sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-05 00:00:45 -04:00
Code Issues Projects Releases Wiki Activity

certificates: Retrieve serial numbers in canonical form

Browse Source 
The x509 plugin retrieves serial numbers with two's complement
encoding whereas the openssl plugin partially returns them without
leading zeroes.

Serial numbers in X.509 certificates, X.509 CRL, X.509 attribute
certificates, OCSP Requests and OCSP responses are now returned in
canonical form without prepended zero octets.
This commit is contained in:
Andreas Steffen 2022-11-20 11:27:34 +01:00
parent cb5ae75ac1
commit 18082ce2b0
10 changed files with 90 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/libstrongswan/credentials/certificates/certificate_printer.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2015 Andreas Steffen
* Copyright (C) 2015-2022 Andreas Steffen
* Copyright (C) 2010 Martin Willi
*
* Copyright (C) secunet Security Networks AG
@ -85,7 +85,7 @@ static void print_x509(private_certificate_printer_t *this, x509_t *x509)
x509_policy_mapping_t *mapping;
FILE *f = this->f;
chunk = chunk_skip_zero(x509->get_serial(x509));
chunk = x509->get_serial(x509);
fprintf(f, " serial: %#B\n", &chunk);
first = TRUE;
@ -341,12 +341,11 @@ static void print_crl(private_certificate_printer_t *this, crl_t *crl)
x509_cdp_t *cdp;
FILE *f = this->f;
chunk = chunk_skip_zero(crl->get_serial(crl));
chunk = crl->get_serial(crl);
fprintf(f, " serial: %#B\n", &chunk);
if (crl->is_delta_crl(crl, &chunk))
{
chunk = chunk_skip_zero(chunk);
fprintf(f, " delta CRL: for serial %#B\n", &chunk);
}
chunk = crl->get_authKeyIdentifier(crl);
@ -388,7 +387,6 @@ static void print_crl(private_certificate_printer_t *this, crl_t *crl)
enumerator = crl->create_enumerator(crl);
while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
{
chunk = chunk_skip_zero(chunk);
fprintf(f, " %#B: %T, %N\n", &chunk, &ts, this->utc,
crl_reason_names, reason);
}
@ -408,7 +406,7 @@ static void print_ac(private_certificate_printer_t *this, ac_t *ac)
bool first = TRUE;
FILE *f = this->f;
chunk = chunk_skip_zero(ac->get_serial(ac));
chunk = ac->get_serial(ac);
fprintf(f, " serial: %#B\n", &chunk);
id = ac->get_holderIssuer(ac);
@ -416,7 +414,7 @@ static void print_ac(private_certificate_printer_t *this, ac_t *ac)
{
fprintf(f, " hissuer: \"%Y\"\n", id);
}
chunk = chunk_skip_zero(ac->get_holderSerial(ac));
chunk = ac->get_holderSerial(ac);
if (chunk.ptr)
{
fprintf(f, " hserial: %#B\n", &chunk);
@ -507,7 +505,6 @@ static void print_ocsp_response(private_certificate_printer_t *this,
{
fprintf(f, " ");
}
serialNumber = chunk_skip_zero(serialNumber);
switch (status)
{

24
src/libstrongswan/credentials/certificates/crl.h
View File

@ -1,6 +1,6 @@
/*
* Copyright (C) 2008 Martin Willi
* Copyright (C) 2006 Andreas Steffen
* Copyright (C) 2006-2022 Andreas Steffen
*
* Copyright (C) secunet Security Networks AG
*
@ -24,6 +24,7 @@
#define CRL_H_
typedef struct crl_t crl_t;
typedef struct crl_revoked_t crl_revoked_t;
typedef enum crl_reason_t crl_reason_t;
#include <library.h>
@ -61,6 +62,27 @@ enum crl_reason_t {
*/
extern enum_name_t *crl_reason_names;
/**
* Entry for a revoked certificate
*/
struct crl_revoked_t {
/**
* Serial of the revoked certificate
*/
chunk_t serial;
/**
* Date of revocation
*/
time_t date;
/**
* Reason for revocation
*/
crl_reason_t reason;
};
/**
* X509 certificate revocation list (CRL) interface definition.
*/

