enforcing x509_flags on certificate construction
authorMartin Willi <martin@strongswan.org>
Mon, 17 Mar 2008 08:06:49 +0000 (08:06 -0000)
committerMartin Willi <martin@strongswan.org>
Mon, 17 Mar 2008 08:06:49 +0000 (08:06 -0000)
src/charon/plugins/stroke/stroke.c
src/libstrongswan/credentials/builder.c
src/libstrongswan/credentials/builder.h
src/libstrongswan/credentials/credential_factory.c
src/libstrongswan/plugins/x509/x509_cert.c

index 920533d..cfea918 100755 (executable)
@@ -710,9 +710,9 @@ static x509_t* load_cert(char *path, x509_flag_t flag)
 {
        bool pgp = FALSE;
        chunk_t chunk;
-       x509_flag_t flags;
        x509_t *x509;
        certificate_t *cert;
+       time_t notBefore, notAfter, now;
        
        if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
        {
@@ -721,40 +721,29 @@ static x509_t* load_cert(char *path, x509_flag_t flag)
        }
        x509 = (x509_t*)lib->creds->create(lib->creds,
                                                                           CRED_CERTIFICATE, CERT_X509,
-                                                                          BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+                                                                          BUILD_BLOB_ASN1_DER, chunk,
+                                                                          BUILD_X509_FLAG, flag,
+                                                                          BUILD_END);
        if (x509 == NULL)
        {
                DBG1(DBG_CFG, "  could not load certificate file '%s'", path);
                return NULL;
        }
        DBG1(DBG_CFG, "  loaded certificate file '%s'", path);
-
+       
+       /* check validity */
        cert = &x509->interface;
-       flags = x509->get_flags(x509);
-
-       /* check basicConstraints */
-       if ((flag & X509_CA)  && !(flags & X509_CA))
+       now = time(NULL);
+       cert->get_validity(cert, &now, &notBefore, &notAfter);
+       if (now > notAfter)
        {
-               DBG1(DBG_CFG, "  isCA basicConstraint is not set, certificate discarded");
+               DBG1(DBG_CFG, "  certificate expired at %T, discarded", &notAfter);
                cert->destroy(cert);
                return NULL;
        }
-               
-       /* check validity */
+       if (now < notBefore)
        {
-               time_t notBefore, notAfter, now = time(NULL);
-
-               cert->get_validity(cert, &now, &notBefore, &notAfter);
-               if (now > notAfter)
-               {
-                       DBG1(DBG_CFG, "  certificate expired at %T, discarded", &notAfter);
-                       cert->destroy(cert);
-                       return NULL;
-               }
-               if (now < notBefore)
-               {
-                       DBG1(DBG_CFG, "  certificate not valid before %T", &notBefore);
-               }
+               DBG1(DBG_CFG, "  certificate not valid before %T", &notBefore);
        }
        return x509;
 }
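Review bot: The basicConstraints consistency check removed from load_cert is not replaced by an equivalent one anywhere in this commit: the flag now travels through BUILD_X509_FLAG into the x509 builder, where build() ORs it into the parsed flags, so a file configured as a CA certificate that does not actually carry the isCA basicConstraint is silently accepted as a CA instead of being discarded as before. Querying x509->get_flags() after construction cannot detect this any more, because the enforced bit is already set by then; the only place the discrepancy is still visible is inside the builder, before the OR, where a debug line such as `DBG1("enforcing flags %x not present in certificate", this->flags & ~cert->flags)` would at least make the override auditable. If the override is intentional for administrator-supplied files, a comment above the BUILD_X509_FLAG argument saying that the flag is enforced rather than verified would stop the next reader from assuming the old check still exists.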
index c4c3ba1..a2985ef 100644 (file)
@@ -27,5 +27,6 @@ ENUM(builder_part_names, BUILD_BLOB_ASN1_DER, BUILD_END,
        "BUILD_ISSUER_ALTNAME",
        "BUILD_CA_CERT",
        "BUILD_CERT",
+       "BUILD_X509_FLAG",
        "BUILD_END",
 );
index 14c3d24..fd1cc69 100644 (file)
@@ -58,8 +58,10 @@ enum builder_part_t {
        BUILD_ISSUER_ALTNAME,
        /** a CA certificate, certificate_t* */
        BUILD_CA_CERT,
-       /** a certificcate, certificate_t* */
+       /** a certificate, certificate_t* */
        BUILD_CERT,
+       /** enforce an additional X509 flag, x509_flag_t */
+       BUILD_X509_FLAG,
        /** end of variable argument builder list */
        BUILD_END,
 };
index ab99a42..6358293 100644 (file)
@@ -20,6 +20,7 @@
 #include <debug.h>
 #include <utils/linked_list.h>
 #include <utils/mutex.h>
+#include <credentials/certificates/x509.h>
 
 typedef struct private_credential_factory_t private_credential_factory_t;
 
@@ -147,6 +148,9 @@ static void* create(private_credential_factory_t *this, credential_type_t type,
                                case BUILD_BLOB_ASN1_DER:
                                        builder->add(builder, part, va_arg(args, chunk_t));
                                        continue;
+                               case BUILD_X509_FLAG:
+                                       builder->add(builder, part, va_arg(args, x509_flag_t));
+                                       continue;
                                case BUILD_KEY_SIZE:
                                        builder->add(builder, part, va_arg(args, u_int));
                                        continue;
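Review bot: `va_arg(args, x509_flag_t)` on the added BUILD_X509_FLAG case retrieves a variadic argument with an enum type, which is only well-defined when the enum's compatible integer type is exactly what the caller's argument promoted to; on the usual ABIs x509_flag_t is int-sized and this works, but under -fshort-enums or an enum the compiler types as unsigned it is undefined behaviour, and the same pattern is repeated in x509_cert.c's add(). The portable form is to fetch the promoted type and convert: `builder->add(builder, part, (x509_flag_t)va_arg(args, int));`. The enclosing create() function starts and ends outside this hunk.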
@@ -164,7 +168,7 @@ static void* create(private_credential_factory_t *this, credential_type_t type,
                                default:
                                        DBG1("builder part %N not supported by factory",
                                                 builder_part_names, part);
-                                       continue;
+                                       break;
                        }
                        break;
                }
@@ -219,6 +223,7 @@ static void* create(private_credential_factory_t *this, credential_type_t type,
                                continue;
                        }
                        case BUILD_KEY_SIZE:
+                       case BUILD_X509_FLAG:
                                continue;
                        default:
                                DBG1("builder part %N not supported by factory",
index a044c60..e85076d 100644 (file)
@@ -1143,7 +1143,7 @@ static void destroy(private_x509_cert_t *this)
 /**
  * load x509 certificate from a chunk
  */
-static x509_cert_t *load(chunk_t chunk)
+static private_x509_cert_t *load(chunk_t chunk)
 {
        private_x509_cert_t *this = malloc_thing(private_x509_cert_t);
        
@@ -1188,7 +1188,7 @@ static x509_cert_t *load(chunk_t chunk)
        {
                this->flags |= X509_SELF_SIGNED;
        }
-       return &this->public;
+       return this;
 }
 
 typedef struct private_builder_t private_builder_t;
@@ -1199,7 +1199,9 @@ struct private_builder_t {
        /** implements the builder interface */
        builder_t public;
        /** loaded certificate */
-       x509_cert_t *cert;
+       private_x509_cert_t *cert;
+       /** additional flags to enforce */
+       x509_flag_t flags;
 };
 
 /**
@@ -1207,10 +1209,12 @@ struct private_builder_t {
  */
 static x509_cert_t *build(private_builder_t *this)
 {
-       x509_cert_t *cert = this->cert;
+       private_x509_cert_t *cert;
        
+       cert = this->cert;
+       cert->flags |= this->flags;
        free(this);
-       return cert;
+       return &cert->public;
 }
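Review bot: build() now dereferences this->cert unconditionally at `cert->flags |= this->flags;`, but this->cert is NULL when no BUILD_BLOB_ASN1_DER part was ever supplied (x509_cert_builder initialises it to NULL), and presumably also when load() rejects a malformed blob, given that the stroke caller checks the result for NULL; the old code passed the NULL straight through, so this is a new NULL dereference on the error path. Guarding both uses keeps the previous contract: `if (cert) { cert->flags |= this->flags; }` before the free and `return cert ? &cert->public : NULL;` in place of the unconditional return.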
 
 /**
@@ -1220,25 +1224,28 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 {
        va_list args;
        
-       if (this->cert)
-       {
-               DBG1("ignoring surplus build part %N", builder_part_names, part);
-               return;
-       }
-       
+       va_start(args, part);
        switch (part)
        {
                case BUILD_BLOB_ASN1_DER:
                {
-                       va_start(args, part);
+                       if (this->cert)
+                       {
+                               destroy(this->cert);
+                       }
                        this->cert = load(va_arg(args, chunk_t));
-                       va_end(args);
+                       break;
+               }
+               case BUILD_X509_FLAG:
+               {
+                       this->flags = va_arg(args, x509_flag_t);
                        break;
                }
                default:
                        DBG1("ignoring unsupported build part %N", builder_part_names, part);
                        break;
        }
+       va_end(args);
 }
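Review bot: `this->flags = va_arg(args, x509_flag_t);` in the BUILD_X509_FLAG case replaces any flag set by an earlier BUILD_X509_FLAG part, while the struct field is documented as "additional flags to enforce" and the enum as enforcing "an additional X509 flag"; if several parts are meant to combine, this should be `this->flags |= va_arg(args, x509_flag_t);`, otherwise the field comment should say that only the last flag part is honoured. Separately, a second BUILD_BLOB_ASN1_DER part now silently destroys and replaces the earlier certificate where the old code logged "ignoring surplus build part", so a debug line in that branch would preserve the diagnostic.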
 
 /**
@@ -1256,6 +1263,7 @@ builder_t *x509_cert_builder(certificate_type_t type)
        this = malloc_thing(private_builder_t);
        
        this->cert = NULL;
+       this->flags = 0;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;