removed TODO reminder
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_cert.c
index 9cdd7ff..b8df5ad 100644 (file)
@@ -16,8 +16,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #define _GNU_SOURCE
@@ -35,8 +33,8 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <asn1/pem.h>
 #include <crypto/hashers/hasher.h>
+#include <credentials/keys/private_key.h>
 #include <utils/linked_list.h>
 #include <utils/identification.h>
 
@@ -66,7 +64,7 @@ struct private_x509_cert_t {
         * Public interface for this certificate.
         */
        x509_cert_t public;
-
+       
        /**
         * X.509 certificate encoding in ASN.1 DER format
         */
@@ -76,7 +74,7 @@ struct private_x509_cert_t {
         * SHA1 hash of the DER encoding of this X.509 certificate
         */
        chunk_t encoding_hash;
-
+       
        /**
         * X.509 certificate body over which signature is computed
         */
@@ -96,17 +94,17 @@ struct private_x509_cert_t {
         * ID representing the certificate issuer
         */
        identification_t *issuer;
-
+       
        /**
         * Start time of certificate validity
         */
        time_t notBefore;
-
+       
        /**
         * End time of certificate validity
         */
        time_t notAfter;
-
+       
        /**
         * ID representing the certificate subject
         */
@@ -121,12 +119,12 @@ struct private_x509_cert_t {
         * List of crlDistributionPoints as allocated char*
         */
        linked_list_t *crl_uris;
-
+       
        /**
         * List ocspAccessLocations as identification_t
         */
        linked_list_t *ocsp_uris;
-
+       
        /**
         * certificates embedded public key
         */
@@ -136,12 +134,12 @@ struct private_x509_cert_t {
         * Subject Key Identifier
         */
        chunk_t subjectKeyID;
-
+       
        /**
         * Authority Key Identifier
         */
-       identification_t *authKeyIdentifier;
-
+       chunk_t authKeyIdentifier;
+       
        /**
         * Authority Key Serial Number
         */
@@ -151,18 +149,23 @@ struct private_x509_cert_t {
         * x509 constraints and other flags
         */
        x509_flag_t flags;
-
+       
        /**
         * Signature algorithm
         */
        int algorithm;
-
+       
        /**
         * Signature
         */
        chunk_t signature;
        
        /**
+        * Certificate parsed from blob/file?
+        */
+       bool parsed;
+       
+       /**
         * reference count
         */
        refcount_t ref;
@@ -258,7 +261,7 @@ static bool parse_otherName(chunk_t blob, int level0)
                }
        }
        success = parser->success(parser);
-
+       
 end:
        parser->destroy(parser);
        return success;
@@ -306,16 +309,16 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
        asn1_parser_t *parser;
        chunk_t object;
        int objectID ;
-
+       
        identification_t *gn = NULL;
-
+       
        parser = asn1_parser_create(generalNameObjects, blob);
        parser->set_top_level(parser, level0);
-
+       
        while (parser->iterate(parser, &objectID, &object))
        {
                id_type_t id_type = ID_ANY;
-       
+               
                switch (objectID)
                {
                        case GN_OBJ_RFC822_NAME:
@@ -329,7 +332,7 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
                                break;
                        case GN_OBJ_DIRECTORY_NAME:
                                id_type = ID_DER_ASN1_DN;
-                       break;
+                               break;
                        case GN_OBJ_IP_ADDRESS:
                                id_type = ID_IPV4_ADDR;
                                break;
@@ -348,14 +351,14 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
                if (id_type != ID_ANY)
                {
                        gn = identification_create_from_encoding(id_type, object);
-                       DBG2("  '%D'", gn);
+                       DBG2("  '%Y'", gn);
                        goto end;
-        }
-   }
-
+               }
+       }
+       
 end:
        parser->destroy(parser);
-    return gn;
+       return gn;
 }
 
 /**
@@ -377,18 +380,18 @@ void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_lis
        asn1_parser_t *parser;
        chunk_t object;
        int objectID;
-
+       
        parser = asn1_parser_create(generalNamesObjects, blob);
        parser->set_top_level(parser, level0);
        parser->set_flags(parser, implicit, FALSE);
-
+       
        while (parser->iterate(parser, &objectID, &object))
        {
                if (objectID == GENERAL_NAMES_GN)
                {
                        identification_t *gn = parse_generalName(object,
                                                                                        parser->get_level(parser)+1);
-
+                       
                        if (gn)
                        {
                                list->insert_last(list, (void *)gn);
@@ -418,26 +421,25 @@ static const asn1Object_t authKeyIdentifierObjects[] = {
 /**
  * Extracts an authoritykeyIdentifier
  */
-identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
+chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
                                                                                                chunk_t *authKeySerialNumber)
 {
        asn1_parser_t *parser;
        chunk_t object;
        int objectID;
-       identification_t *authKeyIdentifier = NULL;
-
+       chunk_t authKeyIdentifier = chunk_empty;
+       
        *authKeySerialNumber = chunk_empty;
-
+       
        parser = asn1_parser_create(authKeyIdentifierObjects, blob);
        parser->set_top_level(parser, level0);
-
+       
        while (parser->iterate(parser, &objectID, &object))
        {
                switch (objectID) 
                {
                        case AUTH_KEY_ID_KEY_ID:
-                               authKeyIdentifier = identification_create_from_encoding(
-                                                                                               ID_PUBKEY_SHA1, object); 
+                               authKeyIdentifier = chunk_clone(object);
                                break;
                        case AUTH_KEY_ID_CERT_ISSUER:
                                /* TODO: x509_parse_generalNames(object, level+1, TRUE); */
@@ -480,7 +482,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
        
        parser = asn1_parser_create(authInfoAccessObjects, blob);
        parser->set_top_level(parser, level0);
-
+       
        while (parser->iterate(parser, &objectID, &object))
        {
                switch (objectID) 
@@ -497,7 +499,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
                                                {
                                                        identification_t *id;
                                                        char *uri;
-
+                                                       
                                                        id = parse_generalName(object,
                                                                                        parser->get_level(parser)+1);
                                                        if (id == NULL)
@@ -505,9 +507,9 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
                                                                /* parsing went wrong - abort */
                                                                goto end;
                                                        }
-                                                       DBG2("  '%D'", id);
+                                                       DBG2("  '%Y'", id);
                                                        if (accessMethod == OID_OCSP &&
-                                                               asprintf(&uri, "%D", id) > 0)
+                                                               asprintf(&uri, "%Y", id) > 0)
                                                        {
                                                                this->ocsp_uris->insert_last(this->ocsp_uris, uri);
                                                        }
@@ -524,7 +526,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
                                break;
                }
        }
-
+       
 end:
        parser->destroy(parser);
 }
@@ -552,7 +554,7 @@ static bool parse_extendedKeyUsage(chunk_t blob, int level0)
        
        parser = asn1_parser_create(extendedKeyUsageObjects, blob);
        parser->set_top_level(parser, level0);
-
+       
        while (parser->iterate(parser, &objectID, &object))
        {
                if (objectID == EXT_KEY_USAGE_PURPOSE_ID && 
@@ -599,13 +601,13 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0,
        
        parser = asn1_parser_create(crlDistributionPointsObjects, blob);
        parser->set_top_level(parser, level0);
-
+       
        while (parser->iterate(parser, &objectID, &object))
        {
                if (objectID == CRL_DIST_POINTS_FULLNAME)
                {
                        identification_t *id;
-
+                       
                        /* append extracted generalNames to existing chained list */
                        x509_parse_generalNames(object, parser->get_level(parser)+1,
                                                                        TRUE, list);
@@ -613,8 +615,8 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0,
                        while (list->remove_last(list, (void**)&id) == SUCCESS)
                        {
                                char *uri;
-
-                               if (asprintf(&uri, "%D", id) > 0)
+                               
+                               if (asprintf(&uri, "%Y", id) > 0)
                                {
                                        this->crl_uris->insert_last(this->crl_uris, uri);
                                }
@@ -687,11 +689,11 @@ static bool parse_certificate(private_x509_cert_t *this)
        bool critical;
        
