pluto now uses x509 plugin for attribute certificate handling
[strongswan.git] / src / pluto / x509.c
1 /* Support of X.509 certificates
2 * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
3 * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
4 * Copyright (C) 2002 Mario Strasser
5 * Copyright (C) 2000-2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include <stdlib.h>
19 #include <stdio.h>
20 #include <string.h>
21 #include <unistd.h>
22 #include <dirent.h>
23 #include <time.h>
24 #include <sys/types.h>
25
26 #include <freeswan.h>
27
28 #include <asn1/asn1.h>
29 #include <asn1/asn1_parser.h>
30 #include <asn1/oid.h>
31 #include <crypto/hashers/hasher.h>
32
33 #include "constants.h"
34 #include "defs.h"
35 #include "log.h"
36 #include "id.h"
37 #include "x509.h"
38 #include "crl.h"
39 #include "ca.h"
40 #include "certs.h"
41 #include "keys.h"
42 #include "whack.h"
43 #include "fetch.h"
44 #include "ocsp.h"
45
46 /**
47 * Chained lists of X.509 end certificates
48 */
49 static x509cert_t *x509certs = NULL;
50
51 /**
52 * ASN.1 definition of a authorityKeyIdentifier extension
53 */
54 static const asn1Object_t authKeyIdentifierObjects[] = {
55 { 0, "authorityKeyIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
56 { 1, "keyIdentifier", ASN1_CONTEXT_S_0, ASN1_OPT|ASN1_BODY }, /* 1 */
57 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
58 { 1, "authorityCertIssuer", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_OBJ }, /* 3 */
59 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 4 */
60 { 1, "authorityCertSerialNumber", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 5 */
61 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
62 { 0, "exit", ASN1_EOC, ASN1_EXIT }
63 };
64 #define AUTH_KEY_ID_KEY_ID 1
65 #define AUTH_KEY_ID_CERT_ISSUER 3
66 #define AUTH_KEY_ID_CERT_SERIAL 5
67
68 /**
69 * ASN.1 definition of generalNames
70 */
71 static const asn1Object_t generalNamesObjects[] = {
72 { 0, "generalNames", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
73 { 1, "generalName", ASN1_EOC, ASN1_RAW }, /* 1 */
74 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
75 { 0, "exit", ASN1_EOC, ASN1_EXIT }
76 };
77 #define GENERAL_NAMES_GN 1
78
79 /**
80 * ASN.1 definition of generalName
81 */
82 static const asn1Object_t generalNameObjects[] = {
83 { 0, "otherName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_BODY }, /* 0 */
84 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 1 */
85 { 0, "rfc822Name", ASN1_CONTEXT_S_1, ASN1_OPT|ASN1_BODY }, /* 2 */
86 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 3 */
87 { 0, "dnsName", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 4 */
88 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
89 { 0, "x400Address", ASN1_CONTEXT_S_3, ASN1_OPT|ASN1_BODY }, /* 6 */
90 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
91 { 0, "directoryName", ASN1_CONTEXT_C_4, ASN1_OPT|ASN1_BODY }, /* 8 */
92 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
93 { 0, "ediPartyName", ASN1_CONTEXT_C_5, ASN1_OPT|ASN1_BODY }, /* 10 */
94 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
95 { 0, "URI", ASN1_CONTEXT_S_6, ASN1_OPT|ASN1_BODY }, /* 12 */
96 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 13 */
97 { 0, "ipAddress", ASN1_CONTEXT_S_7, ASN1_OPT|ASN1_BODY }, /* 14 */
98 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 15 */
99 { 0, "registeredID", ASN1_CONTEXT_S_8, ASN1_OPT|ASN1_BODY }, /* 16 */
100 { 0, "end choice", ASN1_EOC, ASN1_END }, /* 17 */
101 { 0, "exit", ASN1_EOC, ASN1_EXIT }
102 };
103 #define GN_OBJ_OTHER_NAME 0
104 #define GN_OBJ_RFC822_NAME 2
105 #define GN_OBJ_DNS_NAME 4
106 #define GN_OBJ_X400_ADDRESS 6
107 #define GN_OBJ_DIRECTORY_NAME 8
108 #define GN_OBJ_EDI_PARTY_NAME 10
109 #define GN_OBJ_URI 12
110 #define GN_OBJ_IP_ADDRESS 14
111 #define GN_OBJ_REGISTERED_ID 16
112
113 /**
114 * ASN.1 definition of otherName
115 */
116 static const asn1Object_t otherNameObjects[] = {
117 {0, "type-id", ASN1_OID, ASN1_BODY }, /* 0 */
118 {0, "value", ASN1_CONTEXT_C_0, ASN1_BODY }, /* 1 */
119 {0, "exit", ASN1_EOC, ASN1_EXIT }
120 };
121 #define ON_OBJ_ID_TYPE 0
122 #define ON_OBJ_VALUE 1
123
124 const x509cert_t empty_x509cert = {
125 NULL , /* cert */
126 NULL , /* *next */
127 UNDEFINED_TIME, /* installed */
128 0 , /* count */
129 FALSE /* smartcard */
130 };
131
132 /* coding of X.501 distinguished name */
133
134 typedef struct {
135 const u_char *name;
136 chunk_t oid;
137 u_char type;
138 } x501rdn_t;
139
140 /* X.501 acronyms for well known object identifiers (OIDs) */
141
142 static u_char oid_ND[] = {0x02, 0x82, 0x06, 0x01,
143 0x0A, 0x07, 0x14};
144 static u_char oid_UID[] = {0x09, 0x92, 0x26, 0x89, 0x93,
145 0xF2, 0x2C, 0x64, 0x01, 0x01};
146 static u_char oid_DC[] = {0x09, 0x92, 0x26, 0x89, 0x93,
147 0xF2, 0x2C, 0x64, 0x01, 0x19};
148 static u_char oid_CN[] = {0x55, 0x04, 0x03};
149 static u_char oid_S[] = {0x55, 0x04, 0x04};
150 static u_char oid_SN[] = {0x55, 0x04, 0x05};
151 static u_char oid_C[] = {0x55, 0x04, 0x06};
152 static u_char oid_L[] = {0x55, 0x04, 0x07};
153 static u_char oid_ST[] = {0x55, 0x04, 0x08};
154 static u_char oid_O[] = {0x55, 0x04, 0x0A};
155 static u_char oid_OU[] = {0x55, 0x04, 0x0B};
156 static u_char oid_T[] = {0x55, 0x04, 0x0C};
157 static u_char oid_D[] = {0x55, 0x04, 0x0D};
158 static u_char oid_N[] = {0x55, 0x04, 0x29};
159 static u_char oid_G[] = {0x55, 0x04, 0x2A};
160 static u_char oid_I[] = {0x55, 0x04, 0x2B};
161 static u_char oid_ID[] = {0x55, 0x04, 0x2D};
162 static u_char oid_EN[] = {0x60, 0x86, 0x48, 0x01, 0x86,
163 0xF8, 0x42, 0x03, 0x01, 0x03};
164 static u_char oid_E[] = {0x2A, 0x86, 0x48, 0x86, 0xF7,
165 0x0D, 0x01, 0x09, 0x01};
166 static u_char oid_UN[] = {0x2A, 0x86, 0x48, 0x86, 0xF7,
167 0x0D, 0x01, 0x09, 0x02};
168 static u_char oid_TCGID[] = {0x2B, 0x06, 0x01, 0x04, 0x01, 0x89,
169 0x31, 0x01, 0x01, 0x02, 0x02, 0x4B};
170
171 static const x501rdn_t x501rdns[] = {
172 {"ND" , {oid_ND, 7}, ASN1_PRINTABLESTRING},
173 {"UID" , {oid_UID, 10}, ASN1_PRINTABLESTRING},
174 {"DC" , {oid_DC, 10}, ASN1_PRINTABLESTRING},
175 {"CN" , {oid_CN, 3}, ASN1_PRINTABLESTRING},
176 {"S" , {oid_S, 3}, ASN1_PRINTABLESTRING},
177 {"SN" , {oid_SN, 3}, ASN1_PRINTABLESTRING},
178 {"serialNumber" , {oid_SN, 3}, ASN1_PRINTABLESTRING},
179 {"C" , {oid_C, 3}, ASN1_PRINTABLESTRING},
180 {"L" , {oid_L, 3}, ASN1_PRINTABLESTRING},
181 {"ST" , {oid_ST, 3}, ASN1_PRINTABLESTRING},
182 {"O" , {oid_O, 3}, ASN1_PRINTABLESTRING},
183 {"OU" , {oid_OU, 3}, ASN1_PRINTABLESTRING},
184 {"T" , {oid_T, 3}, ASN1_PRINTABLESTRING},
185 {"D" , {oid_D, 3}, ASN1_PRINTABLESTRING},
186 {"N" , {oid_N, 3}, ASN1_PRINTABLESTRING},
187 {"G" , {oid_G, 3}, ASN1_PRINTABLESTRING},
188 {"I" , {oid_I, 3}, ASN1_PRINTABLESTRING},
189 {"ID" , {oid_ID, 3}, ASN1_PRINTABLESTRING},
190 {"EN" , {oid_EN, 10}, ASN1_PRINTABLESTRING},
191 {"employeeNumber" , {oid_EN, 10}, ASN1_PRINTABLESTRING},
192 {"E" , {oid_E, 9}, ASN1_IA5STRING},
193 {"Email" , {oid_E, 9}, ASN1_IA5STRING},
194 {"emailAddress" , {oid_E, 9}, ASN1_IA5STRING},
195 {"UN" , {oid_UN, 9}, ASN1_IA5STRING},
196 {"unstructuredName", {oid_UN, 9}, ASN1_IA5STRING},
197 {"TCGID" , {oid_TCGID, 12}, ASN1_PRINTABLESTRING}
198 };
199
200 #define X501_RDN_ROOF 26
201
202 static void update_chunk(chunk_t *ch, int n)
203 {
204 n = (n > -1 && n < (int)ch->len)? n : (int)ch->len-1;
205 ch->ptr += n; ch->len -= n;
206 }
207
208 /**
209 * Pointer is set to the first RDN in a DN
210 */
211 static err_t init_rdn(chunk_t dn, chunk_t *rdn, chunk_t *attribute, bool *next)
212 {
213 *rdn = chunk_empty;
214 *attribute = chunk_empty;
215
216 /* a DN is a SEQUENCE OF RDNs */
217
218 if (*dn.ptr != ASN1_SEQUENCE)
219 {
220 return "DN is not a SEQUENCE";
221 }
222
223 rdn->len = asn1_length(&dn);
224
225 if (rdn->len == ASN1_INVALID_LENGTH)
226 {
227 return "Invalid RDN length";
228 }
229 rdn->ptr = dn.ptr;
230
231 /* are there any RDNs ? */
232 *next = rdn->len > 0;
233
234 return NULL;
235 }
236
237 /**
238 * Fetches the next RDN in a DN
239 */
240 static err_t get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid,
241 chunk_t *value, asn1_t *type, bool *next)
242 {
243 chunk_t body;
244
245 /* initialize return values */
246 *oid = chunk_empty;
247 *value = chunk_empty;
248
249 /* if all attributes have been parsed, get next rdn */
250 if (attribute->len <= 0)
251 {
252 /* an RDN is a SET OF attributeTypeAndValue */
253 if (*rdn->ptr != ASN1_SET)
254 {
255 return "RDN is not a SET";
256 }
257 attribute->len = asn1_length(rdn);
258
259 if (attribute->len == ASN1_INVALID_LENGTH)
260 {
261 return "Invalid attribute length";
262 }
263 attribute->ptr = rdn->ptr;
264
265 /* advance to start of next RDN */
266 rdn->ptr += attribute->len;
267 rdn->len -= attribute->len;
268 }
269
270 /* an attributeTypeAndValue is a SEQUENCE */
271 if (*attribute->ptr != ASN1_SEQUENCE)
272 {
273 return "attributeTypeAndValue is not a SEQUENCE";
274 }
275
276 /* extract the attribute body */
277 body.len = asn1_length(attribute);
278
279 if (body.len == ASN1_INVALID_LENGTH)
280 {
281 return "Invalid attribute body length";
282 }
283 body.ptr = attribute->ptr;
284
285 /* advance to start of next attribute */
286 attribute->ptr += body.len;
287 attribute->len -= body.len;
288
289 /* attribute type is an OID */
290 if (*body.ptr != ASN1_OID)
291 {
292 return "attributeType is not an OID";
293 }
294
295 /* extract OID */
296 oid->len = asn1_length(&body);
297
298 if (oid->len == ASN1_INVALID_LENGTH)
299 {
300 return "Invalid attribute OID length";
301 }
302 oid->ptr = body.ptr;
303
304 /* advance to the attribute value */
305 body.ptr += oid->len;
306 body.len -= oid->len;
307
308 /* extract string type */
309 *type = *body.ptr;
310
311 /* extract string value */
312 value->len = asn1_length(&body);
313
