make use of the pem helper plugin to load credentials
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_cert.c
1 /*
2 * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
3 * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
4 * Copyright (C) 2002 Mario Strasser
5 * Copyright (C) 2000-2006 Andreas Steffen
6 * Copyright (C) 2006-2008 Martin Willi
7 * Copyright (C) 2008 Tobias Brunner
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #define _GNU_SOURCE
22
23 #include "x509_cert.h"
24
25 #include <sys/stat.h>
26 #include <time.h>
27 #include <unistd.h>
28 #include <string.h>
29 #include <stdio.h>
30
31 #include <library.h>
32 #include <debug.h>
33 #include <asn1/oid.h>
34 #include <asn1/asn1.h>
35 #include <asn1/asn1_parser.h>
36 #include <crypto/hashers/hasher.h>
37 #include <credentials/keys/private_key.h>
38 #include <utils/linked_list.h>
39 #include <utils/identification.h>
40
41 /**
42 * Different kinds of generalNames
43 */
44 typedef enum {
45 GN_OTHER_NAME = 0,
46 GN_RFC822_NAME = 1,
47 GN_DNS_NAME = 2,
48 GN_X400_ADDRESS = 3,
49 GN_DIRECTORY_NAME = 4,
50 GN_EDI_PARTY_NAME = 5,
51 GN_URI = 6,
52 GN_IP_ADDRESS = 7,
53 GN_REGISTERED_ID = 8,
54 } generalNames_t;
55
56
57 typedef struct private_x509_cert_t private_x509_cert_t;
58
59 /**
60 * Private data of a x509_cert_t object.
61 */
62 struct private_x509_cert_t {
63 /**
64 * Public interface for this certificate.
65 */
66 x509_cert_t public;
67
68 /**
69 * X.509 certificate encoding in ASN.1 DER format
70 */
71 chunk_t encoding;
72
73 /**
74 * SHA1 hash of the DER encoding of this X.509 certificate
75 */
76 chunk_t encoding_hash;
77
78 /**
79 * X.509 certificate body over which signature is computed
80 */
81 chunk_t tbsCertificate;
82
83 /**
84 * Version of the X.509 certificate
85 */
86 u_int version;
87
88 /**
89 * Serial number of the X.509 certificate
90 */
91 chunk_t serialNumber;
92
93 /**
94 * ID representing the certificate issuer
95 */
96 identification_t *issuer;
97
98 /**
99 * Start time of certificate validity
100 */
101 time_t notBefore;
102
103 /**
104 * End time of certificate validity
105 */
106 time_t notAfter;
107
108 /**
109 * ID representing the certificate subject
110 */
111 identification_t *subject;
112
113 /**
114 * List of subjectAltNames as identification_t
115 */
116 linked_list_t *subjectAltNames;
117
118 /**
119 * List of crlDistributionPoints as allocated char*
120 */
121 linked_list_t *crl_uris;
122
123 /**
124 * List ocspAccessLocations as identification_t
125 */
126 linked_list_t *ocsp_uris;
127
128 /**
129 * certificates embedded public key
130 */
131 public_key_t *public_key;
132
133 /**
134 * Subject Key Identifier
135 */
136 chunk_t subjectKeyID;
137
138 /**
139 * Authority Key Identifier
140 */
141 identification_t *authKeyIdentifier;
142
143 /**
144 * Authority Key Serial Number
145 */
146 chunk_t authKeySerialNumber;
147
148 /**
149 * x509 constraints and other flags
150 */
151 x509_flag_t flags;
152
153 /**
154 * Signature algorithm
155 */
156 int algorithm;
157
158 /**
159 * Signature
160 */
161 chunk_t signature;
162
163 /**
164 * Certificate parsed from blob/file?
165 */
166 bool parsed;
167
168 /**
169 * reference count
170 */
171 refcount_t ref;
172 };
173
174 static u_char ASN1_sAN_oid_buf[] = {
175 0x06, 0x03, 0x55, 0x1D, 0x11
176 };
177 static const chunk_t ASN1_subjectAltName_oid = chunk_from_buf(ASN1_sAN_oid_buf);
178
179 /**
180 * ASN.1 definition of a basicConstraints extension
181 */
182 static const asn1Object_t basicConstraintsObjects[] = {
183 { 0, "basicConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
184 { 1, "CA", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 1 */
185 { 1, "pathLenConstraint", ASN1_INTEGER, ASN1_OPT|ASN1_BODY }, /* 2 */
186 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
187 { 0, "exit", ASN1_EOC, ASN1_EXIT }
188 };
189 #define BASIC_CONSTRAINTS_CA 1
190
191 /**
192 * Extracts the basicConstraints extension
193 */
194 static bool parse_basicConstraints(chunk_t blob, int level0)
195 {
196 asn1_parser_t *parser;
197 chunk_t object;
198 int objectID;
199 bool isCA = FALSE;
200
201 parser = asn1_parser_create(basicConstraintsObjects, blob);
202 parser->set_top_level(parser, level0);
203
204 while (parser->iterate(parser, &objectID, &object))
205 {
206 if (objectID == BASIC_CONSTRAINTS_CA)
207 {
208 isCA = object.len && *object.ptr;
209 DBG2(" %s", isCA ? "TRUE" : "FALSE");
210 }
211 }
212 parser->destroy(parser);
213
214 return isCA;
215 }
216
217 /**
218 * ASN.1 definition of otherName
219 */
220 static const asn1Object_t otherNameObjects[] = {
221 {0, "type-id", ASN1_OID, ASN1_BODY }, /* 0 */
222 {0, "value", ASN1_CONTEXT_C_0, ASN1_BODY }, /* 1 */
223 {0, "exit", ASN1_EOC, ASN1_EXIT }
224 };
225 #define ON_OBJ_ID_TYPE 0
226 #define ON_OBJ_VALUE 1
227
228 /**
229 * Extracts an otherName
230 */
231 static bool parse_otherName(chunk_t blob, int level0)
232 {
233 asn1_parser_t *parser;
234 chunk_t object;
235 int objectID;
236 int oid = OID_UNKNOWN;
237 bool success = FALSE;
238
239 parser = asn1_parser_create(otherNameObjects, blob);
