authorAndreas Steffen <andreas.steffen@strongswan.org>2008-05-22 21:58:22 +0000
committerAndreas Steffen <andreas.steffen@strongswan.org>2008-05-22 21:58:22 +0000
commit7199d22e77cf1a7cb9d361d409930277ff824e1e (patch)
treedb473a003c0b0f239e8a04511baf6cc969e8d7fc /src
parentbe1585c58762ff9942ecef646407ab6581d8d066 (diff)
downloadstrongswan-7199d22e77cf1a7cb9d361d409930277ff824e1e.tar.bz2
strongswan-7199d22e77cf1a7cb9d361d409930277ff824e1e.tar.xz
implement basic listing of attribute certificates
Diffstat (limited to 'src')
-rw-r--r--src/charon/plugins/stroke/stroke_cred.c47
-rw-r--r--src/charon/plugins/stroke/stroke_list.c44
-rw-r--r--src/libstrongswan/plugins/x509/x509_ac.c11
3 files changed, 85 insertions, 17 deletions
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index 52140cb9c..819b3f024 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -157,8 +157,9 @@ static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **ou
public_key_t *public;
identification_t *candidate;
certificate_t *cert = *in;
-
- if (cert->get_type(cert) == CERT_X509_CRL)
+ certificate_type_t type = cert->get_type(cert);
+
+ if (type == CERT_X509_CRL || type == CERT_X509_AC)
{
return FALSE;
}
@@ -205,6 +206,26 @@ static bool crl_filter(id_data_t *data, certificate_t **in, certificate_t **out)
}
/**
+ * filter function for attribute certificate enumerator
+ */
+static bool ac_filter(id_data_t *data, certificate_t **in, certificate_t **out)
+{
+ certificate_t *cert = *in;
+
+ if (cert->get_type(cert) != CERT_X509_AC)
+ {
+ return FALSE;
+ }
+
+ if (data->id == NULL || cert->has_subject(cert, data->id))
+ {
+ *out = *in;
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
* Implements credential_set_t.create_cert_enumerator
*/
static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
@@ -213,21 +234,20 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
{
id_data_t *data;
- if (cert == CERT_X509_CRL)
+ if (cert == CERT_X509_CRL || cert == CERT_X509_AC)
{
if (trusted)
{
return NULL;
}
-
data = malloc_thing(id_data_t);
data->this = this;
data->id = id;
this->mutex->lock(this->mutex);
return enumerator_create_filter(this->certs->create_enumerator(this->certs),
- (void*)crl_filter, data,
- (void*)id_data_destroy);
+ (cert == CERT_X509_CRL)? (void*)crl_filter : (void*)ac_filter,
+ data, (void*)id_data_destroy);
}
if (cert != CERT_X509 && cert != CERT_ANY)
{ /* we only have X509 certificates. TODO: ACs? */
@@ -440,6 +460,19 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
}
/**
+ * Add X.509 attribute certificate to chain
+ */
+static bool add_ac(private_stroke_cred_t *this, ac_t* ac)
+{
+ certificate_t *cert = &ac->certificate;
+
+ this->mutex->lock(this->mutex);
+ this->certs->insert_last(this->certs, cert);
+ this->mutex->unlock(this->mutex);
+ return TRUE;
+}
+
+/**
* Implementation of stroke_cred_t.load_peer.
*/
static certificate_t* load_peer(private_stroke_cred_t *this, char *filename)
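Review bot: add_ac appends every attribute certificate with insert_last and returns TRUE unconditionally, so nothing detects that an AC with the same holder, issuer and serial is already cached; if the certs directory is re-read at runtime (as the CRL path presumably is), each reload adds another copy. Consider looking the AC up before inserting, mirroring whatever add_crl does for a newer CRL from the same issuer, and returning FALSE when the entry is discarded. The comment in the preceding hunk, `/* we only have X509 certificates. TODO: ACs? */`, is now stale because ACs are dispatched to ac_filter a few lines above it; drop the `TODO: ACs?` part. The holder match in ac_filter relies on has_subject() matching the holder for CERT_X509_AC objects, which deserves a one-line comment such as `/* for ACs has_subject() matches the holder */` if that is how x509_ac implements it.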
@@ -525,7 +558,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
BUILD_END);
if (cert)
{
- cert->destroy(cert);
+ add_ac(this, (ac_t*)cert);
}
break;
default:
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
index 7fde86164..be4570916 100644
--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -25,6 +25,7 @@
/* warning intervals for list functions */
#define CERT_WARNING_INTERVAL 30 /* days */
#define CRL_WARNING_INTERVAL 7 /* days */
+#define AC_WARNING_INTERVAL 1 /* day */
typedef struct private_stroke_list_t private_stroke_list_t;
@@ -461,9 +462,45 @@ static void stroke_list_certs(linked_list_t *list, char *label,
/**
* list all X.509 attribute certificates
*/
-static void stroke_list_acerts(bool utc, FILE *out)
+static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
{
+ bool first = TRUE;
+ time_t thisUpdate, nextUpdate, now = time(NULL);
+ enumerator_t *enumerator = list->create_enumerator(list);
+ certificate_t *cert;
+ while (enumerator->enumerate(enumerator, (void**)&cert))
+ {
+ if (first)
+ {
+ fprintf(out, "\n");
+ fprintf(out, "List of X.509 Attribute Certificates:\n");
+ first = FALSE;
+ }
+ fprintf(out, "\n");
+
+ fprintf(out, " holder: \"%D\"\n", cert->get_subject(cert));
+ fprintf(out, " issuer: \"%D\"\n", cert->get_issuer(cert));
+
+ /* list validity */
+ cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
+ fprintf(out, " updates: this %#T\n", &thisUpdate, utc);
+ fprintf(out, " next %#T, ", &nextUpdate, utc);
+ if (now > nextUpdate)
+ {
+ fprintf(out, "expired (%#V ago)\n", &now, &nextUpdate);
+ }
+ else
+ {
+ fprintf(out, "ok");
+ if (now > nextUpdate - AC_WARNING_INTERVAL * 60 * 60 * 24)
+ {
+ fprintf(out, " (expires in %#V)", &now, &nextUpdate);
+ }
+ fprintf(out, " \n");
+ }
+ }
+ enumerator->destroy(enumerator);
}
/**
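Review bot: stroke_list_acerts only tests `now > nextUpdate`, so an attribute certificate whose notBefore lies in the future is printed as "ok"; the bool returned by get_validity (presumably whether `now` falls inside the validity window) is discarded. Capture it, `bool valid = cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);`, and either print "invalid" when it is FALSE or add `else if (now < thisUpdate)` with a "not yet valid" line between the expired and ok branches. The names thisUpdate/nextUpdate and the labels "updates: this ... next" are CRL terminology; an AC carries notBefore/notAfter, so `notBefore`/`notAfter` with a `validity: not before %#T` / `not after %#T` pair would describe the values correctly. The `" \n"` on the ok branch leaves a trailing space at the end of the line.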
@@ -596,7 +633,10 @@ static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
}
if (msg->list.flags & LIST_ACERTS)
{
- stroke_list_acerts(msg->list.utc, out);
+ linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC);
+
+ stroke_list_acerts(ac_list, msg->list.utc, out);
+ ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy));
}
if (msg->list.flags & LIST_CRLS)
{
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index 3861d7145..a4bf0393f 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -990,13 +990,8 @@ static private_x509_ac_t* build(private_builder_t *this)
free(this);
- if (ac == NULL)
- {
- return NULL;
- }
-
- /* synthesis if TRUE or analysis if FALSE */
- if (ac->encoding.ptr == NULL)
+ /* synthesis if encoding does not exist */
+ if (ac && ac->encoding.ptr == NULL)
{
if (ac->holderCert && ac->signerCert && ac->signerKey)
{
@@ -1008,7 +1003,7 @@ static private_x509_ac_t* build(private_builder_t *this)
}
else
{
- return NULL;
+ return ac;
}
}