        parser = asn1_parser_create(certObjects, this->encoding);
-
+       
        while (parser->iterate(parser, &objectID, &object))
        {
                u_int level = parser->get_level(parser)+1;
-
+               
                switch (objectID)
                {
                        case X509_OBJ_TBS_CERTIFICATE:
@@ -709,7 +711,7 @@ static bool parse_certificate(private_x509_cert_t *this)
                                break;
                        case X509_OBJ_ISSUER:
                                this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
-                               DBG2("  '%D'", this->issuer);
+                               DBG2("  '%Y'", this->issuer);
                                break;
                        case X509_OBJ_NOT_BEFORE:
                                this->notBefore = asn1_parse_time(object, level);
@@ -719,14 +721,13 @@ static bool parse_certificate(private_x509_cert_t *this)
                                break;
                        case X509_OBJ_SUBJECT:
                                this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
-                               DBG2("  '%D'", this->subject);
+                               DBG2("  '%Y'", this->subject);
                                break;
                        case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
                                this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
                                                KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
                                if (this->public_key == NULL)
                                {
-                                       DBG1("could not create public key");
                                        goto end;
                                }
                                break;
@@ -806,7 +807,7 @@ static bool parse_certificate(private_x509_cert_t *this)
                }
        }
        success = parser->success(parser);
-
+       
 end:
        parser->destroy(parser);
        return success;
@@ -845,12 +846,14 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
        enumerator_t *enumerator;
        id_match_t match, best;
        
-       if (this->encoding_hash.ptr && subject->get_type(subject) == ID_CERT_DER_SHA1 &&
-               chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
+       if (this->encoding_hash.ptr && subject->get_type(subject) == ID_KEY_ID)
        {
-               return ID_MATCH_PERFECT;
+               if (chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
+               {
+                       return ID_MATCH_PERFECT;
+               }
        }
-
+       
        best = this->subject->matches(this->subject, subject);
        enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
        while (enumerator->enumerate(enumerator, &current))
@@ -858,11 +861,11 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
                match = current->matches(current, subject);
                if (match > best)
                {
-                       best = match;   
+                       best = match;
                }
        }
        enumerator->destroy(enumerator);
-       return best;    
+       return best;
 }
 
