Create a new NameConstraints constructor that takes in an already constructed GeneralNames object for permitted names. Change-Id: Ic9520ddcde12e3df61479f2cf4a95c29d1f1f5f2 Bug: chromium:1477317 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65707 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Matt Mueller <mattm@google.com>
diff --git a/pki/name_constraints.cc b/pki/name_constraints.cc index f96af92..73d87aa 100644 --- a/pki/name_constraints.cc +++ b/pki/name_constraints.cc
@@ -288,6 +288,17 @@ return name_constraints; } +std::unique_ptr<NameConstraints> NameConstraints::CreateFromPermittedSubtrees( + GeneralNames permitted_subtrees) { + auto name_constraints = std::make_unique<NameConstraints>(); + + name_constraints->constrained_name_types_ = + permitted_subtrees.present_name_types; + name_constraints->permitted_subtrees_ = std::move(permitted_subtrees); + + return name_constraints; +} + bool NameConstraints::Parse(der::Input extension_value, bool is_critical, CertErrors *errors) { BSSL_CHECK(errors);
diff --git a/pki/name_constraints.h b/pki/name_constraints.h index f363849..a025985 100644 --- a/pki/name_constraints.h +++ b/pki/name_constraints.h
@@ -35,6 +35,11 @@ bool is_critical, CertErrors *errors); + // Create a NameConstraints object with only permitted names from the passed + // in |permitted_subtrees|. Should never return nullptr. + static std::unique_ptr<NameConstraints> CreateFromPermittedSubtrees( + GeneralNames permitted_subtrees); + // Tests if a certificate is allowed by the name constraints. // |subject_rdn_sequence| should be the DER-encoded value of the subject's // RDNSequence (not including Sequence tag), and may be an empty ASN.1