2008-03-13 14:14:44 +00:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
|
|
|
|
* Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
|
|
|
|
* Copyright (C) 2002 Mario Strasser
|
|
|
|
* Copyright (C) 2000-2006 Andreas Steffen
|
2009-09-09 14:24:06 +00:00
|
|
|
* Copyright (C) 2006-2009 Martin Willi
|
2008-04-18 11:24:45 +00:00
|
|
|
* Copyright (C) 2008 Tobias Brunner
|
2008-03-13 14:14:44 +00:00
|
|
|
* Hochschule fuer Technik Rapperswil
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
|
|
* under the terms of the GNU General Public License as published by the
|
|
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful, but
|
|
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
|
|
* for more details.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#define _GNU_SOURCE
|
|
|
|
|
|
|
|
#include "x509_cert.h"
|
|
|
|
|
|
|
|
#include <sys/stat.h>
|
2008-11-05 08:32:38 +00:00
|
|
|
#include <time.h>
|
2008-03-13 14:14:44 +00:00
|
|
|
#include <unistd.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
|
|
|
|
#include <library.h>
|
|
|
|
#include <debug.h>
|
|
|
|
#include <asn1/oid.h>
|
|
|
|
#include <asn1/asn1.h>
|
2008-04-26 09:24:14 +00:00
|
|
|
#include <asn1/asn1_parser.h>
|
|
|
|
#include <crypto/hashers/hasher.h>
|
2009-05-28 13:34:18 +00:00
|
|
|
#include <credentials/keys/private_key.h>
|
2008-03-13 14:14:44 +00:00
|
|
|
#include <utils/linked_list.h>
|
|
|
|
#include <utils/identification.h>
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Different kinds of generalNames
|
|
|
|
*/
|
|
|
|
typedef enum {
|
|
|
|
GN_OTHER_NAME = 0,
|
|
|
|
GN_RFC822_NAME = 1,
|
|
|
|
GN_DNS_NAME = 2,
|
|
|
|
GN_X400_ADDRESS = 3,
|
|
|
|
GN_DIRECTORY_NAME = 4,
|
|
|
|
GN_EDI_PARTY_NAME = 5,
|
|
|
|
GN_URI = 6,
|
|
|
|
GN_IP_ADDRESS = 7,
|
|
|
|
GN_REGISTERED_ID = 8,
|
|
|
|
} generalNames_t;
|
|
|
|
|
|
|
|
|
|
|
|
typedef struct private_x509_cert_t private_x509_cert_t;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Private data of a x509_cert_t object.
|
|
|
|
*/
|
|
|
|
struct private_x509_cert_t {
|
|
|
|
/**
|
|
|
|
* Public interface for this certificate.
|
|
|
|
*/
|
|
|
|
x509_cert_t public;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
2008-03-25 22:28:27 +00:00
|
|
|
* X.509 certificate encoding in ASN.1 DER format
|
2008-03-13 14:14:44 +00:00
|
|
|
*/
|
2008-03-25 12:22:12 +00:00
|
|
|
chunk_t encoding;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-18 11:24:45 +00:00
|
|
|
/**
|
|
|
|
* SHA1 hash of the DER encoding of this X.509 certificate
|
|
|
|
*/
|
|
|
|
chunk_t encoding_hash;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
|
|
|
* X.509 certificate body over which signature is computed
|
|
|
|
*/
|
|
|
|
chunk_t tbsCertificate;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Version of the X.509 certificate
|
|
|
|
*/
|
|
|
|
u_int version;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
|
|
|
* Serial number of the X.509 certificate
|
|
|
|
*/
|
|
|
|
chunk_t serialNumber;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
|
|
|
* ID representing the certificate issuer
|
|
|
|
*/
|
|
|
|
identification_t *issuer;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
|
|
|
* Start time of certificate validity
|
|
|
|
*/
|
|
|
|
time_t notBefore;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
|
|
|
* End time of certificate validity
|
|
|
|
*/
|
|
|
|
time_t notAfter;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
|
|
|
* ID representing the certificate subject
|
|
|
|
*/
|
|
|
|
identification_t *subject;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
|
|
|
* List of subjectAltNames as identification_t
|
|
|
|
*/
|
|
|
|
linked_list_t *subjectAltNames;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
|
|
|
* List of crlDistributionPoints as allocated char*
|
|
|
|
*/
|
|
|
|
linked_list_t *crl_uris;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
2009-09-11 09:45:04 +00:00
|
|
|
* List ocspAccessLocations as allocated char*
|
2008-03-13 14:14:44 +00:00
|
|
|
*/
|
|
|
|
linked_list_t *ocsp_uris;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
|
|
|
* certificates embedded public key
|
|
|
|
*/
|
|
|
|
public_key_t *public_key;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
|
|
|
* Subject Key Identifier
|
|
|
|
*/
|
|
|
|
chunk_t subjectKeyID;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
|
|
|
* Authority Key Identifier
|
|
|
|
*/
|
2009-08-24 12:11:44 +00:00
|
|
|
chunk_t authKeyIdentifier;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
|
|
|
* Authority Key Serial Number
|
|
|
|
*/
|
|
|
|
chunk_t authKeySerialNumber;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
|
|
|
* x509 constraints and other flags
|
|
|
|
*/
|
|
|
|
x509_flag_t flags;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
|
|
|
* Signature algorithm
|
|
|
|
*/
|
|
|
|
int algorithm;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
|
|
|
* Signature
|
|
|
|
*/
|
|
|
|
chunk_t signature;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-12-08 15:29:36 +00:00
|
|
|
/**
|
|
|
|
* Certificate parsed from blob/file?
|
|
|
|
*/
|
|
|
|
bool parsed;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
|
|
|
* reference count
|
|
|
|
*/
|
|
|
|
refcount_t ref;
|
|
|
|
};
|
|
|
|
|
2009-09-11 13:35:10 +00:00
|
|
|
static const chunk_t ASN1_subjectAltName_oid = chunk_from_chars(
|
2008-04-26 09:24:14 +00:00
|
|
|
0x06, 0x03, 0x55, 0x1D, 0x11
|
2009-09-11 13:35:10 +00:00
|
|
|
);
|
2008-03-13 14:14:44 +00:00
|
|
|
|
|
|
|
/**
|
2009-09-04 11:46:09 +00:00
|
|
|
* ASN.1 definition of a basicConstraints extension
|
2008-03-13 14:14:44 +00:00
|
|
|
*/
|
|
|
|
static const asn1Object_t basicConstraintsObjects[] = {
|
|
|
|
{ 0, "basicConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
|
|
|
|
{ 1, "CA", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 1 */
|
|
|
|
{ 1, "pathLenConstraint", ASN1_INTEGER, ASN1_OPT|ASN1_BODY }, /* 2 */
|
2008-04-28 16:00:52 +00:00
|
|
|
{ 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
|
|
|
|
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
|
2008-03-13 14:14:44 +00:00
|
|
|
};
|
|
|
|
#define BASIC_CONSTRAINTS_CA 1
|
|
|
|
|
|
|
|
/**
|
2008-04-26 09:24:14 +00:00
|
|
|
* Extracts the basicConstraints extension
|
2008-03-13 14:14:44 +00:00
|
|
|
*/
|
|
|
|
static bool parse_basicConstraints(chunk_t blob, int level0)
|
|
|
|
{
|
2008-04-26 09:24:14 +00:00
|
|
|
asn1_parser_t *parser;
|
2008-03-13 14:14:44 +00:00
|
|
|
chunk_t object;
|
2008-04-26 09:24:14 +00:00
|
|
|
int objectID;
|
2008-03-13 14:14:44 +00:00
|
|
|
bool isCA = FALSE;
|
|
|
|
|
2008-04-28 16:00:52 +00:00
|
|
|
parser = asn1_parser_create(basicConstraintsObjects, blob);
|
2008-04-26 09:24:14 +00:00
|
|
|
parser->set_top_level(parser, level0);
|
2008-03-13 14:14:44 +00:00
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
while (parser->iterate(parser, &objectID, &object))
|
|
|
|
{
|
2008-03-13 14:14:44 +00:00
|
|
|
if (objectID == BASIC_CONSTRAINTS_CA)
|
|
|
|
{
|
|
|
|
isCA = object.len && *object.ptr;
|
|
|
|
DBG2(" %s", isCA ? "TRUE" : "FALSE");
|
|
|
|
}
|
|
|
|
}
|
2008-04-26 09:24:14 +00:00
|
|
|
parser->destroy(parser);
|
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
return isCA;
|
|
|
|
}
|
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
/**
|
2009-09-04 11:46:09 +00:00
|
|
|
* ASN.1 definition of otherName
|
2008-04-26 09:24:14 +00:00
|
|
|
*/
|
|
|
|
static const asn1Object_t otherNameObjects[] = {
|
2008-04-28 16:00:52 +00:00
|
|
|
{0, "type-id", ASN1_OID, ASN1_BODY }, /* 0 */
|
|
|
|
{0, "value", ASN1_CONTEXT_C_0, ASN1_BODY }, /* 1 */
|
|
|
|
{0, "exit", ASN1_EOC, ASN1_EXIT }
|
2008-04-26 09:24:14 +00:00
|
|
|
};
|
|
|
|
#define ON_OBJ_ID_TYPE 0
|
|
|
|
#define ON_OBJ_VALUE 1
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Extracts an otherName
|
2008-03-13 14:14:44 +00:00
|
|
|
*/
|
|
|
|
static bool parse_otherName(chunk_t blob, int level0)
|
|
|
|
{
|
2008-04-26 09:24:14 +00:00
|
|
|
asn1_parser_t *parser;
|
2008-03-13 14:14:44 +00:00
|
|
|
chunk_t object;
|
2008-04-26 09:24:14 +00:00
|
|
|
int objectID;
|
2008-03-13 14:14:44 +00:00
|
|
|
