53e9cb64f202adac60dd967005dad0bf6e4f3dff
[strongswan.git] / src / charon / config / credentials / local_credential_store.c
1 /**
2 * @file local_credential_store.c
3 *
4 * @brief Implementation of local_credential_store_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <sys/stat.h>
24 #include <dirent.h>
25 #include <string.h>
26 #include <pthread.h>
27
28 #include <utils/lexparser.h>
29 #include <utils/linked_list.h>
30 #include <utils/logger_manager.h>
31 #include <crypto/certinfo.h>
32 #include <crypto/rsa/rsa_public_key.h>
33 #include <crypto/x509.h>
34 #include <crypto/crl.h>
35
36 #include "local_credential_store.h"
37
38 #define PATH_BUF 256
39 #define MAX_CA_PATH_LEN 7
40
41 typedef struct private_local_credential_store_t private_local_credential_store_t;
42
43 /**
44 * Private data of an local_credential_store_t object
45 */
46 struct private_local_credential_store_t {
47
48 /**
49 * Public part
50 */
51 local_credential_store_t public;
52
53 /**
54 * list of key_entry_t's with private keys
55 */
56 linked_list_t *private_keys;
57
58 /**
59 * list of X.509 certificates with public keys
60 */
61 linked_list_t *certs;
62
63 /**
64 * list of X.509 CA certificates with public keys
65 */
66 linked_list_t *ca_certs;
67
68 /**
69 * list of X.509 CRLs
70 */
71 linked_list_t *crls;
72
73 /**
74 * mutex controlling the access to the crls linked list
75 */
76 pthread_mutex_t crls_mutex;
77
78 /**
79 * enforce strict crl policy
80 */
81 bool strict;
82
83 /**
84 * Assigned logger
85 */
86 logger_t *logger;
87 };
88
89
90 /**
91 * Implementation of local_credential_store_t.get_shared_secret.
92 */
93 static status_t get_shared_secret(private_local_credential_store_t *this, identification_t *id, chunk_t *secret)
94 {
95 return FAILED;
96 }
97
98 /**
99 * Implementation of local_credential_store_t.get_rsa_public_key.
100 */
101 static rsa_public_key_t *get_rsa_public_key(private_local_credential_store_t *this, identification_t *id)
102 {
103 rsa_public_key_t *found = NULL;
104
105 iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE);
106
107 while (iterator->has_next(iterator))
108 {
109 x509_t *cert;
110
111 iterator->current(iterator, (void**)&cert);
112
113 if (id->equals(id, cert->get_subject(cert)) || cert->equals_subjectAltName(cert, id))
114 {
115 found = cert->get_public_key(cert);
116 break;
117 }
118 }
119 iterator->destroy(iterator);
120 return found;
121 }
122
123 /**
124 * Implementation of local_credential_store_t.get_rsa_private_key.
125 */
126 static rsa_private_key_t *get_rsa_private_key(private_local_credential_store_t *this, rsa_public_key_t *pubkey)
127 {
128 rsa_private_key_t *found = NULL;
129 rsa_private_key_t *current;
130
131 iterator_t *iterator = this->private_keys->create_iterator(this->private_keys, TRUE);
132
133 while (iterator->has_next(iterator))
134 {
135 iterator->current(iterator, (void**)&current);
136
137 if (current->belongs_to(current, pubkey))
138 {
139 found = current->clone(current);
140 break;
141 }
142 }
143 iterator->destroy(iterator);
144 return found;
145 }
146
147 /**
148 * Implementation of local_credential_store_t.has_rsa_private_key.
149 */
150 static bool has_rsa_private_key(private_local_credential_store_t *this, rsa_public_key_t *pubkey)
151 {
152 bool found = FALSE;
153 rsa_private_key_t *current;
154
155 iterator_t *iterator = this->private_keys->create_iterator(this->private_keys, TRUE);
156
157 while (iterator->has_next(iterator))
158 {
159 iterator->current(iterator, (void**)&current);
160
161 if (current->belongs_to(current, pubkey))
162 {
163 found = TRUE;
164 break;
165 }
166 }
167 iterator->destroy(iterator);
168 return found;
169 }
170
171 /**
172 * Implementation of credential_store_t.get_issuer_certificate.
