authorMartin Willi <martin@revosec.ch>2010-12-09 10:46:48 +0100
committerMartin Willi <martin@revosec.ch>2011-01-05 16:46:00 +0100
commitbe8858e9b650829d90b286a20959f6ecaf7ac9c6 (patch)
tree16ad8328b11e9cff0983cc196bbe944403b5284b /src/libstrongswan/plugins/constraints/constraints_validator.c
parent01d3038137e7ed789fb792a599a4c450ca269409 (diff)
downloadstrongswan-be8858e9b650829d90b286a20959f6ecaf7ac9c6.tar.bz2
strongswan-be8858e9b650829d90b286a20959f6ecaf7ac9c6.tar.xz
Moved X509 pathlen constraint checking to constraints plugin
Diffstat (limited to 'src/libstrongswan/plugins/constraints/constraints_validator.c')
-rw-r--r--src/libstrongswan/plugins/constraints/constraints_validator.c29
1 files changed, 29 insertions, 0 deletions
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
index 834d4efbf..7598f2896 100644
--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@@ -15,6 +15,9 @@
#include "constraints_validator.h"
+#include <debug.h>
+#include <credentials/certificates/x509.h>
+
typedef struct private_constraints_validator_t private_constraints_validator_t;
/**
@@ -28,10 +31,36 @@ struct private_constraints_validator_t {
constraints_validator_t public;
};
+/**
+ * Check pathlen constraint of issuer certificate
+ */
+static bool check_pathlen(x509_t *issuer, int pathlen)
+{
+ int pathlen_constraint;
+
+ pathlen_constraint = issuer->get_pathLenConstraint(issuer);
+ if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
+ pathlen > pathlen_constraint)
+ {
+ DBG1(DBG_CFG, "path length of %d violates constraint of %d",
+ pathlen, pathlen_constraint);
+ return FALSE;
+ }
+ return TRUE;
+}
+
METHOD(cert_validator_t, validate, bool,
private_constraints_validator_t *this, certificate_t *subject,
certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
{
+ if (issuer->get_type(issuer) == CERT_X509 &&
+ subject->get_type(subject) == CERT_X509)
+ {
+ if (!check_pathlen((x509_t*)issuer, pathlen))
+ {
+ return FALSE;
+ }
+ }
return TRUE;
}
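Review bot: check_pathlen compares the caller-supplied `pathlen` against the issuer's pathLenConstraint, but nothing in the hunk says which convention `pathlen` follows, and whether `pathlen > pathlen_constraint` is the right test depends on it: the check is correct only if the caller passes 0 for the end-entity-to-first-CA step and increments by one per CA certificate traversed, which is decided in the caller outside this file. I would document that assumption on the helper, e.g. `/* pathlen: number of CA certificates already traversed below issuer; 0 when subject is the end entity (caller's convention, see credential_manager) */`. Also worth a note: RFC 5280 §4.2.1.9 excludes self-issued intermediate certificates from the pathLenConstraint count, so if the caller increments `pathlen` for every link a legitimate self-issued CA certificate (key rollover) in the chain would be rejected here; either the caller must not count such certificates or this helper should say it relies on that. The `(x509_t*)issuer` cast is guarded by the CERT_X509 type check in validate, which looks right.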