunk_empty;
430
431 *authKeySerialNumber = chunk_empty;
432
433 parser = asn1_parser_create(authKeyIdentifierObjects, blob);
434 parser->set_top_level(parser, level0);
435
436 while (parser->iterate(parser, &objectID, &object))
437 {
438 switch (objectID)
439 {
440 case AUTH_KEY_ID_KEY_ID:
441 authKeyIdentifier = chunk_clone(object);
442 break;
443 case AUTH_KEY_ID_CERT_ISSUER:
444 /* TODO: x509_parse_generalNames(object, level+1, TRUE); */
445 break;
446 case AUTH_KEY_ID_CERT_SERIAL:
447 *authKeySerialNumber = object;
448 break;
449 default:
450 break;
451 }
452 }
453 parser->destroy(parser);
454 return authKeyIdentifier;
455 }
456
457 /**
458 * ASN.1 definition of a authorityInfoAccess extension
459 */
460 static const asn1Object_t authInfoAccessObjects[] = {
461 { 0, "authorityInfoAccess", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
462 { 1, "accessDescription", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
463 { 2, "accessMethod", ASN1_OID, ASN1_BODY }, /* 2 */
464 { 2, "accessLocation", ASN1_EOC, ASN1_RAW }, /* 3 */
465 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
466 { 0, "exit", ASN1_EOC, ASN1_EXIT }
467 };
468 #define AUTH_INFO_ACCESS_METHOD 2
469 #define AUTH_INFO_ACCESS_LOCATION 3
470
471 /**
472 * Extracts an authorityInfoAcess location
473 */
474 static void parse_authorityInfoAccess(chunk_t blob, int level0,
475 private_x509_cert_t *this)
476 {
477 asn1_parser_t *parser;
478 chunk_t object;
479 int objectID;
480 int accessMethod = OID_UNKNOWN;
481
482 parser = asn1_parser_create(authInfoAccessObjects, blob);
483 parser->set_top_level(parser, level0);
484
485 while (parser->iterate(parser, &objectID, &object))
486 {
487 switch (objectID)
488 {
489 case AUTH_INFO_ACCESS_METHOD:
490 accessMethod = asn1_known_oid(object);
491 break;
492 case AUTH_INFO_ACCESS_LOCATION:
493 {
494 switch (accessMethod)
495 {
496 case OID_OCSP:
497 case OID_CA_ISSUERS:
498 {
499 identification_t *id;
500 char *uri;
501
502 id = parse_generalName(object,
503 parser->get_level(parser)+1);
504 if (id == NULL)
505 {
506 /* parsing went wrong - abort */
507 goto end;
508 }
509 DBG2(" '%Y'", id);
510 if (accessMethod == OID_OCSP &&
511 asprintf(&uri, "%Y", id) > 0)
512 {
513 this->ocsp_uris->insert_last(this->ocsp_uris, uri);
514 }
515 id->destroy(id);
516 }
517 break;
518 default:
519 /* unkown accessMethod, ignoring */
520 break;
521 }
522 break;
523 }
524 default:
525 break;
526 }
527 }
528
529 end:
530 parser->destroy(parser);
531 }
532
533 /**
534 * ASN.1 definition of a extendedKeyUsage extension
535 */
536 static const asn1Object_t extendedKeyUsageObjects[] = {
537 { 0, "extendedKeyUsage", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
538 { 1, "keyPurposeID", ASN1_OID, ASN1_BODY }, /* 1 */
539 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
540 { 0, "exit", ASN1_EOC, ASN1_EXIT }
541 };
542 #define EXT_KEY_USAGE_PURPOSE_ID 1
543
544 /**
545 * Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned
546 */
547 static bool parse_extendedKeyUsage(chunk_t blob, int level0)
548 {
549 asn1_parser_t *parser;
550 chunk_t object;
551 int objectID;
552 bool ocsp_signing = FALSE;
553
554 parser = asn1_parser_create(extendedKeyUsageObjects, blob);
555 parser->set_top_level(parser, level0);
556
557 while (parser->iterate(parser, &objectID, &object))
558 {
559 if (objectID == EXT_KEY_USAGE_PURPOSE_ID &&
560 asn1_known_oid(object) == OID_OCSP_SIGNING)
561 {
562 ocsp_signing = TRUE;
563 }
564 }
565 parser->destroy(parser);
566 return ocsp_signing;
567 }
568
569 /**
570 * ASN.1 definition of crlDistributionPoints
571 */
572 static const asn1Object_t crlDistributionPointsObjects[] = {
573 { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
574 { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
575 { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */
576 { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
577 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
578 { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
579 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
580 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
581 { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
582 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
583 { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_BODY }, /* 10 */
584 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
585 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
586 { 0, "exit", ASN1_EOC, ASN1_EXIT }
