9 #include <botan/x509_ext.h>
10 #include <botan/x509cert.h>
11 #include <botan/sha160.h>
12 #include <botan/der_enc.h>
13 #include <botan/ber_dec.h>
14 #include <botan/oids.h>
15 #include <botan/charset.h>
16 #include <botan/internal/bit_ops.h>
25 Certificate_Extension* Extensions::create_extension(
const OID& oid,
bool critical)
27 #define X509_EXTENSION(NAME, TYPE) \
28 if(oid == OIDS::lookup(NAME)) { return new Cert_Extension::TYPE(); }
35 X509_EXTENSION(
"X509v3.IssuerAlternativeName", Issuer_Alternative_Name);
36 X509_EXTENSION(
"X509v3.SubjectAlternativeName", Subject_Alternative_Name);
38 X509_EXTENSION(
"X509v3.CertificatePolicies", Certificate_Policies);
39 X509_EXTENSION(
"X509v3.CRLDistributionPoints", CRL_Distribution_Points);
40 X509_EXTENSION(
"PKIX.AuthorityInformationAccess", Authority_Information_Access);
44 return critical ?
new Cert_Extension::Unknown_Critical_Extension(oid) : nullptr;
62 for(
size_t i = 0; i != other.m_extensions.size(); ++i)
63 m_extensions.push_back(
64 std::make_pair(std::unique_ptr<Certificate_Extension>(other.m_extensions[i].first->copy()),
65 other.m_extensions[i].second));
67 m_extensions_raw = other.m_extensions_raw;
68 m_throw_on_unknown_critical = other.m_throw_on_unknown_critical;
85 const std::vector<std::shared_ptr<const X509_Certificate>>&,
86 std::vector<std::set<Certificate_Status_Code>>&,
94 for(
const auto& ext : m_extensions)
96 if(ext.first->oid_of() == extn->
oid_of())
102 if(m_extensions_raw.count(extn->
oid_of()) > 0)
107 m_extensions.push_back(std::make_pair(std::unique_ptr<Certificate_Extension>(extn), critical));
108 m_extensions_raw.emplace(extn->
oid_of(), std::make_pair(extn->
encode_inner(), critical));
113 for(
auto it = m_extensions.begin(); it != m_extensions.end(); ++it)
115 if(it->first->oid_of() == extn->
oid_of())
117 m_extensions.erase(it);
122 m_extensions.push_back(std::make_pair(std::unique_ptr<Certificate_Extension>(extn), critical));
128 for(
auto& ext : m_extensions)
130 if(ext.first->oid_of() == oid)
132 return std::unique_ptr<Certificate_Extension>(ext.first->copy());
141 std::vector<std::pair<std::unique_ptr<Certificate_Extension>,
bool>> exts;
142 for(
auto& ext : m_extensions)
144 exts.push_back(std::make_pair(std::unique_ptr<Certificate_Extension>(ext.first->copy()), ext.second));
151 return m_extensions_raw;
160 for(
size_t i = 0; i != m_extensions.size(); ++i)
163 const bool is_critical = m_extensions[i].second;
171 .encode_optional(is_critical,
false)
178 for(
const auto& ext_raw : m_extensions_raw)
180 const bool is_critical = ext_raw.second.second;
181 const OID oid = ext_raw.first;
182 const std::vector<uint8_t> value = ext_raw.second.first;
184 auto pos = std::find_if(std::begin(m_extensions), std::end(m_extensions),
185 [&oid](
const std::pair<std::unique_ptr<Certificate_Extension>,
bool>& ext) ->
bool
187 return ext.first->oid_of() == oid;
190 if(pos == std::end(m_extensions))
207 m_extensions.clear();
208 m_extensions_raw.clear();
215 std::vector<uint8_t> value;
224 m_extensions_raw.emplace(oid, std::make_pair(value, critical));
226 std::unique_ptr<Certificate_Extension> ext(create_extension(oid, critical));
228 if(!ext && critical && m_throw_on_unknown_critical)
229 throw Decoding_Error(
"Encountered unknown X.509 extension marked "
230 "as critical; OID = " + oid.
as_string());
236 ext->decode_inner(value);
238 catch(std::exception& e)
244 m_extensions.push_back(std::make_pair(std::move(ext), critical));
257 for(
size_t i = 0; i != m_extensions.size(); ++i)
259 m_extensions[i].first->contents_to(subject_info, issuer_info);
260 subject_info.
