Added support for msSmartcardLogon EKU
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_cert.c
1 /*
2 * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
3 * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
4 * Copyright (C) 2002 Mario Strasser
5 * Copyright (C) 2000-2006 Andreas Steffen
6 * Copyright (C) 2006-2009 Martin Willi
7 * Copyright (C) 2008 Tobias Brunner
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #define _GNU_SOURCE
22
23 #include <sys/stat.h>
24 #include <time.h>
25 #include <unistd.h>
26 #include <string.h>
27 #include <stdio.h>
28
29 #include "x509_cert.h"
30
31 #include <library.h>
32 #include <utils/debug.h>
33 #include <asn1/oid.h>
34 #include <asn1/asn1.h>
35 #include <asn1/asn1_parser.h>
36 #include <crypto/hashers/hasher.h>
37 #include <credentials/keys/private_key.h>
38 #include <collections/linked_list.h>
39 #include <utils/identification.h>
40 #include <selectors/traffic_selector.h>
41
42 /**
43 * Different kinds of generalNames
44 */
45 typedef enum {
46 GN_OTHER_NAME = 0,
47 GN_RFC822_NAME = 1,
48 GN_DNS_NAME = 2,
49 GN_X400_ADDRESS = 3,
50 GN_DIRECTORY_NAME = 4,
51 GN_EDI_PARTY_NAME = 5,
52 GN_URI = 6,
53 GN_IP_ADDRESS = 7,
54 GN_REGISTERED_ID = 8,
55 } generalNames_t;
56
57
58 typedef struct private_x509_cert_t private_x509_cert_t;
59
60 /**
61 * Private data of a x509_cert_t object.
62 */
63 struct private_x509_cert_t {
64 /**
65 * Public interface for this certificate.
66 */
67 x509_cert_t public;
68
69 /**
70 * X.509 certificate encoding in ASN.1 DER format
71 */
72 chunk_t encoding;
73
74 /**
75 * SHA1 hash of the DER encoding of this X.509 certificate
76 */
77 chunk_t encoding_hash;
78
79 /**
80 * X.509 certificate body over which signature is computed
81 */
82 chunk_t tbsCertificate;
83
84 /**
85 * Version of the X.509 certificate
86 */
87 u_int version;
88
89 /**
90 * Serial number of the X.509 certificate
91 */
92 chunk_t serialNumber;
93
94 /**
95 * ID representing the certificate issuer
96 */
97 identification_t *issuer;
98
99 /**
100 * Start time of certificate validity
101 */
102 time_t notBefore;
103
104 /**
105 * End time of certificate validity
106 */
107 time_t notAfter;
108
109 /**
110 * ID representing the certificate subject
111 */
112 identification_t *subject;
113
114 /**
115 * List of subjectAltNames as identification_t
116 */
117 linked_list_t *subjectAltNames;
118
119 /**
120 * List of crlDistributionPoints as x509_cdp_t*
121 */
122 linked_list_t *crl_uris;
123
124 /**
125 * List of ocspAccessLocations as allocated char*
126 */
127 linked_list_t *ocsp_uris;
128
129 /**
130 * List of ipAddrBlocks as traffic_selector_t
131 */
132 linked_list_t *ipAddrBlocks;
133
134 /**
135 * List of permitted name constraints
136 */
137 linked_list_t *permitted_names;
138
139 /**
140 * List of exluced name constraints
141 */
142 linked_list_t *excluded_names;
143
144 /**
145 * List of certificatePolicies, as x509_cert_policy_t
146 */
147 linked_list_t *cert_policies;
148
149 /**
150 * List of policyMappings, as x509_policy_mapping_t
151 */
152 linked_list_t *policy_mappings;
153
154 /**
155 * certificate's embedded public key
156 */
157 public_key_t *public_key;
158
159 /**
160 * Subject Key Identifier
161 */
162 chunk_t subjectKeyIdentifier;
163
164 /**
165 * Authority Key Identifier
166 */
167 chunk_t authKeyIdentifier;
168
169 /**
170 * Authority Key Serial Number
171 */
172 chunk_t authKeySerialNumber;
173
174 /**
175 * Path Length Constraint
176 */
177 u_char pathLenConstraint;
178
179 /**
180 * requireExplicitPolicy Constraint
181 */
182 u_char require_explicit;
183
184 /**
185 * inhibitPolicyMapping Constraint
186 */
187 u_char inhibit_mapping;
188
189 /**
190 * inhibitAnyPolicy Constraint
191 */
192 u_char inhibit_any;
193
194 /**
195 * x509 constraints and other flags
196 */
197 x509_flag_t flags;
198
199 /**
200 * Signature algorithm
201 */
202 int algorithm;
203
204 /**
205 * Signature
206 */
207 chunk_t signature;
208
209 /**
210 * Certificate parsed from blob/file?
211 */
212 bool parsed;
213
214 /**
215 * reference count
216 */
217 refcount_t ref;
218 };
219
220 static const chunk_t ASN1_subjectAltName_oid = chunk_from_chars(
221 0x06, 0x03, 0x55, 0x1D, 0x11
222 );
223
224 /**
225 * Destroy a CertificateDistributionPoint
226 */
227 static void crl_uri_destroy(x509_cdp_t *this)
228 {
229 free(this->uri);
230 DESTROY_IF(this->issuer);
231 free(this);
232 }
233
234 /**
235 * Destroy a CertificatePolicy
236 */
237 static void cert_policy_destroy(x509_cert_policy_t *this)
238 {
239 free(this->oid.ptr);
240 free(this->cps_uri);
241 free(this->unotice_text);
242 free(this);
243 }
244
245 /**
246 * Free policy mapping
247 */
248 static void policy_mapping_destroy(x509_policy_mapping_t *mapping)
249 {
250 free(mapping->issuer.ptr);
251 free(mapping->subject.ptr);
252 free(mapping);
253 }
254
255 /**
256 * Parse a length constraint from an unwrapped integer
257 */
258 static u_int parse_constraint(chunk_t object)
259 {
260 switch (object.len)
261 {
262 case 0:
263 return 0;
264 case 1:
265 return (object.ptr[0] & 0x80) ? X509_NO_CONSTRAINT : object.ptr[0];
266 default:
267 return X509_NO_CONSTRAINT;
268 }
269 }
270
271 /**
272 * ASN.1 definition of a basicConstraints extension
273 */
274 static const asn1Object_t basicConstraintsObjects[] = {
275 { 0, "basicConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
276 { 1, "CA", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 1 */
277 { 1, "pathLenConstraint", ASN1_INTEGER, ASN1_OPT|ASN1_BODY }, /* 2 */
278 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
279 { 0, "exit", ASN1_EOC, ASN1_EXIT }
280 };
281 #define BASIC_CONSTRAINTS_CA 1
282 #define BASIC_CONSTRAINTS_PATH_LEN 2
283
284 /**
285 * Extracts the basicConstraints extension
286 */
287 static void parse_basicConstraints(chunk_t blob, int level0,
288 private_x509_cert_t *this)
289 {
290 asn1_parser_t *parser;
291 chunk_t object;
292 int objectID;
293 bool isCA = FALSE;
294
295 parser = asn1_parser_create(basicConstraintsObjects, blob);
296 parser->set_top_level(parser, level0);
297
298 while (parser->iterate(parser, &objectID, &object))
299 {
300 switch (objectID)
301 {
302 case BASIC_CONSTRAINTS_CA:
303 isCA = object.len && *object.ptr;
304 DBG2(DBG_ASN, " %s", isCA ? "TRUE" : "FALSE");
305 if (isCA)
306 {
307 this->flags |= X509_CA;
308 }
309 break;
310 case BASIC_CONSTRAINTS_PATH_LEN:
311 if (isCA)
312 {
313 this->pathLenConstraint = parse_constraint(object);
314 }
315 break;
316 default:
317 break;
318 }
319 }
320 parser->destroy(parser);
321 }
322
323 /**
324 * ASN.1 definition of otherName
325 */
326 static const asn1Object_t otherNameObjects[] = {
327 {0, "type-id", ASN1_OID, ASN1_BODY }, /* 0 */
328 {0, "value", ASN1_CONTEXT_C_0, ASN1_BODY }, /* 1 */
329 {0, "exit", ASN1_EOC, ASN1_EXIT }
330 };
331 #define ON_OBJ_ID_TYPE 0
332 #define ON_OBJ_VALUE 1
333
334 /**
335 * Extracts an otherName
336 */
337 static bool parse_otherName(chunk_t *blob, int level0, id_type_t *type)
338 {
339 asn1_parser_t *parser;
340 chunk_t object;
341 int objectID;
342 int oid = OID_UNKNOWN;
343 bool success = FALSE;
344
345 parser = asn1_parser_create(otherNameObjects, *blob);
346 parser->set_top_level(parser, level0);
347
348 while (parser->iterate(parser, &objectID, &object))
349 {
350 switch (objectID)
351 {
352 case ON_OBJ_ID_TYPE:
353 oid = asn1_known_oid(object);
354 break;
355 case ON_OBJ_VALUE:
356 switch (oid)
357 {
358 case OID_XMPP_ADDR:
359 if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
360 parser->get_level(parser)+1, "xmppAddr"))
361 {
362 goto end;
363 }
364 break;
365 case OID_USER_PRINCIPAL_NAME:
366 if (asn1_parse_simple_object(&object, ASN1_UTF8STRING,
367 parser->get_level(parser)+1, "msUPN"))
368 { /* we handle UPNs as RFC822 addr */
369 *blob = object;
370 *type = ID_RFC822_ADDR;
371 }
372 else
373 {
374 goto end;
375 }
376 break;
377 }
378 break;
379 default:
380 break;
381 }
382 }
383 success = parser->success(parser);
384
385 end:
386 parser->destroy(parser);
387 return success;
388 }
389
390 /**
391 * ASN.1 definition of generalName
392 */
393 static const asn1Object_t generalNameObjects[] = {
394 { 0, "otherName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_BODY }, /* 0 */
395 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 1 */
396 { 0, "rfc822Name", ASN1_CONTEXT_S_1, ASN1_OPT|ASN1_BODY }, /* 2 */
397 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 3 */
398 { 0, "dnsName", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 4 */
399 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
400 { 0, "x400Address", ASN1_CONTEXT_S_3, ASN1_OPT|ASN1_BODY }, /* 6 */
401 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
402 { 0, "directoryName", ASN1_CONTEXT_C_4, ASN1_OPT|ASN1_BODY }, /* 8 */
403 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
404 { 0, "ediPartyName", ASN1_CONTEXT_C_5, ASN1_OPT|ASN1_BODY }, /* 10 */
405 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
406 { 0, "URI", ASN1_CONTEXT_S_6, ASN1_OPT|ASN1_BODY }, /* 12 */
407 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 13 */
408 { 0, "ipAddress", ASN1_CONTEXT_S_7, ASN1_OPT|ASN1_BODY }, /* 14 */
409 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 15 */
410 { 0, "registeredID", ASN1_CONTEXT_S_8, ASN1_OPT|ASN1_BODY }, /* 16 */
411 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 17 */
412 { 0, "exit", ASN1_EOC, ASN1_EXIT }
413 };
414 #define GN_OBJ_OTHER_NAME 0
415 #define GN_OBJ_RFC822_NAME 2
416 #define GN_OBJ_DNS_NAME 4
417 #define GN_OBJ_X400_ADDRESS 6
418 #define GN_OBJ_DIRECTORY_NAME 8
419 #define GN_OBJ_EDI_PARTY_NAME 10
420 #define GN_OBJ_URI 12
421 #define GN_OBJ_IP_ADDRESS 14
422 #define GN_OBJ_REGISTERED_ID 16
423
424 /**
425 * Extracts a generalName
426 */
427 static identification_t *parse_generalName(chunk_t blob, int level0)
428 {
429 asn1_parser_t *parser;
430 chunk_t object;
431 int objectID ;
432
433 identification_t *gn = NULL;
434
435 parser = asn1_parser_create(generalNameObjects, blob);
436 parser->set_top_level(parser, level0);
437
438 while (parser->iterate(parser, &objectID, &object))
439 {
440 id_type_t id_type = ID_ANY;
441
442 switch (objectID)
443 {
444 case GN_OBJ_RFC822_NAME:
445 id_type = ID_RFC822_ADDR;
446 break;
447 case GN_OBJ_DNS_NAME:
448 id_type = ID_FQDN;
449 break;
450 case GN_OBJ_URI:
451 id_type = ID_DER_ASN1_GN_URI;
452 break;
453 case GN_OBJ_DIRECTORY_NAME:
454 id_type = ID_DER_ASN1_DN;
455 break;
456 case GN_OBJ_IP_ADDRESS:
457 switch (object.len)
458 {
459 case 4:
460 id_type = ID_IPV4_ADDR;
461 break;
462 case 16:
463 id_type = ID_IPV6_ADDR;
464 break;
465 default:
466 break;
467 }
468 break;
469 case GN_OBJ_OTHER_NAME:
470 if (!parse_otherName(&object, parser->get_level(parser)+1,
471 &id_type))
472 {
473 goto end;
474 }
475 break;
476 case GN_OBJ_X400_ADDRESS:
477 case GN_OBJ_EDI_PARTY_NAME:
478 case GN_OBJ_REGISTERED_ID:
479 default:
480 break;
481 }
482 if (id_type != ID_ANY)
483 {
484 gn = identification_create_from_encoding(id_type, object);
485 DBG2(DBG_ASN, " '%Y'", gn);
486 goto end;
487 }
488 }
489
490 end:
491 parser->destroy(parser);
492 return gn;
493 }
494
495 /**
496 * ASN.1 definition of generalNames
497 */
498 static const asn1Object_t generalNamesObjects[] = {
499 { 0, "generalNames", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
500 { 1, "generalName", ASN1_EOC, ASN1_RAW }, /* 1 */
501 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
502 { 0, "exit", ASN1_EOC, ASN1_EXIT }
503 };
504 #define GENERAL_NAMES_GN 1
505
506 /**
507 * Extracts one or several GNs and puts them into a chained list
508 */
509 void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list)
510 {
511 asn1_parser_t *parser;
512 chunk_t object;
513 int objectID;
514
515 parser = asn1_parser_create(generalNamesObjects, blob);
516 parser->set_top_level(parser, level0);
517 parser->set_flags(parser, implicit, FALSE);
518
519 while (parser->iterate(parser, &objectID, &object))
520 {
521 if (objectID == GENERAL_NAMES_GN)
522 {
523 identification_t *gn = parse_generalName(object,
524 parser->get_level(parser)+1);
525
526 if (gn)
527 {
528 list->insert_last(list, (void *)gn);
529 }
530 }
531 }
532 parser->destroy(parser);
533 }
534
535 /**
536 * ASN.1 definition of a authorityKeyIdentifier extension
537 */
538 static const asn1Object_t authKeyIdentifierObjects[] = {
539 { 0, "authorityKeyIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
540 { 1, "keyIdentifier", ASN1_CONTEXT_S_0, ASN1_OPT|ASN1_BODY }, /* 1 */
541 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
542 { 1, "authorityCertIssuer", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_OBJ }, /* 3 */
543 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 4 */
544 { 1, "authorityCertSerialNumber", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 5 */
545 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
546 { 0, "exit", ASN1_EOC, ASN1_EXIT }
547 };
548 #define AUTH_KEY_ID_KEY_ID 1
549 #define AUTH_KEY_ID_CERT_ISSUER 3
550 #define AUTH_KEY_ID_CERT_SERIAL 5
551
552 /**
553 * Extracts an authoritykeyIdentifier
554 */
555 chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
556 chunk_t *authKeySerialNumber)
557 {
558 asn1_parser_t *parser;
559 chunk_t object;
560 int objectID;
561 chunk_t authKeyIdentifier = chunk_empty;
562
563 *authKeySerialNumber = chunk_empty;
564
565 parser = asn1_parser_create(authKeyIdentifierObjects, blob);
566 parser->set_top_level(parser, level0);
567
568 while (parser->iterate(parser, &objectID, &object))
569 {
570 switch (objectID)
571 {
572 case AUTH_KEY_ID_KEY_ID:
573 authKeyIdentifier = chunk_clone(object);
574 break;
575 case AUTH_KEY_ID_CERT_ISSUER:
576 /* TODO: x509_parse_generalNames(object, level+1, TRUE); */
577 break;
578 case AUTH_KEY_ID_CERT_SERIAL:
579 *authKeySerialNumber = object;
580 break;
581 default:
582 break;
583 }
584 }
585 parser->destroy(parser);
586 return authKeyIdentifier;
587 }
588
589 /**
590 * ASN.1 definition of a authorityInfoAccess extension
591 */
592 static const asn1Object_t authInfoAccessObjects[] = {
593 { 0, "authorityInfoAccess", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
594 { 1, "accessDescription", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
595 { 2, "accessMethod", ASN1_OID, ASN1_BODY }, /* 2 */
596 { 2, "accessLocation", ASN1_EOC, ASN1_RAW }, /* 3 */
597 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
598 { 0, "exit", ASN1_EOC, ASN1_EXIT }
599 };
600 #define AUTH_INFO_ACCESS_METHOD 2
601 #define AUTH_INFO_ACCESS_LOCATION 3
602
603 /**
604 * Extracts an authorityInfoAcess location
605 */
606 static void parse_authorityInfoAccess(chunk_t blob, int level0,
607 private_x509_cert_t *this)
608 {
609 asn1_parser_t *parser;
610 chunk_t object;
611 int objectID;
612 int accessMethod = OID_UNKNOWN;
613
614 parser = asn1_parser_create(authInfoAccessObjects, blob);
615 parser->set_top_level(parser, level0);
616
617 while (parser->iterate(parser, &objectID, &object))
618 {
619 switch (objectID)
620 {
621 case AUTH_INFO_ACCESS_METHOD:
622 accessMethod = asn1_known_oid(object);
623 break;
624 case AUTH_INFO_ACCESS_LOCATION:
625 {
626 switch (accessMethod)
627 {
628 case OID_OCSP:
629 case OID_CA_ISSUERS:
630 {
631 identification_t *id;
632 char *uri;
633
634 id = parse_generalName(object,
635 parser->get_level(parser)+1);
636 if (id == NULL)
637 {
638 /* parsing went wrong - abort */
639 goto end;
640 }
641 DBG2(DBG_ASN, " '%Y'", id);
642 if (accessMethod == OID_OCSP &&
643 asprintf(&uri, "%Y", id) > 0)
644 {
645 this->ocsp_uris->insert_last(this->ocsp_uris, uri);
646 }
647 id->destroy(id);
648 }
649 break;
650 default:
651 /* unknown accessMethod, ignoring */
652 break;
653 }
654 break;
655 }
656 default:
657 break;
658 }
659 }
660
661 end:
662 parser->destroy(parser);
663 }
664
665 /**
666 * Extract KeyUsage flags
667 */
668 static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this)
669 {
670 enum {
671 KU_DIGITAL_SIGNATURE = 0,
672 KU_NON_REPUDIATION = 1,
673 KU_KEY_ENCIPHERMENT = 2,
674 KU_DATA_ENCIPHERMENT = 3,
675 KU_KEY_AGREEMENT = 4,
676 KU_KEY_CERT_SIGN = 5,
677 KU_CRL_SIGN = 6,
678 KU_ENCIPHER_ONLY = 7,
679 KU_DECIPHER_ONLY = 8,
680 };
681
682 if (asn1_unwrap(&blob, &blob) == ASN1_BIT_STRING && blob.len)
683 {
684 int bit, byte, unused = blob.ptr[0];
685
686 blob = chunk_skip(blob, 1);
687 for (byte = 0; byte < blob.len; byte++)
688 {
689 for (bit = 0; bit < 8; bit++)
690 {
691 if (byte == blob.len - 1 && bit > (7 - unused))
692 {
693 break;
694 }
695 if (blob.ptr[byte] & 1 << (7 - bit))
696 {
697 switch (byte * 8 + bit)
698 {
699 case KU_CRL_SIGN:
700 this->flags |= X509_CRL_SIGN;
701 break;
702 case KU_KEY_CERT_SIGN:
703 /* we use the caBasicConstraint, MUST be set */
704 case KU_DIGITAL_SIGNATURE:
705 case KU_NON_REPUDIATION:
706 case KU_KEY_ENCIPHERMENT:
707 case KU_DATA_ENCIPHERMENT:
708 case KU_KEY_AGREEMENT:
709 case KU_ENCIPHER_ONLY:
710 case KU_DECIPHER_ONLY:
711 break;
712 }
713 }
714 }
715 }
716 }
717 }
718
719 /**
720 * ASN.1 definition of a extendedKeyUsage extension
721 */
722 static const asn1Object_t extendedKeyUsageObjects[] = {
723 { 0, "extendedKeyUsage", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
724 { 1, "keyPurposeID", ASN1_OID, ASN1_BODY }, /* 1 */
725 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
726 { 0, "exit", ASN1_EOC, ASN1_EXIT }
727 };
728 #define EXT_KEY_USAGE_PURPOSE_ID 1
729
730 /**
731 * Extracts extendedKeyUsage OIDs
732 */
733 static void parse_extendedKeyUsage(chunk_t blob, int level0,
734 private_x509_cert_t *this)
735 {
736 asn1_parser_t *parser;
737 chunk_t object;
738 int objectID;
739
740 parser = asn1_parser_create(extendedKeyUsageObjects, blob);
741 parser->set_top_level(parser, level0);
742
743 while (parser->iterate(parser, &objectID, &object))
744 {
745 if (objectID == EXT_KEY_USAGE_PURPOSE_ID)
746 {
747 switch (asn1_known_oid(object))
748 {
749 case OID_SERVER_AUTH:
750 this->flags |= X509_SERVER_AUTH;
751 break;
752 case OID_CLIENT_AUTH:
753 this->flags |= X509_CLIENT_AUTH;
754 break;
755 case OID_IKE_INTERMEDIATE:
756 this->flags |= X509_IKE_INTERMEDIATE;
757 break;
758 case OID_OCSP_SIGNING:
759 this->flags |= X509_OCSP_SIGNER;
760 break;
761 case OID_MS_SMARTCARD_LOGON:
762 this->flags |= X509_MS_SMARTCARD_LOGON;
763 break;
764 default:
765 break;
766 }
767 }
768 }
769 parser->destroy(parser);
770 }
771
772 /**
773 * ASN.1 definition of crlDistributionPoints
774 */
775 static const asn1Object_t crlDistributionPointsObjects[] = {
776 { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
777 { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
778 { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */
779 { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
780 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
781 { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
782 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
783 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
784 { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
785 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
786 { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */
787 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
788 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
789 { 0, "exit", ASN1_EOC, ASN1_EXIT }
790 };
791 #define CRL_DIST_POINTS 1
792 #define CRL_DIST_POINTS_FULLNAME 3
793 #define CRL_DIST_POINTS_ISSUER 10
794
795 /**
796 * Add entry to the list of each pairing of URI and Issuer
797 */
798 static void add_cdps(linked_list_t *list, linked_list_t *uris,
799 linked_list_t *issuers)
800 {
801 identification_t *issuer, *id;
802 enumerator_t *enumerator;
803 x509_cdp_t *cdp;
804 char *uri;
805
806 while (uris->remove_last(uris, (void**)&id) == SUCCESS)
807 {
808 if (asprintf(&uri, "%Y", id) > 0)
809 {
810 if (issuers->get_count(issuers))
811 {
812 enumerator = issuers->create_enumerator(issuers);
813 while (enumerator->enumerate(enumerator, &issuer))
814 {
815 INIT(cdp,
816 .uri = strdup(uri),
817 .issuer = issuer->clone(issuer),
818 );
819 list->insert_last(list, cdp);
820 }
821 enumerator->destroy(enumerator);
822 free(uri);
823 }
824 else
825 {
826 INIT(cdp,
827 .uri = uri,
828 );
829 list->insert_last(list, cdp);
830 }
831 }
832 id->destroy(id);
833 }
834 while (issuers->remove_last(issuers, (void**)&id) == SUCCESS)
835 {
836 id->destroy(id);
837 }
838 }
839
840 /**
841 * Extracts one or several crlDistributionPoints into a list
842 */
843 void x509_parse_crlDistributionPoints(chunk_t blob, int level0,
844 linked_list_t *list)
845 {
846 linked_list_t *uris, *issuers;
847 asn1_parser_t *parser;
848 chunk_t object;
849 int objectID;
850
851 uris = linked_list_create();
852 issuers = linked_list_create();
853 parser = asn1_parser_create(crlDistributionPointsObjects, blob);
854 parser->set_top_level(parser, level0);
855
856 while (parser->iterate(parser, &objectID, &object))
857 {
858 switch (objectID)
859 {
860 case CRL_DIST_POINTS:
861 add_cdps(list, uris, issuers);
862 break;
863 case CRL_DIST_POINTS_FULLNAME:
864 x509_parse_generalNames(object, parser->get_level(parser) + 1,
865 TRUE, uris);
866 break;
867 case CRL_DIST_POINTS_ISSUER:
868 x509_parse_generalNames(object, parser->get_level(parser) + 1,
869 TRUE, issuers);
870 break;
871 default:
872 break;
873 }
874 }
875 parser->destroy(parser);
876
877 add_cdps(list, uris, issuers);
878
879 uris->destroy(uris);
880 issuers->destroy(issuers);
881 }
882
883 /**
884 * ASN.1 definition of nameConstraints
885 */
886 static const asn1Object_t nameConstraintsObjects[] = {
887 { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
888 { 1, "permittedSubtrees", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 1 */
889 { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 2 */
890 { 1, "end loop", ASN1_EOC, ASN1_END }, /* 3 */
891 { 1, "excludedSubtrees", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_LOOP }, /* 4 */
892 { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */
893 { 1, "end loop", ASN1_EOC, ASN1_END }, /* 6 */
894 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 7 */
895 { 0, "exit", ASN1_EOC, ASN1_EXIT }
896 };
897 #define NAME_CONSTRAINT_PERMITTED 2
898 #define NAME_CONSTRAINT_EXCLUDED 5
899
900 /**
901 * Parse permitted/excluded nameConstraints
902 */
903 static void parse_nameConstraints(chunk_t blob, int level0,
904 private_x509_cert_t *this)
905 {
906 asn1_parser_t *parser;
907 identification_t *id;
908 chunk_t object;
909 int objectID;
910
911 parser = asn1_parser_create(nameConstraintsObjects, blob);
912 parser->set_top_level(parser, level0);
913
914 while (parser->iterate(parser, &objectID, &object))
915 {
916 switch (objectID)
917 {
918 case NAME_CONSTRAINT_PERMITTED:
919 id = parse_generalName(object, parser->get_level(parser) + 1);
920 if (id)
921 {
922 this->permitted_names->insert_last(this->permitted_names, id);
923 }
924 break;
925 case NAME_CONSTRAINT_EXCLUDED:
926 id = parse_generalName(object, parser->get_level(parser) + 1);
927 if (id)
928 {
929 this->excluded_names->insert_last(this->excluded_names, id);
930 }
931 break;
932 default:
933 break;
934 }
935 }
936 parser->destroy(parser);
937 }
938
939 /**
940 * ASN.1 definition of a certificatePolicies extension
941 */
942 static const asn1Object_t certificatePoliciesObject[] = {
943 { 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
944 { 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
945 { 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */
946 { 2, "qualifiers", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 3 */
947 { 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */
948 { 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */
949 { 4, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
950 { 4, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
951 { 4, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 8 */
952 { 5, "explicitText", ASN1_EOC, ASN1_RAW }, /* 9 */
953 { 4, "end choice", ASN1_EOC, ASN1_END }, /* 10 */
954 { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */
955 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
956 { 0, "exit", ASN1_EOC, ASN1_EXIT }
957 };
958 #define CERT_POLICY_ID 2
959 #define CERT_POLICY_QUALIFIER_ID 5
960 #define CERT_POLICY_CPS_URI 6
961 #define CERT_POLICY_EXPLICIT_TEXT 9
962
963 /**
964 * Parse certificatePolicies
965 */
966 static void parse_certificatePolicies(chunk_t blob, int level0,
967 private_x509_cert_t *this)
968 {
969 x509_cert_policy_t *policy = NULL;
970 asn1_parser_t *parser;
971 chunk_t object;
972 int objectID, qualifier = OID_UNKNOWN;
973
974 parser = asn1_parser_create(certificatePoliciesObject, blob);
975 parser->set_top_level(parser, level0);
976
977 while (parser->iterate(parser, &objectID, &object))
978 {
979 switch (objectID)
980 {
981 case CERT_POLICY_ID:
982 INIT(policy,
983 .oid = chunk_clone(object),
984 );
985 this->cert_policies->insert_last(this->cert_policies, policy);
986 break;
987 case CERT_POLICY_QUALIFIER_ID:
988 qualifier = asn1_known_oid(object);
989 break;
990 case CERT_POLICY_CPS_URI:
991 if (policy && !policy->cps_uri && object.len &&
992 qualifier == OID_POLICY_QUALIFIER_CPS &&
993 chunk_printable(object, NULL, 0))
994 {
995 policy->cps_uri = strndup(object.ptr, object.len);
996 }
997 break;
998 case CERT_POLICY_EXPLICIT_TEXT:
999 /* TODO */
1000 break;
1001 default:
1002 break;
1003 }
1004 }
1005 parser->destroy(parser);
1006 }
1007
1008 /**
1009 * ASN.1 definition of a policyMappings extension
1010 */
1011 static const asn1Object_t policyMappingsObjects[] = {
1012 { 0, "policyMappings", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
1013 { 1, "policyMapping", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
1014 { 2, "issuerPolicy", ASN1_OID, ASN1_BODY }, /* 2 */
1015 { 2, "subjectPolicy", ASN1_OID, ASN1_BODY }, /* 3 */
1016 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
1017 { 0, "exit", ASN1_EOC, ASN1_EXIT }
1018 };
1019 #define POLICY_MAPPING 1
1020 #define POLICY_MAPPING_ISSUER 2
1021 #define POLICY_MAPPING_SUBJECT 3
1022
1023 /**
1024 * Parse policyMappings
1025 */
1026 static void parse_policyMappings(chunk_t blob, int level0,
1027 private_x509_cert_t *this)
1028 {
1029 x509_policy_mapping_t *map = NULL;
1030 asn1_parser_t *parser;
1031 chunk_t object;
1032 int objectID;
1033
1034 parser = asn1_parser_create(policyMappingsObjects, blob);
1035 parser->set_top_level(parser, level0);
1036
1037 while (parser->iterate(parser, &objectID, &object))
1038 {
1039 switch (objectID)
1040 {
1041 case POLICY_MAPPING:
1042 INIT(map);
1043 this->policy_mappings->insert_last(this->policy_mappings, map);
1044 break;
1045 case POLICY_MAPPING_ISSUER:
1046 if (map && !map->issuer.len)
1047 {
1048 map->issuer = chunk_clone(object);
1049 }
1050 break;
1051 case POLICY_MAPPING_SUBJECT:
1052 if (map && !map->subject.len)
1053 {
1054 map->subject = chunk_clone(object);
1055 }
1056 break;
1057 default:
1058 break;
1059 }
1060 }
1061 parser->destroy(parser);
1062 }
1063
1064 /**
1065 * ASN.1 definition of a policyConstraints extension
1066 */
1067 static const asn1Object_t policyConstraintsObjects[] = {
1068 { 0, "policyConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
1069 { 1, "requireExplicitPolicy", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_NONE }, /* 1 */
1070 { 2, "SkipCerts", ASN1_INTEGER, ASN1_BODY }, /* 2 */
1071 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
1072 { 1, "inhibitPolicyMapping", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_NONE }, /* 4 */
1073 { 2, "SkipCerts", ASN1_INTEGER, ASN1_BODY }, /* 5 */
1074 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
1075 { 0, "exit", ASN1_EOC, ASN1_EXIT }
1076 };
1077 #define POLICY_CONSTRAINT_EXPLICIT 2
1078 #define POLICY_CONSTRAINT_INHIBIT 5
1079
1080 /**
1081 * Parse policyConstraints
1082 */
1083 static void parse_policyConstraints(chunk_t blob, int level0,
1084 private_x509_cert_t *this)
1085 {
1086 asn1_parser_t *parser;
1087 chunk_t object;
1088 int objectID;
1089
1090 parser = asn1_parser_create(policyConstraintsObjects, blob);
1091 parser->set_top_level(parser, level0);
1092
1093 while (parser->iterate(parser, &objectID, &object))
1094 {
1095 switch (objectID)
1096 {
1097 case POLICY_CONSTRAINT_EXPLICIT:
1098 this->require_explicit = parse_constraint(object);
1099 break;
1100 case POLICY_CONSTRAINT_INHIBIT:
1101 this->inhibit_mapping = parse_constraint(object);
1102 break;
1103 default:
1104 break;
1105 }
1106 }
1107 parser->destroy(parser);
1108 }
1109
1110 /**
1111 * ASN.1 definition of ipAddrBlocks according to RFC 3779
1112 */
1113 static const asn1Object_t ipAddrBlocksObjects[] = {
