diff options
| author | Martin Willi <martin@revosec.ch> | 2013-02-19 11:26:21 +0100 |
|---|---|---|
| committer | Martin Willi <martin@revosec.ch> | 2013-02-19 14:31:18 +0100 |
| commit | de399f550d1bf7a84e57da52af10c8c2532403b9 (patch) | |
| tree | 23696f02c4e5c675bac14f2ddae13b779a2a5fe7 /src/libstrongswan/credentials/credential_manager.c | |
| parent | 790e00aaa9082c6b6ed5de64567971f994ce45ce (diff) | |
| download | strongswan-de399f550d1bf7a84e57da52af10c8c2532403b9.tar.bz2 strongswan-de399f550d1bf7a84e57da52af10c8c2532403b9.tar.xz | |
Add a cert_validator hook allowing plugins to provide custom lifetime checking
Diffstat (limited to 'src/libstrongswan/credentials/credential_manager.c')
| -rw-r--r-- | src/libstrongswan/credentials/credential_manager.c | 58 |
1 files changed, 48 insertions, 10 deletions
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index a427b57fb..44eaec62c 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c @@ -515,26 +515,64 @@ static void cache_queue(private_credential_manager_t *this) } /** + * Use validators to check the lifetime of certificates + */ +static bool check_lifetime(private_credential_manager_t *this, + certificate_t *cert, char *label, + int pathlen, bool trusted, auth_cfg_t *auth) +{ + time_t not_before, not_after; + cert_validator_t *validator; + enumerator_t *enumerator; + status_t status = NEED_MORE; + + enumerator = this->validators->create_enumerator(this->validators); + while (enumerator->enumerate(enumerator, &validator)) + { + if (!validator->check_lifetime) + { + continue; + } + status = validator->check_lifetime(validator, cert, + pathlen, trusted, auth); + if (status != NEED_MORE) + { + break; + } + } + enumerator->destroy(enumerator); + + switch (status) + { + case NEED_MORE: + if (!cert->get_validity(cert, NULL, ¬_before, ¬_after)) + { + DBG1(DBG_CFG, "%s certificate invalid (valid from %T to %T)", + label, ¬_before, FALSE, ¬_after, FALSE); + return FALSE; + } + return TRUE; + case SUCCESS: + return TRUE; + case FAILED: + default: + return FALSE; + } +} + +/** * check a certificate for its lifetime */ static bool check_certificate(private_credential_manager_t *this, certificate_t *subject, certificate_t *issuer, bool online, int pathlen, bool trusted, auth_cfg_t *auth) { - time_t not_before, not_after; cert_validator_t *validator; enumerator_t *enumerator; - if (!subject->get_validity(subject, NULL, ¬_before, ¬_after)) - { - DBG1(DBG_CFG, "subject certificate invalid (valid from %T to %T)", - ¬_before, FALSE, ¬_after, FALSE); - return FALSE; - } - if (!issuer->get_validity(issuer, NULL, ¬_before, ¬_after)) + if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) || + !check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth)) { - DBG1(DBG_CFG, "issuer certificate invalid (valid from %T to %T)", - ¬_before, FALSE, ¬_after, FALSE); return FALSE; } |