]> git.ipfire.org Git - thirdparty/strongswan.git/blame - src/libstrongswan/plugins/openssl/openssl_x509.c
projects / thirdparty / strongswan.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
has_subject() now resolves ID_KEY_IDs
[thirdparty/strongswan.git] / src / libstrongswan / plugins / openssl / openssl_x509.c
CommitLineData
5728c6aa
MW		 1/*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16/*
17 * Copyright (C) 2010 secunet Security Networks AG
18 * Copyright (C) 2010 Thomas Egerer
19 *
20 * Permission is hereby granted, free of charge, to any person obtaining a copy
21 * of this software and associated documentation files (the "Software"), to deal
22 * in the Software without restriction, including without limitation the rights
23 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
24 * copies of the Software, and to permit persons to whom the Software is
25 * furnished to do so, subject to the following conditions:
26 *
27 * The above copyright notice and this permission notice shall be included in
28 * all copies or substantial portions of the Software.
29 *
30 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
31 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
32 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
33 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
34 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
35 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
36 * THE SOFTWARE.
37 */
38
39#define _GNU_SOURCE
40#include <stdio.h>
41#include <openssl/x509.h>
42#include <openssl/x509v3.h>
43
44#include "openssl_x509.h"
45#include "openssl_util.h"
46
47#include <debug.h>
48#include <asn1/oid.h>
49#include <utils/linked_list.h>
50
51
52typedef struct private_openssl_x509_t private_openssl_x509_t;
53
54/**
55 * Private data of an openssl_x509_t object.
56 */
57struct private_openssl_x509_t {
58
59 /**
60 * Public openssl_x509_t interface.
61 */
62 openssl_x509_t public;
63
64 /**
65 * OpenSSL certificate representation
66 */
67 X509 *x509;
68
69 /**
70 * DER encoded certificate
71 */
72 chunk_t encoding;
73
74 /**
75 * SHA1 hash of the certificate
76 */
77 chunk_t hash;
78
79 /**
80 * X509 flags
81 */
82 x509_flag_t flags;
83
84 /**
85 * Pathlen constraint
86 */
87 int pathlen;
88
89 /**
90 * certificate subject
91 */
92 identification_t *subject;
93
94 /**
95 * certificate issuer
96 */
97 identification_t *issuer;
98
99 /**
100 * Certificates public key
101 */
102 public_key_t *pubkey;
103
104 /**
105 * subjectKeyIdentifier as read from cert
106 */
107 chunk_t subjectKeyIdentifier;
108
109 /**
110 * authorityKeyIdentifier as read from cert
111 */
112 chunk_t authKeyIdentifier;
113
114 /**
115 * Start time of certificate validity
116 */
117 time_t notBefore;
118
119 /**
120 * End time of certificate validity
121 */
122 time_t notAfter;
123
124 /**
125 * Signature scheme of the certificate
126 */
127 signature_scheme_t scheme;
128
129 /**
130 * subjectAltNames
131 */
132 linked_list_t *subjectAltNames;
133
134 /**
135 * issuerAltNames
136 */
137 linked_list_t *issuerAltNames;
138
139 /**
140 * List of CRL URIs
141 */
142 linked_list_t *crl_uris;
143
144 /**
145 * List of OCSP URIs
146 */
147 linked_list_t *ocsp_uris;
148
149 /**
150 * References to this cert
151 */
152 refcount_t ref;
153};
154
155/**
156 * Convert a GeneralName to an identification_t.
