Botan 3.3.0
Crypto and TLS for C&
Public Member Functions | Static Public Member Functions | Protected Member Functions | List of all members
Botan::X509_CRL Class Referencefinal

#include <x509_crl.h>

Inheritance diagram for Botan::X509_CRL:
Botan::X509_Object Botan::ASN1_Object

Public Member Functions

const std::vector< uint8_t > & authority_key_id () const
 
std::vector< uint8_t > BER_encode () const
 
bool check_signature (const Public_Key &key) const
 
std::string crl_issuing_distribution_point () const
 
uint32_t crl_number () const
 
void decode_from (BER_Decoder &from) override
 
void encode_into (DER_Encoder &to) const override
 
const Extensionsextensions () const
 
const std::vector< CRL_Entry > & get_revoked () const
 
bool is_revoked (const X509_Certificate &cert) const
 
const X509_DNissuer_dn () const
 
const X509_Timenext_update () const
 
std::string PEM_encode () const
 
const std::vector< uint8_t > & signature () const
 
const AlgorithmIdentifiersignature_algorithm () const
 
const std::vector< uint8_t > & signed_body () const
 
std::vector< uint8_t > tbs_data () const
 
const X509_Timethis_update () const
 
std::pair< Certificate_Status_Code, std::string > verify_signature (const Public_Key &key) const
 
 X509_CRL ()=default
 
 X509_CRL (const std::vector< uint8_t > &vec)
 
 X509_CRL (const X509_DN &issuer, const X509_Time &thisUpdate, const X509_Time &nextUpdate, const std::vector< CRL_Entry > &revoked)
 
 X509_CRL (DataSource &source)
 

Static Public Member Functions

static std::unique_ptr< PK_Signerchoose_sig_format (const Private_Key &key, RandomNumberGenerator &rng, std::string_view hash_fn, std::string_view padding_algo)
 
static std::vector< uint8_t > make_signed (PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &tbs)
 

Protected Member Functions

void load_data (DataSource &src)
 

Detailed Description

This class represents X.509 Certificate Revocation Lists (CRLs).

Definition at line 89 of file x509_crl.h.

Constructor & Destructor Documentation

◆ X509_CRL() [1/4]

Botan::X509_CRL::X509_CRL ( )
default

Create an uninitialized CRL object. Any attempts to access this object will throw an exception.

◆ X509_CRL() [2/4]

Botan::X509_CRL::X509_CRL ( DataSource & source)

Construct a CRL from a data source.

Parameters
sourcethe data source providing the DER or PEM encoded CRL.

Definition at line 39 of file x509_crl.cpp.

39 {
40 load_data(src);
41}
void load_data(DataSource &src)
Definition x509_obj.cpp:24

References Botan::X509_Object::load_data().

◆ X509_CRL() [3/4]

Botan::X509_CRL::X509_CRL ( const std::vector< uint8_t > & vec)

Construct a CRL from a binary vector

Parameters
vecthe binary (DER) representation of the CRL

Definition at line 43 of file x509_crl.cpp.

43 {
44 DataSource_Memory src(vec.data(), vec.size());
45 load_data(src);
46}

References Botan::X509_Object::load_data().

◆ X509_CRL() [4/4]

Botan::X509_CRL::X509_CRL ( const X509_DN & issuer,
const X509_Time & thisUpdate,
const X509_Time & nextUpdate,
const std::vector< CRL_Entry > & revoked )

Construct a CRL

Parameters
issuerissuer of this CRL
thisUpdatevalid from
nextUpdatevalid until
revokedentries to be included in the CRL

Definition at line 55 of file x509_crl.cpp.

58 :
59 X509_Object() {
60 m_data = std::make_shared<CRL_Data>();
61 m_data->m_issuer = issuer;
62 m_data->m_this_update = this_update;
63 m_data->m_next_update = next_update;
64 m_data->m_entries = revoked;
65}
const X509_Time & this_update() const
Definition x509_crl.cpp:224
const X509_Time & next_update() const
Definition x509_crl.cpp:231
X509_Object()=default

References next_update(), and this_update().

Member Function Documentation

◆ authority_key_id()

const std::vector< uint8_t > & Botan::X509_CRL::authority_key_id ( ) const

Get the AuthorityKeyIdentifier of this CRL.

