Diffstat (limited to 'src/libstrongswan/plugins/x509')
-rw-r--r-- | src/libstrongswan/plugins/x509/ietf_attr_list.c | 12 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/ietf_attr_list.h | 4 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_ac.c | 82 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_cert.c | 178 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_crl.c | 64 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_ocsp_request.c | 66 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_ocsp_response.c | 68 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_plugin.c | 2 |
8 files changed, 238 insertions, 238 deletions
diff --git a/src/libstrongswan/plugins/x509/ietf_attr_list.c b/src/libstrongswan/plugins/x509/ietf_attr_list.c index 17f6949b2..97dca3123 100644 --- a/src/libstrongswan/plugins/x509/ietf_attr_list.c +++ b/src/libstrongswan/plugins/x509/ietf_attr_list.c @@ -1,4 +1,4 @@ -/* +/* * Copyright (C) 2007 Andreas Steffen, Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -52,7 +52,7 @@ struct ietfAttr_t { /** * Compares two ietfAttributes - * + * * return -1 if this is earlier in the alphabet than other * return 0 if this equals other * return +1 if this is later in the alphabet than other @@ -64,7 +64,7 @@ struct ietfAttr_t { /** * Destroys the ietfAttr_t object. - * + * * @param this ietfAttr_t to destroy */ void (*destroy) (ietfAttr_t *this); @@ -86,7 +86,7 @@ static int ietfAttr_compare(const ietfAttr_t *this ,const ietfAttr_t *other) { return 1; } - + cmp_len = this->value.len - other->value.len; len = (cmp_len < 0)? this->value.len : other->value.len; cmp_value = memcmp(this->value.ptr, other->value.ptr, len); @@ -271,7 +271,7 @@ void ietfAttr_list_create_from_string(char *msg, linked_list_t *list) if (group.len > 0) { ietfAttr_t *attr = ietfAttr_create(IETF_ATTRIBUTE_STRING, group); - + ietfAttr_add(list, attr); } } @@ -378,7 +378,7 @@ chunk_t ietfAttr_list_encode(linked_list_t *list) ietfAttribute = asn1_simple_object(type, attr->value); /* copy ietfAttribute into ietfAttributes chunk */ - memcpy(pos, ietfAttribute.ptr, ietfAttribute.len); + memcpy(pos, ietfAttribute.ptr, ietfAttribute.len); pos += ietfAttribute.len; free(ietfAttribute.ptr); } diff --git a/src/libstrongswan/plugins/x509/ietf_attr_list.h b/src/libstrongswan/plugins/x509/ietf_attr_list.h index 5807a899e..124468bac 100644 --- a/src/libstrongswan/plugins/x509/ietf_attr_list.h +++ b/src/libstrongswan/plugins/x509/ietf_attr_list.h 
@@ -31,7 +31,7 @@ * * @param list_a first alphabetically-sorted list * @param list_b second alphabetically-sorted list - * @return TRUE if equal + * @return TRUE if equal */ bool ietfAttr_list_equals(linked_list_t *list_a, linked_list_t *list_b); @@ -39,7 +39,7 @@ bool ietfAttr_list_equals(linked_list_t *list_a, linked_list_t *list_b); * @brief Lists a linked list of ietfAttr_t objects * * @param list alphabetically-sorted linked list of attributes - * @param out output file + * @param out output file */ void ietfAttr_list_list(linked_list_t *list, FILE *out); diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c index 1dfe1b80d..ebd6d8331 100644 --- a/src/libstrongswan/plugins/x509/x509_ac.c +++ b/src/libstrongswan/plugins/x509/x509_ac.c 
@@ -40,112 +40,112 @@ typedef struct private_x509_ac_t private_x509_ac_t; * private data of x509_ac_t object */ struct private_x509_ac_t { - + /** * public functions */ x509_ac_t public; - + /** * X.509 attribute certificate encoding in ASN.1 DER format */ chunk_t encoding; - + /** * X.509 attribute certificate body over which signature is computed */ chunk_t certificateInfo; - + /** * Version of the X.509 attribute certificate */ u_int version; - + /** * Serial number of the X.509 attribute certificate */ chunk_t serialNumber; - + /** * ID representing the issuer of the holder certificate */ identification_t *holderIssuer; - + /** * Serial number of the holder certificate */ chunk_t holderSerial; - + /** * ID representing the holder */ identification_t *entityName; - + /** * ID representing the attribute certificate issuer */ identification_t *issuerName; - + /** * Start time of certificate validity */ time_t notBefore; - + /** * End time of certificate validity */ time_t notAfter; - + /** * List of charging attributes */ linked_list_t *charging; - + /** * List of groub attributes */ linked_list_t *groups; - + /** * Authority Key Identifier */ chunk_t authKeyIdentifier; - + /** * Authority Key Serial Number */ chunk_t authKeySerialNumber; - + /** * No revocation information available */ bool noRevAvail; - + /** * Signature algorithm */ int algorithm; - + /** * Signature */ chunk_t signature; - + /** * Holder certificate */ certificate_t *holderCert; - + /** * Signer certificate */ certificate_t *signerCert; - + /** * Signer private key; */ private_key_t *signerKey; - + /** * reference count */ @@ -573,7 +573,7 @@ static chunk_t build_authorityKeyIdentifier(private_x509_ac_t *this) identification_t *issuer; public_key_t *public; x509_t *x509; - + x509 = (x509_t*)this->signerCert; issuer = this->signerCert->get_issuer(this->signerCert); public = this->signerCert->get_public_key(this->signerCert); 
