hide credentials headers in credential_factory.h
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_cert.c
1 /*
2 * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
3 * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
4 * Copyright (C) 2002 Mario Strasser
5 * Copyright (C) 2000-2006 Andreas Steffen
6 * Copyright (C) 2006-2008 Martin Willi
7 * Copyright (C) 2008 Tobias Brunner
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #define _GNU_SOURCE
22
23 #include "x509_cert.h"
24
25 #include <sys/stat.h>
26 #include <time.h>
27 #include <unistd.h>
28 #include <string.h>
29 #include <stdio.h>
30
31 #include <library.h>
32 #include <debug.h>
33 #include <asn1/oid.h>
34 #include <asn1/asn1.h>
35 #include <asn1/asn1_parser.h>
36 #include <asn1/pem.h>
37 #include <crypto/hashers/hasher.h>
38 #include <credentials/keys/private_key.h>
39 #include <utils/linked_list.h>
40 #include <utils/identification.h>
41
42 /**
43 * Different kinds of generalNames
44 */
45 typedef enum {
46 GN_OTHER_NAME = 0,
47 GN_RFC822_NAME = 1,
48 GN_DNS_NAME = 2,
49 GN_X400_ADDRESS = 3,
50 GN_DIRECTORY_NAME = 4,
51 GN_EDI_PARTY_NAME = 5,
52 GN_URI = 6,
53 GN_IP_ADDRESS = 7,
54 GN_REGISTERED_ID = 8,
55 } generalNames_t;
56
57
58 typedef struct private_x509_cert_t private_x509_cert_t;
59
60 /**
61 * Private data of a x509_cert_t object.
62 */
63 struct private_x509_cert_t {
64 /**
65 * Public interface for this certificate.
66 */
67 x509_cert_t public;
68
69 /**
70 * X.509 certificate encoding in ASN.1 DER format
71 */
72 chunk_t encoding;
73
74 /**
75 * SHA1 hash of the DER encoding of this X.509 certificate
76 */
77 chunk_t encoding_hash;
78
79 /**
80 * X.509 certificate body over which signature is computed
81 */
82 chunk_t tbsCertificate;
83
84 /**
85 * Version of the X.509 certificate
86 */
87 u_int version;
88
89 /**
90 * Serial number of the X.509 certificate
91 */
92 chunk_t serialNumber;
93
94 /**
95 * ID representing the certificate issuer
96 */
97 identification_t *issuer;
98
99 /**
100 * Start time of certificate validity
101 */
102 time_t notBefore;
103
104 /**
105 * End time of certificate validity
106 */
107 time_t notAfter;
108
109 /**
110 * ID representing the certificate subject
111 */
112 identification_t *subject;
113
114 /**
115 * List of subjectAltNames as identification_t
116 */
117 linked_list_t *subjectAltNames;
118
119 /**
120 * List of crlDistributionPoints as allocated char*
121 */
122 linked_list_t *crl_uris;
123
124 /**
125 * List ocspAccessLocations as identification_t
126 */
127 linked_list_t *ocsp_uris;
128
129 /**
130 * certificates embedded public key
131 */
132 public_key_t *public_key;
133
134 /**
135 * Subject Key Identifier
136 */
137 chunk_t subjectKeyID;
138
139 /**
140 * Authority Key Identifier
141 */
142 identification_t *authKeyIdentifier;
143
144 /**
145 * Authority Key Serial Number
146 */
147 chunk_t authKeySerialNumber;
148
149 /**
150 * x509 constraints and other flags
151 */
152 x509_flag_t flags;
153
154 /**
155 * Signature algorithm
156 */
157 int algorithm;
158
159 /**
160 * Signature
161 */
162 chunk_t signature;
163
164 /**
165 * Certificate parsed from blob/file?
166 */
167 bool parsed;
168
169 /**
170 * reference count
171 */
172 refcount_t ref;
173 };
174
175 static u_char ASN1_sAN_oid_buf[] = {
176 0x06, 0x03, 0x55, 0x1D, 0x11
177 };
178 static const chunk_t ASN1_subjectAltName_oid = chunk_from_buf(ASN1_sAN_oid_buf);
179
180 /**
181 * ASN.1 definition of a basicConstraints extension
182 */
183 static const asn1Object_t basicConstraintsObjects[] = {
184 { 0, "basicConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
185 { 1, "CA", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 1 */
186 { 1, "pathLenConstraint", ASN1_INTEGER, ASN1_OPT|ASN1_BODY }, /* 2 */
187 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
188 { 0, "exit", ASN1_EOC, ASN1_EXIT }
189 };
190 #define BASIC_CONSTRAINTS_CA 1
191
192 /**
193 * Extracts the basicConstraints extension
194 */
195 static bool parse_basicConstraints(chunk_t blob, int level0)
196 {
197 asn1_parser_t *parser;
198 chunk_t object;
199 int objectID;
200 bool isCA = FALSE;
201
202 parser = asn1_parser_create(basicConstraintsObjects, blob);
203 parser->set_top_level(parser, level0);
204
205 while (parser->iterate(parser, &objectID, &object))
206 {
207 if (objectID == BASIC_CONSTRAINTS_CA)
208 {
209 isCA = object.len && *object.ptr;
210 DBG2(" %s", isCA ? "TRUE" : "FALSE");
211 }
212 }
213 parser->destroy(parser);
214
215 return isCA;
216 }
217
218 /**
219 * ASN.1 definition of otherName
220 */
221 static const asn1Object_t otherNameObjects[] = {
222 {0, "type-id", ASN1_OID, ASN1_BODY }, /* 0 */
223 {0, "value", ASN1_CONTEXT_C_0, ASN1_BODY }, /* 1 */
224 {0, "exit", ASN1_EOC, ASN1_EXIT }
225 };
226 #define ON_OBJ_ID_TYPE 0
227 #define ON_OBJ_VALUE 1
228
229 /**
230 * Extracts an otherName
231 */
232 static bool parse_otherName(chunk_t blob, int level0)
233 {
234 asn1_parser_t *parser;
235 chunk_t object;
236 int objectID;
237 int oid = OID_UNKNOWN;
238 bool success = FALSE;
239
240 parser = asn1_parser_create(otherNameObjects, blob);
241 parser->set_top_level(parser, level0);
242
243 while (parser->iterate(parser, &objectID, &object))
