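/*
 * Evaluate one rule component against the matching data of one certificate.
 *
 * rc     the rule component; rc->kwval_type selects the comparison style
 *        (regexp, bit list, or principal) and rc->kw_type the certificate
 *        field it applies to (subject, issuer, SAN, EKU, KU)
 * md     the certificate's extracted matching data: subject/issuer DN
 *        strings, SANs as a NULL-terminated array of krb5_principal, and
 *        EKU/KU bit masks
 * princ  the principal compared (case-folded) against each SAN; only used
 *        for kwvaltype_principal
 *
 * Returns nonzero if the component matches the certificate, 0 otherwise.
 * A SAN whose name cannot be unparsed is skipped, never matched, so an
 * allocation failure can only make the result stricter.  The DEBUG-only
 * trace strings are freed on every path.
 */
static int
component_match(krb5_context context,
                rule_component *rc,
                pkinit_cert_matching_data *md,
                krb5_principal princ)
{
    int match = 0;
    int i;
    krb5_principal p;
    char *princ_string = NULL;

    switch (rc->kwval_type) {
    case kwvaltype_regexp:
        switch (rc->kw_type) {
        case kw_subject:
            match = regexp_match(context, rc, md->subject_dn);
            break;
        case kw_issuer:
            match = regexp_match(context, rc, md->issuer_dn);
            break;
        case kw_san:
            if (md->sans == NULL)
                break;
            /* Try the regexp against the printable form of each SAN. */
            for (i = 0; md->sans[i] != NULL; i++) {
                p = md->sans[i];
                /*
                 * Previously the return value was ignored, so a failed
                 * unparse left princ_string uninitialized and it was then
                 * passed to regexp_match and freed.  Skip such a SAN.
                 */
                if (krb5_unparse_name(context, p, &princ_string) != 0)
                    continue;
                match = regexp_match(context, rc, princ_string);
                krb5_free_unparsed_name(context, princ_string);
                princ_string = NULL;
                if (match)
                    break;
            }
            break;
        default:
            pkiDebug("%s: keyword %s, keyword value %s mismatch\n",
                     __FUNCTION__, keyword2string(rc->kw_type),
                     kwval2string(kwvaltype_regexp));
            break;
        }
        break;
    case kwvaltype_list:
        switch (rc->kw_type) {
        case kw_eku:
            pkiDebug("%s: checking %s: rule 0x%08x, cert 0x%08x\n",
                     __FUNCTION__, keyword2string(rc->kw_type),
                     rc->eku_bits, md->eku_bits);
            /* Every EKU bit the rule requires must be set in the cert. */
            if ((rc->eku_bits & md->eku_bits) == rc->eku_bits)
                match = 1;
            break;
        case kw_ku:
            pkiDebug("%s: checking %s: rule 0x%08x, cert 0x%08x\n",
                     __FUNCTION__, keyword2string(rc->kw_type),
                     rc->ku_bits, md->ku_bits);
            /* Every KU bit the rule requires must be set in the cert. */
            if ((rc->ku_bits & md->ku_bits) == rc->ku_bits)
                match = 1;
            break;
        default:
            /* This branch handles list values; report that type, not regexp. */
            pkiDebug("%s: keyword %s, keyword value %s mismatch\n",
                     __FUNCTION__, keyword2string(rc->kw_type),
                     kwval2string(kwvaltype_list));
            break;
        }
        break;
    case kwvaltype_principal:
        if (md->sans == NULL)
            break;
#ifdef DEBUG
        /* Printable form of princ for the trace below; NULL if unavailable. */
        if (krb5_unparse_name(context, princ, &princ_string) != 0)
            princ_string = NULL;
#endif
        for (i = 0; md->sans[i] != NULL; i++) {
            p = md->sans[i];
#ifdef DEBUG
            char *san_string = NULL;

            if (krb5_unparse_name(context, p, &san_string) != 0)
                san_string = NULL;
            pkiDebug("%s: comparing principal '%s' with cert SAN '%s'\n",
                     __FUNCTION__,
                     princ_string != NULL ? princ_string : "<unparseable>",
                     san_string != NULL ? san_string : "<unparseable>");
            if (san_string != NULL)
                krb5_free_unparsed_name(context, san_string);
#endif
            if (krb5_principal_compare_flags(context, p, princ,
                                             KRB5_PRINCIPAL_COMPARE_CASEFOLD)) {
                match = 1;
                break;
            }
        }
#ifdef DEBUG
        if (princ_string != NULL)
            krb5_free_unparsed_name(context, princ_string);
#endif
        break;
    default:
        pkiDebug("%s: unknown keyword value type %d\n",
                 __FUNCTION__, rc->kwval_type);
        break;
    }
    pkiDebug("%s: returning match = %d\n", __FUNCTION__, match);
    return match;
}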
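/*
 * Evaluate one rule component against the matching data of one certificate.
 *
 * rc  the rule component; rc->kwval_type selects the comparison style
 *     (regexp or bit list) and rc->kw_type the certificate field it applies
 *     to (subject, issuer, SAN, EKU, KU)
 * md  the certificate's extracted matching data: subject/issuer DN strings,
 *     SANs as a NULL-terminated array of krb5_principal, and EKU/KU bit masks
 *
 * Returns nonzero if the component matches the certificate, 0 otherwise.
 * A SAN whose name cannot be unparsed is skipped, never matched, so an
 * allocation failure can only make the result stricter.
 */
static int
component_match(krb5_context context,
                rule_component *rc,
                pkinit_cert_matching_data *md)
{
    int match = 0;
    int i;
    krb5_principal p;
    char *princ_string = NULL;

    switch (rc->kwval_type) {
    case kwvaltype_regexp:
        switch (rc->kw_type) {
        case kw_subject:
            match = regexp_match(context, rc, md->subject_dn);
            break;
        case kw_issuer:
            match = regexp_match(context, rc, md->issuer_dn);
            break;
        case kw_san:
            if (md->sans == NULL)
                break;
            /* Try the regexp against the printable form of each SAN. */
            for (i = 0; md->sans[i] != NULL; i++) {
                p = md->sans[i];
                /*
                 * Previously the return value was ignored, so a failed
                 * unparse left princ_string uninitialized and it was then
                 * passed to regexp_match and freed.  Skip such a SAN.
                 */
                if (krb5_unparse_name(context, p, &princ_string) != 0)
                    continue;
                match = regexp_match(context, rc, princ_string);
                krb5_free_unparsed_name(context, princ_string);
                princ_string = NULL;
                if (match)
                    break;
            }
            break;
        default:
            pkiDebug("%s: keyword %s, keyword value %s mismatch\n",
                     __FUNCTION__, keyword2string(rc->kw_type),
                     kwval2string(kwvaltype_regexp));
            break;
        }
        break;
    case kwvaltype_list:
        switch (rc->kw_type) {
        case kw_eku:
            pkiDebug("%s: checking %s: rule 0x%08x, cert 0x%08x\n",
                     __FUNCTION__, keyword2string(rc->kw_type),
                     rc->eku_bits, md->eku_bits);
            /* Every EKU bit the rule requires must be set in the cert. */
            if ((rc->eku_bits & md->eku_bits) == rc->eku_bits)
                match = 1;
            break;
        case kw_ku:
            pkiDebug("%s: checking %s: rule 0x%08x, cert 0x%08x\n",
                     __FUNCTION__, keyword2string(rc->kw_type),
                     rc->ku_bits, md->ku_bits);
            /* Every KU bit the rule requires must be set in the cert. */
            if ((rc->ku_bits & md->ku_bits) == rc->ku_bits)
                match = 1;
            break;
        default:
            /* This branch handles list values; report that type, not regexp. */
            pkiDebug("%s: keyword %s, keyword value %s mismatch\n",
                     __FUNCTION__, keyword2string(rc->kw_type),
                     kwval2string(kwvaltype_list));
            break;
        }
        break;
    default:
        pkiDebug("%s: unknown keyword value type %d\n",
                 __FUNCTION__, rc->kwval_type);
        break;
    }
    pkiDebug("%s: returning match = %d\n", __FUNCTION__, match);
    return match;
}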