authorRene Mayrhofer <rene@mayrhofer.eu.org>2010-05-25 19:01:36 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2010-05-25 19:01:36 +0000
commit1ac70afcc1f7d6d2738a34308810719b0976d29f (patch)
tree805f6ce2a15d1a717781d7cbceac8408a74b6b0c /src/libstrongswan/plugins/x509/x509_cert.c
parented7d79f96177044949744da10f4431c1d6242241 (diff)
downloadvyos-strongswan-1ac70afcc1f7d6d2738a34308810719b0976d29f.tar.gz
vyos-strongswan-1ac70afcc1f7d6d2738a34308810719b0976d29f.zip
[svn-upgrade] Integrating new upstream version, strongswan (4.4.0)
Diffstat (limited to 'src/libstrongswan/plugins/x509/x509_cert.c')
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c78
1 files changed, 46 insertions, 32 deletions
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 3b729236e..bdbaa8d4a 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -219,7 +219,7 @@ static void parse_basicConstraints(chunk_t blob, int level0,
{
case BASIC_CONSTRAINTS_CA:
isCA = object.len && *object.ptr;
- DBG2(" %s", isCA ? "TRUE" : "FALSE");
+ DBG2(DBG_LIB, " %s", isCA ? "TRUE" : "FALSE");
if (isCA)
{
this->flags |= X509_CA;
@@ -383,7 +383,7 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
if (id_type != ID_ANY)
{
gn = identification_create_from_encoding(id_type, object);
- DBG2(" '%Y'", gn);
+ DBG2(DBG_LIB, " '%Y'", gn);
goto end;
}
}
@@ -539,7 +539,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
/* parsing went wrong - abort */
goto end;
}
- DBG2(" '%Y'", id);
+ DBG2(DBG_LIB, " '%Y'", id);
if (accessMethod == OID_OCSP &&
asprintf(&uri, "%Y", id) > 0)
{
@@ -704,34 +704,36 @@ static bool check_address_object(ts_type_t ts_type, chunk_t object)
case TS_IPV4_ADDR_RANGE:
if (object.len > 5)
{
- DBG1("IPv4 address object is larger than 5 octets");
+ DBG1(DBG_LIB, "IPv4 address object is larger than 5 octets");
return FALSE;
}
break;
case TS_IPV6_ADDR_RANGE:
if (object.len > 17)
{
- DBG1("IPv6 address object is larger than 17 octets");
+ DBG1(DBG_LIB, "IPv6 address object is larger than 17 octets");
return FALSE;
}
break;
default:
- DBG1("unknown address family");
+ DBG1(DBG_LIB, "unknown address family");
return FALSE;
}
if (object.len == 0)
{
- DBG1("An ASN.1 bit string must contain at least the initial octet");
+ DBG1(DBG_LIB, "An ASN.1 bit string must contain at least the "
+ "initial octet");
return FALSE;
}
if (object.len == 1 && object.ptr[0] != 0)
{
- DBG1("An empty ASN.1 bit string must contain a zero initial octet");
+ DBG1(DBG_LIB, "An empty ASN.1 bit string must contain a zero "
+ "initial octet");
return FALSE;
}
if (object.ptr[0] > 7)
{
- DBG1("number of unused bits is too large");
+ DBG1(DBG_LIB, "number of unused bits is too large");
return FALSE;
}
return TRUE;
@@ -769,11 +771,11 @@ static void parse_ipAddrBlocks(chunk_t blob, int level0,
{
break;
}
- DBG2(" %N", ts_type_name, ts_type);
+ DBG2(DBG_LIB, " %N", ts_type_name, ts_type);
}
break;
case IP_ADDR_BLOCKS_INHERIT:
- DBG1("inherit choice is not supported");
+ DBG1(DBG_LIB, "inherit choice is not supported");
break;
case IP_ADDR_BLOCKS_PREFIX:
if (!check_address_object(ts_type, object))
@@ -782,7 +784,7 @@ static void parse_ipAddrBlocks(chunk_t blob, int level0,
}
ts = traffic_selector_create_from_rfc3779_format(ts_type,
object, object);
- DBG2(" %R", ts);
+ DBG2(DBG_LIB, " %R", ts);
this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
break;
case IP_ADDR_BLOCKS_MIN:
@@ -799,7 +801,7 @@ static void parse_ipAddrBlocks(chunk_t blob, int level0,
}
ts = traffic_selector_create_from_rfc3779_format(ts_type,
min_object, object);
- DBG2(" %R", ts);
+ DBG2(DBG_LIB, " %R", ts);
this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
break;
default:
@@ -893,12 +895,12 @@ static bool parse_certificate(private_x509_cert_t *this)
this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
if (this->version < 1 || this->version > 3)
{
- DBG1("X.509v%d not supported", this->version);
+ DBG1(DBG_LIB, "X.509v%d not supported", this->version);
goto end;
}
else
{
- DBG2(" X.509v%d", this->version);
+ DBG2(DBG_LIB, " X.509v%d", this->version);
}
break;
case X509_OBJ_SERIAL_NUMBER:
@@ -909,7 +911,7 @@ static bool parse_certificate(private_x509_cert_t *this)
break;
case X509_OBJ_ISSUER:
this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
- DBG2(" '%Y'", this->issuer);
+ DBG2(DBG_LIB, " '%Y'", this->issuer);
break;
case X509_OBJ_NOT_BEFORE:
this->notBefore = asn1_parse_time(object, level);
@@ -919,13 +921,13 @@ static bool parse_certificate(private_x509_cert_t *this)
break;
case X509_OBJ_SUBJECT:
this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
- DBG2(" '%Y'", this->subject);
+ DBG2(DBG_LIB, " '%Y'", this->subject);
break;
case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
- DBG2("-- > --");
+ DBG2(DBG_LIB, "-- > --");
this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
- DBG2("-- < --");
+ DBG2(DBG_LIB, "-- < --");
if (this->public_key == NULL)
{
goto end;
@@ -934,7 +936,7 @@ static bool parse_certificate(private_x509_cert_t *this)
case X509_OBJ_OPTIONAL_EXTENSIONS:
if (this->version != 3)
{
- DBG1("Only X.509v3 certificates have extensions");
+ DBG1(DBG_LIB, "Only X.509v3 certificates have extensions");
goto end;
}
break;
@@ -943,7 +945,7 @@ static bool parse_certificate(private_x509_cert_t *this)
break;
case X509_OBJ_CRITICAL:
critical = object.len && *object.ptr;
- DBG2(" %s", critical ? "TRUE" : "FALSE");
+ DBG2(DBG_LIB, " %s", critical ? "TRUE" : "FALSE");
break;
case X509_OBJ_EXTN_VALUE:
{
@@ -974,6 +976,9 @@ static bool parse_certificate(private_x509_cert_t *this)
case OID_AUTHORITY_INFO_ACCESS:
parse_authorityInfoAccess(object, level, this);
break;
+ case OID_KEY_USAGE:
+ /* TODO parse the flags */
+ break;
case OID_EXTENDED_KEY_USAGE:
parse_extendedKeyUsage(object, level, this);
break;
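Review bot: The new `case OID_KEY_USAGE:` records nothing, so the keyUsage bits of a parsed certificate (keyCertSign, cRLSign and the rest) are never stored or enforced, while the same commit starts emitting this extension as critical in generate(). The hunk at @@ -994 appears to be this switch's default branch, which rejects an unsupported critical extension when enforce_critical is set; by matching the OID before that branch, a critical keyUsage extension now passes without that check even though it is not parsed. Until the TODO is done, make the gap explicit in the comment: `/* TODO parse the flags; keyUsage is currently accepted unparsed, so its restrictions (e.g. keyCertSign) are not enforced even when the extension is critical */`. parse_certificate starts and ends outside this hunk.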
@@ -994,7 +999,7 @@ static bool parse_certificate(private_x509_cert_t *this)
if (critical && lib->settings->get_bool(lib->settings,
"libstrongswan.plugins.x509.enforce_critical", FALSE))
{
- DBG1("critical %s extension not supported",
+ DBG1(DBG_LIB, "critical %s extension not supported",
(extn_oid == OID_UNKNOWN) ? "unknown" :
(char*)oid_names[extn_oid].name);
goto end;
@@ -1007,7 +1012,7 @@ static bool parse_certificate(private_x509_cert_t *this)
this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
if (this->algorithm != sig_alg)
{
- DBG1(" signature algorithms do not agree");
+ DBG1(DBG_LIB, " signature algorithms do not agree");
goto end;
}
break;
@@ -1035,7 +1040,7 @@ end:
hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
if (hasher == NULL)
{
- DBG1(" unable to create hash of certificate, SHA1 not supported");
+ DBG1(DBG_LIB, " unable to create hash of certificate, SHA1 not supported");
return NULL;
}
hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
@@ -1214,9 +1219,9 @@ static bool is_newer(certificate_t *this, certificate_t *that)
this->get_validity(this, &now, &this_update, NULL);
that->get_validity(that, &now, &that_update, NULL);
new = this_update > that_update;
- DBG1(" certificate from %T is %s - existing certificate from %T %s",
- &this_update, FALSE, new ? "newer":"not newer",
- &that_update, FALSE, new ? "replaced":"retained");
+ DBG1(DBG_LIB, " certificate from %T is %s - existing certificate "
+ "from %T %s", &this_update, FALSE, new ? "newer":"not newer",
+ &that_update, FALSE, new ? "replaced":"retained");
return new;
}
@@ -1453,7 +1458,7 @@ chunk_t x509_build_subjectAltNames(linked_list_t *list)
context = ASN1_CONTEXT_S_7;
break;
default:
- DBG1("encoding %N as subjectAltName not supported",
+ DBG1(DBG_LIB, "encoding %N as subjectAltName not supported",
id_type_names, id->get_type(id));
enumerator->destroy(enumerator);
free(subjectAltNames.ptr);
@@ -1481,7 +1486,9 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty;
chunk_t ocspSigning = chunk_empty;
- chunk_t basicConstraints = chunk_empty, subjectAltNames = chunk_empty;
+ chunk_t basicConstraints = chunk_empty;
+ chunk_t keyUsage = chunk_empty;
+ chunk_t subjectAltNames = chunk_empty;
chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
identification_t *issuer, *subject;
@@ -1583,7 +1590,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
asn1_wrap(ASN1_SEQUENCE, "m", authorityInfoAccess)));
}
- /* build CA basicConstraint for CA certificates */
+ /* build CA basicConstraint and keyUsage flags for CA certificates */
if (cert->flags & X509_CA)
{
chunk_t pathLenConstraint = chunk_empty;
@@ -1603,6 +1610,13 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
asn1_wrap(ASN1_BOOLEAN, "c",
chunk_from_chars(0xFF)),
pathLenConstraint)));
+ keyUsage = asn1_wrap(ASN1_SEQUENCE, "mmm",
+ asn1_build_known_oid(OID_KEY_USAGE),
+ asn1_wrap(ASN1_BOOLEAN, "c",
+ chunk_from_chars(0xFF)),
+ asn1_wrap(ASN1_OCTET_STRING, "m",
+ asn1_wrap(ASN1_BIT_STRING, "c",
+ chunk_from_chars(0x01, 0x06))));
}
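Review bot: The bit string `chunk_from_chars(0x01, 0x06)` on the last line of the added keyUsage block is a pair of magic bytes; a reader has to decode 0x01 as the DER unused-bit count and 0x06 as bit 5 (keyCertSign) and bit 6 (cRLSign) of the KeyUsage BIT STRING from RFC 5280 §4.2.1.3 to see what the CA certificate asserts. A comment on the `asn1_wrap(ASN1_BIT_STRING, ...)` line would carry that: `/* KeyUsage: keyCertSign | cRLSign; DER: 1 unused trailing bit */`. The extension is marked critical via the 0xFF BOOLEAN and is only built for certificates with X509_CA, so the wider extension sequence in the hunk at @@ -1663 stays consistent with the basicConstraints guard. generate() continues outside this hunk.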
/* add serverAuth extendedKeyUsage flag */
@@ -1663,8 +1677,8 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
crlDistributionPoints.ptr)
{
extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
- asn1_wrap(ASN1_SEQUENCE, "mmmmmmm",
- basicConstraints, subjectKeyIdentifier,
+ asn1_wrap(ASN1_SEQUENCE, "mmmmmmmm",
+ basicConstraints, keyUsage, subjectKeyIdentifier,
authKeyIdentifier, subjectAltNames,
extendedKeyUsage, crlDistributionPoints,
authorityInfoAccess));