certificate_t->issued_by takes an argument to receive signature scheme

16 files changed, 68 insertions, 24 deletions

diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c
index bec35a661..e76560fa2 100644
--- a/src/libcharon/plugins/stroke/stroke_ca.c
+++ b/src/libcharon/plugins/stroke/stroke_ca.c
@@ -348,7 +348,7 @@ METHOD(stroke_ca_t, check_for_hash_and_url, void,
 	enumerator = this->sections->create_enumerator(this->sections);
 	while (enumerator->enumerate(enumerator, (void**)&section))
 	{
-		if (section->certuribase && cert->issued_by(cert, section->cert))
+		if (section->certuribase && cert->issued_by(cert, section->cert, NULL))
 		{
 			chunk_t hash, encoded;
 
diff --git a/src/libcharon/plugins/unit_tester/tests/test_cert.c b/src/libcharon/plugins/unit_tester/tests/test_cert.c
index 342194a4c..f4410a688 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_cert.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_cert.c
@@ -60,7 +60,7 @@ bool test_cert_x509()
 	{
 		return FALSE;
 	}
-	if (!parsed->issued_by(parsed, ca_cert))
+	if (!parsed->issued_by(parsed, ca_cert, NULL))
 	{
 		return FALSE;
 	}
@@ -90,7 +90,7 @@ bool test_cert_x509()
 	{
 		return FALSE;
 	}
-	if (!parsed->issued_by(parsed, ca_cert))
+	if (!parsed->issued_by(parsed, ca_cert, NULL))
 	{
 		return FALSE;
 	}
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
index a742b6697..21277a18c 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
@@ -44,7 +44,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 	pts_t *pts;
 
 	pts = attestation_state->get_pts(attestation_state);
- 
+
 	switch (attr->get_type(attr))
 	{
 		case TCG_PTS_PROTO_CAPS:
@@ -169,7 +169,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 							KEY_ANY, aik->get_issuer(aik), FALSE);
 				while (e->enumerate(e, &issuer))
 				{
-					if (aik->issued_by(aik, issuer))
+					if (aik->issued_by(aik, issuer, NULL))
 					{
 						trusted = TRUE;
 						break;
@@ -289,7 +289,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 				break;
 			}
 			status = comp->verify(comp, pts, evidence);
-			
+
 			switch (status)
 			{
 				default:
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index 2f471da5b..b7a88ffbd 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -143,9 +143,11 @@ struct certificate_t {
 	 * Check if this certificate is issued and signed by a specific issuer.
 	 *
 	 * @param issuer	issuer's certificate
+	 * @param scheme	receives signature scheme used during verification
 	 * @return			TRUE if certificate issued by issuer and trusted
 	 */
-	bool (*issued_by)(certificate_t *this, certificate_t *issuer);
+	bool (*issued_by)(certificate_t *this, certificate_t *issuer,
+					  signature_scheme_t *scheme);
 
 	/**
 	 * Get the public key associated to this certificate.
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index 968c3e31e..24007baa1 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -165,7 +165,7 @@ METHOD(cert_cache_t, issued_by, bool,
 		}
 	}
 	/* no cache hit, check and cache signature */
-	if (subject->issued_by(subject, issuer))
+	if (subject->issued_by(subject, issuer, NULL))
 	{
 		cache(this, subject, issuer);
 		return TRUE;
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index 9a9efb2b6..e529ff8a5 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -225,7 +225,8 @@ METHOD(certificate_t, has_subject_or_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_openssl_crl_t *this, certificate_t *issuer)
+	private_openssl_crl_t *this, certificate_t *issuer,
+	signature_scheme_t *scheme)
 {
 	chunk_t fingerprint, tbs;
 	public_key_t *key;
@@ -270,6 +271,10 @@ METHOD(certificate_t, issued_by, bool,
 						openssl_asn1_str2chunk(this->crl->signature));
 	free(tbs.ptr);
 	key->destroy(key);
+	if (valid && scheme)
+	{
+		*scheme = this->scheme;
+	}
 	return valid;
 }
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 5caf5182c..ee19c4179 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -350,7 +350,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_openssl_x509_t *this, certificate_t *issuer)
+	private_openssl_x509_t *this, certificate_t *issuer,
+	signature_scheme_t *scheme)
 {
 	public_key_t *key;
 	bool valid;
@@ -393,6 +394,10 @@ METHOD(certificate_t, issued_by, bool,
 						openssl_asn1_str2chunk(this->x509->signature));
 	free(tbs.ptr);
 	key->destroy(key);
+	if (valid && scheme)
+	{
+		*scheme = this->scheme;
+	}
 	return valid;
 }
 
@@ -975,7 +980,7 @@ static bool parse_certificate(private_openssl_x509_t *this)
 	hasher->allocate_hash(hasher, this->encoding, &this->hash);
 	hasher->destroy(hasher);
 
