Botan::Cert_Extension::IPAddressBlocks::IPAddressOrRange< V > Class Template Reference

#include <x509_ext.h>

Inheritance diagram for Botan::Cert_Extension::IPAddressBlocks::IPAddressOrRange< V >:

Public Member Functions
std::vector< uint8_t >	BER_encode () const
void	decode_from (BER_Decoder &from) override
void	encode_into (DER_Encoder &to) const override
	IPAddressOrRange ()=default
	IPAddressOrRange (const IPAddress< V > &addr)
	IPAddressOrRange (const IPAddress< V > &min, const IPAddress< V > &max)
IPAddress< V >	max () const
IPAddress< V >	min () const

Detailed Description

template<Version V>
class Botan::Cert_Extension::IPAddressBlocks::IPAddressOrRange< V >

Definition at line 644 of file x509_ext.h.

Constructor & Destructor Documentation

IPAddressOrRange() [1/3]

template<Version V>

Botan::Cert_Extension::IPAddressBlocks::IPAddressOrRange< V >::IPAddressOrRange ( )

default

IPAddressOrRange() [2/3]

template<Version V>

Botan::Cert_Extension::IPAddressBlocks::IPAddressOrRange< V >::IPAddressOrRange ( const IPAddress< V > & addr )

inlineexplicit

Definition at line 651 of file x509_ext.h.

: m_min(addr), m_max(addr) {}

IPAddressOrRange() [3/3]

template<Version V>

Botan::Cert_Extension::IPAddressBlocks::IPAddressOrRange< V >::IPAddressOrRange ( const IPAddress< V > & min, const IPAddress< V > & max )

inline

Definition at line 653 of file x509_ext.h.

                                                                               : m_min(min), m_max(max) {
               if(max < min) {
                  throw Decoding_Error("IP address ranges must be sorted");
               }
            }

References max(), and min().

Member Function Documentation

BER_encode()

std::vector< uint8_t > Botan::ASN1_Object::BER_encode ( ) const

inherited

Return the encoding of this object. This is a convenience method when just one object needs to be serialized. Use DER_Encoder for complicated encodings.

Definition at line 19 of file asn1_obj.cpp.

                                                 {
   std::vector<uint8_t> output;
   DER_Encoder der(output);
   this->encode_into(der);
   return output;
}

References encode_into().

Referenced by decode_from(), Botan::Certificate_Store_In_SQL::find_all_certs(), Botan::Certificate_Store_In_SQL::find_cert(), Botan::X509_Certificate::fingerprint(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::X509_Object::PEM_encode(), Botan::PSS_Params::PSS_Params(), and Botan::Certificate_Store_In_SQL::revoke_cert().

decode_from()

template<Version V>

void Botan::Cert_Extension::IPAddressBlocks::IPAddressOrRange< V >::decode_from ( BER_Decoder & from )

overridevirtual

Decode whatever this object is from from

Parameters

from	the BER_Decoder that will be read from

Implements Botan::ASN1_Object.

Definition at line 1295 of file x509_ext.cpp.

                                                                           {
   const ASN1_Type next_tag = from.peek_next_object().type_tag();
 
   // this can either be a prefix or a single address
   if(next_tag == ASN1_Type::BitString) {
      // construct a min and a max address from the prefix
 
      std::vector<uint8_t> prefix_min;
      from.decode(prefix_min, ASN1_Type::OctetString, ASN1_Type::BitString, ASN1_Class::Universal);
 
      // copy because we modify the address in `decode_single_address`, but we need it twice for min and max
      std::vector<uint8_t> prefix_max(prefix_min);
 
      // min address gets filled with 0's
      m_min = decode_single_address(std::move(prefix_min), true);
      // max address with 1's
      m_max = decode_single_address(std::move(prefix_max), false);
   } else if(next_tag == ASN1_Type::Sequence) {
      // this is a range
 
      std::vector<uint8_t> addr_min;
      std::vector<uint8_t> addr_max;
 
      from.start_sequence()
         .decode(addr_min, ASN1_Type::OctetString, ASN1_Type::BitString, ASN1_Class::Universal)
         .decode(addr_max, ASN1_Type::OctetString, ASN1_Type::BitString, ASN1_Class::Universal)
         .end_cons();
 
      m_min = decode_single_address(std::move(addr_min), true);
      m_max = decode_single_address(std::move(addr_max), false);
 
      if(m_min > m_max) {
         throw Decoding_Error("IP address ranges must be sorted.");
      }
   } else {
      throw Decoding_Error(fmt("Unexpected type for IPAddressOrRange {}", static_cast<uint32_t>(next_tag)));
   }
}

References Botan::BitString, Botan::BER_Decoder::decode(), Botan::BER_Decoder::end_cons(), Botan::fmt(), Botan::OctetString, Botan::BER_Decoder::peek_next_object(), Botan::Sequence, Botan::BER_Decoder::start_sequence(), Botan::BER_Object::type_tag(), and Botan::Universal.

encode_into()

template<Version V>

void Botan::Cert_Extension::IPAddressBlocks::IPAddressOrRange< V >::encode_into ( DER_Encoder & to ) const

overridevirtual

Encode whatever this object is into to

Parameters

to	the DER_Encoder that will be written to

Implements Botan::ASN1_Object.

Definition at line 1175 of file x509_ext.cpp.

                                                                                 {
   // Compress IPAddressOrRange as much as possible
   // cf. https://www.rfc-editor.org/rfc/rfc3779.html#section-2.2.3.7 - https://www.rfc-editor.org/rfc/rfc3779.html#section-2.2.3.9
   //
   // If possible encode as a prefix x.x.x.x/x, else encode as a range of min-max.
   // Single addresses are encoded as is (technically a /32 or /128 prefix).
   //
   // A range can be encoded as a prefix if the lowest n bits of the min address are 0
   // and the highest n bits of the max address are 1, or in other words, contiguous sequences of 0s and 1s are omitted.
   // To make reconstruction possible, an 'unused' octet is included at the start, since in the case of e.g. /25 only
   // the highest bit of the last octet is actually meaningful.
   //
   // If encoding requires a range, the individual elements can still be compressed using the above method,
   // but the number of used bits varies between them.
 
   const size_t version_octets = static_cast<size_t>(V);
 
   std::array<uint8_t, version_octets> min = m_min.value();
   std::array<uint8_t, version_octets> max = m_max.value();
 
   uint8_t zeros = 0;
   uint8_t ones = 0;
 
   bool zeros_done = false;
   bool ones_done = false;
 
   // count contiguous 0s/1s from the right of the min/max addresses
   for(size_t i = version_octets; i > 0; i--) {
      if(!zeros_done) {
         uint8_t local_zeros = static_cast<uint8_t>(std::countr_zero(min[i - 1]));
         zeros += local_zeros;
         zeros_done = (local_zeros != 8);
      }
 
      if(!ones_done) {
         uint8_t local_ones = static_cast<uint8_t>(std::countr_one(max[i - 1]));
         ones += local_ones;
         ones_done = (local_ones != 8);
      }
 
      if(zeros_done && ones_done) {
         break;
      }
   }
 
   // the part we want to compress
   const uint8_t host = std::min(zeros, ones);
 
   // these we can outright drop
   const uint8_t discarded_octets = host / 8;
   // in a partially used octet
   const uint8_t unused_bits = host % 8;
 
   bool octets_match = true;
   bool used_bits_match = true;
 
   // we have octets to check
   if(discarded_octets < version_octets) {
      // check all but the last octet
      for(size_t i = 0; i < static_cast<uint8_t>(version_octets - discarded_octets - 1); i++) {
         if(min[i] != max[i]) {
            octets_match = false;
            break;
         }
      }
      // check the last significant octet if we have matched so far
      if(octets_match) {
         const uint8_t shifted_min = (min[version_octets - 1 - discarded_octets] >> unused_bits);
         const uint8_t shifted_max = (max[version_octets - 1 - discarded_octets] >> unused_bits);
         used_bits_match = (shifted_min == shifted_max);
      }
   }
 
   // both the full octets and the partially used one match
   if(octets_match && used_bits_match) {
      // at this point the range can be encoded as a prefix
      std::vector<uint8_t> prefix;
 
      prefix.push_back(unused_bits);
      for(size_t i = 0; i < static_cast<uint8_t>(version_octets - discarded_octets); i++) {
         prefix.push_back(min[i]);
      }
 
      into.add_object(ASN1_Type::BitString, ASN1_Class::Universal, prefix);
   } else {
      const uint8_t discarded_octets_min = zeros / 8;
      const uint8_t unused_bits_min = zeros % 8;
 
      const uint8_t discarded_octets_max = ones / 8;
      const uint8_t unused_bits_max = ones % 8;
 
      // compress the max address by setting unused bits to 0, for the min address these are already 0
      if(unused_bits_max != 0) {
         BOTAN_ASSERT_NOMSG(discarded_octets_max < version_octets);
         max[version_octets - 1 - discarded_octets_max] >>= unused_bits_max;
         max[version_octets - 1 - discarded_octets_max] <<= unused_bits_max;
      }
 
      std::vector<uint8_t> compressed_min;
      std::vector<uint8_t> compressed_max;
 
      // construct the address as a byte sequence of the unused bits followed by the compressed address
      compressed_min.push_back(unused_bits_min);
      for(size_t i = 0; i < static_cast<uint8_t>(version_octets - discarded_octets_min); i++) {
         compressed_min.push_back(min[i]);
      }
 
      compressed_max.push_back(unused_bits_max);
      for(size_t i = 0; i < static_cast<uint8_t>(version_octets - discarded_octets_max); i++) {
         compressed_max.push_back(max[i]);
      }
 
      into.start_sequence()
         .add_object(ASN1_Type::BitString, ASN1_Class::Universal, compressed_min)
         .add_object(ASN1_Type::BitString, ASN1_Class::Universal, compressed_max)
         .end_cons();
   }
}

References Botan::DER_Encoder::add_object(), Botan::BitString, BOTAN_ASSERT_NOMSG, Botan::DER_Encoder::end_cons(), max(), min(), Botan::DER_Encoder::start_sequence(), and Botan::Universal.

max()

template<Version V>

IPAddress< V > Botan::Cert_Extension::IPAddressBlocks::IPAddressOrRange< V >::max ( ) const

inline

Definition at line 661 of file x509_ext.h.

{ return m_max; }

Referenced by encode_into(), and IPAddressOrRange().

min()

template<Version V>

IPAddress< V > Botan::Cert_Extension::IPAddressBlocks::IPAddressOrRange< V >::min ( ) const

inline

Definition at line 659 of file x509_ext.h.

{ return m_min; }

Referenced by encode_into(), and IPAddressOrRange().

---

The documentation for this class was generated from the following files:

• src/lib/x509/x509_ext.h
• src/lib/x509/x509_ext.cpp