implemented ipsec listocsp function

7 files changed, 239 insertions, 22 deletions

diff --git a/src/charon/config/credentials/local_credential_store.c b/src/charon/config/credentials/local_credential_store.c
index 50fc53b32..59a21e624 100644
--- a/src/charon/config/credentials/local_credential_store.c
+++ b/src/charon/config/credentials/local_credential_store.c
@@ -562,8 +562,8 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
 		rsa_public_key_t *issuer_public_key;
 		bool valid_signature;
 
-		DBG2(DBG_CFG, "subject: '%D'", cert->get_subject(cert));
-		DBG2(DBG_CFG, "issuer:  '%D'", cert->get_issuer(cert));
+		DBG1(DBG_CFG, "subject: '%D'", cert->get_subject(cert));
+		DBG1(DBG_CFG, "issuer:  '%D'", cert->get_issuer(cert));
 
 		ugh = cert->is_valid(cert, &until);
 		if (ugh != NULL)
@@ -576,10 +576,10 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
 		issuer = get_issuer(this, cert);
 		if (issuer == NULL)
 		{
-			DBG1(DBG_CFG, "issuer info not found");
+			DBG1(DBG_CFG, "issuer not found");
 			return FALSE;
 		}
-		DBG2(DBG_CFG, "issuer info found");
+		DBG2(DBG_CFG, "issuer found");
 
 		issuer_cert = issuer->get_certificate(issuer);
 		issuer_public_key = issuer_cert->get_public_key(issuer_cert);
@@ -595,7 +595,7 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
 		/* check if cert is a self-signed root ca */
 		if (pathlen > 0 && cert->is_self_signed(cert))
 		{
-			DBG2(DBG_CFG, "reached self-signed root ca");
+			DBG1(DBG_CFG, "reached self-signed root ca");
 
 			/* set the definite status and trust interval of the end entity certificate */
 			end_cert->set_until(end_cert, until);
@@ -863,6 +863,32 @@ static void list_crls(private_local_credential_store_t *this, FILE *out, bool ut
 }
 
 /**
+ * Implements local_credential_store_t.list_ocsp
+ */
+static void list_ocsp(private_local_credential_store_t *this, FILE *out, bool utc)
+{
+	iterator_t *iterator = this->ca_infos->create_iterator(this->ca_infos, TRUE);
+	ca_info_t *ca_info;
+	bool first = TRUE;
+
+	while (iterator->iterate(iterator, (void **)&ca_info))
+	{
+		if (ca_info->has_certinfos(ca_info))
+		{
+			if (first)
+			{
+				fprintf(out, "\n");
+				fprintf(out, "List of OCSP responses:\n");
+				first = FALSE;
+			}
+			fprintf(out, "\n");
+			ca_info->list_certinfos(ca_info, out, utc);
+		}
+	}
+	iterator->destroy(iterator);
+}
+
+/**
  * Implements local_credential_store_t.load_auth_certificates
  */
 static void load_auth_certificates(private_local_credential_store_t *this,
@@ -1303,6 +1329,7 @@ local_credential_store_t * local_credential_store_create(bool strict)
 	this->public.credential_store.create_auth_cert_iterator = (iterator_t* (*) (credential_store_t*))create_auth_cert_iterator;
 	this->public.credential_store.create_cainfo_iterator = (iterator_t* (*) (credential_store_t*))create_cainfo_iterator;
 	this->public.credential_store.list_crls = (void (*) (credential_store_t*,FILE*,bool))list_crls;
+	this->public.credential_store.list_ocsp = (void (*) (credential_store_t*,FILE*,bool))list_ocsp;
 	this->public.credential_store.load_ca_certificates = (void (*) (credential_store_t*))load_ca_certificates;
 	this->public.credential_store.load_ocsp_certificates = (void (*) (credential_store_t*))load_ocsp_certificates;
 	this->public.credential_store.load_crls = (void (*) (credential_store_t*))load_crls;
diff --git a/src/charon/threads/stroke_interface.c b/src/charon/threads/stroke_interface.c
index 69cf1443b..b03958158 100755
--- a/src/charon/threads/stroke_interface.c
+++ b/src/charon/threads/stroke_interface.c
@@ -1138,6 +1138,10 @@ static void stroke_list(stroke_msg_t *msg, FILE *out)
 	{
 		list_auth_certificates(AUTH_OCSP, "OCSP", msg->list.utc, out);
 	}
+	if (msg->list.flags & LIST_OCSP)
+	{
+		charon->credentials->list_ocsp(charon->credentials, out, msg->list.utc);
+	}
 }
 
