565 lines
14 KiB
C
565 lines
14 KiB
C
/*
|
|
* Copyright (C) 2008-2009 Martin Willi
|
|
* Copyright (C) 2007 Andreas Steffen
|
|
* Hochschule fuer Technik Rapperswil
|
|
* Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License as published by the
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* for more details.
|
|
*/
|
|
|
|
#include "x509_ocsp_request.h"
|
|
|
|
#include <library.h>
|
|
#include <asn1/oid.h>
|
|
#include <asn1/asn1.h>
|
|
#include <utils/identification.h>
|
|
#include <utils/linked_list.h>
|
|
#include <debug.h>
|
|
#include <credentials/certificates/x509.h>
|
|
#include <credentials/keys/private_key.h>
|
|
|
|
#define NONCE_LEN 16
|
|
|
|
typedef struct private_x509_ocsp_request_t private_x509_ocsp_request_t;
|
|
|
|
/**
|
|
* private data of x509_ocsp_request
|
|
*/
|
|
struct private_x509_ocsp_request_t {
|
|
|
|
/**
|
|
* public functions
|
|
*/
|
|
x509_ocsp_request_t public;
|
|
|
|
/**
|
|
* CA the candidates belong to
|
|
*/
|
|
x509_t *ca;
|
|
|
|
/**
|
|
* Requestor name, subject of cert used if not set
|
|
*/
|
|
identification_t *requestor;
|
|
|
|
/**
|
|
* Requestor certificate, included in request
|
|
*/
|
|
certificate_t *cert;
|
|
|
|
/**
|
|
* Requestor private key to sign request
|
|
*/
|
|
private_key_t *key;
|
|
|
|
/**
|
|
* list of certificates to check, x509_t
|
|
*/
|
|
linked_list_t *candidates;
|
|
|
|
/**
|
|
* nonce used in request
|
|
*/
|
|
chunk_t nonce;
|
|
|
|
/**
|
|
* encoded OCSP request
|
|
*/
|
|
chunk_t encoding;
|
|
|
|
/**
|
|
* reference count
|
|
*/
|
|
refcount_t ref;
|
|
};
|
|
|
|
static const chunk_t ASN1_nonce_oid = chunk_from_chars(
|
|
0x06, 0x09,
|
|
0x2B, 0x06,
|
|
0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
|
|
);
|
|
static const chunk_t ASN1_response_oid = chunk_from_chars(
|
|
0x06, 0x09,
|
|
0x2B, 0x06,
|
|
0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
|
|
);
|
|
static const chunk_t ASN1_response_content = chunk_from_chars(
|
|
0x04, 0x0D,
|
|
0x30, 0x0B,
|
|
0x06, 0x09,
|
|
0x2B, 0x06,
|
|
0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
|
|
);
|
|
|
|
/**
|
|
* build requestorName
|
|
*/
|
|
static chunk_t build_requestorName(private_x509_ocsp_request_t *this)
|
|
{
|
|
if (this->requestor || this->cert)
|
|
{ /* use requestor name, fallback to his cert subject */
|
|
if (!this->requestor)
|
|
{
|
|
this->requestor = this->cert->get_subject(this->cert);
|
|
this->requestor = this->requestor->clone(this->requestor);
|
|
}
|
|
return asn1_wrap(ASN1_CONTEXT_C_1, "m",
|
|
asn1_simple_object(ASN1_CONTEXT_C_4,
|
|
this->requestor->get_encoding(this->requestor)));
|
|
|
|
}
|
|
return chunk_empty;
|
|
}
|
|
|
|
/**
|
|
* build Request, not using singleRequestExtensions
|
|
*/
|
|
static chunk_t build_Request(private_x509_ocsp_request_t *this,
|
|
chunk_t issuerNameHash, chunk_t issuerKeyHash,
|
|
chunk_t serialNumber)
|
|
{
|
|
return asn1_wrap(ASN1_SEQUENCE, "m",
|
|
asn1_wrap(ASN1_SEQUENCE, "mmmm",
|
|
asn1_algorithmIdentifier(OID_SHA1),
|
|
asn1_simple_object(ASN1_OCTET_STRING, issuerNameHash),
|
|
asn1_simple_object(ASN1_OCTET_STRING, issuerKeyHash),
|
|
asn1_simple_object(ASN1_INTEGER, serialNumber)));
|
|
}
|
|
|
|
/**
|
|
* build requestList
|
|
*/
|
|
static chunk_t build_requestList(private_x509_ocsp_request_t *this)
|
|
{
|
|
chunk_t issuerNameHash, issuerKeyHash;
|
|
identification_t *issuer;
|
|
x509_t *x509;
|
|
certificate_t *cert;
|
|
chunk_t list = chunk_empty;
|
|
public_key_t *public;
|
|
|
|
cert = (certificate_t*)this->ca;
|
|
public = cert->get_public_key(cert);
|
|
if (public)
|
|
{
|
|
hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
|
|
if (hasher)
|
|
{
|
|
if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1,
|
|
&issuerKeyHash))
|
|
{
|
|
enumerator_t *enumerator;
|
|
|
|
issuer = cert->get_subject(cert);
|
|
hasher->allocate_hash(hasher, issuer->get_encoding(issuer),
|
|
&issuerNameHash);
|
|
hasher->destroy(hasher);
|
|
|
|
enumerator = this->candidates->create_enumerator(this->candidates);
|
|
while (enumerator->enumerate(enumerator, &x509))
|
|
{
|
|
chunk_t request, serialNumber;
|
|
|
|
serialNumber = x509->get_serial(x509);
|
|
request = build_Request(this, issuerNameHash, issuerKeyHash,
|
|
serialNumber);
|
|
list = chunk_cat("mm", list, request);
|
|
}
|
|
enumerator->destroy(enumerator);
|
|
chunk_free(&issuerNameHash);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
DBG1(DBG_LIB, "creating OCSP request failed, SHA1 not supported");
|
|
}
|
|
public->destroy(public);
|
|
}
|
|
else
|
|
{
|
|
DBG1(DBG_LIB, "creating OCSP request failed, CA certificate has "
|
|
"no public key");
|
|
}
|
|
return asn1_wrap(ASN1_SEQUENCE, "m", list);
|
|
}
|
|
|
|
/**
|
|
* build nonce extension
|
|
*/
|
|
static chunk_t build_nonce(private_x509_ocsp_request_t *this)
|
|
{
|
|
rng_t *rng;
|
|
|
|
rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
|
|
if (rng)
|
|
{
|
|
rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
|
|
rng->destroy(rng);
|
|
return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
|
|
asn1_simple_object(ASN1_OCTET_STRING, this->nonce));
|
|
}
|
|
DBG1(DBG_LIB, "creating OCSP request nonce failed, no RNG found");
|
|
return chunk_empty;
|
|
}
|
|
|
|
/**
|
|
* build acceptableResponses extension
|
|
*/
|
|
static chunk_t build_acceptableResponses(private_x509_ocsp_request_t *this)
|
|
{
|
|
return asn1_wrap(ASN1_SEQUENCE, "cc",
|
|
ASN1_response_oid,
|
|
ASN1_response_content);
|
|
}
|
|
|
|
/**
|
|
* build requestExtensions
|
|
*/
|
|
static chunk_t build_requestExtensions(private_x509_ocsp_request_t *this)
|
|
{
|
|
return asn1_wrap(ASN1_CONTEXT_C_2, "m",
|
|
asn1_wrap(ASN1_SEQUENCE, "mm",
|
|
