From: Martin Willi
Date: Thu, 20 Mar 2008 10:09:56 +0000 (-0000)
Subject: added support for certificate requests for not yet known CAs
X-Git-Tag: 4.2.0~109
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=36524c4844bfb5e36a476af5e85379b44f17b4d2;p=thirdparty%2Fstrongswan.git
added support for certificate requests for not yet known CAs
---
diff --git a/src/charon/credentials/auth_info.c b/src/charon/credentials/auth_info.c
index a0fc4c00f2..1148473ee5 100644
--- a/src/charon/credentials/auth_info.c
+++ b/src/charon/credentials/auth_info.c
@@ -25,6 +25,7 @@ ENUM(auth_item_names, AUTHN_CA_CERT, AUTHZ_AC_GROUP,
 "AUTHN_CA_CERT",
+ "AUTHN_CA_CERT_KEYID",
 "AUTHN_IM_CERT",
 "AUTHN_SUBJECT_CERT",
 "AUTHZ_PUBKEY",
@@ -162,6 +163,7 @@ static void add_item(private_auth_info_t *this, auth_item_t type, void *value)
 item->value = method;
 break;
 }
+ case AUTHN_CA_CERT_KEYID:
 case AUTHZ_AC_GROUP:
 {
 identification_t *id = (identification_t*)value;
@@ -189,6 +191,7 @@ static bool complies(private_auth_info_t *this, auth_info_t *constraints)
 {
 switch (type)
 {
+ case AUTHN_CA_CERT_KEYID:
 case AUTHN_CA_CERT:
 case AUTHN_IM_CERT:
 case AUTHN_SUBJECT_CERT:
@@ -322,6 +325,7 @@ static void destroy(private_auth_info_t *this)
 free(item->value);
 break;
 }
+ case AUTHN_CA_CERT_KEYID:
 case AUTHZ_AC_GROUP:
 {
 identification_t *id = (identification_t*)item->value;
diff --git a/src/charon/credentials/auth_info.h b/src/charon/credentials/auth_info.h
index f8ba29df00..15cae4fcda 100644
--- a/src/charon/credentials/auth_info.h
+++ b/src/charon/credentials/auth_info.h
@@ -61,6 +61,8 @@ enum auth_item_t {
 /** CA certificate to use for authentication, value is certificate_t* */
 AUTHN_CA_CERT,
+ /** Keyid of a CA certificate to use, value is identification_t* */
+ AUTHN_CA_CERT_KEYID,
 /** intermediate certificate, value is certificate_t* */
 AUTHN_IM_CERT,
 /** certificate for trustchain verification, value is certificate_t* */
diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c
index 98d965f68d..47c437670c 100644
--- a/src/charon/credentials/credential_manager.c
+++ b/src/charon/credentials/credential_manager.c
@@ -1064,6 +1064,25 @@ static bool auth_contains_cacert(auth_info_t *auth, certificate_t *cert)
 found = TRUE;
 break;
 }
+ if (type == AUTHN_CA_CERT_KEYID)
+ {
+ public_key_t *public;
+ identification_t *certid, *keyid;
+
+ public = cert->get_public_key(cert);
+ if (public)
+ {
+ keyid = (identification_t*)value;
+ certid = public->get_id(public, keyid->get_type(keyid));
+ if (certid && certid->equals(certid, keyid))
+ {
+ public->destroy(public);
+ found = TRUE;
+ break;
+ }
+ public->destroy(public);
+ }
+ }
 }
 enumerator->destroy(enumerator);
 return found;
diff --git a/src/charon/sa/tasks/ike_cert_pre.c b/src/charon/sa/tasks/ike_cert_pre.c
index 752f94c402..d7f7a40fc8 100644
--- a/src/charon/sa/tasks/ike_cert_pre.c
+++ b/src/charon/sa/tasks/ike_cert_pre.c
@@ -94,17 +94,18 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
 cert->destroy(cert);
 ca_found = TRUE;
 }
+ else
+ {
+ DBG1(DBG_IKE, "received cert request of unknown cert "
+ "\"%D\"", id);
+ auth->add_item(auth, AUTHN_CA_CERT_KEYID, id);
+ }
 id->destroy(id);
 }
 enumerator->destroy(enumerator);
 }
 }
 iterator->destroy(iterator);
-
- if (this->ike_sa->has_condition(this->ike_sa, COND_CERTREQ_SEEN) && !ca_found)
- {
- DBG1(DBG_IKE, "received cert request, but no such CA cert found");
- }
 }
 /**
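Review bot: The new AUTHN_CA_CERT_KEYID branch in auth_contains_cacert releases `public` on two separate paths and puts the loop `break` inside two nested ifs, which is easy to get wrong on the next edit (a third exit path would leak the key). Computing the match into a local, destroying `public` exactly once and then breaking on the result keeps the release in one place and also makes explicit that `certid` must not be touched after `public->destroy(public)` — it is never destroyed here, so it appears to be owned by the key object (worth confirming against `get_id`). The enumerator loop that this `break` leaves starts outside the hunk.
```c
if (type == AUTHN_CA_CERT_KEYID)
{
	public_key_t *public;
	identification_t *certid, *keyid;
	bool match = FALSE;

	public = cert->get_public_key(cert);
	if (public)
	{
		keyid = (identification_t*)value;
		/* certid is not destroyed here and is presumably owned by
		 * public, so compare before releasing the key */
		certid = public->get_id(public, keyid->get_type(keyid));
		match = certid && certid->equals(certid, keyid);
		public->destroy(public);
	}
	if (match)
	{
		found = TRUE;
		break;
	}
}
```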
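Review bot: With the trailing "no such CA cert found" block removed, `ca_found` is still assigned in the `if` branch but its only visible reader is gone, so unless it is read elsewhere in process_certreqs (the function starts before the hunk) it is now a write-only variable that should be dropped. The new `else` branch passes `id` to `auth->add_item()` and then destroys it on the very next line, so this relies on add_item copying the identification for AUTHN_CA_CERT_KEYID; the add_item hunk in auth_info.c routes that type through the AUTHZ_AC_GROUP case whose body is outside the hunk, so please confirm it clones rather than stores the pointer. Note also that the branch now emits one DBG1 line and stores one item per unknown key id in the peer's CERTREQ, i.e. a count the remote end chooses within the payload's size limits; a single summary line at DBG1 (per-id detail at DBG2) would keep the log volume independent of the peer, for example `DBG1(DBG_IKE, "received cert request for %d unknown CA(s)", unknown);`.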