certificate: Return signature scheme and parameters from issued_by() method
authorTobias Brunner <tobias@strongswan.org>
Fri, 13 Oct 2017 12:33:43 +0000 (14:33 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 8 Nov 2017 15:48:10 +0000 (16:48 +0100)
This also required some include restructuring (avoid including library.h
in headers) to avoid unresolvable circular dependencies.

29 files changed:
src/charon-tkm/src/tkm/tkm_private_key.c
src/charon-tkm/src/tkm/tkm_public_key.c
src/libcharon/sa/ikev1/iv_manager.c
src/libstrongswan/credentials/certificates/certificate.h
src/libstrongswan/credentials/containers/pkcs12.c
src/libstrongswan/credentials/cred_encoding.h
src/libstrongswan/credentials/credential_manager.c
src/libstrongswan/credentials/credential_manager.h
src/libstrongswan/credentials/keys/public_key.h
src/libstrongswan/credentials/sets/cert_cache.c
src/libstrongswan/credentials/sets/cert_cache.h
src/libstrongswan/crypto/hashers/hasher.h
src/libstrongswan/crypto/prfs/prf.h
src/libstrongswan/crypto/signers/signer.h
src/libstrongswan/plugins/openssl/openssl_crl.c
src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
src/libstrongswan/plugins/openssl/openssl_x509.c
src/libstrongswan/plugins/pem/pem_encoder.c
src/libstrongswan/plugins/pgp/pgp_cert.c
src/libstrongswan/plugins/pgp/pgp_encoder.c
src/libstrongswan/plugins/pubkey/pubkey_cert.c
src/libstrongswan/plugins/x509/x509_ac.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/plugins/x509/x509_crl.c
src/libstrongswan/plugins/x509/x509_ocsp_request.c
src/libstrongswan/plugins/x509/x509_ocsp_response.c
src/libstrongswan/plugins/x509/x509_pkcs10.c
src/libstrongswan/utils/debug.h
src/libtls/tls_prf.c

index 02351b6..891b579 100644 (file)
@@ -14,6 +14,7 @@
  * for more details.
  */
 
+#include <library.h>
 #include <utils/debug.h>
 #include <tkm/constants.h>
 #include <tkm/client.h>
index 788336c..2a14a9b 100644 (file)
@@ -14,6 +14,7 @@
  * for more details.
  */
 
+#include <library.h>
 #include <utils/debug.h>
 
 #include "tkm_public_key.h"
index c9f737c..2a6e5c0 100644 (file)
@@ -15,6 +15,7 @@
 
 #include "iv_manager.h"
 
+#include <library.h>
 #include <collections/linked_list.h>
 
 /**
index d59126b..6dc5c76 100644 (file)
@@ -25,9 +25,9 @@ typedef struct certificate_t certificate_t;
 typedef enum certificate_type_t certificate_type_t;
 typedef enum cert_validation_t cert_validation_t;
 
-#include <library.h>
 #include <utils/identification.h>
 #include <credentials/keys/public_key.h>
+#include <credentials/keys/signature_params.h>
 #include <credentials/cred_encoding.h>
 
 /**
@@ -139,11 +139,12 @@ struct certificate_t {
         * Check if this certificate is issued and signed by a specific issuer.
         *
         * @param issuer        issuer's certificate
-        * @param scheme        receives signature scheme used during verification
+        * @param scheme        receives used signature scheme and parameters, if
+        *                                      given (allocated)
         * @return                      TRUE if certificate issued by issuer and trusted
         */
        bool (*issued_by)(certificate_t *this, certificate_t *issuer,
-                                         signature_scheme_t *scheme);
+                                         signature_params_t **scheme);
 
        /**
         * Get the public key associated to this certificate.
index 0b65364..1129357 100644 (file)
@@ -25,7 +25,7 @@ typedef struct cred_encoding_t cred_encoding_t;
 typedef enum cred_encoding_type_t cred_encoding_type_t;
 typedef enum cred_encoding_part_t cred_encoding_part_t;
 
