Added policyMappings support to x509 plugin

author Martin Willi <martin@revosec.ch>

Wed, 15 Dec 2010 14:29:25 +0000 (14:29 +0000)

committer Martin Willi <martin@revosec.ch>

Wed, 5 Jan 2011 15:46:02 +0000 (16:46 +0100)
author Martin Willi <martin@revosec.ch>
Wed, 15 Dec 2010 14:29:25 +0000 (14:29 +0000)
committer Martin Willi <martin@revosec.ch>
Wed, 5 Jan 2011 15:46:02 +0000 (16:46 +0100)
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c

index c780588c2c995449c3e0537df1de88e050e81bbf..cdf5c702d923958f134becea31051a746dc0ebf4 100644 (file)
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -47,6 +47,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
         "BUILD_PERMITTED_NAME_CONSTRAINTS",
         "BUILD_EXCLUDED_NAME_CONSTRAINTS",
         "BUILD_CERTIFICATE_POLICIES",
+       "BUILD_POLICY_MAPPINGS",
         "BUILD_X509_FLAG",
         "BUILD_REVOKED_ENUMERATOR",
         "BUILD_CHALLENGE_PWD",
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h

index a2a3a4873380237c3ff76570fdd6412d077fb8ca..f2b3f44f6365eb41fd4583eb1d64c5bdbafdaace 100644 (file)
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -101,6 +101,8 @@ enum builder_part_t {
         BUILD_EXCLUDED_NAME_CONSTRAINTS,
         /** certificatePolicy OIDs, linked_list_t* of x509_cert_policy_t* */
         BUILD_CERTIFICATE_POLICIES,
+       /** policyMapping OIDs, linked_list_t* of x509_policy_mapping_t* */
+       BUILD_POLICY_MAPPINGS,
         /** enforce an additional X509 flag, x509_flag_t */
         BUILD_X509_FLAG,
         /** enumerator_t over (chunk_t serial, time_t date, crl_reason_t reason) */
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h

index 6f054f82a106375e69c4ba601886e8d041b7187a..b0f361edb300eac294b7eb53d4bd8089d3f3358d 100644 (file)
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -28,6 +28,7 @@
  
  typedef struct x509_t x509_t;
  typedef struct x509_cert_policy_t x509_cert_policy_t;
+typedef struct x509_policy_mapping_t x509_policy_mapping_t;
  typedef enum x509_flag_t x509_flag_t;
  
  /**
@@ -66,6 +67,16 @@ struct x509_cert_policy_t {
         char *unotice_text;
  };
  
+/**
+ * X.509 policyMapping extension
+ */
+struct x509_policy_mapping_t {
+       /** OID of issuerDomainPolicy */
+       chunk_t issuer;
+       /** OID of subjectDomainPolicy */
+       chunk_t subject;
+};
+
  /**
   * X.509 certificate interface.
   *
@@ -156,6 +167,13 @@ struct x509_t {
          * @return                      enumerator over x509_cert_policy_t
          */
         enumerator_t* (*create_cert_policy_enumerator)(x509_t *this);
+
+       /**
+        * Create an enumerator over policy mappings.
+        *
+        * @return                      enumerator over x509_policy_mapping
+        */
+       enumerator_t* (*create_policy_mapping_enumerator)(x509_t *this);
  };
  
  #endif /** X509_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c

index 3326ffd3536f5266426b39d06104cc283f6da049..6ffe08f6e0572fb2e72543f04899360bbd69407f 100644 (file)
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -574,6 +574,7 @@ static private_openssl_x509_t *create_empty()
                                 .create_ipAddrBlock_enumerator = (void*)enumerator_create_empty,
                                 .create_name_constraint_enumerator = (void*)enumerator_create_empty,
                                 .create_cert_policy_enumerator = (void*)enumerator_create_empty,
+                               .create_policy_mapping_enumerator = (void*)enumerator_create_empty,
                         },
                 },
                 .subjectAltNames = linked_list_create(),
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c

index 160e7b5c41d665e1cde72b2d318cdbaee09c3227..f794183828fc07bbca33b71724174c85c4ee79b6 100644 (file)
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -146,6 +146,11 @@ struct private_x509_cert_t {
          */
         linked_list_t *cert_policies;
  
+       /**
+        * List of policyMappings, as x509_policy_mapping_t
+        */
+       linked_list_t *policy_mappings;
+
         /**
          * certificate's embedded public key
          */
@@ -244,6 +249,16 @@ static void cert_policy_destroy(x509_cert_policy_t *this)
         free(this);
  }
  
