basic x509 certificate generation
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_cert.c
1 /*
2 * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
3 * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
4 * Copyright (C) 2002 Mario Strasser
5 * Copyright (C) 2000-2006 Andreas Steffen
6 * Copyright (C) 2006-2008 Martin Willi
7 * Copyright (C) 2008 Tobias Brunner
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 *
20 * $Id$
21 */
22
23 #define _GNU_SOURCE
24
25 #include "x509_cert.h"
26
27 #include <sys/stat.h>
28 #include <time.h>
29 #include <unistd.h>
30 #include <string.h>
31 #include <stdio.h>
32
33 #include <library.h>
34 #include <debug.h>
35 #include <asn1/oid.h>
36 #include <asn1/asn1.h>
37 #include <asn1/asn1_parser.h>
38 #include <asn1/pem.h>
39 #include <crypto/hashers/hasher.h>
40 #include <utils/linked_list.h>
41 #include <utils/identification.h>
42
43 /**
44 * Different kinds of generalNames
45 */
46 typedef enum {
47 GN_OTHER_NAME = 0,
48 GN_RFC822_NAME = 1,
49 GN_DNS_NAME = 2,
50 GN_X400_ADDRESS = 3,
51 GN_DIRECTORY_NAME = 4,
52 GN_EDI_PARTY_NAME = 5,
53 GN_URI = 6,
54 GN_IP_ADDRESS = 7,
55 GN_REGISTERED_ID = 8,
56 } generalNames_t;
57
58
59 typedef struct private_x509_cert_t private_x509_cert_t;
60
61 /**
62 * Private data of a x509_cert_t object.
63 */
64 struct private_x509_cert_t {
65 /**
66 * Public interface for this certificate.
67 */
68 x509_cert_t public;
69
70 /**
71 * X.509 certificate encoding in ASN.1 DER format
72 */
73 chunk_t encoding;
74
75 /**
76 * SHA1 hash of the DER encoding of this X.509 certificate
77 */
78 chunk_t encoding_hash;
79
80 /**
81 * X.509 certificate body over which signature is computed
82 */
83 chunk_t tbsCertificate;
84
85 /**
86 * Version of the X.509 certificate
87 */
88 u_int version;
89
90 /**
91 * Serial number of the X.509 certificate
92 */
93 chunk_t serialNumber;
94
95 /**
96 * ID representing the certificate issuer
97 */
98 identification_t *issuer;
99
100 /**
101 * Start time of certificate validity
102 */
103 time_t notBefore;
104
105 /**
106 * End time of certificate validity
107 */
108 time_t notAfter;
109
110 /**
111 * ID representing the certificate subject
112 */
113 identification_t *subject;
114
115 /**
116 * List of subjectAltNames as identification_t
117 */
118 linked_list_t *subjectAltNames;
119
120 /**
121 * List of crlDistributionPoints as allocated char*
122 */
123 linked_list_t *crl_uris;
124
125 /**
126 * List ocspAccessLocations as identification_t
127 */
128 linked_list_t *ocsp_uris;
129
130 /**
131 * certificates embedded public key
132 */
133 public_key_t *public_key;
134
135 /**
136 * Subject Key Identifier
137 */
138 chunk_t subjectKeyID;
139
140 /**
141 * Authority Key Identifier
142 */
143 identification_t *authKeyIdentifier;
144
145 /**
146 * Authority Key Serial Number
147 */
148 chunk_t authKeySerialNumber;
149
150 /**
151 * x509 constraints and other flags
152 */
153 x509_flag_t flags;
154
155 /**
156 * Signature algorithm
157 */
158 int algorithm;
159
160 /**
161 * Signature
162 */
163 chunk_t signature;
164
165 /**
166 * Certificate parsed from blob/file?
167 */
168 bool parsed;
169
170 /**
171 * reference count
172 */
173 refcount_t ref;
174 };
175
176 static u_char ASN1_sAN_oid_buf[] = {
177 0x06, 0x03, 0x55, 0x1D, 0x11
178 };
179 static const chunk_t ASN1_subjectAltName_oid = chunk_from_buf(ASN1_sAN_oid_buf);
180
181 /**
182 * ASN.1 definition of a basicConstraints extension
183 */
184 static const asn1Object_t basicConstraintsObjects[] = {
185 { 0, "basicConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
186 { 1, "CA", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 1 */
187 { 1, "pathLenConstraint", ASN1_INTEGER, ASN1_OPT|ASN1_BODY }, /* 2 */
188 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
189 { 0, "exit", ASN1_EOC, ASN1_EXIT }
190 };
191 #define BASIC_CONSTRAINTS_CA 1
192
193 /**
194 * Extracts the basicConstraints extension
195 */
196 static bool parse_basicConstraints(chunk_t blob, int level0)
197 {
198 asn1_parser_t *parser;
199 chunk_t object;
200 int objectID;
201 bool isCA = FALSE;
202
203 parser = asn1_parser_create(basicConstraintsObjects, blob);
204 parser->set_top_level(parser, level0);
205
206 while (parser->iterate(parser, &objectID, &object))
207 {
208 if (objectID == BASIC_CONSTRAINTS_CA)
209 {
210 isCA = object.len && *object.ptr;
211 DBG2(" %s", isCA ? "TRUE" : "FALSE");
212 }
213 }
214 parser->destroy(parser);
215
216 return isCA;
217 }
218
219 /**
220 * ASN.1 definition of otherName
221 */
222 static const asn1Object_t otherNameObjects[] = {
223 {0, "type-id", ASN1_OID, ASN1_BODY }, /* 0 */
224 {0, "value", ASN1_CONTEXT_C_0, ASN1_BODY }, /* 1 */
225 {0, "exit", ASN1_EOC, ASN1_EXIT }
226 };
227 #define ON_OBJ_ID_TYPE 0
228 #define ON_OBJ_VALUE 1
229
230 /**
231 * Extracts an otherName
232 */
233 static bool parse_otherName(chunk_t blob, int level0)
234 {
235 asn1_parser_t *parser;
236 chunk_t object;
237 int objectID;
238 int oid = OID_UNKNOWN;
239 bool success = FALSE;
240
241 parser = asn1_parser_create(otherNameObjects, blob);
242 parser->set_top_level(parser, level0);
243
244 while (parser->iterate(parser, &objectID, &object))
245 {
