x509: Integrate IETF attribute handling, and obsolete ietf_attributes_t
authorMartin Willi <martin@revosec.ch>
Tue, 4 Feb 2014 15:11:37 +0000 (16:11 +0100)
committerMartin Willi <martin@revosec.ch>
Mon, 31 Mar 2014 09:14:58 +0000 (11:14 +0200)
The ietf_attributes_t class is used for attribute certificates only these days,
and integrating them to x509_ac_t simplifies things significantly.

src/libstrongswan/Android.mk
src/libstrongswan/Makefile.am
src/libstrongswan/credentials/certificates/ac.h
src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c [deleted file]
src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h [deleted file]
src/libstrongswan/plugins/x509/x509_ac.c

index 4409130..2b58db5 100644 (file)
@@ -20,7 +20,7 @@ credentials/keys/public_key.c credentials/keys/shared_key.c \
 credentials/certificates/certificate.c credentials/certificates/crl.c \
 credentials/certificates/ocsp_response.c \
 credentials/containers/container.c credentials/containers/pkcs12.c \
-credentials/ietf_attributes/ietf_attributes.c credentials/credential_manager.c \
+credentials/credential_manager.c \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
 credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
 credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \
index b3a4eda..50cac49 100644 (file)
@@ -18,7 +18,7 @@ credentials/keys/public_key.c credentials/keys/shared_key.c \
 credentials/certificates/certificate.c credentials/certificates/crl.c \
 credentials/certificates/ocsp_response.c \
 credentials/containers/container.c credentials/containers/pkcs12.c \
-credentials/ietf_attributes/ietf_attributes.c credentials/credential_manager.c \
+credentials/credential_manager.c \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
 credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
 credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \
@@ -61,7 +61,6 @@ credentials/certificates/ocsp_response.h \
 credentials/certificates/pgp_certificate.h \
 credentials/containers/container.h credentials/containers/pkcs7.h \
 credentials/containers/pkcs12.h \
-credentials/ietf_attributes/ietf_attributes.h \
 credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
 credentials/sets/ocsp_response_wrapper.h credentials/sets/cert_cache.h \
 credentials/sets/mem_cred.h credentials/sets/callback_cred.h \
index 1094cdc..9a3d8f0 100644 (file)
@@ -24,7 +24,6 @@
 
 #include <library.h>
 #include <credentials/certificates/certificate.h>
-#include <credentials/ietf_attributes/ietf_attributes.h>
 
