x509: Do not mark generated addrblock extension as critical
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_cert.c
1 /*
2 * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
3 * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
4 * Copyright (C) 2002 Mario Strasser
5 * Copyright (C) 2000-2006 Andreas Steffen
6 * Copyright (C) 2006-2009 Martin Willi
7 * Copyright (C) 2008 Tobias Brunner
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #define _GNU_SOURCE
22
23 #include <sys/stat.h>
24 #include <time.h>
25 #include <unistd.h>
26 #include <string.h>
27 #include <stdio.h>
28
29 #include "x509_cert.h"
30
31 #include <library.h>
32 #include <utils/debug.h>
33 #include <asn1/oid.h>
34 #include <asn1/asn1.h>
35 #include <asn1/asn1_parser.h>
36 #include <crypto/hashers/hasher.h>
37 #include <credentials/keys/private_key.h>
38 #include <collections/linked_list.h>
39 #include <utils/identification.h>
40 #include <selectors/traffic_selector.h>
41
42 /**
43 * Different kinds of generalNames
44 */
45 typedef enum {
46 GN_OTHER_NAME = 0,
47 GN_RFC822_NAME = 1,
48 GN_DNS_NAME = 2,
49 GN_X400_ADDRESS = 3,
50 GN_DIRECTORY_NAME = 4,
51 GN_EDI_PARTY_NAME = 5,
52 GN_URI = 6,
53 GN_IP_ADDRESS = 7,
54 GN_REGISTERED_ID = 8,
55 } generalNames_t;
56
57
58 typedef struct private_x509_cert_t private_x509_cert_t;
59
60 /**
61 * Private data of a x509_cert_t object.
62 */
63 struct private_x509_cert_t {
64 /**
65 * Public interface for this certificate.
66 */
67 x509_cert_t public;
68
69 /**
70 * X.509 certificate encoding in ASN.1 DER format
71 */
72 chunk_t encoding;
73
74 /**
75 * SHA1 hash of the DER encoding of this X.509 certificate
76 */
77 chunk_t encoding_hash;
78
79 /**
80 * X.509 certificate body over which signature is computed
81 */
82 chunk_t tbsCertificate;
83
84 /**
85 * Version of the X.509 certificate
86 */
87 u_int version;
88
89 /**
90 * Serial number of the X.509 certificate
91 */
92 chunk_t serialNumber;
93
94 /**
95 * ID representing the certificate issuer
96 */
97 identification_t *issuer;
98
99 /**
100 * Start time of certificate validity
101 */
102 time_t notBefore;
103
104 /**
105 * End time of certificate validity
106 */
107 time_t notAfter;
108
109 /**
110 * ID representing the certificate subject
111 */
112 identification_t *subject;
113
114 /**
115 * List of subjectAltNames as identification_t
116 */
117 linked_list_t *subjectAltNames;
118
119 /**
120 * List of crlDistributionPoints as x509_cdp_t*
121 */
122 linked_list_t *crl_uris;
123
124 /**
125 * List of ocspAccessLocations as allocated char*
126 */
127 linked_list_t *ocsp_uris;
128
129 /**
130 * List of ipAddrBlocks as traffic_selector_t
131 */
132 linked_list_t *ipAddrBlocks;
133
134 /**
135 * List of permitted name constraints
136 */
137 linked_list_t *permitted_names;
138
139 /**
140 * List of exluced name constraints
141 */
142 linked_list_t *excluded_names;
143
144 /**
145 * List of certificatePolicies, as x509_cert_policy_t
146 */
147 linked_list_t *cert_policies;
148
149 /**
150 * List of policyMappings, as x509_policy_mapping_t
151 */
152 linked_list_t *policy_mappings;
153
154 /**
155 * certificate's embedded public key
156 */
157 public_key_t *public_key;
158
159 /**
160 * Subject Key Identifier
161 */
162 chunk_t subjectKeyIdentifier;
163
164 /**
165 * Authority Key Identifier
166 */
167 chunk_t authKeyIdentifier;
168
169 /**
170 * Authority Key Serial Number
171 */
172 chunk_t authKeySerialNumber;
173
174 /**
175 * Path Length Constraint
176 */
177 u_char pathLenConstraint;
178
179 /**
180 * requireExplicitPolicy Constraint
181 */
182 u_char require_explicit;
183
184 /**
185 * inhibitPolicyMapping Constraint
186 */
187 u_char inhibit_mapping;
188
189 /**
190 * inhibitAnyPolicy Constraint
191 */
192 u_char inhibit_any;
193
194 /**
195 * x509 constraints and other flags
196 */
197 x509_flag_t flags;
198
199 /**
200 * Signature algorithm
201 */
202 int algorithm;
203
204 /**
205 * Signature
206 */
207 chunk_t signature;
208
209 /**
210 * Certificate parsed from blob/file?
211 */
212 bool parsed;
213
214 /**
215 * reference count
216 */
217 refcount_t ref;
218 };
219
220 /**
221 * Destroy a CertificateDistributionPoint
222 */
223 static void crl_uri_destroy(x509_cdp_t *this)
224 {
225 free(this->uri);
226 DESTROY_IF(this->issuer);
227 free(this);
228 }
229
230 /**
231 * Destroy a CertificatePolicy
232 */
233 static void cert_policy_destroy(x509_cert_policy_t *this)
234 {
235 free(this->oid.ptr);
236 free(this->cps_uri);
237 free(this->unotice_text);
238 free(this);
239 }
240
241 /**
242 * Free policy mapping
243 */
244 static void policy_mapping_destroy(x509_policy_mapping_t *mapping)
245 {
246 free(mapping->issuer.ptr);
247 free(mapping->subject.ptr);
248 free(mapping);
249 }
250
251 /**
252 * Parse a length constraint from an unwrapped integer
253 */
254 static u_int parse_constraint(chunk_t object)
255 {
256 switch (object.len)
257 {
258 case 0:
259 return 0;
260 case 1:
261 return (object.ptr[0] & 0x80) ? X509_NO_CONSTRAINT : object.ptr[0];
262 default:
263 return X509_NO_CONSTRAINT;
264 }
265 }
266
267 /**
268 * ASN.1 definition of a basicConstraints extension
269 */
270 static const asn1Object_t basicConstraintsObjects[] = {
271 { 0, "basicConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
272 { 1, "CA", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 1 */
273 { 1, "pathLenConstraint", ASN1_INTEGER, ASN1_OPT|ASN1_BODY }, /* 2 */
274 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
275 { 0, "exit", ASN1_EOC, ASN1_EXIT }
276 };
277 #define BASIC_CONSTRAINTS_CA 1
278 #define BASIC_CONSTRAINTS_PATH_LEN 2
279
280 /**
281 * Extracts the basicConstraints extension
282 */
283 static void parse_basicConstraints(chunk_t blob, int level0,
284 private_x509_cert_t *this)
285 {
286 asn1_parser_t *parser;
287 chunk_t object;
288 int objectID;
289 bool isCA = FALSE;
290
291 parser = asn1_parser_create(basicConstraintsObjects, blob);
292 parser->set_top_level(parser, level0);
293
294 while (parser->iterate(parser, &objectID, &object))
295 {
296 switch (objectID)
297 {
298 case BASIC_CONSTRAINTS_CA:
299 isCA = object.len && *object.ptr;
300 DBG2(DBG_ASN, " %s", isCA ? "TRUE" : "FALSE");
301 if (isCA)
302 {
303 this->flags |= X509_CA;
304 }
305 break;
306 case BASIC_CONSTRAINTS_PATH_LEN:
307 if (isCA)
308 {
309 this->pathLenConstraint = parse_constraint(object);
310 }
311 break;
312 default:
313 break;
314 }
315 }
316 parser->destroy(parser);
317 }
318
319 /**
320 * ASN.1 definition of otherName
321 */
322 static const asn1Object_t otherNameObjects[] = {
323 {0, "type-id", ASN1_OID, ASN1_BODY }, /* 0 */
324 {0, "value", ASN1_CONTEXT_C_0, ASN1_BODY }, /* 1 */
325 {0, "exit", ASN1_EOC, ASN1_EXIT }
326 };
327 #define ON_OBJ_ID_TYPE 0
328 #define ON_OBJ_VALUE 1
329
330 /**
331 * Extracts an otherName
332 */
333 static bool parse_otherName(chunk_t *blob, int level0, id_type_t *type)
334 {
335 asn1_parser_t *parser;
336 chunk_t object;
337 int objectID;
338 int oid = OID_UNKNOWN;
339 bool success = FALSE;
340
341 parser = asn1_parser_create(otherNameObjects, *blob);
342 parser->set_top_level(parser, level0);
343
344 while (parser->iterate(parser, &objectID, &object))
345 {
346 switch (objectID)
347 {
348 case ON_OBJ_ID_TYPE:
349 oid = asn1_known_oid(object);
350 break;
351 case ON_OBJ_VALUE:
352 switch (oid)
353 {
354 case OID_XMPP_ADDR:
355 if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
356 parser->get_level(parser)+1, "xmppAddr"))
357 {
358 goto end;
359 }
360 break;
361 case OID_USER_PRINCIPAL_NAME:
362 if (asn1_parse_simple_object(&object, ASN1_UTF8STRING,
363 parser->get_level(parser)+1, "msUPN"))
364 { /* we handle UPNs as RFC822 addr */
365 *blob = object;
366 *type = ID_RFC822_ADDR;
367 }
368 else
369 {
370 goto end;
371 }
372 break;
373 }
374 break;
375 default:
376 break;
377 }
378 }
379 success = parser->success(parser);
380
381 end:
382 parser->destroy(parser);
383 return success;
384 }
385
386 /**
387 * ASN.1 definition of generalName
388 */
389 static const asn1Object_t generalNameObjects[] = {
390 { 0, "otherName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_BODY }, /* 0 */
391 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 1 */
392 { 0, "rfc822Name", ASN1_CONTEXT_S_1, ASN1_OPT|ASN1_BODY }, /* 2 */
393 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 3 */
394 { 0, "dnsName", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 4 */
395 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
396 { 0, "x400Address", ASN1_CONTEXT_S_3, ASN1_OPT|ASN1_BODY }, /* 6 */
397 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
398 { 0, "directoryName", ASN1_CONTEXT_C_4, ASN1_OPT|ASN1_BODY }, /* 8 */
399 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
400 { 0, "ediPartyName", ASN1_CONTEXT_C_5, ASN1_OPT|ASN1_BODY }, /* 10 */
401 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
402 { 0, "URI", ASN1_CONTEXT_S_6, ASN1_OPT|ASN1_BODY }, /* 12 */
403 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 13 */
404 { 0, "ipAddress", ASN1_CONTEXT_S_7, ASN1_OPT|ASN1_BODY }, /* 14 */
405 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 15 */
406 { 0, "registeredID", ASN1_CONTEXT_S_8, ASN1_OPT|ASN1_BODY }, /* 16 */
407 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 17 */
408 { 0, "exit", ASN1_EOC, ASN1_EXIT }
409 };
410 #define GN_OBJ_OTHER_NAME 0
411 #define GN_OBJ_RFC822_NAME 2
412 #define GN_OBJ_DNS_NAME 4
413 #define GN_OBJ_X400_ADDRESS 6
414 #define GN_OBJ_DIRECTORY_NAME 8
415 #define GN_OBJ_EDI_PARTY_NAME 10
416 #define GN_OBJ_URI 12
417 #define GN_OBJ_IP_ADDRESS 14
418 #define GN_OBJ_REGISTERED_ID 16
419
420 /**
421 * Extracts a generalName
422 */
423 static identification_t *parse_generalName(chunk_t blob, int level0)
424 {
425 asn1_parser_t *parser;
426 chunk_t object;
427 int objectID ;
428
429 identification_t *gn = NULL;
430
431 parser = asn1_parser_create(generalNameObjects, blob);
432 parser->set_top_level(parser, level0);
433
434 while (parser->iterate(parser, &objectID, &object))