1114 { 0, "ipAddrBlocks", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
1115 { 1, "ipAddressFamily", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
1116 { 2, "addressFamily", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */
1117 { 2, "inherit", ASN1_NULL, ASN1_OPT|ASN1_NONE }, /* 3 */
1118 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
1119 { 2, "addressesOrRanges", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 5 */
1120 { 3, "addressPrefix", ASN1_BIT_STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
1121 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
1122 { 3, "addressRange", ASN1_SEQUENCE, ASN1_OPT|ASN1_NONE }, /* 8 */
1123 { 4, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 9 */
1124 { 4, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 10 */
1125 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
1126 { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */
1127 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
1128 { 0, "exit", ASN1_EOC, ASN1_EXIT }
1129 };
1130 #define IP_ADDR_BLOCKS_FAMILY 2
1131 #define IP_ADDR_BLOCKS_INHERIT 3
1132 #define IP_ADDR_BLOCKS_PREFIX 6
1133 #define IP_ADDR_BLOCKS_MIN 9
1134 #define IP_ADDR_BLOCKS_MAX 10
1135
1136 static bool check_address_object(ts_type_t ts_type, chunk_t object)
1137 {
1138 switch (ts_type)
1139 {
1140 case TS_IPV4_ADDR_RANGE:
1141 if (object.len > 5)
1142 {
1143 DBG1(DBG_ASN, "IPv4 address object is larger than 5 octets");
1144 return FALSE;
1145 }
1146 break;
1147 case TS_IPV6_ADDR_RANGE:
1148 if (object.len > 17)
1149 {
1150 DBG1(DBG_ASN, "IPv6 address object is larger than 17 octets");
1151 return FALSE;
1152 }
1153 break;
1154 default:
1155 DBG1(DBG_ASN, "unknown address family");
1156 return FALSE;
1157 }
1158 if (object.len == 0)
1159 {
1160 DBG1(DBG_ASN, "An ASN.1 bit string must contain at least the "
1161 "initial octet");
1162 return FALSE;
1163 }
1164 if (object.len == 1 && object.ptr[0] != 0)
1165 {
1166 DBG1(DBG_ASN, "An empty ASN.1 bit string must contain a zero "
1167 "initial octet");
1168 return FALSE;
1169 }
1170 if (object.ptr[0] > 7)
1171 {
1172 DBG1(DBG_ASN, "number of unused bits is too large");
1173 return FALSE;
1174 }
1175 return TRUE;
1176 }
1177
1178 static void parse_ipAddrBlocks(chunk_t blob, int level0,
1179 private_x509_cert_t *this)
1180 {
1181 asn1_parser_t *parser;
1182 chunk_t object, min_object;
1183 ts_type_t ts_type = 0;
1184 traffic_selector_t *ts;
1185 int objectID;
1186
1187 parser = asn1_parser_create(ipAddrBlocksObjects, blob);
1188 parser->set_top_level(parser, level0);
1189
1190 while (parser->iterate(parser, &objectID, &object))
1191 {
1192 switch (objectID)
1193 {
1194 case IP_ADDR_BLOCKS_FAMILY:
1195 ts_type = 0;
1196 if (object.len == 2 && object.ptr[0] == 0)
1197 {
1198 if (object.ptr[1] == 1)
1199 {
1200 ts_type = TS_IPV4_ADDR_RANGE;
1201 }
1202 else if (object.ptr[1] == 2)
1203 {
1204 ts_type = TS_IPV6_ADDR_RANGE;
1205 }
1206 else
1207 {
1208 break;
1209 }
1210 DBG2(DBG_ASN, " %N", ts_type_name, ts_type);
1211 }
1212 break;
1213 case IP_ADDR_BLOCKS_INHERIT:
1214 DBG1(DBG_ASN, "inherit choice is not supported");
1215 break;
1216 case IP_ADDR_BLOCKS_PREFIX:
1217 if (!check_address_object(ts_type, object))
1218 {
1219 goto end;
1220 }
1221 ts = traffic_selector_create_from_rfc3779_format(ts_type,
1222 object, object);
1223 DBG2(DBG_ASN, " %R", ts);
1224 this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
1225 break;
1226 case IP_ADDR_BLOCKS_MIN:
1227 if (!check_address_object(ts_type, object))
1228 {
1229 goto end;
1230 }
1231 min_object = object;
1232 break;
1233 case IP_ADDR_BLOCKS_MAX:
1234 if (!check_address_object(ts_type, object))
1235 {
1236 goto end;
1237 }
1238 ts = traffic_selector_create_from_rfc3779_format(ts_type,
1239 min_object, object);
1240 DBG2(DBG_ASN, " %R", ts);
1241 this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
1242 break;
1243 default:
1244 break;
1245 }
1246 }
1247 this->flags |= X509_IP_ADDR_BLOCKS;
1248
1249 end:
1250 parser->destroy(parser);
1251 }
1252
1253 /**
1254 * ASN.1 definition of an X.509v3 x509_cert
1255 */
1256 static const asn1Object_t certObjects[] = {
1257 { 0, "x509", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
1258 { 1, "tbsCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
1259 { 2, "DEFAULT v1", ASN1_CONTEXT_C_0, ASN1_DEF }, /* 2 */
1260 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
1261 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 4 */
1262 { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 5 */
1263 { 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
1264 { 2, "validity", ASN1_SEQUENCE, ASN1_NONE }, /* 7 */
1265 { 3, "notBefore", ASN1_EOC, ASN1_RAW }, /* 8 */
1266 { 3, "notAfter", ASN1_EOC, ASN1_RAW }, /* 9 */
1267 { 2, "subject", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
1268 { 2, "subjectPublicKeyInfo",ASN1_SEQUENCE, ASN1_RAW }, /* 11 */
1269 { 2, "issuerUniqueID", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 12 */
1270 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 13 */
1271 { 2, "subjectUniqueID", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 14 */
1272 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 15 */
1273 { 2, "optional extensions", ASN1_CONTEXT_C_3, ASN1_OPT }, /* 16 */
1274 { 3, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 17 */
1275 { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 18 */
1276 { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 19 */
1277 { 5, "critical", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 20 */
1278 { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 21 */
1279 { 3, "end loop", ASN1_EOC, ASN1_END }, /* 22 */
1280 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 23 */
1281 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 24 */
1282 { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY }, /* 25 */
1283 { 0, "exit", ASN1_EOC, ASN1_EXIT }
1284 };
1285 #define X509_OBJ_TBS_CERTIFICATE 1
1286 #define X509_OBJ_VERSION 3
1287 #define X509_OBJ_SERIAL_NUMBER 4
1288 #define X509_OBJ_SIG_ALG 5
1289 #define X509_OBJ_ISSUER 6
1290 #define X509_OBJ_NOT_BEFORE 8
1291 #define X509_OBJ_NOT_AFTER 9
1292 #define X509_OBJ_SUBJECT 10
1293 #define X509_OBJ_SUBJECT_PUBLIC_KEY_INFO 11
1294 #define X509_OBJ_OPTIONAL_EXTENSIONS 16
1295 #define X509_OBJ_EXTN_ID 19
1296 #define X509_OBJ_CRITICAL 20
1297 #define X509_OBJ_EXTN_VALUE 21
1298 #define X509_OBJ_ALGORITHM 24
1299 #define X509_OBJ_SIGNATURE 25
1300
1301 /**
1302 * Parses an X.509v3 certificate
1303 */
1304 static bool parse_certificate(private_x509_cert_t *this)
1305 {
1306 asn1_parser_t *parser;
1307 chunk_t object;
1308 int objectID;
1309 int extn_oid = OID_UNKNOWN;
1310 int sig_alg = OID_UNKNOWN;
1311 bool success = FALSE;
1312 bool critical = FALSE;
1313
1314 parser = asn1_parser_create(certObjects, this->encoding);
1315
1316 while (parser->iterate(parser, &objectID, &object))
1317 {
1318 u_int level = parser->get_level(parser)+1;
1319
1320 switch (objectID)
1321 {
1322 case X509_OBJ_TBS_CERTIFICATE:
1323 this->tbsCertificate = object;
1324 break;
1325 case X509_OBJ_VERSION:
1326 this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
1327 if (this->version < 1 || this->version > 3)
1328 {
1329 DBG1(DBG_ASN, "X.509v%d not supported", this->version);
1330 goto end;
1331 }
1332 else
1333 {
1334 DBG2(DBG_ASN, " X.509v%d", this->version);
1335 }
1336 break;
1337 case X509_OBJ_SERIAL_NUMBER:
1338 this->serialNumber = object;
1339 break;
1340 case X509_OBJ_SIG_ALG:
1341 sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
1342 break;
1343 case X509_OBJ_ISSUER:
1344 this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
1345 DBG2(DBG_ASN, " '%Y'", this->issuer);
1346 break;
1347 case X509_OBJ_NOT_BEFORE:
1348 this->notBefore = asn1_parse_time(object, level);
1349 break;
1350 case X509_OBJ_NOT_AFTER:
1351 this->notAfter = asn1_parse_time(object, level);
1352 break;
1353 case X509_OBJ_SUBJECT:
1354 this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
1355 DBG2(DBG_ASN, " '%Y'", this->subject);
1356 break;
1357 case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
1358 DBG2(DBG_ASN, "-- > --");
1359 this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
1360 KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
1361 DBG2(DBG_ASN, "-- < --");
1362 if (this->public_key == NULL)
1363 {
1364 goto end;
1365 }
1366 break;
1367 case X509_OBJ_OPTIONAL_EXTENSIONS:
1368 if (this->version != 3)
1369 {
1370 DBG1(DBG_ASN, "Only X.509v3 certificates have extensions");
1371 goto end;
1372 }
1373 break;
1374 case X509_OBJ_EXTN_ID:
1375 extn_oid = asn1_known_oid(object);
1376 break;
1377 case X509_OBJ_CRITICAL:
1378 critical = object.len && *object.ptr;
1379 DBG2(DBG_ASN, " %s", critical ? "TRUE" : "FALSE");
1380 break;
1381 case X509_OBJ_EXTN_VALUE:
1382 {
1383 switch (extn_oid)
1384 {
1385 case OID_SUBJECT_KEY_ID:
1386 if (!asn1_parse_simple_object(&object, ASN1_OCTET_STRING,
1387 level, "keyIdentifier"))
1388 {
1389 goto end;
1390 }
1391 this->subjectKeyIdentifier = object;
1392 break;
1393 case OID_SUBJECT_ALT_NAME:
1394 x509_parse_generalNames(object, level, FALSE,
1395 this->subjectAltNames);
1396 break;
1397 case OID_BASIC_CONSTRAINTS:
1398 parse_basicConstraints(object, level, this);
1399 break;
1400 case OID_CRL_DISTRIBUTION_POINTS:
1401 x509_parse_crlDistributionPoints(object, level,
1402 this->crl_uris);
1403 break;
1404 case OID_AUTHORITY_KEY_ID:
1405 this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
1406 level, &this->authKeySerialNumber);
1407 break;
