started support of X.509 attribute certificates
authorAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 12 Apr 2007 17:49:33 +0000 (17:49 -0000)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 12 Apr 2007 17:49:33 +0000 (17:49 -0000)
src/charon/config/credentials/local_credential_store.c
src/charon/daemon.c
src/libstrongswan/Makefile.am
src/libstrongswan/credential_store.h
src/libstrongswan/crypto/ac.c [new file with mode: 0644]
src/libstrongswan/crypto/ac.h [new file with mode: 0644]
src/libstrongswan/crypto/ca.c

index b7b71b9..bee7fce 100644 (file)
@@ -32,6 +32,7 @@
 #include <crypto/certinfo.h>
 #include <crypto/x509.h>
 #include <crypto/ca.h>
+#include <crypto/ac.h>
 #include <crypto/crl.h>
 #include <asn1/ttodata.h>
 
@@ -103,24 +104,25 @@ static shared_key_t *shared_key_create(chunk_t secret)
   |                 | ca_info_t                |
   |                 +--------------------------+
 +---------------+   | char *name               |
-| x509_t        |<--| x509_t *cacert           |   +----------------------+
-+---------------+   | linked_list_t *certinfos |-->| certinfo_t           |
-| chunk_t keyid |   | linked_list_t *ocspuris  |   +----------------------+
-+---------------+   | crl_t *crl               |   | chunk_t serialNumber |
+| x509_t        |<--| x509_t *cacert           |
++---------------+   | linked_list_t *attrcerts |   +----------------------+
+| chunk_t keyid |   | linked_list_t *certinfos |-->| certinfo_t           |
++---------------+   | linked_list_t *ocspuris  |   +----------------------+
+  |                 | crl_t *crl               |   | chunk_t serialNumber |
   |                 | linked_list_t *crluris   |   | cert_status_t status |
-  |                 | pthread_mutex_t mutex    |   | time_t thisUpdate    |
-+---------------+   +--------------------------+   | time_t nextUpdate    |
-| x509_t        |                |                 | bool once            |
-+---------------+                |                 +----------------------+
-| chunk_t keyid |                |                   |
-+---------------+   +------------------------- +   +----------------------+
-  |                 | ca_info_t                |   | certinfo_t           |
-  |                 +--------------------------+   +----------------------+
-+---------------+   | char *name               |   | chunk_t serialNumber |
-| x509_t        |<--| x509_t *cacert           |   | cert_status_t status |
-+---------------+   | linked_list_t *certinfos |   | time_t thisUpdate    |
-| chunk_t keyid |   | linked_list_t *ocspuris  |   | time_t nextUpdate    |
-+---------------+   | crl_t *crl               |   | bool once            |
++---------------+   | pthread_mutex_t mutex    |   | time_t thisUpdate    |
+| x509_t        |   +--------------------------+   | time_t nextUpdate    |
++---------------+                |                 | bool once            |
+| chunk_t keyid |                |                 +----------------------+
++---------------+   +------------------------- +     |
+  |                 | ca_info_t                |   +----------------------+
+  |                 +--------------------------+   | certinfo_t           |
++---------------+   | char *name               |   +----------------------+
+| x509_t        |<--| x509_t *cacert           |   | chunk_t serialNumber |
++---------------+   | linked_list_t *attrcerts |   | cert_status_t status |
+| chunk_t keyid |   | linked_list_t *certinfos |   | time_t thisUpdate    |
++---------------+   | linked_list_t *ocspuris  |   | time_t nextUpdate    |
+  |                 | crl_t *crl               |   | bool once            |
   |                 | linked_list_t *crluris   |   +----------------------+
   |                 | pthread_mutex_t mutex;   |     |
   |                 +--------------------------+
@@ -886,12 +888,12 @@ static void load_auth_certificates(private_local_credential_store_t *this,
        struct stat stb;
        DIR* dir;
        
-       DBG1(DBG_CFG, "loading %s certificates from '%s/'", label, path);
+       DBG1(DBG_CFG, "loading %s certificates from '%s'", label, path);
 
        dir = opendir(path);
        if (dir == NULL)
        {
-               DBG1(DBG_CFG, "error opening %s certs directory %s'", label, path);
+               DBG1(DBG_CFG, "error opening %s certs directory '%s'", label, path);
                return;
        }
 
@@ -975,6 +977,74 @@ static void load_ca_certificates(private_local_credential_store_t *this)
 }
 
 /**
+ * Implements local_credential_store_t.load_aa_certificates
+ */
+static void load_aa_certificates(private_local_credential_store_t *this)