build_nonce(this),
|
|
build_acceptableResponses(this)));
|
|
}
|
|
|
|
/**
|
|
* build tbsRequest
|
|
*/
|
|
static chunk_t build_tbsRequest(private_x509_ocsp_request_t *this)
|
|
{
|
|
return asn1_wrap(ASN1_SEQUENCE, "mmm",
|
|
build_requestorName(this),
|
|
build_requestList(this),
|
|
build_requestExtensions(this));
|
|
}
|
|
|
|
/**
|
|
* Build the optionalSignature
|
|
*/
|
|
static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
|
|
chunk_t tbsRequest)
|
|
{
|
|
int oid;
|
|
signature_scheme_t scheme;
|
|
chunk_t certs, signature;
|
|
|
|
switch (this->key->get_type(this->key))
|
|
{
|
|
/* TODO: use a generic mapping function */
|
|
case KEY_RSA:
|
|
oid = OID_SHA1_WITH_RSA;
|
|
scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
|
|
break;
|
|
case KEY_ECDSA:
|
|
oid = OID_ECDSA_WITH_SHA1;
|
|
scheme = SIGN_ECDSA_WITH_SHA1_DER;
|
|
break;
|
|
default:
|
|
DBG1(DBG_LIB, "unable to sign OCSP request, %N signature not "
|
|
"supported", key_type_names, this->key->get_type(this->key));
|
|
return chunk_empty;
|
|
}
|
|
|
|
if (!this->key->sign(this->key, scheme, tbsRequest, &signature))
|
|
{
|
|
DBG1(DBG_LIB, "creating OCSP signature failed, skipped");
|
|
return chunk_empty;
|
|
}
|
|
if (this->cert)
|
|
{
|
|
certs = asn1_wrap(ASN1_CONTEXT_C_0, "m",
|
|
asn1_wrap(ASN1_SEQUENCE, "m",
|
|
this->cert->get_encoding(this->cert)));
|
|
}
|
|
return asn1_wrap(ASN1_CONTEXT_C_0, "m",
|
|
asn1_wrap(ASN1_SEQUENCE, "cmm",
|
|
asn1_algorithmIdentifier(oid),
|
|
asn1_bitstring("m", signature),
|
|
certs));
|
|
}
|
|
|
|
/**
|
|
* Build the OCSPRequest data
|
|
*
|
|
*/
|
|
static chunk_t build_OCSPRequest(private_x509_ocsp_request_t *this)
|
|
{
|
|
chunk_t tbsRequest, optionalSignature = chunk_empty;
|
|
|
|
tbsRequest = build_tbsRequest(this);
|
|
if (this->key)
|
|
{
|
|
optionalSignature = build_optionalSignature(this, tbsRequest);
|
|
}
|
|
return asn1_wrap(ASN1_SEQUENCE, "mm", tbsRequest, optionalSignature);
|
|
}
|
|
|
|
|
|
/**
|
|
* Implementation of certificate_t.get_type
|
|
*/
|
|
static certificate_type_t get_type(private_x509_ocsp_request_t *this)
|
|
{
|
|
return CERT_X509_OCSP_REQUEST;
|
|
}
|
|
|
|
/**
|
|
* Implementation of certificate_t.get_subject
|
|
*/
|
|
static identification_t* get_subject(private_x509_ocsp_request_t *this)
|
|
{
|
|
certificate_t *ca = (certificate_t*)this->ca;
|
|
|
|
if (this->requestor)
|
|
{
|
|
return this->requestor;
|
|
}
|
|
if (this->cert)
|
|
{
|
|
return this->cert->get_subject(this->cert);
|
|
}
|
|
return ca->get_subject(ca);
|
|
}
|
|
|
|
/**
|
|
* Implementation of certificate_t.get_issuer
|
|
*/
|
|
static identification_t* get_issuer(private_x509_ocsp_request_t *this)
|
|
{
|
|
certificate_t *ca = (certificate_t*)this->ca;
|
|
|
|
return ca->get_subject(ca);
|
|
}
|
|
|
|
/**
|
|
* Implementation of certificate_t.has_subject.
