]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/libstrongswan/plugins/x509/x509_ocsp_request.c
projects / thirdparty / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add a return value to hasher_t.allocate_hash()
[thirdparty/strongswan.git] / src / libstrongswan / plugins / x509 / x509_ocsp_request.c
1 /*
2 * Copyright (C) 2008-2009 Martin Willi
3 * Copyright (C) 2007 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "x509_ocsp_request.h"
19
20 #include <library.h>
21 #include <asn1/oid.h>
22 #include <asn1/asn1.h>
23 #include <utils/identification.h>
24 #include <utils/linked_list.h>
25 #include <debug.h>
26 #include <credentials/certificates/x509.h>
27 #include <credentials/keys/private_key.h>
28
29 #define NONCE_LEN 16
30
31 typedef struct private_x509_ocsp_request_t private_x509_ocsp_request_t;
32
33 /**
34 * private data of x509_ocsp_request
35 */
36 struct private_x509_ocsp_request_t {
37
38 /**
39 * public functions
40 */
41 x509_ocsp_request_t public;
42
43 /**
44 * CA the candidates belong to
45 */
46 x509_t *ca;
47
48 /**
49 * Requestor name, subject of cert used if not set
50 */
51 identification_t *requestor;
52
53 /**
54 * Requestor certificate, included in request
55 */
56 certificate_t *cert;
57
58 /**
59 * Requestor private key to sign request
60 */
61 private_key_t *key;
62
63 /**
64 * list of certificates to check, x509_t
65 */
66 linked_list_t *candidates;
67
68 /**
69 * nonce used in request
70 */
71 chunk_t nonce;
72
73 /**
74 * encoded OCSP request
75 */
76 chunk_t encoding;
77
78 /**
79 * reference count
80 */
81 refcount_t ref;
82 };
83
84 static const chunk_t ASN1_nonce_oid = chunk_from_chars(
85 0x06, 0x09,
86 0x2B, 0x06,
87 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
88 );
89 static const chunk_t ASN1_response_oid = chunk_from_chars(
90 0x06, 0x09,
91 0x2B, 0x06,
92 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
93 );
94 static const chunk_t ASN1_response_content = chunk_from_chars(
95 0x04, 0x0D,
96 0x30, 0x0B,
97 0x06, 0x09,
98 0x2B, 0x06,
99 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
100 );
101
102 /**
103 * build requestorName
104 */
105 static chunk_t build_requestorName(private_x509_ocsp_request_t *this)
106 {
107 if (this->requestor || this->cert)
108 { /* use requestor name, fallback to his cert subject */
109 if (!this->requestor)
110 {
111 this->requestor = this->cert->get_subject(this->cert);
112 this->requestor = this->requestor->clone(this->requestor);
113 }
114 return asn1_wrap(ASN1_CONTEXT_C_1, "m",
115 asn1_simple_object(ASN1_CONTEXT_C_4,
116 this->requestor->get_encoding(this->requestor)));
117
118 }
119 return chunk_empty;
120 }
121
122 /**
123 * build Request, not using singleRequestExtensions
124 */
125 static chunk_t build_Request(private_x509_ocsp_request_t *this,
126 chunk_t issuerNameHash, chunk_t issuerKeyHash,
127 chunk_t serialNumber)
128 {
129 return asn1_wrap(ASN1_SEQUENCE, "m",
130 asn1_wrap(ASN1_SEQUENCE, "mmmm",
131 asn1_algorithmIdentifier(OID_SHA1),
132 asn1_simple_object(ASN1_OCTET_STRING, issuerNameHash),
133 asn1_simple_object(ASN1_OCTET_STRING, issuerKeyHash),
134 asn1_simple_object(ASN1_INTEGER, serialNumber)));
135 }
136
137 /**
138 * build requestList
139 */
140 static chunk_t build_requestList(private_x509_ocsp_request_t *this)
141 {
142 chunk_t issuerNameHash, issuerKeyHash;
143 identification_t *issuer;
144 x509_t *x509;
145 certificate_t *cert;
146 chunk_t list = chunk_empty;
147 public_key_t *public;
148
149 cert = (certificate_t*)this->ca;
150 public = cert->get_public_key(cert);
151 if (public)
152 {
153 hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
154 if (hasher)
155 {
156 if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1,
157 &issuerKeyHash))
158 {
159 enumerator_t *enumerator;
160
161 issuer = cert->get_subject(cert);
162 if (hasher->allocate_hash(hasher, issuer->get_encoding(issuer),
163 &issuerNameHash))
164 {
165 enumerator = this->candidates->create_enumerator(
166 this->candidates);
167 while (enumerator->enumerate(enumerator, &x509))
168 {
169 chunk_t request, serialNumber;
170
171 serialNumber = x509->get_serial(x509);
172 request = build_Request(this, issuerNameHash,
173 issuerKeyHash, serialNumber);
174 list = chunk_cat("mm", list, request);
175 }
176 enumerator->destroy(enumerator);
177 chunk_free(&issuerNameHash);
178 }
179 hasher->destroy(hasher);
180 }
181 }
182 else
183 {
184 DBG1(DBG_LIB, "creating OCSP request failed, SHA1 not supported");
185 }
186 public->destroy(public);
187 }
188 else
189 {
190 DBG1(DBG_LIB, "creating OCSP request failed, CA certificate has "
191 "no public key");
192 }
193 return asn1_wrap(ASN1_SEQUENCE, "m", list);
194 }
195
196 /**
197 * build nonce extension
198 */
199 static chunk_t build_nonce(private_x509_ocsp_request_t *this)
200 {
201 rng_t *rng;
202
203 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
204 if (!rng || !rng->allocate_bytes(rng, NONCE_LEN, &this->nonce))
205 {
206 DBG1(DBG_LIB, "creating OCSP request nonce failed, no RNG found");
207 DESTROY_IF(rng);
208 return chunk_empty;
209 }
210 rng->destroy(rng);
211 return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
212 asn1_simple_object(ASN1_OCTET_STRING, this->nonce));
213 }
214
215 /**
216 * build acceptableResponses extension
217 */
218 static chunk_t build_acceptableResponses(private_x509_ocsp_request_t *this)
219 {
220 return asn1_wrap(ASN1_SEQUENCE, "cc",
221 ASN1_response_oid,
222 ASN1_response_content);
223 }
224
225 /**
226 * build requestExtensions
227 */
228 static chunk_t build_requestExtensions(private_x509_ocsp_request_t *this)
229 {
230 return asn1_wrap(ASN1_CONTEXT_C_2, "m",
231 asn1_wrap(ASN1_SEQUENCE, "mm",
232 build_nonce(this),
233 build_acceptableResponses(this)));
234 }
235
236 /**
237 * build tbsRequest
238 */
239 static chunk_t build_tbsRequest(private_x509_ocsp_request_t *this)
240 {
241 return asn1_wrap(ASN1_SEQUENCE, "mmm",
242 build_requestorName(this),
243 build_requestList(this),
244 build_requestExtensions(this));
245 }
246
247 /**
248 * Build the optionalSignature
249 */
250 static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
251 chunk_t tbsRequest)
252 {
253 int oid;
254 signature_scheme_t scheme;
255 chunk_t certs, signature, encoding;
256
257 switch (this->key->get_type(this->key))
258 {
259 /* TODO: use a generic mapping function */
260 case KEY_RSA:
261 oid = OID_SHA1_WITH_RSA;
262 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
263 break;
264 case KEY_ECDSA:
265 oid = OID_ECDSA_WITH_SHA1;
266 scheme = SIGN_ECDSA_WITH_SHA1_DER;
267 break;
268 default:
269 DBG1(DBG_LIB, "unable to sign OCSP request, %N signature not "
270 "supported", key_type_names, this->key->get_type(this->key));
271 return chunk_empty;
272 }
273
274 if (!this->key->sign(this->key, scheme, tbsRequest, &signature))
275 {
276 DBG1(DBG_LIB, "creating OCSP signature failed, skipped");
