1 /*
2 * X.509 CRL
3 * (C) 1999-2007 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/x509_crl.h>
9 #include <botan/x509_ext.h>
10 #include <botan/x509cert.h>
11 #include <botan/ber_dec.h>
12 #include <botan/parsing.h>
13 #include <botan/bigint.h>
14 #include <botan/oids.h>
15 
16 namespace Botan {
17 
/*
* Load a X.509 CRL from a generic data source.
*
* The base X509_Object is handed the source plus the accepted PEM labels;
* it is expected to leave the TBS bytes and the outer signature algorithm
* in m_tbs_bits / m_sig_algo (force_decode() below reads both).
* do_decode() then parses the TBSCertList (presumably via force_decode()).
*
* touc: when true, an extension that is marked critical but not understood
*       is a hard error rather than being ignored (passed through to every
*       CRL_Entry and to the CRL-level Extensions in force_decode()).
*
* NOTE(review): the label string here is "X509 CRL/CRL" while the other
* constructors use "CRL/X509 CRL"; both name the same two labels, so this
* is presumably equivalent if X509_Object treats the string as a set.
*/
X509_CRL::X509_CRL(DataSource& in, bool touc) :
   X509_Object(in, "X509 CRL/CRL"),
   m_throw_on_unknown_critical(touc)
   {
   do_decode();
   }
26 
27 #if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
/*
* Load a X.509 CRL from a file on disk.
*
* Only compiled when the target has a filesystem (see the surrounding
* #if). Behaves like the DataSource constructor: X509_Object reads the
* object named by fsname, then do_decode() parses the TBSCertList.
*
* fsname: path of the CRL file (PEM with label "CRL"/"X509 CRL", or DER,
*         depending on what X509_Object accepts - not visible here).
* touc:   throw on an unknown critical extension.
*/
X509_CRL::X509_CRL(const std::string& fsname, bool touc) :
   X509_Object(fsname, "CRL/X509 CRL"),
   m_throw_on_unknown_critical(touc)
   {
   do_decode();
   }
36 #endif
37 
/*
* Load a X.509 CRL from an in-memory byte buffer.
*
* in:   the encoded CRL (X509_Object decides whether PEM or DER is accepted).
* touc: throw on an unknown critical extension.
*
* Parsing happens in do_decode() after the base class has split off the
* TBS bytes; any decoding error surfaces from this constructor.
*/
X509_CRL::X509_CRL(const std::vector<uint8_t>& in, bool touc) :
   X509_Object(in, "CRL/X509 CRL"),
   m_throw_on_unknown_critical(touc)
   {
   do_decode();
   }
43 
/*
* Build a CRL object from its components rather than by parsing.
*
* Records exactly what force_decode() would have recorded for the same
* data - the issuer DN attributes and the thisUpdate/nextUpdate strings
* under "X509.CRL.start"/"X509.CRL.end" - so issuer_dn(), this_update(),
* next_update() and is_revoked() work on the result.
*
* NOTE(review): nothing here sets a signature algorithm, TBS bytes or a
* signature; the object is unsigned as constructed. Whatever signs it (not
* in this file) must do so before the CRL is distributed or trusted.
* m_throw_on_unknown_critical is fixed to false because no parsing occurs.
*/
X509_CRL::X509_CRL(const X509_DN& issuer, const X509_Time& thisUpdate,
                   const X509_Time& nextUpdate, const std::vector<CRL_Entry>& revoked) :
   X509_Object(),
   m_throw_on_unknown_critical(false),
   m_revoked(revoked)
   {
   const std::string start = thisUpdate.to_string();
   const std::string end = nextUpdate.to_string();

