2 * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
3 * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
4 * Copyright (C) 2002 Mario Strasser
5 * Copyright (C) 2000-2006 Andreas Steffen
6 * Copyright (C) 2006-2009 Martin Willi
7 * Copyright (C) 2008 Tobias Brunner
8 * Hochschule fuer Technik Rapperswil
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
23 #include "x509_cert.h"
34 #include <asn1/asn1.h>
35 #include <asn1/asn1_parser.h>
36 #include <crypto/hashers/hasher.h>
37 #include <credentials/keys/private_key.h>
38 #include <utils/linked_list.h>
39 #include <utils/identification.h>
40 #include <selectors/traffic_selector.h>
43 * Different kinds of generalNames
50 GN_DIRECTORY_NAME
= 4,
51 GN_EDI_PARTY_NAME
= 5,
58 typedef struct private_x509_cert_t private_x509_cert_t
;
61 * Private data of a x509_cert_t object.
63 struct private_x509_cert_t
{
65 * Public interface for this certificate.
70 * X.509 certificate encoding in ASN.1 DER format
75 * SHA1 hash of the DER encoding of this X.509 certificate
77 chunk_t encoding_hash
;
80 * X.509 certificate body over which signature is computed
82 chunk_t tbsCertificate
;
85 * Version of the X.509 certificate
90 * Serial number of the X.509 certificate
95 * ID representing the certificate issuer
97 identification_t
*issuer
;
100 * Start time of certificate validity
105 * End time of certificate validity
110 * ID representing the certificate subject
112 identification_t
*subject
;
115 * List of subjectAltNames as identification_t
117 linked_list_t
*subjectAltNames
;
120 * List of crlDistributionPoints as allocated char*
122 linked_list_t
*crl_uris
;
125 * List of ocspAccessLocations as allocated char*
127 linked_list_t
*ocsp_uris
;
130 * List of ipAddrBlocks as traffic_selector_t
132 linked_list_t
*ipAddrBlocks
;
135 * certificate's embedded public key
137 public_key_t
*public_key
;
140 * Subject Key Identifier
142 chunk_t subjectKeyIdentifier
;
145 * Authority Key Identifier
147 chunk_t authKeyIdentifier
;
150 * Authority Key Serial Number
152 chunk_t authKeySerialNumber
;
155 * Path Length Constraint
157 int pathLenConstraint
;
160 * x509 constraints and other flags
165 * Signature algorithm
175 * Certificate parsed from blob/file?
185 static const chunk_t ASN1_subjectAltName_oid
= chunk_from_chars(
186 0x06, 0x03, 0x55, 0x1D, 0x11
190 * ASN.1 definition of a basicConstraints extension
192 static const asn1Object_t basicConstraintsObjects
[] = {
193 { 0, "basicConstraints", ASN1_SEQUENCE
, ASN1_NONE
}, /* 0 */
194 { 1, "CA", ASN1_BOOLEAN
, ASN1_DEF
|ASN1_BODY
}, /* 1 */
195 { 1, "pathLenConstraint", ASN1_INTEGER
, ASN1_OPT
|ASN1_BODY
}, /* 2 */
196 { 1, "end opt", ASN1_EOC
, ASN1_END
}, /* 3 */
197 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
199 #define BASIC_CONSTRAINTS_CA 1
200 #define BASIC_CONSTRAINTS_PATH_LEN 2
203 * Extracts the basicConstraints extension
205 static void parse_basicConstraints(chunk_t blob
, int level0
,
206 private_x509_cert_t
*this)
208 asn1_parser_t
*parser
;
213 parser
= asn1_parser_create(basicConstraintsObjects
, blob
);
214 parser
->set_top_level(parser
, level0
);
216 while (parser
->iterate(parser
, &objectID
, &object
))
220 case BASIC_CONSTRAINTS_CA
:
221 isCA
= object
.len
&& *object
.ptr
;
222 DBG2(DBG_LIB
, " %s", isCA
? "TRUE" : "FALSE");
225 this->flags
|= X509_CA
;
228 case BASIC_CONSTRAINTS_PATH_LEN
:
233 this->pathLenConstraint
= 0;
235 else if (object
.len
== 1)
237 this->pathLenConstraint
= *object
.ptr
;
239 /* we ignore path length constraints > 127 */
246 parser
->destroy(parser
);
250 * ASN.1 definition of otherName
252 static const asn1Object_t otherNameObjects
[] = {
253 {0, "type-id", ASN1_OID
, ASN1_BODY
}, /* 0 */
254 {0, "value", ASN1_CONTEXT_C_0
, ASN1_BODY
}, /* 1 */
255 {0, "exit", ASN1_EOC
, ASN1_EXIT
}
257 #define ON_OBJ_ID_TYPE 0
258 #define ON_OBJ_VALUE 1
261 * Extracts an otherName
263 static bool parse_otherName(chunk_t blob
, int level0
)
265 asn1_parser_t
*parser
;
268 int oid
= OID_UNKNOWN
;
269 bool success
= FALSE
;
271 parser
= asn1_parser_create(otherNameObjects
, blob
);
272 parser
->set_top_level(parser
, level0
);
274 while (parser
->iterate(parser
, &objectID
, &object
))
279 oid
= asn1_known_oid(object
);
282 if (oid
== OID_XMPP_ADDR
)
284 if (!asn1_parse_simple_object(&object
, ASN1_UTF8STRING
,
285 parser
->get_level(parser
)+1, "xmppAddr"))
295 success
= parser
->success(parser
);
298 parser
->destroy(parser
);
303 * ASN.1 definition of generalName
305 static const asn1Object_t generalNameObjects
[] = {
306 { 0, "otherName", ASN1_CONTEXT_C_0
, ASN1_OPT
|ASN1_BODY
}, /* 0 */
307 { 0, "end choice", ASN1_EOC
, ASN1_END
}, /* 1 */
308 { 0, "rfc822Name", ASN1_CONTEXT_S_1
, ASN1_OPT
|ASN1_BODY
}, /* 2 */
309 { 0, "end choice", ASN1_EOC
, ASN1_END
}, /* 3 */
310 { 0, "dnsName", ASN1_CONTEXT_S_2
, ASN1_OPT
|ASN1_BODY
}, /* 4 */
311 { 0, "end choice", ASN1_EOC
, ASN1_END
}, /* 5 */
312 { 0, "x400Address", ASN1_CONTEXT_S_3
, ASN1_OPT
|ASN1_BODY
}, /* 6 */
313 { 0, "end choice", ASN1_EOC
, ASN1_END
}, /* 7 */
314 { 0, "directoryName", ASN1_CONTEXT_C_4
, ASN1_OPT
|ASN1_BODY
}, /* 8 */
315 { 0, "end choice", ASN1_EOC
, ASN1_END
}, /* 9 */
316 { 0, "ediPartyName", ASN1_CONTEXT_C_5
, ASN1_OPT
|ASN1_BODY
}, /* 10 */
317 { 0, "end choice", ASN1_EOC
, ASN1_END
}, /* 11 */
318 { 0, "URI", ASN1_CONTEXT_S_6
, ASN1_OPT
|ASN1_BODY
}, /* 12 */
319 { 0, "end choice", ASN1_EOC
, ASN1_END
}, /* 13 */
320 { 0, "ipAddress", ASN1_CONTEXT_S_7
, ASN1_OPT
|ASN1_BODY
}, /* 14 */
321 { 0, "end choice", ASN1_EOC
, ASN1_END
