10#include <botan/x509_ext.h>
11#include <botan/x509cert.h>
12#include <botan/der_enc.h>
13#include <botan/ber_dec.h>
14#include <botan/hash.h>
15#include <botan/internal/loadstor.h>
16#include <botan/internal/bit_ops.h>
25std::unique_ptr<Certificate_Extension>
26extension_from_oid(
const OID& oid)
29 return std::make_unique<Cert_Extension::Subject_Key_ID>();
32 return std::make_unique<Cert_Extension::Key_Usage>();
35 return std::make_unique<Cert_Extension::Subject_Alternative_Name>();
38 return std::make_unique<Cert_Extension::Issuer_Alternative_Name>();
41 return std::make_unique<Cert_Extension::Basic_Constraints>();
44 return std::make_unique<Cert_Extension::CRL_Number>();
47 return std::make_unique<Cert_Extension::CRL_ReasonCode>();
50 return std::make_unique<Cert_Extension::Authority_Key_ID>();
53 return std::make_unique<Cert_Extension::Name_Constraints>();
56 return std::make_unique<Cert_Extension::CRL_Distribution_Points>();
59 return std::make_unique<Cert_Extension::CRL_Issuing_Distribution_Point>();
62 return std::make_unique<Cert_Extension::Certificate_Policies>();
65 return std::make_unique<Cert_Extension::Extended_Key_Usage>();
68 return std::make_unique<Cert_Extension::Authority_Information_Access>();
78std::unique_ptr<Certificate_Extension>
79Extensions::create_extn_obj(
const OID& oid,
81 const std::vector<uint8_t>& body)
83 const std::string oid_str = oid.to_string();
85 std::unique_ptr<Certificate_Extension> extn = extension_from_oid(oid);
90 extn = std::make_unique<Cert_Extension::Unknown_Extension>(oid, critical);
95 extn->decode_inner(body);
97 catch(Decoding_Error&)
99 extn.reset(
new Cert_Extension::Unknown_Extension(oid, critical));
100 extn->decode_inner(body);
109 const std::vector<X509_Certificate>& ,
110 std::vector<std::set<Certificate_Status_Code>>& ,
121 if(m_extension_info.count(extn->oid_of()) > 0)
123 const std::string
name = extn->oid_name();
127 const OID oid = extn->oid_of();
128 Extensions_Info info(critical, std::move(extn));
129 m_extension_oids.push_back(oid);
130 m_extension_info.emplace(oid, info);
135 if(m_extension_info.count(extn->oid_of()) > 0)
140 const OID oid = extn->oid_of();
141 Extensions_Info info(critical, std::move(extn));
142 m_extension_oids.push_back(oid);
143 m_extension_info.emplace(oid, info);
149 const bool erased = m_extension_info.erase(oid) > 0;
153 m_extension_oids.erase(std::find(m_extension_oids.begin(), m_extension_oids.end(), oid));
164 const OID oid = extn->oid_of();
165 Extensions_Info info(critical, std::move(extn));
166 m_extension_oids.push_back(oid);
167 m_extension_info.emplace(oid, info);
172 return (m_extension_info.find(oid) != m_extension_info.end());
177 auto i = m_extension_info.find(oid);
178 if(i != m_extension_info.end())
179 return i->second.is_critical();
185 auto i = m_extension_info.find(oid);
186 if(i == m_extension_info.end())
187 throw Invalid_Argument(
"Extensions::get_extension_bits no such extension set");
189 return i->second.bits();
194 auto extn = m_extension_info.find(oid);
195 if(extn == m_extension_info.end())
198 return &extn->second.obj();
212 std::vector<std::pair<std::unique_ptr<Certificate_Extension>,
bool>> exts;
213 for(
auto&& ext : m_extension_info)
217 ext.second.obj().copy(),
218 ext.second.is_critical())
226 std::map<OID, std::pair<std::vector<uint8_t>,
bool>> out;
227 for(
auto&& ext : m_extension_info)
229 out.emplace(ext.first,
230 std::make_pair(ext.second.bits(),
231 ext.second.is_critical()));
241 for(
const auto& ext_info : m_extension_info)
243 const OID& oid = ext_info.first;
244 const bool should_encode = ext_info.second.obj().should_encode();
248 const bool is_critical = ext_info.second.is_critical();
249 const std::vector<uint8_t>& ext_value = ext_info.second.bits();
265 m_extension_oids.clear();
266 m_extension_info.clear();
274 std::vector<uint8_t> bits;
282 std::unique_ptr<Certificate_Extension> obj = create_extn_obj(oid, critical, bits);
283 Extensions_Info info(critical, bits, std::move(obj));
285 m_extension_oids.push_back(oid);
286 m_extension_info.emplace(oid, info);
291namespace Cert_Extension {
299 throw Invalid_State(
"Basic_Constraints::get_path_limit: Not a CA");
306std::vector<uint8_t> Basic_Constraints::encode_inner()
const
308 std::vector<uint8_t> output;
314 .encode_optional(m_path_limit, NO_CERT_PATH_LIMIT)
323void Basic_Constraints::decode_inner(
const std::vector<uint8_t>& in)
338std::vector<uint8_t> Key_Usage::encode_inner()
const
341 throw Encoding_Error(
"Cannot encode zero usage constraints");
343 const size_t unused_bits =
ctz(
static_cast<uint32_t
>(m_constraints));
345 std::vector<uint8_t> der;
347 der.push_back(2 + ((unused_bits < 8) ? 1 : 0));
348 der.push_back(unused_bits % 8);
349 der.push_back((m_constraints >> 8) & 0xFF);
350 if(m_constraints & 0xFF)
351 der.push_back(m_constraints & 0xFF);
359void Key_Usage::decode_inner(
const std::vector<uint8_t>& in)
363 BER_Object obj = ber.get_next_object();
367 if(obj.length() != 2 && obj.length() != 3)
368 throw BER_Decoding_Error(
"Bad size for BITSTRING in usage constraint");
372 const uint8_t* bits = obj.bits();
375 throw BER_Decoding_Error(
"Invalid unused bits in usage constraint");
377 const uint8_t mask =
static_cast<uint8_t
>(0xFF << bits[0]);
379 if(obj.length() == 2)
383 else if(obj.length() == 3)
394std::vector<uint8_t> Subject_Key_ID::encode_inner()
const
396 std::vector<uint8_t> output;
404void Subject_Key_ID::decode_inner(
const std::vector<uint8_t>& in)
416 m_key_id.resize(
hash->output_length());
418 hash->update(pub_key);
419 hash->final(m_key_id.data());
422 const size_t max_skid_len = (192 / 8);
423 if(m_key_id.size() > max_skid_len)
424 m_key_id.resize(max_skid_len);
430std::vector<uint8_t> Authority_Key_ID::encode_inner()
const
432 std::vector<uint8_t> output;
443void Authority_Key_ID::decode_inner(
const std::vector<uint8_t>& in)
453std::vector<uint8_t> Subject_Alternative_Name::encode_inner()
const
455 std::vector<uint8_t> output;
456 DER_Encoder(output).encode(m_alt_name);
463std::vector<uint8_t> Issuer_Alternative_Name::encode_inner()
const
465 std::vector<uint8_t> output;
466 DER_Encoder(output).encode(m_alt_name);
473void Subject_Alternative_Name::decode_inner(
const std::vector<uint8_t>& in)
475 BER_Decoder(in).
decode(m_alt_name);
481void Issuer_Alternative_Name::decode_inner(
const std::vector<uint8_t>& in)
