x509: Evaluate return codes of parsing functions
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_cert.c
1 /*
2 * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
3 * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
4 * Copyright (C) 2002 Mario Strasser
5 * Copyright (C) 2000-2006 Andreas Steffen
6 * Copyright (C) 2006-2009 Martin Willi
7 * Copyright (C) 2008 Tobias Brunner
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #define _GNU_SOURCE
22
23 #include <sys/stat.h>
24 #include <time.h>
25 #include <unistd.h>
26 #include <string.h>
27 #include <stdio.h>
28
29 #include "x509_cert.h"
30
31 #include <library.h>
32 #include <utils/debug.h>
33 #include <asn1/oid.h>
34 #include <asn1/asn1.h>
35 #include <asn1/asn1_parser.h>
36 #include <crypto/hashers/hasher.h>
37 #include <credentials/keys/private_key.h>
38 #include <collections/linked_list.h>
39 #include <utils/identification.h>
40 #include <selectors/traffic_selector.h>
41
42 /**
43 * Different kinds of generalNames
44 */
45 typedef enum {
46 GN_OTHER_NAME = 0,
47 GN_RFC822_NAME = 1,
48 GN_DNS_NAME = 2,
49 GN_X400_ADDRESS = 3,
50 GN_DIRECTORY_NAME = 4,
51 GN_EDI_PARTY_NAME = 5,
52 GN_URI = 6,
53 GN_IP_ADDRESS = 7,
54 GN_REGISTERED_ID = 8,
55 } generalNames_t;
56
57
58 typedef struct private_x509_cert_t private_x509_cert_t;
59
60 /**
61 * Private data of a x509_cert_t object.
62 */
63 struct private_x509_cert_t {
64 /**
65 * Public interface for this certificate.
66 */
67 x509_cert_t public;
68
69 /**
70 * X.509 certificate encoding in ASN.1 DER format
71 */
72 chunk_t encoding;
73
74 /**
75 * SHA1 hash of the DER encoding of this X.509 certificate
76 */
77 chunk_t encoding_hash;
78
79 /**
80 * X.509 certificate body over which signature is computed
81 */
82 chunk_t tbsCertificate;
83
84 /**
85 * Version of the X.509 certificate
86 */
87 u_int version;
88
89 /**
90 * Serial number of the X.509 certificate
91 */
92 chunk_t serialNumber;
93
94 /**
95 * ID representing the certificate issuer
96 */
97 identification_t *issuer;
98
99 /**
100 * Start time of certificate validity
101 */
102 time_t notBefore;
103
104 /**
105 * End time of certificate validity
106 */
107 time_t notAfter;
108
109 /**
110 * ID representing the certificate subject
111 */
112 identification_t *subject;
113
114 /**
115 * List of subjectAltNames as identification_t
116 */
117 linked_list_t *subjectAltNames;
118
119 /**
120 * List of crlDistributionPoints as x509_cdp_t*
121 */
122 linked_list_t *crl_uris;
123
124 /**
125 * List of ocspAccessLocations as allocated char*
126 */
127 linked_list_t *ocsp_uris;
128
129 /**
130 * List of ipAddrBlocks as traffic_selector_t
131 */
132 linked_list_t *ipAddrBlocks;
133
134 /**
135 * List of permitted name constraints
136 */
137 linked_list_t *permitted_names;
138
139 /**
140 * List of exluced name constraints
141 */
142 linked_list_t *excluded_names;
143
144 /**
145 * List of certificatePolicies, as x509_cert_policy_t
146 */
147 linked_list_t *cert_policies;
148
149 /**
150 * List of policyMappings, as x509_policy_mapping_t
151 */
152 linked_list_t *policy_mappings;
153
154 /**
155 * certificate's embedded public key
156 */
157 public_key_t *public_key;
158
159 /**
160 * Subject Key Identifier
161 */
162 chunk_t subjectKeyIdentifier;
163
164 /**
165 * Authority Key Identifier
166 */
167 chunk_t authKeyIdentifier;
168
169 /**
170 * Authority Key Serial Number
171 */
172 chunk_t authKeySerialNumber;
173
174 /**
175 * Path Length Constraint
176 */
177 u_char pathLenConstraint;
178
179 /**
180 * requireExplicitPolicy Constraint
181 */
182 u_char require_explicit;
183
184 /**
185 * inhibitPolicyMapping Constraint
186 */
187 u_char inhibit_mapping;
188
189 /**
190 * inhibitAnyPolicy Constraint
191 */
192 u_char inhibit_any;
193
194 /**
195 * x509 constraints and other flags
196 */
197 x509_flag_t flags;
198
199 /**
200 * Signature algorithm
201 */
202 int algorithm;
203
204 /**
205 * Signature
206 */
207 chunk_t signature;
208
209 /**
210 * Certificate parsed from blob/file?
211 */
212 bool parsed;
213
214 /**
215 * reference count
216 */
217 refcount_t ref;
218 };
219
220 /**
221 * Destroy a CertificateDistributionPoint
222 */
223 static void crl_uri_destroy(x509_cdp_t *this)
224 {
225 free(this->uri);
226 DESTROY_IF(this->issuer);
227 free(this);
228 }
229
230 /**
231 * Destroy a CertificatePolicy
232 */
233 static void cert_policy_destroy(x509_cert_policy_t *this)
234 {
235 free(this->oid.ptr);
236 free(this->cps_uri);
237 free(this->unotice_text);
238 free(this);
239 }
240
241 /**
242 * Free policy mapping
243 */
244 static void policy_mapping_destroy(x509_policy_mapping_t *mapping)
245 {
246 free(mapping->issuer.ptr);
247 free(mapping->subject.ptr);
248 free(mapping);
249 }
250
251 /**
252 * Parse a length constraint from an unwrapped integer
253 */
254 static u_int parse_constraint(chunk_t object)
255 {
256 switch (object.len)
257 {
258 case 0:
259 return 0;
260 case 1:
261 return (object.ptr[0] & 0x80) ? X509_NO_CONSTRAINT : object.ptr[0];
262 default:
263 return X509_NO_CONSTRAINT;
264 }
265 }
266
267 /**
268 * ASN.1 definition of a basicConstraints extension
269 */
270 static const asn1Object_t basicConstraintsObjects[] = {
271 { 0, "basicConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
272 { 1, "CA", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 1 */
273 { 1, "pathLenConstraint", ASN1_INTEGER, ASN1_OPT|ASN1_BODY }, /* 2 */
274 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
275 { 0, "exit", ASN1_EOC, ASN1_EXIT }
276 };
277 #define BASIC_CONSTRAINTS_CA 1
278 #define BASIC_CONSTRAINTS_PATH_LEN 2
279
280 /**
281 * Extracts the basicConstraints extension
282 */
283 static bool parse_basicConstraints(chunk_t blob, int level0,
284 private_x509_cert_t *this)
285 {
286 asn1_parser_t *parser;
287 chunk_t object;
288 int objectID;
289 bool isCA = FALSE;
290 bool success;
291
292 parser = asn1_parser_create(basicConstraintsObjects, blob);
293 parser->set_top_level(parser, level0);
294
295 while (parser->iterate(parser, &objectID, &object))
296 {
297 switch (objectID)
298 {
299 case BASIC_CONSTRAINTS_CA:
300 isCA = object.len && *object.ptr;
301 DBG2(DBG_ASN, " %s", isCA ? "TRUE" : "FALSE");
302 if (isCA)
303 {
304 this->flags |= X509_CA;
305 }
306 break;
307 case BASIC_CONSTRAINTS_PATH_LEN:
308 if (isCA)
309 {
310 this->pathLenConstraint = parse_constraint(object);
311 }
312 break;
313 default:
314 break;
315 }
316 }
317 success = parser->success(parser);
318 parser->destroy(parser);
319
320 return success;
321 }
322
323 /**
324 * ASN.1 definition of otherName
325 */
326 static const asn1Object_t otherNameObjects[] = {
327 {0, "type-id", ASN1_OID, ASN1_BODY }, /* 0 */
328 {0, "value", ASN1_CONTEXT_C_0, ASN1_BODY }, /* 1 */
329 {0, "exit", ASN1_EOC, ASN1_EXIT }
330 };
331 #define ON_OBJ_ID_TYPE 0
332 #define ON_OBJ_VALUE 1
333
334 /**
335 * Extracts an otherName
336 */
337 static bool parse_otherName(chunk_t *blob, int level0, id_type_t *type)
338 {
339 asn1_parser_t *parser;
340 chunk_t object;
341 int objectID;
342 int oid = OID_UNKNOWN;
343 bool success = FALSE;
344
345 parser = asn1_parser_create(otherNameObjects, *blob);
346 parser->set_top_level(parser, level0);
347
348 while (parser->iterate(parser, &objectID, &object))
349 {
350 switch (objectID)
351 {
352 case ON_OBJ_ID_TYPE:
353 oid = asn1_known_oid(object);
354 break;
355 case ON_OBJ_VALUE:
356 switch (oid)
357 {
358 case OID_XMPP_ADDR:
359 if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
360 parser->get_level(parser)+1, "xmppAddr"))
361 {
362 goto end;
363 }
364 break;
365 case OID_USER_PRINCIPAL_NAME:
366 if (asn1_parse_simple_object(&object, ASN1_UTF8STRING,
367 parser->get_level(parser)+1, "msUPN"))
368 { /* we handle UPNs as RFC822 addr */
369 *blob = object;
370 *type = ID_RFC822_ADDR;
371 }
372 else
373 {
374 goto end;
375 }
376 break;
377 }
378 break;
379 default:
380 break;
381 }
382 }
383 success = parser->success(parser);
384
385 end:
386 parser->destroy(parser);
387 return success;
388 }
389
390 /**
391 * ASN.1 definition of generalName
392 */
393 static const asn1Object_t generalNameObjects[] = {
394 { 0, "otherName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_BODY }, /* 0 */
395 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 1 */
396 { 0, "rfc822Name", ASN1_CONTEXT_S_1, ASN1_OPT|ASN1_BODY }, /* 2 */
397 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 3 */
398 { 0, "dnsName", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 4 */
399 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
400 { 0, "x400Address", ASN1_CONTEXT_S_3, ASN1_OPT|ASN1_BODY }, /* 6 */
401 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
402 { 0, "directoryName", ASN1_CONTEXT_C_4, ASN1_OPT|ASN1_BODY }, /* 8 */
403 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
404 { 0, "ediPartyName", ASN1_CONTEXT_C_5, ASN1_OPT|ASN1_BODY }, /* 10 */
405 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
406 { 0, "URI", ASN1_CONTEXT_S_6, ASN1_OPT|ASN1_BODY }, /* 12 */
407 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 13 */
408 { 0, "ipAddress", ASN1_CONTEXT_S_7, ASN1_OPT|ASN1_BODY }, /* 14 */
409 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 15 */
410 { 0, "registeredID", ASN1_CONTEXT_S_8, ASN1_OPT|ASN1_BODY }, /* 16 */
411 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 17 */
412 { 0, "exit", ASN1_EOC, ASN1_EXIT }
413 };
414 #define GN_OBJ_OTHER_NAME 0
415 #define GN_OBJ_RFC822_NAME 2
416 #define GN_OBJ_DNS_NAME 4
417 #define GN_OBJ_X400_ADDRESS 6
418 #define GN_OBJ_DIRECTORY_NAME 8
419 #define GN_OBJ_EDI_PARTY_NAME 10
420 #define GN_OBJ_URI 12
421 #define GN_OBJ_IP_ADDRESS 14
422 #define GN_OBJ_REGISTERED_ID 16
423
424 /**
425 * Extracts a generalName
426 */
427 static identification_t *parse_generalName(chunk_t blob, int level0)
428 {
429 asn1_parser_t *parser;
430 chunk_t object;
431 int objectID ;
432
433 identification_t *gn = NULL;
434
435 parser = asn1_parser_create(generalNameObjects, blob);
436 parser->set_top_level(parser, level0);
437
438 while (parser->iterate(parser, &objectID, &object))
439 {
440 id_type_t id_type = ID_ANY;
441
442 switch (objectID)
443 {
444 case GN_OBJ_RFC822_NAME:
445 id_type = ID_RFC822_ADDR;
