diff options
author | Martin Willi <martin@strongswan.org> | 2009-08-24 14:11:44 +0200 |
---|---|---|
committer | Martin Willi <martin@strongswan.org> | 2009-08-26 11:23:52 +0200 |
commit | 6b6ece636c9160ab0f01c88df68dfa4e1e54a7ab (patch) | |
tree | d497a71d1bc890aa91478d5ff60c822f88665df8 /src | |
parent | a5e3153a36524c1689573cd04adc2125f879412f (diff) | |
download | strongswan-6b6ece636c9160ab0f01c88df68dfa4e1e54a7ab.tar.bz2 strongswan-6b6ece636c9160ab0f01c88df68dfa4e1e54a7ab.tar.xz |
updated x509 plugin to public key/x509 API changes
Diffstat (limited to 'src')
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_ac.c | 150 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_cert.c | 39 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_crl.c | 47 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_ocsp_request.c | 12 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_ocsp_response.c | 40 |
5 files changed, 134 insertions, 154 deletions
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c index f8052eedb..ab88c23e6 100644 --- a/src/libstrongswan/plugins/x509/x509_ac.c +++ b/src/libstrongswan/plugins/x509/x509_ac.c @@ -31,8 +31,8 @@ #include <credentials/certificates/x509.h> #include <credentials/keys/private_key.h> -extern identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob, - int level0, chunk_t *authKeySerialNumber); +extern chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, + int level0, chunk_t *authKeySerialNumber); typedef struct private_x509_ac_t private_x509_ac_t; @@ -40,7 +40,7 @@ typedef struct private_x509_ac_t private_x509_ac_t; * private data of x509_ac_t object */ struct private_x509_ac_t { - + /** * public functions */ @@ -50,32 +50,32 @@ struct private_x509_ac_t { * X.509 attribute certificate encoding in ASN.1 DER format */ chunk_t encoding; - + /** * X.509 attribute certificate body over which signature is computed */ chunk_t certificateInfo; - + /** * Version of the X.509 attribute certificate */ u_int version; - + /** * Serial number of the X.509 attribute certificate */ chunk_t serialNumber; - + /** * ID representing the issuer of the holder certificate */ identification_t *holderIssuer; - + /** * Serial number of the holder certificate */ chunk_t holderSerial; - + /** * ID representing the holder */ @@ -85,67 +85,67 @@ struct private_x509_ac_t { * ID representing the attribute certificate issuer */ identification_t *issuerName; - + /** * Start time of certificate validity */ time_t notBefore; - + /** * End time of certificate validity */ time_t notAfter; - + /** * List of charging attributes */ linked_list_t *charging; - + /** * List of groub attributes */ linked_list_t *groups; - + /** * Authority Key Identifier */ - identification_t *authKeyIdentifier; - + chunk_t authKeyIdentifier; + /** * Authority Key Serial Number */ chunk_t authKeySerialNumber; - + /** * No revocation information available */ bool noRevAvail; - + /** * Signature algorithm */ int algorithm; - + /** * Signature */ chunk_t signature; - - /** - * Holder certificate - */ + + /** + * Holder certificate + */ certificate_t *holderCert; - - /** - * Signer certificate - */ + + /** + * Signer certificate + */ certificate_t *signerCert; - - /** - * Signer private key; - */ + + /** + * Signer private key; + */ private_key_t *signerKey; - + /** * reference count */ @@ -458,7 +458,7 @@ static bool parse_certificate(private_x509_ac_t *this) break; case OID_AUTHORITY_KEY_ID: this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object, - level, &this->authKeySerialNumber); + level, &this->authKeySerialNumber); break; case OID_TARGET_INFORMATION: DBG2(" need to parse targetInformation"); @@ -567,29 +567,28 @@ static chunk_t build_attributes(private_x509_ac_t *this) */ static chunk_t build_authorityKeyIdentifier(private_x509_ac_t *this) { - chunk_t keyIdentifier; + chunk_t keyIdentifier = chunk_empty; chunk_t authorityCertIssuer; chunk_t authorityCertSerialNumber; - x509_t *x509 = (x509_t*)this->signerCert; - identification_t *issuer = this->signerCert->get_issuer(this->signerCert); - public_key_t *public = this->signerCert->get_public_key(this->signerCert); - + identification_t *issuer; + public_key_t *public; + x509_t *x509; + + x509 = (x509_t*)this->signerCert; + issuer = this->signerCert->get_issuer(this->signerCert); + public = this->signerCert->get_public_key(this->signerCert); if (public) { - identification_t *keyid = public->get_id(public, ID_PUBKEY_SHA1); - - this->authKeyIdentifier = keyid = keyid->clone(keyid); - keyIdentifier = keyid->get_encoding(keyid); + if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyIdentifier)) + { + this->authKeyIdentifier = chunk_clone(keyIdentifier); + } public->destroy(public); } - else - { - keyIdentifier = chunk_empty; - } authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1, - issuer->get_encoding(issuer)); + issuer->get_encoding(issuer)); authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2, - x509->get_serial(x509)); + x509->get_serial(x509)); return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_authorityKeyIdentifier_oid, asn1_wrap(ASN1_OCTET_STRING, "m", @@ -675,7 +674,7 @@ static identification_t* get_holderIssuer(private_x509_ac_t *this) /** * Implementation of ac_t.get_authKeyIdentifier. */ -static identification_t* get_authKeyIdentifier(private_x509_ac_t *this) +static chunk_t get_authKeyIdentifier(private_x509_ac_t *this) { return this->authKeyIdentifier; } @@ -709,7 +708,7 @@ static identification_t* get_issuer(private_x509_ac_t *this) */ static id_match_t has_subject(private_x509_ac_t *this, identification_t *subject) { - return ID_MATCH_NONE; + return ID_MATCH_NONE; } /** @@ -717,24 +716,12 @@ static id_match_t has_subject(private_x509_ac_t *this, identification_t *subject */ static id_match_t has_issuer(private_x509_ac_t *this, identification_t *issuer) { - id_match_t match; - - if (issuer->get_type(issuer) == ID_PUBKEY_SHA1) + if (issuer->get_type(issuer) == ID_KEY_ID && this->authKeyIdentifier.ptr && + chunk_equals(this->authKeyIdentifier, issuer->get_encoding(issuer))) { - if (this->authKeyIdentifier) - { - match = issuer->matches(issuer, this->authKeyIdentifier); - } - else - { - match = ID_MATCH_NONE; - } - } - else - { - match = this->issuerName->matches(this->issuerName, issuer); + return ID_MATCH_PERFECT; } - return match; + return this->issuerName->matches(this->issuerName, issuer); } /** @@ -756,32 +743,33 @@ static bool issued_by(private_x509_ac_t *this, certificate_t *issuer) { return FALSE; } - + /* get the public key of the issuer */ key = issuer->get_public_key(issuer); - + /* compare keyIdentifiers if available, otherwise use DNs */ - if (this->authKeyIdentifier && key) + if (this->authKeyIdentifier.ptr && key) { - identification_t *subjectKeyIdentifier = key->get_id(key, ID_PUBKEY_SHA1); - - if (!subjectKeyIdentifier->equals(subjectKeyIdentifier, - this->authKeyIdentifier)) + chunk_t fingerprint; + + if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) || + !chunk_equals(fingerprint, this->authKeyIdentifier)) { return FALSE; } } else { - if (!this->issuerName->equals(this->issuerName, issuer->get_subject(issuer))) + if (!this->issuerName->equals(this->issuerName, + issuer->get_subject(issuer))) { return FALSE; } } - + /* determine signature scheme */ scheme = signature_scheme_from_oid(this->algorithm); - + if (scheme == SIGN_UNKNOWN || key == NULL) { return FALSE; @@ -894,7 +882,6 @@ static void destroy(private_x509_ac_t *this) DESTROY_IF(this->holderIssuer); DESTROY_IF(this->entityName); DESTROY_IF(this->issuerName); - DESTROY_IF(this->authKeyIdentifier); DESTROY_IF(this->holderCert); DESTROY_IF(this->signerCert); DESTROY_IF(this->signerKey); @@ -902,6 +889,7 @@ static void destroy(private_x509_ac_t *this) ietfAttr_list_destroy(this->charging); ietfAttr_list_destroy(this->groups); free(this->serialNumber.ptr); + free(this->authKeyIdentifier.ptr); free(this->encoding.ptr); free(this); } @@ -918,7 +906,7 @@ static private_x509_ac_t *create_empty(void) this->public.interface.get_serial = (chunk_t (*)(ac_t*))get_serial; this->public.interface.get_holderSerial = (chunk_t (*)(ac_t*))get_holderSerial; this->public.interface.get_holderIssuer = (identification_t* (*)(ac_t*))get_holderIssuer; - this->public.interface.get_authKeyIdentifier = (identification_t* (*)(ac_t*))get_authKeyIdentifier; + this->public.interface.get_authKeyIdentifier = (chunk_t(*)(ac_t*))get_authKeyIdentifier; this->public.interface.