}, /* 15 */
322 { 0, "registeredID", ASN1_CONTEXT_S_8
, ASN1_OPT
|ASN1_BODY
}, /* 16 */
323 { 0, "end choice", ASN1_EOC
, ASN1_END
}, /* 17 */
324 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
326 #define GN_OBJ_OTHER_NAME 0
327 #define GN_OBJ_RFC822_NAME 2
328 #define GN_OBJ_DNS_NAME 4
329 #define GN_OBJ_X400_ADDRESS 6
330 #define GN_OBJ_DIRECTORY_NAME 8
331 #define GN_OBJ_EDI_PARTY_NAME 10
332 #define GN_OBJ_URI 12
333 #define GN_OBJ_IP_ADDRESS 14
334 #define GN_OBJ_REGISTERED_ID 16
337 * Extracts a generalName
339 static identification_t
*parse_generalName(chunk_t blob
, int level0
)
341 asn1_parser_t
*parser
;
345 identification_t
*gn
= NULL
;
347 parser
= asn1_parser_create(generalNameObjects
, blob
);
348 parser
->set_top_level(parser
, level0
);
350 while (parser
->iterate(parser
, &objectID
, &object
))
352 id_type_t id_type
= ID_ANY
;
356 case GN_OBJ_RFC822_NAME
:
357 id_type
= ID_RFC822_ADDR
;
359 case GN_OBJ_DNS_NAME
:
363 id_type
= ID_DER_ASN1_GN_URI
;
365 case GN_OBJ_DIRECTORY_NAME
:
366 id_type
= ID_DER_ASN1_DN
;
368 case GN_OBJ_IP_ADDRESS
:
372 id_type
= ID_IPV4_ADDR
;
375 id_type
= ID_IPV6_ADDR
;
381 case GN_OBJ_OTHER_NAME
:
382 if (!parse_otherName(object
, parser
->get_level(parser
)+1))
387 case GN_OBJ_X400_ADDRESS
:
388 case GN_OBJ_EDI_PARTY_NAME
:
389 case GN_OBJ_REGISTERED_ID
:
393 if (id_type
!= ID_ANY
)
395 gn
= identification_create_from_encoding(id_type
, object
);
396 DBG2(DBG_LIB
, " '%Y'", gn
);
402 parser
->destroy(parser
);
407 * ASN.1 definition of generalNames
409 static const asn1Object_t generalNamesObjects
[] = {
410 { 0, "generalNames", ASN1_SEQUENCE
, ASN1_LOOP
}, /* 0 */
411 { 1, "generalName", ASN1_EOC
, ASN1_RAW
}, /* 1 */
412 { 0, "end loop", ASN1_EOC
, ASN1_END
}, /* 2 */
413 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
415 #define GENERAL_NAMES_GN 1
418 * Extracts one or several GNs and puts them into a chained list
420 void x509_parse_generalNames(chunk_t blob
, int level0
, bool implicit
, linked_list_t
*list
)
422 asn1_parser_t
*parser
;
426 parser
= asn1_parser_create(generalNamesObjects
, blob
);
427 parser
->set_top_level(parser
, level0
);
428 parser
->set_flags(parser
, implicit
, FALSE
);
430 while (parser
->iterate(parser
, &objectID
, &object
))
432 if (objectID
== GENERAL_NAMES_GN
)
434 identification_t
*gn
= parse_generalName(object
,
435 parser
->get_level(parser
)+1);
439 list
->insert_last(list
, (void *)gn
);
443 parser
->destroy(parser
);
447 * ASN.1 definition of a authorityKeyIdentifier extension
449 static const asn1Object_t authKeyIdentifierObjects
[] = {
450 { 0, "authorityKeyIdentifier", ASN1_SEQUENCE
, ASN1_NONE
}, /* 0 */
451 { 1, "keyIdentifier", ASN1_CONTEXT_S_0
, ASN1_OPT
|ASN1_BODY
}, /* 1 */
452 { 1, "end opt", ASN1_EOC
, ASN1_END
}, /* 2 */
453 { 1, "authorityCertIssuer", ASN1_CONTEXT_C_1
, ASN1_OPT
|ASN1_OBJ
}, /* 3 */
454 { 1, "end opt", ASN1_EOC
, ASN1_END
}, /* 4 */
455 { 1, "authorityCertSerialNumber", ASN1_CONTEXT_S_2
, ASN1_OPT
|ASN1_BODY
}, /* 5 */
456 { 1, "end opt", ASN1_EOC
, ASN1_END
}, /* 6 */
457 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
459 #define AUTH_KEY_ID_KEY_ID 1
460 #define AUTH_KEY_ID_CERT_ISSUER 3
461 #define AUTH_KEY_ID_CERT_SERIAL 5
464 * Extracts an authoritykeyIdentifier
466 chunk_t
x509_parse_authorityKeyIdentifier(chunk_t blob
, int level0
,
467 chunk_t
*authKeySerialNumber
)
469 asn1_parser_t
*parser
;
472 chunk_t authKeyIdentifier
= chunk_empty
;
474 *authKeySerialNumber
= chunk_empty
;
476 parser
= asn1_parser_create(authKeyIdentifierObjects
, blob
);
477 parser
->set_top_level(parser
, level0
);
479 while (parser
->iterate(parser
, &objectID
, &object
))
483 case AUTH_KEY_ID_KEY_ID
:
484 authKeyIdentifier
= chunk_clone(object
);
486 case AUTH_KEY_ID_CERT_ISSUER
:
487 /* TODO: x509_parse_generalNames(object, level+1, TRUE); */
489 case AUTH_KEY_ID_CERT_SERIAL
:
490 *authKeySerialNumber
= object
;
496 parser
->destroy(parser
);
497 return authKeyIdentifier
;
501 * ASN.1 definition of a authorityInfoAccess extension
503 static const asn1Object_t authInfoAccessObjects
[] = {
504 { 0, "authorityInfoAccess", ASN1_SEQUENCE
, ASN1_LOOP
}, /* 0 */
505 { 1, "accessDescription", ASN1_SEQUENCE
, ASN1_NONE
}, /* 1 */
506 { 2, "accessMethod", ASN1_OID
, ASN1_BODY
}, /* 2 */
507 { 2, "accessLocation", ASN1_EOC
, ASN1_RAW
}, /* 3 */
508 { 0, "end loop", ASN1_EOC
, ASN1_END
}, /* 4 */
509 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
511 #define AUTH_INFO_ACCESS_METHOD 2
512 #define AUTH_INFO_ACCESS_LOCATION 3
515 * Extracts an authorityInfoAcess location
517 static void parse_authorityInfoAccess(chunk_t blob
, int level0
,
518 private_x509_cert_t
*this)
520 asn1_parser_t
*parser
;
523 int accessMethod
= OID_UNKNOWN
;
525 parser
= asn1_parser_create(authInfoAccessObjects
, blob
);
526 parser
->set_top_level(parser
, level0
);
528 while (parser
->iterate(parser
, &objectID
, &object
))
532 case AUTH_INFO_ACCESS_METHOD
:
533 accessMethod
= asn1_known_oid(object
);
535 case AUTH_INFO_ACCESS_LOCATION
:
537 switch (accessMethod
)
542 identification_t
*id
;
545 id
= parse_generalName(object
,
546 parser
->get_level(parser
)+1);
549 /* parsing went wrong - abort */
552 DBG2(DBG_LIB
, " '%Y'", id
);
553 if (accessMethod
== OID_OCSP
&&
554 asprintf(&uri
, "%Y", id
) > 0)
556 this->ocsp_uris
->insert_last(this->ocsp_uris
, uri
);
562 /* unkown accessMethod, ignoring */
573 parser
->destroy(parser
);
577 * ASN.1 definition of a extendedKeyUsage extension
579 static const asn1Object_t extendedKeyUsageObjects
[] = {
