Added policyMappings support to pki tool

author: Martin Willi <martin@revosec.ch> 2010-12-15 14:30:09 +0000
committer: Martin Willi <martin@revosec.ch> 2011-01-05 16:46:02 +0100
commit: 3ffc9d9a881675df1f8403db625860fad328efd0 (patch)
tree: 7737a9e15645d6b106f61fe32eaff67c556aea61 /src/pki
parent: 5a0caa4b3a9431eb8ced8ed00292b88a341d4e8e (diff)
download: strongswan-3ffc9d9a881675df1f8403db625860fad328efd0.tar.bz2
strongswan-3ffc9d9a881675df1f8403db625860fad328efd0.tar.xz
3 files changed, 121 insertions, 12 deletions
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index aa62a07b8..62fe0185d 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -34,6 +34,16 @@ static void destroy_cert_policy(x509_cert_policy_t *policy)
 }
 
 /**
+ * Free policy mapping
+ */
+static void destroy_policy_mapping(x509_policy_mapping_t *mapping)
+{
+	free(mapping->issuer.ptr);
+	free(mapping->subject.ptr);
+	free(mapping);
+}
+
+/**
  * Issue a certificate using a CA certificate and key
  */
 static int issue()
@@ -47,7 +57,7 @@ static int issue()
 	char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL;
 	char *error = NULL, *keyid = NULL;
 	identification_t *id = NULL, *crl_issuer = NULL;;
-	linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies;
+	linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies, *mappings;
 	int lifetime = 1095;
 	int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
 	chunk_t serial = chunk_empty;
@@ -64,6 +74,7 @@ static int issue()
 	permitted = linked_list_create();
 	excluded = linked_list_create();
 	policies = linked_list_create();
+	mappings = linked_list_create();
 
 	while (TRUE)
 	{
@@ -140,7 +151,8 @@ static int issue()
 				oid = asn1_oid_from_string(arg);
 				if (!oid.len)
 				{
-					return command_usage("--cert-policy OID invalid");
+					error = "--cert-policy OID invalid";
+					goto usage;
 				}
 				INIT(policy,
 					.oid = oid,
@@ -151,17 +163,43 @@ static int issue()
 			case 'C':
 				if (!policy)
 				{
-					return command_usage("--cps-uri must follow a --cert-policy");
+					error = "--cps-uri must follow a --cert-policy";
+					goto usage;
 				}
 				policy->cps_uri = arg;
 				continue;
 			case 'U':
 				if (!policy)
 				{
-					return command_usage("--user-notice must follow a --cert-policy");
+					error = "--user-notice must follow a --cert-policy";
+					goto usage;
 				}
 				policy->unotice_text = arg;
 				continue;
+			case 'M':
+			{
+				char *pos = strchr(arg, ':');
+				x509_policy_mapping_t *mapping;
+				chunk_t subject_oid, issuer_oid;
+
+				if (pos)
+				{
+					*pos++ = '\0';
+					issuer_oid = asn1_oid_from_string(arg);
+					subject_oid = asn1_oid_from_string(pos);
+				}
+				if (!pos || !issuer_oid.len || !subject_oid.len)
+				{
+					error = "--policy-map OIDs invalid";
+					goto usage;
+				}
+				INIT(mapping,
+					.issuer = issuer_oid,
+					.subject = subject_oid,
+				);
+				mappings->insert_last(mappings, mapping);
+				continue;
+			}
 			case 'e':
 				if (streq(arg, "serverAuth"))
 				{
@@ -183,7 +221,8 @@ static int issue()
 			case 'f':
 				if (!get_form(arg, &form, CRED_CERTIFICATE))
 				{
-					return command_usage("invalid output format");
+					error = "invalid output format";
+					goto usage;
 				}
 				continue;
 			case 'u':
@@ -379,7 +418,9 @@ static int issue()
 					BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
 					BUILD_PERMITTED_NAME_CONSTRAINTS, permitted,
 					BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded,
-					BUILD_CERTIFICATE_POLICIES, policies, BUILD_END);
+					BUILD_CERTIFICATE_POLICIES, policies,
+					BUILD_POLICY_MAPPINGS, mappings,
+					BUILD_END);
 	if (!cert)
 	{
 		error = "generating certificate failed";
@@ -407,6 +448,7 @@ end:
 	permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
 	excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
 	policies->destroy_function(policies, (void*)destroy_cert_policy);
+	mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
 	cdps->destroy(cdps);
 	ocsp->destroy(ocsp);
 	DESTROY_IF(crl_issuer);
@@ -425,6 +467,7 @@ usage:
 	permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
 	excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
 	policies->destroy_function(policies, (void*)destroy_cert_policy);
+	mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
 	cdps->destroy(cdps);
 	ocsp->destroy(ocsp);
 	DESTROY_IF(crl_issuer);
@@ -445,6 +488,7 @@ static void __attribute__ ((constructor))reg()
 		 "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
 		 "[--nc-permitted name] [--nc-excluded name]",
 		 "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+",
+		 "[--policy-map issuer-oid:subject-oid]",
 		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 		{
 			{"help",		'h', 0, "show usage information"},
@@ -464,6 +508,7 @@ static void __attribute__ ((constructor))reg()
 			{"cert-policy",	'P', 1, "certificatePolicy OID to include"},
 			{"cps-uri",		'C', 1, "Certification Practice statement URI for certificatePolicy"},
 			{"user-notice",	'U', 1, "user notice for certificatePolicy"},
+			{"policy-map",	'M', 1, "policyMapping from issuer to subject OID"},
 			{"flag",		'e', 1, "include extendedKeyUsage flag"},
 			{"crl",			'u', 1, "CRL distribution point URI to include"},
 			{"crlissuer",	'I', 1, "CRL Issuer for CRL at distribution point"},
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index af0c92cd4..23fb644e1 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -76,6 +76,7 @@ static void print_x509(x509_t *x509)
 	int len;
 	x509_flag_t flags;
 	x509_cert_policy_t *policy;
+	x509_policy_mapping_t *mapping;
 
