-rw-r--r-- | src/libcharon/plugins/stroke/stroke_ca.c | 2 | ||||
-rw-r--r-- | src/libcharon/plugins/unit_tester/tests/test_cert.c | 4 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/imv_attestation_process.c | 6 | ||||
-rw-r--r-- | src/libstrongswan/credentials/certificates/certificate.h | 4 | ||||
-rw-r--r-- | src/libstrongswan/credentials/sets/cert_cache.c | 2 | ||||
-rw-r--r-- | src/libstrongswan/plugins/openssl/openssl_crl.c | 7 | ||||
-rw-r--r-- | src/libstrongswan/plugins/openssl/openssl_x509.c | 9 | ||||
-rw-r--r-- | src/libstrongswan/plugins/pgp/pgp_cert.c | 2 | ||||
-rw-r--r-- | src/libstrongswan/plugins/pubkey/pubkey_cert.c | 7 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_ac.c | 6 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_cert.c | 10 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_crl.c | 6 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_ocsp_request.c | 3 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_ocsp_response.c | 7 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_pkcs10.c | 15 | ||||
-rw-r--r-- | src/pki/commands/verify.c | 2 |
16 files changed, 68 insertions, 24 deletions
diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c
index bec35a661..e76560fa2 100644
--- a/src/libcharon/plugins/stroke/stroke_ca.c
+++ b/src/libcharon/plugins/stroke/stroke_ca.c
@@ -348,7 +348,7 @@ METHOD(stroke_ca_t, check_for_hash_and_url, void,
 enumerator = this->sections->create_enumerator(this->sections);
 while (enumerator->enumerate(enumerator, (void**)§ion))
 {
- if (section->certuribase && cert->issued_by(cert, section->cert))
+ if (section->certuribase && cert->issued_by(cert, section->cert, NULL))
 {
 chunk_t hash, encoded;
diff --git a/src/libcharon/plugins/unit_tester/tests/test_cert.c b/src/libcharon/plugins/unit_tester/tests/test_cert.c
index 342194a4c..f4410a688 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_cert.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_cert.c
@@ -60,7 +60,7 @@ bool test_cert_x509()
 {
 return FALSE;
 }
- if (!parsed->issued_by(parsed, ca_cert))
+ if (!parsed->issued_by(parsed, ca_cert, NULL))
 {
 return FALSE;
 }
@@ -90,7 +90,7 @@ bool test_cert_x509()
 {
 return FALSE;
 }
- if (!parsed->issued_by(parsed, ca_cert))
+ if (!parsed->issued_by(parsed, ca_cert, NULL))
 {
 return FALSE;
 }
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
index a742b6697..21277a18c 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
@@ -44,7 +44,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 pts_t *pts;
 pts = attestation_state->get_pts(attestation_state);
-
+
 switch (attr->get_type(attr))
 {
 case TCG_PTS_PROTO_CAPS:
@@ -169,7 +169,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 KEY_ANY, aik->get_issuer(aik), FALSE);
 while (e->enumerate(e, &issuer))
 {
- if (aik->issued_by(aik, issuer))
+ if (aik->issued_by(aik, issuer, NULL))
 {
 trusted = TRUE;
 break;
@@ -289,7 +289,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 break;
 }
 status = comp->verify(comp, pts, evidence);
-
+
 switch (status)
 {
 default:
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index 2f471da5b..b7a88ffbd 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -143,9 +143,11 @@ struct certificate_t {
 * Check if this certificate is issued and signed by a specific issuer.
 *
 * @param issuer issuer's certificate
+ * @param scheme receives signature scheme used during verification
 * @return TRUE if certificate issued by issuer and trusted
 */
- bool (*issued_by)(certificate_t *this, certificate_t *issuer);
+ bool (*issued_by)(certificate_t *this, certificate_t *issuer,
+ signature_scheme_t *scheme);
 /**
 * Get the public key associated to this certificate.
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index 968c3e31e..24007baa1 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -165,7 +165,7 @@ METHOD(cert_cache_t, issued_by, bool,
 }
 }
 /* no cache hit, check and cache signature */
- if (subject->issued_by(subject, issuer))
+ if (subject->issued_by(subject, issuer, NULL))
 {
 cache(this, subject, issuer);
 return TRUE;
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index 9a9efb2b6..e529ff8a5 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
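Review bot: The new `@param scheme` line in certificate.h does not say that the pointer may be NULL, nor that the value is only defined when TRUE is returned, which is the contract the x509_ac.c, x509_cert.c, x509_crl.c, x509_ocsp_response.c, x509_pkcs10.c and openssl implementations in this commit follow (`if (valid && schemep)`), while pubkey_cert.c writes it unconditionally. Suggest `@param scheme receives signature scheme used during verification, or NULL; only written if TRUE is returned`. It would also help callers that intend to enforce a minimum signature strength from this value to be told that a pubkey_cert issuer reports SIGN_UNKNOWN, since that implementation compares keys rather than verifying a signature.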
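Review bot: cert_cache.c's issued_by wrapper passes NULL to the subject's issued_by, so no scheme is ever propagated through the cache, and on a cache hit (the branch above this hunk) no verification runs from which a scheme could be taken; the wrapper's own signature is outside the hunk, so presumably it was deliberately left at two parameters for now. If callers that resolve trust through this cache later need the scheme, it would have to be stored alongside the cached subject/issuer pair rather than recomputed. A one-line comment above the call, `/* scheme is not cached; callers needing it must verify directly */`, would make that limitation explicit.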
@@ -225,7 +225,8 @@ METHOD(certificate_t, has_subject_or_issuer, id_match_t,
 }
 METHOD(certificate_t, issued_by, bool,
- private_openssl_crl_t *this, certificate_t *issuer)
+ private_openssl_crl_t *this, certificate_t *issuer,
+ signature_scheme_t *scheme)
 {
 chunk_t fingerprint, tbs;
 public_key_t *key;
@@ -270,6 +271,10 @@ METHOD(certificate_t, issued_by, bool,
 openssl_asn1_str2chunk(this->crl->signature));
 free(tbs.ptr);
 key->destroy(key);
+ if (valid && scheme)
+ {
+ *scheme = this->scheme;
+ }
 return valid;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 5caf5182c..ee19c4179 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -350,7 +350,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 METHOD(certificate_t, issued_by, bool,
- private_openssl_x509_t *this, certificate_t *issuer)
+ private_openssl_x509_t *this, certificate_t *issuer,
+ signature_scheme_t *scheme)
 {
 public_key_t *key;
 bool valid;
@@ -393,6 +394,10 @@ METHOD(certificate_t, issued_by, bool,
 openssl_asn1_str2chunk(this->x509->signature));
 free(tbs.ptr);
 key->destroy(key);
+ if (valid && scheme)
+ {
+ *scheme = this->scheme;
+ }
 return valid;
 }
@@ -975,7 +980,7 @@ static bool parse_certificate(private_openssl_x509_t *this)
 hasher->allocate_hash(hasher, this->encoding, &this->hash);
 hasher->destroy(hasher);
- if (issued_by(this, &this->public.x509.interface))
+ if (issued_by(this, &this->public.x509.interface, NULL))
 {
 this->flags |= X509_SELF_SIGNED;
 }
diff --git a/src/libstrongswan/plugins/pgp/pgp_cert.c b/src/libstrongswan/plugins/pgp/pgp_cert.c
index 70a236855..e6d13a243 100644
--- a/src/libstrongswan/plugins/pgp/pgp_cert.c
+++ b/src/libstrongswan/plugins/pgp/pgp_cert.c
@@ -114,7 +114,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 METHOD(certificate_t, issued_by,bool,
- private_pgp_cert_t *this, certificate_t *issuer)
+ private_pgp_cert_t *this, certificate_t *issuer, signature_scheme_t *scheme)
 {
 /* TODO: check signature blobs for a valid signature */
 return FALSE;
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
index 67240fe0c..0304ccb36 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
@@ -126,8 +126,13 @@ METHOD(certificate_t, equals, bool,
 }
 METHOD(certificate_t, issued_by, bool,
- private_pubkey_cert_t *this, certificate_t *issuer)
+ private_pubkey_cert_t *this, certificate_t *issuer,
+ signature_scheme_t *scheme)
 {
+ if (scheme)
+ {
+ *scheme = SIGN_UNKNOWN;
+ }
 return equals(this, issuer);
 }
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index a2cb589e0..d6ca8c4fa 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -701,7 +701,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 METHOD(certificate_t, issued_by, bool,
- private_x509_ac_t *this, certificate_t *issuer)
+ private_x509_ac_t *this, certificate_t *issuer, signature_scheme_t *schemep)
 {
 public_key_t *key;
 signature_scheme_t scheme;
@@ -750,6 +750,10 @@ METHOD(certificate_t, issued_by, bool,
 }
 valid = key->verify(key, scheme, this->certificateInfo, this->signature);
 key->destroy(key);
+ if (valid && schemep)
+ {
+ *schemep = scheme;
+ }
 return valid;
 }
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 25d92d5cb..88101e805 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
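Review bot: In pubkey_cert.c's issued_by, `*scheme = SIGN_UNKNOWN` is stored before `equals(this, issuer)` is evaluated, so the out-parameter is written even when the method returns FALSE, unlike the x509_ac.c, x509_cert.c, x509_crl.c, x509_ocsp_response.c and openssl implementations in this commit, which only write it when `valid` is TRUE. A caller that inspects the scheme only after a TRUE result is unaffected, but one that reads it regardless of the result sees a different contract per implementation. Suggest `bool valid = equals(this, issuer);` first, then `if (valid && scheme) { *scheme = SIGN_UNKNOWN; }` and `return valid;`, matching the other implementations.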
@@ -1483,7 +1483,8 @@ end:
 /* check if the certificate is self-signed */
 if (this->public.interface.interface.issued_by(
 &this->public.interface.interface,
- &this->public.interface.interface))
+ &this->public.interface.interface,
+ NULL))
 {
 this->flags |= X509_SELF_SIGNED;
 }
@@ -1568,7 +1569,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 METHOD(certificate_t, issued_by, bool,
- private_x509_cert_t *this, certificate_t *issuer)
+ private_x509_cert_t *this, certificate_t *issuer,
+ signature_scheme_t *schemep)
 {
 public_key_t *key;
 signature_scheme_t scheme;
@@ -1612,6 +1614,10 @@ METHOD(certificate_t, issued_by, bool,
 }
 valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
 key->destroy(key);
+ if (valid && schemep)
+ {
+ *schemep = scheme;
+ }
 return valid;
 }
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index 7bcca16a3..5b4ba92da 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -442,7 +442,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 METHOD(certificate_t, issued_by, bool,
- private_x509_crl_t *this, certificate_t *issuer)
+ private_x509_crl_t *this, certificate_t *issuer, signature_scheme_t *schemep)
 {
 public_key_t *key;
 signature_scheme_t scheme;
@@ -490,6 +490,10 @@ METHOD(certificate_t, issued_by, bool,
 }
 valid = key->verify(key, scheme, this->tbsCertList, this->signature);
 key->destroy(key);
+ if (valid && schemep)
+ {
+ *schemep = scheme;
+ }
 return valid;
 }
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index 33d0aa792..debf49086 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -364,7 +364,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 METHOD(certificate_t, issued_by, bool,
- private_x509_ocsp_request_t *this, certificate_t *issuer)
+ private_x509_ocsp_request_t *this, certificate_t *issuer,
+ signature_scheme_t *scheme)
 {
 DBG1(DBG_LIB, "OCSP request validation not implemented!");
 return FALSE;
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 7dfef3993..dc3fc27ca 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -670,7 +670,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 METHOD(certificate_t, issued_by, bool,
- private_x509_ocsp_response_t *this, certificate_t *issuer)
+ private_x509_ocsp_response_t *this, certificate_t *issuer,
+ signature_scheme_t *schemep)
 {
 public_key_t *key;
 signature_scheme_t scheme;
@@ -722,6 +723,10 @@ METHOD(certificate_t, issued_by, bool,
 }
 valid = key->verify(key, scheme, this->tbsResponseData, this->signature);
 key->destroy(key);
+ if (valid && schemep)
+ {
+ *schemep = scheme;
+ }
 return valid;
 }
diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
index ca08db2c6..5a9b2d92e 100644
--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -123,10 +123,12 @@ METHOD(certificate_t, has_subject, id_match_t,
 }
 METHOD(certificate_t, issued_by, bool,
- private_x509_pkcs10_t *this, certificate_t *issuer)
+ private_x509_pkcs10_t *this, certificate_t *issuer,
+ signature_scheme_t *schemep)
 {
 public_key_t *key;
 signature_scheme_t scheme;
+ bool valid;
 if (&this->public.interface.interface != issuer)
 {
@@ -150,8 +152,13 @@ METHOD(certificate_t, issued_by, bool,
 {
 return FALSE;
 }
- return key->verify(key, scheme, this->certificationRequestInfo,
- this->signature);
+ valid = key->verify(key, scheme, this->certificationRequestInfo,
+ this->signature);
+ if (valid && schemep)
+ {
+ *schemep = scheme;
+ }
+ return valid;
 }
 METHOD(certificate_t, get_public_key, public_key_t*,
@@ -441,7 +448,7 @@ end:
 if (success)
 {
 /* check if the certificate request is self-signed */
- if (issued_by(this, &this->public.interface.interface))
+ if (issued_by(this, &this->public.interface.interface, NULL))
 {
 this->self_signed = TRUE;
 }
diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c
index bbcc53891..3e983d3ec 100644
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@@ -77,7 +77,7 @@ static int verify()
 {
 ca = cert;
 }
- if (cert->issued_by(cert, ca))
+ if (cert->issued_by(cert, ca, NULL))
 {
 if (cert->get_validity(cert, NULL, NULL, NULL))
 { |