446 break;
447 case GN_OBJ_DNS_NAME:
448 id_type = ID_FQDN;
449 break;
450 case GN_OBJ_URI:
451 id_type = ID_DER_ASN1_GN_URI;
452 break;
453 case GN_OBJ_DIRECTORY_NAME:
454 id_type = ID_DER_ASN1_DN;
455 break;
456 case GN_OBJ_IP_ADDRESS:
457 switch (object.len)
458 {
459 case 4:
460 id_type = ID_IPV4_ADDR;
461 break;
462 case 16:
463 id_type = ID_IPV6_ADDR;
464 break;
465 default:
466 break;
467 }
468 break;
469 case GN_OBJ_OTHER_NAME:
470 if (!parse_otherName(&object, parser->get_level(parser)+1,
471 &id_type))
472 {
473 goto end;
474 }
475 break;
476 case GN_OBJ_X400_ADDRESS:
477 case GN_OBJ_EDI_PARTY_NAME:
478 case GN_OBJ_REGISTERED_ID:
479 default:
480 break;
481 }
482 if (id_type != ID_ANY)
483 {
484 gn = identification_create_from_encoding(id_type, object);
485 DBG2(DBG_ASN, " '%Y'", gn);
486 goto end;
487 }
488 }
489
490 end:
491 parser->destroy(parser);
492 return gn;
493 }
494
495 /**
496 * ASN.1 definition of generalNames
497 */
498 static const asn1Object_t generalNamesObjects[] = {
499 { 0, "generalNames", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
500 { 1, "generalName", ASN1_EOC, ASN1_RAW }, /* 1 */
501 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
502 { 0, "exit", ASN1_EOC, ASN1_EXIT }
503 };
504 #define GENERAL_NAMES_GN 1
505
506 /**
507 * Extracts one or several GNs and puts them into a chained list
508 */
509 bool x509_parse_generalNames(chunk_t blob, int level0, bool implicit,
510 linked_list_t *list)
511 {
512 asn1_parser_t *parser;
513 chunk_t object;
514 identification_t *gn;
515 int objectID;
516 bool success = FALSE;
517
518 parser = asn1_parser_create(generalNamesObjects, blob);
519 parser->set_top_level(parser, level0);
520 parser->set_flags(parser, implicit, FALSE);
521
522 while (parser->iterate(parser, &objectID, &object))
523 {
524 if (objectID == GENERAL_NAMES_GN)
525 {
526 gn = parse_generalName(object, parser->get_level(parser)+1);
527 if (!gn)
528 {
529 goto end;
530 }
531 list->insert_last(list, (void *)gn);
532 }
533 }
534 success = parser->success(parser);
535
536 end:
537 parser->destroy(parser);
538
539 return success;
540 }
541
542 /**
543 * ASN.1 definition of a authorityKeyIdentifier extension
544 */
545 static const asn1Object_t authKeyIdentifierObjects[] = {
546 { 0, "authorityKeyIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
547 { 1, "keyIdentifier", ASN1_CONTEXT_S_0, ASN1_OPT|ASN1_BODY }, /* 1 */
548 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
549 { 1, "authorityCertIssuer", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_OBJ }, /* 3 */
550 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 4 */
551 { 1, "authorityCertSerialNumber", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 5 */
552 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
553 { 0, "exit", ASN1_EOC, ASN1_EXIT }
554 };
555 #define AUTH_KEY_ID_KEY_ID 1
556 #define AUTH_KEY_ID_CERT_ISSUER 3
557 #define AUTH_KEY_ID_CERT_SERIAL 5
558
559 /**
560 * Extracts an authoritykeyIdentifier
561 */
562 chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
563 chunk_t *authKeySerialNumber)
564 {
565 asn1_parser_t *parser;
566 chunk_t object;
567 int objectID;
568 chunk_t authKeyIdentifier = chunk_empty;
569
570 *authKeySerialNumber = chunk_empty;
571
572 parser = asn1_parser_create(authKeyIdentifierObjects, blob);
573 parser->set_top_level(parser, level0);
574
575 while (parser->iterate(parser, &objectID, &object))
576 {
577 switch (objectID)
578 {
579 case AUTH_KEY_ID_KEY_ID:
580 authKeyIdentifier = chunk_clone(object);
581 break;
582 case AUTH_KEY_ID_CERT_ISSUER:
583 /* TODO: x509_parse_generalNames(object, level+1, TRUE); */
584 break;
585 case AUTH_KEY_ID_CERT_SERIAL:
586 *authKeySerialNumber = object;
587 break;
588 default:
589 break;
590 }
591 }
592 parser->destroy(parser);
593
594 return authKeyIdentifier;
595 }
596
597 /**
598 * ASN.1 definition of a authorityInfoAccess extension
599 */
600 static const asn1Object_t authInfoAccessObjects[] = {
601 { 0, "authorityInfoAccess", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
602 { 1, "accessDescription", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
603 { 2, "accessMethod", ASN1_OID, ASN1_BODY }, /* 2 */
604 { 2, "accessLocation", ASN1_EOC, ASN1_RAW }, /* 3 */
605 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
606 { 0, "exit", ASN1_EOC, ASN1_EXIT }
607 };
608 #define AUTH_INFO_ACCESS_METHOD 2
609 #define AUTH_INFO_ACCESS_LOCATION 3
610
611 /**
612 * Extracts an authorityInfoAcess location
613 */
614 static bool parse_authorityInfoAccess(chunk_t blob, int level0,
615 private_x509_cert_t *this)
616 {
617 asn1_parser_t *parser;
618 chunk_t object;
619 int objectID;
620 int accessMethod = OID_UNKNOWN;
621 bool success = FALSE;
622
623 parser = asn1_parser_create(authInfoAccessObjects, blob);
624 parser->set_top_level(parser, level0);
625
626 while (parser->iterate(parser, &objectID, &object))
627 {
628 switch (objectID)
629 {
630 case AUTH_INFO_ACCESS_METHOD:
631 accessMethod = asn1_known_oid(object);
632 break;
633 case AUTH_INFO_ACCESS_LOCATION:
634 {
635 switch (accessMethod)
636 {
637 case OID_OCSP:
638 case OID_CA_ISSUERS:
639 {
640 identification_t *id;
641 char *uri;
642
643 id = parse_generalName(object,
644 parser->get_level(parser)+1);
645 if (id == NULL)
646 {
647 /* parsing went wrong - abort */
648 goto end;
649 }
650 DBG2(DBG_ASN, " '%Y'", id);
651 if (accessMethod == OID_OCSP &&
652 asprintf(&uri, "%Y", id) > 0)
653 {
654 this->ocsp_uris->insert_last(this->ocsp_uris, uri);
655 }
656 id->destroy(id);
657 }
658 break;
659 default:
660 /* unknown accessMethod, ignoring */
661 break;
662 }
663 break;
664 }
665 default:
666 break;
667 }
668 }
669 success = parser->success(parser);
670
671 end:
672 parser->destroy(parser);
673
674 return success;
675 }
676
677 /**
678 * Extract KeyUsage flags
679 */
680 static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this)
681 {
682 enum {
683 KU_DIGITAL_SIGNATURE = 0,
684 KU_NON_REPUDIATION = 1,
685 KU_KEY_ENCIPHERMENT = 2,
686 KU_DATA_ENCIPHERMENT = 3,
687 KU_KEY_AGREEMENT = 4,
688 KU_KEY_CERT_SIGN = 5,
689 KU_CRL_SIGN = 6,
690 KU_ENCIPHER_ONLY = 7,
691 KU_DECIPHER_ONLY = 8,
692 };
693
694 if (asn1_unwrap(&blob, &blob) == ASN1_BIT_STRING && blob.len)
695 {
696 int bit, byte, unused = blob.ptr[0];
697
698 blob = chunk_skip(blob, 1);
699 for (byte = 0; byte < blob.len; byte++)
700 {
701 for (bit = 0; bit < 8; bit++)
702 {
703 if (byte == blob.len - 1 && bit > (7 - unused))
704 {
705 break;
706 }
707 if (blob.ptr[byte] & 1 << (7 - bit))
708 {
709 switch (byte * 8 + bit)
710 {
711 case KU_CRL_SIGN:
712 this->flags |= X509_CRL_SIGN;
713 break;
714 case KU_KEY_CERT_SIGN:
715 /* we use the caBasicConstraint, MUST be set */
716 case KU_DIGITAL_SIGNATURE:
717 case KU_NON_REPUDIATION:
718 case KU_KEY_ENCIPHERMENT:
719 case KU_DATA_ENCIPHERMENT:
720 case KU_KEY_AGREEMENT:
721 case KU_ENCIPHER_ONLY:
722 case KU_DECIPHER_ONLY:
723 break;
724 }
725 }
726 }
727 }
728 }
729 }
730
731 /**
732 * ASN.1 definition of a extendedKeyUsage extension
733 */
734 static const asn1Object_t extendedKeyUsageObjects[] = {
735 { 0, "extendedKeyUsage", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
736 { 1, "keyPurposeID", ASN1_OID, ASN1_BODY }, /* 1 */
737 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
738 { 0, "exit", ASN1_EOC, ASN1_EXIT }
739 };
740 #define EXT_KEY_USAGE_PURPOSE_ID 1
741
742 /**
743 * Extracts extendedKeyUsage OIDs
744 */
745 static bool parse_extendedKeyUsage(chunk_t blob, int level0,
746 private_x509_cert_t *this)
747 {
748 asn1_parser_t *parser;
749 chunk_t object;
750 int objectID;
751 bool success;
752
753 parser = asn1_parser_create(extendedKeyUsageObjects, blob);
754 parser->set_top_level(parser, level0);
755
756 while (parser->iterate(parser, &objectID, &object))
757 {
758 if (objectID == EXT_KEY_USAGE_PURPOSE_ID)
759 {
760 switch (asn1_known_oid(object))
761 {
762 case OID_SERVER_AUTH:
763 this->flags |= X509_SERVER_AUTH;
764 break;
765 case OID_CLIENT_AUTH:
766 this->flags |= X509_CLIENT_AUTH;
767 break;
768 case OID_IKE_INTERMEDIATE:
769 this->flags |= X509_IKE_INTERMEDIATE;
770 break;
771 case OID_OCSP_SIGNING:
772 this->flags |= X509_OCSP_SIGNER;
773 break;
774 case OID_MS_SMARTCARD_LOGON:
775 this->flags |= X509_MS_SMARTCARD_LOGON;
776 break;
777 default:
778 break;
779 }
780 }
781 }
782 success = parser->success(parser);
783 parser->destroy(parser);
784
785 return success;
786 }
787
788 /**
789 * ASN.1 definition of crlDistributionPoints
790 */
791 static const asn1Object_t crlDistributionPointsObjects[] = {
792 { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
793 { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
794 { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */
795 { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
796 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
797 { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
798 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
799 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
800 { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
801 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
802 { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */
803 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
804 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
805 { 0, "exit", ASN1_EOC, ASN1_EXIT }
806 };
807 #define CRL_DIST_POINTS 1
808 #define CRL_DIST_POINTS_FULLNAME 3
809 #define CRL_DIST_POINTS_ISSUER 10
810
811 /**
812 * Add entry to the list of each pairing of URI and Issuer
813 */
814 static void add_cdps(linked_list_t *list, linked_list_t *uris,
815 linked_list_t *issuers)
816 {
817 identification_t *issuer, *id;
818 enumerator_t *enumerator;
819 x509_cdp_t *cdp;
820 char *uri;
821
822 while (uris->remove_last(uris, (void**)&id) == SUCCESS)
823 {
824 if (asprintf(&uri, "%Y", id) > 0)
825 {
826 if (issuers->get_count(issuers))
827 {
828 enumerator = issuers->create_enumerator(issuers);
829 while (enumerator->enumerate(enumerator, &issuer))
830 {
831 INIT(cdp,
832 .uri = strdup(uri),
833 .issuer = issuer->clone(issuer),
834 );
835 list->insert_last(list, cdp);
836 }
837 enumerator->destroy(enumerator);
