started support of X.509 attribute certificates

7 files changed, 561 insertions, 21 deletions

diff --git a/src/charon/config/credentials/local_credential_store.c b/src/charon/config/credentials/local_credential_store.c
index b7b71b9e7..bee7fce4b 100644
--- a/src/charon/config/credentials/local_credential_store.c
+++ b/src/charon/config/credentials/local_credential_store.c
@@ -32,6 +32,7 @@
 #include <crypto/certinfo.h>
 #include <crypto/x509.h>
 #include <crypto/ca.h>
+#include <crypto/ac.h>
 #include <crypto/crl.h>
 #include <asn1/ttodata.h>
 
@@ -103,24 +104,25 @@ static shared_key_t *shared_key_create(chunk_t secret)
   |                 | ca_info_t                |
   |                 +--------------------------+
 +---------------+   | char *name               |
-| x509_t        |<--| x509_t *cacert           |   +----------------------+
-+---------------+   | linked_list_t *certinfos |-->| certinfo_t           |
-| chunk_t keyid |   | linked_list_t *ocspuris  |   +----------------------+
-+---------------+   | crl_t *crl               |   | chunk_t serialNumber |
+| x509_t        |<--| x509_t *cacert           |
++---------------+   | linked_list_t *attrcerts |   +----------------------+
+| chunk_t keyid |   | linked_list_t *certinfos |-->| certinfo_t           |
++---------------+   | linked_list_t *ocspuris  |   +----------------------+
+  |                 | crl_t *crl               |   | chunk_t serialNumber |
   |                 | linked_list_t *crluris   |   | cert_status_t status |
-  |                 | pthread_mutex_t mutex    |   | time_t thisUpdate    |
-+---------------+   +--------------------------+   | time_t nextUpdate    |
-| x509_t        |                |                 | bool once            |
-+---------------+                |                 +----------------------+
-| chunk_t keyid |                |                   |
-+---------------+   +------------------------- +   +----------------------+
-  |                 | ca_info_t                |   | certinfo_t           |
-  |                 +--------------------------+   +----------------------+
-+---------------+   | char *name               |   | chunk_t serialNumber |
-| x509_t        |<--| x509_t *cacert           |   | cert_status_t status |
-+---------------+   | linked_list_t *certinfos |   | time_t thisUpdate    |
-| chunk_t keyid |   | linked_list_t *ocspuris  |   | time_t nextUpdate    |
-+---------------+   | crl_t *crl               |   | bool once            |
++---------------+   | pthread_mutex_t mutex    |   | time_t thisUpdate    |
+| x509_t        |   +--------------------------+   | time_t nextUpdate    |
++---------------+                |                 | bool once            |
+| chunk_t keyid |                |                 +----------------------+
++---------------+   +------------------------- +     |
+  |                 | ca_info_t                |   +----------------------+
+  |                 +--------------------------+   | certinfo_t           |
++---------------+   | char *name               |   +----------------------+
+| x509_t        |<--| x509_t *cacert           |   | chunk_t serialNumber |
++---------------+   | linked_list_t *attrcerts |   | cert_status_t status |
+| chunk_t keyid |   | linked_list_t *certinfos |   | time_t thisUpdate    |
++---------------+   | linked_list_t *ocspuris  |   | time_t nextUpdate    |
+  |                 | crl_t *crl               |   | bool once            |
   |                 | linked_list_t *crluris   |   +----------------------+
   |                 | pthread_mutex_t mutex;   |     |
   |                 +--------------------------+
@@ -886,12 +888,12 @@ static void load_auth_certificates(private_local_credential_store_t *this,
 	struct stat stb;
 	DIR* dir;
 	
-	DBG1(DBG_CFG, "loading %s certificates from '%s/'", label, path);
+	DBG1(DBG_CFG, "loading %s certificates from '%s'", label, path);
 
 	dir = opendir(path);
 	if (dir == NULL)
 	{
-		DBG1(DBG_CFG, "error opening %s certs directory %s'", label, path);
+		DBG1(DBG_CFG, "error opening %s certs directory '%s'", label, path);
 		return;
 	}
 
