1002
1007
time_t this_update, that_update, now = time(NULL);
1005
1010
this->get_validity(this, &now, &this_update, NULL);
1006
1011
that->get_validity(that, &now, &that_update, NULL);
1007
1012
new = this_update > that_update;
1008
DBG1(" certificate from %#T is %s - existing certificate from %#T %s",
1013
DBG1(" certificate from %T is %s - existing certificate from %T %s",
1009
1014
&this_update, FALSE, new ? "newer":"not newer",
1010
1015
&that_update, FALSE, new ? "replaced":"retained");
1221
1241
private_x509_cert_t *cert;
1222
1242
/** additional flags to enforce */
1223
1243
x509_flag_t flags;
1244
/** certificate to sign, if we generate a new cert */
1245
certificate_t *sign_cert;
1246
/** private key to sign, if we generate a new cert */
1247
private_key_t *sign_key;
1251
* Generate and sign a new certificate
1253
static bool generate(private_builder_t *this)
1255
chunk_t extensions = chunk_empty;
1256
identification_t *issuer, *subject;
1257
chunk_t key_info, key;
1258
signature_scheme_t scheme;
1261
subject = this->cert->subject;
1262
if (this->sign_cert)
1264
issuer = this->sign_cert->get_subject(this->sign_cert);
1265
if (!this->cert->public_key)
1273
if (!this->cert->public_key)
1275
this->cert->public_key = this->sign_key->get_public_key(this->sign_key);
1277
this->flags |= X509_SELF_SIGNED;
1279
this->cert->issuer = issuer->clone(issuer);
1280
if (!this->cert->notBefore)
1282
this->cert->notBefore = time(NULL);
1284
if (!this->cert->notAfter)
1285
{ /* defaults to 1 years from now on */
1286
this->cert->notAfter = this->cert->notBefore + 60 * 60 * 24 * 365;
1288
this->cert->flags = this->flags;
1290
switch (this->sign_key->get_type(this->sign_key))
1293
this->cert->algorithm = OID_SHA1_WITH_RSA;
1294
scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
1300
switch (this->cert->public_key->get_type(this->cert->public_key))
1303
key = this->cert->public_key->get_encoding(this->cert->public_key);
1304
key_info = asn1_wrap(ASN1_SEQUENCE, "cm",
1305
asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
1306
asn1_bitstring("m", key));
1312
if (this->cert->subjectAltNames->get_count(this->cert->subjectAltNames))
1314
/* TODO: encode subjectAltNames */
1317
this->cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmccmcmm",
1318
asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
1319
asn1_simple_object(ASN1_INTEGER, this->cert->serialNumber),
1320
asn1_algorithmIdentifier(this->cert->algorithm),
1321
issuer->get_encoding(issuer),
1322
asn1_wrap(ASN1_SEQUENCE, "mm",
1323
asn1_from_time(&this->cert->notBefore, ASN1_UTCTIME),
1324
asn1_from_time(&this->cert->notAfter, ASN1_UTCTIME)),
1325
subject->get_encoding(subject),
1326
key_info, extensions);
1328
if (!this->sign_key->sign(this->sign_key, scheme,
1329
this->cert->tbsCertificate, &this->cert->signature))
1333
this->cert->encoding = asn1_wrap(ASN1_SEQUENCE, "ccm",
1334
this->cert->tbsCertificate,
1335
asn1_algorithmIdentifier(this->cert->algorithm),
1336
asn1_bitstring("c", this->cert->signature));
1338
hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1343
hasher->allocate_hash(hasher, this->cert->encoding,
1344
&this->cert->encoding_hash);
1345
hasher->destroy(hasher);
1227
1350
* Implementation of builder_t.build
1229
1352
static private_x509_cert_t *build(private_builder_t *this)
1231
private_x509_cert_t *cert = this->cert;
1232
x509_flag_t flags = this->flags;
1354
private_x509_cert_t *cert;
1357
if (this->cert && !this->cert->encoding.ptr)
1359
if (!this->sign_key || !this->cert ||
1362
destroy(this->cert);
1368
flags = this->flags;
1235
1370
if (cert == NULL)
1239
1375
if ((flags & X509_CA) && !(cert->flags & X509_CA))
1241
1377
DBG1(" ca certificate must have ca basic constraint set, discarded");
1267
1404
case BUILD_X509_FLAG:
1268
1405
this->flags = va_arg(args, x509_flag_t);
1407
case BUILD_SIGNING_KEY:
1408
this->sign_key = va_arg(args, private_key_t*);
1410
case BUILD_SIGNING_CERT:
1411
this->sign_cert = va_arg(args, certificate_t*);
1414
/* all other parts need an empty cert */
1417
this->cert = create_empty();
1430
case BUILD_PUBLIC_KEY:
1432
public_key_t *key = va_arg(args, public_key_t*);
1433
this->cert->public_key = key->get_ref(key);
1438
identification_t *id = va_arg(args, identification_t*);
1439
this->cert->subject = id->clone(id);
1442
case BUILD_SUBJECT_ALTNAME:
1444
identification_t *id = va_arg(args, identification_t*);
1445
this->cert->subjectAltNames->insert_last(
1446
this->cert->subjectAltNames, id->clone(id));
1449
case BUILD_NOT_BEFORE_TIME:
1450
this->cert->notBefore = va_arg(args, time_t);
1452
case BUILD_NOT_AFTER_TIME:
1453
this->cert->notAfter = va_arg(args, time_t);
1457
chunk_t serial = va_arg(args, chunk_t);
1458
this->cert->serialNumber = chunk_clone(serial);
1271
1462
/* abort if unsupported option */
1272
1463
if (this->cert)