157 */
158static identification_t *general_name2id(GENERAL_NAME *name)
159{
160 if (!name)
161 {
162 return NULL;
163 }
164 switch (name->type)
165 {
166 case GEN_EMAIL:
167 return identification_create_from_encoding(ID_RFC822_ADDR,
168 openssl_asn1_str2chunk(name->d.rfc822Name));
169 case GEN_DNS:
170 return identification_create_from_encoding(ID_FQDN,
171 openssl_asn1_str2chunk(name->d.dNSName));
172 case GEN_URI:
173 return identification_create_from_encoding(ID_DER_ASN1_GN_URI,
174 openssl_asn1_str2chunk(name->d.uniformResourceIdentifier));
175 case GEN_IPADD:
07c5aacc
MW		 176 {
177 chunk_t chunk = openssl_asn1_str2chunk(name->d.iPAddress);
178 if (chunk.len == 4)
179 {
180 return identification_create_from_encoding(ID_IPV4_ADDR, chunk);
181 }
182 if (chunk.len == 16)
183 {
184 return identification_create_from_encoding(ID_IPV6_ADDR, chunk);
185 }
186 return NULL;
187 }
5728c6aa
MW		 188 case GEN_DIRNAME :
189 return openssl_x509_name2id(name->d.directoryName);
a0a8aaaf
MW		 190 case GEN_OTHERNAME:
191 if (OBJ_obj2nid(name->d.otherName->type_id) == NID_ms_upn &&
192 name->d.otherName->value->type == V_ASN1_UTF8STRING)
193 {
194 return identification_create_from_encoding(ID_RFC822_ADDR,
195 openssl_asn1_str2chunk(
196 name->d.otherName->value->value.utf8string));
197 }
198 return NULL;
5728c6aa
MW		 199 default:
200 return NULL;
201 }
202}
203
204METHOD(x509_t, get_flags, x509_flag_t,
205 private_openssl_x509_t *this)
206{
207 return this->flags;
208}
209
210METHOD(x509_t, get_serial, chunk_t,
211 private_openssl_x509_t *this)
212{
213 return openssl_asn1_str2chunk(X509_get_serialNumber(this->x509));
214}
215
216METHOD(x509_t, get_subjectKeyIdentifier, chunk_t,
217 private_openssl_x509_t *this)
218{
219 chunk_t fingerprint;
220
221 if (this->subjectKeyIdentifier.len)
222 {
223 return this->subjectKeyIdentifier;
224 }
da9724e6 225 if (this->pubkey->get_fingerprint(this->pubkey, KEYID_PUBKEY_SHA1,
5728c6aa
MW		 226 &fingerprint))
227 {
228 return fingerprint;
229 }
230 return chunk_empty;
231}
232
233METHOD(x509_t, get_authKeyIdentifier, chunk_t,
234 private_openssl_x509_t *this)
235{
236 if (this->authKeyIdentifier.len)
237 {
238 return this->authKeyIdentifier;
239 }
240 return chunk_empty;
241}
242
243METHOD(x509_t, get_pathLenConstraint, int,
244 private_openssl_x509_t *this)
245{
246 return this->pathlen;
247}
248
249METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
250 private_openssl_x509_t *this)
251{
252 return this->subjectAltNames->create_enumerator(this->subjectAltNames);
253}
254
255METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*,
256 private_openssl_x509_t *this)
257{
258 return this->crl_uris->create_enumerator(this->crl_uris);
259}
260
261METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*,
262 private_openssl_x509_t *this)
263{
264 return this->ocsp_uris->create_enumerator(this->ocsp_uris);
265}
266
267METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*,
268 private_openssl_x509_t *this)
269{
270 /* TODO */
271 return enumerator_create_empty();
272}
273
274METHOD(certificate_t, get_type, certificate_type_t,
