diff options
Diffstat (limited to 'src/libstrongswan/credentials')
24 files changed, 1732 insertions, 331 deletions
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c index 701cbcde3..8be1c1576 100644 --- a/src/libstrongswan/credentials/builder.c +++ b/src/libstrongswan/credentials/builder.c @@ -17,36 +17,43 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END, "BUILD_FROM_FILE", + "BUILD_FROM_FD", "BUILD_AGENT_SOCKET", "BUILD_BLOB_ASN1_DER", - "BUILD_BLOB_ASN1_PEM", + "BUILD_BLOB_PEM", "BUILD_BLOB_PGP", - "BUILD_BLOB_RFC_3110", + "BUILD_BLOB_DNSKEY", + "BUILD_PASSPHRASE", + "BUILD_PASSPHRASE_CALLBACK", "BUILD_KEY_SIZE", "BUILD_SIGNING_KEY", "BUILD_SIGNING_CERT", "BUILD_PUBLIC_KEY", "BUILD_SUBJECT", - "BUILD_SUBJECT_ALTNAME", + "BUILD_SUBJECT_ALTNAMES", "BUILD_ISSUER", - "BUILD_ISSUER_ALTNAME", + "BUILD_ISSUER_ALTNAMES", "BUILD_NOT_BEFORE_TIME", "BUILD_NOT_AFTER_TIME", "BUILD_SERIAL", + "BUILD_DIGEST_ALG", "BUILD_IETF_GROUP_ATTR", "BUILD_CA_CERT", "BUILD_CERT", + "BUILD_CRL_DISTRIBUTION_POINTS", + "BUILD_OCSP_ACCESS_LOCATIONS", + "BUILD_PATHLEN", "BUILD_X509_FLAG", "BUILD_SMARTCARD_KEYID", "BUILD_SMARTCARD_PIN", + "BUILD_RSA_MODULUS", + "BUILD_RSA_PUB_EXP", + "BUILD_RSA_PRIV_EXP", + "BUILD_RSA_PRIME1", + "BUILD_RSA_PRIME2", + "BUILD_RSA_EXP1", + "BUILD_RSA_EXP2", + "BUILD_RSA_COEFF", "BUILD_END", ); -/** - * See header. - */ -void* builder_free(builder_t *this) -{ - free(this); - return NULL; -} diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h index 01ccf2a5c..62a6ffaaf 100644 --- a/src/libstrongswan/credentials/builder.h +++ b/src/libstrongswan/credentials/builder.h @@ -21,16 +21,21 @@ #ifndef BUILDER_H_ #define BUILDER_H_ -typedef struct builder_t builder_t; +#include <stdarg.h> + typedef enum builder_part_t builder_part_t; /** - * Constructor function which creates a new builder instance. + * Constructor function to build credentials. + * + * Any added parts are cloned/refcounted by the builder implementation, a + * caller may need to free the passed ressources themself. * - * @param subtype constructor specific subtype, e.g. certificate_type_t - * @return builder to construct a instance of type + * @param subtype constructor specific subtype, e.g. a certificate_type_t + * @param args list of builder part types, followed by parts, BUILD_END + * @return builder specific credential, NULL on error */ -typedef builder_t* (*builder_constructor_t)(int subtype); +typedef void* (*builder_function_t)(int subtype, va_list args); #include <library.h> @@ -38,18 +43,26 @@ typedef builder_t* (*builder_constructor_t)(int subtype); * Parts to build credentials from. */ enum builder_part_t { - /** path to a file containing an ASN.1 blob, char* */ + /** path to a file encoded in any format, char* */ BUILD_FROM_FILE, + /** file descriptor to read data, encoded in any format, int */ + BUILD_FROM_FD, /** unix socket of a ssh/pgp agent, char* */ BUILD_AGENT_SOCKET, /** DER encoded ASN.1 blob, chunk_t */ BUILD_BLOB_ASN1_DER, - /** PEM encoded ASN.1 blob, null terminated char* */ - BUILD_BLOB_ASN1_PEM, + /** PEM encoded ASN.1/PGP blob, chunk_t */ + BUILD_BLOB_PEM, /** OpenPGP key blob, chunk_t */ BUILD_BLOB_PGP, - /** RFC 3110 DNS public key blob, chunk_t */ - BUILD_BLOB_RFC_3110, + /** DNS public key blob (RFC 4034, RSA specifc RFC 3110), chunk_t */ + BUILD_BLOB_DNSKEY, + /** passphrase for e.g. PEM decryption, chunk_t */ + BUILD_PASSPHRASE, + /** passphrase callback, chunk_t(*fn)(void *user, int try), void *user. + * The callback is invoked until the returned passphrase is accepted, or + * a zero-length passphrase is returned. Try starts at 1. */ + BUILD_PASSPHRASE_CALLBACK, /** key size in bits, as used for key generation, u_int */ BUILD_KEY_SIZE, /** private key to use for signing, private_key_t* */ @@ -60,30 +73,54 @@ enum builder_part_t { BUILD_PUBLIC_KEY, /** subject for e.g. certificates, identification_t* */ BUILD_SUBJECT, - /** additional subject name, identification_t* */ - BUILD_SUBJECT_ALTNAME, + /** additional subject names, linked_list_t* containing identification_t* */ + BUILD_SUBJECT_ALTNAMES, /** issuer for e.g. certificates, identification_t* */ BUILD_ISSUER, - /** additional issuer name, identification_t* */ - BUILD_ISSUER_ALTNAME, + /** additional issuer names, linked_list_t* containing identification_t* */ + BUILD_ISSUER_ALTNAMES, /** notBefore, time_t* */ BUILD_NOT_BEFORE_TIME, /** notAfter, time_t* */ BUILD_NOT_AFTER_TIME, /** a serial number in binary form, chunk_t */ BUILD_SERIAL, + /** digest algorithm to be used for signature, int */ + BUILD_DIGEST_ALG, /** a comma-separated list of ietf group attributes, char* */ BUILD_IETF_GROUP_ATTR, /** a ca certificate, certificate_t* */ BUILD_CA_CERT, /** a certificate, certificate_t* */ BUILD_CERT, + /** CRL distribution point URIs, linked_list_t* containing char* */ + BUILD_CRL_DISTRIBUTION_POINTS, + /** OCSP AuthorityInfoAccess locations, linked_list_t* containing char* */ + BUILD_OCSP_ACCESS_LOCATIONS, + /** certificate path length constraint */ + BUILD_PATHLEN, /** enforce an additional X509 flag, x509_flag_t */ BUILD_X509_FLAG, /** key ID of a key on a smartcard, null terminated char* ([slot:]keyid) */ BUILD_SMARTCARD_KEYID, /** pin to access a key on a smartcard, null terminated char* */ BUILD_SMARTCARD_PIN, + /** modulus (n) of a RSA key, chunk_t */ + BUILD_RSA_MODULUS, + /** public exponent (e) of a RSA key, chunk_t */ + BUILD_RSA_PUB_EXP, + /** private exponent (d) of a RSA key, chunk_t */ + BUILD_RSA_PRIV_EXP, + /** prime 1 (p) of a RSA key (p < q), chunk_t */ + BUILD_RSA_PRIME1, + /** prime 2 (q) of a RSA key (p < q), chunk_t */ + BUILD_RSA_PRIME2, + /** exponent 1 (exp1) of a RSA key, chunk_t */ + BUILD_RSA_EXP1, + /** exponent 2 (exp1) of a RSA key, chunk_t */ + BUILD_RSA_EXP2, + /** coefficient (coeff) of a RSA key, chunk_t */ + BUILD_RSA_COEFF, /** end of variable argument builder list */ BUILD_END, }; @@ -93,44 +130,4 @@ enum builder_part_t { */ extern enum_name_t *builder_part_names; -/** - * Credential construction API. - * - * The builder allows the construction of credentials in a generic and - * flexible way. - */ -struct builder_t { - - /** - * Add a part to the construct. - * - * Any added parts are cloned/refcounted by the builder implementation, a - * caller may need to free the passed ressources themself. - * - * @param part kind of part - * @param ... part specific variable argument - */ - void (*add)(builder_t *this, builder_part_t part, ...); - - /** - * Build the construct with all supplied parts. - * - * Once build() is called, the builder gets destroyed. - * - * @return specific interface, as requested with constructor. - */ - void* (*build)(builder_t *this); -}; - -/** - * Helper macro to cancel a build in a builder - */ -#define builder_cancel(builder) { (builder)->add = (void*)nop; \ - (builder)->build = (void*)builder_free; } - -/** - * Helper function for a cancelled build. - */ -void* builder_free(builder_t *this); - #endif /** BUILDER_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/ac.h b/src/libstrongswan/credentials/certificates/ac.h index fb99b4756..fef7f8c65 100644 --- a/src/libstrongswan/credentials/certificates/ac.h +++ b/src/libstrongswan/credentials/certificates/ac.h @@ -1,9 +1,7 @@ /* - * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler - * Copyright (C) 2003 Martin Berner, Lukas Suter - * Copyright (C) 2002-2008 Andreas Steffen + * Copyright (C) 2002-2009 Andreas Steffen * - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -26,6 +24,7 @@ #include <library.h> #include <credentials/certificates/certificate.h> +#include <credentials/ietf_attributes/ietf_attributes.h> typedef struct ac_t ac_t; @@ -41,14 +40,14 @@ struct ac_t { * Implements the certificate_t interface */ certificate_t certificate; - + /** * Get the attribute certificate's serial number. * * @return chunk pointing to serialNumber */ chunk_t (*get_serial)(ac_t *this); - + /** * Get the serial number of the holder certificate. * @@ -64,11 +63,18 @@ struct ac_t { identification_t* (*get_holderIssuer)(ac_t *this); /** - * Get the thauthorityKeyIdentifier. + * Get the authorityKeyIdentifier. + * + * @return authKeyIdentifier as chunk_t, to internal data + */ + chunk_t (*get_authKeyIdentifier)(ac_t *this); + + /** + * Get the group memberships as a list of IETF attributes * - * @return authKeyIdentifier as identification_t* + * @return object containing a list of IETF attributes */ - identification_t* (*get_authKeyIdentifier)(ac_t *this); + ietf_attributes_t* (*get_groups)(ac_t *this); /** * @brief Checks if two attribute certificates belong to the same holder diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c index 041e2f1db..156d12358 100644 --- a/src/libstrongswan/credentials/certificates/certificate.c +++ b/src/libstrongswan/credentials/certificates/certificate.c @@ -17,16 +17,19 @@ #include <credentials/certificates/x509.h> -ENUM(certificate_type_names, CERT_ANY, CERT_PGP, +ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL, "ANY", "X509", "X509_CRL", "X509_OCSP_REQUEST", "X509_OCSP_RESPONSE", "X509_AC", - "X509_CHAIN", "TRUSTED_PUBKEY", + "PKCS10_REQUEST", "PGP", + "PLUTO_CERT", + "PLUTO_AC", + "PLUTO_CRL", ); ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED, diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h index 81fce5508..a4f9aa3e0 100644 --- a/src/libstrongswan/credentials/certificates/certificate.h +++ b/src/libstrongswan/credentials/certificates/certificate.h @@ -47,8 +47,14 @@ enum certificate_type_t { CERT_X509_AC, /** trusted, preinstalled public key */ CERT_TRUSTED_PUBKEY, + /** PKCS#10 certificate request */ + CERT_PKCS10_REQUEST, /** PGP certificate */ - CERT_PGP, + CERT_GPG, + /** Pluto cert_t (not a certificate_t), either x509 or PGP */ + CERT_PLUTO_CERT, + /** Pluto x509crl_t (not a certificate_t), certificate revocation list */ + CERT_PLUTO_CRL, }; /** @@ -82,7 +88,7 @@ extern enum_name_t *cert_validation_names; /** * An abstract certificate. * - * A certificate designs a subject-issuer relationship. It may have an + * A certificate designs a subject-issuer relationship. It may have an * associated public key. */ struct certificate_t { @@ -90,7 +96,7 @@ struct certificate_t { /** * Get the type of the certificate. * - * @return certifcate type + * @return certificate type */ certificate_type_t (*get_type)(certificate_t *this); @@ -100,7 +106,7 @@ struct certificate_t { * @return subject identity */ identification_t* (*get_subject)(certificate_t *this); - + /** * Check if certificate contains a subject ID. * @@ -111,14 +117,14 @@ struct certificate_t { * @return matching value of best match */ id_match_t (*has_subject)(certificate_t *this, identification_t *subject); - + /** * Get the issuer which signed this certificate. * * @return issuer identity */ identification_t* (*get_issuer)(certificate_t *this); - + /** * Check if certificate contains an issuer ID. * @@ -129,7 +135,7 @@ struct certificate_t { * @return matching value of best match */ id_match_t (*has_issuer)(certificate_t *this, identification_t *issuer); - + /** * Check if this certificate is issued and signed by a specific issuer. * @@ -137,14 +143,14 @@ struct certificate_t { * @return TRUE if certificate issued by issuer and trusted */ bool (*issued_by)(certificate_t *this, certificate_t *issuer); - + /** * Get the public key associated to this certificate. * * @return newly referenced public_key, NULL if none available */ public_key_t* (*get_public_key)(certificate_t *this); - + /** * Check the lifetime of the certificate. * @@ -155,21 +161,21 @@ struct certificate_t { */ bool (*get_validity)(certificate_t *this, time_t *when, time_t *not_before, time_t *not_after); - + /** * Is this newer than that? * * @return TRUE if newer, FALSE otherwise */ bool (*is_newer)(certificate_t *this, certificate_t *that); - + /** * Get the certificate in an encoded form. * * @return allocated chunk of encoded cert */ chunk_t (*get_encoding)(certificate_t *this); - + /** * Check if two certificates are equal. * @@ -177,18 +183,18 @@ struct certificate_t { * @return TRUE if certificates are equal */ bool (*equals)(certificate_t *this, certificate_t *other); - + /** * Get a new reference to the certificate. * - * @return this, with an increased refcount + * @return this, with an increased refcount */ certificate_t* (*get_ref)(certificate_t *this); - + /** - * Destroy a certificate. - */ - void (*destroy)(certificate_t *this); + * Destroy a certificate. + */ + void (*destroy)(certificate_t *this); }; #endif /** CERTIFICATE_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c index 0d6654075..085ad16cc 100644 --- a/src/libstrongswan/credentials/certificates/crl.c +++ b/src/libstrongswan/credentials/certificates/crl.c @@ -16,7 +16,7 @@ #include "crl.h" -ENUM(crl_reason_names, CRL_UNSPECIFIED, CRL_REMOVE_FROM_CRL, +ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL, "unspecified", "key compromise", "ca compromise", diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h index 3fef0d710..4b612390c 100644 --- a/src/libstrongswan/credentials/certificates/crl.h +++ b/src/libstrongswan/credentials/certificates/crl.h @@ -32,14 +32,14 @@ typedef enum crl_reason_t crl_reason_t; * RFC 2459 CRL reason codes */ enum crl_reason_t { - CRL_UNSPECIFIED = 0, - CRL_KEY_COMPROMISE = 1, - CRL_CA_COMPROMISE = 2, - CRL_AFFILIATION_CHANGED = 3, - CRL_SUPERSEDED = 4, - CRL_CESSATION_OF_OPERATON = 5, - CRL_CERTIFICATE_HOLD = 6, - CRL_REMOVE_FROM_CRL = 8, + CRL_REASON_UNSPECIFIED = 0, + CRL_REASON_KEY_COMPROMISE = 1, + CRL_REASON_CA_COMPROMISE = 2, + CRL_REASON_AFFILIATION_CHANGED = 3, + CRL_REASON_SUPERSEDED = 4, + CRL_REASON_CESSATION_OF_OPERATON = 5, + CRL_REASON_CERTIFICATE_HOLD = 6, + CRL_REASON_REMOVE_FROM_CRL = 8, }; /** @@ -56,21 +56,21 @@ struct crl_t { * Implements (parts of) the certificate_t interface */ certificate_t certificate; - + /** * Get the CRL serial number. * * @return chunk pointing to internal crlNumber */ chunk_t (*get_serial)(crl_t *this); - + /** * Get the the authorityKeyIdentifier. * - * @return authKeyIdentifier as identification_t* + * @return authKeyIdentifier chunk, point to internal data */ - identification_t* (*get_authKeyIdentifier)(crl_t *this); - + chunk_t (*get_authKeyIdentifier)(crl_t *this); + /** * Create an enumerator over all revoked certificates. * @@ -80,7 +80,7 @@ struct crl_t { * @return enumerator over revoked certificates. */ enumerator_t* (*create_enumerator)(crl_t *this); - + }; #endif /** CRL_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/ocsp_response.h b/src/libstrongswan/credentials/certificates/ocsp_response.h index a70f3eee4..157577458 100644 --- a/src/libstrongswan/credentials/certificates/ocsp_response.h +++ b/src/libstrongswan/credentials/certificates/ocsp_response.h @@ -28,7 +28,7 @@ typedef struct ocsp_response_t ocsp_response_t; typedef enum ocsp_status_t ocsp_status_t; /** - * OCSP response status + * OCSP response status */ enum ocsp_status_t { OCSP_SUCCESSFUL = 0, @@ -53,7 +53,7 @@ struct ocsp_response_t { * Implements certificiate_t interface */ certificate_t certificate; - + /** * Check the status of a certificate by this OCSP response. * @@ -65,18 +65,18 @@ struct ocsp_response_t { * @param next_update exptected time of next revocation list * @return certificate revocation status */ - cert_validation_t (*get_status)(ocsp_response_t *this, + cert_validation_t (*get_status)(ocsp_response_t *this, x509_t *subject, x509_t *issuer, time_t *revocation_time, crl_reason_t *revocation_reason, time_t *this_update, time_t *next_update); - + /** * Create an enumerator over the contained certificates. * * @return enumerator over certificate_t* */ - enumerator_t* (*create_cert_enumerator)(ocsp_response_t *this); + enumerator_t* (*create_cert_enumerator)(ocsp_response_t *this); }; #endif /** OCSP_RESPONSE_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/pgp_certificate.h b/src/libstrongswan/credentials/certificates/pgp_certificate.h new file mode 100644 index 000000000..94a31e14d --- /dev/null +++ b/src/libstrongswan/credentials/certificates/pgp_certificate.h @@ -0,0 +1,46 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pgp_certificate pgp_certificate + * @{ @ingroup certificates + */ + +#ifndef PGP_CERTIFICATE_H_ +#define PGP_CERTIFICATE_H_ + +#include <credentials/certificates/certificate.h> + +typedef struct pgp_certificate_t pgp_certificate_t; + +/** + * PGP certificate interface. + */ +struct pgp_certificate_t { + + /** + * Implements certificate_t. + */ + certificate_t interface; + + /** + * Get the v3 or v4 fingerprint of the PGP public key + * + * @return fingerprint as chunk_t, internal data + */ + chunk_t (*get_fingerprint)(pgp_certificate_t *this); +}; + +#endif /** PGP_CERTIFICATE_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/pkcs10.h b/src/libstrongswan/credentials/certificates/pkcs10.h new file mode 100644 index 000000000..9a4979757 --- /dev/null +++ b/src/libstrongswan/credentials/certificates/pkcs10.h @@ -0,0 +1,57 @@ +/* + * Copyright (C) 2009 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup req req + * @{ @ingroup certificates + */ + +#ifndef PKCS10_H_ +#define PKCS10_H_ + +#include <utils/enumerator.h> +#include <credentials/certificates/certificate.h> + +typedef struct pkcs10_t pkcs10_t; + +/** + * PKCS#10 certificate request interface. + * + * This interface adds additional methods to the certificate_t type to + * allow further operations on a certificate request. + */ +struct pkcs10_t { + + /** + * Implements certificate_t. + */ + certificate_t interface; + + /** + * Get the challenge password + * + * @return challenge password as a chunk_t + */ + chunk_t (*get_challengePassword)(pkcs10_t *this); + + /** + * Get. + * + * @return enumerator over subjectAltNames as identification_t* + */ + enumerator_t* (*create_subjectAltName_enumerator)(pkcs10_t *this); +}; + +#endif /** PKCS10_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c index 5d53f0c68..66dc192c1 100644 --- a/src/libstrongswan/credentials/certificates/x509.c +++ b/src/libstrongswan/credentials/certificates/x509.c @@ -15,10 +15,14 @@ #include "x509.h" -ENUM(x509_flag_names, X509_CA, X509_SELF_SIGNED, +ENUM(x509_flag_names, X509_NONE, X509_IP_ADDR_BLOCKS, + "X509_NONE", "X509_CA", "X509_AA", "X509_OCSP_SIGNER", + "X509_SERVER_AUTH", + "X509_CLIENT_AUTH", "X509_SELF_SIGNED", + "X509_IP_ADDR_BLOCKS", ); diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h index eedab78f7..172bd9696 100644 --- a/src/libstrongswan/credentials/certificates/x509.h +++ b/src/libstrongswan/credentials/certificates/x509.h @@ -24,6 +24,9 @@ #include <utils/enumerator.h> #include <credentials/certificates/certificate.h> +#define X509_NO_PATH_LEN_CONSTRAINT -1 +#define X509_MAX_PATH_LEN 7 + typedef struct x509_t x509_t; typedef enum x509_flag_t x509_flag_t; @@ -31,14 +34,22 @@ typedef enum x509_flag_t x509_flag_t; * X.509 certificate flags. */ enum x509_flag_t { + /** cert has no constraints */ + X509_NONE = 0, /** cert has CA constraint */ - X509_CA = (1<<0), + X509_CA = (1<<0), /** cert has AA constraint */ - X509_AA = (1<<1), + X509_AA = (1<<1), /** cert has OCSP signer constraint */ - X509_OCSP_SIGNER = (1<<2), + X509_OCSP_SIGNER = (1<<2), + /** cert has serverAuth key usage */ + X509_SERVER_AUTH = (1<<3), + /** cert has clientAuth key usage */ + X509_CLIENT_AUTH = (1<<4), /** cert is self-signed */ - X509_SELF_SIGNED = (1<<3), + X509_SELF_SIGNED = (1<<5), + /** cert has an ipAddrBlocks extension */ + X509_IP_ADDR_BLOCKS = (1<<6), }; /** @@ -58,48 +69,69 @@ struct x509_t { * Implements certificate_t. */ certificate_t interface; - + /** * Get the flags set for this certificate. * * @return set of flags */ x509_flag_t (*get_flags)(x509_t *this); - + /** * Get the certificate serial number. * * @return chunk pointing to internal serial number */ chunk_t (*get_serial)(x509_t *this); - + + /** + * Get the the subjectKeyIdentifier. + * + * @return subjectKeyIdentifier as chunk_t, internal data + */ + chunk_t (*get_subjectKeyIdentifier)(x509_t *this); + /** * Get the the authorityKeyIdentifier. * - * @return authKeyIdentifier as identification_t* + * @return authKeyIdentifier as chunk_t, internal data */ - identification_t* (*get_authKeyIdentifier)(x509_t *this); - + chunk_t (*get_authKeyIdentifier)(x509_t *this); + + /** + * Get an optional path length constraint. + * + * @return pathLenConstraint, -1 if no constraint exists + */ + int (*get_pathLenConstraint)(x509_t *this); + /** * Create an enumerator over all subjectAltNames. * * @return enumerator over subjectAltNames as identification_t* */ enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this); - + /** * Create an enumerator over all CRL URIs. * * @return enumerator over URIs as char* */ enumerator_t* (*create_crl_uri_enumerator)(x509_t *this); - + /** * Create an enumerator over all OCSP URIs. * * @return enumerator over URIs as char* */ enumerator_t* (*create_ocsp_uri_enumerator)(x509_t *this); + + /** + * Create an enumerator over all ipAddrBlocks. + * + * @return enumerator over ipAddrBlocks as traffic_selector_t* + */ + enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this); }; #endif /** X509_H_ @}*/ diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c index e55df0398..5139ad504 100644 --- a/src/libstrongswan/credentials/credential_factory.c +++ b/src/libstrongswan/credentials/credential_factory.c @@ -13,17 +13,21 @@ * for more details. */ +#include <stdint.h> + #include "credential_factory.h" #include <debug.h> #include <utils/linked_list.h> -#include <utils/mutex.h> +#include <threading/thread_value.h> +#include <threading/rwlock.h> #include <credentials/certificates/x509.h> ENUM(credential_type_names, CRED_PRIVATE_KEY, CRED_CERTIFICATE, "CRED_PRIVATE_KEY", "CRED_PUBLIC_KEY", "CRED_CERTIFICATE", + "CRED_PLUTO_CERT", ); typedef struct private_credential_factory_t private_credential_factory_t; @@ -37,12 +41,17 @@ struct private_credential_factory_t { * public functions */ credential_factory_t public; - + /** * list with entry_t */ linked_list_t *constructors; - + + /** + * Thread specific recursiveness counter + */ + thread_value_t *recursive; + /** * lock access to builders */ @@ -55,52 +64,19 @@ struct entry_t { credential_type_t type; /** subtype of credential, e.g. certificate_type_t */ int subtype; - /** builder construction function */ - builder_constructor_t constructor; + /** builder function */ + builder_function_t constructor; }; /** - * type/subtype filter function for builder_enumerator - */ -static bool builder_filter(entry_t *data, entry_t **in, builder_t **out) -{ - if (data->type == (*in)->type && - data->subtype == (*in)->subtype) - { - *out = (*in)->constructor(data->subtype); - return TRUE; - } - return FALSE; -} - -/** - * Implementation of credential_factory_t.create_builder_enumerator. - */ -static enumerator_t* create_builder_enumerator( - private_credential_factory_t *this, credential_type_t type, int subtype) -{ - entry_t *data = malloc_thing(entry_t); - - data->type = type; - data->subtype = subtype; - - this->lock->read_lock(this->lock); - return enumerator_create_cleaner( - enumerator_create_filter( - this->constructors->create_enumerator(this->constructors), - (void*)builder_filter, data, free), - (void*)this->lock->unlock, this->lock); -} - -/** * Implementation of credential_factory_t.add_builder_constructor. */ static void add_builder(private_credential_factory_t *this, credential_type_t type, int subtype, - builder_constructor_t constructor) + builder_function_t constructor) { entry_t *entry = malloc_thing(entry_t); - + entry->type = type; entry->subtype = subtype; entry->constructor = constructor; @@ -113,11 +89,11 @@ static void add_builder(private_credential_factory_t *this, * Implementation of credential_factory_t.remove_builder. */ static void remove_builder(private_credential_factory_t *this, - builder_constructor_t constructor) + builder_function_t constructor) { enumerator_t *enumerator; entry_t *entry; - + this->lock->write_lock(this->lock); enumerator = this->constructors->create_enumerator(this->constructors); while (enumerator->enumerate(enumerator, &entry)) @@ -139,73 +115,46 @@ static void* create(private_credential_factory_t *this, credential_type_t type, int subtype, ...) { enumerator_t *enumerator; - builder_t *builder; - builder_part_t part; + entry_t *entry; va_list args; - void* construct = NULL; - - enumerator = create_builder_enumerator(this, type, subtype); - while (enumerator->enumerate(enumerator, &builder)) + void *construct = NULL; + int failures = 0; + uintptr_t level; + + level = (uintptr_t)this->recursive->get(this->recursive); + this->recursive->set(this->recursive, (void*)level + 1); + + this->lock->read_lock(this->lock); + enumerator = this->constructors->create_enumerator(this->constructors); + while (enumerator->enumerate(enumerator, &entry)) { - va_start(args, subtype); - while (TRUE) + if (entry->type == type && entry->subtype == subtype) { - part = va_arg(args, builder_part_t); - switch (part) + va_start(args, subtype); + construct = entry->constructor(subtype, args); + va_end(args); + if (construct) { - case BUILD_END: - break; - case BUILD_BLOB_ASN1_DER: - case BUILD_BLOB_PGP: - case BUILD_BLOB_RFC_3110: - case BUILD_SERIAL: - builder->add(builder, part, va_arg(args, chunk_t)); - continue; - case BUILD_X509_FLAG: - builder->add(builder, part, va_arg(args, x509_flag_t)); - continue; - case BUILD_KEY_SIZE: - builder->add(builder, part, va_arg(args, u_int)); - continue; - case BUILD_NOT_BEFORE_TIME: - case BUILD_NOT_AFTER_TIME: - builder->add(builder, part, va_arg(args, time_t)); - continue; - case BUILD_BLOB_ASN1_PEM: - case BUILD_FROM_FILE: - case BUILD_AGENT_SOCKET: - case BUILD_SIGNING_KEY: - case BUILD_PUBLIC_KEY: - case BUILD_SUBJECT: - case BUILD_SUBJECT_ALTNAME: - case BUILD_ISSUER: - case BUILD_ISSUER_ALTNAME: - case BUILD_SIGNING_CERT: - case BUILD_CA_CERT: - case BUILD_CERT: - case BUILD_IETF_GROUP_ATTR: - case BUILD_SMARTCARD_KEYID: - case BUILD_SMARTCARD_PIN: - builder->add(builder, part, va_arg(args, void*)); - continue; - /* no default to get a compiler warning */ + break; } - break; - } - va_end(args); - - construct = builder->build(builder); - if (construct) - { - break; + failures++; } } enumerator->destroy(enumerator); - if (!construct) + this->lock->unlock(this->lock); + + if (!construct && !level) { - DBG1("failed to create a builder for credential type %N," - " subtype (%d)", credential_type_names, type, subtype); + enum_name_t *names = key_type_names; + + if (type == CRED_CERTIFICATE) + { + names = certificate_type_names; + } + DBG1("building %N - %N failed, tried %d builders", + credential_type_names, type, names, subtype, failures); } + this->recursive->set(this->recursive, (void*)level); return construct; } @@ -215,6 +164,7 @@ static void* create(private_credential_factory_t *this, credential_type_t type, static void destroy(private_credential_factory_t *this) { this->constructors->destroy_function(this->constructors, free); + this->recursive->destroy(this->recursive); this->lock->destroy(this->lock); free(this); } @@ -227,15 +177,14 @@ credential_factory_t *credential_factory_create() private_credential_factory_t *this = malloc_thing(private_credential_factory_t); this->public.create = (void*(*)(credential_factory_t*, credential_type_t type, int subtype, ...))create; - this->public.create_builder_enumerator = (enumerator_t*(*)(credential_factory_t*, credential_type_t type, int subtype))create_builder_enumerator; - this->public.add_builder = (void(*)(credential_factory_t*,credential_type_t type, int subtype, builder_constructor_t constructor))add_builder; - this->public.remove_builder = (void(*)(credential_factory_t*,builder_constructor_t constructor))remove_builder; + this->public.add_builder = (void(*)(credential_factory_t*,credential_type_t type, int subtype, builder_function_t constructor))add_builder; + this->public.remove_builder = (void(*)(credential_factory_t*,builder_function_t constructor))remove_builder; this->public.destroy = (void(*)(credential_factory_t*))destroy; - + this->constructors = linked_list_create(); - + this->recursive = thread_value_create(NULL); this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); - + return &this->public; } diff --git a/src/libstrongswan/credentials/credential_factory.h b/src/libstrongswan/credentials/credential_factory.h index 5057a7aae..e8ffb6b9d 100644 --- a/src/libstrongswan/credentials/credential_factory.h +++ b/src/libstrongswan/credentials/credential_factory.h @@ -47,13 +47,13 @@ extern enum_name_t *credential_type_names; * Manages credential construction functions and creates instances. */ struct credential_factory_t { - + /** * Create a credential using a list of builder_part_t's. * * The variable argument list takes builder_part_t types followed * by the type specific value. The list must be terminated using BUILD_END. - * All passed parts get cloned/refcounted by the builder implementations, + * All passed parts get cloned/refcounted by the builder functions, * so free up allocated ressources after successful and unsuccessful * invocations. * @@ -64,41 +64,28 @@ struct credential_factory_t { */ void* (*create)(credential_factory_t *this, credential_type_t type, int subtype, ...); - - /** - * Create an enumerator for a builder type. - * - * The build() method has to be called on each enumerated builder to - * cleanup associated ressources. - * - * @param type type of credentials the builder creates - * @param subtype type specific subtype, such as certificate_type_t - * @return enumerator over builder_t - */ - enumerator_t* (*create_builder_enumerator)(credential_factory_t *this, - credential_type_t type, int subtype); - + /** - * Register a builder_t constructor function. + * Register a credential builder function. * * @param type type of credential the builder creates * @param constructor builder constructor function to register */ void (*add_builder)(credential_factory_t *this, - credential_type_t type, int subtype, - builder_constructor_t constructor); + credential_type_t type, int subtype, + builder_function_t constructor); /** - * Unregister a builder_t constructor function. + * Unregister a credential builder function. * * @param constructor constructor function to unregister. */ - void (*remove_builder)(credential_factory_t *this, - builder_constructor_t constructor); - + void (*remove_builder)(credential_factory_t *this, + builder_function_t constructor); + /** - * Destroy a credential_factory instance. - */ - void (*destroy)(credential_factory_t *this); + * Destroy a credential_factory instance. + */ + void (*destroy)(credential_factory_t *this); }; /** diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c new file mode 100644 index 000000000..ff3ddeb6f --- /dev/null +++ b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c @@ -0,0 +1,533 @@ +/* + * Copyright (C) 2007-2009 Andreas Steffen + * + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <asn1/oid.h> +#include <asn1/asn1.h> +#include <asn1/asn1_parser.h> +#include <utils/linked_list.h> +#include <utils/lexparser.h> + +#include "ietf_attributes.h" + +/** + * Private definition of IETF attribute types + */ +typedef enum { + IETF_ATTRIBUTE_OCTETS = 0, + IETF_ATTRIBUTE_OID = 1, + IETF_ATTRIBUTE_STRING = 2 +} ietf_attribute_type_t; + +typedef struct ietf_attr_t ietf_attr_t; + +/** + * Private definition of an IETF attribute + */ +struct ietf_attr_t { + /** + * IETF attribute type + */ + ietf_attribute_type_t type; + + /** + * IETF attribute value + */ + chunk_t value; + + /** + * Compares two IETF attributes + * + * return -1 if this is earlier in the alphabet than other + * return 0 if this equals other + * return +1 if this is later in the alphabet than other + * + * @param other other object + */ + int (*compare) (ietf_attr_t *this, ietf_attr_t *other); + + /** + * Destroys an ietf_attr_t object. + */ + void (*destroy) (ietf_attr_t *this); +}; + +/** + * Implements ietf_attr_t.compare. + */ +static int ietf_attr_compare(ietf_attr_t *this, ietf_attr_t *other) +{ + int cmp_len, len, cmp_value; + + /* OID attributes are appended after STRING and OCTETS attributes */ + if (this->type != IETF_ATTRIBUTE_OID && other->type == IETF_ATTRIBUTE_OID) + { + return -1; + } + if (this->type == IETF_ATTRIBUTE_OID && other->type != IETF_ATTRIBUTE_OID) + { + return 1; + } + + cmp_len = this->value.len - other->value.len; + len = (cmp_len < 0) ? this->value.len : other->value.len; + cmp_value = memcmp(this->value.ptr, other->value.ptr, len); + + return (cmp_value == 0) ? cmp_len : cmp_value; +} + +/** + * Implements ietf_attr_t.destroy. + */ +static void ietf_attr_destroy(ietf_attr_t *this) +{ + free(this->value.ptr); + free(this); +} + +/** + * Creates an ietf_attr_t object. + */ +static ietf_attr_t* ietf_attr_create(ietf_attribute_type_t type, chunk_t value) +{ + ietf_attr_t *this = malloc_thing(ietf_attr_t); + + /* initialize */ + this->type = type; + this->value = chunk_clone(value); + + /* function */ + this->compare = ietf_attr_compare; + this->destroy = ietf_attr_destroy; + + return this; +} + +typedef struct private_ietf_attributes_t private_ietf_attributes_t; + +/** + * Private data of an ietf_attributes_t object. + */ +struct private_ietf_attributes_t { + /** + * Public interface. + */ + ietf_attributes_t public; + + /** + * Printable representation of the IETF attributes + */ + char *string; + + /** + * Linked list of IETF attributes. + */ + linked_list_t *list; + + /** + * reference count + */ + refcount_t ref; +}; + +/** + * Implementation of ietf_attributes_t.get_string. + */ +static char* get_string(private_ietf_attributes_t *this) +{ + if (this->string == NULL) + { + char buf[BUF_LEN]; + char *pos = buf; + int len = BUF_LEN; + bool first = TRUE; + ietf_attr_t *attr; + enumerator_t *enumerator; + + enumerator = this->list->create_enumerator(this->list); + while (enumerator->enumerate(enumerator, &attr)) + { + int written = 0; + + if (first) + { + first = FALSE; + } + else + { + written = snprintf(pos, len, ", "); + pos += written; + len -= written; + } + + switch (attr->type) + { + case IETF_ATTRIBUTE_OCTETS: + case IETF_ATTRIBUTE_STRING: + written = snprintf(pos, len, "%.*s", (int)attr->value.len, + attr->value.ptr); + break; + case IETF_ATTRIBUTE_OID: + { + int oid = asn1_known_oid(attr->value); + + if (oid == OID_UNKNOWN) + { + written = snprintf(pos, len, "0x#B", &attr->value); + } + else + { + written = snprintf(pos, len, "%s", oid_names[oid]); + } + break; + } + default: + break; + } + pos += written; + len -= written; + } + enumerator->destroy(enumerator); + if (len < BUF_LEN) + { + this->string = strdup(buf); + } + } + return this->string; +} + +/** + * Implementation of ietf_attributes_t.get_encoding. + */ +static chunk_t get_encoding(private_ietf_attributes_t *this) +{ + chunk_t values; + size_t size = 0; + u_char *pos; + ietf_attr_t *attr; + enumerator_t *enumerator; + + /* precalculate the total size of all values */ + enumerator = this->list->create_enumerator(this->list); + while (enumerator->enumerate(enumerator, &attr)) + { + size_t len = attr->value.len; + + size += 1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len; + } + enumerator->destroy(enumerator); + + pos = asn1_build_object(&values, ASN1_SEQUENCE, size); + + enumerator = this->list->create_enumerator(this->list); + while (enumerator->enumerate(enumerator, &attr)) + { + chunk_t ietfAttribute; + asn1_t type = ASN1_NULL; + + switch (attr->type) + { + case IETF_ATTRIBUTE_OCTETS: + type = ASN1_OCTET_STRING; + break; + case IETF_ATTRIBUTE_STRING: + type = ASN1_UTF8STRING; + break; + case IETF_ATTRIBUTE_OID: + type = ASN1_OID; + break; + } + ietfAttribute = asn1_simple_object(type, attr->value); + + /* copy ietfAttribute into values chunk */ + memcpy(pos, ietfAttribute.ptr, ietfAttribute.len); + pos += ietfAttribute.len; + free(ietfAttribute.ptr); + } + enumerator->destroy(enumerator); + + return asn1_wrap(ASN1_SEQUENCE, "m", values); +} + +static bool equals(private_ietf_attributes_t *this, private_ietf_attributes_t *other) +{ + bool result = TRUE; + + /* lists must have the same number of attributes */ + if (other == NULL || + this->list->get_count(this->list) != other->list->get_count(other->list)) + { + return FALSE; + } + + /* compare two alphabetically-sorted lists */ + { + ietf_attr_t *attr_a, *attr_b; + enumerator_t *enum_a, *enum_b; + + enum_a = this->list->create_enumerator(this->list); + enum_b = other->list->create_enumerator(other->list); + while (enum_a->enumerate(enum_a, &attr_a) && + enum_b->enumerate(enum_b, &attr_b)) + { + if (attr_a->compare(attr_a, attr_b) != 0) + { + /* we have a mismatch */ + result = FALSE; + break; + } + } + enum_a->destroy(enum_a); + enum_b->destroy(enum_b); + } + return result; +} + +static bool matches(private_ietf_attributes_t *this, private_ietf_attributes_t *other) +{ + bool result = FALSE; + ietf_attr_t *attr_a, *attr_b; + enumerator_t *enum_a, *enum_b; + + /* always match if this->list does not contain any attributes */ + if (this->list->get_count(this->list) == 0) + { + return TRUE; + } + + /* never match if other->list does not contain any attributes */ + if (other == NULL || other->list->get_count(other->list) == 0) + { + return FALSE; + } + + /* get first attribute from both lists */ + enum_a = this->list->create_enumerator(this->list); + enum_a->enumerate(enum_a, &attr_a); + enum_b = other->list->create_enumerator(other->list); + enum_b->enumerate(enum_b, &attr_b); + + /* look for at least one common attribute */ + while (TRUE) + { + bool cmp = attr_a->compare(attr_a, attr_b); + + if (cmp == 0) + { + /* we have a match */ + result = TRUE; + break; + } + if (cmp == -1) + { + /* attr_a is earlier in the alphabet, get next attr_a */ + if (!enum_a->enumerate(enum_a, &attr_a)) + { + /* we have reached the end of enum_a */ + break; + } + } + else + { + /* attr_a is later in the alphabet, get next attr_b */ + if (!enum_b->enumerate(enum_b, &attr_b)) + { + /* we have reached the end of enum_b */ + break; + } + } + } + enum_a->destroy(enum_a); + enum_b->destroy(enum_b); + + return result; +} + +/** + * Implementation of ietf_attributes_t.get_ref + */ +static private_ietf_attributes_t* get_ref(private_ietf_attributes_t *this) +{ + ref_get(&this->ref); + return this; +} + +/** + * Implementation of ietf_attributes_t.destroy. + */ +static void destroy(private_ietf_attributes_t *this) +{ + if (ref_put(&this->ref)) + { + this->list->destroy_offset(this->list, offsetof(ietf_attr_t, destroy)); + free(this->string); + free(this); + } +} + +static private_ietf_attributes_t* create_empty(void) +{ + private_ietf_attributes_t *this = malloc_thing(private_ietf_attributes_t); + + this->public.get_string = (char* (*)(ietf_attributes_t*))get_string; + this->public.get_encoding = (chunk_t (*)(ietf_attributes_t*))get_encoding; + this->public.equals = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))equals; + this->public.matches = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))matches; + this->public.get_ref = (ietf_attributes_t* (*)(ietf_attributes_t*))get_ref; + this->public.destroy = (void (*)(ietf_attributes_t*))destroy; + + this->list = linked_list_create(); + this->string = NULL; + this->ref = 1; + return this; +} + +/** + * Adds an ietf_attr_t object to a sorted linked list + */ +static void ietf_attributes_add(private_ietf_attributes_t *this, + ietf_attr_t *attr) +{ + ietf_attr_t *current_attr; + bool found = FALSE; + iterator_t *iterator; + + iterator = this->list->create_iterator(this->list, TRUE); + while (iterator->iterate(iterator, (void **)¤t_attr)) + { + int cmp = attr->compare(attr, current_attr); + + if (cmp > 0) + { + continue; + } + if (cmp == 0) + { + attr->destroy(attr); + } + else + { + iterator->insert_before(iterator, attr); + } + found = TRUE; + break; + } + iterator->destroy(iterator); + if (!found) + { + this->list->insert_last(this->list, attr); + } +} + +/* + * Described in header. + */ +ietf_attributes_t *ietf_attributes_create_from_string(char *string) +{ + private_ietf_attributes_t *this = create_empty(); + + chunk_t line = { string, strlen(string) }; + + while (eat_whitespace(&line)) + { + chunk_t group; + + /* extract the next comma-separated group attribute */ + if (!extract_token(&group, ',', &line)) + { + group = line; + line.len = 0; + } + + /* remove any trailing spaces */ + while (group.len > 0 && *(group.ptr + group.len - 1) == ' ') + { + group.len--; + } + + /* add the group attribute to the list */ + if (group.len > 0) + { + ietf_attr_t *attr = ietf_attr_create(IETF_ATTRIBUTE_STRING, group); + + ietf_attributes_add(this, attr); + } + } + + return &(this->public); +} + +/** + * ASN.1 definition of ietfAttrSyntax + */ +static const asn1Object_t ietfAttrSyntaxObjects[] = +{ + { 0, "ietfAttrSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ + { 1, "policyAuthority", ASN1_CONTEXT_C_0, ASN1_OPT | + ASN1_BODY }, /* 1 */ + { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */ + { 1, "values", ASN1_SEQUENCE, ASN1_LOOP }, /* 3 */ + { 2, "octets", ASN1_OCTET_STRING, ASN1_OPT | + ASN1_BODY }, /* 4 */ + { 2, "end choice", ASN1_EOC, ASN1_END }, /* 5 */ + { 2, "oid", ASN1_OID, ASN1_OPT | + ASN1_BODY }, /* 6 */ + { 2, "end choice", ASN1_EOC, ASN1_END }, /* 7 */ + { 2, "string", ASN1_UTF8STRING, ASN1_OPT | + ASN1_BODY }, /* 8 */ + { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */ + { 1, "end loop", ASN1_EOC, ASN1_END }, /* 10 */ + { 0, "exit", ASN1_EOC, ASN1_EXIT } +}; +#define IETF_ATTR_OCTETS 4 +#define IETF_ATTR_OID 6 +#define IETF_ATTR_STRING 8 + +/* + * Described in header. + */ +ietf_attributes_t *ietf_attributes_create_from_encoding(chunk_t encoded) +{ + private_ietf_attributes_t *this = create_empty(); + asn1_parser_t *parser; + chunk_t object; + int objectID; + + parser = asn1_parser_create(ietfAttrSyntaxObjects, encoded); + while (parser->iterate(parser, &objectID, &object)) + { + switch (objectID) + { + case IETF_ATTR_OCTETS: + case IETF_ATTR_OID: + case IETF_ATTR_STRING: + { + ietf_attribute_type_t type; + ietf_attr_t *attr; + + type = (objectID - IETF_ATTR_OCTETS) / 2; + attr = ietf_attr_create(type, object); + ietf_attributes_add(this, attr); + } + break; + default: + break; + } + } + parser->destroy(parser); + + return &(this->public); +} + diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h new file mode 100644 index 000000000..ab6bae984 --- /dev/null +++ b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h @@ -0,0 +1,92 @@ +/* + * Copyright (C) 2007-2009 Andreas Steffen + * + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ietf_attributes ietf_attributes + * @{ @ingroup credentials + */ + +#ifndef IETF_ATTRIBUTES_H_ +#define IETF_ATTRIBUTES_H_ + +typedef struct ietf_attributes_t ietf_attributes_t; + +#include <library.h> + +/** + * + */ +struct ietf_attributes_t { + + /** + * Get the an alphabetically sorted list of printable IETF attributes. + * + * Result points to internal data, do not free. + * + * @return a string containing printable attributes + */ + char* (*get_string) (ietf_attributes_t *this); + + /** + * Get the ASN.1 encoding of the IETF attributes. + * + * @return allocated chunk containing the encoded bytes + */ + chunk_t (*get_encoding) (ietf_attributes_t *this); + + /** + * Check for equality between two lists. + * + * @param other attribute list to be checked for equality + * @return TRUE if equal + */ + bool (*equals) (ietf_attributes_t *this, ietf_attributes_t *other); + + /** + * Check for common attributes between two lists. + * + * @param other attribute list to be matched + * @return TRUE if there is at least a common attribute + */ + bool (*matches) (ietf_attributes_t *this, ietf_attributes_t *other); + + /** + * Get a new reference to the IETF attributes. + * + * @return this, with an increased refcount + */ + ietf_attributes_t* (*get_ref)(ietf_attributes_t *this); + + /** + * Destroys an ietf_attributes_t object. + */ + void (*destroy) (ietf_attributes_t *this); +}; + +/** + * @param string input string, which will be converted + * @return ietf_attributes_t + */ +ietf_attributes_t *ietf_attributes_create_from_string(char *string); + +/** + * @param encoded ASN.1 encoded bytes, such as from ietf_attributes.get_encoding + * @return ietf_attributes_t + */ +ietf_attributes_t *ietf_attributes_create_from_encoding(chunk_t encoded); + +#endif /** IETF_ATTRIBUTES_H_ @}*/ + diff --git a/src/libstrongswan/credentials/keys/key_encoding.c b/src/libstrongswan/credentials/keys/key_encoding.c