diff options
Diffstat (limited to 'src/libstrongswan/plugins/x509')
| -rw-r--r-- | src/libstrongswan/plugins/x509/Makefile.in | 9 | ||||
| -rw-r--r-- | src/libstrongswan/plugins/x509/x509_cert.c | 446 | ||||
| -rw-r--r-- | src/libstrongswan/plugins/x509/x509_crl.c | 88 | ||||
| -rw-r--r-- | src/libstrongswan/plugins/x509/x509_plugin.c | 13 |
4 files changed, 556 insertions, 0 deletions
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in index 57deab98e..785d6441c 100644 --- a/src/libstrongswan/plugins/x509/Makefile.in +++ b/src/libstrongswan/plugins/x509/Makefile.in @@ -221,7 +221,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,8 +266,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index 526dbe8c6..0eabc8010 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -117,7 +117,11 @@ struct private_x509_cert_t { linked_list_t *subjectAltNames; /** +<<<<<<< HEAD + * List of crlDistributionPoints as allocated char* +======= * List of crlDistributionPoints as x509_cdp_t* +>>>>>>> upstream/4.5.1 */ linked_list_t *crl_uris; @@ -132,6 +136,8 @@ struct private_x509_cert_t { linked_list_t *ipAddrBlocks; /** +<<<<<<< HEAD +======= * List of permitted name constraints */ linked_list_t *permitted_names; @@ -152,6 +158,7 @@ struct private_x509_cert_t { linked_list_t *policy_mappings; /** +>>>>>>> upstream/4.5.1 * certificate's embedded public key */ public_key_t *public_key; @@ -174,6 +181,9 @@ struct private_x509_cert_t { /** * Path Length Constraint */ +<<<<<<< HEAD + int pathLenConstraint; +======= u_char pathLenConstraint; /** @@ -190,6 +200,7 @@ struct private_x509_cert_t { * inhibitAnyPolicy Constraint */ u_char inhibit_any; +>>>>>>> upstream/4.5.1 /** * x509 constraints and other flags @@ -222,6 +233,8 @@ static const chunk_t ASN1_subjectAltName_oid = chunk_from_chars( ); /** +<<<<<<< HEAD +======= * Destroy a CertificateDistributionPoint */ static void crl_uri_destroy(x509_cdp_t *this) @@ -269,6 +282,7 @@ static u_int parse_constraint(chunk_t object) } /** +>>>>>>> upstream/4.5.1 * ASN.1 definition of a basicConstraints extension */ static const asn1Object_t basicConstraintsObjects[] = { @@ -310,7 +324,19 @@ static void parse_basicConstraints(chunk_t blob, int level0, case BASIC_CONSTRAINTS_PATH_LEN: if (isCA) { +<<<<<<< HEAD + if (object.len == 0) + { + this->pathLenConstraint = 0; + } + else if (object.len == 1) + { + this->pathLenConstraint = *object.ptr; + } + /* we ignore path length constraints > 127 */ +======= this->pathLenConstraint = parse_constraint(object); +>>>>>>> upstream/4.5.1 } break; default: @@ -648,7 +674,11 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0, } break; default: +<<<<<<< HEAD + /* unkown accessMethod, ignoring */ +======= /* unknown accessMethod, ignoring */ +>>>>>>> upstream/4.5.1 break; } break; @@ -663,6 +693,8 @@ end: } /** +<<<<<<< HEAD +======= * Extract KeyUsage flags */ static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this) @@ -717,6 +749,7 @@ static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this) } /** +>>>>>>> upstream/4.5.1 * ASN.1 definition of a extendedKeyUsage extension */ static const asn1Object_t extendedKeyUsageObjects[] = { @@ -728,7 +761,11 @@ static const asn1Object_t extendedKeyUsageObjects[] = { #define EXT_KEY_USAGE_PURPOSE_ID 1 /** +<<<<<<< HEAD + * Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned +======= * Extracts extendedKeyUsage OIDs +>>>>>>> upstream/4.5.1 */ static void parse_extendedKeyUsage(chunk_t blob, int level0, private_x509_cert_t *this) @@ -777,11 +814,18 @@ static const asn1Object_t crlDistributionPointsObjects[] = { { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */ { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */ +<<<<<<< HEAD + { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_BODY }, /* 10 */ +======= { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */ +>>>>>>> upstream/4.5.1 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */ { 0, "exit", ASN1_EOC, ASN1_EXIT } }; +<<<<<<< HEAD +#define CRL_DIST_POINTS_FULLNAME 3 +======= #define CRL_DIST_POINTS 1 #define CRL_DIST_POINTS_FULLNAME 3 #define CRL_DIST_POINTS_ISSUER 10 @@ -830,10 +874,21 @@ static void add_cdps(linked_list_t *list, linked_list_t *uris, id->destroy(id); } } +>>>>>>> upstream/4.5.1 /** * Extracts one or several crlDistributionPoints into a list */ +<<<<<<< HEAD +static void