summaryrefslogtreecommitdiff
path: root/src/pluto/keys.c
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2010-02-23 10:34:14 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2010-02-23 10:34:14 +0000
commited7d79f96177044949744da10f4431c1d6242241 (patch)
tree3aabaa55ed3b5291daef891cfee9befb5235e2b8 /src/pluto/keys.c
parent7410d3c6d6a9a1cd7aa55083c938946af6ff9498 (diff)
downloadvyos-strongswan-ed7d79f96177044949744da10f4431c1d6242241.tar.gz
vyos-strongswan-ed7d79f96177044949744da10f4431c1d6242241.zip
[svn-upgrade] Integrating new upstream version, strongswan (4.3.6)
Diffstat (limited to 'src/pluto/keys.c')
-rw-r--r--src/pluto/keys.c353
1 files changed, 157 insertions, 196 deletions
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index 516872e8e..8cf28ace1 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -36,12 +36,11 @@
#include <library.h>
#include <asn1/asn1.h>
+#include <credentials/certificates/pgp_certificate.h>
#include "constants.h"
#include "defs.h"
-#include "id.h"
#include "x509.h"
-#include "pgpcert.h"
#include "certs.h"
#include "smartcard.h"
#include "connections.h"
@@ -61,7 +60,7 @@ const char *shared_secrets_file = SHARED_SECRETS_FILE;
typedef struct id_list id_list_t;
struct id_list {
- struct id id;
+ identification_t *id;
id_list_t *next;
};
@@ -84,9 +83,9 @@ struct secret {
*/
static void free_public_key(pubkey_t *pk)
{
+ DESTROY_IF(pk->id);
DESTROY_IF(pk->public_key);
- free_id_content(&pk->id);
- free(pk->issuer.ptr);
+ DESTROY_IF(pk->issuer);
free(pk->serial.ptr);
free(pk);
}
@@ -97,7 +96,7 @@ secret_t *secrets = NULL;
* me and the peer. We match the Id (if none, the IP address).
* Failure is indicated by a NULL.
*/
-static const secret_t* get_secret(const struct connection *c,
+static const secret_t* get_secret(const connection_t *c,
enum PrivateKeyKind kind, bool asym)
{
enum { /* bits */
@@ -109,14 +108,14 @@ static const secret_t* get_secret(const struct connection *c,
unsigned int best_match = 0;
secret_t *best = NULL;
secret_t *s;
- const struct id *my_id = &c->spd.this.id
- , *his_id = &c->spd.that.id;
- struct id rw_id;
+ identification_t *my_id, *his_id;
/* is there a certificate assigned to this connection? */
- if (kind == PPK_PUBKEY && c->spd.this.cert.type != CERT_NONE)
+ if (kind == PPK_PUBKEY && c->spd.this.cert)
{
- public_key_t *pub_key = cert_get_public_key(c->spd.this.cert);
+ certificate_t *certificate = c->spd.this.cert->cert;
+
+ public_key_t *pub_key = certificate->get_public_key(certificate);
for (s = secrets; s != NULL; s = s->next)
{
@@ -127,26 +126,28 @@ static const secret_t* get_secret(const struct connection *c,
break; /* we have found the private key - no sense in searching further */
}
}
+ pub_key->destroy(pub_key);
return best;
}
+ my_id = c->spd.this.id;
+
if (his_id_was_instantiated(c))
{
/* roadwarrior: replace him with 0.0.0.0 */
- rw_id.kind = c->spd.that.id.kind;
- rw_id.name = chunk_empty;
- happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr));
- his_id = &rw_id;
+ his_id = identification_create_from_string("%any");
}
- else if (kind == PPK_PSK
- && (c->policy & (POLICY_PSK | POLICY_XAUTH_PSK))
- && ((c->kind == CK_TEMPLATE && c->spd.that.id.kind == ID_ANY) ||
- (c->kind == CK_INSTANCE && id_is_ipaddr(&c->spd.that.id))))
+ else if (kind == PPK_PSK && (c->policy & (POLICY_PSK | POLICY_XAUTH_PSK)) &&
+ ((c->kind == CK_TEMPLATE &&
+ c->spd.that.id->get_type(c->spd.that.id) == ID_ANY) ||
+ (c->kind == CK_INSTANCE && id_is_ipaddr(c->spd.that.id))))
{
/* roadwarrior: replace him with 0.0.0.0 */
- rw_id.kind = ID_IPV4_ADDR;
- happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr));
- his_id = &rw_id;
+ his_id = identification_create_from_string("%any");
+ }
+ else
+ {
+ his_id = c->spd.that.id->clone(c->spd.that.id);
}
for (s = secrets; s != NULL; s = s->next)
@@ -169,11 +170,11 @@ static const secret_t* get_secret(const struct connection *c,
for (i = s->ids; i != NULL; i = i->next)
{
- if (same_id(my_id, &i->id))
+ if (my_id->equals(my_id, i->id))
{
match |= match_me;
}
- if (same_id(his_id, &i->id))
+ if (his_id->equals(his_id, i->id))
{
match |= match_him;
}
@@ -239,6 +240,7 @@ static const secret_t* get_secret(const struct connection *c,
}
}
}
+ his_id->destroy(his_id);
return best;
}
@@ -246,7 +248,7 @@ static const secret_t* get_secret(const struct connection *c,
* Failure is indicated by a NULL pointer.