 typedef struct ac_t ac_t;
 typedef enum ac_group_type_t ac_group_type_t;
diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
deleted file mode 100644 (file)
index 6efbfb7..0000000
+++ /dev/null
@@ -1,528 +0,0 @@
-/*
- * Copyright (C) 2007-2009 Andreas Steffen
- *
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <asn1/oid.h>
-#include <asn1/asn1.h>
-#include <asn1/asn1_parser.h>
-#include <collections/linked_list.h>
-#include <utils/lexparser.h>
-#include <credentials/certificates/ac.h>
-
-#include "ietf_attributes.h"
-
-typedef struct ietf_attr_t ietf_attr_t;
-
-/**
- * Private definition of an IETF attribute
- */
-struct ietf_attr_t {
-
-       /**
-        * IETF attribute type
-        */
-       ac_group_type_t type;
-
-       /**
-        * IETF attribute value
-        */
-       chunk_t value;
-};
-
-/**
- * Implements ietf_attr_t.compare.
- */
-static int ietf_attr_compare(ietf_attr_t *this, ietf_attr_t *other)
-{
-       int cmp_len, len, cmp_value;
-
-       /* OID attributes are appended after STRING and OCTETS attributes */
-       if (this->type != AC_GROUP_TYPE_OID && other->type == AC_GROUP_TYPE_OID)
-       {
-               return -1;
-       }
-       if (this->type == AC_GROUP_TYPE_OID && other->type != AC_GROUP_TYPE_OID)
-       {
-               return 1;
-       }
-
-       cmp_len = this->value.len - other->value.len;
-       len = (cmp_len < 0) ? this->value.len : other->value.len;
-       cmp_value = memcmp(this->value.ptr, other->value.ptr, len);
-
-       return (cmp_value == 0) ? cmp_len : cmp_value;
-}
-
-/**
- * Implements ietf_attr_t.destroy.
- */
-static void ietf_attr_destroy(ietf_attr_t *this)
-{
-       free(this->value.ptr);
-       free(this);
-}
-
-/**
- * Creates an ietf_attr_t object.
- */
-static ietf_attr_t* ietf_attr_create(ac_group_type_t type, chunk_t value)
-{
-       ietf_attr_t *this;
-
-       INIT(this,
-               .type = type,
-               .value = chunk_clone(value),
-       );
-
-       return this;
-}
-
-typedef struct private_ietf_attributes_t private_ietf_attributes_t;
-
-/**
- * Private data of an ietf_attributes_t object.
- */
-struct private_ietf_attributes_t {
-       /**
-        * Public interface.
-        */
-       ietf_attributes_t public;
-
-       /**
-        * Printable representation of the IETF attributes
-        */
-       char *string;
-
-       /**
-        * Linked list of IETF attributes.
-        */
-       linked_list_t *list;
-
-       /**
-        * reference count
-        */
-       refcount_t ref;
-};
-
-METHOD(ietf_attributes_t, get_string, char*,
-       private_ietf_attributes_t *this)
-{
-       if (this->string == NULL)
-       {
-               char buf[BUF_LEN];
-               char *pos = buf;
-               int len = BUF_LEN;
-               bool first = TRUE;
-               ietf_attr_t *attr;
-               enumerator_t *enumerator;
-
-               enumerator = this->list->create_enumerator(this->list);
-               while (enumerator->enumerate(enumerator, &attr))
-               {
-                       int written;
-
-                       if (first)
-                       {
-                               first = FALSE;
-                       }
-                       else
-                       {
-                               written = snprintf(pos, len, ", ");
-                               if (written < 0 || written >= len)
-                               {
-                                       break;
-                               }
-                               pos += written;
-                               len -= written;
-                       }
-
-                       switch (attr->type)
-                       {
-                               case AC_GROUP_TYPE_OCTETS:
-                               case AC_GROUP_TYPE_STRING:
-                                       written = snprintf(pos, len, "%.*s", (int)attr->value.len,
-                                                                                                                attr->value.ptr);
-                                       break;
-                               case AC_GROUP_TYPE_OID:
-                               {
-                                       int oid = asn1_known_oid(attr->value);
-
-                                       if (oid == OID_UNKNOWN)
-                                       {
-                                               written = snprintf(pos, len, "0x%#B", &attr->value);
-                                       }
-                                       else
-                                       {
-                                               written = snprintf(pos, len, "%s", oid_names[oid].name);
-                                       }
-                                       break;
-                               }
-                               default:
-                                       written = 0;
-                                       break;
-                       }
-                       if (written < 0 || written >= len)
-                       {