@@ -733,7 +733,7 @@ static bool issued_by(private_x509_ac_t *this, certificate_t *issuer) signature_scheme_t scheme; bool valid; x509_t *x509 = (x509_t*)issuer; - + /* check if issuer is an X.509 AA certificate */ if (issuer->get_type(issuer) != CERT_X509) { @@ -743,22 +743,22 @@ static bool issued_by(private_x509_ac_t *this, certificate_t *issuer) { return FALSE; } - + /* get the public key of the issuer */ key = issuer->get_public_key(issuer); - + /* compare keyIdentifiers if available, otherwise use DNs */ if (this->authKeyIdentifier.ptr && key) { chunk_t fingerprint; - + if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) || !chunk_equals(fingerprint, this->authKeyIdentifier)) { return FALSE; } } - else + else { if (!this->issuerName->equals(this->issuerName, issuer->get_subject(issuer))) @@ -766,10 +766,10 @@ static bool issued_by(private_x509_ac_t *this, certificate_t *issuer) return FALSE; } } - + /* determine signature scheme */ scheme = signature_scheme_from_oid(this->algorithm); - + if (scheme == SIGN_UNKNOWN || key == NULL) { return FALSE; @@ -803,7 +803,7 @@ static bool get_validity(private_x509_ac_t *this, time_t *when, time_t *not_before, time_t *not_after) { time_t t; - + if (when) { t = *when; @@ -841,7 +841,7 @@ static bool is_newer(private_x509_ac_t *this, ac_t *that) &that_update, FALSE, new ? "replaced":"retained"); return new; } - + /** * Implementation of certificate_t.get_encoding. */ @@ -857,14 +857,14 @@ static bool equals(private_x509_ac_t *this, certificate_t *other) { chunk_t encoding; bool equal; - + if ((certificate_t*)this == other) { return TRUE; } if (other->equals == (void*)equals) { /* skip allocation if we have the same implementation */ - return chunk_equals(this->encoding, ((private_x509_ac_t*)other)->encoding); + return chunk_equals(this->encoding, ((private_x509_ac_t*)other)->encoding); } encoding = other->get_encoding(other); equal = chunk_equals(this->encoding, encoding); 
@@ -901,7 +901,7 @@ static void destroy(private_x509_ac_t *this) static private_x509_ac_t *create_empty(void) { private_x509_ac_t *this = malloc_thing(private_x509_ac_t); - + /* public functions */ this->public.interface.get_serial = (chunk_t (*)(ac_t*))get_serial; this->public.interface.get_holderSerial = (chunk_t (*)(ac_t*))get_holderSerial; @@ -972,9 +972,9 @@ struct private_builder_t { static private_x509_ac_t* build(private_builder_t *this) { private_x509_ac_t *ac = this->ac; - + free(this); - + /* synthesis if encoding does not exist */ if (ac && ac->encoding.ptr == NULL) { @@ -1062,18 +1062,18 @@ static void add(private_builder_t *this, builder_part_t part, ...) builder_t *x509_ac_builder(certificate_type_t type) { private_builder_t *this; - + if (type != CERT_X509_AC) { return NULL; } - + this = malloc_thing(private_builder_t); - + this->ac = create_empty(); this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add; this->public.build = (void*(*)(builder_t *this))build; - + return &this->public; } diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index 65527523a..9d6e2be87 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -64,17 +64,17 @@ struct private_x509_cert_t { * Public interface for this certificate. */ x509_cert_t public; - + /** * X.509 certificate encoding in ASN.1 DER format */ chunk_t encoding; - + /** * SHA1 hash of the DER encoding of this X.509 certificate */ chunk_t encoding_hash; - + /** * X.509 certificate body over which signature is computed */ 
@@ -84,87 +84,87 @@ struct private_x509_cert_t { * Version of the X.509 certificate */ u_int version; - + /** * Serial number of the X.509 certificate */ chunk_t serialNumber; - + /** * ID representing the certificate issuer */ identification_t *issuer; - + /** * Start time of certificate validity */ time_t notBefore; - + /** * End time of certificate validity */ time_t notAfter; - + /** * ID representing the certificate subject */ identification_t *subject; - + /** * List of subjectAltNames as identification_t */ linked_list_t *subjectAltNames; - + /** * List of crlDistributionPoints as allocated char* */ linked_list_t *crl_uris; - + /** * List ocspAccessLocations as identification_t */ linked_list_t *ocsp_uris; - + /** * certificates embedded public key */ public_key_t *public_key; - + /** * Subject Key Identifier */ chunk_t subjectKeyID; - + /** * Authority Key Identifier */ chunk_t authKeyIdentifier; - + /** * Authority Key Serial Number */ chunk_t authKeySerialNumber; - + /** * x509 constraints and other flags */ x509_flag_t flags; - + /** * Signature algorithm */ int algorithm; - + /** * Signature */ chunk_t signature; - + /** * Certificate parsed from blob/file? */ bool parsed; - + /** * reference count */ @@ -177,7 +177,7 @@ static u_char ASN1_sAN_oid_buf[] = { static const chunk_t ASN1_subjectAltName_oid = chunk_from_buf(ASN1_sAN_oid_buf); /** - * ASN.1 definition of a basicConstraints extension + * ASN.1 definition of a basicConstraints extension */ static const asn1Object_t basicConstraintsObjects[] = { { 0, "basicConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ @@ -215,7 +215,7 @@ static bool parse_basicConstraints(chunk_t blob, int level0) } /** - * ASN.1 definition of otherName + * ASN.1 definition of otherName */ static const asn1Object_t otherNameObjects[] = { {0, "type-id", ASN1_OID, ASN1_BODY }, /* 0 */ 