244 {
245 switch (objectID)
246 {
247 case ON_OBJ_ID_TYPE:
248 oid = asn1_known_oid(object);
249 break;
250 case ON_OBJ_VALUE:
251 if (oid == OID_XMPP_ADDR)
252 {
253 if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
254 parser->get_level(parser)+1, "xmppAddr"))
255 {
256 goto end;
257 }
258 }
259 break;
260 default:
261 break;
262 }
263 }
264 success = parser->success(parser);
265
266 end:
267 parser->destroy(parser);
268 return success;
269 }
270
271 /**
272 * ASN.1 definition of generalName
273 */
274 static const asn1Object_t generalNameObjects[] = {
275 { 0, "otherName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_BODY }, /* 0 */
276 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 1 */
277 { 0, "rfc822Name", ASN1_CONTEXT_S_1, ASN1_OPT|ASN1_BODY }, /* 2 */
278 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 3 */
279 { 0, "dnsName", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 4 */
280 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
281 { 0, "x400Address", ASN1_CONTEXT_S_3, ASN1_OPT|ASN1_BODY }, /* 6 */
282 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
283 { 0, "directoryName", ASN1_CONTEXT_C_4, ASN1_OPT|ASN1_BODY }, /* 8 */
284 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
285 { 0, "ediPartyName", ASN1_CONTEXT_C_5, ASN1_OPT|ASN1_BODY }, /* 10 */
286 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
287 { 0, "URI", ASN1_CONTEXT_S_6, ASN1_OPT|ASN1_BODY }, /* 12 */
288 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 13 */
289 { 0, "ipAddress", ASN1_CONTEXT_S_7, ASN1_OPT|ASN1_BODY }, /* 14 */
290 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 15 */
291 { 0, "registeredID", ASN1_CONTEXT_S_8, ASN1_OPT|ASN1_BODY }, /* 16 */
292 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 17 */
293 { 0, "exit", ASN1_EOC, ASN1_EXIT }
294 };
295 #define GN_OBJ_OTHER_NAME 0
296 #define GN_OBJ_RFC822_NAME 2
297 #define GN_OBJ_DNS_NAME 4
298 #define GN_OBJ_X400_ADDRESS 6
299 #define GN_OBJ_DIRECTORY_NAME 8
300 #define GN_OBJ_EDI_PARTY_NAME 10
301 #define GN_OBJ_URI 12
302 #define GN_OBJ_IP_ADDRESS 14
303 #define GN_OBJ_REGISTERED_ID 16
304
305 /**
306 * Extracts a generalName
307 */
308 static identification_t *parse_generalName(chunk_t blob, int level0)
309 {
310 asn1_parser_t *parser;
311 chunk_t object;
312 int objectID ;
313
314 identification_t *gn = NULL;
315
316 parser = asn1_parser_create(generalNameObjects, blob);
317 parser->set_top_level(parser, level0);
318
319 while (parser->iterate(parser, &objectID, &object))
320 {
321 id_type_t id_type = ID_ANY;
322
323 switch (objectID)
324 {
325 case GN_OBJ_RFC822_NAME:
326 id_type = ID_RFC822_ADDR;
327 break;
328 case GN_OBJ_DNS_NAME:
329 id_type = ID_FQDN;
330 break;
331 case GN_OBJ_URI:
332 id_type = ID_DER_ASN1_GN_URI;
333 break;
334 case GN_OBJ_DIRECTORY_NAME:
335 id_type = ID_DER_ASN1_DN;
336 break;
337 case GN_OBJ_IP_ADDRESS:
338 id_type = ID_IPV4_ADDR;
339 break;
340 case GN_OBJ_OTHER_NAME:
341 if (!parse_otherName(object, parser->get_level(parser)+1))
342 {
343 goto end;
344 }
345 break;
346 case GN_OBJ_X400_ADDRESS:
347 case GN_OBJ_EDI_PARTY_NAME:
348 case GN_OBJ_REGISTERED_ID:
349 default:
350 break;
351 }
352 if (id_type != ID_ANY)
353 {
354 gn = identification_create_from_encoding(id_type, object);
355 DBG2(" '%Y'", gn);
356 goto end;
357 }
358 }
359
360 end:
361 parser->destroy(parser);
362 return gn;
363 }
364
365 /**
366 * ASN.1 definition of generalNames
367 */
368 static const asn1Object_t generalNamesObjects[] = {
369 { 0, "generalNames", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
370 { 1, "generalName", ASN1_EOC, ASN1_RAW }, /* 1 */
371 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
372 { 0, "exit", ASN1_EOC, ASN1_EXIT }
373 };
374 #define GENERAL_NAMES_GN 1
375
376 /**
377 * Extracts one or several GNs and puts them into a chained list
378 */
379 void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list)
380 {
381 asn1_parser_t *parser;
382 chunk_t object;
383 int objectID;
384
385 parser = asn1_parser_create(generalNamesObjects, blob);
386 parser->set_top_level(parser, level0);
387 parser->set_flags(parser, implicit, FALSE);
388
389 while (parser->iterate(parser, &objectID, &object))
390 {
391 if (objectID == GENERAL_NAMES_GN)
392 {
393 identification_t *gn = parse_generalName(object,
394 parser->get_level(parser)+1);
395
396 if (gn)
397 {
398 list->insert_last(list, (void *)gn);
399 }
400 }
401 }
402 parser->destroy(parser);
403 }
404
405 /**
406 * ASN.1 definition of a authorityKeyIdentifier extension
407 */
408 static const asn1Object_t authKeyIdentifierObjects[] = {
409 { 0, "authorityKeyIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
410 { 1, "keyIdentifier", ASN1_CONTEXT_S_0, ASN1_OPT|ASN1_BODY }, /* 1 */
411 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
412 { 1, "authorityCertIssuer", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_OBJ }, /* 3 */
413 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 4 */
414 { 1, "authorityCertSerialNumber", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 5 */
415 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
416 { 0, "exit", ASN1_EOC, ASN1_EXIT }
