Botan  1.10.9
x509_ext.cpp
Go to the documentation of this file.
1 /*
2 * X.509 Certificate Extensions
3 * (C) 1999-2010 Jack Lloyd
4 *
5 * Distributed under the terms of the Botan license
6 */
7 
8 #include <botan/x509_ext.h>
9 #include <botan/sha160.h>
10 #include <botan/der_enc.h>
11 #include <botan/ber_dec.h>
12 #include <botan/oids.h>
13 #include <botan/internal/bit_ops.h>
14 #include <algorithm>
15 #include <memory>
16 
17 namespace Botan {
18 
19 /*
20 * List of X.509 Certificate Extensions
21 */
22 Certificate_Extension* Extensions::get_extension(const OID& oid)
23  {
24 #define X509_EXTENSION(NAME, TYPE) \
25  if(OIDS::name_of(oid, NAME)) \
26  return new Cert_Extension::TYPE();
27 
28  X509_EXTENSION("X509v3.KeyUsage", Key_Usage);
29  X509_EXTENSION("X509v3.BasicConstraints", Basic_Constraints);
30  X509_EXTENSION("X509v3.SubjectKeyIdentifier", Subject_Key_ID);
31  X509_EXTENSION("X509v3.AuthorityKeyIdentifier", Authority_Key_ID);
32  X509_EXTENSION("X509v3.ExtendedKeyUsage", Extended_Key_Usage);
33  X509_EXTENSION("X509v3.IssuerAlternativeName", Issuer_Alternative_Name);
34  X509_EXTENSION("X509v3.SubjectAlternativeName", Subject_Alternative_Name);
35  X509_EXTENSION("X509v3.CRLNumber", CRL_Number);
36  X509_EXTENSION("X509v3.CertificatePolicies", Certificate_Policies);
37  X509_EXTENSION("X509v3.ReasonCode", CRL_ReasonCode);
38 
39  return 0;
40  }
41 
42 /*
43 * Extensions Copy Constructor
44 */
46  {
47  *this = extensions;
48  }
49 
50 /*
51 * Extensions Assignment Operator
52 */
54  {
55  for(size_t i = 0; i != extensions.size(); ++i)
56  delete extensions[i].first;
57  extensions.clear();
58 
59  for(size_t i = 0; i != other.extensions.size(); ++i)
60  extensions.push_back(
61  std::make_pair(other.extensions[i].first->copy(),
62  other.extensions[i].second));
63 
64  should_throw = other.should_throw;
65 
66  return (*this);
67  }
68 
69 /*
70 * Return the OID of this extension
71 */
73  {
74  return OIDS::lookup(oid_name());
75  }
76 
77 void Extensions::add(Certificate_Extension* extn, bool critical)
78  {
79  extensions.push_back(std::make_pair(extn, critical));
80  }
81 
82 /*
83 * Encode an Extensions list
84 */
85 void Extensions::encode_into(DER_Encoder& to_object) const
86  {
87  for(size_t i = 0; i != extensions.size(); ++i)
88  {
89  const Certificate_Extension* ext = extensions[i].first;
90  const bool is_critical = extensions[i].second;
91 
92  const bool should_encode = ext->should_encode();
93 
94  if(should_encode)
95  {
96  to_object.start_cons(SEQUENCE)
97  .encode(ext->oid_of())
98  .encode_optional(is_critical, false)
100  .end_cons();
101  }
102  }
103  }
104 
105 /*
106 * Decode a list of Extensions
107 */
109  {
110  for(size_t i = 0; i != extensions.size(); ++i)
111  delete extensions[i].first;
112  extensions.clear();
113 
114  BER_Decoder sequence = from_source.start_cons(SEQUENCE);
115 
116  while(sequence.more_items())
117  {
118  OID oid;
119  MemoryVector<byte> value;
120  bool critical;
121 
122  sequence.start_cons(SEQUENCE)
123  .decode(oid)
124  .decode_optional(critical, BOOLEAN, UNIVERSAL, false)
125  .decode(value, OCTET_STRING)
126  .verify_end()
127  .end_cons();
128 
129  Certificate_Extension* ext = get_extension(oid);
130 
131  if(!ext)
132  {
133  if(!critical || !should_throw)
134  continue;
135 
136  throw Decoding_Error("Encountered unknown X.509 extension marked "
137  "as critical; OID = " + oid.as_string());
138  }
139 
140  ext->decode_inner(value);
141 
142  extensions.push_back(std::make_pair(ext, critical));
143  }
144  sequence.verify_end();
145  }
146 
147 /*
148 * Write the extensions to an info store
149 */
151  Data_Store& issuer_info) const
152  {
153  for(size_t i = 0; i != extensions.size(); ++i)
154  extensions[i].first->contents_to(subject_info, issuer_info);
155  }
156 
157 /*
158 * Delete an Extensions list
159 */
161  {
162  for(size_t i = 0; i != extensions.size(); ++i)
163  delete extensions[i].first;
164  }
165 
166 namespace Cert_Extension {
167 
168 /*
169 * Checked accessor for the path_limit member
170 */
172  {
173  if(!is_ca)
174  throw Invalid_State("Basic_Constraints::get_path_limit: Not a CA");
175  return path_limit;
176  }
177 
178 /*
179 * Encode the extension
180 */
181 MemoryVector<byte> Basic_Constraints::encode_inner() const
182  {
183  return DER_Encoder()
185  .encode_if(is_ca,
186  DER_Encoder()
187  .encode(is_ca)
188  .encode_optional(path_limit, NO_CERT_PATH_LIMIT)
189  )
190  .end_cons()
191  .get_contents();
192  }
193 
194 /*
195 * Decode the extension
196 */
197 void Basic_Constraints::decode_inner(const MemoryRegion<byte>& in)
198  {
199  BER_Decoder(in)
201  .decode_optional(is_ca, BOOLEAN, UNIVERSAL, false)
202  .decode_optional(path_limit, INTEGER, UNIVERSAL, NO_CERT_PATH_LIMIT)
203  .verify_end()
204  .end_cons();
205 
206  if(is_ca == false)
207  path_limit = 0;
208  }
209 
210 /*
211 * Return a textual representation
212 */
213 void Basic_Constraints::contents_to(Data_Store& subject, Data_Store&) const
214  {
215  subject.add("X509v3.BasicConstraints.is_ca", (is_ca ? 1 : 0));
216  subject.add("X509v3.BasicConstraints.path_constraint", path_limit);
217  }
218 
219 /*
220 * Encode the extension
221 */
222 MemoryVector<byte> Key_Usage::encode_inner() const
223  {
224  if(constraints == NO_CONSTRAINTS)
225  throw Encoding_Error("Cannot encode zero usage constraints");
226 
227  const size_t unused_bits = low_bit(constraints) - 1;
228 
229  MemoryVector<byte> der;
230  der.push_back(BIT_STRING);
231  der.push_back(2 + ((unused_bits < 8) ? 1 : 0));
232  der.push_back(unused_bits % 8);
233  der.push_back((constraints >> 8) & 0xFF);
234  if(constraints & 0xFF)
235  der.push_back(constraints & 0xFF);
236 
237  return der;
238  }
239 
240 /*
241 * Decode the extension
242 */
243 void Key_Usage::decode_inner(const MemoryRegion<byte>& in)
244  {
245  BER_Decoder ber(in);
246 
247  BER_Object obj = ber.get_next_object();
248 
249  if(obj.type_tag != BIT_STRING || obj.class_tag != UNIVERSAL)
250  throw BER_Bad_Tag("Bad tag for usage constraint",
251  obj.type_tag, obj.class_tag);
252 
253  if(obj.value.size() != 2 && obj.value.size() != 3)
254  throw BER_Decoding_Error("Bad size for BITSTRING in usage constraint");
255 
256  if(obj.value[0] >= 8)
257  throw BER_Decoding_Error("Invalid unused bits in usage constraint");
258 
259  obj.value[obj.value.size()-1] &= (0xFF << obj.value[0]);
260 
261  u16bit usage = 0;
262  for(size_t i = 1; i != obj.value.size(); ++i)
