* for more details.
*/
+#include <library.h>
#include <utils/debug.h>
#include <tkm/constants.h>
#include <tkm/client.h>
* for more details.
*/
+#include <library.h>
#include <utils/debug.h>
#include "tkm_public_key.h"
#include "iv_manager.h"
+#include <library.h>
#include <collections/linked_list.h>
/**
typedef enum certificate_type_t certificate_type_t;
typedef enum cert_validation_t cert_validation_t;
-#include <library.h>
#include <utils/identification.h>
#include <credentials/keys/public_key.h>
+#include <credentials/keys/signature_params.h>
#include <credentials/cred_encoding.h>
/**
* Check if this certificate is issued and signed by a specific issuer.
*
* @param issuer issuer's certificate
- * @param scheme receives signature scheme used during verification
+ * @param scheme receives used signature scheme and parameters, if
+ * given (allocated)
* @return TRUE if certificate issued by issuer and trusted
*/
bool (*issued_by)(certificate_t *this, certificate_t *issuer,
- signature_scheme_t *scheme);
+ signature_params_t **scheme);
/**
* Get the public key associated to this certificate.
#include "pkcs12.h"
+#include <library.h>
#include <utils/debug.h>
/**
typedef enum cred_encoding_type_t cred_encoding_type_t;
typedef enum cred_encoding_part_t cred_encoding_part_t;
-#include <library.h>
+#include <utils/chunk.h>
/**
* Credential encoder function implementing encoding/fingerprinting.
METHOD(credential_manager_t, issued_by, bool,
private_credential_manager_t *this, certificate_t *subject,
- certificate_t *issuer, signature_scheme_t *scheme)
+ certificate_t *issuer, signature_params_t **scheme)
{
if (this->cache)
{
*/
static certificate_t *get_issuer_cert(private_credential_manager_t *this,
certificate_t *subject, bool trusted,
- signature_scheme_t *scheme)
+ signature_params_t **scheme)
{
enumerator_t *enumerator;
certificate_t *issuer = NULL, *candidate;
{
certificate_t *current, *issuer;
auth_cfg_t *auth;
- signature_scheme_t scheme;
+ signature_params_t *scheme;
int pathlen;
auth = auth_cfg_create();
DBG1(DBG_CFG, " using trusted intermediate ca certificate "
"\"%Y\"", issuer->get_subject(issuer));
}
- auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme);
+ auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme->scheme);
+ signature_params_destroy(scheme);
}
else
{
auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
DBG1(DBG_CFG, " using untrusted intermediate certificate "
"\"%Y\"", issuer->get_subject(issuer));
- auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme);
+ auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme->scheme);
+ signature_params_destroy(scheme);
}
else
{
*
* @param subject subject certificate to check
* @param issuer issuer certificate that potentially has signed subject
- * @param scheme receives used signature scheme, if given
+ * @param scheme receives used signature scheme and parameters, if
+ * given (allocated)
* @return TRUE if issuer signed subject
*/
bool (*issued_by)(credential_manager_t *this,
certificate_t *subject, certificate_t *issuer,
- signature_scheme_t *scheme);
+ signature_params_t **scheme);
/**
* Register a credential set to the manager.
typedef enum signature_scheme_t signature_scheme_t;
typedef enum encryption_scheme_t encryption_scheme_t;
-#include <library.h>
#include <utils/identification.h>
#include <credentials/cred_encoding.h>
certificate_t *issuer;
/**
- * Signature scheme used to sign this relation
+ * Signature scheme and parameters used to sign this relation
*/
- signature_scheme_t scheme;
+ signature_params_t *scheme;
/**
* Cache hits
*/
static void cache(private_cert_cache_t *this,
certificate_t *subject, certificate_t *issuer,
- signature_scheme_t scheme)
+ signature_params_t *scheme)
{
relation_t *rel;
int i, offset, try;
{
rel->subject->destroy(rel->subject);
rel->subject = subject->get_ref(subject);
- rel->scheme = scheme;
+ signature_params_destroy(rel->scheme);
+ rel->scheme = signature_params_clone(scheme);
return rel->lock->unlock(rel->lock);
}
}
{
rel->subject = subject->get_ref(subject);
rel->issuer = issuer->get_ref(issuer);
- rel->scheme = scheme;
+ rel->scheme = signature_params_clone(scheme);
