From: Andreas Steffen
Date: Sun, 25 Feb 2007 08:15:46 +0000 (-0000)
Subject: added support of OCSP accessLocations
X-Git-Tag: 4.0.7~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9c6032510f2a075b4130cf1c6c22b6e352010ce0;p=thirdparty%2Fstrongswan.git

added support of OCSP accessLocations
---

diff --git a/src/libstrongswan/crypto/x509.c b/src/libstrongswan/crypto/x509.c
index f2e87d2853..4340a6c7bb 100755
--- a/src/libstrongswan/crypto/x509.c
+++ b/src/libstrongswan/crypto/x509.c
@@ -136,6 +136,11 @@ struct private_x509_t {
 */
 linked_list_t *crlDistributionPoints;
 
+/**
+ * List of identification_t's representing ocspAccessLocations
+ */
+linked_list_t *ocspAccessLocations;
+
 /**
 * Subject RSA public key, if subjectPublicKeyAlgorithm == RSA
 */
@@ -174,7 +179,6 @@ struct private_x509_t {
 u_char authority_flags;
 chunk_t subjectPublicKey;
 bool isOcspSigner; /* ocsp */
-chunk_t accessLocation; /* ocsp */
 };
 
 /**
@@ -638,7 +642,7 @@ void parse_authorityKeyIdentifier(chunk_t blob, int level0 , chunk_t *authKeyID,
 /**
 * extracts an authorityInfoAcess location
 */
-static void parse_authorityInfoAccess(chunk_t blob, int level0, chunk_t *accessLocation)
+static void parse_authorityInfoAccess(chunk_t blob, int level0, linked_list_t *list)
 {
 asn1_ctx_t ctx;
 chunk_t object;
@@ -666,17 +670,14 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0, chunk_t *accessL
 case OID_OCSP:
 if (*object.ptr == ASN1_CONTEXT_S_6)
 {
+identification_t *accessLocation;
+
 if (asn1_length(&object) == ASN1_INVALID_LENGTH)
 return;
 DBG2(" '%.*s'",(int)object.len, object.ptr);
-/* only HTTP(S) URIs accepted */
-if (strncasecmp(object.ptr, "http", 4) == 0)
-{
-*accessLocation = object;
-return;
-}
+accessLocation = identification_create_from_encoding(ID_DER_ASN1_GN_URI, object);
+list->insert_last(list, (void *)accessLocation);
 }
-DBG2("ignoring OCSP InfoAccessLocation with unkown protocol");
 break;
 default:
 /* unkown accessMethod, ignoring */
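Review bot: The header comment kept above the new signature of parse_authorityInfoAccess still reads `extracts an authorityInfoAcess location`, but the function now appends every OCSP location it finds to the `list` parameter instead of handing back a single chunk. Suggest `/** extracts all OCSP authorityInfoAccess locations into the given list */`, and documenting that the list takes ownership of the created identification_t objects. The body of parse_authorityInfoAccess continues beyond this hunk.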
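Review bot: The value returned by `identification_create_from_encoding(ID_DER_ASN1_GN_URI, object)` is inserted into the list unchecked; if that constructor can fail (not visible in this hunk), a NULL element lands in ocspAccessLocations and is dereferenced later by destroy_offset in destroy() and by every consumer of create_ocspuri_iterator. Guard the insert: `if (accessLocation) { list->insert_last(list, accessLocation); }` (the `(void *)` cast is unnecessary either way). Note also that the removed `strncasecmp(object.ptr, "http", 4)` check and the "unknown protocol" debug message mean any URI scheme from the certificate is now stored, so scheme validation has silently moved to whoever fetches the OCSP response; either keep the filter here or state the new contract in the header comment. The enclosing switch and function continue outside this hunk.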
@@ -847,7 +848,7 @@ bool parse_x509cert(chunk_t blob, u_int level0, private_x509_t *cert)
 parse_authorityKeyIdentifier(object, level , &cert->authKeyID, &cert->authKeySerialNumber);
 break;
 case OID_AUTHORITY_INFO_ACCESS:
-parse_authorityInfoAccess(object, level, &cert->accessLocation);
+parse_authorityInfoAccess(object, level, cert->ocspAccessLocations);
 break;
 case OID_EXTENDED_KEY_USAGE:
 cert->isOcspSigner = parse_extendedKeyUsage(object, level);
@@ -1052,6 +1053,14 @@ static iterator_t *create_crluri_iterator(const private_x509_t *this)
 return this->crlDistributionPoints->create_iterator(this->crlDistributionPoints, TRUE);
 }
 
+/**
+ * Implements x509_t.create_crluri_iterator
+ */
+static iterator_t *create_ocspuri_iterator(const private_x509_t *this)
+{
+return this->ocspAccessLocations->create_iterator(this->ocspAccessLocations, TRUE);
+}
+
 /**
 * Implements x509_t.verify
 */
@@ -1193,6 +1202,8 @@ static void destroy(private_x509_t *this)
 offsetof(identification_t, destroy));
 this->crlDistributionPoints->destroy_offset(this->crlDistributionPoints,
 offsetof(identification_t, destroy));
+this->ocspAccessLocations->destroy_offset(this->ocspAccessLocations,
+offsetof(identification_t, destroy));
 DESTROY_IF(this->issuer);
 DESTROY_IF(this->subject);
 DESTROY_IF(this->public_key);
@@ -1214,6 +1225,7 @@ x509_t *x509_create_from_chunk(chunk_t chunk)
 this->issuer = NULL;
 this->subjectAltNames = linked_list_create();
 this->crlDistributionPoints = linked_list_create();
+this->ocspAccessLocations = linked_list_create();
 this->subjectKeyID = chunk_empty;
 this->authKeyID = chunk_empty;
 this->authKeySerialNumber = chunk_empty;
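Review bot: The doc comment on the new create_ocspuri_iterator says `Implements x509_t.create_crluri_iterator`, copied from the function directly above it; it should read `Implements x509_t.create_ocspuri_iterator`. Since the items are destroyed by this object's destroy() (see the destroy_offset call added in the @@ -1193 hunk), it is worth adding one line here stating that the iterator yields identification_t objects owned by the certificate and that callers must not destroy them.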
@@ -1237,6 +1249,7 @@ x509_t *x509_create_from_chunk(chunk_t chunk)
 this->public.set_status = (void (*) (x509_t*,cert_status_t))set_status;
 this->public.get_status = (cert_status_t (*) (const x509_t*))get_status;
 this->public.create_crluri_iterator = (iterator_t* (*) (const x509_t*))create_crluri_iterator;
+this->public.create_ocspuri_iterator = (iterator_t* (*) (const x509_t*))create_ocspuri_iterator;
 this->public.verify = (bool (*) (const x509_t*,const rsa_public_key_t*))verify;
 this->public.destroy = (void (*) (x509_t*))destroy;
 
diff --git a/src/libstrongswan/crypto/x509.h b/src/libstrongswan/crypto/x509.h
index 824a4e170e..992ce1ffa4 100755
--- a/src/libstrongswan/crypto/x509.h
+++ b/src/libstrongswan/crypto/x509.h
@@ -148,6 +148,14 @@ struct x509_t {
 */
 iterator_t *(*create_crluri_iterator) (const x509_t *this);
 
+/**
+ * @brief Create an iterator for the ocspAccessLocations.
+ *
+ * @param this calling object
+ * @return iterator for ocspAccessLocations
+ */
+iterator_t *(*create_ocspuri_iterator) (const x509_t *this);
+
 /**
 * @brief Check if a certificate is trustworthy
 *
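Review bot: The new public doc block for create_ocspuri_iterator does not say what the iterator yields or who owns the items, which is the part a caller of this header actually needs. From the x509.c side of this commit the elements are `identification_t *` created with ID_DER_ASN1_GN_URI and destroyed by the certificate's own destroy(), so the @return line should say something like `@return iterator over identification_t* (ID_DER_ASN1_GN_URI), owned by this object; do not destroy the items`. Because parse_authorityInfoAccess no longer restricts the scheme to http(s), the comment should also state that the URIs are taken from the certificate unfiltered and that the caller must validate the scheme before using one to fetch an OCSP response.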