@@ -975,6 +977,74 @@ static void load_ca_certificates(private_local_credential_store_t *this)
 }
 
 /**
+ * Implements local_credential_store_t.load_aa_certificates
+ */
+static void load_aa_certificates(private_local_credential_store_t *this)
+{
+	load_auth_certificates(this, AUTH_AA, "aa", AA_CERTIFICATE_DIR);
+}
+
+/**
+ * Add a unique attribute certificate to a linked list
+ */
+static void add_attr_certificate(private_local_credential_store_t *this, x509ac_t *cert)
+{
+  /* TODO add a new attribute certificate to the linked list */
+}
+
+/**
+ * Implements local_credential_store_t.load_attr_certificates
+ */
+static void load_attr_certificates(private_local_credential_store_t *this)
+{
+	struct dirent* entry;
+	struct stat stb;
+	DIR* dir;
+
+	const char *path = ATTR_CERTIFICATE_DIR;
+	
+	DBG1(DBG_CFG, "loading attribute certificates from '%s'", path);
+
+	dir = opendir(ATTR_CERTIFICATE_DIR);
+	if (dir == NULL)
+	{
+		DBG1(DBG_CFG, "error opening attribute certs directory '%s'", path);
+		return;
+	}
+
+	while ((entry = readdir(dir)) != NULL)
+	{
+		char file[PATH_BUF];
+
+		snprintf(file, sizeof(file), "%s/%s", path, entry->d_name);
+		
+		if (stat(file, &stb) == -1)
+		{
+			continue;
+		}
+		/* try to parse all regular files */
+		if (stb.st_mode & S_IFREG)
+		{
+			x509ac_t *cert = x509ac_create_from_file(file);
+
+			if (cert)
+			{
+				err_t ugh = cert->is_valid(cert, NULL);
+
+				if (ugh != NULL)
+				{
+					DBG1(DBG_CFG, "warning: attribute certificate %s", ugh);
+				}
+				add_attr_certificate(this, cert);
+			}
+		}
+	}
+	closedir(dir);
+
+
+}
+
+/**
  * Implements local_credential_store_t.load_ocsp_certificates
  */
 static void load_ocsp_certificates(private_local_credential_store_t *this)
@@ -1027,12 +1097,12 @@ static void load_crls(private_local_credential_store_t *this)
 	DIR* dir;
 	crl_t *crl;
 	
-	DBG1(DBG_CFG, "loading crls from '%s/'", CRL_DIR);
+	DBG1(DBG_CFG, "loading crls from '%s'", CRL_DIR);
 
 	dir = opendir(CRL_DIR);
 	if (dir == NULL)
 	{
-		DBG1(DBG_CFG, "error opening crl directory %s'", CRL_DIR);
+		DBG1(DBG_CFG, "error opening crl directory '%s'", CRL_DIR);
 		return;
 	}
 
