Botan 2.19.4
Crypto and TLS for C&
x509_ext.cpp
Go to the documentation of this file.
1/*
2* X.509 Certificate Extensions
3* (C) 1999-2010,2012 Jack Lloyd
4* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity
5* (C) 2017 Fabian Weissberg, Rohde & Schwarz Cybersecurity
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/x509_ext.h>
11#include <botan/x509cert.h>
12#include <botan/datastor.h>
13#include <botan/der_enc.h>
14#include <botan/ber_dec.h>
15#include <botan/hash.h>
16#include <botan/loadstor.h>
17#include <botan/internal/bit_ops.h>
18#include <algorithm>
19#include <set>
20#include <sstream>
21
22namespace Botan {
23
24/*
25* Create a Certificate_Extension object of some kind to handle
26*/
27std::unique_ptr<Certificate_Extension>
28Extensions::create_extn_obj(const OID& oid,
29 bool critical,
30 const std::vector<uint8_t>& body)
31 {
32 const std::string oid_str = oid.to_string();
33
34 std::unique_ptr<Certificate_Extension> extn;
35
37 {
38 extn.reset(new Cert_Extension::Subject_Key_ID);
39 }
41 {
42 extn.reset(new Cert_Extension::Key_Usage);
43 }
45 {
46 extn.reset(new Cert_Extension::Subject_Alternative_Name);
47 }
49 {
50 extn.reset(new Cert_Extension::Issuer_Alternative_Name);
51 }
53 {
54 extn.reset(new Cert_Extension::Basic_Constraints);
55 }
57 {
58 extn.reset(new Cert_Extension::CRL_Number);
59 }
61 {
62 extn.reset(new Cert_Extension::CRL_ReasonCode);
63 }
65 {
66 extn.reset(new Cert_Extension::Authority_Key_ID);
67 }
69 {
70 extn.reset(new Cert_Extension::Name_Constraints);
71 }
73 {
74 extn.reset(new Cert_Extension::CRL_Distribution_Points);
75 }
77 {
78 extn.reset(new Cert_Extension::CRL_Issuing_Distribution_Point);
79 }
81 {
82 extn.reset(new Cert_Extension::Certificate_Policies);
83 }
85 {
86 extn.reset(new Cert_Extension::Extended_Key_Usage);
87 }
89 {
90 extn.reset(new Cert_Extension::Authority_Information_Access);
91 }
92 else
93 {
94 // some other unknown extension type
95 extn.reset(new Cert_Extension::Unknown_Extension(oid, critical));
96 }
97
98 try
99 {
100 extn->decode_inner(body);
101 }
102 catch(Decoding_Error&)
103 {
104 extn.reset(new Cert_Extension::Unknown_Extension(oid, critical));
105 extn->decode_inner(body);
106 }
107 return extn;
108 }
109
110/*
111* Validate the extension (the default implementation is a NOP)
112*/
114 const std::vector<std::shared_ptr<const X509_Certificate>>&,
115 std::vector<std::set<Certificate_Status_Code>>&,
116 size_t)
117 {
118 }
119
120/*
121* Add a new cert
122*/
123void Extensions::add(Certificate_Extension* extn, bool critical)
124 {
125 // sanity check: we don't want to have the same extension more than once
126 if(m_extension_info.count(extn->oid_of()) > 0)
127 {
128 const std::string name = extn->oid_name();
129 delete extn;
130 throw Invalid_Argument("Extension " + name + " already present in Extensions::add");
131 }
132
133 const OID oid = extn->oid_of();
134 Extensions_Info info(critical, extn);
135 m_extension_oids.push_back(oid);
136 m_extension_info[oid] = info;
137 }
138
140 {
141 if(m_extension_info.count(extn->oid_of()) > 0)
142 {
143 delete extn;
144 return false; // already exists
145 }
146
147 const OID oid = extn->oid_of();
148 Extensions_Info info(critical, extn);
149 m_extension_oids.push_back(oid);
150 m_extension_info[oid] = info;
151 return true;
152 }
153
154bool Extensions::remove(const OID& oid)
155 {
156 const bool erased = m_extension_info.erase(oid) > 0;
157
158 if(erased)
159 {
160 m_extension_oids.erase(std::find(m_extension_oids.begin(), m_extension_oids.end(), oid));
161 }
162
163 return erased;
164 }
165
167 {
168 // Remove it if it existed
169 remove(extn->oid_of());