1408 case OID_AUTHORITY_INFO_ACCESS:
1409 parse_authorityInfoAccess(object, level, this);
1410 break;
1411 case OID_KEY_USAGE:
1412 parse_keyUsage(object, this);
1413 break;
1414 case OID_EXTENDED_KEY_USAGE:
1415 parse_extendedKeyUsage(object, level, this);
1416 break;
1417 case OID_IP_ADDR_BLOCKS:
1418 parse_ipAddrBlocks(object, level, this);
1419 break;
1420 case OID_NAME_CONSTRAINTS:
1421 parse_nameConstraints(object, level, this);
1422 break;
1423 case OID_CERTIFICATE_POLICIES:
1424 parse_certificatePolicies(object, level, this);
1425 break;
1426 case OID_POLICY_MAPPINGS:
1427 parse_policyMappings(object, level, this);
1428 break;
1429 case OID_POLICY_CONSTRAINTS:
1430 parse_policyConstraints(object, level, this);
1431 break;
1432 case OID_INHIBIT_ANY_POLICY:
1433 if (!asn1_parse_simple_object(&object, ASN1_INTEGER,
1434 level, "inhibitAnyPolicy"))
1435 {
1436 goto end;
1437 }
1438 this->inhibit_any = parse_constraint(object);
1439 break;
1440 case OID_NS_REVOCATION_URL:
1441 case OID_NS_CA_REVOCATION_URL:
1442 case OID_NS_CA_POLICY_URL:
1443 case OID_NS_COMMENT:
1444 if (!asn1_parse_simple_object(&object, ASN1_IA5STRING,
1445 level, oid_names[extn_oid].name))
1446 {
1447 goto end;
1448 }
1449 break;
1450 default:
1451 if (critical && lib->settings->get_bool(lib->settings,
1452 "%s.x509.enforce_critical", TRUE, lib->ns))
1453 {
1454 DBG1(DBG_ASN, "critical '%s' extension not supported",
1455 (extn_oid == OID_UNKNOWN) ? "unknown" :
1456 (char*)oid_names[extn_oid].name);
1457 goto end;
1458 }
1459 break;
1460 }
1461 break;
1462 }
1463 case X509_OBJ_ALGORITHM:
1464 this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
1465 if (this->algorithm != sig_alg)
1466 {
1467 DBG1(DBG_ASN, " signature algorithms do not agree");
1468 goto end;
1469 }
1470 break;
1471 case X509_OBJ_SIGNATURE:
1472 this->signature = object;
1473 break;
1474 default:
1475 break;
1476 }
1477 }
1478 success = parser->success(parser);
1479
1480 end:
1481 parser->destroy(parser);
1482 if (success)
1483 {
1484 hasher_t *hasher;
1485
1486 /* check if the certificate is self-signed */
1487 if (this->public.interface.interface.issued_by(
1488 &this->public.interface.interface,
1489 &this->public.interface.interface,
1490 NULL))
1491 {
1492 this->flags |= X509_SELF_SIGNED;
1493 }
1494 /* create certificate hash */
1495 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1496 if (!hasher ||
1497 !hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash))
1498 {
1499 DESTROY_IF(hasher);
1500 DBG1(DBG_ASN, " unable to create hash of certificate, SHA1 not supported");
1501 return FALSE;
1502 }
1503 hasher->destroy(hasher);
1504 }
1505 return success;
1506 }
1507
1508 METHOD(certificate_t, get_type, certificate_type_t,
1509 private_x509_cert_t *this)
1510 {
1511 return CERT_X509;
1512 }
1513
1514 METHOD(certificate_t, get_subject, identification_t*,
1515 private_x509_cert_t *this)
1516 {
1517 return this->subject;
1518 }
1519
1520 METHOD(certificate_t, get_issuer, identification_t*,
1521 private_x509_cert_t *this)
1522 {
1523 return this->issuer;
1524 }
1525
1526 METHOD(certificate_t, has_subject, id_match_t,
1527 private_x509_cert_t *this, identification_t *subject)
1528 {
1529 identification_t *current;
1530 enumerator_t *enumerator;
1531 id_match_t match, best;
1532 chunk_t encoding;
1533
1534 if (subject->get_type(subject) == ID_KEY_ID)
1535 {
1536 encoding = subject->get_encoding(subject);
1537
1538 if (this->encoding_hash.len &&
1539 chunk_equals(this->encoding_hash, encoding))
1540 {
1541 return ID_MATCH_PERFECT;
1542 }
1543 if (this->subjectKeyIdentifier.len &&
1544 chunk_equals(this->subjectKeyIdentifier, encoding))
1545 {
1546 return ID_MATCH_PERFECT;
1547 }
1548 if (this->public_key &&
1549 this->public_key->has_fingerprint(this->public_key, encoding))
1550 {
1551 return ID_MATCH_PERFECT;
1552 }
1553 if (chunk_equals(this->serialNumber, encoding))
1554 {
1555 return ID_MATCH_PERFECT;
1556 }
1557 }
1558 best = this->subject->matches(this->subject, subject);
1559 enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
1560 while (enumerator->enumerate(enumerator, &current))
1561 {
1562 match = current->matches(current, subject);
1563 if (match > best)
1564 {
1565 best = match;
1566 }
1567 }
1568 enumerator->destroy(enumerator);
1569 return best;
1570 }
1571
1572 METHOD(certificate_t, has_issuer, id_match_t,
1573 private_x509_cert_t *this, identification_t *issuer)
1574 {
1575 /* issuerAltNames currently not supported */
1576 return this->issuer->matches(this->issuer, issuer);
1577 }
1578
1579 METHOD(certificate_t, issued_by, bool,
1580 private_x509_cert_t *this, certificate_t *issuer,
1581 signature_scheme_t *schemep)
1582 {
1583 public_key_t *key;
1584 signature_scheme_t scheme;
1585 bool valid;
1586 x509_t *x509 = (x509_t*)issuer;
1587
1588 if (&this->public.interface.interface == issuer)
1589 {
1590 if (this->flags & X509_SELF_SIGNED)
1591 {
1592 return TRUE;
1593 }
1594 }
1595 else
1596 {
1597 if (issuer->get_type(issuer) != CERT_X509)
1598 {
1599 return FALSE;
1600 }
1601 if (!(x509->get_flags(x509) & X509_CA))
1602 {
1603 return FALSE;
1604 }
1605 }
1606 if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
1607 {
1608 return FALSE;
1609 }
1610
1611 /* determine signature scheme */
1612 scheme = signature_scheme_from_oid(this->algorithm);
1613 if (scheme == SIGN_UNKNOWN)
1614 {
1615 return FALSE;
1616 }
1617 /* get the public key of the issuer */
1618 key = issuer->get_public_key(issuer);
1619 if (!key)
1620 {
1621 return FALSE;
1622 }
1623 valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
1624 key->destroy(key);
1625 if (valid && schemep)
1626 {
1627 *schemep = scheme;
1628 }
1629 return valid;
1630 }
1631
1632 METHOD(certificate_t, get_public_key, public_key_t*,
1633 private_x509_cert_t *this)
1634 {
1635 this->public_key->get_ref(this->public_key);
1636 return this->public_key;
1637 }
1638
1639 METHOD(certificate_t, get_ref, certificate_t*,
1640 private_x509_cert_t *this)
1641 {
1642 ref_get(&this->ref);
1643 return &this->public.interface.interface;
1644 }
1645
1646 METHOD(certificate_t, get_validity, bool,
1647 private_x509_cert_t *this, time_t *when, time_t *not_before,
1648 time_t *not_after)
1649 {
1650 time_t t = when ? *when : time(NULL);
1651
1652 if (not_before)
1653 {
1654 *not_before = this->notBefore;
1655 }
1656 if (not_after)
1657 {
1658 *not_after = this->notAfter;
1659 }
1660 return (t >= this->notBefore && t <= this->notAfter);
1661 }
1662
1663 METHOD(certificate_t, get_encoding, bool,
1664 private_x509_cert_t *this, cred_encoding_type_t type, chunk_t *encoding)
1665 {
1666 if (type == CERT_ASN1_DER)
1667 {
1668 *encoding = chunk_clone(this->encoding);
1669 return TRUE;
1670 }
1671 return lib->encoding->encode(lib->encoding, type, NULL, encoding,
1672 CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END);
1673 }
1674
1675 METHOD(certificate_t, equals, bool,
1676 private_x509_cert_t *this, certificate_t *other)
1677 {
1678 chunk_t encoding;
1679 bool equal;
1680
1681 if (this == (private_x509_cert_t*)other)
1682 {
1683 return TRUE;
1684 }
1685 if (other->get_type(other) != CERT_X509)
1686 {
1687 return FALSE;
1688 }
1689 if (other->equals == (void*)equals)
1690 { /* skip allocation if we have the same implementation */
1691 return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding);
1692 }
1693 if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
1694 {
1695 return FALSE;
1696 }
1697 equal = chunk_equals(this->encoding, encoding);
1698 free(encoding.ptr);
1699 return equal;
1700 }
1701
1702 METHOD(x509_t, get_flags, x509_flag_t,
1703 private_x509_cert_t *this)
1704 {
1705 return this->flags;
1706 }
1707
1708 METHOD(x509_t, get_serial, chunk_t,
1709 private_x509_cert_t *this)
1710 {
1711 return this->serialNumber;
1712 }
1713
1714 METHOD(x509_t, get_subjectKeyIdentifier, chunk_t,
1715 private_x509_cert_t *this)
1716 {
1717 if (this->subjectKeyIdentifier.ptr)
1718 {
1719 return this->subjectKeyIdentifier;
1720 }
1721 else
1722 {
1723 chunk_t fingerprint;
1724
1725 if (this->public_key->get_fingerprint(this->public_key,
1726 KEYID_PUBKEY_SHA1, &fingerprint))
1727 {
1728 return fingerprint;
1729 }
1730 else
1731 {
1732 return chunk_empty;
1733 }
1734 }
1735 }
1736
1737 METHOD(x509_t, get_authKeyIdentifier, chunk_t,
1738 private_x509_cert_t *this)
1739 {
1740 return this->authKeyIdentifier;
1741 }
1742
1743 METHOD(x509_t, get_constraint, u_int,
1744 private_x509_cert_t *this, x509_constraint_t type)
1745 {
1746 switch (type)
1747 {
1748 case X509_PATH_LEN:
1749 return this->pathLenConstraint;
1750 case X509_REQUIRE_EXPLICIT_POLICY:
1751 return this->require_explicit;
1752 case X509_INHIBIT_POLICY_MAPPING:
1753 return this->inhibit_mapping;
1754 case X509_INHIBIT_ANY_POLICY:
1755 return this->inhibit_any;
1756 default:
1757 return X509_NO_CONSTRAINT;
1758 }
1759 }
1760
1761 METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
1762 private_x509_cert_t *this)
1763 {
1764 return this->subjectAltNames->create_enumerator(this->subjectAltNames);
1765 }
1766
1767 METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*,
1768 private_x509_cert_t *this)
1769 {
1770 return this->ocsp_uris->create_enumerator(this->ocsp_uris);
1771 }
1772
1773 METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*,
1774 private_x509_cert_t *this)
1775 {
1776 return this->crl_uris->create_enumerator(this->crl_uris);
1777 }
1778
1779 METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*,
1780 private_x509_cert_t *this)
1781 {
1782 return this->ipAddrBlocks->create_enumerator(this->ipAddrBlocks);