246 switch (objectID)
247 {
248 case ON_OBJ_ID_TYPE:
249 oid = asn1_known_oid(object);
250 break;
251 case ON_OBJ_VALUE:
252 if (oid == OID_XMPP_ADDR)
253 {
254 if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
255 parser->get_level(parser)+1, "xmppAddr"))
256 {
257 goto end;
258 }
259 }
260 break;
261 default:
262 break;
263 }
264 }
265 success = parser->success(parser);
266
267 end:
268 parser->destroy(parser);
269 return success;
270 }
271
272 /**
273 * ASN.1 definition of generalName
274 */
275 static const asn1Object_t generalNameObjects[] = {
276 { 0, "otherName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_BODY }, /* 0 */
277 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 1 */
278 { 0, "rfc822Name", ASN1_CONTEXT_S_1, ASN1_OPT|ASN1_BODY }, /* 2 */
279 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 3 */
280 { 0, "dnsName", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 4 */
281 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
282 { 0, "x400Address", ASN1_CONTEXT_S_3, ASN1_OPT|ASN1_BODY }, /* 6 */
283 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
284 { 0, "directoryName", ASN1_CONTEXT_C_4, ASN1_OPT|ASN1_BODY }, /* 8 */
285 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
286 { 0, "ediPartyName", ASN1_CONTEXT_C_5, ASN1_OPT|ASN1_BODY }, /* 10 */
287 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
288 { 0, "URI", ASN1_CONTEXT_S_6, ASN1_OPT|ASN1_BODY }, /* 12 */
289 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 13 */
290 { 0, "ipAddress", ASN1_CONTEXT_S_7, ASN1_OPT|ASN1_BODY }, /* 14 */
291 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 15 */
292 { 0, "registeredID", ASN1_CONTEXT_S_8, ASN1_OPT|ASN1_BODY }, /* 16 */
293 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 17 */
294 { 0, "exit", ASN1_EOC, ASN1_EXIT }
295 };
296 #define GN_OBJ_OTHER_NAME 0
297 #define GN_OBJ_RFC822_NAME 2
298 #define GN_OBJ_DNS_NAME 4
299 #define GN_OBJ_X400_ADDRESS 6
300 #define GN_OBJ_DIRECTORY_NAME 8
301 #define GN_OBJ_EDI_PARTY_NAME 10
302 #define GN_OBJ_URI 12
303 #define GN_OBJ_IP_ADDRESS 14
304 #define GN_OBJ_REGISTERED_ID 16
305
306 /**
307 * Extracts a generalName
308 */
309 static identification_t *parse_generalName(chunk_t blob, int level0)
310 {
311 asn1_parser_t *parser;
312 chunk_t object;
313 int objectID ;
314
315 identification_t *gn = NULL;
316
317 parser = asn1_parser_create(generalNameObjects, blob);
318 parser->set_top_level(parser, level0);
319
320 while (parser->iterate(parser, &objectID, &object))
321 {
322 id_type_t id_type = ID_ANY;
323
324 switch (objectID)
325 {
326 case GN_OBJ_RFC822_NAME:
327 id_type = ID_RFC822_ADDR;
328 break;
329 case GN_OBJ_DNS_NAME:
330 id_type = ID_FQDN;
331 break;
332 case GN_OBJ_URI:
333 id_type = ID_DER_ASN1_GN_URI;
334 break;
335 case GN_OBJ_DIRECTORY_NAME:
336 id_type = ID_DER_ASN1_DN;
337 break;
338 case GN_OBJ_IP_ADDRESS:
339 id_type = ID_IPV4_ADDR;
340 break;
341 case GN_OBJ_OTHER_NAME:
342 if (!parse_otherName(object, parser->get_level(parser)+1))
343 {
344 goto end;
345 }
346 break;
347 case GN_OBJ_X400_ADDRESS:
348 case GN_OBJ_EDI_PARTY_NAME:
349 case GN_OBJ_REGISTERED_ID:
350 default:
351 break;
352 }
353 if (id_type != ID_ANY)
354 {
355 gn = identification_create_from_encoding(id_type, object);
356 DBG2(" '%D'", gn);
357 goto end;
358 }
359 }
360
361 end:
362 parser->destroy(parser);
363 return gn;
364 }
365
366 /**
367 * ASN.1 definition of generalNames
368 */
369 static const asn1Object_t generalNamesObjects[] = {
370 { 0, "generalNames", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
371 { 1, "generalName", ASN1_EOC, ASN1_RAW }, /* 1 */
372 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
373 { 0, "exit", ASN1_EOC, ASN1_EXIT }
374 };
375 #define GENERAL_NAMES_GN 1
376
377 /**
378 * Extracts one or several GNs and puts them into a chained list
379 */
380 void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list)
381 {
382 asn1_parser_t *parser;
383 chunk_t object;
384 int objectID;
385
386 parser = asn1_parser_create(generalNamesObjects, blob);
387 parser->set_top_level(parser, level0);
388 parser->set_flags(parser, implicit, FALSE);
389
390 while (parser->iterate(parser, &objectID, &object))
391 {
392 if (objectID == GENERAL_NAMES_GN)
393 {
394 identification_t *gn = parse_generalName(object,
395 parser->get_level(parser)+1);
396
397 if (gn)
398 {
399 list->insert_last(list, (void *)gn);
400 }
401 }
402 }
403 parser->destroy(parser);
404 }
405
406 /**
407 * ASN.1 definition of a authorityKeyIdentifier extension
408 */
409 static const asn1Object_t authKeyIdentifierObjects[] = {
410 { 0, "authorityKeyIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
411 { 1, "keyIdentifier", ASN1_CONTEXT_S_0, ASN1_OPT|ASN1_BODY }, /* 1 */
412 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
413 { 1, "authorityCertIssuer", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_OBJ }, /* 3 */
414 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 4 */
415 { 1, "authorityCertSerialNumber", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 5 */
416 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
417 { 0, "exit", ASN1_EOC, ASN1_EXIT }
418 };
