#include <debug.h>
#include <utils/linked_list.h>
#include <utils/identification.h>
+#include <utils/fetcher.h>
typedef struct private_ca_info_t private_ca_info_t;
/**
* Implements ca_info_t.verify_by_crl.
*/
-static cert_status_t verify_by_crl(private_ca_info_t* this, const x509_t *cert,
+static cert_status_t verify_by_crl(private_ca_info_t* this,
certinfo_t *certinfo)
{
- bool valid_signature;
- rsa_public_key_t *issuer_public_key;
-
+ bool stale;
pthread_mutex_lock(&(this->mutex));
if (this->crl == NULL)
{
+ stale = TRUE;
DBG1("crl not found");
- goto err;
}
- DBG2("crl found");
-
- issuer_public_key = this->cacert->get_public_key(this->cacert);
- valid_signature = this->crl->verify(this->crl, issuer_public_key);
+ else
+ {
+ stale = !this->crl->is_valid(this->crl);
+ DBG1("crl is %s", stale? "stale":"valid");
+ }
- if (!valid_signature)
+ if (stale)
{
- DBG1("crl signature is invalid");
- goto err;
+ iterator_t *iterator = this->crluris->create_iterator(this->crluris, TRUE);
+ identification_t *uri;
+
+ while (iterator->iterate(iterator, (void**)&uri))
+ {
+ fetcher_t *fetcher;
+ char uri_string[BUF_LEN];
+ chunk_t uri_chunk = uri->get_encoding(uri);
+ chunk_t response_chunk;
+
+ snprintf(uri_string, BUF_LEN, "%.*s", uri_chunk.len, uri_chunk.ptr);
+ fetcher = fetcher_create(uri_string);
+
+ response_chunk = fetcher->get(fetcher);
+ fetcher->destroy(fetcher);
+ if (response_chunk.ptr != NULL)
+ {
+ crl_t *crl = crl_create_from_chunk(response_chunk);
+
+ if (crl)
+ {
+ if (this->crl == NULL)
+ {
+ this->crl = crl;
+ }
+ else if (crl->is_newer(crl, this->crl))
+ {
+ this->crl->destroy(this->crl);
+ this->crl = crl;
+ DBG1(" thisUpdate is newer - existing crl replaced");
+ if (this->crl->is_valid(this->crl))
+ {
+ break;
+ }
+ else
+ {
+ DBG1("fetched crl is stale");
+ }
+ }
+ else
+ {
+ crl->destroy(crl);
+ DBG1(" thisUpdate is not newer - existing crl retained");
+ }
+ }
+ else
+ {
+ free(response_chunk.ptr);
+ };
+ }
+ }
+ iterator->destroy(iterator);
}
- DBG2("crl signature is valid");
+ {
+ rsa_public_key_t *issuer_public_key;
+ bool valid_signature;
+ issuer_public_key = this->cacert->get_public_key(this->cacert);
+ valid_signature = this->crl->verify(this->crl, issuer_public_key);
+ if (!valid_signature)
+ {
+ DBG1("crl signature is invalid");
+ goto ret;
+ }
+ DBG2("crl signature is valid");
+ }
this->crl->get_status(this->crl, certinfo);
-err:
+ret:
pthread_mutex_unlock(&(this->mutex));
return certinfo->get_status(certinfo);
}
* Implements ca_info_t.verify_by_ocsp.
*/
static cert_status_t verify_by_ocsp(private_ca_info_t* this,
- const x509_t *cert,
certinfo_t *certinfo,
credential_store_t *credentials)
{
this->public.add_crluri = (void (*) (ca_info_t*,chunk_t))add_crluri;
this->public.add_ocspuri = (void (*) (ca_info_t*,chunk_t))add_ocspuri;
this->public.get_certificate = (x509_t* (*) (ca_info_t*))get_certificate;
- this->public.verify_by_crl = (cert_status_t (*) (ca_info_t*,const x509_t*,certinfo_t*))verify_by_crl;
- this->public.verify_by_ocsp = (cert_status_t (*) (ca_info_t*,const x509_t*,certinfo_t*,credential_store_t*))verify_by_ocsp;
+ this->public.verify_by_crl = (cert_status_t (*) (ca_info_t*,certinfo_t*))verify_by_crl;
+ this->public.verify_by_ocsp = (cert_status_t (*) (ca_info_t*,certinfo_t*,credential_store_t*))verify_by_ocsp;
this->public.purge_ocsp = (void (*) (ca_info_t*))purge_ocsp;
this->public.destroy = (void (*) (ca_info_t*))destroy;
* @brief Verify the status of a certificate by CRL
*
* @param this ca info object
- * @param cert certificate to be verified
* @param certinfo detailed certificate status information
* @return certificate status
*/
- cert_status_t (*verify_by_crl) (ca_info_t* this, const x509_t* cert, certinfo_t* certinfo);
+ cert_status_t (*verify_by_crl) (ca_info_t* this, certinfo_t* certinfo);
/**
* @brief Verify the status of a certificate by OCSP
*
* @param this ca info object
- * @param cert certificate to be verified
* @param certinfo detailed certificate status information
* @param credentials credential store needed for trust path verification
* @return certificate status
*/
- cert_status_t (*verify_by_ocsp) (ca_info_t* this, const x509_t* cert, certinfo_t* certinfo, credential_store_t* credentials);
+ cert_status_t (*verify_by_ocsp) (ca_info_t* this, certinfo_t* certinfo, credential_store_t* credentials);
/**
* @brief Purge the OCSP certinfos of a ca info record
/**
* Implements crl_t.is_valid
*/
-static err_t is_valid(const private_crl_t *this, time_t *until, bool strict)
+static bool is_valid(const private_crl_t *this)
{
time_t current_time = time(NULL);
DBG2(" current time: %T", ¤t_time);
DBG2(" next update: %T", &this->nextUpdate);
- if (strict && until != NULL &&
- (*until == UNDEFINED_TIME || this->nextUpdate < *until))
- {
- *until = this->nextUpdate;
- }
- if (current_time > this->nextUpdate)
- {
- return "has expired";
- }
- DBG2(" crl is valid");
- return NULL;
+ return current_time < this->nextUpdate;
}
/**
this->public.get_issuer = (identification_t* (*) (const crl_t*))get_issuer;
this->public.equals_issuer = (bool (*) (const crl_t*,const crl_t*))equals_issuer;
this->public.is_issuer = (bool (*) (const crl_t*,const x509_t*))is_issuer;
- this->public.is_valid = (err_t (*) (const crl_t*,time_t*,bool))is_valid;
+ this->public.is_valid = (bool (*) (const crl_t*))is_valid;
this->public.is_newer = (bool (*) (const crl_t*,const crl_t*))is_newer;
this->public.verify = (bool (*) (const crl_t*,const rsa_public_key_t*))verify;
this->public.get_status = (void (*) (const crl_t*,certinfo_t*))get_status;
projects / strongswan.git / commitdiff