Allow appending name constraints.
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Tue, 18 Feb 2014 06:44:02 +0000 (07:44 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Tue, 18 Feb 2014 06:44:02 +0000 (07:44 +0100)
lib/includes/gnutls/x509.h
lib/x509/name_constraints.c
lib/x509/output.c

index a5204d6779eaf59143f6ee81964ec92f5b9deba9..8cd4e62a96f3e7a65ee0ba1d13b0b60bd104cb2e 100644 (file)
@@ -243,6 +243,7 @@ int gnutls_x509_name_constraints_init(gnutls_x509_name_constraints_t *nc);
 void gnutls_x509_name_constraints_deinit(gnutls_x509_name_constraints_t nc);
 int gnutls_x509_crt_get_name_constraints(gnutls_x509_crt_t crt,
                                         gnutls_x509_name_constraints_t nc,
+                                        unsigned int append,
                                         unsigned int *critical);
 int gnutls_x509_name_constraints_add_permitted(gnutls_x509_name_constraints_t nc,
                                               gnutls_x509_subject_alt_name_t type,
index 6dc7ab7b388d2104255cccc659fe6424cad9bc48..13764d1b64839a892a0d45575ec4dbf3991d2cb6 100644 (file)
@@ -119,6 +119,7 @@ static int extract_name_constraints(ASN1_TYPE c2, const char *vstr,
  * gnutls_x509_crt_get_name_constraints:
  * @crt: should contain a #gnutls_x509_crt_t structure
  * @nc: The nameconstraints intermediate structure
+ * @append: whether the constraints from the certificate will be set or appended
  * @critical: the extension status
  *
  * This function will return an intermediate structure containing
@@ -126,6 +127,11 @@ static int extract_name_constraints(ASN1_TYPE c2, const char *vstr,
  * structure can be used in combination with gnutls_x509_name_constraints_check()
  * to verify whether a server's name is in accordance with the constraints.
  *
+ * When the @append flag is set to 1, then if the @nc structure is empty
+ * this function will behave identically as if the flag was not set.
+ * Otherwise if there are elements in the @nc structure then only the
+ * excluded constraints will be appended to the constraints.
+ *
  * Note that @nc must be initialized prior to calling this function.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
@@ -135,6 +141,7 @@ static int extract_name_constraints(ASN1_TYPE c2, const char *vstr,
  **/
 int gnutls_x509_crt_get_name_constraints(gnutls_x509_crt_t crt,
                                         gnutls_x509_name_constraints_t nc,
+                                        unsigned int append,
                                         unsigned int *critical)
 {
        int result, ret;
@@ -170,10 +177,12 @@ int gnutls_x509_crt_get_name_constraints(gnutls_x509_crt_t crt,
                goto cleanup;
        }
 
-       ret = extract_name_constraints(c2, "permittedSubtrees", &nc->permitted);
-       if (ret < 0) {
-               gnutls_assert();
-               goto cleanup;
+       if (append == 0 || (nc->permitted == NULL && nc->excluded == NULL)) {
+               ret = extract_name_constraints(c2, "permittedSubtrees", &nc->permitted);
+               if (ret < 0) {
+                       gnutls_assert();
+                       goto cleanup;
+               }
        }
 
        ret = extract_name_constraints(c2, "excludedSubtrees", &nc->excluded);
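Review bot: With append set and a non-empty @nc, the new guard skips this certificate's permittedSubtrees entirely, so a certificate that narrows the permitted set contributes nothing and the caller gets no indication of that from the return value; if this path is used to accumulate constraints along a chain, that is more permissive than intersecting permitted subtrees the way RFC 5280 path validation does. The unconditional excludedSubtrees call also relies on extract_name_constraints appending to an existing list rather than replacing nc->excluded; that helper is outside the hunk, so it is worth confirming that pre-existing entries are neither dropped nor leaked. A comment at the guard would make the intended semantics explicit, e.g. `/* append mode: this cert's permitted subtrees are ignored, only its excluded subtrees accumulate */`. gnutls_x509_crt_get_name_constraints begins before and continues after this hunk.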
index fd3fd1a72e69724fc233514e7b64f1a629be72dc..77d095d22592ee52b0d84b4a8294bc97daf1e620 100644 (file)
@@ -170,7 +170,7 @@ static void print_nc(gnutls_buffer_st * str, const char* prefix, gnutls_x509_crt
        if (ret < 0)
                return;
 
-       ret = gnutls_x509_crt_get_name_constraints(cert, nc, &critical);
+       ret = gnutls_x509_crt_get_name_constraints(cert, nc, 0, &critical);
        if (ret < 0)
                goto cleanup;