 /**
@@ -906,32 +909,14 @@ static bool issued_by(private_x509_cert_t *this, certificate_t *issuer)
        {
                return FALSE;
        }
-       /* TODO: generic OID to scheme mapper? */
-       switch (this->algorithm)
-       {
-               case OID_MD5_WITH_RSA:
-                       scheme = SIGN_RSA_EMSA_PKCS1_MD5;
-                       break;
-               case OID_SHA1_WITH_RSA:
-                       scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
-                       break;
-               case OID_SHA256_WITH_RSA:
-                       scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
-                       break;
-               case OID_SHA384_WITH_RSA:
-                       scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
-                       break;
-               case OID_SHA512_WITH_RSA:
-                       scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
-                       break;
-               case OID_ECDSA_WITH_SHA1:
-                       scheme = SIGN_ECDSA_WITH_SHA1;
-                       break;
-               default:
-                       return FALSE;
-       }
+
+       /* get the public key of the issuer */
        key = issuer->get_public_key(issuer);
-       if (key == NULL)
+
+       /* determine signature scheme */
+       scheme = signature_scheme_from_oid(this->algorithm);
+
+       if (scheme == SIGN_UNKNOWN || key == NULL)
        {
                return FALSE;
        }
@@ -1001,11 +986,11 @@ static bool is_newer(certificate_t *this, certificate_t *that)
 {
        time_t this_update, that_update, now = time(NULL);
        bool new;
-
+       
        this->get_validity(this, &now, &this_update, NULL);
        that->get_validity(that, &now, &that_update, NULL);
        new = this_update > that_update;
-       DBG1("  certificate from %#T is %s - existing certificate from %#T %s",
+       DBG1("  certificate from %T is %s - existing certificate from %T %s",
                                &this_update, FALSE, new ? "newer":"not newer",
                                &that_update, FALSE, new ? "replaced":"retained");
        return new;
@@ -1026,7 +1011,7 @@ static bool equals(private_x509_cert_t *this, certificate_t *other)
 {
        chunk_t encoding;
        bool equal;
-
+       
        if (this == (private_x509_cert_t*)other)
        {
                return TRUE;
@@ -1056,7 +1041,7 @@ static chunk_t get_serial(private_x509_cert_t *this)
 /**
  * Implementation of x509_t.get_authKeyIdentifier.
  */
-static identification_t *get_authKeyIdentifier(private_x509_cert_t *this)
+static chunk_t get_authKeyIdentifier(private_x509_cert_t *this)
 {
        return this->authKeyIdentifier;
 }
@@ -1099,9 +1084,15 @@ static void destroy(private_x509_cert_t *this)
                DESTROY_IF(this->issuer);
                DESTROY_IF(this->subject);
                DESTROY_IF(this->public_key);
-               DESTROY_IF(this->authKeyIdentifier);
+               chunk_free(&this->authKeyIdentifier);
                chunk_free(&this->encoding);
                chunk_free(&this->encoding_hash);
+               if (!this->parsed)
+               {       /* only parsed certificates point these fields to "encoded" */
+                       chunk_free(&this->signature);
+                       chunk_free(&this->serialNumber);
+                       chunk_free(&this->tbsCertificate);
+               }
                free(this);
        }
 }
@@ -1113,28 +1104,33 @@ static private_x509_cert_t* create_empty(void)
 {
        private_x509_cert_t *this = malloc_thing(private_x509_cert_t);
        
-       this->public.interface.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
-       this->public.interface.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
-       this->public.interface.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
-       this->public.interface.interface.has_subject = (id_match_t (*)(certificate_t*, identification_t *subject))has_subject;
-       this->public.interface.interface.has_issuer = (id_match_t (*)(certificate_t*, identification_t *issuer))has_issuer;
-       this->public.interface.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
-       this->public.interface.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
-       this->public.interface.interface.get_validity = (bool (*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
-       this->public.interface.interface.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer;
-       this->public.interface.interface.get_encoding = (chunk_t (*)(certificate_t*))get_encoding;
-       this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t *other))equals;
-       this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
-       this->public.interface.interface.destroy = (void (*)(certificate_t *this))destroy;
+       this->public.interface.interface.get_type = (certificate_type_t (*) (certificate_t*))get_type;
+       this->public.interface.interface.get_subject = (identification_t* (*) (certificate_t*))get_subject;
+       this->public.interface.interface.get_issuer = (identification_t* (*) (certificate_t*))get_issuer;
+       this->public.interface.interface.has_subject = (id_match_t (*) (certificate_t*, identification_t*))has_subject;
+       this->public.interface.interface.has_issuer = (id_match_t (*) (certificate_t*, identification_t*))has_issuer;
+       this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by;
+       this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key;
+       this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity;
+       this->public.interface.interface.is_newer = (bool (*) (certificate_t*,certificate_t*))is_newer;
+       this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding;
+       this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals;
+       this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref;
+       this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
        this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags;
        this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial;
-       this->public.interface.get_authKeyIdentifier = (identification_t* (*)(x509_t*))get_authKeyIdentifier;
+       this->public.interface.get_authKeyIdentifier = (chunk_t (*)(x509_t*))get_authKeyIdentifier;
        this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator;
        this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator;
        this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator;
-
+       
        this->encoding = chunk_empty;
        this->encoding_hash = chunk_empty;
+       this->tbsCertificate = chunk_empty;
+       this->version = 3;
+       this->serialNumber = chunk_empty;       
+       this->notBefore = 0;
+       this->notAfter = 0;
        this->public_key = NULL;
        this->subject = NULL;
        this->issuer = NULL;
@@ -1142,11 +1138,14 @@ static private_x509_cert_t* create_empty(void)
        this->crl_uris = linked_list_create();
        this->ocsp_uris = linked_list_create();
        this->subjectKeyID = chunk_empty;
-       this->authKeyIdentifier = NULL;
+       this->authKeyIdentifier = chunk_empty;
        this->authKeySerialNumber = chunk_empty;
+       this->algorithm = 0;
+       this->signature = chunk_empty;
        this->flags = 0;
        this->ref = 1;
-
+       this->parsed = FALSE;
+       
        return this;
 }
 
