stroke: Use separate credential sets for CA/AA certificates
author
Martin Willi
<martin@revosec.ch>
Fri, 6 Feb 2015 11:21:12 +0000
(12:21 +0100)
committer
Martin Willi
<martin@revosec.ch>
Tue, 3 Mar 2015 12:50:26 +0000
(13:50 +0100)
src/libcharon/plugins/stroke/stroke_cred.c
diff --git
a/src/libcharon/plugins/stroke/stroke_cred.c
b/src/libcharon/plugins/stroke/stroke_cred.c
index
0ac3f82
..
31d9e07
100644
(file)
--- a/
src/libcharon/plugins/stroke/stroke_cred.c
+++ b/
src/libcharon/plugins/stroke/stroke_cred.c
@@
-70,11
+70,21
@@
struct private_stroke_cred_t {
char *secrets_file;
/**
char *secrets_file;
/**
- * credentials
+ * credentials
: end entity certs, attribute certs, CRLs, etc.
*/
mem_cred_t *creds;
/**
*/
mem_cred_t *creds;
/**
+ * CA certificates
+ */
+ mem_cred_t *cacerts;
+
+ /**
+ * Attribute Authority certificates
+ */
+ mem_cred_t *aacerts;
+
+ /**
* ignore missing CA basic constraint (i.e. treat all certificates in
* ipsec.conf ca sections and ipsec.d/cacerts as CA certificates)
*/
* ignore missing CA basic constraint (i.e. treat all certificates in
* ipsec.conf ca sections and ipsec.d/cacerts as CA certificates)
*/
@@
-405,7
+415,7
@@
static void load_x509_ca(private_stroke_cred_t *this, char *file)
{
DBG1(DBG_CFG, " loaded ca certificate \"%Y\" from '%s'",
cert->get_subject(cert), file);
{
DBG1(DBG_CFG, " loaded ca certificate \"%Y\" from '%s'",
cert->get_subject(cert), file);
- this->c
reds->add_cert(this->cred
s, TRUE, cert);
+ this->c
acerts->add_cert(this->cacert
s, TRUE, cert);
}
}
else
}
}
else
@@
-428,7
+438,7
@@
static void load_x509_aa(private_stroke_cred_t *this, char *file)
{
DBG1(DBG_CFG, " loaded AA certificate \"%Y\" from '%s'",
cert->get_subject(cert), file);
{
DBG1(DBG_CFG, " loaded AA certificate \"%Y\" from '%s'",
cert->get_subject(cert), file);
- this->
creds->add_cert(this->cred
s, TRUE, cert);
+ this->
aacerts->add_cert(this->aacert
s, TRUE, cert);
}
else
{
}
else
{
@@
-1409,7
+1419,11
@@
METHOD(stroke_cred_t, add_shared, void,
METHOD(stroke_cred_t, destroy, void,
private_stroke_cred_t *this)
{
METHOD(stroke_cred_t, destroy, void,
private_stroke_cred_t *this)
{
+ lib->credmgr->remove_set(lib->credmgr, &this->aacerts->set);
+ lib->credmgr->remove_set(lib->credmgr, &this->cacerts->set);
lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+ this->aacerts->destroy(this->aacerts);
+ this->cacerts->destroy(this->cacerts);
this->creds->destroy(this->creds);
free(this);
}
this->creds->destroy(this->creds);
free(this);
}
@@
-1442,9
+1456,13
@@
stroke_cred_t *stroke_cred_create()
"%s.plugins.stroke.secrets_file", SECRETS_FILE,
lib->ns),
.creds = mem_cred_create(),
"%s.plugins.stroke.secrets_file", SECRETS_FILE,
lib->ns),
.creds = mem_cred_create(),
+ .cacerts = mem_cred_create(),
+ .aacerts = mem_cred_create(),
);
lib->credmgr->add_set(lib->credmgr, &this->creds->set);
);
lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+ lib->credmgr->add_set(lib->credmgr, &this->cacerts->set);
+ lib->credmgr->add_set(lib->credmgr, &this->aacerts->set);
this->force_ca_cert = lib->settings->get_bool(lib->settings,
"%s.plugins.stroke.ignore_missing_ca_basic_constraint",
this->force_ca_cert = lib->settings->get_bool(lib->settings,
"%s.plugins.stroke.ignore_missing_ca_basic_constraint",
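Review bot: The new `cacerts` and `aacerts` fields in the first hunk of `struct private_stroke_cred_t` say what they hold but not why they are now kept apart from `creds`, so a reader of `destroy` or `stroke_cred_create` cannot tell whether the three sets are interchangeable or why they are registered and torn down as separate credential sets. I would state the contract on the fields, e.g. `/** CA certificates (ipsec.d/cacerts), kept in their own set so they can be managed independently of the end entity credentials in creds */` and the matching wording for `aacerts`, and note in the `creds` comment that CA and AA certificates no longer live there. The `add_set`/`remove_set` pairs in `stroke_cred_create` and `destroy` are consistent with each other, but any other path in this file that still stores CA or AA certificates into `this->creds` lies outside these hunks, so whether it was updated to match `load_x509_ca`/`load_x509_aa` is not visible here and is worth checking. The `force_ca_cert` comment directly below the new fields still describes ipsec.d/cacerts entries as CA certificates, which presumably remains accurate now that `load_x509_ca` adds them as trusted (`add_cert(..., TRUE, cert)`) into `cacerts`, but it would be clearer if it referred to that set explicitly.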