Botan 3.0.0-alpha0
Crypto and TLS for C&
x509_ext.cpp
Go to the documentation of this file.
1/*
2* X.509 Certificate Extensions
3* (C) 1999-2010,2012 Jack Lloyd
4* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity
5* (C) 2017 Fabian Weissberg, Rohde & Schwarz Cybersecurity
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/x509_ext.h>
11#include <botan/x509cert.h>
12#include <botan/der_enc.h>
13#include <botan/ber_dec.h>
14#include <botan/hash.h>
15#include <botan/internal/loadstor.h>
16#include <botan/internal/bit_ops.h>
17#include <algorithm>
18#include <set>
19#include <sstream>
20
21namespace Botan {
22
23namespace {
24
25std::unique_ptr<Certificate_Extension>
26extension_from_oid(const OID& oid)
27 {
29 return std::make_unique<Cert_Extension::Subject_Key_ID>();
30
32 return std::make_unique<Cert_Extension::Key_Usage>();
33
35 return std::make_unique<Cert_Extension::Subject_Alternative_Name>();
36
38 return std::make_unique<Cert_Extension::Issuer_Alternative_Name>();
39
41 return std::make_unique<Cert_Extension::Basic_Constraints>();
42
44 return std::make_unique<Cert_Extension::CRL_Number>();
45
47 return std::make_unique<Cert_Extension::CRL_ReasonCode>();
48
50 return std::make_unique<Cert_Extension::Authority_Key_ID>();
51
53 return std::make_unique<Cert_Extension::Name_Constraints>();
54
56 return std::make_unique<Cert_Extension::CRL_Distribution_Points>();
57
59 return std::make_unique<Cert_Extension::CRL_Issuing_Distribution_Point>();
60
62 return std::make_unique<Cert_Extension::Certificate_Policies>();
63
65 return std::make_unique<Cert_Extension::Extended_Key_Usage>();
66
68 return std::make_unique<Cert_Extension::Authority_Information_Access>();
69
70 return nullptr; // unknown
71 }
72
73}
74
75/*
76* Create a Certificate_Extension object of some kind to handle
77*/
78std::unique_ptr<Certificate_Extension>
79Extensions::create_extn_obj(const OID& oid,
80 bool critical,
81 const std::vector<uint8_t>& body)
82 {
83 const std::string oid_str = oid.to_string();
84
85 std::unique_ptr<Certificate_Extension> extn = extension_from_oid(oid);
86
87 if(!extn)
88 {
89 // some other unknown extension type
90 extn = std::make_unique<Cert_Extension::Unknown_Extension>(oid, critical);
91 }
92
93 try
94 {
95 extn->decode_inner(body);
96 }
97 catch(Decoding_Error&)
98 {
99 extn.reset(new Cert_Extension::Unknown_Extension(oid, critical));
100 extn->decode_inner(body);
101 }
102 return extn;
103 }
104
105/*
106* Validate the extension (the default implementation is a NOP)
107*/
108void Certificate_Extension::validate(const X509_Certificate& /*unused*/, const X509_Certificate& /*unused*/,
109 const std::vector<X509_Certificate>& /*unused*/,
110 std::vector<std::set<Certificate_Status_Code>>& /*unused*/,
111 size_t /*unused*/)
112 {
113 }
114
115/*
116* Add a new cert
117*/
118void Extensions::add(std::unique_ptr<Certificate_Extension> extn, bool critical)
119 {
120 // sanity check: we don't want to have the same extension more than once
121 if(m_extension_info.count(extn->oid_of()) > 0)
122 {
123 const std::string name = extn->oid_name();
124 throw Invalid_Argument("Extension " + name + " already present in Extensions::add");
125 }
126
127 const OID oid = extn->oid_of();
128 Extensions_Info info(critical, std::move(extn));
129 m_extension_oids.push_back(oid);
130 m_extension_info.emplace(oid, info);
131 }
132
133bool Extensions::add_new(std::unique_ptr<Certificate_Extension> extn, bool critical)
134 {
135 if(m_extension_info.count(extn->oid_of()) > 0)
