vici: Introduce a ca_id option identity based CA certificate constraints

2019-11-28 10:09:30 +01:00 · 2019-11-28 10:09:30 +01:00 · 3c71a3201f
parent c70201f1e3
commit 3c71a3201f
2 changed files with 16 additions and 0 deletions
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@ -373,6 +373,9 @@ static void log_auth(auth_cfg_t *auth)
 			case AUTH_RULE_IDENTITY:
 				DBG2(DBG_CFG, "   id = %Y", v.id);
 				break;
+			case AUTH_RULE_CA_IDENTITY:
+				DBG2(DBG_CFG, "   ca_id = %Y", v.id);
+				break;
 			case AUTH_RULE_AAA_IDENTITY:
 				DBG2(DBG_CFG, "   aaa_id = %Y", v.id);
 				break;
@ -1360,6 +1363,15 @@ CALLBACK(parse_ike_id, bool,
 	return parse_id(cfg, AUTH_RULE_IDENTITY, v);
 }

+/**
+ * Parse CA identity constraint
+ */
+CALLBACK(parse_ca_id, bool,
+	auth_cfg_t *cfg, chunk_t v)
+{
+	return parse_id(cfg, AUTH_RULE_CA_IDENTITY, v);
+}
+
 /**
 * Parse AAA identity
 */
@ -1755,6 +1767,7 @@ CALLBACK(auth_kv, bool,
 	parse_rule_t rules[] = {
 		{ "auth",			parse_auth,			auth->cfg					},
 		{ "id",				parse_ike_id,		auth->cfg					},
+		{ "ca_id",			parse_ca_id,		auth->cfg					},
 		{ "aaa_id",			parse_aaa_id,		auth->cfg					},
 		{ "eap_id",			parse_eap_id,		auth->cfg					},
 		{ "xauth_id",		parse_xauth_id,		auth->cfg					},
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@ -765,6 +765,9 @@ static void build_auth_cfgs(peer_cfg_t *peer_cfg, bool local, vici_builder_t *b)
 				case AUTH_RULE_IDENTITY:
 					b->add_kv(b, "id", "%Y", v.id);
 					break;
+				case AUTH_RULE_CA_IDENTITY:
+					b->add_kv(b, "ca_id", "%Y", v.id);
+					break;
 				case AUTH_RULE_AAA_IDENTITY:
 					b->add_kv(b, "aaa_id", "%Y", v.id);
 					break;