ipsec pki --self|issue supports --pathlen option setting a path length constraint
authorAndreas Steffen <andreas@strongswan.org>
Thu, 31 Dec 2009 14:13:35 +0000 (15:13 +0100)
committerAndreas Steffen <andreas@strongswan.org>
Thu, 31 Dec 2009 14:13:35 +0000 (15:13 +0100)
src/libstrongswan/credentials/builder.c
src/libstrongswan/credentials/builder.h
src/libstrongswan/plugins/x509/x509_cert.c
src/pki/commands/issue.c
src/pki/commands/self.c

index 873e7d1..8be1c15 100644 (file)
@@ -42,6 +42,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
        "BUILD_CERT",
        "BUILD_CRL_DISTRIBUTION_POINTS",
        "BUILD_OCSP_ACCESS_LOCATIONS",
+       "BUILD_PATHLEN",
        "BUILD_X509_FLAG",
        "BUILD_SMARTCARD_KEYID",
        "BUILD_SMARTCARD_PIN",
index b6f0386..62a6ffa 100644 (file)
@@ -97,6 +97,8 @@ enum builder_part_t {
        BUILD_CRL_DISTRIBUTION_POINTS,
        /** OCSP AuthorityInfoAccess locations, linked_list_t* containing char* */
        BUILD_OCSP_ACCESS_LOCATIONS,
+       /** certificate path length constraint */
+       BUILD_PATHLEN,
        /** enforce an additional X509 flag, x509_flag_t */
        BUILD_X509_FLAG,
        /** key ID of a key on a smartcard, null terminated char* ([slot:]keyid) */
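Review bot: The new BUILD_PATHLEN comment omits the va_arg type that every neighbouring entry states (linked_list_t*, x509_flag_t, char*), and the builder reads it with va_arg(args, int), so the comment should say so: `/** certificate path length constraint, int (X509_NO_PATH_LEN_CONSTRAINT for none) */`. Stating the type in the enum comment is what callers rely on to pass the right width through the variadic builder.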
index dee056d..199d593 100644 (file)
@@ -1582,14 +1582,23 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
        /* build CA basicConstraint for CA certificates */
        if (cert->flags & X509_CA)
        {
+               chunk_t pathLenConstraint = chunk_empty;
+
+               if (cert->pathLenConstraint != X509_NO_PATH_LEN_CONSTRAINT)
+               {
+                       char pathlen = (char)cert->pathLenConstraint;
+
+                       pathLenConstraint = asn1_integer("c", chunk_from_thing(pathlen));
+               }
                basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
                                                                asn1_build_known_oid(OID_BASIC_CONSTRAINTS),
                                                                asn1_wrap(ASN1_BOOLEAN, "c",
                                                                        chunk_from_chars(0xFF)),
                                                                asn1_wrap(ASN1_OCTET_STRING, "m",
-                                                                               asn1_wrap(ASN1_SEQUENCE, "m",
+                                                                               asn1_wrap(ASN1_SEQUENCE, "mm",
                                                                                        asn1_wrap(ASN1_BOOLEAN, "c",
-                                                                                               chunk_from_chars(0xFF)))));
+                                                                                               chunk_from_chars(0xFF)),
+                                                                                       pathLenConstraint)));
        }
 
        /* add serverAuth extendedKeyUsage flag */
@@ -1802,6 +1811,13 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
                                enumerator->destroy(enumerator);
                                continue;
                        }
+                       case BUILD_PATHLEN:
+                               cert->pathLenConstraint = va_arg(args, int);
+                               if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127)
+                               {
+                                       cert->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT;
+                               }
+                               continue;
                        case BUILD_NOT_BEFORE_TIME:
                                cert->notBefore = va_arg(args, time_t);
                                continue;
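Review bot: The range check in the BUILD_PATHLEN case silently replaces an out-of-range request with X509_NO_PATH_LEN_CONSTRAINT, so a caller asking for a tight constraint (or passing a negative value from a bad command line) gets an unconstrained CA certificate with no indication; at minimum the override should be logged before the reset, e.g. `DBG1(DBG_LIB, "pathLenConstraint %d out of range, ignored", cert->pathLenConstraint);`, or better the build should fail. The 0..127 bound is also what makes the `char pathlen = (char)cert->pathLenConstraint;` cast in generate() a single positive DER INTEGER byte, so the check deserves a comment tying the two together, such as `/* 0..127 keeps the one-byte DER INTEGER in generate() positive */`. Note as well that generate() only emits the constraint inside the `if (cert->flags & X509_CA)` block, so a pathlen set without the CA flag is dropped silently. Both generate() and x509_cert_gen() continue outside their hunks.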
index 48c1ead..89c9cc7 100644 (file)
@@ -38,6 +38,7 @@ static int issue()
        identification_t *id = NULL;
        linked_list_t *san, *cdps, *ocsp;
        int lifetime = 1080;
+       int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
        chunk_t serial = chunk_empty;
        chunk_t encoding = chunk_empty;
        time_t not_before, not_after;
@@ -103,6 +104,9 @@ static int issue()
                        case 'b':
                                flags |= X509_CA;
                                continue;
+                       case 'p':
+                               pathlen = atoi(arg);
+                               continue;
                        case 'f':
                                if (streq(arg, "serverAuth"))
                                {
@@ -280,6 +284,7 @@ static int issue()
                                        BUILD_NOT_BEFORE_TIME, not_before, BUILD_DIGEST_ALG, digest,
                                        BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
                                        BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags,
+                                       BUILD_PATHLEN, pathlen,
                                        BUILD_CRL_DISTRIBUTION_POINTS, cdps,
                                        BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END);
        if (!cert)
@@ -336,8 +341,8 @@ static void __attribute__ ((constructor))reg()
                "issue a certificate using a CA certificate and key",
                {"[--in file] [--type pub|pkcs10]",
                 " --cacert file --cakey file --dn subject-dn [--san subjectAltName]+",
-                "[--lifetime days] [--serial hex] [--ca] [--crl uri]+ [--ocsp uri]+",
-                "[--flag serverAuth|ocspSigning]+",
+                "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+",
+                "[--ca] [--pathlen len] [--flag serverAuth|ocspSigning]+",
                 "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
                {
                        {"help",        'h', 0, "show usage information"},
@@ -350,6 +355,7 @@ static void __attribute__ ((constructor))reg()
                        {"lifetime",'l', 1, "days the certificate is valid, default: 1080"},
                        {"serial",      's', 1, "serial number in hex, default: random"},
                        {"ca",          'b', 0, "include CA basicConstraint, default: no"},
+                       {"pathlen",     'p', 1, "set path length constraint"},
                        {"flag",        'f', 1, "include extendedKeyUsage flag"},
                        {"crl",         'u', 1, "CRL distribution point URI to include"},
                        {"ocsp",        'o', 1, "OCSP AuthorityInfoAccess URI to include"},
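Review bot: `pathlen = atoi(arg);` in the new 'p' case cannot report a parse failure, so `--pathlen abc` silently becomes a path length of 0 (the most restrictive value) and `--pathlen 200` or `--pathlen -1` is later discarded by the builder, yielding an unconstrained CA; the same code is added in self.c. Parsing with strtol and rejecting anything outside 0..127 at the command line gives the operator an error instead of a certificate with a different constraint than requested, and the help text could state the range, e.g. `{"pathlen",     'p', 1, "set path length constraint (0-127)"},`. issue() starts before this hunk, so the error path used for other bad options is not visible here.
```c
case 'p':
{
    char *end;
    long v = strtol(arg, &end, 10);
    if (*arg == '\0' || *end != '\0' || v < 0 || v > 127)
    {
        /* PLACEHOLDER: report "invalid --pathlen" the way issue() reports other bad options */
    }
    pathlen = (int)v;
    continue;
}
```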
index fb292a7..30ae23b 100644 (file)
@@ -35,6 +35,7 @@ static int self()
        identification_t *id = NULL;
        linked_list_t *san, *ocsp;
        int lifetime = 1080;
+       int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
        chunk_t serial = chunk_empty;
        chunk_t encoding = chunk_empty;
        time_t not_before, not_after;
@@ -96,6 +97,9 @@ static int self()
                        case 'b':
                                flags |= X509_CA;
                                continue;
+                       case 'p':
+                               pathlen = atoi(arg);
+                               continue;
                        case 'o':
                                ocsp->insert_last(ocsp, arg);
                                continue;
@@ -163,7 +167,7 @@ static int self()
                                                BUILD_SUBJECT, id, BUILD_NOT_BEFORE_TIME, not_before,
                                                BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
                                                BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags,
-                                               BUILD_SUBJECT_ALTNAMES, san,
+                                               BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san,
                                                BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END);
        if (!cert)
        {
@@ -226,6 +230,7 @@ static void __attribute__ ((constructor))reg()
                        {"lifetime",'l', 1, "days the certificate is valid, default: 1080"},
                        {"serial",      's', 1, "serial number in hex, default: random"},
                        {"ca",          'b', 0, "include CA basicConstraint, default: no"},
+                       {"pathlen",     'p', 1, "set path length constraint"},
                        {"ocsp",        'o', 1, "OCSP AuthorityInfoAccess URI to include"},
                        {"digest",      'g', 1, "digest for signature creation, default: sha1"},
                }