int oid = OID_UNKNOWN;
|
2008-04-26 11:08:36 +00:00
|
|
|
bool success = FALSE;
|
2008-03-13 14:14:44 +00:00
|
|
|
|
2008-04-28 16:00:52 +00:00
|
|
|
parser = asn1_parser_create(otherNameObjects, blob);
|
2008-04-26 09:24:14 +00:00
|
|
|
parser->set_top_level(parser, level0);
|
|
|
|
|
|
|
|
while (parser->iterate(parser, &objectID, &object))
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
|
|
|
switch (objectID)
|
|
|
|
{
|
|
|
|
case ON_OBJ_ID_TYPE:
|
2008-04-26 09:24:14 +00:00
|
|
|
oid = asn1_known_oid(object);
|
2008-03-13 14:14:44 +00:00
|
|
|
break;
|
|
|
|
case ON_OBJ_VALUE:
|
|
|
|
if (oid == OID_XMPP_ADDR)
|
|
|
|
{
|
2008-04-26 09:24:14 +00:00
|
|
|
if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
|
|
|
|
parser->get_level(parser)+1, "xmppAddr"))
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
2008-04-26 09:24:14 +00:00
|
|
|
goto end;
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
2008-04-26 11:08:36 +00:00
|
|
|
success = parser->success(parser);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
end:
|
|
|
|
parser->destroy(parser);
|
|
|
|
return success;
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
/**
|
2009-09-04 11:46:09 +00:00
|
|
|
* ASN.1 definition of generalName
|
2008-04-26 09:24:14 +00:00
|
|
|
*/
|
|
|
|
static const asn1Object_t generalNameObjects[] = {
|
2008-04-28 16:02:53 +00:00
|
|
|
{ 0, "otherName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_BODY }, /* 0 */
|
|
|
|
{ 0, "end choice", ASN1_EOC, ASN1_END }, /* 1 */
|
|
|
|
{ 0, "rfc822Name", ASN1_CONTEXT_S_1, ASN1_OPT|ASN1_BODY }, /* 2 */
|
|
|
|
{ 0, "end choice", ASN1_EOC, ASN1_END }, /* 3 */
|
|
|
|
{ 0, "dnsName", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 4 */
|
|
|
|
{ 0, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
|
|
|
|
{ 0, "x400Address", ASN1_CONTEXT_S_3, ASN1_OPT|ASN1_BODY }, /* 6 */
|
|
|
|
{ 0, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
|
|
|
|
{ 0, "directoryName", ASN1_CONTEXT_C_4, ASN1_OPT|ASN1_BODY }, /* 8 */
|
|
|
|
{ 0, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
|
|
|
|
{ 0, "ediPartyName", ASN1_CONTEXT_C_5, ASN1_OPT|ASN1_BODY }, /* 10 */
|
|
|
|
{ 0, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
|
|
|
|
{ 0, "URI", ASN1_CONTEXT_S_6, ASN1_OPT|ASN1_BODY }, /* 12 */
|
|
|
|
{ 0, "end choice", ASN1_EOC, ASN1_END }, /* 13 */
|
|
|
|
{ 0, "ipAddress", ASN1_CONTEXT_S_7, ASN1_OPT|ASN1_BODY }, /* 14 */
|
|
|
|
{ 0, "end choice", ASN1_EOC, ASN1_END }, /* 15 */
|
|
|
|
{ 0, "registeredID", ASN1_CONTEXT_S_8, ASN1_OPT|ASN1_BODY }, /* 16 */
|
|
|
|
{ 0, "end choice", ASN1_EOC, ASN1_END }, /* 17 */
|
|
|
|
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
|
2008-04-26 09:24:14 +00:00
|
|
|
};
|
2009-09-04 12:58:05 +00:00
|
|
|
#define GN_OBJ_OTHER_NAME 0
|
|
|
|
#define GN_OBJ_RFC822_NAME 2
|
|
|
|
#define GN_OBJ_DNS_NAME 4
|
|
|
|
#define GN_OBJ_X400_ADDRESS 6
|
2008-04-26 09:24:14 +00:00
|
|
|
#define GN_OBJ_DIRECTORY_NAME 8
|
|
|
|
#define GN_OBJ_EDI_PARTY_NAME 10
|
|
|
|
#define GN_OBJ_URI 12
|
|
|
|
#define GN_OBJ_IP_ADDRESS 14
|
|
|
|
#define GN_OBJ_REGISTERED_ID 16
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Extracts a generalName
|
2008-03-13 14:14:44 +00:00
|
|
|
*/
|
|
|
|
static identification_t *parse_generalName(chunk_t blob, int level0)
|
|
|
|
{
|
2008-04-26 09:24:14 +00:00
|
|
|
asn1_parser_t *parser;
|
2008-03-13 14:14:44 +00:00
|
|
|
chunk_t object;
|
2008-04-26 09:24:14 +00:00
|
|
|
int objectID ;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
identification_t *gn = NULL;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-28 16:00:52 +00:00
|
|
|
parser = asn1_parser_create(generalNameObjects, blob);
|
2008-04-26 09:24:14 +00:00
|
|
|
parser->set_top_level(parser, level0);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
while (parser->iterate(parser, &objectID, &object))
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
|
|
|
id_type_t id_type = ID_ANY;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
switch (objectID)
|
|
|
|
{
|
|
|
|
case GN_OBJ_RFC822_NAME:
|
|
|
|
id_type = ID_RFC822_ADDR;
|
|
|
|
break;
|
|
|
|
case GN_OBJ_DNS_NAME:
|
|
|
|
id_type = ID_FQDN;
|
|
|
|
break;
|
|
|
|
case GN_OBJ_URI:
|
|
|
|
id_type = ID_DER_ASN1_GN_URI;
|
|
|
|
break;
|
|
|
|
case GN_OBJ_DIRECTORY_NAME:
|
|
|
|
id_type = ID_DER_ASN1_DN;
|
2008-12-08 15:29:36 +00:00
|
|
|
break;
|
2008-03-13 14:14:44 +00:00
|
|
|
case GN_OBJ_IP_ADDRESS:
|
|
|
|
id_type = ID_IPV4_ADDR;
|
|
|
|
break;
|
|
|
|
case GN_OBJ_OTHER_NAME:
|
2008-04-26 09:24:14 +00:00
|
|
|
if (!parse_otherName(object, parser->get_level(parser)+1))
|
|
|
|
{
|
|
|
|
goto end;
|
|
|
|
}
|
2008-03-13 14:14:44 +00:00
|
|
|
break;
|
|
|
|
case GN_OBJ_X400_ADDRESS:
|
|
|
|
case GN_OBJ_EDI_PARTY_NAME:
|
|
|
|
case GN_OBJ_REGISTERED_ID:
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (id_type != ID_ANY)
|
|
|
|
{
|
2008-04-26 09:24:14 +00:00
|
|
|
gn = identification_create_from_encoding(id_type, object);
|
2009-04-30 11:37:54 +00:00
|
|
|
DBG2(" '%Y'", gn);
|
2008-04-26 09:24:14 +00:00
|
|
|
goto end;
|
2008-12-08 15:29:36 +00:00
|
|
|
}
|
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
end:
|
|
|
|
parser->destroy(parser);
|
2008-12-08 15:29:36 +00:00
|
|
|
return gn;
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
/**
|
2009-09-04 11:46:09 +00:00
|
|
|
* ASN.1 definition of generalNames
|
2008-04-26 09:24:14 +00:00
|
|
|
*/
|
|
|
|
static const asn1Object_t generalNamesObjects[] = {
|
2008-04-28 16:00:52 +00:00
|
|
|
{ 0, "generalNames", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
|
|
|
|
{ 1, "generalName", ASN1_EOC, ASN1_RAW }, /* 1 */
|
|
|
|
{ 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
|
|
|
|
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
|
2008-04-26 09:24:14 +00:00
|
|
|
};
|
|
|
|
#define GENERAL_NAMES_GN 1
|
2008-03-13 14:14:44 +00:00
|
|
|
|
|
|
|
/**
|
2008-04-26 09:24:14 +00:00
|
|
|
* Extracts one or several GNs and puts them into a chained list
|
2008-03-13 14:14:44 +00:00
|
|
|
*/
|
2008-03-26 09:29:30 +00:00
|
|
|
void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
2008-04-26 09:24:14 +00:00
|
|
|
asn1_parser_t *parser;
|
2008-03-13 14:14:44 +00:00
|
|
|
chunk_t object;
|
2008-04-26 09:24:14 +00:00
|
|
|
int objectID;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-28 16:00:52 +00:00
|
|
|
parser = asn1_parser_create(generalNamesObjects, blob);
|
2008-04-26 09:24:14 +00:00
|
|
|
parser->set_top_level(parser, level0);
|
|
|
|
parser->set_flags(parser, implicit, FALSE);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
while (parser->iterate(parser, &objectID, &object))
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
|
|
|
if (objectID == GENERAL_NAMES_GN)
|
|
|
|
{
|
2008-04-26 09:24:14 +00:00
|
|
|
identification_t *gn = parse_generalName(object,
|
|
|
|
parser->get_level(parser)+1);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
if (gn)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
|
|
|
list->insert_last(list, (void *)gn);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2008-04-26 09:24:14 +00:00
|
|
|
parser->destroy(parser);
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2009-09-04 11:46:09 +00:00
|
|
|
* ASN.1 definition of a authorityKeyIdentifier extension
|
2008-04-26 09:24:14 +00:00
|
|
|
*/
|
|
|
|
static const asn1Object_t authKeyIdentifierObjects[] = {
|
2008-04-28 16:00:52 +00:00
|
|
|
{ 0, "authorityKeyIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
|
|
|
|
{ 1, "keyIdentifier", ASN1_CONTEXT_S_0, ASN1_OPT|ASN1_BODY }, /* 1 */
|
|
|
|
{ 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
|
|
|
|
{ 1, "authorityCertIssuer", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_OBJ }, /* 3 */
|
|
|
|
{ 1, "end opt", ASN1_EOC, ASN1_END }, /* 4 */
|
|
|
|
{ 1, "authorityCertSerialNumber", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 5 */
|
|
|
|
{ 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
|
|
|
|
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
|
2008-04-26 09:24:14 +00:00
|
|
|
};
|
|
|
|
#define AUTH_KEY_ID_KEY_ID 1
|
|
|
|
#define AUTH_KEY_ID_CERT_ISSUER 3
|
|
|
