diff options
author | Martin Willi <martin@revosec.ch> | 2010-12-07 17:53:13 +0100 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2011-01-05 16:45:56 +0100 |
commit | 6840a6fb9847e0bdb27745aafb7c99bff5ecefbd (patch) | |
tree | e0579977b5227238f191f76d2e8ab285b86b1121 /src/libstrongswan/plugins/revocation/revocation_validator.c | |
parent | 473d5aa86891a00d7c680b9667107d3f968f76b5 (diff) | |
download | strongswan-6840a6fb9847e0bdb27745aafb7c99bff5ecefbd.tar.bz2 strongswan-6840a6fb9847e0bdb27745aafb7c99bff5ecefbd.tar.xz |
CRL/OCSP validation stores trustchain information in auth_cfg
Diffstat (limited to 'src/libstrongswan/plugins/revocation/revocation_validator.c')
-rw-r--r-- | src/libstrongswan/plugins/revocation/revocation_validator.c | 48 |
1 files changed, 31 insertions, 17 deletions
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c index a20f40a26..147818904 100644 --- a/src/libstrongswan/plugins/revocation/revocation_validator.c +++ b/src/libstrongswan/plugins/revocation/revocation_validator.c @@ -93,12 +93,13 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject, /** * check the signature of an OCSP response */ -static bool verify_ocsp(ocsp_response_t *response) +static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth) { certificate_t *issuer, *subject; identification_t *responder; ocsp_response_wrapper_t *wrapper; enumerator_t *enumerator; + auth_cfg_t *current; bool verified = FALSE; wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response); @@ -108,12 +109,16 @@ static bool verify_ocsp(ocsp_response_t *response) responder = subject->get_issuer(subject); enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY, responder, FALSE); - while (enumerator->enumerate(enumerator, &issuer, NULL)) + while (enumerator->enumerate(enumerator, &issuer, ¤t)) { if (lib->credmgr->issued_by(lib->credmgr, subject, issuer)) { DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", issuer->get_subject(issuer)); + if (auth) + { + auth->merge(auth, current, FALSE); + } verified = TRUE; break; } @@ -129,7 +134,8 @@ static bool verify_ocsp(ocsp_response_t *response) * Get the better of two OCSP responses, and check for usable OCSP info */ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best, - x509_t *subject, x509_t *issuer, cert_validation_t *valid, bool cache) + x509_t *subject, x509_t *issuer, cert_validation_t *valid, + auth_cfg_t *auth, bool cache) { ocsp_response_t *response; time_t revocation, this_update, next_update, valid_until; @@ -139,7 +145,7 @@ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best, response = (ocsp_response_t*)cand; /* check ocsp signature */ - if (!verify_ocsp(response)) + if (!verify_ocsp(response, auth)) { DBG1(DBG_CFG, "ocsp response verification failed"); cand->destroy(cand); @@ -220,7 +226,8 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, while (enumerator->enumerate(enumerator, ¤t)) { current->get_ref(current); - best = get_better_ocsp(current, best, subject, issuer, &valid, FALSE); + best = get_better_ocsp(current, best, subject, issuer, + &valid, auth, FALSE); if (best && valid != VALIDATION_STALE) { DBG1(DBG_CFG, " using cached ocsp response"); @@ -247,7 +254,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, if (current) { best = get_better_ocsp(current, best, subject, issuer, - &valid, TRUE); + &valid, auth, TRUE); if (best && valid != VALIDATION_STALE) { break; @@ -269,7 +276,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, if (current) { best = get_better_ocsp(current, best, subject, issuer, - &valid, TRUE); + &valid, auth, TRUE); if (best && valid != VALIDATION_STALE) { break; @@ -323,20 +330,25 @@ static certificate_t* fetch_crl(char *url) /** * check the signature of an CRL */ -static bool verify_crl(certificate_t *crl) +static bool verify_crl(certificate_t *crl, auth_cfg_t *auth) { certificate_t *issuer; enumerator_t *enumerator; bool verified = FALSE; + auth_cfg_t *current; enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY, crl->get_issuer(crl), FALSE); - while (enumerator->enumerate(enumerator, &issuer, NULL)) + while (enumerator->enumerate(enumerator, &issuer, ¤t)) { if (lib->credmgr->issued_by(lib->credmgr, crl, issuer)) { DBG1(DBG_CFG, " crl correctly signed by \"%Y\"", issuer->get_subject(issuer)); + if (auth) + { + auth->merge(auth, current, FALSE); + } verified = TRUE; break; } @@ -350,7 +362,7 @@ static bool verify_crl(certificate_t *crl) * Get the better of two CRLs, and check for usable CRL info */ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, - x509_t *subject, cert_validation_t *valid, bool cache) + x509_t *subject, cert_validation_t *valid, auth_cfg_t *auth, bool cache) { enumerator_t *enumerator; time_t revocation, valid_until; @@ -359,7 +371,7 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, crl_t *crl; /* check CRL signature */ - if (!verify_crl(cand)) + if (!verify_crl(cand, auth)) { DBG1(DBG_CFG, "crl response verification failed"); cand->destroy(cand); @@ -414,7 +426,7 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, * Find or fetch a certificate for a given crlIssuer */ static cert_validation_t find_crl(x509_t *subject, identification_t *issuer, - certificate_t **best, bool *uri_found) + auth_cfg_t *auth, certificate_t **best, bool *uri_found) { cert_validation_t valid = VALIDATION_SKIPPED; enumerator_t *enumerator; @@ -427,7 +439,7 @@ static cert_validation_t find_crl(x509_t *subject, identification_t *issuer, while (enumerator->enumerate(enumerator, ¤t)) { current->get_ref(current); - *best = get_better_crl(current, *best, subject, &valid, FALSE); + *best = get_better_crl(current, *best, subject, &valid, auth, FALSE); if (*best && valid != VALIDATION_STALE) { DBG1(DBG_CFG, " using cached crl"); @@ -454,7 +466,8 @@ static cert_validation_t find_crl(x509_t *subject, identification_t *issuer, } if (current) { - *best = get_better_crl(current, *best, subject, &valid, TRUE); + *best = get_better_crl(current, *best, subject, + &valid, auth, TRUE); if (*best && valid != VALIDATION_STALE) { break; @@ -486,7 +499,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, if (chunk.len) { id = identification_create_from_encoding(ID_KEY_ID, chunk); - valid = find_crl(subject, id, &best, &uri_found); + valid = find_crl(subject, id, auth, &best, &uri_found); id->destroy(id); } @@ -497,7 +510,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, { if (id) { - valid = find_crl(subject, id, &best, &uri_found); + valid = find_crl(subject, id, auth, &best, &uri_found); } } enumerator->destroy(enumerator); @@ -520,7 +533,8 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, current->destroy(current); continue; } - best = get_better_crl(current, best, subject, &valid, TRUE); + best = get_better_crl(current, best, subject, &valid, + auth, TRUE); if (best && valid != VALIDATION_STALE) { break; |