authorTobias Brunner <tobias@strongswan.org>2008-04-18 11:24:45 +0000
committerTobias Brunner <tobias@strongswan.org>2008-04-18 11:24:45 +0000
commit6439267a8c7f22d2a4a221457fea2a26e2a7ff6d (patch)
treecc3b714d0831a09f701d2b64d350e75890d78dbf /src/libstrongswan
parenteed87e1d766a2f74ae0017b01a8fd026dddb7156 (diff)
support for hash and URL encoded certificate payloads in charon
Diffstat (limited to 'src/libstrongswan')
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c26
-rw-r--r--src/libstrongswan/utils/identification.c9
-rw-r--r--src/libstrongswan/utils/identification.h5
3 files changed, 37 insertions, 3 deletions
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 9b6bdb630..0b3ea68f5 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -4,6 +4,7 @@
* Copyright (C) 2002 Mario Strasser
* Copyright (C) 2000-2006 Andreas Steffen
* Copyright (C) 2006-2008 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -68,6 +69,11 @@ struct private_x509_cert_t {
* X.509 certificate encoding in ASN.1 DER format
*/
chunk_t encoding;
+
+ /**
+ * SHA1 hash of the DER encoding of this X.509 certificate
+ */
+ chunk_t encoding_hash;
/**
* X.509 certificate body over which signature is computed
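Review bot: The new `encoding_hash` field's comment should state that it may legitimately be empty, because elsewhere in this commit the field is initialised to `chunk_empty` and only filled when a SHA1 hasher can be created, so every reader has to test `.ptr` before comparing it. I would extend the doc comment to ` * SHA1 hash of the DER encoding of this X.509 certificate; chunk_empty (ptr == NULL) if no SHA1 hasher was available when the certificate was parsed, so callers must check .ptr before use`. Without that note a future caller is likely to pass an empty chunk into a comparison or a payload builder. The struct definition continues outside this hunk.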
@@ -904,6 +910,12 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
identification_t *current;
enumerator_t *enumerator;
id_match_t match, best;
+
+ if (this->encoding_hash.ptr && subject->get_type(subject) == ID_CERT_DER_SHA1 &&
+ chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
+ {
+ return ID_MATCH_PERFECT;
+ }
best = this->subject->matches(this->subject, subject);
enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
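Review bot: When `subject` is of type ID_CERT_DER_SHA1 but the hash does not match (or `encoding_hash` is empty), the new early return is skipped and the function falls through to `this->subject->matches()` and the subjectAltName loop, which compare a DN and alternative names against a raw digest; that work can presumably never yield a match for a hash-typed identification (inferred from the identification types, not visible here), so the type check should decide the outcome on its own and return ID_MATCH_NONE for a non-matching hash. Restructuring the guard as below also makes the intent explicit: a hash identity is matched only against the DER hash, never against the name fields. The `.ptr` guard is correct and must stay, since the hasher may be unavailable at parse time. The rest of has_subject continues outside this hunk.
```c
	/* a hash identity matches only via the DER hash; never fall through to DN/SAN matching */
	if (subject->get_type(subject) == ID_CERT_DER_SHA1)
	{
		if (this->encoding_hash.ptr &&
			chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
		{
			return ID_MATCH_PERFECT;
		}
		return ID_MATCH_NONE;
	}
	/* … unchanged: DN and subjectAltName matching … */
```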
@@ -1152,6 +1164,7 @@ static void destroy(private_x509_cert_t *this)
DESTROY_IF(this->public_key);
DESTROY_IF(this->authKeyIdentifier);
chunk_free(&this->encoding);
+ chunk_free(&this->encoding_hash);
free(this);
}
}
@@ -1184,6 +1197,7 @@ static private_x509_cert_t* create_empty(void)
this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator;
this->encoding = chunk_empty;
+ this->encoding_hash = chunk_empty;
this->public_key = NULL;
this->subject = NULL;
this->issuer = NULL;
@@ -1218,6 +1232,18 @@ static private_x509_cert_t *create_from_chunk(chunk_t chunk)
{
this->flags |= X509_SELF_SIGNED;
}
+
+ hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+ if (hasher != NULL)
+ {
+ hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
+ hasher->destroy(hasher);
+ }
+ else
+ {
+ DBG1(" unable to create hash of certificate, SHA1 not supported");
+ }
+
return this;
}
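Review bot: The hash is computed over `this->encoding`, which the hunk does not show being assigned; the added block relies on it already holding the DER chunk at this point in create_from_chunk (presumably set earlier in the function, outside this hunk), and a short comment should pin that ordering so a later refactor does not move the hashing above the assignment. The choice of SHA1 is also not arbitrary and deserves a why-comment: the hash-and-URL certificate payload this commit introduces fixes the digest to SHA-1 (RFC 4306 section 3.6), so it must not be swapped for a configurable hash. I would add above the hasher call `/* hash-and-URL certificate payloads mandate SHA-1 (RFC 4306 3.6); requires this->encoding to be set already. If no hasher is available, encoding_hash stays empty and hash-based matching is silently disabled. */`, which also documents the degraded behaviour behind the DBG1 message in the else branch.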
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 4eead4a9f..e44ba7d6f 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -50,11 +50,12 @@ ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID,
"ID_DER_ASN1_DN",
"ID_DER_ASN1_GN",
"ID_KEY_ID");
-ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_PUBKEY_SHA1, ID_KEY_ID,
+ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_CERT_DER_SHA1, ID_KEY_ID,
"ID_DER_ASN1_GN_URI",
"ID_PUBKEY_INFO_SHA1",
- "ID_PUBKEY_SHA1");
-ENUM_END(id_type_names, ID_PUBKEY_SHA1);
+ "ID_PUBKEY_SHA1",
+ "ID_CERT_DER_SHA1");
+ENUM_END(id_type_names, ID_CERT_DER_SHA1);
/**
* X.501 acronyms for well known object identifiers (OIDs)
@@ -941,6 +942,7 @@ static int print(FILE *stream, const struct printf_info *info,
case ID_KEY_ID:
case ID_PUBKEY_INFO_SHA1:
case ID_PUBKEY_SHA1:
+ case ID_CERT_DER_SHA1:
return fprintf(stream, "%#B", &this->encoded);
case ID_DER_ASN1_GN_URI:
{
@@ -1175,6 +1177,7 @@ identification_t *identification_create_from_encoding(id_type_t type, chunk_t en
case ID_DER_ASN1_GN_URI:
case ID_PUBKEY_INFO_SHA1:
case ID_PUBKEY_SHA1:
+ case ID_CERT_DER_SHA1:
default:
break;
}
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index 31c49c269..29318ce47 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -137,6 +137,11 @@ enum id_type_t {
* SHA1 hash over PKCS#1 subjectPublicKey
*/
ID_PUBKEY_SHA1,
+
+ /**
+ * SHA1 hash of the binary DER encoding of a certificate
+ */
+ ID_CERT_DER_SHA1,
};
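Review bot: The doc comment for ID_CERT_DER_SHA1 should say what encoding the identification carries and what it is used for, since the x509 plugin in this same commit compares it byte-for-byte against the raw digest produced by the hasher: I would write ` * SHA1 hash of the binary DER encoding of a certificate, as carried by hash-and-URL certificate payloads; the encoding is the raw 20 byte digest, not its hex representation`. It is also worth a one-line note here that the enum order is mirrored by the ENUM_NEXT/ENUM_END string table in identification.c (the hunk at `@@ -50,11 +50,12 @@` in this commit), so any future value must be appended in both places and the ENUM_END argument updated, otherwise the name lookup silently returns the wrong string.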
/**