added support for certificate requests for not yet known CAs
authorMartin Willi <martin@strongswan.org>
Thu, 20 Mar 2008 10:09:56 +0000 (10:09 -0000)
committerMartin Willi <martin@strongswan.org>
Thu, 20 Mar 2008 10:09:56 +0000 (10:09 -0000)
src/charon/credentials/auth_info.c
src/charon/credentials/auth_info.h
src/charon/credentials/credential_manager.c
src/charon/sa/tasks/ike_cert_pre.c

index a0fc4c0..1148473 100644 (file)
@@ -25,6 +25,7 @@
 
 ENUM(auth_item_names, AUTHN_CA_CERT, AUTHZ_AC_GROUP,
        "AUTHN_CA_CERT",
+       "AUTHN_CA_CERT_KEYID",
        "AUTHN_IM_CERT",
        "AUTHN_SUBJECT_CERT",
        "AUTHZ_PUBKEY",
@@ -162,6 +163,7 @@ static void add_item(private_auth_info_t *this, auth_item_t type, void *value)
                        item->value = method;
                        break;
                }
+               case AUTHN_CA_CERT_KEYID:
                case AUTHZ_AC_GROUP:
                {
                        identification_t *id = (identification_t*)value;
@@ -189,6 +191,7 @@ static bool complies(private_auth_info_t *this, auth_info_t *constraints)
        {
                switch (type)
                {
+                       case AUTHN_CA_CERT_KEYID:
                        case AUTHN_CA_CERT:
                        case AUTHN_IM_CERT:
                        case AUTHN_SUBJECT_CERT:
@@ -322,6 +325,7 @@ static void destroy(private_auth_info_t *this)
                                free(item->value);
                                break;
                        }
+                       case AUTHN_CA_CERT_KEYID:
                        case AUTHZ_AC_GROUP:
                        {
                                identification_t *id = (identification_t*)item->value;
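Review bot: In complies() the new `case AUTHN_CA_CERT_KEYID:` is grouped with the certificate cases (AUTHN_CA_CERT, AUTHN_IM_CERT, AUTHN_SUBJECT_CERT), whereas add_item() and destroy() in the same file group it with AUTHZ_AC_GROUP and read the value as identification_t*. The body shared by those certificate cases lies outside the hunk; if it ever casts `value` to certificate_t*, the key-id item would be treated as a certificate, so confirm that body only skips or ignores these item types. A one-line comment at the case, `/* AUTHN_CA_CERT_KEYID carries an identification_t*, not a certificate_t* */`, would make the grouping deliberate for the next reader. complies() begins before the hunk.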
index f8ba29d..15cae4f 100644 (file)
@@ -61,6 +61,8 @@ enum auth_item_t {
        
        /** CA certificate to use for authentication, value is certificate_t* */
        AUTHN_CA_CERT,
+       /** Keyid of a CA certificate to use, value is identification_t* */
+       AUTHN_CA_CERT_KEYID,
        /** intermediate certificate, value is certificate_t* */
        AUTHN_IM_CERT,
        /** certificate for trustchain verification, value is certificate_t* */
index 98d965f..47c4376 100644 (file)
@@ -1064,6 +1064,25 @@ static bool auth_contains_cacert(auth_info_t *auth, certificate_t *cert)
                        found = TRUE;
                        break;
                }
+               if (type == AUTHN_CA_CERT_KEYID)
+               {
+                       public_key_t *public;
+                       identification_t *certid, *keyid;
+                       
+                       public = cert->get_public_key(cert);
+                       if (public)
+                       {
+                               keyid = (identification_t*)value;
+                               certid = public->get_id(public, keyid->get_type(keyid));
+                               if (certid && certid->equals(certid, keyid))
+                               {
+                                       public->destroy(public);
+                                       found = TRUE;
+                                       break;
+                               }
+                               public->destroy(public);
+                       }
+               }
        }
        enumerator->destroy(enumerator);
        return found;
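Review bot: The new AUTHN_CA_CERT_KEYID branch in auth_contains_cacert() calls `public->destroy(public)` on two paths (once before the `break`, once after the inner `if`), which is easy to unbalance in later edits; computing the match first and destroying once removes the duplication. The key id compared here is the one the peer sent in its CERTREQ payload (stored via add_item in ike_cert_pre.c), so a match only says the certificate's key id equals what the peer asked for; as far as this hunk shows it does not establish that the certificate is a trusted CA, and callers should keep relying on the normal trust-chain validation for that. auth_contains_cacert() starts outside the hunk.
```c
		if (type == AUTHN_CA_CERT_KEYID)
		{
			public_key_t *public = cert->get_public_key(cert);

			if (public)
			{
				identification_t *keyid = (identification_t*)value;
				identification_t *certid = public->get_id(public, keyid->get_type(keyid));
				/* keyid is peer-supplied; equality here is a selection, not a trust decision */
				bool match = certid && certid->equals(certid, keyid);

				public->destroy(public);
				if (match)
				{
					found = TRUE;
					break;
				}
			}
		}
		/* … unchanged: enumerator cleanup and return … */
```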
index 752f94c..d7f7a40 100644 (file)
@@ -94,17 +94,18 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
                                        cert->destroy(cert);
                                        ca_found = TRUE;
                                }
+                               else
+                               {
+                                       DBG1(DBG_IKE, "received cert request of unknown cert "
+                                                "\"%D\"", id);
+                                       auth->add_item(auth, AUTHN_CA_CERT_KEYID, id);
+                               }
                                id->destroy(id);
                        }
                        enumerator->destroy(enumerator);
                }
        }
        iterator->destroy(iterator);
-       
-       if (this->ike_sa->has_condition(this->ike_sa, COND_CERTREQ_SEEN) && !ca_found)
-       {
-               DBG1(DBG_IKE, "received cert request, but no such CA cert found");
-       }
 }
 
 /**
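Review bot: `auth->add_item(auth, AUTHN_CA_CERT_KEYID, id);` is immediately followed by the pre-existing `id->destroy(id);`, so the stored item is only valid if add_item() clones the identification rather than keeping the pointer; the add_item() hunk in auth_info.c is cut before that is visible, and destroy() there frees the stored id, which suggests a clone, but confirm it or the key id dangles. With the trailing check removed, `ca_found = TRUE;` is still written but nothing in the hunk reads `ca_found` any more; if no other reader remains in process_certreqs(), drop the variable rather than leave a write-only flag. The number of unknown key ids taken from one CERTREQ payload is not bounded here, and each adds an item to auth and a DBG1 line, so a cap or a single summary log line would keep peer input from growing either without limit. process_certreqs() begins before the hunk.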