389 lines
9.2 KiB
C
389 lines
9.2 KiB
C
/*
|
|
* Copyright (C) 2008 Tobias Brunner
|
|
* Copyright (C) 2005-2010 Martin Willi
|
|
* Copyright (C) 2010 revosec AG
|
|
* Copyright (C) 2005 Jan Hutter
|
|
* Hochschule fuer Technik Rapperswil
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License as published by the
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* for more details.
|
|
*/
|
|
|
|
#include <stddef.h>
|
|
#include <ctype.h>
|
|
|
|
#include <daemon.h>
|
|
|
|
#include "cert_payload.h"
|
|
|
|
ENUM(cert_encoding_names, ENC_PKCS7_WRAPPED_X509, ENC_OCSP_CONTENT,
|
|
"ENC_PKCS7_WRAPPED_X509",
|
|
"ENC_PGP",
|
|
"ENC_DNS_SIGNED_KEY",
|
|
"ENC_X509_SIGNATURE",
|
|
"ENC_X509_KEY_EXCHANGE",
|
|
"ENC_KERBEROS_TOKENS",
|
|
"ENC_CRL",
|
|
"ENC_ARL",
|
|
"ENC_SPKI",
|
|
"ENC_X509_ATTRIBUTE",
|
|
"ENC_RAW_RSA_KEY",
|
|
"ENC_X509_HASH_AND_URL",
|
|
"ENC_X509_HASH_AND_URL_BUNDLE",
|
|
"ENC_OCSP_CONTENT",
|
|
);
|
|
|
|
typedef struct private_cert_payload_t private_cert_payload_t;
|
|
|
|
/**
|
|
* Private data of an cert_payload_t object.
|
|
*/
|
|
struct private_cert_payload_t {
|
|
|
|
/**
|
|
* Public cert_payload_t interface.
|
|
*/
|
|
cert_payload_t public;
|
|
|
|
/**
|
|
* Next payload type.
|
|
*/
|
|
uint8_t next_payload;
|
|
|
|
/**
|
|
* Critical flag.
|
|
*/
|
|
bool critical;
|
|
|
|
/**
|
|
* reserved bits
|
|
*/
|
|
bool reserved[7];
|
|
|
|
/**
|
|
* Length of this payload.
|
|
*/
|
|
uint16_t payload_length;
|
|
|
|
/**
|
|
* Encoding of the CERT Data.
|
|
*/
|
|
uint8_t encoding;
|
|
|
|
/**
|
|
* The contained cert data value.
|
|
*/
|
|
chunk_t data;
|
|
|
|
/**
|
|
* TRUE if the "Hash and URL" data is invalid
|
|
*/
|
|
bool invalid_hash_and_url;
|
|
|
|
/**
|
|
* The payload type.
|
|
*/
|
|
payload_type_t type;
|
|
};
|
|
|
|
/**
|
|
* Encoding rules to parse or generate a CERT payload
|
|
*
|
|
* The defined offsets are the positions in a object of type
|
|
* private_cert_payload_t.
|
|
*
|
|
*/
|
|
static encoding_rule_t encodings[] = {
|
|
/* 1 Byte next payload type, stored in the field next_payload */
|
|
{ U_INT_8, offsetof(private_cert_payload_t, next_payload) },
|
|
/* the critical bit */
|
|
{ FLAG, offsetof(private_cert_payload_t, critical) },
|
|
/* 7 Bit reserved bits, nowhere stored */
|
|
{ RESERVED_BIT, offsetof(private_cert_payload_t, reserved[0]) },
|
|
{ RESERVED_BIT, offsetof(private_cert_payload_t, reserved[1]) },
|
|
{ RESERVED_BIT, offsetof(private_cert_payload_t, reserved[2]) },
|
|
{ RESERVED_BIT, offsetof(private_cert_payload_t, reserved[3]) },
|
|
{ RESERVED_BIT, offsetof(private_cert_payload_t, reserved[4]) },
|
|
{ RESERVED_BIT, offsetof(private_cert_payload_t, reserved[5]) },
|
|
{ RESERVED_BIT, offsetof(private_cert_payload_t, reserved[6]) },
|
|
/* Length of the whole payload*/
|
|
{ PAYLOAD_LENGTH, offsetof(private_cert_payload_t, payload_length)},
|
|
/* 1 Byte CERT type*/
|
|
{ U_INT_8, offsetof(private_cert_payload_t, encoding) },
|
|
/* some cert data bytes, length is defined in PAYLOAD_LENGTH */
|
|
{ CHUNK_DATA, offsetof(private_cert_payload_t, data) }
|
|
};
|
|
|
|
/*
|
|
1 2 3
|
|
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
! Next Payload !C! RESERVED ! Payload Length !
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
! Cert Encoding ! !
|
|
+-+-+-+-+-+-+-+-+ !
|
|
~ Certificate Data ~
|
|
! !
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
*/
|
|
|
|
METHOD(payload_t, verify, status_t,
|
|
private_cert_payload_t *this)
|
|
{
|
|
if (this->encoding == ENC_X509_HASH_AND_URL ||
|
|
this->encoding == ENC_X509_HASH_AND_URL_BUNDLE)
|
|
{
|
|
int i;
|
|
|
|
/* coarse verification of "Hash and URL" encoded certificates */
|
|
if (this->data.len <= 20)
|
|
{
|
|
DBG1(DBG_ENC, "invalid payload length for hash-and-url (%d), ignore",
|
|
this->data.len);
|
|
this->invalid_hash_and_url = TRUE;
|
|
return SUCCESS;
|
|
}
|
|
for (i = 20; i < this->data.len; ++i)
|
|
{
|
|
if (this->data.ptr[i] == '\0')
|
|
{
|
|
/* null terminated, fine */
|
|
return SUCCESS;
|
|
}
|
|
else if (!isprint(this->data.ptr[i]))
|
|
{
|
|
DBG1(DBG_ENC, "non printable characters in url of hash-and-url"
|
|
" encoded certificate payload, ignore");
|
|
this->invalid_hash_and_url = TRUE;
|
|
return SUCCESS;
|
|
}
|
|
}
|
|
/* URL is not null terminated, correct that */
|
|
this->data = chunk_cat("mc", this->data, chunk_from_chars(0));
|
|
}
|
|
return SUCCESS;
|
|
}
|
|
|
|
METHOD(payload_t, get_encoding_rules, int,
|
|
private_cert_payload_t *this, encoding_rule_t **rules)
|
|
{
|
|
*rules = encodings;
|
|
return countof(encodings);
|
|
}
|
|
|
|
METHOD(payload_t, get_header_length, int,
|
|
private_cert_payload_t *this)
|
|
{
|
|
return 5;
|
|
}
|
|
|
|
METHOD(payload_t, get_type, payload_type_t,
|
|
private_cert_payload_t *this)
|
|
{
|
|
return this->type;
|
|
}
|
|
|
|
METHOD(payload_t, get_next_type, payload_type_t,
|
|
private_cert_payload_t *this)
|
|
{
|
|
return this->next_payload;
|
|
}
|
|
|
|
METHOD(payload_t, set_next_type, void,
|
|
private_cert_payload_t *this, payload_type_t type)
|
|
{
|
|
this->next_payload = type;
|
|
}
|
|
|
|
METHOD(payload_t, get_length, size_t,
|
|
private_cert_payload_t *this)
|
|
{
|
|
return this->payload_length;
|
|
}
|
|
|
|
METHOD(cert_payload_t, get_cert_encoding, cert_encoding_t,
|
|
private_cert_payload_t *this)
|
|
{
|
|
return this->encoding;
|
|
}
|
|
|
|
METHOD(cert_payload_t, get_cert, certificate_t*,
|
|
private_cert_payload_t *this)
|
|
{
|
|
int type;
|
|
|
|
switch (this->encoding)
|
|
{
|
|
case ENC_X509_SIGNATURE:
|
|
type = CERT_X509;
|
|
break;
|
|
case ENC_X509_ATTRIBUTE:
|
|
type = CERT_X509_AC;
|
|
break;
|
|
case ENC_CRL:
|
|
type = CERT_X509_CRL;
|
|
break;
|
|
default:
|
|
return NULL;
|
|
}
|
|
return lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
|
|
BUILD_BLOB_ASN1_DER, this->data, BUILD_END);
|
|
}
|
|
|
|
METHOD(cert_payload_t, get_container, container_t*,
|
|
private_cert_payload_t *this)
|
|
{
|
|
int type;
|
|
|
|
switch (this->encoding)
|
|
{
|
|
case ENC_PKCS7_WRAPPED_X509:
|
|
type = CONTAINER_PKCS7;
|
|
break;
|
|
default:
|
|
return NULL;
|
|
}
|
|
return lib->creds->create(lib->creds, CRED_CONTAINER, type,
|
|
BUILD_BLOB_ASN1_DER, this->data, BUILD_END);
|
|
}
|
|
|
|
METHOD(cert_payload_t, get_hash, chunk_t,
|
|
private_cert_payload_t *this)
|
|
{
|
|
chunk_t hash = chunk_empty;
|
|
|
|
if ((this->encoding != ENC_X509_HASH_AND_URL &&
|
|