587 };
588 #define CRL_DIST_POINTS_FULLNAME 3
589
590 /**
591 * Extracts one or several crlDistributionPoints into a list
592 */
593 static void parse_crlDistributionPoints(chunk_t blob, int level0,
594 private_x509_cert_t *this)
595 {
596 asn1_parser_t *parser;
597 chunk_t object;
598 int objectID;
599 linked_list_t *list = linked_list_create();
600
601 parser = asn1_parser_create(crlDistributionPointsObjects, blob);
602 parser->set_top_level(parser, level0);
603
604 while (parser->iterate(parser, &objectID, &object))
605 {
606 if (objectID == CRL_DIST_POINTS_FULLNAME)
607 {
608 identification_t *id;
609
610 /* append extracted generalNames to existing chained list */
611 x509_parse_generalNames(object, parser->get_level(parser)+1,
612 TRUE, list);
613
614 while (list->remove_last(list, (void**)&id) == SUCCESS)
615 {
616 char *uri;
617
618 if (asprintf(&uri, "%Y", id) > 0)
619 {
620 this->crl_uris->insert_last(this->crl_uris, uri);
621 }
622 id->destroy(id);
623 }
624 }
625 }
626 parser->destroy(parser);
627 list->destroy(list);
628 }
629
630 /**
631 * ASN.1 definition of an X.509v3 x509_cert
632 */
633 static const asn1Object_t certObjects[] = {
634 { 0, "x509", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
635 { 1, "tbsCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
636 { 2, "DEFAULT v1", ASN1_CONTEXT_C_0, ASN1_DEF }, /* 2 */
637 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
638 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 4 */
639 { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 5 */
640 { 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
641 { 2, "validity", ASN1_SEQUENCE, ASN1_NONE }, /* 7 */
642 { 3, "notBefore", ASN1_EOC, ASN1_RAW }, /* 8 */
643 { 3, "notAfter", ASN1_EOC, ASN1_RAW }, /* 9 */
644 { 2, "subject", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
645 { 2, "subjectPublicKeyInfo",ASN1_SEQUENCE, ASN1_RAW }, /* 11 */
646 { 2, "issuerUniqueID", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 12 */
647 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 13 */
648 { 2, "subjectUniqueID", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 14 */
649 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 15 */
650 { 2, "optional extensions", ASN1_CONTEXT_C_3, ASN1_OPT }, /* 16 */
651 { 3, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 17 */
652 { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 18 */
653 { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 19 */
654 { 5, "critical", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 20 */
655 { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 21 */
656 { 3, "end loop", ASN1_EOC, ASN1_END }, /* 22 */
657 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 23 */
658 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 24 */
659 { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY }, /* 25 */
660 { 0, "exit", ASN1_EOC, ASN1_EXIT }
661 };
662 #define X509_OBJ_TBS_CERTIFICATE 1
663 #define X509_OBJ_VERSION 3
664 #define X509_OBJ_SERIAL_NUMBER 4
665 #define X509_OBJ_SIG_ALG 5
666 #define X509_OBJ_ISSUER 6
667 #define X509_OBJ_NOT_BEFORE 8
668 #define X509_OBJ_NOT_AFTER 9
669 #define X509_OBJ_SUBJECT 10
670 #define X509_OBJ_SUBJECT_PUBLIC_KEY_INFO 11
671 #define X509_OBJ_EXTN_ID 19
672 #define X509_OBJ_CRITICAL 20
673 #define X509_OBJ_EXTN_VALUE 21
674 #define X509_OBJ_ALGORITHM 24
675 #define X509_OBJ_SIGNATURE 25
676
677 /**
678 * forward declaration
679 */
680 static bool issued_by(private_x509_cert_t *this, certificate_t *issuer);
681
682 /**
683 * Parses an X.509v3 certificate
684 */
685 static bool parse_certificate(private_x509_cert_t *this)
686 {
687 asn1_parser_t *parser;
688 chunk_t object;
689 int objectID;
690 int extn_oid = OID_UNKNOWN;
691 int sig_alg = OID_UNKNOWN;
692 bool success = FALSE;
693 bool critical;
694
695 parser = asn1_parser_create(certObjects, this->encoding);
696
697 while (parser->iterate(parser, &objectID, &object))
698 {
699 u_int level = parser->get_level(parser)+1;
700
701 switch (objectID)
702 {
703 case X509_OBJ_TBS_CERTIFICATE:
704 this->tbsCertificate = object;
705 break;
706 case X509_OBJ_VERSION:
707 this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
708 DBG2(" v%d", this->version);
709 break;
710 case X509_OBJ_SERIAL_NUMBER:
711 this->serialNumber = object;
712 break;
713 case X509_OBJ_SIG_ALG:
714 sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
715 break;
716 case X509_OBJ_ISSUER:
