Diffstat (limited to 'src/libstrongswan/credentials/certificates')
5 files changed, 75 insertions, 12 deletions
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index 156d12358..661b69e36 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -15,6 +15,7 @@
 #include "certificate.h"
+#include <debug.h>
 #include <credentials/certificates/x509.h>
 ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL,
@@ -40,3 +41,24 @@ ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED,
 "REVOKED",
 );
+/**
+ * See header
+ */
+bool certificate_is_newer(certificate_t *this, certificate_t *other)
+{
+ time_t this_update, that_update;
+ char *type = "certificate";
+ bool newer;
+
+ if (this->get_type(this) == CERT_X509_CRL)
+ {
+ type = "crl";
+ }
+ this->get_validity(this, NULL, &this_update, NULL);
+ other->get_validity(other, NULL, &that_update, NULL);
+ newer = this_update > that_update;
+ DBG1(DBG_LIB, " %s from %T is %s - existing %s from %T %s",
+ type, &this_update, FALSE, newer ? "newer" : "not newer",
+ type, &that_update, FALSE, newer ? "replaced" : "retained");
+ return newer;
+}
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index a4f9aa3e0..43bfe3dc1 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -28,6 +28,7 @@ typedef enum cert_validation_t cert_validation_t;
 #include <library.h>
 #include <utils/identification.h>
 #include <credentials/keys/public_key.h>
+#include <credentials/cred_encoding.h>
 /**
 * Kind of a certificate_t
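Review bot: In certificate_is_newer() both `get_validity()` return values are discarded and `this_update`/`that_update` are declared without initializers, so if an implementation fails without writing `not_before` the comparison `newer = this_update > that_update;` reads indeterminate values (the prototype in certificate.h shows only the parameters, so whether such a failure path exists is not visible in the diff). A cheap guard is `time_t this_update = 0, that_update = 0;`, or checking the return values and treating failure as not newer. The doc comment is only `See header`; since the criterion is `not_before` alone, equal `not_before` values are reported as not newer and the existing certificate is retained, which is worth a line here or in the header description. The `type` label checks only CERT_X509_CRL, so other list-type certificates (the ENUM in the first hunk shows a CERT_PLUTO_CRL) would be logged as "certificate" — cosmetic, but the label could be taken from certificate_type_names instead.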
@@ -163,18 +164,14 @@ struct certificate_t {
 time_t *not_before, time_t *not_after);
 /**
- * Is this newer than that?
+ * Get the certificate in an encoded form as a chunk.
 *
- * @return TRUE if newer, FALSE otherwise
+ * @param type type of the encoding, one of CERT_*
+ * @param encoding encoding of the key, allocated
+ * @return TRUE if encoding supported
 */
- bool (*is_newer)(certificate_t *this, certificate_t *that);
-
- /**
- * Get the certificate in an encoded form.
- *
- * @return allocated chunk of encoded cert
- */
- chunk_t (*get_encoding)(certificate_t *this);
+ bool (*get_encoding)(certificate_t *this, cred_encoding_type_t type,
+ chunk_t *encoding);
 /**
 * Check if two certificates are equal.
@@ -197,4 +194,13 @@ struct certificate_t {
 void (*destroy)(certificate_t *this);
 };
+/**
+ * Generic check if a given certificate is newer than another.
+ *
+ * @param this first certificate to check
+ * @param other second certificate
+ * @return TRUE if this newer than other
+ */
+bool certificate_is_newer(certificate_t *this, certificate_t *other);
+
 #endif /** CERTIFICATE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c
index 085ad16cc..69bd80b84 100644
--- a/src/libstrongswan/credentials/certificates/crl.c
+++ b/src/libstrongswan/credentials/certificates/crl.c
@@ -16,6 +16,8 @@
 #include "crl.h"
+#include <debug.h>
+
 ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
 "unspecified",
 "key compromise",
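Review bot: The new doc line `@param encoding encoding of the key, allocated` on get_encoding describes a key, but this is a certificate_t method; it should read `@param encoding encoding of the certificate, allocated by the callee and freed by the caller` (the ownership half is my reading of "allocated" — confirm against the implementations). `@param type type of the encoding, one of CERT_*` names constants the diff does not show; if they are not enumerators of cred_encoding_type_t, point at cred_encoding.h instead. Dropping `is_newer` from the struct and replacing it with the free function certificate_is_newer() changes the layout of the method table, so any out-of-tree certificate_t implementation has to be adapted and rebuilt; that deserves a mention in the commit message.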
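Review bot: The declaration's doc, `@return TRUE if this newer than other`, does not say what "newer" means, and the crl.h declaration of crl_is_newer() in this commit has the same gap. A caller choosing between the two functions can only learn the criterion from the .c files; suggest `@return TRUE if this has a later not_before than other` here, and for crl_is_newer() a sentence stating that the crlNumber is compared when both CRLs carry one, falling back to certificate_is_newer() otherwise.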
@@ -27,3 +29,29 @@ ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
 "reason #7",
 "remove from crl",
 );
+
+/**
+ * Check if this CRL is newer
+ */
+bool crl_is_newer(crl_t *this, crl_t *other)
+{
+ chunk_t this_num, other_num;
+ bool newer;
+
+ this_num = this->get_serial(this);
+ other_num = other->get_serial(other);
+
+ /* compare crlNumbers if available - otherwise use generic cert compare */
+ if (this_num.ptr != NULL && other_num.ptr != NULL)
+ {
+ newer = chunk_compare(this_num, other_num) > 0;
+ DBG1(DBG_LIB, " crl #%#B is %s - existing crl #%#B %s",
+ &this_num, newer ? "newer" : "not newer",
+ &other_num, newer ? "replaced" : "retained");
+ }
+ else
+ {
+ newer = certificate_is_newer(&this->certificate, &other->certificate);
+ }
+ return newer;
+}
diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h
index 4b612390c..9425311fb 100644
--- a/src/libstrongswan/credentials/certificates/crl.h
+++ b/src/libstrongswan/credentials/certificates/crl.h
@@ -80,7 +80,15 @@ struct crl_t {
 * @return enumerator over revoked certificates.
 */
 enumerator_t* (*create_enumerator)(crl_t *this);
-
 };
+/**
+ * Generic check if a given CRL is newer than another.
+ *
+ * @param this first CRL to check
+ * @param other second CRL
+ * @return TRUE if this newer than other
+ */
+bool crl_is_newer(crl_t *this, crl_t *other);
+
 #endif /** CRL_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 172bd9696..6e0a5002a 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -25,7 +25,6 @@
 #include <credentials/certificates/certificate.h>
 #define X509_NO_PATH_LEN_CONSTRAINT -1
-#define X509_MAX_PATH_LEN 7
 typedef struct x509_t x509_t;
 typedef enum x509_flag_t x509_flag_t; |
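Review bot: The `else` branch in crl_is_newer() also runs when only one of the two CRLs carries a crlNumber, so a numbered CRL is silently compared against an unnumbered one by validity time, and that fallback is not visible in the log except through what certificate_is_newer() prints. The comment could say so: `/* compare crlNumbers if both are available - otherwise fall back to the validity-based certificate_is_newer() */`. Because the test is `> 0`, equal crlNumbers yield "not newer" and the existing CRL is retained; the doc comment ("Check if this CRL is newer") should state that, since a replacement CRL reusing a number would never be installed. The ordering also relies on chunk_compare() ranking the serial encodings numerically (for minimally encoded DER INTEGERs a longer encoding is the larger value); its definition is not in the diff, so a confirming comment at the `chunk_compare` line would help the next reader.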