summaryrefslogtreecommitdiff
path: root/src/libstrongswan/crypto/x509.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan/crypto/x509.c')
-rwxr-xr-xsrc/libstrongswan/crypto/x509.c1562
1 files changed, 0 insertions, 1562 deletions
diff --git a/src/libstrongswan/crypto/x509.c b/src/libstrongswan/crypto/x509.c
deleted file mode 100755
index eadf11327..000000000
--- a/src/libstrongswan/crypto/x509.c
+++ /dev/null
@@ -1,1562 +0,0 @@
-/**
- * @file x509.c
- *
- * @brief Implementation of x509_t.
- *
- */
-
-/*
- * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
- * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
- * Copyright (C) 2002 Mario Strasser
- * Copyright (C) 2006 Martin Willi
- * Copyright (C) 2000-2008 Andreas Steffen
- *
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: x509.c 3423 2008-01-22 10:32:37Z andreas $
- */
-
-#include <gmp.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <string.h>
-#include <stdio.h>
-
-#include "x509.h"
-#include "hashers/hasher.h"
-#include <library.h>
-#include <debug.h>
-#include <asn1/oid.h>
-#include <asn1/asn1.h>
-#include <asn1/pem.h>
-#include <utils/linked_list.h>
-#include <utils/identification.h>
-
-#define CERT_WARNING_INTERVAL 30 /* days */
-
-/**
- * Different kinds of generalNames
- */
-typedef enum generalNames_t generalNames_t;
-
-enum generalNames_t {
- GN_OTHER_NAME = 0,
- GN_RFC822_NAME = 1,
- GN_DNS_NAME = 2,
- GN_X400_ADDRESS = 3,
- GN_DIRECTORY_NAME = 4,
- GN_EDI_PARTY_NAME = 5,
- GN_URI = 6,
- GN_IP_ADDRESS = 7,
- GN_REGISTERED_ID = 8,
-};
-
-typedef struct private_x509_t private_x509_t;
-
-/**
- * Private data of a x509_t object.
- */
-struct private_x509_t {
- /**
- * Public interface for this certificate.
- */
- x509_t public;
-
- /**
- * Time when certificate was installed
- */
- time_t installed;
-
- /**
- * Time until certificate can be trusted
- */
- time_t until;
-
- /**
- * Certificate status
- */
- cert_status_t status;
-
- /**
- * Authority flags
- */
- u_int authority_flags;
-
- /**
- * X.509 Certificate in DER format
- */
- chunk_t certificate;
-
- /**
- * X.509 certificate body over which signature is computed
- */
- chunk_t tbsCertificate;
-
- /**
- * Version of the X.509 certificate
- */
- u_int version;
-
- /**
- * Serial number of the X.509 certificate
- */
- chunk_t serialNumber;
-
- /**
- * Signature algorithm
- */
- int signatureAlgorithm;
-
- /**
- * ID representing the certificate issuer
- */
- identification_t *issuer;
-
- /**
- * link to the info recored of the certificate issuer
- */
- ca_info_t *ca_info;
-
- /**
- * Start time of certificate validity
- */
- time_t notBefore;
-
- /**
- * End time of certificate validity
- */
- time_t notAfter;
-
- /**
- * ID representing the certificate subject
- */
- identification_t *subject;
-
- /**
- * List of identification_t's representing subjectAltNames
- */
- linked_list_t *subjectAltNames;
-
- /**
- * List of identification_t's representing crlDistributionPoints
- */
- linked_list_t *crlDistributionPoints;
-
- /**
- * List of identification_t's representing ocspAccessLocations
- */
- linked_list_t *ocspAccessLocations;
-
- /**
- * Subject public key
- */
- chunk_t subjectPublicKey;
-
- /**
- * Subject RSA public key, if subjectPublicKeyAlgorithm == RSA
- */
- rsa_public_key_t *public_key;
-
- /**
- * Subject Key Identifier
- */
- chunk_t subjectKeyID;
-
- /**
- * Authority Key Identifier
- */
- chunk_t authKeyID;
-
- /**
- * Authority Key Serial Number
- */
- chunk_t authKeySerialNumber;
-
- /**
- * Indicates if the certificate is self-signed
- */
- bool isSelfSigned;
-
- /**
- * CA basic constraints flag
- */
- bool isCA;
-
- /**
- * OCSPSigner extended key usage flag
- */
- bool isOcspSigner;
-
- /**
- * Signature
- */
- chunk_t signature;
-
-};
-
-/**
- * ASN.1 definition of generalName
- */
-static const asn1Object_t generalNameObjects[] = {
- { 0, "otherName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_BODY }, /* 0 */
- { 0, "end choice", ASN1_EOC, ASN1_END }, /* 1 */
- { 0, "rfc822Name", ASN1_CONTEXT_S_1, ASN1_OPT|ASN1_BODY }, /* 2 */
- { 0, "end choice", ASN1_EOC, ASN1_END }, /* 3 */
- { 0, "dnsName", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 4 */
- { 0, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
- { 0, "x400Address", ASN1_CONTEXT_S_3, ASN1_OPT|ASN1_BODY }, /* 6 */
- { 0, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
- { 0, "directoryName", ASN1_CONTEXT_C_4, ASN1_OPT|ASN1_BODY }, /* 8 */
- { 0, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
- { 0, "ediPartyName", ASN1_CONTEXT_C_5, ASN1_OPT|ASN1_BODY }, /* 10 */
- { 0, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
- { 0, "URI", ASN1_CONTEXT_S_6, ASN1_OPT|ASN1_BODY }, /* 12 */
- { 0, "end choice", ASN1_EOC, ASN1_END }, /* 13 */
- { 0, "ipAddress", ASN1_CONTEXT_S_7, ASN1_OPT|ASN1_BODY }, /* 14 */
- { 0, "end choice", ASN1_EOC, ASN1_END }, /* 15 */
- { 0, "registeredID", ASN1_CONTEXT_S_8, ASN1_OPT|ASN1_BODY }, /* 16 */
- { 0, "end choice", ASN1_EOC, ASN1_END } /* 17 */
-};
-#define GN_OBJ_OTHER_NAME 0