-                               break;
-                       }
-                       pos += written;
-                       len -= written;
-               }
-               enumerator->destroy(enumerator);
-               if (len < BUF_LEN)
-               {
-                       this->string = strdup(buf);
-               }
-       }
-       return this->string;
-}
-
-/**
- * Filter function for attribute enumeration
- */
-static bool attr_filter(void *null, ietf_attr_t **in, ac_group_type_t *type,
-                                               void *in2, chunk_t *out)
-{
-       *type = (*in)->type;
-       *out = (*in)->value;
-       return TRUE;
-}
-
-METHOD(ietf_attributes_t, create_enumerator, enumerator_t*,
-       private_ietf_attributes_t *this)
-{
-       return enumerator_create_filter(this->list->create_enumerator(this->list),
-                                                               (void*)attr_filter, NULL, NULL);
-}
-
-METHOD(ietf_attributes_t, get_encoding, chunk_t,
-       private_ietf_attributes_t *this)
-{
-       chunk_t values;
-       size_t size = 0;
-       u_char *pos;
-       ietf_attr_t *attr;
-       enumerator_t *enumerator;
-
-       /* precalculate the total size of all values */
-       enumerator = this->list->create_enumerator(this->list);
-       while (enumerator->enumerate(enumerator, &attr))
-       {
-               size_t len = attr->value.len;
-
-               size += 1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len;
-       }
-       enumerator->destroy(enumerator);
-
-       pos = asn1_build_object(&values, ASN1_SEQUENCE, size);
-
-       enumerator = this->list->create_enumerator(this->list);
-       while (enumerator->enumerate(enumerator, &attr))
-       {
-               chunk_t ietfAttribute;
-               asn1_t type = ASN1_NULL;
-
-               switch (attr->type)
-               {
-                       case AC_GROUP_TYPE_OCTETS:
-                               type = ASN1_OCTET_STRING;
-                               break;
-                       case AC_GROUP_TYPE_STRING:
-                               type = ASN1_UTF8STRING;
-                               break;
-                       case AC_GROUP_TYPE_OID:
-                               type = ASN1_OID;
-                               break;
-               }
-               ietfAttribute = asn1_simple_object(type, attr->value);
-
-               /* copy ietfAttribute into values chunk */
-               memcpy(pos, ietfAttribute.ptr, ietfAttribute.len);
-               pos += ietfAttribute.len;
-               free(ietfAttribute.ptr);
-       }
-       enumerator->destroy(enumerator);
-
-       return asn1_wrap(ASN1_SEQUENCE, "m", values);
-}
-
-/**
- * Implementation of ietf_attributes_t.equals.
- */
-static bool equals(private_ietf_attributes_t *this,
-                                  private_ietf_attributes_t *other)
-{
-        bool result = TRUE;
-
-       /* lists must have the same number of attributes */
-       if (other == NULL ||
-               this->list->get_count(this->list) != other->list->get_count(other->list))
-       {
-               return FALSE;
-       }
-
-       /* compare two alphabetically-sorted lists */
-       {
-               ietf_attr_t *attr_a, *attr_b;
-               enumerator_t *enum_a, *enum_b;
-
-               enum_a = this->list->create_enumerator(this->list);
-               enum_b = other->list->create_enumerator(other->list);
-               while (enum_a->enumerate(enum_a, &attr_a) &&
-                          enum_b->enumerate(enum_b, &attr_b))
-               {
-                       if (ietf_attr_compare(attr_a, attr_b) != 0)
-                       {
-                               /* we have a mismatch */
-                               result = FALSE;
-                               break;
-                       }
-               }
-               enum_a->destroy(enum_a);
-               enum_b->destroy(enum_b);
-       }
-       return result;
-}
-
-/**
- * Implementation of ietf_attributes_t.matches.
- */
-static bool matches(private_ietf_attributes_t *this,
-                                       private_ietf_attributes_t *other)
-{
-       bool result = FALSE;
-       ietf_attr_t *attr_a, *attr_b;
-       enumerator_t *enum_a, *enum_b;
-
-       /* always match if this->list does not contain any attributes */
-       if (this->list->get_count(this->list) == 0)
-       {
-               return TRUE;
-       }
-
-       /* never match if other->list does not contain any attributes */
-       if (other == NULL || other->list->get_count(other->list) == 0)
-       {
-               return FALSE;
-       }
-
-       /* get first attribute from both lists */
-       enum_a = this->list->create_enumerator(this->list);
-       enum_a->enumerate(enum_a, &attr_a);
-       enum_b = other->list->create_enumerator(other->list);
-       enum_b->enumerate(enum_b, &attr_b);
-
-       /* look for at least one common attribute */
-       while (TRUE)
-       {
-               int cmp;
-
-               cmp = ietf_attr_compare(attr_a, attr_b);
