[hopefully] fixed pathlen problem on ARM platforms
parent
afddd6a7e8
commit
d390b3b901
|
@ -754,7 +754,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
|
||||||
enumerator_t *enumerator;
|
enumerator_t *enumerator;
|
||||||
identification_t *altName;
|
identification_t *altName;
|
||||||
bool first_altName = TRUE;
|
bool first_altName = TRUE;
|
||||||
int pathlen;
|
u_int pathlen;
|
||||||
chunk_t serial, authkey;
|
chunk_t serial, authkey;
|
||||||
time_t notBefore, notAfter;
|
time_t notBefore, notAfter;
|
||||||
public_key_t *public;
|
public_key_t *public;
|
||||||
|
@ -837,7 +837,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
|
||||||
pathlen = x509->get_constraint(x509, X509_PATH_LEN);
|
pathlen = x509->get_constraint(x509, X509_PATH_LEN);
|
||||||
if (pathlen != X509_NO_CONSTRAINT)
|
if (pathlen != X509_NO_CONSTRAINT)
|
||||||
{
|
{
|
||||||
fprintf(out, " pathlen: %d\n", pathlen);
|
fprintf(out, " pathlen: %u\n", pathlen);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* list optional ipAddrBlocks */
|
/* list optional ipAddrBlocks */
|
||||||
|
|
|
@ -45,7 +45,7 @@ struct cert_validator_t {
|
||||||
* @param auth container for resulting authentication info
|
* @param auth container for resulting authentication info
|
||||||
*/
|
*/
|
||||||
bool (*validate)(cert_validator_t *this, certificate_t *subject,
|
bool (*validate)(cert_validator_t *this, certificate_t *subject,
|
||||||
certificate_t *issuer, bool online, int pathlen,
|
certificate_t *issuer, bool online, u_int pathlen,
|
||||||
bool anchor, auth_cfg_t *auth);
|
bool anchor, auth_cfg_t *auth);
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -24,7 +24,8 @@
|
||||||
#include <utils/enumerator.h>
|
#include <utils/enumerator.h>
|
||||||
#include <credentials/certificates/certificate.h>
|
#include <credentials/certificates/certificate.h>
|
||||||
|
|
||||||
#define X509_NO_CONSTRAINT -1
|
/* constraints are currently restricted to the range 0..127 */
|
||||||
|
#define X509_NO_CONSTRAINT 255
|
||||||
|
|
||||||
typedef struct x509_t x509_t;
|
typedef struct x509_t x509_t;
|
||||||
typedef struct x509_cert_policy_t x509_cert_policy_t;
|
typedef struct x509_cert_policy_t x509_cert_policy_t;
|
||||||
|
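Review bot: The new comment `/* constraints are currently restricted to the range 0..127 */` states the range but not why the sentinel moved from -1 to 255, which is the substance of this fix. Per the commit title the old negative sentinel broke where `char` is unsigned, as on ARM: the constraint fields in x509_cert.c were declared plain `char`, so -1 stored there read back as 255 and never compared equal to `X509_NO_CONSTRAINT`. I would extend the comment to `/* constraints are restricted to 0..127; the sentinel must lie outside that range and survive storage in a u_char, so it cannot be negative (char signedness is platform-dependent) */` so the next reader does not reintroduce a signed sentinel. The literal is a plain `int`; comparisons against the `u_int` and `u_char` values promote cleanly, but `255U` would make the intended unsigned use explicit.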
@ -150,7 +151,7 @@ struct x509_t {
|
||||||
* @param type type of constraint to get
|
* @param type type of constraint to get
|
||||||
* @return constraint, X509_NO_CONSTRAINT if none found
|
* @return constraint, X509_NO_CONSTRAINT if none found
|
||||||
*/
|
*/
|
||||||
int (*get_constraint)(x509_t *this, x509_constraint_t type);
|
u_int (*get_constraint)(x509_t *this, x509_constraint_t type);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Create an enumerator over all subjectAltNames.
|
* Create an enumerator over all subjectAltNames.
|
||||||
|
|
|
@ -38,7 +38,7 @@ struct private_constraints_validator_t {
|
||||||
*/
|
*/
|
||||||
static bool check_pathlen(x509_t *issuer, int pathlen)
|
static bool check_pathlen(x509_t *issuer, int pathlen)
|
||||||
{
|
{
|
||||||
int pathlen_constraint;
|
u_int pathlen_constraint;
|
||||||
|
|
||||||
pathlen_constraint = issuer->get_constraint(issuer, X509_PATH_LEN);
|
pathlen_constraint = issuer->get_constraint(issuer, X509_PATH_LEN);
|
||||||
if (pathlen_constraint != X509_NO_CONSTRAINT &&
|
if (pathlen_constraint != X509_NO_CONSTRAINT &&
|
||||||
|
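Review bot: `check_pathlen` still takes `int pathlen` at `static bool check_pathlen(x509_t *issuer, int pathlen)` while `pathlen_constraint` became `u_int`, the validate method in this file now receives `u_int pathlen`, and the parallel `check_policy_constraints` was changed to `u_int`. Any comparison of the two in the condition continuing after `X509_NO_CONSTRAINT &&` (outside the hunk) is now a signed/unsigned comparison, so a negative `pathlen` would promote to a large unsigned value and compare as longer than every constraint. Change the signature to `static bool check_pathlen(x509_t *issuer, u_int pathlen)`. The `int len = 0;` / `u_int expl, inh;` split in the later check_policy_constraints hunk has the same shape if `len` is compared against `expl` or `inh`.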
@ -439,7 +439,7 @@ static bool has_no_any_policy(linked_list_t *chain, int len)
|
||||||
/**
|
/**
|
||||||
* Check requireExplicitPolicy and inhibitPolicyMapping constraints
|
* Check requireExplicitPolicy and inhibitPolicyMapping constraints
|
||||||
*/
|
*/
|
||||||
static bool check_policy_constraints(x509_t *issuer, int pathlen,
|
static bool check_policy_constraints(x509_t *issuer, u_int pathlen,
|
||||||
auth_cfg_t *auth)
|
auth_cfg_t *auth)
|
||||||
{
|
{
|
||||||
certificate_t *subject;
|
certificate_t *subject;
|
||||||
|
@ -455,7 +455,8 @@ static bool check_policy_constraints(x509_t *issuer, int pathlen,
|
||||||
certificate_t *cert;
|
certificate_t *cert;
|
||||||
auth_rule_t rule;
|
auth_rule_t rule;
|
||||||
x509_t *x509;
|
x509_t *x509;
|
||||||
int len = 0, expl, inh;
|
int len = 0;
|
||||||
|
u_int expl, inh;
|
||||||
|
|
||||||
/* prepare trustchain to validate */
|
/* prepare trustchain to validate */
|
||||||
chain = linked_list_create();
|
chain = linked_list_create();
|
||||||
|
@ -524,7 +525,7 @@ static bool check_policy_constraints(x509_t *issuer, int pathlen,
|
||||||
|
|
||||||
METHOD(cert_validator_t, validate, bool,
|
METHOD(cert_validator_t, validate, bool,
|
||||||
private_constraints_validator_t *this, certificate_t *subject,
|
private_constraints_validator_t *this, certificate_t *subject,
|
||||||
certificate_t *issuer, bool online, int pathlen, bool anchor,
|
certificate_t *issuer, bool online, u_int pathlen, bool anchor,
|
||||||
auth_cfg_t *auth)
|
auth_cfg_t *auth)
|
||||||
{
|
{
|
||||||
if (issuer->get_type(issuer) == CERT_X509 &&
|
if (issuer->get_type(issuer) == CERT_X509 &&
|
||||||
|
|
|
@ -84,7 +84,7 @@ struct private_openssl_x509_t {
|
||||||
/**
|
/**
|
||||||
* Pathlen constraint
|
* Pathlen constraint
|
||||||
*/
|
*/
|
||||||
int pathlen;
|
u_char pathlen;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* certificate subject
|
* certificate subject
|
||||||
|
@ -250,7 +250,7 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t,
|
||||||
return chunk_empty;
|
return chunk_empty;
|
||||||
}
|
}
|
||||||
|
|
||||||
METHOD(x509_t, get_constraint, int,
|
METHOD(x509_t, get_constraint, u_int,
|
||||||
private_openssl_x509_t *this, x509_constraint_t type)
|
private_openssl_x509_t *this, x509_constraint_t type)
|
||||||
{
|
{
|
||||||
switch (type)
|
switch (type)
|
||||||
|
@ -586,6 +586,7 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
|
||||||
X509_EXTENSION *ext)
|
X509_EXTENSION *ext)
|
||||||
{
|
{
|
||||||
BASIC_CONSTRAINTS *constraints;
|
BASIC_CONSTRAINTS *constraints;
|
||||||
|
long pathlen;
|
||||||
|
|
||||||
constraints = (BASIC_CONSTRAINTS*)X509V3_EXT_d2i(ext);
|
constraints = (BASIC_CONSTRAINTS*)X509V3_EXT_d2i(ext);
|
||||||
if (constraints)
|
if (constraints)
|
||||||
|
@ -596,7 +597,10 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
|
||||||
}
|
}
|
||||||
if (constraints->pathlen)
|
if (constraints->pathlen)
|
||||||
{
|
{
|
||||||
this->pathlen = ASN1_INTEGER_get(constraints->pathlen);
|
|
||||||
|
pathlen = ASN1_INTEGER_get(constraints->pathlen);
|
||||||
|
this->pathlen = (pathlen >= 0 && pathlen < 128) ?
|
||||||
|
pathlen : X509_NO_CONSTRAINT;
|
||||||
}
|
}
|
||||||
BASIC_CONSTRAINTS_free(constraints);
|
BASIC_CONSTRAINTS_free(constraints);
|
||||||
return TRUE;
|
return TRUE;
|
||||||
|
|
|
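Review bot: `this->pathlen = (pathlen >= 0 && pathlen < 128) ? pathlen : X509_NO_CONSTRAINT;` maps a negative pathLenConstraint to "no constraint", which fails open: RFC 5280 defines the field as INTEGER (0..MAX), so a negative value is a malformed extension, and ASN1_INTEGER_get also returns -1 when the encoded value does not fit a `long`. Treating values of 128 and above as unconstrained is harmless for realistic chain depths, but a negative result should be rejected rather than relaxed, e.g. `if (pathlen < 0) { BASIC_CONSTRAINTS_free(constraints); return FALSE; }` before the assignment, assuming FALSE is this parser's failure path as the trailing `return TRUE;` suggests. The same applies to `parse_constraint` in x509_cert.c, where a one-byte value with the sign bit set (`object.ptr[0] & 0x80`) is returned as X509_NO_CONSTRAINT instead of being reported as a parse failure. parse_basicConstraints_ext starts before and continues past this hunk.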
@ -665,7 +665,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
|
||||||
|
|
||||||
METHOD(cert_validator_t, validate, bool,
|
METHOD(cert_validator_t, validate, bool,
|
||||||
private_revocation_validator_t *this, certificate_t *subject,
|
private_revocation_validator_t *this, certificate_t *subject,
|
||||||
certificate_t *issuer, bool online, int pathlen, bool anchor,
|
certificate_t *issuer, bool online, u_int pathlen, bool anchor,
|
||||||
auth_cfg_t *auth)
|
auth_cfg_t *auth)
|
||||||
{
|
{
|
||||||
if (subject->get_type(subject) == CERT_X509 &&
|
if (subject->get_type(subject) == CERT_X509 &&
|
||||||
|
|
|
@ -174,22 +174,22 @@ struct private_x509_cert_t {
|
||||||
/**
|
/**
|
||||||
* Path Length Constraint
|
* Path Length Constraint
|
||||||
*/
|
*/
|
||||||
char pathLenConstraint;
|
u_char pathLenConstraint;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* requireExplicitPolicy Constraint
|
* requireExplicitPolicy Constraint
|
||||||
*/
|
*/
|
||||||
char require_explicit;
|
u_char require_explicit;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* inhibitPolicyMapping Constraint
|
* inhibitPolicyMapping Constraint
|
||||||
*/
|
*/
|
||||||
char inhibit_mapping;
|
u_char inhibit_mapping;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* inhibitAnyPolicy Constraint
|
* inhibitAnyPolicy Constraint
|
||||||
*/
|
*/
|
||||||
char inhibit_any;
|
u_char inhibit_any;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* x509 constraints and other flags
|
* x509 constraints and other flags
|
||||||
|
@ -255,14 +255,14 @@ static void policy_mapping_destroy(x509_policy_mapping_t *mapping)
|
||||||
/**
|
/**
|
||||||
* Parse a length constraint from an unwrapped integer
|
* Parse a length constraint from an unwrapped integer
|
||||||
*/
|
*/
|
||||||
static int parse_constraint(chunk_t object)
|
static u_int parse_constraint(chunk_t object)
|
||||||
{
|
{
|
||||||
switch (object.len)
|
switch (object.len)
|
||||||
{
|
{
|
||||||
case 0:
|
case 0:
|
||||||
return 0;
|
return 0;
|
||||||
case 1:
|
case 1:
|
||||||
return object.ptr[0];
|
return (object.ptr[0] & 0x80) ? X509_NO_CONSTRAINT : object.ptr[0];
|
||||||
default:
|
default:
|
||||||
return X509_NO_CONSTRAINT;
|
return X509_NO_CONSTRAINT;
|
||||||
}
|
}
|
||||||
|
@ -1723,7 +1723,7 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t,
|
||||||
return this->authKeyIdentifier;
|
return this->authKeyIdentifier;
|
||||||
}
|
}
|
||||||
|
|
||||||
METHOD(x509_t, get_constraint, int,
|
METHOD(x509_t, get_constraint, u_int,
|
||||||
private_x509_cert_t *this, x509_constraint_t type)
|
private_x509_cert_t *this, x509_constraint_t type)
|
||||||
{
|
{
|
||||||
switch (type)
|
switch (type)
|
||||||
|
@ -2390,6 +2390,7 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
|
||||||
certificate_t *sign_cert = NULL;
|
certificate_t *sign_cert = NULL;
|
||||||
private_key_t *sign_key = NULL;
|
private_key_t *sign_key = NULL;
|
||||||
hash_algorithm_t digest_alg = HASH_SHA1;
|
hash_algorithm_t digest_alg = HASH_SHA1;
|
||||||
|
u_int constraint;
|
||||||
|
|
||||||
cert = create_empty();
|
cert = create_empty();
|
||||||
while (TRUE)
|
while (TRUE)
|
||||||
|
@ -2464,11 +2465,9 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
case BUILD_PATHLEN:
|
case BUILD_PATHLEN:
|
||||||
cert->pathLenConstraint = va_arg(args, int);
|
constraint = va_arg(args, u_int);
|
||||||
if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127)
|
cert->pathLenConstraint = (constraint < 128) ?
|
||||||
{
|
constraint : X509_NO_CONSTRAINT;
|
||||||
cert->pathLenConstraint = X509_NO_CONSTRAINT;
|
|
||||||
}
|
|
||||||
continue;
|
continue;
|
||||||
case BUILD_PERMITTED_NAME_CONSTRAINTS:
|
case BUILD_PERMITTED_NAME_CONSTRAINTS:
|
||||||
{
|
{
|
||||||
|
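Review bot: The clamp `constraint = va_arg(args, u_int); cert->pathLenConstraint = (constraint < 128) ? constraint : X509_NO_CONSTRAINT;` is repeated verbatim for BUILD_PATHLEN here and for the three policy constraints in the following hunk, differing only in the target field. A small `static u_char clamp_constraint(u_int constraint)` returning `constraint < 128 ? constraint : X509_NO_CONSTRAINT` would keep the range rule in one place, next to the 0..127 comment now in x509.h. Note also that `va_arg(args, u_int)` replaces `va_arg(args, int)`: a caller that passed a negative int to mean "no constraint" is now read as a large unsigned value and lands in the X509_NO_CONSTRAINT branch, so the outcome is preserved, but callers relying on the old `int` type should be rechecked. x509_cert_gen starts before and continues past this hunk.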
@ -2543,13 +2542,19 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
case BUILD_POLICY_REQUIRE_EXPLICIT:
|
case BUILD_POLICY_REQUIRE_EXPLICIT:
|
||||||
cert->require_explicit = va_arg(args, int);
|
constraint = va_arg(args, u_int);
|
||||||
|
cert->require_explicit = (constraint < 128) ?
|
||||||
|
constraint : X509_NO_CONSTRAINT;
|
||||||
continue;
|
continue;
|
||||||
case BUILD_POLICY_INHIBIT_MAPPING:
|
case BUILD_POLICY_INHIBIT_MAPPING:
|
||||||
cert->inhibit_mapping = va_arg(args, int);
|
constraint = va_arg(args, u_int);
|
||||||
|
cert->inhibit_mapping = (constraint < 128) ?
|
||||||
|
constraint : X509_NO_CONSTRAINT;
|
||||||
continue;
|
continue;
|
||||||
case BUILD_POLICY_INHIBIT_ANY:
|
case BUILD_POLICY_INHIBIT_ANY:
|
||||||
cert->inhibit_any = va_arg(args, int);
|
constraint = va_arg(args, u_int);
|
||||||
|
cert->inhibit_any = (constraint < 128) ?
|
||||||
|
constraint : X509_NO_CONSTRAINT;
|
||||||
continue;
|
continue;
|
||||||
case BUILD_NOT_BEFORE_TIME:
|
case BUILD_NOT_BEFORE_TIME:
|
||||||
cert->notBefore = va_arg(args, time_t);
|
cert->notBefore = va_arg(args, time_t);
|
||||||
|
|