Support different encoding types in certificate.get_encoding()
authorMartin Willi <martin@revosec.ch>
Tue, 13 Jul 2010 11:34:04 +0000 (13:34 +0200)
committerMartin Willi <martin@revosec.ch>
Tue, 13 Jul 2010 11:53:20 +0000 (13:53 +0200)
27 files changed:
src/libcharon/encoding/payloads/cert_payload.c
src/libcharon/plugins/stroke/stroke_ca.c
src/libcharon/plugins/stroke/stroke_cred.c
src/libcharon/sa/tasks/ike_cert_post.c
src/libstrongswan/credentials/certificates/certificate.h
src/libstrongswan/credentials/cred_encoding.h
src/libstrongswan/plugins/openssl/openssl_crl.c
src/libstrongswan/plugins/openssl/openssl_x509.c
src/libstrongswan/plugins/pgp/pgp_cert.c
src/libstrongswan/plugins/pubkey/pubkey_cert.c
src/libstrongswan/plugins/revocation/revocation_validator.c
src/libstrongswan/plugins/x509/x509_ac.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/plugins/x509/x509_crl.c
src/libstrongswan/plugins/x509/x509_ocsp_request.c
src/libstrongswan/plugins/x509/x509_ocsp_response.c
src/libstrongswan/plugins/x509/x509_pkcs10.c
src/openac/openac.c
src/pki/commands/issue.c
src/pki/commands/req.c
src/pki/commands/self.c
src/pki/commands/signcrl.c
src/pluto/crl.c
src/pluto/ipsec_doi.c
src/pluto/ocsp.c
src/pluto/pkcs7.c
src/scepclient/scepclient.c

index 6dd3141..80239f6 100644 (file)
@@ -320,7 +320,12 @@ cert_payload_t *cert_payload_create_from_cert(certificate_t *cert)
                        free(this);
                        return NULL;
        }
-       this->data = cert->get_encoding(cert);
+       if (!cert->get_encoding(cert, CERT_ASN1_DER, &this->data))
+       {
+               DBG1(DBG_ENC, "encoding certificate for cert payload failed");
+               free(this);
+               return NULL;
+       }
        this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len;
        return &this->public;
 }
index b1cf5b2..9a3ae0a 100644 (file)
@@ -357,12 +357,16 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
        {
                if (section->certuribase && cert->issued_by(cert, section->cert))
                {
-                       chunk_t hash, encoded = cert->get_encoding(cert);
-                       hasher->allocate_hash(hasher, encoded, &hash);
-                       section->hashes->insert_last(section->hashes,
-                                       identification_create_from_encoding(ID_KEY_ID, hash));
-                       chunk_free(&hash);
-                       chunk_free(&encoded);
+                       chunk_t hash, encoded;
+
+                       if (cert->get_encoding(cert, CERT_ASN1_DER, &encoded))
+                       {
+                               hasher->allocate_hash(hasher, encoded, &hash);
+                               section->hashes->insert_last(section->hashes,
+                                               identification_create_from_encoding(ID_KEY_ID, hash));
+                               chunk_free(&hash);
+                               chunk_free(&encoded);
+                       }
                        break;
                }
        }
index 68703d1..2816b9b 100644 (file)
@@ -587,9 +587,11 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
                        snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex);
                        free(hex.ptr);
 
-                       chunk = cert->get_encoding(cert);
-                       chunk_write(chunk, buf, "crl", 022, TRUE);
-                       free(chunk.ptr);
+                       if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
+                       {
+                               chunk_write(chunk, buf, "crl", 022, TRUE);
+                               free(chunk.ptr);
+                       }
                }
        }
 }
index b28739d..cc810a4 100644 (file)
@@ -72,7 +72,12 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
                return cert_payload_create_from_cert(cert);
        }
 
-       encoded = cert->get_encoding(cert);
+       if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoded))
+       {
+               DBG1(DBG_IKE, "encoding certificate for cert payload failed");
+               hasher->destroy(hasher);
+               return NULL;
+       }
        hasher->allocate_hash(hasher, encoded, &hash);
        chunk_free(&encoded);
        hasher->destroy(hasher);
index dcb5f36..43bfe3d 100644 (file)
@@ -28,6 +28,7 @@ typedef enum cert_validation_t cert_validation_t;
 #include <library.h>
 #include <utils/identification.h>
 #include <credentials/keys/public_key.h>
+#include <credentials/cred_encoding.h>
 