483 BER_Decoder(in).
decode(m_alt_name);
489std::vector<uint8_t> Extended_Key_Usage::encode_inner()
const
491 std::vector<uint8_t> output;
502void Extended_Key_Usage::decode_inner(
const std::vector<uint8_t>& in)
510std::vector<uint8_t> Name_Constraints::encode_inner()
const
512 throw Not_Implemented(
"Name_Constraints encoding");
519void Name_Constraints::decode_inner(
const std::vector<uint8_t>& in)
521 std::vector<GeneralSubtree> permit, exclude;
523 BER_Decoder ext = ber.start_sequence();
524 BER_Object per = ext.get_next_object();
531 throw Encoding_Error(
"Empty Name Contraint list");
534 BER_Object exc = ext.get_next_object();
540 throw Encoding_Error(
"Empty Name Contraint list");
545 if(permit.empty() && exclude.empty())
546 throw Encoding_Error(
"Empty Name Contraint extension");
548 m_name_constraints = NameConstraints(std::move(permit),std::move(exclude));
552 const std::vector<X509_Certificate>& cert_path,
553 std::vector<std::set<Certificate_Status_Code>>& cert_status,
556 if(!m_name_constraints.
permitted().empty() || !m_name_constraints.
excluded().empty())
563 const bool issuer_name_constraint_critical =
567 for(
size_t j = 0; j < pos; ++j)
569 bool permitted = m_name_constraints.
permitted().empty();
572 for(
const auto& c: m_name_constraints.
permitted())
574 switch(c.base().matches(cert_path.at(j)))
576 case GeneralName::MatchResult::NotFound:
577 case GeneralName::MatchResult::All:
580 case GeneralName::MatchResult::UnknownType:
581 failed = issuer_name_constraint_critical;
589 for(
const auto& c: m_name_constraints.
excluded())
591 switch(c.base().matches(cert_path.at(j)))
593 case GeneralName::MatchResult::All:
594 case GeneralName::MatchResult::Some:
597 case GeneralName::MatchResult::UnknownType:
598 failed = issuer_name_constraint_critical;
605 if(failed || !permitted)
621 Policy_Information() =
default;
622 explicit Policy_Information(
const OID& oid) : m_oid(oid) {}
624 const OID& oid()
const {
return m_oid; }
626 void encode_into(DER_Encoder& codec)
const override
628 codec.start_sequence()
633 void decode_from(BER_Decoder& codec)
override
635 codec.start_sequence()
650std::vector<uint8_t> Certificate_Policies::encode_inner()
const
652 std::vector<Policy_Information> policies;
654 for(
const auto& oid : m_oids)
655 policies.push_back(Policy_Information(oid));
657 std::vector<uint8_t> output;
660 .encode_list(policies)
668void Certificate_Policies::decode_inner(
const std::vector<uint8_t>& in)
670 std::vector<Policy_Information> policies;
672 BER_Decoder(in).decode_list(policies);
674 for(
const auto& policy : policies)
675 m_oids.push_back(policy.oid());
681 const std::vector<X509_Certificate>& ,
682 std::vector<std::set<Certificate_Status_Code>>& cert_status,
685 std::set<OID> oid_set(m_oids.begin(), m_oids.end());
686 if(oid_set.size() != m_oids.size())
692std::vector<uint8_t> Authority_Information_Access::encode_inner()
const
696 std::vector<uint8_t> output;
707void Authority_Information_Access::decode_inner(
const std::vector<uint8_t>& in)
758 return std::make_unique<CRL_Number>(m_crl_number);
764std::vector<uint8_t> CRL_Number::encode_inner()
const
766 std::vector<uint8_t> output;
774void CRL_Number::decode_inner(
const std::vector<uint8_t>& in)
783std::vector<uint8_t> CRL_ReasonCode::encode_inner()
const
785 std::vector<uint8_t> output;
793void CRL_ReasonCode::decode_inner(
const std::vector<uint8_t>& in)
795 size_t reason_code = 0;
797 m_reason =
static_cast<CRL_Code>(reason_code);
800std::vector<uint8_t> CRL_Distribution_Points::encode_inner()
const
802 throw Not_Implemented(
"CRL_Distribution_Points encoding");
805void CRL_Distribution_Points::decode_inner(
const std::vector<uint8_t>& buf)
808 .decode_list(m_distribution_points)
