Botan  2.18.1
Crypto and TLS for C++11
x509_ext.cpp
Go to the documentation of this file.
1 /*
2 * X.509 Certificate Extensions
3 * (C) 1999-2010,2012 Jack Lloyd
4 * (C) 2016 RenĂ© Korthaus, Rohde & Schwarz Cybersecurity
5 * (C) 2017 Fabian Weissberg, Rohde & Schwarz Cybersecurity
6 *
7 * Botan is released under the Simplified BSD License (see license.txt)
8 */
9 
10 #include <botan/x509_ext.h>
11 #include <botan/x509cert.h>
12 #include <botan/datastor.h>
13 #include <botan/der_enc.h>
14 #include <botan/ber_dec.h>
15 #include <botan/hash.h>
16 #include <botan/loadstor.h>
17 #include <botan/internal/bit_ops.h>
18 #include <algorithm>
19 #include <set>
20 #include <sstream>
21 
22 namespace Botan {
23 
24 /*
25 * Create a Certificate_Extension object of some kind to handle
26 */
27 std::unique_ptr<Certificate_Extension>
28 Extensions::create_extn_obj(const OID& oid,
29  bool critical,
30  const std::vector<uint8_t>& body)
31  {
32  const std::string oid_str = oid.to_string();
33 
34  std::unique_ptr<Certificate_Extension> extn;
35 
37  {
38  extn.reset(new Cert_Extension::Subject_Key_ID);
39  }
41  {
42  extn.reset(new Cert_Extension::Key_Usage);
43  }
45  {
46  extn.reset(new Cert_Extension::Subject_Alternative_Name);
47  }
49  {
50  extn.reset(new Cert_Extension::Issuer_Alternative_Name);
51  }
53  {
54  extn.reset(new Cert_Extension::Basic_Constraints);
55  }
57  {
58  extn.reset(new Cert_Extension::CRL_Number);
59  }
61  {
62  extn.reset(new Cert_Extension::CRL_ReasonCode);
63  }
65  {
66  extn.reset(new Cert_Extension::Authority_Key_ID);
67  }
69  {
70  extn.reset(new Cert_Extension::Name_Constraints);
71  }
73  {
74  extn.reset(new Cert_Extension::CRL_Distribution_Points);
75  }
77  {
78  extn.reset(new Cert_Extension::CRL_Issuing_Distribution_Point);
79  }
81  {
82  extn.reset(new Cert_Extension::Certificate_Policies);
83  }
85  {
86  extn.reset(new Cert_Extension::Extended_Key_Usage);
87  }
89  {
90  extn.reset(new Cert_Extension::Authority_Information_Access);
91  }
92  else
93  {
94  // some other unknown extension type
95  extn.reset(new Cert_Extension::Unknown_Extension(oid, critical));
96  }
97 
98  try
99  {
100  extn->decode_inner(body);
101  }
102  catch(Decoding_Error&)
103  {
104  extn.reset(new Cert_Extension::Unknown_Extension(oid, critical));
105  extn->decode_inner(body);
106  }
107  return extn;
108  }
109 
110 /*
111 * Validate the extension (the default implementation is a NOP)
112 */
114  const std::vector<std::shared_ptr<const X509_Certificate>>&,
115  std::vector<std::set<Certificate_Status_Code>>&,
116  size_t)
117  {
118  }
119 
120 /*
121 * Add a new cert
122 */
123 void Extensions::add(Certificate_Extension* extn, bool critical)
124  {
125  // sanity check: we don't want to have the same extension more than once
126  if(m_extension_info.count(extn->oid_of()) > 0)
127  {
128  const std::string name = extn->oid_name();
129  delete extn;
130  throw Invalid_Argument("Extension " + name + " already present in Extensions::add");
131  }
132 
133  const OID oid = extn->oid_of();
134  Extensions_Info info(critical, extn);
135  m_extension_oids.push_back(oid);
136  m_extension_info.emplace(oid, info);
137  }
138 
139 bool Extensions::add_new(Certificate_Extension* extn, bool critical)
140  {
141  if(m_extension_info.count(extn->oid_of()) > 0)
142  {
143  delete extn;
144  return false; // already exists
145  }
146 
147  const OID oid = extn->oid_of();
148  Extensions_Info info(critical, extn);
149  m_extension_oids.push_back(oid);
150  m_extension_info.emplace(oid, info);
151  return true;
152  }
153 
154 bool Extensions::remove(const OID& oid)
155  {
156  const bool erased = m_extension_info.erase(oid) > 0;
157 
158  if(erased)
159  {
