9#ifndef BOTAN_X509_EXTENSIONS_H_
10#define BOTAN_X509_EXTENSIONS_H_
12#include <botan/pkix_types.h>
28static const size_t NO_CERT_PATH_LIMIT = 0xFFFFFFF0;
35 std::unique_ptr<Certificate_Extension>
copy()
const override {
36 return std::make_unique<Basic_Constraints>(m_is_ca, m_path_length_constraint);
49 BOTAN_DEPRECATED(
"Use path_length_constraint") size_t get_path_limit() const;
51 bool is_ca()
const {
return m_is_ca; }
60 std::string oid_name()
const override {
return "X509v3.BasicConstraints"; }
62 std::vector<uint8_t> encode_inner()
const override;
63 void decode_inner(
const std::vector<uint8_t>& in)
override;
66 std::optional<size_t> m_path_length_constraint;
74 std::unique_ptr<Certificate_Extension>
copy()
const override {
75 return std::make_unique<Key_Usage>(m_constraints);
89 std::string oid_name()
const override {
return "X509v3.KeyUsage"; }
91 bool should_encode()
const override {
return !m_constraints.empty(); }
93 std::vector<uint8_t> encode_inner()
const override;
94 void decode_inner(
const std::vector<uint8_t>& in)
override;
96 Key_Constraints m_constraints;
108 Subject_Key_ID(
const std::vector<uint8_t>& public_key, std::string_view hash_fn);
110 std::unique_ptr<Certificate_Extension>
copy()
const override {
111 return std::make_unique<Subject_Key_ID>(m_key_id);
114 const std::vector<uint8_t>&
get_key_id()
const {
return m_key_id; }
121 std::string oid_name()
const override {
return "X509v3.SubjectKeyIdentifier"; }
123 bool should_encode()
const override {
return (!m_key_id.empty()); }
125 std::vector<uint8_t> encode_inner()
const override;
126 void decode_inner(
const std::vector<uint8_t>& in)
override;
128 std::vector<uint8_t> m_key_id;
136 std::unique_ptr<Certificate_Extension>
copy()
const override {
137 return std::make_unique<Authority_Key_ID>(m_key_id);
144 const std::vector<uint8_t>&
get_key_id()
const {
return m_key_id; }
151 std::string oid_name()
const override {
return "X509v3.AuthorityKeyIdentifier"; }
153 bool should_encode()
const override {
return (!m_key_id.empty()); }
155 std::vector<uint8_t> encode_inner()
const override;
156 void decode_inner(
const std::vector<uint8_t>& in)
override;
158 std::vector<uint8_t> m_key_id;
172 std::unique_ptr<Certificate_Extension>
copy()
const override {
173 return std::make_unique<Subject_Alternative_Name>(
get_alt_name());
179 std::string oid_name()
const override {
return "X509v3.SubjectAlternativeName"; }
181 bool should_encode()
const override {
return m_alt_name.has_items(); }
183 std::vector<uint8_t> encode_inner()
const override;
184 void decode_inner(
const std::vector<uint8_t>& in)
override;
186 AlternativeName m_alt_name;
200 std::unique_ptr<Certificate_Extension>
copy()
const override {
201 return std::make_unique<Issuer_Alternative_Name>(
get_alt_name());
207 std::string oid_name()
const override {
return "X509v3.IssuerAlternativeName"; }
209 bool should_encode()
const override {
return m_alt_name.has_items(); }
211 std::vector<uint8_t> encode_inner()
const override;
212 void decode_inner(
const std::vector<uint8_t>& in)
override;
214 AlternativeName m_alt_name;
222 std::unique_ptr<Certificate_Extension>
copy()
const override {
223 return std::make_unique<Extended_Key_Usage>(m_oids);
237 std::string oid_name()
const override {
return "X509v3.ExtendedKeyUsage"; }
239 bool should_encode()
const override {
return (!m_oids.empty()); }
241 std::vector<uint8_t> encode_inner()
const override;
242 void decode_inner(
const std::vector<uint8_t>& in)
override;
244 std::vector<OID> m_oids;
252 std::unique_ptr<Certificate_Extension>
copy()
const override {
253 return std::make_unique<Name_Constraints>(m_name_constraints);
262 const std::vector<X509_Certificate>& cert_path,
263 std::vector<std::set<Certificate_Status_Code>>& cert_status,
264 size_t pos)
override;
273 std::string oid_name()
const override {
return "X509v3.NameConstraints"; }
275 bool should_encode()
const override {
return true; }
277 std::vector<uint8_t> encode_inner()
const override;
278 void decode_inner(
const std::vector<uint8_t>& in)