173 */
174 static x509_t* get_issuer_certificate(private_local_credential_store_t *this, const x509_t *cert)
175 {
176 x509_t *issuer_cert = NULL;
177
178 iterator_t *iterator = this->ca_certs->create_iterator(this->ca_certs, TRUE);
179
180 while (iterator->has_next(iterator))
181 {
182 x509_t *current_cert;
183
184 iterator->current(iterator, (void**)&current_cert);
185 if (cert->is_issuer(cert, current_cert))
186 {
187 issuer_cert = current_cert;
188 break;
189 }
190 }
191 iterator->destroy(iterator);
192
193 return issuer_cert;
194 }
195
196 /**
197 * Implementation of credential_store_t.get_crl.
198 */
199 static crl_t* get_crl(private_local_credential_store_t *this, const x509_t *issuer)
200 {
201 crl_t *crl = NULL;
202
203 iterator_t *iterator = this->crls->create_iterator(this->crls, TRUE);
204
205 while (iterator->has_next(iterator))
206 {
207 crl_t *current_crl;
208
209 iterator->current(iterator, (void**)&current_crl);
210 if (current_crl->is_issuer(current_crl, issuer))
211 {
212 crl = current_crl;
213 break;
214 }
215 }
216 iterator->destroy(iterator);
217
218 return crl;
219 }
220
221 /**
222 * Verify the certificate status using CRLs
223 */
224 static cert_status_t verify_by_crl(private_local_credential_store_t* this, const x509_t *cert,
225 const x509_t *issuer_cert, certinfo_t *certinfo)
226 {
227 crl_t *crl;
228 bool valid_signature;
229 rsa_public_key_t *issuer_public_key;
230
231
232 pthread_mutex_lock(&(this->crls_mutex));
233
234 crl = get_crl(this, issuer_cert);
235 if (crl == NULL)
236 {
237 this->logger->log(this->logger, ERROR, "crl not found");
238 goto err;
239 }
240 this->logger->log(this->logger, CONTROL|LEVEL1, "crl found");
241
242 issuer_public_key = issuer_cert->get_public_key(issuer_cert);
243 valid_signature = crl->verify(crl, issuer_public_key);
244 issuer_public_key->destroy(issuer_public_key);
245
246 if (!valid_signature)
247 {
248 this->logger->log(this->logger, ERROR, "crl signature is invalid");
249 goto err;
250 }
251 this->logger->log(this->logger, CONTROL|LEVEL1, "crl signature is valid");
252
253 crl->get_status(crl, certinfo);
254
255 err:
256 pthread_mutex_unlock(&(this->crls_mutex));
257 return certinfo->get_status(certinfo);
258 }
259
260 /**
261 * Verify the certificate status using OCSP
262 */
263 static cert_status_t verify_by_ocsp(private_local_credential_store_t* this,
264 const x509_t *cert, certinfo_t *certinfo)
265 {
266 /* TODO implement function */
267 return CERT_UNDEFINED;
268 }
269
270 /**
271 * Remove a public key for the linked list
272 */
273 static void remove_public_key(private_local_credential_store_t *this, const x509_t *cert)
274 {
275 /* TODO implement function */
276 }
277
278 /**
279 * Implementation of credential_store_t.verify.
280 */
281 static bool verify(private_local_credential_store_t *this, const x509_t *cert, time_t *until)
282 {
283 int pathlen;
284
285 *until = UNDEFINED_TIME;
286
287 for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
288 {
289 err_t ugh = NULL;
290 x509_t *issuer_cert;
291 rsa_public_key_t *issuer_public_key;
292 bool valid_signature;
293
294 identification_t *subject = cert->get_subject(cert);
295 identification_t *issuer = cert->get_issuer(cert);
296
297 this->logger->log(this->logger, CONTROL|LEVEL1, "subject: '%s'", subject->get_string(subject));
298 this->logger->log(this->logger, CONTROL|LEVEL1, "issuer: '%s'", issuer->get_string(issuer));
299
300 ugh = cert->is_valid(cert, until);
301 if (ugh != NULL)
302 {
303 this->logger->log(this->logger, ERROR, "certificate %s", ugh);
304 return FALSE;
305 }
306 this->logger->log(this->logger, CONTROL|LEVEL1, "certificate is valid");
307
308 issuer_cert = get_issuer_certificate(this, cert);
309 if (issuer_cert == NULL)
310 {
311 this->logger->log(this->logger, ERROR, "issuer certificate not found");
312 return FALSE;
313 }
314 this->logger->log(this->logger, CONTROL|LEVEL1, "issuer certificate found");
315
316 issuer_public_key = issuer_cert->get_public_key(issuer_cert);
