static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
certificate_t *subject, certificate_t *issuer)
{
- certificate_t *request, *response, *issuer_cert;
+ certificate_t *request, *response;
chunk_t send, receive;
- identification_t *responder;
- auth_info_t *auth;
- ocsp_wrapper_t *wrapper;
/* TODO: requestor name, signature */
request = lib->creds->create(lib->creds,
send = request->get_encoding(request);
request->destroy(request);
+
+ DBG1(DBG_CFG, "requesting ocsp response from '%s' ...", url);
if (lib->fetcher->fetch(lib->fetcher, url, &receive,
FETCH_REQUEST_DATA, send,
FETCH_REQUEST_TYPE, "application/ocsp-request",
return NULL;
}
- responder = response->get_issuer(response);
- auth = auth_info_create();
- wrapper = ocsp_wrapper_create((ocsp_response_t*)response);
- this->sets->insert_first(this->sets, wrapper);
- issuer_cert = get_trusted_cert(this, KEY_ANY, responder, auth, FALSE, FALSE);
- this->sets->remove(this->sets, wrapper, NULL);
- free(wrapper);
- auth->destroy(auth);
- if (!issuer_cert)
- {
- DBG1(DBG_CFG, " ocsp response untrusted: no signer certificate found");
- response->destroy(response);
- return NULL;
- }
- if (!response->issued_by(response, issuer_cert, TRUE))
+
+ /* verify the signature of the ocsp response */
{
- DBG1(DBG_CFG, " ocsp response untrusted: bad signature");
- response->destroy(response);
+ certificate_t *issuer_cert;
+ identification_t *responder;
+ auth_info_t *auth;
+ ocsp_wrapper_t *wrapper;
+ bool ok;
+
+ auth = auth_info_create();
+ wrapper = ocsp_wrapper_create((ocsp_response_t*)response);
+ this->sets->insert_first(this->sets, wrapper);
+ responder = response->get_issuer(response);
+ issuer_cert = get_trusted_cert(this, KEY_ANY, responder, auth, FALSE, FALSE);
+ this->sets->remove(this->sets, wrapper, NULL);
+ free(wrapper);
+ auth->destroy(auth);
+
+ if (!issuer_cert)
+ {
+ DBG1(DBG_CFG, " ocsp response untrusted: no signer certificate found");
+ response->destroy(response);
+ return NULL;
+ }
+ ok = response->issued_by(response, issuer_cert, TRUE);
issuer_cert->destroy(issuer_cert);
- return NULL;
+ DBG1(DBG_CFG, " ocsp response is %strusted: %s signature",
+ ok ? "":"un", ok ? "good" : "bad");
+ if (ok)
+ {
+ response->destroy(response);
+ return NULL;
+ }
}
- issuer_cert->destroy(issuer_cert);
-
/* TODO: cache response? */
return response;
}
}
if (issuer && !subject->issued_by(subject, issuer, TRUE))
{
- DBG1(DBG_CFG, "certificate %D not issued by %D",
+ DBG1(DBG_CFG, "certificate not issued by \"%D\"",
subject->get_subject(subject), issuer->get_subject(issuer));
return FALSE;
}
public = subject->get_public_key(subject);
if (public)
{
- DBG2(DBG_CFG, "using trusted certificate %D",
- subject->get_subject(subject));
+ DBG1(DBG_CFG, " using trusted certificate \"%D\"",
+ subject->get_subject(subject));
this->sets->remove(this->sets, wrapper, NULL);
free(wrapper);
this->mutex->unlock(this->mutex);
subject = get_cert(this, CERT_ANY, type, id, FALSE);
if (!subject)
{
- DBG1(DBG_CFG, "no end entity certificate found for %D", id);
+ DBG1(DBG_CFG, "no end entity certificate found for \"%D\"", id);
}
else
{
issuer == subject ? auth2 : NULL) &&
check_certificate(this, candidate, NULL, crl, ocsp, NULL))
{
- DBG2(DBG_CFG, "using trusted root CA certificate %D",
+ DBG1(DBG_CFG, " using trusted root ca certificate \"%D\"",
candidate->get_subject(candidate));
issuer = candidate;
trusted = TRUE;
{
if (issuer != subject)
{
- DBG2(DBG_CFG, "using intermediate CA certificate %D",
+ DBG1(DBG_CFG, " using intermediate ca certificate \"%D\"",
candidate->get_subject(candidate));
auth1->add_item(auth1, AUTHZ_IM_CERT, candidate);
}
else
{
- DBG2(DBG_CFG, "using end entity certificate %D",
+ DBG1(DBG_CFG, " using end entity certificate \"%D\"",
candidate->get_subject(candidate));
}
issuer = candidate;
* TODO: allow other hash algorithms and note it in "auth" */
if (public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, octets, auth_data))
{
- DBG1(DBG_IKE, "authentication of %D with %N successful",
+ DBG1(DBG_IKE, "authentication of '%D' with %N successful",
other_id, auth_method_names, AUTH_RSA);
status = SUCCESS;
}
}
else
{
- DBG1(DBG_IKE, "no trusted public key found for %D", other_id);
+ DBG1(DBG_IKE, "no trusted public key found for '%D'", other_id);
}
chunk_free(&octets);
return status;
auth_info_t *auth;
my_id = this->ike_sa->get_my_id(this->ike_sa);
- DBG1(DBG_IKE, "authentication of %D (myself) with %N",
+ DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
my_id, auth_method_names, AUTH_RSA);
auth = this->ike_sa->get_my_auth(this->ike_sa);
my_id, auth);
if (private == NULL)
{
- DBG1(DBG_IKE, "no RSA private key found for %D", my_id);
+ DBG1(DBG_IKE, "no RSA private key found for '%D'", my_id);
return NOT_FOUND;
}
prf = this->ike_sa->get_prf(this->ike_sa);
if (auth == NULL)
{
- SIG(IKE_UP_FAILED, "authentication method %N used by %D not "
+ SIG(IKE_UP_FAILED, "authentication method %N used by '%D' not "
"supported", auth_method_names, auth_method,
this->ike_sa->get_other_id(this->ike_sa));
return NOT_SUPPORTED;
req = this->ike_sa->get_other_id(this->ike_sa);
if (!id->matches(id, req))
{
- SIG(IKE_UP_FAILED, "peer ID %D unacceptable, %D required", id, req);
+ SIG(IKE_UP_FAILED, "peer ID '%D' unacceptable, '%D' required", id, req);
id->destroy(id);
return FAILED;
}
if (!this->initiator)
{
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %D[%H]...[%H]%D",
+ SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
this->ike_sa->get_name(this->ike_sa),
- this->ike_sa->get_my_id(this->ike_sa),
this->ike_sa->get_my_host(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa));
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa));
return SUCCESS;
}
return NEED_MORE;
if (this->initiator)
{
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %D[%H]...[%H]%D",
+ SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
this->ike_sa->get_name(this->ike_sa),
- this->ike_sa->get_my_id(this->ike_sa),
this->ike_sa->get_my_host(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa));
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa));
return SUCCESS;
}
return NEED_MORE;
return NEED_MORE;
default:
this->eap_payload = NULL;
- SIG(IKE_UP_FAILED, "failed to authenticate against %D using EAP",
+ SIG(IKE_UP_FAILED, "failed to authenticate against '%D' using EAP",
this->ike_sa->get_other_id(this->ike_sa));
return FAILED;
}
config = this->ike_sa->get_peer_cfg(this->ike_sa);
if (config == NULL)
{
- SIG(IKE_UP_FAILED, "no matching config found for %D...%D",
+ SIG(IKE_UP_FAILED, "no matching config found for '%D'...'%D'",
this->ike_sa->get_my_id(this->ike_sa),
this->ike_sa->get_other_id(this->ike_sa));
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
if (this->peer_authenticated)
{
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %D[%H]...[%H]%D",
+ SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
this->ike_sa->get_name(this->ike_sa),
- this->ike_sa->get_my_id(this->ike_sa),
this->ike_sa->get_my_host(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa));
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa));
return SUCCESS;
}
auth = this->ike_sa->get_other_auth(this->ike_sa);
if (!auth->complies(auth, config->get_auth(config)))
