Diffstat (limited to 'src/lib/cert/x509/x509cert.cpp')
-rw-r--r-- | src/lib/cert/x509/x509cert.cpp | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/src/lib/cert/x509/x509cert.cpp b/src/lib/cert/x509/x509cert.cpp index cb24a7a03..73aa02cf3 100644 --- a/src/lib/cert/x509/x509cert.cpp +++ b/src/lib/cert/x509/x509cert.cpp @@ -279,6 +279,14 @@ u32bit X509_Certificate::path_limit() const } /* +* Return if a certificate extension is marked critical +*/ +bool X509_Certificate::is_critical(const std::string& ex_name) const + { + return !!m_subject.get1_u32bit(ex_name + ".is_critical",0); + } + +/* * Return the key usage constraints */ Key_Constraints X509_Certificate::constraints() const @@ -296,6 +304,26 @@ std::vector<std::string> X509_Certificate::ex_constraints() const } /* +* Return the name constraints +*/ +NameConstraints X509_Certificate::name_constraints() const + { + std::vector<GeneralSubtree> permit, exclude; + + for(const std::string& v: m_subject.get("X509v3.NameConstraints.permitted")) + { + permit.push_back(GeneralSubtree(v)); + } + + for(const std::string& v: m_subject.get("X509v3.NameConstraints.excluded")) + { + exclude.push_back(GeneralSubtree(v)); + } + + return NameConstraints(std::move(permit),std::move(exclude)); + } + +/* * Return the list of certificate policies */ std::vector<std::string> X509_Certificate::policies() const @@ -508,6 +536,33 @@ std::string X509_Certificate::to_string() const out << " " << ex_constraints[i] << "\n"; } + NameConstraints name_constraints = this->name_constraints(); + if(!name_constraints.permitted().empty() || + !name_constraints.excluded().empty()) + { + out << "Name Constraints:\n"; + + if(!name_constraints.permitted().empty()) + { + out << " Permit"; + for(auto st: name_constraints.permitted()) + { + out << " " << st.base(); + } + out << "\n"; + } + + if(!name_constraints.excluded().empty()) + { + out << " Exclude"; + for(auto st: name_constraints.excluded()) + { + out << " " << st.base(); + } + out << "\n"; + } + } + if(!ocsp_responder().empty()) out << "OCSP responder " << ocsp_responder() << "\n"; if(!crl_distribution_point().empty()) |
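Review bot: `is_critical` reports false both when the extension is absent and when it is present but non-critical, because the lookup falls back to the default 0 in `get1_u32bit(ex_name + ".is_critical",0)`; a caller that needs to reject an unrecognised critical extension cannot learn presence from this accessor, so the contract belongs in the header comment, e.g. `* Return true if the extension named ex_name is present and marked critical; absent or non-critical extensions yield false`. The `!!` idiom is harder to read than an explicit comparison; `return m_subject.get1_u32bit(ex_name + ".is_critical", 0) != 0;` says the same thing. Whether `ex_name` is expected to be the dotted data-store prefix (the later hunk uses keys such as "X509v3.NameConstraints.permitted", so presumably "X509v3.NameConstraints") is not visible here and should be spelled out for callers.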
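Review bot: Both loops in `name_constraints` use `push_back(GeneralSubtree(v))`, which builds a temporary and then moves or copies it into the vector; `permit.emplace_back(v);` and `exclude.emplace_back(v);` construct in place and read more directly. The header comment should also state what the result means when the extension is absent — from this hunk it appears both lists simply come back empty, since there is no separate presence check, so a caller cannot distinguish "no NameConstraints extension" from "an extension with no subtrees" through this accessor alone. Whether the `GeneralSubtree` string constructor can throw on a malformed stored value is not visible in this diff and is worth documenting on the accessor, since the data comes from the parsed certificate.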
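Review bot: The two range-for loops added to `to_string` use `for(auto st: ...)`, which copies every `GeneralSubtree` just to call `st.base()`; `for(const auto& st: name_constraints.permitted())` and `for(const auto& st: name_constraints.excluded())` avoid the copy. `permitted()` and `excluded()` are each called up to three times in this block; if they return by value (not visible here) that is three vector copies per list, so binding each once to a `const auto&` local above the `if` would be cheaper and clearer. The local `name_constraints` is never modified after initialisation and could be declared `const`. `to_string` begins and ends outside this hunk.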