580 { 0, "extendedKeyUsage", ASN1_SEQUENCE
, ASN1_LOOP
}, /* 0 */
581 { 1, "keyPurposeID", ASN1_OID
, ASN1_BODY
}, /* 1 */
582 { 0, "end loop", ASN1_EOC
, ASN1_END
}, /* 2 */
583 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
585 #define EXT_KEY_USAGE_PURPOSE_ID 1
588 * Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned
590 static void parse_extendedKeyUsage(chunk_t blob
, int level0
,
591 private_x509_cert_t
*this)
593 asn1_parser_t
*parser
;
597 parser
= asn1_parser_create(extendedKeyUsageObjects
, blob
);
598 parser
->set_top_level(parser
, level0
);
600 while (parser
->iterate(parser
, &objectID
, &object
))
602 if (objectID
== EXT_KEY_USAGE_PURPOSE_ID
)
604 switch (asn1_known_oid(object
))
606 case OID_SERVER_AUTH
:
607 this->flags
|= X509_SERVER_AUTH
;
609 case OID_CLIENT_AUTH
:
610 this->flags
|= X509_CLIENT_AUTH
;
612 case OID_OCSP_SIGNING
:
613 this->flags
|= X509_OCSP_SIGNER
;
620 parser
->destroy(parser
);
624 * ASN.1 definition of crlDistributionPoints
626 static const asn1Object_t crlDistributionPointsObjects
[] = {
627 { 0, "crlDistributionPoints", ASN1_SEQUENCE
, ASN1_LOOP
}, /* 0 */
628 { 1, "DistributionPoint", ASN1_SEQUENCE
, ASN1_NONE
}, /* 1 */
629 { 2, "distributionPoint", ASN1_CONTEXT_C_0
, ASN1_OPT
|ASN1_LOOP
}, /* 2 */
630 { 3, "fullName", ASN1_CONTEXT_C_0
, ASN1_OPT
|ASN1_OBJ
}, /* 3 */
631 { 3, "end choice", ASN1_EOC
, ASN1_END
}, /* 4 */
632 { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1
, ASN1_OPT
|ASN1_BODY
}, /* 5 */
633 { 3, "end choice", ASN1_EOC
, ASN1_END
}, /* 6 */
634 { 2, "end opt", ASN1_EOC
, ASN1_END
}, /* 7 */
635 { 2, "reasons", ASN1_CONTEXT_C_1
, ASN1_OPT
|ASN1_BODY
}, /* 8 */
636 { 2, "end opt", ASN1_EOC
, ASN1_END
}, /* 9 */
637 { 2, "crlIssuer", ASN1_CONTEXT_C_2
, ASN1_OPT
|ASN1_BODY
}, /* 10 */
638 { 2, "end opt", ASN1_EOC
, ASN1_END
}, /* 11 */
639 { 0, "end loop", ASN1_EOC
, ASN1_END
}, /* 12 */
640 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
642 #define CRL_DIST_POINTS_FULLNAME 3
645 * Extracts one or several crlDistributionPoints into a list
647 static void parse_crlDistributionPoints(chunk_t blob
, int level0
,
648 private_x509_cert_t
*this)
650 asn1_parser_t
*parser
;
653 linked_list_t
*list
= linked_list_create();
655 parser
= asn1_parser_create(crlDistributionPointsObjects
, blob
);
656 parser
->set_top_level(parser
, level0
);
658 while (parser
->iterate(parser
, &objectID
, &object
))
660 if (objectID
== CRL_DIST_POINTS_FULLNAME
)
662 identification_t
*id
;
664 /* append extracted generalNames to existing chained list */
665 x509_parse_generalNames(object
, parser
->get_level(parser
)+1,
668 while (list
->remove_last(list
, (void**)&id
) == SUCCESS
)
672 if (asprintf(&uri
, "%Y", id
) > 0)
674 this->crl_uris
->insert_last(this->crl_uris
, uri
);
680 parser
->destroy(parser
);
685 * ASN.1 definition of ipAddrBlocks according to RFC 3779
687 static const asn1Object_t ipAddrBlocksObjects
[] = {
688 { 0, "ipAddrBlocks", ASN1_SEQUENCE
, ASN1_LOOP
}, /* 0 */
689 { 1, "ipAddressFamily", ASN1_SEQUENCE
, ASN1_NONE
}, /* 1 */
690 { 2, "addressFamily", ASN1_OCTET_STRING
, ASN1_BODY
}, /* 2 */
691 { 2, "inherit", ASN1_NULL
, ASN1_OPT
|ASN1_NONE
}, /* 3 */
692 { 2, "end choice", ASN1_EOC
, ASN1_END
}, /* 4 */
693 { 2, "addressesOrRanges", ASN1_SEQUENCE
, ASN1_OPT
|ASN1_LOOP
}, /* 5 */
694 { 3, "addressPrefix", ASN1_BIT_STRING
, ASN1_OPT
|ASN1_BODY
}, /* 6 */
695 { 3, "end choice", ASN1_EOC
, ASN1_END
}, /* 7 */
696 { 3, "addressRange", ASN1_SEQUENCE
, ASN1_OPT
|ASN1_NONE
}, /* 8 */
697 { 4, "min", ASN1_BIT_STRING
, ASN1_BODY
}, /* 9 */
698 { 4, "max", ASN1_BIT_STRING
, ASN1_BODY
}, /* 10 */
699 { 3, "end choice", ASN1_EOC
, ASN1_END
}, /* 11 */
700 { 2, "end choice/loop", ASN1_EOC
, ASN1_END
}, /* 12 */
701 { 0, "end loop", ASN1_EOC
, ASN1_END
}, /* 13 */
702 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
704 #define IP_ADDR_BLOCKS_FAMILY 2
705 #define IP_ADDR_BLOCKS_INHERIT 3
706 #define IP_ADDR_BLOCKS_PREFIX 6
707 #define IP_ADDR_BLOCKS_MIN 9
708 #define IP_ADDR_BLOCKS_MAX 10
710 static bool check_address_object(ts_type_t ts_type
, chunk_t object
)
714 case TS_IPV4_ADDR_RANGE
:
717 DBG1(DBG_LIB
, "IPv4 address object is larger than 5 octets");
721 case TS_IPV6_ADDR_RANGE
:
724 DBG1(DBG_LIB
, "IPv6 address object is larger than 17 octets");
729 DBG1(DBG_LIB
, "unknown address family");
734 DBG1(DBG_LIB
, "An ASN.1 bit string must contain at least the "
738 if (object
.len
== 1 && object
.ptr
[0] != 0)
740 DBG1(DBG_LIB
, "An empty ASN.1 bit string must contain a zero "
744 if (object
.ptr
[0] > 7)
746 DBG1(DBG_LIB
, "number of unused bits is too large");
752 static void parse_ipAddrBlocks(chunk_t blob
, int level0
,
753 private_x509_cert_t
*this)
755 asn1_parser_t
*parser
;
756 chunk_t object
, min_object
;
757 ts_type_t ts_type
= 0;
758 traffic_selector_t
*ts
;
761 parser
= asn1_parser_create(ipAddrBlocksObjects
, blob
);
762 parser
->set_top_level(parser
, level0
);
764 while (parser
->iterate(parser
, &objectID
, &object
))
768 case IP_ADDR_BLOCKS_FAMILY
:
770 if (object
.len
== 2 && object
.ptr
[0] == 0)
772 if (object
.ptr
[1] == 1)
774 ts_type
= TS_IPV4_ADDR_RANGE
;
776 else if (object
.ptr
[1] == 2)
778 ts_type
= TS_IPV6_ADDR_RANGE
;
784 DBG2(DBG_LIB
, " %N", ts_type_name
, ts_type
);
787 case IP_ADDR_BLOCKS_INHERIT
:
788 DBG1(DBG_LIB
, "inherit choice is not supported");
790 case IP_ADDR_BLOCKS_PREFIX
:
791 if (!check_address_object(ts_type
, object
))
795 ts
= traffic_selector_create_from_rfc3779_format(ts_type
,
797 DBG2(DBG_LIB
, " %R", ts
