cf85fe9958ac8a7b2e0b4b7e0df7c7b1c975b83a
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_cert.c
1 /*
2 * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
3 * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
4 * Copyright (C) 2002 Mario Strasser
5 * Copyright (C) 2000-2006 Andreas Steffen
6 * Copyright (C) 2006-2009 Martin Willi
7 * Copyright (C) 2008 Tobias Brunner
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #define _GNU_SOURCE
22
23 #include "x509_cert.h"
24
25 #include <sys/stat.h>
26 #include <time.h>
27 #include <unistd.h>
28 #include <string.h>
29 #include <stdio.h>
30
31 #include <library.h>
32 #include <debug.h>
33 #include <asn1/oid.h>
34 #include <asn1/asn1.h>
35 #include <asn1/asn1_parser.h>
36 #include <crypto/hashers/hasher.h>
37 #include <credentials/keys/private_key.h>
38 #include <utils/linked_list.h>
39 #include <utils/identification.h>
40 #include <selectors/traffic_selector.h>
41
42 /**
43 * Different kinds of generalNames
44 */
45 typedef enum {
46 GN_OTHER_NAME = 0,
47 GN_RFC822_NAME = 1,
48 GN_DNS_NAME = 2,
49 GN_X400_ADDRESS = 3,
50 GN_DIRECTORY_NAME = 4,
51 GN_EDI_PARTY_NAME = 5,
52 GN_URI = 6,
53 GN_IP_ADDRESS = 7,
54 GN_REGISTERED_ID = 8,
55 } generalNames_t;
56
57
58 typedef struct private_x509_cert_t private_x509_cert_t;
59
60 /**
61 * Private data of a x509_cert_t object.
62 */
63 struct private_x509_cert_t {
64 /**
65 * Public interface for this certificate.
66 */
67 x509_cert_t public;
68
69 /**
70 * X.509 certificate encoding in ASN.1 DER format
71 */
72 chunk_t encoding;
73
74 /**
75 * SHA1 hash of the DER encoding of this X.509 certificate
76 */
77 chunk_t encoding_hash;
78
79 /**
80 * X.509 certificate body over which signature is computed
81 */
82 chunk_t tbsCertificate;
83
84 /**
85 * Version of the X.509 certificate
86 */
87 u_int version;
88
89 /**
90 * Serial number of the X.509 certificate
91 */
92 chunk_t serialNumber;
93
94 /**
95 * ID representing the certificate issuer
96 */
97 identification_t *issuer;
98
99 /**
100 * Start time of certificate validity
101 */
102 time_t notBefore;
103
104 /**
105 * End time of certificate validity
106 */
107 time_t notAfter;
108
109 /**
110 * ID representing the certificate subject
111 */
112 identification_t *subject;
113
114 /**
115 * List of subjectAltNames as identification_t
116 */
117 linked_list_t *subjectAltNames;
118
119 /**
120 * List of crlDistributionPoints as crl_uri_t
121 */
122 linked_list_t *crl_uris;
123
124 /**
125 * List of ocspAccessLocations as allocated char*
126 */
127 linked_list_t *ocsp_uris;
128
129 /**
130 * List of ipAddrBlocks as traffic_selector_t
131 */
132 linked_list_t *ipAddrBlocks;
133
134 /**
135 * List of permitted name constraints
136 */
137 linked_list_t *permitted_names;
138
139 /**
140 * List of exluced name constraints
141 */
142 linked_list_t *excluded_names;
143
144 /**
145 * certificate's embedded public key
146 */
147 public_key_t *public_key;
148
149 /**
150 * Subject Key Identifier
151 */
152 chunk_t subjectKeyIdentifier;
153
154 /**
155 * Authority Key Identifier
156 */
157 chunk_t authKeyIdentifier;
158
159 /**
160 * Authority Key Serial Number
161 */
162 chunk_t authKeySerialNumber;
163
164 /**
165 * Path Length Constraint
166 */
167 int pathLenConstraint;
168
169 /**
170 * x509 constraints and other flags
171 */
172 x509_flag_t flags;
173
174 /**
175 * Signature algorithm
176 */
177 int algorithm;
178
179 /**
180 * Signature
181 */
182 chunk_t signature;
183
184 /**
185 * Certificate parsed from blob/file?
186 */
187 bool parsed;
188
189 /**
190 * reference count
191 */
192 refcount_t ref;
193 };
194
195 static const chunk_t ASN1_subjectAltName_oid = chunk_from_chars(
196 0x06, 0x03, 0x55, 0x1D, 0x11
197 );
198
199 /**
200 * CRL URIs with associated issuer
201 */
202 typedef struct {
203 identification_t *issuer;
204 linked_list_t *uris;
205 } crl_uri_t;
206
207 /**
208 * Create a new issuer entry
209 */
210 static crl_uri_t *crl_uri_create(identification_t *issuer)
211 {
212 crl_uri_t *this;
213
214 INIT(this,
215 .issuer = issuer ? issuer->clone(issuer) : NULL,
216 .uris = linked_list_create(),
217 );
218 return this;
219 }
220
221 /**
222 * Destroy a CRL URI struct
223 */
224 static void crl_uri_destroy(crl_uri_t *this)
225 {
226 this->uris->destroy_function(this->uris, free);
227 DESTROY_IF(this->issuer);
228 free(this);
229 }
230
231 /**
232 * ASN.1 definition of a basicConstraints extension
233 */
234 static const asn1Object_t basicConstraintsObjects[] = {
235 { 0, "basicConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
236 { 1, "CA", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 1 */
237 { 1, "pathLenConstraint", ASN1_INTEGER, ASN1_OPT|ASN1_BODY }, /* 2 */
238 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
239 { 0, "exit", ASN1_EOC, ASN1_EXIT }
240 };
241 #define BASIC_CONSTRAINTS_CA 1
242 #define BASIC_CONSTRAINTS_PATH_LEN 2
243
244 /**
245 * Extracts the basicConstraints extension
246 */
247 static void parse_basicConstraints(chunk_t blob, int level0,
248 private_x509_cert_t *this)
249 {
250 asn1_parser_t *parser;
251 chunk_t object;
252 int objectID;
253 bool isCA = FALSE;
254
255 parser = asn1_parser_create(basicConstraintsObjects, blob);
256 parser->set_top_level(parser, level0);
257
258 while (parser->iterate(parser, &objectID, &object))
259 {
260 switch (objectID)
261 {
262 case BASIC_CONSTRAINTS_CA:
263 isCA = object.len && *object.ptr;
264 DBG2(DBG_LIB, " %s", isCA ? "TRUE" : "FALSE");
265 if (isCA)
266 {
267 this->flags |= X509_CA;
268 }
269 break;
270 case BASIC_CONSTRAINTS_PATH_LEN:
271 if (isCA)
272 {
273 if (object.len == 0)
274 {
275 this->pathLenConstraint = 0;
276 }
277 else if (object.len == 1)
278 {
279 this->pathLenConstraint = *object.ptr;
280 }
281 /* we ignore path length constraints > 127 */
282 }
283 break;
284 default:
285 break;
286 }
287 }
288 parser->destroy(parser);
289 }
290
291 /**
292 * ASN.1 definition of otherName
293 */
294 static const asn1Object_t otherNameObjects[] = {
295 {0, "type-id", ASN1_OID, ASN1_BODY }, /* 0 */
296 {0, "value", ASN1_CONTEXT_C_0, ASN1_BODY }, /* 1 */
297 {0, "exit", ASN1_EOC, ASN1_EXIT }
298 };
299 #define ON_OBJ_ID_TYPE 0
300 #define ON_OBJ_VALUE 1
301
302 /**
303 * Extracts an otherName
304 */
305 static bool parse_otherName(chunk_t *blob, int level0, id_type_t *type)
306 {
307 asn1_parser_t *parser;
308 chunk_t object;
309 int objectID;
310 int oid = OID_UNKNOWN;
311 bool success = FALSE;
312
313 parser = asn1_parser_create(otherNameObjects, *blob);
314 parser->set_top_level(parser, level0);
315
316 while (parser->iterate(parser, &objectID, &object))
317 {
318 switch (objectID)
319 {
320 case ON_OBJ_ID_TYPE:
321 oid = asn1_known_oid(object);
322 break;
323 case ON_OBJ_VALUE:
324 switch (oid)
325 {
326 case OID_XMPP_ADDR:
327 if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
328 parser->get_level(parser)+1, "xmppAddr"))
329 {
330 goto end;
331 }
332 break;
333 case OID_USER_PRINCIPAL_NAME:
334 if (asn1_parse_simple_object(&object, ASN1_UTF8STRING,
335 parser->get_level(parser)+1, "msUPN"))
336 { /* we handle UPNs as RFC822 addr */
337 *blob = object;
338 *type = ID_RFC822_ADDR;
339 }
340 else
341 {
342 goto end;
343 }
344 break;
345 }
346 break;
347 default:
348 break;
349 }
350 }
351 success = parser->success(parser);
352
353 end:
354 parser->destroy(parser);
355 return success;
356 }
357
358 /**
359 * ASN.1 definition of generalName
360 */
361 static const asn1Object_t generalNameObjects[] = {
362 { 0, "otherName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_BODY }, /* 0 */
363 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 1 */
364 { 0, "rfc822Name", ASN1_CONTEXT_S_1, ASN1_OPT|ASN1_BODY }, /* 2 */
365 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 3 */
366 { 0, "dnsName", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 4 */
367 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
368 { 0, "x400Address", ASN1_CONTEXT_S_3, ASN1_OPT|ASN1_BODY }, /* 6 */
369 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
370 { 0, "directoryName", ASN1_CONTEXT_C_4, ASN1_OPT|ASN1_BODY }, /* 8 */
371 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
372 { 0, "ediPartyName", ASN1_CONTEXT_C_5, ASN1_OPT|ASN1_BODY }, /* 10 */
373 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
374 { 0, "URI", ASN1_CONTEXT_S_6, ASN1_OPT|ASN1_BODY }, /* 12 */
375 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 13 */
376 { 0, "ipAddress", ASN1_CONTEXT_S_7, ASN1_OPT|ASN1_BODY }, /* 14 */
377 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 15 */
378 { 0, "registeredID", ASN1_CONTEXT_S_8, ASN1_OPT|ASN1_BODY }, /* 16 */
379 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 17 */
380 { 0, "exit", ASN1_EOC, ASN1_EXIT }
381 };
382 #define GN_OBJ_OTHER_NAME 0
383 #define GN_OBJ_RFC822_NAME 2
384 #define GN_OBJ_DNS_NAME 4
385 #define GN_OBJ_X400_ADDRESS 6
386 #define GN_OBJ_DIRECTORY_NAME 8
387 #define GN_OBJ_EDI_PARTY_NAME 10
388 #define GN_OBJ_URI 12
389 #define GN_OBJ_IP_ADDRESS 14
390 #define GN_OBJ_REGISTERED_ID 16
391
392 /**
393 * Extracts a generalName
394 */
395 static identification_t *parse_generalName(chunk_t blob, int level0)
396 {
397 asn1_parser_t *parser;
398 chunk_t object;
399 int objectID ;
400
401 identification_t *gn = NULL;
402
403 parser = asn1_parser_create(generalNameObjects, blob);
404 parser->set_top_level(parser, level0);
405
406 while (parser->iterate(parser, &objectID, &object))
407 {
408 id_type_t id_type = ID_ANY;
409
410 switch (objectID)
411 {
412 case GN_OBJ_RFC822_NAME:
413 id_type = ID_RFC822_ADDR;
414 break;
415 case GN_OBJ_DNS_NAME:
416 id_type = ID_FQDN;
417 break;
418 case GN_OBJ_URI:
419 id_type = ID_DER_ASN1_GN_URI;
420 break;
421 case GN_OBJ_DIRECTORY_NAME:
422 id_type = ID_DER_ASN1_DN;
423 break;
424 case GN_OBJ_IP_ADDRESS:
425 switch (object.len)
426 {
427 case 4:
428 id_type = ID_IPV4_ADDR;
429 break;
430 case 16:
431 id_type = ID_IPV6_ADDR;
432 break;
433 default:
434 break;
435 }
436 break;
437 case GN_OBJ_OTHER_NAME:
438 if (!parse_otherName(&object, parser->get_level(parser)+1,
439 &id_type))
440 {
441 goto end;
442 }
443 break;
444 case GN_OBJ_X400_ADDRESS:
445 case GN_OBJ_EDI_PARTY_NAME:
446 case GN_OBJ_REGISTERED_ID:
447 default:
448 break;
449 }
450 if (id_type != ID_ANY)
451 {
452 gn = identification_create_from_encoding(id_type, object);
453 DBG2(DBG_LIB, " '%Y'", gn);
454 goto end;
455 }
456 }
457
458 end:
459 parser->destroy(parser);
460 return gn;
461 }
462
463 /**
464 * ASN.1 definition of generalNames
465 */
466 static const asn1Object_t generalNamesObjects[] = {
467 { 0, "generalNames", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
468 { 1, "generalName", ASN1_EOC, ASN1_RAW }, /* 1 */
469 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
470 { 0, "exit", ASN1_EOC, ASN1_EXIT }
471 };
472 #define GENERAL_NAMES_GN 1
473
474 /**
475 * Extracts one or several GNs and puts them into a chained list
476 */
477 void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list)
478 {
479 asn1_parser_t *parser;
480 chunk_t object;
481 int objectID;
482
483 parser = asn1_parser_create(generalNamesObjects, blob);
484 parser->set_top_level(parser, level0);
485 parser->set_flags(parser, implicit, FALSE);
486
487 while (parser->iterate(parser, &objectID, &object))
488 {
489 if (objectID == GENERAL_NAMES_GN)
490 {
491 identification_t *gn = parse_generalName(object,
492 parser->get_level(parser)+1);
493
494 if (gn)
495 {
496 list->insert_last(list, (void *)gn);
497 }
498 }
499 }
500 parser->destroy(parser);
501 }
502
503 /**
504 * ASN.1 definition of a authorityKeyIdentifier extension
505 */
506 static const asn1Object_t authKeyIdentifierObjects[] = {
507 { 0, "authorityKeyIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
508 { 1, "keyIdentifier", ASN1_CONTEXT_S_0, ASN1_OPT|ASN1_BODY }, /* 1 */
509 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
510 { 1, "authorityCertIssuer", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_OBJ }, /* 3 */
511 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 4 */
512 { 1, "authorityCertSerialNumber", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 5 */
513 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
514 { 0, "exit", ASN1_EOC, ASN1_EXIT }
515 };
516 #define AUTH_KEY_ID_KEY_ID 1
517 #define AUTH_KEY_ID_CERT_ISSUER 3
518 #define AUTH_KEY_ID_CERT_SERIAL 5
519
520 /**
521 * Extracts an authoritykeyIdentifier
522 */
523 chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
524 chunk_t *authKeySerialNumber)
525 {
526 asn1_parser_t *parser;
527 chunk_t object;
528 int objectID;
529 chunk_t authKeyIdentifier = chunk_empty;
530
531 *authKeySerialNumber = chunk_empty;
532
533 parser = asn1_parser_create(authKeyIdentifierObjects, blob);
534 parser->set_top_level(parser, level0);
535
536 while (parser->iterate(parser, &objectID, &object))
537 {
538 switch (objectID)
539 {
540 case AUTH_KEY_ID_KEY_ID:
541 authKeyIdentifier = chunk_clone(object);
542 break;
543 case AUTH_KEY_ID_CERT_ISSUER:
544 /* TODO: x509_parse_generalNames(object, level+1, TRUE); */
545 break;
546 case AUTH_KEY_ID_CERT_SERIAL:
547 *authKeySerialNumber = object;
548 break;
549 default:
550 break;
551 }
552 }
553 parser->destroy(parser);
554 return authKeyIdentifier;
555 }
556
557 /**
558 * ASN.1 definition of a authorityInfoAccess extension
559 */
560 static const asn1Object_t authInfoAccessObjects[] = {
561 { 0, "authorityInfoAccess", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
562 { 1, "accessDescription", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
563 { 2, "accessMethod", ASN1_OID, ASN1_BODY }, /* 2 */
564 { 2, "accessLocation", ASN1_EOC, ASN1_RAW }, /* 3 */
565 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
566 { 0, "exit", ASN1_EOC, ASN1_EXIT }
567 };
568 #define AUTH_INFO_ACCESS_METHOD 2
569 #define AUTH_INFO_ACCESS_LOCATION 3
570
571 /**
572 * Extracts an authorityInfoAcess location
573 */