@@ -261,14 +261,14 @@ static bool parse_otherName(chunk_t blob, int level0) } } success = parser->success(parser); - + end: parser->destroy(parser); return success; } /** - * ASN.1 definition of generalName + * ASN.1 definition of generalName */ static const asn1Object_t generalNameObjects[] = { { 0, "otherName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_BODY }, /* 0 */ @@ -309,16 +309,16 @@ static identification_t *parse_generalName(chunk_t blob, int level0) asn1_parser_t *parser; chunk_t object; int objectID ; - + identification_t *gn = NULL; - + parser = asn1_parser_create(generalNameObjects, blob); parser->set_top_level(parser, level0); - + while (parser->iterate(parser, &objectID, &object)) { id_type_t id_type = ID_ANY; - + switch (objectID) { case GN_OBJ_RFC822_NAME: @@ -355,14 +355,14 @@ static identification_t *parse_generalName(chunk_t blob, int level0) goto end; } } - + end: parser->destroy(parser); return gn; } /** - * ASN.1 definition of generalNames + * ASN.1 definition of generalNames */ static const asn1Object_t generalNamesObjects[] = { { 0, "generalNames", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ @@ -380,18 +380,18 @@ void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_lis asn1_parser_t *parser; chunk_t object; int objectID; - + parser = asn1_parser_create(generalNamesObjects, blob); parser->set_top_level(parser, level0); parser->set_flags(parser, implicit, FALSE); - + while (parser->iterate(parser, &objectID, &object)) { if (objectID == GENERAL_NAMES_GN) { identification_t *gn = parse_generalName(object, parser->get_level(parser)+1); - + if (gn) { list->insert_last(list, (void *)gn); @@ -402,7 +402,7 @@ void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_lis } /** - * ASN.1 definition of a authorityKeyIdentifier extension + * ASN.1 definition of a authorityKeyIdentifier extension */ static const asn1Object_t authKeyIdentifierObjects[] = { { 0, "authorityKeyIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ 
@@ -428,15 +428,15 @@ chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0, chunk_t object; int objectID; chunk_t authKeyIdentifier = chunk_empty; - + *authKeySerialNumber = chunk_empty; - + parser = asn1_parser_create(authKeyIdentifierObjects, blob); parser->set_top_level(parser, level0); - + while (parser->iterate(parser, &objectID, &object)) { - switch (objectID) + switch (objectID) { case AUTH_KEY_ID_KEY_ID: authKeyIdentifier = chunk_clone(object); @@ -456,7 +456,7 @@ chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0, } /** - * ASN.1 definition of a authorityInfoAccess extension + * ASN.1 definition of a authorityInfoAccess extension */ static const asn1Object_t authInfoAccessObjects[] = { { 0, "authorityInfoAccess", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ @@ -479,13 +479,13 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0, chunk_t object; int objectID; int accessMethod = OID_UNKNOWN; - + parser = asn1_parser_create(authInfoAccessObjects, blob); parser->set_top_level(parser, level0); - + while (parser->iterate(parser, &objectID, &object)) { - switch (objectID) + switch (objectID) { case AUTH_INFO_ACCESS_METHOD: accessMethod = asn1_known_oid(object); @@ -499,7 +499,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0, { identification_t *id; char *uri; - + id = parse_generalName(object, parser->get_level(parser)+1); if (id == NULL) @@ -526,7 +526,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0, break; } } - + end: parser->destroy(parser); } 
@@ -551,13 +551,13 @@ static bool parse_extendedKeyUsage(chunk_t blob, int level0) chunk_t object; int objectID; bool ocsp_signing = FALSE; - + parser = asn1_parser_create(extendedKeyUsageObjects, blob); parser->set_top_level(parser, level0); - + while (parser->iterate(parser, &objectID, &object)) { - if (objectID == EXT_KEY_USAGE_PURPOSE_ID && + if (objectID == EXT_KEY_USAGE_PURPOSE_ID && asn1_known_oid(object) == OID_OCSP_SIGNING) { ocsp_signing = TRUE; @@ -598,24 +598,24 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0, chunk_t object; int objectID; linked_list_t *list = linked_list_create(); - + parser = asn1_parser_create(crlDistributionPointsObjects, blob); parser->set_top_level(parser, level0); - + while (parser->iterate(parser, &objectID, &object)) { if (objectID == CRL_DIST_POINTS_FULLNAME) { identification_t *id; - + /* append extracted generalNames to existing chained list */ x509_parse_generalNames(object, parser->get_level(parser)+1, TRUE, list); - + while (list->remove_last(list, (void**)&id) == SUCCESS) { char *uri; - + if (asprintf(&uri, "%Y", id) > 0) { this->crl_uris->insert_last(this->crl_uris, uri); @@ -687,13 +687,13 @@ static bool parse_certificate(private_x509_cert_t *this) int sig_alg = OID_UNKNOWN; bool success = FALSE; bool critical; - + parser = asn1_parser_create(certObjects, this->encoding); - + while (parser->iterate(parser, &objectID, &object)) { u_int level = parser->get_level(parser)+1; - + switch (objectID) { case X509_OBJ_TBS_CERTIFICATE: @@ -780,7 +780,7 @@ static bool parse_certificate(private_x509_cert_t *this) case OID_NS_CA_REVOCATION_URL: case OID_NS_CA_POLICY_URL: case OID_NS_COMMENT: - if (!asn1_parse_simple_object(&object, ASN1_IA5STRING, + if (!asn1_parse_simple_object(&object, ASN1_IA5STRING, level, oid_names[extn_oid].name)) { goto end; @@ -807,7 +807,7 @@ static bool parse_certificate(private_x509_cert_t *this) } } success = parser->success(parser); - + end: parser->destroy(parser); return success; 
@@ -845,7 +845,7 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje identification_t *current; enumerator_t *enumerator; id_match_t match, best; - + if (this->encoding_hash.ptr && subject->get_type(subject) == ID_KEY_ID) { if (chunk_equals(this->encoding_hash, subject->get_encoding(subject))) @@ -853,7 +853,7 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje return ID_MATCH_PERFECT; } } - + best = this->subject->matches(this->subject, subject); enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames); while (enumerator->enumerate(enumerator, ¤t)) @@ -886,7 +886,7 @@ static bool issued_by(private_x509_cert_t *this, certificate_t *issuer) signature_scheme_t scheme; bool valid; x509_t *x509 = (x509_t*)issuer; - + if (&this->public.interface.interface == issuer) { if (this->flags & X509_SELF_SIGNED) @@ -959,7 +959,7 @@ static bool get_validity(private_x509_cert_t *this, time_t *when, time_t *not_before, time_t *not_after) { time_t t; - + if (when) { t = *when; @@ -986,7 +986,7 @@ static bool is_newer(certificate_t *this, certificate_t *that) { time_t this_update, that_update, now = time(NULL); bool new; - + this->get_validity(this, &now, &this_update, NULL); that->get_validity(that, &now, &that_update, NULL); new = this_update > that_update; @@ -995,7 +995,7 @@ static bool is_newer(certificate_t *this, certificate_t *that) &that_update, FALSE, new ? "replaced":"retained"); return new; } - + /** * Implementation of certificate_t.get_encoding. */ @@ -1011,7 +1011,7 @@ static bool equals(private_x509_cert_t *this, certificate_t *other) { chunk_t encoding; bool equal; - + if (this == (private_x509_cert_t*)other) { return TRUE; 
@@ -1022,7 +1022,7 @@ static bool equals(private_x509_cert_t *this, certificate_t *other) } if (other->equals == (void*)equals) { /* skip allocation if we have the same implementation */ - return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding); + return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding); } encoding = other->get_encoding(other); equal = chunk_equals(this->encoding, encoding); @@ -1103,7 +1103,7 @@ static void destroy(private_x509_cert_t *this) static private_x509_cert_t* create_empty(void) { private_x509_cert_t *this = malloc_thing(private_x509_cert_t); - + this->public.interface.interface.get_type = (certificate_type_t (*) (certificate_t*))get_type; this->public.interface.interface.get_subject = (identification_t* (*) (certificate_t*))get_subject; this->public.interface.interface.get_issuer = (identification_t* (*) (certificate_t*))get_issuer; @@ -1123,12 +1123,12 @@ static private_x509_cert_t* create_empty(void) this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator; this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator; this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator; - + this->encoding = chunk_empty; this->encoding_hash = chunk_empty; this->tbsCertificate = chunk_empty; this->version = 3; - this->serialNumber = chunk_empty; + this->serialNumber = chunk_empty; this->notBefore = 0; this->notAfter = 0; this->public_key = NULL; @@ -1145,7 +1145,7 @@ static private_x509_cert_t* create_empty(void) this->flags = 0; this->ref = 1; this->parsed = FALSE; - + return this; } @@ -1156,7 +1156,7 @@ static private_x509_cert_t *create_from_chunk(chunk_t chunk) { hasher_t *hasher; private_x509_cert_t *this = create_empty(); - + this->encoding = chunk; this->parsed = TRUE; if (!parse_certificate(this)) 
@@ -1164,23 +1164,23 @@ static private_x509_cert_t *create_from_chunk(chunk_t chunk) destroy(this); return NULL; } - + /* check if the certificate is self-signed */ if (issued_by(this, &this->public.interface.interface)) { this->flags |= X509_SELF_SIGNED; } - + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); if (hasher == NULL) { - DBG1(" unable to create hash of certificate, SHA1 not supported"); + DBG1(" unable to create hash of certificate, SHA1 not supported"); destroy(this); - return NULL; + return NULL; } hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash); hasher->destroy(hasher); - + return this; } @@ -1213,7 +1213,7 @@ static bool generate(private_builder_t *this) chunk_t key_info; signature_scheme_t scheme; hasher_t *hasher; - + subject = this->cert->subject; if (this->sign_cert) { @@ -1242,7 +1242,7 @@ static bool generate(private_builder_t *this) this->cert->notAfter = this->cert->notBefore + 60 * 60 * 24 * 365; } this->cert->flags = this->flags; - + /* select signature scheme */ switch (this->sign_key->get_type(this->sign_key)) { @@ -1304,8 +1304,8 @@ static bool generate(private_builder_t *this) { /* TODO: encode subjectAltNames */ } - - this->cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm", + + this->cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm", asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2), asn1_integer("c", this->cert->serialNumber), asn1_algorithmIdentifier(this->cert->algorithm), @@ -1315,8 +1315,8 @@ static bool generate(private_builder_t *this) asn1_from_time(&this->cert->notAfter, ASN1_UTCTIME)), subject->get_encoding(subject), key_info, extensions); - - if (!this->sign_key->sign(this->sign_key, scheme, + + if (!this->sign_key->sign(this->sign_key, scheme, this->cert->tbsCertificate, &this->cert->signature)) { return FALSE; 