add(m_extensions[i].first->oid_name() +
".is_critical", (m_extensions[i].second ? 1 : 0));
265 namespace Cert_Extension {
273 throw Invalid_State(
"Basic_Constraints::get_path_limit: Not a CA");
280 std::vector<uint8_t> Basic_Constraints::encode_inner()
const
287 .encode_optional(m_path_limit, NO_CERT_PATH_LIMIT)
296 void Basic_Constraints::decode_inner(
const std::vector<uint8_t>& in)
311 void Basic_Constraints::contents_to(Data_Store& subject, Data_Store&)
const
313 subject.add(
"X509v3.BasicConstraints.is_ca", (m_is_ca ? 1 : 0));
314 subject.add(
"X509v3.BasicConstraints.path_constraint", static_cast<uint32_t>(m_path_limit));
320 std::vector<uint8_t> Key_Usage::encode_inner()
const
323 throw Encoding_Error(
"Cannot encode zero usage constraints");
325 const size_t unused_bits =
low_bit(m_constraints) - 1;
327 std::vector<uint8_t> der;
329 der.push_back(2 + ((unused_bits < 8) ? 1 : 0));
330 der.push_back(unused_bits % 8);
331 der.push_back((m_constraints >> 8) & 0xFF);
332 if(m_constraints & 0xFF)
333 der.push_back(m_constraints & 0xFF);
341 void Key_Usage::decode_inner(
const std::vector<uint8_t>& in)
345 BER_Object obj = ber.get_next_object();
348 throw BER_Bad_Tag(
"Bad tag for usage constraint",
349 obj.type_tag, obj.class_tag);
351 if(obj.value.size() != 2 && obj.value.size() != 3)
352 throw BER_Decoding_Error(
"Bad size for BITSTRING in usage constraint");
354 if(obj.value[0] >= 8)
355 throw BER_Decoding_Error(
"Invalid unused bits in usage constraint");
357 obj.value[obj.value.size()-1] &= (0xFF << obj.value[0]);
360 for(
size_t i = 1; i != obj.value.size(); ++i)
362 usage = (obj.value[i] << 8*(
sizeof(usage)-i)) | usage;
371 void Key_Usage::contents_to(Data_Store& subject, Data_Store&)
const
373 subject.add(
"X509v3.KeyUsage", m_constraints);
379 std::vector<uint8_t> Subject_Key_ID::encode_inner()
const
381 return DER_Encoder().encode(m_key_id,
OCTET_STRING).get_contents_unlocked();
387 void Subject_Key_ID::decode_inner(
const std::vector<uint8_t>& in)
389 BER_Decoder(in).decode(m_key_id,
OCTET_STRING).verify_end();
395 void Subject_Key_ID::contents_to(Data_Store& subject, Data_Store&)
const
397 subject.add(
"X509v3.SubjectKeyIdentifier", m_key_id);
409 std::vector<uint8_t> Authority_Key_ID::encode_inner()
const
421 void Authority_Key_ID::decode_inner(
const std::vector<uint8_t>& in)
431 void Authority_Key_ID::contents_to(Data_Store&, Data_Store& issuer)
const
434 issuer.add(
"X509v3.AuthorityKeyIdentifier", m_key_id);
440 std::vector<uint8_t> Alternative_Name::encode_inner()
const
442 return DER_Encoder().encode(m_alt_name).get_contents_unlocked();
448 void Alternative_Name::decode_inner(
const std::vector<uint8_t>& in)
450 BER_Decoder(in).
decode(m_alt_name);
456 void Alternative_Name::contents_to(Data_Store& subject_info,
457 Data_Store& issuer_info)
const
459 std::multimap<std::string, std::string> contents =
462 if(m_oid_name_str ==
"X509v3.SubjectAlternativeName")
463 subject_info.add(contents);
464 else if(m_oid_name_str ==
"X509v3.IssuerAlternativeName")
465 issuer_info.add(contents);
467 throw Internal_Error(
"In Alternative_Name, unknown type " +
475 const std::string& oid_name_str) :
476 m_oid_name_str(oid_name_str),
500 std::vector<uint8_t> Extended_Key_Usage::encode_inner()
const
512 void Extended_Key_Usage::decode_inner(
const std::vector<uint8_t>& in)
520 void Extended_Key_Usage::contents_to(Data_Store& subject, Data_Store&)
const
522 for(
size_t i = 0; i != m_oids.size(); ++i)
523 subject.add(
"X509v3.ExtendedKeyUsage", m_oids[i].as_string());
529 std::vector<uint8_t> Name_Constraints::encode_inner()
const
531 throw Not_Implemented(
"Name_Constraints encoding");
538 void Name_Constraints::decode_inner(
const std::vector<uint8_t>& in)
540 std::vector<GeneralSubtree> permit, exclude;
542 BER_Decoder ext = ber.start_cons(
SEQUENCE);
543 BER_Object per = ext.get_next_object();
550 throw Encoding_Error(
"Empty Name Contraint list");
553 BER_Object exc = ext.get_next_object();
559 throw Encoding_Error(
"Empty Name Contraint list");
564 if(permit.empty() && exclude.empty())
565 throw Encoding_Error(
"Empty Name Contraint extension");
567 m_name_constraints = NameConstraints(std::move(permit),std::move(exclude));
573 void Name_Constraints::contents_to(Data_Store& subject, Data_Store&)
const
575 std::stringstream ss;
577 for(
const GeneralSubtree& gs: m_name_constraints.
