certificate_t->issued_by takes an argument to receive signature scheme
authorMartin Willi <martin@revosec.ch>
Mon, 11 Jun 2012 12:33:34 +0000 (14:33 +0200)
committerMartin Willi <martin@revosec.ch>
Tue, 12 Jun 2012 12:24:49 +0000 (14:24 +0200)
16 files changed:
src/libcharon/plugins/stroke/stroke_ca.c
src/libcharon/plugins/unit_tester/tests/test_cert.c
src/libpts/plugins/imv_attestation/imv_attestation_process.c
src/libstrongswan/credentials/certificates/certificate.h
src/libstrongswan/credentials/sets/cert_cache.c
src/libstrongswan/plugins/openssl/openssl_crl.c
src/libstrongswan/plugins/openssl/openssl_x509.c
src/libstrongswan/plugins/pgp/pgp_cert.c
src/libstrongswan/plugins/pubkey/pubkey_cert.c
src/libstrongswan/plugins/x509/x509_ac.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/plugins/x509/x509_crl.c
src/libstrongswan/plugins/x509/x509_ocsp_request.c
src/libstrongswan/plugins/x509/x509_ocsp_response.c
src/libstrongswan/plugins/x509/x509_pkcs10.c
src/pki/commands/verify.c

index bec35a6..e76560f 100644 (file)
@@ -348,7 +348,7 @@ METHOD(stroke_ca_t, check_for_hash_and_url, void,
        enumerator = this->sections->create_enumerator(this->sections);
        while (enumerator->enumerate(enumerator, (void**)&section))
        {
-               if (section->certuribase && cert->issued_by(cert, section->cert))
+               if (section->certuribase && cert->issued_by(cert, section->cert, NULL))
                {
                        chunk_t hash, encoded;
 
index 342194a..f4410a6 100644 (file)
@@ -60,7 +60,7 @@ bool test_cert_x509()
        {
                return FALSE;
        }
-       if (!parsed->issued_by(parsed, ca_cert))
+       if (!parsed->issued_by(parsed, ca_cert, NULL))
        {
                return FALSE;
        }
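Review bot: Both updated calls in test_cert_x509() pass `NULL` (this hunk and the one at -90), so the unit test never exercises the new out-parameter. Passing a local instead, for example `if (!parsed->issued_by(parsed, ca_cert, &scheme) || scheme == SIGN_UNKNOWN)`, would check that a successful verification actually reports a scheme. This assumes the X.509 implementation under test sets a concrete scheme for the test certificate. The function body starts and ends outside the hunk, so the declaration of `scheme` would go with the other locals.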
@@ -90,7 +90,7 @@ bool test_cert_x509()
        {
                return FALSE;
        }
-       if (!parsed->issued_by(parsed, ca_cert))
+       if (!parsed->issued_by(parsed, ca_cert, NULL))
        {
                return FALSE;
        }
index a742b66..21277a1 100644 (file)
@@ -44,7 +44,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
        pts_t *pts;
 
        pts = attestation_state->get_pts(attestation_state);
+
        switch (attr->get_type(attr))
        {
                case TCG_PTS_PROTO_CAPS:
@@ -169,7 +169,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                                                        KEY_ANY, aik->get_issuer(aik), FALSE);
                                while (e->enumerate(e, &issuer))
                                {
-                                       if (aik->issued_by(aik, issuer))
+                                       if (aik->issued_by(aik, issuer, NULL))
                                        {
                                                trusted = TRUE;
                                                break;
@@ -289,7 +289,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                                break;
                        }
                        status = comp->verify(comp, pts, evidence);
-                       
+
                        switch (status)
                        {
                                default:
index 2f471da..b7a88ff 100644 (file)
@@ -143,9 +143,11 @@ struct certificate_t {
         * Check if this certificate is issued and signed by a specific issuer.
         *
         * @param issuer        issuer's certificate
+        * @param scheme        receives signature scheme used during verification
         * @return                      TRUE if certificate issued by issuer and trusted
         */
-       bool (*issued_by)(certificate_t *this, certificate_t *issuer);
+       bool (*issued_by)(certificate_t *this, certificate_t *issuer,
+                                         signature_scheme_t *scheme);
 
        /**
         * Get the public key associated to this certificate.
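Review bot: The new `@param scheme` line does not say that the pointer may be NULL or when it is written, and the implementations in this commit disagree on the second point. The x509 and openssl variants assign it only after a successful verification, while pubkey_cert.c stores `SIGN_UNKNOWN` before `equals()` has decided the result. After a FALSE return the caller's variable is therefore sometimes untouched and sometimes overwritten. I would spell the contract out, e.g. `@param scheme receives signature scheme used during verification, may be NULL; only set if TRUE is returned`, and align pubkey_cert.c with it. Callers that later enforce a signature-scheme policy should also handle `SIGN_UNKNOWN` explicitly rather than treating it as an acceptable scheme.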
index 968c3e3..24007ba 100644 (file)
@@ -165,7 +165,7 @@ METHOD(cert_cache_t, issued_by, bool,
                }
        }
        /* no cache hit, check and cache signature */
-       if (subject->issued_by(subject, issuer))
+       if (subject->issued_by(subject, issuer, NULL))
        {
                cache(this, subject, issuer);
                return TRUE;
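Review bot: The cached path throws the scheme away: the call passes `NULL`, and `cache(this, subject, issuer)` records only the pair as far as this hunk shows. A cache hit therefore cannot tell a caller which signature scheme validated the relation. If the new out-parameter is meant to let trust-chain code enforce a minimum signature scheme, that check would either be skipped for cached relations or force callers to bypass the cache. Consider capturing it here with `subject->issued_by(subject, issuer, &scheme)` and storing it in the cached relation, so the cache's own issued_by can report it. The method body starts and continues outside the hunk.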
index 9a9efb2..e529ff8 100644 (file)
@@ -225,7 +225,8 @@ METHOD(certificate_t, has_subject_or_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-       private_openssl_crl_t *this, certificate_t *issuer)
+       private_openssl_crl_t *this, certificate_t *issuer,
+       signature_scheme_t *scheme)
 {
        chunk_t fingerprint, tbs;
        public_key_t *key;
@@ -270,6 +271,10 @@ METHOD(certificate_t, issued_by, bool,
                                                openssl_asn1_str2chunk(this->crl->signature));
        free(tbs.ptr);
        key->destroy(key);
+       if (valid && scheme)
+       {
+               *scheme = this->scheme;
+       }
        return valid;
 }
 
index 5caf518..ee19c41 100644 (file)
@@ -350,7 +350,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-       private_openssl_x509_t *this, certificate_t *issuer)
+       private_openssl_x509_t *this, certificate_t *issuer,
+       signature_scheme_t *scheme)
 {
        public_key_t *key;
        bool valid;
@@ -393,6 +394,10 @@ METHOD(certificate_t, issued_by, bool,
                                                openssl_asn1_str2chunk(this->x509->signature));
        free(tbs.ptr);
        key->destroy(key);
+       if (valid && scheme)
+       {
+               *scheme = this->scheme;
+       }
        return valid;
 }
 
@@ -975,7 +980,7 @@ static bool parse_certificate(private_openssl_x509_t *this)
        hasher->allocate_hash(hasher, this->encoding, &this->hash);
        hasher->destroy(hasher);
 
-       if (issued_by(this, &this->public.x509.interface))
+       if (issued_by(this, &this->public.x509.interface, NULL))
        {
                this->flags |= X509_SELF_SIGNED;
        }
index 70a2368..e6d13a2 100644 (file)
@@ -114,7 +114,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by,bool,
-       private_pgp_cert_t *this, certificate_t *issuer)
+       private_pgp_cert_t *this, certificate_t *issuer, signature_scheme_t *scheme)
 {
        /* TODO: check signature blobs for a valid signature */
        return FALSE;
index 67240fe..0304ccb 100644 (file)
@@ -126,8 +126,13 @@ METHOD(certificate_t, equals, bool,
 }
 
 METHOD(certificate_t, issued_by, bool,
-       private_pubkey_cert_t *this, certificate_t *issuer)
+       private_pubkey_cert_t *this, certificate_t *issuer,
+       signature_scheme_t *scheme)
 {
+       if (scheme)
+       {
+               *scheme = SIGN_UNKNOWN;
+       }
        return equals(this, issuer);
 }
 
index a2cb589..d6ca8c4 100644 (file)
@@ -701,7 +701,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-       private_x509_ac_t *this, certificate_t *issuer)
+       private_x509_ac_t *this, certificate_t *issuer, signature_scheme_t *schemep)
 {
        public_key_t *key;
        signature_scheme_t scheme;
@@ -750,6 +750,10 @@ METHOD(certificate_t, issued_by, bool,
        }
        valid = key->verify(key, scheme, this->certificateInfo, this->signature);
        key->destroy(key);
+       if (valid && schemep)
+       {
+               *schemep = scheme;
+       }
        return valid;
 }
 
index 25d92d5..88101e8 100644 (file)
@@ -1483,7 +1483,8 @@ end:
                /* check if the certificate is self-signed */
                if (this->public.interface.interface.issued_by(
                                                                                        &this->public.interface.interface,
-                                                                                       &this->public.interface.interface))
+                                                                                       &this->public.interface.interface,
+                                                                                       NULL))
                {
                        this->flags |= X509_SELF_SIGNED;
                }
@@ -1568,7 +1569,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-       private_x509_cert_t *this, certificate_t *issuer)
+       private_x509_cert_t *this, certificate_t *issuer,
+       signature_scheme_t *schemep)
 {
        public_key_t *key;
        signature_scheme_t scheme;
@@ -1612,6 +1614,10 @@ METHOD(certificate_t, issued_by, bool,
        }
        valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
        key->destroy(key);
+       if (valid && schemep)
+       {
+               *schemep = scheme;
+       }
        return valid;
 }
 
index 7bcca16..5b4ba92 100644 (file)
@@ -442,7 +442,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-       private_x509_crl_t *this, certificate_t *issuer)
+       private_x509_crl_t *this, certificate_t *issuer, signature_scheme_t *schemep)
 {
        public_key_t *key;
        signature_scheme_t scheme;
@@ -490,6 +490,10 @@ METHOD(certificate_t, issued_by, bool,
        }
        valid = key->verify(key, scheme, this->tbsCertList, this->signature);
        key->destroy(key);
+       if (valid && schemep)
+       {
+               *schemep = scheme;
+       }
        return valid;
 }
 
index 33d0aa7..debf490 100644 (file)
@@ -364,7 +364,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-       private_x509_ocsp_request_t *this, certificate_t *issuer)
+       private_x509_ocsp_request_t *this, certificate_t *issuer,
+       signature_scheme_t *scheme)
 {
        DBG1(DBG_LIB, "OCSP request validation not implemented!");
        return FALSE;
index 7dfef39..dc3fc27 100644 (file)
@@ -670,7 +670,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-       private_x509_ocsp_response_t *this, certificate_t *issuer)
+       private_x509_ocsp_response_t *this, certificate_t *issuer,
+       signature_scheme_t *schemep)
 {
        public_key_t *key;
        signature_scheme_t scheme;
@@ -722,6 +723,10 @@ METHOD(certificate_t, issued_by, bool,
        }
        valid = key->verify(key, scheme, this->tbsResponseData, this->signature);
        key->destroy(key);
+       if (valid && schemep)
+       {
+               *schemep = scheme;
+       }
        return valid;
 }
 
index ca08db2..5a9b2d9 100644 (file)
@@ -123,10 +123,12 @@ METHOD(certificate_t, has_subject, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-       private_x509_pkcs10_t *this, certificate_t *issuer)
+       private_x509_pkcs10_t *this, certificate_t *issuer,
+       signature_scheme_t *schemep)
 {
        public_key_t *key;
        signature_scheme_t scheme;
+       bool valid;
 
        if (&this->public.interface.interface != issuer)
        {
@@ -150,8 +152,13 @@ METHOD(certificate_t, issued_by, bool,
        {
                return FALSE;
        }
-       return key->verify(key, scheme, this->certificationRequestInfo,
-                                                                       this->signature);
+       valid = key->verify(key, scheme, this->certificationRequestInfo,
+                                               this->signature);
+       if (valid && schemep)
+       {
+               *schemep = scheme;
+       }
+       return valid;
 }
 
 METHOD(certificate_t, get_public_key, public_key_t*,
@@ -441,7 +448,7 @@ end:
        if (success)
        {
                /* check if the certificate request is self-signed */
-               if (issued_by(this, &this->public.interface.interface))
+               if (issued_by(this, &this->public.interface.interface, NULL))
                {
                        this->self_signed = TRUE;
                }
index bbcc538..3e983d3 100644 (file)
@@ -77,7 +77,7 @@ static int verify()
        {
                ca = cert;
        }
-       if (cert->issued_by(cert, ca))
+       if (cert->issued_by(cert, ca, NULL))
        {
                if (cert->get_validity(cert, NULL, NULL, NULL))
                {