5
src/libstrongswan/plugins/openssl/openssl_crl.c
View File

@ -1,6 +1,7 @@
/*
* Copyright (C) 2017 Tobias Brunner
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2022 Andreas Steffen
*
* Copyright (C) secunet Security Networks AG
*
@ -230,7 +231,7 @@ METHOD(crl_t, create_enumerator, enumerator_t*,
METHOD(crl_t, get_serial, chunk_t,
private_openssl_crl_t *this)
{
return this->serial;
return chunk_skip_zero(this->serial);
}
METHOD(crl_t, is_delta_crl, bool,
@ -240,7 +241,7 @@ METHOD(crl_t, is_delta_crl, bool,
{
if (base_crl)
{
*base_crl = this->base;
*base_crl = chunk_skip_zero(this->base);
}
return TRUE;
}

6
src/libstrongswan/plugins/revocation/revocation_validator.c
View File

@ -1,7 +1,7 @@
/*
* Copyright (C) 2015-2018 Tobias Brunner
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2009 Andreas Steffen
* Copyright (C) 2009-2022 Andreas Steffen
*
* Copyright (C) secunet Security Networks AG
*
@ -534,11 +534,11 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
return best;
}
subject_serial = chunk_skip_zero(subject->get_serial(subject));
subject_serial = subject->get_serial(subject);
enumerator = crl->create_enumerator(crl);
while (enumerator->enumerate(enumerator, &serial, &revocation, &reason))
{
if (chunk_equals(subject_serial, chunk_skip_zero(serial)))
if (chunk_equals(subject_serial, serial))
{
if (reason != CRL_REASON_CERTIFICATE_HOLD)
{

17
src/libstrongswan/plugins/x509/x509_ac.c
View File

@ -2,7 +2,7 @@
* Copyright (C) 2017 Tobias Brunner
* Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
* Copyright (C) 2003 Martin Berner, Lukas Suter
* Copyright (C) 2002-2017 Andreas Steffen
* Copyright (C) 2002-2022 Andreas Steffen
* Copyright (C) 2009 Martin Willi
*
* Copyright (C) secunet Security Networks AG
@ -461,7 +461,7 @@ static bool parse_certificate(private_x509_ac_t *this)
break;
case AC_OBJ_HOLDER_SERIAL:
this->holderSerial = identification_create_from_encoding(
ID_KEY_ID, object);
ID_KEY_ID, chunk_skip_zero(object));
break;
case AC_OBJ_ENTITY_NAME:
if (!parse_directoryName(object, level, TRUE,
@ -600,13 +600,16 @@ static chunk_t build_holder(private_x509_ac_t *this)
x509_t* x509 = (x509_t*)this->holderCert;
identification_t *issuer, *subject;
this->holderSerial = identification_create_from_encoding(
ID_KEY_ID, x509->get_serial(x509));
issuer = this->holderCert->get_issuer(this->holderCert);
subject = this->holderCert->get_subject(this->holderCert);
return asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_wrap(ASN1_CONTEXT_C_0, "mm",
build_directoryName(ASN1_SEQUENCE, issuer->get_encoding(issuer)),
asn1_simple_object(ASN1_INTEGER, x509->get_serial(x509))),
asn1_integer("c", x509->get_serial(x509))),
build_directoryName(ASN1_CONTEXT_C_1, subject->get_encoding(subject)));
}
@ -725,8 +728,8 @@ static chunk_t build_authorityKeyIdentifier(private_x509_ac_t *this)
}
authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1,
issuer->get_encoding(issuer));
authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2,
x509->get_serial(x509));
authorityCertSerialNumber = asn1_integer("c", x509->get_serial(x509));
authorityCertSerialNumber.ptr[0] = ASN1_CONTEXT_S_2;
return asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_build_known_oid(OID_AUTHORITY_KEY_ID),
asn1_wrap(ASN1_OCTET_STRING, "m",
@ -759,7 +762,7 @@ static chunk_t build_attr_cert_info(private_x509_ac_t *this, chunk_t sig_scheme)
build_holder(this),
build_v2_form(this),
sig_scheme,
asn1_simple_object(ASN1_INTEGER, this->serialNumber),
asn1_integer("c", this->serialNumber),
build_attr_cert_validity(this),
build_attributes(this),
build_extensions(this));
@ -808,7 +811,7 @@ static bool build_ac(private_x509_ac_t *this, hash_algorithm_t digest_alg)
METHOD(ac_t, get_serial, chunk_t,
private_x509_ac_t *this)
{
return this->serialNumber;
return chunk_skip_zero(this->serialNumber);
}
METHOD(ac_t, get_holderSerial, chunk_t,