838 free(uri);
839 }
840 else
841 {
842 INIT(cdp,
843 .uri = uri,
844 );
845 list->insert_last(list, cdp);
846 }
847 }
848 id->destroy(id);
849 }
850 while (issuers->remove_last(issuers, (void**)&id) == SUCCESS)
851 {
852 id->destroy(id);
853 }
854 }
855
856 /**
857 * Extracts one or several crlDistributionPoints into a list
858 */
859 bool x509_parse_crlDistributionPoints(chunk_t blob, int level0,
860 linked_list_t *list)
861 {
862 linked_list_t *uris, *issuers;
863 asn1_parser_t *parser;
864 chunk_t object;
865 int objectID;
866 bool success = FALSE;
867
868 uris = linked_list_create();
869 issuers = linked_list_create();
870 parser = asn1_parser_create(crlDistributionPointsObjects, blob);
871 parser->set_top_level(parser, level0);
872
873 while (parser->iterate(parser, &objectID, &object))
874 {
875 switch (objectID)
876 {
877 case CRL_DIST_POINTS:
878 add_cdps(list, uris, issuers);
879 break;
880 case CRL_DIST_POINTS_FULLNAME:
881 if (!x509_parse_generalNames(object,
882 parser->get_level(parser) + 1, TRUE, uris))
883 {
884 goto end;
885 }
886 break;
887 case CRL_DIST_POINTS_ISSUER:
888 if (!x509_parse_generalNames(object,
889 parser->get_level(parser) + 1, TRUE, issuers))
890 {
891 goto end;
892 }
893 break;
894 default:
895 break;
896 }
897 }
898 success = parser->success(parser);
899 add_cdps(list, uris, issuers);
900
901 end:
902 parser->destroy(parser);
903 uris->destroy(uris);
904 issuers->destroy(issuers);
905
906 return success;
907 }
908
909 /**
910 * ASN.1 definition of nameConstraints
911 */
912 static const asn1Object_t nameConstraintsObjects[] = {
913 { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
914 { 1, "permittedSubtrees", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 1 */
915 { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 2 */
916 { 1, "end loop", ASN1_EOC, ASN1_END }, /* 3 */
917 { 1, "excludedSubtrees", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_LOOP }, /* 4 */
918 { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */
919 { 1, "end loop", ASN1_EOC, ASN1_END }, /* 6 */
920 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 7 */
921 { 0, "exit", ASN1_EOC, ASN1_EXIT }
922 };
923 #define NAME_CONSTRAINT_PERMITTED 2
924 #define NAME_CONSTRAINT_EXCLUDED 5
925
926 /**
927 * Parse permitted/excluded nameConstraints
928 */
929 static bool parse_nameConstraints(chunk_t blob, int level0,
930 private_x509_cert_t *this)
931 {
932 asn1_parser_t *parser;
933 identification_t *id;
934 chunk_t object;
935 int objectID;
936 bool success = FALSE;
937
938 parser = asn1_parser_create(nameConstraintsObjects, blob);
939 parser->set_top_level(parser, level0);
940
941 while (parser->iterate(parser, &objectID, &object))
942 {
943 switch (objectID)
944 {
945 case NAME_CONSTRAINT_PERMITTED:
946 id = parse_generalName(object, parser->get_level(parser) + 1);
947 if (!id)
948 {
949 goto end;
950 }
951 this->permitted_names->insert_last(this->permitted_names, id);
952 break;
953 case NAME_CONSTRAINT_EXCLUDED:
954 id = parse_generalName(object, parser->get_level(parser) + 1);
955 if (!id)
956 {
957 goto end;
958 }
959 this->excluded_names->insert_last(this->excluded_names, id);
960 break;
961 default:
962 break;
963 }
964 }
965 success = parser->success(parser);
966
967 end:
968 parser->destroy(parser);
969
970 return success;
971 }
972
973 /**
974 * ASN.1 definition of a certificatePolicies extension
975 */
976 static const asn1Object_t certificatePoliciesObject[] = {
977 { 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
978 { 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
979 { 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */
980 { 2, "qualifiers", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 3 */
981 { 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */
982 { 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */
983 { 4, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
984 { 4, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
985 { 4, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 8 */
986 { 5, "explicitText", ASN1_EOC, ASN1_RAW }, /* 9 */
987 { 4, "end choice", ASN1_EOC, ASN1_END }, /* 10 */
988 { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */
989 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
990 { 0, "exit", ASN1_EOC, ASN1_EXIT }
991 };
992 #define CERT_POLICY_ID 2
993 #define CERT_POLICY_QUALIFIER_ID 5
994 #define CERT_POLICY_CPS_URI 6
995 #define CERT_POLICY_EXPLICIT_TEXT 9
996
997 /**
998 * Parse certificatePolicies
999 */
1000 static bool parse_certificatePolicies(chunk_t blob, int level0,
1001 private_x509_cert_t *this)
1002 {
1003 x509_cert_policy_t *policy = NULL;
1004 asn1_parser_t *parser;
1005 chunk_t object;
1006 int objectID, qualifier = OID_UNKNOWN;
1007 bool success;
1008
1009 parser = asn1_parser_create(certificatePoliciesObject, blob);
1010 parser->set_top_level(parser, level0);
1011
1012 while (parser->iterate(parser, &objectID, &object))
1013 {
1014 switch (objectID)
1015 {
1016 case CERT_POLICY_ID:
1017 INIT(policy,
1018 .oid = chunk_clone(object),
1019 );
1020 this->cert_policies->insert_last(this->cert_policies, policy);
1021 break;
1022 case CERT_POLICY_QUALIFIER_ID:
1023 qualifier = asn1_known_oid(object);
1024 break;
1025 case CERT_POLICY_CPS_URI:
1026 if (policy && !policy->cps_uri && object.len &&
1027 qualifier == OID_POLICY_QUALIFIER_CPS &&
1028 chunk_printable(object, NULL, 0))
1029 {
1030 policy->cps_uri = strndup(object.ptr, object.len);
1031 }
1032 break;
1033 case CERT_POLICY_EXPLICIT_TEXT:
1034 /* TODO */
1035 break;
1036 default:
1037 break;
1038 }
1039 }
1040 success = parser->success(parser);
1041 parser->destroy(parser);
1042
1043 return success;
1044 }
1045
1046 /**
1047 * ASN.1 definition of a policyMappings extension
1048 */
1049 static const asn1Object_t policyMappingsObjects[] = {
1050 { 0, "policyMappings", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
1051 { 1, "policyMapping", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
1052 { 2, "issuerPolicy", ASN1_OID, ASN1_BODY }, /* 2 */
1053 { 2, "subjectPolicy", ASN1_OID, ASN1_BODY }, /* 3 */
1054 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
1055 { 0, "exit", ASN1_EOC, ASN1_EXIT }
1056 };
1057 #define POLICY_MAPPING 1
1058 #define POLICY_MAPPING_ISSUER 2
1059 #define POLICY_MAPPING_SUBJECT 3
1060
1061 /**
1062 * Parse policyMappings
1063 */
1064 static bool parse_policyMappings(chunk_t blob, int level0,
1065 private_x509_cert_t *this)
1066 {
1067 x509_policy_mapping_t *map = NULL;
1068 asn1_parser_t *parser;
1069 chunk_t object;
1070 int objectID;
1071 bool success;
1072
1073 parser = asn1_parser_create(policyMappingsObjects, blob);
1074 parser->set_top_level(parser, level0);
1075
1076 while (parser->iterate(parser, &objectID, &object))
1077 {
1078 switch (objectID)
1079 {
1080 case POLICY_MAPPING:
1081 INIT(map);
1082 this->policy_mappings->insert_last(this->policy_mappings, map);
1083 break;
1084 case POLICY_MAPPING_ISSUER:
1085 if (map && !map->issuer.len)
1086 {
1087 map->issuer = chunk_clone(object);
1088 }
1089 break;
1090 case POLICY_MAPPING_SUBJECT:
1091 if (map && !map->subject.len)
1092 {
1093 map->subject = chunk_clone(object);
1094 }
1095 break;
1096 default:
1097 break;
1098 }
1099 }
1100 success = parser->success(parser);
1101 parser->destroy(parser);
1102
1103 return success;
1104 }
1105
1106 /**
1107 * ASN.1 definition of a policyConstraints extension
1108 */
1109 static const asn1Object_t policyConstraintsObjects[] = {
1110 { 0, "policyConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
1111 { 1, "requireExplicitPolicy", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_NONE }, /* 1 */
1112 { 2, "SkipCerts", ASN1_INTEGER, ASN1_BODY }, /* 2 */
1113 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
1114 { 1, "inhibitPolicyMapping", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_NONE }, /* 4 */
1115 { 2, "SkipCerts", ASN1_INTEGER, ASN1_BODY }, /* 5 */
1116 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
1117 { 0, "exit", ASN1_EOC, ASN1_EXIT }
1118 };
1119 #define POLICY_CONSTRAINT_EXPLICIT 2
1120 #define POLICY_CONSTRAINT_INHIBIT 5
1121
1122 /**
1123 * Parse policyConstraints
1124 */
1125 static bool parse_policyConstraints(chunk_t blob, int level0,
1126 private_x509_cert_t *this)
1127 {
1128 asn1_parser_t *parser;
1129 chunk_t object;
1130 int objectID;
1131 bool success;
1132
1133 parser = asn1_parser_create(policyConstraintsObjects, blob);
1134 parser->set_top_level(parser, level0);
1135
1136 while (parser->iterate(parser, &objectID, &object))
1137 {
1138 switch (objectID)
1139 {
1140 case POLICY_CONSTRAINT_EXPLICIT:
1141 this->require_explicit = parse_constraint(object);
1142 break;
1143 case POLICY_CONSTRAINT_INHIBIT:
1144 this->inhibit_mapping = parse_constraint(object);
1145 break;
1146 default:
1147 break;
1148 }
1149 }
1150 success = parser->success(parser);
1151 parser->destroy(parser);
1152
1153 return success;
1154 }
1155
1156 /**
1157 * ASN.1 definition of ipAddrBlocks according to RFC 3779
1158 */
1159 static const asn1Object_t ipAddrBlocksObjects[] = {
1160 { 0, "ipAddrBlocks", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
1161 { 1, "ipAddressFamily", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
1162 { 2, "addressFamily", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */
1163 { 2, "inherit", ASN1_NULL, ASN1_OPT|ASN1_NONE }, /* 3 */
1164 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
1165 { 2, "addressesOrRanges", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 5 */
1166 { 3, "addressPrefix", ASN1_BIT_STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
1167 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
1168 { 3, "addressRange", ASN1_SEQUENCE, ASN1_OPT|ASN1_NONE }, /* 8 */
1169 { 4, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 9 */
1170 { 4, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 10 */
1171 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
1172 { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */
1173 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
1174 { 0, "exit", ASN1_EOC, ASN1_EXIT }
1175 };
1176 #define IP_ADDR_BLOCKS_FAMILY 2