160  m_extension_oids.erase(std::find(m_extension_oids.begin(), m_extension_oids.end(), oid));
161  }
162 
163  return erased;
164  }
165 
166 void Extensions::replace(Certificate_Extension* extn, bool critical)
167  {
168  // Remove it if it existed
169  remove(extn->oid_of());
170 
171  const OID oid = extn->oid_of();
172  Extensions_Info info(critical, extn);
173  m_extension_oids.push_back(oid);
174  m_extension_info.emplace(oid, info);
175  }
176 
177 bool Extensions::extension_set(const OID& oid) const
178  {
179  return (m_extension_info.find(oid) != m_extension_info.end());
180  }
181 
183  {
184  auto i = m_extension_info.find(oid);
185  if(i != m_extension_info.end())
186  return i->second.is_critical();
187  return false;
188  }
189 
190 std::vector<uint8_t> Extensions::get_extension_bits(const OID& oid) const
191  {
192  auto i = m_extension_info.find(oid);
193  if(i == m_extension_info.end())
194  throw Invalid_Argument("Extensions::get_extension_bits no such extension set");
195 
196  return i->second.bits();
197  }
198 
200  {
201  auto extn = m_extension_info.find(oid);
202  if(extn == m_extension_info.end())
203  return nullptr;
204 
205  return &extn->second.obj();
206  }
207 
208 std::unique_ptr<Certificate_Extension> Extensions::get(const OID& oid) const
209  {
210  if(const Certificate_Extension* ext = this->get_extension_object(oid))
211  {
212  return std::unique_ptr<Certificate_Extension>(ext->copy());
213  }
214  return nullptr;
215  }
216 
217 std::vector<std::pair<std::unique_ptr<Certificate_Extension>, bool>> Extensions::extensions() const
218  {
219  std::vector<std::pair<std::unique_ptr<Certificate_Extension>, bool>> exts;
220  for(auto&& ext : m_extension_info)
221  {
222  exts.push_back(
223  std::make_pair(
224  std::unique_ptr<Certificate_Extension>(ext.second.obj().copy()),
225  ext.second.is_critical())
226  );
227  }
228  return exts;
229  }
230 
231 std::map<OID, std::pair<std::vector<uint8_t>, bool>> Extensions::extensions_raw() const
232  {
233  std::map<OID, std::pair<std::vector<uint8_t>, bool>> out;
234  for(auto&& ext : m_extension_info)
235  {
236  out.emplace(ext.first,
237  std::make_pair(ext.second.bits(),
238  ext.second.is_critical()));
239  }
240  return out;
241  }
242 
243 /*
244 * Encode an Extensions list
245 */
246 void Extensions::encode_into(DER_Encoder& to_object) const
247  {
248  for(auto ext_info : m_extension_info)
249  {
250  const OID& oid = ext_info.first;
251  const bool should_encode = ext_info.second.obj().should_encode();
252 
253  if(should_encode)
254  {
255  const bool is_critical = ext_info.second.is_critical();
256  const std::vector<uint8_t>& ext_value = ext_info.second.bits();
257 
258  to_object.start_cons(SEQUENCE)
259  .encode(oid)
260  .encode_optional(is_critical, false)
261  .encode(ext_value, OCTET_STRING)
262  .end_cons();
263  }
264  }
265  }
266 
267 /*
268 * Decode a list of Extensions
269 */
271  {
272  m_extension_oids.clear();
273  m_extension_info.clear();
274 
275  BER_Decoder sequence = from_source.start_cons(SEQUENCE);
276 
277  while(sequence.more_items())
278  {
279  OID oid;
280  bool critical;
281  std::vector<uint8_t> bits;
282 
283  sequence.start_cons(SEQUENCE)
284  .decode(oid)
285  .decode_optional(critical, BOOLEAN, UNIVERSAL, false)
286  .decode(bits, OCTET_STRING)
287  .end_cons();
288 
289  std::unique_ptr<Certificate_Extension> obj = create_extn_obj(oid, critical, bits);
290  Extensions_Info info(critical, bits, obj.release());
291 
292  m_extension_oids.push_back(oid);
293  m_extension_info.emplace(oid, info);
294  }
295  sequence.verify_end();
296  }
297 
298 /*
299 * Write the extensions to an info store
300 */
302  Data_Store& issuer_info) const
303  {
304  for(auto&& m_extn_info : m_extension_info)
305  {
306  m_extn_info.second.obj().contents_to(subject_info, issuer_info);
307  subject_info.add(m_extn_info.second.obj().oid_name() + ".is_critical",
308  m_extn_info.second.is_critical());
309  }
310  }
311 
312 namespace Cert_Extension {
313 
314 /*
315 * Checked accessor for the path_limit member
316 */
318  {
319  if(!m_is_ca)
320  throw Invalid_State("Basic_Constraints::get_path_limit: Not a CA");
321  return m_path_limit;
322  }
323 
324 /*
325 * Encode the extension
326 */
327 std::vector<uint8_t> Basic_Constraints::encode_inner() const
328  {
329  std::vector<uint8_t> output;
330  DER_Encoder(output)
332  .encode_if(m_is_ca,
333  DER_Encoder()
334  .encode(m_is_ca)
335  .encode_optional(m_path_limit, NO_CERT_PATH_LIMIT)
336  )
337  .end_cons();
338  return output;
339  }
340 
341 /*
342 * Decode the extension
343 */
344 void Basic_Constraints::decode_inner(const std::vector<uint8_t>& in)
345  {
346  BER_Decoder(in)
348  .decode_optional(m_is_ca, BOOLEAN, UNIVERSAL, false)
349  .decode_optional(m_path_limit, INTEGER, UNIVERSAL, NO_CERT_PATH_LIMIT)
350  .end_cons();
351 
352  if(m_is_ca == false)
353  m_path_limit = 0;
354  }
355 
356 /*
357 * Return a textual representation
358 */
359 void Basic_Constraints::contents_to(Data_Store& subject, Data_Store&) const
360  {
361  subject.add("X509v3.BasicConstraints.is_ca", (m_is_ca ? 1 : 0));
362  subject.add("X509v3.BasicConstraints.path_constraint", static_cast<uint32_t>(m_path_limit));
363  }
364 
365 /*
366 * Encode the extension
367 */
368 std::vector<uint8_t> Key_Usage::encode_inner() const
369  {
370  if(m_constraints == NO_CONSTRAINTS)
371  throw Encoding_Error("Cannot encode zero usage constraints");
372 
373  const size_t unused_bits = ctz(static_cast<uint32_t>(m_constraints));
374 
375  std::vector<uint8_t> der;
376  der.push_back(BIT_STRING);
377  der.push_back(2 + ((unused_bits < 8) ? 1 : 0));
378  der.push_back(unused_bits % 8);
379  der.push_back((m_constraints >> 8) & 0xFF);
380  if(m_constraints & 0xFF)
381  der.push_back(m_constraints & 0xFF);
382 
383  return der;
384  }
385 
386 /*
387 * Decode the extension
388 */
389 void Key_Usage::decode_inner(const std::vector<uint8_t>& in)
390  {
391  BER_Decoder ber(in);
392 
393  BER_Object obj = ber.get_next_object();
394 
395  obj.assert_is_a(BIT_STRING, UNIVERSAL, "usage constraint");
396 
397  if(obj.length() != 2 && obj.length() != 3)
398  throw BER_Decoding_Error("Bad size for BITSTRING in usage constraint");
399 
400  uint16_t usage = 0;
401 
402  const uint8_t* bits = obj.bits();
403 
404  if(bits[0] >= 8)
405  throw BER_Decoding_Error("Invalid unused bits in usage constraint");
406 
407  const uint8_t mask = static_cast<uint8_t>(0xFF << bits[0]);
408 
409  if(obj.length() == 2)
410  {
411  usage = make_uint16(bits[1] & mask, 0);
412  }
413  else if(obj.length() == 3)
414  {
415  usage = make_uint16(bits[1], bits[2] & mask);
416  }
417 
418  m_constraints = Key_Constraints(usage);
419  }
420 
421 /*
422 * Return a textual representation
423 */
424 void Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
425  {
426  subject.add("X509v3.KeyUsage", m_constraints);
427  }
428 
429 /*
430 * Encode the extension
431 */
432 std::vector<uint8_t> Subject_Key_ID::encode_inner() const
433  {
434  std::vector<uint8_t> output;
435  DER_Encoder(output).encode(m_key_id, OCTET_STRING);
436  return output;
437  }
438 
439 /*
440 * Decode the extension
441 */
442 void Subject_Key_ID::decode_inner(const std::vector<uint8_t>& in)
443  {
444  BER_Decoder(in).decode(m_key_id, OCTET_STRING).verify_end();
445  }
446 
447 /*
448 * Return a textual representation
449 */
450 void Subject_Key_ID::contents_to(Data_Store& subject, Data_Store&) const
451  {
452  subject.add("X509v3.SubjectKeyIdentifier", m_key_id);
453  }
454 
455 /*
456 * Subject_Key_ID Constructor
457 */
458 Subject_Key_ID::Subject_Key_ID(const std::vector<uint8_t>& pub_key, const std::string& hash_name)
459  {
460  std::unique_ptr<HashFunction> hash(HashFunction::create_or_throw(hash_name));
461 
462  m_key_id.resize(hash->output_length());
463 
464  hash->update(pub_key);
465  hash->final(m_key_id.data());
466 
467  // Truncate longer hashes, 192 bits here seems plenty
468  const size_t max_skid_len = (192 / 8);
469  if(m_key_id.size() > max_skid_len)
470  m_key_id.resize(max_skid_len);
471  }
472 
473 /*
474 * Encode the extension
475 */
476 std::vector<uint8_t> Authority_Key_ID::encode_inner() const
477  {
478  std::vector<uint8_t> output;
479  DER_Encoder(output)
482  .end_cons();
483  return output;
484  }
485 
486 /*
487 * Decode the extension
488 */
489 void Authority_Key_ID::decode_inner(const std::vector<uint8_t>& in)
490  {
491  BER_Decoder(in)
493  .decode_optional_string(m_key_id, OCTET_STRING, 0);
494  }
495 
496 /*
497 * Return a textual representation
498 */
499 void Authority_Key_ID::contents_to(Data_Store&, Data_Store& issuer) const
500  {
501  if(m_key_id.size())
502  issuer.add("X509v3.AuthorityKeyIdentifier", m_key_id);
503  }
504 
505 /*
506 * Encode the extension
507 */
508 std::vector<uint8_t> Subject_Alternative_Name::encode_inner() const
509  {
510  std::vector<uint8_t> output;
511  DER_Encoder(output).encode(m_alt_name);
512  return output;
513  }
514 
515 /*
516 * Encode the extension
517 */
518 std::vector<uint8_t> Issuer_Alternative_Name::encode_inner() const
519  {
520  std::vector<uint8_t> output;
521  DER_Encoder(output).encode(m_alt_name);
522  return output;
523  }
524 
525 /*
526 * Decode the extension
527 */
528 void Subject_Alternative_Name::decode_inner(const std::vector<uint8_t>& in)
529  {
530  BER_Decoder(in).decode(m_alt_name);
531  }
532 
533 /*
534 * Decode the extension
535 */
536 void Issuer_Alternative_Name::decode_inner(const std::vector<uint8_t>& in)
537  {
538  BER_Decoder(in).decode(m_alt_name);
539  }
540 
541 /*
542 * Return a textual representation
543 */
544 void Subject_Alternative_Name::contents_to(Data_Store& subject_info,
545  Data_Store&) const
546  {
547  subject_info.add(get_alt_name().contents());
548  }
549 
550 /*
551 * Return a textual representation
552 */
553 void Issuer_Alternative_Name::contents_to(Data_Store&, Data_Store& issuer_info) const
554  {
555  issuer_info.add(get_alt_name().contents());
556  }
557 
558 /*
559 * Encode the extension
560 */
561 std::vector<uint8_t> Extended_Key_Usage::encode_inner() const
562  {
563  std::vector<uint8_t> output;
564  DER_Encoder(output)
566  .encode_list(m_oids)
567  .end_cons();
568  return output;
569  }
570 
571 /*
572 * Decode the extension
573 */
574 void Extended_Key_Usage::decode_inner(const std::vector<uint8_t>& in)
575  {
576  BER_Decoder(in).decode_list(m_oids);
577  }
578 
579 /*
580 * Return a textual representation
581 */
582 void Extended_Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
583  {
584  for(size_t i = 0; i != m_oids.size(); ++i)
585  subject.add("X509v3.ExtendedKeyUsage", m_oids[i].to_string());
586  }
587 
588 /*
589 * Encode the extension
590 */
591 std::vector<uint8_t> Name_Constraints::encode_inner() const
592  {
593  throw Not_Implemented("Name_Constraints encoding");
594  }
595 
596 
597 /*
598 * Decode the extension
599 */
600 void Name_Constraints::decode_inner(const std::vector<uint8_t>& in)
601  {
602  std::vector<GeneralSubtree> permit, exclude;
603  BER_Decoder ber(in);
604  BER_Decoder ext = ber.start_cons(SEQUENCE);
605  BER_Object per = ext.get_next_object();
606 
607  ext.push_back(per);
608  if(per.is_a(0, ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)))