317 valid_signature = cert->verify(cert, issuer_public_key);
318 issuer_public_key->destroy(issuer_public_key);
319
320 if (!valid_signature)
321 {
322 this->logger->log(this->logger, ERROR, "certificate signature is invalid");
323 return FALSE;
324 }
325 this->logger->log(this->logger, CONTROL|LEVEL1, "certificate signature is valid");
326
327 /* check if cert is a self-signed root ca */
328 if (pathlen > 0 && cert->is_self_signed(cert))
329 {
330 this->logger->log(this->logger, CONTROL|LEVEL1, "reached self-signed root ca");
331 return TRUE;
332 }
333 else
334 {
335 time_t nextUpdate;
336 cert_status_t status;
337 certinfo_t *certinfo = certinfo_create(cert->get_serialNumber(cert));
338
339 certinfo->set_nextUpdate(certinfo, *until);
340
341 /* first check certificate revocation using ocsp */
342 status = verify_by_ocsp(this, cert, certinfo);
343
344 /* if ocsp service is not available then fall back to crl */
345 if ((status == CERT_UNDEFINED) || (status == CERT_UNKNOWN && this->strict))
346 {
347 status = verify_by_crl(this, cert, issuer_cert, certinfo);
348 }
349
350 nextUpdate = certinfo->get_nextUpdate(certinfo);
351
352 switch (status)
353 {
354 case CERT_GOOD:
355 /* if status information is stale */
356 if (this->strict && nextUpdate < time(NULL))
357 {
358 this->logger->log(this->logger, CONTROL|LEVEL1, "certificate is good but status is stale");
359 remove_public_key(this, cert);
360 return FALSE;
361 }
362 this->logger->log(this->logger, CONTROL|LEVEL1, "certificate is good");
363
364 /* with strict crl policy the public key must have the same
365 * lifetime as the validity of the ocsp status or crl lifetime
366 */
367 if (this->strict && nextUpdate < *until)
368 *until = nextUpdate;
369 break;
370 case CERT_REVOKED:
371 {
372 u_char buf[TIMETOA_BUF];
373 time_t revocationTime = certinfo->get_revocationTime(certinfo);
374
375 timetoa(buf, TIMETOA_BUF, &revocationTime, TRUE);
376 this->logger->log(this->logger, ERROR, "certificate was revoked on %s, reason: %s",
377 buf, certinfo->get_revocationReason(certinfo));
378 remove_public_key(this, cert);
379 return FALSE;
380 }
381 case CERT_UNKNOWN:
382 case CERT_UNDEFINED:
383 default:
384 this->logger->log(this->logger, CONTROL|LEVEL1, "certificate status unknown");
385 if (this->strict)
386 {
387 remove_public_key(this, cert);
388 return FALSE;
389 }
390 break;
391 }
392 certinfo->destroy(certinfo);
393 }
394 /* go up one step in the trust chain */
395 cert = issuer_cert;
396 }
397 this->logger->log(this->logger, ERROR, "maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
398 return FALSE;
399 }
400
401 /**
402 * Add a unique certificate to a linked list
403 */
404 static x509_t* add_certificate(linked_list_t *certs, x509_t *cert)
405 {
406 bool found = FALSE;
407
408 iterator_t *iterator = certs->create_iterator(certs, TRUE);
409
410 while (iterator->has_next(iterator))
411 {
412 x509_t *current_cert;
413
414 iterator->current(iterator, (void**)&current_cert);
415 if (cert->equals(cert, current_cert))
416 {
417 found = TRUE;
418 cert->destroy(cert);
419 cert = current_cert;
420 break;
421 }
422 }
423 iterator->destroy(iterator);
424
425 if (!found)
426 {
427 certs->insert_last(certs, (void*)cert);
428 }
429 return cert;
430 }
431
432 /**
433 * Implements local_credential_store_t.add_end_certificate
434 */
435 static x509_t* add_end_certificate(private_local_credential_store_t *this, x509_t *cert)
436 {
437 return add_certificate(this->certs, cert);
438 }
439
440 /**
441 * Implements local_credential_store_t.add_ca_certificate
442 */
443 static x509_t* add_ca_certificate(private_local_credential_store_t *this, x509_t *cert)
444 {
445 return add_certificate(this->ca_certs, cert);
446 }
447
448 /**
449 * Implements local_credential_store_t.log_certificates
450 */
451 static void log_certificates(private_local_credential_store_t *this, logger_t *logger, bool utc)
452 {
453 iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE);
454
