Added policyMappings support to x509 plugin
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_cert.c
1 /*
2 * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
3 * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
4 * Copyright (C) 2002 Mario Strasser
5 * Copyright (C) 2000-2006 Andreas Steffen
6 * Copyright (C) 2006-2009 Martin Willi
7 * Copyright (C) 2008 Tobias Brunner
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #define _GNU_SOURCE
22
23 #include "x509_cert.h"
24
25 #include <sys/stat.h>
26 #include <time.h>
27 #include <unistd.h>
28 #include <string.h>
29 #include <stdio.h>
30
31 #include <library.h>
32 #include <debug.h>
33 #include <asn1/oid.h>
34 #include <asn1/asn1.h>
35 #include <asn1/asn1_parser.h>
36 #include <crypto/hashers/hasher.h>
37 #include <credentials/keys/private_key.h>
38 #include <utils/linked_list.h>
39 #include <utils/identification.h>
40 #include <selectors/traffic_selector.h>
41
42 /**
43 * Different kinds of generalNames
44 */
45 typedef enum {
46 GN_OTHER_NAME = 0,
47 GN_RFC822_NAME = 1,
48 GN_DNS_NAME = 2,
49 GN_X400_ADDRESS = 3,
50 GN_DIRECTORY_NAME = 4,
51 GN_EDI_PARTY_NAME = 5,
52 GN_URI = 6,
53 GN_IP_ADDRESS = 7,
54 GN_REGISTERED_ID = 8,
55 } generalNames_t;
56
57
58 typedef struct private_x509_cert_t private_x509_cert_t;
59
60 /**
61 * Private data of a x509_cert_t object.
62 */
63 struct private_x509_cert_t {
64 /**
65 * Public interface for this certificate.
66 */
67 x509_cert_t public;
68
69 /**
70 * X.509 certificate encoding in ASN.1 DER format
71 */
72 chunk_t encoding;
73
74 /**
75 * SHA1 hash of the DER encoding of this X.509 certificate
76 */
77 chunk_t encoding_hash;
78
79 /**
80 * X.509 certificate body over which signature is computed
81 */
82 chunk_t tbsCertificate;
83
84 /**
85 * Version of the X.509 certificate
86 */
87 u_int version;
88
89 /**
90 * Serial number of the X.509 certificate
91 */
92 chunk_t serialNumber;
93
94 /**
95 * ID representing the certificate issuer
96 */
97 identification_t *issuer;
98
99 /**
100 * Start time of certificate validity
101 */
102 time_t notBefore;
103
104 /**
105 * End time of certificate validity
106 */
107 time_t notAfter;
108
109 /**
110 * ID representing the certificate subject
111 */
112 identification_t *subject;
113
114 /**
115 * List of subjectAltNames as identification_t
116 */
117 linked_list_t *subjectAltNames;
118
119 /**
120 * List of crlDistributionPoints as crl_uri_t
121 */
122 linked_list_t *crl_uris;
123
124 /**
125 * List of ocspAccessLocations as allocated char*
126 */
127 linked_list_t *ocsp_uris;
128
129 /**
130 * List of ipAddrBlocks as traffic_selector_t
131 */
132 linked_list_t *ipAddrBlocks;
133
134 /**
135 * List of permitted name constraints
136 */
137 linked_list_t *permitted_names;
138
139 /**
140 * List of exluced name constraints
141 */
142 linked_list_t *excluded_names;
143
144 /**
145 * List of certificatePolicies, as x509_cert_policy_t
146 */
147 linked_list_t *cert_policies;
148
149 /**
150 * List of policyMappings, as x509_policy_mapping_t
151 */
152 linked_list_t *policy_mappings;
153
154 /**
155 * certificate's embedded public key
156 */
157 public_key_t *public_key;
158
159 /**
160 * Subject Key Identifier
161 */
162 chunk_t subjectKeyIdentifier;
163
164 /**
165 * Authority Key Identifier
166 */
167 chunk_t authKeyIdentifier;
168
169 /**
170 * Authority Key Serial Number
171 */
172 chunk_t authKeySerialNumber;
173
174 /**
175 * Path Length Constraint
176 */
177 int pathLenConstraint;
178
179 /**
180 * x509 constraints and other flags
181 */
182 x509_flag_t flags;
183
184 /**
185 * Signature algorithm
186 */
187 int algorithm;
188
189 /**
190 * Signature
191 */
192 chunk_t signature;
193
194 /**
195 * Certificate parsed from blob/file?
196 */
197 bool parsed;
198
199 /**
200 * reference count
201 */
202 refcount_t ref;
203 };
204
205 static const chunk_t ASN1_subjectAltName_oid = chunk_from_chars(
206 0x06, 0x03, 0x55, 0x1D, 0x11
207 );
208
209 /**
210 * CRL URIs with associated issuer
211 */
212 typedef struct {
213 identification_t *issuer;
214 linked_list_t *uris;
215 } crl_uri_t;
216
217 /**
218 * Create a new issuer entry
219 */
220 static crl_uri_t *crl_uri_create(identification_t *issuer)
221 {
222 crl_uri_t *this;
223
224 INIT(this,
225 .issuer = issuer ? issuer->clone(issuer) : NULL,
226 .uris = linked_list_create(),
227 );
228 return this;
229 }
230
231 /**
232 * Destroy a CRL URI struct
233 */
234 static void crl_uri_destroy(crl_uri_t *this)
235 {
236 this->uris->destroy_function(this->uris, free);
237 DESTROY_IF(this->issuer);
238 free(this);
239 }
240
241 /**
242 * Destroy a CertificatePolicy
243 */
244 static void cert_policy_destroy(x509_cert_policy_t *this)
245 {
246 free(this->oid.ptr);
247 free(this->cps_uri);
248 free(this->unotice_text);
249 free(this);
250 }
251
252 /**
253 * Free policy mapping
254 */
255 static void policy_mapping_destroy(x509_policy_mapping_t *mapping)
256 {
257 free(mapping->issuer.ptr);
258 free(mapping->subject.ptr);
259 free(mapping);
260 }
261
262 /**
263 * ASN.1 definition of a basicConstraints extension
264 */
265 static const asn1Object_t basicConstraintsObjects[] = {
266 { 0, "basicConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
267 { 1, "CA", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 1 */
268 { 1, "pathLenConstraint", ASN1_INTEGER, ASN1_OPT|ASN1_BODY }, /* 2 */
269 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
270 { 0, "exit", ASN1_EOC, ASN1_EXIT }
271 };
272 #define BASIC_CONSTRAINTS_CA 1
273 #define BASIC_CONSTRAINTS_PATH_LEN 2
274
275 /**
276 * Extracts the basicConstraints extension
277 */
278 static void parse_basicConstraints(chunk_t blob, int level0,
279 private_x509_cert_t *this)
280 {
281 asn1_parser_t *parser;
282 chunk_t object;
283 int objectID;
284 bool isCA = FALSE;
285
286 parser = asn1_parser_create(basicConstraintsObjects, blob);
287 parser->set_top_level(parser, level0);
288
289 while (parser->iterate(parser, &objectID, &object))
290 {
291 switch (objectID)
292 {
293 case BASIC_CONSTRAINTS_CA:
294 isCA = object.len && *object.ptr;
295 DBG2(DBG_LIB, " %s", isCA ? "TRUE" : "FALSE");
296 if (isCA)
297 {
298 this->flags |= X509_CA;
299 }
300 break;
301 case BASIC_CONSTRAINTS_PATH_LEN:
302 if (isCA)
303 {
304 if (object.len == 0)
305 {
306 this->pathLenConstraint = 0;
307 }
308 else if (object.len == 1)
309 {
310 this->pathLenConstraint = *object.ptr;
311 }
312 /* we ignore path length constraints > 127 */
313 }
314 break;
315 default:
316 break;
317 }
318 }
319 parser->destroy(parser);
320 }
321
322 /**
323 * ASN.1 definition of otherName
324 */
325 static const asn1Object_t otherNameObjects[] = {
326 {0, "type-id", ASN1_OID, ASN1_BODY }, /* 0 */
327 {0, "value", ASN1_CONTEXT_C_0, ASN1_BODY }, /* 1 */
328 {0, "exit", ASN1_EOC, ASN1_EXIT }
329 };
330 #define ON_OBJ_ID_TYPE 0
331 #define ON_OBJ_VALUE 1
332
333 /**
334 * Extracts an otherName
335 */
336 static bool parse_otherName(chunk_t *blob, int level0, id_type_t *type)
337 {
338 asn1_parser_t *parser;
339 chunk_t object;
340 int objectID;
341 int oid = OID_UNKNOWN;
342 bool success = FALSE;
343
344 parser = asn1_parser_create(otherNameObjects, *blob);
345 parser->set_top_level(parser, level0);
346
347 while (parser->iterate(parser, &objectID, &object))
348 {
349 switch (objectID)
350 {
351 case ON_OBJ_ID_TYPE:
352 oid = asn1_known_oid(object);
353 break;
354 case ON_OBJ_VALUE:
355 switch (oid)
356 {
357 case OID_XMPP_ADDR:
358 if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
359 parser->get_level(parser)+1, "xmppAddr"))
360 {
361 goto end;
362 }
363 break;
364 case OID_USER_PRINCIPAL_NAME:
365 if (asn1_parse_simple_object(&object, ASN1_UTF8STRING,
366 parser->get_level(parser)+1, "msUPN"))
367 { /* we handle UPNs as RFC822 addr */
368 *blob = object;
369 *type = ID_RFC822_ADDR;
370 }
371 else
372 {
373 goto end;
374 }
375 break;
376 }
377 break;
378 default:
379 break;
380 }
381 }
382 success = parser->success(parser);
383
384 end:
385 parser->destroy(parser);
386 return success;
387 }
388
389 /**
390 * ASN.1 definition of generalName
391 */
392 static const asn1Object_t generalNameObjects[] = {
393 { 0, "otherName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_BODY }, /* 0 */
394 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 1 */
395 { 0, "rfc822Name", ASN1_CONTEXT_S_1, ASN1_OPT|ASN1_BODY }, /* 2 */
396 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 3 */
397 { 0, "dnsName", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 4 */
398 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
399 { 0, "x400Address", ASN1_CONTEXT_S_3, ASN1_OPT|ASN1_BODY }, /* 6 */
400 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
401 { 0, "directoryName", ASN1_CONTEXT_C_4, ASN1_OPT|ASN1_BODY }, /* 8 */
402 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
403 { 0, "ediPartyName", ASN1_CONTEXT_C_5, ASN1_OPT|ASN1_BODY }, /* 10 */
404 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