Returns
this CRLs AuthorityKeyIdentifier

Definition at line 210 of file x509_crl.cpp.

210 {
211 return data().m_auth_key_id;
212}

Referenced by is_revoked().

◆ BER_encode()

std::vector< uint8_t > Botan::ASN1_Object::BER_encode ( ) const
inherited

Return the encoding of this object. This is a convenience method when just one object needs to be serialized. Use DER_Encoder for complicated encodings.

Definition at line 19 of file asn1_obj.cpp.

19 {
20 std::vector<uint8_t> output;
21 DER_Encoder der(output);
22 this->encode_into(der);
23 return output;
24}
virtual void encode_into(DER_Encoder &to) const =0

References Botan::ASN1_Object::encode_into().

Referenced by Botan::PSS_Params::decode_from(), Botan::Certificate_Store_In_SQL::find_all_certs(), Botan::Certificate_Store_In_SQL::find_cert(), Botan::X509_Certificate::fingerprint(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::X509_Object::PEM_encode(), and Botan::Certificate_Store_In_SQL::revoke_cert().

◆ check_signature()

bool Botan::X509_Object::check_signature ( const Public_Key & key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data
Returns
true if the signature is valid, otherwise false

Definition at line 97 of file x509_obj.cpp.

97 {
98 const auto result = this->verify_signature(pub_key);
99 return (result.first == Certificate_Status_Code::VERIFIED);
100}
std::pair< Certificate_Status_Code, std::string > verify_signature(const Public_Key &key) const
Definition x509_obj.cpp:102

References Botan::VERIFIED, and Botan::X509_Object::verify_signature().

◆ choose_sig_format()

std::unique_ptr< PK_Signer > Botan::X509_Object::choose_sig_format ( const Private_Key & key,
RandomNumberGenerator & rng,
std::string_view hash_fn,
std::string_view padding_algo )
staticinherited

Choose and return a signature scheme appropriate for X.509 signing using the provided parameters.

Parameters
keywill be the key to choose a padding scheme for
rngthe random generator to use
hash_fnis the desired hash function
padding_algospecifies the padding method
Returns
a PK_Signer object for generating signatures

Definition at line 209 of file x509_obj.cpp.

212 {
213 const Signature_Format format = key.default_x509_signature_format();
214
215 if(!user_specified_padding.empty()) {
216 try {
217 auto pk_signer = std::make_unique<PK_Signer>(key, rng, user_specified_padding, format);
218 if(!hash_fn.empty() && pk_signer->hash_function() != hash_fn) {
219 throw Invalid_Argument(format_padding_error_message(
220 key.algo_name(), pk_signer->hash_function(), hash_fn, "", user_specified_padding));
221 }
222 return pk_signer;
223 } catch(Lookup_Error&) {}
224 }
225
226 const std::string padding = x509_signature_padding_for(key.algo_name(), hash_fn, user_specified_padding);
227
228 try {
229 auto pk_signer = std::make_unique<PK_Signer>(key, rng, padding, format);
230 if(!hash_fn.empty() && pk_signer->hash_function() != hash_fn) {
231 throw Invalid_Argument(format_padding_error_message(
232 key.algo_name(), pk_signer->hash_function(), hash_fn, padding, user_specified_padding));
233 }
234 return pk_signer;
235 } catch(Not_Implemented&) {
236 throw Invalid_Argument("Signatures using " + key.algo_name() + "/" + padding + " are not supported");
237 }
238}
Signature_Format
Definition pk_keys.h:31

References Botan::Asymmetric_Key::algo_name(), and Botan::Public_Key::default_x509_signature_format().

Referenced by Botan::PKCS10_Request::create(), Botan::X509::create_self_signed_cert(), and Botan::X509_CA::X509_CA().

◆ crl_issuing_distribution_point()

std::string Botan::X509_CRL::crl_issuing_distribution_point ( ) const

Get the CRL's distribution point

Definition at line 238 of file x509_crl.cpp.

238 {
239 return data().m_issuing_distribution_point;
240}

◆ crl_number()

uint32_t Botan::X509_CRL::crl_number ( ) const

Get the serial number of this CRL.

Returns
CRLs serial number

Definition at line 217 of file x509_crl.cpp.

