2 * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
3 * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
4 * Copyright (C) 2002 Mario Strasser
5 * Copyright (C) 2000-2006 Andreas Steffen
6 * Copyright (C) 2006-2009 Martin Willi
7 * Copyright (C) 2008 Tobias Brunner
8 * Hochschule fuer Technik Rapperswil
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
23 #include "x509_cert.h"
34 #include <asn1/asn1.h>
35 #include <asn1/asn1_parser.h>
36 #include <crypto/hashers/hasher.h>
37 #include <credentials/keys/private_key.h>
38 #include <utils/linked_list.h>
39 #include <utils/identification.h>
40 #include <selectors/traffic_selector.h>
43 * Different kinds of generalNames
50 GN_DIRECTORY_NAME
= 4,
51 GN_EDI_PARTY_NAME
= 5,
58 typedef struct private_x509_cert_t private_x509_cert_t
;
61 * Private data of a x509_cert_t object.
63 struct private_x509_cert_t
{
65 * Public interface for this certificate.
70 * X.509 certificate encoding in ASN.1 DER format
75 * SHA1 hash of the DER encoding of this X.509 certificate
77 chunk_t encoding_hash
;
80 * X.509 certificate body over which signature is computed
82 chunk_t tbsCertificate
;
85 * Version of the X.509 certificate
90 * Serial number of the X.509 certificate
95 * ID representing the certificate issuer
97 identification_t
*issuer
;
100 * Start time of certificate validity
105 * End time of certificate validity
110 * ID representing the certificate subject
112 identification_t
*subject
;
115 * List of subjectAltNames as identification_t
117 linked_list_t
*subjectAltNames
;
120 * List of crlDistributionPoints as x509_cdp_t*
122 linked_list_t
*crl_uris
;
125 * List of ocspAccessLocations as allocated char*
127 linked_list_t
*ocsp_uris
;
130 * List of ipAddrBlocks as traffic_selector_t
132 linked_list_t
*ipAddrBlocks
;
135 * List of permitted name constraints
137 linked_list_t
*permitted_names
;
140 * List of exluced name constraints
142 linked_list_t
*excluded_names
;
145 * List of certificatePolicies, as x509_cert_policy_t
147 linked_list_t
*cert_policies
;
150 * List of policyMappings, as x509_policy_mapping_t
152 linked_list_t
*policy_mappings
;
155 * certificate's embedded public key
157 public_key_t
*public_key
;
160 * Subject Key Identifier
162 chunk_t subjectKeyIdentifier
;
165 * Authority Key Identifier
167 chunk_t authKeyIdentifier
;
170 * Authority Key Serial Number
172 chunk_t authKeySerialNumber
;
175 * Path Length Constraint
177 u_char pathLenConstraint
;
180 * requireExplicitPolicy Constraint
182 u_char require_explicit
;
185 * inhibitPolicyMapping Constraint
187 u_char inhibit_mapping
;
190 * inhibitAnyPolicy Constraint
195 * x509 constraints and other flags
200 * Signature algorithm
210 * Certificate parsed from blob/file?
220 static const chunk_t ASN1_subjectAltName_oid
= chunk_from_chars(
221 0x06, 0x03, 0x55, 0x1D, 0x11
225 * Destroy a CertificateDistributionPoint
227 static void crl_uri_destroy(x509_cdp_t
*this)
230 DESTROY_IF(this->issuer
);
235 * Destroy a CertificatePolicy
237 static void cert_policy_destroy(x509_cert_policy_t
*this)
241 free(this->unotice_text
);
246 * Free policy mapping
248 static void policy_mapping_destroy(x509_policy_mapping_t
*mapping
)
250 free(mapping
->issuer
.ptr
);
251 free(mapping
->subject
.ptr
);
256 * Parse a length constraint from an unwrapped integer
258 static u_int
parse_constraint(chunk_t object
)
265 return (object
.ptr
[0] & 0x80) ? X509_NO_CONSTRAINT
: object
.ptr
[0];
267 return X509_NO_CONSTRAINT
;
272 * ASN.1 definition of a basicConstraints extension
274 static const asn1Object_t basicConstraintsObjects
[] = {
275 { 0, "basicConstraints", ASN1_SEQUENCE
, ASN1_NONE
}, /* 0 */
276 { 1, "CA", ASN1_BOOLEAN
, ASN1_DEF
|ASN1_BODY
}, /* 1 */
277 { 1, "pathLenConstraint", ASN1_INTEGER
, ASN1_OPT
|ASN1_BODY
}, /* 2 */
278 { 1, "end opt", ASN1_EOC
, ASN1_END
}, /* 3 */
279 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
281 #define BASIC_CONSTRAINTS_CA 1
282 #define BASIC_CONSTRAINTS_PATH_LEN 2
285 * Extracts the basicConstraints extension
287 static void parse_basicConstraints(chunk_t blob
, int level0
,
288 private_x509_cert_t
*this)
290 asn1_parser_t
*parser
;
295 parser
= asn1_parser_create(basicConstraintsObjects
, blob
);
296 parser
->set_top_level(parser
, level0
);
298 while (parser
->iterate(parser
, &objectID
, &object
))
302 case BASIC_CONSTRAINTS_CA
:
303 isCA
= object
.len
&& *object
.ptr
;
304 DBG2(DBG_ASN
, " %s", isCA ?
"TRUE" : "FALSE");
307 this->flags
|= X509_CA
;
310 case BASIC_CONSTRAINTS_PATH_LEN
:
313 this->pathLenConstraint
= parse_constraint(object
);
320 parser
->destroy(parser
);
324 * ASN.1 definition of otherName
326 static const asn1Object_t otherNameObjects
[] = {
327 {0, "type-id", ASN1_OID
, ASN1_BODY
}, /* 0 */
328 {0, "value", ASN1_CONTEXT_C_0
, ASN1_BODY
}, /* 1 */
329 {0, "exit", ASN1_EOC
, ASN1_EXIT
}
331 #define ON_OBJ_ID_TYPE 0
332 #define ON_OBJ_VALUE 1
335 * Extracts an otherName
337 static bool parse_otherName(chunk_t
*blob
, int level0
, id_type_t
*type
)
339 asn1_parser_t
*parser
;
342 int oid
= OID_UNKNOWN
;
343 bool success
= FALSE
;
345 parser
= asn1_parser_create(otherNameObjects
, *blob
);
346 parser
->set_top_level(parser
, level0
);
348 while (parser
->iterate(parser
, &objectID
, &object
))
353 oid
= asn1_known_oid(object
);
359 if (!asn1_parse_simple_object(&object
, ASN1_UTF8STRING
,
360 parser
->get_level(parser
)+1, "xmppAddr"))
365 case OID_USER_PRINCIPAL_NAME
:
366 if (asn1_parse_simple_object(&object
, ASN1_UTF8STRING
,
367 parser
->get_level(parser
)+1, "msUPN"))
368 { /* we handle UPNs as RFC822 addr */
370 *type
= ID_RFC822_ADDR
;
383 success
= parser
->success(parser
);
386 parser
->destroy(parser
);
391 * ASN.1 definition of generalName
393 static const asn1Object_t generalNameObjects
[] = {
394 { 0, "otherName", ASN1_CONTEXT_C_0
, ASN1_OPT
|ASN1_BODY
}, /* 0 */
395 { 0, "end choice", ASN1_EOC
, ASN1_END
}, /* 1 */
396 { 0, "rfc822Name", ASN1_CONTEXT_S_1
, ASN1_OPT
|ASN1_BODY
}, /* 2 */
397 { 0, "end choice", ASN1_EOC
, ASN1_END
}, /* 3 */
398 { 0, "dnsName", ASN1_CONTEXT_S_2
, ASN1_OPT
|ASN1_BODY
}, /* 4 */
399 { 0, "end choice", ASN1_EOC
, ASN1_END
}, /* 5 */
400 { 0, "x400Address", ASN1_CONTEXT_S_3
, ASN1_OPT
|ASN1_BODY
}, /* 6 */
401 { 0, "end choice", ASN1_EOC
, ASN1_END
}, /* 7 */
402 { 0, "directoryName", ASN1_CONTEXT_C_4
, ASN1_OPT
|ASN1_BODY
}, /* 8 */
403 { 0, "end choice", ASN1_EOC
, ASN1_END
}, /* 9 */
404 { 0, "ediPartyName", ASN1_CONTEXT_C_5
, ASN1_OPT
|ASN1_BODY
}, /* 10 */
405 { 0, "end choice", ASN1_EOC
, ASN1_END
}, /* 11 */
406 { 0, "URI", ASN1_CONTEXT_S_6
, ASN1_OPT
|ASN1_BODY
}, /* 12 */
407 { 0, "end choice", ASN1_EOC
, ASN1_END
}, /* 13 */
408 { 0, "ipAddress", ASN1_CONTEXT_S_7
, ASN1_OPT
|ASN1_BODY
}, /* 14 */
409 { 0, "end choice", ASN1_EOC
, ASN1_END
}, /* 15 */
410 { 0, "registeredID", ASN1_CONTEXT_S_8
, ASN1_OPT
|ASN1_BODY
}, /* 16 */
411 { 0, "end choice", ASN1_EOC
, ASN1_END
}, /* 17 */
412 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
414 #define GN_OBJ_OTHER_NAME 0
415 #define GN_OBJ_RFC822_NAME 2
416 #define GN_OBJ_DNS_NAME 4
417 #define GN_OBJ_X400_ADDRESS 6
418 #define GN_OBJ_DIRECTORY_NAME 8
419 #define GN_OBJ_EDI_PARTY_NAME 10
420 #define GN_OBJ_URI 12
421 #define GN_OBJ_IP_ADDRESS 14
422 #define GN_OBJ_REGISTERED_ID 16
425 * Extracts a generalName
427 static identification_t
*parse_generalName(chunk_t blob
, int level0
)
429 asn1_parser_t
*parser
;
433 identification_t
*gn
= NULL
;
435 parser
= asn1_parser_create(generalNameObjects
, blob
);
436 parser
->set_top_level(parser
, level0
);
438 while (parser
->iterate(parser
, &objectID
, &object
))
440 id_type_t id_type
= ID_ANY
;
444 case GN_OBJ_RFC822_NAME