|
#define AUTH_KEY_ID_CERT_SERIAL 5
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Extracts an authoritykeyIdentifier
|
2008-03-13 14:14:44 +00:00
|
|
|
*/
|
2009-08-24 12:11:44 +00:00
|
|
|
chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
|
2008-03-13 14:14:44 +00:00
|
|
|
chunk_t *authKeySerialNumber)
|
|
|
|
{
|
2008-04-26 09:24:14 +00:00
|
|
|
asn1_parser_t *parser;
|
2008-03-13 14:14:44 +00:00
|
|
|
chunk_t object;
|
2008-04-26 09:24:14 +00:00
|
|
|
int objectID;
|
2009-08-24 12:11:44 +00:00
|
|
|
chunk_t authKeyIdentifier = chunk_empty;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
*authKeySerialNumber = chunk_empty;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-28 16:00:52 +00:00
|
|
|
parser = asn1_parser_create(authKeyIdentifierObjects, blob);
|
2008-04-26 09:24:14 +00:00
|
|
|
parser->set_top_level(parser, level0);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
while (parser->iterate(parser, &objectID, &object))
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
2009-09-04 11:46:09 +00:00
|
|
|
switch (objectID)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
|
|
|
case AUTH_KEY_ID_KEY_ID:
|
2009-08-24 12:11:44 +00:00
|
|
|
authKeyIdentifier = chunk_clone(object);
|
2008-03-13 14:14:44 +00:00
|
|
|
break;
|
|
|
|
case AUTH_KEY_ID_CERT_ISSUER:
|
2008-03-26 09:29:30 +00:00
|
|
|
/* TODO: x509_parse_generalNames(object, level+1, TRUE); */
|
2008-03-13 14:14:44 +00:00
|
|
|
break;
|
|
|
|
case AUTH_KEY_ID_CERT_SERIAL:
|
|
|
|
*authKeySerialNumber = object;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
2008-04-26 09:24:14 +00:00
|
|
|
parser->destroy(parser);
|
2008-03-13 14:14:44 +00:00
|
|
|
return authKeyIdentifier;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2009-09-04 11:46:09 +00:00
|
|
|
* ASN.1 definition of a authorityInfoAccess extension
|
2008-04-26 09:24:14 +00:00
|
|
|
*/
|
|
|
|
static const asn1Object_t authInfoAccessObjects[] = {
|
2008-04-28 16:00:52 +00:00
|
|
|
{ 0, "authorityInfoAccess", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
|
|
|
|
{ 1, "accessDescription", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
|
|
|
|
{ 2, "accessMethod", ASN1_OID, ASN1_BODY }, /* 2 */
|
|
|
|
{ 2, "accessLocation", ASN1_EOC, ASN1_RAW }, /* 3 */
|
|
|
|
{ 0, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
|
|
|
|
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
|
2008-04-26 09:24:14 +00:00
|
|
|
};
|
|
|
|
#define AUTH_INFO_ACCESS_METHOD 2
|
|
|
|
#define AUTH_INFO_ACCESS_LOCATION 3
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Extracts an authorityInfoAcess location
|
2008-03-13 14:14:44 +00:00
|
|
|
*/
|
|
|
|
static void parse_authorityInfoAccess(chunk_t blob, int level0,
|
|
|
|
private_x509_cert_t *this)
|
|
|
|
{
|
2008-04-26 09:24:14 +00:00
|
|
|
asn1_parser_t *parser;
|
2008-03-13 14:14:44 +00:00
|
|
|
chunk_t object;
|
2008-04-26 09:24:14 +00:00
|
|
|
int objectID;
|
2008-03-13 14:14:44 +00:00
|
|
|
int accessMethod = OID_UNKNOWN;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-28 16:00:52 +00:00
|
|
|
parser = asn1_parser_create(authInfoAccessObjects, blob);
|
2008-04-26 09:24:14 +00:00
|
|
|
parser->set_top_level(parser, level0);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
while (parser->iterate(parser, &objectID, &object))
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
2009-09-04 11:46:09 +00:00
|
|
|
switch (objectID)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
|
|
|
case AUTH_INFO_ACCESS_METHOD:
|
2008-04-26 09:24:14 +00:00
|
|
|
accessMethod = asn1_known_oid(object);
|
2008-03-13 14:14:44 +00:00
|
|
|
break;
|
|
|
|
case AUTH_INFO_ACCESS_LOCATION:
|
|
|
|
{
|
|
|
|
switch (accessMethod)
|
|
|
|
{
|
|
|
|
case OID_OCSP:
|
|
|
|
case OID_CA_ISSUERS:
|
|
|
|
{
|
|
|
|
identification_t *id;
|
|
|
|
char *uri;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
id = parse_generalName(object,
|
|
|
|
parser->get_level(parser)+1);
|
2008-03-13 14:14:44 +00:00
|
|
|
if (id == NULL)
|
2008-04-26 09:24:14 +00:00
|
|
|
{
|
|
|
|
/* parsing went wrong - abort */
|
|
|
|
goto end;
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
2009-04-30 11:37:54 +00:00
|
|
|
DBG2(" '%Y'", id);
|
2008-03-13 14:14:44 +00:00
|
|
|
if (accessMethod == OID_OCSP &&
|
2009-04-30 11:37:54 +00:00
|
|
|
asprintf(&uri, "%Y", id) > 0)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
|
|
|
this->ocsp_uris->insert_last(this->ocsp_uris, uri);
|
|
|
|
}
|
|
|
|
id->destroy(id);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
/* unkown accessMethod, ignoring */
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
end:
|
|
|
|
parser->destroy(parser);
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2008-04-26 09:24:14 +00:00
|
|
|
* ASN.1 definition of a extendedKeyUsage extension
|
|
|
|
*/
|
|
|
|
static const asn1Object_t extendedKeyUsageObjects[] = {
|
2008-04-28 16:00:52 +00:00
|
|
|
{ 0, "extendedKeyUsage", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
|
|
|
|
{ 1, "keyPurposeID", ASN1_OID, ASN1_BODY }, /* 1 */
|
|
|
|
{ 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
|
|
|
|
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
|
2008-04-26 09:24:14 +00:00
|
|
|
};
|
|
|
|
#define EXT_KEY_USAGE_PURPOSE_ID 1
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned
|
2008-03-13 14:14:44 +00:00
|
|
|
*/
|
|
|
|
static bool parse_extendedKeyUsage(chunk_t blob, int level0)
|
|
|
|
{
|
2008-04-26 09:24:14 +00:00
|
|
|
asn1_parser_t *parser;
|
2008-03-13 14:14:44 +00:00
|
|
|
chunk_t object;
|
2008-04-26 09:24:14 +00:00
|
|
|
int objectID;
|
|
|
|
bool ocsp_signing = FALSE;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-28 16:00:52 +00:00
|
|
|
parser = asn1_parser_create(extendedKeyUsageObjects, blob);
|
2008-04-26 09:24:14 +00:00
|
|
|
parser->set_top_level(parser, level0);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
while (parser->iterate(parser, &objectID, &object))
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
2009-09-04 11:46:09 +00:00
|
|
|
if (objectID == EXT_KEY_USAGE_PURPOSE_ID &&
|
2008-04-26 09:24:14 +00:00
|
|
|
asn1_known_oid(object) == OID_OCSP_SIGNING)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
2008-04-26 09:24:14 +00:00
|
|
|
ocsp_signing = TRUE;
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
|
|
|
}
|
2008-04-26 09:24:14 +00:00
|
|
|
parser->destroy(parser);
|
|
|
|
return ocsp_signing;
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2008-04-26 09:24:14 +00:00
|
|
|
* ASN.1 definition of crlDistributionPoints
|
|
|
|
*/
|
|
|
|
static const asn1Object_t crlDistributionPointsObjects[] = {
|
|
|
|
{ 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
|
|
|
|
{ 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
|
|
|
|
{ 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */
|
|
|
|
{ 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
|
|
|
|
{ 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
|
|
|
|
{ 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
|
|
|
|
{ 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
|
|
|
|
{ 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
|
|
|
|
{ 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
|
|
|
|
{ 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
|
|
|
|
{ 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_BODY }, /* 10 */
|
|
|
|
{ 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
|
|
|
|
{ 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
|
2008-04-28 16:00:52 +00:00
|
|
|
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
|
2008-04-26 09:24:14 +00:00
|
|
|
};
|
|
|
|
#define CRL_DIST_POINTS_FULLNAME 3
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Extracts one or several crlDistributionPoints into a list
|
2008-03-13 14:14:44 +00:00
|
|
|
*/
|
|
|
|
static void parse_crlDistributionPoints(chunk_t blob, int level0,
|
|
|
|
private_x509_cert_t *this)
|
|
|
|
{
|
2008-04-26 09:24:14 +00:00
|
|
|
asn1_parser_t *parser;
|
2008-03-13 14:14:44 +00:00
|
|
|
chunk_t object;
|
2008-04-26 09:24:14 +00:00
|
|
|
int objectID;
|
|
|
|
linked_list_t *list = linked_list_create();
