aboutsummaryrefslogtreecommitdiffstats
path: root/src/pluto/x509.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/pluto/x509.c')
-rw-r--r--src/pluto/x509.c174
1 files changed, 17 insertions, 157 deletions
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
index a612a70ed..705ff2c57 100644
--- a/src/pluto/x509.c
+++ b/src/pluto/x509.c
@@ -43,100 +43,6 @@
#include "ocsp.h"
/**
- * Chained lists of X.509 end certificates
- */
-static x509cert_t *x509certs = NULL;
-
-const x509cert_t empty_x509cert = {
- NULL , /* cert */
- NULL , /* *next */
- 0 , /* count */
- FALSE /* smartcard */
-};
-
-/* coding of X.501 distinguished name */
-
-/**
- * For each link pointing to the certificate increase the count by one
- */
-void share_x509cert(x509cert_t *cert)
-{
- if (cert != NULL)
- {
- cert->count++;
- }
-}
-
-/**
- * Add a X.509 user/host certificate to the chained list
- */
-x509cert_t* add_x509cert(x509cert_t *cert)
-{
- certificate_t *certificate = cert->cert;
- x509cert_t *c = x509certs;
-
- while (c != NULL)
- {
- if (certificate->equals(certificate, c->cert)) /* already in chain, free cert */
- {
- free_x509cert(cert);
- return c;
- }
- c = c->next;
- }
-
- /* insert new cert at the root of the chain */
- lock_certs_and_keys("add_x509cert");
- cert->next = x509certs;
- x509certs = cert;
- DBG(DBG_CONTROL | DBG_PARSING,
- DBG_log(" x509 cert inserted")
- )
- unlock_certs_and_keys("add_x509cert");
- return cert;
-}
-
-/**
- * Choose either subject DN or a subjectAltName as connection end ID
- */
-identification_t* select_x509cert_id(x509cert_t *cert, identification_t *id)
-{
- certificate_t *certificate = cert->cert;
- x509_t *x509 = (x509_t*)certificate;
- identification_t *subject, *subjectAltName;
-
- bool copy_subject_dn = TRUE; /* ID is subject DN */
-
- if (id->get_type(id) != ID_ANY) /* check for a matching subjectAltName */
- {
- enumerator_t *enumerator;
-
- enumerator = x509->create_subjectAltName_enumerator(x509);
- while (enumerator->enumerate(enumerator, &subjectAltName))
- {
- if (id->equals(id, subjectAltName))
- {
- copy_subject_dn = FALSE; /* take subjectAltName instead */
- break;
- }
- }
- enumerator->destroy(enumerator);
- }
- if (copy_subject_dn)
- {
- id->destroy(id);
- subject = certificate->get_subject(certificate);
- plog(" no subjectAltName matches ID '%Y', replaced by subject DN", id);
-
- return subject->clone(subject);
- }
- else
- {
- return id;
- }
-}
-
-/**
* Check for equality between two key identifiers
*/
bool same_keyid(chunk_t a, chunk_t b)
@@ -151,9 +57,9 @@ bool same_keyid(chunk_t a, chunk_t b)
/**
* Get a X.509 certificate with a given issuer found at a certain position
*/
-x509cert_t* get_x509cert(identification_t *issuer, chunk_t keyid, x509cert_t *chain)
+cert_t* get_x509cert(identification_t *issuer, chunk_t keyid, cert_t *chain)
{
- x509cert_t *cert = chain ? chain->next : x509certs;
+ cert_t *cert = chain->next;
while (cert)
{
@@ -172,47 +78,11 @@ x509cert_t* get_x509cert(identification_t *issuer, chunk_t keyid, x509cert_t *ch
}
/**
- * Free a X.509 certificate
- */
-void free_x509cert(x509cert_t *cert)
-{
- if (cert)
- {
- certificate_t *certificate = cert->cert;
-
- if (certificate)
- {
- certificate->destroy(certificate);
- }
- free(cert);
- cert = NULL;
- }
-}
-
-/**
- * Release of a certificate decreases the count by one
- * the certificate is freed when the counter reaches zero
- */
-void release_x509cert(x509cert_t *cert)
-{
- if (cert && --cert->count == 0)
- {
- x509cert_t **pp = &x509certs;
- while (*pp != cert)
- {
- pp = &(*pp)->next;
- }
- *pp = cert->next;
- free_x509cert(cert);
- }
-}
-
-/**
* Stores a chained list of end certs and CA certs
*/
void store_x509certs(linked_list_t *certs, bool strict)
{
