Botan  2.0.1
Crypto and TLS for C++11
Botan::X509_CRL Class Reference (final)

#include <x509_crl.h>

Inheritance diagram for Botan::X509_CRL:
Botan::X509_Object Botan::ASN1_Object

Classes

struct  X509_CRL_Error
 

Public Member Functions

std::vector< uint8_t > authority_key_id () const
 
std::vector< uint8_t > BER_encode () const
 
bool check_signature (const Public_Key &key) const
 
bool check_signature (const Public_Key *key) const
 
uint32_t crl_number () const
 
void decode_from (class BER_Decoder &from) override
 
void encode_into (class DER_Encoder &to) const override
 
std::vector< CRL_Entry > get_revoked () const
 
std::string hash_used_for_signature () const
 
bool is_revoked (const X509_Certificate &cert) const
 
X509_DN issuer_dn () const
 
X509_Time next_update () const
 
std::string PEM_encode () const
 
std::vector< uint8_t > signature () const
 
AlgorithmIdentifier signature_algorithm () const
 
std::vector< uint8_t > tbs_data () const
 
X509_Time this_update () const
 
 X509_CRL (DataSource &source, bool throw_on_unknown_critical=false)
 
 X509_CRL (const std::vector< uint8_t > &vec, bool throw_on_unknown_critical=false)
 
 X509_CRL (const X509_DN &issuer, const X509_Time &thisUpdate, const X509_Time &nextUpdate, const std::vector< CRL_Entry > &revoked)
 

Static Public Member Functions

static std::vector< uint8_t > make_signed (class PK_Signer *signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &tbs)
 

Protected Member Functions

void do_decode ()
 

Protected Attributes

std::vector< uint8_t > m_sig
 
AlgorithmIdentifier m_sig_algo
 
std::vector< uint8_t > m_tbs_bits
 

Detailed Description

This class represents X.509 Certificate Revocation Lists (CRLs).

Definition at line 24 of file x509_crl.h.

Constructor & Destructor Documentation

◆ X509_CRL() [1/3]

Botan::X509_CRL::X509_CRL ( DataSource & source,
bool  throw_on_unknown_critical = false 
)

Construct a CRL from a data source.

Parameters
source — the data source providing the DER or PEM encoded CRL.
throw_on_unknown_critical — whether to throw an exception if an unknown CRL extension marked as critical is encountered.

Definition at line 21 of file x509_crl.cpp.

References Botan::X509_Object::do_decode(), and Botan::X509_Object::X509_Object().

/**
* Construct a CRL from a data source.
*
* @param in the data source providing the DER or PEM encoded CRL
*           (declared as `source` in the header)
* @param touc whether an unknown critical CRL extension should raise an
*             exception (declared as `throw_on_unknown_critical`)
*/
X509_CRL::X509_CRL(DataSource& in, bool touc) :
   X509_Object(in, "X509 CRL/CRL"),
   m_throw_on_unknown_critical(touc)
   {
   // The base class has consumed the outer structure (TBS bytes, signature
   // algorithm, signature); do_decode() runs the CRL-specific parser,
   // force_decode(), which is not shown on this page.
   do_decode();
   }

◆ X509_CRL() [2/3]

Botan::X509_CRL::X509_CRL ( const std::vector< uint8_t > &  vec,
bool  throw_on_unknown_critical = false 
)

Construct a CRL from a binary vector

Parameters
vec — the binary (DER) representation of the CRL.
throw_on_unknown_critical — whether to throw an exception if an unknown CRL extension marked as critical is encountered.

Definition at line 38 of file x509_crl.cpp.

References Botan::X509_Object::do_decode().

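/**
* Construct a CRL from its DER encoding.
*
* @param in the binary (DER) representation of the CRL (declared as `vec`
*           in the header)
* @param touc whether an unknown critical CRL extension should raise an
*             exception (declared as `throw_on_unknown_critical`)
*/
X509_CRL::X509_CRL(const std::vector<uint8_t>& in, bool touc) :
   // Same label list, in the same order, as the DataSource overload. This
   // constructor used to pass "CRL/X509 CRL", so the two overloads disagreed
   // on which label comes first; if X509_Object takes the first entry as
   // the preferred PEM label (its code is not shown on this page), a CRL
   // loaded from a vector would PEM-encode with a different header line
   // than the same CRL loaded from a DataSource. The accepted label set is
   // unchanged either way.
   X509_Object(in, "X509 CRL/CRL"),
   m_throw_on_unknown_critical(touc)
   {
   // Runs the CRL-specific parser (force_decode(), not shown here) on the
   // TBS bytes extracted by the base class.
   do_decode();
   }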

◆ X509_CRL() [3/3]

Botan::X509_CRL::X509_CRL ( const X509_DN & issuer,
const X509_Time & thisUpdate,
const X509_Time & nextUpdate,
const std::vector< CRL_Entry > &  revoked 
)

Construct a CRL

Parameters
issuer — issuer of this CRL
thisUpdate — valid from
nextUpdate — valid until
revoked — entries to be included in the CRL

Definition at line 44 of file x509_crl.cpp.

References Botan::Data_Store::add(), Botan::X509_DN::contents(), and Botan::X509_Time::to_string().

/**
* Construct a CRL in memory from its issuer, validity window and entries.
*
* Nothing is parsed or signed here: the object is created through the
* default X509_Object constructor, so it carries no TBS bytes or signature
* until it is serialized and signed elsewhere (presumably via make_signed(),
* which X509_CA::update_crl() is listed as referencing).
*
* @param issuer issuer DN of this CRL
* @param thisUpdate start of the validity window
* @param nextUpdate end of the validity window
* @param revoked entries to include in the CRL
*/
X509_CRL::X509_CRL(const X509_DN& issuer,
                   const X509_Time& thisUpdate,
                   const X509_Time& nextUpdate,
                   const std::vector<CRL_Entry>& revoked) :
   X509_Object(),
   m_throw_on_unknown_critical(false),
   m_revoked(revoked)
   {
   // issuer.contents() yields a string multimap that is merged into m_info;
   // issuer_dn() rebuilds the DN from it later.
   m_info.add(issuer.contents());

   // These two keys are the ones this_update()/next_update() read back.
   m_info.add("X509.CRL.start", thisUpdate.to_string());
   m_info.add("X509.CRL.end", nextUpdate.to_string());
   }

Member Function Documentation

◆ authority_key_id()

std::vector< uint8_t > Botan::X509_CRL::authority_key_id ( ) const

Get the AuthorityKeyIdentifier of this CRL.

Returns
this CRL's AuthorityKeyIdentifier

Definition at line 173 of file x509_crl.cpp.

References Botan::Data_Store::get1_memvec().

Referenced by is_revoked().

/**
* Get the AuthorityKeyIdentifier of this CRL.
*
* @return the AuthorityKeyIdentifier bytes stored under
*         "X509v3.AuthorityKeyIdentifier"; presumably empty when the CRL
*         carries no such extension (is_revoked() tolerates an empty value)
*/
std::vector<uint8_t> X509_CRL::authority_key_id() const
   {
   const char* const key = "X509v3.AuthorityKeyIdentifier";
   return m_info.get1_memvec(key);
   }

◆ BER_encode()

std::vector< uint8_t > Botan::X509_Object::BER_encode ( ) const
inherited
Returns
BER encoding of this

Definition at line 114 of file x509_obj.cpp.

References Botan::X509_Object::encode_into(), and Botan::DER_Encoder::get_contents_unlocked().

Referenced by Botan::X509_Certificate::fingerprint(), and Botan::X509_Object::PEM_encode().

/**
* Serialize this object to its BER/DER encoding.
*
* @return the DER bytes produced by the virtual encode_into()
*/
std::vector<uint8_t> X509_Object::BER_encode() const
   {
   DER_Encoder encoder;
   // encode_into() is the per-object serializer (its body is not shown here)
   encode_into(encoder);
   return encoder.get_contents_unlocked();
   }

◆ check_signature() [1/2]

bool Botan::X509_Object::check_signature ( const Public_Key & key ) const
inherited

Check the signature on this data

Parameters
key — the public key purportedly used to sign this data
Returns
true if the signature is valid, otherwise false

Definition at line 188 of file x509_obj.cpp.

References Botan::Public_Key::algo_name(), Botan::DER_SEQUENCE, Botan::IEEE_1363, Botan::OIDS::lookup(), Botan::X509_Object::m_sig_algo, Botan::Public_Key::message_parts(), Botan::AlgorithmIdentifier::oid, Botan::X509_Object::signature(), Botan::split_on(), Botan::X509_Object::tbs_data(), and Botan::PK_Verifier::verify_message().

Referenced by Botan::X509_Object::check_signature(), Botan::PKCS10_Request::PKCS10_Request(), and Botan::X509_Certificate::X509_Certificate().

/**
* Check the signature on this object against a public key.
*
* @param pub_key the public key purportedly used to sign this object
* @return true if the signature verifies; false if the signature algorithm
*         name cannot be split into "<algo>/<padding>", if the key's
*         algorithm does not match it, if verification fails, or if any
*         exception is raised while verifying
*/
bool X509_Object::check_signature(const Public_Key& pub_key) const
   {
   try
      {
      // Line 192 of the original is dropped from the rendered fragment;
      // restored from the References list (OIDS::lookup, split_on,
      // AlgorithmIdentifier::oid): "<algo>/<padding>" split on '/'.
      const std::vector<std::string> sig_info =
         split_on(OIDS::lookup(m_sig_algo.oid), '/');

      // The key must be for the algorithm the signature claims to use
      if(sig_info.size() != 2)
         return false;
      if(sig_info[0] != pub_key.algo_name())
         return false;

      // Keys whose signatures have several parts (presumably (r,s)-style
      // schemes) use the DER SEQUENCE format, otherwise raw IEEE 1363
      Signature_Format format = IEEE_1363;
      if(pub_key.message_parts() >= 2)
         format = DER_SEQUENCE;

      PK_Verifier verifier(pub_key, sig_info[1], format);
      return verifier.verify_message(tbs_data(), signature());
      }
   catch(std::exception&)
      {
      // Any failure while setting up or running the verifier is reported
      // as an invalid signature rather than propagated
      return false;
      }
   }

◆ check_signature() [2/2]

bool Botan::X509_Object::check_signature ( const Public_Key * key ) const
inherited

Check the signature on this data

Parameters
key — the public key purportedly used to sign this data; the pointer will be deleted after use.
Returns
true if the signature is valid, otherwise false

Definition at line 177 of file x509_obj.cpp.

References Botan::X509_Object::check_signature().

/**
* Check the signature on this object, taking ownership of the key.
*
* @param pub_key the public key purportedly used to sign this object; it
*                is deleted when this call returns
* @return true if the signature is valid, otherwise false
* @throws Exception if pub_key is null
*/
bool X509_Object::check_signature(const Public_Key* pub_key) const
   {
   // Adopt the pointer first so it is released on every path; a null
   // unique_ptr deletes nothing, so the null check can follow.
   std::unique_ptr<const Public_Key> key(pub_key);
   if(!key)
      throw Exception("No key provided for " + m_PEM_label_pref + " signature check");
   return check_signature(*key);
   }

◆ crl_number()

uint32_t Botan::X509_CRL::crl_number ( ) const

Get the serial number of this CRL.

Returns
the CRL's serial number

Definition at line 181 of file x509_crl.cpp.

References Botan::Data_Store::get1_uint32().

Referenced by Botan::X509_CA::update_crl().

/**
* Get the CRL number (serial) of this CRL.
*
* @return the value stored under "X509v3.CRLNumber"; get1_uint32()'s second
*         argument defaults to 0, so a CRL lacking this extension presumably
*         reports 0 — callers should not treat 0 as a real CRL number
*/
uint32_t X509_CRL::crl_number() const
   {
   const char* const key = "X509v3.CRLNumber";
   return m_info.get1_uint32(key);
   }

◆ decode_from()

void Botan::X509_Object::decode_from ( class BER_Decoder & from )
override virtual inherited

Decode a BER-encoded X509_Object. See ASN1_Object::decode_from().

Implements Botan::ASN1_Object.

Definition at line 100 of file x509_obj.cpp.

References Botan::BIT_STRING, Botan::BER_Decoder::decode(), Botan::BER_Decoder::end_cons(), Botan::X509_Object::m_sig, Botan::X509_Object::m_sig_algo, Botan::X509_Object::m_tbs_bits, Botan::BER_Decoder::raw_bytes(), Botan::SEQUENCE, and Botan::BER_Decoder::start_cons().

Referenced by Botan::X509_Object::X509_Object().

/**
* Decode the generic signed-object envelope from a BER decoder.
*
* Reads SEQUENCE { SEQUENCE { tbs ... }, AlgorithmIdentifier, BIT STRING }
* into m_tbs_bits, m_sig_algo and m_sig. The inner SEQUENCE is kept as raw
* bytes so the signature can later be checked over exactly what was
* received (see tbs_data() and check_signature()).
*
* @param from the decoder positioned at the outer SEQUENCE
*/
void X509_Object::decode_from(class BER_Decoder& from)
   {
   from.start_cons(SEQUENCE)
         .start_cons(SEQUENCE)
            .raw_bytes(m_tbs_bits)   // TBS body, left undecoded here
         .end_cons()
         .decode(m_sig_algo)         // signature AlgorithmIdentifier
         .decode(m_sig, BIT_STRING)  // signature value
      .end_cons();
   }

◆ do_decode()

void Botan::X509_Object::do_decode ( )
protected inherited

Definition at line 231 of file x509_obj.cpp.

References Botan::Exception::what().

Referenced by Botan::PKCS10_Request::PKCS10_Request(), Botan::X509_Certificate::X509_Certificate(), and X509_CRL().

/**
* Run the subclass parser and normalize its failures.
*
* Decoding_Error and Invalid_Argument raised by force_decode() are both
* rethrown as Decoding_Error, prefixed with this object's PEM label so the
* caller can tell which kind of object failed to parse. Other exception
* types propagate unchanged.
*
* @throws Decoding_Error when force_decode() fails with either of the
*         two wrapped exception types
*/
void X509_Object::do_decode()
   {
   // Both catch clauses build the same message; e.what() is virtual, so
   // going through std::exception& yields the same text as the concrete type
   const auto decoding_failed = [this](const std::exception& e)
      {
      return Decoding_Error(m_PEM_label_pref + " decoding failed (" +
                            e.what() + ")");
      };

   try
      {
      force_decode();
      }
   catch(Decoding_Error& e)
      {
      throw decoding_failed(e);
      }
   catch(Invalid_Argument& e)
      {
      throw decoding_failed(e);
      }
   }

◆ encode_into()

void Botan::X509_Object::encode_into ( class DER_Encoder & to ) const
override virtual inherited

◆ get_revoked()

std::vector< CRL_Entry > Botan::X509_CRL::get_revoked ( ) const

Get the entries of this CRL in the form of a vector.

Returns
vector containing the entries of this CRL.

Definition at line 157 of file x509_crl.cpp.

Referenced by Botan::X509_CA::update_crl().

/**
* Get the entries of this CRL.
*
* @return a copy of the revoked-certificate entries, in the order they are
*         held internally
*/
std::vector<CRL_Entry> X509_CRL::get_revoked() const
   {
   std::vector<CRL_Entry> entries(m_revoked);
   return entries;
   }

◆ hash_used_for_signature()

std::string Botan::X509_Object::hash_used_for_signature ( ) const
inherited
Returns
hash algorithm that was used to generate signature

Definition at line 156 of file x509_obj.cpp.

References Botan::OID::as_string(), Botan::OIDS::lookup(), Botan::X509_Object::m_sig_algo, Botan::AlgorithmIdentifier::oid, Botan::parse_algorithm_name(), and Botan::split_on().

/**
* Name the hash function used by this object's signature.
*
* The signature algorithm OID is looked up as "<algo>/<padding>" and the
* padding string is then parsed into its components; the hash is the
* second of them.
*
* @return the hash algorithm name
* @throws Internal_Error if either name does not split into exactly two
*         parts
*/
std::string X509_Object::hash_used_for_signature() const
   {
   // Lines 159 and 163 of the original are dropped from the rendered
   // fragment; restored from the References list (OIDS::lookup, split_on,
   // AlgorithmIdentifier::oid, OID::as_string).
   const std::vector<std::string> sig_info =
      split_on(OIDS::lookup(m_sig_algo.oid), '/');

   if(sig_info.size() != 2)
      throw Internal_Error("Invalid name format found for " +
                           m_sig_algo.oid.as_string());

   const std::vector<std::string> pad_and_hash =
      parse_algorithm_name(sig_info[1]);

   if(pad_and_hash.size() != 2)
      throw Internal_Error("Invalid name format " + sig_info[1]);

   return pad_and_hash[1];
   }

◆ is_revoked()

bool Botan::X509_CRL::is_revoked ( const X509_Certificate & cert ) const

Check if this particular certificate is listed in the CRL

Definition at line 56 of file x509_crl.cpp.

References Botan::Data_Store::add(), authority_key_id(), Botan::X509_Certificate::authority_key_id(), Botan::BER_Object::class_tag, Botan::CONSTRUCTED, Botan::X509_DN::contents(), Botan::Extensions::contents_to(), Botan::CONTEXT_SPECIFIC, Botan::BER_Decoder::decode(), Botan::BER_Decoder::decode_optional(), Botan::BER_Decoder::get_next_object(), Botan::INTEGER, issuer_dn(), Botan::X509_Certificate::issuer_dn(), Botan::X509_Object::m_sig_algo, Botan::X509_Object::m_tbs_bits, Botan::BER_Decoder::more_items(), Botan::NO_OBJECT, Botan::REMOVE_FROM_CRL, Botan::SEQUENCE, Botan::X509_Certificate::serial_number(), Botan::X509_Time::to_string(), Botan::ASN1::to_string(), Botan::BER_Object::type_tag, Botan::UNIVERSAL, Botan::BER_Object::value, and Botan::BER_Decoder::verify_end().

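/**
* Check whether a certificate is listed as revoked by this CRL.
*
* The check is scoped to this CRL only: a certificate whose issuer DN
* differs from the CRL issuer is reported as not revoked even though it may
* be revoked by some other CRL. When both the CRL and the certificate carry
* an AuthorityKeyIdentifier the two must also match; an absent identifier
* on either side is not treated as a mismatch.
*
* @param cert the certificate to look up
* @return true if the last CRL entry matching cert's serial number has a
*         reason other than REMOVE_FROM_CRL; false if there is no match,
*         the last match is REMOVE_FROM_CRL, or the issuer/AKID checks fail
*/
bool X509_CRL::is_revoked(const X509_Certificate& cert) const
   {
   /*
   If the cert wasn't issued by the CRL issuer, it's possible the cert
   is revoked, but not by this CRL. Maybe throw an exception instead?
   */
   if(cert.issuer_dn() != issuer_dn())
      return false;

   const std::vector<uint8_t> crl_akid = authority_key_id();
   const std::vector<uint8_t> cert_akid = cert.authority_key_id();

   if(!crl_akid.empty() && !cert_akid.empty() && crl_akid != cert_akid)
      return false;

   const std::vector<uint8_t> cert_serial = cert.serial_number();

   // Scan every entry rather than stopping at the first hit: a later entry
   // for the same serial with reason REMOVE_FROM_CRL undoes an earlier one,
   // so the last matching entry decides. The local was previously named
   // is_revoked, shadowing this method.
   bool revoked = false;
   for(const CRL_Entry& entry : m_revoked)
      {
      if(cert_serial == entry.serial_number())
         revoked = (entry.reason_code() != REMOVE_FROM_CRL);
      }

   return revoked;
   }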

◆ issuer_dn()

X509_DN Botan::X509_CRL::issuer_dn ( ) const

Get the issuer DN of this CRL.

Returns
the CRL's issuer DN

Definition at line 165 of file x509_crl.cpp.

References Botan::create_dn().

Referenced by is_revoked().

/**
* Get the issuer DN of this CRL.
*
* @return the DN rebuilt by create_dn() from the issuer attributes that the
*         parser or the in-memory constructor stored in m_info
*/
X509_DN X509_CRL::issuer_dn() const
   {
   const Data_Store& info = m_info;
   return create_dn(info);
   }

◆ make_signed()

std::vector< uint8_t > Botan::X509_Object::make_signed ( class PK_Signer * signer,
RandomNumberGenerator & rng,
const AlgorithmIdentifier & alg_id,
const secure_vector< uint8_t > &  tbs 
)
static inherited

Create a signed X509 object.

Parameters
signer — the signer used to sign the object
rng — the random number generator to use
alg_id — the algorithm identifier of the signature scheme
tbs — the TBS bits to be signed
Returns
signed X509 object

Definition at line 214 of file x509_obj.cpp.

References Botan::BIT_STRING, Botan::DER_Encoder::encode(), Botan::DER_Encoder::get_contents_unlocked(), Botan::DER_Encoder::raw_bytes(), Botan::SEQUENCE, Botan::PK_Signer::sign_message(), and Botan::DER_Encoder::start_cons().

Referenced by Botan::X509::create_cert_req(), Botan::X509_CA::make_cert(), and Botan::X509_CA::update_crl().

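/**
* Create a signed X509 object.
*
* Produces SEQUENCE { tbs, AlgorithmIdentifier, signature BIT STRING },
* the same layout decode_from() reads back.
*
* @param signer the signer used to sign the object; must not be null
* @param rng the random number generator handed to the signer
* @param algo the algorithm identifier of the signature scheme
*             (declared as `alg_id` in the header)
* @param tbs_bits the TBS bytes to be signed, inserted verbatim
*                 (declared as `tbs` in the header)
* @return DER encoding of the signed object
* @throws Invalid_Argument if signer is null
*/
std::vector<uint8_t> X509_Object::make_signed(class PK_Signer* signer,
                                              RandomNumberGenerator& rng,
                                              const AlgorithmIdentifier& algo,
                                              const secure_vector<uint8_t>& tbs_bits)
   {
   // Previously a null signer was dereferenced unchecked
   if(!signer)
      throw Invalid_Argument("X509_Object::make_signed: no signer provided");

   // The signature covers the raw TBS bytes exactly as supplied
   const auto sig = signer->sign_message(tbs_bits, rng);

   DER_Encoder der;
   der.start_cons(SEQUENCE)
         .raw_bytes(tbs_bits)
         .encode(algo)
         .encode(sig, BIT_STRING)
      .end_cons();
   return der.get_contents_unlocked();
   }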

◆ next_update()

X509_Time Botan::X509_CRL::next_update ( ) const

Get the CRL's nextUpdate value.

Returns
the CRL's nextUpdate

Definition at line 197 of file x509_crl.cpp.

References Botan::Data_Store::get1(), and Botan::UTC_OR_GENERALIZED_TIME.

/**
* Get the CRL's nextUpdate value.
*
* @return the time stored under "X509.CRL.end", re-parsed as either a
*         UTCTime or a GeneralizedTime
*/
X509_Time X509_CRL::next_update() const
   {
   const std::string when = m_info.get1("X509.CRL.end");
   return X509_Time(when, ASN1_Tag::UTC_OR_GENERALIZED_TIME);
   }

◆ PEM_encode()

std::string Botan::X509_Object::PEM_encode ( ) const
inherited
Returns
PEM encoding of this

Definition at line 124 of file x509_obj.cpp.

References Botan::X509_Object::BER_encode(), and Botan::PEM_Code::encode().

/**
* Serialize this object as PEM.
*
* @return the BER encoding wrapped in PEM armor using this object's
*         preferred PEM label
*/
std::string X509_Object::PEM_encode() const
   {
   const std::vector<uint8_t> der = BER_encode();
   return PEM_Code::encode(der, m_PEM_label_pref);
   }

◆ signature()

std::vector< uint8_t > Botan::X509_Object::signature ( ) const
inherited
Returns
signature on tbs_data()

Definition at line 140 of file x509_obj.cpp.

References Botan::X509_Object::m_sig.

Referenced by Botan::X509_Object::check_signature().

/**
* Get the signature over tbs_data().
*
* @return a copy of the raw signature bits read by decode_from()
*/
std::vector<uint8_t> X509_Object::signature() const
   {
   std::vector<uint8_t> sig(m_sig);
   return sig;
   }

◆ signature_algorithm()

AlgorithmIdentifier Botan::X509_Object::signature_algorithm ( ) const
inherited
Returns
signature algorithm that was used to generate signature

Definition at line 148 of file x509_obj.cpp.

References Botan::X509_Object::m_sig_algo.

Referenced by Botan::X509_Certificate::to_string().

/**
* Get the signature algorithm identifier.
*
* @return a copy of the AlgorithmIdentifier read by decode_from()
*/
AlgorithmIdentifier X509_Object::signature_algorithm() const
   {
   AlgorithmIdentifier algo(m_sig_algo);
   return algo;
   }

◆ tbs_data()

std::vector< uint8_t > Botan::X509_Object::tbs_data ( ) const
inherited

The underlying data that is to be or was signed

Returns
data that is or was signed

Definition at line 132 of file x509_obj.cpp.

References Botan::X509_Object::m_tbs_bits, and Botan::ASN1::put_in_sequence().

Referenced by Botan::X509_Object::check_signature().

/**
* The underlying data that is to be or was signed.
*
* @return the raw TBS bytes captured by decode_from(), re-wrapped in the
*         SEQUENCE that decode_from() stripped, so the result is what the
*         signature was computed over
*/
std::vector<uint8_t> X509_Object::tbs_data() const
   {
   // Line 134 of the original is dropped from the rendered fragment;
   // restored from the References list (ASN1::put_in_sequence, m_tbs_bits).
   return ASN1::put_in_sequence(m_tbs_bits);
   }

◆ this_update()

X509_Time Botan::X509_CRL::this_update ( ) const

Get the CRL's thisUpdate value.

Returns
the CRL's thisUpdate

Definition at line 189 of file x509_crl.cpp.

References Botan::Data_Store::get1(), and Botan::UTC_OR_GENERALIZED_TIME.

/**
* Get the CRL's thisUpdate value.
*
* @return the time stored under "X509.CRL.start", re-parsed as either a
*         UTCTime or a GeneralizedTime
*/
X509_Time X509_CRL::this_update() const
   {
   const std::string when = m_info.get1("X509.CRL.start");
   return X509_Time(when, ASN1_Tag::UTC_OR_GENERALIZED_TIME);
   }

Member Data Documentation

◆ m_sig

std::vector<uint8_t> Botan::X509_Object::m_sig
protected inherited

◆ m_sig_algo

AlgorithmIdentifier Botan::X509_Object::m_sig_algo
protected inherited

◆ m_tbs_bits

std::vector<uint8_t> Botan::X509_Object::m_tbs_bits
protected inherited

The documentation for this class was generated from the following files: