doxygen/x509__crl_8cpp_source.html

/*

* X.509 CRL

* (C) 1999-2007 Jack Lloyd

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/x509_crl.h>

#include <botan/x509_ext.h>

#include <botan/x509cert.h>

#include <botan/ber_dec.h>


#include <sstream>


namespace Botan {


struct CRL_Data

   {

   X509_DN m_issuer;

   X509_Time m_this_update;

   X509_Time m_next_update;

   std::vector<CRL_Entry> m_entries;

   Extensions m_extensions;


   // cached values from extensions

   size_t m_crl_number = 0;

   std::vector<uint8_t> m_auth_key_id;

   std::string m_issuing_distribution_point;

   };


std::string X509_CRL::PEM_label() const

   {

   return "X509 CRL";

   }


std::vector<std::string> X509_CRL::alternate_PEM_labels() const

   {

   return { "CRL" };

   }


X509_CRL::X509_CRL(DataSource& src)

   {

   load_data(src);

   }


X509_CRL::X509_CRL(const std::vector<uint8_t>& vec)

   {

   DataSource_Memory src(vec.data(), vec.size());

   load_data(src);

   }


#if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)

X509_CRL::X509_CRL(const std::string& fsname)

   {

   DataSource_Stream src(fsname, true);

   load_data(src);

   }

#endif


X509_CRL::X509_CRL(const X509_DN& issuer,

                   const X509_Time& this_update,

                   const X509_Time& next_update,

                   const std::vector<CRL_Entry>& revoked) :

   X509_Object()

   {

   m_data = std::make_shared<CRL_Data>();

   m_data->m_issuer = issuer;

   m_data->m_this_update = this_update;

   m_data->m_next_update = next_update;

   m_data->m_entries = revoked;

   }


/**

* Check if this particular certificate is listed in the CRL

*/

bool X509_CRL::is_revoked(const X509_Certificate& cert) const

   {

   /*

   If the cert wasn't issued by the CRL issuer, it's possible the cert

   is revoked, but not by this CRL. Maybe throw an exception instead?

   */

   if(cert.issuer_dn() != issuer_dn())

      return false;


   std::vector<uint8_t> crl_akid = authority_key_id();

   const std::vector<uint8_t>& cert_akid = cert.authority_key_id();


   if(!crl_akid.empty() && !cert_akid.empty())

      {

      if(crl_akid != cert_akid)

         return false;

      }


   const std::vector<uint8_t>& cert_serial = cert.serial_number();


   bool is_revoked = false;


   // FIXME would be nice to avoid a linear scan here - maybe sort the entries?

   for(const CRL_Entry& entry : get_revoked())

      {

      if(cert_serial == entry.serial_number())

         {

         if(entry.reason_code() == CRL_Code::REMOVE_FROM_CRL)

            is_revoked = false;

         else

            is_revoked = true;

         }

      }


   return is_revoked;

   }


/*

* Decode the TBSCertList data

*/

namespace {


std::unique_ptr<CRL_Data> decode_crl_body(const std::vector<uint8_t>& body,

                                          const AlgorithmIdentifier& sig_algo)

   {

   auto data = std::make_unique<CRL_Data>();


   BER_Decoder tbs_crl(body);


   size_t version;

   tbs_crl.decode_optional(version, ASN1_Type::Integer, ASN1_Class::Universal);


   if(version != 0 && version != 1)

      throw Decoding_Error("Unknown X.509 CRL version " + std::to_string(version+1));


   AlgorithmIdentifier sig_algo_inner;

   tbs_crl.decode(sig_algo_inner);


   if(sig_algo != sig_algo_inner)

      throw Decoding_Error("Algorithm identifier mismatch in CRL");


   tbs_crl.decode(data->m_issuer)

      .decode(data->m_this_update)

      .decode(data->m_next_update);


   BER_Object next = tbs_crl.get_next_object();


   if(next.is_a(ASN1_Type::Sequence, ASN1_Class::Constructed))

      {

      BER_Decoder cert_list(std::move(next));


      while(cert_list.more_items())

         {

         CRL_Entry entry;

         cert_list.decode(entry);

         data->m_entries.push_back(entry);

         }

      next = tbs_crl.get_next_object();

      }


   if(next.is_a(0, ASN1_Class::Constructed | ASN1_Class::ContextSpecific))

      {

      BER_Decoder crl_options(std::move(next));

      crl_options.decode(data->m_extensions).verify_end();

      next = tbs_crl.get_next_object();

      }


   if(next.is_set())

      throw Decoding_Error("Unknown tag following extensions in CRL");


   tbs_crl.verify_end();


   // Now cache some fields from the extensions

   if(auto ext = data->m_extensions.get_extension_object_as<Cert_Extension::CRL_Number>())

      {

      data->m_crl_number = ext->get_crl_number();

      }

   if(auto ext = data->m_extensions.get_extension_object_as<Cert_Extension::Authority_Key_ID>())

      {

      data->m_auth_key_id = ext->get_key_id();

      }

   if(auto ext = data->m_extensions.get_extension_object_as<Cert_Extension::CRL_Issuing_Distribution_Point>())

      {

      std::stringstream ss;


      for(const auto& pair : ext->get_point().contents())

         {

         ss << pair.first << ": " << pair.second << " ";

         }

      data->m_issuing_distribution_point = ss.str();

      }


   return data;

   }


}


void X509_CRL::force_decode()

   {

   m_data.reset(decode_crl_body(signed_body(), signature_algorithm()).release());

   }


const CRL_Data& X509_CRL::data() const

   {

   if(!m_data)

      {

      throw Invalid_State("X509_CRL uninitialized");

      }

   return *m_data.get();

   }


const Extensions& X509_CRL::extensions() const

   {

   return data().m_extensions;

   }


/*

* Return the list of revoked certificates

*/

const std::vector<CRL_Entry>& X509_CRL::get_revoked() const

   {

   return data().m_entries;

   }


/*

* Return the distinguished name of the issuer

*/

const X509_DN& X509_CRL::issuer_dn() const

   {

   return data().m_issuer;

   }


/*

* Return the key identifier of the issuer

*/

const std::vector<uint8_t>& X509_CRL::authority_key_id() const

   {

   return data().m_auth_key_id;

   }


/*

* Return the CRL number of this CRL

*/

uint32_t X509_CRL::crl_number() const

   {

   return static_cast<uint32_t>(data().m_crl_number);

   }


/*

* Return the issue data of the CRL

*/

const X509_Time& X509_CRL::this_update() const

   {

   return data().m_this_update;

   }


/*

* Return the date when a new CRL will be issued

*/

const X509_Time& X509_CRL::next_update() const

   {

   return data().m_next_update;

   }


/*

* Return the CRL's distribution point

*/

std::string X509_CRL::crl_issuing_distribution_point() const

   {

   return data().m_issuing_distribution_point;

   }

}

Botan::ASN1_Time
Definition: asn1_obj.h:328

Botan::AlgorithmIdentifier
Definition: asn1_obj.h:429

Botan::BER_Decoder
Definition: ber_dec.h:22

Botan::BER_Object
Definition: asn1_obj.h:129

Botan::BER_Object::is_a
bool is_a(ASN1_Type type_tag, ASN1_Class class_tag) const
Definition: asn1_obj.cpp:71

Botan::BER_Object::is_set
bool is_set() const
Definition: asn1_obj.h:141

Botan::CRL_Entry
Definition: x509_crl.h:29

Botan::DataSource_Memory
Definition: data_src.h:99

Botan::DataSource_Stream
Definition: data_src.h:144

Botan::DataSource
Definition: data_src.h:22

Botan::Decoding_Error
Definition: exceptn.h:188

Botan::Extensions
Definition: pkix_types.h:404

Botan::X509_CRL::get_revoked
const std::vector< CRL_Entry > & get_revoked() const
Definition: x509_crl.cpp:215

Botan::X509_CRL::authority_key_id
const std::vector< uint8_t > & authority_key_id() const
Definition: x509_crl.cpp:231

Botan::X509_CRL::this_update
const X509_Time & this_update() const
Definition: x509_crl.cpp:247

Botan::X509_CRL::X509_CRL
X509_CRL()=default

Botan::X509_CRL::extensions
const Extensions & extensions() const
Definition: x509_crl.cpp:207

Botan::X509_CRL::crl_number
uint32_t crl_number() const
Definition: x509_crl.cpp:239

Botan::X509_CRL::next_update
const X509_Time & next_update() const
Definition: x509_crl.cpp:255

Botan::X509_CRL::issuer_dn
const X509_DN & issuer_dn() const
Definition: x509_crl.cpp:223

Botan::X509_CRL::is_revoked
bool is_revoked(const X509_Certificate &cert) const
Definition: x509_crl.cpp:76

Botan::X509_CRL::crl_issuing_distribution_point
std::string crl_issuing_distribution_point() const
Definition: x509_crl.cpp:263

Botan::X509_Certificate
Definition: x509cert.h:38

Botan::X509_Certificate::serial_number
const std::vector< uint8_t > & serial_number() const
Definition: x509cert.cpp:449

Botan::X509_Certificate::authority_key_id
const std::vector< uint8_t > & authority_key_id() const
Definition: x509cert.cpp:439

Botan::X509_Certificate::issuer_dn
const X509_DN & issuer_dn() const
Definition: x509cert.cpp:460

Botan::X509_DN
Definition: pkix_types.h:42

Botan::X509_Object
Definition: x509_obj.h:27

Botan::X509_Object::signed_body
const std::vector< uint8_t > & signed_body() const
Definition: x509_obj.h:43

Botan::X509_Object::signature_algorithm
const AlgorithmIdentifier & signature_algorithm() const
Definition: x509_obj.h:48

Botan::X509_Object::load_data
void load_data(DataSource &src)
Definition: x509_obj.cpp:52

Botan::ASN1::to_string
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:209

Botan
Definition: alg_id.cpp:13

Botan::X509_Time
ASN1_Time X509_Time
Definition: asn1_obj.h:389

Botan::ASN1_Class::ContextSpecific
@ ContextSpecific

Botan::ASN1_Class::Universal
@ Universal

Botan::ASN1_Class::Constructed
@ Constructed

Botan::ASN1_Type::Sequence
@ Sequence

Botan::ASN1_Type::Integer
@ Integer

Botan::CRL_Code::REMOVE_FROM_CRL
@ REMOVE_FROM_CRL