455 if (iterator->get_count(iterator))
456 {
457 logger->log(logger, CONTROL, "");
458 logger->log(logger, CONTROL, "List of X.509 End Entity Certificates:");
459 logger->log(logger, CONTROL, "");
460 }
461
462 while (iterator->has_next(iterator))
463 {
464 x509_t *cert;
465 bool has_key;
466
467 iterator->current(iterator, (void**)&cert);
468 has_key = has_rsa_private_key(this, cert->get_public_key(cert));
469 cert->log_certificate(cert, logger, utc, has_key);
470 }
471 iterator->destroy(iterator);
472 }
473
474 /**
475 * Implements local_credential_store_t.log_ca_certificates
476 */
477 static void log_ca_certificates(private_local_credential_store_t *this, logger_t *logger, bool utc)
478 {
479 iterator_t *iterator = this->ca_certs->create_iterator(this->ca_certs, TRUE);
480
481 if (iterator->get_count(iterator))
482 {
483 logger->log(logger, CONTROL, "");
484 logger->log(logger, CONTROL, "List of X.509 CA Certificates:");
485 logger->log(logger, CONTROL, "");
486 }
487
488 while (iterator->has_next(iterator))
489 {
490 x509_t *cert;
491
492 iterator->current(iterator, (void**)&cert);
493 cert->log_certificate(cert, logger, utc, FALSE);
494 }
495 iterator->destroy(iterator);
496 }
497
498 /**
499 * Implements local_credential_store_t.log_crls
500 */
501 static void log_crls(private_local_credential_store_t *this, logger_t *logger, bool utc)
502 {
503 iterator_t *iterator = this->crls->create_iterator(this->crls, TRUE);
504
505 pthread_mutex_lock(&(this->crls_mutex));
506 if (iterator->get_count(iterator))
507 {
508 logger->log(logger, CONTROL, "");
509 logger->log(logger, CONTROL, "List of X.509 CRLs:");
510 logger->log(logger, CONTROL, "");
511 }
512
513 while (iterator->has_next(iterator))
514 {
515 crl_t *crl;
516
517 iterator->current(iterator, (void**)&crl);
518 crl->log_crl(crl, logger, utc, this->strict);
519 }
520 pthread_mutex_unlock(&(this->crls_mutex));
521
522 iterator->destroy(iterator);
523 }
524
525 /**
526 * Implements local_credential_store_t.load_ca_certificates
527 */
528 static void load_ca_certificates(private_local_credential_store_t *this)
529 {
530 struct dirent* entry;
531 struct stat stb;
532 DIR* dir;
533 x509_t *cert;
534
535 this->logger->log(this->logger, CONTROL, "loading ca certificates from '%s/'", CA_CERTIFICATE_DIR);
536
537 dir = opendir(CA_CERTIFICATE_DIR);
538 if (dir == NULL)
539 {
540 this->logger->log(this->logger, ERROR, "error opening ca certs directory %s'", CA_CERTIFICATE_DIR);
541 return;
542 }
543
544 while ((entry = readdir(dir)) != NULL)
545 {
546 char file[PATH_BUF];
547
548 snprintf(file, sizeof(file), "%s/%s", CA_CERTIFICATE_DIR, entry->d_name);
549
550 if (stat(file, &stb) == -1)
551 {
552 continue;
553 }
554 /* try to parse all regular files */
555 if (stb.st_mode & S_IFREG)
556 {
557 cert = x509_create_from_file(file, "ca certificate");
558 if (cert)
559 {
560 err_t ugh = cert->is_valid(cert, NULL);
561
562 if (ugh != NULL)
563 {
564 this->logger->log(this->logger, ERROR, "warning: ca certificate %s", ugh);
565 }
566 if (cert->is_ca(cert))
567 {
568 cert = add_certificate(this->ca_certs, cert);
569 }
570 else
571 {
572 this->logger->log(this->logger, ERROR,
573 " CA basic constraints flag not set, cert discarded");
574 cert->destroy(cert);
575 }
576 }
577 }
578 }
579 closedir(dir);
580 }
581
582 /**
583 * Add the latest crl to a linked list
584 */
585 static crl_t* add_crl(linked_list_t *crls, crl_t *crl, logger_t *logger)
586 {
587 bool found = FALSE;
588
589 iterator_t *iterator = crls->create_iterator(crls, TRUE);
590
591 while (iterator->has_next(iterator))
592 {
593 crl_t *current_crl;
594
595 iterator->current(iterator, (void**)&current_crl);
596 if (crl->equals_issuer(crl, current_crl))
597 {
598 found = TRUE;
599 if (crl->is_newer(crl, current_crl))
600 {
601 crl_t *old_crl = NULL;
602
603 iterator->replace(iterator, (void**)&old_crl, (void*)crl);
604 if (old_crl != NULL)
605 {
606 old_crl->destroy(old_crl);
607 }