 /**
diff --git a/src/libstrongswan/credential_store.h b/src/libstrongswan/credential_store.h
index e19f14789..e660a2ad0 100755
--- a/src/libstrongswan/credential_store.h
+++ b/src/libstrongswan/credential_store.h
@@ -226,6 +226,15 @@ struct credential_store_t {
 	void (*list_crls) (credential_store_t *this, FILE *out, bool utc);
 
 	/**
+	 * @brief Check if there are any OCSP cert infos
+	 *
+	 * @param this		calling object
+	 * @param out		output stream
+	 * @param utc		either utc or local time
+	 */
+	void (*list_ocsp) (credential_store_t *this, FILE *out, bool utc);
+
+	/**
 	 * @brief Loads ca certificates from a default directory.
 	 *
 	 * Certificates in both DER and PEM format are accepted
diff --git a/src/libstrongswan/crypto/ca.c b/src/libstrongswan/crypto/ca.c
index 1e930a466..d80738d59 100644
--- a/src/libstrongswan/crypto/ca.c
+++ b/src/libstrongswan/crypto/ca.c
@@ -158,6 +158,20 @@ static bool has_crl(private_ca_info_t *this)
 }
 
 /**
+ * Implements ca_info_t.has_certinfos
+ */
+static bool has_certinfos(private_ca_info_t *this)
+{
+	bool found;
+
+	pthread_mutex_lock(&(this->mutex));
+	found = this->certinfos->get_count(this->certinfos) > 0;
+	pthread_mutex_unlock(&(this->mutex));
+
+	return found;
+}
+
+/**
  * Implements ca_info_t.add_crl
  */
 static void add_crl(private_ca_info_t *this, crl_t *crl)
@@ -206,7 +220,22 @@ static void list_certinfos(private_ca_info_t *this, FILE *out, bool utc)
 {
 	pthread_mutex_lock(&(this->mutex));
 
-	/* fprintf(out, "%#X\n", this->certifnos, utc); */
+	fprintf(out,"    authname:  '%D'\n", this->cacert->get_subject(this->cacert));
+	{
+		chunk_t authkey = this->cacert->get_subjectKeyID(this->cacert);
+
+		fprintf(out,"    authkey:    %#B\n", &authkey);
+	}
+	{
+		iterator_t *iterator = this->certinfos->create_iterator(this->certinfos, TRUE);
+		certinfo_t *certinfo;
+
+		while (iterator->iterate(iterator, (void**)&certinfo))
+		{
+			fprintf(out, "%#Y\n", certinfo, utc);
+		}
+		iterator->destroy(iterator);
+	}
 
 	pthread_mutex_unlock(&(this->mutex));
 }
@@ -387,7 +416,10 @@ static cert_status_t verify_by_ocsp(private_ca_info_t* this,
 									certinfo_t *certinfo,
 									credential_store_t *credentials)
 {
-	bool found = FALSE;
+	bool stale;
+	iterator_t *iterator;
+	certinfo_t *cached_certinfo = NULL;
+	int comparison = 1;
 
 	pthread_mutex_lock(&(this->mutex));
 
@@ -397,33 +429,62 @@ static cert_status_t verify_by_ocsp(private_ca_info_t* this,
 		goto ret;
 	}
 
-	/* do we have a valid certinfo record for this serial number in our cache? */
+	iterator = this->certinfos->create_iterator(this->certinfos, TRUE);
+
+	/* find the list insertion point in alphabetical order */
+	while(iterator->iterate(iterator, (void**)&cached_certinfo))
 	{
-		iterator_t *iterator = this->certinfos->create_iterator(this->certinfos, TRUE);
-		certinfo_t *current_certinfo;
+		comparison = certinfo->compare_serialNumber(certinfo, cached_certinfo);
 
-		while(iterator->iterate(iterator, (void**)&current_certinfo))
+		if (comparison <= 0)
 		{
-			if (certinfo->equals_serialNumber(certinfo, current_certinfo))
-			{
-				found = TRUE;
-				DBG2("ocsp status found");
-				break;
-			}
+			break;
 		}
-		iterator->destroy(iterator);
 	}
-	
-	if (!found)
+
+	/* do we have a valid certinfo_t for this serial number in our cache? */
+	if (comparison == 0)
+	{	
+		stale = cached_certinfo->get_nextUpdate(cached_certinfo) < time(NULL);
+		DBG1("ocsp status in cache is %s", stale ? "stale":"fresh");
+	}
+	else
 	{
-		ocsp_t *ocsp;
+		stale = TRUE;
+		DBG1("ocsp status is not in cache");
+	}
 