{
- SIG(IKE_UP_FAILED, "authorization of %D for config %s failed",
+ SIG(IKE_UP_FAILED, "authorization of '%D' for config %s failed",
this->ike_sa->get_other_id(this->ike_sa), config->get_name(config));
return FAILED;
}
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %D[%H]...[%H]%D",
+ SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
this->ike_sa->get_name(this->ike_sa),
- this->ike_sa->get_my_id(this->ike_sa),
this->ike_sa->get_my_host(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa));
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa));
return SUCCESS;
}
{
break;
}
- DBG1(DBG_IKE, "sending end entity cert %D",
+ DBG1(DBG_IKE, "sending end entity cert \"%D\"",
cert->get_subject(cert));
message->add_payload(message, (payload_t*)payload);
payload = cert_payload_create_from_cert(cert);
if (payload)
{
- DBG1(DBG_IKE, "sending issuer cert %D",
+ DBG1(DBG_IKE, "sending issuer cert \"%D\"",
cert->get_subject(cert));
message->add_payload(message, (payload_t*)payload);
}
CERT_X509, KEY_ANY, id, TRUE);
if (cert)
{
- DBG1(DBG_IKE, "received cert request for %D",
+ DBG1(DBG_IKE, "received cert request for \"%D\"",
cert->get_subject(cert));
auth->add_item(auth, AUTHN_CA_CERT, cert);
cert->destroy(cert);
if (first)
{ /* the first certificate MUST be an end entity one */
- DBG1(DBG_IKE, "received end entity cert %D",
+ DBG1(DBG_IKE, "received end entity cert \"%D\"",
cert->get_subject(cert));
auth->add_item(auth, AUTHN_SUBJECT_CERT, cert);
first = FALSE;
}
else
{
- DBG1(DBG_IKE, "received issuer cert %D",
+ DBG1(DBG_IKE, "received issuer cert \"%D\"",
cert->get_subject(cert));
auth->add_item(auth, AUTHN_IM_CERT, cert);
}
req = *reqp;
keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
req->add_keyid(req, keyid->get_encoding(keyid));
- DBG1(DBG_IKE, "sending cert request for %D",
+ DBG1(DBG_IKE, "sending cert request for \"%D\"",
cert->get_subject(cert));
break;
}
version = (object.len)? (1 + (u_int)*object.ptr) : 1;
if (version != OCSP_BASIC_RESPONSE_VERSION)
{
- DBG1("OCSP ResponseData version %d not supported", version);
+ DBG1(" ocsp ResponseData version %d not supported", version);
return FALSE;
}
break;
case BASIC_RESPONSE_ID_BY_NAME:
this->responderId = identification_create_from_encoding(
ID_DER_ASN1_DN, object);
- DBG3(" %D", this->responderId);
+ DBG2(" '%D'", this->responderId);
break;
case BASIC_RESPONSE_ID_BY_KEY:
this->responderId = identification_create_from_encoding(
ID_PUBKEY_INFO_SHA1, object);
- DBG3(" %D", this->responderId);
+ DBG2(" '%D'", this->responderId);
break;
case BASIC_RESPONSE_PRODUCED_AT:
this->producedAt = asn1totime(&object, ASN1_GENERALIZEDTIME);
break;
case BASIC_RESPONSE_CRITICAL:
critical = object.len && *object.ptr;
- DBG3(" %s", critical ? "TRUE" : "FALSE");
+ DBG2(" %s", critical ? "TRUE" : "FALSE");
break;
case BASIC_RESPONSE_EXT_VALUE:
if (extn_oid == OID_NONCE)
case OCSP_SUCCESSFUL:
break;
default:
- DBG1("OCSP response status: %N",
+ DBG1(" ocsp response status: %N",
ocsp_status_names, status);
return FALSE;
}
case OID_BASIC:
return parse_basicOCSPResponse(this, object, level+1);
default:
- DBG1("OCSP response type %#B not supported", &object);
+ DBG1(" ocsp response type %#B not supported", &object);
return FALSE;
}
break;
snprintf(buf, sizeof(buf), "%.*s", this->encoded.len, this->encoded.ptr);
/* TODO: whats returned on failure?*/
dntoa(this->encoded, &buf_chunk);
- return fprintf(stream, "\"%s\"", buf);
+ return fprintf(stream, "%s", buf);
}
case ID_DER_ASN1_GN:
return fprintf(stream, "(ASN.1 general Name");
projects / thirdparty / strongswan.git / commitdiff