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-28 16:00:52 +00:00
|
|
|
parser = asn1_parser_create(crlDistributionPointsObjects, blob);
|
2008-04-26 09:24:14 +00:00
|
|
|
parser->set_top_level(parser, level0);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
while (parser->iterate(parser, &objectID, &object))
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
|
|
|
if (objectID == CRL_DIST_POINTS_FULLNAME)
|
2008-04-26 09:24:14 +00:00
|
|
|
{
|
|
|
|
identification_t *id;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
/* append extracted generalNames to existing chained list */
|
|
|
|
x509_parse_generalNames(object, parser->get_level(parser)+1,
|
|
|
|
TRUE, list);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
while (list->remove_last(list, (void**)&id) == SUCCESS)
|
|
|
|
{
|
2008-04-26 09:24:14 +00:00
|
|
|
char *uri;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-30 11:37:54 +00:00
|
|
|
if (asprintf(&uri, "%Y", id) > 0)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
|
|
|
this->crl_uris->insert_last(this->crl_uris, uri);
|
|
|
|
}
|
|
|
|
id->destroy(id);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2008-04-26 09:24:14 +00:00
|
|
|
parser->destroy(parser);
|
2008-03-13 14:14:44 +00:00
|
|
|
list->destroy(list);
|
|
|
|
}
|
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
/**
|
|
|
|
* ASN.1 definition of an X.509v3 x509_cert
|
|
|
|
*/
|
|
|
|
static const asn1Object_t certObjects[] = {
|
|
|
|
{ 0, "x509", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
|
|
|
|
{ 1, "tbsCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
|
|
|
|
{ 2, "DEFAULT v1", ASN1_CONTEXT_C_0, ASN1_DEF }, /* 2 */
|
|
|
|
{ 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
|
|
|
|
{ 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 4 */
|
|
|
|
{ 2, "signature", ASN1_EOC, ASN1_RAW }, /* 5 */
|
|
|
|
{ 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
|
|
|
|
{ 2, "validity", ASN1_SEQUENCE, ASN1_NONE }, /* 7 */
|
|
|
|
{ 3, "notBefore", ASN1_EOC, ASN1_RAW }, /* 8 */
|
|
|
|
{ 3, "notAfter", ASN1_EOC, ASN1_RAW }, /* 9 */
|
|
|
|
{ 2, "subject", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
|
2008-06-10 09:00:42 +00:00
|
|
|
{ 2, "subjectPublicKeyInfo",ASN1_SEQUENCE, ASN1_RAW }, /* 11 */
|
|
|
|
{ 2, "issuerUniqueID", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 12 */
|
|
|
|
{ 2, "end opt", ASN1_EOC, ASN1_END }, /* 13 */
|
|
|
|
{ 2, "subjectUniqueID", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 14 */
|
2008-04-26 09:24:14 +00:00
|
|
|
{ 2, "end opt", ASN1_EOC, ASN1_END }, /* 15 */
|
2008-06-10 09:00:42 +00:00
|
|
|
{ 2, "optional extensions", ASN1_CONTEXT_C_3, ASN1_OPT }, /* 16 */
|
|
|
|
{ 3, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 17 */
|
|
|
|
{ 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 18 */
|
|
|
|
{ 5, "extnID", ASN1_OID, ASN1_BODY }, /* 19 */
|
|
|
|
{ 5, "critical", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 20 */
|
|
|
|
{ 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 21 */
|
|
|
|
{ 3, "end loop", ASN1_EOC, ASN1_END }, /* 22 */
|
|
|
|
{ 2, "end opt", ASN1_EOC, ASN1_END }, /* 23 */
|
|
|
|
{ 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 24 */
|
|
|
|
{ 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY }, /* 25 */
|
2008-04-28 16:00:52 +00:00
|
|
|
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
|
2008-04-26 09:24:14 +00:00
|
|
|
};
|
|
|
|
#define X509_OBJ_TBS_CERTIFICATE 1
|
|
|
|
#define X509_OBJ_VERSION 3
|
|
|
|
#define X509_OBJ_SERIAL_NUMBER 4
|
|
|
|
#define X509_OBJ_SIG_ALG 5
|
|
|
|
#define X509_OBJ_ISSUER 6
|
|
|
|
#define X509_OBJ_NOT_BEFORE 8
|
|
|
|
#define X509_OBJ_NOT_AFTER 9
|
|
|
|
#define X509_OBJ_SUBJECT 10
|
2008-06-10 09:00:42 +00:00
|
|
|
#define X509_OBJ_SUBJECT_PUBLIC_KEY_INFO 11
|
|
|
|
#define X509_OBJ_EXTN_ID 19
|
|
|
|
#define X509_OBJ_CRITICAL 20
|
|
|
|
#define X509_OBJ_EXTN_VALUE 21
|
|
|
|
#define X509_OBJ_ALGORITHM 24
|
|
|
|
#define X509_OBJ_SIGNATURE 25
|
2008-04-26 09:24:14 +00:00
|
|
|
|
2009-09-09 14:24:06 +00:00
|
|
|
/**
|
|
|
|
* forward declaration
|
|
|
|
*/
|
|
|
|
static bool issued_by(private_x509_cert_t *this, certificate_t *issuer);
|
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
|
|
|
* Parses an X.509v3 certificate
|
|
|
|
*/
|
|
|
|
static bool parse_certificate(private_x509_cert_t *this)
|
|
|
|
{
|
2008-04-26 09:24:14 +00:00
|
|
|
asn1_parser_t *parser;
|
2008-03-13 14:14:44 +00:00
|
|
|
chunk_t object;
|
2008-04-26 09:24:14 +00:00
|
|
|
int objectID;
|
2008-03-13 14:14:44 +00:00
|
|
|
int extn_oid = OID_UNKNOWN;
|
2008-04-26 09:24:14 +00:00
|
|
|
int sig_alg = OID_UNKNOWN;
|
2008-04-26 11:08:36 +00:00
|
|
|
bool success = FALSE;
|
2008-04-26 09:24:14 +00:00
|
|
|
bool critical;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-28 16:00:52 +00:00
|
|
|
parser = asn1_parser_create(certObjects, this->encoding);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
while (parser->iterate(parser, &objectID, &object))
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
2008-04-26 09:24:14 +00:00
|
|
|
u_int level = parser->get_level(parser)+1;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
switch (objectID)
|
|
|
|
{
|
|
|
|
case X509_OBJ_TBS_CERTIFICATE:
|
|
|
|
this->tbsCertificate = object;
|
|
|
|
break;
|
|
|
|
case X509_OBJ_VERSION:
|
|
|
|
this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
|
|
|
|
DBG2(" v%d", this->version);
|
|
|
|
break;
|
|
|
|
case X509_OBJ_SERIAL_NUMBER:
|
|
|
|
this->serialNumber = object;
|
|
|
|
break;
|
|
|
|
case X509_OBJ_SIG_ALG:
|
2008-04-26 09:24:14 +00:00
|
|
|
sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
|
2008-03-13 14:14:44 +00:00
|
|
|
break;
|
|
|
|
case X509_OBJ_ISSUER:
|
|
|
|
this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
|
2009-04-30 11:37:54 +00:00
|
|
|
DBG2(" '%Y'", this->issuer);
|
2008-03-13 14:14:44 +00:00
|
|
|
break;
|
|
|
|
case X509_OBJ_NOT_BEFORE:
|
2008-04-26 09:24:14 +00:00
|
|
|
this->notBefore = asn1_parse_time(object, level);
|
2008-03-13 14:14:44 +00:00
|
|
|
break;
|
|
|
|
case X509_OBJ_NOT_AFTER:
|
2008-04-26 09:24:14 +00:00
|
|
|
this->notAfter = asn1_parse_time(object, level);
|
2008-03-13 14:14:44 +00:00
|
|
|
break;
|
|
|
|
case X509_OBJ_SUBJECT:
|
|
|
|
this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
|
2009-04-30 11:37:54 +00:00
|
|
|
DBG2(" '%Y'", this->subject);
|
2008-03-13 14:14:44 +00:00
|
|
|
break;
|
2008-06-10 09:00:42 +00:00
|
|
|
case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
|
|
|
|
this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
|
2008-09-02 11:00:13 +00:00
|
|
|
KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
|
2008-06-10 09:00:42 +00:00
|
|
|
if (this->public_key == NULL)
|
2008-05-06 12:56:36 +00:00
|
|
|
{
|
2008-06-10 09:00:42 +00:00
|
|
|
goto end;
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
|
|
|
break;
|
|
|
|
case X509_OBJ_EXTN_ID:
|
2008-04-26 09:24:14 +00:00
|
|
|
extn_oid = asn1_known_oid(object);
|
2008-03-13 14:14:44 +00:00
|
|
|
break;
|
|
|
|
case X509_OBJ_CRITICAL:
|
|
|
|
critical = object.len && *object.ptr;
|
|
|
|
DBG2(" %s", critical ? "TRUE" : "FALSE");
|
|
|
|
break;
|
|
|
|
case X509_OBJ_EXTN_VALUE:
|
|
|
|
{
|
|
|
|
switch (extn_oid)
|
|
|
|
{
|
|
|
|
case OID_SUBJECT_KEY_ID:
|
2008-04-28 16:00:52 +00:00
|
|
|
if (!asn1_parse_simple_object(&object, ASN1_OCTET_STRING,
|
|
|
|
level, "keyIdentifier"))
|
|
|
|
{
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
this->subjectKeyID = object;
|
2008-03-13 14:14:44 +00:00
|
|
|
break;
|
|
|
|
case OID_SUBJECT_ALT_NAME:
|
2008-04-28 16:00:52 +00:00
|
|
|
x509_parse_generalNames(object, level, FALSE,
|
|
|
|
this->subjectAltNames);
|
2008-03-13 14:14:44 +00:00
|
|
|
break;
|
|
|
|
case OID_BASIC_CONSTRAINTS:
|
|
|
|
if (parse_basicConstraints(object, level))
|
|
|
|
{
|
|
|
|
this->flags |= X509_CA;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case OID_CRL_DISTRIBUTION_POINTS:
|
|
|
|
parse_crlDistributionPoints(object, level, this);
|
|
|
|
break;
|
|
|
|
case OID_AUTHORITY_KEY_ID:
|
|
|
|
this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
|
2009-09-04 12:58:05 +00:00
