Botan  2.8.0
Crypto and TLS for C++11
x509_ext.cpp
Go to the documentation of this file.
1 /*
2 * X.509 Certificate Extensions
3 * (C) 1999-2010,2012 Jack Lloyd
4 * (C) 2016 RenĂ© Korthaus, Rohde & Schwarz Cybersecurity
5 * (C) 2017 Fabian Weissberg, Rohde & Schwarz Cybersecurity
6 *
7 * Botan is released under the Simplified BSD License (see license.txt)
8 */
9 
10 #include <botan/x509_ext.h>
11 #include <botan/x509cert.h>
12 #include <botan/datastor.h>
13 #include <botan/der_enc.h>
14 #include <botan/ber_dec.h>
15 #include <botan/oids.h>
16 #include <botan/hash.h>
17 #include <botan/internal/bit_ops.h>
18 #include <algorithm>
19 #include <set>
20 #include <sstream>
21 
22 namespace Botan {
23 
24 /*
25 * Create a Certificate_Extension object of some kind to handle
26 */
27 std::unique_ptr<Certificate_Extension>
28 Extensions::create_extn_obj(const OID& oid,
29  bool critical,
30  const std::vector<uint8_t>& body)
31  {
32  const std::string oid_str = oid.as_string();
33 
34  std::unique_ptr<Certificate_Extension> extn;
35 
37  {
38  extn.reset(new Cert_Extension::Subject_Key_ID);
39  }
41  {
42  extn.reset(new Cert_Extension::Key_Usage);
43  }
45  {
46  extn.reset(new Cert_Extension::Subject_Alternative_Name);
47  }
49  {
50  extn.reset(new Cert_Extension::Issuer_Alternative_Name);
51  }
53  {
54  extn.reset(new Cert_Extension::Basic_Constraints);
55  }
57  {
58  extn.reset(new Cert_Extension::CRL_Number);
59  }
61  {
62  extn.reset(new Cert_Extension::CRL_ReasonCode);
63  }
65  {
66  extn.reset(new Cert_Extension::Authority_Key_ID);
67  }
69  {
70  extn.reset(new Cert_Extension::Name_Constraints);
71  }
73  {
74  extn.reset(new Cert_Extension::CRL_Distribution_Points);
75  }
77  {
78  extn.reset(new Cert_Extension::CRL_Issuing_Distribution_Point);
79  }
81  {
82  extn.reset(new Cert_Extension::Certificate_Policies);
83  }
85  {
86  extn.reset(new Cert_Extension::Extended_Key_Usage);
87  }
89  {
90  extn.reset(new Cert_Extension::Authority_Information_Access);
91  }
92  else
93  {
94  // some other unknown extension type
95  extn.reset(new Cert_Extension::Unknown_Extension(oid, critical));
96  }
97 
98  try
99  {
100  extn->decode_inner(body);
101  }
102  catch(Decoding_Error&)
103  {
104  extn.reset(new Cert_Extension::Unknown_Extension(oid, critical));
105  extn->decode_inner(body);
106  }
107  return extn;
108  }
109 
110 /*
111 * Validate the extension (the default implementation is a NOP)
112 */
114  const std::vector<std::shared_ptr<const X509_Certificate>>&,
115  std::vector<std::set<Certificate_Status_Code>>&,
116  size_t)
117  {
118  }
119 
120 /*
121 * Add a new cert
122 */
123 void Extensions::add(Certificate_Extension* extn, bool critical)
124  {
125  // sanity check: we don't want to have the same extension more than once
126  if(m_extension_info.count(extn->oid_of()) > 0)
127  throw Invalid_Argument(extn->oid_name() + " extension already present in Extensions::add");
128 
129  const OID oid = extn->oid_of();
130  Extensions_Info info(critical, extn);
131  m_extension_oids.push_back(oid);
132  m_extension_info.emplace(oid, info);
133  }
134 
135 bool Extensions::add_new(Certificate_Extension* extn, bool critical)
136  {
137  if(m_extension_info.count(extn->oid_of()) > 0)
138  {
139  delete extn;
140  return false; // already exists
141  }
142 
143  const OID oid = extn->oid_of();
144  Extensions_Info info(critical, extn);
145  m_extension_oids.push_back(oid);
146  m_extension_info.emplace(oid, info);
147  return true;
148  }
149 
150 void Extensions::replace(Certificate_Extension* extn, bool critical)
151  {
152  // Remove it if it existed
153  m_extension_info.erase(extn->oid_of());
154 
155  const OID oid = extn->oid_of();
156  Extensions_Info info(critical, extn);
157  m_extension_oids.push_back(oid);
158  m_extension_info.emplace(oid, info);
159  }
160 
161 bool Extensions::extension_set(const OID& oid) const
162  {
163  return (m_extension_info.find(oid) != m_extension_info.end());
164  }
165 
167  {
168  auto i = m_extension_info.find(oid);
169  if(i != m_extension_info.end())
170  return i->second.is_critical();
171  return false;
172  }
173 
175  {
176  auto extn = m_extension_info.find(oid);
177  if(extn == m_extension_info.end())
178  return nullptr;
179 
180  return &extn->second.obj();
181  }
182 
183 std::unique_ptr<Certificate_Extension> Extensions::get(const OID& oid) const
184  {
185  if(const Certificate_Extension* ext = this->get_extension_object(oid))
186  {
187  return std::unique_ptr<Certificate_Extension>(ext->copy());
188  }
189  return nullptr;
190  }
191 
192 std::vector<std::pair<std::unique_ptr<Certificate_Extension>, bool>> Extensions::extensions() const
193  {
194  std::vector<std::pair<std::unique_ptr<Certificate_Extension>, bool>> exts;
195  for(auto&& ext : m_extension_info)
196  {
197  exts.push_back(
198  std::make_pair(
199  std::unique_ptr<Certificate_Extension>(ext.second.obj().copy()),
200  ext.second.is_critical())
201  );
202  }
203  return exts;
204  }
205 
206 std::map<OID, std::pair<std::vector<uint8_t>, bool>> Extensions::extensions_raw() const
207  {
208  std::map<OID, std::pair<std::vector<uint8_t>, bool>> out;
209  for(auto&& ext : m_extension_info)
210  {
211  out.emplace(ext.first,
212  std::make_pair(ext.second.bits(),
213  ext.second.is_critical()));
214  }
215  return out;
216  }
217 
218 /*
219 * Encode an Extensions list
220 */
221 void Extensions::encode_into(DER_Encoder& to_object) const
222  {
223  for(auto ext_info : m_extension_info)
224  {
225  const OID& oid = ext_info.first;
226  const bool should_encode = ext_info.second.obj().should_encode();
227 
228  if(should_encode)
229  {
230  const bool is_critical = ext_info.second.is_critical();
231  const std::vector<uint8_t>& ext_value = ext_info.second.bits();
232 
233  to_object.start_cons(SEQUENCE)
234  .encode(oid)
235  .encode_optional(is_critical, false)
236  .encode(ext_value, OCTET_STRING)
237  .end_cons();
238  }
239  }
240  }
241 
242 /*
243 * Decode a list of Extensions
244 */
246  {
247  m_extension_oids.clear();
248  m_extension_info.clear();
249 
250  BER_Decoder sequence = from_source.start_cons(SEQUENCE);
251 
252  while(sequence.more_items())
253  {
254  OID oid;
255  bool critical;
256  std::vector<uint8_t> bits;
257 
258  sequence.start_cons(SEQUENCE)
259  .decode(oid)
260  .decode_optional(critical, BOOLEAN, UNIVERSAL, false)
261  .decode(bits, OCTET_STRING)
262  .end_cons();
263 
264  std::unique_ptr<Certificate_Extension> obj = create_extn_obj(oid, critical, bits);
265  Extensions_Info info(critical, bits, obj.release());
266 
267  m_extension_oids.push_back(oid);
268  m_extension_info.emplace(oid, info);
269  }
270  sequence.verify_end();
271  }
272 
273 /*
274 * Write the extensions to an info store
275 */
277  Data_Store& issuer_info) const
278  {
279  for(auto&& m_extn_info : m_extension_info)
280  {
281  m_extn_info.second.obj().contents_to(subject_info, issuer_info);
282  subject_info.add(m_extn_info.second.obj().oid_name() + ".is_critical",
283  m_extn_info.second.is_critical());
284  }
285  }
286 
287 namespace Cert_Extension {
288 
289 /*
290 * Checked accessor for the path_limit member
291 */
293  {
294  if(!m_is_ca)
295  throw Invalid_State("Basic_Constraints::get_path_limit: Not a CA");
296  return m_path_limit;
297  }
298 
299 /*
300 * Encode the extension
301 */
302 std::vector<uint8_t> Basic_Constraints::encode_inner() const
303  {
304  std::vector<uint8_t> output;
305  DER_Encoder(output)
307  .encode_if(m_is_ca,
308  DER_Encoder()
309  .encode(m_is_ca)
310  .encode_optional(m_path_limit, NO_CERT_PATH_LIMIT)
311  )
312  .end_cons();
313  return output;
314  }
315 
316 /*
317 * Decode the extension
318 */
319 void Basic_Constraints::decode_inner(const std::vector<uint8_t>& in)
320  {
321  BER_Decoder(in)
323  .decode_optional(m_is_ca, BOOLEAN, UNIVERSAL, false)
324  .decode_optional(m_path_limit, INTEGER, UNIVERSAL, NO_CERT_PATH_LIMIT)
325  .end_cons();
326 
327  if(m_is_ca == false)
328  m_path_limit = 0;
329  }
330 
331 /*
332 * Return a textual representation
333 */
334 void Basic_Constraints::contents_to(Data_Store& subject, Data_Store&) const
335  {
336  subject.add("X509v3.BasicConstraints.is_ca", (m_is_ca ? 1 : 0));
337  subject.add("X509v3.BasicConstraints.path_constraint", static_cast<uint32_t>(m_path_limit));
338  }
339 
340 /*
341 * Encode the extension
342 */
343 std::vector<uint8_t> Key_Usage::encode_inner() const
344  {
345  if(m_constraints == NO_CONSTRAINTS)
346  throw Encoding_Error("Cannot encode zero usage constraints");
347 
348  const size_t unused_bits = low_bit(m_constraints) - 1;
349 
350  std::vector<uint8_t> der;
351  der.push_back(BIT_STRING);
352  der.push_back(2 + ((unused_bits < 8) ? 1 : 0));
353  der.push_back(unused_bits % 8);
354  der.push_back((m_constraints >> 8) & 0xFF);
355  if(m_constraints & 0xFF)
356  der.push_back(m_constraints & 0xFF);
357 
358  return der;
359  }
360 
361 /*
362 * Decode the extension
363 */
364 void Key_Usage::decode_inner(const std::vector<uint8_t>& in)
365  {
366  BER_Decoder ber(in);
367 
368  BER_Object obj = ber.get_next_object();
369 
370  obj.assert_is_a(BIT_STRING, UNIVERSAL, "usage constraint");
371 
372  if(obj.length() != 2 && obj.length() != 3)
373  throw BER_Decoding_Error("Bad size for BITSTRING in usage constraint");
374 
375  uint16_t usage = 0;
376 
377  const uint8_t* bits = obj.bits();
378 
379  if(bits[0] >= 8)
380  throw BER_Decoding_Error("Invalid unused bits in usage constraint");
381 
382  const uint8_t mask = static_cast<uint8_t>(0xFF << bits[0]);
383 
384  if(obj.length() == 2)
385  {
386  usage = make_uint16(bits[1] & mask, 0);
387  }
388  else if(obj.length() == 3)
389  {
390  usage = make_uint16(bits[1], bits[2] & mask);
391  }
392 
393  m_constraints = Key_Constraints(usage);
394  }
395 
396 /*
397 * Return a textual representation
398 */
399 void Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
400  {
401  subject.add("X509v3.KeyUsage", m_constraints);
402  }
403 
404 /*
405 * Encode the extension
406 */
407 std::vector<uint8_t> Subject_Key_ID::encode_inner() const
408  {
409  std::vector<uint8_t> output;
410  DER_Encoder(output).encode(m_key_id, OCTET_STRING);
411  return output;
412  }
413 
414 /*
415 * Decode the extension
416 */
417 void Subject_Key_ID::decode_inner(const std::vector<uint8_t>& in)
418  {
419  BER_Decoder(in).decode(m_key_id, OCTET_STRING).verify_end();
420  }
421 
422 /*
423 * Return a textual representation
424 */
425 void Subject_Key_ID::contents_to(Data_Store& subject, Data_Store&) const
426  {
427  subject.add("X509v3.SubjectKeyIdentifier", m_key_id);
428  }
429 
430 /*
431 * Subject_Key_ID Constructor
432 */
433 Subject_Key_ID::Subject_Key_ID(const std::vector<uint8_t>& pub_key, const std::string& hash_name)
434  {
435  std::unique_ptr<HashFunction> hash(HashFunction::create_or_throw(hash_name));
436 
437  m_key_id.resize(hash->output_length());
438 
439  hash->update(pub_key);
440  hash->final(m_key_id.data());