417 };
418 #define AUTH_KEY_ID_KEY_ID 1
419 #define AUTH_KEY_ID_CERT_ISSUER 3
420 #define AUTH_KEY_ID_CERT_SERIAL 5
421
422 /**
423 * Extracts an authoritykeyIdentifier
424 */
425 identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
426 chunk_t *authKeySerialNumber)
427 {
428 asn1_parser_t *parser;
429 chunk_t object;
430 int objectID;
431 identification_t *authKeyIdentifier = NULL;
432
433 *authKeySerialNumber = chunk_empty;
434
435 parser = asn1_parser_create(authKeyIdentifierObjects, blob);
436 parser->set_top_level(parser, level0);
437
438 while (parser->iterate(parser, &objectID, &object))
439 {
440 switch (objectID)
441 {
442 case AUTH_KEY_ID_KEY_ID:
443 authKeyIdentifier = identification_create_from_encoding(
444 ID_PUBKEY_SHA1, object);
445 break;
446 case AUTH_KEY_ID_CERT_ISSUER:
447 /* TODO: x509_parse_generalNames(object, level+1, TRUE); */
448 break;
449 case AUTH_KEY_ID_CERT_SERIAL:
450 *authKeySerialNumber = object;
451 break;
452 default:
453 break;
454 }
455 }
456 parser->destroy(parser);
457 return authKeyIdentifier;
458 }
459
460 /**
461 * ASN.1 definition of a authorityInfoAccess extension
462 */
463 static const asn1Object_t authInfoAccessObjects[] = {
464 { 0, "authorityInfoAccess", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
465 { 1, "accessDescription", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
466 { 2, "accessMethod", ASN1_OID, ASN1_BODY }, /* 2 */
467 { 2, "accessLocation", ASN1_EOC, ASN1_RAW }, /* 3 */
468 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
469 { 0, "exit", ASN1_EOC, ASN1_EXIT }
470 };
471 #define AUTH_INFO_ACCESS_METHOD 2
472 #define AUTH_INFO_ACCESS_LOCATION 3
473
474 /**
475 * Extracts an authorityInfoAcess location
476 */
477 static void parse_authorityInfoAccess(chunk_t blob, int level0,
478 private_x509_cert_t *this)
479 {
480 asn1_parser_t *parser;
481 chunk_t object;
482 int objectID;
483 int accessMethod = OID_UNKNOWN;
484
485 parser = asn1_parser_create(authInfoAccessObjects, blob);
486 parser->set_top_level(parser, level0);
487
488 while (parser->iterate(parser, &objectID, &object))
489 {
490 switch (objectID)
491 {
492 case AUTH_INFO_ACCESS_METHOD:
493 accessMethod = asn1_known_oid(object);
494 break;
495 case AUTH_INFO_ACCESS_LOCATION:
496 {
497 switch (accessMethod)
498 {
499 case OID_OCSP:
500 case OID_CA_ISSUERS:
501 {
502 identification_t *id;
503 char *uri;
504
505 id = parse_generalName(object,
506 parser->get_level(parser)+1);
507 if (id == NULL)
508 {
509 /* parsing went wrong - abort */
510 goto end;
511 }
512 DBG2(" '%Y'", id);
513 if (accessMethod == OID_OCSP &&
514 asprintf(&uri, "%Y", id) > 0)
515 {
516 this->ocsp_uris->insert_last(this->ocsp_uris, uri);
517 }
518 id->destroy(id);
519 }
520 break;
521 default:
522 /* unkown accessMethod, ignoring */
523 break;
524 }
525 break;
526 }
527 default:
528 break;
529 }
530 }
531
532 end:
533 parser->destroy(parser);
534 }
535
536 /**
537 * ASN.1 definition of a extendedKeyUsage extension
538 */
539 static const asn1Object_t extendedKeyUsageObjects[] = {
540 { 0, "extendedKeyUsage", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
541 { 1, "keyPurposeID", ASN1_OID, ASN1_BODY }, /* 1 */
542 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
543 { 0, "exit", ASN1_EOC, ASN1_EXIT }
544 };
545 #define EXT_KEY_USAGE_PURPOSE_ID 1
546
547 /**
548 * Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned
549 */
550 static bool parse_extendedKeyUsage(chunk_t blob, int level0)
551 {
552 asn1_parser_t *parser;
553 chunk_t object;
554 int objectID;
555 bool ocsp_signing = FALSE;
556
557 parser = asn1_parser_create(extendedKeyUsageObjects, blob);
558 parser->set_top_level(parser, level0);
559
560 while (parser->iterate(parser, &objectID, &object))
561 {
562 if (objectID == EXT_KEY_USAGE_PURPOSE_ID &&
563 asn1_known_oid(object) == OID_OCSP_SIGNING)
564 {
565 ocsp_signing = TRUE;
566 }
567 }
568 parser->destroy(parser);
569 return ocsp_signing;
570 }
571
572 /**
573 * ASN.1 definition of crlDistributionPoints
574 */
575 static const asn1Object_t crlDistributionPointsObjects[] = {
576 { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
577 { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
578 { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */
579 { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
580 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
581 { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
582 { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
583 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
584 { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
585 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
586 { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_BODY }, /* 10 */
587 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
588 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
589 { 0, "exit", ASN1_EOC, ASN1_EXIT }
590 };
591 #define CRL_DIST_POINTS_FULLNAME 3
592
593 /**
594 * Extracts one or several crlDistributionPoints into a list
595 */
596 static void parse_crlDistributionPoints(chunk_t blob, int level0,
597 private_x509_cert_t *this)
598 {
599 asn1_parser_t *parser;