717 this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
718 DBG2(" '%Y'", this->issuer);
719 break;
720 case X509_OBJ_NOT_BEFORE:
721 this->notBefore = asn1_parse_time(object, level);
722 break;
723 case X509_OBJ_NOT_AFTER:
724 this->notAfter = asn1_parse_time(object, level);
725 break;
726 case X509_OBJ_SUBJECT:
727 this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
728 DBG2(" '%Y'", this->subject);
729 break;
730 case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
731 this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
732 KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
733 if (this->public_key == NULL)
734 {
735 goto end;
736 }
737 break;
738 case X509_OBJ_EXTN_ID:
739 extn_oid = asn1_known_oid(object);
740 break;
741 case X509_OBJ_CRITICAL:
742 critical = object.len && *object.ptr;
743 DBG2(" %s", critical ? "TRUE" : "FALSE");
744 break;
745 case X509_OBJ_EXTN_VALUE:
746 {
747 switch (extn_oid)
748 {
749 case OID_SUBJECT_KEY_ID:
750 if (!asn1_parse_simple_object(&object, ASN1_OCTET_STRING,
751 level, "keyIdentifier"))
752 {
753 goto end;
754 }
755 this->subjectKeyID = object;
756 break;
757 case OID_SUBJECT_ALT_NAME:
758 x509_parse_generalNames(object, level, FALSE,
759 this->subjectAltNames);
760 break;
761 case OID_BASIC_CONSTRAINTS:
762 if (parse_basicConstraints(object, level))
763 {
764 this->flags |= X509_CA;
765 }
766 break;
767 case OID_CRL_DISTRIBUTION_POINTS:
768 parse_crlDistributionPoints(object, level, this);
769 break;
770 case OID_AUTHORITY_KEY_ID:
771 this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
772 level, &this->authKeySerialNumber);
773 break;
774 case OID_AUTHORITY_INFO_ACCESS:
775 parse_authorityInfoAccess(object, level, this);
776 break;
777 case OID_EXTENDED_KEY_USAGE:
778 if (parse_extendedKeyUsage(object, level))
779 {
780 this->flags |= X509_OCSP_SIGNER;
781 }
782 break;
783 case OID_NS_REVOCATION_URL:
784 case OID_NS_CA_REVOCATION_URL:
785 case OID_NS_CA_POLICY_URL:
786 case OID_NS_COMMENT:
787 if (!asn1_parse_simple_object(&object, ASN1_IA5STRING,
788 level, oid_names[extn_oid].name))
789 {
790 goto end;
791 }
792 break;
793 default:
794 break;
795 }
796 break;
797 }
798 case X509_OBJ_ALGORITHM:
799 this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
800 if (this->algorithm != sig_alg)
801 {
802 DBG1(" signature algorithms do not agree");
803 goto end;
804 }
805 break;
806 case X509_OBJ_SIGNATURE:
807 this->signature = object;
808 break;
809 default:
810 break;
811 }
812 }
813 success = parser->success(parser);
814
815 end:
816 parser->destroy(parser);
817 if (success)
818 {
819 hasher_t *hasher;
820
821 /* check if the certificate is self-signed */
822 if (issued_by(this, &this->public.interface.interface))
823 {
824 this->flags |= X509_SELF_SIGNED;
825 }
826 /* create certificate hash */
827 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
828 if (hasher == NULL)
829 {
830 DBG1(" unable to create hash of certificate, SHA1 not supported");
831 return NULL;
832 }
833 hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
834 hasher->destroy(hasher);
835 }
836 return success;
837 }
838
839 /**
840 * Implementation of certificate_t.get_type
841 */
842 static certificate_type_t get_type(private_x509_cert_t *this)
843 {
844 return CERT_X509;
845 }
846
847 /**
848 * Implementation of certificate_t.get_subject
849 */
850 static identification_t* get_subject(private_x509_cert_t *this)
851 {
852 return this->subject;
853 }
854
855 /**
856 * Implementation of certificate_t.get_issuer
857 */
858 static identification_t* get_issuer(private_x509_cert_t *this)
859 {
860 return this->issuer;
861 }
862
863 /**
864 * Implementation of certificate_t.has_subject.
865 */
866 static id_match_t has_subject(private_x509_cert_t *this, identification_t *subject)
867 {
868 identification_t *current;
869 enumerator_t *enumerator;
870 id_match_t match, best;
871
872 if (this->encoding_hash.ptr && subject->get_type(subject) == ID_KEY_ID)
873 {
874 if (chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
875 {
876 return ID_MATCH_PERFECT;
877 }
878 }
879
880 best = this->subject->matches(this->subject, subject);
881 enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
882 while (enumerator->enumerate(enumerator, &current))
883 {
884 match = current->matches(current, subject);
885 if (match > best)
886 {
887 best = match;
888 }
889 }
890 enumerator->destroy(enumerator);
891 return best;
892 }
893
894 /**
895 * Implementation of certificate_t.has_subject.
