Botan 2.19.0
Crypto and TLS for C&
x509_ext.cpp
Go to the documentation of this file.
1/*
2* X.509 Certificate Extensions
3* (C) 1999-2010,2012 Jack Lloyd
4* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity
5* (C) 2017 Fabian Weissberg, Rohde & Schwarz Cybersecurity
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/x509_ext.h>
11#include <botan/x509cert.h>
12#include <botan/datastor.h>
13#include <botan/der_enc.h>
14#include <botan/ber_dec.h>
15#include <botan/hash.h>
16#include <botan/loadstor.h>
17#include <botan/internal/bit_ops.h>
18#include <algorithm>
19#include <set>
20#include <sstream>
21
22namespace Botan {
23
24/*
25* Create a Certificate_Extension object of some kind to handle
26*/
27std::unique_ptr<Certificate_Extension>
28Extensions::create_extn_obj(const OID& oid,
29 bool critical,
30 const std::vector<uint8_t>& body)
31 {
32 const std::string oid_str = oid.to_string();
33
34 std::unique_ptr<Certificate_Extension> extn;
35
36 if(oid == Cert_Extension::Subject_Key_ID::static_oid())
37 {
38 extn.reset(new Cert_Extension::Subject_Key_ID);
39 }
40 else if(oid == Cert_Extension::Key_Usage::static_oid())
41 {
42 extn.reset(new Cert_Extension::Key_Usage);
43 }
44 else if(oid == Cert_Extension::Subject_Alternative_Name::static_oid())
45 {
46 extn.reset(new Cert_Extension::Subject_Alternative_Name);
47 }
48 else if(oid == Cert_Extension::Issuer_Alternative_Name::static_oid())
49 {
50 extn.reset(new Cert_Extension::Issuer_Alternative_Name);
51 }
52 else if(oid == Cert_Extension::Basic_Constraints::static_oid())
53 {
54 extn.reset(new Cert_Extension::Basic_Constraints);
55 }
56 else if(oid == Cert_Extension::CRL_Number::static_oid())
57 {
58 extn.reset(new Cert_Extension::CRL_Number);
59 }
60 else if(oid == Cert_Extension::CRL_ReasonCode::static_oid())
61 {
62 extn.reset(new Cert_Extension::CRL_ReasonCode);
63 }
64 else if(oid == Cert_Extension::Authority_Key_ID::static_oid())
65 {
66 extn.reset(new Cert_Extension::Authority_Key_ID);
67 }
68 else if(oid == Cert_Extension::Name_Constraints::static_oid())
69 {
70 extn.reset(new Cert_Extension::Name_Constraints);
71 }
72 else if(oid == Cert_Extension::CRL_Distribution_Points::static_oid())
73 {
74 extn.reset(new Cert_Extension::CRL_Distribution_Points);
75 }
76 else if(oid == Cert_Extension::CRL_Issuing_Distribution_Point::static_oid())
77 {
78 extn.reset(new Cert_Extension::CRL_Issuing_Distribution_Point);
79 }
80 else if(oid == Cert_Extension::Certificate_Policies::static_oid())
81 {
82 extn.reset(new Cert_Extension::Certificate_Policies);
83 }
84 else if(oid == Cert_Extension::Extended_Key_Usage::static_oid())
85 {
86 extn.reset(new Cert_Extension::Extended_Key_Usage);
87 }
88 else if(oid == Cert_Extension::Authority_Information_Access::static_oid())
89 {
90 extn.reset(new Cert_Extension::Authority_Information_Access);
91 }
92 else
93 {
94 // some other unknown extension type
95 extn.reset(new Cert_Extension::Unknown_Extension(oid, critical));
96 }
97
98 try
99 {
100 extn->decode_inner(body);
101 }
102 catch(Decoding_Error&)
103 {
104 extn.reset(new Cert_Extension::Unknown_Extension(oid, critical));
105 extn->decode_inner(body);
106 }
107 return extn;
108 }
109
110/*
111* Validate the extension (the default implementation is a NOP)
112*/
113void Certificate_Extension::validate(const X509_Certificate&, const X509_Certificate&,
114 const std::vector<std::shared_ptr<const X509_Certificate>>&,
115 std::vector<std::set<Certificate_Status_Code>>&,
116 size_t)
117 {
118 }
119
120/*
121* Add a new cert
122*/
123void Extensions::add(Certificate_Extension* extn, bool critical)
124 {
125 // sanity check: we don't want to have the same extension more than once
126 if(m_extension_info.count(extn->oid_of()) > 0)
127 {
128 const std::string name = extn->oid_name();
129 delete extn;
130 throw Invalid_Argument("Extension " + name + " already present in Extensions::add");
131 }
132
133 const OID oid = extn->oid_of();
134 Extensions_Info info(critical, extn);
135 m_extension_oids.push_back(oid);
136 m_extension_info.emplace(oid, info);
137 }
138
139bool Extensions::add_new(Certificate_Extension* extn, bool critical)
140 {
141 if(m_extension_info.count(extn->oid_of()) > 0)
142 {
143 delete extn;
144 return false; // already exists
145 }
146
147 const OID oid = extn->oid_of();
148 Extensions_Info info(critical, extn);
149 m_extension_oids.push_back(oid);
150 m_extension_info.emplace(oid, info);
151 return true;
152 }
153
154bool Extensions::remove(const OID& oid)
155 {
156 const bool erased = m_extension_info.erase(oid) > 0;
157
