Botan 3.7.1
Crypto and TLS for C&
x509_crl.cpp
Go to the documentation of this file.
1/*
2* X.509 CRL
3* (C) 1999-2007 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/x509_crl.h>
9
10#include <botan/ber_dec.h>
11#include <botan/x509_ext.h>
12#include <botan/x509cert.h>
13
14#include <sstream>
15
16namespace Botan {
17
18struct CRL_Data {
19 X509_DN m_issuer;
20 size_t m_version;
21 X509_Time m_this_update;
22 X509_Time m_next_update;
23 std::vector<CRL_Entry> m_entries;
24 Extensions m_extensions;
25
26 // cached values from extensions
27 size_t m_crl_number = 0;
28 std::vector<uint8_t> m_auth_key_id;
29 std::vector<std::string> m_idp_urls;
30};
31
32std::string X509_CRL::PEM_label() const {
33 return "X509 CRL";
34}
35
36std::vector<std::string> X509_CRL::alternate_PEM_labels() const {
37 return {"CRL"};
38}
39
43
44X509_CRL::X509_CRL(const std::vector<uint8_t>& vec) {
45 DataSource_Memory src(vec.data(), vec.size());
46 load_data(src);
47}
48
49#if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
50X509_CRL::X509_CRL(std::string_view fsname) {
51 DataSource_Stream src(fsname, true);
52 load_data(src);
53}
54#endif
55
57 const X509_Time& this_update,
58 const X509_Time& next_update,
59 const std::vector<CRL_Entry>& revoked) :
60 X509_Object() {
61 m_data = std::make_shared<CRL_Data>();
62 m_data->m_issuer = issuer;
63 m_data->m_this_update = this_update;
64 m_data->m_next_update = next_update;
65 m_data->m_entries = revoked;
66}
67
68/**
69* Check if this particular certificate is listed in the CRL
70*/
71bool X509_CRL::is_revoked(const X509_Certificate& cert) const {
72 /*
73 If the cert wasn't issued by the CRL issuer, it's possible the cert
74 is revoked, but not by this CRL. Maybe throw an exception instead?
75 */
76 if(cert.issuer_dn() != issuer_dn()) {
77 return false;
78 }
79
80 std::vector<uint8_t> crl_akid = authority_key_id();
81 const std::vector<uint8_t>& cert_akid = cert.authority_key_id();
82
83 if(!crl_akid.empty() && !cert_akid.empty()) {
84 if(crl_akid != cert_akid) {
85 return false;
86 }
87 }
88
89 const std::vector<uint8_t>& cert_serial = cert.serial_number();
90
91 bool is_revoked = false;
92
93 // FIXME would be nice to avoid a linear scan here - maybe sort the entries?
94 for(const CRL_Entry& entry : get_revoked()) {
95 if(cert_serial == entry.serial_number()) {
96 if(entry.reason_code() == CRL_Code::RemoveFromCrl) {
97 is_revoked = false;
98 } else {
99 is_revoked = true;
100 }
101 }
102 }
103
104 return is_revoked;
105}
106
107/*
108* Decode the TBSCertList data
109*/
110namespace {
111
112std::unique_ptr<CRL_Data> decode_crl_body(const std::vector<uint8_t>& body, const AlgorithmIdentifier& sig_algo) {
113 auto data = std::make_unique<CRL_Data>();
114
115 BER_Decoder tbs_crl(body);
116
117 tbs_crl.decode_optional(data->m_version, ASN1_Type::Integer, ASN1_Class::Universal);
118 data->m_version += 1; // wire-format is 0-based
119
120 if(data->m_version != 1 && data->m_version != 2) {
121 throw Decoding_Error("Unknown X.509 CRL version " + std::to_string(data->m_version));
122 }
123
124 AlgorithmIdentifier sig_algo_inner;
125 tbs_crl.decode(sig_algo_inner);
126
127 if(sig_algo != sig_algo_inner) {
128 throw Decoding_Error("Algorithm identifier mismatch in CRL");
129 }
130
131 tbs_crl.decode(data->m_issuer).decode(data->m_this_update).decode(data->m_next_update);
132
133 BER_Object next = tbs_crl.get_next_object();
134
136 BER_Decoder cert_list(std::move(next));
137
138 while(cert_list.more_items()) {
139 CRL_Entry entry;
140 cert_list.decode(entry);
141 data->m_entries.push_back(entry);
142 }
143 next = tbs_crl.get_next_object();
144 }
145
147 BER_Decoder crl_options(std::move(next));
