288 lines
5.5 KiB
C
288 lines
5.5 KiB
C
/* Certificate support for IKE authentication
|
|
* Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License as published by the
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* for more details.
|
|
*
|
|
* RCSID $Id$
|
|
*/
|
|
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
#include <freeswan.h>
|
|
#include <ipsec_policy.h>
|
|
|
|
#include "constants.h"
|
|
#include "defs.h"
|
|
#include "log.h"
|
|
#include "asn1.h"
|
|
#include "id.h"
|
|
#include "x509.h"
|
|
#include "pgp.h"
|
|
#include "pem.h"
|
|
#include "certs.h"
|
|
#include "pkcs1.h"
|
|
|
|
/*
|
|
* used for initializatin of certs
|
|
*/
|
|
const cert_t empty_cert = {CERT_NONE, {NULL}};
|
|
|
|
/*
|
|
* extracts the certificate to be sent to the peer
|
|
*/
|
|
chunk_t
|
|
get_mycert(cert_t cert)
|
|
{
|
|
switch (cert.type)
|
|
{
|
|
case CERT_PGP:
|
|
return cert.u.pgp->certificate;
|
|
case CERT_X509_SIGNATURE:
|
|
return cert.u.x509->certificate;
|
|
default:
|
|
return chunk_empty;
|
|
}
|
|
}
|
|
|
|
/* load a coded key or certificate file with autodetection
|
|
* of binary DER or base64 PEM ASN.1 formats and armored PGP format
|
|
*/
|
|
bool
|
|
load_coded_file(const char *filename, prompt_pass_t *pass, const char *type
|
|
, chunk_t *blob, bool *pgp)
|
|
{
|
|
err_t ugh = NULL;
|
|
|
|
FILE *fd = fopen(filename, "r");
|
|
|
|
if (fd)
|
|
{
|
|
int bytes;
|
|
fseek(fd, 0, SEEK_END );
|
|
blob->len = ftell(fd);
|
|
rewind(fd);
|
|
blob->ptr = malloc(blob->len);
|
|
bytes = fread(blob->ptr, 1, blob->len, fd);
|
|
fclose(fd);
|
|
plog(" loaded %s file '%s' (%d bytes)", type, filename, bytes);
|
|
|
|
*pgp = FALSE;
|
|
|
|
/* try DER format */
|
|
if (is_asn1(*blob))
|
|
{
|
|
DBG(DBG_PARSING,
|
|
DBG_log(" file coded in DER format");
|
|
)
|
|
return TRUE;
|
|
}
|
|
|
|
/* try PEM format */
|
|
ugh = pemtobin(blob, pass, filename, pgp);
|
|
|
|
if (ugh == NULL)
|
|
{
|
|
if (*pgp)
|
|
{
|
|
DBG(DBG_PARSING,
|
|
DBG_log(" file coded in armored PGP format");
|
|
)
|
|
return TRUE;
|
|
}
|
|
if (is_asn1(*blob))
|
|
{
|
|
DBG(DBG_PARSING,
|
|
DBG_log(" file coded in PEM format");
|
|
)
|
|
return TRUE;
|
|
}
|
|
ugh = "file coded in unknown format, discarded";
|
|
}
|
|
|
|
/* a conversion error has occured */
|
|
plog(" %s", ugh);
|
|
free(blob->ptr);
|
|
*blob = chunk_empty;
|
|
}
|
|
else
|
|
{
|
|
plog(" could not open %s file '%s'", type, filename);
|
|
}
|
|
return FALSE;
|
|
}
|
|
|
|
/*
|
|
* Loads a PKCS#1 or PGP private RSA key file
|
|
*/
|
|
err_t
|
|
load_rsa_private_key(const char* filename, prompt_pass_t *pass
|
|
, RSA_private_key_t *key)
|
|
{
|
|
err_t ugh = NULL;
|
|
bool pgp = FALSE;
|
|
chunk_t blob = chunk_empty;
|
|
|
|
const char *path = concatenate_paths(PRIVATE_KEY_PATH, filename);
|
|
|
|
if (load_coded_file(path, pass, "private key", &blob, &pgp))
|
|
{
|
|
if (pgp)
|
|
{
|
|
if (!parse_pgp(blob, NULL, key))
|
|