314 if (value->len == ASN1_INVALID_LENGTH)
315 {
316 return "Invalid attribute string length";
317 }
318 value->ptr = body.ptr;
319
320 /* are there any RDNs left? */
321 *next = rdn->len > 0 || attribute->len > 0;
322
323 return NULL;
324 }
325
326 /**
327 * Parses an ASN.1 distinguished name int its OID/value pairs
328 */
329 static err_t dn_parse(chunk_t dn, chunk_t *str)
330 {
331 chunk_t rdn, oid, attribute, value;
332 asn1_t type;
333 int oid_code;
334 bool next;
335 bool first = TRUE;
336
337 err_t ugh = init_rdn(dn, &rdn, &attribute, &next);
338
339 if (ugh != NULL) /* a parsing error has occured */
340 {
341 return ugh;
342 }
343
344 while (next)
345 {
346 ugh = get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next);
347
348 if (ugh != NULL) /* a parsing error has occured */
349 {
350 return ugh;
351 }
352
353 if (first) /* first OID/value pair */
354 {
355 first = FALSE;
356 }
357 else /* separate OID/value pair by a comma */
358 {
359 update_chunk(str, snprintf(str->ptr,str->len,", "));
360 }
361
362 /* print OID */
363 oid_code = asn1_known_oid(oid);
364 if (oid_code == OID_UNKNOWN) /* OID not found in list */
365 {
366 hex_str(oid, str);
367 }
368 else
369 {
370 update_chunk(str, snprintf(str->ptr,str->len,"%s",
371 oid_names[oid_code].name));
372 }
373
374 /* print value */
375 update_chunk(str, snprintf(str->ptr,str->len,"=%.*s",
376 (int)value.len,value.ptr));
377 }
378 return NULL;
379 }
380
381 /**
382 * Count the number of wildcard RDNs in a distinguished name
383 */
384 int dn_count_wildcards(chunk_t dn)
385 {
386 chunk_t rdn, attribute, oid, value;
387 asn1_t type;
388 bool next;
389 int wildcards = 0;
390
391 err_t ugh = init_rdn(dn, &rdn, &attribute, &next);
392
393 if (ugh != NULL) /* a parsing error has occured */
394 {
395 return -1;
396 }
397
398 while (next)
399 {
400 ugh = get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next);
401
402 if (ugh != NULL) /* a parsing error has occured */
403 {
404 return -1;
405 }
406 if (value.len == 1 && *value.ptr == '*')
407 {
408 wildcards++; /* we have found a wildcard RDN */
409 }
410 }
411 return wildcards;
412 }
413
414 /**
415 * Prints a binary string in hexadecimal form
416 */
417 void hex_str(chunk_t bin, chunk_t *str)
418 {
419 u_int i;
420 update_chunk(str, snprintf(str->ptr,str->len,"0x"));
421 for (i=0; i < bin.len; i++)
422 update_chunk(str, snprintf(str->ptr,str->len,"%02X",*bin.ptr++));
423 }
424
425
426 /** Converts a binary DER-encoded ASN.1 distinguished name
427 * into LDAP-style human-readable ASCII format
428 */
429 int dntoa(char *dst, size_t dstlen, chunk_t dn)
430 {
431 err_t ugh = NULL;
432 chunk_t str;
433
434 str.ptr = dst;
435 str.len = dstlen;
436 ugh = dn_parse(dn, &str);
437
438 if (ugh != NULL) /* error, print DN as hex string */
439 {
440 DBG(DBG_PARSING,
441 DBG_log("error in DN parsing: %s", ugh)
442 )
443 str.ptr = dst;
444 str.len = dstlen;
445 hex_str(dn, &str);
446 }
447 return (int)(dstlen - str.len);
448 }
449
450 /**
451 * Same as dntoa but prints a special string for a null dn
452 */
453 int dntoa_or_null(char *dst, size_t dstlen, chunk_t dn, const char* null_dn)
454 {
455 if (dn.ptr == NULL)
456 {
457 return snprintf(dst, dstlen, "%s", null_dn);
458 }
459 else
460 {
461 return dntoa(dst, dstlen, dn);
462 }
463 }
464
465
466 /**
467 * Codes ASN.1 lengths up to a size of 16'777'215 bytes
468 */
469 static void code_asn1_length(size_t length, chunk_t *code)
470 {
471 if (length < 128)
472 {
473 code->ptr[0] = length;
474 code->len = 1;
475 }
476 else if (length < 256)
477 {
478 code->ptr[0] = 0x81;
479 code->ptr[1] = (u_char) length;
480 code->len = 2;
481 }
482 else if (length < 65536)
483 {
484 code->ptr[0] = 0x82;
485 code->ptr[1] = length >> 8;
486 code->ptr[2] = length & 0x00ff;
487 code->len = 3;
488 }
489 else
490 {
491 code->ptr[0] = 0x83;
492 code->ptr[1] = length >> 16;
493 code->ptr[2] = (length >> 8) & 0x00ff;
494 code->ptr[3] = length & 0x0000ff;
495 code->len = 4;
496 }
497 }
498
499 /**
500 * Converts an LDAP-style human-readable ASCII-encoded
501 * ASN.1 distinguished name into binary DER-encoded format
502 */
503 err_t atodn(char *src, chunk_t *dn)
504 {
505 /* finite state machine for atodn */
506
507 typedef enum {
508 SEARCH_OID = 0,
509 READ_OID = 1,
510 SEARCH_NAME = 2,
511 READ_NAME = 3,
512 UNKNOWN_OID = 4
513 } state_t;
514
515 u_char oid_len_buf[3];
516 u_char name_len_buf[3];
517 u_char rdn_seq_len_buf[3];
518 u_char rdn_set_len_buf[3];
519 u_char dn_seq_len_buf[3];
520
521 chunk_t asn1_oid_len = { oid_len_buf, 0 };
522 chunk_t asn1_name_len = { name_len_buf, 0 };
523 chunk_t asn1_rdn_seq_len = { rdn_seq_len_buf, 0 };
524 chunk_t asn1_rdn_set_len = { rdn_set_len_buf, 0 };
525 chunk_t asn1_dn_seq_len = { dn_seq_len_buf, 0 };
526 chunk_t oid = chunk_empty;
527 chunk_t name = chunk_empty;
528
529 int whitespace = 0;
530 int rdn_seq_len = 0;
531 int rdn_set_len = 0;
532 int dn_seq_len = 0;
