/**
* check the signature of an OCSP response
*/
-static bool verify_ocsp(ocsp_response_t *response)
+static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth)
{
certificate_t *issuer, *subject;
identification_t *responder;
ocsp_response_wrapper_t *wrapper;
enumerator_t *enumerator;
+ auth_cfg_t *current;
bool verified = FALSE;
wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response);
responder = subject->get_issuer(subject);
enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
KEY_ANY, responder, FALSE);
- while (enumerator->enumerate(enumerator, &issuer, NULL))
+ while (enumerator->enumerate(enumerator, &issuer, ¤t))
{
if (lib->credmgr->issued_by(lib->credmgr, subject, issuer))
{
DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"",
issuer->get_subject(issuer));
+ if (auth)
+ {
+ auth->merge(auth, current, FALSE);
+ }
verified = TRUE;
break;
}
* Get the better of two OCSP responses, and check for usable OCSP info
*/
static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best,
- x509_t *subject, x509_t *issuer, cert_validation_t *valid, bool cache)
+ x509_t *subject, x509_t *issuer, cert_validation_t *valid,
+ auth_cfg_t *auth, bool cache)
{
ocsp_response_t *response;
time_t revocation, this_update, next_update, valid_until;
response = (ocsp_response_t*)cand;
/* check ocsp signature */
- if (!verify_ocsp(response))
+ if (!verify_ocsp(response, auth))
{
DBG1(DBG_CFG, "ocsp response verification failed");
cand->destroy(cand);
while (enumerator->enumerate(enumerator, ¤t))
{
current->get_ref(current);
- best = get_better_ocsp(current, best, subject, issuer, &valid, FALSE);
+ best = get_better_ocsp(current, best, subject, issuer,
+ &valid, auth, FALSE);
if (best && valid != VALIDATION_STALE)
{
DBG1(DBG_CFG, " using cached ocsp response");
if (current)
{
best = get_better_ocsp(current, best, subject, issuer,
- &valid, TRUE);
+ &valid, auth, TRUE);
if (best && valid != VALIDATION_STALE)
{
break;
if (current)
{
best = get_better_ocsp(current, best, subject, issuer,
- &valid, TRUE);
+ &valid, auth, TRUE);
if (best && valid != VALIDATION_STALE)
{
break;
/**
* check the signature of an CRL
*/
-static bool verify_crl(certificate_t *crl)
+static bool verify_crl(certificate_t *crl, auth_cfg_t *auth)
{
certificate_t *issuer;
enumerator_t *enumerator;
bool verified = FALSE;
+ auth_cfg_t *current;
enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
KEY_ANY, crl->get_issuer(crl), FALSE);
- while (enumerator->enumerate(enumerator, &issuer, NULL))
+ while (enumerator->enumerate(enumerator, &issuer, ¤t))
{
if (lib->credmgr->issued_by(lib->credmgr, crl, issuer))
{
DBG1(DBG_CFG, " crl correctly signed by \"%Y\"",
issuer->get_subject(issuer));
+ if (auth)
+ {
+ auth->merge(auth, current, FALSE);
+ }
verified = TRUE;
break;
}
* Get the better of two CRLs, and check for usable CRL info
*/
static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
- x509_t *subject, cert_validation_t *valid, bool cache)
+ x509_t *subject, cert_validation_t *valid, auth_cfg_t *auth, bool cache)
{
enumerator_t *enumerator;
time_t revocation, valid_until;
crl_t *crl;
/* check CRL signature */
- if (!verify_crl(cand))
+ if (!verify_crl(cand, auth))
{
DBG1(DBG_CFG, "crl response verification failed");
cand->destroy(cand);
* Find or fetch a certificate for a given crlIssuer
*/
static cert_validation_t find_crl(x509_t *subject, identification_t *issuer,
- certificate_t **best, bool *uri_found)
+ auth_cfg_t *auth, certificate_t **best, bool *uri_found)
{
cert_validation_t valid = VALIDATION_SKIPPED;
enumerator_t *enumerator;
while (enumerator->enumerate(enumerator, ¤t))
{
current->get_ref(current);
- *best = get_better_crl(current, *best, subject, &valid, FALSE);
+ *best = get_better_crl(current, *best, subject, &valid, auth, FALSE);
if (*best && valid != VALIDATION_STALE)
{
DBG1(DBG_CFG, " using cached crl");
}
if (current)
{
- *best = get_better_crl(current, *best, subject, &valid, TRUE);
+ *best = get_better_crl(current, *best, subject,
+ &valid, auth, TRUE);
if (*best && valid != VALIDATION_STALE)
{
break;
if (chunk.len)
{
id = identification_create_from_encoding(ID_KEY_ID, chunk);
- valid = find_crl(subject, id, &best, &uri_found);
+ valid = find_crl(subject, id, auth, &best, &uri_found);
id->destroy(id);
}
{
if (id)
{
- valid = find_crl(subject, id, &best, &uri_found);
+ valid = find_crl(subject, id, auth, &best, &uri_found);
}
}
enumerator->destroy(enumerator);
current->destroy(current);
continue;
}
- best = get_better_crl(current, best, subject, &valid, TRUE);
+ best = get_better_crl(current, best, subject, &valid,
+ auth, TRUE);
if (best && valid != VALIDATION_STALE)
{
break;
projects / thirdparty / strongswan.git / commitdiff
