author | Martin Willi <martin@revosec.ch> | 2014-10-15 12:33:17 +0200 |
committer | Martin Willi <martin@revosec.ch> | 2014-10-30 11:40:48 +0100 |
commit | b9d38c9fa2397fffb7cfdc56d91292c93f84b2ba (patch) | |
tree | 6a65a828d79021d18f67703160e6e96cab524f46 | |
parent | a6c8647eca8014ba2fab9f8f3e8f3f173a256173 (diff) | |
pki: Print and document the name constraint type for DNS or email constraints
As an email constraint may name a specific host, it is not clear from the
name itself whether it is a DNS or email constraint.
-rw-r--r-- | src/pki/commands/print.c | 20 | ||||
-rw-r--r-- | src/pki/man/pki---issue.1.in | 16 | ||||
-rw-r--r-- | src/pki/man/pki---self.1.in | 16 |
3 files changed, 46 insertions, 6 deletions
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index fb07169bf..a8a4e8375 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -66,6 +66,22 @@ static void print_key(private_key_t *key)
 }
 
 /**
+ * Get a prefix for a named constraint identity type
+ */
+static char* get_type_pfx(identification_t *id)
+{
+ switch (id->get_type(id))
+ {
+ case ID_RFC822_ADDR:
+ return "email:";
+ case ID_FQDN:
+ return "dns:";
+ default:
+ return "";
+ }
+}
+
+/**
  * Print X509 specific certificate information
  */
 static void print_x509(x509_t *x509)
@@ -202,7 +218,7 @@ static void print_x509(x509_t *x509)
 printf("Permitted NameConstraints:\n");
 first = FALSE;
 }
- printf(" %Y\n", id);
+ printf(" %s%Y\n", get_type_pfx(id), id);
 }
 enumerator->destroy(enumerator);
 first = TRUE;
@@ -214,7 +230,7 @@ static void print_x509(x509_t *x509)
 printf("Excluded NameConstraints:\n");
 first = FALSE;
 }
- printf(" %Y\n", id);
+ printf(" %s%Y\n", get_type_pfx(id), id);
 }
 enumerator->destroy(enumerator);
 
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
index 375cb2fe4..d017bfe1d 100644
--- a/src/pki/man/pki---issue.1.in
+++ b/src/pki/man/pki---issue.1.in
@@ -147,10 +147,22 @@ times.
 Set path length constraint.
 .TP
 .BI "\-n, \-\-nc-permitted " name
-Add permitted NameConstraint extension to certificate.
+Add permitted NameConstraint extension to certificate. For DNS or email
+constraints, the identity type is not always detectable by the given name. Use
+the
+.B dns:
+or
+.B email:
+prefix to force a constraint type.
 .TP
 .BI "\-N, \-\-nc-excluded " name
-Add excluded NameConstraint extension to certificate.
+Add excluded NameConstraint extension to certificate. For DNS or email
+constraints, the identity type is not always detectable by the given name. Use
+the
+.B dns:
+or
+.B email:
+prefix to force a constraint type.
 .TP
 .BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
 Add policyMapping from issuer to subject OID.
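Review bot: `static char* get_type_pfx(identification_t *id)` in the first hunk returns pointers to string literals, so its return type should be `static const char* get_type_pfx(identification_t *id)`; as written a caller could write through the pointer into read-only storage, and the `%s` conversion in the two `printf` calls accepts `const char *` unchanged. The `default:` arm maps every other identification type to an empty prefix, so for those types the printed constraint is still not distinguishable by prefix; if that is intended, a comment such as `/* only DNS and email constraints are ambiguous by name; other types print bare */` above `default:` would make the scope explicit. The hunks at -202 and -214 only switch the format string to `"  %s%Y\n"` and need no further change. The parsing side that honours the `dns:` and `email:` prefixes now documented in the man pages is not part of this diff, so presumably it lives in the identity parser; naming that location in the commit message would help reviewers verify the documented behaviour.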
diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in
index 5e6e78bd0..03ce03934 100644
--- a/src/pki/man/pki---self.1.in
+++ b/src/pki/man/pki---self.1.in
@@ -127,10 +127,22 @@ times.
 Set path length constraint.
 .TP
 .BI "\-n, \-\-nc-permitted " name
-Add permitted NameConstraint extension to certificate.
+Add permitted NameConstraint extension to certificate. For DNS or email
+constraints, the identity type is not always detectable by the given name. Use
+the
+.B dns:
+or
+.B email:
+prefix to force a constraint type.
 .TP
 .BI "\-N, \-\-nc-excluded " name
-Add excluded NameConstraint extension to certificate.
+Add excluded NameConstraint extension to certificate. For DNS or email
+constraints, the identity type is not always detectable by the given name. Use
+the
+.B dns:
+or
+.B email:
+prefix to force a constraint type.
 .TP
 .BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
 Add policyMapping from issuer to subject OID. |