1 /*
2 * X.509 Certificate Extensions
3 * (C) 1999-2007,2012 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #ifndef BOTAN_X509_EXTENSIONS_H_
9 #define BOTAN_X509_EXTENSIONS_H_
10 
11 #include <botan/pkix_types.h>
12 #include <set>
13 
14 namespace Botan {
15 
// Forward declarations: this header only refers to these types by reference
// or through std::shared_ptr, so their full definitions are not needed here.
class Data_Store;
class X509_Certificate;
18 
19 namespace Cert_Extension {
20 
21 static const size_t NO_CERT_PATH_LIMIT = 0xFFFFFFF0;
22 
23 /**
24 * Basic Constraints Extension
25 */
27  {
28  public:
/**
* Return a heap-allocated duplicate of this extension.
* The caller takes ownership of the returned pointer.
*/
Basic_Constraints* copy() const override
   {
   Basic_Constraints* dup = new Basic_Constraints(m_is_ca, m_path_limit);
   return dup;
   }
31 
/**
* @param ca whether the subject is a CA (the cA flag)
* @param limit path length constraint (presumably only meaningful when ca is true)
*/
Basic_Constraints(bool ca = false, size_t limit = 0) :
   m_is_ca(ca),
   m_path_limit(limit)
   {}
34 
35  bool get_is_ca() const { return m_is_ca; }
36  size_t get_path_limit() const;
37 
38  static OID static_oid() { return OID("2.5.29.19"); }
39  OID oid_of() const override { return static_oid(); }
40 
41  private:
/// Human-readable name of this extension.
std::string oid_name() const override
   {
   return std::string("X509v3.BasicConstraints");
   }
44 
// Encode/decode the extension value as a byte vector and export the contents
// into a pair of Data_Store objects; all three are defined out of line.
std::vector<uint8_t> encode_inner() const override;
void decode_inner(const std::vector<uint8_t>&) override;
void contents_to(Data_Store&, Data_Store&) const override;

bool m_is_ca;          // cA flag
size_t m_path_limit;   // pathLenConstraint; see NO_CERT_PATH_LIMIT
51  };
52 
53 /**
54 * Key Usage Constraints Extension
55 */
57  {
58  public:
59  Key_Usage* copy() const override { return new Key_Usage(m_constraints); }
60 
61  explicit Key_Usage(Key_Constraints c = NO_CONSTRAINTS) : m_constraints(c) {}
62 
63  Key_Constraints get_constraints() const { return m_constraints; }
64 
65  static OID static_oid() { return OID("2.5.29.15"); }
66  OID oid_of() const override { return static_oid(); }
67 
68  private:
69  std::string oid_name() const override { return "X509v3.KeyUsage"; }
70 
/// False when no usage bits are set, so an empty Key_Usage is not emitted.
bool should_encode() const override
   {
   const bool has_bits = (m_constraints != NO_CONSTRAINTS);
   return has_bits;
   }
// Encode/decode the extension value and export its contents; defined out of line.
std::vector<uint8_t> encode_inner() const override;
void decode_inner(const std::vector<uint8_t>&) override;
void contents_to(Data_Store&, Data_Store&) const override;

Key_Constraints m_constraints;   // key usage bit set
78  };
79 
80 /**
81 * Subject Key Identifier Extension
82 */
84  {
85  public:
86  Subject_Key_ID() = default;
87 
88  explicit Subject_Key_ID(const std::vector<uint8_t>& k) : m_key_id(k) {}
89 
// Build the identifier from an encoded public key; defined out of line.
// NOTE(review): presumably hashes public_key with the named hash function - confirm.
Subject_Key_ID(const std::vector<uint8_t>& public_key,
               const std::string& hash_fn);
92 
/// Heap-allocated duplicate; the caller owns the returned object.
Subject_Key_ID* copy() const override
   {
   return new Subject_Key_ID(get_key_id());
   }
95 
96  const std::vector<uint8_t>& get_key_id() const { return m_key_id; }
97 
98  static OID static_oid() { return OID("2.5.29.14"); }
99  OID oid_of() const override { return static_oid(); }
100 
101  private:
102 
/// Human-readable name of this extension.
std::string oid_name() const override
   {
   return std::string("X509v3.SubjectKeyIdentifier");
   }
105 
106  bool should_encode() const override { return (m_key_id.size() > 0); }
// Encode/decode the extension value and export its contents; defined out of line.
std::vector<uint8_t> encode_inner() const override;
void decode_inner(const std::vector<uint8_t>&) override;
void contents_to(Data_Store&, Data_Store&) const override;