896 */
897 static id_match_t has_issuer(private_x509_cert_t *this, identification_t *issuer)
898 {
899 /* issuerAltNames currently not supported */
900 return this->issuer->matches(this->issuer, issuer);
901 }
902
903 /**
904 * Implementation of certificate_t.issued_by
905 */
906 static bool issued_by(private_x509_cert_t *this, certificate_t *issuer)
907 {
908 public_key_t *key;
909 signature_scheme_t scheme;
910 bool valid;
911 x509_t *x509 = (x509_t*)issuer;
912
913 if (&this->public.interface.interface == issuer)
914 {
915 if (this->flags & X509_SELF_SIGNED)
916 {
917 return TRUE;
918 }
919 }
920 else
921 {
922 if (issuer->get_type(issuer) != CERT_X509)
923 {
924 return FALSE;
925 }
926 if (!(x509->get_flags(x509) & X509_CA))
927 {
928 return FALSE;
929 }
930 }
931 if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
932 {
933 return FALSE;
934 }
935
936 /* determine signature scheme */
937 scheme = signature_scheme_from_oid(this->algorithm);
938 if (scheme == SIGN_UNKNOWN)
939 {
940 return FALSE;
941 }
942 /* get the public key of the issuer */
943 key = issuer->get_public_key(issuer);
944 if (!key)
945 {
946 return FALSE;
947 }
948 valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
949 key->destroy(key);
950 return valid;
951 }
952
953 /**
954 * Implementation of certificate_t.get_public_key
955 */
956 static public_key_t* get_public_key(private_x509_cert_t *this)
957 {
958 this->public_key->get_ref(this->public_key);
959 return this->public_key;
960 }
961
962 /**
963 * Implementation of certificate_t.get_ref
964 */
965 static private_x509_cert_t* get_ref(private_x509_cert_t *this)
966 {
967 ref_get(&this->ref);
968 return this;
969 }
970
971 /**
972 * Implementation of x509_cert_t.get_flags.
973 */
974 static x509_flag_t get_flags(private_x509_cert_t *this)
975 {
976 return this->flags;
977 }
978
979 /**
980 * Implementation of x509_cert_t.get_validity.
981 */
982 static bool get_validity(private_x509_cert_t *this, time_t *when,
983 time_t *not_before, time_t *not_after)
984 {
985 time_t t;
986
987 if (when)
988 {
989 t = *when;
990 }
991 else
992 {
993 t = time(NULL);
994 }
995 if (not_before)
996 {
997 *not_before = this->notBefore;
998 }
999 if (not_after)
1000 {
1001 *not_after = this->notAfter;
1002 }
1003 return (t >= this->notBefore && t <= this->notAfter);
1004 }
1005
1006 /**
1007 * Implementation of certificate_t.is_newer.
1008 */
1009 static bool is_newer(certificate_t *this, certificate_t *that)
1010 {
1011 time_t this_update, that_update, now = time(NULL);
1012 bool new;
1013
1014 this->get_validity(this, &now, &this_update, NULL);
1015 that->get_validity(that, &now, &that_update, NULL);
1016 new = this_update > that_update;
1017 DBG1(" certificate from %T is %s - existing certificate from %T %s",
1018 &this_update, FALSE, new ? "newer":"not newer",
1019 &that_update, FALSE, new ? "replaced":"retained");
1020 return new;
1021 }
1022
1023 /**
1024 * Implementation of certificate_t.get_encoding.
1025 */
1026 static chunk_t get_encoding(private_x509_cert_t *this)
1027 {
1028 return chunk_clone(this->encoding);
1029 }
1030
1031 /**
1032 * Implementation of certificate_t.equals.
1033 */
1034 static bool equals(private_x509_cert_t *this, certificate_t *other)
1035 {
1036 chunk_t encoding;
1037 bool equal;
1038
1039 if (this == (private_x509_cert_t*)other)
1040 {
1041 return TRUE;
1042 }
1043 if (other->get_type(other) != CERT_X509)
1044 {
1045 return FALSE;
1046 }
1047 if (other->equals == (void*)equals)
1048 { /* skip allocation if we have the same implementation */
1049 return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding);
1050 }
1051 encoding = other->get_encoding(other);
1052 equal = chunk_equals(this->encoding, encoding);
1053 free(encoding.ptr);
1054 return equal;
1055 }
1056
1057 /**
1058 * Implementation of x509_t.get_serial.
1059 */
1060 static chunk_t get_serial(private_x509_cert_t *this)
1061 {
1062 return this->serialNumber;
1063 }
1064
1065 /**
1066 * Implementation of x509_t.get_authKeyIdentifier.
1067 */
1068 static chunk_t get_authKeyIdentifier(private_x509_cert_t *this)
1069 {
1070 return this->authKeyIdentifier;
1071 }
1072
1073 /**
1074 * Implementation of x509_cert_t.create_subjectAltName_enumerator.
