vici: Remove obsolete certificate registration for hash-and-URL
authorTobias Brunner <tobias@strongswan.org>
Thu, 31 Oct 2019 08:49:21 +0000 (09:49 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 26 Nov 2019 10:12:26 +0000 (11:12 +0100)
src/libcharon/plugins/vici/vici_authority.c
src/libcharon/plugins/vici/vici_authority.h
src/libcharon/plugins/vici/vici_config.c

index bac3eb3..a91ece0 100644 (file)
@@ -88,11 +88,6 @@ struct authority_t {
        linked_list_t *ocsp_uris;
 
        /**
-        * Hashes of certificates issued by this CA
-        */
-       linked_list_t *hashes;
-
-       /**
         * Base URI used for certificates from this CA
         */
        char *cert_uri_base;
@@ -109,7 +104,6 @@ static authority_t *authority_create(char *name)
                .name = strdup(name),
                .crl_uris = linked_list_create(),
                .ocsp_uris = linked_list_create(),
-               .hashes = linked_list_create(),
        );
 
        return authority;
@@ -122,7 +116,6 @@ static void authority_destroy(authority_t *this)
 {
        this->crl_uris->destroy_function(this->crl_uris, free);
        this->ocsp_uris->destroy_function(this->ocsp_uris, free);
-       this->hashes->destroy_offset(this->hashes, offsetof(identification_t, destroy));
        DESTROY_IF(this->cert);
        free(this->cert_uri_base);
        free(this->name);
@@ -738,48 +731,6 @@ METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*,
                        (void*)create_inner_cdp, data, (void*)cdp_data_destroy);
 }
 
-METHOD(vici_authority_t, check_for_hash_and_url, void,
-       private_vici_authority_t *this, certificate_t* cert)
-{
-       authority_t *authority;
-       enumerator_t *enumerator;
-       hasher_t *hasher;
-
-       hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-       if (hasher == NULL)
-       {
-               DBG1(DBG_CFG, "unable to use hash-and-url: sha1 not supported");
-               return;
-       }
-
-       this->lock->write_lock(this->lock);
-       enumerator = this->authorities->create_enumerator(this->authorities);
-       while (enumerator->enumerate(enumerator, &authority))
-       {
-               if (authority->cert_uri_base &&
-                       cert->issued_by(cert, authority->cert, NULL))
-               {
-                       chunk_t hash, encoded;
-
-                       if (cert->get_encoding(cert, CERT_ASN1_DER, &encoded))
-                       {
-                               if (hasher->allocate_hash(hasher, encoded, &hash))
-                               {
-                                       authority->hashes->insert_last(authority->hashes,
-                                               identification_create_from_encoding(ID_KEY_ID, hash));
-                                       chunk_free(&hash);
-                               }
-                               chunk_free(&encoded);
-                       }
-                       break;
-               }
-       }
-       enumerator->destroy(enumerator);
-       this->lock->unlock(this->lock);
-
-       hasher->destroy(hasher);
-}
-
 METHOD(vici_authority_t, destroy, void,
        private_vici_authority_t *this)
 {
@@ -808,7 +759,6 @@ vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher,
                                .create_cdp_enumerator = _create_cdp_enumerator,
                                .cache_cert = (void*)nop,
                        },
-                       .check_for_hash_and_url = _check_for_hash_and_url,
                        .destroy = _destroy,
                },
                .dispatcher = dispatcher,
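Review bot: With the per-certificate `hashes` list removed, the `cert_uri_base` field comment in `struct authority_t` (`Base URI used for certificates from this CA`; the struct begins outside this hunk) is now the only description of the hash-and-URL contract, and it does not say what a URI under that base must serve or how the lookup key is formed. The deleted `check_for_hash_and_url` derived the key as the SHA-1 digest of the DER encoding and only registered it after `cert->issued_by(cert, authority->cert, NULL)`, so that issuer check no longer happens at load time; where it happens now is not visible here. I would record the contract on the field, hedged until confirmed against `create_inner_cdp`: `/** Base URI for hash-and-URL retrieval of certificates issued by this CA; presumably <base><hex SHA-1 of the DER certificate> must resolve to the certificate — verify against create_inner_cdp */`. A sentence in the commit message naming where the issuer check moved would also help, since the only `issued_by()` call visible in this diff is the one being deleted.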
index dbeabae..58f542c 100644 (file)
@@ -37,13 +37,6 @@ struct vici_authority_t {
        credential_set_t set;
 
        /**
-        * Check if a certificate can be made available through hash and URL.
-        *
-        * @param cert          end entity certificate
-        */
-       void (*check_for_hash_and_url)(vici_authority_t *this, certificate_t* cert);
-
-       /**
         * Destroy a vici_authority_t.
         */
        void (*destroy)(vici_authority_t *this);
index 1ff0754..49ebea4 100644 (file)
@@ -1417,14 +1417,8 @@ CALLBACK(parse_cert_policy, bool,
  */
 static bool add_cert(auth_data_t *auth, auth_rule_t rule, certificate_t *cert)
 {
-       vici_authority_t *authority;
        vici_cred_t *cred;
 
-       if (rule == AUTH_RULE_SUBJECT_CERT)
-       {
-               authority = auth->request->this->authority;
-               authority->check_for_hash_and_url(authority, cert);
-       }
        cred = auth->request->this->cred;
        cert = cred->add_cert(cred, cert);
        auth->cfg->add(auth->cfg, rule, cert);
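Review bot: The header comment of `add_cert` closes at the `*/` directly above the signature but its text is outside the hunk; now that the `AUTH_RULE_SUBJECT_CERT` branch is gone it should be checked for a leftover sentence about registering the certificate for hash-and-URL, which would otherwise describe behaviour this function no longer has. If it does, a one-line replacement such as `Adds the certificate to the vici credential set and the auth config under the given rule.` keeps it accurate. The function body continues past the end of the hunk.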