support of ECDSA signatures for all certificate types
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_ocsp_request.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Copyright (C) 2007 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 *
17 * $Id$
18 */
19
20 #include "x509_ocsp_request.h"
21
22 #include <library.h>
23 #include <asn1/oid.h>
24 #include <asn1/asn1.h>
25 #include <utils/identification.h>
26 #include <utils/linked_list.h>
27 #include <debug.h>
28 #include <credentials/certificates/x509.h>
29
30 #define NONCE_LEN 16
31
32 typedef struct private_x509_ocsp_request_t private_x509_ocsp_request_t;
33
34 /**
35 * private data of x509_ocsp_request
36 */
37 struct private_x509_ocsp_request_t {
38
39 /**
40 * public functions
41 */
42 x509_ocsp_request_t public;
43
44 /**
45 * CA the candidates belong to
46 */
47 x509_t *ca;
48
49 /**
50 * Requestor name, subject of cert used if not set
51 */
52 identification_t *requestor;
53
54 /**
55 * Requestor certificate, included in request
56 */
57 certificate_t *cert;
58
59 /**
60 * Requestor private key to sign request
61 */
62 private_key_t *key;
63
64 /**
65 * list of certificates to check, x509_t
66 */
67 linked_list_t *candidates;
68
69 /**
70 * nonce used in request
71 */
72 chunk_t nonce;
73
74 /**
75 * encoded OCSP request
76 */
77 chunk_t encoding;
78
79 /**
80 * reference count
81 */
82 refcount_t ref;
83 };
84
85 static u_char ASN1_nonce_oid_str[] = {
86 0x06, 0x09,
87 0x2B, 0x06,
88 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
89 };
90
91 static u_char ASN1_response_oid_str[] = {
92 0x06, 0x09,
93 0x2B, 0x06,
94 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
95 };
96
97 static u_char ASN1_response_content_str[] = {
98 0x04, 0x0D,
99 0x30, 0x0B,
100 0x06, 0x09,
101 0x2B, 0x06,
102 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
103 };
104
105 static const chunk_t ASN1_nonce_oid = chunk_from_buf(ASN1_nonce_oid_str);
106 static const chunk_t ASN1_response_oid = chunk_from_buf(ASN1_response_oid_str);
107 static const chunk_t ASN1_response_content = chunk_from_buf(ASN1_response_content_str);
108
109 /**
110 * build requestorName
111 */
112 static chunk_t build_requestorName(private_x509_ocsp_request_t *this)
113 {
114 if (this->requestor || this->cert)
115 { /* use requestor name, fallback to his cert subject */
116 if (!this->requestor)
117 {
118 this->requestor = this->cert->get_subject(this->cert);
119 this->requestor = this->requestor->clone(this->requestor);
120 }
121 return asn1_wrap(ASN1_CONTEXT_C_1, "m",
122 asn1_simple_object(ASN1_CONTEXT_C_4,
123 this->requestor->get_encoding(this->requestor)));
124
125 }
126 return chunk_empty;
127 }
128
129 /**
130 * build Request, not using singleRequestExtensions
131 */
132 static chunk_t build_Request(private_x509_ocsp_request_t *this,
133 chunk_t issuerNameHash, chunk_t issuerKeyHash,
134 chunk_t serialNumber)
135 {
136 return asn1_wrap(ASN1_SEQUENCE, "m",
137 asn1_wrap(ASN1_SEQUENCE, "cmmm",
138 asn1_algorithmIdentifier(OID_SHA1),
139 asn1_simple_object(ASN1_OCTET_STRING, issuerNameHash),
140 asn1_simple_object(ASN1_OCTET_STRING, issuerKeyHash),
141 asn1_simple_object(ASN1_INTEGER, serialNumber)));
142 }
143
144 /**
145 * build requestList
146 */
147 static chunk_t build_requestList(private_x509_ocsp_request_t *this)
148 {
149 chunk_t issuerNameHash, issuerKeyHash;
150 identification_t *issuer;
151 x509_t *x509;
152 certificate_t *cert;
153 chunk_t list = chunk_empty;
154 public_key_t *public;
155
156 cert = (certificate_t*)this->ca;
157 public = cert->get_public_key(cert);
158 if (public)
159 {
160 hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
161 if (hasher)
162 {
163 identification_t *keyid = public->get_id(public, ID_PUBKEY_SHA1);
164 if (keyid)
165 {
166 enumerator_t *enumerator;
167
168 issuerKeyHash = keyid->get_encoding(keyid);
169
170 issuer = cert->get_subject(cert);
171 hasher->allocate_hash(hasher, issuer->get_encoding(issuer),
172 &issuerNameHash);
173 hasher->destroy(hasher);
174
175 enumerator = this->candidates->create_enumerator(this->candidates);
176 while (enumerator->enumerate(enumerator, &x509))
177 {
178 chunk_t request, serialNumber;
179
180 serialNumber = x509->get_serial(x509);