405 { 0, "URI", ASN1_CONTEXT_S_6, ASN1_OPT|ASN1_BODY }, /* 12 */
406 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 13 */
407 { 0, "ipAddress", ASN1_CONTEXT_S_7, ASN1_OPT|ASN1_BODY }, /* 14 */
408 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 15 */
409 { 0, "registeredID", ASN1_CONTEXT_S_8, ASN1_OPT|ASN1_BODY }, /* 16 */
410 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 17 */
411 { 0, "exit", ASN1_EOC, ASN1_EXIT }
412 };
413 #define GN_OBJ_OTHER_NAME 0
414 #define GN_OBJ_RFC822_NAME 2
415 #define GN_OBJ_DNS_NAME 4
416 #define GN_OBJ_X400_ADDRESS 6
417 #define GN_OBJ_DIRECTORY_NAME 8
418 #define GN_OBJ_EDI_PARTY_NAME 10
419 #define GN_OBJ_URI 12
420 #define GN_OBJ_IP_ADDRESS 14
421 #define GN_OBJ_REGISTERED_ID 16
422
423 /**
424 * Extracts a generalName
425 */
426 static identification_t *parse_generalName(chunk_t blob, int level0)
427 {
428 asn1_parser_t *parser;
429 chunk_t object;
430 int objectID ;
431
432 identification_t *gn = NULL;
433
434 parser = asn1_parser_create(generalNameObjects, blob);
435 parser->set_top_level(parser, level0);
436
437 while (parser->iterate(parser, &objectID, &object))
438 {
439 id_type_t id_type = ID_ANY;
440
441 switch (objectID)
442 {
443 case GN_OBJ_RFC822_NAME:
444 id_type = ID_RFC822_ADDR;
445 break;
446 case GN_OBJ_DNS_NAME:
447 id_type = ID_FQDN;
448 break;
449 case GN_OBJ_URI:
450 id_type = ID_DER_ASN1_GN_URI;
451 break;
452 case GN_OBJ_DIRECTORY_NAME:
453 id_type = ID_DER_ASN1_DN;
454 break;
455 case GN_OBJ_IP_ADDRESS:
456 switch (object.len)
457 {
458 case 4:
459 id_type = ID_IPV4_ADDR;
460 break;
461 case 16:
462 id_type = ID_IPV6_ADDR;
463 break;
464 default:
465 break;
466 }
467 break;
468 case GN_OBJ_OTHER_NAME:
469 if (!parse_otherName(&object, parser->get_level(parser)+1,
470 &id_type))
471 {
472 goto end;
473 }
474 break;
475 case GN_OBJ_X400_ADDRESS:
476 case GN_OBJ_EDI_PARTY_NAME:
477 case GN_OBJ_REGISTERED_ID:
478 default:
479 break;
480 }
481 if (id_type != ID_ANY)
482 {
483 gn = identification_create_from_encoding(id_type, object);
484 DBG2(DBG_LIB, " '%Y'", gn);
485 goto end;
486 }
487 }
488
489 end:
490 parser->destroy(parser);
491 return gn;
492 }
493
494 /**
495 * ASN.1 definition of generalNames
496 */
497 static const asn1Object_t generalNamesObjects[] = {
498 { 0, "generalNames", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
499 { 1, "generalName", ASN1_EOC, ASN1_RAW }, /* 1 */
500 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
501 { 0, "exit", ASN1_EOC, ASN1_EXIT }
502 };
503 #define GENERAL_NAMES_GN 1
504
505 /**
506 * Extracts one or several GNs and puts them into a chained list
507 */
508 void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list)
509 {
510 asn1_parser_t *parser;
511 chunk_t object;
512 int objectID;
513
514 parser = asn1_parser_create(generalNamesObjects, blob);
515 parser->set_top_level(parser, level0);
516 parser->set_flags(parser, implicit, FALSE);
517
518 while (parser->iterate(parser, &objectID, &object))
519 {
520 if (objectID == GENERAL_NAMES_GN)
521 {
522 identification_t *gn = parse_generalName(object,
523 parser->get_level(parser)+1);
524
525 if (gn)
526 {
527 list->insert_last(list, (void *)gn);
528 }
529 }
530 }
531 parser->destroy(parser);
532 }
533
534 /**
535 * ASN.1 definition of a authorityKeyIdentifier extension
536 */
537 static const asn1Object_t authKeyIdentifierObjects[] = {
538 { 0, "authorityKeyIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
539 { 1, "keyIdentifier", ASN1_CONTEXT_S_0, ASN1_OPT|ASN1_BODY }, /* 1 */
540 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
541 { 1, "authorityCertIssuer", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_OBJ }, /* 3 */
542 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 4 */
543 { 1, "authorityCertSerialNumber", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 5 */
544 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
545 { 0, "exit", ASN1_EOC, ASN1_EXIT }
546 };
547 #define AUTH_KEY_ID_KEY_ID 1
548 #define AUTH_KEY_ID_CERT_ISSUER 3
549 #define AUTH_KEY_ID_CERT_SERIAL 5
550
551 /**
552 * Extracts an authoritykeyIdentifier
553 */
554 chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
555 chunk_t *authKeySerialNumber)
556 {
557 asn1_parser_t *parser;
558 chunk_t object;
559 int objectID;
560 chunk_t authKeyIdentifier = chunk_empty;
561
562 *authKeySerialNumber = chunk_empty;
563
564 parser = asn1_parser_create(authKeyIdentifierObjects, blob);
565 parser->set_top_level(parser, level0);
566
567 while (parser->iterate(parser, &objectID, &object))
568 {
569 switch (objectID)
570 {
571 case AUTH_KEY_ID_KEY_ID:
572 authKeyIdentifier = chunk_clone(object);
573 break;
574 case AUTH_KEY_ID_CERT_ISSUER:
575 /* TODO: x509_parse_generalNames(object, level+1, TRUE); */
576 break;
577 case AUTH_KEY_ID_CERT_SERIAL:
578 *authKeySerialNumber = object;
579 break;
580 default:
581 break;
582 }
583 }
584 parser->destroy(parser);
585 return authKeyIdentifier;
586 }
587
588 /**
589 * ASN.1 definition of a authorityInfoAccess extension
590 */
591 static const asn1Object_t authInfoAccessObjects[] = {
592 { 0, "authorityInfoAccess", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
593 { 1, "accessDescription", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
594 { 2, "accessMethod", ASN1_OID, ASN1_BODY }, /* 2 */
595 { 2, "accessLocation", ASN1_EOC, ASN1_RAW }, /* 3 */
596 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
597 { 0, "exit", ASN1_EOC, ASN1_EXIT }
598 };
599 #define AUTH_INFO_ACCESS_METHOD 2
600 #define AUTH_INFO_ACCESS_LOCATION 3
601
602 /**
603 * Extracts an authorityInfoAcess location
604 */
605 static void parse_authorityInfoAccess(chunk_t blob, int level0,
606 private_x509_cert_t *this)
607 {
608 asn1_parser_t *parser;
609 chunk_t object;
610 int objectID;
611 int accessMethod = OID_UNKNOWN;
612
613 parser = asn1_parser_create(authInfoAccessObjects, blob);
614 parser->set_top_level(parser, level0);
615
616 while (parser->iterate(parser, &objectID, &object))
617 {
618 switch (objectID)
619 {
620 case AUTH_INFO_ACCESS_METHOD:
621 accessMethod = asn1_known_oid(object);
622 break;
623 case AUTH_INFO_ACCESS_LOCATION:
624 {
625 switch (accessMethod)
626 {
627 case OID_OCSP:
628 case OID_CA_ISSUERS:
629 {
630 identification_t *id;
631 char *uri;
632
633 id = parse_generalName(object,
634 parser->get_level(parser)+1);
635 if (id == NULL)
636 {
637 /* parsing went wrong - abort */
638 goto end;
639 }
640 DBG2(DBG_LIB, " '%Y'", id);
641 if (accessMethod == OID_OCSP &&
642 asprintf(&uri, "%Y", id) > 0)
643 {
644 this->ocsp_uris->insert_last(this->ocsp_uris, uri);
645 }
646 id->destroy(id);
647 }
648 break;
649 default:
650 /* unkown accessMethod, ignoring */
651 break;
652 }
653 break;
654 }
655 default:
656 break;
657 }
658 }
659
660 end:
661 parser->destroy(parser);
662 }
663
664 /**
665 * Extract KeyUsage flags
666 */
667 static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this)
668 {
669 enum {
670 KU_DIGITAL_SIGNATURE = 0,
671 KU_NON_REPUDIATION = 1,
672 KU_KEY_ENCIPHERMENT = 2,
673 KU_DATA_ENCIPHERMENT = 3,
674 KU_KEY_AGREEMENT = 4,
675 KU_KEY_CERT_SIGN = 5,
676 KU_CRL_SIGN = 6,
677 KU_ENCIPHER_ONLY = 7,
678 KU_DECIPHER_ONLY = 8,
679 };
680
681 if (asn1_unwrap(&blob, &blob) == ASN1_BIT_STRING && blob.len)
682 {
683 int bit, byte, unused = blob.ptr[0];
684
685 blob = chunk_skip(blob, 1);
686 for (byte = 0; byte < blob.len; byte++)
687 {
688 for (bit = 0; bit < 8; bit++)
689 {
690 if (byte == blob.len - 1 && bit > (7 - unused))
691 {
692 break;
693 }
694 if (blob.ptr[byte] & 1 << (7 - bit))
695 {
696 switch (byte * 8 + bit)
697 {
698 case KU_CRL_SIGN:
699 this->flags |= X509_CRL_SIGN;
700 break;
701 case KU_KEY_CERT_SIGN:
702 /* we use the caBasicConstraint, MUST be set */
703 case KU_DIGITAL_SIGNATURE:
704 case KU_NON_REPUDIATION:
705 case KU_KEY_ENCIPHERMENT:
706 case KU_DATA_ENCIPHERMENT:
707 case KU_KEY_AGREEMENT:
708 case KU_ENCIPHER_ONLY:
709 case KU_DECIPHER_ONLY:
710 break;
711 }
712 }
713 }
714 }
715 }
716 }
717
718 /**
719 * ASN.1 definition of a extendedKeyUsage extension
720 */
721 static const asn1Object_t extendedKeyUsageObjects[] = {
722 { 0, "extendedKeyUsage", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
723 { 1, "keyPurposeID", ASN1_OID, ASN1_BODY }, /* 1 */
724 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
725 { 0, "exit", ASN1_EOC, ASN1_EXIT }
726 };
727 #define EXT_KEY_USAGE_PURPOSE_ID 1
728
729 /**
730 * Extracts extendedKeyUsage OIDs
731 */
732 static void parse_extendedKeyUsage(chunk_t blob, int level0,
733 private_x509_cert_t *this)
734 {
735 asn1_parser_t *parser;
736 chunk_t object;
737 int objectID;
738
739 parser = asn1_parser_create(extendedKeyUsageObjects, blob);
740 parser->set_top_level(parser, level0);
741
742 while (parser->iterate(parser, &objectID, &object))
743 {
744 if (objectID == EXT_KEY_USAGE_PURPOSE_ID)
745 {
746 switch (asn1_known_oid(object))
747 {