435 {
436 id_type_t id_type = ID_ANY;
437
438 switch (objectID)
439 {
440 case GN_OBJ_RFC822_NAME:
441 id_type = ID_RFC822_ADDR;
442 break;
443 case GN_OBJ_DNS_NAME:
444 id_type = ID_FQDN;
445 break;
446 case GN_OBJ_URI:
447 id_type = ID_DER_ASN1_GN_URI;
448 break;
449 case GN_OBJ_DIRECTORY_NAME:
450 id_type = ID_DER_ASN1_DN;
451 break;
452 case GN_OBJ_IP_ADDRESS:
453 switch (object.len)
454 {
455 case 4:
456 id_type = ID_IPV4_ADDR;
457 break;
458 case 16:
459 id_type = ID_IPV6_ADDR;
460 break;
461 default:
462 break;
463 }
464 break;
465 case GN_OBJ_OTHER_NAME:
466 if (!parse_otherName(&object, parser->get_level(parser)+1,
467 &id_type))
468 {
469 goto end;
470 }
471 break;
472 case GN_OBJ_X400_ADDRESS:
473 case GN_OBJ_EDI_PARTY_NAME:
474 case GN_OBJ_REGISTERED_ID:
475 default:
476 break;
477 }
478 if (id_type != ID_ANY)
479 {
480 gn = identification_create_from_encoding(id_type, object);
481 DBG2(DBG_ASN, " '%Y'", gn);
482 goto end;
483 }
484 }
485
486 end:
487 parser->destroy(parser);
488 return gn;
489 }
490
491 /**
492 * ASN.1 definition of generalNames
493 */
494 static const asn1Object_t generalNamesObjects[] = {
495 { 0, "generalNames", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
496 { 1, "generalName", ASN1_EOC, ASN1_RAW }, /* 1 */
497 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
498 { 0, "exit", ASN1_EOC, ASN1_EXIT }
499 };
500 #define GENERAL_NAMES_GN 1
501
502 /**
503 * Extracts one or several GNs and puts them into a chained list
504 */
505 void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list)
506 {
507 asn1_parser_t *parser;
508 chunk_t object;
509 int objectID;
510
511 parser = asn1_parser_create(generalNamesObjects, blob);
512 parser->set_top_level(parser, level0);
513 parser->set_flags(parser, implicit, FALSE);
514
515 while (parser->iterate(parser, &objectID, &object))
516 {
517 if (objectID == GENERAL_NAMES_GN)
518 {
519 identification_t *gn = parse_generalName(object,
520 parser->get_level(parser)+1);
521
522 if (gn)
523 {
524 list->insert_last(list, (void *)gn);
525 }
526 }
527 }
528 parser->destroy(parser);
529 }
530
531 /**
532 * ASN.1 definition of a authorityKeyIdentifier extension
533 */
534 static const asn1Object_t authKeyIdentifierObjects[] = {
535 { 0, "authorityKeyIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
536 { 1, "keyIdentifier", ASN1_CONTEXT_S_0, ASN1_OPT|ASN1_BODY }, /* 1 */
537 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
538 { 1, "authorityCertIssuer", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_OBJ }, /* 3 */
539 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 4 */
540 { 1, "authorityCertSerialNumber", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 5 */
541 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
542 { 0, "exit", ASN1_EOC, ASN1_EXIT }
543 };
544 #define AUTH_KEY_ID_KEY_ID 1
545 #define AUTH_KEY_ID_CERT_ISSUER 3
546 #define AUTH_KEY_ID_CERT_SERIAL 5
547
548 /**
549 * Extracts an authoritykeyIdentifier
550 */
551 chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
552 chunk_t *authKeySerialNumber)
553 {
554 asn1_parser_t *parser;
555 chunk_t object;
556 int objectID;
557 chunk_t authKeyIdentifier = chunk_empty;
558
559 *authKeySerialNumber = chunk_empty;
560
561 parser = asn1_parser_create(authKeyIdentifierObjects, blob);
562 parser->set_top_level(parser, level0);
563
564 while (parser->iterate(parser, &objectID, &object))
565 {
566 switch (objectID)
567 {
568 case AUTH_KEY_ID_KEY_ID:
569 authKeyIdentifier = chunk_clone(object);
570 break;
571 case AUTH_KEY_ID_CERT_ISSUER:
572 /* TODO: x509_parse_generalNames(object, level+1, TRUE); */
573 break;
574 case AUTH_KEY_ID_CERT_SERIAL:
575 *authKeySerialNumber = object;
576 break;
577 default:
578 break;
579 }
580 }
581 parser->destroy(parser);
582 return authKeyIdentifier;
583 }
584
585 /**
586 * ASN.1 definition of a authorityInfoAccess extension
587 */
588 static const asn1Object_t authInfoAccessObjects[] = {
589 { 0, "authorityInfoAccess", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
590 { 1, "accessDescription", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
591 { 2, "accessMethod", ASN1_OID, ASN1_BODY }, /* 2 */
592 { 2, "accessLocation", ASN1_EOC, ASN1_RAW }, /* 3 */
593 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
594 { 0, "exit", ASN1_EOC, ASN1_EXIT }
595 };
596 #define AUTH_INFO_ACCESS_METHOD 2
597 #define AUTH_INFO_ACCESS_LOCATION 3
598
599 /**
600 * Extracts an authorityInfoAcess location
601 */
602 static void parse_authorityInfoAccess(chunk_t blob, int level0,
603 private_x509_cert_t *this)
604 {
605 asn1_parser_t *parser;
606 chunk_t object;
607 int objectID;
608 int accessMethod = OID_UNKNOWN;
609
610 parser = asn1_parser_create(authInfoAccessObjects, blob);
611 parser->set_top_level(parser, level0);
612
613 while (parser->iterate(parser, &objectID, &object))
614 {
615 switch (objectID)
616 {
617 case AUTH_INFO_ACCESS_METHOD:
618 accessMethod = asn1_known_oid(object);
619 break;
620 case AUTH_INFO_ACCESS_LOCATION:
621 {
622 switch (accessMethod)
623 {
624 case OID_OCSP:
625 case OID_CA_ISSUERS:
626 {
627 identification_t *id;
628 char *uri;
629
630 id = parse_generalName(object,
631 parser->get_level(parser)+1);
632 if (id == NULL)
633 {
634 /* parsing went wrong - abort */
635 goto end;
636 }
637 DBG2(DBG_ASN, " '%Y'", id);
638 if (accessMethod == OID_OCSP &&
639 asprintf(&uri, "%Y", id) > 0)
640 {
641 this->ocsp_uris->insert_last(this->ocsp_uris, uri);
642 }
643 id->destroy(id);
644 }
645 break;
646 default:
647 /* unknown accessMethod, ignoring */
648 break;
649 }
650 break;
651 }
652 default:
653 break;
654 }
655 }
656
657 end:
658 parser->destroy(parser);
659 }
660
661 /**
662 * Extract KeyUsage flags
663 */
664 static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this)
665 {
666 enum {
667 KU_DIGITAL_SIGNATURE = 0,
668 KU_NON_REPUDIATION = 1,
669 KU_KEY_ENCIPHERMENT = 2,
670 KU_DATA_ENCIPHERMENT = 3,
671 KU_KEY_AGREEMENT = 4,
672 KU_KEY_CERT_SIGN = 5,
673 KU_CRL_SIGN = 6,
674 KU_ENCIPHER_ONLY = 7,
675 KU_DECIPHER_ONLY = 8,
676 };
677
678 if (asn1_unwrap(&blob, &blob) == ASN1_BIT_STRING && blob.len)
679 {
680 int bit, byte, unused = blob.ptr[0];
681
682 blob = chunk_skip(blob, 1);
683 for (byte = 0; byte < blob.len; byte++)
684 {
685 for (bit = 0; bit < 8; bit++)
686 {
687 if (byte == blob.len - 1 && bit > (7 - unused))
688 {
689 break;
690 }
691 if (blob.ptr[byte] & 1 << (7 - bit))
692 {
693 switch (byte * 8 + bit)
694 {
695 case KU_CRL_SIGN:
696 this->flags |= X509_CRL_SIGN;
697 break;
698 case KU_KEY_CERT_SIGN:
699 /* we use the caBasicConstraint, MUST be set */
700 case KU_DIGITAL_SIGNATURE:
701 case KU_NON_REPUDIATION:
702 case KU_KEY_ENCIPHERMENT:
703 case KU_DATA_ENCIPHERMENT:
704 case KU_KEY_AGREEMENT:
705 case KU_ENCIPHER_ONLY:
706 case KU_DECIPHER_ONLY:
707 break;
708 }
709 }
710 }
711 }
712 }
713 }
714
715 /**
716 * ASN.1 definition of a extendedKeyUsage extension
717 */
718 static const asn1Object_t extendedKeyUsageObjects[] = {
719 { 0, "extendedKeyUsage", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
720 { 1, "keyPurposeID", ASN1_OID, ASN1_BODY }, /* 1 */
721 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
722 { 0, "exit", ASN1_EOC, ASN1_EXIT }
723 };
724 #define EXT_KEY_USAGE_PURPOSE_ID 1
725
726 /**
727 * Extracts extendedKeyUsage OIDs
728 */
729 static void parse_extendedKeyUsage(chunk_t blob, int level0,
730 private_x509_cert_t *this)
731 {
732 asn1_parser_t *parser;
733 chunk_t object;
734 int objectID;
735
736 parser = asn1_parser_create(extendedKeyUsageObjects, blob);
737 parser->set_top_level(parser, level0);
738
739 while (parser->iterate(parser, &objectID, &object))
740 {
741 if (objectID == EXT_KEY_USAGE_PURPOSE_ID)
742 {
743 switch (asn1_known_oid(object))
744 {
745 case OID_SERVER_AUTH:
746 this->flags |= X509_SERVER_AUTH;
747 break;
748 case OID_CLIENT_AUTH:
749 this->flags |= X509_CLIENT_AUTH;
750 break;
751 case OID_IKE_INTERMEDIATE:
752 this->flags |= X509_IKE_INTERMEDIATE;
753 break;
754 case OID_OCSP_SIGNING:
755 this->flags |= X509_OCSP_SIGNER;
756 break;
757 case OID_MS_SMARTCARD_LOGON:
758 this->flags |= X509_MS_SMARTCARD_LOGON;
759 break;
760 default:
761 break;
762 }
763 }
764 }
765 parser->destroy(parser);
766 }
767
768 /**
769 * ASN.1 definition of crlDistributionPoints
770 */
771 static const asn1Object_t crlDistributionPointsObjects[] = {
772 { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
773 { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
774 { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */
775 { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
776 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
777 { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
778 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
779 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
780 { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
781 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
782 { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */
783 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
784 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
785 { 0, "exit", ASN1_EOC, ASN1_EXIT }
786 };
787 #define CRL_DIST_POINTS 1
788 #define CRL_DIST_POINTS_FULLNAME 3
789 #define CRL_DIST_POINTS_ISSUER 10
790
791 /**
792 * Add entry to the list of each pairing of URI and Issuer
793 */
794 static void add_cdps(linked_list_t *list, linked_list_t *uris,
795 linked_list_t *issuers)
796 {
797 identification_t *issuer, *id;
798 enumerator_t *enumerator;
799 x509_cdp_t *cdp;
800 char *uri;
801
802 while (uris->remove_last(uris, (void**)&id) == SUCCESS)
803 {
804 if (asprintf(&uri, "%Y", id) > 0)
805 {
806 if (issuers->get_count(issuers))
807 {
808 enumerator = issuers->create_enumerator(issuers);
809 while (enumerator->enumerate(enumerator, &issuer))
810 {
811 INIT(cdp,
812 .uri = strdup(uri),
813 .issuer = issuer->clone(issuer),
814 );
815 list->insert_last(list, cdp);
816 }
