x509: Add support for IP address nameConstraints
authorTobias Brunner <tobias@strongswan.org>
Wed, 18 Oct 2023 16:25:14 +0000 (18:25 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 13 Nov 2023 11:23:33 +0000 (12:23 +0100)
According to RFC 5280, section 4.2.1.10, these are encoded as address
followed by a network mask of the same length.

src/libstrongswan/plugins/x509/x509_cert.c

index 3cb7a53633e07306a9b58bb296f89e92428ec839..ca200408e56c598226fd043d716e613a60cd6a0b 100644 (file)
@@ -483,9 +483,15 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
                                        case 4:
                                                id_type = ID_IPV4_ADDR;
                                                break;
+                                       case 8:
+                                               id_type = ID_IPV4_ADDR_SUBNET;
+                                               break;
                                        case 16:
                                                id_type = ID_IPV6_ADDR;
                                                break;
+                                       case 32:
+                                               id_type = ID_IPV6_ADDR_SUBNET;
+                                               break;
                                        default:
                                                break;
                                }
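Review bot: The new `case 8:` and `case 32:` branches accept the address-plus-mask form for every iPAddress GeneralName, not only inside nameConstraints, so a subjectAltName carrying 8 or 32 octets would now be returned as an `ID_IPV4_ADDR_SUBNET` or `ID_IPV6_ADDR_SUBNET` identity, while a 4- or 16-octet entry inside a constraint is still taken as a single address. RFC 5280 permits the masked form only in nameConstraints (section 4.2.1.10), so unless the callers check the resulting type (they are not visible here), the parser needs to know its context or the callers need to reject the wrong form for their extension. The same applies to the `build_generalName` hunk, which maps the subnet types to `ASN1_CONTEXT_S_7` regardless of which extension the name is written into. Nothing in this hunk checks that the mask half is a contiguous CIDR prefix; if the matching code does not enforce that either, a comment such as `/* address followed by netmask, only valid in nameConstraints (RFC 5280, 4.2.1.10) */` above `case 8:` should at least record the assumption. The body of parse_generalName starts and ends outside the hunk.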
@@ -2065,6 +2071,8 @@ static chunk_t build_generalName(identification_t *id)
                        break;
                case ID_IPV4_ADDR:
                case ID_IPV6_ADDR:
+               case ID_IPV4_ADDR_SUBNET:
+               case ID_IPV6_ADDR_SUBNET:
                        context = ASN1_CONTEXT_S_7;
                        break;
                default: