author | Andreas Steffen <andreas.steffen@strongswan.org> | 2006-06-27 08:48:28 +0000 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2006-06-27 08:48:28 +0000 |
commit | 6f74bfd6ac6e37c6c3796fc55d02635b2851e72b (patch) | |
tree | eafd391f54c49167848b1a04d3df5ebe3083ce3f /src/libstrongswan/crypto/x509.c | |
parent | c01d911201b18db6f4ca5e71e0e6584a59658dbc (diff) | |
download | strongswan-6f74bfd6ac6e37c6c3796fc55d02635b2851e72b.tar.bz2 strongswan-6f74bfd6ac6e37c6c3796fc55d02635b2851e72b.tar.xz |
added X.509 trust chain verification
Diffstat (limited to 'src/libstrongswan/crypto/x509.c')
-rwxr-xr-x | src/libstrongswan/crypto/x509.c | 82 |
1 files changed, 74 insertions, 8 deletions
diff --git a/src/libstrongswan/crypto/x509.c b/src/libstrongswan/crypto/x509.c index 905fc4c95..c65071c72 100755 --- a/src/libstrongswan/crypto/x509.c +++ b/src/libstrongswan/crypto/x509.c @@ -74,6 +74,11 @@ struct private_x509_t { time_t installed; /** + * Time until certificate can be trusted + */ + time_t until; + + /** * X.509 Certificate in DER format */ chunk_t certificate; @@ -910,6 +915,14 @@ static bool is_ca(const private_x509_t *this) } /** + * Implements x509_t.is_self_signed + */ +static bool is_self_signed(const private_x509_t *this) +{ + return this->subject->equals(this->subject, this->issuer); +} + +/** * Implements x509_t.equals_subjectAltName */ static bool equals_subjectAltName(const private_x509_t *this, identification_t *id) @@ -933,6 +946,17 @@ static bool equals_subjectAltName(const private_x509_t *this, identification_t * } /** + * Implements x509_t.is_issuer + */ +static bool is_issuer(const private_x509_t *this, const private_x509_t *issuer) +{ + return (this->authKeyID.ptr) + ? chunk_equals(this->authKeyID, issuer->subjectKeyID) + : (this->issuer->equals(this->issuer, issuer->subject) + && chunk_equals_or_null(this->authKeySerialNumber, issuer->serialNumber)); +} + +/** * Implements x509_t.get_public_key */ static rsa_public_key_t *get_public_key(const private_x509_t *this) @@ -941,11 +965,19 @@ static rsa_public_key_t *get_public_key(const private_x509_t *this) } /** - * Implements x509_t.get_subject + * Implements x509_t.get_serialNumber */ -static identification_t *get_subject(const private_x509_t *this) +static chunk_t get_serialNumber(const private_x509_t *this) { - return this->subject; + return this->serialNumber; +} + +/** + * Implements x509_t.get_subjectKeyID + */ +static chunk_t get_subjectKeyID(const private_x509_t *this) +{ + return this->subjectKeyID; } /** 
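Review bot: In the hunk at @@ -910, is_self_signed() compares only the subject and issuer names, so it is a self-issued check, not a self-signed one: a certificate that merely names itself as issuer passes without any proof that the signature was produced with its own key. A chain walker that stops at the first "self-signed" certificate would therefore treat such a certificate as an anchor on name equality alone. At minimum document the limitation, e.g. `/* name-based check only (subject == issuer); does not prove the signature was made with this certificate's own key, so callers must still verify() it with get_public_key() before treating it as a trust anchor */`, or fold that signature check into the predicate itself (verify() and get_public_key() are defined later in the file, so a forward declaration would be needed).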
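Review bot: In the hunk at @@ -933, is_issuer() drops the issuer-name comparison entirely whenever an authorityKeyIdentifier is present, matching on `chunk_equals(this->authKeyID, issuer->subjectKeyID)` alone; RFC 5280 path building requires the certificate's issuer name to equal the candidate's subject name in every case, the key identifier only narrows the candidates. I would require the name match in both branches: `return this->issuer->equals(this->issuer, issuer->subject) && (this->authKeyID.ptr ? chunk_equals(this->authKeyID, issuer->subjectKeyID) : chunk_equals_or_null(this->authKeySerialNumber, issuer->serialNumber));`. Note also that the keyID branch uses chunk_equals while the serial branch uses chunk_equals_or_null; if chunk_equals() treats an absent subjectKeyID on the issuer as a mismatch (its definition is not in this diff), a certificate carrying an AKI can never chain to an issuer certificate that lacks the SKI extension, which may or may not be intended.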
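Review bot: In the hunk at @@ -941, get_serialNumber() and get_subjectKeyID() return the internal chunk_t by value, so the returned `ptr` presumably still points into storage owned by this object (and released by destroy(), whose body is outside the hunk); the one-line "Implements x509_t.get_serialNumber" comments do not say this. Suggest a comment on each, e.g. `/* returned chunk aliases this certificate's internal buffer: the caller must neither free it nor keep it beyond the lifetime of the x509_t */`, and the same ownership note on the matching prototypes in the header.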
@@ -957,6 +989,30 @@ static identification_t *get_issuer(const private_x509_t *this) } /** + * Implements x509_t.get_subject + */ +static identification_t *get_subject(const private_x509_t *this) +{ + return this->subject; +} + +/** + * Implements x509_t.set_until + */ +static void set_until(private_x509_t *this, time_t until) +{ + this->until = until; +} + +/** + * Implements x509_t.verify + */ +static bool verify(const private_x509_t *this, const rsa_public_key_t *signer) +{ + return signer->verify_emsa_pkcs1_signature(signer, this->tbsCertificate, this->signature); +} + +/** * destroy */ static void destroy(private_x509_t *this) @@ -1060,8 +1116,11 @@ static void log_certificate(const private_x509_t *this, logger_t *logger, bool u logger->log(logger, CONTROL, " not after %s %s", buf, check_expiry(this->notAfter, CERT_WARNING_INTERVAL, TRUE)); - logger->log(logger, CONTROL, " pubkey: RSA %d bits%s", - BITS_PER_BYTE * pubkey->get_keysize(pubkey), has_key? ", has private key":""); + timetoa(buf, BUF_LEN, &this->until, utc); + logger->log(logger, CONTROL, " pubkey: RSA %d bits%s, until %s", + BITS_PER_BYTE * pubkey->get_keysize(pubkey), + has_key? ", has private key":"", buf); + chunk_to_hex(buf, BUF_LEN, pubkey->get_keyid(pubkey)); logger->log(logger, CONTROL, " keyid: %s", buf); 
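Review bot: In the hunk at @@ -957, set_until() stores any value unconditionally, although the `until` field added at @@ -74 is documented as the time until the certificate can be trusted and is initialised to `notAfter` at the end of x509_create_from_chunk(); a caller can thus extend the trusted lifetime past the certificate's own expiry. If `until` is meant as a trust horizon derived from chain validation, clamp it: `this->until = (until < this->notAfter) ? until : this->notAfter;`. The new verify() in the same hunk checks only the EMSA-PKCS1 signature over tbsCertificate and assumes a non-NULL signer; its comment should say so, e.g. `/* checks only the signature over tbsCertificate with signer's key; validity period (is_valid), CA flag (is_ca) and issuer matching (is_issuer) remain the caller's responsibility */`.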
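Review bot: In the hunk at @@ -1060, the trust horizon is appended to the "pubkey: RSA %d bits" line, mixing key material information with validity data, while the surrounding lines print "not before"/"not after" on their own. For readability I would log it next to those, on its own line and before the pubkey line: `timetoa(buf, BUF_LEN, &this->until, utc);` followed by `logger->log(logger, CONTROL, " until %s", buf);`, leaving the pubkey line as it was. log_certificate() starts and ends outside the hunk.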
@@ -1103,12 +1162,18 @@ x509_t *x509_create_from_chunk(chunk_t chunk) /* public functions */ this->public.equals = (bool (*) (const x509_t*,const x509_t*))equals; this->public.equals_subjectAltName = (bool (*) (const x509_t*,identification_t*))equals_subjectAltName; + this->public.is_issuer = (bool (*) (const x509_t*,const x509_t*))is_issuer; this->public.is_valid = (err_t (*) (const x509_t*,time_t*))is_valid; this->public.is_ca = (bool (*) (const x509_t*))is_ca; - this->public.destroy = (void (*) (x509_t*))destroy; + this->public.is_self_signed = (bool (*) (const x509_t*))is_self_signed; this->public.get_public_key = (rsa_public_key_t* (*) (const x509_t*))get_public_key; - this->public.get_subject = (identification_t* (*) (const x509_t*))get_subject; + this->public.get_serialNumber = (chunk_t (*) (const x509_t*))get_serialNumber; + this->public.get_subjectKeyID = (chunk_t (*) (const x509_t*))get_subjectKeyID; this->public.get_issuer = (identification_t* (*) (const x509_t*))get_issuer; + this->public.get_subject = (identification_t* (*) (const x509_t*))get_subject; + this->public.set_until = (void (*) (x509_t*,time_t))set_until; + this->public.verify = (bool (*) (const x509_t*,const rsa_public_key_t*))verify; + this->public.destroy = (void (*) (x509_t*))destroy; this->public.log_certificate = (void (*) (const x509_t*,logger_t*,bool,bool))log_certificate; /* we do not use a per-instance logger right now, since its not always accessible */ @@ -1127,7 +1192,8 @@ x509_t *x509_create_from_chunk(chunk_t chunk) destroy(this); return NULL; } - + /* set trusted lifetime of public key to notAfter */ + this->until = this->notAfter; return &this->public; } |