600 chunk_t object;
601 int objectID;
602 linked_list_t *list = linked_list_create();
603
604 parser = asn1_parser_create(crlDistributionPointsObjects, blob);
605 parser->set_top_level(parser, level0);
606
607 while (parser->iterate(parser, &objectID, &object))
608 {
609 if (objectID == CRL_DIST_POINTS_FULLNAME)
610 {
611 identification_t *id;
612
613 /* append extracted generalNames to existing chained list */
614 x509_parse_generalNames(object, parser->get_level(parser)+1,
615 TRUE, list);
616
617 while (list->remove_last(list, (void**)&id) == SUCCESS)
618 {
619 char *uri;
620
621 if (asprintf(&uri, "%Y", id) > 0)
622 {
623 this->crl_uris->insert_last(this->crl_uris, uri);
624 }
625 id->destroy(id);
626 }
627 }
628 }
629 parser->destroy(parser);
630 list->destroy(list);
631 }
632
633 /**
634 * ASN.1 definition of an X.509v3 x509_cert
635 */
636 static const asn1Object_t certObjects[] = {
637 { 0, "x509", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
638 { 1, "tbsCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
639 { 2, "DEFAULT v1", ASN1_CONTEXT_C_0, ASN1_DEF }, /* 2 */
640 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
641 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 4 */
642 { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 5 */
643 { 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
644 { 2, "validity", ASN1_SEQUENCE, ASN1_NONE }, /* 7 */
645 { 3, "notBefore", ASN1_EOC, ASN1_RAW }, /* 8 */
646 { 3, "notAfter", ASN1_EOC, ASN1_RAW }, /* 9 */
647 { 2, "subject", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
648 { 2, "subjectPublicKeyInfo",ASN1_SEQUENCE, ASN1_RAW }, /* 11 */
649 { 2, "issuerUniqueID", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 12 */
650 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 13 */
651 { 2, "subjectUniqueID", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 14 */
652 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 15 */
653 { 2, "optional extensions", ASN1_CONTEXT_C_3, ASN1_OPT }, /* 16 */
654 { 3, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 17 */
655 { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 18 */
656 { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 19 */
657 { 5, "critical", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 20 */
658 { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 21 */
659 { 3, "end loop", ASN1_EOC, ASN1_END }, /* 22 */
660 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 23 */
661 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 24 */
662 { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY }, /* 25 */
663 { 0, "exit", ASN1_EOC, ASN1_EXIT }
664 };
665 #define X509_OBJ_TBS_CERTIFICATE 1
666 #define X509_OBJ_VERSION 3
667 #define X509_OBJ_SERIAL_NUMBER 4
668 #define X509_OBJ_SIG_ALG 5
669 #define X509_OBJ_ISSUER 6
670 #define X509_OBJ_NOT_BEFORE 8
671 #define X509_OBJ_NOT_AFTER 9
672 #define X509_OBJ_SUBJECT 10
673 #define X509_OBJ_SUBJECT_PUBLIC_KEY_INFO 11
674 #define X509_OBJ_EXTN_ID 19
675 #define X509_OBJ_CRITICAL 20
676 #define X509_OBJ_EXTN_VALUE 21
677 #define X509_OBJ_ALGORITHM 24
678 #define X509_OBJ_SIGNATURE 25
679
680 /**
681 * Parses an X.509v3 certificate
682 */
683 static bool parse_certificate(private_x509_cert_t *this)
684 {
685 asn1_parser_t *parser;
686 chunk_t object;
687 int objectID;
688 int extn_oid = OID_UNKNOWN;
689 int sig_alg = OID_UNKNOWN;
690 bool success = FALSE;
691 bool critical;
692
693 parser = asn1_parser_create(certObjects, this->encoding);
694
695 while (parser->iterate(parser, &objectID, &object))
696 {
697 u_int level = parser->get_level(parser)+1;
698
699 switch (objectID)
700 {
701 case X509_OBJ_TBS_CERTIFICATE:
702 this->tbsCertificate = object;
703 break;
704 case X509_OBJ_VERSION:
705 this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
706 DBG2(" v%d", this->version);
707 break;
708 case X509_OBJ_SERIAL_NUMBER:
709 this->serialNumber = object;
710 break;
711 case X509_OBJ_SIG_ALG:
712 sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
713 break;
714 case X509_OBJ_ISSUER:
715 this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
716 DBG2(" '%Y'", this->issuer);
717 break;
718 case X509_OBJ_NOT_BEFORE:
719 this->notBefore = asn1_parse_time(object, level);
720 break;
721 case X509_OBJ_NOT_AFTER:
722 this->notAfter = asn1_parse_time(object, level);
723 break;
724 case X509_OBJ_SUBJECT:
725 this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
726 DBG2(" '%Y'", this->subject);
727 break;
728 case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
729 this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
730 KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
731 if (this->public_key == NULL)
732 {
733 DBG1("could not create public key");
734 goto end;
735 }
736 break;
737 case X509_OBJ_EXTN_ID:
738 extn_oid = asn1_known_oid(object);
739 break;
740 case X509_OBJ_CRITICAL:
741 critical = object.len && *object.ptr;
742 DBG2(" %s", critical ? "TRUE" : "FALSE");
743 break;
744 case X509_OBJ_EXTN_VALUE:
745 {
746 switch (extn_oid)
747 {
748 case OID_SUBJECT_KEY_ID:
749 if (!asn1_parse_simple_object(&object, ASN1_OCTET_STRING,
750 level, "keyIdentifier"))
751 {
