[BACK]Return to pubkey_cert.c CVS log [TXT] [DIR] Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libstrongswan / plugins / pubkey
File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libstrongswan / plugins / pubkey / pubkey_cert.c
Revision 1.1.1.1 (vendor branch): download - view: text, annotated - select for diffs - revision graph
Wed Jun 3 09:46:44 2020 UTC (4 years, 1 month ago) by misho
Branches: strongswan, MAIN
CVS tags: v5_9_2p0, v5_8_4p7, HEAD
Strongswan

/*
 * Copyright (C) 2008 Martin Willi
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include "pubkey_cert.h"

#include <time.h>

#include <utils/debug.h>

typedef struct private_pubkey_cert_t private_pubkey_cert_t;

/**
 * private data of pubkey_cert
 */
struct private_pubkey_cert_t {

	/**
	 * public functions
	 */
	pubkey_cert_t public;

	/**
	 * wrapped public key
	 */
	public_key_t *key;

	/**
	 * dummy issuer id, ID_ANY
	 */
	identification_t *issuer;

	/**
	 * subject, ID_KEY_ID of the public key
	 */
	identification_t *subject;

	/**
	 * key inception time
	 */
	time_t notBefore;

	/**
	 * key expiration time
	 */
	time_t notAfter;

	/**
	 * reference count
	 */
	refcount_t ref;
};

METHOD(certificate_t, get_type, certificate_type_t,
	private_pubkey_cert_t *this)
{
	return CERT_TRUSTED_PUBKEY;
}

METHOD(certificate_t, get_subject, identification_t*,
	private_pubkey_cert_t *this)
{
	return this->subject;
}

METHOD(certificate_t, get_issuer, identification_t*,
	private_pubkey_cert_t *this)
{
	return this->issuer;
}

METHOD(certificate_t, has_subject, id_match_t,
	private_pubkey_cert_t *this, identification_t *subject)
{
	if (subject->get_type(subject) == ID_KEY_ID)
	{
		cred_encoding_type_t type;
		chunk_t fingerprint;

		for (type = 0; type < CRED_ENCODING_MAX; type++)
		{
			if (this->key->get_fingerprint(this->key, type, &fingerprint) &&
				chunk_equals(fingerprint, subject->get_encoding(subject)))
			{
				return ID_MATCH_PERFECT;
			}
		}
	}

	return this->subject->matches(this->subject, subject);
}

METHOD(certificate_t, has_issuer, id_match_t,
	private_pubkey_cert_t *this, identification_t *issuer)
{
	return ID_MATCH_NONE;
}

METHOD(certificate_t, equals, bool,
	private_pubkey_cert_t *this, certificate_t *other)
{
	identification_t *other_subject;
	public_key_t *other_key;

	if (this == (private_pubkey_cert_t*)other)
	{
		return TRUE;
	}
	if (other->get_type(other) != CERT_TRUSTED_PUBKEY)
	{
		return FALSE;
	}
	other_key = other->get_public_key(other);
	if (other_key)
	{
		if (public_key_equals(this->key, other_key))
		{
			other_key->destroy(other_key);
			other_subject = other->get_subject(other);
			return other_subject->equals(other_subject, this->subject);
		}
		other_key->destroy(other_key);
	}
	return FALSE;
}

METHOD(certificate_t, issued_by, bool,
	private_pubkey_cert_t *this, certificate_t *issuer,
	signature_params_t **scheme)
{
	bool valid = equals(this, issuer);
	if (valid && scheme)
	{
		INIT(*scheme,
			.scheme = SIGN_UNKNOWN,
		);
	}
	return valid;
}

METHOD(certificate_t, get_public_key,  public_key_t*,
	private_pubkey_cert_t *this)
{
	this->key->get_ref(this->key);
	return this->key;
}