170
171 const OID oid = extn->oid_of();
172 Extensions_Info info(critical, extn);
173 m_extension_oids.push_back(oid);
174 m_extension_info[oid] = info;
175 }
176
177bool Extensions::extension_set(const OID& oid) const
178 {
179 return (m_extension_info.find(oid) != m_extension_info.end());
180 }
181
183 {
184 auto i = m_extension_info.find(oid);
185 if(i != m_extension_info.end())
186 return i->second.is_critical();
187 return false;
188 }
189
190std::vector<uint8_t> Extensions::get_extension_bits(const OID& oid) const
191 {
192 auto i = m_extension_info.find(oid);
193 if(i == m_extension_info.end())
194 throw Invalid_Argument("Extensions::get_extension_bits no such extension set");
195
196 return i->second.bits();
197 }
198
200 {
201 auto extn = m_extension_info.find(oid);
202 if(extn == m_extension_info.end())
203 return nullptr;
204
205 return &extn->second.obj();
206 }
207
208std::unique_ptr<Certificate_Extension> Extensions::get(const OID& oid) const
209 {
210 if(const Certificate_Extension* ext = this->get_extension_object(oid))
211 {
212 return std::unique_ptr<Certificate_Extension>(ext->copy());
213 }
214 return nullptr;
215 }
216
217std::vector<std::pair<std::unique_ptr<Certificate_Extension>, bool>> Extensions::extensions() const
218 {
219 std::vector<std::pair<std::unique_ptr<Certificate_Extension>, bool>> exts;
220 for(auto&& ext : m_extension_info)
221 {
222 exts.push_back(
223 std::make_pair(
224 std::unique_ptr<Certificate_Extension>(ext.second.obj().copy()),
225 ext.second.is_critical())
226 );
227 }
228 return exts;
229 }
230
231std::map<OID, std::pair<std::vector<uint8_t>, bool>> Extensions::extensions_raw() const
232 {
233 std::map<OID, std::pair<std::vector<uint8_t>, bool>> out;
234 for(auto&& ext : m_extension_info)
235 {
236 const auto bits = ext.second.bits();
237 const bool is_critical = ext.second.is_critical();
238
239 out[ext.first] = std::make_pair(bits, is_critical);
240 }
241 return out;
242 }
243
244/*
245* Encode an Extensions list
246*/
248 {
249 for(auto ext_info : m_extension_info)
250 {
251 const OID& oid = ext_info.first;
252 const bool should_encode = ext_info.second.obj().should_encode();
253
254 if(should_encode)
255 {
256 const bool is_critical = ext_info.second.is_critical();
257 const std::vector<uint8_t>& ext_value = ext_info.second.bits();
258
259 to_object.start_cons(SEQUENCE)
260 .encode(oid)
261 .encode_optional(is_critical, false)
262 .encode(ext_value, OCTET_STRING)
263 .end_cons();
264 }
265 }
266 }
267
268/*
269* Decode a list of Extensions
270*/
272 {
273 m_extension_oids.clear();
274 m_extension_info.clear();
275
276 BER_Decoder sequence = from_source.start_cons(SEQUENCE);
277
278 while(sequence.more_items())
279 {
280 OID oid;
281 bool critical;
282 std::vector<uint8_t> bits;
283
284 sequence.start_cons(SEQUENCE)
285 .decode(oid)
286 .decode_optional(critical, BOOLEAN, UNIVERSAL, false)
287 .decode(bits, OCTET_STRING)
288 .end_cons();
289
290 std::unique_ptr<Certificate_Extension> obj = create_extn_obj(oid, critical, bits);
291 Extensions_Info info(critical, bits, obj.release());
292
293 m_extension_oids.push_back(oid);
294 m_extension_info[oid] = info;
295 }
296 sequence.verify_end();
297 }
298
299/*
300* Write the extensions to an info store
301*/
303 Data_Store& issuer_info) const
304 {
305 for(auto&& m_extn_info : m_extension_info)
306 {
307 m_extn_info.second.obj().contents_to(subject_info, issuer_info);
308 subject_info.add(m_extn_info.second.obj().oid_name() + ".is_critical",
309 m_extn_info.second.is_critical());
310 }
311 }
312
313namespace Cert_Extension {
314
315/*
316* Checked accessor for the path_limit member
