10 #include <botan/x509_ext.h>
11 #include <botan/x509cert.h>
12 #include <botan/datastor.h>
13 #include <botan/der_enc.h>
14 #include <botan/ber_dec.h>
15 #include <botan/hash.h>
16 #include <botan/loadstor.h>
17 #include <botan/internal/bit_ops.h>
27 std::unique_ptr<Certificate_Extension>
28 Extensions::create_extn_obj(
const OID& oid,
30 const std::vector<uint8_t>& body)
32 const std::string oid_str = oid.to_string();
34 std::unique_ptr<Certificate_Extension> extn;
38 extn.reset(
new Cert_Extension::Subject_Key_ID);
42 extn.reset(
new Cert_Extension::Key_Usage);
46 extn.reset(
new Cert_Extension::Subject_Alternative_Name);
50 extn.reset(
new Cert_Extension::Issuer_Alternative_Name);
54 extn.reset(
new Cert_Extension::Basic_Constraints);
58 extn.reset(
new Cert_Extension::CRL_Number);
62 extn.reset(
new Cert_Extension::CRL_ReasonCode);
66 extn.reset(
new Cert_Extension::Authority_Key_ID);
70 extn.reset(
new Cert_Extension::Name_Constraints);
74 extn.reset(
new Cert_Extension::CRL_Distribution_Points);
78 extn.reset(
new Cert_Extension::CRL_Issuing_Distribution_Point);
82 extn.reset(
new Cert_Extension::Certificate_Policies);
86 extn.reset(
new Cert_Extension::Extended_Key_Usage);
90 extn.reset(
new Cert_Extension::Authority_Information_Access);
95 extn.reset(
new Cert_Extension::Unknown_Extension(oid, critical));
100 extn->decode_inner(body);
102 catch(Decoding_Error&)
104 extn.reset(
new Cert_Extension::Unknown_Extension(oid, critical));
105 extn->decode_inner(body);
114 const std::vector<std::shared_ptr<const X509_Certificate>>&,
115 std::vector<std::set<Certificate_Status_Code>>&,
126 if(m_extension_info.count(extn->
oid_of()) > 0)
130 throw Invalid_Argument(
"Extension " + name +
" already present in Extensions::add");
134 Extensions_Info info(critical, extn);
135 m_extension_oids.push_back(oid);
136 m_extension_info.emplace(oid, info);
141 if(m_extension_info.count(extn->
oid_of()) > 0)
148 Extensions_Info info(critical, extn);
149 m_extension_oids.push_back(oid);
150 m_extension_info.emplace(oid, info);
156 const bool erased = m_extension_info.erase(oid) > 0;
160 m_extension_oids.erase(std::find(m_extension_oids.begin(), m_extension_oids.end(), oid));
172 Extensions_Info info(critical, extn);
173 m_extension_oids.push_back(oid);
174 m_extension_info.emplace(oid, info);
179 return (m_extension_info.find(oid) != m_extension_info.end());
184 auto i = m_extension_info.find(oid);
185 if(i != m_extension_info.end())
186 return i->second.is_critical();
192 auto i = m_extension_info.find(oid);
193 if(i == m_extension_info.end())
194 throw Invalid_Argument(
"Extensions::get_extension_bits no such extension set");
196 return i->second.bits();
201 auto extn = m_extension_info.find(oid);
202 if(extn == m_extension_info.end())
205 return &extn->second.obj();
212 return std::unique_ptr<Certificate_Extension>(ext->copy());
219 std::vector<std::pair<std::unique_ptr<Certificate_Extension>,
bool>> exts;
220 for(
auto&& ext : m_extension_info)
224 std::unique_ptr<Certificate_Extension>(ext.second.obj().copy()),
225 ext.second.is_critical())
233 std::map<OID, std::pair<std::vector<uint8_t>,
bool>> out;
234 for(
auto&& ext : m_extension_info)
236 out.emplace(ext.first,
237 std::make_pair(ext.second.bits(),
238 ext.second.is_critical()));
248 for(
auto ext_info : m_extension_info)
250 const OID& oid = ext_info.first;
251 const bool should_encode = ext_info.second.obj().should_encode();
255 const bool is_critical = ext_info.second.is_critical();
256 const std::vector<uint8_t>& ext_value = ext_info.second.bits();
272 m_extension_oids.clear();
273 m_extension_info.clear();
281 std::vector<uint8_t> bits;
289 std::unique_ptr<Certificate_Extension> obj = create_extn_obj(oid, critical, bits);
290 Extensions_Info info(critical, bits, obj.release());
292 m_extension_oids.push_back(oid);
293 m_extension_info.emplace(oid, info);
304 for(
auto&& m_extn_info : m_extension_info)
306 m_extn_info.second.obj().contents_to(subject_info, issuer_info);
307 subject_info.
