vici: Introduce a ca_id option identity based CA certificate constraints
authorMartin Willi <martin@strongswan.org>
Thu, 28 Nov 2019 09:09:30 +0000 (10:09 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 6 Dec 2019 09:07:46 +0000 (10:07 +0100)
src/libcharon/plugins/vici/vici_config.c
src/libcharon/plugins/vici/vici_query.c

index 49ebea4..1bbad13 100644 (file)
@@ -373,6 +373,9 @@ static void log_auth(auth_cfg_t *auth)
                        case AUTH_RULE_IDENTITY:
                                DBG2(DBG_CFG, "   id = %Y", v.id);
                                break;
+                       case AUTH_RULE_CA_IDENTITY:
+                               DBG2(DBG_CFG, "   ca_id = %Y", v.id);
+                               break;
                        case AUTH_RULE_AAA_IDENTITY:
                                DBG2(DBG_CFG, "   aaa_id = %Y", v.id);
                                break;
@@ -1361,6 +1364,15 @@ CALLBACK(parse_ike_id, bool,
 }
 
 /**
+ * Parse CA identity constraint
+ */
+CALLBACK(parse_ca_id, bool,
+       auth_cfg_t *cfg, chunk_t v)
+{
+       return parse_id(cfg, AUTH_RULE_CA_IDENTITY, v);
+}
+
+/**
  * Parse AAA identity
  */
 CALLBACK(parse_aaa_id, bool,
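Review bot: The header comment on parse_ca_id says only "Parse CA identity constraint" and, unlike the sibling `parse_ike_id`/`parse_aaa_id` comments whose meaning follows from the well-known key names, does not say what the configured identity is compared against or which rule it becomes; consider `/** Parse CA identity constraint: identity the CA certificate must match (AUTH_RULE_CA_IDENTITY) */`, assuming that is the intended semantics. The callback itself is complete within the hunk and simply forwards to parse_id, so the comment is the only place a reader learns the contract.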
@@ -1755,6 +1767,7 @@ CALLBACK(auth_kv, bool,
        parse_rule_t rules[] = {
                { "auth",                       parse_auth,                     auth->cfg                                       },
                { "id",                         parse_ike_id,           auth->cfg                                       },
+               { "ca_id",                      parse_ca_id,            auth->cfg                                       },
                { "aaa_id",                     parse_aaa_id,           auth->cfg                                       },
                { "eap_id",                     parse_eap_id,           auth->cfg                                       },
                { "xauth_id",           parse_xauth_id,         auth->cfg                                       },
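Review bot: The new `ca_id` key is registered in the auth_kv rule table here, but the commit touches only vici_config.c and vici_query.c, so neither the vici README nor the swanctl.conf option reference learns about the option and an operator has only the source to discover it. A short documentation entry giving the key name, that it sits in the local/remote auth sections next to `id` and `aaa_id`, and what it constrains would close that gap. Whether AUTH_RULE_CA_IDENTITY is actually enforced during authentication is not visible in this diff; if that lands separately, a cross-reference in the commit message would help reviewers. The auth_kv body begins before and continues after this hunk.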
index 81d692c..ad07ff1 100644 (file)
@@ -765,6 +765,9 @@ static void build_auth_cfgs(peer_cfg_t *peer_cfg, bool local, vici_builder_t *b)
                                case AUTH_RULE_IDENTITY:
                                        b->add_kv(b, "id", "%Y", v.id);
                                        break;
+                               case AUTH_RULE_CA_IDENTITY:
+                                       b->add_kv(b, "ca_id", "%Y", v.id);
+                                       break;
                                case AUTH_RULE_AAA_IDENTITY:
                                        b->add_kv(b, "aaa_id", "%Y", v.id);
                                        break;