Pass an additional anchor flag to validate() hook if we reach the root CA
authorMartin Willi <martin@revosec.ch>
Wed, 22 Dec 2010 09:43:06 +0000 (10:43 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 5 Jan 2011 15:46:04 +0000 (16:46 +0100)
src/libstrongswan/credentials/cert_validator.h
src/libstrongswan/credentials/credential_manager.c
src/libstrongswan/plugins/constraints/constraints_validator.c
src/libstrongswan/plugins/revocation/revocation_validator.c

index 1e67c23..3c1ebc9 100644 (file)
@@ -40,12 +40,13 @@ struct cert_validator_t {
         * @param subject               subject certificate to check
         * @param issuer                issuer of subject
         * @param online                wheter to do online revocation checking
-        * @param pathlen               the current length of the path up to the root CA
+        * @param pathlen               the current length of the path bottom-up
+        * @param anchor                is issuer trusted root anchor
         * @param auth                  container for resulting authentication info
         */
        bool (*validate)(cert_validator_t *this, certificate_t *subject,
                                         certificate_t *issuer, bool online, int pathlen,
-                                        auth_cfg_t *auth);
+                                        bool anchor, auth_cfg_t *auth);
 };
 
 #endif /** CERT_VALIDATOR_H_ @}*/
index c32eb44..3cca0b2 100644 (file)
@@ -452,8 +452,8 @@ static void cache_queue(private_credential_manager_t *this)
  * check a certificate for its lifetime
  */
 static bool check_certificate(private_credential_manager_t *this,
-                                                         certificate_t *subject, certificate_t *issuer,
-                                                         bool online, int pathlen, auth_cfg_t *auth)
+                               certificate_t *subject, certificate_t *issuer, bool online,
+                               int pathlen, bool trusted, auth_cfg_t *auth)
 {
        time_t not_before, not_after;
        cert_validator_t *validator;
@@ -476,7 +476,7 @@ static bool check_certificate(private_credential_manager_t *this,
        while (enumerator->enumerate(enumerator, &validator))
        {
                if (!validator->validate(validator, subject, issuer,
-                                                                online, pathlen, auth))
+                                                                online, pathlen, trusted, auth))
                {
                        enumerator->destroy(enumerator);
                        return FALSE;
@@ -622,7 +622,8 @@ static bool verify_trust_chain(private_credential_manager_t *this,
                                break;
                        }
                }
-               if (!check_certificate(this, current, issuer, online, pathlen, auth))
+               if (!check_certificate(this, current, issuer, online,
+                                                          pathlen, trusted, auth))
                {
                        trusted = FALSE;
                        issuer->destroy(issuer);
index 36a622d..fa04527 100644 (file)
@@ -346,7 +346,8 @@ static bool check_policy(x509_t *subject, x509_t *issuer, int pathlen,
 
 METHOD(cert_validator_t, validate, bool,
        private_constraints_validator_t *this, certificate_t *subject,
-       certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
+       certificate_t *issuer, bool online, int pathlen, bool anchor,
+       auth_cfg_t *auth)
 {
        if (issuer->get_type(issuer) == CERT_X509 &&
                subject->get_type(subject) == CERT_X509)
index 0fe9722..be6d3a9 100644 (file)
@@ -568,7 +568,8 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
 
 METHOD(cert_validator_t, validate, bool,
        private_revocation_validator_t *this, certificate_t *subject,
-       certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
+       certificate_t *issuer, bool online, int pathlen, bool anchor,
+       auth_cfg_t *auth)
 {
        if (subject->get_type(subject) == CERT_X509 &&
                issuer->get_type(issuer) == CERT_X509 &&