240 parser->set_top_level(parser, level0);
241
242 while (parser->iterate(parser, &objectID, &object))
243 {
244 switch (objectID)
245 {
246 case ON_OBJ_ID_TYPE:
247 oid = asn1_known_oid(object);
248 break;
249 case ON_OBJ_VALUE:
250 if (oid == OID_XMPP_ADDR)
251 {
252 if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
253 parser->get_level(parser)+1, "xmppAddr"))
254 {
255 goto end;
256 }
257 }
258 break;
259 default:
260 break;
261 }
262 }
263 success = parser->success(parser);
264
265 end:
266 parser->destroy(parser);
267 return success;
268 }
269
270 /**
271 * ASN.1 definition of generalName
272 */
273 static const asn1Object_t generalNameObjects[] = {
274 { 0, "otherName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_BODY }, /* 0 */
275 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 1 */
276 { 0, "rfc822Name", ASN1_CONTEXT_S_1, ASN1_OPT|ASN1_BODY }, /* 2 */
277 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 3 */
278 { 0, "dnsName", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 4 */
279 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
280 { 0, "x400Address", ASN1_CONTEXT_S_3, ASN1_OPT|ASN1_BODY }, /* 6 */
281 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
282 { 0, "directoryName", ASN1_CONTEXT_C_4, ASN1_OPT|ASN1_BODY }, /* 8 */
283 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
284 { 0, "ediPartyName", ASN1_CONTEXT_C_5, ASN1_OPT|ASN1_BODY }, /* 10 */
285 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
286 { 0, "URI", ASN1_CONTEXT_S_6, ASN1_OPT|ASN1_BODY }, /* 12 */
287 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 13 */
288 { 0, "ipAddress", ASN1_CONTEXT_S_7, ASN1_OPT|ASN1_BODY }, /* 14 */
289 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 15 */
290 { 0, "registeredID", ASN1_CONTEXT_S_8, ASN1_OPT|ASN1_BODY }, /* 16 */
291 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 17 */
292 { 0, "exit", ASN1_EOC, ASN1_EXIT }
293 };
294 #define GN_OBJ_OTHER_NAME 0
295 #define GN_OBJ_RFC822_NAME 2
296 #define GN_OBJ_DNS_NAME 4
297 #define GN_OBJ_X400_ADDRESS 6
298 #define GN_OBJ_DIRECTORY_NAME 8
299 #define GN_OBJ_EDI_PARTY_NAME 10
300 #define GN_OBJ_URI 12
301 #define GN_OBJ_IP_ADDRESS 14
302 #define GN_OBJ_REGISTERED_ID 16
303
304 /**
305 * Extracts a generalName
306 */
307 static identification_t *parse_generalName(chunk_t blob, int level0)
308 {
309 asn1_parser_t *parser;
310 chunk_t object;
311 int objectID ;
312
313 identification_t *gn = NULL;
314
315 parser = asn1_parser_create(generalNameObjects, blob);
316 parser->set_top_level(parser, level0);
317
318 while (parser->iterate(parser, &objectID, &object))
319 {
320 id_type_t id_type = ID_ANY;
321
322 switch (objectID)
323 {
324 case GN_OBJ_RFC822_NAME:
325 id_type = ID_RFC822_ADDR;
326 break;
327 case GN_OBJ_DNS_NAME:
328 id_type = ID_FQDN;
329 break;
330 case GN_OBJ_URI:
331 id_type = ID_DER_ASN1_GN_URI;
332 break;
333 case GN_OBJ_DIRECTORY_NAME:
334 id_type = ID_DER_ASN1_DN;
335 break;
336 case GN_OBJ_IP_ADDRESS:
337 id_type = ID_IPV4_ADDR;
338 break;
339 case GN_OBJ_OTHER_NAME:
340 if (!parse_otherName(object, parser->get_level(parser)+1))
341 {
342 goto end;
343 }
344 break;
345 case GN_OBJ_X400_ADDRESS:
346 case GN_OBJ_EDI_PARTY_NAME:
347 case GN_OBJ_REGISTERED_ID:
348 default:
349 break;
350 }
351 if (id_type != ID_ANY)
352 {
353 gn = identification_create_from_encoding(id_type, object);
354 DBG2(" '%Y'", gn);
355 goto end;
356 }
357 }
358
359 end:
360 parser->destroy(parser);
361 return gn;
362 }
363
364 /**
365 * ASN.1 definition of generalNames
366 */
367 static const asn1Object_t generalNamesObjects[] = {
368 { 0, "generalNames", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
369 { 1, "generalName", ASN1_EOC, ASN1_RAW }, /* 1 */
370 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
371 { 0, "exit", ASN1_EOC, ASN1_EXIT }
372 };
373 #define GENERAL_NAMES_GN 1
374
375 /**
376 * Extracts one or several GNs and puts them into a chained list
377 */
378 void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list)
379 {
380 asn1_parser_t *parser;
381 chunk_t object;
382 int objectID;
383
384 parser = asn1_parser_create(generalNamesObjects, blob);
385 parser->set_top_level(parser, level0);
386 parser->set_flags(parser, implicit, FALSE);
387
388 while (parser->iterate(parser, &objectID, &object))
389 {
390 if (objectID == GENERAL_NAMES_GN)
391 {
392 identification_t *gn = parse_generalName(object,
393 parser->get_level(parser)+1);
394
395 if (gn)
396 {
397 list->insert_last(list, (void *)gn);
398 }
399 }
400 }
401 parser->destroy(parser);
402 }
403
404 /**
405 * ASN.1 definition of a authorityKeyIdentifier extension
406 */
407 static const asn1Object_t authKeyIdentifierObjects[] = {
408 { 0, "authorityKeyIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
409 { 1, "keyIdentifier", ASN1_CONTEXT_S_0, ASN1_OPT|ASN1_BODY }, /* 1 */
410 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
411 { 1, "authorityCertIssuer", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_OBJ }, /* 3 */
412 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 4 */