:
445 id_type
= ID_RFC822_ADDR
;
447 case GN_OBJ_DNS_NAME
:
451 id_type
= ID_DER_ASN1_GN_URI
;
453 case GN_OBJ_DIRECTORY_NAME
:
454 id_type
= ID_DER_ASN1_DN
;
456 case GN_OBJ_IP_ADDRESS
:
460 id_type
= ID_IPV4_ADDR
;
463 id_type
= ID_IPV6_ADDR
;
469 case GN_OBJ_OTHER_NAME
:
470 if (!parse_otherName(&object
, parser
->get_level(parser
)+1,
476 case GN_OBJ_X400_ADDRESS
:
477 case GN_OBJ_EDI_PARTY_NAME
:
478 case GN_OBJ_REGISTERED_ID
:
482 if (id_type
!= ID_ANY
)
484 gn
= identification_create_from_encoding(id_type
, object
);
485 DBG2(DBG_ASN
, " '%Y'", gn
);
491 parser
->destroy(parser
);
496 * ASN.1 definition of generalNames
498 static const asn1Object_t generalNamesObjects
[] = {
499 { 0, "generalNames", ASN1_SEQUENCE
, ASN1_LOOP
}, /* 0 */
500 { 1, "generalName", ASN1_EOC
, ASN1_RAW
}, /* 1 */
501 { 0, "end loop", ASN1_EOC
, ASN1_END
}, /* 2 */
502 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
504 #define GENERAL_NAMES_GN 1
507 * Extracts one or several GNs and puts them into a chained list
509 void x509_parse_generalNames(chunk_t blob
, int level0
, bool implicit
, linked_list_t
*list
)
511 asn1_parser_t
*parser
;
515 parser
= asn1_parser_create(generalNamesObjects
, blob
);
516 parser
->set_top_level(parser
, level0
);
517 parser
->set_flags(parser
, implicit
, FALSE
);
519 while (parser
->iterate(parser
, &objectID
, &object
))
521 if (objectID
== GENERAL_NAMES_GN
)
523 identification_t
*gn
= parse_generalName(object
,
524 parser
->get_level(parser
)+1);
528 list
->insert_last(list
, (void *)gn
);
532 parser
->destroy(parser
);
536 * ASN.1 definition of a authorityKeyIdentifier extension
538 static const asn1Object_t authKeyIdentifierObjects
[] = {
539 { 0, "authorityKeyIdentifier", ASN1_SEQUENCE
, ASN1_NONE
}, /* 0 */
540 { 1, "keyIdentifier", ASN1_CONTEXT_S_0
, ASN1_OPT
|ASN1_BODY
}, /* 1 */
541 { 1, "end opt", ASN1_EOC
, ASN1_END
}, /* 2 */
542 { 1, "authorityCertIssuer", ASN1_CONTEXT_C_1
, ASN1_OPT
|ASN1_OBJ
}, /* 3 */
543 { 1, "end opt", ASN1_EOC
, ASN1_END
}, /* 4 */
544 { 1, "authorityCertSerialNumber", ASN1_CONTEXT_S_2
, ASN1_OPT
|ASN1_BODY
}, /* 5 */
545 { 1, "end opt", ASN1_EOC
, ASN1_END
}, /* 6 */
546 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
548 #define AUTH_KEY_ID_KEY_ID 1
549 #define AUTH_KEY_ID_CERT_ISSUER 3
550 #define AUTH_KEY_ID_CERT_SERIAL 5
553 * Extracts an authoritykeyIdentifier
555 chunk_t
x509_parse_authorityKeyIdentifier(chunk_t blob
, int level0
,
556 chunk_t
*authKeySerialNumber
)
558 asn1_parser_t
*parser
;
561 chunk_t authKeyIdentifier
= chunk_empty
;
563 *authKeySerialNumber
= chunk_empty
;
565 parser
= asn1_parser_create(authKeyIdentifierObjects
, blob
);
566 parser
->set_top_level(parser
, level0
);
568 while (parser
->iterate(parser
, &objectID
, &object
))
572 case AUTH_KEY_ID_KEY_ID
:
573 authKeyIdentifier
= chunk_clone(object
);
575 case AUTH_KEY_ID_CERT_ISSUER
:
576 /* TODO: x509_parse_generalNames(object, level+1, TRUE); */
578 case AUTH_KEY_ID_CERT_SERIAL
:
579 *authKeySerialNumber
= object
;
585 parser
->destroy(parser
);
586 return authKeyIdentifier
;
590 * ASN.1 definition of a authorityInfoAccess extension
592 static const asn1Object_t authInfoAccessObjects
[] = {
593 { 0, "authorityInfoAccess", ASN1_SEQUENCE
, ASN1_LOOP
}, /* 0 */
594 { 1, "accessDescription", ASN1_SEQUENCE
, ASN1_NONE
}, /* 1 */
595 { 2, "accessMethod", ASN1_OID
, ASN1_BODY
}, /* 2 */
596 { 2, "accessLocation", ASN1_EOC
, ASN1_RAW
}, /* 3 */
597 { 0, "end loop", ASN1_EOC
, ASN1_END
}, /* 4 */
598 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
600 #define AUTH_INFO_ACCESS_METHOD 2
601 #define AUTH_INFO_ACCESS_LOCATION 3
604 * Extracts an authorityInfoAcess location
606 static void parse_authorityInfoAccess(chunk_t blob
, int level0
,
607 private_x509_cert_t
*this)
609 asn1_parser_t
*parser
;
612 int accessMethod
= OID_UNKNOWN
;
614 parser
= asn1_parser_create(authInfoAccessObjects
, blob
);
615 parser
->set_top_level(parser
, level0
);
617 while (parser
->iterate(parser
, &objectID
, &object
))
621 case AUTH_INFO_ACCESS_METHOD
:
622 accessMethod
= asn1_known_oid(object
);
624 case AUTH_INFO_ACCESS_LOCATION
:
626 switch (accessMethod
)
631 identification_t
*id
;
634 id
= parse_generalName(object
,
635 parser
->get_level(parser
)+1);
638 /* parsing went wrong - abort */
641 DBG2(DBG_ASN
, " '%Y'", id
);
642 if (accessMethod
== OID_OCSP
&&
643 asprintf(&uri
, "%Y", id
) > 0)
645 this->ocsp_uris
->insert_last(this->ocsp_uris
, uri
);
651 /* unknown accessMethod, ignoring */
662 parser
->destroy(parser
);
666 * Extract KeyUsage flags
668 static void parse_keyUsage(chunk_t blob
, private_x509_cert_t
*this)
671 KU_DIGITAL_SIGNATURE
= 0,
672 KU_NON_REPUDIATION
= 1,
673 KU_KEY_ENCIPHERMENT
= 2,
674 KU_DATA_ENCIPHERMENT
= 3,
675 KU_KEY_AGREEMENT
= 4,
676 KU_KEY_CERT_SIGN
= 5,
678 KU_ENCIPHER_ONLY
= 7,
679 KU_DECIPHER_ONLY
= 8,
682 if (asn1_unwrap(&blob
, &blob
) == ASN1_BIT_STRING
&& blob
.len
)
684 int bit
, byte
, unused
= blob
.ptr
[0];
686 blob
= chunk_skip(blob
, 1);
687 for (byte
= 0; byte
< blob
.len
; byte
++)
689 for (bit
= 0; bit
< 8; bit
++)
691 if (byte
== blob
.len
- 1 && bit
> (7 - unused
))
695 if (blob
.ptr
[byte
] & 1 << (7 - bit
))
697 switch (byte
* 8 + bit
)
700 this->flags
|= X509_CRL_SIGN
;
702 case KU_KEY_CERT_SIGN
:
703 /* we use the caBasicConstraint, MUST be set */
704 case KU_DIGITAL_SIGNATURE
:
705 case KU_NON_REPUDIATION
:
706 case KU_KEY_ENCIPHERMENT
:
707 case KU_DATA_ENCIPHERMENT
:
708 case KU_KEY_AGREEMENT
:
709 case KU_ENCIPHER_ONLY
:
710 case KU_DECIPHER_ONLY
:
720 * ASN.1 definition of a extendedKeyUsage extension
722 static const asn1Object_t extendedKeyUsageObjects
[] = {
723 { 0, "extendedKeyUsage", ASN1_SEQUENCE
, ASN1_LOOP
}, /* 0 */
724 { 1, "keyPurposeID", ASN1_OID
, ASN1_BODY
}, /* 1 */
725 { 0, "end loop", ASN1_EOC
, ASN1_END
}, /* 2 */
726 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
728 #define EXT_KEY_USAGE_PURPOSE_ID 1
731 * Extracts extendedKeyUsage OIDs
733 static void parse_extendedKeyUsage(chunk_t blob
, int level0
,
734 private_x509_cert_t
*this)
736 asn1_parser_t
*parser
;
740 parser
= asn1_parser_create(extendedKeyUsageObjects
, blob
);
741 parser
->set_top_level(parser
, level0
);
743 while (parser
->iterate(parser
, &objectID
, &object
))
745 if (objectID
== EXT_KEY_USAGE_PURPOSE_ID
)
747 switch (asn1_known_oid(object
))
749 case OID_SERVER_AUTH
:
750 this->flags
|= X509_SERVER_AUTH
;
752 case OID_CLIENT_AUTH
:
753 this->flags
|= X509_CLIENT_AUTH
;
755 case OID_OCSP_SIGNING
:
756 this->flags
|= X509_OCSP_SIGNER
;
763 parser
->destroy(parser
);
767 * ASN.1 definition of crlDistributionPoints
769 static const asn1Object_t crlDistributionPointsObjects
[] = {
770 { 0, "crlDistributionPoints", ASN1_SEQUENCE
, ASN1_LOOP
}, /* 0 */
771 { 1, "DistributionPoint", ASN1_SEQUENCE
, ASN1_NONE
}, /* 1 */
772 { 2, "distributionPoint", ASN1_CONTEXT_C_0
, ASN1_OPT
|ASN1_LOOP
}, /* 2 */
773 { 3, "fullName", ASN1_CONTEXT_C_0
, ASN1_OPT
|ASN1_OBJ
}, /* 3 */
774 { 3, "end choice", ASN1_EOC
, ASN1_END
}, /* 4 */
775 { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1
, ASN1_OPT
|ASN1_BODY
}, /* 5 */
776 { 3, "end choice", ASN1_EOC
, ASN1_END
}, /* 6 */
777 { 2, "end opt", ASN1_EOC
, ASN1_END
}, /* 7 */
778 { 2, "reasons", ASN1_CONTEXT_C_1
, ASN1_OPT
|ASN1_BODY
}, /* 8 */
779 { 2, "end opt", ASN1_EOC
, ASN1_END
}, /* 9 */
780 { 2, "crlIssuer", ASN1_CONTEXT_C_2
, ASN1_OPT
|ASN1_OBJ
}, /* 10 */
781 { 2, "end opt", ASN1_EOC
, ASN1_END
}, /* 11 */
782 { 0, "end loop", ASN1_EOC
, ASN1_END
}, /* 12 */
783 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
785 #define CRL_DIST_POINTS 1
786 #define CRL_DIST_POINTS_FULLNAME 3
