I'm using the spd "end" structures 'this' and 'that' (ie
c->spd.that.ca_path) to store the chain of CA certs. The 'this' end is
loaded with the local cert path of the end certificate on a connection
add, and the 'that' end is a list of CA certs received from the peer
(which are all validated as a group down to the root and placed into
the global x509authcert list). 

The 'that' chain is only used for freeing the certs from the global
list when deleted. 'this' makes sense for the local authcert chain,
but I'm not sure about using 'that' for the received chain since the
connection can be refined right after processing it. I don't know if
that would affect it - Would there be a better spot?

I noticed get_peer_ca uses pluto_pubkeys to look for the peer CA's
key. Are local CA cert keys put into pluto_pubkeys at some point? If
so, I'm guessing I will also need to have that happen for CA certs
that come in through the exchange. Otherwise it needs to be changed to
use the authcert list. 

Any input is welcome.

Thanks,
Matt
_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev

Reply via email to