10#include <botan/x509_ext.h>
11#include <botan/x509cert.h>
12#include <botan/datastor.h>
13#include <botan/der_enc.h>
14#include <botan/ber_dec.h>
15#include <botan/hash.h>
16#include <botan/loadstor.h>
17#include <botan/internal/bit_ops.h>
27std::unique_ptr<Certificate_Extension>
28Extensions::create_extn_obj(
const OID& oid,
30 const std::vector<uint8_t>& body)
32 const std::string oid_str = oid.to_string();
34 std::unique_ptr<Certificate_Extension> extn;
38 extn.reset(
new Cert_Extension::Subject_Key_ID);
42 extn.reset(
new Cert_Extension::Key_Usage);
46 extn.reset(
new Cert_Extension::Subject_Alternative_Name);
50 extn.reset(
new Cert_Extension::Issuer_Alternative_Name);
54 extn.reset(
new Cert_Extension::Basic_Constraints);
58 extn.reset(
new Cert_Extension::CRL_Number);
62 extn.reset(
new Cert_Extension::CRL_ReasonCode);
66 extn.reset(
new Cert_Extension::Authority_Key_ID);
70 extn.reset(
new Cert_Extension::Name_Constraints);
74 extn.reset(
new Cert_Extension::CRL_Distribution_Points);
78 extn.reset(
new Cert_Extension::CRL_Issuing_Distribution_Point);
82 extn.reset(
new Cert_Extension::Certificate_Policies);
86 extn.reset(
new Cert_Extension::Extended_Key_Usage);
90 extn.reset(
new Cert_Extension::Authority_Information_Access);
95 extn.reset(
new Cert_Extension::Unknown_Extension(oid, critical));
100 extn->decode_inner(body);
102 catch(Decoding_Error&)
104 extn.reset(
new Cert_Extension::Unknown_Extension(oid, critical));
105 extn->decode_inner(body);
114 const std::vector<std::shared_ptr<const X509_Certificate>>&,
115 std::vector<std::set<Certificate_Status_Code>>&,
126 if(m_extension_info.count(extn->
oid_of()) > 0)
134 Extensions_Info info(critical, extn);
135 m_extension_oids.push_back(oid);
136 m_extension_info[oid] = info;
141 if(m_extension_info.count(extn->
oid_of()) > 0)
148 Extensions_Info info(critical, extn);
149 m_extension_oids.push_back(oid);
150 m_extension_info[oid] = info;
156 const bool erased = m_extension_info.erase(oid) > 0;
160 m_extension_oids.erase(std::find(m_extension_oids.begin(), m_extension_oids.end(), oid));
172 Extensions_Info info(critical, extn);
173 m_extension_oids.push_back(oid);
174 m_extension_info[oid] = info;
179 return (m_extension_info.find(oid) != m_extension_info.end());
184 auto i = m_extension_info.find(oid);
185 if(i != m_extension_info.end())
186 return i->second.is_critical();
192 auto i = m_extension_info.find(oid);
193 if(i == m_extension_info.end())
194 throw Invalid_Argument(
"Extensions::get_extension_bits no such extension set");
196 return i->second.bits();
201 auto extn = m_extension_info.find(oid);
202 if(extn == m_extension_info.end())
205 return &extn->second.obj();
212 return std::unique_ptr<Certificate_Extension>(ext->copy());
219 std::vector<std::pair<std::unique_ptr<Certificate_Extension>,
bool>> exts;
220 for(
auto&& ext : m_extension_info)
224 std::unique_ptr<Certificate_Extension>(ext.second.obj().copy()),
225 ext.second.is_critical())
233 std::map<OID, std::pair<std::vector<uint8_t>,
bool>> out;
234 for(
auto&& ext : m_extension_info)
236 const auto bits = ext.second.bits();
237 const bool is_critical = ext.second.is_critical();
239 out[ext.first] = std::make_pair(bits, is_critical);
249 for(
auto ext_info : m_extension_info)
251 const OID& oid = ext_info.first;
252 const bool should_encode = ext_info.second.obj().should_encode();
256 const bool is_critical = ext_info.second.is_critical();
257 const std::vector<uint8_t>& ext_value = ext_info.second.bits();
273 m_extension_oids.clear();
274 m_extension_info.clear();
282 std::vector<uint8_t> bits;
290 std::unique_ptr<Certificate_Extension> obj = create_extn_obj(oid, critical, bits);
291 Extensions_Info info(critical, bits, obj.release());
293 m_extension_oids.push_back(oid);
294 m_extension_info[oid] = info;
305 for(
auto&& m_extn_info : m_extension_info)
307 m_extn_info.second.obj().contents_to(subject_info, issuer_info);
308 subject_info.
