From 00aa0275037565539780376845b4b5b71b5408c2 Mon Sep 17 00:00:00 2001
From: Andreas Steffen
Date: Wed, 4 Nov 2009 00:03:10 +0100
Subject: [PATCH] implemented parsing of pathLenConstraint

---
 .../credentials/certificates/x509.h | 9 ++++
 src/libstrongswan/plugins/x509/x509_cert.c | 47 ++++++++++++++-----
 2 files changed, 45 insertions(+), 11 deletions(-)

diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 8af9200ded..6d34195462 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -24,6 +24,8 @@
 #include
 #include
 
+#define NO_PATH_LEN_CONSTRAINT -1
+
 typedef struct x509_t x509_t;
 typedef enum x509_flag_t x509_flag_t;
 
@@ -91,6 +93,13 @@ struct x509_t {
 */
 chunk_t (*get_authKeyIdentifier)(x509_t *this);
 
+ /**
+ * Get an optional path length constraint.
+ *
+ * @return pathLenConstraint, -1 if no constraint exists
+ */
+ int (*get_pathLenConstraint)(x509_t *this);
+
 /**
 * Create an enumerator over all subjectAltNames.
 *
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 353c91e9f5..b10317093b 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -145,6 +145,11 @@ struct private_x509_cert_t {
 */
 chunk_t authKeySerialNumber;
 
+ /**
+ * Path Length Constraint
+ */
+ int pathLenConstraint;
+
 /**
 * x509 constraints and other flags
 */
@@ -185,12 +190,14 @@ static const asn1Object_t basicConstraintsObjects[] = {
 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
 { 0, "exit", ASN1_EOC, ASN1_EXIT }
 };
-#define BASIC_CONSTRAINTS_CA 1
+#define BASIC_CONSTRAINTS_CA 1
+#define BASIC_CONSTRAINTS_PATH_LEN 2
 
 /**
 * Extracts the basicConstraints extension
 */
-static bool parse_basicConstraints(chunk_t blob, int level0)
+static void parse_basicConstraints(chunk_t blob, int level0,
+ private_x509_cert_t *this)
 {
 asn1_parser_t *parser;
 chunk_t object;
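Review bot: The x509.h hunk declares `int (*get_pathLenConstraint)(x509_t *this);` on the public interface, but no hunk in this patch defines a matching function in x509_cert.c or assigns it into the interface in create_empty(), which from the last hunk appears to set members one by one rather than zero-filling; unless that wiring lands in a follow-up commit, a caller invoking the new method goes through an uninitialized function pointer. Adding the accessor in this commit — a one-line function returning `this->pathLenConstraint` plus its assignment next to the other `get_*` entries — keeps the declaration and implementation together. The private struct's new field comment `Path Length Constraint` would also be clearer as `Path Length Constraint, NO_PATH_LEN_CONSTRAINT (-1) if the extension carries none`, so the sentinel is documented where the field lives rather than only in the header. The interface struct and create_empty() both extend beyond the visible hunks.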
@@ -202,15 +209,35 @@ static bool parse_basicConstraints(chunk_t blob, int level0)
 
 while (parser->iterate(parser, &objectID, &object))
 {
- if (objectID == BASIC_CONSTRAINTS_CA)
+ switch (objectID)
 {
- isCA = object.len && *object.ptr;
- DBG2(" %s", isCA ? "TRUE" : "FALSE");
+ case BASIC_CONSTRAINTS_CA:
+ isCA = object.len && *object.ptr;
+ DBG2(" %s", isCA ? "TRUE" : "FALSE");
+ if (isCA)
+ {
+ this->flags |= X509_CA;
+ }
+ break;
+ case BASIC_CONSTRAINTS_PATH_LEN:
+ if (isCA)
+ {
+ if (object.len == 0)
+ {
+ this->pathLenConstraint = 0;
+ }
+ else if (object.len == 1)
+ {
+ this->pathLenConstraint = *object.ptr;
+ }
+ /* we ignore path length constraints > 127 */
+ }
+ break;
+ default:
+ break;
 }
 }
 parser->destroy(parser);
-
- return isCA;
 }
 
 /**
@@ -785,10 +812,7 @@ static bool parse_certificate(private_x509_cert_t *this)
 this->subjectAltNames);
 break;
 case OID_BASIC_CONSTRAINTS:
- if (parse_basicConstraints(object, level))
- {
- this->flags |= X509_CA;
- }
+ parse_basicConstraints(object, level, this);
 break;
 case OID_CRL_DISTRIBUTION_POINTS:
 parse_crlDistributionPoints(object, level, this);
@@ -1205,6 +1229,7 @@ static private_x509_cert_t* create_empty(void)
 this->subjectKeyIdentifier = chunk_empty;
 this->authKeyIdentifier = chunk_empty;
 this->authKeySerialNumber = chunk_empty;
+ this->pathLenConstraint = NO_PATH_LEN_CONSTRAINT;
 this->algorithm = 0;
 this->signature = chunk_empty;
 this->flags = 0;
-- 
2.47.2
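Review bot: The `object.len == 1` branch in the BASIC_CONSTRAINTS_PATH_LEN case stores a single-byte INTEGER without checking its sign bit, so a DER value of 0x80–0xFF — a negative pathLenConstraint, which RFC 5280 does not permit — is accepted rather than rejected: if `object.ptr` is an unsigned byte pointer (not visible here) it becomes a path length of 128–255, and if it were signed, 0xFF would collide with the -1 "no constraint" sentinel; either way a malformed CA certificate ends up less constrained than intended. The comment `we ignore path length constraints > 127` only covers the multi-byte encodings, not this one-byte case. Tightening the branch to `else if (object.len == 1 && !(*object.ptr & 0x80))` closes it, and it is worth stating in the comment that the fall-through for anything else leaves `pathLenConstraint` at its initial NO_PATH_LEN_CONSTRAINT, i.e. a malformed or oversized constraint currently fails open rather than being treated as a parse error. The declarations of `isCA`, `objectID` and the parser setup sit above the hunk, so whether a rejected value could instead be surfaced as a failure of this function depends on code not shown.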