608 logger->log(logger, CONTROL|LEVEL1, " thisUpdate is newer - existing crl replaced");
609 }
610 else
611 {
612 crl->destroy(crl);
613 crl = current_crl;
614 logger->log(logger, CONTROL|LEVEL1, " thisUpdate is not newer - existing crl retained");
615 }
616 break;
617 }
618 }
619 iterator->destroy(iterator);
620
621 if (!found)
622 {
623 crls->insert_last(crls, (void*)crl);
624 logger->log(logger, CONTROL|LEVEL1, " crl added");
625 }
626 return crl;
627 }
628
629 /**
630 * Implements local_credential_store_t.load_crls
631 */
632 static void load_crls(private_local_credential_store_t *this)
633 {
634 struct dirent* entry;
635 struct stat stb;
636 DIR* dir;
637 crl_t *crl;
638
639 this->logger->log(this->logger, CONTROL, "loading crls from '%s/'", CRL_DIR);
640
641 dir = opendir(CRL_DIR);
642 if (dir == NULL)
643 {
644 this->logger->log(this->logger, ERROR, "error opening crl directory %s'", CRL_DIR);
645 return;
646 }
647
648 while ((entry = readdir(dir)) != NULL)
649 {
650 char file[PATH_BUF];
651
652 snprintf(file, sizeof(file), "%s/%s", CRL_DIR, entry->d_name);
653
654 if (stat(file, &stb) == -1)
655 {
656 continue;
657 }
658 /* try to parse all regular files */
659 if (stb.st_mode & S_IFREG)
660 {
661 crl = crl_create_from_file(file);
662 if (crl)
663 {
664 err_t ugh = crl->is_valid(crl, NULL, this->strict);
665
666 if (ugh != NULL)
667 {
668 this->logger->log(this->logger, ERROR, "warning: crl %s", ugh);
669 }
670 pthread_mutex_lock(&(this->crls_mutex));
671 crl = add_crl(this->crls, crl, this->logger);
672 pthread_mutex_unlock(&(this->crls_mutex));
673 }
674 }
675 }
676 closedir(dir);
677 }
678
679 /**
680 * Implements local_credential_store_t.load_private_keys
681 */
682 static void load_private_keys(private_local_credential_store_t *this)
683 {
684 FILE *fd = fopen(SECRETS_FILE, "r");
685
686 if (fd)
687 {
688 int bytes;
689 int line_nr = 0;
690 chunk_t chunk, src, line;
691
692 this->logger->log(this->logger, CONTROL, "loading secrets from \"%s\"", SECRETS_FILE);
693
694 fseek(fd, 0, SEEK_END);
695 chunk.len = ftell(fd);
696 rewind(fd);
697 chunk.ptr = malloc(chunk.len);
698 bytes = fread(chunk.ptr, 1, chunk.len, fd);
699 fclose(fd);
700
701 src = chunk;
702
703 while (fetchline(&src, &line))
704 {
705 chunk_t ids, token;
706
707 line_nr++;
708
709 if (!eat_whitespace(&line))
710 {
711 continue;
712 }
713 if (!extract_token(&ids, ':', &line))
714 {
715 this->logger->log(this->logger, ERROR, "line %d: missing ':' separator", line_nr);
716 goto error;
717 }
718 if (!eat_whitespace(&line) || !extract_token(&token, ' ', &line))
719 {
720 this->logger->log(this->logger, ERROR, "line %d: missing token", line_nr);
721 goto error;
722 }
723 if (match("RSA", &token))
724 {
725 char path[PATH_BUF];
726 chunk_t filename;
727
728 err_t ugh = extract_value(&filename, &line);
729
730 if (ugh != NULL)
731 {
732 this->logger->log(this->logger, ERROR, "line %d: %s", line_nr, ugh);
733 goto error;
734 }
735 if (filename.len == 0)
736 {
737 this->logger->log(this->logger, ERROR,
738 "line %d: empty filename", line_nr);
739 goto error;
740 }
741 if (*filename.ptr == '/')
742 {
743 /* absolute path name */
744 snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr);
745 }
746 else
747 {
748 /* relative path name */
749 snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR, filename.len, filename.ptr);
750 }
751
752 rsa_private_key_t *key = rsa_private_key_create_from_file(path, NULL);
753 if (key)
754 {
755 this->private_keys->insert_last(this->private_keys, (void*)key);
756 }
757 }
758 else if (match("PSK", &token))
759 {
760
761 }
762 else if (match("PIN", &token))
763 {
764
765 }
766 else
767 {
768 this->logger->log(this->logger, ERROR,
769 "line %d: token must be either RSA, PSK, or PIN",
770 line_nr, token.len);
771 goto error;
772 }
773 }
774 error:
775 free(chunk.ptr);
776 }
777 else
778 {
779 this->logger->log(this->logger, ERROR, "could not open file '%s'", SECRETS_FILE);
780 }
781 }
782
783 /**
784 * Implementation of local_credential_store_t.destroy.