1075 */
1076 static enumerator_t* create_subjectAltName_enumerator(private_x509_cert_t *this)
1077 {
1078 return this->subjectAltNames->create_enumerator(this->subjectAltNames);
1079 }
1080
1081 /**
1082 * Implementation of x509_cert_t.create_ocsp_uri_enumerator.
1083 */
1084 static enumerator_t* create_ocsp_uri_enumerator(private_x509_cert_t *this)
1085 {
1086 return this->ocsp_uris->create_enumerator(this->ocsp_uris);
1087 }
1088
1089 /**
1090 * Implementation of x509_cert_t.create_crl_uri_enumerator.
1091 */
1092 static enumerator_t* create_crl_uri_enumerator(private_x509_cert_t *this)
1093 {
1094 return this->crl_uris->create_enumerator(this->crl_uris);
1095 }
1096
1097 /**
1098 * Implementation of certificate_t.destroy.
1099 */
1100 static void destroy(private_x509_cert_t *this)
1101 {
1102 if (ref_put(&this->ref))
1103 {
1104 this->subjectAltNames->destroy_offset(this->subjectAltNames,
1105 offsetof(identification_t, destroy));
1106 this->crl_uris->destroy_function(this->crl_uris, free);
1107 this->ocsp_uris->destroy_function(this->ocsp_uris, free);
1108 DESTROY_IF(this->issuer);
1109 DESTROY_IF(this->subject);
1110 DESTROY_IF(this->public_key);
1111 chunk_free(&this->authKeyIdentifier);
1112 chunk_free(&this->encoding);
1113 chunk_free(&this->encoding_hash);
1114 if (!this->parsed)
1115 { /* only parsed certificates point these fields to "encoded" */
1116 chunk_free(&this->signature);
1117 chunk_free(&this->serialNumber);
1118 chunk_free(&this->tbsCertificate);
1119 }
1120 free(this);
1121 }
1122 }
1123
1124 /**
1125 * create an empty but initialized X.509 certificate
1126 */
1127 static private_x509_cert_t* create_empty(void)
1128 {
1129 private_x509_cert_t *this = malloc_thing(private_x509_cert_t);
1130
1131 this->public.interface.interface.get_type = (certificate_type_t (*) (certificate_t*))get_type;
1132 this->public.interface.interface.get_subject = (identification_t* (*) (certificate_t*))get_subject;
1133 this->public.interface.interface.get_issuer = (identification_t* (*) (certificate_t*))get_issuer;
1134 this->public.interface.interface.has_subject = (id_match_t (*) (certificate_t*, identification_t*))has_subject;
1135 this->public.interface.interface.has_issuer = (id_match_t (*) (certificate_t*, identification_t*))has_issuer;
1136 this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by;
1137 this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key;
1138 this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity;
1139 this->public.interface.interface.is_newer = (bool (*) (certificate_t*,certificate_t*))is_newer;
1140 this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding;
1141 this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals;
1142 this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref;
1143 this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
1144 this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags;
1145 this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial;
1146 this->public.interface.get_authKeyIdentifier = (chunk_t (*)(x509_t*))get_authKeyIdentifier;
1147 this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator;
1148 this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator;
1149 this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator;
1150
1151 this->encoding = chunk_empty;
1152 this->encoding_hash = chunk_empty;
1153 this->tbsCertificate = chunk_empty;
1154 this->version = 3;
1155 this->serialNumber = chunk_empty;
1156 this->notBefore = 0;
1157 this->notAfter = 0;
1158 this->public_key = NULL;
1159 this->subject = NULL;
1160 this->issuer = NULL;
1161 this->subjectAltNames = linked_list_create();
1162 this->crl_uris = linked_list_create();
1163 this->ocsp_uris = linked_list_create();
1164 this->subjectKeyID = chunk_empty;
1165 this->authKeyIdentifier = chunk_empty;
1166 this->authKeySerialNumber = chunk_empty;
1167 this->algorithm = 0;
1168 this->signature = chunk_empty;
1169 this->flags = 0;
1170 this->ref = 1;
1171 this->parsed = FALSE;