752 goto end;
753 }
754 this->subjectKeyID = object;
755 break;
756 case OID_SUBJECT_ALT_NAME:
757 x509_parse_generalNames(object, level, FALSE,
758 this->subjectAltNames);
759 break;
760 case OID_BASIC_CONSTRAINTS:
761 if (parse_basicConstraints(object, level))
762 {
763 this->flags |= X509_CA;
764 }
765 break;
766 case OID_CRL_DISTRIBUTION_POINTS:
767 parse_crlDistributionPoints(object, level, this);
768 break;
769 case OID_AUTHORITY_KEY_ID:
770 this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
771 level, &this->authKeySerialNumber);
772 break;
773 case OID_AUTHORITY_INFO_ACCESS:
774 parse_authorityInfoAccess(object, level, this);
775 break;
776 case OID_EXTENDED_KEY_USAGE:
777 if (parse_extendedKeyUsage(object, level))
778 {
779 this->flags |= X509_OCSP_SIGNER;
780 }
781 break;
782 case OID_NS_REVOCATION_URL:
783 case OID_NS_CA_REVOCATION_URL:
784 case OID_NS_CA_POLICY_URL:
785 case OID_NS_COMMENT:
786 if (!asn1_parse_simple_object(&object, ASN1_IA5STRING,
787 level, oid_names[extn_oid].name))
788 {
789 goto end;
790 }
791 break;
792 default:
793 break;
794 }
795 break;
796 }
797 case X509_OBJ_ALGORITHM:
798 this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
799 if (this->algorithm != sig_alg)
800 {
801 DBG1(" signature algorithms do not agree");
802 goto end;
803 }
804 break;
805 case X509_OBJ_SIGNATURE:
806 this->signature = object;
807 break;
808 default:
809 break;
810 }
811 }
812 success = parser->success(parser);
813
814 end:
815 parser->destroy(parser);
816 return success;
817 }
818
819 /**
820 * Implementation of certificate_t.get_type
821 */
822 static certificate_type_t get_type(private_x509_cert_t *this)
823 {
824 return CERT_X509;
825 }
826
827 /**
828 * Implementation of certificate_t.get_subject
829 */
830 static identification_t* get_subject(private_x509_cert_t *this)
831 {
832 return this->subject;
833 }
834
835 /**
836 * Implementation of certificate_t.get_issuer
837 */
838 static identification_t* get_issuer(private_x509_cert_t *this)
839 {
840 return this->issuer;
841 }
842
843 /**
844 * Implementation of certificate_t.has_subject.
845 */
846 static id_match_t has_subject(private_x509_cert_t *this, identification_t *subject)
847 {
848 identification_t *current;
849 enumerator_t *enumerator;
850 id_match_t match, best;
851
852 if (this->encoding_hash.ptr && subject->get_type(subject) == ID_CERT_DER_SHA1 &&
853 chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
854 {
855 return ID_MATCH_PERFECT;
856 }
857
858 best = this->subject->matches(this->subject, subject);
859 enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
860 while (enumerator->enumerate(enumerator, &current))
861 {
862 match = current->matches(current, subject);
863 if (match > best)
864 {
865 best = match;
866 }
867 }
868 enumerator->destroy(enumerator);
869 return best;
870 }
871
872 /**
873 * Implementation of certificate_t.has_subject.
874 */
875 static id_match_t has_issuer(private_x509_cert_t *this, identification_t *issuer)
876 {
877 /* issuerAltNames currently not supported */
878 return this->issuer->matches(this->issuer, issuer);
879 }
880
881 /**
882 * Implementation of certificate_t.issued_by
883 */
884 static bool issued_by(private_x509_cert_t *this, certificate_t *issuer)
885 {
886 public_key_t *key;
887 signature_scheme_t scheme;
888 bool valid;
889 x509_t *x509 = (x509_t*)issuer;
890
891 if (&this->public.interface.interface == issuer)
892 {
893 if (this->flags & X509_SELF_SIGNED)
894 {
895 return TRUE;
896 }
897 }
898 else
899 {
900 if (issuer->get_type(issuer) != CERT_X509)
901 {
902 return FALSE;
903 }
904 if (!(x509->get_flags(x509) & X509_CA))
905 {
906 return FALSE;
907 }
908 }
909 if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
910 {
911 return FALSE;
912 }
913 /* TODO: generic OID to scheme mapper? */
914 switch (this->algorithm)
915 {
916 case OID_MD5_WITH_RSA:
917 scheme = SIGN_RSA_EMSA_PKCS1_MD5;
918 break;
919 case OID_SHA1_WITH_RSA:
920 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
921 break;
922 case OID_SHA256_WITH_RSA:
923 scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
924 break;
925 case OID_SHA384_WITH_RSA:
926 scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
927 break;
928 case OID_SHA512_WITH_RSA:
929 scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
930 break;
931 case OID_ECDSA_WITH_SHA1:
932 scheme = SIGN_ECDSA_WITH_SHA1;
933 break;
934 default:
935 return FALSE;
936 }
937 key = issuer->get_public_key(issuer);
938 if (key == NULL)
939 {
940 return FALSE;
941 }
942 /* TODO: add a lightweight check option (comparing auth/subject keyids only) */
943 valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
944 key->destroy(key);
945 return valid;
946 }
947
948 /**
949 * Implementation of certificate_t.get_public_key
950 */
951 static public_key_t* get_public_key(private_x509_cert_t *this)
952 {
953 this->public_key->get_ref(this->public_key);
954 return this->public_key;
955 }
956
957 /**
958 * Implementation of certificate_t.asdf
959 */
960 static private_x509_cert_t* get_ref(private_x509_cert_t *this)
961 {
962 ref_get(&this->ref);
963 return this;
964 }
965
966 /**
967 * Implementation of x509_cert_t.get_flags.