override;
280 NameConstraints m_name_constraints;
288 std::unique_ptr<Certificate_Extension>
copy()
const override {
289 return std::make_unique<Certificate_Policies>(m_oids);
304 const std::vector<X509_Certificate>& cert_path,
305 std::vector<std::set<Certificate_Status_Code>>& cert_status,
306 size_t pos)
override;
309 std::string oid_name()
const override {
return "X509v3.CertificatePolicies"; }
311 bool should_encode()
const override {
return (!m_oids.empty()); }
313 std::vector<uint8_t> encode_inner()
const override;
314 void decode_inner(
const std::vector<uint8_t>& in)
override;
316 std::vector<OID> m_oids;
324 std::unique_ptr<Certificate_Extension>
copy()
const override {
325 return std::make_unique<Authority_Information_Access>(m_ocsp_responder, m_ca_issuers);
331 const std::vector<std::string>&
ca_issuers = std::vector<std::string>()) :
332 m_ocsp_responder(ocsp), m_ca_issuers(
ca_issuers) {}
340 const std::vector<std::string>&
ca_issuers()
const {
return m_ca_issuers; }
343 std::string oid_name()
const override {
return "PKIX.AuthorityInformationAccess"; }
345 bool should_encode()
const override {
return (!m_ocsp_responder.empty() || !m_ca_issuers.empty()); }
347 std::vector<uint8_t> encode_inner()
const override;
348 void decode_inner(
const std::vector<uint8_t>& in)
override;
350 std::string m_ocsp_responder;
351 std::vector<std::string> m_ca_issuers;
359 std::unique_ptr<Certificate_Extension>
copy()
const override;
365 size_t get_crl_number()
const;
372 std::string oid_name()
const override {
return "X509v3.CRLNumber"; }
374 bool should_encode()
const override {
return m_has_value; }
376 std::vector<uint8_t> encode_inner()
const override;
377 void decode_inner(
const std::vector<uint8_t>& in)
override;
388 std::unique_ptr<Certificate_Extension>
copy()
const override {
389 return std::make_unique<CRL_ReasonCode>(m_reason);
401 std::string oid_name()
const override {
return "X509v3.ReasonCode"; }
405 std::vector<uint8_t> encode_inner()
const override;
406 void decode_inner(
const std::vector<uint8_t>& in)
override;
430 std::unique_ptr<Certificate_Extension>
copy()
const override {
431 return std::make_unique<CRL_Distribution_Points>(m_distribution_points);
447 std::string oid_name()
const override {
return "X509v3.CRLDistributionPoints"; }
449 bool should_encode()
const override {
return !m_distribution_points.empty(); }
451 std::vector<uint8_t> encode_inner()
const override;
452 void decode_inner(
const std::vector<uint8_t>& in)
override;
454 std::vector<Distribution_Point> m_distribution_points;
455 std::vector<std::string> m_crl_distribution_urls;
467 m_distribution_point(distribution_point) {}
469 std::unique_ptr<Certificate_Extension>
copy()
const override {
470 return std::make_unique<CRL_Issuing_Distribution_Point>(m_distribution_point);
480 std::string
oid_name()
const override {
return "X509v3.CRLIssuingDistributionPoint"; }
485 void decode_inner(
const std::vector<uint8_t>& in)
override;
487 CRL_Distribution_Points::Distribution_Point m_distribution_point;
505 std::unique_ptr<Certificate_Extension>
copy()
const override {
return std::make_unique<OCSP_NoCheck>(); }
512 std::string
oid_name()
const override {
return "PKIX.OCSP.NoCheck"; }
516 std::vector<uint8_t>
encode_inner()
const override {
return {}; }
518 void decode_inner(
const std::vector<uint8_t>& in)
override;
548 const std::string& service_provider_code()
const;
550 const RangeContainer& telephone_number_range()
const;
552 const std::string& telephone_number()
const;
556 DataContainer m_data;
561 std::unique_ptr<Certificate_Extension>
copy()
const override {
return std::make_unique<TNAuthList>(*
this); }
567 const std::vector<Entry>&
entries()
const {
return m_tn_entries; }
570 std::string oid_name()
const override {
return "PKIX.TNAuthList"; }
572 bool should_encode()
const override {
return true; }
574 std::vector<uint8_t> encode_inner()
const override;
575 void decode_inner(
const std::vector<uint8_t>& in)
override;
577 std::vector<Entry> m_tn_entries;
595 static constexpr size_t Length =