148 crl_options.decode(data->m_extensions).verify_end();
149 next = tbs_crl.get_next_object();
150 }
151
152 if(next.is_set()) {
153 throw Decoding_Error("Unknown tag following extensions in CRL");
154 }
155
156 tbs_crl.verify_end();
157
158 // Now cache some fields from the extensions
159 if(auto ext = data->m_extensions.get_extension_object_as<Cert_Extension::CRL_Number>()) {
160 data->m_crl_number = ext->get_crl_number();
161 }
162 if(auto ext = data->m_extensions.get_extension_object_as<Cert_Extension::Authority_Key_ID>()) {
163 data->m_auth_key_id = ext->get_key_id();
164 }
165 if(auto ext = data->m_extensions.get_extension_object_as<Cert_Extension::CRL_Issuing_Distribution_Point>()) {
166 data->m_idp_urls = ext->get_point().get_attribute("URL");
167 }
168
169 return data;
170}
171
172} // namespace
173
174void X509_CRL::force_decode() {
175 m_data.reset(decode_crl_body(signed_body(), signature_algorithm()).release());
176}
177
178const CRL_Data& X509_CRL::data() const {
179 if(!m_data) {
180 throw Invalid_State("X509_CRL uninitialized");
181 }
182 return *m_data;
183}
184
186 return data().m_extensions;
187}
188
189/*
190* Return the list of revoked certificates
191*/
192const std::vector<CRL_Entry>& X509_CRL::get_revoked() const {
193 return data().m_entries;
194}
195
196uint32_t X509_CRL::x509_version() const {
197 return static_cast<uint32_t>(data().m_version);
198}
199
200/*
201* Return the distinguished name of the issuer
202*/
204 return data().m_issuer;
205}
206
207/*
208* Return the key identifier of the issuer
209*/
210const std::vector<uint8_t>& X509_CRL::authority_key_id() const {
211 return data().m_auth_key_id;
212}
213
214/*
215* Return the CRL number of this CRL
216*/
217uint32_t X509_CRL::crl_number() const {
218 return static_cast<uint32_t>(data().m_crl_number);
219}
220
221/*
222* Return the issue data of the CRL
223*/
225 return data().m_this_update;
226}
227
228/*
229* Return the date when a new CRL will be issued
230*/
232 return data().m_next_update;
233}
234
235/*
236* Return the CRL's distribution point
237*/
239 if(!data().m_idp_urls.empty()) {
240 return data().m_idp_urls[0];
241 }
242 return "";
243}
244
245/*
246* Return the CRL's issuing distribution point
247*/
248std::vector<std::string> X509_CRL::issuing_distribution_points() const {
249 return data().m_idp_urls;
250}
251
252} // namespace Botan
Definition x509_crl.h:28
const std::vector< CRL_Entry > & get_revoked() const
Definition x509_crl.cpp:192
const std::vector< uint8_t > & authority_key_id() const
Definition x509_crl.cpp:210
const X509_Time & this_update() const
Definition x509_crl.cpp:224
std::vector< std::string > issuing_distribution_points() const
Definition x509_crl.cpp:248
X509_CRL()=default
const Extensions & extensions() const
Definition x509_crl.cpp:185
uint32_t crl_number() const
Definition x509_crl.cpp:217
const X509_Time & next_update() const
Definition x509_crl.cpp:231
const X509_DN & issuer_dn() const
Definition x509_crl.cpp:203
bool is_revoked(const X509_Certificate &cert) const
Definition x509_crl.cpp:71
std::string crl_issuing_distribution_point() const
Definition x509_crl.cpp:238
uint32_t x509_version() const
Definition x509_crl.cpp:196
const std::vector< uint8_t > & serial_number() const
Definition x509cert.cpp:397
const std::vector< uint8_t > & authority_key_id() const
Definition x509cert.cpp:389
const X509_DN & issuer_dn() const
Definition x509cert.cpp:405
const std::vector< uint8_t > & signed_body() const
Definition x509_obj.h:42
const AlgorithmIdentifier & signature_algorithm() const
Definition x509_obj.h:47
void load_data(DataSource &src)
Definition x509_obj.cpp:23
ASN1_Time X509_Time
Definition asn1_obj.h:417