-#define GN_OBJ_RFC822_NAME 2
-#define GN_OBJ_DNS_NAME 4
-#define GN_OBJ_X400_ADDRESS 6
-#define GN_OBJ_DIRECTORY_NAME 8
-#define GN_OBJ_EDI_PARTY_NAME 10
-#define GN_OBJ_URI 12
-#define GN_OBJ_IP_ADDRESS 14
-#define GN_OBJ_REGISTERED_ID 16
-#define GN_OBJ_ROOF 18
-
-/**
- * ASN.1 definition of otherName
- */
-static const asn1Object_t otherNameObjects[] = {
- {0, "type-id", ASN1_OID, ASN1_BODY }, /* 0 */
- {0, "value", ASN1_CONTEXT_C_0, ASN1_BODY } /* 1 */
-};
-#define ON_OBJ_ID_TYPE 0
-#define ON_OBJ_VALUE 1
-#define ON_OBJ_ROOF 2
-/**
- * ASN.1 definition of a basicConstraints extension
- */
-static const asn1Object_t basicConstraintsObjects[] = {
- { 0, "basicConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
- { 1, "CA", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 1 */
- { 1, "pathLenConstraint", ASN1_INTEGER, ASN1_OPT|ASN1_BODY }, /* 2 */
- { 1, "end opt", ASN1_EOC, ASN1_END } /* 3 */
-};
-#define BASIC_CONSTRAINTS_CA 1
-#define BASIC_CONSTRAINTS_ROOF 4
-
-/**
- * ASN.1 definition of a keyIdentifier
- */
-static const asn1Object_t keyIdentifierObjects[] = {
- { 0, "keyIdentifier", ASN1_OCTET_STRING, ASN1_BODY } /* 0 */
-};
-
-/**
- * ASN.1 definition of a authorityKeyIdentifier extension
- */
-static const asn1Object_t authorityKeyIdentifierObjects[] = {
- { 0, "authorityKeyIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
- { 1, "keyIdentifier", ASN1_CONTEXT_S_0, ASN1_OPT|ASN1_OBJ }, /* 1 */
- { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
- { 1, "authorityCertIssuer", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_OBJ }, /* 3 */
- { 1, "end opt", ASN1_EOC, ASN1_END }, /* 4 */
- { 1, "authorityCertSerialNumber",ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 5 */
- { 1, "end opt", ASN1_EOC, ASN1_END } /* 6 */
-};
-#define AUTH_KEY_ID_KEY_ID 1
-#define AUTH_KEY_ID_CERT_ISSUER 3
-#define AUTH_KEY_ID_CERT_SERIAL 5
-#define AUTH_KEY_ID_ROOF 7
-
-/**
- * ASN.1 definition of a authorityInfoAccess extension
- */
-static const asn1Object_t authorityInfoAccessObjects[] = {
- { 0, "authorityInfoAccess", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
- { 1, "accessDescription", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
- { 2, "accessMethod", ASN1_OID, ASN1_BODY }, /* 2 */
- { 2, "accessLocation", ASN1_EOC, ASN1_RAW }, /* 3 */
- { 0, "end loop", ASN1_EOC, ASN1_END } /* 4 */
-};
-#define AUTH_INFO_ACCESS_METHOD 2
-#define AUTH_INFO_ACCESS_LOCATION 3
-#define AUTH_INFO_ACCESS_ROOF 5
-
-/**
- * ASN.1 definition of a extendedKeyUsage extension
- */
-static const asn1Object_t extendedKeyUsageObjects[] = {
- { 0, "extendedKeyUsage", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
- { 1, "keyPurposeID", ASN1_OID, ASN1_BODY }, /* 1 */
- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
-};
-
-#define EXT_KEY_USAGE_PURPOSE_ID 1
-#define EXT_KEY_USAGE_ROOF 3
-
-/**
- * ASN.1 definition of generalNames
- */
-static const asn1Object_t generalNamesObjects[] = {
- { 0, "generalNames", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
- { 1, "generalName", ASN1_EOC, ASN1_RAW }, /* 1 */
- { 0, "end loop", ASN1_EOC, ASN1_END } /* 2 */
-};
-#define GENERAL_NAMES_GN 1
-#define GENERAL_NAMES_ROOF 3
-
-
-/**
- * ASN.1 definition of crlDistributionPoints
- */
-static const asn1Object_t crlDistributionPointsObjects[] = {
- { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
- { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
- { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */
- { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
- { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
- { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
- { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_BODY }, /* 10 */
- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
-};
-#define CRL_DIST_POINTS_FULLNAME 3
-#define CRL_DIST_POINTS_ROOF 13
-
-/**
- * ASN.1 definition of an X.509v3 x509
- */
-static const asn1Object_t certObjects[] = {
- { 0, "x509", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
- { 1, "tbsCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
- { 2, "DEFAULT v1", ASN1_CONTEXT_C_0, ASN1_DEF }, /* 2 */
- { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
- { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 4 */
- { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 5 */
- { 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
- { 2, "validity", ASN1_SEQUENCE, ASN1_NONE }, /* 7 */
- { 3, "notBefore", ASN1_EOC, ASN1_RAW }, /* 8 */
- { 3, "notAfter", ASN1_EOC, ASN1_RAW }, /* 9 */
- { 2, "subject", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
- { 2, "subjectPublicKeyInfo",ASN1_SEQUENCE, ASN1_NONE }, /* 11 */
- { 3, "algorithm", ASN1_EOC, ASN1_RAW }, /* 12 */
- { 3, "subjectPublicKey", ASN1_BIT_STRING, ASN1_NONE }, /* 13 */
- { 4, "RSAPublicKey", ASN1_SEQUENCE, ASN1_RAW }, /* 14 */
- { 2, "issuerUniqueID", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 15 */
- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 16 */