1177 #define IP_ADDR_BLOCKS_INHERIT 3
1178 #define IP_ADDR_BLOCKS_PREFIX 6
1179 #define IP_ADDR_BLOCKS_MIN 9
1180 #define IP_ADDR_BLOCKS_MAX 10
1181
1182 static bool check_address_object(ts_type_t ts_type, chunk_t object)
1183 {
1184 switch (ts_type)
1185 {
1186 case TS_IPV4_ADDR_RANGE:
1187 if (object.len > 5)
1188 {
1189 DBG1(DBG_ASN, "IPv4 address object is larger than 5 octets");
1190 return FALSE;
1191 }
1192 break;
1193 case TS_IPV6_ADDR_RANGE:
1194 if (object.len > 17)
1195 {
1196 DBG1(DBG_ASN, "IPv6 address object is larger than 17 octets");
1197 return FALSE;
1198 }
1199 break;
1200 default:
1201 DBG1(DBG_ASN, "unknown address family");
1202 return FALSE;
1203 }
1204 if (object.len == 0)
1205 {
1206 DBG1(DBG_ASN, "An ASN.1 bit string must contain at least the "
1207 "initial octet");
1208 return FALSE;
1209 }
1210 if (object.len == 1 && object.ptr[0] != 0)
1211 {
1212 DBG1(DBG_ASN, "An empty ASN.1 bit string must contain a zero "
1213 "initial octet");
1214 return FALSE;
1215 }
1216 if (object.ptr[0] > 7)
1217 {
1218 DBG1(DBG_ASN, "number of unused bits is too large");
1219 return FALSE;
1220 }
1221 return TRUE;
1222 }
1223
1224 static bool parse_ipAddrBlocks(chunk_t blob, int level0,
1225 private_x509_cert_t *this)
1226 {
1227 asn1_parser_t *parser;
1228 chunk_t object, min_object;
1229 ts_type_t ts_type = 0;
1230 traffic_selector_t *ts;
1231 int objectID;
1232 bool success = FALSE;
1233
1234 parser = asn1_parser_create(ipAddrBlocksObjects, blob);
1235 parser->set_top_level(parser, level0);
1236
1237 while (parser->iterate(parser, &objectID, &object))
1238 {
1239 switch (objectID)
1240 {
1241 case IP_ADDR_BLOCKS_FAMILY:
1242 ts_type = 0;
1243 if (object.len == 2 && object.ptr[0] == 0)
1244 {
1245 if (object.ptr[1] == 1)
1246 {
1247 ts_type = TS_IPV4_ADDR_RANGE;
1248 }
1249 else if (object.ptr[1] == 2)
1250 {
1251 ts_type = TS_IPV6_ADDR_RANGE;
1252 }
1253 else
1254 {
1255 break;
1256 }
1257 DBG2(DBG_ASN, " %N", ts_type_name, ts_type);
1258 }
1259 break;
1260 case IP_ADDR_BLOCKS_INHERIT:
1261 DBG1(DBG_ASN, "inherit choice is not supported");
1262 break;
1263 case IP_ADDR_BLOCKS_PREFIX:
1264 if (!check_address_object(ts_type, object))
1265 {
1266 goto end;
1267 }
1268 ts = traffic_selector_create_from_rfc3779_format(ts_type,
1269 object, object);
1270 DBG2(DBG_ASN, " %R", ts);
1271 this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
1272 break;
1273 case IP_ADDR_BLOCKS_MIN:
1274 if (!check_address_object(ts_type, object))
1275 {
1276 goto end;
1277 }
1278 min_object = object;
1279 break;
1280 case IP_ADDR_BLOCKS_MAX:
1281 if (!check_address_object(ts_type, object))
1282 {
1283 goto end;
1284 }
1285 ts = traffic_selector_create_from_rfc3779_format(ts_type,
1286 min_object, object);
1287 DBG2(DBG_ASN, " %R", ts);
1288 this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
1289 break;
1290 default:
1291 break;
1292 }
1293 }
1294 success = parser->success(parser);
1295 this->flags |= X509_IP_ADDR_BLOCKS;
1296
1297 end:
1298 parser->destroy(parser);
1299
1300 return success;
1301 }
1302
1303 /**
1304 * ASN.1 definition of an X.509v3 x509_cert
1305 */
1306 static const asn1Object_t certObjects[] = {
1307 { 0, "x509", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
1308 { 1, "tbsCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
1309 { 2, "DEFAULT v1", ASN1_CONTEXT_C_0, ASN1_DEF }, /* 2 */
1310 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
1311 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 4 */
1312 { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 5 */
1313 { 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
1314 { 2, "validity", ASN1_SEQUENCE, ASN1_NONE }, /* 7 */
1315 { 3, "notBefore", ASN1_EOC, ASN1_RAW }, /* 8 */
1316 { 3, "notAfter", ASN1_EOC, ASN1_RAW }, /* 9 */
1317 { 2, "subject", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
1318 { 2, "subjectPublicKeyInfo",ASN1_SEQUENCE, ASN1_RAW }, /* 11 */
1319 { 2, "issuerUniqueID", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 12 */
1320 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 13 */
1321 { 2, "subjectUniqueID", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 14 */
1322 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 15 */
1323 { 2, "optional extensions", ASN1_CONTEXT_C_3, ASN1_OPT }, /* 16 */
1324 { 3, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 17 */
1325 { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 18 */
1326 { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 19 */
1327 { 5, "critical", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 20 */
1328 { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 21 */
1329 { 3, "end loop", ASN1_EOC, ASN1_END }, /* 22 */
1330 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 23 */
1331 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 24 */
1332 { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY }, /* 25 */
1333 { 0, "exit", ASN1_EOC, ASN1_EXIT }
1334 };
1335 #define X509_OBJ_TBS_CERTIFICATE 1
1336 #define X509_OBJ_VERSION 3
1337 #define X509_OBJ_SERIAL_NUMBER 4
1338 #define X509_OBJ_SIG_ALG 5
1339 #define X509_OBJ_ISSUER 6
1340 #define X509_OBJ_NOT_BEFORE 8
1341 #define X509_OBJ_NOT_AFTER 9
1342 #define X509_OBJ_SUBJECT 10
1343 #define X509_OBJ_SUBJECT_PUBLIC_KEY_INFO 11
1344 #define X509_OBJ_OPTIONAL_EXTENSIONS 16
1345 #define X509_OBJ_EXTN_ID 19
1346 #define X509_OBJ_CRITICAL 20
1347 #define X509_OBJ_EXTN_VALUE 21
1348 #define X509_OBJ_ALGORITHM 24
1349 #define X509_OBJ_SIGNATURE 25
1350
1351 /**
1352 * Parses an X.509v3 certificate
1353 */
1354 static bool parse_certificate(private_x509_cert_t *this)
1355 {
1356 asn1_parser_t *parser;
1357 chunk_t object;
1358 int objectID;
1359 int extn_oid = OID_UNKNOWN;
1360 int sig_alg = OID_UNKNOWN;
1361 bool success = FALSE;
1362 bool critical = FALSE;
1363
1364 parser = asn1_parser_create(certObjects, this->encoding);
1365
1366 while (parser->iterate(parser, &objectID, &object))
1367 {
1368 u_int level = parser->get_level(parser)+1;
1369
1370 switch (objectID)
1371 {
1372 case X509_OBJ_TBS_CERTIFICATE:
1373 this->tbsCertificate = object;
1374 break;
1375 case X509_OBJ_VERSION:
1376 this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
1377 if (this->version < 1 || this->version > 3)
1378 {
1379 DBG1(DBG_ASN, "X.509v%d not supported", this->version);
1380 goto end;
1381 }
1382 else
1383 {
1384 DBG2(DBG_ASN, " X.509v%d", this->version);
1385 }
1386 break;
1387 case X509_OBJ_SERIAL_NUMBER:
1388 this->serialNumber = object;
1389 break;
1390 case X509_OBJ_SIG_ALG:
1391 sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
1392 break;
1393 case X509_OBJ_ISSUER:
1394 this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
1395 DBG2(DBG_ASN, " '%Y'", this->issuer);
1396 break;
1397 case X509_OBJ_NOT_BEFORE:
1398 this->notBefore = asn1_parse_time(object, level);
1399 break;
1400 case X509_OBJ_NOT_AFTER:
1401 this->notAfter = asn1_parse_time(object, level);
1402 break;
1403 case X509_OBJ_SUBJECT:
1404 this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
1405 DBG2(DBG_ASN, " '%Y'", this->subject);
1406 break;
1407 case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
1408 DBG2(DBG_ASN, "-- > --");
1409 this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
1410 KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
1411 DBG2(DBG_ASN, "-- < --");
1412 if (this->public_key == NULL)
1413 {
1414 goto end;
1415 }
1416 break;
1417 case X509_OBJ_OPTIONAL_EXTENSIONS:
1418 if (this->version != 3)
1419 {
1420 DBG1(DBG_ASN, "Only X.509v3 certificates have extensions");
1421 goto end;
1422 }
1423 break;
1424 case X509_OBJ_EXTN_ID:
1425 extn_oid = asn1_known_oid(object);
1426 break;
1427 case X509_OBJ_CRITICAL:
1428 critical = object.len && *object.ptr;
1429 DBG2(DBG_ASN, " %s", critical ? "TRUE" : "FALSE");
1430 break;
1431 case X509_OBJ_EXTN_VALUE:
1432 {
1433 switch (extn_oid)
1434 {
1435 case OID_SUBJECT_KEY_ID:
1436 if (!asn1_parse_simple_object(&object, ASN1_OCTET_STRING,
1437 level, "keyIdentifier"))
1438 {
1439 goto end;
1440 }
1441 this->subjectKeyIdentifier = object;
1442 break;
1443 case OID_SUBJECT_ALT_NAME:
1444 if (!x509_parse_generalNames(object, level, FALSE,
1445 this->subjectAltNames))
1446 {
1447 goto end;
1448 }
1449 break;
1450 case OID_BASIC_CONSTRAINTS:
1451 if (!parse_basicConstraints(object, level, this))
1452 {
1453 goto end;
1454 }
1455 break;
1456 case OID_CRL_DISTRIBUTION_POINTS:
1457 if (!x509_parse_crlDistributionPoints(object, level,
1458 this->crl_uris))
1459 {
1460 goto end;
1461 }
1462 break;
1463 case OID_AUTHORITY_KEY_ID:
1464 this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(
1465 object, level, &this->authKeySerialNumber);
1466 break;
1467 case OID_AUTHORITY_INFO_ACCESS:
1468 if (!parse_authorityInfoAccess(object, level, this))
1469 {
1470 goto end;
1471 }
1472 break;
1473 case OID_KEY_USAGE:
1474 parse_keyUsage(object, this);
1475 break;
1476 case OID_EXTENDED_KEY_USAGE:
1477 if (!parse_extendedKeyUsage(object, level, this))
1478 {
1479 goto end;
1480 }
1481 break;
1482 case OID_IP_ADDR_BLOCKS:
1483 if (!parse_ipAddrBlocks(object, level, this))
1484 {
1485 goto end;
1486 }
1487 break;
1488 case OID_NAME_CONSTRAINTS:
1489 if (!parse_nameConstraints(object, level, this))
1490 {
1491 goto end;
1492 }
1493 break;
1494 case OID_CERTIFICATE_POLICIES:
1495 if (!parse_certificatePolicies(object, level, this))
1496 {
1497 goto end;
1498 }
1499 break;
1500 case OID_POLICY_MAPPINGS:
1501 if (!parse_policyMappings(object, level, this))
1502 {
1503 goto end;
1504 }
1505 break;
1506 case OID_POLICY_CONSTRAINTS:
1507 if (!parse_policyConstraints(object, level, this))
1508 {
1509 goto end;
1510 }
1511 break;
1512 case OID_INHIBIT_ANY_POLICY:
1513 if (!asn1_parse_simple_object(&object, ASN1_INTEGER,
1514 level, "inhibitAnyPolicy"))
1515 {
1516 goto end;
1517 }
1518 this->inhibit_any = parse_constraint(object);
1519 break;
1520 case OID_NS_REVOCATION_URL:
1521 case OID_NS_CA_REVOCATION_URL:
1522 case OID_NS_CA_POLICY_URL:
1523 case OID_NS_COMMENT:
1524 if (!asn1_parse_simple_object(&object, ASN1_IA5STRING,
1525 level, oid_names[extn_oid].name))
1526 {
1527 goto end;
1528 }
1529 break;
1530 default:
1531 if (critical && lib->settings->get_bool(lib->settings,