217 {
218 return static_cast<uint32_t>(data().m_crl_number);
219}

Referenced by Botan::X509_CA::update_crl().

◆ decode_from()

void Botan::X509_Object::decode_from ( BER_Decoder & from)
overridevirtualinherited

Decode a BER encoded X509_Object See ASN1_Object::decode_from()

Implements Botan::ASN1_Object.

Definition at line 68 of file x509_obj.cpp.

68 {
69 from.start_sequence()
70 .start_sequence()
71 .raw_bytes(m_tbs_bits)
72 .end_cons()
73 .decode(m_sig_algo)
74 .decode(m_sig, ASN1_Type::BitString)
75 .end_cons();
76
77 force_decode();
78}

References Botan::BitString, Botan::BER_Decoder::decode(), Botan::BER_Decoder::end_cons(), Botan::BER_Decoder::raw_bytes(), and Botan::BER_Decoder::start_sequence().

Referenced by Botan::X509_Object::load_data().

◆ encode_into()

void Botan::X509_Object::encode_into ( DER_Encoder & to) const
overridevirtualinherited

DER encode an X509_Object See ASN1_Object::encode_into()

Implements Botan::ASN1_Object.

Definition at line 55 of file x509_obj.cpp.

55 {
56 to.start_sequence()
57 .start_sequence()
58 .raw_bytes(signed_body())
59 .end_cons()
60 .encode(signature_algorithm())
62 .end_cons();
63}
const std::vector< uint8_t > & signed_body() const
Definition x509_obj.h:42
const AlgorithmIdentifier & signature_algorithm() const
Definition x509_obj.h:47
const std::vector< uint8_t > & signature() const
Definition x509_obj.h:37

References Botan::BitString, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), Botan::X509_Object::signature(), Botan::X509_Object::signature_algorithm(), Botan::X509_Object::signed_body(), and Botan::DER_Encoder::start_sequence().

◆ extensions()

const Extensions & Botan::X509_CRL::extensions ( ) const
Returns
extension data for this CRL

Definition at line 189 of file x509_crl.cpp.

189 {
190 return data().m_extensions;
191}

◆ get_revoked()

const std::vector< CRL_Entry > & Botan::X509_CRL::get_revoked ( ) const

Get the entries of this CRL in the form of a vector.

Returns
vector containing the entries of this CRL.

Definition at line 196 of file x509_crl.cpp.

196 {
197 return data().m_entries;
198}

Referenced by is_revoked(), and Botan::X509_CA::update_crl().

◆ is_revoked()

bool Botan::X509_CRL::is_revoked ( const X509_Certificate & cert) const

Check if this particular certificate is listed in the CRL

Definition at line 70 of file x509_crl.cpp.

70 {
71 /*
72 If the cert wasn't issued by the CRL issuer, it's possible the cert
73 is revoked, but not by this CRL. Maybe throw an exception instead?
74 */
75 if(cert.issuer_dn() != issuer_dn()) {
76 return false;
77 }
78
79 std::vector<uint8_t> crl_akid = authority_key_id();
80 const std::vector<uint8_t>& cert_akid = cert.authority_key_id();
81
82 if(!crl_akid.empty() && !cert_akid.empty()) {
83 if(crl_akid != cert_akid) {
84 return false;
85 }
86 }
87
88 const std::vector<uint8_t>& cert_serial = cert.serial_number();
89
90 bool is_revoked = false;
91
92 // FIXME would be nice to avoid a linear scan here - maybe sort the entries?
93 for(const CRL_Entry& entry : get_revoked()) {
94 if(cert_serial == entry.serial_number()) {
95 if(entry.reason_code() == CRL_Code::RemoveFromCrl) {
96 is_revoked = false;
97 } else {
98 is_revoked = true;
99 }
100 }
101 }
102
103 return is_revoked;
104}
const std::vector< CRL_Entry > & get_revoked() const
Definition x509_crl.cpp:196
const std::vector< uint8_t > & authority_key_id() const
Definition x509_crl.cpp:210
const X509_DN & issuer_dn() const
Definition x509_crl.cpp:203
bool is_revoked(const X509_Certificate &cert) const
Definition x509_crl.cpp:70

References authority_key_id(), Botan::X509_Certificate::authority_key_id(), get_revoked(), is_revoked(), issuer_dn(), Botan::X509_Certificate::issuer_dn(), Botan::RemoveFromCrl, and Botan::X509_Certificate::serial_number().

