Added inhibitAnyPolicy constraint support to pki tool
authorMartin Willi <martin@revosec.ch>
Wed, 22 Dec 2010 14:52:19 +0000 (15:52 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 5 Jan 2011 15:46:05 +0000 (16:46 +0100)
src/pki/commands/issue.c
src/pki/commands/print.c
src/pki/commands/self.c

index 2ebb565..32eade7 100644 (file)
@@ -68,7 +68,7 @@ static int issue()
        identification_t *id = NULL;
        linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies, *mappings;
        int lifetime = 1095;
-       int pathlen = X509_NO_CONSTRAINT;
+       int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
        int inhibit_policy = X509_NO_CONSTRAINT, explicit_policy = X509_NO_CONSTRAINT;
        chunk_t serial = chunk_empty;
        chunk_t encoding = chunk_empty;
@@ -217,6 +217,9 @@ static int issue()
                        case 'H':
                                inhibit_policy = atoi(arg);
                                continue;
+                       case 'A':
+                               inhibit_any = atoi(arg);
+                               continue;
                        case 'e':
                                if (streq(arg, "serverAuth"))
                                {
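Review bot: The new `case 'A'` accepts the option value with `atoi(arg)`, so a non-numeric or malformed `--policy-any` argument silently becomes 0, which for inhibitAnyPolicy is the most restrictive skipCerts value and will be encoded into the issued certificate without any error; the same applies to the identical `case 'A'` added in self.c (L93-L95). This mirrors the existing `case 'H'` above it, so the pattern is inherited, but since the value ends up in a signed certificate extension it is worth validating here: parse with `strtol`, then `if (end == arg || *end != '\0' || val < 0 || val > INT_MAX)` reject the argument through the same error path the option loop already uses for bad input, and only then `inhibit_any = (int)val;`. Whether a negative value collides with `X509_NO_CONSTRAINT` cannot be told from the hunk — if that sentinel is negative, the range check above also prevents a user from accidentally passing it. The enclosing function `issue()` starts and ends outside this hunk.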
@@ -446,6 +449,7 @@ static int issue()
                                        BUILD_POLICY_MAPPINGS, mappings,
                                        BUILD_POLICY_CONSTRAINT_INHIBIT, inhibit_policy,
                                        BUILD_POLICY_CONSTRAINT_EXPLICIT, explicit_policy,
+                                       BUILD_POLICY_CONSTRAINT_INHIBIT_ANY, inhibit_any,
                                        BUILD_END);
        if (!cert)
        {
@@ -513,7 +517,7 @@ static void __attribute__ ((constructor))reg()
                 "[--nc-permitted name] [--nc-excluded name]",
                 "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+",
                 "[--policy-map issuer-oid:subject-oid]",
-                "[--policy-explicit len] [--policy-inhibit len] ",
+                "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
                 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
                {
                        {"help",                        'h', 0, "show usage information"},
@@ -536,6 +540,7 @@ static void __attribute__ ((constructor))reg()
                        {"policy-mapping",      'M', 1, "policyMapping from issuer to subject OID"},
                        {"policy-explicit",     'E', 1, "requireExplicitPolicy constraint"},
                        {"policy-inhibit",      'H', 1, "inhibitPolicyMapping constraint"},
+                       {"policy-any",          'A', 1, "inhibitAnyPolicy constraint"},
                        {"flag",                        'e', 1, "include extendedKeyUsage flag"},
                        {"crl",                         'u', 1, "CRL distribution point URI to include"},
                        {"crlissuer",           'I', 1, "CRL Issuer for CRL at distribution point"},
index 046f2be..ee6f30c 100644 (file)
@@ -261,8 +261,10 @@ static void print_x509(x509_t *x509)
 
        explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
        inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
+       len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
 
-       if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT)
+       if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT ||
+               len != X509_NO_CONSTRAINT)
        {
                printf("PolicyConstraints:\n");
                if (explicit != X509_NO_CONSTRAINT)
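Review bot: The inhibitAnyPolicy value is stored in `len`, a variable declared outside this hunk and, judging by its name, presumably already used for the pathLenConstraint earlier in `print_x509()`; reusing it for an unrelated constraint makes the three-way condition on the next lines and the print in the following hunk (L72-L75) harder to read, and risks a later edit reordering the two uses. A dedicated local declared next to `explicit` and `inhibit` reads better: `inhibit_any = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);` with the condition and the `printf("           inhibitAnyPolicy: %d\n", inhibit_any);` updated to match. The enclosing function starts and ends outside this hunk, so the declaration site is not visible here.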
@@ -273,6 +275,10 @@ static void print_x509(x509_t *x509)
                {
                        printf("           inhibitPolicyMapping: %d\n", inhibit);
                }
+               if (len != X509_NO_CONSTRAINT)
+               {
+                       printf("           inhibitAnyPolicy: %d\n", len);
+               }
        }
 
        chunk = x509->get_authKeyIdentifier(x509);
index 5135985..ef0ea6b 100644 (file)
@@ -56,7 +56,7 @@ static int self()
        identification_t *id = NULL;
        linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings;
        int lifetime = 1095;
-       int pathlen = X509_NO_CONSTRAINT;
+       int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
        int inhibit_policy = X509_NO_CONSTRAINT, explicit_policy = X509_NO_CONSTRAINT;
        chunk_t serial = chunk_empty;
        chunk_t encoding = chunk_empty;
@@ -200,6 +200,9 @@ static int self()
                        case 'H':
                                inhibit_policy = atoi(arg);
                                continue;
+                       case 'A':
+                               inhibit_any = atoi(arg);
+                               continue;
                        case 'e':
                                if (streq(arg, "serverAuth"))
                                {
@@ -314,6 +317,7 @@ static int self()
                                                BUILD_POLICY_MAPPINGS, mappings,
                                                BUILD_POLICY_CONSTRAINT_EXPLICIT, explicit_policy,
                                                BUILD_POLICY_CONSTRAINT_INHIBIT, inhibit_policy,
+                                               BUILD_POLICY_CONSTRAINT_INHIBIT_ANY, inhibit_any,
                                                BUILD_END);
        if (!cert)
        {
@@ -377,7 +381,7 @@ static void __attribute__ ((constructor))reg()
                 "[--nc-permitted name] [--nc-excluded name]",
                 "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+",
                 "[--policy-map issuer-oid:subject-oid]",
-                "[--policy-explicit len] [--policy-inhibit len] ",
+                "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
                 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
                {
                        {"help",                        'h', 0, "show usage information"},
@@ -398,6 +402,7 @@ static void __attribute__ ((constructor))reg()
                        {"policy-mapping",      'M', 1, "policyMapping from issuer to subject OID"},
                        {"policy-explicit",     'E', 1, "requireExplicitPolicy constraint"},
                        {"policy-inhibit",      'H', 1, "inhibitPolicyMapping constraint"},
+                       {"policy-any",          'A', 1, "inhibitAnyPolicy constraint"},
                        {"flag",                        'e', 1, "include extendedKeyUsage flag"},
                        {"ocsp",                        'o', 1, "OCSP AuthorityInfoAccess URI to include"},
                        {"digest",                      'g', 1, "digest for signature creation, default: sha1"},