diff options
Diffstat (limited to 'src/pluto/ca.c')
| -rw-r--r-- | src/pluto/ca.c | 486 |
1 files changed, 252 insertions, 234 deletions
diff --git a/src/pluto/ca.c b/src/pluto/ca.c index 4fdb8cfe7..e25e7f6f5 100644 --- a/src/pluto/ca.c +++ b/src/pluto/ca.c @@ -15,11 +15,14 @@ #include <stdlib.h> #include <stdio.h> #include <string.h> -#include <unistd.h> -#include <dirent.h> #include <time.h> +#include <sys/stat.h> #include <sys/types.h> +#include <debug.h> +#include <utils/enumerator.h> +#include <credentials/certificates/x509.h> + #include <freeswan.h> #include "constants.h" @@ -34,21 +37,7 @@ /* chained list of X.509 authority certificates (ca, aa, and ocsp) */ -static x509cert_t *x509authcerts = NULL; - -const ca_info_t empty_ca_info = { - NULL , /* next */ - NULL , /* name */ - UNDEFINED_TIME, - { NULL, 0 } , /* authName */ - { NULL, 0 } , /* authKeyID */ - { NULL, 0 } , /* authKey SerialNumber */ - NULL , /* ldaphost */ - NULL , /* ldapbase */ - NULL , /* ocspori */ - NULL , /* crluri */ - FALSE /* strictcrlpolicy */ -}; +static cert_t *x509authcerts = NULL; /* chained list of X.509 certification authority information records */ @@ -57,53 +46,71 @@ static ca_info_t *ca_infos = NULL; /* * Checks if CA a is trusted by CA b */ -bool -trusted_ca(chunk_t a, chunk_t b, int *pathlen) +bool trusted_ca(identification_t *a, identification_t *b, int *pathlen) { bool match = FALSE; /* no CA b specified -> any CA a is accepted */ - if (b.ptr == NULL) + if (b == NULL) { - *pathlen = (a.ptr == NULL)? 0 : MAX_CA_PATH_LEN; + *pathlen = (a == NULL) ? 0 : X509_MAX_PATH_LEN; return TRUE; } /* no CA a specified -> trust cannot be established */ - if (a.ptr == NULL) + if (a == NULL) { - *pathlen = MAX_CA_PATH_LEN; + *pathlen = X509_MAX_PATH_LEN; return FALSE; } *pathlen = 0; /* CA a equals CA b -> we have a match */ - if (same_dn(a, b)) + if (a->equals(a, b)) + { return TRUE; + } /* CA a might be a subordinate CA of b */ lock_authcert_list("trusted_ca"); - while ((*pathlen)++ < MAX_CA_PATH_LEN) + while ((*pathlen)++ < X509_MAX_PATH_LEN) { - x509cert_t *cacert = get_authcert(a, chunk_empty, chunk_empty, AUTH_CA); + certificate_t *certificate; + identification_t *issuer; + cert_t *cacert; - /* cacert not found or self-signed root cacert-> exit */ - if (cacert == NULL || same_dn(cacert->issuer, a)) + cacert = get_authcert(a, chunk_empty, X509_CA); + if (cacert == NULL) + { break; + } + certificate = cacert->cert; + + /* is the certificate self-signed? */ + { + x509_t *x509 = (x509_t*)certificate; + + if (x509->get_flags(x509) & X509_SELF_SIGNED) + { + break; + } + } /* does the issuer of CA a match CA b? */ - match = same_dn(cacert->issuer, b); + issuer = certificate->get_issuer(certificate); + match = b->equals(b, issuer); /* we have a match and exit the loop */ if (match) + { break; - + } /* go one level up in the CA chain */ - a = cacert->issuer; + a = issuer; } - + unlock_authcert_list("trusted_ca"); return match; } @@ -111,33 +118,36 @@ trusted_ca(chunk_t a, chunk_t b, int *pathlen) /* * does our CA match one of the requested CAs? */ -bool -match_requested_ca(generalName_t *requested_ca, chunk_t our_ca, int *our_pathlen) +bool match_requested_ca(linked_list_t *requested_ca, identification_t *our_ca, + int *our_pathlen) { + identification_t *ca; + enumerator_t *enumerator; + /* if no ca is requested than any ca will match */ - if (requested_ca == NULL) + if (requested_ca == NULL || requested_ca->get_count(requested_ca) == 0) { *our_pathlen = 0; return TRUE; } - *our_pathlen = MAX_CA_PATH_LEN + 1; + *our_pathlen = X509_MAX_PATH_LEN + 1; - while (requested_ca != NULL) + enumerator = requested_ca->create_enumerator(requested_ca); + while (enumerator->enumerate(enumerator, &ca)) { int pathlen; - if (trusted_ca(our_ca, requested_ca->name, &pathlen) - && pathlen < *our_pathlen) + if (trusted_ca(our_ca, ca, &pathlen) && pathlen < *our_pathlen) { *our_pathlen = pathlen; } - requested_ca = requested_ca->next; } + enumerator->destroy(enumerator); - if (*our_pathlen > MAX_CA_PATH_LEN) + if (*our_pathlen > X509_MAX_PATH_LEN) { - *our_pathlen = MAX_CA_PATH_LEN; + *our_pathlen = X509_MAX_PATH_LEN; return FALSE; } else @@ -149,55 +159,80 @@ match_requested_ca(generalName_t *requested_ca, chunk_t our_ca, int *our_pathlen /* * free the first authority certificate in the chain */ -static void -free_first_authcert(void) +static void free_first_authcert(void) { - x509cert_t *first = x509authcerts; + cert_t *first = x509authcerts; + x509authcerts = first->next; - free_x509cert(first); + cert_free(first); } /* * free all CA certificates */ -void -free_authcerts(void) +void free_authcerts(void) { lock_authcert_list("free_authcerts"); while (x509authcerts != NULL) + { free_first_authcert(); - + } unlock_authcert_list("free_authcerts"); } /* * get a X.509 authority certificate with a given subject or keyid */ -x509cert_t* -get_authcert(chunk_t subject, chunk_t serial, chunk_t keyid, u_char auth_flags) +cert_t* get_authcert(identification_t *subject, chunk_t keyid, + x509_flag_t auth_flags) { - x509cert_t *cert = x509authcerts; - x509cert_t *prev_cert = NULL; + cert_t *cert, *prev_cert = NULL; + + /* the authority certificate list is empty */ + if (x509authcerts == NULL) + { + return NULL; + } - while (cert != NULL) + for (cert = x509authcerts; cert != NULL; prev_cert = cert, cert = cert->next) { - if (cert->authority_flags & auth_flags - && ((keyid.ptr != NULL) ? same_keyid(keyid, cert->subjectKeyID) - : (same_dn(subject, cert->subject) - && same_serial(serial, cert->serialNumber)))) + certificate_t *certificate = cert->cert; + x509_t *x509 = (x509_t*)certificate; + + /* skip non-matching types of authority certificates */ + if (!(x509->get_flags(x509) & auth_flags)) + { + continue; + } + + /* compare the keyid with the certificate's subjectKeyIdentifier */ + if (keyid.ptr) { - if (cert != x509authcerts) + chunk_t subjectKeyId; + + subjectKeyId = x509->get_subjectKeyIdentifier(x509); + if (subjectKeyId.ptr && !chunk_equals(keyid, subjectKeyId)) { - /* bring the certificate up front */ - prev_cert->next = cert->next; - cert->next = x509authcerts; - x509authcerts = cert; + continue; } - return cert; } - prev_cert = cert; - cert = cert->next; + + /* compare the subjectDistinguishedNames */ + if (!certificate->has_subject(certificate, subject)) + { + continue; + } + + /* found the authcert */ + if (cert != x509authcerts) + { + /* bring the certificate up front */ + prev_cert->next = cert->next; + cert->next = x509authcerts; + x509authcerts = cert; + } + return cert; } return NULL; } @@ -205,31 +240,27 @@ get_authcert(chunk_t subject, chunk_t serial, chunk_t keyid, u_char auth_flags) /* * add an authority certificate to the chained list */ -x509cert_t* -add_authcert(x509cert_t *cert, u_char auth_flags) +cert_t* add_authcert(cert_t *cert, x509_flag_t auth_flags) { - x509cert_t *old_cert; - - /* set authority flags */ - cert->authority_flags |= auth_flags; + certificate_t *certificate = cert->cert; + x509_t *x509 = (x509_t*)certificate; + cert_t *old_cert; lock_authcert_list("add_authcert"); - old_cert = get_authcert(cert->subject, cert->serialNumber - , cert->subjectKeyID, auth_flags); - - if (old_cert != NULL) + old_cert = get_authcert(certificate->get_subject(certificate), + x509->get_subjectKeyIdentifier(x509), + auth_flags); + if (old_cert) { - if (same_x509cert(cert, old_cert)) + if (certificate->equals(certificate, old_cert->cert)) { - /* cert is already present, just add additional authority flags */ - old_cert->authority_flags |= cert->authority_flags; DBG(DBG_CONTROL | DBG_PARSING , DBG_log(" authcert is already present and identical") ) unlock_authcert_list("add_authcert"); - free_x509cert(cert); + cert_free(cert); return old_cert; } else @@ -245,7 +276,7 @@ add_authcert(x509cert_t *cert, u_char auth_flags) /* add new authcert to chained list */ cert->next = x509authcerts; x509authcerts = cert; - share_x509cert(cert); /* set count to one */ + cert_share(cert); /* set count to one */ DBG(DBG_CONTROL | DBG_PARSING, DBG_log(" authcert inserted") ) @@ -256,51 +287,43 @@ add_authcert(x509cert_t *cert, u_char auth_flags) /* * Loads authority certificates */ -void -load_authcerts(const char *type, const char *path, u_char auth_flags) +void load_authcerts(char *type, char *path, x509_flag_t auth_flags) { - struct dirent **filelist; - u_char buf[BUF_LEN]; - u_char *save_dir; - int n; + enumerator_t *enumerator; + struct stat st; + char *file; - /* change directory to specified path */ - save_dir = getcwd(buf, BUF_LEN); + DBG1("loading %s certificates from '%s'", type, path); - if (chdir(path)) + enumerator = enumerator_create_directory(path); + if (!enumerator) { - plog("Could not change to directory '%s'", path); + DBG1(" reading directory '%s' failed"); + return; } - else + + while (enumerator->enumerate(enumerator, NULL, &file, &st)) { - plog("Changing to directory '%s'", path); - n = scandir(path, &filelist, file_select, alphasort); + cert_t *cert; - if (n < 0) - plog(" scandir() error"); - else + if (!S_ISREG(st.st_mode)) { - while (n--) - { - cert_t cert; - - if (load_cert(filelist[n]->d_name, type, &cert)) - add_authcert(cert.u.x509, auth_flags); - - free(filelist[n]); - } - free(filelist); + /* skip special file */ + continue; + } + cert = load_cert(file, type, auth_flags); + if (cert) + { + add_authcert(cert, auth_flags); } } - /* restore directory path */ - ignore_result(chdir(save_dir)); + enumerator->destroy(enumerator); } /* * list all X.509 authcerts with given auth flags in a chained list */ -void -list_authcerts(const char *caption, u_char auth_flags, bool utc) +void list_authcerts(const char *caption, x509_flag_t auth_flags, bool utc) { lock_authcert_list("list_authcerts"); list_x509cert_chain(caption, x509authcerts, auth_flags, utc); @@ -310,19 +333,38 @@ list_authcerts(const char *caption, u_char auth_flags, bool utc) /* * get a cacert with a given subject or keyid from an alternative list */ -static const x509cert_t* -get_alt_cacert(chunk_t subject, chunk_t serial, chunk_t keyid - , const x509cert_t *cert) +static const cert_t* get_alt_cacert(identification_t *subject, chunk_t keyid, + const cert_t *cert) { - while (cert != NULL) + if (cert == NULL) { - if ((keyid.ptr != NULL) ? same_keyid(keyid, cert->subjectKeyID) - : (same_dn(subject, cert->subject) - && same_serial(serial, cert->serialNumber))) + return NULL; + } + for (; cert != NULL; cert = cert->next) + { + certificate_t *certificate = cert->cert; + + /* compare the keyid with the certificate's subjectKeyIdentifier */ + if (keyid.ptr) + { + x509_t *x509 = (x509_t*)certificate; + chunk_t subjectKeyId; + + subjectKeyId = x509->get_subjectKeyIdentifier(x509); + if (subjectKeyId.ptr && !chunk_equals(keyid, subjectKeyId)) + { + continue; + } + } + + /* compare the subjectDistinguishedNames */ + if (!certificate->has_subject(certificate, subject)) { - return cert; + continue; } - cert = cert->next; + + /* we found the cacert */ + return cert; } return NULL; } @@ -330,34 +372,32 @@ get_alt_cacert(chunk_t subject, chunk_t serial, chunk_t keyid /* establish trust into a candidate authcert by going up the trust chain. * validity and revocation status are not checked. */ -bool -trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chain) +bool trust_authcert_candidate(const cert_t *cert, const cert_t *alt_chain) { int pathlen; lock_authcert_list("trust_authcert_candidate"); - for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++) + for (pathlen = 0; pathlen < X509_MAX_PATH_LEN; pathlen++) { - const x509cert_t *authcert = NULL; - u_char buf[BUF_LEN]; + certificate_t *certificate = cert->cert; + x509_t *x509 = (x509_t*)certificate; + identification_t *subject = certificate->get_subject(certificate); + identification_t *issuer = certificate->get_issuer(certificate); + chunk_t authKeyID = x509->get_authKeyIdentifier(x509); + const cert_t *authcert = NULL; DBG(DBG_CONTROL, - dntoa(buf, BUF_LEN, cert->subject); - DBG_log("subject: '%s'",buf); - dntoa(buf, BUF_LEN, cert->issuer); - DBG_log("issuer: '%s'",buf); - if (cert->authKeyID.ptr != NULL) + DBG_log("subject: '%Y'", subject); + DBG_log("issuer: '%Y'", issuer); + if (authKeyID.ptr != NULL) { - datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':' - , buf, BUF_LEN); - DBG_log("authkey: %s", buf); + DBG_log("authkey: %#B", &authKeyID); } ) /* search in alternative chain first */ - authcert = get_alt_cacert(cert->issuer, cert->authKeySerialNumber - , cert->authKeyID, alt_chain); + authcert = get_alt_cacert(issuer, authKeyID, alt_chain); if (authcert != NULL) { @@ -368,8 +408,7 @@ trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chain) else { /* search in trusted chain */ - authcert = get_authcert(cert->issuer, cert->authKeySerialNumber - , cert->authKeyID, AUTH_CA); + authcert = get_authcert(issuer, authKeyID, X509_CA); if (authcert != NULL) { @@ -385,8 +424,7 @@ trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chain) } } - if (!x509_check_signature(cert->tbsCertificate, cert->signature, - cert->algorithm, authcert)) + if (!certificate->issued_by(certificate, authcert->cert)) { plog("certificate signature is invalid"); unlock_authcert_list("trust_authcert_candidate"); @@ -397,7 +435,7 @@ trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chain) ) /* check if cert is a self-signed root ca */ - if (pathlen > 0 && same_dn(cert->issuer, cert->subject)) + if (pathlen > 0 && (x509->get_flags(x509) & X509_SELF_SIGNED)) { DBG(DBG_CONTROL, DBG_log("reached self-signed root ca") @@ -409,7 +447,7 @@ trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chain) /* go up one step in the trust chain */ cert = authcert; } - plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN); + plog("maximum ca path length of %d levels exceeded", X509_MAX_PATH_LEN); unlock_authcert_list("trust_authcert_candidate"); return FALSE; } @@ -417,16 +455,14 @@ trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chain) /* * get a CA info record with a given authName or authKeyID */ -ca_info_t* -get_ca_info(chunk_t authname, chunk_t serial, chunk_t keyid) +ca_info_t* get_ca_info(identification_t *name, chunk_t keyid) { ca_info_t *ca= ca_infos; - while (ca!