ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity
strongswan/src/libstrongswan/plugins/x509/x509_ocsp_request.c

565 lines
14 KiB
C
Raw Blame History

/*
* Copyright (C) 2008-2009 Martin Willi
* Copyright (C) 2007 Andreas Steffen
* Hochschule fuer Technik Rapperswil
* Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "x509_ocsp_request.h"
#include <library.h>
#include <asn1/oid.h>
#include <asn1/asn1.h>
#include <utils/identification.h>
#include <utils/linked_list.h>
#include <debug.h>
#include <credentials/certificates/x509.h>
#include <credentials/keys/private_key.h>
#define NONCE_LEN 16
typedef struct private_x509_ocsp_request_t private_x509_ocsp_request_t;
/**
* private data of x509_ocsp_request
*/
struct private_x509_ocsp_request_t {
/**
* public functions
*/
x509_ocsp_request_t public;
/**
* CA the candidates belong to
*/
x509_t *ca;
/**
* Requestor name, subject of cert used if not set
*/
identification_t *requestor;
/**
* Requestor certificate, included in request
*/
certificate_t *cert;
/**
* Requestor private key to sign request
*/
private_key_t *key;
/**
* list of certificates to check, x509_t
*/
linked_list_t *candidates;
/**
* nonce used in request
*/
chunk_t nonce;
/**
* encoded OCSP request
*/
chunk_t encoding;
/**
* reference count
*/
refcount_t ref;
};
static const chunk_t ASN1_nonce_oid = chunk_from_chars(
0x06, 0x09,
0x2B, 0x06,
0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
);
static const chunk_t ASN1_response_oid = chunk_from_chars(
0x06, 0x09,
0x2B, 0x06,
0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
);
static const chunk_t ASN1_response_content = chunk_from_chars(
0x04, 0x0D,
0x30, 0x0B,
0x06, 0x09,
0x2B, 0x06,
0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
);
/**
* build requestorName
*/
static chunk_t build_requestorName(private_x509_ocsp_request_t *this)
{
if (this->requestor || this->cert)
{ /* use requestor name, fallback to his cert subject */
if (!this->requestor)
{
this->requestor = this->cert->get_subject(this->cert);
this->requestor = this->requestor->clone(this->requestor);
}
return asn1_wrap(ASN1_CONTEXT_C_1, "m",
asn1_simple_object(ASN1_CONTEXT_C_4,
this->requestor->get_encoding(this->requestor)));
}
return chunk_empty;
}
/**
* build Request, not using singleRequestExtensions
*/
static chunk_t build_Request(private_x509_ocsp_request_t *this,
chunk_t issuerNameHash, chunk_t issuerKeyHash,
chunk_t serialNumber)
{
return asn1_wrap(ASN1_SEQUENCE, "m",
asn1_wrap(ASN1_SEQUENCE, "mmmm",
asn1_algorithmIdentifier(OID_SHA1),
asn1_simple_object(ASN1_OCTET_STRING, issuerNameHash),
asn1_simple_object(ASN1_OCTET_STRING, issuerKeyHash),
asn1_simple_object(ASN1_INTEGER, serialNumber)));
}
/**
* build requestList
*/
static chunk_t build_requestList(private_x509_ocsp_request_t *this)
{
chunk_t issuerNameHash, issuerKeyHash;
identification_t *issuer;
x509_t *x509;
certificate_t *cert;
chunk_t list = chunk_empty;
public_key_t *public;
cert = (certificate_t*)this->ca;
public = cert->get_public_key(cert);
if (public)
{
hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
if (hasher)
{
if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1,
&issuerKeyHash))
{
enumerator_t *enumerator;
issuer = cert->get_subject(cert);
hasher->allocate_hash(hasher, issuer->get_encoding(issuer),
&issuerNameHash);
hasher->destroy(hasher);
enumerator = this->candidates->create_enumerator(this->candidates);
while (enumerator->enumerate(enumerator, &x509))
{
chunk_t request, serialNumber;
serialNumber = x509->get_serial(x509);
request = build_Request(this, issuerNameHash, issuerKeyHash,
serialNumber);
list = chunk_cat("mm", list, request);
}
enumerator->destroy(enumerator);
chunk_free(&issuerNameHash);
}
}
else
{
DBG1(DBG_LIB, "creating OCSP request failed, SHA1 not supported");
}
public->destroy(public);
}
else
{
DBG1(DBG_LIB, "creating OCSP request failed, CA certificate has "
"no public key");
}
return asn1_wrap(ASN1_SEQUENCE, "m", list);
}
/**
* build nonce extension
*/
static chunk_t build_nonce(private_x509_ocsp_request_t *this)
{
rng_t *rng;
rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
if (rng)
{
rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
rng->destroy(rng);
return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
asn1_simple_object(ASN1_OCTET_STRING, this->nonce));
}
DBG1(DBG_LIB, "creating OCSP request nonce failed, no RNG found");
return chunk_empty;
}
/**
* build acceptableResponses extension
*/
static chunk_t build_acceptableResponses(private_x509_ocsp_request_t *this)
{
return asn1_wrap(ASN1_SEQUENCE, "cc",
ASN1_response_oid,
ASN1_response_content);
}
/**
* build requestExtensions
*/
static chunk_t build_requestExtensions(private_x509_ocsp_request_t *this)
{
return asn1_wrap(ASN1_CONTEXT_C_2, "m",
asn1_wrap(ASN1_SEQUENCE, "mm",
build_nonce(this),
build_acceptableResponses(this)));
}
/**
* build tbsRequest
*/
static chunk_t build_tbsRequest(private_x509_ocsp_request_t *this)
{
return asn1_wrap(ASN1_SEQUENCE, "mmm",
build_requestorName(this),
build_requestList(this),
build_requestExtensions(this));
}
/**
* Build the optionalSignature
*/
static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
chunk_t tbsRequest)
{
int oid;
signature_scheme_t scheme;
chunk_t certs, signature;
switch (this->key->get_type(this->key))
{
/* TODO: use a generic mapping function */
case KEY_RSA:
oid = OID_SHA1_WITH_RSA;
scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
break;
case KEY_ECDSA:
oid = OID_ECDSA_WITH_SHA1;
scheme = SIGN_ECDSA_WITH_SHA1_DER;
break;
default:
DBG1(DBG_LIB, "unable to sign OCSP request, %N signature not "
"supported", key_type_names, this->key->get_type(this->key));
return chunk_empty;
}
if (!this->key->sign(this->key, scheme, tbsRequest, &signature))
{
DBG1(DBG_LIB, "creating OCSP signature failed, skipped");
return chunk_empty;
}
if (this->cert)
{
certs = asn1_wrap(ASN1_CONTEXT_C_0, "m",
asn1_wrap(ASN1_SEQUENCE, "m",
this->cert->get_encoding(this->cert)));
}
return asn1_wrap(ASN1_CONTEXT_C_0, "m",
asn1_wrap(ASN1_SEQUENCE, "cmm",
asn1_algorithmIdentifier(oid),
asn1_bitstring("m", signature),
certs));
}
/**
* Build the OCSPRequest data
*
*/
static chunk_t build_OCSPRequest(private_x509_ocsp_request_t *this)
{
chunk_t tbsRequest, optionalSignature = chunk_empty;
tbsRequest = build_tbsRequest(this);
if (this->key)
{
optionalSignature = build_optionalSignature(this, tbsRequest);
}
return asn1_wrap(ASN1_SEQUENCE, "mm", tbsRequest, optionalSignature);
}
/**
* Implementation of certificate_t.get_type
*/
static certificate_type_t get_type(private_x509_ocsp_request_t *this)
{
return CERT_X509_OCSP_REQUEST;
}
/**
* Implementation of certificate_t.get_subject
*/
static identification_t* get_subject(private_x509_ocsp_request_t *this)
{
certificate_t *ca = (certificate_t*)this->ca;
if (this->requestor)
{
return this->requestor;
}
if (this->cert)
{
return this->cert->get_subject(this->cert);
}
return ca->get_subject(ca);
}
/**
* Implementation of certificate_t.get_issuer
*/
static identification_t* get_issuer(private_x509_ocsp_request_t *this)
{
certificate_t *ca = (certificate_t*)this->ca;
return ca->get_subject(ca);
}
/**
* Implementation of certificate_t.has_subject.
*/
static id_match_t has_subject(private_x509_ocsp_request_t *this,
identification_t *subject)
{
certificate_t *current;
enumerator_t *enumerator;
id_match_t match, best = ID_MATCH_NONE;
enumerator = this->candidates->create_enumerator(this->candidates);
while (enumerator->enumerate(enumerator, &current))
{
match = current->has_subject(current, subject);
if (match > best)
{
best = match;
}
}
enumerator->destroy(enumerator);
return best;
}
/**
* Implementation of certificate_t.has_subject.
*/
static id_match_t has_issuer(private_x509_ocsp_request_t *this,
identification_t *issuer)
{
certificate_t *ca = (certificate_t*)this->ca;
return ca->has_subject(ca, issuer);
}
/**
* Implementation of certificate_t.issued_by
*/
static bool issued_by(private_x509_ocsp_request_t *this, certificate_t *issuer)
{
DBG1(DBG_LIB, "OCSP request validation not implemented!");
return FALSE;
}
/**
* Implementation of certificate_t.get_public_key
*/
static public_key_t* get_public_key(private_x509_ocsp_request_t *this)
{
return NULL;
}
/**
* Implementation of x509_cert_t.get_validity.
