diff options
| author | Martin Willi <martin@revosec.ch> | 2010-12-17 15:52:15 +0100 |
|---|---|---|
| committer | Martin Willi <martin@revosec.ch> | 2011-01-05 16:46:03 +0100 |
| commit | a6478a0402d577a5974968e25d1018c9d9d111cd (patch) | |
| tree | d1ce7a33e97cb09a49f660f4b67bfa84dbaab119 | |
| parent | e24a02a28fbde4efcba79da0bcf7068ad4127dae (diff) | |
| download | strongswan-a6478a0402d577a5974968e25d1018c9d9d111cd.tar.bz2 strongswan-a6478a0402d577a5974968e25d1018c9d9d111cd.tar.xz | |
Simplified format of x509 CRL URI parsing/enumerator
| -rw-r--r-- | src/libstrongswan/credentials/builder.c | 1 | ||||
| -rw-r--r-- | src/libstrongswan/credentials/builder.h | 4 | ||||
| -rw-r--r-- | src/libstrongswan/credentials/certificates/x509.h | 13 | ||||
| -rw-r--r-- | src/libstrongswan/plugins/openssl/openssl_x509.c | 106 | ||||
| -rw-r--r-- | src/libstrongswan/plugins/revocation/revocation_validator.c | 16 | ||||
| -rw-r--r-- | src/libstrongswan/plugins/x509/x509_cert.c | 216 | ||||
| -rw-r--r-- | src/pki/commands/issue.c | 33 | ||||
| -rw-r--r-- | src/pki/commands/print.c | 11 | ||||
| -rw-r--r-- | src/pluto/crl.c | 10 |
9 files changed, 179 insertions, 231 deletions
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c index 122001924..3651e4b44 100644 --- a/src/libstrongswan/credentials/builder.c +++ b/src/libstrongswan/credentials/builder.c @@ -41,7 +41,6 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END, "BUILD_CA_CERT", "BUILD_CERT", "BUILD_CRL_DISTRIBUTION_POINTS", - "BUILD_CRL_ISSUER", "BUILD_OCSP_ACCESS_LOCATIONS", "BUILD_PATHLEN", "BUILD_PERMITTED_NAME_CONSTRAINTS", diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h index 56eee3cf0..956b1ac34 100644 --- a/src/libstrongswan/credentials/builder.h +++ b/src/libstrongswan/credentials/builder.h @@ -87,10 +87,8 @@ enum builder_part_t { BUILD_CA_CERT, /** a certificate, certificate_t* */ BUILD_CERT, - /** CRL distribution point URIs, linked_list_t* containing char* */ + /** CRL distribution point URIs, x509_cdp_t* */ BUILD_CRL_DISTRIBUTION_POINTS, - /** CRL issuer for all distribution points follow up, identification_t* */ - BUILD_CRL_ISSUER, /** OCSP AuthorityInfoAccess locations, linked_list_t* containing char* */ BUILD_OCSP_ACCESS_LOCATIONS, /** certificate path length constraint */ diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h index f4ec73029..24e30a7ae 100644 --- a/src/libstrongswan/credentials/certificates/x509.h +++ b/src/libstrongswan/credentials/certificates/x509.h @@ -29,6 +29,7 @@ typedef struct x509_t x509_t; typedef struct x509_cert_policy_t x509_cert_policy_t; typedef struct x509_policy_mapping_t x509_policy_mapping_t; +typedef struct x509_cdp_t x509_cdp_t; typedef enum x509_flag_t x509_flag_t; /** @@ -78,6 +79,16 @@ struct x509_policy_mapping_t { }; /** + * X.509 CRL distributionPoint + */ +struct x509_cdp_t { + /** CDP URI, as string */ + char *uri; + /** CRL issuer */ + identification_t *issuer; +}; + +/** * X.509 certificate interface. * * This interface adds additional methods to the certificate_t type to @@ -143,7 +154,7 @@ struct x509_t { /** * Create an enumerator over all CRL URIs and CRL Issuers. * - * @return enumerator over URIs (char*, identificiation_t*) + * @return enumerator over x509_cdp_t */ enumerator_t* (*create_crl_uri_enumerator)(x509_t *this); diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c index 58b58b6df..cf83b152d 100644 --- a/src/libstrongswan/plugins/openssl/openssl_x509.c +++ b/src/libstrongswan/plugins/openssl/openssl_x509.c @@ -137,7 +137,7 @@ struct private_openssl_x509_t { linked_list_t *issuerAltNames; /** - * List of CRL URIs, as crl_uri_t + * List of