|
|
|
level, &this->authKeySerialNumber);
|
2008-03-13 14:14:44 +00:00
|
|
|
break;
|
|
|
|
case OID_AUTHORITY_INFO_ACCESS:
|
|
|
|
parse_authorityInfoAccess(object, level, this);
|
|
|
|
break;
|
|
|
|
case OID_EXTENDED_KEY_USAGE:
|
|
|
|
if (parse_extendedKeyUsage(object, level))
|
|
|
|
{
|
|
|
|
this->flags |= X509_OCSP_SIGNER;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case OID_NS_REVOCATION_URL:
|
|
|
|
case OID_NS_CA_REVOCATION_URL:
|
|
|
|
case OID_NS_CA_POLICY_URL:
|
|
|
|
case OID_NS_COMMENT:
|
2009-09-04 11:46:09 +00:00
|
|
|
if (!asn1_parse_simple_object(&object, ASN1_IA5STRING,
|
2008-03-13 14:14:44 +00:00
|
|
|
level, oid_names[extn_oid].name))
|
2008-04-26 11:08:36 +00:00
|
|
|
{
|
|
|
|
goto end;
|
|
|
|
}
|
2008-03-13 14:14:44 +00:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
case X509_OBJ_ALGORITHM:
|
2008-04-26 09:24:14 +00:00
|
|
|
this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
|
2008-03-13 14:14:44 +00:00
|
|
|
if (this->algorithm != sig_alg)
|
|
|
|
{
|
|
|
|
DBG1(" signature algorithms do not agree");
|
2008-04-26 09:24:14 +00:00
|
|
|
goto end;
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
|
|
|
break;
|
|
|
|
case X509_OBJ_SIGNATURE:
|
|
|
|
this->signature = object;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
2008-04-26 11:08:36 +00:00
|
|
|
success = parser->success(parser);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-04-26 09:24:14 +00:00
|
|
|
end:
|
|
|
|
parser->destroy(parser);
|
2009-09-09 14:24:06 +00:00
|
|
|
if (success)
|
|
|
|
{
|
|
|
|
hasher_t *hasher;
|
|
|
|
|
|
|
|
/* check if the certificate is self-signed */
|
|
|
|
if (issued_by(this, &this->public.interface.interface))
|
|
|
|
{
|
|
|
|
this->flags |= X509_SELF_SIGNED;
|
|
|
|
}
|
|
|
|
/* create certificate hash */
|
|
|
|
hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
|
|
|
|
if (hasher == NULL)
|
|
|
|
{
|
|
|
|
DBG1(" unable to create hash of certificate, SHA1 not supported");
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
|
|
|
|
hasher->destroy(hasher);
|
|
|
|
}
|
2008-04-26 09:24:14 +00:00
|
|
|
return success;
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of certificate_t.get_type
|
|
|
|
*/
|
|
|
|
static certificate_type_t get_type(private_x509_cert_t *this)
|
|
|
|
{
|
|
|
|
return CERT_X509;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of certificate_t.get_subject
|
|
|
|
*/
|
|
|
|
static identification_t* get_subject(private_x509_cert_t *this)
|
|
|
|
{
|
|
|
|
return this->subject;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of certificate_t.get_issuer
|
|
|
|
*/
|
|
|
|
static identification_t* get_issuer(private_x509_cert_t *this)
|
|
|
|
{
|
|
|
|
return this->issuer;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of certificate_t.has_subject.
|
|
|
|
*/
|
|
|
|
static id_match_t has_subject(private_x509_cert_t *this, identification_t *subject)
|
|
|
|
{
|
|
|
|
identification_t *current;
|
|
|
|
enumerator_t *enumerator;
|
|
|
|
id_match_t match, best;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-08-24 12:11:44 +00:00
|
|
|
if (this->encoding_hash.ptr && subject->get_type(subject) == ID_KEY_ID)
|
2008-04-18 11:24:45 +00:00
|
|
|
{
|
2009-08-24 12:11:44 +00:00
|
|
|
if (chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
|
|
|
|
{
|
|
|
|
return ID_MATCH_PERFECT;
|
|
|
|
}
|
2008-04-18 11:24:45 +00:00
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
best = this->subject->matches(this->subject, subject);
|
|
|
|
enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
|
|
|
|
while (enumerator->enumerate(enumerator, ¤t))
|
|
|
|
{
|
|
|
|
match = current->matches(current, subject);
|
|
|
|
if (match > best)
|
|
|
|
{
|
2009-08-24 12:11:44 +00:00
|
|
|
best = match;
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
enumerator->destroy(enumerator);
|
2009-08-24 12:11:44 +00:00
|
|
|
return best;
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of certificate_t.has_subject.
|
|
|
|
*/
|
|
|
|
static id_match_t has_issuer(private_x509_cert_t *this, identification_t *issuer)
|
|
|
|
{
|
|
|
|
/* issuerAltNames currently not supported */
|
|
|
|
return this->issuer->matches(this->issuer, issuer);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of certificate_t.issued_by
|
|
|
|
*/
|
2008-03-26 15:21:50 +00:00
|
|
|
static bool issued_by(private_x509_cert_t *this, certificate_t *issuer)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
|
|
|
public_key_t *key;
|
|
|
|
signature_scheme_t scheme;
|
|
|
|
bool valid;
|
|
|
|
x509_t *x509 = (x509_t*)issuer;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-21 19:07:12 +00:00
|
|
|
if (&this->public.interface.interface == issuer)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
2008-03-21 19:07:12 +00:00
|
|
|
if (this->flags & X509_SELF_SIGNED)
|
|
|
|
{
|
|
|
|
return TRUE;
|
|
|
|
}
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
2008-03-21 19:07:12 +00:00
|
|
|
else
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
2008-03-21 19:07:12 +00:00
|
|
|
if (issuer->get_type(issuer) != CERT_X509)
|
|
|
|
{
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
if (!(x509->get_flags(x509) & X509_CA))
|
|
|
|
{
|
|
|
|
return FALSE;
|
|
|
|
}
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
2008-03-21 20:37:08 +00:00
|
|
|
if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
|
|
|
|
{
|
|
|
|
return FALSE;
|
|
|
|
}
|
2009-06-07 09:52:03 +00:00
|
|
|
|
|
|
|
/* determine signature scheme */
|
|
|
|
scheme = signature_scheme_from_oid(this->algorithm);
|
2009-09-09 14:24:06 +00:00
|
|
|
if (scheme == SIGN_UNKNOWN)
|
|
|
|
{
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
/* get the public key of the issuer */
|
|
|
|
key = issuer->get_public_key(issuer);
|
|
|
|
if (!key)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
|
|
|
|
key->destroy(key);
|
|
|
|
return valid;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of certificate_t.get_public_key
|
|
|
|
*/
|
|
|
|
static public_key_t* get_public_key(private_x509_cert_t *this)
|
|
|
|
{
|
|
|
|
this->public_key->get_ref(this->public_key);
|
|
|
|
return this->public_key;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of certificate_t.asdf
|
|
|
|
*/
|
|
|
|
static private_x509_cert_t* get_ref(private_x509_cert_t *this)
|
|
|
|
{
|
|
|
|
ref_get(&this->ref);
|
|
|
|
return this;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of x509_cert_t.get_flags.
|
|
|
|
*/
|
|
|
|
static x509_flag_t get_flags(private_x509_cert_t *this)
|
|
|
|
{
|
|
|
|
return this->flags;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of x509_cert_t.get_validity.
|
|
|
|
*/
|
|
|
|
static bool get_validity(private_x509_cert_t *this, time_t *when,
|
|
|
|
time_t *not_before, time_t *not_after)
|
|
|
|
{
|
|
|
|
time_t t;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
if (when)
|
|
|
|
{
|
|
|
|
t = *when;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
t = time(NULL);
|
|
|
|
}
|
|
|
|
if (not_before)
|
|
|
|
{
|
|
|
|
*not_before = this->notBefore;
|
|
|
|
}
|
2008-03-18 10:36:08 +00:00
|
|
|
if (not_after)
|
|
|
|
{
|
|
|
|
*not_after = this->notAfter;
|
|
|
|
}
|
2008-03-13 14:14:44 +00:00
|
|
|
return (t >= this->notBefore && t <= this->notAfter);
|
|
|
|
}
|
2008-03-18 10:36:08 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of certificate_t.is_newer.
|
|
|
|
*/
|
|
|
|
static bool is_newer(certificate_t *this, certificate_t *that)
|
|
|
|
{
|
|
|
|
time_t this_update, that_update, now = time(NULL);
|
|
|
|
bool new;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-18 10:36:08 +00:00
|
|
|
this->get_validity(this, &now, &this_update, NULL);
|
|
|
|
that->get_validity(that, &now, &that_update, NULL);
|
|
|
|
new = this_update > that_update;
|
2009-03-12 18:07:32 +00:00
|
|
|
DBG1(" certificate from %T is %s - existing certificate from %T %s",
|
2008-03-18 10:36:08 +00:00
|
|
|
&this_update, FALSE, new ? "newer":"not newer",
|
|
|
|
&that_update, FALSE, new ? "replaced":"retained");
|
|
|
|
return new;
|
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
|
|
|
* Implementation of certificate_t.get_encoding.
