ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

Simplified format of x509 CRL URI parsing/enumerator

This commit is contained in:
Martin Willi 2010-12-17 15:52:15 +01:00
parent e24a02a28f
commit a6478a0402
9 changed files with 179 additions and 231 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/libstrongswan/credentials/builder.c
View File

@ -41,7 +41,6 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
"BUILD_CA_CERT",
"BUILD_CERT",
"BUILD_CRL_DISTRIBUTION_POINTS",
"BUILD_CRL_ISSUER",
"BUILD_OCSP_ACCESS_LOCATIONS",
"BUILD_PATHLEN",
"BUILD_PERMITTED_NAME_CONSTRAINTS",

4
src/libstrongswan/credentials/builder.h
View File

@ -87,10 +87,8 @@ enum builder_part_t {
BUILD_CA_CERT,
/** a certificate, certificate_t* */
BUILD_CERT,
/** CRL distribution point URIs, linked_list_t* containing char* */
/** CRL distribution point URIs, x509_cdp_t* */
BUILD_CRL_DISTRIBUTION_POINTS,
/** CRL issuer for all distribution points follow up, identification_t* */
BUILD_CRL_ISSUER,
/** OCSP AuthorityInfoAccess locations, linked_list_t* containing char* */
BUILD_OCSP_ACCESS_LOCATIONS,
/** certificate path length constraint */

13
src/libstrongswan/credentials/certificates/x509.h
View File

@ -29,6 +29,7 @@
typedef struct x509_t x509_t;
typedef struct x509_cert_policy_t x509_cert_policy_t;
typedef struct x509_policy_mapping_t x509_policy_mapping_t;
typedef struct x509_cdp_t x509_cdp_t;
typedef enum x509_flag_t x509_flag_t;
/**
@ -77,6 +78,16 @@ struct x509_policy_mapping_t {
chunk_t subject;
};
/**
* X.509 CRL distributionPoint
*/
struct x509_cdp_t {
/** CDP URI, as string */
char *uri;
/** CRL issuer */
identification_t *issuer;
};
/**
* X.509 certificate interface.
*
@ -143,7 +154,7 @@ struct x509_t {
/**
* Create an enumerator over all CRL URIs and CRL Issuers.
*
* @return enumerator over URIs (char*, identificiation_t*)
* @return enumerator over x509_cdp_t
*/
enumerator_t* (*create_crl_uri_enumerator)(x509_t *this);

106
src/libstrongswan/plugins/openssl/openssl_x509.c
View File

@ -137,7 +137,7 @@ struct private_openssl_x509_t {
linked_list_t *issuerAltNames;
/**
* List of CRL URIs, as crl_uri_t
* List of CRL URIs, as x509_cdp_t
*/
linked_list_t *crl_uris;
@ -152,33 +152,12 @@ struct private_openssl_x509_t {
refcount_t ref;
};
/**
* CRL URIs with associated issuer
*/
typedef struct {
identification_t *issuer;
linked_list_t *uris;
} crl_uri_t;
/**
* Create a new issuer entry
*/
static crl_uri_t *crl_uri_create()
{
crl_uri_t *this;
INIT(this,
.uris = linked_list_create(),
);
return this;
}
/**
* Destroy a CRL URI struct
*/
static void crl_uri_destroy(crl_uri_t *this)
static void crl_uri_destroy(x509_cdp_t *this)
{
this->uris->destroy_function(this->uris, free);
free(this->uri);
DESTROY_IF(this->issuer);
free(this);
}
@ -289,36 +268,10 @@ METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
return this->subjectAltNames->create_enumerator(this->subjectAltNames);
}
/**
* Convert enumerator value from entry to (uri, issuer)
*/
static bool crl_enum_filter(identification_t *issuer_in,
char **uri_in, char **uri_out,
void *none_in, identification_t **issuer_out)
{
*uri_out = *uri_in;
if (issuer_out)
{
*issuer_out = issuer_in;
}
return TRUE;
}
/**
* Create inner enumerator over URIs
*/
static enumerator_t *crl_enum_create(crl_uri_t *entry)
{
return enumerator_create_filter(entry->uris->create_enumerator(entry->uris),
(void*)crl_enum_filter, entry->issuer, NULL);
}
METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*,
private_openssl_x509_t *this)
{
return enumerator_create_nested(
this->crl_uris->create_enumerator(this->crl_uris),
(void*)crl_enum_create, NULL, NULL);
return this->crl_uris->create_enumerator(this->crl_uris);
}
METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*,
@ -660,9 +613,10 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this,
{
CRL_DIST_POINTS *cdps;
DIST_POINT *cdp;
identification_t *id;
identification_t *id, *issuer;
x509_cdp_t *entry;
char *uri;
int i, j, point_num, name_num;
int i, j, k, point_num, name_num, issuer_num;
cdps = X509V3_EXT_d2i(ext);
if (!cdps)
@ -675,11 +629,6 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this,
cdp = sk_DIST_POINT_value(cdps, i);
if (cdp)
{
crl_uri_t *entry;
entry = crl_uri_create();
this->crl_uris->insert_last(this->crl_uris, entry);
if (cdp->distpoint && cdp->distpoint->type == 0 &&
cdp->distpoint->name.fullname)
{
@ -692,25 +641,38 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this,
{
if (asprintf(&uri, "%Y", id) > 0)
{
entry->uris->insert_last(entry->uris, uri);
if (cdp->CRLissuer)
{
issuer_num = sk_GENERAL_NAME_num(cdp->CRLissuer);
for (k = 0; k < issuer_num; k++)
{
issuer = general_name2id(
sk_GENERAL_NAME_value(cdp->CRLissuer, k));
if (issuer)
{
INIT(entry,
.uri = strdup(uri),
.issuer = issuer,
);
this->crl_uris->insert_last(
this->crl_uris, entry);
}
}
free(uri);
}
else
{
INIT(entry,
.uri = uri,
);
this->crl_uris->insert_last(this->crl_uris, entry);
}
}
id->destroy(id);
}
}
}
if (cdp->CRLissuer)
{
name_num = sk_GENERAL_NAME_num(cdp->CRLissuer);
for (j = 0; j < name_num; j++)
{
id = general_name2id(sk_GENERAL_NAME_value(cdp->CRLissuer, j));
if (id)
{ /* get only one */
entry->issuer = id;
break;
}
}
}
DIST_POINT_free(cdp);
}
}

16
src/libstrongswan/plugins/revocation/revocation_validator.c
View File

@ -486,13 +486,13 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
auth_cfg_t *auth)
{
cert_validation_t valid = VALIDATION_SKIPPED;
identification_t *id;
certificate_t *best = NULL;
identification_t *id;
x509_cdp_t *cdp;
bool uri_found = FALSE;
certificate_t *current;
enumerator_t *enumerator;
chunk_t chunk;
char *uri;
/* use issuers subjectKeyIdentifier to find a cached CRL / fetch from CDP */
chunk = issuer->get_subjectKeyIdentifier(issuer);
@ -506,11 +506,11 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
/* find a cached CRL or fetch via configured CDP via CRLIssuer */
enumerator = subject->create_crl_uri_enumerator(subject);
while (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED &&
enumerator->enumerate(enumerator, &uri, &id))
enumerator->enumerate(enumerator, &cdp))
{
if (id)
{
valid = find_crl(subject, id, auth, &best, &uri_found);
valid = find_crl(subject, cdp->issuer, auth, &best, &uri_found);
}
}
enumerator->destroy(enumerator);
@ -519,17 +519,17 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
{
enumerator = subject->create_crl_uri_enumerator(subject);
while (enumerator->enumerate(enumerator, &uri, &id))
while (enumerator->enumerate(enumerator, &cdp))
{
uri_found = TRUE;
current = fetch_crl(uri);
current = fetch_crl(cdp->uri);
if (current)
{
if (id && !current->has_issuer(current, id))
if (cdp->issuer && !current->has_issuer(current, cdp->issuer))
{
DBG1(DBG_CFG, "issuer of fetched CRL '%Y' does not match "
"certificates CRL issuer '%Y'",
current->get_issuer(current), id);
current->get_issuer(current), cdp->issuer);
current->destroy(current);
continue;
}

216
src/libstrongswan/plugins/x509/x509_cert.c
View File

@ -117,7 +117,7 @@ struct private_x509_cert_t {
linked_list_t *subjectAltNames;
/**
* List of crlDistributionPoints as crl_uri_t
* List of crlDistributionPoints as x509_cdp_t*
*/
linked_list_t *crl_uris;
@ -217,33 +217,11 @@ static const chunk_t ASN1_subjectAltName_oid = chunk_from_chars(
);
/**
* CRL URIs with associated issuer
* Destroy a CertificateDistributionPoint
*/
typedef struct {
identification_t *issuer;
linked_list_t *uris;
} crl_uri_t;
/**
* Create a new issuer entry
*/
static crl_uri_t *crl_uri_create(identification_t *issuer)
static void crl_uri_destroy(x509_cdp_t *this)
{
crl_uri_t *this;
INIT(this,
.issuer = issuer ? issuer->clone(issuer) : NULL,
.uris = linked_list_create(),
);
return this;
}
/**
* Destroy a CRL URI struct
*/
static void crl_uri_destroy(crl_uri_t *this)
{
this->uris->destroy_function(this->uris, free);
free(this->uri);
DESTROY_IF(this->issuer);
free(this);
}
@ -795,20 +773,64 @@ static const asn1Object_t crlDistributionPointsObjects[] = {
#define CRL_DIST_POINTS_FULLNAME 3
#define CRL_DIST_POINTS_ISSUER 10
/**
* Add entry to the list of each pairing of URI and Issuer
*/
static void add_cdps(linked_list_t *list, linked_list_t *uris,
linked_list_t *issuers)
{
identification_t *issuer, *id;
enumerator_t *enumerator;
x509_cdp_t *cdp;
char *uri;
while (uris->remove_last(uris, (void**)&id) == SUCCESS)
{
if (asprintf(&uri, "%Y", id) > 0)
{
if (issuers->get_count(issuers))
{
enumerator = issuers->create_enumerator(issuers);
while (enumerator->enumerate(enumerator, &issuer))
{
INIT(cdp,
.uri = strdup(uri),
.issuer = issuer->clone(issuer),
);
list->insert_last(list, cdp);
}
enumerator->destroy(enumerator);
free(uri);
}
else
{
INIT(cdp,
.uri = uri,
);
list->insert_last(list, cdp);
}
}
id->destroy(id);
}
while (issuers->remove_last(issuers, (void**)&id) == SUCCESS)
{
id->destroy(id);
}
}
/**
* Extracts one or several crlDistributionPoints into a list
*/
static void parse_crlDistributionPoints(chunk_t blob, int level0,
private_x509_cert_t *this)
void x509_parse_crlDistributionPoints(chunk_t blob, int level0,
linked_list_t *list)
{
linked_list_t *uris, *issuers;
asn1_parser_t *parser;
chunk_t object;
int objectID;
crl_uri_t *entry = NULL;
identification_t *id;
char *uri;
linked_list_t *list = linked_list_create();
uris = linked_list_create();
issuers = linked_list_create();
parser = asn1_parser_create(crlDistributionPointsObjects, blob);
parser->set_top_level(parser, level0);
@ -817,46 +839,26 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0,
switch (objectID)
{
case CRL_DIST_POINTS:
entry = crl_uri_create(NULL);
this->crl_uris->insert_last(this->crl_uris, entry);
add_cdps(list, uris, issuers);
break;
case CRL_DIST_POINTS_FULLNAME:
if (entry)
{
x509_parse_generalNames(object, parser->get_level(parser)+1,
TRUE, list);
while (list->remove_last(list, (void**)&id) == SUCCESS)
{
if (asprintf(&uri, "%Y", id) > 0)
{
entry->uris->insert_last(entry->uris, uri);
}
id->destroy(id);
}
}
x509_parse_generalNames(object, parser->get_level(parser) + 1,
TRUE, uris);
break;
case CRL_DIST_POINTS_ISSUER:
if (entry)
{
x509_parse_generalNames(object, parser->get_level(parser)+1,
TRUE, list);
while (list->remove_last(list, (void**)&id) == SUCCESS)
{
if (!entry->issuer)
{
entry->issuer = id;
}
else
{
id->destroy(id);
}
}
}
x509_parse_generalNames(object, parser->get_level(parser) + 1,
TRUE, issuers);
break;
default:
break;
}
}
parser->destroy(parser);
list->destroy(list);
add_cdps(list, uris, issuers);
uris->destroy(uris);
issuers->destroy(issuers);
}
/**
@ -1391,7 +1393,8 @@ static bool parse_certificate(private_x509_cert_t *this)
parse_basicConstraints(object, level, this);
break;
case OID_CRL_DISTRIBUTION_POINTS:
parse_crlDistributionPoints(object, level, this);
