aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan/credentials
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan/credentials')
-rw-r--r--src/libstrongswan/credentials/certificates/certificate.h7
-rw-r--r--src/libstrongswan/credentials/containers/pkcs12.c1
-rw-r--r--src/libstrongswan/credentials/cred_encoding.h2
-rw-r--r--src/libstrongswan/credentials/credential_manager.c12
-rw-r--r--src/libstrongswan/credentials/credential_manager.h5
-rw-r--r--src/libstrongswan/credentials/keys/public_key.h1
-rw-r--r--src/libstrongswan/credentials/sets/cert_cache.c28
-rw-r--r--src/libstrongswan/credentials/sets/cert_cache.h5
8 files changed, 38 insertions, 23 deletions
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index d59126bd5..6dc5c7694 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -25,9 +25,9 @@ typedef struct certificate_t certificate_t;
typedef enum certificate_type_t certificate_type_t;
typedef enum cert_validation_t cert_validation_t;
-#include <library.h>
#include <utils/identification.h>
#include <credentials/keys/public_key.h>
+#include <credentials/keys/signature_params.h>
#include <credentials/cred_encoding.h>
/**
@@ -139,11 +139,12 @@ struct certificate_t {
* Check if this certificate is issued and signed by a specific issuer.
*
* @param issuer issuer's certificate
- * @param scheme receives signature scheme used during verification
+ * @param scheme receives used signature scheme and parameters, if
+ * given (allocated)
* @return TRUE if certificate issued by issuer and trusted
*/
bool (*issued_by)(certificate_t *this, certificate_t *issuer,
- signature_scheme_t *scheme);
+ signature_params_t **scheme);
/**
* Get the public key associated to this certificate.
diff --git a/src/libstrongswan/credentials/containers/pkcs12.c b/src/libstrongswan/credentials/containers/pkcs12.c
index 9e7815d04..8cc6a6c63 100644
--- a/src/libstrongswan/credentials/containers/pkcs12.c
+++ b/src/libstrongswan/credentials/containers/pkcs12.c
@@ -15,6 +15,7 @@
#include "pkcs12.h"
+#include <library.h>
#include <utils/debug.h>
/**
diff --git a/src/libstrongswan/credentials/cred_encoding.h b/src/libstrongswan/credentials/cred_encoding.h
index 0b6536430..1129357ba 100644
--- a/src/libstrongswan/credentials/cred_encoding.h
+++ b/src/libstrongswan/credentials/cred_encoding.h
@@ -25,7 +25,7 @@ typedef struct cred_encoding_t cred_encoding_t;
typedef enum cred_encoding_type_t cred_encoding_type_t;
typedef enum cred_encoding_part_t cred_encoding_part_t;
-#include <library.h>
+#include <utils/chunk.h>
/**
* Credential encoder function implementing encoding/fingerprinting.
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index 9be7407ef..a4a092e36 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -488,7 +488,7 @@ METHOD(credential_manager_t, remove_local_set, void,
METHOD(credential_manager_t, issued_by, bool,
private_credential_manager_t *this, certificate_t *subject,
- certificate_t *issuer, signature_scheme_t *scheme)
+ certificate_t *issuer, signature_params_t **scheme)
{
if (this->cache)
{
@@ -661,7 +661,7 @@ static certificate_t *get_pretrusted_cert(private_credential_manager_t *this,
*/
static certificate_t *get_issuer_cert(private_credential_manager_t *this,
certificate_t *subject, bool trusted,
- signature_scheme_t *scheme)
+ signature_params_t **scheme)
{
enumerator_t *enumerator;
certificate_t *issuer = NULL, *candidate;
@@ -723,7 +723,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
{
certificate_t *current, *issuer;
auth_cfg_t *auth;
- signature_scheme_t scheme;
+ signature_params_t *scheme;
int pathlen;
auth = auth_cfg_create();
@@ -750,7 +750,8 @@ static bool verify_trust_chain(private_credential_manager_t *this,
DBG1(DBG_CFG, " using trusted intermediate ca certificate "
"\"%Y\"", issuer->get_subject(issuer));
}
- auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme);
+ auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme->scheme);
+ signature_params_destroy(scheme);
}
else
{
@@ -768,7 +769,8 @@ static bool verify_trust_chain(private_credential_manager_t *this,
auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
DBG1(DBG_CFG, " using untrusted intermediate certificate "
"\"%Y\"", issuer->get_subject(issuer));
- auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme);
+ auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme->scheme);
+ signature_params_destroy(scheme);
}
else
{
diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h
index 022ca566c..d99f29b85 100644
--- a/src/libstrongswan/credentials/credential_manager.h
+++ b/src/libstrongswan/credentials/credential_manager.h
@@ -241,12 +241,13 @@ struct credential_manager_t {
*
* @param subject subject certificate to check
* @param issuer issuer certificate that potentially has signed subject
- * @param scheme receives used signature scheme, if given
+ * @param scheme receives used signature scheme and parameters, if
+ * given (allocated)
* @return TRUE if issuer signed subject
*/
bool (*issued_by)(credential_manager_t *this,
certificate_t *subject, certificate_t *issuer,
- signature_scheme_t *scheme);
+ signature_params_t **scheme);
/**
* Register a credential set to the manager.
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index 186530ff6..d6a0a7bc9 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -28,7 +28,6 @@ typedef enum key_type_t key_type_t;
typedef enum signature_scheme_t signature_scheme_t;
typedef enum encryption_scheme_t encryption_scheme_t;
-#include <library.h>
#include <utils/identification.h>
#include <credentials/cred_encoding.h>
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index 92d5efdc6..0e64f0350 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -48,9 +48,9 @@ struct relation_t {
certificate_t *issuer;
/**
- * Signature scheme used to sign this relation
+ * Signature scheme and parameters used to sign this relation
*/
- signature_scheme_t scheme;
+ signature_params_t *scheme;
/**
* Cache hits
@@ -84,7 +84,7 @@ struct private_cert_cache_t {
*/
static void cache(private_cert_cache_t *this,
certificate_t *subject, certificate_t *issuer,
- signature_scheme_t scheme)
+ signature_params_t *scheme)
{
relation_t *rel;
int i, offset, try;
@@ -118,7 +118,8 @@ static void cache(private_cert_cache_t *this,
{
rel->subject->destroy(rel->subject);
rel->subject = subject->get_ref(subject);
- rel->scheme = scheme;
+ signature_params_destroy(rel->scheme);
+ rel->scheme = signature_params_clone(scheme);
return rel->lock->unlock(rel->lock);
}
}
@@ -139,7 +140,7 @@ static void cache(private_cert_cache_t *this,
{
rel->subject = subject->get_ref(subject);
rel->issuer = issuer->get_ref(issuer);
- rel->scheme = scheme;
+ rel->scheme = signature_params_clone(scheme);
return rel->lock->unlock(rel->lock);
}
rel->lock->unlock(rel->lock);
@@ -165,10 +166,11 @@ static void cache(private_cert_cache_t *this,
{
rel->subject->destroy(rel->subject);
rel->issuer->destroy(rel->issuer);
+ signature_params_destroy(rel->scheme);
}
rel->subject = subject->get_ref(subject);
rel->issuer = issuer->get_ref(issuer);
- rel->scheme = scheme;
+ rel->scheme = signature_params_clone(scheme);
rel->hits = 0;
return rel->lock->unlock(rel->lock);
}
@@ -180,11 +182,11 @@ static void cache(private_cert_cache_t *this,
METHOD(cert_cache_t, issued_by, bool,
private_cert_cache_t *this, certificate_t *subject, certificate_t *issuer,
- signature_scheme_t *schemep)
+ signature_params_t **schemep)
{
certificate_t *cached_issuer = NULL;
relation_t *found = NULL, *current;
- signature_scheme_t scheme;
+ signature_params_t *scheme;
int i;
for (i = 0; i < CACHE_SIZE; i++)
@@ -202,7 +204,7 @@ METHOD(cert_cache_t, issued_by, bool,
found = current;
if (schemep)
{
- *schemep = current->scheme;
+ *schemep = signature_params_clone(current->scheme);
}
}
else if (!cached_issuer)
@@ -225,6 +227,10 @@ METHOD(cert_cache_t, issued_by, bool,
{
*schemep = scheme;
}
+ else
+ {
+ signature_params_destroy(scheme);
+ }
DESTROY_IF(cached_issuer);
return TRUE;
}
@@ -383,8 +389,10 @@ METHOD(cert_cache_t, flush, void,
{
rel->subject->destroy(rel->subject);
rel->issuer->destroy(rel->issuer);
+ signature_params_destroy(rel->scheme);
rel->subject = NULL;
rel->issuer = NULL;
+ rel->scheme = NULL;
rel->hits = 0;
}
}
@@ -405,6 +413,7 @@ METHOD(cert_cache_t, destroy, void,
{
rel->subject->destroy(rel->subject);
rel->issuer->destroy(rel->issuer);
+ signature_params_destroy(rel->scheme);
}
rel->lock->destroy(rel->lock);
}
@@ -438,6 +447,7 @@ cert_cache_t *cert_cache_create()
{
this->relations[i].subject = NULL;
this->relations[i].issuer = NULL;
+ this->relations[i].scheme = NULL;
this->relations[i].hits = 0;
this->relations[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
}
diff --git a/src/libstrongswan/credentials/sets/cert_cache.h b/src/libstrongswan/credentials/sets/cert_cache.h
index 2bcdbe464..2235bc30d 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.h
+++ b/src/libstrongswan/credentials/sets/cert_cache.h
@@ -45,12 +45,13 @@ struct cert_cache_t {
*
* @param subject certificate to verify
* @param issuer issuing certificate to verify subject
- * @param scheme receives used signature scheme, if given
+ * @param scheme receives used signature scheme and parameters, if
+ * given (allocated)
* @return TRUE if subject issued by issuer
*/
bool (*issued_by)(cert_cache_t *this,
certificate_t *subject, certificate_t *issuer,
- signature_scheme_t *scheme);
+ signature_params_t **scheme);
/**
* Flush the certificate cache.
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-24 02:01:23 +0000