[Swan-dev] CA chains / Bug 182
mrogers at redhat.com
Fri Aug 15 20:12:01 EEST 2014
I pushed the branch for this so I can start getting some eyes on it. Test cases
are on the way. A summary of the changes:
- Added load_end_ca_path() to load the available intermediate CA certs into the
- Added the connection option "sendca=none|issuer|all". This is a very basic way
of choosing the delivery policy, so I'd like some ideas here. I chose none as
the default which is the previous behavior. Should this change?
- This still just uses the CERTREQ as an indication to send an end cert, and the
sendca= policy and availability of the end cert's CA chain dictates how much of
its chain to send. ikev1_ship_ca_chain() would need improvement to incorporate
the CERTREQ contents into the decision as defined by RFC4945
- ikev1_ship_CERT()'s code was floating out there, and it just needed to be
turned into a real function.
- receiving certs needed improvements to ikev1_decode_cert() and
store_x509certs(). Received CA certs are added to the global authcert list and
removed when the connection is deleted. Added an alternate cert list to
verify_x509cert() so recieved CAs can be verified through their own chain
first before adding them to the global list.
Among other small changes.
More information about the Swan-dev