[strongSwan-dev] Getting raw certificate from authorize hook
Tobias Brunner
2017-05-24 14:21:37 UTC
Hi Emeric,

> Is there a way to get the peer's raw certificate during the authorize hook?

Sure, have a look at the certexpire plugin, or the tkm_listener.

> Maybe using a cert_validator hook?

Different thing (it's called during the validation of individual
certificates, the authorize hook, on the other hand, after each or all
authentication rounds are finished) but could be used too depending on
the use case. Examples may be found in the addrblock, coupling,
constraints and, of course, revocation plugins.

Regards,
Tobias
Sriram Yagnaraman
2017-05-24 14:20:53 UTC
Hi,

I guess this should do the trick in authorize.

#include <daemon.h>

METHOD(listener_t, authorize, bool, private_ike_alarm_t *this,
       ike_sa_t *ike_sa, bool final, bool *success)
{
	enumerator_t *auth_enumerator;
	auth_cfg_t *peer_auth_cfg;
	certificate_t *peer_cert;
	chunk_t cert_pem = chunk_empty; /* will hold the peer's raw certificate */

	/* FALSE = enumerate the remote (peer) auth configs, not our own */
	auth_enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
	if (auth_enumerator->enumerate(auth_enumerator, &peer_auth_cfg))
	{
		peer_cert = peer_auth_cfg->get(peer_auth_cfg, AUTH_HELPER_SUBJECT_CERT);
		if (peer_cert)
		{
			/* get_encoding() allocates the encoding and stores it in *cert_pem,
			 * so it needs a pointer to the chunk and the result must be freed */
			if (peer_cert->get_encoding(peer_cert, CERT_PEM, &cert_pem))
			{
				/* ... hand cert_pem to the external check here ... */
				chunk_free(&cert_pem);
			}
		}
	}
	auth_enumerator->destroy(auth_enumerator);

	/* TRUE keeps the listener registered; *success is left untouched */
	return TRUE;
}

/Sriram

-----Original Message-----
From: Dev [mailto:dev-***@lists.strongswan.org] On Behalf Of Emeric POUPON
Sent: den 24 maj 2017 16:05
To: ***@lists.strongswan.org
Subject: [strongSwan-dev] Getting raw certificate from authorize hook

Hello,

Is there a way to get the peer's raw certificate during the authorize hook?

The idea would be to perform extra checks on the firmware using an external tool.
Maybe using a cert_validator hook?

Regards,