CRL URIs, as x509_cdp_t */ linked_list_t *crl_uris; @@ -153,32 +153,11 @@ struct private_openssl_x509_t { }; /** - * CRL URIs with associated issuer - */ -typedef struct { - identification_t *issuer; - linked_list_t *uris; -} crl_uri_t; - -/** - * Create a new issuer entry - */ -static crl_uri_t *crl_uri_create() -{ - crl_uri_t *this; - - INIT(this, - .uris = linked_list_create(), - ); - return this; -} - -/** * Destroy a CRL URI struct */ -static void crl_uri_destroy(crl_uri_t *this) +static void crl_uri_destroy(x509_cdp_t *this) { - this->uris->destroy_function(this->uris, free); + free(this->uri); DESTROY_IF(this->issuer); free(this); } @@ -289,36 +268,10 @@ METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*, return this->subjectAltNames->create_enumerator(this->subjectAltNames); } -/** - * Convert enumerator value from entry to (uri, issuer) - */ -static bool crl_enum_filter(identification_t *issuer_in, - char **uri_in, char **uri_out, - void *none_in, identification_t **issuer_out) -{ - *uri_out = *uri_in; - if (issuer_out) - { - *issuer_out = issuer_in; - } - return TRUE; -} - -/** - * Create inner enumerator over URIs - */ -static enumerator_t *crl_enum_create(crl_uri_t *entry) -{ - return enumerator_create_filter(entry->uris->create_enumerator(entry->uris), - (void*)crl_enum_filter, entry->issuer, NULL); -} - METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*, private_openssl_x509_t *this) { - return enumerator_create_nested( - this->crl_uris->create_enumerator(this->crl_uris), - (void*)crl_enum_create, NULL, NULL); + return this->crl_uris->create_enumerator(this->crl_uris); } METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*, @@ -660,9 +613,10 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, { CRL_DIST_POINTS *cdps; DIST_POINT *cdp; - identification_t *id; + identification_t *id, *issuer; + x509_cdp_t *entry; char *uri; - int i, j, point_num, name_num; + int i, j, k, point_num, name_num, issuer_num; cdps = X509V3_EXT_d2i(ext); if (!cdps) @@ -675,11 +629,6 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, cdp = sk_DIST_POINT_value(cdps, i); if (cdp) { - crl_uri_t *entry; - - entry = crl_uri_create(); - this->crl_uris->insert_last(this->crl_uris, entry); - if (cdp->distpoint && cdp->distpoint->type == 0 && cdp->distpoint->name.fullname) { @@ -692,25 +641,38 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, { if (asprintf(&uri, "%Y", id) > 0) { - entry->uris->insert_last(entry->uris, uri); + if (cdp->CRLissuer) + { + issuer_num = sk_GENERAL_NAME_num(cdp->CRLissuer); + for (k = 0; k < issuer_num; k++) + { + issuer = general_name2id( + sk_GENERAL_NAME_value(cdp->CRLissuer, k)); + if (issuer) + { + INIT(entry, + .uri = strdup(uri), + .issuer = issuer, + ); + this->crl_uris->insert_last( + this->crl_uris, entry); + } + } + free(uri); + } + else + { + INIT(entry, + .uri = uri, + ); + this->crl_uris->insert_last(this->crl_uris, entry); + } } id->destroy(id); } } } - if (cdp->CRLissuer) - { - name_num = sk_GENERAL_NAME_num(cdp->CRLissuer); - for (j = 0; j < name_num; j++) - { - id = general_name2id(sk_GENERAL_NAME_value(cdp->CRLissuer, j)); - if (id) - { /* get only one */ - entry->issuer = id; - break; - } - } - } + DIST_POINT_free(cdp); } } diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c index 147818904..c9a60934b 100644 --- a/src/libstrongswan/plugins/revocation/revocation_validator.c +++ b/src/libstrongswan/plugins/revocation/revocation_validator.c @@ -486,13 +486,13 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, auth_cfg_t *auth) { cert_validation_t valid = VALIDATION_SKIPPED; - identification_t *id; certificate_t *best = NULL; + identification_t *id; + x509_cdp_t *cdp; bool uri_found = FALSE; certificate_t *current; enumerator_t *enumerator; chunk_t chunk; - char *uri; /* use issuers subjectKeyIdentifier to find a cached CRL / fetch from CDP */ chunk = issuer->get_subjectKeyIdentifier(issuer); @@ -506,11 +506,11 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, /* find a cached CRL or fetch via configured CDP via CRLIssuer */ enumerator = subject->create_crl_uri_enumerator(subject); while (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED && - enumerator->enumerate(enumerator, &uri, &id)) + enumerator->enumerate(enumerator, &cdp)) { if (id) { - valid = find_crl(subject, id, auth, &best, &uri_found); + valid = find_crl(subject, cdp->issuer, auth, &best, &uri_found); } } enumerator->destroy(enumerator); @@ -519,17 +519,17 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) { enumerator = subject->create_crl_uri_enumerator(subject); - while (enumerator->enumerate(enumerator, &uri, &id)) + while (enumerator->enumerate(enumerator, &cdp)) { uri_found = TRUE; - current = fetch_crl(uri); + current = fetch_crl(cdp->uri); if (current) { - if (id && !current->has_issuer(current, id)) + if (cdp->issuer && !current->has_issuer(current, cdp->issuer)) { DBG1(DBG_CFG, "issuer of fetched CRL '%Y' does not match " "certificates CRL issuer '%Y'", - current->get_issuer(current), id); + current->get_issuer(current), cdp->issuer); current->destroy(current); continue; } diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index 4d34de470..6866a482b 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -117,7 +117,7 @@ struct private_x509_cert_t { linked_list_t *subjectAltNames; /** - * List of crlDistributionPoints as crl_uri_t + * List of crlDistributionPoints as x509_cdp_t* */ linked_list_t *crl_uris; @@ -217,33 +217,11 @@ static const chunk_t ASN1_subjectAltName_oid = chunk_from_chars( ); /** - * CRL URIs with associated issuer + * Destroy a CertificateDistributionPoint */ -typedef struct { - identification_t *issuer; - linked_list_t *uris; -} crl_uri_t; - -/** - * Create a new issuer entry - */ -static crl_uri_t *crl_uri_create(identification_t *issuer) -{ - crl_uri_t *this; - - INIT(this, - .issuer = issuer ? issuer->clone(issuer) : NULL, - .uris = linked_list_create(), - ); - return this; -} - -/** - * Destroy a CRL URI struct - */ -static void crl_uri_destroy(crl_uri_t *this) +static void crl_uri_destroy(x509_cdp_t *this) { - this->uris->destroy_function(this->uris, free); + free(this->uri); DESTROY_IF(this->issuer); free(this); } @@ -796,19 +774,63 @@ static const asn1Object_t crlDistributionPointsObjects[] = { #define CRL_DIST_POINTS_ISSUER 10 /** + * Add entry to the list of each pairing of URI and Issuer + */ +static void add_cdps(linked_list_t *list, linked_list_t *uris, + linked_list_t *issuers) +{ + identification_t *issuer, *id; + enumerator_t *enumerator; + x509_cdp_t *cdp; + char *uri; + + while (uris->remove_last(uris, (void**)&id) == SUCCESS) + { + if (asprintf(&uri, "%Y", id) > 0) + { + if (issuers->get_count(issuers)) + { + enumerator = issuers->create_enumerator(issuers); + while (enumerator->enumerate(enumerator, &issuer)) + { + INIT(cdp, + .uri = strdup(uri), + .issuer = issuer->clone(issuer), + ); + list->insert_last(list, cdp); + } + enumerator->destroy(enumerator); + free(uri); + } + else + { + INIT(cdp, + .uri = uri, + ); + list->insert_last(list, cdp); + } + } + id->destroy(id); + } + while (issuers->remove_last(issuers, (void**)&id) == SUCCESS) + { + id->destroy(id); + } +} + +/** * Extracts one or several crlDistributionPoints into a list */ -static void