x509 plugin supports encoding of OCSP AuthorityInfo AccessLocations
authorMartin Willi <martin@strongswan.org>
Fri, 11 Sep 2009 15:16:22 +0000 (17:16 +0200)
committerMartin Willi <martin@strongswan.org>
Fri, 11 Sep 2009 15:16:22 +0000 (17:16 +0200)
src/libstrongswan/credentials/builder.c
src/libstrongswan/credentials/builder.h
src/libstrongswan/plugins/x509/x509_cert.c

index 66d5a6d8ba28495a91e66d00b008f7a9622b8846..873e7d139e6e2f952ffd509e6eb50a3a57861524 100644 (file)
@@ -41,6 +41,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
        "BUILD_CA_CERT",
        "BUILD_CERT",
        "BUILD_CRL_DISTRIBUTION_POINTS",
+       "BUILD_OCSP_ACCESS_LOCATIONS",
        "BUILD_X509_FLAG",
        "BUILD_SMARTCARD_KEYID",
        "BUILD_SMARTCARD_PIN",
index b68a6ffe6c2b4a69067b5581e519d8d7cce3e132..b6f0386cd853579978c63f195ff04609a9280a9f 100644 (file)
@@ -95,6 +95,8 @@ enum builder_part_t {
        BUILD_CERT,
        /** CRL distribution point URIs, linked_list_t* containing char* */
        BUILD_CRL_DISTRIBUTION_POINTS,
+       /** OCSP AuthorityInfoAccess locations, linked_list_t* containing char* */
+       BUILD_OCSP_ACCESS_LOCATIONS,
        /** enforce an additional X509 flag, x509_flag_t */
        BUILD_X509_FLAG,
        /** key ID of a key on a smartcard, null terminated char* ([slot:]keyid) */
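Review bot: The new BUILD_OCSP_ACCESS_LOCATIONS comment does not say who owns the list afterwards; the x509_cert.c hunk of this commit strdup()s each element into cert->ocsp_uris, so the builder keeps no reference to the caller's list or strings. I would state that here, since the caller has to know whether the list may be destroyed right after the build call: `/** OCSP AuthorityInfoAccess locations, linked_list_t* containing char*; strings are copied, the caller keeps ownership of the list */`. The BUILD_CRL_DISTRIBUTION_POINTS entry just above presumably has the same contract and would benefit from the same wording.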
index a4bd628c805def27815eb5593bf53e12750d1874..16d4b586aa8670c7319c1fb0ad47792d6057c17f 100644 (file)
@@ -1182,7 +1182,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
        chunk_t extensions = chunk_empty;
        chunk_t basicConstraints = chunk_empty, subjectAltNames = chunk_empty;
        chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
-       chunk_t crlDistributionPoints = chunk_empty;
+       chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
        identification_t *issuer, *subject;
        chunk_t key_info;
        signature_scheme_t scheme;
@@ -1315,6 +1315,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                                                                asn1_wrap(ASN1_SEQUENCE, "m", subjectAltNames)));
        }
 
+       /* encode CRL distribution points extension */
        enumerator = cert->crl_uris->create_enumerator(cert->crl_uris);
        while (enumerator->enumerate(enumerator, &uri))
        {
@@ -1338,6 +1339,29 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                                                asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints)));
        }
 
+       /* encode OCSP URIs in authorityInfoAccess extension */
+       enumerator = cert->ocsp_uris->create_enumerator(cert->ocsp_uris);
+       while (enumerator->enumerate(enumerator, &uri))
+       {
+               chunk_t accessDescription;
+
+               accessDescription = asn1_wrap(ASN1_SEQUENCE, "mm",
+                                                               asn1_build_known_oid(OID_OCSP),
+                                                               asn1_wrap(ASN1_CONTEXT_S_6, "c",
+                                                                                 chunk_create(uri, strlen(uri))));
+               authorityInfoAccess = chunk_cat("mm", authorityInfoAccess,
+                                                                               accessDescription);
+       }
+       enumerator->destroy(enumerator);
+       if (authorityInfoAccess.ptr)
+       {
+               authorityInfoAccess = asn1_wrap(ASN1_SEQUENCE, "mm",
+                                       asn1_build_known_oid(OID_AUTHORITY_INFO_ACCESS),
+                                       asn1_wrap(ASN1_OCTET_STRING, "m",
+                                               asn1_wrap(ASN1_SEQUENCE, "m", authorityInfoAccess)));
+       }
+
+       /* build CA basicConstraint for CA certificates */
        if (cert->flags & X509_CA)
        {
                chunk_t keyid;
@@ -1377,10 +1401,10 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                crlDistributionPoints.ptr)
        {
                extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
-                                               asn1_wrap(ASN1_SEQUENCE, "mmmmm",
+                                               asn1_wrap(ASN1_SEQUENCE, "mmmmmm",
                                                        basicConstraints, subjectKeyIdentifier,
                                                        authKeyIdentifier, subjectAltNames,
-                                                       crlDistributionPoints));
+                                                       crlDistributionPoints, authorityInfoAccess));
        }
 
        cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
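Review bot: The condition that gates the extensions sequence still ends with `crlDistributionPoints.ptr)` and does not test `authorityInfoAccess.ptr`, so a certificate whose only optional extension is the authorityInfoAccess gets no extensions at all, and the chunk allocated for it in the previous hunk is never wrapped or freed. The beginning of that condition lies outside the hunk, but the visible tail shows the new chunk is missing from it; the fix is to extend it: `crlDistributionPoints.ptr || authorityInfoAccess.ptr)`. In practice authKeyIdentifier is usually present so the extension is emitted, which is why this is easy to miss in testing. The enclosing generate() continues outside the hunk.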
@@ -1512,6 +1536,21 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
                                enumerator->destroy(enumerator);
                                continue;
                        }
+                       case BUILD_OCSP_ACCESS_LOCATIONS:
+                       {
+                               enumerator_t *enumerator;
+                               linked_list_t *list;
+                               char *uri;
+
+                               list = va_arg(args, linked_list_t*);
+                               enumerator = list->create_enumerator(list);
+                               while (enumerator->enumerate(enumerator, &uri))
+                               {
+                                       cert->ocsp_uris->insert_last(cert->ocsp_uris, strdup(uri));
+                               }
+                               enumerator->destroy(enumerator);
+                               continue;
+                       }
                        case BUILD_NOT_BEFORE_TIME:
                                cert->notBefore = va_arg(args, time_t);
                                continue;
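Review bot: The list fetched with va_arg() for BUILD_OCSP_ACCESS_LOCATIONS is dereferenced immediately at `list->create_enumerator(list)` with no NULL check, so a caller passing NULL (for instance, a configuration with no OCSP URIs that forwards an optional list) crashes the builder instead of producing a certificate without the extension. A one-line guard keeps the existing behaviour for non-NULL lists: `list = va_arg(args, linked_list_t*);` followed by `if (!list) { continue; }`. The BUILD_CRL_DISTRIBUTION_POINTS case whose tail is visible at the top of the hunk presumably has the same shape and would want the same guard; its body starts outside the hunk, as does the enclosing x509_cert_gen() loop.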