Provide CRLs received in CERT payloads to trustchain verification
authorMartin Willi <martin@revosec.ch>
Thu, 23 Dec 2010 11:18:15 +0000 (12:18 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 5 Jan 2011 15:46:06 +0000 (16:46 +0100)
src/libcharon/encoding/payloads/cert_payload.c
src/libcharon/sa/tasks/ike_cert_pre.c

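--- a/src/libcharon/encoding/payloads/cert_payload.c
+++ b/src/libcharon/encoding/payloads/cert_payload.c
@@ -206,13 +206,21 @@ METHOD(cert_payload_t, get_cert_encoding, cert_encoding_t,
 METHOD(cert_payload_t, get_cert, certificate_t*,
        private_cert_payload_t *this)
 {
-       if (this->encoding != ENC_X509_SIGNATURE)
+       int type;
+
+       switch (this->encoding)
        {
-               return NULL;
+               case ENC_X509_SIGNATURE:
+                       type = CERT_X509;
+                       break;
+               case ENC_CRL:
+                       type = CERT_X509_CRL;
+                       break;
+               default:
+                       return NULL;
        }
-       return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-                                                         BUILD_BLOB_ASN1_DER, this->data,
-                                                         BUILD_END);
+       return lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
+                                                         BUILD_BLOB_ASN1_DER, this->data, BUILD_END);
 }
 
 METHOD(cert_payload_t, get_hash, chunk_t,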
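Review bot: get_cert() now returns a CRL object for ENC_CRL payloads, so any caller that previously assumed a non-NULL result is an end-entity or CA certificate must now check cert->get_type() before treating it as one; the method's contract in cert_payload.h (outside this hunk) should state that, e.g. `Returns a CERT_X509 certificate for ENC_X509_SIGNATURE, a CERT_X509_CRL for ENC_CRL, NULL for any other encoding; callers must check get_type().` As a point of style, `int type;` could be declared as `certificate_type_t type;` so the switch's assignments are type-checked against the enum rather than going through int. The parsed object is still built directly from the peer-supplied DER blob, as before; nothing here validates it, which presumably remains the job of the trustchain verification the commit title refers to.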
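--- a/src/libcharon/sa/tasks/ike_cert_pre.c
+++ b/src/libcharon/sa/tasks/ike_cert_pre.c
@@ -253,11 +253,19 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
                                        }
                                        break;
                                }
+                               case ENC_CRL:
+                                       cert = cert_payload->get_cert(cert_payload);
+                                       if (cert)
+                                       {
+                                               DBG1(DBG_IKE, "received CRL \"%Y\"",
+                                                        cert->get_subject(cert));
+                                               auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert);
+                                       }
+                                       break;
                                case ENC_PKCS7_WRAPPED_X509:
                                case ENC_PGP:
                                case ENC_DNS_SIGNED_KEY:
                                case ENC_KERBEROS_TOKEN:
-                               case ENC_CRL:
                                case ENC_ARL:
                                case ENC_SPKI:
                                case ENC_X509_ATTRIBUTE: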
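Review bot: The new ENC_CRL case adds a CRL parsed from an unauthenticated peer payload to the auth config as AUTH_HELPER_REVOCATION_CERT without any check of its own, so the code that later consults these helpers must verify the CRL's signature against the trusted issuer before honouring (or ignoring) its revocation entries; a comment at the `auth->add(...)` line making that dependency explicit would help, e.g. `/* peer-supplied, unverified here: the revocation check must validate the CRL signature before using it */`. Whether the helper is in fact signature-checked at lookup time cannot be seen from this hunk. The log line prints `cert->get_subject(cert)` for a CRL; if the CRL implementation exposes its issuer through get_subject() that reads correctly, otherwise the message would be clearer with the issuer. The enclosing switch and the process_certs function both start and end outside the hunk.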