aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/libstrongswan/credentials/credential_manager.c17
-rw-r--r--src/libstrongswan/plugins/constraints/constraints_validator.c29
2 files changed, 29 insertions, 17 deletions
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index f437bbf98..cc429ce68 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -471,23 +471,6 @@ static bool check_certificate(private_credential_manager_t *this,
&not_before, FALSE, &not_after, FALSE);
return FALSE;
}
- if (issuer->get_type(issuer) == CERT_X509 &&
- subject->get_type(subject) == CERT_X509)
- {
- int pathlen_constraint;
- x509_t *x509;
-
- /* check path length constraint */
- x509 = (x509_t*)issuer;
- pathlen_constraint = x509->get_pathLenConstraint(x509);
- if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
- pathlen > pathlen_constraint)
- {
- DBG1(DBG_CFG, "path length of %d violates constraint of %d",
- pathlen, pathlen_constraint);
- return FALSE;
- }
- }
enumerator = this->validators->create_enumerator(this->validators);
while (enumerator->enumerate(enumerator, &validator))
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
index 834d4efbf..7598f2896 100644
--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@@ -15,6 +15,9 @@
#include "constraints_validator.h"
+#include <debug.h>
+#include <credentials/certificates/x509.h>
+
typedef struct private_constraints_validator_t private_constraints_validator_t;
/**
@@ -28,10 +31,36 @@ struct private_constraints_validator_t {
constraints_validator_t public;
};
+/**
+ * Check pathlen constraint of issuer certificate
+ */
+static bool check_pathlen(x509_t *issuer, int pathlen)
+{
+ int pathlen_constraint;
+
+ pathlen_constraint = issuer->get_pathLenConstraint(issuer);
+ if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
+ pathlen > pathlen_constraint)
+ {
+ DBG1(DBG_CFG, "path length of %d violates constraint of %d",
+ pathlen, pathlen_constraint);
+ return FALSE;
+ }
+ return TRUE;
+}
+
METHOD(cert_validator_t, validate, bool,
private_constraints_validator_t *this, certificate_t *subject,
certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
{
+ if (issuer->get_type(issuer) == CERT_X509 &&
+ subject->get_type(subject) == CERT_X509)
+ {
+ if (!check_pathlen((x509_t*)issuer, pathlen))
+ {
+ return FALSE;
+ }
+ }
return TRUE;
}
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-23 22:22:45 +0000