Botan  2.7.0
Crypto and TLS for C++11
x509_ext.cpp
Go to the documentation of this file.
1 /*
2 * X.509 Certificate Extensions
3 * (C) 1999-2010,2012 Jack Lloyd
4 * (C) 2016 RenĂ© Korthaus, Rohde & Schwarz Cybersecurity
5 * (C) 2017 Fabian Weissberg, Rohde & Schwarz Cybersecurity
6 *
7 * Botan is released under the Simplified BSD License (see license.txt)
8 */
9 
10 #include <botan/x509_ext.h>
11 #include <botan/x509cert.h>
12 #include <botan/datastor.h>
13 #include <botan/der_enc.h>
14 #include <botan/ber_dec.h>
15 #include <botan/oids.h>
16 #include <botan/hash.h>
17 #include <botan/internal/bit_ops.h>
18 #include <algorithm>
19 #include <set>
20 #include <sstream>
21 
22 namespace Botan {
23 
24 /*
25 * Create a Certificate_Extension object of some kind to handle
26 */
27 std::unique_ptr<Certificate_Extension>
28 Extensions::create_extn_obj(const OID& oid,
29  bool critical,
30  const std::vector<uint8_t>& body)
31  {
32  const std::string oid_str = oid.as_string();
33 
34  std::unique_ptr<Certificate_Extension> extn;
35 
37  {
38  extn.reset(new Cert_Extension::Subject_Key_ID);
39  }
41  {
42  extn.reset(new Cert_Extension::Key_Usage);
43  }
45  {
46  extn.reset(new Cert_Extension::Subject_Alternative_Name);
47  }
49  {
50  extn.reset(new Cert_Extension::Issuer_Alternative_Name);
51  }
53  {
54  extn.reset(new Cert_Extension::Basic_Constraints);
55  }
57  {
58  extn.reset(new Cert_Extension::CRL_Number);
59  }
61  {
62  extn.reset(new Cert_Extension::CRL_ReasonCode);
63  }
65  {
66  extn.reset(new Cert_Extension::Authority_Key_ID);
67  }
69  {
70  extn.reset(new Cert_Extension::Name_Constraints);
71  }
73  {
74  extn.reset(new Cert_Extension::CRL_Distribution_Points);
75  }
77  {
78  extn.reset(new Cert_Extension::CRL_Issuing_Distribution_Point);
79  }
81  {
82  extn.reset(new Cert_Extension::Certificate_Policies);
83  }
85  {
86  extn.reset(new Cert_Extension::Extended_Key_Usage);
87  }
89  {
90  extn.reset(new Cert_Extension::Authority_Information_Access);
91  }
92  else
93  {
94  // some other unknown extension type
95  extn.reset(new Cert_Extension::Unknown_Extension(oid, critical));
96  }
97 
98  try
99  {
100  extn->decode_inner(body);
101  }
102  catch(Decoding_Error& e)
103  {
104  throw Decoding_Error("Decoding X.509 extension " + oid.as_string() + " failed", e.what());
105  }
106  return extn;
107  }
108 
109 /*
110 * Validate the extension (the default implementation is a NOP)
111 */
113  const std::vector<std::shared_ptr<const X509_Certificate>>&,
114  std::vector<std::set<Certificate_Status_Code>>&,
115  size_t)
116  {
117  }
118 
119 /*
120 * Add a new cert
121 */
122 void Extensions::add(Certificate_Extension* extn, bool critical)
123  {
124  // sanity check: we don't want to have the same extension more than once
125  if(m_extension_info.count(extn->oid_of()) > 0)
126  throw Invalid_Argument(extn->oid_name() + " extension already present in Extensions::add");
127 
128  const OID oid = extn->oid_of();
129  Extensions_Info info(critical, extn);
130  m_extension_oids.push_back(oid);
131  m_extension_info.emplace(oid, info);
132  }
133 
134 bool Extensions::add_new(Certificate_Extension* extn, bool critical)
135  {
136  if(m_extension_info.count(extn->oid_of()) > 0)
137  {
138  delete extn;
139  return false; // already exists
140  }
141 
142  const OID oid = extn->oid_of();
143  Extensions_Info info(critical, extn);
144  m_extension_oids.push_back(oid);
145  m_extension_info.emplace(oid, info);
146  return true;
147  }
148 
149 void Extensions::replace(Certificate_Extension* extn, bool critical)
150  {
151  // Remove it if it existed
152  m_extension_info.erase(extn->oid_of());
153 