add(m_extn_info.second.obj().oid_name() +
".is_critical",
308 m_extn_info.second.is_critical());
312 namespace Cert_Extension {
320 throw Invalid_State(
"Basic_Constraints::get_path_limit: Not a CA");
327 std::vector<uint8_t> Basic_Constraints::encode_inner()
const
329 std::vector<uint8_t> output;
335 .encode_optional(m_path_limit, NO_CERT_PATH_LIMIT)
344 void Basic_Constraints::decode_inner(
const std::vector<uint8_t>& in)
359 void Basic_Constraints::contents_to(Data_Store& subject, Data_Store&)
const
361 subject.add(
"X509v3.BasicConstraints.is_ca", (m_is_ca ? 1 : 0));
362 subject.add(
"X509v3.BasicConstraints.path_constraint", static_cast<uint32_t>(m_path_limit));
368 std::vector<uint8_t> Key_Usage::encode_inner()
const
371 throw Encoding_Error(
"Cannot encode zero usage constraints");
373 const size_t unused_bits =
ctz(static_cast<uint32_t>(m_constraints));
375 std::vector<uint8_t> der;
377 der.push_back(2 + ((unused_bits < 8) ? 1 : 0));
378 der.push_back(unused_bits % 8);
379 der.push_back((m_constraints >> 8) & 0xFF);
380 if(m_constraints & 0xFF)
381 der.push_back(m_constraints & 0xFF);
389 void Key_Usage::decode_inner(
const std::vector<uint8_t>& in)
393 BER_Object obj = ber.get_next_object();
397 if(obj.length() != 2 && obj.length() != 3)
398 throw BER_Decoding_Error(
"Bad size for BITSTRING in usage constraint");
402 const uint8_t* bits = obj.bits();
405 throw BER_Decoding_Error(
"Invalid unused bits in usage constraint");
407 const uint8_t mask =
static_cast<uint8_t
>(0xFF << bits[0]);
409 if(obj.length() == 2)
413 else if(obj.length() == 3)
424 void Key_Usage::contents_to(Data_Store& subject, Data_Store&)
const
426 subject.add(
"X509v3.KeyUsage", m_constraints);
432 std::vector<uint8_t> Subject_Key_ID::encode_inner()
const
434 std::vector<uint8_t> output;
442 void Subject_Key_ID::decode_inner(
const std::vector<uint8_t>& in)
444 BER_Decoder(in).decode(m_key_id,
OCTET_STRING).verify_end();
450 void Subject_Key_ID::contents_to(Data_Store& subject, Data_Store&)
const
452 subject.add(
"X509v3.SubjectKeyIdentifier", m_key_id);
462 m_key_id.resize(hash->output_length());
464 hash->update(pub_key);
465 hash->final(m_key_id.data());
468 const size_t max_skid_len = (192 / 8);
469 if(m_key_id.size() > max_skid_len)
470 m_key_id.resize(max_skid_len);
476 std::vector<uint8_t> Authority_Key_ID::encode_inner()
const
478 std::vector<uint8_t> output;
489 void Authority_Key_ID::decode_inner(
const std::vector<uint8_t>& in)
499 void Authority_Key_ID::contents_to(Data_Store&, Data_Store& issuer)
const
502 issuer.add(
"X509v3.AuthorityKeyIdentifier", m_key_id);
508 std::vector<uint8_t> Subject_Alternative_Name::encode_inner()
const
510 std::vector<uint8_t> output;
511 DER_Encoder(output).encode(m_alt_name);
518 std::vector<uint8_t> Issuer_Alternative_Name::encode_inner()
const
520 std::vector<uint8_t> output;
521 DER_Encoder(output).encode(m_alt_name);
528 void Subject_Alternative_Name::decode_inner(
const std::vector<uint8_t>& in)