parse_crlDistributionPoints(chunk_t blob, int level0, - private_x509_cert_t *this) +void x509_parse_crlDistributionPoints(chunk_t blob, int level0, + linked_list_t *list) { + linked_list_t *uris, *issuers; asn1_parser_t *parser; chunk_t object; int objectID; - crl_uri_t *entry = NULL; - identification_t *id; - char *uri; - linked_list_t *list = linked_list_create(); + uris = linked_list_create(); + issuers = linked_list_create(); parser = asn1_parser_create(crlDistributionPointsObjects, blob); parser->set_top_level(parser, level0); @@ -817,46 +839,26 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0, switch (objectID) { case CRL_DIST_POINTS: - entry = crl_uri_create(NULL); - this->crl_uris->insert_last(this->crl_uris, entry); + add_cdps(list, uris, issuers); break; case CRL_DIST_POINTS_FULLNAME: - if (entry) - { - x509_parse_generalNames(object, parser->get_level(parser)+1, - TRUE, list); - while (list->remove_last(list, (void**)&id) == SUCCESS) - { - if (asprintf(&uri, "%Y", id) > 0) - { - entry->uris->insert_last(entry->uris, uri); - } - id->destroy(id); - } - } + x509_parse_generalNames(object, parser->get_level(parser) + 1, + TRUE, uris); break; case CRL_DIST_POINTS_ISSUER: - if (entry) - { - x509_parse_generalNames(object, parser->get_level(parser)+1, - TRUE, list); - while (list->remove_last(list, (void**)&id) == SUCCESS) - { - if (!entry->issuer) - { - entry->issuer = id; - } - else - { - id->destroy(id); - } - } - } + x509_parse_generalNames(object, parser->get_level(parser) + 1, + TRUE, issuers); + break; + default: break; } } parser->destroy(parser); - list->destroy(list); + + add_cdps(list, uris, issuers); + + uris->destroy(uris); + issuers->destroy(issuers); } /** @@ -1391,7 +1393,8 @@ static bool parse_certificate(private_x509_cert_t *this) parse_basicConstraints(object, level, this); break; case OID_CRL_DISTRIBUTION_POINTS: - parse_crlDistributionPoints(object, level, this); + x509_parse_crlDistributionPoints(object, level, + this->crl_uris); break; case OID_AUTHORITY_KEY_ID: this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object, @@ -1741,36 +1744,10 @@ METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*, return this->ocsp_uris->create_enumerator(this->ocsp_uris); } -/** - * Convert enumerator value from entry to (uri, issuer) - */ -static bool crl_enum_filter(identification_t *issuer_in, - char **uri_in, char **uri_out, - void *none_in, identification_t **issuer_out) -{ - *uri_out = *uri_in; - if (issuer_out) - { - *issuer_out = issuer_in; - } - return TRUE; -} - -/** - * Create inner enumerator over URIs - */ -static enumerator_t *crl_enum_create(crl_uri_t *entry) -{ - return enumerator_create_filter(entry->uris->create_enumerator(entry->uris), - (void*)crl_enum_filter, entry->issuer, NULL); -} - METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*, private_x509_cert_t *this) { - return enumerator_create_nested( - this->crl_uris->create_enumerator(this->crl_uris), - (void*)crl_enum_create, NULL, NULL); + return this->crl_uris->create_enumerator(this->crl_uris); } METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*, @@ -1968,11 +1945,11 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty; chunk_t policyConstraints = chunk_empty; identification_t *issuer, *subject; - crl_uri_t *entry; + x509_cdp_t *cdp; chunk_t key_info; signature_scheme_t scheme; hasher_t *hasher; - enumerator_t *enumerator, *uris; + enumerator_t *enumerator; char *uri; subject = cert->subject; @@ -2023,28 +2000,21 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, /* encode CRL distribution points extension */ enumerator = cert->crl_uris->create_enumerator(cert->crl_uris); - while (enumerator->enumerate(enumerator, &entry)) + while (enumerator->enumerate(enumerator, &cdp)) { - chunk_t distributionPoint, gn; - chunk_t crlIssuer = chunk_empty, gns = chunk_empty; + chunk_t distributionPoint, crlIssuer = chunk_empty; - if (entry->issuer) + if (cdp->issuer) { crlIssuer = asn1_wrap(ASN1_CONTEXT_C_2, "m", - build_generalName(entry->issuer)); + build_generalName(cdp->issuer)); } - uris = entry->uris->create_enumerator(entry->uris); - while (uris->enumerate(uris, &uri)) - { - gn = asn1_wrap(ASN1_CONTEXT_S_6, "c", chunk_create(uri, strlen(uri))); - gns = chunk_cat("mm", gns, gn); - } - uris->destroy(uris); - distributionPoint = asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_wrap(ASN1_CONTEXT_C_0, "m", - asn1_wrap(ASN1_CONTEXT_C_0, "m", gns)), - crlIssuer); + asn1_wrap(ASN1_CONTEXT_C_0, "m", + asn1_wrap(ASN1_CONTEXT_C_0, "m", + asn1_wrap(ASN1_CONTEXT_S_6, "c", + chunk_create(cdp->uri, strlen(cdp->uri))))), + crlIssuer); crlDistributionPoints = chunk_cat("mm", crlDistributionPoints, distributionPoint); } @@ -2385,7 +2355,6 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) private_x509_cert_t *cert; certificate_t *sign_cert = NULL; private_key_t *sign_key = NULL; - identification_t *crl_issuer = NULL; hash_algorithm_t digest_alg = HASH_SHA1; cert = create_empty(); @@ -2430,26 +2399,19 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) { enumerator_t *enumerator; linked_list_t *list; - crl_uri_t *entry; - char *uri; + x509_cdp_t *in, *cdp; list = va_arg(args, linked_list_t*); - if (list->get_count(list)) + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &in)) { - entry = crl_uri_create(crl_issuer); - enumerator = list->create_enumerator(list); - while (enumerator->enumerate(enumerator, &uri)) - { - entry->uris->insert_last(entry->uris, strdup(uri)); - } - enumerator->destroy(enumerator); - cert->crl_uris->insert_last(cert->crl_uris, entry); + INIT(cdp, + .uri = strdup(in->uri), + .issuer = in->issuer ? in->issuer->clone(in->issuer) : NULL, + ); + cert->crl_uris->insert_last(cert->crl_uris, cdp); } - continue; - } - case BUILD_CRL_ISSUER: - { - crl_issuer = va_arg(args, identification_t*); + enumerator->destroy(enumerator); continue; } case BUILD_OCSP_ACCESS_LOCATIONS: diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index b309ea9b4..2c0f1e04c 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -44,6 +44,15 @@ static void destroy_policy_mapping(x509_policy_mapping_t *mapping) } /** + * Free a CRL DistributionPoint + */ +static void destroy_cdp(x509_cdp_t *this) +{ + DESTROY_IF(this->issuer); + free(this); +} + +/** * Issue a certificate using a CA certificate and key */ static int issue() @@ -56,7 +65,7 @@ static int issue() bool pkcs10 = FALSE; char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL; char *error = NULL, *keyid = NULL; - identification_t *id = NULL, *crl_issuer = NULL;; + identification_t *id = NULL; linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies, *mappings; int lifetime = 1095; int pathlen = X509_NO_CONSTRAINT; @@ -66,6 +75,7 @@ static int issue() time_t not_before, not_after; x509_flag_t flags = 0; x509_t *x509; + x509_cdp_t *cdp = NULL; x509_cert_policy_t *policy = NULL; char *arg; @@ -233,10 +243,18 @@ static int issue() } continue; case 'u': - cdps->insert_last(cdps, arg); + INIT(cdp, + .uri = strdup(arg), + ); + cdps->insert_last(cdps, cdp); continue; case 'I': - crl_issuer = identification_create_from_string(arg); + if (!cdp || cdp->issuer) + { + error = "--crlissuer must follow a --crl"; + goto usage; + } + cdp->issuer = identification_create_from_string(arg); continue; case 'o': ocsp->insert_last(ocsp, arg); @@ -420,7 +438,6 @@ static int issue() BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial, BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags, BUILD_PATHLEN, pathlen, - BUILD_CRL_ISSUER, crl_issuer, BUILD_CRL_DISTRIBUTION_POINTS, cdps, BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_PERMITTED_NAME_CONSTRAINTS, permitted, @@ -458,9 +475,8 @@ end: excluded->destroy_offset(excluded, offsetof(identification_t, destroy)); policies->destroy_function(policies, (void*)destroy_cert_policy); mappings->destroy_function(mappings, (void*)destroy_policy_mapping); - cdps->destroy(cdps); + cdps->destroy_function(cdps, (void*)destroy_cdp); ocsp->destroy(ocsp); - DESTROY_IF(crl_issuer); free(encoding.ptr); free(serial.ptr); @@ -477,9 +493,8 @@ usage: excluded->destroy_offset(excluded, offsetof(identification_t, destroy)); policies->destroy_function(policies, (void*)destroy_cert_policy); mappings->destroy_function(mappings, (void*)destroy_policy_mapping); - cdps->destroy(cdps); + cdps->destroy_function(cdps, (void*)destroy_cdp); ocsp->destroy(ocsp); - DESTROY_IF(crl_issuer); return command_usage(error); } @@ -493,7 +508,7 @@ static void __attribute__ ((constructor))reg() "issue a certificate using a CA certificate and key", {"[--in file] [--type pub|pkcs10] --cakey file | --cakeyid hex", " --cacert file --dn subject-dn [--san subjectAltName]+", - "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+", + "[--lifetime days] [--serial hex] [--crl uri [--crlissuer i] ]+ [--ocsp uri]+", "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|crlSign|ocspSigning]+", "[--nc-permitted name] [--nc-excluded name]", "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+", diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c index 78a694b04..f0795ea2c 100644 --- a/src/pki/commands/print.c +++ b/src/pki/commands/print.c @@ -75,6 +75,7 @@ static void print_x509(x509_t *x509) char *uri; int len; x509_flag_t flags; + x509_cdp_t *cdp; x509_cert_policy_t *policy; x509_policy_mapping_t *mapping; @@ -140,20 +141,20 @@ static void print_x509(x509_t *x509) first = TRUE; enumerator = x509->create_crl_uri_enumerator(x509); - while (enumerator->enumerate(enumerator, &uri, &id)) + while (enumerator->enumerate(enumerator, &cdp)) { if (first) { - printf("CRL URIs: %s", uri); + printf("CRL URIs: %s", cdp->uri); first = FALSE; } else { - printf(" %s", uri); + printf(" %s", cdp->uri); } - if (id) + if (cdp->issuer) { - printf(" (CRL issuer: %Y)", id); + printf(" (CRL issuer: %Y)", cdp->issuer); } printf("\n"); } diff --git a/src/pluto/crl.c b/src/pluto/crl.c index 7b14e5ff1..1c9c9a8cc 100644 --- a/src/pluto/crl.c +++ b/src/pluto/crl.c @@ -352,7 +352,7 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate, x509crl_t *x509crl; ca_info_t *ca; enumerator_t *enumerator; - char *point; + x509_cdp_t *cdp; ca = get_ca_info(issuer, authKeyID); @@ -376,9 +376,9 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate, } enumerator = x509->create_crl_uri_enumerator(x509); - while (enumerator->enumerate(enumerator, &point, NULL)) + while (enumerator->enumerate(enumerator, &cdp)) { - add_distribution_point(crluris, point); + add_distribution_point(crluris, cdp->uri); } enumerator->destroy(enumerator); @@ -416,9 +416,9 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate, } enumerator = x509->create_crl_uri_enumerator(x509); - while (enumerator->enumerate(enumerator, &point, NULL)) + while (enumerator->enumerate(enumerator, &cdp)) { - add_distribution_point(x509crl->distributionPoints, point); + add_distribution_point(x509crl->distributionPoints, cdp->uri); } enumerator->destroy(enumerator); |