Coverage Report

Created: 2020-02-14 15:38

/src/botan/src/lib/x509/x509_ext.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* X.509 Certificate Extensions
3
* (C) 1999-2010,2012 Jack Lloyd
4
* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity
5
* (C) 2017 Fabian Weissberg, Rohde & Schwarz Cybersecurity
6
*
7
* Botan is released under the Simplified BSD License (see license.txt)
8
*/
9
10
#include <botan/x509_ext.h>
11
#include <botan/x509cert.h>
12
#include <botan/datastor.h>
13
#include <botan/der_enc.h>
14
#include <botan/ber_dec.h>
15
#include <botan/hash.h>
16
#include <botan/loadstor.h>
17
#include <botan/internal/bit_ops.h>
18
#include <algorithm>
19
#include <set>
20
#include <sstream>
21
22
namespace Botan {
23
24
/*
25
* Create a Certificate_Extension object of some kind to handle
26
*/
27
std::unique_ptr<Certificate_Extension>
28
Extensions::create_extn_obj(const OID& oid,
29
                            bool critical,
30
                            const std::vector<uint8_t>& body)
31
39.4k
   {
32
39.4k
   const std::string oid_str = oid.to_string();
33
39.4k
34
39.4k
   std::unique_ptr<Certificate_Extension> extn;
35
39.4k
36
39.4k
   if(oid == Cert_Extension::Subject_Key_ID::static_oid())
37
1.89k
      {
38
1.89k
      extn.reset(new Cert_Extension::Subject_Key_ID);
39
1.89k
      }
40
37.5k
   else if(oid == Cert_Extension::Key_Usage::static_oid())
41
1.39k
      {
42
1.39k
      extn.reset(new Cert_Extension::Key_Usage);
43
1.39k
      }
44
36.1k
   else if(oid == Cert_Extension::Subject_Alternative_Name::static_oid())
45
2.28k
      {
46
2.28k
      extn.reset(new Cert_Extension::Subject_Alternative_Name);
47
2.28k
      }
48
33.8k
   else if(oid == Cert_Extension::Issuer_Alternative_Name::static_oid())
49
1.41k
      {
50
1.41k
      extn.reset(new Cert_Extension::Issuer_Alternative_Name);
51
1.41k
      }
52
32.4k
   else if(oid == Cert_Extension::Basic_Constraints::static_oid())
53
1.67k
      {
54
1.67k
      extn.reset(new Cert_Extension::Basic_Constraints);
55
1.67k
      }
56
30.7k
   else if(oid == Cert_Extension::CRL_Number::static_oid())
57
652
      {
58
652
      extn.reset(new Cert_Extension::CRL_Number);
59
652
      }
60
30.0k
   else if(oid == Cert_Extension::CRL_ReasonCode::static_oid())
61
2.69k
      {
62
2.69k
      extn.reset(new Cert_Extension::CRL_ReasonCode);
63
2.69k
      }
64
27.3k
   else if(oid == Cert_Extension::Authority_Key_ID::static_oid())
65
1.80k
      {
66
1.80k
      extn.reset(new Cert_Extension::Authority_Key_ID);
67
1.80k
      }
68
25.5k
   else if(oid == Cert_Extension::Name_Constraints::static_oid())
69
3.66k
      {
70
3.66k
      extn.reset(new Cert_Extension::Name_Constraints);
71
3.66k
      }
72
21.9k
   else if(oid == Cert_Extension::CRL_Distribution_Points::static_oid())
73
1.65k
      {
74
1.65k
      extn.reset(new Cert_Extension::CRL_Distribution_Points);
75
1.65k
      }
76
20.2k
   else if(oid == Cert_Extension::CRL_Issuing_Distribution_Point::static_oid())
77
462
      {
78
462
      extn.reset(new Cert_Extension::CRL_Issuing_Distribution_Point);
79
462
      }
80
19.8k
   else if(oid == Cert_Extension::Certificate_Policies::static_oid())
81
1.09k
      {
82
1.09k
      extn.reset(new Cert_Extension::Certificate_Policies);
83
1.09k
      }
84
18.7k
   else if(oid == Cert_Extension::Extended_Key_Usage::static_oid())
85
1.17k
      {
86
1.17k
      extn.reset(new Cert_Extension::Extended_Key_Usage);
87
1.17k
      }
88
17.5k
   else if(oid == Cert_Extension::Authority_Information_Access::static_oid())
89
675
      {
90
675
      extn.reset(new Cert_Extension::Authority_Information_Access);
91
675
      }
92
16.8k
   else
93
16.8k
      {
94
16.8k
      // some other unknown extension type
95
16.8k
      extn.reset(new Cert_Extension::Unknown_Extension(oid, critical));
96
16.8k
      }
97
39.4k
98
39.4k
   try
99
39.4k
      {
100
39.4k
      extn->decode_inner(body);
101
39.4k
      }
102
39.4k
   catch(Decoding_Error&)
103
39.4k
      {
104
14.2k
      extn.reset(new Cert_Extension::Unknown_Extension(oid, critical));
105
14.2k
      extn->decode_inner(body);
106
14.2k
      }
107
39.4k
   return extn;
108
39.4k
   }