277 return chunk_empty;
278 }
279 if (this->cert &&
280 this->cert->get_encoding(this->cert, CERT_ASN1_DER, &encoding))
281 {
282 certs = asn1_wrap(ASN1_CONTEXT_C_0, "m",
283 asn1_wrap(ASN1_SEQUENCE, "m", encoding));
284 }
285 return asn1_wrap(ASN1_CONTEXT_C_0, "m",
286 asn1_wrap(ASN1_SEQUENCE, "cmm",
287 asn1_algorithmIdentifier(oid),
288 asn1_bitstring("m", signature),
289 certs));
290 }
291
292 /**
293 * Build the OCSPRequest data
294 *
295 */
296 static chunk_t build_OCSPRequest(private_x509_ocsp_request_t *this)
297 {
298 chunk_t tbsRequest, optionalSignature = chunk_empty;
299
300 tbsRequest = build_tbsRequest(this);
301 if (this->key)
302 {
303 optionalSignature = build_optionalSignature(this, tbsRequest);
304 }
305 return asn1_wrap(ASN1_SEQUENCE, "mm", tbsRequest, optionalSignature);
306 }
307
308
309 METHOD(certificate_t, get_type, certificate_type_t,
310 private_x509_ocsp_request_t *this)
311 {
312 return CERT_X509_OCSP_REQUEST;
313 }
314
315 METHOD(certificate_t, get_subject, identification_t*,
316 private_x509_ocsp_request_t *this)
317 {
318 certificate_t *ca = (certificate_t*)this->ca;
319
320 if (this->requestor)
321 {
322 return this->requestor;
323 }
324 if (this->cert)
325 {
326 return this->cert->get_subject(this->cert);
327 }
328 return ca->get_subject(ca);
329 }
330
331 METHOD(certificate_t, get_issuer, identification_t*,
332 private_x509_ocsp_request_t *this)
333 {
334 certificate_t *ca = (certificate_t*)this->ca;
335
336 return ca->get_subject(ca);
337 }
338
339 METHOD(certificate_t, has_subject, id_match_t,
340 private_x509_ocsp_request_t *this, identification_t *subject)
341 {
342 certificate_t *current;
343 enumerator_t *enumerator;
344 id_match_t match, best = ID_MATCH_NONE;
345
346 enumerator = this->candidates->create_enumerator(this->candidates);
347 while (enumerator->enumerate(enumerator, &current))
348 {
349 match = current->has_subject(current, subject);
350 if (match > best)
351 {
352 best = match;
353 }
354 }
355 enumerator->destroy(enumerator);
356 return best;
357 }
358
359 METHOD(certificate_t, has_issuer, id_match_t,
360 private_x509_ocsp_request_t *this,
361 identification_t *issuer)
362 {
363 certificate_t *ca = (certificate_t*)this->ca;
364
365 return ca->has_subject(ca, issuer);
366 }
367
368 METHOD(certificate_t, issued_by, bool,
369 private_x509_ocsp_request_t *this, certificate_t *issuer,
370 signature_scheme_t *scheme)
371 {
372 DBG1(DBG_LIB, "OCSP request validation not implemented!");
373 return FALSE;
374 }
375
376 METHOD(certificate_t, get_public_key, public_key_t*,
377 private_x509_ocsp_request_t *this)
378 {
379 return NULL;
380 }
381
382 METHOD(certificate_t, get_validity, bool,
383 private_x509_ocsp_request_t *this, time_t *when, time_t *not_before,
384 time_t *not_after)
385 {
386 certificate_t *cert;
387
388 if (this->cert)
389 {
390 cert = this->cert;
391 }
392 else
393 {
394 cert = (certificate_t*)this->ca;
395 }
396 return cert->get_validity(cert, when, not_before, not_after);
397 }
398
399 METHOD(certificate_t, get_encoding, bool,
400 private_x509_ocsp_request_t *this, cred_encoding_type_t type,
401 chunk_t *encoding)
402 {
403 if (type == CERT_ASN1_DER)
404 {
405 *encoding = chunk_clone(this->encoding);
406 return TRUE;
407 }
408 return lib->encoding->encode(lib->encoding, type, NULL, encoding,
409 CRED_PART_X509_OCSP_REQ_ASN1_DER, this->encoding, CRED_PART_END);
410 }
411
412 METHOD(certificate_t, equals, bool,
