Certificates which are set on hold in a CRL might be removed from any
subsequent CRL. Hence you cannot conclude that a certificate is revoked
for good in this case; you would try to retrieve an updated CRL to see whether
the certificate on hold is still on it or not.
---
 .../credentials/certificates/certificate.c         |    1 +
 .../credentials/certificates/certificate.h         |    2 ++
 .../plugins/revocation/revocation_validator.c      |   12 +++++++++++-
 3 files changed, 14 insertions(+), 1 deletions(-)


diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index 661b69e..33ba4e9 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -38,6 +38,7 @@ ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED,
 	"SKIPPED",
 	"STALE",
 	"FAILED",
+	"ON_HOLD",
 	"REVOKED",
 );
 
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index 330cfe1..2f471da 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -77,6 +77,8 @@ enum cert_validation_t {
 	VALIDATION_STALE,
 	/** validation failed due to a processing error */
 	VALIDATION_FAILED,
+	/** certificate is on hold (i.e. temporary revokation) */
+	VALIDATION_ON_HOLD,
 	/** certificate has been revoked */
 	VALIDATION_REVOKED,
 };
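Review bot: The new doc comment on `VALIDATION_ON_HOLD` has a spelling error; it should read `/** certificate is on hold (i.e. temporary revocation) */`. Inserting the enumerator before `VALIDATION_REVOKED` also shifts that constant's numeric value, so any code or out-of-tree plugin compiled against the previous header that stores or compares the raw value will see a different meaning until rebuilt; presumably nothing in-tree persists these values, but that is worth confirming. The `ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED, …)` table in certificate.c keeps the same range end, which still matches since `VALIDATION_REVOKED` remains last.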
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index def1692..34f347d 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -404,7 +404,15 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
 		{
 			DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
 				 &revocation, TRUE, crl_reason_names, reason);
-			*valid = VALIDATION_REVOKED;
+			if (reason != CRL_REASON_CERTIFICATE_HOLD)
+			{
+				*valid = VALIDATION_REVOKED;
+			}
+			else
+			{
+				/* if the cert is on hold, a newer CRL might not contain it */
+				*valid = VALIDATION_ON_HOLD;
+			}
 			enumerator->destroy(enumerator);
 			DESTROY_IF(best);
 			return cand;
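Review bot: The on-hold branch is still terminal in this function: after setting `*valid = VALIDATION_ON_HOLD` the code falls into the same `enumerator->destroy(enumerator); DESTROY_IF(best); return cand;` as the revoked case, so the first CRL listing the certificate wins even though the added comment says a newer CRL might no longer contain it. If the intent stated in the description is to consult an updated CRL, the hold case presumably needs to keep searching for a newer candidate rather than return here; if that is deferred to a follow-up, a short comment such as `/* TODO: prefer a newer CRL before reporting on hold */` would make that explicit. Note also that the preceding DBG1 still reads "certificate was revoked on %T" for the hold case; the logged reason name does disambiguate it, so this is only a wording point. The enclosing function starts and ends outside the hunk, and the validate() hunks that follow treat `VALIDATION_ON_HOLD` exactly like `VALIDATION_REVOKED` (return FALSE), which keeps the fail-closed behavior.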
@@ -681,6 +689,7 @@ METHOD(cert_validator_t, validate, bool,
 				DBG1(DBG_CFG, "certificate status is good");
 				return TRUE;
 			case VALIDATION_REVOKED:
+			case VALIDATION_ON_HOLD:
 				/* has already been logged */
 				return FALSE;
 			case VALIDATION_SKIPPED:
@@ -700,6 +709,7 @@ METHOD(cert_validator_t, validate, bool,
 				DBG1(DBG_CFG, "certificate status is good");
 				return TRUE;
 			case VALIDATION_REVOKED:
+			case VALIDATION_ON_HOLD:
 				/* has already been logged */
 				return FALSE;
 			case VALIDATION_FAILED:
