Provide CRLs received in CERT payloads to trustchain verification
[strongswan.git] / src / libcharon / sa / tasks / ike_cert_pre.c
index 0805d02..944637c 100644 (file)
@@ -93,8 +93,8 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
                                        certificate_t *cert;
 
                                        id = identification_create_from_encoding(ID_KEY_ID, keyid);
-                                       cert = charon->credentials->get_cert(charon->credentials,
-                                                                                       CERT_X509, KEY_ANY, id, TRUE);
+                                       cert = lib->credmgr->get_cert(lib->credmgr,
+                                                                                                 CERT_X509, KEY_ANY, id, TRUE);
                                        if (cert)
                                        {
                                                DBG1(DBG_IKE, "received cert request for \"%Y\"",
@@ -156,8 +156,8 @@ static certificate_t *try_get_cert(cert_payload_t *cert_payload)
                                break;
                        }
                        id = identification_create_from_encoding(ID_KEY_ID, hash);
-                       cert = charon->credentials->get_cert(charon->credentials,
-                                                                                                CERT_X509, KEY_ANY, id, FALSE);
+                       cert = lib->credmgr->get_cert(lib->credmgr,
+                                                                                 CERT_X509, KEY_ANY, id, FALSE);
                        id->destroy(id);
                        break;
                }
@@ -253,11 +253,19 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
                                        }
                                        break;
                                }
+                               case ENC_CRL:
+                                       cert = cert_payload->get_cert(cert_payload);
+                                       if (cert)
+                                       {
+                                               DBG1(DBG_IKE, "received CRL \"%Y\"",
+                                                        cert->get_subject(cert));
+                                               auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert);
+                                       }
+                                       break;
                                case ENC_PKCS7_WRAPPED_X509:
                                case ENC_PGP:
                                case ENC_DNS_SIGNED_KEY:
                                case ENC_KERBEROS_TOKEN:
-                               case ENC_CRL:
                                case ENC_ARL:
                                case ENC_SPKI:
                                case ENC_X509_ATTRIBUTE:
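Review bot: The CRL parsed from the peer's CERT payload in the new `case ENC_CRL:` is attached to the auth config as AUTH_HELPER_REVOCATION_CERT before anything in this hunk has checked it, so at this point it is attacker-controlled data: a peer can present a forged CRL, or a genuine but stale one, to influence the revocation check of its own certificate. That is acceptable only if the revocation validator (not visible here) verifies the CRL signature against the issuing CA and prefers the freshest CRL it has over a peer-supplied older one; please confirm, and add a comment above the `add()` such as `/* peer-supplied CRL: untrusted until its signature is verified by the revocation validator; it must not replace a newer CRL already cached */`. A cheap type guard, `if (cert && cert->get_type(cert) == CERT_X509_CRL)`, would also keep a mismatched object out of the revocation helper list. The log line calls `get_subject()` on a CRL object; if that accessor returns the CRL issuer (a CRL has no subject), `get_issuer()` would state the intent more clearly. process_certs starts and ends outside this hunk.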
@@ -299,7 +307,7 @@ static void add_certreq(certreq_payload_t **req, certificate_t *cert)
                        {
                                *req = certreq_payload_create_type(CERT_X509);
                        }
-                       if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+                       if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
                        {
                                (*req)->add_keyid(*req, keyid);
                                DBG1(DBG_IKE, "sending cert request for \"%Y\"",
@@ -370,8 +378,8 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
        if (!req)
        {
                /* otherwise add all trusted CA certificates */
-               enumerator = charon->credentials->create_cert_enumerator(
-                                                       charon->credentials, CERT_ANY, KEY_ANY, NULL, TRUE);
+               enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+                                                                                               CERT_ANY, KEY_ANY, NULL, TRUE);
                while (enumerator->enumerate(enumerator, &cert))
                {
                        add_certreq(&req, cert);