413 private_x509_ocsp_request_t *this, certificate_t *other)
414 {
415 chunk_t encoding;
416 bool equal;
417
418 if (this == (private_x509_ocsp_request_t*)other)
419 {
420 return TRUE;
421 }
422 if (other->get_type(other) != CERT_X509_OCSP_REQUEST)
423 {
424 return FALSE;
425 }
426 if (other->equals == (void*)equals)
427 { /* skip allocation if we have the same implementation */
428 return chunk_equals(this->encoding, ((private_x509_ocsp_request_t*)other)->encoding);
429 }
430 if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
431 {
432 return FALSE;
433 }
434 equal = chunk_equals(this->encoding, encoding);
435 free(encoding.ptr);
436 return equal;
437 }
438
439 METHOD(certificate_t, get_ref, certificate_t*,
440 private_x509_ocsp_request_t *this)
441 {
442 ref_get(&this->ref);
443 return &this->public.interface.interface;
444 }
445
446 METHOD(certificate_t, destroy, void,
447 private_x509_ocsp_request_t *this)
448 {
449 if (ref_put(&this->ref))
450 {
451 DESTROY_IF((certificate_t*)this->ca);
452 DESTROY_IF(this->requestor);
453 DESTROY_IF(this->cert);
454 DESTROY_IF(this->key);
455 this->candidates->destroy_offset(this->candidates, offsetof(certificate_t, destroy));
456 chunk_free(&this->nonce);
457 chunk_free(&this->encoding);
458 free(this);
459 }
460 }
461
462 /**
463 * create an empty but initialized OCSP request
464 */
465 static private_x509_ocsp_request_t *create_empty()
466 {
467 private_x509_ocsp_request_t *this;
468
469 INIT(this,
470 .public = {
471 .interface = {
472 .interface = {
473 .get_type = _get_type,
474 .get_subject = _get_subject,
475 .get_issuer = _get_issuer,
476 .has_subject = _has_subject,
477 .has_issuer = _has_issuer,
478 .issued_by = _issued_by,
479 .get_public_key = _get_public_key,
480 .get_validity = _get_validity,
481 .get_encoding = _get_encoding,
482 .equals = _equals,
483 .get_ref = _get_ref,
484 .destroy = _destroy,
485 },
486 },
487 },
488 .candidates = linked_list_create(),
489 .ref = 1,
490 );
491
492 return this;
493 }
494
495 /**
496 * See header.
497 */
498 x509_ocsp_request_t *x509_ocsp_request_gen(certificate_type_t type, va_list args)
499 {
500 private_x509_ocsp_request_t *req;
501 certificate_t *cert;
502 private_key_t *private;
503 identification_t *subject;
504
505 req = create_empty();
506 while (TRUE)
507 {
508 switch (va_arg(args, builder_part_t))
509 {
510 case BUILD_CA_CERT:
511 cert = va_arg(args, certificate_t*);
512 if (cert->get_type(cert) == CERT_X509)
513 {
514 req->ca = (x509_t*)cert->get_ref(cert);
515 }
516 continue;
517 case BUILD_CERT:
518 cert = va_arg(args, certificate_t*);
519 if (cert->get_type(cert) == CERT_X509)
520 {
521 req->candidates->insert_last(req->candidates,
522 cert->get_ref(cert));
523 }
524 continue;
525 case BUILD_SIGNING_CERT:
526 cert = va_arg(args, certificate_t*);
527 req->cert = cert->get_ref(cert);
528 continue;
529 case BUILD_SIGNING_KEY:
530 private = va_arg(args, private_key_t*);
531 req->key = private->get_ref(private);
532 continue;
533 case BUILD_SUBJECT:
534 subject = va_arg(args, identification_t*);
535 req->requestor = subject->clone(subject);
536 continue;
537 case BUILD_END:
538 break;
539 default:
540 destroy(req);
541 return NULL;
542 }
543 break;
544 }
545 if (req->ca)
546 {
547 req->encoding = build_OCSPRequest(req);
548 return &req->public;
549 }
550 destroy(req);
551 return NULL;
552 }
553
Unnamed repository; edit this file 'description' to name the repository.