return valid;
}
+/**
+ * check a certificate for optional IP address block constraints
+ */
+static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
+{
+ bool subject_constraint = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
+ bool issuer_constraint = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
+ bool contained = TRUE;
+
+ enumerator_t *subject_enumerator, *issuer_enumerator;
+ traffic_selector_t *subject_ts, *issuer_ts;
+
+ if (!subject_constraint && !issuer_constraint)
+ {
+ return TRUE;
+ }
+ if (!subject_constraint)
+ {
+ DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
+ return FALSE;
+ }
+ if (!issuer_constraint)
+ {
+ DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
+ return FALSE;
+ }
+ subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
+ while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
+ {
+ contained = FALSE;
+
+ issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
+ while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
+ {
+ if (subject_ts->is_contained_in(subject_ts, issuer_ts))
+ {
+ DBG2(DBG_CFG, " subject address block %R is contained in "
+ "issuer address block %R", subject_ts, issuer_ts);
+ contained = TRUE;
+ break;
+ }
+ }
+ issuer_enumerator->destroy(issuer_enumerator);
+ if (!contained)
+ {
+ DBG1(DBG_CFG, "subject address block %R is not contained in any "
+ "issuer address block", subject_ts);
+ break;
+ }
+ }
+ subject_enumerator->destroy(subject_enumerator);
+ return contained;
+}
+
/**
* check a certificate for its lifetime
*/
if (issuer->get_type(issuer) == CERT_X509 &&
subject->get_type(subject) == CERT_X509)
{
+ if (!check_ip_addr_block_constraints((x509_t*)subject, (x509_t*)issuer))
+ {
+ return FALSE;
+ }
if (ocsp || crl)
{
DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
{
bool first = TRUE;
time_t now = time(NULL);
- enumerator_t *enumerator = list->create_enumerator(list);
+ enumerator_t *enumerator;
certificate_t *cert;
+ x509_flag_t flag_mask;
+ /* mask all auxiliary flags */
+ flag_mask = ~(X509_SELF_SIGNED | X509_SERVER_AUTH | X509_IP_ADDR_BLOCKS );
+
+ enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, (void**)&cert))
{
x509_t *x509 = (x509_t*)cert;
- x509_flag_t x509_flags = x509->get_flags(x509);
+ x509_flag_t x509_flags = x509->get_flags(x509) & flag_mask;
- /* list only if flag is set,
- * or flags == 0 (ignoring self-signed and serverAuth)
- */
- if ((x509_flags & flags) ||
- (flags == (x509_flags & ~(X509_SELF_SIGNED | X509_SERVER_AUTH))))
+ /* list only if flag is set or flag == 0 */
+ if ((x509_flags & flags) || (x509_flags == flags))
{
enumerator_t *enumerator;
identification_t *altName;
fprintf(out, " pathlen: %d\n", pathlen);
}
+ /* list optional ipAddrBlocks */
+ if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
+ {
+ traffic_selector_t *ipAddrBlock;
+ bool first_ipAddrBlock = TRUE;
+
+ fprintf(out, " addresses: ");
+ enumerator = x509->create_ipAddrBlock_enumerator(x509);
+ while (enumerator->enumerate(enumerator, &ipAddrBlock))
+ {
+ if (first_ipAddrBlock)
+ {
+ first_ipAddrBlock = FALSE;
+ }
+ else
+ {
+ fprintf(out, ", ");
+ }
+ fprintf(out, "%R", ipAddrBlock);
+ }
+ enumerator->destroy(enumerator);
+ fprintf(out, "\n");
+ }
}
}
enumerator->destroy(enumerator);
if (msg->list.flags & LIST_CERTS)
{
stroke_list_certs(cert_list, "X.509 End Entity Certificates",
- 0, msg->list.utc, out);
+ X509_NONE, msg->list.utc, out);
}
if (msg->list.flags & LIST_CACERTS)
{
projects / thirdparty / strongswan.git / commitdiff