136 {
137 return false; // already exists
138 }
139
140 const OID oid = extn->oid_of();
141 Extensions_Info info(critical, std::move(extn));
142 m_extension_oids.push_back(oid);
143 m_extension_info.emplace(oid, info);
144 return true;
145 }
146
147bool Extensions::remove(const OID& oid)
148 {
149 const bool erased = m_extension_info.erase(oid) > 0;
150
151 if(erased)
152 {
153 m_extension_oids.erase(std::find(m_extension_oids.begin(), m_extension_oids.end(), oid));
154 }
155
156 return erased;
157 }
158
159void Extensions::replace(std::unique_ptr<Certificate_Extension> extn, bool critical)
160 {
161 // Remove it if it existed
162 remove(extn->oid_of());
163
164 const OID oid = extn->oid_of();
165 Extensions_Info info(critical, std::move(extn));
166 m_extension_oids.push_back(oid);
167 m_extension_info.emplace(oid, info);
168 }
169
170bool Extensions::extension_set(const OID& oid) const
171 {
172 return (m_extension_info.find(oid) != m_extension_info.end());
173 }
174
176 {
177 auto i = m_extension_info.find(oid);
178 if(i != m_extension_info.end())
179 return i->second.is_critical();
180 return false;
181 }
182
183std::vector<uint8_t> Extensions::get_extension_bits(const OID& oid) const
184 {
185 auto i = m_extension_info.find(oid);
186 if(i == m_extension_info.end())
187 throw Invalid_Argument("Extensions::get_extension_bits no such extension set");
188
189 return i->second.bits();
190 }
191
193 {
194 auto extn = m_extension_info.find(oid);
195 if(extn == m_extension_info.end())
196 return nullptr;
197
198 return &extn->second.obj();
199 }
200
201std::unique_ptr<Certificate_Extension> Extensions::get(const OID& oid) const
202 {
203 if(const Certificate_Extension* ext = this->get_extension_object(oid))
204 {
205 return ext->copy();
206 }
207 return nullptr;
208 }
209
210std::vector<std::pair<std::unique_ptr<Certificate_Extension>, bool>> Extensions::extensions() const
211 {
212 std::vector<std::pair<std::unique_ptr<Certificate_Extension>, bool>> exts;
213 for(auto&& ext : m_extension_info)
214 {
215 exts.push_back(
216 std::make_pair(
217 ext.second.obj().copy(),
218 ext.second.is_critical())
219 );
220 }
221 return exts;
222 }
223
224std::map<OID, std::pair<std::vector<uint8_t>, bool>> Extensions::extensions_raw() const
225 {
226 std::map<OID, std::pair<std::vector<uint8_t>, bool>> out;
227 for(auto&& ext : m_extension_info)
228 {
229 out.emplace(ext.first,
230 std::make_pair(ext.second.bits(),
231 ext.second.is_critical()));
232 }
233 return out;
234 }
235
236/*
237* Encode an Extensions list
238*/
240 {
241 for(const auto& ext_info : m_extension_info)
242 {
243 const OID& oid = ext_info.first;
244 const bool should_encode = ext_info.second.obj().should_encode();
245
246 if(should_encode)
247 {
248 const bool is_critical = ext_info.second.is_critical();
249 const std::vector<uint8_t>& ext_value = ext_info.second.bits();
250
251 to_object.start_sequence()
252 .encode(oid)
253 .encode_optional(is_critical, false)
254 .encode(ext_value, ASN1_Type::OctetString)
255 .end_cons();
256 }
257 }
258 }
259
260/*
261* Decode a list of Extensions
262*/
264 {
265 m_extension_oids.clear();
266 m_extension_info.clear();
267
268 BER_Decoder sequence = from_source.start_sequence();
269
270 while(sequence.more_items())
271 {
272 OID oid;
273 bool critical;
274 std::vector<uint8_t> bits;
275
276 sequence.start_sequence()
277 .decode(oid)
280 .end_cons();
281
282 std::unique_ptr<Certificate_Extension> obj = create_extn_obj(oid, critical, bits);
283 Extensions_Info info(critical, bits, std::move(obj));
284
285 m_extension_oids.push_back(oid);
286 m_extension_info.emplace(oid, info);
287 }
288 sequence.verify_end();
289 }
290
291namespace Cert_Extension {
292
293/*
294* Checked accessor for the path_limit member
295*/
297 {
298 if(!m_is_ca)
299 throw Invalid_State("Basic_Constraints::get_path_limit: Not a CA");
300 return m_path_limit;
301 }
302
303/*
304* Encode the extension
305*/
306std::vector<uint8_t> Basic_Constraints::encode_inner() const
307 {
308 std::vector<uint8_t> output;
309 DER_Encoder(output)
311 .encode_if(m_is_ca,
313 .encode(m_is_ca)
314 .encode_optional(m_path_limit, NO_CERT_PATH_LIMIT)
315 )
316 .end_cons();
317 return output;
318 }
319
320/*
321* Decode the extension
322*/
323void Basic_Constraints::decode_inner(const std::vector<uint8_t>& in)
324 {
325 BER_Decoder(in)
328 .decode_optional(m_path_limit, ASN1_Type::Integer, ASN1_Class::Universal, NO_CERT_PATH_LIMIT)
329 .end_cons();
330
331 if(m_is_ca == false)
332 m_path_limit = 0;
333 }
334
335/*
336* Encode the extension
337*/
338std::vector<uint8_t> Key_Usage::encode_inner() const
339 {
340 if(m_constraints == NO_CONSTRAINTS)
341 throw Encoding_Error("Cannot encode zero usage constraints");
342
343 const size_t unused_bits = ctz(static_cast<uint32_t>(m_constraints));
344
345 std::vector<uint8_t> der;
346 der.push_back(static_cast<uint8_t>(ASN1_Type::BitString));
347 der.push_back(2 + ((unused_bits < 8) ? 1 : 0));
348 der.push_back(unused_bits % 8);
349 der.push_back((m_constraints >> 8) & 0xFF);
350 if(m_constraints & 0xFF)
351 der.push_back(m_constraints & 0xFF);
352
353 return der;
354 }
355
356/*
357* Decode the extension
358*/
359void Key_Usage::decode_inner(const std::vector<uint8_t>& in)
360 {
361 BER_Decoder ber(in);
362
363 BER_Object obj = ber.get_next_object();
364
365 obj.assert_is_a(ASN1_Type::BitString, ASN1_Class::Universal, "usage constraint");
366
367 if(obj.length() != 2 && obj.length() != 3)
368 throw BER_Decoding_Error("Bad size for BITSTRING in usage constraint");
369
370 uint16_t usage = 0;
371
372 const uint8_t* bits = obj.bits();
373
374 if(bits[0] >= 8)
375 throw BER_Decoding_Error("Invalid unused bits in usage constraint");
376
377 const uint8_t mask = static_cast<uint8_t>(0xFF << bits[0]);
378
379 if(obj.length() == 2)
380 {
381 usage = make_uint16(bits[1] & mask, 0);
382 }
383 else if(obj.length() == 3)
384 {
385 usage = make_uint16(bits[1], bits[2] & mask);
386 }
387
388 m_constraints = Key_Constraints(usage);
389 }
390
391/*
392* Encode the extension
393*/
394std::vector<uint8_t> Subject_Key_ID::encode_inner() const
395 {
396 std::vector<uint8_t> output;
397 DER_Encoder(output).encode(m_key_id, ASN1_Type::OctetString);
398 return output;
399 }
400
401/*
402* Decode the extension
403*/
404void Subject_Key_ID::decode_inner(const std::vector<uint8_t>& in)
405 {
406 BER_Decoder(in).decode(m_key_id, ASN1_Type::OctetString).verify_end();
407 }
408
409/*
410* Subject_Key_ID Constructor
411*/
412Subject_Key_ID::Subject_Key_ID(const std::vector<uint8_t>& pub_key, const std::string& hash_name)
413 {
414 std::unique_ptr<HashFunction> hash(HashFunction::create_or_throw(hash_name));
415
416 m_key_id.resize(hash->output_length());
417
418 hash->update(pub_key);
419 hash->final(m_key_id.data());
420
421 // Truncate longer hashes, 192 bits here seems plenty
422 const size_t max_skid_len = (192 / 8);
423 if(m_key_id.size() > max_skid_len)
424 m_key_id.resize(max_skid_len);
425 }
426
427/*
