#include <x509_crl.h>

Inheritance diagram for Botan::X509_CRL:

Public Member Functions
const std::vector< uint8_t > &	authority_key_id () const
std::vector< uint8_t >	BER_encode () const
bool	check_signature (const Public_Key &key) const
std::string	crl_issuing_distribution_point () const
uint32_t	crl_number () const
void	decode_from (BER_Decoder &from) override
void	encode_into (DER_Encoder &to) const override
const Extensions &	extensions () const
const std::vector< CRL_Entry > &	get_revoked () const
bool	has_matching_distribution_point (const X509_Certificate &cert) const
bool	is_revoked (const X509_Certificate &cert) const
const X509_DN &	issuer_dn () const
std::vector< std::string >	issuing_distribution_points () const
const X509_Time &	next_update () const
std::string	PEM_encode () const
const std::vector< uint8_t > &	signature () const
const AlgorithmIdentifier &	signature_algorithm () const
const std::vector< uint8_t > &	signed_body () const
std::vector< uint8_t >	tbs_data () const
const X509_Time &	this_update () const
std::pair< Certificate_Status_Code, std::string >	verify_signature (const Public_Key &key) const
	X509_CRL ()=default
BOTAN_FUTURE_EXPLICIT	X509_CRL (const std::vector< uint8_t > &vec)
	X509_CRL (const X509_DN &issuer, const X509_Time &thisUpdate, const X509_Time &nextUpdate, const std::vector< CRL_Entry > &revoked)
BOTAN_FUTURE_EXPLICIT	X509_CRL (DataSource &source)
uint32_t	x509_version () const

Static Public Member Functions
static std::unique_ptr< PK_Signer >	choose_sig_format (const Private_Key &key, RandomNumberGenerator &rng, std::string_view hash_fn, std::string_view padding_algo)
static std::vector< uint8_t >	make_signed (PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, std::span< const uint8_t > tbs)

Protected Member Functions
void	load_data (DataSource &src)

Detailed Description

This class represents X.509 Certificate Revocation Lists (CRLs).

Definition at line 90 of file x509_crl.h.

Constructor & Destructor Documentation

◆ X509_CRL() [1/4]

Botan::X509_CRL::X509_CRL ( )

default

Create an uninitialized CRL object. Any attempts to access this object will throw an exception.

References BOTAN_FUTURE_EXPLICIT, and X509_CRL().

Referenced by X509_CRL().

◆ X509_CRL() [2/4]

Botan::X509_CRL::X509_CRL ( DataSource & source )

Construct a CRL from a data source.

Parameters

source the data source providing the DER or PEM encoded CRL.

Definition at line 70 of file x509_crl.cpp.

                                  {
   load_data(src);
}

References Botan::X509_Object::load_data().

◆ X509_CRL() [3/4]

Botan::X509_CRL::X509_CRL ( const std::vector< uint8_t > & vec )

Construct a CRL from a binary vector

Parameters

vec	the binary (DER) representation of the CRL

Definition at line 74 of file x509_crl.cpp.

                                                {
   DataSource_Memory src(vec.data(), vec.size());
   load_data(src);
}

References Botan::X509_Object::load_data().

◆ X509_CRL() [4/4]

Botan::X509_CRL::X509_CRL	(	const X509_DN &	issuer,
		const X509_Time &	thisUpdate,
		const X509_Time &	nextUpdate,
		const std::vector< CRL_Entry > &	revoked )

Construct a CRL

Parameters

issuer	issuer of this CRL
thisUpdate	valid from
nextUpdate	valid until
revoked	entries to be included in the CRL

Definition at line 86 of file x509_crl.cpp.

                                                        {
   m_data = std::make_shared<CRL_Data>(issuer, this_update, next_update, revoked);
}

References next_update(), and this_update().

Member Function Documentation

◆ authority_key_id()

const std::vector< uint8_t > & Botan::X509_CRL::authority_key_id ( ) const

Get the AuthorityKeyIdentifier of this CRL.

