Botan  1.11.15
src/lib/cert/x509/x509_crl.cpp
Go to the documentation of this file.
00001 /*
00002 * X.509 CRL
00003 * (C) 1999-2007 Jack Lloyd
00004 *
00005 * Botan is released under the Simplified BSD License (see license.txt)
00006 */
00007 
00008 #include <botan/x509_crl.h>
00009 #include <botan/x509_ext.h>
00010 #include <botan/x509cert.h>
00011 #include <botan/ber_dec.h>
00012 #include <botan/parsing.h>
00013 #include <botan/bigint.h>
00014 #include <botan/oids.h>
00015 
00016 namespace Botan {
00017 
00018 /*
00019 * Load a X.509 CRL
00020 */
00021 X509_CRL::X509_CRL(DataSource& in, bool touc) :
00022    X509_Object(in, "X509 CRL/CRL"), throw_on_unknown_critical(touc)
00023    {
00024    do_decode();
00025    }
00026 
00027 /*
00028 * Load a X.509 CRL
00029 */
00030 X509_CRL::X509_CRL(const std::string& in, bool touc) :
00031    X509_Object(in, "CRL/X509 CRL"), throw_on_unknown_critical(touc)
00032    {
00033    do_decode();
00034    }
00035 
00036 X509_CRL::X509_CRL(const std::vector<byte>& in, bool touc) :
00037    X509_Object(in, "CRL/X509 CRL"), throw_on_unknown_critical(touc)
00038    {
00039    do_decode();
00040    }
00041 
00042 /**
00043 * Check if this particular certificate is listed in the CRL
00044 */
00045 bool X509_CRL::is_revoked(const X509_Certificate& cert) const
00046    {
00047    /*
00048    If the cert wasn't issued by the CRL issuer, it's possible the cert
00049    is revoked, but not by this CRL. Maybe throw an exception instead?
00050    */
00051    if(cert.issuer_dn() != issuer_dn())
00052       return false;
00053 
00054    std::vector<byte> crl_akid = authority_key_id();
00055    std::vector<byte> cert_akid = cert.authority_key_id();
00056 
00057    if(!crl_akid.empty() && !cert_akid.empty())
00058       if(crl_akid != cert_akid)
00059          return false;
00060 
00061    std::vector<byte> cert_serial = cert.serial_number();
00062 
00063    bool is_revoked = false;
00064 
00065    for(size_t i = 0; i != revoked.size(); ++i)
00066       {
00067       if(cert_serial == revoked[i].serial_number())
00068          {
00069          if(revoked[i].reason_code() == REMOVE_FROM_CRL)
00070             is_revoked = false;
00071          else
00072             is_revoked = true;
00073          }
00074       }
00075 
00076    return is_revoked;
00077    }
00078 
00079 /*
00080 * Decode the TBSCertList data
00081 */
00082 void X509_CRL::force_decode()
00083    {
00084    BER_Decoder tbs_crl(tbs_bits);
00085 
00086    size_t version;
00087    tbs_crl.decode_optional(version, INTEGER, UNIVERSAL);
00088 
00089    if(version != 0 && version != 1)
00090       throw X509_CRL_Error("Unknown X.509 CRL version " +
00091                            std::to_string(version+1));
00092 
00093    AlgorithmIdentifier sig_algo_inner;
00094    tbs_crl.decode(sig_algo_inner);
00095 
00096    if(sig_algo != sig_algo_inner)
00097       throw X509_CRL_Error("Algorithm identifier mismatch");
00098 
00099    X509_DN dn_issuer;
00100    tbs_crl.decode(dn_issuer);
00101    info.add(dn_issuer.contents());
00102 
00103    X509_Time start, end;
00104    tbs_crl.decode(start).decode(end);
00105    info.add("X509.CRL.start", start.readable_string());
00106    info.add("X509.CRL.end", end.readable_string());
00107 
00108    BER_Object next = tbs_crl.get_next_object();
00109 
00110    if(next.type_tag == SEQUENCE && next.class_tag == CONSTRUCTED)
00111       {
00112       BER_Decoder cert_list(next.value);
00113 
00114       while(cert_list.more_items())
00115          {
00116          CRL_Entry entry(throw_on_unknown_critical);
00117          cert_list.decode(entry);
00118          revoked.push_back(entry);
00119          }
00120       next = tbs_crl.get_next_object();
00121       }
00122 
00123    if(next.type_tag == 0 &&
00124       next.class_tag == ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC))
00125       {
00126       BER_Decoder crl_options(next.value);
00127 
00128       Extensions extensions(throw_on_unknown_critical);
00129 
00130       crl_options.decode(extensions).verify_end();
00131 
00132       extensions.contents_to(info, info);
00133 
00134       next = tbs_crl.get_next_object();
00135       }
00136 
00137    if(next.type_tag != NO_OBJECT)
00138       throw X509_CRL_Error("Unknown tag in CRL");
00139 
00140    tbs_crl.verify_end();
00141    }
00142 
00143 /*
00144 * Return the list of revoked certificates
00145 */
00146 std::vector<CRL_Entry> X509_CRL::get_revoked() const
00147    {
00148    return revoked;
00149    }
00150 
00151 /*
00152 * Return the distinguished name of the issuer
00153 */
00154 X509_DN X509_CRL::issuer_dn() const
00155    {
00156    return create_dn(info);
00157    }
00158 
00159 /*
00160 * Return the key identifier of the issuer
00161 */
00162 std::vector<byte> X509_CRL::authority_key_id() const
00163    {
00164    return info.get1_memvec("X509v3.AuthorityKeyIdentifier");
00165    }
00166 
00167 /*
00168 * Return the CRL number of this CRL
00169 */
00170 u32bit X509_CRL::crl_number() const
00171    {
00172    return info.get1_u32bit("X509v3.CRLNumber");
00173    }
00174 
00175 /*
00176 * Return the issue data of the CRL
00177 */
00178 X509_Time X509_CRL::this_update() const
00179    {
00180    return info.get1("X509.CRL.start");
00181    }
00182 
00183 /*
00184 * Return the date when a new CRL will be issued
00185 */
00186 X509_Time X509_CRL::next_update() const
00187    {
00188    return info.get1("X509.CRL.end");
00189    }
00190 
00191 }