From: Tobias Brunner
Date: Wed, 16 Nov 2016 14:37:23 +0000 (+0100)
Subject: vici: Add support for certificate policies
X-Git-Tag: 5.5.2dr5~9^2~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e00bc9f6b298bf2ae8151bee83c346d6f867c0cb;p=thirdparty%2Fstrongswan.git
vici: Add support for certificate policies
---
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index ff706be464..add81b9eff 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -1141,6 +1141,22 @@ CALLBACK(parse_group, bool,
 return parse_id(cfg, AUTH_RULE_GROUP, v);
 }
+/**
+ * Parse certificate policy
+ */
+CALLBACK(parse_cert_policy, bool,
+ auth_cfg_t *cfg, chunk_t v)
+{
+ char buf[BUF_LEN];
+
+ if (!vici_stringify(v, buf, sizeof(buf)))
+ {
+ return FALSE;
+ }
+ cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(buf));
+ return TRUE;
+}
+
 /**
  * Parse a certificate; add as auth rule to config
  */
@@ -1402,6 +1418,7 @@ CALLBACK(auth_li, bool,
 {
 parse_rule_t rules[] = {
 { "groups", parse_group, auth->cfg },
+ { "cert_policy", parse_cert_policy, auth },
 { "certs", parse_certs, auth },
 { "cacerts", parse_cacerts, auth },
 { "pubkeys", parse_pubkeys, auth },
diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c
index 2e443a94ab..82592f4561 100644
--- a/src/swanctl/commands/load_conns.c
+++ b/src/swanctl/commands/load_conns.c
@@ -38,6 +38,7 @@ static bool is_list_key(char *key)
 "vips",
 "pools",
 "groups",
+ "cert_policy",
 };
 int i;
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index e882e60ba5..e74886641b 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
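Review bot: The rules entry `{ "cert_policy", parse_cert_policy, auth },` added in the second vici_config.c hunk (inside auth_li, whose body continues outside the hunk) hands `auth` to a callback that the first hunk declares as `CALLBACK(parse_cert_policy, bool, auth_cfg_t *cfg, chunk_t v)`, so `cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(buf))` would be invoked on whatever `auth` points to rather than on an `auth_cfg_t`. The neighbouring `{ "groups", parse_group, auth->cfg },` entry shows the expected pairing, and because the context pointer is presumably stored untyped in `parse_rule_t` (the other entries pass `auth` to callbacks of a different parameter type without a cast), the compiler will not catch the mismatch; the first remote section carrying a `cert_policy` key loaded through vici would then call a method slot of the wrong struct. The entry should read `{ "cert_policy", parse_cert_policy, auth->cfg },` unless the callback is meant to take the same argument as `parse_certs`. Since the string is added verbatim, a comment such as `/* stored as given; dotted-OID syntax is checked where AUTH_RULE_CERT_POLICY is consumed */` would document that this parser performs no format check, assuming that is indeed where validation happens.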
@@ -406,6 +406,12 @@ connections..remote.groups =
 can be certified by different means, for example by appropriate Attribute Certificates or by an AAA backend involved in the authentication.
+connections..remote.cert_policy =
+ Certificate policy OIDs the peer's certificate must have.
+
+ Comma separated list of certificate policy OIDs the peer's certificate must
+ have. OIDs are specified using the numerical dotted representation.
+
 connections..remote.certs =
 Comma separated list of certificate to accept for authentication.