109
110
/*
111
* Validate the extension (the default implementation is a NOP)
112
*/
113
void Certificate_Extension::validate(const X509_Certificate&, const X509_Certificate&,
114
      const std::vector<std::shared_ptr<const X509_Certificate>>&,
115
      std::vector<std::set<Certificate_Status_Code>>&,
116
      size_t)
117
0
   {
118
0
   }
119
120
/*
121
* Add a new cert
122
*/
123
void Extensions::add(Certificate_Extension* extn, bool critical)
124
0
   {
125
0
   // sanity check: we don't want to have the same extension more than once
126
0
   if(m_extension_info.count(extn->oid_of()) > 0)
127
0
      {
128
0
      const std::string name = extn->oid_name();
129
0
      delete extn;
130
0
      throw Invalid_Argument("Extension " + name + " already present in Extensions::add");
131
0
      }
132
0
133
0
   const OID oid = extn->oid_of();
134
0
   Extensions_Info info(critical, extn);
135
0
   m_extension_oids.push_back(oid);
136
0
   m_extension_info.emplace(oid, info);
137
0
   }
138
139
bool Extensions::add_new(Certificate_Extension* extn, bool critical)
140
0
   {
141
0
   if(m_extension_info.count(extn->oid_of()) > 0)
142
0
      {
143
0
      delete extn;
144
0
      return false; // already exists
145
0
      }
146
0
147
0
   const OID oid = extn->oid_of();
148
0
   Extensions_Info info(critical, extn);
149
0
   m_extension_oids.push_back(oid);
150
0
   m_extension_info.emplace(oid, info);
151
0
   return true;
152
0
   }
153
154
bool Extensions::remove(const OID& oid)
155
0
   {
156
0
   const bool erased = m_extension_info.erase(oid) > 0;
157
0
158
0
   if(erased)
159
0
      {
160
0
      m_extension_oids.erase(std::find(m_extension_oids.begin(), m_extension_oids.end(), oid));
161
0
      }
162
0
163
0
   return erased;
164
0
   }
165
166
void Extensions::replace(Certificate_Extension* extn, bool critical)
167
0
   {
168
0
   // Remove it if it existed
169
0
   remove(extn->oid_of());
170
0
171
0
   const OID oid = extn->oid_of();
172
0
   Extensions_Info info(critical, extn);
173
0
   m_extension_oids.push_back(oid);
174
0
   m_extension_info.emplace(oid, info);
175
0
   }
176
177
bool Extensions::extension_set(const OID& oid) const
178
0
   {
179
0
   return (m_extension_info.find(oid) != m_extension_info.end());
180
0
   }
181
182
bool Extensions::critical_extension_set(const OID& oid) const
183
0
   {
184
0
   auto i = m_extension_info.find(oid);
185
0
   if(i != m_extension_info.end())
186
0
      return i->second.is_critical();
187
0
   return false;
188
0
   }
189
190
std::vector<uint8_t> Extensions::get_extension_bits(const OID& oid) const
191
0
   {
192
0
   auto i = m_extension_info.find(oid);
193
0
   if(i == m_extension_info.end())
194
0
      throw Invalid_Argument("Extensions::get_extension_bits no such extension set");
195
0
196
0
   return i->second.bits();
197
0
   }
198
199
const Certificate_Extension* Extensions::get_extension_object(const OID& oid) const
200
134k
   {
201
134k
   auto extn = m_extension_info.find(oid);
202
134k
   if(extn == m_extension_info.end())
203
127k
      return nullptr;
204
6.94k
205
6.94k
   return &extn->second.obj();
206
6.94k
   }
207
208
std::unique_ptr<Certificate_Extension> Extensions::get(const OID& oid) const
209
0
   {
210
0
   if(const Certificate_Extension* ext = this->get_extension_object(oid))
211
0
      {
212
0
      return std::unique_ptr<Certificate_Extension>(ext->copy());
213
0
      }
214
0
   return nullptr;
215
0
   }
216
217
std::vector<std::pair<std::unique_ptr<Certificate_Extension>, bool>> Extensions::extensions() const
218
0
   {
219
0
   std::vector<std::pair<std::unique_ptr<Certificate_Extension>, bool>> exts;
220
0
   for(auto&& ext : m_extension_info)
221
0
      {
222
0
      exts.push_back(
223
0
         std::make_pair(
224
0
            std::unique_ptr<Certificate_Extension>(ext.second.obj().copy()),
225
0
            ext.second.is_critical())
226
0
         );
227
0
      }
228
0
   return exts;
229
0
   }
230
231
std::map<OID, std::pair<std::vector<uint8_t>, bool>> Extensions::extensions_raw() const
232
0
   {
233
0
   std::map<OID, std::pair<std::vector<uint8_t>, bool>> out;
234
0
   for(auto&& ext : m_extension_info)
235
0
      {
236
0
      out.emplace(ext.first,
237
0
                  std::make_pair(ext.second.bits(),
238
0
                                 ext.second.is_critical()));
239
0
      }
240
0
   return out;
241
0
   }
242
243
/*
244
* Encode an Extensions list
245
*/
246
void Extensions::encode_into(DER_Encoder& to_object) const
247
0
   {
248
0
   for(auto ext_info : m_extension_info)
249
0
      {
250
0
      const OID& oid = ext_info.first;
251
0
      const bool should_encode = ext_info.second.obj().should_encode();
252
0
253
0
      if(should_encode)
254
0
         {
255
0
         const bool is_critical = ext_info.second.is_critical();
256
0
         const std::vector<uint8_t>& ext_value = ext_info.second.bits();
257
0
258
0
         to_object.start_cons(SEQUENCE)
259
0
               .encode(oid)
260
0
               .encode_optional(is_critical, false)
261
0
               .encode(ext_value, OCTET_STRING)
262
0
            .end_cons();
263
0
         }
264
0
      }
265
0
   }
266
267
/*
268
* Decode a list of Extensions
269
*/
270
void Extensions::decode_from(BER_Decoder& from_source)
271
10.7k
   {
272
10.7k
   m_extension_oids.clear();
273
10.7k
   m_extension_info.clear();
274
10.7k
275
10.7k
   BER_Decoder sequence = from_source.start_cons(SEQUENCE);
276
10.7k
277
52.6k
   while(sequence.more_items())
278
41.8k
      {
279
41.8k
      OID oid;
280
41.8k
      bool critical;
281
41.8k
      std::vector<uint8_t> bits;
282
41.8k
283
41.8k
      sequence.start_cons(SEQUENCE)
284
41.8k
         .decode(oid)
285
41.8k
         .decode_optional(critical, BOOLEAN, UNIVERSAL, false)
286
41.8k
         .decode(bits, OCTET_STRING)
287
41.8k
      .end_cons();
288
41.8k
289
41.8k
      std::unique_ptr<Certificate_Extension> obj = create_extn_obj(oid, critical, bits);
290
41.8k
      Extensions_Info info(critical, bits, obj.release());
291
41.8k
292
41.8k
      m_extension_oids.push_back(oid);
293
41.8k
      m_extension_info.emplace(oid, info);
294
41.8k
      }
295
10.7k
   sequence.verify_end();
296
10.7k
   }
297
298
/*
299
* Write the extensions to an info store
300
*/
301
void Extensions::contents_to(Data_Store& subject_info,
302
                             Data_Store& issuer_info) const
303
11.7k
   {
304
11.7k
   for(auto&& m_extn_info : m_extension_info)
305
13.1k
      {
306
13.1k
      m_extn_info.second.obj().contents_to(subject_info, issuer_info);
307
13.1k
      subject_info.add(m_extn_info.second.obj().oid_name() + ".is_critical",
308
13.1k
                       m_extn_info.second.is_critical());
309
13.1k
      }
310
11.7k
   }
311
312
namespace Cert_Extension {
313
314
/*
315
* Checked accessor for the path_limit member
316
*/
317
size_t Basic_Constraints::get_path_limit() const
318
75
   {
319
75
   if(!m_is_ca)
320
0
      throw Invalid_State("Basic_Constraints::get_path_limit: Not a CA");
321
75
   return m_path_limit;
322
75
   }
323
324
/*
325
* Encode the extension
326
*/
327
std::vector<uint8_t> Basic_Constraints::encode_inner() const
328
0
   {
329
0
   std::vector<uint8_t> output;
330
0
   DER_Encoder(output)
331
0
      .start_cons(SEQUENCE)
332
0
      .encode_if(m_is_ca,
333
0
                 DER_Encoder()
334
0
                    .encode(m_is_ca)
335
0
                    .encode_optional(m_path_limit, NO_CERT_PATH_LIMIT)
336
0
         )
337
0
      .end_cons();
338
0
   return output;
339
0
   }
340
341
/*
342
* Decode the extension
343
*/
344
void Basic_Constraints::decode_inner(const std::vector<uint8_t>& in)
345
1.67k
   {
346
1.67k
   BER_Decoder(in)
347
1.67k
      .start_cons(SEQUENCE)
348
1.67k
         .decode_optional(m_is_ca, BOOLEAN, UNIVERSAL, false)
349
1.67k
         .decode_optional(m_path_limit, INTEGER, UNIVERSAL, NO_CERT_PATH_LIMIT)
350
1.67k
      .end_cons();
351
1.67k
352
1.67k
   if(m_is_ca == false)
353
465
      m_path_limit = 0;
354
1.67k
   }
355
356
/*
357
* Return a textual representation
358
*/
359
void Basic_Constraints::contents_to(Data_Store& subject, Data_Store&) const
360
276
   {
361
276
   subject.add("X509v3.BasicConstraints.is_ca", (m_is_ca ? 1 : 0));
362
276
   subject.add("X509v3.BasicConstraints.path_constraint", static_cast<uint32_t>(m_path_limit));