317*/
319 {
320 if(!m_is_ca)
321 throw Invalid_State("Basic_Constraints::get_path_limit: Not a CA");
322 return m_path_limit;
323 }
324
325/*
326* Encode the extension
327*/
328std::vector<uint8_t> Basic_Constraints::encode_inner() const
329 {
330 std::vector<uint8_t> output;
331 DER_Encoder(output)
333 .encode_if(m_is_ca,
335 .encode(m_is_ca)
336 .encode_optional(m_path_limit, NO_CERT_PATH_LIMIT)
337 )
338 .end_cons();
339 return output;
340 }
341
342/*
343* Decode the extension
344*/
345void Basic_Constraints::decode_inner(const std::vector<uint8_t>& in)
346 {
347 BER_Decoder(in)
349 .decode_optional(m_is_ca, BOOLEAN, UNIVERSAL, false)
350 .decode_optional(m_path_limit, INTEGER, UNIVERSAL, NO_CERT_PATH_LIMIT)
351 .end_cons();
352
353 if(m_is_ca == false)
354 m_path_limit = 0;
355 }
356
357/*
358* Return a textual representation
359*/
360void Basic_Constraints::contents_to(Data_Store& subject, Data_Store&) const
361 {
362 subject.add("X509v3.BasicConstraints.is_ca", (m_is_ca ? 1 : 0));
363 subject.add("X509v3.BasicConstraints.path_constraint", static_cast<uint32_t>(m_path_limit));
364 }
365
366/*
367* Encode the extension
368*/
369std::vector<uint8_t> Key_Usage::encode_inner() const
370 {
371 if(m_constraints == NO_CONSTRAINTS)
372 throw Encoding_Error("Cannot encode zero usage constraints");
373
374 const size_t unused_bits = ctz(static_cast<uint32_t>(m_constraints));
375
376 std::vector<uint8_t> der;
377 der.push_back(BIT_STRING);
378 der.push_back(2 + ((unused_bits < 8) ? 1 : 0));
379 der.push_back(unused_bits % 8);
380 der.push_back((m_constraints >> 8) & 0xFF);
381 if(m_constraints & 0xFF)
382 der.push_back(m_constraints & 0xFF);
383
384 return der;
385 }
386
387/*
388* Decode the extension
389*/
390void Key_Usage::decode_inner(const std::vector<uint8_t>& in)
391 {
392 BER_Decoder ber(in);
393
394 BER_Object obj = ber.get_next_object();
395
396 obj.assert_is_a(BIT_STRING, UNIVERSAL, "usage constraint");
397
398 if(obj.length() != 2 && obj.length() != 3)
399 throw BER_Decoding_Error("Bad size for BITSTRING in usage constraint");
400
401 uint16_t usage = 0;
402
403 const uint8_t* bits = obj.bits();
404
405 if(bits[0] >= 8)
406 throw BER_Decoding_Error("Invalid unused bits in usage constraint");
407
408 const uint8_t mask = static_cast<uint8_t>(0xFF << bits[0]);
409
410 if(obj.length() == 2)
411 {
412 usage = make_uint16(bits[1] & mask, 0);
413 }
414 else if(obj.length() == 3)
415 {
416 usage = make_uint16(bits[1], bits[2] & mask);
417 }
418
419 m_constraints = Key_Constraints(usage);
420 }
421
422/*
423* Return a textual representation
424*/
425void Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
426 {
427 subject.add("X509v3.KeyUsage", m_constraints);
428 }
429
430/*
431* Encode the extension
432*/
433std::vector<uint8_t> Subject_Key_ID::encode_inner() const
434 {
435 std::vector<uint8_t> output;
436 DER_Encoder(output).encode(m_key_id, OCTET_STRING);
437 return output;
438 }
439
440/*
441* Decode the extension
442*/
443void Subject_Key_ID::decode_inner(const std::vector<uint8_t>& in)
444 {
445 BER_Decoder(in).decode(m_key_id, OCTET_STRING).verify_end();
446 }
447
448/*
449* Return a textual representation
450*/
451void Subject_Key_ID::contents_to(Data_Store& subject, Data_Store&) const
452 {
453 subject.add("X509v3.SubjectKeyIdentifier", m_key_id);
454 }
455
456/*
457* Subject_Key_ID Constructor
458*/
459Subject_Key_ID::Subject_Key_ID(const std::vector<uint8_t>& pub_key, const std::string& hash_name)
460 {
461 std::unique_ptr<HashFunction> hash(HashFunction::create_or_throw(hash_name));
462
463 m_key_id.resize(hash->output_length());
464
465 hash->update(pub_key);