530 BER_Decoder(in).
decode(m_alt_name);
536 void Issuer_Alternative_Name::decode_inner(
const std::vector<uint8_t>& in)
538 BER_Decoder(in).
decode(m_alt_name);
544 void Subject_Alternative_Name::contents_to(Data_Store& subject_info,
553 void Issuer_Alternative_Name::contents_to(Data_Store&, Data_Store& issuer_info)
const
561 std::vector<uint8_t> Extended_Key_Usage::encode_inner()
const
563 std::vector<uint8_t> output;
574 void Extended_Key_Usage::decode_inner(
const std::vector<uint8_t>& in)
582 void Extended_Key_Usage::contents_to(Data_Store& subject, Data_Store&)
const
584 for(
size_t i = 0; i != m_oids.size(); ++i)
585 subject.add(
"X509v3.ExtendedKeyUsage", m_oids[i].to_string());
591 std::vector<uint8_t> Name_Constraints::encode_inner()
const
593 throw Not_Implemented(
"Name_Constraints encoding");
600 void Name_Constraints::decode_inner(
const std::vector<uint8_t>& in)
602 std::vector<GeneralSubtree> permit, exclude;
604 BER_Decoder ext = ber.start_cons(
SEQUENCE);
605 BER_Object per = ext.get_next_object();
612 throw Encoding_Error(
"Empty Name Contraint list");
615 BER_Object exc = ext.get_next_object();
621 throw Encoding_Error(
"Empty Name Contraint list");
626 if(permit.empty() && exclude.empty())
627 throw Encoding_Error(
"Empty Name Contraint extension");
629 m_name_constraints = NameConstraints(std::move(permit),std::move(exclude));
635 void Name_Constraints::contents_to(Data_Store& subject, Data_Store&)
const
637 std::stringstream ss;
639 for(
const GeneralSubtree& gs: m_name_constraints.
permitted())
642 subject.add(
"X509v3.NameConstraints.permitted", ss.str());
643 ss.str(std::string());
645 for(
const GeneralSubtree& gs: m_name_constraints.
excluded())
648 subject.add(
"X509v3.NameConstraints.excluded", ss.str());
649 ss.str(std::string());
654 const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
655 std::vector<std::set<Certificate_Status_Code>>& cert_status,
658 if(!m_name_constraints.
permitted().empty() || !m_name_constraints.
excluded().empty())
665 const bool issuer_name_constraint_critical =
669 for(
size_t j = 0; j < pos; ++j)
671 bool permitted = m_name_constraints.
permitted().empty();
674 for(
auto c: m_name_constraints.
permitted())
676 switch(c.base().matches(*cert_path.at(j)))
678 case GeneralName::MatchResult::NotFound:
679 case GeneralName::MatchResult::All:
682 case GeneralName::MatchResult::UnknownType:
683 failed = issuer_name_constraint_critical;
691 for(
auto c: m_name_constraints.
excluded())
693 switch(c.base().matches(*cert_path.at(j)))
695 case GeneralName::MatchResult::All:
696 case GeneralName::MatchResult::Some:
699 case GeneralName::MatchResult::UnknownType:
700 failed = issuer_name_constraint_critical;
707 if(failed || !permitted)
723 Policy_Information() =
default;
724 explicit Policy_Information(
const OID& oid) :
m_oid(oid) {}
726 const OID& oid()
const {
return m_oid; }
728 void encode_into(DER_Encoder& codec)
const override
735 void decode_from(BER_Decoder& codec)
override
752 std::vector<uint8_t> Certificate_Policies::encode_inner()
const
754 std::vector<Policy_Information> policies;
756 for(
size_t i = 0; i != m_oids.size(); ++i)
757 policies.push_back(Policy_Information(m_oids[i]));
759 std::vector<uint8_t> output;
762 .encode_list(policies)
770 void Certificate_Policies::decode_inner(
const std::vector<uint8_t>& in)
772 std::vector<Policy_Information> policies;
774 BER_Decoder(in).decode_list(policies);
776 for(
size_t i = 0; i != policies.size(); ++i)
777 m_oids.push_back(policies[i].oid());
783 void Certificate_Policies::contents_to(Data_Store& info, Data_Store&)
const
785 for(
size_t i = 0; i != m_oids.size(); ++i)
786 info.add(
"X509v3.CertificatePolicies", m_oids[i].to_string());
792 const std::vector<std::shared_ptr<const X509_Certificate>>& ,
793 std::vector<std::set<Certificate_Status_Code>>& cert_status,
796 std::set<OID> oid_set(m_oids.begin(), m_oids.end());
797 if(oid_set.size() != m_oids.size())
803 std::vector<uint8_t> Authority_Information_Access::encode_inner()
const
807 std::vector<uint8_t> output;
818 void Authority_Information_Access::decode_inner(
const std::vector<uint8_t>& in)
852 void Authority_Information_Access::contents_to(Data_Store& subject, Data_Store&)
const
854 if(!m_ocsp_responder.empty())
855 subject.add(
"OCSP.responder", m_ocsp_responder);
856 for(
const std::string& ca_issuer : m_ca_issuers)
857 subject.add(
"PKIX.CertificateAuthorityIssuers", ca_issuer);
883 std::vector<uint8_t> CRL_Number::encode_inner()
const
885 std::vector<uint8_t> output;
893 void CRL_Number::decode_inner(
const std::vector<uint8_t>& in)
902 void CRL_Number::contents_to(Data_Store& info, Data_Store&)
const
904 info.add(
"X509v3.CRLNumber", static_cast<uint32_t>(m_crl_number));
910 std::vector<uint8_t> CRL_ReasonCode::encode_inner()
const
912 std::vector<uint8_t> output;
920 void CRL_ReasonCode::decode_inner(
const std::vector<uint8_t>& in)
922 size_t reason_code = 0;
924 m_reason =
static_cast<CRL_Code>(reason_code);
930 void CRL_ReasonCode::contents_to(Data_Store& info, Data_Store&)
const
932 info.add(
"X509v3.CRLReasonCode", m_reason);
935 std::vector<uint8_t> CRL_Distribution_Points::encode_inner()
const
937 throw Not_Implemented(
"CRL_Distribution_Points encoding");
940 void CRL_Distribution_Points::decode_inner(
const std::vector<uint8_t>& buf)
943 .decode_list(m_distribution_points)
946 std::stringstream ss;
948 for(
size_t i = 0; i != m_distribution_points.size(); ++i)
950 auto contents = m_distribution_points[i].point().contents();
952 for(
const auto& pair : contents)
954 ss << pair.first <<
": " << pair.second <<
" ";
958 m_crl_distribution_urls.push_back(ss.str());
961 void CRL_Distribution_Points::contents_to(Data_Store& subject, Data_Store&)
const
963 for(
const std::string& crl_url : m_crl_distribution_urls)
964 subject.add(
"CRL.DistributionPoint", crl_url);
982 std::vector<uint8_t> CRL_Issuing_Distribution_Point::encode_inner()
const
987 void CRL_Issuing_Distribution_Point::decode_inner(
const std::vector<uint8_t>& buf)
994 auto contents = m_distribution_point.point().contents();
995 std::stringstream ss;
997 for(
const auto& pair : contents)
999 ss << pair.first <<
": " << pair.second <<
" ";
1002 info.
