Botan::Cert_Extension::Name_Constraints Class Reference

#include <x509_ext.h>

Inheritance diagram for Botan::Cert_Extension::Name_Constraints:
Botan::Certificate_Extension

Public Member Functions

Name_Constraintscopy () const override
 
 Name_Constraints ()=default
 
 Name_Constraints (const NameConstraints &nc)
 
virtual OID oid_of () const
 
void validate (const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::vector< std::set< Certificate_Status_Code >> &cert_status, size_t pos) override
 

Detailed Description

Name Constraints extension (X509v3.NameConstraints). Wraps a NameConstraints value (its permitted and excluded subtrees) and, through validate(), records NAME_CONSTRAINT_ERROR against the certificates of a path that fall outside those subtrees.

Definition at line 359 of file x509_ext.h.

Constructor & Destructor Documentation

Botan::Cert_Extension::Name_Constraints::Name_Constraints ( )
default
Botan::Cert_Extension::Name_Constraints::Name_Constraints ( const NameConstraints & nc )
inline

Definition at line 366 of file x509_ext.h.

366 : m_name_constraints(nc) {}

Member Function Documentation

Name_Constraints* Botan::Cert_Extension::Name_Constraints::copy ( ) const
inline override virtual

Make a copy of this extension

Returns
a copy of this extension, heap-allocated with new; the receiver is responsible for deleting it.

Implements Botan::Certificate_Extension.

Definition at line 362 of file x509_ext.h.

// Allocates the copy with plain new and returns the raw pointer. Whoever receives
// it is presumably responsible for deleting it — confirm against the
// Certificate_Extension::copy() contract before storing it anywhere long-lived.
363  { return new Name_Constraints(m_name_constraints); }
OID Botan::Certificate_Extension::oid_of ( ) const
virtual inherited
Returns
OID representing this extension

Reimplemented in Botan::Cert_Extension::Unknown_Critical_Extension.

Definition at line 76 of file x509_ext.cpp.

References Botan::OIDS::lookup(), and Botan::Certificate_Extension::oid_name().

Referenced by Botan::Extensions::add(), Botan::Extensions::encode_into(), and Botan::Extensions::replace().

// Resolves this extension's OID from its textual name: oid_name() is the pure
// virtual each concrete extension implements, and OIDS::lookup() maps that
// string to the registered OID.
77  {
78  return OIDS::lookup(oid_name());
79  }
void Botan::Cert_Extension::Name_Constraints::validate ( const X509_Certificate & subject,
const X509_Certificate & issuer,
const std::vector< std::shared_ptr< const X509_Certificate >> & cert_path,
std::vector< std::set< Certificate_Status_Code >> & cert_status,
size_t pos
)
override virtual

Reimplemented from Botan::Certificate_Extension.

Definition at line 591 of file x509_ext.cpp.

References Botan::NameConstraints::excluded(), Botan::X509_Certificate::is_CA_cert(), Botan::X509_Certificate::is_critical(), Botan::NAME_CONSTRAINT_ERROR, and Botan::NameConstraints::permitted().

