support of ocsp signing certificates
authorAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 8 Mar 2007 16:47:18 +0000 (16:47 -0000)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 8 Mar 2007 16:47:18 +0000 (16:47 -0000)
src/charon/daemon.c
src/charon/daemon.h
src/charon/encoding/payloads/certreq_payload.c
src/charon/threads/stroke_interface.c

index 1e6e18b..e2f079d 100644 (file)
@@ -275,6 +275,7 @@ static void initialize(private_daemon_t *this, bool strict, bool syslog,
        /* load secrets, ca certificates and crls */
        credentials = this->public.credentials;
        credentials->load_ca_certificates(credentials);
+       credentials->load_ocsp_certificates(credentials);
        credentials->load_crls(credentials);
        credentials->load_secrets(credentials);
        
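Review bot: The comment `/* load secrets, ca certificates and crls */` at the top of this hunk no longer describes the call sequence, which now also loads OCSP signing certificates through `load_ocsp_certificates()`; change it to `/* load secrets, ca and ocsp certificates and crls */`. The new call is placed after the CA certificates and before the CRLs, presumably so that OCSP signer certificates can be validated against the already-loaded CA set; if that is the intent it is worth stating in the comment, since the ordering is otherwise easy to break. initialize() continues outside the hunk.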
index 3010f89..720fbde 100644 (file)
@@ -276,6 +276,13 @@ typedef struct daemon_t daemon_t;
 #define CA_CERTIFICATE_DIR IPSEC_D_DIR "/cacerts"
 
 /**
+ * Default directory for OCSP signing certificates
+ * 
+ * @ingroup charon
+ */
+#define OCSP_CERTIFICATE_DIR IPSEC_D_DIR "/ocspcerts"
+
+/**
  * Default directory for CRLs
  * 
  * @ingroup charon
index fcddcf9..ea465fd 100644 (file)
@@ -26,6 +26,7 @@
 
 #include <daemon.h>
 #include <crypto/hashers/hasher.h>
+#include <crypto/ca.h>
 
 #include "certreq_payload.h"
 
@@ -300,9 +301,9 @@ certreq_payload_t *certreq_payload_create_from_cacerts(void)
        certreq_payload_t *this;
        chunk_t keyids;
        u_char *pos;
-       x509_t *cacert;
+       ca_info_t *cainfo;
 
-       iterator_t *iterator = charon->credentials->create_cacert_iterator(charon->credentials);
+       iterator_t *iterator = charon->credentials->create_cainfo_iterator(charon->credentials);
        int count = iterator->get_count(iterator);
 
        if (count == 0)
@@ -315,10 +316,10 @@ certreq_payload_t *certreq_payload_create_from_cacerts(void)
        keyids = chunk_alloc(count * HASH_SIZE_SHA1);
        pos = keyids.ptr;
 
-       while (iterator->iterate(iterator, (void**)&cacert))
+       while (iterator->iterate(iterator, (void**)&cainfo))
        {
-               rsa_public_key_t *pubkey = cacert->get_public_key(cacert);
-               chunk_t keyid = pubkey->get_keyid(pubkey);
+               x509_t *cacert = cainfo->get_certificate(cainfo);
+               chunk_t keyid = cacert->get_keyid(cacert);
 
                DBG2(DBG_IKE, "requesting certificate issued by '%D'", cacert->get_subject(cacert));
                DBG2(DBG_IKE, "  with keyid %#B", &keyid);
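Review bot: The certificate returned by `cainfo->get_certificate(cainfo)` is dereferenced unconditionally on the next line through `cacert->get_keyid(cacert)`; if a ca_info_t can exist without a certificate (the hunk does not show how entries are created), building a CERTREQ payload dereferences NULL. A guard such as `if (cacert == NULL) { continue; }` before the keyid lookup would be safe, but note that `keyids` was sized from `get_count()` in the previous hunk, so skipped entries leave the chunk over-sized and any length derived from `count * HASH_SIZE_SHA1` would have to be taken from `pos - keyids.ptr` instead. certreq_payload_create_from_cacerts continues outside the hunk.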
index 0c523d8..69cf144 100755 (executable)
@@ -124,7 +124,7 @@ static x509_t* load_end_certificate(const char *filename, identification_t **idp
                snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
        }
 
-       cert = x509_create_from_file(path, "end entity certificate");
+       cert = x509_create_from_file(path, "end entity");
 
        if (cert)
        {
@@ -167,13 +167,13 @@ static x509_t* load_ca_certificate(const char *filename)
                snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
        }
 
-       cert = x509_create_from_file(path, "ca certificate");
+       cert = x509_create_from_file(path, "ca");
 
        if (cert)
        {
                if (cert->is_ca(cert))
                {
-                       return charon->credentials->add_ca_certificate(charon->credentials, cert);
+                       return charon->credentials->add_auth_certificate(charon->credentials, cert, AUTH_CA);
                }
                else
                {
@@ -1052,6 +1052,33 @@ static void stroke_status(stroke_msg_t *msg, FILE *out)
 }
 
 /**
+ * list all authority certificates matching a specified flag 
+ */
+static void list_auth_certificates(u_int flag, const char *label, bool utc, FILE *out)
+{
+       bool first = TRUE;
+       x509_t *cert;
+       
+       iterator_t *iterator = charon->credentials->create_auth_cert_iterator(charon->credentials);
+
+       while (iterator->iterate(iterator, (void**)&cert))
+       {
+               if (cert->has_authority_flag(cert, flag))
+               {
+                       if (first)
+                       {
+                               fprintf(out, "\n");
+                               fprintf(out, "List of X.509 %s Certificates:\n", label);
+                               fprintf(out, "\n");
+                               first = FALSE;
+                       }
+                       fprintf(out, "%#Q\n", cert, utc);
+               }
+       }
+       iterator->destroy(iterator);
+}
+
+/**
  * list various information
  */
 static void stroke_list(stroke_msg_t *msg, FILE *out)
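Review bot: The new `list_auth_certificates()` carries only a one-line comment; its Doxygen block should document the parameters, e.g. `@param flag   authority flag (AUTH_CA, AUTH_OCSP) a certificate must carry to be listed`, `@param label  name printed in the section header`, `@param utc    print times in UTC`, `@param out    stream to write to`. The section header is now emitted lazily on the first matching certificate rather than from `get_count()` as the replaced LIST_CACERTS code did, which is the right choice here because the flag filter can leave the output empty even when the iterator is non-empty; a short comment at `first = FALSE;` saying so would spare the next reader the comparison. The iterator from `create_auth_cert_iterator()` is used without a NULL check, matching the surrounding code.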
@@ -1084,20 +1111,7 @@ static void stroke_list(stroke_msg_t *msg, FILE *out)
        }
        if (msg->list.flags & LIST_CACERTS)
        {
-               x509_t *cert;
-               
-               iterator = charon->credentials->create_cacert_iterator(charon->credentials);
-               if (iterator->get_count(iterator))
-               {
-                       fprintf(out, "\n");
-                       fprintf(out, "List of X.509 CA Certificates:\n");
-                       fprintf(out, "\n");
-               }
-               while (iterator->iterate(iterator, (void**)&cert))
-               {
-                       fprintf(out, "%#Q\n", cert, msg->list.utc);
-               }
-               iterator->destroy(iterator);
+               list_auth_certificates(AUTH_CA, "CA", msg->list.utc, out);
        }
        if (msg->list.flags & LIST_CAINFOS)
        {
@@ -1120,6 +1134,10 @@ static void stroke_list(stroke_msg_t *msg, FILE *out)
        {
                charon->credentials->list_crls(charon->credentials, out, msg->list.utc);
        }
+       if (msg->list.flags & LIST_OCSPCERTS)
+       {
+               list_auth_certificates(AUTH_OCSP, "OCSP", msg->list.utc, out);
+       }
 }
 
 /**
@@ -1131,6 +1149,10 @@ static void stroke_reread(stroke_msg_t *msg, FILE *out)
        {
                charon->credentials->load_ca_certificates(charon->credentials);
        }
+       if (msg->reread.flags & REREAD_OCSPCERTS)
+       {
+               charon->credentials->load_ocsp_certificates(charon->credentials);
+       }
        if (msg->reread.flags & REREAD_CRLS)
        {
                charon->credentials->load_crls(charon->credentials);