std::vector<uint8_t> m_key_id;   // raw subject key identifier
112  };
113 
114 /**
115 * Authority Key Identifier Extension
116 */
118  {
119  public:
/// Heap-allocated duplicate; the caller owns the returned object.
Authority_Key_ID* copy() const override
   {
   return new Authority_Key_ID(get_key_id());
   }
122 
123  Authority_Key_ID() = default;
124  explicit Authority_Key_ID(const std::vector<uint8_t>& k) : m_key_id(k) {}
125 
126  const std::vector<uint8_t>& get_key_id() const { return m_key_id; }
127 
128  static OID static_oid() { return OID("2.5.29.35"); }
129  OID oid_of() const override { return static_oid(); }
130 
131  private:
/// Human-readable name of this extension.
std::string oid_name() const override
   {
   return std::string("X509v3.AuthorityKeyIdentifier");
   }
134 
135  bool should_encode() const override { return (m_key_id.size() > 0); }
// Encode/decode the extension value and export its contents; defined out of line.
std::vector<uint8_t> encode_inner() const override;
void decode_inner(const std::vector<uint8_t>&) override;
void contents_to(Data_Store&, Data_Store&) const override;

std::vector<uint8_t> m_key_id;   // raw authority key identifier
141  };
142 
143 /**
144 * Subject Alternative Name Extension
145 */
147  {
148  public:
149  const AlternativeName& get_alt_name() const { return m_alt_name; }
150 
151  static OID static_oid() { return OID("2.5.29.17"); }
152  OID oid_of() const override { return static_oid(); }
153 
/// Heap-allocated duplicate; the caller owns the returned object.
Subject_Alternative_Name* copy() const override
   {
   return new Subject_Alternative_Name(m_alt_name);
   }
156 
158  m_alt_name(name) {}
159 
160  private:
161  std::string oid_name() const override { return "X509v3.SubjectAlternativeName"; }
162 
163  bool should_encode() const override { return m_alt_name.has_items(); }
// Encode/decode the extension value and export its contents; defined out of line.
std::vector<uint8_t> encode_inner() const override;
void decode_inner(const std::vector<uint8_t>&) override;
void contents_to(Data_Store&, Data_Store&) const override;

AlternativeName m_alt_name;   // subject alternative names
169  };
170 
171 /**
172 * Issuer Alternative Name Extension
173 */
175  {
176  public:
177  const AlternativeName& get_alt_name() const { return m_alt_name; }
178 
179  static OID static_oid() { return OID("2.5.29.18"); }
180  OID oid_of() const override { return static_oid(); }
181 
/// Heap-allocated duplicate; the caller owns the returned object.
Issuer_Alternative_Name* copy() const override
   {
   return new Issuer_Alternative_Name(m_alt_name);
   }
184 
186  m_alt_name(name) {}
187 
188  private:
189  std::string oid_name() const override { return "X509v3.IssuerAlternativeName"; }
190 
191  bool should_encode() const override { return m_alt_name.has_items(); }
// Encode/decode the extension value and export its contents; defined out of line.
std::vector<uint8_t> encode_inner() const override;
void decode_inner(const std::vector<uint8_t>&) override;
void contents_to(Data_Store&, Data_Store&) const override;

AlternativeName m_alt_name;   // issuer alternative names
197  };
198 
199 /**
200 * Extended Key Usage Extension
201 */
203  {
204  public:
/// Heap-allocated duplicate; the caller owns the returned object.
Extended_Key_Usage* copy() const override
   {
   return new Extended_Key_Usage(get_oids());
   }
207 
208  Extended_Key_Usage() = default;
209  explicit Extended_Key_Usage(const std::vector<OID>& o) : m_oids(o) {}
210 
211  const std::vector<OID>& get_oids() const { return m_oids; }
212 
213  static OID static_oid() { return OID("2.5.29.37"); }
214  OID oid_of() const override { return static_oid(); }
215 
216  private:
217  std::string oid_name() const override { return "X509v3.ExtendedKeyUsage"; }
218 
219  bool should_encode() const override { return (m_oids.size() > 0); }
// Encode/decode the extension value and export its contents; defined out of line.
std::vector<uint8_t> encode_inner() const override;
void decode_inner(const std::vector<uint8_t>&) override;
void contents_to(Data_Store&, Data_Store&) const override;

