7e32304122723c461e82bc9e7262b51e764ece95
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_ocsp_request.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Copyright (C) 2007 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 *
17 * $Id$
18 */
19
20 #include "x509_ocsp_request.h"
21
22 #include <library.h>
23 #include <asn1/oid.h>
24 #include <asn1/asn1.h>
25 #include <utils/identification.h>
26 #include <utils/randomizer.h>
27 #include <utils/linked_list.h>
28 #include <debug.h>
29 #include <credentials/certificates/x509.h>
30
31 #define NONCE_LEN 16
32
33 typedef struct private_x509_ocsp_request_t private_x509_ocsp_request_t;
34
35 /**
36 * private data of x509_ocsp_request
37 */
38 struct private_x509_ocsp_request_t {
39
40 /**
41 * public functions
42 */
43 x509_ocsp_request_t public;
44
45 /**
46 * CA the candidates belong to
47 */
48 x509_t *ca;
49
50 /**
51 * Requestor name, subject of cert used if not set
52 */
53 identification_t *requestor;
54
55 /**
56 * Requestor certificate, included in request
57 */
58 certificate_t *cert;
59
60 /**
61 * Requestor private key to sign request
62 */
63 private_key_t *key;
64
65 /**
66 * list of certificates to check, x509_t
67 */
68 linked_list_t *candidates;
69
70 /**
71 * nonce used in request
72 */
73 chunk_t nonce;
74
75 /**
76 * encoded OCSP request
77 */
78 chunk_t encoding;
79
80 /**
81 * reference count
82 */
83 refcount_t ref;
84 };
85
86 static u_char ASN1_nonce_oid_str[] = {
87 0x06, 0x09,
88 0x2B, 0x06,
89 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
90 };
91
92 static u_char ASN1_response_oid_str[] = {
93 0x06, 0x09,
94 0x2B, 0x06,
95 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
96 };
97
98 static u_char ASN1_response_content_str[] = {
99 0x04, 0x0D,
100 0x30, 0x0B,
101 0x06, 0x09,
102 0x2B, 0x06,
103 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
104 };
105
106 static const chunk_t ASN1_nonce_oid = chunk_from_buf(ASN1_nonce_oid_str);
107 static const chunk_t ASN1_response_oid = chunk_from_buf(ASN1_response_oid_str);
108 static const chunk_t ASN1_response_content = chunk_from_buf(ASN1_response_content_str);
109
110 /**
111 * build requestorName
112 */
113 static chunk_t build_requestorName(private_x509_ocsp_request_t *this)
114 {
115 if (this->requestor || this->cert)
116 { /* use requestor name, fallback to his cert subject */
117 if (!this->requestor)
118 {
119 this->requestor = this->cert->get_subject(this->cert);
120 this->requestor = this->requestor->clone(this->requestor);
121 }
122 return asn1_wrap(ASN1_CONTEXT_C_1, "m",
123 asn1_simple_object(ASN1_CONTEXT_C_4,
124 this->requestor->get_encoding(this->requestor)));
125
126 }
127 return chunk_empty;
128 }
129
130 /**
131 * build Request, not using singleRequestExtensions
132 */
133 static chunk_t build_Request(private_x509_ocsp_request_t *this,
134 chunk_t issuerNameHash, chunk_t issuerKeyHash,
135 chunk_t serialNumber)
136 {
137 return asn1_wrap(ASN1_SEQUENCE, "m",
138 asn1_wrap(ASN1_SEQUENCE, "cmmm",
139 asn1_algorithmIdentifier(OID_SHA1),
140 asn1_simple_object(ASN1_OCTET_STRING, issuerNameHash),
141 asn1_simple_object(ASN1_OCTET_STRING, issuerKeyHash),
142 asn1_simple_object(ASN1_INTEGER, serialNumber)));
143 }
144
145 /**
146 * build requestList
147 */
148 static chunk_t build_requestList(private_x509_ocsp_request_t *this)
149 {
150 chunk_t issuerNameHash, issuerKeyHash;
151 identification_t *issuer;
152 x509_t *x509;
153 certificate_t *cert;
154 chunk_t list = chunk_empty;
155 public_key_t *public;
156
157 cert = (certificate_t*)this->ca;
158 public = cert->get_public_key(cert);
159 if (public)
160 {
161 hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
162 if (hasher)
163 {
164 identification_t *keyid = public->get_id(public, ID_PUBKEY_SHA1);
165 if (keyid)
166 {
167 enumerator_t *enumerator;
168
169 issuerKeyHash = keyid->get_encoding(keyid);
170
171 issuer = cert->get_subject(cert);
172 hasher->allocate_hash(hasher, issuer->get_encoding(issuer),
173 &issuerNameHash);
174 hasher->destroy(hasher);
175
176 enumerator = this->candidates->create_enumerator(this->candidates);
177 while (enumerator->enumerate(enumerator, &x509))
178 {