787 #define CRL_DIST_POINTS_ISSUER 10
790 * Add entry to the list of each pairing of URI and Issuer
792 static void add_cdps(linked_list_t
*list
, linked_list_t
*uris
,
793 linked_list_t
*issuers
)
795 identification_t
*issuer
, *id
;
796 enumerator_t
*enumerator
;
800 while (uris
->remove_last(uris
, (void**)&id
) == SUCCESS
)
802 if (asprintf(&uri
, "%Y", id
) > 0)
804 if (issuers
->get_count(issuers
))
806 enumerator
= issuers
->create_enumerator(issuers
);
807 while (enumerator
->enumerate(enumerator
, &issuer
))
811 .issuer
= issuer
->clone(issuer
),
813 list
->insert_last(list
, cdp
);
815 enumerator
->destroy(enumerator
);
823 list
->insert_last(list
, cdp
);
828 while (issuers
->remove_last(issuers
, (void**)&id
) == SUCCESS
)
835 * Extracts one or several crlDistributionPoints into a list
837 void x509_parse_crlDistributionPoints(chunk_t blob
, int level0
,
840 linked_list_t
*uris
, *issuers
;
841 asn1_parser_t
*parser
;
845 uris
= linked_list_create();
846 issuers
= linked_list_create();
847 parser
= asn1_parser_create(crlDistributionPointsObjects
, blob
);
848 parser
->set_top_level(parser
, level0
);
850 while (parser
->iterate(parser
, &objectID
, &object
))
854 case CRL_DIST_POINTS
:
855 add_cdps(list
, uris
, issuers
);
857 case CRL_DIST_POINTS_FULLNAME
:
858 x509_parse_generalNames(object
, parser
->get_level(parser
) + 1,
861 case CRL_DIST_POINTS_ISSUER
:
862 x509_parse_generalNames(object
, parser
->get_level(parser
) + 1,
869 parser
->destroy(parser
);
871 add_cdps(list
, uris
, issuers
);
874 issuers
->destroy(issuers
);
878 * ASN.1 definition of nameConstraints
880 static const asn1Object_t nameConstraintsObjects
[] = {
881 { 0, "nameConstraints", ASN1_SEQUENCE
, ASN1_LOOP
}, /* 0 */
882 { 1, "permittedSubtrees", ASN1_CONTEXT_C_0
, ASN1_OPT
|ASN1_LOOP
}, /* 1 */
883 { 2, "generalSubtree", ASN1_SEQUENCE
, ASN1_BODY
}, /* 2 */
884 { 1, "end loop", ASN1_EOC
, ASN1_END
}, /* 3 */
885 { 1, "excludedSubtrees", ASN1_CONTEXT_C_1
, ASN1_OPT
|ASN1_LOOP
}, /* 4 */
886 { 2, "generalSubtree", ASN1_SEQUENCE
, ASN1_BODY
}, /* 5 */
887 { 1, "end loop", ASN1_EOC
, ASN1_END
}, /* 6 */
888 { 0, "end loop", ASN1_EOC
, ASN1_END
}, /* 7 */
889 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
891 #define NAME_CONSTRAINT_PERMITTED 2
892 #define NAME_CONSTRAINT_EXCLUDED 5
895 * Parse permitted/excluded nameConstraints
897 static void parse_nameConstraints(chunk_t blob
, int level0
,
898 private_x509_cert_t
*this)
900 asn1_parser_t
*parser
;
901 identification_t
*id
;
905 parser
= asn1_parser_create(nameConstraintsObjects
, blob
);
906 parser
->set_top_level(parser
, level0
);
908 while (parser
->iterate(parser
, &objectID
, &object
))
912 case NAME_CONSTRAINT_PERMITTED
:
913 id
= parse_generalName(object
, parser
->get_level(parser
) + 1);
916 this->permitted_names
->insert_last(this->permitted_names
, id
);
919 case NAME_CONSTRAINT_EXCLUDED
:
920 id
= parse_generalName(object
, parser
->get_level(parser
) + 1);
923 this->excluded_names
->insert_last(this->excluded_names
, id
);
930 parser
->destroy(parser
);
934 * ASN.1 definition of a certificatePolicies extension
936 static const asn1Object_t certificatePoliciesObject
[] = {
937 { 0, "certificatePolicies", ASN1_SEQUENCE
, ASN1_LOOP
}, /* 0 */
938 { 1, "policyInformation", ASN1_SEQUENCE
, ASN1_NONE
}, /* 1 */
939 { 2, "policyId", ASN1_OID
, ASN1_BODY
}, /* 2 */
940 { 2, "qualifiers", ASN1_SEQUENCE
, ASN1_OPT
|ASN1_LOOP
}, /* 3 */
941 { 3, "qualifierInfo", ASN1_SEQUENCE
, ASN1_NONE
}, /* 4 */
942 { 4, "qualifierId", ASN1_OID
, ASN1_BODY
}, /* 5 */
943 { 4, "cPSuri", ASN1_IA5STRING
, ASN1_OPT
|ASN1_BODY
}, /* 6 */
944 { 4, "end choice", ASN1_EOC
, ASN1_END
}, /* 7 */
945 { 4, "userNotice", ASN1_SEQUENCE
, ASN1_OPT
|ASN1_BODY
}, /* 8 */
946 { 5, "explicitText", ASN1_EOC
, ASN1_RAW
}, /* 9 */
947 { 4, "end choice", ASN1_EOC
, ASN1_END
}, /* 10 */
948 { 2, "end opt/loop", ASN1_EOC
, ASN1_END
}, /* 12 */
949 { 0, "end loop", ASN1_EOC
, ASN1_END
}, /* 13 */
950 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
952 #define CERT_POLICY_ID 2
953 #define CERT_POLICY_QUALIFIER_ID 5
954 #define CERT_POLICY_CPS_URI 6
955 #define CERT_POLICY_EXPLICIT_TEXT 9
958 * Parse certificatePolicies
960 static void parse_certificatePolicies(chunk_t blob
, int level0
,
961 private_x509_cert_t
*this)
963 x509_cert_policy_t
*policy
= NULL
;
964 asn1_parser_t
*parser
;
966 int objectID
, qualifier
= OID_UNKNOWN
;
968 parser
= asn1_parser_create(certificatePoliciesObject
, blob
);
969 parser
->set_top_level(parser
, level0
);
971 while (parser
->iterate(parser
, &objectID
, &object
))
977 .oid
= chunk_clone(object
),
979 this->cert_policies
->insert_last(this->cert_policies
, policy
);
981 case CERT_POLICY_QUALIFIER_ID
:
982 qualifier
= asn1_known_oid(object
);
984 case CERT_POLICY_CPS_URI
:
985 if (policy
&& !policy
->cps_uri
&& object
.len
&&
986 qualifier
== OID_POLICY_QUALIFIER_CPS
&&
987 chunk_printable(object
, NULL
, 0))
989 policy
->cps_uri
= strndup(object
.ptr
, object
.len
);
992 case CERT_POLICY_EXPLICIT_TEXT
:
999 parser
->destroy(parser
);
1003 * ASN.1 definition of a policyMappings extension
1005 static const asn1Object_t policyMappingsObjects
[] = {
1006 { 0, "policyMappings", ASN1_SEQUENCE
, ASN1_LOOP
}, /* 0 */
1007 { 1, "policyMapping", ASN1_SEQUENCE
, ASN1_NONE
}, /* 1 */
1008 { 2, "issuerPolicy", ASN1_OID
, ASN1_BODY
}, /* 2 */
1009 { 2, "subjectPolicy", ASN1_OID
, ASN1_BODY
}, /* 3 */
1010 { 0, "end loop", ASN1_EOC
, ASN1_END
}, /* 4 */
1011 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
1013 #define POLICY_MAPPING 1
1014 #define POLICY_MAPPING_ISSUER 2
1015 #define POLICY_MAPPING_SUBJECT 3
1018 * Parse policyMappings
1020 static void parse_policyMappings(chunk_t blob
, int level0
,
1021 private_x509_cert_t
*this)
1023 x509_policy_mapping_t
*map
= NULL
;
1024 asn1_parser_t
*parser
;
1028 parser
= asn1_parser_create(policyMappingsObjects
, blob
);
1029 parser
->set_top_level(parser
, level0
);
1031 while (parser
->iterate(parser
, &objectID
, &object
))
1035 case POLICY_MAPPING
:
1037 this->policy_mappings
->insert_last(this->policy_mappings
, map
);
1039 case POLICY_MAPPING_ISSUER
:
1040 if (map
&& !map
->issuer
.len
)
1042 map
->issuer
= chunk_clone(object
);
1045 case POLICY_MAPPING_SUBJECT
:
1046 if (map
&& !map
->subject
.len
)
1048 map
->subject
= chunk_clone(object
);
1055 parser
->destroy(parser
);
1059 * ASN.1 definition of a policyConstraints extension
1061 static const asn1Object_t policyConstraintsObjects
[] = {
1062 { 0, "policyConstraints", ASN1_SEQUENCE
, ASN1_NONE
}, /* 0 */
1063 { 1, "requireExplicitPolicy", ASN1_CONTEXT_C_0
, ASN1_OPT
|ASN1_NONE
}, /* 1 */
1064 { 2, "SkipCerts", ASN1_INTEGER
, ASN1_BODY
}, /* 2 */
1065 { 1, "end opt", ASN1_EOC
, ASN1_END
}, /* 3 */
1066 { 1, "inhibitPolicyMapping", ASN1_CONTEXT_C_1
, ASN1_OPT
|ASN1_NONE
}, /* 4 */
1067 { 2, "SkipCerts", ASN1_INTEGER
, ASN1_BODY
}, /* 5 */
1068 { 1, "end opt", ASN1_EOC
, ASN1_END
}, /* 6 */
1069 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
1071 #define POLICY_CONSTRAINT_EXPLICIT 2
1072 #define POLICY_CONSTRAINT_INHIBIT 5
1075 * Parse policyConstraints
1077 static void parse_policyConstraints(chunk_t blob
, int level0
,
1078 private_x509_cert_t
*this)
1080 asn1_parser_t
*parser
;
1084 parser
= asn1_parser_create(policyConstraintsObjects
, blob
);
1085 parser
->set_top_level(parser
, level0
);
1087 while (parser
->iterate(parser
, &objectID
, &object
))
1091 case POLICY_CONSTRAINT_EXPLICIT
:
1092 this->require_explicit
= parse_constraint(object
);
1094 case POLICY_CONSTRAINT_INHIBIT
:
1095 this->inhibit_mapping
= parse_constraint(object
);
1101 parser
->destroy(parser
);
