/src/botan/build/include/public/botan/pkix_enums.h
1 | | /* |
2 | | * (C) 2013,2023 Jack Lloyd |
3 | | * |
4 | | * Botan is released under the Simplified BSD License (see license.txt) |
5 | | */ |
6 | | |
7 | | #ifndef BOTAN_X509_PKIX_ENUMS_H_ |
8 | | #define BOTAN_X509_PKIX_ENUMS_H_ |
9 | | |
10 | | #include <botan/types.h> |
11 | | #include <string> |
12 | | |
13 | | namespace Botan { |
14 | | |
15 | | class Public_Key; |
16 | | |
/**
 * Certificate validation status code
 *
 * Each code is a stable numeric value (the TODO below defers any renumbering
 * to a major release) and is mapped to a message by to_string() further down.
 * The values fall into bands: everything below FIRST_WARNING_STATUS (500) is a
 * success/informational outcome, 500-999 are warnings, 1000 and above are
 * errors. How validation code compares against the two FIRST_* sentinels is
 * not visible in this header — confirm in the path validation code before
 * relying on the band boundaries.
 */
enum class Certificate_Status_Code : uint16_t {
   // TODO(Botan4) renumber this, e.g. Validation Errors -> IP_ADDR_BLOCKS_ERROR
   // TODO(Botan4) rename variants to CamelCase

   // OK and VERIFIED are two names for the same value
   OK = 0,
   VERIFIED = 0,

   // Revocation status
   // Informational results of a revocation check; all lie below the warning band,
   // including OCSP_NO_HTTP (presumably "no OCSP fetch attempted" — verify in the caller)
   OCSP_RESPONSE_GOOD = 1,
   OCSP_SIGNATURE_OK = 2,
   VALID_CRL_CHECKED = 3,
   OCSP_NO_HTTP = 4,

   // Warnings
   // FIRST_WARNING_STATUS is a band sentinel and shares its value with the first warning
   FIRST_WARNING_STATUS = 500,
   CERT_SERIAL_NEGATIVE = 500,
   DN_TOO_LONG = 501,
   OCSP_NO_REVOCATION_URL = 502,
   OCSP_SERVER_NOT_AVAILABLE = 503,
   TRUSTED_CERT_HAS_EXPIRED = 504,
   TRUSTED_CERT_NOT_YET_VALID = 505,

   // Errors
   // FIRST_ERROR_STATUS is a band sentinel; everything from here on is a failure
   FIRST_ERROR_STATUS = 1000,

   // Algorithm / revocation-data policy failures
   SIGNATURE_METHOD_TOO_WEAK = 1000,
   UNTRUSTED_HASH = 1001,
   NO_REVOCATION_DATA = 1002,
   NO_MATCHING_CRLDP = 1003,
   OCSP_ISSUER_NOT_TRUSTED = 1004,

   // Time problems
   // Validity-window failures for the certificate, the OCSP response and the CRL
   CERT_NOT_YET_VALID = 2000,
   CERT_HAS_EXPIRED = 2001,
   OCSP_NOT_YET_VALID = 2002,
   OCSP_HAS_EXPIRED = 2003,
   CRL_NOT_YET_VALID = 2004,
   CRL_HAS_EXPIRED = 2005,
   OCSP_IS_TOO_OLD = 2006,

   // Chain generation problems
   CERT_ISSUER_NOT_FOUND = 3000,
   CANNOT_ESTABLISH_TRUST = 3001,
   CERT_CHAIN_LOOP = 3002,
   CHAIN_LACKS_TRUST_ROOT = 3003,
   CHAIN_NAME_MISMATCH = 3004,

   // Validation errors
   POLICY_ERROR = 4000,
   INVALID_USAGE = 4001,
   CERT_CHAIN_TOO_LONG = 4002,
   CA_CERT_NOT_FOR_CERT_ISSUER = 4003,
   NAME_CONSTRAINT_ERROR = 4004,
   // Out of sequence (4005-4010 are used by the groups below); presumably added
   // later, and what the renumber TODO at the top refers to
   IPADDR_BLOCKS_ERROR = 4011,
   AS_BLOCKS_ERROR = 4012,