return rel->lock->unlock(rel->lock);
}
rel->lock->unlock(rel->lock);
{
rel->subject->destroy(rel->subject);
rel->issuer->destroy(rel->issuer);
+ signature_params_destroy(rel->scheme);
}
rel->subject = subject->get_ref(subject);
rel->issuer = issuer->get_ref(issuer);
- rel->scheme = scheme;
+ rel->scheme = signature_params_clone(scheme);
rel->hits = 0;
return rel->lock->unlock(rel->lock);
}
METHOD(cert_cache_t, issued_by, bool,
private_cert_cache_t *this, certificate_t *subject, certificate_t *issuer,
- signature_scheme_t *schemep)
+ signature_params_t **schemep)
{
certificate_t *cached_issuer = NULL;
relation_t *found = NULL, *current;
- signature_scheme_t scheme;
+ signature_params_t *scheme;
int i;
for (i = 0; i < CACHE_SIZE; i++)
found = current;
if (schemep)
{
- *schemep = current->scheme;
+ *schemep = signature_params_clone(current->scheme);
}
}
else if (!cached_issuer)
{
*schemep = scheme;
}
+ else
+ {
+ signature_params_destroy(scheme);
+ }
DESTROY_IF(cached_issuer);
return TRUE;
}
{
rel->subject->destroy(rel->subject);
rel->issuer->destroy(rel->issuer);
+ signature_params_destroy(rel->scheme);
rel->subject = NULL;
rel->issuer = NULL;
+ rel->scheme = NULL;
rel->hits = 0;
}
}
{
rel->subject->destroy(rel->subject);
rel->issuer->destroy(rel->issuer);
+ signature_params_destroy(rel->scheme);
}
rel->lock->destroy(rel->lock);
}
{
this->relations[i].subject = NULL;
this->relations[i].issuer = NULL;
+ this->relations[i].scheme = NULL;
this->relations[i].hits = 0;
this->relations[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
}
*
* @param subject certificate to verify
* @param issuer issuing certificate to verify subject
- * @param scheme receives used signature scheme, if given
+ * @param scheme receives used signature scheme and parameters, if
+ * given (allocated)
* @return TRUE if subject issued by issuer
*/
bool (*issued_by)(cert_cache_t *this,
certificate_t *subject, certificate_t *issuer,
- signature_scheme_t *scheme);
+ signature_params_t **scheme);
/**
* Flush the certificate cache.
typedef enum hash_algorithm_t hash_algorithm_t;
typedef struct hasher_t hasher_t;
-#include <library.h>
#include <crypto/prfs/prf.h>
#include <crypto/signers/signer.h>
#include <credentials/keys/public_key.h>
typedef enum pseudo_random_function_t pseudo_random_function_t;
typedef struct prf_t prf_t;
-#include <library.h>
+#include <utils/utils.h>
+#include <utils/chunk.h>
/**
* Pseudo random function, as in IKEv2 RFC 3.3.2.
typedef enum integrity_algorithm_t integrity_algorithm_t;
typedef struct signer_t signer_t;
-#include <library.h>
+#include <utils/utils.h>
+#include <utils/chunk.h>
/**
* Integrity algorithm, as in IKEv2 RFC 3.3.2.
METHOD(certificate_t, issued_by, bool,
private_openssl_crl_t *this, certificate_t *issuer,
- signature_scheme_t *scheme)
+ signature_params_t **scheme)
{
chunk_t fingerprint, tbs;
public_key_t *key;
key->destroy(key);
if (valid && scheme)
{
- *scheme = this->scheme;
+ INIT(*scheme,
+ .scheme = this->scheme,
+ );
}
return valid;
}
#include "openssl_sha1_prf.h"
#include <openssl/sha.h>
+#include <crypto/hashers/hasher.h>
typedef struct private_openssl_sha1_prf_t private_openssl_sha1_prf_t;
METHOD(certificate_t, issued_by, bool,
private_openssl_x509_t *this, certificate_t *issuer,
- signature_scheme_t *scheme)
+ signature_params_t **scheme)
{
public_key_t *key;
bool valid;
ASN1_BIT_STRING *sig;
chunk_t tbs;
+ if (this->scheme == SIGN_UNKNOWN)
+ {
+ return FALSE;
+ }
if (&this->public.x509.interface == issuer)
{
if (this->flags & X509_SELF_SIGNED)
{
- return TRUE;
+ valid = TRUE;
+ goto out;
}
}
else
return FALSE;
}
}
- if (this->scheme == SIGN_UNKNOWN)
- {
- return FALSE;
- }
key = issuer->get_public_key(issuer);
if (!key)
{
openssl_asn1_str2chunk(sig));
free(tbs.ptr);
key->destroy(key);
+
+out:
if (valid && scheme)
{
- *scheme = this->scheme;
+ INIT(*scheme,
+ .scheme = this->scheme,
+ );
}
return valid;
}
#include "pem_encoder.h"
+#include <library.h>
+
#define BYTES_PER_LINE 48
/**
}
METHOD(certificate_t, issued_by,bool,
- private_pgp_cert_t *this, certificate_t *issuer, signature_scheme_t *scheme)
+ private_pgp_cert_t *this, certificate_t *issuer, signature_params_t **scheme)
{