413 { 1, "authorityCertSerialNumber", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 5 */
414 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
415 { 0, "exit", ASN1_EOC, ASN1_EXIT }
416 };
417 #define AUTH_KEY_ID_KEY_ID 1
418 #define AUTH_KEY_ID_CERT_ISSUER 3
419 #define AUTH_KEY_ID_CERT_SERIAL 5
420
421 /**
422 * Extracts an authoritykeyIdentifier
423 */
424 identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
425 chunk_t *authKeySerialNumber)
426 {
427 asn1_parser_t *parser;
428 chunk_t object;
429 int objectID;
430 identification_t *authKeyIdentifier = NULL;
431
432 *authKeySerialNumber = chunk_empty;
433
434 parser = asn1_parser_create(authKeyIdentifierObjects, blob);
435 parser->set_top_level(parser, level0);
436
437 while (parser->iterate(parser, &objectID, &object))
438 {
439 switch (objectID)
440 {
441 case AUTH_KEY_ID_KEY_ID:
442 authKeyIdentifier = identification_create_from_encoding(
443 ID_PUBKEY_SHA1, object);
444 break;
445 case AUTH_KEY_ID_CERT_ISSUER:
446 /* TODO: x509_parse_generalNames(object, level+1, TRUE); */
447 break;
448 case AUTH_KEY_ID_CERT_SERIAL:
449 *authKeySerialNumber = object;
450 break;
451 default:
452 break;
453 }
454 }
455 parser->destroy(parser);
456 return authKeyIdentifier;
457 }
458
459 /**
460 * ASN.1 definition of a authorityInfoAccess extension
461 */
462 static const asn1Object_t authInfoAccessObjects[] = {
463 { 0, "authorityInfoAccess", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
464 { 1, "accessDescription", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
465 { 2, "accessMethod", ASN1_OID, ASN1_BODY }, /* 2 */
466 { 2, "accessLocation", ASN1_EOC, ASN1_RAW }, /* 3 */
467 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
468 { 0, "exit", ASN1_EOC, ASN1_EXIT }
469 };
470 #define AUTH_INFO_ACCESS_METHOD 2
471 #define AUTH_INFO_ACCESS_LOCATION 3
472
473 /**
474 * Extracts an authorityInfoAcess location
475 */
476 static void parse_authorityInfoAccess(chunk_t blob, int level0,
477 private_x509_cert_t *this)
478 {
479 asn1_parser_t *parser;
480 chunk_t object;
481 int objectID;
482 int accessMethod = OID_UNKNOWN;
483
484 parser = asn1_parser_create(authInfoAccessObjects, blob);
485 parser->set_top_level(parser, level0);
486
487 while (parser->iterate(parser, &objectID, &object))
488 {
489 switch (objectID)
490 {
491 case AUTH_INFO_ACCESS_METHOD:
492 accessMethod = asn1_known_oid(object);
493 break;
494 case AUTH_INFO_ACCESS_LOCATION:
495 {
496 switch (accessMethod)
497 {
498 case OID_OCSP:
499 case OID_CA_ISSUERS:
500 {
501 identification_t *id;
502 char *uri;
503
504 id = parse_generalName(object,
505 parser->get_level(parser)+1);
506 if (id == NULL)
507 {
508 /* parsing went wrong - abort */
509 goto end;
510 }
511 DBG2(" '%Y'", id);
512 if (accessMethod == OID_OCSP &&
513 asprintf(&uri, "%Y", id) > 0)
514 {
515 this->ocsp_uris->insert_last(this->ocsp_uris, uri);
516 }
517 id->destroy(id);
518 }
519 break;
520 default:
521 /* unkown accessMethod, ignoring */
522 break;
523 }
524 break;
525 }
526 default:
527 break;
528 }
529 }
530
531 end:
532 parser->destroy(parser);
533 }
534
535 /**
536 * ASN.1 definition of a extendedKeyUsage extension
537 */
538 static const asn1Object_t extendedKeyUsageObjects[] = {
539 { 0, "extendedKeyUsage", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
540 { 1, "keyPurposeID", ASN1_OID, ASN1_BODY }, /* 1 */
541 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
542 { 0, "exit", ASN1_EOC, ASN1_EXIT }
543 };
544 #define EXT_KEY_USAGE_PURPOSE_ID 1
545
546 /**
547 * Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned
548 */
549 static bool parse_extendedKeyUsage(chunk_t blob, int level0)
550 {
551 asn1_parser_t *parser;
552 chunk_t object;
553 int objectID;
554 bool ocsp_signing = FALSE;
555
556 parser = asn1_parser_create(extendedKeyUsageObjects, blob);
557 parser->set_top_level(parser, level0);
558
559 while (parser->iterate(parser, &objectID, &object))
560 {
561 if (objectID == EXT_KEY_USAGE_PURPOSE_ID &&
562 asn1_known_oid(object) == OID_OCSP_SIGNING)
563 {
564 ocsp_signing = TRUE;
565 }
566 }
567 parser->destroy(parser);
568 return ocsp_signing;
569 }
570
571 /**
572 * ASN.1 definition of crlDistributionPoints
573 */
574 static const asn1Object_t crlDistributionPointsObjects[] = {
575 { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
576 { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
577 { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */
578 { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
579 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
580 { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
581 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
582 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
583 { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
584 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
585 { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_BODY }, /* 10 */
586 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
587 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