-               if (cmp == 0)
-               {
-                       /* we have a match */
-                       result = TRUE;
-                       break;
-               }
-               if (cmp == -1)
-               {
-                       /* attr_a is earlier in the alphabet, get next attr_a */
-                       if (!enum_a->enumerate(enum_a, &attr_a))
-                       {
-                               /* we have reached the end of enum_a */
-                               break;
-                       }
-               }
-               else
-               {
-                       /* attr_a is later in the alphabet, get next attr_b */
-                       if (!enum_b->enumerate(enum_b, &attr_b))
-                       {
-                               /* we have reached the end of enum_b */
-                               break;
-                       }
-               }
-       }
-       enum_a->destroy(enum_a);
-       enum_b->destroy(enum_b);
-
-       return result;
-}
-
-METHOD(ietf_attributes_t, get_ref, ietf_attributes_t*,
-       private_ietf_attributes_t *this)
-{
-       ref_get(&this->ref);
-       return &this->public;
-}
-
-METHOD(ietf_attributes_t, destroy, void,
-       private_ietf_attributes_t *this)
-{
-       if (ref_put(&this->ref))
-       {
-               this->list->destroy_function(this->list, (void*)ietf_attr_destroy);
-               free(this->string);
-               free(this);
-       }
-}
-
-static private_ietf_attributes_t* create_empty(void)
-{
-       private_ietf_attributes_t *this;
-
-       INIT(this,
-               .public = {
-                       .get_string = _get_string,
-                       .create_enumerator = _create_enumerator,
-                       .get_encoding = _get_encoding,
-                       .equals = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))equals,
-                       .matches = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))matches,
-                       .get_ref = _get_ref,
-                       .destroy = _destroy,
-               },
-               .list = linked_list_create(),
-               .ref = 1,
-       );
-
-       return this;
-}
-
-/**
- * Adds an ietf_attr_t object to a sorted linked list
- */
-static void ietf_attributes_add(private_ietf_attributes_t *this,
-                                                               ietf_attr_t *attr)
-{
-       ietf_attr_t *current_attr;
-       enumerator_t *enumerator;
-       int cmp = -1;
-
-       enumerator = this->list->create_enumerator(this->list);
-       while (enumerator->enumerate(enumerator, (void **)&current_attr) &&
-                 (cmp = ietf_attr_compare(attr, current_attr)) > 0)
-       {
-               continue;
-       }
-       if (cmp == 0)
-       {
-               ietf_attr_destroy(attr);
-       }
-       else
-       {       /* the enumerator either points to the end or to the attribute > attr */
-               this->list->insert_before(this->list, enumerator, attr);
-       }
-       enumerator->destroy(enumerator);
-}
-
-/*
- * Described in header.
- */
-ietf_attributes_t *ietf_attributes_create_from_string(char *string)
-{
-       private_ietf_attributes_t *this = create_empty();
-
-       chunk_t line = { string, strlen(string) };
-
-       while (eat_whitespace(&line))
-       {
-               chunk_t group;
-
-               /* extract the next comma-separated group attribute */
-               if (!extract_token(&group, ',', &line))
-               {
-                       group = line;
-                       line.len = 0;
-               }
-
-               /* remove any trailing spaces */
-               while (group.len > 0 && *(group.ptr + group.len - 1) == ' ')
-               {
-                       group.len--;
-               }
-
-               /* add the group attribute to the list */
-               if (group.len > 0)
-               {
-                       ietf_attr_t *attr = ietf_attr_create(AC_GROUP_TYPE_STRING, group);
-
-                       ietf_attributes_add(this, attr);
-               }
-       }
-
-       return &(this->public);
-}
-
-/**
- * ASN.1 definition of ietfAttrSyntax
- */
-static const asn1Object_t ietfAttrSyntaxObjects[] =
-{
-       { 0, "ietfAttrSyntax",          ASN1_SEQUENCE,          ASN1_NONE }, /*  0 */
-       { 1,   "policyAuthority",       ASN1_CONTEXT_C_0,       ASN1_OPT |
-                                                                                                       ASN1_BODY }, /*  1 */
-       { 1,   "end opt",                       ASN1_EOC,                       ASN1_END  }, /*  2 */
-       { 1,   "values",                        ASN1_SEQUENCE,          ASN1_LOOP }, /*  3 */
-       { 2,     "octets",                      ASN1_OCTET_STRING,      ASN1_OPT |
-                                                                                                       ASN1_BODY }, /*  4 */
-       { 2,     "end choice",          ASN1_EOC,                       ASN1_END  }, /*  5 */
