authorMartin Willi <martin@revosec.ch>2010-12-23 12:18:15 +0100
committerMartin Willi <martin@revosec.ch>2011-01-05 16:46:06 +0100
commit3a89b3c52fce8434ecf74ab3340ad95fbaa2eb5b (patch)
tree32b76ee3085673725e10caaf54ee4ff600761964 /src
parent1a79d76abc8e644b62f2c0e15c87d1cefc82c43f (diff)
Provide CRLs received in CERT payloads to trustchain verification
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/encoding/payloads/cert_payload.c18
-rw-r--r--src/libcharon/sa/tasks/ike_cert_pre.c10
2 files changed, 22 insertions, 6 deletions
diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c
index 814ec2726..c42cec680 100644
--- a/src/libcharon/encoding/payloads/cert_payload.c
+++ b/src/libcharon/encoding/payloads/cert_payload.c
@@ -206,13 +206,21 @@ METHOD(cert_payload_t, get_cert_encoding, cert_encoding_t,
METHOD(cert_payload_t, get_cert, certificate_t*,
private_cert_payload_t *this)
{
- if (this->encoding != ENC_X509_SIGNATURE)
+ int type;
+
+ switch (this->encoding)
{
- return NULL;
+ case ENC_X509_SIGNATURE:
+ type = CERT_X509;
+ break;
+ case ENC_CRL:
+ type = CERT_X509_CRL;
+ break;
+ default:
+ return NULL;
}
- return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_BLOB_ASN1_DER, this->data,
- BUILD_END);
+ return lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
+ BUILD_BLOB_ASN1_DER, this->data, BUILD_END);
}
METHOD(cert_payload_t, get_hash, chunk_t,
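Review bot: `get_cert()` used to return an X.509 certificate or NULL, and after the switch on `this->encoding` it can also return a CRL, yet nothing in the hunk documents that for callers. A caller that does not check the encoding first could treat a peer-supplied CRL as a certificate; callers other than process_certs are not visible here, so this needs confirming. I would state the new contract on the method declaration, for example `@return certificate or CRL parsed from the payload data, NULL if the encoding is neither ENC_X509_SIGNATURE nor ENC_CRL`. As a style point, `int type;` would be clearer as `certificate_type_t type;`, which matches the CERT_X509 / CERT_X509_CRL constants assigned to it.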
diff --git a/src/libcharon/sa/tasks/ike_cert_pre.c b/src/libcharon/sa/tasks/ike_cert_pre.c
index 1c0c54727..944637c11 100644
--- a/src/libcharon/sa/tasks/ike_cert_pre.c
+++ b/src/libcharon/sa/tasks/ike_cert_pre.c
@@ -253,11 +253,19 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
}
break;
}
+ case ENC_CRL:
+ cert = cert_payload->get_cert(cert_payload);
+ if (cert)
+ {
+ DBG1(DBG_IKE, "received CRL \"%Y\"",
+ cert->get_subject(cert));
+ auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert);
+ }
+ break;
case ENC_PKCS7_WRAPPED_X509:
case ENC_PGP:
case ENC_DNS_SIGNED_KEY:
case ENC_KERBEROS_TOKEN:
- case ENC_CRL:
case ENC_ARL:
case ENC_SPKI:
case ENC_X509_ATTRIBUTE:
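Review bot: In the new `case ENC_CRL:` branch the CRL comes from a peer that is not yet authenticated, and it is handed to `auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert)` with no check visible in this hunk. Correct revocation then depends on the consumer of AUTH_HELPER_REVOCATION_CERT verifying the CRL signature against a trusted issuer and preferring a newer cached or fetched CRL. Otherwise a peer could present an older, still validly signed CRL that predates its own revocation. That consumer is outside the hunk, so I would at least record the assumption here: `/* untrusted until verified: signature and freshness are checked during trustchain verification */`. The branch also sets no limit on how many CRL payloads one message may contribute, and process_certs continues outside the hunk, so confirm whether a cap exists elsewhere.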