Botan  2.1.0
Crypto and TLS for C++11
name_constraint.h
Go to the documentation of this file.
1 /*
2 * X.509 Name Constraint
3 * (C) 2015 Kai Michaelis
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #ifndef BOTAN_NAME_CONSTRAINT_H__
9 #define BOTAN_NAME_CONSTRAINT_H__
10 
11 #include <botan/asn1_obj.h>
12 #include <ostream>
13 
14 namespace Botan {
15 
16 class X509_Certificate;
17 
18 /**
19 * @brief X.509 GeneralName Type
20 *
21 * Handles parsing GeneralName types in their BER and canonical string
22 * encoding. Allows matching GeneralNames against each other using
23 * the rules laid out in the RFC 5280, sec. 4.2.1.10 (Name Contraints).
24 */
25 class BOTAN_DLL GeneralName : public ASN1_Object
26  {
27  public:
28  enum MatchResult : int
29  {
30  All,
35  };
36 
37  /**
38  * Creates an empty GeneralName.
39  */
40  GeneralName() = default;
41 
42  /**
43  * Creates a new GeneralName for its string format.
44  * @param str type and name, colon-separated, e.g., "DNS:google.com"
45  */
46  GeneralName(const std::string& str);
47 
48  void encode_into(class DER_Encoder&) const override;
49 
50  void decode_from(class BER_Decoder&) override;
51 
52  /**
53  * @return Type of the name. Can be DN, DNS, IP, RFC822 or URI.
54  */
55  const std::string& type() const { return m_type; }
56 
57  /**
58  * @return The name as string. Format depends on type.
59  */
60  const std::string& name() const { return m_name; }
61 
62  /**
63  * Checks whether a given certificate (partially) matches this name.
64  * @param cert certificate to be matched
65  * @return the match result
66  */
67  MatchResult matches(const X509_Certificate& cert) const;
68 
69  private:
70  std::string m_type;
71  std::string m_name;
72 
73  bool matches_dns(const std::string&) const;
74  bool matches_dn(const std::string&) const;
75  bool matches_ip(const std::string&) const;
76  };
77 
78 std::ostream& operator<<(std::ostream& os, const GeneralName& gn);
79 
80 /**
81 * @brief A single Name Constraint
82 *
83 * The Name Constraint extension adds a minimum and maximum path
84 * length to a GeneralName to form a constraint. The length limits
85 * are currently unused.
86 */
87 class BOTAN_DLL GeneralSubtree : public ASN1_Object
88  {
89  public:
90  /**
91  * Creates an empty name constraint.
92  */
93  GeneralSubtree() : m_base(), m_minimum(0), m_maximum(std::numeric_limits<std::size_t>::max())
94  {}
95 
96  /***
97  * Creates a new name constraint.
98  * @param base name
99  * @param min minimum path length
100  * @param max maximum path length
101  */
102  GeneralSubtree(GeneralName base, size_t min, size_t max)
103  : m_base(base), m_minimum(min), m_maximum(max)
104  {}
105 
106  /**
107  * Creates a new name constraint for its string format.
108  * @param str name constraint
109  */
110  GeneralSubtree(const std::string& str);
111 
112  void encode_into(class DER_Encoder&) const override;
113 
114  void decode_from(class BER_Decoder&) override;
115 
116  /**
117  * @return name
118  */
119  GeneralName base() const { return m_base; }
120 
121  /**
122  * @return minimum path length
123  */
124  size_t minimum() const { return m_minimum; }
125 
126  /**
127  * @return maximum path length
128  */
129  size_t maximum() const { return m_maximum; }
130 
131  private:
132  GeneralName m_base;
133  size_t m_minimum;
134  size_t m_maximum;
135  };
136 
137 std::ostream& operator<<(std::ostream& os, const GeneralSubtree& gs);
138 
139 /**
140 * @brief Name Constraints
141 *
142 * Wraps the Name Constraints associated with a certificate.
143 */
144 class BOTAN_DLL NameConstraints
145  {
146  public:
147  /**
148  * Creates an empty name NameConstraints.
149  */
150  NameConstraints() : m_permitted_subtrees(), m_excluded_subtrees() {}
151 
152  /**
153  * Creates NameConstraints from a list of permitted and excluded subtrees.
154  * @param permitted_subtrees names for which the certificate is permitted
155  * @param excluded_subtrees names for which the certificate is not permitted
156  */
157  NameConstraints(std::vector<GeneralSubtree>&& permitted_subtrees,
158  std::vector<GeneralSubtree>&& excluded_subtrees)
159  : m_permitted_subtrees(permitted_subtrees), m_excluded_subtrees(excluded_subtrees)
160  {}
161 
162  /**
163  * @return permitted names
164  */
165  const std::vector<GeneralSubtree>& permitted() const { return m_permitted_subtrees; }
166 
167  /**
168  * @return excluded names
169  */
170  const std::vector<GeneralSubtree>& excluded() const { return m_excluded_subtrees; }
171 
172  private:
173  std::vector<GeneralSubtree> m_permitted_subtrees;
174  std::vector<GeneralSubtree> m_excluded_subtrees;
175 };
176 
177 }
178 
179 #endif
std::string m_name
GeneralSubtree(GeneralName base, size_t min, size_t max)
std::ostream & operator<<(std::ostream &out, const X509_DN &dn)
Definition: x509_dn.cpp:299
Definition: bigint.h:619
const std::vector< GeneralSubtree > & permitted() const
size_t maximum() const
const std::vector< GeneralSubtree > & excluded() const
NameConstraints(std::vector< GeneralSubtree > &&permitted_subtrees, std::vector< GeneralSubtree > &&excluded_subtrees)
Definition: alg_id.cpp:13
X.509 GeneralName Type.
bool matches(DataSource &source, const std::string &extra, size_t search_range)
Definition: pem.cpp:140
A single Name Constraint.
T max(T a, T b)
Definition: ct_utils.h:173
const std::string & name() const
size_t minimum() const
const std::string & type() const
GeneralName base() const
T min(T a, T b)
Definition: ct_utils.h:180
Name Constraints.