-#include <library.h>
+#include <utils/chunk.h>
 
 /**
  * Credential encoder function implementing encoding/fingerprinting.
index 9be7407..a4a092e 100644 (file)
@@ -488,7 +488,7 @@ METHOD(credential_manager_t, remove_local_set, void,
 
 METHOD(credential_manager_t, issued_by, bool,
        private_credential_manager_t *this, certificate_t *subject,
-       certificate_t *issuer, signature_scheme_t *scheme)
+       certificate_t *issuer, signature_params_t **scheme)
 {
        if (this->cache)
        {
@@ -661,7 +661,7 @@ static certificate_t *get_pretrusted_cert(private_credential_manager_t *this,
  */
 static certificate_t *get_issuer_cert(private_credential_manager_t *this,
                                                                          certificate_t *subject, bool trusted,
-                                                                         signature_scheme_t *scheme)
+                                                                         signature_params_t **scheme)
 {
        enumerator_t *enumerator;
        certificate_t *issuer = NULL, *candidate;
@@ -723,7 +723,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 {
        certificate_t *current, *issuer;
        auth_cfg_t *auth;
-       signature_scheme_t scheme;
+       signature_params_t *scheme;
        int pathlen;
 
        auth = auth_cfg_create();
@@ -750,7 +750,8 @@ static bool verify_trust_chain(private_credential_manager_t *this,
                                DBG1(DBG_CFG, "  using trusted intermediate ca certificate "
                                         "\"%Y\"", issuer->get_subject(issuer));
                        }
-                       auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme);
+                       auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme->scheme);
+                       signature_params_destroy(scheme);
                }
                else
                {
@@ -768,7 +769,8 @@ static bool verify_trust_chain(private_credential_manager_t *this,
                                auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
                                DBG1(DBG_CFG, "  using untrusted intermediate certificate "
                                         "\"%Y\"", issuer->get_subject(issuer));
-                               auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme);
+                               auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme->scheme);
+                               signature_params_destroy(scheme);
                        }
                        else
                        {
index 022ca56..d99f29b 100644 (file)
@@ -241,12 +241,13 @@ struct credential_manager_t {
         *
         * @param subject       subject certificate to check
         * @param issuer        issuer certificate that potentially has signed subject
-        * @param scheme        receives used signature scheme, if given
+        * @param scheme        receives used signature scheme and parameters, if
+        *                                      given (allocated)
         * @return                      TRUE if issuer signed subject
         */
        bool (*issued_by)(credential_manager_t *this,
                                          certificate_t *subject, certificate_t *issuer,
-                                         signature_scheme_t *scheme);
+                                         signature_params_t **scheme);
 
        /**
         * Register a credential set to the manager.
index 186530f..d6a0a7b 100644 (file)
@@ -28,7 +28,6 @@ typedef enum key_type_t key_type_t;
 typedef enum signature_scheme_t signature_scheme_t;
 typedef enum encryption_scheme_t encryption_scheme_t;
 
-#include <library.h>
 #include <utils/identification.h>
 #include <credentials/cred_encoding.h>
 
index 92d5efd..0e64f03 100644 (file)
@@ -48,9 +48,9 @@ struct relation_t {
        certificate_t *issuer;
 
        /**
-        * Signature scheme used to sign this relation
+        * Signature scheme and parameters used to sign this relation
         */
-       signature_scheme_t scheme;
+       signature_params_t *scheme;
 