968 */
969 static x509_flag_t get_flags(private_x509_cert_t *this)
970 {
971 return this->flags;
972 }
973
974 /**
975 * Implementation of x509_cert_t.get_validity.
976 */
977 static bool get_validity(private_x509_cert_t *this, time_t *when,
978 time_t *not_before, time_t *not_after)
979 {
980 time_t t;
981
982 if (when)
983 {
984 t = *when;
985 }
986 else
987 {
988 t = time(NULL);
989 }
990 if (not_before)
991 {
992 *not_before = this->notBefore;
993 }
994 if (not_after)
995 {
996 *not_after = this->notAfter;
997 }
998 return (t >= this->notBefore && t <= this->notAfter);
999 }
1000
1001 /**
1002 * Implementation of certificate_t.is_newer.
1003 */
1004 static bool is_newer(certificate_t *this, certificate_t *that)
1005 {
1006 time_t this_update, that_update, now = time(NULL);
1007 bool new;
1008
1009 this->get_validity(this, &now, &this_update, NULL);
1010 that->get_validity(that, &now, &that_update, NULL);
1011 new = this_update > that_update;
1012 DBG1(" certificate from %T is %s - existing certificate from %T %s",
1013 &this_update, FALSE, new ? "newer":"not newer",
1014 &that_update, FALSE, new ? "replaced":"retained");
1015 return new;
1016 }
1017
1018 /**
1019 * Implementation of certificate_t.get_encoding.
1020 */
1021 static chunk_t get_encoding(private_x509_cert_t *this)
1022 {
1023 return chunk_clone(this->encoding);
1024 }
1025
1026 /**
1027 * Implementation of certificate_t.equals.
1028 */
1029 static bool equals(private_x509_cert_t *this, certificate_t *other)
1030 {
1031 chunk_t encoding;
1032 bool equal;
1033
1034 if (this == (private_x509_cert_t*)other)
1035 {
1036 return TRUE;
1037 }
1038 if (other->get_type(other) != CERT_X509)
1039 {
1040 return FALSE;
1041 }
1042 if (other->equals == (void*)equals)
1043 { /* skip allocation if we have the same implementation */
1044 return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding);
1045 }
1046 encoding = other->get_encoding(other);
1047 equal = chunk_equals(this->encoding, encoding);
1048 free(encoding.ptr);
1049 return equal;
1050 }
1051
1052 /**
1053 * Implementation of x509_t.get_serial.
1054 */
1055 static chunk_t get_serial(private_x509_cert_t *this)
1056 {
1057 return this->serialNumber;
1058 }
1059
1060 /**
1061 * Implementation of x509_t.get_authKeyIdentifier.
1062 */
1063 static identification_t *get_authKeyIdentifier(private_x509_cert_t *this)
1064 {
1065 return this->authKeyIdentifier;
1066 }
1067
1068 /**
1069 * Implementation of x509_cert_t.create_subjectAltName_enumerator.
1070 */
1071 static enumerator_t* create_subjectAltName_enumerator(private_x509_cert_t *this)
1072 {
1073 return this->subjectAltNames->create_enumerator(this->subjectAltNames);
1074 }
1075
1076 /**
1077 * Implementation of x509_cert_t.create_ocsp_uri_enumerator.
1078 */
1079 static enumerator_t* create_ocsp_uri_enumerator(private_x509_cert_t *this)
1080 {
1081 return this->ocsp_uris->create_enumerator(this->ocsp_uris);
1082 }
1083
1084 /**
1085 * Implementation of x509_cert_t.create_crl_uri_enumerator.
