Botan  2.6.0
Crypto and TLS for C++11
Public Member Functions | Static Public Member Functions | List of all members
Botan::Cert_Extension::Name_Constraints Class Referencefinal

#include <x509_ext.h>

Inheritance diagram for Botan::Cert_Extension::Name_Constraints:
Botan::Certificate_Extension

Public Member Functions

Name_Constraintscopy () const override
 
const NameConstraintsget_name_constraints () const
 
 Name_Constraints ()=default
 
 Name_Constraints (const NameConstraints &nc)
 
OID oid_of () const override
 
void validate (const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::vector< std::set< Certificate_Status_Code >> &cert_status, size_t pos) override
 

Static Public Member Functions

static OID static_oid ()
 

Detailed Description

Name Constraints

Definition at line 491 of file x509_ext.h.

Constructor & Destructor Documentation

◆ Name_Constraints() [1/2]

Botan::Cert_Extension::Name_Constraints::Name_Constraints ( )
default

◆ Name_Constraints() [2/2]

Botan::Cert_Extension::Name_Constraints::Name_Constraints ( const NameConstraints nc)
inline

Definition at line 498 of file x509_ext.h.

498 : m_name_constraints(nc) {}

Member Function Documentation

◆ copy()

Name_Constraints* Botan::Cert_Extension::Name_Constraints::copy ( ) const
inlineoverridevirtual

Make a copy of this extension

Returns
copy of this

Implements Botan::Certificate_Extension.

Definition at line 494 of file x509_ext.h.

495  { return new Name_Constraints(m_name_constraints); }
Botan::Cert_Extension::Name_Constraints::Name_Constraints
Name_Constraints()=default

◆ get_name_constraints()

const NameConstraints& Botan::Cert_Extension::Name_Constraints::get_name_constraints ( ) const
inline

Definition at line 505 of file x509_ext.h.

505 { return m_name_constraints; }

◆ oid_of()

OID Botan::Cert_Extension::Name_Constraints::oid_of ( ) const
inlineoverridevirtual
Returns
OID representing this extension

Implements Botan::Certificate_Extension.

Definition at line 508 of file x509_ext.h.

508 { return static_oid(); }
Botan::Cert_Extension::Name_Constraints::static_oid
static OID static_oid()
Definition: x509_ext.h:507

◆ static_oid()

static OID Botan::Cert_Extension::Name_Constraints::static_oid ( )
inlinestatic

Definition at line 507 of file x509_ext.h.

507 { return OID("2.5.29.30"); }

◆ validate()

void Botan::Cert_Extension::Name_Constraints::validate ( const X509_Certificate subject,
const X509_Certificate issuer,
const std::vector< std::shared_ptr< const X509_Certificate >> &  cert_path,
std::vector< std::set< Certificate_Status_Code >> &  cert_status,
size_t  pos 
)
overridevirtual

Reimplemented from Botan::Certificate_Extension.

Definition at line 613 of file x509_ext.cpp.

References Botan::NameConstraints::excluded(), Botan::X509_Certificate::is_CA_cert(), Botan::X509_Certificate::is_critical(), Botan::NAME_CONSTRAINT_ERROR, and Botan::NameConstraints::permitted().

617  {
618  if(!m_name_constraints.permitted().empty() || !m_name_constraints.excluded().empty())
619  {
620  if(!subject.is_CA_cert() || !subject.is_critical("X509v3.NameConstraints"))
621  cert_status.at(pos).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
622 
623  const bool issuer_name_constraint_critical =
624  issuer.is_critical("X509v3.NameConstraints");
625 
626  const bool at_self_signed_root = (pos == cert_path.size() - 1);
627 
628  // Check that all subordinate certs pass the name constraint
629  for(size_t j = 0; j <= pos; ++j)
630  {
631  if(pos == j && at_self_signed_root)
632  continue;
633 
634  bool permitted = m_name_constraints.permitted().empty();
635  bool failed = false;
636 
637  for(auto c: m_name_constraints.permitted())
638  {
639  switch(c.base().matches(*cert_path.at(j)))
640  {
641  case GeneralName::MatchResult::NotFound:
642  case GeneralName::MatchResult::All:
643  permitted = true;
644  break;
645  case GeneralName::MatchResult::UnknownType:
646  failed = issuer_name_constraint_critical;
647  permitted = true;
648  break;
649  default:
650  break;
651  }
652  }
653 
654  for(auto c: m_name_constraints.excluded())
655  {
656  switch(c.base().matches(*cert_path.at(j)))
657  {
658  case GeneralName::MatchResult::All:
659  case GeneralName::MatchResult::Some:
660  failed = true;
661  break;
662  case GeneralName::MatchResult::UnknownType:
663  failed = issuer_name_constraint_critical;
664  break;
665  default:
666  break;
667  }
668  }
669 
670  if(failed || !permitted)
671  {
672  cert_status.at(j).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
673  }
674  }
675  }
676  }
Botan::NameConstraints::excluded
const std::vector< GeneralSubtree > & excluded() const
Definition: name_constraint.h:173
Botan::NameConstraints::permitted
const std::vector< GeneralSubtree > & permitted() const
Definition: name_constraint.h:168
The documentation for this class was generated from the following files:
Generated by   doxygen 1.8.14