support if ocsp signing certificates
This commit is contained in:
parent
9f4039755d
commit
9149635ffa
|
@ -275,6 +275,7 @@ static void initialize(private_daemon_t *this, bool strict, bool syslog,
|
|||
/* load secrets, ca certificates and crls */
|
||||
credentials = this->public.credentials;
|
||||
credentials->load_ca_certificates(credentials);
|
||||
credentials->load_ocsp_certificates(credentials);
|
||||
credentials->load_crls(credentials);
|
||||
credentials->load_secrets(credentials);
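Review bot: The comment heading this sequence, `/* load secrets, ca certificates and crls */`, no longer lists everything that is loaded now that `load_ocsp_certificates` runs between the CA certificates and the CRLs; update it to `/* load secrets, ca certificates, ocsp certificates and crls */`. The new call sits after `load_ca_certificates`, which is presumably required if OCSP signer certificates are checked against the CA set when loaded, so the placement looks right. initialize() starts and ends outside this hunk.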
|
||||
|
||||
|
|
|
@ -275,6 +275,13 @@ typedef struct daemon_t daemon_t;
|
|||
*/
|
||||
#define CA_CERTIFICATE_DIR IPSEC_D_DIR "/cacerts"
|
||||
|
||||
/**
|
||||
* Default directory for OCSP signing certificates
|
||||
*
|
||||
* @ingroup charon
|
||||
*/
|
||||
#define OCSP_CERTIFICATE_DIR IPSEC_D_DIR "/ocspcerts"
|
||||
|
||||
/**
|
||||
* Default directory for CRLs
|
||||
*
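Review bot: The new Doxygen block says only "Default directory for OCSP signing certificates", which does not tell an operator what placing a file there means. Since this commit loads that directory into the credential store next to the CA certificates and lists its contents under the AUTH_OCSP flag, the certificates there are presumably granted authority to sign OCSP responses; say so explicitly, e.g. `* Default directory for OCSP signing certificates; certificates found here are trusted as OCSP response signers`. The same wording could be mirrored on CA_CERTIFICATE_DIR just above for consistency.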
|
||||
|
|
|
@ -26,6 +26,7 @@
|
|||
|
||||
#include <daemon.h>
|
||||
#include <crypto/hashers/hasher.h>
|
||||
#include <crypto/ca.h>
|
||||
|
||||
#include "certreq_payload.h"
|
||||
|
||||
|
@ -300,9 +301,9 @@ certreq_payload_t *certreq_payload_create_from_cacerts(void)
|
|||
certreq_payload_t *this;
|
||||
chunk_t keyids;
|
||||
u_char *pos;
|
||||
x509_t *cacert;
|
||||
ca_info_t *cainfo;
|
||||
|
||||
iterator_t *iterator = charon->credentials->create_cacert_iterator(charon->credentials);
|
||||
iterator_t *iterator = charon->credentials->create_cainfo_iterator(charon->credentials);
|
||||
int count = iterator->get_count(iterator);
|
||||
|
||||
if (count == 0)
|
||||
|
@ -315,10 +316,10 @@ certreq_payload_t *certreq_payload_create_from_cacerts(void)
|
|||
keyids = chunk_alloc(count * HASH_SIZE_SHA1);
|
||||
pos = keyids.ptr;
|
||||
|
||||
while (iterator->iterate(iterator, (void**)&cacert))
|
||||
while (iterator->iterate(iterator, (void**)&cainfo))
|
||||
{
|
||||
rsa_public_key_t *pubkey = cacert->get_public_key(cacert);
|
||||
chunk_t keyid = pubkey->get_keyid(pubkey);
|
||||
x509_t *cacert = cainfo->get_certificate(cainfo);
|
||||
chunk_t keyid = cacert->get_keyid(cacert);
|
||||
|
||||
DBG2(DBG_IKE, "requesting certificate issued by '%D'", cacert->get_subject(cacert));
|
||||
DBG2(DBG_IKE, " with keyid %#B", &keyid);
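Review bot: `x509_t *cacert = cainfo->get_certificate(cainfo);` is dereferenced on the following line with no NULL check; if a ca_info_t can exist without an attached certificate (its definition is not in this diff), `cacert->get_keyid(cacert)` would crash on that entry. In that case the `keyids` chunk sized from `iterator->get_count()` in the lines above would also claim more key ids than were actually written. If the case is possible, guard it with `if (cacert == NULL) { continue; }` and set `keyids.len = pos - keyids.ptr;` after the loop so the payload length matches the copied data. certreq_payload_create_from_cacerts continues past the end of this hunk.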
|
||||
|
|
|
@ -124,7 +124,7 @@ static x509_t* load_end_certificate(const char *filename, identification_t **idp
|
|||
snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
|
||||
}
|
||||
|
||||
cert = x509_create_from_file(path, "end entity certificate");
|
||||
cert = x509_create_from_file(path, "end entity");
|
||||
|
||||
if (cert)
|
||||
{
|
||||
|
@ -167,13 +167,13 @@ static x509_t* load_ca_certificate(const char *filename)
|
|||
snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
|
||||
}
|
||||
|
||||
cert = x509_create_from_file(path, "ca certificate");
|
||||
cert = x509_create_from_file(path, "ca");
|
||||
|
||||
if (cert)
|
||||
{
|
||||
if (cert->is_ca(cert))
|
||||
{
|
||||
return charon->credentials->add_ca_certificate(charon->credentials, cert);
|
||||
return charon->credentials->add_auth_certificate(charon->credentials, cert, AUTH_CA);
|
||||
}
|
||||
else
|
||||
{
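Review bot: The `cert->is_ca(cert)` test on the line before `add_auth_certificate(charon->credentials, cert, AUTH_CA)` is the only gate that keeps a non-CA certificate out of the trusted-authority set, so that contract should be stated on add_auth_certificate (callers must verify the certificate is entitled to the flag they pass). The loader that registers AUTH_OCSP certificates (`load_ocsp_certificates`, called from daemon.c in this commit but not shown here) should apply an equivalent check before registration, for example that the certificate carries the OCSP-signing extended key usage, otherwise any certificate dropped into the directory would be accepted as a response signer. The label change from "ca certificate" to "ca" in the `x509_create_from_file` call is cosmetic. load_ca_certificate's else branch and the end of the function are outside this hunk.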
|
||||
|
@ -1051,6 +1051,33 @@ static void stroke_status(stroke_msg_t *msg, FILE *out)
|
|||
iterator->destroy(iterator);
|
||||
}
|
||||
|
||||
/**
|
||||
* list all authority certificates matching a specified flag
|
||||
*/
|
||||
static void list_auth_certificates(u_int flag, const char *label, bool utc, FILE *out)
|
||||
{
|
||||
bool first = TRUE;
|
||||
x509_t *cert;
|
||||
|
||||
iterator_t *iterator = charon->credentials->create_auth_cert_iterator(charon->credentials);
|
||||
|
||||
while (iterator->iterate(iterator, (void**)&cert))
|
||||
{
|
||||
if (cert->has_authority_flag(cert, flag))
|
||||
{
|
||||
if (first)
|
||||
{
|
||||
fprintf(out, "\n");
|
||||
fprintf(out, "List of X.509 %s Certificates:\n", label);
|
||||
fprintf(out, "\n");
|
||||
first = FALSE;
|
||||
}
|
||||
fprintf(out, "%#Q\n", cert, utc);
|
||||
}
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
}
|
||||
|
||||
/**
|
||||
* list various information
|
||||
*/
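Review bot: The header comment `list all authority certificates matching a specified flag` on list_auth_certificates does not describe its parameters, while the function is the new shared path for both CA and OCSP listing. A Doxygen block naming `flag` (tested with `has_authority_flag`), `label` (inserted into the "List of X.509 %s Certificates:" heading), `utc` (passed through to the `%#Q` formatter) and `out` would match the style of the other comments in this file. It is also worth a one-line comment on the `first` flag that the heading is printed only once a matching certificate is found, so an empty set prints nothing; that differs from the old `get_count`-based header in stroke_list that this commit removes, and appears intentional.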
|
||||
|
@ -1084,20 +1111,7 @@ static void stroke_list(stroke_msg_t *msg, FILE *out)
|
|||
}
|
||||
if (msg->list.flags & LIST_CACERTS)
|
||||
{
|
||||
x509_t *cert;
|
||||
|
||||
iterator = charon->credentials->create_cacert_iterator(charon->credentials);
|
||||
if (iterator->get_count(iterator))
|
||||
{
|
||||
fprintf(out, "\n");
|
||||
fprintf(out, "List of X.509 CA Certificates:\n");
|
||||
fprintf(out, "\n");
|
||||
}
|
||||
while (iterator->iterate(iterator, (void**)&cert))
|
||||
{
|
||||
fprintf(out, "%#Q\n", cert, msg->list.utc);
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
list_auth_certificates(AUTH_CA, "CA", msg->list.utc, out);
|
||||
}
|
||||
if (msg->list.flags & LIST_CAINFOS)
|
||||
{
|
||||
|
@ -1120,6 +1134,10 @@ static void stroke_list(stroke_msg_t *msg, FILE *out)
|
|||
{
|
||||
charon->credentials->list_crls(charon->credentials, out, msg->list.utc);
|
||||
}
|
||||
if (msg->list.flags & LIST_OCSPCERTS)
|
||||
{
|
||||
list_auth_certificates(AUTH_OCSP, "OCSP", msg->list.utc, out);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -1131,6 +1149,10 @@ static void stroke_reread(stroke_msg_t *msg, FILE *out)
|
|||
{
|
||||
charon->credentials->load_ca_certificates(charon->credentials);
|
||||
}
|
||||
if (msg->reread.flags & REREAD_OCSPCERTS)
|
||||
{
|
||||
charon->credentials->load_ocsp_certificates(charon->credentials);
|
||||
}
|
||||
if (msg->reread.flags & REREAD_CRLS)
|
||||
{
|
||||
charon->credentials->load_crls(charon->credentials);
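Review bot: The new `REREAD_OCSPCERTS` branch re-runs `load_ocsp_certificates`, which changes which responders' signatures will be accepted from then on; if that loader appends to the existing AUTH_OCSP set rather than replacing it (its implementation is not in this diff), a signer certificate removed from the directory would keep its authority until the daemon restarts. Please confirm the replace-versus-append behaviour and record it in a comment on the branch, e.g. `/* replaces the set of trusted OCSP signers */`. The branch order (CA certificates, OCSP certificates, CRLs) matches the startup order in daemon.c, which is good. stroke_reread continues past the end of this hunk.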
|
||||
|
|