158 if(erased)
159 {
160 m_extension_oids.erase(std::find(m_extension_oids.begin(), m_extension_oids.end(), oid));
161 }
162
163 return erased;
164 }
165
166void Extensions::replace(Certificate_Extension* extn, bool critical)
167 {
168 // Remove it if it existed
169 remove(extn->oid_of());
170
171 const OID oid = extn->oid_of();
172 Extensions_Info info(critical, extn);
173 m_extension_oids.push_back(oid);
174 m_extension_info.emplace(oid, info);
175 }
176
177bool Extensions::extension_set(const OID& oid) const
178 {
179 return (m_extension_info.find(oid) != m_extension_info.end());
180 }
181
182bool Extensions::critical_extension_set(const OID& oid) const
183 {
184 auto i = m_extension_info.find(oid);
185 if(i != m_extension_info.end())
186 return i->second.is_critical();
187 return false;
188 }
189
190std::vector<uint8_t> Extensions::get_extension_bits(const OID& oid) const
191 {
192 auto i = m_extension_info.find(oid);
193 if(i == m_extension_info.end())
194 throw Invalid_Argument("Extensions::get_extension_bits no such extension set");
195
196 return i->second.bits();
197 }
198
199const Certificate_Extension* Extensions::get_extension_object(const OID& oid) const
200 {
201 auto extn = m_extension_info.find(oid);
202 if(extn == m_extension_info.end())
203 return nullptr;
204
205 return &extn->second.obj();
206 }
207
208std::unique_ptr<Certificate_Extension> Extensions::get(const OID& oid) const
209 {
210 if(const Certificate_Extension* ext = this->get_extension_object(oid))
211 {
212 return std::unique_ptr<Certificate_Extension>(ext->copy());
213 }
214 return nullptr;
215 }
216
217std::vector<std::pair<std::unique_ptr<Certificate_Extension>, bool>> Extensions::extensions() const
218 {
219 std::vector<std::pair<std::unique_ptr<Certificate_Extension>, bool>> exts;
220 for(auto&& ext : m_extension_info)
221 {
222 exts.push_back(
223 std::make_pair(
224 std::unique_ptr<Certificate_Extension>(ext.second.obj().copy()),
225 ext.second.is_critical())
226 );
227 }
228 return exts;
229 }
230
231std::map<OID, std::pair<std::vector<uint8_t>, bool>> Extensions::extensions_raw() const
232 {
233 std::map<OID, std::pair<std::vector<uint8_t>, bool>> out;
234 for(auto&& ext : m_extension_info)
235 {
236 out.emplace(ext.first,
237 std::make_pair(ext.second.bits(),
238 ext.second.is_critical()));
239 }
240 return out;
241 }
242
243/*
244* Encode an Extensions list
245*/
246void Extensions::encode_into(DER_Encoder& to_object) const
247 {
248 for(auto ext_info : m_extension_info)
249 {
250 const OID& oid = ext_info.first;
251 const bool should_encode = ext_info.second.obj().should_encode();
252
253 if(should_encode)
254 {
255 const bool is_critical = ext_info.second.is_critical();
256 const std::vector<uint8_t>& ext_value = ext_info.second.bits();
257
258 to_object.start_cons(SEQUENCE)
259 .encode(oid)
260 .encode_optional(is_critical, false)
261 .encode(ext_value, OCTET_STRING)
262 .end_cons();
263 }
264 }
265 }
266
267/*
268* Decode a list of Extensions
269*/
270void Extensions::decode_from(BER_Decoder& from_source)
271 {
272 m_extension_oids.clear();
273 m_extension_info.clear();
274
275 BER_Decoder sequence = from_source.start_cons(SEQUENCE);
276
277 while(sequence.more_items())
278 {
279 OID oid;
280 bool critical;
281 std::vector<uint8_t> bits;
282
283 sequence.start_cons(SEQUENCE)
284 .decode(oid)
285 .decode_optional(critical, BOOLEAN, UNIVERSAL, false)
286 .decode(bits, OCTET_STRING)
287 .end_cons();
288
289 std::unique_ptr<Certificate_Extension> obj = create_extn_obj(oid, critical, bits);
290 Extensions_Info info(critical, bits, obj.release());
291
292 m_extension_oids.push_back(oid);
293 m_extension_info.emplace(oid, info);
294 }
295 sequence.verify_end();
296 }
297
298/*
299* Write the extensions to an info store
300*/
301void Extensions::contents_to(Data_Store& subject_info,
302 Data_Store& issuer_info) const
303 {
304 for(auto&& m_extn_info : m_extension_info)
305 {
306 m_extn_info.second.obj().contents_to(subject_info, issuer_info);
307 subject_info.add(m_extn_info.second.obj().oid_name() + ".is_critical",
308 m_extn_info.second.is_critical());
309 }
310 }
311
312namespace Cert_Extension {
313
314/*
315* Checked accessor for the path_limit member
316*/
317size_t Basic_Constraints::get_path_limit() const
318 {
319 if(!m_is_ca)
320 throw Invalid_State("Basic_Constraints::get_path_limit: Not a CA");
321 return m_path_limit;
322 }
323
324/*
325* Encode the extension
326*/
327std::vector<uint8_t> Basic_Constraints::encode_inner() const
328 {
329 std::vector<uint8_t> output;
330 DER_Encoder(output)