@@ -1155,61 +1154,36 @@ static private_x509_cert_t* create_empty(void)
  */
 static private_x509_cert_t *create_from_chunk(chunk_t chunk)
 {
+       hasher_t *hasher;
        private_x509_cert_t *this = create_empty();
-
+       
        this->encoding = chunk;
+       this->parsed = TRUE;
        if (!parse_certificate(this))
        {
                destroy(this);
                return NULL;
        }
-
+       
        /* check if the certificate is self-signed */
        if (issued_by(this, &this->public.interface.interface))
        {
                this->flags |= X509_SELF_SIGNED;
        }
        
-       hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-       if (hasher != NULL)
-       {
-               hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
-               hasher->destroy(hasher);
-       }
-       else
+       hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+       if (hasher == NULL)
        {
-               DBG1("  unable to create hash of certificate, SHA1 not supported");             
+               DBG1("  unable to create hash of certificate, SHA1 not supported");     
+               destroy(this);
+               return NULL;    
        }
+       hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
+       hasher->destroy(hasher);
        
        return this;
 }
 
-/**
- * create an X.509 certificate from a file
- */
-static private_x509_cert_t *create_from_file(char *path)
-{
-       bool pgp = FALSE;
-       chunk_t chunk;
-       private_x509_cert_t *this;
-       
-       if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
-       {
-               return NULL;
-       }
-
-       this = create_from_chunk(chunk);
-
-       if (this == NULL)
-       {
-               DBG1("  could not parse loaded certificate file '%s'",path);
-               return NULL;
-       }
-       DBG1("  loaded certificate file '%s'",  path);
-       return this;
-
-}
-
 typedef struct private_builder_t private_builder_t;
 /**
  * Builder implementation for certificate loading
@@ -1221,28 +1195,169 @@ struct private_builder_t {
        private_x509_cert_t *cert;
        /** additional flags to enforce */
        x509_flag_t flags;
+       /** certificate to sign, if we generate a new cert */
+       certificate_t *sign_cert;
+       /** private key to sign, if we generate a new cert */
+       private_key_t *sign_key;
+       /** digest algorithm to be used for signature */
+       hash_algorithm_t digest_alg;
 };
 