-	if (issued_by(this, &this->public.x509.interface))
+	if (issued_by(this, &this->public.x509.interface, NULL))
 	{
 		this->flags |= X509_SELF_SIGNED;
 	}
diff --git a/src/libstrongswan/plugins/pgp/pgp_cert.c b/src/libstrongswan/plugins/pgp/pgp_cert.c
index 70a236855..e6d13a243 100644
--- a/src/libstrongswan/plugins/pgp/pgp_cert.c
+++ b/src/libstrongswan/plugins/pgp/pgp_cert.c
@@ -114,7 +114,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by,bool,
-	private_pgp_cert_t *this, certificate_t *issuer)
+	private_pgp_cert_t *this, certificate_t *issuer, signature_scheme_t *scheme)
 {
 	/* TODO: check signature blobs for a valid signature */
 	return FALSE;
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
index 67240fe0c..0304ccb36 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
@@ -126,8 +126,13 @@ METHOD(certificate_t, equals, bool,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_pubkey_cert_t *this, certificate_t *issuer)
+	private_pubkey_cert_t *this, certificate_t *issuer,
+	signature_scheme_t *scheme)
 {
+	if (scheme)
+	{
+		*scheme = SIGN_UNKNOWN;
+	}
 	return equals(this, issuer);
 }
 
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index a2cb589e0..d6ca8c4fa 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -701,7 +701,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_x509_ac_t *this, certificate_t *issuer)
+	private_x509_ac_t *this, certificate_t *issuer, signature_scheme_t *schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -750,6 +750,10 @@ METHOD(certificate_t, issued_by, bool,
 	}
 	valid = key->verify(key, scheme, this->certificateInfo, this->signature);
 	key->destroy(key);
+	if (valid && schemep)
+	{
+		*schemep = scheme;
+	}
 	return valid;
 }
 
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 25d92d5cb..88101e805 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1483,7 +1483,8 @@ end:
 		/* check if the certificate is self-signed */
 		if (this->public.interface.interface.issued_by(
 											&this->public.interface.interface,
-											&this->public.interface.interface))
+											&this->public.interface.interface,
+											NULL))
 		{
 			this->flags |= X509_SELF_SIGNED;
 		}
@@ -1568,7 +1569,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_x509_cert_t *this, certificate_t *issuer)
+	private_x509_cert_t *this, certificate_t *issuer,
+	signature_scheme_t *schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -1612,6 +1614,10 @@ METHOD(certificate_t, issued_by, bool,
 	}
 	valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
 	key->destroy(key);
+	if (valid && schemep)
+	{
+		*schemep = scheme;
+	}
 	return valid;
 }
 
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index 7bcca16a3..5b4ba92da 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -442,7 +442,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_x509_crl_t *this, certificate_t *issuer)
+	private_x509_crl_t *this, certificate_t *issuer, signature_scheme_t *schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -490,6 +490,10 @@ METHOD(certificate_t, issued_by, bool,
 	}
 	valid = key->verify(key, scheme, this->tbsCertList, this->signature);
 	key->destroy(key);
+	if (valid && schemep)
+	{
+		*schemep = scheme;
+	}
 	return valid;
 }
 
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index 33d0aa792..debf49086 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -364,7 +364,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_x509_ocsp_request_t *this, certificate_t *issuer)
+	private_x509_ocsp_request_t *this, certificate_t *issuer,
+	signature_scheme_t *scheme)
 {
 	DBG1(DBG_LIB, "OCSP request validation not implemented!");
 	return FALSE;
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 7dfef3993..dc3fc27ca 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -670,7 +670,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_x509_ocsp_response_t *this, certificate_t *issuer)
+	private_x509_ocsp_response_t *this, certificate_t *issuer,
+	signature_scheme_t *schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -722,6 +723,10 @@ METHOD(certificate_t, issued_by, bool,
 	}
 	valid = key->verify(key, scheme, this->tbsResponseData, this->signature);
 	key->destroy(key);
+	if (valid && schemep)
+	{
+		*schemep = scheme;
+	}
 	return valid;
 }
 
diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
index ca08db2c6..5a9b2d92e 100644
--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -123,10 +123,12 @@ METHOD(certificate_t, has_subject, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_x509_pkcs10_t *this, certificate_t *issuer)
+	private_x509_pkcs10_t *this, certificate_t *issuer,
+	signature_scheme_t *schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
+	bool valid;
 
 	if (&this->public.interface.interface != issuer)
 	{
@@ -150,8 +152,13 @@ METHOD(certificate_t, issued_by, bool,
 	{
 		return FALSE;
 	}
-	return key->verify(key, scheme, this->certificationRequestInfo,
-									this->signature);
+	valid = key->verify(key, scheme, this->certificationRequestInfo,
+						this->signature);
+	if (valid && schemep)
+	{
+		*schemep = scheme;
+	}
+	return valid;
 }
 
 METHOD(certificate_t, get_public_key, public_key_t*,
@@ -441,7 +448,7 @@ end:
 	if (success)
 	{
 		/* check if the certificate request is self-signed */
-		if (issued_by(this, &this->public.interface.interface))
+		if (issued_by(this, &this->public.interface.interface, NULL))
 		{
 			this->self_signed = TRUE;
 		}
diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c
index bbcc53891..3e983d3ec 100644
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@@ -77,7 +77,7 @@ static int verify()
 	{
 		ca = cert;
 	}
-	if (cert->issued_by(cert, ca))
+	if (cert->issued_by(cert, ca, NULL))
 	{
 		if (cert->get_validity(cert, NULL, NULL, NULL))
 		{