+{
+       load_auth_certificates(this, AUTH_AA, "aa", AA_CERTIFICATE_DIR);
+}
+
+/**
+ * Add a unique attribute certificate to a linked list
+ */
+static void add_attr_certificate(private_local_credential_store_t *this, x509ac_t *cert)
+{
+  /* TODO add a new attribute certificate to the linked list */
+}
+
+/**
+ * Implements local_credential_store_t.load_attr_certificates
+ */
+static void load_attr_certificates(private_local_credential_store_t *this)
+{
+       struct dirent* entry;
+       struct stat stb;
+       DIR* dir;
+
+       const char *path = ATTR_CERTIFICATE_DIR;
+       
+       DBG1(DBG_CFG, "loading attribute certificates from '%s'", path);
+
+       dir = opendir(ATTR_CERTIFICATE_DIR);
+       if (dir == NULL)
+       {
+               DBG1(DBG_CFG, "error opening attribute certs directory '%s'", path);
+               return;
+       }
+
+       while ((entry = readdir(dir)) != NULL)
+       {
+               char file[PATH_BUF];
+
+               snprintf(file, sizeof(file), "%s/%s", path, entry->d_name);
+               
+               if (stat(file, &stb) == -1)
+               {
+                       continue;
+               }
+               /* try to parse all regular files */
+               if (stb.st_mode & S_IFREG)
+               {
+                       x509ac_t *cert = x509ac_create_from_file(file);
+
+                       if (cert)
+                       {
+                               err_t ugh = cert->is_valid(cert, NULL);
+
+                               if (ugh != NULL)
+                               {
+                                       DBG1(DBG_CFG, "warning: attribute certificate %s", ugh);
+                               }
+                               add_attr_certificate(this, cert);
+                       }
+               }
+       }
+       closedir(dir);
+
+
+}
+
+/**
  * Implements local_credential_store_t.load_ocsp_certificates
  */
 static void load_ocsp_certificates(private_local_credential_store_t *this)
@@ -1027,12 +1097,12 @@ static void load_crls(private_local_credential_store_t *this)
        DIR* dir;
        crl_t *crl;
        
-       DBG1(DBG_CFG, "loading crls from '%s/'", CRL_DIR);
+       DBG1(DBG_CFG, "loading crls from '%s'", CRL_DIR);
 
        dir = opendir(CRL_DIR);
        if (dir == NULL)
        {
-               DBG1(DBG_CFG, "error opening crl directory %s'", CRL_DIR);
+               DBG1(DBG_CFG, "error opening crl directory '%s'", CRL_DIR);
                return;
        }
 
@@ -1345,6 +1415,8 @@ local_credential_store_t * local_credential_store_create(bool strict)
        this->public.credential_store.create_auth_cert_iterator = (iterator_t* (*) (credential_store_t*))create_auth_cert_iterator;
        this->public.credential_store.create_cainfo_iterator = (iterator_t* (*) (credential_store_t*))create_cainfo_iterator;
        this->public.credential_store.load_ca_certificates = (void (*) (credential_store_t*))load_ca_certificates;
+       this->public.credential_store.load_aa_certificates = (void (*) (credential_store_t*))load_aa_certificates;
+       this->public.credential_store.load_attr_certificates = (void (*) (credential_store_t*))load_attr_certificates;
        this->public.credential_store.load_ocsp_certificates = (void (*) (credential_store_t*))load_ocsp_certificates;
        this->public.credential_store.load_crls = (void (*) (credential_store_t*))load_crls;
        this->public.credential_store.load_secrets = (void (*) (credential_store_t*))load_secrets;
index 9640f1c..4754d31 100644 (file)
@@ -273,6 +273,8 @@ static void initialize(private_daemon_t *this, bool strict, bool syslog,
        /* load secrets, ca certificates and crls */
        credentials = this->public.credentials;
        credentials->load_ca_certificates(credentials);
+       credentials->load_aa_certificates(credentials);
+       credentials->load_attr_certificates(credentials);
        credentials->load_ocsp_certificates(credentials);
        credentials->load_crls(credentials);
        credentials->load_secrets(credentials);
index b103be1..292abc0 100644 (file)
@@ -11,6 +11,7 @@ asn1/asn1.c asn1/asn1.h \
 asn1/oid.c asn1/oid.h \
 asn1/pem.c asn1/pem.h \
 asn1/ttodata.c asn1/ttodata.h \
+crypto/ac.c crypto/ac.h \
 crypto/ca.c crypto/ca.h \
 crypto/certinfo.c crypto/certinfo.h \
 crypto/crl.c crypto/crl.h \
index 5d51981..65e692d 100755 (executable)
@@ -244,6 +244,24 @@ struct credential_store_t {
        void (*load_ca_certificates) (credential_store_t *this);
        
        /**
+        * @brief Loads authorization authority certificates from a default directory.