@@ -1345,6 +1415,8 @@ local_credential_store_t * local_credential_store_create(bool strict)
 	this->public.credential_store.create_auth_cert_iterator = (iterator_t* (*) (credential_store_t*))create_auth_cert_iterator;
 	this->public.credential_store.create_cainfo_iterator = (iterator_t* (*) (credential_store_t*))create_cainfo_iterator;
 	this->public.credential_store.load_ca_certificates = (void (*) (credential_store_t*))load_ca_certificates;
+	this->public.credential_store.load_aa_certificates = (void (*) (credential_store_t*))load_aa_certificates;
+	this->public.credential_store.load_attr_certificates = (void (*) (credential_store_t*))load_attr_certificates;
 	this->public.credential_store.load_ocsp_certificates = (void (*) (credential_store_t*))load_ocsp_certificates;
 	this->public.credential_store.load_crls = (void (*) (credential_store_t*))load_crls;
 	this->public.credential_store.load_secrets = (void (*) (credential_store_t*))load_secrets;
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index 9640f1cf2..4754d319b 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -273,6 +273,8 @@ static void initialize(private_daemon_t *this, bool strict, bool syslog,
 	/* load secrets, ca certificates and crls */
 	credentials = this->public.credentials;
 	credentials->load_ca_certificates(credentials);
+	credentials->load_aa_certificates(credentials);
+	credentials->load_attr_certificates(credentials);
 	credentials->load_ocsp_certificates(credentials);
 	credentials->load_crls(credentials);
 	credentials->load_secrets(credentials);
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index b103be193..292abc0a4 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -11,6 +11,7 @@ asn1/asn1.c asn1/asn1.h \
 asn1/oid.c asn1/oid.h \
 asn1/pem.c asn1/pem.h \
 asn1/ttodata.c asn1/ttodata.h \
+crypto/ac.c crypto/ac.h \
 crypto/ca.c crypto/ca.h \
 crypto/certinfo.c crypto/certinfo.h \
 crypto/crl.c crypto/crl.h \
diff --git a/src/libstrongswan/credential_store.h b/src/libstrongswan/credential_store.h
index 5d51981ec..65e692dcd 100755
--- a/src/libstrongswan/credential_store.h
+++ b/src/libstrongswan/credential_store.h
@@ -244,6 +244,24 @@ struct credential_store_t {
 	void (*load_ca_certificates) (credential_store_t *this);
 	
