author | Martin Willi <martin@revosec.ch> | 2010-12-22 15:52:19 +0100 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2011-01-05 16:46:05 +0100 |
commit | 6a339fffc7eb981bf7593d2ff337be5e5f7f30e2 (patch) | |
tree | 0ffba6a553f356ae2f1666024167402b35355682 | |
parent | 07eee80401c7a0687363ac07f2d296d12f2ec1fb (diff) | |
download | strongswan-6a339fffc7eb981bf7593d2ff337be5e5f7f30e2.tar.bz2 strongswan-6a339fffc7eb981bf7593d2ff337be5e5f7f30e2.tar.xz |
Added inhibitAnyPolicy constraint support to pki tool
-rw-r--r-- | src/pki/commands/issue.c | 9 | ||||
-rw-r--r-- | src/pki/commands/print.c | 8 | ||||
-rw-r--r-- | src/pki/commands/self.c | 9 |
3 files changed, 21 insertions, 5 deletions
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 2ebb56594..32eade7f3 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -68,7 +68,7 @@ static int issue()
 identification_t *id = NULL;
 linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies, *mappings;
 int lifetime = 1095;
- int pathlen = X509_NO_CONSTRAINT;
+ int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
 int inhibit_policy = X509_NO_CONSTRAINT, explicit_policy = X509_NO_CONSTRAINT;
 chunk_t serial = chunk_empty;
 chunk_t encoding = chunk_empty;
@@ -217,6 +217,9 @@ static int issue()
 case 'H':
 inhibit_policy = atoi(arg);
 continue;
+ case 'A':
+ inhibit_any = atoi(arg);
+ continue;
 case 'e':
 if (streq(arg, "serverAuth"))
 {
@@ -446,6 +449,7 @@ static int issue()
 BUILD_POLICY_MAPPINGS, mappings,
 BUILD_POLICY_CONSTRAINT_INHIBIT, inhibit_policy,
 BUILD_POLICY_CONSTRAINT_EXPLICIT, explicit_policy,
+ BUILD_POLICY_CONSTRAINT_INHIBIT_ANY, inhibit_any,
 BUILD_END);
 if (!cert)
 {
@@ -513,7 +517,7 @@ static void __attribute__ ((constructor))reg()
 "[--nc-permitted name] [--nc-excluded name]",
 "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+",
 "[--policy-map issuer-oid:subject-oid]",
- "[--policy-explicit len] [--policy-inhibit len] ",
+ "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 {
 {"help", 'h', 0, "show usage information"},
@@ -536,6 +540,7 @@ static void __attribute__ ((constructor))reg()
 {"policy-mapping", 'M', 1, "policyMapping from issuer to subject OID"},
 {"policy-explicit", 'E', 1, "requireExplicitPolicy constraint"},
 {"policy-inhibit", 'H', 1, "inhibitPolicyMapping constraint"},
+ {"policy-any", 'A', 1, "inhibitAnyPolicy constraint"},
 {"flag", 'e', 1, "include extendedKeyUsage flag"},
 {"crl", 'u', 1, "CRL distribution point URI to include"},
 {"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"},
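Review bot: The new `case 'A'` branch in the option loop parses the depth with `atoi(arg)`, which returns 0 for any non-numeric argument and reports no error; for inhibitAnyPolicy a value of 0 is itself valid and the most restrictive setting, so a command-line typo would be signed into the issued certificate unnoticed. Negative numbers, and a value that happens to equal `X509_NO_CONSTRAINT` (its definition is not shown here), reach the builder unchecked as well. Parsing with `char *end; long v = strtol(arg, &end, 10);` and rejecting `end == arg || *end != '\0' || v < 0` through the command's existing usage-error path would close this. The same pattern is added in the `case 'A'` hunk of `src/pki/commands/self.c`, and the neighbouring `case 'H'` context line already has it; the body of `issue()` extends beyond the hunk.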
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c index 046f2bed0..ee6f30c98 100644 --- a/src/pki/commands/print.c +++ b/src/pki/commands/print.c @@ -261,8 +261,10 @@ static void print_x509(x509_t *x509) explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY); inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING); + len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY); - if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT) + if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT || + len != X509_NO_CONSTRAINT) { printf("PolicyConstraints:\n"); if (explicit != X509_NO_CONSTRAINT) @@ -273,6 +275,10 @@ static void print_x509(x509_t *x509) { printf(" inhibitPolicyMapping: %d\n", inhibit); } + if (len != X509_NO_CONSTRAINT) + { + printf(" inhibitAnyPolicy: %d\n", len); + } } chunk = x509->get_authKeyIdentifier(x509); diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index 513598588..ef0ea6bf3 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c @@ -56,7 +56,7 @@ static int self() identification_t *id = NULL; linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings; int lifetime = 1095; - int pathlen = X509_NO_CONSTRAINT; + int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT; int inhibit_policy = X509_NO_CONSTRAINT, explicit_policy = X509_NO_CONSTRAINT; chunk_t serial = chunk_empty; chunk_t encoding = chunk_empty; @@ -200,6 +200,9 @@ static int self() case 'H': inhibit_policy = atoi(arg); continue; + case 'A': + inhibit_any = atoi(arg); + continue; case 'e': if (streq(arg, "serverAuth")) { @@ -314,6 +317,7 @@ static int self() BUILD_POLICY_MAPPINGS, mappings, BUILD_POLICY_CONSTRAINT_EXPLICIT, explicit_policy, BUILD_POLICY_CONSTRAINT_INHIBIT, inhibit_policy, + BUILD_POLICY_CONSTRAINT_INHIBIT_ANY, inhibit_any, BUILD_END); if (!cert) { 
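Review bot: In `print_x509()` the added `inhibitAnyPolicy` line is printed under the `PolicyConstraints:` heading, and the widened condition prints that heading even when only inhibitAnyPolicy is set; in RFC 5280 inhibitAnyPolicy is an extension of its own (section 4.2.1.14), separate from policyConstraints (4.2.1.11), which carries only requireExplicitPolicy and inhibitPolicyMapping. Someone auditing a certificate from this output could conclude that a policyConstraints extension is present when it is not; printing the value outside that block, e.g. `printf("inhibitAnyPolicy: %d\n", len);` under its own `if (len != X509_NO_CONSTRAINT)`, keeps the output aligned with the encoded extensions. The value is also held in the generic `len`, declared outside the hunk, while `explicit` and `inhibit` have dedicated names; a dedicated variable would read more clearly.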
@@ -377,7 +381,7 @@ static void __attribute__ ((constructor))reg()
 "[--nc-permitted name] [--nc-excluded name]",
 "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+",
 "[--policy-map issuer-oid:subject-oid]",
- "[--policy-explicit len] [--policy-inhibit len] ",
+ "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 {
 {"help", 'h', 0, "show usage information"},
@@ -398,6 +402,7 @@ static void __attribute__ ((constructor))reg()
 {"policy-mapping", 'M', 1, "policyMapping from issuer to subject OID"},
 {"policy-explicit", 'E', 1, "requireExplicitPolicy constraint"},
 {"policy-inhibit", 'H', 1, "inhibitPolicyMapping constraint"},
+ {"policy-any", 'A', 1, "inhibitAnyPolicy constraint"},
 {"flag", 'e', 1, "include extendedKeyUsage flag"},
 {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
 {"digest", 'g', 1, "digest for signature creation, default: sha1"}, |