609  {
610  ext.decode_list(permit,ASN1_Tag(0),ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC));
611  if(permit.empty())
612  throw Encoding_Error("Empty Name Contraint list");
613  }
614 
615  BER_Object exc = ext.get_next_object();
616  ext.push_back(exc);
617  if(per.is_a(1, ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)))
618  {
619  ext.decode_list(exclude,ASN1_Tag(1),ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC));
620  if(exclude.empty())
621  throw Encoding_Error("Empty Name Contraint list");
622  }
623 
624  ext.end_cons();
625 
626  if(permit.empty() && exclude.empty())
627  throw Encoding_Error("Empty Name Contraint extension");
628 
629  m_name_constraints = NameConstraints(std::move(permit),std::move(exclude));
630  }
631 
632 /*
633 * Return a textual representation
634 */
635 void Name_Constraints::contents_to(Data_Store& subject, Data_Store&) const
636  {
637  std::stringstream ss;
638 
639  for(const GeneralSubtree& gs: m_name_constraints.permitted())
640  {
641  ss << gs;
642  subject.add("X509v3.NameConstraints.permitted", ss.str());
643  ss.str(std::string());
644  }
645  for(const GeneralSubtree& gs: m_name_constraints.excluded())
646  {
647  ss << gs;
648  subject.add("X509v3.NameConstraints.excluded", ss.str());
649  ss.str(std::string());
650  }
651  }
652 
654  const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
655  std::vector<std::set<Certificate_Status_Code>>& cert_status,
656  size_t pos)
657  {
658  if(!m_name_constraints.permitted().empty() || !m_name_constraints.excluded().empty())
659  {
660  if(!subject.is_CA_cert())
661  {
662  cert_status.at(pos).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
663  }
664 
665  const bool issuer_name_constraint_critical =
666  issuer.is_critical("X509v3.NameConstraints");
667 
668  // Check that all subordinate certs pass the name constraint
669  for(size_t j = 0; j < pos; ++j)
670  {
671  bool permitted = m_name_constraints.permitted().empty();
672  bool failed = false;
673 
674  for(auto c: m_name_constraints.permitted())
675  {
676  switch(c.base().matches(*cert_path.at(j)))
677  {
678  case GeneralName::MatchResult::NotFound:
679  case GeneralName::MatchResult::All:
680  permitted = true;
681  break;
682  case GeneralName::MatchResult::UnknownType:
683  failed = issuer_name_constraint_critical;
684  permitted = true;
685  break;
686  default:
687  break;
688  }
689  }
690 
691  for(auto c: m_name_constraints.excluded())
692  {
693  switch(c.base().matches(*cert_path.at(j)))
694  {
695  case GeneralName::MatchResult::All:
696  case GeneralName::MatchResult::Some:
697  failed = true;
698  break;
699  case GeneralName::MatchResult::UnknownType:
700  failed = issuer_name_constraint_critical;
701  break;
702  default:
703  break;
704  }
705  }
706 
707  if(failed || !permitted)
708  {
709  cert_status.at(j).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
710  }
711  }
712  }
713  }
714 
715 namespace {
716 
717 /*
718 * A policy specifier
719 */
720 class Policy_Information final : public ASN1_Object
721  {
722  public:
723  Policy_Information() = default;
724  explicit Policy_Information(const OID& oid) : m_oid(oid) {}
725 
726  const OID& oid() const { return m_oid; }
727 
728  void encode_into(DER_Encoder& codec) const override
729  {
730  codec.start_cons(SEQUENCE)
731  .encode(m_oid)
732  .end_cons();
733  }
734 
735  void decode_from(BER_Decoder& codec) override
736  {
737  codec.start_cons(SEQUENCE)
738  .decode(m_oid)
739  .discard_remaining()
740  .end_cons();
741  }
742 
743  private:
744  OID m_oid;
745  };
746 
747 }
748 
749 /*
750 * Encode the extension
751 */
752 std::vector<uint8_t> Certificate_Policies::encode_inner() const
753  {
754  std::vector<Policy_Information> policies;
755 
756  for(size_t i = 0; i != m_oids.size(); ++i)
757  policies.push_back(Policy_Information(m_oids[i]));
758 
759  std::vector<uint8_t> output;
760  DER_Encoder(output)
761  .start_cons(SEQUENCE)
762  .encode_list(policies)
763  .end_cons();
764  return output;
765  }
766 
767 /*
768 * Decode the extension
769 */
770 void Certificate_Policies::decode_inner(const std::vector<uint8_t>& in)
771  {
772  std::vector<Policy_Information> policies;
773 
774  BER_Decoder(in).decode_list(policies);
775  m_oids.clear();
776  for(size_t i = 0; i != policies.size(); ++i)
777  m_oids.push_back(policies[i].oid());
778  }
779 
780 /*
781 * Return a textual representation
782 */
783 void Certificate_Policies::contents_to(Data_Store& info, Data_Store&) const
784  {
785  for(size_t i = 0; i != m_oids.size(); ++i)
786  info.add("X509v3.CertificatePolicies", m_oids[i].to_string());
787  }
788 
790  const X509_Certificate& /*subject*/,
791  const X509_Certificate& /*issuer*/,
792  const std::vector<std::shared_ptr<const X509_Certificate>>& /*cert_path*/,
793  std::vector<std::set<Certificate_Status_Code>>& cert_status,
794  size_t pos)
795  {
796  std::set<OID> oid_set(m_oids.begin(), m_oids.end());
797  if(oid_set.size() != m_oids.size())
798  {
799  cert_status.at(pos).insert(Certificate_Status_Code::DUPLICATE_CERT_POLICY);
800  }
801  }
802 
803 std::vector<uint8_t> Authority_Information_Access::encode_inner() const
804  {
805  ASN1_String url(m_ocsp_responder, IA5_STRING);
806 
807  std::vector<uint8_t> output;
808  DER_Encoder(output)
811  .encode(OID::from_string("PKIX.OCSP"))
812  .add_object(ASN1_Tag(6), CONTEXT_SPECIFIC, url.value())
813  .end_cons()
814  .end_cons();
815  return output;
816  }
817 
818 void Authority_Information_Access::decode_inner(const std::vector<uint8_t>& in)
819  {
821 
822  while(ber.more_items())
823  {
824  OID oid;
825 
826  BER_Decoder info = ber.start_cons(SEQUENCE);
827 
828  info.decode(oid);
829 
830  if(oid == OID::from_string("PKIX.OCSP"))
831  {
833 
834  if(name.is_a(6, CONTEXT_SPECIFIC))
835  {
836  m_ocsp_responder = ASN1::to_string(name);
837  }
838 
839  }
840  if(oid == OID::from_string("PKIX.CertificateAuthorityIssuers"))
841  {
842  BER_Object name = info.get_next_object();
843 
844  if(name.is_a(6, CONTEXT_SPECIFIC))
845  {
846  m_ca_issuers.push_back(ASN1::to_string(name));
847  }
848  }
849  }
850  }
851 
852 void Authority_Information_Access::contents_to(Data_Store& subject, Data_Store&) const
853  {
854  if(!m_ocsp_responder.empty())
855  subject.add("OCSP.responder", m_ocsp_responder);
856  for(const std::string& ca_issuer : m_ca_issuers)
857  subject.add("PKIX.CertificateAuthorityIssuers", ca_issuer);
858  }
859 
860 /*
861 * Checked accessor for the crl_number member
862 */
864  {
865  if(!m_has_value)
866  throw Invalid_State("CRL_Number::get_crl_number: Not set");
867  return m_crl_number;
868  }
869 
870 /*
871 * Copy a CRL_Number extension
872 */
874  {
875  if(!m_has_value)
876  throw Invalid_State("CRL_Number::copy: Not set");
877  return new CRL_Number(m_crl_number);
878  }
879 
880 /*
881 * Encode the extension
882 */
883 std::vector<uint8_t> CRL_Number::encode_inner() const
884  {
885  std::vector<uint8_t> output;
886  DER_Encoder(output).encode(m_crl_number);
887  return output;
888  }
889 
890 /*
891 * Decode the extension
892 */
893 void CRL_Number::decode_inner(const std::vector<uint8_t>& in)
894  {
895  BER_Decoder(in).decode(m_crl_number);
896  m_has_value = true;
897  }
898 
899 /*
900 * Return a textual representation
901 */
902 void CRL_Number::contents_to(Data_Store& info, Data_Store&) const
903  {
904  info.add("X509v3.CRLNumber", static_cast<uint32_t>(m_crl_number));
905  }
906 
907 /*
908 * Encode the extension