419 #define AUTH_KEY_ID_KEY_ID 1
420 #define AUTH_KEY_ID_CERT_ISSUER 3
421 #define AUTH_KEY_ID_CERT_SERIAL 5
422
423 /**
424 * Extracts an authoritykeyIdentifier
425 */
426 identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
427 chunk_t *authKeySerialNumber)
428 {
429 asn1_parser_t *parser;
430 chunk_t object;
431 int objectID;
432 identification_t *authKeyIdentifier = NULL;
433
434 *authKeySerialNumber = chunk_empty;
435
436 parser = asn1_parser_create(authKeyIdentifierObjects, blob);
437 parser->set_top_level(parser, level0);
438
439 while (parser->iterate(parser, &objectID, &object))
440 {
441 switch (objectID)
442 {
443 case AUTH_KEY_ID_KEY_ID:
444 authKeyIdentifier = identification_create_from_encoding(
445 ID_PUBKEY_SHA1, object);
446 break;
447 case AUTH_KEY_ID_CERT_ISSUER:
448 /* TODO: x509_parse_generalNames(object, level+1, TRUE); */
449 break;
450 case AUTH_KEY_ID_CERT_SERIAL:
451 *authKeySerialNumber = object;
452 break;
453 default:
454 break;
455 }
456 }
457 parser->destroy(parser);
458 return authKeyIdentifier;
459 }
460
461 /**
462 * ASN.1 definition of a authorityInfoAccess extension
463 */
464 static const asn1Object_t authInfoAccessObjects[] = {
465 { 0, "authorityInfoAccess", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
466 { 1, "accessDescription", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
467 { 2, "accessMethod", ASN1_OID, ASN1_BODY }, /* 2 */
468 { 2, "accessLocation", ASN1_EOC, ASN1_RAW }, /* 3 */
469 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
470 { 0, "exit", ASN1_EOC, ASN1_EXIT }
471 };
472 #define AUTH_INFO_ACCESS_METHOD 2
473 #define AUTH_INFO_ACCESS_LOCATION 3
474
475 /**
476 * Extracts an authorityInfoAcess location
477 */
478 static void parse_authorityInfoAccess(chunk_t blob, int level0,
479 private_x509_cert_t *this)
480 {
481 asn1_parser_t *parser;
482 chunk_t object;
483 int objectID;
484 int accessMethod = OID_UNKNOWN;
485
486 parser = asn1_parser_create(authInfoAccessObjects, blob);
487 parser->set_top_level(parser, level0);
488
489 while (parser->iterate(parser, &objectID, &object))
490 {
491 switch (objectID)
492 {
493 case AUTH_INFO_ACCESS_METHOD:
494 accessMethod = asn1_known_oid(object);
495 break;
496 case AUTH_INFO_ACCESS_LOCATION:
497 {
498 switch (accessMethod)
499 {
500 case OID_OCSP:
501 case OID_CA_ISSUERS:
502 {
503 identification_t *id;
504 char *uri;
505
506 id = parse_generalName(object,
507 parser->get_level(parser)+1);
508 if (id == NULL)
509 {
510 /* parsing went wrong - abort */
511 goto end;
512 }
513 DBG2(" '%D'", id);
514 if (accessMethod == OID_OCSP &&
515 asprintf(&uri, "%D", id) > 0)
516 {
517 this->ocsp_uris->insert_last(this->ocsp_uris, uri);
518 }
519 id->destroy(id);
520 }
521 break;
522 default:
523 /* unkown accessMethod, ignoring */
524 break;
525 }
526 break;
527 }
528 default:
529 break;
530 }
531 }
532
533 end:
534 parser->destroy(parser);
535 }
536
537 /**
538 * ASN.1 definition of a extendedKeyUsage extension
539 */
540 static const asn1Object_t extendedKeyUsageObjects[] = {
541 { 0, "extendedKeyUsage", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
542 { 1, "keyPurposeID", ASN1_OID, ASN1_BODY }, /* 1 */
543 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
544 { 0, "exit", ASN1_EOC, ASN1_EXIT }
545 };
546 #define EXT_KEY_USAGE_PURPOSE_ID 1
547
548 /**
549 * Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned
550 */
551 static bool parse_extendedKeyUsage(chunk_t blob, int level0)
552 {
553 asn1_parser_t *parser;
554 chunk_t object;
555 int objectID;
556 bool ocsp_signing = FALSE;
557
558 parser = asn1_parser_create(extendedKeyUsageObjects, blob);
559 parser->set_top_level(parser, level0);
560
561 while (parser->iterate(parser, &objectID, &object))
562 {
563 if (objectID == EXT_KEY_USAGE_PURPOSE_ID &&
564 asn1_known_oid(object) == OID_OCSP_SIGNING)
565 {
566 ocsp_signing = TRUE;
567 }
568 }
569 parser->destroy(parser);
570 return ocsp_signing;
571 }
572
573 /**
574 * ASN.1 definition of crlDistributionPoints
575 */
576 static const asn1Object_t crlDistributionPointsObjects[] = {
577 { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
578 { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
579 { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */
580 { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
581 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
582 { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
583 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
584 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
585 { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
586 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
587 { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_BODY }, /* 10 */
588 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
589 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
590 { 0, "exit", ASN1_EOC, ASN1_EXIT }
591 };
592 #define CRL_DIST_POINTS_FULLNAME 3
593
594 /**
595 * Extracts one or several crlDistributionPoints into a list
596 */
597 static void parse_crlDistributionPoints(chunk_t blob, int level0,
598 private_x509_cert_t *this)
599 {
600 asn1_parser_t *parser;
601 chunk_t object;
602 int objectID;
