vici: Add support for certificate policies
authorTobias Brunner <tobias@strongswan.org>
Wed, 16 Nov 2016 14:37:23 +0000 (15:37 +0100)
committerTobias Brunner <tobias@strongswan.org>
Thu, 16 Feb 2017 18:23:50 +0000 (19:23 +0100)
src/libcharon/plugins/vici/vici_config.c
src/swanctl/commands/load_conns.c
src/swanctl/swanctl.opt

index ff706be..add81b9 100644 (file)
@@ -1142,6 +1142,22 @@ CALLBACK(parse_group, bool,
 }
 
 /**
+ * Parse certificate policy
+ */
+CALLBACK(parse_cert_policy, bool,
+       auth_cfg_t *cfg, chunk_t v)
+{
+       char buf[BUF_LEN];
+
+       if (!vici_stringify(v, buf, sizeof(buf)))
+       {
+               return FALSE;
+       }
+       cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(buf));
+       return TRUE;
+}
+
+/**
  * Parse a certificate; add as auth rule to config
  */
 static bool parse_cert(auth_data_t *auth, auth_rule_t rule, chunk_t v)
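Review bot: `parse_cert_policy` declares its first parameter as `auth_cfg_t *cfg` and calls `cfg->add(...)` on it, but the rules table in the second hunk registers it with `auth` (the `auth_data_t *`), whereas `parse_group`, which likewise receives an `auth_cfg_t *`, is registered with `auth->cfg`. The CALLBACK macro erases the parameter type so this compiles, but at runtime `cfg->add` is invoked through a pointer to the wrong object, which is undefined behavior and will likely crash or corrupt memory as soon as a `cert_policy` entry is loaded. The entry in the second hunk should read `{ "cert_policy", parse_cert_policy, auth->cfg },`. Separately, the value is stored without checking that it is in the dotted-numeric form swanctl.opt documents; if the consumer of `AUTH_RULE_CERT_POLICY` expects that form (not visible in this diff), a syntax check here, or at least a comment noting that no validation happens, would make malformed entries fail at load time instead of silently never matching.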
@@ -1402,6 +1418,7 @@ CALLBACK(auth_li, bool,
 {
        parse_rule_t rules[] = {
                { "groups",                     parse_group,            auth->cfg                                       },
+               { "cert_policy",        parse_cert_policy,      auth                                            },
                { "certs",                      parse_certs,            auth                                            },
                { "cacerts",            parse_cacerts,          auth                                            },
                { "pubkeys",            parse_pubkeys,          auth                                            },
index 2e443a9..82592f4 100644 (file)
@@ -38,6 +38,7 @@ static bool is_list_key(char *key)
                "vips",
                "pools",
                "groups",
+               "cert_policy",
        };
        int i;
 
index e882e60..e748866 100644 (file)
@@ -406,6 +406,12 @@ connections.<conn>.remote<suffix>.groups =
        can be certified by different means, for example by appropriate Attribute
        Certificates or by an AAA backend involved in the authentication.
 
+connections.<conn>.remote<suffix>.cert_policy =
+       Certificate policy OIDs the peer's certificate must have.
+
+       Comma separated list of certificate policy OIDs the peer's certificate must
+       have. OIDs are specified using the numerical dotted representation.
+
 connections.<conn>.remote<suffix>.certs =
        Comma separated list of certificate to accept for authentication.