);
798 this->ipAddrBlocks
->insert_last(this->ipAddrBlocks
, ts
);
800 case IP_ADDR_BLOCKS_MIN
:
801 if (!check_address_object(ts_type
, object
))
807 case IP_ADDR_BLOCKS_MAX
:
808 if (!check_address_object(ts_type
, object
))
812 ts
= traffic_selector_create_from_rfc3779_format(ts_type
,
814 DBG2(DBG_LIB
, " %R", ts
);
815 this->ipAddrBlocks
->insert_last(this->ipAddrBlocks
, ts
);
821 this->flags
|= X509_IP_ADDR_BLOCKS
;
824 parser
->destroy(parser
);
828 * ASN.1 definition of an X.509v3 x509_cert
830 static const asn1Object_t certObjects
[] = {
831 { 0, "x509", ASN1_SEQUENCE
, ASN1_OBJ
}, /* 0 */
832 { 1, "tbsCertificate", ASN1_SEQUENCE
, ASN1_OBJ
}, /* 1 */
833 { 2, "DEFAULT v1", ASN1_CONTEXT_C_0
, ASN1_DEF
}, /* 2 */
834 { 3, "version", ASN1_INTEGER
, ASN1_BODY
}, /* 3 */
835 { 2, "serialNumber", ASN1_INTEGER
, ASN1_BODY
}, /* 4 */
836 { 2, "signature", ASN1_EOC
, ASN1_RAW
}, /* 5 */
837 { 2, "issuer", ASN1_SEQUENCE
, ASN1_OBJ
}, /* 6 */
838 { 2, "validity", ASN1_SEQUENCE
, ASN1_NONE
}, /* 7 */
839 { 3, "notBefore", ASN1_EOC
, ASN1_RAW
}, /* 8 */
840 { 3, "notAfter", ASN1_EOC
, ASN1_RAW
}, /* 9 */
841 { 2, "subject", ASN1_SEQUENCE
, ASN1_OBJ
}, /* 10 */
842 { 2, "subjectPublicKeyInfo",ASN1_SEQUENCE
, ASN1_RAW
}, /* 11 */
843 { 2, "issuerUniqueID", ASN1_CONTEXT_C_1
, ASN1_OPT
}, /* 12 */
844 { 2, "end opt", ASN1_EOC
, ASN1_END
}, /* 13 */
845 { 2, "subjectUniqueID", ASN1_CONTEXT_C_2
, ASN1_OPT
}, /* 14 */
846 { 2, "end opt", ASN1_EOC
, ASN1_END
}, /* 15 */
847 { 2, "optional extensions", ASN1_CONTEXT_C_3
, ASN1_OPT
}, /* 16 */
848 { 3, "extensions", ASN1_SEQUENCE
, ASN1_LOOP
}, /* 17 */
849 { 4, "extension", ASN1_SEQUENCE
, ASN1_NONE
}, /* 18 */
850 { 5, "extnID", ASN1_OID
, ASN1_BODY
}, /* 19 */
851 { 5, "critical", ASN1_BOOLEAN
, ASN1_DEF
|ASN1_BODY
}, /* 20 */
852 { 5, "extnValue", ASN1_OCTET_STRING
, ASN1_BODY
}, /* 21 */
853 { 3, "end loop", ASN1_EOC
, ASN1_END
}, /* 22 */
854 { 2, "end opt", ASN1_EOC
, ASN1_END
}, /* 23 */
855 { 1, "signatureAlgorithm", ASN1_EOC
, ASN1_RAW
}, /* 24 */
856 { 1, "signatureValue", ASN1_BIT_STRING
, ASN1_BODY
}, /* 25 */
857 { 0, "exit", ASN1_EOC
, ASN1_EXIT
}
859 #define X509_OBJ_TBS_CERTIFICATE 1
860 #define X509_OBJ_VERSION 3
861 #define X509_OBJ_SERIAL_NUMBER 4
862 #define X509_OBJ_SIG_ALG 5
863 #define X509_OBJ_ISSUER 6
864 #define X509_OBJ_NOT_BEFORE 8
865 #define X509_OBJ_NOT_AFTER 9
866 #define X509_OBJ_SUBJECT 10
867 #define X509_OBJ_SUBJECT_PUBLIC_KEY_INFO 11
868 #define X509_OBJ_OPTIONAL_EXTENSIONS 16
869 #define X509_OBJ_EXTN_ID 19
870 #define X509_OBJ_CRITICAL 20
871 #define X509_OBJ_EXTN_VALUE 21
872 #define X509_OBJ_ALGORITHM 24
873 #define X509_OBJ_SIGNATURE 25
876 * forward declaration
878 static bool issued_by(private_x509_cert_t
*this, certificate_t
*issuer
);
881 * Parses an X.509v3 certificate
883 static bool parse_certificate(private_x509_cert_t
*this)
885 asn1_parser_t
*parser
;
888 int extn_oid
= OID_UNKNOWN
;
889 int sig_alg
= OID_UNKNOWN
;
890 bool success
= FALSE
;
891 bool critical
= FALSE
;
893 parser
= asn1_parser_create(certObjects
, this->encoding
);
895 while (parser
->iterate(parser
, &objectID
, &object
))
897 u_int level
= parser
->get_level(parser
)+1;
901 case X509_OBJ_TBS_CERTIFICATE
:
902 this->tbsCertificate
= object
;
904 case X509_OBJ_VERSION
:
905 this->version
= (object
.len
) ? (1+(u_int
)*object
.ptr
) : 1;
906 if (this->version
< 1 || this->version
> 3)
908 DBG1(DBG_LIB
, "X.509v%d not supported", this->version
);
913 DBG2(DBG_LIB
, " X.509v%d", this->version
);
916 case X509_OBJ_SERIAL_NUMBER
:
917 this->serialNumber
= object
;
919 case X509_OBJ_SIG_ALG
:
920 sig_alg
= asn1_parse_algorithmIdentifier(object
, level
, NULL
);
922 case X509_OBJ_ISSUER
:
923 this->issuer
= identification_create_from_encoding(ID_DER_ASN1_DN
, object
);
924 DBG2(DBG_LIB
, " '%Y'", this->issuer
);
926 case X509_OBJ_NOT_BEFORE
:
927 this->notBefore
= asn1_parse_time(object
, level
);
929 case X509_OBJ_NOT_AFTER
:
930 this->notAfter
= asn1_parse_time(object
, level
);
932 case X509_OBJ_SUBJECT
:
933 this->subject
= identification_create_from_encoding(ID_DER_ASN1_DN
, object
);
934 DBG2(DBG_LIB
, " '%Y'", this->subject
);
936 case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO
:
937 DBG2(DBG_LIB
, "-- > --");
938 this->public_key
= lib
->creds
->create(lib
->creds
, CRED_PUBLIC_KEY
,
939 KEY_ANY
, BUILD_BLOB_ASN1_DER
, object
, BUILD_END
);
940 DBG2(DBG_LIB
, "-- < --");
941 if (this->public_key
== NULL
)
946 case X509_OBJ_OPTIONAL_EXTENSIONS
:
947 if (this->version
!= 3)
949 DBG1(DBG_LIB
, "Only X.509v3 certificates have extensions");
953 case X509_OBJ_EXTN_ID
:
954 extn_oid
= asn1_known_oid(object
);
956 case X509_OBJ_CRITICAL
:
957 critical
= object
.len
&& *object
.ptr
;
958 DBG2(DBG_LIB
, " %s", critical
? "TRUE" : "FALSE");
960 case X509_OBJ_EXTN_VALUE
:
964 case OID_SUBJECT_KEY_ID
:
965 if (!asn1_parse_simple_object(&object
, ASN1_OCTET_STRING
,
966 level
, "keyIdentifier"))
970 this->subjectKeyIdentifier
= object
;
972 case OID_SUBJECT_ALT_NAME
:
973 x509_parse_generalNames(object
, level
, FALSE
,
974 this->subjectAltNames
);
976 case OID_BASIC_CONSTRAINTS
:
977 parse_basicConstraints(object
, level
, this);
979 case OID_CRL_DISTRIBUTION_POINTS
:
980 parse_crlDistributionPoints(object
, level
, this);
982 case OID_AUTHORITY_KEY_ID
:
983 this->authKeyIdentifier
= x509_parse_authorityKeyIdentifier(object
,
984 level
, &this->authKeySerialNumber
);
986 case OID_AUTHORITY_INFO_ACCESS
:
987 parse_authorityInfoAccess(object
, level
, this);
990 /* TODO parse the flags */