+/**
+ * Free policy mapping
+ */
+static void policy_mapping_destroy(x509_policy_mapping_t *mapping)
+{
+       free(mapping->issuer.ptr);
+       free(mapping->subject.ptr);
+       free(mapping);
+}
+
  /**
   * ASN.1 definition of a basicConstraints extension
   */
@@ -959,6 +974,62 @@ static void parse_certificatePolicies(chunk_t blob, int level0,
         parser->destroy(parser);
  }
  
+/**
+ * ASN.1 definition of a policyMappings extension
+ */
+static const asn1Object_t policyMappingsObjects[] = {
+       { 0, "policyMappings",                  ASN1_SEQUENCE,  ASN1_LOOP                       }, /*  0 */
+       { 1,   "policyMapping",                 ASN1_SEQUENCE,  ASN1_NONE                       }, /*  1 */
+       { 2,     "issuerPolicy",                ASN1_OID,               ASN1_BODY                       }, /*  2 */
+       { 2,     "subjectPolicy",               ASN1_OID,               ASN1_BODY                       }, /*  3 */
+       { 0, "end loop",                                ASN1_EOC,               ASN1_END                        }, /*  4 */
+       { 0, "exit",                                    ASN1_EOC,               ASN1_EXIT                       }
+};
+#define POLICY_MAPPING                 1
+#define POLICY_MAPPING_ISSUER  2
+#define POLICY_MAPPING_SUBJECT 3
+
+/**
+ * Parse policyMappings
+ */
+static void parse_policyMappings(chunk_t blob, int level0,
+                                                                private_x509_cert_t *this)
+{
+       x509_policy_mapping_t *map = NULL;
+       asn1_parser_t *parser;
+       chunk_t object;
+       int objectID;
+
+       parser = asn1_parser_create(policyMappingsObjects, blob);
+       parser->set_top_level(parser, level0);
+
+       while (parser->iterate(parser, &objectID, &object))
+       {
+               switch (objectID)
+               {
+                       case POLICY_MAPPING:
+                               INIT(map);
+                               this->policy_mappings->insert_last(this->policy_mappings, map);
+                               break;
+                       case POLICY_MAPPING_ISSUER:
+                               if (map && !map->issuer.len)
+                               {
+                                       map->issuer = chunk_clone(object);
+                               }
+                               break;
+                       case POLICY_MAPPING_SUBJECT:
+                               if (map && !map->subject.len)
+                               {
+                                       map->subject = chunk_clone(object);
+                               }
+                               break;
+                       default:
+                               break;
+               }
+       }
+       parser->destroy(parser);
+}
+
  /**
   * ASN.1 definition of ipAddrBlocks according to RFC 3779
   */
@@ -1274,6 +1345,9 @@ static bool parse_certificate(private_x509_cert_t *this)
                                         case OID_CERTIFICATE_POLICIES:
                                                 parse_certificatePolicies(object, level, this);
                                                 break;
+                                       case OID_POLICY_MAPPINGS:
+                                               parse_policyMappings(object, level, this);
+                                               break;
                                         case OID_NS_REVOCATION_URL:
                                         case OID_NS_CA_REVOCATION_URL:
                                         case OID_NS_CA_POLICY_URL:
@@ -1638,6 +1712,12 @@ METHOD(x509_t, create_cert_policy_enumerator, enumerator_t*,
         return this->cert_policies->create_enumerator(this->cert_policies);
  }
  