   m_info.add(issuer.contents());
   m_info.add("X509.CRL.start", start);
   m_info.add("X509.CRL.end", end);
   }
52 
/**
* Check whether a certificate is listed as revoked in this CRL.
*
* The test is purely structural: issuer DN must match, the authority key
* identifiers must match when both the CRL and the certificate carry one,
* and the certificate's serial must appear in the revoked list. Returns
* false (not "unknown") when the certificate was not issued by this CRL's
* issuer - it may still be revoked by some other CRL.
*
* A matching entry counts as revoked for every reason code except
* removeFromCRL (RFC 5280 defines that reason for delta CRLs); if a serial
* is listed more than once, the last entry in the list decides. Note that
* certificateHold entries therefore report as revoked.
*
* NOTE(review): this does not verify the CRL signature, check that the
* current time is within this_update()/next_update(), honour an issuing
* distribution point scope, or handle indirect CRLs (per-entry certificate
* issuer). Those checks must be done by the caller before a true/false
* answer from here is relied on.
*/
bool X509_CRL::is_revoked(const X509_Certificate& cert) const
   {
   // Wrong issuer: this CRL cannot say anything about the certificate.
   if(cert.issuer_dn() != issuer_dn())
      return false;

   // Both sides have an AKID -> they must name the same issuer key.
   const std::vector<uint8_t> crl_akid = authority_key_id();
   const std::vector<uint8_t> cert_akid = cert.authority_key_id();
   const bool both_have_akid = !crl_akid.empty() && !cert_akid.empty();
   if(both_have_akid && crl_akid != cert_akid)
      return false;

   const std::vector<uint8_t> serial = cert.serial_number();

   // Walk every entry (no early exit) so a later duplicate overrides an
   // earlier one, exactly as the last-writer-wins loop did originally.
   bool revoked = false;
   for(const CRL_Entry& entry : m_revoked)
      {
      if(entry.serial_number() != serial)
         continue;
      revoked = (entry.reason_code() != REMOVE_FROM_CRL);
      }

   return revoked;
   }
89 
/*
* Decode the TBSCertList data
*
* Parses m_tbs_bits (presumably filled in by X509_Object) in RFC 5280
* section 5.1 order: [version] signature issuer thisUpdate nextUpdate
* [revokedCertificates] [crlExtensions]. Results go to m_info (issuer DN
* attributes, "X509.CRL.start"/"X509.CRL.end", extension contents) and
* m_revoked. Throws X509_CRL_Error on an unknown version, on an inner/outer
* signature-algorithm mismatch, and on unexpected trailing content.
*
* NOTE(review): this only parses. Verifying the signature over m_tbs_bits
* and checking freshness against this_update()/next_update() are not done
* here; a verifier must do both before trusting the revocation list.
*/
void X509_CRL::force_decode()
   {
   BER_Decoder tbs_crl(m_tbs_bits);

   // v1 CRLs omit the version INTEGER (value 0); v2 encodes 1.
   // NOTE(review): `version` is not initialised before the call, so this
   // relies on decode_optional() assigning a default when the field is
   // absent - confirm against BER_Decoder.
   size_t version;
   tbs_crl.decode_optional(version, INTEGER, UNIVERSAL);

   if(version != 0 && version != 1)
      throw X509_CRL_Error("Unknown X.509 CRL version " +
                           std::to_string(version+1));

   // The outer signatureAlgorithm sits outside the signed bytes; RFC 5280
   // requires it to equal the signed inner one, and rejecting a mismatch
   // stops an attacker from swapping the algorithm the verifier uses.
   AlgorithmIdentifier sig_algo_inner;
   tbs_crl.decode(sig_algo_inner);

   if(m_sig_algo != sig_algo_inner)
      throw X509_CRL_Error("Algorithm identifier mismatch");

   X509_DN dn_issuer;
   tbs_crl.decode(dn_issuer);
   m_info.add(dn_issuer.contents());

   // nextUpdate is decoded unconditionally, so a CRL that omits it (the
   // ASN.1 marks it OPTIONAL, though RFC 5280 issuers MUST include it) is
   // rejected by the decoder rather than treated as "no expiry".
   X509_Time start, end;
   tbs_crl.decode(start).decode(end);
   m_info.add("X509.CRL.start", start.to_string());
   m_info.add("X509.CRL.end", end.to_string());

   BER_Object next = tbs_crl.get_next_object();

   // revokedCertificates: an optional SEQUENCE OF entries. Each entry is
   // parsed with the same unknown-critical-extension policy as the CRL.
   if(next.type_tag == SEQUENCE && next.class_tag == CONSTRUCTED)
      {
      BER_Decoder cert_list(next.value);

      while(cert_list.more_items())
         {
         CRL_Entry entry(m_throw_on_unknown_critical);
         cert_list.decode(entry);
         m_revoked.push_back(entry);
         }
      next = tbs_crl.get_next_object();
      }

   // crlExtensions: [0] EXPLICIT Extensions.
   // NOTE(review): the second half of this condition (the class-tag test on
   // the [0] wrapper) is missing from this listing - check the repository
   // source. RFC 5280 also requires version v2 whenever any extension is
   // present; that is not enforced here.
   if(next.type_tag == 0 &&
      {
      BER_Decoder crl_options(next.value);

      Extensions extensions(m_throw_on_unknown_critical);

      crl_options.decode(extensions).verify_end();

      extensions.contents_to(m_info, m_info);

      next = tbs_crl.get_next_object();
      }

   // Anything else after the optional fields is a malformed TBSCertList.
   if(next.type_tag != NO_OBJECT)
      throw X509_CRL_Error("Unknown tag in CRL");

   tbs_crl.verify_end();
   }
153 
/*
* Return a copy of the revoked-certificate entries, in the order they
* appeared in the CRL (or were supplied to the building constructor).
* Entries with reason removeFromCRL are included; see is_revoked() for
* how they are interpreted.
*/
std::vector<CRL_Entry> X509_CRL::get_revoked() const
   {
   std::vector<CRL_Entry> entries(m_revoked);
   return entries;
   }
161 
/*
* Return the distinguished name of the issuer, rebuilt from the DN
* attributes that force_decode() (or the building constructor) stored in
* m_info. This is the name is_revoked() compares against the certificate.
*/
X509_DN X509_CRL::issuer_dn() const
   {
   const Data_Store& info = m_info;
   return create_dn(info);
   }
169 
/*
* Return the authority key identifier recorded from the CRL's
* AuthorityKeyIdentifier extension. is_revoked() treats an empty result
* as "extension absent", so presumably get1_memvec() returns an empty
* vector when the key is missing - confirm against Data_Store.
*/
std::vector<uint8_t> X509_CRL::authority_key_id() const
   {
   static const char* const key = "X509v3.AuthorityKeyIdentifier";
   return m_info.get1_memvec(key);
   }
177 
/*
* Return the CRL number of this CRL.
*
* NOTE(review): two caveats for anyone using this to order CRLs or decide
* freshness. First, an absent CRLNumber extension yields 0 (the default
* passed to get1_uint32), which is indistinguishable from an explicit 0.
* Second, RFC 5280 allows CRL numbers up to 20 octets; a uint32_t cannot
* hold those and how get1_uint32 treats a wider value is not visible here.
*/
uint32_t X509_CRL::crl_number() const
   {
   const uint32_t if_absent = 0;
   return m_info.get1_uint32("X509v3.CRLNumber", if_absent);
   }
185 
/*
* Return the issue date of the CRL (thisUpdate), reconstructed from the
* "X509.CRL.start" string that force_decode() or the building constructor
* stored. A CRL must not be used before this time.
*/
X509_Time X509_CRL::this_update() const
   {
   const std::string when = m_info.get1("X509.CRL.start");
   return X509_Time(when, ASN1_Tag::UTC_OR_GENERALIZED_TIME);
   }
193 
/*
* Return the date by which a new CRL will be issued (nextUpdate), from the
* stored "X509.CRL.end" string. A CRL past this time is stale and should
* not be relied on for revocation decisions; nothing in this file enforces
* that, so the caller must compare against the current time.
*/
X509_Time X509_CRL::next_update() const
   {
   const std::string when = m_info.get1("X509.CRL.end");
   return X509_Time(when, ASN1_Tag::UTC_OR_GENERALIZED_TIME);
   }
201 
202 }