|
|
*/
|
|
static id_match_t has_subject(private_x509_ocsp_request_t *this,
|
|
identification_t *subject)
|
|
{
|
|
certificate_t *current;
|
|
enumerator_t *enumerator;
|
|
id_match_t match, best = ID_MATCH_NONE;
|
|
|
|
enumerator = this->candidates->create_enumerator(this->candidates);
|
|
while (enumerator->enumerate(enumerator, ¤t))
|
|
{
|
|
match = current->has_subject(current, subject);
|
|
if (match > best)
|
|
{
|
|
best = match;
|
|
}
|
|
}
|
|
enumerator->destroy(enumerator);
|
|
return best;
|
|
}
|
|
|
|
/**
|
|
* Implementation of certificate_t.has_subject.
|
|
*/
|
|
static id_match_t has_issuer(private_x509_ocsp_request_t *this,
|
|
identification_t *issuer)
|
|
{
|
|
certificate_t *ca = (certificate_t*)this->ca;
|
|
|
|
return ca->has_subject(ca, issuer);
|
|
}
|
|
|
|
/**
|
|
* Implementation of certificate_t.issued_by
|
|
*/
|
|
static bool issued_by(private_x509_ocsp_request_t *this, certificate_t *issuer)
|
|
{
|
|
DBG1(DBG_LIB, "OCSP request validation not implemented!");
|
|
return FALSE;
|
|
}
|
|
|
|
/**
|
|
* Implementation of certificate_t.get_public_key
|
|
*/
|
|
static public_key_t* get_public_key(private_x509_ocsp_request_t *this)
|
|
{
|
|
return NULL;
|
|
}
|
|
|
|
/**
|
|
* Implementation of x509_cert_t.get_validity.
|
|
*/
|
|
static bool get_validity(private_x509_ocsp_request_t *this, time_t *when,
|
|
time_t *not_before, time_t *not_after)
|
|
{
|
|
certificate_t *cert;
|
|
|
|
if (this->cert)
|
|
{
|
|
cert = this->cert;
|
|
}
|
|
else
|
|
{
|
|
cert = (certificate_t*)this->ca;
|
|
}
|
|
return cert->get_validity(cert, when, not_before, not_after);
|
|
}
|
|
|
|
/**
|
|
* Implementation of certificate_t.get_encoding.
|
|
*/
|
|
static chunk_t get_encoding(private_x509_ocsp_request_t *this)
|
|
{
|
|
return chunk_clone(this->encoding);
|
|
}
|
|
|
|
/**
|
|
* Implementation of certificate_t.equals.
|
|
*/
|
|
static bool equals(private_x509_ocsp_request_t *this, certificate_t *other)
|
|
{
|
|
chunk_t encoding;
|
|
bool equal;
|
|
|
|
if (this == (private_x509_ocsp_request_t*)other)
|
|
{
|
|
return TRUE;
|
|
}
|
|
if (other->get_type(other) != CERT_X509_OCSP_REQUEST)
|
|
{
|
|
return FALSE;
|
|
}
|
|
if (other->equals == (void*)equals)
|
|
{ /* skip allocation if we have the same implementation */
|
|
return chunk_equals(this->encoding, ((private_x509_ocsp_request_t*)other)->encoding);
|
|
}
|
|
encoding = other->get_encoding(other);
|
|
equal = chunk_equals(this->encoding, encoding);
|
|
free(encoding.ptr);
|
|
return equal;
|
|
}
|
|
|
|
/**
|
|
* Implementation of certificate_t.asdf
|
|
*/
|
|
static private_x509_ocsp_request_t* get_ref(private_x509_ocsp_request_t *this)
|
|
{
|
|
ref_get(&this->ref);
|
|
return this;
|
|
}
|
|
|
|
/**
|
|
* Implementation of x509_ocsp_request_t.destroy
|
|
*/
|
|
static void destroy(private_x509_ocsp_request_t *this)
|
|
{
|
|
if (ref_put(&this->ref))
|
|
{
|
|
DESTROY_IF((certificate_t*)this->ca);
|
|
DESTROY_IF(this->requestor);
|
|
DESTROY_IF(this->cert);
|
|
DESTROY_IF(this->key);
|
|
this->candidates->destroy_offset(this->candidates, offsetof(certificate_t, destroy));