992 case OID_EXTENDED_KEY_USAGE
:
993 parse_extendedKeyUsage(object
, level
, this);
995 case OID_IP_ADDR_BLOCKS
:
996 parse_ipAddrBlocks(object
, level
, this);
998 case OID_NS_REVOCATION_URL
:
999 case OID_NS_CA_REVOCATION_URL
:
1000 case OID_NS_CA_POLICY_URL
:
1001 case OID_NS_COMMENT
:
1002 if (!asn1_parse_simple_object(&object
, ASN1_IA5STRING
,
1003 level
, oid_names
[extn_oid
].name
))
1009 if (critical
&& lib
->settings
->get_bool(lib
->settings
,
1010 "libstrongswan.plugins.x509.enforce_critical", FALSE
))
1012 DBG1(DBG_LIB
, "critical %s extension not supported",
1013 (extn_oid
== OID_UNKNOWN
) ? "unknown" :
1014 (char*)oid_names
[extn_oid
].name
);
1021 case X509_OBJ_ALGORITHM
:
1022 this->algorithm
= asn1_parse_algorithmIdentifier(object
, level
, NULL
);
1023 if (this->algorithm
!= sig_alg
)
1025 DBG1(DBG_LIB
, " signature algorithms do not agree");
1029 case X509_OBJ_SIGNATURE
:
1030 this->signature
= object
;
1036 success
= parser
->success(parser
);
1039 parser
->destroy(parser
);
1044 /* check if the certificate is self-signed */
1045 if (issued_by(this, &this->public.interface
.interface
))
1047 this->flags
|= X509_SELF_SIGNED
;
1049 /* create certificate hash */
1050 hasher
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_SHA1
);
1053 DBG1(DBG_LIB
, " unable to create hash of certificate, SHA1 not supported");
1056 hasher
->allocate_hash(hasher
, this->encoding
, &this->encoding_hash
);
1057 hasher
->destroy(hasher
);
1063 * Implementation of certificate_t.get_type
1065 static certificate_type_t
get_type(private_x509_cert_t
*this)
1071 * Implementation of certificate_t.get_subject
1073 static identification_t
* get_subject(private_x509_cert_t
*this)
1075 return this->subject
;
1079 * Implementation of certificate_t.get_issuer
1081 static identification_t
* get_issuer(private_x509_cert_t
*this)
1083 return this->issuer
;
1087 * Implementation of certificate_t.has_subject.
1089 static id_match_t
has_subject(private_x509_cert_t
*this, identification_t
*subject
)
1091 identification_t
*current
;
1092 enumerator_t
*enumerator
;
1093 id_match_t match
, best
;
1095 if (this->encoding_hash
.ptr
&& subject
->get_type(subject
) == ID_KEY_ID
)
1097 if (chunk_equals(this->encoding_hash
, subject
->get_encoding(subject
)))
1099 return ID_MATCH_PERFECT
;
1103 best
= this->subject
->matches(this->subject
, subject
);
1104 enumerator
= this->subjectAltNames
->create_enumerator(this->subjectAltNames
);
1105 while (enumerator
->enumerate(enumerator
, ¤t
))
1107 match
= current
->matches(current
, subject
);
1113 enumerator
->destroy(enumerator
);
1118 * Implementation of certificate_t.has_issuer.
1120 static id_match_t
has_issuer(private_x509_cert_t
*this, identification_t
*issuer
)
1122 /* issuerAltNames currently not supported */
1123 return this->issuer
->matches(this->issuer
, issuer
);
1127 * Implementation of certificate_t.issued_by.
1129 static bool issued_by(private_x509_cert_t
*this, certificate_t
*issuer
)
1132 signature_scheme_t scheme
;
1134 x509_t
*x509
= (x509_t
*)issuer
;
1136 if (&this->public.interface
.interface
== issuer
)
1138 if (this->flags
& X509_SELF_SIGNED
)
1145 if (issuer
->get_type(issuer
) != CERT_X509
)
1149 if (!(x509
->get_flags(x509
) & X509_CA
))
1154 if (!this->issuer
->equals(this->issuer
, issuer
->get_subject(issuer
)))
1159 /* determine signature scheme */
1160 scheme
= signature_scheme_from_oid(this->algorithm
);
1161 if (scheme
== SIGN_UNKNOWN
)
1165 /* get the public key of the issuer */
1166 key
= issuer
->get_public_key(issuer
);
1171 valid
= key
->verify(key
, scheme
, this->tbsCertificate
, this->signature
);
1177 * Implementation of certificate_t.get_public_key
1179 static public_key_t
* get_public_key(private_x509_cert_t
*this)
1181 this->public_key
->get_ref(this->public_key
);
1182 return this->public_key
;
1186 * Implementation of certificate_t.get_ref
1188 static private_x509_cert_t
* get_ref(private_x509_cert_t
*this)
1190 ref_get(&this->ref
);
1195 * Implementation of x509_cert_t.get_flags.
1197 static x509_flag_t
get_flags(private_x509_cert_t
*this)
1203 * Implementation of x509_cert_t.get_validity.
1205 static bool get_validity(private_x509_cert_t
*this, time_t *when
,
1206 time_t *not_before
, time_t *not_after
)
1208 time_t t
= when
? *when
: time(NULL
);
1212 *not_before
= this->notBefore
;
1216 *not_after
= this->notAfter
;
1218 return (t
>= this->notBefore
&& t
<= this->notAfter
);
1222 * Implementation of certificate_t.get_encoding.
1224 static bool get_encoding(private_x509_cert_t
*this, cred_encoding_type_t type
,
1227 if (type
== CERT_ASN1_DER
)
1229 *encoding
= chunk_clone(this->encoding
);
1232 return lib
->encoding
->encode(lib
->encoding
, type
, NULL
, encoding
,
1233 CRED_PART_X509_ASN1_DER
, this->encoding
, CRED_PART_END
);
1237 * Implementation of certificate_t.equals.
1239 static bool equals(private_x509_cert_t
*this, certificate_t
*other
)
1244 if (this == (private_x509_cert_t
*)other
)
1248 if (other
->get_type(other
) != CERT_X509
)
1252 if (other
->equals
== (void*)equals
)
1253 { /* skip allocation if we have the same implementation */
1254 return chunk_equals(this->encoding
, ((private_x509_cert_t
*)other
)->encoding
);
1256 if (!other
->get_encoding(other
, CERT_ASN1_DER
, &encoding
))
1260 equal
= chunk_equals(this->encoding
, encoding
);
1266 * Implementation of x509_t.get_serial.
1268 static chunk_t
get_serial(private_x509_cert_t
*this)
1270 return this->serialNumber
;
1274 * Implementation of x509_t.get_subjectKeyIdentifier.
