Added support for inhibitAnyPolicy constraint to x509 plugin

author Martin Willi <martin@revosec.ch>

Wed, 22 Dec 2010 14:52:02 +0000 (15:52 +0100)

committer Martin Willi <martin@revosec.ch>

Wed, 5 Jan 2011 15:46:05 +0000 (16:46 +0100)
author Martin Willi <martin@revosec.ch>
Wed, 22 Dec 2010 14:52:02 +0000 (15:52 +0100)
committer Martin Willi <martin@revosec.ch>
Wed, 5 Jan 2011 15:46:05 +0000 (16:46 +0100)
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c

index 768b9da3d46b608de979535c41ab31102b693ca8..47e1ed5b222322c38ca51d171b6a03f2e46ab2ed 100644 (file)
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -49,6 +49,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
         "BUILD_POLICY_MAPPINGS",
         "BUILD_POLICY_CONSTRAINT_EXPLICIT",
         "BUILD_POLICY_CONSTRAINT_INHIBIT",
+       "BUILD_POLICY_CONSTRAINT_INHIBIT_ANY",
         "BUILD_X509_FLAG",
         "BUILD_REVOKED_ENUMERATOR",
         "BUILD_BASE_CRL",
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h

index 5db37775a6e0ca9c4a03aa5b9d8662e7e593f113..383fa90a76e774688692f1296fcd942ab312d26d 100644 (file)
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -105,6 +105,8 @@ enum builder_part_t {
         BUILD_POLICY_CONSTRAINT_EXPLICIT,
         /** inhibitPolicyMapping constraint, int */
         BUILD_POLICY_CONSTRAINT_INHIBIT,
+       /** inhibitAnyPolicy constraint, int */
+       BUILD_POLICY_CONSTRAINT_INHIBIT_ANY,
         /** enforce an additional X509 flag, x509_flag_t */
         BUILD_X509_FLAG,
         /** enumerator_t over (chunk_t serial, time_t date, crl_reason_t reason) */
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h

index d668ceba3cd5a190eae424a46e6d26a3a731eb64..9f5865da801431e0621b94ba40e788717ba93017 100644 (file)
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -67,6 +67,8 @@ enum x509_constraint_t {
         X509_INHIBIT_POLICY_MAPPING,
         /** requireExplicitPolicy policyConstraint */
         X509_REQUIRE_EXPLICIT_POLICY,
+       /** inhibitAnyPolicy constraint */
+       X509_INHIBIT_ANY_POLICY,
  };
  
  /**
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c

index 995ba9bfa1c976bf998759129c5754b111efc0f4..4bf221fdb821c426fc18c9580af22a794000d6f9 100644 (file)
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -186,6 +186,11 @@ struct private_x509_cert_t {
          */
         char inhibit_policy_constraint;
  
+       /**
+        * inhibitAnyPolicy Constraint
+        */
+       char inhibit_any_policy;
+
         /**
          * x509 constraints and other flags
          */
@@ -247,6 +252,22 @@ static void policy_mapping_destroy(x509_policy_mapping_t *mapping)
         free(mapping);
  }
  