179 chunk_t request, serialNumber;
180
181 serialNumber = x509->get_serial(x509);
182 request = build_Request(this, issuerNameHash, issuerKeyHash,
183 serialNumber);
184 list = chunk_cat("mm", list, request);
185 }
186 enumerator->destroy(enumerator);
187 chunk_free(&issuerNameHash);
188 }
189 }
190 else
191 {
192 DBG1("creating OCSP request failed, SHA1 not supported");
193 }
194 public->destroy(public);
195 }
196 else
197 {
198 DBG1("creating OCSP request failed, CA certificate has no public key");
199 }
200 return asn1_wrap(ASN1_SEQUENCE, "m", list);
201 }
202
203 /**
204 * build nonce extension
205 */
206 static chunk_t build_nonce(private_x509_ocsp_request_t *this)
207 {
208 randomizer_t *randomizer;
209
210 randomizer = randomizer_create();
211 randomizer->allocate_pseudo_random_bytes(randomizer, NONCE_LEN, &this->nonce);
212 randomizer->destroy(randomizer);
213
214 return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
215 asn1_simple_object(ASN1_OCTET_STRING, this->nonce));
216 }
217
218 /**
219 * build acceptableResponses extension
220 */
221 static chunk_t build_acceptableResponses(private_x509_ocsp_request_t *this)
222 {
223 return asn1_wrap(ASN1_SEQUENCE, "cc",
224 ASN1_response_oid,
225 ASN1_response_content);
226 }
227
228 /**
229 * build requestExtensions
230 */
231 static chunk_t build_requestExtensions(private_x509_ocsp_request_t *this)
232 {
233 return asn1_wrap(ASN1_CONTEXT_C_2, "m",
234 asn1_wrap(ASN1_SEQUENCE, "mm",
235 build_nonce(this),
236 build_acceptableResponses(this)));
237 }
238
239 /**
240 * build tbsRequest
241 */
242 static chunk_t build_tbsRequest(private_x509_ocsp_request_t *this)
243 {
244 return asn1_wrap(ASN1_SEQUENCE, "mmm",
245 build_requestorName(this),
246 build_requestList(this),
247 build_requestExtensions(this));
248 }
249
250 /**
251 * Build the optionalSignature
252 */
253 static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
254 chunk_t tbsRequest)
255 {
256 int oid;
257 signature_scheme_t scheme;
258 chunk_t certs, signature;
259
260 switch (this->key->get_type(this->key))
261 {
262 /* TODO: use a generic mapping function */
263 case KEY_RSA:
264 oid = OID_SHA1_WITH_RSA;
265 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
266 break;
267 default:
268 DBG1("unable to sign OCSP request, %N signature not supported",
269 key_type_names, this->key->get_type(this->key));
270 return chunk_empty;
271 }
272
273 if (!this->key->sign(this->key, scheme, tbsRequest, &signature))
274 {
275 DBG1("creating OCSP signature failed, skipped");
276 return chunk_empty;
277 }
278 if (this->cert)
279 {
280 certs = asn1_wrap(ASN1_CONTEXT_C_0, "m",
281 asn1_wrap(ASN1_SEQUENCE, "m",
282 this->cert->get_encoding(this->cert)));
283 }
284 return asn1_wrap(ASN1_CONTEXT_C_0, "m",
285 asn1_wrap(ASN1_SEQUENCE, "cmm",
286 asn1_algorithmIdentifier(oid),
287 asn1_bitstring("m", signature),
288 certs));
289 }
290
291 /**
292 * Build the OCSPRequest data
293 *
294 */
295 static chunk_t build_OCSPRequest(private_x509_ocsp_request_t *this)
296 {
297 chunk_t tbsRequest, optionalSignature = chunk_empty;
298
299 tbsRequest = build_tbsRequest(this);
300 if (this->key)
301 {
302 optionalSignature = build_optionalSignature(this, tbsRequest);
303 }
304 return asn1_wrap(ASN1_SEQUENCE, "mm", tbsRequest, optionalSignature);
305 }
306
307
308 /**
309 * Implementation of certificate_t.get_type
310 */
311 static certificate_type_t get_type(private_x509_ocsp_request_t *this)
312 {
313 return CERT_X509_OCSP_REQUEST;
314 }
315
316 /**
317 * Implementation of certificate_t.get_subject
318 */
319 static identification_t* get_subject(private_x509_ocsp_request_t *this)
320 {
321 certificate_t *ca = (certificate_t*)this->ca;
322
323 if (this->requestor)
324 {
325 return this->requestor;
326 }
327 if (this->cert)
328 {
329 return this->cert->get_subject(this->cert);
330 }
331 return ca->get_subject(ca);
332 }
333
334 /**
335 * Implementation of certificate_t.get_issuer
336 */
337 static identification_t* get_issuer(private_x509_ocsp_request_t *this)
338 {
339 certificate_t *ca = (certificate_t*)this->ca;
340
341 return ca->get_subject(ca);
342 }
343
344 /**
345 * Implementation of certificate_t.has_subject.
