authorAndreas Steffen <andreas.steffen@strongswan.org>2007-03-08 16:47:18 +0000
committerAndreas Steffen <andreas.steffen@strongswan.org>2007-03-08 16:47:18 +0000
commit9149635ffac0cf240a6a79457745e7b2ffe86183 (patch)
tree76d264db46725788dae51e5ff733ec8bffc5fb43
parent9f4039755d727a86c9210ed1df96cf6e7e81ebc1 (diff)
support if ocsp signing certificates
-rw-r--r--src/charon/daemon.c1
-rw-r--r--src/charon/daemon.h7
-rw-r--r--src/charon/encoding/payloads/certreq_payload.c11
-rwxr-xr-xsrc/charon/threads/stroke_interface.c56
4 files changed, 53 insertions, 22 deletions
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index 1e6e18b47..e2f079d5e 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -275,6 +275,7 @@ static void initialize(private_daemon_t *this, bool strict, bool syslog,
/* load secrets, ca certificates and crls */
credentials = this->public.credentials;
credentials->load_ca_certificates(credentials);
+ credentials->load_ocsp_certificates(credentials);
credentials->load_crls(credentials);
credentials->load_secrets(credentials);
diff --git a/src/charon/daemon.h b/src/charon/daemon.h
index 3010f89f6..720fbdec7 100644
--- a/src/charon/daemon.h
+++ b/src/charon/daemon.h
@@ -276,6 +276,13 @@ typedef struct daemon_t daemon_t;
#define CA_CERTIFICATE_DIR IPSEC_D_DIR "/cacerts"
/**
+ * Default directory for OCSP signing certificates
+ *
+ * @ingroup charon
+ */
+#define OCSP_CERTIFICATE_DIR IPSEC_D_DIR "/ocspcerts"
+
+/**
* Default directory for CRLs
*
* @ingroup charon
diff --git a/src/charon/encoding/payloads/certreq_payload.c b/src/charon/encoding/payloads/certreq_payload.c
index fcddcf971..ea465fd5f 100644
--- a/src/charon/encoding/payloads/certreq_payload.c
+++ b/src/charon/encoding/payloads/certreq_payload.c
@@ -26,6 +26,7 @@
#include <daemon.h>
#include <crypto/hashers/hasher.h>
+#include <crypto/ca.h>
#include "certreq_payload.h"
@@ -300,9 +301,9 @@ certreq_payload_t *certreq_payload_create_from_cacerts(void)
certreq_payload_t *this;
chunk_t keyids;
u_char *pos;
- x509_t *cacert;
+ ca_info_t *cainfo;
- iterator_t *iterator = charon->credentials->create_cacert_iterator(charon->credentials);
+ iterator_t *iterator = charon->credentials->create_cainfo_iterator(charon->credentials);
int count = iterator->get_count(iterator);
if (count == 0)
@@ -315,10 +316,10 @@ certreq_payload_t *certreq_payload_create_from_cacerts(void)
keyids = chunk_alloc(count * HASH_SIZE_SHA1);
pos = keyids.ptr;
- while (iterator->iterate(iterator, (void**)&cacert))
+ while (iterator->iterate(iterator, (void**)&cainfo))
{
- rsa_public_key_t *pubkey = cacert->get_public_key(cacert);
- chunk_t keyid = pubkey->get_keyid(pubkey);
+ x509_t *cacert = cainfo->get_certificate(cainfo);
+ chunk_t keyid = cacert->get_keyid(cacert);
DBG2(DBG_IKE, "requesting certificate issued by '%D'", cacert->get_subject(cacert));
DBG2(DBG_IKE, " with keyid %#B", &keyid);
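Review bot: `cacert` from the new line `x509_t *cacert = cainfo->get_certificate(cainfo);` is dereferenced on the very next line with no NULL check, whereas the old loop took the x509_t directly from the cacert iterator. Whether a ca_info_t can exist without an attached certificate is not visible in this hunk; if it can, `cacert->get_keyid(cacert)` dereferences NULL while building the CERTREQ payload. Either document that create_cainfo_iterator() only yields entries that carry a certificate, or guard with `if (cacert == NULL) { continue; }` and set `keyids.len = pos - keyids.ptr` after the loop, since the chunk is sized from `count` and would otherwise carry unwritten bytes for skipped entries. The body of certreq_payload_create_from_cacerts continues outside the hunk.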
diff --git a/src/charon/threads/stroke_interface.c b/src/charon/threads/stroke_interface.c
index 0c523d8b4..69cf1443b 100755
--- a/src/charon/threads/stroke_interface.c
+++ b/src/charon/threads/stroke_interface.c
@@ -124,7 +124,7 @@ static x509_t* load_end_certificate(const char *filename, identification_t **idp
snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
}
- cert = x509_create_from_file(path, "end entity certificate");
+ cert = x509_create_from_file(path, "end entity");
if (cert)
{
@@ -167,13 +167,13 @@ static x509_t* load_ca_certificate(const char *filename)
snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
}
- cert = x509_create_from_file(path, "ca certificate");
+ cert = x509_create_from_file(path, "ca");
if (cert)
{
if (cert->is_ca(cert))
{
- return charon->credentials->add_ca_certificate(charon->credentials, cert);
+ return charon->credentials->add_auth_certificate(charon->credentials, cert, AUTH_CA);
}
else
{
@@ -1052,6 +1052,33 @@ static void stroke_status(stroke_msg_t *msg, FILE *out)
}
/**
+ * list all authority certificates matching a specified flag
+ */
+static void list_auth_certificates(u_int flag, const char *label, bool utc, FILE *out)
+{
+ bool first = TRUE;
+ x509_t *cert;
+
+ iterator_t *iterator = charon->credentials->create_auth_cert_iterator(charon->credentials);
+
+ while (iterator->iterate(iterator, (void**)&cert))
+ {
+ if (cert->has_authority_flag(cert, flag))
+ {
+ if (first)
+ {
+ fprintf(out, "\n");
+ fprintf(out, "List of X.509 %s Certificates:\n", label);
+ fprintf(out, "\n");
+ first = FALSE;
+ }
+ fprintf(out, "%#Q\n", cert, utc);
+ }
+ }
+ iterator->destroy(iterator);
+}
+
+/**
* list various information
*/
static void stroke_list(stroke_msg_t *msg, FILE *out)
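Review bot: The Doxygen header on the new list_auth_certificates documents none of its four parameters; add @param entries for flag (the authority flag a certificate must carry to be listed, e.g. AUTH_CA or AUTH_OCSP), label (the text spliced into the list heading), utc and out. As a point of style, the three fprintf calls inside `if (first)` can be a single `fprintf(out, "\nList of X.509 %s Certificates:\n\n", label);`, which also keeps the heading format in one place. The function does not check the iterator returned by create_auth_cert_iterator for NULL, which matches the code it replaces in stroke_list, so that is not a regression introduced here.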
@@ -1084,20 +1111,7 @@ static void stroke_list(stroke_msg_t *msg, FILE *out)
}
if (msg->list.flags & LIST_CACERTS)
{
- x509_t *cert;
-
- iterator = charon->credentials->create_cacert_iterator(charon->credentials);
- if (iterator->get_count(iterator))
- {
- fprintf(out, "\n");
- fprintf(out, "List of X.509 CA Certificates:\n");
- fprintf(out, "\n");
- }
- while (iterator->iterate(iterator, (void**)&cert))
- {
- fprintf(out, "%#Q\n", cert, msg->list.utc);
- }
- iterator->destroy(iterator);
+ list_auth_certificates(AUTH_CA, "CA", msg->list.utc, out);
}
if (msg->list.flags & LIST_CAINFOS)
{
@@ -1120,6 +1134,10 @@ static void stroke_list(stroke_msg_t *msg, FILE *out)
{
charon->credentials->list_crls(charon->credentials, out, msg->list.utc);
}
+ if (msg->list.flags & LIST_OCSPCERTS)
+ {
+ list_auth_certificates(AUTH_OCSP, "OCSP", msg->list.utc, out);
+ }
}
/**
@@ -1131,6 +1149,10 @@ static void stroke_reread(stroke_msg_t *msg, FILE *out)
{
charon->credentials->load_ca_certificates(charon->credentials);
}
+ if (msg->reread.flags & REREAD_OCSPCERTS)
+ {
+ charon->credentials->load_ocsp_certificates(charon->credentials);
+ }
if (msg->reread.flags & REREAD_CRLS)
{
charon->credentials->load_crls(charon->credentials);
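Review bot: The new REREAD_OCSPCERTS branch calls `charon->credentials->load_ocsp_certificates(charon->credentials)` and nothing visible here says whether previously loaded OCSP signer certificates are dropped before the directory is re-read; if the loader only appends, a signer removed from the directory stays trusted until the daemon restarts, which matters because these certificates vouch for revocation status. Confirm the loader's replace-vs-append semantics and record the answer on the branch, e.g. `/* replaces (does not append to) the currently trusted OCSP signers */` once verified. The same question applies to the REREAD_CACERTS branch directly above it. stroke_reread's body continues outside the hunk.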