533 int pos = 0;
534
535 err_t ugh = NULL;
536
537 u_char *dn_ptr = dn->ptr + 4;
538
539 state_t state = SEARCH_OID;
540
541 do
542 {
543 switch (state)
544 {
545 case SEARCH_OID:
546 if (*src != ' ' && *src != '/' && *src != ',')
547 {
548 oid.ptr = src;
549 oid.len = 1;
550 state = READ_OID;
551 }
552 break;
553 case READ_OID:
554 if (*src != ' ' && *src != '=')
555 {
556 oid.len++;
557 }
558 else
559 {
560 for (pos = 0; pos < X501_RDN_ROOF; pos++)
561 {
562 if (strlen(x501rdns[pos].name) == oid.len &&
563 strncasecmp(x501rdns[pos].name, oid.ptr, oid.len) == 0)
564 {
565 break; /* found a valid OID */
566 }
567 }
568 if (pos == X501_RDN_ROOF)
569 {
570 ugh = "unknown OID in distinguished name";
571 state = UNKNOWN_OID;
572 break;
573 }
574 code_asn1_length(x501rdns[pos].oid.len, &asn1_oid_len);
575
576 /* reset oid and change state */
577 oid = chunk_empty;
578 state = SEARCH_NAME;
579 }
580 break;
581 case SEARCH_NAME:
582 if (*src != ' ' && *src != '=')
583 {
584 name.ptr = src;
585 name.len = 1;
586 whitespace = 0;
587 state = READ_NAME;
588 }
589 break;
590 case READ_NAME:
591 if (*src != ',' && *src != '/' && *src != '\0')
592 {
593 name.len++;
594 if (*src == ' ')
595 {
596 whitespace++;
597 }
598 else
599 {
600 whitespace = 0;
601 }
602 }
603 else
604 {
605 name.len -= whitespace;
606 code_asn1_length(name.len, &asn1_name_len);
607
608 /* compute the length of the relative distinguished name sequence */
609 rdn_seq_len = 1 + asn1_oid_len.len + x501rdns[pos].oid.len +
610 1 + asn1_name_len.len + name.len;
611 code_asn1_length(rdn_seq_len, &asn1_rdn_seq_len);
612
613 /* compute the length of the relative distinguished name set */
614 rdn_set_len = 1 + asn1_rdn_seq_len.len + rdn_seq_len;
615 code_asn1_length(rdn_set_len, &asn1_rdn_set_len);
616
617 /* encode the relative distinguished name */
618 *dn_ptr++ = ASN1_SET;
619 chunkcpy(dn_ptr, asn1_rdn_set_len);
620 *dn_ptr++ = ASN1_SEQUENCE;
621 chunkcpy(dn_ptr, asn1_rdn_seq_len);
622 *dn_ptr++ = ASN1_OID;
623 chunkcpy(dn_ptr, asn1_oid_len);
624 chunkcpy(dn_ptr, x501rdns[pos].oid);
625 /* encode the ASN.1 character string type of the name */
626 *dn_ptr++ = (x501rdns[pos].type == ASN1_PRINTABLESTRING
627 && !asn1_is_printablestring(name))? ASN1_T61STRING : x501rdns[pos].type;
628 chunkcpy(dn_ptr, asn1_name_len);
629 chunkcpy(dn_ptr, name);
630
631 /* accumulate the length of the distinguished name sequence */
632 dn_seq_len += 1 + asn1_rdn_set_len.len + rdn_set_len;
633
634 /* reset name and change state */
635 name = chunk_empty;
636 state = SEARCH_OID;
637 }
638 break;
639 case UNKNOWN_OID:
640 break;
641 }
642 } while (*src++ != '\0');
643
644 /* complete the distinguished name sequence*/
645 code_asn1_length(dn_seq_len, &asn1_dn_seq_len);
646 dn->ptr += 3 - asn1_dn_seq_len.len;
647 dn->len = 1 + asn1_dn_seq_len.len + dn_seq_len;
648 dn_ptr = dn->ptr;
649 *dn_ptr++ = ASN1_SEQUENCE;
650 chunkcpy(dn_ptr, asn1_dn_seq_len);
651 return ugh;
652 }
653
654 /**
655 * compare two distinguished names by comparing the individual RDNs
656 */
657 bool same_dn(chunk_t a, chunk_t b)
658 {
659 chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
660 chunk_t oid_a, oid_b, value_a, value_b;
661 asn1_t type_a, type_b;
662 bool next_a, next_b;
663
664 /* same lengths for the DNs */
665 if (a.len != b.len)
666 {
667 return FALSE;
668 }
669
670 /* try a binary comparison first */
671 if (memeq(a.ptr, b.ptr, b.len))
672 {
673 return TRUE;
674 }
675
676 /* initialize DN parsing */
677 if (init_rdn(a, &rdn_a, &attribute_a, &next_a) != NULL
678 || init_rdn(b, &rdn_b, &attribute_b, &next_b) != NULL)
679 {
680 return FALSE;
681 }
682
683 /* fetch next RDN pair */
684 while (next_a && next_b)
685 {
686 /* parse next RDNs and check for errors */
687 if (get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) != NULL
688 || get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b) != NULL)
689 {
690 return FALSE;
691 }
692
693 /* OIDs must agree */
694 if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
695 {
696 return FALSE;
697 }
698
699 /* same lengths for values */
700 if (value_a.len != value_b.len)
701 {
702 return FALSE;
703 }
704
705 /* printableStrings and email RDNs require uppercase comparison */
706 if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
707 (type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_EMAIL_ADDRESS)))
708 {
709 if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
710 {
711 return FALSE;
712 }
713 }
714 else
715 {
716 if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
717 {
718 return FALSE;
719 }
720 }
721 }
722 /* both DNs must have same number of RDNs */
723 if (next_a || next_b)
724 {
725 return FALSE;
726 }
727
728 /* the two DNs are equal! */
729 return TRUE;
730 }
731
732
733 /**
734 * Compare two distinguished names by comparing the individual RDNs.
735 * A single'*' character designates a wildcard RDN in DN b.