275 private_openssl_x509_t *this)
276{
277 return CERT_X509;
278}
279
280METHOD(certificate_t, get_subject, identification_t*,
281 private_openssl_x509_t *this)
282{
283 return this->subject;
284}
285
286METHOD(certificate_t, get_issuer, identification_t*,
287 private_openssl_x509_t *this)
288{
289 return this->issuer;
290}
291
292METHOD(certificate_t, has_subject, id_match_t,
293 private_openssl_x509_t *this, identification_t *subject)
294{
295 identification_t *current;
296 enumerator_t *enumerator;
297 id_match_t match, best;
298
299 if (subject->get_type(subject) == ID_KEY_ID)
300 {
301 if (chunk_equals(this->hash, subject->get_encoding(subject)))
302 {
303 return ID_MATCH_PERFECT;
304 }
305 }
306 best = this->subject->matches(this->subject, subject);
307 enumerator = create_subjectAltName_enumerator(this);
308 while (enumerator->enumerate(enumerator, &current))
309 {
310 match = current->matches(current, subject);
311 if (match > best)
312 {
313 best = match;
314 }
315 }
316 enumerator->destroy(enumerator);
317 return best;
318}
319
320METHOD(certificate_t, has_issuer, id_match_t,
321 private_openssl_x509_t *this, identification_t *issuer)
322{
323 /* issuerAltNames currently not supported */
324 return this->issuer->matches(this->issuer, issuer);
325}
326
327METHOD(certificate_t, issued_by, bool,
328 private_openssl_x509_t *this, certificate_t *issuer)
329{
330 public_key_t *key;
331 bool valid;
332 x509_t *x509 = (x509_t*)issuer;
333 chunk_t tbs;
334
335 if (&this->public.x509.interface == issuer)
336 {
337 if (this->flags & X509_SELF_SIGNED)
338 {
339 return TRUE;
340 }
341 }
342 else
343 {
344 if (issuer->get_type(issuer) != CERT_X509)
345 {
346 return FALSE;
347 }
348 if (!(x509->get_flags(x509) & X509_CA))
349 {
350 return FALSE;
351 }
352 if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
353 {
354 return FALSE;
355 }
356 }
357 if (this->scheme == SIGN_UNKNOWN)
358 {
359 return FALSE;
360 }
361 key = issuer->get_public_key(issuer);
362 if (!key)
363 {
364 return FALSE;
365 }
366 tbs = openssl_i2chunk(X509_CINF, this->x509->cert_info);
367 valid = key->verify(key, this->scheme, tbs,
368 openssl_asn1_str2chunk(this->x509->signature));
369 free(tbs.ptr);
370 key->destroy(key);
371 return valid;
372}
373
374METHOD(certificate_t, get_public_key, public_key_t*,
375 private_openssl_x509_t *this)
376{
377 return this->pubkey->get_ref(this->pubkey);
378}
379
380METHOD(certificate_t, get_validity, bool,
381 private_openssl_x509_t *this,
382 time_t *when, time_t *not_before, time_t *not_after)
383{
384 time_t t;
385
386 if (when)
387 {
388 t = *when;
389 }
390 else
391 {
392 t = time(NULL);
393 }
394 if (not_before)
395 {
396 *not_before = this->notBefore;
397 }
398 if (not_after)
399 {
400 *not_after = this->notAfter;
401 }
402 return (t >= this->notBefore && t <= this->notAfter);
403}
404
0406eeaa
MW		 405METHOD(certificate_t, get_encoding, bool,
406 private_openssl_x509_t *this, cred_encoding_type_t type, chunk_t *encoding)
5728c6aa 407{
0406eeaa
MW		 408 if (type == CERT_ASN1_DER)
409 {
410 *encoding = chunk_clone(this->encoding);
411 return TRUE;
412 }