331 .start_cons(SEQUENCE)
332 .encode_if(m_is_ca,
333 DER_Encoder()
334 .encode(m_is_ca)
335 .encode_optional(m_path_limit, NO_CERT_PATH_LIMIT)
336 )
337 .end_cons();
338 return output;
339 }
340
341/*
342* Decode the extension
343*/
344void Basic_Constraints::decode_inner(const std::vector<uint8_t>& in)
345 {
346 BER_Decoder(in)
347 .start_cons(SEQUENCE)
348 .decode_optional(m_is_ca, BOOLEAN, UNIVERSAL, false)
349 .decode_optional(m_path_limit, INTEGER, UNIVERSAL, NO_CERT_PATH_LIMIT)
350 .end_cons();
351
352 if(m_is_ca == false)
353 m_path_limit = 0;
354 }
355
356/*
357* Return a textual representation
358*/
359void Basic_Constraints::contents_to(Data_Store& subject, Data_Store&) const
360 {
361 subject.add("X509v3.BasicConstraints.is_ca", (m_is_ca ? 1 : 0));
362 subject.add("X509v3.BasicConstraints.path_constraint", static_cast<uint32_t>(m_path_limit));
363 }
364
365/*
366* Encode the extension
367*/
368std::vector<uint8_t> Key_Usage::encode_inner() const
369 {
370 if(m_constraints == NO_CONSTRAINTS)
371 throw Encoding_Error("Cannot encode zero usage constraints");
372
373 const size_t unused_bits = ctz(static_cast<uint32_t>(m_constraints));
374
375 std::vector<uint8_t> der;
376 der.push_back(BIT_STRING);
377 der.push_back(2 + ((unused_bits < 8) ? 1 : 0));
378 der.push_back(unused_bits % 8);
379 der.push_back((m_constraints >> 8) & 0xFF);
380 if(m_constraints & 0xFF)
381 der.push_back(m_constraints & 0xFF);
382
383 return der;
384 }
385
386/*
387* Decode the extension
388*/
389void Key_Usage::decode_inner(const std::vector<uint8_t>& in)
390 {
391 BER_Decoder ber(in);
392
393 BER_Object obj = ber.get_next_object();
394
395 obj.assert_is_a(BIT_STRING, UNIVERSAL, "usage constraint");
396
397 if(obj.length() != 2 && obj.length() != 3)
398 throw BER_Decoding_Error("Bad size for BITSTRING in usage constraint");
399
400 uint16_t usage = 0;
401
402 const uint8_t* bits = obj.bits();
403
404 if(bits[0] >= 8)
405 throw BER_Decoding_Error("Invalid unused bits in usage constraint");
406
407 const uint8_t mask = static_cast<uint8_t>(0xFF << bits[0]);
408
409 if(obj.length() == 2)
410 {
411 usage = make_uint16(bits[1] & mask, 0);
412 }
413 else if(obj.length() == 3)
414 {
415 usage = make_uint16(bits[1], bits[2] & mask);
416 }
417
418 m_constraints = Key_Constraints(usage);
419 }
420
421/*
422* Return a textual representation
423*/
424void Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
425 {
426 subject.add("X509v3.KeyUsage", m_constraints);
427 }
428
429/*
430* Encode the extension
431*/
432std::vector<uint8_t> Subject_Key_ID::encode_inner() const
433 {
434 std::vector<uint8_t> output;
435 DER_Encoder(output).encode(m_key_id, OCTET_STRING);
436 return output;
437 }
438
439/*
440* Decode the extension
441*/
442void Subject_Key_ID::decode_inner(const std::vector<uint8_t>& in)
443 {
444 BER_Decoder(in).decode(m_key_id, OCTET_STRING).verify_end();
445 }
446
447/*
448* Return a textual representation
449*/
450void Subject_Key_ID::contents_to(Data_Store& subject, Data_Store&) const
451 {
452 subject.add("X509v3.SubjectKeyIdentifier", m_key_id);
453 }
454
455/*
456* Subject_Key_ID Constructor
457*/
458Subject_Key_ID::Subject_Key_ID(const std::vector<uint8_t>& pub_key, const std::string& hash_name)
459 {
460 std::unique_ptr<HashFunction> hash(HashFunction::create_or_throw(hash_name));
461
462 m_key_id.resize(hash->output_length());
463
464 hash->update(pub_key);
465 hash->final(m_key_id.data());
466
467 // Truncate longer hashes, 192 bits here seems plenty
468 const size_t max_skid_len = (192 / 8);
469 if(m_key_id.size() > max_skid_len)
470 m_key_id.resize(max_skid_len);
471 }
472
473/*
474* Encode the extension
475*/
476std::vector<uint8_t> Authority_Key_ID::encode_inner() const
477 {
478 std::vector<uint8_t> output;
479 DER_Encoder(output)
480 .start_cons(SEQUENCE)
481 .encode(m_key_id, OCTET_STRING, ASN1_Tag(0), CONTEXT_SPECIFIC)
482 .end_cons();
483 return output;
484 }
485
486/*
487* Decode the extension
488*/
489void Authority_Key_ID::decode_inner(const std::vector<uint8_t>& in)
490 {
491 BER_Decoder(in)
492 .start_cons(SEQUENCE)
493 .decode_optional_string(m_key_id, OCTET_STRING, 0);
494 }
495
496/*
497* Return a textual representation
498*/
499void Authority_Key_ID::contents_to(Data_Store&, Data_Store& issuer) const
500 {
501 if(m_key_id.size())
502 issuer.add("X509v3.AuthorityKeyIdentifier", m_key_id);
503 }
504
505/*
506* Encode the extension
507*/
508std::vector<uint8_t> Subject_Alternative_Name::encode_inner() const
509 {
510 std::vector<uint8_t> output;
511 DER_Encoder(output).encode(m_alt_name);
512 return output;
513 }
514
515/*
516* Encode the extension
517*/
518std::vector<uint8_t> Issuer_Alternative_Name::encode_inner() const
519 {
520 std::vector<uint8_t> output;
521 DER_Encoder(output).encode(m_alt_name);
522 return output;
523 }
524
525/*
526* Decode the extension
527*/
528void Subject_Alternative_Name::decode_inner(const std::vector<uint8_t>& in)
529 {
530 BER_Decoder(in).decode(m_alt_name);
531 }
532
533/*
534* Decode the extension
535*/
536void Issuer_Alternative_Name::decode_inner(const std::vector<uint8_t>& in)
537 {
538 BER_Decoder(in).decode(m_alt_name);
539 }
540
541/*
542* Return a textual representation
543*/
544void Subject_Alternative_Name::contents_to(Data_Store& subject_info,
545 Data_Store&) const
546 {
547 subject_info.add(get_alt_name().contents());
548 }
549
550/*
551* Return a textual representation
552*/
553void Issuer_Alternative_Name::contents_to(Data_Store&, Data_Store& issuer_info) const
554 {
555 issuer_info.add(get_alt_name().contents());
556 }
557
558/*
559* Encode the extension
560*/
561std::vector<uint8_t> Extended_Key_Usage::encode_inner() const
562 {
563 std::vector<uint8_t> output;
564 DER_Encoder(output)
565 .start_cons(SEQUENCE)
566 .encode_list(m_oids)
567 .end_cons();
568 return output;
569 }
570
571/*
572* Decode the extension
573*/
574void Extended_Key_Usage::decode_inner(const std::vector<uint8_t>& in)
575 {
576 BER_Decoder(in).decode_list(m_oids);
577 }
578
579/*
580* Return a textual representation
581*/
582void Extended_Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
583 {
584 for(size_t i = 0; i != m_oids.size(); ++i)
585 subject.add("X509v3.ExtendedKeyUsage", m_oids[i].to_string());
586 }
587
588/*
589* Encode the extension
590*/
591std::vector<uint8_t> Name_Constraints::encode_inner() const
592 {
593 throw Not_Implemented("Name_Constraints encoding");
594 }
595
596
597/*
598* Decode the extension
599*/
600void Name_Constraints::decode_inner(const std::vector<uint8_t>& in)
601 {
602 std::vector<GeneralSubtree> permit, exclude;
603 BER_Decoder ber(in);
604 BER_Decoder ext = ber.start_cons(SEQUENCE);
605 BER_Object per = ext.get_next_object();
606
607 ext.push_back(per);
608 if(per.is_a(0, ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)))
609 {
610 ext.decode_list(permit,ASN1_Tag(0),ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC));
611 if(permit.empty())
612 throw Encoding_Error("Empty Name Contraint list");
613 }
614
615 BER_Object exc = ext.get_next_object();
616 ext.push_back(exc);
617 if(per.is_a(1, ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)))
618 {
619 ext.decode_list(exclude,ASN1_Tag(1),ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC));
620 if(exclude.empty())
621 throw Encoding_Error("Empty Name Contraint list");
622 }
623
624 ext.end_cons();
625
626 if(permit.empty() && exclude.empty())
627 throw Encoding_Error("Empty Name Contraint extension");
628
629 m_name_constraints = NameConstraints(std::move(permit),std::move(exclude));
630 }
631
632/*
633* Return a textual representation
634*/
635void Name_Constraints::contents_to(Data_Store& subject, Data_Store&) const
636 {
637 std::stringstream ss;
638
639 for(const GeneralSubtree& gs: m_name_constraints.permitted())
640 {
641 ss << gs;
642 subject.add("X509v3.NameConstraints.permitted", ss.str());
643 ss.str(std::string());
644 }
645 for(const GeneralSubtree& gs: m_name_constraints.excluded())
646 {
647 ss << gs;
648 subject.add("X509v3.NameConstraints.excluded", ss.str());
649 ss.str(std::string());
650 }
651 }
652
653void Name_Constraints::validate(const X509_Certificate& subject, const X509_Certificate& issuer,
654 const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
655 std::vector<std::set<Certificate_Status_Code>>& cert_status,
656 size_t pos)
657 {
658 if(!m_name_constraints.permitted().empty() || !m_name_constraints.excluded().empty())
659 {
660 if(!subject.is_CA_cert())
661 {
662 cert_status.at(pos).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
663 }
664
665 const bool issuer_name_constraint_critical =
666 issuer.is_critical("X509v3.NameConstraints");
667
668 // Check that all subordinate certs pass the name constraint
669 for(size_t j = 0; j < pos; ++j)
670 {
671 bool permitted = m_name_constraints.permitted().empty();
672 bool failed = false;
673
674 for(auto c: m_name_constraints.permitted())
675 {
676 switch(c.base().matches(*cert_path.at(j)))
677 {
678 case GeneralName::MatchResult::NotFound:
679 case GeneralName::MatchResult::All:
680 permitted = true;
681 break;
682 case GeneralName::MatchResult::UnknownType:
683 failed = issuer_name_constraint_critical;
684 permitted = true;
685 break;
686 default:
687 break;
688 }
689 }
690
691 for(auto c: m_name_constraints.excluded())
692 {
693 switch(c.base().matches(*cert_path.at(j)))
694 {
695 case GeneralName::MatchResult::All:
696 case GeneralName::MatchResult::Some:
697 failed = true;
698 break;
699 case GeneralName::MatchResult::UnknownType:
700 failed = issuer_name_constraint_critical;
701 break;
702 default:
703 break;
704 }
705 }
706
707 if(failed || !permitted)
708 {
709 cert_status.at(j).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
710 }
711 }
712 }
713 }
714
715namespace {
716
717/*
718* A policy specifier
719*/
720class Policy_Information final : public ASN1_Object
721 {
722 public:
723 Policy_Information() = default;
724 explicit Policy_Information(const OID& oid) : m_oid(oid) {}
725
726 const OID& oid() const { return m_oid; }
727
728 void encode_into(DER_Encoder& codec) const override
729 {
730 codec.start_cons(SEQUENCE)
731 .encode(m_oid)
732 .end_cons();
733 }
734
735 void decode_from(BER_Decoder& codec) override
736 {
737 codec.start_cons(SEQUENCE)
738 .decode(m_oid)
739 .discard_remaining()
740 .end_cons();
741 }
742
743 private:
744 OID m_oid;
745 };
746
747}
748
749/*
750* Encode the extension
751*/
752std::vector<uint8_t> Certificate_Policies::encode_inner() const
753 {
754 std::vector<Policy_Information> policies;
755
756 for(size_t i = 0; i != m_oids.size(); ++i)
757 policies.push_back(Policy_Information(m_oids[i]));
758
759 std::vector<uint8_t> output;
760 DER_Encoder(output)
761 .start_cons(SEQUENCE)
762 .encode_list(policies)
763 .end_cons();
764 return output;
765 }
766
767/*
768* Decode the extension
769*/
770void Certificate_Policies::decode_inner(const std::vector<uint8_t>& in)
771 {
772 std::vector<Policy_Information> policies;
773
774 BER_Decoder(in).decode_list(policies);
775 m_oids.clear();
776 for(size_t i = 0; i != policies.size(); ++i)
777 m_oids.push_back(policies[i].oid());
778 }
779
780/*
781* Return a textual representation
782*/
783void Certificate_Policies::contents_to(Data_Store& info, Data_Store&) const
784 {
785 for(size_t i = 0; i != m_oids.size(); ++i)
786 info.add("X509v3.CertificatePolicies", m_oids[i].to_string());
787 }
788
789void Certificate_Policies::validate(
790 const X509_Certificate& /*subject*/,
791 const X509_Certificate& /*issuer*/,
792 const std::vector<std::shared_ptr<const X509_Certificate>>& /*cert_path*/,
793 std::vector<std::set<Certificate_Status_Code>>& cert_status,
794 size_t pos)
795 {
796 std::set<OID> oid_set(m_oids.begin(), m_oids.end());
797 if(oid_set.size() != m_oids.size())
798 {
799 cert_status.at(pos).insert(Certificate_Status_Code::DUPLICATE_CERT_POLICY);
800 }
801 }
802
803std::vector<uint8_t> Authority_Information_Access::encode_inner() const
804 {
805 ASN1_String url(m_ocsp_responder, IA5_STRING);
806
807 std::vector<uint8_t> output;
808 DER_Encoder(output)
809 .start_cons(SEQUENCE)
810 .start_cons(SEQUENCE)
811 .encode(OID::from_string("PKIX.OCSP"))
812 .add_object(ASN1_Tag(6), CONTEXT_SPECIFIC, url.value())
813 .end_cons()
814 .end_cons();
815 return output;
816 }
817
818void Authority_Information_Access::decode_inner(const std::vector<uint8_t>& in)
819 {
820 BER_Decoder ber = BER_Decoder(in).start_cons(SEQUENCE);
821
822 while(ber.more_items())
823 {
824 OID oid;
825
826 BER_Decoder info = ber.start_cons(SEQUENCE);
827
828 info.decode(oid);
829
830 if(oid == OID::from_string("PKIX.OCSP"))
831 {
832 BER_Object name = info.get_next_object();
833
834 if(name.is_a(6, CONTEXT_SPECIFIC))
835 {
836 m_ocsp_responder = ASN1::to_string(name);
837 }
838
839 }
840 if(oid == OID::from_string("PKIX.CertificateAuthorityIssuers"))
841 {
842 BER_Object name = info.get_next_object();
843
844 if(name.is_a(6, CONTEXT_SPECIFIC))
845 {
846 m_ca_issuers.push_back(ASN1::to_string(name));
847 }
848 }
849 }
850 }
851
852void Authority_Information_Access::contents_to(Data_Store& subject, Data_Store&) const
853 {
854 if(!m_ocsp_responder.empty())
855 subject.add("OCSP.responder", m_ocsp_responder);
856 for(const std::string& ca_issuer : m_ca_issuers)
857 subject.add("PKIX.CertificateAuthorityIssuers", ca_issuer);
858 }
859
860/*
861* Checked accessor for the crl_number member
862*/
863size_t CRL_Number::get_crl_number() const
864 {
865 if(!m_has_value)
866 throw Invalid_State("CRL_Number::get_crl_number: Not set");
867 return m_crl_number;
868 }
869
870/*
871* Copy a CRL_Number extension
872*/
873CRL_Number* CRL_Number::copy() const
874 {