1105 * ASN.1 definition of ipAddrBlocks according to RFC 3779
1107 static const asn1Object_t ipAddrBlocksObjects
[] = {
1108 { 0, "ipAddrBlocks", ASN1_SEQUENCE
, ASN1_LOOP
}, /* 0 */
1109 { 1, "ipAddressFamily", ASN1_SEQUENCE
, ASN1_NONE
}, /* 1 */
1110 { 2, "addressFamily", ASN1_OCTET_STRING
, ASN1_BODY
}, /* 2 */
1111 { 2, "inherit", ASN1_NULL
, ASN1_OPT
|ASN1_NONE
}, /* 3 */
1112 { 2, "end choice", ASN1_EOC
, ASN1_END
}, /* 4 */
1113 { 2, "addressesOrRanges", ASN1_SEQUENCE
, ASN1_OPT
|ASN1_LOOP
}, /* 5 */
1114 { 3, "addressPrefix", ASN1_BIT_STRING
, ASN1_OPT
|ASN1_BODY
}, /* 6 */
1115 { 3, "end choice", ASN1_EOC
, ASN1_END
}, /* 7 */
1116 { 3, "addressRange", ASN1_SEQUENCE
, ASN1_OPT
|ASN1_NONE
}, /* 8 */
1117 { 4, "min", ASN1_BIT_STRING
, ASN1_BODY
}, /* 9 */
1118 { 4, "max", ASN1_BIT_STRING
, ASN1_BODY
}, /* 10 */
1119 { 3, "end choice", ASN1_EOC
, ASN1_END
}, /* 11 */
1120 { 2, "end opt/loop", ASN1_EOC
, ASN1_END
}, /* 12 */
1121 { 0, "end loop", ASN1_EOC
, ASN1_END
}, /* 13 */
1122 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
1124 #define IP_ADDR_BLOCKS_FAMILY 2
1125 #define IP_ADDR_BLOCKS_INHERIT 3
1126 #define IP_ADDR_BLOCKS_PREFIX 6
1127 #define IP_ADDR_BLOCKS_MIN 9
1128 #define IP_ADDR_BLOCKS_MAX 10
1130 static bool check_address_object(ts_type_t ts_type
, chunk_t object
)
1134 case TS_IPV4_ADDR_RANGE
:
1137 DBG1(DBG_ASN
, "IPv4 address object is larger than 5 octets");
1141 case TS_IPV6_ADDR_RANGE
:
1142 if (object
.len
> 17)
1144 DBG1(DBG_ASN
, "IPv6 address object is larger than 17 octets");
1149 DBG1(DBG_ASN
, "unknown address family");
1152 if (object
.len
== 0)
1154 DBG1(DBG_ASN
, "An ASN.1 bit string must contain at least the "
1158 if (object
.len
== 1 && object
.ptr
[0] != 0)
1160 DBG1(DBG_ASN
, "An empty ASN.1 bit string must contain a zero "
1164 if (object
.ptr
[0] > 7)
1166 DBG1(DBG_ASN
, "number of unused bits is too large");
1172 static void parse_ipAddrBlocks(chunk_t blob
, int level0
,
1173 private_x509_cert_t
*this)
1175 asn1_parser_t
*parser
;
1176 chunk_t object
, min_object
;
1177 ts_type_t ts_type
= 0;
1178 traffic_selector_t
*ts
;
1181 parser
= asn1_parser_create(ipAddrBlocksObjects
, blob
);
1182 parser
->set_top_level(parser
, level0
);
1184 while (parser
->iterate(parser
, &objectID
, &object
))
1188 case IP_ADDR_BLOCKS_FAMILY
:
1190 if (object
.len
== 2 && object
.ptr
[0] == 0)
1192 if (object
.ptr
[1] == 1)
1194 ts_type
= TS_IPV4_ADDR_RANGE
;
1196 else if (object
.ptr
[1] == 2)
1198 ts_type
= TS_IPV6_ADDR_RANGE
;
1204 DBG2(DBG_ASN
, " %N", ts_type_name
, ts_type
);
1207 case IP_ADDR_BLOCKS_INHERIT
:
1208 DBG1(DBG_ASN
, "inherit choice is not supported");
1210 case IP_ADDR_BLOCKS_PREFIX
:
1211 if (!check_address_object(ts_type
, object
))
1215 ts
= traffic_selector_create_from_rfc3779_format(ts_type
,
1217 DBG2(DBG_ASN
, " %R", ts
);
1218 this->ipAddrBlocks
->insert_last(this->ipAddrBlocks
, ts
);
1220 case IP_ADDR_BLOCKS_MIN
:
1221 if (!check_address_object(ts_type
, object
))
1225 min_object
= object
;
1227 case IP_ADDR_BLOCKS_MAX
:
1228 if (!check_address_object(ts_type
, object
))
1232 ts
= traffic_selector_create_from_rfc3779_format(ts_type
,
1233 min_object
, object
);
1234 DBG2(DBG_ASN
, " %R", ts
);
1235 this->ipAddrBlocks
->insert_last(this->ipAddrBlocks
, ts
);
1241 this->flags
|= X509_IP_ADDR_BLOCKS
;
1244 parser
->destroy(parser
);
1248 * ASN.1 definition of an X.509v3 x509_cert
1250 static const asn1Object_t certObjects
[] = {
1251 { 0, "x509", ASN1_SEQUENCE
, ASN1_OBJ
}, /* 0 */
1252 { 1, "tbsCertificate", ASN1_SEQUENCE
, ASN1_OBJ
}, /* 1 */
1253 { 2, "DEFAULT v1", ASN1_CONTEXT_C_0
, ASN1_DEF
}, /* 2 */
1254 { 3, "version", ASN1_INTEGER
, ASN1_BODY
}, /* 3 */
1255 { 2, "serialNumber", ASN1_INTEGER
, ASN1_BODY
}, /* 4 */
1256 { 2, "signature", ASN1_EOC
, ASN1_RAW
}, /* 5 */
1257 { 2, "issuer", ASN1_SEQUENCE
, ASN1_OBJ
}, /* 6 */
1258 { 2, "validity", ASN1_SEQUENCE
, ASN1_NONE
}, /* 7 */
1259 { 3, "notBefore", ASN1_EOC
, ASN1_RAW
}, /* 8 */
1260 { 3, "notAfter", ASN1_EOC
, ASN1_RAW
}, /* 9 */
1261 { 2, "subject", ASN1_SEQUENCE
, ASN1_OBJ
}, /* 10 */
1262 { 2, "subjectPublicKeyInfo",ASN1_SEQUENCE
, ASN1_RAW
}, /* 11 */
1263 { 2, "issuerUniqueID", ASN1_CONTEXT_C_1
, ASN1_OPT
}, /* 12 */
1264 { 2, "end opt", ASN1_EOC
, ASN1_END
}, /* 13 */
1265 { 2, "subjectUniqueID", ASN1_CONTEXT_C_2
, ASN1_OPT
}, /* 14 */
1266 { 2, "end opt", ASN1_EOC
, ASN1_END
}, /* 15 */
1267 { 2, "optional extensions", ASN1_CONTEXT_C_3
, ASN1_OPT
}, /* 16 */
1268 { 3, "extensions", ASN1_SEQUENCE
, ASN1_LOOP
}, /* 17 */
1269 { 4, "extension", ASN1_SEQUENCE
, ASN1_NONE
}, /* 18 */
1270 { 5, "extnID", ASN1_OID
, ASN1_BODY
}, /* 19 */
1271 { 5, "critical", ASN1_BOOLEAN
, ASN1_DEF
|ASN1_BODY
}, /* 20 */
1272 { 5, "extnValue", ASN1_OCTET_STRING
, ASN1_BODY
}, /* 21 */
1273 { 3, "end loop", ASN1_EOC
, ASN1_END
}, /* 22 */
1274 { 2, "end opt", ASN1_EOC
, ASN1_END
}, /* 23 */
1275 { 1, "signatureAlgorithm", ASN1_EOC
, ASN1_RAW
}, /* 24 */
1276 { 1, "signatureValue", ASN1_BIT_STRING
, ASN1_BODY
}, /* 25 */
1277 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
1279 #define X509_OBJ_TBS_CERTIFICATE 1
1280 #define X509_OBJ_VERSION 3
1281 #define X509_OBJ_SERIAL_NUMBER 4
1282 #define X509_OBJ_SIG_ALG 5
1283 #define X509_OBJ_ISSUER 6
1284 #define X509_OBJ_NOT_BEFORE 8
1285 #define X509_OBJ_NOT_AFTER 9
1286 #define X509_OBJ_SUBJECT 10
1287 #define X509_OBJ_SUBJECT_PUBLIC_KEY_INFO 11
1288 #define X509_OBJ_OPTIONAL_EXTENSIONS 16
1289 #define X509_OBJ_EXTN_ID 19
1290 #define X509_OBJ_CRITICAL 20
1291 #define X509_OBJ_EXTN_VALUE 21
1292 #define X509_OBJ_ALGORITHM 24
1293 #define X509_OBJ_SIGNATURE 25
1296 * Parses an X.509v3 certificate
1298 static bool parse_certificate(private_x509_cert_t
*this)
1300 asn1_parser_t
*parser
;
1303 int extn_oid
= OID_UNKNOWN
;
1304 int sig_alg
= OID_UNKNOWN
;
1305 bool success
= FALSE
;
1306 bool critical
= FALSE
;
1308 parser
= asn1_parser_create(certObjects
, this->encoding
);
1310 while (parser
->iterate(parser
, &objectID
, &object
))
1312 u_int level
= parser
->get_level(parser
)+1;
1316 case X509_OBJ_TBS_CERTIFICATE
:
1317 this->tbsCertificate
= object
;
1319 case X509_OBJ_VERSION
:
1320 this->version
= (object
.len
) ?
(1+(u_int
)*object
.ptr
) : 1;
1321 if (this->version
< 1 || this->version
> 3)
1323 DBG1(DBG_ASN
, "X.509v%d not supported", this->version
);
1328 DBG2(DBG_ASN
, " X.509v%d", this->version
);
1331 case X509_OBJ_SERIAL_NUMBER
:
1332 this->serialNumber
= object
;
1334 case X509_OBJ_SIG_ALG
:
1335 sig_alg
= asn1_parse_algorithmIdentifier(object
, level
, NULL
);
1337 case X509_OBJ_ISSUER
:
1338 this->issuer
= identification_create_from_encoding(ID_DER_ASN1_DN
, object
);
1339 DBG2(DBG_ASN
, " '%Y'", this->issuer
);
1341 case X509_OBJ_NOT_BEFORE
:
1342 this->notBefore
= asn1_parse_time(object
, level
);
1344 case X509_OBJ_NOT_AFTER
:
1345 this->notAfter
= asn1_parse_time(object
, level
);
1347 case X509_OBJ_SUBJECT
:
1348 this->subject
= identification_create_from_encoding(ID_DER_ASN1_DN
, object
);
1349 DBG2(DBG_ASN
, " '%Y'", this->subject
);
1351 case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO
:
1352 DBG2(DBG_ASN
, "-- > --");
1353 this->public_key
= lib
->creds
->create(lib
->creds
, CRED_PUBLIC_KEY
,
1354 KEY_ANY
, BUILD_BLOB_ASN1_DER
, object
, BUILD_END
);
1355 DBG2(DBG_ASN
, "-- < --");
1356 if (this->public_key
== NULL
)
1361 case X509_OBJ_OPTIONAL_EXTENSIONS
:
1362 if (this->version
!= 3)
1364 DBG1(DBG_ASN
, "Only X.509v3 certificates have extensions");
1368 case X509_OBJ_EXTN_ID
:
1369 extn_oid
= asn1_known_oid(object
);
1371 case X509_OBJ_CRITICAL
:
1372 critical
= object
.len
&& *object
.ptr
;
1373 DBG2(DBG_ASN
, " %s", critical ?