 /**
- * Implementation of builder_t.build
+ * Generate and sign a new certificate
  */
-static private_x509_cert_t *build(private_builder_t *this)
+static bool generate(private_builder_t *this)
 {
-       private_x509_cert_t *cert = this->cert;
-       x509_flag_t flags = this->flags;
+       chunk_t extensions = chunk_empty;
+       identification_t *issuer, *subject;
+       chunk_t key_info;
+       signature_scheme_t scheme;
+       hasher_t *hasher;
+       
+       subject = this->cert->subject;
+       if (this->sign_cert)
+       {
+               issuer = this->sign_cert->get_subject(this->sign_cert);
+               if (!this->cert->public_key)
+               {
+                       return FALSE;
+               }
+       }
+       else
+       {       /* self signed */
+               issuer = subject;
+               if (!this->cert->public_key)
+               {
+                       this->cert->public_key = this->sign_key->get_public_key(this->sign_key);
+               }
+               this->flags |= X509_SELF_SIGNED;
+       }
+       this->cert->issuer = issuer->clone(issuer);
+       if (!this->cert->notBefore)
+       {
+               this->cert->notBefore = time(NULL);
+       }
+       if (!this->cert->notAfter)
+       {       /* defaults to 1 year from now */
+               this->cert->notAfter = this->cert->notBefore + 60 * 60 * 24 * 365;
+       }
+       this->cert->flags = this->flags;
+       
+       switch (this->sign_key->get_type(this->sign_key))
+       {
+               case KEY_RSA:
+                       switch (this->digest_alg)
+                       {
+                               case HASH_MD5:
+                                       this->cert->algorithm = OID_MD5_WITH_RSA;
+                                       break;
+                               case HASH_SHA1:
+                                       this->cert->algorithm = OID_SHA1_WITH_RSA;
+                                       break;
+                               case HASH_SHA224:
+                                       this->cert->algorithm = OID_SHA224_WITH_RSA;
+                                       break;
+                               case HASH_SHA256:
+                                       this->cert->algorithm = OID_SHA256_WITH_RSA;
+                                       break;
+                               case HASH_SHA384:
+                                       this->cert->algorithm = OID_SHA384_WITH_RSA;
+                                       break;
+                               case HASH_SHA512:
+                                       this->cert->algorithm = OID_SHA512_WITH_RSA;
+                                       break;
+                               default:
+                                       return FALSE;
+                       }
+                       break;
+               case KEY_ECDSA:
+                       switch (this->digest_alg)
+                       {
+                               case HASH_SHA1:
+                                       this->cert->algorithm = OID_ECDSA_WITH_SHA1;
+                                       break;
+                               case HASH_SHA256:
+                                       this->cert->algorithm = OID_ECDSA_WITH_SHA256;
+                                       break;
+                               case HASH_SHA384:
+                                       this->cert->algorithm = OID_ECDSA_WITH_SHA384;
+                                       break;
+                               case HASH_SHA512:
+                                       this->cert->algorithm = OID_ECDSA_WITH_SHA512;
+                                       break;
+                               default:
+                                       return FALSE;
+                       }
+                       break;
+               default:
+                       return FALSE;
+       }
+       scheme = signature_scheme_from_oid(this->cert->algorithm);
 
-       free(this);
-       if (cert == NULL)
+       if (!this->cert->public_key->get_encoding(this->cert->public_key,
+                                                                                         KEY_PUB_SPKI_ASN1_DER, &key_info))
        {
-               return NULL;
+               return FALSE;
        }
-       if ((flags & X509_CA) && !(cert->flags & X509_CA))
+       if (this->cert->subjectAltNames->get_count(this->cert->subjectAltNames))
        {
-               DBG1("  ca certificate must have ca basic constraint set, discarded");
-               destroy(cert);
-               return NULL;
+               /* TODO: encode subjectAltNames */
        }
-       cert->flags |= flags;
+       
+       this->cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm", 
+               asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
+               asn1_integer("c", this->cert->serialNumber),
+               asn1_algorithmIdentifier(this->cert->algorithm),
+               issuer->get_encoding(issuer),
+               asn1_wrap(ASN1_SEQUENCE, "mm",
+                       asn1_from_time(&this->cert->notBefore, ASN1_UTCTIME),
+                       asn1_from_time(&this->cert->notAfter, ASN1_UTCTIME)),
+               subject->get_encoding(subject),
+               key_info, extensions);
+       
+       if (!this->sign_key->sign(this->sign_key, scheme, 
+                                                       this->cert->tbsCertificate, &this->cert->signature))
+       {
+               return FALSE;
+       }
+       this->cert->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm",
+                                                               this->cert->tbsCertificate,
+                                                               asn1_algorithmIdentifier(this->cert->algorithm),
+                                                               asn1_bitstring("c", this->cert->signature));
+       
+       hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+       if (!hasher)
+       {
+               return FALSE;
+       }
+       hasher->allocate_hash(hasher, this->cert->encoding,
+                                                 &this->cert->encoding_hash);
+       hasher->destroy(hasher);
+       return TRUE;
+}
+
+/**
+ * Implementation of builder_t.build
+ */
+static private_x509_cert_t *build(private_builder_t *this)
+{
+       private_x509_cert_t *cert;
+       
+       if (this->cert)
+       {
+               this->cert->flags |= this->flags;
+               if (!this->cert->encoding.ptr)
+               {       /* generate a new certificate */
+                       if (!this->sign_key || !generate(this))
+                       {
+                               destroy(this->cert);
+                               free(this);
+                               return NULL;
+                       }
+               }
+       }
+       cert = this->cert;
+       free(this);
        return cert;
 }
 
