src/libstrongswan/plugins/acert/acert_validator.c

   1 /*
   2  * Copyright (C) 2014 Martin Willi
   3  *
   4  * Copyright (C) secunet Security Networks AG
   5  *
   6  * This program is free software; you can redistribute it and/or modify it
   7  * under the terms of the GNU General Public License as published by the
   8  * Free Software Foundation; either version 2 of the License, or (at your
   9  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
  10  *
  11  * This program is distributed in the hope that it will be useful, but
  12  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  13  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * for more details.
  15  */
  16
  17 #define _GNU_SOURCE
  18 #include <library.h>
  19
  20 #include "acert_validator.h"
  21
  22 #include <credentials/certificates/x509.h>
  23 #include <credentials/certificates/ac.h>
  24
  25 typedef struct private_acert_validator_t private_acert_validator_t;
  26
  27 /**
  28  * Private data of an acert_validator_t object.
  29  */
  30 struct private_acert_validator_t {
  31
  32         /**
  33          * Public acert_validator_t interface.
  34          */
  35         acert_validator_t public;
  36 };
  37
  38 /**
  39  * Check if an AC can be trusted
  40  */
  41 static bool verify(private_acert_validator_t *this, certificate_t *ac)
  42 {
  43         certificate_t *issuer;
  44         enumerator_t *enumerator;
  45         bool verified = FALSE;
  46
  47         if (!ac->get_validity(ac, NULL, NULL, NULL))
  48         {
  49                 return FALSE;
  50         }
  51         DBG1(DBG_CFG, "verifying attribute certificate issued by \"%Y\"",
  52                  ac->get_issuer(ac));
  53         enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY,
  54                                                                                                         ac->get_issuer(ac), TRUE);
  55         while (enumerator->enumerate(enumerator, &issuer, NULL))
  56         {
  57                 if (issuer->get_validity(issuer, NULL, NULL, NULL))
  58                 {
  59                         if (lib->credmgr->issued_by(lib->credmgr, ac, issuer, NULL))
  60                         {
  61                                 verified = TRUE;
  62                                 break;
  63                         }
  64                 }
  65         }
  66         enumerator->destroy(enumerator);
  67
  68         return verified;
  69 }
  70
  71 /**
  72  * Apply AC group membership to auth config
  73  */
  74 static void apply(private_acert_validator_t *this, ac_t *ac, auth_cfg_t *auth)
  75 {
  76         enumerator_t *enumerator;
  77         ac_group_type_t type;
  78         chunk_t chunk;
  79
  80         enumerator = ac->create_group_enumerator(ac);
  81         while (enumerator->enumerate(enumerator, &type, &chunk))
  82         {
  83                 if (type == AC_GROUP_TYPE_STRING)
  84                 {
  85                         auth->add(auth, AUTH_RULE_GROUP,
  86                                           identification_create_from_data(chunk));
  87                 }
  88         }
  89         enumerator->destroy(enumerator);
  90 }
  91
  92 METHOD(cert_validator_t, validate, bool,
  93         private_acert_validator_t *this, certificate_t *subject,
  94         certificate_t *issuer, bool online, u_int pathlen, bool anchor,
  95         auth_cfg_t *auth)
  96 {
  97         /* for X.509 end entity certs only */
  98         if (pathlen == 0 && subject->get_type(subject) == CERT_X509)
  99         {
 100                 x509_t *x509 = (x509_t*)subject;
 101                 enumerator_t *enumerator;
 102                 identification_t *id, *serial;
 103                 ac_t *ac;
 104
 105                 /* find attribute certificates by serial and issuer. A lookup by
 106                  * the holder DN would work as well, but RFC 5755 recommends the use
 107                  * of baseCertificateID. */
 108                 serial = identification_create_from_encoding(ID_KEY_ID,
 109                                                                                                          x509->get_serial(x509));
 110                 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
 111                                                                                 CERT_X509_AC, KEY_ANY, serial, FALSE);
 112                 while (enumerator->enumerate(enumerator, &ac))
 113                 {
 114                         id = ac->get_holderIssuer(ac);
 115                         if (id && id->equals(id, subject->get_issuer(subject)))
 116                         {
 117                                 if (verify(this, &ac->certificate))
 118                                 {
 119                                         apply(this, ac, auth);
 120                                 }
 121                         }
 122                 }
 123                 enumerator->destroy(enumerator);
 124                 serial->destroy(serial);
 125         }
 126         return TRUE;
 127 }
 128
 129 METHOD(acert_validator_t, destroy, void,
 130         private_acert_validator_t *this)
 131 {
 132         free(this);
 133 }
 134
 135 /**
 136  * See header
 137  */
 138 acert_validator_t *acert_validator_create()
 139 {
 140         private_acert_validator_t *this;
 141
 142         INIT(this,
 143                 .public = {
 144                         .validator.validate = _validate,
 145                         .destroy = _destroy,
 146                 },
 147         );
 148
 149         return &this->public;
 150 }