817 enumerator->destroy(enumerator);
818 free(uri);
819 }
820 else
821 {
822 INIT(cdp,
823 .uri = uri,
824 );
825 list->insert_last(list, cdp);
826 }
827 }
828 id->destroy(id);
829 }
830 while (issuers->remove_last(issuers, (void**)&id) == SUCCESS)
831 {
832 id->destroy(id);
833 }
834 }
835
836 /**
837 * Extracts one or several crlDistributionPoints into a list
838 */
839 void x509_parse_crlDistributionPoints(chunk_t blob, int level0,
840 linked_list_t *list)
841 {
842 linked_list_t *uris, *issuers;
843 asn1_parser_t *parser;
844 chunk_t object;
845 int objectID;
846
847 uris = linked_list_create();
848 issuers = linked_list_create();
849 parser = asn1_parser_create(crlDistributionPointsObjects, blob);
850 parser->set_top_level(parser, level0);
851
852 while (parser->iterate(parser, &objectID, &object))
853 {
854 switch (objectID)
855 {
856 case CRL_DIST_POINTS:
857 add_cdps(list, uris, issuers);
858 break;
859 case CRL_DIST_POINTS_FULLNAME:
860 x509_parse_generalNames(object, parser->get_level(parser) + 1,
861 TRUE, uris);
862 break;
863 case CRL_DIST_POINTS_ISSUER:
864 x509_parse_generalNames(object, parser->get_level(parser) + 1,
865 TRUE, issuers);
866 break;
867 default:
868 break;
869 }
870 }
871 parser->destroy(parser);
872
873 add_cdps(list, uris, issuers);
874
875 uris->destroy(uris);
876 issuers->destroy(issuers);
877 }
878
879 /**
880 * ASN.1 definition of nameConstraints
881 */
882 static const asn1Object_t nameConstraintsObjects[] = {
883 { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
884 { 1, "permittedSubtrees", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 1 */
885 { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 2 */
886 { 1, "end loop", ASN1_EOC, ASN1_END }, /* 3 */
887 { 1, "excludedSubtrees", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_LOOP }, /* 4 */
888 { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */
889 { 1, "end loop", ASN1_EOC, ASN1_END }, /* 6 */
890 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 7 */
891 { 0, "exit", ASN1_EOC, ASN1_EXIT }
892 };
893 #define NAME_CONSTRAINT_PERMITTED 2
894 #define NAME_CONSTRAINT_EXCLUDED 5
895
896 /**
897 * Parse permitted/excluded nameConstraints
898 */
899 static void parse_nameConstraints(chunk_t blob, int level0,
900 private_x509_cert_t *this)
901 {
902 asn1_parser_t *parser;
903 identification_t *id;
904 chunk_t object;
905 int objectID;
906
907 parser = asn1_parser_create(nameConstraintsObjects, blob);
908 parser->set_top_level(parser, level0);
909
910 while (parser->iterate(parser, &objectID, &object))
911 {
912 switch (objectID)
913 {
914 case NAME_CONSTRAINT_PERMITTED:
915 id = parse_generalName(object, parser->get_level(parser) + 1);
916 if (id)
917 {
918 this->permitted_names->insert_last(this->permitted_names, id);
919 }
920 break;
921 case NAME_CONSTRAINT_EXCLUDED:
922 id = parse_generalName(object, parser->get_level(parser) + 1);
923 if (id)
924 {
925 this->excluded_names->insert_last(this->excluded_names, id);
926 }
927 break;
928 default:
929 break;
930 }
931 }
932 parser->destroy(parser);
933 }
934
935 /**
936 * ASN.1 definition of a certificatePolicies extension
937 */
938 static const asn1Object_t certificatePoliciesObject[] = {
939 { 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
940 { 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
941 { 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */
942 { 2, "qualifiers", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 3 */
943 { 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */
944 { 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */
945 { 4, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
946 { 4, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
947 { 4, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 8 */
948 { 5, "explicitText", ASN1_EOC, ASN1_RAW }, /* 9 */
949 { 4, "end choice", ASN1_EOC, ASN1_END }, /* 10 */
950 { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */
951 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
952 { 0, "exit", ASN1_EOC, ASN1_EXIT }
953 };
954 #define CERT_POLICY_ID 2
955 #define CERT_POLICY_QUALIFIER_ID 5
956 #define CERT_POLICY_CPS_URI 6
957 #define CERT_POLICY_EXPLICIT_TEXT 9
958
959 /**
960 * Parse certificatePolicies
961 */
962 static void parse_certificatePolicies(chunk_t blob, int level0,
963 private_x509_cert_t *this)
964 {
965 x509_cert_policy_t *policy = NULL;
966 asn1_parser_t *parser;
967 chunk_t object;
968 int objectID, qualifier = OID_UNKNOWN;
969
970 parser = asn1_parser_create(certificatePoliciesObject, blob);
971 parser->set_top_level(parser, level0);
972
973 while (parser->iterate(parser, &objectID, &object))
974 {
975 switch (objectID)
976 {
977 case CERT_POLICY_ID:
978 INIT(policy,
979 .oid = chunk_clone(object),
980 );
981 this->cert_policies->insert_last(this->cert_policies, policy);
982 break;
983 case CERT_POLICY_QUALIFIER_ID:
984 qualifier = asn1_known_oid(object);
985 break;
986 case CERT_POLICY_CPS_URI:
987 if (policy && !policy->cps_uri && object.len &&
988 qualifier == OID_POLICY_QUALIFIER_CPS &&
989 chunk_printable(object, NULL, 0))
990 {
991 policy->cps_uri = strndup(object.ptr, object.len);
992 }
993 break;
994 case CERT_POLICY_EXPLICIT_TEXT:
995 /* TODO */
996 break;
997 default:
998 break;
999 }
1000 }
1001 parser->destroy(parser);
1002 }
1003
1004 /**
1005 * ASN.1 definition of a policyMappings extension
1006 */
1007 static const asn1Object_t policyMappingsObjects[] = {
1008 { 0, "policyMappings", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
1009 { 1, "policyMapping", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
1010 { 2, "issuerPolicy", ASN1_OID, ASN1_BODY }, /* 2 */
1011 { 2, "subjectPolicy", ASN1_OID, ASN1_BODY }, /* 3 */
1012 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
1013 { 0, "exit", ASN1_EOC, ASN1_EXIT }
1014 };
1015 #define POLICY_MAPPING 1
1016 #define POLICY_MAPPING_ISSUER 2
1017 #define POLICY_MAPPING_SUBJECT 3
1018
1019 /**
1020 * Parse policyMappings
1021 */
1022 static void parse_policyMappings(chunk_t blob, int level0,
1023 private_x509_cert_t *this)
1024 {
1025 x509_policy_mapping_t *map = NULL;
1026 asn1_parser_t *parser;
1027 chunk_t object;
1028 int objectID;
1029
1030 parser = asn1_parser_create(policyMappingsObjects, blob);
1031 parser->set_top_level(parser, level0);
1032
1033 while (parser->iterate(parser, &objectID, &object))
1034 {
1035 switch (objectID)
1036 {
1037 case POLICY_MAPPING:
1038 INIT(map);
1039 this->policy_mappings->insert_last(this->policy_mappings, map);
1040 break;
1041 case POLICY_MAPPING_ISSUER:
1042 if (map && !map->issuer.len)
1043 {
1044 map->issuer = chunk_clone(object);
1045 }
1046 break;
1047 case POLICY_MAPPING_SUBJECT:
1048 if (map && !map->subject.len)
1049 {
1050 map->subject = chunk_clone(object);
1051 }
1052 break;
1053 default:
1054 break;
1055 }
1056 }
1057 parser->destroy(parser);
1058 }
1059
1060 /**
1061 * ASN.1 definition of a policyConstraints extension
1062 */
1063 static const asn1Object_t policyConstraintsObjects[] = {
1064 { 0, "policyConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
1065 { 1, "requireExplicitPolicy", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_NONE }, /* 1 */
1066 { 2, "SkipCerts", ASN1_INTEGER, ASN1_BODY }, /* 2 */
1067 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
1068 { 1, "inhibitPolicyMapping", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_NONE }, /* 4 */
1069 { 2, "SkipCerts", ASN1_INTEGER, ASN1_BODY }, /* 5 */
1070 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
1071 { 0, "exit", ASN1_EOC, ASN1_EXIT }
1072 };
1073 #define POLICY_CONSTRAINT_EXPLICIT 2
1074 #define POLICY_CONSTRAINT_INHIBIT 5
1075
1076 /**
1077 * Parse policyConstraints
1078 */
1079 static void parse_policyConstraints(chunk_t blob, int level0,
1080 private_x509_cert_t *this)
1081 {
1082 asn1_parser_t *parser;
1083 chunk_t object;
1084 int objectID;
1085
1086 parser = asn1_parser_create(policyConstraintsObjects, blob);
1087 parser->set_top_level(parser, level0);
1088
1089 while (parser->iterate(parser, &objectID, &object))
1090 {
1091 switch (objectID)
1092 {
1093 case POLICY_CONSTRAINT_EXPLICIT:
1094 this->require_explicit = parse_constraint(object);
1095 break;
1096 case POLICY_CONSTRAINT_INHIBIT:
1097 this->inhibit_mapping = parse_constraint(object);
1098 break;
1099 default:
1100 break;
1101 }
1102 }
1103 parser->destroy(parser);
1104 }
1105
1106 /**
1107 * ASN.1 definition of ipAddrBlocks according to RFC 3779
1108 */
1109 static const asn1Object_t ipAddrBlocksObjects[] = {
1110 { 0, "ipAddrBlocks", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
1111 { 1, "ipAddressFamily", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
1112 { 2, "addressFamily", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */
1113 { 2, "inherit", ASN1_NULL, ASN1_OPT|ASN1_NONE }, /* 3 */
1114 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
1115 { 2, "addressesOrRanges", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 5 */
1116 { 3, "addressPrefix", ASN1_BIT_STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
1117 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
1118 { 3, "addressRange", ASN1_SEQUENCE, ASN1_OPT|ASN1_NONE }, /* 8 */
1119 { 4, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 9 */
1120 { 4, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 10 */
1121 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
1122 { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */
1123 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
1124 { 0, "exit", ASN1_EOC, ASN1_EXIT }
1125 };
1126 #define IP_ADDR_BLOCKS_FAMILY 2
1127 #define IP_ADDR_BLOCKS_INHERIT 3
1128 #define IP_ADDR_BLOCKS_PREFIX 6
1129 #define IP_ADDR_BLOCKS_MIN 9
1130 #define IP_ADDR_BLOCKS_MAX 10
1131
1132 static bool check_address_object(ts_type_t ts_type, chunk_t object)
1133 {
1134 switch (ts_type)
1135 {
1136 case TS_IPV4_ADDR_RANGE:
1137 if (object.len > 5)
1138 {
1139 DBG1(DBG_ASN, "IPv4 address object is larger than 5 octets");
