Moved X509 pathlen constraint checking to constraints plugin
authorMartin Willi <martin@revosec.ch>
Thu, 9 Dec 2010 09:46:48 +0000 (10:46 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 5 Jan 2011 15:46:00 +0000 (16:46 +0100)
src/libstrongswan/credentials/credential_manager.c
src/libstrongswan/plugins/constraints/constraints_validator.c

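index f437bbf..cc429ce 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -471,23 +471,6 @@ static bool check_certificate(private_credential_manager_t *this,
                         &not_before, FALSE, &not_after, FALSE);
                return FALSE;
        }
-       if (issuer->get_type(issuer) == CERT_X509 &&
-               subject->get_type(subject) == CERT_X509)
-       {
-               int pathlen_constraint;
-               x509_t *x509;
-
-               /* check path length constraint */
-               x509 = (x509_t*)issuer;
-               pathlen_constraint = x509->get_pathLenConstraint(x509);
-               if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
-                       pathlen > pathlen_constraint)
-               {
-                       DBG1(DBG_CFG, "path length of %d violates constraint of %d",
-                                pathlen, pathlen_constraint);
-                       return FALSE;
-               }
-       }
 
        enumerator = this->validators->create_enumerator(this->validators);
        while (enumerator->enumerate(enumerator, &validator))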
index 834d4ef..7598f28 100644 (file)
@@ -15,6 +15,9 @@
 
 #include "constraints_validator.h"
 
+#include <debug.h>
+#include <credentials/certificates/x509.h>
+
 typedef struct private_constraints_validator_t private_constraints_validator_t;
 
 /**
@@ -28,10 +31,36 @@ struct private_constraints_validator_t {
        constraints_validator_t public;
 };
 
+/**
+ * Check pathlen constraint of issuer certificate
+ */
+static bool check_pathlen(x509_t *issuer, int pathlen)
+{
+       int pathlen_constraint;
+
+       pathlen_constraint = issuer->get_pathLenConstraint(issuer);
+       if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
+               pathlen > pathlen_constraint)
+       {
+               DBG1(DBG_CFG, "path length of %d violates constraint of %d",
+                        pathlen, pathlen_constraint);
+               return FALSE;
+       }
+       return TRUE;
+}
+
 METHOD(cert_validator_t, validate, bool,
        private_constraints_validator_t *this, certificate_t *subject,
        certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
 {
+       if (issuer->get_type(issuer) == CERT_X509 &&
+               subject->get_type(subject) == CERT_X509)
+       {
+               if (!check_pathlen((x509_t*)issuer, pathlen))
+               {
+                       return FALSE;
+               }
+       }
        return TRUE;
 }
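Review bot: The comment on check_pathlen ("Check pathlen constraint of issuer certificate") does not say what `pathlen` counts or that a value of X509_NO_PATH_LEN_CONSTRAINT from get_pathLenConstraint disables the check, so a reader of the validator cannot tell whether an issuer with a constraint of 0 that has signed an intermediate is rejected here; expand it to something like `Check the pathLenConstraint of issuer against pathlen, presumably the number of certificates already between subject and issuer (confirm against the caller in credential_manager); X509_NO_PATH_LEN_CONSTRAINT means no limit`. Because the same check is removed from credential_manager.c in the first hunk, enforcement of pathLenConstraint now appears to depend entirely on the constraints plugin being loaded, which is worth stating in the comment above validate so deployments that omit the plugin know this check is lost. The declare-then-assign pair in check_pathlen could also collapse to `int pathlen_constraint = issuer->get_pathLenConstraint(issuer);`.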