-       { 2,     "oid",                         ASN1_OID,                       ASN1_OPT |
-                                                                                                       ASN1_BODY }, /*  6 */
-       { 2,     "end choice",          ASN1_EOC,                       ASN1_END  }, /*  7 */
-       { 2,     "string",                      ASN1_UTF8STRING,        ASN1_OPT |
-                                                                                                       ASN1_BODY }, /*  8 */
-       { 2,     "end choice",          ASN1_EOC,                       ASN1_END  }, /*  9 */
-       { 1,   "end loop",                      ASN1_EOC,                       ASN1_END  }, /* 10 */
-       { 0, "exit",                            ASN1_EOC,                       ASN1_EXIT }
-};
-#define IETF_ATTR_OCTETS        4
-#define IETF_ATTR_OID           6
-#define IETF_ATTR_STRING        8
-
-/*
- * Described in header.
- */
-ietf_attributes_t *ietf_attributes_create_from_encoding(chunk_t encoded)
-{
-       private_ietf_attributes_t *this = create_empty();
-       asn1_parser_t *parser;
-       chunk_t object;
-       int objectID;
-
-       parser = asn1_parser_create(ietfAttrSyntaxObjects, encoded);
-       while (parser->iterate(parser, &objectID, &object))
-       {
-               switch (objectID)
-               {
-                       case IETF_ATTR_OCTETS:
-                       case IETF_ATTR_OID:
-                       case IETF_ATTR_STRING:
-                               {
-                                       ac_group_type_t type;
-                                       ietf_attr_t *attr;
-
-                                       type = (objectID - IETF_ATTR_OCTETS) / 2;
-                                       attr = ietf_attr_create(type, object);
-                                       ietf_attributes_add(this, attr);
-                               }
-                               break;
-                       default:
-                               break;
-               }
-       }
-       parser->destroy(parser);
-
-       return &(this->public);
-}
diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h
deleted file mode 100644 (file)
index a34b23a..0000000
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (C) 2007-2009 Andreas Steffen
- *
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ietf_attributes ietf_attributes
- * @{ @ingroup credentials
- */
-
-#ifndef IETF_ATTRIBUTES_H_
-#define IETF_ATTRIBUTES_H_
-
-typedef struct ietf_attributes_t ietf_attributes_t;
-
-#include <library.h>
-
-/**
- *
- */
-struct ietf_attributes_t {
-
-       /**
-        * Get the an alphabetically sorted list of printable IETF attributes.
-        *
-        * Result points to internal data, do not free.
-        *
-        * @return                      a string containing printable attributes
-        */
-       char* (*get_string) (ietf_attributes_t *this);
-
-       /**
-        * Create an enumerator over attributes.
-        *
-        * @return                      enumerator over (ac_group_type_t, chunk_t)
-        */
-       enumerator_t* (*create_enumerator)(ietf_attributes_t *this);
-
-       /**
-        * Get the ASN.1 encoding of the IETF attributes.
-        *
-        * @return                      allocated chunk containing the encoded bytes
-        */
-       chunk_t (*get_encoding) (ietf_attributes_t *this);
-
-       /**
-        * Check for equality between two lists.
-        *
-        * @param other         attribute list to be checked for equality
-        * @return                      TRUE if equal
-        */
-       bool (*equals) (ietf_attributes_t *this, ietf_attributes_t *other);
-
-       /**
-        * Check for common attributes between two lists.
-        *
-        * @param other         attribute list to be matched
-        * @return                      TRUE if there is at least a common attribute
-        */
-       bool (*matches) (ietf_attributes_t *this, ietf_attributes_t *other);
-
-       /**
-        * Get a new reference to the IETF attributes.
-        *
-        * @return                      this, with an increased refcount
-        */
-       ietf_attributes_t* (*get_ref)(ietf_attributes_t *this);
-
-       /**
-        * Destroys an ietf_attributes_t object.
-        */
-       void (*destroy) (ietf_attributes_t *this);
-};
-
-/**
- * @param string       input string, which will be converted
- * @return                     ietf_attributes_t
- */
-ietf_attributes_t *ietf_attributes_create_from_string(char *string);
-
-/**
- * @param encoded      ASN.1 encoded bytes, such as from ietf_attributes.get_encoding
- * @return                     ietf_attributes_t
- */
-ietf_attributes_t *ietf_attributes_create_from_encoding(chunk_t encoded);
-
-#endif /** IETF_ATTRIBUTES_H_ @}*/
index 9845b21..410b2e5 100644 (file)
@@ -29,7 +29,6 @@
 #include <utils/identification.h>
 #include <collections/linked_list.h>
 #include <credentials/certificates/x509.h>
-#include <credentials/ietf_attributes/ietf_attributes.h>
 #include <credentials/keys/private_key.h>
 
