authorMartin Willi <martin@strongswan.org>2009-09-08 10:38:02 +0200
committerMartin Willi <martin@strongswan.org>2009-09-08 10:38:02 +0200
commit8ab900dee9b6731144b2e05ac05f942cf79a9039 (patch)
treea8061795d3ee7edf8adc5212a39843ce29d15de8 /src/libstrongswan/plugins/x509/x509_cert.c
parent58f34613e03a5946648627a32cb63310a836b700 (diff)
x509 plugin supports encoding of CA basicConstraint extension
Diffstat (limited to 'src/libstrongswan/plugins/x509/x509_cert.c')
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c22
1 files changed, 22 insertions, 0 deletions
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 406fe4d4e..dc789e771 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1209,6 +1209,7 @@ struct private_builder_t {
static bool generate(private_builder_t *this)
{
chunk_t extensions = chunk_empty;
+ chunk_t basicConstraints = chunk_empty, subjectAltNames = chunk_empty;
identification_t *issuer, *subject;
chunk_t key_info;
signature_scheme_t scheme;
@@ -1300,10 +1301,31 @@ static bool generate(private_builder_t *this)
{
return FALSE;
}
+
+
if (this->cert->subjectAltNames->get_count(this->cert->subjectAltNames))
{
/* TODO: encode subjectAltNames */
}
+ if (this->flags & X509_CA)
+ {
+ chunk_t yes;
+
+ yes = chunk_alloca(1);
+ yes.ptr[0] = 0xFF;
+ basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
+ asn1_build_known_oid(OID_BASIC_CONSTRAINTS),
+ asn1_wrap(ASN1_BOOLEAN, "c", yes),
+ asn1_wrap(ASN1_OCTET_STRING, "m",
+ asn1_wrap(ASN1_SEQUENCE, "m",
+ asn1_wrap(ASN1_BOOLEAN, "c", yes))));
+ }
+ if (basicConstraints.ptr || subjectAltNames.ptr)
+ {
+ extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
+ asn1_wrap(ASN1_SEQUENCE, "mm",
+ basicConstraints, subjectAltNames));
+ }
this->cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
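Review bot: The `subjectAltNames` branch is still only a TODO, so within the visible lines nothing assigns `subjectAltNames` and the new `basicConstraints.ptr || subjectAltNames.ptr` test depends on the CA flag alone; a builder that was handed subjectAltNames produces a certificate without them, and generate() proceeds as if nothing were missing. Until the encoding exists, that branch should fail rather than issue a certificate lacking the requested identities, e.g. `return FALSE; /* subjectAltName encoding not implemented */`, releasing whatever generate() has allocated by that point (not visible here). The X509_CA block would also benefit from a comment such as `/* critical basicConstraints, cA TRUE (DER 0xFF), no pathLenConstraint: path length is unconstrained */`, since the nested asn1_wrap calls do not make that obvious. generate() starts before and continues past this hunk.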