Returns: this CRLs AuthorityKeyIdentifier

Definition at line 238 of file x509_crl.cpp.

                                                           {
   return data().m_auth_key_id;
}

Referenced by botan_x509_crl_view_binary_values(), and is_revoked().

◆ BER_encode()

std::vector< uint8_t > Botan::ASN1_Object::BER_encode ( ) const

inherited

Return the encoding of this object. This is a convenience method when just one object needs to be serialized. Use DER_Encoder for complicated encodings.

Definition at line 20 of file asn1_obj.cpp.

                                                 {
   std::vector<uint8_t> output;
   DER_Encoder der(output);
   this->encode_into(der);
   return output;
}

References encode_into().

Referenced by decode_from(), Botan::Certificate_Store_In_SQL::find_all_certs(), Botan::Certificate_Store_In_SQL::find_cert(), Botan::X509_Certificate::fingerprint(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::X509_Object::PEM_encode(), Botan::PSS_Params::PSS_Params(), and Botan::Certificate_Store_In_SQL::revoke_cert().

◆ check_signature()

bool Botan::X509_Object::check_signature ( const Public_Key & key ) const

inherited

Check the signature on this data

Parameters

key	the public key purportedly used to sign this data

Returns: true if the signature is valid, otherwise false

Definition at line 125 of file x509_obj.cpp.

                                                                 {
   const auto result = this->verify_signature(pub_key);
   return (result.first == Certificate_Status_Code::VERIFIED);
}

References Botan::VERIFIED, and verify_signature().

◆ choose_sig_format()

std::unique_ptr< PK_Signer > Botan::X509_Object::choose_sig_format	(	const Private_Key &	key,
		RandomNumberGenerator &	rng,
		std::string_view	hash_fn,
		std::string_view	padding_algo )

staticinherited

Choose and return a signature scheme appropriate for X.509 signing using the provided parameters.

Parameters

key	will be the key to choose a padding scheme for
Random Number Generators	the random generator to use
hash_fn	is the desired hash function
padding_algo	specifies the padding method

Returns: a PK_Signer object for generating signatures

Definition at line 237 of file x509_obj.cpp.

                                                                                                 {
   const Signature_Format format = key._default_x509_signature_format();
 
   if(!user_specified_padding.empty()) {
      try {
         auto pk_signer = std::make_unique<PK_Signer>(key, rng, user_specified_padding, format);
         if(!hash_fn.empty() && pk_signer->hash_function() != hash_fn) {
            throw Invalid_Argument(format_padding_error_message(
               key.algo_name(), pk_signer->hash_function(), hash_fn, "", user_specified_padding));
         }
         return pk_signer;
      } catch(Lookup_Error&) {}
   }
 
   const std::string padding = x509_signature_padding_for(key.algo_name(), hash_fn, user_specified_padding);
 
   try {
      auto pk_signer = std::make_unique<PK_Signer>(key, rng, padding, format);
      if(!hash_fn.empty() && pk_signer->hash_function() != hash_fn) {
         throw Invalid_Argument(format_padding_error_message(
            key.algo_name(), pk_signer->hash_function(), hash_fn, padding, user_specified_padding));
      }
      return pk_signer;
   } catch(Not_Implemented&) {
      throw Invalid_Argument("Signatures using " + key.algo_name() + "/" + padding + " are not supported");
   }
}

References Botan::Asymmetric_Key::_default_x509_signature_format(), and Botan::Asymmetric_Key::algo_name().

Referenced by Botan::PKCS10_Request::create(), Botan::X509::create_self_signed_cert(), and Botan::X509_CA::X509_CA().

◆ crl_issuing_distribution_point()

std::string Botan::X509_CRL::crl_issuing_distribution_point ( ) const

Get the CRL's issuing distribution point

Definition at line 266 of file x509_crl.cpp.

