Refactored IKEv1 cert payload processing to multiple functions
authorMartin Willi <martin@revosec.ch>
Fri, 11 Jan 2013 09:19:12 +0000 (10:19 +0100)
committerMartin Willi <martin@revosec.ch>
Fri, 11 Jan 2013 09:21:56 +0000 (10:21 +0100)
src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c

index 17279ea..1b7b01e 100644 (file)
@@ -155,6 +155,105 @@ static void process_certreqs(private_isakmp_cert_pre_t *this, message_t *message
 }
 
 /**
+ * Process an X509 certificate payload
+ */
+static void process_x509(cert_payload_t *payload, auth_cfg_t *auth, bool *first)
+{
+       certificate_t *cert;
+
+       cert = payload->get_cert(payload);
+       if (cert)
+       {
+               if (*first)
+               {       /* the first is an end entity certificate */
+                       DBG1(DBG_IKE, "received end entity cert \"%Y\"",
+                                cert->get_subject(cert));
+                       auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
+                       *first = FALSE;
+               }
+               else
+               {
+                       DBG1(DBG_IKE, "received issuer cert \"%Y\"",
+                                cert->get_subject(cert));
+                       auth->add(auth, AUTH_HELPER_IM_CERT, cert);
+               }
+       }
+}
+
+/**
+ * Process a CRL certificate payload
+ */
+static void process_crl(cert_payload_t *payload, auth_cfg_t *auth)
+{
+       certificate_t *cert;
+
+       cert = payload->get_cert(payload);
+       if (cert)
+       {
+               DBG1(DBG_IKE, "received CRL \"%Y\"", cert->get_subject(cert));
+               auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert);
+       }
+}
+
+/**
+ * Process a PKCS7 certificate payload
+ */
+static void process_pkcs7(cert_payload_t *payload, auth_cfg_t *auth)
+{
+       enumerator_t *enumerator;
+       container_t *container;
+       certificate_t *cert;
+       pkcs7_t *pkcs7;
+
+       container = payload->get_container(payload);
+       if (!container)
+       {
+               return;
+       }
+       switch (container->get_type(container))
+       {
+               case CONTAINER_PKCS7_DATA:
+               case CONTAINER_PKCS7_SIGNED_DATA:
+               case CONTAINER_PKCS7_ENVELOPED_DATA:
+                       break;
+               default:
+                       container->destroy(container);
+                       return;
+       }
+
+       pkcs7 = (pkcs7_t *)container;
+       enumerator = pkcs7->create_cert_enumerator(pkcs7);
+       while (enumerator->enumerate(enumerator, &cert))
+       {
+               if (cert->get_type(cert) == CERT_X509)
+               {
+                       x509_t *x509 = (x509_t*)cert;
+
+                       if (x509->get_flags(x509) & X509_CA)
+                       {
+                               DBG1(DBG_IKE, "received intermediate ca cert \"%Y\"",
+                                        cert->get_subject(cert));
+                               auth->add(auth, AUTH_HELPER_IM_CERT, cert->get_ref(cert));
+                       }
+                       else
+                       {
+                               DBG1(DBG_IKE, "received end entity cert \"%Y\"",
+                                        cert->get_subject(cert));
+                               auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert->get_ref(cert));
+                       }
+               }
+               else
+               {
+                       DBG1(DBG_IKE, "received unsupported cert type %N",
+                                certificate_type_names, cert->get_type(cert));
+               }
+       }
+       enumerator->destroy(enumerator);
+
+       container->destroy(container);
+}
+
+/**
  * Import received certificates
  */
 static void process_certs(private_isakmp_cert_pre_t *this, message_t *message)
@@ -173,7 +272,6 @@ static void process_certs(private_isakmp_cert_pre_t *this, message_t *message)
                {
                        cert_payload_t *cert_payload;
                        cert_encoding_t encoding;
-                       certificate_t *cert;
 
                        cert_payload = (cert_payload_t*)payload;
                        encoding = cert_payload->get_cert_encoding(cert_payload);
@@ -181,83 +279,14 @@ static void process_certs(private_isakmp_cert_pre_t *this, message_t *message)
                        switch (encoding)
                        {
                                case ENC_X509_SIGNATURE:
-                               {
-                                       cert = cert_payload->get_cert(cert_payload);
-                                       if (cert)
-                                       {
-                                               if (first)
-                                               {       /* the first is an end entity certificate */
-                                                       DBG1(DBG_IKE, "received end entity cert \"%Y\"",
-                                                                cert->get_subject(cert));
-                                                       auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
-                                                       first = FALSE;
-                                               }
-                                               else
-                                               {
-                                                       DBG1(DBG_IKE, "received issuer cert \"%Y\"",
-                                                                cert->get_subject(cert));
-                                                       auth->add(auth, AUTH_HELPER_IM_CERT, cert);
-                                               }
-                                       }
+                                       process_x509(cert_payload, auth, &first);
                                        break;
-                               }
                                case ENC_CRL:
-                                       cert = cert_payload->get_cert(cert_payload);
-                                       if (cert)
-                                       {
-                                               DBG1(DBG_IKE, "received CRL \"%Y\"",
-                                                        cert->get_subject(cert));
-                                               auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert);
-                                       }
+                                       process_crl(cert_payload, auth);
                                        break;
                                case ENC_PKCS7_WRAPPED_X509:
-                               {
-                                       container_t *container;
-
-                                       container = cert_payload->get_container(cert_payload);
-                                       if (container)
-                                       {
-                                               pkcs7_t *pkcs7;
-                                               enumerator_t *enumerator;
-
-                                               pkcs7 = (pkcs7_t *)container;
-                                               enumerator = pkcs7->create_cert_enumerator(pkcs7);
-                                               while (enumerator->enumerate(enumerator, &cert))
-                                               {
-                                                       if (cert->get_type(cert) == CERT_X509)
-                                                       {
-                                                               auth_rule_t rule;
-                                                               x509_t *x509 = (x509_t*)cert;
-
-                                                               if (x509->get_flags(x509) & X509_CA)
-                                                               {
-                                                                       DBG1(DBG_IKE,
-                                                                                "received intermediate ca cert \"%Y\"",
-                                                                                cert->get_subject(cert));
-                                                                       rule = AUTH_HELPER_IM_CERT;
-                                                               }
-                                                               else
-                                                               {
-                                                                       DBG1(DBG_IKE,
-                                                                                "received end entity cert \"%Y\"",
-                                                                                cert->get_subject(cert));
-                                                                       rule = AUTH_HELPER_SUBJECT_CERT;
-                                                               }
-                                                               auth->add(auth, rule, cert->get_ref(cert));
-                                                       }
-                                                       else
-                                                       {
-                                                               DBG1(DBG_IKE,
-                                                                        "received unsupported cert type %N",
-                                                                        certificate_type_names,
-                                                                        cert->get_type(cert));
-                                                       }
-                                               }
-                                               enumerator->destroy(enumerator);
-                                               container->destroy(container);
-                                       }
+                                       process_pkcs7(cert_payload, auth);
                                        break;
-                               }
                                case ENC_PGP:
                                case ENC_DNS_SIGNED_KEY:
                                case ENC_KERBEROS_TOKEN: