Botan 2.19.1
Crypto and TLS for C&
key_constraint.cpp
Go to the documentation of this file.
1/*
2* KeyUsage
3* (C) 1999-2007,2016 Jack Lloyd
4* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/pkix_types.h>
10#include <botan/pk_keys.h>
11#include <vector>
12
13namespace Botan {
14
15std::string key_constraints_to_string(Key_Constraints constraints)
16 {
17 std::vector<std::string> str;
18
19 if(constraints == NO_CONSTRAINTS)
20 return "no_constraints";
21
22 if(constraints & DIGITAL_SIGNATURE)
23 str.push_back("digital_signature");
24
25 if(constraints & NON_REPUDIATION)
26 str.push_back("non_repudiation");
27
28 if(constraints & KEY_ENCIPHERMENT)
29 str.push_back("key_encipherment");
30
31 if(constraints & DATA_ENCIPHERMENT)
32 str.push_back("data_encipherment");
33
34 if(constraints & KEY_AGREEMENT)
35 str.push_back("key_agreement");
36
37 if(constraints & KEY_CERT_SIGN)
38 str.push_back("key_cert_sign");
39
40 if(constraints & CRL_SIGN)
41 str.push_back("crl_sign");
42
43 if(constraints & ENCIPHER_ONLY)
44 str.push_back("encipher_only");
45
46 if(constraints & DECIPHER_ONLY)
47 str.push_back("decipher_only");
48
49 // Not 0 (checked at start) but nothing matched above!
50 if(str.empty())
51 return "other_unknown_constraints";
52
53 if(str.size() == 1)
54 return str[0];
55
56 std::string out;
57 for(size_t i = 0; i < str.size() - 1; ++i)
58 {
59 out += str[i];
60 out += ',';
61 }
62 out += str[str.size() - 1];
63
64 return out;
65 }
66
67/*
68* Make sure the given key constraints are permitted for the given key type
69*/
70void verify_cert_constraints_valid_for_key_type(const Public_Key& pub_key,
71 Key_Constraints constraints)
72 {
73 const std::string name = pub_key.algo_name();
74
75 size_t permitted = 0;
76
77 const bool can_agree = (name == "DH" || name == "ECDH");
78 const bool can_encrypt = (name == "RSA" || name == "ElGamal");
79
80 const bool can_sign =
81 (name == "RSA" || name == "DSA" ||
82 name == "ECDSA" || name == "ECGDSA" || name == "ECKCDSA" || name == "Ed25519" ||
83 name == "GOST-34.10" || name == "GOST-34.10-2012-256" || name == "GOST-34.10-2012-512");
84
85 if(can_agree)
86 {
87 permitted |= KEY_AGREEMENT | ENCIPHER_ONLY | DECIPHER_ONLY;
88 }
89
90 if(can_encrypt)
91 {
92 permitted |= KEY_ENCIPHERMENT | DATA_ENCIPHERMENT;
93 }
94
95 if(can_sign)
96 {
97 permitted |= DIGITAL_SIGNATURE | NON_REPUDIATION | KEY_CERT_SIGN | CRL_SIGN;
98 }
99
100 if(Key_Constraints(constraints & permitted) != constraints)
101 {
102 throw Invalid_Argument("Invalid " + name + " constraints " + key_constraints_to_string(constraints));
103 }
104 }
105
106}
Botan::Invalid_Argument
Definition: exceptn.h:137
Botan::Public_Key
Definition: pk_keys.h:29
Botan::Public_Key::algo_name
virtual std::string algo_name() const =0
name
std::string name
Definition: commoncrypto_hash.cpp:24
Botan
Definition: alg_id.cpp:13
Botan::verify_cert_constraints_valid_for_key_type
void verify_cert_constraints_valid_for_key_type(const Public_Key &pub_key, Key_Constraints constraints)
Definition: key_constraint.cpp:70
Botan::Key_Constraints
Key_Constraints
Definition: pkix_enums.h:106
Botan::DATA_ENCIPHERMENT
@ DATA_ENCIPHERMENT
Definition: pkix_enums.h:111
Botan::CRL_SIGN
@ CRL_SIGN
Definition: pkix_enums.h:114
Botan::KEY_CERT_SIGN
@ KEY_CERT_SIGN
Definition: pkix_enums.h:113
Botan::NO_CONSTRAINTS
@ NO_CONSTRAINTS
Definition: pkix_enums.h:107
Botan::ENCIPHER_ONLY
@ ENCIPHER_ONLY
Definition: pkix_enums.h:115
Botan::DIGITAL_SIGNATURE
@ DIGITAL_SIGNATURE
Definition: pkix_enums.h:108
Botan::KEY_AGREEMENT
@ KEY_AGREEMENT
Definition: pkix_enums.h:112
Botan::DECIPHER_ONLY
@ DECIPHER_ONLY
Definition: pkix_enums.h:116
Botan::KEY_ENCIPHERMENT
@ KEY_ENCIPHERMENT
Definition: pkix_enums.h:110
Botan::NON_REPUDIATION
@ NON_REPUDIATION
Definition: pkix_enums.h:109
Botan::key_constraints_to_string
std::string key_constraints_to_string(Key_Constraints constraints)
Definition: key_constraint.cpp:15
Generated by doxygen 1.9.3