                                                         {
   if(!data().m_idp_urls.empty()) {
      return data().m_idp_urls[0];
   }
   return "";
}

◆ crl_number()

uint32_t Botan::X509_CRL::crl_number ( ) const

Get the serial number of this CRL.

Returns: CRLs serial number

Definition at line 245 of file x509_crl.cpp.

                                    {
   return static_cast<uint32_t>(data().m_crl_number);
}

Referenced by botan_x509_crl_view_binary_values(), and Botan::X509_CA::update_crl().

◆ decode_from()

void Botan::X509_Object::decode_from ( BER_Decoder & from )

overridevirtualinherited

Decode a BER encoded X509_Object See ASN1_Object::decode_from()

Implements Botan::ASN1_Object.

Definition at line 93 of file x509_obj.cpp.

                                               {
   auto data = std::make_shared<Signed_Data>();
 
   from.start_sequence()
      .start_sequence()
      .raw_bytes(data->m_tbs_bits)
      .end_cons()
      .decode(data->m_sig_algo)
      .decode(data->m_sig, ASN1_Type::BitString)
      .end_cons();
 
   m_signed_data = std::move(data);
   force_decode();
}

References Botan::BitString, Botan::BER_Decoder::decode(), Botan::BER_Decoder::end_cons(), Botan::BER_Decoder::raw_bytes(), and Botan::BER_Decoder::start_sequence().

Referenced by load_data().

◆ encode_into()

void Botan::X509_Object::encode_into ( DER_Encoder & to ) const

overridevirtualinherited

DER encode an X509_Object See ASN1_Object::encode_into()

Implements Botan::ASN1_Object.

Definition at line 80 of file x509_obj.cpp.

                                                   {
   to.start_sequence()
      .start_sequence()
      .raw_bytes(signed_body())
      .end_cons()
      .encode(signature_algorithm())
      .encode(signature(), ASN1_Type::BitString)
      .end_cons();
}

References Botan::BitString, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), signature(), signature_algorithm(), signed_body(), and Botan::DER_Encoder::start_sequence().

◆ extensions()

const Extensions & Botan::X509_CRL::extensions ( ) const

Returns: extension data for this CRL

Definition at line 213 of file x509_crl.cpp.

                                             {
   return data().m_extensions;
}

Referenced by has_matching_distribution_point().

◆ get_revoked()

const std::vector< CRL_Entry > & Botan::X509_CRL::get_revoked ( ) const

Get the entries of this CRL in the form of a vector.

Returns: vector containing the entries of this CRL.

Definition at line 220 of file x509_crl.cpp.

                                                        {
   return data().m_entries;
}

Referenced by botan_x509_crl_entries(), botan_x509_crl_entries_count(), and Botan::X509_CA::update_crl().

◆ has_matching_distribution_point()

bool Botan::X509_CRL::has_matching_distribution_point ( const X509_Certificate & cert ) const

Check if this CRL's scope covers the given certificate's CRL distribution points.

Per RFC 5280 6.3.3 step (b)(2), if the certificate has a CRL Distribution Points extension (4.2.1.13) and this CRL has an Issuing Distribution Point extension (5.2.5), at least one general name from the IDP must match a general name in one of the certificate's distribution points.

Returns true if the certificate has no CRLDP extension (this CRL's scope is unconstrained from the certificate's perspective), or if both extensions are present and their distribution point names overlap. Returns false otherwise, including when the certificate has a CRLDP but this CRL has no IDP.

The nameRelativeToCRLIssuer RDN form of DistributionPointName is not currently parsed by Botan's CRLDP/IDP decoders, so this comparison operates only on the fullName (GeneralNames) form.

Definition at line 298 of file x509_crl.cpp.

