1/*
2* X.509 Certificate Extensions
3* (C) 1999-2007,2012 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#ifndef BOTAN_X509_EXTENSIONS_H_
9#define BOTAN_X509_EXTENSIONS_H_
10
11#include <botan/pkix_types.h>
12#include <set>
13
14namespace Botan {
15
16class Data_Store;
17class X509_Certificate;
18
19namespace Cert_Extension {
20
// Sentinel meaning "no pathLenConstraint". Presumably what Basic_Constraints::get_path_limit()
// yields for an unbounded CA (its body is out of line; confirm in x509_ext.cpp). Kept well
// below SIZE_MAX on 32-bit targets so a "depth + 1" comparison against it cannot wrap.
static const size_t NO_CERT_PATH_LIMIT = 0xFFFFFFF0;
22
23/**
24* Basic Constraints Extension
25*/
27 {
28 public:
/** Heap-allocated clone carrying the same cA flag and path limit; ownership passes to the caller. */
Basic_Constraints* copy() const override
   {
   auto* clone = new Basic_Constraints(m_is_ca, m_path_limit);
   return clone;
   }
31
/**
* @param ca    value of the cA flag (true for a CA certificate)
* @param limit pathLenConstraint; how it is reported for a non-CA is decided by
*              get_path_limit(), which is defined out of line
* Not explicit: a bare bool converts implicitly to Basic_Constraints, so callers
* should pass both arguments deliberately.
*/
Basic_Constraints(bool ca = false, size_t limit = 0) :
   m_is_ca{ca},
   m_path_limit{limit}
   {}
34
/** Return the cA flag as stored in the extension. */
bool get_is_ca() const { return m_is_ca; }
36 size_t get_path_limit() const;
37
/** OID of the BasicConstraints extension (id-ce 19). */
static OID static_oid() { return OID("2.5.29.19"); }
/** Virtual accessor forwarding to static_oid(). */
OID oid_of() const override { return static_oid(); }
40
41 private:
/** Human-readable name used when this extension is reported or looked up by name. */
std::string oid_name() const override
{ return "X509v3.BasicConstraints"; }
44
45 std::vector<uint8_t> encode_inner() const override;
46 void decode_inner(const std::vector<uint8_t>&) override;
47 void contents_to(Data_Store&, Data_Store&) const override;
48
49 bool m_is_ca;
50 size_t m_path_limit;
51 };
52
53/**
54* Key Usage Constraints Extension
55*/
57 {
58 public:
/** Heap-allocated clone with the same constraint bits; ownership passes to the caller. */
Key_Usage* copy() const override
   {
   auto* clone = new Key_Usage(m_constraints);
   return clone;
   }
60
/** @param c key usage bit set; NO_CONSTRAINTS means the extension is absent (see should_encode). */
explicit Key_Usage(Key_Constraints c = NO_CONSTRAINTS) :
   m_constraints{c}
   {}
62
/** Return the decoded KeyUsage bits (NO_CONSTRAINTS when none were set). */
Key_Constraints get_constraints() const { return m_constraints; }
64
/** OID of the KeyUsage extension (id-ce 15). */
static OID static_oid() { return OID("2.5.29.15"); }
/** Virtual accessor forwarding to static_oid(). */
OID oid_of() const override { return static_oid(); }
67
68 private:
/** Human-readable name used when this extension is reported or looked up by name. */
std::string oid_name() const override { return "X509v3.KeyUsage"; }
70
/**
* The extension is only emitted when at least one usage bit is set.
* Consequence: an explicitly empty KeyUsage cannot be encoded through this class.