413 return lib->encoding->encode(lib->encoding, type, NULL, encoding,
414 CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END);
5728c6aa
MW		 415}
416
0406eeaa 417
5728c6aa
MW		 418METHOD(certificate_t, equals, bool,
419 private_openssl_x509_t *this, certificate_t *other)
420{
421 chunk_t encoding;
422 bool equal;
423
424 if (this == (private_openssl_x509_t*)other)
425 {
426 return TRUE;
427 }
428 if (other->get_type(other) != CERT_X509)
429 {
430 return FALSE;
431 }
432 if (other->equals == (void*)equals)
433 { /* skip allocation if we have the same implementation */
434 encoding = ((private_openssl_x509_t*)other)->encoding;
435 return chunk_equals(this->encoding, encoding);
436 }
0406eeaa
MW		 437 if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
438 {
439 return FALSE;
440 }
5728c6aa
MW		 441 equal = chunk_equals(this->encoding, encoding);
442 free(encoding.ptr);
443 return equal;
444}
445
446METHOD(certificate_t, get_ref, certificate_t*,
447 private_openssl_x509_t *this)
448{
449 ref_get(&this->ref);
450 return &this->public.x509.interface;
451}
452
453METHOD(certificate_t, destroy, void,
454 private_openssl_x509_t *this)
455{
456 if (ref_put(&this->ref))
457 {
458 if (this->x509)
459 {
460 X509_free(this->x509);
461 }
462 DESTROY_IF(this->subject);
463 DESTROY_IF(this->issuer);
464 DESTROY_IF(this->pubkey);
465 free(this->subjectKeyIdentifier.ptr);
466 free(this->authKeyIdentifier.ptr);
467 free(this->encoding.ptr);
468 free(this->hash.ptr);
469 this->subjectAltNames->destroy_offset(this->subjectAltNames,
470 offsetof(identification_t, destroy));
471 this->issuerAltNames->destroy_offset(this->issuerAltNames,
472 offsetof(identification_t, destroy));
473 this->crl_uris->destroy_function(this->crl_uris, free);
474 this->ocsp_uris->destroy_function(this->ocsp_uris, free);
475 free(this);
476 }
477}
478
479/**
480 * Create an empty certificate
481 */
482static private_openssl_x509_t *create_empty()
483{
484 private_openssl_x509_t *this;
485
486 INIT(this,
487 .public = {
488 .x509 = {
489 .interface = {
490 .get_type = _get_type,
491 .get_subject = _get_subject,
492 .get_issuer = _get_issuer,
493 .has_subject = _has_subject,
494 .has_issuer = _has_issuer,
495 .issued_by = _issued_by,
496 .get_public_key = _get_public_key,
497 .get_validity = _get_validity,
5728c6aa
MW		 498 .get_encoding = _get_encoding,
499 .equals = _equals,
500 .get_ref = _get_ref,
501 .destroy = _destroy,
502 },
503 .get_flags = _get_flags,
504 .get_serial = _get_serial,
505 .get_subjectKeyIdentifier = _get_subjectKeyIdentifier,
506 .get_authKeyIdentifier = _get_authKeyIdentifier,
507 .get_pathLenConstraint = _get_pathLenConstraint,
508 .create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
509 .create_crl_uri_enumerator = _create_crl_uri_enumerator,
510 .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
511 .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
512 },
513 },
514 .subjectAltNames = linked_list_create(),
515 .issuerAltNames = linked_list_create(),
516 .crl_uris = linked_list_create(),
517 .ocsp_uris = linked_list_create(),
518 .pathlen = X509_NO_PATH_LEN_CONSTRAINT,
519 .ref = 1,