1140 return FALSE;
1141 }
1142 break;
1143 case TS_IPV6_ADDR_RANGE:
1144 if (object.len > 17)
1145 {
1146 DBG1(DBG_ASN, "IPv6 address object is larger than 17 octets");
1147 return FALSE;
1148 }
1149 break;
1150 default:
1151 DBG1(DBG_ASN, "unknown address family");
1152 return FALSE;
1153 }
1154 if (object.len == 0)
1155 {
1156 DBG1(DBG_ASN, "An ASN.1 bit string must contain at least the "
1157 "initial octet");
1158 return FALSE;
1159 }
1160 if (object.len == 1 && object.ptr[0] != 0)
1161 {
1162 DBG1(DBG_ASN, "An empty ASN.1 bit string must contain a zero "
1163 "initial octet");
1164 return FALSE;
1165 }
1166 if (object.ptr[0] > 7)
1167 {
1168 DBG1(DBG_ASN, "number of unused bits is too large");
1169 return FALSE;
1170 }
1171 return TRUE;
1172 }
1173
1174 static void parse_ipAddrBlocks(chunk_t blob, int level0,
1175 private_x509_cert_t *this)
1176 {
1177 asn1_parser_t *parser;
1178 chunk_t object, min_object;
1179 ts_type_t ts_type = 0;
1180 traffic_selector_t *ts;
1181 int objectID;
1182
1183 parser = asn1_parser_create(ipAddrBlocksObjects, blob);
1184 parser->set_top_level(parser, level0);
1185
1186 while (parser->iterate(parser, &objectID, &object))
1187 {
1188 switch (objectID)
1189 {
1190 case IP_ADDR_BLOCKS_FAMILY:
1191 ts_type = 0;
1192 if (object.len == 2 && object.ptr[0] == 0)
1193 {
1194 if (object.ptr[1] == 1)
1195 {
1196 ts_type = TS_IPV4_ADDR_RANGE;
1197 }
1198 else if (object.ptr[1] == 2)
1199 {
1200 ts_type = TS_IPV6_ADDR_RANGE;
1201 }
1202 else
1203 {
1204 break;
1205 }
1206 DBG2(DBG_ASN, " %N", ts_type_name, ts_type);
1207 }
1208 break;
1209 case IP_ADDR_BLOCKS_INHERIT:
1210 DBG1(DBG_ASN, "inherit choice is not supported");
1211 break;
1212 case IP_ADDR_BLOCKS_PREFIX:
1213 if (!check_address_object(ts_type, object))
1214 {
1215 goto end;
1216 }
1217 ts = traffic_selector_create_from_rfc3779_format(ts_type,
1218 object, object);
1219 DBG2(DBG_ASN, " %R", ts);
1220 this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
1221 break;
1222 case IP_ADDR_BLOCKS_MIN:
1223 if (!check_address_object(ts_type, object))
1224 {
1225 goto end;
1226 }
1227 min_object = object;
1228 break;
1229 case IP_ADDR_BLOCKS_MAX:
1230 if (!check_address_object(ts_type, object))
1231 {
1232 goto end;
1233 }
1234 ts = traffic_selector_create_from_rfc3779_format(ts_type,
1235 min_object, object);
1236 DBG2(DBG_ASN, " %R", ts);
1237 this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
1238 break;
1239 default:
1240 break;
1241 }
1242 }
1243 this->flags |= X509_IP_ADDR_BLOCKS;
1244
1245 end:
1246 parser->destroy(parser);
1247 }
1248
1249 /**
1250 * ASN.1 definition of an X.509v3 x509_cert
1251 */
1252 static const asn1Object_t certObjects[] = {
1253 { 0, "x509", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
1254 { 1, "tbsCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
1255 { 2, "DEFAULT v1", ASN1_CONTEXT_C_0, ASN1_DEF }, /* 2 */
1256 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
1257 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 4 */
1258 { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 5 */
1259 { 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
1260 { 2, "validity", ASN1_SEQUENCE, ASN1_NONE }, /* 7 */
1261 { 3, "notBefore", ASN1_EOC, ASN1_RAW }, /* 8 */
1262 { 3, "notAfter", ASN1_EOC, ASN1_RAW }, /* 9 */
1263 { 2, "subject", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
1264 { 2, "subjectPublicKeyInfo",ASN1_SEQUENCE, ASN1_RAW }, /* 11 */
1265 { 2, "issuerUniqueID", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 12 */
1266 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 13 */
1267 { 2, "subjectUniqueID", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 14 */
1268 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 15 */
1269 { 2, "optional extensions", ASN1_CONTEXT_C_3, ASN1_OPT }, /* 16 */
1270 { 3, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 17 */
1271 { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 18 */
1272 { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 19 */
1273 { 5, "critical", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 20 */
1274 { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 21 */
1275 { 3, "end loop", ASN1_EOC, ASN1_END }, /* 22 */
1276 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 23 */
1277 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 24 */
1278 { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY }, /* 25 */
1279 { 0, "exit", ASN1_EOC, ASN1_EXIT }
1280 };
1281 #define X509_OBJ_TBS_CERTIFICATE 1
1282 #define X509_OBJ_VERSION 3
1283 #define X509_OBJ_SERIAL_NUMBER 4
1284 #define X509_OBJ_SIG_ALG 5
1285 #define X509_OBJ_ISSUER 6
1286 #define X509_OBJ_NOT_BEFORE 8
1287 #define X509_OBJ_NOT_AFTER 9
1288 #define X509_OBJ_SUBJECT 10
1289 #define X509_OBJ_SUBJECT_PUBLIC_KEY_INFO 11
1290 #define X509_OBJ_OPTIONAL_EXTENSIONS 16
1291 #define X509_OBJ_EXTN_ID 19
1292 #define X509_OBJ_CRITICAL 20
1293 #define X509_OBJ_EXTN_VALUE 21
1294 #define X509_OBJ_ALGORITHM 24
1295 #define X509_OBJ_SIGNATURE 25
1296
1297 /**
1298 * Parses an X.509v3 certificate
1299 */
1300 static bool parse_certificate(private_x509_cert_t *this)
1301 {
1302 asn1_parser_t *parser;
1303 chunk_t object;
1304 int objectID;
1305 int extn_oid = OID_UNKNOWN;
1306 int sig_alg = OID_UNKNOWN;
1307 bool success = FALSE;
1308 bool critical = FALSE;
1309
1310 parser = asn1_parser_create(certObjects, this->encoding);
1311
1312 while (parser->iterate(parser, &objectID, &object))
1313 {
1314 u_int level = parser->get_level(parser)+1;
1315
1316 switch (objectID)
1317 {
1318 case X509_OBJ_TBS_CERTIFICATE:
1319 this->tbsCertificate = object;
1320 break;
1321 case X509_OBJ_VERSION:
1322 this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
1323 if (this->version < 1 || this->version > 3)
1324 {
1325 DBG1(DBG_ASN, "X.509v%d not supported", this->version);
1326 goto end;
1327 }
1328 else
1329 {
1330 DBG2(DBG_ASN, " X.509v%d", this->version);
1331 }
1332 break;
1333 case X509_OBJ_SERIAL_NUMBER:
1334 this->serialNumber = object;
1335 break;
1336 case X509_OBJ_SIG_ALG:
1337 sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
1338 break;
1339 case X509_OBJ_ISSUER:
1340 this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
1341 DBG2(DBG_ASN, " '%Y'", this->issuer);
1342 break;
1343 case X509_OBJ_NOT_BEFORE:
1344 this->notBefore = asn1_parse_time(object, level);
1345 break;
1346 case X509_OBJ_NOT_AFTER:
1347 this->notAfter = asn1_parse_time(object, level);
1348 break;
1349 case X509_OBJ_SUBJECT:
1350 this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
1351 DBG2(DBG_ASN, " '%Y'", this->subject);
1352 break;
1353 case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
1354 DBG2(DBG_ASN, "-- > --");
1355 this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
1356 KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
1357 DBG2(DBG_ASN, "-- < --");
1358 if (this->public_key == NULL)
1359 {
1360 goto end;
1361 }
1362 break;
1363 case X509_OBJ_OPTIONAL_EXTENSIONS:
1364 if (this->version != 3)
1365 {
1366 DBG1(DBG_ASN, "Only X.509v3 certificates have extensions");
1367 goto end;
1368 }
1369 break;
1370 case X509_OBJ_EXTN_ID:
1371 extn_oid = asn1_known_oid(object);
1372 break;
1373 case X509_OBJ_CRITICAL:
1374 critical = object.len && *object.ptr;
1375 DBG2(DBG_ASN, " %s", critical ? "TRUE" : "FALSE");
1376 break;
1377 case X509_OBJ_EXTN_VALUE:
1378 {
1379 switch (extn_oid)
1380 {
1381 case OID_SUBJECT_KEY_ID:
1382 if (!asn1_parse_simple_object(&object, ASN1_OCTET_STRING,
1383 level, "keyIdentifier"))
1384 {
1385 goto end;
1386 }
1387 this->subjectKeyIdentifier = object;
1388 break;
1389 case OID_SUBJECT_ALT_NAME:
1390 x509_parse_generalNames(object, level, FALSE,
1391 this->subjectAltNames);
1392 break;
1393 case OID_BASIC_CONSTRAINTS:
1394 parse_basicConstraints(object, level, this);
1395 break;
1396 case OID_CRL_DISTRIBUTION_POINTS:
1397 x509_parse_crlDistributionPoints(object, level,
1398 this->crl_uris);
1399 break;
1400 case OID_AUTHORITY_KEY_ID:
1401 this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
1402 level, &this->authKeySerialNumber);
1403 break;
1404 case OID_AUTHORITY_INFO_ACCESS:
1405 parse_authorityInfoAccess(object, level, this);
1406 break;
1407 case OID_KEY_USAGE:
1408 parse_keyUsage(object, this);
1409 break;
1410 case OID_EXTENDED_KEY_USAGE:
1411 parse_extendedKeyUsage(object, level, this);
1412 break;
1413 case OID_IP_ADDR_BLOCKS:
1414 parse_ipAddrBlocks(object, level, this);
1415 break;
1416 case OID_NAME_CONSTRAINTS:
1417 parse_nameConstraints(object, level, this);
1418 break;
1419 case OID_CERTIFICATE_POLICIES:
1420 parse_certificatePolicies(object, level, this);
1421 break;
1422 case OID_POLICY_MAPPINGS:
1423 parse_policyMappings(object, level, this);
1424 break;
1425 case OID_POLICY_CONSTRAINTS:
1426 parse_policyConstraints(object, level, this);
1427 break;
1428 case OID_INHIBIT_ANY_POLICY:
1429 if (!asn1_parse_simple_object(&object, ASN1_INTEGER,
1430 level, "inhibitAnyPolicy"))
1431 {
1432 goto end;
1433 }
1434 this->inhibit_any = parse_constraint(object);
1435 break;
1436 case OID_NS_REVOCATION_URL:
1437 case OID_NS_CA_REVOCATION_URL:
1438 case OID_NS_CA_POLICY_URL:
1439 case OID_NS_COMMENT:
1440 if (!asn1_parse_simple_object(&object, ASN1_IA5STRING,
1441 level, oid_names[extn_oid].name))
1442 {
1443 goto end;
1444 }
1445 break;
1446 default:
1447 if (critical && lib->settings->get_bool(lib->settings,
1448 "%s.x509.enforce_critical", TRUE, lib->ns))
1449 {
1450 DBG1(DBG_ASN, "critical '%s' extension not supported",
1451 (extn_oid == OID_UNKNOWN) ? "unknown" :
1452 (char*)oid_names[extn_oid].name);
1453 goto end;
1454 }
1455 break;
1456 }
1457 break;
1458 }
1459 case X509_OBJ_ALGORITHM:
1460 this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
1461 if (this->algorithm != sig_alg)
1462 {
1463 DBG1(DBG_ASN, " signature algorithms do not agree");
1464 goto end;
1465 }
1466 break;
1467 case X509_OBJ_SIGNATURE:
1468 this->signature = chunk_skip(object, 1);
1469 break;