 /**
  * Kind of a certificate_t
@@ -163,11 +164,14 @@ struct certificate_t {
                                                 time_t *not_before, time_t *not_after);
 
        /**
-        * Get the certificate in an encoded form.
+        * Get the certificate in an encoded form as a chunk.
         *
-        * @return                              allocated chunk of encoded cert
+        * @param type          type of the encoding, one of CERT_*
+        * @param encoding      encoding of the key, allocated
+        * @return                      TRUE if encoding supported
         */
-       chunk_t (*get_encoding)(certificate_t *this);
+       bool (*get_encoding)(certificate_t *this, cred_encoding_type_t type,
+                                                chunk_t *encoding);
 
        /**
         * Check if two certificates are equal.
index 04104fd..e2d6969 100644 (file)
@@ -86,6 +86,13 @@ enum cred_encoding_type_t {
        PUBKEY_PGP,
        PRIVKEY_PGP,
 
+       /** ASN.1 DER encoded certificate */
+       CERT_ASN1_DER,
+       /** PEM encoded certificate */
+       CERT_PEM,
+       /** PGP Packet encoded certificate */
+       CERT_PGP_PKT,
+
        CRED_ENCODING_MAX,
 };
 
@@ -117,6 +124,20 @@ enum cred_encoding_part_t {
        CRED_PART_ECDSA_PUB_ASN1_DER,
        /** a DER encoded ECDSA private key */
        CRED_PART_ECDSA_PRIV_ASN1_DER,
+       /** a DER encoded X509 certificate */
+       CRED_PART_X509_ASN1_DER,
+       /** a DER encoded X509 CRL */
+       CRED_PART_X509_CRL_ASN1_DER,
+       /** a DER encoded X509 OCSP request */
+       CRED_PART_X509_OCSP_REQ_ASN1_DER,
+       /** a DER encoded X509 OCSP response */
+       CRED_PART_X509_OCSP_RES_ASN1_DER,
+       /** a DER encoded X509 attribute certificate */
+       CRED_PART_X509_AC_ASN1_DER,
+       /** a DER encoded PKCS10 certificate request */
+       CRED_PART_PKCS10_ASN1_DER,
+       /** a PGP encoded certificate */
+       CRED_PART_PGP_CERT,
 
        CRED_PART_END,
 };
index 3fe604a..5645d72 100644 (file)
@@ -296,10 +296,16 @@ METHOD(certificate_t, get_validity, bool,
        return t <= this->nextUpdate;
 }
 
-METHOD(certificate_t, get_encoding, chunk_t,
-       private_openssl_crl_t *this)
+METHOD(certificate_t, get_encoding, bool,
+       private_openssl_crl_t *this, cred_encoding_type_t type, chunk_t *encoding)
 {
-       return chunk_clone(this->encoding);
+       if (type == CERT_ASN1_DER)
+       {
+               *encoding = chunk_clone(this->encoding);
+               return TRUE;
+       }
+       return lib->encoding->encode(lib->encoding, type, NULL, encoding,
+                                       CRED_PART_X509_CRL_ASN1_DER, this->encoding, CRED_PART_END);
 }
 
 METHOD(certificate_t, equals, bool,
@@ -317,7 +323,10 @@ METHOD(certificate_t, equals, bool,
                return chunk_equals(this->encoding,
                                                        ((private_openssl_crl_t*)other)->encoding);
        }
-       encoding = other->get_encoding(other);
+       if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
+       {
+               return FALSE;
+       }
        equal = chunk_equals(this->encoding, encoding);
        free(encoding.ptr);
        return equal;
index b6a8394..1c9bb69 100644 (file)
@@ -393,12 +393,19 @@ METHOD(certificate_t, get_validity, bool,
        return (t >= this->notBefore && t <= this->notAfter);
 }
 