1783 }
1784
1785 METHOD(x509_t, create_name_constraint_enumerator, enumerator_t*,
1786 private_x509_cert_t *this, bool perm)
1787 {
1788 if (perm)
1789 {
1790 return this->permitted_names->create_enumerator(this->permitted_names);
1791 }
1792 return this->excluded_names->create_enumerator(this->excluded_names);
1793 }
1794
1795 METHOD(x509_t, create_cert_policy_enumerator, enumerator_t*,
1796 private_x509_cert_t *this)
1797 {
1798 return this->cert_policies->create_enumerator(this->cert_policies);
1799 }
1800
1801 METHOD(x509_t, create_policy_mapping_enumerator, enumerator_t*,
1802 private_x509_cert_t *this)
1803 {
1804 return this->policy_mappings->create_enumerator(this->policy_mappings);
1805 }
1806
1807 METHOD(certificate_t, destroy, void,
1808 private_x509_cert_t *this)
1809 {
1810 if (ref_put(&this->ref))
1811 {
1812 this->subjectAltNames->destroy_offset(this->subjectAltNames,
1813 offsetof(identification_t, destroy));
1814 this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy);
1815 this->ocsp_uris->destroy_function(this->ocsp_uris, free);
1816 this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks,
1817 offsetof(traffic_selector_t, destroy));
1818 this->permitted_names->destroy_offset(this->permitted_names,
1819 offsetof(identification_t, destroy));
1820 this->excluded_names->destroy_offset(this->excluded_names,
1821 offsetof(identification_t, destroy));
1822 this->cert_policies->destroy_function(this->cert_policies,
1823 (void*)cert_policy_destroy);
1824 this->policy_mappings->destroy_function(this->policy_mappings,
1825 (void*)policy_mapping_destroy);
1826 DESTROY_IF(this->issuer);
1827 DESTROY_IF(this->subject);
1828 DESTROY_IF(this->public_key);
1829 chunk_free(&this->authKeyIdentifier);
1830 chunk_free(&this->encoding);
1831 chunk_free(&this->encoding_hash);
1832 if (!this->parsed)
1833 { /* only parsed certificates point these fields to "encoded" */
1834 chunk_free(&this->signature);
1835 chunk_free(&this->serialNumber);
1836 chunk_free(&this->tbsCertificate);
1837 }
1838 free(this);
1839 }
1840 }
1841
1842 /**
1843 * create an empty but initialized X.509 certificate
1844 */
1845 static private_x509_cert_t* create_empty(void)
1846 {
1847 private_x509_cert_t *this;
1848
1849 INIT(this,
1850 .public = {
1851 .interface = {
1852 .interface = {
1853 .get_type = _get_type,
1854 .get_subject = _get_subject,
1855 .get_issuer = _get_issuer,
1856 .has_subject = _has_subject,
1857 .has_issuer = _has_issuer,
1858 .issued_by = _issued_by,
1859 .get_public_key = _get_public_key,
1860 .get_validity = _get_validity,
1861 .get_encoding = _get_encoding,
1862 .equals = _equals,
1863 .get_ref = _get_ref,
1864 .destroy = _destroy,
1865 },
1866 .get_flags = _get_flags,
1867 .get_serial = _get_serial,
1868 .get_subjectKeyIdentifier = _get_subjectKeyIdentifier,
1869 .get_authKeyIdentifier = _get_authKeyIdentifier,
1870 .get_constraint = _get_constraint,
1871 .create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
1872 .create_crl_uri_enumerator = _create_crl_uri_enumerator,
1873 .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
1874 .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
1875 .create_name_constraint_enumerator = _create_name_constraint_enumerator,
1876 .create_cert_policy_enumerator = _create_cert_policy_enumerator,
1877 .create_policy_mapping_enumerator = _create_policy_mapping_enumerator,
1878 },
1879 },
1880 .version = 1,
1881 .subjectAltNames = linked_list_create(),
1882 .crl_uris = linked_list_create(),
1883 .ocsp_uris = linked_list_create(),
1884 .ipAddrBlocks = linked_list_create(),
1885 .permitted_names = linked_list_create(),
1886 .excluded_names = linked_list_create(),
1887 .cert_policies = linked_list_create(),
1888 .policy_mappings = linked_list_create(),
1889 .pathLenConstraint = X509_NO_CONSTRAINT,
1890 .require_explicit = X509_NO_CONSTRAINT,
1891 .inhibit_mapping = X509_NO_CONSTRAINT,
1892 .inhibit_any = X509_NO_CONSTRAINT,
1893 .ref = 1,
1894 );
1895 return this;
1896 }
1897
1898 /**
1899 * Build a generalName from an id
1900 */
1901 chunk_t build_generalName(identification_t *id)
1902 {
1903 int context;
1904
1905 switch (id->get_type(id))
1906 {
1907 case ID_RFC822_ADDR:
1908 context = ASN1_CONTEXT_S_1;
1909 break;
1910 case ID_FQDN:
1911 context = ASN1_CONTEXT_S_2;
1912 break;
1913 case ID_DER_ASN1_DN:
1914 context = ASN1_CONTEXT_C_4;
1915 break;
1916 case ID_IPV4_ADDR:
1917 case ID_IPV6_ADDR:
1918 context = ASN1_CONTEXT_S_7;
1919 break;
1920 default:
1921 DBG1(DBG_ASN, "encoding %N as generalName not supported",
1922 id_type_names, id->get_type(id));
1923 return chunk_empty;
1924 }
1925 return asn1_wrap(context, "c", id->get_encoding(id));
1926 }
1927
1928 /**
1929 * Encode a linked list of subjectAltNames
1930 */
1931 chunk_t x509_build_subjectAltNames(linked_list_t *list)
1932 {
1933 chunk_t subjectAltNames = chunk_empty, name;
1934 enumerator_t *enumerator;
1935 identification_t *id;
1936
1937 if (list->get_count(list) == 0)
1938 {
1939 return chunk_empty;
1940 }
1941
1942 enumerator = list->create_enumerator(list);
1943 while (enumerator->enumerate(enumerator, &id))
1944 {
1945 name = build_generalName(id);
1946 subjectAltNames = chunk_cat("mm", subjectAltNames, name);
1947 }
1948 enumerator->destroy(enumerator);
1949
1950 return asn1_wrap(ASN1_SEQUENCE, "mm",
1951 asn1_build_known_oid(OID_SUBJECT_ALT_NAME),
1952 asn1_wrap(ASN1_OCTET_STRING, "m",
1953 asn1_wrap(ASN1_SEQUENCE, "m", subjectAltNames)
1954 )
1955 );
1956 }
1957
1958 /**
1959 * Encode CRL distribution points extension from a x509_cdp_t list
1960 */
1961 chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn)
1962 {
1963 chunk_t crlDistributionPoints = chunk_empty;
1964 enumerator_t *enumerator;
1965 x509_cdp_t *cdp;
1966
1967 if (list->get_count(list) == 0)
1968 {
1969 return chunk_empty;
1970 }
1971
1972 enumerator = list->create_enumerator(list);
1973 while (enumerator->enumerate(enumerator, &cdp))
1974 {
1975 chunk_t distributionPoint, crlIssuer = chunk_empty;
1976
1977 if (cdp->issuer)
1978 {
1979 crlIssuer = asn1_wrap(ASN1_CONTEXT_C_2, "m",
1980 build_generalName(cdp->issuer));
1981 }
1982 distributionPoint = asn1_wrap(ASN1_SEQUENCE, "mm",
1983 asn1_wrap(ASN1_CONTEXT_C_0, "m",
1984 asn1_wrap(ASN1_CONTEXT_C_0, "m",
1985 asn1_wrap(ASN1_CONTEXT_S_6, "c",
1986 chunk_create(cdp->uri, strlen(cdp->uri))))),
1987 crlIssuer);
1988 crlDistributionPoints = chunk_cat("mm", crlDistributionPoints,
1989 distributionPoint);
1990 }
1991 enumerator->destroy(enumerator);
1992
1993 return asn1_wrap(ASN1_SEQUENCE, "mm",
1994 asn1_build_known_oid(extn),
1995 asn1_wrap(ASN1_OCTET_STRING, "m",
1996 asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints)));
1997 }
1998
1999 /**
2000 * Generate and sign a new certificate
2001 */
2002 static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
2003 private_key_t *sign_key, int digest_alg)
2004 {
2005 chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
2006 chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty;
2007 chunk_t ocspSigning = chunk_empty, certPolicies = chunk_empty;
2008 chunk_t basicConstraints = chunk_empty, nameConstraints = chunk_empty;
2009 chunk_t keyUsage = chunk_empty, keyUsageBits = chunk_empty;
2010 chunk_t subjectAltNames = chunk_empty, policyMappings = chunk_empty;
2011 chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
2012 chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
2013 chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
2014 chunk_t ikeIntermediate = chunk_empty, msSmartcardLogon = chunk_empty;
2015 identification_t *issuer, *subject;
2016 chunk_t key_info;
2017 signature_scheme_t scheme;
2018 hasher_t *hasher;
2019 enumerator_t *enumerator;
2020 char *uri;
2021
2022 subject = cert->subject;
2023 if (sign_cert)
2024 {
2025 issuer = sign_cert->get_subject(sign_cert);
2026 if (!cert->public_key)
2027 {
2028 return FALSE;
2029 }
2030 }
2031 else
2032 { /* self signed */
2033 issuer = subject;
2034 if (!cert->public_key)
2035 {
2036 cert->public_key = sign_key->get_public_key(sign_key);
2037 }
2038 cert->flags |= X509_SELF_SIGNED;
2039 }
2040 cert->issuer = issuer->clone(issuer);
2041 if (!cert->notBefore)
2042 {
2043 cert->notBefore = time(NULL);
2044 }
2045 if (!cert->notAfter)
2046 { /* defaults to 1 year from now */
2047 cert->notAfter = cert->notBefore + 60 * 60 * 24 * 365;
2048 }
2049
2050 /* select signature scheme */
2051 cert->algorithm = hasher_signature_algorithm_to_oid(digest_alg,
2052 sign_key->get_type(sign_key));
2053 if (cert->algorithm == OID_UNKNOWN)
2054 {
2055 return FALSE;
2056 }
2057 scheme = signature_scheme_from_oid(cert->algorithm);
2058
2059 if (!cert->public_key->get_encoding(cert->public_key,
2060 PUBKEY_SPKI_ASN1_DER, &key_info))
2061 {
2062 return FALSE;
2063 }
2064
2065 /* encode subjectAltNames */
2066 subjectAltNames = x509_build_subjectAltNames(cert->subjectAltNames);
2067
2068 crlDistributionPoints = x509_build_crlDistributionPoints(cert->crl_uris,
2069 OID_CRL_DISTRIBUTION_POINTS);
2070
2071 /* encode OCSP URIs in authorityInfoAccess extension */
2072 enumerator = cert->ocsp_uris->create_enumerator(cert->ocsp_uris);
2073 while (enumerator->enumerate(enumerator, &uri))
2074 {
2075 chunk_t accessDescription;
2076
2077 accessDescription = asn1_wrap(ASN1_SEQUENCE, "mm",
2078 asn1_build_known_oid(OID_OCSP),
2079 asn1_wrap(ASN1_CONTEXT_S_6, "c",
2080 chunk_create(uri, strlen(uri))));
2081 authorityInfoAccess = chunk_cat("mm", authorityInfoAccess,
2082 accessDescription);
2083 }
2084 enumerator->destroy(enumerator);