|
|
|
|
*/
|
|
|
|
static chunk_t get_encoding(private_x509_cert_t *this)
|
|
|
|
{
|
2008-03-25 12:22:12 +00:00
|
|
|
return chunk_clone(this->encoding);
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of certificate_t.equals.
|
|
|
|
*/
|
|
|
|
static bool equals(private_x509_cert_t *this, certificate_t *other)
|
|
|
|
{
|
2008-04-07 08:28:35 +00:00
|
|
|
chunk_t encoding;
|
|
|
|
bool equal;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
if (this == (private_x509_cert_t*)other)
|
|
|
|
{
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
if (other->get_type(other) != CERT_X509)
|
|
|
|
{
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
if (other->equals == (void*)equals)
|
2008-04-07 08:28:35 +00:00
|
|
|
{ /* skip allocation if we have the same implementation */
|
2009-09-04 11:46:09 +00:00
|
|
|
return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding);
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
2008-04-07 08:28:35 +00:00
|
|
|
encoding = other->get_encoding(other);
|
|
|
|
equal = chunk_equals(this->encoding, encoding);
|
|
|
|
free(encoding.ptr);
|
|
|
|
return equal;
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of x509_t.get_serial.
|
|
|
|
*/
|
|
|
|
static chunk_t get_serial(private_x509_cert_t *this)
|
|
|
|
{
|
|
|
|
return this->serialNumber;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of x509_t.get_authKeyIdentifier.
|
|
|
|
*/
|
2009-08-24 12:11:44 +00:00
|
|
|
static chunk_t get_authKeyIdentifier(private_x509_cert_t *this)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
|
|
|
return this->authKeyIdentifier;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of x509_cert_t.create_subjectAltName_enumerator.
|
|
|
|
*/
|
|
|
|
static enumerator_t* create_subjectAltName_enumerator(private_x509_cert_t *this)
|
|
|
|
{
|
|
|
|
return this->subjectAltNames->create_enumerator(this->subjectAltNames);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of x509_cert_t.create_ocsp_uri_enumerator.
|
|
|
|
*/
|
|
|
|
static enumerator_t* create_ocsp_uri_enumerator(private_x509_cert_t *this)
|
|
|
|
{
|
|
|
|
return this->ocsp_uris->create_enumerator(this->ocsp_uris);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of x509_cert_t.create_crl_uri_enumerator.
|
|
|
|
*/
|
|
|
|
static enumerator_t* create_crl_uri_enumerator(private_x509_cert_t *this)
|
|
|
|
{
|
|
|
|
return this->crl_uris->create_enumerator(this->crl_uris);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of certificate_t.asdf
|
|
|
|
*/
|
|
|
|
static void destroy(private_x509_cert_t *this)
|
|
|
|
{
|
|
|
|
if (ref_put(&this->ref))
|
|
|
|
{
|
|
|
|
this->subjectAltNames->destroy_offset(this->subjectAltNames,
|
|
|
|
offsetof(identification_t, destroy));
|
|
|
|
this->crl_uris->destroy_function(this->crl_uris, free);
|
|
|
|
this->ocsp_uris->destroy_function(this->ocsp_uris, free);
|
|
|
|
DESTROY_IF(this->issuer);
|
|
|
|
DESTROY_IF(this->subject);
|
|
|
|
DESTROY_IF(this->public_key);
|
2009-08-24 12:11:44 +00:00
|
|
|
chunk_free(&this->authKeyIdentifier);
|
2008-03-25 12:22:12 +00:00
|
|
|
chunk_free(&this->encoding);
|
2008-04-18 11:24:45 +00:00
|
|
|
chunk_free(&this->encoding_hash);
|
2008-12-08 15:29:36 +00:00
|
|
|
if (!this->parsed)
|
|
|
|
{ /* only parsed certificates point these fields to "encoded" */
|
|
|
|
chunk_free(&this->signature);
|
|
|
|
chunk_free(&this->serialNumber);
|
|
|
|
chunk_free(&this->tbsCertificate);
|
|
|
|
}
|
2008-03-13 14:14:44 +00:00
|
|
|
free(this);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2008-03-25 22:28:27 +00:00
|
|
|
* create an empty but initialized X.509 certificate
|
2008-03-13 14:14:44 +00:00
|
|
|
*/
|
2008-03-25 22:28:27 +00:00
|
|
|
static private_x509_cert_t* create_empty(void)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
|
|
|
private_x509_cert_t *this = malloc_thing(private_x509_cert_t);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-06-05 19:14:31 +00:00
|
|
|
this->public.interface.interface.get_type = (certificate_type_t (*) (certificate_t*))get_type;
|
|
|
|
this->public.interface.interface.get_subject = (identification_t* (*) (certificate_t*))get_subject;
|
|
|
|
this->public.interface.interface.get_issuer = (identification_t* (*) (certificate_t*))get_issuer;
|
|
|
|
this->public.interface.interface.has_subject = (id_match_t (*) (certificate_t*, identification_t*))has_subject;
|
|
|
|
this->public.interface.interface.has_issuer = (id_match_t (*) (certificate_t*, identification_t*))has_issuer;
|
|
|
|
this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by;
|
|
|
|
this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key;
|
|
|
|
this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity;
|
|
|
|
this->public.interface.interface.is_newer = (bool (*) (certificate_t*,certificate_t*))is_newer;
|
|
|
|
this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding;
|
|
|
|
this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals;
|
|
|
|
this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref;
|
|
|
|
this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
|
2008-03-13 14:14:44 +00:00
|
|
|
this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags;
|
|
|
|
this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial;
|
2009-08-24 12:11:44 +00:00
|
|
|
this->public.interface.get_authKeyIdentifier = (chunk_t (*)(x509_t*))get_authKeyIdentifier;
|
2008-03-13 14:14:44 +00:00
|
|
|
this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator;
|
|
|
|
this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator;
|
|
|
|
this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-25 22:28:27 +00:00
|
|
|
this->encoding = chunk_empty;
|
2008-04-18 11:24:45 +00:00
|
|
|
this->encoding_hash = chunk_empty;
|
2008-12-08 15:29:36 +00:00
|
|
|
this->tbsCertificate = chunk_empty;
|
|
|
|
this->version = 3;
|
2009-09-04 11:46:09 +00:00
|
|
|
this->serialNumber = chunk_empty;
|
2008-12-08 15:29:36 +00:00
|
|
|
this->notBefore = 0;
|
|
|
|
this->notAfter = 0;
|
2008-03-13 14:14:44 +00:00
|
|
|
this->public_key = NULL;
|
|
|
|
this->subject = NULL;
|
|
|
|
this->issuer = NULL;
|
|
|
|
this->subjectAltNames = linked_list_create();
|
|
|
|
this->crl_uris = linked_list_create();
|
|
|
|
this->ocsp_uris = linked_list_create();
|
|
|
|
this->subjectKeyID = chunk_empty;
|
2009-08-24 12:11:44 +00:00
|
|
|
this->authKeyIdentifier = chunk_empty;
|
2008-03-13 14:14:44 +00:00
|
|
|
this->authKeySerialNumber = chunk_empty;
|
2008-12-08 15:29:36 +00:00
|
|
|
this->algorithm = 0;
|
|
|
|
this->signature = chunk_empty;
|
2008-03-13 14:14:44 +00:00
|
|
|
this->flags = 0;
|
|
|
|
this->ref = 1;
|
2008-12-08 15:29:36 +00:00
|
|
|
this->parsed = FALSE;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-03-25 22:28:27 +00:00
|
|
|
return this;
|
|
|
|
}
|
|
|
|
|
2008-12-08 15:29:36 +00:00
|
|
|
/**
|
|
|
|
* Generate and sign a new certificate
|
|
|
|
*/
|
2009-09-09 14:24:06 +00:00
|
|
|
static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
|
|
|
|
private_key_t *sign_key, int digest_alg)
|
2008-12-08 15:29:36 +00:00
|
|
|
{
|
|
|
|
chunk_t extensions = chunk_empty;
|
2009-09-08 08:38:02 +00:00
|
|
|
chunk_t basicConstraints = chunk_empty, subjectAltNames = chunk_empty;
|
2009-09-08 09:26:05 +00:00
|
|
|
chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
|
2009-09-11 09:45:04 +00:00
|
|
|
chunk_t crlDistributionPoints = chunk_empty;
|
2008-12-08 15:29:36 +00:00
|
|
|
identification_t *issuer, *subject;
