aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan/credentials/credential_manager.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan/credentials/credential_manager.c')
-rw-r--r--src/libstrongswan/credentials/credential_manager.c59
1 files changed, 16 insertions, 43 deletions
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index bb2bf5be9..f437bbf98 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -551,52 +551,21 @@ static certificate_t *get_issuer_cert(private_credential_manager_t *this,
}
/**
- * Get the strength of the weakest key in a trustchain
+ * Get the strength of certificate, add it to auth
*/
-static void calculate_trustchain_strength(auth_cfg_t *auth)
+static void get_key_strength(certificate_t *cert, auth_cfg_t *auth)
{
- enumerator_t *enumerator;
- uintptr_t strength = 0;
- key_type_t type = KEY_ANY;
- certificate_t *cert;
+ uintptr_t strength;
public_key_t *key;
- auth_rule_t rule;
+ key_type_t type;
- enumerator = auth->create_enumerator(auth);
- while (enumerator->enumerate(enumerator, &rule, &cert))
- {
- switch (rule)
- {
- case AUTH_RULE_SUBJECT_CERT:
- case AUTH_RULE_IM_CERT:
- case AUTH_RULE_CA_CERT:
- {
- key = cert->get_public_key(cert);
- if (!key || (type != KEY_ANY && type != key->get_type(key)))
- { /* no key, or different key families */
- DESTROY_IF(key);
- enumerator->destroy(enumerator);
- return;
- }
- type = key->get_type(key);
- if (!strength)
- {
- strength = key->get_keysize(key);
- }
- else
- {
- strength = min(strength, key->get_keysize(key));
- }
- key->destroy(key);
- break;
- }
- default:
- break;
- }
- }
- enumerator->destroy(enumerator);
- if (strength)
+ key = cert->get_public_key(cert);
+ if (key)
{
+ type = key->get_type(key);
+ strength = key->get_keysize(key);
+ DBG2(DBG_CFG, " certificate \"%Y\" key: %d bit %N",
+ cert->get_subject(cert), strength, key_type_names, type);
switch (type)
{
case KEY_RSA:
@@ -608,6 +577,7 @@ static void calculate_trustchain_strength(auth_cfg_t *auth)
default:
break;
}
+ key->destroy(key);
}
}
@@ -623,6 +593,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
int pathlen;
auth = auth_cfg_create();
+ get_key_strength(subject, auth);
current = subject->get_ref(subject);
for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++)
@@ -675,6 +646,10 @@ static bool verify_trust_chain(private_credential_manager_t *this,
issuer->destroy(issuer);
break;
}
+ if (issuer)
+ {
+ get_key_strength(issuer, auth);
+ }
current->destroy(current);
current = issuer;
if (trusted)
@@ -746,7 +721,6 @@ METHOD(enumerator_t, trusted_enumerate, bool,
{
this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
this->pretrusted->get_ref(this->pretrusted));
- calculate_trustchain_strength(this->auth);
DBG1(DBG_CFG, " using trusted certificate \"%Y\"",
this->pretrusted->get_subject(this->pretrusted));
*cert = this->pretrusted;
@@ -775,7 +749,6 @@ METHOD(enumerator_t, trusted_enumerate, bool,
this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
current->get_ref(current));
*cert = current;
- calculate_trustchain_strength(this->auth);
if (auth)
{
*auth = this->auth;