2085 if (authorityInfoAccess.ptr)
2086 {
2087 authorityInfoAccess = asn1_wrap(ASN1_SEQUENCE, "mm",
2088 asn1_build_known_oid(OID_AUTHORITY_INFO_ACCESS),
2089 asn1_wrap(ASN1_OCTET_STRING, "m",
2090 asn1_wrap(ASN1_SEQUENCE, "m", authorityInfoAccess)));
2091 }
2092
2093 /* build CA basicConstraint and keyUsage flags for CA certificates */
2094 if (cert->flags & X509_CA)
2095 {
2096 chunk_t pathLenConstraint = chunk_empty;
2097
2098 if (cert->pathLenConstraint != X509_NO_CONSTRAINT)
2099 {
2100 pathLenConstraint = asn1_integer("c",
2101 chunk_from_thing(cert->pathLenConstraint));
2102 }
2103 basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
2104 asn1_build_known_oid(OID_BASIC_CONSTRAINTS),
2105 asn1_wrap(ASN1_BOOLEAN, "c",
2106 chunk_from_chars(0xFF)),
2107 asn1_wrap(ASN1_OCTET_STRING, "m",
2108 asn1_wrap(ASN1_SEQUENCE, "mm",
2109 asn1_wrap(ASN1_BOOLEAN, "c",
2110 chunk_from_chars(0xFF)),
2111 pathLenConstraint)));
2112 /* set CertificateSign and implicitly CRLsign */
2113 keyUsageBits = chunk_from_chars(0x01, 0x06);
2114 }
2115 else if (cert->flags & X509_CRL_SIGN)
2116 {
2117 keyUsageBits = chunk_from_chars(0x01, 0x02);
2118 }
2119 if (keyUsageBits.len)
2120 {
2121 keyUsage = asn1_wrap(ASN1_SEQUENCE, "mmm",
2122 asn1_build_known_oid(OID_KEY_USAGE),
2123 asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
2124 asn1_wrap(ASN1_OCTET_STRING, "m",
2125 asn1_wrap(ASN1_BIT_STRING, "c", keyUsageBits)));
2126 }
2127
2128 /* add extendedKeyUsage flags */
2129 if (cert->flags & X509_SERVER_AUTH)
2130 {
2131 serverAuth = asn1_build_known_oid(OID_SERVER_AUTH);
2132 }
2133 if (cert->flags & X509_CLIENT_AUTH)
2134 {
2135 clientAuth = asn1_build_known_oid(OID_CLIENT_AUTH);
2136 }
2137 if (cert->flags & X509_IKE_INTERMEDIATE)
2138 {
2139 ikeIntermediate = asn1_build_known_oid(OID_IKE_INTERMEDIATE);
2140 }
2141 if (cert->flags & X509_OCSP_SIGNER)
2142 {
2143 ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
2144 }
2145 if (cert->flags & X509_MS_SMARTCARD_LOGON)
2146 {
2147 msSmartcardLogon = asn1_build_known_oid(OID_MS_SMARTCARD_LOGON);
2148 }
2149
2150 if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr ||
2151 ocspSigning.ptr)
2152 {
2153 extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
2154 asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
2155 asn1_wrap(ASN1_OCTET_STRING, "m",
2156 asn1_wrap(ASN1_SEQUENCE, "mmmmm",
2157 serverAuth, clientAuth, ikeIntermediate,
2158 ocspSigning, msSmartcardLogon)));
2159 }
2160
2161 /* add subjectKeyIdentifier to CA and OCSP signer certificates */
2162 if (cert->flags & (X509_CA | X509_OCSP_SIGNER | X509_CRL_SIGN))
2163 {
2164 chunk_t keyid;
2165
2166 if (cert->public_key->get_fingerprint(cert->public_key,
2167 KEYID_PUBKEY_SHA1, &keyid))
2168 {
2169 subjectKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
2170 asn1_build_known_oid(OID_SUBJECT_KEY_ID),
2171 asn1_wrap(ASN1_OCTET_STRING, "m",
2172 asn1_wrap(ASN1_OCTET_STRING, "c", keyid)));
2173 }
2174 }
2175
2176 /* add the keyid authKeyIdentifier for non self-signed certificates */
2177 if (sign_key)
2178 {
2179 chunk_t keyid;
2180
2181 if (sign_key->get_fingerprint(sign_key, KEYID_PUBKEY_SHA1, &keyid))
2182 {
2183 authKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
2184 asn1_build_known_oid(OID_AUTHORITY_KEY_ID),
2185 asn1_wrap(ASN1_OCTET_STRING, "m",
2186 asn1_wrap(ASN1_SEQUENCE, "m",
2187 asn1_wrap(ASN1_CONTEXT_S_0, "c", keyid))));
2188 }
2189 }
2190
2191 if (cert->permitted_names->get_count(cert->permitted_names) ||
2192 cert->excluded_names->get_count(cert->excluded_names))
2193 {
2194 chunk_t permitted = chunk_empty, excluded = chunk_empty, subtree;
2195 identification_t *id;
2196
2197 enumerator = create_name_constraint_enumerator(cert, TRUE);
2198 while (enumerator->enumerate(enumerator, &id))
2199 {
2200 subtree = asn1_wrap(ASN1_SEQUENCE, "m", build_generalName(id));
2201 permitted = chunk_cat("mm", permitted, subtree);
2202 }
2203 enumerator->destroy(enumerator);
2204 if (permitted.ptr)
2205 {
2206 permitted = asn1_wrap(ASN1_CONTEXT_C_0, "m", permitted);
2207 }
2208
2209 enumerator = create_name_constraint_enumerator(cert, FALSE);
2210 while (enumerator->enumerate(enumerator, &id))
2211 {
2212 subtree = asn1_wrap(ASN1_SEQUENCE, "m", build_generalName(id));
2213 excluded = chunk_cat("mm", excluded, subtree);
2214 }
2215 enumerator->destroy(enumerator);
2216 if (excluded.ptr)
2217 {
2218 excluded = asn1_wrap(ASN1_CONTEXT_C_1, "m", excluded);
2219 }
2220
2221 nameConstraints = asn1_wrap(ASN1_SEQUENCE, "mm",
2222 asn1_build_known_oid(OID_NAME_CONSTRAINTS),
2223 asn1_wrap(ASN1_OCTET_STRING, "m",
2224 asn1_wrap(ASN1_SEQUENCE, "mm",
2225 permitted, excluded)));
2226 }
2227
2228 if (cert->cert_policies->get_count(cert->cert_policies))
2229 {
2230 x509_cert_policy_t *policy;
2231
2232 enumerator = create_cert_policy_enumerator(cert);
2233 while (enumerator->enumerate(enumerator, &policy))
2234 {
2235 chunk_t chunk = chunk_empty, cps = chunk_empty, notice = chunk_empty;
2236
2237 if (policy->cps_uri)
2238 {
2239 cps = asn1_wrap(ASN1_SEQUENCE, "mm",
2240 asn1_build_known_oid(OID_POLICY_QUALIFIER_CPS),
2241 asn1_wrap(ASN1_IA5STRING, "c",
2242 chunk_create(policy->cps_uri,
2243 strlen(policy->cps_uri))));
2244 }
2245 if (policy->unotice_text)
2246 {
2247 notice = asn1_wrap(ASN1_SEQUENCE, "mm",
2248 asn1_build_known_oid(OID_POLICY_QUALIFIER_UNOTICE),
2249 asn1_wrap(ASN1_SEQUENCE, "m",
2250 asn1_wrap(ASN1_VISIBLESTRING, "c",
2251 chunk_create(policy->unotice_text,
2252 strlen(policy->unotice_text)))));
2253 }
2254 if (cps.len || notice.len)
2255 {
2256 chunk = asn1_wrap(ASN1_SEQUENCE, "mm", cps, notice);
2257 }
2258 chunk = asn1_wrap(ASN1_SEQUENCE, "mm",
2259 asn1_wrap(ASN1_OID, "c", policy->oid), chunk);
2260 certPolicies = chunk_cat("mm", certPolicies, chunk);
2261 }
2262 enumerator->destroy(enumerator);
2263
2264 certPolicies = asn1_wrap(ASN1_SEQUENCE, "mm",
2265 asn1_build_known_oid(OID_CERTIFICATE_POLICIES),
2266 asn1_wrap(ASN1_OCTET_STRING, "m",
2267 asn1_wrap(ASN1_SEQUENCE, "m", certPolicies)));
2268 }
2269
2270 if (cert->policy_mappings->get_count(cert->policy_mappings))
2271 {
2272 x509_policy_mapping_t *mapping;
2273
2274 enumerator = create_policy_mapping_enumerator(cert);
2275 while (enumerator->enumerate(enumerator, &mapping))
2276 {
2277 chunk_t chunk;
2278
2279 chunk = asn1_wrap(ASN1_SEQUENCE, "mm",
2280 asn1_wrap(ASN1_OID, "c", mapping->issuer),
2281 asn1_wrap(ASN1_OID, "c", mapping->subject));
2282 policyMappings = chunk_cat("mm", policyMappings, chunk);
2283 }
2284 enumerator->destroy(enumerator);
2285
2286 policyMappings = asn1_wrap(ASN1_SEQUENCE, "mm",
2287 asn1_build_known_oid(OID_POLICY_MAPPINGS),
2288 asn1_wrap(ASN1_OCTET_STRING, "m",
2289 asn1_wrap(ASN1_SEQUENCE, "m", policyMappings)));
2290 }
2291
2292 if (cert->inhibit_mapping != X509_NO_CONSTRAINT ||
2293 cert->require_explicit != X509_NO_CONSTRAINT)
2294 {
2295 chunk_t inhibit = chunk_empty, explicit = chunk_empty;
2296
2297 if (cert->require_explicit != X509_NO_CONSTRAINT)
2298 {
2299 explicit = asn1_wrap(ASN1_CONTEXT_C_0, "m",
2300 asn1_integer("c",
2301 chunk_from_thing(cert->require_explicit)));
2302 }
2303 if (cert->inhibit_mapping != X509_NO_CONSTRAINT)
2304 {
2305 inhibit = asn1_wrap(ASN1_CONTEXT_C_1, "m",
2306 asn1_integer("c",
2307 chunk_from_thing(cert->inhibit_mapping)));
2308 }
2309 policyConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
2310 asn1_build_known_oid(OID_POLICY_CONSTRAINTS),
2311 asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
2312 asn1_wrap(ASN1_OCTET_STRING, "m",
2313 asn1_wrap(ASN1_SEQUENCE, "mm",
2314 explicit, inhibit)));
2315 }
2316
2317 if (cert->inhibit_any != X509_NO_CONSTRAINT)
2318 {
2319 inhibitAnyPolicy = asn1_wrap(ASN1_SEQUENCE, "mmm",
2320 asn1_build_known_oid(OID_INHIBIT_ANY_POLICY),
2321 asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
2322 asn1_wrap(ASN1_OCTET_STRING, "m",
2323 asn1_integer("c",
2324 chunk_from_thing(cert->inhibit_any))));
2325 }
2326
2327 if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
2328 crlDistributionPoints.ptr || nameConstraints.ptr)
2329 {
2330 extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
2331 asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmmm",
2332 basicConstraints, keyUsage, subjectKeyIdentifier,
2333 authKeyIdentifier, subjectAltNames,
2334 extendedKeyUsage, crlDistributionPoints,
2335 authorityInfoAccess, nameConstraints, certPolicies,
2336 policyMappings, policyConstraints, inhibitAnyPolicy));
2337 }
2338
2339 cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
2340 asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
2341 asn1_integer("c", cert->serialNumber),
2342 asn1_algorithmIdentifier(cert->algorithm),
2343 issuer->get_encoding(issuer),
2344 asn1_wrap(ASN1_SEQUENCE, "mm",
2345 asn1_from_time(&cert->notBefore, ASN1_UTCTIME),
2346 asn1_from_time(&cert->notAfter, ASN1_UTCTIME)),
2347 subject->get_encoding(subject),
2348 key_info, extensions);
2349
2350 if (!sign_key->sign(sign_key, scheme, cert->tbsCertificate, &cert->signature))
2351 {
2352 return FALSE;
2353 }
2354 cert->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm", cert->tbsCertificate,
2355 asn1_algorithmIdentifier(cert->algorithm),
2356 asn1_bitstring("c", cert->signature));
2357
2358 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
2359 if (!hasher ||
2360 !hasher->allocate_hash(hasher, cert->encoding, &cert->encoding_hash))
2361 {
2362 DESTROY_IF(hasher);
2363 return FALSE;
2364 }
2365 hasher->destroy(hasher);
2366 return TRUE;
2367 }
2368
2369 /**
2370 * See header.
