Diffstat (limited to 'src/libstrongswan/credentials/certificates')
-rw-r--r--src/libstrongswan/credentials/certificates/crl.h15
-rw-r--r--src/libstrongswan/credentials/certificates/x509.c28
-rw-r--r--src/libstrongswan/credentials/certificates/x509.h89
3 files changed, 96 insertions, 36 deletions
diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h
index 9425311fb..2f3497474 100644
--- a/src/libstrongswan/credentials/certificates/crl.h
+++ b/src/libstrongswan/credentials/certificates/crl.h
@@ -72,6 +72,21 @@ struct crl_t {
chunk_t (*get_authKeyIdentifier)(crl_t *this);
/**
+ * Is this CRL a delta CRL?
+ *
+ * @param base_crl gets to baseCrlNumber, if this is a delta CRL
+ * @return TRUE if delta CRL
+ */
+ bool (*is_delta_crl)(crl_t *this, chunk_t *base_crl);
+
+ /**
+ * Create an enumerator over Freshest CRL distribution points and issuers.
+ *
+ * @return enumerator over x509_cdp_t
+ */
+ enumerator_t* (*create_delta_crl_uri_enumerator)(crl_t *this);
+
+ /**
* Create an enumerator over all revoked certificates.
*
* The enumerator takes 3 pointer arguments:
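Review bot: The `@param base_crl` line on `is_delta_crl` does not say whether the chunk it sets points into the CRL's own data or is allocated for the caller, nor whether NULL may be passed when only the boolean result is wanted. A caller applying a delta CRL presumably has to compare this number against the base CRL it already holds, so the contract should be explicit, e.g. `@param base_crl  set to the baseCrlNumber if this is a delta CRL (state ownership and whether NULL is accepted)`. The `@return` of `create_delta_crl_uri_enumerator` should likewise give the pointer level, `enumerator over x509_cdp_t*`. struct crl_t begins and ends outside this hunk.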
diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c
deleted file mode 100644
index 66dc192c1..000000000
--- a/src/libstrongswan/credentials/certificates/x509.c
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "x509.h"
-
-ENUM(x509_flag_names, X509_NONE, X509_IP_ADDR_BLOCKS,
- "X509_NONE",
- "X509_CA",
- "X509_AA",
- "X509_OCSP_SIGNER",
- "X509_SERVER_AUTH",
- "X509_CLIENT_AUTH",
- "X509_SELF_SIGNED",
- "X509_IP_ADDR_BLOCKS",
-);
-
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 6e0a5002a..fec02dbad 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -24,10 +24,15 @@
#include <utils/enumerator.h>
#include <credentials/certificates/certificate.h>
-#define X509_NO_PATH_LEN_CONSTRAINT -1
+/* constraints are currently restricted to the range 0..127 */
+#define X509_NO_CONSTRAINT 255
typedef struct x509_t x509_t;
+typedef struct x509_cert_policy_t x509_cert_policy_t;
+typedef struct x509_policy_mapping_t x509_policy_mapping_t;
+typedef struct x509_cdp_t x509_cdp_t;
typedef enum x509_flag_t x509_flag_t;
+typedef enum x509_constraint_t x509_constraint_t;
/**
* X.509 certificate flags.
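Review bot: `X509_NO_CONSTRAINT 255` is only unambiguous if every implementation rejects encoded constraint values above 127. The comment states that range, but nothing in this header enforces it, and the parsers are not part of this diff. If one accepted a pathLenConstraint of 255, it would read as "no constraint" and loosen path validation. The move from the `-1` sentinel with an `int` return to `u_int` in `get_constraint` (the `@@ -98,11 +146,12 @@` hunk) also means a remaining caller that tests the result with `< 0` would silently stop detecting the unconstrained case. I would record the requirement next to the macro, e.g. `/* implementations must reject encoded values > 127 so that 255 stays reserved */`.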
@@ -49,12 +54,55 @@ enum x509_flag_t {
X509_SELF_SIGNED = (1<<5),
/** cert has an ipAddrBlocks extension */
X509_IP_ADDR_BLOCKS = (1<<6),
+ /** cert has CRL sign key usage */
+ X509_CRL_SIGN = (1<<7),
};
/**
- * enum names for x509 flags
+ * Different numerical X.509 constraints.
*/
-extern enum_name_t *x509_flag_names;
+enum x509_constraint_t {
+ /** pathLenConstraint basicConstraints */
+ X509_PATH_LEN,
+ /** inhibitPolicyMapping policyConstraint */
+ X509_INHIBIT_POLICY_MAPPING,
+ /** requireExplicitPolicy policyConstraint */
+ X509_REQUIRE_EXPLICIT_POLICY,
+ /** inhibitAnyPolicy constraint */
+ X509_INHIBIT_ANY_POLICY,
+};
+
+/**
+ * X.509 certPolicy extension.
+ */
+struct x509_cert_policy_t {
+ /** OID of certPolicy */
+ chunk_t oid;
+ /** Certification Practice Statement URI qualifier */
+ char *cps_uri;
+ /** UserNotice Text qualifier */
+ char *unotice_text;
+};
+
+/**
+ * X.509 policyMapping extension
+ */
+struct x509_policy_mapping_t {
+ /** OID of issuerDomainPolicy */
+ chunk_t issuer;
+ /** OID of subjectDomainPolicy */
+ chunk_t subject;
+};
+
+/**
+ * X.509 CRL distributionPoint
+ */
+struct x509_cdp_t {
+ /** CDP URI, as string */
+ char *uri;
+ /** CRL issuer */
+ identification_t *issuer;
+};
/**
* X.509 certificate interface.
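Review bot: The comment on `X509_CRL_SIGN` does not say what the flag means for a certificate that has no keyUsage extension at all, and a caller that gates acceptance of a CRL signer on this flag needs to know which way that case falls. I would extend it to `/** cert has cRLSign key usage; <set | not set> when keyUsage is absent */` with the actual behaviour filled in. The new structs would also benefit from a line on who owns `cps_uri`, `unotice_text`, `uri` and `issuer`, and on whether `issuer` may be NULL when a distribution point names no CRL issuer.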
@@ -98,11 +146,12 @@ struct x509_t {
chunk_t (*get_authKeyIdentifier)(x509_t *this);
/**
- * Get an optional path length constraint.
+ * Get a numerical X.509 constraint.
*
- * @return pathLenConstraint, -1 if no constraint exists
+ * @param type type of constraint to get
+ * @return constraint, X509_NO_CONSTRAINT if none found
*/
- int (*get_pathLenConstraint)(x509_t *this);
+ u_int (*get_constraint)(x509_t *this, x509_constraint_t type);
/**
* Create an enumerator over all subjectAltNames.
@@ -112,9 +161,9 @@ struct x509_t {
enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this);
/**
- * Create an enumerator over all CRL URIs.
+ * Create an enumerator over all CRL URIs and CRL Issuers.
*
- * @return enumerator over URIs as char*
+ * @return enumerator over x509_cdp_t
*/
enumerator_t* (*create_crl_uri_enumerator)(x509_t *this);
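Review bot: `create_crl_uri_enumerator` keeps its name while its element type changes from `char*` to `x509_cdp_t`. Because the returned `enumerator_t*` carries no element type in this signature, a caller still enumerating into a `char *` would compile unchanged and treat a struct as a string. Renaming the method would turn every stale caller into a compile error; at minimum the doc line should read `@return enumerator over x509_cdp_t*` so the pointer level is explicit. The callers are outside this diff, so whether all of them were updated cannot be checked here. struct x509_t begins outside this hunk.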
@@ -131,6 +180,30 @@ struct x509_t {
* @return enumerator over ipAddrBlocks as traffic_selector_t*
*/
enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this);
+
+ /**
+ * Create an enumerator over name constraints.
+ *
+ * @param perm TRUE for permitted, FALSE for excluded subtrees
+ * @return enumerator over subtrees as identification_t
+ */
+ enumerator_t* (*create_name_constraint_enumerator)(x509_t *this, bool perm);
+
+ /**
+ * Create an enumerator over certificate policies.
+ *
+ * @return enumerator over x509_cert_policy_t
+ */
+ enumerator_t* (*create_cert_policy_enumerator)(x509_t *this);
+
+ /**
+ * Create an enumerator over policy mappings.
+ *
+ * @return enumerator over x509_policy_mapping
+ */
+ enumerator_t* (*create_policy_mapping_enumerator)(x509_t *this);
+
+
};
#endif /** X509_H_ @}*/
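Review bot: The `@return` of `create_policy_mapping_enumerator` names `x509_policy_mapping`, but the type declared in this header is `x509_policy_mapping_t`; it should read `@return enumerator over x509_policy_mapping_t*`. The other two new enumerators also omit the pointer level (`identification_t`, `x509_cert_policy_t`), unlike the existing `traffic_selector_t*` line just above them. The two blank lines added before the closing `};` can be dropped. struct x509_t begins outside this hunk.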