add(m_extn_info.second.obj().oid_name() +
".is_critical",
309 m_extn_info.second.is_critical());
313namespace Cert_Extension {
321 throw Invalid_State(
"Basic_Constraints::get_path_limit: Not a CA");
328std::vector<uint8_t> Basic_Constraints::encode_inner()
const
330 std::vector<uint8_t> output;
336 .encode_optional(m_path_limit, NO_CERT_PATH_LIMIT)
345void Basic_Constraints::decode_inner(
const std::vector<uint8_t>& in)
360void Basic_Constraints::contents_to(Data_Store& subject, Data_Store&)
const
362 subject.add(
"X509v3.BasicConstraints.is_ca", (m_is_ca ? 1 : 0));
363 subject.add(
"X509v3.BasicConstraints.path_constraint",
static_cast<uint32_t
>(m_path_limit));
369std::vector<uint8_t> Key_Usage::encode_inner()
const
372 throw Encoding_Error(
"Cannot encode zero usage constraints");
374 const size_t unused_bits =
ctz(
static_cast<uint32_t
>(m_constraints));
376 std::vector<uint8_t> der;
378 der.push_back(2 + ((unused_bits < 8) ? 1 : 0));
379 der.push_back(unused_bits % 8);
380 der.push_back((m_constraints >> 8) & 0xFF);
381 if(m_constraints & 0xFF)
382 der.push_back(m_constraints & 0xFF);
390void Key_Usage::decode_inner(
const std::vector<uint8_t>& in)
394 BER_Object obj = ber.get_next_object();
398 if(obj.length() != 2 && obj.length() != 3)
399 throw BER_Decoding_Error(
"Bad size for BITSTRING in usage constraint");
403 const uint8_t* bits = obj.bits();
406 throw BER_Decoding_Error(
"Invalid unused bits in usage constraint");
408 const uint8_t mask =
static_cast<uint8_t
>(0xFF << bits[0]);
410 if(obj.length() == 2)
414 else if(obj.length() == 3)
425void Key_Usage::contents_to(Data_Store& subject, Data_Store&)
const
427 subject.add(
"X509v3.KeyUsage", m_constraints);
433std::vector<uint8_t> Subject_Key_ID::encode_inner()
const
435 std::vector<uint8_t> output;
443void Subject_Key_ID::decode_inner(
const std::vector<uint8_t>& in)
445 BER_Decoder(in).decode(m_key_id,
OCTET_STRING).verify_end();
451void Subject_Key_ID::contents_to(Data_Store& subject, Data_Store&)
const
453 subject.add(
"X509v3.SubjectKeyIdentifier", m_key_id);
463 m_key_id.resize(
hash->output_length());
465 hash->update(pub_key);
466 hash->final(m_key_id.data());
469 const size_t max_skid_len = (192 / 8);
470 if(m_key_id.size() > max_skid_len)
471 m_key_id.resize(max_skid_len);
477std::vector<uint8_t> Authority_Key_ID::encode_inner()
const
479 std::vector<uint8_t> output;
490void Authority_Key_ID::decode_inner(
const std::vector<uint8_t>& in)
500void Authority_Key_ID::contents_to(Data_Store&, Data_Store& issuer)
const
503 issuer.add(
"X509v3.AuthorityKeyIdentifier", m_key_id);
509std::vector<uint8_t> Subject_Alternative_Name::encode_inner()
const
511 std::vector<uint8_t> output;
512 DER_Encoder(output).encode(m_alt_name);
519std::vector<uint8_t> Issuer_Alternative_Name::encode_inner()
const
521 std::vector<uint8_t> output;
522 DER_Encoder(output).encode(m_alt_name);
529void Subject_Alternative_Name::decode_inner(
const std::vector<uint8_t>& in)