748 case OID_SERVER_AUTH:
749 this->flags |= X509_SERVER_AUTH;
750 break;
751 case OID_CLIENT_AUTH:
752 this->flags |= X509_CLIENT_AUTH;
753 break;
754 case OID_OCSP_SIGNING:
755 this->flags |= X509_OCSP_SIGNER;
756 break;
757 default:
758 break;
759 }
760 }
761 }
762 parser->destroy(parser);
763 }
764
765 /**
766 * ASN.1 definition of crlDistributionPoints
767 */
768 static const asn1Object_t crlDistributionPointsObjects[] = {
769 { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
770 { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
771 { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */
772 { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
773 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
774 { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
775 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
776 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
777 { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
778 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
779 { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */
780 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
781 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
782 { 0, "exit", ASN1_EOC, ASN1_EXIT }
783 };
784 #define CRL_DIST_POINTS 1
785 #define CRL_DIST_POINTS_FULLNAME 3
786 #define CRL_DIST_POINTS_ISSUER 10
787
788 /**
789 * Extracts one or several crlDistributionPoints into a list
790 */
791 static void parse_crlDistributionPoints(chunk_t blob, int level0,
792 private_x509_cert_t *this)
793 {
794 asn1_parser_t *parser;
795 chunk_t object;
796 int objectID;
797 crl_uri_t *entry = NULL;
798 identification_t *id;
799 char *uri;
800 linked_list_t *list = linked_list_create();
801
802 parser = asn1_parser_create(crlDistributionPointsObjects, blob);
803 parser->set_top_level(parser, level0);
804
805 while (parser->iterate(parser, &objectID, &object))
806 {
807 switch (objectID)
808 {
809 case CRL_DIST_POINTS:
810 entry = crl_uri_create(NULL);
811 this->crl_uris->insert_last(this->crl_uris, entry);
812 break;
813 case CRL_DIST_POINTS_FULLNAME:
814 if (entry)
815 {
816 x509_parse_generalNames(object, parser->get_level(parser)+1,
817 TRUE, list);
818 while (list->remove_last(list, (void**)&id) == SUCCESS)
819 {
820 if (asprintf(&uri, "%Y", id) > 0)
821 {
822 entry->uris->insert_last(entry->uris, uri);
823 }
824 id->destroy(id);
825 }
826 }
827 break;
828 case CRL_DIST_POINTS_ISSUER:
829 if (entry)
830 {
831 x509_parse_generalNames(object, parser->get_level(parser)+1,
832 TRUE, list);
833 while (list->remove_last(list, (void**)&id) == SUCCESS)
834 {
835 if (!entry->issuer)
836 {
837 entry->issuer = id;
838 }
839 else
840 {
841 id->destroy(id);
842 }
843 }
844 }
845 break;
846 }
847 }
848 parser->destroy(parser);
849 list->destroy(list);
850 }
851
852 /**
853 * ASN.1 definition of nameConstraints
854 */
855 static const asn1Object_t nameConstraintsObjects[] = {
856 { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
857 { 1, "permittedSubtrees", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 1 */
858 { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 2 */
859 { 1, "end loop", ASN1_EOC, ASN1_END }, /* 3 */
860 { 1, "excludedSubtrees", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_LOOP }, /* 4 */
861 { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */
862 { 1, "end loop", ASN1_EOC, ASN1_END }, /* 6 */
863 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 7 */
864 { 0, "exit", ASN1_EOC, ASN1_EXIT }
865 };
866 #define NAME_CONSTRAINT_PERMITTED 2
867 #define NAME_CONSTRAINT_EXCLUDED 5
868
869 /**
870 * Parse permitted/excluded nameConstraints
871 */
872 static void parse_nameConstraints(chunk_t blob, int level0,
873 private_x509_cert_t *this)
874 {
875 asn1_parser_t *parser;
876 identification_t *id;
877 chunk_t object;
878 int objectID;
879
880 parser = asn1_parser_create(nameConstraintsObjects, blob);
881 parser->set_top_level(parser, level0);
882
883 while (parser->iterate(parser, &objectID, &object))
884 {
885 switch (objectID)
886 {
887 case NAME_CONSTRAINT_PERMITTED:
888 id = parse_generalName(object, parser->get_level(parser) + 1);
889 if (id)
890 {
891 this->permitted_names->insert_last(this->permitted_names, id);
892 }
893 break;
894 case NAME_CONSTRAINT_EXCLUDED:
895 id = parse_generalName(object, parser->get_level(parser) + 1);
896 if (id)
897 {
898 this->excluded_names->insert_last(this->excluded_names, id);
899 }
900 break;
901 default:
902 break;
903 }
904 }
905 parser->destroy(parser);
906 }
907
908 /**
909 * ASN.1 definition of a certificatePolicies extension
910 */
911 static const asn1Object_t certificatePoliciesObject[] = {
912 { 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
913 { 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
914 { 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */
915 { 2, "qualifier", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 3 */
916 { 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */
917 { 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */
918 { 4, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
919 { 4, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
920 { 4, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_NONE }, /* 8 */
921 { 5, "explicitText", ASN1_EOC, ASN1_RAW }, /* 9 */
922 { 4, "end choice", ASN1_EOC, ASN1_END }, /* 10 */
923 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 12 */
924 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
925 { 0, "exit", ASN1_EOC, ASN1_EXIT }
926 };
927 #define CERT_POLICY_ID 2
928 #define CERT_POLICY_QUALIFIER_ID 5
929 #define CERT_POLICY_CPS_URI 6
930 #define CERT_POLICY_EXPLICIT_TEXT 9
931
932 /**
933 * Parse certificatePolicies
934 */
935 static void parse_certificatePolicies(chunk_t blob, int level0,
936 private_x509_cert_t *this)
937 {
938 x509_cert_policy_t *policy = NULL;
939 asn1_parser_t *parser;
940 chunk_t object;
941 int objectID, qualifier = OID_UNKNOWN;
942
943 parser = asn1_parser_create(certificatePoliciesObject, blob);
944 parser->set_top_level(parser, level0);
945
946 while (parser->iterate(parser, &objectID, &object))
947 {
948 switch (objectID)
949 {
950 case CERT_POLICY_ID:
951 INIT(policy,
952 .oid = chunk_clone(object),
953 );
954 this->cert_policies->insert_last(this->cert_policies, policy);
955 break;
956 case CERT_POLICY_QUALIFIER_ID:
957 qualifier = asn1_known_oid(object);
958 break;
959 case CERT_POLICY_CPS_URI:
960 if (policy && !policy->cps_uri && object.len &&
961 qualifier == OID_POLICY_QUALIFIER_CPS &&
962 chunk_printable(object, NULL, 0))
963 {
964 policy->cps_uri = strndup(object.ptr, object.len);
965 }
966 break;
967 case CERT_POLICY_EXPLICIT_TEXT:
968 /* TODO */
969 break;
970 default:
971 break;
972 }
973 }
974 parser->destroy(parser);
975 }
976
977 /**
978 * ASN.1 definition of a policyMappings extension
979 */
980 static const asn1Object_t policyMappingsObjects[] = {
981 { 0, "policyMappings", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
982 { 1, "policyMapping", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
983 { 2, "issuerPolicy", ASN1_OID, ASN1_BODY }, /* 2 */
984 { 2, "subjectPolicy", ASN1_OID, ASN1_BODY }, /* 3 */
985 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
986 { 0, "exit", ASN1_EOC, ASN1_EXIT }
987 };
988 #define POLICY_MAPPING 1
989 #define POLICY_MAPPING_ISSUER 2
990 #define POLICY_MAPPING_SUBJECT 3
991
992 /**
993 * Parse policyMappings
994 */
995 static void parse_policyMappings(chunk_t blob, int level0,
996 private_x509_cert_t *this)
997 {
998 x509_policy_mapping_t *map = NULL;
999 asn1_parser_t *parser;
1000 chunk_t object;
1001 int objectID;
1002
1003 parser = asn1_parser_create(policyMappingsObjects, blob);
1004 parser->set_top_level(parser, level0);
1005
1006 while (parser->iterate(parser, &objectID, &object))
1007 {
1008 switch (objectID)
1009 {
1010 case POLICY_MAPPING:
1011 INIT(map);
1012 this->policy_mappings->insert_last(this->policy_mappings, map);
1013 break;
1014 case POLICY_MAPPING_ISSUER:
1015 if (map && !map->issuer.len)
1016 {
1017 map->issuer = chunk_clone(object);
1018 }
1019 break;
1020 case POLICY_MAPPING_SUBJECT:
1021 if (map && !map->subject.len)
1022 {
1023 map->subject = chunk_clone(object);
1024 }
1025 break;
1026 default:
1027 break;
1028 }
1029 }
1030 parser->destroy(parser);
1031 }
1032
1033 /**
1034 * ASN.1 definition of ipAddrBlocks according to RFC 3779
1035 */
1036 static const asn1Object_t ipAddrBlocksObjects[] = {
1037 { 0, "ipAddrBlocks", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
1038 { 1, "ipAddressFamily", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
1039 { 2, "addressFamily", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */
1040 { 2, "inherit", ASN1_NULL, ASN1_OPT|ASN1_NONE }, /* 3 */
1041 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
1042 { 2, "addressesOrRanges", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 5 */