-METHOD(certificate_t, get_encoding, chunk_t,
-       private_openssl_x509_t *this)
+METHOD(certificate_t, get_encoding, bool,
+       private_openssl_x509_t *this, cred_encoding_type_t type, chunk_t *encoding)
 {
-       return chunk_clone(this->encoding);
+       if (type == CERT_ASN1_DER)
+       {
+               *encoding = chunk_clone(this->encoding);
+               return TRUE;
+       }
+       return lib->encoding->encode(lib->encoding, type, NULL, encoding,
+                                               CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END);
 }
 
+
 METHOD(certificate_t, equals, bool,
        private_openssl_x509_t *this, certificate_t *other)
 {
@@ -418,7 +425,10 @@ METHOD(certificate_t, equals, bool,
                encoding = ((private_openssl_x509_t*)other)->encoding;
                return chunk_equals(this->encoding, encoding);
        }
-       encoding = other->get_encoding(other);
+       if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
+       {
+               return FALSE;
+       }
        equal = chunk_equals(this->encoding, encoding);
        free(encoding.ptr);
        return equal;
index ab0b24e..5b21b46 100644 (file)
@@ -190,9 +190,16 @@ static bool get_validity(private_pgp_cert_t *this, time_t *when,
 /**
  * Implementation of certificate_t.get_encoding.
  */
-static chunk_t get_encoding(private_pgp_cert_t *this)
+static bool get_encoding(private_pgp_cert_t *this, cred_encoding_type_t type,
+                                                chunk_t *encoding)
 {
-       return chunk_clone(this->encoding);
+       if (type == CERT_PGP_PKT)
+       {
+               *encoding = chunk_clone(this->encoding);
+               return TRUE;
+       }
+       return lib->encoding->encode(lib->encoding, type, NULL, encoding,
+                                               CRED_PART_PGP_CERT, this->encoding, CRED_PART_END);
 }
 
 /**
@@ -215,7 +222,10 @@ static bool equals(private_pgp_cert_t *this, certificate_t *other)
        {       /* skip allocation if we have the same implementation */
                return chunk_equals(this->encoding, ((private_pgp_cert_t*)other)->encoding);
        }
-       encoding = other->get_encoding(other);
+       if (!other->get_encoding(other, CERT_PGP_PKT, &encoding))
+       {
+               return FALSE;
+       }
        equal = chunk_equals(this->encoding, encoding);
        free(encoding.ptr);
        return equal;
@@ -259,7 +269,7 @@ private_pgp_cert_t *create_empty()
        this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by;
        this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key;
        this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity;
-       this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding;
+       this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding;
        this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals;
        this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref;
        this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
index f2dcd71..c50189a 100644 (file)
@@ -163,15 +163,10 @@ static bool get_validity(private_pubkey_cert_t *this, time_t *when,
 /**
  * Implementation of certificate_t.get_encoding.
  */
-static chunk_t get_encoding(private_pubkey_cert_t *this)
+static bool get_encoding(private_pubkey_cert_t *this, cred_encoding_type_t type,
+                                                chunk_t *encoding)
 {
-       chunk_t encoding;
-
-       if (this->key->get_encoding(this->key, PUBKEY_ASN1_DER, &encoding))
-       {
-               return encoding;
-       }
-       return chunk_empty;
+       return this->key->get_encoding(this->key, PUBKEY_ASN1_DER, encoding);
 }
 
 /**
@@ -213,7 +208,7 @@ static pubkey_cert_t *pubkey_cert_create(public_key_t *key)
        this->public.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
        this->public.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
        this->public.interface.get_validity = (bool (*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
-       this->public.interface.get_encoding = (chunk_t (*)(certificate_t*))get_encoding;
+       this->public.interface.get_encoding = (bool (*)(certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding;
        this->public.interface.equals = (bool (*)(certificate_t*, certificate_t *other))equals;
        this->public.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
        this->public.interface.destroy = (void (*)(certificate_t *this))destroy;
index 2893c7c..29d2bc1 100644 (file)
@@ -58,7 +58,12 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
                return NULL;
        }
 
-       send = request->get_encoding(request);
+       if (!request->get_encoding(request, CERT_ASN1_DER, &send))
+       {
+               DBG1(DBG_CFG, "encoding ocsp request failed");
+               request->destroy(request);
+               return NULL;
+       }
        request->destroy(request);
 