parse_crlDistributionPoints(chunk_t blob, int level0, + private_x509_cert_t *this) +{ + asn1_parser_t *parser; + chunk_t object; + int objectID; + linked_list_t *list = linked_list_create(); + +======= void x509_parse_crlDistributionPoints(chunk_t blob, int level0, linked_list_t *list) { @@ -844,11 +899,36 @@ void x509_parse_crlDistributionPoints(chunk_t blob, int level0, uris = linked_list_create(); issuers = linked_list_create(); +>>>>>>> upstream/4.5.1 parser = asn1_parser_create(crlDistributionPointsObjects, blob); parser->set_top_level(parser, level0); while (parser->iterate(parser, &objectID, &object)) { +<<<<<<< HEAD + if (objectID == CRL_DIST_POINTS_FULLNAME) + { + identification_t *id; + + /* append extracted generalNames to existing chained list */ + x509_parse_generalNames(object, parser->get_level(parser)+1, + TRUE, list); + + while (list->remove_last(list, (void**)&id) == SUCCESS) + { + char *uri; + + if (asprintf(&uri, "%Y", id) > 0) + { + this->crl_uris->insert_last(this->crl_uris, uri); + } + id->destroy(id); + } + } + } + parser->destroy(parser); + list->destroy(list); +======= switch (objectID) { case CRL_DIST_POINTS: @@ -1099,6 +1179,7 @@ static void parse_policyConstraints(chunk_t blob, int level0, } } parser->destroy(parser); +>>>>>>> upstream/4.5.1 } /** @@ -1293,6 +1374,14 @@ static const asn1Object_t certObjects[] = { #define X509_OBJ_SIGNATURE 25 /** +<<<<<<< HEAD + * forward declaration + */ +static bool issued_by(private_x509_cert_t *this, certificate_t *issuer); + +/** +======= +>>>>>>> upstream/4.5.1 * Parses an X.509v3 certificate */ static bool parse_certificate(private_x509_cert_t *this) @@ -1392,8 +1481,12 @@ static bool parse_certificate(private_x509_cert_t *this) parse_basicConstraints(object, level, this); break; case OID_CRL_DISTRIBUTION_POINTS: +<<<<<<< HEAD + parse_crlDistributionPoints(object, level, this); +======= x509_parse_crlDistributionPoints(object, level, this->crl_uris); +>>>>>>> upstream/4.5.1 break; case OID_AUTHORITY_KEY_ID: this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object, @@ -1403,7 +1496,11 @@ static bool parse_certificate(private_x509_cert_t *this) parse_authorityInfoAccess(object, level, this); break; case OID_KEY_USAGE: +<<<<<<< HEAD + /* TODO parse the flags */ +======= parse_keyUsage(object, this); +>>>>>>> upstream/4.5.1 break; case OID_EXTENDED_KEY_USAGE: parse_extendedKeyUsage(object, level, this); @@ -1411,6 +1508,8 @@ static bool parse_certificate(private_x509_cert_t *this) case OID_IP_ADDR_BLOCKS: parse_ipAddrBlocks(object, level, this); break; +<<<<<<< HEAD +======= case OID_NAME_CONSTRAINTS: parse_nameConstraints(object, level, this); break; @@ -1431,6 +1530,7 @@ static bool parse_certificate(private_x509_cert_t *this) } this->inhibit_any = parse_constraint(object); break; +>>>>>>> upstream/4.5.1 case OID_NS_REVOCATION_URL: case OID_NS_CA_REVOCATION_URL: case OID_NS_CA_POLICY_URL: @@ -1443,9 +1543,15 @@ static bool parse_certificate(private_x509_cert_t *this) break; default: if (critical && lib->settings->get_bool(lib->settings, +<<<<<<< HEAD + "libstrongswan.plugins.x509.enforce_critical", FALSE)) + { + DBG1(DBG_LIB, "critical %s extension not supported", +======= "libstrongswan.x509.enforce_critical", TRUE)) { DBG1(DBG_LIB, "critical '%s' extension not supported", +>>>>>>> upstream/4.5.1 (extn_oid == OID_UNKNOWN) ? "unknown" : (char*)oid_names[extn_oid].name); goto end; @@ -1478,9 +1584,13 @@ end: hasher_t *hasher; /* check if the certificate is self-signed */ +<<<<<<< HEAD + if (issued_by(this, &this->public.interface.interface)) +======= if (this->public.interface.interface.issued_by( &this->public.interface.interface, &this->public.interface.interface)) +>>>>>>> upstream/4.5.1 { this->flags |= X509_SELF_SIGNED; } @@ -1497,26 +1607,54 @@ end: return success; } +<<<<<<< HEAD +/** + * Implementation of certificate_t.get_type + */ +static certificate_type_t get_type(private_x509_cert_t *this) +======= METHOD(certificate_t, get_type, certificate_type_t, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { return CERT_X509; } +<<<<<<< HEAD +/** + * Implementation of certificate_t.get_subject + */ +static identification_t* get_subject(private_x509_cert_t *this) +======= METHOD(certificate_t, get_subject, identification_t*, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { return this->subject; } +<<<<<<< HEAD +/** + * Implementation