1043 { 3, "addressPrefix", ASN1_BIT_STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
1044 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
1045 { 3, "addressRange", ASN1_SEQUENCE, ASN1_OPT|ASN1_NONE }, /* 8 */
1046 { 4, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 9 */
1047 { 4, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 10 */
1048 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
1049 { 2, "end choice/loop", ASN1_EOC, ASN1_END }, /* 12 */
1050 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
1051 { 0, "exit", ASN1_EOC, ASN1_EXIT }
1052 };
1053 #define IP_ADDR_BLOCKS_FAMILY 2
1054 #define IP_ADDR_BLOCKS_INHERIT 3
1055 #define IP_ADDR_BLOCKS_PREFIX 6
1056 #define IP_ADDR_BLOCKS_MIN 9
1057 #define IP_ADDR_BLOCKS_MAX 10
1058
1059 static bool check_address_object(ts_type_t ts_type, chunk_t object)
1060 {
1061 switch (ts_type)
1062 {
1063 case TS_IPV4_ADDR_RANGE:
1064 if (object.len > 5)
1065 {
1066 DBG1(DBG_LIB, "IPv4 address object is larger than 5 octets");
1067 return FALSE;
1068 }
1069 break;
1070 case TS_IPV6_ADDR_RANGE:
1071 if (object.len > 17)
1072 {
1073 DBG1(DBG_LIB, "IPv6 address object is larger than 17 octets");
1074 return FALSE;
1075 }
1076 break;
1077 default:
1078 DBG1(DBG_LIB, "unknown address family");
1079 return FALSE;
1080 }
1081 if (object.len == 0)
1082 {
1083 DBG1(DBG_LIB, "An ASN.1 bit string must contain at least the "
1084 "initial octet");
1085 return FALSE;
1086 }
1087 if (object.len == 1 && object.ptr[0] != 0)
1088 {
1089 DBG1(DBG_LIB, "An empty ASN.1 bit string must contain a zero "
1090 "initial octet");
1091 return FALSE;
1092 }
1093 if (object.ptr[0] > 7)
1094 {
1095 DBG1(DBG_LIB, "number of unused bits is too large");
1096 return FALSE;
1097 }
1098 return TRUE;
1099 }
1100
1101 static void parse_ipAddrBlocks(chunk_t blob, int level0,
1102 private_x509_cert_t *this)
1103 {
1104 asn1_parser_t *parser;
1105 chunk_t object, min_object;
1106 ts_type_t ts_type = 0;
1107 traffic_selector_t *ts;
1108 int objectID;
1109
1110 parser = asn1_parser_create(ipAddrBlocksObjects, blob);
1111 parser->set_top_level(parser, level0);
1112
1113 while (parser->iterate(parser, &objectID, &object))
1114 {
1115 switch (objectID)
1116 {
1117 case IP_ADDR_BLOCKS_FAMILY:
1118 ts_type = 0;
1119 if (object.len == 2 && object.ptr[0] == 0)
1120 {
1121 if (object.ptr[1] == 1)
1122 {
1123 ts_type = TS_IPV4_ADDR_RANGE;
1124 }
1125 else if (object.ptr[1] == 2)
1126 {
1127 ts_type = TS_IPV6_ADDR_RANGE;
1128 }
1129 else
1130 {
1131 break;
1132 }
1133 DBG2(DBG_LIB, " %N", ts_type_name, ts_type);
1134 }
1135 break;
1136 case IP_ADDR_BLOCKS_INHERIT:
1137 DBG1(DBG_LIB, "inherit choice is not supported");
1138 break;
1139 case IP_ADDR_BLOCKS_PREFIX:
1140 if (!check_address_object(ts_type, object))
1141 {
1142 goto end;
1143 }
1144 ts = traffic_selector_create_from_rfc3779_format(ts_type,
1145 object, object);
1146 DBG2(DBG_LIB, " %R", ts);
1147 this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
1148 break;
1149 case IP_ADDR_BLOCKS_MIN:
1150 if (!check_address_object(ts_type, object))
1151 {
1152 goto end;
1153 }
1154 min_object = object;
1155 break;
1156 case IP_ADDR_BLOCKS_MAX:
1157 if (!check_address_object(ts_type, object))
1158 {
1159 goto end;
1160 }
1161 ts = traffic_selector_create_from_rfc3779_format(ts_type,
1162 min_object, object);
1163 DBG2(DBG_LIB, " %R", ts);
1164 this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
1165 break;
1166 default:
1167 break;
1168 }
1169 }
1170 this->flags |= X509_IP_ADDR_BLOCKS;
1171
1172 end:
1173 parser->destroy(parser);
1174 }
1175
1176 /**
1177 * ASN.1 definition of an X.509v3 x509_cert
1178 */
1179 static const asn1Object_t certObjects[] = {
1180 { 0, "x509", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
1181 { 1, "tbsCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
1182 { 2, "DEFAULT v1", ASN1_CONTEXT_C_0, ASN1_DEF }, /* 2 */
1183 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
1184 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 4 */
1185 { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 5 */
1186 { 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
1187 { 2, "validity", ASN1_SEQUENCE, ASN1_NONE }, /* 7 */
1188 { 3, "notBefore", ASN1_EOC, ASN1_RAW }, /* 8 */
1189 { 3, "notAfter", ASN1_EOC, ASN1_RAW }, /* 9 */
1190 { 2, "subject", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
1191 { 2, "subjectPublicKeyInfo",ASN1_SEQUENCE, ASN1_RAW }, /* 11 */
1192 { 2, "issuerUniqueID", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 12 */
1193 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 13 */
1194 { 2, "subjectUniqueID", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 14 */
1195 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 15 */
1196 { 2, "optional extensions", ASN1_CONTEXT_C_3, ASN1_OPT }, /* 16 */
1197 { 3, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 17 */
1198 { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 18 */
1199 { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 19 */
1200 { 5, "critical", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 20 */
1201 { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 21 */
1202 { 3, "end loop", ASN1_EOC, ASN1_END }, /* 22 */
1203 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 23 */
1204 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 24 */
1205 { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY }, /* 25 */
1206 { 0, "exit", ASN1_EOC, ASN1_EXIT }
1207 };
1208 #define X509_OBJ_TBS_CERTIFICATE 1
1209 #define X509_OBJ_VERSION 3
1210 #define X509_OBJ_SERIAL_NUMBER 4
1211 #define X509_OBJ_SIG_ALG 5
1212 #define X509_OBJ_ISSUER 6
1213 #define X509_OBJ_NOT_BEFORE 8
1214 #define X509_OBJ_NOT_AFTER 9
1215 #define X509_OBJ_SUBJECT 10
1216 #define X509_OBJ_SUBJECT_PUBLIC_KEY_INFO 11
1217 #define X509_OBJ_OPTIONAL_EXTENSIONS 16
1218 #define X509_OBJ_EXTN_ID 19
1219 #define X509_OBJ_CRITICAL 20
1220 #define X509_OBJ_EXTN_VALUE 21
1221 #define X509_OBJ_ALGORITHM 24
1222 #define X509_OBJ_SIGNATURE 25
1223
1224 /**
1225 * Parses an X.509v3 certificate
1226 */
1227 static bool parse_certificate(private_x509_cert_t *this)
1228 {
1229 asn1_parser_t *parser;
1230 chunk_t object;
1231 int objectID;
1232 int extn_oid = OID_UNKNOWN;
1233 int sig_alg = OID_UNKNOWN;
1234 bool success = FALSE;
1235 bool critical = FALSE;
1236
1237 parser = asn1_parser_create(certObjects, this->encoding);
1238
1239 while (parser->iterate(parser, &objectID, &object))
1240 {
1241 u_int level = parser->get_level(parser)+1;
1242
1243 switch (objectID)
1244 {
1245 case X509_OBJ_TBS_CERTIFICATE:
1246 this->tbsCertificate = object;
1247 break;
1248 case X509_OBJ_VERSION:
1249 this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
1250 if (this->version < 1 || this->version > 3)
1251 {
1252 DBG1(DBG_LIB, "X.509v%d not supported", this->version);
1253 goto end;
1254 }
1255 else
1256 {
1257 DBG2(DBG_LIB, " X.509v%d", this->version);
1258 }
1259 break;
1260 case X509_OBJ_SERIAL_NUMBER:
1261 this->serialNumber = object;
1262 break;
1263 case X509_OBJ_SIG_ALG:
1264 sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
1265 break;
1266 case X509_OBJ_ISSUER:
1267 this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
1268 DBG2(DBG_LIB, " '%Y'", this->issuer);
1269 break;
1270 case X509_OBJ_NOT_BEFORE:
1271 this->notBefore = asn1_parse_time(object, level);
1272 break;
1273 case X509_OBJ_NOT_AFTER:
1274 this->notAfter = asn1_parse_time(object, level);
1275 break;
1276 case X509_OBJ_SUBJECT:
1277 this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
1278 DBG2(DBG_LIB, " '%Y'", this->subject);
1279 break;
1280 case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
1281 DBG2(DBG_LIB, "-- > --");
1282 this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
1283 KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
1284 DBG2(DBG_LIB, "-- < --");
1285 if (this->public_key == NULL)
1286 {
1287 goto end;
1288 }
1289 break;
1290 case X509_OBJ_OPTIONAL_EXTENSIONS:
1291 if (this->version != 3)
1292 {
1293 DBG1(DBG_LIB, "Only X.509v3 certificates have extensions");
1294 goto end;
1295 }
1296 break;
1297 case X509_OBJ_EXTN_ID:
1298 extn_oid = asn1_known_oid(object);
1299 break;
1300 case X509_OBJ_CRITICAL:
1301 critical = object.len && *object.ptr;
1302 DBG2(DBG_LIB, " %s", critical ? "TRUE" : "FALSE");
1303 break;
1304 case X509_OBJ_EXTN_VALUE:
1305 {
1306 switch (extn_oid)
1307 {
1308 case OID_SUBJECT_KEY_ID:
1309 if (!asn1_parse_simple_object(&object, ASN1_OCTET_STRING,
1310 level, "keyIdentifier"))
1311 {
1312 goto end;
1313 }
1314 this->subjectKeyIdentifier = object;
1315 break;
1316 case OID_SUBJECT_ALT_NAME:
1317 x509_parse_generalNames(object, level, FALSE,
1318 this->subjectAltNames);
1319 break;
1320 case OID_BASIC_CONSTRAINTS:
1321 parse_basicConstraints(object, level, this);
1322 break;
1323 case OID_CRL_DISTRIBUTION_POINTS:
1324 parse_crlDistributionPoints(object, level, this);
1325 break;
1326 case OID_AUTHORITY_KEY_ID:
1327 this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
1328 level, &this->authKeySerialNumber);
1329 break;
1330 case OID_AUTHORITY_INFO_ACCESS:
1331 parse_authorityInfoAccess(object, level, this);
1332 break;
1333 case OID_KEY_USAGE:
1334 parse_keyUsage(object, this);
1335 break;
1336 case OID_EXTENDED_KEY_USAGE:
1337 parse_extendedKeyUsage(object, level, this);
1338 break;
1339 case OID_IP_ADDR_BLOCKS:
1340 parse_ipAddrBlocks(object, level, this);
1341 break;
1342 case OID_NAME_CONSTRAINTS:
1343 parse_nameConstraints(object, level, this);
1344 break;
1345 case OID_CERTIFICATE_POLICIES:
1346 parse_certificatePolicies(object, level, this);
1347 break;
1348 case OID_POLICY_MAPPINGS:
1349 parse_policyMappings(object, level, this);
1350 break;
1351 case OID_NS_REVOCATION_URL:
1352 case OID_NS_CA_REVOCATION_URL:
1353 case OID_NS_CA_POLICY_URL:
1354 case OID_NS_COMMENT:
1355 if (!asn1_parse_simple_object(&object, ASN1_IA5STRING,
1356 level, oid_names[extn_oid].name))
1357 {
1358 goto end;
1359 }
1360 break;
1361 default:
1362 if (critical && lib->settings->get_bool(lib->settings,
1363 "libstrongswan.plugins.x509.enforce_critical", FALSE))
1364 {
1365 DBG1(DBG_LIB, "critical %s extension not supported",
1366 (extn_oid == OID_UNKNOWN) ? "unknown" :
1367 (char*)oid_names[extn_oid].name);
1368 goto end;
1369 }
1370 break;
1371 }
1372 break;
1373 }
1374 case X509_OBJ_ALGORITHM:
1375 this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
1376 if (this->algorithm != sig_alg)
1377 {
1378 DBG1(DBG_LIB, " signature algorithms do not agree");
1379 goto end;
1380 }
1381 break;
1382 case X509_OBJ_SIGNATURE:
1383 this->signature = object;
1384 break;
1385 default:
1386 break;
1387 }
1388 }
1389 success = parser->success(parser);
1390
1391 end:
1392 parser->destroy(parser);
1393 if (success)
1394 {
1395 hasher_t *hasher;
1396
1397 /* check if the certificate is self-signed */
1398 if (this->public.interface.interface.issued_by(
1399 &this->public.interface.interface,
1400 &this->public.interface.interface))
1401 {
1402 this->flags |= X509_SELF_SIGNED;
1403 }
1404 /* create certificate hash */
1405 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1406 if (hasher == NULL)
1407 {
1408 DBG1(DBG_LIB, " unable to create hash of certificate, SHA1 not supported");
1409 return NULL;
1410 }
1411 hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
1412 hasher->destroy(hasher);
1413 }
1414 return success;
1415 }
1416
1417 METHOD(certificate_t, get_type, certificate_type_t,
1418 private_x509_cert_t *this)
1419 {
1420 return CERT_X509;
1421 }
1422
1423 METHOD(certificate_t, get_subject, identification_t*,
1424 private_x509_cert_t *this)
1425 {
1426 return this->subject;
1427 }
1428
1429 METHOD(certificate_t, get_issuer, identification_t*,
1430 private_x509_cert_t *this)
1431 {
1432 return this->issuer;
1433 }
1434
1435 METHOD(certificate_t, has_subject, id_match_t,
1436 private_x509_cert_t *this, identification_t *subject)
1437 {
1438 identification_t *current;
1439 enumerator_t *enumerator;
1440 id_match_t match, best;
1441 chunk_t encoding;
1442
1443 if (subject->get_type(subject) == ID_KEY_ID)
1444 {
1445 encoding = subject->get_encoding(subject);
1446
1447 if (this->encoding_hash.len &&
1448 chunk_equals(this->encoding_hash, encoding))
1449 {
1450 return ID_MATCH_PERFECT;
1451 }
1452 if (this->subjectKeyIdentifier.len &&
1453 chunk_equals(this->subjectKeyIdentifier, encoding))
1454 {
1455 return ID_MATCH_PERFECT;
1456 }
1457 if (this->public_key &&
1458 this->public_key->has_fingerprint(this->public_key, encoding))
1459 {
1460 return ID_MATCH_PERFECT;
1461 }
1462 }
1463 best = this->subject->matches(this->subject, subject);
1464 enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
1465 while (enumerator->enumerate(enumerator, &current))
1466 {
1467 match = current->matches(current, subject);
1468 if (match > best)
1469 {
1470 best = match;
1471 }
1472 }
1473 enumerator->destroy(enumerator);
1474 return best;
1475 }
1476
1477 METHOD(certificate_t, has_issuer, id_match_t,
1478 private_x509_cert_t *this, identification_t *issuer)
1479 {
1480 /* issuerAltNames currently not supported */
1481 return this->issuer->matches(this->issuer, issuer);
1482 }
1483
1484 METHOD(certificate_t, issued_by, bool,
1485 private_x509_cert_t *this, certificate_t *issuer)
1486 {
1487 public_key_t *key;
1488 signature_scheme_t scheme;
1489 bool valid;
1490 x509_t *x509 = (x509_t*)issuer;
1491
1492 if (&this->public.interface.interface == issuer)
1493 {
1494 if (this->flags & X509_SELF_SIGNED)
1495 {
1496 return TRUE;
1497 }
1498 }
1499 else
1500 {
1501 if (issuer->get_type(issuer) != CERT_X509)
1502 {
1503 return FALSE;
1504 }
1505 if (!(x509->get_flags(x509) & X509_CA))
1506 {
1507 return FALSE;
1508 }
1509 }
1510 if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
1511 {
1512 return FALSE;
1513 }
1514
1515 /* determine signature scheme */
1516 scheme = signature_scheme_from_oid(this->algorithm);
1517 if (scheme == SIGN_UNKNOWN)
1518 {
1519 return FALSE;
1520 }
1521 /* get the public key of the issuer */
1522 key = issuer->get_public_key(issuer);
1523 if (!key)
1524 {
1525 return FALSE;
1526 }
1527 valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
1528 key->destroy(key);
1529 return valid;
1530 }
1531
1532 METHOD(certificate_t, get_public_key, public_key_t*,
1533 private_x509_cert_t *this)
1534 {
1535 this->public_key->get_ref(this->public_key);
1536 return this->public_key;
1537 }
1538
1539 METHOD(certificate_t, get_ref, certificate_t*,
1540 private_x509_cert_t *this)
1541 {
1542 ref_get(&this->ref);
1543 return &this->public.interface.interface;
1544 }
1545
1546 METHOD(certificate_t, get_validity, bool,
1547 private_x509_cert_t *this, time_t *when, time_t *not_before,
1548 time_t *not_after)
1549 {
1550 time_t t = when ? *when : time(NULL);
1551
1552 if (not_before)
1553 {
1554 *not_before = this->notBefore;
1555 }
1556 if (not_after)
1557 {
1558 *not_after = this->notAfter;
1559 }
1560 return (t >= this->notBefore && t <= this->notAfter);
1561 }
1562
1563 METHOD(certificate_t, get_encoding, bool,
1564 private_x509_cert_t *this, cred_encoding_type_t type, chunk_t *encoding)
1565 {
1566 if (type == CERT_ASN1_DER)
1567 {
1568 *encoding = chunk_clone(this->encoding);
1569 return TRUE;
1570 }
1571 return lib->encoding->encode(lib->encoding, type, NULL, encoding,
1572 CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END);
1573 }
1574
1575 METHOD(certificate_t, equals, bool,
1576 private_x509_cert_t *this, certificate_t *other)
1577 {
1578 chunk_t encoding;
1579 bool equal;
1580
1581 if (this == (private_x509_cert_t*)other)
1582 {
1583 return TRUE;
1584 }
1585 if (other->get_type(other) != CERT_X509)
1586 {
1587 return FALSE;
1588 }
1589 if (other->equals == (void*)equals)
1590 { /* skip allocation if we have the same implementation */
1591 return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding);
1592 }
1593 if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
1594 {
1595 return FALSE;
1596 }
1597 equal = chunk_equals(this->encoding, encoding);
1598 free(encoding.ptr);
1599 return equal;
1600 }
1601
1602 METHOD(x509_t, get_flags, x509_flag_t,
1603 private_x509_cert_t *this)
1604 {
1605 return this->flags;
1606 }
1607
1608 METHOD(x509_t, get_serial, chunk_t,
1609 private_x509_cert_t *this)
1610 {
1611 return this->serialNumber;
1612 }
1613
1614 METHOD(x509_t, get_subjectKeyIdentifier, chunk_t,
1615 private_x509_cert_t *this)
1616 {
1617 if (this->subjectKeyIdentifier.ptr)
1618 {
1619 return this->subjectKeyIdentifier;
1620 }
1621 else
1622 {
1623 chunk_t fingerprint;
1624
1625 if (this->public_key->get_fingerprint(this->public_key,
1626 KEYID_PUBKEY_SHA1, &fingerprint))
1627 {
1628 return fingerprint;
1629 }
1630 else
1631 {
1632 return chunk_empty;
1633 }
1634 }
1635 }
1636
1637 METHOD(x509_t, get_authKeyIdentifier, chunk_t,
1638 private_x509_cert_t *this)
1639 {
1640 return this->authKeyIdentifier;
1641 }
1642
1643 METHOD(x509_t, get_pathLenConstraint, int,
1644 private_x509_cert_t *this)
1645 {
1646 return this->pathLenConstraint;
1647 }
1648
1649 METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
1650 private_x509_cert_t *this)
1651 {
1652 return this->subjectAltNames->create_enumerator(this->subjectAltNames);
1653 }
1654
1655 METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*,
1656 private_x509_cert_t *this)
1657 {
1658 return this->ocsp_uris->create_enumerator(this->ocsp_uris);
1659 }
1660
1661 /**
1662 * Convert enumerator value from entry to (uri, issuer)
1663 */
1664 static bool crl_enum_filter(identification_t *issuer_in,
1665 char **uri_in, char **uri_out,
1666 void *none_in, identification_t **issuer_out)
1667 {
1668 *uri_out = *uri_in;
1669 if (issuer_out)
1670 {
1671 *issuer_out = issuer_in;
1672 }
1673 return TRUE;
1674 }
1675
1676 /**
1677 * Create inner enumerator over URIs
1678 */
1679 static enumerator_t *crl_enum_create(crl_uri_t *entry)
