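/*
 * free_first_authcert: unlink and free the first authority certificate in
 * the global authcert chain.
 *
 * The caller must hold the authcert list lock; add_authcert() calls this
 * between lock_authcert_list() and unlock_authcert_list() when it replaces
 * an entry that get_authcert() is expected to have moved to the head of
 * the chain.  get_authcert() is not in this listing, so confirm that
 * head-of-chain invariant before adding new callers.
 *
 * An empty chain is a no-op instead of a NULL dereference.
 */
static void free_first_authcert(void)
{
	x509cert_t *first = x509authcerts;

	if (first == NULL)
		return;

	/* unlink first, so the chain never points at freed memory */
	x509authcerts = first->next;
	free_x509cert(first);
}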
/*
 * add an authority certificate to the chained list
 */
void add_authcert(x509cert_t *cert, u_char auth_flags)
{
	x509cert_t *old_cert;

	/* set authority flags */
	cert->authority_flags |= auth_flags;

	lock_authcert_list("add_authcert");

	old_cert = get_authcert(cert->subject, cert->serialNumber,
				cert->subjectKeyID, auth_flags);

	if (old_cert != NULL) {
		if (same_x509cert(cert, old_cert)) {
			/*
			 * cert is already present, just add additional
			 * authority flags
			 */
			old_cert->authority_flags |= cert->authority_flags;
			DBG(DBG_X509 | DBG_PARSING,
				DBG_log("  authcert is already present and identical");
				);
			unlock_authcert_list("add_authcert");

			free_x509cert(cert);
			return;
		} else {
/*
 * Parse PKCS#7 wrapped X.509 certificates.
 *
 * Walks the signedData structure in blob (starting at ASN.1 nesting level
 * level0) and pushes every embedded certificate that parse_x509cert()
 * accepts onto the front of the list at *cert.  Certificates that fail to
 * parse are freed and skipped.
 *
 * Returns FALSE as soon as extract_object() rejects the encoding, TRUE
 * once every object up to PKCS7_SIGNED_ROOF has been consumed.
 *
 * NOTE(review): cert_blob is cloned per certificate and handed to
 * parse_x509cert(); whether that clone is released when parsing fails
 * depends on parse_x509cert()/free_x509cert(), which are not visible here.
 * Confirm that a malformed embedded certificate does not leak the clone.
 */
static bool parse_pkcs7_signedData(chunk_t blob, int level0, x509cert_t **cert)
{
	asn1_ctx_t ctx;
	chunk_t object;
	u_int level;
	u_int objectID;

	asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);

	/* extract_object() may advance objectID itself; the ++ steps past
	 * the object just consumed, exactly as before */
	for (objectID = 0; objectID < PKCS7_SIGNED_ROOF; objectID++) {
		if (!extract_object(signedDataObjects, &objectID, &object,
				    &level, &ctx))
			return FALSE;

		if (objectID != PKCS7_SIGNED_CERT)
			continue;

		chunk_t cert_blob;
		x509cert_t *newcert = alloc_thing(x509cert_t,
						  "pkcs7 wrapped x509cert");

		*newcert = empty_x509cert;
		clonetochunk(cert_blob, object.ptr, object.len,
			     "pkcs7 cert blob");

		if (!parse_x509cert(cert_blob, level + 1, newcert)) {
			free_x509cert(newcert);
			continue;
		}

		/* push the parsed certificate onto the caller's list */
		newcert->next = *cert;
		*cert = newcert;
	}
	return TRUE;
}
File: x509.c Progetto: mkj/libreswan
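/*
 * release_x509cert: drop one reference to cert and, when the reference
 * count reaches zero, unlink it from the global x509certs chain and free it.
 *
 * A NULL cert is a no-op.  The chain walk is done with the certs-and-keys
 * lock held, so the unlink cannot race against a concurrent
 * add_x509cert()/release_x509cert() on the same chain; previously only the
 * pointer swap was locked and the walk ran unlocked.  A cert whose count
 * hits zero but which is not on the chain is simply freed, instead of the
 * walk running off the end of the list into a NULL dereference.
 *
 * NOTE(review): the --cert->count decrement itself is still outside the
 * lock; if counts are touched from more than one thread that needs the
 * lock (or an atomic) as well — not decidable from this file.
 */
static void release_x509cert(x509cert_t *cert)
{
	if (cert == NULL || --cert->count != 0)
		return;

	lock_certs_and_keys("release_x509cert");

	/* find the link that points at cert; *pp == NULL means not chained */
	x509cert_t **pp = &x509certs;
	while (*pp != NULL && *pp != cert)
		pp = &(*pp)->next;

	if (*pp == cert)
		*pp = cert->next;

	unlock_certs_and_keys("release_x509cert");

	free_x509cert(cert);
}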
/*
 * add_authcert: add an authority certificate to the global authcert chain.
 *
 * auth_flags is OR-ed into cert->authority_flags before the lookup.
 * Ownership of cert passes to this function: it is either pushed onto the
 * head of the chain (with its count set to one via share_x509cert) or, when
 * an identical certificate is already chained, freed after its authority
 * flags have been merged into the existing entry.  Callers must not touch
 * cert after this call.
 *
 * A chained certificate with the same identity but different contents is
 * dropped and replaced by cert.
 * NOTE(review): that replacement frees the *first* entry of the chain,
 * which is only right if get_authcert() moved the matching entry to the
 * head; get_authcert() is not in this listing, so confirm before relying
 * on it.
 */
void
add_authcert(x509cert_t *cert, u_char auth_flags)
{
    x509cert_t *existing;

    cert->authority_flags |= auth_flags;

    lock_authcert_list("add_authcert");

    existing = get_authcert(cert->subject, cert->serialNumber,
			    cert->subjectKeyID, auth_flags);

    if (existing != NULL && same_x509cert(cert, existing))
    {
	/* identical certificate already chained: merge flags, drop cert */
	existing->authority_flags |= cert->authority_flags;
	DBG(DBG_X509 | DBG_PARSING,
	    DBG_log("  authcert is already present and identical"));
	unlock_authcert_list("add_authcert");
	free_x509cert(cert);
	return;
    }

    if (existing != NULL)
    {
	/* same identity, different contents: the chained copy gives way */
	free_first_authcert();
	DBG(DBG_X509 | DBG_PARSING,
	    DBG_log("  existing authcert deleted"));
    }

    /* push cert onto the head of the chain */
    cert->next = x509authcerts;
    x509authcerts = cert;
    share_x509cert(cert);	/* set count to one */
    DBG(DBG_X509 | DBG_PARSING,
	DBG_log("  authcert inserted"));
    unlock_authcert_list("add_authcert");
}
File: x509.c Progetto: mkj/libreswan
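/*
 * add_x509cert: add an X.509 user/host certificate to the global chain.
 *
 * Returns the chained certificate: cert itself when it was inserted at the
 * head of x509certs, or the already-chained equivalent when same_x509cert()
 * finds one — in that case cert is freed, so callers must use the return
 * value and never touch cert afterwards.
 *
 * The duplicate scan and the insertion happen under a single hold of the
 * certs-and-keys lock.  Scanning unlocked (as the previous version did)
 * left a window in which a concurrent release_x509cert() could free a
 * chain entry mid-walk, or two concurrent adds could both miss each other
 * and chain the same certificate twice.  free_x509cert() is still called
 * after the lock is dropped.
 */
x509cert_t *add_x509cert(x509cert_t *cert)
{
	x509cert_t *found = NULL;

	lock_certs_and_keys("add_x509cert");

	for (x509cert_t *c = x509certs; c != NULL; c = c->next) {
		if (same_x509cert(c, cert)) {
			found = c;
			break;
		}
	}

	if (found == NULL) {
		/* insert new cert at the root of the chain */
		cert->next = x509certs;
		x509certs = cert;
	}

	unlock_certs_and_keys("add_x509cert");

	if (found != NULL) {
		/* already in chain: drop the caller's copy */
		free_x509cert(cert);
		return found;
	}
	return cert;
}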
File: x509.c Progetto: mkj/libreswan
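/*
 * extract_ca_candidates: move every CA certificate out of the list at
 * *firstcert into a new candidate list, which is returned.  Self-signed
 * (root) CA certs are rejected, logged and freed; end certificates stay in
 * the caller's list in their original order.
 */
static x509cert_t *extract_ca_candidates(x509cert_t **firstcert)
{
	x509cert_t *cacerts = NULL;
	x509cert_t **pp = firstcert;

	while (*pp != NULL) {
		x509cert_t *cert = *pp;

		if (!cert->isCA) {
			pp = &cert->next;
			continue;
		}

		/* unlink from the caller's list */
		*pp = cert->next;

		/* we don't accept self-signed CA certs */
		if (same_dn(cert->issuer, cert->subject)) {
			libreswan_log("self-signed cacert rejected");
			free_x509cert(cert);
		} else {
			/* insertion into temporary chain of candidate CA certs */
			cert->next = cacerts;
			cacerts = cert;
		}
	}
	return cacerts;
}

/*
 * verify_ca_candidates: verify each candidate CA cert against the remaining
 * candidates and the global authcert chain.  Verified certs are handed to
 * add_authcert() — which takes ownership and frees them when an identical
 * cert is already chained — and a shallow copy of each is appended to the
 * list at *verified_ca.  Rejected certs are logged and freed.  The
 * candidate list is consumed.
 *
 * The copy is taken *before* add_authcert() so that cert is never read
 * after add_authcert() may have freed it; the previous version cloned
 * afterwards, a use-after-free whenever the CA cert was already present.
 * NOTE(review): the clone is a shallow struct copy, so its chunk members
 * alias cert's buffers.  If free_x509cert() releases those buffers (not
 * visible here), the duplicate path still leaves the copy pointing at
 * freed data; a deep copy, or an add_authcert() that returns the chained
 * cert, is needed to close that completely.
 */
static void verify_ca_candidates(x509cert_t *cacerts, x509cert_t **verified_ca,
				 bool strict)
{
	x509cert_t *ver = NULL;

	while (cacerts != NULL) {
		realtime_t valid_until;
		x509cert_t *cert = cacerts;

		cacerts = cacerts->next;

		if (!trust_authcert_candidate(cert, cacerts) ||
		    !verify_x509cert(cert, strict, &valid_until, cacerts)) {
			libreswan_log("intermediate cacert rejected");
			free_x509cert(cert);
			continue;
		}

		x509cert_t *copy = clone_thing(*cert, "x509cert_t");
		copy->next = NULL;
		/* add_authcert() ORs AUTH_CA into the chained cert's flags;
		 * mirror that so readers of *verified_ca see the same flags
		 * they did when the copy was taken after the call */
		copy->authority_flags |= AUTH_CA;

		if (ver == NULL)
			*verified_ca = copy;
		else
			ver->next = copy;
		ver = copy;

		/* ownership of cert passes to the global authcert chain */
		add_authcert(cert, AUTH_CA);
	}
}

/*
 * verify_end_certs: verify every remaining (non-CA) certificate in the list
 * at *firstcert.  Verified certs have their public key registered through
 * add_x509_public_key(); every cert is freed and the list is left empty.
 */
static void verify_end_certs(x509cert_t **firstcert, bool strict)
{
	x509cert_t **pp = firstcert;

	while (*pp != NULL) {
		realtime_t valid_until;
		x509cert_t *cert = *pp;

		if (verify_x509cert(cert, strict, &valid_until, NULL)) {
			DBG(DBG_X509 | DBG_PARSING,
			    DBG_log("public key validated"));
			add_x509_public_key(NULL, cert, valid_until,
					    DAL_SIGNED);
		} else {
			libreswan_log("X.509 certificate rejected");
		}
		*pp = cert->next;
		free_x509cert(cert);
	}
}

/*
 * store_x509certs: store a chained list of end certs and CA certs.
 *
 * @firstcert   list of parsed certificates; consumed (every entry is
 *              either chained globally or freed) and left empty
 * @verified_ca receives a copied list of the verified authcerts that have
 *              been placed in the global authcert chain; only written when
 *              at least one CA cert verifies
 * @strict      passed through to verify_x509cert()
 */
void store_x509certs(x509cert_t **firstcert, x509cert_t **verified_ca,
					     bool strict)
{
	/* first extract CA certs, discarding root CA certs */
	x509cert_t *cacerts = extract_ca_candidates(firstcert);

	/* now verify the candidate CA certs */
	verify_ca_candidates(cacerts, verified_ca, strict);

	/* now verify the end certificates */
	verify_end_certs(firstcert, strict);
}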
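/*
 * nsscert test driver: load a CA certificate, add it to the authcert chain,
 * then load and verify each certificate named on the command line.
 *
 * Exit codes: 0 every certificate verified; 1 a certificate file could not
 * be loaded; 3 verification failed; 5 too few arguments; 10 NSS
 * initialisation failed (HAVE_LIBNSS builds only).
 *
 * Ownership note: add_authcert() links cacert.u.x509 into the global
 * authcert chain, and the tool frees that same object just before exit
 * while it is still chained.  That is tolerable for a one-shot tool that
 * exits immediately, but do not copy the pattern into long-lived code.
 */
int main(int argc, char *argv[])
{
    cert_t cacert, t1;
    time_t until;

    /* sadly, this is actually too late */
    EF_DISABLE_BANNER = 1;
    progname = argv[0];
    leak_detective = 1;

    tool_init_log();
    load_oswcrypto();

    set_debugging(DBG_X509 | DBG_PARSING | DBG_CONTROL);
    until = 1421896274;
    set_fake_x509_time(until);  /* Wed Jan 21 22:11:14 2015 */

#ifdef HAVE_LIBNSS
    {
	SECStatus nss_init_status = NSS_InitReadWrite("nss.d");
	if (nss_init_status != SECSuccess) {
	    fprintf(stderr, "NSS initialization failed (err %d)\n", PR_GetError());
	    exit(10);
	}
	printf("NSS Initialized\n");
	PK11_SetPasswordFunc(getNSSPassword);
    }
#endif

    if (argc < 3) {
        fprintf(stderr, "Usage: nsscert CAcertfile.pem cert1.pem cert2.pem...\n");
        exit(5);
    }

    /* skip argv0 */
    argc--;
    argv++;

    /* load CAcert and chain it as a CA authority */
    if (!load_cert(CERT_NONE, argv[0], TRUE, "cacert", &cacert)) {
        printf("could not load CA cert file: %s\n", argv[0]);
        exit(1);
    }
    add_authcert(cacert.u.x509, AUTH_CA);

    argc--;
    argv++;

    while (argc-- > 0) {
        char *file = *argv++;

        /* load target cert */
        if (!load_cert(CERT_NONE, file, TRUE, "test1", &t1)) {
            printf("could not load cert file: %s\n", file);
            exit(1);
        }

        /* NOTE(review): until is passed by address to verify_x509cert(),
         * which by the other listings' 4-argument form is an out-parameter
         * (valid_until); the += 86400 before it has no visible effect on
         * the fake clock set above — confirm what it is meant to do */
        until += 86400;
        if (verify_x509cert(t1.u.x509, FALSE, &until) == FALSE) {
            printf("verify x509 failed\n");
            exit(3);
        }
        printf("cert: %s is valid\n", file);
        free_x509cert(t1.u.x509);
    }
    free_x509cert(cacert.u.x509);

    report_leaks();
    tool_close_log();
    exit(0);
}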