+        *
+        * Certificates in both DER and PEM format are accepted
+        *
+        * @param this          calling object
+        */
+       void (*load_aa_certificates) (credential_store_t *this);
+
+       /**
+        * @brief Loads attribute certificates from a default directory.
+        *
+        * Certificates in both DER and PEM format are accepted
+        *
+        * @param this          calling object
+        */
+       void (*load_attr_certificates) (credential_store_t *this);
+
+       /**
         * @brief Loads ocsp certificates from a default directory.
         *
         * Certificates in both DER and PEM format are accepted
diff --git a/src/libstrongswan/crypto/ac.c b/src/libstrongswan/crypto/ac.c
new file mode 100644 (file)
index 0000000..3104f9f
--- /dev/null
@@ -0,0 +1,357 @@
+/**
+ * @file ac.c
+ * 
+ * @brief Implementation of x509ac_t.
+ * 
+ */
+
+/* 
+ * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
+ * Copyright (C) 2003 Martin Berner, Lukas Suter
+ * Copyright (C) 2007 Andreas Steffen, Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <asn1/asn1.h>
+#include <utils/identification.h>
+#include <utils/linked_list.h>
+
+#include "ac.h"
+
+typedef struct private_x509ac_t private_x509ac_t;
+
+/**
+ * Private data of a x509ac_t object.
+ */
+struct private_x509ac_t {
+       /**
+        * Public interface for this attribute certificate.
+        */
+       x509ac_t public;
+
+       /**
+        * Time when attribute certificate was installed
+        */
+       time_t installed;
+
+       /**
+        * X.509 attribute certificate in DER format
+        */
+       chunk_t certificate;
+
+       /**
+        * X.509 attribute certificate body over which signature is computed
+        */
+       chunk_t certificateInfo;
+
+       /**
+        * Version of the X.509 attribute certificate
+        */
+       u_int version;
+
+       /**
+        * Serial number of the X.509 attribute certificate
+        */
+       chunk_t serialNumber;
+
+       /**
+        * ID representing the issuer of the holder certificate
+        */
+       identification_t *holderIssuer;
+
+       /**
+        * Serial number of the holder certificate
+        */
+       chunk_t holderSerial;
+
+       /**
+        * ID representing the holder
+        */
+       identification_t *entityName;
+       
+       /**
+        * ID representing the attribute certificate issuer
+        */
+       identification_t *issuerName;
+
+       /**
+        * Signature algorithm
+        */
+       int sigAlg;
+
+       /**
+        * Start time of certificate validity
+        */
+       time_t notBefore;
+
+       /**
+        * End time of certificate validity
+        */
+       time_t notAfter;
+
+       /**
+        * List of charging attributes
+        */
+       linked_list_t *charging;
+
+       /**
+        * List of groub attributes
+        */
+       linked_list_t *groups;
+
+       /**
+        * Authority Key Identifier
+        */
+       chunk_t authKeyID;
+
+       /**
+        * Authority Key Serial Number
+        */
+       chunk_t authKeySerialNumber;
+
+       /**
+        * No revocation information available
+        */
+       bool noRevAvail;
+
+       /**
+        * Signature algorithm (must be identical to sigAlg)
+        */
+       int algorithm;
+
+       /**
+        * Signature
+        */
+       chunk_t signature;
+};
+
+/**
+ * definition of ietfAttribute kinds
+ */
+typedef enum {
+       IETF_ATTRIBUTE_OCTETS = 0,
+       IETF_ATTRIBUTE_OID =    1,
+       IETF_ATTRIBUTE_STRING = 2
+} ietfAttribute_t;
+
+/**
+ * access structure for an ietfAttribute
+ */
+typedef struct ietfAttr ietfAttr_t;
+
+struct ietfAttr {
+       time_t installed;
+       int count;
+       ietfAttribute_t kind;
+       chunk_t value;
+};
+
+/**
+ * ASN.1 definition of ietfAttrSyntax
+ */
