--- /dev/null
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <daemon.h>
+#include <credentials/certificates/x509.h>
+
+/*******************************************************************************
+ * X509 certificate generation and parsing
+ ******************************************************************************/
+bool test_cert_x509()
+{
+ private_key_t *ca_key, *peer_key;
+ public_key_t *public;
+ certificate_t *ca_cert, *peer_cert, *parsed;
+ identification_t *issuer, *subject;
+ u_int32_t serial = htonl(0);
+ chunk_t encoding;
+
+ issuer = identification_create_from_string("CN=CA, OU=Test, O=strongSwan");
+ subject = identification_create_from_string("CN=Peer, OU=Test, O=strongSwan");
+
+ ca_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+ BUILD_KEY_SIZE, 1024, BUILD_END);
+ peer_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+ BUILD_KEY_SIZE, 1024, BUILD_END);
+ if (!ca_key)
+ {
+ return FALSE;
+ }
+ ca_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_SIGNING_KEY, ca_key,
+ BUILD_SUBJECT, issuer,
+ BUILD_SERIAL, chunk_from_thing(serial),
+ BUILD_X509_FLAG, X509_CA,
+ BUILD_END);
+ if (!ca_cert)
+ {
+ return FALSE;
+ }
+
+ encoding = ca_cert->get_encoding(ca_cert);
+ parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_BLOB_ASN1_DER, encoding,
+ BUILD_END);
+ chunk_free(&encoding);
+ if (!parsed)
+ {
+ return FALSE;
+ }
+ if (!parsed->issued_by(parsed, ca_cert))
+ {
+ return FALSE;
+ }
+ parsed->destroy(parsed);
+
+ serial = htonl(ntohl(serial) + 1);
+ public = peer_key->get_public_key(peer_key);
+ peer_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_SIGNING_KEY, ca_key,
+ BUILD_SIGNING_CERT, ca_cert,
+ BUILD_PUBLIC_KEY, public,
+ BUILD_SUBJECT, subject,
+ BUILD_SERIAL, chunk_from_thing(serial),
+ BUILD_END);
+ public->destroy(public);
+ if (!peer_cert)
+ {
+ return FALSE;
+ }
+
+ encoding = peer_cert->get_encoding(peer_cert);
+ parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_BLOB_ASN1_DER, encoding,
+ BUILD_END);
+ chunk_free(&encoding);
+ if (!parsed)
+ {
+ return FALSE;
+ }
+ if (!parsed->issued_by(parsed, ca_cert))
+ {
+ return FALSE;
+ }
+ parsed->destroy(parsed);
+
+ ca_cert->destroy(ca_cert);
+ ca_key->destroy(ca_key);
+ peer_cert->destroy(peer_cert);
+ peer_key->destroy(peer_key);
+ issuer->destroy(issuer);
+ subject->destroy(subject);
+ return TRUE;
+}
+
+
* Public interface for this certificate.
*/
x509_cert_t public;
-
+
/**
* X.509 certificate encoding in ASN.1 DER format
*/
* SHA1 hash of the DER encoding of this X.509 certificate
*/
chunk_t encoding_hash;
-
+
/**
* X.509 certificate body over which signature is computed
*/
* ID representing the certificate issuer
*/
identification_t *issuer;
-
+
/**
* Start time of certificate validity
*/
time_t notBefore;
-
+
/**
* End time of certificate validity
*/
time_t notAfter;
-
+
/**
* ID representing the certificate subject
*/
* List of crlDistributionPoints as allocated char*
*/
linked_list_t *crl_uris;
-
+
/**
* List ocspAccessLocations as identification_t
*/
linked_list_t *ocsp_uris;
-
+
/**
* certificates embedded public key
*/
* Subject Key Identifier
*/
chunk_t subjectKeyID;
-
+
/**
* Authority Key Identifier
*/
identification_t *authKeyIdentifier;
-
+
/**
* Authority Key Serial Number
*/
* x509 constraints and other flags
*/
x509_flag_t flags;
-
+
/**
* Signature algorithm
*/
int algorithm;
-
+
/**
* Signature
*/
chunk_t signature;
/**
+ * Certificate parsed from blob/file?
