Diffstat (limited to 'src')
-rw-r--r-- | src/libcharon/plugins/vici/vici_config.c | 17 | ||||
-rw-r--r-- | src/swanctl/commands/load_conns.c | 1 | ||||
-rw-r--r-- | src/swanctl/swanctl.opt | 6 |
3 files changed, 24 insertions, 0 deletions
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index ff706be46..add81b9ef 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -1142,6 +1142,22 @@ CALLBACK(parse_group, bool,
 }

 /**
+ * Parse certificate policy
+ */
+CALLBACK(parse_cert_policy, bool,
+ auth_cfg_t *cfg, chunk_t v)
+{
+ char buf[BUF_LEN];
+
+ if (!vici_stringify(v, buf, sizeof(buf)))
+ {
+ return FALSE;
+ }
+ cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(buf));
+ return TRUE;
+}
+
+/**
 * Parse a certificate; add as auth rule to config
 */
 static bool parse_cert(auth_data_t *auth, auth_rule_t rule, chunk_t v)
@@ -1402,6 +1418,7 @@ CALLBACK(auth_li, bool,
 {
 parse_rule_t rules[] = {
 { "groups", parse_group, auth->cfg },
+ { "cert_policy", parse_cert_policy, auth },
 { "certs", parse_certs, auth },
 { "cacerts", parse_cacerts, auth },
 { "pubkeys", parse_pubkeys, auth },
diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c
index 2e443a94a..82592f456 100644
--- a/src/swanctl/commands/load_conns.c
+++ b/src/swanctl/commands/load_conns.c
@@ -38,6 +38,7 @@ static bool is_list_key(char *key)
 "vips",
 "pools",
 "groups",
+ "cert_policy",
 };
 int i;
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index e882e60ba..e74886641 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -406,6 +406,12 @@ connections.<conn>.remote<suffix>.groups =
 can be certified by different means, for example by appropriate Attribute
 Certificates or by an AAA backend involved in the authentication.

+connections.<conn>.remote<suffix>.cert_policy =
+ Certificate policy OIDs the peer's certificate must have.
+
+ Comma separated list of certificate policy OIDs the peer's certificate must
+ have. OIDs are specified using the numerical dotted representation.
+ connections.<conn>.remote<suffix>.certs = + Comma separated list of certificate to accept for authentication. |
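Review bot: The user argument of parse_cert_policy is declared `auth_cfg_t *cfg`, but the rules entry added in the second hunk of this file registers it as `{ "cert_policy", parse_cert_policy, auth },`, while the neighbouring `parse_group` entry — presumably also an `auth_cfg_t *` callback, given what it is handed — is registered with `auth->cfg`. If the CALLBACK wrapper passes the user pointer untyped, as mixing `auth` and `auth->cfg` in one table suggests, this compiles silently and `cfg->add(cfg, ...)` then treats an `auth_data_t` as an `auth_cfg_t` whenever a remote section sets cert_policy; the entry should read `{ "cert_policy", parse_cert_policy, auth->cfg },`. The header comment could also state the contract, e.g. `/* Parse one certificate policy OID and add it as AUTH_RULE_CERT_POLICY; the strdup'd copy is handed to cfg */`. The rules table in auth_li continues outside the hunk.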