From f880eb2dca5a5b56ad44dc10e605fc1cb2478d2f Mon Sep 17 00:00:00 2001 From: Andreas Steffen Date: Thu, 12 Apr 2007 17:49:33 +0000 Subject: [PATCH] started support of X.509 attribute certificates --- .../credentials/local_credential_store.c | 114 ++++-- src/charon/daemon.c | 2 + src/libstrongswan/Makefile.am | 1 + src/libstrongswan/credential_store.h | 18 + src/libstrongswan/crypto/ac.c | 357 ++++++++++++++++++ src/libstrongswan/crypto/ac.h | 81 ++++ src/libstrongswan/crypto/ca.c | 9 + 7 files changed, 561 insertions(+), 21 deletions(-) create mode 100644 src/libstrongswan/crypto/ac.c create mode 100644 src/libstrongswan/crypto/ac.h diff --git a/src/charon/config/credentials/local_credential_store.c b/src/charon/config/credentials/local_credential_store.c index b7b71b9e7..bee7fce4b 100644 --- a/src/charon/config/credentials/local_credential_store.c +++ b/src/charon/config/credentials/local_credential_store.c @@ -32,6 +32,7 @@ #include #include #include +#include #include #include @@ -103,24 +104,25 @@ static shared_key_t *shared_key_create(chunk_t secret) | | ca_info_t | | +--------------------------+ +---------------+ | char *name | -| x509_t |<--| x509_t *cacert | +----------------------+ -+---------------+ | linked_list_t *certinfos |-->| certinfo_t | -| chunk_t keyid | | linked_list_t *ocspuris | +----------------------+ -+---------------+ | crl_t *crl | | chunk_t serialNumber | +| x509_t |<--| x509_t *cacert | ++---------------+ | linked_list_t *attrcerts | +----------------------+ +| chunk_t keyid | | linked_list_t *certinfos |-->| certinfo_t | ++---------------+ | linked_list_t *ocspuris | +----------------------+ + | | crl_t *crl | | chunk_t serialNumber | | | linked_list_t *crluris | | cert_status_t status | - | | pthread_mutex_t mutex | | time_t thisUpdate | -+---------------+ +--------------------------+ | time_t nextUpdate | -| x509_t | | | bool once | -+---------------+ | +----------------------+ -| chunk_t keyid | | | -+---------------+ +------------------------- + +----------------------+ - | | ca_info_t | | certinfo_t | - | +--------------------------+ +----------------------+ -+---------------+ | char *name | | chunk_t serialNumber | -| x509_t |<--| x509_t *cacert | | cert_status_t status | -+---------------+ | linked_list_t *certinfos | | time_t thisUpdate | -| chunk_t keyid | | linked_list_t *ocspuris | | time_t nextUpdate | -+---------------+ | crl_t *crl | | bool once | ++---------------+ | pthread_mutex_t mutex | | time_t thisUpdate | +| x509_t | +--------------------------+ | time_t nextUpdate | ++---------------+ | | bool once | +| chunk_t keyid | | +----------------------+ ++---------------+ +------------------------- + | + | | ca_info_t | +----------------------+ + | +--------------------------+ | certinfo_t | ++---------------+ | char *name | +----------------------+ +| x509_t |<--| x509_t *cacert | | chunk_t serialNumber | ++---------------+ | linked_list_t *attrcerts | | cert_status_t status | +| chunk_t keyid | | linked_list_t *certinfos | | time_t thisUpdate | ++---------------+ | linked_list_t *ocspuris | | time_t nextUpdate | + | | crl_t *crl | | bool once | | | linked_list_t *crluris | +----------------------+ | | pthread_mutex_t mutex; | | | +--------------------------+ @@ -886,12 +888,12 @@ static void load_auth_certificates(private_local_credential_store_t *this, struct stat stb; DIR* dir; - DBG1(DBG_CFG, "loading %s certificates from '%s/'", label, path); + DBG1(DBG_CFG, "loading %s certificates from '%s'", label, path); dir = opendir(path); if (dir == NULL) { - DBG1(DBG_CFG, "error opening %s certs directory %s'", label, path); + DBG1(DBG_CFG, "error opening %s certs directory '%s'", label, path); return; } @@ -974,6 +976,74 @@ static void load_ca_certificates(private_local_credential_store_t *this) } } +/** + * Implements local_credential_store_t.load_aa_certificates + */ +static void load_aa_certificates(private_local_credential_store_t *this) +{ + load_auth_certificates(this, AUTH_AA, "aa", AA_CERTIFICATE_DIR); +} + +/** + * Add a unique attribute certificate to a linked list + */ +static void add_attr_certificate(private_local_credential_store_t *this, x509ac_t *cert) +{ + /* TODO add a new attribute certificate to the linked list */ +} + +/** + * Implements local_credential_store_t.load_attr_certificates + */ +static void load_attr_certificates(private_local_credential_store_t *this) +{ + struct dirent* entry; + struct stat stb; + DIR* dir; + + const char *path = ATTR_CERTIFICATE_DIR; + + DBG1(DBG_CFG, "loading attribute certificates from '%s'", path); + + dir = opendir(ATTR_CERTIFICATE_DIR); + if (dir == NULL) + { + DBG1(DBG_CFG, "error opening attribute certs directory '%s'", path); + return; + } + + while ((entry = readdir(dir)) != NULL) + { + char file[PATH_BUF]; + + snprintf(file, sizeof(file), "%s/%s", path, entry->d_name); + + if (stat(file, &stb) == -1) + { + continue; + } + /* try to parse all regular files */ + if (stb.st_mode & S_IFREG) + { + x509ac_t *cert = x509ac_create_from_file(file); + + if (cert) + { + err_t ugh = cert->is_valid(cert, NULL); + + if (ugh != NULL) + { + DBG1(DBG_CFG, "warning: attribute certificate %s", ugh); + } + add_attr_certificate(this, cert); + } + } + } + closedir(dir); + + +} + /** * Implements local_credential_store_t.load_ocsp_certificates */ @@ -1027,12 +1097,12 @@ static void load_crls(private_local_credential_store_t *this) DIR* dir; crl_t *crl; - DBG1(DBG_CFG, "loading crls from '%s/'", CRL_DIR); + DBG1(DBG_CFG, "loading crls from '%s'", CRL_DIR); dir = opendir(CRL_DIR); if (dir == NULL) { - DBG1(DBG_CFG, "error opening crl directory %s'", CRL_DIR); + DBG1(DBG_CFG, "error opening crl directory '%s'", CRL_DIR); return; } @@ -1345,6 +1415,8 @@ local_credential_store_t * local_credential_store_create(bool strict) this->public.credential_store.create_auth_cert_iterator = (iterator_t* (*) (credential_store_t*))create_auth_cert_iterator; this->public.credential_store.create_cainfo_iterator = (iterator_t* (*) (credential_store_t*))create_cainfo_iterator; this->public.credential_store.load_ca_certificates = (void (*) (credential_store_t*))load_ca_certificates; + this->public.credential_store.load_aa_certificates = (void (*) (credential_store_t*))load_aa_certificates; + this->public.credential_store.load_attr_certificates = (void (*) (credential_store_t*))load_attr_certificates; this->public.credential_store.load_ocsp_certificates = (void (*) (credential_store_t*))load_ocsp_certificates; this->public.credential_store.load_crls = (void (*) (credential_store_t*))load_crls; this->public.credential_store.load_secrets = (void (*) (credential_store_t*))load_secrets; diff --git a/src/charon/daemon.c b/src/charon/daemon.c index 9640f1cf2..4754d319b 100644 --- a/src/charon/daemon.c +++ b/src/charon/daemon.c @@ -273,6 +273,8 @@ static void initialize(private_daemon_t *this, bool