- { 2, "subjectUniqueID", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 17 */
- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 18 */
- { 2, "optional extensions", ASN1_CONTEXT_C_3, ASN1_OPT }, /* 19 */
- { 3, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 20 */
- { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 21 */
- { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 22 */
- { 5, "critical", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 23 */
- { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 24 */
- { 3, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
- { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 27 */
- { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY } /* 28 */
-};
-#define X509_OBJ_CERTIFICATE 0
-#define X509_OBJ_TBS_CERTIFICATE 1
-#define X509_OBJ_VERSION 3
-#define X509_OBJ_SERIAL_NUMBER 4
-#define X509_OBJ_SIG_ALG 5
-#define X509_OBJ_ISSUER 6
-#define X509_OBJ_NOT_BEFORE 8
-#define X509_OBJ_NOT_AFTER 9
-#define X509_OBJ_SUBJECT 10
-#define X509_OBJ_SUBJECT_PUBLIC_KEY_ALGORITHM 12
-#define X509_OBJ_SUBJECT_PUBLIC_KEY 13
-#define X509_OBJ_RSA_PUBLIC_KEY 14
-#define X509_OBJ_EXTN_ID 22
-#define X509_OBJ_CRITICAL 23
-#define X509_OBJ_EXTN_VALUE 24
-#define X509_OBJ_ALGORITHM 27
-#define X509_OBJ_SIGNATURE 28
-#define X509_OBJ_ROOF 29
-
-
-static u_char ASN1_subjectAltName_oid_str[] = {
- 0x06, 0x03, 0x55, 0x1D, 0x11
-};
-
-static const chunk_t ASN1_subjectAltName_oid = chunk_from_buf(ASN1_subjectAltName_oid_str);
-
-
-/**
- * compare two X.509 x509s by comparing their signatures
- */
-static bool equals(const private_x509_t *this, const private_x509_t *other)
-{
- return chunk_equals(this->signature, other->signature);
-}
-
-/**
- * extracts the basicConstraints extension
- */
-static bool parse_basicConstraints(chunk_t blob, int level0)
-{
- asn1_ctx_t ctx;
- chunk_t object;
- u_int level;
- int objectID = 0;
- bool isCA = FALSE;
-
- asn1_init(&ctx, blob, level0, FALSE, FALSE);
-
- while (objectID < BASIC_CONSTRAINTS_ROOF) {
-
- if (!extract_object(basicConstraintsObjects, &objectID, &object,&level, &ctx))
- {
- break;
- }
- if (objectID == BASIC_CONSTRAINTS_CA)
- {
- isCA = object.len && *object.ptr;
- DBG2(" %s", isCA ? "TRUE" : "FALSE");
- }
- objectID++;
- }
- return isCA;
-}
-
-/**
- * extracts an otherName
- */
-static bool parse_otherName(chunk_t blob, int level0)
-{
- asn1_ctx_t ctx;
- chunk_t object;
- u_int level;
- int objectID = 0;
- int oid = OID_UNKNOWN;
-
- asn1_init(&ctx, blob, level0, FALSE, FALSE);
-
- while (objectID < ON_OBJ_ROOF)
- {
- if (!extract_object(otherNameObjects, &objectID, &object, &level, &ctx))
- return FALSE;
-
- switch (objectID)
- {
- case ON_OBJ_ID_TYPE:
- oid = known_oid(object);
- break;
- case ON_OBJ_VALUE:
- if (oid == OID_XMPP_ADDR)
- {
- if (!parse_asn1_simple_object(&object, ASN1_UTF8STRING, level + 1, "xmppAddr"))
- return FALSE;
- }
- break;
- default:
- break;
- }
- objectID++;
- }
- return TRUE;
-}
-
-/**
- * extracts a generalName
- */
-static identification_t *parse_generalName(chunk_t blob, int level0)
-{
- asn1_ctx_t ctx;
- chunk_t object;
- int objectID = 0;
- u_int level;
-
- asn1_init(&ctx, blob, level0, FALSE, FALSE);
-
- while (objectID < GN_OBJ_ROOF)
- {
- id_type_t id_type = ID_ANY;
-
- if (!extract_object(generalNameObjects, &objectID, &object, &level, &ctx))
- return NULL;
-
- switch (objectID)
- {
- case GN_OBJ_RFC822_NAME:
- id_type = ID_RFC822_ADDR;
- break;
- case GN_OBJ_DNS_NAME:
- id_type = ID_FQDN;
- break;
- case GN_OBJ_URI:
- id_type = ID_DER_ASN1_GN_URI;
- break;
- case GN_OBJ_DIRECTORY_NAME:
- id_type = ID_DER_ASN1_DN;
- break;
- case GN_OBJ_IP_ADDRESS:
- id_type = (object.len == 4)? ID_IPV4_ADDR : ID_IPV6_ADDR;
- break;
- case GN_OBJ_OTHER_NAME:
- if (!parse_otherName(object, level + 1))
- return NULL;
- break;
- case GN_OBJ_X400_ADDRESS:
- case GN_OBJ_EDI_PARTY_NAME:
- case GN_OBJ_REGISTERED_ID:
- break;
- default:
- break;
- }
-
- if (id_type != ID_ANY)
- {
- identification_t *gn = identification_create_from_encoding(id_type, object);
- DBG2(" '%D'", gn);
- return gn;
- }
- objectID++;
- }
- return NULL;
-}
-
-
-/*
- * Defined in header.
- */
-void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list)
-{
- asn1_ctx_t ctx;
- chunk_t object;
- u_int level;
- int objectID = 0;
-
- asn1_init(&ctx, blob, level0, implicit, FALSE);
-
- while (objectID < GENERAL_NAMES_ROOF)
- {
- if (!extract_object(generalNamesObjects, &objectID, &object, &level, &ctx))
- return;
-
- if (objectID == GENERAL_NAMES_GN)
- {
- identification_t *gn = parse_generalName(object, level+1);
-
- if (gn != NULL)
- list->insert_last(list, (void *)gn);
- }
- objectID++;
- }
- return;
-}
-
-/**
- * extracts a keyIdentifier
- */
-static chunk_t parse_keyIdentifier(chunk_t blob, int level0, bool implicit)
-{
- asn1_ctx_t ctx;
- chunk_t object;
- u_int level;
- int objectID = 0;
-
- asn1_init(&ctx, blob, level0, implicit, FALSE);
-
- extract_object(keyIdentifierObjects, &objectID, &object, &level, &ctx);
- return object;
-}
-
-/*
- * Defined in header.
