implemented parsing of pathLenConstraint
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 3 Nov 2009 23:03:10 +0000 (00:03 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 3 Nov 2009 23:03:10 +0000 (00:03 +0100)
src/libstrongswan/credentials/certificates/x509.h
src/libstrongswan/plugins/x509/x509_cert.c

index 8af9200ded5d51baa2320b7b36d898d4926ff33a..6d34195462bdb9bbcfc1907edd62525d10307bce 100644 (file)
@@ -24,6 +24,8 @@
 #include <utils/enumerator.h>
 #include <credentials/certificates/certificate.h>
 
+#define NO_PATH_LEN_CONSTRAINT -1
+
 typedef struct x509_t x509_t;
 typedef enum x509_flag_t x509_flag_t;
 
@@ -91,6 +93,13 @@ struct x509_t {
         */
        chunk_t (*get_authKeyIdentifier)(x509_t *this);
 
+       /**
+        * Get an optional path length constraint.
+        *
+        * @return                      pathLenConstraint, -1 if no constraint exists
+        */
+       int (*get_pathLenConstraint)(x509_t *this);
+
        /**
         * Create an enumerator over all subjectAltNames.
         *
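Review bot: The @return line of get_pathLenConstraint hard-codes -1 even though this same commit introduces NO_PATH_LEN_CONSTRAINT for exactly that sentinel a few lines above; naming the macro keeps the two from drifting: `@return pathLenConstraint, NO_PATH_LEN_CONSTRAINT if no constraint exists`. It would also help callers to say when a value is reported at all — the parser added to x509_cert.c in this commit only records it when the cA flag is TRUE — so a line such as `Only recorded for certificates whose basicConstraints cA flag is set` belongs in the comment. The enclosing struct x509_t starts outside this hunk.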
index 353c91e9f53f463a657f45e16d9ce023e382be46..b10317093b31ac881c70a1ee8847ef440f8a5878 100644 (file)
@@ -145,6 +145,11 @@ struct private_x509_cert_t {
         */
        chunk_t authKeySerialNumber;
 
+       /**
+        * Path Length Constraint
+        */
+       int pathLenConstraint;
+
        /**
         * x509 constraints and other flags
         */
@@ -185,12 +190,14 @@ static const asn1Object_t basicConstraintsObjects[] = {
        { 1,   "end opt",                       ASN1_EOC,               ASN1_END                        }, /*  3 */
        { 0, "exit",                            ASN1_EOC,               ASN1_EXIT                       }
 };
-#define BASIC_CONSTRAINTS_CA   1
+#define BASIC_CONSTRAINTS_CA           1
+#define BASIC_CONSTRAINTS_PATH_LEN     2
 
 /**
  * Extracts the basicConstraints extension
  */
-static bool parse_basicConstraints(chunk_t blob, int level0)
+static void parse_basicConstraints(chunk_t blob, int level0,
+                                                                  private_x509_cert_t *this)
 {
        asn1_parser_t *parser;
        chunk_t object;
@@ -202,15 +209,35 @@ static bool parse_basicConstraints(chunk_t blob, int level0)
 
        while (parser->iterate(parser, &objectID, &object))
        {
-               if (objectID == BASIC_CONSTRAINTS_CA)
+               switch (objectID)
                {
-                       isCA = object.len && *object.ptr;
-                       DBG2("  %s", isCA ? "TRUE" : "FALSE");
+                       case BASIC_CONSTRAINTS_CA:
+                               isCA = object.len && *object.ptr;
+                               DBG2("  %s", isCA ? "TRUE" : "FALSE");
+                               if (isCA)
+                               {
+                                       this->flags |= X509_CA;
+                               }
+                               break;
+                       case BASIC_CONSTRAINTS_PATH_LEN:
+                               if (isCA)
+                               {
+                                       if (object.len == 0)
+                                       {
+                                               this->pathLenConstraint = 0;
+                                       }
+                                       else if (object.len == 1)
+                                       {
+                                               this->pathLenConstraint = *object.ptr;
+                                       }
+                                       /* we ignore path length constraints > 127 */
+                               }
+                               break;
+                       default:
+                               break;
                }
        }
        parser->destroy(parser);
-
-       return isCA;
 }
 
 /**
@@ -785,10 +812,7 @@ static bool parse_certificate(private_x509_cert_t *this)
                                                                                                this->subjectAltNames);
                                                break;
                                        case OID_BASIC_CONSTRAINTS:
-                                               if (parse_basicConstraints(object, level))
-                                               {
-                                                       this->flags |= X509_CA;
-                                               }
+                                               parse_basicConstraints(object, level, this);
                                                break;
                                        case OID_CRL_DISTRIBUTION_POINTS:
                                                parse_crlDistributionPoints(object, level, this);
@@ -1205,6 +1229,7 @@ static private_x509_cert_t* create_empty(void)
        this->subjectKeyIdentifier = chunk_empty;
        this->authKeyIdentifier = chunk_empty;
        this->authKeySerialNumber = chunk_empty;
+       this->pathLenConstraint = NO_PATH_LEN_CONSTRAINT;
        this->algorithm = 0;
        this->signature = chunk_empty;
        this->flags = 0;