* Note: the result is not to be freed by the caller.
*/
-const chunk_t* get_preshared_secret(const struct connection *c)
+const chunk_t* get_preshared_secret(const connection_t *c)
{
const secret_t *s = get_secret(c, PPK_PSK, FALSE);
@@ -262,11 +264,11 @@ const chunk_t* get_preshared_secret(const struct connection *c)
/* check the existence of a private key matching a public key contained
* in an X.509 or OpenPGP certificate
*/
-bool has_private_key(cert_t cert)
+bool has_private_key(cert_t *cert)
{
secret_t *s;
bool has_key = FALSE;
- public_key_t *pub_key = cert_get_public_key(cert);
+ public_key_t *pub_key = cert->cert->get_public_key(cert->cert);
for (s = secrets; s != NULL; s = s->next)
{
@@ -277,31 +279,37 @@ bool has_private_key(cert_t cert)
break;
}
}
+ pub_key->destroy(pub_key);
return has_key;
}
/*
* get the matching private key belonging to a given X.509 certificate
*/
-private_key_t* get_x509_private_key(const x509cert_t *cert)
+private_key_t* get_x509_private_key(const cert_t *cert)
{
+ public_key_t *public_key = cert->cert->get_public_key(cert->cert);
+ private_key_t *private_key = NULL;
secret_t *s;
for (s = secrets; s != NULL; s = s->next)
{
+
if (s->kind == PPK_PUBKEY &&
- s->u.private_key->belongs_to(s->u.private_key, cert->public_key))
+ s->u.private_key->belongs_to(s->u.private_key, public_key))
{
- return s->u.private_key;
+ private_key = s->u.private_key;
+ break;
}
}
- return NULL;
+ public_key->destroy(public_key);
+ return private_key;
}
/* find the appropriate private key (see get_secret).
* Failure is indicated by a NULL pointer.
*/
-private_key_t* get_private_key(const struct connection *c)
+private_key_t* get_private_key(const connection_t *c)
{
const secret_t *s = get_secret(c, PPK_PUBKEY, TRUE);
@@ -392,7 +400,7 @@ enum rsa_private_key_part_t {
RSA_PART_EXPONENT1 = 5,
RSA_PART_EXPONENT2 = 6,
RSA_PART_COEFFICIENT = 7
-};
+};
const char *rsa_private_key_part_names[] = {
"Modulus",
@@ -408,20 +416,17 @@ const char *rsa_private_key_part_names[] = {
/**
* Parse fields of an RSA private key in BIND 8.2's representation
* consistiong of a braced list of keyword and value pairs in required order.
- * Conversion into ASN.1 DER encoded PKCS#1 representation.
*/
static err_t process_rsa_secret(private_key_t **key)
{
- chunk_t asn1_chunk[countof(rsa_private_key_part_names)];
- chunk_t pkcs1_chunk;
+ chunk_t rsa_chunk[countof(rsa_private_key_part_names)];
u_char buf[RSA_MAX_ENCODING_BYTES]; /* limit on size of binary representation of key */
rsa_private_key_part_t part, p;
- size_t sz, len = 0;
+ size_t sz;
err_t ugh;
for (part = RSA_PART_MODULUS; part <= RSA_PART_COEFFICIENT; part++)
{
- chunk_t rsa_private_key_part;
const char *keyword = rsa_private_key_part_names[part];
if (!shift())
@@ -448,9 +453,8 @@ static err_t process_rsa_secret(private_key_t **key)
part++;
goto end;
}
- rsa_private_key_part = chunk_create(buf, sz);
- asn1_chunk[part] = asn1_integer("c", rsa_private_key_part);
- len += asn1_chunk[part].len;
+ rsa_chunk[part] = chunk_create(buf, sz);
+ rsa_chunk[part] = chunk_clone(rsa_chunk[part]);
}
/* We require an (indented) '}' and the end of the record.