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type; this->public.interface.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_subject; this->public.interface.certificate.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer; @@ -937,10 +925,10 @@ static private_x509_ac_t *create_empty(void) this->encoding = chunk_empty; this->serialNumber = chunk_empty; this->holderSerial = chunk_empty; + this->authKeyIdentifier = chunk_empty; this->holderIssuer = NULL; this->entityName = NULL; this->issuerName = NULL; - this->authKeyIdentifier = NULL; this->holderCert = NULL; this->signerCert = NULL; this->signerKey = NULL; @@ -984,9 +972,9 @@ struct private_builder_t { static private_x509_ac_t* build(private_builder_t *this) { private_x509_ac_t *ac = this->ac; - + free(this); - + /* synthesis if encoding does not exist */ if (ac && ac->encoding.ptr == NULL) { diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index 32627ebef..81a2b33a2 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -138,7 +138,7 @@ struct private_x509_cert_t { /** * Authority Key Identifier */ - identification_t *authKeyIdentifier; + chunk_t authKeyIdentifier; /** * Authority Key Serial Number @@ -421,13 +421,13 @@ static const asn1Object_t authKeyIdentifierObjects[] = { /** * Extracts an authoritykeyIdentifier */ -identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob, int level0, +chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0, chunk_t *authKeySerialNumber) { asn1_parser_t *parser; chunk_t object; int objectID; - identification_t *authKeyIdentifier = NULL; + chunk_t authKeyIdentifier = chunk_empty; *authKeySerialNumber = chunk_empty; @@ -439,8 +439,7 @@ identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob, int level0, switch (objectID) { case AUTH_KEY_ID_KEY_ID: - authKeyIdentifier = identification_create_from_encoding( - ID_PUBKEY_SHA1, object); + authKeyIdentifier = chunk_clone(object); break; case AUTH_KEY_ID_CERT_ISSUER: /* TODO: x509_parse_generalNames(object, level+1, TRUE); */ @@ -847,10 +846,12 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje enumerator_t *enumerator; id_match_t match, best; - if (this->encoding_hash.ptr && subject->get_type(subject) == ID_CERT_DER_SHA1 && - chunk_equals(this->encoding_hash, subject->get_encoding(subject))) + if (this->encoding_hash.ptr && subject->get_type(subject) == ID_KEY_ID) { - return ID_MATCH_PERFECT; + if (chunk_equals(this->encoding_hash, subject->get_encoding(subject))) + { + return ID_MATCH_PERFECT; + } } best = this->subject->matches(this->subject, subject); @@ -860,11 +861,11 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje match = current->matches(current, subject); if (match > best) { - best = match; + best = match; } } enumerator->destroy(enumerator); - return best; + return best; } /** @@ -1040,7 +1041,7 @@ static chunk_t get_serial(private_x509_cert_t *this) /** * Implementation of x509_t.get_authKeyIdentifier. */ -static identification_t *get_authKeyIdentifier(private_x509_cert_t *this) +static chunk_t get_authKeyIdentifier(private_x509_cert_t *this) { return this->authKeyIdentifier; } @@ -1083,7 +1084,7 @@ static void destroy(private_x509_cert_t *this) DESTROY_IF(this->issuer); DESTROY_IF(this->subject); DESTROY_IF(this->public_key); - DESTROY_IF(this->authKeyIdentifier); + chunk_free(&this->authKeyIdentifier); chunk_free(&this->encoding); chunk_free(&this->encoding_hash); if (!this->parsed) @@ -1118,7 +1119,7 @@ static private_x509_cert_t* create_empty(void) this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy; this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags; this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial; - this->public.interface.get_authKeyIdentifier = (identification_t* (*)(x509_t*))get_authKeyIdentifier; + this->public.interface.get_authKeyIdentifier = (chunk_t (*)(x509_t*))get_authKeyIdentifier; this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator; this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator; this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator; @@ -1137,7 +1138,7 @@ static private_x509_cert_t* create_empty(void) this->crl_uris = linked_list_create(); this->ocsp_uris = linked_list_create(); this->subjectKeyID = chunk_empty; - this->authKeyIdentifier = NULL; + this->authKeyIdentifier = chunk_empty; this->authKeySerialNumber = chunk_empty; this->algorithm = 0; this->signature = chunk_empty; @@ -1253,10 +1254,14 @@ static bool generate(private_builder_t *this) switch (this->cert->public_key->get_type(this->cert->public_key)) { case KEY_RSA: - key = this->cert->public_key->get_encoding(this->cert->public_key); + if (!this->cert->public_key->get_encoding(this->cert->public_key, + KEY_PUB_ASN1_DER, &key)) + { + return FALSE; + } key_info = asn1_wrap(ASN1_SEQUENCE, "cm", - asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), - asn1_bitstring("m", key)); + asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), + asn1_bitstring("m", key)); break; default: return FALSE; diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c index 93203bafe..e3d054c1c 100644 --- a/src/libstrongswan/plugins/x509/x509_crl.c +++ b/src/libstrongswan/plugins/x509/x509_crl.c @@ -101,7 +101,7 @@ struct private_x509_crl_t { /** * Authority Key Identifier */ - identification_t *authKeyIdentifier; + chunk_t authKeyIdentifier; /** * Authority Key Serial Number @@ -127,7 +127,7 @@ struct private_x509_crl_t { /** * from x509_cert */ -extern identification_t* x509_parse_authorityKeyIdentifier( +extern chunk_t x509_parse_authorityKeyIdentifier( chunk_t blob, int level0, chunk_t *authKeySerialNumber); @@ -337,10 +337,11 @@ static chunk_t get_serial(private_x509_crl_t *this) /** * Implementation of crl_t.get_authKeyIdentifier. */ -static identification_t* get_authKeyIdentifier(private_x509_crl_t *this) +static chunk_t get_authKeyIdentifier(private_x509_crl_t *this) { return this->authKeyIdentifier; } + /** * Implementation of crl_t.create_enumerator. */ @@ -372,24 +373,12 @@ static identification_t* get_issuer(private_x509_crl_t *this) */ static id_match_t has_issuer(private_x509_crl_t *this, identification_t *issuer) { - id_match_t match; - - if (issuer->get_type(issuer) == ID_PUBKEY_SHA1) - { - if (this->authKeyIdentifier) - { - match = issuer->matches(issuer, this->authKeyIdentifier); - } - else - { - match = ID_MATCH_NONE; - } - } - else + if (issuer->get_type(issuer) == ID_KEY_ID && this->authKeyIdentifier.ptr && + chunk_equals(this->authKeyIdentifier, issuer->get_encoding(issuer))) { - match = this->issuer->matches(this->issuer, issuer); + return ID_MATCH_PERFECT; } - return match; + return this->issuer->matches(this->issuer, issuer); } /** @@ -416,12 +405,12 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer) key = issuer->get_public_key(issuer); /* compare keyIdentifiers if available, otherwise use DNs */ - if (this->authKeyIdentifier && key) + if (this->authKeyIdentifier.ptr && key) { - identification_t *subjectKeyIdentifier = key->get_id(key, ID_PUBKEY_SHA1); - - if (!subjectKeyIdentifier->equals(subjectKeyIdentifier, - this->authKeyIdentifier)) + chunk_t fingerprint; + + if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) || + !chunk_equals(fingerprint, this->authKeyIdentifier)) { return FALSE; } @@ -433,10 +422,10 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer) return FALSE; } } - + /* determine signature scheme */ scheme = signature_scheme_from_oid(this->algorithm); - + if (scheme == SIGN_UNKNOWN || key == NULL) { return FALSE; @@ -562,7 +551,7 @@ static void destroy(private_x509_crl_t *this) { this->revoked->destroy_function(this->revoked, free); DESTROY_IF(this->issuer); - DESTROY_IF(this->authKeyIdentifier); + free(this->authKeyIdentifier.ptr); free(this->encoding.ptr); free(this); } @@ -576,7 +565,7 @@ static private_x509_crl_t* create_empty(void) private_x509_crl_t *this = malloc_thing(private_x509_crl_t); this->public.crl.get_serial = (chunk_t (*)(crl_t*))get_serial; - this->public.crl.get_authKeyIdentifier = (identification_t* (*)(crl_t*))get_authKeyIdentifier; + this->public.crl.get_authKeyIdentifier = (chunk_t (*)(crl_t*))get_authKeyIdentifier; this->public.crl.create_enumerator = (enumerator_t* (*)(crl_t*))create_enumerator; this->public.crl.