diff options
| author | Andreas Steffen <andreas@strongswan.org> | 2009-12-31 15:13:35 +0100 |
|---|---|---|
| committer | Andreas Steffen <andreas@strongswan.org> | 2009-12-31 15:13:35 +0100 |
| commit | 3e33ae1004bcad71c937c3f64cf746b19ec4ad1a (patch) | |
| tree | 698149cb1770020f2e9a6c390efdf27408003cf0 /src/libstrongswan | |
| parent | 7eaec999ca577fbde701d3ecf874cd9fee838f79 (diff) | |
| download | strongswan-3e33ae1004bcad71c937c3f64cf746b19ec4ad1a.tar.bz2 strongswan-3e33ae1004bcad71c937c3f64cf746b19ec4ad1a.tar.xz | |
ipsec pki --self|issue supports --pathlen option setting a path length constraint
Diffstat (limited to 'src/libstrongswan')
| -rw-r--r-- | src/libstrongswan/credentials/builder.c | 1 | ||||
| -rw-r--r-- | src/libstrongswan/credentials/builder.h | 2 | ||||
| -rw-r--r-- | src/libstrongswan/plugins/x509/x509_cert.c | 20 |
3 files changed, 21 insertions, 2 deletions
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c index 873e7d139..8be1c1576 100644 --- a/src/libstrongswan/credentials/builder.c +++ b/src/libstrongswan/credentials/builder.c @@ -42,6 +42,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END, "BUILD_CERT", "BUILD_CRL_DISTRIBUTION_POINTS", "BUILD_OCSP_ACCESS_LOCATIONS", + "BUILD_PATHLEN", "BUILD_X509_FLAG", "BUILD_SMARTCARD_KEYID", "BUILD_SMARTCARD_PIN", diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h index b6f0386cd..62a6ffaaf 100644 --- a/src/libstrongswan/credentials/builder.h +++ b/src/libstrongswan/credentials/builder.h @@ -97,6 +97,8 @@ enum builder_part_t { BUILD_CRL_DISTRIBUTION_POINTS, /** OCSP AuthorityInfoAccess locations, linked_list_t* containing char* */ BUILD_OCSP_ACCESS_LOCATIONS, + /** certificate path length constraint */ + BUILD_PATHLEN, /** enforce an additional X509 flag, x509_flag_t */ BUILD_X509_FLAG, /** key ID of a key on a smartcard, null terminated char* ([slot:]keyid) */ diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index dee056d5d..199d5933e 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -1582,14 +1582,23 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, /* build CA basicConstraint for CA certificates */ if (cert->flags & X509_CA) { + chunk_t pathLenConstraint = chunk_empty; + + if (cert->pathLenConstraint != X509_NO_PATH_LEN_CONSTRAINT) + { + char pathlen = (char)cert->pathLenConstraint; + + pathLenConstraint = asn1_integer("c", chunk_from_thing(pathlen)); + } basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm", asn1_build_known_oid(OID_BASIC_CONSTRAINTS), asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)), asn1_wrap(ASN1_OCTET_STRING, "m", - asn1_wrap(ASN1_SEQUENCE, "m", + asn1_wrap(ASN1_SEQUENCE, "mm", asn1_wrap(ASN1_BOOLEAN, "c", - chunk_from_chars(0xFF))))); + chunk_from_chars(0xFF)), + pathLenConstraint))); } /* add serverAuth extendedKeyUsage flag */ @@ -1802,6 +1811,13 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) enumerator->destroy(enumerator); continue; } + case BUILD_PATHLEN: + cert->pathLenConstraint = va_arg(args, int); + if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127) + { + cert->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT; + } + continue; case BUILD_NOT_BEFORE_TIME: cert->notBefore = va_arg(args, time_t); continue; |