/* TODO: check signature blobs for a valid signature */
return FALSE;
#include "pgp_encoder.h"
+#include <library.h>
#include <utils/debug.h>
/**
METHOD(certificate_t, issued_by, bool,
private_pubkey_cert_t *this, certificate_t *issuer,
- signature_scheme_t *scheme)
+ signature_params_t **scheme)
{
- if (scheme)
+ bool valid = equals(this, issuer);
+ if (valid && scheme)
{
- *scheme = SIGN_UNKNOWN;
+ INIT(*scheme,
+ .scheme = SIGN_UNKNOWN,
+ );
}
- return equals(this, issuer);
+ return valid;
}
METHOD(certificate_t, get_public_key, public_key_t*,
}
METHOD(certificate_t, issued_by, bool,
- private_x509_ac_t *this, certificate_t *issuer, signature_scheme_t *schemep)
+ private_x509_ac_t *this, certificate_t *issuer,
+ signature_params_t **schemep)
{
public_key_t *key;
signature_scheme_t scheme;
key->destroy(key);
if (valid && schemep)
{
- *schemep = scheme;
+ INIT(*schemep,
+ .scheme = scheme,
+ );
}
return valid;
}
METHOD(certificate_t, issued_by, bool,
private_x509_cert_t *this, certificate_t *issuer,
- signature_scheme_t *schemep)
+ signature_params_t **schemep)
{
public_key_t *key;
signature_scheme_t scheme;
bool valid;
x509_t *x509 = (x509_t*)issuer;
+ /* determine signature scheme */
+ scheme = signature_scheme_from_oid(this->algorithm);
+ if (scheme == SIGN_UNKNOWN)
+ {
+ return FALSE;
+ }
+
if (&this->public.interface.interface == issuer)
{
if (this->flags & X509_SELF_SIGNED)
{
- return TRUE;
+ valid = TRUE;
+ goto out;
}
}
else
return FALSE;
}
- /* determine signature scheme */
- scheme = signature_scheme_from_oid(this->algorithm);
- if (scheme == SIGN_UNKNOWN)
- {
- return FALSE;
- }
/* get the public key of the issuer */
key = issuer->get_public_key(issuer);
if (!key)
valid = key->verify(key, scheme, NULL, this->tbsCertificate,
this->signature);
key->destroy(key);
+
+out:
if (valid && schemep)
{
- *schemep = scheme;
+ INIT(*schemep,
+ .scheme = scheme,
+ );
}
return valid;
}
}
METHOD(certificate_t, issued_by, bool,
- private_x509_crl_t *this, certificate_t *issuer, signature_scheme_t *schemep)
+ private_x509_crl_t *this, certificate_t *issuer,
+ signature_params_t **schemep)
{
public_key_t *key;
signature_scheme_t scheme;
key->destroy(key);
if (valid && schemep)
{
- *schemep = scheme;
+ INIT(*schemep,
+ .scheme = scheme,
+ );
}
return valid;
}
METHOD(certificate_t, issued_by, bool,
private_x509_ocsp_request_t *this, certificate_t *issuer,
- signature_scheme_t *scheme)
+ signature_params_t **scheme)
{
DBG1(DBG_LIB, "OCSP request validation not implemented!");
return FALSE;
METHOD(certificate_t, issued_by, bool,
private_x509_ocsp_response_t *this, certificate_t *issuer,
- signature_scheme_t *schemep)
+ signature_params_t **schemep)
{
public_key_t *key;
signature_scheme_t scheme;
key->destroy(key);
if (valid && schemep)
{
- *schemep = scheme;
+ INIT(*schemep,
+ .scheme = scheme,
+ );
}
return valid;
}
METHOD(certificate_t, issued_by, bool,
private_x509_pkcs10_t *this, certificate_t *issuer,
- signature_scheme_t *schemep)
+ signature_params_t **schemep)
{
public_key_t *key;
signature_scheme_t scheme;
{
return FALSE;
}
- if (this->self_signed)
- {
- return TRUE;
- }
-
/* determine signature scheme */
scheme = signature_scheme_from_oid(this->algorithm);
if (scheme == SIGN_UNKNOWN)
{
return FALSE;
}
-
- /* get the public key contained in the certificate request */
- key = this->public_key;
- if (!key)
+ if (this->self_signed)
{
- return FALSE;
+ valid = TRUE;
+ }
+ else
+ {
+ /* get the public key contained in the certificate request */
+ key = this->public_key;
+ if (!key)
+ {
+ return FALSE;
+ }
+ valid = key->verify(key, scheme, NULL, this->certificationRequestInfo,
+ this->signature);
}
- valid = key->verify(key, scheme, NULL, this->certificationRequestInfo,
- this->signature);
if (valid && schemep)
{
- *schemep = scheme;
+ INIT(*schemep,
+ .scheme = scheme,
+ );
}
return valid;
}
typedef enum debug_t debug_t;
typedef enum level_t level_t;
-#include <stdio.h>
-
+#include <utils/printf_hook/printf_hook.h>
#include <utils/utils.h>
+#include <stdio.h>
/**
* Debug message group.
typedef struct private_tls_prf12_t private_tls_prf12_t;
+#include <library.h>
+
/**
* Private data of an tls_prf_t object.
*/