574 static void parse_authorityInfoAccess(chunk_t blob, int level0,
575 private_x509_cert_t *this)
576 {
577 asn1_parser_t *parser;
578 chunk_t object;
579 int objectID;
580 int accessMethod = OID_UNKNOWN;
581
582 parser = asn1_parser_create(authInfoAccessObjects, blob);
583 parser->set_top_level(parser, level0);
584
585 while (parser->iterate(parser, &objectID, &object))
586 {
587 switch (objectID)
588 {
589 case AUTH_INFO_ACCESS_METHOD:
590 accessMethod = asn1_known_oid(object);
591 break;
592 case AUTH_INFO_ACCESS_LOCATION:
593 {
594 switch (accessMethod)
595 {
596 case OID_OCSP:
597 case OID_CA_ISSUERS:
598 {
599 identification_t *id;
600 char *uri;
601
602 id = parse_generalName(object,
603 parser->get_level(parser)+1);
604 if (id == NULL)
605 {
606 /* parsing went wrong - abort */
607 goto end;
608 }
609 DBG2(DBG_LIB, " '%Y'", id);
610 if (accessMethod == OID_OCSP &&
611 asprintf(&uri, "%Y", id) > 0)
612 {
613 this->ocsp_uris->insert_last(this->ocsp_uris, uri);
614 }
615 id->destroy(id);
616 }
617 break;
618 default:
619 /* unkown accessMethod, ignoring */
620 break;
621 }
622 break;
623 }
624 default:
625 break;
626 }
627 }
628
629 end:
630 parser->destroy(parser);
631 }
632
633 /**
634 * Extract KeyUsage flags
635 */
636 static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this)
637 {
638 enum {
639 KU_DIGITAL_SIGNATURE = 0,
640 KU_NON_REPUDIATION = 1,
641 KU_KEY_ENCIPHERMENT = 2,
642 KU_DATA_ENCIPHERMENT = 3,
643 KU_KEY_AGREEMENT = 4,
644 KU_KEY_CERT_SIGN = 5,
645 KU_CRL_SIGN = 6,
646 KU_ENCIPHER_ONLY = 7,
647 KU_DECIPHER_ONLY = 8,
648 };
649
650 if (asn1_unwrap(&blob, &blob) == ASN1_BIT_STRING && blob.len)
651 {
652 int bit, byte, unused = blob.ptr[0];
653
654 blob = chunk_skip(blob, 1);
655 for (byte = 0; byte < blob.len; byte++)
656 {
657 for (bit = 0; bit < 8; bit++)
658 {
659 if (byte == blob.len - 1 && bit > (7 - unused))
660 {
661 break;
662 }
663 if (blob.ptr[byte] & 1 << (7 - bit))
664 {
665 switch (byte * 8 + bit)
666 {
667 case KU_CRL_SIGN:
668 this->flags |= X509_CRL_SIGN;
669 break;
670 case KU_KEY_CERT_SIGN:
671 /* we use the caBasicConstraint, MUST be set */
672 case KU_DIGITAL_SIGNATURE:
673 case KU_NON_REPUDIATION:
674 case KU_KEY_ENCIPHERMENT:
675 case KU_DATA_ENCIPHERMENT:
676 case KU_KEY_AGREEMENT:
677 case KU_ENCIPHER_ONLY:
678 case KU_DECIPHER_ONLY:
679 break;
680 }
681 }
682 }
683 }
684 }
685 }
686
687 /**
688 * ASN.1 definition of a extendedKeyUsage extension
689 */
690 static const asn1Object_t extendedKeyUsageObjects[] = {
691 { 0, "extendedKeyUsage", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
692 { 1, "keyPurposeID", ASN1_OID, ASN1_BODY }, /* 1 */
693 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
694 { 0, "exit", ASN1_EOC, ASN1_EXIT }
695 };
696 #define EXT_KEY_USAGE_PURPOSE_ID 1
697
698 /**
699 * Extracts extendedKeyUsage OIDs
700 */
701 static void parse_extendedKeyUsage(chunk_t blob, int level0,
702 private_x509_cert_t *this)
703 {
704 asn1_parser_t *parser;
705 chunk_t object;
706 int objectID;
707
708 parser = asn1_parser_create(extendedKeyUsageObjects, blob);
709 parser->set_top_level(parser, level0);
710
711 while (parser->iterate(parser, &objectID, &object))
712 {
713 if (objectID == EXT_KEY_USAGE_PURPOSE_ID)
714 {
715 switch (asn1_known_oid(object))
716 {
717 case OID_SERVER_AUTH:
718 this->flags |= X509_SERVER_AUTH;
719 break;
720 case OID_CLIENT_AUTH:
721 this->flags |= X509_CLIENT_AUTH;
722 break;
723 case OID_OCSP_SIGNING:
724 this->flags |= X509_OCSP_SIGNER;
725 break;
726 default:
727 break;
728 }
729 }
730 }
731 parser->destroy(parser);
732 }
733
734 /**
735 * ASN.1 definition of crlDistributionPoints
736 */
737 static const asn1Object_t crlDistributionPointsObjects[] = {
738 { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
739 { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
740 { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */
741 { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
742 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
743 { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
744 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
745 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
746 { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
747 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
748 { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */
749 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
750 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
751 { 0, "exit", ASN1_EOC, ASN1_EXIT }
752 };
753 #define CRL_DIST_POINTS 1
754 #define CRL_DIST_POINTS_FULLNAME 3
755 #define CRL_DIST_POINTS_ISSUER 10
756
757 /**
758 * Extracts one or several crlDistributionPoints into a list
759 */
760 static void parse_crlDistributionPoints(chunk_t blob, int level0,
761 private_x509_cert_t *this)
762 {
763 asn1_parser_t *parser;
764 chunk_t object;
765 int objectID;
766 crl_uri_t *entry = NULL;
767 identification_t *id;
768 char *uri;
769 linked_list_t *list = linked_list_create();
770
771 parser = asn1_parser_create(crlDistributionPointsObjects, blob);
772 parser->set_top_level(parser, level0);
773
774 while (parser->iterate(parser, &objectID, &object))
775 {
776 switch (objectID)
777 {
778 case CRL_DIST_POINTS:
779 entry = crl_uri_create(NULL);
780 this->crl_uris->insert_last(this->crl_uris, entry);
781 break;
782 case CRL_DIST_POINTS_FULLNAME:
783 if (entry)
784 {
785 x509_parse_generalNames(object, parser->get_level(parser)+1,
786 TRUE, list);
787 while (list->remove_last(list, (void**)&id) == SUCCESS)
788 {
789 if (asprintf(&uri, "%Y", id) > 0)
790 {
791 entry->uris->insert_last(entry->uris, uri);
792 }
793 id->destroy(id);
794 }
795 }
796 break;
797 case CRL_DIST_POINTS_ISSUER:
798 if (entry)
799 {
800 x509_parse_generalNames(object, parser->get_level(parser)+1,
801 TRUE, list);
802 while (list->remove_last(list, (void**)&id) == SUCCESS)
803 {
804 if (!entry->issuer)
805 {
806 entry->issuer = id;
807 }
808 else
809 {
810 id->destroy(id);
811 }
812 }
813 }
814 break;
815 }
816 }
817 parser->destroy(parser);
818 list->destroy(list);
819 }
820
821 /**
822 * ASN.1 definition of ipAddrBlocks according to RFC 3779
823 */
824 static const asn1Object_t ipAddrBlocksObjects[] = {
825 { 0, "ipAddrBlocks", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
826 { 1, "ipAddressFamily", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
827 { 2, "addressFamily", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */
828 { 2, "inherit", ASN1_NULL, ASN1_OPT|ASN1_NONE }, /* 3 */
829 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
830 { 2, "addressesOrRanges", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 5 */
831 { 3, "addressPrefix", ASN1_BIT_STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
832 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
833 { 3, "addressRange", ASN1_SEQUENCE, ASN1_OPT|ASN1_NONE }, /* 8 */
834 { 4, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 9 */