875 if(!m_has_value)
876 throw Invalid_State("CRL_Number::copy: Not set");
877 return new CRL_Number(m_crl_number);
878 }
879
880/*
881* Encode the extension
882*/
883std::vector<uint8_t> CRL_Number::encode_inner() const
884 {
885 std::vector<uint8_t> output;
886 DER_Encoder(output).encode(m_crl_number);
887 return output;
888 }
889
890/*
891* Decode the extension
892*/
893void CRL_Number::decode_inner(const std::vector<uint8_t>& in)
894 {
895 BER_Decoder(in).decode(m_crl_number);
896 m_has_value = true;
897 }
898
899/*
900* Return a textual representation
901*/
902void CRL_Number::contents_to(Data_Store& info, Data_Store&) const
903 {
904 info.add("X509v3.CRLNumber", static_cast<uint32_t>(m_crl_number));
905 }
906
907/*
908* Encode the extension
909*/
910std::vector<uint8_t> CRL_ReasonCode::encode_inner() const
911 {
912 std::vector<uint8_t> output;
913 DER_Encoder(output).encode(static_cast<size_t>(m_reason), ENUMERATED, UNIVERSAL);
914 return output;
915 }
916
917/*
918* Decode the extension
919*/
920void CRL_ReasonCode::decode_inner(const std::vector<uint8_t>& in)
921 {
922 size_t reason_code = 0;
923 BER_Decoder(in).decode(reason_code, ENUMERATED, UNIVERSAL);
924 m_reason = static_cast<CRL_Code>(reason_code);
925 }
926
927/*
928* Return a textual representation
929*/
930void CRL_ReasonCode::contents_to(Data_Store& info, Data_Store&) const
931 {
932 info.add("X509v3.CRLReasonCode", m_reason);
933 }
934
935std::vector<uint8_t> CRL_Distribution_Points::encode_inner() const
936 {
937 throw Not_Implemented("CRL_Distribution_Points encoding");
938 }
939
940void CRL_Distribution_Points::decode_inner(const std::vector<uint8_t>& buf)
941 {
942 BER_Decoder(buf)
943 .decode_list(m_distribution_points)
944 .verify_end();
945
946 std::stringstream ss;
947
948 for(size_t i = 0; i != m_distribution_points.size(); ++i)
949 {
950 auto contents = m_distribution_points[i].point().contents();
951
952 for(const auto& pair : contents)
953 {
954 ss << pair.first << ": " << pair.second << " ";
955 }
956 }
957
958 m_crl_distribution_urls.push_back(ss.str());
959 }
960
961void CRL_Distribution_Points::contents_to(Data_Store& subject, Data_Store&) const
962 {
963 for(const std::string& crl_url : m_crl_distribution_urls)
964 subject.add("CRL.DistributionPoint", crl_url);
965 }
966
967void CRL_Distribution_Points::Distribution_Point::encode_into(class DER_Encoder&) const
968 {
969 throw Not_Implemented("CRL_Distribution_Points encoding");
970 }
971
972void CRL_Distribution_Points::Distribution_Point::decode_from(class BER_Decoder& ber)
973 {
974 ber.start_cons(SEQUENCE)
975 .start_cons(ASN1_Tag(0), CONTEXT_SPECIFIC)
976 .decode_optional_implicit(m_point, ASN1_Tag(0),
977 ASN1_Tag(CONTEXT_SPECIFIC | CONSTRUCTED),
978 SEQUENCE, CONSTRUCTED)
979 .end_cons().end_cons();
980 }
981
982std::vector<uint8_t> CRL_Issuing_Distribution_Point::encode_inner() const
983 {
984 throw Not_Implemented("CRL_Issuing_Distribution_Point encoding");
985 }
986
987void CRL_Issuing_Distribution_Point::decode_inner(const std::vector<uint8_t>& buf)
988 {
989 BER_Decoder(buf).decode(m_distribution_point).verify_end();
990 }
991
992void CRL_Issuing_Distribution_Point::contents_to(Data_Store& info, Data_Store&) const
993 {
994 auto contents = m_distribution_point.point().contents();
995 std::stringstream ss;
996
997 for(const auto& pair : contents)
998 {
999 ss << pair.first << ": " << pair.second << " ";
1000 }
1001
1002 info.add("X509v3.CRLIssuingDistributionPoint", ss.str());
1003 }
1004
1005std::vector<uint8_t> Unknown_Extension::encode_inner() const
1006 {
1007 return m_bytes;
1008 }
1009
1010void Unknown_Extension::decode_inner(const std::vector<uint8_t>& bytes)
1011 {
1012 // Just treat as an opaque blob at this level
1013 m_bytes = bytes;
1014 }
1015
1016void Unknown_Extension::contents_to(Data_Store&, Data_Store&) const
1017 {
1018 // No information store
1019 }
1020
1021}
1022
1023}
Botan::ASN1_Object
Definition: asn1_obj.h:69
Botan::ASN1_String
Definition: asn1_obj.h:393
Botan::BER_Decoder
Definition: ber_dec.h:22
Botan::BER_Decoder::start_cons
BER_Decoder start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.cpp:290
Botan::BER_Decoder::decode_list
BER_Decoder & decode_list(std::vector< T > &out, ASN1_Tag type_tag=SEQUENCE, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.h:398
Botan::BER_Decoder::get_next_object
BER_Object get_next_object()
Definition: ber_dec.cpp:237
Botan::BER_Decoder::decode
BER_Decoder & decode(bool &out)
Definition: ber_dec.h:170
Botan::BER_Decoder::more_items
bool more_items() const