1276 static chunk_t
get_subjectKeyIdentifier(private_x509_cert_t
*this)
1278 if (this->subjectKeyIdentifier
.ptr
)
1280 return this->subjectKeyIdentifier
;
1284 chunk_t fingerprint
;
1286 if (this->public_key
->get_fingerprint(this->public_key
,
1287 KEYID_PUBKEY_SHA1
, &fingerprint
))
1299 * Implementation of x509_t.get_authKeyIdentifier.
1301 static chunk_t
get_authKeyIdentifier(private_x509_cert_t
*this)
1303 return this->authKeyIdentifier
;
1307 * Implementation of x509_t.get_pathLenConstraint.
1309 static int get_pathLenConstraint(private_x509_cert_t
*this)
1311 return this->pathLenConstraint
;
1315 * Implementation of x509_cert_t.create_subjectAltName_enumerator.
1317 static enumerator_t
* create_subjectAltName_enumerator(private_x509_cert_t
*this)
1319 return this->subjectAltNames
->create_enumerator(this->subjectAltNames
);
1323 * Implementation of x509_cert_t.create_ocsp_uri_enumerator.
1325 static enumerator_t
* create_ocsp_uri_enumerator(private_x509_cert_t
*this)
1327 return this->ocsp_uris
->create_enumerator(this->ocsp_uris
);
1331 * Implementation of x509_cert_t.create_crl_uri_enumerator.
1333 static enumerator_t
* create_crl_uri_enumerator(private_x509_cert_t
*this)
1335 return this->crl_uris
->create_enumerator(this->crl_uris
);
1339 * Implementation of x509_cert_t.create_ipAddrBlock_enumerator.
1341 static enumerator_t
* create_ipAddrBlock_enumerator(private_x509_cert_t
*this)
1343 return this->ipAddrBlocks
->create_enumerator(this->ipAddrBlocks
);
1347 * Implementation of certificate_t.destroy.
1349 static void destroy(private_x509_cert_t
*this)
1351 if (ref_put(&this->ref
))
1353 this->subjectAltNames
->destroy_offset(this->subjectAltNames
,
1354 offsetof(identification_t
, destroy
));
1355 this->crl_uris
->destroy_function(this->crl_uris
, free
);
1356 this->ocsp_uris
->destroy_function(this->ocsp_uris
, free
);
1357 this->ipAddrBlocks
->destroy_offset(this->ipAddrBlocks
, offsetof(traffic_selector_t
, destroy
));
1358 DESTROY_IF(this->issuer
);
1359 DESTROY_IF(this->subject
);
1360 DESTROY_IF(this->public_key
);
1361 chunk_free(&this->authKeyIdentifier
);
1362 chunk_free(&this->encoding
);
1363 chunk_free(&this->encoding_hash
);
1365 { /* only parsed certificates point these fields to "encoded" */
1366 chunk_free(&this->signature
);
1367 chunk_free(&this->serialNumber
);
1368 chunk_free(&this->tbsCertificate
);
1375 * create an empty but initialized X.509 certificate
1377 static private_x509_cert_t
* create_empty(void)
1379 private_x509_cert_t
*this = malloc_thing(private_x509_cert_t
);
1381 this->public.interface
.interface
.get_type
= (certificate_type_t (*) (certificate_t
*))get_type
;
1382 this->public.interface
.interface
.get_subject
= (identification_t
* (*) (certificate_t
*))get_subject
;
1383 this->public.interface
.interface
.get_issuer
= (identification_t
* (*) (certificate_t
*))get_issuer
;
1384 this->public.interface
.interface
.has_subject
= (id_match_t (*) (certificate_t
*, identification_t
*))has_subject
;
1385 this->public.interface
.interface
.has_issuer
= (id_match_t (*) (certificate_t
*, identification_t
*))has_issuer
;
1386 this->public.interface
.interface
.issued_by
= (bool (*) (certificate_t
*, certificate_t
*))issued_by
;
1387 this->public.interface
.interface
.get_public_key
= (public_key_t
* (*) (certificate_t
*))get_public_key
;
1388 this->public.interface
.interface
.get_validity
= (bool (*) (certificate_t
*, time_t*, time_t*, time_t*))get_validity
;
1389 this->public.interface
.interface
.get_encoding
= (bool (*) (certificate_t
*,cred_encoding_type_t
,chunk_t
*))get_encoding
;
1390 this->public.interface
.interface
.equals
= (bool (*)(certificate_t
*, certificate_t
*))equals
;
1391 this->public.interface
.interface
.get_ref
= (certificate_t
* (*)(certificate_t
*))get_ref
;
1392 this->public.interface
.interface
.destroy
= (void (*)(certificate_t
*))destroy
;
1393 this->public.interface
.get_flags
= (x509_flag_t (*)(x509_t
*))get_flags
;
1394 this->public.interface
.get_serial
= (chunk_t (*)(x509_t
*))get_serial
;
1395 this->public.interface
.get_subjectKeyIdentifier
= (chunk_t (*)(x509_t
*))get_subjectKeyIdentifier
;
1396 this->public.interface
.get_authKeyIdentifier
= (chunk_t (*)(x509_t
*))get_authKeyIdentifier
;
1397 this->public.interface
.get_pathLenConstraint
= (int (*)(x509_t
*))get_pathLenConstraint
;
1398 this->public.interface
.create_subjectAltName_enumerator
= (enumerator_t
* (*)(x509_t
*))create_subjectAltName_enumerator
;
1399 this->public.interface
.create_crl_uri_enumerator
= (enumerator_t
* (*)(x509_t
*))create_crl_uri_enumerator
;
1400 this->public.interface
.create_ocsp_uri_enumerator
= (enumerator_t
* (*)(x509_t
*))create_ocsp_uri_enumerator
;
1401 this->public.interface
.create_ipAddrBlock_enumerator
= (enumerator_t
* (*)(x509_t
*))create_ipAddrBlock_enumerator
;
1403 this->encoding
= chunk_empty
;
1404 this->encoding_hash
= chunk_empty
;
1405 this->tbsCertificate
= chunk_empty
;
1407 this->serialNumber
= chunk_empty
;
1408 this->notBefore
= 0;
1410 this->public_key
= NULL
;
1411 this->subject
= NULL
;
1412 this->issuer
= NULL
;
1413 this->subjectAltNames
= linked_list_create();
1414 this->crl_uris
= linked_list_create();
1415 this->ocsp_uris
= linked_list_create();
1416 this->ipAddrBlocks
= linked_list_create();
1417 this->subjectKeyIdentifier
= chunk_empty
;
1418 this->authKeyIdentifier
= chunk_empty
;
1419 this->authKeySerialNumber
= chunk_empty
;
1420 this->pathLenConstraint
= X509_NO_PATH_LEN_CONSTRAINT
;
1421 this->algorithm
= 0;
1422 this->signature
= chunk_empty
;
1425 this->parsed
= FALSE
;
1431 * Encode a linked list of subjectAltNames
1433 chunk_t
x509_build_subjectAltNames(linked_list_t
*list
)
1435 chunk_t subjectAltNames
= chunk_empty
;
1436 enumerator_t
*enumerator
;
1437 identification_t
*id
;
1439 if (list
->get_count(list
) == 0)
1444 enumerator
= list
->create_enumerator(list
);
1445 while (enumerator
->enumerate(enumerator
, &id
))
1450 switch (id
->get_type(id
))
1452 case ID_RFC822_ADDR
:
1453 context
= ASN1_CONTEXT_S_1
;
1456 context
= ASN1_CONTEXT_S_2
;
1460 context
= ASN1_CONTEXT_S_7
;
1463 DBG1(DBG_LIB
, "encoding %N as subjectAltName not supported",
1464 id_type_names
, id
->get_type(id
));
1465 enumerator
->destroy(enumerator
);
1466 free(subjectAltNames
.ptr
);
1469 name
= asn1_wrap(context
, "c", id
->get_encoding(id
));
1470 subjectAltNames
= chunk_cat("mm", subjectAltNames
, name
);
1472 enumerator
->destroy(enumerator
);
1474 return asn1_wrap(ASN1_SEQUENCE
, "mm",
1475 asn1_build_known_oid(OID_SUBJECT_ALT_NAME
),
1476 asn1_wrap(ASN1_OCTET_STRING
, "m",
1477 asn1_wrap(ASN1_SEQUENCE
, "m", subjectAltNames
)
1483 * Generate and sign a new certificate
1485 static bool generate(private_x509_cert_t
*cert
, certificate_t
*sign_cert
,
1486 private_key_t
*sign_key
, int digest_alg
)
1488 chunk_t extensions
= chunk_empty
, extendedKeyUsage
= chunk_empty
;
1489 chunk_t serverAuth
= chunk_empty
, clientAuth
= chunk_empty
;
1490 chunk_t ocspSigning
= chunk_empty
;
1491 chunk_t basicConstraints
= chunk_empty
;
1492 chunk_t keyUsage
= chunk_empty
;
1493 chunk_t subjectAltNames
= chunk_empty
;
1494 chunk_t subjectKeyIdentifier
= chunk_empty
, authKeyIdentifier
= chunk_empty
;
1495 chunk_t crlDistributionPoints
= chunk_empty
, authorityInfoAccess
= chunk_empty
;
1496 identification_t
*issuer
, *subject
;
1498 signature_scheme_t scheme
;
1500 enumerator_t
*enumerator
;
1503 subject
= cert
->subject
;
1506 issuer
= sign_cert
->get_subject(sign_cert
);
1507 if (!cert
->public_key
)
1515 if (!cert
->public_key
)
1517 cert
->public_key
= sign_key
->get_public_key(sign_key
);
1519 cert
->flags
|= X509_SELF_SIGNED
;
1521 cert
->issuer
= issuer
->clone(issuer
);
1522 if (!cert
->notBefore
)
1524 cert
->notBefore
= time(NULL
);
1526 if (!cert
->notAfter
)
1527 { /* defaults to 1 year from now */
1528 cert
->notAfter
= cert
->notBefore
+ 60 * 60 * 24 * 365;
1531 /* select signature scheme */
1532 cert
->algorithm
= hasher_signature_algorithm_to_oid(digest_alg
,
1533 sign_key
->get_type(sign_key
));
1534 if (cert
->algorithm
== OID_UNKNOWN
)
1538 scheme
= signature_scheme_from_oid(cert
->algorithm
);
1540 if (!cert
->public_key
->get_encoding(cert
->public_key
,
1541 PUBKEY_SPKI_ASN1_DER
, &key_info
))
1546 /* encode subjectAltNames */
1547 subjectAltNames
= x509_build_subjectAltNames(cert
->subjectAltNames
);
1549 /* encode CRL distribution points extension */
1550 enumerator
= cert
->crl_uris
->create_enumerator(cert
->crl_uris
);
1551 while (enumerator
->enumerate(enumerator
, &uri
))
1553 chunk_t distributionPoint
;
1555 distributionPoint
= asn1_wrap(ASN1_SEQUENCE
, "m",
1556 asn1_wrap(ASN1_CONTEXT_C_0
, "m",
1557 asn1_wrap(ASN1_CONTEXT_C_0
, "m",
1558 asn1_wrap(ASN1_CONTEXT_S_6
, "c",
1559 chunk_create(uri
, strlen(uri
))))));
1561 crlDistributionPoints
= chunk_cat("mm", crlDistributionPoints
,
1564 enumerator
->destroy(enumerator
);
1565 if (crlDistributionPoints
.ptr
)
1567 crlDistributionPoints
= asn1_wrap(ASN1_SEQUENCE
, "mm",
1568 asn1_build_known_oid(OID_CRL_DISTRIBUTION_POINTS
),
1569 asn1_wrap(ASN1_OCTET_STRING
, "m",
1570 asn1_wrap(ASN1_SEQUENCE
, "m", crlDistributionPoints
)));
1573 /* encode OCSP URIs in authorityInfoAccess extension */
1574 enumerator
= cert
->ocsp_uris
->create_enumerator(cert
->ocsp_uris
);
1575 while (enumerator
->enumerate(enumerator
, &uri
))
1577 chunk_t accessDescription
;
1579 accessDescription
= asn1_wrap(ASN1_SEQUENCE
, "mm",
1580 asn1_build_known_oid(OID_OCSP
),
1581 asn1_wrap(ASN1_CONTEXT_S_6
, "c",
1582 chunk_create(uri
, strlen(uri
))));
1583 authorityInfoAccess
= chunk_cat("mm", authorityInfoAccess
,
1586 enumerator
->destroy(enumerator
);
1587 if (authorityInfoAccess
.ptr
)
1589 authorityInfoAccess
= asn1_wrap(ASN1_SEQUENCE
, "mm",
1590 asn1_build_known_oid(OID_AUTHORITY_INFO_ACCESS
),
1591 asn1_wrap(ASN1_OCTET_STRING
, "m",
1592 asn1_wrap(ASN1_SEQUENCE
, "m", authorityInfoAccess
)));
1595 /* build CA basicConstraint and keyUsage flags for CA certificates */
1596 if (cert
->flags
& X509_CA
)
1598 chunk_t pathLenConstraint
= chunk_empty
;
1600 if (cert
->pathLenConstraint
!= X509_NO_PATH_LEN_CONSTRAINT
)
1602 char pathlen
= (char)cert
->pathLenConstraint
;
1604 pathLenConstraint
= asn1_integer("c", chunk_from_thing(pathlen
));
1606 basicConstraints
= asn1_wrap(ASN1_SEQUENCE
, "mmm",
1607 asn1_build_known_oid(OID_BASIC_CONSTRAINTS
),
1608 asn1_wrap(ASN1_BOOLEAN
, "c",
1609 chunk_from_chars(0xFF)),
1610 asn1_wrap(ASN1_OCTET_STRING
, "m",
1611 asn1_wrap(ASN1_SEQUENCE
, "mm",
1612 asn1_wrap(ASN1_BOOLEAN
, "c",
1613 chunk_from_chars(0xFF)),
1614 pathLenConstraint
)));
1615 keyUsage
= asn1_wrap(ASN1_SEQUENCE
, "mmm",
1616 asn1_build_known_oid(OID_KEY_USAGE
),
1617 asn1_wrap(ASN1_BOOLEAN
, "c",
1618 chunk_from_chars(0xFF)),
1619 asn1_wrap(ASN1_OCTET_STRING
, "m",
1620 asn1_wrap(ASN1_BIT_STRING
, "c",
1621 chunk_from_chars(0x01, 0x06))));
1624 /* add serverAuth extendedKeyUsage flag */
1625 if (cert
->flags
& X509_SERVER_AUTH
)
1627 serverAuth
= asn1_build_known_oid(OID_SERVER_AUTH
);
1629 if (cert
->flags
& X509_CLIENT_AUTH
)
1631 clientAuth
= asn1_build_known_oid(OID_CLIENT_AUTH
);
1634 /* add ocspSigning extendedKeyUsage flag */
1635 if (cert
->flags
& X509_OCSP_SIGNER
)
1637 ocspSigning
= asn1_build_known_oid(OID_OCSP_SIGNING
);
1640 if (serverAuth
.ptr
|| clientAuth
.ptr
|| ocspSigning
.ptr
)
1642 extendedKeyUsage
= asn1_wrap(ASN1_SEQUENCE
, "mm",
1643 asn1_build_known_oid(OID_EXTENDED_KEY_USAGE
),
1644 asn1_wrap(ASN1_OCTET_STRING
, "m",
1645 asn1_wrap(ASN1_SEQUENCE
, "mmm",
1646 serverAuth
, clientAuth
, ocspSigning
)));
1649 /* add subjectKeyIdentifier to CA and OCSP signer certificates */
1650 if (cert
->flags
& (X509_CA
| X509_OCSP_SIGNER
))
1654 if (cert
->public_key
->get_fingerprint(cert
->public_key
,
1655 KEYID_PUBKEY_SHA1
, &keyid
))
1657 subjectKeyIdentifier
= asn1_wrap(ASN1_SEQUENCE
, "mm",
1658 asn1_build_known_oid(OID_SUBJECT_KEY_ID
),
1659 asn1_wrap(ASN1_OCTET_STRING
, "m",
1660 asn1_wrap(ASN1_OCTET_STRING
, "c", keyid
)));
1664 /* add the keyid authKeyIdentifier for non self-signed certificates */
1669 if (sign_key
->get_fingerprint(sign_key
, KEYID_PUBKEY_SHA1
, &keyid
))
1671 authKeyIdentifier
= asn1_wrap(ASN1_SEQUENCE
, "mm",
1672 asn1_build_known_oid(OID_AUTHORITY_KEY_ID
),
1673 asn1_wrap(ASN1_OCTET_STRING
, "m",
1674 asn1_wrap(ASN1_SEQUENCE
, "m",
1675 asn1_wrap(ASN1_CONTEXT_S_0
, "c", keyid
))));
1678 if (basicConstraints
.ptr
|| subjectAltNames
.ptr
|| authKeyIdentifier
.ptr
||
1679 crlDistributionPoints
.ptr
)
1681 extensions
= asn1_wrap(ASN1_CONTEXT_C_3
, "m",
1682 asn1_wrap(ASN1_SEQUENCE
, "mmmmmmmm",
1683 basicConstraints
, keyUsage
, subjectKeyIdentifier
,
1684 authKeyIdentifier
, subjectAltNames
,
1685 extendedKeyUsage
, crlDistributionPoints
,
1686 authorityInfoAccess
));
1689 cert
->tbsCertificate
= asn1_wrap(ASN1_SEQUENCE
, "mmmcmcmm",
1690 asn1_simple_object(ASN1_CONTEXT_C_0
, ASN1_INTEGER_2
),
1691 asn1_integer("c", cert
->serialNumber
),
1692 asn1_algorithmIdentifier(cert
->algorithm
),
1693 issuer
->get_encoding(issuer
),
1694 asn1_wrap(ASN1_SEQUENCE
, "mm",
1695 asn1_from_time(&cert
->notBefore
, ASN1_UTCTIME
),
1696 asn1_from_time(&cert
->notAfter
, ASN1_UTCTIME
)),
1697 subject
->get_encoding(subject
),
1698 key_info
, extensions
);
1700 if (!sign_key
->sign(sign_key
, scheme
, cert
->tbsCertificate
, &cert
->signature
))
1704 cert
->encoding
= asn1_wrap(ASN1_SEQUENCE
, "cmm", cert
->tbsCertificate
,
1705 asn1_algorithmIdentifier(cert
->algorithm
),
1706 asn1_bitstring("c", cert
->signature
));
1708 hasher
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_SHA1
);
1713 hasher
->allocate_hash(hasher
, cert
->encoding
, &cert
->encoding_hash
);
1714 hasher
->destroy(hasher
);
1721 x509_cert_t
*x509_cert_load(certificate_type_t type
, va_list args
)
1723 x509_flag_t flags
= 0;
1724 chunk_t blob
= chunk_empty
;
1728 switch (va_arg(args
, builder_part_t
))
1730 case BUILD_BLOB_ASN1_DER
:
1731 blob
= va_arg(args
, chunk_t
);
1733 case BUILD_X509_FLAG
:
1734 flags
|= va_arg(args
, x509_flag_t
);
1746 private_x509_cert_t
*cert
= create_empty();
1748 cert
->encoding
= chunk_clone(blob
);
1749 cert
->parsed
= TRUE
;
1750 if (parse_certificate(cert
))
1752 cert
->flags
|= flags
;
1753 return &cert
->public;
1763 x509_cert_t
*x509_cert_gen(certificate_type_t type
, va_list args
)
1765 private_x509_cert_t
*cert
;
1766 certificate_t
*sign_cert
= NULL
;
1767 private_key_t
*sign_key
= NULL
;
1768 hash_algorithm_t digest_alg
= HASH_SHA1
;
1770 cert
= create_empty();
1773 switch (va_arg(args
, builder_part_t
))
1775 case BUILD_X509_FLAG
:
1776 cert
->flags
|= va_arg(args
, x509_flag_t
);
1778 case BUILD_SIGNING_KEY
:
1779 sign_key
= va_arg(args
, private_key_t
*);
1781 case BUILD_SIGNING_CERT
:
1782 sign_cert
= va_arg(args
, certificate_t
*);
1784 case BUILD_PUBLIC_KEY
:
1785 cert
->public_key
= va_arg(args
, public_key_t
*);
1786 cert
->public_key
->get_ref(cert
->public_key
);
1789 cert
->subject
= va_arg(args
, identification_t
*);
1790 cert
->subject
= cert
->subject
->clone(cert
->subject
);
1792 case BUILD_SUBJECT_ALTNAMES
:
1794 enumerator_t
*enumerator
;
1795 identification_t
*id
;
1796 linked_list_t
*list
;
1798 list
= va_arg(args
, linked_list_t
*);
1799 enumerator
= list
->create_enumerator(list
);
1800 while (enumerator
->enumerate(enumerator
, &id
))
1802 cert
->subjectAltNames
->insert_last(cert
->subjectAltNames
,
1805 enumerator
->destroy(enumerator
);
1808 case BUILD_CRL_DISTRIBUTION_POINTS
:
1810 enumerator_t
*enumerator
;
1811 linked_list_t
*list
;
1814 list
= va_arg(args
, linked_list_t
*);
1815 enumerator
= list
->create_enumerator(list
);
1816 while (enumerator
->enumerate(enumerator
, &uri
))
1818 cert
->crl_uris
->insert_last(cert
->crl_uris
, strdup(uri
));
1820 enumerator
->destroy(enumerator
);
1823 case BUILD_OCSP_ACCESS_LOCATIONS
:
1825 enumerator_t
*enumerator
;
1826 linked_list_t
*list
;
1829 list
= va_arg(args
, linked_list_t
*);
1830 enumerator
= list
->create_enumerator(list
);
1831 while (enumerator
->enumerate(enumerator
, &uri
))
1833 cert
->ocsp_uris
->insert_last(cert
->ocsp_uris
, strdup(uri
));
1835 enumerator
->destroy(enumerator
);
1839 cert
->pathLenConstraint
= va_arg(args
, int);
1840 if (cert
->pathLenConstraint
< 0 || cert
->pathLenConstraint
> 127)
1842 cert
->pathLenConstraint
= X509_NO_PATH_LEN_CONSTRAINT
;
1845 case BUILD_NOT_BEFORE_TIME
:
1846 cert
->notBefore
= va_arg(args
, time_t);
1848 case BUILD_NOT_AFTER_TIME
:
1849 cert
->notAfter
= va_arg(args
, time_t);
1852 cert
->serialNumber
= chunk_clone(va_arg(args
, chunk_t
));
1854 case BUILD_DIGEST_ALG
:
1855 digest_alg
= va_arg(args
, int);
1866 if (sign_key
&& generate(cert
, sign_cert
, sign_key
, digest_alg
))
1868 return &cert
->public;