181 request = build_Request(this, issuerNameHash, issuerKeyHash,
182 serialNumber);
183 list = chunk_cat("mm", list, request);
184 }
185 enumerator->destroy(enumerator);
186 chunk_free(&issuerNameHash);
187 }
188 }
189 else
190 {
191 DBG1("creating OCSP request failed, SHA1 not supported");
192 }
193 public->destroy(public);
194 }
195 else
196 {
197 DBG1("creating OCSP request failed, CA certificate has no public key");
198 }
199 return asn1_wrap(ASN1_SEQUENCE, "m", list);
200 }
201
202 /**
203 * build nonce extension
204 */
205 static chunk_t build_nonce(private_x509_ocsp_request_t *this)
206 {
207 rng_t *rng;
208
209 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
210 if (rng)
211 {
212 rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
213 rng->destroy(rng);
214 return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
215 asn1_simple_object(ASN1_OCTET_STRING, this->nonce));
216 }
217 DBG1("creating OCSP request nonce failed, no RNG found");
218 return chunk_empty;
219 }
220
221 /**
222 * build acceptableResponses extension
223 */
224 static chunk_t build_acceptableResponses(private_x509_ocsp_request_t *this)
225 {
226 return asn1_wrap(ASN1_SEQUENCE, "cc",
227 ASN1_response_oid,
228 ASN1_response_content);
229 }
230
231 /**
232 * build requestExtensions
233 */
234 static chunk_t build_requestExtensions(private_x509_ocsp_request_t *this)
235 {
236 return asn1_wrap(ASN1_CONTEXT_C_2, "m",
237 asn1_wrap(ASN1_SEQUENCE, "mm",
238 build_nonce(this),
239 build_acceptableResponses(this)));
240 }
241
242 /**
243 * build tbsRequest
244 */
245 static chunk_t build_tbsRequest(private_x509_ocsp_request_t *this)
246 {
247 return asn1_wrap(ASN1_SEQUENCE, "mmm",
248 build_requestorName(this),
249 build_requestList(this),
250 build_requestExtensions(this));
251 }
252
253 /**
254 * Build the optionalSignature
255 */
256 static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
257 chunk_t tbsRequest)
258 {
259 int oid;
260 signature_scheme_t scheme;
261 chunk_t certs, signature;
262
263 switch (this->key->get_type(this->key))
264 {
265 /* TODO: use a generic mapping function */
266 case KEY_RSA:
267 oid = OID_SHA1_WITH_RSA;
268 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
269 break;
270 case KEY_ECDSA:
271 oid = OID_ECDSA_WITH_SHA1;
272 scheme = SIGN_ECDSA_WITH_SHA1;
273 break;
274 default:
275 DBG1("unable to sign OCSP request, %N signature not supported",
276 key_type_names, this->key->get_type(this->key));
277 return chunk_empty;
278 }
279
280 if (!this->key->sign(this->key, scheme, tbsRequest, &signature))
281 {
282 DBG1("creating OCSP signature failed, skipped");
283 return chunk_empty;
284 }
285 if (this->cert)
286 {
287 certs = asn1_wrap(ASN1_CONTEXT_C_0, "m",
288 asn1_wrap(ASN1_SEQUENCE, "m",
289 this->cert->get_encoding(this->cert)));
290 }
291 return asn1_wrap(ASN1_CONTEXT_C_0, "m",
292 asn1_wrap(ASN1_SEQUENCE, "cmm",
293 asn1_algorithmIdentifier(oid),
294 asn1_bitstring("m", signature),
295 certs));
296 }
297
298 /**
299 * Build the OCSPRequest data
300 *
301 */
302 static chunk_t build_OCSPRequest(private_x509_ocsp_request_t *this)
303 {
304 chunk_t tbsRequest, optionalSignature = chunk_empty;
305
306 tbsRequest = build_tbsRequest(this);
307 if (this->key)
308 {
309 optionalSignature = build_optionalSignature(this, tbsRequest);
310 }
311 return asn1_wrap(ASN1_SEQUENCE, "mm", tbsRequest, optionalSignature);
312 }
313
314
315 /**
316 * Implementation of certificate_t.get_type
317 */
318 static certificate_type_t get_type(private_x509_ocsp_request_t *this)
319 {
320 return CERT_X509_OCSP_REQUEST;
321 }
322
323 /**
324 * Implementation of certificate_t.get_subject
325 */
326 static identification_t* get_subject(private_x509_ocsp_request_t *this)
327 {
328 certificate_t *ca = (certificate_t*)this->ca;
329
330 if (this->requestor)
331 {
332 return this->requestor;
333 }
334 if (this->cert)
335 {
336 return this->cert->get_subject(this->cert);
337 }
338 return ca->get_subject(ca);
339 }
340
341 /**
342 * Implementation of certificate_t.get_issuer
343 */
344 static identification_t* get_issuer(private_x509_ocsp_request_t *this)
345 {
346 certificate_t *ca = (certificate_t*)this->ca;
347
348 return ca->get_subject(ca);
349 }
350
351 /**
352 * Implementation of certificate_t.has_subject.