736 */
737 bool match_dn(chunk_t a, chunk_t b, int *wildcards)
738 {
739 chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
740 chunk_t oid_a, oid_b, value_a, value_b;
741 asn1_t type_a, type_b;
742 bool next_a, next_b;
743
744 /* initialize wildcard counter */
745 *wildcards = 0;
746
747 /* initialize DN parsing */
748 if (init_rdn(a, &rdn_a, &attribute_a, &next_a) != NULL
749 || init_rdn(b, &rdn_b, &attribute_b, &next_b) != NULL)
750 {
751 return FALSE;
752 }
753
754 /* fetch next RDN pair */
755 while (next_a && next_b)
756 {
757 /* parse next RDNs and check for errors */
758 if (get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) != NULL
759 || get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b) != NULL)
760 {
761 return FALSE;
762 }
763
764 /* OIDs must agree */
765 if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
766 {
767 return FALSE;
768 }
769
770 /* does rdn_b contain a wildcard? */
771 if (value_b.len == 1 && *value_b.ptr == '*')
772 {
773 (*wildcards)++;
774 continue;
775 }
776
777 /* same lengths for values */
778 if (value_a.len != value_b.len)
779 {
780 return FALSE;
781 }
782
783 /* printableStrings and email RDNs require uppercase comparison */
784 if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
785 (type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_EMAIL_ADDRESS)))
786 {
787 if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
788 {
789 return FALSE;
790 }
791 }
792 else
793 {
794 if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
795 {
796 return FALSE;
797 }
798 }
799 }
800
801 /* both DNs must have same number of RDNs */
802 if (next_a || next_b)
803 {
804 return FALSE;
805 }
806
807 /* the two DNs match! */
808 return TRUE;
809 }
810
811 /**
812 * For each link pointing to the certificate increase the count by one
813 */
814 void share_x509cert(x509cert_t *cert)
815 {
816 if (cert != NULL)
817 {
818 cert->count++;
819 }
820 }
821
822 /**
823 * Add a X.509 user/host certificate to the chained list
824 */
825 x509cert_t* add_x509cert(x509cert_t *cert)
826 {
827 certificate_t *certificate = cert->cert;
828 x509cert_t *c = x509certs;
829
830 while (c != NULL)
831 {
832 if (certificate->equals(certificate, c->cert)) /* already in chain, free cert */
833 {
834 free_x509cert(cert);
835 return c;
836 }
837 c = c->next;
838 }
839
840 /* insert new cert at the root of the chain */
841 lock_certs_and_keys("add_x509cert");
842 cert->next = x509certs;
843 x509certs = cert;
844 DBG(DBG_CONTROL | DBG_PARSING,
845 DBG_log(" x509 cert inserted")
846 )
847 unlock_certs_and_keys("add_x509cert");
848 return cert;
849 }
850
851 /**
852 * Choose either subject DN or a subjectAltName as connection end ID
853 */
854 void select_x509cert_id(x509cert_t *cert, struct id *end_id)
855 {
856 certificate_t *certificate = cert->cert;
857 x509_t *x509 = (x509_t*)certificate;
858 identification_t *subjectAltName;
859
860 bool copy_subject_dn = TRUE; /* ID is subject DN */
861
862 if (end_id->kind != ID_ANY) /* check for matching subjectAltName */
863 {
864 enumerator_t *enumerator;
865
866 enumerator = x509->create_subjectAltName_enumerator(x509);
867 while (enumerator->enumerate(enumerator, &subjectAltName))
868 {
869 struct id id = empty_id;
870
871 id_from_identification(&id, subjectAltName);
872 if (same_id(&id, end_id))
873 {
874 copy_subject_dn = FALSE; /* take subjectAltName instead */
875 break;
876 }
877 }
878 enumerator->destroy(enumerator);
879 }
880
881 if (copy_subject_dn)
882 {
883 identification_t *subject = certificate->get_subject(certificate);
884 chunk_t subject_dn = subject->get_encoding(subject);
885
886 if (end_id->kind != ID_ANY && end_id->kind != ID_DER_ASN1_DN)
887 {
888 char buf[BUF_LEN];
889
890 idtoa(end_id, buf, BUF_LEN);
891 plog(" no subjectAltName matches ID '%s', replaced by subject DN", buf);
892 }
893 end_id->kind = ID_DER_ASN1_DN;
894 end_id->name.len = subject_dn.len;
895 end_id->name.ptr = temporary_cyclic_buffer();
896 memcpy(end_id->name.ptr, subject_dn.ptr, subject_dn.len);
897 }
898 }
899
900 /**
901 * Check for equality between two key identifiers
902 */
903 bool same_keyid(chunk_t a, chunk_t b)
904 {
905 if (a.ptr == NULL || b.ptr == NULL)
906 {
907 return FALSE;
908 }
909 return chunk_equals(a, b);
910 }
911
912 /**
913 * Get a X.509 certificate with a given issuer found at a certain position
914 */
915 x509cert_t* get_x509cert(chunk_t issuer, chunk_t keyid, x509cert_t *chain)
916 {
917 x509cert_t *cert = (chain != NULL)? chain->next : x509certs;
918
919 while (cert != NULL)
920 {
921 certificate_t *certificate = cert->cert;
922 x509_t *x509 = (x509_t*)certificate;
923 identification_t *cert_issuer = certificate->get_issuer(certificate);
924 chunk_t cert_issuer_dn = cert_issuer->get_encoding(cert_issuer);
925 chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
926
927 if ((keyid.ptr != NULL) ? same_keyid(keyid, authKeyID)
928 : same_dn(issuer, cert_issuer_dn))
929 {
930 return cert;
931 }
932 cert = cert->next;
933 }
934 return NULL;
935 }
936
937 /**
938 * Free the dynamic memory used to store generalNames
939 */
940 void free_generalNames(generalName_t* gn, bool free_name)
941 {