466 hash->final(m_key_id.data());
467
468 // Truncate longer hashes, 192 bits here seems plenty
469 const size_t max_skid_len = (192 / 8);
470 if(m_key_id.size() > max_skid_len)
471 m_key_id.resize(max_skid_len);
472 }
473
474/*
475* Encode the extension
476*/
477std::vector<uint8_t> Authority_Key_ID::encode_inner() const
478 {
479 std::vector<uint8_t> output;
480 DER_Encoder(output)
483 .end_cons();
484 return output;
485 }
486
487/*
488* Decode the extension
489*/
490void Authority_Key_ID::decode_inner(const std::vector<uint8_t>& in)
491 {
492 BER_Decoder(in)
495 }
496
497/*
498* Return a textual representation
499*/
500void Authority_Key_ID::contents_to(Data_Store&, Data_Store& issuer) const
501 {
502 if(m_key_id.size())
503 issuer.add("X509v3.AuthorityKeyIdentifier", m_key_id);
504 }
505
506/*
507* Encode the extension
508*/
509std::vector<uint8_t> Subject_Alternative_Name::encode_inner() const
510 {
511 std::vector<uint8_t> output;
512 DER_Encoder(output).encode(m_alt_name);
513 return output;
514 }
515
516/*
517* Encode the extension
518*/
519std::vector<uint8_t> Issuer_Alternative_Name::encode_inner() const
520 {
521 std::vector<uint8_t> output;
522 DER_Encoder(output).encode(m_alt_name);
523 return output;
524 }
525
526/*
527* Decode the extension
528*/
529void Subject_Alternative_Name::decode_inner(const std::vector<uint8_t>& in)
530 {
531 BER_Decoder(in).decode(m_alt_name);
532 }
533
534/*
535* Decode the extension
536*/
537void Issuer_Alternative_Name::decode_inner(const std::vector<uint8_t>& in)
538 {
539 BER_Decoder(in).decode(m_alt_name);
540 }
541
542/*
543* Return a textual representation
544*/
545void Subject_Alternative_Name::contents_to(Data_Store& subject_info,
546 Data_Store&) const
547 {
548 subject_info.add(get_alt_name().contents());
549 }
550
551/*
552* Return a textual representation
553*/
554void Issuer_Alternative_Name::contents_to(Data_Store&, Data_Store& issuer_info) const
555 {
556 issuer_info.add(get_alt_name().contents());
557 }
558
559/*
560* Encode the extension
561*/
562std::vector<uint8_t> Extended_Key_Usage::encode_inner() const
563 {
564 std::vector<uint8_t> output;
565 DER_Encoder(output)
567 .encode_list(m_oids)
568 .end_cons();
569 return output;
570 }
571
572/*
573* Decode the extension
574*/
575void Extended_Key_Usage::decode_inner(const std::vector<uint8_t>& in)
576 {
577 BER_Decoder(in).decode_list(m_oids);
578 }
579
580/*
581* Return a textual representation
582*/
583void Extended_Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
584 {
585 for(size_t i = 0; i != m_oids.size(); ++i)
586 subject.add("X509v3.ExtendedKeyUsage", m_oids[i].to_string());
587 }
588
589/*
590* Encode the extension
591*/
592std::vector<uint8_t> Name_Constraints::encode_inner() const
593 {
594 throw Not_Implemented("Name_Constraints encoding");
595 }
596
597
598/*
599* Decode the extension
600*/
601void Name_Constraints::decode_inner(const std::vector<uint8_t>& in)
602 {
603 std::vector<GeneralSubtree> permit, exclude;
604 BER_Decoder ber(in);
605 BER_Decoder ext = ber.start_cons(SEQUENCE);
606 BER_Object per = ext.get_next_object();
607
608 ext.push_back(per);
609 if(per.is_a(0, ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)))
610 {
611 ext.decode_list(permit,ASN1_Tag(0),ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC));
612 if(permit.empty())
613 throw Encoding_Error("Empty Name Contraint list");
614 }
615
616 BER_Object exc = ext.get_next_object();
617 ext.push_back(exc);
618 if(per.is_a(1, ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)))
619 {
620 ext.decode_list(exclude,ASN1_Tag(1),ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC));