                                                                                 {
   const auto* cdp_ext = cert.v3_extensions().get_extension_object_as<Cert_Extension::CRL_Distribution_Points>();
   if(cdp_ext == nullptr || cdp_ext->distribution_points().empty()) {
      return true;
   }
 
   const auto* idp_ext = this->extensions().get_extension_object_as<Cert_Extension::CRL_Issuing_Distribution_Point>();
   if(idp_ext == nullptr) {
      return false;
   }
 
   return std::ranges::any_of(cdp_ext->distribution_points(),
                              [&](const auto& dp) { return dp_names_overlap(dp.point(), idp_ext->get_point()); });
}

References extensions(), Botan::Extensions::get_extension_object_as(), and Botan::X509_Certificate::v3_extensions().

◆ is_revoked()

bool Botan::X509_CRL::is_revoked ( const X509_Certificate & cert ) const

Check if this particular certificate is listed in the CRL

Definition at line 96 of file x509_crl.cpp.

                                                            {
   /*
   If the cert wasn't issued by the CRL issuer, it's possible the cert
   is revoked, but not by this CRL. Maybe throw an exception instead?
   */
   if(cert.issuer_dn() != issuer_dn()) {
      return false;
   }
 
   const std::vector<uint8_t> crl_akid = authority_key_id();
   const std::vector<uint8_t>& cert_akid = cert.authority_key_id();
 
   if(!crl_akid.empty() && !cert_akid.empty()) {
      if(crl_akid != cert_akid) {
         return false;
      }
   }
 
   return data().m_revoked_serials.contains(cert.serial_number());
}

References Botan::X509_Certificate::authority_key_id(), authority_key_id(), Botan::X509_Certificate::issuer_dn(), issuer_dn(), and Botan::X509_Certificate::serial_number().

◆ issuer_dn()

const X509_DN & Botan::X509_CRL::issuer_dn ( ) const

Get the issuer DN of this CRL.

Returns: CRLs issuer DN

Definition at line 231 of file x509_crl.cpp.

                                         {
   return data().m_issuer;
}

Referenced by Botan::Certificate_Store_In_Memory::add_crl(), botan_x509_crl_view_binary_values(), and is_revoked().

◆ issuing_distribution_points()

std::vector< std::string > Botan::X509_CRL::issuing_distribution_points ( ) const

Get the CRL's issuing distribution points

See https://www.rfc-editor.org/rfc/rfc5280#section-5.2.5

Definition at line 276 of file x509_crl.cpp.

                                                                 {
   return data().m_idp_urls;
}

◆ load_data()

void Botan::X509_Object::load_data ( DataSource & src )

protectedinherited

Decodes from src as either DER or PEM data, then calls force_decode()

Definition at line 24 of file x509_obj.cpp.

                                          {
   try {
      if(ASN1::maybe_BER(in) && !PEM_Code::matches(in)) {
         BER_Decoder dec(in, BER_Decoder::Limits::DER());
         decode_from(dec);
         // Call to verify_end omitted here since we have to sometimes decode
         // multiple certificates encoded sequentially in a DataSource
      } else {
         std::string got_label;
         DataSource_Memory ber(PEM_Code::decode(in, got_label));
 
         if(got_label != PEM_label()) {
            bool is_alternate = false;
            for(const std::string_view alt_label : alternate_PEM_labels()) {
               if(got_label == alt_label) {
                  is_alternate = true;
                  break;
               }
            }
 
            if(!is_alternate) {
               throw Decoding_Error("Unexpected PEM label for " + PEM_label() + " of " + got_label);
            }
         }
 
         BER_Decoder dec(ber, BER_Decoder::Limits::DER());
         decode_from(dec);
         // Call to verify_end omitted here since we have to sometimes decode
         // multiple certificates encoded sequentially in a DataSource
      }
   } catch(Decoding_Error& e) {
      throw Decoding_Error(PEM_label() + " decoding", e);
   }
}

References alternate_PEM_labels(), Botan::PEM_Code::decode(), decode_from(), Botan::BER_Decoder::Limits::DER(), Botan::PEM_Code::matches(), Botan::ASN1::maybe_BER(), and PEM_label().