+METHOD(x509_t, create_policy_mapping_enumerator, enumerator_t*,
+       private_x509_cert_t *this)
+{
+       return this->policy_mappings->create_enumerator(this->policy_mappings);
+}
+
  METHOD(certificate_t, destroy, void,
         private_x509_cert_t *this)
  {
@@ -1655,6 +1735,8 @@ METHOD(certificate_t, destroy, void,
                                                                                 offsetof(identification_t, destroy));
                 this->cert_policies->destroy_function(this->cert_policies,
                                                                                           (void*)cert_policy_destroy);
+               this->policy_mappings->destroy_function(this->policy_mappings,
+                                                                                         (void*)policy_mapping_destroy);
                 DESTROY_IF(this->issuer);
                 DESTROY_IF(this->subject);
                 DESTROY_IF(this->public_key);
@@ -1706,6 +1788,7 @@ static private_x509_cert_t* create_empty(void)
                                 .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
                                 .create_name_constraint_enumerator = _create_name_constraint_enumerator,
                                 .create_cert_policy_enumerator = _create_cert_policy_enumerator,
+                               .create_policy_mapping_enumerator = _create_policy_mapping_enumerator,
                         },
                 },
                 .version = 1,
@@ -1716,6 +1799,7 @@ static private_x509_cert_t* create_empty(void)
                 .permitted_names = linked_list_create(),
                 .excluded_names = linked_list_create(),
                 .cert_policies = linked_list_create(),
+               .policy_mappings = linked_list_create(),
                 .pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT,
                 .ref = 1,
         );
@@ -1793,7 +1877,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
         chunk_t ocspSigning = chunk_empty, certPolicies = chunk_empty;
         chunk_t basicConstraints = chunk_empty, nameConstraints = chunk_empty;
         chunk_t keyUsage = chunk_empty, keyUsageBits = chunk_empty;
-       chunk_t subjectAltNames = chunk_empty;
+       chunk_t subjectAltNames = chunk_empty, policyMappings = chunk_empty;
         chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
         chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
         identification_t *issuer, *subject;
@@ -2078,15 +2162,38 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                                                                 asn1_wrap(ASN1_SEQUENCE, "m", certPolicies)));
         }
  
+       if (cert->policy_mappings->get_count(cert->policy_mappings))
+       {
+               x509_policy_mapping_t *mapping;
+
+               enumerator = create_policy_mapping_enumerator(cert);
+               while (enumerator->enumerate(enumerator, &mapping))
+               {
+                       chunk_t chunk;
+
+                       chunk = asn1_wrap(ASN1_SEQUENCE, "mm",
+                                               asn1_wrap(ASN1_OID, "c", mapping->issuer),
+                                               asn1_wrap(ASN1_OID, "c", mapping->subject));
+                       policyMappings = chunk_cat("mm", policyMappings, chunk);
+               }
+               enumerator->destroy(enumerator);
+
+               policyMappings = asn1_wrap(ASN1_SEQUENCE, "mm",
+                                                       asn1_build_known_oid(OID_POLICY_MAPPINGS),
+                                                       asn1_wrap(ASN1_OCTET_STRING, "m",
+                                                               asn1_wrap(ASN1_SEQUENCE, "m", policyMappings)));
+       }
+
         if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
                 crlDistributionPoints.ptr || nameConstraints.ptr)
         {
                 extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
-                                               asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmm",
+                                               asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmm",
                                                         basicConstraints, keyUsage, subjectKeyIdentifier,
                                                         authKeyIdentifier, subjectAltNames,
                                                         extendedKeyUsage, crlDistributionPoints,
-                                                       authorityInfoAccess, nameConstraints, certPolicies));
+                                                       authorityInfoAccess, nameConstraints, certPolicies,
+                                                       policyMappings));
         }
  
         cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
@@ -2309,6 +2416,26 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
                                 enumerator->destroy(enumerator);
                                 continue;
                         }
+                       case BUILD_POLICY_MAPPINGS:
+                       {
+                               enumerator_t *enumerator;
+                               linked_list_t *list;
+                               x509_policy_mapping_t* mapping, *in;
+
+                               list = va_arg(args, linked_list_t*);
+                               enumerator = list->create_enumerator(list);
+                               while (enumerator->enumerate(enumerator, &in))
+                               {
+                                       INIT(mapping,
+                                               .issuer = chunk_clone(in->issuer),
+                                               .subject = chunk_clone(in->subject),
+                                       );
+                                       cert->policy_mappings->insert_last(cert->policy_mappings,
+                                                                                                          mapping);
+                               }
+                               enumerator->destroy(enumerator);
+                               continue;
+                       }
                         case BUILD_NOT_BEFORE_TIME:
                                 cert->notBefore = va_arg(args, time_t);
                                 continue;
author	Martin Willi <martin@revosec.ch>
	Wed, 15 Dec 2010 14:29:25 +0000 (14:29 +0000)
committer	Martin Willi <martin@revosec.ch>
	Wed, 5 Jan 2011 15:46:02 +0000 (16:46 +0100)
src/libstrongswan/credentials/builder.c		patch \| blob \| blame \| history
src/libstrongswan/credentials/builder.h		patch \| blob \| blame \| history
src/libstrongswan/credentials/certificates/x509.h		patch \| blob \| blame \| history
src/libstrongswan/plugins/openssl/openssl_x509.c		patch \| blob \| blame \| history
src/libstrongswan/plugins/x509/x509_cert.c		patch \| blob \| blame \| history