summaryrefslogtreecommitdiff
path: root/src/libstrongswan/plugins/x509/x509_cert.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan/plugins/x509/x509_cert.c')
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c293
1 files changed, 243 insertions, 50 deletions
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 9f76c3486..e618f31d8 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -17,7 +17,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: x509_cert.c 4576 2008-11-05 08:32:38Z martin $
+ * $Id: x509_cert.c 4767 2008-12-08 19:15:38Z martin $
*/
#define _GNU_SOURCE
@@ -66,7 +66,7 @@ struct private_x509_cert_t {
* Public interface for this certificate.
*/
x509_cert_t public;
-
+
/**
* X.509 certificate encoding in ASN.1 DER format
*/
@@ -76,7 +76,7 @@ struct private_x509_cert_t {
* SHA1 hash of the DER encoding of this X.509 certificate
*/
chunk_t encoding_hash;
-
+
/**
* X.509 certificate body over which signature is computed
*/
@@ -96,17 +96,17 @@ struct private_x509_cert_t {
* ID representing the certificate issuer
*/
identification_t *issuer;
-
+
/**
* Start time of certificate validity
*/
time_t notBefore;
-
+
/**
* End time of certificate validity
*/
time_t notAfter;
-
+
/**
* ID representing the certificate subject
*/
@@ -121,12 +121,12 @@ struct private_x509_cert_t {
* List of crlDistributionPoints as allocated char*
*/
linked_list_t *crl_uris;
-
+
/**
* List ocspAccessLocations as identification_t
*/
linked_list_t *ocsp_uris;
-
+
/**
* certificates embedded public key
*/
@@ -136,12 +136,12 @@ struct private_x509_cert_t {
* Subject Key Identifier
*/
chunk_t subjectKeyID;
-
+
/**
* Authority Key Identifier
*/
identification_t *authKeyIdentifier;
-
+
/**
* Authority Key Serial Number
*/
@@ -151,18 +151,23 @@ struct private_x509_cert_t {
* x509 constraints and other flags
*/
x509_flag_t flags;
-
+
/**
* Signature algorithm
*/
int algorithm;
-
+
/**
* Signature
*/
chunk_t signature;
/**
+ * Certificate parsed from blob/file?
+ */
+ bool parsed;
+
+ /**
* reference count
*/
refcount_t ref;
@@ -258,7 +263,7 @@ static bool parse_otherName(chunk_t blob, int level0)
}
}
success = parser->success(parser);
-
+
end:
parser->destroy(parser);
return success;
@@ -306,16 +311,16 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
asn1_parser_t *parser;
chunk_t object;
int objectID ;
-
+
identification_t *gn = NULL;
-
+
parser = asn1_parser_create(generalNameObjects, blob);
parser->set_top_level(parser, level0);
-
+
while (parser->iterate(parser, &objectID, &object))
{
id_type_t id_type = ID_ANY;
-
+
switch (objectID)
{
case GN_OBJ_RFC822_NAME:
@@ -329,7 +334,7 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
break;
case GN_OBJ_DIRECTORY_NAME:
id_type = ID_DER_ASN1_DN;
- break;
+ break;
case GN_OBJ_IP_ADDRESS:
id_type = ID_IPV4_ADDR;
break;
@@ -350,12 +355,12 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
gn = identification_create_from_encoding(id_type, object);
DBG2(" '%D'", gn);
goto end;
- }
- }
-
+ }
+ }
+
end:
parser->destroy(parser);
- return gn;
+ return gn;
}
/**
@@ -377,18 +382,18 @@ void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_lis
asn1_parser_t *parser;
chunk_t object;
int objectID;
-
+
parser = asn1_parser_create(generalNamesObjects, blob);
parser->set_top_level(parser, level0);
parser->set_flags(parser, implicit, FALSE);
-
+
while (parser->iterate(parser, &objectID, &object))
{
if (objectID == GENERAL_NAMES_GN)
{
identification_t *gn = parse_generalName(object,
parser->get_level(parser)+1);
-
+
if (gn)
{
list->insert_last(list, (void *)gn);
