enumerator_t *enumerator;
identification_t *altName;
bool first_altName = TRUE;
- int pathlen;
+ u_int pathlen;
chunk_t serial, authkey;
time_t notBefore, notAfter;
public_key_t *public;
pathlen = x509->get_constraint(x509, X509_PATH_LEN);
if (pathlen != X509_NO_CONSTRAINT)
{
- fprintf(out, " pathlen: %d\n", pathlen);
+ fprintf(out, " pathlen: %u\n", pathlen);
}
/* list optional ipAddrBlocks */
* @param auth container for resulting authentication info
*/
bool (*validate)(cert_validator_t *this, certificate_t *subject,
- certificate_t *issuer, bool online, int pathlen,
+ certificate_t *issuer, bool online, u_int pathlen,
bool anchor, auth_cfg_t *auth);
};
#include <utils/enumerator.h>
#include <credentials/certificates/certificate.h>
-#define X509_NO_CONSTRAINT -1
+/* constraints are currently restricted to the range 0..127 */
+#define X509_NO_CONSTRAINT 255
typedef struct x509_t x509_t;
typedef struct x509_cert_policy_t x509_cert_policy_t;
* @param type type of constraint to get
* @return constraint, X509_NO_CONSTRAINT if none found
*/
- int (*get_constraint)(x509_t *this, x509_constraint_t type);
+ u_int (*get_constraint)(x509_t *this, x509_constraint_t type);
/**
* Create an enumerator over all subjectAltNames.
*/
static bool check_pathlen(x509_t *issuer, int pathlen)
{
- int pathlen_constraint;
+ u_int pathlen_constraint;
pathlen_constraint = issuer->get_constraint(issuer, X509_PATH_LEN);
if (pathlen_constraint != X509_NO_CONSTRAINT &&
/**
* Check requireExplicitPolicy and inhibitPolicyMapping constraints
*/
-static bool check_policy_constraints(x509_t *issuer, int pathlen,
+static bool check_policy_constraints(x509_t *issuer, u_int pathlen,
auth_cfg_t *auth)
{
certificate_t *subject;
certificate_t *cert;
auth_rule_t rule;
x509_t *x509;
- int len = 0, expl, inh;
+ int len = 0;
+ u_int expl, inh;
/* prepare trustchain to validate */
chain = linked_list_create();
METHOD(cert_validator_t, validate, bool,
private_constraints_validator_t *this, certificate_t *subject,
- certificate_t *issuer, bool online, int pathlen, bool anchor,
+ certificate_t *issuer, bool online, u_int pathlen, bool anchor,
auth_cfg_t *auth)
{
if (issuer->get_type(issuer) == CERT_X509 &&
/**
* Pathlen constraint
*/
- int pathlen;
+ u_char pathlen;
/**
* certificate subject
return chunk_empty;
}
-METHOD(x509_t, get_constraint, int,
+METHOD(x509_t, get_constraint, u_int,
private_openssl_x509_t *this, x509_constraint_t type)
{
switch (type)
X509_EXTENSION *ext)
{
BASIC_CONSTRAINTS *constraints;
+ long pathlen;
constraints = (BASIC_CONSTRAINTS*)X509V3_EXT_d2i(ext);
if (constraints)
}
if (constraints->pathlen)
{
- this->pathlen = ASN1_INTEGER_get(constraints->pathlen);
+
+ pathlen = ASN1_INTEGER_get(constraints->pathlen);
+ this->pathlen = (pathlen >= 0 && pathlen < 128) ?
+ pathlen : X509_NO_CONSTRAINT;
}
BASIC_CONSTRAINTS_free(constraints);
return TRUE;
METHOD(cert_validator_t, validate, bool,
private_revocation_validator_t *this, certificate_t *subject,
- certificate_t *issuer, bool online, int pathlen, bool anchor,
+ certificate_t *issuer, bool online, u_int pathlen, bool anchor,
auth_cfg_t *auth)
{
if (subject->get_type(subject) == CERT_X509 &&
/**
* Path Length Constraint
*/
- char pathLenConstraint;
+ u_char pathLenConstraint;
/**
* requireExplicitPolicy Constraint
*/
- char require_explicit;
+ u_char require_explicit;
/**
* inhibitPolicyMapping Constraint
*/
- char inhibit_mapping;
+ u_char inhibit_mapping;
/**
* inhibitAnyPolicy Constraint
*/
- char inhibit_any;
+ u_char inhibit_any;
/**
* x509 constraints and other flags
/**
* Parse a length constraint from an unwrapped integer
*/
-static int parse_constraint(chunk_t object)
+static u_int parse_constraint(chunk_t object)
{
switch (object.len)
{
case 0:
return 0;
case 1:
- return object.ptr[0];
+ return (object.ptr[0] & 0x80) ? X509_NO_CONSTRAINT : object.ptr[0];
default:
return X509_NO_CONSTRAINT;
}
return this->authKeyIdentifier;
}
-METHOD(x509_t, get_constraint, int,
+METHOD(x509_t, get_constraint, u_int,
private_x509_cert_t *this, x509_constraint_t type)
{
switch (type)
certificate_t *sign_cert = NULL;
private_key_t *sign_key = NULL;
hash_algorithm_t digest_alg = HASH_SHA1;
+ u_int constraint;
cert = create_empty();
while (TRUE)
continue;
}
case BUILD_PATHLEN:
- cert->pathLenConstraint = va_arg(args, int);
- if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127)
- {
- cert->pathLenConstraint = X509_NO_CONSTRAINT;
- }
+ constraint = va_arg(args, u_int);
+ cert->pathLenConstraint = (constraint < 128) ?
+ constraint : X509_NO_CONSTRAINT;
continue;
case BUILD_PERMITTED_NAME_CONSTRAINTS:
{
continue;
}
case BUILD_POLICY_REQUIRE_EXPLICIT:
- cert->require_explicit = va_arg(args, int);
+ constraint = va_arg(args, u_int);
+ cert->require_explicit = (constraint < 128) ?
+ constraint : X509_NO_CONSTRAINT;
continue;
case BUILD_POLICY_INHIBIT_MAPPING:
- cert->inhibit_mapping = va_arg(args, int);
+ constraint = va_arg(args, u_int);
+ cert->inhibit_mapping = (constraint < 128) ?
+ constraint : X509_NO_CONSTRAINT;
continue;
case BUILD_POLICY_INHIBIT_ANY:
- cert->inhibit_any = va_arg(args, int);
+ constraint = va_arg(args, u_int);
+ cert->inhibit_any = (constraint < 128) ?
+ constraint : X509_NO_CONSTRAINT;
continue;
case BUILD_NOT_BEFORE_TIME:
cert->notBefore = va_arg(args, time_t);
projects / thirdparty / strongswan.git / commitdiff