+ */
+ bool parsed;
+
+ /**
* reference count
*/
refcount_t ref;
}
}
success = parser->success(parser);
-
+
end:
parser->destroy(parser);
return success;
asn1_parser_t *parser;
chunk_t object;
int objectID ;
-
+
identification_t *gn = NULL;
-
+
parser = asn1_parser_create(generalNameObjects, blob);
parser->set_top_level(parser, level0);
-
+
while (parser->iterate(parser, &objectID, &object))
{
id_type_t id_type = ID_ANY;
-
+
switch (objectID)
{
case GN_OBJ_RFC822_NAME:
break;
case GN_OBJ_DIRECTORY_NAME:
id_type = ID_DER_ASN1_DN;
- break;
+ break;
case GN_OBJ_IP_ADDRESS:
id_type = ID_IPV4_ADDR;
break;
gn = identification_create_from_encoding(id_type, object);
DBG2(" '%D'", gn);
goto end;
- }
- }
-
+ }
+ }
+
end:
parser->destroy(parser);
- return gn;
+ return gn;
}
/**
asn1_parser_t *parser;
chunk_t object;
int objectID;
-
+
parser = asn1_parser_create(generalNamesObjects, blob);
parser->set_top_level(parser, level0);
parser->set_flags(parser, implicit, FALSE);
-
+
while (parser->iterate(parser, &objectID, &object))
{
if (objectID == GENERAL_NAMES_GN)
{
identification_t *gn = parse_generalName(object,
parser->get_level(parser)+1);
-
+
if (gn)
{
list->insert_last(list, (void *)gn);
chunk_t object;
int objectID;
identification_t *authKeyIdentifier = NULL;
-
+
*authKeySerialNumber = chunk_empty;
-
+
parser = asn1_parser_create(authKeyIdentifierObjects, blob);
parser->set_top_level(parser, level0);
-
+
while (parser->iterate(parser, &objectID, &object))
{
switch (objectID)
parser = asn1_parser_create(authInfoAccessObjects, blob);
parser->set_top_level(parser, level0);
-
+
while (parser->iterate(parser, &objectID, &object))
{
switch (objectID)
{
identification_t *id;
char *uri;
-
+
id = parse_generalName(object,
parser->get_level(parser)+1);
if (id == NULL)
break;
}
}
-
+
end:
parser->destroy(parser);
}
parser = asn1_parser_create(extendedKeyUsageObjects, blob);
parser->set_top_level(parser, level0);
-
+
while (parser->iterate(parser, &objectID, &object))
{
if (objectID == EXT_KEY_USAGE_PURPOSE_ID &&
parser = asn1_parser_create(crlDistributionPointsObjects, blob);
parser->set_top_level(parser, level0);
-
+
while (parser->iterate(parser, &objectID, &object))
{
if (objectID == CRL_DIST_POINTS_FULLNAME)
{
identification_t *id;
-
+
/* append extracted generalNames to existing chained list */
x509_parse_generalNames(object, parser->get_level(parser)+1,
TRUE, list);
while (list->remove_last(list, (void**)&id) == SUCCESS)
{
char *uri;
-
+
if (asprintf(&uri, "%D", id) > 0)
{
this->crl_uris->insert_last(this->crl_uris, uri);
bool critical;
parser = asn1_parser_create(certObjects, this->encoding);
-
+
while (parser->iterate(parser, &objectID, &object))
{
u_int level = parser->get_level(parser)+1;
-
+
switch (objectID)
{
case X509_OBJ_TBS_CERTIFICATE:
}
}
success = parser->success(parser);
-
+
end:
parser->destroy(parser);
return success;
{
return ID_MATCH_PERFECT;
}
-
+
best = this->subject->matches(this->subject, subject);
enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
while (enumerator->enumerate(enumerator, ¤t))
{
if (issuer->get_type(issuer) != CERT_X509)
{
+ POS;
return FALSE;
}
if (!(x509->get_flags(x509) & X509_CA))
{
+ POS;
return FALSE;
}
}
scheme = SIGN_ECDSA_WITH_SHA1;
break;
default:
+ POS;
return FALSE;
}
key = issuer->get_public_key(issuer);
if (key == NULL)
{
+ POS;
return FALSE;
}
/* TODO: add a lightweight check option (comparing auth/subject keyids only) */
{
time_t this_update, that_update, now = time(NULL);
bool new;
-
+