"TRUE" : "FALSE");
1375 case X509_OBJ_EXTN_VALUE
:
1379 case OID_SUBJECT_KEY_ID
:
1380 if (!asn1_parse_simple_object(&object
, ASN1_OCTET_STRING
,
1381 level
, "keyIdentifier"))
1385 this->subjectKeyIdentifier
= object
;
1387 case OID_SUBJECT_ALT_NAME
:
1388 x509_parse_generalNames(object
, level
, FALSE
,
1389 this->subjectAltNames
);
1391 case OID_BASIC_CONSTRAINTS
:
1392 parse_basicConstraints(object
, level
, this);
1394 case OID_CRL_DISTRIBUTION_POINTS
:
1395 x509_parse_crlDistributionPoints(object
, level
,
1398 case OID_AUTHORITY_KEY_ID
:
1399 this->authKeyIdentifier
= x509_parse_authorityKeyIdentifier(object
,
1400 level
, &this->authKeySerialNumber
);
1402 case OID_AUTHORITY_INFO_ACCESS
:
1403 parse_authorityInfoAccess(object
, level
, this);
1406 parse_keyUsage(object
, this);
1408 case OID_EXTENDED_KEY_USAGE
:
1409 parse_extendedKeyUsage(object
, level
, this);
1411 case OID_IP_ADDR_BLOCKS
:
1412 parse_ipAddrBlocks(object
, level
, this);
1414 case OID_NAME_CONSTRAINTS
:
1415 parse_nameConstraints(object
, level
, this);
1417 case OID_CERTIFICATE_POLICIES
:
1418 parse_certificatePolicies(object
, level
, this);
1420 case OID_POLICY_MAPPINGS
:
1421 parse_policyMappings(object
, level
, this);
1423 case OID_POLICY_CONSTRAINTS
:
1424 parse_policyConstraints(object
, level
, this);
1426 case OID_INHIBIT_ANY_POLICY
:
1427 if (!asn1_parse_simple_object(&object
, ASN1_INTEGER
,
1428 level
, "inhibitAnyPolicy"))
1432 this->inhibit_any
= parse_constraint(object
);
1434 case OID_NS_REVOCATION_URL
:
1435 case OID_NS_CA_REVOCATION_URL
:
1436 case OID_NS_CA_POLICY_URL
:
1437 case OID_NS_COMMENT
:
1438 if (!asn1_parse_simple_object(&object
, ASN1_IA5STRING
,
1439 level
, oid_names
[extn_oid
].name
))
1445 if (critical
&& lib
->settings
->get_bool(lib
->settings
,
1446 "libstrongswan.x509.enforce_critical", TRUE
))
1448 DBG1(DBG_ASN
, "critical '%s' extension not supported",
1449 (extn_oid
== OID_UNKNOWN
) ?
"unknown" :
1450 (char*)oid_names
[extn_oid
].name
);
1457 case X509_OBJ_ALGORITHM
:
1458 this->algorithm
= asn1_parse_algorithmIdentifier(object
, level
, NULL
);
1459 if (this->algorithm
!= sig_alg
)
1461 DBG1(DBG_ASN
, " signature algorithms do not agree");
1465 case X509_OBJ_SIGNATURE
:
1466 this->signature
= object
;
1472 success
= parser
->success(parser
);
1475 parser
->destroy(parser
);
1480 /* check if the certificate is self-signed */
1481 if (this->public.interface
.interface
.issued_by(
1482 &this->public.interface
.interface
,
1483 &this->public.interface
.interface
))
1485 this->flags
|= X509_SELF_SIGNED
;
1487 /* create certificate hash */
1488 hasher
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_SHA1
);
1491 DBG1(DBG_ASN
, " unable to create hash of certificate, SHA1 not supported");
1494 hasher
->allocate_hash(hasher
, this->encoding
, &this->encoding_hash
);
1495 hasher
->destroy(hasher
);
1500 METHOD(certificate_t
, get_type
, certificate_type_t
,
1501 private_x509_cert_t
*this)
1506 METHOD(certificate_t
, get_subject
, identification_t
*,
1507 private_x509_cert_t
*this)
1509 return this->subject
;
1512 METHOD(certificate_t
, get_issuer
, identification_t
*,
1513 private_x509_cert_t
*this)
1515 return this->issuer
;
1518 METHOD(certificate_t
, has_subject
, id_match_t
,
1519 private_x509_cert_t
*this, identification_t
*subject
)
1521 identification_t
*current
;
1522 enumerator_t
*enumerator
;
1523 id_match_t match
, best
;
1526 if (subject
->get_type(subject
) == ID_KEY_ID
)
1528 encoding
= subject
->get_encoding(subject
);
1530 if (this->encoding_hash
.len
&&
1531 chunk_equals(this->encoding_hash
, encoding
))
1533 return ID_MATCH_PERFECT
;
1535 if (this->subjectKeyIdentifier
.len
&&
1536 chunk_equals(this->subjectKeyIdentifier
, encoding
))
1538 return ID_MATCH_PERFECT
;
1540 if (this->public_key
&&
1541 this->public_key
->has_fingerprint(this->public_key
, encoding
))
1543 return ID_MATCH_PERFECT
;
1546 best
= this->subject
->matches(this->subject
, subject
);
1547 enumerator
= this->subjectAltNames
->create_enumerator(this->subjectAltNames
);
1548 while (enumerator
->enumerate(enumerator
, ¤t
))
1550 match
= current
->matches(current
, subject
);
1556 enumerator
->destroy(enumerator
);
1560 METHOD(certificate_t
, has_issuer
, id_match_t
,
1561 private_x509_cert_t
*this, identification_t
*issuer
)
1563 /* issuerAltNames currently not supported */
1564 return this->issuer
->matches(this->issuer
, issuer
);
1567 METHOD(certificate_t
, issued_by
, bool,
1568 private_x509_cert_t
*this, certificate_t
*issuer
)
1571 signature_scheme_t scheme
;
1573 x509_t
*x509
= (x509_t
*)issuer
;
1575 if (&this->public.interface
.interface
== issuer
)
1577 if (this->flags
& X509_SELF_SIGNED
)
1584 if (issuer
->get_type(issuer
) != CERT_X509
)
1588 if (!(x509
->get_flags(x509
) & X509_CA
))
1593 if (!this->issuer
->equals(this->issuer
, issuer
->get_subject(issuer
)))
1598 /* determine signature scheme */
1599 scheme
= signature_scheme_from_oid(this->algorithm
);
1600 if (scheme
== SIGN_UNKNOWN
)
1604 /* get the public key of the issuer */
1605 key
= issuer
->get_public_key(issuer
);
1610 valid
= key
->verify(key
, scheme
, this->tbsCertificate
, this->signature
);
1615 METHOD(certificate_t
, get_public_key
, public_key_t
*,
1616 private_x509_cert_t
*this)
1618 this->public_key
->get_ref(this->public_key
);
1619 return this->public_key
;
1622 METHOD(certificate_t
, get_ref
, certificate_t
*,
1623 private_x509_cert_t
*this)
1625 ref_get(&this->ref
);
1626 return &this->public.interface
.interface
;
1629 METHOD(certificate_t
, get_validity
, bool,
1630 private_x509_cert_t
*this, time_t *when
, time_t *not_before
,
1633 time_t t
= when ?