- */
-void x509_parse_authorityKeyIdentifier(chunk_t blob, int level0 , chunk_t *authKeyID, chunk_t *authKeySerialNumber)
-{
- asn1_ctx_t ctx;
- chunk_t object;
- u_int level;
- int objectID = 0;
-
- *authKeyID = chunk_empty;
- *authKeySerialNumber = chunk_empty;
-
- asn1_init(&ctx, blob, level0, FALSE, FALSE);
-
- while (objectID < AUTH_KEY_ID_ROOF)
- {
- if (!extract_object(authorityKeyIdentifierObjects, &objectID, &object, &level, &ctx))
- {
- return;
- }
- switch (objectID)
- {
- case AUTH_KEY_ID_KEY_ID:
- *authKeyID = parse_keyIdentifier(object, level+1, TRUE);
- break;
- case AUTH_KEY_ID_CERT_ISSUER:
- {
- /* TODO: parse_generalNames(object, level+1, TRUE); */
- break;
- }
- case AUTH_KEY_ID_CERT_SERIAL:
- *authKeySerialNumber = object;
- break;
- default:
- break;
- }
- objectID++;
- }
-}
-
-/**
- * extracts an authorityInfoAcess location
- */
-static void parse_authorityInfoAccess(chunk_t blob, int level0, linked_list_t *list)
-{
- asn1_ctx_t ctx;
- chunk_t object;
- u_int level;
- int objectID = 0;
- int accessMethod = OID_UNKNOWN;
-
- asn1_init(&ctx, blob, level0, FALSE, FALSE);
- while (objectID < AUTH_INFO_ACCESS_ROOF)
- {
- if (!extract_object(authorityInfoAccessObjects, &objectID, &object, &level, &ctx))
- {
- return;
- }
- switch (objectID)
- {
- case AUTH_INFO_ACCESS_METHOD:
- accessMethod = known_oid(object);
- break;
- case AUTH_INFO_ACCESS_LOCATION:
- {
- switch (accessMethod)
- {
- case OID_OCSP:
- case OID_CA_ISSUERS:
- {
- identification_t *accessLocation;
-
- accessLocation = parse_generalName(object, level+1);
- if (accessLocation == NULL)
- {
- /* parsing went wrong - abort */
- return;
- }
- DBG2(" '%D'", accessLocation);
- if (accessMethod == OID_OCSP)
- {
- list->insert_last(list, (void *)accessLocation);
- }
- else
- {
- /* caIsssuer accessLocation is not used yet */
- accessLocation->destroy(accessLocation);
- }
- }
- break;
- default:
- /* unkown accessMethod, ignoring */
- break;
- }
- break;
- }
- default:
- break;
- }
- objectID++;
- }
-}
-
-/**
- * extracts extendedKeyUsage OIDs
- */
-static bool parse_extendedKeyUsage(chunk_t blob, int level0)
-{
- asn1_ctx_t ctx;
- chunk_t object;
- u_int level;
- int objectID = 0;
-
- asn1_init(&ctx, blob, level0, FALSE, FALSE);
- while (objectID < EXT_KEY_USAGE_ROOF)
- {
- if (!extract_object(extendedKeyUsageObjects, &objectID, &object, &level, &ctx))
- {
- return FALSE;
- }
- if (objectID == EXT_KEY_USAGE_PURPOSE_ID &&
- known_oid(object) == OID_OCSP_SIGNING)
- {
- return TRUE;
- }
- objectID++;
- }
- return FALSE;
-}
-
-/**
- * extracts one or several crlDistributionPoints and puts them into
- * a chained list
- */
-static void parse_crlDistributionPoints(chunk_t blob, int level0, linked_list_t *list)
-{
- asn1_ctx_t ctx;
- chunk_t object;
- u_int level;
- int objectID = 0;
-
- asn1_init(&ctx, blob, level0, FALSE, FALSE);
- while (objectID < CRL_DIST_POINTS_ROOF)
- {
- if (!extract_object(crlDistributionPointsObjects, &objectID, &object, &level, &ctx))
- {
- return;
- }
- if (objectID == CRL_DIST_POINTS_FULLNAME)
- {
- /* append extracted generalNames to existing chained list */
- x509_parse_generalNames(object, level+1, TRUE, list);
-
- }
- objectID++;
- }
-}
-
-
-/**
- * Parses an X.509v3 certificate
- */
-static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *this)
-{
- asn1_ctx_t ctx;
- bool critical;
- chunk_t object;
- u_int level;
- int objectID = 0;
- int extn_oid = OID_UNKNOWN;
-
- asn1_init(&ctx, blob, level0, FALSE, FALSE);
- while (objectID < X509_OBJ_ROOF)
- {
- if (!extract_object(certObjects, &objectID, &object, &level, &ctx))
- {
- return FALSE;
- }
-
- /* those objects which will parsed further need the next higher level */
- level++;
-
- switch (objectID)
- {
- case X509_OBJ_CERTIFICATE:
- this->certificate = object;
- break;
- case X509_OBJ_TBS_CERTIFICATE:
- this->tbsCertificate = object;
- break;
- case X509_OBJ_VERSION:
- this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
- DBG2(" v%d", this->version);
- break;
- case X509_OBJ_SERIAL_NUMBER:
- this->serialNumber = object;
- break;
- case X509_OBJ_SIG_ALG:
- this->signatureAlgorithm = parse_algorithmIdentifier(object, level, NULL);
- break;
- case X509_OBJ_ISSUER:
- this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
- DBG2(" '%D'", this->issuer);
- break;
- case X509_OBJ_NOT_BEFORE:
- this->notBefore = parse_time(object, level);
- break;
- case X509_OBJ_NOT_AFTER:
- this->notAfter = parse_time(object, level);
- break;
- case X509_OBJ_SUBJECT:
- this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
- DBG2(" '%D'", this->subject);
- break;
- case X509_OBJ_SUBJECT_PUBLIC_KEY_ALGORITHM:
- if (parse_algorithmIdentifier(object, level, NULL) != OID_RSA_ENCRYPTION)
- {
- DBG1(" unsupported public key algorithm");
- return FALSE;
- }
- break;
- case X509_OBJ_SUBJECT_PUBLIC_KEY:
- if (ctx.blobs[4].len > 0 && *ctx.blobs[4].ptr == 0x00)
- {
- /* skip initial bit string octet defining 0 unused bits */
- ctx.blobs[4].ptr++; ctx.blobs[4].len--;
- }
- else
- {
- DBG1(" invalid RSA public key format");
- return FALSE;
- }
- break;
- case X509_OBJ_RSA_PUBLIC_KEY:
- this->subjectPublicKey = object;
- break;
- case X509_OBJ_EXTN_ID:
- extn_oid = known_oid(object);
- break;
- case X509_OBJ_CRITICAL:
- critical = object.len && *object.ptr;
- DBG2(" %s", critical ? "TRUE" : "FALSE");
- break;
- case X509_OBJ_EXTN_VALUE:
- {
- switch (extn_oid)
- {
- case OID_SUBJECT_KEY_ID:
- this->subjectKeyID = chunk_clone(parse_keyIdentifier(object, level, FALSE));
- break;
- case OID_SUBJECT_ALT_NAME:
- x509_parse_generalNames(object, level, FALSE, this->subjectAltNames);
- break;
- case OID_BASIC_CONSTRAINTS:
- this->isCA = parse_basicConstraints(object, level);
- break;
- case OID_CRL_DISTRIBUTION_POINTS:
- parse_crlDistributionPoints(object, level, this->crlDistributionPoints);
- break;
- case OID_AUTHORITY_KEY_ID:
- x509_parse_authorityKeyIdentifier(object, level,
- &this->authKeyID, &this->authKeySerialNumber);
- break;
- case OID_AUTHORITY_INFO_ACCESS:
- parse_authorityInfoAccess(object, level, this->ocspAccessLocations);
- break;
- case OID_EXTENDED_KEY_USAGE:
- this->isOcspSigner = parse_extendedKeyUsage(object, level);
- break;
- case OID_NS_REVOCATION_URL:
- case OID_NS_CA_REVOCATION_URL:
- case OID_NS_CA_POLICY_URL:
- case OID_NS_COMMENT:
- if (!parse_asn1_simple_object(&object, ASN1_IA5STRING , level, oid_names[extn_oid].name))
- return FALSE;
- break;
- default:
- break;
- }
- break;
- }
- case X509_OBJ_ALGORITHM:
- {
- int alg = parse_algorithmIdentifier(object, level, NULL);
-
- if (alg != this->signatureAlgorithm)
- {
- DBG1(" signature algorithms do not agree");
- return FALSE;
- }
- }
- break;
- case X509_OBJ_SIGNATURE:
- this->signature = object;
- break;
- default:
- break;
- }
- objectID++;
- }
-
- /* generate the subjectKeyID if it is missing in the certificate */
- if (this->subjectKeyID.ptr == NULL)
- {
- hasher_t *hasher = hasher_create(HASH_SHA1);
-
- hasher->allocate_hash(hasher, this->subjectPublicKey, &this->subjectKeyID);
- hasher->destroy(hasher);
- }
-
- this->installed = time(NULL);
- return TRUE;
-}
-
-/**
- * Implements x509_t.is_valid
- */
-static err_t is_valid(const private_x509_t *this, time_t *until)
-{
- time_t current_time = time(NULL);
-
- DBG2(" not before : %T", &this->notBefore);
- DBG2(" current time: %T", &current_time);
- DBG2(" not after : %T", &this->notAfter);
-
- if (until != NULL &&
- (*until == UNDEFINED_TIME || this->notAfter < *until))
- {
- *until = this->notAfter;
- }
- if (current_time < this->notBefore)
- {
- return "is not valid yet";
- }
- if (current_time > this->notAfter)
- {
- return "has expired";
- }
- DBG2(" certificate is valid");
- return NULL;
-}
-
-/**
- * Implements x509_t.is_ca
- */
-static bool is_ca(const private_x509_t *this)
-{
- return this->isCA;
-}
-
-/**
- * Implements x509_t.is_ocsp_signer
- */
-static bool is_ocsp_signer(const private_x509_t *this)
-{
- return this->isOcspSigner;
-}
-
-/**
- * Implements x509_t.is_self_signed
- */
-static bool is_self_signed(const private_x509_t *this)
-{
- return this->isSelfSigned;
-}
-
-/**
- * Implements x509_t.equals_subjectAltName
- */
-static bool equals_subjectAltName(const private_x509_t *this, identification_t *id)
-{
- bool found = FALSE;
- identification_t *subjectAltName;
- iterator_t *iterator;
-
- iterator = this->subjectAltNames->create_iterator(this->subjectAltNames, TRUE);
- while (iterator->iterate(iterator, (void**)&subjectAltName))
- {
- if (id->equals(id, subjectAltName))
- {
- found = TRUE;
- break;
- }
- }
- iterator->destroy(iterator);
- return found;
-}
-
-/**
- * Implements x509_t.is_issuer
- */
-static bool is_issuer(const private_x509_t *this, const private_x509_t *issuer)
-{
- return (this->authKeyID.ptr)
- ? chunk_equals(this->authKeyID, issuer->subjectKeyID)
- : (this->issuer->equals(this->issuer, issuer->subject)
- && chunk_equals_or_null(this->authKeySerialNumber, issuer->serialNumber));
-}
-
-/**
- * Implements x509_t.get_certificate
- */
-static chunk_t get_certificate(const private_x509_t *this)
-{
- return this->certificate;
-}
-
-/**
- * Implements x509_t.get_public_key
- */
-static rsa_public_key_t *get_public_key(const private_x509_t *this)
-{
- return this->public_key;
-}
-
-/**
- * Implements x509_t.get_serialNumber
- */
-static chunk_t get_serialNumber(const private_x509_t *this)
-{
- return this->serialNumber;
-}
-
-/**
- * Implements x509_t.get_subjectKeyID
- */
-static chunk_t get_subjectKeyID(const private_x509_t *this)
-{
- return this->subjectKeyID;
-}
-
-/**
- * Implements x509_t.get_keyid
- */
-static chunk_t get_keyid(const private_x509_t *this)
-{
- return this->public_key->get_keyid(this->public_key);