   // Revocation errors
   CA_CERT_NOT_FOR_CRL_ISSUER = 4005,
   OCSP_CERT_NOT_LISTED = 4006,
   OCSP_BAD_STATUS = 4007,

   // Other problems
   CERT_NAME_NOMATCH = 4008,
   UNKNOWN_CRITICAL_EXTENSION = 4009,
   DUPLICATE_CERT_EXTENSION = 4010,
   OCSP_SIGNATURE_ERROR = 4501,
   OCSP_ISSUER_NOT_FOUND = 4502,
   OCSP_RESPONSE_MISSING_KEYUSAGE = 4503,
   OCSP_RESPONSE_INVALID = 4504,
   EXT_IN_V1_V2_CERT = 4505,
   DUPLICATE_CERT_POLICY = 4506,
   V2_IDENTIFIERS_IN_V1_CERT = 4507,

   // Hard failures
   // Revocation, signature and key problems that cannot be downgraded to a warning
   CERT_IS_REVOKED = 5000,
   CRL_BAD_SIGNATURE = 5001,
   SIGNATURE_ERROR = 5002,
   CERT_PUBKEY_INVALID = 5003,
   SIGNATURE_ALGO_UNKNOWN = 5004,
   SIGNATURE_ALGO_BAD_PARAMS = 5005
};
100 | | |
/**
 * Convert a status code to a human readable diagnostic message
 * @param code the certificate status
 * @return string literal constant, or nullptr if code unknown
 *
 * The result points at a string literal (static storage, never freed by the
 * caller). Because an unknown code yields nullptr, check the result before
 * building a std::string from it or passing it to C string functions.
 */
BOTAN_PUBLIC_API(2, 0) const char* to_string(Certificate_Status_Code code);
107 | | |
/**
 * X.509v3 Key Constraints.
 * If updating update copy in ffi.h
 *
 * A thin wrapper around a KeyUsage bit mask. The bit positions are fixed by
 * the Bits enum (DigitalSignature in the most significant bit of a 16-bit
 * value, down to DecipherOnly at bit 7) and are duplicated in ffi.h, so the
 * two tables must be kept in sync.
 */
class BOTAN_PUBLIC_API(3, 0) Key_Constraints final {
   public:
      enum Bits : uint16_t /* NOLINT(*-use-enum-class) */ {
         None = 0,
         DigitalSignature = 1 << 15,
         NonRepudiation = 1 << 14,
         KeyEncipherment = 1 << 13,
         DataEncipherment = 1 << 12,
         KeyAgreement = 1 << 11,
         KeyCertSign = 1 << 10,
         CrlSign = 1 << 9,
         EncipherOnly = 1 << 8,
         DecipherOnly = 1 << 7,

         // Deprecated SHOUTING_CASE names for Key_Constraints
         // will be removed in a future major release
         NO_CONSTRAINTS BOTAN_DEPRECATED("Use None") = None,
         DIGITAL_SIGNATURE BOTAN_DEPRECATED("Use DigitalSignature") = DigitalSignature,
         NON_REPUDIATION BOTAN_DEPRECATED("Use NonRepudiation") = NonRepudiation,
         KEY_ENCIPHERMENT BOTAN_DEPRECATED("Use KeyEncipherment") = KeyEncipherment,
         DATA_ENCIPHERMENT BOTAN_DEPRECATED("Use DataEncipherment") = DataEncipherment,
         KEY_AGREEMENT BOTAN_DEPRECATED("Use KeyAgreement") = KeyAgreement,
         KEY_CERT_SIGN BOTAN_DEPRECATED("Use KeyCertSign") = KeyCertSign,
         CRL_SIGN BOTAN_DEPRECATED("Use CrlSign") = CrlSign,
         ENCIPHER_ONLY BOTAN_DEPRECATED("Use EncipherOnly") = EncipherOnly,
         DECIPHER_ONLY BOTAN_DEPRECATED("Use DecipherOnly") = DecipherOnly,
      };

      Key_Constraints(const Key_Constraints& other) = default;
      Key_Constraints(Key_Constraints&& other) = default;
      Key_Constraints& operator=(const Key_Constraints& other) = default;
      Key_Constraints& operator=(Key_Constraints&& other) = default;
      ~Key_Constraints() = default;

      /**
       * Empty constraint set: no KeyUsage bit is set, so empty() is true.
       */
      Key_Constraints() : m_value(None) {}

      /**
       * Wrap a single Bits value.
       * Implicit on purpose, so a Bits enumerator can be passed wherever a
       * Key_Constraints is expected.
       */
      // NOLINTNEXTLINE(*-explicit-conversions)
      Key_Constraints(Key_Constraints::Bits bits) : m_value(bits) {}

      /**
       * Wrap a raw bit mask.
       * The value is stored as given, without masking, so bits outside the
       * Bits enum are retained and show up in value().
       */
      explicit Key_Constraints(uint32_t bits) : m_value(bits) {}

      /**
       * Return typical constraints for a CA certificate.
       *
       * The reasons for KeyCertSign and CrlSign should be obvious
       *
       * CAB baseline requirements are that DigitalSignature should be set
       * if the certificate is used to sign OCSP responses.
       */
      static Key_Constraints ca_constraints() {
         Key_Constraints ca(KeyCertSign);
         ca |= CrlSign;
         ca |= DigitalSignature;
         return ca;
      }

      bool operator==(const Key_Constraints&) const = default;

      /**
       * Add every bit of other to this constraint set.
       */
      void operator|=(Key_Constraints::Bits other) { m_value = m_value | other; }

      /**
       * Return true if all bits in mask are set.
       * Trivially true when other is None.
       */
      bool includes(Key_Constraints::Bits other) const { return includes(Key_Constraints(other)); }

      /**
       * Return true if every bit set in other is also set here.
       * Trivially true when other is empty.
       */
      bool includes(Key_Constraints other) const {
         const uint32_t wanted = other.m_value;
         return (m_value & wanted) == wanted;
      }

      /**
       * Return true if any of the bits provided are set.
       * At least one argument is required; an empty fold over | is ill-formed.
       */
      template <typename... Ts>
      bool includes_any(Ts&&... bits) const {
         const auto mask = (bits | ...);
         return (m_value & mask) != 0;
      }

      /**
       * Return true when no bit at all is set.
       */
      bool empty() const { return m_value == 0u; }

      /**
       * Return the raw bit mask, including any bits outside the Bits enum.
       */
      uint32_t value() const { return m_value; }

      std::string to_string() const;

      /**
       * Check that key constraints are permitted for a specific public key.
       * @param key the public key on which the constraints shall be enforced on
       * @return false if the constraints are not permitted for this key
       */
      bool compatible_with(const Public_Key& key) const;

   private:
      uint32_t m_value;
};
194 | | |
/**
 * X.509v2 CRL Reason Code.
 *
 * Values follow the CRLReason enumeration of RFC 5280 section 5.3.1; value 7
 * is deliberately absent because the RFC leaves it unused. The underlying
 * type is uint8_t, and values other than the ones listed here carry no
 * meaning in this enum.
 */
enum class CRL_Code : uint8_t {
   Unspecified = 0,
   // Subject private key believed compromised
   KeyCompromise = 1,
   // Issuing CA private key believed compromised
   CaCompromise = 2,
   AffiliationChanged = 3,
   Superseded = 4,
   CessationOfOperation = 5,
   // Temporary suspension rather than permanent revocation
   CertificateHold = 6,
   // value 7 is unused in RFC 5280
   // Lifts a previous CertificateHold (only meaningful in delta CRLs per RFC 5280)
   RemoveFromCrl = 8,
   PrivilegeWithdrawn = 9,
   // Attribute authority (not CA) key believed compromised
   AaCompromise = 10,
};
210 | | |
211 | | } // namespace Botan |
212 | | |
213 | | #endif |