error-notify: catch and forward some alerts related to certificate validation

src/libcharon/plugins/error_notify/error_notify_listener.c

@@ -45,6 +45,8 @@ METHOD(listener_t, alert, bool,
 	identification_t *id;
 	linked_list_t *list, *list2;
 	peer_cfg_t *peer_cfg;
+	certificate_t *cert;
+	time_t not_before, not_after;
 
 	if (!this->socket->has_listeners(this->socket))
 	{
@@ -147,6 +149,26 @@ METHOD(listener_t, alert, bool,
 			snprintf(msg.str, sizeof(msg.str), "an authorization plugin "
 					 "prevented establishment of an IKE_SA");
 			break;
+		case ALERT_CERT_EXPIRED:
+			msg.type = htonl(ERROR_NOTIFY_CERT_EXPIRED);
+			cert = va_arg(args, certificate_t*);
+			cert->get_validity(cert, NULL, &not_before, &not_after);
+			snprintf(msg.str, sizeof(msg.str), "certificiate expired: '%Y' "
+					 "(valid from %T to %T)", cert->get_subject(cert),
+					 &not_before, TRUE, &not_after, TRUE);
+			break;
+		case ALERT_CERT_REVOKED:
+			msg.type = htonl(ERROR_NOTIFY_CERT_REVOKED);
+			cert = va_arg(args, certificate_t*);
+			snprintf(msg.str, sizeof(msg.str), "certificiate revoked: '%Y'",
+					 cert->get_subject(cert));
+			break;
+		case ALERT_CERT_NO_ISSUER:
+			msg.type = htonl(ERROR_NOTIFY_NO_ISSUER_CERT);
+			cert = va_arg(args, certificate_t*);
+			snprintf(msg.str, sizeof(msg.str), "no trusted issuer certificate "
+					 "found: '%Y'", cert->get_issuer(cert));
+			break;
 		default:
 			return TRUE;
 	}

src/libcharon/plugins/error_notify/error_notify_msg.h

@@ -45,6 +45,9 @@ enum {
 	ERROR_NOTIFY_UNIQUE_KEEP = 14,
 	ERROR_NOTIFY_VIP_FAILURE = 15,
 	ERROR_NOTIFY_AUTHORIZATION_FAILED = 16,
+	ERROR_NOTIFY_CERT_EXPIRED = 17,
+	ERROR_NOTIFY_CERT_REVOKED = 18,
+	ERROR_NOTIFY_NO_ISSUER_CERT = 19,
 };
 
 /**