Referenced by Botan::PKCS10_Request::PKCS10_Request(), Botan::PKCS10_Request::PKCS10_Request(), Botan::X509_Certificate::X509_Certificate(), Botan::X509_Certificate::X509_Certificate(), Botan::X509_CRL::X509_CRL(), Botan::X509_CRL::X509_CRL(), and X509_Object().

◆ make_signed()

std::vector< uint8_t > Botan::X509_Object::make_signed	(	PK_Signer &	signer,
		RandomNumberGenerator &	rng,
		const AlgorithmIdentifier &	alg_id,
		std::span< const uint8_t >	tbs )

staticinherited

Create a signed X509 object.

Parameters

signer	the signer used to sign the object
Random Number Generators	the random number generator to use
alg_id	the algorithm identifier of the signature scheme
tbs	the tbs bits to be signed

Returns: signed X509 object

Definition at line 153 of file x509_obj.cpp.

                                                                               {
   const std::vector<uint8_t> signature = signer.sign_message(tbs_bits, rng);
 
   std::vector<uint8_t> output;
   DER_Encoder(output)
      .start_sequence()
      .raw_bytes(tbs_bits)
      .encode(algo)
      .encode(signature, ASN1_Type::BitString)
      .end_cons();
 
   return output;
}

References Botan::BitString, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), Botan::PK_Signer::sign_message(), signature(), and Botan::DER_Encoder::start_sequence().

Referenced by Botan::PKCS10_Request::create(), and Botan::X509_CA::make_cert().

◆ next_update()

const X509_Time & Botan::X509_CRL::next_update ( ) const

Get the CRL's nextUpdate value.

Technically nextUpdate is optional in the X.509 spec and may be omitted, despite RFC 5280 requiring it. If the nextUpdate field is not set, this will return a time object with time_is_set() returning false.

TODO(Botan4) return a const std::optional<X509_Time>& instead

Returns: CRLs nextUpdate

Definition at line 259 of file x509_crl.cpp.

                                             {
   return data().m_next_update;
}

Referenced by X509_CRL().

◆ PEM_encode()

std::string Botan::X509_Object::PEM_encode ( ) const

inherited

Returns: PEM encoding of this

Definition at line 111 of file x509_obj.cpp.

                                        {
   return PEM_Code::encode(BER_encode(), PEM_label());
}

References Botan::ASN1_Object::BER_encode(), Botan::PEM_Code::encode(), and PEM_label().

◆ signature()

const std::vector< uint8_t > & Botan::X509_Object::signature ( ) const

inherited

Returns: signature on tbs_data()

Definition at line 59 of file x509_obj.cpp.

                                                       {
   if(!m_signed_data) {
      throw Invalid_State("X509_Object uninitialized");
   }
   return m_signed_data->m_sig;
}

Referenced by encode_into(), make_signed(), Botan::X509_Certificate::operator<(), Botan::X509_Certificate::operator==(), and verify_signature().

◆ signature_algorithm()

const AlgorithmIdentifier & Botan::X509_Object::signature_algorithm ( ) const

inherited

Returns: signature algorithm that was used to generate signature

Definition at line 73 of file x509_obj.cpp.

                                                                  {
   if(!m_signed_data) {
      throw Invalid_State("X509_Object uninitialized");
   }
   return m_signed_data->m_sig_algo;
}

Referenced by Botan::PKIX::check_chain(), encode_into(), Botan::X509_Certificate::operator==(), Botan::X509_Certificate::to_string(), and verify_signature().

◆ signed_body()

const std::vector< uint8_t > & Botan::X509_Object::signed_body ( ) const

inherited

Returns: signed body

Definition at line 66 of file x509_obj.cpp.

                                                         {
   if(!m_signed_data) {
      throw Invalid_State("X509_Object uninitialized");
   }
   return m_signed_data->m_tbs_bits;
}

Referenced by encode_into(), Botan::X509_Certificate::operator<(), Botan::X509_Certificate::operator==(), and tbs_data().