603 linked_list_t *list = linked_list_create();
604
605 parser = asn1_parser_create(crlDistributionPointsObjects, blob);
606 parser->set_top_level(parser, level0);
607
608 while (parser->iterate(parser, &objectID, &object))
609 {
610 if (objectID == CRL_DIST_POINTS_FULLNAME)
611 {
612 identification_t *id;
613
614 /* append extracted generalNames to existing chained list */
615 x509_parse_generalNames(object, parser->get_level(parser)+1,
616 TRUE, list);
617
618 while (list->remove_last(list, (void**)&id) == SUCCESS)
619 {
620 char *uri;
621
622 if (asprintf(&uri, "%D", id) > 0)
623 {
624 this->crl_uris->insert_last(this->crl_uris, uri);
625 }
626 id->destroy(id);
627 }
628 }
629 }
630 parser->destroy(parser);
631 list->destroy(list);
632 }
633
634 /**
635 * ASN.1 definition of an X.509v3 x509_cert
636 */
637 static const asn1Object_t certObjects[] = {
638 { 0, "x509", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
639 { 1, "tbsCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
640 { 2, "DEFAULT v1", ASN1_CONTEXT_C_0, ASN1_DEF }, /* 2 */
641 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
642 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 4 */
643 { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 5 */
644 { 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
645 { 2, "validity", ASN1_SEQUENCE, ASN1_NONE }, /* 7 */
646 { 3, "notBefore", ASN1_EOC, ASN1_RAW }, /* 8 */
647 { 3, "notAfter", ASN1_EOC, ASN1_RAW }, /* 9 */
648 { 2, "subject", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
649 { 2, "subjectPublicKeyInfo",ASN1_SEQUENCE, ASN1_RAW }, /* 11 */
650 { 2, "issuerUniqueID", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 12 */
651 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 13 */
652 { 2, "subjectUniqueID", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 14 */
653 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 15 */
654 { 2, "optional extensions", ASN1_CONTEXT_C_3, ASN1_OPT }, /* 16 */
655 { 3, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 17 */
656 { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 18 */
657 { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 19 */
658 { 5, "critical", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 20 */
659 { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 21 */
660 { 3, "end loop", ASN1_EOC, ASN1_END }, /* 22 */
661 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 23 */
662 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 24 */
663 { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY }, /* 25 */
664 { 0, "exit", ASN1_EOC, ASN1_EXIT }
665 };
666 #define X509_OBJ_TBS_CERTIFICATE 1
667 #define X509_OBJ_VERSION 3
668 #define X509_OBJ_SERIAL_NUMBER 4
669 #define X509_OBJ_SIG_ALG 5
670 #define X509_OBJ_ISSUER 6
671 #define X509_OBJ_NOT_BEFORE 8
672 #define X509_OBJ_NOT_AFTER 9
673 #define X509_OBJ_SUBJECT 10
674 #define X509_OBJ_SUBJECT_PUBLIC_KEY_INFO 11
675 #define X509_OBJ_EXTN_ID 19
676 #define X509_OBJ_CRITICAL 20
677 #define X509_OBJ_EXTN_VALUE 21
678 #define X509_OBJ_ALGORITHM 24
679 #define X509_OBJ_SIGNATURE 25
680
681 /**
682 * Parses an X.509v3 certificate
683 */
684 static bool parse_certificate(private_x509_cert_t *this)
685 {
686 asn1_parser_t *parser;
687 chunk_t object;
688 int objectID;
689 int extn_oid = OID_UNKNOWN;
690 int sig_alg = OID_UNKNOWN;
691 bool success = FALSE;
692 bool critical;
693
694 parser = asn1_parser_create(certObjects, this->encoding);
695
696 while (parser->iterate(parser, &objectID, &object))
697 {
698 u_int level = parser->get_level(parser)+1;
699
700 switch (objectID)
701 {
702 case X509_OBJ_TBS_CERTIFICATE:
703 this->tbsCertificate = object;
704 break;
705 case X509_OBJ_VERSION:
706 this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
707 DBG2(" v%d", this->version);
708 break;
709 case X509_OBJ_SERIAL_NUMBER:
710 this->serialNumber = object;
711 break;
712 case X509_OBJ_SIG_ALG:
713 sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
714 break;
715 case X509_OBJ_ISSUER:
716 this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
717 DBG2(" '%D'", this->issuer);
718 break;
719 case X509_OBJ_NOT_BEFORE:
720 this->notBefore = asn1_parse_time(object, level);
721 break;
722 case X509_OBJ_NOT_AFTER:
723 this->notAfter = asn1_parse_time(object, level);
724 break;
725 case X509_OBJ_SUBJECT:
726 this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
727 DBG2(" '%D'", this->subject);
728 break;
729 case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
730 this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
731 KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
732 if (this->public_key == NULL)
733 {
734 DBG1("could not create public key");
735 goto end;
736 }
737 break;
738 case X509_OBJ_EXTN_ID:
739 extn_oid = asn1_known_oid(object);
740 break;
741 case X509_OBJ_CRITICAL:
742 critical = object.len && *object.ptr;
743 DBG2(" %s", critical ? "TRUE" : "FALSE");
744 break;
745 case X509_OBJ_EXTN_VALUE:
746 {
747 switch (extn_oid)
748 {
749 case OID_SUBJECT_KEY_ID:
750 if (!asn1_parse_simple_object(&object, ASN1_OCTET_STRING,
751 level, "keyIdentifier"))
752 {
753 goto end;
754 }
755 this->subjectKeyID = object;