428* Encode the extension
429*/
430std::vector<uint8_t> Authority_Key_ID::encode_inner() const
431 {
432 std::vector<uint8_t> output;
433 DER_Encoder(output)
436 .end_cons();
437 return output;
438 }
439
440/*
441* Decode the extension
442*/
443void Authority_Key_ID::decode_inner(const std::vector<uint8_t>& in)
444 {
445 BER_Decoder(in)
448 }
449
450/*
451* Encode the extension
452*/
453std::vector<uint8_t> Subject_Alternative_Name::encode_inner() const
454 {
455 std::vector<uint8_t> output;
456 DER_Encoder(output).encode(m_alt_name);
457 return output;
458 }
459
460/*
461* Encode the extension
462*/
463std::vector<uint8_t> Issuer_Alternative_Name::encode_inner() const
464 {
465 std::vector<uint8_t> output;
466 DER_Encoder(output).encode(m_alt_name);
467 return output;
468 }
469
470/*
471* Decode the extension
472*/
473void Subject_Alternative_Name::decode_inner(const std::vector<uint8_t>& in)
474 {
475 BER_Decoder(in).decode(m_alt_name);
476 }
477
478/*
479* Decode the extension
480*/
481void Issuer_Alternative_Name::decode_inner(const std::vector<uint8_t>& in)
482 {
483 BER_Decoder(in).decode(m_alt_name);
484 }
485
486/*
487* Encode the extension
488*/
489std::vector<uint8_t> Extended_Key_Usage::encode_inner() const
490 {
491 std::vector<uint8_t> output;
492 DER_Encoder(output)
494 .encode_list(m_oids)
495 .end_cons();
496 return output;
497 }
498
499/*
500* Decode the extension
501*/
502void Extended_Key_Usage::decode_inner(const std::vector<uint8_t>& in)
503 {
504 BER_Decoder(in).decode_list(m_oids);
505 }
506
507/*
508* Encode the extension
509*/
510std::vector<uint8_t> Name_Constraints::encode_inner() const
511 {
512 throw Not_Implemented("Name_Constraints encoding");
513 }
514
515
516/*
517* Decode the extension
518*/
519void Name_Constraints::decode_inner(const std::vector<uint8_t>& in)
520 {
521 std::vector<GeneralSubtree> permit, exclude;
522 BER_Decoder ber(in);
523 BER_Decoder ext = ber.start_sequence();
524 BER_Object per = ext.get_next_object();
525
526 ext.push_back(per);
528 {
530 if(permit.empty())
531 throw Encoding_Error("Empty Name Contraint list");
532 }
533
534 BER_Object exc = ext.get_next_object();
535 ext.push_back(exc);
537 {
538 ext.decode_list(exclude, ASN1_Type(1), ASN1_Class::Constructed | ASN1_Class::ContextSpecific);
539 if(exclude.empty())
540 throw Encoding_Error("Empty Name Contraint list");
541 }
542
543 ext.end_cons();
544
545 if(permit.empty() && exclude.empty())
546 throw Encoding_Error("Empty Name Contraint extension");
547
548 m_name_constraints = NameConstraints(std::move(permit),std::move(exclude));
549 }
550
552 const std::vector<X509_Certificate>& cert_path,
553 std::vector<std::set<Certificate_Status_Code>>& cert_status,
554 size_t pos)
555 {
556 if(!m_name_constraints.permitted().empty() || !m_name_constraints.excluded().empty())
557 {
558 if(!subject.is_CA_cert())
559 {
560 cert_status.at(pos).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
561 }
562
563 const bool issuer_name_constraint_critical =
564 issuer.is_critical("X509v3.NameConstraints");
565
566 // Check that all subordinate certs pass the name constraint
567 for(size_t j = 0; j < pos; ++j)
568 {
569 bool permitted = m_name_constraints.permitted().empty();
570 bool failed = false;
571
572 for(const auto& c: m_name_constraints.permitted())
573 {
574 switch(c.base().matches(cert_path.at(j)))
575 {
576 case GeneralName::MatchResult::NotFound:
577 case GeneralName::MatchResult::All:
578 permitted = true;
579 break;
