From: Tobias Brunner Date: Fri, 13 Oct 2017 12:33:43 +0000 (+0200) Subject: certificate: Return signature scheme and parameters from issued_by() method X-Git-Tag: 5.6.1rc1~6^2~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=024b979522fa8cad18bef96208064db5e68e228e;p=thirdparty%2Fstrongswan.git certificate: Return signature scheme and parameters from issued_by() method This also required some include restructuring (avoid including library.h in headers) to avoid unresolvable circular dependencies. --- diff --git a/src/charon-tkm/src/tkm/tkm_private_key.c b/src/charon-tkm/src/tkm/tkm_private_key.c index 02351b61c4..891b579eeb 100644 --- a/src/charon-tkm/src/tkm/tkm_private_key.c +++ b/src/charon-tkm/src/tkm/tkm_private_key.c @@ -14,6 +14,7 @@ * for more details. */ +#include #include #include #include diff --git a/src/charon-tkm/src/tkm/tkm_public_key.c b/src/charon-tkm/src/tkm/tkm_public_key.c index 788336cc1b..2a14a9bdd7 100644 --- a/src/charon-tkm/src/tkm/tkm_public_key.c +++ b/src/charon-tkm/src/tkm/tkm_public_key.c @@ -14,6 +14,7 @@ * for more details. */ +#include #include #include "tkm_public_key.h" diff --git a/src/libcharon/sa/ikev1/iv_manager.c b/src/libcharon/sa/ikev1/iv_manager.c index c9f737ccde..2a6e5c04f1 100644 --- a/src/libcharon/sa/ikev1/iv_manager.c +++ b/src/libcharon/sa/ikev1/iv_manager.c @@ -15,6 +15,7 @@ #include "iv_manager.h" +#include #include /** diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h index d59126bd51..6dc5c76941 100644 --- a/src/libstrongswan/credentials/certificates/certificate.h +++ b/src/libstrongswan/credentials/certificates/certificate.h @@ -25,9 +25,9 @@ typedef struct certificate_t certificate_t; typedef enum certificate_type_t certificate_type_t; typedef enum cert_validation_t cert_validation_t; -#include #include #include +#include #include /** 
@@ -139,11 +139,12 @@ struct certificate_t { * Check if this certificate is issued and signed by a specific issuer. * * @param issuer issuer's certificate - * @param scheme receives signature scheme used during verification + * @param scheme receives used signature scheme and parameters, if + * given (allocated) * @return TRUE if certificate issued by issuer and trusted */ bool (*issued_by)(certificate_t *this, certificate_t *issuer, - signature_scheme_t *scheme); + signature_params_t **scheme); /** * Get the public key associated to this certificate. diff --git a/src/libstrongswan/credentials/containers/pkcs12.c b/src/libstrongswan/credentials/containers/pkcs12.c index 9e7815d04d..8cc6a6c63d 100644 --- a/src/libstrongswan/credentials/containers/pkcs12.c +++ b/src/libstrongswan/credentials/containers/pkcs12.c @@ -15,6 +15,7 @@ #include "pkcs12.h" +#include #include /** diff --git a/src/libstrongswan/credentials/cred_encoding.h b/src/libstrongswan/credentials/cred_encoding.h index 0b65364301..1129357ba3 100644 --- a/src/libstrongswan/credentials/cred_encoding.h +++ b/src/libstrongswan/credentials/cred_encoding.h @@ -25,7 +25,7 @@ typedef struct cred_encoding_t cred_encoding_t; typedef enum cred_encoding_type_t cred_encoding_type_t; typedef enum cred_encoding_part_t cred_encoding_part_t; -#include +#include /** * Credential encoder function implementing encoding/fingerprinting. diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index 9be7407ef3..a4a092e368 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c @@ -488,7 +488,7 @@ METHOD(credential_manager_t, remove_local_set, void, METHOD(credential_manager_t, issued_by, bool, private_credential_manager_t *this, certificate_t *subject, - certificate_t *issuer, signature_scheme_t *scheme) + certificate_t *issuer, signature_params_t **scheme) { if (this->cache) { 
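Review bot: The new `@param scheme` wording in certificate.h says "(allocated)" but not who owns the allocation or how it is released, and that is the one fact every caller of issued_by() now needs: the cert_cache implementation hands back a clone and the x509/openssl implementations allocate with INIT, so the caller must free it in all cases. Suggest `@param scheme receives used signature scheme and parameters, if given (allocated, caller must free with signature_params_destroy())`. The same wording appears in the credential_manager.h and cert_cache.h hunks below and would benefit from the same change. Spelling out ownership here is what lets a reader check the verify_trust_chain and cert_cache call sites in this commit for leaks or double frees.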
@@ -661,7 +661,7 @@ static certificate_t *get_pretrusted_cert(private_credential_manager_t *this, */ static certificate_t *get_issuer_cert(private_credential_manager_t *this, certificate_t *subject, bool trusted, - signature_scheme_t *scheme) + signature_params_t **scheme) { enumerator_t *enumerator; certificate_t *issuer = NULL, *candidate; @@ -723,7 +723,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, { certificate_t *current, *issuer; auth_cfg_t *auth; - signature_scheme_t scheme; + signature_params_t *scheme; int pathlen; auth = auth_cfg_create(); @@ -750,7 +750,8 @@ static bool verify_trust_chain(private_credential_manager_t *this, DBG1(DBG_CFG, " using trusted intermediate ca certificate " "\"%Y\"", issuer->get_subject(issuer)); } - auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme); + auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme->scheme); + signature_params_destroy(scheme); } else { @@ -768,7 +769,8 @@ static bool verify_trust_chain(private_credential_manager_t *this, auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer)); DBG1(DBG_CFG, " using untrusted intermediate certificate " "\"%Y\"", issuer->get_subject(issuer)); - auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme); + auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme->scheme); + signature_params_destroy(scheme); } else { diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h index 022ca566c4..d99f29b850 100644 --- a/src/libstrongswan/credentials/credential_manager.h +++ b/src/libstrongswan/credentials/credential_manager.h 
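Review bot: In verify_trust_chain the local `signature_params_t *scheme;` (hunk @@ -723) is never initialised or reset, yet both new `signature_params_destroy(scheme)` calls free it inside the chain-walking loop; if a later iteration's get_issuer_cert() returns an issuer without populating it (its body is outside these hunks), the already-freed pointer is dereferenced by `scheme->scheme`. Declaring it `signature_params_t *scheme = NULL;` and following each destroy with `scheme = NULL;` keeps the failure mode a NULL dereference rather than a use-after-free. Separately, only `scheme->scheme` is recorded under AUTH_RULE_SIGNATURE_SCHEME and the parameters are discarded, so the auth config cannot yet distinguish signatures that differ only in their parameters; if that is intentional for this commit, a comment at the `auth->add` lines saying so would help. verify_trust_chain begins and ends outside these hunks.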
@@ -241,12 +241,13 @@ struct credential_manager_t { * * @param subject subject certificate to check * @param issuer issuer certificate that potentially has signed subject - * @param scheme receives used signature scheme, if given + * @param scheme receives used signature scheme and parameters, if + * given (allocated) * @return TRUE if issuer signed subject */ bool (*issued_by)(credential_manager_t *this, certificate_t *subject, certificate_t *issuer, - signature_scheme_t *scheme); + signature_params_t **scheme); /** * Register a credential set to the manager. diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h index 186530ff6e..d6a0a7bc9c 100644 --- a/src/libstrongswan/credentials/keys/public_key.h +++ b/src/libstrongswan/credentials/keys/public_key.h @@ -28,7 +28,6 @@ typedef enum key_type_t key_type_t; typedef enum signature_scheme_t signature_scheme_t; typedef enum encryption_scheme_t encryption_scheme_t; -#include #include #include diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c index 92d5efdc6d..0e64f0350b 100644 --- a/src/libstrongswan/credentials/sets/cert_cache.c +++ b/src/libstrongswan/credentials/sets/cert_cache.c @@ -48,9 +48,9 @@ struct relation_t { certificate_t *issuer; /** - * Signature scheme used to sign this relation + * Signature scheme and parameters used to sign this relation */ - signature_scheme_t scheme; + signature_params_t *scheme; /** * Cache hits @@ -84,7 +84,7 @@ struct private_cert_cache_t { */ static void cache(private_cert_cache_t *this, certificate_t *subject, certificate_t *issuer, - signature_scheme_t scheme) + signature_params_t *scheme) { relation_t *rel; int i, offset, try; 
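Review bot: relation_t's `scheme` member in cert_cache.c is now an owned heap pointer but its comment still reads like the old enum field; the cache() hunks clone the caller's value into it, the cert_cache_create() and flush() hunks further down set it to NULL, and flush()/destroy() free it. Suggest `* Signature scheme and parameters used to sign this relation (owned by the relation, cloned on insert, NULL for an empty slot)`. The comment above cache() (outside the hunk) should likewise state that `scheme` is cloned and that ownership of the argument stays with the caller, since issued_by() later destroys or hands out that same object.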
@@ -118,7 +118,8 @@ static void cache(private_cert_cache_t *this, { rel->subject->destroy(rel->subject); rel->subject = subject->get_ref(subject); - rel->scheme = scheme; + signature_params_destroy(rel->scheme); + rel->scheme = signature_params_clone(scheme); return rel->lock->unlock(rel->lock); } } @@ -139,7 +140,7 @@ static void cache(private_cert_cache_t *this, { rel->subject = subject->get_ref(subject); rel->issuer = issuer->get_ref(issuer); - rel->scheme = scheme; + rel->scheme = signature_params_clone(scheme); return rel->lock->unlock(rel->lock); } rel->lock->unlock(rel->lock); @@ -165,10 +166,11 @@ static void cache(private_cert_cache_t *this, { rel->subject->destroy(rel->subject); rel->issuer->destroy(rel->issuer); + signature_params_destroy(rel->scheme); } rel->subject = subject->get_ref(subject); rel->issuer = issuer->get_ref(issuer); - rel->scheme = scheme; + rel->scheme = signature_params_clone(scheme); rel->hits = 0; return rel->lock->unlock(rel->lock); } @@ -180,11 +182,11 @@ static void cache(private_cert_cache_t *this, METHOD(cert_cache_t, issued_by, bool, private_cert_cache_t *this, certificate_t *subject, certificate_t *issuer, - signature_scheme_t *schemep) + signature_params_t **schemep) { certificate_t *cached_issuer = NULL; relation_t *found = NULL, *current; - signature_scheme_t scheme; + signature_params_t *scheme; int i; for (i = 0; i < CACHE_SIZE; i++) @@ -202,7 +204,7 @@ METHOD(cert_cache_t, issued_by, bool, found = current; if (schemep) { - *schemep = current->scheme; + *schemep = signature_params_clone(current->scheme); } } else if (!cached_issuer) @@ -225,6 +227,10 @@ METHOD(cert_cache_t, issued_by, bool, { *schemep = scheme; } + else + { + signature_params_destroy(scheme); + } DESTROY_IF(cached_issuer); return TRUE; } 
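Review bot: The local `signature_params_t *scheme;` in cert_cache's issued_by (hunk @@ -180) is uninitialised, and the new tail either stores it in `*schemep` or passes it to signature_params_destroy(); with the old enum an unset value was harmless, with a pointer it is a free of garbage. This only stays safe if the verification call between the hunks sets it on every TRUE path, which is outside the hunk. Suggest `signature_params_t *scheme = NULL;`, assuming signature_params_destroy() tolerates NULL like the other destroy helpers here appear to; if it does not, guard the else branch instead.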
@@ -383,8 +389,10 @@ METHOD(cert_cache_t, flush, void, { rel->subject->destroy(rel->subject); rel->issuer->destroy(rel->issuer); + signature_params_destroy(rel->scheme); rel->subject = NULL; rel->issuer = NULL; + rel->scheme = NULL; rel->hits = 0; } } @@ -405,6 +413,7 @@ METHOD(cert_cache_t, destroy, void, { rel->subject->destroy(rel->subject); rel->issuer->destroy(rel->issuer); + signature_params_destroy(rel->scheme); } rel->lock->destroy(rel->lock); } @@ -438,6 +447,7 @@ cert_cache_t *cert_cache_create() { this->relations[i].subject = NULL; this->relations[i].issuer = NULL; + this->relations[i].scheme = NULL; this->relations[i].hits = 0; this->relations[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT); } diff --git a/src/libstrongswan/credentials/sets/cert_cache.h b/src/libstrongswan/credentials/sets/cert_cache.h index 2bcdbe4643..2235bc30d2 100644 --- a/src/libstrongswan/credentials/sets/cert_cache.h +++ b/src/libstrongswan/credentials/sets/cert_cache.h @@ -45,12 +45,13 @@ struct cert_cache_t { * * @param subject certificate to verify * @param issuer issuing certificate to verify subject - * @param scheme receives used signature scheme, if given + * @param scheme receives used signature scheme and parameters, if + * given (allocated) * @return TRUE if subject issued by issuer */ bool (*issued_by)(cert_cache_t *this, certificate_t *subject, certificate_t *issuer, - signature_scheme_t *scheme); + signature_params_t **scheme); /** * Flush the certificate cache. diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h index 9d2df1d4ba..96de7e2589 100644 --- a/src/libstrongswan/crypto/hashers/hasher.h +++ b/src/libstrongswan/crypto/hashers/hasher.h @@ -27,7 +27,6 @@ typedef enum hash_algorithm_t hash_algorithm_t; typedef struct hasher_t hasher_t; -#include #include #include #include diff --git a/src/libstrongswan/crypto/prfs/prf.h b/src/libstrongswan/crypto/prfs/prf.h index bf443e5f46..fe9ffc2dde 100644 
--- a/src/libstrongswan/crypto/prfs/prf.h +++ b/src/libstrongswan/crypto/prfs/prf.h @@ -25,7 +25,8 @@ typedef enum pseudo_random_function_t pseudo_random_function_t; typedef struct prf_t prf_t; -#include +#include +#include /** * Pseudo random function, as in IKEv2 RFC 3.3.2. diff --git a/src/libstrongswan/crypto/signers/signer.h b/src/libstrongswan/crypto/signers/signer.h index 01b702da18..8958e66e97 100644 --- a/src/libstrongswan/crypto/signers/signer.h +++ b/src/libstrongswan/crypto/signers/signer.h @@ -25,7 +25,8 @@ typedef enum integrity_algorithm_t integrity_algorithm_t; typedef struct signer_t signer_t; -#include +#include +#include /** * Integrity algorithm, as in IKEv2 RFC 3.3.2. diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c index 663f0915d0..171b7d684d 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crl.c +++ b/src/libstrongswan/plugins/openssl/openssl_crl.c @@ -284,7 +284,7 @@ METHOD(certificate_t, has_subject_or_issuer, id_match_t, METHOD(certificate_t, issued_by, bool, private_openssl_crl_t *this, certificate_t *issuer, - signature_scheme_t *scheme) + signature_params_t **scheme) { chunk_t fingerprint, tbs; public_key_t *key; @@ -338,7 +338,9 @@ METHOD(certificate_t, issued_by, bool, key->destroy(key); if (valid && scheme) { - *scheme = this->scheme; + INIT(*scheme, + .scheme = this->scheme, + ); } return valid; } diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c index f6df03f12d..3a6d2f1932 100644 --- a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c +++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c @@ -20,6 +20,7 @@ #include "openssl_sha1_prf.h" #include +#include typedef struct private_openssl_sha1_prf_t private_openssl_sha1_prf_t; diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c index 7e077e74da..d2773e3f87 100644 
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c +++ b/src/libstrongswan/plugins/openssl/openssl_x509.c @@ -384,7 +384,7 @@ METHOD(certificate_t, has_issuer, id_match_t, METHOD(certificate_t, issued_by, bool, private_openssl_x509_t *this, certificate_t *issuer, - signature_scheme_t *scheme) + signature_params_t **scheme) { public_key_t *key; bool valid; @@ -392,11 +392,16 @@ METHOD(certificate_t, issued_by, bool, ASN1_BIT_STRING *sig; chunk_t tbs; + if (this->scheme == SIGN_UNKNOWN) + { + return FALSE; + } if (&this->public.x509.interface == issuer) { if (this->flags & X509_SELF_SIGNED) { - return TRUE; + valid = TRUE; + goto out; } } else @@ -414,10 +419,6 @@ METHOD(certificate_t, issued_by, bool, return FALSE; } } - if (this->scheme == SIGN_UNKNOWN) - { - return FALSE; - } key = issuer->get_public_key(issuer); if (!key) { @@ -434,9 +435,13 @@ METHOD(certificate_t, issued_by, bool, openssl_asn1_str2chunk(sig)); free(tbs.ptr); key->destroy(key); + +out: if (valid && scheme) { - *scheme = this->scheme; + INIT(*scheme, + .scheme = this->scheme, + ); } return valid; } diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c index 76b0b7b409..8c6c5dae73 100644 --- a/src/libstrongswan/plugins/pem/pem_encoder.c +++ b/src/libstrongswan/plugins/pem/pem_encoder.c @@ -15,6 +15,8 @@ #include "pem_encoder.h" +#include + #define BYTES_PER_LINE 48 /** diff --git a/src/libstrongswan/plugins/pgp/pgp_cert.c b/src/libstrongswan/plugins/pgp/pgp_cert.c index 0ffce4cfc7..392ef54402 100644 --- a/src/libstrongswan/plugins/pgp/pgp_cert.c +++ b/src/libstrongswan/plugins/pgp/pgp_cert.c @@ -114,7 +114,7 @@ METHOD(certificate_t, has_issuer, id_match_t, } METHOD(certificate_t, issued_by,bool, - private_pgp_cert_t *this, certificate_t *issuer, signature_scheme_t *scheme) + private_pgp_cert_t *this, certificate_t *issuer, signature_params_t **scheme) { /* TODO: check signature blobs for a valid signature */ return FALSE; 
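Review bot: Moving the `this->scheme == SIGN_UNKNOWN` check ahead of the self-signed shortcut in openssl_x509.c changes behaviour: a certificate flagged X509_SELF_SIGNED whose signature algorithm is unknown was previously accepted by this method and is now rejected, which is the safer outcome but is not mentioned in the commit message. Suggest a comment on the check, `/* reject unknown signature algorithms even for self-signed certs, nothing could be reported in scheme */`. The same reordering is made in x509_cert.c and x509_pkcs10.c below and should be documented in the same way. The self-signed path now reaches `out:` with `valid = TRUE` and allocates `*scheme` without a signature check, relying on the flag having been established elsewhere; that origin is outside the hunk.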
diff --git a/src/libstrongswan/plugins/pgp/pgp_encoder.c b/src/libstrongswan/plugins/pgp/pgp_encoder.c index 100f3ef337..eba936b832 100644 --- a/src/libstrongswan/plugins/pgp/pgp_encoder.c +++ b/src/libstrongswan/plugins/pgp/pgp_encoder.c @@ -15,6 +15,7 @@ #include "pgp_encoder.h" +#include #include /** diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c index 0631a68575..81dad65b72 100644 --- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c +++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c @@ -137,13 +137,16 @@ METHOD(certificate_t, equals, bool, METHOD(certificate_t, issued_by, bool, private_pubkey_cert_t *this, certificate_t *issuer, - signature_scheme_t *scheme) + signature_params_t **scheme) { - if (scheme) + bool valid = equals(this, issuer); + if (valid && scheme) { - *scheme = SIGN_UNKNOWN; + INIT(*scheme, + .scheme = SIGN_UNKNOWN, + ); } - return equals(this, issuer); + return valid; } METHOD(certificate_t, get_public_key, public_key_t*, diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c index 2a1ef638b8..c0a64fc5d0 100644 --- a/src/libstrongswan/plugins/x509/x509_ac.c +++ b/src/libstrongswan/plugins/x509/x509_ac.c @@ -886,7 +886,8 @@ METHOD(certificate_t, has_issuer, id_match_t, } METHOD(certificate_t, issued_by, bool, - private_x509_ac_t *this, certificate_t *issuer, signature_scheme_t *schemep) + private_x509_ac_t *this, certificate_t *issuer, + signature_params_t **schemep) { public_key_t *key; signature_scheme_t scheme; @@ -938,7 +939,9 @@ METHOD(certificate_t, issued_by, bool, key->destroy(key); if (valid && schemep) { - *schemep = scheme; + INIT(*schemep, + .scheme = scheme, + ); } return valid; } diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index 6d2fb9de79..9bb272a4f0 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c 
@@ -1677,18 +1677,26 @@ METHOD(certificate_t, has_issuer, id_match_t, METHOD(certificate_t, issued_by, bool, private_x509_cert_t *this, certificate_t *issuer, - signature_scheme_t *schemep) + signature_params_t **schemep) { public_key_t *key; signature_scheme_t scheme; bool valid; x509_t *x509 = (x509_t*)issuer; + /* determine signature scheme */ + scheme = signature_scheme_from_oid(this->algorithm); + if (scheme == SIGN_UNKNOWN) + { + return FALSE; + } + if (&this->public.interface.interface == issuer) { if (this->flags & X509_SELF_SIGNED) { - return TRUE; + valid = TRUE; + goto out; } } else @@ -1707,12 +1715,6 @@ METHOD(certificate_t, issued_by, bool, return FALSE; } - /* determine signature scheme */ - scheme = signature_scheme_from_oid(this->algorithm); - if (scheme == SIGN_UNKNOWN) - { - return FALSE; - } /* get the public key of the issuer */ key = issuer->get_public_key(issuer); if (!key) @@ -1722,9 +1724,13 @@ METHOD(certificate_t, issued_by, bool, valid = key->verify(key, scheme, NULL, this->tbsCertificate, this->signature); key->destroy(key); + +out: if (valid && schemep) { - *schemep = scheme; + INIT(*schemep, + .scheme = scheme, + ); } return valid; } diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c index 8ea70252fb..2712ad83ee 100644 --- a/src/libstrongswan/plugins/x509/x509_crl.c +++ b/src/libstrongswan/plugins/x509/x509_crl.c @@ -457,7 +457,8 @@ METHOD(certificate_t, has_issuer, id_match_t, } METHOD(certificate_t, issued_by, bool, - private_x509_crl_t *this, certificate_t *issuer, signature_scheme_t *schemep) + private_x509_crl_t *this, certificate_t *issuer, + signature_params_t **schemep) { public_key_t *key; signature_scheme_t scheme; @@ -506,7 +507,9 @@ METHOD(certificate_t, issued_by, bool, key->destroy(key); if (valid && schemep) { - *schemep = scheme; + INIT(*schemep, + .scheme = scheme, + ); } return valid; } 
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c index de2ad9878d..de22ab6bef 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c @@ -372,7 +372,7 @@ METHOD(certificate_t, has_issuer, id_match_t, METHOD(certificate_t, issued_by, bool, private_x509_ocsp_request_t *this, certificate_t *issuer, - signature_scheme_t *scheme) + signature_params_t **scheme) { DBG1(DBG_LIB, "OCSP request validation not implemented!"); return FALSE; diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c index fd0d84e480..e803c185c7 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c @@ -703,7 +703,7 @@ METHOD(certificate_t, has_issuer, id_match_t, METHOD(certificate_t, issued_by, bool, private_x509_ocsp_response_t *this, certificate_t *issuer, - signature_scheme_t *schemep) + signature_params_t **schemep) { public_key_t *key; signature_scheme_t scheme; @@ -758,7 +758,9 @@ METHOD(certificate_t, issued_by, bool, key->destroy(key); if (valid && schemep) { - *schemep = scheme; + INIT(*schemep, + .scheme = scheme, + ); } return valid; } diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c index beeb436abe..019ccf7c17 100644 --- a/src/libstrongswan/plugins/x509/x509_pkcs10.c +++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c @@ -124,7 +124,7 @@ METHOD(certificate_t, has_subject, id_match_t, METHOD(certificate_t, issued_by, bool, private_x509_pkcs10_t *this, certificate_t *issuer, - signature_scheme_t *schemep) + signature_params_t **schemep) { public_key_t *key; signature_scheme_t scheme; 
@@ -134,29 +134,32 @@ METHOD(certificate_t, issued_by, bool, { return FALSE; } - if (this->self_signed) - { - return TRUE; - } - /* determine signature scheme */ scheme = signature_scheme_from_oid(this->algorithm); if (scheme == SIGN_UNKNOWN) { return FALSE; } - - /* get the public key contained in the certificate request */ - key = this->public_key; - if (!key) + if (this->self_signed) { - return FALSE; + valid = TRUE; + } + else + { + /* get the public key contained in the certificate request */ + key = this->public_key; + if (!key) + { + return FALSE; + } + valid = key->verify(key, scheme, NULL, this->certificationRequestInfo, + this->signature); } - valid = key->verify(key, scheme, NULL, this->certificationRequestInfo, - this->signature); if (valid && schemep) { - *schemep = scheme; + INIT(*schemep, + .scheme = scheme, + ); } return valid; } diff --git a/src/libstrongswan/utils/debug.h b/src/libstrongswan/utils/debug.h index f1c8c70ab3..3b554487cc 100644 --- a/src/libstrongswan/utils/debug.h +++ b/src/libstrongswan/utils/debug.h @@ -24,9 +24,9 @@ typedef enum debug_t debug_t; typedef enum level_t level_t; -#include - +#include #include +#include /** * Debug message group. diff --git a/src/libtls/tls_prf.c b/src/libtls/tls_prf.c index 918de1e50b..f88dbc2b79 100644 --- a/src/libtls/tls_prf.c +++ b/src/libtls/tls_prf.c @@ -17,6 +17,8 @@ typedef struct private_tls_prf12_t private_tls_prf12_t; +#include + /** * Private data of an tls_prf_t object. */