1470 default:
1471 break;
1472 }
1473 }
1474 success = parser->success(parser);
1475
1476 end:
1477 parser->destroy(parser);
1478 if (success)
1479 {
1480 hasher_t *hasher;
1481
1482 /* check if the certificate is self-signed */
1483 if (this->public.interface.interface.issued_by(
1484 &this->public.interface.interface,
1485 &this->public.interface.interface,
1486 NULL))
1487 {
1488 this->flags |= X509_SELF_SIGNED;
1489 }
1490 /* create certificate hash */
1491 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1492 if (!hasher ||
1493 !hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash))
1494 {
1495 DESTROY_IF(hasher);
1496 DBG1(DBG_ASN, " unable to create hash of certificate, SHA1 not supported");
1497 return FALSE;
1498 }
1499 hasher->destroy(hasher);
1500 }
1501 return success;
1502 }
1503
1504 METHOD(certificate_t, get_type, certificate_type_t,
1505 private_x509_cert_t *this)
1506 {
1507 return CERT_X509;
1508 }
1509
1510 METHOD(certificate_t, get_subject, identification_t*,
1511 private_x509_cert_t *this)
1512 {
1513 return this->subject;
1514 }
1515
1516 METHOD(certificate_t, get_issuer, identification_t*,
1517 private_x509_cert_t *this)
1518 {
1519 return this->issuer;
1520 }
1521
1522 METHOD(certificate_t, has_subject, id_match_t,
1523 private_x509_cert_t *this, identification_t *subject)
1524 {
1525 identification_t *current;
1526 enumerator_t *enumerator;
1527 id_match_t match, best;
1528 chunk_t encoding;
1529
1530 if (subject->get_type(subject) == ID_KEY_ID)
1531 {
1532 encoding = subject->get_encoding(subject);
1533
1534 if (this->encoding_hash.len &&
1535 chunk_equals(this->encoding_hash, encoding))
1536 {
1537 return ID_MATCH_PERFECT;
1538 }
1539 if (this->subjectKeyIdentifier.len &&
1540 chunk_equals(this->subjectKeyIdentifier, encoding))
1541 {
1542 return ID_MATCH_PERFECT;
1543 }
1544 if (this->public_key &&
1545 this->public_key->has_fingerprint(this->public_key, encoding))
1546 {
1547 return ID_MATCH_PERFECT;
1548 }
1549 if (chunk_equals(this->serialNumber, encoding))
1550 {
1551 return ID_MATCH_PERFECT;
1552 }
1553 }
1554 best = this->subject->matches(this->subject, subject);
1555 enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
1556 while (enumerator->enumerate(enumerator, &current))
1557 {
1558 match = current->matches(current, subject);
1559 if (match > best)
1560 {
1561 best = match;
1562 }
1563 }
1564 enumerator->destroy(enumerator);
1565 return best;
1566 }
1567
1568 METHOD(certificate_t, has_issuer, id_match_t,
1569 private_x509_cert_t *this, identification_t *issuer)
1570 {
1571 /* issuerAltNames currently not supported */
1572 return this->issuer->matches(this->issuer, issuer);
1573 }
1574
1575 METHOD(certificate_t, issued_by, bool,
1576 private_x509_cert_t *this, certificate_t *issuer,
1577 signature_scheme_t *schemep)
1578 {
1579 public_key_t *key;
1580 signature_scheme_t scheme;
1581 bool valid;
1582 x509_t *x509 = (x509_t*)issuer;
1583
1584 if (&this->public.interface.interface == issuer)
1585 {
1586 if (this->flags & X509_SELF_SIGNED)
1587 {
1588 return TRUE;
1589 }
1590 }
1591 else
1592 {
1593 if (issuer->get_type(issuer) != CERT_X509)
1594 {
1595 return FALSE;
1596 }
1597 if (!(x509->get_flags(x509) & X509_CA))
1598 {
1599 return FALSE;
1600 }
1601 }
1602 if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
1603 {
1604 return FALSE;
1605 }
1606
1607 /* determine signature scheme */
1608 scheme = signature_scheme_from_oid(this->algorithm);
1609 if (scheme == SIGN_UNKNOWN)
1610 {
1611 return FALSE;
1612 }
1613 /* get the public key of the issuer */
1614 key = issuer->get_public_key(issuer);
1615 if (!key)
1616 {
1617 return FALSE;
1618 }
1619 valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
1620 key->destroy(key);
1621 if (valid && schemep)
1622 {
1623 *schemep = scheme;
1624 }
1625 return valid;
1626 }
1627
1628 METHOD(certificate_t, get_public_key, public_key_t*,
1629 private_x509_cert_t *this)
1630 {
1631 this->public_key->get_ref(this->public_key);
1632 return this->public_key;
1633 }
1634
1635 METHOD(certificate_t, get_ref, certificate_t*,
1636 private_x509_cert_t *this)
1637 {
1638 ref_get(&this->ref);
1639 return &this->public.interface.interface;
1640 }
1641
1642 METHOD(certificate_t, get_validity, bool,
1643 private_x509_cert_t *this, time_t *when, time_t *not_before,
1644 time_t *not_after)
1645 {
1646 time_t t = when ? *when : time(NULL);
1647
1648 if (not_before)
1649 {
1650 *not_before = this->notBefore;
1651 }
1652 if (not_after)
1653 {
1654 *not_after = this->notAfter;
1655 }
1656 return (t >= this->notBefore && t <= this->notAfter);
1657 }
1658
1659 METHOD(certificate_t, get_encoding, bool,
1660 private_x509_cert_t *this, cred_encoding_type_t type, chunk_t *encoding)
1661 {
1662 if (type == CERT_ASN1_DER)
1663 {
1664 *encoding = chunk_clone(this->encoding);
1665 return TRUE;
1666 }
1667 return lib->encoding->encode(lib->encoding, type, NULL, encoding,
1668 CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END);
1669 }
1670
1671 METHOD(certificate_t, equals, bool,
1672 private_x509_cert_t *this, certificate_t *other)
1673 {
1674 chunk_t encoding;
1675 bool equal;
1676
1677 if (this == (private_x509_cert_t*)other)
1678 {
1679 return TRUE;
1680 }
1681 if (other->get_type(other) != CERT_X509)
1682 {
1683 return FALSE;
1684 }
1685 if (other->equals == (void*)equals)
1686 { /* skip allocation if we have the same implementation */
1687 return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding);
1688 }
1689 if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
1690 {
1691 return FALSE;
1692 }
1693 equal = chunk_equals(this->encoding, encoding);
1694 free(encoding.ptr);
1695 return equal;
1696 }
1697
1698 METHOD(x509_t, get_flags, x509_flag_t,
1699 private_x509_cert_t *this)
1700 {
1701 return this->flags;
1702 }
1703
1704 METHOD(x509_t, get_serial, chunk_t,
1705 private_x509_cert_t *this)
1706 {
1707 return this->serialNumber;
1708 }
1709
1710 METHOD(x509_t, get_subjectKeyIdentifier, chunk_t,
1711 private_x509_cert_t *this)
1712 {
1713 if (this->subjectKeyIdentifier.ptr)
1714 {
1715 return this->subjectKeyIdentifier;
1716 }
1717 else
1718 {
1719 chunk_t fingerprint;
1720
1721 if (this->public_key->get_fingerprint(this->public_key,
1722 KEYID_PUBKEY_SHA1, &fingerprint))
1723 {
1724 return fingerprint;
1725 }
1726 else
1727 {
1728 return chunk_empty;
1729 }
1730 }
1731 }
1732
1733 METHOD(x509_t, get_authKeyIdentifier, chunk_t,
1734 private_x509_cert_t *this)
1735 {
1736 return this->authKeyIdentifier;
1737 }
1738
1739 METHOD(x509_t, get_constraint, u_int,
1740 private_x509_cert_t *this, x509_constraint_t type)
1741 {
1742 switch (type)
1743 {
1744 case X509_PATH_LEN:
1745 return this->pathLenConstraint;
1746 case X509_REQUIRE_EXPLICIT_POLICY:
1747 return this->require_explicit;
1748 case X509_INHIBIT_POLICY_MAPPING:
1749 return this->inhibit_mapping;
1750 case X509_INHIBIT_ANY_POLICY:
1751 return this->inhibit_any;
1752 default:
1753 return X509_NO_CONSTRAINT;
1754 }
1755 }
1756
1757 METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
1758 private_x509_cert_t *this)
1759 {
1760 return this->subjectAltNames->create_enumerator(this->subjectAltNames);
1761 }
1762
1763 METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*,
1764 private_x509_cert_t *this)
1765 {
1766 return this->ocsp_uris->create_enumerator(this->ocsp_uris);
1767 }
1768
1769 METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*,
1770 private_x509_cert_t *this)
1771 {
1772 return this->crl_uris->create_enumerator(this->crl_uris);
1773 }
1774
1775 METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*,
1776 private_x509_cert_t *this)
1777 {
1778 return this->ipAddrBlocks->create_enumerator(this->ipAddrBlocks);
1779 }
1780
1781 METHOD(x509_t, create_name_constraint_enumerator, enumerator_t*,
1782 private_x509_cert_t *this, bool perm)
1783 {
1784 if (perm)
1785 {
1786 return this->permitted_names->create_enumerator(this->permitted_names);
1787 }
1788 return this->excluded_names->create_enumerator(this->excluded_names);
1789 }
1790
1791 METHOD(x509_t, create_cert_policy_enumerator, enumerator_t*,
1792 private_x509_cert_t *this)
1793 {
1794 return this->cert_policies->create_enumerator(this->cert_policies);
1795 }
1796
1797 METHOD(x509_t, create_policy_mapping_enumerator, enumerator_t*,
1798 private_x509_cert_t *this)
1799 {
1800 return this->policy_mappings->create_enumerator(this->policy_mappings);
1801 }
1802
1803 METHOD(certificate_t, destroy, void,
1804 private_x509_cert_t *this)
1805 {
1806 if (ref_put(&this->ref))
1807 {
1808 this->subjectAltNames->destroy_offset(this->subjectAltNames,
1809 offsetof(identification_t, destroy));
1810 this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy);
1811 this->ocsp_uris->destroy_function(this->ocsp_uris, free);
1812 this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks,
1813 offsetof(traffic_selector_t, destroy));
1814 this->permitted_names->destroy_offset(this->permitted_names,
1815 offsetof(identification_t, destroy));
1816 this->excluded_names->destroy_offset(this->excluded_names,
1817 offsetof(identification_t, destroy));
1818 this->cert_policies->destroy_function(this->cert_policies,
1819 (void*)cert_policy_destroy);
1820 this->policy_mappings->destroy_function(this->policy_mappings,
1821 (void*)policy_mapping_destroy);
1822 DESTROY_IF(this->issuer);
1823 DESTROY_IF(this->subject);
1824 DESTROY_IF(this->public_key);
1825 chunk_free(&this->authKeyIdentifier);
1826 chunk_free(&this->encoding);
1827 chunk_free(&this->encoding_hash);
1828 if (!this->parsed)
1829 { /* only parsed certificates point these fields to "encoded" */
1830 chunk_free(&this->signature);
1831 chunk_free(&this->serialNumber);
1832 chunk_free(&this->tbsCertificate);
1833 }
1834 free(this);
1835 }
1836 }
1837
1838 /**
1839 * create an empty but initialized X.509 certificate
1840 */
1841 static private_x509_cert_t* create_empty(void)
1842 {
1843 private_x509_cert_t *this;
1844
1845 INIT(this,
1846 .public = {
1847 .interface = {