@@ -425,12 +430,12 @@ identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
chunk_t object;
int objectID;
identification_t *authKeyIdentifier = NULL;
-
+
*authKeySerialNumber = chunk_empty;
-
+
parser = asn1_parser_create(authKeyIdentifierObjects, blob);
parser->set_top_level(parser, level0);
-
+
while (parser->iterate(parser, &objectID, &object))
{
switch (objectID)
@@ -480,7 +485,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
parser = asn1_parser_create(authInfoAccessObjects, blob);
parser->set_top_level(parser, level0);
-
+
while (parser->iterate(parser, &objectID, &object))
{
switch (objectID)
@@ -497,7 +502,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
{
identification_t *id;
char *uri;
-
+
id = parse_generalName(object,
parser->get_level(parser)+1);
if (id == NULL)
@@ -524,7 +529,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
break;
}
}
-
+
end:
parser->destroy(parser);
}
@@ -552,7 +557,7 @@ static bool parse_extendedKeyUsage(chunk_t blob, int level0)
parser = asn1_parser_create(extendedKeyUsageObjects, blob);
parser->set_top_level(parser, level0);
-
+
while (parser->iterate(parser, &objectID, &object))
{
if (objectID == EXT_KEY_USAGE_PURPOSE_ID &&
@@ -599,13 +604,13 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0,
parser = asn1_parser_create(crlDistributionPointsObjects, blob);
parser->set_top_level(parser, level0);
-
+
while (parser->iterate(parser, &objectID, &object))
{
if (objectID == CRL_DIST_POINTS_FULLNAME)
{
identification_t *id;
-
+
/* append extracted generalNames to existing chained list */
x509_parse_generalNames(object, parser->get_level(parser)+1,
TRUE, list);
@@ -613,7 +618,7 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0,
while (list->remove_last(list, (void**)&id) == SUCCESS)
{
char *uri;
-
+
if (asprintf(&uri, "%D", id) > 0)
{
this->crl_uris->insert_last(this->crl_uris, uri);
@@ -687,11 +692,11 @@ static bool parse_certificate(private_x509_cert_t *this)
bool critical;
parser = asn1_parser_create(certObjects, this->encoding);
-
+
while (parser->iterate(parser, &objectID, &object))
{
u_int level = parser->get_level(parser)+1;
-
+
switch (objectID)
{
case X509_OBJ_TBS_CERTIFICATE:
@@ -806,7 +811,7 @@ static bool parse_certificate(private_x509_cert_t *this)
}
}
success = parser->success(parser);
-
+
end:
parser->destroy(parser);
return success;
@@ -850,7 +855,7 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
{
return ID_MATCH_PERFECT;
}
-
+
best = this->subject->matches(this->subject, subject);
enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
while (enumerator->enumerate(enumerator, &current))
@@ -1001,7 +1006,7 @@ static bool is_newer(certificate_t *this, certificate_t *that)
{
time_t this_update, that_update, now = time(NULL);
bool new;
-
+
this->get_validity(this, &now, &this_update, NULL);
that->get_validity(that, &now, &that_update, NULL);
new = this_update > that_update;
@@ -1026,7 +1031,7 @@ static bool equals(private_x509_cert_t *this, certificate_t *other)
{
chunk_t encoding;
bool equal;
-
+
if (this == (private_x509_cert_t*)other)
{
return TRUE;
@@ -1102,6 +1107,12 @@ static void destroy(private_x509_cert_t *this)
DESTROY_IF(this->authKeyIdentifier);
chunk_free(&this->encoding);
chunk_free(&this->encoding_hash);
+ if (!this->parsed)
+ { /* only parsed certificates point these fields to "encoded" */
+ chunk_free(&this->signature);
+ chunk_free(&this->serialNumber);
+ chunk_free(&this->tbsCertificate);
+ }
free(this);
}
}
@@ -1132,9 +1143,14 @@ static private_x509_cert_t* create_empty(void)
