1 /*
2 * Copyright (C) 2020 Tobias Brunner
3 * Copyright (C) 2007 Martin Willi
4 * Copyright (C) 2015 Andreas Steffen
5 *
6 * Copyright (C) secunet Security Networks AG
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "certificate.h"
20
21 #include <utils/debug.h>
22 #include <credentials/certificates/x509.h>
23
/*
 * Printable names for certificate_type_t, from CERT_ANY up to CERT_GPG.
 *
 * The strings are positional: the first one belongs to CERT_ANY, the last one
 * to CERT_GPG, and every entry in between names the next enum value. The list
 * therefore has to follow the order of the enum declaration (not visible in
 * this file) exactly.
 */
ENUM(certificate_type_names, CERT_ANY, CERT_GPG,
	"ANY",
	"X509",
	"X509_CRL",
	"OCSP_REQUEST",
	"OCSP_RESPONSE",
	"X509_AC",
	"PUBKEY",
	"PKCS10_REQUEST",
	"PGP",
);
35
/*
 * Printable names for the validation results VALIDATION_GOOD through
 * VALIDATION_REVOKED.
 *
 * The strings are positional, starting at VALIDATION_GOOD, so they must stay
 * in the same order as the enum declaration (not visible in this file). If
 * the two drift apart, a revocation result would be printed under the wrong
 * label wherever these names are used for output.
 */
ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED,
	"GOOD",
	"SKIPPED",
	"STALE",
	"FAILED",
	"ON_HOLD",
	"REVOKED",
);
44
/**
 * Decide whether this carries a later timestamp than other.
 *
 * Only the time each object reports through the third argument of
 * get_validity() is compared. The return value of get_validity() is ignored,
 * and nothing here inspects signatures, issuers or expiry, so the result is
 * an ordering check and not a trust decision. The log text ("replaced" /
 * "retained") suggests callers use the result to swap a stored object; the
 * function itself only logs and returns, and any authentication of this has
 * to happen in the caller before the result is acted on.
 *
 * @param this		candidate object; its type selects the word used in the log
 * @param other		object it is compared against, logged as "existing"
 * @return			TRUE only if this is strictly later, FALSE on equal
 *					timestamps
 */
bool certificate_is_newer(certificate_t *this, certificate_t *other)
{
	time_t ours, theirs;
	char *kind;
	bool is_newer;

	/* the type of this alone picks the label, other is not consulted */
	kind = (this->get_type(this) == CERT_X509_CRL) ? "crl" : "certificate";

	this->get_validity(this, NULL, &ours, NULL);
	other->get_validity(other, NULL, &theirs, NULL);

	/* strict comparison: an object with the same timestamp is not newer */
	is_newer = ours > theirs;

	DBG1(DBG_LIB, " %s from %T is %s - existing %s from %T %s",
		 kind, &ours, FALSE, is_newer ? "newer" : "not newer",
		 kind, &theirs, FALSE, is_newer ? "replaced" : "retained");
	return is_newer;
}
66
/**
 * Check whether a certificate fits a (certificate type, key type, identity)
 * filter.
 *
 * CERT_ANY, KEY_ANY and a NULL id each act as a wildcard, so a call with all
 * three accepts every certificate. This is a selection predicate only: it
 * looks at the certificate type, the key type, the key fingerprint and the
 * subject, and performs no validation of the certificate.
 *
 * @param cert		certificate to test
 * @param type		required certificate type, or CERT_ANY
 * @param key		required public key type, or KEY_ANY
 * @param id		identity to match, or NULL to accept any
 * @return			TRUE if the certificate passes all given criteria
 */
bool certificate_matches(certificate_t *cert, certificate_type_t type,
						 key_type_t key, identification_t *id)
{
	public_key_t *pubkey;
	bool key_ok = FALSE, fp_hit = FALSE;

	if (type != CERT_ANY && cert->get_type(cert) != type)
	{
		return FALSE;
	}
	pubkey = cert->get_public_key(cert);
	if (!pubkey)
	{
		/* without a key, only a KEY_ANY filter can still be satisfied */
		if (key != KEY_ANY)
		{
			return FALSE;
		}
	}
	else
	{
		key_ok = key == KEY_ANY || pubkey->get_type(pubkey) == key;
		if (key_ok && id)
		{
			/* id may name the key itself: its encoding is tested as a
			 * fingerprint of the public key before any subject comparison */
			fp_hit = pubkey->has_fingerprint(pubkey, id->get_encoding(id));
		}
		/* the key reference obtained above is released on every path */
		pubkey->destroy(pubkey);
		if (!key_ok)
		{
			return FALSE;
		}
		if (fp_hit)
		{
			return TRUE;
		}
	}
	/* any non-zero has_subject() result counts as a match here; if that
	 * method reports graded match levels, weaker ones pass as well - confirm
	 * against the header */
	return !id || cert->has_subject(cert, id);
}