1848 .interface = {
1849 .get_type = _get_type,
1850 .get_subject = _get_subject,
1851 .get_issuer = _get_issuer,
1852 .has_subject = _has_subject,
1853 .has_issuer = _has_issuer,
1854 .issued_by = _issued_by,
1855 .get_public_key = _get_public_key,
1856 .get_validity = _get_validity,
1857 .get_encoding = _get_encoding,
1858 .equals = _equals,
1859 .get_ref = _get_ref,
1860 .destroy = _destroy,
1861 },
1862 .get_flags = _get_flags,
1863 .get_serial = _get_serial,
1864 .get_subjectKeyIdentifier = _get_subjectKeyIdentifier,
1865 .get_authKeyIdentifier = _get_authKeyIdentifier,
1866 .get_constraint = _get_constraint,
1867 .create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
1868 .create_crl_uri_enumerator = _create_crl_uri_enumerator,
1869 .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
1870 .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
1871 .create_name_constraint_enumerator = _create_name_constraint_enumerator,
1872 .create_cert_policy_enumerator = _create_cert_policy_enumerator,
1873 .create_policy_mapping_enumerator = _create_policy_mapping_enumerator,
1874 },
1875 },
1876 .version = 1,
1877 .subjectAltNames = linked_list_create(),
1878 .crl_uris = linked_list_create(),
1879 .ocsp_uris = linked_list_create(),
1880 .ipAddrBlocks = linked_list_create(),
1881 .permitted_names = linked_list_create(),
1882 .excluded_names = linked_list_create(),
1883 .cert_policies = linked_list_create(),
1884 .policy_mappings = linked_list_create(),
1885 .pathLenConstraint = X509_NO_CONSTRAINT,
1886 .require_explicit = X509_NO_CONSTRAINT,
1887 .inhibit_mapping = X509_NO_CONSTRAINT,
1888 .inhibit_any = X509_NO_CONSTRAINT,
1889 .ref = 1,
1890 );
1891 return this;
1892 }
1893
1894 /**
1895 * Build a generalName from an id
1896 */
1897 chunk_t build_generalName(identification_t *id)
1898 {
1899 int context;
1900
1901 switch (id->get_type(id))
1902 {
1903 case ID_RFC822_ADDR:
1904 context = ASN1_CONTEXT_S_1;
1905 break;
1906 case ID_FQDN:
1907 context = ASN1_CONTEXT_S_2;
1908 break;
1909 case ID_DER_ASN1_DN:
1910 context = ASN1_CONTEXT_C_4;
1911 break;
1912 case ID_IPV4_ADDR:
1913 case ID_IPV6_ADDR:
1914 context = ASN1_CONTEXT_S_7;
1915 break;
1916 default:
1917 DBG1(DBG_ASN, "encoding %N as generalName not supported",
1918 id_type_names, id->get_type(id));
1919 return chunk_empty;
1920 }
1921 return asn1_wrap(context, "c", id->get_encoding(id));
1922 }
1923
1924 /**
1925 * Encode a linked list of subjectAltNames
1926 */
1927 chunk_t x509_build_subjectAltNames(linked_list_t *list)
1928 {
1929 chunk_t subjectAltNames = chunk_empty, name;
1930 enumerator_t *enumerator;
1931 identification_t *id;
1932
1933 if (list->get_count(list) == 0)
1934 {
1935 return chunk_empty;
1936 }
1937
1938 enumerator = list->create_enumerator(list);
1939 while (enumerator->enumerate(enumerator, &id))
1940 {
1941 name = build_generalName(id);
1942 subjectAltNames = chunk_cat("mm", subjectAltNames, name);
1943 }
1944 enumerator->destroy(enumerator);
1945
1946 return asn1_wrap(ASN1_SEQUENCE, "mm",
1947 asn1_build_known_oid(OID_SUBJECT_ALT_NAME),
1948 asn1_wrap(ASN1_OCTET_STRING, "m",
1949 asn1_wrap(ASN1_SEQUENCE, "m", subjectAltNames)
1950 )
1951 );
1952 }
1953
1954 /**
1955 * Encode CRL distribution points extension from a x509_cdp_t list
1956 */
1957 chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn)
1958 {
1959 chunk_t crlDistributionPoints = chunk_empty;
1960 enumerator_t *enumerator;
1961 x509_cdp_t *cdp;
1962
1963 if (list->get_count(list) == 0)
1964 {
1965 return chunk_empty;
1966 }
1967
1968 enumerator = list->create_enumerator(list);
1969 while (enumerator->enumerate(enumerator, &cdp))
1970 {
1971 chunk_t distributionPoint, crlIssuer = chunk_empty;
1972
1973 if (cdp->issuer)
1974 {
1975 crlIssuer = asn1_wrap(ASN1_CONTEXT_C_2, "m",
1976 build_generalName(cdp->issuer));
1977 }
1978 distributionPoint = asn1_wrap(ASN1_SEQUENCE, "mm",
1979 asn1_wrap(ASN1_CONTEXT_C_0, "m",
1980 asn1_wrap(ASN1_CONTEXT_C_0, "m",
1981 asn1_wrap(ASN1_CONTEXT_S_6, "c",
1982 chunk_create(cdp->uri, strlen(cdp->uri))))),
1983 crlIssuer);
1984 crlDistributionPoints = chunk_cat("mm", crlDistributionPoints,
1985 distributionPoint);
1986 }
1987 enumerator->destroy(enumerator);
1988
1989 return asn1_wrap(ASN1_SEQUENCE, "mm",
1990 asn1_build_known_oid(extn),
1991 asn1_wrap(ASN1_OCTET_STRING, "m",
1992 asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints)));
1993 }
1994
1995 static chunk_t generate_ts(traffic_selector_t *ts)
1996 {
1997 chunk_t from, to;
1998 uint8_t minbits = 0, maxbits = 0, unused;
1999 host_t *net;
2000 int bit, byte;
2001
2002 if (ts->to_subnet(ts, &net, &minbits))
2003 {
2004 unused = round_up(minbits, BITS_PER_BYTE) - minbits;
2005 from = asn1_wrap(ASN1_BIT_STRING, "m",
2006 chunk_cat("cc", chunk_from_thing(unused),
2007 chunk_create(net->get_address(net).ptr,
2008 (minbits + unused) / BITS_PER_BYTE)));
2009 net->destroy(net);
2010 return from;
2011 }
2012 net->destroy(net);
2013
2014 from = ts->get_from_address(ts);
2015 for (byte = from.len - 1; byte >= 0; byte--)
2016 {
2017 if (from.ptr[byte] != 0)
2018 {
2019 minbits = byte * BITS_PER_BYTE + BITS_PER_BYTE;
2020 for (bit = 0; bit < BITS_PER_BYTE; bit++)
2021 {
2022 if (from.ptr[byte] & 1 << bit)
2023 {
2024 break;
2025 }
2026 minbits--;
2027 }
2028 break;
2029 }
2030 }
2031 to = ts->get_to_address(ts);
2032 for (byte = to.len - 1; byte >= 0; byte--)
2033 {
2034 if (to.ptr[byte] != 0xFF)
2035 {
2036 maxbits = byte * BITS_PER_BYTE + BITS_PER_BYTE;
2037 for (bit = 0; bit < BITS_PER_BYTE; bit++)
2038 {
2039 if ((to.ptr[byte] & 1 << bit) == 0)
2040 {
2041 break;
2042 }
2043 maxbits--;
2044 }
2045 break;
2046 }
2047 }
2048 unused = round_up(minbits, BITS_PER_BYTE) - minbits;
2049 from = asn1_wrap(ASN1_BIT_STRING, "m",
2050 chunk_cat("cc", chunk_from_thing(unused),
2051 chunk_create(from.ptr,
2052 (minbits + unused) / BITS_PER_BYTE)));
2053 unused = round_up(maxbits, BITS_PER_BYTE) - maxbits;
2054 to = asn1_wrap(ASN1_BIT_STRING, "m",
2055 chunk_cat("cc", chunk_from_thing(unused),
2056 chunk_create(to.ptr,
2057 (maxbits + unused) / BITS_PER_BYTE)));
2058 return asn1_wrap(ASN1_SEQUENCE, "mm", from, to);
2059 }
2060
2061 /**
2062 * Generate and sign a new certificate
2063 */
2064 static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
2065 private_key_t *sign_key, int digest_alg)
2066 {
2067 chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
2068 chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty;
2069 chunk_t ocspSigning = chunk_empty, certPolicies = chunk_empty;
2070 chunk_t basicConstraints = chunk_empty, nameConstraints = chunk_empty;
2071 chunk_t keyUsage = chunk_empty, keyUsageBits = chunk_empty;
2072 chunk_t subjectAltNames = chunk_empty, policyMappings = chunk_empty;
2073 chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
2074 chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
2075 chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
2076 chunk_t ikeIntermediate = chunk_empty, msSmartcardLogon = chunk_empty;
2077 chunk_t ipAddrBlocks = chunk_empty;
2078 identification_t *issuer, *subject;
2079 chunk_t key_info;
2080 signature_scheme_t scheme;
2081 hasher_t *hasher;
2082 enumerator_t *enumerator;
2083 char *uri;
2084
2085 subject = cert->subject;
2086 if (sign_cert)
2087 {
2088 issuer = sign_cert->get_subject(sign_cert);
2089 if (!cert->public_key)
2090 {
2091 return FALSE;
2092 }
2093 }
2094 else
2095 { /* self signed */
2096 issuer = subject;
2097 if (!cert->public_key)
2098 {
2099 cert->public_key = sign_key->get_public_key(sign_key);
2100 }
2101 cert->flags |= X509_SELF_SIGNED;
2102 }
2103 cert->issuer = issuer->clone(issuer);
2104 if (!cert->notBefore)
2105 {
2106 cert->notBefore = time(NULL);
2107 }
2108 if (!cert->notAfter)
2109 { /* defaults to 1 year from now */
2110 cert->notAfter = cert->notBefore + 60 * 60 * 24 * 365;
2111 }
2112
2113 /* select signature scheme */
2114 cert->algorithm = hasher_signature_algorithm_to_oid(digest_alg,
2115 sign_key->get_type(sign_key));
2116 if (cert->algorithm == OID_UNKNOWN)
2117 {
2118 return FALSE;
2119 }
2120 scheme = signature_scheme_from_oid(cert->algorithm);
2121
2122 if (!cert->public_key->get_encoding(cert->public_key,
2123 PUBKEY_SPKI_ASN1_DER, &key_info))
2124 {
2125 return FALSE;
2126 }
2127
2128 /* encode subjectAltNames */
2129 subjectAltNames = x509_build_subjectAltNames(cert->subjectAltNames);
2130
2131 crlDistributionPoints = x509_build_crlDistributionPoints(cert->crl_uris,
2132 OID_CRL_DISTRIBUTION_POINTS);
2133
2134 /* encode OCSP URIs in authorityInfoAccess extension */
2135 enumerator = cert->ocsp_uris->create_enumerator(cert->ocsp_uris);
2136 while (enumerator->enumerate(enumerator, &uri))
2137 {
2138 chunk_t accessDescription;
2139
2140 accessDescription = asn1_wrap(ASN1_SEQUENCE, "mm",
2141 asn1_build_known_oid(OID_OCSP),
2142 asn1_wrap(ASN1_CONTEXT_S_6, "c",
2143 chunk_create(uri, strlen(uri))));
2144 authorityInfoAccess = chunk_cat("mm", authorityInfoAccess,
2145 accessDescription);
2146 }
2147 enumerator->destroy(enumerator);
2148 if (authorityInfoAccess.ptr)
2149 {
2150 authorityInfoAccess = asn1_wrap(ASN1_SEQUENCE, "mm",
2151 asn1_build_known_oid(OID_AUTHORITY_INFO_ACCESS),
2152 asn1_wrap(ASN1_OCTET_STRING, "m",
2153 asn1_wrap(ASN1_SEQUENCE, "m", authorityInfoAccess)));
2154 }
2155
2156 /* build CA basicConstraint and keyUsage flags for CA certificates */
2157 if (cert->flags & X509_CA)
2158 {
2159 chunk_t pathLenConstraint = chunk_empty;
2160
2161 if (cert->pathLenConstraint != X509_NO_CONSTRAINT)
2162 {
2163 pathLenConstraint = asn1_integer("c",
2164 chunk_from_thing(cert->pathLenConstraint));
2165 }
2166 basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
2167 asn1_build_known_oid(OID_BASIC_CONSTRAINTS),
2168 asn1_wrap(ASN1_BOOLEAN, "c",
2169 chunk_from_chars(0xFF)),
2170 asn1_wrap(ASN1_OCTET_STRING, "m",
2171 asn1_wrap(ASN1_SEQUENCE, "mm",
2172 asn1_wrap(ASN1_BOOLEAN, "c",
2173 chunk_from_chars(0xFF)),
2174 pathLenConstraint)));