*when
: time(NULL
);
1637 *not_before
= this->notBefore
;
1641 *not_after
= this->notAfter
;
1643 return (t
>= this->notBefore
&& t
<= this->notAfter
);
1646 METHOD(certificate_t
, get_encoding
, bool,
1647 private_x509_cert_t
*this, cred_encoding_type_t type
, chunk_t
*encoding
)
1649 if (type
== CERT_ASN1_DER
)
1651 *encoding
= chunk_clone(this->encoding
);
1654 return lib
->encoding
->encode(lib
->encoding
, type
, NULL
, encoding
,
1655 CRED_PART_X509_ASN1_DER
, this->encoding
, CRED_PART_END
);
1658 METHOD(certificate_t
, equals
, bool,
1659 private_x509_cert_t
*this, certificate_t
*other
)
1664 if (this == (private_x509_cert_t
*)other
)
1668 if (other
->get_type(other
) != CERT_X509
)
1672 if (other
->equals
== (void*)equals
)
1673 { /* skip allocation if we have the same implementation */
1674 return chunk_equals(this->encoding
, ((private_x509_cert_t
*)other
)->encoding
);
1676 if (!other
->get_encoding(other
, CERT_ASN1_DER
, &encoding
))
1680 equal
= chunk_equals(this->encoding
, encoding
);
1685 METHOD(x509_t
, get_flags
, x509_flag_t
,
1686 private_x509_cert_t
*this)
1691 METHOD(x509_t
, get_serial
, chunk_t
,
1692 private_x509_cert_t
*this)
1694 return this->serialNumber
;
1697 METHOD(x509_t
, get_subjectKeyIdentifier
, chunk_t
,
1698 private_x509_cert_t
*this)
1700 if (this->subjectKeyIdentifier
.ptr
)
1702 return this->subjectKeyIdentifier
;
1706 chunk_t fingerprint
;
1708 if (this->public_key
->get_fingerprint(this->public_key
,
1709 KEYID_PUBKEY_SHA1
, &fingerprint
))
1720 METHOD(x509_t
, get_authKeyIdentifier
, chunk_t
,
1721 private_x509_cert_t
*this)
1723 return this->authKeyIdentifier
;
1726 METHOD(x509_t
, get_constraint
, u_int
,
1727 private_x509_cert_t
*this, x509_constraint_t type
)
1732 return this->pathLenConstraint
;
1733 case X509_REQUIRE_EXPLICIT_POLICY
:
1734 return this->require_explicit
;
1735 case X509_INHIBIT_POLICY_MAPPING
:
1736 return this->inhibit_mapping
;
1737 case X509_INHIBIT_ANY_POLICY
:
1738 return this->inhibit_any
;
1740 return X509_NO_CONSTRAINT
;
1744 METHOD(x509_t
, create_subjectAltName_enumerator
, enumerator_t
*,
1745 private_x509_cert_t
*this)
1747 return this->subjectAltNames
->create_enumerator(this->subjectAltNames
);
1750 METHOD(x509_t
, create_ocsp_uri_enumerator
, enumerator_t
*,
1751 private_x509_cert_t
*this)
1753 return this->ocsp_uris
->create_enumerator(this->ocsp_uris
);
1756 METHOD(x509_t
, create_crl_uri_enumerator
, enumerator_t
*,
1757 private_x509_cert_t
*this)
1759 return this->crl_uris
->create_enumerator(this->crl_uris
);
1762 METHOD(x509_t
, create_ipAddrBlock_enumerator
, enumerator_t
*,
1763 private_x509_cert_t
*this)
1765 return this->ipAddrBlocks
->create_enumerator(this->ipAddrBlocks
);
1768 METHOD(x509_t
, create_name_constraint_enumerator
, enumerator_t
*,
1769 private_x509_cert_t
*this, bool perm
)
1773 return this->permitted_names
->create_enumerator(this->permitted_names
);
1775 return this->excluded_names
->create_enumerator(this->excluded_names
);
1778 METHOD(x509_t
, create_cert_policy_enumerator
, enumerator_t
*,
1779 private_x509_cert_t
*this)
1781 return this->cert_policies
->create_enumerator(this->cert_policies
);
1784 METHOD(x509_t
, create_policy_mapping_enumerator
, enumerator_t
*,
1785 private_x509_cert_t
*this)
1787 return this->policy_mappings
->create_enumerator(this->policy_mappings
);
1790 METHOD(certificate_t
, destroy
, void,
1791 private_x509_cert_t
*this)
1793 if (ref_put(&this->ref
))
1795 this->subjectAltNames
->destroy_offset(this->subjectAltNames
,
1796 offsetof(identification_t
, destroy
));
1797 this->crl_uris
->destroy_function(this->crl_uris
, (void*)crl_uri_destroy
);
1798 this->ocsp_uris
->destroy_function(this->ocsp_uris
, free
);
1799 this->ipAddrBlocks
->destroy_offset(this->ipAddrBlocks
,
1800 offsetof(traffic_selector_t
, destroy
));
1801 this->permitted_names
->destroy_offset(this->permitted_names
,
1802 offsetof(identification_t
, destroy
));
1803 this->excluded_names
->destroy_offset(this->excluded_names
,
1804 offsetof(identification_t
, destroy
));
1805 this->cert_policies
->destroy_function(this->cert_policies
,
1806 (void*)cert_policy_destroy
);
1807 this->policy_mappings
->destroy_function(this->policy_mappings
,
1808 (void*)policy_mapping_destroy
);
1809 DESTROY_IF(this->issuer
);
1810 DESTROY_IF(this->subject
);
1811 DESTROY_IF(this->public_key
);
1812 chunk_free(&this->authKeyIdentifier
);
1813 chunk_free(&this->encoding
);
1814 chunk_free(&this->encoding_hash
);
1816 { /* only parsed certificates point these fields to "encoded" */
1817 chunk_free(&this->signature
);
1818 chunk_free(&this->serialNumber
);
1819 chunk_free(&this->tbsCertificate
);
1826 * create an empty but initialized X.509 certificate
1828 static private_x509_cert_t
* create_empty(void)
1830 private_x509_cert_t
*this;
1836 .get_type
= _get_type
,
1837 .get_subject
= _get_subject
,
1838 .get_issuer
= _get_issuer
,
1839 .has_subject
= _has_subject
,
1840 .has_issuer
= _has_issuer
,
1841 .issued_by
= _issued_by
,
1842 .get_public_key
= _get_public_key
,
1843 .get_validity
= _get_validity
,
1844 .get_encoding
= _get_encoding
,
1846 .get_ref
= _get_ref
,
1847 .destroy
= _destroy
,
1849 .get_flags
= _get_flags
,
1850 .get_serial
= _get_serial
,
1851 .get_subjectKeyIdentifier
= _get_subjectKeyIdentifier
,
1852 .get_authKeyIdentifier
= _get_authKeyIdentifier
,
1853 .get_constraint
= _get_constraint
,
1854 .create_subjectAltName_enumerator
= _create_subjectAltName_enumerator
,
1855 .create_crl_uri_enumerator
= _create_crl_uri_enumerator
,
1856 .create_ocsp_uri_enumerator
= _create_ocsp_uri_enumerator
,
1857 .create_ipAddrBlock_enumerator
= _create_ipAddrBlock_enumerator
,
1858 .create_name_constraint_enumerator
= _create_name_constraint_enumerator
,
1859 .create_cert_policy_enumerator
= _create_cert_policy_enumerator
,
1860 .create_policy_mapping_enumerator
= _create_policy_mapping_enumerator
,
1864 .subjectAltNames
= linked_list_create(),
1865 .crl_uris
= linked_list_create(),
1866 .ocsp_uris
= linked_list_create(),
1867 .ipAddrBlocks
= linked_list_create(),
1868 .permitted_names
= linked_list_create(),
1869 .excluded_names
= linked_list_create(),
1870 .cert_policies
= linked_list_create(),
1871 .policy_mappings
= linked_list_create(),
1872 .pathLenConstraint
= X509_NO_CONSTRAINT
,
1873 .require_explicit
= X509_NO_CONSTRAINT
,
1874 .inhibit_mapping
= X509_NO_CONSTRAINT
,
1875 .inhibit_any
= X509_NO_CONSTRAINT
,
1882 * Build a generalName from an id
1884 chunk_t
build_generalName(identification_t
*id
)
1888 switch (id
->get_type(id
))
1890 case ID_RFC822_ADDR
:
1891 context
= ASN1_CONTEXT_S_1
;
1894 context
= ASN1_CONTEXT_S_2
;
1896 case ID_DER_ASN1_DN
:
1897 context
= ASN1_CONTEXT_C_4
;
1901 context
= ASN1_CONTEXT_S_7
;
1904 DBG1(DBG_ASN
, "encoding %N as generalName not supported",
1905 id_type_names
, id
->get_type(id
));
1908 return asn1_wrap(context
, "c", id
->get_encoding(id
));
1912 * Encode a linked list of subjectAltNames
1914 chunk_t
x509_build_subjectAltNames(linked_list_t
*list
)
1916 chunk_t subjectAltNames
= chunk_empty
, name
;
1917 enumerator_t
*enumerator
;
1918 identification_t
*id
;
1920 if (list
->get_count(list
) == 0)
1925 enumerator
= list
->create_enumerator(list
);
1926 while (enumerator
->enumerate(enumerator
, &id
))
1928 name
= build_generalName(id
);
1929 subjectAltNames
= chunk_cat("mm", subjectAltNames
, name
);
1931 enumerator
->destroy(enumerator
);
1933 return asn1_wrap(ASN1_SEQUENCE
, "mm",
1934 asn1_build_known_oid(OID_SUBJECT_ALT_NAME
),
1935 asn1_wrap(ASN1_OCTET_STRING
, "m",
1936 asn1_wrap(ASN1_SEQUENCE
, "m", subjectAltNames
)
1942 * Encode CRL distribution points extension from a x509_cdp_t list
1944 chunk_t
x509_build_crlDistributionPoints(linked_list_t
*list
, int extn
)
1946 chunk_t crlDistributionPoints
= chunk_empty
;
1947 enumerator_t
*enumerator
;
1950 if (list
->get_count(list
) == 0)
1955 enumerator
= list
->create_enumerator(list
);
1956 while (enumerator
->enumerate(enumerator
, &cdp
))
1958 chunk_t distributionPoint
, crlIssuer
= chunk_empty
;
1962 crlIssuer
= asn1_wrap(ASN1_CONTEXT_C_2
, "m",
1963 build_generalName(cdp
->issuer
));
1965 distributionPoint
= asn1_wrap(ASN1_SEQUENCE
, "mm",
1966 asn1_wrap(ASN1_CONTEXT_C_0
, "m",
1967 asn1_wrap(ASN1_CONTEXT_C_0
, "m",
1968 asn1_wrap(ASN1_CONTEXT_S_6
, "c",
1969 chunk_create(cdp
->uri
, strlen(cdp
->uri
))))),
1971 crlDistributionPoints
= chunk_cat("mm", crlDistributionPoints
,
