author | Martin Willi <martin@revosec.ch> | 2010-12-22 15:10:03 +0100 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2011-01-05 16:46:05 +0100 |
commit | b3d359e58facb9744a1fc95507fb97e970b30891 (patch) | |
tree | b03335fce01ee158aa5f993094ec076086f18c81 | |
parent | b1703d6cb3fb1df9df7f840d422de84ab3a0c3c7 (diff) | |
Use a generic getter for all numerical X.509 constraints
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_list.c | 2 | ||||
-rw-r--r-- | src/libstrongswan/credentials/certificates/x509.h | 26 | ||||
-rw-r--r-- | src/libstrongswan/plugins/constraints/constraints_validator.c | 6 | ||||
-rw-r--r-- | src/libstrongswan/plugins/openssl/openssl_x509.c | 21 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_cert.c | 27 | ||||
-rw-r--r-- | src/pki/commands/print.c | 20 | ||||
-rw-r--r-- | src/pluto/ocsp.c | 2 | ||||
-rw-r--r-- | src/pluto/x509.c | 4 |
8 files changed, 56 insertions, 52 deletions
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index 375ea3833..5b195e27a 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -834,7 +834,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 }
 /* list optional pathLenConstraint */
- pathlen = x509->get_pathLenConstraint(x509);
+ pathlen = x509->get_constraint(x509, X509_PATH_LEN);
 if (pathlen != X509_NO_CONSTRAINT)
 {
 fprintf(out, " pathlen: %d\n", pathlen);
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 24e30a7ae..d668ceba3 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -31,6 +31,7 @@ typedef struct x509_cert_policy_t x509_cert_policy_t;
 typedef struct x509_policy_mapping_t x509_policy_mapping_t;
 typedef struct x509_cdp_t x509_cdp_t;
 typedef enum x509_flag_t x509_flag_t;
+typedef enum x509_constraint_t x509_constraint_t;
 /**
 * X.509 certificate flags.
@@ -57,6 +58,18 @@ enum x509_flag_t {
 };
 /**
+ * Different numerical X.509 constraints.
+ */
+enum x509_constraint_t {
+ /** pathLenConstraint basicConstraints */
+ X509_PATH_LEN,
+ /** inhibitPolicyMapping policyConstraint */
+ X509_INHIBIT_POLICY_MAPPING,
+ /** requireExplicitPolicy policyConstraint */
+ X509_REQUIRE_EXPLICIT_POLICY,
+};
+
+/**
 * X.509 certPolicy extension.
 */
 struct x509_cert_policy_t {
@@ -130,19 +143,12 @@ struct x509_t {
 chunk_t (*get_authKeyIdentifier)(x509_t *this);
 /**
- * Get an optional path length constraint.
- *
- * @return pathLenConstraint, X509_NO_CONSTRAINT if none found
- */
- int (*get_pathLenConstraint)(x509_t *this);
-
- /**
- * Get a policyConstraint, inhibitPolicyMapping or requireExplicitPolicy.
+ * Get a numerical X.509 constraint.
 *
- * @param inhibit TRUE to get inhibitPolicyMapping
+ * @param type type of constraint to get
 * @return constraint, X509_NO_CONSTRAINT if none found
 */
- int (*get_policyConstraint)(x509_t *this, bool inhibit);
+ int (*get_constraint)(x509_t *this, x509_constraint_t type);
 /**
 * Create an enumerator over all subjectAltNames.
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
index 3d5211ef8..9df775cd9 100644
--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@@ -40,7 +40,7 @@ static bool check_pathlen(x509_t *issuer, int pathlen)
 {
 int pathlen_constraint;
- pathlen_constraint = issuer->get_pathLenConstraint(issuer);
+ pathlen_constraint = issuer->get_constraint(issuer, X509_PATH_LEN);
 if (pathlen_constraint != X509_NO_CONSTRAINT &&
 pathlen > pathlen_constraint)
 {
@@ -439,7 +439,7 @@ static bool check_policy_constraints(x509_t *issuer, int pathlen,
 enumerator = chain->create_enumerator(chain);
 while (enumerator->enumerate(enumerator, &x509))
 {
- expl = x509->get_policyConstraint(x509, FALSE);
+ expl = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
 if (expl != X509_NO_CONSTRAINT)
 {
 if (!has_policy_chain(chain, (x509_t*)subject, len - expl))
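Review bot: The `@return` line of the new get_constraint() still promises X509_NO_CONSTRAINT only "if none found", yet the openssl implementation in the next hunk returns that same value from its `default:` branch for X509_REQUIRE_EXPLICIT_POLICY and X509_INHIBIT_POLICY_MAPPING regardless of what the certificate carries, so a caller cannot distinguish "extension absent" from "backend does not provide this constraint". check_policy_constraints() in constraints_validator.c (also in this diff) treats X509_NO_CONSTRAINT as "nothing to enforce", so with that backend the policy constraints are silently skipped rather than rejected. At minimum the interface should document that, e.g. ` * @return constraint, X509_NO_CONSTRAINT if none found or if the backend does not parse that constraint type`, so validators can decide whether to fail closed. The `struct x509_t` definition continues outside this hunk.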
@@ -458,7 +458,7 @@ static bool check_policy_constraints(x509_t *issuer, int pathlen,
 enumerator = chain->create_enumerator(chain);
 while (enumerator->enumerate(enumerator, &x509))
 {
- expl = x509->get_policyConstraint(x509, TRUE);
+ expl = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
 if (expl != X509_NO_CONSTRAINT)
 {
 if (!has_policy_mapping(chain, len - expl))
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index cf83b152d..dfbebe746 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -250,16 +250,16 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t,
 return chunk_empty;
 }
-METHOD(x509_t, get_pathLenConstraint, int,
- private_openssl_x509_t *this)
-{
- return this->pathlen;
-}
-
-METHOD(x509_t, get_policyConstraint, int,
- private_openssl_x509_t *this, bool inhibit)
+METHOD(x509_t, get_constraint, int,
+ private_openssl_x509_t *this, x509_constraint_t type)
 {
- return X509_NO_CONSTRAINT;
+ switch (type)
+ {
+ case X509_PATH_LEN:
+ return this->pathlen;
+ default:
+ return X509_NO_CONSTRAINT;
+ }
 }
 METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
@@ -526,8 +526,7 @@ static private_openssl_x509_t *create_empty()
 .get_serial = _get_serial,
 .get_subjectKeyIdentifier = _get_subjectKeyIdentifier,
 .get_authKeyIdentifier = _get_authKeyIdentifier,
- .get_pathLenConstraint = _get_pathLenConstraint,
- .get_policyConstraint = _get_policyConstraint,
+ .get_constraint = _get_constraint,
 .create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
 .create_crl_uri_enumerator = _create_crl_uri_enumerator,
 .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 1628509c5..995ba9bfa 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1716,20 +1716,20 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t,
 return this->authKeyIdentifier;
 }
-METHOD(x509_t, get_pathLenConstraint, int,
- private_x509_cert_t *this)
-{
- return this->pathLenConstraint;
-}
-
-METHOD(x509_t, get_policyConstraint, int,
- private_x509_cert_t *this, bool inhibit)
+METHOD(x509_t, get_constraint, int,
+ private_x509_cert_t *this, x509_constraint_t type)
 {
- if (inhibit)
- {
- return this->inhibit_policy_constraint;
+ switch (type)
+ {
+ case X509_PATH_LEN:
+ return this->pathLenConstraint;
+ case X509_REQUIRE_EXPLICIT_POLICY:
+ return this->explicit_policy_constraint;
+ case X509_INHIBIT_POLICY_MAPPING:
+ return this->inhibit_policy_constraint;
+ default:
+ return X509_NO_CONSTRAINT;
 }
- return this->explicit_policy_constraint;
 }
 METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
@@ -1841,8 +1841,7 @@ static private_x509_cert_t* create_empty(void)
 .get_serial = _get_serial,
 .get_subjectKeyIdentifier = _get_subjectKeyIdentifier,
 .get_authKeyIdentifier = _get_authKeyIdentifier,
- .get_pathLenConstraint = _get_pathLenConstraint,
- .get_policyConstraint = _get_policyConstraint,
+ .get_constraint = _get_constraint,
 .create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
 .create_crl_uri_enumerator = _create_crl_uri_enumerator,
 .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index 185895ec2..046f2bed0 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -73,7 +73,7 @@ static void print_x509(x509_t *x509)
 chunk_t chunk;
 bool first;
 char *uri;
- int len;
+ int len, explicit, inhibit;
 x509_flag_t flags;
 x509_cdp_t *cdp;
 x509_cert_policy_t *policy;
@@ -176,7 +176,7 @@ static void print_x509(x509_t *x509)
 }
 enumerator->destroy(enumerator);
- len = x509->get_pathLenConstraint(x509);
+ len = x509->get_constraint(x509, X509_PATH_LEN);
 if (len != X509_NO_CONSTRAINT)
 {
 printf("pathlen: %d\n", len);
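Review bot: The `default: return X509_NO_CONSTRAINT;` arm in the x509_cert.c get_constraint() switch suppresses the compiler's unhandled-enumerator warning (-Wswitch), so the next value added to x509_constraint_t would compile cleanly and be reported as "absent" by this backend, which for a validator means the new constraint is silently not enforced. Since this implementation already covers every enumerator declared in x509.h, drop the `default:` and let the fallback sit after the switch: `case X509_INHIBIT_POLICY_MAPPING:` / `return this->inhibit_policy_constraint;` / `}` followed by `return X509_NO_CONSTRAINT;`, so an unwired enumerator is flagged at build time. The openssl variant earlier in this diff only handles X509_PATH_LEN, so its `default:` is a genuine "unsupported here" and can stay, ideally with a comment saying so.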
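Review bot: `int len, explicit, inhibit;` in print_x509() introduces `explicit`, a reserved keyword in C++; it is legal in this .c file, but a name such as `require_explicit` keeps the code free of keywords from the sibling language and reads closer to the extension field it prints (requireExplicitPolicy). The same identifier is used in the next hunk of this file, so both would change together. print_x509() starts and ends outside this hunk.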
@@ -259,19 +259,19 @@ static void print_x509(x509_t *x509)
 }
 enumerator->destroy(enumerator);
- if (x509->get_policyConstraint(x509, FALSE) != X509_NO_CONSTRAINT ||
- x509->get_policyConstraint(x509, TRUE) != X509_NO_CONSTRAINT)
+ explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
+ inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
+
+ if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT)
 {
 printf("PolicyConstraints:\n");
- if (x509->get_policyConstraint(x509, FALSE) != X509_NO_CONSTRAINT)
+ if (explicit != X509_NO_CONSTRAINT)
 {
- printf(" requireExplicitPolicy: %d\n",
- x509->get_policyConstraint(x509, FALSE));
+ printf(" requireExplicitPolicy: %d\n", explicit);
 }
- if (x509->get_policyConstraint(x509, TRUE) != X509_NO_CONSTRAINT)
+ if (inhibit != X509_NO_CONSTRAINT)
 {
- printf(" inhibitPolicyMapping: %d\n",
- x509->get_policyConstraint(x509, TRUE));
+ printf(" inhibitPolicyMapping: %d\n", inhibit);
 }
 }
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c
index 85cc5e0f2..a3694b7b5 100644
--- a/src/pluto/ocsp.c
+++ b/src/pluto/ocsp.c
@@ -1045,7 +1045,7 @@ static bool valid_ocsp_response(response_t *res)
 )
 /* check path length constraint */
- pathlen_constraint = x509->get_pathLenConstraint(x509);
+ pathlen_constraint = x509->get_constraint(x509, X509_PATH_LEN);
 if (pathlen_constraint != X509_NO_CONSTRAINT &&
 pathlen > pathlen_constraint)
 {
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
index d821c9b79..7e2aca862 100644
--- a/src/pluto/x509.c
+++ b/src/pluto/x509.c
@@ -255,7 +255,7 @@ bool verify_x509cert(cert_t *cert, bool strict, time_t *until)
 unlock_authcert_list("verify_x509cert");
 /* check path length constraint */
- pathlen_constraint = x509->get_pathLenConstraint(x509);
+ pathlen_constraint = x509->get_constraint(x509, X509_PATH_LEN);
 if (pathlen_constraint != X509_NO_CONSTRAINT &&
 pathlen > pathlen_constraint)
 {
@@ -450,7 +450,7 @@ void list_x509cert_chain(const char *caption, cert_t* cert,
 }
 /* list optional pathLenConstraint */
- pathlen = x509->get_pathLenConstraint(x509);
+ pathlen = x509->get_constraint(x509, X509_PATH_LEN);
 if (pathlen != X509_NO_CONSTRAINT)
 {
 whack_log(RC_COMMENT, " pathlen: %d", pathlen); |