2371 */
2372 x509_cert_t *x509_cert_load(certificate_type_t type, va_list args)
2373 {
2374 x509_flag_t flags = 0;
2375 chunk_t blob = chunk_empty;
2376
2377 while (TRUE)
2378 {
2379 switch (va_arg(args, builder_part_t))
2380 {
2381 case BUILD_BLOB_ASN1_DER:
2382 blob = va_arg(args, chunk_t);
2383 continue;
2384 case BUILD_X509_FLAG:
2385 flags |= va_arg(args, x509_flag_t);
2386 continue;
2387 case BUILD_END:
2388 break;
2389 default:
2390 return NULL;
2391 }
2392 break;
2393 }
2394
2395 if (blob.ptr)
2396 {
2397 private_x509_cert_t *cert = create_empty();
2398
2399 cert->encoding = chunk_clone(blob);
2400 cert->parsed = TRUE;
2401 if (parse_certificate(cert))
2402 {
2403 cert->flags |= flags;
2404 return &cert->public;
2405 }
2406 destroy(cert);
2407 }
2408 return NULL;
2409 }
2410
2411 /**
2412 * See header.
2413 */
2414 x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
2415 {
2416 private_x509_cert_t *cert;
2417 certificate_t *sign_cert = NULL;
2418 private_key_t *sign_key = NULL;
2419 hash_algorithm_t digest_alg = HASH_SHA1;
2420 u_int constraint;
2421
2422 cert = create_empty();
2423 while (TRUE)
2424 {
2425 switch (va_arg(args, builder_part_t))
2426 {
2427 case BUILD_X509_FLAG:
2428 cert->flags |= va_arg(args, x509_flag_t);
2429 continue;
2430 case BUILD_SIGNING_KEY:
2431 sign_key = va_arg(args, private_key_t*);
2432 continue;
2433 case BUILD_SIGNING_CERT:
2434 sign_cert = va_arg(args, certificate_t*);
2435 continue;
2436 case BUILD_PUBLIC_KEY:
2437 cert->public_key = va_arg(args, public_key_t*);
2438 cert->public_key->get_ref(cert->public_key);
2439 continue;
2440 case BUILD_SUBJECT:
2441 cert->subject = va_arg(args, identification_t*);
2442 cert->subject = cert->subject->clone(cert->subject);
2443 continue;
2444 case BUILD_SUBJECT_ALTNAMES:
2445 {
2446 enumerator_t *enumerator;
2447 identification_t *id;
2448 linked_list_t *list;
2449
2450 list = va_arg(args, linked_list_t*);
2451 enumerator = list->create_enumerator(list);
2452 while (enumerator->enumerate(enumerator, &id))
2453 {
2454 cert->subjectAltNames->insert_last(cert->subjectAltNames,
2455 id->clone(id));
2456 }
2457 enumerator->destroy(enumerator);
2458 continue;
2459 }
2460 case BUILD_CRL_DISTRIBUTION_POINTS:
2461 {
2462 enumerator_t *enumerator;
2463 linked_list_t *list;
2464 x509_cdp_t *in, *cdp;
2465
2466 list = va_arg(args, linked_list_t*);
2467 enumerator = list->create_enumerator(list);
2468 while (enumerator->enumerate(enumerator, &in))
2469 {
2470 INIT(cdp,
2471 .uri = strdup(in->uri),
2472 .issuer = in->issuer ? in->issuer->clone(in->issuer) : NULL,
2473 );
2474 cert->crl_uris->insert_last(cert->crl_uris, cdp);
2475 }
2476 enumerator->destroy(enumerator);
2477 continue;
2478 }
2479 case BUILD_OCSP_ACCESS_LOCATIONS:
2480 {
2481 enumerator_t *enumerator;
2482 linked_list_t *list;
2483 char *uri;
2484
2485 list = va_arg(args, linked_list_t*);
2486 enumerator = list->create_enumerator(list);
2487 while (enumerator->enumerate(enumerator, &uri))
2488 {
2489 cert->ocsp_uris->insert_last(cert->ocsp_uris, strdup(uri));
2490 }
2491 enumerator->destroy(enumerator);
2492 continue;
2493 }
2494 case BUILD_PATHLEN:
2495 constraint = va_arg(args, u_int);
2496 cert->pathLenConstraint = (constraint < 128) ?
2497 constraint : X509_NO_CONSTRAINT;
2498 continue;
2499 case BUILD_PERMITTED_NAME_CONSTRAINTS:
2500 {
2501 enumerator_t *enumerator;
2502 linked_list_t *list;
2503 identification_t *constraint;
2504
2505 list = va_arg(args, linked_list_t*);
2506 enumerator = list->create_enumerator(list);
2507 while (enumerator->enumerate(enumerator, &constraint))
2508 {
2509 cert->permitted_names->insert_last(cert->permitted_names,
2510 constraint->clone(constraint));
2511 }
2512 enumerator->destroy(enumerator);
2513 continue;
2514 }
2515 case BUILD_EXCLUDED_NAME_CONSTRAINTS:
2516 {
2517 enumerator_t *enumerator;
2518 linked_list_t *list;
2519 identification_t *constraint;
2520
2521 list = va_arg(args, linked_list_t*);
2522 enumerator = list->create_enumerator(list);
2523 while (enumerator->enumerate(enumerator, &constraint))
2524 {
2525 cert->excluded_names->insert_last(cert->excluded_names,
2526 constraint->clone(constraint));
2527 }
2528 enumerator->destroy(enumerator);
2529 continue;
2530 }
2531 case BUILD_CERTIFICATE_POLICIES:
2532 {
2533 enumerator_t *enumerator;
2534 linked_list_t *list;
2535 x509_cert_policy_t *policy, *in;
2536
2537 list = va_arg(args, linked_list_t*);
2538 enumerator = list->create_enumerator(list);
2539 while (enumerator->enumerate(enumerator, &in))
2540 {
2541 INIT(policy,
2542 .oid = chunk_clone(in->oid),
2543 .cps_uri = strdupnull(in->cps_uri),
2544 .unotice_text = strdupnull(in->unotice_text),
2545 );
2546 cert->cert_policies->insert_last(cert->cert_policies, policy);
2547 }
2548 enumerator->destroy(enumerator);
2549 continue;
2550 }
2551 case BUILD_POLICY_MAPPINGS:
2552 {
2553 enumerator_t *enumerator;
2554 linked_list_t *list;
2555 x509_policy_mapping_t* mapping, *in;
2556
2557 list = va_arg(args, linked_list_t*);
2558 enumerator = list->create_enumerator(list);
2559 while (enumerator->enumerate(enumerator, &in))
2560 {
2561 INIT(mapping,
2562 .issuer = chunk_clone(in->issuer),
2563 .subject = chunk_clone(in->subject),
2564 );
2565 cert->policy_mappings->insert_last(cert->policy_mappings,
2566 mapping);
2567 }
2568 enumerator->destroy(enumerator);
2569 continue;
2570 }
2571 case BUILD_POLICY_REQUIRE_EXPLICIT:
2572 constraint = va_arg(args, u_int);
2573 cert->require_explicit = (constraint < 128) ?
2574 constraint : X509_NO_CONSTRAINT;
2575 continue;
2576 case BUILD_POLICY_INHIBIT_MAPPING:
2577 constraint = va_arg(args, u_int);
2578 cert->inhibit_mapping = (constraint < 128) ?
2579 constraint : X509_NO_CONSTRAINT;
2580 continue;
2581 case BUILD_POLICY_INHIBIT_ANY:
2582 constraint = va_arg(args, u_int);
2583 cert->inhibit_any = (constraint < 128) ?
2584 constraint : X509_NO_CONSTRAINT;
2585 continue;
2586 case BUILD_NOT_BEFORE_TIME:
2587 cert->notBefore = va_arg(args, time_t);
2588 continue;
2589 case BUILD_NOT_AFTER_TIME:
2590 cert->notAfter = va_arg(args, time_t);
2591 continue;
2592 case BUILD_SERIAL:
2593 cert->serialNumber = chunk_clone(va_arg(args, chunk_t));
2594 continue;
2595 case BUILD_DIGEST_ALG:
2596 digest_alg = va_arg(args, int);
2597 continue;
2598 case BUILD_END:
2599 break;
2600 default:
2601 destroy(cert);
2602 return NULL;
2603 }
2604 break;
2605 }
2606
2607 if (sign_key && generate(cert, sign_cert, sign_key, digest_alg))
2608 {
2609 return &cert->public;
2610 }
2611 destroy(cert);
2612 return NULL;
2613 }
2614