|
2009-08-27 11:34:06 +00:00
|
|
|
chunk_t key_info;
|
2008-12-08 15:29:36 +00:00
|
|
|
signature_scheme_t scheme;
|
|
|
|
hasher_t *hasher;
|
2009-09-08 11:17:41 +00:00
|
|
|
enumerator_t *enumerator;
|
|
|
|
identification_t *id;
|
2009-09-11 09:45:04 +00:00
|
|
|
char *uri;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-09-09 14:24:06 +00:00
|
|
|
subject = cert->subject;
|
|
|
|
if (sign_cert)
|
2008-12-08 15:29:36 +00:00
|
|
|
{
|
2009-09-09 14:24:06 +00:00
|
|
|
issuer = sign_cert->get_subject(sign_cert);
|
|
|
|
if (!cert->public_key)
|
2008-12-08 15:29:36 +00:00
|
|
|
{
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{ /* self signed */
|
|
|
|
issuer = subject;
|
2009-09-09 14:24:06 +00:00
|
|
|
if (!cert->public_key)
|
2008-12-08 15:29:36 +00:00
|
|
|
{
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->public_key = sign_key->get_public_key(sign_key);
|
2008-12-08 15:29:36 +00:00
|
|
|
}
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->flags |= X509_SELF_SIGNED;
|
2008-12-08 15:29:36 +00:00
|
|
|
}
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->issuer = issuer->clone(issuer);
|
|
|
|
if (!cert->notBefore)
|
2008-12-08 15:29:36 +00:00
|
|
|
{
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->notBefore = time(NULL);
|
2008-12-08 15:29:36 +00:00
|
|
|
}
|
2009-09-09 14:24:06 +00:00
|
|
|
if (!cert->notAfter)
|
2009-08-28 07:08:03 +00:00
|
|
|
{ /* defaults to 1 year from now */
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->notAfter = cert->notBefore + 60 * 60 * 24 * 365;
|
2008-12-08 15:29:36 +00:00
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-08-28 07:28:39 +00:00
|
|
|
/* select signature scheme */
|
2009-09-09 14:24:06 +00:00
|
|
|
switch (sign_key->get_type(sign_key))
|
2008-12-08 15:29:36 +00:00
|
|
|
{
|
|
|
|
case KEY_RSA:
|
2009-09-09 14:24:06 +00:00
|
|
|
switch (digest_alg)
|
2009-08-28 07:08:03 +00:00
|
|
|
{
|
|
|
|
case HASH_MD5:
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->algorithm = OID_MD5_WITH_RSA;
|
2009-08-28 07:08:03 +00:00
|
|
|
break;
|
|
|
|
case HASH_SHA1:
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->algorithm = OID_SHA1_WITH_RSA;
|
2009-08-28 07:08:03 +00:00
|
|
|
break;
|
|
|
|
case HASH_SHA224:
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->algorithm = OID_SHA224_WITH_RSA;
|
2009-08-28 07:08:03 +00:00
|
|
|
break;
|
|
|
|
case HASH_SHA256:
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->algorithm = OID_SHA256_WITH_RSA;
|
2009-08-28 07:08:03 +00:00
|
|
|
break;
|
|
|
|
case HASH_SHA384:
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->algorithm = OID_SHA384_WITH_RSA;
|
2009-08-28 07:08:03 +00:00
|
|
|
break;
|
|
|
|
case HASH_SHA512:
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->algorithm = OID_SHA512_WITH_RSA;
|
2009-08-28 07:08:03 +00:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return FALSE;
|
|
|
|
}
|
2008-12-08 15:29:36 +00:00
|
|
|
break;
|
2009-08-27 11:34:06 +00:00
|
|
|
case KEY_ECDSA:
|
2009-09-09 14:24:06 +00:00
|
|
|
switch (digest_alg)
|
2009-08-28 07:08:03 +00:00
|
|
|
{
|
|
|
|
case HASH_SHA1:
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->algorithm = OID_ECDSA_WITH_SHA1;
|
2009-08-28 07:08:03 +00:00
|
|
|
break;
|
|
|
|
case HASH_SHA256:
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->algorithm = OID_ECDSA_WITH_SHA256;
|
2009-08-28 07:08:03 +00:00
|
|
|
break;
|
|
|
|
case HASH_SHA384:
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->algorithm = OID_ECDSA_WITH_SHA384;
|
2009-08-28 07:08:03 +00:00
|
|
|
break;
|
|
|
|
case HASH_SHA512:
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->algorithm = OID_ECDSA_WITH_SHA512;
|
2009-08-28 07:08:03 +00:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return FALSE;
|
|
|
|
}
|
2009-08-27 11:34:06 +00:00
|
|
|
break;
|
2008-12-08 15:29:36 +00:00
|
|
|
default:
|
|
|
|
return FALSE;
|
|
|
|
}
|
2009-09-09 14:24:06 +00:00
|
|
|
scheme = signature_scheme_from_oid(cert->algorithm);
|
2009-08-28 07:08:03 +00:00
|
|
|
|
2009-09-09 14:24:06 +00:00
|
|
|
if (!cert->public_key->get_encoding(cert->public_key,
|
|
|
|
KEY_PUB_SPKI_ASN1_DER, &key_info))
|
2008-12-08 15:29:36 +00:00
|
|
|
{
|
2009-08-27 11:34:06 +00:00
|
|
|
return FALSE;
|
2008-12-08 15:29:36 +00:00
|
|
|
}
|
2009-09-08 08:38:02 +00:00
|
|
|
|
2009-09-09 14:24:06 +00:00
|
|
|
enumerator = cert->subjectAltNames->create_enumerator(cert->subjectAltNames);
|
2009-09-08 11:17:41 +00:00
|
|
|
while (enumerator->enumerate(enumerator, &id))
|
|
|
|
{
|
|
|
|
int context;
|
|
|
|
chunk_t name;
|
|
|
|
|
|
|
|
switch (id->get_type(id))
|
|
|
|
{
|
|
|
|
case ID_RFC822_ADDR:
|
|
|
|
context = ASN1_CONTEXT_S_1;
|
|
|
|
break;
|
|
|
|
case ID_FQDN:
|
|
|
|
context = ASN1_CONTEXT_S_2;
|
|
|
|
break;
|
|
|
|
case ID_IPV4_ADDR:
|
|
|
|
case ID_IPV6_ADDR:
|
|
|
|
context = ASN1_CONTEXT_S_7;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
DBG1("encoding %N as subjectAltName not supported",
|
|
|
|
id_type_names, id->get_type(id));
|
|
|
|
enumerator->destroy(enumerator);
|
|
|
|
free(key_info.ptr);
|
|
|
|
free(subjectAltNames.ptr);
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
name = asn1_wrap(context, "c", id->get_encoding(id));
|
|
|
|
subjectAltNames = chunk_cat("mm", subjectAltNames, name);
|
|
|
|
}
|
|
|
|
enumerator->destroy(enumerator);
|
|
|
|
if (subjectAltNames.ptr)
|
2008-12-08 15:29:36 +00:00
|
|
|
{
|
2009-09-08 11:17:41 +00:00
|
|
|
subjectAltNames = asn1_wrap(ASN1_SEQUENCE, "mm",
|
|
|
|
asn1_build_known_oid(OID_SUBJECT_ALT_NAME),
|
|
|
|
asn1_wrap(ASN1_OCTET_STRING, "m",
|
|
|
|
asn1_wrap(ASN1_SEQUENCE, "m", subjectAltNames)));
|
2008-12-08 15:29:36 +00:00
|
|
|
}
|
2009-09-08 11:17:41 +00:00
|
|
|
|
2009-09-11 09:45:04 +00:00
|
|
|
enumerator = cert->crl_uris->create_enumerator(cert->crl_uris);
|
|
|
|
while (enumerator->enumerate(enumerator, &uri))
|
|
|
|
{
|
|
|
|
chunk_t distributionPoint;
|
|
|
|
|
|
|
|
distributionPoint = asn1_wrap(ASN1_SEQUENCE, "m",
|
|
|
|
asn1_wrap(ASN1_CONTEXT_C_0, "m",
|
|
|
|
asn1_wrap(ASN1_CONTEXT_C_0, "m",
|
|
|
|
asn1_wrap(ASN1_CONTEXT_S_6, "c",
|
|
|
|
chunk_create(uri, strlen(uri))))));
|
|
|
|
|
|
|
|
crlDistributionPoints = chunk_cat("mm", crlDistributionPoints,
|
|
|
|
distributionPoint);
|
|
|
|
}
|
|
|
|
enumerator->destroy(enumerator);
|
|
|
|
if (crlDistributionPoints.ptr)
|
|
|
|
{
|
|
|
|
crlDistributionPoints = asn1_wrap(ASN1_SEQUENCE, "mm",
|
|
|
|
asn1_build_known_oid(OID_CRL_DISTRIBUTION_POINTS),
|
|
|
|
asn1_wrap(ASN1_OCTET_STRING, "m",
|
|
|
|
asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints)));
|
|
|
|
}
|
|
|
|
|
2009-09-09 14:24:06 +00:00
|
|
|
if (cert->flags & X509_CA)
|
2009-09-08 08:38:02 +00:00
|
|
|
{
|
2009-09-11 13:35:10 +00:00
|
|
|
chunk_t keyid;
|
2009-09-08 08:38:02 +00:00
|
|
|
|
|
|
|
basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
|
|
|
|
asn1_build_known_oid(OID_BASIC_CONSTRAINTS),
|
2009-09-11 13:35:10 +00:00
|
|
|
asn1_wrap(ASN1_BOOLEAN, "c",
|
|
|
|
chunk_from_chars(0xFF)),
|
2009-09-08 08:38:02 +00:00
|
|
|
asn1_wrap(ASN1_OCTET_STRING, "m",
|
|
|
|
asn1_wrap(ASN1_SEQUENCE, "m",
|
2009-09-11 13:35:10 +00:00
|
|
|
asn1_wrap(ASN1_BOOLEAN, "c",
|
|
|
|
chunk_from_chars(0xFF)))));
|
2009-09-08 09:02:49 +00:00
|
|
|
/* add subjectKeyIdentifier to CA certificates */
|
2009-09-09 14:24:06 +00:00
|
|
|
if (cert->public_key->get_fingerprint(cert->public_key,
|
|
|
|
KEY_ID_PUBKEY_SHA1, &keyid))
|
2009-09-08 09:02:49 +00:00
|
