From d69cf39bb45e57bf936b16ca7b9328a5637f6c72 Mon Sep 17 00:00:00 2001
From: Martin Willi <martin@revosec.ch>
Date: Fri, 6 Feb 2015 12:21:12 +0100
Subject: [PATCH] stroke: Use separate credential sets for CA/AA certificates

---
 src/libcharon/plugins/stroke/stroke_cred.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 0ac3f82..31d9e07 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -70,11 +70,21 @@ struct private_stroke_cred_t {
 	char *secrets_file;
 
 	/**
-	 * credentials
+	 * credentials: end entity certs, attribute certs, CRLs, etc.
 	 */
 	mem_cred_t *creds;
 
 	/**
+	 * CA certificates
+	 */
+	mem_cred_t *cacerts;
+
+	/**
+	 * Attribute Authority certificates
+	 */
+	mem_cred_t *aacerts;
+
+	/**
 	 * ignore missing CA basic constraint (i.e. treat all certificates in
 	 * ipsec.conf ca sections and ipsec.d/cacerts as CA certificates)
 	 */
@@ -405,7 +415,7 @@ static void load_x509_ca(private_stroke_cred_t *this, char *file)
 		{
 			DBG1(DBG_CFG, "  loaded ca certificate \"%Y\" from '%s'",
 				 cert->get_subject(cert), file);
-			this->creds->add_cert(this->creds, TRUE, cert);
+			this->cacerts->add_cert(this->cacerts, TRUE, cert);
 		}
 	}
 	else
@@ -428,7 +438,7 @@ static void load_x509_aa(private_stroke_cred_t *this, char *file)
 	{
 		DBG1(DBG_CFG, "  loaded AA certificate \"%Y\" from '%s'",
 			 cert->get_subject(cert), file);
-		this->creds->add_cert(this->creds, TRUE, cert);
+		this->aacerts->add_cert(this->aacerts, TRUE, cert);
 	}
 	else
 	{
@@ -1409,7 +1419,11 @@ METHOD(stroke_cred_t, add_shared, void,
 METHOD(stroke_cred_t, destroy, void,
 	private_stroke_cred_t *this)
 {
+	lib->credmgr->remove_set(lib->credmgr, &this->aacerts->set);
+	lib->credmgr->remove_set(lib->credmgr, &this->cacerts->set);
 	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+	this->aacerts->destroy(this->aacerts);
+	this->cacerts->destroy(this->cacerts);
 	this->creds->destroy(this->creds);
 	free(this);
 }
@@ -1442,9 +1456,13 @@ stroke_cred_t *stroke_cred_create()
 								"%s.plugins.stroke.secrets_file", SECRETS_FILE,
 								lib->ns),
 		.creds = mem_cred_create(),
+		.cacerts = mem_cred_create(),
+		.aacerts = mem_cred_create(),
 	);
 
 	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+	lib->credmgr->add_set(lib->credmgr, &this->cacerts->set);
+	lib->credmgr->add_set(lib->credmgr, &this->aacerts->set);
 
 	this->force_ca_cert = lib->settings->get_bool(lib->settings,
 						"%s.plugins.stroke.ignore_missing_ca_basic_constraint",
-- 
2.7.4