580 case GeneralName::MatchResult::UnknownType:
581 failed = issuer_name_constraint_critical;
582 permitted = true;
583 break;
584 default:
585 break;
586 }
587 }
588
589 for(const auto& c: m_name_constraints.excluded())
590 {
591 switch(c.base().matches(cert_path.at(j)))
592 {
593 case GeneralName::MatchResult::All:
594 case GeneralName::MatchResult::Some:
595 failed = true;
596 break;
597 case GeneralName::MatchResult::UnknownType:
598 failed = issuer_name_constraint_critical;
599 break;
600 default:
601 break;
602 }
603 }
604
605 if(failed || !permitted)
606 {
607 cert_status.at(j).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
608 }
609 }
610 }
611 }
612
613namespace {
614
615/*
616* A policy specifier
617*/
618class Policy_Information final : public ASN1_Object
619 {
620 public:
621 Policy_Information() = default;
622 explicit Policy_Information(const OID& oid) : m_oid(oid) {}
623
624 const OID& oid() const { return m_oid; }
625
626 void encode_into(DER_Encoder& codec) const override
627 {
628 codec.start_sequence()
629 .encode(m_oid)
630 .end_cons();
631 }
632
633 void decode_from(BER_Decoder& codec) override
634 {
635 codec.start_sequence()
636 .decode(m_oid)
637 .discard_remaining()
638 .end_cons();
639 }
640
641 private:
642 OID m_oid;
643 };
644
645}
646
647/*
648* Encode the extension
649*/
650std::vector<uint8_t> Certificate_Policies::encode_inner() const
651 {
652 std::vector<Policy_Information> policies;
653
654 for(const auto& oid : m_oids)
655 policies.push_back(Policy_Information(oid));
656
657 std::vector<uint8_t> output;
658 DER_Encoder(output)
659 .start_sequence()
660 .encode_list(policies)
661 .end_cons();
662 return output;
663 }
664
665/*
666* Decode the extension
667*/
668void Certificate_Policies::decode_inner(const std::vector<uint8_t>& in)
669 {
670 std::vector<Policy_Information> policies;
671
672 BER_Decoder(in).decode_list(policies);
673 m_oids.clear();
674 for(const auto& policy : policies)
675 m_oids.push_back(policy.oid());
676 }
677
679 const X509_Certificate& /*subject*/,
680 const X509_Certificate& /*issuer*/,
681 const std::vector<X509_Certificate>& /*cert_path*/,
682 std::vector<std::set<Certificate_Status_Code>>& cert_status,
683 size_t pos)
684 {
685 std::set<OID> oid_set(m_oids.begin(), m_oids.end());
686 if(oid_set.size() != m_oids.size())
687 {
688 cert_status.at(pos).insert(Certificate_Status_Code::DUPLICATE_CERT_POLICY);
689 }
690 }
691
692std::vector<uint8_t> Authority_Information_Access::encode_inner() const
693 {
694 ASN1_String url(m_ocsp_responder, ASN1_Type::Ia5String);
695
696 std::vector<uint8_t> output;
697 DER_Encoder(output)
700 .encode(OID::from_string("PKIX.OCSP"))
702 .end_cons()
703 .end_cons();
704 return output;
705 }
706
707void Authority_Information_Access::decode_inner(const std::vector<uint8_t>& in)
708 {
710
711 while(ber.more_items())
712 {
713 OID oid;
714
715 BER_Decoder info = ber.start_sequence();
716
717 info.decode(oid);
718
719 if(oid == OID::from_string("PKIX.OCSP"))
720 {
722
724 {
725 m_ocsp_responder = ASN1::to_string(name);
726 }
727
728 }
729 if(oid == OID::from_string("PKIX.CertificateAuthorityIssuers"))
730 {
731 BER_Object name = info.get_next_object();
732
734 {
735 m_ca_issuers.push_back(ASN1::to_string(name));
736 }
737 }
738 }
739 }
740
741/*
742* Checked accessor for the crl_number member
743*/
745 {
746 if(!m_has_value)
747 throw Invalid_State("CRL_Number::get_crl_number: Not set");
748 return m_crl_number;
749 }
750
751/*
752* Copy a CRL_Number extension