        DBG1(DBG_CFG, "  requesting ocsp status from '%s' ...", url);
index 45b5cdf..ba0357c 100644 (file)
@@ -815,9 +815,16 @@ static bool get_validity(private_x509_ac_t *this, time_t *when,
 /**
  * Implementation of certificate_t.get_encoding.
  */
-static chunk_t get_encoding(private_x509_ac_t *this)
+static bool get_encoding(private_x509_ac_t *this, cred_encoding_type_t type,
+                                                chunk_t *encoding)
 {
-       return chunk_clone(this->encoding);
+       if (type == CERT_ASN1_DER)
+       {
+               *encoding = chunk_clone(this->encoding);
+               return TRUE;
+       }
+       return lib->encoding->encode(lib->encoding, type, NULL, encoding,
+                                       CRED_PART_X509_AC_ASN1_DER, this->encoding, CRED_PART_END);
 }
 
 /**
@@ -836,7 +843,10 @@ static bool equals(private_x509_ac_t *this, certificate_t *other)
        {       /* skip allocation if we have the same implementation */
                return chunk_equals(this->encoding, ((private_x509_ac_t*)other)->encoding);
        }
-       encoding = other->get_encoding(other);
+       if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
+       {
+               return FALSE;
+       }
        equal = chunk_equals(this->encoding, encoding);
        free(encoding.ptr);
        return equal;
@@ -885,7 +895,7 @@ static private_x509_ac_t *create_empty(void)
        this->public.interface.certificate.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
        this->public.interface.certificate.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
        this->public.interface.certificate.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
-       this->public.interface.certificate.get_encoding = (chunk_t(*)(certificate_t*))get_encoding;
+       this->public.interface.certificate.get_encoding = (bool(*)(certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding;
        this->public.interface.certificate.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
        this->public.interface.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
        this->public.interface.certificate.destroy = (void (*)(certificate_t *this))destroy;
index e64c9f0..92b576a 100644 (file)
@@ -1221,9 +1221,16 @@ static bool get_validity(private_x509_cert_t *this, time_t *when,
 /**
  * Implementation of certificate_t.get_encoding.
  */
-static chunk_t get_encoding(private_x509_cert_t *this)
+static bool get_encoding(private_x509_cert_t *this, cred_encoding_type_t type,
+                                                chunk_t *encoding)
 {
-       return chunk_clone(this->encoding);
+       if (type == CERT_ASN1_DER)
+       {
+               *encoding = chunk_clone(this->encoding);
+               return TRUE;
+       }
+       return lib->encoding->encode(lib->encoding, type, NULL, encoding,
+                                               CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END);
 }
 
 /**
@@ -1246,7 +1253,10 @@ static bool equals(private_x509_cert_t *this, certificate_t *other)
        {       /* skip allocation if we have the same implementation */
                return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding);
        }
-       encoding = other->get_encoding(other);
+       if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
+       {
+               return FALSE;
+       }
        equal = chunk_equals(this->encoding, encoding);
        free(encoding.ptr);
        return equal;
@@ -1376,7 +1386,7 @@ static private_x509_cert_t* create_empty(void)
        this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by;
        this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key;
        this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity;
-       this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding;
+       this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding;
        this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals;
        this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref;
        this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
index 88d901a..4bd0470 100644 (file)
@@ -457,10 +457,16 @@ METHOD(certificate_t, get_validity, bool,
        return (t <= this->nextUpdate);
 }
 
-METHOD(certificate_t, get_encoding, chunk_t,
-       private_x509_crl_t *this)
+METHOD(certificate_t, get_encoding, bool,
+       private_x509_crl_t *this, cred_encoding_type_t type, chunk_t *encoding)
 {
-       return chunk_clone(this->encoding);
+       if (type == CERT_ASN1_DER)
+       {
+               *encoding = chunk_clone(this->encoding);
+               return TRUE;
+       }
+       return lib->encoding->encode(lib->encoding, type, NULL, encoding,
+                                       CRED_PART_X509_CRL_ASN1_DER, this->encoding, CRED_PART_END);
 }
 