Referenced by is_revoked().

◆ issuer_dn()

const X509_DN & Botan::X509_CRL::issuer_dn ( ) const

Get the issuer DN of this CRL.

Returns
CRLs issuer DN

Definition at line 203 of file x509_crl.cpp.

203 {
204 return data().m_issuer;
205}

Referenced by Botan::Certificate_Store_In_Memory::add_crl(), and is_revoked().

◆ load_data()

void Botan::X509_Object::load_data ( DataSource & src)
protectedinherited

Decodes from src as either DER or PEM data, then calls force_decode()

Definition at line 24 of file x509_obj.cpp.

24 {
25 try {
26 if(ASN1::maybe_BER(in) && !PEM_Code::matches(in)) {
27 BER_Decoder dec(in);
28 decode_from(dec);
29 } else {
30 std::string got_label;
31 DataSource_Memory ber(PEM_Code::decode(in, got_label));
32
33 if(got_label != PEM_label()) {
34 bool is_alternate = false;
35 for(std::string_view alt_label : alternate_PEM_labels()) {
36 if(got_label == alt_label) {
37 is_alternate = true;
38 break;
39 }
40 }
41
42 if(!is_alternate) {
43 throw Decoding_Error("Unexpected PEM label for " + PEM_label() + " of " + got_label);
44 }
45 }
46
47 BER_Decoder dec(ber);
48 decode_from(dec);
49 }
50 } catch(Decoding_Error& e) {
51 throw Decoding_Error(PEM_label() + " decoding", e);
52 }
53}
void decode_from(BER_Decoder &from) override
Definition x509_obj.cpp:68
virtual std::vector< std::string > alternate_PEM_labels() const
Definition x509_obj.h:101
virtual std::string PEM_label() const =0
bool maybe_BER(DataSource &source)
Definition asn1_obj.cpp:192
bool matches(DataSource &source, std::string_view extra, size_t search_range)
Definition pem.cpp:137
secure_vector< uint8_t > decode(DataSource &source, std::string &label)
Definition pem.cpp:62

References Botan::X509_Object::alternate_PEM_labels(), Botan::PEM_Code::decode(), Botan::X509_Object::decode_from(), Botan::PEM_Code::matches(), Botan::ASN1::maybe_BER(), and Botan::X509_Object::PEM_label().

Referenced by Botan::PKCS10_Request::PKCS10_Request(), Botan::PKCS10_Request::PKCS10_Request(), Botan::X509_Certificate::X509_Certificate(), Botan::X509_Certificate::X509_Certificate(), Botan::X509_Certificate::X509_Certificate(), X509_CRL(), and X509_CRL().

◆ make_signed()

std::vector< uint8_t > Botan::X509_Object::make_signed ( PK_Signer & signer,
RandomNumberGenerator & rng,
const AlgorithmIdentifier & alg_id,
const secure_vector< uint8_t > & tbs )
staticinherited

Create a signed X509 object.

Parameters
signerthe signer used to sign the object
rngthe random number generator to use
alg_idthe algorithm identifier of the signature scheme
tbsthe tbs bits to be signed
Returns
signed X509 object

Definition at line 125 of file x509_obj.cpp.

128 {
129 const std::vector<uint8_t> signature = signer.sign_message(tbs_bits, rng);
130
131 std::vector<uint8_t> output;
132 DER_Encoder(output)
133 .start_sequence()
134 .raw_bytes(tbs_bits)
135 .encode(algo)
137 .end_cons();
138
139 return output;
140}

References Botan::BitString, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), Botan::PK_Signer::sign_message(), Botan::X509_Object::signature(), and Botan::DER_Encoder::start_sequence().

Referenced by Botan::PKCS10_Request::create(), and Botan::X509_CA::make_cert().

◆ next_update()

const X509_Time & Botan::X509_CRL::next_update ( ) const

Get the CRL's nextUpdate value.

Returns
CRLs nextdUpdate

Definition at line 231 of file x509_crl.cpp.

231 {
232 return data().m_next_update;
233}

Referenced by X509_CRL().

◆ PEM_encode()

std::string Botan::X509_Object::PEM_encode ( ) const
inherited
Returns
PEM encoding of this

Definition at line 83 of file x509_obj.cpp.

83 {
85}
std::vector< uint8_t > BER_encode() const
Definition asn1_obj.cpp:19
std::string encode(const uint8_t der[], size_t length, std::string_view label, size_t width)
Definition pem.cpp:39

References Botan::ASN1_Object::BER_encode(), Botan::PEM_Code::encode(), and Botan::X509_Object::PEM_label().

◆ signature()

const std::vector< uint8_t > & Botan::X509_Object::signature ( ) const
inlineinherited

◆ signature_algorithm()

const AlgorithmIdentifier & Botan::X509_Object::signature_algorithm ( ) const
inlineinherited
Returns
signature algorithm that was used to generate signature

Definition at line 47 of file x509_obj.h.

47{ return m_sig_algo; }

Referenced by Botan::PKIX::check_chain(), Botan::X509_Object::encode_into(), Botan::X509_Certificate::operator==(), Botan::X509_Certificate::to_string(), and Botan::X509_Object::verify_signature().

◆ signed_body()

const std::vector< uint8_t > & Botan::X509_Object::signed_body ( ) const
inlineinherited
Returns
signed body

Definition at line 42 of file x509_obj.h.

42{ return m_tbs_bits; }

Referenced by Botan::X509_Object::encode_into(), Botan::X509_Certificate::operator<(), and Botan::X509_Certificate::operator==().

◆ tbs_data()

std::vector< uint8_t > Botan::X509_Object::tbs_data ( ) const
inherited

The underlying data that is to be or was signed

Returns
data that is or was signed

Definition at line 90 of file x509_obj.cpp.

90 {
91 return ASN1::put_in_sequence(m_tbs_bits);
92}
std::vector< uint8_t > put_in_sequence(const std::vector< uint8_t > &contents)
Definition asn1_obj.cpp:172

References Botan::ASN1::put_in_sequence().

Referenced by Botan::X509_Object::verify_signature().

◆ this_update()

const X509_Time & Botan::X509_CRL::this_update ( ) const

Get the CRL's thisUpdate value.

Returns
CRLs thisUpdate

Definition at line 224 of file x509_crl.cpp.

224 {
225 return data().m_this_update;
226}

Referenced by Botan::Certificate_Store_In_Memory::add_crl(), and X509_CRL().

◆ verify_signature()

std::pair< Certificate_Status_Code, std::string > Botan::X509_Object::verify_signature ( const Public_Key & key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data
Returns
status of the signature - OK if verified or otherwise an indicator of the problem preventing verification, along with the hash function that was used, for further policy checks. The second parameter is empty unless the validation was sucessful.

Definition at line 102 of file x509_obj.cpp.

102 {
103 try {
104 PK_Verifier verifier(pub_key, signature_algorithm());
105 const bool valid = verifier.verify_message(tbs_data(), signature());
106
107 if(valid) {
108 return std::make_pair(Certificate_Status_Code::VERIFIED, verifier.hash_function());
109 } else {
110 return std::make_pair(Certificate_Status_Code::SIGNATURE_ERROR, "");
111 }
112 } catch(Decoding_Error&) {
114 } catch(Algorithm_Not_Found&) {
115 return std::make_pair(Certificate_Status_Code::SIGNATURE_ALGO_UNKNOWN, "");
116 } catch(...) {
117 // This shouldn't happen, fallback to generic signature error
118 return std::make_pair(Certificate_Status_Code::SIGNATURE_ERROR, "");
119 }
120}
std::vector< uint8_t > tbs_data() const
Definition x509_obj.cpp:90

References Botan::PK_Verifier::hash_function(), Botan::X509_Object::signature(), Botan::SIGNATURE_ALGO_BAD_PARAMS, Botan::SIGNATURE_ALGO_UNKNOWN, Botan::X509_Object::signature_algorithm(), Botan::SIGNATURE_ERROR, Botan::X509_Object::tbs_data(), Botan::VERIFIED, and Botan::PK_Verifier::verify_message().

Referenced by Botan::PKIX::check_chain(), and Botan::X509_Object::check_signature().


The documentation for this class was generated from the following files: