author | Tobias Brunner <tobias@strongswan.org> | 2016-11-16 15:37:23 +0100 |
committer | Tobias Brunner <tobias@strongswan.org> | 2017-02-16 19:23:50 +0100 |
commit | e00bc9f6b298bf2ae8151bee83c346d6f867c0cb (patch) | |
tree | d3861a6604246cd9bc1ee80dbd2d3c7241e3b479 /src | |
parent | 44fcc83310ed7a032d2cf0fa315f3f7bd36c0f69 (diff) | |
vici: Add support for certificate policies
Diffstat (limited to 'src')
-rw-r--r-- | src/libcharon/plugins/vici/vici_config.c | 17 | ||||
-rw-r--r-- | src/swanctl/commands/load_conns.c | 1 | ||||
-rw-r--r-- | src/swanctl/swanctl.opt | 6 |
3 files changed, 24 insertions, 0 deletions
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index ff706be46..add81b9ef 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -1142,6 +1142,22 @@ CALLBACK(parse_group, bool,
 }
 
 /**
+ * Parse certificate policy
+ */
+CALLBACK(parse_cert_policy, bool,
+ auth_cfg_t *cfg, chunk_t v)
+{
+ char buf[BUF_LEN];
+
+ if (!vici_stringify(v, buf, sizeof(buf)))
+ {
+ return FALSE;
+ }
+ cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(buf));
+ return TRUE;
+}
+
+/**
 * Parse a certificate; add as auth rule to config
 */
 static bool parse_cert(auth_data_t *auth, auth_rule_t rule, chunk_t v)
@@ -1402,6 +1418,7 @@ CALLBACK(auth_li, bool,
 {
 parse_rule_t rules[] = {
 { "groups", parse_group, auth->cfg },
+ { "cert_policy", parse_cert_policy, auth },
 { "certs", parse_certs, auth },
 { "cacerts", parse_cacerts, auth },
 { "pubkeys", parse_pubkeys, auth },
diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c
index 2e443a94a..82592f456 100644
--- a/src/swanctl/commands/load_conns.c
+++ b/src/swanctl/commands/load_conns.c
@@ -38,6 +38,7 @@ static bool is_list_key(char *key)
 "vips",
 "pools",
 "groups",
+ "cert_policy",
 };
 int i;
 
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index e882e60ba..e74886641 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -406,6 +406,12 @@ connections.<conn>.remote<suffix>.groups =
 can be certified by different means, for example by appropriate Attribute Certificates or by an AAA backend involved in the authentication.
 
+connections.<conn>.remote<suffix>.cert_policy =
+ Certificate policy OIDs the peer's certificate must have.
+
+ Comma separated list of certificate policy OIDs the peer's certificate must
+ have. OIDs are specified using the numerical dotted representation.
+
 connections.<conn>.remote<suffix>.certs =
 Comma separated list of certificate to accept for authentication. |
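Review bot: The header comment on the new `parse_cert_policy` does not state what the value is or who owns the string it stores, while the swanctl.opt text added in this same commit commits to a specific format; the comment should read something like `* Parse a certificate policy; v is one policy OID in numerical dotted notation, added to cfg as an owned string (AUTH_RULE_CERT_POLICY)`. Nothing in the callback checks that `buf` actually looks like a dotted OID, so a mistyped value is accepted here and, at best, fails to match at authentication time; whether that is acceptable depends on how the AUTH_RULE_CERT_POLICY consumer handles it, which is outside this hunk, so the comment should at least say the value is stored unvalidated. The `strdup(buf)` result is passed to `cfg->add` without a NULL check, which is consistent with the sibling callbacks only if the rest of the file treats allocation failure the same way. The function is complete within the hunk.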
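Review bot: The new rules entry passes `auth` as the callback argument, but `parse_cert_policy` (defined earlier in this commit) declares its first parameter as `auth_cfg_t *cfg`, and the `groups` entry on the preceding line passes `auth->cfg` to `parse_group` for that same parameter type; as written, `cfg->add` would be invoked on an `auth_data_t`. If CALLBACK passes the argument through a generic pointer, as the differing argument types of the sibling entries suggest, the compiler will not flag this. The entry should be `{ "cert_policy", parse_cert_policy, auth->cfg },`. auth_li's body continues outside the hunk.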