x509_parse_crlDistributionPoints(object, level,
this->crl_uris);
break;
case OID_AUTHORITY_KEY_ID:
this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
@ -1741,36 +1744,10 @@ METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*,
return this->ocsp_uris->create_enumerator(this->ocsp_uris);
}
/**
* Convert enumerator value from entry to (uri, issuer)
*/
static bool crl_enum_filter(identification_t *issuer_in,
char **uri_in, char **uri_out,
void *none_in, identification_t **issuer_out)
{
*uri_out = *uri_in;
if (issuer_out)
{
*issuer_out = issuer_in;
}
return TRUE;
}
/**
* Create inner enumerator over URIs
*/
static enumerator_t *crl_enum_create(crl_uri_t *entry)
{
return enumerator_create_filter(entry->uris->create_enumerator(entry->uris),
(void*)crl_enum_filter, entry->issuer, NULL);
}
METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*,
private_x509_cert_t *this)
{
return enumerator_create_nested(
this->crl_uris->create_enumerator(this->crl_uris),
(void*)crl_enum_create, NULL, NULL);
return this->crl_uris->create_enumerator(this->crl_uris);
}
METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*,
@ -1968,11 +1945,11 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
chunk_t policyConstraints = chunk_empty;
identification_t *issuer, *subject;
crl_uri_t *entry;
x509_cdp_t *cdp;
chunk_t key_info;
signature_scheme_t scheme;
hasher_t *hasher;
enumerator_t *enumerator, *uris;
enumerator_t *enumerator;
char *uri;
subject = cert->subject;
@ -2023,28 +2000,21 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
/* encode CRL distribution points extension */
enumerator = cert->crl_uris->create_enumerator(cert->crl_uris);
while (enumerator->enumerate(enumerator, &entry))
while (enumerator->enumerate(enumerator, &cdp))
{
chunk_t distributionPoint, gn;
chunk_t crlIssuer = chunk_empty, gns = chunk_empty;
chunk_t distributionPoint, crlIssuer = chunk_empty;
if (entry->issuer)
if (cdp->issuer)
{
crlIssuer = asn1_wrap(ASN1_CONTEXT_C_2, "m",
build_generalName(entry->issuer));
build_generalName(cdp->issuer));
}
uris = entry->uris->create_enumerator(entry->uris);
while (uris->enumerate(uris, &uri))
{
gn = asn1_wrap(ASN1_CONTEXT_S_6, "c", chunk_create(uri, strlen(uri)));
gns = chunk_cat("mm", gns, gn);
}
uris->destroy(uris);
distributionPoint = asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_wrap(ASN1_CONTEXT_C_0, "m",
asn1_wrap(ASN1_CONTEXT_C_0, "m", gns)),
crlIssuer);
asn1_wrap(ASN1_CONTEXT_C_0, "m",
asn1_wrap(ASN1_CONTEXT_C_0, "m",
asn1_wrap(ASN1_CONTEXT_S_6, "c",
chunk_create(cdp->uri, strlen(cdp->uri))))),
crlIssuer);
crlDistributionPoints = chunk_cat("mm", crlDistributionPoints,
distributionPoint);
}
@ -2385,7 +2355,6 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
private_x509_cert_t *cert;
certificate_t *sign_cert = NULL;
private_key_t *sign_key = NULL;
identification_t *crl_issuer = NULL;
hash_algorithm_t digest_alg = HASH_SHA1;
cert = create_empty();
@ -2430,26 +2399,19 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
{
enumerator_t *enumerator;
linked_list_t *list;
crl_uri_t *entry;
char *uri;
x509_cdp_t *in, *cdp;
list = va_arg(args, linked_list_t*);
if (list->get_count(list))
enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, &in))
{
entry = crl_uri_create(crl_issuer);
enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, &uri))
{
entry->uris->insert_last(entry->uris, strdup(uri));
}
enumerator->destroy(enumerator);
cert->crl_uris->insert_last(cert->crl_uris, entry);
INIT(cdp,
.uri = strdup(in->uri),
.issuer = in->issuer ? in->issuer->clone(in->issuer) : NULL,
);
cert->crl_uris->insert_last(cert->crl_uris, cdp);
}
continue;
}
case BUILD_CRL_ISSUER:
{
crl_issuer = va_arg(args, identification_t*);
enumerator->destroy(enumerator);
continue;
}
case BUILD_OCSP_ACCESS_LOCATIONS:

33
src/pki/commands/issue.c
View File

@ -43,6 +43,15 @@ static void destroy_policy_mapping(x509_policy_mapping_t *mapping)
free(mapping);
}
/**
* Free a CRL DistributionPoint
*/
static void destroy_cdp(x509_cdp_t *this)
{
DESTROY_IF(this->issuer);
free(this);
}
/**
* Issue a certificate using a CA certificate and key
*/
@ -56,7 +65,7 @@ static int issue()
bool pkcs10 = FALSE;
char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL;
char *error = NULL, *keyid = NULL;
identification_t *id = NULL, *crl_issuer = NULL;;
identification_t *id = NULL;
linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies, *mappings;
int lifetime = 1095;
int pathlen = X509_NO_CONSTRAINT;
@ -66,6 +75,7 @@ static int issue()
time_t not_before, not_after;
x509_flag_t flags = 0;
x509_t *x509;
x509_cdp_t *cdp = NULL;
x509_cert_policy_t *policy = NULL;
char *arg;
@ -233,10 +243,18 @@ static int issue()
}
continue;
case 'u':
cdps->insert_last(cdps, arg);
INIT(cdp,
.uri = strdup(arg),
);
cdps->insert_last(cdps, cdp);
continue;
case 'I':
crl_issuer = identification_create_from_string(arg);
if (!cdp || cdp->issuer)
{
error = "--crlissuer must follow a --crl";
goto usage;
}
cdp->issuer = identification_create_from_string(arg);
continue;
case 'o':
ocsp->insert_last(ocsp, arg);
@ -420,7 +438,6 @@ static int issue()
BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags,
BUILD_PATHLEN, pathlen,
BUILD_CRL_ISSUER, crl_issuer,
BUILD_CRL_DISTRIBUTION_POINTS, cdps,
BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
BUILD_PERMITTED_NAME_CONSTRAINTS, permitted,
@ -458,9 +475,8 @@ end:
excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
policies->destroy_function(policies, (void*)destroy_cert_policy);
mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
cdps->destroy(cdps);
cdps->destroy_function(cdps, (void*)destroy_cdp);
ocsp->destroy(ocsp);
DESTROY_IF(crl_issuer);
free(encoding.ptr);
free(serial.ptr);
@ -477,9 +493,8 @@ usage:
excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
policies->destroy_function(policies, (void*)destroy_cert_policy);
mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
cdps->destroy(cdps);
cdps->destroy_function(cdps, (void*)destroy_cdp);
ocsp->destroy(ocsp);
DESTROY_IF(crl_issuer);
return command_usage(error);
}
@ -493,7 +508,7 @@ static void __attribute__ ((constructor))reg()
"issue a certificate using a CA certificate and key",
{"[--in file] [--type pub|pkcs10] --cakey file | --cakeyid hex",
" --cacert file --dn subject-dn [--san subjectAltName]+",
"[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+",
"[--lifetime days] [--serial hex] [--crl uri [--crlissuer i] ]+ [--ocsp uri]+",
"[--ca] [--pathlen len] [--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
"[--nc-permitted name] [--nc-excluded name]",
"[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+",

11
src/pki/commands/print.c
View File

@ -75,6 +75,7 @@ static void print_x509(x509_t *x509)
char *uri;
int len;
x509_flag_t flags;
x509_cdp_t *cdp;
x509_cert_policy_t *policy;
x509_policy_mapping_t *mapping;
@ -140,20 +141,20 @@ static void print_x509(x509_t *x509)
first = TRUE;
enumerator = x509->create_crl_uri_enumerator(x509);
while (enumerator->enumerate(enumerator, &uri, &id))
while (enumerator->enumerate(enumerator, &cdp))
{
if (first)
{
printf("CRL URIs: %s", uri);
printf("CRL URIs: %s", cdp->uri);
first = FALSE;
}
else
{
printf(" %s", uri);
printf(" %s", cdp->uri);
}
if (id)
if (cdp->issuer)
{
printf(" (CRL issuer: %Y)", id);
printf(" (CRL issuer: %Y)", cdp->issuer);
}
printf("\n");
}

10
src/pluto/crl.c
View File

@ -352,7 +352,7 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate,
x509crl_t *x509crl;
ca_info_t *ca;
enumerator_t *enumerator;
char *point;
x509_cdp_t *cdp;
ca = get_ca_info(issuer, authKeyID);
@ -376,9 +376,9 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate,
}
enumerator = x509->create_crl_uri_enumerator(x509);
while (enumerator->enumerate(enumerator, &point, NULL))
while (enumerator->enumerate(enumerator, &cdp))
{
add_distribution_point(crluris, point);
add_distribution_point(crluris, cdp->uri);
}
enumerator->destroy(enumerator);
@ -416,9 +416,9 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate,
}
enumerator = x509->create_crl_uri_enumerator(x509);
while (enumerator->enumerate(enumerator, &point, NULL))
while (enumerator->enumerate(enumerator, &cdp))
{
add_distribution_point(x509crl->distributionPoints, point);
add_distribution_point(x509crl->distributionPoints, cdp->uri);
}
enumerator->destroy(enumerator);