Botan  2.7.0
Crypto and TLS for C++11
name_constraint.h
Go to the documentation of this file.
1 /*
2 * X.509 Name Constraint
3 * (C) 2015 Kai Michaelis
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #ifndef BOTAN_NAME_CONSTRAINT_H_
9 #define BOTAN_NAME_CONSTRAINT_H_
10 
11 #include <botan/asn1_obj.h>
12 #include <ostream>
13 #include <limits>
14 
15 namespace Botan {
16 
17 class BER_Encoder;
18 class DER_Encoder;
19 class X509_Certificate;
20 
21 /**
22 * @brief X.509 GeneralName Type
23 *
24 * Handles parsing GeneralName types in their BER and canonical string
25 * encoding. Allows matching GeneralNames against each other using
26 * the rules laid out in the RFC 5280, sec. 4.2.1.10 (Name Contraints).
27 */
28 class BOTAN_PUBLIC_API(2,0) GeneralName final : public ASN1_Object
29  {
30  public:
31  enum MatchResult : int
32  {
33  All,
38  };
39 
40  /**
41  * Creates an empty GeneralName.
42  */
43  GeneralName() = default;
44 
45  /**
46  * Creates a new GeneralName for its string format.
47  * @param str type and name, colon-separated, e.g., "DNS:google.com"
48  */
49  GeneralName(const std::string& str);
50 
51  void encode_into(DER_Encoder&) const override;
52 
53  void decode_from(BER_Decoder&) override;
54 
55  /**
56  * @return Type of the name. Can be DN, DNS, IP, RFC822 or URI.
57  */
58  const std::string& type() const { return m_type; }
59 
60  /**
61  * @return The name as string. Format depends on type.
62  */
63  const std::string& name() const { return m_name; }
64 
65  /**
66  * Checks whether a given certificate (partially) matches this name.
67  * @param cert certificate to be matched
68  * @return the match result
69  */
70  MatchResult matches(const X509_Certificate& cert) const;
71 
72  private:
73  std::string m_type;
74  std::string m_name;
75 
76  bool matches_dns(const std::string&) const;
77  bool matches_dn(const std::string&) const;
78  bool matches_ip(const std::string&) const;
79  };
80 
81 std::ostream& operator<<(std::ostream& os, const GeneralName& gn);
82 
83 /**
84 * @brief A single Name Constraint
85 *
86 * The Name Constraint extension adds a minimum and maximum path
87 * length to a GeneralName to form a constraint. The length limits
88 * are currently unused.
89 */
90 class BOTAN_PUBLIC_API(2,0) GeneralSubtree final : public ASN1_Object
91  {
92  public:
93  /**
94  * Creates an empty name constraint.
95  */
96  GeneralSubtree() : m_base(), m_minimum(0), m_maximum(std::numeric_limits<std::size_t>::max())
97  {}
98 
99  /***
100  * Creates a new name constraint.
101  * @param base name
102  * @param min minimum path length
103  * @param max maximum path length
104  */
105  GeneralSubtree(GeneralName base, size_t min, size_t max)
106  : m_base(base), m_minimum(min), m_maximum(max)
107  {}
108 
109  /**
110  * Creates a new name constraint for its string format.
111  * @param str name constraint
112  */
113  GeneralSubtree(const std::string& str);
114 
115  void encode_into(DER_Encoder&) const override;
116 
117  void decode_from(BER_Decoder&) override;
118 
119  /**
120  * @return name
121  */
122  GeneralName base() const { return m_base; }
123 
124  /**
125  * @return minimum path length
126  */
127  size_t minimum() const { return m_minimum; }
128 
129  /**
130  * @return maximum path length
131  */
132  size_t maximum() const { return m_maximum; }
133 
134  private:
135  GeneralName m_base;
136  size_t m_minimum;
137  size_t m_maximum;
138  };
139 
140 std::ostream& operator<<(std::ostream& os, const GeneralSubtree& gs);
141 
142 /**
143 * @brief Name Constraints
144 *
145 * Wraps the Name Constraints associated with a certificate.
146 */
148  {
149  public:
150  /**
151  * Creates an empty name NameConstraints.
152  */
153  NameConstraints() : m_permitted_subtrees(), m_excluded_subtrees() {}
154 
155  /**
156  * Creates NameConstraints from a list of permitted and excluded subtrees.
157  * @param permitted_subtrees names for which the certificate is permitted
158  * @param excluded_subtrees names for which the certificate is not permitted
159  */
160  NameConstraints(std::vector<GeneralSubtree>&& permitted_subtrees,
161  std::vector<GeneralSubtree>&& excluded_subtrees)
162  : m_permitted_subtrees(permitted_subtrees), m_excluded_subtrees(excluded_subtrees)
163  {}
164 
165  /**
166  * @return permitted names
167  */
168  const std::vector<GeneralSubtree>& permitted() const { return m_permitted_subtrees; }
169 
170  /**
171  * @return excluded names
172  */
173  const std::vector<GeneralSubtree>& excluded() const { return m_excluded_subtrees; }
174 
175  private:
176  std::vector<GeneralSubtree> m_permitted_subtrees;
177  std::vector<GeneralSubtree> m_excluded_subtrees;
178 };
179 
180 }
181 
182 #endif
size_t maximum() const
int operator<<(int fd, Pipe &pipe)
Definition: fd_unix.cpp:17
GeneralSubtree(GeneralName base, size_t min, size_t max)
const std::string & type() const
#define BOTAN_PUBLIC_API(maj, min)
Definition: compiler.h:27
Definition: bigint.h:796
const std::vector< GeneralSubtree > & excluded() const
GeneralName base() const
NameConstraints(std::vector< GeneralSubtree > &&permitted_subtrees, std::vector< GeneralSubtree > &&excluded_subtrees)
bool matches(DataSource &source, const std::string &extra, size_t search_range)
Definition: pem.cpp:142
const std::vector< GeneralSubtree > & permitted() const
const std::string & name() const
Definition: alg_id.cpp:13
X.509 GeneralName Type.
A single Name Constraint.
size_t minimum() const
Name Constraints.