*/
bool should_encode() const override
   {
   const bool has_bits = (m_constraints != NO_CONSTRAINTS);
   return has_bits;
   }
73 std::vector<uint8_t> encode_inner() const override;
74 void decode_inner(const std::vector<uint8_t>&) override;
75 void contents_to(Data_Store&, Data_Store&) const override;
76
77 Key_Constraints m_constraints;
78 };
79
80/**
81* Subject Key Identifier Extension
82*/
84 {
85 public:
/** Empty key identifier; such an object is skipped on encode (see should_encode). */
Subject_Key_ID() = default;
87
/** @param k raw SubjectKeyIdentifier octets, stored verbatim. */
explicit Subject_Key_ID(const std::vector<uint8_t>& k) :
   m_key_id(k.begin(), k.end())
   {}
89
90 Subject_Key_ID(const std::vector<uint8_t>& public_key,
91 const std::string& hash_fn);
92
/** Heap-allocated clone of the key identifier; ownership passes to the caller. */
Subject_Key_ID* copy() const override
   {
   auto* clone = new Subject_Key_ID(m_key_id);
   return clone;
   }
95
/** Reference to the stored identifier; valid only as long as this object lives. */
const std::vector<uint8_t>& get_key_id() const { return m_key_id; }
97
/** OID of the SubjectKeyIdentifier extension (id-ce 14). */
static OID static_oid() { return OID("2.5.29.14"); }
/** Virtual accessor forwarding to static_oid(). */
OID oid_of() const override { return static_oid(); }
100
101 private:
102
/** Human-readable name used when this extension is reported or looked up by name. */
std::string oid_name() const override
{ return "X509v3.SubjectKeyIdentifier"; }
105
/** Emit only when a key identifier is present. */
bool should_encode() const override
   {
   return !m_key_id.empty();
   }
107 std::vector<uint8_t> encode_inner() const override;
108 void decode_inner(const std::vector<uint8_t>&) override;
109 void contents_to(Data_Store&, Data_Store&) const override;
110
111 std::vector<uint8_t> m_key_id;
112 };
113
114/**
115* Authority Key Identifier Extension
116*/
118 {
119 public:
/** Heap-allocated clone of the key identifier; ownership passes to the caller. */
Authority_Key_ID* copy() const override
   {
   auto* clone = new Authority_Key_ID(m_key_id);
   return clone;
   }
122
/** Empty key identifier; such an object is skipped on encode (see should_encode). */
Authority_Key_ID() = default;
/** @param k raw keyIdentifier octets of the issuing CA, stored verbatim. */
explicit Authority_Key_ID(const std::vector<uint8_t>& k) :
   m_key_id(k.begin(), k.end())
   {}
125
/** Reference to the stored identifier; valid only as long as this object lives. */
const std::vector<uint8_t>& get_key_id() const { return m_key_id; }
127
/** OID of the AuthorityKeyIdentifier extension (id-ce 35). */
static OID static_oid() { return OID("2.5.29.35"); }
/** Virtual accessor forwarding to static_oid(). */
OID oid_of() const override { return static_oid(); }
130
131 private:
/** Human-readable name used when this extension is reported or looked up by name. */
std::string oid_name() const override
{ return "X509v3.AuthorityKeyIdentifier"; }
134
/** Emit only when a key identifier is present. */
bool should_encode() const override
   {
   return !m_key_id.empty();
   }
136 std::vector<uint8_t> encode_inner() const override;
137 void decode_inner(const std::vector<uint8_t>&) override;
138 void contents_to(Data_Store&, Data_Store&) const override;
139
140 std::vector<uint8_t> m_key_id;
141 };
142
143/**
144* Subject Alternative Name Extension
145*/
147 {
148 public:
/** Reference to the decoded GeneralNames; valid only as long as this object lives. */
const AlternativeName& get_alt_name() const { return m_alt_name; }
150
/** OID of the SubjectAltName extension (id-ce 17). */
static OID static_oid() { return OID("2.5.29.17"); }
/** Virtual accessor forwarding to static_oid(). */
OID oid_of() const override { return static_oid(); }
153
155 { return new Subject_Alternative_Name(get_alt_name()); }
156
158 m_alt_name(name) {}
159
160 private:
/** Human-readable name used when this extension is reported or looked up by name. */
std::string oid_name() const override { return "X509v3.SubjectAlternativeName"; }
162
/** Emit only when at least one name entry is present (an empty SAN is never written). */
bool should_encode() const override { return m_alt_name.has_items(); }
164 std::vector<uint8_t> encode_inner() const override;
165 void decode_inner(const std::vector<uint8_t>&) override;
166 void contents_to(Data_Store&, Data_Store&) const override;
167
168 AlternativeName m_alt_name;
169 };
170
171/**
172* Issuer Alternative Name Extension
173*/
175 {
176 public:
/** Reference to the decoded GeneralNames; valid only as long as this object lives. */
const AlternativeName& get_alt_name() const { return m_alt_name; }
178
/** OID of the IssuerAltName extension (id-ce 18). */
static OID static_oid() { return OID("2.5.29.18"); }
/** Virtual accessor forwarding to static_oid(). */
OID oid_of() const override { return static_oid(); }
181
183 { return new Issuer_Alternative_Name(get_alt_name()); }
184
186 m_alt_name(name) {}
187
188 private:
/** Human-readable name used when this extension is reported or looked up by name. */
std::string oid_name() const override { return "X509v3.IssuerAlternativeName"; }
190
/** Emit only when at least one name entry is present. */
bool should_encode() const override { return m_alt_name.has_items(); }
192 std::vector<uint8_t> encode_inner() const override;
193 void decode_inner(const std::vector<uint8_t>&) override;
194 void contents_to(Data_Store&, Data_Store&) const override;
195
196 AlternativeName m_alt_name;
197 };
198
199/**
200* Extended Key Usage Extension
201*/
203 {
204 public:
/** Heap-allocated clone of the EKU OID list; ownership passes to the caller. */
Extended_Key_Usage* copy() const override
   {
   auto* clone = new Extended_Key_Usage(m_oids);
   return clone;
   }
207
/** @param o KeyPurposeId OIDs, stored in the order given (order is preserved on encode). */
explicit Extended_Key_Usage(const std::vector<OID>& o) :
   m_oids(o.begin(), o.end())
   {}
210
/** Reference to the KeyPurposeId list; valid only as long as this object lives. */
const std::vector<OID>& get_oids() const { return m_oids; }
212
/** OID of the ExtendedKeyUsage extension (id-ce 37). */
static OID static_oid() { return OID("2.5.29.37"); }
/** Virtual accessor forwarding to static_oid(). */
OID oid_of() const override { return static_oid(); }
215
216 private:
/** Human-readable name used when this extension is reported or looked up by name. */
std::string oid_name() const override { return "X509v3.ExtendedKeyUsage"; }
218
/** Emit only when at least one KeyPurposeId is present. */
bool should_encode() const override
   {
   return !m_oids.empty();
   }
220 std::vector<uint8_t> encode_inner() const override;
221 void decode_inner(const std::vector<uint8_t>&) override;
222 void contents_to(Data_Store&, Data_Store&) const override;
223
224 std::vector<OID> m_oids;
225 };
226
227/**
228* Name Constraints
229*/
231 {
232 public:
/** Heap-allocated clone of the permitted/excluded subtrees; ownership passes to the caller. */
Name_Constraints* copy() const override
   {
   auto* clone = new Name_Constraints(m_name_constraints);
   return clone;
   }
235
/** No subtrees; note should_encode() is unconditionally true for this class. */
Name_Constraints() = default;
/**
* @param nc permitted and excluded subtrees to enforce in validate().
* Not explicit, unlike the sibling constructors in this file, so NameConstraints
* converts implicitly to this extension type.
*/
Name_Constraints(const NameConstraints &nc) : m_name_constraints(nc) {}
238
239 void validate(const X509_Certificate& subject, const X509_Certificate& issuer,
240 const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
241 std::vector<std::set<Certificate_Status_Code>>& cert_status,
242 size_t pos) override;
243
/** Reference to the stored subtrees; valid only as long as this object lives. */
const NameConstraints& get_name_constraints() const { return m_name_constraints; }
245
/** OID of the NameConstraints extension (id-ce 30). */
static OID static_oid() { return OID("2.5.29.30"); }
/** Virtual accessor forwarding to static_oid(). */
OID oid_of() const override { return static_oid(); }
248
249 private:
/** Human-readable name used when this extension is reported or looked up by name. */
std::string oid_name() const override
{ return "X509v3.NameConstraints"; }
252
/** Always encoded, even with no subtrees -- unlike the size-gated siblings in this file. */
bool should_encode() const override { return true; }
254 std::vector<uint8_t> encode_inner() const override;