 	chunk = x509->get_serial(x509);
 	printf("serial:    %#B\n", &chunk);
@@ -238,6 +239,25 @@ static void print_x509(x509_t *x509)
 	}
 	enumerator->destroy(enumerator);
 
+	first = TRUE;
+	enumerator = x509->create_policy_mapping_enumerator(x509);
+	while (enumerator->enumerate(enumerator, &mapping))
+	{
+		char *issuer_oid, *subject_oid;
+
+		if (first)
+		{
+			printf("PolicyMappings:\n");
+			first = FALSE;
+		}
+		issuer_oid = asn1_oid_to_string(mapping->issuer);
+		subject_oid = asn1_oid_to_string(mapping->subject);
+		printf("           %s => %s\n", issuer_oid, subject_oid);
+		free(issuer_oid);
+		free(subject_oid);
+	}
+	enumerator->destroy(enumerator);
+
 	chunk = x509->get_authKeyIdentifier(x509);
 	if (chunk.ptr)
 	{
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 474903272..134231dca 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -32,6 +32,16 @@ static void destroy_cert_policy(x509_cert_policy_t *policy)
 }
 
 /**
+ * Free policy mapping
+ */
+static void destroy_policy_mapping(x509_policy_mapping_t *mapping)
+{
+	free(mapping->issuer.ptr);
+	free(mapping->subject.ptr);
+	free(mapping);
+}
+
+/**
  * Create a self signed certificate.
  */
 static int self()
@@ -44,7 +54,7 @@ static int self()
 	public_key_t *public = NULL;
 	char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL, *keyid = NULL;
 	identification_t *id = NULL;
-	linked_list_t *san, *ocsp, *permitted, *excluded, *policies;
+	linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings;
 	int lifetime = 1095;
 	int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
 	chunk_t serial = chunk_empty;
@@ -59,6 +69,7 @@ static int self()
 	permitted = linked_list_create();
 	excluded = linked_list_create();
 	policies = linked_list_create();
+	mappings = linked_list_create();
 
 	while (TRUE)
 	{
@@ -133,7 +144,8 @@ static int self()
 				oid = asn1_oid_from_string(arg);
 				if (!oid.len)
 				{
-					return command_usage("--cert-policy OID invalid");
+					error = "--cert-policy OID invalid";
+					goto usage;
 				}
 				INIT(policy,
 					.oid = oid,
@@ -144,17 +156,43 @@ static int self()
 			case 'C':
 				if (!policy)
 				{
-					return command_usage("--cps-uri must follow a --cert-policy");
+					error = "--cps-uri must follow a --cert-policy";
+					goto usage;
 				}
 				policy->cps_uri = arg;
 				continue;
 			case 'U':
 				if (!policy)
 				{
-					return command_usage("--user-notice must follow a --cert-policy");
+					error = "--user-notice must follow a --cert-policy";
+					goto usage;
 				}
 				policy->unotice_text = arg;
 				continue;
+			case 'M':
+			{
+				char *pos = strchr(arg, ':');
+				x509_policy_mapping_t *mapping;
+				chunk_t subject_oid, issuer_oid;
+
+				if (pos)
+				{
+					*pos++ = '\0';
+					issuer_oid = asn1_oid_from_string(arg);
+					subject_oid = asn1_oid_from_string(pos);
+				}
+				if (!pos || !issuer_oid.len || !subject_oid.len)
+				{
+					error = "--policy-map OIDs invalid";
+					goto usage;
+				}
+				INIT(mapping,
+					.issuer = issuer_oid,
+					.subject = subject_oid,
+				);
+				mappings->insert_last(mappings, mapping);
+				continue;
+			}
 			case 'e':
 				if (streq(arg, "serverAuth"))
 				{
@@ -176,7 +214,8 @@ static int self()
 			case 'f':
 				if (!get_form(arg, &form, CRED_CERTIFICATE))
 				{
-					return command_usage("invalid output format");
+					error = "invalid output format";
+					goto usage;
 				}
 				continue;
 			case 'o':
@@ -264,7 +303,8 @@ static int self()
 						BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
 						BUILD_PERMITTED_NAME_CONSTRAINTS, permitted,
 						BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded,
-						BUILD_CERTIFICATE_POLICIES, policies, BUILD_END);
+						BUILD_CERTIFICATE_POLICIES, policies,
+						BUILD_POLICY_MAPPINGS, mappings, BUILD_END);
 	if (!cert)
 	{
 		error = "generating certificate failed";
@@ -290,6 +330,7 @@ end:
 	permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
 	excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
 	policies->destroy_function(policies, (void*)destroy_cert_policy);
+	mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
 	ocsp->destroy(ocsp);
 	free(encoding.ptr);
 	free(serial.ptr);
@@ -306,6 +347,7 @@ usage:
 	permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
 	excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
 	policies->destroy_function(policies, (void*)destroy_cert_policy);
+	mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
 	ocsp->destroy(ocsp);
 	return command_usage(error);
 }
@@ -324,6 +366,7 @@ static void __attribute__ ((constructor))reg()
 		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
 		 "[--nc-permitted name] [--nc-excluded name]",
 		 "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+",
+		 "[--policy-map issuer-oid:subject-oid]",
 		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 		{
 			{"help",		'h', 0, "show usage information"},
@@ -341,6 +384,7 @@ static void __attribute__ ((constructor))reg()
 			{"cert-policy",	'P', 1, "certificatePolicy OID to include"},
 			{"cps-uri",		'C', 1, "Certification Practice statement URI for certificatePolicy"},
 			{"user-notice",	'U', 1, "user notice for certificatePolicy"},
+			{"policy-map",	'M', 1, "policyMapping from issuer to subject OID"},
 			{"flag",		'e', 1, "include extendedKeyUsage flag"},
 			{"ocsp",		'o', 1, "OCSP AuthorityInfoAccess URI to include"},
 			{"digest",		'g', 1, "digest for signature creation, default: sha1"},
author	Martin Willi <martin@revosec.ch>	2010-12-15 14:30:09 +0000
committer	Martin Willi <martin@revosec.ch>	2011-01-05 16:46:02 +0100
commit	3ffc9d9a881675df1f8403db625860fad328efd0 (patch)
tree	7737a9e15645d6b106f61fe32eaff67c556aea61 /src/pki
parent	5a0caa4b3a9431eb8ced8ed00292b88a341d4e8e (diff)
download	strongswan-3ffc9d9a881675df1f8403db625860fad328efd0.tar.bz2 strongswan-3ffc9d9a881675df1f8403db625860fad328efd0.tar.xz