}
/**
+ * Parse certificate policy
+ */
+CALLBACK(parse_cert_policy, bool,
+ auth_cfg_t *cfg, chunk_t v)
+{
+ char buf[BUF_LEN];
+
+ if (!vici_stringify(v, buf, sizeof(buf)))
+ {
+ return FALSE;
+ }
+ cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(buf));
+ return TRUE;
+}
+
+/**
* Parse a certificate; add as auth rule to config
*/
static bool parse_cert(auth_data_t *auth, auth_rule_t rule, chunk_t v)
{
parse_rule_t rules[] = {
{ "groups", parse_group, auth->cfg },
+ { "cert_policy", parse_cert_policy, auth },
{ "certs", parse_certs, auth },
{ "cacerts", parse_cacerts, auth },
{ "pubkeys", parse_pubkeys, auth },
can be certified by different means, for example by appropriate Attribute
Certificates or by an AAA backend involved in the authentication.
+connections.<conn>.remote<suffix>.cert_policy =
+ Certificate policy OIDs the peer's certificate must have.
+
+ Comma separated list of certificate policy OIDs the peer's certificate must
+ have. OIDs are specified using the numerical dotted representation.
+
connections.<conn>.remote<suffix>.certs =
Comma separated list of certificate to accept for authentication.