363
276
   }
364
365
/*
366
* Encode the extension
367
*/
368
std::vector<uint8_t> Key_Usage::encode_inner() const
369
0
   {
370
0
   if(m_constraints == NO_CONSTRAINTS)
371
0
      throw Encoding_Error("Cannot encode zero usage constraints");
372
0
373
0
   const size_t unused_bits = ctz(static_cast<uint32_t>(m_constraints));
374
0
375
0
   std::vector<uint8_t> der;
376
0
   der.push_back(BIT_STRING);
377
0
   der.push_back(2 + ((unused_bits < 8) ? 1 : 0));
378
0
   der.push_back(unused_bits % 8);
379
0
   der.push_back((m_constraints >> 8) & 0xFF);
380
0
   if(m_constraints & 0xFF)
381
0
      der.push_back(m_constraints & 0xFF);
382
0
383
0
   return der;
384
0
   }
385
386
/*
387
* Decode the extension
388
*/
389
void Key_Usage::decode_inner(const std::vector<uint8_t>& in)
390
1.39k
   {
391
1.39k
   BER_Decoder ber(in);
392
1.39k
393
1.39k
   BER_Object obj = ber.get_next_object();
394
1.39k
395
1.39k
   obj.assert_is_a(BIT_STRING, UNIVERSAL, "usage constraint");
396
1.39k
397
1.39k
   if(obj.length() != 2 && obj.length() != 3)
398
99
      throw BER_Decoding_Error("Bad size for BITSTRING in usage constraint");
399
1.29k
400
1.29k
   uint16_t usage = 0;
401
1.29k
402
1.29k
      const uint8_t* bits = obj.bits();
403
1.29k
404
1.29k
   if(bits[0] >= 8)
405
229
      throw BER_Decoding_Error("Invalid unused bits in usage constraint");
406
1.06k
407
1.06k
   const uint8_t mask = static_cast<uint8_t>(0xFF << bits[0]);
408
1.06k
409
1.06k
   if(obj.length() == 2)
410
347
      {
411
347
      usage = make_uint16(bits[1] & mask, 0);
412
347
      }
413
720
   else if(obj.length() == 3)
414
76
      {
415
76
      usage = make_uint16(bits[1], bits[2] & mask);
416
76
      }
417
1.06k
418
1.06k
   m_constraints = Key_Constraints(usage);
419
1.06k
   }
420
421
/*
422
* Return a textual representation
423
*/
424
void Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
425
120
   {
426
120
   subject.add("X509v3.KeyUsage", m_constraints);
427
120
   }
428
429
/*
430
* Encode the extension
431
*/
432
std::vector<uint8_t> Subject_Key_ID::encode_inner() const
433
0
   {
434
0
   std::vector<uint8_t> output;
435
0
   DER_Encoder(output).encode(m_key_id, OCTET_STRING);
436
0
   return output;
437
0
   }
438
439
/*
440
* Decode the extension
441
*/
442
void Subject_Key_ID::decode_inner(const std::vector<uint8_t>& in)
443
1.89k
   {
444
1.89k
   BER_Decoder(in).decode(m_key_id, OCTET_STRING).verify_end();
445
1.89k
   }
446
447
/*
448
* Return a textual representation
449
*/
450
void Subject_Key_ID::contents_to(Data_Store& subject, Data_Store&) const
451
600
   {
452
600
   subject.add("X509v3.SubjectKeyIdentifier", m_key_id);
453
600
   }
454
455
/*
456
* Subject_Key_ID Constructor
457
*/
458
Subject_Key_ID::Subject_Key_ID(const std::vector<uint8_t>& pub_key, const std::string& hash_name)
459
0
   {
460
0
   std::unique_ptr<HashFunction> hash(HashFunction::create_or_throw(hash_name));
461
0
462
0
   m_key_id.resize(hash->output_length());
463
0
464
0
   hash->update(pub_key);
465
0
   hash->final(m_key_id.data());
466
0
467
0
   // Truncate longer hashes, 192 bits here seems plenty
468
0
   const size_t max_skid_len = (192 / 8);
469
0
   if(m_key_id.size() > max_skid_len)
470
0
      m_key_id.resize(max_skid_len);
471
0
   }
472
473
/*
474
* Encode the extension
475
*/
476
std::vector<uint8_t> Authority_Key_ID::encode_inner() const
477
0
   {
478
0
   std::vector<uint8_t> output;
479
0
   DER_Encoder(output)
480
0
      .start_cons(SEQUENCE)
481
0
         .encode(m_key_id, OCTET_STRING, ASN1_Tag(0), CONTEXT_SPECIFIC)
482
0
      .end_cons();
483
0
   return output;
484
0
   }
485
486
/*
487
* Decode the extension
488
*/
489
void Authority_Key_ID::decode_inner(const std::vector<uint8_t>& in)
490
1.80k
   {
491
1.80k
   BER_Decoder(in)
492
1.80k
      .start_cons(SEQUENCE)
493
1.80k
      .decode_optional_string(m_key_id, OCTET_STRING, 0);
494
1.80k
   }
495
496
/*
497
* Return a textual representation
498
*/
499
void Authority_Key_ID::contents_to(Data_Store&, Data_Store& issuer) const
500
653
   {
501
653
   if(m_key_id.size())
502
537
      issuer.add("X509v3.AuthorityKeyIdentifier", m_key_id);