756 break;
757 case OID_SUBJECT_ALT_NAME:
758 x509_parse_generalNames(object, level, FALSE,
759 this->subjectAltNames);
760 break;
761 case OID_BASIC_CONSTRAINTS:
762 if (parse_basicConstraints(object, level))
763 {
764 this->flags |= X509_CA;
765 }
766 break;
767 case OID_CRL_DISTRIBUTION_POINTS:
768 parse_crlDistributionPoints(object, level, this);
769 break;
770 case OID_AUTHORITY_KEY_ID:
771 this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
772 level, &this->authKeySerialNumber);
773 break;
774 case OID_AUTHORITY_INFO_ACCESS:
775 parse_authorityInfoAccess(object, level, this);
776 break;
777 case OID_EXTENDED_KEY_USAGE:
778 if (parse_extendedKeyUsage(object, level))
779 {
780 this->flags |= X509_OCSP_SIGNER;
781 }
782 break;
783 case OID_NS_REVOCATION_URL:
784 case OID_NS_CA_REVOCATION_URL:
785 case OID_NS_CA_POLICY_URL:
786 case OID_NS_COMMENT:
787 if (!asn1_parse_simple_object(&object, ASN1_IA5STRING,
788 level, oid_names[extn_oid].name))
789 {
790 goto end;
791 }
792 break;
793 default:
794 break;
795 }
796 break;
797 }
798 case X509_OBJ_ALGORITHM:
799 this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
800 if (this->algorithm != sig_alg)
801 {
802 DBG1(" signature algorithms do not agree");
803 goto end;
804 }
805 break;
806 case X509_OBJ_SIGNATURE:
807 this->signature = object;
808 break;
809 default:
810 break;
811 }
812 }
813 success = parser->success(parser);
814
815 end:
816 parser->destroy(parser);
817 return success;
818 }
819
820 /**
821 * Implementation of certificate_t.get_type
822 */
823 static certificate_type_t get_type(private_x509_cert_t *this)
824 {
825 return CERT_X509;
826 }
827
828 /**
829 * Implementation of certificate_t.get_subject
830 */
831 static identification_t* get_subject(private_x509_cert_t *this)
832 {
833 return this->subject;
834 }
835
836 /**
837 * Implementation of certificate_t.get_issuer
838 */
839 static identification_t* get_issuer(private_x509_cert_t *this)
840 {
841 return this->issuer;
842 }
843
844 /**
845 * Implementation of certificate_t.has_subject.
846 */
847 static id_match_t has_subject(private_x509_cert_t *this, identification_t *subject)
848 {
849 identification_t *current;
850 enumerator_t *enumerator;
851 id_match_t match, best;
852
853 if (this->encoding_hash.ptr && subject->get_type(subject) == ID_CERT_DER_SHA1 &&
854 chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
855 {
856 return ID_MATCH_PERFECT;
857 }
858
859 best = this->subject->matches(this->subject, subject);
860 enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
861 while (enumerator->enumerate(enumerator, &current))
862 {
863 match = current->matches(current, subject);
864 if (match > best)
865 {
866 best = match;
867 }
868 }
869 enumerator->destroy(enumerator);
870 return best;
871 }
872
873 /**
874 * Implementation of certificate_t.has_subject.
875 */
876 static id_match_t has_issuer(private_x509_cert_t *this, identification_t *issuer)
877 {
878 /* issuerAltNames currently not supported */
879 return this->issuer->matches(this->issuer, issuer);
880 }
881
882 /**
883 * Implementation of certificate_t.issued_by
884 */
885 static bool issued_by(private_x509_cert_t *this, certificate_t *issuer)
886 {
887 public_key_t *key;
888 signature_scheme_t scheme;
889 bool valid;
890 x509_t *x509 = (x509_t*)issuer;
891
892 if (&this->public.interface.interface == issuer)
893 {
894 if (this->flags & X509_SELF_SIGNED)
895 {
896 return TRUE;
897 }
898 }
899 else
900 {
901 if (issuer->get_type(issuer) != CERT_X509)
902 {
903 POS;
904 return FALSE;
905 }
906 if (!(x509->get_flags(x509) & X509_CA))
907 {
908 POS;
909 return FALSE;
910 }
911 }
912 if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
913 {
914 return FALSE;
915 }
916 /* TODO: generic OID to scheme mapper? */
917 switch (this->algorithm)
918 {
919 case OID_MD5_WITH_RSA:
920 scheme = SIGN_RSA_EMSA_PKCS1_MD5;
921 break;
922 case OID_SHA1_WITH_RSA:
923 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
924 break;
925 case OID_SHA256_WITH_RSA:
926 scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
927 break;
928 case OID_SHA384_WITH_RSA:
929 scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
930 break;
931 case OID_SHA512_WITH_RSA:
932 scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
933 break;
934 case OID_ECDSA_WITH_SHA1:
935 scheme = SIGN_ECDSA_WITH_SHA1;
936 break;
937 default:
938 POS;
939 return FALSE;
940 }
941 key = issuer->get_public_key(issuer);
942 if (key == NULL)
943 {
944 POS;
945 return FALSE;
946 }
947 /* TODO: add a lightweight check option (comparing auth/subject keyids only) */
948 valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
949 key->destroy(key);
950 return valid;
951 }
952
953 /**
954 * Implementation of certificate_t.get_public_key
955 */
956 static public_key_t* get_public_key(private_x509_cert_t *this)
957 {
958 this->public_key->get_ref(this->public_key);
959 return this->public_key;
960 }
961
962 /**
963 * Implementation of certificate_t.asdf
964 */
965 static private_x509_cert_t* get_ref(private_x509_cert_t *this)
966 {
967 ref_get(&this->ref);
968 return this;
969 }
970
971 /**
972 * Implementation of x509_cert_t.get_flags.