255 void decode_inner(const std::vector<uint8_t>&) override;
256 void contents_to(Data_Store&, Data_Store&) const override;
257
258 NameConstraints m_name_constraints;
259 };
260
261/**
262* Certificate Policies Extension
263*/
265 {
266 public:
/** Heap-allocated clone of the policy OID list; ownership passes to the caller. */
Certificate_Policies* copy() const override
   {
   auto* clone = new Certificate_Policies(m_oids);
   return clone;
   }
269
/** @param o certificate policy OIDs, stored in the order given. */
explicit Certificate_Policies(const std::vector<OID>& o) :
   m_oids(o.begin(), o.end())
   {}
272
/** Deprecated by-value copy of the policy list; prefer get_policy_oids(). */
BOTAN_DEPRECATED("Use get_policy_oids")
std::vector<OID> get_oids() const { return m_oids; }
275
/** Reference to the policy OID list; valid only as long as this object lives. */
const std::vector<OID>& get_policy_oids() const { return m_oids; }
277
/** OID of the CertificatePolicies extension (id-ce 32). */
static OID static_oid() { return OID("2.5.29.32"); }
/** Virtual accessor forwarding to static_oid(). */
OID oid_of() const override { return static_oid(); }
280
281 void validate(const X509_Certificate& subject, const X509_Certificate& issuer,
282 const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
283 std::vector<std::set<Certificate_Status_Code>>& cert_status,
284 size_t pos) override;
285 private:
/** Human-readable name used when this extension is reported or looked up by name. */
std::string oid_name() const override
{ return "X509v3.CertificatePolicies"; }
288
/** Emit only when at least one policy OID is present. */
bool should_encode() const override
   {
   return !m_oids.empty();
   }
290 std::vector<uint8_t> encode_inner() const override;
291 void decode_inner(const std::vector<uint8_t>&) override;
292 void contents_to(Data_Store&, Data_Store&) const override;
293
294 std::vector<OID> m_oids;
295 };
296
297/**
298* Authority Information Access Extension
299*/
301 {
302 public:
304 { return new Authority_Information_Access(m_ocsp_responder, m_ca_issuers); }
305
307
/**
* @param ocsp       OCSP responder URI; an empty string suppresses encoding of the
*                   whole extension (see should_encode), including any ca_issuers
* @param ca_issuers caIssuers access URIs
*/
explicit Authority_Information_Access(const std::string& ocsp, const std::vector<std::string>& ca_issuers = std::vector<std::string>()) :
   m_ocsp_responder(ocsp.begin(), ocsp.end()),
   m_ca_issuers(ca_issuers.begin(), ca_issuers.end())
   {}
310
/** Copy of the OCSP responder URI (empty if none). */
std::string ocsp_responder() const { return m_ocsp_responder; }
312
/** OID of the AuthorityInformationAccess extension (id-pe 1). */
static OID static_oid() { return OID("1.3.6.1.5.5.7.1.1"); }
/** Virtual accessor forwarding to static_oid(). */
OID oid_of() const override { return static_oid(); }
/**
* Copy of the caIssuers URIs. The const-qualified by-value return defeats move
* elision at the call site; a const& return (as get_key_id() uses) would avoid the copy.
*/
const std::vector<std::string> ca_issuers() const { return m_ca_issuers; }
316
317 private:
/** Human-readable name used when this extension is reported or looked up by name. */
std::string oid_name() const override
{ return "PKIX.AuthorityInformationAccess"; }
320
/**
* Gated on the OCSP responder only: an AIA carrying just caIssuers URIs and no
* OCSP URI is silently dropped from the encoded certificate.
*/
bool should_encode() const override
   {
   const bool has_ocsp = !m_ocsp_responder.empty();
   return has_ocsp;
   }
322
323 std::vector<uint8_t> encode_inner() const override;
324 void decode_inner(const std::vector<uint8_t>&) override;
325
326 void contents_to(Data_Store&, Data_Store&) const override;
327
328 std::string m_ocsp_responder;
329 std::vector<std::string> m_ca_issuers;
330 };
331
332/**
333* CRL Number Extension
334*/
336 {
337 public:
338 CRL_Number* copy() const override;
339
/** "No number" state; such an object is skipped on encode (see should_encode). */
CRL_Number() :
   m_has_value{false},
   m_crl_number{0}
   {}
/**
* @param n the CRL number. Not explicit, so any integer (or bool) converts implicitly
* to CRL_Number; callers should construct it by name.
*/
CRL_Number(size_t n) :
   m_has_value{true},
   m_crl_number{n}
   {}
342
343 size_t get_crl_number() const;
344
/** OID of the CRLNumber extension (id-ce 20). */
static OID static_oid() { return OID("2.5.29.20"); }
/** Virtual accessor forwarding to static_oid(). */
OID oid_of() const override { return static_oid(); }
347
348 private:
/** Human-readable name used when this extension is reported or looked up by name. */
std::string oid_name() const override { return "X509v3.CRLNumber"; }
350
/** Emit only when constructed with a number (m_has_value set by the size_t constructor). */
bool should_encode() const override { return m_has_value; }
352 std::vector<uint8_t> encode_inner() const override;
353 void decode_inner(const std::vector<uint8_t>&) override;
354 void contents_to(Data_Store&, Data_Store&) const override;
355
356 bool m_has_value;
357 size_t m_crl_number;
358 };
359
360/**
361* CRL Entry Reason Code Extension
362*/
364 {
365 public:
/** Heap-allocated clone with the same reason code; ownership passes to the caller. */
CRL_ReasonCode* copy() const override
   {
   auto* clone = new CRL_ReasonCode(m_reason);
   return clone;
   }
368
/** @param r revocation reason; UNSPECIFIED means the extension is omitted (see should_encode). */
explicit CRL_ReasonCode(CRL_Code r = UNSPECIFIED) :
   m_reason{r}
   {}
370
/** Return the stored revocation reason (UNSPECIFIED when absent). */
CRL_Code get_reason() const { return m_reason; }
372
/** OID of the CRL entry ReasonCode extension (id-ce 21). */
static OID static_oid() { return OID("2.5.29.21"); }
/** Virtual accessor forwarding to static_oid(). */
OID oid_of() const override { return static_oid(); }
375
376 private:
/** Human-readable name used when this extension is reported or looked up by name. */
std::string oid_name() const override { return "X509v3.ReasonCode"; }
378
/** Emit only for a concrete reason; an explicit UNSPECIFIED entry cannot be written through this class. */
bool should_encode() const override
   {
   const bool has_reason = (m_reason != UNSPECIFIED);
   return has_reason;
   }
380 std::vector<uint8_t> encode_inner() const override;
381 void decode_inner(const std::vector<uint8_t>&) override;
382 void contents_to(Data_Store&, Data_Store&) const override;
383
384 CRL_Code m_reason;
385 };
386
387/**
388* CRL Distribution Points Extension
* TODO: enforce the restrictions of RFC 5280 section 4.2.1.13
390*/
392 {
393 public:
395 {
396 public:
397 void encode_into(class DER_Encoder&) const override;
398 void decode_from(class BER_Decoder&) override;
399
/** The distributionPoint GeneralNames; reference valid only as long as this object lives. */
const AlternativeName& point() const { return m_point; }
401 private:
402 AlternativeName m_point;
403 };
404
406 { return new CRL_Distribution_Points(m_distribution_points); }
407
409
/**
* @param points distribution points, stored in the order given. m_crl_distribution_urls
* is not derived here; presumably decode_inner() fills it (confirm in x509_ext.cpp).
*/
explicit CRL_Distribution_Points(const std::vector<Distribution_Point>& points) :
   m_distribution_points(points.begin(), points.end())
   {}
412
/** Reference to the stored distribution points; valid only as long as this object lives. */
const std::vector<Distribution_Point>& distribution_points() const
{ return m_distribution_points; }
415
/**
* Flattened URL list. Nothing in this header populates m_crl_distribution_urls,
* so it is presumably set during decode_inner(); objects built via the constructor
* may return an empty list here.
