certificate_t->issued_by takes an argument to receive signature scheme

2012-06-11 14:33:34 +02:00 · 2012-06-11 14:33:34 +02:00 · a37f2d2006
parent 439d0742e9
commit a37f2d2006
16 changed files with 68 additions and 24 deletions
--- a/src/libcharon/plugins/stroke/stroke_ca.c
+++ b/src/libcharon/plugins/stroke/stroke_ca.c
@ -348,7 +348,7 @@ METHOD(stroke_ca_t, check_for_hash_and_url, void,
 	enumerator = this->sections->create_enumerator(this->sections);
 	while (enumerator->enumerate(enumerator, (void**)&section))
 	{
-		if (section->certuribase && cert->issued_by(cert, section->cert))
+		if (section->certuribase && cert->issued_by(cert, section->cert, NULL))
 		{
 			chunk_t hash, encoded;

--- a/src/libcharon/plugins/unit_tester/tests/test_cert.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_cert.c
@ -60,7 +60,7 @@ bool test_cert_x509()
 	{
 		return FALSE;
 	}
-	if (!parsed->issued_by(parsed, ca_cert))
+	if (!parsed->issued_by(parsed, ca_cert, NULL))
 	{
 		return FALSE;
 	}
@ -90,7 +90,7 @@ bool test_cert_x509()
 	{
 		return FALSE;
 	}
-	if (!parsed->issued_by(parsed, ca_cert))
+	if (!parsed->issued_by(parsed, ca_cert, NULL))
 	{
 		return FALSE;
 	}
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
@ -44,7 +44,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 	pts_t *pts;

 	pts = attestation_state->get_pts(attestation_state);
- 
+
 	switch (attr->get_type(attr))
 	{
 		case TCG_PTS_PROTO_CAPS:
@ -169,7 +169,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 							KEY_ANY, aik->get_issuer(aik), FALSE);
 				while (e->enumerate(e, &issuer))
 				{
-					if (aik->issued_by(aik, issuer))
+					if (aik->issued_by(aik, issuer, NULL))
 					{
 						trusted = TRUE;
 						break;
@ -289,7 +289,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 				break;
 			}
 			status = comp->verify(comp, pts, evidence);
-			
+
 			switch (status)
 			{
 				default:
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@ -143,9 +143,11 @@ struct certificate_t {
 	 * Check if this certificate is issued and signed by a specific issuer.
 	 *
 	 * @param issuer	issuer's certificate
+	 * @param scheme	receives signature scheme used during verification
 	 * @return			TRUE if certificate issued by issuer and trusted
 	 */
-	bool (*issued_by)(certificate_t *this, certificate_t *issuer);
+	bool (*issued_by)(certificate_t *this, certificate_t *issuer,
+					  signature_scheme_t *scheme);

 	/**
 	 * Get the public key associated to this certificate.
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@ -165,7 +165,7 @@ METHOD(cert_cache_t, issued_by, bool,
 		}
 	}
 	/* no cache hit, check and cache signature */
-	if (subject->issued_by(subject, issuer))
+	if (subject->issued_by(subject, issuer, NULL))
 	{
 		cache(this, subject, issuer);
 		return TRUE;
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@ -225,7 +225,8 @@ METHOD(certificate_t, has_subject_or_issuer, id_match_t,
 }

 METHOD(certificate_t, issued_by, bool,
-	private_openssl_crl_t *this, certificate_t *issuer)
+	private_openssl_crl_t *this, certificate_t *issuer,
+	signature_scheme_t *scheme)
 {
 	chunk_t fingerprint, tbs;
 	public_key_t *key;
@ -270,6 +271,10 @@ METHOD(certificate_t, issued_by, bool,
 						openssl_asn1_str2chunk(this->crl->signature));
 	free(tbs.ptr);
 	key->destroy(key);
+	if (valid && scheme)
+	{
+		*scheme = this->scheme;
+	}
 	return valid;
 }

--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@ -350,7 +350,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }

 METHOD(certificate_t, issued_by, bool,
-	private_openssl_x509_t *this, certificate_t *issuer)
+	private_openssl_x509_t *this, certificate_t *issuer,
+	signature_scheme_t *scheme)
 {
 	public_key_t *key;
 	bool valid;
@ -393,6 +394,10 @@ METHOD(certificate_t, issued_by, bool,
 						openssl_asn1_str2chunk(this->x509->signature));
 	free(tbs.ptr);
 	key->destroy(key);
+	if (valid && scheme)
+	{
+		*scheme = this->scheme;
+	}
 	return valid;
 }

@ -975,7 +980,7 @@ static bool parse_certificate(private_openssl_x509_t *this)
 	hasher->allocate_hash(hasher, this->encoding, &this->hash);
 	hasher->destroy(hasher);

-	if (issued_by(this, &this->public.x509.interface))
+	if (issued_by(this, &this->public.x509.interface, NULL))
 	{
 		this->flags |= X509_SELF_SIGNED;
 	}
--- a/src/libstrongswan/plugins/pgp/pgp_cert.c
+++ b/src/libstrongswan/plugins/pgp/pgp_cert.c
@ -114,7 +114,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }

 METHOD(certificate_t, issued_by,bool,
-	private_pgp_cert_t *this, certificate_t *issuer)
+	private_pgp_cert_t *this, certificate_t *issuer, signature_scheme_t *scheme)
 {
 	/* TODO: check signature blobs for a valid signature */
 	return FALSE;
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
@ -126,8 +126,13 @@ METHOD(certificate_t, equals, bool,
 }

 METHOD(certificate_t, issued_by, bool,
-	private_pubkey_cert_t *this, certificate_t *issuer)
+	private_pubkey_cert_t *this, certificate_t *issuer,
+	signature_scheme_t *scheme)
 {
+	if (scheme)
+	{
+		*scheme = SIGN_UNKNOWN;
+	}
 	return equals(this, issuer);
 }

--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@ -701,7 +701,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }

 METHOD(certificate_t, issued_by, bool,
-	private_x509_ac_t *this, certificate_t *issuer)
+	private_x509_ac_t *this, certificate_t *issuer, signature_scheme_t *schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@ -750,6 +750,10 @@ METHOD(certificate_t, issued_by, bool,
 	}
 	valid = key->verify(key, scheme, this->certificateInfo, this->signature);
 	key->destroy(key);
+	if (valid && schemep)
+	{
+		*schemep = scheme;
+	}
 	return valid;
 }

--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@ -1483,7 +1483,8 @@ end:
 		/* check if the certificate is self-signed */
 		if (this->public.interface.interface.issued_by(
 											&this->public.interface.interface,
-											&this->public.interface.interface))
+											&this->public.interface.interface,
+											NULL))
 		{
 			this->flags |= X509_SELF_SIGNED;
 		}
@ -1568,7 +1569,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }

 METHOD(certificate_t, issued_by, bool,
-	private_x509_cert_t *this, certificate_t *issuer)
+	private_x509_cert_t *this, certificate_t *issuer,
+	signature_scheme_t *schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@ -1612,6 +1614,10 @@ METHOD(certificate_t, issued_by, bool,
 	}
 	valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
 	key->destroy(key);
+	if (valid && schemep)
+	{
+		*schemep = scheme;
+	}
 	return valid;
 }

--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@ -442,7 +442,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }

 METHOD(certificate_t, issued_by, bool,
-	private_x509_crl_t *this, certificate_t *issuer)
+	private_x509_crl_t *this, certificate_t *issuer, signature_scheme_t *schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@ -490,6 +490,10 @@ METHOD(certificate_t, issued_by, bool,
 	}
 	valid = key->verify(key, scheme, this->tbsCertList, this->signature);
 	key->destroy(key);
+	if (valid && schemep)
+	{
+		*schemep = scheme;
+	}
 	return valid;
 }

--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@ -364,7 +364,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }

 METHOD(certificate_t, issued_by, bool,
-	private_x509_ocsp_request_t *this, certificate_t *issuer)
+	private_x509_ocsp_request_t *this, certificate_t *issuer,
+	signature_scheme_t *scheme)
 {
 	DBG1(DBG_LIB, "OCSP request validation not implemented!");
 	return FALSE;
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@ -670,7 +670,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }

 METHOD(certificate_t, issued_by, bool,
-	private_x509_ocsp_response_t *this, certificate_t *issuer)
+	private_x509_ocsp_response_t *this, certificate_t *issuer,
+	signature_scheme_t *schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@ -722,6 +723,10 @@ METHOD(certificate_t, issued_by, bool,
 	}
 	valid = key->verify(key, scheme, this->tbsResponseData, this->signature);
 	key->destroy(key);
+	if (valid && schemep)
+	{
+		*schemep = scheme;
+	}
 	return valid;
 }

--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@ -123,10 +123,12 @@ METHOD(certificate_t, has_subject, id_match_t,
 }

 METHOD(certificate_t, issued_by, bool,
-	private_x509_pkcs10_t *this, certificate_t *issuer)
+	private_x509_pkcs10_t *this, certificate_t *issuer,
+	signature_scheme_t *schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
+	bool valid;

 	if (&this->public.interface.interface != issuer)
 	{
@ -150,8 +152,13 @@ METHOD(certificate_t, issued_by, bool,
 	{
 		return FALSE;
 	}
-	return key->verify(key, scheme, this->certificationRequestInfo,
-									this->signature);
+	valid = key->verify(key, scheme, this->certificationRequestInfo,
+						this->signature);
+	if (valid && schemep)
+	{
+		*schemep = scheme;
+	}
+	return valid;
 }

 METHOD(certificate_t, get_public_key, public_key_t*,
@ -441,7 +448,7 @@ end:
 	if (success)
 	{
 		/* check if the certificate request is self-signed */
-		if (issued_by(this, &this->public.interface.interface))
+		if (issued_by(this, &this->public.interface.interface, NULL))
 		{
 			this->self_signed = TRUE;
 		}
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@ -77,7 +77,7 @@ static int verify()
 	{
 		ca = cert;
 	}
-	if (cert->issued_by(cert, ca))
+	if (cert->issued_by(cert, ca, NULL))
 	{
 		if (cert->get_validity(cert, NULL, NULL, NULL))
 		{