authorAndreas Steffen <andreas@strongswan.org>2009-12-31 15:13:35 +0100
committerAndreas Steffen <andreas@strongswan.org>2009-12-31 15:13:35 +0100
commit3e33ae1004bcad71c937c3f64cf746b19ec4ad1a (patch)
tree698149cb1770020f2e9a6c390efdf27408003cf0
parent7eaec999ca577fbde701d3ecf874cd9fee838f79 (diff)
ipsec pki --self|issue supports --pathlen option setting a path length constraint
-rw-r--r--src/libstrongswan/credentials/builder.c1
-rw-r--r--src/libstrongswan/credentials/builder.h2
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c20
-rw-r--r--src/pki/commands/issue.c10
-rw-r--r--src/pki/commands/self.c7
5 files changed, 35 insertions, 5 deletions
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index 873e7d139..8be1c1576 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -42,6 +42,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
"BUILD_CERT",
"BUILD_CRL_DISTRIBUTION_POINTS",
"BUILD_OCSP_ACCESS_LOCATIONS",
+ "BUILD_PATHLEN",
"BUILD_X509_FLAG",
"BUILD_SMARTCARD_KEYID",
"BUILD_SMARTCARD_PIN",
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index b6f0386cd..62a6ffaaf 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -97,6 +97,8 @@ enum builder_part_t {
BUILD_CRL_DISTRIBUTION_POINTS,
/** OCSP AuthorityInfoAccess locations, linked_list_t* containing char* */
BUILD_OCSP_ACCESS_LOCATIONS,
+ /** certificate path length constraint */
+ BUILD_PATHLEN,
/** enforce an additional X509 flag, x509_flag_t */
BUILD_X509_FLAG,
/** key ID of a key on a smartcard, null terminated char* ([slot:]keyid) */
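Review bot: The new `BUILD_PATHLEN` doc comment omits the argument type, while the neighbouring entries state theirs (`linked_list_t*`, `x509_flag_t`); x509_cert_gen reads the part with `va_arg(args, int)` elsewhere in this commit, and a caller passing a value of a different width through the varargs would be undefined behaviour, so the header is the place to pin it. Suggest `/** X.509 basicConstraints pathLenConstraint, int (X509_NO_PATH_LEN_CONSTRAINT for none) */`, since that sentinel is what the pki commands pass when the option is absent. The enum continues outside the hunk.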
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index dee056d5d..199d5933e 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1582,14 +1582,23 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
/* build CA basicConstraint for CA certificates */
if (cert->flags & X509_CA)
{
+ chunk_t pathLenConstraint = chunk_empty;
+
+ if (cert->pathLenConstraint != X509_NO_PATH_LEN_CONSTRAINT)
+ {
+ char pathlen = (char)cert->pathLenConstraint;
+
+ pathLenConstraint = asn1_integer("c", chunk_from_thing(pathlen));
+ }
basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
asn1_build_known_oid(OID_BASIC_CONSTRAINTS),
asn1_wrap(ASN1_BOOLEAN, "c",
chunk_from_chars(0xFF)),
asn1_wrap(ASN1_OCTET_STRING, "m",
- asn1_wrap(ASN1_SEQUENCE, "m",
+ asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_wrap(ASN1_BOOLEAN, "c",
- chunk_from_chars(0xFF)))));
+ chunk_from_chars(0xFF)),
+ pathLenConstraint)));
}
/* add serverAuth extendedKeyUsage flag */
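Review bot: The single-byte encoding `char pathlen = (char)cert->pathLenConstraint;` only yields a valid non-negative DER INTEGER because x509_cert_gen, in a separate hunk of this commit, clamps the value to 0..127; nothing at this site enforces that, so any other writer to pathLenConstraint (a parser path, or a later raised limit) would silently emit a negative or truncated constraint. Suggest stating the invariant where it is relied on, `/* 0..127 enforced in x509_cert_gen(), so one byte is a non-negative INTEGER */`, and using `uint8_t` rather than `char` so the byte's signedness is not implementation-defined. A constraint set without X509_CA is silently dropped here, which matches RFC 5280 (pathLenConstraint only with cA TRUE) but deserves a comment, and ideally a warning at the pki layer. generate() starts before and ends after this hunk.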
@@ -1802,6 +1811,13 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
enumerator->destroy(enumerator);
continue;
}
+ case BUILD_PATHLEN:
+ cert->pathLenConstraint = va_arg(args, int);
+ if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127)
+ {
+ cert->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT;
+ }
+ continue;
case BUILD_NOT_BEFORE_TIME:
cert->notBefore = va_arg(args, time_t);
continue;
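Review bot: An out-of-range `BUILD_PATHLEN` value is silently replaced with `X509_NO_PATH_LEN_CONSTRAINT`, so a request such as `--pathlen 200` produces a CA certificate with no path length constraint at all — weaker than what the operator asked for, with no indication that the request was dropped. Failing the build (the other cases presumably have a failure path that destroys cert and returns NULL; it is not in this hunk) or at least logging the rejection would be safer than a silent downgrade. The limit 127 is an implementation bound from the one-byte INTEGER encoding in generate(), not an X.509 limit, and a comment should say so: `/* upper bound: generate() encodes the constraint in a single byte */`. x509_cert_gen() starts before and ends after this hunk.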
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 48c1ead20..89c9cc708 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -38,6 +38,7 @@ static int issue()
identification_t *id = NULL;
linked_list_t *san, *cdps, *ocsp;
int lifetime = 1080;
+ int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
chunk_t serial = chunk_empty;
chunk_t encoding = chunk_empty;
time_t not_before, not_after;
@@ -103,6 +104,9 @@ static int issue()
case 'b':
flags |= X509_CA;
continue;
+ case 'p':
+ pathlen = atoi(arg);
+ continue;
case 'f':
if (streq(arg, "serverAuth"))
{
@@ -280,6 +284,7 @@ static int issue()
BUILD_NOT_BEFORE_TIME, not_before, BUILD_DIGEST_ALG, digest,
BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags,
+ BUILD_PATHLEN, pathlen,
BUILD_CRL_DISTRIBUTION_POINTS, cdps,
BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END);
if (!cert)
@@ -336,8 +341,8 @@ static void __attribute__ ((constructor))reg()
"issue a certificate using a CA certificate and key",
{"[--in file] [--type pub|pkcs10]",
" --cacert file --cakey file --dn subject-dn [--san subjectAltName]+",
- "[--lifetime days] [--serial hex] [--ca] [--crl uri]+ [--ocsp uri]+",
- "[--flag serverAuth|ocspSigning]+",
+ "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+",
+ "[--ca] [--pathlen len] [--flag serverAuth|ocspSigning]+",
"[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
{
{"help", 'h', 0, "show usage information"},
@@ -350,6 +355,7 @@ static void __attribute__ ((constructor))reg()
{"lifetime",'l', 1, "days the certificate is valid, default: 1080"},
{"serial", 's', 1, "serial number in hex, default: random"},
{"ca", 'b', 0, "include CA basicConstraint, default: no"},
+ {"pathlen", 'p', 1, "set path length constraint"},
{"flag", 'f', 1, "include extendedKeyUsage flag"},
{"crl", 'u', 1, "CRL distribution point URI to include"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
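Review bot: The help text `"set path length constraint"` does not tell the user the two conditions this commit imposes elsewhere: the value is only emitted when `--ca` is also given (generate() in x509_cert.c builds basicConstraints only for X509_CA), and values outside 0..127 are discarded by x509_cert_gen. Suggest `{"pathlen", 'p', 1, "path length constraint (0..127), requires --ca"}` so the limitation is visible from `--help` rather than discovered from the issued certificate.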
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index fb292a790..30ae23be5 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -35,6 +35,7 @@ static int self()
identification_t *id = NULL;
linked_list_t *san, *ocsp;
int lifetime = 1080;
+ int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
chunk_t serial = chunk_empty;
chunk_t encoding = chunk_empty;
time_t not_before, not_after;
@@ -96,6 +97,9 @@ static int self()
case 'b':
flags |= X509_CA;
continue;
+ case 'p':
+ pathlen = atoi(arg);
+ continue;
case 'o':
ocsp->insert_last(ocsp, arg);
continue;
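Review bot: `pathlen = atoi(arg);` silently maps non-numeric input to 0, and 0 is a real constraint (a CA that may issue only end-entity certificates), so a mistyped `--pathlen` changes the meaning of the self-signed CA instead of failing; out-of-range values are then silently dropped by x509_cert_gen in this commit. Validate with strtol and refuse anything that is not an integer in 0..127 before building; this needs `<errno.h>`. The rejection line below is a placeholder for this command's bad-option reporting, which is not in the hunk. self() starts before and ends after this hunk.
```c
case 'p':
{
	char *end;
	long val;

	errno = 0;
	val = strtol(arg, &end, 10);
	if (end == arg || *end != '\0' || errno == ERANGE || val < 0 || val > 127)
	{
		/* reject via this command's usual bad-option error path */
	}
	pathlen = (int)val;
	continue;
}
```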
@@ -163,7 +167,7 @@ static int self()
BUILD_SUBJECT, id, BUILD_NOT_BEFORE_TIME, not_before,
BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags,
- BUILD_SUBJECT_ALTNAMES, san,
+ BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san,
BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END);
if (!cert)
{
@@ -226,6 +230,7 @@ static void __attribute__ ((constructor))reg()
{"lifetime",'l', 1, "days the certificate is valid, default: 1080"},
{"serial", 's', 1, "serial number in hex, default: random"},
{"ca", 'b', 0, "include CA basicConstraint, default: no"},
+ {"pathlen", 'p', 1, "set path length constraint"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
{"digest", 'g', 1, "digest for signature creation, default: sha1"},
}
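Review bot: The `"set path length constraint"` help text hides that the option has no effect unless `--ca` is given (generate() in x509_cert.c emits basicConstraints only for X509_CA) and that values outside 0..127 are discarded by x509_cert_gen. Suggest `{"pathlen", 'p', 1, "path length constraint (0..127), requires --ca"}`.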