this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator;
this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator;
this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator;
-
+
this->encoding = chunk_empty;
this->encoding_hash = chunk_empty;
+ this->tbsCertificate = chunk_empty;
+ this->version = 3;
+ this->serialNumber = chunk_empty;
+ this->notBefore = 0;
+ this->notAfter = 0;
this->public_key = NULL;
this->subject = NULL;
this->issuer = NULL;
@@ -1144,9 +1160,12 @@ static private_x509_cert_t* create_empty(void)
this->subjectKeyID = chunk_empty;
this->authKeyIdentifier = NULL;
this->authKeySerialNumber = chunk_empty;
+ this->algorithm = 0;
+ this->signature = chunk_empty;
this->flags = 0;
this->ref = 1;
-
+ this->parsed = FALSE;
+
return this;
}
@@ -1155,22 +1174,23 @@ static private_x509_cert_t* create_empty(void)
*/
static private_x509_cert_t *create_from_chunk(chunk_t chunk)
{
+ hasher_t *hasher;
private_x509_cert_t *this = create_empty();
-
+
this->encoding = chunk;
if (!parse_certificate(this))
{
destroy(this);
return NULL;
}
-
+
/* check if the certificate is self-signed */
if (issued_by(this, &this->public.interface.interface))
{
this->flags |= X509_SELF_SIGNED;
}
- hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
if (hasher != NULL)
{
hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
@@ -1181,6 +1201,7 @@ static private_x509_cert_t *create_from_chunk(chunk_t chunk)
DBG1(" unable to create hash of certificate, SHA1 not supported");
}
+ this->parsed = TRUE;
return this;
}
@@ -1207,7 +1228,6 @@ static private_x509_cert_t *create_from_file(char *path)
}
DBG1(" loaded certificate file '%s'", path);
return this;
-
}
typedef struct private_builder_t private_builder_t;
@@ -1221,21 +1241,137 @@ struct private_builder_t {
private_x509_cert_t *cert;
/** additional flags to enforce */
x509_flag_t flags;
+ /** certificate to sign, if we generate a new cert */
+ certificate_t *sign_cert;
+ /** private key to sign, if we generate a new cert */
+ private_key_t *sign_key;
};
/**
+ * Generate and sign a new certificate
+ */
+static bool generate(private_builder_t *this)
+{
+ chunk_t extensions = chunk_empty;
+ identification_t *issuer, *subject;
+ chunk_t key_info, key;
+ signature_scheme_t scheme;
+ hasher_t *hasher;
+
+ subject = this->cert->subject;
+ if (this->sign_cert)
+ {
+ issuer = this->sign_cert->get_subject(this->sign_cert);
+ if (!this->cert->public_key)
+ {
+ return FALSE;
+ }
+ }
+ else
+ { /* self signed */
+ issuer = subject;
+ if (!this->cert->public_key)
+ {
+ this->cert->public_key = this->sign_key->get_public_key(this->sign_key);
+ }
+ this->flags |= X509_SELF_SIGNED;
+ }
+ this->cert->issuer = issuer->clone(issuer);
+ if (!this->cert->notBefore)
+ {
+ this->cert->notBefore = time(NULL);
+ }
+ if (!this->cert->notAfter)
+ { /* defaults to 1 years from now on */
+ this->cert->notAfter = this->cert->notBefore + 60 * 60 * 24 * 365;
+ }
+ this->cert->flags = this->flags;
+
+ switch (this->sign_key->get_type(this->sign_key))
+ {
+ case KEY_RSA:
+ this->cert->algorithm = OID_SHA1_WITH_RSA;
+ scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+ break;
+ default:
+ return FALSE;
+ }
+
+ switch (this->cert->public_key->get_type(this->cert->public_key))
+ {
+ case KEY_RSA:
+ key = this->cert->public_key->get_encoding(this->cert->public_key);
+ key_info = asn1_wrap(ASN1_SEQUENCE, "cm",
+ asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+ asn1_bitstring("m", key));
+ break;
+ default:
+ return FALSE;
+ }
+
+ if (this->cert->subjectAltNames->get_count(this->cert->subjectAltNames))