588 { 0, "exit", ASN1_EOC, ASN1_EXIT }
589 };
590 #define CRL_DIST_POINTS_FULLNAME 3
591
592 /**
593 * Extracts one or several crlDistributionPoints into a list
594 */
595 static void parse_crlDistributionPoints(chunk_t blob, int level0,
596 private_x509_cert_t *this)
597 {
598 asn1_parser_t *parser;
599 chunk_t object;
600 int objectID;
601 linked_list_t *list = linked_list_create();
602
603 parser = asn1_parser_create(crlDistributionPointsObjects, blob);
604 parser->set_top_level(parser, level0);
605
606 while (parser->iterate(parser, &objectID, &object))
607 {
608 if (objectID == CRL_DIST_POINTS_FULLNAME)
609 {
610 identification_t *id;
611
612 /* append extracted generalNames to existing chained list */
613 x509_parse_generalNames(object, parser->get_level(parser)+1,
614 TRUE, list);
615
616 while (list->remove_last(list, (void**)&id) == SUCCESS)
617 {
618 char *uri;
619
620 if (asprintf(&uri, "%Y", id) > 0)
621 {
622 this->crl_uris->insert_last(this->crl_uris, uri);
623 }
624 id->destroy(id);
625 }
626 }
627 }
628 parser->destroy(parser);
629 list->destroy(list);
630 }
631
632 /**
633 * ASN.1 definition of an X.509v3 x509_cert
634 */
635 static const asn1Object_t certObjects[] = {
636 { 0, "x509", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
637 { 1, "tbsCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
638 { 2, "DEFAULT v1", ASN1_CONTEXT_C_0, ASN1_DEF }, /* 2 */
639 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
640 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 4 */
641 { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 5 */
642 { 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
643 { 2, "validity", ASN1_SEQUENCE, ASN1_NONE }, /* 7 */
644 { 3, "notBefore", ASN1_EOC, ASN1_RAW }, /* 8 */
645 { 3, "notAfter", ASN1_EOC, ASN1_RAW }, /* 9 */
646 { 2, "subject", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
647 { 2, "subjectPublicKeyInfo",ASN1_SEQUENCE, ASN1_RAW }, /* 11 */
648 { 2, "issuerUniqueID", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 12 */
649 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 13 */
650 { 2, "subjectUniqueID", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 14 */
651 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 15 */
652 { 2, "optional extensions", ASN1_CONTEXT_C_3, ASN1_OPT }, /* 16 */
653 { 3, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 17 */
654 { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 18 */
655 { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 19 */
656 { 5, "critical", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 20 */
657 { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 21 */
658 { 3, "end loop", ASN1_EOC, ASN1_END }, /* 22 */
659 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 23 */
660 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 24 */
661 { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY }, /* 25 */
662 { 0, "exit", ASN1_EOC, ASN1_EXIT }
663 };
664 #define X509_OBJ_TBS_CERTIFICATE 1
665 #define X509_OBJ_VERSION 3
666 #define X509_OBJ_SERIAL_NUMBER 4
667 #define X509_OBJ_SIG_ALG 5
668 #define X509_OBJ_ISSUER 6
669 #define X509_OBJ_NOT_BEFORE 8
670 #define X509_OBJ_NOT_AFTER 9
671 #define X509_OBJ_SUBJECT 10
672 #define X509_OBJ_SUBJECT_PUBLIC_KEY_INFO 11
673 #define X509_OBJ_EXTN_ID 19
674 #define X509_OBJ_CRITICAL 20
675 #define X509_OBJ_EXTN_VALUE 21
676 #define X509_OBJ_ALGORITHM 24
677 #define X509_OBJ_SIGNATURE 25
678
679 /**
680 * Parses an X.509v3 certificate
681 */
682 static bool parse_certificate(private_x509_cert_t *this)
683 {
684 asn1_parser_t *parser;
685 chunk_t object;
686 int objectID;
687 int extn_oid = OID_UNKNOWN;
688 int sig_alg = OID_UNKNOWN;
689 bool success = FALSE;
690 bool critical;
691
692 parser = asn1_parser_create(certObjects, this->encoding);
693
694 while (parser->iterate(parser, &objectID, &object))
695 {
696 u_int level = parser->get_level(parser)+1;
697
698 switch (objectID)
699 {
700 case X509_OBJ_TBS_CERTIFICATE:
701 this->tbsCertificate = object;
702 break;
703 case X509_OBJ_VERSION:
704 this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
705 DBG2(" v%d", this->version);
706 break;
707 case X509_OBJ_SERIAL_NUMBER:
708 this->serialNumber = object;
709 break;
710 case X509_OBJ_SIG_ALG:
711 sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
712 break;
713 case X509_OBJ_ISSUER:
714 this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
715 DBG2(" '%Y'", this->issuer);
716 break;
717 case X509_OBJ_NOT_BEFORE:
718 this->notBefore = asn1_parse_time(object, level);
719 break;
720 case X509_OBJ_NOT_AFTER:
721 this->notAfter = asn1_parse_time(object, level);
722 break;
723 case X509_OBJ_SUBJECT:
724 this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
725 DBG2(" '%Y'", this->subject);
726 break;
727 case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
728 this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
729 KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
730 if (this->public_key == NULL)
731 {
732 goto end;
733 }
734 break;
735 case X509_OBJ_EXTN_ID:
736 extn_oid = asn1_known_oid(object);
737 break;
738 case X509_OBJ_CRITICAL:
739 critical = object.len && *object.ptr;
740 DBG2(" %s", critical ? "TRUE" : "FALSE");
741 break;
742 case X509_OBJ_EXTN_VALUE:
743 {
744 switch (extn_oid)
745 {
746 case OID_SUBJECT_KEY_ID:
747 if (!asn1_parse_simple_object(&object, ASN1_OCTET_STRING,
748 level, "keyIdentifier"))
749 {
750 goto end;
751 }
752 this->subjectKeyID = object;
753 break;
754 case OID_SUBJECT_ALT_NAME:
755 x509_parse_generalNames(object, level, FALSE,
756 this->subjectAltNames);
757 break;
758 case OID_BASIC_CONSTRAINTS:
759 if (parse_basicConstraints(object, level))
760 {
761 this->flags |= X509_CA;
762 }
763 break;
764 case OID_CRL_DISTRIBUTION_POINTS:
765 parse_crlDistributionPoints(object, level, this);
766 break;
767 case OID_AUTHORITY_KEY_ID:
768 this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
769 level, &this->authKeySerialNumber);
770 break;
771 case OID_AUTHORITY_INFO_ACCESS:
772 parse_authorityInfoAccess(object, level, this);
773 break;
774 case OID_EXTENDED_KEY_USAGE:
775 if (parse_extendedKeyUsage(object, level))
776 {
777 this->flags |= X509_OCSP_SIGNER;
778 }
779 break;
780 case OID_NS_REVOCATION_URL:
781 case OID_NS_CA_REVOCATION_URL:
782 case OID_NS_CA_POLICY_URL:
783 case OID_NS_COMMENT:
784 if (!asn1_parse_simple_object(&object, ASN1_IA5STRING,
785 level, oid_names[extn_oid].name))
786 {
787 goto end;
788 }
789 break;
790 default:
791 break;
792 }
793 break;
794 }
795 case X509_OBJ_ALGORITHM:
796 this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
797 if (this->algorithm != sig_alg)
798 {
799 DBG1(" signature algorithms do not agree");
800 goto end;
801 }
802 break;
803 case X509_OBJ_SIGNATURE:
804 this->signature = object;
805 break;
806 default:
807 break;
808 }
809 }
810 success = parser->success(parser);
811
812 end:
813 parser->destroy(parser);
814 return success;
815 }
816
817 /**
818 * Implementation of certificate_t.get_type
819 */
820 static certificate_type_t get_type(private_x509_cert_t *this)
821 {
822 return CERT_X509;
823 }
824
825 /**
826 * Implementation of certificate_t.get_subject
827 */
828 static identification_t* get_subject(private_x509_cert_t *this)
829 {
830 return this->subject;
831 }
832
833 /**
834 * Implementation of certificate_t.get_issuer
835 */
836 static identification_t* get_issuer(private_x509_cert_t *this)
837 {
838 return this->issuer;
839 }
840
841 /**
842 * Implementation of certificate_t.has_subject.
843 */
844 static id_match_t has_subject(private_x509_cert_t *this, identification_t *subject)
845 {
846 identification_t *current;
847 enumerator_t *enumerator;
848 id_match_t match, best;
849
850 if (this->encoding_hash.ptr && subject->get_type(subject) == ID_CERT_DER_SHA1 &&
851 chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
852 {
853 return ID_MATCH_PERFECT;
854 }
855
856 best = this->subject->matches(this->subject, subject);
857 enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
858 while (enumerator->enumerate(enumerator, &current))
859 {
860 match = current->matches(current, subject);
861 if (match > best)
862 {
863 best = match;
864 }
865 }
866 enumerator->destroy(enumerator);
867 return best;
868 }
869
870 /**
871 * Implementation of certificate_t.has_subject.
872 */
873 static id_match_t has_issuer(private_x509_cert_t *this, identification_t *issuer)
874 {
875 /* issuerAltNames currently not supported */
876 return this->issuer->matches(this->issuer, issuer);
877 }
878
879 /**
880 * Implementation of certificate_t.issued_by
881 */
882 static bool issued_by(private_x509_cert_t *this, certificate_t *issuer)
883 {
884 public_key_t *key;
885 signature_scheme_t scheme;
886 bool valid;
887 x509_t *x509 = (x509_t*)issuer;
888
889 if (&this->public.interface.interface == issuer)
890 {
891 if (this->flags & X509_SELF_SIGNED)
892 {
893 return TRUE;
894 }
895 }
896 else
897 {
898 if (issuer->get_type(issuer) != CERT_X509)
899 {
900 return FALSE;
901 }
902 if (!(x509->get_flags(x509) & X509_CA))
903 {
904 return FALSE;
905 }
906 }
907 if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
908 {
909 return FALSE;
910 }
911
912 /* get the public key of the issuer */
913 key = issuer->get_public_key(issuer);
914
915 /* determine signature scheme */
916 scheme = signature_scheme_from_oid(this->algorithm);
917
918 if (scheme == SIGN_UNKNOWN || key == NULL)
919 {
920 return FALSE;
921 }
922 /* TODO: add a lightweight check option (comparing auth/subject keyids only) */
923 valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
924 key->destroy(key);
925 return valid;
926 }
927
928 /**
929 * Implementation of certificate_t.get_public_key
930 */
931 static public_key_t* get_public_key(private_x509_cert_t *this)
932 {
933 this->public_key->get_ref(this->public_key);
934 return this->public_key;
935 }
936
937 /**
938 * Implementation of certificate_t.asdf
939 */
940 static private_x509_cert_t* get_ref(private_x509_cert_t *this)
941 {
942 ref_get(&this->ref);
943 return this;
944 }
945
946 /**
947 * Implementation of x509_cert_t.get_flags.