346 */
347 static id_match_t has_subject(private_x509_ocsp_request_t *this,
348 identification_t *subject)
349 {
350 certificate_t *current;
351 enumerator_t *enumerator;
352 id_match_t match, best = ID_MATCH_NONE;
353
354 enumerator = this->candidates->create_enumerator(this->candidates);
355 while (enumerator->enumerate(enumerator, &current))
356 {
357 match = current->has_subject(current, subject);
358 if (match > best)
359 {
360 best = match;
361 }
362 }
363 enumerator->destroy(enumerator);
364 return best;
365 }
366
367 /**
368 * Implementation of certificate_t.has_subject.
369 */
370 static id_match_t has_issuer(private_x509_ocsp_request_t *this,
371 identification_t *issuer)
372 {
373 certificate_t *ca = (certificate_t*)this->ca;
374
375 return ca->has_subject(ca, issuer);
376 }
377
378 /**
379 * Implementation of certificate_t.issued_by
380 */
381 static bool issued_by(private_x509_ocsp_request_t *this, certificate_t *issuer,
382 bool sigcheck)
383 {
384 DBG1("OCSP request validation not implemented!");
385 return FALSE;
386 }
387
388 /**
389 * Implementation of certificate_t.get_public_key
390 */
391 static public_key_t* get_public_key(private_x509_ocsp_request_t *this)
392 {
393 return NULL;
394 }
395
396 /**
397 * Implementation of x509_cert_t.get_validity.
398 */
399 static bool get_validity(private_x509_ocsp_request_t *this, time_t *when,
400 time_t *not_before, time_t *not_after)
401 {
402 certificate_t *cert;
403
404 if (this->cert)
405 {
406 cert = this->cert;
407 }
408 else
409 {
410 cert = (certificate_t*)this->ca;
411 }
412 return cert->get_validity(cert, when, not_before, not_after);
413 }
414
415 /**
416 * Implementation of certificate_t.get_encoding.
417 */
418 static chunk_t get_encoding(private_x509_ocsp_request_t *this)
419 {
420 return chunk_clone(this->encoding);
421 }
422
423 /**
424 * Implementation of certificate_t.equals.