441 
442  // Truncate longer hashes, 192 bits here seems plenty
443  const size_t max_skid_len = (192 / 8);
444  if(m_key_id.size() > max_skid_len)
445  m_key_id.resize(max_skid_len);
446  }
447 
448 /*
449 * Encode the extension
450 */
451 std::vector<uint8_t> Authority_Key_ID::encode_inner() const
452  {
453  std::vector<uint8_t> output;
454  DER_Encoder(output)
457  .end_cons();
458  return output;
459  }
460 
461 /*
462 * Decode the extension
463 */
464 void Authority_Key_ID::decode_inner(const std::vector<uint8_t>& in)
465  {
466  BER_Decoder(in)
468  .decode_optional_string(m_key_id, OCTET_STRING, 0);
469  }
470 
471 /*
472 * Return a textual representation
473 */
474 void Authority_Key_ID::contents_to(Data_Store&, Data_Store& issuer) const
475  {
476  if(m_key_id.size())
477  issuer.add("X509v3.AuthorityKeyIdentifier", m_key_id);
478  }
479 
480 /*
481 * Encode the extension
482 */
483 std::vector<uint8_t> Subject_Alternative_Name::encode_inner() const
484  {
485  std::vector<uint8_t> output;
486  DER_Encoder(output).encode(m_alt_name);
487  return output;
488  }
489 
490 /*
491 * Encode the extension
492 */
493 std::vector<uint8_t> Issuer_Alternative_Name::encode_inner() const
494  {
495  std::vector<uint8_t> output;
496  DER_Encoder(output).encode(m_alt_name);
497  return output;
498  }
499 
500 /*
501 * Decode the extension
502 */
503 void Subject_Alternative_Name::decode_inner(const std::vector<uint8_t>& in)
504  {
505  BER_Decoder(in).decode(m_alt_name);
506  }
507 
508 /*
509 * Decode the extension
510 */
511 void Issuer_Alternative_Name::decode_inner(const std::vector<uint8_t>& in)
512  {
513  BER_Decoder(in).decode(m_alt_name);
514  }
515 
516 /*
517 * Return a textual representation
518 */
519 void Subject_Alternative_Name::contents_to(Data_Store& subject_info,
520  Data_Store&) const
521  {
522  subject_info.add(get_alt_name().contents());
523  }
524 
525 /*
526 * Return a textual representation
527 */
528 void Issuer_Alternative_Name::contents_to(Data_Store&, Data_Store& issuer_info) const
529  {
530  issuer_info.add(get_alt_name().contents());
531  }
532 
533 /*
534 * Encode the extension
535 */
536 std::vector<uint8_t> Extended_Key_Usage::encode_inner() const
537  {
538  std::vector<uint8_t> output;
539  DER_Encoder(output)
541  .encode_list(m_oids)
542  .end_cons();
543  return output;
544  }
545 
546 /*
547 * Decode the extension
548 */
549 void Extended_Key_Usage::decode_inner(const std::vector<uint8_t>& in)
550  {
551  BER_Decoder(in).decode_list(m_oids);
552  }
553 
554 /*
555 * Return a textual representation
556 */
557 void Extended_Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
558  {
559  for(size_t i = 0; i != m_oids.size(); ++i)
560  subject.add("X509v3.ExtendedKeyUsage", m_oids[i].as_string());
561  }
562 
563 /*
564 * Encode the extension
565 */
566 std::vector<uint8_t> Name_Constraints::encode_inner() const
567  {
568  throw Not_Implemented("Name_Constraints encoding");
569  }
570 
571 
572 /*
573 * Decode the extension
574 */
575 void Name_Constraints::decode_inner(const std::vector<uint8_t>& in)
576  {
577  std::vector<GeneralSubtree> permit, exclude;
578  BER_Decoder ber(in);
579  BER_Decoder ext = ber.start_cons(SEQUENCE);
580  BER_Object per = ext.get_next_object();
581 
582  ext.push_back(per);
583  if(per.is_a(0, ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)))
584  {
585  ext.decode_list(permit,ASN1_Tag(0),ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC));
586  if(permit.empty())
587  throw Encoding_Error("Empty Name Contraint list");
588  }
589 
590  BER_Object exc = ext.get_next_object();
591  ext.push_back(exc);
