Botan::Cert_Extension::Name_Constraints Class Referencefinal
#include <x509_ext.h>
Inheritance diagram for Botan::Cert_Extension::Name_Constraints:
Public Member Functions | |
| std::unique_ptr< Certificate_Extension > | copy () const override |
| const NameConstraints & | get_name_constraints () const |
| Name_Constraints ()=default | |
| BOTAN_FUTURE_EXPLICIT | Name_Constraints (const NameConstraints &nc) |
| OID | oid_of () const override |
| void | validate (const X509_Certificate &subject, const std::optional< X509_Certificate > &issuer, const std::vector< X509_Certificate > &cert_path, std::vector< std::set< Certificate_Status_Code > > &cert_status, size_t pos) override |
Static Public Member Functions | |
| static OID | static_oid () |
Detailed Description
Name Constraints
Definition at line 250 of file x509_ext.h.
Constructor & Destructor Documentation
◆ Name_Constraints() [1/2]
|
default |
◆ Name_Constraints() [2/2]
|
inline |
Definition at line 258 of file x509_ext.h.
258: m_name_constraints(nc) {}
References BOTAN_FUTURE_EXPLICIT.
Member Function Documentation
◆ copy()
|
inlineoverridevirtual |
Make a copy of this extension
- Returns
- copy of this
Implements Botan::Certificate_Extension.
Definition at line 252 of file x509_ext.h.
252 {
253 return std::make_unique<Name_Constraints>(m_name_constraints);
254 }
◆ get_name_constraints()
|
inline |
Definition at line 266 of file x509_ext.h.
266{ return m_name_constraints; }
◆ oid_of()
|
inlineoverridevirtual |
- Returns
- OID representing this extension
Implements Botan::Certificate_Extension.
Definition at line 270 of file x509_ext.h.
References static_oid().
◆ static_oid()
|
inlinestatic |
Definition at line 268 of file x509_ext.h.
268{ return OID({2, 5, 29, 30}); }
Referenced by oid_of().
◆ validate()
|
overridevirtual |
Reimplemented from Botan::Certificate_Extension.
Definition at line 634 of file x509_ext.cpp.
638 {
639 if(!m_name_constraints.permitted().empty() || !m_name_constraints.excluded().empty()) {
640 if(!subject.is_CA_cert()) {
641 cert_status.at(pos).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
642 }
643
644 const bool issuer_name_constraint_critical = subject.is_critical("X509v3.NameConstraints");
645
646 // Check that all subordinate certs pass the name constraint
647 for(size_t j = 0; j < pos; ++j) {
648 const auto& cert = cert_path.at(j);
649
650 // RFC 5280 6.1.4(b): "Name constraints are not applied to self-issued
651 // certificates (unless the certificate is the final certificate in the path)"
652 // Position 0 is the end entity (final certificate); skip self-issued intermediates.
653 if(j > 0 && cert.issuer_dn() == cert.subject_dn()) {
654 continue;
655 }
656
657 if(!m_name_constraints.is_permitted(cert, issuer_name_constraint_critical)) {
658 cert_status.at(j).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
659 continue;
660 }
661
662 if(m_name_constraints.is_excluded(cert, issuer_name_constraint_critical)) {
663 cert_status.at(j).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
664 continue;
665 }
666 }
667 }
668}
@ NAME_CONSTRAINT_ERROR
Definition pkix_enums.h:75
References Botan::X509_Certificate::is_CA_cert(), Botan::X509_Certificate::is_critical(), and Botan::NAME_CONSTRAINT_ERROR.
The documentation for this class was generated from the following files:
- src/lib/x509/x509_ext.h
- src/lib/x509/x509_ext.cpp
Generated by
1.16.1