503
653
   }
504
505
/*
506
* Encode the extension
507
*/
508
std::vector<uint8_t> Subject_Alternative_Name::encode_inner() const
509
0
   {
510
0
   std::vector<uint8_t> output;
511
0
   DER_Encoder(output).encode(m_alt_name);
512
0
   return output;
513
0
   }
514
515
/*
516
* Encode the extension
517
*/
518
std::vector<uint8_t> Issuer_Alternative_Name::encode_inner() const
519
0
   {
520
0
   std::vector<uint8_t> output;
521
0
   DER_Encoder(output).encode(m_alt_name);
522
0
   return output;
523
0
   }
524
525
/*
526
* Decode the extension
527
*/
528
void Subject_Alternative_Name::decode_inner(const std::vector<uint8_t>& in)
529
2.28k
   {
530
2.28k
   BER_Decoder(in).decode(m_alt_name);
531
2.28k
   }
532
533
/*
534
* Decode the extension
535
*/
536
void Issuer_Alternative_Name::decode_inner(const std::vector<uint8_t>& in)
537
1.41k
   {
538
1.41k
   BER_Decoder(in).decode(m_alt_name);
539
1.41k
   }
540
541
/*
542
* Return a textual representation
543
*/
544
void Subject_Alternative_Name::contents_to(Data_Store& subject_info,
545
                                           Data_Store&) const
546
300
   {
547
300
   subject_info.add(get_alt_name().contents());
548
300
   }
549
550
/*
551
* Return a textual representation
552
*/
553
void Issuer_Alternative_Name::contents_to(Data_Store&, Data_Store& issuer_info) const
554
181
   {
555
181
   issuer_info.add(get_alt_name().contents());
556
181
   }
557
558
/*
559
* Encode the extension
560
*/
561
std::vector<uint8_t> Extended_Key_Usage::encode_inner() const
562
0
   {
563
0
   std::vector<uint8_t> output;
564
0
   DER_Encoder(output)
565
0
      .start_cons(SEQUENCE)
566
0
         .encode_list(m_oids)
567
0
      .end_cons();
568
0
   return output;
569
0
   }
570
571
/*
572
* Decode the extension
573
*/
574
void Extended_Key_Usage::decode_inner(const std::vector<uint8_t>& in)
575
1.17k
   {
576
1.17k
   BER_Decoder(in).decode_list(m_oids);
577
1.17k
   }
578
579
/*
580
* Return a textual representation
581
*/
582
void Extended_Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
583
169
   {
584
603
   for(size_t i = 0; i != m_oids.size(); ++i)
585
434
      subject.add("X509v3.ExtendedKeyUsage", m_oids[i].to_string());
586
169
   }
587
588
/*
589
* Encode the extension
590
*/
591
std::vector<uint8_t> Name_Constraints::encode_inner() const
592
0
   {
593
0
   throw Not_Implemented("Name_Constraints encoding");
594
0
   }
595
596
597
/*
598
* Decode the extension
599
*/
600
void Name_Constraints::decode_inner(const std::vector<uint8_t>& in)
601
3.66k
   {
602
3.66k
   std::vector<GeneralSubtree> permit, exclude;
603
3.66k
   BER_Decoder ber(in);
604
3.66k
   BER_Decoder ext = ber.start_cons(SEQUENCE);
605
3.66k
   BER_Object per = ext.get_next_object();
606
3.66k
607
3.66k
   ext.push_back(per);
608
3.66k
   if(per.is_a(0, ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)))
609
803
      {
610
803
      ext.decode_list(permit,ASN1_Tag(0),ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC));
611
803
      if(permit.empty())
612
6
         throw Encoding_Error("Empty Name Contraint list");
613
3.66k
      }
614
3.66k
615
3.66k
   BER_Object exc = ext.get_next_object();
616
3.66k
   ext.push_back(exc);
617
3.66k
   if(per.is_a(1, ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)))
618
1.98k
      {
619
1.98k
      ext.decode_list(exclude,ASN1_Tag(1),ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC));
620
1.98k
      if(exclude.empty())
621
4
         throw Encoding_Error("Empty Name Contraint list");
622
3.65k
      }
623
3.65k
624
3.65k
   ext.end_cons();
625
3.65k
626
3.65k
   if(permit.empty() && exclude.empty())
627
32
      throw Encoding_Error("Empty Name Contraint extension");
628
3.62k
629
3.62k
   m_name_constraints = NameConstraints(std::move(permit),std::move(exclude));
630
3.62k
   }
631
632
/*
633
* Return a textual representation
634
*/
635
void Name_Constraints::contents_to(Data_Store& subject, Data_Store&) const
636
78
   {
637
78
   std::stringstream ss;
638
78
639
78
   for(const GeneralSubtree& gs: m_name_constraints.permitted())
640
91
      {
641
91
      ss << gs;
642
91
      subject.add("X509v3.NameConstraints.permitted", ss.str());
643
91
      ss.str(std::string());
644
91
      }
645
78
   for(const GeneralSubtree& gs: m_name_constraints.excluded())
646
156
      {
647
156
      ss << gs;
648
156
      subject.add("X509v3.NameConstraints.excluded", ss.str());
649
156
      ss.str(std::string());
650
156
      }
651
78
   }
652
653
void Name_Constraints::validate(const X509_Certificate& subject, const X509_Certificate& issuer,
654
      const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
655
      std::vector<std::set<Certificate_Status_Code>>& cert_status,
656
      size_t pos)
657
0
   {
658
0
   if(!m_name_constraints.permitted().empty() || !m_name_constraints.excluded().empty())
659
0
      {
660
0
      if(!subject.is_CA_cert() || !subject.is_critical("X509v3.NameConstraints"))
661
0
         cert_status.at(pos).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
662
0
663
0
      const bool issuer_name_constraint_critical =
664
0
         issuer.is_critical("X509v3.NameConstraints");
665
0
666
0
      const bool at_self_signed_root = (pos == cert_path.size() - 1);
667
0
668
0
      // Check that all subordinate certs pass the name constraint
669
0
      for(size_t j = 0; j <= pos; ++j)
670
0
         {
671
0
         if(pos == j && at_self_signed_root)
672
0
            continue;
673
0
674
0
         bool permitted = m_name_constraints.permitted().empty();
675
0
         bool failed = false;
676
0
677
0
         for(auto c: m_name_constraints.permitted())
678
0
            {
679
0
            switch(c.base().matches(*cert_path.at(j)))
680
0
               {
681
0
               case GeneralName::MatchResult::NotFound:
682
0
               case GeneralName::MatchResult::All:
683
0
                  permitted = true;
684
0
                  break;
685
0
               case GeneralName::MatchResult::UnknownType:
686
0
                  failed = issuer_name_constraint_critical;
687
0
                  permitted = true;
688
0
                  break;
689
0
               default:
690
0
                  break;
691
0
               }
692
0
            }
693
0
694
0
         for(auto c: m_name_constraints.excluded())
695
0
            {
696
0
            switch(c.base().matches(*cert_path.at(j)))
697
0
               {
698
0
               case GeneralName::MatchResult::All:
699
0
               case GeneralName::MatchResult::Some:
700
0
                  failed = true;
701
0
                  break;
702
0
               case GeneralName::MatchResult::UnknownType:
703
0
                  failed = issuer_name_constraint_critical;
704
0
                  break;
705
0
               default:
706
0
                  break;
707
0
               }
708
0
            }
709
0
710
0
         if(failed || !permitted)
711
0
            {
712
0
            cert_status.at(j).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
713
0
            }
714
0
         }
715
0
      }
716
0
   }
717
718
namespace {
719
720
/*
721
* A policy specifier
722
*/
723
class Policy_Information final : public ASN1_Object
724
   {
725
   public:
726
1.40k
      Policy_Information() = default;
727
0
      explicit Policy_Information(const OID& oid) : m_oid(oid) {}
728
729
875
      const OID& oid() const { return m_oid; }
730
731
      void encode_into(DER_Encoder& codec) const override
732
0
         {
733
0
         codec.start_cons(SEQUENCE)
734
0
            .encode(m_oid)
735
0
            .end_cons();
736
0
         }
737
738
      void decode_from(BER_Decoder& codec) override
739
1.40k
         {
740
1.40k
         codec.start_cons(SEQUENCE)
741
1.40k
            .decode(m_oid)
742
1.40k
            .discard_remaining()
743
1.40k
            .end_cons();
744
1.40k
         }
745
746
   private:
747
      OID m_oid;
748
   };
749
750
}
751
752
/*
753
* Encode the extension
754
*/
755
std::vector<uint8_t> Certificate_Policies::encode_inner() const
756
0
   {
757
0
   std::vector<Policy_Information> policies;
758
0
759
0
   for(size_t i = 0; i != m_oids.size(); ++i)
760
0
      policies.push_back(Policy_Information(m_oids[i]));
761
0
762
0
   std::vector<uint8_t> output;
763
0
   DER_Encoder(output)
764
0
      .start_cons(SEQUENCE)
765
0
         .encode_list(policies)
766
0
      .end_cons();
767
0
   return output;
768
0
   }
769
770
/*
771
* Decode the extension
772
*/
773
void Certificate_Policies::decode_inner(const std::vector<uint8_t>& in)
774
1.09k
   {
775
1.09k
   std::vector<Policy_Information> policies;
776
1.09k
777
1.09k
   BER_Decoder(in).decode_list(policies);
778
1.09k
   m_oids.clear();
779
1.97k
   for(size_t i = 0; i != policies.size(); ++i)
780
875
      m_oids.push_back(policies[i].oid());
781
1.09k
   }
782
783
/*
784
* Return a textual representation
785
*/
786
void Certificate_Policies::contents_to(Data_Store& info, Data_Store&) const
787
121
   {
788
299
   for(size_t i = 0; i != m_oids.size(); ++i)
789
178
      info.add("X509v3.CertificatePolicies", m_oids[i].to_string());
790
121
   }
791
792
void Certificate_Policies::validate(
793
   const X509_Certificate& /*subject*/,
794
   const X509_Certificate& /*issuer*/,
795
   const std::vector<std::shared_ptr<const X509_Certificate>>& /*cert_path*/,
796
   std::vector<std::set<Certificate_Status_Code>>& cert_status,
797
   size_t pos)
798
0
   {
799
0
   std::set<OID> oid_set(m_oids.begin(), m_oids.end());
800
0
   if(oid_set.size() != m_oids.size())
801
0
      {
802
0
      cert_status.at(pos).insert(Certificate_Status_Code::DUPLICATE_CERT_POLICY);
803
0
      }
804
0
   }
805
806
std::vector<uint8_t> Authority_Information_Access::encode_inner() const
807
0
   {
808
0
   ASN1_String url(m_ocsp_responder, IA5_STRING);
809
0
810
0
   std::vector<uint8_t> output;
811
0
   DER_Encoder(output)
812
0
      .start_cons(SEQUENCE)
813
0
      .start_cons(SEQUENCE)
814
0
      .encode(OID::from_string("PKIX.OCSP"))
815
0
      .add_object(ASN1_Tag(6), CONTEXT_SPECIFIC, url.value())
816
0
      .end_cons()
817
0
      .end_cons();
818
0
   return output;
819
0
   }
820
821
void Authority_Information_Access::decode_inner(const std::vector<uint8_t>& in)
822
675
   {
823
675
   BER_Decoder ber = BER_Decoder(in).start_cons(SEQUENCE);
824
675
825
1.44k
   while(ber.more_items())
826
768
      {
827
768
      OID oid;
828
768
829
768
      BER_Decoder info = ber.start_cons(SEQUENCE);
830
768
831
768
      info.decode(oid);
832
768
833
768
      if(oid == OID::from_string("PKIX.OCSP"))
834
140
         {
835
140
         BER_Object name = info.get_next_object();
836
140
837
140
         if(name.is_a(6, CONTEXT_SPECIFIC))
838
43
            {
839
43
            m_ocsp_responder = ASN1::to_string(name);
840
43
            }
841
140
842
140
         }
843
768
      if(oid == OID::from_string("PKIX.CertificateAuthorityIssuers"))
844
149
         {
845
149
         BER_Object name = info.get_next_object();
846
149
847
149
         if(name.is_a(6, CONTEXT_SPECIFIC))
848
84
            {
849
84
            m_ca_issuers.push_back(ASN1::to_string(name));
850
84
            }
851
149
         }
852
768
      }
853
675
   }
854
855
void Authority_Information_Access::contents_to(Data_Store& subject, Data_Store&) const
856
65
   {
857
65
   if(!m_ocsp_responder.empty())
858
9
      subject.add("OCSP.responder", m_ocsp_responder);
859
65
   for(const std::string& ca_issuer : m_ca_issuers)
860
52
      subject.add("PKIX.CertificateAuthorityIssuers", ca_issuer);
861
65
   }
862
863
/*
864
* Checked accessor for the crl_number member
865
*/
866
size_t CRL_Number::get_crl_number() const
867
1
   {
868
1
   if(!m_has_value)
869
0
      throw Invalid_State("CRL_Number::get_crl_number: Not set");
870
1
   return m_crl_number;
871
1
   }
872
873
/*
874
* Copy a CRL_Number extension
875
*/
876
CRL_Number* CRL_Number::copy() const
877
0
   {
878
0
   if(!m_has_value)
879
0
      throw Invalid_State("CRL_Number::copy: Not set");
880
0
   return new CRL_Number(m_crl_number);
881
0
   }
882
883
/*
884
* Encode the extension
885
*/
886
std::vector<uint8_t> CRL_Number::encode_inner() const
887
0
   {
888
0
   std::vector<uint8_t> output;
889
0
   DER_Encoder(output).encode(m_crl_number);
890
0
   return output;
891
0
   }
892
893
/*
894
* Decode the extension
895
*/
896
void CRL_Number::decode_inner(const std::vector<uint8_t>& in)
897
652
   {
898
652