520 );
521
522 return this;
523}
524
525/**
526 * parse an extionsion containing GENERAL_NAMES into a list
527 */
528static bool parse_generalNames_ext(linked_list_t *list,
529 X509_EXTENSION *ext)
530{
531 GENERAL_NAMES *names;
532 GENERAL_NAME *name;
533 identification_t *id;
534 int i, num;
535
536 names = X509V3_EXT_d2i(ext);
537 if (!names)
538 {
539 return FALSE;
540 }
541
542 num = sk_GENERAL_NAME_num(names);
543 for (i = 0; i < num; i++)
544 {
545 name = sk_GENERAL_NAME_value(names, i);
546 id = general_name2id(name);
547 if (id)
548 {
549 list->insert_last(list, id);
550 }
551 GENERAL_NAME_free(name);
552 }
553 sk_GENERAL_NAME_free(names);
554 return TRUE;
555}
556
557/**
558 * parse basic constraints
559 */
560static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
561 X509_EXTENSION *ext)
562{
563 BASIC_CONSTRAINTS *constraints;
564
565 constraints = (BASIC_CONSTRAINTS*)X509V3_EXT_d2i(ext);
566 if (constraints)
567 {
568 if (constraints->ca)
569 {
570 this->flags |= X509_CA;
571 }
572 if (constraints->pathlen)
573 {
574 this->pathlen = ASN1_INTEGER_get(constraints->pathlen);
575 }
576 BASIC_CONSTRAINTS_free(constraints);
577 return TRUE;
578 }
579 return FALSE;
580}
581
582/**
583 * Parse CRL distribution points
584 */
585static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this,
586 X509_EXTENSION *ext)
587{
588 CRL_DIST_POINTS *cdps;
589 DIST_POINT *cdp;
590 identification_t *id;
591 char *uri;
592 int i, j, point_num, name_num;
593
594 cdps = X509V3_EXT_d2i(ext);
595 if (!cdps)
596 {
597 return FALSE;
598 }
599 point_num = sk_DIST_POINT_num(cdps);
600 for (i = 0; i < point_num; i++)
601 {
602 cdp = sk_DIST_POINT_value(cdps, i);
603 if (cdp)
604 {
605 if (cdp->distpoint && cdp->distpoint->type == 0 &&
606 cdp->distpoint->name.fullname)
607 {
608 name_num = sk_GENERAL_NAME_num(cdp->distpoint->name.fullname);
609 for (j = 0; j < name_num; j++)
610 {
611 id = general_name2id(sk_GENERAL_NAME_value(
612 cdp->distpoint->name.fullname, j));
613 if (id)
614 {
615 if (asprintf(&uri, "%Y", id) > 0)
616 {
617 this->crl_uris->insert_first(this->crl_uris, uri);
618 }
619 id->destroy(id);
620 }
621 }
622 }
623 DIST_POINT_free(cdp);
624 }
625 }
626 sk_DIST_POINT_free(cdps);
627 return TRUE;
628}
629
630/**
631 * Parse authorityInfoAccess with OCSP URIs
632 */
633static bool parse_authorityInfoAccess_ext(private_openssl_x509_t *this,
634 X509_EXTENSION *ext)
635{
636 AUTHORITY_INFO_ACCESS *infos;
637 ACCESS_DESCRIPTION *desc;
638 identification_t *id;
639 int i, num;
640 char *uri;
641
642 infos = X509V3_EXT_d2i(ext);
643 if (!infos)
644 {
645 return FALSE;
646 }
647 num = sk_ACCESS_DESCRIPTION_num(infos);
648 for (i = 0; i < num; i++)
649 {
650 desc = sk_ACCESS_DESCRIPTION_value(infos, i);
651 if (desc)
652 {
653 if (openssl_asn1_known_oid(desc->method) == OID_OCSP)
654 {
655 id = general_name2id(desc->location);
656 if (id)
657 {
658 if (asprintf(&uri, "%Y", id) > 0)
659 {
660 this->ocsp_uris->insert_first(this->ocsp_uris, uri);
661 }
662 id->destroy(id);
663 }
664 }
665 ACCESS_DESCRIPTION_free(desc);
666 }
667 }
668 sk_ACCESS_DESCRIPTION_free(infos);