std::vector<OID> m_oids;   // extended key usage OIDs
225  };
226 
227 /**
228 * Name Constraints
229 */
231  {
232  public:
/// Heap-allocated duplicate; the caller owns the returned object.
Name_Constraints* copy() const override
   {
   return new Name_Constraints(get_name_constraints());
   }
235 
236  Name_Constraints() = default;
237  Name_Constraints(const NameConstraints &nc) : m_name_constraints(nc) {}
238 
// Path-validation hook, defined out of line. cert_path is the chain being
// validated, pos an index into it, and cert_status the per-certificate status
// sets to which failure codes are added (cf. Unknown_Extension::validate below).
// NOTE(review): presumably checks subject's names against these constraints
// from the issuer - confirm against the implementation.
void validate(const X509_Certificate& subject, const X509_Certificate& issuer,
              const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
              std::vector<std::set<Certificate_Status_Code>>& cert_status,
              size_t pos) override;
243 
244  const NameConstraints& get_name_constraints() const { return m_name_constraints; }
245 
246  static OID static_oid() { return OID("2.5.29.30"); }
247  OID oid_of() const override { return static_oid(); }
248 
249  private:
/// Human-readable name of this extension.
std::string oid_name() const override
   {
   return std::string("X509v3.NameConstraints");
   }
252 
253  bool should_encode() const override { return true; }
// Encode/decode the extension value and export its contents; defined out of line.
std::vector<uint8_t> encode_inner() const override;
void decode_inner(const std::vector<uint8_t>&) override;
void contents_to(Data_Store&, Data_Store&) const override;

NameConstraints m_name_constraints;   // permitted/excluded subtrees
259  };
260 
261 /**
262 * Certificate Policies Extension
263 */
265  {
266  public:
/// Heap-allocated duplicate; the caller owns the returned object.
Certificate_Policies* copy() const override
   {
   return new Certificate_Policies(get_policy_oids());
   }
269 
270  Certificate_Policies() = default;
271  explicit Certificate_Policies(const std::vector<OID>& o) : m_oids(o) {}
272 
/// Deprecated: returns a copy of the policy OIDs; prefer get_policy_oids().
BOTAN_DEPRECATED("Use get_policy_oids")
std::vector<OID> get_oids() const
   {
   std::vector<OID> oids(m_oids);
   return oids;
   }
275 
276  const std::vector<OID>& get_policy_oids() const { return m_oids; }
277 
278  static OID static_oid() { return OID("2.5.29.32"); }
279  OID oid_of() const override { return static_oid(); }
280 
// Path-validation hook, defined out of line. cert_path is the chain being
// validated, pos an index into it, and cert_status the per-certificate status
// sets to which failure codes are added (cf. Unknown_Extension::validate below).
void validate(const X509_Certificate& subject, const X509_Certificate& issuer,
              const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
              std::vector<std::set<Certificate_Status_Code>>& cert_status,
              size_t pos) override;
285  private:
/// Human-readable name of this extension.
std::string oid_name() const override
   {
   return std::string("X509v3.CertificatePolicies");
   }
288 
289  bool should_encode() const override { return (m_oids.size() > 0); }
// Encode/decode the extension value and export its contents; defined out of line.
std::vector<uint8_t> encode_inner() const override;
void decode_inner(const std::vector<uint8_t>&) override;
void contents_to(Data_Store&, Data_Store&) const override;

std::vector<OID> m_oids;   // certificate policy OIDs
295  };
296 
297 /**
298 * Authority Information Access Extension
299 */
301  {
302  public:
304  { return new Authority_Information_Access(m_ocsp_responder, m_ca_issuers); }
305 
306  Authority_Information_Access() = default;
307 
/**
* @param ocsp the OCSP responder location (as a string)
* @param ca_issuers the caIssuers locations (as strings); empty by default
*/
explicit Authority_Information_Access(const std::string& ocsp, const std::vector<std::string>& ca_issuers = std::vector<std::string>()) :
   m_ocsp_responder(ocsp),
   m_ca_issuers(ca_issuers)
   {}
310 
311  std::string ocsp_responder() const { return m_ocsp_responder; }
312 
313  static OID static_oid() { return OID("1.3.6.1.5.5.7.1.1"); }
314  OID oid_of() const override { return static_oid(); }
315  const std::vector<std::string> ca_issuers() const { return m_ca_issuers; }
316 
317  private:
/// Human-readable name of this extension.
std::string oid_name() const override
   {
   return std::string("PKIX.AuthorityInformationAccess");
   }
320 
321  bool should_encode() const override { return (!m_ocsp_responder.empty()); }
322 
// Encode/decode the extension value; defined out of line.
std::vector<uint8_t> encode_inner() const override;
void decode_inner(const std::vector<uint8_t>&) override;