531 BER_Decoder(in).
decode(m_alt_name);
537void Issuer_Alternative_Name::decode_inner(
const std::vector<uint8_t>& in)
539 BER_Decoder(in).
decode(m_alt_name);
545void Subject_Alternative_Name::contents_to(Data_Store& subject_info,
554void Issuer_Alternative_Name::contents_to(Data_Store&, Data_Store& issuer_info)
const
562std::vector<uint8_t> Extended_Key_Usage::encode_inner()
const
564 std::vector<uint8_t> output;
575void Extended_Key_Usage::decode_inner(
const std::vector<uint8_t>& in)
583void Extended_Key_Usage::contents_to(Data_Store& subject, Data_Store&)
const
585 for(
size_t i = 0; i != m_oids.size(); ++i)
586 subject.add(
"X509v3.ExtendedKeyUsage", m_oids[i].to_string());
592std::vector<uint8_t> Name_Constraints::encode_inner()
const
594 throw Not_Implemented(
"Name_Constraints encoding");
601void Name_Constraints::decode_inner(
const std::vector<uint8_t>& in)
603 std::vector<GeneralSubtree> permit, exclude;
605 BER_Decoder ext = ber.start_cons(
SEQUENCE);
606 BER_Object per = ext.get_next_object();
613 throw Encoding_Error(
"Empty Name Contraint list");
616 BER_Object exc = ext.get_next_object();
622 throw Encoding_Error(
"Empty Name Contraint list");
627 if(permit.empty() && exclude.empty())
628 throw Encoding_Error(
"Empty Name Contraint extension");
630 m_name_constraints = NameConstraints(std::move(permit),std::move(exclude));
636void Name_Constraints::contents_to(Data_Store& subject, Data_Store&)
const
638 std::stringstream ss;
640 for(
const GeneralSubtree& gs: m_name_constraints.
permitted())
643 subject.add(
"X509v3.NameConstraints.permitted", ss.str());
644 ss.str(std::string());
646 for(
const GeneralSubtree& gs: m_name_constraints.
excluded())
649 subject.add(
"X509v3.NameConstraints.excluded", ss.str());
650 ss.str(std::string());
655 const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
656 std::vector<std::set<Certificate_Status_Code>>& cert_status,
659 if(!m_name_constraints.
permitted().empty() || !m_name_constraints.
excluded().empty())
666 const bool issuer_name_constraint_critical =
670 for(
size_t j = 0; j < pos; ++j)
672 bool permitted = m_name_constraints.
permitted().empty();
675 for(
auto c: m_name_constraints.
permitted())
677 switch(c.base().matches(*cert_path.at(j)))
679 case GeneralName::MatchResult::NotFound:
680 case GeneralName::MatchResult::All:
683 case GeneralName::MatchResult::UnknownType:
684 failed = issuer_name_constraint_critical;
692 for(
auto c: m_name_constraints.
excluded())
694 switch(c.base().matches(*cert_path.at(j)))
696 case GeneralName::MatchResult::All:
697 case GeneralName::MatchResult::Some:
700 case GeneralName::MatchResult::UnknownType:
701 failed = issuer_name_constraint_critical;
708 if(failed || !permitted)
724 Policy_Information() =
default;
725 explicit Policy_Information(
const OID& oid) : m_oid(oid) {}
727 const OID& oid()
const {
return m_oid; }
729 void encode_into(DER_Encoder& codec)
const override
736 void decode_from(BER_Decoder& codec)
override
753std::vector<uint8_t> Certificate_Policies::encode_inner()
const
755 std::vector<Policy_Information> policies;
757 for(
size_t i = 0; i != m_oids.size(); ++i)
758 policies.push_back(Policy_Information(m_oids[i]));
760 std::vector<uint8_t> output;
763 .encode_list(policies)
771void Certificate_Policies::decode_inner(
const std::vector<uint8_t>& in)
773 std::vector<Policy_Information> policies;
775 BER_Decoder(in).decode_list(policies);
777 for(
size_t i = 0; i != policies.size(); ++i)
778 m_oids.push_back(policies[i].oid());
784void Certificate_Policies::contents_to(Data_Store& info, Data_Store&)
const
786 for(
size_t i = 0; i != m_oids.size(); ++i)
787 info.add(
"X509v3.CertificatePolicies", m_oids[i].to_string());
793 const std::vector<std::shared_ptr<const X509_Certificate>>& ,
794 std::vector<std::set<Certificate_Status_Code>>& cert_status,
797 std::set<OID> oid_set(m_oids.begin(), m_oids.end());
798 if(oid_set.size() != m_oids.size())
804std::vector<uint8_t> Authority_Information_Access::encode_inner()
const
808 std::vector<uint8_t> output;
819void Authority_Information_Access::decode_inner(
const std::vector<uint8_t>& in)
853void Authority_Information_Access::contents_to(Data_Store& subject, Data_Store&)
const
855 if(!m_ocsp_responder.empty())
856 subject.add(
"OCSP.responder", m_ocsp_responder);
857 for(
const std::string& ca_issuer : m_ca_issuers)
858 subject.add(
"PKIX.CertificateAuthorityIssuers", ca_issuer);
884std::vector<uint8_t> CRL_Number::encode_inner()
const
886 std::vector<uint8_t> output;
894void CRL_Number::decode_inner(
const std::vector<uint8_t>& in)
903void CRL_Number::contents_to(Data_Store& info, Data_Store&)
const
905 info.add(
"X509v3.CRLNumber",
static_cast<uint32_t
>(m_crl_number));
911std::vector<uint8_t> CRL_ReasonCode::encode_inner()
const
913 std::vector<uint8_t> output;
921void CRL_ReasonCode::decode_inner(
const std::vector<uint8_t>& in)
923 size_t reason_code = 0;
925 m_reason =
static_cast<CRL_Code>(reason_code);
931void CRL_ReasonCode::contents_to(Data_Store& info, Data_Store&)
const
933 info.add(
"X509v3.CRLReasonCode", m_reason);
936std::vector<uint8_t> CRL_Distribution_Points::encode_inner()
const
938 throw Not_Implemented(
"CRL_Distribution_Points encoding");
941void CRL_Distribution_Points::decode_inner(
const std::vector<uint8_t>& buf)
944 .decode_list(m_distribution_points)
947 std::stringstream ss;
949 for(
size_t i = 0; i != m_distribution_points.size(); ++i)
951 auto contents = m_distribution_points[i].point().contents();
953 for(
const auto& pair : contents)
955 ss << pair.first <<
": " << pair.second <<
" ";
959 m_crl_distribution_urls.push_back(ss.str());
962void CRL_Distribution_Points::contents_to(Data_Store& subject, Data_Store&)
const
964 for(
const std::string& crl_url : m_crl_distribution_urls)
965 subject.add(
"CRL.DistributionPoint", crl_url);
983std::vector<uint8_t> CRL_Issuing_Distribution_Point::encode_inner()
const
988void CRL_Issuing_Distribution_Point::decode_inner(
const std::vector<uint8_t>& buf)
995 auto contents = m_distribution_point.point().contents();
996 std::stringstream ss;
998 for(
const auto& pair : contents)
1000 ss << pair.first <<
": " << pair.second <<
" ";
1003 info.