835 { 4, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 10 */
836 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
837 { 2, "end choice/loop", ASN1_EOC, ASN1_END }, /* 12 */
838 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
839 { 0, "exit", ASN1_EOC, ASN1_EXIT }
840 };
841 #define IP_ADDR_BLOCKS_FAMILY 2
842 #define IP_ADDR_BLOCKS_INHERIT 3
843 #define IP_ADDR_BLOCKS_PREFIX 6
844 #define IP_ADDR_BLOCKS_MIN 9
845 #define IP_ADDR_BLOCKS_MAX 10
846
847 static bool check_address_object(ts_type_t ts_type, chunk_t object)
848 {
849 switch (ts_type)
850 {
851 case TS_IPV4_ADDR_RANGE:
852 if (object.len > 5)
853 {
854 DBG1(DBG_LIB, "IPv4 address object is larger than 5 octets");
855 return FALSE;
856 }
857 break;
858 case TS_IPV6_ADDR_RANGE:
859 if (object.len > 17)
860 {
861 DBG1(DBG_LIB, "IPv6 address object is larger than 17 octets");
862 return FALSE;
863 }
864 break;
865 default:
866 DBG1(DBG_LIB, "unknown address family");
867 return FALSE;
868 }
869 if (object.len == 0)
870 {
871 DBG1(DBG_LIB, "An ASN.1 bit string must contain at least the "
872 "initial octet");
873 return FALSE;
874 }
875 if (object.len == 1 && object.ptr[0] != 0)
876 {
877 DBG1(DBG_LIB, "An empty ASN.1 bit string must contain a zero "
878 "initial octet");
879 return FALSE;
880 }
881 if (object.ptr[0] > 7)
882 {
883 DBG1(DBG_LIB, "number of unused bits is too large");
884 return FALSE;
885 }
886 return TRUE;
887 }
888
889 static void parse_ipAddrBlocks(chunk_t blob, int level0,
890 private_x509_cert_t *this)
891 {
892 asn1_parser_t *parser;
893 chunk_t object, min_object;
894 ts_type_t ts_type = 0;
895 traffic_selector_t *ts;
896 int objectID;
897
898 parser = asn1_parser_create(ipAddrBlocksObjects, blob);
899 parser->set_top_level(parser, level0);
900
901 while (parser->iterate(parser, &objectID, &object))
902 {
903 switch (objectID)
904 {
905 case IP_ADDR_BLOCKS_FAMILY:
906 ts_type = 0;
907 if (object.len == 2 && object.ptr[0] == 0)
908 {
909 if (object.ptr[1] == 1)
910 {
911 ts_type = TS_IPV4_ADDR_RANGE;
912 }
913 else if (object.ptr[1] == 2)
914 {
915 ts_type = TS_IPV6_ADDR_RANGE;
916 }
917 else
918 {
919 break;
920 }
921 DBG2(DBG_LIB, " %N", ts_type_name, ts_type);
922 }
923 break;
924 case IP_ADDR_BLOCKS_INHERIT:
925 DBG1(DBG_LIB, "inherit choice is not supported");
926 break;
927 case IP_ADDR_BLOCKS_PREFIX:
928 if (!check_address_object(ts_type, object))
929 {
930 goto end;
931 }
932 ts = traffic_selector_create_from_rfc3779_format(ts_type,
933 object, object);
934 DBG2(DBG_LIB, " %R", ts);
935 this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
936 break;
937 case IP_ADDR_BLOCKS_MIN:
938 if (!check_address_object(ts_type, object))
939 {
940 goto end;
941 }
942 min_object = object;
943 break;
944 case IP_ADDR_BLOCKS_MAX:
945 if (!check_address_object(ts_type, object))
946 {
947 goto end;
948 }
949 ts = traffic_selector_create_from_rfc3779_format(ts_type,
950 min_object, object);
951 DBG2(DBG_LIB, " %R", ts);
952 this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
953 break;
954 default:
955 break;
956 }
957 }
958 this->flags |= X509_IP_ADDR_BLOCKS;
959
960 end:
961 parser->destroy(parser);
962 }
963
964 /**
965 * ASN.1 definition of an X.509v3 x509_cert
966 */
967 static const asn1Object_t certObjects[] = {
968 { 0, "x509", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
969 { 1, "tbsCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
970 { 2, "DEFAULT v1", ASN1_CONTEXT_C_0, ASN1_DEF }, /* 2 */
971 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
972 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 4 */
973 { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 5 */
974 { 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
975 { 2, "validity", ASN1_SEQUENCE, ASN1_NONE }, /* 7 */
976 { 3, "notBefore", ASN1_EOC, ASN1_RAW }, /* 8 */
977 { 3, "notAfter", ASN1_EOC, ASN1_RAW }, /* 9 */
978 { 2, "subject", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
979 { 2, "subjectPublicKeyInfo",ASN1_SEQUENCE, ASN1_RAW }, /* 11 */
980 { 2, "issuerUniqueID", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 12 */
981 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 13 */
982 { 2, "subjectUniqueID", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 14 */
983 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 15 */
984 { 2, "optional extensions", ASN1_CONTEXT_C_3, ASN1_OPT }, /* 16 */
985 { 3, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 17 */
986 { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 18 */
987 { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 19 */
988 { 5, "critical", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 20 */
989 { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 21 */
990 { 3, "end loop", ASN1_EOC, ASN1_END }, /* 22 */
991 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 23 */
992 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 24 */
993 { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY }, /* 25 */
994 { 0, "exit", ASN1_EOC, ASN1_EXIT }
995 };
996 #define X509_OBJ_TBS_CERTIFICATE 1
997 #define X509_OBJ_VERSION 3
998 #define X509_OBJ_SERIAL_NUMBER 4
999 #define X509_OBJ_SIG_ALG 5
1000 #define X509_OBJ_ISSUER 6
1001 #define X509_OBJ_NOT_BEFORE 8
1002 #define X509_OBJ_NOT_AFTER 9
1003 #define X509_OBJ_SUBJECT 10
1004 #define X509_OBJ_SUBJECT_PUBLIC_KEY_INFO 11
1005 #define X509_OBJ_OPTIONAL_EXTENSIONS 16
1006 #define X509_OBJ_EXTN_ID 19
1007 #define X509_OBJ_CRITICAL 20
1008 #define X509_OBJ_EXTN_VALUE 21
1009 #define X509_OBJ_ALGORITHM 24
1010 #define X509_OBJ_SIGNATURE 25
1011
1012 /**
1013 * Parses an X.509v3 certificate
1014 */
1015 static bool parse_certificate(private_x509_cert_t *this)
1016 {
1017 asn1_parser_t *parser;
1018 chunk_t object;
1019 int objectID;
1020 int extn_oid = OID_UNKNOWN;
1021 int sig_alg = OID_UNKNOWN;
1022 bool success = FALSE;
1023 bool critical = FALSE;
1024
1025 parser = asn1_parser_create(certObjects, this->encoding);
1026
1027 while (parser->iterate(parser, &objectID, &object))
1028 {
1029 u_int level = parser->get_level(parser)+1;
1030
1031 switch (objectID)
1032 {
1033 case X509_OBJ_TBS_CERTIFICATE:
1034 this->tbsCertificate = object;
1035 break;
1036 case X509_OBJ_VERSION:
1037 this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
1038 if (this->version < 1 || this->version > 3)
1039 {
1040 DBG1(DBG_LIB, "X.509v%d not supported", this->version);
1041 goto end;
1042 }
1043 else
1044 {
1045 DBG2(DBG_LIB, " X.509v%d", this->version);
1046 }
1047 break;
1048 case X509_OBJ_SERIAL_NUMBER:
1049 this->serialNumber = object;
1050 break;
1051 case X509_OBJ_SIG_ALG:
1052 sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
1053 break;
1054 case X509_OBJ_ISSUER:
1055 this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
1056 DBG2(DBG_LIB, " '%Y'", this->issuer);
1057 break;
1058 case X509_OBJ_NOT_BEFORE:
1059 this->notBefore = asn1_parse_time(object, level);
1060 break;
1061 case X509_OBJ_NOT_AFTER:
1062 this->notAfter = asn1_parse_time(object, level);
1063 break;
1064 case X509_OBJ_SUBJECT:
1065 this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
1066 DBG2(DBG_LIB, " '%Y'", this->subject);
1067 break;
1068 case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
1069 DBG2(DBG_LIB, "-- > --");
1070 this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
1071 KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
1072 DBG2(DBG_LIB, "-- < --");
1073 if (this->public_key == NULL)
1074 {
1075 goto end;
1076 }
1077 break;
1078 case X509_OBJ_OPTIONAL_EXTENSIONS:
1079 if (this->version != 3)
1080 {
1081 DBG1(DBG_LIB, "Only X.509v3 certificates have extensions");
1082 goto end;
1083 }
1084 break;
1085 case X509_OBJ_EXTN_ID:
1086 extn_oid = asn1_known_oid(object);
1087 break;
1088 case X509_OBJ_CRITICAL:
1089 critical = object.len && *object.ptr;
1090 DBG2(DBG_LIB, " %s", critical ? "TRUE" : "FALSE");
1091 break;
1092 case X509_OBJ_EXTN_VALUE:
1093 {
1094 switch (extn_oid)
1095 {
1096 case OID_SUBJECT_KEY_ID:
1097 if (!asn1_parse_simple_object(&object, ASN1_OCTET_STRING,
1098 level, "keyIdentifier"))
1099 {
1100 goto end;
1101 }
1102 this->subjectKeyIdentifier = object;
1103 break;
1104 case OID_SUBJECT_ALT_NAME:
1105 x509_parse_generalNames(object, level, FALSE,
1106 this->subjectAltNames);
1107 break;
1108 case OID_BASIC_CONSTRAINTS:
1109 parse_basicConstraints(object, level, this);
1110 break;
1111 case OID_CRL_DISTRIBUTION_POINTS:
1112 parse_crlDistributionPoints(object, level, this);
1113 break;
1114 case OID_AUTHORITY_KEY_ID:
1115 this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
1116 level, &this->authKeySerialNumber);
1117 break;
1118 case OID_AUTHORITY_INFO_ACCESS:
1119 parse_authorityInfoAccess(object, level, this);
1120 break;
1121 case OID_KEY_USAGE:
1122 parse_keyUsage(object, this);
1123 break;
1124 case OID_EXTENDED_KEY_USAGE:
1125 parse_extendedKeyUsage(object, level, this);
1126 break;
1127 case OID_IP_ADDR_BLOCKS:
1128 parse_ipAddrBlocks(object, level, this);
1129 break;
1130 case OID_NS_REVOCATION_URL:
1131 case OID_NS_CA_REVOCATION_URL:
1132 case OID_NS_CA_POLICY_URL:
1133 case OID_NS_COMMENT:
1134 if (!asn1_parse_simple_object(&object, ASN1_IA5STRING,
1135 level, oid_names[extn_oid].name))
1136 {
1137 goto end;
1138 }
1139 break;
1140 default:
1141 if (critical && lib->settings->get_bool(lib->settings,
1142 "libstrongswan.plugins.x509.enforce_critical", FALSE))
1143 {
1144 DBG1(DBG_LIB, "critical %s extension not supported",
1145 (extn_oid == OID_UNKNOWN) ? "unknown" :
1146 (char*)oid_names[extn_oid].name);
1147 goto end;
1148 }
1149 break;
1150 }
1151 break;
1152 }
1153 case X509_OBJ_ALGORITHM:
1154 this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
1155 if (this->algorithm != sig_alg)
1156 {
1157 DBG1(DBG_LIB, " signature algorithms do not agree");
1158 goto end;
1159 }
1160 break;
1161 case X509_OBJ_SIGNATURE:
1162 this->signature = object;
1163 break;
1164 default:
1165 break;
1166 }
1167 }
1168 success = parser->success(parser);
1169
1170 end:
1171 parser->destroy(parser);
1172 if (success)
1173 {
1174 hasher_t *hasher;
1175
1176 /* check if the certificate is self-signed */
1177 if (this->public.interface.interface.issued_by(
1178 &this->public.interface.interface,
1179 &this->public.interface.interface))
1180 {
1181 this->flags |= X509_SELF_SIGNED;
1182 }
1183 /* create certificate hash */
1184 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1185 if (hasher == NULL)
1186 {
1187 DBG1(DBG_LIB, " unable to create hash of certificate, SHA1 not supported");
1188 return NULL;
1189 }
1190 hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
1191 hasher->destroy(hasher);
1192 }
1193 return success;
1194 }
1195
1196 METHOD(certificate_t, get_type, certificate_type_t,
1197 private_x509_cert_t *this)
1198 {
1199 return CERT_X509;
1200 }
1201
1202 METHOD(certificate_t, get_subject, identification_t*,
1203 private_x509_cert_t *this)
1204 {
1205 return this->subject;
1206 }
1207
1208 METHOD(certificate_t, get_issuer, identification_t*,
1209 private_x509_cert_t *this)
1210 {
1211 return this->issuer;
1212 }
1213
1214 METHOD(certificate_t, has_subject, id_match_t,
1215 private_x509_cert_t *this, identification_t *subject)
1216 {
1217 identification_t *current;
1218 enumerator_t *enumerator;
1219 id_match_t match, best;
1220 chunk_t encoding;
1221
1222 if (subject->get_type(subject) == ID_KEY_ID)
1223 {
1224 encoding = subject->get_encoding(subject);
1225
1226 if (this->encoding_hash.len &&
1227 chunk_equals(this->encoding_hash, encoding))
1228 {
1229 return ID_MATCH_PERFECT;
1230 }
1231 if (this->subjectKeyIdentifier.len &&
1232 chunk_equals(this->subjectKeyIdentifier, encoding))
1233 {
1234 return ID_MATCH_PERFECT;
1235 }
1236 if (this->public_key &&
1237 this->public_key->has_fingerprint(this->public_key, encoding))
1238 {
1239 return ID_MATCH_PERFECT;
1240 }
1241 }
1242 best = this->subject->matches(this->subject, subject);
1243 enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
1244 while (enumerator->enumerate(enumerator, &current))
1245 {
1246 match = current->matches(current, subject);
1247 if (match > best)
1248 {
1249 best = match;
1250 }
1251 }
1252 enumerator->destroy(enumerator);
1253 return best;
1254 }
1255
1256 METHOD(certificate_t, has_issuer, id_match_t,
1257 private_x509_cert_t *this, identification_t *issuer)
1258 {
1259 /* issuerAltNames currently not supported */
1260 return this->issuer->matches(this->issuer, issuer);
1261 }
1262
1263 METHOD(certificate_t, issued_by, bool,
1264 private_x509_cert_t *this, certificate_t *issuer)
1265 {
1266 public_key_t *key;
1267 signature_scheme_t scheme;
1268 bool valid;
1269 x509_t *x509 = (x509_t*)issuer;
1270
1271 if (&this->public.interface.interface == issuer)
1272 {
1273 if (this->flags & X509_SELF_SIGNED)
1274 {
1275 return TRUE;
1276 }
1277 }
1278 else
1279 {
1280 if (issuer->get_type(issuer) != CERT_X509)
1281 {
1282 return FALSE;
1283 }
1284 if (!(x509->get_flags(x509) & X509_CA))
1285 {
1286 return FALSE;
1287 }
1288 }
1289 if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
1290 {
1291 return FALSE;
1292 }
1293
1294 /* determine signature scheme */
1295 scheme = signature_scheme_from_oid(this->algorithm);
1296 if (scheme == SIGN_UNKNOWN)
1297 {
1298 return FALSE;
1299 }
1300 /* get the public key of the issuer */
1301 key = issuer->get_public_key(issuer);
1302 if (!key)
1303 {
1304 return FALSE;
1305 }
1306 valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
1307 key->destroy(key);
1308 return valid;
1309 }
1310
1311 METHOD(certificate_t, get_public_key, public_key_t*,
1312 private_x509_cert_t *this)
1313 {
1314 this->public_key->get_ref(this->public_key);
1315 return this->public_key;
1316 }
1317
1318 METHOD(certificate_t, get_ref, certificate_t*,
1319 private_x509_cert_t *this)
1320 {
1321 ref_get(&this->ref);
1322 return &this->public.interface.interface;
1323 }
1324
1325 METHOD(certificate_t, get_validity, bool,