// Export the contents into a pair of Data_Store objects; defined out of line.
void contents_to(Data_Store&, Data_Store&) const override;

std::string m_ocsp_responder;            // OCSP responder location
std::vector<std::string> m_ca_issuers;   // caIssuers locations
330  };
331 
332 /**
333 * CRL Number Extension
334 */
336  {
337  public:
338  CRL_Number* copy() const override;
339 
340  CRL_Number() : m_has_value(false), m_crl_number(0) {}
341  CRL_Number(size_t n) : m_has_value(true), m_crl_number(n) {}
342 
343  size_t get_crl_number() const;
344 
345  static OID static_oid() { return OID("2.5.29.20"); }
346  OID oid_of() const override { return static_oid(); }
347 
348  private:
349  std::string oid_name() const override { return "X509v3.CRLNumber"; }
350 
351  bool should_encode() const override { return m_has_value; }
// Encode/decode the extension value and export its contents; defined out of line.
std::vector<uint8_t> encode_inner() const override;
void decode_inner(const std::vector<uint8_t>&) override;
void contents_to(Data_Store&, Data_Store&) const override;

bool m_has_value;      // whether a CRL number was supplied
size_t m_crl_number;   // the CRL number; 0 when absent
358  };
359 
360 /**
361 * CRL Entry Reason Code Extension
362 */
364  {
365  public:
/// Heap-allocated duplicate; the caller owns the returned object.
CRL_ReasonCode* copy() const override
   {
   return new CRL_ReasonCode(get_reason());
   }
368 
369  explicit CRL_ReasonCode(CRL_Code r = UNSPECIFIED) : m_reason(r) {}
370 
371  CRL_Code get_reason() const { return m_reason; }
372 
373  static OID static_oid() { return OID("2.5.29.21"); }
374  OID oid_of() const override { return static_oid(); }
375 
376  private:
377  std::string oid_name() const override { return "X509v3.ReasonCode"; }
378 
379  bool should_encode() const override { return (m_reason != UNSPECIFIED); }
// Encode/decode the extension value and export its contents; defined out of line.
std::vector<uint8_t> encode_inner() const override;
void decode_inner(const std::vector<uint8_t>&) override;
void contents_to(Data_Store&, Data_Store&) const override;

CRL_Code m_reason;   // revocation reason
385  };
386 
387 /**
388 * CRL Distribution Points Extension
389 * todo enforce restrictions from RFC 5280 4.2.1.13
390 */
392  {
393  public:
395  {
396  public:
// ASN.1 encode/decode of one distribution point; defined out of line.
void encode_into(class DER_Encoder&) const override;
void decode_from(class BER_Decoder&) override;
399 
400  const AlternativeName& point() const { return m_point; }
401  private:
402  AlternativeName m_point;
403  };
404 
/**
* Heap-allocated duplicate; the caller owns the returned object.
* Only m_distribution_points is passed on; m_crl_distribution_urls is left at
* its default in the copy.
*/
CRL_Distribution_Points* copy() const override
   {
   return new CRL_Distribution_Points(distribution_points());
   }
407 
408  CRL_Distribution_Points() = default;
409 
/// @param points the distribution points to carry, stored in the given order
explicit CRL_Distribution_Points(const std::vector<Distribution_Point>& points) :
   m_distribution_points(points)
   {}
412 
/// The distribution points (reference valid for the lifetime of this object).
const std::vector<Distribution_Point>& distribution_points() const
   {
   return m_distribution_points;
   }
415 
/**
* CRL distribution URLs as strings (reference valid for the lifetime of this object).
* NOTE(review): nothing in this header fills m_crl_distribution_urls; presumably
* decode_inner() does, so an instance built from the constructor may return an
* empty list here - confirm.
*/
const std::vector<std::string>& crl_distribution_urls() const
   {
   return m_crl_distribution_urls;
   }
418 
419  static OID static_oid() { return OID("2.5.29.31"); }
420  OID oid_of() const override { return static_oid(); }
421 
422  private:
/// Human-readable name of this extension.
std::string oid_name() const override
   {
   return std::string("X509v3.CRLDistributionPoints");
   }
425 
/// Encoded only when at least one distribution point is present.
bool should_encode() const override
   {
   const bool has_points = !m_distribution_points.empty();
   return has_points;
   }
428 
// Encode/decode the extension value and export its contents; defined out of line.
std::vector<uint8_t> encode_inner() const override;
void decode_inner(const std::vector<uint8_t>&) override;
void contents_to(Data_Store&, Data_Store&) const override;