@@ -468,21 +472,17 @@ static err_t process_rsa_secret(private_key_t **key)
goto end;
}
- pkcs1_chunk = asn1_wrap(ASN1_SEQUENCE, "ccccccccc",
- ASN1_INTEGER_0,
- asn1_chunk[RSA_PART_MODULUS],
- asn1_chunk[RSA_PART_PUBLIC_EXPONENT],
- asn1_chunk[RSA_PART_PRIVATE_EXPONENT],
- asn1_chunk[RSA_PART_PRIME1],
- asn1_chunk[RSA_PART_PRIME2],
- asn1_chunk[RSA_PART_EXPONENT1],
- asn1_chunk[RSA_PART_EXPONENT2],
- asn1_chunk[RSA_PART_COEFFICIENT]);
-
*key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
- BUILD_BLOB_ASN1_DER, pkcs1_chunk,
- BUILD_END);
- free(pkcs1_chunk.ptr);
+ BUILD_RSA_MODULUS, rsa_chunk[RSA_PART_MODULUS],
+ BUILD_RSA_PUB_EXP, rsa_chunk[RSA_PART_PUBLIC_EXPONENT],
+ BUILD_RSA_PRIV_EXP, rsa_chunk[RSA_PART_PRIVATE_EXPONENT],
+ BUILD_RSA_PRIME1, rsa_chunk[RSA_PART_PRIME1],
+ BUILD_RSA_PRIME2, rsa_chunk[RSA_PART_PRIME2],
+ BUILD_RSA_EXP1, rsa_chunk[RSA_PART_EXPONENT1],
+ BUILD_RSA_EXP2, rsa_chunk[RSA_PART_EXPONENT2],
+ BUILD_RSA_COEFF, rsa_chunk[RSA_PART_COEFFICIENT],
+ BUILD_END);
+
if (*key == NULL)
{
ugh = "parsing of RSA private key failed";
@@ -492,9 +492,9 @@ end:
/* clean up and return */
for (p = RSA_PART_MODULUS ; p < part; p++)
{
- free(asn1_chunk[p].ptr);
+ chunk_clear(&rsa_chunk[p]);
}
- return ugh;
+ return ugh;
}
/**
@@ -722,7 +722,7 @@ static err_t process_pin(secret_t *s, int whackfd)
}
}
else
- {
+ {
/* we read the pin directly from ipsec.secrets */
err_t ugh = process_psk_secret(&sc->pin);
if (ugh != NULL)
@@ -762,16 +762,12 @@ static void log_psk(secret_t *s)
{
do
{
- n += idtoa(&id_list->id, buf + n, BUF_LEN - n);
+ n += snprintf(buf + n, BUF_LEN - n, "%Y ", id_list->id);
if (n >= BUF_LEN)
{
n = BUF_LEN - 1;
break;
}
- else if (n < BUF_LEN - 1)
- {
- n += snprintf(buf + n, BUF_LEN - n, " ");
- }
id_list = id_list->next;
}
while (id_list);
@@ -948,42 +944,12 @@ static void process_secret_records(int whackfd)
/* an id
* See RFC2407 IPsec Domain of Interpretation 4.6.2
*/
- struct id id;
- err_t ugh;
+ id_list_t *i = malloc_thing(id_list_t);
- if (tokeq("%any"))
- {
- id = empty_id;
- id.kind = ID_IPV4_ADDR;
- ugh = anyaddr(AF_INET, &id.ip_addr);
- }
- else if (tokeq("%any6"))
- {
- id = empty_id;
- id.kind = ID_IPV6_ADDR;
- ugh = anyaddr(AF_INET6, &id.ip_addr);
- }
- else
- {
- ugh = atoid(tok, &id, FALSE);
- }
+ i->id = identification_create_from_string(tok);
+ i->next = s->ids;
+ s->ids = i;
- if (ugh != NULL)
- {
- loglog(RC_LOG_SERIOUS
- , "ERROR \"%s\" line %d: index \"%s\" %s"
- , flp->filename, flp->lino, tok, ugh);
- }
- else
- {
- id_list_t *i = malloc_thing(id_list_t);
-
- i->id = id;
- unshare_id_content(&i->id);
- i->next = s->ids;
- s->ids = i;
- /* DBG_log("id type %d: %s %.*s", i->kind, ip_str(&i->ip_addr), (int)i->name.len, i->name.ptr); */
- }
if (!shift())
{
/* unexpected Record Boundary or EOF */
@@ -1071,11 +1037,11 @@ void free_preshared_secrets(void)
{
id_list_t *i, *ni;
- ns = s->next; /* grab before freeing s */
+ ns = s->next;
for (i = s->ids; i != NULL; i = ni)
{
- ni = i->next; /* grab before freeing i */
- free_id_content(&i->id);
+ ni = i->next;
+ i->id->destroy(i->id);
free(i);
}
switch (s->kind)
