Botan
1.11.15
|
00001 /* 00002 * X.509 Certificate Extensions 00003 * (C) 1999-2010,2012 Jack Lloyd 00004 * 00005 * Botan is released under the Simplified BSD License (see license.txt) 00006 */ 00007 00008 #include <botan/x509_ext.h> 00009 #include <botan/sha160.h> 00010 #include <botan/der_enc.h> 00011 #include <botan/ber_dec.h> 00012 #include <botan/oids.h> 00013 #include <botan/charset.h> 00014 #include <botan/internal/bit_ops.h> 00015 #include <algorithm> 00016 00017 namespace Botan { 00018 00019 /* 00020 * List of X.509 Certificate Extensions 00021 */ 00022 Certificate_Extension* Extensions::get_extension(const OID& oid) 00023 { 00024 #define X509_EXTENSION(NAME, TYPE) \ 00025 if(OIDS::name_of(oid, NAME)) \ 00026 return new Cert_Extension::TYPE(); 00027 00028 X509_EXTENSION("X509v3.KeyUsage", Key_Usage); 00029 X509_EXTENSION("X509v3.BasicConstraints", Basic_Constraints); 00030 X509_EXTENSION("X509v3.SubjectKeyIdentifier", Subject_Key_ID); 00031 X509_EXTENSION("X509v3.AuthorityKeyIdentifier", Authority_Key_ID); 00032 X509_EXTENSION("X509v3.ExtendedKeyUsage", Extended_Key_Usage); 00033 X509_EXTENSION("X509v3.IssuerAlternativeName", Issuer_Alternative_Name); 00034 X509_EXTENSION("X509v3.SubjectAlternativeName", Subject_Alternative_Name); 00035 X509_EXTENSION("X509v3.CertificatePolicies", Certificate_Policies); 00036 X509_EXTENSION("X509v3.CRLDistributionPoints", CRL_Distribution_Points); 00037 X509_EXTENSION("PKIX.AuthorityInformationAccess", Authority_Information_Access); 00038 X509_EXTENSION("X509v3.CRLNumber", CRL_Number); 00039 X509_EXTENSION("X509v3.ReasonCode", CRL_ReasonCode); 00040 00041 return nullptr; 00042 } 00043 00044 /* 00045 * Extensions Copy Constructor 00046 */ 00047 Extensions::Extensions(const Extensions& extensions) : ASN1_Object() 00048 { 00049 *this = extensions; 00050 } 00051 00052 /* 00053 * Extensions Assignment Operator 00054 */ 00055 Extensions& Extensions::operator=(const Extensions& other) 00056 { 00057 for(size_t i = 0; i != extensions.size(); ++i) 00058 delete extensions[i].first; 00059 extensions.clear(); 00060 00061 for(size_t i = 0; i != other.extensions.size(); ++i) 00062 extensions.push_back( 00063 std::make_pair(other.extensions[i].first->copy(), 00064 other.extensions[i].second)); 00065 00066 m_throw_on_unknown_critical = other.m_throw_on_unknown_critical; 00067 00068 return (*this); 00069 } 00070 00071 /* 00072 * Return the OID of this extension 00073 */ 00074 OID Certificate_Extension::oid_of() const 00075 { 00076 return OIDS::lookup(oid_name()); 00077 } 00078 00079 void Extensions::add(Certificate_Extension* extn, bool critical) 00080 { 00081 extensions.push_back(std::make_pair(extn, critical)); 00082 } 00083 00084 /* 00085 * Encode an Extensions list 00086 */ 00087 void Extensions::encode_into(DER_Encoder& to_object) const 00088 { 00089 for(size_t i = 0; i != extensions.size(); ++i) 00090 { 00091 const Certificate_Extension* ext = extensions[i].first; 00092 const bool is_critical = extensions[i].second; 00093 00094 const bool should_encode = ext->should_encode(); 00095 00096 if(should_encode) 00097 { 00098 to_object.start_cons(SEQUENCE) 00099 .encode(ext->oid_of()) 00100 .encode_optional(is_critical, false) 00101 .encode(ext->encode_inner(), OCTET_STRING) 00102 .end_cons(); 00103 } 00104 } 00105 } 00106 00107 /* 00108 * Decode a list of Extensions 00109 */ 00110 void Extensions::decode_from(BER_Decoder& from_source) 00111 { 00112 for(size_t i = 0; i != extensions.size(); ++i) 00113 delete extensions[i].first; 00114 extensions.clear(); 00115 00116 BER_Decoder sequence = from_source.start_cons(SEQUENCE); 00117 00118 while(sequence.more_items()) 00119 { 00120 OID oid; 00121 std::vector<byte> value; 00122 bool critical; 00123 00124 sequence.start_cons(SEQUENCE) 00125 .decode(oid) 00126 .decode_optional(critical, BOOLEAN, UNIVERSAL, false) 00127 .decode(value, OCTET_STRING) 00128 .verify_end() 00129 .end_cons(); 00130 00131 Certificate_Extension* ext = get_extension(oid); 00132 00133 if(!ext && critical && m_throw_on_unknown_critical) 00134 throw Decoding_Error("Encountered unknown X.509 extension marked " 00135 "as critical; OID = " + oid.as_string()); 00136 00137 if(ext) 00138 { 00139 try 00140 { 00141 ext->decode_inner(value); 00142 } 00143 catch(std::exception& e) 00144 { 00145 throw Decoding_Error("Exception while decoding extension " + 00146 oid.as_string() + ": " + e.what()); 00147 } 00148 00149 extensions.push_back(std::make_pair(ext, critical)); 00150 } 00151 } 00152 00153 sequence.verify_end(); 00154 } 00155 00156 /* 00157 * Write the extensions to an info store 00158 */ 00159 void Extensions::contents_to(Data_Store& subject_info, 00160 Data_Store& issuer_info) const 00161 { 00162 for(size_t i = 0; i != extensions.size(); ++i) 00163 extensions[i].first->contents_to(subject_info, issuer_info); 00164 } 00165 00166 /* 00167 * Delete an Extensions list 00168 */ 00169 Extensions::~Extensions() 00170 { 00171 for(size_t i = 0; i != extensions.size(); ++i) 00172 delete extensions[i].first; 00173 } 00174 00175 namespace Cert_Extension { 00176 00177 /* 00178 * Checked accessor for the path_limit member 00179 */ 00180 size_t Basic_Constraints::get_path_limit() const 00181 { 00182 if(!is_ca) 00183 throw Invalid_State("Basic_Constraints::get_path_limit: Not a CA"); 00184 return path_limit; 00185 } 00186 00187 /* 00188 * Encode the extension 00189 */ 00190 std::vector<byte> Basic_Constraints::encode_inner() const 00191 { 00192 return DER_Encoder() 00193 .start_cons(SEQUENCE) 00194 .encode_if(is_ca, 00195 DER_Encoder() 00196 .encode(is_ca) 00197 .encode_optional(path_limit, NO_CERT_PATH_LIMIT) 00198 ) 00199 .end_cons() 00200 .get_contents_unlocked(); 00201 } 00202 00203 /* 00204 * Decode the extension 00205 */ 00206 void Basic_Constraints::decode_inner(const std::vector<byte>& in) 00207 { 00208 BER_Decoder(in) 00209 .start_cons(SEQUENCE) 00210 .decode_optional(is_ca, BOOLEAN, UNIVERSAL, false) 00211 .decode_optional(path_limit, INTEGER, UNIVERSAL, NO_CERT_PATH_LIMIT) 00212 .verify_end() 00213 .end_cons(); 00214 00215 if(is_ca == false) 00216 path_limit = 0; 00217 } 00218 00219 /* 00220 * Return a textual representation 00221 */ 00222 void Basic_Constraints::contents_to(Data_Store& subject, Data_Store&) const 00223 { 00224 subject.add("X509v3.BasicConstraints.is_ca", (is_ca ? 1 : 0)); 00225 subject.add("X509v3.BasicConstraints.path_constraint", path_limit); 00226 } 00227 00228 /* 00229 * Encode the extension 00230 */ 00231 std::vector<byte> Key_Usage::encode_inner() const 00232 { 00233 if(constraints == NO_CONSTRAINTS) 00234 throw Encoding_Error("Cannot encode zero usage constraints"); 00235 00236 const size_t unused_bits = low_bit(constraints) - 1; 00237 00238 std::vector<byte> der; 00239 der.push_back(BIT_STRING); 00240 der.push_back(2 + ((unused_bits < 8) ? 