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type; this->public.crl.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_issuer; @@ -597,7 +586,7 @@ static private_x509_crl_t* create_empty(void) this->issuer = NULL; this->crlNumber = chunk_empty; this->revoked = linked_list_create(); - this->authKeyIdentifier = NULL; + this->authKeyIdentifier = chunk_empty; this->authKeySerialNumber = chunk_empty; this->ref = 1; diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c index 4020d8d95..5892e2baf 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c @@ -159,23 +159,21 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this) hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); if (hasher) { - identification_t *keyid = public->get_id(public, ID_PUBKEY_SHA1); - if (keyid) + if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, + &issuerKeyHash)) { enumerator_t *enumerator; - - issuerKeyHash = keyid->get_encoding(keyid); - + issuer = cert->get_subject(cert); hasher->allocate_hash(hasher, issuer->get_encoding(issuer), &issuerNameHash); hasher->destroy(hasher); - + enumerator = this->candidates->create_enumerator(this->candidates); while (enumerator->enumerate(enumerator, &x509)) { chunk_t request, serialNumber; - + serialNumber = x509->get_serial(x509); request = build_Request(this, issuerNameHash, issuerKeyHash, serialNumber); diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c index 1b3187258..caaae6aa4 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c @@ -173,7 +173,8 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this, { hasher_t *hasher; identification_t *id; - chunk_t hash; + key_encoding_type_t type; + chunk_t hash, fingerprint; /* check serial first, is cheaper */ if (!chunk_equals(subject->get_serial(subject), response->serialNumber)) @@ -191,15 +192,16 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this, continue; } switch (response->hashAlgorithm) - { /* TODO: generic mapper function */ + { case OID_SHA1: - id = public->get_id(public, ID_PUBKEY_SHA1); + type = KEY_ID_PUBKEY_SHA1; break; default: public->destroy(public); continue; } - if (!chunk_equals(response->issuerKeyHash, id->get_encoding(id))) + if (!public->get_fingerprint(public, type, &fingerprint) || + !chunk_equals(response->issuerKeyHash, fingerprint)) { public->destroy(public); continue; @@ -525,7 +527,7 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this, break; case BASIC_RESPONSE_ID_BY_KEY: this->responderId = identification_create_from_encoding( - ID_PUBKEY_INFO_SHA1, object); + ID_KEY_ID, object); DBG2(" '%Y'", this->responderId); break; case BASIC_RESPONSE_PRODUCED_AT: @@ -694,30 +696,28 @@ static bool issued_by(private_x509_ocsp_response_t *this, certificate_t *issuer) { return FALSE; } - if (this->responderId->get_type(this->responderId) == ID_DER_ASN1_DN) + if (this->responderId->get_type(this->responderId) == ID_KEY_ID) { - if (!this->responderId->equals(this->responderId, - issuer->get_subject(issuer))) + chunk_t fingerprint; + + key = issuer->get_public_key(issuer); + if (!key || + !key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) || + !chunk_equals(fingerprint, + this->responderId->get_encoding(this->responderId))) { + DESTROY_IF(key); return FALSE; } + key->destroy(key); } - else + else { - bool equal; - public_key_t *public = issuer->get_public_key(issuer); - - if (public == NULL) + if (!this->responderId->equals(this->responderId, + issuer->get_subject(issuer))) { return FALSE; } - equal = this->responderId->equals(this->responderId, - public->get_id(public, ID_PUBKEY_SHA1)); - public->destroy(public); - if (!equal) - { - return FALSE; - } } if (!(x509->get_flags(x509) & X509_OCSP_SIGNER) && !(x509->get_flags(x509) & X509_CA)) |