this->get_validity(this, &now, &this_update, NULL);
that->get_validity(that, &now, &that_update, NULL);
new = this_update > that_update;
{
chunk_t encoding;
bool equal;
-
+
if (this == (private_x509_cert_t*)other)
{
return TRUE;
DESTROY_IF(this->authKeyIdentifier);
chunk_free(&this->encoding);
chunk_free(&this->encoding_hash);
+ if (!this->parsed)
+ { /* only parsed certificates point these fields to "encoded" */
+ chunk_free(&this->signature);
+ chunk_free(&this->serialNumber);
+ chunk_free(&this->tbsCertificate);
+ }
free(this);
}
}
this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator;
this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator;
this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator;
-
+
this->encoding = chunk_empty;
this->encoding_hash = chunk_empty;
+ this->tbsCertificate = chunk_empty;
+ this->version = 3;
+ this->serialNumber = chunk_empty;
+ this->notBefore = 0;
+ this->notAfter = 0;
this->public_key = NULL;
this->subject = NULL;
this->issuer = NULL;
this->subjectKeyID = chunk_empty;
this->authKeyIdentifier = NULL;
this->authKeySerialNumber = chunk_empty;
+ this->algorithm = 0;
+ this->signature = chunk_empty;
this->flags = 0;
this->ref = 1;
-
+ this->parsed = FALSE;
+
return this;
}
*/
static private_x509_cert_t *create_from_chunk(chunk_t chunk)
{
+ hasher_t *hasher;
private_x509_cert_t *this = create_empty();
-
+
this->encoding = chunk;
if (!parse_certificate(this))
{
destroy(this);
return NULL;
}
-
+
/* check if the certificate is self-signed */
if (issued_by(this, &this->public.interface.interface))
{
this->flags |= X509_SELF_SIGNED;
}
- hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
if (hasher != NULL)
{
hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
DBG1(" unable to create hash of certificate, SHA1 not supported");
}
+ this->parsed = TRUE;
return this;
}
}
DBG1(" loaded certificate file '%s'", path);
return this;
-
}
typedef struct private_builder_t private_builder_t;
private_x509_cert_t *cert;
/** additional flags to enforce */
x509_flag_t flags;
+ /** certificate to sign, if we generate a new cert */
+ certificate_t *sign_cert;
+ /** private key to sign, if we generate a new cert */
+ private_key_t *sign_key;
};
/**
+ * Generate and sign a new certificate
+ */
+static bool generate(private_builder_t *this)
+{
+ chunk_t extensions = chunk_empty;
+ identification_t *issuer, *subject;
+ chunk_t key_info, key;
+ signature_scheme_t scheme;
+ hasher_t *hasher;
+
+ subject = this->cert->subject;
+ if (this->sign_cert)
+ {
+ issuer = this->sign_cert->get_subject(this->sign_cert);
+ if (!this->cert->public_key)
+ {
+ return FALSE;
+ }
+ }
+ else
+ { /* self signed */
+ issuer = subject;
+ if (!this->cert->public_key)
+ {
+ this->cert->public_key = this->sign_key->get_public_key(this->sign_key);
+ }
+ this->flags |= X509_SELF_SIGNED;
+ }
+ this->cert->issuer = issuer->clone(issuer);
+ if (!this->cert->notBefore)
+ {
+ this->cert->notBefore = time(NULL);
+ }
+ if (!this->cert->notAfter)
+ { /* defaults to 1 years from now on */
+ this->cert->notAfter = this->cert->notBefore + 60 * 60 * 24 * 365;
+ }
+ this->cert->flags = this->flags;
+
+ switch (this->sign_key->get_type(this->sign_key))
+ {
+ case KEY_RSA:
+ this->cert->algorithm = OID_SHA1_WITH_RSA;
+ scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+ break;
+ default:
+ return FALSE;
+ }
+
+ switch (this->cert->public_key->get_type(this->cert->public_key))
+ {
+ case KEY_RSA:
+ key = this->cert->public_key->get_encoding(this->cert->public_key);