592  if(per.is_a(1, ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)))
593  {
594  ext.decode_list(exclude,ASN1_Tag(1),ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC));
595  if(exclude.empty())
596  throw Encoding_Error("Empty Name Contraint list");
597  }
598 
599  ext.end_cons();
600 
601  if(permit.empty() && exclude.empty())
602  throw Encoding_Error("Empty Name Contraint extension");
603 
604  m_name_constraints = NameConstraints(std::move(permit),std::move(exclude));
605  }
606 
607 /*
608 * Return a textual representation
609 */
610 void Name_Constraints::contents_to(Data_Store& subject, Data_Store&) const
611  {
612  std::stringstream ss;
613 
614  for(const GeneralSubtree& gs: m_name_constraints.permitted())
615  {
616  ss << gs;
617  subject.add("X509v3.NameConstraints.permitted", ss.str());
618  ss.str(std::string());
619  }
620  for(const GeneralSubtree& gs: m_name_constraints.excluded())
621  {
622  ss << gs;
623  subject.add("X509v3.NameConstraints.excluded", ss.str());
624  ss.str(std::string());
625  }
626  }
627 
629  const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
630  std::vector<std::set<Certificate_Status_Code>>& cert_status,
631  size_t pos)
632  {
633  if(!m_name_constraints.permitted().empty() || !m_name_constraints.excluded().empty())
634  {
635  if(!subject.is_CA_cert() || !subject.is_critical("X509v3.NameConstraints"))
636  cert_status.at(pos).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
637 
638  const bool issuer_name_constraint_critical =
639  issuer.is_critical("X509v3.NameConstraints");
640 
641  const bool at_self_signed_root = (pos == cert_path.size() - 1);
642 
643  // Check that all subordinate certs pass the name constraint
644  for(size_t j = 0; j <= pos; ++j)
645  {
646  if(pos == j && at_self_signed_root)
647  continue;
648 
649  bool permitted = m_name_constraints.permitted().empty();
650  bool failed = false;
651 
652  for(auto c: m_name_constraints.permitted())
653  {
654  switch(c.base().matches(*cert_path.at(j)))
655  {
656  case GeneralName::MatchResult::NotFound:
657  case GeneralName::MatchResult::All:
658  permitted = true;
659  break;
660  case GeneralName::MatchResult::UnknownType:
661  failed = issuer_name_constraint_critical;
662  permitted = true;
663  break;
664  default:
665  break;
666  }
667  }
668 
669  for(auto c: m_name_constraints.excluded())
670  {
671  switch(c.base().matches(*cert_path.at(j)))
672  {
673  case GeneralName::MatchResult::All:
674  case GeneralName::MatchResult::Some:
675  failed = true;
676  break;
677  case GeneralName::MatchResult::UnknownType:
678  failed = issuer_name_constraint_critical;
679  break;
680  default:
681  break;
682  }
683  }
684 
685  if(failed || !permitted)
686  {
687  cert_status.at(j).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
688  }
689  }
690  }
691  }
692 
693 namespace {
694 
695 /*
696 * A policy specifier
697 */
698 class Policy_Information final : public ASN1_Object
699  {
700  public:
701  Policy_Information() = default;
702  explicit Policy_Information(const OID& oid) : m_oid(oid) {}
703 
704  const OID& oid() const { return m_oid; }
705 
706  void encode_into(DER_Encoder& codec) const override
707  {
708  codec.start_cons(SEQUENCE)
709  .encode(m_oid)
710  .end_cons();
711  }
712 
713  void decode_from(BER_Decoder& codec) override
714  {
715  codec.start_cons(SEQUENCE)
716  .decode(m_oid)
717  .discard_remaining()
718  .end_cons();
719  }
720 
721  private:
722  OID m_oid;
723  };
724 
725 }
726 
727 /*
728 * Encode the extension
729 */
730 std::vector<uint8_t> Certificate_Policies::encode_inner() const
731  {
732  std::vector<Policy_Information> policies;