+/**
+ * Parse a length constraint from an unwrapped integer
+ */
+static int parse_constraint(chunk_t object)
+{
+       switch (object.len)
+       {
+               case 0:
+                       return 0;
+               case 1:
+                       return object.ptr[0];
+               default:
+                       return X509_NO_CONSTRAINT;
+       }
+}
+
  /**
   * ASN.1 definition of a basicConstraints extension
   */
@@ -289,15 +310,7 @@ static void parse_basicConstraints(chunk_t blob, int level0,
                         case BASIC_CONSTRAINTS_PATH_LEN:
                                 if (isCA)
                                 {
-                                       if (object.len == 0)
-                                       {
-                                               this->pathLenConstraint = 0;
-                                       }
-                                       else if (object.len == 1)
-                                       {
-                                               this->pathLenConstraint = *object.ptr;
-                                       }
-                                       /* we ignore path length constraints > 127 */
+                                       this->pathLenConstraint = parse_constraint(object);
                                 }
                                 break;
                         default:
@@ -1076,24 +1089,10 @@ static void parse_policyConstraints(chunk_t blob, int level0,
                 switch (objectID)
                 {
                         case POLICY_CONSTRAINT_EXPLICIT:
-                               if (object.len == 0)
-                               {
-                                       this->explicit_policy_constraint = 0;
-                               }
-                               else if (object.len == 1)
-                               {
-                                       this->explicit_policy_constraint = *object.ptr;
-                               }
+                               this->explicit_policy_constraint = parse_constraint(object);
                                 break;
                         case POLICY_CONSTRAINT_INHIBIT:
-                               if (object.len == 0)
-                               {
-                                       this->inhibit_policy_constraint = 0;
-                               }
-                               else if (object.len == 1)
-                               {
-                                       this->inhibit_policy_constraint = *object.ptr;
-                               }
+                               this->inhibit_policy_constraint = parse_constraint(object);
                                 break;
                         default:
                                 break;
@@ -1424,6 +1423,14 @@ static bool parse_certificate(private_x509_cert_t *this)
                                         case OID_POLICY_CONSTRAINTS:
                                                 parse_policyConstraints(object, level, this);
                                                 break;
+                                       case OID_INHIBIT_ANY_POLICY:
+                                               if (!asn1_parse_simple_object(&object, ASN1_INTEGER,
+                                                                                                         level, "inhibitAnyPolicy"))
+                                               {
+                                                       goto end;
+                                               }
+                                               this->inhibit_any_policy = parse_constraint(object);
+                                               break;
                                         case OID_NS_REVOCATION_URL:
                                         case OID_NS_CA_REVOCATION_URL:
                                         case OID_NS_CA_POLICY_URL:
@@ -1727,6 +1734,8 @@ METHOD(x509_t, get_constraint, int,
                         return this->explicit_policy_constraint;
                 case X509_INHIBIT_POLICY_MAPPING:
                         return this->inhibit_policy_constraint;
+               case X509_INHIBIT_ANY_POLICY:
+                       return this->inhibit_any_policy;
                 default:
                         return X509_NO_CONSTRAINT;
         }
@@ -1863,6 +1872,7 @@ static private_x509_cert_t* create_empty(void)
                 .pathLenConstraint = X509_NO_CONSTRAINT,
                 .explicit_policy_constraint = X509_NO_CONSTRAINT,
                 .inhibit_policy_constraint = X509_NO_CONSTRAINT,
+               .inhibit_any_policy = X509_NO_CONSTRAINT,
                 .ref = 1,
         );
         return this;
@@ -1983,7 +1993,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
         chunk_t subjectAltNames = chunk_empty, policyMappings = chunk_empty;
         chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
         chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
-       chunk_t policyConstraints = chunk_empty;
+       chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
         identification_t *issuer, *subject;
         chunk_t key_info;
         signature_scheme_t scheme;
@@ -2270,23 +2280,34 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                                                 asn1_integer("c",
                                                         chunk_from_thing(cert->inhibit_policy_constraint)));
                 }
-               policyConstraints = asn1_wrap(ASN1_SEQUENCE, "mm",
-                                                               asn1_build_known_oid(OID_POLICY_CONSTRAINTS),
-                                                               asn1_wrap(ASN1_OCTET_STRING, "m",
-                                                                       asn1_wrap(ASN1_SEQUENCE, "mm",
-                                                                               explicit, inhibit)));
+               policyConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
+                                               asn1_build_known_oid(OID_POLICY_CONSTRAINTS),
+                                               asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
+                                               asn1_wrap(ASN1_OCTET_STRING, "m",
+                                                       asn1_wrap(ASN1_SEQUENCE, "mm",
+                                                               explicit, inhibit)));
+       }
+
+       if (cert->inhibit_any_policy != X509_NO_CONSTRAINT)
+       {
+               inhibitAnyPolicy = asn1_wrap(ASN1_SEQUENCE, "mmm",
+                               asn1_build_known_oid(OID_INHIBIT_ANY_POLICY),
+                               asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
+                               asn1_wrap(ASN1_OCTET_STRING, "m",
+                                       asn1_integer("c",
+                                               chunk_from_thing(cert->inhibit_any_policy))));
         }
  
         if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
                 crlDistributionPoints.ptr || nameConstraints.ptr)
         {
                 extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
-                                               asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmm",
+                                               asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmmm",
                                                         basicConstraints, keyUsage, subjectKeyIdentifier,
                                                         authKeyIdentifier, subjectAltNames,
                                                         extendedKeyUsage, crlDistributionPoints,
                                                         authorityInfoAccess, nameConstraints, certPolicies,
-                                                       policyMappings, policyConstraints));
+                                                       policyMappings, policyConstraints, inhibitAnyPolicy));
         }
  
         cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
@@ -2527,6 +2548,9 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
                         case BUILD_POLICY_CONSTRAINT_INHIBIT:
                                 cert->inhibit_policy_constraint = va_arg(args, int);
                                 continue;
+                       case BUILD_POLICY_CONSTRAINT_INHIBIT_ANY:
+                               cert->inhibit_any_policy = va_arg(args, int);
+                               continue;
                         case BUILD_NOT_BEFORE_TIME:
                                 cert->notBefore = va_arg(args, time_t);
                                 continue;
author	Martin Willi <martin@revosec.ch>
	Wed, 22 Dec 2010 14:52:02 +0000 (15:52 +0100)
committer	Martin Willi <martin@revosec.ch>
	Wed, 5 Jan 2011 15:46:05 +0000 (16:46 +0100)
src/libstrongswan/credentials/builder.c		patch \| blob \| blame \| history
src/libstrongswan/credentials/builder.h		patch \| blob \| blame \| history
src/libstrongswan/credentials/certificates/x509.h		patch \| blob \| blame \| history
src/libstrongswan/plugins/x509/x509_cert.c		patch \| blob \| blame \| history