1086 */
1087 static enumerator_t* create_crl_uri_enumerator(private_x509_cert_t *this)
1088 {
1089 return this->crl_uris->create_enumerator(this->crl_uris);
1090 }
1091
1092 /**
1093 * Implementation of certificate_t.asdf
1094 */
1095 static void destroy(private_x509_cert_t *this)
1096 {
1097 if (ref_put(&this->ref))
1098 {
1099 this->subjectAltNames->destroy_offset(this->subjectAltNames,
1100 offsetof(identification_t, destroy));
1101 this->crl_uris->destroy_function(this->crl_uris, free);
1102 this->ocsp_uris->destroy_function(this->ocsp_uris, free);
1103 DESTROY_IF(this->issuer);
1104 DESTROY_IF(this->subject);
1105 DESTROY_IF(this->public_key);
1106 DESTROY_IF(this->authKeyIdentifier);
1107 chunk_free(&this->encoding);
1108 chunk_free(&this->encoding_hash);
1109 if (!this->parsed)
1110 { /* only parsed certificates point these fields to "encoded" */
1111 chunk_free(&this->signature);
1112 chunk_free(&this->serialNumber);
1113 chunk_free(&this->tbsCertificate);
1114 }
1115 free(this);
1116 }
1117 }
1118
1119 /**
1120 * create an empty but initialized X.509 certificate
1121 */
1122 static private_x509_cert_t* create_empty(void)
1123 {
1124 private_x509_cert_t *this = malloc_thing(private_x509_cert_t);
1125
1126 this->public.interface.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
1127 this->public.interface.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
1128 this->public.interface.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
1129 this->public.interface.interface.has_subject = (id_match_t (*)(certificate_t*, identification_t *subject))has_subject;
1130 this->public.interface.interface.has_issuer = (id_match_t (*)(certificate_t*, identification_t *issuer))has_issuer;
1131 this->public.interface.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
1132 this->public.interface.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
1133 this->public.interface.interface.get_validity = (bool (*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
1134 this->public.interface.interface.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer;
1135 this->public.interface.interface.get_encoding = (chunk_t (*)(certificate_t*))get_encoding;
1136 this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t *other))equals;
1137 this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
1138 this->public.interface.interface.destroy = (void (*)(certificate_t *this))destroy;
1139 this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags;
1140 this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial;
1141 this->public.interface.get_authKeyIdentifier = (identification_t* (*)(x509_t*))get_authKeyIdentifier;
1142 this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator;
1143 this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator;
1144 this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator;
1145
1146 this->encoding = chunk_empty;
1147 this->encoding_hash = chunk_empty;
1148 this->tbsCertificate = chunk_empty;
1149 this->version = 3;
1150 this->serialNumber = chunk_empty;
1151 this->notBefore = 0;
1152 this->notAfter = 0;
1153 this->public_key = NULL;
1154 this->subject = NULL;
1155 this->issuer = NULL;
1156 this->subjectAltNames = linked_list_create();
1157 this->crl_uris = linked_list_create();
1158 this->ocsp_uris = linked_list_create();
1159 this->subjectKeyID = chunk_empty;
1160 this->authKeyIdentifier = NULL;
1161 this->authKeySerialNumber = chunk_empty;
1162 this->algorithm = 0;
1163 this->signature = chunk_empty;
1164 this->flags = 0;
1165 this->ref = 1;
1166 this->parsed = FALSE;
1167
1168 return this;
1169 }
1170
1171 /**
1172 * create an X.509 certificate from a chunk
1173 */
1174 static private_x509_cert_t *create_from_chunk(chunk_t chunk)
1175 {
1176 hasher_t *hasher;
1177 private_x509_cert_t *this = create_empty();
1178
1179 this->encoding = chunk;
1180 this->parsed = TRUE;
1181 if (!parse_certificate(this))
1182 {
1183 destroy(this);
1184 return NULL;
1185 }
1186
1187 /* check if the certificate is self-signed */
1188 if (issued_by(this, &this->public.interface.interface))
1189 {
1190 this->flags |= X509_SELF_SIGNED;
1191 }
1192
1193 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1194 if (hasher == NULL)
1195 {
1196 DBG1(" unable to create hash of certificate, SHA1 not supported");
1197 destroy(this);
1198 return NULL;
1199 }
1200 hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
1201 hasher->destroy(hasher);
1202
1203 return this;
1204 }
1205
1206 /**
1207 * create an X.509 certificate from a file
1208 */
1209 static private_x509_cert_t *create_from_file(char *path)
1210 {
1211 bool pgp = FALSE;
1212 chunk_t chunk;
1213 private_x509_cert_t *this;
1214
1215 if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
1216 {
1217 return NULL;
1218 }
1219
1220 this = create_from_chunk(chunk);
1221
1222 if (this == NULL)
1223 {
1224 DBG1(" could not parse loaded certificate file '%s'",path);
1225 return NULL;
1226 }
1227 DBG1(" loaded certificate file '%s'", path);
1228 return this;
1229 }
1230
1231 typedef struct private_builder_t private_builder_t;
1232 /**
1233 * Builder implementation for certificate loading
1234 */
1235 struct private_builder_t {
1236 /** implements the builder interface */
1237 builder_t public;
1238 /** loaded certificate */
1239 private_x509_cert_t *cert;
1240 /** additional flags to enforce */
1241 x509_flag_t flags;
1242 /** certificate to sign, if we generate a new cert */
1243 certificate_t *sign_cert;
1244 /** private key to sign, if we generate a new cert */
1245 private_key_t *sign_key;
1246 };
1247
1248 /**
1249 * Generate and sign a new certificate
1250 */
1251 static bool generate(private_builder_t *this)
1252 {
1253 chunk_t extensions = chunk_empty;
1254 identification_t *issuer, *subject;
1255 chunk_t key_info, key;
1256 signature_scheme_t scheme;