of certificate_t.get_issuer + */ +static identification_t* get_issuer(private_x509_cert_t *this) +======= METHOD(certificate_t, get_issuer, identification_t*, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { return this->issuer; } +<<<<<<< HEAD +/** + * Implementation of certificate_t.has_subject. + */ +static id_match_t has_subject(private_x509_cert_t *this, identification_t *subject) +======= METHOD(certificate_t, has_subject, id_match_t, private_x509_cert_t *this, identification_t *subject) +>>>>>>> upstream/4.5.1 { identification_t *current; enumerator_t *enumerator; @@ -1557,15 +1695,29 @@ METHOD(certificate_t, has_subject, id_match_t, return best; } +<<<<<<< HEAD +/** + * Implementation of certificate_t.has_issuer. + */ +static id_match_t has_issuer(private_x509_cert_t *this, identification_t *issuer) +======= METHOD(certificate_t, has_issuer, id_match_t, private_x509_cert_t *this, identification_t *issuer) +>>>>>>> upstream/4.5.1 { /* issuerAltNames currently not supported */ return this->issuer->matches(this->issuer, issuer); } +<<<<<<< HEAD +/** + * Implementation of certificate_t.issued_by. + */ +static bool issued_by(private_x509_cert_t *this, certificate_t *issuer) +======= METHOD(certificate_t, issued_by, bool, private_x509_cert_t *this, certificate_t *issuer) +>>>>>>> upstream/4.5.1 { public_key_t *key; signature_scheme_t scheme; @@ -1612,13 +1764,44 @@ METHOD(certificate_t, issued_by, bool, return valid; } +<<<<<<< HEAD +/** + * Implementation of certificate_t.get_public_key + */ +static public_key_t* get_public_key(private_x509_cert_t *this) +======= METHOD(certificate_t, get_public_key, public_key_t*, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { this->public_key->get_ref(this->public_key); return this->public_key; } +<<<<<<< HEAD +/** + * Implementation of certificate_t.get_ref + */ +static private_x509_cert_t* get_ref(private_x509_cert_t *this) +{ + ref_get(&this->ref); + return this; +} + +/** + * Implementation of x509_cert_t.get_flags. + */ +static x509_flag_t get_flags(private_x509_cert_t *this) +{ + return this->flags; +} + +/** + * Implementation of x509_cert_t.get_validity. + */ +static bool get_validity(private_x509_cert_t *this, time_t *when, + time_t *not_before, time_t *not_after) +======= METHOD(certificate_t, get_ref, certificate_t*, private_x509_cert_t *this) { @@ -1629,6 +1812,7 @@ METHOD(certificate_t, get_ref, certificate_t*, METHOD(certificate_t, get_validity, bool, private_x509_cert_t *this, time_t *when, time_t *not_before, time_t *not_after) +>>>>>>> upstream/4.5.1 { time_t t = when ? *when : time(NULL); @@ -1643,8 +1827,16 @@ METHOD(certificate_t, get_validity, bool, return (t >= this->notBefore && t <= this->notAfter); } +<<<<<<< HEAD +/** + * Implementation of certificate_t.get_encoding. + */ +static bool get_encoding(private_x509_cert_t *this, cred_encoding_type_t type, + chunk_t *encoding) +======= METHOD(certificate_t, get_encoding, bool, private_x509_cert_t *this, cred_encoding_type_t type, chunk_t *encoding) +>>>>>>> upstream/4.5.1 { if (type == CERT_ASN1_DER) { @@ -1655,8 +1847,15 @@ METHOD(certificate_t, get_encoding, bool, CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END); } +<<<<<<< HEAD +/** + * Implementation of certificate_t.equals. + */ +static bool equals(private_x509_cert_t *this, certificate_t *other) +======= METHOD(certificate_t, equals, bool, private_x509_cert_t *this, certificate_t *other) +>>>>>>> upstream/4.5.1 { chunk_t encoding; bool equal; @@ -1682,6 +1881,12 @@ METHOD(certificate_t, equals, bool, return equal; } +<<<<<<< HEAD +/** + * Implementation of x509_t.get_serial. + */ +static chunk_t get_serial(private_x509_cert_t *this) +======= METHOD(x509_t, get_flags, x509_flag_t, private_x509_cert_t *this) { @@ -1690,12 +1895,20 @@ METHOD(x509_t, get_flags, x509_flag_t, METHOD(x509_t, get_serial, chunk_t, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { return this->serialNumber; } +<<<<<<< HEAD +/** + * Implementation of x509_t.get_subjectKeyIdentifier. + */ +static chunk_t get_subjectKeyIdentifier(private_x509_cert_t *this) +======= METHOD(x509_t, get_subjectKeyIdentifier, chunk_t, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { if (this->subjectKeyIdentifier.ptr) { @@ -1717,12 +1930,33 @@ METHOD(x509_t, get_subjectKeyIdentifier, chunk_t, } } +<<<<<<< HEAD +/** + * Implementation of x509_t.get_authKeyIdentifier. + */ +static chunk_t get_authKeyIdentifier(private_x509_cert_t *this) +======= METHOD(x509_t, get_authKeyIdentifier, chunk_t, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { return this->authKeyIdentifier; } +<<<<<<< HEAD +/** + * Implementation of x509_t.get_pathLenConstraint. + */ +static int get_pathLenConstraint(private_x509_cert_t *this) +{ + return this->pathLenConstraint; +} + +/** + * Implementation of x509_cert_t.create_subjectAltName_enumerator. + */ +static enumerator_t* create_subjectAltName_enumerator(private_x509_cert_t *this) +======= METHOD(x509_t, get_constraint, u_int, private_x509_cert_t *this, x509_constraint_t type) { @@ -1743,28 +1977,56 @@ METHOD(x509_t, get_constraint, u_int, METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { return this->subjectAltNames->create_enumerator(this->subjectAltNames); } +<<<<<<< HEAD +/** + * Implementation of x509_cert_t.create_ocsp_uri_enumerator. + */ +static enumerator_t* create_ocsp_uri_enumerator(private_x509_cert_t *this) +======= METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { return this->ocsp_uris->create_enumerator(this->ocsp_uris); } +<<<<<<< HEAD +/** + * Implementation of x509_cert_t.create_crl_uri_enumerator. + */ +static enumerator_t* create_crl_uri_enumerator(private_x509_cert_t *this) +======= METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { return this->crl_uris->create_enumerator(this->crl_uris); } +<<<<<<< HEAD +/** + * Implementation of x509_cert_t.create_ipAddrBlock_enumerator. + */ +static enumerator_t* create_ipAddrBlock_enumerator(private_x509_cert_t *this) +======= METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { return this->ipAddrBlocks->create_enumerator(this->ipAddrBlocks); } +<<<<<<< HEAD +/** + * Implementation of certificate_t.destroy. + */ +static void destroy(private_x509_cert_t *this) +======= METHOD(x509_t, create_name_constraint_enumerator, enumerator_t*, private_x509_cert_t *this, bool perm) { @@ -1789,11 +2051,17 @@ METHOD(x509_t, create_policy_mapping_enumerator, enumerator_t*, METHOD(certificate_t, destroy, void, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { if (ref_put(&this->ref)) { this->subjectAltNames->destroy_offset(this->subjectAltNames, offsetof(identification_t, destroy)); +<<<<<<< HEAD + this->crl_uris->destroy_function(this->crl_uris, free); + this->ocsp_uris->destroy_function(this->ocsp_uris, free); + this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks, offsetof(traffic_selector_t, destroy)); +======= this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy); this->ocsp_uris->destroy_function(this->ocsp_uris, free); this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks, @@ -1806,6 +2074,7 @@ METHOD(certificate_t, destroy, void, (void*)cert_policy_destroy); this->policy_mappings->destroy_function(this->policy_mappings, (void*)policy_mapping_destroy); +>>>>>>> upstream/4.5.1 DESTROY_IF(this->issuer); DESTROY_IF(this->subject); DESTROY_IF(this->public_key); @@ -1827,6 +2096,56 @@ METHOD(certificate_t, destroy, void, */ static private_x509_cert_t* create_empty(void) { +<<<<<<< HEAD + private_x509_cert_t *this = malloc_thing(private_x509_cert_t); + + this->public.interface.interface.get_type = (certificate_type_t (*) (certificate_t*))get_type; + this->public.interface.interface.get_subject = (identification_t* (*) (certificate_t*))get_subject; + this->public.interface.interface.get_issuer = (identification_t* (*) (certificate_t*))get_issuer; + this->public.interface.interface.has_subject = (id_match_t (*) (certificate_t*, identification_t*))has_subject; + this->public.interface.interface.has_issuer = (id_match_t (*) (certificate_t*, identification_t*))has_issuer; + this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by; + this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key; + this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity; + this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding; + this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals; + this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref; + this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy; + this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags; + this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial; + this->public.interface.get_subjectKeyIdentifier = (chunk_t (*)(x509_t*))get_subjectKeyIdentifier; + this->public.interface.get_authKeyIdentifier = (chunk_t (*)(x509_t*))get_authKeyIdentifier; + this->public.interface.get_pathLenConstraint = (int (*)(x509_t*))get_pathLenConstraint; + this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator; + this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator; + this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator; + this->public.interface.create_ipAddrBlock_enumerator = (enumerator_t* (*)(x509_t*))create_ipAddrBlock_enumerator; + + this->encoding = chunk_empty; + this->encoding_hash = chunk_empty; + this->tbsCertificate = chunk_empty; + this->version = 1; + this->serialNumber = chunk_empty; + this->notBefore = 0; + this->notAfter = 0; + this->public_key = NULL; + this->subject = NULL; + this->issuer = NULL; + this->subjectAltNames = linked_list_create(); + this->crl_uris = linked_list_create(); + this->ocsp_uris = linked_list_create(); + this->ipAddrBlocks = linked_list_create(); + this->subjectKeyIdentifier = chunk_empty; + this->authKeyIdentifier = chunk_empty; + this->authKeySerialNumber = chunk_empty; + this->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT; + this->algorithm = 0; + this->signature = chunk_empty; + this->flags = 0; + this->ref = 1; + this->parsed = FALSE; + +======= private_x509_cert_t *this; INIT(this, @@ -1875,10 +2194,13 @@ static private_x509_cert_t* create_empty(void) .inhibit_any = X509_NO_CONSTRAINT, .ref = 1, ); +>>>>>>> upstream/4.5.1 return this; } /** +<<<<<<< HEAD +======= * Build a generalName from an id */ chunk_t build_generalName(identification_t *id) @@ -1909,11 +2231,16 @@ chunk_t build_generalName(identification_t *id) } /** +>>>>>>> upstream/4.5.1 * Encode a linked list of subjectAltNames */ chunk_t x509_build_subjectAltNames(linked_list_t *list) { +<<<<<<< HEAD + chunk_t subjectAltNames = chunk_empty; +======= chunk_t subjectAltNames = chunk_empty, name; +>>>>>>> upstream/4.5.1 enumerator_t *enumerator; identification_t *id; @@ -1925,7 +2252,33 @@ chunk_t x509_build_subjectAltNames(linked_list_t *list) enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, &id)) { +<<<<<<< HEAD + int context; + chunk_t name; + + switch (id->get_type(id)) + { + case ID_RFC822_ADDR: + context = ASN1_CONTEXT_S_1; + break; + case ID_FQDN: + context = ASN1_CONTEXT_S_2; + break; + case ID_IPV4_ADDR: + case ID_IPV6_ADDR: + context = ASN1_CONTEXT_S_7; + break; + default: + DBG1(DBG_LIB, "encoding %N as subjectAltName not supported", + id_type_names, id->get_type(id)); + enumerator->destroy(enumerator); + free(subjectAltNames.ptr); + return chunk_empty; + } + name = asn1_wrap(context, "c", id->get_encoding(id)); +======= name = build_generalName(id); +>>>>>>> upstream/4.5.1 subjectAltNames = chunk_cat("mm", subjectAltNames, name); } enumerator->destroy(enumerator); @@ -1939,6 +2292,8 @@ chunk_t x509_build_subjectAltNames(linked_list_t *list) } /** +<<<<<<< HEAD +======= * Encode CRL distribution points extension from a x509_cdp_t list */ chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn) @@ -1980,6 +2335,7 @@ chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn) } /** +>>>>>>> upstream/4.5.1 * Generate and sign a new certificate */ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, @@ -1987,6 +2343,14 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, { chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty; chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty; +<<<<<<< HEAD + chunk_t ocspSigning = chunk_empty; + chunk_t basicConstraints = chunk_empty; + chunk_t keyUsage = chunk_empty; + chunk_t subjectAltNames = chunk_empty; + chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty; + chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty; +======= chunk_t ocspSigning = chunk_empty, certPolicies = chunk_empty; chunk_t basicConstraints = chunk_empty, nameConstraints = chunk_empty; chunk_t keyUsage = chunk_empty, keyUsageBits = chunk_empty; @@ -1994,6 +2358,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty; chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty; chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty; +>>>>>>> upstream/4.5.1 identification_t *issuer, *subject; chunk_t key_info; signature_scheme_t scheme; @@ -2047,8 +2412,34 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, /* encode subjectAltNames */ subjectAltNames = x509_build_subjectAltNames(cert->subjectAltNames); +<<<<<<< HEAD + /* encode CRL distribution points extension */ + enumerator = cert->crl_uris->create_enumerator(cert->crl_uris); + while (enumerator->enumerate(enumerator, &uri)) + { + chunk_t distributionPoint; + + distributionPoint = asn1_wrap(ASN1_SEQUENCE, "m", + asn1_wrap(ASN1_CONTEXT_C_0, "m", + asn1_wrap(ASN1_CONTEXT_C_0, "m", + asn1_wrap(ASN1_CONTEXT_S_6, "c", + chunk_create(uri, strlen(uri)))))); + + crlDistributionPoints = chunk_cat("mm", crlDistributionPoints, + distributionPoint); + } + enumerator->destroy(enumerator); + if (crlDistributionPoints.ptr) + { + crlDistributionPoints = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_CRL_DISTRIBUTION_POINTS), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints))); + } +======= crlDistributionPoints = x509_build_crlDistributionPoints(cert->crl_uris, OID_CRL_DISTRIBUTION_POINTS); +>>>>>>> upstream/4.5.1 /* encode OCSP URIs in authorityInfoAccess extension */ enumerator = cert->ocsp_uris->create_enumerator(cert->ocsp_uris); @@ -2077,10 +2468,18 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, { chunk_t pathLenConstraint = chunk_empty; +<<<<<<< HEAD + if (cert->pathLenConstraint != X509_NO_PATH_LEN_CONSTRAINT) + { + char pathlen = (char)cert->pathLenConstraint; + + pathLenConstraint = asn1_integer("c", chunk_from_thing(pathlen)); +======= if (cert->pathLenConstraint != X509_NO_CONSTRAINT) { pathLenConstraint = asn1_integer("c", chunk_from_thing(cert->pathLenConstraint)); +>>>>>>> upstream/4.5.1 } basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm", asn1_build_known_oid(OID_BASIC_CONSTRAINTS), @@ -2091,6 +2490,15 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)), pathLenConstraint))); +<<<<<<< HEAD + keyUsage = asn1_wrap(ASN1_SEQUENCE, "mmm", + asn1_build_known_oid(OID_KEY_USAGE), + asn1_wrap(ASN1_BOOLEAN, "c", + chunk_from_chars(0xFF)), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_BIT_STRING, "c", + chunk_from_chars(0x01, 0x06)))); +======= /* set CertificateSign and implicitly CRLsign */ keyUsageBits = chunk_from_chars(0x01, 0x06); } @@ -2105,6 +2513,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)), asn1_wrap(ASN1_OCTET_STRING, "m", asn1_wrap(ASN1_BIT_STRING, "c", keyUsageBits))); +>>>>>>> upstream/4.5.1 } /* add serverAuth extendedKeyUsage flag */ @@ -2133,7 +2542,11 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, } /* add subjectKeyIdentifier to CA and OCSP signer certificates */ +<<<<<<< HEAD + if (cert->flags & (X509_CA | X509_OCSP_SIGNER)) +======= if (cert->flags & (X509_CA | X509_OCSP_SIGNER | X509_CRL_SIGN)) +>>>>>>> upstream/4.5.1 { chunk_t keyid; @@ -2161,6 +2574,17 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, asn1_wrap(ASN1_CONTEXT_S_0, "c", keyid)))); } } +<<<<<<< HEAD + if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr || + crlDistributionPoints.ptr) + { + extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m", + asn1_wrap(ASN1_SEQUENCE, "mmmmmmmm", + basicConstraints, keyUsage, subjectKeyIdentifier, + authKeyIdentifier, subjectAltNames, + extendedKeyUsage, crlDistributionPoints, + authorityInfoAccess)); +======= if (cert->permitted_names->get_count(cert->permitted_names) || cert->excluded_names->get_count(cert->excluded_names)) @@ -2308,6 +2732,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, extendedKeyUsage, crlDistributionPoints, authorityInfoAccess, nameConstraints, certPolicies, policyMappings, policyConstraints, inhibitAnyPolicy)); +>>>>>>> upstream/4.5.1 } cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm", @@ -2390,7 +2815,10 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) certificate_t *sign_cert = NULL; private_key_t *sign_key = NULL; hash_algorithm_t digest_alg = HASH_SHA1; +<<<<<<< HEAD +======= u_int constraint; +>>>>>>> upstream/4.5.1 cert = create_empty(); while (TRUE) @@ -2434,6 +2862,15 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) { enumerator_t *enumerator; linked_list_t *list; +<<<<<<< HEAD + char *uri; + + list = va_arg(args, linked_list_t*); + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &uri)) + { + cert->crl_uris->insert_last(cert->crl_uris, strdup(uri)); +======= x509_cdp_t *in, *cdp; list = va_arg(args, linked_list_t*); @@ -2445,6 +2882,7 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) .issuer = in->issuer ? in->issuer->clone(in->issuer) : NULL, ); cert->crl_uris->insert_last(cert->crl_uris, cdp); +>>>>>>> upstream/4.5.1 } enumerator->destroy(enumerator); continue; @@ -2465,6 +2903,13 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) continue; } case BUILD_PATHLEN: +<<<<<<< HEAD + cert->pathLenConstraint = va_arg(args, int); + if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127) + { + cert->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT; + } +======= constraint = va_arg(args, u_int); cert->pathLenConstraint = (constraint < 128) ? constraint : X509_NO_CONSTRAINT; @@ -2555,6 +3000,7 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) constraint = va_arg(args, u_int); cert->inhibit_any = (constraint < 128) ? constraint : X509_NO_CONSTRAINT; +>>>>>>> upstream/4.5.1 continue; case BUILD_NOT_BEFORE_TIME: cert->notBefore = va_arg(args, time_t); diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c index 758505ab5..3e62681f5 100644 --- a/src/libstrongswan/plugins/x509/x509_crl.c +++ b/src/libstrongswan/plugins/x509/x509_crl.c @@ -100,11 +100,14 @@ struct private_x509_crl_t { linked_list_t *revoked; /** +<<<<<<< HEAD +======= * List of Freshest CRL distribution points */ linked_list_t *crl_uris; /** +>>>>>>> upstream/4.5.1 * Authority Key Identifier */ chunk_t authKeyIdentifier; @@ -115,11 +118,14 @@ struct private_x509_crl_t { chunk_t authKeySerialNumber; /** +<<<<<<< HEAD +======= * Number of BaseCRL, if a delta CRL */ chunk_t baseCrlNumber; /** +>>>>>>> upstream/4.5.1 * Signature algorithm */ int algorithm; @@ -143,6 +149,11 @@ struct private_x509_crl_t { /** * from x509_cert */ +<<<<<<< HEAD +extern chunk_t x509_parse_authorityKeyIdentifier( + chunk_t blob, int level0, + chunk_t *authKeySerialNumber); +======= extern chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0, chunk_t *authKeySerialNumber); @@ -156,6 +167,7 @@ extern void x509_parse_crlDistributionPoints(chunk_t blob, int level0, * from x509_cert */ extern chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn); +>>>>>>> upstream/4.5.1 /** * ASN.1 definition of an X.509 certificate revocation list @@ -226,7 +238,11 @@ static bool parse(private_x509_crl_t *this) int objectID; int sig_alg = OID_UNKNOWN; bool success = FALSE; +<<<<<<< HEAD + bool critical; +======= bool critical = FALSE; +>>>>>>> upstream/4.5.1 revoked_t *revoked = NULL; parser = asn1_parser_create(crlObjects, this->encoding); @@ -278,6 +294,28 @@ static bool parse(private_x509_crl_t *this) break; case CRL_OBJ_CRL_ENTRY_EXTN_VALUE: case CRL_OBJ_EXTN_VALUE: +<<<<<<< HEAD + { + int extn_oid = asn1_known_oid(extnID); + + if (revoked && extn_oid == OID_CRL_REASON_CODE) + { + if (*object.ptr == ASN1_ENUMERATED && + asn1_length(&object) == 1) + { + revoked->reason = *object.ptr; + } + DBG2(DBG_LIB, " '%N'", crl_reason_names, + revoked->reason); + } + else if (extn_oid == OID_AUTHORITY_KEY_ID) + { + this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object, + level, &this->authKeySerialNumber); + } + else if (extn_oid == OID_CRL_NUMBER) + { +======= { int extn_oid = asn1_known_oid(extnID); @@ -301,12 +339,18 @@ static bool parse(private_x509_crl_t *this) object, level, &this->authKeySerialNumber); break; case OID_CRL_NUMBER: +>>>>>>> upstream/4.5.1 if (!asn1_parse_simple_object(&object, ASN1_INTEGER, level, "crlNumber")) { goto end; } this->crlNumber = object; +<<<<<<< HEAD + } + } + break; +======= break; case OID_FRESHEST_CRL: x509_parse_crlDistributionPoints(object, level, @@ -333,6 +377,7 @@ static bool parse(private_x509_crl_t *this) } break; } +>>>>>>> upstream/4.5.1 case CRL_OBJ_ALGORITHM: { this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL); @@ -390,6 +435,8 @@ METHOD(crl_t, get_authKeyIdentifier, chunk_t, return this->authKeyIdentifier; } +<<<<<<< HEAD +======= METHOD(crl_t, is_delta_crl, bool, private_x509_crl_t *this, chunk_t *base_crl) { @@ -410,6 +457,7 @@ METHOD(crl_t, create_delta_crl_uri_enumerator, enumerator_t*, return this->crl_uris->create_enumerator(this->crl_uris); } +>>>>>>> upstream/4.5.1 METHOD(crl_t, create_enumerator, enumerator_t*, private_x509_crl_t *this) { @@ -454,7 +502,11 @@ METHOD(certificate_t, issued_by, bool, { return FALSE; } +<<<<<<< HEAD + if (!