Diffstat (limited to 'src/libstrongswan/credentials/credential_manager.c')
-rw-r--r-- | src/libstrongswan/credentials/credential_manager.c | 59 |
1 files changed, 16 insertions, 43 deletions
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index bb2bf5be9..f437bbf98 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -551,52 +551,21 @@ static certificate_t *get_issuer_cert(private_credential_manager_t *this,
 }
 /**
- * Get the strength of the weakest key in a trustchain
+ * Get the strength of certificate, add it to auth
 */
-static void calculate_trustchain_strength(auth_cfg_t *auth)
+static void get_key_strength(certificate_t *cert, auth_cfg_t *auth)
 {
- enumerator_t *enumerator;
- uintptr_t strength = 0;
- key_type_t type = KEY_ANY;
- certificate_t *cert;
+ uintptr_t strength;
 public_key_t *key;
- auth_rule_t rule;
+ key_type_t type;
- enumerator = auth->create_enumerator(auth);
- while (enumerator->enumerate(enumerator, &rule, &cert))
- {
- switch (rule)
- {
- case AUTH_RULE_SUBJECT_CERT:
- case AUTH_RULE_IM_CERT:
- case AUTH_RULE_CA_CERT:
- {
- key = cert->get_public_key(cert);
- if (!key || (type != KEY_ANY && type != key->get_type(key)))
- { /* no key, or different key families */
- DESTROY_IF(key);
- enumerator->destroy(enumerator);
- return;
- }
- type = key->get_type(key);
- if (!strength)
- {
- strength = key->get_keysize(key);
- }
- else
- {
- strength = min(strength, key->get_keysize(key));
- }
- key->destroy(key);
- break;
- }
- default:
- break;
- }
- }
- enumerator->destroy(enumerator);
- if (strength)
+ key = cert->get_public_key(cert);
+ if (key)
 {
+ type = key->get_type(key);
+ strength = key->get_keysize(key);
+ DBG2(DBG_CFG, " certificate \"%Y\" key: %d bit %N",
+ cert->get_subject(cert), strength, key_type_names, type);
 switch (type)
 {
 case KEY_RSA:
@@ -608,6 +577,7 @@ static void calculate_trustchain_strength(auth_cfg_t *auth)
 default:
 break;
 }
+ key->destroy(key);
 }
 }
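Review bot: In get_key_strength(), `strength` is declared `uintptr_t` but handed to the `%d` conversion in the DBG2 call, a format/argument width mismatch on LP64 targets that only comes out right by accident of argument layout; log it as `(int)strength` or keep the `int` returned by get_keysize() for the message, e.g. `DBG2(DBG_CFG, " certificate \"%Y\" key: %d bit %N", cert->get_subject(cert), (int)strength, key_type_names, type);`. The semantics also move from a single entry for the weakest key of a same-family chain to one AUTH_RULE_*_STRENGTH entry per certificate, so whether a chain with a strong leaf and a weak intermediate is still rejected now depends on the constraint check in auth_cfg_t examining every entry rather than the first match; that code is outside this diff and worth confirming before merging. A certificate whose get_public_key() returns NULL contributes neither an entry nor a log line, so a `DBG1` in the else branch would make a chain that then fails a strength constraint easier to diagnose. The switch on `type` between the two hunks is not shown.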
@@ -623,6 +593,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 int pathlen;
 auth = auth_cfg_create();
+ get_key_strength(subject, auth);
 current = subject->get_ref(subject);
 for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++)
@@ -675,6 +646,10 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 issuer->destroy(issuer);
 break;
 }
+ if (issuer)
+ {
+ get_key_strength(issuer, auth);
+ }
 current->destroy(current);
 current = issuer;
 if (trusted)
@@ -746,7 +721,6 @@ METHOD(enumerator_t, trusted_enumerate, bool,
 {
 this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
 this->pretrusted->get_ref(this->pretrusted));
- calculate_trustchain_strength(this->auth);
 DBG1(DBG_CFG, " using trusted certificate \"%Y\"",
 this->pretrusted->get_subject(this->pretrusted));
 *cert = this->pretrusted;
@@ -775,7 +749,6 @@ METHOD(enumerator_t, trusted_enumerate, bool,
 this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
 current->get_ref(current));
 *cert = current;
- calculate_trustchain_strength(this->auth);
 if (auth)
 {
 *auth = this->auth;
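Review bot: With the calculate_trustchain_strength() calls removed from trusted_enumerate (@@ -746 and @@ -775), a key-strength entry is recorded only when verify_trust_chain() walks the certificate (@@ -623 for the subject, @@ -675 for each issuer); if the pretrusted branch at @@ -746 can accept a certificate without going through verify_trust_chain(), which its guarding condition outside the hunk decides, that certificate now has no AUTH_RULE_*_STRENGTH entry and a strength constraint on it is no longer enforced. Restoring the entry there is one line, `get_key_strength(this->pretrusted, this->auth);`, in place of the removed call. At @@ -675 the issuer's strength is added before the loop decides whether the chain is accepted; since the rest of the loop body lies outside the hunk, confirm that `auth` is discarded rather than handed to the caller when verification fails, otherwise a rejected issuer leaves an entry behind. verify_trust_chain() starts and ends outside these hunks.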