strict, bool syslog, /* load secrets, ca certificates and crls */ credentials = this->public.credentials; credentials->load_ca_certificates(credentials); + credentials->load_aa_certificates(credentials); + credentials->load_attr_certificates(credentials); credentials->load_ocsp_certificates(credentials); credentials->load_crls(credentials); credentials->load_secrets(credentials); diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index b103be193..292abc0a4 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -11,6 +11,7 @@ asn1/asn1.c asn1/asn1.h \ asn1/oid.c asn1/oid.h \ asn1/pem.c asn1/pem.h \ asn1/ttodata.c asn1/ttodata.h \ +crypto/ac.c crypto/ac.h \ crypto/ca.c crypto/ca.h \ crypto/certinfo.c crypto/certinfo.h \ crypto/crl.c crypto/crl.h \ diff --git a/src/libstrongswan/credential_store.h b/src/libstrongswan/credential_store.h index 5d51981ec..65e692dcd 100755 --- a/src/libstrongswan/credential_store.h +++ b/src/libstrongswan/credential_store.h @@ -243,6 +243,24 @@ struct credential_store_t { */ void (*load_ca_certificates) (credential_store_t *this); + /** + * @brief Loads authorization authority certificates from a default directory. + * + * Certificates in both DER and PEM format are accepted + * + * @param this calling object + */ + void (*load_aa_certificates) (credential_store_t *this); + + /** + * @brief Loads attribute certificates from a default directory. + * + * Certificates in both DER and PEM format are accepted + * + * @param this calling object + */ + void (*load_attr_certificates) (credential_store_t *this); + /** * @brief Loads ocsp certificates from a default directory. * diff --git a/src/libstrongswan/crypto/ac.c b/src/libstrongswan/crypto/ac.c new file mode 100644 index 000000000..3104f9fb7 --- /dev/null +++ b/src/libstrongswan/crypto/ac.c @@ -0,0 +1,357 @@ +/** + * @file ac.c + * + * @brief Implementation of x509ac_t. + * + */ + +/* + * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler + * Copyright (C) 2003 Martin Berner, Lukas Suter + * Copyright (C) 2007 Andreas Steffen, Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include +#include + +#include "ac.h" + +typedef struct private_x509ac_t private_x509ac_t; + +/** + * Private data of a x509ac_t object. + */ +struct private_x509ac_t { + /** + * Public interface for this attribute certificate. + */ + x509ac_t public; + + /** + * Time when attribute certificate was installed + */ + time_t installed; + + /** + * X.509 attribute certificate in DER format + */ + chunk_t certificate; + + /** + * X.509 attribute certificate body over which signature is computed + */ + chunk_t certificateInfo; + + /** + * Version of the X.509 attribute certificate + */ + u_int version; + + /** + * Serial number of the X.509 attribute certificate + */ + chunk_t serialNumber; + + /** + * ID representing the issuer of the holder certificate + */ + identification_t *holderIssuer; + + /** + * Serial number of the holder certificate + */ + chunk_t holderSerial; + + /** + * ID representing the holder + */ + identification_t *entityName; + + /** + * ID representing the attribute certificate issuer + */ + identification_t *issuerName; + + /** + * Signature algorithm + */ + int sigAlg; + + /** + * Start time of certificate validity + */ + time_t notBefore; + + /** + * End time of certificate validity + */ + time_t notAfter; + + /** + * List of charging attributes + */ + linked_list_t *charging; + + /** + * List of