--- embedaddon/strongswan/src/libcharon/plugins/vici/vici_cred.c	2020/06/03 09:46:45	1.1.1.1
+++ embedaddon/strongswan/src/libcharon/plugins/vici/vici_cred.c	2021/03/17 00:20:09	1.1.1.2
@@ -52,6 +52,11 @@ struct private_vici_cred_t {
 	vici_dispatcher_t *dispatcher;
 
 	/**
+	 * CA certificate store
+	 */
+	vici_authority_t *authority;
+
+	/**
 	 * credentials
 	 */
 	mem_cred_t *creds;
@@ -135,7 +140,6 @@ CALLBACK(load_cert, vici_message_t*,
 	x509_flag_t ext_flag, flag = X509_NONE;
 	x509_t *x509;
 	chunk_t data;
-	bool trusted = TRUE;
 	char *str;
 
 	str = message->get_str(message, NULL, "type");
@@ -179,26 +183,31 @@ CALLBACK(load_cert, vici_message_t*,
 	}
 	DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
 
-	/* check if CA certificate has CA basic constraint set */
-	if (flag & X509_CA)
+	if (type == CERT_X509)
 	{
-		char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
 		x509 = (x509_t*)cert;
-
-		if (!(x509->get_flags(x509) & X509_CA))
+		if (x509->get_flags(x509) & X509_CA)
 		{
+			cert = this->authority->add_ca_cert(this->authority, cert);
 			cert->destroy(cert);
-			DBG1(DBG_CFG, "  %s", err_msg);
-			return create_reply(err_msg);
+			return create_reply(NULL);
 		}
+		else if (flag & X509_CA)
+		{
+			char msg[] = "ca certificate lacks CA basic constraint, rejected";
+			cert->destroy(cert);
+			DBG1(DBG_CFG, "  %s", msg);
+			return create_reply(msg);
+		}
 	}
+
 	if (type == CERT_X509_CRL)
 	{
 		this->creds->add_crl(this->creds, (crl_t*)cert);
 	}
 	else
 	{
-		this->creds->add_cert(this->creds, trusted, cert);
+		this->creds->add_cert(this->creds, type != CERT_X509_AC, cert);
 	}
 	return create_reply(NULL);
 }
@@ -217,24 +226,8 @@ CALLBACK(load_key, vici_message_t*,
 	{
 		return create_reply("key type missing");
 	}
-	if (strcaseeq(str, "any"))
+	if (!enum_from_name(key_type_names, str, &type))
 	{
-		type = KEY_ANY;
-	}
-	else if (strcaseeq(str, "rsa"))
-	{
-		type = KEY_RSA;
-	}
-	else if (strcaseeq(str, "ecdsa"))
-	{
-		type = KEY_ECDSA;
-	}
-	else if (strcaseeq(str, "bliss"))
-	{
-		type = KEY_BLISS;
-	}
-	else
-	{
 		return create_reply("invalid key type: %s", str);
 	}
 	data = message->get_value(message, chunk_empty, "data");
@@ -536,6 +529,7 @@ CALLBACK(clear_creds, vici_message_t*,
 	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
 {
 	this->creds->clear(this->creds);
+	this->authority->clear_ca_certs(this->authority);
 	lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
 
 	return create_reply(NULL);
@@ -604,7 +598,8 @@ METHOD(vici_cred_t, destroy, void,
 /**
  * See header
  */
-vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
+vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher,
+							  vici_authority_t *authority)
 {
 	private_vici_cred_t *this;
 
@@ -621,6 +616,7 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispa
 			.destroy = _destroy,
 		},
 		.dispatcher = dispatcher,
+		.authority = authority,
 		.creds = mem_cred_create(),
 		.pins = mem_cred_create(),
 	);