154  const OID oid = extn->oid_of();
155  Extensions_Info info(critical, extn);
156  m_extension_oids.push_back(oid);
157  m_extension_info.emplace(oid, info);
158  }
159 
160 bool Extensions::extension_set(const OID& oid) const
161  {
162  return (m_extension_info.find(oid) != m_extension_info.end());
163  }
164 
166  {
167  auto i = m_extension_info.find(oid);
168  if(i != m_extension_info.end())
169  return i->second.is_critical();
170  return false;
171  }
172 
174  {
175  auto extn = m_extension_info.find(oid);
176  if(extn == m_extension_info.end())
177  return nullptr;
178 
179  return &extn->second.obj();
180  }
181 
182 std::unique_ptr<Certificate_Extension> Extensions::get(const OID& oid) const
183  {
184  if(const Certificate_Extension* ext = this->get_extension_object(oid))
185  {
186  return std::unique_ptr<Certificate_Extension>(ext->copy());
187  }
188  return nullptr;
189  }
190 
191 std::vector<std::pair<std::unique_ptr<Certificate_Extension>, bool>> Extensions::extensions() const
192  {
193  std::vector<std::pair<std::unique_ptr<Certificate_Extension>, bool>> exts;
194  for(auto&& ext : m_extension_info)
195  {
196  exts.push_back(
197  std::make_pair(
198  std::unique_ptr<Certificate_Extension>(ext.second.obj().copy()),
199  ext.second.is_critical())
200  );
201  }
202  return exts;
203  }
204 
205 std::map<OID, std::pair<std::vector<uint8_t>, bool>> Extensions::extensions_raw() const
206  {
207  std::map<OID, std::pair<std::vector<uint8_t>, bool>> out;
208  for(auto&& ext : m_extension_info)
209  {
210  out.emplace(ext.first,
211  std::make_pair(ext.second.bits(),
212  ext.second.is_critical()));
213  }
214  return out;
215  }
216 
217 /*
218 * Encode an Extensions list
219 */
220 void Extensions::encode_into(DER_Encoder& to_object) const
221  {
222  for(auto ext_info : m_extension_info)
223  {
224  const OID& oid = ext_info.first;
225  const bool should_encode = ext_info.second.obj().should_encode();
226 
227  if(should_encode)
228  {
229  const bool is_critical = ext_info.second.is_critical();
230  const std::vector<uint8_t>& ext_value = ext_info.second.bits();
231 
232  to_object.start_cons(SEQUENCE)
233  .encode(oid)
234  .encode_optional(is_critical, false)
235  .encode(ext_value, OCTET_STRING)
236  .end_cons();
237  }
238  }
239  }
240 
241 /*
242 * Decode a list of Extensions
243 */
245  {
246  m_extension_oids.clear();
247  m_extension_info.clear();
248 
249  BER_Decoder sequence = from_source.start_cons(SEQUENCE);
250 
251  while(sequence.more_items())
252  {
253  OID oid;
254  bool critical;
255  std::vector<uint8_t> bits;
256 
257  sequence.start_cons(SEQUENCE)
258  .decode(oid)
259  .decode_optional(critical, BOOLEAN, UNIVERSAL, false)
260  .decode(bits, OCTET_STRING)
261  .end_cons();
262 
263  std::unique_ptr<Certificate_Extension> obj = create_extn_obj(oid, critical, bits);
264  Extensions_Info info(critical, bits, obj.release());
265 
266  m_extension_oids.push_back(oid);
267  m_extension_info.emplace(oid, info);
268  }
269  sequence.verify_end();
270  }
271 
272 /*
273 * Write the extensions to an info store
274 */
276  Data_Store& issuer_info) const
277  {
278  for(auto&& m_extn_info : m_extension_info)
279  {
280  m_extn_info.second.obj().contents_to(subject_info, issuer_info);
281  subject_info.add(m_extn_info.second.obj().oid_name() + ".is_critical",
282  m_extn_info.second.is_critical());
283  }
284  }
285 
286 namespace Cert_Extension {
287 
288 /*
289 * Checked accessor for the path_limit member
290 */
292  {
293  if(!m_is_ca)
294  throw Invalid_State("Basic_Constraints::get_path_limit: Not a CA");
295  return m_path_limit;
296  }
297 
298 /*
299 * Encode the extension
