Return to acert_validator.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libstrongswan / plugins / acert |
1.1 misho 1: /* 2: * Copyright (C) 2014 Martin Willi 3: * Copyright (C) 2014 revosec AG 4: * 5: * This program is free software; you can redistribute it and/or modify it 6: * under the terms of the GNU General Public License as published by the 7: * Free Software Foundation; either version 2 of the License, or (at your 8: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. 9: * 10: * This program is distributed in the hope that it will be useful, but 11: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY 12: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 13: * for more details. 14: */ 15: 16: #define _GNU_SOURCE 17: #include <library.h> 18: 19: #include "acert_validator.h" 20: 21: #include <credentials/certificates/x509.h> 22: #include <credentials/certificates/ac.h> 23: 24: typedef struct private_acert_validator_t private_acert_validator_t; 25: 26: /** 27: * Private data of an acert_validator_t object. 28: */ 29: struct private_acert_validator_t { 30: 31: /** 32: * Public acert_validator_t interface. 33: */ 34: acert_validator_t public; 35: }; 36: 37: /** 38: * Check if an AC can be trusted 39: */ 40: static bool verify(private_acert_validator_t *this, certificate_t *ac) 41: { 42: certificate_t *issuer; 43: enumerator_t *enumerator; 44: bool verified = FALSE; 45: 46: if (!ac->get_validity(ac, NULL, NULL, NULL)) 47: { 48: return FALSE; 49: } 50: DBG1(DBG_CFG, "verifying attribute certificate issued by \"%Y\"", 51: ac->get_issuer(ac)); 52: enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY, 53: ac->get_issuer(ac), TRUE); 54: while (enumerator->enumerate(enumerator, &issuer, NULL)) 55: { 56: if (issuer->get_validity(issuer, NULL, NULL, NULL)) 57: { 58: if (lib->credmgr->issued_by(lib->credmgr, ac, issuer, NULL)) 59: { 60: verified = TRUE; 61: break; 62: } 63: } 64: } 65: enumerator->destroy(enumerator); 66: 67: return verified; 68: } 69: 70: /** 71: * Apply AC group membership to auth config 72: */ 73: static void apply(private_acert_validator_t *this, ac_t *ac, auth_cfg_t *auth) 74: { 75: enumerator_t *enumerator; 76: ac_group_type_t type; 77: chunk_t chunk; 78: 79: enumerator = ac->create_group_enumerator(ac); 80: while (enumerator->enumerate(enumerator, &type, &chunk)) 81: { 82: if (type == AC_GROUP_TYPE_STRING) 83: { 84: auth->add(auth, AUTH_RULE_GROUP, 85: identification_create_from_data(chunk)); 86: } 87: } 88: enumerator->destroy(enumerator); 89: } 90: 91: METHOD(cert_validator_t, validate, bool, 92: private_acert_validator_t *this, certificate_t *subject, 93: certificate_t *issuer, bool online, u_int pathlen, bool anchor, 94: auth_cfg_t *auth) 95: { 96: /* for X.509 end entity certs only */ 97: if (pathlen == 0 && subject->get_type(subject) == CERT_X509) 98: { 99: x509_t *x509 = (x509_t*)subject; 100: enumerator_t *enumerator; 101: identification_t *id, *serial; 102: ac_t *ac; 103: 104: /* find attribute certificates by serial and issuer. A lookup by 105: * the holder DN would work as well, but RFC 5755 recommends the use 106: * of baseCertificateID. */ 107: serial = identification_create_from_encoding(ID_KEY_ID, 108: x509->get_serial(x509)); 109: enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, 110: CERT_X509_AC, KEY_ANY, serial, FALSE); 111: while (enumerator->enumerate(enumerator, &ac)) 112: { 113: id = ac->get_holderIssuer(ac); 114: if (id && id->equals(id, subject->get_issuer(subject))) 115: { 116: if (verify(this, &ac->certificate)) 117: { 118: apply(this, ac, auth); 119: } 120: } 121: } 122: enumerator->destroy(enumerator); 123: serial->destroy(serial); 124: } 125: return TRUE; 126: } 127: 128: METHOD(acert_validator_t, destroy, void, 129: private_acert_validator_t *this) 130: { 131: free(this); 132: } 133: 134: /** 135: * See header 136: */ 137: acert_validator_t *acert_validator_create() 138: { 139: private_acert_validator_t *this; 140: 141: INIT(this, 142: .public = { 143: .validator.validate = _validate, 144: .destroy = _destroy, 145: }, 146: ); 147: 148: return &this->public; 149: }