projects / strongswan.git / blob
? search:


f65fa6d124353fccbef40c0a517db65f55da5490
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_ocsp_request.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Copyright (C) 2007 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "x509_ocsp_request.h"
19
20 #include <library.h>
21 #include <asn1/oid.h>
22 #include <asn1/asn1.h>
23 #include <utils/identification.h>
24 #include <utils/linked_list.h>
25 #include <debug.h>
26 #include <credentials/certificates/x509.h>
27 #include <credentials/keys/private_key.h>
28
29 #define NONCE_LEN 16
30
31 typedef struct private_x509_ocsp_request_t private_x509_ocsp_request_t;
32
33 /**
34 * private data of x509_ocsp_request
35 */
36 struct private_x509_ocsp_request_t {
37
38 /**
39 * public functions
40 */
41 x509_ocsp_request_t public;
42
43 /**
44 * CA the candidates belong to
45 */
46 x509_t *ca;
47
48 /**
49 * Requestor name, subject of cert used if not set
50 */
51 identification_t *requestor;
52
53 /**
54 * Requestor certificate, included in request
55 */
56 certificate_t *cert;
57
58 /**
59 * Requestor private key to sign request
60 */
61 private_key_t *key;
62
63 /**
64 * list of certificates to check, x509_t
65 */
66 linked_list_t *candidates;
67
68 /**
69 * nonce used in request
70 */
71 chunk_t nonce;
72
73 /**
74 * encoded OCSP request
75 */
76 chunk_t encoding;
77
78 /**
79 * reference count
80 */
81 refcount_t ref;
82 };
83
84 static u_char ASN1_nonce_oid_str[] = {
85 0x06, 0x09,
86 0x2B, 0x06,
87 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
88 };
89
90 static u_char ASN1_response_oid_str[] = {
91 0x06, 0x09,
92 0x2B, 0x06,
93 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
94 };
95
96 static u_char ASN1_response_content_str[] = {
97 0x04, 0x0D,
98 0x30, 0x0B,
99 0x06, 0x09,
100 0x2B, 0x06,
101 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
102 };
103
104 static const chunk_t ASN1_nonce_oid = chunk_from_buf(ASN1_nonce_oid_str);
105 static const chunk_t ASN1_response_oid = chunk_from_buf(ASN1_response_oid_str);
106 static const chunk_t ASN1_response_content = chunk_from_buf(ASN1_response_content_str);
107
108 /**
109 * build requestorName
110 */
111 static chunk_t build_requestorName(private_x509_ocsp_request_t *this)
112 {
113 if (this->requestor || this->cert)
114 { /* use requestor name, fallback to his cert subject */
115 if (!this->requestor)
116 {
117 this->requestor = this->cert->get_subject(this->cert);
118 this->requestor = this->requestor->clone(this->requestor);
119 }
120 return asn1_wrap(ASN1_CONTEXT_C_1, "m",
121 asn1_simple_object(ASN1_CONTEXT_C_4,
122 this->requestor->get_encoding(this->requestor)));
123
124 }
125 return chunk_empty;
126 }
127
128 /**
129 * build Request, not using singleRequestExtensions
130 */
131 static chunk_t build_Request(private_x509_ocsp_request_t *this,
132 chunk_t issuerNameHash, chunk_t issuerKeyHash,
133 chunk_t serialNumber)
134 {
135 return asn1_wrap(ASN1_SEQUENCE, "m",
136 asn1_wrap(ASN1_SEQUENCE, "mmmm",
137 asn1_algorithmIdentifier(OID_SHA1),
138 asn1_simple_object(ASN1_OCTET_STRING, issuerNameHash),
139 asn1_simple_object(ASN1_OCTET_STRING, issuerKeyHash),
140 asn1_simple_object(ASN1_INTEGER, serialNumber)));
141 }
142
143 /**
144 * build requestList
145 */
146 static chunk_t build_requestList(private_x509_ocsp_request_t *this)
147 {
148 chunk_t issuerNameHash, issuerKeyHash;
149 identification_t *issuer;
150 x509_t *x509;
151 certificate_t *cert;
152 chunk_t list = chunk_empty;
153 public_key_t *public;
154
155 cert = (certificate_t*)this->ca;
156 public = cert->get_public_key(cert);
157 if (public)
158 {
159 hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
160 if (hasher)
161 {
162 if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1,
163 &issuerKeyHash))
164 {
165 enumerator_t *enumerator;
166
167 issuer = cert->get_subject(cert);
168 hasher->allocate_hash(hasher, issuer->get_encoding(issuer),
169 &issuerNameHash);
170 hasher->destroy(hasher);
171
172 enumerator = this->candidates->create_enumerator(this->candidates);
173 while (enumerator->enumerate(enumerator, &x509))
174 {
175 chunk_t request, serialNumber;
176
177 serialNumber = x509->get_serial(x509);