1172
1173 return this;
1174 }
1175
1176 /**
1177 * Generate and sign a new certificate
1178 */
1179 static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
1180 private_key_t *sign_key, int digest_alg)
1181 {
1182 chunk_t extensions = chunk_empty;
1183 chunk_t basicConstraints = chunk_empty, subjectAltNames = chunk_empty;
1184 chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
1185 chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
1186 identification_t *issuer, *subject;
1187 chunk_t key_info;
1188 signature_scheme_t scheme;
1189 hasher_t *hasher;
1190 enumerator_t *enumerator;
1191 identification_t *id;
1192 char *uri;
1193
1194 subject = cert->subject;
1195 if (sign_cert)
1196 {
1197 issuer = sign_cert->get_subject(sign_cert);
1198 if (!cert->public_key)
1199 {
1200 return FALSE;
1201 }
1202 }
1203 else
1204 { /* self signed */
1205 issuer = subject;
1206 if (!cert->public_key)
1207 {
1208 cert->public_key = sign_key->get_public_key(sign_key);
1209 }
1210 cert->flags |= X509_SELF_SIGNED;
1211 }
1212 cert->issuer = issuer->clone(issuer);
1213 if (!cert->notBefore)
1214 {
1215 cert->notBefore = time(NULL);
1216 }
1217 if (!cert->notAfter)
1218 { /* defaults to 1 year from now */
1219 cert->notAfter = cert->notBefore + 60 * 60 * 24 * 365;
1220 }
1221
1222 /* select signature scheme */
1223 switch (sign_key->get_type(sign_key))
1224 {
1225 case KEY_RSA:
1226 switch (digest_alg)
1227 {
1228 case HASH_MD5:
1229 cert->algorithm = OID_MD5_WITH_RSA;
1230 break;
1231 case HASH_SHA1:
1232 cert->algorithm = OID_SHA1_WITH_RSA;
1233 break;
1234 case HASH_SHA224:
1235 cert->algorithm = OID_SHA224_WITH_RSA;
1236 break;
1237 case HASH_SHA256:
1238 cert->algorithm = OID_SHA256_WITH_RSA;
1239 break;
1240 case HASH_SHA384:
1241 cert->algorithm = OID_SHA384_WITH_RSA;
1242 break;
1243 case HASH_SHA512:
1244 cert->algorithm = OID_SHA512_WITH_RSA;
1245 break;
1246 default:
1247 return FALSE;
1248 }
1249 break;
1250 case KEY_ECDSA:
1251 switch (digest_alg)
1252 {
1253 case HASH_SHA1:
1254 cert->algorithm = OID_ECDSA_WITH_SHA1;
1255 break;
1256 case HASH_SHA256:
1257 cert->algorithm = OID_ECDSA_WITH_SHA256;
1258 break;
1259 case HASH_SHA384:
1260 cert->algorithm = OID_ECDSA_WITH_SHA384;
1261 break;
1262 case HASH_SHA512:
1263 cert->algorithm = OID_ECDSA_WITH_SHA512;
1264 break;
1265 default:
1266 return FALSE;
1267 }
1268 break;
1269 default:
1270 return FALSE;
1271 }
1272 scheme = signature_scheme_from_oid(cert->algorithm);
1273
1274 if (!cert->public_key->get_encoding(cert->public_key,
1275 KEY_PUB_SPKI_ASN1_DER, &key_info))
1276 {
1277 return FALSE;
1278 }
1279
1280 enumerator = cert->subjectAltNames->create_enumerator(cert->subjectAltNames);
1281 while (enumerator->enumerate(enumerator, &id))
1282 {
1283 int context;
1284 chunk_t name;
1285
1286 switch (id->get_type(id))
1287 {
1288 case ID_RFC822_ADDR:
1289 context = ASN1_CONTEXT_S_1;
1290 break;
1291 case ID_FQDN:
1292 context = ASN1_CONTEXT_S_2;
1293 break;
1294 case ID_IPV4_ADDR:
1295 case ID_IPV6_ADDR:
1296 context = ASN1_CONTEXT_S_7;
1297 break;
1298 default:
1299 DBG1("encoding %N as subjectAltName not supported",
1300 id_type_names, id->get_type(id));
1301 enumerator->destroy(enumerator);
1302 free(key_info.ptr);
1303 free(subjectAltNames.ptr);
1304 return FALSE;
1305 }
1306 name = asn1_wrap(context, "c", id->get_encoding(id));
1307 subjectAltNames = chunk_cat("mm", subjectAltNames, name);
1308 }
1309 enumerator->destroy(enumerator);
1310 if (subjectAltNames.ptr)
1311 {
1312 subjectAltNames = asn1_wrap(ASN1_SEQUENCE, "mm",
1313 asn1_build_known_oid(OID_SUBJECT_ALT_NAME),
1314 asn1_wrap(ASN1_OCTET_STRING, "m",
1315 asn1_wrap(ASN1_SEQUENCE, "m", subjectAltNames)));
1316 }
1317
1318 /* encode CRL distribution points extension */
1319 enumerator = cert->crl_uris->create_enumerator(cert->crl_uris);
1320 while (enumerator->enumerate(enumerator, &uri))
1321 {
1322 chunk_t distributionPoint;
1323
1324 distributionPoint = asn1_wrap(ASN1_SEQUENCE, "m",
1325 asn1_wrap(ASN1_CONTEXT_C_0, "m",