|
|
chunk_free(&this->nonce);
|
|
chunk_free(&this->encoding);
|
|
free(this);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* create an empty but initialized OCSP request
|
|
*/
|
|
static private_x509_ocsp_request_t *create_empty()
|
|
{
|
|
private_x509_ocsp_request_t *this = malloc_thing(private_x509_ocsp_request_t);
|
|
|
|
this->public.interface.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
|
|
this->public.interface.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
|
|
this->public.interface.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
|
|
this->public.interface.interface.has_subject = (id_match_t(*)(certificate_t*, identification_t *subject))has_subject;
|
|
this->public.interface.interface.has_issuer = (id_match_t(*)(certificate_t*, identification_t *issuer))has_issuer;
|
|
this->public.interface.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
|
|
this->public.interface.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
|
|
this->public.interface.interface.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
|
|
this->public.interface.interface.get_encoding = (chunk_t(*)(certificate_t*))get_encoding;
|
|
this->public.interface.interface.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
|
|
this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
|
|
this->public.interface.interface.destroy = (void (*)(certificate_t *this))destroy;
|
|
|
|
this->ca = NULL;
|
|
this->requestor = NULL;
|
|
this->cert = NULL;
|
|
this->key = NULL;
|
|
this->nonce = chunk_empty;
|
|
this->encoding = chunk_empty;
|
|
this->candidates = linked_list_create();
|
|
this->ref = 1;
|
|
|
|
return this;
|
|
}
|
|
|
|
/**
|
|
* See header.
|
|
*/
|
|
x509_ocsp_request_t *x509_ocsp_request_gen(certificate_type_t type, va_list args)
|
|
{
|
|
private_x509_ocsp_request_t *req;
|
|
certificate_t *cert;
|
|
private_key_t *private;
|
|
identification_t *subject;
|
|
|
|
req = create_empty();
|
|
while (TRUE)
|
|
{
|
|
switch (va_arg(args, builder_part_t))
|
|
{
|
|
case BUILD_CA_CERT:
|
|
cert = va_arg(args, certificate_t*);
|
|
if (cert->get_type(cert) == CERT_X509)
|
|
{
|
|
req->ca = (x509_t*)cert->get_ref(cert);
|
|
}
|
|
continue;
|
|
case BUILD_CERT:
|
|
cert = va_arg(args, certificate_t*);
|
|
if (cert->get_type(cert) == CERT_X509)
|
|
{
|
|
req->candidates->insert_last(req->candidates,
|
|
cert->get_ref(cert));
|
|
}
|
|
continue;
|
|
case BUILD_SIGNING_CERT:
|
|
cert = va_arg(args, certificate_t*);
|
|
req->cert = cert->get_ref(cert);
|
|
continue;
|
|
case BUILD_SIGNING_KEY:
|
|
private = va_arg(args, private_key_t*);
|
|
req->key = private->get_ref(private);
|
|
continue;
|
|
case BUILD_SUBJECT:
|
|
subject = va_arg(args, identification_t*);
|
|
req->requestor = subject->clone(subject);
|
|
continue;
|
|
case BUILD_END:
|
|
break;
|
|
default:
|
|
destroy(req);
|
|
return NULL;
|
|
}
|
|
break;
|
|
}
|
|
if (req->ca)
|
|
{
|
|
req->encoding = build_OCSPRequest(req);
|
|
return &req->public;
|
|
}
|
|
destroy(req);
|
|
return NULL;
|
|
}
|
|
|