std::vector<Distribution_Point> m_distribution_points;   // parsed points
std::vector<std::string> m_crl_distribution_urls;        // not set by the constructor; presumably filled by decode_inner()
435  };
436 
437 /**
438 * CRL Issuing Distribution Point Extension
439 * todo enforce restrictions from RFC 5280 5.2.5
440 */
442  {
443  public:
444  CRL_Issuing_Distribution_Point() = default;
445 
447  m_distribution_point(distribution_point) {}
448 
450  { return new CRL_Issuing_Distribution_Point(m_distribution_point); }
451 
/// The issuing distribution point name, as an AlternativeName.
const AlternativeName& get_point() const
   {
   const AlternativeName& name = m_distribution_point.point();
   return name;
   }
454 
455  static OID static_oid() { return OID("2.5.29.28"); }
456  OID oid_of() const override { return static_oid(); }
457 
458  private:
/// Human-readable name of this extension.
std::string oid_name() const override
   {
   return std::string("X509v3.CRLIssuingDistributionPoint");
   }
461 
462  bool should_encode() const override { return true; }
// Encode/decode the extension value and export its contents; defined out of line.
std::vector<uint8_t> encode_inner() const override;
void decode_inner(const std::vector<uint8_t>&) override;
void contents_to(Data_Store&, Data_Store&) const override;

CRL_Distribution_Points::Distribution_Point m_distribution_point;   // the single issuing point
468  };
469 
470 /**
471 * An unknown (unrecognised) X.509 extension.
472 * If marked critical, validate() records UNKNOWN_CRITICAL_EXTENSION in the path validation result for the certificate.
473 */
475  {
476  public:
/**
* @param oid the extension's OID, since no static OID exists for an unknown extension
* @param critical whether the extension was marked critical
* The raw contents (m_bytes) start empty.
*/
Unknown_Extension(const OID& oid, bool critical) :
   m_oid(oid),
   m_critical(critical)
   {}
479 
/**
* Heap-allocated duplicate; the caller owns the returned object.
* Only the OID and critical flag are passed on; m_bytes is not copied.
*/
Unknown_Extension* copy() const override
   {
   return new Unknown_Extension(m_oid, is_critical_extension());
   }
482 
/**
* Return the OID of this unknown extension (the one given at construction).
*/
OID oid_of() const override
   {
   OID extension_oid(m_oid);
   return extension_oid;
   }
488 
489  // static_oid() is deliberately not defined for Unknown_Extension: the OID is only known per instance (see oid_of()).
490 
/**
* Return the raw extension contents (reference valid for the lifetime of this object).
*/
const std::vector<uint8_t>& extension_contents() const
   {
   return m_bytes;
   }
495 
/**
* Return true if this extension was marked critical; a critical unknown
* extension causes validate() to record a failure.
*/
bool is_critical_extension() const
   {
   return m_critical;
   }
500 
502  const std::vector<std::shared_ptr<const X509_Certificate>>&,
503  std::vector<std::set<Certificate_Status_Code>>& cert_status,
504  size_t pos) override
505  {
506  if(m_critical)
507  {
508  cert_status.at(pos).insert(Certificate_Status_Code::UNKNOWN_CRITICAL_EXTENSION);
509  }
510  }
511 
512  private:
513  std::string oid_name() const override { return ""; }
514 
515  bool should_encode() const override { return true; }
// Encode/decode the extension value and export its contents; defined out of line.
std::vector<uint8_t> encode_inner() const override;
void decode_inner(const std::vector<uint8_t>&) override;
void contents_to(Data_Store&, Data_Store&) const override;

OID m_oid;                     // OID given at construction
bool m_critical;               // critical flag; drives validate()
std::vector<uint8_t> m_bytes;  // raw contents; empty after construction
523  };
524 
525  }
526 
527 }
528 
529 #endif