implement basic listing of attribute certificates
authorAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 22 May 2008 21:58:22 +0000 (21:58 -0000)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 22 May 2008 21:58:22 +0000 (21:58 -0000)
src/charon/plugins/stroke/stroke_cred.c
src/charon/plugins/stroke/stroke_list.c
src/libstrongswan/plugins/x509/x509_ac.c

index 52140cb..819b3f0 100644 (file)
@@ -157,8 +157,9 @@ static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **ou
        public_key_t *public;
        identification_t *candidate;
        certificate_t *cert = *in;
-       
-       if (cert->get_type(cert) == CERT_X509_CRL)
+       certificate_type_t type = cert->get_type(cert);
+
+       if (type == CERT_X509_CRL || type == CERT_X509_AC)
        {
                return FALSE;
        }
@@ -205,6 +206,26 @@ static bool crl_filter(id_data_t *data, certificate_t **in, certificate_t **out)
 }
 
 /**
+ * filter function for attribute certificate enumerator
+ */
+static bool ac_filter(id_data_t *data, certificate_t **in, certificate_t **out)
+{
+       certificate_t *cert = *in;
+       
+       if (cert->get_type(cert) != CERT_X509_AC)
+       {
+               return FALSE;
+       }
+
+       if (data->id == NULL || cert->has_subject(cert, data->id))
+       {
+               *out = *in;
+               return TRUE;
+       }
+       return FALSE;
+}
+
+/**
  * Implements credential_set_t.create_cert_enumerator
  */
 static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
@@ -213,21 +234,20 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
 {
        id_data_t *data;
        
-       if (cert == CERT_X509_CRL)
+       if (cert == CERT_X509_CRL || cert == CERT_X509_AC)
        {
                if (trusted)
                {
                        return NULL;
                }
-               
                data = malloc_thing(id_data_t);
                data->this = this;
                data->id = id;
                
                this->mutex->lock(this->mutex);
                return enumerator_create_filter(this->certs->create_enumerator(this->certs),
-                                                                               (void*)crl_filter, data,
-                                                                               (void*)id_data_destroy);
+                                       (cert == CERT_X509_CRL)? (void*)crl_filter : (void*)ac_filter,
+                                       data, (void*)id_data_destroy);
        }
        if (cert != CERT_X509 && cert != CERT_ANY)
        {       /* we only have X509 certificates. TODO: ACs? */
@@ -440,6 +460,19 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
 }
 
 /**
+ * Add X.509 attribute certificate to chain
+ */
+static bool add_ac(private_stroke_cred_t *this, ac_t* ac)
+{
+       certificate_t *cert = &ac->certificate;
+
+       this->mutex->lock(this->mutex);
+       this->certs->insert_last(this->certs, cert);
+       this->mutex->unlock(this->mutex);
+       return TRUE;
+}
+
+/**
  * Implementation of stroke_cred_t.load_peer.
  */
 static certificate_t* load_peer(private_stroke_cred_t *this, char *filename)
@@ -525,7 +558,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
                                                                                  BUILD_END);
                                if (cert)
                                {
-                                       cert->destroy(cert);
+                                       add_ac(this, (ac_t*)cert);
                                }
                                break;
                        default:
index 7fde861..be45709 100644 (file)
@@ -25,6 +25,7 @@
 /* warning intervals for list functions */
 #define CERT_WARNING_INTERVAL  30      /* days */
 #define CRL_WARNING_INTERVAL   7       /* days */
+#define AC_WARNING_INTERVAL            1       /* day */
 
 typedef struct private_stroke_list_t private_stroke_list_t;
 
@@ -461,9 +462,45 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 /**
  * list all X.509 attribute certificates
  */
-static void stroke_list_acerts(bool utc, FILE *out)
+static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
 {
+       bool first = TRUE;
+       time_t thisUpdate, nextUpdate, now = time(NULL);
+       enumerator_t *enumerator = list->create_enumerator(list);
+       certificate_t *cert;
 
+       while (enumerator->enumerate(enumerator, (void**)&cert))
+       {
+               if (first)
+               {
+                       fprintf(out, "\n");
+                       fprintf(out, "List of X.509 Attribute Certificates:\n");
+                       first = FALSE;
+               }
+               fprintf(out, "\n");
+
+               fprintf(out, "  holder:   \"%D\"\n", cert->get_subject(cert));
+               fprintf(out, "  issuer:   \"%D\"\n", cert->get_issuer(cert));
+
+               /* list validity */
+               cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
+               fprintf(out, "  updates:   this %#T\n",  &thisUpdate, utc);
+               fprintf(out, "             next %#T, ", &nextUpdate, utc);
+               if (now > nextUpdate)
+               {
+                       fprintf(out, "expired (%#V ago)\n", &now, &nextUpdate);
+               }
+               else
+               {
+                       fprintf(out, "ok");
+                       if (now > nextUpdate - AC_WARNING_INTERVAL * 60 * 60 * 24)
+                       {
+                               fprintf(out, " (expires in %#V)", &now, &nextUpdate);
+                       }
+                       fprintf(out, " \n");
+               }
+       }
+       enumerator->destroy(enumerator);
 }
 
 /**
@@ -596,7 +633,10 @@ static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
        }
        if (msg->list.flags & LIST_ACERTS)
        {
-               stroke_list_acerts(msg->list.utc, out);
+               linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC);
+
+               stroke_list_acerts(ac_list, msg->list.utc, out);
+               ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy)); 
        }
        if (msg->list.flags & LIST_CRLS)
        {
index 3861d71..a4bf039 100644 (file)
@@ -990,13 +990,8 @@ static private_x509_ac_t* build(private_builder_t *this)
 
        free(this);
 
-       if (ac == NULL)
-       {
-               return NULL;
-       }
-
-       /* synthesis if TRUE or analysis if FALSE */
-       if (ac->encoding.ptr == NULL)
+       /* synthesis if encoding does not exist */
+       if (ac && ac->encoding.ptr == NULL)
        {
                if (ac->holderCert && ac->signerCert && ac->signerKey)
                {
@@ -1008,7 +1003,7 @@ static private_x509_ac_t* build(private_builder_t *this)
        }
        else
        {
-               return NULL;
+               return ac;
        }
 }