1326 private_x509_cert_t *this, time_t *when, time_t *not_before,
1327 time_t *not_after)
1328 {
1329 time_t t = when ? *when : time(NULL);
1330
1331 if (not_before)
1332 {
1333 *not_before = this->notBefore;
1334 }
1335 if (not_after)
1336 {
1337 *not_after = this->notAfter;
1338 }
1339 return (t >= this->notBefore && t <= this->notAfter);
1340 }
1341
1342 METHOD(certificate_t, get_encoding, bool,
1343 private_x509_cert_t *this, cred_encoding_type_t type, chunk_t *encoding)
1344 {
1345 if (type == CERT_ASN1_DER)
1346 {
1347 *encoding = chunk_clone(this->encoding);
1348 return TRUE;
1349 }
1350 return lib->encoding->encode(lib->encoding, type, NULL, encoding,
1351 CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END);
1352 }
1353
1354 METHOD(certificate_t, equals, bool,
1355 private_x509_cert_t *this, certificate_t *other)
1356 {
1357 chunk_t encoding;
1358 bool equal;
1359
1360 if (this == (private_x509_cert_t*)other)
1361 {
1362 return TRUE;
1363 }
1364 if (other->get_type(other) != CERT_X509)
1365 {
1366 return FALSE;
1367 }
1368 if (other->equals == (void*)equals)
1369 { /* skip allocation if we have the same implementation */
1370 return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding);
1371 }
1372 if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
1373 {
1374 return FALSE;
1375 }
1376 equal = chunk_equals(this->encoding, encoding);
1377 free(encoding.ptr);
1378 return equal;
1379 }
1380
1381 METHOD(x509_t, get_flags, x509_flag_t,
1382 private_x509_cert_t *this)
1383 {
1384 return this->flags;
1385 }
1386
1387 METHOD(x509_t, get_serial, chunk_t,
1388 private_x509_cert_t *this)
1389 {
1390 return this->serialNumber;
1391 }
1392
1393 METHOD(x509_t, get_subjectKeyIdentifier, chunk_t,
1394 private_x509_cert_t *this)
1395 {
1396 if (this->subjectKeyIdentifier.ptr)
1397 {
1398 return this->subjectKeyIdentifier;
1399 }
1400 else
1401 {
1402 chunk_t fingerprint;
1403
1404 if (this->public_key->get_fingerprint(this->public_key,
1405 KEYID_PUBKEY_SHA1, &fingerprint))
1406 {
1407 return fingerprint;
1408 }
1409 else
1410 {
1411 return chunk_empty;
1412 }
1413 }
1414 }
1415
1416 METHOD(x509_t, get_authKeyIdentifier, chunk_t,
1417 private_x509_cert_t *this)
1418 {
1419 return this->authKeyIdentifier;
1420 }
1421
1422 METHOD(x509_t, get_pathLenConstraint, int,
1423 private_x509_cert_t *this)
1424 {
1425 return this->pathLenConstraint;
1426 }
1427
1428 METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
1429 private_x509_cert_t *this)
1430 {
1431 return this->subjectAltNames->create_enumerator(this->subjectAltNames);
1432 }
1433
1434 METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*,
1435 private_x509_cert_t *this)
1436 {
1437 return this->ocsp_uris->create_enumerator(this->ocsp_uris);
1438 }
1439
1440 /**
1441 * Convert enumerator value from entry to (uri, issuer)
1442 */
1443 static bool crl_enum_filter(identification_t *issuer_in,
1444 char **uri_in, char **uri_out,
1445 void *none_in, identification_t **issuer_out)
1446 {
1447 *uri_out = *uri_in;
1448 if (issuer_out)
1449 {
1450 *issuer_out = issuer_in;
1451 }
1452 return TRUE;
1453 }
1454
1455 /**
1456 * Create inner enumerator over URIs
1457 */
1458 static enumerator_t *crl_enum_create(crl_uri_t *entry)
1459 {
1460 return enumerator_create_filter(entry->uris->create_enumerator(entry->uris),
1461 (void*)crl_enum_filter, entry->issuer, NULL);
1462 }
1463
1464 METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*,
1465 private_x509_cert_t *this)
1466 {
1467 return enumerator_create_nested(
1468 this->crl_uris->create_enumerator(this->crl_uris),
1469 (void*)crl_enum_create, NULL, NULL);
1470 }
1471
1472 METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*,
1473 private_x509_cert_t *this)
1474 {
1475 return this->ipAddrBlocks->create_enumerator(this->ipAddrBlocks);
1476 }
1477
1478 METHOD(x509_t, create_name_constraint_enumerator, enumerator_t*,
1479 private_x509_cert_t *this, bool perm)
1480 {
1481 if (perm)
1482 {
1483 return this->permitted_names->create_enumerator(this->permitted_names);
1484 }
1485 return this->excluded_names->create_enumerator(this->excluded_names);
1486 }
1487
1488 METHOD(certificate_t, destroy, void,
1489 private_x509_cert_t *this)
1490 {
1491 if (ref_put(&this->ref))
1492 {
1493 this->subjectAltNames->destroy_offset(this->subjectAltNames,
1494 offsetof(identification_t, destroy));
1495 this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy);
1496 this->ocsp_uris->destroy_function(this->ocsp_uris, free);
1497 this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks,
1498 offsetof(traffic_selector_t, destroy));
1499 this->permitted_names->destroy_offset(this->permitted_names,
1500 offsetof(identification_t, destroy));
1501 this->excluded_names->destroy_offset(this->excluded_names,
1502 offsetof(identification_t, destroy));
1503 DESTROY_IF(this->issuer);
1504 DESTROY_IF(this->subject);
1505 DESTROY_IF(this->public_key);
1506 chunk_free(&this->authKeyIdentifier);
1507 chunk_free(&this->encoding);
1508 chunk_free(&this->encoding_hash);
1509 if (!this->parsed)
1510 { /* only parsed certificates point these fields to "encoded" */
1511 chunk_free(&this->signature);
1512 chunk_free(&this->serialNumber);
1513 chunk_free(&this->tbsCertificate);
1514 }
1515 free(this);
1516 }
1517 }
1518
1519 /**
1520 * create an empty but initialized X.509 certificate
1521 */
1522 static private_x509_cert_t* create_empty(void)
1523 {
1524 private_x509_cert_t *this;
1525
1526 INIT(this,
1527 .public = {
1528 .interface = {
1529 .interface = {
1530 .get_type = _get_type,
1531 .get_subject = _get_subject,
1532 .get_issuer = _get_issuer,
1533 .has_subject = _has_subject,
1534 .has_issuer = _has_issuer,
1535 .issued_by = _issued_by,
1536 .get_public_key = _get_public_key,
1537 .get_validity = _get_validity,
1538 .get_encoding = _get_encoding,
1539 .equals = _equals,
1540 .get_ref = _get_ref,
1541 .destroy = _destroy,
1542 },
1543 .get_flags = _get_flags,
1544 .get_serial = _get_serial,
1545 .get_subjectKeyIdentifier = _get_subjectKeyIdentifier,
1546 .get_authKeyIdentifier = _get_authKeyIdentifier,
1547 .get_pathLenConstraint = _get_pathLenConstraint,
1548 .create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
1549 .create_crl_uri_enumerator = _create_crl_uri_enumerator,
1550 .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
1551 .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
1552 .create_name_constraint_enumerator = _create_name_constraint_enumerator,
1553 },
1554 },
1555 .version = 1,
1556 .subjectAltNames = linked_list_create(),
1557 .crl_uris = linked_list_create(),
1558 .ocsp_uris = linked_list_create(),
1559 .ipAddrBlocks = linked_list_create(),
1560 .permitted_names = linked_list_create(),
1561 .excluded_names = linked_list_create(),
1562 .pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT,
1563 .ref = 1,
1564 );
1565 return this;
1566 }
1567
1568 /**
1569 * Build a generalName from an id
1570 */
1571 chunk_t build_generalName(identification_t *id)
