Always pass auth info to validate(), use pathlen to check for user certificate
authorMartin Willi <martin@revosec.ch>
Wed, 22 Dec 2010 09:34:58 +0000 (10:34 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 5 Jan 2011 15:46:04 +0000 (16:46 +0100)
src/libstrongswan/credentials/credential_manager.c
src/libstrongswan/plugins/constraints/constraints_validator.c
src/libstrongswan/plugins/revocation/revocation_validator.c

index cc429ce..c32eb44 100644 (file)
@@ -622,8 +622,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
                                break;
                        }
                }
-               if (!check_certificate(this, current, issuer, online, pathlen,
-                                                          current == subject ? auth : NULL))
+               if (!check_certificate(this, current, issuer, online, pathlen, auth))
                {
                        trusted = FALSE;
                        issuer->destroy(issuer);
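Review bot: With `current == subject ? auth : NULL` removed, every cert_validator_t now receives a non-NULL auth at every depth of the chain, so identifying the end-entity certificate rests entirely on the pathlen argument passed on the same line. The constraints and revocation validators are updated in this commit, but any other validator (in-tree or out-of-tree) that still treats a non-NULL auth as its "this is the user certificate" test would now record or enforce constraints taken from intermediate CA certificates as if they applied to the subject. I would state the new contract at the call site: `/* auth is passed at every depth; validators must use pathlen == 0 to identify the end-entity certificate */`. verify_trust_chain starts and ends outside this hunk, so I cannot see whether pathlen is 0 for the subject here; the revocation change below implies it is.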
index 5c8ea7d..36a622d 100644 (file)
@@ -293,7 +293,8 @@ static bool has_policy(x509_t *issuer, chunk_t oid)
 /**
  * Check certificatePolicies
  */
-static bool check_policy(x509_t *subject, x509_t *issuer, auth_cfg_t *auth)
+static bool check_policy(x509_t *subject, x509_t *issuer, int pathlen,
+                                                auth_cfg_t *auth)
 {
        certificate_t *cert = (certificate_t*)subject;
        x509_policy_mapping_t *mapping;
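Review bot: The header comment `Check certificatePolicies` says nothing about the new pathlen parameter, although the function's behaviour now keys on it rather than on auth. I would extend it along the lines of `Check certificatePolicies; pathlen is 0 for the end-entity certificate, and only then is auth consulted` (adjusting the last clause to whatever the guarded block actually does with auth). check_policy's body continues past this hunk, so the exact use of auth is not visible here.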
@@ -329,7 +330,7 @@ static bool check_policy(x509_t *subject, x509_t *issuer, auth_cfg_t *auth)
                        enumerator->destroy(enumerator);
                        return FALSE;
                }
-               if (auth)
+               if (pathlen == 0)
                {
                        oid = asn1_oid_to_string(policy->oid);
                        if (oid)
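Review bot: The new guard `if (pathlen == 0)` replaces `if (auth)`, so the block no longer checks auth for NULL before the code that follows `if (oid)`; if that code dereferences auth, as the old guard suggests, a caller validating an end-entity certificate without an auth config will now crash instead of skipping the recording step. Keeping both conditions costs nothing: `if (pathlen == 0 && auth)`. The rest of the block lies outside the hunk, so I cannot confirm the dereference from here; if every caller is guaranteed to pass a non-NULL auth, a comment stating that guarantee would serve instead.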
@@ -358,7 +359,7 @@ METHOD(cert_validator_t, validate, bool,
                {
                        return FALSE;
                }
-               if (!check_policy((x509_t*)subject, (x509_t*)issuer, auth))
+               if (!check_policy((x509_t*)subject, (x509_t*)issuer, pathlen, auth))
                {
                        return FALSE;
                }
index c9a6093..0fe9722 100644 (file)
@@ -576,7 +576,8 @@ METHOD(cert_validator_t, validate, bool,
        {
                DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
                                           subject->get_subject(subject));
-               switch (check_ocsp((x509_t*)subject, (x509_t*)issuer, auth))
+               switch (check_ocsp((x509_t*)subject, (x509_t*)issuer,
+                                                  pathlen ? NULL : auth))
                {
                        case VALIDATION_GOOD:
                                DBG1(DBG_CFG, "certificate status is good");
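Review bot: The end-entity test `pathlen ? NULL : auth` is written as a bare ternary in the check_ocsp call here and again in the check_crl call in the next hunk, with nothing saying why an intermediate certificate's status check receives no auth config. I would compute it once before the OCSP call, `auth_cfg_t *subject_auth = pathlen ? NULL : auth; /* presumably only the end-entity cert's result is reported via auth; confirm against check_ocsp/check_crl */`, and pass subject_auth to both calls. validate's body begins before this hunk and continues after it.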
@@ -594,7 +595,8 @@ METHOD(cert_validator_t, validate, bool,
                                DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
                                break;
                }
-               switch (check_crl((x509_t*)subject, (x509_t*)issuer, auth))
+               switch (check_crl((x509_t*)subject, (x509_t*)issuer,
+                                                 pathlen ? NULL : auth))
                {
                        case VALIDATION_GOOD:
                                DBG1(DBG_CFG, "certificate status is good");