* forward declaration
*/
static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this,
- key_type_t type, identification_t *id, bool crl, bool ocsp);
+ key_type_t type, identification_t *id, bool online);
/**
* Do an OCSP request
subject = &response->certificate;
responder = subject->get_issuer(subject);
- enumerator = create_trusted_enumerator(this, KEY_ANY, responder, FALSE, FALSE);
+ enumerator = create_trusted_enumerator(this, KEY_ANY, responder, FALSE);
while (enumerator->enumerate(enumerator, &issuer, NULL))
{
if (this->cache->issued_by(this->cache, subject, issuer))
bool verified = FALSE;
enumerator = create_trusted_enumerator(this, KEY_ANY, crl->get_issuer(crl),
- FALSE, FALSE);
+ FALSE);
while (enumerator->enumerate(enumerator, &issuer, NULL))
{
if (this->cache->issued_by(this->cache, crl, issuer))
*/
static bool check_certificate(private_credential_manager_t *this,
certificate_t *subject, certificate_t *issuer,
- bool crl, bool ocsp, auth_cfg_t *auth)
+ bool online, auth_cfg_t *auth)
{
time_t not_before, not_after;
{
return FALSE;
}
- if (ocsp || crl)
+ if (online)
{
DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
subject->get_subject(subject));
- }
- if (ocsp)
- {
switch (check_ocsp(this, (x509_t*)subject, (x509_t*)issuer, auth))
{
case VALIDATION_GOOD:
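Review bot: The single `online` flag now gates both revocation lookups, so after a failed OCSP check the `ocsp check failed, fallback to crl` path always reaches check_crl, whereas the old `if (ocsp)` / `if (crl)` pair (the second one removed in the next hunk) let a caller request only one of the two; this ordering is now a contract of check_certificate and should be stated in its header comment, whose body lies above the `*/` that opens the previous hunk. Suggested line for that comment: `* @param online TRUE to check revocation status online: OCSP first, CRL as fallback`. The remaining switch cases after VALIDATION_GOOD are outside the hunk, so whether a revoked or failed answer returns before the CRL check is not visible here.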
DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
break;
}
- }
- if (crl)
- {
switch (check_crl(this, (x509_t*)subject, (x509_t*)issuer, auth))
{
case VALIDATION_GOOD:
*/
static bool verify_trust_chain(private_credential_manager_t *this,
certificate_t *subject, auth_cfg_t *result,
- bool trusted, bool crl, bool ocsp)
+ bool trusted, bool online)
{
certificate_t *current, *issuer;
x509_t *x509;
break;
}
}
- if (!check_certificate(this, current, issuer, crl, ocsp,
+ if (!check_certificate(this, current, issuer, online,
current == subject ? auth : NULL))
{
trusted = FALSE;
key_type_t type;
/** identity the requested key belongs to */
identification_t *id;
- /** TRUE to do CRL checking */
- bool crl;
- /** TRUE to do OCSP checking */
- bool ocsp;
+ /** TRUE to do CRL/OCSP checking */
+ bool online;
/** pretrusted certificate we have served at first invocation */
certificate_t *pretrusted;
/** currently enumerating auth config */
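Review bot: The new `online` field's comment, `TRUE to do CRL/OCSP checking`, does not say when the flag is cleared, yet the hunks in check_ocsp and check_crl create their trust-chain enumerators with it FALSE when validating the signer of the OCSP response or CRL (`create_trusted_enumerator(this, KEY_ANY, responder, FALSE)` and the `crl->get_issuer(crl)` call), presumably to avoid recursive online lookups while a revocation check is already in progress. Recording that in the field comment would make the intent explicit: `/** TRUE to do CRL/OCSP checking; FALSE when validating CRL/OCSP signers */`. The enclosing trusted_enumerator_t definition starts before this hunk.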
if (this->this->cache->issued_by(this->this->cache,
this->pretrusted, this->pretrusted) ||
verify_trust_chain(this->this, this->pretrusted, this->auth,
- TRUE, this->crl, this->ocsp))
+ TRUE, this->online))
{
this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
this->pretrusted->get_ref(this->pretrusted));
DBG1(DBG_CFG, " using certificate \"%Y\"",
current->get_subject(current));
if (verify_trust_chain(this->this, current, this->auth, FALSE,
- this->crl, this->ocsp))
+ this->online))
{
*cert = current;
if (auth)
* create an enumerator over trusted certificates and their trustchain
*/
static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this,
- key_type_t type, identification_t *id, bool crl, bool ocsp)
+ key_type_t type, identification_t *id, bool online)
{
trusted_enumerator_t *enumerator = malloc_thing(trusted_enumerator_t);
enumerator->this = this;
enumerator->type = type;
enumerator->id = id;
- enumerator->crl = crl;
- enumerator->ocsp = ocsp;
+ enumerator->online = online;
enumerator->pretrusted = NULL;
enumerator->auth = NULL;
enumerator->public.enumerate = (void*)public_enumerate;
enumerator->public.destroy = (void*)public_destroy;
- enumerator->inner = create_trusted_enumerator(this, type, id, TRUE, TRUE);
+ enumerator->inner = create_trusted_enumerator(this, type, id, TRUE);
enumerator->this = this;
enumerator->current = NULL;
enumerator->wrapper = NULL;