-		DBG2("ocsp status is not in cache");
+	if (stale)
+	{
+		ocsp_t *ocsp;
 
 		ocsp = ocsp_create(this->cacert, this->ocspuris);
 		ocsp->fetch(ocsp, certinfo, credentials);
+		if (certinfo->get_status(certinfo) != CERT_UNDEFINED)
+		{
+			if (comparison != 0)
+			{
+				cached_certinfo = certinfo_create(certinfo->get_serialNumber(certinfo));
+
+				if (comparison > 0)
+				{
+					iterator->insert_after(iterator, (void *)cached_certinfo);
+				}
+				else
+				{
+					iterator->insert_before(iterator, (void *)cached_certinfo);
+				}
+			}
+			cached_certinfo->update(cached_certinfo, certinfo);
+		}
 		ocsp->destroy(ocsp);
 	}
+	else
+	{
+		certinfo->update(certinfo, cached_certinfo);
+	}
+
+	iterator->destroy(iterator);
 
 ret:
 	pthread_mutex_unlock(&(this->mutex));
@@ -480,7 +541,11 @@ static int print(FILE *stream, const struct printf_info *info,
 
 	cacert = this->cacert;
 	written += fprintf(stream, "    authname:  '%D'\n", cacert->get_subject(cacert));
+	{
+		chunk_t authkey = cacert->get_subjectKeyID(cacert);
 
+		written += fprintf(stream, "    authkey:    %#B\n", &authkey);
+	}
 	{
 		chunk_t keyid = cacert->get_keyid(cacert);
 
@@ -551,7 +616,9 @@ ca_info_t *ca_info_create(const char *name, x509_t *cacert)
 	this->public.add_info = (void (*) (ca_info_t*,const ca_info_t*))add_info;
 	this->public.add_crl = (void (*) (ca_info_t*,crl_t*))add_crl;
 	this->public.has_crl = (bool (*) (ca_info_t*))has_crl;
+	this->public.has_certinfos = (bool (*) (ca_info_t*))has_certinfos;
 	this->public.list_crl = (void (*) (ca_info_t*,FILE*,bool))list_crl;
+	this->public.list_certinfos = (void (*) (ca_info_t*,FILE*,bool))list_certinfos;
 	this->public.add_crluri = (void (*) (ca_info_t*,chunk_t))add_crluri;
 	this->public.add_ocspuri = (void (*) (ca_info_t*,chunk_t))add_ocspuri;
 	this->public.get_certificate = (x509_t* (*) (ca_info_t*))get_certificate;
diff --git a/src/libstrongswan/crypto/ca.h b/src/libstrongswan/crypto/ca.h
index 0aa3e20e3..3ecf17e03 100644
--- a/src/libstrongswan/crypto/ca.h
+++ b/src/libstrongswan/crypto/ca.h
@@ -105,15 +105,34 @@ struct ca_info_t {
 	bool (*has_crl) (ca_info_t *this);
 
 	/**
+	 * @brief Does the CA have OCSP certinfos?
+	 * 
+	 * @param this			ca info object
+	 * @return				TRUE if there are any certinfos
+	 */
+	bool (*has_certinfos) (ca_info_t *this);
+
+	/**
 	 * @brief List the CRL onto the console
 	 * 
 	 * @param this			ca info object
+	 * @param out			output stream
 	 * @param utc			TRUE -  utc
 							FALSE - local time
 	 */
 	void (*list_crl) (ca_info_t *this, FILE *out, bool utc);
 
 	/**
+	 * @brief List the OCSP certinfos onto the console
+	 * 
+	 * @param this			ca info object
+	 * @param out			output stream
+	 * @param utc			TRUE -  utc
+							FALSE - local time
+	 */
+	void (*list_certinfos) (ca_info_t *this, FILE *out, bool utc);
+
+	/**
 	 * @brief Adds a CRL URI to a list
 	 * 
 	 * @param this			ca info object
diff --git a/src/libstrongswan/crypto/certinfo.c b/src/libstrongswan/crypto/certinfo.c
index 8c899e678..3d542c994 100644
--- a/src/libstrongswan/crypto/certinfo.c
+++ b/src/libstrongswan/crypto/certinfo.c
@@ -21,6 +21,7 @@
  */
 
 #include <time.h>
+#include <stdio.h>
 
 #include <library.h>
 
@@ -94,6 +95,14 @@ ENUM(crl_reason_names, REASON_UNSPECIFIED, REASON_REMOVE_FROM_CRL,
 );
 
 /**
+ * Implements certinfo_t.compare_serialNumber
+ */
+static int compare_serialNumber(const private_certinfo_t *this, const private_certinfo_t *that)
+{
+	return chunk_compare(this->serialNumber, that->serialNumber);
+}
+
+/**
  * Implements certinfo_t.equals_serialNumber
  */
 static bool equals_serialNumber(const private_certinfo_t *this, const private_certinfo_t *that)
@@ -190,6 +199,20 @@ static crl_reason_t get_revocationReason(const private_certinfo_t *this)
 }
 
 /**
+ * Implements certinfo_t.update
+ */
+static void update(private_certinfo_t *this, const private_certinfo_t *that)
+{
+	if (equals_serialNumber(this, that))
+	{
+		chunk_t this_serialNumber = this->serialNumber;
+
+		*this = *that;
+		this->serialNumber = this_serialNumber;
+	}
+}
+
+/**
  * Implements certinfo_t.destroy
  */
 static void destroy(private_certinfo_t *this)
@@ -198,6 +221,54 @@ static void destroy(private_certinfo_t *this)
 	free(this);
 }
 
+/**
+ * output handler in printf()
+ */
+static int print(FILE *stream, const struct printf_info *info,
+				 const void *const *args)
+{
+	private_certinfo_t *this = *((private_certinfo_t**)(args[0]));
+	bool utc = TRUE;
+	int written = 0;
+	time_t now;
+	
+	if (info->alt)
+	{
+		utc = *((bool*)args[1]);
+	}
+	
+	if (this == NULL)
+	{
+		return fprintf(stream, "(null)");
+	}
+	
+	now = time(NULL);
+	
+	written += fprintf(stream, "%#T, until %#T, ",
+					   &this->thisUpdate, utc,
+					   &this->nextUpdate, utc);
+	if (now > this->nextUpdate)
+	{
+		written += fprintf(stream, "expired (since %V)\n", &now, &this->nextUpdate);
+	}
+	else
+	{
+		written += fprintf(stream, "ok (expires in %V)\n", &now, &this->nextUpdate);
+	}
+	written += fprintf(stream, "    serial:     %#B, %N",
+					   &this->serialNumber,
+					   cert_status_names, this->status);
+	return written;
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+	register_printf_function(PRINTF_CERTINFO, print, arginfo_ptr_alt_ptr_int);
+}
+
 /*
  * Described in header.
  */
@@ -214,6 +285,7 @@ certinfo_t *certinfo_create(chunk_t serial)
 	this->revocationReason = REASON_UNSPECIFIED;
 
 	/* public functions */
+	this->public.compare_serialNumber = (int (*) (const certinfo_t*,const certinfo_t*))compare_serialNumber;
 	this->public.equals_serialNumber = (bool (*) (const certinfo_t*,const certinfo_t*))equals_serialNumber;
 	this->public.get_serialNumber = (chunk_t (*) (const certinfo_t*))get_serialNumber;
 	this->public.set_status = (void (*) (certinfo_t*,cert_status_t))set_status;
@@ -226,6 +298,7 @@ certinfo_t *certinfo_create(chunk_t serial)
 	this->public.get_revocationTime = (time_t (*) (const certinfo_t*))get_revocationTime;
 	this->public.set_revocationReason = (void (*) (certinfo_t*, crl_reason_t))set_revocationReason;
 	this->public.get_revocationReason = (crl_reason_t(*) (const certinfo_t*))get_revocationReason;
+	this->public.update = (void (*) (certinfo_t*, const certinfo_t*))update;
 	this->public.destroy = (void (*) (certinfo_t*))destroy;
 
 	return &this->public;
diff --git a/src/libstrongswan/crypto/certinfo.h b/src/libstrongswan/crypto/certinfo.h
index b8be002a9..476befda8 100644
--- a/src/libstrongswan/crypto/certinfo.h
+++ b/src/libstrongswan/crypto/certinfo.h
@@ -74,6 +74,16 @@ struct certinfo_t {
 	 */
 	bool (*equals_serialNumber) (const certinfo_t *this, const certinfo_t *that);
 
+	/**
+	 * @brief Compares two serial numbers.
+	 * 
+	 * @param this				calling object
+	 * @param that				second certinfo_t object
+	 * @return					negative if this is smaller than that
+	 *							zero if this equals that
+	 *							positive if this is greater than that
+	 */
+	int (*compare_serialNumber) (const certinfo_t *this, const certinfo_t *that);
 
 	/**
 	 * @brief Get serial number.
@@ -164,6 +174,14 @@ struct certinfo_t {
 	crl_reason_t (*get_revocationReason) (const certinfo_t *this);
 
 	/**
+	 * @brief Set revocationReason.
+	 *
+	 * @param this				calling object to be updated
+	 * @param that				object containing updated information
+	 */
+	void (*update) (certinfo_t *this, const certinfo_t *that);
+
+	/**
 	 * @brief Destroys the certinfo_t object.
 	 * 
 	 * @param this			certinfo_t to destroy