-}
-
-/**
- * Implements x509_t.get_issuer
- */
-static identification_t *get_issuer(const private_x509_t *this)
-{
- return this->issuer;
-}
-
-/**
- * Implements x509_t.get_subject
- */
-static identification_t *get_subject(const private_x509_t *this)
-{
- return this->subject;
-}
-
-/**
- * Implements x509_t.set_ca_info
- */
-static void set_ca_info(private_x509_t *this, ca_info_t *ca_info)
-{
- this->ca_info = ca_info;
-}
-
-/**
- * Implements x509_t.get_ca_info
- */
-static ca_info_t *get_ca_info(const private_x509_t *this)
-{
- return this->ca_info;
-}
-
-/**
- * Implements x509_t.set_until
- */
-static void set_until(private_x509_t *this, time_t until)
-{
- this->until = until;
-}
-
-/**
- * Implements x509_t.get_until
- */
-static time_t get_until(const private_x509_t *this)
-{
- return this->until;
-}
-
-/**
- * Implements x509_t.set_status
- */
-static void set_status(private_x509_t *this, cert_status_t status)
-{
- this->status = status;
-}
-
-/**
- * Implements x509_t.get_status
- */
-static cert_status_t get_status(const private_x509_t *this)
-{
- return this->status;
-}
-
-/**
- * Implements x509_t.add_authority_flags
- */
-static void add_authority_flags(private_x509_t *this, u_int flags)
-{
- this->authority_flags |= flags;
-}
-
-/**
- * Implements x509_t.add_authority_flags
- */
-static u_int get_authority_flags(private_x509_t *this)
-{
- return this->authority_flags;
-}
-
-/**
- * Implements x509_t.has_authority_flag
- */
-static bool has_authority_flag(private_x509_t *this, u_int flags)
-{
- return (this->authority_flags & flags) != AUTH_NONE;
-}
-
-/**
- * Implements x509_t.create_crluri_iterator
- */
-static iterator_t *create_crluri_iterator(const private_x509_t *this)
-{
- return this->crlDistributionPoints->create_iterator(this->crlDistributionPoints, TRUE);
-}
-
-/**
- * Implements x509_t.create_crluri_iterator
- */
-static iterator_t *create_ocspuri_iterator(const private_x509_t *this)
-{
- return this->ocspAccessLocations->create_iterator(this->ocspAccessLocations, TRUE);
-}
-
-/**
- * Implements x509_t.verify
- */
-static bool verify(const private_x509_t *this, const rsa_public_key_t *signer)
-{
- hash_algorithm_t algorithm = hasher_algorithm_from_oid(this->signatureAlgorithm);
-
- if (algorithm == HASH_UNKNOWN)
- {
- DBG1(" unknown signature algorithm");
- return FALSE;
- }
- return signer->verify_emsa_pkcs1_signature(signer, algorithm, this->tbsCertificate, this->signature) == SUCCESS;
-}
-
-/**
- * Implementation of x509_t.list.
- */
-static void list(private_x509_t *this, FILE *out, bool utc)
-{
- iterator_t *iterator;
- time_t now = time(NULL);
-
- fprintf(out, "%#T\n", &this->installed, utc);
-
- if (this->subjectAltNames->get_count(this->subjectAltNames))
- {
- identification_t *subjectAltName;
- bool first = TRUE;
-
- fprintf(out, " altNames: ");
- iterator = this->subjectAltNames->create_iterator(this->subjectAltNames, TRUE);
- while (iterator->iterate(iterator, (void**)&subjectAltName))
- {
- if (first)
- {
- first = FALSE;
- }
- else
- {
- fprintf(out, ", ");
- }
- fprintf(out, "'%D'", subjectAltName);
- }
- iterator->destroy(iterator);
- fprintf(out, "\n");
- }
- fprintf(out, " subject: '%D'\n", this->subject);
- fprintf(out, " issuer: '%D'\n", this->issuer);
- fprintf(out, " serial: %#B\n", &this->serialNumber);
- fprintf(out, " validity: not before %#T, ", &this->notBefore, utc);
- if (now < this->notBefore)
- {
- fprintf(out, "not valid yet (valid in %#V)\n", &now, &this->notBefore);
- }
- else
- {
- fprintf(out, "ok\n");
- }
-
- fprintf(out, " not after %#T, ", &this->notAfter, utc);
- if (now > this->notAfter)
- {
- fprintf(out, "expired (%#V ago)\n", &now, &this->notAfter);
- }
- else
- {
- fprintf(out, "ok");
- if (now > this->notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
- {
- fprintf(out, " (expires in %#V)", &now, &this->notAfter);
- }
- fprintf(out, " \n");
- }
-
- {
- chunk_t keyid = this->public_key->get_keyid(this->public_key);
- fprintf(out, " keyid: %#B\n", &keyid);
- }
-
- if (this->subjectKeyID.ptr)
- {
- fprintf(out, " subjkey: %#B\n", &this->subjectKeyID);
- }
- if (this->authKeyID.ptr)
- {
- fprintf(out, " authkey: %#B\n", &this->authKeyID);
- }
- if (this->authKeySerialNumber.ptr)
- {
- fprintf(out, " aserial: %#B\n", &this->authKeySerialNumber);
- }
-
- fprintf(out, " pubkey: RSA %d bits", BITS_PER_BYTE *
- this->public_key->get_keysize(this->public_key));
- fprintf(out, ", status %N",
- cert_status_names, this->status);
-
- switch (this->status)
- {
- case CERT_GOOD:
- fprintf(out, " until %#T", &this->until, utc);
- break;
- case CERT_REVOKED:
- fprintf(out, " on %#T", &this->until, utc);
- break;
- case CERT_UNKNOWN:
- case CERT_UNDEFINED:
- case CERT_UNTRUSTED:
- default:
- break;
- }
-}
-
-/**
- * Implements x509_t.add_subjectAltNames.