909 */
910 std::vector<uint8_t> CRL_ReasonCode::encode_inner() const
911  {
912  std::vector<uint8_t> output;
913  DER_Encoder(output).encode(static_cast<size_t>(m_reason), ENUMERATED, UNIVERSAL);
914  return output;
915  }
916 
917 /*
918 * Decode the extension
919 */
920 void CRL_ReasonCode::decode_inner(const std::vector<uint8_t>& in)
921  {
922  size_t reason_code = 0;
923  BER_Decoder(in).decode(reason_code, ENUMERATED, UNIVERSAL);
924  m_reason = static_cast<CRL_Code>(reason_code);
925  }
926 
927 /*
928 * Return a textual representation
929 */
930 void CRL_ReasonCode::contents_to(Data_Store& info, Data_Store&) const
931  {
932  info.add("X509v3.CRLReasonCode", m_reason);
933  }
934 
935 std::vector<uint8_t> CRL_Distribution_Points::encode_inner() const
936  {
937  throw Not_Implemented("CRL_Distribution_Points encoding");
938  }
939 
940 void CRL_Distribution_Points::decode_inner(const std::vector<uint8_t>& buf)
941  {
942  BER_Decoder(buf)
943  .decode_list(m_distribution_points)
944  .verify_end();
945 
946  std::stringstream ss;
947 
948  for(size_t i = 0; i != m_distribution_points.size(); ++i)
949  {
950  auto contents = m_distribution_points[i].point().contents();
951 
952  for(const auto& pair : contents)
953  {
954  ss << pair.first << ": " << pair.second << " ";
955  }
956  }
957 
958  m_crl_distribution_urls.push_back(ss.str());
959  }
960 
961 void CRL_Distribution_Points::contents_to(Data_Store& subject, Data_Store&) const
962  {
963  for(const std::string& crl_url : m_crl_distribution_urls)
964  subject.add("CRL.DistributionPoint", crl_url);
965  }
966 
968  {
969  throw Not_Implemented("CRL_Distribution_Points encoding");
970  }
971 
973  {
974  ber.start_cons(SEQUENCE)
976  .decode_optional_implicit(m_point, ASN1_Tag(0),
979  .end_cons().end_cons();
980  }
981 
982 std::vector<uint8_t> CRL_Issuing_Distribution_Point::encode_inner() const
983  {
984  throw Not_Implemented("CRL_Issuing_Distribution_Point encoding");
985  }
986 
987 void CRL_Issuing_Distribution_Point::decode_inner(const std::vector<uint8_t>& buf)
988  {
989  BER_Decoder(buf).decode(m_distribution_point).verify_end();
990  }
991 
992 void CRL_Issuing_Distribution_Point::contents_to(Data_Store& info, Data_Store&) const
993  {
994  auto contents = m_distribution_point.point().contents();
995  std::stringstream ss;
996 
997  for(const auto& pair : contents)
998  {
999  ss << pair.first << ": " << pair.second << " ";
1000  }
1001 
1002  info.add("X509v3.CRLIssuingDistributionPoint", ss.str());
1003  }
1004 
1005 std::vector<uint8_t> Unknown_Extension::encode_inner() const
1006  {
1007  return m_bytes;
1008  }
1009 
1010 void Unknown_Extension::decode_inner(const std::vector<uint8_t>& bytes)
1011  {
1012  // Just treat as an opaque blob at this level
1013  m_bytes = bytes;
1014  }
1015 
1016 void Unknown_Extension::contents_to(Data_Store&, Data_Store&) const
1017  {
1018  // No information store
1019  }
1020 
1021 }
1022 
1023 }
const AlternativeName & get_alt_name() const
Definition: x509_ext.h:149
size_t ctz(T n)
Definition: bit_ops.h:99
DER_Encoder & add_object(ASN1_Tag type_tag, ASN1_Tag class_tag, const uint8_t rep[], size_t length)
Definition: der_enc.cpp:249
virtual std::string oid_name() const =0
bool is_critical(const std::string &ex_name) const
Definition: x509cert.cpp:608
std::unique_ptr< Certificate_Extension > get(const OID &oid) const
Definition: x509_ext.cpp:208
DER_Encoder & encode_optional(const T &value, const T &default_value)
Definition: der_enc.h:120
static std::unique_ptr< HashFunction > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:344
BER_Decoder & decode_optional_string(std::vector< uint8_t, Alloc > &out, ASN1_Tag real_type, uint16_t type_no, ASN1_Tag class_tag=CONTEXT_SPECIFIC)