733 
734  for(size_t i = 0; i != m_oids.size(); ++i)
735  policies.push_back(Policy_Information(m_oids[i]));
736 
737  std::vector<uint8_t> output;
738  DER_Encoder(output)
739  .start_cons(SEQUENCE)
740  .encode_list(policies)
741  .end_cons();
742  return output;
743  }
744 
745 /*
746 * Decode the extension
747 */
748 void Certificate_Policies::decode_inner(const std::vector<uint8_t>& in)
749  {
750  std::vector<Policy_Information> policies;
751 
752  BER_Decoder(in).decode_list(policies);
753  m_oids.clear();
754  for(size_t i = 0; i != policies.size(); ++i)
755  m_oids.push_back(policies[i].oid());
756  }
757 
758 /*
759 * Return a textual representation
760 */
761 void Certificate_Policies::contents_to(Data_Store& info, Data_Store&) const
762  {
763  for(size_t i = 0; i != m_oids.size(); ++i)
764  info.add("X509v3.CertificatePolicies", m_oids[i].as_string());
765  }
766 
768  const X509_Certificate& /*subject*/,
769  const X509_Certificate& /*issuer*/,
770  const std::vector<std::shared_ptr<const X509_Certificate>>& /*cert_path*/,
771  std::vector<std::set<Certificate_Status_Code>>& cert_status,
772  size_t pos)
773  {
774  std::set<OID> oid_set(m_oids.begin(), m_oids.end());
775  if(oid_set.size() != m_oids.size())
776  {
777  cert_status.at(pos).insert(Certificate_Status_Code::DUPLICATE_CERT_POLICY);
778  }
779  }
780 
781 std::vector<uint8_t> Authority_Information_Access::encode_inner() const
782  {
783  ASN1_String url(m_ocsp_responder, IA5_STRING);
784 
785  std::vector<uint8_t> output;
786  DER_Encoder(output)
789  .encode(OIDS::lookup("PKIX.OCSP"))
790  .add_object(ASN1_Tag(6), CONTEXT_SPECIFIC, url.value())
791  .end_cons()
792  .end_cons();
793  return output;
794  }
795 
796 void Authority_Information_Access::decode_inner(const std::vector<uint8_t>& in)
797  {
799 
800  while(ber.more_items())
801  {
802  OID oid;
803 
804  BER_Decoder info = ber.start_cons(SEQUENCE);
805 
806  info.decode(oid);
807 
808  if(oid == OIDS::lookup("PKIX.OCSP"))
809  {
811 
812  if(name.is_a(6, CONTEXT_SPECIFIC))
813  {
814  m_ocsp_responder = ASN1::to_string(name);
815  }
816 
817  }
818  if(oid == OIDS::lookup("PKIX.CertificateAuthorityIssuers"))
819  {
820  BER_Object name = info.get_next_object();
821 
822  if(name.is_a(6, CONTEXT_SPECIFIC))
823  {
824  m_ca_issuers.push_back(ASN1::to_string(name));
825  }
826  }
827  }
828  }
829 
830 void Authority_Information_Access::contents_to(Data_Store& subject, Data_Store&) const
831  {
832  if(!m_ocsp_responder.empty())
833  subject.add("OCSP.responder", m_ocsp_responder);
834  for(const std::string& ca_issuer : m_ca_issuers)
835  subject.add("PKIX.CertificateAuthorityIssuers", ca_issuer);
836  }
837 
838 /*
839 * Checked accessor for the crl_number member
840 */
842  {
843  if(!m_has_value)
844  throw Invalid_State("CRL_Number::get_crl_number: Not set");
845  return m_crl_number;
846  }
847 
848 /*
849 * Copy a CRL_Number extension
850 */
852  {
853  if(!m_has_value)
854  throw Invalid_State("CRL_Number::copy: Not set");
855  return new CRL_Number(m_crl_number);
856  }
857 
858 /*
859 * Encode the extension
860 */
861 std::vector<uint8_t> CRL_Number::encode_inner() const
862  {
863  std::vector<uint8_t> output;
864  DER_Encoder(output).encode(m_crl_number);
865  return output;
866  }
867 
868 /*
869 * Decode the extension
870 */
871 void CRL_Number::decode_inner(const std::vector<uint8_t>& in)
872  {
873  BER_Decoder(in).decode(m_crl_number);
874  m_has_value = true;
875  }
876 
877 /*
878 * Return a textual representation
879 */
880 void CRL_Number::contents_to(Data_Store& info, Data_Store&) const
881  {
882  info.add("X509v3.CRLNumber", static_cast<uint32_t>(m_crl_number));
