x509 certificates support encoding of email, DNS and IP subjectAltNames

diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index 88df476d51e708e644f8b76b9e439075d8e864b1..dc9829a5e3c2588d884eb0f818e198cdfe715a30 100644 (file)
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -30,9 +30,9 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
        "BUILD_SIGNING_CERT",
        "BUILD_PUBLIC_KEY",
        "BUILD_SUBJECT",
-       "BUILD_SUBJECT_ALTNAME",
+       "BUILD_SUBJECT_ALTNAMES",
        "BUILD_ISSUER",
-       "BUILD_ISSUER_ALTNAME",
+       "BUILD_ISSUER_ALTNAMES",
        "BUILD_NOT_BEFORE_TIME",
        "BUILD_NOT_AFTER_TIME",
        "BUILD_SERIAL",

diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index a5ce7e13eb449ecf846fc811ff31e3ff7a2aad1f..6dbae98dcb3a74018dbbd96775b9c0512f68ac3b 100644 (file)
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -68,12 +68,12 @@ enum builder_part_t {
        BUILD_PUBLIC_KEY,
        /** subject for e.g. certificates, identification_t* */
        BUILD_SUBJECT,
-       /** additional subject name, identification_t* */
-       BUILD_SUBJECT_ALTNAME,
+       /** additional subject names, linked_list_t* containing identification_t* */
+       BUILD_SUBJECT_ALTNAMES,
        /** issuer for e.g. certificates, identification_t* */
        BUILD_ISSUER,
-       /** additional issuer name, identification_t* */
-       BUILD_ISSUER_ALTNAME,
+       /** additional issuer names, linked_list_t* containing identification_t* */
+       BUILD_ISSUER_ALTNAMES,
        /** notBefore, time_t* */
        BUILD_NOT_BEFORE_TIME,
        /** notAfter, time_t* */

diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c
index 6201cd6c9430573259b0912aef379e7f0e68ff05..aae280f3bda7cc812f1f474fc4892515d2b65c04 100644 (file)
--- a/src/libstrongswan/credentials/credential_factory.c
+++ b/src/libstrongswan/credentials/credential_factory.c
@@ -210,9 +210,9 @@ static void* create(private_credential_factory_t *this, credential_type_t type,
                                case BUILD_SIGNING_KEY:
                                case BUILD_PUBLIC_KEY:
                                case BUILD_SUBJECT:
-                               case BUILD_SUBJECT_ALTNAME:
+                               case BUILD_SUBJECT_ALTNAMES:
                                case BUILD_ISSUER:
-                               case BUILD_ISSUER_ALTNAME:
+                               case BUILD_ISSUER_ALTNAMES:
                                case BUILD_SIGNING_CERT:
                                case BUILD_CA_CERT:
                                case BUILD_CERT:

diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index b8e02ae5fd55091c3d2fec768289a42733b4c6f2..ae2ba19f771a18970f48f524ae071b3cc9fa8fc8 100644 (file)
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1215,6 +1215,8 @@ static bool generate(private_builder_t *this)
        chunk_t key_info;
        signature_scheme_t scheme;
        hasher_t *hasher;
+       enumerator_t *enumerator;
+       identification_t *id;
 
        subject = this->cert->subject;
        if (this->sign_cert)
@@ -1303,10 +1305,45 @@ static bool generate(private_builder_t *this)
                return FALSE;
        }
 
-       if (this->cert->subjectAltNames->get_count(this->cert->subjectAltNames))
+       enumerator = this->cert->subjectAltNames->create_enumerator(
+                                                                                                       this->cert->subjectAltNames);
+       while (enumerator->enumerate(enumerator, &id))
+       {
+               int context;
+               chunk_t name;
+
+               switch (id->get_type(id))
+               {
+                       case ID_RFC822_ADDR:
+                               context = ASN1_CONTEXT_S_1;
+                               break;
+                       case ID_FQDN:
+                               context = ASN1_CONTEXT_S_2;
+                               break;
+                       case ID_IPV4_ADDR:
+                       case ID_IPV6_ADDR:
+                               context = ASN1_CONTEXT_S_7;
+                               break;
+                       default:
+                               DBG1("encoding %N as subjectAltName not supported",
+                                        id_type_names, id->get_type(id));
+                               enumerator->destroy(enumerator);
+                               free(key_info.ptr);
+                               free(subjectAltNames.ptr);
+                               return FALSE;
+               }
+               name = asn1_wrap(context, "c", id->get_encoding(id));
+               subjectAltNames = chunk_cat("mm", subjectAltNames, name);
+       }
+       enumerator->destroy(enumerator);
+       if (subjectAltNames.ptr)
        {
-               /* TODO: encode subjectAltNames */
+               subjectAltNames = asn1_wrap(ASN1_SEQUENCE, "mm",
+                                                       asn1_build_known_oid(OID_SUBJECT_ALT_NAME),
+                                                       asn1_wrap(ASN1_OCTET_STRING, "m",
+                                                               asn1_wrap(ASN1_SEQUENCE, "m", subjectAltNames)));
        }
+
        if (this->flags & X509_CA)
        {
                chunk_t yes, keyid;
@@ -1462,11 +1499,19 @@ static void add(private_builder_t *this, builder_part_t part, ...)
                        this->cert->subject = id->clone(id);
                        break;
                }
-               case BUILD_SUBJECT_ALTNAME:
+               case BUILD_SUBJECT_ALTNAMES:
                {
-                       identification_t *id = va_arg(args, identification_t*);
-                       this->cert->subjectAltNames->insert_last(
+                       identification_t *id;
+                       enumerator_t *enumerator;
+                       linked_list_t *list = va_arg(args, linked_list_t*);
+
+                       enumerator = list->create_enumerator(list);
+                       while (enumerator->enumerate(enumerator, &id))
+                       {
+                               this->cert->subjectAltNames->insert_last(
                                                                        this->cert->subjectAltNames, id->clone(id));
+                       }
+                       enumerator->destroy(enumerator);
                        break;
                }
                case BUILD_NOT_BEFORE_TIME: