From: Martin Willi
Date: Thu, 9 Dec 2010 10:50:50 +0000 (+0100)
Subject: Added name constraint enumerator to x509 interface
X-Git-Tag: 4.5.1~201
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dbfbbec368fbe77e0615968448b0fef765356ec8;p=thirdparty%2Fstrongswan.git

Added name constraint enumerator to x509 interface
---
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index cadb401994..ec6a335786 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -128,6 +128,14 @@ struct x509_t {
 * @return enumerator over ipAddrBlocks as traffic_selector_t*
 */
 enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this);
+
+ /**
+ * Create an enumerator over name constraints.
+ *
+ * @param perm TRUE for permitted, FALSE for excluded subtrees
+ * @return enumerator over subtrees as identification_t
+ */
+ enumerator_t* (*create_name_constraint_enumerator)(x509_t *this, bool perm);
 };
 
 #endif /** X509_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 1630d8faf0..b6a06d0151 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -579,6 +579,7 @@ static private_openssl_x509_t *create_empty()
 .create_crl_uri_enumerator = _create_crl_uri_enumerator,
 .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
 .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
+ .create_name_constraint_enumerator = (void*)enumerator_create_empty,
 },
 },
 .subjectAltNames = linked_list_create(),
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 23c0262a25..cf85fe9958 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
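Review bot: The `@return` line of the new `create_name_constraint_enumerator` doc comment names the yielded type as `identification_t`, where the sibling `create_ipAddrBlock_enumerator` says `traffic_selector_t*`, and it says nothing about ownership of the yielded objects. In the x509 plugin's implementation in this same patch the enumerator walks `permitted_names`/`excluded_names`, which `destroy` frees via `destroy_offset`, so the items belong to the certificate and a caller must not destroy them; I would write `@return enumerator over subtrees as identification_t*, owned by the certificate`. Since an empty enumeration cannot be told apart from an absent extension, it is also worth a sentence that a caller enforcing RFC 5280 name constraints must treat an empty permitted enumeration as "unconstrained", not as "nothing permitted". The `struct x509_t` definition begins before this hunk.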
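Review bot: With `.create_name_constraint_enumerator = (void*)enumerator_create_empty` a certificate parsed by the openssl backend reports neither permitted nor excluded subtrees whatever its nameConstraints extension contains, so any caller that enforces name constraints through this interface will treat such a CA as unconstrained. That is a silent downgrade rather than a visible failure; at minimum the stub deserves a comment such as `/* nameConstraints are not parsed by this backend: a constrained CA looks unconstrained to callers of this interface */`, and the backend should reject a critical nameConstraints extension it does not implement (how openssl_x509.c treats unknown critical extensions is not visible in this hunk). The `(void*)` cast also hides that `enumerator_create_empty` takes no arguments while the interface calls it with `(x509_t*, bool)`; this follows the plugin's existing pattern and works on the usual ABIs, but a two-line wrapper with the proper signature would avoid calling through a mismatched function pointer. `create_empty` starts before and ends after this hunk.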
@@ -131,6 +131,16 @@ struct private_x509_cert_t {
 */
 linked_list_t *ipAddrBlocks;
 
+ /**
+ * List of permitted name constraints
+ */
+ linked_list_t *permitted_names;
+
+ /**
+ * List of exluced name constraints
+ */
+ linked_list_t *excluded_names;
+
 /**
 * certificate's embedded public key
 */
@@ -1465,6 +1475,16 @@ METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*,
 return this->ipAddrBlocks->create_enumerator(this->ipAddrBlocks);
 }
 
+METHOD(x509_t, create_name_constraint_enumerator, enumerator_t*,
+ private_x509_cert_t *this, bool perm)
+{
+ if (perm)
+ {
+ return this->permitted_names->create_enumerator(this->permitted_names);
+ }
+ return this->excluded_names->create_enumerator(this->excluded_names);
+}
+
 METHOD(certificate_t, destroy, void,
 private_x509_cert_t *this)
 {
@@ -1474,7 +1494,12 @@ METHOD(certificate_t, destroy, void,
 offsetof(identification_t, destroy));
 this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy);
 this->ocsp_uris->destroy_function(this->ocsp_uris, free);
- this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks, offsetof(traffic_selector_t, destroy));
+ this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks,
+ offsetof(traffic_selector_t, destroy));
+ this->permitted_names->destroy_offset(this->permitted_names,
+ offsetof(identification_t, destroy));
+ this->excluded_names->destroy_offset(this->excluded_names,
+ offsetof(identification_t, destroy));
 DESTROY_IF(this->issuer);
 DESTROY_IF(this->subject);
 DESTROY_IF(this->public_key);
@@ -1524,6 +1549,7 @@ static private_x509_cert_t* create_empty(void)
 .create_crl_uri_enumerator = _create_crl_uri_enumerator,
 .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
 .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
+ .create_name_constraint_enumerator = _create_name_constraint_enumerator,
 },
 },
 .version = 1,
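Review bot: The comment on the new `excluded_names` field misspells "excluded" as "exluced"; it should read `List of excluded name constraints`. Both field comments would also help a reader if they said what the lists hold: per the `destroy` hunk in this same patch the elements are `identification_t*` released with `destroy_offset`, so `List of permitted name constraints (identification_t*, owned by this certificate)` states the contract in one line. The `private_x509_cert_t` struct starts before this hunk and continues after it.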
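Review bot: Nothing in this patch fills `permitted_names` or `excluded_names`: the x509_cert.c hunks create the lists in `create_empty`, free them in `destroy` and read them in the new `create_name_constraint_enumerator`, but no hunk parses the nameConstraints extension into them, so the enumerator yields nothing for every certificate this plugin loads until that parsing is added (possibly a follow-up commit I cannot see). In the meantime a CA with a critical nameConstraints extension is only handled safely if the extension parser elsewhere in this file rejects critical extensions it does not understand, which this hunk does not show. A short note on the method keeps the gap visible, e.g. `/* NOTE(review): lists are not yet populated from the nameConstraints extension; an empty enumeration may mean "not parsed", not "absent" */`.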
@@ -1531,6 +1557,8 @@ static private_x509_cert_t* create_empty(void)
 .crl_uris = linked_list_create(),
 .ocsp_uris = linked_list_create(),
 .ipAddrBlocks = linked_list_create(),
+ .permitted_names = linked_list_create(),
+ .excluded_names = linked_list_create(),
 .pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT,
 .ref = 1,
 );