300 */
301 std::vector<uint8_t> Basic_Constraints::encode_inner() const
302  {
303  std::vector<uint8_t> output;
304  DER_Encoder(output)
306  .encode_if(m_is_ca,
307  DER_Encoder()
308  .encode(m_is_ca)
309  .encode_optional(m_path_limit, NO_CERT_PATH_LIMIT)
310  )
311  .end_cons();
312  return output;
313  }
314 
315 /*
316 * Decode the extension
317 */
318 void Basic_Constraints::decode_inner(const std::vector<uint8_t>& in)
319  {
320  BER_Decoder(in)
322  .decode_optional(m_is_ca, BOOLEAN, UNIVERSAL, false)
323  .decode_optional(m_path_limit, INTEGER, UNIVERSAL, NO_CERT_PATH_LIMIT)
324  .end_cons();
325 
326  if(m_is_ca == false)
327  m_path_limit = 0;
328  }
329 
330 /*
331 * Return a textual representation
332 */
333 void Basic_Constraints::contents_to(Data_Store& subject, Data_Store&) const
334  {
335  subject.add("X509v3.BasicConstraints.is_ca", (m_is_ca ? 1 : 0));
336  subject.add("X509v3.BasicConstraints.path_constraint", static_cast<uint32_t>(m_path_limit));
337  }
338 
339 /*
340 * Encode the extension
341 */
342 std::vector<uint8_t> Key_Usage::encode_inner() const
343  {
344  if(m_constraints == NO_CONSTRAINTS)
345  throw Encoding_Error("Cannot encode zero usage constraints");
346 
347  const size_t unused_bits = low_bit(m_constraints) - 1;
348 
349  std::vector<uint8_t> der;
350  der.push_back(BIT_STRING);
351  der.push_back(2 + ((unused_bits < 8) ? 1 : 0));
352  der.push_back(unused_bits % 8);
353  der.push_back((m_constraints >> 8) & 0xFF);
354  if(m_constraints & 0xFF)
355  der.push_back(m_constraints & 0xFF);
356 
357  return der;
358  }
359 
360 /*
361 * Decode the extension
362 */
363 void Key_Usage::decode_inner(const std::vector<uint8_t>& in)
364  {
365  BER_Decoder ber(in);
366 
367  BER_Object obj = ber.get_next_object();
368 
369  obj.assert_is_a(BIT_STRING, UNIVERSAL, "usage constraint");
370 
371  if(obj.length() != 2 && obj.length() != 3)
372  throw BER_Decoding_Error("Bad size for BITSTRING in usage constraint");
373 
374  uint16_t usage = 0;
375 
376  const uint8_t* bits = obj.bits();
377 
378  if(bits[0] >= 8)
379  throw BER_Decoding_Error("Invalid unused bits in usage constraint");
380 
381  const uint8_t mask = static_cast<uint8_t>(0xFF << bits[0]);
382 
383  if(obj.length() == 2)
384  {
385  usage = make_uint16(bits[1] & mask, 0);
386  }
387  else if(obj.length() == 3)
388  {
389  usage = make_uint16(bits[1], bits[2] & mask);
390  }
391 
392  m_constraints = Key_Constraints(usage);
393  }
394 
395 /*
396 * Return a textual representation
397 */
398 void Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
399  {
400  subject.add("X509v3.KeyUsage", m_constraints);
401  }
402 
403 /*
404 * Encode the extension
405 */
406 std::vector<uint8_t> Subject_Key_ID::encode_inner() const
407  {
408  std::vector<uint8_t> output;
409  DER_Encoder(output).encode(m_key_id, OCTET_STRING);
410  return output;
411  }
412 
413 /*
414 * Decode the extension
415 */
416 void Subject_Key_ID::decode_inner(const std::vector<uint8_t>& in)
417  {
418  BER_Decoder(in).decode(m_key_id, OCTET_STRING).verify_end();
419  }
420 
421 /*
422 * Return a textual representation
423 */
424 void Subject_Key_ID::contents_to(Data_Store& subject, Data_Store&) const
425  {
426  subject.add("X509v3.SubjectKeyIdentifier", m_key_id);
427  }
428 
429 /*
430 * Subject_Key_ID Constructor
431 */
432 Subject_Key_ID::Subject_Key_ID(const std::vector<uint8_t>& pub_key, const std::string& hash_name)
433  {
434  std::unique_ptr<HashFunction> hash(HashFunction::create_or_throw(hash_name));
435 
436  m_key_id.resize(hash->output_length());
437 
438  hash->update(pub_key);
439  hash->final(m_key_id.data());
440 