1974 enumerator
->destroy(enumerator
);
1976 return asn1_wrap(ASN1_SEQUENCE
, "mm",
1977 asn1_build_known_oid(extn
),
1978 asn1_wrap(ASN1_OCTET_STRING
, "m",
1979 asn1_wrap(ASN1_SEQUENCE
, "m", crlDistributionPoints
)));
1983 * Generate and sign a new certificate
1985 static bool generate(private_x509_cert_t
*cert
, certificate_t
*sign_cert
,
1986 private_key_t
*sign_key
, int digest_alg
)
1988 chunk_t extensions
= chunk_empty
, extendedKeyUsage
= chunk_empty
;
1989 chunk_t serverAuth
= chunk_empty
, clientAuth
= chunk_empty
;
1990 chunk_t ocspSigning
= chunk_empty
, certPolicies
= chunk_empty
;
1991 chunk_t basicConstraints
= chunk_empty
, nameConstraints
= chunk_empty
;
1992 chunk_t keyUsage
= chunk_empty
, keyUsageBits
= chunk_empty
;
1993 chunk_t subjectAltNames
= chunk_empty
, policyMappings
= chunk_empty
;
1994 chunk_t subjectKeyIdentifier
= chunk_empty
, authKeyIdentifier
= chunk_empty
;
1995 chunk_t crlDistributionPoints
= chunk_empty
, authorityInfoAccess
= chunk_empty
;
1996 chunk_t policyConstraints
= chunk_empty
, inhibitAnyPolicy
= chunk_empty
;
1997 identification_t
*issuer
, *subject
;
1999 signature_scheme_t scheme
;
2001 enumerator_t
*enumerator
;
2004 subject
= cert
->subject
;
2007 issuer
= sign_cert
->get_subject(sign_cert
);
2008 if (!cert
->public_key
)
2016 if (!cert
->public_key
)
2018 cert
->public_key
= sign_key
->get_public_key(sign_key
);
2020 cert
->flags
|= X509_SELF_SIGNED
;
2022 cert
->issuer
= issuer
->clone(issuer
);
2023 if (!cert
->notBefore
)
2025 cert
->notBefore
= time(NULL
);
2027 if (!cert
->notAfter
)
2028 { /* defaults to 1 year from now */
2029 cert
->notAfter
= cert
->notBefore
+ 60 * 60 * 24 * 365;
2032 /* select signature scheme */
2033 cert
->algorithm
= hasher_signature_algorithm_to_oid(digest_alg
,
2034 sign_key
->get_type(sign_key
));
2035 if (cert
->algorithm
== OID_UNKNOWN
)
2039 scheme
= signature_scheme_from_oid(cert
->algorithm
);
2041 if (!cert
->public_key
->get_encoding(cert
->public_key
,
2042 PUBKEY_SPKI_ASN1_DER
, &key_info
))
2047 /* encode subjectAltNames */
2048 subjectAltNames
= x509_build_subjectAltNames(cert
->subjectAltNames
);
2050 crlDistributionPoints
= x509_build_crlDistributionPoints(cert
->crl_uris
,
2051 OID_CRL_DISTRIBUTION_POINTS
);
2053 /* encode OCSP URIs in authorityInfoAccess extension */
2054 enumerator
= cert
->ocsp_uris
->create_enumerator(cert
->ocsp_uris
);
2055 while (enumerator
->enumerate(enumerator
, &uri
))
2057 chunk_t accessDescription
;
2059 accessDescription
= asn1_wrap(ASN1_SEQUENCE
, "mm",
2060 asn1_build_known_oid(OID_OCSP
),
2061 asn1_wrap(ASN1_CONTEXT_S_6
, "c",
2062 chunk_create(uri
, strlen(uri
))));
2063 authorityInfoAccess
= chunk_cat("mm", authorityInfoAccess
,
2066 enumerator
->destroy(enumerator
);
2067 if (authorityInfoAccess
.ptr
)
2069 authorityInfoAccess
= asn1_wrap(ASN1_SEQUENCE
, "mm",
2070 asn1_build_known_oid(OID_AUTHORITY_INFO_ACCESS
),
2071 asn1_wrap(ASN1_OCTET_STRING
, "m",
2072 asn1_wrap(ASN1_SEQUENCE
, "m", authorityInfoAccess
)));
2075 /* build CA basicConstraint and keyUsage flags for CA certificates */
2076 if (cert
->flags
& X509_CA
)
2078 chunk_t pathLenConstraint
= chunk_empty
;
2080 if (cert
->pathLenConstraint
!= X509_NO_CONSTRAINT
)
2082 pathLenConstraint
= asn1_integer("c",
2083 chunk_from_thing(cert
->pathLenConstraint
));
2085 basicConstraints
= asn1_wrap(ASN1_SEQUENCE
, "mmm",
2086 asn1_build_known_oid(OID_BASIC_CONSTRAINTS
),
2087 asn1_wrap(ASN1_BOOLEAN
, "c",
2088 chunk_from_chars(0xFF)),
2089 asn1_wrap(ASN1_OCTET_STRING
, "m",
2090 asn1_wrap(ASN1_SEQUENCE
, "mm",
2091 asn1_wrap(ASN1_BOOLEAN
, "c",
2092 chunk_from_chars(0xFF)),
2093 pathLenConstraint
)));
2094 /* set CertificateSign and implicitly CRLsign */
2095 keyUsageBits
= chunk_from_chars(0x01, 0x06);
2097 else if (cert
->flags
& X509_CRL_SIGN
)
2099 keyUsageBits
= chunk_from_chars(0x01, 0x02);
2101 if (keyUsageBits
.len
)
2103 keyUsage
= asn1_wrap(ASN1_SEQUENCE
, "mmm",
2104 asn1_build_known_oid(OID_KEY_USAGE
),
2105 asn1_wrap(ASN1_BOOLEAN
, "c", chunk_from_chars(0xFF)),
2106 asn1_wrap(ASN1_OCTET_STRING
, "m",
2107 asn1_wrap(ASN1_BIT_STRING
, "c", keyUsageBits
)));
2110 /* add serverAuth extendedKeyUsage flag */
2111 if (cert
->flags
& X509_SERVER_AUTH
)
2113 serverAuth
= asn1_build_known_oid(OID_SERVER_AUTH
);
2115 if (cert
->flags
& X509_CLIENT_AUTH
)
2117 clientAuth
= asn1_build_known_oid(OID_CLIENT_AUTH
);
2120 /* add ocspSigning extendedKeyUsage flag */
2121 if (cert
->flags
& X509_OCSP_SIGNER
)
2123 ocspSigning
= asn1_build_known_oid(OID_OCSP_SIGNING
);
2126 if (serverAuth
.ptr
|| clientAuth
.ptr
|| ocspSigning
.ptr
)
2128 extendedKeyUsage
= asn1_wrap(ASN1_SEQUENCE
, "mm",
2129 asn1_build_known_oid(OID_EXTENDED_KEY_USAGE
),
2130 asn1_wrap(ASN1_OCTET_STRING
, "m",
2131 asn1_wrap(ASN1_SEQUENCE
, "mmm",
2132 serverAuth
, clientAuth
, ocspSigning
)));
2135 /* add subjectKeyIdentifier to CA and OCSP signer certificates */
2136 if (cert
->flags
& (X509_CA
| X509_OCSP_SIGNER
| X509_CRL_SIGN
))
2140 if (cert
->public_key
->get_fingerprint(cert
->public_key
,
2141 KEYID_PUBKEY_SHA1
, &keyid
))
2143 subjectKeyIdentifier
= asn1_wrap(ASN1_SEQUENCE
, "mm",
2144 asn1_build_known_oid(OID_SUBJECT_KEY_ID
),
2145 asn1_wrap(ASN1_OCTET_STRING
, "m",
2146 asn1_wrap(ASN1_OCTET_STRING
, "c", keyid
)));
2150 /* add the keyid authKeyIdentifier for non self-signed certificates */
2155 if (sign_key
->get_fingerprint(sign_key
, KEYID_PUBKEY_SHA1
, &keyid
))
2157 authKeyIdentifier
= asn1_wrap(ASN1_SEQUENCE
, "mm",
2158 asn1_build_known_oid(OID_AUTHORITY_KEY_ID
),
2159 asn1_wrap(ASN1_OCTET_STRING
, "m",
2160 asn1_wrap(ASN1_SEQUENCE
, "m",
2161 asn1_wrap(ASN1_CONTEXT_S_0
, "c", keyid
))));
2165 if (cert
->permitted_names
->get_count(cert
->permitted_names
) ||
2166 cert
->excluded_names
->get_count(cert
->excluded_names
))
2168 chunk_t permitted
= chunk_empty
, excluded
= chunk_empty
, subtree
;
2169 identification_t
*id
;
2171 enumerator
= create_name_constraint_enumerator(cert
, TRUE
);
2172 while (enumerator
->enumerate(enumerator
, &id
))
2174 subtree
= asn1_wrap(ASN1_SEQUENCE
, "m", build_generalName(id
));
2175 permitted
= chunk_cat("mm", permitted
, subtree
);
2177 enumerator
->destroy(enumerator
);
2180 permitted
= asn1_wrap(ASN1_CONTEXT_C_0
, "m", permitted
);
2183 enumerator
= create_name_constraint_enumerator(cert
, FALSE
);
2184 while (enumerator
->enumerate(enumerator
, &id
))
2186 subtree
= asn1_wrap(ASN1_SEQUENCE
, "m", build_generalName(id
));
2187 excluded
= chunk_cat("mm", excluded
, subtree
);
2189 enumerator
->destroy(enumerator
);
2192 excluded
= asn1_wrap(ASN1_CONTEXT_C_1
, "m", excluded
);
2195 nameConstraints
= asn1_wrap(ASN1_SEQUENCE
, "mm",
2196 asn1_build_known_oid(OID_NAME_CONSTRAINTS
),
2197 asn1_wrap(ASN1_OCTET_STRING
, "m",
2198 asn1_wrap(ASN1_SEQUENCE
, "mm",
2199 permitted
, excluded
)));
2202 if (cert
->cert_policies
->get_count(cert
->cert_policies
))
2204 x509_cert_policy_t
*policy
;
2206 enumerator
= create_cert_policy_enumerator(cert
);
2207 while (enumerator
->enumerate(enumerator
, &policy
))
2209 chunk_t chunk
= chunk_empty
, cps
= chunk_empty
, notice
= chunk_empty
;
2211 if (policy
->cps_uri
)
2213 cps
= asn1_wrap(ASN1_SEQUENCE
, "mm",
2214 asn1_build_known_oid(OID_POLICY_QUALIFIER_CPS
),
2215 asn1_wrap(ASN1_IA5STRING
, "c",
2216 chunk_create(policy
->cps_uri
,
2217 strlen(policy
->cps_uri
))));
2219 if (policy
->unotice_text
)
2221 notice
= asn1_wrap(ASN1_SEQUENCE
, "mm",
2222 asn1_build_known_oid(OID_POLICY_QUALIFIER_UNOTICE
),
2223 asn1_wrap(ASN1_SEQUENCE
, "m",
2224 asn1_wrap(ASN1_VISIBLESTRING
, "c",
2225 chunk_create(policy
->unotice_text
,
2226 strlen(policy
->unotice_text
)))));
2228 if (cps
.len
|| notice
.len
)
2230 chunk
= asn1_wrap(ASN1_SEQUENCE
, "mm", cps
, notice
);
2232 chunk
= asn1_wrap(ASN1_SEQUENCE
, "mm",
2233 asn1_wrap(ASN1_OID
, "c", policy
->oid
), chunk
);
2234 certPolicies
= chunk_cat("mm", certPolicies
, chunk
);
2236 enumerator
->destroy(enumerator
);
2238 certPolicies
= asn1_wrap(ASN1_SEQUENCE
, "mm",
2239 asn1_build_known_oid(OID_CERTIFICATE_POLICIES
),
2240 asn1_wrap(ASN1_OCTET_STRING
, "m",
2241 asn1_wrap(ASN1_SEQUENCE
, "m", certPolicies
)));
2244 if (cert
->policy_mappings
->get_count(cert
->policy_mappings
))
2246 x509_policy_mapping_t
*mapping
;
2248 enumerator
= create_policy_mapping_enumerator(cert
);
2249 while (enumerator
->enumerate(enumerator
, &mapping
))
2253 chunk
= asn1_wrap(ASN1_SEQUENCE
, "mm",
2254 asn1_wrap(ASN1_OID