4
src/libstrongswan/plugins/x509/x509_cert.c
View File

@ -2,7 +2,7 @@
* Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
* Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
* Copyright (C) 2002 Mario Strasser
* Copyright (C) 2000-2017 Andreas Steffen
* Copyright (C) 2000-2022 Andreas Steffen
* Copyright (C) 2006-2009 Martin Willi
* Copyright (C) 2008-2017 Tobias Brunner
*
@ -1848,7 +1848,7 @@ METHOD(x509_t, get_flags, x509_flag_t,
METHOD(x509_t, get_serial, chunk_t,
private_x509_cert_t *this)
{
return this->serialNumber;
return chunk_skip_zero(this->serialNumber);
}
METHOD(x509_t, get_subjectKeyIdentifier, chunk_t,

45
src/libstrongswan/plugins/x509/x509_crl.c
View File

@ -1,7 +1,7 @@
/*
* Copyright (C) 2014-2017 Tobias Brunner
* Copyright (C) 2008-2009 Martin Willi
* Copyright (C) 2017 Andreas Steffen
* Copyright (C) 2017-2022 Andreas Steffen
*
* Copyright (C) secunet Security Networks AG
*
@ -19,7 +19,6 @@
#include "x509_crl.h"
typedef struct private_x509_crl_t private_x509_crl_t;
typedef struct revoked_t revoked_t;
#include <time.h>
@ -32,26 +31,6 @@ typedef struct revoked_t revoked_t;
#include <credentials/keys/private_key.h>
#include <collections/linked_list.h>
/**
* entry for a revoked certificate
*/
struct revoked_t {
/**
* serial of the revoked certificate
*/
chunk_t serial;
/**
* date of revocation
*/
time_t date;
/**
* reason for revocation
*/
crl_reason_t reason;
};
/**
* private data of x509_crl
*/
@ -98,7 +77,7 @@ struct private_x509_crl_t {
time_t nextUpdate;
/**
* list of revoked certificates as revoked_t
* list of revoked certificates as crl_revoked_t
*/
linked_list_t *revoked;
@ -235,7 +214,7 @@ static bool parse(private_x509_crl_t *this)
signature_params_t sig_alg = {};
bool success = FALSE;
bool critical = FALSE;
revoked_t *revoked = NULL;
crl_revoked_t *revoked = NULL;
parser = asn1_parser_create(crlObjects, this->encoding);
@ -273,7 +252,7 @@ static bool parse(private_x509_crl_t *this)
userCertificate = object;
break;
case CRL_OBJ_REVOCATION_DATE:
revoked = malloc_thing(revoked_t);
revoked = malloc_thing(crl_revoked_t);
revoked->serial = chunk_clone(userCertificate);
revoked->date = asn1_parse_time(object, level);
revoked->reason = CRL_REASON_UNSPECIFIED;
@ -385,7 +364,7 @@ end:
CALLBACK(filter, bool,
void *data, enumerator_t *orig, va_list args)
{
revoked_t *revoked;
crl_revoked_t *revoked;
crl_reason_t *reason;
chunk_t *serial;
time_t *date;
@ -396,7 +375,7 @@ CALLBACK(filter, bool,
{
if (serial)
{
*serial = revoked->serial;
*serial = chunk_skip_zero(revoked->serial);
}
if (date)
{
@ -414,7 +393,7 @@ CALLBACK(filter, bool,
METHOD(crl_t, get_serial, chunk_t,
private_x509_crl_t *this)
{
return this->crlNumber;
return chunk_skip_zero(this->crlNumber);
}
METHOD(crl_t, get_authKeyIdentifier, chunk_t,
@ -430,7 +409,7 @@ METHOD(crl_t, is_delta_crl, bool,
{
if (base_crl)
{
*base_crl = this->baseCrlNumber;
*base_crl = chunk_skip_zero(this->baseCrlNumber);
}
return TRUE;
}
@ -593,7 +572,7 @@ METHOD(certificate_t, equals, bool,
/**
* Destroy a revoked_t entry
*/
static void revoked_destroy(revoked_t *revoked)
static void revoked_destroy(crl_revoked_t *revoked)
{
free(revoked->serial.ptr);
free(revoked);
@ -701,7 +680,7 @@ x509_crl_t *x509_crl_load(certificate_type_t type, va_list args)
*/
static void read_revoked(private_x509_crl_t *crl, enumerator_t *enumerator)
{
revoked_t *revoked;
crl_revoked_t *revoked;
chunk_t serial;
time_t date;
crl_reason_t reason;
@ -841,7 +820,7 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert,
*/
x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args)
{
hash_algorithm_t digest_alg = HASH_SHA1;
hash_algorithm_t digest_alg = HASH_SHA256;
private_x509_crl_t *crl;
certificate_t *cert = NULL;
private_key_t *key = NULL;
@ -883,7 +862,7 @@ x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args)
case BUILD_BASE_CRL:
crl->baseCrlNumber = va_arg(args, chunk_t);
crl->baseCrlNumber = chunk_clone(crl->baseCrlNumber);
break;
continue;
case BUILD_CRL_DISTRIBUTION_POINTS:
{
enumerator_t *enumerator;