static_cast<size_t>(V);
598 explicit IPAddress(std::span<const uint8_t> v);
600 std::array<uint8_t, Length>
value()
const {
return m_value; }
607 for(
auto it = m_value.rbegin(); it != m_value.rend(); it++) {
619 for(
size_t i = 0; i < rhs; i++) {
626 for(
size_t i = 0; i < Length; i++) {
628 return std::strong_ordering::less;
630 return std::strong_ordering::greater;
633 return std::strong_ordering::equal;
640 std::array<uint8_t, Length> m_value;
665 IPAddress<V> m_max{};
667 IPAddress<V> decode_single_address(std::vector<uint8_t> decoded,
bool min);
676 const std::optional<std::vector<IPAddressOrRange<V>>>&
ranges()
const {
return m_ip_addr_ranges; }
683 std::optional<std::vector<IPAddressOrRange<V>>> m_ip_addr_ranges;
696 m_safi(
safi), m_ip_addr_choice(choice) {
704 uint16_t
afi()
const {
return m_afi; }
706 std::optional<uint8_t>
safi()
const {
return m_safi; }
712 std::optional<uint8_t> m_safi;
713 AddrChoice m_ip_addr_choice;
718 explicit IPAddressBlocks(
const std::vector<IPAddressFamily>& blocks) : m_ip_addr_blocks(blocks) {
719 this->sort_and_merge();
722 std::unique_ptr<Certificate_Extension>
copy()
const override {
return std::make_unique<IPAddressBlocks>(*
this); }
730 const std::vector<X509_Certificate>& cert_path,
731 std::vector<std::set<Certificate_Status_Code>>& cert_status,
732 size_t pos)
override;
736 void add_address(
const std::array<uint8_t,
static_cast<size_t>(V)>& address,
737 std::optional<uint8_t> safi = std::nullopt) {
743 void add_address(
const std::array<uint8_t,
static_cast<std::size_t
>(V)>& min,
744 const std::array<uint8_t,
static_cast<std::size_t
>(V)>& max,
745 std::optional<uint8_t> safi = std::nullopt) {
753 void restrict(std::optional<uint8_t> safi = std::nullopt) {
754 std::vector<IPAddressOrRange<V>> addresses = {};
761 void inherit(std::optional<uint8_t> safi = std::nullopt) {
766 const std::vector<IPAddressFamily>&
addr_blocks()
const {
return m_ip_addr_blocks; }
769 std::string oid_name()
const override {
return "PKIX.IpAddrBlocks"; }
771 bool should_encode()
const override {
return true; }
773 std::vector<uint8_t> encode_inner()
const override;
774 void decode_inner(
const std::vector<uint8_t>& in)
override;
776 std::vector<IPAddressFamily> m_ip_addr_blocks;
778 void sort_and_merge();
780 IPAddressFamily merge(std::vector<IPAddressFamily>& blocks);
826 const std::optional<std::vector<ASIdOrRange>>&
ranges()
const {
return m_as_ranges; }
829 std::optional<std::vector<ASIdOrRange>> m_as_ranges;
838 const std::optional<ASIdentifierChoice>&
rdi) :
840 if(!m_asnum.has_value() && !m_rdi.has_value()) {
841 throw Decoding_Error(
"One of asnum, rdi must be present");
845 const std::optional<ASIdentifierChoice>&
asnum()
const {
return m_asnum; }
847 const std::optional<ASIdentifierChoice>&
rdi()
const {
return m_rdi; }
853 std::optional<ASIdentifierChoice> m_asnum;
854 std::optional<ASIdentifierChoice> m_rdi;
861 std::unique_ptr<Certificate_Extension>
copy()
const override {
return std::make_unique<ASBlocks>(*
this); }
869 const std::vector<X509_Certificate>& cert_path,
870 std::vector<std::set<Certificate_Status_Code>>& cert_status,
871 size_t pos)
override;
878 m_as_identifiers =
ASIdentifiers(add_new(m_as_identifiers.asnum(), min, max), m_as_identifiers.rdi());
883 std::vector<ASIdOrRange> empty;
895 m_as_identifiers =
ASIdentifiers(m_as_identifiers.asnum(), add_new(m_as_identifiers.rdi(), min, max));
900 std::vector<ASIdOrRange> empty;
910 ASIdentifiers m_as_identifiers;
912 std::string oid_name()
const override {
return "PKIX.AutonomousSysIds"; }
914 bool should_encode()
const override {
return true; }
916 static ASIdentifierChoice add_new(
const std::optional<ASIdentifierChoice>& old, asnum_t min, asnum_t max);
918 std::vector<uint8_t> encode_inner()
const override;
919 void decode_inner(
const std::vector<uint8_t>& in)
override;
930 std::unique_ptr<Certificate_Extension>
copy()
const override {
931 return std::make_unique<Unknown_Extension>(m_oid, m_critical);
953 const std::vector<X509_Certificate>& ,