1572 {
1573 int context;
1574
1575 switch (id->get_type(id))
1576 {
1577 case ID_RFC822_ADDR:
1578 context = ASN1_CONTEXT_S_1;
1579 break;
1580 case ID_FQDN:
1581 context = ASN1_CONTEXT_S_2;
1582 break;
1583 case ID_DER_ASN1_DN:
1584 context = ASN1_CONTEXT_C_4;
1585 break;
1586 case ID_IPV4_ADDR:
1587 case ID_IPV6_ADDR:
1588 context = ASN1_CONTEXT_S_7;
1589 break;
1590 default:
1591 DBG1(DBG_LIB, "encoding %N as generalName not supported",
1592 id_type_names, id->get_type(id));
1593 return chunk_empty;
1594 }
1595 return asn1_wrap(context, "c", id->get_encoding(id));
1596 }
1597
1598 /**
1599 * Encode a linked list of subjectAltNames
1600 */
1601 chunk_t x509_build_subjectAltNames(linked_list_t *list)
1602 {
1603 chunk_t subjectAltNames = chunk_empty, name;
1604 enumerator_t *enumerator;
1605 identification_t *id;
1606
1607 if (list->get_count(list) == 0)
1608 {
1609 return chunk_empty;
1610 }
1611
1612 enumerator = list->create_enumerator(list);
1613 while (enumerator->enumerate(enumerator, &id))
1614 {
1615 name = build_generalName(id);
1616 subjectAltNames = chunk_cat("mm", subjectAltNames, name);
1617 }
1618 enumerator->destroy(enumerator);
1619
1620 return asn1_wrap(ASN1_SEQUENCE, "mm",
1621 asn1_build_known_oid(OID_SUBJECT_ALT_NAME),
1622 asn1_wrap(ASN1_OCTET_STRING, "m",
1623 asn1_wrap(ASN1_SEQUENCE, "m", subjectAltNames)
1624 )
1625 );
1626 }
1627
1628 /**
1629 * Generate and sign a new certificate
1630 */
1631 static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
1632 private_key_t *sign_key, int digest_alg)
1633 {
1634 chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
1635 chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty;
1636 chunk_t ocspSigning = chunk_empty;
1637 chunk_t basicConstraints = chunk_empty;
1638 chunk_t keyUsage = chunk_empty, keyUsageBits = chunk_empty;
1639 chunk_t subjectAltNames = chunk_empty;
1640 chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
1641 chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
1642 identification_t *issuer, *subject;
1643 crl_uri_t *entry;
1644 chunk_t key_info;
1645 signature_scheme_t scheme;
1646 hasher_t *hasher;
1647 enumerator_t *enumerator, *uris;
1648 char *uri;
1649
1650 subject = cert->subject;
1651 if (sign_cert)
1652 {
1653 issuer = sign_cert->get_subject(sign_cert);
1654 if (!cert->public_key)
1655 {
1656 return FALSE;
1657 }
1658 }
1659 else
1660 { /* self signed */
1661 issuer = subject;
1662 if (!cert->public_key)
1663 {
1664 cert->public_key = sign_key->get_public_key(sign_key);
1665 }
1666 cert->flags |= X509_SELF_SIGNED;
1667 }
1668 cert->issuer = issuer->clone(issuer);
1669 if (!cert->notBefore)
1670 {
1671 cert->notBefore = time(NULL);
1672 }
1673 if (!cert->notAfter)
1674 { /* defaults to 1 year from now */
1675 cert->notAfter = cert->notBefore + 60 * 60 * 24 * 365;
1676 }
1677
1678 /* select signature scheme */
1679 cert->algorithm = hasher_signature_algorithm_to_oid(digest_alg,
1680 sign_key->get_type(sign_key));
1681 if (cert->algorithm == OID_UNKNOWN)
1682 {
1683 return FALSE;
1684 }
1685 scheme = signature_scheme_from_oid(cert->algorithm);
1686
1687 if (!cert->public_key->get_encoding(cert->public_key,
1688 PUBKEY_SPKI_ASN1_DER, &key_info))
1689 {
1690 return FALSE;
1691 }
1692
1693 /* encode subjectAltNames */
1694 subjectAltNames = x509_build_subjectAltNames(cert->subjectAltNames);
1695
1696 /* encode CRL distribution points extension */
1697 enumerator = cert->crl_uris->create_enumerator(cert->crl_uris);
1698 while (enumerator->enumerate(enumerator, &entry))
1699 {
1700 chunk_t distributionPoint, gn;
1701 chunk_t crlIssuer = chunk_empty, gns = chunk_empty;
1702
1703 if (entry->issuer)
1704 {
1705 crlIssuer = asn1_wrap(ASN1_CONTEXT_C_2, "m",
1706 build_generalName(entry->issuer));
1707 }
1708 uris = entry->uris->create_enumerator(entry->uris);
1709 while (uris->enumerate(uris, &uri))
1710 {
1711 gn = asn1_wrap(ASN1_CONTEXT_S_6, "c", chunk_create(uri, strlen(uri)));
1712 gns = chunk_cat("mm", gns, gn);
1713 }
1714 uris->destroy(uris);
1715
1716 distributionPoint = asn1_wrap(ASN1_SEQUENCE, "mm",
1717 asn1_wrap(ASN1_CONTEXT_C_0, "m",
1718 asn1_wrap(ASN1_CONTEXT_C_0, "m", gns)),
1719 crlIssuer);
1720 crlDistributionPoints = chunk_cat("mm", crlDistributionPoints,
1721 distributionPoint);
1722 }
1723 enumerator->destroy(enumerator);
1724 if (crlDistributionPoints.ptr)
1725 {
1726 crlDistributionPoints = asn1_wrap(ASN1_SEQUENCE, "mm",
1727 asn1_build_known_oid(OID_CRL_DISTRIBUTION_POINTS),
1728 asn1_wrap(ASN1_OCTET_STRING, "m",
1729 asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints)));
1730 }
1731
1732 /* encode OCSP URIs in authorityInfoAccess extension */
1733 enumerator = cert->ocsp_uris->create_enumerator(cert->ocsp_uris);
1734 while (enumerator->enumerate(enumerator, &uri))
1735 {
1736 chunk_t accessDescription;
1737
1738 accessDescription = asn1_wrap(ASN1_SEQUENCE, "mm",
1739 asn1_build_known_oid(OID_OCSP),
1740 asn1_wrap(ASN1_CONTEXT_S_6, "c",
1741 chunk_create(uri, strlen(uri))));
1742 authorityInfoAccess = chunk_cat("mm", authorityInfoAccess,
1743 accessDescription);
1744 }
1745 enumerator->destroy(enumerator);
1746 if (authorityInfoAccess.ptr)
1747 {
1748 authorityInfoAccess = asn1_wrap(ASN1_SEQUENCE, "mm",
1749 asn1_build_known_oid(OID_AUTHORITY_INFO_ACCESS),
1750 asn1_wrap(ASN1_OCTET_STRING, "m",
1751 asn1_wrap(ASN1_SEQUENCE, "m", authorityInfoAccess)));
1752 }
1753
1754 /* build CA basicConstraint and keyUsage flags for CA certificates */
1755 if (cert->flags & X509_CA)
1756 {
1757 chunk_t pathLenConstraint = chunk_empty;
1758
1759 if (cert->pathLenConstraint != X509_NO_PATH_LEN_CONSTRAINT)
1760 {
1761 char pathlen = (char)cert->pathLenConstraint;
1762
1763 pathLenConstraint = asn1_integer("c", chunk_from_thing(pathlen));
1764 }
1765 basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
1766 asn1_build_known_oid(OID_BASIC_CONSTRAINTS),
1767 asn1_wrap(ASN1_BOOLEAN, "c",
1768 chunk_from_chars(0xFF)),
1769 asn1_wrap(ASN1_OCTET_STRING, "m",
1770 asn1_wrap(ASN1_SEQUENCE, "mm",
1771 asn1_wrap(ASN1_BOOLEAN, "c",
1772 chunk_from_chars(0xFF)),
1773 pathLenConstraint)));
1774 /* set CertificateSign and implicitly CRLsign */
1775 keyUsageBits = chunk_from_chars(0x01, 0x06);
1776 }
1777 else if (cert->flags & X509_CRL_SIGN)
1778 {
1779 keyUsageBits = chunk_from_chars(0x01, 0x02);
1780 }
1781 if (keyUsageBits.len)
1782 {
1783 keyUsage = asn1_wrap(ASN1_SEQUENCE, "mmm",
1784 asn1_build_known_oid(OID_KEY_USAGE),
1785 asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
1786 asn1_wrap(ASN1_OCTET_STRING, "m",
1787 asn1_wrap(ASN1_BIT_STRING, "c", keyUsageBits)));
1788 }
1789
1790 /* add serverAuth extendedKeyUsage flag */
1791 if (cert->flags & X509_SERVER_AUTH)
1792 {
1793 serverAuth = asn1_build_known_oid(OID_SERVER_AUTH);
1794 }
1795 if (cert->flags & X509_CLIENT_AUTH)
1796 {
1797 clientAuth = asn1_build_known_oid(OID_CLIENT_AUTH);
1798 }
1799
1800 /* add ocspSigning extendedKeyUsage flag */