948 */
949 static x509_flag_t get_flags(private_x509_cert_t *this)
950 {
951 return this->flags;
952 }
953
954 /**
955 * Implementation of x509_cert_t.get_validity.
956 */
957 static bool get_validity(private_x509_cert_t *this, time_t *when,
958 time_t *not_before, time_t *not_after)
959 {
960 time_t t;
961
962 if (when)
963 {
964 t = *when;
965 }
966 else
967 {
968 t = time(NULL);
969 }
970 if (not_before)
971 {
972 *not_before = this->notBefore;
973 }
974 if (not_after)
975 {
976 *not_after = this->notAfter;
977 }
978 return (t >= this->notBefore && t <= this->notAfter);
979 }
980
981 /**
982 * Implementation of certificate_t.is_newer.
983 */
984 static bool is_newer(certificate_t *this, certificate_t *that)
985 {
986 time_t this_update, that_update, now = time(NULL);
987 bool new;
988
989 this->get_validity(this, &now, &this_update, NULL);
990 that->get_validity(that, &now, &that_update, NULL);
991 new = this_update > that_update;
992 DBG1(" certificate from %T is %s - existing certificate from %T %s",
993 &this_update, FALSE, new ? "newer":"not newer",
994 &that_update, FALSE, new ? "replaced":"retained");
995 return new;
996 }
997
998 /**
999 * Implementation of certificate_t.get_encoding.
1000 */
1001 static chunk_t get_encoding(private_x509_cert_t *this)
1002 {
1003 return chunk_clone(this->encoding);
1004 }
1005
1006 /**
1007 * Implementation of certificate_t.equals.
1008 */
1009 static bool equals(private_x509_cert_t *this, certificate_t *other)
1010 {
1011 chunk_t encoding;
1012 bool equal;
1013
1014 if (this == (private_x509_cert_t*)other)
1015 {
1016 return TRUE;
1017 }
1018 if (other->get_type(other) != CERT_X509)
1019 {
1020 return FALSE;
1021 }
1022 if (other->equals == (void*)equals)
1023 { /* skip allocation if we have the same implementation */
1024 return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding);
1025 }
1026 encoding = other->get_encoding(other);
1027 equal = chunk_equals(this->encoding, encoding);
1028 free(encoding.ptr);
1029 return equal;
1030 }
1031
1032 /**
1033 * Implementation of x509_t.get_serial.
1034 */
1035 static chunk_t get_serial(private_x509_cert_t *this)
1036 {
1037 return this->serialNumber;
1038 }
1039
1040 /**
1041 * Implementation of x509_t.get_authKeyIdentifier.
1042 */
1043 static identification_t *get_authKeyIdentifier(private_x509_cert_t *this)
1044 {
1045 return this->authKeyIdentifier;
1046 }
1047
1048 /**
1049 * Implementation of x509_cert_t.create_subjectAltName_enumerator.
1050 */
1051 static enumerator_t* create_subjectAltName_enumerator(private_x509_cert_t *this)
1052 {
1053 return this->subjectAltNames->create_enumerator(this->subjectAltNames);
1054 }
1055
1056 /**
1057 * Implementation of x509_cert_t.create_ocsp_uri_enumerator.
1058 */
1059 static enumerator_t* create_ocsp_uri_enumerator(private_x509_cert_t *this)
1060 {
1061 return this->ocsp_uris->create_enumerator(this->ocsp_uris);
1062 }
1063
1064 /**
1065 * Implementation of x509_cert_t.create_crl_uri_enumerator.