1532 "%s.x509.enforce_critical", TRUE, lib->ns))
1533 {
1534 DBG1(DBG_ASN, "critical '%s' extension not supported",
1535 (extn_oid == OID_UNKNOWN) ? "unknown" :
1536 (char*)oid_names[extn_oid].name);
1537 goto end;
1538 }
1539 break;
1540 }
1541 break;
1542 }
1543 case X509_OBJ_ALGORITHM:
1544 this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
1545 if (this->algorithm != sig_alg)
1546 {
1547 DBG1(DBG_ASN, " signature algorithms do not agree");
1548 goto end;
1549 }
1550 break;
1551 case X509_OBJ_SIGNATURE:
1552 this->signature = chunk_skip(object, 1);
1553 break;
1554 default:
1555 break;
1556 }
1557 }
1558 success = parser->success(parser);
1559
1560 end:
1561 parser->destroy(parser);
1562 if (success)
1563 {
1564 hasher_t *hasher;
1565
1566 /* check if the certificate is self-signed */
1567 if (this->public.interface.interface.issued_by(
1568 &this->public.interface.interface,
1569 &this->public.interface.interface,
1570 NULL))
1571 {
1572 this->flags |= X509_SELF_SIGNED;
1573 }
1574 /* create certificate hash */
1575 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1576 if (!hasher ||
1577 !hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash))
1578 {
1579 DESTROY_IF(hasher);
1580 DBG1(DBG_ASN, " unable to create hash of certificate, SHA1 not supported");
1581 return FALSE;
1582 }
1583 hasher->destroy(hasher);
1584 }
1585 return success;
1586 }
1587
1588 METHOD(certificate_t, get_type, certificate_type_t,
1589 private_x509_cert_t *this)
1590 {
1591 return CERT_X509;
1592 }
1593
1594 METHOD(certificate_t, get_subject, identification_t*,
1595 private_x509_cert_t *this)
1596 {
1597 return this->subject;
1598 }
1599
1600 METHOD(certificate_t, get_issuer, identification_t*,
1601 private_x509_cert_t *this)
1602 {
1603 return this->issuer;
1604 }
1605
1606 METHOD(certificate_t, has_subject, id_match_t,
1607 private_x509_cert_t *this, identification_t *subject)
1608 {
1609 identification_t *current;
1610 enumerator_t *enumerator;
1611 id_match_t match, best;
1612 chunk_t encoding;
1613
1614 if (subject->get_type(subject) == ID_KEY_ID)
1615 {
1616 encoding = subject->get_encoding(subject);
1617
1618 if (this->encoding_hash.len &&
1619 chunk_equals(this->encoding_hash, encoding))
1620 {
1621 return ID_MATCH_PERFECT;
1622 }
1623 if (this->subjectKeyIdentifier.len &&
1624 chunk_equals(this->subjectKeyIdentifier, encoding))
1625 {
1626 return ID_MATCH_PERFECT;
1627 }
1628 if (this->public_key &&
1629 this->public_key->has_fingerprint(this->public_key, encoding))
1630 {
1631 return ID_MATCH_PERFECT;
1632 }
1633 if (chunk_equals(this->serialNumber, encoding))
1634 {
1635 return ID_MATCH_PERFECT;
1636 }
1637 }
1638 best = this->subject->matches(this->subject, subject);
1639 enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
1640 while (enumerator->enumerate(enumerator, &current))
1641 {
1642 match = current->matches(current, subject);
1643 if (match > best)
1644 {
1645 best = match;
1646 }
1647 }
1648 enumerator->destroy(enumerator);
1649 return best;
1650 }
1651
1652 METHOD(certificate_t, has_issuer, id_match_t,
1653 private_x509_cert_t *this, identification_t *issuer)
1654 {
1655 /* issuerAltNames currently not supported */
1656 return this->issuer->matches(this->issuer, issuer);
1657 }
1658
1659 METHOD(certificate_t, issued_by, bool,
1660 private_x509_cert_t *this, certificate_t *issuer,
1661 signature_scheme_t *schemep)
1662 {
1663 public_key_t *key;
1664 signature_scheme_t scheme;
1665 bool valid;
1666 x509_t *x509 = (x509_t*)issuer;
1667
1668 if (&this->public.interface.interface == issuer)
1669 {
1670 if (this->flags & X509_SELF_SIGNED)
1671 {
1672 return TRUE;
1673 }
1674 }
1675 else
1676 {
1677 if (issuer->get_type(issuer) != CERT_X509)
1678 {
1679 return FALSE;
1680 }
1681 if (!(x509->get_flags(x509) & X509_CA))
1682 {
1683 return FALSE;
1684 }
1685 }
1686 if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
1687 {
1688 return FALSE;
1689 }
1690
1691 /* determine signature scheme */
1692 scheme = signature_scheme_from_oid(this->algorithm);
1693 if (scheme == SIGN_UNKNOWN)
1694 {
1695 return FALSE;
1696 }
1697 /* get the public key of the issuer */
1698 key = issuer->get_public_key(issuer);
1699 if (!key)
1700 {
1701 return FALSE;
1702 }
1703 valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
1704 key->destroy(key);
1705 if (valid && schemep)
1706 {
1707 *schemep = scheme;
1708 }
1709 return valid;
1710 }
1711
1712 METHOD(certificate_t, get_public_key, public_key_t*,
1713 private_x509_cert_t *this)
1714 {
1715 this->public_key->get_ref(this->public_key);
1716 return this->public_key;
1717 }
1718
1719 METHOD(certificate_t, get_ref, certificate_t*,
1720 private_x509_cert_t *this)
1721 {
1722 ref_get(&this->ref);
1723 return &this->public.interface.interface;
1724 }
1725
1726 METHOD(certificate_t, get_validity, bool,
1727 private_x509_cert_t *this, time_t *when, time_t *not_before,
1728 time_t *not_after)
1729 {
1730 time_t t = when ? *when : time(NULL);
1731
1732 if (not_before)
1733 {
1734 *not_before = this->notBefore;
1735 }
1736 if (not_after)
1737 {
1738 *not_after = this->notAfter;
1739 }
1740 return (t >= this->notBefore && t <= this->notAfter);
1741 }
1742
1743 METHOD(certificate_t, get_encoding, bool,
1744 private_x509_cert_t *this, cred_encoding_type_t type, chunk_t *encoding)
1745 {
1746 if (type == CERT_ASN1_DER)
1747 {
1748 *encoding = chunk_clone(this->encoding);
1749 return TRUE;
1750 }
1751 return lib->encoding->encode(lib->encoding, type, NULL, encoding,
1752 CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END);
1753 }
1754
1755 METHOD(certificate_t, equals, bool,
1756 private_x509_cert_t *this, certificate_t *other)
1757 {
1758 chunk_t encoding;
1759 bool equal;
1760
1761 if (this == (private_x509_cert_t*)other)
1762 {
1763 return TRUE;
1764 }
1765 if (other->get_type(other) != CERT_X509)
1766 {
1767 return FALSE;
1768 }
1769 if (other->equals == (void*)equals)
1770 { /* skip allocation if we have the same implementation */
1771 return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding);
1772 }
1773 if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
1774 {
1775 return FALSE;
1776 }
1777 equal = chunk_equals(this->encoding, encoding);
1778 free(encoding.ptr);
1779 return equal;
1780 }
1781
1782 METHOD(x509_t, get_flags, x509_flag_t,
1783 private_x509_cert_t *this)
1784 {
1785 return this->flags;
1786 }
1787
1788 METHOD(x509_t, get_serial, chunk_t,
1789 private_x509_cert_t *this)
1790 {
1791 return this->serialNumber;
1792 }
1793
1794 METHOD(x509_t, get_subjectKeyIdentifier, chunk_t,
1795 private_x509_cert_t *this)
1796 {
1797 if (this->subjectKeyIdentifier.ptr)
1798 {
1799 return this->subjectKeyIdentifier;
1800 }
1801 else
1802 {
1803 chunk_t fingerprint;
1804
1805 if (this->public_key->get_fingerprint(this->public_key,
1806 KEYID_PUBKEY_SHA1, &fingerprint))
1807 {
1808 return fingerprint;
1809 }
1810 else
1811 {
1812 return chunk_empty;
1813 }
1814 }
1815 }
1816
1817 METHOD(x509_t, get_authKeyIdentifier, chunk_t,
1818 private_x509_cert_t *this)
1819 {
1820 return this->authKeyIdentifier;
1821 }
1822
1823 METHOD(x509_t, get_constraint, u_int,
1824 private_x509_cert_t *this, x509_constraint_t type)
1825 {
1826 switch (type)
1827 {
1828 case X509_PATH_LEN:
1829 return this->pathLenConstraint;
1830 case X509_REQUIRE_EXPLICIT_POLICY:
1831 return this->require_explicit;
1832 case X509_INHIBIT_POLICY_MAPPING:
1833 return this->inhibit_mapping;
1834 case X509_INHIBIT_ANY_POLICY:
1835 return this->inhibit_any;
1836 default:
1837 return X509_NO_CONSTRAINT;
1838 }
1839 }
1840
1841 METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
1842 private_x509_cert_t *this)
1843 {
1844 return this->subjectAltNames->create_enumerator(this->subjectAltNames);
1845 }
1846
1847 METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*,
1848 private_x509_cert_t *this)
1849 {
1850 return this->ocsp_uris->create_enumerator(this->ocsp_uris);
1851 }
1852
1853 METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*,
1854 private_x509_cert_t *this)
1855 {
1856 return this->crl_uris->create_enumerator(this->crl_uris);
1857 }
1858
1859 METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*,
1860 private_x509_cert_t *this)
1861 {
1862 return this->ipAddrBlocks->create_enumerator(this->ipAddrBlocks);
1863 }
1864
1865 METHOD(x509_t, create_name_constraint_enumerator, enumerator_t*,
1866 private_x509_cert_t *this, bool perm)
1867 {
1868 if (perm)
1869 {
1870 return this->permitted_names->create_enumerator(this->permitted_names);
1871 }
1872 return this->excluded_names->create_enumerator(this->excluded_names);
1873 }
1874
1875 METHOD(x509_t, create_cert_policy_enumerator, enumerator_t*,
1876 private_x509_cert_t *this)
1877 {
1878 return this->cert_policies->create_enumerator(this->cert_policies);
1879 }
1880
1881 METHOD(x509_t, create_policy_mapping_enumerator, enumerator_t*,
1882 private_x509_cert_t *this)
1883 {
1884 return this->policy_mappings->create_enumerator(this->policy_mappings);
1885 }
1886
1887 METHOD(certificate_t, destroy, void,
1888 private_x509_cert_t *this)
1889 {
1890 if (ref_put(&this->ref))
1891 {
1892 this->subjectAltNames->destroy_offset(this->subjectAltNames,
1893 offsetof(identification_t, destroy));
1894 this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy);
1895 this->ocsp_uris->destroy_function(this->ocsp_uris, free);
1896 this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks,
1897 offsetof(traffic_selector_t, destroy));
1898 this->permitted_names->destroy_offset(this->permitted_names,
1899 offsetof(identification_t, destroy));
1900 this->excluded_names->destroy_offset(this->excluded_names,
1901 offsetof(identification_t, destroy));
1902 this->cert_policies->destroy_function(this->cert_policies,
1903 (void*)cert_policy_destroy);
1904 this->policy_mappings->destroy_function(this->policy_mappings,
1905 (void*)policy_mapping_destroy);
1906 DESTROY_IF(this->issuer);
1907 DESTROY_IF(this->subject);
1908 DESTROY_IF(this->public_key);
1909 chunk_free(&this->authKeyIdentifier);
1910 chunk_free(&this->encoding);
1911 chunk_free(&this->encoding_hash);
1912 if (!this->parsed)
