-rw-r--r-- | man/ipsec.conf.5.in | 4 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_config.c | 14 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_socket.c | 1 | ||||
-rw-r--r-- | src/starter/args.c | 1 | ||||
-rw-r--r-- | src/starter/confread.h | 1 | ||||
-rw-r--r-- | src/starter/keywords.h | 3 | ||||
-rw-r--r-- | src/starter/keywords.txt | 6 | ||||
-rw-r--r-- | src/starter/starterstroke.c | 1 | ||||
-rw-r--r-- | src/stroke/stroke_msg.h | 1 |
9 files changed, 30 insertions, 2 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 0de9a2c92..a75b5566e 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -598,6 +598,10 @@ Same as
 .B leftcert,
 but for the second authentication round (IKEv2 only).
 .TP
+.BR leftcertpolicy " = <OIDs>"
+Comma separated list of certificate policy OIDs the peers certificate must have.
+OIDs are specified using the numerical dotted representation (IKEv2 only).
+.TP
 .BR leftfirewall " = yes | " no
 whether the left participant is doing forwarding-firewalling
 (including masquerading) using iptables for traffic from \fIleftsubnet\fR,
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 4f2f58e86..dc2c57e9c 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -429,6 +429,20 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 		enumerator->destroy(enumerator);
 	}
 
+	/* certificatePolicies */
+	if (end->cert_policy)
+	{
+		enumerator_t *enumerator;
+		char *policy;
+
+		enumerator = enumerator_create_token(end->cert_policy, ",", " ");
+		while (enumerator->enumerate(enumerator, &policy))
+		{
+			cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(policy));
+		}
+		enumerator->destroy(enumerator);
+	}
+
 	/* authentication metod (class, actually) */
 	if (streq(auth, "pubkey") || streq(auth, "rsasig") || streq(auth, "rsa") ||
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 3762ffcad..18e77905d 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -151,6 +151,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
 	pop_string(msg, &end->ca);
 	pop_string(msg, &end->ca2);
 	pop_string(msg, &end->groups);
+	pop_string(msg, &end->cert_policy);
 	pop_string(msg, &end->updown);
 
 	DBG2(DBG_CFG, "  %s=%s", label, end->address);
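Review bot: In the new certificatePolicies block of build_auth_cfg every comma-separated token is added as an AUTH_RULE_CERT_POLICY without checking that it is a numeric dotted OID, so a typo or a stray non-numeric token silently becomes a rule that can never match and the peer is rejected with nothing in the log explaining why. Failing closed is the right outcome, but it should be diagnosable: validate each token before the `cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(policy));` line (libstrongswan's asn1_oid_from_string() looks like the natural check, if it is available in this tree) and log rejected tokens with a `DBG1(DBG_CFG, "ignoring invalid certificate policy OID '%s'", policy);` instead of adding them. The strdup() hands ownership of the copy to cfg, which matches the other string-valued rules here, assuming auth_cfg frees AUTH_RULE_CERT_POLICY values on destroy. build_auth_cfg starts before and continues after this hunk.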
diff --git a/src/starter/args.c b/src/starter/args.c
index c13f5a952..87307f1aa 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -273,6 +273,7 @@ static const token_info_t token_info[] =
 	{ ARG_STR, offsetof(starter_end_t, rsakey), NULL },
 	{ ARG_STR, offsetof(starter_end_t, cert), NULL },
 	{ ARG_STR, offsetof(starter_end_t, cert2), NULL },
+	{ ARG_STR, offsetof(starter_end_t, cert_policy), NULL },
 	{ ARG_ENUM, offsetof(starter_end_t, sendcert), LST_sendcert },
 	{ ARG_STR, offsetof(starter_end_t, ca), NULL },
 	{ ARG_STR, offsetof(starter_end_t, ca2), NULL },
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 75ef99211..4f9c5f7d0 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -64,6 +64,7 @@ struct starter_end {
 	char *ca;
 	char *ca2;
 	char *groups;
+	char *cert_policy;
 	char *iface;
 	ip_address addr;
 	u_int ikeport;
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 038391aca..9f46a8b4b 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -142,6 +142,7 @@ typedef enum {
 	KW_RSASIGKEY,
 	KW_CERT,
 	KW_CERT2,
+	KW_CERTPOLICY,
 	KW_SENDCERT,
 	KW_CA,
 	KW_CA2,
@@ -171,6 +172,7 @@ typedef enum {
 	KW_LEFTRSASIGKEY,
 	KW_LEFTCERT,
 	KW_LEFTCERT2,
+	KW_LEFTCERTPOLICY,
 	KW_LEFTSENDCERT,
 	KW_LEFTCA,
 	KW_LEFTCA2,
@@ -199,6 +201,7 @@ typedef enum {
 	KW_RIGHTRSASIGKEY,
 	KW_RIGHTCERT,
 	KW_RIGHTCERT2,
+	KW_RIGHTCERTPOLICY,
 	KW_RIGHTSENDCERT,
 	KW_RIGHTCA,
 	KW_RIGHTCA2,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 67ae53f01..2c0e5de3d 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -121,8 +121,9 @@ leftid2, KW_LEFTID2
 leftauth, KW_LEFTAUTH
 leftauth2, KW_LEFTAUTH2
 leftrsasigkey, KW_LEFTRSASIGKEY
-leftcert, KW_LEFTCERT,
-leftcert2, KW_LEFTCERT2,
+leftcert, KW_LEFTCERT
+leftcert2, KW_LEFTCERT2
+leftcertpolicy, KW_LEFTCERTPOLICY
 leftsendcert, KW_LEFTSENDCERT
 leftca, KW_LEFTCA
 leftca2, KW_LEFTCA2
@@ -146,6 +147,7 @@ rightauth2, KW_RIGHTAUTH2
 rightrsasigkey, KW_RIGHTRSASIGKEY
 rightcert, KW_RIGHTCERT
 rightcert2, KW_RIGHTCERT2
+rightcertpolicy, KW_RIGHTCERTPOLICY
 rightsendcert, KW_RIGHTSENDCERT
 rightca, KW_RIGHTCA
 rightca2, KW_RIGHTCA2
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index a7e098d91..f251667c7 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -171,6 +171,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
 	msg_end->id2 = push_string(msg, conn_end->id2);
 	msg_end->cert = push_string(msg, conn_end->cert);
 	msg_end->cert2 = push_string(msg, conn_end->cert2);
+	msg_end->cert_policy = push_string(msg, conn_end->cert_policy);
 	msg_end->ca = push_string(msg, conn_end->ca);
 	msg_end->ca2 = push_string(msg, conn_end->ca2);
 	msg_end->groups = push_string(msg, conn_end->groups);
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index adb9d0e10..3af2b7042 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -149,6 +149,7 @@ struct stroke_end_t {
 	char *ca;
 	char *ca2;
 	char *groups;
+	char *cert_policy;
 	char *updown;
 	char *address;
 	u_int16_t ikeport;