authorMartin Willi <martin@revosec.ch>2010-12-22 15:10:03 +0100
committerMartin Willi <martin@revosec.ch>2011-01-05 16:46:05 +0100
commitb3d359e58facb9744a1fc95507fb97e970b30891 (patch)
treeb03335fce01ee158aa5f993094ec076086f18c81
parentb1703d6cb3fb1df9df7f840d422de84ab3a0c3c7 (diff)
Use a generic getter for all numerical X.509 constraints
-rw-r--r--src/libcharon/plugins/stroke/stroke_list.c2
-rw-r--r--src/libstrongswan/credentials/certificates/x509.h26
-rw-r--r--src/libstrongswan/plugins/constraints/constraints_validator.c6
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_x509.c21
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c27
-rw-r--r--src/pki/commands/print.c20
-rw-r--r--src/pluto/ocsp.c2
-rw-r--r--src/pluto/x509.c4
8 files changed, 56 insertions, 52 deletions
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index 375ea3833..5b195e27a 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -834,7 +834,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
}
/* list optional pathLenConstraint */
- pathlen = x509->get_pathLenConstraint(x509);
+ pathlen = x509->get_constraint(x509, X509_PATH_LEN);
if (pathlen != X509_NO_CONSTRAINT)
{
fprintf(out, " pathlen: %d\n", pathlen);
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 24e30a7ae..d668ceba3 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -31,6 +31,7 @@ typedef struct x509_cert_policy_t x509_cert_policy_t;
typedef struct x509_policy_mapping_t x509_policy_mapping_t;
typedef struct x509_cdp_t x509_cdp_t;
typedef enum x509_flag_t x509_flag_t;
+typedef enum x509_constraint_t x509_constraint_t;
/**
* X.509 certificate flags.
@@ -57,6 +58,18 @@ enum x509_flag_t {
};
/**
+ * Different numerical X.509 constraints.
+ */
+enum x509_constraint_t {
+ /** pathLenConstraint basicConstraints */
+ X509_PATH_LEN,
+ /** inhibitPolicyMapping policyConstraint */
+ X509_INHIBIT_POLICY_MAPPING,
+ /** requireExplicitPolicy policyConstraint */
+ X509_REQUIRE_EXPLICIT_POLICY,
+};
+
+/**
* X.509 certPolicy extension.
*/
struct x509_cert_policy_t {
@@ -130,19 +143,12 @@ struct x509_t {
chunk_t (*get_authKeyIdentifier)(x509_t *this);
/**
- * Get an optional path length constraint.
- *
- * @return pathLenConstraint, X509_NO_CONSTRAINT if none found
- */
- int (*get_pathLenConstraint)(x509_t *this);
-
- /**
- * Get a policyConstraint, inhibitPolicyMapping or requireExplicitPolicy.
+ * Get a numerical X.509 constraint.
*
- * @param inhibit TRUE to get inhibitPolicyMapping
+ * @param type type of constraint to get
* @return constraint, X509_NO_CONSTRAINT if none found
*/
- int (*get_policyConstraint)(x509_t *this, bool inhibit);
+ int (*get_constraint)(x509_t *this, x509_constraint_t type);
/**
* Create an enumerator over all subjectAltNames.
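Review bot: The `@return` line on the new `get_constraint` keeps the old wording "X509_NO_CONSTRAINT if none found", but with a generic getter that value now also covers two other cases visible in the implementations in this commit: a `type` the backend does not recognise, and a backend that does not parse the requested constraint at all (the openssl plugin returns it for both policy constraints). Callers such as the constraints validator compare against X509_NO_CONSTRAINT and treat it as "nothing to enforce", so the interface should state that the sentinel is ambiguous rather than letting each caller assume the extension was absent. Suggested wording: `@return constraint value, X509_NO_CONSTRAINT if not present, not parsed by this backend, or type unknown`. The `x509_t` struct continues outside the hunk.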
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
index 3d5211ef8..9df775cd9 100644
--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@@ -40,7 +40,7 @@ static bool check_pathlen(x509_t *issuer, int pathlen)
{
int pathlen_constraint;
- pathlen_constraint = issuer->get_pathLenConstraint(issuer);
+ pathlen_constraint = issuer->get_constraint(issuer, X509_PATH_LEN);
if (pathlen_constraint != X509_NO_CONSTRAINT &&
pathlen > pathlen_constraint)
{
@@ -439,7 +439,7 @@ static bool check_policy_constraints(x509_t *issuer, int pathlen,
enumerator = chain->create_enumerator(chain);
while (enumerator->enumerate(enumerator, &x509))
{
- expl = x509->get_policyConstraint(x509, FALSE);
+ expl = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
if (expl != X509_NO_CONSTRAINT)
{
if (!has_policy_chain(chain, (x509_t*)subject, len - expl))
@@ -458,7 +458,7 @@ static bool check_policy_constraints(x509_t *issuer, int pathlen,
enumerator = chain->create_enumerator(chain);
while (enumerator->enumerate(enumerator, &x509))
{
- expl = x509->get_policyConstraint(x509, TRUE);
+ expl = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
if (expl != X509_NO_CONSTRAINT)
{
if (!has_policy_mapping(chain, len - expl))
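Review bot: The new line assigns the inhibitPolicyMapping skip count to `expl`, a name that reads as requireExplicitPolicy; the earlier hunk in the same function uses `expl` for the explicit-policy value, so the two loops now differ only in the enum constant while sharing a misleading name. Now that the constraint type is spelled out by the enum, a matching local makes the intent of `len - expl` obvious: `inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);`, `if (inhibit != X509_NO_CONSTRAINT)` and `has_policy_mapping(chain, len - inhibit)`. The declaration of `expl` and the rest of check_policy_constraints lie outside the hunk, so the rename also needs a declaration there.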
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index cf83b152d..dfbebe746 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -250,16 +250,16 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t,
return chunk_empty;
}
-METHOD(x509_t, get_pathLenConstraint, int,
- private_openssl_x509_t *this)
-{
- return this->pathlen;
-}
-
-METHOD(x509_t, get_policyConstraint, int,
- private_openssl_x509_t *this, bool inhibit)
+METHOD(x509_t, get_constraint, int,
+ private_openssl_x509_t *this, x509_constraint_t type)
{
- return X509_NO_CONSTRAINT;
+ switch (type)
+ {
+ case X509_PATH_LEN:
+ return this->pathlen;
+ default:
+ return X509_NO_CONSTRAINT;
+ }
}
METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
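Review bot: The `default:` arm in the new openssl `get_constraint` maps X509_REQUIRE_EXPLICIT_POLICY and X509_INHIBIT_POLICY_MAPPING to X509_NO_CONSTRAINT, which callers cannot distinguish from a certificate that carries no policyConstraints extension; the constraints validator in this same commit therefore never enforces requireExplicitPolicy or inhibitPolicyMapping for certificates parsed by this backend. The removed get_policyConstraint returned the same value, so the commit does not make this worse, but the catch-all now hides the gap and any constraint type added to the enum later inherits the silent fallback. At minimum document it above the `default:` line, e.g. `/* policyConstraints are not parsed by this backend: callers see X509_NO_CONSTRAINT and skip enforcement */`, or list the two policy cases explicitly so an unhandled type stands out at review time. Whether this plugin or the x509 plugin is the one normally selected for certificate parsing is not visible from here.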
@@ -526,8 +526,7 @@ static private_openssl_x509_t *create_empty()
.get_serial = _get_serial,
.get_subjectKeyIdentifier = _get_subjectKeyIdentifier,
.get_authKeyIdentifier = _get_authKeyIdentifier,
- .get_pathLenConstraint = _get_pathLenConstraint,
- .get_policyConstraint = _get_policyConstraint,
+ .get_constraint = _get_constraint,
.create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
.create_crl_uri_enumerator = _create_crl_uri_enumerator,
.create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 1628509c5..995ba9bfa 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1716,20 +1716,20 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t,
return this->authKeyIdentifier;
}
-METHOD(x509_t, get_pathLenConstraint, int,
- private_x509_cert_t *this)
-{
- return this->pathLenConstraint;
-}
-
-METHOD(x509_t, get_policyConstraint, int,
- private_x509_cert_t *this, bool inhibit)
+METHOD(x509_t, get_constraint, int,
+ private_x509_cert_t *this, x509_constraint_t type)
{
- if (inhibit)
- {
- return this->inhibit_policy_constraint;
+ switch (type)
+ {
+ case X509_PATH_LEN:
+ return this->pathLenConstraint;
+ case X509_REQUIRE_EXPLICIT_POLICY:
+ return this->explicit_policy_constraint;
+ case X509_INHIBIT_POLICY_MAPPING:
+ return this->inhibit_policy_constraint;
+ default:
+ return X509_NO_CONSTRAINT;
}
- return this->explicit_policy_constraint;
}
METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
@@ -1841,8 +1841,7 @@ static private_x509_cert_t* create_empty(void)
.get_serial = _get_serial,
.get_subjectKeyIdentifier = _get_subjectKeyIdentifier,
.get_authKeyIdentifier = _get_authKeyIdentifier,
- .get_pathLenConstraint = _get_pathLenConstraint,
- .get_policyConstraint = _get_policyConstraint,
+ .get_constraint = _get_constraint,
.create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
.create_crl_uri_enumerator = _create_crl_uri_enumerator,
.create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index 185895ec2..046f2bed0 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -73,7 +73,7 @@ static void print_x509(x509_t *x509)
chunk_t chunk;
bool first;
char *uri;
- int len;
+ int len, explicit, inhibit;
x509_flag_t flags;
x509_cdp_t *cdp;
x509_cert_policy_t *policy;
@@ -176,7 +176,7 @@ static void print_x509(x509_t *x509)
}
enumerator->destroy(enumerator);
- len = x509->get_pathLenConstraint(x509);
+ len = x509->get_constraint(x509, X509_PATH_LEN);
if (len != X509_NO_CONSTRAINT)
{
printf("pathlen: %d\n", len);
@@ -259,19 +259,19 @@ static void print_x509(x509_t *x509)
}
enumerator->destroy(enumerator);
- if (x509->get_policyConstraint(x509, FALSE) != X509_NO_CONSTRAINT ||
- x509->get_policyConstraint(x509, TRUE) != X509_NO_CONSTRAINT)
+ explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
+ inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
+
+ if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT)
{
printf("PolicyConstraints:\n");
- if (x509->get_policyConstraint(x509, FALSE) != X509_NO_CONSTRAINT)
+ if (explicit != X509_NO_CONSTRAINT)
{
- printf(" requireExplicitPolicy: %d\n",
- x509->get_policyConstraint(x509, FALSE));
+ printf(" requireExplicitPolicy: %d\n", explicit);
}
- if (x509->get_policyConstraint(x509, TRUE) != X509_NO_CONSTRAINT)
+ if (inhibit != X509_NO_CONSTRAINT)
{
- printf(" inhibitPolicyMapping: %d\n",
- x509->get_policyConstraint(x509, TRUE));
+ printf(" inhibitPolicyMapping: %d\n", inhibit);
}
}
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c
index 85cc5e0f2..a3694b7b5 100644
--- a/src/pluto/ocsp.c
+++ b/src/pluto/ocsp.c
@@ -1045,7 +1045,7 @@ static bool valid_ocsp_response(response_t *res)
)
/* check path length constraint */
- pathlen_constraint = x509->get_pathLenConstraint(x509);
+ pathlen_constraint = x509->get_constraint(x509, X509_PATH_LEN);
if (pathlen_constraint != X509_NO_CONSTRAINT &&
pathlen > pathlen_constraint)
{
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
index d821c9b79..7e2aca862 100644
--- a/src/pluto/x509.c
+++ b/src/pluto/x509.c
@@ -255,7 +255,7 @@ bool verify_x509cert(cert_t *cert, bool strict, time_t *until)
unlock_authcert_list("verify_x509cert");
/* check path length constraint */
- pathlen_constraint = x509->get_pathLenConstraint(x509);
+ pathlen_constraint = x509->get_constraint(x509, X509_PATH_LEN);
if (pathlen_constraint != X509_NO_CONSTRAINT &&
pathlen > pathlen_constraint)
{
@@ -450,7 +450,7 @@ void list_x509cert_chain(const char *caption, cert_t* cert,
}
/* list optional pathLenConstraint */
- pathlen = x509->get_pathLenConstraint(x509);
+ pathlen = x509->get_constraint(x509, X509_PATH_LEN);
if (pathlen != X509_NO_CONSTRAINT)
{
whack_log(RC_COMMENT, " pathlen: %d", pathlen);