 extern chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob,
@@ -98,9 +97,9 @@ struct private_x509_ac_t {
        time_t notAfter;
 
        /**
-        * List of groub attributes
+        * List of group attributes, as group_t
         */
-       ietf_attributes_t *groups;
+       linked_list_t *groups;
 
        /**
         * Authority Key Identifier
@@ -148,6 +147,25 @@ struct private_x509_ac_t {
        refcount_t ref;
 };
 
+/**
+ * Group definition, an IETF attribute
+ */
+typedef struct {
+       /** Attribute type */
+       ac_group_type_t type;
+       /* attribute value */
+       chunk_t value;
+} group_t;
+
+/**
+ * Clean up a group entry
+ */
+static void group_destroy(group_t *group)
+{
+       free(group->value.ptr);
+       free(group);
+}
+
 static chunk_t ASN1_noRevAvail_ext = chunk_from_chars(
        0x30, 0x09,
                  0x06, 0x03,
@@ -238,6 +256,74 @@ static void parse_roleSyntax(chunk_t blob, int level0)
 }
 
 /**
+ * ASN.1 definition of ietfAttrSyntax
+ */
+static const asn1Object_t ietfAttrSyntaxObjects[] =
+{
+       { 0, "ietfAttrSyntax",          ASN1_SEQUENCE,          ASN1_NONE }, /*  0 */
+       { 1,   "policyAuthority",       ASN1_CONTEXT_C_0,       ASN1_OPT |
+                                                                                                       ASN1_BODY }, /*  1 */
+       { 1,   "end opt",                       ASN1_EOC,                       ASN1_END  }, /*  2 */
+       { 1,   "values",                        ASN1_SEQUENCE,          ASN1_LOOP }, /*  3 */
+       { 2,     "octets",                      ASN1_OCTET_STRING,      ASN1_OPT |
+                                                                                                       ASN1_BODY }, /*  4 */
+       { 2,     "end choice",          ASN1_EOC,                       ASN1_END  }, /*  5 */
+       { 2,     "oid",                         ASN1_OID,                       ASN1_OPT |
+                                                                                                       ASN1_BODY }, /*  6 */
+       { 2,     "end choice",          ASN1_EOC,                       ASN1_END  }, /*  7 */
+       { 2,     "string",                      ASN1_UTF8STRING,        ASN1_OPT |
+                                                                                                       ASN1_BODY }, /*  8 */
+       { 2,     "end choice",          ASN1_EOC,                       ASN1_END  }, /*  9 */
+       { 1,   "end loop",                      ASN1_EOC,                       ASN1_END  }, /* 10 */
+       { 0, "exit",                            ASN1_EOC,                       ASN1_EXIT }
+};
+#define IETF_ATTR_OCTETS        4
+#define IETF_ATTR_OID           6
+#define IETF_ATTR_STRING        8
+
+/**
+ * Parse group memberships, IETF attributes
+ */
+static bool parse_groups(private_x509_ac_t *this, chunk_t encoded, int level0)
+{
+       ac_group_type_t type;
+       group_t *group;
+       asn1_parser_t *parser;
+       chunk_t object;
+       int objectID;
+       bool success;
+
+       parser = asn1_parser_create(ietfAttrSyntaxObjects, encoded);
+       parser->set_top_level(parser, level0);
+       while (parser->iterate(parser, &objectID, &object))
+       {
+               switch (objectID)
+               {
+                       case IETF_ATTR_OCTETS:
+                               type = AC_GROUP_TYPE_OCTETS;
+                               break;
+                       case IETF_ATTR_OID:
+                               type = AC_GROUP_TYPE_OID;
+                               break;
+                       case IETF_ATTR_STRING:
+                               type = AC_GROUP_TYPE_STRING;
+                               break;
+                       default:
+                               continue;
+               }
+               INIT(group,
+                       .type = type,
+                       .value = chunk_clone(object),
+               );
+               this->groups->insert_last(this->groups, group);
+       }
+       success = parser->success(parser);
+       parser->destroy(parser);
+
+       return success;
+}
+
+/**
  * ASN.1 definition of an X509 attribute certificate
  */
 static const asn1Object_t acObjects[] =
@@ -415,7 +501,10 @@ static bool parse_certificate(private_x509_ac_t *this)
                                                break;
                                        case OID_GROUP:
                                                DBG2(DBG_ASN, "-- > --");
-                                               this->groups = ietf_attributes_create_from_encoding(object);
+                                               if (!parse_groups(this, object, level))
+                                               {
+                                                       goto end;
+                                               }
                                                DBG2(DBG_ASN, "-- < --");
                                                break;
                                        case OID_ROLE:
@@ -545,9 +634,55 @@ static chunk_t build_attribute_type(int type, chunk_t content)
  */
 static chunk_t build_attributes(private_x509_ac_t *this)
 {
+       enumerator_t *enumerator;
+       group_t *group;
+       chunk_t values;
+       size_t size = 0, len;
+       u_char *pos;
+
+       /* precalculate the total size of all values */
+       enumerator = this->groups->create_enumerator(this->groups);
+       while (enumerator->enumerate(enumerator, &group))
+       {
+               len = group->value.len;
+               size += 1 + (len > 0) + (len >= 128) +
+                               (len >= 256) + (len >= 65536) + len;
+       }
+       enumerator->destroy(enumerator);
+
+       pos = asn1_build_object(&values, ASN1_SEQUENCE, size);
+
+       enumerator = this->groups->create_enumerator(this->groups);
+       while (enumerator->enumerate(enumerator, &group))
+       {
+               chunk_t attr;
+               asn1_t type;
+
+               switch (group->type)
+               {
+                       case AC_GROUP_TYPE_OCTETS:
+                               type = ASN1_OCTET_STRING;
+                               break;
+                       case AC_GROUP_TYPE_STRING:
+                               type = ASN1_UTF8STRING;
+                               break;
+                       case AC_GROUP_TYPE_OID:
+                               type = ASN1_OID;
+                               break;
+                       default:
+                               continue;
+               }
+               attr = asn1_simple_object(type, group->value);
+
+               memcpy(pos, attr.ptr, attr.len);
+               pos += attr.len;
+               free(attr.ptr);
+       }
+       enumerator->destroy(enumerator);
+
        return asn1_wrap(ASN1_SEQUENCE, "m",
-                                        build_attribute_type(OID_GROUP,
-                                               this->groups->get_encoding(this->groups)));
+                               build_attribute_type(OID_GROUP,
+                                       asn1_wrap(ASN1_SEQUENCE, "m", values)));
 }
 
