implemented ipsec listocsp function
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 27 Mar 2007 04:40:25 +0000 (04:40 -0000)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 27 Mar 2007 04:40:25 +0000 (04:40 -0000)
src/charon/config/credentials/local_credential_store.c
src/charon/threads/stroke_interface.c
src/libstrongswan/credential_store.h
src/libstrongswan/crypto/ca.c
src/libstrongswan/crypto/ca.h
src/libstrongswan/crypto/certinfo.c
src/libstrongswan/crypto/certinfo.h

index 50fc53b..59a21e6 100644 (file)
@@ -562,8 +562,8 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
                rsa_public_key_t *issuer_public_key;
                bool valid_signature;
 
-               DBG2(DBG_CFG, "subject: '%D'", cert->get_subject(cert));
-               DBG2(DBG_CFG, "issuer:  '%D'", cert->get_issuer(cert));
+               DBG1(DBG_CFG, "subject: '%D'", cert->get_subject(cert));
+               DBG1(DBG_CFG, "issuer:  '%D'", cert->get_issuer(cert));
 
                ugh = cert->is_valid(cert, &until);
                if (ugh != NULL)
@@ -576,10 +576,10 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
                issuer = get_issuer(this, cert);
                if (issuer == NULL)
                {
-                       DBG1(DBG_CFG, "issuer info not found");
+                       DBG1(DBG_CFG, "issuer not found");
                        return FALSE;
                }
-               DBG2(DBG_CFG, "issuer info found");
+               DBG2(DBG_CFG, "issuer found");
 
                issuer_cert = issuer->get_certificate(issuer);
                issuer_public_key = issuer_cert->get_public_key(issuer_cert);
@@ -595,7 +595,7 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
                /* check if cert is a self-signed root ca */
                if (pathlen > 0 && cert->is_self_signed(cert))
                {
-                       DBG2(DBG_CFG, "reached self-signed root ca");
+                       DBG1(DBG_CFG, "reached self-signed root ca");
 
                        /* set the definite status and trust interval of the end entity certificate */
                        end_cert->set_until(end_cert, until);
@@ -863,6 +863,32 @@ static void list_crls(private_local_credential_store_t *this, FILE *out, bool ut
 }
 
 /**
+ * Implements local_credential_store_t.list_ocsp
+ */
+static void list_ocsp(private_local_credential_store_t *this, FILE *out, bool utc)
+{
+       iterator_t *iterator = this->ca_infos->create_iterator(this->ca_infos, TRUE);
+       ca_info_t *ca_info;
+       bool first = TRUE;
+
+       while (iterator->iterate(iterator, (void **)&ca_info))
+       {
+               if (ca_info->has_certinfos(ca_info))
+               {
+                       if (first)
+                       {
+                               fprintf(out, "\n");
+                               fprintf(out, "List of OCSP responses:\n");
+                               first = FALSE;
+                       }
+                       fprintf(out, "\n");
+                       ca_info->list_certinfos(ca_info, out, utc);
+               }
+       }
+       iterator->destroy(iterator);
+}
+
+/**
  * Implements local_credential_store_t.load_auth_certificates
  */
 static void load_auth_certificates(private_local_credential_store_t *this,
@@ -1303,6 +1329,7 @@ local_credential_store_t * local_credential_store_create(bool strict)
        this->public.credential_store.create_auth_cert_iterator = (iterator_t* (*) (credential_store_t*))create_auth_cert_iterator;
        this->public.credential_store.create_cainfo_iterator = (iterator_t* (*) (credential_store_t*))create_cainfo_iterator;
        this->public.credential_store.list_crls = (void (*) (credential_store_t*,FILE*,bool))list_crls;
+       this->public.credential_store.list_ocsp = (void (*) (credential_store_t*,FILE*,bool))list_ocsp;
        this->public.credential_store.load_ca_certificates = (void (*) (credential_store_t*))load_ca_certificates;
        this->public.credential_store.load_ocsp_certificates = (void (*) (credential_store_t*))load_ocsp_certificates;
        this->public.credential_store.load_crls = (void (*) (credential_store_t*))load_crls;
index 69cf144..b039581 100755 (executable)
@@ -1138,6 +1138,10 @@ static void stroke_list(stroke_msg_t *msg, FILE *out)
        {
                list_auth_certificates(AUTH_OCSP, "OCSP", msg->list.utc, out);
        }
+       if (msg->list.flags & LIST_OCSP)
+       {
+               charon->credentials->list_ocsp(charon->credentials, out, msg->list.utc);
+       }
 }
 