 	/**
+	 * @brief Loads authorization authority certificates from a default directory.
+	 *
+	 * Certificates in both DER and PEM format are accepted
+	 *
+	 * @param this		calling object
+	 */
+	void (*load_aa_certificates) (credential_store_t *this);
+
+	/**
+	 * @brief Loads attribute certificates from a default directory.
+	 *
+	 * Certificates in both DER and PEM format are accepted
+	 *
+	 * @param this		calling object
+	 */
+	void (*load_attr_certificates) (credential_store_t *this);
+
+	/**
 	 * @brief Loads ocsp certificates from a default directory.
 	 *
 	 * Certificates in both DER and PEM format are accepted
diff --git a/src/libstrongswan/crypto/ac.c b/src/libstrongswan/crypto/ac.c
new file mode 100644
index 000000000..3104f9fb7
--- /dev/null
+++ b/src/libstrongswan/crypto/ac.c
@@ -0,0 +1,357 @@
+/**
+ * @file ac.c
+ * 
+ * @brief Implementation of x509ac_t.
+ * 
+ */
+
+/* 
+ * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
+ * Copyright (C) 2003 Martin Berner, Lukas Suter
+ * Copyright (C) 2007 Andreas Steffen, Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <asn1/asn1.h>
+#include <utils/identification.h>
+#include <utils/linked_list.h>
+
+#include "ac.h"
+
+typedef struct private_x509ac_t private_x509ac_t;
+
+/**
+ * Private data of a x509ac_t object.
+ */
+struct private_x509ac_t {
+	/**
+	 * Public interface for this attribute certificate.
+	 */
+	x509ac_t public;
+
+	/**
+	 * Time when attribute certificate was installed
+	 */
+	time_t installed;
+
+	/**
+	 * X.509 attribute certificate in DER format
+	 */
+	chunk_t certificate;
+
+	/**
+	 * X.509 attribute certificate body over which signature is computed
+	 */
+	chunk_t certificateInfo;
+
+	/**
+	 * Version of the X.509 attribute certificate
+	 */
+	u_int version;
+
+	/**
+	 * Serial number of the X.509 attribute certificate
+	 */
+	chunk_t serialNumber;
+
+	/**
+	 * ID representing the issuer of the holder certificate
+	 */
+	identification_t *holderIssuer;
+
+	/**
+	 * Serial number of the holder certificate
+	 */
+	chunk_t holderSerial;
+
+	/**
+	 * ID representing the holder
+	 */
+	identification_t *entityName;
+	
+	/**
+	 * ID representing the attribute certificate issuer
+	 */
+	identification_t *issuerName;
+
+	/**
+	 * Signature algorithm
+	 */
+	int sigAlg;
+
+	/**
+	 * Start time of certificate validity
+	 */
+	time_t notBefore;
+
+	/**
+	 * End time of certificate validity
+	 */
+	time_t notAfter;
+
+	/**
+	 * List of charging attributes
+	 */
+	linked_list_t *charging;
+
+	/**
+	 * List of groub attributes
+	 */
+	linked_list_t *groups;
+
+	/**
+	 * Authority Key Identifier
+	 */
+	chunk_t authKeyID;
+
+	/**
+	 * Authority Key Serial Number
+	 */
+	chunk_t authKeySerialNumber;
+
+	/**
+	 * No revocation information available
+	 */
+	bool noRevAvail;
+
+	/**
+	 * Signature algorithm (must be identical to sigAlg)
+	 */
+	int algorithm;
+
+	/**
+	 * Signature
+	 */
+	chunk_t signature;
+};
+
+/**
+ * definition of ietfAttribute kinds
+ */
+typedef enum {
+	IETF_ATTRIBUTE_OCTETS =	0,
+	IETF_ATTRIBUTE_OID =	1,
+	IETF_ATTRIBUTE_STRING =	2
+} ietfAttribute_t;
+
+/**
+ * access structure for an ietfAttribute
+ */
+typedef struct ietfAttr ietfAttr_t;
+
+struct ietfAttr {
+	time_t installed;
+	int count;
+	ietfAttribute_t kind;
+	chunk_t value;
+};
+
+/**
+ * ASN.1 definition of ietfAttrSyntax
+ */
+static const asn1Object_t ietfAttrSyntaxObjects[] =
+{
+	{ 0, "ietfAttrSyntax",		ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
