Use a generic getter for all numerical X.509 constraints
authorMartin Willi <martin@revosec.ch>
Wed, 22 Dec 2010 14:10:03 +0000 (15:10 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 5 Jan 2011 15:46:05 +0000 (16:46 +0100)
src/libcharon/plugins/stroke/stroke_list.c
src/libstrongswan/credentials/certificates/x509.h
src/libstrongswan/plugins/constraints/constraints_validator.c
src/libstrongswan/plugins/openssl/openssl_x509.c
src/libstrongswan/plugins/x509/x509_cert.c
src/pki/commands/print.c
src/pluto/ocsp.c
src/pluto/x509.c

index 375ea38..5b195e2 100644 (file)
@@ -834,7 +834,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
                        }
 
                        /* list optional pathLenConstraint */
-                       pathlen = x509->get_pathLenConstraint(x509);
+                       pathlen = x509->get_constraint(x509, X509_PATH_LEN);
                        if (pathlen != X509_NO_CONSTRAINT)
                        {
                                fprintf(out, "  pathlen:   %d\n", pathlen);
index 24e30a7..d668ceb 100644 (file)
@@ -31,6 +31,7 @@ typedef struct x509_cert_policy_t x509_cert_policy_t;
 typedef struct x509_policy_mapping_t x509_policy_mapping_t;
 typedef struct x509_cdp_t x509_cdp_t;
 typedef enum x509_flag_t x509_flag_t;
+typedef enum x509_constraint_t x509_constraint_t;
 
 /**
  * X.509 certificate flags.
@@ -57,6 +58,18 @@ enum x509_flag_t {
 };
 
 /**
+ * Different numerical X.509 constraints.
+ */
+enum x509_constraint_t {
+       /** pathLenConstraint basicConstraints */
+       X509_PATH_LEN,
+       /** inhibitPolicyMapping policyConstraint */
+       X509_INHIBIT_POLICY_MAPPING,
+       /** requireExplicitPolicy policyConstraint */
+       X509_REQUIRE_EXPLICIT_POLICY,
+};
+
+/**
  * X.509 certPolicy extension.
  */
 struct x509_cert_policy_t {
@@ -130,19 +143,12 @@ struct x509_t {
        chunk_t (*get_authKeyIdentifier)(x509_t *this);
 
        /**
-        * Get an optional path length constraint.
-        *
-        * @return                      pathLenConstraint, X509_NO_CONSTRAINT if none found
-        */
-       int (*get_pathLenConstraint)(x509_t *this);
-
-       /**
-        * Get a policyConstraint, inhibitPolicyMapping or requireExplicitPolicy.
+        * Get a numerical X.509 constraint.
         *
-        * @param inhibit       TRUE to get inhibitPolicyMapping
+        * @param type          type of constraint to get
         * @return                      constraint, X509_NO_CONSTRAINT if none found
         */
-       int (*get_policyConstraint)(x509_t *this, bool inhibit);
+       int (*get_constraint)(x509_t *this, x509_constraint_t type);
 
        /**
         * Create an enumerator over all subjectAltNames.
index 3d5211e..9df775c 100644 (file)
@@ -40,7 +40,7 @@ static bool check_pathlen(x509_t *issuer, int pathlen)
 {
        int pathlen_constraint;
 
-       pathlen_constraint = issuer->get_pathLenConstraint(issuer);
+       pathlen_constraint = issuer->get_constraint(issuer, X509_PATH_LEN);
        if (pathlen_constraint != X509_NO_CONSTRAINT &&
                pathlen > pathlen_constraint)
        {
@@ -439,7 +439,7 @@ static bool check_policy_constraints(x509_t *issuer, int pathlen,
                        enumerator = chain->create_enumerator(chain);
                        while (enumerator->enumerate(enumerator, &x509))
                        {
-                               expl = x509->get_policyConstraint(x509, FALSE);
+                               expl = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
                                if (expl != X509_NO_CONSTRAINT)
                                {
                                        if (!has_policy_chain(chain, (x509_t*)subject, len - expl))
@@ -458,7 +458,7 @@ static bool check_policy_constraints(x509_t *issuer, int pathlen,
                        enumerator = chain->create_enumerator(chain);
                        while (enumerator->enumerate(enumerator, &x509))
                        {
-                               expl = x509->get_policyConstraint(x509, TRUE);
+                               expl = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
                                if (expl != X509_NO_CONSTRAINT)
                                {
                                        if (!has_policy_mapping(chain, len - expl))
index cf83b15..dfbebe7 100644 (file)
@@ -250,16 +250,16 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t,
        return chunk_empty;
 }
 
-METHOD(x509_t, get_pathLenConstraint, int,
-       private_openssl_x509_t *this)
-{
-       return this->pathlen;
-}
-
-METHOD(x509_t, get_policyConstraint, int,
-       private_openssl_x509_t *this, bool inhibit)
+METHOD(x509_t, get_constraint, int,
+       private_openssl_x509_t *this, x509_constraint_t type)
 {
-       return X509_NO_CONSTRAINT;
+       switch (type)
+       {
+               case X509_PATH_LEN:
+                       return this->pathlen;
+               default:
+                       return X509_NO_CONSTRAINT;
+       }
 }
 
 METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
@@ -526,8 +526,7 @@ static private_openssl_x509_t *create_empty()
                                .get_serial = _get_serial,
                                .get_subjectKeyIdentifier = _get_subjectKeyIdentifier,
                                .get_authKeyIdentifier = _get_authKeyIdentifier,
-                               .get_pathLenConstraint = _get_pathLenConstraint,
-                               .get_policyConstraint = _get_policyConstraint,
+                               .get_constraint = _get_constraint,
                                .create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
                                .create_crl_uri_enumerator = _create_crl_uri_enumerator,
                                .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
index 1628509..995ba9b 100644 (file)
@@ -1716,20 +1716,20 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t,
        return this->authKeyIdentifier;
 }
 
-METHOD(x509_t, get_pathLenConstraint, int,
-       private_x509_cert_t *this)
-{
-       return this->pathLenConstraint;
-}
-
-METHOD(x509_t, get_policyConstraint, int,
-       private_x509_cert_t *this, bool inhibit)
+METHOD(x509_t, get_constraint, int,
+       private_x509_cert_t *this, x509_constraint_t type)
 {
-       if (inhibit)
-       {
-               return this->inhibit_policy_constraint;
+       switch (type)
+       {
+               case X509_PATH_LEN:
+                       return this->pathLenConstraint;
+               case X509_REQUIRE_EXPLICIT_POLICY:
+                       return this->explicit_policy_constraint;
+               case X509_INHIBIT_POLICY_MAPPING:
+                       return this->inhibit_policy_constraint;
+               default:
+                       return X509_NO_CONSTRAINT;
        }
-       return this->explicit_policy_constraint;
 }
 
 METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
@@ -1841,8 +1841,7 @@ static private_x509_cert_t* create_empty(void)
                                .get_serial = _get_serial,
                                .get_subjectKeyIdentifier = _get_subjectKeyIdentifier,
                                .get_authKeyIdentifier = _get_authKeyIdentifier,
-                               .get_pathLenConstraint = _get_pathLenConstraint,
-                               .get_policyConstraint = _get_policyConstraint,
+                               .get_constraint = _get_constraint,
                                .create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
                                .create_crl_uri_enumerator = _create_crl_uri_enumerator,
                                .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
index 185895e..046f2be 100644 (file)
@@ -73,7 +73,7 @@ static void print_x509(x509_t *x509)
        chunk_t chunk;
        bool first;
        char *uri;
-       int len;
+       int len, explicit, inhibit;
        x509_flag_t flags;
        x509_cdp_t *cdp;
        x509_cert_policy_t *policy;
@@ -176,7 +176,7 @@ static void print_x509(x509_t *x509)
        }
        enumerator->destroy(enumerator);
 
-       len = x509->get_pathLenConstraint(x509);
+       len = x509->get_constraint(x509, X509_PATH_LEN);
        if (len != X509_NO_CONSTRAINT)
        {
                printf("pathlen:   %d\n", len);
@@ -259,19 +259,19 @@ static void print_x509(x509_t *x509)
        }
        enumerator->destroy(enumerator);
 
-       if (x509->get_policyConstraint(x509, FALSE) != X509_NO_CONSTRAINT ||
-               x509->get_policyConstraint(x509, TRUE) != X509_NO_CONSTRAINT)
+       explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
+       inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
+
+       if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT)
        {
                printf("PolicyConstraints:\n");
-               if (x509->get_policyConstraint(x509, FALSE) != X509_NO_CONSTRAINT)
+               if (explicit != X509_NO_CONSTRAINT)
                {
-                       printf("           requireExplicitPolicy: %d\n",
-                                  x509->get_policyConstraint(x509, FALSE));
+                       printf("           requireExplicitPolicy: %d\n", explicit);
                }
-               if (x509->get_policyConstraint(x509, TRUE) != X509_NO_CONSTRAINT)
+               if (inhibit != X509_NO_CONSTRAINT)
                {
-                       printf("           inhibitPolicyMapping: %d\n",
-                                  x509->get_policyConstraint(x509, TRUE));
+                       printf("           inhibitPolicyMapping: %d\n", inhibit);
                }
        }
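Review bot: `explicit` in the new declaration `int len, explicit, inhibit;` is a reserved word in C++; it is valid C and this is a .c file, but a name such as `require_explicit`, mirroring X509_REQUIRE_EXPLICIT_POLICY, avoids the trap if the unit is ever compiled or included as C++. Hoisting the two getter calls into locals is otherwise an improvement over the repeated calls on the removed lines. print_x509 starts and ends outside the hunk.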
 
index 85cc5e0..a3694b7 100644 (file)
@@ -1045,7 +1045,7 @@ static bool valid_ocsp_response(response_t *res)
                )
 
                /* check path length constraint */
-               pathlen_constraint = x509->get_pathLenConstraint(x509);
+               pathlen_constraint = x509->get_constraint(x509, X509_PATH_LEN);
                if (pathlen_constraint != X509_NO_CONSTRAINT &&
                        pathlen > pathlen_constraint)
                {
index d821c9b..7e2aca8 100644 (file)
@@ -255,7 +255,7 @@ bool verify_x509cert(cert_t *cert, bool strict, time_t *until)
                unlock_authcert_list("verify_x509cert");
 
                /* check path length constraint */
-               pathlen_constraint = x509->get_pathLenConstraint(x509);
+               pathlen_constraint = x509->get_constraint(x509, X509_PATH_LEN);
                if (pathlen_constraint != X509_NO_CONSTRAINT &&
                        pathlen > pathlen_constraint)
                {
@@ -450,7 +450,7 @@ void list_x509cert_chain(const char *caption, cert_t* cert,
                        }
 
                        /* list optional pathLenConstraint */
-                       pathlen = x509->get_pathLenConstraint(x509);
+                       pathlen = x509->get_constraint(x509, X509_PATH_LEN);
                        if (pathlen != X509_NO_CONSTRAINT)
                        {
                                whack_log(RC_COMMENT, "  pathlen:   %d", pathlen);