@@ -1119,8 +1085,8 @@ pubkey_t* public_key_from_rsa(public_key_t *key)
pubkey_t *p = malloc_thing(pubkey_t);
zero(p);
- p->id = empty_id; /* don't know, doesn't matter */
- p->issuer = chunk_empty;
+ p->id = identification_create_from_string("%any"); /* don't know, doesn't matter */
+ p->issuer = NULL;
p->serial = chunk_empty;
p->public_key = key;
@@ -1128,7 +1094,6 @@ pubkey_t* public_key_from_rsa(public_key_t *key)
* invariant: recount > 0.
*/
p->refcnt = 1;
- time(&p->installed_time);
return p;
}
@@ -1207,25 +1172,14 @@ static void install_public_key(pubkey_t *pk, pubkey_list_t **head)
{
pubkey_list_t *p = malloc_thing(pubkey_list_t);
- unshare_id_content(&pk->id);
-
- /* copy issuer dn */
- pk->issuer = chunk_clone(pk->issuer);
-
- /* copy serial number */
- pk->serial = chunk_clone(pk->serial);
-
- /* store the time the public key was installed */
- time(&pk->installed_time);
-
/* install new key at front */
p->key = reference_key(pk);
p->next = *head;
*head = p;
}
-void delete_public_keys(const struct id *id, key_type_t type,
- chunk_t issuer, chunk_t serial)
+void delete_public_keys(identification_t *id, key_type_t type,
+ identification_t *issuer, chunk_t serial)
{
pubkey_list_t **pp, *p;
pubkey_t *pk;
@@ -1236,10 +1190,10 @@ void delete_public_keys(const struct id *id, key_type_t type,
pk = p->key;
pk_type = pk->public_key->get_type(pk->public_key);
- if (same_id(id, &pk->id) && pk_type == type
- && (issuer.ptr == NULL || pk->issuer.ptr == NULL
- || same_dn(issuer, pk->issuer))
- && same_serial(serial, pk->serial))
+ if (id->equals(id, pk->id) && pk_type == type
+ && (issuer == NULL || pk->issuer == NULL
+ || issuer->equals(issuer, pk->issuer))
+ && (serial.ptr == NULL || chunk_equals(serial, pk->serial)))
{
*pp = free_public_keyentry(p);
}
@@ -1252,25 +1206,26 @@ void delete_public_keys(const struct id *id, key_type_t type,
pubkey_t* reference_key(pubkey_t *pk)
{
+ DBG(DBG_CONTROLMORE,
+ DBG_log(" ref key: %p %p cnt %d '%Y'",
+ pk, pk->public_key, pk->refcnt, pk->id)
+ )
pk->refcnt++;
return pk;
}
-void
-unreference_key(pubkey_t **pkp)
+void unreference_key(pubkey_t **pkp)
{
pubkey_t *pk = *pkp;
- char b[BUF_LEN];
if (pk == NULL)
{
return;
}
- /* print stuff */
DBG(DBG_CONTROLMORE,
- idtoa(&pk->id, b, sizeof(b));
- DBG_log("unreference key: %p %s cnt %d--", pk, b, pk->refcnt)
+ DBG_log("unref key: %p %p cnt %d '%Y'",
+ pk, pk->public_key, pk->refcnt, pk->id)
)
/* cancel out the pointer */
@@ -1284,7 +1239,7 @@ unreference_key(pubkey_t **pkp)
}
}
-bool add_public_key(const struct id *id, enum dns_auth_level dns_auth_level,
+bool add_public_key(identification_t *id, enum dns_auth_level dns_auth_level,
enum pubkey_alg alg, chunk_t rfc3110_key,
pubkey_list_t **head)
{
@@ -1296,7 +1251,7 @@ bool add_public_key(const struct id *id, enum dns_auth_level dns_auth_level,
{
case PUBKEY_ALG_RSA:
key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
- BUILD_BLOB_RFC_3110, rfc3110_key,
+ BUILD_BLOB_DNSKEY, rfc3110_key,
BUILD_END);
if (key == NULL)
{
@@ -1310,90 +1265,97 @@ bool add_public_key(const struct id *id, enum dns_auth_level dns_auth_level,
pk = malloc_thing(pubkey_t);
zero(pk);
pk->public_key = key;