+	{ 1,   "policyAuthority",	ASN1_CONTEXT_C_0,	ASN1_OPT |
+													ASN1_BODY }, /*  1 */
+	{ 1,   "end opt",			ASN1_EOC,			ASN1_END  }, /*  2 */
+	{ 1,   "values",			ASN1_SEQUENCE,		ASN1_LOOP }, /*  3 */
+	{ 2,     "octets",			ASN1_OCTET_STRING,	ASN1_OPT |
+													ASN1_BODY }, /*  4 */
+	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  5 */
+	{ 2,     "oid",				ASN1_OID,			ASN1_OPT |
+													ASN1_BODY }, /*  6 */
+	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  7 */
+	{ 2,     "string",			ASN1_UTF8STRING,	ASN1_OPT |
+													ASN1_BODY }, /*  8 */
+	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  9 */
+	{ 1,   "end loop",			ASN1_EOC,			ASN1_END  }  /* 10 */
+};
+
+#define IETF_ATTR_OCTETS	 4
+#define IETF_ATTR_OID		 6
+#define IETF_ATTR_STRING	 8
+#define IETF_ATTR_ROOF		11
+
+/**
+ * ASN.1 definition of roleSyntax
+ */
+static const asn1Object_t roleSyntaxObjects[] =
+{
+	{ 0, "roleSyntax",			ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
+	{ 1,   "roleAuthority",		ASN1_CONTEXT_C_0,	ASN1_OPT |
+													ASN1_OBJ  }, /*  1 */
+	{ 1,   "end opt",			ASN1_EOC,			ASN1_END  }, /*  2 */
+	{ 1,   "roleName",			ASN1_CONTEXT_C_1,	ASN1_OBJ  }  /*  3 */
+};
+
+#define ROLE_ROOF		4
+
+/**
+ * ASN.1 definition of an X509 attribute certificate
+ */
+static const asn1Object_t acObjects[] =
+{
+	{ 0, "AttributeCertificate",			ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  0 */
+	{ 1,   "AttributeCertificateInfo",		ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  1 */
+	{ 2,	   "version",					ASN1_INTEGER,		  ASN1_DEF |
+																  ASN1_BODY }, /*  2 */
+	{ 2,	   "holder",					ASN1_SEQUENCE,		  ASN1_NONE }, /*  3 */
+	{ 3,	     "baseCertificateID",		ASN1_CONTEXT_C_0,	  ASN1_OPT  }, /*  4 */
+	{ 4,	       "issuer",				ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  5 */
+	{ 4,	       "serial",				ASN1_INTEGER,		  ASN1_BODY }, /*  6 */
+	{ 4,         "issuerUID",				ASN1_BIT_STRING,	  ASN1_OPT |
+																  ASN1_BODY }, /*  7 */
+	{ 4,         "end opt",					ASN1_EOC,			  ASN1_END  }, /*  8 */
+	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /*  9 */
+	{ 3,	     "entityName",				ASN1_CONTEXT_C_1,	  ASN1_OPT |
+																  ASN1_OBJ  }, /* 10 */
+	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 11 */
+	{ 3,	     "objectDigestInfo",		ASN1_CONTEXT_C_2,	  ASN1_OPT  }, /* 12 */
+	{ 4,	       "digestedObjectType",	ASN1_ENUMERATED,	  ASN1_BODY }, /* 13*/
+	{ 4,	       "otherObjectTypeID",		ASN1_OID,			  ASN1_OPT |
+																  ASN1_BODY }, /* 14 */
+	{ 4,         "end opt",					ASN1_EOC,			  ASN1_END  }, /* 15*/
+	{ 4,         "digestAlgorithm",			ASN1_EOC,			  ASN1_RAW  }, /* 16 */
+	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 17 */
+	{ 2,	   "v2Form",					ASN1_CONTEXT_C_0,	  ASN1_NONE }, /* 18 */
+	{ 3,	     "issuerName",				ASN1_SEQUENCE,		  ASN1_OPT |
+																  ASN1_OBJ  }, /* 19 */
+	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 20 */
+	{ 3,	     "baseCertificateID",		ASN1_CONTEXT_C_0,	  ASN1_OPT  }, /* 21 */
+	{ 4,	       "issuerSerial",			ASN1_SEQUENCE,		  ASN1_NONE }, /* 22 */
+	{ 5,	         "issuer",				ASN1_SEQUENCE,		  ASN1_OBJ  }, /* 23 */
+	{ 5,	  	 "serial",					ASN1_INTEGER,		  ASN1_BODY }, /* 24 */
+	{ 5,           "issuerUID",				ASN1_BIT_STRING,	  ASN1_OPT |
+																  ASN1_BODY }, /* 25 */
+	{ 5,           "end opt",				ASN1_EOC,			  ASN1_END  }, /* 26 */