1326 asn1_wrap(ASN1_CONTEXT_C_0, "m",
1327 asn1_wrap(ASN1_CONTEXT_S_6, "c",
1328 chunk_create(uri, strlen(uri))))));
1329
1330 crlDistributionPoints = chunk_cat("mm", crlDistributionPoints,
1331 distributionPoint);
1332 }
1333 enumerator->destroy(enumerator);
1334 if (crlDistributionPoints.ptr)
1335 {
1336 crlDistributionPoints = asn1_wrap(ASN1_SEQUENCE, "mm",
1337 asn1_build_known_oid(OID_CRL_DISTRIBUTION_POINTS),
1338 asn1_wrap(ASN1_OCTET_STRING, "m",
1339 asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints)));
1340 }
1341
1342 /* encode OCSP URIs in authorityInfoAccess extension */
1343 enumerator = cert->ocsp_uris->create_enumerator(cert->ocsp_uris);
1344 while (enumerator->enumerate(enumerator, &uri))
1345 {
1346 chunk_t accessDescription;
1347
1348 accessDescription = asn1_wrap(ASN1_SEQUENCE, "mm",
1349 asn1_build_known_oid(OID_OCSP),
1350 asn1_wrap(ASN1_CONTEXT_S_6, "c",
1351 chunk_create(uri, strlen(uri))));
1352 authorityInfoAccess = chunk_cat("mm", authorityInfoAccess,
1353 accessDescription);
1354 }
1355 enumerator->destroy(enumerator);
1356 if (authorityInfoAccess.ptr)
1357 {
1358 authorityInfoAccess = asn1_wrap(ASN1_SEQUENCE, "mm",
1359 asn1_build_known_oid(OID_AUTHORITY_INFO_ACCESS),
1360 asn1_wrap(ASN1_OCTET_STRING, "m",
1361 asn1_wrap(ASN1_SEQUENCE, "m", authorityInfoAccess)));
1362 }
1363
1364 /* build CA basicConstraint for CA certificates */
1365 if (cert->flags & X509_CA)
1366 {
1367 chunk_t keyid;
1368
1369 basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
1370 asn1_build_known_oid(OID_BASIC_CONSTRAINTS),
1371 asn1_wrap(ASN1_BOOLEAN, "c",
1372 chunk_from_chars(0xFF)),
1373 asn1_wrap(ASN1_OCTET_STRING, "m",
1374 asn1_wrap(ASN1_SEQUENCE, "m",
1375 asn1_wrap(ASN1_BOOLEAN, "c",
1376 chunk_from_chars(0xFF)))));
1377 /* add subjectKeyIdentifier to CA certificates */
1378 if (cert->public_key->get_fingerprint(cert->public_key,
1379 KEY_ID_PUBKEY_SHA1, &keyid))
1380 {
1381 subjectKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
1382 asn1_build_known_oid(OID_SUBJECT_KEY_ID),
1383 asn1_wrap(ASN1_OCTET_STRING, "m",
1384 asn1_wrap(ASN1_OCTET_STRING, "c", keyid)));
1385 }
1386 }
1387 if (sign_key)
1388 { /* add the keyid authKeyIdentifier for non self-signed certificates */
1389 chunk_t keyid;
1390
1391 if (sign_key->get_fingerprint(sign_key, KEY_ID_PUBKEY_SHA1, &keyid))
1392 {
1393 authKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
1394 asn1_build_known_oid(OID_AUTHORITY_KEY_ID),
1395 asn1_wrap(ASN1_OCTET_STRING, "m",
1396 asn1_wrap(ASN1_SEQUENCE, "m",
1397 asn1_wrap(ASN1_CONTEXT_S_0, "c", keyid))));
1398 }
1399 }
1400 if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
1401 crlDistributionPoints.ptr)
1402 {
1403 extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
1404 asn1_wrap(ASN1_SEQUENCE, "mmmmmm",
1405 basicConstraints, subjectKeyIdentifier,
1406 authKeyIdentifier, subjectAltNames,
1407 crlDistributionPoints, authorityInfoAccess));
1408 }
1409
1410 cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
1411 asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
1412 asn1_integer("c", cert->serialNumber),
1413 asn1_algorithmIdentifier(cert->algorithm),
1414 issuer->get_encoding(issuer),
1415 asn1_wrap(ASN1_SEQUENCE, "mm",
1416 asn1_from_time(&cert->notBefore, ASN1_UTCTIME),
1417 asn1_from_time(&cert->notAfter, ASN1_UTCTIME)),
1418 subject->get_encoding(subject),
1419 key_info, extensions);
1420
1421 if (!sign_key->sign(sign_key, scheme, cert->tbsCertificate, &cert->signature))
1422 {
1423 return FALSE;
1424 }
1425 cert->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm", cert->tbsCertificate,
1426 asn1_algorithmIdentifier(cert->algorithm),
1427 asn1_bitstring("c", cert->signature));
1428
1429 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1430 if (!hasher)
1431 {
1432 return FALSE;
1433 }
1434 hasher->allocate_hash(hasher, cert->encoding, &cert->encoding_hash);
1435 hasher->destroy(hasher);
1436 return TRUE;
1437 }
1438
1439 /**
1440 * See header.