@@ -1253,13 +1368,11 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 {
        va_list args;
        chunk_t chunk;
+       bool handled = TRUE;
        
        va_start(args, part);
        switch (part)
        {
-               case BUILD_FROM_FILE:
-                       this->cert = create_from_file(va_arg(args, char*));
-                       break;
                case BUILD_BLOB_ASN1_DER:
                        chunk = va_arg(args, chunk_t);
                        this->cert = create_from_chunk(chunk_clone(chunk));
@@ -1267,6 +1380,63 @@ static void add(private_builder_t *this, builder_part_t part, ...)
                case BUILD_X509_FLAG:
                        this->flags = va_arg(args, x509_flag_t);
                        break;
+               case BUILD_SIGNING_KEY:
+                       this->sign_key = va_arg(args, private_key_t*);
+                       break;
+               case BUILD_SIGNING_CERT:
+                       this->sign_cert = va_arg(args, certificate_t*);
+                       break;
+               default:
+                       /* all other parts need an empty cert */
+                       if (!this->cert)
+                       {
+                               this->cert = create_empty();
+                       }
+                       handled = FALSE;
+                       break;
+       }
+       if (handled)
+       {
+               va_end(args);
+               return;
+       }
+       
+       switch (part)
+       {
+               case BUILD_PUBLIC_KEY:
+               {
+                       public_key_t *key = va_arg(args, public_key_t*);
+                       this->cert->public_key = key->get_ref(key);
+                       break;
+               }
+               case BUILD_SUBJECT:
+               {
+                       identification_t *id = va_arg(args, identification_t*);
+                       this->cert->subject = id->clone(id);
+                       break;
+               }
+               case BUILD_SUBJECT_ALTNAME:
+               {
+                       identification_t *id = va_arg(args, identification_t*);
+                       this->cert->subjectAltNames->insert_last(
+                                                                       this->cert->subjectAltNames, id->clone(id));
+                       break;
+               }
+               case BUILD_NOT_BEFORE_TIME:
+                       this->cert->notBefore = va_arg(args, time_t);
+                       break;
+               case BUILD_NOT_AFTER_TIME:
+                       this->cert->notAfter = va_arg(args, time_t);
+                       break;
+               case BUILD_SERIAL:
+               {
+                       chunk_t serial = va_arg(args, chunk_t);
+                       this->cert->serialNumber = chunk_clone(serial);
+                       break;
+               }
+               case BUILD_DIGEST_ALG:
+                       this->digest_alg = va_arg(args, int);
+                       break;
                default:
                        /* abort if unsupported option */
                        if (this->cert)
@@ -1295,6 +1465,9 @@ builder_t *x509_cert_builder(certificate_type_t type)
        
        this->cert = NULL;
        this->flags = 0;
+       this->sign_cert = NULL;
+       this->sign_key = NULL;
+       this->digest_alg = HASH_SHA1;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;