954 std::vector<std::set<Certificate_Status_Code>>& cert_status,
955 size_t pos)
override {
962 std::string oid_name()
const override {
return ""; }
964 bool should_encode()
const override {
return true; }
966 std::vector<uint8_t> encode_inner()
const override;
967 void decode_inner(
const std::vector<uint8_t>& in)
override;
971 std::vector<uint8_t> m_bytes;
#define BOTAN_PUBLIC_API(maj, min)
#define BOTAN_DEPRECATED(msg)
#define BOTAN_FUTURE_EXPLICIT
void encode_into(DER_Encoder &to) const override
ASIdOrRange(asnum_t min, asnum_t max)
void decode_from(BER_Decoder &from) override
void encode_into(DER_Encoder &to) const override
ASIdentifierChoice()=default
void decode_from(BER_Decoder &from) override
const std::optional< std::vector< ASIdOrRange > > & ranges() const
const std::optional< ASIdentifierChoice > & asnum() const
ASIdentifiers(const std::optional< ASIdentifierChoice > &asnum, const std::optional< ASIdentifierChoice > &rdi)
const std::optional< ASIdentifierChoice > & rdi() const
void encode_into(DER_Encoder &to) const override
void decode_from(BER_Decoder &from) override
void inherit_asnum()
Mark the asnum entry as 'inherit'.
void restrict_rdi()
Make the extension contain no allowed rdi's.
void inherit_rdi()
Mark the rdi entry as 'inherit'.
void add_rdi(asnum_t min, asnum_t max)
Add an rdi range to this extension.
const ASIdentifiers & as_identifiers() const
ASBlocks(const ASIdentifiers &as_idents)
OID oid_of() const override
void restrict_asnum()
Make the extension contain no allowed asnum's.
std::unique_ptr< Certificate_Extension > copy() const override
void add_asnum(asnum_t asnum)
Add a single asnum to this extension.
void add_rdi(asnum_t rdi)
Add a single rdi to this extension.
void add_asnum(asnum_t min, asnum_t max)
Add an asnum range to this extension.
Authority_Key_ID(const std::vector< uint8_t > &k)
OID oid_of() const override
Authority_Key_ID()=default
std::unique_ptr< Certificate_Extension > copy() const override
const std::vector< uint8_t > & get_key_id() const
OID oid_of() const override
BOTAN_FUTURE_EXPLICIT Basic_Constraints(bool is_ca=false, size_t path_length_constraint=0)
std::unique_ptr< Certificate_Extension > copy() const override
std::optional< size_t > path_length_constraint() const
void encode_into(DER_Encoder &to) const override
Distribution_Point(const AlternativeName &name=AlternativeName())
void decode_from(BER_Decoder &from) override
const AlternativeName & point() const
CRL_Distribution_Points(const std::vector< Distribution_Point > &points)
CRL_Distribution_Points()=default
OID oid_of() const override
std::unique_ptr< Certificate_Extension > copy() const override
const std::vector< std::string > & crl_distribution_urls() const
const std::vector< Distribution_Point > & distribution_points() const
const AlternativeName & get_point() const
OID oid_of() const override
std::unique_ptr< Certificate_Extension > copy() const override
CRL_Issuing_Distribution_Point(const CRL_Distribution_Points::Distribution_Point &distribution_point)
CRL_Issuing_Distribution_Point()=default
OID oid_of() const override
std::unique_ptr< Certificate_Extension > copy() const override
BOTAN_FUTURE_EXPLICIT CRL_Number(size_t n)
std::unique_ptr< Certificate_Extension > copy() const override
CRL_Code get_reason() const
CRL_ReasonCode(CRL_Code r=CRL_Code::Unspecified)
OID oid_of() const override
Certificate_Policies()=default
const std::vector< OID > & get_policy_oids() const
std::unique_ptr< Certificate_Extension > copy() const override
Certificate_Policies(const std::vector< OID > &o)
OID oid_of() const override
OID oid_of() const override
const std::vector< OID > & object_identifiers() const
std::unique_ptr< Certificate_Extension > copy() const override
Extended_Key_Usage()=default
Extended_Key_Usage(const std::vector< OID > &o)
const std::optional< std::vector< IPAddressOrRange< V > > > & ranges() const
void decode_from(BER_Decoder &from) override
void encode_into(DER_Encoder &to) const override
IPAddressChoice()=default
IPAddressChoice(std::optional< std::span< const IPAddressOrRange< V > > > ranges)