◆ tbs_data()

std::vector< uint8_t > Botan::X509_Object::tbs_data ( ) const

inherited

The underlying data that is to be or was signed

Returns: data that is or was signed

Definition at line 118 of file x509_obj.cpp.

                                               {
   return ASN1::put_in_sequence(signed_body());
}

References Botan::ASN1::put_in_sequence(), and signed_body().

Referenced by verify_signature().

◆ this_update()

const X509_Time & Botan::X509_CRL::this_update ( ) const

Get the CRL's thisUpdate value.

Returns: CRLs thisUpdate

Definition at line 252 of file x509_crl.cpp.

                                             {
   return data().m_this_update;
}

Referenced by Botan::Certificate_Store_In_Memory::add_crl(), and X509_CRL().

◆ verify_signature()

std::pair< Certificate_Status_Code, std::string > Botan::X509_Object::verify_signature ( const Public_Key & key ) const

inherited

Check the signature on this data

Parameters

key	the public key purportedly used to sign this data

Returns: status of the signature - OK if verified or otherwise an indicator of the problem preventing verification, along with the hash function that was used, for further policy checks. The second parameter is empty unless the validation was successful.

Definition at line 130 of file x509_obj.cpp.

                                                                                                         {
   try {
      PK_Verifier verifier(pub_key, signature_algorithm());
      const bool valid = verifier.verify_message(tbs_data(), signature());
 
      if(valid) {
         return std::make_pair(Certificate_Status_Code::VERIFIED, verifier.hash_function());
      } else {
         return std::make_pair(Certificate_Status_Code::SIGNATURE_ERROR, "");
      }
   } catch(Decoding_Error&) {
      return std::make_pair(Certificate_Status_Code::SIGNATURE_ALGO_BAD_PARAMS, "");
   } catch(Algorithm_Not_Found&) {
      return std::make_pair(Certificate_Status_Code::SIGNATURE_ALGO_UNKNOWN, "");
   } catch(...) {
      // This shouldn't happen, fallback to generic signature error
      return std::make_pair(Certificate_Status_Code::SIGNATURE_ERROR, "");
   }
}

References Botan::PK_Verifier::hash_function(), signature(), Botan::SIGNATURE_ALGO_BAD_PARAMS, Botan::SIGNATURE_ALGO_UNKNOWN, signature_algorithm(), Botan::SIGNATURE_ERROR, tbs_data(), Botan::VERIFIED, and Botan::PK_Verifier::verify_message().

Referenced by Botan::PKIX::check_chain(), and check_signature().

◆ x509_version()

uint32_t Botan::X509_CRL::x509_version ( ) const

Get the X509 version of this CRL object

Returns: X509 version

Definition at line 224 of file x509_crl.cpp.

                                      {
   return static_cast<uint32_t>(data().m_version);
}

The documentation for this class was generated from the following files:

src/lib/x509/x509_crl.h
src/lib/x509/x509_crl.cpp

Public Member Functions

Static Public Member Functions

Protected Member Functions

Detailed Description

Constructor & Destructor Documentation

◆ X509_CRL() [1/4]

◆ X509_CRL() [2/4]

◆ X509_CRL() [3/4]

◆ X509_CRL() [4/4]

Member Function Documentation

◆ authority_key_id()

◆ BER_encode()

◆ check_signature()

◆ choose_sig_format()

◆ crl_issuing_distribution_point()

◆ crl_number()

◆ decode_from()

◆ encode_into()

◆ extensions()

◆ get_revoked()

◆ has_matching_distribution_point()

◆ is_revoked()

◆ issuer_dn()

◆ issuing_distribution_points()

◆ load_data()

◆ make_signed()

◆ next_update()

◆ PEM_encode()

◆ signature()

◆ signature_algorithm()

◆ signed_body()

◆ tbs_data()

◆ this_update()

◆ verify_signature()

◆ x509_version()