942 while (gn != NULL)
943 {
944 generalName_t *gn_top = gn;
945 if (free_name)
946 {
947 free(gn->name.ptr);
948 }
949 gn = gn->next;
950 free(gn_top);
951 }
952 }
953
954 /**
955 * Free a X.509 certificate
956 */
957 void free_x509cert(x509cert_t *cert)
958 {
959 if (cert != NULL)
960 {
961 certificate_t *certificate = cert->cert;
962
963 if (certificate)
964 {
965 certificate->destroy(certificate);
966 }
967 free(cert);
968 cert = NULL;
969 }
970 }
971
972 /**
973 * Release of a certificate decreases the count by one
974 * the certificate is freed when the counter reaches zero
975 */
976 void release_x509cert(x509cert_t *cert)
977 {
978 if (cert != NULL && --cert->count == 0)
979 {
980 x509cert_t **pp = &x509certs;
981 while (*pp != cert)
982 {
983 pp = &(*pp)->next;
984 }
985 *pp = cert->next;
986 free_x509cert(cert);
987 }
988 }
989
990 /**
991 * Stores a chained list of end certs and CA certs
992 */
993 void store_x509certs(x509cert_t **firstcert, bool strict)
994 {
995 x509cert_t *cacerts = NULL;
996 x509cert_t **pp = firstcert;
997
998 /* first extract CA certs, discarding root CA certs */
999
1000 while (*pp != NULL)
1001 {
1002 x509cert_t *cert = *pp;
1003 certificate_t *certificate = cert->cert;
1004 x509_t *x509 = (x509_t*)certificate;
1005 x509_flag_t flags = x509->get_flags(x509);
1006
1007 if (flags & X509_CA)
1008 {
1009 *pp = cert->next;
1010
1011 /* we don't accept self-signed CA certs */
1012 if (flags & X509_SELF_SIGNED)
1013 {
1014 plog("self-signed cacert rejected");
1015 free_x509cert(cert);
1016 }
1017 else
1018 {
1019 /* insertion into temporary chain of candidate CA certs */
1020 cert->next = cacerts;
1021 cacerts = cert;
1022 }
1023 }
1024 else
1025 {
1026 pp = &cert->next;
1027 }
1028 }
1029
1030 /* now verify the candidate CA certs */
1031
1032 while (cacerts != NULL)
1033 {
1034 x509cert_t *cert = cacerts;
1035
1036 cacerts = cacerts->next;
1037
1038 if (trust_authcert_candidate(cert, cacerts))
1039 {
1040 add_authcert(cert, X509_CA);
1041 }
1042 else
1043 {
1044 plog("intermediate cacert rejected");
1045 free_x509cert(cert);
1046 }
1047 }
1048
1049 /* now verify the end certificates */
1050
1051 pp = firstcert;
1052
1053 while (*pp != NULL)
1054 {
1055 time_t valid_until;
1056 x509cert_t *cert = *pp;
1057
1058 if (verify_x509cert(cert, strict, &valid_until))
1059 {
1060 DBG(DBG_CONTROL | DBG_PARSING,
1061 DBG_log("public key validated")
1062 )
1063 add_x509_public_key(cert, valid_until, DAL_SIGNED);
1064 }
1065 else
1066 {
1067 plog("X.509 certificate rejected");
1068 }
1069 *pp = cert->next;
1070 free_x509cert(cert);
1071 }
1072 }
1073
1074 /**
1075 * Check if a signature over binary blob is genuine
1076 */
1077 bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm,
1078 certificate_t *issuer_cert)
1079 {
1080 bool success;
1081 public_key_t *key;
1082 signature_scheme_t scheme;
1083
1084 scheme = signature_scheme_from_oid(algorithm);
1085 if (scheme == SIGN_UNKNOWN)
1086 {
1087 return FALSE;
1088 }
1089
1090 key = issuer_cert->get_public_key(issuer_cert);
1091 if (key == NULL)
1092 {
1093 return FALSE;
1094 }
1095 success = key->verify(key, scheme, tbs, sig);
1096 key->destroy(key);
1097
1098 return success;
1099 }
1100
1101 /**
1102 * Build an ASN.1 encoded PKCS#1 signature over a binary blob
1103 */
1104 chunk_t x509_build_signature(chunk_t tbs, int algorithm, private_key_t *key,
1105 bool bit_string)
1106 {
1107 chunk_t signature;
1108 signature_scheme_t scheme = signature_scheme_from_oid(algorithm);
1109
1110 if (scheme == SIGN_UNKNOWN || !key->sign(key, scheme, tbs, &signature))
1111 {
1112 return chunk_empty;
1113 }
1114 return (bit_string) ? asn1_bitstring("m", signature)
1115 : asn1_wrap(ASN1_OCTET_STRING, "m", signature);
1116 }
1117
1118 /**
1119 * Extracts an otherName
1120 */
1121 static bool parse_otherName(chunk_t blob, int level0)
1122 {
1123 asn1_parser_t *parser;
1124 chunk_t object;
1125 int objectID;
1126 int oid = OID_UNKNOWN;
1127 bool success = FALSE;
1128
1129 parser = asn1_parser_create(otherNameObjects, blob);
1130 parser->set_top_level(parser, level0);
1131
1132 while (parser->iterate(parser, &objectID, &object))
1133 {
1134 switch (objectID)
1135 {
1136 case ON_OBJ_ID_TYPE:
1137 oid = asn1_known_oid(object);
1138 break;
1139 case ON_OBJ_VALUE:
1140 if (oid == OID_XMPP_ADDR)
1141 {
1142 if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
1143 parser->get_level(parser) + 1, "xmppAddr"))
1144 {
1145 goto end;
1146 }
1147 }
1148 break;
1149 default:
1150 break;
1151 }
1152 }
1153 success = parser->success(parser);
1154
1155 end:
1156 parser->destroy(parser);
1157 return success;
1158 }
1159
1160
1161 /**
1162 * Extracts a generalName
1163 */
1164 static generalName_t* parse_generalName(chunk_t blob, int level0)
1165 {
1166 u_char buf[BUF_LEN];
1167 asn1_parser_t *parser;
1168 chunk_t object;
1169 generalName_t *gn = NULL;
1170 int objectID;
1171
1172 parser = asn1_parser_create(generalNameObjects, blob);
1173 parser->set_top_level(parser, level0);
1174
1175 while (parser->iterate(parser, &objectID, &object))
1176 {
1177 bool valid_gn = FALSE;
1178
1179 switch (objectID) {
1180 case GN_OBJ_RFC822_NAME:
1181 case GN_OBJ_DNS_NAME:
1182 case GN_OBJ_URI:
1183 DBG(DBG_PARSING,
1184 DBG_log(" '%.*s'", (int)object.len, object.ptr);
1185 )
1186 valid_gn = TRUE;
1187 break;
1188 case GN_OBJ_DIRECTORY_NAME:
1189 DBG(DBG_PARSING,
1190 dntoa(buf, BUF_LEN, object);
1191 DBG_log(" '%s'", buf)
1192 )
1193 valid_gn = TRUE;
1194 break;
1195 case GN_OBJ_IP_ADDRESS:
1196 DBG(DBG_PARSING,
1197 DBG_log(" '%d.%d.%d.%d'", *object.ptr, *(object.ptr+1),
1198 *(object.ptr+2), *(object.ptr+3));
1199 )
1200 valid_gn = TRUE;
1201 break;
1202 case GN_OBJ_OTHER_NAME:
1203 if (!parse_otherName(object, parser->get_level(parser)+1))
1204 {
1205 goto end;
1206 }
1207 break;
1208 case GN_OBJ_X400_ADDRESS:
1209 case GN_OBJ_EDI_PARTY_NAME:
1210 case GN_OBJ_REGISTERED_ID:
1211 break;
1212 default:
1213 break;
1214 }
1215
1216 if (valid_gn)
1217 {
1218 gn = malloc_thing(generalName_t);
1219 gn->kind = (objectID - GN_OBJ_OTHER_NAME) / 2;
1220 gn->name = object;
1221 gn->next = NULL;
1222 goto end;
1223 }
1224 }
1225
1226 end:
1227 parser->destroy(parser);
1228 return gn;
1229 }
1230
1231 /**
1232 * Extracts one or several GNs and puts them into a chained list
1233 */
1234 static generalName_t* parse_generalNames(chunk_t blob, int level0, bool implicit)
1235 {
1236 asn1_parser_t *parser;
1237 chunk_t object;
1238 int objectID;
1239 generalName_t *top_gn = NULL;
1240
1241 parser = asn1_parser_create(generalNamesObjects, blob);
1242 parser->set_top_level(parser, level0);
1243 parser->set_flags(parser, implicit, FALSE);
1244
1245 while (parser->iterate(parser, &objectID, &object))
1246 {
1247 if (objectID == GENERAL_NAMES_GN)
1248 {
1249 generalName_t *gn = parse_generalName(object,
1250 parser->get_level(parser)+1);
1251 if (gn)
1252 {
1253 gn->next = top_gn;
1254 top_gn = gn;
1255 }
1256 }
1257 }
1258 parser->destroy(parser);
1259
1260 return top_gn;
1261 }
1262
1263 /**
1264 * Returns a directoryName
1265 */
1266 chunk_t get_directoryName(chunk_t blob, int level, bool implicit)
1267 {
1268 chunk_t name = chunk_empty;
1269 generalName_t * gn = parse_generalNames(blob, level, implicit);
1270
1271 if (gn != NULL && gn->kind == GN_DIRECTORY_NAME)
1272 {
1273 name= gn->name;
1274 }
1275 free_generalNames(gn, FALSE);
1276 return name;
1277 }
1278
1279 /**
1280 * Extracts an authoritykeyIdentifier
1281 */
1282 void parse_authorityKeyIdentifier(chunk_t blob, int level0,
1283 chunk_t *authKeyID,
1284 chunk_t *authKeySerialNumber)
1285 {
1286 asn1_parser_t *parser;
1287 chunk_t object;
1288 int objectID;
1289
1290 parser = asn1_parser_create(authKeyIdentifierObjects, blob);
1291 parser->set_top_level(parser, level0);
1292
1293 while (parser->iterate(parser, &objectID, &object))
1294 {
1295 switch (objectID)
1296 {
1297 case AUTH_KEY_ID_KEY_ID:
1298 *authKeyID = object;
1299 break;
1300 case AUTH_KEY_ID_CERT_ISSUER:
1301 {
1302 generalName_t * gn = parse_generalNames(object,
1303 parser->get_level(parser) + 1, TRUE);
1304
1305 free_generalNames(gn, FALSE);
1306 }
1307 break;
1308 case AUTH_KEY_ID_CERT_SERIAL:
1309 *authKeySerialNumber = object;
1310 break;
1311 default:
1312 break;
1313 }
1314 }
1315 parser->destroy(parser);
1316 }
1317
1318 /**
1319 * Verify the validity of a certificate by
1320 * checking the notBefore and notAfter dates
1321 */
1322 err_t check_validity(const x509cert_t *cert, time_t *until)
1323 {
1324 time_t current_time, notBefore, notAfter;
1325 certificate_t *certificate = cert->cert;
1326
1327 time(&current_time);
1328 certificate->get_validity(certificate, &current_time, &notBefore, &notAfter);
1329 DBG(DBG_CONTROL | DBG_PARSING ,
1330 DBG_log(" not before : %T", &notBefore, TRUE);
1331 DBG_log(" current time: %T", &current_time, TRUE);
1332 DBG_log(" not after : %T", &notAfter, TRUE);
1333 )
1334
1335 if (*until == 0 || notAfter < *until)
1336 {
1337 *until = notAfter;
1338 }
1339 if (current_time < notBefore)
1340 {
1341 return "certificate is not valid yet";
1342 }
1343 if (current_time > notAfter)
1344 {
1345 return "certificate has expired";
1346 }
1347 else
1348 {
1349 return NULL;
1350 }
1351 }
1352
1353 /**
1354 * Verifies a X.509 certificate
1355 */
1356 bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
1357 {
1358 int pathlen;
1359
1360 *until = 0;
1361
1362 for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
1363 {
1364 certificate_t *certificate = cert->cert;
1365 identification_t *subject = certificate->get_subject(certificate);
1366 identification_t *issuer = certificate->get_issuer(certificate);
1367 x509_t *x509 = (x509_t*)certificate;
1368 chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
1369 x509cert_t *issuer_cert;
1370 err_t ugh = NULL;
1371
1372 DBG(DBG_CONTROL,
1373 DBG_log("subject: '%Y'", subject);
1374 DBG_log("issuer: '%Y'", issuer);
1375 if (authKeyID.ptr != NULL)
1376 {
1377 DBG_log("authkey: %#B", &authKeyID);
1378 }
1379 )
1380
1381 ugh = check_validity(cert, until);
1382
1383 if (ugh != NULL)
1384 {
1385 plog("%s", ugh);
1386 return FALSE;
1387 }
1388
1389 DBG(DBG_CONTROL,
1390 DBG_log("certificate is valid")
1391 )
1392
1393 lock_authcert_list("verify_x509cert");
1394 issuer_cert = get_authcert(issuer->get_encoding(issuer),
1395 authKeyID, X509_CA);
