(hx509_verify_set_proxy_certificate): Add

(*): rename policy cert to proxy cert git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17251 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-04-26 12:21:20 +00:00
parent 3d4b238a8b
commit 253352539c
1 changed files with 25 additions and 13 deletions
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -300,6 +300,15 @@ hx509_verify_set_time(hx509_verify_ctx ctx, time_t t)
    ctx->time_now = t;
 }
 void
 hx509_verify_set_proxy_certificate(hx509_verify_ctx ctx, int boolean)
 {
    if (boolean)
 	ctx->flags |= HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE;
    else
 	ctx->flags &= ~HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE;
 }
 static const Extension *
 find_extension(const Certificate *cert, const heim_oid *oid, int *idx)
 {
@@ -506,7 +515,7 @@ _hx509_check_key_usage(hx509_cert cert, unsigned flags, int req_present)
    return check_key_usage(_hx509_get_cert(cert), flags, req_present);
 }
-enum certtype { POLICY_CERT, EE_CERT, CA_CERT };
+enum certtype { PROXY_CERT, EE_CERT, CA_CERT };
 static int
 check_basic_constraints(const Certificate *cert, enum certtype type, int depth)
@@ -522,7 +531,7 @@ check_basic_constraints(const Certificate *cert, enum certtype type, int depth)
    e = find_extension(cert, oid_id_x509_ce_basicConstraints(), &i);
    if (e == NULL) {
 	switch(type) {
-	case POLICY_CERT:
+	case PROXY_CERT:
 	case EE_CERT:
 	    return 0;
 	case CA_CERT:
@@ -536,7 +545,7 @@ check_basic_constraints(const Certificate *cert, enum certtype type, int depth)
    if (ret)
 	return ret;
    switch(type) {
-    case POLICY_CERT:
+    case PROXY_CERT:
 	if (bc.cA != NULL && *bc.cA)
 	    ret = HX509_PARENT_IS_CA;
 	break;
@@ -1184,7 +1193,7 @@ free_name_constraints(hx509_name_constraints *nc)
 }
 static int
-policy_cert_p(const Certificate *cert, ProxyCertInfo *info)
+proxy_cert_p(const Certificate *cert, ProxyCertInfo *info)
 {
    const Extension *e;
    size_t size;
@@ -1220,7 +1229,7 @@ hx509_verify_path(hx509_context context,
 #if 0
    const AlgorithmIdentifier *alg_id;
 #endif
-    int ret, i, policy_cert_depth;
+    int ret, i, proxy_cert_depth;
    enum certtype type;
    ret = init_name_constraints(&nc);
@@ -1247,15 +1256,18 @@ hx509_verify_path(hx509_context context,
 #endif
    /*
-     * Check CA and policy certificate chain from the top of the
+     * Check CA and proxy certificate chain from the top of the
     * certificate chain. Also check certificate is valid with respect
     * to the current time.
     *
     */
-    policy_cert_depth = 0;
+    proxy_cert_depth = 0;
-    type = POLICY_CERT; /* XXX works for now */
+    if (ctx->flags & HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE)
 	type = PROXY_CERT;
    else
 	type = EE_CERT;
    for (i = 0; i < path.len; i++) {
 	Certificate *c;
@@ -1275,10 +1287,10 @@ hx509_verify_path(hx509_context context,
 	    if (ret)
 		goto out;
 	    break;
-	case POLICY_CERT: {
+	case PROXY_CERT: {
 	    ProxyCertInfo info;	    
-	    if (policy_cert_p(c, &info)) {
+	    if (proxy_cert_p(c, &info)) {
 		if (info.pCPathLenConstraint != NULL &&
 		    *info.pCPathLenConstraint > i)
@@ -1297,7 +1309,7 @@ hx509_verify_path(hx509_context context,
 	    break;
 	}
-	ret = check_basic_constraints(c, type, i - policy_cert_depth);
+	ret = check_basic_constraints(c, type, i - proxy_cert_depth);
 	if (ret)
 	    goto out;
@@ -1314,8 +1326,8 @@ hx509_verify_path(hx509_context context,
 	if (type == EE_CERT)
 	    type = CA_CERT;
-	else if (type == POLICY_CERT)
+	else if (type == PROXY_CERT)
-	    policy_cert_depth++;
+	    proxy_cert_depth++;
    }
    /*