 /**
@@ -655,10 +790,28 @@ METHOD(ac_t, get_authKeyIdentifier, chunk_t,
        return this->authKeyIdentifier;
 }
 
+/**
+ * Filter function for attribute enumeration
+ */
+static bool attr_filter(void *null, group_t **in, ac_group_type_t *type,
+                                               void *in2, chunk_t *out)
+{
+       if ((*in)->type == AC_GROUP_TYPE_STRING &&
+               !chunk_printable((*in)->value, NULL, 0))
+       {       /* skip non-printable strings */
+               return FALSE;
+       }
+       *type = (*in)->type;
+       *out = (*in)->value;
+       return TRUE;
+}
+
 METHOD(ac_t, create_group_enumerator, enumerator_t*,
        private_x509_ac_t *this)
 {
-       return this->groups->create_enumerator(this->groups);
+       return enumerator_create_filter(
+                                                       this->groups->create_enumerator(this->groups),
+                                                       (void*)attr_filter, NULL, NULL);
 }
 
 METHOD(certificate_t, get_type, certificate_type_t,
@@ -830,7 +983,7 @@ METHOD(certificate_t, destroy, void,
                DESTROY_IF(this->holderCert);
                DESTROY_IF(this->signerCert);
                DESTROY_IF(this->signerKey);
-               DESTROY_IF(this->groups);
+               this->groups->destroy_function(this->groups, (void*)group_destroy);
                free(this->serialNumber.ptr);
                free(this->authKeyIdentifier.ptr);
                free(this->encoding.ptr);
@@ -869,6 +1022,7 @@ static private_x509_ac_t *create_empty(void)
                                .create_group_enumerator = _create_group_enumerator,
                        },
                },
+               .groups = linked_list_create(),
                .ref = 1,
        );
 
@@ -911,6 +1065,27 @@ x509_ac_t *x509_ac_load(certificate_type_t type, va_list args)
 }
 
 /**
+ * Parse a comma separated group list into AC group memberships
+ */
+static void add_groups_from_string(private_x509_ac_t *this, char *str)
+{
+       enumerator_t *enumerator;
+       group_t *group;
+       char *name;
+
+       enumerator = enumerator_create_token(str, ",", " ");
+       while (enumerator->enumerate(enumerator, &name))
+       {
+               INIT(group,
+                       .type = AC_GROUP_TYPE_STRING,
+                       .value = chunk_clone(chunk_from_str(name)),
+               );
+               this->groups->insert_last(this->groups, group);
+       }
+       enumerator->destroy(enumerator);
+}
+
+/**
  * See header.
  */
 x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args)
@@ -932,7 +1107,7 @@ x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args)
                                ac->serialNumber = chunk_clone(va_arg(args, chunk_t));
                                continue;
                        case BUILD_IETF_GROUP_ATTR:
-                               ac->groups = ietf_attributes_create_from_string(va_arg(args, char*));
+                               add_groups_from_string(ac, va_arg(args, char*));
                                continue;
                        case BUILD_CERT:
                                ac->holderCert = va_arg(args, certificate_t*);