new file mode 100644 index 000000000..89b25226c --- /dev/null +++ b/src/libstrongswan/credentials/keys/key_encoding.c @@ -0,0 +1,299 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "key_encoding.h" + +#include <stdint.h> + +#include <utils/linked_list.h> +#include <utils/hashtable.h> +#include <threading/rwlock.h> + +typedef struct private_key_encoding_t private_key_encoding_t; + +/** + * Private data of an key_encoding_t object. + */ +struct private_key_encoding_t { + + /** + * Public key_encoding_t interface. + */ + key_encoding_t public; + + /** + * cached encodings, a table for each encoding_type_t, containing chunk_t* + */ + hashtable_t *cache[KEY_ENCODING_MAX]; + + /** + * Registered encoding fuctions, key_encoder_t + */ + linked_list_t *encoders; + + /** + * lock to access cache/encoders + */ + rwlock_t *lock; +}; + +/** + * See header. + */ +bool key_encoding_args(va_list args, ...) +{ + va_list parts, copy; + bool failed = FALSE; + + va_start(parts, args); + + while (!failed) + { + key_encoding_part_t current, target; + chunk_t *out, data; + + /* get the part we are looking for */ + target = va_arg(parts, key_encoding_part_t); + if (target == KEY_PART_END) + { + break; + } + out = va_arg(parts, chunk_t*); + + va_copy(copy, args); + while (!failed) + { + current = va_arg(copy, key_encoding_part_t); + if (current == KEY_PART_END) + { + failed = TRUE; + break; + } + data = va_arg(copy, chunk_t); + if (current == target) + { + *out = data; + break; + } + } + va_end(copy); + } + va_end(parts); + return !failed; +} + +/** + * hashtable hash() function + */ +static u_int hash(void *key) +{ + return (uintptr_t)key; +} + +/** + * hashtable equals() function + */ +static bool equals(void *key1, void *key2) +{ + return key1 == key2; +} + +/** + * Implementation of key_encoding_t.get_cache + */ +static bool get_cache(private_key_encoding_t *this, key_encoding_type_t type, + void *cache, chunk_t *encoding) +{ + chunk_t *chunk; + + if (type >= KEY_ENCODING_MAX || type < 0) + { + return FALSE; + } + this->lock->read_lock(this->lock); + chunk = this->cache[type]->get(this->cache[type], cache); + if (chunk) + { + *encoding = *chunk; + } + this->lock->unlock(this->lock); + return !!chunk; +} + +/** + * Implementation of key_encoding_t.encode + */ +static bool encode(private_key_encoding_t *this, key_encoding_type_t type, + void *cache, chunk_t *encoding, ...) +{ + enumerator_t *enumerator; + va_list args, copy; + key_encoder_t encode; + bool success = FALSE; + chunk_t *chunk; + + if (type >= KEY_ENCODING_MAX || type < 0) + { + return FALSE; + } + this->lock->read_lock(this->lock); + if (cache) + { + chunk = this->cache[type]->get(this->cache[type], cache); + if (chunk) + { + *encoding = *chunk; + this->lock->unlock(this->lock); + return TRUE; + } + } + va_start(args, encoding); + enumerator = this->encoders->create_enumerator(this->encoders); + while (enumerator->enumerate(enumerator, &encode)) + { + va_copy(copy, args); + success = encode(type, encoding, copy); + va_end(copy); + if (success) + { + if (cache) + { + chunk = malloc_thing(chunk_t); + *chunk = *encoding; + this->lock->unlock(this->lock); + this->lock->write_lock(this->lock); + this->cache[type]->put(this->cache[type], cache, chunk); + } + break; + } + } + enumerator->destroy(enumerator); + va_end(args); + this->lock->unlock(this->lock); + return success; +} + +/** + * Implementation of key_encoding_t.cache + */ +static void cache(private_key_encoding_t *this, key_encoding_type_t type, + void *cache, chunk_t encoding) +{ + chunk_t *chunk; + + if (type >= KEY_ENCODING_MAX || type < 0) + { + return free(encoding.ptr); + } + chunk = malloc_thing(chunk_t); + *chunk = encoding; + this->lock->write_lock(this->lock); + chunk = this->cache[type]->put(this->cache[type], cache, chunk); + this->lock->unlock(this->lock); + /* free an encoding already associated to the cache */ + if (chunk) + { + free(chunk->ptr); + free(chunk); + } +} + +/** + * Implementation of key_encoding_t.clear_cache + */ +static void clear_cache(private_key_encoding_t *this, void *cache) +{ + key_encoding_type_t type; + chunk_t *chunk; + + this->lock->write_lock(this->lock); + for (type = 0; type < KEY_ENCODING_MAX; type++) + { + chunk = this->cache[type]->remove(this->cache[type], cache); + if (chunk) + { + chunk_free(chunk); + free(chunk); + } + } + this->lock->unlock(this->lock); +} + +/** + * Implementation of key_encoding_t.add_encoder + */ +static void add_encoder(private_key_encoding_t *this, key_encoder_t encoder) +{ + this->lock->write_lock(this->lock); + this->encoders->insert_last(this->encoders, encoder); + this->lock->unlock(this->lock); +} + +/** + * Implementation of key_encoding_t.remove_encoder + */ +static void remove_encoder(private_key_encoding_t *this, key_encoder_t encoder) +{ + this->lock->write_lock(this->lock); + this->encoders->remove(this->encoders, encoder, NULL); + this->lock->unlock(this->lock); +} + +/** + * Implementation of key_encoder_t.destroy. + */ +static void destroy(private_key_encoding_t *this) +{ + key_encoding_type_t type; + + for (type = 0; type < KEY_ENCODING_MAX; type++) + { + /* We explicitly do not free remaining encodings. All keys should + * have gone now, and they are responsible for cleaning out their + * cache entries. Not flushing here allows the leak detective to + * complain if a key did not flush cached encodings. */ + this->cache[type]->destroy(this->cache[type]); + } + this->encoders->destroy(this->encoders); + this->lock->destroy(this->lock); + free(this); +} + +/** + * See header + */ +key_encoding_t *key_encoding_create() +{ + private_key_encoding_t *this = malloc_thing(private_key_encoding_t); + key_encoding_type_t type; + + this->public.encode = (bool(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t *encoding, ...))encode; + this->public.get_cache = (bool(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t *encoding))get_cache; + this->public.cache = (void(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t encoding))cache; + this->public.clear_cache = (void(*)(key_encoding_t*, void *cache))clear_cache; + this->public.add_encoder = (void(*)(key_encoding_t*, key_encoder_t encoder))add_encoder; + this->public.remove_encoder = (void(*)(key_encoding_t*, key_encoder_t encoder))remove_encoder; + this->public.destroy = (void(*)(key_encoding_t*))destroy; + + for (type = 0; type < KEY_ENCODING_MAX; type++) + { + this->cache[type] = hashtable_create(hash, equals, 8); + } + this->encoders = linked_list_create(); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); + + return &this->public; +} + diff --git a/src/libstrongswan/credentials/keys/key_encoding.h b/src/libstrongswan/credentials/keys/key_encoding.h new file mode 100644 index 000000000..384117166 --- /dev/null +++ b/src/libstrongswan/credentials/keys/key_encoding.h @@ -0,0 +1,203 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup key_encoding key_encoding + * @{ @ingroup keys + */ + +#ifndef KEY_ENCODING_H_ +#define KEY_ENCODING_H_ + +typedef struct key_encoding_t key_encoding_t; +typedef enum key_encoding_type_t key_encoding_type_t; +typedef enum key_encoding_part_t key_encoding_part_t; + +#include <library.h> + +/** + * Key encoder function implementing encoding/fingerprinting. + * + * The variable argument list takes key_encoding_part_t, followed by part + * specific arguments, terminated by KEY_PART_END. + * + * @param type format to encode the key to + * @param args list of (key_encoding_part_t, data) + * @param encoding encoding result, allocated + * @return TRUE if encoding successful + */ +typedef bool (*key_encoder_t)(key_encoding_type_t type, chunk_t *encoding, + va_list args); + +/** + * Helper function for key_encoder_t implementations to parse argument list. + * + * Key encoder functions get a variable argument list to parse. To simplify + * the job, this function reads the arguments and returns chunks for each + * part. + * The argument list of this function takes a key_encoding_part_t, followed + * by a data pointer receiving the value, terminated by KEY_PART_END. + * + * @param args argument list passed to key encoder function + * @param ... list of (key_encoding_part_t, data*) + * @return TRUE if all parts found, FALSE otherwise + */ +bool key_encoding_args(va_list args, ...); + +/** + * Encoding type of a fingerprint/private-/public-key. + * + * Fingerprints have have the KEY_ID_*, public keys the KEY_PUB_* and + * private keys the KEY_PRIV_* prefix. + */ +enum key_encoding_type_t { + /** SHA1 fingerprint over subjectPublicKeyInfo */ + KEY_ID_PUBKEY_INFO_SHA1 = 0, + /** SHA1 fingerprint over subjectPublicKey */ + KEY_ID_PUBKEY_SHA1, + /** PGPv3 fingerprint */ + KEY_ID_PGPV3, + /** PGPv4 fingerprint */ + KEY_ID_PGPV4, + + KEY_ID_MAX, + + /** PKCS#1 and similar ASN.1 key encoding */ + KEY_PUB_ASN1_DER, + KEY_PRIV_ASN1_DER, + /** subjectPublicKeyInfo encoding */ + KEY_PUB_SPKI_ASN1_DER, + /** PEM oncoded PKCS#1 key */ + KEY_PUB_PEM, + KEY_PRIV_PEM, + /** PGP key encoding */ + KEY_PUB_PGP, + KEY_PRIV_PGP, + + KEY_ENCODING_MAX, +}; + +/** + * Parts of a key to encode. + */ +enum key_encoding_part_t { + /** modulus of a RSA key, n */ + KEY_PART_RSA_MODULUS, + /** public exponent of a RSA key, e */ + KEY_PART_RSA_PUB_EXP, + /** private exponent of a RSA key, d */ + KEY_PART_RSA_PRIV_EXP, + /** prime1 a RSA key, p */ + KEY_PART_RSA_PRIME1, + /** prime2 a RSA key, q */ + KEY_PART_RSA_PRIME2, + /** exponent1 a RSA key, exp1 */ + KEY_PART_RSA_EXP1, + /** exponent1 a RSA key, exp2 */ + KEY_PART_RSA_EXP2, + /** coefficient of RSA key, coeff */ + KEY_PART_RSA_COEFF, + /** a DER encoded RSA public key */ + KEY_PART_RSA_PUB_ASN1_DER, + /** a DER encoded RSA private key */ + KEY_PART_RSA_PRIV_ASN1_DER, + /** a DER encoded ECDSA public key */ + KEY_PART_ECDSA_PUB_ASN1_DER, + /** a DER encoded ECDSA private key */ + KEY_PART_ECDSA_PRIV_ASN1_DER, + + KEY_PART_END, +}; + +/** + * Private/Public key encoding and fingerprinting facility. + */ +struct key_encoding_t { + + /** + * Encode a key into a format using several key parts, optional caching. + * + * The variable argument list takes key_encoding_part_t, followed by part + * specific arguments, terminated by KEY_PART_END. + * If a cache key is given, the returned encoding points to internal data: + * do not free or modify. If no cache key is given, the encoding is + * allocated and must be freed by the caller. + * + * @param type format the key should be encoded to + * @param cache key to use for caching, NULL to not cache + * @param encoding encoding result, allocated if caching disabled + * @param ... list of (key_encoding_part_t, data) + * @return TRUE if encoding successful + */ + bool (*encode)(key_encoding_t *this, key_encoding_type_t type, void *cache, + chunk_t *encoding, ...); + + /** + * Clear all cached encodings of a given cache key. + * + * @param cache key used in encode() for caching + */ + void (*clear_cache)(key_encoding_t *this, void *cache); + + /** + * Check for a cached encoding. + * + * @param type format of the key encoding + * @param cache key to use for caching, as given to encode() + * @param encoding encoding result, internal data + * @return TRUE if cache entry found + */ + bool (*get_cache)(key_encoding_t *this, key_encoding_type_t type, + void *cache, chunk_t *encoding); + + /** + * Cache a key encoding created externally. + * + * After calling cache(), the passed encoding is owned by the key encoding + * facility. + * + * @param type format of the key encoding + * @param cache key to use for caching, as given to encode() + * @param encoding encoding to cache, gets owned by this + */ + void (*cache)(key_encoding_t *this, key_encoding_type_t type, void *cache, + chunk_t encoding); + + /** + * Register a key encoder function. + * + * @param encoder key encoder function to add + */ + void (*add_encoder)(key_encoding_t *this, key_encoder_t encoder); + + /** + * Unregister a previously registered key encoder function. + * + * @param encoder key encoder function to remove + */ + void (*remove_encoder)(key_encoding_t *this, key_encoder_t encoder); + + /** + * Destroy a key_encoding_t. + */ + void (*destroy)(key_encoding_t *this); +}; + +/** + * Create a key_encoding instance. + */ +key_encoding_t *key_encoding_create(); + +#endif /** KEY_ENCODING_H_ @}*/ diff --git a/src/libstrongswan/credentials/keys/private_key.c b/src/libstrongswan/credentials/keys/private_key.c index 0a01d0385..c3b5ac55b 100644 --- a/src/libstrongswan/credentials/keys/private_key.c +++ b/src/libstrongswan/credentials/keys/private_key.c @@ -15,3 +15,65 @@ #include "private_key.h" +/** + * See header. + */ +bool private_key_equals(private_key_t *this, private_key_t *other) +{ + key_encoding_type_t type; + chunk_t a, b; + + if (this == other) + { + return TRUE; + } + + for (type = 0; type < KEY_ENCODING_MAX; type++) + { + if (this->get_fingerprint(this, type, &a) && + other->get_fingerprint(other, type, &b)) + { + return chunk_equals(a, b); + } + } + return FALSE; +} + +/** + * See header. + */ +bool private_key_belongs_to(private_key_t *private, public_key_t *public) +{ + key_encoding_type_t type; + chunk_t a, b; + + for (type = 0; type < KEY_ENCODING_MAX; type++) + { + if (private->get_fingerprint(private, type, &a) && + public->get_fingerprint(public, type, &b)) + { + return chunk_equals(a, b); + } + } + return FALSE; +} + +/** + * See header. + */ +bool private_key_has_fingerprint(private_key_t *private, chunk_t fingerprint) +{ + key_encoding_type_t type; + chunk_t current; + + for (type = 0; type < KEY_ID_MAX; type++) + { + if (private->get_fingerprint(private, type, ¤t) && + chunk_equals(current, fingerprint)) + { + return TRUE; + } + } + return FALSE; +} + diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h index f38af8ff4..d4517f296 100644 --- a/src/libstrongswan/credentials/keys/private_key.h +++ b/src/libstrongswan/credentials/keys/private_key.h @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. */ - + /** * @defgroup private_key private_key * @{ @ingroup keys @@ -23,7 +23,6 @@ typedef struct private_key_t private_key_t; -#include <utils/identification.h> #include <credentials/keys/public_key.h> /** @@ -46,7 +45,7 @@ struct private_key_t { * @param signature where to allocate created signature * @return TRUE if signature created */ - bool (*sign)(private_key_t *this, signature_scheme_t scheme, + bool (*sign)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature); /** * Decrypt a chunk of data. @@ -56,32 +55,24 @@ struct private_key_t { * @return TRUE if data decrypted and plaintext allocated */ bool (*decrypt)(private_key_t *this, chunk_t crypto, chunk_t *plain); - + /** * Get the strength of the key in bytes. - * + * * @return strength of the key in bytes */ size_t (*get_keysize) (private_key_t *this); /** - * Get a unique key identifier, such as a hash over the public key. - * - * @param type type of the key ID to get - * @return unique ID of the key as identification_t, or NULL - */ - identification_t* (*get_id) (private_key_t *this, id_type_t type); - - /** * Get the public part from the private key. * * @return public key */ public_key_t* (*get_public_key)(private_key_t *this); - + /** * Check if two private keys are equal. - * + * * @param other other private key * @return TRUE, if equality */ @@ -89,32 +80,78 @@ struct private_key_t { /** * Check if a private key belongs to a public key. - * + * * @param public public key * @return TRUE, if keys belong together */ bool (*belongs_to) (private_key_t *this, public_key_t *public); - + /** - * Get an encoded form of the private key. + * Get the fingerprint of the key. * - * @todo Do we need a encoding type specification? + * @param type type of fingerprint, one of KEY_ID_* + * @param fp fingerprint, points to internal data + * @return TRUE if fingerprint type supported + */ + bool (*get_fingerprint)(private_key_t *this, key_encoding_type_t type, + chunk_t *fp); + + /** + * Check if a key has a given fingerprint of any kind. * - * @return allocated chunk containing encoded private key + * @param fp fingerprint to check + * @return TRUE if key has given fingerprint */ - chunk_t (*get_encoding)(private_key_t *this); - + bool (*has_fingerprint)(private_key_t *this, chunk_t fp); + + /** + * Get the key in an encoded form as a chunk. + * + * @param type type of the encoding, one of KEY_PRIV_* + * @param encoding encoding of the key, allocated + * @return TRUE if encoding supported + */ + bool (*get_encoding)(private_key_t *this, key_encoding_type_t type, + chunk_t *encoding); + /** * Increase the refcount to this private key. * * @return this, with an increased refcount */ private_key_t* (*get_ref)(private_key_t *this); - + /** - * Decrease refcount, destroy private_key if no more references. - */ - void (*destroy)(private_key_t *this); + * Decrease refcount, destroy private_key if no more references. + */ + void (*destroy)(private_key_t *this); }; +/** + * Generic private key equals() implementation, usable by implementors. + * + * @param this first key to compare + * @param other second key to compare + * @return TRUE if this is equal to other + */ +bool private_key_equals(private_key_t *this, private_key_t *other); + +/** + * Generic private key belongs_to() implementation, usable by implementors. + * + * @param private private key to check + * @param public public key to compare + * @return TRUE if this is equal to other + */ +bool private_key_belongs_to(private_key_t *private, public_key_t *public); + +/** + * Generic private key has_fingerprint() implementation, usable by implementors. + * + * @param this key to check fingerprint + * @param fingerprint fingerprint to check + * @return TRUE if key has given fingerprint + */ +bool private_key_has_fingerprint(private_key_t *this, chunk_t fingerprint); + #endif /** PRIVATE_KEY_H_ @}*/ diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c index a5f547038..ba3036793 100644 --- a/src/libstrongswan/credentials/keys/public_key.c +++ b/src/libstrongswan/credentials/keys/public_key.c @@ -32,13 +32,59 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521, "RSA_EMSA_PKCS1_SHA256", "RSA_EMSA_PKCS1_SHA384", "RSA_EMSA_PKCS1_SHA512", + "ECDSA_WITH_SHA1_DER", + "ECDSA_WITH_SHA256_DER", + "ECDSA_WITH_SHA384_DER", + "ECDSA_WITH_SHA512_DER", "ECDSA_WITH_NULL", - "ECDSA_WITH_SHA1", "ECDSA-256", "ECDSA-384", "ECDSA-521", ); +/** + * See header. + */ +bool public_key_equals(public_key_t *this, public_key_t *other) +{ + key_encoding_type_t type; + chunk_t a, b; + + if (this == other) + { + return TRUE; + } + + for (type = 0; type < KEY_ENCODING_MAX; type++) + { + if (this->get_fingerprint(this, type, &a) && + other->get_fingerprint(other, type, &b)) + { + return chunk_equals(a, b); + } + } + return FALSE; +} + +/** + * See header. + */ +bool public_key_has_fingerprint(public_key_t *public, chunk_t fingerprint) +{ + key_encoding_type_t type; + chunk_t current; + + for (type = 0; type < KEY_ID_MAX; type++) + { + if (public->get_fingerprint(public, type, ¤t) && + chunk_equals(current, fingerprint)) + { + return TRUE; + } + } + return FALSE; +} + /* * Defined in header. */ @@ -66,13 +112,13 @@ signature_scheme_t signature_scheme_from_oid(int oid) return SIGN_RSA_EMSA_PKCS1_SHA512; case OID_ECDSA_WITH_SHA1: case OID_EC_PUBLICKEY: - return SIGN_ECDSA_WITH_SHA1; + return SIGN_ECDSA_WITH_SHA1_DER; case OID_ECDSA_WITH_SHA256: - return SIGN_ECDSA_256; + return SIGN_ECDSA_WITH_SHA256_DER; case OID_ECDSA_WITH_SHA384: - return SIGN_ECDSA_384; + return SIGN_ECDSA_WITH_SHA384_DER; case OID_ECDSA_WITH_SHA512: - return SIGN_ECDSA_521; + return SIGN_ECDSA_WITH_SHA512_DER; default: return SIGN_UNKNOWN; } diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h index be5f3bde6..a421e7b5b 100644 --- a/src/libstrongswan/credentials/keys/public_key.h +++ b/src/libstrongswan/credentials/keys/public_key.h @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. */ - + /** * @defgroup public_key public_key * @{ @ingroup keys @@ -28,6 +28,7 @@ typedef enum signature_scheme_t signature_scheme_t; #include <library.h> #include <utils/identification.h> +#include <credentials/keys/key_encoding.h> /** * Type of a key pair, the used crypto system @@ -53,9 +54,8 @@ extern enum_name_t *key_type_names; * Signature scheme for signature creation * * EMSA-PKCS1 signatures are defined in PKCS#1 standard. - * A prepended ASN.1 encoded digestInfo field contains the - * OID of the used hash algorithm. The ASN.1 type of the PKCS#7 - * variants is OCTET_STRING instead of the default BIT_STRING. + * A prepended ASN.1 encoded digestInfo field contains the + * OID of the used hash algorithm. */ enum signature_scheme_t { /** Unknown signature scheme */ @@ -74,10 +74,16 @@ enum signature_scheme_t { SIGN_RSA_EMSA_PKCS1_SHA384, /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-512 */ SIGN_RSA_EMSA_PKCS1_SHA512, - /** ECDSA over precomputed digest */ + /** ECDSA with SHA-1 using DER encoding as in RFC 3279 */ + SIGN_ECDSA_WITH_SHA1_DER, + /** ECDSA with SHA-256 using DER encoding as in RFC 3279 */ + SIGN_ECDSA_WITH_SHA256_DER, + /** ECDSA with SHA-384 using DER encoding as in RFC 3279 */ + SIGN_ECDSA_WITH_SHA384_DER, + /** ECDSA with SHA-1 using DER encoding as in RFC 3279 */ + SIGN_ECDSA_WITH_SHA512_DER, + /** ECDSA over precomputed digest, signature as in RFC 4754 */ SIGN_ECDSA_WITH_NULL, - /** ECDSA with SHA-1 */ - SIGN_ECDSA_WITH_SHA1, /** ECDSA on the P-256 curve with SHA-256 as in RFC 4754 */ SIGN_ECDSA_256, /** ECDSA on the P-384 curve with SHA-384 as in RFC 4754 */ @@ -102,7 +108,7 @@ struct public_key_t { * @return type of the key */ key_type_t (*get_type)(public_key_t *this); - + /** * Verifies a signature against a chunk of data. * @@ -111,9 +117,9 @@ struct public_key_t { * @param signature signature to check * @return TRUE if signature matches */ - bool (*verify)(public_key_t *this, signature_scheme_t scheme, + bool (*verify)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature); - + /** * Encrypt a chunk of data. * @@ -122,10 +128,10 @@ struct public_key_t { * @return TRUE if data successfully encrypted */ bool (*encrypt)(public_key_t *this, chunk_t plain, chunk_t *crypto); - + /** * Check if two public keys are equal. - * + * * @param other other public key * @return TRUE, if equality */ @@ -133,35 +139,46 @@ struct public_key_t { /** * Get the strength of the key in bytes. - * + * * @return strength of the key in bytes */ size_t (*get_keysize) (public_key_t *this); /** - * Get a unique key identifier, such as a hash over the key. - * - * @param type type of the key ID to get - * @return unique ID of the key as identification_t, or NULL + * Get the fingerprint of the key. + * + * @param type type of fingerprint, one of KEY_ID_* + * @param fp fingerprint, points to internal data + * @return TRUE if fingerprint type supported */ - identification_t* (*get_id) (public_key_t *this, id_type_t type); - + bool (*get_fingerprint)(public_key_t *this, key_encoding_type_t type, + chunk_t *fp); + /** - * Get an encoded form of the key. + * Check if a key has a given fingerprint of any kind. * - * @todo Do we need a encoding type specification? + * @param fp fingerprint to check + * @return TRUE if key has given fingerprint + */ + bool (*has_fingerprint)(public_key_t *this, chunk_t fp); + + /** + * Get the key in an encoded form as a chunk. * - * @return allocated chunk containing encoded key + * @param type type of the encoding, one of KEY_PRIV_* + * @param encoding encoding of the key, allocated + * @return TRUE if encoding supported */ - chunk_t (*get_encoding)(public_key_t *this); - + bool (*get_encoding)(public_key_t *this, key_encoding_type_t type, + chunk_t *encoding); + /** * Increase the refcount of the key. * * @return this with an increased refcount */ public_key_t* (*get_ref)(public_key_t *this); - + /** * Destroy a public_key instance. */ @@ -169,8 +186,26 @@ struct public_key_t { }; /** + * Generic public key equals() implementation, usable by implementors. + * + * @param this first key to compare + * @param other second key to compare + * @return TRUE if this is equal to other + */ +bool public_key_equals(public_key_t *this, public_key_t *other); + +/** + * Generic public key has_fingerprint() implementation, usable by implementors. + * + * @param this key to check fingerprint + * @param fingerprint fingerprint to check + * @return TRUE if key has given fingerprint + */ +bool public_key_has_fingerprint(public_key_t *this, chunk_t fingerprint); + +/** * Conversion of ASN.1 signature or hash OID to signature scheme. - * + * * @param oid ASN.1 OID * @return signature_scheme, SIGN_UNKNOWN if OID is unsupported */ diff --git a/src/libstrongswan/credentials/keys/shared_key.c b/src/libstrongswan/credentials/keys/shared_key.c index c6f141446..f695c078d 100644 --- a/src/libstrongswan/credentials/keys/shared_key.c +++ b/src/libstrongswan/credentials/keys/shared_key.c @@ -34,17 +34,17 @@ struct private_shared_key_t { * public functions */ shared_key_t public; - + /** * type of this shared key */ shared_key_type_t type; - + /** * associated shared key data */ chunk_t key; - + /** * reference counter */ @@ -94,16 +94,16 @@ static void destroy(private_shared_key_t *this) shared_key_t *shared_key_create(shared_key_type_t type, chunk_t key) { private_shared_key_t *this = malloc_thing(private_shared_key_t); - + this->public.get_type = (shared_key_type_t (*)(shared_key_t *this))get_type; this->public.get_key = (chunk_t (*)(shared_key_t *this))get_key; this->public.get_ref = (shared_key_t* (*)(shared_key_t *this))get_ref; this->public.destroy = (void(*)(shared_key_t*))destroy; - + this->type = type; this->key = key; this->ref = 1; - + return &this->public; } diff --git a/src/libstrongswan/credentials/keys/shared_key.h b/src/libstrongswan/credentials/keys/shared_key.h index ceb1309b7..fe7bc86be 100644 --- a/src/libstrongswan/credentials/keys/shared_key.h +++ b/src/libstrongswan/credentials/keys/shared_key.h @@ -55,32 +55,32 @@ extern enum_name_t *shared_key_type_names; * reading. */ struct shared_key_t { - + /** * Get the kind of this key. * * @return type of the key */ shared_key_type_t (*get_type)(shared_key_t *this); - + /** * Get the shared key data. * * @return chunk pointing to the internal key */ chunk_t (*get_key)(shared_key_t *this); - - /** + + /** * Increase refcount of the key. * - * @return this with an increased refcount + * @return this with an increased refcount */ shared_key_t* (*get_ref)(shared_key_t *this); - + /** - * Destroy a shared_key instance if all references are gone. - */ - void (*destroy)(shared_key_t *this); + * Destroy a shared_key instance if all references are gone. + */ + void (*destroy)(shared_key_t *this); }; /** |