// validate(): enforce this certificate's NameConstraints on the chain.
//   subject     - the certificate carrying the extension whose permitted()/excluded()
//                 subtrees are held in m_name_constraints (presumably cert_path[pos]:
//                 its own violations are charged to cert_status.at(pos) below)
//   issuer      - the certificate that issued subject; only its NameConstraints
//                 criticality flag is consulted here
//   cert_path   - the full path; the loop treats lower indices as subordinate to
//                 higher ones and index size()-1 as the root
//   cert_status - one status set per path position; NAME_CONSTRAINT_ERROR is
//                 inserted for every position found in violation
//   pos         - index of subject in cert_path
// Returns nothing: failures are reported only through cert_status. The .at()
// calls throw std::out_of_range if pos or j fall outside the vectors.
595  {
     // Nothing to enforce when both subtree lists are empty.
596  if(!m_name_constraints.permitted().empty() || !m_name_constraints.excluded().empty())
597  {
     // Constraints are only meaningful on a CA certificate and (per RFC 5280
     // 4.2.1.10) must be marked critical; either violation is charged to the
     // constraint-carrying certificate itself.
598  if(!subject.is_CA_cert() || !subject.is_critical("X509v3.NameConstraints"))
599  cert_status.at(pos).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
600 
     // NOTE(review): "self-signed root" here means only "last entry of
     // cert_path"; nothing verifies that the certificate is actually
     // self-signed or a trust anchor.
601  const bool at_self_signed_root = (pos == cert_path.size() - 1);
602 
603  // Check that all subordinate certs pass the name constraint
     // NOTE(review): j == pos (the certificate carrying the constraint) is
     // included unless it is the root, so a CA's own names are tested against
     // its own constraints. RFC 5280 applies name constraints to subsequent
     // certificates in the path, not to the constraining CA — confirm whether
     // `j < pos` was intended.
604  for(size_t j = 0; j <= pos; ++j)
605  {
606  if(pos == j && at_self_signed_root)
607  continue;
608 
     // With no permitted subtrees everything is permitted until an excluded
     // subtree matches; otherwise some permitted subtree must vouch for it.
609  bool permitted = m_name_constraints.permitted().empty();
610  bool failed = false;
611 
     // (Each iteration copies a GeneralSubtree; `const auto&` would avoid it.)
612  for(auto c: m_name_constraints.permitted())
613  {
614  switch(c.base().matches(*cert_path.at(j)))
615  {
     // NotFound: the certificate presumably carries no name of this subtree's
     // type, which RFC 5280 treats as unconstrained. All: every name of that
     // type lies inside the subtree.
     // NOTE(review): `permitted` is a single flag shared across all subtrees
     // and name types, so a NotFound for one subtree (e.g. an IP subtree when
     // the certificate has only DNS names) marks the whole certificate
     // permitted even if its DNS names match none of the permitted DNS
     // subtrees (the default branch leaves the flag untouched). RFC 5280
     // requires the permitted check per name form — confirm this aggregation.
616  case GeneralName::MatchResult::NotFound:
617  case GeneralName::MatchResult::All:
618  permitted = true;
619  break;
     // UnknownType: a name form this implementation cannot evaluate. It only
     // counts as a failure when the extension is critical.
     // NOTE(review): the criticality consulted is issuer's, but the extension
     // being enforced belongs to subject (see line 598). If issuer has no
     // NameConstraints extension, is_critical() presumably returns false and
     // unknown name types pass silently — confirm which certificate is meant.
620  case GeneralName::MatchResult::UnknownType:
621  failed = issuer.is_critical("X509v3.NameConstraints");
622  permitted = true;
623  break;
624  default:
625  break;
626  }
627  }
628 
629  for(auto c: m_name_constraints.excluded())
630  {
631  switch(c.base().matches(*cert_path.at(j)))
632  {
     // Any overlap with an excluded subtree (all or some of the names of that
     // type) is a failure.
633  case GeneralName::MatchResult::All:
634  case GeneralName::MatchResult::Some:
635  failed = true;
636  break;
     // NOTE(review): plain assignment here can overwrite a `failed = true` set
     // by an earlier excluded subtree whenever the criticality flag is false,
     // making the verdict depend on subtree order; `failed |= ...` (or
     // `failed = failed || ...`) would be the order-independent form. The same
     // issuer-vs-subject criticality question as in the permitted loop applies.
637  case GeneralName::MatchResult::UnknownType:
638  failed = issuer.is_critical("X509v3.NameConstraints");
639  break;
640  default:
641  break;
642  }
643  }
644 
     // Charge the violation to the certificate that was checked, not to the
     // constraint-carrying one.
645  if(failed || !permitted)
646  {
647  cert_status.at(j).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
648  }
649  }
650  }
651  }
