authorMartin Willi <martin@revosec.ch>2010-12-22 15:52:02 +0100
committerMartin Willi <martin@revosec.ch>2011-01-05 16:46:05 +0100
commit07eee80401c7a0687363ac07f2d296d12f2ec1fb (patch)
treed97e9984b620ce6ccc3271902da4ef27cd681702
parentb3d359e58facb9744a1fc95507fb97e970b30891 (diff)
Added support for inhibitAnyPolicy constraint to x509 plugin
-rw-r--r--src/libstrongswan/credentials/builder.c1
-rw-r--r--src/libstrongswan/credentials/builder.h2
-rw-r--r--src/libstrongswan/credentials/certificates/x509.h2
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c90
4 files changed, 62 insertions, 33 deletions
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index 768b9da3d..47e1ed5b2 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -49,6 +49,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
"BUILD_POLICY_MAPPINGS",
"BUILD_POLICY_CONSTRAINT_EXPLICIT",
"BUILD_POLICY_CONSTRAINT_INHIBIT",
+ "BUILD_POLICY_CONSTRAINT_INHIBIT_ANY",
"BUILD_X509_FLAG",
"BUILD_REVOKED_ENUMERATOR",
"BUILD_BASE_CRL",
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 5db37775a..383fa90a7 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -105,6 +105,8 @@ enum builder_part_t {
BUILD_POLICY_CONSTRAINT_EXPLICIT,
/** inhibitPolicyMapping constraint, int */
BUILD_POLICY_CONSTRAINT_INHIBIT,
+ /** inhibitAnyPolicy constraint, int */
+ BUILD_POLICY_CONSTRAINT_INHIBIT_ANY,
/** enforce an additional X509 flag, x509_flag_t */
BUILD_X509_FLAG,
/** enumerator_t over (chunk_t serial, time_t date, crl_reason_t reason) */
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index d668ceba3..9f5865da8 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -67,6 +67,8 @@ enum x509_constraint_t {
X509_INHIBIT_POLICY_MAPPING,
/** requireExplicitPolicy policyConstraint */
X509_REQUIRE_EXPLICIT_POLICY,
+ /** inhibitAnyPolicy constraint */
+ X509_INHIBIT_ANY_POLICY,
};
/**
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 995ba9bfa..4bf221fdb 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -187,6 +187,11 @@ struct private_x509_cert_t {
char inhibit_policy_constraint;
/**
+ * inhibitAnyPolicy Constraint
+ */
+ char inhibit_any_policy;
+
+ /**
* x509 constraints and other flags
*/
x509_flag_t flags;
@@ -248,6 +253,22 @@ static void policy_mapping_destroy(x509_policy_mapping_t *mapping)
}
/**
+ * Parse a length constraint from an unwrapped integer
+ */
+static int parse_constraint(chunk_t object)
+{
+ switch (object.len)
+ {
+ case 0:
+ return 0;
+ case 1:
+ return object.ptr[0];
+ default:
+ return X509_NO_CONSTRAINT;
+ }
+}
+
+/**
* ASN.1 definition of a basicConstraints extension
*/
static const asn1Object_t basicConstraintsObjects[] = {
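Review bot: parse_constraint returns `object.ptr[0]` for a one-byte INTEGER without looking at the high bit, and the result is stored into the `char` fields from the struct hunk above (pathLenConstraint, explicit_policy_constraint, inhibit_policy_constraint, inhibit_any_policy). In DER a single content byte 0x80..0xFF is a negative integer, which is not a valid SkipCerts/pathLen value, and on targets where `char` is signed a byte of 0xFF lands in the field as -1, which may coincide with X509_NO_CONSTRAINT if that is how the sentinel is defined (not visible here). The removed comment "we ignore path length constraints > 127" documented this limit; the helper silently drops it. Suggest `case 1: return object.ptr[0] < 0x80 ? object.ptr[0] : X509_NO_CONSTRAINT;` and a docstring line stating that values above 127 (or longer than one byte) are reported as X509_NO_CONSTRAINT.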
@@ -289,15 +310,7 @@ static void parse_basicConstraints(chunk_t blob, int level0,
case BASIC_CONSTRAINTS_PATH_LEN:
if (isCA)
{
- if (object.len == 0)
- {
- this->pathLenConstraint = 0;
- }
- else if (object.len == 1)
- {
- this->pathLenConstraint = *object.ptr;
- }
- /* we ignore path length constraints > 127 */
+ this->pathLenConstraint = parse_constraint(object);
}
break;
default:
@@ -1076,24 +1089,10 @@ static void parse_policyConstraints(chunk_t blob, int level0,
switch (objectID)
{
case POLICY_CONSTRAINT_EXPLICIT:
- if (object.len == 0)
- {
- this->explicit_policy_constraint = 0;
- }
- else if (object.len == 1)
- {
- this->explicit_policy_constraint = *object.ptr;
- }
+ this->explicit_policy_constraint = parse_constraint(object);
break;
case POLICY_CONSTRAINT_INHIBIT:
- if (object.len == 0)
- {
- this->inhibit_policy_constraint = 0;
- }
- else if (object.len == 1)
- {
- this->inhibit_policy_constraint = *object.ptr;
- }
+ this->inhibit_policy_constraint = parse_constraint(object);
break;
default:
break;
@@ -1424,6 +1423,14 @@ static bool parse_certificate(private_x509_cert_t *this)
case OID_POLICY_CONSTRAINTS:
parse_policyConstraints(object, level, this);
break;
+ case OID_INHIBIT_ANY_POLICY:
+ if (!asn1_parse_simple_object(&object, ASN1_INTEGER,
+ level, "inhibitAnyPolicy"))
+ {
+ goto end;
+ }
+ this->inhibit_any_policy = parse_constraint(object);
+ break;
case OID_NS_REVOCATION_URL:
case OID_NS_CA_REVOCATION_URL:
case OID_NS_CA_POLICY_URL:
@@ -1727,6 +1734,8 @@ METHOD(x509_t, get_constraint, int,
return this->explicit_policy_constraint;
case X509_INHIBIT_POLICY_MAPPING:
return this->inhibit_policy_constraint;
+ case X509_INHIBIT_ANY_POLICY:
+ return this->inhibit_any_policy;
default:
return X509_NO_CONSTRAINT;
}
@@ -1863,6 +1872,7 @@ static private_x509_cert_t* create_empty(void)
.pathLenConstraint = X509_NO_CONSTRAINT,
.explicit_policy_constraint = X509_NO_CONSTRAINT,
.inhibit_policy_constraint = X509_NO_CONSTRAINT,
+ .inhibit_any_policy = X509_NO_CONSTRAINT,
.ref = 1,
);
return this;
@@ -1983,7 +1993,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
chunk_t subjectAltNames = chunk_empty, policyMappings = chunk_empty;
chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
- chunk_t policyConstraints = chunk_empty;
+ chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
identification_t *issuer, *subject;
chunk_t key_info;
signature_scheme_t scheme;
@@ -2270,23 +2280,34 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
asn1_integer("c",
chunk_from_thing(cert->inhibit_policy_constraint)));
}
- policyConstraints = asn1_wrap(ASN1_SEQUENCE, "mm",
- asn1_build_known_oid(OID_POLICY_CONSTRAINTS),
- asn1_wrap(ASN1_OCTET_STRING, "m",
- asn1_wrap(ASN1_SEQUENCE, "mm",
- explicit, inhibit)));
+ policyConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
+ asn1_build_known_oid(OID_POLICY_CONSTRAINTS),
+ asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
+ asn1_wrap(ASN1_OCTET_STRING, "m",
+ asn1_wrap(ASN1_SEQUENCE, "mm",
+ explicit, inhibit)));
+ }
+
+ if (cert->inhibit_any_policy != X509_NO_CONSTRAINT)
+ {
+ inhibitAnyPolicy = asn1_wrap(ASN1_SEQUENCE, "mmm",
+ asn1_build_known_oid(OID_INHIBIT_ANY_POLICY),
+ asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
+ asn1_wrap(ASN1_OCTET_STRING, "m",
+ asn1_integer("c",
+ chunk_from_thing(cert->inhibit_any_policy))));
}
if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
crlDistributionPoints.ptr || nameConstraints.ptr)
{
extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
- asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmm",
+ asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmmm",
basicConstraints, keyUsage, subjectKeyIdentifier,
authKeyIdentifier, subjectAltNames,
extendedKeyUsage, crlDistributionPoints,
authorityInfoAccess, nameConstraints, certPolicies,
- policyMappings, policyConstraints));
+ policyMappings, policyConstraints, inhibitAnyPolicy));
}
cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
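Review bot: The new inhibitAnyPolicy chunk is added to the extensions SEQUENCE but not to the `if (basicConstraints.ptr || ...)` guard that decides whether the extensions block is emitted at all, so a certificate built with only BUILD_POLICY_CONSTRAINT_INHIBIT_ANY set (and none of the five listed extensions) silently loses the constraint, and the already-built chunk is never handed to asn1_wrap, which presumably leaks it unless it is freed further down (not visible in the hunk). The same pre-existing gap applies to policyConstraints, certPolicies and policyMappings, but this commit adds one more case to it. Suggest extending the guard: `crlDistributionPoints.ptr || nameConstraints.ptr || policyConstraints.ptr || inhibitAnyPolicy.ptr)`. generate() begins and ends outside this hunk.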
@@ -2527,6 +2548,9 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
case BUILD_POLICY_CONSTRAINT_INHIBIT:
cert->inhibit_policy_constraint = va_arg(args, int);
continue;
+ case BUILD_POLICY_CONSTRAINT_INHIBIT_ANY:
+ cert->inhibit_any_policy = va_arg(args, int);
+ continue;
case BUILD_NOT_BEFORE_TIME:
cert->notBefore = va_arg(args, time_t);
continue;