(x509->get_flags(x509) & X509_CA)) +======= if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN))) +>>>>>>> upstream/4.5.1 { return FALSE; } @@ -567,6 +619,8 @@ static void revoked_destroy(revoked_t *revoked) free(revoked); } +<<<<<<< HEAD +======= /** * Destroy a CDP entry */ @@ -577,20 +631,27 @@ static void cdp_destroy(x509_cdp_t *this) free(this); } +>>>>>>> upstream/4.5.1 METHOD(certificate_t, destroy, void, private_x509_crl_t *this) { if (ref_put(&this->ref)) { this->revoked->destroy_function(this->revoked, (void*)revoked_destroy); +<<<<<<< HEAD +======= this->crl_uris->destroy_function(this->crl_uris, (void*)cdp_destroy); +>>>>>>> upstream/4.5.1 DESTROY_IF(this->issuer); free(this->authKeyIdentifier.ptr); free(this->encoding.ptr); if (this->generated) { free(this->crlNumber.ptr); +<<<<<<< HEAD +======= free(this->baseCrlNumber.ptr); +>>>>>>> upstream/4.5.1 free(this->signature.ptr); free(this->tbsCertList.ptr); } @@ -624,13 +685,19 @@ static private_x509_crl_t* create_empty(void) }, .get_serial = _get_serial, .get_authKeyIdentifier = _get_authKeyIdentifier, +<<<<<<< HEAD +======= .is_delta_crl = _is_delta_crl, .create_delta_crl_uri_enumerator = _create_delta_crl_uri_enumerator, +>>>>>>> upstream/4.5.1 .create_enumerator = _create_enumerator, }, }, .revoked = linked_list_create(), +<<<<<<< HEAD +======= .crl_uris = linked_list_create(), +>>>>>>> upstream/4.5.1 .ref = 1, ); return this; @@ -699,7 +766,10 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, private_key_t *key, hash_algorithm_t digest_alg) { chunk_t extensions = chunk_empty, certList = chunk_empty, serial; +<<<<<<< HEAD +======= chunk_t crlDistributionPoints = chunk_empty, baseCrlNumber = chunk_empty; +>>>>>>> upstream/4.5.1 enumerator_t *enumerator; crl_reason_t reason; time_t date; @@ -707,7 +777,11 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, x509 = (x509_t*)cert; +<<<<<<< HEAD + this->issuer = cert->get_issuer(cert); +======= this->issuer = cert->get_subject(cert); +>>>>>>> upstream/4.5.1 this->issuer = this->issuer->clone(this->issuer); this->authKeyIdentifier = chunk_clone(x509->get_subjectKeyIdentifier(x509)); @@ -742,6 +816,10 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, } enumerator->destroy(enumerator); +<<<<<<< HEAD + extensions = asn1_wrap(ASN1_CONTEXT_C_0, "m", + asn1_wrap(ASN1_SEQUENCE, "mm", +======= crlDistributionPoints = x509_build_crlDistributionPoints(this->crl_uris, OID_FRESHEST_CRL); @@ -757,6 +835,7 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, extensions = asn1_wrap(ASN1_CONTEXT_C_0, "m", asn1_wrap(ASN1_SEQUENCE, "mmmm", +>>>>>>> upstream/4.5.1 asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_AUTHORITY_KEY_ID), asn1_wrap(ASN1_OCTET_STRING, "m", @@ -766,8 +845,14 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_CRL_NUMBER), asn1_wrap(ASN1_OCTET_STRING, "m", +<<<<<<< HEAD + asn1_integer("c", this->crlNumber)) + ) + )); +======= asn1_integer("c", this->crlNumber))), crlDistributionPoints, baseCrlNumber)); +>>>>>>> upstream/4.5.1 this->tbsCertList = asn1_wrap(ASN1_SEQUENCE, "cmcmmmm", ASN1_INTEGER_1, @@ -830,6 +915,8 @@ x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args) case BUILD_REVOKED_ENUMERATOR: read_revoked(crl, va_arg(args, enumerator_t*)); continue; +<<<<<<< HEAD +======= case BUILD_BASE_CRL: crl->baseCrlNumber = va_arg(args, chunk_t); crl->baseCrlNumber = chunk_clone(crl->baseCrlNumber); @@ -853,6 +940,7 @@ x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args) enumerator->destroy(enumerator); continue; } +>>>>>>> upstream/4.5.1 case BUILD_END: break; default: diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c index d40cc3567..a3c071f12 100644 --- a/src/libstrongswan/plugins/x509/x509_plugin.c +++ b/src/libstrongswan/plugins/x509/x509_plugin.c @@ -36,8 +36,15 @@ struct private_x509_plugin_t { x509_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of x509_plugin_t.x509troy + */ +static void destroy(private_x509_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_x509_plugin_t *this) +>>>>>>> upstream/4.5.1 { lib->creds->remove_builder(lib->creds, (builder_function_t)x509_cert_gen); @@ -67,6 +74,11 @@ METHOD(plugin_t, destroy, void, */ plugin_t *x509_plugin_create() { +<<<<<<< HEAD + private_x509_plugin_t *this = malloc_thing(private_x509_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; +======= private_x509_plugin_t *this; INIT(this, @@ -76,6 +88,7 @@ plugin_t *x509_plugin_create() }, }, ); +>>>>>>> upstream/4.5.1 lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, FALSE, (builder_function_t)x509_cert_gen); |