441  // Truncate longer hashes, 192 bits here seems plenty
442  const size_t max_skid_len = (192 / 8);
443  if(m_key_id.size() > max_skid_len)
444  m_key_id.resize(max_skid_len);
445  }
446 
447 /*
448 * Encode the extension
449 */
450 std::vector<uint8_t> Authority_Key_ID::encode_inner() const
451  {
452  std::vector<uint8_t> output;
453  DER_Encoder(output)
456  .end_cons();
457  return output;
458  }
459 
460 /*
461 * Decode the extension
462 */
463 void Authority_Key_ID::decode_inner(const std::vector<uint8_t>& in)
464  {
465  BER_Decoder(in)
467  .decode_optional_string(m_key_id, OCTET_STRING, 0);
468  }
469 
470 /*
471 * Return a textual representation
472 */
473 void Authority_Key_ID::contents_to(Data_Store&, Data_Store& issuer) const
474  {
475  if(m_key_id.size())
476  issuer.add("X509v3.AuthorityKeyIdentifier", m_key_id);
477  }
478 
479 /*
480 * Encode the extension
481 */
482 std::vector<uint8_t> Subject_Alternative_Name::encode_inner() const
483  {
484  std::vector<uint8_t> output;
485  DER_Encoder(output).encode(m_alt_name);
486  return output;
487  }
488 
489 /*
490 * Encode the extension
491 */
492 std::vector<uint8_t> Issuer_Alternative_Name::encode_inner() const
493  {
494  std::vector<uint8_t> output;
495  DER_Encoder(output).encode(m_alt_name);
496  return output;
497  }
498 
499 /*
500 * Decode the extension
501 */
502 void Subject_Alternative_Name::decode_inner(const std::vector<uint8_t>& in)
503  {
504  BER_Decoder(in).decode(m_alt_name);
505  }
506 
507 /*
508 * Decode the extension
509 */
510 void Issuer_Alternative_Name::decode_inner(const std::vector<uint8_t>& in)
511  {
512  BER_Decoder(in).decode(m_alt_name);
513  }
514 
515 /*
516 * Return a textual representation
517 */
518 void Subject_Alternative_Name::contents_to(Data_Store& subject_info,
519  Data_Store&) const
520  {
521  subject_info.add(get_alt_name().contents());
522  }
523 
524 /*
525 * Return a textual representation
526 */
527 void Issuer_Alternative_Name::contents_to(Data_Store&, Data_Store& issuer_info) const
528  {
529  issuer_info.add(get_alt_name().contents());
530  }
531 
532 /*
533 * Encode the extension
534 */
535 std::vector<uint8_t> Extended_Key_Usage::encode_inner() const
536  {
537  std::vector<uint8_t> output;
538  DER_Encoder(output)
540  .encode_list(m_oids)
541  .end_cons();
542  return output;
543  }
544 
545 /*
546 * Decode the extension
547 */
548 void Extended_Key_Usage::decode_inner(const std::vector<uint8_t>& in)
549  {
550  BER_Decoder(in).decode_list(m_oids);
551  }
552 
553 /*
554 * Return a textual representation
555 */
556 void Extended_Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
557  {
558  for(size_t i = 0; i != m_oids.size(); ++i)
559  subject.add("X509v3.ExtendedKeyUsage", m_oids[i].as_string());
560  }
561 
562 /*
563 * Encode the extension
564 */
565 std::vector<uint8_t> Name_Constraints::encode_inner() const
566  {
567  throw Not_Implemented("Name_Constraints encoding");
568  }
569 
570 
571 /*
572 * Decode the extension
573 */
574 void Name_Constraints::decode_inner(const std::vector<uint8_t>& in)
575  {
576  std::vector<GeneralSubtree> permit, exclude;
577  BER_Decoder ber(in);
578  BER_Decoder ext = ber.start_cons(SEQUENCE);
579  BER_Object per = ext.get_next_object();
580 
581  ext.push_back(per);
582  if(per.is_a(0, ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)))
583  {
584  ext.decode_list(permit,ASN1_Tag(0),ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC));
585  if(permit.empty())
586  throw Encoding_Error("Empty Name Contraint list");
587  }
588 
589  BER_Object exc = ext.get_next_object();
590  ext.push_back(exc);
591  if(per.is_a(1, ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)))
592  {
593  ext.decode_list(exclude,ASN1_Tag(1),ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC));
594  if(exclude.empty())
595  throw Encoding_Error("Empty Name Contraint list");
596  }
597 
598  ext.end_cons();
599 
600  if(permit.empty() && exclude.empty())
601  throw Encoding_Error("Empty Name Contraint extension");
602 
603  m_name_constraints = NameConstraints(std::move(permit),std::move(exclude));
604  }
605 
606 /*
607 * Return a textual representation
608 */
609 void Name_Constraints::contents_to(Data_Store& subject, Data_Store&) const
610  {
611  std::stringstream ss;
612 
613  for(const GeneralSubtree& gs: m_name_constraints.permitted())
614  {
615  ss << gs;
616  subject.add("X509v3.NameConstraints.permitted", ss.str());
617  ss.str(std::string());
618  }
619  for(const GeneralSubtree& gs: m_name_constraints.excluded())
620  {
621  ss << gs;
622  subject.add("X509v3.NameConstraints.excluded", ss.str());
623  ss.str(std::string());
624  }
625  }
626 
628  const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
629  std::vector<std::set<Certificate_Status_Code>>& cert_status,
630  size_t pos)
631  {
632  if(!m_name_constraints.permitted().empty() || !m_name_constraints.excluded().empty())
633  {
634  if(!subject.is_CA_cert() || !subject.is_critical("X509v3.NameConstraints"))
635  cert_status.at(pos).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
636 
637  const bool issuer_name_constraint_critical =
638  issuer.is_critical("X509v3.NameConstraints");
639 
640  const bool at_self_signed_root = (pos == cert_path.size() - 1);
641 
642  // Check that all subordinate certs pass the name constraint
643  for(size_t j = 0; j <= pos; ++j)
644  {
645  if(pos == j && at_self_signed_root)
646  continue;
647 
648  bool permitted = m_name_constraints.permitted().empty();
649  bool failed = false;
650 
651  for(auto c: m_name_constraints.permitted())
652  {
653  switch(c.base().matches(*cert_path.at(j)))
654  {
655  case GeneralName::MatchResult::NotFound:
656  case GeneralName::MatchResult::All:
657  permitted = true;
658  break;
659  case GeneralName::MatchResult::UnknownType:
660  failed = issuer_name_constraint_critical;
661  permitted = true;
662  break;
663  default:
664  break;
665  }
666  }
667 
668  for(auto c: m_name_constraints.excluded())
669  {
670  switch(c.base().matches(*cert_path.at(j)))
671  {
672  case GeneralName::MatchResult::All:
673  case GeneralName::MatchResult::Some:
674  failed = true;
675  break;
676  case GeneralName::MatchResult::UnknownType:
677  failed = issuer_name_constraint_critical;
678  break;
679  default:
680  break;
681  }
682  }
683 
684  if(failed || !permitted)
685  {
686  cert_status.at(j).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
687  }
688  }
689  }
690  }
691 
692 namespace {
693 
694 /*
695 * A policy specifier
696 */
697 class Policy_Information final : public ASN1_Object
698  {
699  public:
700  Policy_Information() = default;
701  explicit Policy_Information(const OID& oid) : m_oid(oid) {}
702 
703  const OID& oid() const { return m_oid; }
704 
705  void encode_into(DER_Encoder& codec) const override
706  {
707  codec.start_cons(SEQUENCE)
708  .encode(m_oid)
709  .end_cons();
710  }
711 
712  void decode_from(BER_Decoder& codec) override
713  {
714  codec.start_cons(SEQUENCE)
715  .decode(m_oid)
716  .discard_remaining()
717  .end_cons();
718  }
719 
720  private:
721  OID m_oid;
722  };
723 
724 }
725 
726 /*
727 * Encode the extension
728 */
729 std::vector<uint8_t> Certificate_Policies::encode_inner() const
730  {
731  std::vector<Policy_Information> policies;
732 
733  for(size_t i = 0; i != m_oids.size(); ++i)