add(
"X509v3.CRLIssuingDistributionPoint", ss.str());
1005 std::vector<uint8_t> Unknown_Extension::encode_inner()
const
1010 void Unknown_Extension::decode_inner(
const std::vector<uint8_t>& bytes)
1016 void Unknown_Extension::contents_to(Data_Store&, Data_Store&)
const
std::map< OID, std::pair< std::vector< uint8_t >, bool > > extensions_raw() const
DER_Encoder & add_object(ASN1_Tag type_tag, ASN1_Tag class_tag, const uint8_t rep[], size_t length)
virtual std::string oid_name() const =0
DER_Encoder & encode_optional(const T &value, const T &default_value)
static std::unique_ptr< HashFunction > create_or_throw(const std::string &algo_spec, const std::string &provider="")
size_t get_path_limit() const
BER_Decoder & decode_optional_string(std::vector< uint8_t, Alloc > &out, ASN1_Tag real_type, uint16_t type_no, ASN1_Tag class_tag=CONTEXT_SPECIFIC)
int(* final)(unsigned char *, CTX *)
void encode_into(class DER_Encoder &) const override
bool extension_set(const OID &oid) const
const std::vector< GeneralSubtree > & permitted() const
void decode_from(class BER_Decoder &) override
void replace(Certificate_Extension *extn, bool critical=false)
std::string to_string(const BER_Object &obj)
void contents_to(Data_Store &, Data_Store &) const
bool is_a(ASN1_Tag type_tag, ASN1_Tag class_tag) const
DER_Encoder & encode_if(bool pred, DER_Encoder &enc)
std::vector< std::pair< std::unique_ptr< Certificate_Extension >, bool > > extensions() const
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::vector< std::set< Certificate_Status_Code >> &cert_status, size_t pos) override
BER_Decoder & decode(bool &out)
void add(Certificate_Extension *extn, bool critical=false)
const AlternativeName & get_alt_name() const
void decode_from(class BER_Decoder &) override
DER_Encoder & encode(bool b)
BER_Decoder & decode_optional(T &out, ASN1_Tag type_tag, ASN1_Tag class_tag, const T &default_value=T())
bool critical_extension_set(const OID &oid) const
void encode_into(class DER_Encoder &) const override
bool add_new(Certificate_Extension *extn, bool critical=false)
const std::vector< GeneralSubtree > & excluded() const
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
const Certificate_Extension * get_extension_object(const OID &oid) const
std::unique_ptr< Certificate_Extension > get(const OID &oid) const
BER_Decoder start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
virtual OID oid_of() const =0
const AlternativeName & get_alt_name() const
BER_Decoder & decode_optional_implicit(T &out, ASN1_Tag type_tag, ASN1_Tag class_tag, ASN1_Tag real_type, ASN1_Tag real_class, const T &default_value=T())
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::vector< std::set< Certificate_Status_Code >> &cert_status, size_t pos) override
std::vector< uint8_t > get_extension_bits(const OID &oid) const
BER_Object get_next_object()
BER_Decoder & verify_end()
bool is_critical(const std::string &ex_name) const
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
BER_Decoder & decode_list(std::vector< T > &out, ASN1_Tag type_tag=SEQUENCE, ASN1_Tag class_tag=UNIVERSAL)
virtual void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::vector< std::set< Certificate_Status_Code >> &cert_status, size_t pos)
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)
bool remove(const OID &oid)
CRL_Number * copy() const override
void add(const std::multimap< std::string, std::string > &)
size_t get_crl_number() const
static OID from_string(const std::string &str)