669 return TRUE;
670}
671
672/**
673 * Parse authorityKeyIdentifier extension
674 */
675static bool parse_authKeyIdentifier_ext(private_openssl_x509_t *this,
676 X509_EXTENSION *ext)
677{
678 AUTHORITY_KEYID *keyid;
679
680 keyid = (AUTHORITY_KEYID*)X509V3_EXT_d2i(ext);
681 if (keyid)
682 {
683 free(this->authKeyIdentifier.ptr);
684 this->authKeyIdentifier = chunk_clone(
685 openssl_asn1_str2chunk(keyid->keyid));
686 AUTHORITY_KEYID_free(keyid);
687 return TRUE;
688 }
689 return FALSE;
690}
691
692/**
693 * Parse subjectKeyIdentifier extension
694 */
695static bool parse_subjectKeyIdentifier_ext(private_openssl_x509_t *this,
696 X509_EXTENSION *ext)
697{
f00a1015
MW		 698 chunk_t ostr;
699
700 ostr = openssl_asn1_str2chunk(X509_EXTENSION_get_data(ext));
701 /* quick and dirty unwrap of octet string */
702 if (ostr.len > 2 &&
703 ostr.ptr[0] == V_ASN1_OCTET_STRING && ostr.ptr[1] == ostr.len - 2)
704 {
705 free(this->subjectKeyIdentifier.ptr);
706 this->subjectKeyIdentifier = chunk_clone(chunk_skip(ostr, 2));
707 return TRUE;
708 }
709 return FALSE;
5728c6aa
MW		 710}
711
712/**
713 * Parse X509 extensions we are interested in
714 */
715static bool parse_extensions(private_openssl_x509_t *this)
716{
717 STACK_OF(X509_EXTENSION) *extensions;
718 int i, num;
719
720 extensions = this->x509->cert_info->extensions;
721 if (extensions)
722 {
723 num = sk_X509_EXTENSION_num(extensions);
724
725 for (i = 0; i < num; i++)
726 {
727 X509_EXTENSION *ext;
728 bool ok;
729
730 ext = sk_X509_EXTENSION_value(extensions, i);
731 switch (OBJ_obj2nid(X509_EXTENSION_get_object(ext)))
732 {
733 case NID_info_access:
734 ok = parse_authorityInfoAccess_ext(this, ext);
735 break;
736 case NID_authority_key_identifier:
737 ok = parse_authKeyIdentifier_ext(this, ext);
738 break;
739 case NID_subject_key_identifier:
740 ok = parse_subjectKeyIdentifier_ext(this, ext);
741 break;
742 case NID_subject_alt_name:
743 ok = parse_generalNames_ext(this->subjectAltNames, ext);
744 break;
745 case NID_issuer_alt_name:
746 ok = parse_generalNames_ext(this->issuerAltNames, ext);
747 break;
748 case NID_basic_constraints:
749 ok = parse_basicConstraints_ext(this, ext);
750 break;
751 case NID_crl_distribution_points:
752 ok = parse_crlDistributionPoints_ext(this, ext);
753 break;
754 default:
755 ok = TRUE;
756 break;
757 }
758 if (!ok)
759 {
760 return FALSE;
761 }
762 }
763 }
764 return TRUE;
765}
766
07d2b391
MW		 767/**
768 * Parse ExtendedKeyUsage
769 */
770static void parse_extKeyUsage(private_openssl_x509_t *this)
771{
772 EXTENDED_KEY_USAGE *usage;
773 int i;
774
775 usage = X509_get_ext_d2i(this->x509, NID_ext_key_usage, NULL, NULL);
776 if (usage)
777 {
778 for (i = 0; i < sk_ASN1_OBJECT_num(usage); i++)
779 {
780 switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(usage, i)))
781 {
782 case NID_server_auth:
783 this->flags |= X509_SERVER_AUTH;
784 break;
785 case NID_client_auth:
786 this->flags |= X509_CLIENT_AUTH;
787 break;
788 case NID_OCSP_sign:
789 this->flags |= X509_OCSP_SIGNER;
790 break;
791 default:
792 break;
793 }
794 }
795 sk_ASN1_OBJECT_pop_free(usage, ASN1_OBJECT_free);
796 }
797}
798
5728c6aa
MW		 799/**
800 * Parse a DER encoded x509 certificate
801 */
802static bool parse_certificate(private_openssl_x509_t *this)
803{
804 const unsigned char *ptr = this->encoding.ptr;
805 hasher_t *hasher;
806 chunk_t chunk;
807
808 this->x509 = d2i_X509(NULL, &ptr, this->encoding.len);
809 if (!this->x509)
810 {
811 return FALSE;
812 }
813 this->subject = openssl_x509_name2id(X509_get_subject_name(this->x509));
814 this->issuer = openssl_x509_name2id(X509_get_issuer_name(this->x509));
815
816 switch (openssl_asn1_known_oid(this->x509->cert_info->key->algor->algorithm))
817 {
818 case OID_RSA_ENCRYPTION:
819 this->pubkey = lib->creds->create(lib->creds,
820 CRED_PUBLIC_KEY, KEY_RSA, BUILD_BLOB_ASN1_DER,
821 openssl_asn1_str2chunk(X509_get0_pubkey_bitstr(this->x509)),
822 BUILD_END);
823 break;
824 case OID_EC_PUBLICKEY:
825 /* for ECDSA, we need the full subjectPublicKeyInfo, as it contains
826 * the curve parameters. */
827 chunk = openssl_i2chunk(X509_PUBKEY, X509_get_X509_PUBKEY(this->x509));
828 this->pubkey = lib->creds->create(lib->creds,
829 CRED_PUBLIC_KEY, KEY_ECDSA, BUILD_BLOB_ASN1_DER,
830 chunk, BUILD_END);
831 free(chunk.ptr);
832 break;
833 default:
834 DBG1(DBG_LIB, "unsupported public key algorithm");
835 break;
836 }
837 if (!this->subject || !this->issuer || !this->pubkey)
838 {
839 return FALSE;
840 }
841
842 this->notBefore = openssl_asn1_to_time(X509_get_notBefore(this->x509));
843 this->notAfter = openssl_asn1_to_time(X509_get_notAfter(this->x509));
844
845 if (!chunk_equals(
846 openssl_asn1_obj2chunk(this->x509->cert_info->signature->algorithm),
847 openssl_asn1_obj2chunk(this->x509->sig_alg->algorithm)))
848 {
849 return FALSE;
850 }
851 this->scheme = signature_scheme_from_oid(openssl_asn1_known_oid(
852 this->x509->sig_alg->algorithm));
853
854 if (!parse_extensions(this))
855 {
856 return TRUE;
857 }
07d2b391 858 parse_extKeyUsage(this);
5728c6aa
MW		 859
860 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
861 if (!hasher)
862 {
863 return FALSE;
864 }
865 hasher->allocate_hash(hasher, this->encoding, &this->hash);
866 hasher->destroy(hasher);
867
868 if (issued_by(this, &this->public.x509.interface))
869 {
870 this->flags |= X509_SELF_SIGNED;
871 }
872 return TRUE;
873}
874
875openssl_x509_t *openssl_x509_load(certificate_type_t type, va_list args)
876{
877 chunk_t blob = chunk_empty;
878 x509_flag_t flags = 0;
879
880 while (TRUE)
881 {
882 switch (va_arg(args, builder_part_t))
883 {
884 case BUILD_BLOB_ASN1_DER:
885 blob = va_arg(args, chunk_t);
886 continue;
887 case BUILD_X509_FLAG:
888 flags |= va_arg(args, x509_flag_t);
889 continue;
890 case BUILD_END:
891 break;
892 default:
893 return NULL;
894 }
895 break;
896 }
897
898 if (blob.ptr)
899 {
900 private_openssl_x509_t *this;
901
902 this = create_empty();
903 this->encoding = chunk_clone(blob);
904 this->flags |= flags;
905 if (parse_certificate(this))
906 {
907 return &this->public;
908 }
909 DBG1(DBG_LIB, "OpenSSL X.509 parsing failed");
910 destroy(this);
911 }
912 return NULL;
913}
Unnamed repository; edit this file 'description' to name the repository.