ugh = "syntax error in PGP private key file";
|
|
}
|
|
else
|
|
{
|
|
if (!pkcs1_parse_private_key(blob, key))
|
|
ugh = "syntax error in PKCS#1 private key file";
|
|
}
|
|
free(blob.ptr);
|
|
}
|
|
else
|
|
ugh = "error loading RSA private key file";
|
|
|
|
return ugh;
|
|
}
|
|
/*
|
|
* Loads a X.509 or OpenPGP certificate
|
|
*/
|
|
bool
|
|
load_cert(const char *filename, const char *label, cert_t *cert)
|
|
{
|
|
bool pgp = FALSE;
|
|
chunk_t blob = chunk_empty;
|
|
|
|
/* initialize cert struct */
|
|
cert->type = CERT_NONE;
|
|
cert->u.x509 = NULL;
|
|
|
|
if (load_coded_file(filename, NULL, label, &blob, &pgp))
|
|
{
|
|
if (pgp)
|
|
{
|
|
pgpcert_t *pgpcert = malloc_thing(pgpcert_t);
|
|
*pgpcert = empty_pgpcert;
|
|
if (parse_pgp(blob, pgpcert, NULL))
|
|
{
|
|
cert->type = CERT_PGP;
|
|
cert->u.pgp = pgpcert;
|
|
return TRUE;
|
|
}
|
|
else
|
|
{
|
|
plog(" error in OpenPGP certificate");
|
|
free_pgpcert(pgpcert);
|
|
return FALSE;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
x509cert_t *x509cert = malloc_thing(x509cert_t);
|
|
*x509cert = empty_x509cert;
|
|
if (parse_x509cert(blob, 0, x509cert))
|
|
{
|
|
cert->type = CERT_X509_SIGNATURE;
|
|
cert->u.x509 = x509cert;
|
|
return TRUE;
|
|
}
|
|
else
|
|
{
|
|
plog(" error in X.509 certificate");
|
|
free_x509cert(x509cert);
|
|
return FALSE;
|
|
}
|
|
}
|
|
}
|
|
return FALSE;
|
|
}
|
|
|
|
/*
|
|
* Loads a host certificate
|
|
*/
|
|
bool
|
|
load_host_cert(const char *filename, cert_t *cert)
|
|
{
|
|
const char *path = concatenate_paths(HOST_CERT_PATH, filename);
|
|
|
|
return load_cert(path, "host cert", cert);
|
|
}
|
|
|
|
/*
|
|
* Loads a CA certificate
|
|
*/
|
|
bool
|
|
load_ca_cert(const char *filename, cert_t *cert)
|
|
{
|
|
const char *path = concatenate_paths(CA_CERT_PATH, filename);
|
|
|
|
return load_cert(path, "CA cert", cert);
|
|
}
|
|
|
|
/*
|
|
* establish equality of two certificates
|
|
*/
|
|
bool
|
|
same_cert(const cert_t *a, const cert_t *b)
|
|
{
|
|
return a->type == b->type && a->u.x509 == b->u.x509;
|
|
}
|
|
|
|
/* for each link pointing to the certif icate
|
|
" increase the count by one
|
|
*/
|
|
void
|
|
share_cert(cert_t cert)
|
|
{
|
|
switch (cert.type)
|
|
{
|
|
case CERT_PGP:
|
|
share_pgpcert(cert.u.pgp);
|
|
break;
|
|
case CERT_X509_SIGNATURE:
|
|
share_x509cert(cert.u.x509);
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
}
|
|
|
|
/* release of a certificate decreases the count by one
|
|
" the certificate is freed when the counter reaches zero
|
|
*/
|
|
void
|
|
release_cert(cert_t cert)
|
|
{
|
|
switch (cert.type)
|
|
{
|
|
case CERT_PGP:
|
|
release_pgpcert(cert.u.pgp);
|
|
break;
|
|
case CERT_X509_SIGNATURE:
|
|
release_x509cert(cert.u.x509);
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* list all X.509 and OpenPGP end certificates
|
|
*/
|
|
void
|
|
list_certs(bool utc)
|
|
{
|
|
list_x509_end_certs(utc);
|
|
list_pgp_end_certs(utc);
|
|
}
|
|
|