Added generic implementations for crl_is_newer/certificate_is_newer
authorMartin Willi <martin@revosec.ch>
Fri, 21 May 2010 07:48:23 +0000 (09:48 +0200)
committerMartin Willi <martin@revosec.ch>
Fri, 21 May 2010 14:25:51 +0000 (16:25 +0200)
src/libcharon/credentials/credential_manager.c
src/libcharon/plugins/stroke/stroke_cred.c
src/libstrongswan/credentials/certificates/certificate.c
src/libstrongswan/credentials/certificates/certificate.h
src/libstrongswan/credentials/certificates/crl.c
src/libstrongswan/credentials/certificates/crl.h
src/pluto/ac.c
src/pluto/crl.c

index adea0b4..f84c88b 100644 (file)
@@ -591,7 +591,7 @@ static certificate_t *get_better_ocsp(private_credential_manager_t *this,
        }
 
        /* select the better of the two responses */
-       if (best == NULL || cand->is_newer(cand, best))
+       if (best == NULL || certificate_is_newer(cand, best))
        {
                DESTROY_IF(best);
                best = cand;
@@ -812,7 +812,7 @@ static certificate_t *get_better_crl(private_credential_manager_t *this,
        enumerator->destroy(enumerator);
 
        /* select the better of the two CRLs */
-       if (best == NULL || cand->is_newer(cand, best))
+       if (best == NULL || crl_is_newer(crl, (crl_t*)best))
        {
                DESTROY_IF(best);
                best = cand;
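Review bot: The `(crl_t*)best` cast on the new line is unchecked: it assumes `best` is a CERT_X509_CRL whose struct begins with the embedded certificate_t, and `crl_is_newer` immediately dereferences `other->get_serial` through that pointer, so a non-CRL in `best` would be a type confusion rather than a simple wrong answer. `crl` is presumably the casted `cand` from earlier in get_better_crl, which starts outside this hunk, so I cannot confirm both sides are established the same way. Either guard it, `if (best == NULL || (best->get_type(best) == CERT_X509_CRL && crl_is_newer(crl, (crl_t*)best)))`, or state the invariant above the line: `/* cand and best are both CERT_X509_CRL here, so the crl_t cast is safe */`.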
@@ -959,7 +959,7 @@ static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
 
        if (!subject_constraint && !issuer_constraint)
        {
-               return TRUE;            
+               return TRUE;
        }
        if (!subject_constraint)
        {
@@ -969,7 +969,7 @@ static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
        if (!issuer_constraint)
        {
                DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
-               return FALSE;           
+               return FALSE;
        }
        subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
        while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
@@ -996,7 +996,7 @@ static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
                }
        }
        subject_enumerator->destroy(subject_enumerator);
-       return contained;       
+       return contained;
 }
 
 /**
index e0a5210..68703d1 100644 (file)
@@ -378,7 +378,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
                        }
                        if (found)
                        {
-                               new = cert->is_newer(cert, current);
+                               new = crl_is_newer(crl, crl_c);
                                if (new)
                                {
                                        this->certs->remove_at(this->certs, enumerator);
index 156d123..661b69e 100644 (file)
@@ -15,6 +15,7 @@
 
 #include "certificate.h"
 
+#include <debug.h>
 #include <credentials/certificates/x509.h>
 
 ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL,
@@ -40,3 +41,24 @@ ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED,
        "REVOKED",
 );
 
+/**
+ * See header
+ */
+bool certificate_is_newer(certificate_t *this, certificate_t *other)
+{
+       time_t this_update, that_update;
+       char *type = "certificate";
+       bool newer;
+
+       if (this->get_type(this) == CERT_X509_CRL)
+       {
+               type = "crl";
+       }
+       this->get_validity(this, NULL, &this_update, NULL);
+       other->get_validity(other, NULL, &that_update, NULL);
+       newer = this_update > that_update;
+       DBG1(DBG_LIB, "  %s from %T is %s - existing %s from %T %s",
+                type, &this_update, FALSE, newer ? "newer" : "not newer",
+                type, &that_update, FALSE, newer ? "replaced" : "retained");
+       return newer;
+}
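Review bot: The comparison on `newer = this_update > that_update;` is strict, so two certificates or CRLs with identical notBefore/thisUpdate are reported "not newer" and callers keep the existing one; neither this function nor the declaration added in certificate.h (the `@return` line of that hunk) says so. Suggested wording for the header: `@return TRUE if this has a strictly later notBefore/thisUpdate than other; equal timestamps are not newer`. The `type` label is taken from `this` only, which is fine as long as every caller compares like with like, but a one-line comment saying so would help; the `get_validity` return values are deliberately ignored here since only the timestamps matter, and that is worth a comment too.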
index a4f9aa3..e82fed1 100644 (file)
@@ -197,4 +197,13 @@ struct certificate_t {
        void (*destroy)(certificate_t *this);
 };
 
+/**
+ * Generic check if a given certificate is newer than another.
+ *
+ * @param this                 first certificate to check
+ * @param other                        second certificate
+ * @return                             TRUE if this newer than other
+ */
+bool certificate_is_newer(certificate_t *this, certificate_t *other);
+
 #endif /** CERTIFICATE_H_ @}*/
index 085ad16..69bd80b 100644 (file)
@@ -16,6 +16,8 @@
 
 #include "crl.h"
 
+#include <debug.h>
+
 ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
        "unspecified",
        "key compromise",
@@ -27,3 +29,29 @@ ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
        "reason #7",
        "remove from crl",
 );
+
+/**
+ * Check if this CRL is newer
+ */
+bool crl_is_newer(crl_t *this, crl_t *other)
+{
+       chunk_t this_num, other_num;
+       bool newer;
+
+       this_num = this->get_serial(this);
+       other_num = other->get_serial(other);
+
+       /* compare crlNumbers if available - otherwise use generic cert compare */
+       if (this_num.ptr != NULL && other_num.ptr != NULL)
+       {
+               newer = chunk_compare(this_num, other_num) > 0;
+               DBG1(DBG_LIB, "  crl #%#B is %s - existing crl #%#B %s",
+                        &this_num, newer ? "newer" : "not newer",
+                        &other_num, newer ? "replaced" : "retained");
+       }
+       else
+       {
+               newer = certificate_is_newer(&this->certificate, &other->certificate);
+       }
+       return newer;
+}
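Review bot: `chunk_compare(this_num, other_num) > 0` treats the two serial chunks as big-endian unsigned integers, which only holds if both are minimally encoded; if chunk_compare orders by length before content, as its use here implies, a crlNumber carrying a redundant leading zero octet would compare as newer than any shorter value, and this result decides which CRL revocation checking trusts. If `get_serial` can return the raw DER content octets (not visible here), normalise before comparing: `while (this_num.len > 1 && this_num.ptr[0] == 0) { this_num.ptr++; this_num.len--; }` and the same for `other_num`. The declaration in crl.h (the `@return` line of that hunk) should also say that crlNumber is compared first and validity times only as a fallback, which is what the else branch here does.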
index 4b61239..9425311 100644 (file)
@@ -80,7 +80,15 @@ struct crl_t {
         * @return                      enumerator over revoked certificates.
         */
        enumerator_t* (*create_enumerator)(crl_t *this);
-
 };
 
+/**
+ * Generic check if a given CRL is newer than another.
+ *
+ * @param this                 first CRL to check
+ * @param other                        second CRL
+ * @return                             TRUE if this newer than other
+ */
+bool crl_is_newer(crl_t *this, crl_t *other);
+
 #endif /** CRL_H_ @}*/
index 3ee05d2..3339d91 100644 (file)
@@ -141,7 +141,7 @@ static void ac_add_cert(certificate_t *cert)
                if (hIssuer->equals(hIssuer, ac_old->get_holderIssuer(ac_old)) &&
                           chunk_equals(hSerial, ac_old->get_holderSerial(ac_old)))
                {
-                       if (cert->is_newer(cert, cert_old))
+                       if (certificate_is_newer(cert, cert_old))
                        {
                                acerts->remove_at(acerts, enumerator);
                                cert_old->destroy(cert_old);
index 84fe775..b28c7be 100644 (file)
@@ -159,7 +159,7 @@ bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl)
        {
                certificate_t *old_cert_crl = oldcrl->crl;
 
-               if (cert_crl->is_newer(cert_crl, old_cert_crl))
+               if (crl_is_newer(x509crl->crl, oldcrl->crl))
                {
                        /* keep any known CRL distribution points */
                        add_distribution_points(x509crl->distributionPoints,
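Review bot: `crl_is_newer(x509crl->crl, oldcrl->crl)` passes `certificate_t*` arguments to `crl_t*` parameters: `certificate_t *old_cert_crl = oldcrl->crl;` two lines above shows the field type, and the check_crls hunk below casts the same field with `(crl_t*)cert_crl` before using it as a crl_t. The call should be `if (crl_is_newer((crl_t*)x509crl->crl, (crl_t*)oldcrl->crl))`, and `old_cert_crl`, whose only use was the removed line, is now an unused local and can be deleted. insert_crl continues outside this hunk.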
@@ -313,7 +313,7 @@ void check_crls(void)
                certificate_t *cert_crl = x509crl->crl;
                crl_t *crl = (crl_t*)cert_crl;
                identification_t *issuer = cert_crl->get_issuer(cert_crl);
-               chunk_t authKeyID = crl->get_authKeyIdentifier(crl);            
+               chunk_t authKeyID = crl->get_authKeyIdentifier(crl);
 
                cert_crl->get_validity(cert_crl, &now, NULL, &nextUpdate);
                time_left = nextUpdate - now;
@@ -353,7 +353,7 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate,
        char *point;
 
        ca = get_ca_info(issuer, authKeyID);
-       
+
        *revocationDate = UNDEFINED_TIME;
        *revocationReason = CRL_REASON_UNSPECIFIED;