METHOD(cert_validator_t, validate, bool,
private_addrblock_validator_t *this, certificate_t *subject,
- certificate_t *issuer, bool online, u_int pathlen, bool anchor,
- auth_cfg_t *auth)
+ certificate_t *issuer, u_int pathlen, bool anchor, auth_cfg_t *auth)
{
if (subject->get_type(subject) == CERT_X509 &&
issuer->get_type(issuer) == CERT_X509)
}
METHOD(cert_validator_t, validate, bool,
- private_coupling_validator_t *this,
- certificate_t *subject, certificate_t *issuer,
- bool online, u_int pathlen, bool anchor, auth_cfg_t *auth)
+ private_coupling_validator_t *this, certificate_t *subject,
+ certificate_t *issuer, u_int pathlen, bool anchor, auth_cfg_t *auth)
{
bool valid = FALSE;
char hash[MAX_HASH_SIZE];
/*
+ * Copyright (C) 2022 Tobias Brunner
* Copyright (C) 2010 Martin Willi
*
* Copyright (C) secunet Security Networks AG
*/
status_t (*check_lifetime)(cert_validator_t *this, certificate_t *cert,
int pathlen, bool anchor, auth_cfg_t *auth);
+
/**
* Validate a subject certificate in relation to its issuer.
*
*
* @param subject subject certificate to check
* @param issuer issuer of subject
- * @param online whether to do online revocation checking
* @param pathlen the current length of the path bottom-up
* @param anchor is issuer trusted root anchor
* @param auth container for resulting authentication info
* @return TRUE if subject certificate valid
*/
bool (*validate)(cert_validator_t *this, certificate_t *subject,
- certificate_t *issuer, bool online, u_int pathlen,
- bool anchor, auth_cfg_t *auth);
+ certificate_t *issuer, u_int pathlen, bool anchor,
+ auth_cfg_t *auth);
+
+ /**
+ * Do extended online revocation checking for the given subject certificate
+ * in relation to its issuer.
+ *
+ * If FALSE is returned, the validator should call_hook() on the
+ * credential manager with an appropriate type and the certificate.
+ *
+ * @note This is called after successful basic validation of the complete
+ * trust chain including validation via validate().
+ *
+ * @param subject subject certificate to check
+ * @param issuer issuer of subject
+ * @param pathlen the current length of the path bottom-up
+ * @param anchor is issuer trusted root anchor
+ * @param auth container for resulting authentication info
+ * @return TRUE if subject certificate valid
+ */
+ bool (*validate_online)(cert_validator_t *this, certificate_t *subject,
+ certificate_t *issuer, u_int pathlen, bool anchor,
+ auth_cfg_t *auth);
};
#endif /** CERT_VALIDATOR_H_ @}*/
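Review bot: Neither the validate nor the new validate_online documentation says the hook is optional, yet the credential manager null-checks both before calling them (`if (validator->validate &&` and `if (validator->validate_online &&` elsewhere in this diff), so an implementation may leave either pointer NULL. Since validate_online is now the only place online revocation status is enforced, that contract is worth stating so plugin authors do not assume a NULL hook is rejected at registration; add `@note Optional; may be NULL if the validator does no online checking.` to validate_online and the equivalent wording to validate.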
/*
- * Copyright (C) 2015 Tobias Brunner
+ * Copyright (C) 2015-2022 Tobias Brunner
* Copyright (C) 2007 Martin Willi
*
* Copyright (C) secunet Security Networks AG
}
/**
- * check a certificate for its lifetime
+ * Check a certificate's lifetime and consult plugins
*/
static bool check_certificate(private_credential_manager_t *this,
- certificate_t *subject, certificate_t *issuer, bool online,
- int pathlen, bool anchor, auth_cfg_t *auth)
+ certificate_t *subject, certificate_t *issuer,
+ int pathlen, bool anchor, auth_cfg_t *auth)
{
cert_validator_t *validator;
enumerator_t *enumerator;
enumerator = this->validators->create_enumerator(this->validators);
while (enumerator->enumerate(enumerator, &validator))
{
- if (!validator->validate)
+ if (validator->validate &&
+ !validator->validate(validator, subject, issuer,
+ pathlen, anchor, auth))
{
- continue;
+ enumerator->destroy(enumerator);
+ return FALSE;
}
- if (!validator->validate(validator, subject, issuer,
- online, pathlen, anchor, auth))
+ }
+ enumerator->destroy(enumerator);
+ return TRUE;
+}
+
+/**
+ * Do online revocation checking
+ */
+static bool check_certificate_online(private_credential_manager_t *this,
+ certificate_t *subject, certificate_t *issuer,
+ int pathlen, bool anchor, auth_cfg_t *auth)
+{
+ cert_validator_t *validator;
+ enumerator_t *enumerator;
+
+ enumerator = this->validators->create_enumerator(this->validators);
+ while (enumerator->enumerate(enumerator, &validator))
+ {
+ if (validator->validate_online &&
+ !validator->validate_online(validator, subject, issuer,
+ pathlen, anchor, auth))
{
enumerator->destroy(enumerator);
return FALSE;
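Review bot: The new header comment `Do online revocation checking` on check_certificate_online does not say what happens when no registered validator implements validate_online: the condition `if (validator->validate_online &&` skips such validators, so the function presumably returns TRUE for a chain that no plugin ever checked against CRL or OCSP (the function's tail is outside the hunk). I would make that explicit, e.g. `/** Do online revocation checking via validators implementing validate_online(); validators without that hook are skipped, so with none registered this step passes unchecked. */`. The same applies to check_certificate, whose updated comment `Check a certificate's lifetime and consult plugins` promises a lifetime check the visible body does not perform itself — it only calls validator->validate — so either name the validator that performs it or drop that part of the comment.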
break;
}
}
- /* don't do online verification here */
- if (!check_certificate(this, current, issuer, FALSE,
- pathlen, is_anchor, auth))
+ if (!check_certificate(this, current, issuer, pathlen, is_anchor, auth))
{
trusted = FALSE;
issuer->destroy(issuer);
{
if (rule == AUTH_RULE_CA_CERT || rule == AUTH_RULE_IM_CERT)
{
- if (!check_certificate(this, current, issuer, TRUE, pathlen++,
- rule == AUTH_RULE_CA_CERT, auth))
+ if (!check_certificate_online(this, current, issuer, pathlen++,
+ rule == AUTH_RULE_CA_CERT, auth))
{
trusted = FALSE;
break;
METHOD(cert_validator_t, validate, bool,
private_acert_validator_t *this, certificate_t *subject,
- certificate_t *issuer, bool online, u_int pathlen, bool anchor,
- auth_cfg_t *auth)
+ certificate_t *issuer, u_int pathlen, bool anchor, auth_cfg_t *auth)
{
/* for X.509 end entity certs only */
if (pathlen == 0 && subject->get_type(subject) == CERT_X509)
METHOD(cert_validator_t, validate, bool,
private_constraints_validator_t *this, certificate_t *subject,
- certificate_t *issuer, bool online, u_int pathlen, bool anchor,
- auth_cfg_t *auth)
+ certificate_t *issuer, u_int pathlen, bool anchor, auth_cfg_t *auth)
{
if (issuer->get_type(issuer) == CERT_X509 &&
subject->get_type(subject) == CERT_X509)
return valid;
}
-METHOD(cert_validator_t, validate, bool,
+METHOD(cert_validator_t, validate_online, bool,
private_revocation_validator_t *this, certificate_t *subject,
- certificate_t *issuer, bool online, u_int pathlen, bool anchor,
- auth_cfg_t *auth)
+ certificate_t *issuer, u_int pathlen, bool anchor, auth_cfg_t *auth)
{
bool enable_ocsp, enable_crl;
u_int timeout;
timeout = this->timeout;
this->lock->unlock(this->lock);
- if (online && (enable_ocsp || enable_crl) &&
+ if ((enable_ocsp || enable_crl) &&
subject->get_type(subject) == CERT_X509 &&
issuer->get_type(issuer) == CERT_X509)
{
INIT(this,
.public = {
- .validator.validate = _validate,
+ .validator.validate_online = _validate_online,
.reload = _reload,
.destroy = _destroy,
},