|
|
{
|
|
|
|
subjectKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
|
|
|
|
asn1_build_known_oid(OID_SUBJECT_KEY_ID),
|
|
|
|
asn1_wrap(ASN1_OCTET_STRING, "m",
|
|
|
|
asn1_wrap(ASN1_OCTET_STRING, "c", keyid)));
|
|
|
|
}
|
2009-09-08 08:38:02 +00:00
|
|
|
}
|
2009-09-09 14:24:06 +00:00
|
|
|
if (sign_key)
|
2009-09-08 09:26:05 +00:00
|
|
|
{ /* add the keyid authKeyIdentifier for non self-signed certificates */
|
|
|
|
chunk_t keyid;
|
|
|
|
|
2009-09-09 14:24:06 +00:00
|
|
|
if (sign_key->get_fingerprint(sign_key, KEY_ID_PUBKEY_SHA1, &keyid))
|
2009-09-08 09:26:05 +00:00
|
|
|
{
|
|
|
|
authKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
|
|
|
|
asn1_build_known_oid(OID_AUTHORITY_KEY_ID),
|
|
|
|
asn1_wrap(ASN1_OCTET_STRING, "m",
|
|
|
|
asn1_wrap(ASN1_SEQUENCE, "m",
|
|
|
|
asn1_wrap(ASN1_CONTEXT_S_0, "c", keyid))));
|
|
|
|
}
|
|
|
|
}
|
2009-09-11 09:45:04 +00:00
|
|
|
if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
|
|
|
|
crlDistributionPoints.ptr)
|
2009-09-08 08:38:02 +00:00
|
|
|
{
|
|
|
|
extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
|
2009-09-11 09:45:04 +00:00
|
|
|
asn1_wrap(ASN1_SEQUENCE, "mmmmm",
|
2009-09-08 09:02:49 +00:00
|
|
|
basicConstraints, subjectKeyIdentifier,
|
2009-09-11 09:45:04 +00:00
|
|
|
authKeyIdentifier, subjectAltNames,
|
|
|
|
crlDistributionPoints));
|
2009-09-08 08:38:02 +00:00
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
|
2008-12-08 15:29:36 +00:00
|
|
|
asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
|
2009-09-09 14:24:06 +00:00
|
|
|
asn1_integer("c", cert->serialNumber),
|
|
|
|
asn1_algorithmIdentifier(cert->algorithm),
|
2008-12-08 15:29:36 +00:00
|
|
|
issuer->get_encoding(issuer),
|
|
|
|
asn1_wrap(ASN1_SEQUENCE, "mm",
|
2009-09-09 14:24:06 +00:00
|
|
|
asn1_from_time(&cert->notBefore, ASN1_UTCTIME),
|
|
|
|
asn1_from_time(&cert->notAfter, ASN1_UTCTIME)),
|
2008-12-08 15:29:36 +00:00
|
|
|
subject->get_encoding(subject),
|
|
|
|
key_info, extensions);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-09-09 14:24:06 +00:00
|
|
|
if (!sign_key->sign(sign_key, scheme, cert->tbsCertificate, &cert->signature))
|
2008-12-08 15:29:36 +00:00
|
|
|
{
|
|
|
|
return FALSE;
|
|
|
|
}
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm", cert->tbsCertificate,
|
|
|
|
asn1_algorithmIdentifier(cert->algorithm),
|
|
|
|
asn1_bitstring("c", cert->signature));
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-12-08 15:29:36 +00:00
|
|
|
hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
|
|
|
|
if (!hasher)
|
|
|
|
{
|
|
|
|
return FALSE;
|
|
|
|
}
|
2009-09-09 14:24:06 +00:00
|
|
|
hasher->allocate_hash(hasher, cert->encoding, &cert->encoding_hash);
|
2008-12-08 15:29:36 +00:00
|
|
|
hasher->destroy(hasher);
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
/**
|
2009-09-09 14:24:06 +00:00
|
|
|
* See header.
|
2008-03-13 14:14:44 +00:00
|
|
|
*/
|
2009-09-09 14:24:06 +00:00
|
|
|
x509_cert_t *x509_cert_load(certificate_type_t type, va_list args)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
2009-09-09 14:24:06 +00:00
|
|
|
chunk_t blob = chunk_empty;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-09-09 14:24:06 +00:00
|
|
|
while (TRUE)
|
2008-12-08 15:29:36 +00:00
|
|
|
{
|
2009-09-09 14:24:06 +00:00
|
|
|
switch (va_arg(args, builder_part_t))
|
|
|
|
{
|
|
|
|
case BUILD_BLOB_ASN1_DER:
|
|
|
|
blob = va_arg(args, chunk_t);
|
|
|
|
continue;
|
|
|
|
case BUILD_END:
|
|
|
|
break;
|
|
|
|
default:
|
2009-05-15 16:15:55 +00:00
|
|
|
return NULL;
|
2008-12-08 15:29:36 +00:00
|
|
|
}
|
2009-09-09 14:24:06 +00:00
|
|
|
break;
|
2008-12-08 15:29:36 +00:00
|
|
|
}
|
2008-03-13 14:14:44 +00:00
|
|
|
|
2009-09-09 14:24:06 +00:00
|
|
|
if (blob.ptr)
|
2008-12-08 15:29:36 +00:00
|
|
|
{
|
2009-09-09 14:24:06 +00:00
|
|
|
private_x509_cert_t *cert = create_empty();
|
2009-09-08 11:17:41 +00:00
|
|
|
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->encoding = chunk_clone(blob);
|
|
|
|
if (parse_certificate(cert))
|
2008-12-08 15:29:36 +00:00
|
|
|
{
|
2009-09-09 14:24:06 +00:00
|
|
|
cert->parsed = TRUE;
|
|
|
|
return &cert->public;
|
2008-12-08 15:29:36 +00:00
|
|
|
}
|
2009-09-09 14:24:06 +00:00
|
|
|
destroy(cert);
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
2009-09-09 14:24:06 +00:00
|
|
|
return NULL;
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2009-09-09 14:24:06 +00:00
|
|
|
* See header.
|
2008-03-13 14:14:44 +00:00
|
|
|
*/
|
2009-09-09 14:24:06 +00:00
|
|
|
x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
2009-09-09 14:24:06 +00:00
|
|
|
private_x509_cert_t *cert;
|
|
|
|
certificate_t *sign_cert = NULL;
|
|
|
|
private_key_t *sign_key = NULL;
|
|
|
|
hash_algorithm_t digest_alg = HASH_SHA1;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-09-09 14:24:06 +00:00
|
|
|
cert = create_empty();
|
|
|
|
while (TRUE)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
2009-09-09 14:24:06 +00:00
|
|
|
switch (va_arg(args, builder_part_t))
|
|
|
|
{
|
|
|
|
case BUILD_X509_FLAG:
|
|
|
|
cert->flags |= va_arg(args, x509_flag_t);
|
|
|
|
continue;
|
|
|
|
case BUILD_SIGNING_KEY:
|
|
|
|
sign_key = va_arg(args, private_key_t*);
|
|
|
|
continue;
|
|
|
|
case BUILD_SIGNING_CERT:
|
|
|
|
sign_cert = va_arg(args, certificate_t*);
|
|
|
|
continue;
|
|
|
|
case BUILD_PUBLIC_KEY:
|
|
|
|
cert->public_key = va_arg(args, public_key_t*);
|
|
|
|
cert->public_key->get_ref(cert->public_key);
|
|
|
|
continue;
|
|
|
|
case BUILD_SUBJECT:
|
|
|
|
cert->subject = va_arg(args, identification_t*);
|
|
|
|
cert->subject = cert->subject->clone(cert->subject);
|
|
|
|
continue;
|
|
|
|
case BUILD_SUBJECT_ALTNAMES:
|
|
|
|
{
|
|
|
|
enumerator_t *enumerator;
|
|
|
|
identification_t *id;
|
|
|
|
linked_list_t *list;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-09-09 14:24:06 +00:00
|
|
|
list = va_arg(args, linked_list_t*);
|
|
|
|
enumerator = list->create_enumerator(list);
|
|
|
|
while (enumerator->enumerate(enumerator, &id))
|
|
|
|
{
|
|
|
|
cert->subjectAltNames->insert_last(
|
|
|
|
cert->subjectAltNames, id->clone(id));
|
|
|
|
}
|
|
|
|
enumerator->destroy(enumerator);
|
|
|
|
continue;
|
|
|
|
}
|
2009-09-11 09:45:04 +00:00
|
|
|
case BUILD_CRL_DISTRIBUTION_POINTS:
|
|
|
|
{
|
|
|
|
enumerator_t *enumerator;
|
|
|
|
linked_list_t *list;
|
|
|
|
char *uri;
|
|
|
|
|
|
|
|
list = va_arg(args, linked_list_t*);
|
|
|
|
enumerator = list->create_enumerator(list);
|
|
|
|
while (enumerator->enumerate(enumerator, &uri))
|
|
|
|
{
|
|
|
|
cert->crl_uris->insert_last(cert->crl_uris, strdup(uri));
|
|
|
|
}
|
|
|
|
enumerator->destroy(enumerator);
|
|
|
|
continue;
|
|
|
|
}
|
2009-09-09 14:24:06 +00:00
|
|
|
case BUILD_NOT_BEFORE_TIME:
|
|
|
|
cert->notBefore = va_arg(args, time_t);
|
|
|
|
continue;
|
|
|
|
case BUILD_NOT_AFTER_TIME:
|
|
|
|
cert->notAfter = va_arg(args, time_t);
|
|
|
|
continue;
|
|
|
|
case BUILD_SERIAL:
|
|
|
|
cert->serialNumber = chunk_clone(va_arg(args, chunk_t));
|
|
|
|
continue;
|
|
|
|
case BUILD_DIGEST_ALG:
|
|
|
|
digest_alg = va_arg(args, int);
|
|
|
|
continue;
|
|
|
|
case BUILD_END:
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
destroy(cert);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-09-09 14:24:06 +00:00
|
|
|
if (sign_key && generate(cert, sign_cert, sign_key, digest_alg))
|
|
|
|
{
|
|
|
|
return &cert->public;
|
|
|
|
}
|
|
|
|
destroy(cert);
|
|
|
|
return NULL;
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
|
|
|
|