static void free_first_crl(void)
{
x509crl_t *crl = x509crls;
x509crls = crl->next;
free_crl(crl);
}
/**
* Load a CRL
*/
static x509crl_t *builder_load_crl(certificate_type_t type, va_list args)
{
chunk_t blob = chunk_empty;
x509crl_t *crl;
while (TRUE)
{
switch (va_arg(args, builder_part_t))
{
case BUILD_BLOB_ASN1_DER:
blob = va_arg(args, chunk_t);
continue;
case BUILD_END:
break;
default:
return NULL;
}
break;
}
if (blob.ptr)
{
crl = malloc_thing(x509crl_t);
crl->next = NULL;
crl->distributionPoints = linked_list_create();
crl->crl = lib->creds->create(lib->creds,
CRED_CERTIFICATE, CERT_X509_CRL,
BUILD_BLOB_ASN1_DER, blob,
BUILD_END);
if (crl->crl)
{
return crl;
}
plog(" error in X.509 crl");
free_crl(crl);
}
return NULL;
}
/*
* Insert X.509 CRL into chained list
*/
bool insert_crl(chunk_t blob, chunk_t crl_uri)
{
x509crl_t *crl = alloc_thing(x509crl_t, "x509crl");
*crl = empty_x509crl;
if (parse_x509crl(blob, 0, crl)) {
x509cert_t *issuer_cert;
x509crl_t *oldcrl;
bool valid_sig;
generalName_t *gn;
/* add distribution point */
gn = alloc_thing(generalName_t, "generalName");
gn->kind = GN_URI;
gn->name = crl_uri;
gn->next = crl->distributionPoints;
crl->distributionPoints = gn;
lock_authcert_list("insert_crl");
/* get the issuer cacert */
issuer_cert = get_authcert(crl->issuer,
crl->authKeySerialNumber,
crl->authKeyID, AUTH_CA);
if (issuer_cert == NULL) {
chunk_t *n = &crl->distributionPoints->name;
loglog(RC_LOG_SERIOUS,
"CRL rejected: crl issuer cacert not found for %.*s",
(int)n->len, (char *)n->ptr);
free_crl(crl);
unlock_authcert_list("insert_crl");
return FALSE;
}
DBG(DBG_X509,
DBG_log("crl issuer cacert found"));
/* check the issuer's signature of the crl */
valid_sig = check_signature(crl->tbsCertList, crl->signature,
crl->algorithm, issuer_cert);
unlock_authcert_list("insert_crl");
if (!valid_sig) {
free_crl(crl);
return FALSE;
}
DBG(DBG_X509,
DBG_log("valid crl signature"));
lock_crl_list("insert_crl");
oldcrl = get_x509crl(crl->issuer, crl->authKeySerialNumber,
crl->authKeyID);
if (oldcrl != NULL) {
if (realbefore(oldcrl->thisUpdate, crl->thisUpdate)) {
/* old CRL is older than new CRL: replace */
#if defined(LIBCURL) || defined(LDAP_VER)
/* keep any known CRL distribution points */
add_distribution_points(
oldcrl->distributionPoints,
&crl->distributionPoints);
#endif
/* now delete the old CRL */
free_first_crl();
DBG(DBG_X509,
DBG_log("thisUpdate is newer - existing crl deleted"));
} else {
/* old CRL is not older than new CRL: keep old one */
unlock_crl_list("insert_crls");
DBG(DBG_X509,
DBG_log("thisUpdate is not newer - existing crl not replaced"));
free_crl(crl);
/*
* is the fetched crl valid?
* now + 2 * crl_check_interval < oldcrl->nextUpdate
*/
return realbefore(realtimesum(realnow(), deltatimescale(2, 1, crl_check_interval)), oldcrl->nextUpdate);
}
}
/* insert new CRL */
crl->next = x509crls;
x509crls = crl;
unlock_crl_list("insert_crl");
/*
* is the new crl valid?
* now + 2 * crl_check_interval < crl->nextUpdate
*/
return realbefore(realtimesum(realnow(), deltatimescale(2, 1, crl_check_interval)), crl->nextUpdate);
} else {
loglog(RC_LOG_SERIOUS, " error in X.509 crl %s",
(char *)crl_uri.ptr);
free_crl(crl);
return FALSE;
}
}
/*
* Insert X.509 CRL into chained list
*/
bool
insert_crl(chunk_t blob, chunk_t crl_uri)
{
x509crl_t *crl = alloc_thing(x509crl_t, "x509crl");
*crl = empty_x509crl;
if (parse_x509crl(blob, 0, crl))
{
x509cert_t *issuer_cert;
x509crl_t *oldcrl;
bool valid_sig;
generalName_t *gn;
/* add distribution point */
gn = alloc_thing(generalName_t, "generalName");
gn->kind = GN_URI;
gn->name = crl_uri;
gn->next = crl->distributionPoints;
crl->distributionPoints = gn;
lock_authcert_list("insert_crl");
/* get the issuer cacert */
issuer_cert = get_authcert(crl->issuer, crl->authKeySerialNumber,
crl->authKeyID, AUTH_CA);
if (issuer_cert == NULL)
{
char distpoint[PATH_MAX];
distpoint[0] = '\0';
strncat(distpoint, (char *)crl->distributionPoints->name.ptr,
(crl->distributionPoints->name.len < PATH_MAX ?
crl->distributionPoints->name.len : PATH_MAX));
openswan_log("crl issuer cacert not found for (%s)",
distpoint);;
free_crl(crl);
unlock_authcert_list("insert_crl");
return FALSE;
}
DBG(DBG_X509,
DBG_log("crl issuer cacert found")
)
/* check the issuer's signature of the crl */
valid_sig = check_signature(crl->tbsCertList, crl->signature
, crl->algorithm, issuer_cert);
unlock_authcert_list("insert_crl");
if (!valid_sig)
{
free_crl(crl);
return FALSE;
}
DBG(DBG_X509,
DBG_log("valid crl signature")
)
lock_crl_list("insert_crl");
oldcrl = get_x509crl(crl->issuer, crl->authKeySerialNumber
, crl->authKeyID);
if (oldcrl != NULL)
{
if (crl->thisUpdate > oldcrl->thisUpdate)
{
#ifdef HAVE_THREADS
/* keep any known CRL distribution points */
add_distribution_points(oldcrl->distributionPoints
, &crl->distributionPoints);
#endif
/* now delete the old CRL */
free_first_crl();
DBG(DBG_X509,
DBG_log("thisUpdate is newer - existing crl deleted")
)
}
else
{
