Diffstat (limited to 'src/libstrongswan')
-rw-r--r-- | src/libstrongswan/crypto/certinfo.c | 14 | ||||
-rw-r--r-- | src/libstrongswan/crypto/certinfo.h | 5 | ||||
-rwxr-xr-x | src/libstrongswan/crypto/x509.c | 78 | ||||
-rwxr-xr-x | src/libstrongswan/crypto/x509.h | 33 |
4 files changed, 119 insertions, 11 deletions
diff --git a/src/libstrongswan/crypto/certinfo.c b/src/libstrongswan/crypto/certinfo.c
index 7fef2fa4f..a289d6562 100644
--- a/src/libstrongswan/crypto/certinfo.c
+++ b/src/libstrongswan/crypto/certinfo.c
@@ -70,6 +70,20 @@ struct private_certinfo_t {
 };
 /**
+ * RFC 2560 OCSP - certificate status
+ */
+static const char *const cert_status_name[] = {
+	"good",
+	"revoked",
+	"unknown",
+	"unknown",
+	"untrusted"
+	};
+
+enum_names cert_status_names =
+	{ CERT_GOOD, CERT_UNTRUSTED, cert_status_name, NULL};
+
+/**
  * RFC 2459 CRL reason codes
  */
 static const char *const crl_reason_name[] = {
diff --git a/src/libstrongswan/crypto/certinfo.h b/src/libstrongswan/crypto/certinfo.h
index 81707fad8..45090eafc 100644
--- a/src/libstrongswan/crypto/certinfo.h
+++ b/src/libstrongswan/crypto/certinfo.h
@@ -29,11 +29,14 @@
 /**
  * RFC 2560 OCSP - certificate status
  */
+extern enum_names cert_status_names;
+
 typedef enum {
 	CERT_GOOD = 0,
 	CERT_REVOKED = 1,
 	CERT_UNKNOWN = 2,
-	CERT_UNDEFINED = 3
+	CERT_UNDEFINED = 3,
+	CERT_UNTRUSTED = 4 /* private use */
 } cert_status_t;
 /**
diff --git a/src/libstrongswan/crypto/x509.c b/src/libstrongswan/crypto/x509.c
index c65071c72..2a25ac179 100755
--- a/src/libstrongswan/crypto/x509.c
+++ b/src/libstrongswan/crypto/x509.c
@@ -79,6 +79,11 @@ struct private_x509_t {
 	time_t until;
 	/**
+	 * Certificate status
+	 */
+	cert_status_t status;
+
+	/**
 	 * X.509 Certificate in DER format
 	 */
 	chunk_t certificate;
@@ -957,11 +962,19 @@ static bool is_issuer(const private_x509_t *this, const private_x509_t *issuer)
 }
 /**
+ * Implements x509_t.get_certificate
+ */
+static chunk_t get_certificate(const private_x509_t *this)
+{
+	return this->certificate;
+}
+
+/**
  * Implements x509_t.get_public_key
  */
 static rsa_public_key_t *get_public_key(const private_x509_t *this)
 {
-	return this->public_key->clone(this->public_key);
+	return this->public_key;
 }
 /**
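Review bot: The new `cert_status_name` table maps both CERT_UNKNOWN (2) and CERT_UNDEFINED (3) to the string "unknown", so a log line reading `status unknown` cannot distinguish an OCSP responder's explicit "unknown" answer from a certificate whose status was simply never determined. Naming index 3 distinctly, e.g. `"undefined",`, keeps the two cases apart in logs, which matters when working out whether revocation checking ran at all. The table is positional and has to track `cert_status_t` in certinfo.h, and `cert_status_names` pins its range to CERT_GOOD..CERT_UNTRUSTED; a comment above the array such as `/* indexed by cert_status_t; keep in sync with certinfo.h and the enum_names range below */` would make that coupling explicit.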
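Review bot: The enum still sits under the header comment `RFC 2560 OCSP - certificate status`, but CERT_UNDEFINED and the newly added CERT_UNTRUSTED are not OCSP CertStatus values (RFC 2560 defines only good, revoked and unknown), so the comment now overstates what the type represents. I would reword it to `RFC 2560 OCSP certificate status (good/revoked/unknown), extended with private values CERT_UNDEFINED and CERT_UNTRUSTED`. It is also worth noting next to the `extern enum_names cert_status_names;` that the name table in certinfo.c is positional and covers CERT_GOOD..CERT_UNTRUSTED, so any further value appended here needs a matching entry there.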
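Review bot: `get_public_key` now returns `this->public_key` itself instead of `this->public_key->clone(...)`, which silently changes ownership: any existing caller that still calls `destroy()` on the returned key (as it had to with the clone) now frees the certificate's own key, leaving a dangling pointer in the x509_t and a double free when the certificate is destroyed. The diff does not show the callers being updated, and the header comment for get_public_key in x509.h (which this diff only cuts into at its end) does not state the new contract, so both should be checked before merging. At minimum the header's @return line should read `@return public key owned by this object; do not destroy, valid until x509_t.destroy()`.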
@@ -1005,6 +1018,30 @@ static void set_until(private_x509_t *this, time_t until)
 }
 /**
+ * Implements x509_t.get_until
+ */
+static time_t get_until(const private_x509_t *this)
+{
+	return this->until;
+}
+
+/**
+ * Implements x509_t.set_status
+ */
+static void set_status(private_x509_t *this, cert_status_t status)
+{
+	this->status = status;
+}
+
+/**
+ * Implements x509_t.get_status
+ */
+static cert_status_t get_status(const private_x509_t *this)
+{
+	return this->status;
+}
+
+/**
  * Implements x509_t.verify
  */
 static bool verify(const private_x509_t *this, const rsa_public_key_t *signer)
@@ -1096,30 +1133,46 @@ static void log_certificate(const private_x509_t *this, logger_t *logger, bool u
 	rsa_public_key_t *pubkey = this->public_key;
 	char buf[BUF_LEN];
+	char time_buf[TIMETOA_BUF];
 	/* determine the current time */
 	time_t now = time(NULL);
-	timetoa(buf, BUF_LEN, &this->installed, utc);
-	logger->log(logger, CONTROL, "%s", buf);
+	timetoa(time_buf, TIMETOA_BUF, &this->installed, utc);
+	logger->log(logger, CONTROL, "%s", time_buf);
 	logger->log(logger, CONTROL, " subject: '%s'", subject->get_string(subject));
 	logger->log(logger, CONTROL, " issuer: '%s'", issuer->get_string(issuer));
 	chunk_to_hex(buf, BUF_LEN, this->serialNumber);
 	logger->log(logger, CONTROL, " serial: %s", buf);
-	timetoa(buf, BUF_LEN, &this->notBefore, utc);
-	logger->log(logger, CONTROL, " validity: not before %s %s", buf,
+	timetoa(time_buf, TIMETOA_BUF, &this->notBefore, utc);
+	logger->log(logger, CONTROL, " validity: not before %s %s", time_buf,
 		(this->notBefore < now)? "ok":"fatal (not valid yet)");
-	timetoa(buf, BUF_LEN, &this->notAfter, utc);
-	logger->log(logger, CONTROL, " not after %s %s", buf,
+	timetoa(time_buf, TIMETOA_BUF, &this->notAfter, utc);
+	logger->log(logger, CONTROL, " not after %s %s", time_buf,
 		check_expiry(this->notAfter, CERT_WARNING_INTERVAL, TRUE));
-	timetoa(buf, BUF_LEN, &this->until, utc);
-	logger->log(logger, CONTROL, " pubkey: RSA %d bits%s, until %s",
+	timetoa(time_buf, TIMETOA_BUF, &this->until, utc);
+	switch (this->status)
+	{
+		case CERT_GOOD:
+			snprintf(buf, BUF_LEN, " until %s", time_buf);
+			break;
+		case CERT_REVOKED:
+			snprintf(buf, BUF_LEN, " on %s", time_buf);
+			break;
+		case CERT_UNKNOWN:
+		case CERT_UNDEFINED:
+		case CERT_UNTRUSTED:
+		default:
+			*buf = '\0';
+	}
+	logger->log(logger, CONTROL, " pubkey: RSA %d bits%s, status %s%s",
 		BITS_PER_BYTE * pubkey->get_keysize(pubkey),
-		has_key? ", has private key":"", buf);
+		has_key? ", has private key":"",
+		enum_name(&cert_status_names, this->status), buf);
 	chunk_to_hex(buf, BUF_LEN, pubkey->get_keyid(pubkey));
 	logger->log(logger, CONTROL, " keyid: %s", buf);
@@ -1166,12 +1219,16 @@ x509_t *x509_create_from_chunk(chunk_t chunk)
 	this->public.is_valid = (err_t (*) (const x509_t*,time_t*))is_valid;
 	this->public.is_ca = (bool (*) (const x509_t*))is_ca;
 	this->public.is_self_signed = (bool (*) (const x509_t*))is_self_signed;
+	this->public.get_certificate = (chunk_t (*) (const x509_t*))get_certificate;
 	this->public.get_public_key = (rsa_public_key_t* (*) (const x509_t*))get_public_key;
 	this->public.get_serialNumber = (chunk_t (*) (const x509_t*))get_serialNumber;
 	this->public.get_subjectKeyID = (chunk_t (*) (const x509_t*))get_subjectKeyID;
 	this->public.get_issuer = (identification_t* (*) (const x509_t*))get_issuer;
 	this->public.get_subject = (identification_t* (*) (const x509_t*))get_subject;
 	this->public.set_until = (void (*) (x509_t*,time_t))set_until;
+	this->public.get_until = (time_t (*) (const x509_t*))get_until;
+	this->public.set_status = (void (*) (x509_t*,cert_status_t))set_status;
+	this->public.get_status = (cert_status_t (*) (const x509_t*))get_status;
 	this->public.verify = (bool (*) (const x509_t*,const rsa_public_key_t*))verify;
 	this->public.destroy = (void (*) (x509_t*))destroy;
 	this->public.log_certificate = (void (*) (const x509_t*,logger_t*,bool,bool))log_certificate;
@@ -1193,6 +1250,7 @@ x509_t *x509_create_from_chunk(chunk_t chunk)
 		return NULL;
 	}
 	/* set trusted lifetime of public key to notAfter */
+	this->status = is_self_signed(this)? CERT_GOOD:CERT_UNDEFINED;
 	this->until = this->notAfter;
 	return &this->public;
 }
diff --git a/src/libstrongswan/crypto/x509.h b/src/libstrongswan/crypto/x509.h
index a4451eb41..866659e3b 100755
--- a/src/libstrongswan/crypto/x509.h
+++ b/src/libstrongswan/crypto/x509.h
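Review bot: For CERT_REVOKED the new switch prints `this->until` as the revocation date (`" on %s"`), but the only assignment to `until` visible in this diff sets it to `notAfter` in x509_create_from_chunk, so unless the code that marks a certificate revoked also calls set_until() with the revocation time, the log will read "revoked on <notAfter>", which is misleading during an incident review. Either document that contract at set_status()/set_until() or keep the revocation time in its own field; at least a comment at the switch such as `/* for CERT_REVOKED, until is expected to carry the revocation time set by the OCSP/CRL code */` would make the assumption explicit. Separately, `enum_name(&cert_status_names, this->status)` is fed a status that set_status() stores without any range check; if enum_name() can return NULL for an out-of-range value (its fallback is not visible here), the `%s` conversion would be undefined behaviour, so either guard the value or confirm enum_name() always returns a string.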
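Review bot: `this->status = is_self_signed(this)? CERT_GOOD:CERT_UNDEFINED;` marks every self-signed certificate as CERT_GOOD at parse time, before any trust decision has been made, while CA-issued certificates start as CERT_UNDEFINED. Self-signing is something any party can do, so if CERT_GOOD is read elsewhere as "trusted and not revoked", an arbitrary self-signed certificate would get a better status than a chain-validated one; and if is_self_signed() only compares issuer and subject names (its body is not in this diff), the signature is not even checked. Unless the caller already restricts this path to configured trust anchors, I would initialise the status to CERT_UNDEFINED unconditionally and let the trust-chain code promote it: `this->status = CERT_UNDEFINED;`. The preceding comment `/* set trusted lifetime of public key to notAfter */` also no longer describes the statement it now sits above; a separate `/* initial status; a trust decision has not been made yet */` would keep the two apart.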
@@ -26,6 +26,7 @@
 #include <types.h>
 #include <definitions.h>
 #include <crypto/rsa/rsa_public_key.h>
+#include <crypto/certinfo.h>
 #include <utils/identification.h>
 #include <utils/iterator.h>
 #include <utils/logger.h>
@@ -57,6 +58,38 @@ struct x509_t {
 	void (*set_until) (x509_t *this, time_t until);
 	/**
+	 * @brief Get trusted public key life.
+	 *
+	 * @param this calling object
+	 * @return time until public key is trusted
+	 */
+	time_t (*get_until) (const x509_t *this);
+
+	/**
+	 * @brief Set the certificate status
+	 *
+	 * @param this calling object
+	 * @param status certificate status
+	 */
+	void (*set_status) (x509_t *this, cert_status_t status);
+
+	/**
+	 * @brief Get the certificate status
+	 *
+	 * @param this calling object
+	 * @return certificate status
+	 */
+	cert_status_t (*get_status) (const x509_t *this);
+
+	/**
+	 * @brief Get the DER-encoded X.509 certificate body
+	 *
+	 * @param this calling object
+	 * @return DER-encoded X.509 certificate
+	 */
+	chunk_t (*get_certificate) (const x509_t *this);
+
+	/**
 	 * @brief Get the RSA public key from the certificate.
 	 *
 	 * @param this calling object
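Review bot: The documentation for the new `get_certificate` says it returns the DER-encoded certificate but not who owns the bytes; the implementation in x509.c returns the internal `this->certificate` chunk by value, so the caller gets an alias into the object's buffer that must not be freed or modified and is only valid until destroy(). I would extend the @return line to `@return DER-encoded X.509 certificate (internal buffer owned by this object; do not free or modify, valid until destroy())`. The same ownership caveat now applies to get_public_key, whose doc block begins at the end of this hunk, since the same commit stops cloning the key there.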