1680 {
1681 return enumerator_create_filter(entry->uris->create_enumerator(entry->uris),
1682 (void*)crl_enum_filter, entry->issuer, NULL);
1683 }
1684
1685 METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*,
1686 private_x509_cert_t *this)
1687 {
1688 return enumerator_create_nested(
1689 this->crl_uris->create_enumerator(this->crl_uris),
1690 (void*)crl_enum_create, NULL, NULL);
1691 }
1692
1693 METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*,
1694 private_x509_cert_t *this)
1695 {
1696 return this->ipAddrBlocks->create_enumerator(this->ipAddrBlocks);
1697 }
1698
1699 METHOD(x509_t, create_name_constraint_enumerator, enumerator_t*,
1700 private_x509_cert_t *this, bool perm)
1701 {
1702 if (perm)
1703 {
1704 return this->permitted_names->create_enumerator(this->permitted_names);
1705 }
1706 return this->excluded_names->create_enumerator(this->excluded_names);
1707 }
1708
1709 METHOD(x509_t, create_cert_policy_enumerator, enumerator_t*,
1710 private_x509_cert_t *this)
1711 {
1712 return this->cert_policies->create_enumerator(this->cert_policies);
1713 }
1714
1715 METHOD(x509_t, create_policy_mapping_enumerator, enumerator_t*,
1716 private_x509_cert_t *this)
1717 {
1718 return this->policy_mappings->create_enumerator(this->policy_mappings);
1719 }
1720
1721 METHOD(certificate_t, destroy, void,
1722 private_x509_cert_t *this)
1723 {
1724 if (ref_put(&this->ref))
1725 {
1726 this->subjectAltNames->destroy_offset(this->subjectAltNames,
1727 offsetof(identification_t, destroy));
1728 this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy);
1729 this->ocsp_uris->destroy_function(this->ocsp_uris, free);
1730 this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks,
1731 offsetof(traffic_selector_t, destroy));
1732 this->permitted_names->destroy_offset(this->permitted_names,
1733 offsetof(identification_t, destroy));
1734 this->excluded_names->destroy_offset(this->excluded_names,
1735 offsetof(identification_t, destroy));
1736 this->cert_policies->destroy_function(this->cert_policies,
1737 (void*)cert_policy_destroy);
1738 this->policy_mappings->destroy_function(this->policy_mappings,
1739 (void*)policy_mapping_destroy);
1740 DESTROY_IF(this->issuer);
1741 DESTROY_IF(this->subject);
1742 DESTROY_IF(this->public_key);
1743 chunk_free(&this->authKeyIdentifier);
1744 chunk_free(&this->encoding);
1745 chunk_free(&this->encoding_hash);
1746 if (!this->parsed)
1747 { /* only parsed certificates point these fields to "encoded" */
1748 chunk_free(&this->signature);
1749 chunk_free(&this->serialNumber);
1750 chunk_free(&this->tbsCertificate);
1751 }
1752 free(this);
1753 }
1754 }
1755
1756 /**
1757 * create an empty but initialized X.509 certificate
1758 */
1759 static private_x509_cert_t* create_empty(void)
1760 {
1761 private_x509_cert_t *this;
1762
1763 INIT(this,
1764 .public = {
1765 .interface = {
1766 .interface = {
1767 .get_type = _get_type,
1768 .get_subject = _get_subject,
1769 .get_issuer = _get_issuer,
1770 .has_subject = _has_subject,
1771 .has_issuer = _has_issuer,
1772 .issued_by = _issued_by,
1773 .get_public_key = _get_public_key,
1774 .get_validity = _get_validity,
1775 .get_encoding = _get_encoding,
1776 .equals = _equals,
1777 .get_ref = _get_ref,
1778 .destroy = _destroy,
1779 },
1780 .get_flags = _get_flags,
1781 .get_serial = _get_serial,
1782 .get_subjectKeyIdentifier = _get_subjectKeyIdentifier,
1783 .get_authKeyIdentifier = _get_authKeyIdentifier,
1784 .get_pathLenConstraint = _get_pathLenConstraint,
1785 .create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
1786 .create_crl_uri_enumerator = _create_crl_uri_enumerator,
1787 .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
1788 .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
1789 .create_name_constraint_enumerator = _create_name_constraint_enumerator,
1790 .create_cert_policy_enumerator = _create_cert_policy_enumerator,
1791 .create_policy_mapping_enumerator = _create_policy_mapping_enumerator,
1792 },
1793 },
1794 .version = 1,
1795 .subjectAltNames = linked_list_create(),
1796 .crl_uris = linked_list_create(),
1797 .ocsp_uris = linked_list_create(),
1798 .ipAddrBlocks = linked_list_create(),
1799 .permitted_names = linked_list_create(),
1800 .excluded_names = linked_list_create(),
1801 .cert_policies = linked_list_create(),
1802 .policy_mappings = linked_list_create(),
1803 .pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT,
1804 .ref = 1,
1805 );
1806 return this;
1807 }
1808
1809 /**
1810 * Build a generalName from an id
1811 */
1812 chunk_t build_generalName(identification_t *id)
1813 {
1814 int context;
1815
1816 switch (id->get_type(id))
1817 {
1818 case ID_RFC822_ADDR:
1819 context = ASN1_CONTEXT_S_1;
1820 break;
1821 case ID_FQDN:
1822 context = ASN1_CONTEXT_S_2;
1823 break;
1824 case ID_DER_ASN1_DN:
1825 context = ASN1_CONTEXT_C_4;
1826 break;
1827 case ID_IPV4_ADDR:
1828 case ID_IPV6_ADDR:
1829 context = ASN1_CONTEXT_S_7;
1830 break;
1831 default:
1832 DBG1(DBG_LIB, "encoding %N as generalName not supported",
1833 id_type_names, id->get_type(id));
1834 return chunk_empty;
1835 }
1836 return asn1_wrap(context, "c", id->get_encoding(id));
1837 }
1838
1839 /**
1840 * Encode a linked list of subjectAltNames
1841 */
1842 chunk_t x509_build_subjectAltNames(linked_list_t *list)
1843 {
1844 chunk_t subjectAltNames = chunk_empty, name;
1845 enumerator_t *enumerator;
1846 identification_t *id;
1847
1848 if (list->get_count(list) == 0)
1849 {
1850 return chunk_empty;
1851 }
1852
1853 enumerator = list->create_enumerator(list);
1854 while (enumerator->enumerate(enumerator, &id))
1855 {
1856 name = build_generalName(id);
1857 subjectAltNames = chunk_cat("mm", subjectAltNames, name);
1858 }
1859 enumerator->destroy(enumerator);
1860
1861 return asn1_wrap(ASN1_SEQUENCE, "mm",
1862 asn1_build_known_oid(OID_SUBJECT_ALT_NAME),
1863 asn1_wrap(ASN1_OCTET_STRING, "m",
1864 asn1_wrap(ASN1_SEQUENCE, "m", subjectAltNames)
1865 )
1866 );
1867 }
1868
1869 /**
1870 * Generate and sign a new certificate
1871 */
1872 static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
1873 private_key_t *sign_key, int digest_alg)
1874 {
1875 chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
1876 chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty;
1877 chunk_t ocspSigning = chunk_empty, certPolicies = chunk_empty;
1878 chunk_t basicConstraints = chunk_empty, nameConstraints = chunk_empty;
1879 chunk_t keyUsage = chunk_empty, keyUsageBits = chunk_empty;
1880 chunk_t subjectAltNames = chunk_empty, policyMappings = chunk_empty;
1881 chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
1882 chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
1883 identification_t *issuer, *subject;
1884 crl_uri_t *entry;
1885 chunk_t key_info;
1886 signature_scheme_t scheme;
1887 hasher_t *hasher;
1888 enumerator_t *enumerator, *uris;
1889 char *uri;
1890
1891 subject = cert->subject;
1892 if (sign_cert)
1893 {
1894 issuer = sign_cert->get_subject(sign_cert);
1895 if (!cert->public_key)
1896 {
1897 return FALSE;
1898 }
1899 }
1900 else
1901 { /* self signed */
1902 issuer = subject;
1903 if (!cert->public_key)
1904 {
1905 cert->public_key = sign_key->get_public_key(sign_key);
1906 }
1907 cert->flags |= X509_SELF_SIGNED;
1908 }
1909 cert->issuer = issuer->clone(issuer);
1910 if (!cert->notBefore)
1911 {
1912 cert->notBefore = time(NULL);
1913 }
1914 if (!cert->notAfter)
1915 { /* defaults to 1 year from now */
1916 cert->notAfter = cert->notBefore + 60 * 60 * 24 * 365;
1917 }
1918
1919 /* select signature scheme */
1920 cert->algorithm = hasher_signature_algorithm_to_oid(digest_alg,
1921 sign_key->get_type(sign_key));
1922 if (cert->algorithm == OID_UNKNOWN)
1923 {
1924 return FALSE;
1925 }
1926 scheme = signature_scheme_from_oid(cert->algorithm);
1927
1928 if (!cert->public_key->get_encoding(cert->public_key,
1929 PUBKEY_SPKI_ASN1_DER, &key_info))
1930 {
1931 return FALSE;
1932 }
1933
1934 /* encode subjectAltNames */
1935 subjectAltNames = x509_build_subjectAltNames(cert->subjectAltNames);
1936
1937 /* encode CRL distribution points extension */
1938 enumerator = cert->crl_uris->create_enumerator(cert->crl_uris);
1939 while (enumerator->enumerate(enumerator, &entry))
1940 {
1941 chunk_t distributionPoint, gn;
1942 chunk_t crlIssuer = chunk_empty, gns = chunk_empty;
1943
1944 if (entry->issuer)
1945 {
1946 crlIssuer = asn1_wrap(ASN1_CONTEXT_C_2, "m",
1947 build_generalName(entry->issuer));
1948 }
1949 uris = entry->uris->create_enumerator(entry->uris);
1950 while (uris->enumerate(uris, &uri))
1951 {
1952 gn = asn1_wrap(ASN1_CONTEXT_S_6, "c", chunk_create(uri, strlen(uri)));
1953 gns = chunk_cat("mm", gns, gn);
1954 }
1955 uris->destroy(uris);
1956
1957 distributionPoint = asn1_wrap(ASN1_SEQUENCE, "mm",
1958 asn1_wrap(ASN1_CONTEXT_C_0, "m",
1959 asn1_wrap(ASN1_CONTEXT_C_0, "m", gns)),
1960 crlIssuer);
1961 crlDistributionPoints = chunk_cat("mm", crlDistributionPoints,