2175 /* set CertificateSign and implicitly CRLsign */
2176 keyUsageBits = chunk_from_chars(0x01, 0x06);
2177 }
2178 else if (cert->flags & X509_CRL_SIGN)
2179 {
2180 keyUsageBits = chunk_from_chars(0x01, 0x02);
2181 }
2182 if (keyUsageBits.len)
2183 {
2184 keyUsage = asn1_wrap(ASN1_SEQUENCE, "mmm",
2185 asn1_build_known_oid(OID_KEY_USAGE),
2186 asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
2187 asn1_wrap(ASN1_OCTET_STRING, "m",
2188 asn1_wrap(ASN1_BIT_STRING, "c", keyUsageBits)));
2189 }
2190
2191 /* add extendedKeyUsage flags */
2192 if (cert->flags & X509_SERVER_AUTH)
2193 {
2194 serverAuth = asn1_build_known_oid(OID_SERVER_AUTH);
2195 }
2196 if (cert->flags & X509_CLIENT_AUTH)
2197 {
2198 clientAuth = asn1_build_known_oid(OID_CLIENT_AUTH);
2199 }
2200 if (cert->flags & X509_IKE_INTERMEDIATE)
2201 {
2202 ikeIntermediate = asn1_build_known_oid(OID_IKE_INTERMEDIATE);
2203 }
2204 if (cert->flags & X509_OCSP_SIGNER)
2205 {
2206 ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
2207 }
2208 if (cert->flags & X509_MS_SMARTCARD_LOGON)
2209 {
2210 msSmartcardLogon = asn1_build_known_oid(OID_MS_SMARTCARD_LOGON);
2211 }
2212
2213 if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr ||
2214 ocspSigning.ptr || msSmartcardLogon.ptr)
2215 {
2216 extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
2217 asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
2218 asn1_wrap(ASN1_OCTET_STRING, "m",
2219 asn1_wrap(ASN1_SEQUENCE, "mmmmm",
2220 serverAuth, clientAuth, ikeIntermediate,
2221 ocspSigning, msSmartcardLogon)));
2222 }
2223
2224 /* add subjectKeyIdentifier to CA and OCSP signer certificates */
2225 if (cert->flags & (X509_CA | X509_OCSP_SIGNER | X509_CRL_SIGN))
2226 {
2227 chunk_t keyid;
2228
2229 if (cert->public_key->get_fingerprint(cert->public_key,
2230 KEYID_PUBKEY_SHA1, &keyid))
2231 {
2232 subjectKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
2233 asn1_build_known_oid(OID_SUBJECT_KEY_ID),
2234 asn1_wrap(ASN1_OCTET_STRING, "m",
2235 asn1_wrap(ASN1_OCTET_STRING, "c", keyid)));
2236 }
2237 }
2238
2239 /* add the keyid authKeyIdentifier for non self-signed certificates */
2240 if (sign_cert)
2241 {
2242 chunk_t keyid;
2243
2244 if (sign_key->get_fingerprint(sign_key, KEYID_PUBKEY_SHA1, &keyid))
2245 {
2246 authKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
2247 asn1_build_known_oid(OID_AUTHORITY_KEY_ID),
2248 asn1_wrap(ASN1_OCTET_STRING, "m",
2249 asn1_wrap(ASN1_SEQUENCE, "m",
2250 asn1_wrap(ASN1_CONTEXT_S_0, "c", keyid))));
2251 }
2252 }
2253
2254 if (cert->ipAddrBlocks->get_count(cert->ipAddrBlocks))
2255 {
2256 chunk_t v4blocks = chunk_empty, v6blocks = chunk_empty, block;
2257 traffic_selector_t *ts;
2258
2259 enumerator = cert->ipAddrBlocks->create_enumerator(cert->ipAddrBlocks);
2260 while (enumerator->enumerate(enumerator, &ts))
2261 {
2262 switch (ts->get_type(ts))
2263 {
2264 case TS_IPV4_ADDR_RANGE:
2265 block = generate_ts(ts);
2266 v4blocks = chunk_cat("mm", v4blocks, block);
2267 break;
2268 case TS_IPV6_ADDR_RANGE:
2269 block = generate_ts(ts);
2270 v6blocks = chunk_cat("mm", v6blocks, block);
2271 break;
2272 default:
2273 break;
2274 }
2275 }
2276 enumerator->destroy(enumerator);
2277
2278 if (v4blocks.ptr)
2279 {
2280 v4blocks = asn1_wrap(ASN1_SEQUENCE, "mm",
2281 asn1_wrap(ASN1_OCTET_STRING, "c",
2282 chunk_from_chars(0x00,0x01)),
2283 asn1_wrap(ASN1_SEQUENCE, "m", v4blocks));
2284 }
2285 if (v6blocks.ptr)
2286 {
2287 v6blocks = asn1_wrap(ASN1_SEQUENCE, "mm",
2288 asn1_wrap(ASN1_OCTET_STRING, "c",
2289 chunk_from_chars(0x00,0x02)),
2290 asn1_wrap(ASN1_SEQUENCE, "m", v6blocks));
2291 }
2292 ipAddrBlocks = asn1_wrap(ASN1_SEQUENCE, "mm",
2293 asn1_build_known_oid(OID_IP_ADDR_BLOCKS),
2294 asn1_wrap(ASN1_OCTET_STRING, "m",
2295 asn1_wrap(ASN1_SEQUENCE, "mm",
2296 v4blocks, v6blocks)));
2297 cert->flags |= X509_IP_ADDR_BLOCKS;
2298 }
2299
2300 if (cert->permitted_names->get_count(cert->permitted_names) ||
2301 cert->excluded_names->get_count(cert->excluded_names))
2302 {
2303 chunk_t permitted = chunk_empty, excluded = chunk_empty, subtree;
2304 identification_t *id;
2305
2306 enumerator = create_name_constraint_enumerator(cert, TRUE);
2307 while (enumerator->enumerate(enumerator, &id))
2308 {
2309 subtree = asn1_wrap(ASN1_SEQUENCE, "m", build_generalName(id));
2310 permitted = chunk_cat("mm", permitted, subtree);
2311 }
2312 enumerator->destroy(enumerator);
2313 if (permitted.ptr)
2314 {
2315 permitted = asn1_wrap(ASN1_CONTEXT_C_0, "m", permitted);
2316 }
2317
2318 enumerator = create_name_constraint_enumerator(cert, FALSE);
2319 while (enumerator->enumerate(enumerator, &id))
2320 {
2321 subtree = asn1_wrap(ASN1_SEQUENCE, "m", build_generalName(id));
2322 excluded = chunk_cat("mm", excluded, subtree);
2323 }
2324 enumerator->destroy(enumerator);
2325 if (excluded.ptr)
2326 {
2327 excluded = asn1_wrap(ASN1_CONTEXT_C_1, "m", excluded);
2328 }
2329
2330 nameConstraints = asn1_wrap(ASN1_SEQUENCE, "mm",
2331 asn1_build_known_oid(OID_NAME_CONSTRAINTS),
2332 asn1_wrap(ASN1_OCTET_STRING, "m",
2333 asn1_wrap(ASN1_SEQUENCE, "mm",
2334 permitted, excluded)));
2335 }
2336
2337 if (cert->cert_policies->get_count(cert->cert_policies))
2338 {
2339 x509_cert_policy_t *policy;
2340
2341 enumerator = create_cert_policy_enumerator(cert);
2342 while (enumerator->enumerate(enumerator, &policy))
2343 {
2344 chunk_t chunk = chunk_empty, cps = chunk_empty, notice = chunk_empty;
2345
2346 if (policy->cps_uri)
2347 {
2348 cps = asn1_wrap(ASN1_SEQUENCE, "mm",
2349 asn1_build_known_oid(OID_POLICY_QUALIFIER_CPS),
2350 asn1_wrap(ASN1_IA5STRING, "c",
2351 chunk_create(policy->cps_uri,
2352 strlen(policy->cps_uri))));
2353 }
2354 if (policy->unotice_text)
2355 {
2356 notice = asn1_wrap(ASN1_SEQUENCE, "mm",
2357 asn1_build_known_oid(OID_POLICY_QUALIFIER_UNOTICE),
2358 asn1_wrap(ASN1_SEQUENCE, "m",
2359 asn1_wrap(ASN1_VISIBLESTRING, "c",
2360 chunk_create(policy->unotice_text,
2361 strlen(policy->unotice_text)))));
2362 }
2363 if (cps.len || notice.len)
2364 {
2365 chunk = asn1_wrap(ASN1_SEQUENCE, "mm", cps, notice);
2366 }
2367 chunk = asn1_wrap(ASN1_SEQUENCE, "mm",
2368 asn1_wrap(ASN1_OID, "c", policy->oid), chunk);
2369 certPolicies = chunk_cat("mm", certPolicies, chunk);
2370 }
2371 enumerator->destroy(enumerator);
2372
2373 certPolicies = asn1_wrap(ASN1_SEQUENCE, "mm",
2374 asn1_build_known_oid(OID_CERTIFICATE_POLICIES),
2375 asn1_wrap(ASN1_OCTET_STRING, "m",
2376 asn1_wrap(ASN1_SEQUENCE, "m", certPolicies)));
2377 }
2378
2379 if (cert->policy_mappings->get_count(cert->policy_mappings))
2380 {
2381 x509_policy_mapping_t *mapping;
2382
2383 enumerator = create_policy_mapping_enumerator(cert);
2384 while (enumerator->enumerate(enumerator, &mapping))
2385 {
2386 chunk_t chunk;
2387
2388 chunk = asn1_wrap(ASN1_SEQUENCE, "mm",
2389 asn1_wrap(ASN1_OID, "c", mapping->issuer),
2390 asn1_wrap(ASN1_OID, "c", mapping->subject));
2391 policyMappings = chunk_cat("mm", policyMappings, chunk);
2392 }
2393 enumerator->destroy(enumerator);
2394
2395 policyMappings = asn1_wrap(ASN1_SEQUENCE, "mm",
2396 asn1_build_known_oid(OID_POLICY_MAPPINGS),
2397 asn1_wrap(ASN1_OCTET_STRING, "m",
2398 asn1_wrap(ASN1_SEQUENCE, "m", policyMappings)));
2399 }
2400
2401 if (cert->inhibit_mapping != X509_NO_CONSTRAINT ||
2402 cert->require_explicit != X509_NO_CONSTRAINT)
2403 {
2404 chunk_t inhibit = chunk_empty, explicit = chunk_empty;
2405
2406 if (cert->require_explicit != X509_NO_CONSTRAINT)
2407 {
2408 explicit = asn1_wrap(ASN1_CONTEXT_C_0, "m",
2409 asn1_integer("c",
2410 chunk_from_thing(cert->require_explicit)));
2411 }
2412 if (cert->inhibit_mapping != X509_NO_CONSTRAINT)
2413 {
2414 inhibit = asn1_wrap(ASN1_CONTEXT_C_1, "m",
2415 asn1_integer("c",
2416 chunk_from_thing(cert->inhibit_mapping)));
2417 }
2418 policyConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
2419 asn1_build_known_oid(OID_POLICY_CONSTRAINTS),
2420 asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
2421 asn1_wrap(ASN1_OCTET_STRING, "m",
2422 asn1_wrap(ASN1_SEQUENCE, "mm",
2423 explicit, inhibit)));
2424 }
2425
2426 if (cert->inhibit_any != X509_NO_CONSTRAINT)
2427 {
2428 inhibitAnyPolicy = asn1_wrap(ASN1_SEQUENCE, "mmm",
2429 asn1_build_known_oid(OID_INHIBIT_ANY_POLICY),
2430 asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
2431 asn1_wrap(ASN1_OCTET_STRING, "m",
2432 asn1_integer("c",
2433 chunk_from_thing(cert->inhibit_any))));
2434 }
2435
2436 if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
2437 crlDistributionPoints.ptr || nameConstraints.ptr || ipAddrBlocks.ptr)
2438 {
2439 extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
2440 asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmmmm",
2441 basicConstraints, keyUsage, subjectKeyIdentifier,
2442 authKeyIdentifier, subjectAltNames,
2443 extendedKeyUsage, crlDistributionPoints,
2444 authorityInfoAccess, nameConstraints, certPolicies,
2445 policyMappings, policyConstraints, inhibitAnyPolicy,
2446 ipAddrBlocks));
2447 }
2448
2449 cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
2450 asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
2451 asn1_integer("c", cert->serialNumber),
2452 asn1_algorithmIdentifier(cert->algorithm),
2453 issuer->get_encoding(issuer),
2454 asn1_wrap(ASN1_SEQUENCE, "mm",
2455 asn1_from_time(&cert->notBefore, ASN1_UTCTIME),
2456 asn1_from_time(&cert->notAfter, ASN1_UTCTIME)),
2457 subject->get_encoding(subject),
2458 key_info, extensions);
2459
2460 if (!sign_key->sign(sign_key, scheme, cert->tbsCertificate, &cert->signature))
2461 {
2462 return FALSE;
2463 }
2464 cert->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm", cert->tbsCertificate,
2465 asn1_algorithmIdentifier(cert->algorithm),
2466 asn1_bitstring("c", cert->signature));
2467
2468 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
2469 if (!hasher ||
2470 !hasher->allocate_hash(hasher, cert->encoding, &cert->encoding_hash))
2471 {
2472 DESTROY_IF(hasher);
2473 return FALSE;
2474 }
2475 hasher->destroy(hasher);
2476 return TRUE;
2477 }
2478
2479 /**
2480 * See header.
