pki: Support an --addrblock option for issued certificates
authorMartin Willi <martin@strongswan.org>
Tue, 21 Feb 2017 14:07:42 +0000 (15:07 +0100)
committerMartin Willi <martin@strongswan.org>
Mon, 27 Feb 2017 08:36:48 +0000 (09:36 +0100)
src/pki/commands/issue.c
src/pki/man/pki---issue.1.in

index d95f53c..333c6eb 100644 (file)
@@ -71,6 +71,7 @@ static int issue()
        char *error = NULL, *keyid = NULL;
        identification_t *id = NULL;
        linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies, *mappings;
+       linked_list_t *addrblocks;
        int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
        int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
        chunk_t serial = chunk_empty;
@@ -81,6 +82,7 @@ static int issue()
        x509_t *x509;
        x509_cdp_t *cdp = NULL;
        x509_cert_policy_t *policy = NULL;
+       traffic_selector_t *ts;
        char *arg;
 
        san = linked_list_create();
@@ -90,6 +92,7 @@ static int issue()
        excluded = linked_list_create();
        policies = linked_list_create();
        mappings = linked_list_create();
+       addrblocks = linked_list_create();
 
        while (TRUE)
        {
@@ -184,6 +187,15 @@ static int issue()
                        case 'p':
                                pathlen = atoi(arg);
                                continue;
+                       case 'B':
+                               ts = parse_ts(arg);
+                               if (!ts)
+                               {
+                                       error = "invalid addressBlock";
+                                       goto usage;
+                               }
+                               addrblocks->insert_last(addrblocks, ts);
+                               continue;
                        case 'n':
                                permitted->insert_last(permitted,
                                                                           identification_create_from_string(arg));
@@ -519,7 +531,7 @@ static int issue()
                                        BUILD_NOT_BEFORE_TIME, not_before, BUILD_DIGEST_ALG, digest,
                                        BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
                                        BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags,
-                                       BUILD_PATHLEN, pathlen,
+                                       BUILD_PATHLEN, pathlen, BUILD_ADDRBLOCKS, addrblocks,
                                        BUILD_CRL_DISTRIBUTION_POINTS, cdps,
                                        BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
                                        BUILD_PERMITTED_NAME_CONSTRAINTS, permitted,
@@ -557,6 +569,7 @@ end:
        san->destroy_offset(san, offsetof(identification_t, destroy));
        permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
        excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+       addrblocks->destroy_offset(addrblocks, offsetof(traffic_selector_t, destroy));
        policies->destroy_function(policies, (void*)destroy_cert_policy);
        mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
        cdps->destroy_function(cdps, (void*)destroy_cdp);
@@ -575,6 +588,7 @@ usage:
        san->destroy_offset(san, offsetof(identification_t, destroy));
        permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
        excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+       addrblocks->destroy_offset(addrblocks, offsetof(traffic_selector_t, destroy));
        policies->destroy_function(policies, (void*)destroy_cert_policy);
        mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
        cdps->destroy_function(cdps, (void*)destroy_cdp);
@@ -616,6 +630,7 @@ static void __attribute__ ((constructor))reg()
                        {"serial",                      's', 1, "serial number in hex, default: random"},
                        {"ca",                          'b', 0, "include CA basicConstraint, default: no"},
                        {"pathlen",                     'p', 1, "set path length constraint"},
+                       {"addrblock",           'B', 1, "RFC 3779 addrBlock to include"},
                        {"nc-permitted",        'n', 1, "add permitted NameConstraint"},
                        {"nc-excluded",         'N', 1, "add excluded NameConstraint"},
                        {"cert-policy",         'P', 1, "certificatePolicy OID to include"},
index ba5886f..3f9382e 100644 (file)
@@ -24,6 +24,7 @@ pki \-\-issue \- Issue a certificate using a CA certificate and key
 .OP \-\-ocsp uri
 .OP \-\-pathlen len
 .OP \-\-nc-permitted name
+.OP \-\-addrblock block
 .OP \-\-nc-excluded name
 .OP \-\-policy\-mapping mapping
 .OP \-\-policy\-explicit len
@@ -148,6 +149,11 @@ times.
 .BI "\-p, \-\-pathlen " len
 Set path length constraint.
 .TP
+.BI "\-B, \-\-addrblock " block
+RFC 3779 address block to include in certificate. \fIblock\fR is either a
+CIDR subnet (such as \fI10.0.0.0/8\fR) or an arbitrary address range
+(\fI192.168.1.7-192.168.1.13\fR). Can be repeated to include multiple blocks.
+.TP
 .BI "\-n, \-\-nc-permitted " name
 Add permitted NameConstraint extension to certificate. For DNS or email
 constraints, the identity type is not always detectable by the given name. Use