author | René Mayrhofer <rene@mayrhofer.eu.org> | 2011-03-05 09:20:09 +0100 |
---|---|---|
committer | René Mayrhofer <rene@mayrhofer.eu.org> | 2011-03-05 09:20:09 +0100 |
commit | 568905f488e63e28778f87ac0e38d845f45bae79 (patch) | |
tree | d9969a147e36413583ff4bc75542d34c955f8823 /src/libstrongswan/credentials | |
parent | f73fba54dc8b30c6482e1e8abf15bbf455592fcd (diff) | |
Imported Upstream version 4.5.1
Diffstat (limited to 'src/libstrongswan/credentials')
-rw-r--r-- | src/libstrongswan/credentials/auth_cfg.c | 155 | ||||
-rw-r--r-- | src/libstrongswan/credentials/auth_cfg.h | 8 | ||||
-rw-r--r-- | src/libstrongswan/credentials/builder.c | 8 | ||||
-rw-r--r-- | src/libstrongswan/credentials/builder.h | 18 | ||||
-rw-r--r-- | src/libstrongswan/credentials/cert_validator.h | 7 | ||||
-rw-r--r-- | src/libstrongswan/credentials/certificates/crl.h | 15 | ||||
-rw-r--r-- | src/libstrongswan/credentials/certificates/x509.c | 28 | ||||
-rw-r--r-- | src/libstrongswan/credentials/certificates/x509.h | 89 | ||||
-rw-r--r-- | src/libstrongswan/credentials/credential_manager.c | 90 | ||||
-rw-r--r-- | src/libstrongswan/credentials/sets/auth_cfg_wrapper.c | 3 | ||||
-rw-r--r-- | src/libstrongswan/credentials/sets/mem_cred.c | 240 | ||||
-rw-r--r-- | src/libstrongswan/credentials/sets/mem_cred.h | 50 |
12 files changed, 599 insertions, 112 deletions
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index ce718b9cb..23a3f62d9 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -131,11 +131,13 @@ static void destroy_entry_value(entry_t *entry) case AUTH_RULE_SUBJECT_CERT: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_REVOCATION_CERT: { certificate_t *cert = (certificate_t*)entry->value; cert->destroy(cert); break; } + case AUTH_RULE_CERT_POLICY: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: { @@ -147,6 +149,8 @@ static void destroy_entry_value(entry_t *entry) case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: break; } } @@ -172,6 +176,8 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator, case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: /* integer type */ enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int); break; @@ -182,10 +188,12 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator, case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: + case AUTH_RULE_CERT_POLICY: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: + case AUTH_HELPER_REVOCATION_CERT: /* pointer type */ enumerator->current->value = va_arg(args, void*); break; @@ -237,6 +245,8 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type) case AUTH_RULE_EAP_TYPE: return (void*)EAP_NAK; case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: return (void*)0; case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: 
@@ -248,10 +258,12 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type) case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: + case AUTH_RULE_CERT_POLICY: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: + case AUTH_HELPER_REVOCATION_CERT: default: return NULL; } @@ -274,6 +286,8 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...) case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: /* integer type */ entry->value = (void*)(uintptr_t)va_arg(args, u_int); break; @@ -284,10 +298,12 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...) case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: + case AUTH_RULE_CERT_POLICY: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: + case AUTH_HELPER_REVOCATION_CERT: /* pointer type */ entry->value = va_arg(args, void*); break; 
@@ -358,38 +374,45 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: { - cert_validation_t validated, required; + uintptr_t validated; - required = (uintptr_t)value; - validated = (uintptr_t)get(this, t1); - switch (required) + e2 = create_enumerator(this); + while (e2->enumerate(e2, &t2, &validated)) { - case VALIDATION_FAILED: - /* no constraint */ - break; - case VALIDATION_SKIPPED: - if (validated == VALIDATION_SKIPPED) - { - break; - } - /* FALL */ - case VALIDATION_GOOD: - if (validated == VALIDATION_GOOD) - { - break; - } - /* FALL */ - default: - success = FALSE; - if (log_error) + if (t2 == t1) + { + switch ((uintptr_t)value) { - DBG1(DBG_CFG, "constraint check failed: %N is %N, " - "but requires at least %N", auth_rule_names, - t1, cert_validation_names, validated, - cert_validation_names, required); + case VALIDATION_FAILED: + /* no constraint */ + break; + case VALIDATION_SKIPPED: + if (validated == VALIDATION_SKIPPED) + { + break; + } + /* FALL */ + case VALIDATION_GOOD: + if (validated == VALIDATION_GOOD) + { + break; + } + /* FALL */ + default: + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint check failed: " + "%N is %N, but requires at least %N", + auth_rule_names, t1, + cert_validation_names, validated, + cert_validation_names, (uintptr_t)value); + } + break; } - break; + } } + e2->destroy(e2); break; } case AUTH_RULE_IDENTITY: 
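Review bot: A `VALIDATION_GOOD` or `VALIDATION_SKIPPED` constraint is now satisfied by a chain that carries no `AUTH_RULE_CRL_VALIDATION`/`AUTH_RULE_OCSP_VALIDATION` entry at all, because `success` is only ever cleared inside the `if (t2 == t1)` branch of the new loop, whereas the old code evaluated `get(this, t1)` and any value other than GOOD/SKIPPED fell into the failing `default:` arm. Whether this is reachable depends on every validator always recording a result for every chain link, which is not visible in this diff, so I would rather fail closed: remember whether any entry of type `t1` was seen and treat "none" as a failure whenever the constraint is stronger than `VALIDATION_FAILED`. complies() starts and ends outside this hunk.
```c
					uintptr_t validated;
					bool found = FALSE;

					e2 = create_enumerator(this);
					while (e2->enumerate(e2, &t2, &validated))
					{
						if (t2 == t1)
						{
							found = TRUE;
							/* … unchanged: switch on required value … */
						}
					}
					e2->destroy(e2);
					if (!found && (uintptr_t)value != VALIDATION_FAILED)
					{
						success = FALSE;
						if (log_error)
						{
							DBG1(DBG_CFG, "constraint check failed: %N requires "
								 "at least %N, but no validation result recorded",
								 auth_rule_names, t1,
								 cert_validation_names, (uintptr_t)value);
						}
					}
					break;
```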
@@ -473,10 +496,76 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, e2->destroy(e2); break; } + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: + { + uintptr_t strength; + + e2 = create_enumerator(this); + while (e2->enumerate(e2, &t2, &strength)) + { + if (t2 == t1) + { + if ((uintptr_t)value > strength) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint requires %d bit " + "public keys, but %d bit key used", + (uintptr_t)value, strength); + } + } + } + else if (t2 == AUTH_RULE_RSA_STRENGTH) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint requires %d bit ECDSA, " + "but RSA used", (uintptr_t)value); + } + } + else if (t2 == AUTH_RULE_ECDSA_STRENGTH) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint requires %d bit RSA, " + "but ECDSA used", (uintptr_t)value); + } + } + } + e2->destroy(e2); + break; + } + case AUTH_RULE_CERT_POLICY: + { + char *oid1, *oid2; + + oid1 = (char*)value; + success = FALSE; + e2 = create_enumerator(this); + while (e2->enumerate(e2, &t2, &oid2)) + { + if (t2 == t1 && streq(oid1, oid2)) + { + success = TRUE; + break; + } + } + e2->destroy(e2); + if (!success && log_error) + { + DBG1(DBG_CFG, "constraint requires cert policy %s", oid1); + } + break; + } case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: + case AUTH_HELPER_REVOCATION_CERT: /* skip helpers */ continue; } @@ -523,6 +612,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy case AUTH_RULE_SUBJECT_CERT: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_REVOCATION_CERT: { certificate_t *cert = (certificate_t*)value; 
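Review bot: The `AUTH_RULE_RSA_STRENGTH`/`AUTH_RULE_ECDSA_STRENGTH` check passes when `this` holds no strength entry of either type, since `success` is only cleared inside the enumerator loop; `get_key_strength()` in credential_manager.c (same commit) records nothing for key types other than RSA/ECDSA or when `get_public_key()` returns NULL, so a chain containing such a key satisfies a "2048 bit RSA" constraint silently. I would add a `bool found` set in the loop and after `e2->destroy(e2);` fail closed with `if (!found) { success = FALSE; }` plus a log line naming the constraint. Separately, both `DBG1()` calls pass `uintptr_t` values (`(uintptr_t)value`, `strength`) to `%d`, which is a mismatched vararg on LP64; cast to `(int)` or switch the locals to `u_int` with `%u`.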
@@ -534,6 +624,8 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy case AUTH_RULE_AUTH_CLASS: case AUTH_RULE_EAP_TYPE: case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: { add(this, type, (uintptr_t)value); break; @@ -548,6 +640,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy add(this, type, id->clone(id)); break; } + case AUTH_RULE_CERT_POLICY: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: { @@ -600,6 +693,8 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: { if (i1->value == i2->value) { @@ -613,6 +708,7 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) case AUTH_RULE_SUBJECT_CERT: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_REVOCATION_CERT: { certificate_t *c1, *c2; @@ -643,6 +739,7 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) } continue; } + case AUTH_RULE_CERT_POLICY: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: { @@ -725,11 +822,13 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this) case AUTH_RULE_SUBJECT_CERT: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_REVOCATION_CERT: { certificate_t *cert = (certificate_t*)entry->value; clone->add(clone, entry->type, cert->get_ref(cert)); break; } + case AUTH_RULE_CERT_POLICY: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: { @@ -741,6 +840,8 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this) case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: clone->add(clone, entry->type, (uintptr_t)entry->value); break; } 
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h index 19624a2fe..489ce1134 100644 --- a/src/libstrongswan/credentials/auth_cfg.h +++ b/src/libstrongswan/credentials/auth_cfg.h @@ -90,6 +90,12 @@ enum auth_rule_t { * The group membership constraint is fulfilled if the subject is member of * one group defined in the constraints. */ AUTH_RULE_GROUP, + /** required RSA public key strength, u_int in bits */ + AUTH_RULE_RSA_STRENGTH, + /** required ECDSA public key strength, u_int in bits */ + AUTH_RULE_ECDSA_STRENGTH, + /** certificatePolicy constraint, numerical OID as char* */ + AUTH_RULE_CERT_POLICY, /** intermediate certificate, certificate_t* */ AUTH_HELPER_IM_CERT, @@ -99,6 +105,8 @@ enum auth_rule_t { AUTH_HELPER_IM_HASH_URL, /** Hash and URL of a end-entity certificate, char* */ AUTH_HELPER_SUBJECT_HASH_URL, + /** revocation certificate (CRL, OCSP), certificate_t* */ + AUTH_HELPER_REVOCATION_CERT, }; /** diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c index c43e5fd5d..f9a277a2c 100644 --- a/src/libstrongswan/credentials/builder.c +++ b/src/libstrongswan/credentials/builder.c @@ -43,8 +43,16 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END, "BUILD_CRL_DISTRIBUTION_POINTS", "BUILD_OCSP_ACCESS_LOCATIONS", "BUILD_PATHLEN", + "BUILD_PERMITTED_NAME_CONSTRAINTS", + "BUILD_EXCLUDED_NAME_CONSTRAINTS", + "BUILD_CERTIFICATE_POLICIES", + "BUILD_POLICY_MAPPINGS", + "BUILD_POLICY_REQUIRE_EXPLICIT", + "BUILD_POLICY_INHIBIT_MAPPING", + "BUILD_POLICY_INHIBIT_ANY", "BUILD_X509_FLAG", "BUILD_REVOKED_ENUMERATOR", + "BUILD_BASE_CRL", "BUILD_CHALLENGE_PWD", "BUILD_PKCS11_MODULE", "BUILD_PKCS11_SLOT", diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h index dc87da2a4..325b668cd 100644 --- a/src/libstrongswan/credentials/builder.h +++ b/src/libstrongswan/credentials/builder.h 
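Review bot: The new rule comments in auth_cfg.h don't state ownership or multiplicity, and both matter to callers: `AUTH_RULE_CERT_POLICY` is grouped with the HASH_URL string entries in `destroy_entry_value()` (whose body is outside the hunk but presumably frees them), so the `char*` must be heap-allocated by the caller; the strength rules are added once per certificate of the chain by `get_key_strength()` and, as constraints, are minima that every recorded key must meet. Suggest `/** required RSA public key strength, u_int in bits; as auth info one entry per chain certificate, as constraint a minimum all of them must satisfy */` (likewise for ECDSA) and `/** certificatePolicy constraint, dotted-decimal OID as char*, owned and freed by the config */`. `AUTH_HELPER_REVOCATION_CERT` should also say whether a CRL and an OCSP response are both carried under this one rule, as "(CRL, OCSP)" implies.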
@@ -87,16 +87,32 @@ enum builder_part_t { BUILD_CA_CERT, /** a certificate, certificate_t* */ BUILD_CERT, - /** CRL distribution point URIs, linked_list_t* containing char* */ + /** CRL distribution point URIs, x509_cdp_t* */ BUILD_CRL_DISTRIBUTION_POINTS, /** OCSP AuthorityInfoAccess locations, linked_list_t* containing char* */ BUILD_OCSP_ACCESS_LOCATIONS, /** certificate path length constraint */ BUILD_PATHLEN, + /** permitted X509 name constraints, linked_list_t* of identification_t* */ + BUILD_PERMITTED_NAME_CONSTRAINTS, + /** excluded X509 name constraints, linked_list_t* of identification_t* */ + BUILD_EXCLUDED_NAME_CONSTRAINTS, + /** certificatePolicy OIDs, linked_list_t* of x509_cert_policy_t* */ + BUILD_CERTIFICATE_POLICIES, + /** policyMapping OIDs, linked_list_t* of x509_policy_mapping_t* */ + BUILD_POLICY_MAPPINGS, + /** requireExplicitPolicy constraint, int */ + BUILD_POLICY_REQUIRE_EXPLICIT, + /** inhibitPolicyMapping constraint, int */ + BUILD_POLICY_INHIBIT_MAPPING, + /** inhibitAnyPolicy constraint, int */ + BUILD_POLICY_INHIBIT_ANY, /** enforce an additional X509 flag, x509_flag_t */ BUILD_X509_FLAG, /** enumerator_t over (chunk_t serial, time_t date, crl_reason_t reason) */ BUILD_REVOKED_ENUMERATOR, + /** Base CRL serial for a delta CRL, chunk_t, */ + BUILD_BASE_CRL, /** PKCS#10 challenge password */ BUILD_CHALLENGE_PWD, /** friendly name of a PKCS#11 module, null terminated char* */ diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h index 1e67c23ab..733d9d612 100644 --- a/src/libstrongswan/credentials/cert_validator.h +++ b/src/libstrongswan/credentials/cert_validator.h 
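Review bot: The `BUILD_BASE_CRL` comment has a stray trailing comma (`chunk_t,`), and `BUILD_CRL_DISTRIBUTION_POINTS` now documents a single `x509_cdp_t*` while the neighbouring `BUILD_OCSP_ACCESS_LOCATIONS` keeps a `linked_list_t*`; if the part is expected to be passed repeatedly, once per distribution point, the comment should say so, since the old list form implied one part carrying all URIs. Suggest `/** CRL distribution point, x509_cdp_t*; may be passed multiple times */` and `/** Base CRL serial for a delta CRL, chunk_t */`. The new parts are inserted in the same order as the names added to builder.c's ENUM in this commit, which is what keeps the two in sync — a reminder comment at the tail of the enum is cheap insurance.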
@@ -40,12 +40,13 @@ struct cert_validator_t { * @param subject subject certificate to check * @param issuer issuer of subject * @param online wheter to do online revocation checking - * @param pathlen the current length of the path up to the root CA + * @param pathlen the current length of the path bottom-up + * @param anchor is issuer trusted root anchor * @param auth container for resulting authentication info */ bool (*validate)(cert_validator_t *this, certificate_t *subject, - certificate_t *issuer, bool online, int pathlen, - auth_cfg_t *auth); + certificate_t *issuer, bool online, u_int pathlen, + bool anchor, auth_cfg_t *auth); }; #endif /** CERT_VALIDATOR_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h index 9425311fb..2f3497474 100644 --- a/src/libstrongswan/credentials/certificates/crl.h +++ b/src/libstrongswan/credentials/certificates/crl.h @@ -72,6 +72,21 @@ struct crl_t { chunk_t (*get_authKeyIdentifier)(crl_t *this); /** + * Is this CRL a delta CRL? + * + * @param base_crl gets to baseCrlNumber, if this is a delta CRL + * @return TRUE if delta CRL + */ + bool (*is_delta_crl)(crl_t *this, chunk_t *base_crl); + + /** + * Create an enumerator over Freshest CRL distribution points and issuers. + * + * @return enumerator over x509_cdp_t + */ + enumerator_t* (*create_delta_crl_uri_enumerator)(crl_t *this); + + /** * Create an enumerator over all revoked certificates. * * The enumerator takes 3 pointer arguments: diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c deleted file mode 100644 index 66dc192c1..000000000 --- a/src/libstrongswan/credentials/certificates/x509.c +++ /dev/null 
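Review bot: `is_delta_crl()` in crl.h doesn't say who owns the chunk written to `base_crl` (a view into the CRL's encoding, or a copy the caller frees) nor whether `base_crl` may be NULL when the caller only wants the boolean; both are needed by anyone deciding whether to replace a cached CRL. Suggest `@param base_crl receives the baseCrlNumber if this is a delta CRL (points into the CRL, not to be freed); may be NULL` — adjust to whatever the implementation, which is not in this diff, actually does. The "Freshest CRL" enumerator doc should likewise name the ownership of the enumerated `x509_cdp_t`.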
@@ -1,28 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "x509.h" - -ENUM(x509_flag_names, X509_NONE, X509_IP_ADDR_BLOCKS, - "X509_NONE", - "X509_CA", - "X509_AA", - "X509_OCSP_SIGNER", - "X509_SERVER_AUTH", - "X509_CLIENT_AUTH", - "X509_SELF_SIGNED", - "X509_IP_ADDR_BLOCKS", -); - diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h index 6e0a5002a..fec02dbad 100644 --- a/src/libstrongswan/credentials/certificates/x509.h +++ b/src/libstrongswan/credentials/certificates/x509.h @@ -24,10 +24,15 @@ #include <utils/enumerator.h> #include <credentials/certificates/certificate.h> -#define X509_NO_PATH_LEN_CONSTRAINT -1 +/* constraints are currently restricted to the range 0..127 */ +#define X509_NO_CONSTRAINT 255 typedef struct x509_t x509_t; +typedef struct x509_cert_policy_t x509_cert_policy_t; +typedef struct x509_policy_mapping_t x509_policy_mapping_t; +typedef struct x509_cdp_t x509_cdp_t; typedef enum x509_flag_t x509_flag_t; +typedef enum x509_constraint_t x509_constraint_t; /** * X.509 certificate flags. 
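Review bot: `X509_NO_CONSTRAINT` is 255 while the comment says constraints are restricted to 0..127, and the new `get_constraint()` returns `u_int`; the ASN.1 INTEGER behind pathLenConstraint/requireExplicitPolicy is unbounded, so an implementation must clamp or reject any decoded value ≥ 255 or a large but real constraint reads back as "no constraint" — the parser is not in this diff, so this needs checking there. I'd make the contract explicit at the define: `/* constraints are limited to 0..127; larger encoded values must be rejected at parse time, 255 means "none" */`. Note also that `credential_manager.c` still counts `pathlen` as an `int` in this commit, so validators comparing it against `get_constraint()` mix signedness.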
@@ -49,12 +54,55 @@ enum x509_flag_t { X509_SELF_SIGNED = (1<<5), /** cert has an ipAddrBlocks extension */ X509_IP_ADDR_BLOCKS = (1<<6), + /** cert has CRL sign key usage */ + X509_CRL_SIGN = (1<<7), }; /** - * enum names for x509 flags + * Different numerical X.509 constraints. */ -extern enum_name_t *x509_flag_names; +enum x509_constraint_t { + /** pathLenConstraint basicConstraints */ + X509_PATH_LEN, + /** inhibitPolicyMapping policyConstraint */ + X509_INHIBIT_POLICY_MAPPING, + /** requireExplicitPolicy policyConstraint */ + X509_REQUIRE_EXPLICIT_POLICY, + /** inhibitAnyPolicy constraint */ + X509_INHIBIT_ANY_POLICY, +}; + +/** + * X.509 certPolicy extension. + */ +struct x509_cert_policy_t { + /** OID of certPolicy */ + chunk_t oid; + /** Certification Practice Statement URI qualifier */ + char *cps_uri; + /** UserNotice Text qualifier */ + char *unotice_text; +}; + +/** + * X.509 policyMapping extension + */ +struct x509_policy_mapping_t { + /** OID of issuerDomainPolicy */ + chunk_t issuer; + /** OID of subjectDomainPolicy */ + chunk_t subject; +}; + +/** + * X.509 CRL distributionPoint + */ +struct x509_cdp_t { + /** CDP URI, as string */ + char *uri; + /** CRL issuer */ + identification_t *issuer; +}; /** * X.509 certificate interface. @@ -98,11 +146,12 @@ struct x509_t { chunk_t (*get_authKeyIdentifier)(x509_t *this); /** - * Get an optional path length constraint. + * Get a numerical X.509 constraint. * - * @return pathLenConstraint, -1 if no constraint exists + * @param type type of constraint to get + * @return constraint, X509_NO_CONSTRAINT if none found */ - int (*get_pathLenConstraint)(x509_t *this); + u_int (*get_constraint)(x509_t *this, x509_constraint_t type); /** * Create an enumerator over all subjectAltNames. 
@@ -112,9 +161,9 @@ struct x509_t { enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this); /** - * Create an enumerator over all CRL URIs. + * Create an enumerator over all CRL URIs and CRL Issuers. * - * @return enumerator over URIs as char* + * @return enumerator over x509_cdp_t */ enumerator_t* (*create_crl_uri_enumerator)(x509_t *this); @@ -131,6 +180,30 @@ struct x509_t { * @return enumerator over ipAddrBlocks as traffic_selector_t* */ enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this); + + /** + * Create an enumerator over name constraints. + * + * @param perm TRUE for permitted, FALSE for excluded subtrees + * @return enumerator over subtrees as identification_t + */ + enumerator_t* (*create_name_constraint_enumerator)(x509_t *this, bool perm); + + /** + * Create an enumerator over certificate policies. + * + * @return enumerator over x509_cert_policy_t + */ + enumerator_t* (*create_cert_policy_enumerator)(x509_t *this); + + /** + * Create an enumerator over policy mappings. + * + * @return enumerator over x509_policy_mapping + */ + enumerator_t* (*create_policy_mapping_enumerator)(x509_t *this); + + }; #endif /** X509_H_ @}*/ diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index 97e8d8887..27b97eab3 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c @@ -452,8 +452,8 @@ static void cache_queue(private_credential_manager_t *this) * check a certificate for its lifetime */ static bool check_certificate(private_credential_manager_t *this, - certificate_t *subject, certificate_t *issuer, - bool online, int pathlen, auth_cfg_t *auth) + certificate_t *subject, certificate_t *issuer, bool online, + int pathlen, bool trusted, auth_cfg_t *auth) { time_t not_before, not_after; cert_validator_t *validator; 
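Review bot: The doc for `create_policy_mapping_enumerator()` says "enumerator over x509_policy_mapping" — the type is `x509_policy_mapping_t`, and as with the other enumerators it should state whether the pointer stays owned by the certificate: `@return enumerator over x509_policy_mapping_t*, owned by the certificate`. The same applies to `create_name_constraint_enumerator()` ("subtrees as identification_t" should be `identification_t*`). The two blank lines before `};` are stray.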
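Review bot: `check_certificate()` keeps `int pathlen, bool trusted` while the `cert_validator_t.validate()` it forwards to now takes `u_int pathlen, bool anchor` (cert_validator.h in this diff); the implicit int→unsigned conversion is harmless for the `0..MAX_TRUST_PATH_LEN` loop counter, but the signature and the parameter name should match the interface so a reader doesn't look for a separate "trusted" notion: `certificate_t *subject, certificate_t *issuer, bool online, u_int pathlen, bool anchor, auth_cfg_t *auth)`. The header comment "check a certificate for its lifetime" no longer describes the function either — after this commit it checks the validity period and then runs every registered validator, and the comment should say so.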
@@ -471,29 +471,12 @@ static bool check_certificate(private_credential_manager_t *this, ¬_before, FALSE, ¬_after, FALSE); return FALSE; } - if (issuer->get_type(issuer) == CERT_X509 && - subject->get_type(subject) == CERT_X509) - { - int pathlen_constraint; - x509_t *x509; - - /* check path length constraint */ - x509 = (x509_t*)issuer; - pathlen_constraint = x509->get_pathLenConstraint(x509); - if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && - pathlen > pathlen_constraint) - { - DBG1(DBG_CFG, "path length of %d violates constraint of %d", - pathlen, pathlen_constraint); - return FALSE; - } - } enumerator = this->validators->create_enumerator(this->validators); while (enumerator->enumerate(enumerator, &validator)) { if (!validator->validate(validator, subject, issuer, - online, pathlen, auth)) + online, pathlen, trusted, auth)) { enumerator->destroy(enumerator); return FALSE; @@ -551,6 +534,37 @@ static certificate_t *get_issuer_cert(private_credential_manager_t *this, } /** + * Get the strength of certificate, add it to auth + */ +static void get_key_strength(certificate_t *cert, auth_cfg_t *auth) +{ + uintptr_t strength; + public_key_t *key; + key_type_t type; + + key = cert->get_public_key(cert); + if (key) + { + type = key->get_type(key); + strength = key->get_keysize(key); + DBG2(DBG_CFG, " certificate \"%Y\" key: %d bit %N", + cert->get_subject(cert), strength, key_type_names, type); + switch (type) + { + case KEY_RSA: + auth->add(auth, AUTH_RULE_RSA_STRENGTH, strength); + break; + case KEY_ECDSA: + auth->add(auth, AUTH_RULE_ECDSA_STRENGTH, strength); + break; + default: + break; + } + key->destroy(key); + } +} + +/** * try to verify the trust chain of subject, return TRUE if trusted */ static bool verify_trust_chain(private_credential_manager_t *this, 
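Review bot: Removing the pathLenConstraint check from `check_certificate()` leaves no enforcement in libstrongswan itself; after this hunk the constraint is only honoured if a registered `cert_validator_t` implements it, which a build without that plugin will silently not do. If that split is intended, say so where the check used to be, e.g. `/* pathLen and the other X.509 constraints are enforced by cert_validator plugins, not here */`, so a missing validator is recognised as a configuration gap rather than assumed covered. In `get_key_strength()` the `uintptr_t strength` is logged through `%d`, a mismatched vararg on LP64 — use `(int)strength` or make the local `u_int` with `%u`. The code also assumes `get_keysize()` returns bits (the log says "bit", the rule is documented in bits); public_key.h is not in this diff, so that is worth confirming.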
@@ -562,7 +576,9 @@ static bool verify_trust_chain(private_credential_manager_t *this, int pathlen; auth = auth_cfg_create(); + get_key_strength(subject, auth); current = subject->get_ref(subject); + auth->add(auth, AUTH_RULE_SUBJECT_CERT, current->get_ref(current)); for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++) { @@ -607,13 +623,17 @@ static bool verify_trust_chain(private_credential_manager_t *this, break; } } - if (!check_certificate(this, current, issuer, online, pathlen, - current == subject ? auth : NULL)) + if (!check_certificate(this, current, issuer, online, + pathlen, trusted, auth)) { trusted = FALSE; issuer->destroy(issuer); break; } + if (issuer) + { + get_key_strength(issuer, auth); + } current->destroy(current); current = issuer; if (trusted) @@ -637,6 +657,14 @@ static bool verify_trust_chain(private_credential_manager_t *this, } /** + * List find match function for certificates + */ +static bool cert_equals(certificate_t *a, certificate_t *b) +{ + return a->equals(a, b); +} + +/** * enumerator for trusted certificates */ typedef struct { @@ -656,6 +684,8 @@ typedef struct { certificate_t *pretrusted; /** currently enumerating auth config */ auth_cfg_t *auth; + /** list of failed candidates */ + linked_list_t *failed; } trusted_enumerator_t; METHOD(enumerator_t, trusted_enumerate, bool, @@ -683,11 +713,14 @@ METHOD(enumerator_t, trusted_enumerate, bool, verify_trust_chain(this->this, this->pretrusted, this->auth, TRUE, this->online)) { - this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT, - this->pretrusted->get_ref(this->pretrusted)); DBG1(DBG_CFG, " using trusted certificate \"%Y\"", this->pretrusted->get_subject(this->pretrusted)); *cert = this->pretrusted; + if (!this->auth->get(this->auth, AUTH_RULE_SUBJECT_CERT)) + { /* add cert to auth info, if not returned by trustchain */ + this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT, + this->pretrusted->get_ref(this->pretrusted)); + } if (auth) { *auth = this->auth; 
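Review bot: The local `auth` is now filled for every chain link (a key strength per certificate, plus whatever the validators record on each `check_certificate()` call) instead of for the subject only, and `AUTH_RULE_SUBJECT_CERT` is added up front; nothing explains why the pretrusted path in trusted_enumerate() still has to add the subject cert conditionally (`if (!this->auth->get(this->auth, AUTH_RULE_SUBJECT_CERT))`) — presumably because verify_trust_chain()'s auth is merged into `this->auth` only on some paths, which lies outside this hunk. A comment at the `add()` in verify_trust_chain, `/* auth collects per-link info (key strengths, validator results) for the whole chain; the subject cert is added here so constraint checks can see it */`, and one at the fallback stating when it triggers, would save the next reader the trace. verify_trust_chain() begins and ends outside the hunk.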
@@ -705,6 +738,12 @@ METHOD(enumerator_t, trusted_enumerate, bool, continue; } + if (this->failed->find_first(this->failed, (void*)cert_equals, + NULL, current) == SUCCESS) + { /* check each candidate only once */ + continue; + } + DBG1(DBG_CFG, " using certificate \"%Y\"", current->get_subject(current)); if (verify_trust_chain(this->this, current, this->auth, FALSE, @@ -717,6 +756,7 @@ METHOD(enumerator_t, trusted_enumerate, bool, } return TRUE; } + this->failed->insert_last(this->failed, current->get_ref(current)); } return FALSE; } @@ -727,6 +767,7 @@ METHOD(enumerator_t, trusted_destroy, void, DESTROY_IF(this->pretrusted); DESTROY_IF(this->auth); DESTROY_IF(this->candidates); + this->failed->destroy_offset(this->failed, offsetof(certificate_t, destroy)); free(this); } @@ -745,6 +786,7 @@ METHOD(credential_manager_t, create_trusted_enumerator, enumerator_t*, .type = type, .id = id, .online = online, + .failed = linked_list_create(), ); return &enumerator->public; } diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c index 5e8458616..225fabe31 100644 --- a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c +++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c @@ -132,7 +132,8 @@ static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert) } } else if (rule != AUTH_HELPER_SUBJECT_CERT && - rule != AUTH_HELPER_IM_CERT) + rule != AUTH_HELPER_IM_CERT && + rule != AUTH_HELPER_REVOCATION_CERT) { /* handle only HELPER certificates */ continue; } diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c index c29a99f1f..e023e8443 100644 --- a/src/libstrongswan/credentials/sets/mem_cred.c +++ b/src/libstrongswan/credentials/sets/mem_cred.c @@ -1,4 +1,6 @@ /* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperwsil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * 
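Review bot: The `(void*)cert_equals` cast handed to `find_first()` hides the `linked_list_match_t` type, while mem_cred.c in this same diff writes `(linked_list_match_t)certificate_equals` for an identical one-line wrapper; use the typed cast here for consistency (and consider sharing the helper instead of keeping a private copy per file). The `failed` list also deserves a sentence at its declaration saying why it exists: `/** candidates that already failed chain verification; skipped on later enumerate() calls so each is verified at most once per lookup */`.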
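Review bot: Typo in the new copyright line of mem_cred.c: `Hochschule fuer Technik Rapperwsil` should read `Rapperswil`, as the matching line added to mem_cred.h in this commit spells it.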
@@ -54,6 +56,11 @@ struct private_mem_cred_t { * List of shared keys, as shared_entry_t */ linked_list_t *shared; + + /** + * List of CDPs, as cdp_t + */ + linked_list_t *cdps; }; /** 
@@ -144,21 +151,104 @@ static bool certificate_equals(certificate_t *item, certificate_t *cert) return item->equals(item, cert); } +/** + * Add a certificate the the cache. Returns a reference to "cert" or a + * previously cached certificate that equals "cert". + */ +static certificate_t *add_cert_internal(private_mem_cred_t *this, bool trusted, + certificate_t *cert) +{ + certificate_t *cached; + this->lock->write_lock(this->lock); + if (this->untrusted->find_first(this->untrusted, + (linked_list_match_t)certificate_equals, + (void**)&cached, cert) == SUCCESS) + { + cert->destroy(cert); + cert = cached->get_ref(cached); + } + else + { + if (trusted) + { + this->trusted->insert_first(this->trusted, cert->get_ref(cert)); + } + this->untrusted->insert_first(this->untrusted, cert->get_ref(cert)); + } + this->lock->unlock(this->lock); + return cert; +} + METHOD(mem_cred_t, add_cert, void, private_mem_cred_t *this, bool trusted, certificate_t *cert) { + certificate_t *cached = add_cert_internal(this, trusted, cert); + cached->destroy(cached); +} + +METHOD(mem_cred_t, add_cert_ref, certificate_t*, + private_mem_cred_t *this, bool trusted, certificate_t *cert) +{ + return add_cert_internal(this, trusted, cert); +} + +METHOD(mem_cred_t, add_crl, bool, + private_mem_cred_t *this, crl_t *crl) +{ + certificate_t *current, *cert = &crl->certificate; + enumerator_t *enumerator; + bool new = TRUE; + this->lock->write_lock(this->lock); - if (this->untrusted->find_last(this->untrusted, - (linked_list_match_t)certificate_equals, NULL, cert) != SUCCESS) + enumerator = this->untrusted->create_enumerator(this->untrusted); + while (enumerator->enumerate(enumerator, (void**)¤t)) { - if (trusted) + if (current->get_type(current) == CERT_X509_CRL) { - this->trusted->insert_last(this->trusted, cert->get_ref(cert)); + bool found = FALSE; + crl_t *crl_c = (crl_t*)current; + chunk_t authkey = crl->get_authKeyIdentifier(crl); + chunk_t authkey_c = crl_c->get_authKeyIdentifier(crl_c); + + /* 
compare authorityKeyIdentifiers if available */ + if (chunk_equals(authkey, authkey_c)) + { + found = TRUE; + } + else + { + identification_t *issuer = cert->get_issuer(cert); + identification_t *issuer_c = current->get_issuer(current); + + /* otherwise compare issuer distinguished names */ + if (issuer->equals(issuer, issuer_c)) + { + found = TRUE; + } + } + if (found) + { + new = crl_is_newer(crl, crl_c); + if (new) + { + this->untrusted->remove_at(this->untrusted, enumerator); + } + else + { + cert->destroy(cert); + } + break; + } } - this->untrusted->insert_last(this->untrusted, cert->get_ref(cert)); } - cert->destroy(cert); + enumerator->destroy(enumerator); + + if (new) + { + this->untrusted->insert_first(this->untrusted, cert); + } this->lock->unlock(this->lock); + return new; } /** @@ -218,7 +308,7 @@ METHOD(mem_cred_t, add_key, void, private_mem_cred_t *this, private_key_t *key) { this->lock->write_lock(this->lock); - this->keys->insert_last(this->keys, key); + this->keys->insert_first(this->keys, key); this->lock->unlock(this->lock); } 
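Review bot: In `add_crl()` the comment says issuer DNs are compared "otherwise", i.e. when authorityKeyIdentifiers are unavailable, but the code falls through to the DN comparison whenever `chunk_equals()` is false — including when both CRLs carry AKIs that merely differ. After a CA key rollover the CRLs signed by the old and the new key share the issuer DN, so the lower-numbered one is evicted and certificates issued under the other key lose their CRL. The same loop does not distinguish a delta CRL from its base (`is_delta_crl()` is added to crl_t in this very commit); if `crl_is_newer()` orders by crlNumber, a delta will replace the base it depends on, which is worth a guard or at least a comment. I would compare DNs only when at least one AKI is absent:
```c
				/* compare authorityKeyIdentifiers if both are available,
				 * otherwise fall back to the issuer distinguished names */
				if (authkey.ptr && authkey_c.ptr)
				{
					found = chunk_equals(authkey, authkey_c);
				}
				else
				{
					identification_t *issuer = cert->get_issuer(cert);
					identification_t *issuer_c = current->get_issuer(current);

					found = issuer->equals(issuer, issuer_c);
				}
				/* … unchanged: replace or discard depending on crl_is_newer() … */
```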
@@ -342,32 +432,137 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, (void*)shared_filter, data, (void*)shared_data_destroy); } -METHOD(mem_cred_t, add_shared, void, - private_mem_cred_t *this, shared_key_t *shared, ...) +METHOD(mem_cred_t, add_shared_list, void, + private_mem_cred_t *this, shared_key_t *shared, linked_list_t* owners) { shared_entry_t *entry; - identification_t *id; - va_list args; INIT(entry, .shared = shared, - .owners = linked_list_create(), + .owners = owners, ); + this->lock->write_lock(this->lock); + this->shared->insert_first(this->shared, entry); + this->lock->unlock(this->lock); +} + +METHOD(mem_cred_t, add_shared, void, + private_mem_cred_t *this, shared_key_t *shared, ...) +{ + identification_t *id; + linked_list_t *owners = linked_list_create(); + va_list args; + va_start(args, shared); do { id = va_arg(args, identification_t*); if (id) { - entry->owners->insert_last(entry->owners, id); + owners->insert_first(owners, id); } } while (id); va_end(args); + add_shared_list(this, shared, owners); +} + +/** + * Certificate distribution point + */ +typedef struct { + certificate_type_t type; + identification_t *id; + char *uri; +} cdp_t; + +/** + * Destroy a CDP entry + */ +static void cdp_destroy(cdp_t *this) +{ + this->id->destroy(this->id); + free(this->uri); + free(this); +} + +METHOD(mem_cred_t, add_cdp, void, + private_mem_cred_t *this, certificate_type_t type, + identification_t *id, char *uri) +{ + cdp_t *cdp; + + INIT(cdp, + .type = type, + .id = id->clone(id), + .uri = strdup(uri), + ); + this->lock->write_lock(this->lock); + this->cdps->insert_last(this->cdps, cdp); + this->lock->unlock(this->lock); +} + +/** + * CDP enumerator data + */ +typedef struct { + certificate_type_t type; + identification_t *id; + rwlock_t *lock; +} cdp_data_t; + +/** + * Clean up CDP enumerator data + */ +static void cdp_data_destroy(cdp_data_t *data) +{ + data->lock->unlock(data->lock); + free(data); +} + +/** + * CDP enumerator 
filter + */ +static bool cdp_filter(cdp_data_t *data, cdp_t **cdp, char **uri) +{ + if (data->type != CERT_ANY && data->type != (*cdp)->type) + { + return FALSE; + } + if (data->id && !(*cdp)->id->matches((*cdp)->id, data->id)) + { + return FALSE; + } + *uri = (*cdp)->uri; + return TRUE; +} + +METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*, + private_mem_cred_t *this, certificate_type_t type, identification_t *id) +{ + cdp_data_t *data; + + INIT(data, + .type = type, + .id = id, + .lock = this->lock, + ); + this->lock->read_lock(this->lock); + return enumerator_create_filter(this->cdps->create_enumerator(this->cdps), + (void*)cdp_filter, data, (void*)cdp_data_destroy); + +} + +METHOD(mem_cred_t, clear_secrets, void, + private_mem_cred_t *this) +{ this->lock->write_lock(this->lock); - this->shared->insert_last(this->shared, entry); + this->keys->destroy_offset(this->keys, offsetof(private_key_t, destroy)); + this->shared->destroy_function(this->shared, (void*)shared_entry_destroy); + this->keys = linked_list_create(); + this->shared = linked_list_create(); this->lock->unlock(this->lock); } @@ -379,13 +574,13 @@ METHOD(mem_cred_t, clear_, void, offsetof(certificate_t, destroy)); this->untrusted->destroy_offset(this->untrusted, offsetof(certificate_t, destroy)); - this->keys->destroy_offset(this->keys, offsetof(private_key_t, destroy)); - this->shared->destroy_function(this->shared, (void*)shared_entry_destroy); + this->cdps->destroy_function(this->cdps, (void*)cdp_destroy); this->trusted = linked_list_create(); this->untrusted = linked_list_create(); - this->keys = linked_list_create(); - this->shared = linked_list_create(); + this->cdps = linked_list_create(); this->lock->unlock(this->lock); + + clear_secrets(this); } METHOD(mem_cred_t, destroy, void, 
@@ -396,6 +591,7 @@ METHOD(mem_cred_t, destroy, void,
 this->untrusted->destroy(this->untrusted);
 this->keys->destroy(this->keys);
 this->shared->destroy(this->shared);
+ this->cdps->destroy(this->cdps);
 this->lock->destroy(this->lock);
 free(this);
 }
@@ -413,19 +609,25 @@ mem_cred_t *mem_cred_create()
 .create_shared_enumerator = _create_shared_enumerator,
 .create_private_enumerator = _create_private_enumerator,
 .create_cert_enumerator = _create_cert_enumerator,
- .create_cdp_enumerator = (void*)return_null,
+ .create_cdp_enumerator = _create_cdp_enumerator,
 .cache_cert = (void*)nop,
 },
 .add_cert = _add_cert,
+ .add_cert_ref = _add_cert_ref,
+ .add_crl = _add_crl,
 .add_key = _add_key,
 .add_shared = _add_shared,
+ .add_shared_list = _add_shared_list,
+ .add_cdp = _add_cdp,
 .clear = _clear_,
+ .clear_secrets = _clear_secrets,
 .destroy = _destroy,
 },
 .trusted = linked_list_create(),
 .untrusted = linked_list_create(),
 .keys = linked_list_create(),
 .shared = linked_list_create(),
+ .cdps = linked_list_create(),
 .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 );
diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h
index b26e43d6c..eb46b065b 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.h
+++ b/src/libstrongswan/credentials/sets/mem_cred.h
@@ -1,4 +1,6 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
 * Copyright (C) 2010 Martin Willi
 * Copyright (C) 2010 revosec AG
 *
@@ -24,6 +26,8 @@ typedef struct mem_cred_t mem_cred_t;
 #include <credentials/credential_set.h>
+#include <credentials/certificates/crl.h>
+#include <utils/linked_list.h>
 /**
 * Generic in-memory credential set.
@@ -44,6 +48,26 @@ struct mem_cred_t {
 void (*add_cert)(mem_cred_t *this, bool trusted, certificate_t *cert);
 /**
+ * Add a certificate to the credential set, returning a reference to it or
+ * to a cached duplicate.
+ *
+ * @param trusted TRUE to serve certificate as trusted
+ * @param cert certificate, reference gets owned by set
+ * @return reference to cert or a previously cached duplicate
+ */
+ certificate_t *(*add_cert_ref)(mem_cred_t *this, bool trusted,
+ certificate_t *cert);
+
+ /**
+ * Add an X.509 CRL to the credential set.
+ *
+ * @param crl CRL, gets owned by set
+ * @return TRUE, if the CRL is newer than an existing one (or
+ * new at all)
+ */
+ bool (*add_crl)(mem_cred_t *this, crl_t *crl);
+
+ /**
 * Add a private key to the credential set.
 *
 * @param key key, reference gets owned by set
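Review bot: The `add_cert_ref` comment leaves ownership at both ends ambiguous: it does not say whether the caller may still use `cert` after the call when a cached duplicate is returned (the `@param` says the reference is owned by the set, which suggests it is released), nor whether the returned `certificate_t*` is a fresh reference the caller must destroy or one borrowed from the set. `add_crl` likewise says `crl` "gets owned by set" but not what happens to it when FALSE is returned. I would extend the `@return` lines, e.g. `@return reference to cert or a previously cached duplicate; cert must not be used afterwards` plus a statement of whether the returned reference is owned by the caller, and for `add_crl` whether the passed CRL is destroyed on FALSE. The implementations are not in this chunk, so the exact semantics need confirming against mem_cred.c.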
@@ -54,16 +78,40 @@ struct mem_cred_t {
 * Add a shared key to the credential set.
 *
 * @param shared shared key to add, gets owned by set
- * @param ... NULL terminated list of owners identification_t*
+ * @param ... NULL terminated list of owners (identification_t*)
 */
 void (*add_shared)(mem_cred_t *this, shared_key_t *shared, ...);
 /**
+ * Add a shared key to the credential set.
+ *
+ * @param shared shared key to add, gets owned by set
+ * @param owners list of owners (identification_t*), gets owned
+ */
+ void (*add_shared_list)(mem_cred_t *this, shared_key_t *shared,
+ linked_list_t *owners);
+ /**
+ * Add a certificate distribution point to the set.
+ *
+ * @param type type of the certificate
+ * @param id certificate ID CDP has a cert for, gets cloned
+ * @param uri CDP URI, gets strduped
+ */
+ void (*add_cdp)(mem_cred_t *this, certificate_type_t type,
+ identification_t *id, char *uri);
+
+ /**
 * Clear all credentials from the credential set.
 */
 void (*clear)(mem_cred_t *this);
 /**
+ * Clear the secrets (private and shared keys, not the certificates) from
+ * the credential set.
+ */
+ void (*clear_secrets)(mem_cred_t *this);
+
+ /**
 * Destroy a mem_cred_t.
 */
 void (*destroy)(mem_cred_t *this); |
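Review bot: The `add_shared_list` and `add_cdp` declarations are not separated by a blank line, unlike every other member pair in this struct; add one after `linked_list_t *owners);`. The `@param owners` line says the list "gets owned" but not whether the `identification_t` entries inside it are adopted as well; `add_shared` in mem_cred.c builds this list from the caller's references without cloning them, so the comment should state that the entries are owned by the set too if that is what the implementation does (not visible in this chunk, so worth confirming). A wording such as `@param owners list of owners (identification_t*), list and entries get owned` would settle it.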