- */
-static void add_subjectAltNames(private_x509_t *this, linked_list_t *subjectAltNames)
-{
- iterator_t *iterator = subjectAltNames->create_iterator(subjectAltNames, TRUE);
- identification_t *name = NULL;
-
- while (iterator->iterate(iterator, (void**)&name))
- {
- name = name->clone(name);
- this->subjectAltNames->insert_last(this->subjectAltNames, (void*)name);
- }
- iterator->destroy(iterator);
-}
-
-/*
- * Defined in header.
- */
-chunk_t x509_build_generalNames(linked_list_t *list)
-{
- linked_list_t *generalNames = linked_list_create();
- iterator_t *iterator = list->create_iterator(list, TRUE);
- identification_t *name;
- chunk_t names = chunk_empty;
- size_t len = 0;
-
- while (iterator->iterate(iterator, (void**)&name))
- {
- asn1_t asn1_type = ASN1_EOC;
- chunk_t *generalName;
-
- switch (name->get_type(name))
- {
- case ID_RFC822_ADDR:
- asn1_type = ASN1_CONTEXT_S_1;
- break;
- case ID_FQDN:
- asn1_type = ASN1_CONTEXT_S_2;
- break;
- case ID_DER_ASN1_DN:
- asn1_type = ASN1_CONTEXT_C_4;
- break;
- case ID_DER_ASN1_GN_URI:
- asn1_type = ASN1_CONTEXT_S_6;
- break;
- case ID_IPV4_ADDR:
- case ID_IPV6_ADDR:
- asn1_type = ASN1_CONTEXT_S_7;
- break;
- default:
- continue;
- }
-
- generalName = malloc_thing(chunk_t);
- *generalName = asn1_simple_object(asn1_type, name->get_encoding(name));
- len += generalName->len;
- generalNames->insert_last(generalNames, (void*)generalName);
- }
- iterator->destroy(iterator);
-
- if (len > 0)
- {
- iterator_t *iterator = generalNames->create_iterator(generalNames, TRUE);
- chunk_t *generalName;
- u_char *pos = build_asn1_object(&names, ASN1_SEQUENCE, len);
-
- while (iterator->iterate(iterator, (void**)&generalName))
- {
- memcpy(pos, generalName->ptr, generalName->len);
- pos += generalName->len;
- free(generalName->ptr);
- free(generalName);
- }
- iterator->destroy(iterator);
- }
- generalNames->destroy(generalNames);
- return names;
-}
-
-/*
- * Defined in header.
- */
-chunk_t x509_build_subjectAltNames(linked_list_t *list)
-{
- chunk_t generalNames = x509_build_generalNames(list);
-
- if (generalNames.len)
- {
- return asn1_wrap(ASN1_SEQUENCE, "cm",
- ASN1_subjectAltName_oid,
- asn1_wrap(ASN1_OCTET_STRING, "m", generalNames)
- );
- }
- else
- {
- return chunk_empty;
- }
-}
-
-/**
- * Build a to-be-signed X.509 certificate body
- */
-static chunk_t x509_build_tbs(private_x509_t *this)
-{
- /* version is always X.509v3 */
- chunk_t version = asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2);
-
- chunk_t extensions = chunk_empty;
-
- if (this->subjectAltNames->get_count(this->subjectAltNames))
- {
- extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
- asn1_wrap(ASN1_SEQUENCE, "m",
- x509_build_subjectAltNames(this->subjectAltNames)));
- }
-
- return asn1_wrap(ASN1_SEQUENCE, "mmccmcmm",
- version,
- asn1_simple_object(ASN1_INTEGER, this->serialNumber),
- asn1_algorithmIdentifier(this->signatureAlgorithm),
- this->issuer->get_encoding(this->issuer),
- asn1_wrap(ASN1_SEQUENCE, "mm",
- timetoasn1(&this->notBefore, ASN1_UTCTIME),
- timetoasn1(&this->notAfter, ASN1_UTCTIME)
- ),
- this->subject->get_encoding(this->subject),
- this->public_key->get_publicKeyInfo(this->public_key),
- extensions
- );
-}
-
-/**
- * Implementation of x509_t.build_encoding.
