support if ocsp signing certificates

2007-03-08 16:47:18 +00:00 · 2007-03-08 16:47:18 +00:00 · 9149635ffa
parent 9f4039755d
commit 9149635ffa
4 changed files with 53 additions and 22 deletions
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@ -275,6 +275,7 @@ static void initialize(private_daemon_t *this, bool strict, bool syslog,
 	/* load secrets, ca certificates and crls */
 	credentials = this->public.credentials;
 	credentials->load_ca_certificates(credentials);
+	credentials->load_ocsp_certificates(credentials);
 	credentials->load_crls(credentials);
 	credentials->load_secrets(credentials);
 	
--- a/src/charon/daemon.h
+++ b/src/charon/daemon.h
@ -275,6 +275,13 @@ typedef struct daemon_t daemon_t;
 */
 #define CA_CERTIFICATE_DIR IPSEC_D_DIR "/cacerts"

+/**
+ * Default directory for OCSP signing certificates
+ * 
+ * @ingroup charon
+ */
+#define OCSP_CERTIFICATE_DIR IPSEC_D_DIR "/ocspcerts"
+
 /**
 * Default directory for CRLs
 * 
--- a/src/charon/encoding/payloads/certreq_payload.c
+++ b/src/charon/encoding/payloads/certreq_payload.c
@ -26,6 +26,7 @@

 #include <daemon.h>
 #include <crypto/hashers/hasher.h>
+#include <crypto/ca.h>

 #include "certreq_payload.h"

@ -300,9 +301,9 @@ certreq_payload_t *certreq_payload_create_from_cacerts(void)
 	certreq_payload_t *this;
 	chunk_t keyids;
 	u_char *pos;
-	x509_t *cacert;
+	ca_info_t *cainfo;

-	iterator_t *iterator = charon->credentials->create_cacert_iterator(charon->credentials);
+	iterator_t *iterator = charon->credentials->create_cainfo_iterator(charon->credentials);
 	int count = iterator->get_count(iterator);

 	if (count == 0)
@ -315,10 +316,10 @@ certreq_payload_t *certreq_payload_create_from_cacerts(void)
 	keyids = chunk_alloc(count * HASH_SIZE_SHA1);
 	pos = keyids.ptr;

-	while (iterator->iterate(iterator, (void**)&cacert))
+	while (iterator->iterate(iterator, (void**)&cainfo))
 	{
-		rsa_public_key_t *pubkey = cacert->get_public_key(cacert);
-		chunk_t keyid = pubkey->get_keyid(pubkey);
+		x509_t *cacert = cainfo->get_certificate(cainfo);
+		chunk_t keyid = cacert->get_keyid(cacert);

 		DBG2(DBG_IKE, "requesting certificate issued by '%D'", cacert->get_subject(cacert));
 		DBG2(DBG_IKE, "  with keyid %#B", &keyid);
--- a/src/charon/threads/stroke_interface.c
+++ b/src/charon/threads/stroke_interface.c
@ -124,7 +124,7 @@ static x509_t* load_end_certificate(const char *filename, identification_t **idp
 		snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
 	}

-	cert = x509_create_from_file(path, "end entity certificate");
+	cert = x509_create_from_file(path, "end entity");

 	if (cert)
 	{
@ -167,13 +167,13 @@ static x509_t* load_ca_certificate(const char *filename)
 		snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
 	}

-	cert = x509_create_from_file(path, "ca certificate");
+	cert = x509_create_from_file(path, "ca");

 	if (cert)
 	{
 		if (cert->is_ca(cert))
 		{
-			return charon->credentials->add_ca_certificate(charon->credentials, cert);
+			return charon->credentials->add_auth_certificate(charon->credentials, cert, AUTH_CA);
 		}
 		else
 		{
@ -1051,6 +1051,33 @@ static void stroke_status(stroke_msg_t *msg, FILE *out)
 	iterator->destroy(iterator);
 }

+/**
+ * list all authority certificates matching a specified flag 
+ */
+static void list_auth_certificates(u_int flag, const char *label, bool utc, FILE *out)
+{
+	bool first = TRUE;
+	x509_t *cert;
+	
+	iterator_t *iterator = charon->credentials->create_auth_cert_iterator(charon->credentials);
+
+	while (iterator->iterate(iterator, (void**)&cert))
+	{
+		if (cert->has_authority_flag(cert, flag))
+		{
+			if (first)
+			{
+				fprintf(out, "\n");
+				fprintf(out, "List of X.509 %s Certificates:\n", label);
+				fprintf(out, "\n");
+				first = FALSE;
+			}
+			fprintf(out, "%#Q\n", cert, utc);
+		}
+	}
+	iterator->destroy(iterator);
+}
+
 /**
 * list various information
 */
@ -1084,20 +1111,7 @@ static void stroke_list(stroke_msg_t *msg, FILE *out)
 	}
 	if (msg->list.flags & LIST_CACERTS)
 	{
-		x509_t *cert;
-		
-		iterator = charon->credentials->create_cacert_iterator(charon->credentials);
-		if (iterator->get_count(iterator))
-		{
-			fprintf(out, "\n");
-			fprintf(out, "List of X.509 CA Certificates:\n");
-			fprintf(out, "\n");
-		}
-		while (iterator->iterate(iterator, (void**)&cert))
-		{
-			fprintf(out, "%#Q\n", cert, msg->list.utc);
-		}
-		iterator->destroy(iterator);
+		list_auth_certificates(AUTH_CA, "CA", msg->list.utc, out);
 	}
 	if (msg->list.flags & LIST_CAINFOS)
 	{
@ -1120,6 +1134,10 @@ static void stroke_list(stroke_msg_t *msg, FILE *out)
 	{
 		charon->credentials->list_crls(charon->credentials, out, msg->list.utc);
 	}
+	if (msg->list.flags & LIST_OCSPCERTS)
+	{
+		list_auth_certificates(AUTH_OCSP, "OCSP", msg->list.utc, out);
+	}
 }

 /**
@ -1131,6 +1149,10 @@ static void stroke_reread(stroke_msg_t *msg, FILE *out)
 	{
 		charon->credentials->load_ca_certificates(charon->credentials);
 	}
+	if (msg->reread.flags & REREAD_OCSPCERTS)
+	{
+		charon->credentials->load_ocsp_certificates(charon->credentials);
+	}
 	if (msg->reread.flags & REREAD_CRLS)
 	{
 		charon->credentials->load_crls(charon->credentials);