this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) ||
|
|
this->invalid_hash_and_url)
|
|
{
|
|
return hash;
|
|
}
|
|
hash.ptr = this->data.ptr;
|
|
hash.len = 20;
|
|
return hash;
|
|
}
|
|
|
|
METHOD(cert_payload_t, get_url, char*,
|
|
private_cert_payload_t *this)
|
|
{
|
|
if ((this->encoding != ENC_X509_HASH_AND_URL &&
|
|
this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) ||
|
|
this->invalid_hash_and_url)
|
|
{
|
|
return NULL;
|
|
}
|
|
return (char*)this->data.ptr + 20;
|
|
}
|
|
|
|
METHOD2(payload_t, cert_payload_t, destroy, void,
|
|
private_cert_payload_t *this)
|
|
{
|
|
free(this->data.ptr);
|
|
free(this);
|
|
}
|
|
|
|
/*
|
|
* Described in header
|
|
*/
|
|
cert_payload_t *cert_payload_create(payload_type_t type)
|
|
{
|
|
private_cert_payload_t *this;
|
|
|
|
INIT(this,
|
|
.public = {
|
|
.payload_interface = {
|
|
.verify = _verify,
|
|
.get_encoding_rules = _get_encoding_rules,
|
|
.get_header_length = _get_header_length,
|
|
.get_length = _get_length,
|
|
.get_next_type = _get_next_type,
|
|
.set_next_type = _set_next_type,
|
|
.get_type = _get_type,
|
|
.destroy = _destroy,
|
|
},
|
|
.get_cert = _get_cert,
|
|
.get_container = _get_container,
|
|
.get_cert_encoding = _get_cert_encoding,
|
|
.get_hash = _get_hash,
|
|
.get_url = _get_url,
|
|
.destroy = _destroy,
|
|
},
|
|
.next_payload = PL_NONE,
|
|
.payload_length = get_header_length(this),
|
|
.type = type,
|
|
);
|
|
return &this->public;
|
|
}
|
|
|
|
/*
|
|
* Described in header
|
|
*/
|
|
cert_payload_t *cert_payload_create_from_cert(payload_type_t type,
|
|
certificate_t *cert)
|
|
{
|
|
private_cert_payload_t *this;
|
|
|
|
this = (private_cert_payload_t*)cert_payload_create(type);
|
|
switch (cert->get_type(cert))
|
|
{
|
|
case CERT_X509:
|
|
this->encoding = ENC_X509_SIGNATURE;
|
|
break;
|
|
case CERT_X509_AC:
|
|
this->encoding = ENC_X509_ATTRIBUTE;
|
|
break;
|
|
default:
|
|
DBG1(DBG_ENC, "embedding %N certificate in payload failed",
|
|
certificate_type_names, cert->get_type(cert));
|
|
free(this);
|
|
return NULL;
|
|
}
|
|
if (!cert->get_encoding(cert, CERT_ASN1_DER, &this->data))
|
|
{
|
|
DBG1(DBG_ENC, "encoding certificate for cert payload failed");
|
|
free(this);
|
|
return NULL;
|
|
}
|
|
this->payload_length = get_header_length(this) + this->data.len;
|
|
|
|
return &this->public;
|
|
}
|
|
|
|
/*
|
|
* Described in header
|
|
*/
|
|
cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url)
|
|
{
|
|
private_cert_payload_t *this;
|
|
|
|
this = (private_cert_payload_t*)cert_payload_create(PLV2_CERTIFICATE);
|
|
this->encoding = ENC_X509_HASH_AND_URL;
|
|
this->data = chunk_cat("cc", hash, chunk_create(url, strlen(url)));
|
|
this->payload_length = get_header_length(this) + this->data.len;
|
|
|
|
return &this->public;
|
|
}
|
|
|
|
/*
|
|
* Described in header
|
|
*/
|
|
cert_payload_t *cert_payload_create_custom(payload_type_t type,
|
|
cert_encoding_t encoding, chunk_t data)
|
|
{
|
|
private_cert_payload_t *this;
|
|
|
|
this = (private_cert_payload_t*)cert_payload_create(type);
|
|
this->encoding = encoding;
|
|
this->data = data;
|
|
this->payload_length = get_header_length(this) + this->data.len;
|
|
|
|
return &this->public;
|
|
}
|