permitted())
580 subject.add(
"X509v3.NameConstraints.permitted", ss.str());
581 ss.str(std::string());
583 for(
const GeneralSubtree& gs: m_name_constraints.
excluded())
586 subject.add(
"X509v3.NameConstraints.excluded", ss.str());
587 ss.str(std::string());
592 const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
593 std::vector<std::set<Certificate_Status_Code>>& cert_status,
596 if(!m_name_constraints.
permitted().empty() || !m_name_constraints.
excluded().empty())
601 const bool at_self_signed_root = (pos == cert_path.size() - 1);
604 for(
size_t j = 0; j <= pos; ++j)
606 if(pos == j && at_self_signed_root)
609 bool permitted = m_name_constraints.
permitted().empty();
612 for(
auto c: m_name_constraints.
permitted())
614 switch(c.base().matches(*cert_path.at(j)))
616 case GeneralName::MatchResult::NotFound:
617 case GeneralName::MatchResult::All:
620 case GeneralName::MatchResult::UnknownType:
621 failed = issuer.
is_critical(
"X509v3.NameConstraints");
629 for(
auto c: m_name_constraints.
excluded())
631 switch(c.base().matches(*cert_path.at(j)))
633 case GeneralName::MatchResult::All:
634 case GeneralName::MatchResult::Some:
637 case GeneralName::MatchResult::UnknownType:
638 failed = issuer.
is_critical(
"X509v3.NameConstraints");
645 if(failed || !permitted)
661 Policy_Information() =
default;
662 explicit Policy_Information(
const OID& oid) :
m_oid(oid) {}
664 const OID& oid()
const {
return m_oid; }
666 void encode_into(DER_Encoder& codec)
const override
673 void decode_from(BER_Decoder& codec)
override
690 std::vector<uint8_t> Certificate_Policies::encode_inner()
const
692 std::vector<Policy_Information> policies;
694 for(
size_t i = 0; i != m_oids.size(); ++i)
695 policies.push_back(Policy_Information(m_oids[i]));
699 .encode_list(policies)
701 .get_contents_unlocked();
707 void Certificate_Policies::decode_inner(
const std::vector<uint8_t>& in)
709 std::vector<Policy_Information> policies;
711 BER_Decoder(in).decode_list(policies);
714 for(
size_t i = 0; i != policies.size(); ++i)
715 m_oids.push_back(policies[i].oid());
721 void Certificate_Policies::contents_to(Data_Store& info, Data_Store&)
const
723 for(
size_t i = 0; i != m_oids.size(); ++i)
724 info.add(
"X509v3.CertificatePolicies", m_oids[i].as_string());
727 std::vector<uint8_t> Authority_Information_Access::encode_inner()
const
729 ASN1_String url(m_ocsp_responder,
IA5_STRING);
737 .end_cons().get_contents_unlocked();
740 void Authority_Information_Access::decode_inner(
const std::vector<uint8_t>& in)
742 BER_Decoder ber = BER_Decoder(in).start_cons(
SEQUENCE);
744 while(ber.more_items())
748 BER_Decoder info = ber.start_cons(
SEQUENCE);
754 BER_Object name = info.get_next_object();
767 void Authority_Information_Access::contents_to(Data_Store& subject, Data_Store&)
const
769 if(!m_ocsp_responder.empty())
770 subject.add(
"OCSP.responder", m_ocsp_responder);
796 std::vector<uint8_t> CRL_Number::encode_inner()
const
804 void CRL_Number::decode_inner(
const std::vector<uint8_t>& in)
812 void CRL_Number::contents_to(Data_Store& info, Data_Store&)
const
814 info.add(
"X509v3.CRLNumber", static_cast<uint32_t>(m_crl_number));
820 std::vector<uint8_t> CRL_ReasonCode::encode_inner()
const
824 .get_contents_unlocked();
830 void CRL_ReasonCode::decode_inner(
const std::vector<uint8_t>& in)
832 size_t reason_code = 0;
834 m_reason =
static_cast<CRL_Code>(reason_code);
840 void CRL_ReasonCode::contents_to(Data_Store& info, Data_Store&)
const
842 info.add(
"X509v3.CRLReasonCode", m_reason);
845 std::vector<uint8_t> CRL_Distribution_Points::encode_inner()
const
847 throw Not_Implemented(
"CRL_Distribution_Points encoding");
850 void CRL_Distribution_Points::decode_inner(
const std::vector<uint8_t>& buf)
852 BER_Decoder(buf).decode_list(m_distribution_points).verify_end();
855 void CRL_Distribution_Points::contents_to(Data_Store& info, Data_Store&)
const
857 for(
size_t i = 0; i != m_distribution_points.size(); ++i)
859 auto point = m_distribution_points[i].point().contents();
861 auto uris = point.equal_range(
"URI");
863 for(
auto uri = uris.first; uri != uris.second; ++uri)
864 info.add(
"CRL.DistributionPoint", uri->second);
883 std::vector<uint8_t> Unknown_Critical_Extension::encode_inner()
const
888 void Unknown_Critical_Extension::decode_inner(
const std::vector<uint8_t>&)
std::map< OID, std::pair< std::vector< uint8_t >, bool > > extensions_raw() const
DER_Encoder & encode_list(const std::vector< T > &values)
virtual std::string oid_name() const =0
Issuer_Alternative_Name(const AlternativeName &=AlternativeName())
DER_Encoder & encode_optional(const T &value, const T &default_value)
std::vector< uint8_t > get_contents_unlocked()
size_t get_path_limit() const
BER_Decoder & decode_optional_string(std::vector< uint8_t, Alloc > &out, ASN1_Tag real_type, uint16_t type_no, ASN1_Tag class_tag=CONTEXT_SPECIFIC)
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
Extensions(const Extensions &)
void encode_into(class DER_Encoder &) const override
Alternative_Name(const AlternativeName &, const std::string &oid_name)
const std::vector< GeneralSubtree > & permitted() const
void decode_from(class BER_Decoder &) override
void replace(Certificate_Extension *extn, bool critical=false)
BER_Decoder & decode(bool &v)
std::string to_string(const BER_Object &obj)
std::multimap< std::string, std::string > contents() const
void contents_to(Data_Store &, Data_Store &) const
std::vector< std::pair< std::unique_ptr< Certificate_Extension >, bool > > extensions() const
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::vector< std::set< Certificate_Status_Code >> &cert_status, size_t pos) override
void add(Certificate_Extension *extn, bool critical=false)
void decode_from(class BER_Decoder &) override
DER_Encoder & encode(bool b)
BER_Decoder & decode_optional(T &out, ASN1_Tag type_tag, ASN1_Tag class_tag, const T &default_value=T())
void encode_into(class DER_Encoder &) const override
const std::vector< GeneralSubtree > & excluded() const
std::string transcode(const std::string &str, Character_Set to, Character_Set from)
virtual std::vector< uint8_t > encode_inner() const =0
std::string lookup(const OID &oid)
std::unique_ptr< Certificate_Extension > get(const OID &oid) const
virtual bool should_encode() const
BER_Decoder start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
BER_Decoder & decode_optional_implicit(T &out, ASN1_Tag type_tag, ASN1_Tag class_tag, ASN1_Tag real_type, ASN1_Tag real_class, const T &default_value=T())
Subject_Alternative_Name(const AlternativeName &=AlternativeName())
std::vector< T > unlock(const secure_vector< T > &in)
AlternativeName get_alt_name() const
Extensions & operator=(const Extensions &)
DER_Encoder & encode_if(bool pred, DER_Encoder &enc)
BER_Decoder & verify_end()
std::string as_string() const
bool is_critical(const std::string &ex_name) const
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
BER_Decoder & decode_list(std::vector< T > &out, ASN1_Tag type_tag=SEQUENCE, ASN1_Tag class_tag=UNIVERSAL)
virtual void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::vector< std::set< Certificate_Status_Code >> &cert_status, size_t pos)
CRL_Number * copy() const override
void add(const std::multimap< std::string, std::string > &)
size_t get_crl_number() const
virtual OID oid_of() const
#define X509_EXTENSION(NAME, TYPE)