734  policies.push_back(Policy_Information(m_oids[i]));
735 
736  std::vector<uint8_t> output;
737  DER_Encoder(output)
738  .start_cons(SEQUENCE)
739  .encode_list(policies)
740  .end_cons();
741  return output;
742  }
743 
744 /*
745 * Decode the extension
746 */
747 void Certificate_Policies::decode_inner(const std::vector<uint8_t>& in)
748  {
749  std::vector<Policy_Information> policies;
750 
751  BER_Decoder(in).decode_list(policies);
752  m_oids.clear();
753  for(size_t i = 0; i != policies.size(); ++i)
754  m_oids.push_back(policies[i].oid());
755  }
756 
757 /*
758 * Return a textual representation
759 */
760 void Certificate_Policies::contents_to(Data_Store& info, Data_Store&) const
761  {
762  for(size_t i = 0; i != m_oids.size(); ++i)
763  info.add("X509v3.CertificatePolicies", m_oids[i].as_string());
764  }
765 
767  const X509_Certificate& /*subject*/,
768  const X509_Certificate& /*issuer*/,
769  const std::vector<std::shared_ptr<const X509_Certificate>>& /*cert_path*/,
770  std::vector<std::set<Certificate_Status_Code>>& cert_status,
771  size_t pos)
772  {
773  std::set<OID> oid_set(m_oids.begin(), m_oids.end());
774  if(oid_set.size() != m_oids.size())
775  {
776  cert_status.at(pos).insert(Certificate_Status_Code::DUPLICATE_CERT_POLICY);
777  }
778  }
779 
780 std::vector<uint8_t> Authority_Information_Access::encode_inner() const
781  {
782  ASN1_String url(m_ocsp_responder, IA5_STRING);
783 
784  std::vector<uint8_t> output;
785  DER_Encoder(output)
788  .encode(OIDS::lookup("PKIX.OCSP"))
789  .add_object(ASN1_Tag(6), CONTEXT_SPECIFIC, url.value())
790  .end_cons()
791  .end_cons();
792  return output;
793  }
794 
795 void Authority_Information_Access::decode_inner(const std::vector<uint8_t>& in)
796  {
798 
799  while(ber.more_items())
800  {
801  OID oid;
802 
803  BER_Decoder info = ber.start_cons(SEQUENCE);
804 
805  info.decode(oid);
806 
807  if(oid == OIDS::lookup("PKIX.OCSP"))
808  {
809  BER_Object name = info.get_next_object();
810 
811  if(name.is_a(6, CONTEXT_SPECIFIC))
812  {
813  m_ocsp_responder = ASN1::to_string(name);
814  }
815 
816  }
817  if(oid == OIDS::lookup("PKIX.CertificateAuthorityIssuers"))
818  {
819  BER_Object name = info.get_next_object();
820 
821  if(name.is_a(6, CONTEXT_SPECIFIC))
822  {
823  m_ca_issuers.push_back(ASN1::to_string(name));
824  }
825  }
826  }
827  }
828 
829 void Authority_Information_Access::contents_to(Data_Store& subject, Data_Store&) const
830  {
831  if(!m_ocsp_responder.empty())
832  subject.add("OCSP.responder", m_ocsp_responder);
833  for(const std::string& ca_issuer : m_ca_issuers)
834  subject.add("PKIX.CertificateAuthorityIssuers", ca_issuer);
835  }
836 
837 /*
838 * Checked accessor for the crl_number member
839 */
841  {
842  if(!m_has_value)
843  throw Invalid_State("CRL_Number::get_crl_number: Not set");
844  return m_crl_number;
845  }
846 
847 /*
848 * Copy a CRL_Number extension
849 */
851  {
852  if(!m_has_value)
853  throw Invalid_State("CRL_Number::copy: Not set");
854  return new CRL_Number(m_crl_number);
855  }
856 
857 /*
858 * Encode the extension
859 */
860 std::vector<uint8_t> CRL_Number::encode_inner() const
861  {
862  std::vector<uint8_t> output;
863  DER_Encoder(output).encode(m_crl_number);
864  return output;
865  }
866 
867 /*
868 * Decode the extension
869 */
870 void CRL_Number::decode_inner(const std::vector<uint8_t>& in)
871  {
872  BER_Decoder(in).decode(m_crl_number);
873  m_has_value = true;
874  }
875 
876 /*
877 * Return a textual representation
878 */
879 void CRL_Number::contents_to(Data_Store& info, Data_Store&) const
880  {
881  info.add("X509v3.CRLNumber", static_cast<uint32_t>(m_crl_number));