1962 distributionPoint);
1963 }
1964 enumerator->destroy(enumerator);
1965 if (crlDistributionPoints.ptr)
1966 {
1967 crlDistributionPoints = asn1_wrap(ASN1_SEQUENCE, "mm",
1968 asn1_build_known_oid(OID_CRL_DISTRIBUTION_POINTS),
1969 asn1_wrap(ASN1_OCTET_STRING, "m",
1970 asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints)));
1971 }
1972
1973 /* encode OCSP URIs in authorityInfoAccess extension */
1974 enumerator = cert->ocsp_uris->create_enumerator(cert->ocsp_uris);
1975 while (enumerator->enumerate(enumerator, &uri))
1976 {
1977 chunk_t accessDescription;
1978
1979 accessDescription = asn1_wrap(ASN1_SEQUENCE, "mm",
1980 asn1_build_known_oid(OID_OCSP),
1981 asn1_wrap(ASN1_CONTEXT_S_6, "c",
1982 chunk_create(uri, strlen(uri))));
1983 authorityInfoAccess = chunk_cat("mm", authorityInfoAccess,
1984 accessDescription);
1985 }
1986 enumerator->destroy(enumerator);
1987 if (authorityInfoAccess.ptr)
1988 {
1989 authorityInfoAccess = asn1_wrap(ASN1_SEQUENCE, "mm",
1990 asn1_build_known_oid(OID_AUTHORITY_INFO_ACCESS),
1991 asn1_wrap(ASN1_OCTET_STRING, "m",
1992 asn1_wrap(ASN1_SEQUENCE, "m", authorityInfoAccess)));
1993 }
1994
1995 /* build CA basicConstraint and keyUsage flags for CA certificates */
1996 if (cert->flags & X509_CA)
1997 {
1998 chunk_t pathLenConstraint = chunk_empty;
1999
2000 if (cert->pathLenConstraint != X509_NO_PATH_LEN_CONSTRAINT)
2001 {
2002 char pathlen = (char)cert->pathLenConstraint;
2003
2004 pathLenConstraint = asn1_integer("c", chunk_from_thing(pathlen));
2005 }
2006 basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
2007 asn1_build_known_oid(OID_BASIC_CONSTRAINTS),
2008 asn1_wrap(ASN1_BOOLEAN, "c",
2009 chunk_from_chars(0xFF)),
2010 asn1_wrap(ASN1_OCTET_STRING, "m",
2011 asn1_wrap(ASN1_SEQUENCE, "mm",
2012 asn1_wrap(ASN1_BOOLEAN, "c",
2013 chunk_from_chars(0xFF)),
2014 pathLenConstraint)));
2015 /* set CertificateSign and implicitly CRLsign */
2016 keyUsageBits = chunk_from_chars(0x01, 0x06);
2017 }
2018 else if (cert->flags & X509_CRL_SIGN)
2019 {
2020 keyUsageBits = chunk_from_chars(0x01, 0x02);
2021 }
2022 if (keyUsageBits.len)
2023 {
2024 keyUsage = asn1_wrap(ASN1_SEQUENCE, "mmm",
2025 asn1_build_known_oid(OID_KEY_USAGE),
2026 asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
2027 asn1_wrap(ASN1_OCTET_STRING, "m",
2028 asn1_wrap(ASN1_BIT_STRING, "c", keyUsageBits)));
2029 }
2030
2031 /* add serverAuth extendedKeyUsage flag */
2032 if (cert->flags & X509_SERVER_AUTH)
2033 {
2034 serverAuth = asn1_build_known_oid(OID_SERVER_AUTH);
2035 }
2036 if (cert->flags & X509_CLIENT_AUTH)
2037 {
2038 clientAuth = asn1_build_known_oid(OID_CLIENT_AUTH);
2039 }
2040
2041 /* add ocspSigning extendedKeyUsage flag */
2042 if (cert->flags & X509_OCSP_SIGNER)
2043 {
2044 ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
2045 }
2046
2047 if (serverAuth.ptr || clientAuth.ptr || ocspSigning.ptr)
2048 {
2049 extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
2050 asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
2051 asn1_wrap(ASN1_OCTET_STRING, "m",
2052 asn1_wrap(ASN1_SEQUENCE, "mmm",
2053 serverAuth, clientAuth, ocspSigning)));
2054 }
2055
2056 /* add subjectKeyIdentifier to CA and OCSP signer certificates */
2057 if (cert->flags & (X509_CA | X509_OCSP_SIGNER | X509_CRL_SIGN))
2058 {
2059 chunk_t keyid;
2060
2061 if (cert->public_key->get_fingerprint(cert->public_key,
2062 KEYID_PUBKEY_SHA1, &keyid))
2063 {
2064 subjectKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
2065 asn1_build_known_oid(OID_SUBJECT_KEY_ID),
2066 asn1_wrap(ASN1_OCTET_STRING, "m",
2067 asn1_wrap(ASN1_OCTET_STRING, "c", keyid)));
2068 }
2069 }
2070
2071 /* add the keyid authKeyIdentifier for non self-signed certificates */
2072 if (sign_key)
2073 {
2074 chunk_t keyid;
2075
2076 if (sign_key->get_fingerprint(sign_key, KEYID_PUBKEY_SHA1, &keyid))
2077 {
2078 authKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
2079 asn1_build_known_oid(OID_AUTHORITY_KEY_ID),
2080 asn1_wrap(ASN1_OCTET_STRING, "m",
2081 asn1_wrap(ASN1_SEQUENCE, "m",
2082 asn1_wrap(ASN1_CONTEXT_S_0, "c", keyid))));
2083 }
2084 }
2085
2086 if (cert->permitted_names->get_count(cert->permitted_names) ||
2087 cert->excluded_names->get_count(cert->excluded_names))
2088 {
2089 chunk_t permitted = chunk_empty, excluded = chunk_empty, subtree;
2090 identification_t *id;
2091
2092 enumerator = create_name_constraint_enumerator(cert, TRUE);
2093 while (enumerator->enumerate(enumerator, &id))
2094 {
2095 subtree = asn1_wrap(ASN1_SEQUENCE, "m", build_generalName(id));
2096 permitted = chunk_cat("mm", permitted, subtree);
2097 }
2098 enumerator->destroy(enumerator);
2099 if (permitted.ptr)
2100 {
2101 permitted = asn1_wrap(ASN1_CONTEXT_C_0, "m", permitted);
2102 }
2103
2104 enumerator = create_name_constraint_enumerator(cert, FALSE);
2105 while (enumerator->enumerate(enumerator, &id))
2106 {
2107 subtree = asn1_wrap(ASN1_SEQUENCE, "m", build_generalName(id));
2108 excluded = chunk_cat("mm", excluded, subtree);
2109 }
2110 enumerator->destroy(enumerator);
2111 if (excluded.ptr)
2112 {
2113 excluded = asn1_wrap(ASN1_CONTEXT_C_1, "m", excluded);
2114 }
2115
2116 nameConstraints = asn1_wrap(ASN1_SEQUENCE, "mm",
2117 asn1_build_known_oid(OID_NAME_CONSTRAINTS),
2118 asn1_wrap(ASN1_OCTET_STRING, "m",
2119 asn1_wrap(ASN1_SEQUENCE, "mm",
2120 permitted, excluded)));
2121 }
2122
2123 if (cert->cert_policies->get_count(cert->cert_policies))
2124 {
2125 x509_cert_policy_t *policy;
2126
2127 enumerator = create_cert_policy_enumerator(cert);
2128 while (enumerator->enumerate(enumerator, &policy))
2129 {
2130 chunk_t chunk = chunk_empty, cps = chunk_empty, notice = chunk_empty;
2131
2132 if (policy->cps_uri)
2133 {
2134 cps = asn1_wrap(ASN1_SEQUENCE, "mm",
2135 asn1_build_known_oid(OID_POLICY_QUALIFIER_CPS),
2136 asn1_wrap(ASN1_IA5STRING, "c",
2137 chunk_create(policy->cps_uri,
2138 strlen(policy->cps_uri))));
2139 }
2140 if (policy->unotice_text)
2141 {
2142 notice = asn1_wrap(ASN1_SEQUENCE, "mm",
2143 asn1_build_known_oid(OID_POLICY_QUALIFIER_UNOTICE),
2144 asn1_wrap(ASN1_SEQUENCE, "m",
2145 asn1_wrap(ASN1_VISIBLESTRING, "c",
2146 chunk_create(policy->unotice_text,
2147 strlen(policy->unotice_text)))));
2148 }
2149 if (cps.len || notice.len)
2150 {
2151 chunk = asn1_wrap(ASN1_SEQUENCE, "mm", cps, notice);
2152 }
2153 chunk = asn1_wrap(ASN1_SEQUENCE, "mm",
2154 asn1_wrap(ASN1_OID, "c", policy->oid), chunk);
2155 certPolicies = chunk_cat("mm", certPolicies, chunk);
2156 }
2157 enumerator->destroy(enumerator);
2158
2159 certPolicies = asn1_wrap(ASN1_SEQUENCE, "mm",
2160 asn1_build_known_oid(OID_CERTIFICATE_POLICIES),
2161 asn1_wrap(ASN1_OCTET_STRING, "m",
2162 asn1_wrap(ASN1_SEQUENCE, "m", certPolicies)));
2163 }
2164
2165 if (cert->policy_mappings->get_count(cert->policy_mappings))
2166 {
2167 x509_policy_mapping_t *mapping;
2168
2169 enumerator = create_policy_mapping_enumerator(cert);
2170 while (enumerator->enumerate(enumerator, &mapping))
2171 {
2172 chunk_t chunk;
2173
2174 chunk = asn1_wrap(ASN1_SEQUENCE, "mm",
2175 asn1_wrap(ASN1_OID, "c", mapping->issuer),
2176 asn1_wrap(ASN1_OID, "c", mapping->subject));
2177 policyMappings = chunk_cat("mm", policyMappings, chunk);
2178 }
2179 enumerator->destroy(enumerator);
2180
2181 policyMappings = asn1_wrap(ASN1_SEQUENCE, "mm",
2182 asn1_build_known_oid(OID_POLICY_MAPPINGS),
2183 asn1_wrap(ASN1_OCTET_STRING, "m",
2184 asn1_wrap(ASN1_SEQUENCE, "m", policyMappings)));
2185 }
2186
2187 if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
2188 crlDistributionPoints.ptr || nameConstraints.ptr)
2189 {
2190 extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
2191 asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmm",
2192 basicConstraints, keyUsage, subjectKeyIdentifier,
2193 authKeyIdentifier, subjectAltNames,
2194 extendedKeyUsage, crlDistributionPoints,
2195 authorityInfoAccess, nameConstraints, certPolicies,
2196 policyMappings));
2197 }
2198
2199 cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
2200 asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
2201 asn1_integer("c", cert->serialNumber),
2202 asn1_algorithmIdentifier(cert->algorithm),
2203 issuer->get_encoding(issuer),
2204 asn1_wrap(ASN1_SEQUENCE, "mm",
2205 asn1_from_time(&cert->notBefore, ASN1_UTCTIME),
2206 asn1_from_time(&cert->notAfter, ASN1_UTCTIME)),
2207 subject->get_encoding(subject),
2208 key_info, extensions);
2209
2210 if (!sign_key->sign(sign_key, scheme, cert->tbsCertificate, &cert->signature))
2211 {
2212 return FALSE;
2213 }
2214 cert->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm", cert->tbsCertificate,
2215 asn1_algorithmIdentifier(cert->algorithm),
2216 asn1_bitstring("c", cert->signature));
2217
2218 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
2219 if (!hasher)
2220 {
2221 return FALSE;
2222 }
2223 hasher->allocate_hash(hasher, cert->encoding, &cert->encoding_hash);
2224 hasher->destroy(hasher);
2225 return TRUE;
2226 }
2227
2228 /**
2229 * See header.
