Create a new NameConstraints constructor that takes in an already constructed GeneralNames object for permitted names.
Change-Id: Ic9520ddcde12e3df61479f2cf4a95c29d1f1f5f2
Bug: chromium:1477317
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65707
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Matt Mueller <mattm@google.com>
diff --git a/pki/name_constraints.cc b/pki/name_constraints.cc
index f96af92..73d87aa 100644
--- a/pki/name_constraints.cc
+++ b/pki/name_constraints.cc
@@ -288,6 +288,17 @@
return name_constraints;
}
+std::unique_ptr<NameConstraints> NameConstraints::CreateFromPermittedSubtrees(
+ GeneralNames permitted_subtrees) {
+ auto name_constraints = std::make_unique<NameConstraints>();
+
+ name_constraints->constrained_name_types_ =
+ permitted_subtrees.present_name_types;
+ name_constraints->permitted_subtrees_ = std::move(permitted_subtrees);
+
+ return name_constraints;
+}
+
bool NameConstraints::Parse(der::Input extension_value, bool is_critical,
CertErrors *errors) {
BSSL_CHECK(errors);
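Review bot: The assignment `name_constraints->constrained_name_types_ = permitted_subtrees.present_name_types;` is the whole policy of this factory, and it is undocumented: if `constrained_name_types_` is the set of name types the constraints are enforced on, as the field name suggests, then any name type with no entry in `permitted_subtrees` stays unconstrained and an empty GeneralNames produces an object that constrains nothing, which a caller could easily mistake for "permit nothing". A comment above that line would prevent that misreading, e.g. `// Only name types present in |permitted_subtrees| are constrained; types with no entry remain unrestricted, and no excluded subtrees are set.` The read of `present_name_types` is correctly placed before the `std::move` on the following line; a short `// Read before |permitted_subtrees| is moved below.` would keep a later reordering from silently reading a moved-from object. The same caveat belongs in the header comment for `CreateFromPermittedSubtrees` in the name_constraints.h hunk, next to "Should never return nullptr."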
diff --git a/pki/name_constraints.h b/pki/name_constraints.h
index f363849..a025985 100644
--- a/pki/name_constraints.h
+++ b/pki/name_constraints.h
@@ -35,6 +35,11 @@
bool is_critical,
CertErrors *errors);
+ // Create a NameConstraints object with only permitted names from the passed
+ // in |permitted_subtrees|. Should never return nullptr.
+ static std::unique_ptr<NameConstraints> CreateFromPermittedSubtrees(
+ GeneralNames permitted_subtrees);
+
// Tests if a certificate is allowed by the name constraints.
// |subject_rdn_sequence| should be the DER-encoded value of the subject's
// RDNSequence (not including Sequence tag), and may be an empty ASN.1