   BER_Decoder(in).decode(m_crl_number);
899
652
   m_has_value = true;
900
652
   }
901
902
/*
903
* Return a textual representation
904
*/
905
void CRL_Number::contents_to(Data_Store& info, Data_Store&) const
906
20
   {
907
20
   info.add("X509v3.CRLNumber", static_cast<uint32_t>(m_crl_number));
908
20
   }
909
910
/*
911
* Encode the extension
912
*/
913
std::vector<uint8_t> CRL_ReasonCode::encode_inner() const
914
0
   {
915
0
   std::vector<uint8_t> output;
916
0
   DER_Encoder(output).encode(static_cast<size_t>(m_reason), ENUMERATED, UNIVERSAL);
917
0
   return output;
918
0
   }
919
920
/*
921
* Decode the extension
922
*/
923
void CRL_ReasonCode::decode_inner(const std::vector<uint8_t>& in)
924
2.69k
   {
925
2.69k
   size_t reason_code = 0;
926
2.69k
   BER_Decoder(in).decode(reason_code, ENUMERATED, UNIVERSAL);
927
2.69k
   m_reason = static_cast<CRL_Code>(reason_code);
928
2.69k
   }
929
930
/*
931
* Return a textual representation
932
*/
933
void CRL_ReasonCode::contents_to(Data_Store& info, Data_Store&) const
934
19
   {
935
19
   info.add("X509v3.CRLReasonCode", m_reason);
936
19
   }
937
938
std::vector<uint8_t> CRL_Distribution_Points::encode_inner() const
939
0
   {
940
0
   throw Not_Implemented("CRL_Distribution_Points encoding");
941
0
   }
942
943
void CRL_Distribution_Points::decode_inner(const std::vector<uint8_t>& buf)
944
1.65k
   {
945
1.65k
   BER_Decoder(buf)
946
1.65k
      .decode_list(m_distribution_points)
947
1.65k
      .verify_end();
948
1.65k
949
1.65k
   std::stringstream ss;
950
1.65k
951
2.20k
   for(size_t i = 0; i != m_distribution_points.size(); ++i)
952
545
      {
953
545
      auto contents = m_distribution_points[i].point().contents();
954
545
955
545
      for(const auto& pair : contents)
956
2.84k
         {
957
2.84k
         ss << pair.first << ": " << pair.second << " ";
958
2.84k
         }
959
545
      }
960
1.65k
961
1.65k
   m_crl_distribution_urls.push_back(ss.str());
962
1.65k
   }
963
964
void CRL_Distribution_Points::contents_to(Data_Store& subject, Data_Store&) const
965
73
   {
966
73
   for(const std::string& crl_url : m_crl_distribution_urls)
967
73
      subject.add("CRL.DistributionPoint", crl_url);
968
73
   }
969
970
void CRL_Distribution_Points::Distribution_Point::encode_into(class DER_Encoder&) const
971
0
   {
972
0
   throw Not_Implemented("CRL_Distribution_Points encoding");
973
0
   }
974
975
void CRL_Distribution_Points::Distribution_Point::decode_from(class BER_Decoder& ber)
976
1.79k
   {
977
1.79k
   ber.start_cons(SEQUENCE)
978
1.79k
      .start_cons(ASN1_Tag(0), CONTEXT_SPECIFIC)
979
1.79k
        .decode_optional_implicit(m_point, ASN1_Tag(0),
980
1.79k
                                  ASN1_Tag(CONTEXT_SPECIFIC | CONSTRUCTED),
981
1.79k
                                  SEQUENCE, CONSTRUCTED)
982
1.79k
      .end_cons().end_cons();
983
1.79k
   }
984
985
std::vector<uint8_t> CRL_Issuing_Distribution_Point::encode_inner() const
986
0
   {
987
0
   throw Not_Implemented("CRL_Issuing_Distribution_Point encoding");
988
0
   }
989
990
void CRL_Issuing_Distribution_Point::decode_inner(const std::vector<uint8_t>& buf)
991
462
   {
992
462
   BER_Decoder(buf).decode(m_distribution_point).verify_end();
993
462
   }
994
995
void CRL_Issuing_Distribution_Point::contents_to(Data_Store& info, Data_Store&) const
996
16
   {
997
16
   auto contents = m_distribution_point.point().contents();
998
16
   std::stringstream ss;
999
16
1000
16
   for(const auto& pair : contents)
1001
34
      {
1002
34
      ss << pair.first << ": " << pair.second << " ";
1003
34
      }
1004
16
1005
16
   info.add("X509v3.CRLIssuingDistributionPoint", ss.str());
1006
16
   }
1007
1008
std::vector<uint8_t> Unknown_Extension::encode_inner() const
1009
0
   {
1010
0
   return m_bytes;
1011
0
   }
1012
1013
void Unknown_Extension::decode_inner(const std::vector<uint8_t>& bytes)
1014
31.1k
   {
1015
31.1k
   // Just treat as an opaque blob at this level
1016
31.1k
   m_bytes = bytes;
1017
31.1k
   }
1018
1019
void Unknown_Extension::contents_to(Data_Store&, Data_Store&) const
1020
10.4k
   {
1021
10.4k
   // No information store
1022
10.4k
   }
1023
1024
}
1025
1026
}