353 */
354 static id_match_t has_subject(private_x509_ocsp_request_t *this,
355 identification_t *subject)
356 {
357 certificate_t *current;
358 enumerator_t *enumerator;
359 id_match_t match, best = ID_MATCH_NONE;
360
361 enumerator = this->candidates->create_enumerator(this->candidates);
362 while (enumerator->enumerate(enumerator, &current))
363 {
364 match = current->has_subject(current, subject);
365 if (match > best)
366 {
367 best = match;
368 }
369 }
370 enumerator->destroy(enumerator);
371 return best;
372 }
373
374 /**
375 * Implementation of certificate_t.has_subject.
376 */
377 static id_match_t has_issuer(private_x509_ocsp_request_t *this,
378 identification_t *issuer)
379 {
380 certificate_t *ca = (certificate_t*)this->ca;
381
382 return ca->has_subject(ca, issuer);
383 }
384
385 /**
386 * Implementation of certificate_t.issued_by
387 */
388 static bool issued_by(private_x509_ocsp_request_t *this, certificate_t *issuer)
389 {
390 DBG1("OCSP request validation not implemented!");
391 return FALSE;
392 }
393
394 /**
395 * Implementation of certificate_t.get_public_key
396 */
397 static public_key_t* get_public_key(private_x509_ocsp_request_t *this)
398 {
399 return NULL;
400 }
401
402 /**
403 * Implementation of x509_cert_t.get_validity.
404 */
405 static bool get_validity(private_x509_ocsp_request_t *this, time_t *when,
406 time_t *not_before, time_t *not_after)
407 {
408 certificate_t *cert;
409
410 if (this->cert)
411 {
412 cert = this->cert;
413 }
414 else
415 {
416 cert = (certificate_t*)this->ca;
417 }
418 return cert->get_validity(cert, when, not_before, not_after);
419 }
420
421 /**
422 * Implementation of certificate_t.get_encoding.
423 */
424 static chunk_t get_encoding(private_x509_ocsp_request_t *this)
425 {
426 return chunk_clone(this->encoding);
427 }
428
429 /**
430 * Implementation of certificate_t.equals.