 /**
index e19f147..e660a2a 100755 (executable)
@@ -226,6 +226,15 @@ struct credential_store_t {
        void (*list_crls) (credential_store_t *this, FILE *out, bool utc);
 
        /**
+        * @brief Check if there are any OCSP cert infos
+        *
+        * @param this          calling object
+        * @param out           output stream
+        * @param utc           either utc or local time
+        */
+       void (*list_ocsp) (credential_store_t *this, FILE *out, bool utc);
+
+       /**
         * @brief Loads ca certificates from a default directory.
         *
         * Certificates in both DER and PEM format are accepted
index 1e930a4..d80738d 100644 (file)
@@ -158,6 +158,20 @@ static bool has_crl(private_ca_info_t *this)
 }
 
 /**
+ * Implements ca_info_t.has_certinfos
+ */
+static bool has_certinfos(private_ca_info_t *this)
+{
+       bool found;
+
+       pthread_mutex_lock(&(this->mutex));
+       found = this->certinfos->get_count(this->certinfos) > 0;
+       pthread_mutex_unlock(&(this->mutex));
+
+       return found;
+}
+
+/**
  * Implements ca_info_t.add_crl
  */
 static void add_crl(private_ca_info_t *this, crl_t *crl)
@@ -206,7 +220,22 @@ static void list_certinfos(private_ca_info_t *this, FILE *out, bool utc)
 {
        pthread_mutex_lock(&(this->mutex));
 
-       /* fprintf(out, "%#X\n", this->certifnos, utc); */
+       fprintf(out,"    authname:  '%D'\n", this->cacert->get_subject(this->cacert));
+       {
+               chunk_t authkey = this->cacert->get_subjectKeyID(this->cacert);
+
+               fprintf(out,"    authkey:    %#B\n", &authkey);
+       }
+       {
+               iterator_t *iterator = this->certinfos->create_iterator(this->certinfos, TRUE);
+               certinfo_t *certinfo;
+
+               while (iterator->iterate(iterator, (void**)&certinfo))
+               {
+                       fprintf(out, "%#Y\n", certinfo, utc);
+               }
+               iterator->destroy(iterator);
+       }
 
        pthread_mutex_unlock(&(this->mutex));
 }
@@ -387,7 +416,10 @@ static cert_status_t verify_by_ocsp(private_ca_info_t* this,
                                                                        certinfo_t *certinfo,
                                                                        credential_store_t *credentials)
 {
-       bool found = FALSE;
+       bool stale;
+       iterator_t *iterator;
+       certinfo_t *cached_certinfo = NULL;
+       int comparison = 1;
 
        pthread_mutex_lock(&(this->mutex));
 
@@ -397,33 +429,62 @@ static cert_status_t verify_by_ocsp(private_ca_info_t* this,
                goto ret;
        }
 
-       /* do we have a valid certinfo record for this serial number in our cache? */
+       iterator = this->certinfos->create_iterator(this->certinfos, TRUE);
+
+       /* find the list insertion point in alphabetical order */
+       while(iterator->iterate(iterator, (void**)&cached_certinfo))
        {
-               iterator_t *iterator = this->certinfos->create_iterator(this->certinfos, TRUE);
-               certinfo_t *current_certinfo;
+               comparison = certinfo->compare_serialNumber(certinfo, cached_certinfo);
 
-               while(iterator->iterate(iterator, (void**)&current_certinfo))
+               if (comparison <= 0)
                {
-                       if (certinfo->equals_serialNumber(certinfo, current_certinfo))
-                       {
-                               found = TRUE;
-                               DBG2("ocsp status found");
-                               break;
-                       }
+                       break;
                }
-               iterator->destroy(iterator);
        }
-       
-       if (!found)
+
+       /* do we have a valid certinfo_t for this serial number in our cache? */
+       if (comparison == 0)
+       {       
+               stale = cached_certinfo->get_nextUpdate(cached_certinfo) < time(NULL);
+               DBG1("ocsp status in cache is %s", stale ? "stale":"fresh");
+       }
+       else
        {
-               ocsp_t *ocsp;
+               stale = TRUE;
+               DBG1("ocsp status is not in cache");
+       }
 