973 */
974 static x509_flag_t get_flags(private_x509_cert_t *this)
975 {
976 return this->flags;
977 }
978
979 /**
980 * Implementation of x509_cert_t.get_validity.
981 */
982 static bool get_validity(private_x509_cert_t *this, time_t *when,
983 time_t *not_before, time_t *not_after)
984 {
985 time_t t;
986
987 if (when)
988 {
989 t = *when;
990 }
991 else
992 {
993 t = time(NULL);
994 }
995 if (not_before)
996 {
997 *not_before = this->notBefore;
998 }
999 if (not_after)
1000 {
1001 *not_after = this->notAfter;
1002 }
1003 return (t >= this->notBefore && t <= this->notAfter);
1004 }
1005
1006 /**
1007 * Implementation of certificate_t.is_newer.
1008 */
1009 static bool is_newer(certificate_t *this, certificate_t *that)
1010 {
1011 time_t this_update, that_update, now = time(NULL);
1012 bool new;
1013
1014 this->get_validity(this, &now, &this_update, NULL);
1015 that->get_validity(that, &now, &that_update, NULL);
1016 new = this_update > that_update;
1017 DBG1(" certificate from %#T is %s - existing certificate from %#T %s",
1018 &this_update, FALSE, new ? "newer":"not newer",
1019 &that_update, FALSE, new ? "replaced":"retained");
1020 return new;
1021 }
1022
1023 /**
1024 * Implementation of certificate_t.get_encoding.
1025 */
1026 static chunk_t get_encoding(private_x509_cert_t *this)
1027 {
1028 return chunk_clone(this->encoding);
1029 }
1030
1031 /**
1032 * Implementation of certificate_t.equals.
1033 */
1034 static bool equals(private_x509_cert_t *this, certificate_t *other)
1035 {
1036 chunk_t encoding;
1037 bool equal;
1038
1039 if (this == (private_x509_cert_t*)other)
1040 {
1041 return TRUE;
1042 }
1043 if (other->get_type(other) != CERT_X509)
1044 {
1045 return FALSE;
1046 }
1047 if (other->equals == (void*)equals)
1048 { /* skip allocation if we have the same implementation */
1049 return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding);
1050 }
1051 encoding = other->get_encoding(other);
1052 equal = chunk_equals(this->encoding, encoding);
1053 free(encoding.ptr);
1054 return equal;
1055 }
1056
1057 /**
1058 * Implementation of x509_t.get_serial.
1059 */
1060 static chunk_t get_serial(private_x509_cert_t *this)
1061 {
1062 return this->serialNumber;
1063 }
1064
1065 /**
1066 * Implementation of x509_t.get_authKeyIdentifier.
1067 */
1068 static identification_t *get_authKeyIdentifier(private_x509_cert_t *this)
1069 {
1070 return this->authKeyIdentifier;
1071 }
1072
1073 /**
1074 * Implementation of x509_cert_t.create_subjectAltName_enumerator.
1075 */
1076 static enumerator_t* create_subjectAltName_enumerator(private_x509_cert_t *this)
1077 {
1078 return this->subjectAltNames->create_enumerator(this->subjectAltNames);
1079 }
1080
1081 /**
1082 * Implementation of x509_cert_t.create_ocsp_uri_enumerator.
1083 */
1084 static enumerator_t* create_ocsp_uri_enumerator(private_x509_cert_t *this)
1085 {
1086 return this->ocsp_uris->create_enumerator(this->ocsp_uris);
1087 }
1088
1089 /**
1090 * Implementation of x509_cert_t.create_crl_uri_enumerator.
1091 */
1092 static enumerator_t* create_crl_uri_enumerator(private_x509_cert_t *this)
1093 {
1094 return this->crl_uris->create_enumerator(this->crl_uris);
1095 }
1096
1097 /**
1098 * Implementation of certificate_t.asdf
1099 */
1100 static void destroy(private_x509_cert_t *this)
1101 {
1102 if (ref_put(&this->ref))
1103 {
1104 this->subjectAltNames->destroy_offset(this->subjectAltNames,
1105 offsetof(identification_t, destroy));
1106 this->crl_uris->destroy_function(this->crl_uris, free);
1107 this->ocsp_uris->destroy_function(this->ocsp_uris, free);
1108 DESTROY_IF(this->issuer);
1109 DESTROY_IF(this->subject);
1110 DESTROY_IF(this->public_key);
1111 DESTROY_IF(this->authKeyIdentifier);
1112 chunk_free(&this->encoding);
1113 chunk_free(&this->encoding_hash);
1114 if (!this->parsed)
1115 { /* only parsed certificates point these fields to "encoded" */
1116 chunk_free(&this->signature);
1117 chunk_free(&this->serialNumber);
1118 chunk_free(&this->tbsCertificate);
1119 }
1120 free(this);
1121 }
1122 }
1123
1124 /**
1125 * create an empty but initialized X.509 certificate
1126 */
1127 static private_x509_cert_t* create_empty(void)
1128 {
1129 private_x509_cert_t *this = malloc_thing(private_x509_cert_t);
1130
1131 this->public.interface.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
1132 this->public.interface.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
1133 this->public.interface.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
1134 this->public.interface.interface.has_subject = (id_match_t (*)(certificate_t*, identification_t *subject))has_subject;
1135 this->public.interface.interface.has_issuer = (id_match_t (*)(certificate_t*, identification_t *issuer))has_issuer;
1136 this->public.interface.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
1137 this->public.interface.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
1138 this->public.interface.interface.get_validity = (bool (*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