882  }
883 
884 /*
885 * Encode the extension
886 */
887 std::vector<uint8_t> CRL_ReasonCode::encode_inner() const
888  {
889  std::vector<uint8_t> output;
890  DER_Encoder(output).encode(static_cast<size_t>(m_reason), ENUMERATED, UNIVERSAL);
891  return output;
892  }
893 
894 /*
895 * Decode the extension
896 */
897 void CRL_ReasonCode::decode_inner(const std::vector<uint8_t>& in)
898  {
899  size_t reason_code = 0;
900  BER_Decoder(in).decode(reason_code, ENUMERATED, UNIVERSAL);
901  m_reason = static_cast<CRL_Code>(reason_code);
902  }
903 
904 /*
905 * Return a textual representation
906 */
907 void CRL_ReasonCode::contents_to(Data_Store& info, Data_Store&) const
908  {
909  info.add("X509v3.CRLReasonCode", m_reason);
910  }
911 
912 std::vector<uint8_t> CRL_Distribution_Points::encode_inner() const
913  {
914  throw Not_Implemented("CRL_Distribution_Points encoding");
915  }
916 
917 void CRL_Distribution_Points::decode_inner(const std::vector<uint8_t>& buf)
918  {
919  BER_Decoder(buf)
920  .decode_list(m_distribution_points)
921  .verify_end();
922 
923  std::stringstream ss;
924 
925  for(size_t i = 0; i != m_distribution_points.size(); ++i)
926  {
927  auto contents = m_distribution_points[i].point().contents();
928 
929  for(const auto& pair : contents)
930  {
931  ss << pair.first << ": " << pair.second << " ";
932  }
933  }
934 
935  m_crl_distribution_urls.push_back(ss.str());
936  }
937 
938 void CRL_Distribution_Points::contents_to(Data_Store& subject, Data_Store&) const
939  {
940  for(const std::string& crl_url : m_crl_distribution_urls)
941  subject.add("CRL.DistributionPoint", crl_url);
942  }
943 
945  {
946  throw Not_Implemented("CRL_Distribution_Points encoding");
947  }
948 
950  {
951  ber.start_cons(SEQUENCE)
953  .decode_optional_implicit(m_point, ASN1_Tag(0),
956  .end_cons().end_cons();
957  }
958 
959 std::vector<uint8_t> CRL_Issuing_Distribution_Point::encode_inner() const
960  {
961  throw Not_Implemented("CRL_Issuing_Distribution_Point encoding");
962  }
963 
964 void CRL_Issuing_Distribution_Point::decode_inner(const std::vector<uint8_t>& buf)
965  {
966  BER_Decoder(buf).decode(m_distribution_point).verify_end();
967  }
968 
969 void CRL_Issuing_Distribution_Point::contents_to(Data_Store& info, Data_Store&) const
970  {
971  auto contents = m_distribution_point.point().contents();
972  std::stringstream ss;
973 
974  for(const auto& pair : contents)
975  {
976  ss << pair.first << ": " << pair.second << " ";
977  }
978 
979  info.add("X509v3.CRLIssuingDistributionPoint", ss.str());
980  }
981 
982 std::vector<uint8_t> Unknown_Extension::encode_inner() const
983  {
984  return m_bytes;
985  }
986 
987 void Unknown_Extension::decode_inner(const std::vector<uint8_t>& bytes)
988  {
989  // Just treat as an opaque blob at this level
990  m_bytes = bytes;
991  }
992 
993 void Unknown_Extension::contents_to(Data_Store&, Data_Store&) const
994  {
995  // No information store
996  }
997 
998 }
999 
1000 }
const AlternativeName & get_alt_name() const
Definition: x509_ext.h:410
DER_Encoder & add_object(ASN1_Tag type_tag, ASN1_Tag class_tag, const uint8_t rep[], size_t length)
Definition: der_enc.cpp:249
virtual std::string oid_name() const =0
bool is_critical(const std::string &ex_name) const
Definition: x509cert.cpp:551
std::unique_ptr< Certificate_Extension > get(const OID &oid) const
Definition: x509_ext.cpp:182
DER_Encoder & encode_optional(const T &value, const T &default_value)
Definition: der_enc.h:114
static std::unique_ptr< HashFunction > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:345