-               DBG2("ocsp status is not in cache");
+       if (stale)
+       {
+               ocsp_t *ocsp;
 
                ocsp = ocsp_create(this->cacert, this->ocspuris);
                ocsp->fetch(ocsp, certinfo, credentials);
+               if (certinfo->get_status(certinfo) != CERT_UNDEFINED)
+               {
+                       if (comparison != 0)
+                       {
+                               cached_certinfo = certinfo_create(certinfo->get_serialNumber(certinfo));
+
+                               if (comparison > 0)
+                               {
+                                       iterator->insert_after(iterator, (void *)cached_certinfo);
+                               }
+                               else
+                               {
+                                       iterator->insert_before(iterator, (void *)cached_certinfo);
+                               }
+                       }
+                       cached_certinfo->update(cached_certinfo, certinfo);
+               }
                ocsp->destroy(ocsp);
        }
+       else
+       {
+               certinfo->update(certinfo, cached_certinfo);
+       }
+
+       iterator->destroy(iterator);
 
 ret:
        pthread_mutex_unlock(&(this->mutex));
@@ -480,7 +541,11 @@ static int print(FILE *stream, const struct printf_info *info,
 
        cacert = this->cacert;
        written += fprintf(stream, "    authname:  '%D'\n", cacert->get_subject(cacert));
+       {
+               chunk_t authkey = cacert->get_subjectKeyID(cacert);
 
+               written += fprintf(stream, "    authkey:    %#B\n", &authkey);
+       }
        {
                chunk_t keyid = cacert->get_keyid(cacert);
 
@@ -551,7 +616,9 @@ ca_info_t *ca_info_create(const char *name, x509_t *cacert)
        this->public.add_info = (void (*) (ca_info_t*,const ca_info_t*))add_info;
        this->public.add_crl = (void (*) (ca_info_t*,crl_t*))add_crl;
        this->public.has_crl = (bool (*) (ca_info_t*))has_crl;
+       this->public.has_certinfos = (bool (*) (ca_info_t*))has_certinfos;
        this->public.list_crl = (void (*) (ca_info_t*,FILE*,bool))list_crl;
+       this->public.list_certinfos = (void (*) (ca_info_t*,FILE*,bool))list_certinfos;
        this->public.add_crluri = (void (*) (ca_info_t*,chunk_t))add_crluri;
        this->public.add_ocspuri = (void (*) (ca_info_t*,chunk_t))add_ocspuri;
        this->public.get_certificate = (x509_t* (*) (ca_info_t*))get_certificate;
index 0aa3e20..3ecf17e 100644 (file)
@@ -105,15 +105,34 @@ struct ca_info_t {
        bool (*has_crl) (ca_info_t *this);
 
        /**
+        * @brief Does the CA have OCSP certinfos?
+        * 
+        * @param this                  ca info object
+        * @return                              TRUE if there are any certinfos
+        */
+       bool (*has_certinfos) (ca_info_t *this);
+
+       /**
         * @brief List the CRL onto the console
         * 
         * @param this                  ca info object
+        * @param out                   output stream
         * @param utc                   TRUE -  utc
                                                        FALSE - local time
         */
        void (*list_crl) (ca_info_t *this, FILE *out, bool utc);
 
        /**
+        * @brief List the OCSP certinfos onto the console
+        * 
+        * @param this                  ca info object
+        * @param out                   output stream
+        * @param utc                   TRUE -  utc
+                                                       FALSE - local time
+        */
+       void (*list_certinfos) (ca_info_t *this, FILE *out, bool utc);
+
+       /**
         * @brief Adds a CRL URI to a list
         * 
         * @param this                  ca info object
index 8c899e6..3d542c9 100644 (file)
@@ -21,6 +21,7 @@
  */
 
 #include <time.h>
+#include <stdio.h>
 
 #include <library.h>
 
@@ -94,6 +95,14 @@ ENUM(crl_reason_names, REASON_UNSPECIFIED, REASON_REMOVE_FROM_CRL,
 );
 
 /**
+ * Implements certinfo_t.compare_serialNumber
+ */
+static int compare_serialNumber(const private_certinfo_t *this, const private_certinfo_t *that)
+{
+       return chunk_compare(this->serialNumber, that->serialNumber);
+}
+
+/**
  * Implements certinfo_t.equals_serialNumber
  */
 static bool equals_serialNumber(const private_certinfo_t *this, const private_certinfo_t *that)
@@ -190,6 +199,20 @@ static crl_reason_t get_revocationReason(const private_certinfo_t *this)
 }
 