@@ -1325,7 +1325,7 @@ static bool generate(private_builder_t *this) this->cert->tbsCertificate, asn1_algorithmIdentifier(this->cert->algorithm), asn1_bitstring("c", this->cert->signature)); - + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); if (!hasher) { @@ -1343,7 +1343,7 @@ static bool generate(private_builder_t *this) static private_x509_cert_t *build(private_builder_t *this) { private_x509_cert_t *cert; - + if (this->cert) { this->cert->flags |= this->flags; @@ -1370,7 +1370,7 @@ static void add(private_builder_t *this, builder_part_t part, ...) va_list args; chunk_t chunk; bool handled = TRUE; - + va_start(args, part); switch (part) { @@ -1401,7 +1401,7 @@ static void add(private_builder_t *this, builder_part_t part, ...) va_end(args); return; } - + switch (part) { case BUILD_PUBLIC_KEY: @@ -1456,14 +1456,14 @@ static void add(private_builder_t *this, builder_part_t part, ...) builder_t *x509_cert_builder(certificate_type_t type) { private_builder_t *this; - + if (type != CERT_X509) { return NULL; } - + this = malloc_thing(private_builder_t); - + this->cert = NULL; this->flags = 0; this->sign_cert = NULL; @@ -1471,7 +1471,7 @@ builder_t *x509_cert_builder(certificate_type_t type) this->digest_alg = HASH_SHA1; this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add; this->public.build = (void*(*)(builder_t *this))build; - + return &this->public; } diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c index 8df0e2f75..e826f34f9 100644 --- a/src/libstrongswan/plugins/x509/x509_crl.c +++ b/src/libstrongswan/plugins/x509/x509_crl.c @@ -36,12 +36,12 @@ struct revoked_t { * serial of the revoked certificate */ chunk_t serial; - + /** * date of revocation */ time_t date; - + /** * reason for revocation */ @@ -57,7 +57,7 @@ struct private_x509_crl_t { * public functions */ x509_crl_t public; - + /** * X.509 crl encoding in ASN.1 DER format */ 
@@ -72,12 +72,12 @@ struct private_x509_crl_t { * Version of the X.509 crl */ u_int version; - + /** * ID representing the crl issuer */ identification_t *issuer; - + /** * CRL number */ @@ -97,7 +97,7 @@ struct private_x509_crl_t { * list of revoked certificates as revoked_t */ linked_list_t *revoked; - + /** * Authority Key Identifier */ @@ -107,17 +107,17 @@ struct private_x509_crl_t { * Authority Key Serial Number */ chunk_t authKeySerialNumber; - + /** * Signature algorithm */ int algorithm; - + /** * Signature */ chunk_t signature; - + /** * reference counter */ @@ -128,7 +128,7 @@ struct private_x509_crl_t { * from x509_cert */ extern chunk_t x509_parse_authorityKeyIdentifier( - chunk_t blob, int level0, + chunk_t blob, int level0, chunk_t *authKeySerialNumber); /** @@ -140,7 +140,7 @@ static const asn1Object_t crlObjects[] = { { 2, "version", ASN1_INTEGER, ASN1_OPT | ASN1_BODY }, /* 2 */ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 3 */ - { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 4 */ + { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 4 */ { 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */ { 2, "thisUpdate", ASN1_EOC, ASN1_RAW }, /* 6 */ { 2, "nextUpdate", ASN1_EOC, ASN1_RAW }, /* 7 */ @@ -348,7 +348,7 @@ static chunk_t get_authKeyIdentifier(private_x509_crl_t *this) static enumerator_t* create_enumerator(private_x509_crl_t *this) { return enumerator_create_filter( - this->revoked->create_enumerator(this->revoked), + this->revoked->create_enumerator(this->revoked), (void*)filter, NULL, NULL); } @@ -390,7 +390,7 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer) signature_scheme_t scheme; bool valid; x509_t *x509 = (x509_t*)issuer; - + /* check if issuer is an X.509 CA certificate */ if (issuer->get_type(issuer) != CERT_X509) { 
@@ -408,24 +408,24 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer) if (this->authKeyIdentifier.ptr && key) { chunk_t fingerprint; - + if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) || !chunk_equals(fingerprint, this->authKeyIdentifier)) { return FALSE; } } - else + else { if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer))) { return FALSE; } } - + /* determine signature scheme */ scheme = signature_scheme_from_oid(this->algorithm); - + if (scheme == SIGN_UNKNOWN || key == NULL) { return FALSE; @@ -459,7 +459,7 @@ static bool get_validity(private_x509_crl_t *this, time_t *when, time_t *not_before, time_t *not_after) { time_t t; - + if (when) { t = *when; @@ -486,7 +486,7 @@ static bool is_newer(private_x509_crl_t *this, crl_t *that) { chunk_t that_crlNumber = that->get_serial(that); bool new; - + /* compare crlNumbers if available - otherwise use thisUpdate */ if (this->crlNumber.ptr != NULL && that_crlNumber.ptr != NULL) { @@ -495,7 +495,7 @@ static bool is_newer(private_x509_crl_t *this, crl_t *that) &this->crlNumber, new ? "newer":"not newer", &that_crlNumber, new ? "replaced":"retained"); } - else + else { certificate_t *this_cert = &this->public.crl.certificate; certificate_t *that_cert = &that->certificate; @@ -511,7 +511,7 @@ static bool is_newer(private_x509_crl_t *this, crl_t *that) } return new; } - + /** * Implementation of certificate_t.get_encoding. */ @@ -527,14 +527,14 @@ static bool equals(private_x509_crl_t *this, certificate_t *other) { chunk_t encoding; bool equal; - + if ((certificate_t*)this == other) { return TRUE; } if (other->equals == (void*)equals) { /* skip allocation if we have the same implementation */ - return chunk_equals(this->encoding, ((private_x509_crl_t*)other)->encoding); + return chunk_equals(this->encoding, ((private_x509_crl_t*)other)->encoding); } encoding = other->get_encoding(other); equal = chunk_equals(this->encoding, encoding); 
@@ -563,7 +563,7 @@ static void destroy(private_x509_crl_t *this) static private_x509_crl_t* create_empty(void) { private_x509_crl_t *this = malloc_thing(private_x509_crl_t); - + this->public.crl.get_serial = (chunk_t (*)(crl_t*))get_serial; this->public.crl.get_authKeyIdentifier = (chunk_t (*)(crl_t*))get_authKeyIdentifier; this->public.crl.create_enumerator = (enumerator_t* (*)(crl_t*))create_enumerator; @@ -580,7 +580,7 @@ static private_x509_crl_t* create_empty(void) this->public.crl.certificate.equals = (bool (*)(certificate_t*, certificate_t *other))equals; this->public.crl.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref; this->public.crl.certificate.destroy = (void (*)(certificate_t *this))destroy; - + this->encoding = chunk_empty; this->tbsCertList = chunk_empty; this->issuer = NULL; @@ -589,7 +589,7 @@ static private_x509_crl_t* create_empty(void) this->authKeyIdentifier = chunk_empty; this->authKeySerialNumber = chunk_empty; this->ref = 1; - + return this; } @@ -610,7 +610,7 @@ struct private_builder_t { static private_x509_crl_t *build(private_builder_t *this) { private_x509_crl_t *crl = NULL; - + if (this->blob.len && this->blob.ptr) { crl = create_empty(); @@ -631,7 +631,7 @@ static private_x509_crl_t *build(private_builder_t *this) static void add(private_builder_t *this, builder_part_t part, ...) { va_list args; - + switch (part) { case BUILD_BLOB_ASN1_DER: @@ -653,18 +653,18 @@ static void add(private_builder_t *this, builder_part_t part, ...) builder_t *x509_crl_builder(certificate_type_t type) { private_builder_t *this; - + if (type != CERT_X509_CRL) { return NULL; } this = malloc_thing(private_builder_t); - + this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add; this->public.build = (void*(*)(builder_t *this))build; - + this->blob = chunk_empty; - + return &this->public; } 
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c index e772b9720..76f82a4d4 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c @@ -39,12 +39,12 @@ struct private_x509_ocsp_request_t { * public functions */ x509_ocsp_request_t public; - + /** * CA the candidates belong to */ x509_t *ca; - + /** * Requestor name, subject of cert used if not set */ @@ -54,27 +54,27 @@ struct private_x509_ocsp_request_t { * Requestor certificate, included in request */ certificate_t *cert; - + /** * Requestor private key to sign request */ private_key_t *key; - + /** * list of certificates to check, x509_t */ linked_list_t *candidates; - + /** * nonce used in request */ chunk_t nonce; - + /** * encoded OCSP request */ chunk_t encoding; - + /** * reference count */ @@ -120,7 +120,7 @@ static chunk_t build_requestorName(private_x509_ocsp_request_t *this) return asn1_wrap(ASN1_CONTEXT_C_1, "m", asn1_simple_object(ASN1_CONTEXT_C_4, this->requestor->get_encoding(this->requestor))); - + } return chunk_empty; } @@ -151,7 +151,7 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this) certificate_t *cert; chunk_t list = chunk_empty; public_key_t *public; - + cert = (certificate_t*)this->ca; public = cert->get_public_key(cert); if (public) @@ -163,17 +163,17 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this) &issuerKeyHash)) { enumerator_t *enumerator; - + issuer = cert->get_subject(cert); hasher->allocate_hash(hasher, issuer->get_encoding(issuer), &issuerNameHash); hasher->destroy(hasher); - + enumerator = this->candidates->create_enumerator(this->candidates); while (enumerator->enumerate(enumerator, &x509)) { chunk_t request, serialNumber; - + serialNumber = x509->get_serial(x509); request = build_Request(this, issuerNameHash, issuerKeyHash, serialNumber); 
@@ -202,7 +202,7 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this) static chunk_t build_nonce(private_x509_ocsp_request_t *this) { rng_t *rng; - + rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); if (rng) { @@ -256,7 +256,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this, int oid; signature_scheme_t scheme; chunk_t certs, signature; - + switch (this->key->get_type(this->key)) { /* TODO: use a generic mapping function */ @@ -273,7 +273,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this, key_type_names, this->key->get_type(this->key)); return chunk_empty; } - + if (!this->key->sign(this->key, scheme, tbsRequest, &signature)) { DBG1("creating OCSP signature failed, skipped"); @@ -286,7 +286,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this, this->cert->get_encoding(this->cert))); } return asn1_wrap(ASN1_CONTEXT_C_0, "m", - asn1_wrap(ASN1_SEQUENCE, "cmm", + asn1_wrap(ASN1_SEQUENCE, "cmm", asn1_algorithmIdentifier(oid), asn1_bitstring("m", signature), certs)); @@ -299,7 +299,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this, static chunk_t build_OCSPRequest(private_x509_ocsp_request_t *this) { chunk_t tbsRequest, optionalSignature = chunk_empty; - + tbsRequest = build_tbsRequest(this); if (this->key) { @@ -323,7 +323,7 @@ static certificate_type_t get_type(private_x509_ocsp_request_t *this) static identification_t* get_subject(private_x509_ocsp_request_t *this) { certificate_t *ca = (certificate_t*)this->ca; - + if (this->requestor) { return this->requestor; @@ -341,7 +341,7 @@ static identification_t* get_subject(private_x509_ocsp_request_t *this) static identification_t* get_issuer(private_x509_ocsp_request_t *this) { certificate_t *ca = (certificate_t*)this->ca; - + return ca->get_subject(ca); } 