, "c", mapping
->issuer
),
2255 asn1_wrap(ASN1_OID
, "c", mapping
->subject
));
2256 policyMappings
= chunk_cat("mm", policyMappings
, chunk
);
2258 enumerator
->destroy(enumerator
);
2260 policyMappings
= asn1_wrap(ASN1_SEQUENCE
, "mm",
2261 asn1_build_known_oid(OID_POLICY_MAPPINGS
),
2262 asn1_wrap(ASN1_OCTET_STRING
, "m",
2263 asn1_wrap(ASN1_SEQUENCE
, "m", policyMappings
)));
2266 if (cert
->inhibit_mapping
!= X509_NO_CONSTRAINT
||
2267 cert
->require_explicit
!= X509_NO_CONSTRAINT
)
2269 chunk_t inhibit
= chunk_empty
, explicit = chunk_empty
;
2271 if (cert
->require_explicit
!= X509_NO_CONSTRAINT
)
2273 explicit = asn1_wrap(ASN1_CONTEXT_C_0
, "m",
2275 chunk_from_thing(cert
->require_explicit
)));
2277 if (cert
->inhibit_mapping
!= X509_NO_CONSTRAINT
)
2279 inhibit
= asn1_wrap(ASN1_CONTEXT_C_1
, "m",
2281 chunk_from_thing(cert
->inhibit_mapping
)));
2283 policyConstraints
= asn1_wrap(ASN1_SEQUENCE
, "mmm",
2284 asn1_build_known_oid(OID_POLICY_CONSTRAINTS
),
2285 asn1_wrap(ASN1_BOOLEAN
, "c", chunk_from_chars(0xFF)),
2286 asn1_wrap(ASN1_OCTET_STRING
, "m",
2287 asn1_wrap(ASN1_SEQUENCE
, "mm",
2288 explicit, inhibit
)));
2291 if (cert
->inhibit_any
!= X509_NO_CONSTRAINT
)
2293 inhibitAnyPolicy
= asn1_wrap(ASN1_SEQUENCE
, "mmm",
2294 asn1_build_known_oid(OID_INHIBIT_ANY_POLICY
),
2295 asn1_wrap(ASN1_BOOLEAN
, "c", chunk_from_chars(0xFF)),
2296 asn1_wrap(ASN1_OCTET_STRING
, "m",
2298 chunk_from_thing(cert
->inhibit_any
))));
2301 if (basicConstraints
.ptr
|| subjectAltNames
.ptr
|| authKeyIdentifier
.ptr
||
2302 crlDistributionPoints
.ptr
|| nameConstraints
.ptr
)
2304 extensions
= asn1_wrap(ASN1_CONTEXT_C_3
, "m",
2305 asn1_wrap(ASN1_SEQUENCE
, "mmmmmmmmmmmmm",
2306 basicConstraints
, keyUsage
, subjectKeyIdentifier
,
2307 authKeyIdentifier
, subjectAltNames
,
2308 extendedKeyUsage
, crlDistributionPoints
,
2309 authorityInfoAccess
, nameConstraints
, certPolicies
,
2310 policyMappings
, policyConstraints
, inhibitAnyPolicy
));
2313 cert
->tbsCertificate
= asn1_wrap(ASN1_SEQUENCE
, "mmmcmcmm",
2314 asn1_simple_object(ASN1_CONTEXT_C_0
, ASN1_INTEGER_2
),
2315 asn1_integer("c", cert
->serialNumber
),
2316 asn1_algorithmIdentifier(cert
->algorithm
),
2317 issuer
->get_encoding(issuer
),
2318 asn1_wrap(ASN1_SEQUENCE
, "mm",
2319 asn1_from_time(&cert
->notBefore
, ASN1_UTCTIME
),
2320 asn1_from_time(&cert
->notAfter
, ASN1_UTCTIME
)),
2321 subject
->get_encoding(subject
),
2322 key_info
, extensions
);
2324 if (!sign_key
->sign(sign_key
, scheme
, cert
->tbsCertificate
, &cert
->signature
))
2328 cert
->encoding
= asn1_wrap(ASN1_SEQUENCE
, "cmm", cert
->tbsCertificate
,
2329 asn1_algorithmIdentifier(cert
->algorithm
),
2330 asn1_bitstring("c", cert
->signature
));
2332 hasher
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_SHA1
);
2337 hasher
->allocate_hash(hasher
, cert
->encoding
, &cert
->encoding_hash
);
2338 hasher
->destroy(hasher
);
2345 x509_cert_t
*x509_cert_load(certificate_type_t type
, va_list args
)
2347 x509_flag_t flags
= 0;
2348 chunk_t blob
= chunk_empty
;
2352 switch (va_arg(args
, builder_part_t
))
2354 case BUILD_BLOB_ASN1_DER
:
2355 blob
= va_arg(args
, chunk_t
);
2357 case BUILD_X509_FLAG
:
2358 flags
|= va_arg(args
, x509_flag_t
);
2370 private_x509_cert_t
*cert
= create_empty();
2372 cert
->encoding
= chunk_clone(blob
);
2373 cert
->parsed
= TRUE
;
2374 if (parse_certificate(cert
))
2376 cert
->flags
|= flags
;
2377 return &cert
->public;
2387 x509_cert_t
*x509_cert_gen(certificate_type_t type
, va_list args
)
2389 private_x509_cert_t
*cert
;
2390 certificate_t
*sign_cert
= NULL
;
2391 private_key_t
*sign_key
= NULL
;
2392 hash_algorithm_t digest_alg
= HASH_SHA1
;
2395 cert
= create_empty();
2398 switch (va_arg(args
, builder_part_t
))
2400 case BUILD_X509_FLAG
:
2401 cert
->flags
|= va_arg(args
, x509_flag_t
);
2403 case BUILD_SIGNING_KEY
:
2404 sign_key
= va_arg(args
, private_key_t
*);
2406 case BUILD_SIGNING_CERT
:
2407 sign_cert
= va_arg(args
, certificate_t
*);
2409 case BUILD_PUBLIC_KEY
:
2410 cert
->public_key
= va_arg(args
, public_key_t
*);
2411 cert
->public_key
->get_ref(cert
->public_key
);
2414 cert
->subject
= va_arg(args
, identification_t
*);
2415 cert
->subject
= cert
->subject
->clone(cert
->subject
);
2417 case BUILD_SUBJECT_ALTNAMES
:
2419 enumerator_t
*enumerator
;
2420 identification_t
*id
;
2421 linked_list_t
*list
;
2423 list
= va_arg(args
, linked_list_t
*);
2424 enumerator
= list
->create_enumerator(list
);
2425 while (enumerator
->enumerate(enumerator
, &id
))
2427 cert
->subjectAltNames
->insert_last(cert
->subjectAltNames
,
2430 enumerator
->destroy(enumerator
);
2433 case BUILD_CRL_DISTRIBUTION_POINTS
:
2435 enumerator_t
*enumerator
;
2436 linked_list_t
*list
;
2437 x509_cdp_t
*in
, *cdp
;
2439 list
= va_arg(args
, linked_list_t
*);
2440 enumerator
= list
->create_enumerator(list
);
2441 while (enumerator
->enumerate(enumerator
, &in
))
2444 .uri
= strdup(in
->uri
),
2445 .issuer
= in
->issuer ? in
->issuer
->clone(in
->issuer
) : NULL
,
2447 cert
->crl_uris
->insert_last(cert
->crl_uris
, cdp
);
2449 enumerator
->destroy(enumerator
);
2452 case BUILD_OCSP_ACCESS_LOCATIONS
:
2454 enumerator_t
*enumerator
;
2455 linked_list_t
*list
;
2458 list
= va_arg(args
, linked_list_t
*);
2459 enumerator
= list
->create_enumerator(list
);
2460 while (enumerator
->enumerate(enumerator
, &uri
))
2462 cert
->ocsp_uris
->insert_last(cert
->ocsp_uris
, strdup(uri
));
2464 enumerator
->destroy(enumerator
);
2468 constraint
= va_arg(args
, u_int
);
2469 cert
->pathLenConstraint
= (constraint
< 128) ?
2470 constraint
: X509_NO_CONSTRAINT
;
2472 case BUILD_PERMITTED_NAME_CONSTRAINTS
:
2474 enumerator_t
*enumerator
;
2475 linked_list_t
*list
;
2476 identification_t
*constraint
;
2478 list
= va_arg(args
, linked_list_t
*);
2479 enumerator
= list
->create_enumerator(list
);
2480 while (enumerator
->enumerate(enumerator
, &constraint
))
2482 cert
->permitted_names
->insert_last(cert
->permitted_names
,
2483 constraint
->clone(constraint
));
2485 enumerator
->destroy(enumerator
);
2488 case BUILD_EXCLUDED_NAME_CONSTRAINTS
:
2490 enumerator_t
*enumerator
;
2491 linked_list_t
*list
;
2492 identification_t
*constraint
;
2494 list
= va_arg(args
, linked_list_t
*);
2495 enumerator
= list
->create_enumerator(list
);
2496 while (enumerator
->enumerate(enumerator
, &constraint
))
2498 cert
->excluded_names
->insert_last(cert
->excluded_names
,
2499 constraint
->clone(constraint
));
2501 enumerator
->destroy(enumerator
);
2504 case BUILD_CERTIFICATE_POLICIES
:
2506 enumerator_t
*enumerator
;
2507 linked_list_t
*list
;
2508 x509_cert_policy_t
*policy
, *in
;
2510 list
= va_arg(args
, linked_list_t
*);
2511 enumerator
= list
->create_enumerator(list
);
2512 while (enumerator
->enumerate(enumerator
, &in
))
2515 .oid
= chunk_clone(in
->oid
),
2516 .cps_uri
= strdupnull(in
->cps_uri
),
2517 .unotice_text
= strdupnull(in
->unotice_text
),
2519 cert
->cert_policies
->insert_last(cert
->cert_policies
, policy
);
2521 enumerator
->destroy(enumerator
);
2524 case BUILD_POLICY_MAPPINGS
:
2526 enumerator_t
*enumerator
;
2527 linked_list_t
*list
;
2528 x509_policy_mapping_t
* mapping
, *in
;
2530 list
= va_arg(args
, linked_list_t
*);
2531 enumerator
= list
->create_enumerator(list
);
2532 while (enumerator
->enumerate(enumerator
, &in
))
2535 .issuer
= chunk_clone(in
->issuer
),
2536 .subject
= chunk_clone(in
->subject
),
2538 cert
->policy_mappings
->insert_last(cert
->policy_mappings
,
2541 enumerator
->destroy(enumerator
);
2544 case BUILD_POLICY_REQUIRE_EXPLICIT
:
2545 constraint
= va_arg(args
, u_int
);
2546 cert
->require_explicit
= (constraint
< 128) ?
2547 constraint
: X509_NO_CONSTRAINT
;
2549 case BUILD_POLICY_INHIBIT_MAPPING
:
2550 constraint
= va_arg(args
, u_int
);
2551 cert
->inhibit_mapping
= (constraint
< 128) ?
2552 constraint
: X509_NO_CONSTRAINT
;
2554 case BUILD_POLICY_INHIBIT_ANY
:
2555 constraint
= va_arg(args
, u_int
);
2556 cert
->inhibit_any
= (constraint
< 128) ?
2557 constraint
: X509_NO_CONSTRAINT
;
2559 case BUILD_NOT_BEFORE_TIME
:
2560 cert
->notBefore
= va_arg(args
, time_t);
2562 case BUILD_NOT_AFTER_TIME
:
2563 cert
->notAfter
= va_arg(args
, time_t);
2566 cert
->serialNumber
= chunk_clone(va_arg(args
, chunk_t
));
2568 case BUILD_DIGEST_ALG
:
2569 digest_alg
= va_arg(args
, int);
2580 if (sign_key
&& generate(cert
, sign_cert
, sign_key
, digest_alg
))
2582 return &cert
->public;
projects / strongswan.git / blob