 METHOD(certificate_t, equals, bool,
@@ -477,7 +483,10 @@ METHOD(certificate_t, equals, bool,
        {       /* skip allocation if we have the same implementation */
                return chunk_equals(this->encoding, ((private_x509_crl_t*)other)->encoding);
        }
-       encoding = other->get_encoding(other);
+       if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
+       {
+               return FALSE;
+       }
        equal = chunk_equals(this->encoding, encoding);
        free(encoding.ptr);
        return equal;
index 99e0789..ea02cba 100644 (file)
@@ -250,7 +250,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
 {
        int oid;
        signature_scheme_t scheme;
-       chunk_t certs, signature;
+       chunk_t certs, signature, encoding;
 
        switch (this->key->get_type(this->key))
        {
@@ -274,11 +274,11 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
                DBG1(DBG_LIB, "creating OCSP signature failed, skipped");
                return chunk_empty;
        }
-       if (this->cert)
+       if (this->cert &&
+               this->cert->get_encoding(this->cert, CERT_ASN1_DER, &encoding))
        {
                certs = asn1_wrap(ASN1_CONTEXT_C_0, "m",
-                                       asn1_wrap(ASN1_SEQUENCE, "m",
-                                               this->cert->get_encoding(this->cert)));
+                                       asn1_wrap(ASN1_SEQUENCE, "m", encoding));
        }
        return asn1_wrap(ASN1_CONTEXT_C_0, "m",
                                asn1_wrap(ASN1_SEQUENCE, "cmm",
@@ -413,9 +413,16 @@ static bool get_validity(private_x509_ocsp_request_t *this, time_t *when,
 /**
  * Implementation of certificate_t.get_encoding.
  */
-static chunk_t get_encoding(private_x509_ocsp_request_t *this)
+static bool get_encoding(private_x509_ocsp_request_t *this,
+                                                cred_encoding_type_t type, chunk_t *encoding)
 {
-       return chunk_clone(this->encoding);
+       if (type == CERT_ASN1_DER)
+       {
+               *encoding = chunk_clone(this->encoding);
+               return TRUE;
+       }
+       return lib->encoding->encode(lib->encoding, type, NULL, encoding,
+                               CRED_PART_X509_OCSP_REQ_ASN1_DER, this->encoding, CRED_PART_END);
 }
 
 /**
@@ -438,7 +445,10 @@ static bool equals(private_x509_ocsp_request_t *this, certificate_t *other)
        {       /* skip allocation if we have the same implementation */
                return chunk_equals(this->encoding, ((private_x509_ocsp_request_t*)other)->encoding);
        }
-       encoding = other->get_encoding(other);
+       if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
+       {
+               return FALSE;
+       }
        equal = chunk_equals(this->encoding, encoding);
        free(encoding.ptr);
        return equal;
@@ -486,7 +496,7 @@ static private_x509_ocsp_request_t *create_empty()
        this->public.interface.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
        this->public.interface.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
        this->public.interface.interface.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
-       this->public.interface.interface.get_encoding = (chunk_t(*)(certificate_t*))get_encoding;
+       this->public.interface.interface.get_encoding = (bool(*)(certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding;
        this->public.interface.interface.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
        this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
        this->public.interface.interface.destroy = (void (*)(certificate_t *this))destroy;
index cbaf776..829f47f 100644 (file)
@@ -766,9 +766,16 @@ static bool get_validity(private_x509_ocsp_response_t *this, time_t *when,
 /**
  * Implementation of certificate_t.get_encoding.
  */
-static chunk_t get_encoding(private_x509_ocsp_response_t *this)
+static bool get_encoding(private_x509_ocsp_response_t *this,
+                                                cred_encoding_type_t type, chunk_t *encoding)
 {
-       return chunk_clone(this->encoding);
+       if (type == CERT_ASN1_DER)
+       {
+               *encoding = chunk_clone(this->encoding);
+               return TRUE;
+       }
+       return lib->encoding->encode(lib->encoding, type, NULL, encoding,
+                               CRED_PART_X509_OCSP_RES_ASN1_DER, this->encoding, CRED_PART_END);
 }
 
 /**
@@ -791,7 +798,10 @@ static bool equals(private_x509_ocsp_response_t *this, certificate_t *other)
        {       /* skip allocation if we have the same implementation */
                return chunk_equals(this->encoding, ((private_x509_ocsp_response_t*)other)->encoding);
        }
-       encoding = other->get_encoding(other);
+       if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
+       {
+               return FALSE;
+       }
        equal = chunk_equals(this->encoding, encoding);
        free(encoding.ptr);
        return equal;
@@ -838,7 +848,7 @@ static x509_ocsp_response_t *load(chunk_t blob)
        this->public.interface.certificate.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
        this->public.interface.certificate.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
        this->public.interface.certificate.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
-       this->public.interface.certificate.get_encoding = (chunk_t(*)(certificate_t*))get_encoding;
+       this->public.interface.certificate.get_encoding = (bool(*)(certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding;
        this->public.interface.certificate.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
        this->public.interface.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
        this->public.interface.certificate.destroy = (void (*)(certificate_t *this))destroy;
index ec2233a..bfb0ca6 100644 (file)
@@ -191,9 +191,16 @@ static bool get_validity(private_x509_pkcs10_t *this, time_t *when,
 /**
  * Implementation of certificate_t.get_encoding.
  */
-static chunk_t get_encoding(private_x509_pkcs10_t *this)
+static bool get_encoding(private_x509_pkcs10_t *this, cred_encoding_type_t type,
+                                                chunk_t *encoding)
 {
-       return chunk_clone(this->encoding);
+       if (type == CERT_ASN1_DER)
+       {
+               *encoding = chunk_clone(this->encoding);
+               return TRUE;
+       }
+       return lib->encoding->encode(lib->encoding, type, NULL, encoding,
+                                       CRED_PART_PKCS10_ASN1_DER, this->encoding, CRED_PART_END);
 }
 
 /**
@@ -216,7 +223,10 @@ static bool equals(private_x509_pkcs10_t *this, certificate_t *other)
        {       /* skip allocation if we have the same implementation */
                return chunk_equals(this->encoding, ((private_x509_pkcs10_t*)other)->encoding);
        }
-       encoding = other->get_encoding(other);
+       if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
+       {
+               return FALSE;
+       }
        equal = chunk_equals(this->encoding, encoding);
        free(encoding.ptr);
        return equal;
@@ -504,7 +514,7 @@ static private_x509_pkcs10_t* create_empty(void)
        this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by;
        this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key;
        this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity;
-       this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding;
+       this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding;
        this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals;
        this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref;
        this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
index a280192..3f28b0a 100755 (executable)
@@ -501,11 +501,13 @@ int main(int argc, char **argv)
                }
 
                /* write the attribute certificate to file */
-               attr_chunk = attr_cert->get_encoding(attr_cert);
-               if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE))
+               if (attr_cert->get_encoding(attr_cert, CERT_ASN1_DER, &attr_chunk))
                {
-                       write_serial(serial);
-                       status = 0;
+                       if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE))
+                       {
+                               write_serial(serial);
+                               status = 0;
+                       }
                }
        }
        else
index 1e11b84..d6d26d5 100644 (file)
@@ -301,8 +301,7 @@ static int issue()
                error = "generating certificate failed";
                goto end;
        }
-       encoding = cert->get_encoding(cert);
-       if (!encoding.ptr)
+       if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
        {
                error = "encoding certificate failed";
                goto end;
index 8335f25..c983a32 100644 (file)
@@ -128,8 +128,7 @@ static int req()
                error = "generating certificate request failed";
                goto end;
        }
-       encoding = cert->get_encoding(cert);
-       if (!encoding.ptr)
+       if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
        {
                error = "encoding certificate request failed";
                goto end;
index f6fb570..aebd883 100644 (file)
@@ -193,8 +193,7 @@ static int self()
                error = "generating certificate failed";
                goto end;
        }
-       encoding = cert->get_encoding(cert);
-       if (!encoding.ptr)
+       if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
        {
                error = "encoding certificate failed";
                goto end;
index 95ce0b5..3d83392 100644 (file)
@@ -314,8 +314,7 @@ static int sign_crl()
                error = "generating CRL failed";
                goto error;
        }
-       encoding = crl->get_encoding(crl);
-       if (!encoding.ptr)
+       if (!crl->get_encoding(crl, CERT_ASN1_DER, &encoding))
        {
                error = "encoding CRL failed";
                goto error;
index e6a64bf..c8fb107 100644 (file)
@@ -202,9 +202,11 @@ bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl)
                snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_PATH, hex);
                free(hex.ptr);
 
-               encoding = cert_crl->get_encoding(cert_crl);
-               chunk_write(encoding, buf, "crl", 022, TRUE);
-               free(encoding.ptr);
+               if (cert_crl->get_encoding(cert_crl, CERT_ASN1_DER, &encoding))
+               {
+                       chunk_write(encoding, buf, "crl", 022, TRUE);
+                       free(encoding.ptr);
+               }
        }
 
        /* is the fetched crl valid? */
index f2a5de7..4a6a7c8 100644 (file)
@@ -3645,7 +3645,7 @@ stf_status main_inR2_outI3(struct msg_digest *md)
        }
        if (send_cert)
        {
-               bool success;
+               bool success = FALSE;
                chunk_t cert_encoding;
                pb_stream cert_pbs;
 
@@ -3657,9 +3657,12 @@ stf_status main_inR2_outI3(struct msg_digest *md)
                {
                        return STF_INTERNAL_ERROR;
                }
-               cert_encoding = mycert->cert->get_encoding(mycert->cert);
-               success = out_chunk(cert_encoding, &cert_pbs, "CERT");
-               free(cert_encoding.ptr);
+               if (mycert->cert->get_encoding(mycert->cert, CERT_ASN1_DER,
+                                                                          &cert_encoding))
+               {
+                       success = out_chunk(cert_encoding, &cert_pbs, "CERT");
+                       free(cert_encoding.ptr);
+               }
                if (!success)
                {
                        return STF_INTERNAL_ERROR;
@@ -4086,7 +4089,7 @@ main_inI3_outR3_tail(struct msg_digest *md
        }
        if (send_cert)
        {
-               bool success;
+               bool success = FALSE;
                chunk_t cert_encoding;
                pb_stream cert_pbs;
                struct isakmp_cert cert_hd;
@@ -4098,9 +4101,12 @@ main_inI3_outR3_tail(struct msg_digest *md
                {
                        return STF_INTERNAL_ERROR;
                }
-               cert_encoding = mycert->cert->get_encoding(mycert->cert);
-               success = out_chunk(cert_encoding, &cert_pbs, "CERT");
-               free(cert_encoding.ptr);
+               if (mycert->cert->get_encoding(mycert->cert, CERT_ASN1_DER,
+                                                                          &cert_encoding))
+               {
+                       success = out_chunk(cert_encoding, &cert_pbs, "CERT");
+                       free(cert_encoding.ptr);
+               }
                if (!success)
                {
                        return STF_INTERNAL_ERROR;
index b1f558e..8a351be 100644 (file)
@@ -621,7 +621,7 @@ void list_ocsp_locations(ocsp_location_t *location, bool requests,
                                }
                                else
                                {
-                                       whack_log(RC_COMMENT, "  serial:    %#B, %s, until %T %s", 
+                                       whack_log(RC_COMMENT, "  serial:    %#B, %s, until %T %s",
                                                &certinfo->serialNumber,
                                                cert_status_names[certinfo->status],
                                                &certinfo->nextUpdate, utc,
@@ -767,7 +767,7 @@ static chunk_t sc_build_sha1_signature(chunk_t tbs, smartcard_t *sc)
  */
 static chunk_t build_signature(chunk_t tbsRequest)
 {
-       chunk_t sigdata, cert, certs;
+       chunk_t sigdata, cert, certs = chunk_empty;
 
        if (ocsp_requestor_sc)
        {
@@ -786,10 +786,12 @@ static chunk_t build_signature(chunk_t tbsRequest)
        }
 