263  usage = (obj.value[i] << 8) | usage;
264 
265  constraints = Key_Constraints(usage);
266  }
267 
268 /*
269 * Return a textual representation
270 */
271 void Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
272  {
273  subject.add("X509v3.KeyUsage", constraints);
274  }
275 
276 /*
277 * Encode the extension
278 */
279 MemoryVector<byte> Subject_Key_ID::encode_inner() const
280  {
281  return DER_Encoder().encode(key_id, OCTET_STRING).get_contents();
282  }
283 
284 /*
285 * Decode the extension
286 */
287 void Subject_Key_ID::decode_inner(const MemoryRegion<byte>& in)
288  {
289  BER_Decoder(in).decode(key_id, OCTET_STRING).verify_end();
290  }
291 
292 /*
293 * Return a textual representation
294 */
295 void Subject_Key_ID::contents_to(Data_Store& subject, Data_Store&) const
296  {
297  subject.add("X509v3.SubjectKeyIdentifier", key_id);
298  }
299 
300 /*
301 * Subject_Key_ID Constructor
302 */
304  {
305  SHA_160 hash;
306  key_id = hash.process(pub_key);
307  }
308 
309 /*
310 * Encode the extension
311 */
312 MemoryVector<byte> Authority_Key_ID::encode_inner() const
313  {
314  return DER_Encoder()
317  .end_cons()
318  .get_contents();
319  }
320 
321 /*
322 * Decode the extension
323 */
324 void Authority_Key_ID::decode_inner(const MemoryRegion<byte>& in)
325  {
326  BER_Decoder(in)
329  }
330 
331 /*
332 * Return a textual representation
333 */
334 void Authority_Key_ID::contents_to(Data_Store&, Data_Store& issuer) const
335  {
336  if(key_id.size())
337  issuer.add("X509v3.AuthorityKeyIdentifier", key_id);
338  }
339 
340 /*
341 * Encode the extension
342 */
343 MemoryVector<byte> Alternative_Name::encode_inner() const
344  {
345  return DER_Encoder().encode(alt_name).get_contents();
346  }
347 
348 /*
349 * Decode the extension
350 */
351 void Alternative_Name::decode_inner(const MemoryRegion<byte>& in)
352  {
353  BER_Decoder(in).decode(alt_name);
354  }
355 
356 /*
357 * Return a textual representation
358 */
359 void Alternative_Name::contents_to(Data_Store& subject_info,
360  Data_Store& issuer_info) const
361  {
362  std::multimap<std::string, std::string> contents =
364 
365  if(oid_name_str == "X509v3.SubjectAlternativeName")
366  subject_info.add(contents);
367  else if(oid_name_str == "X509v3.IssuerAlternativeName")
368  issuer_info.add(contents);
369  else
370  throw Internal_Error("In Alternative_Name, unknown type " +
371  oid_name_str);
372  }
373 
374 /*
375 * Alternative_Name Constructor
376 */
378  const std::string& oid_name_str,
379  const std::string& config_name_str)
380  {
381  this->alt_name = alt_name;
382  this->oid_name_str = oid_name_str;
383  this->config_name_str = config_name_str;
384  }
385 
386 /*
387 * Subject_Alternative_Name Constructor
388 */
390  const AlternativeName& name) :
391 
392  Alternative_Name(name, "X509v3.SubjectAlternativeName",
393  "subject_alternative_name")
394  {
395  }
396 
397 /*
398 * Issuer_Alternative_Name Constructor
399 */
401  Alternative_Name(name, "X509v3.IssuerAlternativeName",
402  "issuer_alternative_name")
403  {
404  }
405 
406 /*
407 * Encode the extension
408 */
409 MemoryVector<byte> Extended_Key_Usage::encode_inner() const
410  {
411  return DER_Encoder()
413  .encode_list(oids)
414  .end_cons()