621 if(exclude.empty())
622 throw Encoding_Error("Empty Name Contraint list");
623 }
624
625 ext.end_cons();
626
627 if(permit.empty() && exclude.empty())
628 throw Encoding_Error("Empty Name Contraint extension");
629
630 m_name_constraints = NameConstraints(std::move(permit),std::move(exclude));
631 }
632
633/*
634* Return a textual representation
635*/
636void Name_Constraints::contents_to(Data_Store& subject, Data_Store&) const
637 {
638 std::stringstream ss;
639
640 for(const GeneralSubtree& gs: m_name_constraints.permitted())
641 {
642 ss << gs;
643 subject.add("X509v3.NameConstraints.permitted", ss.str());
644 ss.str(std::string());
645 }
646 for(const GeneralSubtree& gs: m_name_constraints.excluded())
647 {
648 ss << gs;
649 subject.add("X509v3.NameConstraints.excluded", ss.str());
650 ss.str(std::string());
651 }
652 }
653
655 const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
656 std::vector<std::set<Certificate_Status_Code>>& cert_status,
657 size_t pos)
658 {
659 if(!m_name_constraints.permitted().empty() || !m_name_constraints.excluded().empty())
660 {
661 if(!subject.is_CA_cert())
662 {
663 cert_status.at(pos).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
664 }
665
666 const bool issuer_name_constraint_critical =
667 issuer.is_critical("X509v3.NameConstraints");
668
669 // Check that all subordinate certs pass the name constraint
670 for(size_t j = 0; j < pos; ++j)
671 {
672 bool permitted = m_name_constraints.permitted().empty();
673 bool failed = false;
674
675 for(auto c: m_name_constraints.permitted())
676 {
677 switch(c.base().matches(*cert_path.at(j)))
678 {
679 case GeneralName::MatchResult::NotFound:
680 case GeneralName::MatchResult::All:
681 permitted = true;
682 break;
683 case GeneralName::MatchResult::UnknownType:
684 failed = issuer_name_constraint_critical;
685 permitted = true;
686 break;
687 default:
688 break;
689 }
690 }
691
692 for(auto c: m_name_constraints.excluded())
693 {
694 switch(c.base().matches(*cert_path.at(j)))
695 {
696 case GeneralName::MatchResult::All:
697 case GeneralName::MatchResult::Some:
698 failed = true;
699 break;
700 case GeneralName::MatchResult::UnknownType:
701 failed = issuer_name_constraint_critical;
702 break;
703 default:
704 break;
705 }
706 }
707
708 if(failed || !permitted)
709 {
710 cert_status.at(j).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
711 }
712 }
713 }
714 }
715
716namespace {
717
718/*
719* A policy specifier
720*/
721class Policy_Information final : public ASN1_Object
722 {
723 public:
724 Policy_Information() = default;
725 explicit Policy_Information(const OID& oid) : m_oid(oid) {}
726
727 const OID& oid() const { return m_oid; }
728
729 void encode_into(DER_Encoder& codec) const override
730 {
731 codec.start_cons(SEQUENCE)
732 .encode(m_oid)
733 .end_cons();
734 }
735
736 void decode_from(BER_Decoder& codec) override
737 {
738 codec.start_cons(SEQUENCE)
739 .decode(m_oid)
740 .discard_remaining()
741 .end_cons();
742 }
743
744 private:
745 OID m_oid;
746 };
747
748}
749
750/*
751* Encode the extension
752*/
753std::vector<uint8_t> Certificate_Policies::encode_inner() const
754 {
755 std::vector<Policy_Information> policies;
756
757 for(size_t i = 0; i != m_oids.size(); ++i)
758 policies.push_back(Policy_Information(m_oids[i]));
759
760 std::vector<uint8_t> output;
761 DER_Encoder(output)
762 .start_cons(SEQUENCE)
763 .encode_list(policies)
764 .end_cons();
765 return output;
766 }
767
768/*
769* Decode the extension
770*/
771void Certificate_Policies::decode_inner(const std::vector<uint8_t>& in)
772 {
773 std::vector<Policy_Information> policies;
774
