/*
 * Copyright (C) 2014 Martin Willi
 * Copyright (C) secunet Security Networks AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 */
20 #include "acert_validator.h"
22 #include <credentials/certificates/x509.h>
23 #include <credentials/certificates/ac.h>
typedef struct private_acert_validator_t private_acert_validator_t;

/**
 * Private data of an acert_validator_t object.
 *
 * The validator keeps no state of its own beyond the public interface;
 * everything it needs (credentials, logging) comes from the global lib.
 */
struct private_acert_validator_t
{

	/**
	 * Public acert_validator_t interface.
	 */
	acert_validator_t public;
};
/**
 * Check if an AC can be trusted
 *
 * An AC is accepted only if it is currently valid and one of the issuer
 * certificates the credential manager enumerates as trusted for the AC's
 * issuer identity is itself currently valid and has signed the AC.
 *
 * @param this		validator instance (unused here)
 * @param ac		attribute certificate to check
 * @return			TRUE if a trusted, valid issuer signed the AC
 */
static bool verify(private_acert_validator_t *this, certificate_t *ac)
{
	certificate_t *candidate;
	enumerator_t *issuers;
	bool trusted = FALSE;

	/* an AC outside its validity period is rejected before any lookup */
	if (!ac->get_validity(ac, NULL, NULL, NULL))
	{
		return FALSE;
	}
	DBG1(DBG_CFG, "verifying attribute certificate issued by \"%Y\"",
		 ac->get_issuer(ac));
	/* NOTE(review): the trailing TRUE looks like the online revocation-check
	 * flag of create_trusted_enumerator() - confirm against credmgr's API */
	issuers = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY,
												ac->get_issuer(ac), TRUE);
	/* stop at the first issuer that is valid and actually signed this AC */
	while (!trusted && issuers->enumerate(issuers, &candidate, NULL))
	{
		trusted = candidate->get_validity(candidate, NULL, NULL, NULL) &&
				  lib->credmgr->issued_by(lib->credmgr, ac, candidate, NULL);
	}
	issuers->destroy(issuers);

	return trusted;
}
/**
 * Apply AC group membership to auth config
 *
 * Each string-typed group carried by the AC becomes an AUTH_RULE_GROUP
 * entry on auth; groups of any other type are ignored.
 *
 * @param this		validator instance (unused here)
 * @param ac		verified attribute certificate to take groups from
 * @param auth		auth config receiving the group rules
 */
static void apply(private_acert_validator_t *this, ac_t *ac, auth_cfg_t *auth)
{
	enumerator_t *groups;
	ac_group_type_t kind;
	chunk_t name;

	groups = ac->create_group_enumerator(ac);
	while (groups->enumerate(groups, &kind, &name))
	{
		if (kind != AC_GROUP_TYPE_STRING)
		{
			continue;
		}
		auth->add(auth, AUTH_RULE_GROUP,
				  identification_create_from_data(name));
	}
	groups->destroy(groups);
}
/**
 * cert_validator_t.validate hook: attach group membership from matching,
 * verified attribute certificates to the auth config of an X.509 end entity
 * certificate. The hook never rejects a certificate; it always returns TRUE.
 */
METHOD(cert_validator_t, validate, bool,
	private_acert_validator_t *this, certificate_t *subject,
	certificate_t *issuer, bool online, u_int pathlen, bool anchor,
	auth_cfg_t *auth)
{
	x509_t *x509;
	enumerator_t *acs;
	identification_t *holder_issuer, *serial;
	ac_t *ac;

	/* for X.509 end entity certs only */
	if (pathlen != 0 || subject->get_type(subject) != CERT_X509)
	{
		return TRUE;
	}
	x509 = (x509_t*)subject;

	/* find attribute certificates by serial and issuer. A lookup by
	 * the holder DN would work as well, but RFC 5755 recommends the use
	 * of baseCertificateID. */
	serial = identification_create_from_encoding(ID_KEY_ID,
												 x509->get_serial(x509));
	acs = lib->credmgr->create_cert_enumerator(lib->credmgr, CERT_X509_AC,
											   KEY_ANY, serial, FALSE);
	while (acs->enumerate(acs, &ac))
	{
		/* a serial is only unique per issuer: the AC's holder issuer must
		 * match the subject's issuer, otherwise the AC is not ours */
		holder_issuer = ac->get_holderIssuer(ac);
		if (!holder_issuer ||
			!holder_issuer->equals(holder_issuer, subject->get_issuer(subject)))
		{
			continue;
		}
		/* group rules are taken only from ACs whose issuer verify() trusts;
		 * an AC that fails verification is skipped silently */
		if (verify(this, &ac->certificate))
		{
			apply(this, ac, auth);
		}
	}
	acs->destroy(acs);
	serial->destroy(serial);

	return TRUE;
}
METHOD(acert_validator_t, destroy, void,
	private_acert_validator_t *this)
{
	/* the private struct holds nothing but the public interface */
	free(this);
}
/**
 * Create an acert_validator_t.
 *
 * The returned validator plugs into the certificate validation chain via
 * its cert_validator_t hook (validate) and is released with destroy().
 *
 * @return			validator instance, owned by the caller
 */
acert_validator_t *acert_validator_create()
{
	private_acert_validator_t *this;

	INIT(this,
		.public = {
			.validator = {
				.validate = _validate,
			},
			.destroy = _destroy,
		},
	);

	return &this->public;
}