Definition: ber_dec.cpp:198
Botan::BER_Decoder::decode_optional_string
BER_Decoder & decode_optional_string(std::vector< uint8_t, Alloc > &out, ASN1_Tag real_type, uint16_t type_no, ASN1_Tag class_tag=CONTEXT_SPECIFIC)
Definition: ber_dec.h:293
Botan::BER_Decoder::decode_optional
BER_Decoder & decode_optional(T &out, ASN1_Tag type_tag, ASN1_Tag class_tag, const T &default_value=T())
Definition: ber_dec.h:337
Botan::BER_Decoder::verify_end
BER_Decoder & verify_end()
Definition: ber_dec.cpp:208
Botan::BER_Decoder::end_cons
BER_Decoder & end_cons()
Definition: ber_dec.cpp:300
Botan::BER_Decoder::decode_optional_implicit
BER_Decoder & decode_optional_implicit(T &out, ASN1_Tag type_tag, ASN1_Tag class_tag, ASN1_Tag real_type, ASN1_Tag real_class, const T &default_value=T())
Definition: ber_dec.h:369
Botan::BER_Object
Definition: asn1_obj.h:100
Botan::Cert_Extension::Authority_Information_Access::static_oid
static OID static_oid()
Definition: x509_ext.h:313
Botan::Cert_Extension::Authority_Key_ID::static_oid
static OID static_oid()
Definition: x509_ext.h:128
Botan::Cert_Extension::Basic_Constraints::get_path_limit
size_t get_path_limit() const
Definition: x509_ext.cpp:317
Botan::Cert_Extension::Basic_Constraints::static_oid
static OID static_oid()
Definition: x509_ext.h:38
Botan::Cert_Extension::CRL_Distribution_Points::Distribution_Point::decode_from
void decode_from(class BER_Decoder &) override
Definition: x509_ext.cpp:972
Botan::Cert_Extension::CRL_Distribution_Points::Distribution_Point::encode_into
void encode_into(class DER_Encoder &) const override
Definition: x509_ext.cpp:967
Botan::Cert_Extension::CRL_Distribution_Points::static_oid
static OID static_oid()
Definition: x509_ext.h:419
Botan::Cert_Extension::CRL_Issuing_Distribution_Point::static_oid
static OID static_oid()
Definition: x509_ext.h:455
Botan::Cert_Extension::CRL_Number
Definition: x509_ext.h:336
Botan::Cert_Extension::CRL_Number::copy
CRL_Number * copy() const override
Definition: x509_ext.cpp:873
Botan::Cert_Extension::CRL_Number::get_crl_number
size_t get_crl_number() const
Definition: x509_ext.cpp:863
Botan::Cert_Extension::CRL_Number::CRL_Number
CRL_Number()
Definition: x509_ext.h:340
Botan::Cert_Extension::CRL_Number::static_oid
static OID static_oid()
Definition: x509_ext.h:345
Botan::Cert_Extension::CRL_ReasonCode::static_oid
static OID static_oid()
Definition: x509_ext.h:373
Botan::Cert_Extension::Certificate_Policies::static_oid
static OID static_oid()
Definition: x509_ext.h:278
Botan::Cert_Extension::Certificate_Policies::validate
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate > > &cert_path, std::vector< std::set< Certificate_Status_Code > > &cert_status, size_t pos) override
Definition: x509_ext.cpp:789
Botan::Cert_Extension::Extended_Key_Usage::static_oid
static OID static_oid()
Definition: x509_ext.h:213
Botan::Cert_Extension::Issuer_Alternative_Name::static_oid
static OID static_oid()
Definition: x509_ext.h:179
Botan::Cert_Extension::Issuer_Alternative_Name::get_alt_name
const AlternativeName & get_alt_name() const
Definition: x509_ext.h:177
Botan::Cert_Extension::Key_Usage::static_oid
static OID static_oid()
Definition: x509_ext.h:65
Botan::Cert_Extension::Name_Constraints::validate
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate > > &cert_path, std::vector< std::set< Certificate_Status_Code > > &cert_status, size_t pos) override
Definition: x509_ext.cpp:653
Botan::Cert_Extension::Name_Constraints::static_oid
static OID static_oid()
Definition: x509_ext.h:246
Botan::Cert_Extension::Subject_Alternative_Name::get_alt_name
const AlternativeName & get_alt_name() const
Definition: x509_ext.h:149
Botan::Cert_Extension::Subject_Alternative_Name::static_oid
static OID static_oid()
Definition: x509_ext.h:151
Botan::Cert_Extension::Subject_Key_ID::Subject_Key_ID
Subject_Key_ID()=default
Botan::Cert_Extension::Subject_Key_ID::static_oid
static OID static_oid()
Definition: x509_ext.h:98
Botan::Certificate_Extension
Definition: pkix_types.h:351
Botan::Certificate_Extension::validate
virtual void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate > > &cert_path, std::vector< std::set< Certificate_Status_Code > > &cert_status, size_t pos)
Definition: x509_ext.cpp:113
Botan::Certificate_Extension::oid_name
virtual std::string oid_name() const =0
Botan::Certificate_Extension::oid_of
virtual OID oid_of() const =0
Botan::DER_Encoder
Definition: der_enc.h:23
Botan::DER_Encoder::encode_optional
DER_Encoder & encode_optional(const T &value, const T &default_value)
Definition: der_enc.h:120
Botan::DER_Encoder::add_object
