Close #90: Name Constraints (RFC5280 section 4.2.1.10)

Conversion of name constraints from certificate to Template (Advanced Tab) and using them from there was working since long. Now there is an additional input line, like (and next to) SubjectAlternativeName with live validation and edit button with guided input. The conversion vrom cert to template now puts the extension into the correct LineEdit an not on the Advanced Tab anymore.
chris2511 · Sep 14, 2024 · f43f8f4 · f43f8f4
1 parent c6304a0
commit f43f8f4
Show file tree

Hide file tree

Showing 7 changed files with 195 additions and 65 deletions.
diff --git a/lib/func_base.cpp b/lib/func_base.cpp
@@ -244,6 +244,7 @@ D[NID_pkcs9_unstructuredName] = QObject::tr("Unstructured name");
 D[NID_pkcs9_challengePassword] = QObject::tr("Challenge password");
 
 D[NID_basic_constraints] = QObject::tr("Basic Constraints");
+D[NID_name_constraints] = QObject::tr("Name Constraints");
 D[NID_subject_alt_name] = QObject::tr("Subject alternative name");
 D[NID_issuer_alt_name] = QObject::tr("issuer alternative name");
 D[NID_subject_key_identifier] = QObject::tr("Subject key identifier");

diff --git a/lib/pki_temp.cpp b/lib/pki_temp.cpp
@@ -58,6 +58,7 @@ namespace db {
 };
 
 const QList<QString> pki_temp::tmpl_keys = {
+	"nameCons",
 	"subAltName",
 	"issAltName",
 	"crlDist",
@@ -223,6 +224,7 @@ extList pki_temp::fromCert(pki_x509super *cert_or_req)
 			xname.addEntryByNid(nid, n.getEntry(i));
 	}
 
+	fromExtList(&el, NID_name_constraints, "nameCons");
 	fromExtList(&el, NID_subject_alt_name, "subAltName");
 	fromExtList(&el, NID_issuer_alt_name, "issAltName");
 	fromExtList(&el, NID_crl_distribution_points, "crlDist");

diff --git a/lib/x509v3ext.cpp b/lib/x509v3ext.cpp
@@ -924,7 +924,7 @@ static bool nameConstraint(STACK_OF(GENERAL_SUBTREE) *trees,
 	return true;
 }
 
-bool x509v3ext::parse_nameConstraints(QString *, QString *adv) const
+bool x509v3ext::parse_nameConstraints(QString *single, QString *adv) const
 {
 	bool retval = true;
 	QString sect, ret;
@@ -947,11 +947,14 @@ bool x509v3ext::parse_nameConstraints(QString *, QString *adv) const
 	if (ret.size() > 0)
 		permEx << ret;
 
-	if (adv && retval &&permEx.size() > 0) {
+	if (retval && permEx.size() > 0) {
 		ret = permEx.join(", ");
-		qDebug("%s %d '%s'\n", __func__, retval, CCHAR(ret));
-		*adv = QString("%1=%2\n").arg(tag).
-			arg(parse_critical() +ret) + *adv + sect;
+		qDebug() << retval << ret;
+		if (single)
+			*single = ret;
+		else if (adv)
+			*adv = QString("%1=%2\n").arg(tag).
+				arg(parse_critical() +ret) + *adv + sect;
 	}
 	NAME_CONSTRAINTS_free(cons);
 	return retval;