From 6dc57cd02ef1059bb47f7b498f602fe51af37080 Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Fri, 11 Sep 2009 17:16:22 +0200
Subject: [PATCH] x509 plugin supports encoding of OCSP AuthorityInfo AccessLocations
---
 src/libstrongswan/credentials/builder.c | 1 +
 src/libstrongswan/credentials/builder.h | 2 +
 src/libstrongswan/plugins/x509/x509_cert.c | 45 ++++++++++++++++++++--
 3 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index 66d5a6d8ba..873e7d139e 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -41,6 +41,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 "BUILD_CA_CERT",
 "BUILD_CERT",
 "BUILD_CRL_DISTRIBUTION_POINTS",
+ "BUILD_OCSP_ACCESS_LOCATIONS",
 "BUILD_X509_FLAG",
 "BUILD_SMARTCARD_KEYID",
 "BUILD_SMARTCARD_PIN",
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index b68a6ffe6c..b6f0386cd8 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -95,6 +95,8 @@ enum builder_part_t {
 BUILD_CERT,
 /** CRL distribution point URIs, linked_list_t* containing char* */
 BUILD_CRL_DISTRIBUTION_POINTS,
+ /** OCSP AuthorityInfoAccess locations, linked_list_t* containing char* */
+ BUILD_OCSP_ACCESS_LOCATIONS,
 /** enforce an additional X509 flag, x509_flag_t */
 BUILD_X509_FLAG,
 /** key ID of a key on a smartcard, null terminated char* ([slot:]keyid) */
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index a4bd628c80..16d4b586aa 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1182,7 +1182,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, chunk_t extensions = chunk_empty; chunk_t basicConstraints = chunk_empty, subjectAltNames = chunk_empty; chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty; - chunk_t crlDistributionPoints = chunk_empty; + chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty; identification_t *issuer, *subject; chunk_t key_info; signature_scheme_t scheme; @@ -1315,6 +1315,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, asn1_wrap(ASN1_SEQUENCE, "m", subjectAltNames))); } + /* encode CRL distribution points extension */ enumerator = cert->crl_uris->create_enumerator(cert->crl_uris); while (enumerator->enumerate(enumerator, &uri)) { @@ -1338,6 +1339,29 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints))); } + /* encode OCSP URIs in authorityInfoAccess extension */ + enumerator = cert->ocsp_uris->create_enumerator(cert->ocsp_uris); + while (enumerator->enumerate(enumerator, &uri)) + { + chunk_t accessDescription; + + accessDescription = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_OCSP), + asn1_wrap(ASN1_CONTEXT_S_6, "c", + chunk_create(uri, strlen(uri)))); + authorityInfoAccess = chunk_cat("mm", authorityInfoAccess, + accessDescription); + } + enumerator->destroy(enumerator); + if (authorityInfoAccess.ptr) + { + authorityInfoAccess = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_AUTHORITY_INFO_ACCESS), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_SEQUENCE, "m", authorityInfoAccess))); + } + + /* build CA basicConstraint for CA certificates */ if (cert->flags & X509_CA) { chunk_t keyid; 
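Review bot: In the new OCSP loop the accessLocation is built by copying `uri` verbatim into a [6] IA5String with `chunk_create(uri, strlen(uri))`, and nothing rejects an empty string or a byte outside 7-bit ASCII, so a bad BUILD_OCSP_ACCESS_LOCATIONS entry produces a DER-invalid AccessDescription that relying parties may refuse instead of a visible build failure. A defensive check before the `asn1_wrap(ASN1_CONTEXT_S_6, ...)` call that skips (or fails the build on) a URI that is empty or contains a byte above 0x7f would keep the emitted certificate well-formed; the same presumably applies to the crlDistributionPoints loop above, whose body is outside this hunk. The extension is correctly left non-critical, as RFC 5280 requires for authorityInfoAccess. generate() begins and ends outside the hunk.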
@@ -1377,10 +1401,10 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, crlDistributionPoints.ptr) { extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m", - asn1_wrap(ASN1_SEQUENCE, "mmmmm", + asn1_wrap(ASN1_SEQUENCE, "mmmmmm", basicConstraints, subjectKeyIdentifier, authKeyIdentifier, subjectAltNames, - crlDistributionPoints)); + crlDistributionPoints, authorityInfoAccess)); } cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm", @@ -1512,6 +1536,21 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) enumerator->destroy(enumerator); continue; } + case BUILD_OCSP_ACCESS_LOCATIONS: + { + enumerator_t *enumerator; + linked_list_t *list; + char *uri; + + list = va_arg(args, linked_list_t*); + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &uri)) + { + cert->ocsp_uris->insert_last(cert->ocsp_uris, strdup(uri)); + } + enumerator->destroy(enumerator); + continue; + } case BUILD_NOT_BEFORE_TIME: cert->notBefore = va_arg(args, time_t); continue; -- 2.47.2
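Review bot: The guard that decides whether an extensions block is emitted does not appear to include the new chunk: the only visible part of the condition is `crlDistributionPoints.ptr)`, and the hunk adds authorityInfoAccess to the wrapped SEQUENCE without touching that condition. If the full test is a chain like `basicConstraints.ptr || ... || crlDistributionPoints.ptr`, a certificate whose only extension is an OCSP access location silently loses it (extensions stays chunk_empty and the allocated authorityInfoAccess chunk is never consumed), so the last operand should become `crlDistributionPoints.ptr || authorityInfoAccess.ptr)`. The start of the condition and the rest of generate() are outside the hunk, so this is inferred from the visible tail only.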
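Review bot: The new BUILD_OCSP_ACCESS_LOCATIONS case copies the enumerate/strdup/insert_last loop of the BUILD_CRL_DISTRIBUTION_POINTS case just above it (visible only as its closing `enumerator->destroy(enumerator); continue;`), and in both the `strdup(uri)` result is inserted unchecked, so an allocation failure stores a NULL that later encoding would pass to `strlen`. Factoring the loop into one static helper that reports failure removes the duplication and gives the switch a single place to react; how x509_cert_gen unwinds on failure is not visible in this hunk, so the fence leaves the failure branch as a placeholder. The enclosing switch and x509_cert_gen begin and end outside the hunk.
```c
/* copy the char* entries of src into dst; FALSE if strdup() fails */
static bool copy_uri_list(linked_list_t *src, linked_list_t *dst)
{
	enumerator_t *enumerator;
	char *uri, *copy;
	bool ok = TRUE;

	enumerator = src->create_enumerator(src);
	while (enumerator->enumerate(enumerator, &uri))
	{
		copy = strdup(uri);
		if (!copy)
		{
			ok = FALSE;
			break;
		}
		dst->insert_last(dst, copy);
	}
	enumerator->destroy(enumerator);
	return ok;
}

/* … unchanged: earlier switch cases in x509_cert_gen … */
		case BUILD_OCSP_ACCESS_LOCATIONS:
			if (!copy_uri_list(va_arg(args, linked_list_t*), cert->ocsp_uris))
			{
				/* … failure handling as used by the other cases (not visible here) … */
			}
			continue;
```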