authorMartin Willi <martin@revosec.ch>2010-12-09 11:50:50 +0100
committerMartin Willi <martin@revosec.ch>2011-01-05 16:46:00 +0100
commitdbfbbec368fbe77e0615968448b0fef765356ec8 (patch)
tree13d6c5114629f9507e43c2fd2f5ac973034a6bd0 /src
parenta199ef15e655df84800879e61bb170bb178da1e3 (diff)
Added name constraint enumerator to x509 interface
Diffstat (limited to 'src')
-rw-r--r--src/libstrongswan/credentials/certificates/x509.h8
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_x509.c1
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c30
3 files changed, 38 insertions, 1 deletions
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index cadb40199..ec6a33578 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -128,6 +128,14 @@ struct x509_t {
* @return enumerator over ipAddrBlocks as traffic_selector_t*
*/
enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this);
+
+ /**
+ * Create an enumerator over name constraints.
+ *
+ * @param perm TRUE for permitted, FALSE for excluded subtrees
+ * @return enumerator over subtrees as identification_t
+ */
+ enumerator_t* (*create_name_constraint_enumerator)(x509_t *this, bool perm);
};
#endif /** X509_H_ @}*/
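Review bot: The new doc comment on `create_name_constraint_enumerator` does not say what an empty enumerator means. A caller that enforces constraints during path validation needs to know whether "nothing enumerated" means the certificate has no nameConstraints or that the backend does not parse them. I would add a line such as `* An empty enumerator means no constraints are known to this implementation.` and write the return type as `identification_t*`, matching the `traffic_selector_t*` wording on the method just above. It would also help to state that the enumerated objects stay owned by the certificate, which is what the `destroy_offset` calls added in x509_cert.c imply.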
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 1630d8faf..b6a06d015 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -579,6 +579,7 @@ static private_openssl_x509_t *create_empty()
.create_crl_uri_enumerator = _create_crl_uri_enumerator,
.create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
.create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
+ .create_name_constraint_enumerator = (void*)enumerator_create_empty,
},
},
.subjectAltNames = linked_list_create(),
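Review bot: Assigning `enumerator_create_empty` here makes every certificate loaded through the openssl plugin report no permitted and no excluded subtrees. A validator that relies on this enumerator would therefore treat a name-constrained CA as unconstrained. Whether the plugin rejects or otherwise handles a critical nameConstraints extension is not visible in this hunk and should be confirmed before enforcement is built on the interface. The `(void*)` cast presumably hides a signature mismatch with the `(x509_t*, bool)` method type; a small `METHOD` stub that ignores its arguments and returns `enumerator_create_empty()` would avoid calling through an incompatible pointer, with a comment like `/* name constraints are not parsed by this plugin */`. `create_empty()` begins and ends outside the hunk.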
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 23c0262a2..cf85fe995 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -132,6 +132,16 @@ struct private_x509_cert_t {
linked_list_t *ipAddrBlocks;
/**
+ * List of permitted name constraints
+ */
+ linked_list_t *permitted_names;
+
+ /**
+ * List of exluced name constraints
+ */
+ linked_list_t *excluded_names;
+
+ /**
* certificate's embedded public key
*/
public_key_t *public_key;
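Review bot: The comment on `excluded_names` has a typo, `exluced`; it should read `List of excluded name constraints`. Both new comments could also say what the lists hold, for example `List of permitted name constraints, as identification_t*`, since the destroy hunk later in this commit frees the entries through `offsetof(identification_t, destroy)`. The struct begins and ends outside the hunk.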
@@ -1465,6 +1475,16 @@ METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*,
return this->ipAddrBlocks->create_enumerator(this->ipAddrBlocks);
}
+METHOD(x509_t, create_name_constraint_enumerator, enumerator_t*,
+ private_x509_cert_t *this, bool perm)
+{
+ if (perm)
+ {
+ return this->permitted_names->create_enumerator(this->permitted_names);
+ }
+ return this->excluded_names->create_enumerator(this->excluded_names);
+}
+
METHOD(certificate_t, destroy, void,
private_x509_cert_t *this)
{
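Review bot: Nothing in this commit adds entries to `permitted_names` or `excluded_names`, so `create_name_constraint_enumerator` yields an empty enumerator for every certificate, including one that carries a nameConstraints extension. The diffstat matches the hunks shown, and the lists are only created, enumerated and destroyed. Until the parser fills them, a caller cannot tell "unconstrained" from "not parsed". A comment on the method such as `/* lists stay empty until the nameConstraints extension is parsed */` would keep anyone from wiring enforcement to it prematurely. The `destroy` method that follows continues outside the hunk.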
@@ -1474,7 +1494,12 @@ METHOD(certificate_t, destroy, void,
offsetof(identification_t, destroy));
this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy);
this->ocsp_uris->destroy_function(this->ocsp_uris, free);
- this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks, offsetof(traffic_selector_t, destroy));
+ this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks,
+ offsetof(traffic_selector_t, destroy));
+ this->permitted_names->destroy_offset(this->permitted_names,
+ offsetof(identification_t, destroy));
+ this->excluded_names->destroy_offset(this->excluded_names,
+ offsetof(identification_t, destroy));
DESTROY_IF(this->issuer);
DESTROY_IF(this->subject);
DESTROY_IF(this->public_key);
@@ -1524,6 +1549,7 @@ static private_x509_cert_t* create_empty(void)
.create_crl_uri_enumerator = _create_crl_uri_enumerator,
.create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
.create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
+ .create_name_constraint_enumerator = _create_name_constraint_enumerator,
},
},
.version = 1,
@@ -1531,6 +1557,8 @@ static private_x509_cert_t* create_empty(void)
.crl_uris = linked_list_create(),
.ocsp_uris = linked_list_create(),
.ipAddrBlocks = linked_list_create(),
+ .permitted_names = linked_list_create(),
+ .excluded_names = linked_list_create(),
.pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT,
.ref = 1,
);