DER_Encoder & add_object(ASN1_Tag type_tag, ASN1_Tag class_tag, const uint8_t rep[], size_t length)
Definition: der_enc.cpp:249
Botan::DER_Encoder::start_cons
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: der_enc.cpp:181
Botan::DER_Encoder::encode_if
DER_Encoder & encode_if(bool pred, DER_Encoder &enc)
Definition: der_enc.h:143
Botan::DER_Encoder::end_cons
DER_Encoder & end_cons()
Definition: der_enc.cpp:191
Botan::DER_Encoder::encode
DER_Encoder & encode(bool b)
Definition: der_enc.cpp:285
Botan::Data_Store
Definition: datastor.h:29
Botan::Data_Store::add
void add(const std::multimap< std::string, std::string > &)
Definition: datastor.cpp:154
Botan::Extensions::get_extension_object
const Certificate_Extension * get_extension_object(const OID &oid) const
Definition: x509_ext.cpp:199
Botan::Extensions::decode_from
void decode_from(class BER_Decoder &) override
Definition: x509_ext.cpp:270
Botan::Extensions::extensions_raw
std::map< OID, std::pair< std::vector< uint8_t >, bool > > extensions_raw() const
Definition: x509_ext.cpp:231
Botan::Extensions::replace
void replace(Certificate_Extension *extn, bool critical=false)
Definition: x509_ext.cpp:166
Botan::Extensions::get
std::unique_ptr< Certificate_Extension > get(const OID &oid) const
Definition: x509_ext.cpp:208
Botan::Extensions::remove
bool remove(const OID &oid)
Definition: x509_ext.cpp:154
Botan::Extensions::contents_to
void contents_to(Data_Store &, Data_Store &) const
Definition: x509_ext.cpp:301
Botan::Extensions::get_extension_bits
std::vector< uint8_t > get_extension_bits(const OID &oid) const
Definition: x509_ext.cpp:190
Botan::Extensions::critical_extension_set
bool critical_extension_set(const OID &oid) const
Definition: x509_ext.cpp:182
Botan::Extensions::extensions
std::vector< std::pair< std::unique_ptr< Certificate_Extension >, bool > > extensions() const
Definition: x509_ext.cpp:217
Botan::Extensions::add_new
bool add_new(Certificate_Extension *extn, bool critical=false)
Definition: x509_ext.cpp:139
Botan::Extensions::encode_into
void encode_into(class DER_Encoder &) const override
Definition: x509_ext.cpp:246
Botan::Extensions::add
void add(Certificate_Extension *extn, bool critical=false)
Definition: x509_ext.cpp:123
Botan::Extensions::extension_set
bool extension_set(const OID &oid) const
Definition: x509_ext.cpp:177
Botan::HashFunction::create_or_throw
static std::unique_ptr< HashFunction > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:344
Botan::Invalid_Argument
Definition: exceptn.h:137
Botan::Invalid_State
Definition: exceptn.h:216
Botan::NameConstraints::permitted
const std::vector< GeneralSubtree > & permitted() const
Definition: pkix_types.h:335
Botan::NameConstraints::excluded
const std::vector< GeneralSubtree > & excluded() const
Definition: pkix_types.h:340
Botan::Not_Implemented
Definition: exceptn.h:356
Botan::OID::from_string
static OID from_string(const std::string &str)
Definition: asn1_oid.cpp:62
Botan::X509_Certificate
Definition: x509cert.h:38
Botan::X509_Certificate::is_CA_cert
bool is_CA_cert() const
Definition: x509cert.cpp:491
Botan::X509_Certificate::is_critical
bool is_critical(const std::string &ex_name) const
Definition: x509cert.cpp:608
name
std::string name
Definition: commoncrypto_hash.cpp:24
final
int(* final)(unsigned char *, CTX *)
Definition: commoncrypto_hash.cpp:29
Botan::ASN1::to_string
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
Botan::PEM_Code::encode
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
Definition: pem.cpp:43
Botan
Definition: alg_id.cpp:13
Botan::ctz
size_t ctz(T n)
Definition: bit_ops.h:99
Botan::ASN1_Tag
ASN1_Tag
Definition: asn1_obj.h:25
Botan::CONSTRUCTED
@ CONSTRUCTED
Definition: asn1_obj.h:30
Botan::IA5_STRING
@ IA5_STRING
Definition: asn1_obj.h:49
Botan::BIT_STRING
@ BIT_STRING
Definition: asn1_obj.h:37
Botan::SEQUENCE
@ SEQUENCE
Definition: asn1_obj.h:42
Botan::BOOLEAN
@ BOOLEAN
Definition: asn1_obj.h:35
Botan::CONTEXT_SPECIFIC
@ CONTEXT_SPECIFIC
Definition: asn1_obj.h:28
Botan::ENUMERATED
@ ENUMERATED
Definition: asn1_obj.h:41
Botan::OCTET_STRING
@ OCTET_STRING
Definition: asn1_obj.h:38
Botan::UNIVERSAL
@ UNIVERSAL
Definition: asn1_obj.h:26
Botan::INTEGER
@ INTEGER
Definition: asn1_obj.h:36
Botan::Key_Constraints
Key_Constraints
Definition: pkix_enums.h:106
Botan::NO_CONSTRAINTS
@ NO_CONSTRAINTS
Definition: pkix_enums.h:107
Botan::make_uint16
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)
Definition: loadstor.h:54
hash
MechanismType hash
Definition: p11_mechanism.cpp:64
Generated by doxygen 1.9.3