775 BER_Decoder(in).decode_list(policies);
776 m_oids.clear();
777 for(size_t i = 0; i != policies.size(); ++i)
778 m_oids.push_back(policies[i].oid());
779 }
780
781/*
782* Return a textual representation
783*/
784void Certificate_Policies::contents_to(Data_Store& info, Data_Store&) const
785 {
786 for(size_t i = 0; i != m_oids.size(); ++i)
787 info.add("X509v3.CertificatePolicies", m_oids[i].to_string());
788 }
789
791 const X509_Certificate& /*subject*/,
792 const X509_Certificate& /*issuer*/,
793 const std::vector<std::shared_ptr<const X509_Certificate>>& /*cert_path*/,
794 std::vector<std::set<Certificate_Status_Code>>& cert_status,
795 size_t pos)
796 {
797 std::set<OID> oid_set(m_oids.begin(), m_oids.end());
798 if(oid_set.size() != m_oids.size())
799 {
800 cert_status.at(pos).insert(Certificate_Status_Code::DUPLICATE_CERT_POLICY);
801 }
802 }
803
804std::vector<uint8_t> Authority_Information_Access::encode_inner() const
805 {
806 ASN1_String url(m_ocsp_responder, IA5_STRING);
807
808 std::vector<uint8_t> output;
809 DER_Encoder(output)
812 .encode(OID::from_string("PKIX.OCSP"))
813 .add_object(ASN1_Tag(6), CONTEXT_SPECIFIC, url.value())
814 .end_cons()
815 .end_cons();
816 return output;
817 }
818
819void Authority_Information_Access::decode_inner(const std::vector<uint8_t>& in)
820 {
822
823 while(ber.more_items())
824 {
825 OID oid;
826
827 BER_Decoder info = ber.start_cons(SEQUENCE);
828
829 info.decode(oid);
830
831 if(oid == OID::from_string("PKIX.OCSP"))
832 {
834
835 if(name.is_a(6, CONTEXT_SPECIFIC))
836 {
837 m_ocsp_responder = ASN1::to_string(name);
838 }
839
840 }
841 if(oid == OID::from_string("PKIX.CertificateAuthorityIssuers"))
842 {
843 BER_Object name = info.get_next_object();
844
845 if(name.is_a(6, CONTEXT_SPECIFIC))
846 {
847 m_ca_issuers.push_back(ASN1::to_string(name));
848 }
849 }
850 }
851 }
852
853void Authority_Information_Access::contents_to(Data_Store& subject, Data_Store&) const
854 {
855 if(!m_ocsp_responder.empty())
856 subject.add("OCSP.responder", m_ocsp_responder);
857 for(const std::string& ca_issuer : m_ca_issuers)
858 subject.add("PKIX.CertificateAuthorityIssuers", ca_issuer);
859 }
860
861/*
862* Checked accessor for the crl_number member
863*/
865 {
866 if(!m_has_value)
867 throw Invalid_State("CRL_Number::get_crl_number: Not set");
868 return m_crl_number;
869 }
870
871/*
872* Copy a CRL_Number extension
873*/
875 {
876 if(!m_has_value)
877 throw Invalid_State("CRL_Number::copy: Not set");
878 return new CRL_Number(m_crl_number);
879 }
880
881/*
882* Encode the extension
883*/
884std::vector<uint8_t> CRL_Number::encode_inner() const
885 {
886 std::vector<uint8_t> output;
887 DER_Encoder(output).encode(m_crl_number);
888 return output;
889 }
890
891/*
892* Decode the extension
893*/
894void CRL_Number::decode_inner(const std::vector<uint8_t>& in)
895 {
896 BER_Decoder(in).decode(m_crl_number);
897 m_has_value = true;
898 }
899
900/*
901* Return a textual representation
902*/
903void CRL_Number::contents_to(Data_Store& info, Data_Store&) const
904 {
905 info.add("X509v3.CRLNumber", static_cast<uint32_t>(m_crl_number));
906 }
907
908/*
909* Encode the extension
910*/
911std::vector<uint8_t> CRL_ReasonCode::encode_inner() const
912 {
913 std::vector<uint8_t> output;
914 DER_Encoder(output).encode(static_cast<size_t>(m_reason), ENUMERATED, UNIVERSAL);
915 return output;
916 }
917
918/*
919* Decode the extension
920*/
921void CRL_ReasonCode::decode_inner(const std::vector<uint8_t>& in)
922 {
923 size_t reason_code = 0;
924 BER_Decoder(in).decode(reason_code, ENUMERATED, UNIVERSAL);
925 m_reason = static_cast<CRL_Code>(reason_code);
926 }
927