METHOD(certificate_t, get_validity, bool,
	private_pubkey_cert_t *this, time_t *when, time_t *not_before,
	time_t *not_after)
{
	time_t t = when ? *when : time(NULL);

	if (not_before)
	{
		*not_before = this->notBefore;
	}
	if (not_after)
	{
		*not_after = this->notAfter;
	}
	return ((this->notBefore == UNDEFINED_TIME || t >= this->notBefore) &&
			(this->notAfter  == UNDEFINED_TIME || t <= this->notAfter));
}

METHOD(certificate_t, get_encoding, bool,
	private_pubkey_cert_t *this, cred_encoding_type_t type, chunk_t *encoding)
{
	return this->key->get_encoding(this->key, type, encoding);
}

METHOD(certificate_t, get_ref, certificate_t*,
	private_pubkey_cert_t *this)
{
	ref_get(&this->ref);
	return &this->public.interface;
}

METHOD(certificate_t, destroy, void,
	private_pubkey_cert_t *this)
{
	if (ref_put(&this->ref))
	{
		this->subject->destroy(this->subject);
		this->issuer->destroy(this->issuer);
		this->key->destroy(this->key);
		free(this);
	}
}

METHOD(pubkey_cert_t, set_subject, void,
	private_pubkey_cert_t *this, identification_t *subject)
{
	DESTROY_IF(this->subject);
	this->subject = subject->clone(subject);
}

/*
 * see header file
 */
static pubkey_cert_t *pubkey_cert_create(public_key_t *key,
										 time_t notBefore, time_t notAfter,
										 identification_t *subject)
{
	private_pubkey_cert_t *this;
	chunk_t fingerprint;

	INIT(this,
		.public = {
			.interface = {
				.get_type = _get_type,
				.get_subject = _get_subject,
				.get_issuer = _get_issuer,
				.has_subject = _has_subject,
				.has_issuer = _has_issuer,
				.issued_by = _issued_by,
				.get_public_key = _get_public_key,
				.get_validity = _get_validity,
				.get_encoding = _get_encoding,
				.equals = _equals,
				.get_ref = _get_ref,
				.destroy = _destroy,
			},
			.set_subject = _set_subject,
		},
		.ref = 1,
		.key = key,
		.notBefore = notBefore,
		.notAfter = notAfter,
		.issuer = identification_create_from_encoding(ID_ANY, chunk_empty),
	);

	if (subject)
	{
		this->subject = subject->clone(subject);
	}
	else if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &fingerprint))
	{
		this->subject = identification_create_from_encoding(ID_KEY_ID, fingerprint);
	}
	else
	{
		this->subject = identification_create_from_encoding(ID_ANY, chunk_empty);
	}

	return &this->public;
}

/**
 * See header.
 */
pubkey_cert_t *pubkey_cert_wrap(certificate_type_t type, va_list args)
{
	public_key_t *key = NULL;
	chunk_t blob = chunk_empty;
	identification_t *subject = NULL;
	time_t notBefore = UNDEFINED_TIME, notAfter = UNDEFINED_TIME;

	while (TRUE)
	{
		switch (va_arg(args, builder_part_t))
		{
			case BUILD_BLOB_ASN1_DER:
				blob = va_arg(args, chunk_t);
				continue;
			case BUILD_PUBLIC_KEY:
				key = va_arg(args, public_key_t*);
				continue;
			case BUILD_NOT_BEFORE_TIME:
				notBefore = va_arg(args, time_t);
				continue;
			case BUILD_NOT_AFTER_TIME:
				notAfter = va_arg(args, time_t);
				continue;
			case BUILD_SUBJECT:
				subject = va_arg(args, identification_t*);
				continue;
			case BUILD_END:
				break;
			default:
				return NULL;
		}
		break;
	}
	if (key)
	{
		key->get_ref(key);
	}
	else if (blob.ptr)
	{
		key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
								 BUILD_BLOB_ASN1_DER, blob, BUILD_END);
	}
	if (key)
	{
		return pubkey_cert_create(key, notBefore, notAfter, subject);
	}
	return NULL;
}
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>