void encode_into(DER_Encoder &to) const override
std::variant< IPAddressChoice< Version::IPv4 >, IPAddressChoice< Version::IPv6 > > AddrChoice
IPAddressFamily(const AddrChoice &choice, std::optional< uint8_t > safi=std::nullopt)
std::optional< uint8_t > safi() const
void decode_from(BER_Decoder &from) override
const AddrChoice & addr_choice() const
IPAddressFamily()=default
IPAddress< V > min() const
void encode_into(DER_Encoder &to) const override
IPAddressOrRange(const IPAddress< V > &min, const IPAddress< V > &max)
IPAddressOrRange(const IPAddress< V > &addr)
IPAddressOrRange()=default
void decode_from(BER_Decoder &from) override
IPAddress< V > max() const
IPAddress(std::span< const uint8_t > v)
friend class IPAddressBlocks
friend bool operator==(const IPAddress< V > &lhs, const IPAddress< V > &rhs)
friend IPAddress< V > operator+(IPAddress< V > lhs, size_t rhs)
friend std::strong_ordering operator<=>(const IPAddress< V > lhs, const IPAddress< V > &rhs)
std::array< uint8_t, Length > value() const
void inherit(std::optional< uint8_t > safi=std::nullopt)
Mark the specified IP version as 'inherit' (for the specified SAFI, if any)
void add_address(const std::array< uint8_t, static_cast< size_t >(V)> &address, std::optional< uint8_t > safi=std::nullopt)
Add a single IP address to this extension (for the specified SAFI, if any)
IPAddressBlocks()=default
std::unique_ptr< Certificate_Extension > copy() const override
void restrict(std::optional< uint8_t > safi=std::nullopt)
Make the extension contain no allowed IP addresses for the specified IP version (and SAFI,...
void add_address(const std::array< uint8_t, static_cast< std::size_t >(V)> &min, const std::array< uint8_t, static_cast< std::size_t >(V)> &max, std::optional< uint8_t > safi=std::nullopt)
Add an IP address range to this extension (for the specified SAFI, if any)
const std::vector< IPAddressFamily > & addr_blocks() const
IPAddressBlocks(const std::vector< IPAddressFamily > &blocks)
OID oid_of() const override
std::unique_ptr< Certificate_Extension > copy() const override
const AlternativeName & get_alt_name() const
Issuer_Alternative_Name(const AlternativeName &name=AlternativeName())
OID oid_of() const override
std::unique_ptr< Certificate_Extension > copy() const override
OID oid_of() const override
Key_Usage(Key_Constraints c)
Key_Constraints get_constraints() const
BOTAN_FUTURE_EXPLICIT Name_Constraints(const NameConstraints &nc)
OID oid_of() const override
const NameConstraints & get_name_constraints() const
std::unique_ptr< Certificate_Extension > copy() const override
Name_Constraints()=default
std::unique_ptr< Certificate_Extension > copy() const override
OID oid_of() const override
const AlternativeName & get_alt_name() const
OID oid_of() const override
Subject_Alternative_Name(const AlternativeName &name=AlternativeName())
std::unique_ptr< Certificate_Extension > copy() const override
OID oid_of() const override
Subject_Key_ID(const std::vector< uint8_t > &k)
std::unique_ptr< Certificate_Extension > copy() const override
const std::vector< uint8_t > & get_key_id() const
std::vector< TelephoneNumberRangeData > RangeContainer
void decode_from(class BER_Decoder &from) override
void encode_into(DER_Encoder &to) const override
std::variant< ASN1_String, RangeContainer > DataContainer
std::unique_ptr< Certificate_Extension > copy() const override
OID oid_of() const override
const std::vector< Entry > & entries() const
void validate(const X509_Certificate &, const X509_Certificate &, const std::vector< X509_Certificate > &, std::vector< std::set< Certificate_Status_Code > > &cert_status, size_t pos) override
OID oid_of() const override
std::unique_ptr< Certificate_Extension > copy() const override
Unknown_Extension(const OID &oid, bool critical)
const std::vector< uint8_t > & extension_contents() const
bool is_critical_extension() const
virtual bool should_encode() const
virtual std::string oid_name() const =0
virtual std::vector< uint8_t > encode_inner() const =0
@ UNKNOWN_CRITICAL_EXTENSION