/src/botan/build/include/botan/name_constraint.h
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * X.509 Name Constraint |
3 | | * (C) 2015 Kai Michaelis |
4 | | * |
5 | | * Botan is released under the Simplified BSD License (see license.txt) |
6 | | */ |
7 | | |
8 | | #ifndef BOTAN_NAME_CONSTRAINT_H_ |
9 | | #define BOTAN_NAME_CONSTRAINT_H_ |
10 | | |
11 | | #include <botan/asn1_obj.h> |
12 | | #include <ostream> |
13 | | #include <limits> |
14 | | |
15 | | namespace Botan { |
16 | | |
17 | | class BER_Encoder; |
18 | | class DER_Encoder; |
19 | | class X509_Certificate; |
20 | | |
21 | | /** |
22 | | * @brief X.509 GeneralName Type |
23 | | * |
24 | | * Handles parsing GeneralName types in their BER and canonical string |
25 | | * encoding. Allows matching GeneralNames against each other using |
26 | | * the rules laid out in the RFC 5280, sec. 4.2.1.10 (Name Contraints). |
27 | | */ |
28 | | class BOTAN_PUBLIC_API(2,0) GeneralName final : public ASN1_Object |
29 | | { |
30 | | public: |
31 | | enum MatchResult : int |
32 | | { |
33 | | All, |
34 | | Some, |
35 | | None, |
36 | | NotFound, |
37 | | UnknownType, |
38 | | }; |
39 | | |
40 | | /** |
41 | | * Creates an empty GeneralName. |
42 | | */ |
43 | 4.44k | GeneralName() = default; |
44 | | |
45 | | /** |
46 | | * Creates a new GeneralName for its string format. |
47 | | * @param str type and name, colon-separated, e.g., "DNS:google.com" |
48 | | */ |
49 | | GeneralName(const std::string& str); |
50 | | |
51 | | void encode_into(DER_Encoder&) const override; |
52 | | |
53 | | void decode_from(BER_Decoder&) override; |
54 | | |
55 | | /** |
56 | | * @return Type of the name. Can be DN, DNS, IP, RFC822 or URI. |
57 | | */ |
58 | 226 | const std::string& type() const { return m_type; } |
59 | | |
60 | | /** |
61 | | * @return The name as string. Format depends on type. |
62 | | */ |
63 | 226 | const std::string& name() const { return m_name; } |
64 | | |
65 | | /** |
66 | | * Checks whether a given certificate (partially) matches this name. |
67 | | * @param cert certificate to be matched |
68 | | * @return the match result |
69 | | */ |
70 | | MatchResult matches(const X509_Certificate& cert) const; |
71 | | |
72 | | private: |
73 | | std::string m_type; |
74 | | std::string m_name; |
75 | | |
76 | | bool matches_dns(const std::string&) const; |
77 | | bool matches_dn(const std::string&) const; |
78 | | bool matches_ip(const std::string&) const; |
79 | | }; |
80 | | |
81 | | std::ostream& operator<<(std::ostream& os, const GeneralName& gn); |
82 | | |
83 | | /** |
84 | | * @brief A single Name Constraint |
85 | | * |
86 | | * The Name Constraint extension adds a minimum and maximum path |
87 | | * length to a GeneralName to form a constraint. The length limits |
88 | | * are currently unused. |
89 | | */ |
90 | | class BOTAN_PUBLIC_API(2,0) GeneralSubtree final : public ASN1_Object |
91 | | { |
92 | | public: |
93 | | /** |
94 | | * Creates an empty name constraint. |
95 | | */ |
96 | | GeneralSubtree() : m_base(), m_minimum(0), m_maximum(std::numeric_limits<std::size_t>::max()) |
97 | 4.44k | {} |
98 | | |
99 | | /*** |
100 | | * Creates a new name constraint. |
101 | | * @param base name |
102 | | * @param min minimum path length |
103 | | * @param max maximum path length |
104 | | */ |
105 | | GeneralSubtree(const GeneralName& base, size_t min, size_t max) |
106 | | : m_base(base), m_minimum(min), m_maximum(max) |
107 | 0 | {} |
108 | | |
109 | | /** |
110 | | * Creates a new name constraint for its string format. |
111 | | * @param str name constraint |
112 | | */ |
113 | | GeneralSubtree(const std::string& str); |
114 | | |
115 | | void encode_into(DER_Encoder&) const override; |
116 | | |
117 | | void decode_from(BER_Decoder&) override; |
118 | | |
119 | | /** |
120 | | * @return name |
121 | | */ |
122 | 226 | const GeneralName& base() const { return m_base; } |
123 | | |
124 | | /** |
125 | | * @return minimum path length |
126 | | */ |
127 | 226 | size_t minimum() const { return m_minimum; } |
128 | | |
129 | | /** |
130 | | * @return maximum path length |
131 | | */ |
132 | 226 | size_t maximum() const { return m_maximum; } |
133 | | |
134 | | private: |
135 | | GeneralName m_base; |
136 | | size_t m_minimum; |
137 | | size_t m_maximum; |
138 | | }; |
139 | | |
140 | | std::ostream& operator<<(std::ostream& os, const GeneralSubtree& gs); |
141 | | |
142 | | /** |
143 | | * @brief Name Constraints |
144 | | * |
145 | | * Wraps the Name Constraints associated with a certificate. |
146 | | */ |
147 | | class BOTAN_PUBLIC_API(2,0) NameConstraints final |
148 | | { |
149 | | public: |
150 | | /** |
151 | | * Creates an empty name NameConstraints. |
152 | | */ |
153 | 15.4k | NameConstraints() : m_permitted_subtrees(), m_excluded_subtrees() {} |
154 | | |
155 | | /** |
156 | | * Creates NameConstraints from a list of permitted and excluded subtrees. |
157 | | * @param permitted_subtrees names for which the certificate is permitted |
158 | | * @param excluded_subtrees names for which the certificate is not permitted |
159 | | */ |
160 | | NameConstraints(std::vector<GeneralSubtree>&& permitted_subtrees, |
161 | | std::vector<GeneralSubtree>&& excluded_subtrees) |
162 | | : m_permitted_subtrees(permitted_subtrees), m_excluded_subtrees(excluded_subtrees) |
163 | 749 | {} |
164 | | |
165 | | /** |
166 | | * @return permitted names |
167 | | */ |
168 | 65 | const std::vector<GeneralSubtree>& permitted() const { return m_permitted_subtrees; } |
169 | | |
170 | | /** |
171 | | * @return excluded names |
172 | | */ |
173 | 65 | const std::vector<GeneralSubtree>& excluded() const { return m_excluded_subtrees; } |
174 | | |
175 | | private: |
176 | | std::vector<GeneralSubtree> m_permitted_subtrees; |
177 | | std::vector<GeneralSubtree> m_excluded_subtrees; |
178 | | }; |
179 | | |
180 | | } |
181 | | |
182 | | #endif |