Load multiple comma seperarated certificates in the leftcert option
authorMartin Willi <martin@revosec.ch>
Tue, 8 Jan 2013 13:52:04 +0000 (14:52 +0100)
committerMartin Willi <martin@revosec.ch>
Fri, 18 Jan 2013 08:33:15 +0000 (09:33 +0100)
src/libcharon/plugins/stroke/stroke_config.c

index 9f6124dc9969bab5e13c1ca0fdfee57ad87b4f21..d0fc9ea55c9a7416d9933f3f1a6b82e71da8658c 100644 (file)
@@ -447,25 +447,42 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
        identity = identification_create_from_string(id);
        if (cert)
        {
-               certificate = this->cred->load_peer(this->cred, cert);
-               if (certificate)
+               enumerator_t *enumerator;
+               bool has_subject = FALSE;
+               certificate_t *first = NULL;
+
+               enumerator = enumerator_create_token(cert, ",", " ");
+               while (enumerator->enumerate(enumerator, &cert))
                {
-                       if (local)
-                       {
-                               this->ca->check_for_hash_and_url(this->ca, certificate);
-                       }
-                       cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
-                       if (identity->get_type(identity) == ID_ANY ||
-                               !certificate->has_subject(certificate, identity))
+                       certificate = this->cred->load_peer(this->cred, cert);
+                       if (certificate)
                        {
-                               DBG1(DBG_CFG, "  id '%Y' not confirmed by certificate, "
-                                        "defaulting to '%Y'", identity,
-                                        certificate->get_subject(certificate));
-                               identity->destroy(identity);
-                               identity = certificate->get_subject(certificate);
-                               identity = identity->clone(identity);
+                               if (local)
+                               {
+                                       this->ca->check_for_hash_and_url(this->ca, certificate);
+                               }
+                               cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
+                               if (!first)
+                               {
+                                       first = certificate;
+                               }
+                               if (identity->get_type(identity) != ID_ANY &&
+                                       certificate->has_subject(certificate, identity))
+                               {
+                                       has_subject = TRUE;
+                               }
                        }
                }
+               enumerator->destroy(enumerator);
+
+               if (first && !has_subject)
+               {
+                       DBG1(DBG_CFG, "  id '%Y' not confirmed by certificate, "
+                                "defaulting to '%Y'", identity, first->get_subject(first));
+                       identity->destroy(identity);
+                       identity = first->get_subject(first);
+                       identity = identity->clone(identity);
+               }
        }
        if (identity->get_type(identity) != ID_ANY)
        {
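Review bot: The loop at `while (enumerator->enumerate(enumerator, &cert))` overwrites the `cert` parameter with tokens owned by the enumerator, so after `enumerator->destroy(enumerator)` the variable no longer points at the caller's string; if build_auth_cfg reads `cert` again after the `if (cert)` block (its body continues outside the hunk), that would be a dangling read, and the original value is lost either way. A separate loop variable avoids this: `char *token;` … `while (enumerator->enumerate(enumerator, &token))` … `certificate = this->cred->load_peer(this->cred, token);`. The fallback at `if (first && !has_subject)` also deserves a comment, since with several certificates it silently takes the first one that loaded as the identity source, e.g. `/* none of the loaded certs confirm the configured id: fall back to the subject of the first one that loaded */`. A token for which load_peer() returns NULL is skipped without any message in this hunk; unless load_peer() logs the failure itself, a DBG1 naming the entry that could not be loaded would help operators spot a typo in a multi-cert leftcert list.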