+ key_info = asn1_wrap(ASN1_SEQUENCE, "cm",
+ asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+ asn1_bitstring("m", key));
+ break;
+ default:
+ return FALSE;
+ }
+
+ if (this->cert->subjectAltNames->get_count(this->cert->subjectAltNames))
+ {
+ /* TODO: encode subjectAltNames */
+ }
+
+ this->cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmccmcmm",
+ asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
+ asn1_simple_object(ASN1_INTEGER, this->cert->serialNumber),
+ asn1_algorithmIdentifier(this->cert->algorithm),
+ issuer->get_encoding(issuer),
+ asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_from_time(&this->cert->notBefore, ASN1_UTCTIME),
+ asn1_from_time(&this->cert->notAfter, ASN1_UTCTIME)),
+ subject->get_encoding(subject),
+ key_info, extensions);
+
+ if (!this->sign_key->sign(this->sign_key, scheme,
+ this->cert->tbsCertificate, &this->cert->signature))
+ {
+ return FALSE;
+ }
+ this->cert->encoding = asn1_wrap(ASN1_SEQUENCE, "ccm",
+ this->cert->tbsCertificate,
+ asn1_algorithmIdentifier(this->cert->algorithm),
+ asn1_bitstring("c", this->cert->signature));
+
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+ if (!hasher)
+ {
+ return FALSE;
+ }
+ hasher->allocate_hash(hasher, this->cert->encoding,
+ &this->cert->encoding_hash);
+ hasher->destroy(hasher);
+ return TRUE;
+}
+
+/**
* Implementation of builder_t.build
*/
static private_x509_cert_t *build(private_builder_t *this)
{
- private_x509_cert_t *cert = this->cert;
- x509_flag_t flags = this->flags;
-
+ private_x509_cert_t *cert;
+ x509_flag_t flags;
+
+ if (this->cert && !this->cert->encoding.ptr)
+ {
+ if (!this->sign_key || !this->cert ||
+ !generate(this))
+ {
+ destroy(this->cert);
+ free(this);
+ return NULL;
+ }
+ }
+ cert = this->cert;
+ flags = this->flags;
free(this);
if (cert == NULL)
{
return NULL;
}
+
if ((flags & X509_CA) && !(cert->flags & X509_CA))
{
DBG1(" ca certificate must have ca basic constraint set, discarded");
{
va_list args;
chunk_t chunk;
+ bool handled = TRUE;
va_start(args, part);
switch (part)
case BUILD_X509_FLAG:
this->flags = va_arg(args, x509_flag_t);
break;
+ case BUILD_SIGNING_KEY:
+ this->sign_key = va_arg(args, private_key_t*);
+ break;
+ case BUILD_SIGNING_CERT:
+ this->sign_cert = va_arg(args, certificate_t*);
+ break;
+ default:
+ /* all other parts need an empty cert */
+ if (!this->cert)
+ {
+ this->cert = create_empty();
+ }
+ handled = FALSE;
+ break;
+ }
+ if (handled)
+ {
+ va_end(args);
+ return;
+ }
+
+ switch (part)
+ {
+ case BUILD_PUBLIC_KEY:
+ {
+ public_key_t *key = va_arg(args, public_key_t*);
+ this->cert->public_key = key->get_ref(key);
+ break;
+ }
+ case BUILD_SUBJECT:
+ {
+ identification_t *id = va_arg(args, identification_t*);
+ this->cert->subject = id->clone(id);
+ break;
+ }
+ case BUILD_SUBJECT_ALTNAME:
+ {
+ identification_t *id = va_arg(args, identification_t*);
+ this->cert->subjectAltNames->insert_last(
+ this->cert->subjectAltNames, id->clone(id));
+ break;
+ }
+ case BUILD_NOT_BEFORE_TIME:
+ this->cert->notBefore = va_arg(args, time_t);
+ break;
+ case BUILD_NOT_AFTER_TIME:
+ this->cert->notAfter = va_arg(args, time_t);
+ break;
+ case BUILD_SERIAL:
+ {
+ chunk_t serial = va_arg(args, chunk_t);
+ this->cert->serialNumber = chunk_clone(serial);
+ break;
+ }
default:
/* abort if unsupported option */
if (this->cert)
this->cert = NULL;
this->flags = 0;
+ this->sign_cert = NULL;
+ this->sign_key = NULL;
this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
this->public.build = (void*(*)(builder_t *this))build;