+	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 27 */
+	{ 3,       "objectDigestInfo",			ASN1_CONTEXT_C_1,	  ASN1_OPT  }, /* 28 */
+	{ 4,	       "digestInfo",			ASN1_SEQUENCE,		  ASN1_OBJ  }, /* 29 */
+	{ 5,  	 "digestedObjectType",			ASN1_ENUMERATED,	  ASN1_BODY }, /* 30 */
+	{ 5,	  	 "otherObjectTypeID",		ASN1_OID,			  ASN1_OPT |
+																  ASN1_BODY }, /* 31 */
+	{ 5,           "end opt",				ASN1_EOC,			  ASN1_END  }, /* 32 */
+	{ 5,           "digestAlgorithm",		ASN1_EOC,			  ASN1_RAW  }, /* 33 */
+	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 34 */
+	{ 2,	   "signature",					ASN1_EOC,			  ASN1_RAW  }, /* 35 */
+	{ 2,	   "serialNumber",				ASN1_INTEGER,		  ASN1_BODY }, /* 36 */
+	{ 2,	   "attrCertValidityPeriod",	ASN1_SEQUENCE,		  ASN1_NONE }, /* 37 */
+	{ 3,	     "notBeforeTime",			ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */
+	{ 3,	     "notAfterTime",			ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */
+	{ 2,	   "attributes",				ASN1_SEQUENCE,		  ASN1_LOOP }, /* 40 */
+	{ 3,       "attribute",					ASN1_SEQUENCE,		  ASN1_NONE }, /* 41 */
+	{ 4,         "type",					ASN1_OID,			  ASN1_BODY }, /* 42 */
+	{ 4,         "values",					ASN1_SET, 			  ASN1_LOOP }, /* 43 */
+	{ 5,           "value",					ASN1_EOC, 			  ASN1_RAW  }, /* 44 */
+	{ 4, 	       "end loop",				ASN1_EOC,			  ASN1_END  }, /* 45 */
+	{ 2,     "end loop",					ASN1_EOC,			  ASN1_END  }, /* 46 */
+	{ 2,     "extensions",					ASN1_SEQUENCE,		  ASN1_LOOP }, /* 47 */
+	{ 3,       "extension",					ASN1_SEQUENCE,		  ASN1_NONE }, /* 48 */
+	{ 4,         "extnID",					ASN1_OID,			  ASN1_BODY }, /* 49 */
+	{ 4,         "critical",				ASN1_BOOLEAN,		  ASN1_DEF |
+																  ASN1_BODY }, /* 50 */
+	{ 4,         "extnValue",				ASN1_OCTET_STRING,	  ASN1_BODY }, /* 51 */
+	{ 2,     "end loop",					ASN1_EOC,			  ASN1_END  }, /* 52 */
+	{ 1,   "signatureAlgorithm",			ASN1_EOC,			  ASN1_RAW  }, /* 53 */
+	{ 1,   "signatureValue",				ASN1_BIT_STRING,	  ASN1_BODY }  /* 54 */
+};
+
+#define AC_OBJ_CERTIFICATE			 0
+#define AC_OBJ_CERTIFICATE_INFO		 1
+#define AC_OBJ_VERSION				 2
+#define AC_OBJ_HOLDER_ISSUER		 5
+#define AC_OBJ_HOLDER_SERIAL		 6
+#define AC_OBJ_ENTITY_NAME			10
+#define AC_OBJ_ISSUER_NAME			19
+#define AC_OBJ_ISSUER				23
+#define AC_OBJ_SIG_ALG				35
+#define AC_OBJ_SERIAL_NUMBER		36
+#define AC_OBJ_NOT_BEFORE			38
+#define AC_OBJ_NOT_AFTER			39
+#define AC_OBJ_ATTRIBUTE_TYPE		42
+#define AC_OBJ_ATTRIBUTE_VALUE		44
+#define AC_OBJ_EXTN_ID				49
+#define AC_OBJ_CRITICAL				50
+#define AC_OBJ_EXTN_VALUE			51
+#define AC_OBJ_ALGORITHM			53
+#define AC_OBJ_SIGNATURE			54
+#define AC_OBJ_ROOF					55
+
+/**
+ * Implements x509ac_t.is_valid
+ */
+static err_t is_valid(const private_x509ac_t *this, time_t *until)
+{
+	time_t current_time = time(NULL);
+	
+	DBG2("  not before  : %T", &this->notBefore);
+	DBG2("  current time: %T", &current_time);
+	DBG2("  not after   : %T", &this->notAfter);
+
+	if (until != NULL &&
+		(*until == UNDEFINED_TIME || this->notAfter < *until))
+	{
+		*until = this->notAfter;
+	}
+	if (current_time < this->notBefore)
+	{
+		return "is not valid yet";
+	}
+	if (current_time > this->notAfter)
+	{
+		return "has expired";
+	}
+	DBG2("  attribute certificate is valid");
+	return NULL;
+}
+
+/**
+ * Implements x509ac_t.destroy
+ */
+static void destroy(private_x509ac_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+x509ac_t *x509ac_create_from_chunk(chunk_t chunk)
