[strongSwan-dev] [PATCH 2/2] ikev1 support for PKCS#7 wrapped certificates

Volker Rümelin vr_strongswan at t-online.de
Thu Jan 10 21:27:20 CET 2013 

ikev1 support for PKCS#7 wrapped certificates.
---
 src/libcharon/encoding/payloads/cert_payload.c |   18 ++++++
 src/libcharon/encoding/payloads/cert_payload.h |    8 +++
 src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c |   70 ++++++++++++++++++++++++
 3 files changed, 96 insertions(+), 0 deletions(-)

diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c
index 3a230b9..a32f570 100644
--- a/src/libcharon/encoding/payloads/cert_payload.c
+++ b/src/libcharon/encoding/payloads/cert_payload.c
@@ -234,6 +234,23 @@ METHOD(cert_payload_t, get_cert, certificate_t*,
 							  BUILD_BLOB_ASN1_DER, this->data, BUILD_END);
 }
 
+METHOD(cert_payload_t, get_container, container_t*,
+	private_cert_payload_t *this)
+{
+	int type;
+
+	switch (this->encoding)
+	{
+		case ENC_PKCS7_WRAPPED_X509:
+			type = CONTAINER_PKCS7;
+			break;
+		default:
+			return NULL;
+	}
+	return lib->creds->create(lib->creds, CRED_CONTAINER, type,
+							  BUILD_BLOB_ASN1_DER, this->data, BUILD_END);
+}
+
 METHOD(cert_payload_t, get_hash, chunk_t,
 	private_cert_payload_t *this)
 {
@@ -289,6 +306,7 @@ cert_payload_t *cert_payload_create(payload_type_t type)
 				.destroy = _destroy,
 			},
 			.get_cert = _get_cert,
+			.get_container = _get_container,
 			.get_cert_encoding = _get_cert_encoding,
 			.get_hash = _get_hash,
 			.get_url = _get_url,
diff --git a/src/libcharon/encoding/payloads/cert_payload.h b/src/libcharon/encoding/payloads/cert_payload.h
index 768afbb..834f35d 100644
--- a/src/libcharon/encoding/payloads/cert_payload.h
+++ b/src/libcharon/encoding/payloads/cert_payload.h
@@ -28,6 +28,7 @@ typedef enum cert_encoding_t cert_encoding_t;
 
 #include <library.h>
 #include <credentials/certificates/certificate.h>
+#include <credentials/containers/container.h>
 #include <encoding/payloads/payload.h>
 
 /**
@@ -72,6 +73,13 @@ struct cert_payload_t {
 	certificate_t *(*get_cert)(cert_payload_t *this);
 
 	/**
+	 * Get the payloads certificate container.
+	 *
+	 * @return				container copy
+	 */
+	container_t *(*get_container)(cert_payload_t *this);
+
+	/**
 	 * Get the encoding of the certificate.
 	 *
 	 * @return				encoding
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
index 3282ed9..6d7e1eb 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
@@ -13,6 +13,28 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2013 Volker Rümelin
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #include "isakmp_cert_pre.h"
 
 #include <daemon.h>
@@ -21,6 +43,7 @@
 #include <encoding/payloads/sa_payload.h>
 #include <encoding/payloads/certreq_payload.h>
 #include <credentials/certificates/x509.h>
+#include <credentials/containers/pkcs7.h>
 
 
 typedef struct private_isakmp_cert_pre_t private_isakmp_cert_pre_t;
@@ -188,6 +211,53 @@ static void process_certs(private_isakmp_cert_pre_t *this, message_t *message)
 					}
 					break;
 				case ENC_PKCS7_WRAPPED_X509:
+				{
+					container_t *container;
+
+					container = cert_payload->get_container(cert_payload);
+					if (container)
+					{
+						pkcs7_t *pkcs7;
+						enumerator_t *enumerator;
+
+						pkcs7 = (pkcs7_t *)container;
+						enumerator = pkcs7->create_cert_enumerator(pkcs7);
+						while (enumerator->enumerate(enumerator, &cert))
+						{
+							if (cert->get_type(cert) == CERT_X509)
+							{
+								auth_rule_t rule;
+								x509_t *x509 = (x509_t*)cert;
+
+								if (x509->get_flags(x509) & X509_CA)
+								{
+									DBG1(DBG_IKE,
+										 "received intermediate ca cert \"%Y\"",
+										 cert->get_subject(cert));
+									rule = AUTH_HELPER_IM_CERT;
+								}
+								else
+								{
+									DBG1(DBG_IKE,
+										 "received end entity cert \"%Y\"",
+										 cert->get_subject(cert));
+									rule = AUTH_HELPER_SUBJECT_CERT;
+								}
+								auth->add(auth, rule, cert->get_ref(cert));
+							}
+							else
+							{
+								DBG1(DBG_IKE,
+									 "received unsupported cert type %N",
+						 			 certificate_type_names,
+									 cert->get_type(cert));
+							}
+						}
+						enumerator->destroy(enumerator);
+						container->destroy(container);
+					}
+					break;
+				}
 				case ENC_PGP:
 				case ENC_DNS_SIGNED_KEY:
 				case ENC_KERBEROS_TOKEN:
-- 
1.7.3.4

More information about the Dev mailing list