authorMartin Willi <martin@strongswan.org>2009-08-24 14:20:59 +0200
committerMartin Willi <martin@strongswan.org>2009-08-26 11:23:53 +0200
commitc5cd195c6cb81bed05036eb22ebdc4ba1058c5ef (patch)
tree0088e93fa35217a48a5cc6be7103cfe55015daac /src
parent64fdbce4dad43865502814ff234cf5b9019c16c9 (diff)
updated stroke plugin to fingerprinting API
Diffstat (limited to 'src')
-rw-r--r--src/charon/plugins/stroke/stroke_ca.c29
-rw-r--r--src/charon/plugins/stroke/stroke_cred.c70
-rw-r--r--src/charon/plugins/stroke/stroke_list.c164
3 files changed, 135 insertions, 128 deletions
diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c
index c354d8cb8..2f87ba0aa 100644
--- a/src/charon/plugins/stroke/stroke_ca.c
+++ b/src/charon/plugins/stroke/stroke_ca.c
@@ -142,7 +142,7 @@ static void cdp_data_destroy(cdp_data_t *data)
static enumerator_t *create_inner_cdp(ca_section_t *section, cdp_data_t *data)
{
public_key_t *public;
- identification_t *keyid;
+ chunk_t keyid;
enumerator_t *enumerator = NULL;
linked_list_t *list;
@@ -154,7 +154,7 @@ static enumerator_t *create_inner_cdp(ca_section_t *section, cdp_data_t *data)
{
list = section->crl;
}
-
+
public = section->cert->get_public_key(section->cert);
if (public)
{
@@ -164,10 +164,10 @@ static enumerator_t *create_inner_cdp(ca_section_t *section, cdp_data_t *data)
}
else
{
- keyid = public->get_id(public, data->id->get_type(data->id));
- if (keyid && keyid->matches(keyid, data->id))
+ if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid) &&
+ chunk_equals(keyid, data->id->get_encoding(data->id)))
{
- enumerator = list->create_enumerator(list);
+ enumerator = list->create_enumerator(list);
}
}
public->destroy(public);
@@ -361,7 +361,7 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
chunk_t hash, encoded = cert->get_encoding(cert);
hasher->allocate_hash(hasher, encoded, &hash);
section->hashes->insert_last(section->hashes,
- identification_create_from_encoding(ID_CERT_DER_SHA1, hash));
+ identification_create_from_encoding(ID_KEY_ID, hash));
chunk_free(&hash);
chunk_free(&encoded);
break;
@@ -388,7 +388,8 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
{
certificate_t *cert = section->cert;
public_key_t *public = cert->get_public_key(cert);
-
+ chunk_t chunk;
+
if (first)
{
fprintf(out, "\n");
@@ -397,14 +398,18 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
}
fprintf(out, "\n");
fprintf(out, " authname: \"%Y\"\n", cert->get_subject(cert));
-
+
/* list authkey and keyid */
if (public)
{
- fprintf(out, " authkey: %Y\n",
- public->get_id(public, ID_PUBKEY_SHA1));
- fprintf(out, " keyid: %Y\n",
- public->get_id(public, ID_PUBKEY_INFO_SHA1));
+ if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
+ {
+ fprintf(out, " authkey: %#B\n", &chunk);
+ }
+ if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &chunk))
+ {
+ fprintf(out, " keyid: %#B\n", &chunk);
+ }
public->destroy(public);
}
list_uris(section->crl, " crluris: ", out);
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index 80ca177d3..1b309de22 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -105,26 +105,24 @@ static void id_data_destroy(id_data_t *data)
static bool private_filter(id_data_t *data,
private_key_t **in, private_key_t **out)
{
- identification_t *candidate;
- id_type_t type;
+ key_encoding_type_t type;
+ private_key_t *key;
+ chunk_t keyid;
+ key = *in;
if (data->id == NULL)
{
- *out = *in;
+ *out = key;
return TRUE;
}
- type = data->id->get_type(data->id);
- if (type == ID_KEY_ID)
- { /* handle ID_KEY_ID as a ID_PUBKEY_SHA1 */
- type = ID_PUBKEY_SHA1;
- }
- candidate = (*in)->get_id(*in, type);
- if (candidate &&
- chunk_equals(candidate->get_encoding(candidate),
- data->id->get_encoding(data->id)))
+ for (type = KEY_ID_PUBKEY_INFO_SHA1; type < KEY_ID_PUBKEY_SHA1; type++)
{
- *out = *in;
- return TRUE;
+ if (key->get_fingerprint(key, type, &keyid) &&
+ chunk_equals(keyid, data->id->get_encoding(data->id)))
+ {
+ *out = key;
+ return TRUE;
+ }
}
return FALSE;
}
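Review bot: The loop `for (type = KEY_ID_PUBKEY_INFO_SHA1; type < KEY_ID_PUBKEY_SHA1; type++)` excludes KEY_ID_PUBKEY_SHA1 itself, so if that enumerator directly follows KEY_ID_PUBKEY_INFO_SHA1 in key_encoding_type_t the body runs exactly once and a lookup keyed by the subjectKeyIdentifier-style fingerprint (the type that create_inner_cdp in stroke_ca.c and list_public_key in stroke_list.c build their IDs from) can never match a private key. The bound should be inclusive, `type <= KEY_ID_PUBKEY_SHA1`, or use an explicit end-of-fingerprint-types sentinel if the enum provides one. The same loop appears in certs_filter in the next hunk of this file. Note also that the former special case mapping ID_KEY_ID onto ID_PUBKEY_SHA1 is gone, so an ID_KEY_ID is now matched against whichever fingerprint types the loop actually covers; the header comment above private_filter lies outside the hunk and should state that.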
@@ -152,31 +150,34 @@ static enumerator_t* create_private_enumerator(private_stroke_cred_t *this,
*/
static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **out)
{
+ key_encoding_type_t type;
public_key_t *public;
- identification_t *candidate;
certificate_t *cert = *in;
- certificate_type_t type = cert->get_type(cert);
-
- if (type == CERT_X509_CRL || type == CERT_X509_AC)
+ chunk_t keyid;
+
+ if (cert->get_type(cert) == CERT_X509_CRL ||
+ cert->get_type(cert) == CERT_X509_AC)
{
return FALSE;
}
-
if (data->id == NULL || cert->has_subject(cert, data->id))
{
*out = *in;
return TRUE;
}
- public = (cert)->get_public_key(cert);
+ public = cert->get_public_key(cert);
if (public)
{
- candidate = public->get_id(public, data->id->get_type(data->id));
- if (candidate && data->id->equals(data->id, candidate))
+ for (type = KEY_ID_PUBKEY_INFO_SHA1; type < KEY_ID_PUBKEY_SHA1; type++)
{
- public->destroy(public);
- *out = *in;
- return TRUE;
+ if (public->get_fingerprint(public, type, &keyid) &&
+ chunk_equals(keyid, data->id->get_encoding(data->id)))
+ {
+ public->destroy(public);
+ *out = *in;
+ return TRUE;
+ }
}
public->destroy(public);
}
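Review bot: `cert->get_type(cert)` is now evaluated twice in the new guard because the former `certificate_type_t type` local was repurposed for the fingerprint loop; keeping one local per concept reads better and avoids the repeated call, e.g. `certificate_type_t cert_type = cert->get_type(cert);` followed by `if (cert_type == CERT_X509_CRL || cert_type == CERT_X509_AC)`, and renaming the loop variable to `key_type`. certs_filter's body continues past the end of the hunk.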
@@ -416,12 +417,11 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
if (current->get_type(current) == CERT_X509_CRL)
{
crl_t *crl_c = (crl_t*)current;
- identification_t *authkey = crl->get_authKeyIdentifier(crl);
- identification_t *authkey_c = crl_c->get_authKeyIdentifier(crl_c);
-
+ chunk_t authkey = crl->get_authKeyIdentifier(crl);
+ chunk_t authkey_c = crl_c->get_authKeyIdentifier(crl_c);
+
/* if compare authorityKeyIdentifiers if available */
- if (authkey != NULL && authkey_c != NULL &&
- authkey->equals(authkey, authkey_c))
+ if (authkey.ptr && authkey_c.ptr && chunk_equals(authkey, authkey_c))
{
found = TRUE;
}
@@ -429,7 +429,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
{
identification_t *issuer = cert->get_issuer(cert);
identification_t *issuer_c = current->get_issuer(current);
-
+
/* otherwise compare issuer distinguished names */
if (issuer->equals(issuer, issuer_c))
{
@@ -452,7 +452,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
}
}
enumerator->destroy(enumerator);
-
+
if (new)
{
this->certs->insert_last(this->certs, cert);
@@ -637,16 +637,14 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
{
/* CRLs get written to /etc/ipsec.d/crls/<authkeyId>.crl */
crl_t *crl = (crl_t*)cert;
-
+
cert->get_ref(cert);
if (add_crl(this, crl))
{
char buf[BUF_LEN];
chunk_t chunk, hex;
- identification_t *id;
- id = crl->get_authKeyIdentifier(crl);
- chunk = id->get_encoding(id);
+ chunk = crl->get_authKeyIdentifier(crl);
hex = chunk_to_hex(chunk, NULL, FALSE);
snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex);
free(hex.ptr);
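Review bot: `chunk = crl->get_authKeyIdentifier(crl);` feeds the cache file name without checking `chunk.ptr`, although add_crl a few hunks above treats a missing authorityKeyIdentifier as a normal case. For a CRL without that extension chunk_to_hex presumably yields an empty string, so the path becomes `CRL_DIR/.crl` and every such CRL silently overwrites the previous one. The old code would have dereferenced a NULL id here, so this is not a regression, but the new type makes the guard cheap: `if (chunk.ptr == NULL) { /* no authorityKeyIdentifier, nothing to key the cache file on */ }` before the snprintf, skipping the write. cache_cert's body continues past the end of the hunk.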
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
index 6f421bd30..bff85c987 100644
--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -569,24 +569,52 @@ static linked_list_t* create_unique_cert_list(certificate_type_t type)
}
/**
+ * Print a single public key.
+ */
+static void list_public_key(public_key_t *public, FILE *out)
+{
+ private_key_t *private = NULL;
+ chunk_t keyid;
+ identification_t *id;
+
+ if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid))
+ {
+ id = identification_create_from_encoding(ID_KEY_ID, keyid);
+ private = charon->credentials->get_private(charon->credentials,
+ public->get_type(public), id, NULL);
+ id->destroy(id);
+ }
+ fprintf(out, " pubkey: %N %d bits%s\n",
+ key_type_names, public->get_type(public),
+ public->get_keysize(public) * 8,
+ private ? ", has private key" : "");
+ if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+ {
+ fprintf(out, " keyid: %#B\n", &keyid);
+ }
+ if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid))
+ {
+ fprintf(out, " subjkey: %#B\n", &keyid);
+ }
+ DESTROY_IF(private);
+}
+
+/**
* list all raw public keys
*/
static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
{
bool first = TRUE;
-
+
enumerator_t *enumerator = list->create_enumerator(list);
certificate_t *cert;
-
+
while (enumerator->enumerate(enumerator, (void**)&cert))
{
public_key_t *public = cert->get_public_key(cert);
-
+
if (public)
{
- private_key_t *private = NULL;
- identification_t *id, *keyid;
-
if (first)
{
fprintf(out, "\n");
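Review bot: The "has private key" lookup in list_public_key is keyed by the KEY_ID_PUBKEY_SHA1 fingerprint, whereas the code it replaces (the removed lines in the following hunks) looked the private key up by the PUBKEY_INFO_SHA1 keyid; the commit message does not mention this switch, and whether it still finds the key depends on which fingerprint types private_filter in stroke_cred.c tries. The helper's comment should spell out its contract: `/* Print type, size, keyid and subjkey of a public key to out; the caller keeps ownership of public. The "has private key" marker comes from a credential-set lookup by the PUBKEY_SHA1 fingerprint and is omitted when that fingerprint is unavailable. */`. stroke_list_pubkeys, which starts in this hunk, continues past its end.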
@@ -594,21 +622,8 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
first = FALSE;
}
fprintf(out, "\n");
-
- /* list public key information */
- id = public->get_id(public, ID_PUBKEY_SHA1);
- keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
-
- private = charon->credentials->get_private(
- charon->credentials,
- public->get_type(public), keyid, NULL);
- fprintf(out, " pubkey: %N %d bits%s\n",
- key_type_names, public->get_type(public),
- public->get_keysize(public) * 8,
- private ? ", has private key" : "");
- fprintf(out, " keyid: %Y\n", keyid);
- fprintf(out, " subjkey: %Y\n", id);
- DESTROY_IF(private);
+
+ list_public_key(public, out);
public->destroy(public);
}
}
@@ -630,18 +645,17 @@ static void stroke_list_certs(linked_list_t *list, char *label,
{
x509_t *x509 = (x509_t*)cert;
x509_flag_t x509_flags = x509->get_flags(x509);
-
+
/* list only if flag is set, or flags == 0 (ignoring self-signed) */
if ((x509_flags & flags) || (flags == (x509_flags & ~X509_SELF_SIGNED)))
{
enumerator_t *enumerator;
identification_t *altName;
bool first_altName = TRUE;
- chunk_t serial = x509->get_serial(x509);
- identification_t *authkey = x509->get_authKeyIdentifier(x509);
+ chunk_t serial, authkey;
time_t notBefore, notAfter;
- public_key_t *public = cert->get_public_key(cert);
-
+ public_key_t *public;
+
if (first)
{
fprintf(out, "\n");
@@ -649,7 +663,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
first = FALSE;
}
fprintf(out, "\n");
-
+
/* list subjectAltNames */
enumerator = x509->create_subjectAltName_enumerator(x509);
while (enumerator->enumerate(enumerator, (void**)&altName))
@@ -670,11 +684,12 @@ static void stroke_list_certs(linked_list_t *list, char *label,
fprintf(out, "\n");
}
enumerator->destroy(enumerator);
-
+
fprintf(out, " subject: \"%Y\"\n", cert->get_subject(cert));
fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert));
+ serial = x509->get_serial(x509);
fprintf(out, " serial: %#B\n", &serial);
-
+
/* list validity */
cert->get_validity(cert, &now, &notBefore, &notAfter);
fprintf(out, " validity: not before %T, ", &notBefore, utc);
@@ -700,33 +715,19 @@ static void stroke_list_certs(linked_list_t *list, char *label,
}
fprintf(out, " \n");
}
-
- /* list public key information */
+
+ public = cert->get_public_key(cert);
if (public)
{
- private_key_t *private = NULL;
- identification_t *id, *keyid;
-
- id = public->get_id(public, ID_PUBKEY_SHA1);
- keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
-
- private = charon->credentials->get_private(
- charon->credentials,
- public->get_type(public), keyid, NULL);
- fprintf(out, " pubkey: %N %d bits%s\n",
- key_type_names, public->get_type(public),
- public->get_keysize(public) * 8,
- private ? ", has private key" : "");
- fprintf(out, " keyid: %Y\n", keyid);
- fprintf(out, " subjkey: %Y\n", id);
- DESTROY_IF(private);
+ list_public_key(public, out);
public->destroy(public);
}
-
+
/* list optional authorityKeyIdentifier */
- if (authkey)
+ authkey = x509->get_authKeyIdentifier(x509);
+ if (authkey.ptr)
{
- fprintf(out, " authkey: %Y\n", authkey);
+ fprintf(out, " authkey: %#B\n", &authkey);
}
}
}
@@ -746,12 +747,9 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
while (enumerator->enumerate(enumerator, (void**)&cert))
{
ac_t *ac = (ac_t*)cert;
- chunk_t serial = ac->get_serial(ac);
- chunk_t holderSerial = ac->get_holderSerial(ac);
- identification_t *holderIssuer = ac->get_holderIssuer(ac);
- identification_t *authkey = ac->get_authKeyIdentifier(ac);
- identification_t *entityName = cert->get_subject(cert);
-
+ identification_t *id;
+ chunk_t chunk;
+
if (first)
{
fprintf(out, "\n");
@@ -759,21 +757,25 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
first = FALSE;
}
fprintf(out, "\n");
-
- if (entityName)
+
+ id = cert->get_subject(cert);
+ if (id)
{
- fprintf(out, " holder: \"%Y\"\n", entityName);
+ fprintf(out, " holder: \"%Y\"\n", id);
}
- if (holderIssuer)
+ id = ac->get_holderIssuer(ac);
+ if (id)
{
- fprintf(out, " hissuer: \"%Y\"\n", holderIssuer);
+ fprintf(out, " hissuer: \"%Y\"\n", id);
}
- if (holderSerial.ptr)
+ chunk = ac->get_holderSerial(ac);
+ if (chunk.ptr)
{
- fprintf(out, " hserial: %#B\n", &holderSerial);
+ fprintf(out, " hserial: %#B\n", &chunk);
}
fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert));
- fprintf(out, " serial: %#B\n", &serial);
+ chunk = ac->get_serial(ac);
+ fprintf(out, " serial: %#B\n", &chunk);
/* list validity */
cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
@@ -792,11 +794,12 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
}
fprintf(out, " \n");
}
-
+
/* list optional authorityKeyIdentifier */
- if (authkey)
+ chunk = ac->get_authKeyIdentifier(ac);
+ if (chunk.ptr)
{
- fprintf(out, " authkey: %Y\n", authkey);
+ fprintf(out, " authkey: %#B\n", &chunk);
}
}
enumerator->destroy(enumerator);
@@ -815,9 +818,8 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
while (enumerator->enumerate(enumerator, (void**)&cert))
{
crl_t *crl = (crl_t*)cert;
- chunk_t serial = crl->get_serial(crl);
- identification_t *authkey = crl->get_authKeyIdentifier(crl);
-
+ chunk_t chunk;
+
if (first)
{
fprintf(out, "\n");
@@ -825,20 +827,21 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
first = FALSE;
}
fprintf(out, "\n");
-
+
fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert));
-
+
/* list optional crlNumber */
- if (serial.ptr)
+ chunk = crl->get_serial(crl);
+ if (chunk.ptr)
{
- fprintf(out, " serial: %#B\n", &serial);
+ fprintf(out, " serial: %#B\n", &chunk);
}
-
+
/* count the number of revoked certificates */
{
int count = 0;
enumerator_t *enumerator = crl->create_enumerator(crl);
-
+
while (enumerator->enumerate(enumerator, NULL, NULL, NULL))
{
count++;
@@ -847,7 +850,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
(count == 1)? "" : "s");
enumerator->destroy(enumerator);
}
-
+
/* list validity */
cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
fprintf(out, " updates: this %T\n", &thisUpdate, utc);
@@ -865,11 +868,12 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
}
fprintf(out, " \n");
}
-
+
/* list optional authorityKeyIdentifier */
- if (authkey)
+ chunk = crl->get_authKeyIdentifier(crl);
+ if (chunk.ptr)
{
- fprintf(out, " authkey: %Y\n", authkey);
+ fprintf(out, " authkey: %#B\n", chunk);
}
}
enumerator->destroy(enumerator);
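Review bot: `fprintf(out, " authkey: %#B\n", chunk);` passes the chunk_t by value, while every other `%#B` conversion in this diff (the serial line above in this function, and the authkey lines in stroke_list_certs and stroke_list_acerts) passes `&chunk`. Handing a struct to a variadic conversion that expects a pointer is undefined behaviour, and the `%B` hook will presumably read the struct's bytes as a pointer, so this line prints garbage or crashes. Change it to `fprintf(out, " authkey: %#B\n", &chunk);`.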