1066 */
1067 static enumerator_t* create_crl_uri_enumerator(private_x509_cert_t *this)
1068 {
1069 return this->crl_uris->create_enumerator(this->crl_uris);
1070 }
1071
1072 /**
1073 * Implementation of certificate_t.asdf
1074 */
1075 static void destroy(private_x509_cert_t *this)
1076 {
1077 if (ref_put(&this->ref))
1078 {
1079 this->subjectAltNames->destroy_offset(this->subjectAltNames,
1080 offsetof(identification_t, destroy));
1081 this->crl_uris->destroy_function(this->crl_uris, free);
1082 this->ocsp_uris->destroy_function(this->ocsp_uris, free);
1083 DESTROY_IF(this->issuer);
1084 DESTROY_IF(this->subject);
1085 DESTROY_IF(this->public_key);
1086 DESTROY_IF(this->authKeyIdentifier);
1087 chunk_free(&this->encoding);
1088 chunk_free(&this->encoding_hash);
1089 if (!this->parsed)
1090 { /* only parsed certificates point these fields to "encoded" */
1091 chunk_free(&this->signature);
1092 chunk_free(&this->serialNumber);
1093 chunk_free(&this->tbsCertificate);
1094 }
1095 free(this);
1096 }
1097 }
1098
1099 /**
1100 * create an empty but initialized X.509 certificate
1101 */
1102 static private_x509_cert_t* create_empty(void)
1103 {
1104 private_x509_cert_t *this = malloc_thing(private_x509_cert_t);
1105
1106 this->public.interface.interface.get_type = (certificate_type_t (*) (certificate_t*))get_type;
1107 this->public.interface.interface.get_subject = (identification_t* (*) (certificate_t*))get_subject;
1108 this->public.interface.interface.get_issuer = (identification_t* (*) (certificate_t*))get_issuer;
1109 this->public.interface.interface.has_subject = (id_match_t (*) (certificate_t*, identification_t*))has_subject;
1110 this->public.interface.interface.has_issuer = (id_match_t (*) (certificate_t*, identification_t*))has_issuer;
1111 this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by;
1112 this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key;
1113 this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity;
1114 this->public.interface.interface.is_newer = (bool (*) (certificate_t*,certificate_t*))is_newer;
1115 this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding;
1116 this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals;
1117 this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref;
1118 this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
1119 this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags;
1120 this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial;
1121 this->public.interface.get_authKeyIdentifier = (identification_t* (*)(x509_t*))get_authKeyIdentifier;
1122 this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator;
1123 this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator;
1124 this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator;
1125
1126 this->encoding = chunk_empty;
1127 this->encoding_hash = chunk_empty;
1128 this->tbsCertificate = chunk_empty;
1129 this->version = 3;
1130 this->serialNumber = chunk_empty;
1131 this->notBefore = 0;
1132 this->notAfter = 0;
1133 this->public_key = NULL;
1134 this->subject = NULL;
1135 this->issuer = NULL;
1136 this->subjectAltNames = linked_list_create();
1137 this->crl_uris = linked_list_create();
1138 this->ocsp_uris = linked_list_create();
1139 this->subjectKeyID = chunk_empty;
1140 this->authKeyIdentifier = NULL;
1141 this->authKeySerialNumber = chunk_empty;
1142 this->algorithm = 0;
1143 this->signature = chunk_empty;
1144 this->flags = 0;
1145 this->ref = 1;
1146 this->parsed = FALSE;
1147
1148 return this;
1149 }
1150
1151 /**
1152 * create an X.509 certificate from a chunk
1153 */
1154 static private_x509_cert_t *create_from_chunk(chunk_t chunk)
1155 {
1156 hasher_t *hasher;
1157 private_x509_cert_t *this = create_empty();
1158
1159 this->encoding = chunk;
1160 this->parsed = TRUE;
1161 if (!parse_certificate(this))
1162 {
1163 destroy(this);
1164 return NULL;
1165 }
1166
1167 /* check if the certificate is self-signed */
1168 if (issued_by(this, &this->public.interface.interface))
1169 {
1170 this->flags |= X509_SELF_SIGNED;
1171 }
1172
1173 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1174 if (hasher == NULL)
1175 {
1176 DBG1(" unable to create hash of certificate, SHA1 not supported");
1177 destroy(this);
1178 return NULL;
1179 }
1180 hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
1181 hasher->destroy(hasher);
1182
1183 return this;
1184 }
1185
1186 typedef struct private_builder_t private_builder_t;
1187 /**
1188 * Builder implementation for certificate loading
1189 */
1190 struct private_builder_t {
1191 /** implements the builder interface */
1192 builder_t public;
1193 /** loaded certificate */
1194 private_x509_cert_t *cert;
1195 /** additional flags to enforce */
1196 x509_flag_t flags;
1197 /** certificate to sign, if we generate a new cert */
1198 certificate_t *sign_cert;
1199 /** private key to sign, if we generate a new cert */
1200 private_key_t *sign_key;
1201 };
1202
1203 /**
1204 * Generate and sign a new certificate
1205 */
1206 static bool generate(private_builder_t *this)
1207 {
1208 chunk_t extensions = chunk_empty;
1209 identification_t *issuer, *subject;
1210 chunk_t key_info, key;
1211 signature_scheme_t scheme;
1212 hasher_t *hasher;
1213
1214 subject = this->cert->subject;
1215 if (this->sign_cert)
1216 {
1217 issuer = this->sign_cert->get_subject(this->sign_cert);
1218 if (!this->cert->public_key)
1219 {
1220 return FALSE;
1221 }
1222 }
1223 else
1224 { /* self signed */