1913 { /* only parsed certificates point these fields to "encoded" */
1914 chunk_free(&this->signature);
1915 chunk_free(&this->serialNumber);
1916 chunk_free(&this->tbsCertificate);
1917 }
1918 free(this);
1919 }
1920 }
1921
1922 /**
1923 * create an empty but initialized X.509 certificate
1924 */
1925 static private_x509_cert_t* create_empty(void)
1926 {
1927 private_x509_cert_t *this;
1928
1929 INIT(this,
1930 .public = {
1931 .interface = {
1932 .interface = {
1933 .get_type = _get_type,
1934 .get_subject = _get_subject,
1935 .get_issuer = _get_issuer,
1936 .has_subject = _has_subject,
1937 .has_issuer = _has_issuer,
1938 .issued_by = _issued_by,
1939 .get_public_key = _get_public_key,
1940 .get_validity = _get_validity,
1941 .get_encoding = _get_encoding,
1942 .equals = _equals,
1943 .get_ref = _get_ref,
1944 .destroy = _destroy,
1945 },
1946 .get_flags = _get_flags,
1947 .get_serial = _get_serial,
1948 .get_subjectKeyIdentifier = _get_subjectKeyIdentifier,
1949 .get_authKeyIdentifier = _get_authKeyIdentifier,
1950 .get_constraint = _get_constraint,
1951 .create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
1952 .create_crl_uri_enumerator = _create_crl_uri_enumerator,
1953 .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
1954 .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
1955 .create_name_constraint_enumerator = _create_name_constraint_enumerator,
1956 .create_cert_policy_enumerator = _create_cert_policy_enumerator,
1957 .create_policy_mapping_enumerator = _create_policy_mapping_enumerator,
1958 },
1959 },
1960 .version = 1,
1961 .subjectAltNames = linked_list_create(),
1962 .crl_uris = linked_list_create(),
1963 .ocsp_uris = linked_list_create(),
1964 .ipAddrBlocks = linked_list_create(),
1965 .permitted_names = linked_list_create(),
1966 .excluded_names = linked_list_create(),
1967 .cert_policies = linked_list_create(),
1968 .policy_mappings = linked_list_create(),
1969 .pathLenConstraint = X509_NO_CONSTRAINT,
1970 .require_explicit = X509_NO_CONSTRAINT,
1971 .inhibit_mapping = X509_NO_CONSTRAINT,
1972 .inhibit_any = X509_NO_CONSTRAINT,
1973 .ref = 1,
1974 );
1975 return this;
1976 }
1977
1978 /**
1979 * Build a generalName from an id
1980 */
1981 chunk_t build_generalName(identification_t *id)
1982 {
1983 int context;
1984
1985 switch (id->get_type(id))
1986 {
1987 case ID_RFC822_ADDR:
1988 context = ASN1_CONTEXT_S_1;
1989 break;
1990 case ID_FQDN:
1991 context = ASN1_CONTEXT_S_2;
1992 break;
1993 case ID_DER_ASN1_DN:
1994 context = ASN1_CONTEXT_C_4;
1995 break;
1996 case ID_IPV4_ADDR:
1997 case ID_IPV6_ADDR:
1998 context = ASN1_CONTEXT_S_7;
1999 break;
2000 default:
2001 DBG1(DBG_ASN, "encoding %N as generalName not supported",
2002 id_type_names, id->get_type(id));
2003 return chunk_empty;
2004 }
2005 return asn1_wrap(context, "c", id->get_encoding(id));
2006 }
2007
2008 /**
2009 * Encode a linked list of subjectAltNames
2010 */
2011 chunk_t x509_build_subjectAltNames(linked_list_t *list)
2012 {
2013 chunk_t subjectAltNames = chunk_empty, name;
2014 enumerator_t *enumerator;
2015 identification_t *id;
2016
2017 if (list->get_count(list) == 0)
2018 {
2019 return chunk_empty;
2020 }
2021
2022 enumerator = list->create_enumerator(list);
2023 while (enumerator->enumerate(enumerator, &id))
2024 {
2025 name = build_generalName(id);
2026 subjectAltNames = chunk_cat("mm", subjectAltNames, name);
2027 }
2028 enumerator->destroy(enumerator);
2029
2030 return asn1_wrap(ASN1_SEQUENCE, "mm",
2031 asn1_build_known_oid(OID_SUBJECT_ALT_NAME),
2032 asn1_wrap(ASN1_OCTET_STRING, "m",
2033 asn1_wrap(ASN1_SEQUENCE, "m", subjectAltNames)
2034 )
2035 );
2036 }
2037
2038 /**
2039 * Encode CRL distribution points extension from a x509_cdp_t list
2040 */
2041 chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn)
2042 {
2043 chunk_t crlDistributionPoints = chunk_empty;
2044 enumerator_t *enumerator;
2045 x509_cdp_t *cdp;
2046
2047 if (list->get_count(list) == 0)
2048 {
2049 return chunk_empty;
2050 }
2051
2052 enumerator = list->create_enumerator(list);
2053 while (enumerator->enumerate(enumerator, &cdp))
2054 {
2055 chunk_t distributionPoint, crlIssuer = chunk_empty;
2056
2057 if (cdp->issuer)
2058 {
2059 crlIssuer = asn1_wrap(ASN1_CONTEXT_C_2, "m",
2060 build_generalName(cdp->issuer));
2061 }
2062 distributionPoint = asn1_wrap(ASN1_SEQUENCE, "mm",
2063 asn1_wrap(ASN1_CONTEXT_C_0, "m",
2064 asn1_wrap(ASN1_CONTEXT_C_0, "m",
2065 asn1_wrap(ASN1_CONTEXT_S_6, "c",
2066 chunk_create(cdp->uri, strlen(cdp->uri))))),
2067 crlIssuer);
2068 crlDistributionPoints = chunk_cat("mm", crlDistributionPoints,
2069 distributionPoint);
2070 }
2071 enumerator->destroy(enumerator);
2072
2073 return asn1_wrap(ASN1_SEQUENCE, "mm",
2074 asn1_build_known_oid(extn),
2075 asn1_wrap(ASN1_OCTET_STRING, "m",
2076 asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints)));
2077 }
2078
2079 static chunk_t generate_ts(traffic_selector_t *ts)
2080 {
2081 chunk_t from, to;
2082 uint8_t minbits = 0, maxbits = 0, unused;
2083 host_t *net;
2084 int bit, byte;
2085
2086 if (ts->to_subnet(ts, &net, &minbits))
2087 {
2088 unused = round_up(minbits, BITS_PER_BYTE) - minbits;
2089 from = asn1_wrap(ASN1_BIT_STRING, "m",
2090 chunk_cat("cc", chunk_from_thing(unused),
2091 chunk_create(net->get_address(net).ptr,
2092 (minbits + unused) / BITS_PER_BYTE)));
2093 net->destroy(net);
2094 return from;
2095 }
2096 net->destroy(net);
2097
2098 from = ts->get_from_address(ts);
2099 for (byte = from.len - 1; byte >= 0; byte--)
2100 {
2101 if (from.ptr[byte] != 0)
2102 {
2103 minbits = byte * BITS_PER_BYTE + BITS_PER_BYTE;
2104 for (bit = 0; bit < BITS_PER_BYTE; bit++)
2105 {
2106 if (from.ptr[byte] & 1 << bit)
2107 {
2108 break;
2109 }
2110 minbits--;
2111 }
2112 break;
2113 }
2114 }
2115 to = ts->get_to_address(ts);
2116 for (byte = to.len - 1; byte >= 0; byte--)
2117 {
2118 if (to.ptr[byte] != 0xFF)
2119 {
2120 maxbits = byte * BITS_PER_BYTE + BITS_PER_BYTE;
2121 for (bit = 0; bit < BITS_PER_BYTE; bit++)
2122 {
2123 if ((to.ptr[byte] & 1 << bit) == 0)
2124 {
2125 break;
2126 }
2127 maxbits--;
2128 }
2129 break;
2130 }
2131 }
2132 unused = round_up(minbits, BITS_PER_BYTE) - minbits;
2133 from = asn1_wrap(ASN1_BIT_STRING, "m",
2134 chunk_cat("cc", chunk_from_thing(unused),
2135 chunk_create(from.ptr,
2136 (minbits + unused) / BITS_PER_BYTE)));
2137 unused = round_up(maxbits, BITS_PER_BYTE) - maxbits;
2138 to = asn1_wrap(ASN1_BIT_STRING, "m",
2139 chunk_cat("cc", chunk_from_thing(unused),
2140 chunk_create(to.ptr,
2141 (maxbits + unused) / BITS_PER_BYTE)));
2142 return asn1_wrap(ASN1_SEQUENCE, "mm", from, to);
2143 }
2144
2145 /**
2146 * Generate and sign a new certificate
2147 */
2148 static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
2149 private_key_t *sign_key, int digest_alg)
2150 {
2151 chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
2152 chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty;
2153 chunk_t ocspSigning = chunk_empty, certPolicies = chunk_empty;
2154 chunk_t basicConstraints = chunk_empty, nameConstraints = chunk_empty;
2155 chunk_t keyUsage = chunk_empty, keyUsageBits = chunk_empty;
2156 chunk_t subjectAltNames = chunk_empty, policyMappings = chunk_empty;
2157 chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
2158 chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
2159 chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
2160 chunk_t ikeIntermediate = chunk_empty, msSmartcardLogon = chunk_empty;
2161 chunk_t ipAddrBlocks = chunk_empty;
2162 identification_t *issuer, *subject;
2163 chunk_t key_info;
2164 signature_scheme_t scheme;
2165 hasher_t *hasher;
2166 enumerator_t *enumerator;
2167 char *uri;
2168
2169 subject = cert->subject;
2170 if (sign_cert)
2171 {
2172 issuer = sign_cert->get_subject(sign_cert);
2173 if (!cert->public_key)
2174 {
2175 return FALSE;
2176 }
2177 }
2178 else
2179 { /* self signed */
2180 issuer = subject;
2181 if (!cert->public_key)
2182 {
2183 cert->public_key = sign_key->get_public_key(sign_key);
2184 }
2185 cert->flags |= X509_SELF_SIGNED;
2186 }
2187 cert->issuer = issuer->clone(issuer);
2188 if (!cert->notBefore)
2189 {
2190 cert->notBefore = time(NULL);
2191 }
2192 if (!cert->notAfter)
2193 { /* defaults to 1 year from now */
2194 cert->notAfter = cert->notBefore + 60 * 60 * 24 * 365;
2195 }
2196
2197 /* select signature scheme */
2198 cert->algorithm = hasher_signature_algorithm_to_oid(digest_alg,
2199 sign_key->get_type(sign_key));
2200 if (cert->algorithm == OID_UNKNOWN)
2201 {
2202 return FALSE;
2203 }
2204 scheme = signature_scheme_from_oid(cert->algorithm);
2205
2206 if (!cert->public_key->get_encoding(cert->public_key,
2207 PUBKEY_SPKI_ASN1_DER, &key_info))
2208 {
2209 return FALSE;
2210 }
2211
2212 /* encode subjectAltNames */
2213 subjectAltNames = x509_build_subjectAltNames(cert->subjectAltNames);
2214
2215 crlDistributionPoints = x509_build_crlDistributionPoints(cert->crl_uris,
2216 OID_CRL_DISTRIBUTION_POINTS);
2217
2218 /* encode OCSP URIs in authorityInfoAccess extension */
2219 enumerator = cert->ocsp_uris->create_enumerator(cert->ocsp_uris);
2220 while (enumerator->enumerate(enumerator, &uri))
2221 {
2222 chunk_t accessDescription;
2223
2224 accessDescription = asn1_wrap(ASN1_SEQUENCE, "mm",
2225 asn1_build_known_oid(OID_OCSP),
2226 asn1_wrap(ASN1_CONTEXT_S_6, "c",
2227 chunk_create(uri, strlen(uri))));
2228 authorityInfoAccess = chunk_cat("mm", authorityInfoAccess,
2229 accessDescription);
2230 }
2231 enumerator->destroy(enumerator);
2232 if (authorityInfoAccess.ptr)
2233 {
2234 authorityInfoAccess = asn1_wrap(ASN1_SEQUENCE, "mm",
2235 asn1_build_known_oid(OID_AUTHORITY_INFO_ACCESS),
2236 asn1_wrap(ASN1_OCTET_STRING, "m",
2237 asn1_wrap(ASN1_SEQUENCE, "m", authorityInfoAccess)));
2238 }
2239
2240 /* build CA basicConstraint and keyUsage flags for CA certificates */
2241 if (cert->flags & X509_CA)
2242 {
2243 chunk_t pathLenConstraint = chunk_empty;
2244
2245 if (cert->pathLenConstraint != X509_NO_CONSTRAINT)
2246 {
2247 pathLenConstraint = asn1_integer("c",
2248 chunk_from_thing(cert->pathLenConstraint));
2249 }
2250 basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
2251 asn1_build_known_oid(OID_BASIC_CONSTRAINTS),
2252 asn1_wrap(ASN1_BOOLEAN, "c",