2230 */
2231 x509_cert_t *x509_cert_load(certificate_type_t type, va_list args)
2232 {
2233 x509_flag_t flags = 0;
2234 chunk_t blob = chunk_empty;
2235
2236 while (TRUE)
2237 {
2238 switch (va_arg(args, builder_part_t))
2239 {
2240 case BUILD_BLOB_ASN1_DER:
2241 blob = va_arg(args, chunk_t);
2242 continue;
2243 case BUILD_X509_FLAG:
2244 flags |= va_arg(args, x509_flag_t);
2245 continue;
2246 case BUILD_END:
2247 break;
2248 default:
2249 return NULL;
2250 }
2251 break;
2252 }
2253
2254 if (blob.ptr)
2255 {
2256 private_x509_cert_t *cert = create_empty();
2257
2258 cert->encoding = chunk_clone(blob);
2259 cert->parsed = TRUE;
2260 if (parse_certificate(cert))
2261 {
2262 cert->flags |= flags;
2263 return &cert->public;
2264 }
2265 destroy(cert);
2266 }
2267 return NULL;
2268 }
2269
2270 /**
2271 * See header.
2272 */
2273 x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
2274 {
2275 private_x509_cert_t *cert;
2276 certificate_t *sign_cert = NULL;
2277 private_key_t *sign_key = NULL;
2278 identification_t *crl_issuer = NULL;
2279 hash_algorithm_t digest_alg = HASH_SHA1;
2280
2281 cert = create_empty();
2282 while (TRUE)
2283 {
2284 switch (va_arg(args, builder_part_t))
2285 {
2286 case BUILD_X509_FLAG:
2287 cert->flags |= va_arg(args, x509_flag_t);
2288 continue;
2289 case BUILD_SIGNING_KEY:
2290 sign_key = va_arg(args, private_key_t*);
2291 continue;
2292 case BUILD_SIGNING_CERT:
2293 sign_cert = va_arg(args, certificate_t*);
2294 continue;
2295 case BUILD_PUBLIC_KEY:
2296 cert->public_key = va_arg(args, public_key_t*);
2297 cert->public_key->get_ref(cert->public_key);
2298 continue;
2299 case BUILD_SUBJECT:
2300 cert->subject = va_arg(args, identification_t*);
2301 cert->subject = cert->subject->clone(cert->subject);
2302 continue;
2303 case BUILD_SUBJECT_ALTNAMES:
2304 {
2305 enumerator_t *enumerator;
2306 identification_t *id;
2307 linked_list_t *list;
2308
2309 list = va_arg(args, linked_list_t*);
2310 enumerator = list->create_enumerator(list);
2311 while (enumerator->enumerate(enumerator, &id))
2312 {
2313 cert->subjectAltNames->insert_last(cert->subjectAltNames,
2314 id->clone(id));
2315 }
2316 enumerator->destroy(enumerator);
2317 continue;
2318 }
2319 case BUILD_CRL_DISTRIBUTION_POINTS:
2320 {
2321 enumerator_t *enumerator;
2322 linked_list_t *list;
2323 crl_uri_t *entry;
2324 char *uri;
2325
2326 list = va_arg(args, linked_list_t*);
2327 if (list->get_count(list))
2328 {
2329 entry = crl_uri_create(crl_issuer);
2330 enumerator = list->create_enumerator(list);
2331 while (enumerator->enumerate(enumerator, &uri))
2332 {
2333 entry->uris->insert_last(entry->uris, strdup(uri));
2334 }
2335 enumerator->destroy(enumerator);
2336 cert->crl_uris->insert_last(cert->crl_uris, entry);
2337 }
2338 continue;
2339 }
2340 case BUILD_CRL_ISSUER:
2341 {
2342 crl_issuer = va_arg(args, identification_t*);
2343 continue;
2344 }
2345 case BUILD_OCSP_ACCESS_LOCATIONS:
2346 {
2347 enumerator_t *enumerator;
2348 linked_list_t *list;
2349 char *uri;
2350
2351 list = va_arg(args, linked_list_t*);
2352 enumerator = list->create_enumerator(list);
2353 while (enumerator->enumerate(enumerator, &uri))
2354 {
2355 cert->ocsp_uris->insert_last(cert->ocsp_uris, strdup(uri));
2356 }
2357 enumerator->destroy(enumerator);
2358 continue;
2359 }
2360 case BUILD_PATHLEN:
2361 cert->pathLenConstraint = va_arg(args, int);
2362 if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127)
2363 {
2364 cert->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT;
2365 }
2366 continue;
2367 case BUILD_PERMITTED_NAME_CONSTRAINTS:
2368 {
2369 enumerator_t *enumerator;
2370 linked_list_t *list;
2371 identification_t *constraint;
2372
2373 list = va_arg(args, linked_list_t*);
2374 enumerator = list->create_enumerator(list);
2375 while (enumerator->enumerate(enumerator, &constraint))
2376 {
2377 cert->permitted_names->insert_last(cert->permitted_names,
2378 constraint->clone(constraint));
2379 }
2380 enumerator->destroy(enumerator);
2381 continue;
2382 }
2383 case BUILD_EXCLUDED_NAME_CONSTRAINTS:
2384 {
2385 enumerator_t *enumerator;
2386 linked_list_t *list;
2387 identification_t *constraint;
2388
2389 list = va_arg(args, linked_list_t*);
2390 enumerator = list->create_enumerator(list);
2391 while (enumerator->enumerate(enumerator, &constraint))
2392 {
2393 cert->excluded_names->insert_last(cert->excluded_names,
2394 constraint->clone(constraint));
2395 }
2396 enumerator->destroy(enumerator);
2397 continue;
2398 }
2399 case BUILD_CERTIFICATE_POLICIES:
2400 {
2401 enumerator_t *enumerator;
2402 linked_list_t *list;
2403 x509_cert_policy_t *policy, *in;
2404
2405 list = va_arg(args, linked_list_t*);
2406 enumerator = list->create_enumerator(list);
2407 while (enumerator->enumerate(enumerator, &in))
2408 {
2409 INIT(policy,
2410 .oid = chunk_clone(in->oid),
2411 .cps_uri = strdupnull(in->cps_uri),
2412 .unotice_text = strdupnull(in->unotice_text),
2413 );
2414 cert->cert_policies->insert_last(cert->cert_policies, policy);
2415 }
2416 enumerator->destroy(enumerator);
2417 continue;
2418 }
2419 case BUILD_POLICY_MAPPINGS:
2420 {
2421 enumerator_t *enumerator;
2422 linked_list_t *list;
2423 x509_policy_mapping_t* mapping, *in;
2424
2425 list = va_arg(args, linked_list_t*);
2426 enumerator = list->create_enumerator(list);
2427 while (enumerator->enumerate(enumerator, &in))
2428 {
2429 INIT(mapping,
2430 .issuer = chunk_clone(in->issuer),
2431 .subject = chunk_clone(in->subject),
2432 );
2433 cert->policy_mappings->insert_last(cert->policy_mappings,
2434 mapping);
2435 }
2436 enumerator->destroy(enumerator);
2437 continue;
2438 }
2439 case BUILD_NOT_BEFORE_TIME:
2440 cert->notBefore = va_arg(args, time_t);
2441 continue;
2442 case BUILD_NOT_AFTER_TIME:
2443 cert->notAfter = va_arg(args, time_t);
2444 continue;
2445 case BUILD_SERIAL:
2446 cert->serialNumber = chunk_clone(va_arg(args, chunk_t));
2447 continue;
2448 case BUILD_DIGEST_ALG:
2449 digest_alg = va_arg(args, int);
2450 continue;
2451 case BUILD_END:
2452 break;
2453 default:
2454 destroy(cert);
2455 return NULL;
2456 }
2457 break;
2458 }
2459
2460 if (sign_key && generate(cert, sign_cert, sign_key, digest_alg))
2461 {
2462 return &cert->public;
2463 }
2464 destroy(cert);
2465 return NULL;
2466 }
2467