*/
static bool get_validity(private_x509_ocsp_request_t *this, time_t *when,
time_t *not_before, time_t *not_after)
{
certificate_t *cert;
if (this->cert)
{
cert = this->cert;
}
else
{
cert = (certificate_t*)this->ca;
}
return cert->get_validity(cert, when, not_before, not_after);
}
/**
* Implementation of certificate_t.get_encoding.
*/
static chunk_t get_encoding(private_x509_ocsp_request_t *this)
{
return chunk_clone(this->encoding);
}
/**
* Implementation of certificate_t.equals.
*/
static bool equals(private_x509_ocsp_request_t *this, certificate_t *other)
{
chunk_t encoding;
bool equal;
if (this == (private_x509_ocsp_request_t*)other)
{
return TRUE;
}
if (other->get_type(other) != CERT_X509_OCSP_REQUEST)
{
return FALSE;
}
if (other->equals == (void*)equals)
{ /* skip allocation if we have the same implementation */
return chunk_equals(this->encoding, ((private_x509_ocsp_request_t*)other)->encoding);
}
encoding = other->get_encoding(other);
equal = chunk_equals(this->encoding, encoding);
free(encoding.ptr);
return equal;
}
/**
* Implementation of certificate_t.asdf
*/
static private_x509_ocsp_request_t* get_ref(private_x509_ocsp_request_t *this)
{
ref_get(&this->ref);
return this;
}
/**
* Implementation of x509_ocsp_request_t.destroy
*/
static void destroy(private_x509_ocsp_request_t *this)
{
if (ref_put(&this->ref))
{
DESTROY_IF((certificate_t*)this->ca);
DESTROY_IF(this->requestor);
DESTROY_IF(this->cert);
DESTROY_IF(this->key);
this->candidates->destroy_offset(this->candidates, offsetof(certificate_t, destroy));
chunk_free(&this->nonce);
chunk_free(&this->encoding);
free(this);
}
}
/**
* create an empty but initialized OCSP request
*/
static private_x509_ocsp_request_t *create_empty()
{
private_x509_ocsp_request_t *this = malloc_thing(private_x509_ocsp_request_t);
this->public.interface.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
this->public.interface.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
this->public.interface.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
this->public.interface.interface.has_subject = (id_match_t(*)(certificate_t*, identification_t *subject))has_subject;
this->public.interface.interface.has_issuer = (id_match_t(*)(certificate_t*, identification_t *issuer))has_issuer;
this->public.interface.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
this->public.interface.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
this->public.interface.interface.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
this->public.interface.interface.get_encoding = (chunk_t(*)(certificate_t*))get_encoding;
this->public.interface.interface.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
this->public.interface.interface.destroy = (void (*)(certificate_t *this))destroy;
this->ca = NULL;
this->requestor = NULL;
this->cert = NULL;
this->key = NULL;
this->nonce = chunk_empty;
this->encoding = chunk_empty;
this->candidates = linked_list_create();
this->ref = 1;
return this;
}
/**
* See header.
*/
x509_ocsp_request_t *x509_ocsp_request_gen(certificate_type_t type, va_list args)
{
private_x509_ocsp_request_t *req;
certificate_t *cert;
private_key_t *private;
identification_t *subject;
req = create_empty();
while (TRUE)
{
switch (va_arg(args, builder_part_t))
{
case BUILD_CA_CERT:
cert = va_arg(args, certificate_t*);
if (cert->get_type(cert) == CERT_X509)
{
req->ca = (x509_t*)cert->get_ref(cert);
}
continue;
case BUILD_CERT:
cert = va_arg(args, certificate_t*);
if (cert->get_type(cert) == CERT_X509)
{
req->candidates->insert_last(req->candidates,
cert->get_ref(cert));
}
continue;
case BUILD_SIGNING_CERT:
cert = va_arg(args, certificate_t*);
req->cert = cert->get_ref(cert);
continue;
case BUILD_SIGNING_KEY:
private = va_arg(args, private_key_t*);
req->key = private->get_ref(private);
continue;
case BUILD_SUBJECT:
subject = va_arg(args, identification_t*);
req->requestor = subject->clone(subject);
continue;
case BUILD_END:
break;
default:
destroy(req);
return NULL;
}
break;
}
if (req->ca)
{
req->encoding = build_OCSPRequest(req);
return &req->public;
}
destroy(req);
return NULL;
}
View Git Blame Copy Permalink