*/
const std::vector<std::string>& crl_distribution_urls() const
{ return m_crl_distribution_urls; }
418
/** OID of the CRLDistributionPoints extension (id-ce 31). */
static OID static_oid() { return OID("2.5.29.31"); }
/** Virtual accessor forwarding to static_oid(). */
OID oid_of() const override { return static_oid(); }
421
422 private:
/** Human-readable name used when this extension is reported or looked up by name. */
std::string oid_name() const override
{ return "X509v3.CRLDistributionPoints"; }
425
/** Emit only when at least one distribution point is present. */
bool should_encode() const override
   {
   const bool has_points = !m_distribution_points.empty();
   return has_points;
   }
428
429 std::vector<uint8_t> encode_inner() const override;
430 void decode_inner(const std::vector<uint8_t>&) override;
431 void contents_to(Data_Store&, Data_Store&) const override;
432
433 std::vector<Distribution_Point> m_distribution_points;
434 std::vector<std::string> m_crl_distribution_urls;
435 };
436
437/**
438* CRL Issuing Distribution Point Extension
* TODO: enforce the restrictions of RFC 5280 section 5.2.5
440*/
442 {
443 public:
445
447 m_distribution_point(distribution_point) {}
448
450 { return new CRL_Issuing_Distribution_Point(m_distribution_point); }
451
453 { return m_distribution_point.point(); }
454
/** OID of the IssuingDistributionPoint CRL extension (id-ce 28). */
static OID static_oid() { return OID("2.5.29.28"); }
/** Virtual accessor forwarding to static_oid(). */
OID oid_of() const override { return static_oid(); }
457
458 private:
/** Human-readable name used when this extension is reported or looked up by name. */
std::string oid_name() const override
{ return "X509v3.CRLIssuingDistributionPoint"; }
461
/** Always encoded, even when the distribution point carries no names. */
bool should_encode() const override { return true; }
463 std::vector<uint8_t> encode_inner() const override;
464 void decode_inner(const std::vector<uint8_t>&) override;
465 void contents_to(Data_Store&, Data_Store&) const override;
466
467 CRL_Distribution_Points::Distribution_Point m_distribution_point;
468 };
469
470/**
* An X.509 extension whose OID this library does not recognize.
* If the extension is marked critical, a failure is added to the path validation result.
473*/
475 {
476 public:
/**
* @param oid      the extension's OID, reported back through oid_of()
* @param critical the critical flag as found in the certificate. validate() turns
*                 a critical unknown extension into UNKNOWN_CRITICAL_EXTENSION for the
*                 certificate at the given path position, which is the RFC 5280 section 4.2
*                 requirement that unrecognized critical extensions reject the certificate.
* m_bytes is left empty here; it is presumably filled by decode_inner() (out of line).
*/
Unknown_Extension(const OID& oid, bool critical) :
m_oid(oid), m_critical(critical) {}
479
/**
* Heap-allocated clone; ownership passes to the caller. Only the OID and critical
* flag are passed on -- m_bytes is not copied, so the clone's extension_contents()
* is empty (this matches the original behaviour and is worth knowing before cloning
* a decoded extension).
*/
Unknown_Extension* copy() const override
   {
   auto* clone = new Unknown_Extension(m_oid, m_critical);
   return clone;
   }
482
/**
* Return the OID of this unknown extension, as given at construction.
* There is no static_oid() for this class because the OID is per instance.
*/
OID oid_of() const override
{ return m_oid; }
488
489 //static_oid not defined for Unknown_Extension
490
/**
* Return the raw extnValue octets (m_bytes). Empty for an object that was
* constructed directly rather than decoded, and for copies made via copy().
*/
const std::vector<uint8_t>& extension_contents() const { return m_bytes; }
495
/**
* Return whether the certificate marked this extension critical. When true,
* validate() records UNKNOWN_CRITICAL_EXTENSION for the certificate.
*/
bool is_critical_extension() const { return m_critical; }
500
502 const std::vector<std::shared_ptr<const X509_Certificate>>&,
503 std::vector<std::set<Certificate_Status_Code>>& cert_status,
504 size_t pos) override
505 {
506 if(m_critical)
507 {
508 cert_status.at(pos).insert(Certificate_Status_Code::UNKNOWN_CRITICAL_EXTENSION);
509 }
510 }
511
512 private:
/** No symbolic name is known for an unrecognized OID; callers should use oid_of(). */
std::string oid_name() const override { return ""; }
514
/** Always re-encoded, so unknown extensions survive a decode/encode round trip. */
bool should_encode() const override { return true; }
516 std::vector<uint8_t> encode_inner() const override;
517 void decode_inner(const std::vector<uint8_t>&) override;
518 void contents_to(Data_Store&, Data_Store&) const override;
519
520 OID m_oid;
521 bool m_critical;
522 std::vector<uint8_t> m_bytes;
523 };
524
525 }
526
527}
528
529#endif