@@ -361,11 +361,11 @@ static id_match_t has_subject(private_x509_ocsp_request_t *this, match = current->has_subject(current, subject); if (match > best) { - best = match; + best = match; } } enumerator->destroy(enumerator); - return best; + return best; } /** @@ -414,7 +414,7 @@ static bool get_validity(private_x509_ocsp_request_t *this, time_t *when, } return cert->get_validity(cert, when, not_before, not_after); } - + /** * Implementation of certificate_t.get_encoding. */ @@ -430,7 +430,7 @@ static bool equals(private_x509_ocsp_request_t *this, certificate_t *other) { chunk_t encoding; bool equal; - + if (this == (private_x509_ocsp_request_t*)other) { return TRUE; @@ -441,7 +441,7 @@ static bool equals(private_x509_ocsp_request_t *this, certificate_t *other) } if (other->equals == (void*)equals) { /* skip allocation if we have the same implementation */ - return chunk_equals(this->encoding, ((private_x509_ocsp_request_t*)other)->encoding); + return chunk_equals(this->encoding, ((private_x509_ocsp_request_t*)other)->encoding); } encoding = other->get_encoding(other); equal = chunk_equals(this->encoding, encoding); @@ -482,7 +482,7 @@ static void destroy(private_x509_ocsp_request_t *this) static private_x509_ocsp_request_t *create_empty() { private_x509_ocsp_request_t *this = malloc_thing(private_x509_ocsp_request_t); - + this->public.interface.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type; this->public.interface.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject; this->public.interface.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer; 
@@ -495,7 +495,7 @@ static private_x509_ocsp_request_t *create_empty() this->public.interface.interface.equals = (bool(*)(certificate_t*, certificate_t *other))equals; this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref; this->public.interface.interface.destroy = (void (*)(certificate_t *this))destroy; - + this->ca = NULL; this->requestor = NULL; this->cert = NULL; @@ -504,7 +504,7 @@ static private_x509_ocsp_request_t *create_empty() this->encoding = chunk_empty; this->candidates = linked_list_create(); this->ref = 1; - + return this; } @@ -525,7 +525,7 @@ struct private_builder_t { static x509_ocsp_request_t *build(private_builder_t *this) { private_x509_ocsp_request_t *req; - + req = this->req; free(this); if (req->ca) @@ -546,7 +546,7 @@ static void add(private_builder_t *this, builder_part_t part, ...) certificate_t *cert; identification_t *subject; private_key_t *private; - + va_start(args, part); switch (part) { @@ -595,18 +595,18 @@ static void add(private_builder_t *this, builder_part_t part, ...) builder_t *x509_ocsp_request_builder(certificate_type_t type) { private_builder_t *this; - + if (type != CERT_X509_OCSP_REQUEST) { return NULL; } - + this = malloc_thing(private_builder_t); - + this->req = create_empty(); this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add; this->public.build = (void*(*)(builder_t *this))build; - + return &this->public; } diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c index 1472d3d7f..4e2336a09 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c 
@@ -45,42 +45,42 @@ struct private_x509_ocsp_response_t { * Public interface for this ocsp object. */ x509_ocsp_response_t public; - + /** * complete encoded OCSP response */ chunk_t encoding; - + /** * data for signature verficiation */ chunk_t tbsResponseData; - + /** * signature algorithm (OID) */ int signatureAlgorithm; - + /** * signature */ chunk_t signature; - + /** * name or keyid of the responder */ identification_t *responderId; - + /** * time of response production */ time_t producedAt; - + /** * latest nextUpdate in this OCSP response */ time_t usableUntil; - + /** * list of included certificates */ @@ -95,7 +95,7 @@ struct private_x509_ocsp_response_t { * Nonce required for ocsp request and response */ chunk_t nonce; - + /** * reference counter */ @@ -167,7 +167,7 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this, single_response_t *response; cert_validation_t status = VALIDATION_FAILED; certificate_t *issuercert = &issuer->interface; - + enumerator = this->responses->create_enumerator(this->responses); while (enumerator->enumerate(enumerator, &response)) { @@ -175,7 +175,7 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this, identification_t *id; key_encoding_type_t type; chunk_t hash, fingerprint; - + /* check serial first, is cheaper */ if (!chunk_equals(subject->get_serial(subject), response->serialNumber)) { @@ -185,7 +185,7 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this, if (response->issuerKeyHash.ptr) { public_key_t *public; - + public = issuercert->get_public_key(issuercert); if (!public) { @@ -211,7 +211,7 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this, /* check issuerNameHash, if available */ else if (response->issuerNameHash.ptr) { - hasher = lib->crypto->create_hasher(lib->crypto, + hasher = lib->crypto->create_hasher(lib->crypto, hasher_algorithm_from_oid(response->hashAlgorithm)); if (!hasher) { 