- x509cert_t *x509cert, *cacerts = NULL;
+ cert_t *x509cert, *cacerts = NULL;
certificate_t *cert;
enumerator_t *enumerator;
@@ -235,8 +105,8 @@ void store_x509certs(linked_list_t *certs, bool strict)
else
{
/* insertion into temporary chain of candidate CA certs */
- x509cert = malloc_thing(x509cert_t);
- *x509cert = empty_x509cert;
+ x509cert = malloc_thing(cert_t);
+ *x509cert = cert_empty;
x509cert->cert = cert->get_ref(cert);
x509cert->next = cacerts;
cacerts = x509cert;
@@ -249,7 +119,7 @@ void store_x509certs(linked_list_t *certs, bool strict)
while (cacerts)
{
- x509cert_t *cert = cacerts;
+ cert_t *cert = cacerts;
cacerts = cacerts->next;
@@ -260,7 +130,7 @@ void store_x509certs(linked_list_t *certs, bool strict)
else
{
plog("intermediate cacert rejected");
- free_x509cert(cert);
+ cert_free(cert);
}
}
@@ -274,8 +144,8 @@ void store_x509certs(linked_list_t *certs, bool strict)
if (!(x509->get_flags(x509) & X509_CA))
{
- x509cert = malloc_thing(x509cert_t);
- *x509cert = empty_x509cert;
+ x509cert = malloc_thing(cert_t);
+ *x509cert = cert_empty;
x509cert->cert = cert->get_ref(cert);
if (verify_x509cert(x509cert, strict, &valid_until))
@@ -283,12 +153,12 @@ void store_x509certs(linked_list_t *certs, bool strict)
DBG(DBG_CONTROL | DBG_PARSING,
DBG_log("public key validated")
)
- add_x509_public_key(x509cert, valid_until, DAL_SIGNED);
+ add_public_key_from_cert(x509cert, valid_until, DAL_SIGNED);
}
else
{
plog("X.509 certificate rejected");
- free_x509cert(x509cert);
+ cert_free(x509cert);
}
}
}
@@ -342,7 +212,7 @@ chunk_t x509_build_signature(chunk_t tbs, int algorithm, private_key_t *key,
/**
* Verifies a X.509 certificate
*/
-bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
+bool verify_x509cert(cert_t *cert, bool strict, time_t *until)
{
int pathlen, pathlen_constraint;
@@ -355,7 +225,7 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
identification_t *issuer = certificate->get_issuer(certificate);
x509_t *x509 = (x509_t*)certificate;
chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
- x509cert_t *issuer_cert;
+ cert_t *issuer_cert;
time_t notBefore, notAfter;
bool valid;
@@ -497,7 +367,7 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
/**
* List all X.509 certs in a chained list
*/
-void list_x509cert_chain(const char *caption, x509cert_t* cert,
+void list_x509cert_chain(const char *caption, cert_t* cert,
x509_flag_t flags, bool utc)
{
bool first = TRUE;
@@ -511,7 +381,8 @@ void list_x509cert_chain(const char *caption, x509cert_t* cert,
certificate_t *certificate = cert->cert;
x509_t *x509 = (x509_t*)certificate;
- if (flags == X509_NONE || (flags & x509->get_flags(x509)))
+ if (certificate->get_type(certificate) == CERT_X509 &&
+ (flags == X509_NONE || (flags & x509->get_flags(x509))))
{
enumerator_t *enumerator;
char buf[BUF_LEN];
@@ -522,10 +393,6 @@ void list_x509cert_chain(const char *caption, x509cert_t* cert,
time_t notBefore, notAfter;
public_key_t *key;
chunk_t serial, keyid, subjkey, authkey;
- cert_t c;
-
- c.type = CERT_X509_SIGNATURE;
- c.u.x509 = cert;
if (first)
{
@@ -581,7 +448,7 @@ void list_x509cert_chain(const char *caption, x509cert_t* cert,
key_type_names, key->get_type(key),
key->get_keysize(key) * BITS_PER_BYTE,
cert->smartcard ? ", on smartcard" :
- (has_private_key(c)? ", has private key" : ""));
+ (has_private_key(cert)? ", has private key" : ""));
if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
{
@@ -613,10 +480,3 @@ void list_x509cert_chain(const char *caption, x509cert_t* cert,
}
}
-/**
- * List all X.509 end certificates in a chained list
- */
-void list_x509_end_certs(bool utc)
-{
- list_x509cert_chain("End Entity", x509certs, X509_NONE, utc);
-}
generated by cgit v1.2.3 (git 2.25.1) at 2025-03-01 20:04:59 +0000