425 */
426 static bool equals(private_x509_ocsp_request_t *this, certificate_t *other)
427 {
428 if (this == (private_x509_ocsp_request_t*)other)
429 {
430 return TRUE;
431 }
432 if (other->get_type(other) != CERT_X509_OCSP_REQUEST)
433 {
434 return FALSE;
435 }
436 /* check if we have the same X509 implementation */
437 if (other->equals == (void*)equals)
438 {
439 return chunk_equals(this->encoding,
440 ((private_x509_ocsp_request_t*)other)->encoding);
441 }
442 /* TODO: compare against other implementation */
443 return FALSE;
444 }
445
446 /**
447 * Implementation of certificate_t.asdf
448 */
449 static private_x509_ocsp_request_t* get_ref(private_x509_ocsp_request_t *this)
450 {
451 ref_get(&this->ref);
452 return this;
453 }
454
455 /**
456 * Implementation of x509_ocsp_request_t.destroy
457 */
458 static void destroy(private_x509_ocsp_request_t *this)
459 {
460 if (ref_put(&this->ref))
461 {
462 DESTROY_IF((certificate_t*)this->ca);
463 DESTROY_IF(this->requestor);
464 DESTROY_IF(this->cert);
465 DESTROY_IF(this->key);
466 this->candidates->destroy_offset(this->candidates, offsetof(certificate_t, destroy));
467 chunk_free(&this->nonce);
468 chunk_free(&this->encoding);
469 free(this);
470 }
471 }
472
473 /**
474 * create an empty but initialized OCSP request
475 */
476 static private_x509_ocsp_request_t *create_empty()
477 {
478 private_x509_ocsp_request_t *this = malloc_thing(private_x509_ocsp_request_t);
479
480 this->public.interface.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
481 this->public.interface.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
482 this->public.interface.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
483 this->public.interface.interface.has_subject = (id_match_t(*)(certificate_t*, identification_t *subject))has_subject;
484 this->public.interface.interface.has_issuer = (id_match_t(*)(certificate_t*, identification_t *issuer))has_issuer;
485 this->public.interface.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer,bool))issued_by;
486 this->public.interface.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
487 this->public.interface.interface.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
488 this->public.interface.interface.get_encoding = (chunk_t(*)(certificate_t*))get_encoding;
489 this->public.interface.interface.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
490 this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
491 this->public.interface.interface.destroy = (void (*)(certificate_t *this))destroy;
492
493 this->ca = NULL;
494 this->requestor = NULL;
495 this->cert = NULL;
496 this->key = NULL;
497 this->nonce = chunk_empty;
498 this->encoding = chunk_empty;
499 this->candidates = linked_list_create();
500 this->ref = 1;
501
502 return this;
503 }
504
505 typedef struct private_builder_t private_builder_t;
506 /**
507 * Builder implementation for certificate loading
508 */
509 struct private_builder_t {
510 /** implements the builder interface */
511 builder_t public;
512 /** OCSP request to build */
513 private_x509_ocsp_request_t *req;
514 };
515
516 /**
517 * Implementation of builder_t.build
518 */
519 static x509_ocsp_request_t *build(private_builder_t *this)
520 {
521 private_x509_ocsp_request_t *req;
522
523 req = this->req;
524 free(this);
525 if (req->ca)
526 {
527 req->encoding = build_OCSPRequest(req);
528 return &req->public;
529 }
530 destroy(req);
531 return NULL;
532 }
533
534 /**
535 * Implementation of builder_t.add
536 */
537 static void add(private_builder_t *this, builder_part_t part, ...)
538 {
539 va_list args;
540 certificate_t *cert;
541
542 va_start(args, part);
543 switch (part)
544 {
545 case BUILD_CA_CERT:
546 cert = va_arg(args, certificate_t*);
547 if (cert->get_type(cert) == CERT_X509)
548 {
549 this->req->ca = (x509_t*)cert;
550 }
551 else
552 {
553 cert->destroy(cert);
554 }
555 break;
556 case BUILD_CERT:
557 cert = va_arg(args, certificate_t*);
558 if (cert->get_type(cert) == CERT_X509)
559 {
560 this->req->candidates->insert_last(this->req->candidates, cert);
561 }
562 else
563 {
564 cert->destroy(cert);
565 }
566 break;
567 case BUILD_SIGNING_CERT:
568 this->req->cert = va_arg(args, certificate_t*);
569 break;
570 case BUILD_SIGNING_KEY:
571 this->req->key = va_arg(args, private_key_t*);
572 break;
573 case BUILD_SUBJECT:
574 this->req->requestor = va_arg(args, identification_t*);
575 break;
576 default:
577 DBG1("ignoring unsupported build part %N", builder_part_names, part);
578 break;
579 }
580 va_end(args);
581 }
582
583 /**
584 * Builder construction function
585 */
586 builder_t *x509_ocsp_request_builder(certificate_type_t type)
587 {
588 private_builder_t *this;
589
590 if (type != CERT_X509_OCSP_REQUEST)
591 {
592 return NULL;
593 }
594
595 this = malloc_thing(private_builder_t);
596
597 this->req = create_empty();
598 this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
599 this->public.build = (void*(*)(builder_t *this))build;
600
601 return &this->public;
602 }
603