+static const asn1Object_t ietfAttrSyntaxObjects[] =
+{
+       { 0, "ietfAttrSyntax",          ASN1_SEQUENCE,          ASN1_NONE }, /*  0 */
+       { 1,   "policyAuthority",       ASN1_CONTEXT_C_0,       ASN1_OPT |
+                                                                                                       ASN1_BODY }, /*  1 */
+       { 1,   "end opt",                       ASN1_EOC,                       ASN1_END  }, /*  2 */
+       { 1,   "values",                        ASN1_SEQUENCE,          ASN1_LOOP }, /*  3 */
+       { 2,     "octets",                      ASN1_OCTET_STRING,      ASN1_OPT |
+                                                                                                       ASN1_BODY }, /*  4 */
+       { 2,     "end choice",          ASN1_EOC,                       ASN1_END  }, /*  5 */
+       { 2,     "oid",                         ASN1_OID,                       ASN1_OPT |
+                                                                                                       ASN1_BODY }, /*  6 */
+       { 2,     "end choice",          ASN1_EOC,                       ASN1_END  }, /*  7 */
+       { 2,     "string",                      ASN1_UTF8STRING,        ASN1_OPT |
+                                                                                                       ASN1_BODY }, /*  8 */
+       { 2,     "end choice",          ASN1_EOC,                       ASN1_END  }, /*  9 */
+       { 1,   "end loop",                      ASN1_EOC,                       ASN1_END  }  /* 10 */
+};
+
+#define IETF_ATTR_OCTETS        4
+#define IETF_ATTR_OID           6
+#define IETF_ATTR_STRING        8
+#define IETF_ATTR_ROOF         11
+
+/**
+ * ASN.1 definition of roleSyntax
+ */
+static const asn1Object_t roleSyntaxObjects[] =
+{
+       { 0, "roleSyntax",                      ASN1_SEQUENCE,          ASN1_NONE }, /*  0 */
+       { 1,   "roleAuthority",         ASN1_CONTEXT_C_0,       ASN1_OPT |
+                                                                                                       ASN1_OBJ  }, /*  1 */
+       { 1,   "end opt",                       ASN1_EOC,                       ASN1_END  }, /*  2 */
+       { 1,   "roleName",                      ASN1_CONTEXT_C_1,       ASN1_OBJ  }  /*  3 */
+};
+
+#define ROLE_ROOF              4
+
+/**
+ * ASN.1 definition of an X509 attribute certificate
+ */
+static const asn1Object_t acObjects[] =
+{
+       { 0, "AttributeCertificate",                    ASN1_SEQUENCE,            ASN1_OBJ  }, /*  0 */
+       { 1,   "AttributeCertificateInfo",              ASN1_SEQUENCE,            ASN1_OBJ  }, /*  1 */
+       { 2,       "version",                                   ASN1_INTEGER,             ASN1_DEF |
+                                                                                                                                 ASN1_BODY }, /*  2 */
+       { 2,       "holder",                                    ASN1_SEQUENCE,            ASN1_NONE }, /*  3 */
+       { 3,         "baseCertificateID",               ASN1_CONTEXT_C_0,         ASN1_OPT  }, /*  4 */
+       { 4,           "issuer",                                ASN1_SEQUENCE,            ASN1_OBJ  }, /*  5 */
+       { 4,           "serial",                                ASN1_INTEGER,             ASN1_BODY }, /*  6 */
+       { 4,         "issuerUID",                               ASN1_BIT_STRING,          ASN1_OPT |
+                                                                                                                                 ASN1_BODY }, /*  7 */
+       { 4,         "end opt",                                 ASN1_EOC,                         ASN1_END  }, /*  8 */
+       { 3,       "end opt",                                   ASN1_EOC,                         ASN1_END  }, /*  9 */
+       { 3,         "entityName",                              ASN1_CONTEXT_C_1,         ASN1_OPT |
+                                                                                                                                 ASN1_OBJ  }, /* 10 */
+       { 3,       "end opt",                                   ASN1_EOC,                         ASN1_END  }, /* 11 */
+       { 3,         "objectDigestInfo",                ASN1_CONTEXT_C_2,         ASN1_OPT  }, /* 12 */
+       { 4,           "digestedObjectType",    ASN1_ENUMERATED,          ASN1_BODY }, /* 13*/
+       { 4,           "otherObjectTypeID",             ASN1_OID,                         ASN1_OPT |
+                                                                                                                                 ASN1_BODY }, /* 14 */
+       { 4,         "end opt",                                 ASN1_EOC,                         ASN1_END  }, /* 15*/
+       { 4,         "digestAlgorithm",                 ASN1_EOC,                         ASN1_RAW  }, /* 16 */
+       { 3,       "end opt",                                   ASN1_EOC,                         ASN1_END  }, /* 17 */
+       { 2,       "v2Form",                                    ASN1_CONTEXT_C_0,         ASN1_NONE }, /* 18 */
+       { 3,         "issuerName",                              ASN1_SEQUENCE,            ASN1_OPT |
+                                                                                                                                 ASN1_OBJ  }, /* 19 */
+       { 3,       "end opt",                                   ASN1_EOC,                         ASN1_END  }, /* 20 */
+       { 3,         "baseCertificateID",               ASN1_CONTEXT_C_0,         ASN1_OPT  }, /* 21 */
+       { 4,           "issuerSerial",                  ASN1_SEQUENCE,            ASN1_NONE }, /* 22 */
+       { 5,             "issuer",                              ASN1_SEQUENCE,            ASN1_OBJ  }, /* 23 */
+       { 5,             "serial",                                      ASN1_INTEGER,             ASN1_BODY }, /* 24 */
+       { 5,           "issuerUID",                             ASN1_BIT_STRING,          ASN1_OPT |
+                                                                                                                                 ASN1_BODY }, /* 25 */
+       { 5,           "end opt",                               ASN1_EOC,                         ASN1_END  }, /* 26 */
+       { 3,       "end opt",                                   ASN1_EOC,                         ASN1_END  }, /* 27 */
+       { 3,       "objectDigestInfo",                  ASN1_CONTEXT_C_1,         ASN1_OPT  }, /* 28 */
+       { 4,           "digestInfo",                    ASN1_SEQUENCE,            ASN1_OBJ  }, /* 29 */
+       { 5,     "digestedObjectType",                  ASN1_ENUMERATED,          ASN1_BODY }, /* 30 */
+       { 5,             "otherObjectTypeID",           ASN1_OID,                         ASN1_OPT |
+                                                                                                                                 ASN1_BODY }, /* 31 */
+       { 5,           "end opt",                               ASN1_EOC,                         ASN1_END  }, /* 32 */
+       { 5,           "digestAlgorithm",               ASN1_EOC,                         ASN1_RAW  }, /* 33 */
+       { 3,       "end opt",                                   ASN1_EOC,                         ASN1_END  }, /* 34 */
+       { 2,       "signature",                                 ASN1_EOC,                         ASN1_RAW  }, /* 35 */
+       { 2,       "serialNumber",                              ASN1_INTEGER,             ASN1_BODY }, /* 36 */
+       { 2,       "attrCertValidityPeriod",    ASN1_SEQUENCE,            ASN1_NONE }, /* 37 */
+       { 3,         "notBeforeTime",                   ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */
+       { 3,         "notAfterTime",                    ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */
+       { 2,       "attributes",                                ASN1_SEQUENCE,            ASN1_LOOP }, /* 40 */
+       { 3,       "attribute",                                 ASN1_SEQUENCE,            ASN1_NONE }, /* 41 */
+       { 4,         "type",                                    ASN1_OID,                         ASN1_BODY }, /* 42 */
+       { 4,         "values",                                  ASN1_SET,                         ASN1_LOOP }, /* 43 */
+       { 5,           "value",                                 ASN1_EOC,                         ASN1_RAW  }, /* 44 */
+       { 4,           "end loop",                              ASN1_EOC,                         ASN1_END  }, /* 45 */
+       { 2,     "end loop",                                    ASN1_EOC,                         ASN1_END  }, /* 46 */
+       { 2,     "extensions",                                  ASN1_SEQUENCE,            ASN1_LOOP }, /* 47 */
+       { 3,       "extension",                                 ASN1_SEQUENCE,            ASN1_NONE }, /* 48 */
+       { 4,         "extnID",                                  ASN1_OID,                         ASN1_BODY }, /* 49 */
+       { 4,         "critical",                                ASN1_BOOLEAN,             ASN1_DEF |
+                                                                                                                                 ASN1_BODY }, /* 50 */
+       { 4,         "extnValue",                               ASN1_OCTET_STRING,        ASN1_BODY }, /* 51 */
+       { 2,     "end loop",                                    ASN1_EOC,                         ASN1_END  }, /* 52 */
+       { 1,   "signatureAlgorithm",                    ASN1_EOC,                         ASN1_RAW  }, /* 53 */
+       { 1,   "signatureValue",                                ASN1_BIT_STRING,          ASN1_BODY }  /* 54 */
+};
+
+#define AC_OBJ_CERTIFICATE                      0
+#define AC_OBJ_CERTIFICATE_INFO                 1
+#define AC_OBJ_VERSION                          2
+#define AC_OBJ_HOLDER_ISSUER            5
+#define AC_OBJ_HOLDER_SERIAL            6
+#define AC_OBJ_ENTITY_NAME                     10
+#define AC_OBJ_ISSUER_NAME                     19
+#define AC_OBJ_ISSUER                          23
+#define AC_OBJ_SIG_ALG                         35
+#define AC_OBJ_SERIAL_NUMBER           36
+#define AC_OBJ_NOT_BEFORE                      38
+#define AC_OBJ_NOT_AFTER                       39
+#define AC_OBJ_ATTRIBUTE_TYPE          42
+#define AC_OBJ_ATTRIBUTE_VALUE         44
+#define AC_OBJ_EXTN_ID                         49
+#define AC_OBJ_CRITICAL                                50
+#define AC_OBJ_EXTN_VALUE                      51
+#define AC_OBJ_ALGORITHM                       53
+#define AC_OBJ_SIGNATURE                       54
+#define AC_OBJ_ROOF                                    55
+
+/**
+ * Implements x509ac_t.is_valid
+ */
+static err_t is_valid(const private_x509ac_t *this, time_t *until)
+{
+       time_t current_time = time(NULL);
+       
+       DBG2("  not before  : %T", &this->notBefore);
+       DBG2("  current time: %T", &current_time);
+       DBG2("  not after   : %T", &this->notAfter);
+
+       if (until != NULL &&
+               (*until == UNDEFINED_TIME || this->notAfter < *until))
+       {
+               *until = this->notAfter;
+       }
+       if (current_time < this->notBefore)
+       {
+               return "is not valid yet";
+       }
+       if (current_time > this->notAfter)
+       {
+               return "has expired";
+       }
+       DBG2("  attribute certificate is valid");
+       return NULL;
+}
+
+/**
+ * Implements x509ac_t.destroy
+ */
+static void destroy(private_x509ac_t *this)
+{
+       free(this);
+}
+
+/*
+ * Described in header.