1139 this->public.interface.interface.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer;
1140 this->public.interface.interface.get_encoding = (chunk_t (*)(certificate_t*))get_encoding;
1141 this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t *other))equals;
1142 this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
1143 this->public.interface.interface.destroy = (void (*)(certificate_t *this))destroy;
1144 this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags;
1145 this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial;
1146 this->public.interface.get_authKeyIdentifier = (identification_t* (*)(x509_t*))get_authKeyIdentifier;
1147 this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator;
1148 this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator;
1149 this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator;
1150
1151 this->encoding = chunk_empty;
1152 this->encoding_hash = chunk_empty;
1153 this->tbsCertificate = chunk_empty;
1154 this->version = 3;
1155 this->serialNumber = chunk_empty;
1156 this->notBefore = 0;
1157 this->notAfter = 0;
1158 this->public_key = NULL;
1159 this->subject = NULL;
1160 this->issuer = NULL;
1161 this->subjectAltNames = linked_list_create();
1162 this->crl_uris = linked_list_create();
1163 this->ocsp_uris = linked_list_create();
1164 this->subjectKeyID = chunk_empty;
1165 this->authKeyIdentifier = NULL;
1166 this->authKeySerialNumber = chunk_empty;
1167 this->algorithm = 0;
1168 this->signature = chunk_empty;
1169 this->flags = 0;
1170 this->ref = 1;
1171 this->parsed = FALSE;
1172
1173 return this;
1174 }
1175
1176 /**
1177 * create an X.509 certificate from a chunk
1178 */
1179 static private_x509_cert_t *create_from_chunk(chunk_t chunk)
1180 {
1181 hasher_t *hasher;
1182 private_x509_cert_t *this = create_empty();
1183
1184 this->encoding = chunk;
1185 if (!parse_certificate(this))
1186 {
1187 destroy(this);
1188 return NULL;
1189 }
1190
1191 /* check if the certificate is self-signed */
1192 if (issued_by(this, &this->public.interface.interface))
1193 {
1194 this->flags |= X509_SELF_SIGNED;
1195 }
1196
1197 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1198 if (hasher != NULL)
1199 {
1200 hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
1201 hasher->destroy(hasher);
1202 }
1203 else
1204 {
1205 DBG1(" unable to create hash of certificate, SHA1 not supported");
1206 }
1207
1208 this->parsed = TRUE;
1209 return this;
1210 }
1211
1212 /**
1213 * create an X.509 certificate from a file
1214 */
1215 static private_x509_cert_t *create_from_file(char *path)
1216 {
1217 bool pgp = FALSE;
1218 chunk_t chunk;
1219 private_x509_cert_t *this;
1220
1221 if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
1222 {
1223 return NULL;
1224 }
1225
1226 this = create_from_chunk(chunk);
1227
1228 if (this == NULL)
1229 {
1230 DBG1(" could not parse loaded certificate file '%s'",path);
1231 return NULL;
1232 }
1233 DBG1(" loaded certificate file '%s'", path);
1234 return this;
1235 }
1236
1237 typedef struct private_builder_t private_builder_t;
1238 /**
1239 * Builder implementation for certificate loading
1240 */
1241 struct private_builder_t {
1242 /** implements the builder interface */
1243 builder_t public;
1244 /** loaded certificate */
1245 private_x509_cert_t *cert;
1246 /** additional flags to enforce */
1247 x509_flag_t flags;
1248 /** certificate to sign, if we generate a new cert */
1249 certificate_t *sign_cert;
1250 /** private key to sign, if we generate a new cert */
1251 private_key_t *sign_key;
1252 };
1253
1254 /**
1255 * Generate and sign a new certificate
1256 */
1257 static bool generate(private_builder_t *this)
1258 {
1259 chunk_t extensions = chunk_empty;
1260 identification_t *issuer, *subject;
1261 chunk_t key_info, key;
1262 signature_scheme_t scheme;
1263 hasher_t *hasher;
1264
1265 subject = this->cert->subject;
1266 if (this->sign_cert)
1267 {
1268 issuer = this->sign_cert->get_subject(this->sign_cert);
1269 if (!this->cert->public_key)
1270 {
1271 return FALSE;
1272 }
1273 }
1274 else
1275 { /* self signed */
1276 issuer = subject;
1277 if (!this->cert->public_key)
1278 {
1279 this->cert->public_key = this->sign_key->get_public_key(this->sign_key);
1280 }
1281 this->flags |= X509_SELF_SIGNED;
1282 }
1283 this->cert->issuer = issuer->clone(issuer);
1284 if (!this->cert->notBefore)
1285 {
1286 this->cert->notBefore = time(NULL);
1287 }
1288 if (!this->cert->notAfter)
1289 { /* defaults to 1 years from now on */
1290 this->cert->notAfter = this->cert->notBefore + 60 * 60 * 24 * 365;
1291 }
1292 this->cert->flags = this->flags;
1293
1294 switch (this->sign_key->get_type(this->sign_key))
1295 {
1296 case KEY_RSA:
1297 this->cert->algorithm = OID_SHA1_WITH_RSA;
1298 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
1299 break;
1300 default:
1301 return FALSE;
1302 }
1303
1304 switch (this->cert->public_key->get_type(this->cert->public_key))
