Pass an additional anchor flag to validate() hook if we reach the root CA

2025-10-06 00:00:47 -04:00 · 2010-12-22 10:43:06 +01:00 · 2010-12-22 10:43:06 +01:00 · 6aba6ff061
commit 6aba6ff061
parent 09e319d419
4 changed files with 12 additions and 8 deletions
--- a/src/libstrongswan/credentials/cert_validator.h
+++ b/src/libstrongswan/credentials/cert_validator.h
@ -40,12 +40,13 @@ struct cert_validator_t {
 	 * @param subject		subject certificate to check
 	 * @param issuer		issuer of subject
 	 * @param online		wheter to do online revocation checking
-	 * @param pathlen		the current length of the path up to the root CA
+	 * @param pathlen		the current length of the path bottom-up
+	 * @param anchor		is issuer trusted root anchor
 	 * @param auth			container for resulting authentication info
 	 */
 	bool (*validate)(cert_validator_t *this, certificate_t *subject,
 					 certificate_t *issuer, bool online, int pathlen,
-					 auth_cfg_t *auth);
+					 bool anchor, auth_cfg_t *auth);
 };

 #endif /** CERT_VALIDATOR_H_ @}*/
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@ -452,8 +452,8 @@ static void cache_queue(private_credential_manager_t *this)
 * check a certificate for its lifetime
 */
 static bool check_certificate(private_credential_manager_t *this,
-							  certificate_t *subject, certificate_t *issuer,
-							  bool online, int pathlen, auth_cfg_t *auth)
+				certificate_t *subject, certificate_t *issuer, bool online,
+				int pathlen, bool trusted, auth_cfg_t *auth)
 {
 	time_t not_before, not_after;
 	cert_validator_t *validator;
@ -476,7 +476,7 @@ static bool check_certificate(private_credential_manager_t *this,
 	while (enumerator->enumerate(enumerator, &validator))
 	{
 		if (!validator->validate(validator, subject, issuer,
-								 online, pathlen, auth))
+								 online, pathlen, trusted, auth))
 		{
 			enumerator->destroy(enumerator);
 			return FALSE;
@ -622,7 +622,8 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 				break;
 			}
 		}
-		if (!check_certificate(this, current, issuer, online, pathlen, auth))
+		if (!check_certificate(this, current, issuer, online,
+							   pathlen, trusted, auth))
 		{
 			trusted = FALSE;
 			issuer->destroy(issuer);
--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@ -346,7 +346,8 @@ static bool check_policy(x509_t *subject, x509_t *issuer, int pathlen,

 METHOD(cert_validator_t, validate, bool,
 	private_constraints_validator_t *this, certificate_t *subject,
-	certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
+	certificate_t *issuer, bool online, int pathlen, bool anchor,
+	auth_cfg_t *auth)
 {
 	if (issuer->get_type(issuer) == CERT_X509 &&
 		subject->get_type(subject) == CERT_X509)
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@ -568,7 +568,8 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,

 METHOD(cert_validator_t, validate, bool,
 	private_revocation_validator_t *this, certificate_t *subject,
-	certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
+	certificate_t *issuer, bool online, int pathlen, bool anchor,
+	auth_cfg_t *auth)
 {
 	if (subject->get_type(subject) == CERT_X509 &&
 		issuer->get_type(issuer) == CERT_X509 &&