1396 if (issuer_cert == NULL)
1397 {
1398 plog("issuer cacert not found");
1399 unlock_authcert_list("verify_x509cert");
1400 return FALSE;
1401 }
1402 DBG(DBG_CONTROL,
1403 DBG_log("issuer cacert found")
1404 )
1405
1406 if (!certificate->issued_by(certificate, issuer_cert->cert))
1407 {
1408 plog("certificate signature is invalid");
1409 unlock_authcert_list("verify_x509cert");
1410 return FALSE;
1411 }
1412 DBG(DBG_CONTROL,
1413 DBG_log("certificate signature is valid")
1414 )
1415 unlock_authcert_list("verify_x509cert");
1416
1417 /* check if cert is a self-signed root ca */
1418 if (pathlen > 0 && (x509->get_flags(x509) & X509_SELF_SIGNED))
1419 {
1420 DBG(DBG_CONTROL,
1421 DBG_log("reached self-signed root ca")
1422 )
1423 return TRUE;
1424 }
1425 else
1426 {
1427 time_t nextUpdate = *until;
1428 time_t revocationDate = UNDEFINED_TIME;
1429 crl_reason_t revocationReason = CRL_REASON_UNSPECIFIED;
1430
1431 /* first check certificate revocation using ocsp */
1432 cert_status_t status = verify_by_ocsp(cert, &nextUpdate
1433 , &revocationDate, &revocationReason);
1434
1435 /* if ocsp service is not available then fall back to crl */
1436 if ((status == CERT_UNDEFINED)
1437 || (status == CERT_UNKNOWN && strict))
1438 {
1439 status = verify_by_crl(cert, &nextUpdate, &revocationDate
1440 , &revocationReason);
1441 }
1442
1443 switch (status)
1444 {
1445 case CERT_GOOD:
1446 /* if status information is stale */
1447 if (strict && nextUpdate < time(NULL))
1448 {
1449 DBG(DBG_CONTROL,
1450 DBG_log("certificate is good but status is stale")
1451 )
1452 remove_x509_public_key(cert);
1453 return FALSE;
1454 }
1455 DBG(DBG_CONTROL,
1456 DBG_log("certificate is good")
1457 )
1458
1459 /* with strict crl policy the public key must have the same
1460 * lifetime as the validity of the ocsp status or crl lifetime
1461 */
1462 if (strict && nextUpdate < *until)
1463 {
1464 *until = nextUpdate;
1465 }
1466 break;
1467 case CERT_REVOKED:
1468 plog("certificate was revoked on %T, reason: %N"
1469 , &revocationDate, TRUE
1470 , crl_reason_names, revocationReason);
1471 remove_x509_public_key(cert);
1472 return FALSE;
1473 case CERT_UNKNOWN:
1474 case CERT_UNDEFINED:
1475 default:
1476 plog("certificate status unknown");
1477 if (strict)
1478 {
1479 remove_x509_public_key(cert);
1480 return FALSE;
1481 }
1482 break;
1483 }
1484 }
1485
1486 /* go up one step in the trust chain */
1487 cert = issuer_cert;
1488 }
1489 plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
1490 return FALSE;
1491 }
1492
1493 /**
1494 * List all X.509 certs in a chained list
1495 */
1496 void list_x509cert_chain(const char *caption, x509cert_t* cert,
1497 x509_flag_t flags, bool utc)
1498 {
1499 bool first = TRUE;
1500 time_t now;
1501
1502 /* determine the current time */
1503 time(&now);
1504
1505 while (cert != NULL)
1506 {
1507 certificate_t *certificate = cert->cert;
1508 x509_t *x509 = (x509_t*)certificate;
1509
1510 if (flags == X509_NONE || (flags & x509->get_flags(x509)))
1511 {
1512 time_t notBefore, notAfter;
1513 public_key_t *key;
1514 chunk_t serial, keyid, subjkey, authkey;
1515 cert_t c;
1516
1517 c.type = CERT_X509_SIGNATURE;
1518 c.u.x509 = cert;
1519
1520 if (first)
1521 {
1522 whack_log(RC_COMMENT, " ");
1523 whack_log(RC_COMMENT, "List of X.509 %s Certificates:", caption);
1524 whack_log(RC_COMMENT, " ");
1525 first = FALSE;
1526 }
1527
1528 whack_log(RC_COMMENT, "%T, count: %d", &cert->installed, utc,
1529 cert->count);
1530 whack_log(RC_COMMENT, " subject: '%Y'",
1531 certificate->get_subject(certificate));
1532 whack_log(RC_COMMENT, " issuer: '%Y'",
1533 certificate->get_issuer(certificate));
1534 serial = x509->get_serial(x509);
1535 whack_log(RC_COMMENT, " serial: %#B", &serial);
1536
1537 /* list validity */
1538 certificate->get_validity(certificate, &now, &notBefore, &notAfter);
1539 whack_log(RC_COMMENT, " validity: not before %T %s",
1540 &notBefore, utc,
1541 (notBefore < now)?"ok":"fatal (not valid yet)");
1542 whack_log(RC_COMMENT, " not after %T %s",
1543 &notAfter, utc,
1544 check_expiry(notAfter, CA_CERT_WARNING_INTERVAL, TRUE));
1545
1546 key = certificate->get_public_key(certificate);
1547 if (key);
1548 {
1549 whack_log(RC_COMMENT, " pubkey: %N %4d bits%s",
1550 key_type_names, key->get_type(key),
1551 key->get_keysize(key) * BITS_PER_BYTE,
1552 cert->smartcard ? ", on smartcard" :
1553 (has_private_key(c)? ", has private key" : ""));
1554
1555 if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
1556 {
1557 whack_log(RC_COMMENT, " keyid: %#B", &keyid);
1558 }
1559 if (key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &subjkey))
1560 {
1561 whack_log(RC_COMMENT, " subjkey: %#B", &subjkey);
1562 }
1563 key->destroy(key);
1564 }
1565
1566 /* list optional authorityKeyIdentifier */
1567 authkey = x509->get_authKeyIdentifier(x509);
1568 if (authkey.ptr)
1569 {
1570 whack_log(RC_COMMENT, " authkey: %#B", &authkey);
1571 }
1572 }
1573 cert = cert->next;
1574 }
1575 }
1576
1577 /**
1578 * List all X.509 end certificates in a chained list
1579 */
1580 void list_x509_end_certs(bool utc)
1581 {
1582 list_x509cert_chain("End", x509certs, X509_NONE, utc);
1583 }