        /**
         * Cache hits
@@ -84,7 +84,7 @@ struct private_cert_cache_t {
  */
 static void cache(private_cert_cache_t *this,
                                  certificate_t *subject, certificate_t *issuer,
-                                 signature_scheme_t scheme)
+                                 signature_params_t *scheme)
 {
        relation_t *rel;
        int i, offset, try;
@@ -118,7 +118,8 @@ static void cache(private_cert_cache_t *this,
                                        {
                                                rel->subject->destroy(rel->subject);
                                                rel->subject = subject->get_ref(subject);
-                                               rel->scheme = scheme;
+                                               signature_params_destroy(rel->scheme);
+                                               rel->scheme = signature_params_clone(scheme);
                                                return rel->lock->unlock(rel->lock);
                                        }
                                }
@@ -139,7 +140,7 @@ static void cache(private_cert_cache_t *this,
                        {
                                rel->subject = subject->get_ref(subject);
                                rel->issuer = issuer->get_ref(issuer);
-                               rel->scheme = scheme;
+                               rel->scheme = signature_params_clone(scheme);
                                return rel->lock->unlock(rel->lock);
                        }
                        rel->lock->unlock(rel->lock);
@@ -165,10 +166,11 @@ static void cache(private_cert_cache_t *this,
                                {
                                        rel->subject->destroy(rel->subject);
                                        rel->issuer->destroy(rel->issuer);
+                                       signature_params_destroy(rel->scheme);
                                }
                                rel->subject = subject->get_ref(subject);
                                rel->issuer = issuer->get_ref(issuer);
-                               rel->scheme = scheme;
+                               rel->scheme = signature_params_clone(scheme);
                                rel->hits = 0;
                                return rel->lock->unlock(rel->lock);
                        }
@@ -180,11 +182,11 @@ static void cache(private_cert_cache_t *this,
 
 METHOD(cert_cache_t, issued_by, bool,
        private_cert_cache_t *this, certificate_t *subject, certificate_t *issuer,
-       signature_scheme_t *schemep)
+       signature_params_t **schemep)
 {
        certificate_t *cached_issuer = NULL;
        relation_t *found = NULL, *current;
-       signature_scheme_t scheme;
+       signature_params_t *scheme;
        int i;
 
        for (i = 0; i < CACHE_SIZE; i++)
@@ -202,7 +204,7 @@ METHOD(cert_cache_t, issued_by, bool,
                                        found = current;
                                        if (schemep)
                                        {
-                                               *schemep = current->scheme;
+                                               *schemep = signature_params_clone(current->scheme);
                                        }
                                }
                                else if (!cached_issuer)
@@ -225,6 +227,10 @@ METHOD(cert_cache_t, issued_by, bool,
                {
                        *schemep = scheme;
                }
+               else
+               {
+                       signature_params_destroy(scheme);
+               }
                DESTROY_IF(cached_issuer);
                return TRUE;
        }
@@ -383,8 +389,10 @@ METHOD(cert_cache_t, flush, void,
                        {
                                rel->subject->destroy(rel->subject);
                                rel->issuer->destroy(rel->issuer);
+                               signature_params_destroy(rel->scheme);
                                rel->subject = NULL;
                                rel->issuer = NULL;
+                               rel->scheme = NULL;
                                rel->hits = 0;
                        }
                }
@@ -405,6 +413,7 @@ METHOD(cert_cache_t, destroy, void,
                {
                        rel->subject->destroy(rel->subject);
                        rel->issuer->destroy(rel->issuer);
+                       signature_params_destroy(rel->scheme);
                }
                rel->lock->destroy(rel->lock);
        }
@@ -438,6 +447,7 @@ cert_cache_t *cert_cache_create()
        {
                this->relations[i].subject = NULL;
                this->relations[i].issuer = NULL;
+               this->relations[i].scheme = NULL;
                this->relations[i].hits = 0;
                this->relations[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
        }
index 2bcdbe4..2235bc3 100644 (file)
@@ -45,12 +45,13 @@ struct cert_cache_t {
         *
         * @param subject               certificate to verify
         * @param issuer                issuing certificate to verify subject
-        * @param scheme                receives used signature scheme, if given
+        * @param scheme                receives used signature scheme and parameters, if
+        *                                              given (allocated)
         * @return                              TRUE if subject issued by issuer
         */
        bool (*issued_by)(cert_cache_t *this,
                                          certificate_t *subject, certificate_t *issuer,
-                                         signature_scheme_t *scheme);
+                                         signature_params_t **scheme);
 