883  }
884 
885 /*
886 * Encode the extension
887 */
888 std::vector<uint8_t> CRL_ReasonCode::encode_inner() const
889  {
890  std::vector<uint8_t> output;
891  DER_Encoder(output).encode(static_cast<size_t>(m_reason), ENUMERATED, UNIVERSAL);
892  return output;
893  }
894 
895 /*
896 * Decode the extension
897 */
898 void CRL_ReasonCode::decode_inner(const std::vector<uint8_t>& in)
899  {
900  size_t reason_code = 0;
901  BER_Decoder(in).decode(reason_code, ENUMERATED, UNIVERSAL);
902  m_reason = static_cast<CRL_Code>(reason_code);
903  }
904 
905 /*
906 * Return a textual representation
907 */
908 void CRL_ReasonCode::contents_to(Data_Store& info, Data_Store&) const
909  {
910  info.add("X509v3.CRLReasonCode", m_reason);
911  }
912 
913 std::vector<uint8_t> CRL_Distribution_Points::encode_inner() const
914  {
915  throw Not_Implemented("CRL_Distribution_Points encoding");
916  }
917 
918 void CRL_Distribution_Points::decode_inner(const std::vector<uint8_t>& buf)
919  {
920  BER_Decoder(buf)
921  .decode_list(m_distribution_points)
922  .verify_end();
923 
924  std::stringstream ss;
925 
926  for(size_t i = 0; i != m_distribution_points.size(); ++i)
927  {
928  auto contents = m_distribution_points[i].point().contents();
929 
930  for(const auto& pair : contents)
931  {
932  ss << pair.first << ": " << pair.second << " ";
933  }
934  }
935 
936  m_crl_distribution_urls.push_back(ss.str());
937  }
938 
939 void CRL_Distribution_Points::contents_to(Data_Store& subject, Data_Store&) const
940  {
941  for(const std::string& crl_url : m_crl_distribution_urls)
942  subject.add("CRL.DistributionPoint", crl_url);
943  }
944 
946  {
947  throw Not_Implemented("CRL_Distribution_Points encoding");
948  }
949 
951  {
952  ber.start_cons(SEQUENCE)
954  .decode_optional_implicit(m_point, ASN1_Tag(0),
957  .end_cons().end_cons();
958  }
959 
960 std::vector<uint8_t> CRL_Issuing_Distribution_Point::encode_inner() const
961  {
962  throw Not_Implemented("CRL_Issuing_Distribution_Point encoding");
963  }
964 
965 void CRL_Issuing_Distribution_Point::decode_inner(const std::vector<uint8_t>& buf)
966  {
967  BER_Decoder(buf).decode(m_distribution_point).verify_end();
968  }
969 
970 void CRL_Issuing_Distribution_Point::contents_to(Data_Store& info, Data_Store&) const
971  {
972  auto contents = m_distribution_point.point().contents();
973  std::stringstream ss;
974 
975  for(const auto& pair : contents)
976  {
977  ss << pair.first << ": " << pair.second << " ";
978  }
979 
980  info.add("X509v3.CRLIssuingDistributionPoint", ss.str());
981  }
982 
983 std::vector<uint8_t> Unknown_Extension::encode_inner() const
984  {
985  return m_bytes;
986  }
987 
988 void Unknown_Extension::decode_inner(const std::vector<uint8_t>& bytes)
989  {
990  // Just treat as an opaque blob at this level
991  m_bytes = bytes;
992  }
993 
994 void Unknown_Extension::contents_to(Data_Store&, Data_Store&) const
995  {
996  // No information store
997  }
998 
999 }
1000 
1001 }
const AlternativeName & get_alt_name() const
Definition: x509_ext.h:415
DER_Encoder & add_object(ASN1_Tag type_tag, ASN1_Tag class_tag, const uint8_t rep[], size_t length)
Definition: der_enc.cpp:249
virtual std::string oid_name() const =0
bool is_critical(const std::string &ex_name) const
Definition: x509cert.cpp:551
std::unique_ptr< Certificate_Extension > get(const OID &oid) const
Definition: x509_ext.cpp:183
DER_Encoder & encode_optional(const T &value, const T &default_value)
Definition: der_enc.h:114
static std::unique_ptr< HashFunction > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:359