415  .get_contents();
416  }
417 
418 /*
419 * Decode the extension
420 */
421 void Extended_Key_Usage::decode_inner(const MemoryRegion<byte>& in)
422  {
423  BER_Decoder(in)
425  .decode_list(oids)
426  .end_cons();
427  }
428 
429 /*
430 * Return a textual representation
431 */
432 void Extended_Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
433  {
434  for(size_t i = 0; i != oids.size(); ++i)
435  subject.add("X509v3.ExtendedKeyUsage", oids[i].as_string());
436  }
437 
438 namespace {
439 
440 /*
441 * A policy specifier
442 */
443 class Policy_Information : public ASN1_Object
444  {
445  public:
446  OID oid;
447 
448  Policy_Information() {}
449  Policy_Information(const OID& oid) : oid(oid) {}
450 
451  void encode_into(DER_Encoder& codec) const
452  {
453  codec.start_cons(SEQUENCE)
454  .encode(oid)
455  .end_cons();
456  }
457 
458  void decode_from(BER_Decoder& codec)
459  {
460  codec.start_cons(SEQUENCE)
461  .decode(oid)
462  .discard_remaining()
463  .end_cons();
464  }
465  };
466 
467 }
468 
469 /*
470 * Encode the extension
471 */
472 MemoryVector<byte> Certificate_Policies::encode_inner() const
473  {
474  std::vector<Policy_Information> policies;
475 
476  for(size_t i = 0; i != oids.size(); ++i)
477  policies.push_back(oids[i]);
478 
479  return DER_Encoder()
480  .start_cons(SEQUENCE)
481  .encode_list(policies)
482  .end_cons()
483  .get_contents();
484  }
485 
486 /*
487 * Decode the extension
488 */
489 void Certificate_Policies::decode_inner(const MemoryRegion<byte>& in)
490  {
491  std::vector<Policy_Information> policies;
492 
493  BER_Decoder(in)
494  .start_cons(SEQUENCE)
495  .decode_list(policies)
496  .end_cons();
497 
498  oids.clear();
499  for(size_t i = 0; i != policies.size(); ++i)
500  oids.push_back(policies[i].oid);
501  }
502 
503 /*
504 * Return a textual representation
505 */
506 void Certificate_Policies::contents_to(Data_Store& info, Data_Store&) const
507  {
508  for(size_t i = 0; i != oids.size(); ++i)
509  info.add("X509v3.ExtendedKeyUsage", oids[i].as_string());
510  }
511 
512 /*
513 * Checked accessor for the crl_number member
514 */
516  {
517  if(!has_value)
518  throw Invalid_State("CRL_Number::get_crl_number: Not set");
519  return crl_number;
520  }
521 
522 /*
523 * Copy a CRL_Number extension
524 */
526  {
527  if(!has_value)
528  throw Invalid_State("CRL_Number::copy: Not set");
529  return new CRL_Number(crl_number);
530  }
531 
532 /*
533 * Encode the extension
534 */
535 MemoryVector<byte> CRL_Number::encode_inner() const
536  {
537  return DER_Encoder().encode(crl_number).get_contents();
538  }
539 
540 /*
541 * Decode the extension
542 */
543 void CRL_Number::decode_inner(const MemoryRegion<byte>& in)
544  {
545  BER_Decoder(in).decode(crl_number);
546  }
547 
548 /*
549 * Return a textual representation
550 */
551 void CRL_Number::contents_to(Data_Store& info, Data_Store&) const
552  {
553  info.add("X509v3.CRLNumber", crl_number);
554  }
555 
556 /*
557 * Encode the extension
558 */
559 MemoryVector<byte> CRL_ReasonCode::encode_inner() const
560  {
561  return DER_Encoder()
562  .encode(static_cast<size_t>(reason), ENUMERATED, UNIVERSAL)
563  .get_contents();
564  }
565 
566 /*
567 * Decode the extension
568 */