Definition: ber_dec.h:293
int(* final)(unsigned char *, CTX *)
void encode_into(class DER_Encoder &) const override
Definition: x509_ext.cpp:967
std::vector< uint8_t > get_extension_bits(const OID &oid) const
Definition: x509_ext.cpp:190
void decode_from(class BER_Decoder &) override
Definition: x509_ext.cpp:270
bool critical_extension_set(const OID &oid) const
Definition: x509_ext.cpp:182
void replace(Certificate_Extension *extn, bool critical=false)
Definition: x509_ext.cpp:166
const std::vector< GeneralSubtree > & excluded() const
Definition: pkix_types.h:340
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
ASN1_Tag
Definition: asn1_obj.h:25
DER_Encoder & end_cons()
Definition: der_enc.cpp:191
DER_Encoder & encode_if(bool pred, DER_Encoder &enc)
Definition: der_enc.h:143
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::vector< std::set< Certificate_Status_Code >> &cert_status, size_t pos) override
Definition: x509_ext.cpp:653
BER_Decoder & decode(bool &out)
Definition: ber_dec.h:170
bool is_CA_cert() const
Definition: x509cert.cpp:491
void add(Certificate_Extension *extn, bool critical=false)
Definition: x509_ext.cpp:123
DER_Encoder & encode(bool b)
Definition: der_enc.cpp:285
BER_Decoder & decode_optional(T &out, ASN1_Tag type_tag, ASN1_Tag class_tag, const T &default_value=T())
Definition: ber_dec.h:337
std::string name
void encode_into(class DER_Encoder &) const override
Definition: x509_ext.cpp:246
bool add_new(Certificate_Extension *extn, bool critical=false)
Definition: x509_ext.cpp:139
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
Definition: pem.cpp:43
BER_Decoder & end_cons()
Definition: ber_dec.cpp:300
const AlternativeName & get_alt_name() const
Definition: x509_ext.h:177
const std::vector< GeneralSubtree > & permitted() const
Definition: pkix_types.h:335
BER_Decoder start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.cpp:290
bool extension_set(const OID &oid) const
Definition: x509_ext.cpp:177
virtual OID oid_of() const =0
Definition: alg_id.cpp:13
BER_Decoder & decode_optional_implicit(T &out, ASN1_Tag type_tag, ASN1_Tag class_tag, ASN1_Tag real_type, ASN1_Tag real_class, const T &default_value=T())
Definition: ber_dec.h:369
void contents_to(Data_Store &, Data_Store &) const
Definition: x509_ext.cpp:301
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::vector< std::set< Certificate_Status_Code >> &cert_status, size_t pos) override
Definition: x509_ext.cpp:789
BER_Object get_next_object()
Definition: ber_dec.cpp:237
BER_Decoder & verify_end()
Definition: ber_dec.cpp:208
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: der_enc.cpp:181
BER_Decoder & decode_list(std::vector< T > &out, ASN1_Tag type_tag=SEQUENCE, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.h:398
virtual void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::vector< std::set< Certificate_Status_Code >> &cert_status, size_t pos)
Definition: x509_ext.cpp:113
bool more_items() const
Definition: ber_dec.cpp:198
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)
Definition: loadstor.h:54
bool remove(const OID &oid)
Definition: x509_ext.cpp:154
std::map< OID, std::pair< std::vector< uint8_t >, bool > > extensions_raw() const
Definition: x509_ext.cpp:231
Key_Constraints
Definition: pkix_enums.h:106
CRL_Number * copy() const override
Definition: x509_ext.cpp:873
MechanismType hash
const Certificate_Extension * get_extension_object(const OID &oid) const
Definition: x509_ext.cpp:199
void add(const std::multimap< std::string, std::string > &)
Definition: datastor.cpp:154
std::vector< std::pair< std::unique_ptr< Certificate_Extension >, bool > > extensions() const
Definition: x509_ext.cpp:217
static OID from_string(const std::string &str)
Definition: asn1_oid.cpp:62