1801 if (cert->flags & X509_OCSP_SIGNER)
1802 {
1803 ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
1804 }
1805
1806 if (serverAuth.ptr || clientAuth.ptr || ocspSigning.ptr)
1807 {
1808 extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
1809 asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
1810 asn1_wrap(ASN1_OCTET_STRING, "m",
1811 asn1_wrap(ASN1_SEQUENCE, "mmm",
1812 serverAuth, clientAuth, ocspSigning)));
1813 }
1814
1815 /* add subjectKeyIdentifier to CA and OCSP signer certificates */
1816 if (cert->flags & (X509_CA | X509_OCSP_SIGNER | X509_CRL_SIGN))
1817 {
1818 chunk_t keyid;
1819
1820 if (cert->public_key->get_fingerprint(cert->public_key,
1821 KEYID_PUBKEY_SHA1, &keyid))
1822 {
1823 subjectKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
1824 asn1_build_known_oid(OID_SUBJECT_KEY_ID),
1825 asn1_wrap(ASN1_OCTET_STRING, "m",
1826 asn1_wrap(ASN1_OCTET_STRING, "c", keyid)));
1827 }
1828 }
1829
1830 /* add the keyid authKeyIdentifier for non self-signed certificates */
1831 if (sign_key)
1832 {
1833 chunk_t keyid;
1834
1835 if (sign_key->get_fingerprint(sign_key, KEYID_PUBKEY_SHA1, &keyid))
1836 {
1837 authKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
1838 asn1_build_known_oid(OID_AUTHORITY_KEY_ID),
1839 asn1_wrap(ASN1_OCTET_STRING, "m",
1840 asn1_wrap(ASN1_SEQUENCE, "m",
1841 asn1_wrap(ASN1_CONTEXT_S_0, "c", keyid))));
1842 }
1843 }
1844 if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
1845 crlDistributionPoints.ptr)
1846 {
1847 extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
1848 asn1_wrap(ASN1_SEQUENCE, "mmmmmmmm",
1849 basicConstraints, keyUsage, subjectKeyIdentifier,
1850 authKeyIdentifier, subjectAltNames,
1851 extendedKeyUsage, crlDistributionPoints,
1852 authorityInfoAccess));
1853 }
1854
1855 cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
1856 asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
1857 asn1_integer("c", cert->serialNumber),
1858 asn1_algorithmIdentifier(cert->algorithm),
1859 issuer->get_encoding(issuer),
1860 asn1_wrap(ASN1_SEQUENCE, "mm",
1861 asn1_from_time(&cert->notBefore, ASN1_UTCTIME),
1862 asn1_from_time(&cert->notAfter, ASN1_UTCTIME)),
1863 subject->get_encoding(subject),
1864 key_info, extensions);
1865
1866 if (!sign_key->sign(sign_key, scheme, cert->tbsCertificate, &cert->signature))
1867 {
1868 return FALSE;
1869 }
1870 cert->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm", cert->tbsCertificate,
1871 asn1_algorithmIdentifier(cert->algorithm),
1872 asn1_bitstring("c", cert->signature));
1873
1874 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1875 if (!hasher)
1876 {
1877 return FALSE;
1878 }
1879 hasher->allocate_hash(hasher, cert->encoding, &cert->encoding_hash);
1880 hasher->destroy(hasher);
1881 return TRUE;
1882 }
1883
1884 /**
1885 * See header.
1886 */
1887 x509_cert_t *x509_cert_load(certificate_type_t type, va_list args)
1888 {
1889 x509_flag_t flags = 0;
1890 chunk_t blob = chunk_empty;
1891
1892 while (TRUE)
1893 {
1894 switch (va_arg(args, builder_part_t))
1895 {
1896 case BUILD_BLOB_ASN1_DER:
1897 blob = va_arg(args, chunk_t);
1898 continue;
1899 case BUILD_X509_FLAG:
1900 flags |= va_arg(args, x509_flag_t);
1901 continue;
1902 case BUILD_END:
1903 break;
1904 default:
1905 return NULL;
1906 }
1907 break;
1908 }
1909
1910 if (blob.ptr)
1911 {
1912 private_x509_cert_t *cert = create_empty();
1913
1914 cert->encoding = chunk_clone(blob);
1915 cert->parsed = TRUE;
1916 if (parse_certificate(cert))
1917 {
1918 cert->flags |= flags;
1919 return &cert->public;
1920 }
1921 destroy(cert);
1922 }
1923 return NULL;
1924 }
1925
1926 /**
1927 * See header.
1928 */
1929 x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
1930 {
1931 private_x509_cert_t *cert;
1932 certificate_t *sign_cert = NULL;
1933 private_key_t *sign_key = NULL;
1934 identification_t *crl_issuer = NULL;
1935 hash_algorithm_t digest_alg = HASH_SHA1;
1936
1937 cert = create_empty();
1938 while (TRUE)
1939 {
1940 switch (va_arg(args, builder_part_t))
1941 {
1942 case BUILD_X509_FLAG:
1943 cert->flags |= va_arg(args, x509_flag_t);
1944 continue;
1945 case BUILD_SIGNING_KEY:
1946 sign_key = va_arg(args, private_key_t*);
1947 continue;
1948 case BUILD_SIGNING_CERT:
1949 sign_cert = va_arg(args, certificate_t*);
1950 continue;
1951 case BUILD_PUBLIC_KEY:
1952 cert->public_key = va_arg(args, public_key_t*);
1953 cert->public_key->get_ref(cert->public_key);
1954 continue;
1955 case BUILD_SUBJECT:
1956 cert->subject = va_arg(args, identification_t*);
1957 cert->subject = cert->subject->clone(cert->subject);
1958 continue;
1959 case BUILD_SUBJECT_ALTNAMES:
1960 {
1961 enumerator_t *enumerator;
1962 identification_t *id;
1963 linked_list_t *list;
1964
1965 list = va_arg(args, linked_list_t*);
1966 enumerator = list->create_enumerator(list);
1967 while (enumerator->enumerate(enumerator, &id))
1968 {
1969 cert->subjectAltNames->insert_last(cert->subjectAltNames,
1970 id->clone(id));
1971 }
1972 enumerator->destroy(enumerator);
1973 continue;
1974 }
1975 case BUILD_CRL_DISTRIBUTION_POINTS:
1976 {
1977 enumerator_t *enumerator;
1978 linked_list_t *list;
1979 crl_uri_t *entry;
1980 char *uri;
1981
1982 list = va_arg(args, linked_list_t*);
1983 if (list->get_count(list))
1984 {
1985 entry = crl_uri_create(crl_issuer);
1986 enumerator = list->create_enumerator(list);
1987 while (enumerator->enumerate(enumerator, &uri))
1988 {
1989 entry->uris->insert_last(entry->uris, strdup(uri));
1990 }
1991 enumerator->destroy(enumerator);
1992 cert->crl_uris->insert_last(cert->crl_uris, entry);
1993 }
1994 continue;
1995 }
1996 case BUILD_CRL_ISSUER:
1997 {
1998 crl_issuer = va_arg(args, identification_t*);
1999 continue;
2000 }
2001 case BUILD_OCSP_ACCESS_LOCATIONS:
2002 {
2003 enumerator_t *enumerator;
2004 linked_list_t *list;
2005 char *uri;
2006
2007 list = va_arg(args, linked_list_t*);
2008 enumerator = list->create_enumerator(list);
2009 while (enumerator->enumerate(enumerator, &uri))
2010 {
2011 cert->ocsp_uris->insert_last(cert->ocsp_uris, strdup(uri));
2012 }
2013 enumerator->destroy(enumerator);
2014 continue;
2015 }
2016 case BUILD_PATHLEN:
2017 cert->pathLenConstraint = va_arg(args, int);
2018 if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127)
2019 {
2020 cert->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT;
2021 }
2022 continue;
2023 case BUILD_NOT_BEFORE_TIME:
2024 cert->notBefore = va_arg(args, time_t);
2025 continue;
2026 case BUILD_NOT_AFTER_TIME:
2027 cert->notAfter = va_arg(args, time_t);
2028 continue;
2029 case BUILD_SERIAL:
2030 cert->serialNumber = chunk_clone(va_arg(args, chunk_t));
2031 continue;
2032 case BUILD_DIGEST_ALG:
2033 digest_alg = va_arg(args, int);
2034 continue;
2035 case BUILD_END:
2036 break;
2037 default:
2038 destroy(cert);
2039 return NULL;
2040 }
2041 break;
2042 }
2043
2044 if (sign_key && generate(cert, sign_cert, sign_key, digest_alg))
2045 {
2046 return &cert->public;
2047 }
2048 destroy(cert);
2049 return NULL;
2050 }
2051