928/*
929* Return a textual representation
930*/
931void CRL_ReasonCode::contents_to(Data_Store& info, Data_Store&) const
932 {
933 info.add("X509v3.CRLReasonCode", m_reason);
934 }
935
936std::vector<uint8_t> CRL_Distribution_Points::encode_inner() const
937 {
938 throw Not_Implemented("CRL_Distribution_Points encoding");
939 }
940
941void CRL_Distribution_Points::decode_inner(const std::vector<uint8_t>& buf)
942 {
943 BER_Decoder(buf)
944 .decode_list(m_distribution_points)
945 .verify_end();
946
947 std::stringstream ss;
948
949 for(size_t i = 0; i != m_distribution_points.size(); ++i)
950 {
951 auto contents = m_distribution_points[i].point().contents();
952
953 for(const auto& pair : contents)
954 {
955 ss << pair.first << ": " << pair.second << " ";
956 }
957 }
958
959 m_crl_distribution_urls.push_back(ss.str());
960 }
961
962void CRL_Distribution_Points::contents_to(Data_Store& subject, Data_Store&) const
963 {
964 for(const std::string& crl_url : m_crl_distribution_urls)
965 subject.add("CRL.DistributionPoint", crl_url);
966 }
967
969 {
970 throw Not_Implemented("CRL_Distribution_Points encoding");
971 }
972
974 {
980 .end_cons().end_cons();
981 }
982
983std::vector<uint8_t> CRL_Issuing_Distribution_Point::encode_inner() const
984 {
985 throw Not_Implemented("CRL_Issuing_Distribution_Point encoding");
986 }
987
988void CRL_Issuing_Distribution_Point::decode_inner(const std::vector<uint8_t>& buf)
989 {
990 BER_Decoder(buf).decode(m_distribution_point).verify_end();
991 }
992
993void CRL_Issuing_Distribution_Point::contents_to(Data_Store& info, Data_Store&) const
994 {
995 auto contents = m_distribution_point.point().contents();
996 std::stringstream ss;
997
998 for(const auto& pair : contents)
999 {
1000 ss << pair.first << ": " << pair.second << " ";
1001 }
1002
1003 info.add("X509v3.CRLIssuingDistributionPoint", ss.str());
1004 }
1005
1006std::vector<uint8_t> Unknown_Extension::encode_inner() const
1007 {
1008 return m_bytes;
1009 }
1010
1011void Unknown_Extension::decode_inner(const std::vector<uint8_t>& bytes)
1012 {
1013 // Just treat as an opaque blob at this level
1014 m_bytes = bytes;
1015 }
1016
1017void Unknown_Extension::contents_to(Data_Store&, Data_Store&) const
1018 {
1019 // No information store
1020 }
1021
1022}
1023
1024}
BER_Decoder start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.cpp:290
BER_Decoder & decode_list(std::vector< T > &out, ASN1_Tag type_tag=SEQUENCE, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.h:398
BER_Object get_next_object()
Definition: ber_dec.cpp:237
BER_Decoder & decode(bool &out)
Definition: ber_dec.h:170
bool more_items() const
Definition: ber_dec.cpp:198
BER_Decoder & decode_optional_string(std::vector< uint8_t, Alloc > &out, ASN1_Tag real_type, uint16_t type_no, ASN1_Tag class_tag=CONTEXT_SPECIFIC)
Definition: ber_dec.h:293
BER_Decoder & decode_optional(T &out, ASN1_Tag type_tag, ASN1_Tag class_tag, const T &default_value=T())
Definition: ber_dec.h:337
BER_Decoder & verify_end()
Definition: ber_dec.cpp:208
BER_Decoder & end_cons()
Definition: ber_dec.cpp:300
BER_Decoder & decode_optional_implicit(T &out, ASN1_Tag type_tag, ASN1_Tag class_tag, ASN1_Tag real_type, ASN1_Tag real_class, const T &default_value=T())
Definition: ber_dec.h:369
void encode_into(class DER_Encoder &) const override
Definition: x509_ext.cpp:968
CRL_Number * copy() const override
Definition: x509_ext.cpp:874
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate > > &cert_path, std::vector< std::set< Certificate_Status_Code > > &cert_status, size_t pos) override
Definition: x509_ext.cpp:790
const AlternativeName & get_alt_name() const
