Key strength checking stores all key sizes in auth_cfg, verifies all in complies()
[strongswan.git] / src / libstrongswan / credentials / credential_manager.c
index bb2bf5b..f437bbf 100644 (file)
@@ -551,52 +551,21 @@ static certificate_t *get_issuer_cert(private_credential_manager_t *this,
 }
 
 /**
- * Get the strength of the weakest key in a trustchain
+ * Get the strength of certificate, add it to auth
  */
-static void calculate_trustchain_strength(auth_cfg_t *auth)
+static void get_key_strength(certificate_t *cert, auth_cfg_t *auth)
 {
-       enumerator_t *enumerator;
-       uintptr_t strength = 0;
-       key_type_t type = KEY_ANY;
-       certificate_t *cert;
+       uintptr_t strength;
        public_key_t *key;
-       auth_rule_t rule;
+       key_type_t type;
 
-       enumerator = auth->create_enumerator(auth);
-       while (enumerator->enumerate(enumerator, &rule, &cert))
-       {
-               switch (rule)
-               {
-                       case AUTH_RULE_SUBJECT_CERT:
-                       case AUTH_RULE_IM_CERT:
-                       case AUTH_RULE_CA_CERT:
-                       {
-                               key = cert->get_public_key(cert);
-                               if (!key || (type != KEY_ANY && type != key->get_type(key)))
-                               {       /* no key, or different key families */
-                                       DESTROY_IF(key);
-                                       enumerator->destroy(enumerator);
-                                       return;
-                               }
-                               type = key->get_type(key);
-                               if (!strength)
-                               {
-                                       strength = key->get_keysize(key);
-                               }
-                               else
-                               {
-                                       strength = min(strength, key->get_keysize(key));
-                               }
-                               key->destroy(key);
-                               break;
-                       }
-                       default:
-                               break;
-               }
-       }
-       enumerator->destroy(enumerator);
-       if (strength)
+       key = cert->get_public_key(cert);
+       if (key)
        {
+               type = key->get_type(key);
+               strength = key->get_keysize(key);
+               DBG2(DBG_CFG, "  certificate \"%Y\" key: %d bit %N",
+                        cert->get_subject(cert), strength, key_type_names, type);
                switch (type)
                {
                        case KEY_RSA:
@@ -608,6 +577,7 @@ static void calculate_trustchain_strength(auth_cfg_t *auth)
                        default:
                                break;
                }
+               key->destroy(key);
        }
 }
 
@@ -623,6 +593,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
        int pathlen;
 
        auth = auth_cfg_create();
+       get_key_strength(subject, auth);
        current = subject->get_ref(subject);
 
        for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++)
@@ -675,6 +646,10 @@ static bool verify_trust_chain(private_credential_manager_t *this,
                        issuer->destroy(issuer);
                        break;
                }
+               if (issuer)
+               {
+                       get_key_strength(issuer, auth);
+               }
                current->destroy(current);
                current = issuer;
                if (trusted)
@@ -746,7 +721,6 @@ METHOD(enumerator_t, trusted_enumerate, bool,
                        {
                                this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
                                                                this->pretrusted->get_ref(this->pretrusted));
-                               calculate_trustchain_strength(this->auth);
                                DBG1(DBG_CFG, "  using trusted certificate \"%Y\"",
                                         this->pretrusted->get_subject(this->pretrusted));
                                *cert = this->pretrusted;
@@ -775,7 +749,6 @@ METHOD(enumerator_t, trusted_enumerate, bool,
                        this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
                                                        current->get_ref(current));
                        *cert = current;
-                       calculate_trustchain_strength(this->auth);
                        if (auth)
                        {
                                *auth = this->auth;