fixed compilation warnings and errors when not using curl
[strongswan.git] / src / libstrongswan / crypto / ca.c
index 1a53021..1e930a4 100644 (file)
@@ -30,6 +30,7 @@
 #include "crl.h"
 #include "ca.h"
 #include "certinfo.h"
+#include "ocsp.h"
 
 #include <library.h>
 #include <debug.h>
@@ -199,6 +200,18 @@ static void list_crl(private_ca_info_t *this, FILE *out, bool utc)
 }
 
 /**
+ * Implements ca_info_t.list_certinfos
+ */
+static void list_certinfos(private_ca_info_t *this, FILE *out, bool utc)
+{
+       pthread_mutex_lock(&(this->mutex));
+
+       /* fprintf(out, "%#X\n", this->certifnos, utc); */
+
+       pthread_mutex_unlock(&(this->mutex));
+}
+
+/**
  * Find an exact copy of an identification in a linked list
  */
 static identification_t* find_identification(linked_list_t *list, identification_t *id)
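Review bot: list_certinfos locks and unlocks `this->mutex` with nothing in between; the only body line is commented-out code, `/* fprintf(out, "%#X\n", this->certifnos, utc); */`, which also misspells `certinfos` and passes `utc` to a format string with a single conversion, so it would not do what it suggests even if re-enabled. Replace it with an explicit marker such as `/* TODO: print this->certinfos; out and utc are unused until then */` so the unfinished state is visible to the next reader and the unused `out`/`utc` parameters are accounted for. Whether this stub is already wired into ca_info_t elsewhere cannot be seen from this hunk; if it is, callers currently get a silent no-op.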
@@ -369,11 +382,52 @@ err:
 /**
   * Implements ca_info_t.verify_by_ocsp.
   */
-static cert_status_t verify_by_ocsp(private_ca_info_t* this, const x509_t *cert,
-                                                                       certinfo_t *certinfo)
+static cert_status_t verify_by_ocsp(private_ca_info_t* this,
+                                                                       const x509_t *cert,
+                                                                       certinfo_t *certinfo,
+                                                                       credential_store_t *credentials)
 {
-       /* TODO implement function */
-       return CERT_UNDEFINED;
+       bool found = FALSE;
+
+       pthread_mutex_lock(&(this->mutex));
+
+       /* do we support OCSP at all? */
+       if (this->ocspuris->get_count(this->ocspuris) == 0)
+       {
+               goto ret;
+       }
+
+       /* do we have a valid certinfo record for this serial number in our cache? */
+       {
+               iterator_t *iterator = this->certinfos->create_iterator(this->certinfos, TRUE);
+               certinfo_t *current_certinfo;
+
+               while(iterator->iterate(iterator, (void**)&current_certinfo))
+               {
+                       if (certinfo->equals_serialNumber(certinfo, current_certinfo))
+                       {
+                               found = TRUE;
+                               DBG2("ocsp status found");
+                               break;
+                       }
+               }
+               iterator->destroy(iterator);
+       }
+       
+       if (!found)
+       {
+               ocsp_t *ocsp;
+
+               DBG2("ocsp status is not in cache");
+
+               ocsp = ocsp_create(this->cacert, this->ocspuris);
+               ocsp->fetch(ocsp, certinfo, credentials);
+               ocsp->destroy(ocsp);
+       }
+
+ret:
+       pthread_mutex_unlock(&(this->mutex));
+       return certinfo->get_status(certinfo);
 }
 
 /**
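Review bot: On the cache-hit path the status found in `this->certinfos` is never handed back: the loop only sets `found = TRUE` and breaks, and the function then returns `certinfo->get_status(certinfo)`, which is the status of the record the caller passed in, not of `current_certinfo`. The cached record's status (and any validity fields the caller relies on) should be copied into `certinfo` before the `break`, or the function should return `current_certinfo`'s status directly. The comment speaks of a "valid" cached record, but the only test is `equals_serialNumber`, so a stale or expired cached response is treated as a hit just like a fresh one — presumably a validity check belongs here too. `ocsp_create` is used without a NULL check before `ocsp->fetch`, and the mutex stays held for the whole fetch, which, if fetch performs the network round trip, serializes every verification against this CA behind it.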
@@ -402,7 +456,6 @@ static int print(FILE *stream, const struct printf_info *info,
        bool utc = TRUE;
        int written = 0;
        const x509_t *cacert;
-       chunk_t keyid;
        
        if (info->alt)
        {
@@ -503,7 +556,7 @@ ca_info_t *ca_info_create(const char *name, x509_t *cacert)
        this->public.add_ocspuri = (void (*) (ca_info_t*,chunk_t))add_ocspuri;
        this->public.get_certificate = (x509_t* (*) (ca_info_t*))get_certificate;
        this->public.verify_by_crl = (cert_status_t (*) (ca_info_t*,const x509_t*,certinfo_t*))verify_by_crl;
-       this->public.verify_by_ocsp = (cert_status_t (*) (ca_info_t*,const x509_t*,certinfo_t*))verify_by_ocsp;
+       this->public.verify_by_ocsp = (cert_status_t (*) (ca_info_t*,const x509_t*,certinfo_t*,credential_store_t*))verify_by_ocsp;
        this->public.destroy = (void (*) (ca_info_t*))destroy;
 
        return &this->public;
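Review bot: The rewritten cast on the verify_by_ocsp assignment now encodes a four-parameter signature, but the ca_info_t declaration in ca.h is not part of this diff, so it cannot be confirmed here that the public member's type was updated to match; calling through a function pointer whose type differs from the function's actual type is undefined behaviour, and these explicit casts silence exactly that mismatch. Consider declaring the static implementations with the public `ca_info_t*` parameter type and assigning them without a cast, so the compiler checks the signature instead of the cast hiding it. ca_info_create begins outside the hunk.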