785 */
786 static void destroy(private_local_credential_store_t *this)
787 {
788 x509_t *cert;
789 crl_t *crl;
790 rsa_private_key_t *key;
791
792 /* destroy cert list */
793 while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS)
794 {
795 cert->destroy(cert);
796 }
797 this->certs->destroy(this->certs);
798
799 /* destroy ca cert list */
800 while (this->ca_certs->remove_last(this->ca_certs, (void**)&cert) == SUCCESS)
801 {
802 cert->destroy(cert);
803 }
804 this->ca_certs->destroy(this->ca_certs);
805
806 /* destroy crl list */
807 pthread_mutex_lock(&(this->crls_mutex));
808 while (this->crls->remove_last(this->crls, (void**)&crl) == SUCCESS)
809 {
810 crl->destroy(crl);
811 }
812 this->crls->destroy(this->crls);
813 pthread_mutex_unlock(&(this->crls_mutex));
814
815 /* destroy private key list */
816 while (this->private_keys->remove_last(this->private_keys, (void**)&key) == SUCCESS)
817 {
818 key->destroy(key);
819 }
820 this->private_keys->destroy(this->private_keys);
821
822 free(this);
823 }
824
825 /**
826 * Described in header.
827 */
828 local_credential_store_t * local_credential_store_create(bool strict)
829 {
830 private_local_credential_store_t *this = malloc_thing(private_local_credential_store_t);
831
832 this->public.credential_store.get_shared_secret = (status_t(*)(credential_store_t*,identification_t*,chunk_t*))get_shared_secret;
833 this->public.credential_store.get_rsa_private_key = (rsa_private_key_t*(*)(credential_store_t*,rsa_public_key_t*))get_rsa_private_key;
834 this->public.credential_store.has_rsa_private_key = (bool(*)(credential_store_t*,rsa_public_key_t*))has_rsa_private_key;
835 this->public.credential_store.get_rsa_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_rsa_public_key;
836 this->public.credential_store.verify = (bool(*)(credential_store_t*,const x509_t*,time_t*))verify;
837 this->public.credential_store.add_end_certificate = (x509_t*(*)(credential_store_t*,x509_t*))add_end_certificate;
838 this->public.credential_store.add_ca_certificate = (x509_t*(*)(credential_store_t*,x509_t*))add_ca_certificate;
839 this->public.credential_store.log_certificates = (void(*)(credential_store_t*,logger_t*,bool))log_certificates;
840 this->public.credential_store.log_ca_certificates = (void(*)(credential_store_t*,logger_t*,bool))log_ca_certificates;
841 this->public.credential_store.log_crls = (void(*)(credential_store_t*,logger_t*,bool))log_crls;
842 this->public.credential_store.load_ca_certificates = (void(*)(credential_store_t*))load_ca_certificates;
843 this->public.credential_store.load_crls = (void(*)(credential_store_t*))load_crls;
844 this->public.credential_store.load_private_keys = (void(*)(credential_store_t*))load_private_keys;
845 this->public.credential_store.destroy = (void(*)(credential_store_t*))destroy;
846
847 /* initialize mutexes */
848 pthread_mutex_init(&(this->crls_mutex), NULL);
849
850 /* private variables */
851 this->private_keys = linked_list_create();
852 this->certs = linked_list_create();
853 this->ca_certs = linked_list_create();
854 this->crls = linked_list_create();
855 this->strict = strict;
856 this->logger = logger_manager->get_logger(logger_manager, CONFIG);
857
858 return (&this->public);
859 }