753*/
754std::unique_ptr<Certificate_Extension> CRL_Number::copy() const
755 {
756 if(!m_has_value)
757 throw Invalid_State("CRL_Number::copy: Not set");
758 return std::make_unique<CRL_Number>(m_crl_number);
759 }
760
761/*
762* Encode the extension
763*/
764std::vector<uint8_t> CRL_Number::encode_inner() const
765 {
766 std::vector<uint8_t> output;
767 DER_Encoder(output).encode(m_crl_number);
768 return output;
769 }
770
771/*
772* Decode the extension
773*/
774void CRL_Number::decode_inner(const std::vector<uint8_t>& in)
775 {
776 BER_Decoder(in).decode(m_crl_number);
777 m_has_value = true;
778 }
779
780/*
781* Encode the extension
782*/
783std::vector<uint8_t> CRL_ReasonCode::encode_inner() const
784 {
785 std::vector<uint8_t> output;
786 DER_Encoder(output).encode(static_cast<size_t>(m_reason), ASN1_Type::Enumerated, ASN1_Class::Universal);
787 return output;
788 }
789
790/*
791* Decode the extension
792*/
793void CRL_ReasonCode::decode_inner(const std::vector<uint8_t>& in)
794 {
795 size_t reason_code = 0;
796 BER_Decoder(in).decode(reason_code, ASN1_Type::Enumerated, ASN1_Class::Universal);
797 m_reason = static_cast<CRL_Code>(reason_code);
798 }
799
800std::vector<uint8_t> CRL_Distribution_Points::encode_inner() const
801 {
802 throw Not_Implemented("CRL_Distribution_Points encoding");
803 }
804
805void CRL_Distribution_Points::decode_inner(const std::vector<uint8_t>& buf)
806 {
807 BER_Decoder(buf)
808 .decode_list(m_distribution_points)
809 .verify_end();
810
811 std::stringstream ss;
812
813 for(const auto& distribution_point : m_distribution_points)
814 {
815 auto contents = distribution_point.point().contents();
816
817 for(const auto& pair : contents)
818 {
819 ss << pair.first << ": " << pair.second << " ";
820 }
821 }
822
823 m_crl_distribution_urls.push_back(ss.str());
824 }
825
827 {
828 throw Not_Implemented("CRL_Distribution_Points encoding");
829 }
830
832 {
833 ber.start_sequence()
838 .end_cons().end_cons();
839 }
840
841std::vector<uint8_t> CRL_Issuing_Distribution_Point::encode_inner() const
842 {
843 throw Not_Implemented("CRL_Issuing_Distribution_Point encoding");
844 }
845
846void CRL_Issuing_Distribution_Point::decode_inner(const std::vector<uint8_t>& buf)
847 {
848 BER_Decoder(buf).decode(m_distribution_point).verify_end();
849 }
850
851std::vector<uint8_t> Unknown_Extension::encode_inner() const
852 {
853 return m_bytes;
854 }
855
856void Unknown_Extension::decode_inner(const std::vector<uint8_t>& bytes)
857 {
858 // Just treat as an opaque blob at this level
859 m_bytes = bytes;
860 }
861
862}
863
864}
BER_Object get_next_object()
Definition: ber_dec.cpp:239
BER_Decoder & decode(bool &out)
Definition: ber_dec.h:187
bool more_items() const
Definition: ber_dec.cpp:200
BER_Decoder & verify_end()
Definition: ber_dec.cpp:210
BER_Decoder & end_cons()
Definition: ber_dec.cpp:303
BER_Decoder & decode_list(std::vector< T > &out, ASN1_Type type_tag=ASN1_Type::Sequence, ASN1_Class class_tag=ASN1_Class::Universal)
Definition: ber_dec.h:426
BER_Decoder start_sequence()
Definition: ber_dec.h:111
BER_Decoder start_context_specific(uint32_t tag)
Definition: ber_dec.h:121
BER_Decoder & decode_optional(T &out, ASN1_Type type_tag, ASN1_Class class_tag, const T &default_value=T())
Definition: ber_dec.h:365
BER_Decoder & decode_optional_string(std::vector< uint8_t, Alloc > &out, ASN1_Type real_type, uint32_t expected_tag, ASN1_Class class_tag=ASN1_Class::ContextSpecific)
Definition: ber_dec.h:310