178 request = build_Request(this, issuerNameHash, issuerKeyHash,
179 serialNumber);
180 list = chunk_cat("mm", list, request);
181 }
182 enumerator->destroy(enumerator);
183 chunk_free(&issuerNameHash);
184 }
185 }
186 else
187 {
188 DBG1("creating OCSP request failed, SHA1 not supported");
189 }
190 public->destroy(public);
191 }
192 else
193 {
194 DBG1("creating OCSP request failed, CA certificate has no public key");
195 }
196 return asn1_wrap(ASN1_SEQUENCE, "m", list);
197 }
198
199 /**
200 * build nonce extension
201 */
202 static chunk_t build_nonce(private_x509_ocsp_request_t *this)
203 {
204 rng_t *rng;
205
206 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
207 if (rng)
208 {
209 rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
210 rng->destroy(rng);
211 return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
212 asn1_simple_object(ASN1_OCTET_STRING, this->nonce));
213 }
214 DBG1("creating OCSP request nonce failed, no RNG found");
215 return chunk_empty;
216 }
217
218 /**
219 * build acceptableResponses extension
220 */
221 static chunk_t build_acceptableResponses(private_x509_ocsp_request_t *this)
222 {
223 return asn1_wrap(ASN1_SEQUENCE, "cc",
224 ASN1_response_oid,
225 ASN1_response_content);
226 }
227
228 /**
229 * build requestExtensions
230 */
231 static chunk_t build_requestExtensions(private_x509_ocsp_request_t *this)
232 {
233 return asn1_wrap(ASN1_CONTEXT_C_2, "m",
234 asn1_wrap(ASN1_SEQUENCE, "mm",
235 build_nonce(this),
236 build_acceptableResponses(this)));
237 }
238
239 /**
240 * build tbsRequest
241 */
242 static chunk_t build_tbsRequest(private_x509_ocsp_request_t *this)
243 {
244 return asn1_wrap(ASN1_SEQUENCE, "mmm",
245 build_requestorName(this),
246 build_requestList(this),
247 build_requestExtensions(this));
248 }
249
250 /**
251 * Build the optionalSignature
252 */
253 static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
254 chunk_t tbsRequest)
255 {
256 int oid;
257 signature_scheme_t scheme;
258 chunk_t certs, signature;
259
260 switch (this->key->get_type(this->key))
261 {
262 /* TODO: use a generic mapping function */
263 case KEY_RSA:
264 oid = OID_SHA1_WITH_RSA;
265 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
266 break;
267 case KEY_ECDSA:
268 oid = OID_ECDSA_WITH_SHA1;
269 scheme = SIGN_ECDSA_WITH_SHA1;
270 break;
271 default:
272 DBG1("unable to sign OCSP request, %N signature not supported",
273 key_type_names, this->key->get_type(this->key));
274 return chunk_empty;
275 }
276
277 if (!this->key->sign(this->key, scheme, tbsRequest, &signature))
278 {
279 DBG1("creating OCSP signature failed, skipped");
280 return chunk_empty;
281 }
282 if (this->cert)
283 {
284 certs = asn1_wrap(ASN1_CONTEXT_C_0, "m",
285 asn1_wrap(ASN1_SEQUENCE, "m",
286 this->cert->get_encoding(this->cert)));
287 }
288 return asn1_wrap(ASN1_CONTEXT_C_0, "m",
289 asn1_wrap(ASN1_SEQUENCE, "cmm",
290 asn1_algorithmIdentifier(oid),
291 asn1_bitstring("m", signature),
292 certs));
293 }
294
295 /**
296 * Build the OCSPRequest data
297 *
298 */
299 static chunk_t build_OCSPRequest(private_x509_ocsp_request_t *this)
300 {
301 chunk_t tbsRequest, optionalSignature = chunk_empty;
302
303 tbsRequest = build_tbsRequest(this);
304 if (this->key)
305 {
306 optionalSignature = build_optionalSignature(this, tbsRequest);
307 }
308 return asn1_wrap(ASN1_SEQUENCE, "mm", tbsRequest, optionalSignature);
309 }
310
311
312 /**
313 * Implementation of certificate_t.get_type
314 */
315 static certificate_type_t get_type(private_x509_ocsp_request_t *this)
316 {
317 return CERT_X509_OCSP_REQUEST;
318 }
319
320 /**
321 * Implementation of certificate_t.get_subject
322 */
323 static identification_t* get_subject(private_x509_ocsp_request_t *this)
324 {
325 certificate_t *ca = (certificate_t*)this->ca;
326
327 if (this->requestor)
328 {
329 return this->requestor;
330 }
331 if (this->cert)
332 {
333 return this->cert->get_subject(this->cert);
334 }
335 return ca->get_subject(ca);
336 }
337
338 /**
339 * Implementation of certificate_t.get_issuer
340 */
341 static identification_t* get_issuer(private_x509_ocsp_request_t *this)
342 {
343 certificate_t *ca = (certificate_t*)this->ca;
344
345 return ca->get_subject(ca);
346 }
347
348 /**
349 * Implementation of certificate_t.has_subject.