+ */
+x509ac_t *x509ac_create_from_chunk(chunk_t chunk)
+{
+       private_x509ac_t *this = malloc_thing(private_x509ac_t);
+       
+       /* initialize */
+}
+
+/*
+ * Described in header.
+ */
+x509ac_t *x509ac_create_from_file(const char *filename)
+{
+       bool pgp = FALSE;
+       chunk_t chunk = chunk_empty;
+       x509ac_t *cert = NULL;
+
+       if (!pem_asn1_load_file(filename, NULL, "attribute certificate", &chunk, &pgp))
+       {
+               return NULL;
+       }
+       cert = x509ac_create_from_chunk(chunk);
+
+       if (cert == NULL)
+       {
+               free(chunk.ptr);
+       }
+       return cert;
+}
+
diff --git a/src/libstrongswan/crypto/ac.h b/src/libstrongswan/crypto/ac.h
new file mode 100644 (file)
index 0000000..b7fd26c
--- /dev/null
@@ -0,0 +1,81 @@
+/**
+ * @file ac.h
+ * 
+ * @brief Interface of x509ac_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
+ * Copyright (C) 2003 Martin Berner, Lukas Suter
+ * Copyright (C) 2007 Andreas Steffen
+ *
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef AC_H_
+#define AC_H_
+
+typedef struct x509ac_t x509ac_t;
+
+/**
+ * @brief X.509 attribute certificate.
+ * 
+ * @b Constructors:
+ *  - x509ac_create_from_chunk()
+ *  - x509ac_create_from_file()
+ *
+ * @ingroup crypto
+ */
+struct x509ac_t {
+
+       /**
+        * @brief Checks the validity interval of the attribute certificate
+        * 
+        * @param this                  certificate being examined
+        * @param until                 until = min(until, notAfter)
+        * @return                              NULL if the certificate is valid
+        */
+       err_t (*is_valid) (const x509ac_t *this, time_t *until);
+
+       /**
+        * @brief Destroys the attribute certificate.
+        * 
+        * @param this                  certificate to destroy
+        */
+       void (*destroy) (x509ac_t *this);
+};
+
+/**
+ * @brief Read a x509 attribute certificate from a DER encoded blob.
+ * 
+ * @param chunk        chunk containing DER encoded data
+ * @return                     created x509ac_t certificate, or NULL if invalid.
+ * 
+ * @ingroup crypto
+ */
+x509ac_t *x509ac_create_from_chunk(chunk_t chunk);
+
+/**
+ * @brief Read a x509 attribute certificate from a DER encoded file.
+ * 
+ * @param filename     file containing DER encoded data
+ * @return                     created x509ac_t certificate, or NULL if invalid.
+ * 
+ * @ingroup crypto
+ */
+x509ac_t *x509ac_create_from_file(const char *filename);
+
+
+#endif /* AC_H_ */
+
index 8f39f08..f08dba0 100644 (file)
@@ -29,6 +29,7 @@
 #include "x509.h"
 #include "crl.h"
 #include "ca.h"
+#include "ac.h"
 #include "certinfo.h"
 #include "ocsp.h"
 
@@ -65,6 +66,11 @@ struct private_ca_info_t {
        x509_t *cacert;
        
        /**
+        * List of attribute certificates
+        */
+       linked_list_t *attrcerts;
+
+       /**
         * List of crl URIs
         */
        linked_list_t *crluris;
@@ -658,6 +664,8 @@ static void purge_ocsp(private_ca_info_t *this)
  */
 static void destroy(private_ca_info_t *this)
 {
+       this->attrcerts->destroy_offset(this->attrcerts,
+                                                                 offsetof(x509ac_t, destroy));
        this->crluris->destroy_offset(this->crluris,
                                                                  offsetof(identification_t, destroy));
        this->ocspuris->destroy_offset(this->ocspuris,
@@ -737,6 +745,7 @@ ca_info_t *ca_info_create(const char *name, x509_t *cacert)
        this->installed = time(NULL);
        this->name = (name == NULL)? NULL:strdup(name);
        this->cacert = cacert;
+       this->attrcerts = linked_list_create();
        this->crluris = linked_list_create();
        this->ocspuris = linked_list_create();
        this->certinfos = linked_list_create();