BER_Decoder & decode_optional_implicit(T &out, ASN1_Type type_tag, ASN1_Class class_tag, ASN1_Type real_type, ASN1_Class real_class, const T &default_value=T())
Definition: ber_dec.h:397
std::unique_ptr< Certificate_Extension > copy() const override
Definition: x509_ext.cpp:754
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< X509_Certificate > &cert_path, std::vector< std::set< Certificate_Status_Code > > &cert_status, size_t pos) override
Definition: x509_ext.cpp:678
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< X509_Certificate > &cert_path, std::vector< std::set< Certificate_Status_Code > > &cert_status, size_t pos) override
Definition: x509_ext.cpp:551
virtual void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< X509_Certificate > &cert_path, std::vector< std::set< Certificate_Status_Code > > &cert_status, size_t pos)
Definition: x509_ext.cpp:108
DER_Encoder & add_object(ASN1_Type type_tag, ASN1_Class class_tag, const uint8_t rep[], size_t length)
Definition: der_enc.cpp:252
DER_Encoder & encode_optional(const T &value, const T &default_value)
Definition: der_enc.h:141
DER_Encoder & start_sequence()
Definition: der_enc.h:66
DER_Encoder & encode_if(bool pred, DER_Encoder &enc)
Definition: der_enc.h:164
DER_Encoder & end_cons()
Definition: der_enc.cpp:194
DER_Encoder & encode(bool b)
Definition: der_enc.cpp:288
const Certificate_Extension * get_extension_object(const OID &oid) const
Definition: x509_ext.cpp:192
std::map< OID, std::pair< std::vector< uint8_t >, bool > > extensions_raw() const
Definition: x509_ext.cpp:224
std::unique_ptr< Certificate_Extension > get(const OID &oid) const
Definition: x509_ext.cpp:201
void decode_from(BER_Decoder &) override
Definition: x509_ext.cpp:263
bool remove(const OID &oid)
Definition: x509_ext.cpp:147
std::vector< uint8_t > get_extension_bits(const OID &oid) const
Definition: x509_ext.cpp:183
bool critical_extension_set(const OID &oid) const
Definition: x509_ext.cpp:175
std::vector< std::pair< std::unique_ptr< Certificate_Extension >, bool > > extensions() const
Definition: x509_ext.cpp:210
void encode_into(DER_Encoder &) const override
Definition: x509_ext.cpp:239
void replace(std::unique_ptr< Certificate_Extension > extn, bool critical=false)
Definition: x509_ext.cpp:159
bool add_new(std::unique_ptr< Certificate_Extension > extn, bool critical=false)
Definition: x509_ext.cpp:133
bool extension_set(const OID &oid) const
Definition: x509_ext.cpp:170
void add(std::unique_ptr< Certificate_Extension > extn, bool critical=false)
Definition: x509_ext.cpp:118
static std::unique_ptr< HashFunction > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:312
const std::vector< GeneralSubtree > & permitted() const
Definition: pkix_types.h:334
const std::vector< GeneralSubtree > & excluded() const
Definition: pkix_types.h:339
static OID from_string(const std::string &str)
Definition: asn1_oid.cpp:61
bool is_CA_cert() const
Definition: x509cert.cpp:480
bool is_critical(const std::string &ex_name) const
Definition: x509cert.cpp:592
std::string name
int(* final)(unsigned char *, CTX *)
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:209
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
Definition: pem.cpp:41
Definition: alg_id.cpp:13
constexpr size_t ctz(T n)
Definition: bit_ops.h:99
ASN1_Type
Definition: asn1_obj.h:39
Key_Constraints
Definition: pkix_enums.h:102
@ NO_CONSTRAINTS
Definition: pkix_enums.h:103
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)
Definition: loadstor.h:65
MechanismType hash