2253 chunk_from_chars(0xFF)),
2254 asn1_wrap(ASN1_OCTET_STRING, "m",
2255 asn1_wrap(ASN1_SEQUENCE, "mm",
2256 asn1_wrap(ASN1_BOOLEAN, "c",
2257 chunk_from_chars(0xFF)),
2258 pathLenConstraint)));
2259 /* set CertificateSign and implicitly CRLsign */
2260 keyUsageBits = chunk_from_chars(0x01, 0x06);
2261 }
2262 else if (cert->flags & X509_CRL_SIGN)
2263 {
2264 keyUsageBits = chunk_from_chars(0x01, 0x02);
2265 }
2266 if (keyUsageBits.len)
2267 {
2268 keyUsage = asn1_wrap(ASN1_SEQUENCE, "mmm",
2269 asn1_build_known_oid(OID_KEY_USAGE),
2270 asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
2271 asn1_wrap(ASN1_OCTET_STRING, "m",
2272 asn1_wrap(ASN1_BIT_STRING, "c", keyUsageBits)));
2273 }
2274
2275 /* add extendedKeyUsage flags */
2276 if (cert->flags & X509_SERVER_AUTH)
2277 {
2278 serverAuth = asn1_build_known_oid(OID_SERVER_AUTH);
2279 }
2280 if (cert->flags & X509_CLIENT_AUTH)
2281 {
2282 clientAuth = asn1_build_known_oid(OID_CLIENT_AUTH);
2283 }
2284 if (cert->flags & X509_IKE_INTERMEDIATE)
2285 {
2286 ikeIntermediate = asn1_build_known_oid(OID_IKE_INTERMEDIATE);
2287 }
2288 if (cert->flags & X509_OCSP_SIGNER)
2289 {
2290 ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
2291 }
2292 if (cert->flags & X509_MS_SMARTCARD_LOGON)
2293 {
2294 msSmartcardLogon = asn1_build_known_oid(OID_MS_SMARTCARD_LOGON);
2295 }
2296
2297 if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr ||
2298 ocspSigning.ptr || msSmartcardLogon.ptr)
2299 {
2300 extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
2301 asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
2302 asn1_wrap(ASN1_OCTET_STRING, "m",
2303 asn1_wrap(ASN1_SEQUENCE, "mmmmm",
2304 serverAuth, clientAuth, ikeIntermediate,
2305 ocspSigning, msSmartcardLogon)));
2306 }
2307
2308 /* add subjectKeyIdentifier to CA and OCSP signer certificates */
2309 if (cert->flags & (X509_CA | X509_OCSP_SIGNER | X509_CRL_SIGN))
2310 {
2311 chunk_t keyid;
2312
2313 if (cert->public_key->get_fingerprint(cert->public_key,
2314 KEYID_PUBKEY_SHA1, &keyid))
2315 {
2316 subjectKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
2317 asn1_build_known_oid(OID_SUBJECT_KEY_ID),
2318 asn1_wrap(ASN1_OCTET_STRING, "m",
2319 asn1_wrap(ASN1_OCTET_STRING, "c", keyid)));
2320 }
2321 }
2322
2323 /* add the keyid authKeyIdentifier for non self-signed certificates */
2324 if (sign_cert)
2325 {
2326 chunk_t keyid;
2327
2328 if (sign_key->get_fingerprint(sign_key, KEYID_PUBKEY_SHA1, &keyid))
2329 {
2330 authKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
2331 asn1_build_known_oid(OID_AUTHORITY_KEY_ID),
2332 asn1_wrap(ASN1_OCTET_STRING, "m",
2333 asn1_wrap(ASN1_SEQUENCE, "m",
2334 asn1_wrap(ASN1_CONTEXT_S_0, "c", keyid))));
2335 }
2336 }
2337
2338 if (cert->ipAddrBlocks->get_count(cert->ipAddrBlocks))
2339 {
2340 chunk_t v4blocks = chunk_empty, v6blocks = chunk_empty, block;
2341 traffic_selector_t *ts;
2342
2343 enumerator = cert->ipAddrBlocks->create_enumerator(cert->ipAddrBlocks);
2344 while (enumerator->enumerate(enumerator, &ts))
2345 {
2346 switch (ts->get_type(ts))
2347 {
2348 case TS_IPV4_ADDR_RANGE:
2349 block = generate_ts(ts);
2350 v4blocks = chunk_cat("mm", v4blocks, block);
2351 break;
2352 case TS_IPV6_ADDR_RANGE:
2353 block = generate_ts(ts);
2354 v6blocks = chunk_cat("mm", v6blocks, block);
2355 break;
2356 default:
2357 break;
2358 }
2359 }
2360 enumerator->destroy(enumerator);
2361
2362 if (v4blocks.ptr)
2363 {
2364 v4blocks = asn1_wrap(ASN1_SEQUENCE, "mm",
2365 asn1_wrap(ASN1_OCTET_STRING, "c",
2366 chunk_from_chars(0x00,0x01)),
2367 asn1_wrap(ASN1_SEQUENCE, "m", v4blocks));
2368 }
2369 if (v6blocks.ptr)
2370 {
2371 v6blocks = asn1_wrap(ASN1_SEQUENCE, "mm",
2372 asn1_wrap(ASN1_OCTET_STRING, "c",
2373 chunk_from_chars(0x00,0x02)),
2374 asn1_wrap(ASN1_SEQUENCE, "m", v6blocks));
2375 }
2376 ipAddrBlocks = asn1_wrap(ASN1_SEQUENCE, "mm",
2377 asn1_build_known_oid(OID_IP_ADDR_BLOCKS),
2378 asn1_wrap(ASN1_OCTET_STRING, "m",
2379 asn1_wrap(ASN1_SEQUENCE, "mm",
2380 v4blocks, v6blocks)));
2381 cert->flags |= X509_IP_ADDR_BLOCKS;
2382 }
2383
2384 if (cert->permitted_names->get_count(cert->permitted_names) ||
2385 cert->excluded_names->get_count(cert->excluded_names))
2386 {
2387 chunk_t permitted = chunk_empty, excluded = chunk_empty, subtree;
2388 identification_t *id;
2389
2390 enumerator = create_name_constraint_enumerator(cert, TRUE);
2391 while (enumerator->enumerate(enumerator, &id))
2392 {
2393 subtree = asn1_wrap(ASN1_SEQUENCE, "m", build_generalName(id));
2394 permitted = chunk_cat("mm", permitted, subtree);
2395 }
2396 enumerator->destroy(enumerator);
2397 if (permitted.ptr)
2398 {
2399 permitted = asn1_wrap(ASN1_CONTEXT_C_0, "m", permitted);
2400 }
2401
2402 enumerator = create_name_constraint_enumerator(cert, FALSE);
2403 while (enumerator->enumerate(enumerator, &id))
2404 {
2405 subtree = asn1_wrap(ASN1_SEQUENCE, "m", build_generalName(id));
2406 excluded = chunk_cat("mm", excluded, subtree);
2407 }
2408 enumerator->destroy(enumerator);
2409 if (excluded.ptr)
2410 {
2411 excluded = asn1_wrap(ASN1_CONTEXT_C_1, "m", excluded);
2412 }
2413
2414 nameConstraints = asn1_wrap(ASN1_SEQUENCE, "mm",
2415 asn1_build_known_oid(OID_NAME_CONSTRAINTS),
2416 asn1_wrap(ASN1_OCTET_STRING, "m",
2417 asn1_wrap(ASN1_SEQUENCE, "mm",
2418 permitted, excluded)));
2419 }
2420
2421 if (cert->cert_policies->get_count(cert->cert_policies))
2422 {
2423 x509_cert_policy_t *policy;
2424
2425 enumerator = create_cert_policy_enumerator(cert);
2426 while (enumerator->enumerate(enumerator, &policy))
2427 {
2428 chunk_t chunk = chunk_empty, cps = chunk_empty, notice = chunk_empty;
2429
2430 if (policy->cps_uri)
2431 {
2432 cps = asn1_wrap(ASN1_SEQUENCE, "mm",
2433 asn1_build_known_oid(OID_POLICY_QUALIFIER_CPS),
2434 asn1_wrap(ASN1_IA5STRING, "c",
2435 chunk_create(policy->cps_uri,
2436 strlen(policy->cps_uri))));
2437 }
2438 if (policy->unotice_text)
2439 {
2440 notice = asn1_wrap(ASN1_SEQUENCE, "mm",
2441 asn1_build_known_oid(OID_POLICY_QUALIFIER_UNOTICE),
2442 asn1_wrap(ASN1_SEQUENCE, "m",
2443 asn1_wrap(ASN1_VISIBLESTRING, "c",
2444 chunk_create(policy->unotice_text,
2445 strlen(policy->unotice_text)))));
2446 }
2447 if (cps.len || notice.len)
2448 {
2449 chunk = asn1_wrap(ASN1_SEQUENCE, "mm", cps, notice);
2450 }
2451 chunk = asn1_wrap(ASN1_SEQUENCE, "mm",
2452 asn1_wrap(ASN1_OID, "c", policy->oid), chunk);
2453 certPolicies = chunk_cat("mm", certPolicies, chunk);
2454 }
2455 enumerator->destroy(enumerator);
2456
2457 certPolicies = asn1_wrap(ASN1_SEQUENCE, "mm",
2458 asn1_build_known_oid(OID_CERTIFICATE_POLICIES),
2459 asn1_wrap(ASN1_OCTET_STRING, "m",
2460 asn1_wrap(ASN1_SEQUENCE, "m", certPolicies)));
2461 }
2462
2463 if (cert->policy_mappings->get_count(cert->policy_mappings))
2464 {
2465 x509_policy_mapping_t *mapping;
2466
2467 enumerator = create_policy_mapping_enumerator(cert);
2468 while (enumerator->enumerate(enumerator, &mapping))
2469 {
2470 chunk_t chunk;
2471
2472 chunk = asn1_wrap(ASN1_SEQUENCE, "mm",
2473 asn1_wrap(ASN1_OID, "c", mapping->issuer),
2474 asn1_wrap(ASN1_OID, "c", mapping->subject));
2475 policyMappings = chunk_cat("mm", policyMappings, chunk);
2476 }
2477 enumerator->destroy(enumerator);
2478
2479 policyMappings = asn1_wrap(ASN1_SEQUENCE, "mm",
2480 asn1_build_known_oid(OID_POLICY_MAPPINGS),
2481 asn1_wrap(ASN1_OCTET_STRING, "m",
2482 asn1_wrap(ASN1_SEQUENCE, "m", policyMappings)));
2483 }
2484
2485 if (cert->inhibit_mapping != X509_NO_CONSTRAINT ||
2486 cert->require_explicit != X509_NO_CONSTRAINT)
2487 {
2488 chunk_t inhibit = chunk_empty, explicit = chunk_empty;
2489
2490 if (cert->require_explicit != X509_NO_CONSTRAINT)
2491 {
2492 explicit = asn1_wrap(ASN1_CONTEXT_C_0, "m",
2493 asn1_integer("c",
2494 chunk_from_thing(cert->require_explicit)));
2495 }
2496 if (cert->inhibit_mapping != X509_NO_CONSTRAINT)
2497 {
2498 inhibit = asn1_wrap(ASN1_CONTEXT_C_1, "m",
2499 asn1_integer("c",
2500 chunk_from_thing(cert->inhibit_mapping)));
2501 }
2502 policyConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
2503 asn1_build_known_oid(OID_POLICY_CONSTRAINTS),
2504 asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
2505 asn1_wrap(ASN1_OCTET_STRING, "m",
2506 asn1_wrap(ASN1_SEQUENCE, "mm",
2507 explicit, inhibit)));
2508 }
2509
2510 if (cert->inhibit_any != X509_NO_CONSTRAINT)
2511 {
2512 inhibitAnyPolicy = asn1_wrap(ASN1_SEQUENCE, "mmm",
2513 asn1_build_known_oid(OID_INHIBIT_ANY_POLICY),
2514 asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
2515 asn1_wrap(ASN1_OCTET_STRING, "m",
2516 asn1_integer("c",
2517 chunk_from_thing(cert->inhibit_any))));
2518 }
2519
2520 if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
2521 crlDistributionPoints.ptr || nameConstraints.ptr || ipAddrBlocks.ptr)
2522 {
2523 extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
2524 asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmmmm",
2525 basicConstraints, keyUsage, subjectKeyIdentifier,
2526 authKeyIdentifier, subjectAltNames,
2527 extendedKeyUsage, crlDistributionPoints,
2528 authorityInfoAccess, nameConstraints, certPolicies,
2529 policyMappings, policyConstraints, inhibitAnyPolicy,
2530 ipAddrBlocks));
2531 }
2532
2533 cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
2534 asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
2535 asn1_integer("c", cert->serialNumber),
2536 asn1_algorithmIdentifier(cert->algorithm),
2537 issuer->get_encoding(issuer),
2538 asn1_wrap(ASN1_SEQUENCE, "mm",
2539 asn1_from_time(&cert->notBefore, ASN1_UTCTIME),
2540 asn1_from_time(&cert->notAfter, ASN1_UTCTIME)),
2541 subject->get_encoding(subject),
2542 key_info, extensions);
2543
2544 if (!sign_key->sign(sign_key, scheme, cert->tbsCertificate, &cert->signature))
2545 {
2546 return FALSE;
2547 }
2548 cert->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm", cert->tbsCertificate,
2549 asn1_algorithmIdentifier(cert->algorithm),
2550 asn1_bitstring("c", cert->signature));
2551
2552 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
2553 if (!hasher ||
2554 !hasher->allocate_hash(hasher, cert->encoding, &cert->encoding_hash))
2555 {
2556 DESTROY_IF(hasher);
2557 return FALSE;
2558 }
2559 hasher->destroy(hasher);
2560 return TRUE;
2561 }
2562
2563 /**
2564 * See header.
2565 */
2566 x509_cert_t *x509_cert_load(certificate_type_t type, va_list args)
2567 {
2568 x509_flag_t flags = 0;
2569 chunk_t blob = chunk_empty;
2570
2571 while (TRUE)
2572 {
2573 switch (va_arg(args, builder_part_t))
2574 {
2575 case BUILD_BLOB_ASN1_DER:
2576 blob = va_arg(args, chunk_t);
2577 continue;
2578 case BUILD_X509_FLAG:
2579 flags |= va_arg(args, x509_flag_t);
2580 continue;
2581 case BUILD_END:
2582 break;
2583 default:
2584 return NULL;
2585 }
2586 break;
2587 }
2588
2589 if (blob.ptr)
2590 {
2591 private_x509_cert_t *cert = create_empty();
2592
2593 cert->encoding = chunk_clone(blob);
2594 cert->parsed = TRUE;
2595 if (parse_certificate(cert))
2596 {
2597 cert->flags |= flags;
2598 return &cert->public;
2599 }
2600 destroy(cert);
2601 }
2602 return NULL;
2603 }
2604
2605 /**
2606 * See header.
2607 */
2608 x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
2609 {
2610 private_x509_cert_t *cert;
2611 certificate_t *sign_cert = NULL;
2612 private_key_t *sign_key = NULL;
2613 hash_algorithm_t digest_alg = HASH_SHA1;
2614 u_int constraint;
2615
2616 cert = create_empty();
2617 while (TRUE)
2618 {
2619 switch (va_arg(args, builder_part_t))
2620 {
2621 case BUILD_X509_FLAG:
2622 cert->flags |= va_arg(args, x509_flag_t);
2623 continue;
2624 case BUILD_SIGNING_KEY:
2625 sign_key = va_arg(args, private_key_t*);
2626 continue;
2627 case BUILD_SIGNING_CERT:
2628 sign_cert = va_arg(args, certificate_t*);
2629 continue;
2630 case BUILD_PUBLIC_KEY:
2631 cert->public_key = va_arg(args, public_key_t*);
2632 cert->public_key->get_ref(cert->public_key);
2633 continue;
2634 case BUILD_SUBJECT:
2635 cert->subject = va_arg(args, identification_t*);
2636 cert->subject = cert->subject->clone(cert->subject);
2637 continue;
2638 case BUILD_SUBJECT_ALTNAMES:
2639 {
2640 enumerator_t *enumerator;
2641 identification_t *id;
2642 linked_list_t *list;
2643
2644 list = va_arg(args, linked_list_t*);
2645 enumerator = list->create_enumerator(list);
2646 while (enumerator->enumerate(enumerator, &id))
2647 {
2648 cert->subjectAltNames->insert_last(cert->subjectAltNames,
2649 id->clone(id));
2650 }
2651 enumerator->destroy(enumerator);
2652 continue;
2653 }
2654 case BUILD_CRL_DISTRIBUTION_POINTS:
2655 {
2656 enumerator_t *enumerator;
2657 linked_list_t *list;
2658 x509_cdp_t *in, *cdp;
2659
2660 list = va_arg(args, linked_list_t*);
2661 enumerator = list->create_enumerator(list);
2662 while (enumerator->enumerate(enumerator, &in))
2663 {
2664 INIT(cdp,
2665 .uri = strdup(in->uri),
2666 .issuer = in->issuer ? in->issuer->clone(in->issuer) : NULL,
2667 );
2668 cert->crl_uris->insert_last(cert->crl_uris, cdp);
2669 }
2670 enumerator->destroy(enumerator);
2671 continue;
2672 }
2673 case BUILD_OCSP_ACCESS_LOCATIONS:
2674 {
2675 enumerator_t *enumerator;
2676 linked_list_t *list;
2677 char *uri;
2678
2679 list = va_arg(args, linked_list_t*);
2680 enumerator = list->create_enumerator(list);
2681 while (enumerator->enumerate(enumerator, &uri))
2682 {
2683 cert->ocsp_uris->insert_last(cert->ocsp_uris, strdup(uri));
2684 }
2685 enumerator->destroy(enumerator);
2686 continue;
2687 }
2688 case BUILD_PATHLEN:
2689 constraint = va_arg(args, u_int);
2690 cert->pathLenConstraint = (constraint < 128) ?
2691 constraint : X509_NO_CONSTRAINT;
2692 continue;
2693 case BUILD_ADDRBLOCKS:
2694 {
2695 enumerator_t *enumerator;
2696 traffic_selector_t *ts;
2697 linked_list_t *list;
2698
2699 list = va_arg(args, linked_list_t*);
2700 enumerator = list->create_enumerator(list);
2701 while (enumerator->enumerate(enumerator, &ts))
2702 {
2703 cert->ipAddrBlocks->insert_last(cert->ipAddrBlocks,
2704 ts->clone(ts));
2705 }
2706 enumerator->destroy(enumerator);
2707 continue;
2708 }
2709 case BUILD_PERMITTED_NAME_CONSTRAINTS:
2710 {
2711 enumerator_t *enumerator;
2712 linked_list_t *list;
2713 identification_t *constraint;
2714
2715 list = va_arg(args, linked_list_t*);
2716 enumerator = list->create_enumerator(list);
2717 while (enumerator->enumerate(enumerator, &constraint))
2718 {
2719 cert->permitted_names->insert_last(cert->permitted_names,
2720 constraint->clone(constraint));
2721 }
2722 enumerator->destroy(enumerator);
2723 continue;
2724 }
2725 case BUILD_EXCLUDED_NAME_CONSTRAINTS:
2726 {
2727 enumerator_t *enumerator;
2728 linked_list_t *list;
2729 identification_t *constraint;
2730
2731 list = va_arg(args, linked_list_t*);
2732 enumerator = list->create_enumerator(list);
2733 while (enumerator->enumerate(enumerator, &constraint))
2734 {
2735 cert->excluded_names->insert_last(cert->excluded_names,
2736 constraint->clone(constraint));
2737 }
2738 enumerator->destroy(enumerator);
2739 continue;
2740 }
2741 case BUILD_CERTIFICATE_POLICIES:
2742 {
2743 enumerator_t *enumerator;
2744 linked_list_t *list;
2745 x509_cert_policy_t *policy, *in;
2746
2747 list = va_arg(args, linked_list_t*);
2748 enumerator = list->create_enumerator(list);
2749 while (enumerator->enumerate(enumerator, &in))
2750 {
2751 INIT(policy,
2752 .oid = chunk_clone(in->oid),
2753 .cps_uri = strdupnull(in->cps_uri),
2754 .unotice_text = strdupnull(in->unotice_text),
2755 );
2756 cert->cert_policies->insert_last(cert->cert_policies, policy);
2757 }
2758 enumerator->destroy(enumerator);
2759 continue;
2760 }
2761 case BUILD_POLICY_MAPPINGS:
2762 {
2763 enumerator_t *enumerator;
2764 linked_list_t *list;
2765 x509_policy_mapping_t* mapping, *in;
2766
2767 list = va_arg(args, linked_list_t*);
2768 enumerator = list->create_enumerator(list);
2769 while (enumerator->enumerate(enumerator, &in))
2770 {
2771 INIT(mapping,
2772 .issuer = chunk_clone(in->issuer),
2773 .subject = chunk_clone(in->subject),
2774 );
2775 cert->policy_mappings->insert_last(cert->policy_mappings,
2776 mapping);
2777 }
2778 enumerator->destroy(enumerator);
2779 continue;
2780 }
2781 case BUILD_POLICY_REQUIRE_EXPLICIT:
2782 constraint = va_arg(args, u_int);
2783 cert->require_explicit = (constraint < 128) ?
2784 constraint : X509_NO_CONSTRAINT;
2785 continue;
2786 case BUILD_POLICY_INHIBIT_MAPPING:
2787 constraint = va_arg(args, u_int);
2788 cert->inhibit_mapping = (constraint < 128) ?
2789 constraint : X509_NO_CONSTRAINT;
2790 continue;
2791 case BUILD_POLICY_INHIBIT_ANY:
2792 constraint = va_arg(args, u_int);
2793 cert->inhibit_any = (constraint < 128) ?
2794 constraint : X509_NO_CONSTRAINT;
2795 continue;
2796 case BUILD_NOT_BEFORE_TIME:
2797 cert->notBefore = va_arg(args, time_t);
2798 continue;
2799 case BUILD_NOT_AFTER_TIME:
2800 cert->notAfter = va_arg(args, time_t);
2801 continue;
2802 case BUILD_SERIAL:
2803 cert->serialNumber = chunk_clone(va_arg(args, chunk_t));
2804 continue;
2805 case BUILD_DIGEST_ALG:
2806 digest_alg = va_arg(args, int);
2807 continue;
2808 case BUILD_END:
2809 break;
2810 default:
2811 destroy(cert);
2812 return NULL;
2813 }
2814 break;
2815 }
2816
2817 if (sign_key && generate(cert, sign_cert, sign_key, digest_alg))
2818 {
2819 return &cert->public;
2820 }
2821 destroy(cert);
2822 return NULL;
2823 }