@@ -235,7 +235,7 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this, *revocation_reason = response->revocationReason; *this_update = response->thisUpdate; *next_update = response->nextUpdate; - + break; } enumerator->destroy(enumerator); @@ -312,7 +312,7 @@ static bool parse_singleResponse(private_x509_ocsp_response_t *this, bool success = FALSE; single_response_t *response; - + response = malloc_thing(single_response_t); response->hashAlgorithm = OID_UNKNOWN; response->issuerNameHash = chunk_empty; @@ -402,14 +402,14 @@ static const asn1Object_t responsesObjects[] = { /** * Parse all responses */ -static bool parse_responses(private_x509_ocsp_response_t *this, +static bool parse_responses(private_x509_ocsp_response_t *this, chunk_t blob, int level0) { asn1_parser_t *parser; chunk_t object; int objectID; bool success = FALSE; - + parser = asn1_parser_create(responsesObjects, blob); parser->set_top_level(parser, level0); @@ -486,7 +486,7 @@ static const asn1Object_t basicResponseObjects[] = { /** * Parse a basicOCSPResponse */ -static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this, +static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this, chunk_t blob, int level0) { asn1_parser_t *parser; @@ -498,7 +498,7 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this, certificate_t *cert; bool success = FALSE; bool critical; - + parser = asn1_parser_create(basicResponseObjects, blob); parser->set_top_level(parser, level0); @@ -691,7 +691,7 @@ static bool issued_by(private_x509_ocsp_response_t *this, certificate_t *issuer) signature_scheme_t scheme; bool valid; x509_t *x509 = (x509_t*)issuer; - + if (issuer->get_type(issuer) != CERT_X509) { return FALSE; 
@@ -699,7 +699,7 @@ static bool issued_by(private_x509_ocsp_response_t *this, certificate_t *issuer) if (this->responderId->get_type(this->responderId) == ID_KEY_ID) { chunk_t fingerprint; - + key = issuer->get_public_key(issuer); if (!key || !key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) || @@ -711,7 +711,7 @@ static bool issued_by(private_x509_ocsp_response_t *this, certificate_t *issuer) } key->destroy(key); } - else + else { if (!this->responderId->equals(this->responderId, issuer->get_subject(issuer))) @@ -791,7 +791,7 @@ static bool is_newer(certificate_t *this, certificate_t *that) &that_update, FALSE, new ? "replaced":"retained"); return new; } - + /** * Implementation of certificate_t.get_encoding. */ @@ -807,7 +807,7 @@ static bool equals(private_x509_ocsp_response_t *this, certificate_t *other) { chunk_t encoding; bool equal; - + if (this == (private_x509_ocsp_response_t*)other) { return TRUE; @@ -818,7 +818,7 @@ static bool equals(private_x509_ocsp_response_t *this, certificate_t *other) } if (other->equals == (void*)equals) { /* skip allocation if we have the same implementation */ - return chunk_equals(this->encoding, ((private_x509_ocsp_response_t*)other)->encoding); + return chunk_equals(this->encoding, ((private_x509_ocsp_response_t*)other)->encoding); } encoding = other->get_encoding(other); equal = chunk_equals(this->encoding, encoding); @@ -856,9 +856,9 @@ static void destroy(private_x509_ocsp_response_t *this) static x509_ocsp_response_t *load(chunk_t data) { private_x509_ocsp_response_t *this; - + this = malloc_thing(private_x509_ocsp_response_t); - + this->public.interface.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type; this->public.interface.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_issuer; this->public.interface.certificate.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer; 
@@ -874,7 +874,7 @@ static x509_ocsp_response_t *load(chunk_t data) this->public.interface.certificate.destroy = (void (*)(certificate_t *this))destroy; this->public.interface.get_status = (cert_validation_t(*)(ocsp_response_t*, x509_t *subject, x509_t *issuer, time_t *revocation_time,crl_reason_t *revocation_reason,time_t *this_update, time_t *next_update))get_status; this->public.interface.create_cert_enumerator = (enumerator_t*(*)(ocsp_response_t*))create_cert_enumerator; - + this->ref = 1; this->encoding = data; this->tbsResponseData = chunk_empty; @@ -913,7 +913,7 @@ struct private_builder_t { static x509_ocsp_response_t *build(private_builder_t *this) { x509_ocsp_response_t *res = this->res; - + free(this); return res; } @@ -927,7 +927,7 @@ static void add(private_builder_t *this, builder_part_t part, ...) { va_list args; chunk_t chunk; - + switch (part) { case BUILD_BLOB_ASN1_DER: @@ -955,18 +955,18 @@ static void add(private_builder_t *this, builder_part_t part, ...) builder_t *x509_ocsp_response_builder(certificate_type_t type) { private_builder_t *this; - + if (type != CERT_X509_OCSP_RESPONSE) { return NULL; } - + this = malloc_thing(private_builder_t); - + this->res = NULL; this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add; this->public.build = (void*(*)(builder_t *this))build; - + return &this->public; } diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c index 9ed7f95bd..b7e8b5bd3 100644 --- a/src/libstrongswan/plugins/x509/x509_plugin.c +++ b/src/libstrongswan/plugins/x509/x509_plugin.c @@ -59,7 +59,7 @@ static void destroy(private_x509_plugin_t *this) plugin_t *plugin_create() { private_x509_plugin_t *this = malloc_thing(private_x509_plugin_t); - + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, |