569 void CRL_ReasonCode::decode_inner(const MemoryRegion<byte>& in)
570  {
571  size_t reason_code = 0;
572  BER_Decoder(in).decode(reason_code, ENUMERATED, UNIVERSAL);
573  reason = static_cast<CRL_Code>(reason_code);
574  }
575 
576 /*
577 * Return a textual representation
578 */
579 void CRL_ReasonCode::contents_to(Data_Store& info, Data_Store&) const
580  {
581  info.add("X509v3.CRLReasonCode", reason);
582  }
583 
584 }
585 
586 }
DER_Encoder & encode_list(const std::vector< T > &values)
Definition: der_enc.h:75
virtual std::string oid_name() const =0
SecureVector< byte > get_contents()
Definition: der_enc.cpp:122
Issuer_Alternative_Name(const AlternativeName &=AlternativeName())
Definition: x509_ext.cpp:400
virtual MemoryVector< byte > encode_inner() const =0
Alternative_Name(const AlternativeName &, const std::string &, const std::string &)
Definition: x509_ext.cpp:377
BER_Decoder & decode_optional_string(MemoryRegion< byte > &, ASN1_Tag, u16bit)
Definition: ber_dec.cpp:472
BER_Decoder & decode(bool &)
Definition: ber_dec.cpp:338
Extensions(const Extensions &)
Definition: x509_ext.cpp:45
CRL_Number * copy() const
Definition: x509_ext.cpp:525
std::multimap< std::string, std::string > contents() const
Definition: asn1_alt.cpp:100
void contents_to(Data_Store &, Data_Store &) const
Definition: x509_ext.cpp:150
DER_Encoder & end_cons()
Definition: der_enc.cpp:145
BER_Decoder start_cons(ASN1_Tag, ASN1_Tag=UNIVERSAL)
Definition: ber_dec.cpp:232
void add(Certificate_Extension *extn, bool critical=false)
Definition: x509_ext.cpp:77
BER_Decoder & decode_list(std::vector< T > &out, bool clear_out=true)
Definition: ber_dec.h:125
void decode_from(class BER_Decoder &)
Definition: x509_ext.cpp:108
DER_Encoder & encode(bool b)
Definition: der_enc.cpp:209
BER_Decoder & decode_optional(T &out, ASN1_Tag type_tag, ASN1_Tag class_tag, const T &default_value=T())
Definition: ber_dec.h:95
BER_Decoder & end_cons()
Definition: ber_dec.cpp:246
bool more_items() const
Definition: ber_dec.cpp:150
std::string lookup(const OID &oid)
Definition: oids.cpp:31
ASN1_Tag
Definition: asn1_int.h:19
unsigned short u16bit
Definition: types.h:27
virtual bool should_encode() const
Definition: x509_ext.h:58
SecureVector< byte > process(const byte in[], size_t length)
Definition: buf_comp.h:101
size_t size() const
Definition: secmem.h:29
Subject_Alternative_Name(const AlternativeName &=AlternativeName())
Definition: x509_ext.cpp:389
std::string encode(const byte der[], size_t length, const std::string &label, size_t width)
Definition: pem.cpp:19
AlternativeName get_alt_name() const
Definition: x509_ext.h:195
Extensions & operator=(const Extensions &)
Definition: x509_ext.cpp:53
DER_Encoder & encode_if(bool pred, DER_Encoder &enc)
Definition: der_enc.cpp:327
BER_Decoder & verify_end()
Definition: ber_dec.cpp:160
std::string as_string() const
Definition: asn1_oid.cpp:50
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: der_enc.cpp:135
void encode_into(class DER_Encoder &) const
Definition: x509_ext.cpp:85
Key_Constraints
Definition: pubkey_enums.h:18
virtual void decode_inner(const MemoryRegion< byte > &)=0
OID oid
Definition: x509_ext.cpp:446
size_t low_bit(T n)
Definition: bit_ops.h:48
#define X509_EXTENSION(NAME, TYPE)