- pk->id = *id;
+ pk->id = id->clone(id);
pk->dns_auth_level = dns_auth_level;
pk->until_time = UNDEFINED_TIME;
- pk->issuer = chunk_empty;
+ pk->issuer = NULL;
pk->serial = chunk_empty;
install_public_key(pk, head);
return TRUE;
}
-/* extract id and public key from x.509 certificate and
- * insert it into a pubkeyrec
+/**
+ * Extract id and public key a certificate and insert it into a pubkeyrec
*/
-void add_x509_public_key(x509cert_t *cert , time_t until,
- enum dns_auth_level dns_auth_level)
+void add_public_key_from_cert(cert_t *cert , time_t until,
+ enum dns_auth_level dns_auth_level)
{
- generalName_t *gn;
+ certificate_t *certificate = cert->cert;
+ identification_t *subject = certificate->get_subject(certificate);
+ identification_t *issuer = NULL;
+ identification_t *id;
+ chunk_t serialNumber = chunk_empty;
pubkey_t *pk;
key_type_t pk_type;
/* ID type: ID_DER_ASN1_DN (X.509 subject field) */
pk = malloc_thing(pubkey_t);
zero(pk);
- pk->public_key = cert->public_key->get_ref(cert->public_key);
- pk->id.kind = ID_DER_ASN1_DN;
- pk->id.name = cert->subject;
+ pk->public_key = certificate->get_public_key(certificate);
+ pk_type = pk->public_key->get_type(pk->public_key);
+ pk->id = subject->clone(subject);
pk->dns_auth_level = dns_auth_level;
pk->until_time = until;
- pk->issuer = cert->issuer;
- pk->serial = cert->serialNumber;
- pk_type = pk->public_key->get_type(pk->public_key);
- delete_public_keys(&pk->id, pk_type, pk->issuer, pk->serial);
- install_public_key(pk, &pubkeys);
+ if (certificate->get_type(certificate) == CERT_X509)
+ {
+ x509_t *x509 = (x509_t*)certificate;
- gn = cert->subjectAltName;
+ issuer = certificate->get_issuer(certificate);
+ serialNumber = x509->get_serial(x509);
+ pk->issuer = issuer->clone(issuer);
+ pk->serial = chunk_clone(serialNumber);
+ }
+ delete_public_keys(pk->id, pk_type, pk->issuer, pk->serial);
+ install_public_key(pk, &pubkeys);
- while (gn != NULL) /* insert all subjectAltNames */
+ if (certificate->get_type(certificate) == CERT_X509)
{
- struct id id = empty_id;
+ x509_t *x509 = (x509_t*)certificate;
+ enumerator_t *enumerator;
- gntoid(&id, gn);
- if (id.kind != ID_ANY)
+ /* insert all subjectAltNames from X.509 certificates */
+ enumerator = x509->create_subjectAltName_enumerator(x509);
+ while (enumerator->enumerate(enumerator, &id))
{
- pk = malloc_thing(pubkey_t);
- zero(pk);
- pk->public_key = cert->public_key->get_ref(cert->public_key);
- pk->id = id;
- pk->dns_auth_level = dns_auth_level;
- pk->until_time = until;
- pk->issuer = cert->issuer;
- pk->serial = cert->serialNumber;
- delete_public_keys(&pk->id, pk_type, pk->issuer, pk->serial);
- install_public_key(pk, &pubkeys);
+ if (id->get_type(id) != ID_ANY)
+ {
+ pk = malloc_thing(pubkey_t);
+ zero(pk);
+ pk->id = id->clone(id);
+ pk->public_key = certificate->get_public_key(certificate);
+ pk->dns_auth_level = dns_auth_level;
+ pk->until_time = until;
+ pk->issuer = issuer->clone(issuer);
+ pk->serial = chunk_clone(serialNumber);
+ delete_public_keys(pk->id, pk_type, pk->issuer, pk->serial);
+ install_public_key(pk, &pubkeys);
+ }
}
- gn = gn->next;