+{
+	private_x509ac_t *this = malloc_thing(private_x509ac_t);
+	
+	/* initialize */
+}
+
+/*
+ * Described in header.
+ */
+x509ac_t *x509ac_create_from_file(const char *filename)
+{
+	bool pgp = FALSE;
+	chunk_t chunk = chunk_empty;
+	x509ac_t *cert = NULL;
+
+	if (!pem_asn1_load_file(filename, NULL, "attribute certificate", &chunk, &pgp))
+	{
+		return NULL;
+	}
+	cert = x509ac_create_from_chunk(chunk);
+
+	if (cert == NULL)
+	{
+		free(chunk.ptr);
+	}
+	return cert;
+}
+
diff --git a/src/libstrongswan/crypto/ac.h b/src/libstrongswan/crypto/ac.h
new file mode 100644
index 000000000..b7fd26c94
--- /dev/null
+++ b/src/libstrongswan/crypto/ac.h
@@ -0,0 +1,81 @@
+/**
+ * @file ac.h
+ * 
+ * @brief Interface of x509ac_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
+ * Copyright (C) 2003 Martin Berner, Lukas Suter
+ * Copyright (C) 2007 Andreas Steffen
+ *
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef AC_H_
+#define AC_H_
+
+typedef struct x509ac_t x509ac_t;
+
+/**
+ * @brief X.509 attribute certificate.
+ * 
+ * @b Constructors:
+ *  - x509ac_create_from_chunk()
+ *  - x509ac_create_from_file()
+ *
+ * @ingroup crypto
+ */
+struct x509ac_t {
+
+	/**
+	 * @brief Checks the validity interval of the attribute certificate
+	 * 
+	 * @param this			certificate being examined
+	 * @param until			until = min(until, notAfter)
+	 * @return				NULL if the certificate is valid
+	 */
+	err_t (*is_valid) (const x509ac_t *this, time_t *until);
+
+	/**
+	 * @brief Destroys the attribute certificate.
+	 * 
+	 * @param this			certificate to destroy
+	 */
+	void (*destroy) (x509ac_t *this);
+};
+
+/**
+ * @brief Read a x509 attribute certificate from a DER encoded blob.
+ * 
+ * @param chunk 	chunk containing DER encoded data
+ * @return 			created x509ac_t certificate, or NULL if invalid.
+ * 
+ * @ingroup crypto
+ */
+x509ac_t *x509ac_create_from_chunk(chunk_t chunk);
+
+/**
+ * @brief Read a x509 attribute certificate from a DER encoded file.
+ * 
+ * @param filename 	file containing DER encoded data
+ * @return 			created x509ac_t certificate, or NULL if invalid.
+ * 
+ * @ingroup crypto
+ */
+x509ac_t *x509ac_create_from_file(const char *filename);
+
+
+#endif /* AC_H_ */
+
diff --git a/src/libstrongswan/crypto/ca.c b/src/libstrongswan/crypto/ca.c
index 8f39f08cc..f08dba057 100644
--- a/src/libstrongswan/crypto/ca.c
+++ b/src/libstrongswan/crypto/ca.c
@@ -29,6 +29,7 @@
 #include "x509.h"
 #include "crl.h"
 #include "ca.h"
+#include "ac.h"
 #include "certinfo.h"
 #include "ocsp.h"
 
@@ -65,6 +66,11 @@ struct private_ca_info_t {
 	x509_t *cacert;
 	
 	/**
+	 * List of attribute certificates
+	 */
+	linked_list_t *attrcerts;
+
+	/**
 	 * List of crl URIs
 	 */
 	linked_list_t *crluris;
@@ -658,6 +664,8 @@ static void purge_ocsp(private_ca_info_t *this)
  */
 static void destroy(private_ca_info_t *this)
 {
+	this->attrcerts->destroy_offset(this->attrcerts,
+								  offsetof(x509ac_t, destroy));
 	this->crluris->destroy_offset(this->crluris,
 								  offsetof(identification_t, destroy));
 	this->ocspuris->destroy_offset(this->ocspuris,
@@ -737,6 +745,7 @@ ca_info_t *ca_info_create(const char *name, x509_t *cacert)
 	this->installed = time(NULL);
 	this->name = (name == NULL)? NULL:strdup(name);
 	this->cacert = cacert;
+	this->attrcerts = linked_list_create();
 	this->crluris = linked_list_create();
 	this->ocspuris = linked_list_create();
 	this->certinfos = linked_list_create();