        /* include our certificate */
-       cert = ocsp_requestor_cert->cert->get_encoding(ocsp_requestor_cert->cert);
-       certs = asn1_wrap(ASN1_CONTEXT_C_0, "m",
-                               asn1_wrap(ASN1_SEQUENCE, "m", cert));
-
+       if (ocsp_requestor_cert->cert->get_encoding(ocsp_requestor_cert->cert,
+                                                                                               CERT_ASN1_DER, &cert))
+       {
+               certs = asn1_wrap(ASN1_CONTEXT_C_0, "m",
+                                       asn1_wrap(ASN1_SEQUENCE, "m", cert));
+       }
        /* build signature comprising algorithm, signature and cert */
        return asn1_wrap(ASN1_CONTEXT_C_0, "m"
                                , asn1_wrap(ASN1_SEQUENCE, "mmm"
@@ -1013,7 +1015,7 @@ static bool valid_ocsp_response(response_t *res)
                {
                        plog("certificate is invalid (valid from %T to %T)",
                                 &not_before, FALSE, &not_after, FALSE);
-                       
+
                        unlock_authcert_list("valid_ocsp_response");
                        return FALSE;
                }
@@ -1154,7 +1156,7 @@ static bool parse_basic_ocsp_response(chunk_t blob, int level0, response_t *res)
                                        break;
                                }
                                x509 = (x509_t*)cert->cert;
-                               
+
                                if ((x509->get_flags(x509) & X509_OCSP_SIGNER) &&
                                        trust_authcert_candidate(cert, NULL))
                                {
index b24ef1a..c0fd041 100644 (file)
@@ -591,7 +591,7 @@ chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
        contentInfo_t pkcs7Data, signedData;
        chunk_t authenticatedAttributes = chunk_empty;
        chunk_t encryptedDigest = chunk_empty;
-       chunk_t signerInfo, cInfo, signature;
+       chunk_t signerInfo, cInfo, signature, encoding = chunk_empty;;
        signature_scheme_t scheme = signature_scheme_from_oid(digest_alg);
 
        if (attributes.ptr)
@@ -622,12 +622,13 @@ chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
        pkcs7Data.content = (data.ptr == NULL)? chunk_empty
                                : asn1_simple_object(ASN1_OCTET_STRING, data);
 
+       cert->get_encoding(cert, CERT_ASN1_DER, &encoding);
        signedData.type = OID_PKCS7_SIGNED_DATA;
        signedData.content = asn1_wrap(ASN1_SEQUENCE, "cmmmm"
                                , ASN1_INTEGER_1
                                , asn1_wrap(ASN1_SET, "m", asn1_algorithmIdentifier(digest_alg))
                                , pkcs7_build_contentInfo(&pkcs7Data)
-                               , asn1_wrap(ASN1_CONTEXT_C_0, "m", cert->get_encoding(cert))
+                               , asn1_wrap(ASN1_CONTEXT_C_0, "m", encoding)
                                , asn1_wrap(ASN1_SET, "m", signerInfo));
 
        cInfo = pkcs7_build_contentInfo(&signedData);
index 2952b05..5c32bbd 100644 (file)
@@ -866,7 +866,7 @@ int main(int argc, char **argv)
                {
                        exit_scepclient("generating pkcs10 request failed");
                }
-               pkcs10_encoding = pkcs10_req->get_encoding(pkcs10_req);
+               pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding);
                fingerprint = scep_generate_pkcs10_fingerprint(pkcs10_encoding);
                plog("  fingerprint:    %s", fingerprint.ptr);
        }
@@ -941,8 +941,7 @@ int main(int argc, char **argv)
        {
                char *path = concatenate_paths(HOST_CERT_PATH, file_out_cert_self);
 
-               encoding = x509_signer->get_encoding(x509_signer);
-               if (!encoding.ptr)
+               if (!x509_signer->get_encoding(x509_signer, CERT_ASN1_DER, &encoding))
                {
                        exit_scepclient("encoding certificate failed");
                }
@@ -1138,8 +1137,8 @@ int main(int argc, char **argv)
                                {
                                        exit_scepclient("multiple certs received, only first stored");
                                }
-                               encoding = cert->get_encoding(cert);
-                               if (!chunk_write(encoding, path, "requested cert", 0022, force))
+                               if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
+                                       !chunk_write(encoding, path, "requested cert", 0022, force))
                                {
                                        exit_scepclient("could not write cert file '%s'", path);
                                }