811 std::stringstream ss;
813 for(
const auto& distribution_point : m_distribution_points)
815 auto contents = distribution_point.point().contents();
817 for(
const auto& pair : contents)
819 ss << pair.first <<
": " << pair.second <<
" ";
823 m_crl_distribution_urls.push_back(ss.str());
841std::vector<uint8_t> CRL_Issuing_Distribution_Point::encode_inner()
const
846void CRL_Issuing_Distribution_Point::decode_inner(
const std::vector<uint8_t>& buf)
851std::vector<uint8_t> Unknown_Extension::encode_inner()
const
856void Unknown_Extension::decode_inner(
const std::vector<uint8_t>& bytes)
BER_Object get_next_object()
BER_Decoder & decode(bool &out)
BER_Decoder & verify_end()
BER_Decoder & decode_list(std::vector< T > &out, ASN1_Type type_tag=ASN1_Type::Sequence, ASN1_Class class_tag=ASN1_Class::Universal)
BER_Decoder start_sequence()
BER_Decoder start_context_specific(uint32_t tag)
BER_Decoder & decode_optional(T &out, ASN1_Type type_tag, ASN1_Class class_tag, const T &default_value=T())
BER_Decoder & decode_optional_string(std::vector< uint8_t, Alloc > &out, ASN1_Type real_type, uint32_t expected_tag, ASN1_Class class_tag=ASN1_Class::ContextSpecific)
BER_Decoder & decode_optional_implicit(T &out, ASN1_Type type_tag, ASN1_Class class_tag, ASN1_Type real_type, ASN1_Class real_class, const T &default_value=T())
size_t get_path_limit() const
void decode_from(BER_Decoder &) override
void encode_into(DER_Encoder &) const override
size_t get_crl_number() const
std::unique_ptr< Certificate_Extension > copy() const override
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< X509_Certificate > &cert_path, std::vector< std::set< Certificate_Status_Code > > &cert_status, size_t pos) override
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< X509_Certificate > &cert_path, std::vector< std::set< Certificate_Status_Code > > &cert_status, size_t pos) override
virtual void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< X509_Certificate > &cert_path, std::vector< std::set< Certificate_Status_Code > > &cert_status, size_t pos)
DER_Encoder & add_object(ASN1_Type type_tag, ASN1_Class class_tag, const uint8_t rep[], size_t length)
DER_Encoder & encode_optional(const T &value, const T &default_value)
DER_Encoder & start_sequence()
DER_Encoder & encode_if(bool pred, DER_Encoder &enc)
DER_Encoder & encode(bool b)
const Certificate_Extension * get_extension_object(const OID &oid) const
std::map< OID, std::pair< std::vector< uint8_t >, bool > > extensions_raw() const
std::unique_ptr< Certificate_Extension > get(const OID &oid) const
void decode_from(BER_Decoder &) override
bool remove(const OID &oid)
std::vector< uint8_t > get_extension_bits(const OID &oid) const
bool critical_extension_set(const OID &oid) const
std::vector< std::pair< std::unique_ptr< Certificate_Extension >, bool > > extensions() const
void encode_into(DER_Encoder &) const override
void replace(std::unique_ptr< Certificate_Extension > extn, bool critical=false)
bool add_new(std::unique_ptr< Certificate_Extension > extn, bool critical=false)
bool extension_set(const OID &oid) const
void add(std::unique_ptr< Certificate_Extension > extn, bool critical=false)
static std::unique_ptr< HashFunction > create_or_throw(const std::string &algo_spec, const std::string &provider="")
const std::vector< GeneralSubtree > & permitted() const
const std::vector< GeneralSubtree > & excluded() const
static OID from_string(const std::string &str)
bool is_critical(const std::string &ex_name) const
int(* final)(unsigned char *, CTX *)
std::string to_string(const BER_Object &obj)
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
constexpr size_t ctz(T n)
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)