moved very stroke specific x509 flag handling out of core library
authorMartin Willi <martin@strongswan.org>
Fri, 15 May 2009 16:15:55 +0000 (18:15 +0200)
committerMartin Willi <martin@strongswan.org>
Mon, 18 May 2009 08:42:16 +0000 (10:42 +0200)
src/charon/plugins/stroke/stroke_cred.c
src/libstrongswan/plugins/x509/x509_cert.c

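--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -380,10 +380,18 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
        cert = lib->creds->create(lib->creds,
                                                          CRED_CERTIFICATE, CERT_X509,
                                                          BUILD_FROM_FILE, path,
-                                                         BUILD_X509_FLAG, X509_CA,
                                                          BUILD_END);
        if (cert)
        {
+               x509_t *x509 = (x509_t*)cert;
+               
+               if (!(x509->get_flags(x509) & X509_CA))
+               {
+                       cert->destroy(cert);
+                       DBG1(DBG_CFG, "  ca certificate must have ca basic constraint set, "
+                                "discarded");
+                       return NULL;
+               }
                return (certificate_t*)add_cert(this, cert);
        }
        return NULL;
@@ -522,11 +530,32 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
                switch (type)
                {
                        case CERT_X509:
-                               cert = lib->creds->create(lib->creds,
-                                                                                 CRED_CERTIFICATE, CERT_X509,
-                                                                                 BUILD_FROM_FILE, file,
-                                                                                 BUILD_X509_FLAG, flag,
-                                                                                 BUILD_END);
+                               if (flag & X509_CA)
+                               {       /* for CA certificates, we strictly require CA
+                                        * basicconstraints to be set */
+                                       cert = lib->creds->create(lib->creds,
+                                                                               CRED_CERTIFICATE, CERT_X509,
+                                                                               BUILD_FROM_FILE, file, BUILD_END);
+                                       if (cert)
+                                       {
+                                               x509_t *x509 = (x509_t*)cert;
+                                               
+                                               if (!(x509->get_flags(x509) & X509_CA))
+                                               {
+                                                       DBG1(DBG_CFG, "  ca certificate must have ca "
+                                                                "basic constraint set, discarded");
+                                                       cert->destroy(cert);
+                                                       cert = NULL;
+                                               }
+                                       }
+                               }
+                               else
+                               {       /* for all other flags, we add them to the certificate. */
+                                       cert = lib->creds->create(lib->creds,
+                                                                               CRED_CERTIFICATE, CERT_X509,
+                                                                               BUILD_FROM_FILE, file,
+                                                                               BUILD_X509_FLAG, flag, BUILD_END);
+                               }
                                if (cert)
                                {
                                        add_cert(this, cert);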
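Review bot: The CA basicConstraints check is now duplicated verbatim in load_ca (first hunk) and in the `if (flag & X509_CA)` branch of load_certdir (this hunk), differing only in the order of the DBG1 and destroy calls, so the two trust decisions can drift apart independently; a single static helper keeps one place to audit. Both functions begin outside their hunks and load_certdir also ends outside it. The helper below takes the freshly created certificate and returns it unchanged, or destroys it and returns NULL when X509_CA is missing, so load_certdir's branch collapses to `cert = require_ca_flag(lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, file, BUILD_END));` and load_ca's `if (cert)` body to `cert = require_ca_flag(cert);` followed by the existing add_cert when non-NULL. The cast to x509_t relies on the builder returning an x509 object for CERT_X509, which both hunks already assume.
```c
/* Enforce the CA basicConstraints requirement on a certificate loaded as CA.
 * Returns cert unchanged when X509_CA is set; otherwise destroys it, logs the
 * rejection and returns NULL. A NULL cert is passed through. */
static certificate_t *require_ca_flag(certificate_t *cert)
{
	x509_t *x509 = (x509_t*)cert;

	if (cert && !(x509->get_flags(x509) & X509_CA))
	{
		DBG1(DBG_CFG, "  ca certificate must have ca basic constraint set, "
			 "discarded");
		cert->destroy(cert);
		return NULL;
	}
	return cert;
}
/* … unchanged: load_ca and load_certdir call sites use require_ca_flag() … */
```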
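--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1350,33 +1350,22 @@ static bool generate(private_builder_t *this)
 static private_x509_cert_t *build(private_builder_t *this)
 {
        private_x509_cert_t *cert;
-       x509_flag_t flags;
        
-       if (this->cert && !this->cert->encoding.ptr)
+       if (this->cert)
        {
-               if (!this->sign_key || !this->cert ||
-                       !generate(this))
-               {
-                       destroy(this->cert);
-                       free(this);
-                       return NULL;
+               this->cert->flags |= this->flags;
+               if (!this->cert->encoding.ptr)
+               {       /* generate a new certificate */
+                       if (!this->sign_key || !generate(this))
+                       {
+                               destroy(this->cert);
+                               free(this);
+                               return NULL;
+                       }
                }
        }
        cert = this->cert;
-       flags =  this->flags;
        free(this);
-       if (cert == NULL)
-       {
-               return NULL;
-       }
-       
-       if ((flags & X509_CA) && !(cert->flags & X509_CA))
-       {
-               DBG1("  ca certificate must have ca basic constraint set, discarded");
-               destroy(cert);
-               return NULL;
-       }
-       cert->flags |= flags;
        return cert;
 }
 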
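Review bot: The new `this->cert->flags |= this->flags;` applies caller-supplied flags to a parsed certificate with no check, so the requirement that the removed block enforced (a cert requested as CA must carry the CA basicConstraints) now rests entirely on the caller, and any other user of this builder passing `BUILD_X509_FLAG, X509_CA` will silently mark a non-CA certificate as CA. That shift of responsibility deserves a comment at that line, e.g. `/* flags are trusted as given by the builder's caller; loaders that treat a cert as CA must check X509_CA via get_flags() themselves */`. The flags are also merged before generate() runs, whereas the old code merged them only after the certificate existed; if generate() reads cert->flags when encoding extensions, generated certificates now differ, which appears intended but is not stated, so the `generate a new certificate` comment could say so.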