        /**
         * Flush the certificate cache.
index 9d2df1d..96de7e2 100644 (file)
@@ -27,7 +27,6 @@
 typedef enum hash_algorithm_t hash_algorithm_t;
 typedef struct hasher_t hasher_t;
 
-#include <library.h>
 #include <crypto/prfs/prf.h>
 #include <crypto/signers/signer.h>
 #include <credentials/keys/public_key.h>
index bf443e5..fe9ffc2 100644 (file)
@@ -25,7 +25,8 @@
 typedef enum pseudo_random_function_t pseudo_random_function_t;
 typedef struct prf_t prf_t;
 
-#include <library.h>
+#include <utils/utils.h>
+#include <utils/chunk.h>
 
 /**
  * Pseudo random function, as in IKEv2 RFC 3.3.2.
index 01b702d..8958e66 100644 (file)
@@ -25,7 +25,8 @@
 typedef enum integrity_algorithm_t integrity_algorithm_t;
 typedef struct signer_t signer_t;
 
-#include <library.h>
+#include <utils/utils.h>
+#include <utils/chunk.h>
 
 /**
  * Integrity algorithm, as in IKEv2 RFC 3.3.2.
index 663f091..171b7d6 100644 (file)
@@ -284,7 +284,7 @@ METHOD(certificate_t, has_subject_or_issuer, id_match_t,
 
 METHOD(certificate_t, issued_by, bool,
        private_openssl_crl_t *this, certificate_t *issuer,
-       signature_scheme_t *scheme)
+       signature_params_t **scheme)
 {
        chunk_t fingerprint, tbs;
        public_key_t *key;
@@ -338,7 +338,9 @@ METHOD(certificate_t, issued_by, bool,
        key->destroy(key);
        if (valid && scheme)
        {
-               *scheme = this->scheme;
+               INIT(*scheme,
+                       .scheme = this->scheme,
+               );
        }
        return valid;
 }
index f6df03f..3a6d2f1 100644 (file)
@@ -20,6 +20,7 @@
 #include "openssl_sha1_prf.h"
 
 #include <openssl/sha.h>
+#include <crypto/hashers/hasher.h>
 
 typedef struct private_openssl_sha1_prf_t private_openssl_sha1_prf_t;
 
index 7e077e7..d2773e3 100644 (file)
@@ -384,7 +384,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 
 METHOD(certificate_t, issued_by, bool,
        private_openssl_x509_t *this, certificate_t *issuer,
-       signature_scheme_t *scheme)
+       signature_params_t **scheme)
 {
        public_key_t *key;
        bool valid;
@@ -392,11 +392,16 @@ METHOD(certificate_t, issued_by, bool,
        ASN1_BIT_STRING *sig;
        chunk_t tbs;
 
+       if (this->scheme == SIGN_UNKNOWN)
+       {
+               return FALSE;
+       }
        if (&this->public.x509.interface == issuer)
        {
                if (this->flags & X509_SELF_SIGNED)
                {
-                       return TRUE;
+                       valid = TRUE;
+                       goto out;
                }
        }
        else
@@ -414,10 +419,6 @@ METHOD(certificate_t, issued_by, bool,
                        return FALSE;
                }
        }
-       if (this->scheme == SIGN_UNKNOWN)
-       {
-               return FALSE;
-       }
        key = issuer->get_public_key(issuer);
        if (!key)
        {
@@ -434,9 +435,13 @@ METHOD(certificate_t, issued_by, bool,
                                                openssl_asn1_str2chunk(sig));
        free(tbs.ptr);
        key->destroy(key);
+
+out:
        if (valid && scheme)
        {
-               *scheme = this->scheme;
+               INIT(*scheme,
+                       .scheme = this->scheme,
+               );
        }
        return valid;
 }
index 76b0b7b..8c6c5da 100644 (file)
@@ -15,6 +15,8 @@
 