350 */
351 static id_match_t has_subject(private_x509_ocsp_request_t *this,
352 identification_t *subject)
353 {
354 certificate_t *current;
355 enumerator_t *enumerator;
356 id_match_t match, best = ID_MATCH_NONE;
357
358 enumerator = this->candidates->create_enumerator(this->candidates);
359 while (enumerator->enumerate(enumerator, &current))
360 {
361 match = current->has_subject(current, subject);
362 if (match > best)
363 {
364 best = match;
365 }
366 }
367 enumerator->destroy(enumerator);
368 return best;
369 }
370
371 /**
372 * Implementation of certificate_t.has_subject.
373 */
374 static id_match_t has_issuer(private_x509_ocsp_request_t *this,
375 identification_t *issuer)
376 {
377 certificate_t *ca = (certificate_t*)this->ca;
378
379 return ca->has_subject(ca, issuer);
380 }
381
382 /**
383 * Implementation of certificate_t.issued_by
384 */
385 static bool issued_by(private_x509_ocsp_request_t *this, certificate_t *issuer)
386 {
387 DBG1("OCSP request validation not implemented!");
388 return FALSE;
389 }
390
391 /**
392 * Implementation of certificate_t.get_public_key
393 */
394 static public_key_t* get_public_key(private_x509_ocsp_request_t *this)
395 {
396 return NULL;
397 }
398
399 /**
400 * Implementation of x509_cert_t.get_validity.
401 */
402 static bool get_validity(private_x509_ocsp_request_t *this, time_t *when,
403 time_t *not_before, time_t *not_after)
404 {
405 certificate_t *cert;
406
407 if (this->cert)
408 {
409 cert = this->cert;
410 }
411 else
412 {
413 cert = (certificate_t*)this->ca;
414 }
415 return cert->get_validity(cert, when, not_before, not_after);
416 }
417
418 /**
419 * Implementation of certificate_t.get_encoding.
420 */
421 static chunk_t get_encoding(private_x509_ocsp_request_t *this)
422 {
423 return chunk_clone(this->encoding);
424 }
425
426 /**
427 * Implementation of certificate_t.equals.