4
src/libstrongswan/plugins/x509/x509_ocsp_request.c
View File

@ -1,7 +1,7 @@
/*
* Copyright (C) 2017-2019 Tobias Brunner
* Copyright (C) 2008-2009 Martin Willi
* Copyright (C) 2007-2014 Andreas Steffen
* Copyright (C) 2007-2022 Andreas Steffen
* Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
*
* Copyright (C) secunet Security Networks AG
@ -133,7 +133,7 @@ static chunk_t build_Request(private_x509_ocsp_request_t *this,
asn1_algorithmIdentifier(OID_SHA1),
asn1_simple_object(ASN1_OCTET_STRING, issuerNameHash),
asn1_simple_object(ASN1_OCTET_STRING, issuerKeyHash),
asn1_simple_object(ASN1_INTEGER, serialNumber)));
asn1_integer("c", serialNumber)));
}
/**

4
src/libstrongswan/plugins/x509/x509_ocsp_response.c
View File

@ -1,7 +1,7 @@
/*
* Copyright (C) 2017-2019 Tobias Brunner
* Copyright (C) 2008-2009 Martin Willi
* Copyright (C) 2007-2015 Andreas Steffen
* Copyright (C) 2007-2022 Andreas Steffen
* Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
*
* Copyright (C) secunet Security Networks AG
@ -370,7 +370,7 @@ static bool parse_singleResponse(private_x509_ocsp_response_t *this,
response->issuerKeyHash = object;
break;
case SINGLE_RESPONSE_SERIAL_NUMBER:
response->serialNumber = object;
response->serialNumber = chunk_skip_zero(object);
break;
case SINGLE_RESPONSE_CERT_STATUS_GOOD:
response->status = VALIDATION_GOOD;

17
src/pki/commands/signcrl.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2017-2019 Andreas Steffen
* Copyright (C) 2017-2022 Andreas Steffen
* Copyright (C) 2010 Martin Willi
*
* Copyright (C) secunet Security Networks AG
@ -27,22 +27,13 @@
#include <asn1/asn1.h>
/**
* Entry for a revoked certificate
*/
typedef struct {
chunk_t serial;
crl_reason_t reason;
time_t date;
} revoked_t;
/**
* Add a revocation to the list
*/
static void add_revoked(linked_list_t *list,
chunk_t serial, crl_reason_t reason, time_t date)
{
revoked_t *revoked;
crl_revoked_t *revoked;
INIT(revoked,
.serial = chunk_clone(serial),
@ -55,7 +46,7 @@ static void add_revoked(linked_list_t *list,
/**
* Destroy a reason entry
*/
static void revoked_destroy(revoked_t *revoked)
static void revoked_destroy(crl_revoked_t *revoked)
{
free(revoked->serial.ptr);
free(revoked);
@ -64,7 +55,7 @@ static void revoked_destroy(revoked_t *revoked)
CALLBACK(filter, bool,
void *data, enumerator_t *orig, va_list args)
{
revoked_t *revoked;
crl_revoked_t *revoked;
crl_reason_t *reason;
chunk_t *serial;
time_t *date;