431 */
432 static bool equals(private_x509_ocsp_request_t *this, certificate_t *other)
433 {
434 chunk_t encoding;
435 bool equal;
436
437 if (this == (private_x509_ocsp_request_t*)other)
438 {
439 return TRUE;
440 }
441 if (other->get_type(other) != CERT_X509_OCSP_REQUEST)
442 {
443 return FALSE;
444 }
445 if (other->equals == (void*)equals)
446 { /* skip allocation if we have the same implementation */
447 return chunk_equals(this->encoding, ((private_x509_ocsp_request_t*)other)->encoding);
448 }
449 encoding = other->get_encoding(other);
450 equal = chunk_equals(this->encoding, encoding);
451 free(encoding.ptr);
452 return equal;
453 }
454
455 /**
456 * Implementation of certificate_t.asdf
457 */
458 static private_x509_ocsp_request_t* get_ref(private_x509_ocsp_request_t *this)
459 {
460 ref_get(&this->ref);
461 return this;
462 }
463
464 /**
465 * Implementation of x509_ocsp_request_t.destroy
466 */
467 static void destroy(private_x509_ocsp_request_t *this)
468 {
469 if (ref_put(&this->ref))
470 {
471 DESTROY_IF((certificate_t*)this->ca);
472 DESTROY_IF(this->requestor);
473 DESTROY_IF(this->cert);
474 DESTROY_IF(this->key);
475 this->candidates->destroy_offset(this->candidates, offsetof(certificate_t, destroy));
476 chunk_free(&this->nonce);
477 chunk_free(&this->encoding);
478 free(this);
479 }
480 }
481
482 /**
483 * create an empty but initialized OCSP request
484 */
485 static private_x509_ocsp_request_t *create_empty()
486 {
487 private_x509_ocsp_request_t *this = malloc_thing(private_x509_ocsp_request_t);
488
489 this->public.interface.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
490 this->public.interface.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
491 this->public.interface.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
492 this->public.interface.interface.has_subject = (id_match_t(*)(certificate_t*, identification_t *subject))has_subject;
493 this->public.interface.interface.has_issuer = (id_match_t(*)(certificate_t*, identification_t *issuer))has_issuer;
494 this->public.interface.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
495 this->public.interface.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
496 this->public.interface.interface.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
497 this->public.interface.interface.get_encoding = (chunk_t(*)(certificate_t*))get_encoding;
498 this->public.interface.interface.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
499 this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
500 this->public.interface.interface.destroy = (void (*)(certificate_t *this))destroy;
501
502 this->ca = NULL;
503 this->requestor = NULL;
504 this->cert = NULL;
505 this->key = NULL;
506 this->nonce = chunk_empty;
507 this->encoding = chunk_empty;
508 this->candidates = linked_list_create();
509 this->ref = 1;
510
511 return this;
512 }
513
514 typedef struct private_builder_t private_builder_t;
515 /**
516 * Builder implementation for certificate loading
517 */
518 struct private_builder_t {
519 /** implements the builder interface */
520 builder_t public;
521 /** OCSP request to build */
522 private_x509_ocsp_request_t *req;
523 };
524
525 /**
526 * Implementation of builder_t.build
527 */
528 static x509_ocsp_request_t *build(private_builder_t *this)
529 {
530 private_x509_ocsp_request_t *req;
531
532 req = this->req;
533 free(this);
534 if (req->ca)
535 {
536 req->encoding = build_OCSPRequest(req);
537 return &req->public;
538 }
539 destroy(req);
540 return NULL;
541 }
542
543 /**
544 * Implementation of builder_t.add
545 */
546 static void add(private_builder_t *this, builder_part_t part, ...)
547 {
548 va_list args;
549 certificate_t *cert;
550
551 va_start(args, part);
552 switch (part)
553 {
554 case BUILD_CA_CERT:
555 cert = va_arg(args, certificate_t*);
556 if (cert->get_type(cert) == CERT_X509)
557 {
558 this->req->ca = (x509_t*)cert;
559 }
560 else
561 {
562 cert->destroy(cert);
563 }
564 break;
565 case BUILD_CERT:
566 cert = va_arg(args, certificate_t*);
567 if (cert->get_type(cert) == CERT_X509)
568 {
569 this->req->candidates->insert_last(this->req->candidates, cert);
570 }
571 else
572 {
573 cert->destroy(cert);
574 }
575 break;
576 case BUILD_SIGNING_CERT:
577 this->req->cert = va_arg(args, certificate_t*);
578 break;
579 case BUILD_SIGNING_KEY:
580 this->req->key = va_arg(args, private_key_t*);
581 break;
582 case BUILD_SUBJECT:
583 this->req->requestor = va_arg(args, identification_t*);
584 break;
585 default:
586 DBG1("ignoring unsupported build part %N", builder_part_names, part);
587 break;
588 }
589 va_end(args);
590 }
591
592 /**
593 * Builder construction function
594 */
595 builder_t *x509_ocsp_request_builder(certificate_type_t type)
596 {
597 private_builder_t *this;
598
599 if (type != CERT_X509_OCSP_REQUEST)
600 {
601 return NULL;
602 }
603
604 this = malloc_thing(private_builder_t);
605
606 this->req = create_empty();
607 this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
608 this->public.build = (void*(*)(builder_t *this))build;
609
610 return &this->public;
611 }
612