 #include "pem_encoder.h"
 
+#include <library.h>
+
 #define BYTES_PER_LINE 48
 
 /**
index 0ffce4c..392ef54 100644 (file)
@@ -114,7 +114,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by,bool,
-       private_pgp_cert_t *this, certificate_t *issuer, signature_scheme_t *scheme)
+       private_pgp_cert_t *this, certificate_t *issuer, signature_params_t **scheme)
 {
        /* TODO: check signature blobs for a valid signature */
        return FALSE;
index 100f3ef..eba936b 100644 (file)
@@ -15,6 +15,7 @@
 
 #include "pgp_encoder.h"
 
+#include <library.h>
 #include <utils/debug.h>
 
 /**
index 0631a68..81dad65 100644 (file)
@@ -137,13 +137,16 @@ METHOD(certificate_t, equals, bool,
 
 METHOD(certificate_t, issued_by, bool,
        private_pubkey_cert_t *this, certificate_t *issuer,
-       signature_scheme_t *scheme)
+       signature_params_t **scheme)
 {
-       if (scheme)
+       bool valid = equals(this, issuer);
+       if (valid && scheme)
        {
-               *scheme = SIGN_UNKNOWN;
+               INIT(*scheme,
+                       .scheme = SIGN_UNKNOWN,
+               );
        }
-       return equals(this, issuer);
+       return valid;
 }
 
 METHOD(certificate_t, get_public_key,  public_key_t*,
index 2a1ef63..c0a64fc 100644 (file)
@@ -886,7 +886,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-       private_x509_ac_t *this, certificate_t *issuer, signature_scheme_t *schemep)
+       private_x509_ac_t *this, certificate_t *issuer,
+       signature_params_t **schemep)
 {
        public_key_t *key;
        signature_scheme_t scheme;
@@ -938,7 +939,9 @@ METHOD(certificate_t, issued_by, bool,
        key->destroy(key);
        if (valid && schemep)
        {
-               *schemep = scheme;
+               INIT(*schemep,
+                       .scheme = scheme,
+               );
        }
        return valid;
 }
index 6d2fb9d..9bb272a 100644 (file)
@@ -1677,18 +1677,26 @@ METHOD(certificate_t, has_issuer, id_match_t,
 
 METHOD(certificate_t, issued_by, bool,
        private_x509_cert_t *this, certificate_t *issuer,
-       signature_scheme_t *schemep)
+       signature_params_t **schemep)
 {
        public_key_t *key;
        signature_scheme_t scheme;
        bool valid;
        x509_t *x509 = (x509_t*)issuer;
 
+       /* determine signature scheme */
+       scheme = signature_scheme_from_oid(this->algorithm);
+       if (scheme == SIGN_UNKNOWN)
+       {
+               return FALSE;
+       }
+
        if (&this->public.interface.interface == issuer)
        {
                if (this->flags & X509_SELF_SIGNED)
                {
-                       return TRUE;
+                       valid = TRUE;
+                       goto out;
                }
        }
        else
@@ -1707,12 +1715,6 @@ METHOD(certificate_t, issued_by, bool,
                return FALSE;
        }
 
-       /* determine signature scheme */
-       scheme = signature_scheme_from_oid(this->algorithm);
-       if (scheme == SIGN_UNKNOWN)
-       {
-               return FALSE;
-       }
        /* get the public key of the issuer */
        key = issuer->get_public_key(issuer);
        if (!key)
@@ -1722,9 +1724,13 @@ METHOD(certificate_t, issued_by, bool,
        valid = key->verify(key, scheme, NULL, this->tbsCertificate,
                                                this->signature);
        key->destroy(key);
+
+out:
        if (valid && schemep)
        {
-               *schemep = scheme;
+               INIT(*schemep,
+                       .scheme = scheme,
+               );
        }
        return valid;
 }
index 8ea7025..2712ad8 100644 (file)
@@ -457,7 +457,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-       private_x509_crl_t *this, certificate_t *issuer, signature_scheme_t *schemep)
+       private_x509_crl_t *this, certificate_t *issuer,
+       signature_params_t **schemep)
 {
        public_key_t *key;
        signature_scheme_t scheme;
@@ -506,7 +507,9 @@ METHOD(certificate_t, issued_by, bool,
        key->destroy(key);
        if (valid && schemep)
        {
-               *schemep = scheme;
+               INIT(*schemep,
+                       .scheme = scheme,
+               );
        }
        return valid;
 }
index de2ad98..de22ab6 100644 (file)
@@ -372,7 +372,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 
 METHOD(certificate_t, issued_by, bool,
        private_x509_ocsp_request_t *this, certificate_t *issuer,
-       signature_scheme_t *scheme)
+       signature_params_t **scheme)
 {
        DBG1(DBG_LIB, "OCSP request validation not implemented!");
        return FALSE;
index fd0d84e..e803c18 100644 (file)
@@ -703,7 +703,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 
 METHOD(certificate_t, issued_by, bool,
        private_x509_ocsp_response_t *this, certificate_t *issuer,
-       signature_scheme_t *schemep)
+       signature_params_t **schemep)
 {
        public_key_t *key;
        signature_scheme_t scheme;
@@ -758,7 +758,9 @@ METHOD(certificate_t, issued_by, bool,
        key->destroy(key);
        if (valid && schemep)
        {
-               *schemep = scheme;
+               INIT(*schemep,
+                       .scheme = scheme,
+               );
        }
        return valid;
 }
index beeb436..019ccf7 100644 (file)
@@ -124,7 +124,7 @@ METHOD(certificate_t, has_subject, id_match_t,
 
 METHOD(certificate_t, issued_by, bool,
        private_x509_pkcs10_t *this, certificate_t *issuer,
-       signature_scheme_t *schemep)
+       signature_params_t **schemep)
 {
        public_key_t *key;
        signature_scheme_t scheme;
@@ -134,29 +134,32 @@ METHOD(certificate_t, issued_by, bool,
        {
                return FALSE;
        }
-       if (this->self_signed)
-       {
-               return TRUE;
-       }
-
        /* determine signature scheme */
        scheme = signature_scheme_from_oid(this->algorithm);
        if (scheme == SIGN_UNKNOWN)
        {
                return FALSE;
        }
-
-       /* get the public key contained in the certificate request */
-       key = this->public_key;
-       if (!key)
+       if (this->self_signed)
        {
-               return FALSE;
+               valid = TRUE;
+       }
+       else
+       {
+               /* get the public key contained in the certificate request */
+               key = this->public_key;
+               if (!key)
+               {
+                       return FALSE;
+               }
+               valid = key->verify(key, scheme, NULL, this->certificationRequestInfo,
+                                                       this->signature);
        }
-       valid = key->verify(key, scheme, NULL, this->certificationRequestInfo,
-                                               this->signature);
        if (valid && schemep)
        {
-               *schemep = scheme;
+               INIT(*schemep,
+                       .scheme = scheme,
+               );
        }
        return valid;
 }
index f1c8c70..3b55448 100644 (file)
@@ -24,9 +24,9 @@
 typedef enum debug_t debug_t;
 typedef enum level_t level_t;
 
-#include <stdio.h>
-
+#include <utils/printf_hook/printf_hook.h>
 #include <utils/utils.h>
+#include <stdio.h>
 
 /**
  * Debug message group.
index 918de1e..f88dbc2 100644 (file)
@@ -17,6 +17,8 @@
 
 typedef struct private_tls_prf12_t private_tls_prf12_t;
 
+#include <library.h>
+
 /**
  * Private data of an tls_prf_t object.
  */