send = request->get_encoding(request);
request->destroy(request);
- DBG1(DBG_CFG, "requesting ocsp status for '%D' from '%s' ...",
- subject->get_subject(subject), url);
+ DBG1(DBG_CFG, "requesting ocsp status from '%s' ...", url);
if (lib->fetcher->fetch(lib->fetcher, url, &receive,
FETCH_REQUEST_DATA, send,
FETCH_REQUEST_TYPE, "application/ocsp-request",
this->sets->insert_first(this->sets, wrapper);
this->sets->insert_first(this->sets, this->cache);
responder = response->get_issuer(response);
- DBG1(DBG_CFG, "ocsp signer is \"%D\"", responder);
+ DBG1(DBG_CFG, " ocsp signer is \"%D\"", responder);
issuer_cert = get_trusted_cert(this, KEY_ANY, responder, auth, FALSE, FALSE);
this->sets->remove(this->sets, wrapper, NULL);
wrapper->destroy(wrapper);
}
if (this->cache->issued_by(this->cache, response, issuer_cert))
{
- DBG1(DBG_CFG, "ocsp response correctly signed by \"%D\"",
+ DBG1(DBG_CFG, " ocsp response correctly signed by \"%D\"",
issuer_cert->get_subject(issuer_cert));
issuer_cert->destroy(issuer_cert);
}
else
{
- DBG1(DBG_CFG, "ocsp response not issued by \"%D\"",
+ DBG1(DBG_CFG, "ocsp response not accepted from \"%D\"",
issuer_cert->get_subject(issuer_cert));
issuer_cert->destroy(issuer_cert);
response->destroy(response);
if (this->cache->issued_by(this->cache, crl_cert, issuer_cert))
{
- DBG1(DBG_CFG, "crl correctly signed by \"%D\"",
+ DBG1(DBG_CFG, " crl correctly signed by \"%D\"",
issuer_cert->get_subject(issuer_cert));
issuer_cert->destroy(issuer_cert);
}
else
{
- DBG1(DBG_CFG, "crl not issued by \"%D\"",
+ DBG1(DBG_CFG, "crl not accepted from \"%D\"",
issuer_cert->get_subject(issuer_cert));
issuer_cert->destroy(issuer_cert);
crl_cert->destroy(crl_cert);
/* has already been logged */
return FALSE;
case VALIDATION_SKIPPED:
- DBG2(DBG_CFG, "OCSP check skipped, no OCSP URI found");
+ DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
break;
case VALIDATION_FAILED:
case VALIDATION_UNKNOWN:
- DBG1(DBG_CFG, "OCSP check failed, fallback to CRL");
+ DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
break;
}
}
}
/**
- * try to verify trustchain of subject, return TRUE if trusted
+ * try to verify the trust chain of subject, return TRUE if trusted
*/
-static bool verify_trustchain(private_credential_manager_t *this,
- certificate_t *subject, auth_info_t *result,
- bool trusted, bool crl, bool ocsp)
+static bool verify_trust_chain(private_credential_manager_t *this,
+ certificate_t *subject, auth_info_t *result,
+ bool trusted, bool crl, bool ocsp)
{
certificate_t *current, *issuer;
auth_info_t *auth;
if (issuer)
{
auth->add_item(auth, AUTHZ_CA_CERT, issuer);
- DBG1(DBG_CFG, " using trusted root CA certificate \"%D\"",
+ DBG1(DBG_CFG, " using trusted ca certificate \"%D\"",
issuer->get_subject(issuer));
trusted = TRUE;
}
{
if (current->equals(current, issuer))
{
- DBG1(DBG_CFG, " certificate \"%D\" is self-signed, but ",
+ DBG1(DBG_CFG, "certificate \"%D\" is self-signed, but ",
"not trusted", current->get_subject(current));
issuer->destroy(issuer);
break;
}
auth->add_item(auth, AUTHZ_IM_CERT, issuer);
- DBG1(DBG_CFG, " using intermediate CA certificate \"%D\"",
+ DBG1(DBG_CFG, " using untrusted ca certificate \"%D\"",
issuer->get_subject(issuer));
}
else
}
/**
- * Get a trusted certificate by verifying the trustchain
+ * Get a trusted certificate by verifying the trust chain
*/
static certificate_t *get_trusted_cert(private_credential_manager_t *this,
key_type_t type, identification_t *id,
/* check if we have a trusted certificate for that peer */
subject = get_pretrusted_cert(this, type, id);
if (subject)
- { /* if we find a trusted certificate, we accept it. However, to
- * fullfill authorization rules, we try build the trustchain anyway. */
- if (verify_trustchain(this, subject, auth, TRUE, crl, ocsp))
+ {
+ /* if we find a trusted certificate, we accept it. However, to fulfill
+ * authorization rules, we try to build the trust chain anyway. */
+ if (verify_trust_chain(this, subject, auth, TRUE, crl, ocsp))
{
DBG1(DBG_CFG, " using pre-trusted certificate \"%D\"",
subject->get_subject(subject));
{
DBG1(DBG_CFG, " using certificate \"%D\"",
current->get_subject(current));
- if (verify_trustchain(this, current, auth, FALSE, crl, ocsp))
+ if (verify_trust_chain(this, current, auth, FALSE, crl, ocsp))
{
subject = current->get_ref(current);
break;
projects / strongswan.git / commitdiff