Added support for inhibitAnyPolicy constraint to x509 plugin
authorMartin Willi <martin@revosec.ch>
Wed, 22 Dec 2010 14:52:02 +0000 (15:52 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 5 Jan 2011 15:46:05 +0000 (16:46 +0100)
src/libstrongswan/credentials/builder.c
src/libstrongswan/credentials/builder.h
src/libstrongswan/credentials/certificates/x509.h
src/libstrongswan/plugins/x509/x509_cert.c

index 768b9da..47e1ed5 100644 (file)
@@ -49,6 +49,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
        "BUILD_POLICY_MAPPINGS",
        "BUILD_POLICY_CONSTRAINT_EXPLICIT",
        "BUILD_POLICY_CONSTRAINT_INHIBIT",
+       "BUILD_POLICY_CONSTRAINT_INHIBIT_ANY",
        "BUILD_X509_FLAG",
        "BUILD_REVOKED_ENUMERATOR",
        "BUILD_BASE_CRL",
index 5db3777..383fa90 100644 (file)
@@ -105,6 +105,8 @@ enum builder_part_t {
        BUILD_POLICY_CONSTRAINT_EXPLICIT,
        /** inhibitPolicyMapping constraint, int */
        BUILD_POLICY_CONSTRAINT_INHIBIT,
+       /** inhibitAnyPolicy constraint, int */
+       BUILD_POLICY_CONSTRAINT_INHIBIT_ANY,
        /** enforce an additional X509 flag, x509_flag_t */
        BUILD_X509_FLAG,
        /** enumerator_t over (chunk_t serial, time_t date, crl_reason_t reason) */
index d668ceb..9f5865d 100644 (file)
@@ -67,6 +67,8 @@ enum x509_constraint_t {
        X509_INHIBIT_POLICY_MAPPING,
        /** requireExplicitPolicy policyConstraint */
        X509_REQUIRE_EXPLICIT_POLICY,
+       /** inhibitAnyPolicy constraint */
+       X509_INHIBIT_ANY_POLICY,
 };
 
 /**
index 995ba9b..4bf221f 100644 (file)
@@ -187,6 +187,11 @@ struct private_x509_cert_t {
        char inhibit_policy_constraint;
 
        /**
+        * inhibitAnyPolicy Constraint
+        */
+       char inhibit_any_policy;
+
+       /**
         * x509 constraints and other flags
         */
        x509_flag_t flags;
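Review bot: `char inhibit_any_policy;` copies the sibling constraint fields' use of plain `char` for a value that create_empty() initialises to X509_NO_CONSTRAINT and generate() compares against it; plain `char` has implementation-defined signedness, so if X509_NO_CONSTRAINT is negative (its definition is not in this diff), on targets where `char` is unsigned the sentinel stored by create_empty() never compares equal again and generate() would emit the extension on every certificate with the wrapped byte. Declaring the new field `signed char inhibit_any_policy;` makes the sentinel round-trip on every platform while keeping the single-byte layout that `chunk_from_thing()` in generate() relies on; the sibling fields `inhibit_policy_constraint` and `explicit_policy_constraint` have the same exposure and would best be changed together in a follow-up. The doc comment should also say what the field holds when the extension is absent: `/** inhibitAnyPolicy constraint (skipCerts), X509_NO_CONSTRAINT if absent */`.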
@@ -248,6 +253,22 @@ static void policy_mapping_destroy(x509_policy_mapping_t *mapping)
 }
 
 /**
+ * Parse a length constraint from an unwrapped integer
+ */
+static int parse_constraint(chunk_t object)
+{
+       switch (object.len)
+       {
+               case 0:
+                       return 0;
+               case 1:
+                       return object.ptr[0];
+               default:
+                       return X509_NO_CONSTRAINT;
+       }
+}
+
+/**
  * ASN.1 definition of a basicConstraints extension
  */
 static const asn1Object_t basicConstraintsObjects[] = {
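Review bot: `return object.ptr[0];` in parse_constraint yields 128..255 for a single-byte INTEGER whose high bit is set, which in DER encodes a negative value and is therefore malformed for a pathLen or skipCerts constraint; every caller stores the result in a `char` field, so such a value can wrap into a negative constraint or collide with the X509_NO_CONSTRAINT sentinel. A guard on the sign bit keeps the result within what those fields can represent: `case 1: return (object.ptr[0] & 0x80) ? X509_NO_CONSTRAINT : object.ptr[0];`. Mapping unrepresentable values to X509_NO_CONSTRAINT is fail-open (the constraint is dropped rather than enforced), which was already the documented behaviour of the `> 127` comment this commit removes from parse_basicConstraints, so that choice belongs in the helper's doc comment now that the old comment is gone. The helper is also used for the two policyConstraints skipCerts values, so `Parse a length constraint` undersells it: `Parse a pathLen/skipCerts constraint from an unwrapped INTEGER; values not representable in one byte (> 127) yield X509_NO_CONSTRAINT`.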
@@ -289,15 +310,7 @@ static void parse_basicConstraints(chunk_t blob, int level0,
                        case BASIC_CONSTRAINTS_PATH_LEN:
                                if (isCA)
                                {
-                                       if (object.len == 0)
-                                       {
-                                               this->pathLenConstraint = 0;
-                                       }
-                                       else if (object.len == 1)
-                                       {
-                                               this->pathLenConstraint = *object.ptr;
-                                       }
-                                       /* we ignore path length constraints > 127 */
+                                       this->pathLenConstraint = parse_constraint(object);
                                }
                                break;
                        default:
@@ -1076,24 +1089,10 @@ static void parse_policyConstraints(chunk_t blob, int level0,
                switch (objectID)
                {
                        case POLICY_CONSTRAINT_EXPLICIT:
-                               if (object.len == 0)
-                               {
-                                       this->explicit_policy_constraint = 0;
-                               }
-                               else if (object.len == 1)
-                               {
-                                       this->explicit_policy_constraint = *object.ptr;
-                               }
+                               this->explicit_policy_constraint = parse_constraint(object);
                                break;
                        case POLICY_CONSTRAINT_INHIBIT:
-                               if (object.len == 0)
-                               {
-                                       this->inhibit_policy_constraint = 0;
-                               }
-                               else if (object.len == 1)
-                               {
-                                       this->inhibit_policy_constraint = *object.ptr;
-                               }
+                               this->inhibit_policy_constraint = parse_constraint(object);
                                break;
                        default:
                                break;
@@ -1424,6 +1423,14 @@ static bool parse_certificate(private_x509_cert_t *this)
                                        case OID_POLICY_CONSTRAINTS:
                                                parse_policyConstraints(object, level, this);
                                                break;
+                                       case OID_INHIBIT_ANY_POLICY:
+                                               if (!asn1_parse_simple_object(&object, ASN1_INTEGER,
+                                                                                                         level, "inhibitAnyPolicy"))
+                                               {
+                                                       goto end;
+                                               }
+                                               this->inhibit_any_policy = parse_constraint(object);
+                                               break;
                                        case OID_NS_REVOCATION_URL:
                                        case OID_NS_CA_REVOCATION_URL:
                                        case OID_NS_CA_POLICY_URL:
@@ -1727,6 +1734,8 @@ METHOD(x509_t, get_constraint, int,
                        return this->explicit_policy_constraint;
                case X509_INHIBIT_POLICY_MAPPING:
                        return this->inhibit_policy_constraint;
+               case X509_INHIBIT_ANY_POLICY:
+                       return this->inhibit_any_policy;
                default:
                        return X509_NO_CONSTRAINT;
        }
@@ -1863,6 +1872,7 @@ static private_x509_cert_t* create_empty(void)
                .pathLenConstraint = X509_NO_CONSTRAINT,
                .explicit_policy_constraint = X509_NO_CONSTRAINT,
                .inhibit_policy_constraint = X509_NO_CONSTRAINT,
+               .inhibit_any_policy = X509_NO_CONSTRAINT,
                .ref = 1,
        );
        return this;
@@ -1983,7 +1993,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
        chunk_t subjectAltNames = chunk_empty, policyMappings = chunk_empty;
        chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
        chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
-       chunk_t policyConstraints = chunk_empty;
+       chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
        identification_t *issuer, *subject;
        chunk_t key_info;
        signature_scheme_t scheme;
@@ -2270,23 +2280,34 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                                                asn1_integer("c",
                                                        chunk_from_thing(cert->inhibit_policy_constraint)));
                }
-               policyConstraints = asn1_wrap(ASN1_SEQUENCE, "mm",
-                                                               asn1_build_known_oid(OID_POLICY_CONSTRAINTS),
-                                                               asn1_wrap(ASN1_OCTET_STRING, "m",
-                                                                       asn1_wrap(ASN1_SEQUENCE, "mm",
-                                                                               explicit, inhibit)));
+               policyConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
+                                               asn1_build_known_oid(OID_POLICY_CONSTRAINTS),
+                                               asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
+                                               asn1_wrap(ASN1_OCTET_STRING, "m",
+                                                       asn1_wrap(ASN1_SEQUENCE, "mm",
+                                                               explicit, inhibit)));
+       }
+
+       if (cert->inhibit_any_policy != X509_NO_CONSTRAINT)
+       {
+               inhibitAnyPolicy = asn1_wrap(ASN1_SEQUENCE, "mmm",
+                               asn1_build_known_oid(OID_INHIBIT_ANY_POLICY),
+                               asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
+                               asn1_wrap(ASN1_OCTET_STRING, "m",
+                                       asn1_integer("c",
+                                               chunk_from_thing(cert->inhibit_any_policy))));
        }
 
        if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
                crlDistributionPoints.ptr || nameConstraints.ptr)
        {
                extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
-                                               asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmm",
+                                               asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmmm",
                                                        basicConstraints, keyUsage, subjectKeyIdentifier,
                                                        authKeyIdentifier, subjectAltNames,
                                                        extendedKeyUsage, crlDistributionPoints,
                                                        authorityInfoAccess, nameConstraints, certPolicies,
-                                                       policyMappings, policyConstraints));
+                                                       policyMappings, policyConstraints, inhibitAnyPolicy));
        }
 
        cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
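Review bot: The new `inhibitAnyPolicy` chunk is only wrapped into `extensions` when one of the five extensions tested at the `if (basicConstraints.ptr || subjectAltNames.ptr || ...)` line is present, so a certificate built with BUILD_POLICY_CONSTRAINT_INHIBIT_ANY and none of those silently loses the extension, and nothing in this hunk frees the chunk that was built for it. Extending the condition closes the gap: `crlDistributionPoints.ptr || nameConstraints.ptr || inhibitAnyPolicy.ptr)`; the same omission already applies to certPolicies, policyMappings and policyConstraints on the preceding lines and is worth fixing in the same condition. Separately, the rewritten policyConstraints wrapper now inserts `asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF))`, which marks that extension critical — a behaviour change unrelated to inhibitAnyPolicy that the commit title does not mention and that deserves its own sentence in the commit message. generate() starts and ends outside the hunk.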
@@ -2527,6 +2548,9 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
                        case BUILD_POLICY_CONSTRAINT_INHIBIT:
                                cert->inhibit_policy_constraint = va_arg(args, int);
                                continue;
+                       case BUILD_POLICY_CONSTRAINT_INHIBIT_ANY:
+                               cert->inhibit_any_policy = va_arg(args, int);
+                               continue;
                        case BUILD_NOT_BEFORE_TIME:
                                cert->notBefore = va_arg(args, time_t);
                                continue;
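Review bot: `cert->inhibit_any_policy = va_arg(args, int);` narrows the caller's int into a `char` field with no range check, so a skipCerts value above 127 or below zero is silently truncated and later DER-encoded by `chunk_from_thing()` in generate() from whatever byte remains. The existing BUILD_POLICY_CONSTRAINT_INHIBIT case above has the same shape; for the new case at least, read the argument into a local `int` first and map anything outside 0..127 to X509_NO_CONSTRAINT (or treat it as a builder error, if that is the plugin's convention) before storing it in the field. Whichever policy is chosen should be stated in the BUILD_POLICY_CONSTRAINT_INHIBIT_ANY doc comment in builder.h, which currently only says `inhibitAnyPolicy constraint, int`. x509_cert_gen starts and ends outside the hunk.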