BER_Decoder & decode_optional_string(std::vector< uint8_t, Alloc > &out, ASN1_Tag real_type, uint16_t type_no, ASN1_Tag class_tag=CONTEXT_SPECIFIC)
Definition: ber_dec.h:293
CRL_Code
Definition: crl_ent.h:22
bool is_a(ASN1_Tag type_tag, ASN1_Tag class_tag) const
Definition: asn1_obj.cpp:71
void encode_into(class DER_Encoder &) const override
Definition: x509_ext.cpp:944
void decode_from(class BER_Decoder &) override
Definition: x509_ext.cpp:244
bool critical_extension_set(const OID &oid) const
Definition: x509_ext.cpp:165
void replace(Certificate_Extension *extn, bool critical=false)
Definition: x509_ext.cpp:149
const std::vector< GeneralSubtree > & excluded() const
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:210
ASN1_Tag
Definition: asn1_obj.h:22
DER_Encoder & end_cons()
Definition: der_enc.cpp:191
DER_Encoder & encode_if(bool pred, DER_Encoder &enc)
Definition: der_enc.h:137
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::vector< std::set< Certificate_Status_Code >> &cert_status, size_t pos) override
Definition: x509_ext.cpp:627
BER_Decoder & decode(bool &out)
Definition: ber_dec.h:170
bool is_CA_cert() const
Definition: x509cert.cpp:443
void add(Certificate_Extension *extn, bool critical=false)
Definition: x509_ext.cpp:122
DER_Encoder & encode(bool b)
Definition: der_enc.cpp:285
BER_Decoder & decode_optional(T &out, ASN1_Tag type_tag, ASN1_Tag class_tag, const T &default_value=T())
Definition: ber_dec.h:337
void encode_into(class DER_Encoder &) const override
Definition: x509_ext.cpp:220
bool add_new(Certificate_Extension *extn, bool critical=false)
Definition: x509_ext.cpp:134
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
Definition: pem.cpp:43
BER_Decoder & end_cons()
Definition: ber_dec.cpp:300
const AlternativeName & get_alt_name() const
Definition: x509_ext.h:438
const std::vector< GeneralSubtree > & permitted() const
BER_Decoder start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.cpp:290
bool extension_set(const OID &oid) const
Definition: x509_ext.cpp:160
virtual OID oid_of() const =0
Definition: alg_id.cpp:13
BER_Decoder & decode_optional_implicit(T &out, ASN1_Tag type_tag, ASN1_Tag class_tag, ASN1_Tag real_type, ASN1_Tag real_class, const T &default_value=T())
Definition: ber_dec.h:369
void contents_to(Data_Store &, Data_Store &) const
Definition: x509_ext.cpp:275
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::vector< std::set< Certificate_Status_Code >> &cert_status, size_t pos) override
Definition: x509_ext.cpp:766
BER_Object get_next_object()
Definition: ber_dec.cpp:237
BER_Decoder & verify_end()
Definition: ber_dec.cpp:208
uint16_t make_uint16(uint8_t i0, uint8_t i1)
Definition: loadstor.h:52
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: der_enc.cpp:181
BER_Decoder & decode_list(std::vector< T > &out, ASN1_Tag type_tag=SEQUENCE, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.h:398
virtual void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::vector< std::set< Certificate_Status_Code >> &cert_status, size_t pos)
Definition: x509_ext.cpp:112
bool more_items() const
Definition: ber_dec.cpp:198
std::map< OID, std::pair< std::vector< uint8_t >, bool > > extensions_raw() const
Definition: x509_ext.cpp:205
std::string lookup(const OID &oid)
Definition: oids.cpp:113
CRL_Number * copy() const override
Definition: x509_ext.cpp:850
MechanismType hash
const Certificate_Extension * get_extension_object(const OID &oid) const
Definition: x509_ext.cpp:173
void add(const std::multimap< std::string, std::string > &)
Definition: datastor.cpp:154
size_t low_bit(T n)
Definition: bit_ops.h:52
std::vector< std::pair< std::unique_ptr< Certificate_Extension >, bool > > extensions() const
Definition: x509_ext.cpp:191