1257 hasher_t *hasher;
1258
1259 subject = this->cert->subject;
1260 if (this->sign_cert)
1261 {
1262 issuer = this->sign_cert->get_subject(this->sign_cert);
1263 if (!this->cert->public_key)
1264 {
1265 return FALSE;
1266 }
1267 }
1268 else
1269 { /* self signed */
1270 issuer = subject;
1271 if (!this->cert->public_key)
1272 {
1273 this->cert->public_key = this->sign_key->get_public_key(this->sign_key);
1274 }
1275 this->flags |= X509_SELF_SIGNED;
1276 }
1277 this->cert->issuer = issuer->clone(issuer);
1278 if (!this->cert->notBefore)
1279 {
1280 this->cert->notBefore = time(NULL);
1281 }
1282 if (!this->cert->notAfter)
1283 { /* defaults to 1 years from now on */
1284 this->cert->notAfter = this->cert->notBefore + 60 * 60 * 24 * 365;
1285 }
1286 this->cert->flags = this->flags;
1287
1288 switch (this->sign_key->get_type(this->sign_key))
1289 {
1290 case KEY_RSA:
1291 this->cert->algorithm = OID_SHA1_WITH_RSA;
1292 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
1293 break;
1294 default:
1295 return FALSE;
1296 }
1297
1298 switch (this->cert->public_key->get_type(this->cert->public_key))
1299 {
1300 case KEY_RSA:
1301 key = this->cert->public_key->get_encoding(this->cert->public_key);
1302 key_info = asn1_wrap(ASN1_SEQUENCE, "cm",
1303 asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
1304 asn1_bitstring("m", key));
1305 break;
1306 default:
1307 return FALSE;
1308 }
1309
1310 if (this->cert->subjectAltNames->get_count(this->cert->subjectAltNames))
1311 {
1312 /* TODO: encode subjectAltNames */
1313 }
1314
1315 this->cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmccmcmm",
1316 asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
1317 asn1_simple_object(ASN1_INTEGER, this->cert->serialNumber),
1318 asn1_algorithmIdentifier(this->cert->algorithm),
1319 issuer->get_encoding(issuer),
1320 asn1_wrap(ASN1_SEQUENCE, "mm",
1321 asn1_from_time(&this->cert->notBefore, ASN1_UTCTIME),
1322 asn1_from_time(&this->cert->notAfter, ASN1_UTCTIME)),
1323 subject->get_encoding(subject),
1324 key_info, extensions);
1325
1326 if (!this->sign_key->sign(this->sign_key, scheme,
1327 this->cert->tbsCertificate, &this->cert->signature))
1328 {
1329 return FALSE;
1330 }
1331 this->cert->encoding = asn1_wrap(ASN1_SEQUENCE, "ccm",
1332 this->cert->tbsCertificate,
1333 asn1_algorithmIdentifier(this->cert->algorithm),
1334 asn1_bitstring("c", this->cert->signature));
1335
1336 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1337 if (!hasher)
1338 {
1339 return FALSE;
1340 }
1341 hasher->allocate_hash(hasher, this->cert->encoding,
1342 &this->cert->encoding_hash);
1343 hasher->destroy(hasher);
1344 return TRUE;
1345 }
1346
1347 /**
1348 * Implementation of builder_t.build
1349 */
1350 static private_x509_cert_t *build(private_builder_t *this)
1351 {
1352 private_x509_cert_t *cert;
1353
1354 if (this->cert)
1355 {
1356 this->cert->flags |= this->flags;
1357 if (!this->cert->encoding.ptr)
1358 { /* generate a new certificate */
1359 if (!this->sign_key || !generate(this))
1360 {
1361 destroy(this->cert);
1362 free(this);
1363 return NULL;
1364 }
1365 }
1366 }
1367 cert = this->cert;
1368 free(this);
1369 return cert;
1370 }
1371
1372 /**
1373 * Implementation of builder_t.add
1374 */
1375 static void add(private_builder_t *this, builder_part_t part, ...)
1376 {
1377 va_list args;
1378 chunk_t chunk;
1379 bool handled = TRUE;
1380
1381 va_start(args, part);
1382 switch (part)
1383 {
1384 case BUILD_FROM_FILE:
1385 this->cert = create_from_file(va_arg(args, char*));
1386 break;
1387 case BUILD_BLOB_ASN1_DER:
1388 chunk = va_arg(args, chunk_t);
1389 this->cert = create_from_chunk(chunk_clone(chunk));
1390 break;
1391 case BUILD_X509_FLAG:
1392 this->flags = va_arg(args, x509_flag_t);
1393 break;
1394 case BUILD_SIGNING_KEY:
1395 this->sign_key = va_arg(args, private_key_t*);
1396 break;
1397 case BUILD_SIGNING_CERT:
1398 this->sign_cert = va_arg(args, certificate_t*);
1399 break;
1400 default:
1401 /* all other parts need an empty cert */
1402 if (!this->cert)
1403 {
1404 this->cert = create_empty();
1405 }
1406 handled = FALSE;
1407 break;
1408 }
1409 if (handled)
1410 {
1411 va_end(args);
1412 return;
1413 }
1414
1415 switch (part)
1416 {
1417 case BUILD_PUBLIC_KEY:
1418 {
1419 public_key_t *key = va_arg(args, public_key_t*);
1420 this->cert->public_key = key->get_ref(key);
1421 break;
1422 }
1423 case BUILD_SUBJECT:
1424 {
1425 identification_t *id = va_arg(args, identification_t*);
1426 this->cert->subject = id->clone(id);
1427 break;
1428 }
1429 case BUILD_SUBJECT_ALTNAME:
1430 {
1431 identification_t *id = va_arg(args, identification_t*);
1432 this->cert->subjectAltNames->insert_last(
1433 this->cert->subjectAltNames, id->clone(id));
1434 break;
1435 }
1436 case BUILD_NOT_BEFORE_TIME:
1437 this->cert->notBefore = va_arg(args, time_t);
1438 break;
1439 case BUILD_NOT_AFTER_TIME:
1440 this->cert->notAfter = va_arg(args, time_t);
1441 break;
1442 case BUILD_SERIAL:
1443 {
1444 chunk_t serial = va_arg(args, chunk_t);
1445 this->cert->serialNumber = chunk_clone(serial);
1446 break;
1447 }
1448 default:
1449 /* abort if unsupported option */
1450 if (this->cert)
1451 {
1452 destroy(this->cert);
1453 }
1454 builder_cancel(&this->public);
1455 break;
1456 }
1457 va_end(args);
1458 }
1459
1460 /**
1461 * Builder construction function
1462 */
1463 builder_t *x509_cert_builder(certificate_type_t type)
1464 {
1465 private_builder_t *this;
1466
1467 if (type != CERT_X509)
1468 {
1469 return NULL;
1470 }
1471
1472 this = malloc_thing(private_builder_t);
1473
1474 this->cert = NULL;
1475 this->flags = 0;
1476 this->sign_cert = NULL;
1477 this->sign_key = NULL;
1478 this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
1479 this->public.build = (void*(*)(builder_t *this))build;
1480
1481 return &this->public;
1482 }
1483