1441 */
1442 x509_cert_t *x509_cert_load(certificate_type_t type, va_list args)
1443 {
1444 chunk_t blob = chunk_empty;
1445
1446 while (TRUE)
1447 {
1448 switch (va_arg(args, builder_part_t))
1449 {
1450 case BUILD_BLOB_ASN1_DER:
1451 blob = va_arg(args, chunk_t);
1452 continue;
1453 case BUILD_END:
1454 break;
1455 default:
1456 return NULL;
1457 }
1458 break;
1459 }
1460
1461 if (blob.ptr)
1462 {
1463 private_x509_cert_t *cert = create_empty();
1464
1465 cert->encoding = chunk_clone(blob);
1466 cert->parsed = TRUE;
1467 if (parse_certificate(cert))
1468 {
1469 return &cert->public;
1470 }
1471 destroy(cert);
1472 }
1473 return NULL;
1474 }
1475
1476 /**
1477 * See header.
1478 */
1479 x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
1480 {
1481 private_x509_cert_t *cert;
1482 certificate_t *sign_cert = NULL;
1483 private_key_t *sign_key = NULL;
1484 hash_algorithm_t digest_alg = HASH_SHA1;
1485
1486 cert = create_empty();
1487 while (TRUE)
1488 {
1489 switch (va_arg(args, builder_part_t))
1490 {
1491 case BUILD_X509_FLAG:
1492 cert->flags |= va_arg(args, x509_flag_t);
1493 continue;
1494 case BUILD_SIGNING_KEY:
1495 sign_key = va_arg(args, private_key_t*);
1496 continue;
1497 case BUILD_SIGNING_CERT:
1498 sign_cert = va_arg(args, certificate_t*);
1499 continue;
1500 case BUILD_PUBLIC_KEY:
1501 cert->public_key = va_arg(args, public_key_t*);
1502 cert->public_key->get_ref(cert->public_key);
1503 continue;
1504 case BUILD_SUBJECT:
1505 cert->subject = va_arg(args, identification_t*);
1506 cert->subject = cert->subject->clone(cert->subject);
1507 continue;
1508 case BUILD_SUBJECT_ALTNAMES:
1509 {
1510 enumerator_t *enumerator;
1511 identification_t *id;
1512 linked_list_t *list;
1513
1514 list = va_arg(args, linked_list_t*);
1515 enumerator = list->create_enumerator(list);
1516 while (enumerator->enumerate(enumerator, &id))
1517 {
1518 cert->subjectAltNames->insert_last(
1519 cert->subjectAltNames, id->clone(id));
1520 }
1521 enumerator->destroy(enumerator);
1522 continue;
1523 }
1524 case BUILD_CRL_DISTRIBUTION_POINTS:
1525 {
1526 enumerator_t *enumerator;
1527 linked_list_t *list;
1528 char *uri;
1529
1530 list = va_arg(args, linked_list_t*);
1531 enumerator = list->create_enumerator(list);
1532 while (enumerator->enumerate(enumerator, &uri))
1533 {
1534 cert->crl_uris->insert_last(cert->crl_uris, strdup(uri));
1535 }
1536 enumerator->destroy(enumerator);
1537 continue;
1538 }
1539 case BUILD_OCSP_ACCESS_LOCATIONS:
1540 {
1541 enumerator_t *enumerator;
1542 linked_list_t *list;
1543 char *uri;
1544
1545 list = va_arg(args, linked_list_t*);
1546 enumerator = list->create_enumerator(list);
1547 while (enumerator->enumerate(enumerator, &uri))
1548 {
1549 cert->ocsp_uris->insert_last(cert->ocsp_uris, strdup(uri));
1550 }
1551 enumerator->destroy(enumerator);
1552 continue;
1553 }
1554 case BUILD_NOT_BEFORE_TIME:
1555 cert->notBefore = va_arg(args, time_t);
1556 continue;
1557 case BUILD_NOT_AFTER_TIME:
1558 cert->notAfter = va_arg(args, time_t);
1559 continue;
1560 case BUILD_SERIAL:
1561 cert->serialNumber = chunk_clone(va_arg(args, chunk_t));
1562 continue;
1563 case BUILD_DIGEST_ALG:
1564 digest_alg = va_arg(args, int);
1565 continue;
1566 case BUILD_END:
1567 break;
1568 default:
1569 destroy(cert);
1570 return NULL;
1571 }
1572 break;
1573 }
1574
1575 if (sign_key && generate(cert, sign_cert, sign_key, digest_alg))
1576 {
1577 return &cert->public;
1578 }
1579 destroy(cert);
1580 return NULL;
1581 }
1582
strongSwan - IPsec VPN