428 */
429 static bool equals(private_x509_ocsp_request_t *this, certificate_t *other)
430 {
431 chunk_t encoding;
432 bool equal;
433
434 if (this == (private_x509_ocsp_request_t*)other)
435 {
436 return TRUE;
437 }
438 if (other->get_type(other) != CERT_X509_OCSP_REQUEST)
439 {
440 return FALSE;
441 }
442 if (other->equals == (void*)equals)
443 { /* skip allocation if we have the same implementation */
444 return chunk_equals(this->encoding, ((private_x509_ocsp_request_t*)other)->encoding);
445 }
446 encoding = other->get_encoding(other);
447 equal = chunk_equals(this->encoding, encoding);
448 free(encoding.ptr);
449 return equal;
450 }
451
452 /**
453 * Implementation of certificate_t.asdf
454 */
455 static private_x509_ocsp_request_t* get_ref(private_x509_ocsp_request_t *this)
456 {
457 ref_get(&this->ref);
458 return this;
459 }
460
461 /**
462 * Implementation of x509_ocsp_request_t.destroy
463 */
464 static void destroy(private_x509_ocsp_request_t *this)
465 {
466 if (ref_put(&this->ref))
467 {
468 DESTROY_IF((certificate_t*)this->ca);
469 DESTROY_IF(this->requestor);
470 DESTROY_IF(this->cert);
471 DESTROY_IF(this->key);
472 this->candidates->destroy_offset(this->candidates, offsetof(certificate_t, destroy));
473 chunk_free(&this->nonce);
474 chunk_free(&this->encoding);
475 free(this);
476 }
477 }
478
479 /**
480 * create an empty but initialized OCSP request
481 */
482 static private_x509_ocsp_request_t *create_empty()
483 {
484 private_x509_ocsp_request_t *this = malloc_thing(private_x509_ocsp_request_t);
485
486 this->public.interface.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
487 this->public.interface.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
488 this->public.interface.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
489 this->public.interface.interface.has_subject = (id_match_t(*)(certificate_t*, identification_t *subject))has_subject;
490 this->public.interface.interface.has_issuer = (id_match_t(*)(certificate_t*, identification_t *issuer))has_issuer;
491 this->public.interface.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
492 this->public.interface.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
493 this->public.interface.interface.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
494 this->public.interface.interface.get_encoding = (chunk_t(*)(certificate_t*))get_encoding;
495 this->public.interface.interface.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
496 this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
497 this->public.interface.interface.destroy = (void (*)(certificate_t *this))destroy;
498
499 this->ca = NULL;
500 this->requestor = NULL;
501 this->cert = NULL;
502 this->key = NULL;
503 this->nonce = chunk_empty;
504 this->encoding = chunk_empty;
505 this->candidates = linked_list_create();
506 this->ref = 1;
507
508 return this;
509 }
510
511 typedef struct private_builder_t private_builder_t;
512 /**
513 * Builder implementation for certificate loading
514 */
515 struct private_builder_t {
516 /** implements the builder interface */
517 builder_t public;
518 /** OCSP request to build */
519 private_x509_ocsp_request_t *req;
520 };
521
522 /**
523 * Implementation of builder_t.build
524 */
525 static x509_ocsp_request_t *build(private_builder_t *this)
526 {
527 private_x509_ocsp_request_t *req;
528
529 req = this->req;
530 free(this);
531 if (req->ca)
532 {
533 req->encoding = build_OCSPRequest(req);
534 return &req->public;
535 }
536 destroy(req);
537 return NULL;
538 }
539
540 /**
541 * Implementation of builder_t.add
542 */
543 static void add(private_builder_t *this, builder_part_t part, ...)
544 {
545 va_list args;
546 certificate_t *cert;
547 identification_t *subject;
548 private_key_t *private;
549
550 va_start(args, part);
551 switch (part)
552 {
553 case BUILD_CA_CERT:
554 cert = va_arg(args, certificate_t*);
555 if (cert->get_type(cert) == CERT_X509)
556 {
557 this->req->ca = (x509_t*)cert->get_ref(cert);
558 }
559 break;
560 case BUILD_CERT:
561 cert = va_arg(args, certificate_t*);
562 if (cert->get_type(cert) == CERT_X509)
563 {
564 this->req->candidates->insert_last(this->req->candidates,
565 cert->get_ref(cert));
566 }
567 break;
568 case BUILD_SIGNING_CERT:
569 cert = va_arg(args, certificate_t*);
570 this->req->cert = cert->get_ref(cert);
571 break;
572 case BUILD_SIGNING_KEY:
573 private = va_arg(args, private_key_t*);
574 this->req->key = private->get_ref(private);
575 break;
576 case BUILD_SUBJECT:
577 subject = va_arg(args, identification_t*);
578 this->req->requestor = subject->clone(subject);
579 break;
580 default:
581 /* cancel if option not supported */
582 if (this->req)
583 {
584 destroy(this->req);
585 }
586 builder_cancel(&this->public);
587 break;
588 }
589 va_end(args);
590 }
591
592 /**
593 * Builder construction function
594 */
595 builder_t *x509_ocsp_request_builder(certificate_type_t type)
596 {
597 private_builder_t *this;
598
599 if (type != CERT_X509_OCSP_REQUEST)
600 {
601 return NULL;
602 }
603
604 this = malloc_thing(private_builder_t);
605
606 this->req = create_empty();
607 this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
608 this->public.build = (void*(*)(builder_t *this))build;
609
610 return &this->public;
611 }
612
strongSwan - IPsec VPN