groub attributes + */ + linked_list_t *groups; + + /** + * Authority Key Identifier + */ + chunk_t authKeyID; + + /** + * Authority Key Serial Number + */ + chunk_t authKeySerialNumber; + + /** + * No revocation information available + */ + bool noRevAvail; + + /** + * Signature algorithm (must be identical to sigAlg) + */ + int algorithm; + + /** + * Signature + */ + chunk_t signature; +}; + +/** + * definition of ietfAttribute kinds + */ +typedef enum { + IETF_ATTRIBUTE_OCTETS = 0, + IETF_ATTRIBUTE_OID = 1, + IETF_ATTRIBUTE_STRING = 2 +} ietfAttribute_t; + +/** + * access structure for an ietfAttribute + */ +typedef struct ietfAttr ietfAttr_t; + +struct ietfAttr { + time_t installed; + int count; + ietfAttribute_t kind; + chunk_t value; +}; + +/** + * ASN.1 definition of ietfAttrSyntax + */ +static const asn1Object_t ietfAttrSyntaxObjects[] = +{ + { 0, "ietfAttrSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ + { 1, "policyAuthority", ASN1_CONTEXT_C_0, ASN1_OPT | + ASN1_BODY }, /* 1 */ + { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */ + { 1, "values", ASN1_SEQUENCE, ASN1_LOOP }, /* 3 */ + { 2, "octets", ASN1_OCTET_STRING, ASN1_OPT | + ASN1_BODY }, /* 4 */ + { 2, "end choice", ASN1_EOC, ASN1_END }, /* 5 */ + { 2, "oid", ASN1_OID, ASN1_OPT | + ASN1_BODY }, /* 6 */ + { 2, "end choice", ASN1_EOC, ASN1_END }, /* 7 */ + { 2, "string", ASN1_UTF8STRING, ASN1_OPT | + ASN1_BODY }, /* 8 */ + { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */ + { 1, "end loop", ASN1_EOC, ASN1_END } /* 10 */ +}; + +#define IETF_ATTR_OCTETS 4 +#define IETF_ATTR_OID 6 +#define IETF_ATTR_STRING 8 +#define IETF_ATTR_ROOF 11 + +/** + * ASN.1 definition of roleSyntax + */ +static const asn1Object_t roleSyntaxObjects[] = +{ + { 0, "roleSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ + { 1, "roleAuthority", ASN1_CONTEXT_C_0, ASN1_OPT | + ASN1_OBJ }, /* 1 */ + { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */ + { 1, "roleName", ASN1_CONTEXT_C_1, ASN1_OBJ } /* 3 */ +}; + +#define ROLE_ROOF 4 + +/** + * ASN.1 definition of an X509 attribute certificate + */ +static const asn1Object_t acObjects[] = +{ + { 0, "AttributeCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */ + { 1, "AttributeCertificateInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */ + { 2, "version", ASN1_INTEGER, ASN1_DEF | + ASN1_BODY }, /* 2 */ + { 2, "holder", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */ + { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 4 */ + { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */ + { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 6 */ + { 4, "issuerUID", ASN1_BIT_STRING, ASN1_OPT | + ASN1_BODY }, /* 7 */ + { 4, "end opt", ASN1_EOC, ASN1_END }, /* 8 */ + { 3, "end opt", ASN1_EOC, ASN1_END }, /* 9 */ + { 3, "entityName", ASN1_CONTEXT_C_1, ASN1_OPT | + ASN1_OBJ }, /* 10 */ + { 3, "end opt", ASN1_EOC, ASN1_END }, /* 11 */ + { 3, "objectDigestInfo", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 12 */ + { 4, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 13*/ + { 4, "otherObjectTypeID", ASN1_OID, ASN1_OPT | + ASN1_BODY }, /* 14 */ + { 4, "end opt", ASN1_EOC, ASN1_END }, /* 15*/ + { 4, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 16 */ + { 3, "end opt", ASN1_EOC, ASN1_END }, /* 17 */ + { 2, "v2Form", ASN1_CONTEXT_C_0, ASN1_NONE }, /* 18 */ + { 3, "issuerName", ASN1_SEQUENCE, ASN1_OPT | + ASN1_OBJ }, /* 19 */ + { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */ + { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 21 */ + { 4, "issuerSerial", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */ + { 5, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 23 */ + { 5, "serial", ASN1_INTEGER, ASN1_BODY }, /* 24 */ + { 5, "issuerUID", ASN1_BIT_STRING, ASN1_OPT | + ASN1_BODY }, /* 25 */ + { 5, "end opt", ASN1_EOC, ASN1_END }, /* 26 */ + { 3, "end opt", ASN1_EOC, ASN1_END }, /* 27 */ + { 3, "objectDigestInfo", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 28 */ + { 4, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 29 */ + { 5, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 30 */ + { 5, "otherObjectTypeID", ASN1_OID, ASN1_OPT | + ASN1_BODY }, /* 31 */ + { 5, "end opt", ASN1_EOC, ASN1_END }, /* 32 */ + { 5, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 33 */ + { 3, "end opt", ASN1_EOC, ASN1_END }, /* 34 */ + { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 35 */ + { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 36 */ + { 2, "attrCertValidityPeriod", ASN1_SEQUENCE, ASN1_NONE }, /* 37 */ + { 3, "notBeforeTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */ + { 3, "notAfterTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */ + { 2, "attributes", ASN1_SEQUENCE, ASN1_LOOP }, /* 40 */ + { 3, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 41 */ + { 4, "type", ASN1_OID, ASN1_BODY }, /* 42 */ + { 4, "values", ASN1_SET, ASN1_LOOP }, /* 43 */ + { 5, "value", ASN1_EOC, ASN1_RAW }, /* 44 */ + { 4, "end loop", ASN1_EOC, ASN1_END }, /* 45 */ + { 2, "end loop", ASN1_EOC, ASN1_END }, /* 46 */ + { 2, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 47 */ + { 3, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 48 */ + { 4, "extnID", ASN1_OID, ASN1_BODY }, /* 49 */ + { 4, "critical", ASN1_BOOLEAN, ASN1_DEF | + ASN1_BODY }, /* 50 */ + { 4, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 51 */ + { 2, "end loop", ASN1_EOC, ASN1_END }, /* 52 */ + { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 53 */ + { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY } /* 54 */ +}; + +#define AC_OBJ_CERTIFICATE 0 +#define AC_OBJ_CERTIFICATE_INFO 1 +#define AC_OBJ_VERSION 2 +#define AC_OBJ_HOLDER_ISSUER 5 +#define AC_OBJ_HOLDER_SERIAL 6 +#define AC_OBJ_ENTITY_NAME 10 +#define AC_OBJ_ISSUER_NAME 19 +#define AC_OBJ_ISSUER 23 +#define AC_OBJ_SIG_ALG 35 +#define AC_OBJ_SERIAL_NUMBER 36 +#define AC_OBJ_NOT_BEFORE 38 +#define AC_OBJ_NOT_AFTER 39 +#define AC_OBJ_ATTRIBUTE_TYPE 42 +#define AC_OBJ_ATTRIBUTE_VALUE 44 +#define AC_OBJ_EXTN_ID 49 +#define AC_OBJ_CRITICAL 50 +#define AC_OBJ_EXTN_VALUE 51 +#define AC_OBJ_ALGORITHM 53 +#define AC_OBJ_SIGNATURE 54 +#define AC_OBJ_ROOF 55 + +/** + * Implements x509ac_t.is_valid + */ +static err_t is_valid(const private_x509ac_t *this, time_t *until) +{ + time_t current_time = time(NULL); + + DBG2(" not before : %T", &this->notBefore); + DBG2(" current time: %T", ¤t_time); + DBG2(" not after : %T", &this->notAfter); + + if (until != NULL && + (*until == UNDEFINED_TIME || this->notAfter < *until)) + { + *until = this->notAfter; + } + if (current_time < this->notBefore) + { + return "is not valid yet"; + } + if (current_time > this->notAfter) + { + return "has expired"; + } + DBG2(" attribute certificate is valid"); + return NULL; +} + +/** + * Implements x509ac_t.destroy + */ +static void destroy(private_x509ac_t *this) +{ + free(this); +} + +/* + * Described in header. + */ +x509ac_t *x509ac_create_from_chunk(chunk_t chunk) +{ + private_x509ac_t *this = malloc_thing(private_x509ac_t); + + /* initialize */ +} + +/* + * Described in header. + */ +x509ac_t *x509ac_create_from_file(const char *filename) +{ + bool pgp = FALSE; + chunk_t chunk = chunk_empty; + x509ac_t *cert = NULL; + + if (!pem_asn1_load_file(filename, NULL, "attribute certificate", &chunk, &pgp)) + { + return NULL; + } + cert = x509ac_create_from_chunk(chunk); + + if (cert == NULL) + { + free(chunk.ptr); + } + return cert; +} + diff --git a/src/libstrongswan/crypto/ac.h b/src/libstrongswan/crypto/ac.h new file mode 100644 index 000000000..b7fd26c94 --- /dev/null +++ b/src/libstrongswan/crypto/ac.h @@ -0,0 +1,81 @@ +/** + * @file ac.h + * + * @brief Interface of x509ac_t. + * + */ + +/* + * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler + * Copyright (C) 2003 Martin Berner, Lukas Suter + * Copyright (C) 2007 Andreas Steffen + * + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef AC_H_ +#define AC_H_ + +typedef struct x509ac_t x509ac_t; + +/** + * @brief X.509 attribute certificate. + * + * @b Constructors: + * - x509ac_create_from_chunk() + * - x509ac_create_from_file() + * + * @ingroup crypto + */ +struct x509ac_t { + + /** + * @brief Checks the validity interval of the attribute certificate + * + * @param this certificate being examined + * @param until until = min(until, notAfter) + * @return NULL if the certificate is valid + */ + err_t (*is_valid) (const x509ac_t *this, time_t *until); + + /** + * @brief Destroys the attribute certificate. + * + * @param this certificate to destroy + */ + void (*destroy) (x509ac_t *this); +}; + +/** + * @brief Read a x509 attribute certificate from a DER encoded blob. + * + * @param chunk chunk containing DER encoded data + * @return created x509ac_t certificate, or NULL if invalid. + * + * @ingroup crypto + */ +x509ac_t *x509ac_create_from_chunk(chunk_t chunk); + +/** + * @brief Read a x509 attribute certificate from a DER encoded file. + * + * @param filename file containing DER encoded data + * @return created x509ac_t certificate, or NULL if invalid. + * + * @ingroup crypto + */ +x509ac_t *x509ac_create_from_file(const char *filename); + + +#endif /* AC_H_ */ + diff --git a/src/libstrongswan/crypto/ca.c b/src/libstrongswan/crypto/ca.c index 8f39f08cc..f08dba057 100644 --- a/src/libstrongswan/crypto/ca.c +++ b/src/libstrongswan/crypto/ca.c @@ -29,6 +29,7 @@ #include "x509.h" #include "crl.h" #include "ca.h" +#include "ac.h" #include "certinfo.h" #include "ocsp.h" @@ -64,6 +65,11 @@ struct private_ca_info_t { */ x509_t *cacert; + /** + * List of attribute certificates + */ + linked_list_t *attrcerts; + /** * List of crl URIs */ @@ -658,6 +664,8 @@ static void purge_ocsp(private_ca_info_t *this) */ static void destroy(private_ca_info_t *this) { + this->attrcerts->destroy_offset(this->attrcerts, + offsetof(x509ac_t, destroy)); this->crluris->destroy_offset(this->crluris, offsetof(identification_t, destroy)); this->ocspuris->destroy_offset(this->ocspuris, @@ -737,6 +745,7 @@ ca_info_t *ca_info_create(const char *name, x509_t *cacert) this->installed = time(NULL); this->name = (name == NULL)? NULL:strdup(name); this->cacert = cacert; + this->attrcerts = linked_list_create(); this->crluris = linked_list_create(); this->ocspuris = linked_list_create(); this->certinfos = linked_list_create();