Charon uses a generic trunstchain length limit, not only for X509 certificates

src/libcharon/credentials/credential_manager.c

@@ -28,6 +28,11 @@
 #include <credentials/certificates/ocsp_request.h>
 #include <credentials/certificates/ocsp_response.h>
 
+/**
+ * Maximum length of a certificate trust chain
+ */
+#define MAX_TRUST_PATH_LEN 7
+
 typedef struct private_credential_manager_t private_credential_manager_t;
 
 /**
@@ -1132,7 +1137,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 	auth = auth_cfg_create();
 	current = subject->get_ref(subject);
 
-	for (pathlen = 0; pathlen <= X509_MAX_PATH_LEN; pathlen++)
+	for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++)
 	{
 		issuer = get_issuer_cert(this, current, TRUE);
 		if (issuer)
@@ -1205,9 +1210,9 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 		}
 	}
 	current->destroy(current);
-	if (pathlen > X509_MAX_PATH_LEN)
+	if (pathlen > MAX_TRUST_PATH_LEN)
 	{
-		DBG1(DBG_CFG, "maximum path length of %d exceeded", X509_MAX_PATH_LEN);
+		DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN);
 	}
 	if (trusted)
 	{
@@ -1479,7 +1484,7 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
 		}
 		issuer = get_issuer_cert(this, current, FALSE);
 		if (!issuer || issuer->equals(issuer, current) ||
-			pathlen > X509_MAX_PATH_LEN)
+			pathlen > MAX_TRUST_PATH_LEN)
 		{
 			DESTROY_IF(issuer);
 			break;

src/libstrongswan/credentials/certificates/x509.h

@@ -25,7 +25,6 @@
 #include <credentials/certificates/certificate.h>
 
 #define X509_NO_PATH_LEN_CONSTRAINT		-1
-#define X509_MAX_PATH_LEN				 7
 
 typedef struct x509_t x509_t;
 typedef enum x509_flag_t x509_flag_t;

src/pluto/x509.h

@@ -26,6 +26,8 @@
 #include "constants.h"
 #include "certs.h"
 
+#define X509_MAX_PATH_LEN				 7
+
 extern bool same_keyid(chunk_t a, chunk_t b);
 extern bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm,
 								 certificate_t *issuer_cert);