author | Andreas Steffen <andreas.steffen@strongswan.org> | 2013-04-01 22:32:20 +0200 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2013-04-02 08:55:40 +0200 |
commit | d4a1ae3af1fb7cb5da4c6823761bb9b8a6354d93 (patch) | |
tree | 29f8c5ebd7697c30758e30617ae5b961dbc67c55 /src/libcharon | |
parent | c2c4125cde0936bb2b963a2acabe0fae3d6fce1f (diff) | |
allow retrieval of private keys from other credential sets
Diffstat (limited to 'src/libcharon')
-rw-r--r-- | src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.c | 1 | ||||
-rw-r--r-- | src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c | 34 |
2 files changed, 26 insertions, 9 deletions
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.c
index c9e84241c..85ad49bd8 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.c
@@ -76,6 +76,7 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_PROVIDE(CUSTOM, "tnc-ifmap-2.1"),
 			PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
 			PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
+			PLUGIN_SDEPEND(CUSTOM, "stroke"),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
index e9dbbc79a..246b2af90 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
@@ -626,6 +626,7 @@ static bool soap_init(private_tnc_ifmap_soap_t *this)
 	char *server_uri, *server_str, *port_str, *uri_str;
 	char *server_cert, *client_cert, *client_key, *user_pass;
 	int port;
+	auth_cfg_t *auth;
 	certificate_t *cert;
 	private_key_t *key;
 	identification_t *server_id, *client_id = NULL;
@@ -661,9 +662,9 @@ static bool soap_init(private_tnc_ifmap_soap_t *this)
 	this->creds->add_cert(this->creds, TRUE, cert);
 
 	/* check availability of client credentials */
-	if (!((client_cert && client_key) || user_pass))
+	if (!client_cert && !user_pass)
 	{
-		DBG1(DBG_TNC, "neither MAP client certificate and private key "
+		DBG1(DBG_TNC, "neither MAP client certificate "
 			 "nor username:password defined");
 		return FALSE;
 	}
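Review bot: The new `PLUGIN_SDEPEND(CUSTOM, "stroke")` entry in get_features carries no comment explaining why an IF-MAP plugin now soft-depends on stroke, and the reason is only recoverable from the commit title. Presumably the point is load order: the client private key may now be supplied by another credential set (stroke's), so that plugin must be initialised first. A one-line comment such as `/* soft dependency: the MAP client key may come from the stroke credential set */` above the new line would keep that intent with the code rather than in the history.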
@@ -683,19 +684,34 @@ static bool soap_init(private_tnc_ifmap_soap_t *this)
 		this->creds->add_cert(this->creds, TRUE, cert);
 
 		/* load MAP client private key */
-		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-								 BUILD_FROM_FILE, client_key, BUILD_END);
-		if (!key)
+		if (client_key)
 		{
-			DBG1(DBG_TNC, "loading MAP client private key from '%s' failed",
+			key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+									 BUILD_FROM_FILE, client_key, BUILD_END);
+			if (!key)
+			{
+				DBG1(DBG_TNC, "loading MAP client private key from '%s' failed",
+					 client_key);
+				return FALSE;
+			}
+			DBG1(DBG_TNC, "loaded MAP client RSA private key from '%s'",
 				 client_key);
-			return FALSE;
+			this->creds->add_key(this->creds, key);
 		}
-		DBG1(DBG_TNC, "loaded MAP client RSA private key from '%s'", client_key);
-		this->creds->add_key(this->creds, key);
 
 		/* set client ID to certificate distinguished name */
 		client_id = cert->get_subject(cert);
+
+		/* check if we have a private key matching the certificate */
+		auth = auth_cfg_create();
+		auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
+		key = lib->credmgr->get_private(lib->credmgr, KEY_RSA, client_id, auth);
+		auth->destroy(auth);
+		if (!key)
+		{
+			DBG1(DBG_TNC, "no RSA private key matching MAP client certificate");
+			return FALSE;
+		}
 	}
 	else
 	{
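Review bot: The reference counting around the added `get_private()` lookup looks unbalanced and should be confirmed against auth_cfg_t and credential_manager_t. `auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert)` hands over the same `cert` object that was just passed to `this->creds->add_cert()` a few lines earlier; if auth_cfg_t takes ownership of subject certificates (as I believe the upstream implementation does), `auth->destroy(auth)` releases a reference this code never acquired, leaving the credential set holding a freed certificate — `auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert));` would keep the count balanced. Similarly, the `key` returned on success is neither released nor stored; if `get_private()` hands back a referenced key, `key->destroy(key);` after the `if (!key)` block is needed, otherwise a private key object leaks for the lifetime of the process. soap_init continues outside the hunk, so a later release could exist that is not visible here.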