+ {
+ /* TODO: encode subjectAltNames */
+ }
+
+ this->cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmccmcmm",
+ asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
+ asn1_simple_object(ASN1_INTEGER, this->cert->serialNumber),
+ asn1_algorithmIdentifier(this->cert->algorithm),
+ issuer->get_encoding(issuer),
+ asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_from_time(&this->cert->notBefore, ASN1_UTCTIME),
+ asn1_from_time(&this->cert->notAfter, ASN1_UTCTIME)),
+ subject->get_encoding(subject),
+ key_info, extensions);
+
+ if (!this->sign_key->sign(this->sign_key, scheme,
+ this->cert->tbsCertificate, &this->cert->signature))
+ {
+ return FALSE;
+ }
+ this->cert->encoding = asn1_wrap(ASN1_SEQUENCE, "ccm",
+ this->cert->tbsCertificate,
+ asn1_algorithmIdentifier(this->cert->algorithm),
+ asn1_bitstring("c", this->cert->signature));
+
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+ if (!hasher)
+ {
+ return FALSE;
+ }
+ hasher->allocate_hash(hasher, this->cert->encoding,
+ &this->cert->encoding_hash);
+ hasher->destroy(hasher);
+ return TRUE;
+}
+
+/**
* Implementation of builder_t.build
*/
static private_x509_cert_t *build(private_builder_t *this)
{
- private_x509_cert_t *cert = this->cert;
- x509_flag_t flags = this->flags;
-
+ private_x509_cert_t *cert;
+ x509_flag_t flags;
+
+ if (this->cert && !this->cert->encoding.ptr)
+ {
+ if (!this->sign_key || !this->cert ||
+ !generate(this))
+ {
+ destroy(this->cert);
+ free(this);
+ return NULL;
+ }
+ }
+ cert = this->cert;
+ flags = this->flags;
free(this);
if (cert == NULL)
{
return NULL;
}
+
if ((flags & X509_CA) && !(cert->flags & X509_CA))
{
DBG1(" ca certificate must have ca basic constraint set, discarded");
@@ -1253,6 +1389,7 @@ static void add(private_builder_t *this, builder_part_t part, ...)
{
va_list args;
chunk_t chunk;
+ bool handled = TRUE;
va_start(args, part);
switch (part)
@@ -1267,6 +1404,60 @@ static void add(private_builder_t *this, builder_part_t part, ...)
case BUILD_X509_FLAG:
this->flags = va_arg(args, x509_flag_t);
break;
+ case BUILD_SIGNING_KEY:
+ this->sign_key = va_arg(args, private_key_t*);
+ break;
+ case BUILD_SIGNING_CERT:
+ this->sign_cert = va_arg(args, certificate_t*);
+ break;
+ default:
+ /* all other parts need an empty cert */
+ if (!this->cert)
+ {
+ this->cert = create_empty();
+ }
+ handled = FALSE;
+ break;
+ }
+ if (handled)
+ {
+ va_end(args);
+ return;
+ }
+
+ switch (part)
+ {
+ case BUILD_PUBLIC_KEY:
+ {
+ public_key_t *key = va_arg(args, public_key_t*);
+ this->cert->public_key = key->get_ref(key);
+ break;
+ }
+ case BUILD_SUBJECT:
+ {
+ identification_t *id = va_arg(args, identification_t*);
+ this->cert->subject = id->clone(id);
+ break;
+ }
+ case BUILD_SUBJECT_ALTNAME:
+ {
+ identification_t *id = va_arg(args, identification_t*);
+ this->cert->subjectAltNames->insert_last(
+ this->cert->subjectAltNames, id->clone(id));
+ break;
+ }
+ case BUILD_NOT_BEFORE_TIME:
+ this->cert->notBefore = va_arg(args, time_t);
+ break;
+ case BUILD_NOT_AFTER_TIME:
+ this->cert->notAfter = va_arg(args, time_t);
+ break;
+ case BUILD_SERIAL:
+ {
+ chunk_t serial = va_arg(args, chunk_t);
+ this->cert->serialNumber = chunk_clone(serial);
+ break;
+ }
default:
/* abort if unsupported option */
if (this->cert)
@@ -1295,6 +1486,8 @@ builder_t *x509_cert_builder(certificate_type_t type)
this->cert = NULL;
this->flags = 0;
+ this->sign_cert = NULL;
+ this->sign_key = NULL;
this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
this->public.build = (void*(*)(builder_t *this))build;