 /**
+ * Implements certinfo_t.update
+ */
+static void update(private_certinfo_t *this, const private_certinfo_t *that)
+{
+       if (equals_serialNumber(this, that))
+       {
+               chunk_t this_serialNumber = this->serialNumber;
+
+               *this = *that;
+               this->serialNumber = this_serialNumber;
+       }
+}
+
+/**
  * Implements certinfo_t.destroy
  */
 static void destroy(private_certinfo_t *this)
@@ -198,6 +221,54 @@ static void destroy(private_certinfo_t *this)
        free(this);
 }
 
+/**
+ * output handler in printf()
+ */
+static int print(FILE *stream, const struct printf_info *info,
+                                const void *const *args)
+{
+       private_certinfo_t *this = *((private_certinfo_t**)(args[0]));
+       bool utc = TRUE;
+       int written = 0;
+       time_t now;
+       
+       if (info->alt)
+       {
+               utc = *((bool*)args[1]);
+       }
+       
+       if (this == NULL)
+       {
+               return fprintf(stream, "(null)");
+       }
+       
+       now = time(NULL);
+       
+       written += fprintf(stream, "%#T, until %#T, ",
+                                          &this->thisUpdate, utc,
+                                          &this->nextUpdate, utc);
+       if (now > this->nextUpdate)
+       {
+               written += fprintf(stream, "expired (since %V)\n", &now, &this->nextUpdate);
+       }
+       else
+       {
+               written += fprintf(stream, "ok (expires in %V)\n", &now, &this->nextUpdate);
+       }
+       written += fprintf(stream, "    serial:     %#B, %N",
+                                          &this->serialNumber,
+                                          cert_status_names, this->status);
+       return written;
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+       register_printf_function(PRINTF_CERTINFO, print, arginfo_ptr_alt_ptr_int);
+}
+
 /*
  * Described in header.
  */
@@ -214,6 +285,7 @@ certinfo_t *certinfo_create(chunk_t serial)
        this->revocationReason = REASON_UNSPECIFIED;
 
        /* public functions */
+       this->public.compare_serialNumber = (int (*) (const certinfo_t*,const certinfo_t*))compare_serialNumber;
        this->public.equals_serialNumber = (bool (*) (const certinfo_t*,const certinfo_t*))equals_serialNumber;
        this->public.get_serialNumber = (chunk_t (*) (const certinfo_t*))get_serialNumber;
        this->public.set_status = (void (*) (certinfo_t*,cert_status_t))set_status;
@@ -226,6 +298,7 @@ certinfo_t *certinfo_create(chunk_t serial)
        this->public.get_revocationTime = (time_t (*) (const certinfo_t*))get_revocationTime;
        this->public.set_revocationReason = (void (*) (certinfo_t*, crl_reason_t))set_revocationReason;
        this->public.get_revocationReason = (crl_reason_t(*) (const certinfo_t*))get_revocationReason;
+       this->public.update = (void (*) (certinfo_t*, const certinfo_t*))update;
        this->public.destroy = (void (*) (certinfo_t*))destroy;
 
        return &this->public;
index b8be002..476befd 100644 (file)
@@ -74,6 +74,16 @@ struct certinfo_t {
         */
        bool (*equals_serialNumber) (const certinfo_t *this, const certinfo_t *that);
 
+       /**
+        * @brief Compares two serial numbers.
+        * 
+        * @param this                          calling object
+        * @param that                          second certinfo_t object
+        * @return                                      negative if this is smaller than that
+        *                                                      zero if this equals that
+        *                                                      positive if this is greater than that
+        */
+       int (*compare_serialNumber) (const certinfo_t *this, const certinfo_t *that);
 
        /**
         * @brief Get serial number.
@@ -164,6 +174,14 @@ struct certinfo_t {
        crl_reason_t (*get_revocationReason) (const certinfo_t *this);
 
        /**
+        * @brief Set revocationReason.
+        *
+        * @param this                          calling object to be updated
+        * @param that                          object containing updated information
+        */
+       void (*update) (certinfo_t *this, const certinfo_t *that);
+
+       /**
         * @brief Destroys the certinfo_t object.
         * 
         * @param this                  certinfo_t to destroy