Definition: x509_ext.h:177
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate > > &cert_path, std::vector< std::set< Certificate_Status_Code > > &cert_status, size_t pos) override
Definition: x509_ext.cpp:654
const AlternativeName & get_alt_name() const
Definition: x509_ext.h:149
virtual void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate > > &cert_path, std::vector< std::set< Certificate_Status_Code > > &cert_status, size_t pos)
Definition: x509_ext.cpp:113
virtual std::string oid_name() const =0
virtual OID oid_of() const =0
DER_Encoder & encode_optional(const T &value, const T &default_value)
Definition: der_enc.h:120
DER_Encoder & add_object(ASN1_Tag type_tag, ASN1_Tag class_tag, const uint8_t rep[], size_t length)
Definition: der_enc.cpp:249
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: der_enc.cpp:181
DER_Encoder & encode_if(bool pred, DER_Encoder &enc)
Definition: der_enc.h:143
DER_Encoder & end_cons()
Definition: der_enc.cpp:191
DER_Encoder & encode(bool b)
Definition: der_enc.cpp:285
void add(const std::multimap< std::string, std::string > &)
Definition: datastor.cpp:154
const Certificate_Extension * get_extension_object(const OID &oid) const
Definition: x509_ext.cpp:199
void decode_from(class BER_Decoder &) override
Definition: x509_ext.cpp:271
std::map< OID, std::pair< std::vector< uint8_t >, bool > > extensions_raw() const
Definition: x509_ext.cpp:231
void replace(Certificate_Extension *extn, bool critical=false)
Definition: x509_ext.cpp:166
std::unique_ptr< Certificate_Extension > get(const OID &oid) const
Definition: x509_ext.cpp:208
bool remove(const OID &oid)
Definition: x509_ext.cpp:154
void contents_to(Data_Store &, Data_Store &) const
Definition: x509_ext.cpp:302
std::vector< uint8_t > get_extension_bits(const OID &oid) const
Definition: x509_ext.cpp:190
bool critical_extension_set(const OID &oid) const
Definition: x509_ext.cpp:182
std::vector< std::pair< std::unique_ptr< Certificate_Extension >, bool > > extensions() const
Definition: x509_ext.cpp:217
bool add_new(Certificate_Extension *extn, bool critical=false)
Definition: x509_ext.cpp:139
void encode_into(class DER_Encoder &) const override
Definition: x509_ext.cpp:247
void add(Certificate_Extension *extn, bool critical=false)
Definition: x509_ext.cpp:123
bool extension_set(const OID &oid) const
Definition: x509_ext.cpp:177
static std::unique_ptr< HashFunction > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:329
const std::vector< GeneralSubtree > & permitted() const
Definition: pkix_types.h:335
const std::vector< GeneralSubtree > & excluded() const
Definition: pkix_types.h:340
static OID from_string(const std::string &str)
Definition: asn1_oid.cpp:62
bool is_CA_cert() const
Definition: x509cert.cpp:491
bool is_critical(const std::string &ex_name) const
Definition: x509cert.cpp:608
std::string name
int(* final)(unsigned char *, CTX *)
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
Definition: pem.cpp:43
Definition: alg_id.cpp:13
size_t ctz(T n)
Definition: bit_ops.h:99
ASN1_Tag
Definition: asn1_obj.h:25
@ CONSTRUCTED
Definition: asn1_obj.h:30
@ IA5_STRING
Definition: asn1_obj.h:49
@ BIT_STRING
Definition: asn1_obj.h:37
@ SEQUENCE
Definition: asn1_obj.h:42
@ BOOLEAN
Definition: asn1_obj.h:35
@ CONTEXT_SPECIFIC
Definition: asn1_obj.h:28
@ ENUMERATED
Definition: asn1_obj.h:41
@ OCTET_STRING
Definition: asn1_obj.h:38
@ UNIVERSAL
Definition: asn1_obj.h:26
@ INTEGER
Definition: asn1_obj.h:36
Key_Constraints
Definition: pkix_enums.h:106
@ NO_CONSTRAINTS
Definition: pkix_enums.h:107
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)
Definition: loadstor.h:54
MechanismType hash