add(
"X509v3.CRLIssuingDistributionPoint", ss.str());
1006std::vector<uint8_t> Unknown_Extension::encode_inner()
const
1011void Unknown_Extension::decode_inner(
const std::vector<uint8_t>& bytes)
1017void Unknown_Extension::contents_to(Data_Store&, Data_Store&)
const
BER_Decoder start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
BER_Decoder & decode_list(std::vector< T > &out, ASN1_Tag type_tag=SEQUENCE, ASN1_Tag class_tag=UNIVERSAL)
BER_Object get_next_object()
BER_Decoder & decode(bool &out)
BER_Decoder & decode_optional_string(std::vector< uint8_t, Alloc > &out, ASN1_Tag real_type, uint16_t type_no, ASN1_Tag class_tag=CONTEXT_SPECIFIC)
BER_Decoder & decode_optional(T &out, ASN1_Tag type_tag, ASN1_Tag class_tag, const T &default_value=T())
BER_Decoder & verify_end()
BER_Decoder & decode_optional_implicit(T &out, ASN1_Tag type_tag, ASN1_Tag class_tag, ASN1_Tag real_type, ASN1_Tag real_class, const T &default_value=T())
size_t get_path_limit() const
void decode_from(class BER_Decoder &) override
void encode_into(class DER_Encoder &) const override
CRL_Number * copy() const override
size_t get_crl_number() const
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate > > &cert_path, std::vector< std::set< Certificate_Status_Code > > &cert_status, size_t pos) override
const AlternativeName & get_alt_name() const
void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate > > &cert_path, std::vector< std::set< Certificate_Status_Code > > &cert_status, size_t pos) override
const AlternativeName & get_alt_name() const
virtual void validate(const X509_Certificate &subject, const X509_Certificate &issuer, const std::vector< std::shared_ptr< const X509_Certificate > > &cert_path, std::vector< std::set< Certificate_Status_Code > > &cert_status, size_t pos)
virtual std::string oid_name() const =0
virtual OID oid_of() const =0
DER_Encoder & encode_optional(const T &value, const T &default_value)
DER_Encoder & add_object(ASN1_Tag type_tag, ASN1_Tag class_tag, const uint8_t rep[], size_t length)
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
DER_Encoder & encode_if(bool pred, DER_Encoder &enc)
DER_Encoder & encode(bool b)
void add(const std::multimap< std::string, std::string > &)
const Certificate_Extension * get_extension_object(const OID &oid) const
void decode_from(class BER_Decoder &) override
std::map< OID, std::pair< std::vector< uint8_t >, bool > > extensions_raw() const
void replace(Certificate_Extension *extn, bool critical=false)
std::unique_ptr< Certificate_Extension > get(const OID &oid) const
bool remove(const OID &oid)
void contents_to(Data_Store &, Data_Store &) const
std::vector< uint8_t > get_extension_bits(const OID &oid) const
bool critical_extension_set(const OID &oid) const
std::vector< std::pair< std::unique_ptr< Certificate_Extension >, bool > > extensions() const
bool add_new(Certificate_Extension *extn, bool critical=false)
void encode_into(class DER_Encoder &) const override
void add(Certificate_Extension *extn, bool critical=false)
bool extension_set(const OID &oid) const
static std::unique_ptr< HashFunction > create_or_throw(const std::string &algo_spec, const std::string &provider="")
const std::vector< GeneralSubtree > & permitted() const
const std::vector< GeneralSubtree > & excluded() const
static OID from_string(const std::string &str)
bool is_critical(const std::string &ex_name) const
int(* final)(unsigned char *, CTX *)
std::string to_string(const BER_Object &obj)
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)