1305 {
1306 case KEY_RSA:
1307 key = this->cert->public_key->get_encoding(this->cert->public_key);
1308 key_info = asn1_wrap(ASN1_SEQUENCE, "cm",
1309 asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
1310 asn1_bitstring("m", key));
1311 break;
1312 default:
1313 return FALSE;
1314 }
1315
1316 if (this->cert->subjectAltNames->get_count(this->cert->subjectAltNames))
1317 {
1318 /* TODO: encode subjectAltNames */
1319 }
1320
1321 this->cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmccmcmm",
1322 asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
1323 asn1_simple_object(ASN1_INTEGER, this->cert->serialNumber),
1324 asn1_algorithmIdentifier(this->cert->algorithm),
1325 issuer->get_encoding(issuer),
1326 asn1_wrap(ASN1_SEQUENCE, "mm",
1327 asn1_from_time(&this->cert->notBefore, ASN1_UTCTIME),
1328 asn1_from_time(&this->cert->notAfter, ASN1_UTCTIME)),
1329 subject->get_encoding(subject),
1330 key_info, extensions);
1331
1332 if (!this->sign_key->sign(this->sign_key, scheme,
1333 this->cert->tbsCertificate, &this->cert->signature))
1334 {
1335 return FALSE;
1336 }
1337 this->cert->encoding = asn1_wrap(ASN1_SEQUENCE, "ccm",
1338 this->cert->tbsCertificate,
1339 asn1_algorithmIdentifier(this->cert->algorithm),
1340 asn1_bitstring("c", this->cert->signature));
1341
1342 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1343 if (!hasher)
1344 {
1345 return FALSE;
1346 }
1347 hasher->allocate_hash(hasher, this->cert->encoding,
1348 &this->cert->encoding_hash);
1349 hasher->destroy(hasher);
1350 return TRUE;
1351 }
1352
1353 /**
1354 * Implementation of builder_t.build
1355 */
1356 static private_x509_cert_t *build(private_builder_t *this)
1357 {
1358 private_x509_cert_t *cert;
1359 x509_flag_t flags;
1360
1361 if (this->cert && !this->cert->encoding.ptr)
1362 {
1363 if (!this->sign_key || !this->cert ||
1364 !generate(this))
1365 {
1366 destroy(this->cert);
1367 free(this);
1368 return NULL;
1369 }
1370 }
1371 cert = this->cert;
1372 flags = this->flags;
1373 free(this);
1374 if (cert == NULL)
1375 {
1376 return NULL;
1377 }
1378
1379 if ((flags & X509_CA) && !(cert->flags & X509_CA))
1380 {
1381 DBG1(" ca certificate must have ca basic constraint set, discarded");
1382 destroy(cert);
1383 return NULL;
1384 }
1385 cert->flags |= flags;
1386 return cert;
1387 }
1388
1389 /**
1390 * Implementation of builder_t.add
1391 */
1392 static void add(private_builder_t *this, builder_part_t part, ...)
1393 {
1394 va_list args;
1395 chunk_t chunk;
1396 bool handled = TRUE;
1397
1398 va_start(args, part);
1399 switch (part)
1400 {
1401 case BUILD_FROM_FILE:
1402 this->cert = create_from_file(va_arg(args, char*));
1403 break;
1404 case BUILD_BLOB_ASN1_DER:
1405 chunk = va_arg(args, chunk_t);
1406 this->cert = create_from_chunk(chunk_clone(chunk));
1407 break;
1408 case BUILD_X509_FLAG:
1409 this->flags = va_arg(args, x509_flag_t);
1410 break;
1411 case BUILD_SIGNING_KEY:
1412 this->sign_key = va_arg(args, private_key_t*);
1413 break;
1414 case BUILD_SIGNING_CERT:
1415 this->sign_cert = va_arg(args, certificate_t*);
1416 break;
1417 default:
1418 /* all other parts need an empty cert */
1419 if (!this->cert)
1420 {
1421 this->cert = create_empty();
1422 }
1423 handled = FALSE;
1424 break;
1425 }
1426 if (handled)
1427 {
1428 va_end(args);
1429 return;
1430 }
1431
1432 switch (part)
1433 {
1434 case BUILD_PUBLIC_KEY:
1435 {
1436 public_key_t *key = va_arg(args, public_key_t*);
1437 this->cert->public_key = key->get_ref(key);
1438 break;
1439 }
1440 case BUILD_SUBJECT:
1441 {
1442 identification_t *id = va_arg(args, identification_t*);
1443 this->cert->subject = id->clone(id);
1444 break;
1445 }
1446 case BUILD_SUBJECT_ALTNAME:
1447 {
1448 identification_t *id = va_arg(args, identification_t*);
1449 this->cert->subjectAltNames->insert_last(
1450 this->cert->subjectAltNames, id->clone(id));
1451 break;
1452 }
1453 case BUILD_NOT_BEFORE_TIME:
1454 this->cert->notBefore = va_arg(args, time_t);
1455 break;
1456 case BUILD_NOT_AFTER_TIME:
1457 this->cert->notAfter = va_arg(args, time_t);
1458 break;
1459 case BUILD_SERIAL:
1460 {
1461 chunk_t serial = va_arg(args, chunk_t);
1462 this->cert->serialNumber = chunk_clone(serial);
1463 break;
1464 }
1465 default:
1466 /* abort if unsupported option */
1467 if (this->cert)
1468 {
1469 destroy(this->cert);
1470 }
1471 builder_cancel(&this->public);
1472 break;
1473 }
1474 va_end(args);
1475 }
1476
1477 /**
1478 * Builder construction function
1479 */
1480 builder_t *x509_cert_builder(certificate_type_t type)
1481 {
1482 private_builder_t *this;
1483
1484 if (type != CERT_X509)
1485 {
1486 return NULL;
1487 }
1488
1489 this = malloc_thing(private_builder_t);
1490
1491 this->cert = NULL;
1492 this->flags = 0;
1493 this->sign_cert = NULL;
1494 this->sign_key = NULL;
1495 this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
1496 this->public.build = (void*(*)(builder_t *this))build;
1497
1498 return &this->public;
1499 }
1500