+ enumerator->destroy(enumerator);
+ }
+ else
+ {
+ pgp_certificate_t *pgp_cert = (pgp_certificate_t*)certificate;
+ chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
+
+ /* add v3 or v4 PGP fingerprint */
+ pk = malloc_thing(pubkey_t);
+ zero(pk);
+ pk->id = identification_create_from_encoding(ID_KEY_ID, fingerprint);
+ pk->public_key = certificate->get_public_key(certificate);
+ pk->dns_auth_level = dns_auth_level;
+ pk->until_time = until;
+ delete_public_keys(pk->id, pk_type, pk->issuer, pk->serial);
+ install_public_key(pk, &pubkeys);
}
-}
-
-/* extract id and public key from OpenPGP certificate and
- * insert it into a pubkeyrec
- */
-void add_pgp_public_key(pgpcert_t *cert , time_t until,
- enum dns_auth_level dns_auth_level)
-{
- pubkey_t *pk;
- key_type_t pk_type;
-
- pk = malloc_thing(pubkey_t);
- zero(pk);
- pk->public_key = cert->public_key->get_ref(cert->public_key);
- pk->id.kind = ID_KEY_ID;
- pk->id.name = cert->fingerprint->get_encoding(cert->fingerprint);
- pk->dns_auth_level = dns_auth_level;
- pk->until_time = until;
- pk_type = pk->public_key->get_type(pk->public_key);
- delete_public_keys(&pk->id, pk_type, chunk_empty, chunk_empty);
- install_public_key(pk, &pubkeys);
}
/* when a X.509 certificate gets revoked, all instances of
* the corresponding public key must be removed
*/
-void remove_x509_public_key(const x509cert_t *cert)
+void remove_x509_public_key(const cert_t *cert)
{
- public_key_t *revoked_key = cert->public_key;
+ public_key_t *revoked_key = cert->cert->get_public_key(cert->cert);
pubkey_list_t *p, **pp;
p = pubkeys;
@@ -1413,6 +1375,7 @@ void remove_x509_public_key(const x509cert_t *cert)
}
p =*pp;
}
+ revoked_key->destroy(revoked_key);
}
/*
@@ -1426,34 +1389,32 @@ void list_public_keys(bool utc)
{
whack_log(RC_COMMENT, " ");
whack_log(RC_COMMENT, "List of Public Keys:");
- whack_log(RC_COMMENT, " ");
}
while (p != NULL)
{
pubkey_t *key = p->key;
public_key_t *public = key->public_key;
- identification_t *keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
- char buf[BUF_LEN];
+ chunk_t keyid;
- idtoa(&key->id, buf, BUF_LEN);
- whack_log(RC_COMMENT,"%T, '%s'", &key->installed_time, utc, buf);
- whack_log(RC_COMMENT, " pubkey: %N %4d bits, until %T %s",
+ whack_log(RC_COMMENT, " ");
+ whack_log(RC_COMMENT, " identity: '%Y'", key->id);
+ whack_log(RC_COMMENT, " pubkey: %N %4d bits, until %T %s",
key_type_names, public->get_type(public),
public->get_keysize(public) * BITS_PER_BYTE,
&key->until_time, utc,
check_expiry(key->until_time, PUBKEY_WARNING_INTERVAL, TRUE));
- whack_log(RC_COMMENT," keyid: %Y", keyid);
- if (key->issuer.len > 0)
+ if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+ {
+ whack_log(RC_COMMENT," keyid: %#B", &keyid);
+ }
+ if (key->issuer)
{
- dntoa(buf, BUF_LEN, key->issuer);
- whack_log(RC_COMMENT," issuer: '%s'", buf);
+ whack_log(RC_COMMENT," issuer: \"%Y\"", key->issuer);
}
- if (key->serial.len > 0)
+ if (key->serial.len)
{
- datatot(key->serial.ptr, key->serial.len, ':'
- , buf, BUF_LEN);
- whack_log(RC_COMMENT," serial: %s", buf);
+ whack_log(RC_COMMENT," serial: %#B", &key->serial);
}
p = p->next;
}