- */
-static void build_encoding(private_x509_t *this, hash_algorithm_t alg,
- rsa_private_key_t *private_key)
-{
- chunk_t signature;
-
- this->signatureAlgorithm = hasher_signature_algorithm_to_oid(alg);
- this->tbsCertificate = x509_build_tbs(this);
- private_key->build_emsa_pkcs1_signature(private_key, alg,
- this->tbsCertificate, &signature);
- this->signature = asn1_bitstring("m", signature);
- this->certificate = asn1_wrap(ASN1_SEQUENCE, "mcm",
- this->tbsCertificate,
- asn1_algorithmIdentifier(this->signatureAlgorithm),
- this->signature);
-
-}
-
-/**
- * Implements x509_t.destroy
- */
-static void destroy(private_x509_t *this)
-{
- this->subjectAltNames->destroy_offset(this->subjectAltNames,
- offsetof(identification_t, destroy));
- this->crlDistributionPoints->destroy_offset(this->crlDistributionPoints,
- offsetof(identification_t, destroy));
- this->ocspAccessLocations->destroy_offset(this->ocspAccessLocations,
- offsetof(identification_t, destroy));
- DESTROY_IF(this->issuer);
- DESTROY_IF(this->subject);
- DESTROY_IF(this->public_key);
- free(this->subjectKeyID.ptr);
- free(this->certificate.ptr);
- free(this);
-}
-
-/**
- * Internal generic constructor
- */
-static private_x509_t *x509_create_empty(void)
-{
- private_x509_t *this = malloc_thing(private_x509_t);
-
- /* initialize */
- this->subjectPublicKey = chunk_empty;
- this->public_key = NULL;
- this->subject = NULL;
- this->issuer = NULL;
- this->ca_info = NULL;
- this->subjectAltNames = linked_list_create();
- this->crlDistributionPoints = linked_list_create();
- this->ocspAccessLocations = linked_list_create();
- this->subjectKeyID = chunk_empty;
- this->authKeyID = chunk_empty;
- this->authKeySerialNumber = chunk_empty;
- this->authority_flags = AUTH_NONE;
- this->isCA = FALSE;
- this->isOcspSigner = FALSE;
-
- /* public functions */
- this->public.equals = (bool (*) (const x509_t*,const x509_t*))equals;
- this->public.equals_subjectAltName = (bool (*) (const x509_t*,identification_t*))equals_subjectAltName;
- this->public.is_issuer = (bool (*) (const x509_t*,const x509_t*))is_issuer;
- this->public.is_valid = (err_t (*) (const x509_t*,time_t*))is_valid;
- this->public.is_ca = (bool (*) (const x509_t*))is_ca;
- this->public.is_self_signed = (bool (*) (const x509_t*))is_self_signed;
- this->public.is_ocsp_signer = (bool (*) (const x509_t*))is_ocsp_signer;
- this->public.get_certificate = (chunk_t (*) (const x509_t*))get_certificate;
- this->public.get_public_key = (rsa_public_key_t* (*) (const x509_t*))get_public_key;
- this->public.get_serialNumber = (chunk_t (*) (const x509_t*))get_serialNumber;
- this->public.get_subjectKeyID = (chunk_t (*) (const x509_t*))get_subjectKeyID;
- this->public.get_keyid = (chunk_t (*) (const x509_t*))get_keyid;
- this->public.get_issuer = (identification_t* (*) (const x509_t*))get_issuer;
- this->public.get_subject = (identification_t* (*) (const x509_t*))get_subject;
- this->public.set_ca_info = (void (*) (x509_t*,ca_info_t*))set_ca_info;
- this->public.get_ca_info = (ca_info_t* (*) (const x509_t*))get_ca_info;
- this->public.set_until = (void (*) (x509_t*,time_t))set_until;
- this->public.get_until = (time_t (*) (const x509_t*))get_until;
- this->public.set_status = (void (*) (x509_t*,cert_status_t))set_status;
- this->public.get_status = (cert_status_t (*) (const x509_t*))get_status;
- this->public.add_authority_flags = (void (*) (x509_t*,u_int))add_authority_flags;
- this->public.get_authority_flags = (u_int (*) (x509_t*))get_authority_flags;
- this->public.has_authority_flag = (bool (*) (x509_t*,u_int))has_authority_flag;
- this->public.create_crluri_iterator = (iterator_t* (*) (const x509_t*))create_crluri_iterator;
- this->public.create_ocspuri_iterator = (iterator_t* (*) (const x509_t*))create_ocspuri_iterator;
- this->public.verify = (bool (*) (const x509_t*,const rsa_public_key_t*))verify;
- this->public.list = (void (*) (x509_t*, FILE *out, bool utc))list;
- this->public.add_subjectAltNames = (void (*) (x509_t*,linked_list_t*))add_subjectAltNames;
- this->public.build_encoding = (void (*) (x509_t*,hash_algorithm_t,rsa_private_key_t*))build_encoding;
- this->public.destroy = (void (*) (x509_t*))destroy;
-
- return this;
-}
-
-/*
- * Described in header.
- */
-x509_t *x509_create(chunk_t serialNumber, identification_t *issuer,
- time_t notBefore, time_t notAfter,
- identification_t *subject,
- rsa_public_key_t *public_key)
-{
- private_x509_t *this = x509_create_empty();
-
- this->serialNumber = serialNumber;
- this->issuer = issuer->clone(issuer);
- this->notBefore = notBefore;
- this->notAfter = notAfter;
- this->subject = subject->clone(subject);
- this->public_key = public_key->clone(public_key);
-
- return &this->public;
-}
-
-/*
- * Described in header.
- */
-x509_t *x509_create_from_chunk(chunk_t chunk, u_int level)
-{
- private_x509_t *this = x509_create_empty();
-
- if (!parse_certificate(chunk, level, this))
- {
- destroy(this);
- return NULL;
- }
-
- /* extract public key from certificate */
- this->public_key = rsa_public_key_create_from_chunk(this->subjectPublicKey);
- if (this->public_key == NULL)
- {
- destroy(this);
- return NULL;
- }
-
- /* set trusted lifetime of public key to notAfter */
- this->until = this->notAfter;
-
- /* check if the certificate is self-signed */
- this->isSelfSigned = FALSE;
- if (this->subject->equals(this->subject, this->issuer))
- {
- hash_algorithm_t algorithm = hasher_algorithm_from_oid(this->signatureAlgorithm);
-
- if (algorithm == HASH_UNKNOWN)
- {
- destroy(this);
- return NULL;
- }
- this->isSelfSigned = this->public_key->verify_emsa_pkcs1_signature(this->public_key,
- algorithm, this->tbsCertificate, this->signature) == SUCCESS;
- }
- if (this->isSelfSigned)
- {
- DBG2(" certificate is self-signed");
- this->status = CERT_GOOD;
- }
- else
- {
- this->status = CERT_UNDEFINED;
- }
-
- return &this->public;
-}
-
-/*
- * Described in header.
- */
-x509_t *x509_create_from_file(const char *filename, const char *label)
-{
- bool pgp = FALSE;
- chunk_t chunk = chunk_empty;
- char cert_label[BUF_LEN];
-
- snprintf(cert_label, BUF_LEN, "%s certificate", label);
-
- if (!pem_asn1_load_file(filename, NULL, cert_label, &chunk, &pgp))
- {
- return NULL;
- }
- return x509_create_from_chunk(chunk, 0);
-}