1225 issuer = subject;
1226 if (!this->cert->public_key)
1227 {
1228 this->cert->public_key = this->sign_key->get_public_key(this->sign_key);
1229 }
1230 this->flags |= X509_SELF_SIGNED;
1231 }
1232 this->cert->issuer = issuer->clone(issuer);
1233 if (!this->cert->notBefore)
1234 {
1235 this->cert->notBefore = time(NULL);
1236 }
1237 if (!this->cert->notAfter)
1238 { /* defaults to 1 years from now on */
1239 this->cert->notAfter = this->cert->notBefore + 60 * 60 * 24 * 365;
1240 }
1241 this->cert->flags = this->flags;
1242
1243 switch (this->sign_key->get_type(this->sign_key))
1244 {
1245 case KEY_RSA:
1246 this->cert->algorithm = OID_SHA1_WITH_RSA;
1247 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
1248 break;
1249 default:
1250 return FALSE;
1251 }
1252
1253 switch (this->cert->public_key->get_type(this->cert->public_key))
1254 {
1255 case KEY_RSA:
1256 key = this->cert->public_key->get_encoding(this->cert->public_key);
1257 key_info = asn1_wrap(ASN1_SEQUENCE, "cm",
1258 asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
1259 asn1_bitstring("m", key));
1260 break;
1261 default:
1262 return FALSE;
1263 }
1264
1265 if (this->cert->subjectAltNames->get_count(this->cert->subjectAltNames))
1266 {
1267 /* TODO: encode subjectAltNames */
1268 }
1269
1270 this->cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmccmcmm",
1271 asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
1272 asn1_integer("c", this->cert->serialNumber),
1273 asn1_algorithmIdentifier(this->cert->algorithm),
1274 issuer->get_encoding(issuer),
1275 asn1_wrap(ASN1_SEQUENCE, "mm",
1276 asn1_from_time(&this->cert->notBefore, ASN1_UTCTIME),
1277 asn1_from_time(&this->cert->notAfter, ASN1_UTCTIME)),
1278 subject->get_encoding(subject),
1279 key_info, extensions);
1280
1281 if (!this->sign_key->sign(this->sign_key, scheme,
1282 this->cert->tbsCertificate, &this->cert->signature))
1283 {
1284 return FALSE;
1285 }
1286 this->cert->encoding = asn1_wrap(ASN1_SEQUENCE, "ccm",
1287 this->cert->tbsCertificate,
1288 asn1_algorithmIdentifier(this->cert->algorithm),
1289 asn1_bitstring("c", this->cert->signature));
1290
1291 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1292 if (!hasher)
1293 {
1294 return FALSE;
1295 }
1296 hasher->allocate_hash(hasher, this->cert->encoding,
1297 &this->cert->encoding_hash);
1298 hasher->destroy(hasher);
1299 return TRUE;
1300 }
1301
1302 /**
1303 * Implementation of builder_t.build
1304 */
1305 static private_x509_cert_t *build(private_builder_t *this)
1306 {
1307 private_x509_cert_t *cert;
1308
1309 if (this->cert)
1310 {
1311 this->cert->flags |= this->flags;
1312 if (!this->cert->encoding.ptr)
1313 { /* generate a new certificate */
1314 if (!this->sign_key || !generate(this))
1315 {
1316 destroy(this->cert);
1317 free(this);
1318 return NULL;
1319 }
1320 }
1321 }
1322 cert = this->cert;
1323 free(this);
1324 return cert;
1325 }
1326
1327 /**
1328 * Implementation of builder_t.add
1329 */
1330 static void add(private_builder_t *this, builder_part_t part, ...)
1331 {
1332 va_list args;
1333 chunk_t chunk;
1334 bool handled = TRUE;
1335
1336 va_start(args, part);
1337 switch (part)
1338 {
1339 case BUILD_BLOB_ASN1_DER:
1340 chunk = va_arg(args, chunk_t);
1341 this->cert = create_from_chunk(chunk_clone(chunk));
1342 break;
1343 case BUILD_X509_FLAG:
1344 this->flags = va_arg(args, x509_flag_t);
1345 break;
1346 case BUILD_SIGNING_KEY:
1347 this->sign_key = va_arg(args, private_key_t*);
1348 break;
1349 case BUILD_SIGNING_CERT:
1350 this->sign_cert = va_arg(args, certificate_t*);
1351 break;
1352 default:
1353 /* all other parts need an empty cert */
1354 if (!this->cert)
1355 {
1356 this->cert = create_empty();
1357 }
1358 handled = FALSE;
1359 break;
1360 }
1361 if (handled)
1362 {
1363 va_end(args);
1364 return;
1365 }
1366
1367 switch (part)
1368 {
1369 case BUILD_PUBLIC_KEY:
1370 {
1371 public_key_t *key = va_arg(args, public_key_t*);
1372 this->cert->public_key = key->get_ref(key);
1373 break;
1374 }
1375 case BUILD_SUBJECT:
1376 {
1377 identification_t *id = va_arg(args, identification_t*);
1378 this->cert->subject = id->clone(id);
1379 break;
1380 }
1381 case BUILD_SUBJECT_ALTNAME:
1382 {
1383 identification_t *id = va_arg(args, identification_t*);
1384 this->cert->subjectAltNames->insert_last(
1385 this->cert->subjectAltNames, id->clone(id));
1386 break;
1387 }
1388 case BUILD_NOT_BEFORE_TIME:
1389 this->cert->notBefore = va_arg(args, time_t);
1390 break;
1391 case BUILD_NOT_AFTER_TIME:
1392 this->cert->notAfter = va_arg(args, time_t);
1393 break;
1394 case BUILD_SERIAL:
1395 {
1396 chunk_t serial = va_arg(args, chunk_t);
1397 this->cert->serialNumber = chunk_clone(serial);
1398 break;
1399 }
1400 default:
1401 /* abort if unsupported option */
1402 if (this->cert)
1403 {
1404 destroy(this->cert);
1405 }
1406 builder_cancel(&this->public);
1407 break;
1408 }
1409 va_end(args);
1410 }
1411
1412 /**
1413 * Builder construction function
1414 */
1415 builder_t *x509_cert_builder(certificate_type_t type)
1416 {
1417 private_builder_t *this;
1418
1419 if (type != CERT_X509)
1420 {
1421 return NULL;
1422 }
1423
1424 this = malloc_thing(private_builder_t);
1425
1426 this->cert = NULL;
1427 this->flags = 0;
1428 this->sign_cert = NULL;
1429 this->sign_key = NULL;
1430 this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
1431 this->public.build = (void*(*)(builder_t *this))build;
1432
1433 return &this->public;
1434 }
1435