| author | Martin Willi <martin@strongswan.org> | 2009-05-15 18:15:55 +0200 |
|---|---|---|
| committer | Martin Willi <martin@strongswan.org> | 2009-05-18 10:42:16 +0200 |
| commit | 24cd2ca6eeb5f16895569bfcfa629f985ea84e18 (patch) | |
| tree | ff9172f618e1adb608b10e5d28bd46f9d6a4b96c /src/charon/plugins/stroke | |
| parent | 7736a4044892ccb91da0ba1c59686dfcbc11bb68 (diff) | |
moved very stroke specific x509 flag handling out of core library
Diffstat (limited to 'src/charon/plugins/stroke')
| -rw-r--r-- | src/charon/plugins/stroke/stroke_cred.c | 41 |
1 files changed, 35 insertions, 6 deletions
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index c30e8fedf..dc73299b8 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -380,10 +380,18 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
 cert = lib->creds->create(lib->creds,
 CRED_CERTIFICATE, CERT_X509,
 BUILD_FROM_FILE, path,
- BUILD_X509_FLAG, X509_CA,
 BUILD_END);
 if (cert)
 {
+ x509_t *x509 = (x509_t*)cert;
+
+ if (!(x509->get_flags(x509) & X509_CA))
+ {
+ cert->destroy(cert);
+ DBG1(DBG_CFG, " ca certificate must have ca basic constraint set, "
+ "discarded");
+ return NULL;
+ }
 return (certificate_t*)add_cert(this, cert);
 }
 return NULL;
@@ -522,11 +530,32 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 switch (type)
 {
 case CERT_X509:
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509,
- BUILD_FROM_FILE, file,
- BUILD_X509_FLAG, flag,
- BUILD_END);
+ if (flag & X509_CA)
+ { /* for CA certificates, we strictly require CA
+ * basicconstraints to be set */
+ cert = lib->creds->create(lib->creds,
+ CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, file, BUILD_END);
+ if (cert)
+ {
+ x509_t *x509 = (x509_t*)cert;
+
+ if (!(x509->get_flags(x509) & X509_CA))
+ {
+ DBG1(DBG_CFG, " ca certificate must have ca "
+ "basic constraint set, discarded");
+ cert->destroy(cert);
+ cert = NULL;
+ }
+ }
+ }
+ else
+ { /* for all other flags, we add them to the certificate. */
+ cert = lib->creds->create(lib->creds,
+ CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, file,
+ BUILD_X509_FLAG, flag, BUILD_END);
+ }
 if (cert)
 {
 add_cert(this, cert);
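Review bot: The discard message in the new `if (!(x509->get_flags(x509) & X509_CA))` branch of load_ca never says which file was rejected, so an operator whose CA directory silently loses a trust anchor has to guess which certificate lacked the basicConstraints cA flag; `path` (and the `filename` parameter) are in scope here, so name it: `DBG1(DBG_CFG, "  ca certificate '%s' must have ca basic constraint set, discarded", path);`. This is also a deployment-visible tightening: certificates the old `BUILD_X509_FLAG, X509_CA` call accepted from the CA directory unconditionally are now refused unless they carry cA=TRUE, which is the right policy for a trust anchor but deserves a sentence in the commit message or NEWS rather than only a debug-level log. load_ca's body starts before the hunk.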
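Review bot: The CA basicConstraints check added under `case CERT_X509:` in load_certdir duplicates the one in load_ca almost line for line, and the two already diverge in detail (here the message is logged before `cert->destroy(cert)`, in load_ca after it), so the next change to this policy is likely to land in only one place; a small static helper that takes the loaded cert and returns it when cA is set, otherwise logging, destroying it and returning NULL, lets both call sites read `cert = require_ca(cert, file);`. With the helper the CA branch collapses to the create call plus that one line, and the `else` branch keeps forcing `flag` onto the certificate exactly as before. As in load_ca, the log line should name the offending file, and `file` is in scope here. load_certdir's body starts before the hunk and continues after it.
```c
/* Keep cert only if its basicConstraints mark it as a CA; otherwise log the
 * offending file, destroy the certificate and return NULL so the caller
 * skips it. Takes ownership of cert in both cases. */
static certificate_t *require_ca(certificate_t *cert, char *file)
{
	x509_t *x509 = (x509_t*)cert;

	if (!(x509->get_flags(x509) & X509_CA))
	{
		DBG1(DBG_CFG, "  ca certificate '%s' must have ca basic constraint "
			 "set, discarded", file);
		cert->destroy(cert);
		return NULL;
	}
	return cert;
}

/* … in load_certdir, case CERT_X509: … */
				if (flag & X509_CA)
				{	/* CA certificates must carry the CA basicConstraints */
					cert = lib->creds->create(lib->creds,
											  CRED_CERTIFICATE, CERT_X509,
											  BUILD_FROM_FILE, file, BUILD_END);
					if (cert)
					{
						cert = require_ca(cert, file);
					}
				}
				/* … unchanged: else branch applying BUILD_X509_FLAG, flag … */
```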