2481 */
2482 x509_cert_t *x509_cert_load(certificate_type_t type, va_list args)
2483 {
2484 x509_flag_t flags = 0;
2485 chunk_t blob = chunk_empty;
2486
2487 while (TRUE)
2488 {
2489 switch (va_arg(args, builder_part_t))
2490 {
2491 case BUILD_BLOB_ASN1_DER:
2492 blob = va_arg(args, chunk_t);
2493 continue;
2494 case BUILD_X509_FLAG:
2495 flags |= va_arg(args, x509_flag_t);
2496 continue;
2497 case BUILD_END:
2498 break;
2499 default:
2500 return NULL;
2501 }
2502 break;
2503 }
2504
2505 if (blob.ptr)
2506 {
2507 private_x509_cert_t *cert = create_empty();
2508
2509 cert->encoding = chunk_clone(blob);
2510 cert->parsed = TRUE;
2511 if (parse_certificate(cert))
2512 {
2513 cert->flags |= flags;
2514 return &cert->public;
2515 }
2516 destroy(cert);
2517 }
2518 return NULL;
2519 }
2520
2521 /**
2522 * See header.
2523 */
2524 x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
2525 {
2526 private_x509_cert_t *cert;
2527 certificate_t *sign_cert = NULL;
2528 private_key_t *sign_key = NULL;
2529 hash_algorithm_t digest_alg = HASH_SHA1;
2530 u_int constraint;
2531
2532 cert = create_empty();
2533 while (TRUE)
2534 {
2535 switch (va_arg(args, builder_part_t))
2536 {
2537 case BUILD_X509_FLAG:
2538 cert->flags |= va_arg(args, x509_flag_t);
2539 continue;
2540 case BUILD_SIGNING_KEY:
2541 sign_key = va_arg(args, private_key_t*);
2542 continue;
2543 case BUILD_SIGNING_CERT:
2544 sign_cert = va_arg(args, certificate_t*);
2545 continue;
2546 case BUILD_PUBLIC_KEY:
2547 cert->public_key = va_arg(args, public_key_t*);
2548 cert->public_key->get_ref(cert->public_key);
2549 continue;
2550 case BUILD_SUBJECT:
2551 cert->subject = va_arg(args, identification_t*);
2552 cert->subject = cert->subject->clone(cert->subject);
2553 continue;
2554 case BUILD_SUBJECT_ALTNAMES:
2555 {
2556 enumerator_t *enumerator;
2557 identification_t *id;
2558 linked_list_t *list;
2559
2560 list = va_arg(args, linked_list_t*);
2561 enumerator = list->create_enumerator(list);
2562 while (enumerator->enumerate(enumerator, &id))
2563 {
2564 cert->subjectAltNames->insert_last(cert->subjectAltNames,
2565 id->clone(id));
2566 }
2567 enumerator->destroy(enumerator);
2568 continue;
2569 }
2570 case BUILD_CRL_DISTRIBUTION_POINTS:
2571 {
2572 enumerator_t *enumerator;
2573 linked_list_t *list;
2574 x509_cdp_t *in, *cdp;
2575
2576 list = va_arg(args, linked_list_t*);
2577 enumerator = list->create_enumerator(list);
2578 while (enumerator->enumerate(enumerator, &in))
2579 {
2580 INIT(cdp,
2581 .uri = strdup(in->uri),
2582 .issuer = in->issuer ? in->issuer->clone(in->issuer) : NULL,
2583 );
2584 cert->crl_uris->insert_last(cert->crl_uris, cdp);
2585 }
2586 enumerator->destroy(enumerator);
2587 continue;
2588 }
2589 case BUILD_OCSP_ACCESS_LOCATIONS:
2590 {
2591 enumerator_t *enumerator;
2592 linked_list_t *list;
2593 char *uri;
2594
2595 list = va_arg(args, linked_list_t*);
2596 enumerator = list->create_enumerator(list);
2597 while (enumerator->enumerate(enumerator, &uri))
2598 {
2599 cert->ocsp_uris->insert_last(cert->ocsp_uris, strdup(uri));
2600 }
2601 enumerator->destroy(enumerator);
2602 continue;
2603 }
2604 case BUILD_PATHLEN:
2605 constraint = va_arg(args, u_int);
2606 cert->pathLenConstraint = (constraint < 128) ?
2607 constraint : X509_NO_CONSTRAINT;
2608 continue;
2609 case BUILD_ADDRBLOCKS:
2610 {
2611 enumerator_t *enumerator;
2612 traffic_selector_t *ts;
2613 linked_list_t *list;
2614
2615 list = va_arg(args, linked_list_t*);
2616 enumerator = list->create_enumerator(list);
2617 while (enumerator->enumerate(enumerator, &ts))
2618 {
2619 cert->ipAddrBlocks->insert_last(cert->ipAddrBlocks,
2620 ts->clone(ts));
2621 }
2622 enumerator->destroy(enumerator);
2623 continue;
2624 }
2625 case BUILD_PERMITTED_NAME_CONSTRAINTS:
2626 {
2627 enumerator_t *enumerator;
2628 linked_list_t *list;
2629 identification_t *constraint;
2630
2631 list = va_arg(args, linked_list_t*);
2632 enumerator = list->create_enumerator(list);
2633 while (enumerator->enumerate(enumerator, &constraint))
2634 {
2635 cert->permitted_names->insert_last(cert->permitted_names,
2636 constraint->clone(constraint));
2637 }
2638 enumerator->destroy(enumerator);
2639 continue;
2640 }
2641 case BUILD_EXCLUDED_NAME_CONSTRAINTS:
2642 {
2643 enumerator_t *enumerator;
2644 linked_list_t *list;
2645 identification_t *constraint;
2646
2647 list = va_arg(args, linked_list_t*);
2648 enumerator = list->create_enumerator(list);
2649 while (enumerator->enumerate(enumerator, &constraint))
2650 {
2651 cert->excluded_names->insert_last(cert->excluded_names,
2652 constraint->clone(constraint));
2653 }
2654 enumerator->destroy(enumerator);
2655 continue;
2656 }
2657 case BUILD_CERTIFICATE_POLICIES:
2658 {
2659 enumerator_t *enumerator;
2660 linked_list_t *list;
2661 x509_cert_policy_t *policy, *in;
2662
2663 list = va_arg(args, linked_list_t*);
2664 enumerator = list->create_enumerator(list);
2665 while (enumerator->enumerate(enumerator, &in))
2666 {
2667 INIT(policy,
2668 .oid = chunk_clone(in->oid),
2669 .cps_uri = strdupnull(in->cps_uri),
2670 .unotice_text = strdupnull(in->unotice_text),
2671 );
2672 cert->cert_policies->insert_last(cert->cert_policies, policy);
2673 }
2674 enumerator->destroy(enumerator);
2675 continue;
2676 }
2677 case BUILD_POLICY_MAPPINGS:
2678 {
2679 enumerator_t *enumerator;
2680 linked_list_t *list;
2681 x509_policy_mapping_t* mapping, *in;
2682
2683 list = va_arg(args, linked_list_t*);
2684 enumerator = list->create_enumerator(list);
2685 while (enumerator->enumerate(enumerator, &in))
2686 {
2687 INIT(mapping,
2688 .issuer = chunk_clone(in->issuer),
2689 .subject = chunk_clone(in->subject),
2690 );
2691 cert->policy_mappings->insert_last(cert->policy_mappings,
2692 mapping);
2693 }
2694 enumerator->destroy(enumerator);
2695 continue;
2696 }
2697 case BUILD_POLICY_REQUIRE_EXPLICIT:
2698 constraint = va_arg(args, u_int);
2699 cert->require_explicit = (constraint < 128) ?
2700 constraint : X509_NO_CONSTRAINT;
2701 continue;
2702 case BUILD_POLICY_INHIBIT_MAPPING:
2703 constraint = va_arg(args, u_int);
2704 cert->inhibit_mapping = (constraint < 128) ?
2705 constraint : X509_NO_CONSTRAINT;
2706 continue;
2707 case BUILD_POLICY_INHIBIT_ANY:
2708 constraint = va_arg(args, u_int);
2709 cert->inhibit_any = (constraint < 128) ?
2710 constraint : X509_NO_CONSTRAINT;
2711 continue;
2712 case BUILD_NOT_BEFORE_TIME:
2713 cert->notBefore = va_arg(args, time_t);
2714 continue;
2715 case BUILD_NOT_AFTER_TIME:
2716 cert->notAfter = va_arg(args, time_t);
2717 continue;
2718 case BUILD_SERIAL:
2719 cert->serialNumber = chunk_clone(va_arg(args, chunk_t));
2720 continue;
2721 case BUILD_DIGEST_ALG:
2722 digest_alg = va_arg(args, int);
2723 continue;
2724 case BUILD_END:
2725 break;
2726 default:
2727 destroy(cert);
2728 return NULL;
2729 }
2730 break;
2731 }
2732
2733 if (sign_key && generate(cert, sign_cert, sign_key, digest_alg))
2734 {
2735 return &cert->public;
2736 }
2737 destroy(cert);
2738 return NULL;
2739 }