BER_Decoder & decode_optional_string(std::vector< uint8_t, Alloc > &out, ASN1_Tag real_type, uint16_t type_no, ASN1_Tag class_tag=CONTEXT_SPECIFIC)
Definition: ber_dec.h:293
CRL_Code
Definition: crl_ent.h:22
int(* final)(unsigned char *, CTX *)
void encode_into(class DER_Encoder &) const override
Definition: x509_ext.cpp:945
void decode_from(class BER_Decoder &) override
Definition: x509_ext.cpp:245
bool critical_extension_set(const OID &oid) const
Definition: x509_ext.cpp:166
void replace(Certificate_Extension *extn, bool critical=false)
Definition: x509_ext.cpp:150
const std::vector< GeneralSubtree > & excluded() const
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:210
ASN1_Tag
Definition: asn1_obj.h:22
DER_Encoder & end_cons()
Definition: der_enc.cpp:191
DER_Encoder & encode_if(bool pred, DER_Encoder &enc)
Definition: der_enc.h:137
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::vector< std::set< Certificate_Status_Code >> &cert_status, size_t pos) override
Definition: x509_ext.cpp:628
BER_Decoder & decode(bool &out)
Definition: ber_dec.h:170
bool is_CA_cert() const
Definition: x509cert.cpp:443
void add(Certificate_Extension *extn, bool critical=false)
Definition: x509_ext.cpp:123
DER_Encoder & encode(bool b)
Definition: der_enc.cpp:285
BER_Decoder & decode_optional(T &out, ASN1_Tag type_tag, ASN1_Tag class_tag, const T &default_value=T())
Definition: ber_dec.h:337
std::string name
void encode_into(class DER_Encoder &) const override
Definition: x509_ext.cpp:221
bool add_new(Certificate_Extension *extn, bool critical=false)
Definition: x509_ext.cpp:135
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
Definition: pem.cpp:43
BER_Decoder & end_cons()
Definition: ber_dec.cpp:300
const AlternativeName & get_alt_name() const
Definition: x509_ext.h:443
const std::vector< GeneralSubtree > & permitted() const
BER_Decoder start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.cpp:290
bool extension_set(const OID &oid) const
Definition: x509_ext.cpp:161
virtual OID oid_of() const =0
Definition: alg_id.cpp:13
BER_Decoder & decode_optional_implicit(T &out, ASN1_Tag type_tag, ASN1_Tag class_tag, ASN1_Tag real_type, ASN1_Tag real_class, const T &default_value=T())
Definition: ber_dec.h:369
void contents_to(Data_Store &, Data_Store &) const
Definition: x509_ext.cpp:276
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::vector< std::set< Certificate_Status_Code >> &cert_status, size_t pos) override
Definition: x509_ext.cpp:767
BER_Object get_next_object()
Definition: ber_dec.cpp:237
BER_Decoder & verify_end()
Definition: ber_dec.cpp:208
uint16_t make_uint16(uint8_t i0, uint8_t i1)
Definition: loadstor.h:52
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: der_enc.cpp:181
BER_Decoder & decode_list(std::vector< T > &out, ASN1_Tag type_tag=SEQUENCE, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.h:398
virtual void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::vector< std::set< Certificate_Status_Code >> &cert_status, size_t pos)
Definition: x509_ext.cpp:113
bool more_items() const
Definition: ber_dec.cpp:198
std::map< OID, std::pair< std::vector< uint8_t >, bool > > extensions_raw() const
Definition: x509_ext.cpp:206
std::string lookup(const OID &oid)
Definition: oids.cpp:113
CRL_Number * copy() const override
Definition: x509_ext.cpp:851
MechanismType hash
const Certificate_Extension * get_extension_object(const OID &oid) const
Definition: x509_ext.cpp:174
void add(const std::multimap< std::string, std::string > &)
Definition: datastor.cpp:154
size_t low_bit(T n)
Definition: bit_ops.h:52
std::vector< std::pair< std::unique_ptr< Certificate_Extension >, bool > > extensions() const
Definition: x509_ext.cpp:192