= NULL) + while (ca != NULL) { - if ((keyid.ptr != NULL) ? same_keyid(keyid, ca->authKeyID) - : (same_dn(authname, ca->authName) - && same_serial(serial, ca->authKeySerialNumber))) + if ((keyid.ptr) ? same_keyid(keyid, ca->authKeyID) + : name->equals(name, ca->authName)) { return ca; } @@ -443,24 +479,23 @@ static void free_ca_info(ca_info_t* ca_info) { if (ca_info == NULL) + { return; - + } + ca_info->crluris->destroy_function(ca_info->crluris, free); + DESTROY_IF(ca_info->authName); free(ca_info->name); free(ca_info->ldaphost); free(ca_info->ldapbase); free(ca_info->ocspuri); - free(ca_info->authName.ptr); free(ca_info->authKeyID.ptr); - free(ca_info->authKeySerialNumber.ptr); - free_generalNames(ca_info->crluri, TRUE); free(ca_info); } /* * free all CA certificates */ -void -free_ca_infos(void) +void free_ca_infos(void) { while (ca_infos != NULL) { @@ -474,8 +509,7 @@ free_ca_infos(void) /* * find a CA information record by name and optionally delete it */ -bool -find_ca_info_by_name(const char *name, bool delete) +bool find_ca_info_by_name(const char *name, bool delete) { ca_info_t **ca_p = &ca_infos; ca_info_t *ca = *ca_p; @@ -501,16 +535,26 @@ find_ca_info_by_name(const char *name, bool delete) return FALSE; } +/* + * Create an empty ca_info_t record + */ +ca_info_t* create_ca_info(void) +{ + ca_info_t *ca_info = malloc_thing(ca_info_t); + + memset(ca_info, 0, sizeof(ca_info_t)); + ca_info->crluris = linked_list_create(); - /* - * adds a CA description to a chained list + return ca_info; +} + +/** + * Adds a CA description to a chained list */ -void -add_ca_info(const whack_message_t *msg) +void add_ca_info(const whack_message_t *msg) { smartcard_t *sc = NULL; - cert_t cert; - bool valid_cert = FALSE; + cert_t *cert = NULL; bool cached_cert = FALSE; if (find_ca_info_by_name(msg->name, FALSE)) @@ -522,60 +566,54 @@ add_ca_info(const whack_message_t *msg) if (scx_on_smartcard(msg->cacert)) { /* load CA cert from smartcard */ - valid_cert = scx_load_cert(msg->cacert, &sc, &cert, &cached_cert); + cert = scx_load_cert(msg->cacert, &sc, &cached_cert); } else { /* load CA cert from file */ - valid_cert = load_ca_cert(msg->cacert, &cert); + cert = load_ca_cert(msg->cacert); } - if (valid_cert) + if (cert) { - char buf[BUF_LEN]; - x509cert_t *cacert = cert.u.x509; + certificate_t *certificate = cert->cert; + x509_t *x509 = (x509_t*)certificate; + identification_t *subject = certificate->get_subject(certificate); + chunk_t subjectKeyID = x509->get_subjectKeyIdentifier(x509); ca_info_t *ca = NULL; /* does the authname already exist? */ - ca = get_ca_info(cacert->subject, cacert->serialNumber - , cacert->subjectKeyID); - + ca = get_ca_info(subject, subjectKeyID); + if (ca != NULL) { /* ca_info is already present */ loglog(RC_DUPNAME, " duplicate ca information in record \"%s\" found," "ignoring \"%s\"", ca->name, msg->name); - free_x509cert(cacert); + cert_free(cert); return; } plog("added ca description \"%s\"", msg->name); /* create and initialize new ca_info record */ - ca = malloc_thing(ca_info_t); - *ca = empty_ca_info; + ca = create_ca_info(); /* name */ ca->name = clone_str(msg->name); - + /* authName */ - ca->authName = chunk_clone(cacert->subject); - dntoa(buf, BUF_LEN, ca->authName); + ca->authName = subject->clone(subject); DBG(DBG_CONTROL, - DBG_log("authname: '%s'", buf) + DBG_log("authname: '%Y'", subject) ) - /* authSerialNumber */ - ca->authKeySerialNumber = chunk_clone(cacert->serialNumber); - /* authKeyID */ - if (cacert->subjectKeyID.ptr != NULL) + if (subjectKeyID.ptr) { - ca->authKeyID = chunk_clone(cacert->subjectKeyID); - datatot(cacert->subjectKeyID.ptr, cacert->subjectKeyID.len, ':' - , buf, BUF_LEN); + ca->authKeyID = chunk_clone(subjectKeyID); DBG(DBG_CONTROL | DBG_PARSING , - DBG_log("authkey: %s", buf) + DBG_log("authkey: %#B", &subjectKeyID) ) } @@ -594,23 +632,9 @@ add_ca_info(const whack_message_t *msg) plog(" ignoring ocspuri with unkown protocol"); } - /* crluri2*/ - if (msg->crluri2 != NULL) - { - generalName_t gn = - { NULL, GN_URI, {msg->crluri2, strlen(msg->crluri2)} }; - - add_distribution_points(&gn, &ca->crluri); - } - - /* crluri */ - if (msg->crluri != NULL) - { - generalName_t gn = - { NULL, GN_URI, {msg->crluri, strlen(msg->crluri)} }; - - add_distribution_points(&gn, &ca->crluri); - } + /* add crl uris */ + add_distribution_point(ca->crluris, msg->crluri); + add_distribution_point(ca->crluris, msg->crluri2); /* strictrlpolicy */ ca->strictcrlpolicy = msg->whack_strict; @@ -620,17 +644,19 @@ add_ca_info(const whack_message_t *msg) ca->next = ca_infos; ca_infos = ca; - ca->installed = time(NULL); - + unlock_ca_info_list("add_ca_info"); /* add cacert to list of authcerts */ + cert = add_authcert(cert, X509_CA); if (!cached_cert && sc != NULL) { - if (sc->last_cert.type == CERT_X509_SIGNATURE) - sc->last_cert.u.x509->count--; - sc->last_cert.u.x509 = add_authcert(cacert, AUTH_CA); - share_cert(sc->last_cert); + if (sc->last_cert != NULL) + { + sc->last_cert->count--; + } + sc->last_cert = cert; + cert_share(sc->last_cert); } if (sc != NULL) time(&sc->last_load); @@ -640,54 +666,46 @@ add_ca_info(const whack_message_t *msg) /* * list all ca_info records in the chained list */ -void -list_ca_infos(bool utc) +void list_ca_infos(bool utc) { ca_info_t *ca = ca_infos; - + if (ca != NULL) { whack_log(RC_COMMENT, " "); whack_log(RC_COMMENT, "List of X.509 CA Information Records:"); - whack_log(RC_COMMENT, " "); } while (ca != NULL) { - u_char buf[BUF_LEN]; - /* strictpolicy per CA not supported yet * whack_log(RC_COMMENT, "%T, \"%s\", strictcrlpolicy: %s" , &ca->installed, utc, ca->name , ca->strictcrlpolicy? "yes":"no"); */ - whack_log(RC_COMMENT, "%T, \"%s\"", &ca->installed, utc, ca->name); - dntoa(buf, BUF_LEN, ca->authName); - whack_log(RC_COMMENT, " authname: '%s'", buf); - if (ca->ldaphost != NULL) - whack_log(RC_COMMENT, " ldaphost: '%s'", ca->ldaphost); - if (ca->ldapbase != NULL) - whack_log(RC_COMMENT, " ldapbase: '%s'", ca->ldapbase); - if (ca->ocspuri != NULL) - whack_log(RC_COMMENT, " ocspuri: '%s'", ca->ocspuri); - - list_distribution_points(ca->crluri); - - if (ca->authKeyID.ptr != NULL) + whack_log(RC_COMMENT, " "); + whack_log(RC_COMMENT, " authname: \"%Y\"", ca->authName); + if (ca->ldaphost) + { + whack_log(RC_COMMENT, " ldaphost: '%s'", ca->ldaphost); + } + if (ca->ldapbase) { - datatot(ca->authKeyID.ptr, ca->authKeyID.len, ':' - , buf, BUF_LEN); - whack_log(RC_COMMENT, " authkey: %s", buf); + whack_log(RC_COMMENT, " ldapbase: '%s'", ca->ldapbase); } - if (ca->authKeySerialNumber.ptr != NULL) + if (ca->ocspuri) { - datatot(ca->authKeySerialNumber.ptr, ca->authKeySerialNumber.len, ':' - , buf, BUF_LEN); - whack_log(RC_COMMENT, " aserial: %s", buf); + whack_log(RC_COMMENT, " ocspuri: '%s'", ca->ocspuri); + } + + list_distribution_points(ca->crluris); + + if (ca->authKeyID.ptr) + { + whack_log(RC_COMMENT, " authkey: %#B", &ca->authKeyID); } ca = ca->next; } } - |