1 : 0)); 00241 der.push_back(unused_bits % 8); 00242 der.push_back((constraints >> 8) & 0xFF); 00243 if(constraints & 0xFF) 00244 der.push_back(constraints & 0xFF); 00245 00246 return der; 00247 } 00248 00249 /* 00250 * Decode the extension 00251 */ 00252 void Key_Usage::decode_inner(const std::vector<byte>& in) 00253 { 00254 BER_Decoder ber(in); 00255 00256 BER_Object obj = ber.get_next_object(); 00257 00258 if(obj.type_tag != BIT_STRING || obj.class_tag != UNIVERSAL) 00259 throw BER_Bad_Tag("Bad tag for usage constraint", 00260 obj.type_tag, obj.class_tag); 00261 00262 if(obj.value.size() != 2 && obj.value.size() != 3) 00263 throw BER_Decoding_Error("Bad size for BITSTRING in usage constraint"); 00264 00265 if(obj.value[0] >= 8) 00266 throw BER_Decoding_Error("Invalid unused bits in usage constraint"); 00267 00268 obj.value[obj.value.size()-1] &= (0xFF << obj.value[0]); 00269 00270 u16bit usage = 0; 00271 for(size_t i = 1; i != obj.value.size(); ++i) 00272 usage = (obj.value[i] << 8) | usage; 00273 00274 constraints = Key_Constraints(usage); 00275 } 00276 00277 /* 00278 * Return a textual representation 00279 */ 00280 void Key_Usage::contents_to(Data_Store& subject, Data_Store&) const 00281 { 00282 subject.add("X509v3.KeyUsage", constraints); 00283 } 00284 00285 /* 00286 * Encode the extension 00287 */ 00288 std::vector<byte> Subject_Key_ID::encode_inner() const 00289 { 00290 return DER_Encoder().encode(key_id, OCTET_STRING).get_contents_unlocked(); 00291 } 00292 00293 /* 00294 * Decode the extension 00295 */ 00296 void Subject_Key_ID::decode_inner(const std::vector<byte>& in) 00297 { 00298 BER_Decoder(in).decode(key_id, OCTET_STRING).verify_end(); 00299 } 00300 00301 /* 00302 * Return a textual representation 00303 */ 00304 void Subject_Key_ID::contents_to(Data_Store& subject, Data_Store&) const 00305 { 00306 subject.add("X509v3.SubjectKeyIdentifier", key_id); 00307 } 00308 00309 /* 00310 * Subject_Key_ID Constructor 00311 */ 00312 Subject_Key_ID::Subject_Key_ID(const std::vector<byte>& pub_key) 00313 { 00314 SHA_160 hash; 00315 key_id = unlock(hash.process(pub_key)); 00316 } 00317 00318 /* 00319 * Encode the extension 00320 */ 00321 std::vector<byte> Authority_Key_ID::encode_inner() const 00322 { 00323 return DER_Encoder() 00324 .start_cons(SEQUENCE) 00325 .encode(key_id, OCTET_STRING, ASN1_Tag(0), CONTEXT_SPECIFIC) 00326 .end_cons() 00327 .get_contents_unlocked(); 00328 } 00329 00330 /* 00331 * Decode the extension 00332 */ 00333 void Authority_Key_ID::decode_inner(const std::vector<byte>& in) 00334 { 00335 BER_Decoder(in) 00336 .start_cons(SEQUENCE) 00337 .decode_optional_string(key_id, OCTET_STRING, 0); 00338 } 00339 00340 /* 00341 * Return a textual representation 00342 */ 00343 void Authority_Key_ID::contents_to(Data_Store&, Data_Store& issuer) const 00344 { 00345 if(key_id.size()) 00346 issuer.add("X509v3.AuthorityKeyIdentifier", key_id); 00347 } 00348 00349 /* 00350 * Encode the extension 00351 */ 00352 std::vector<byte> Alternative_Name::encode_inner() const 00353 { 00354 return DER_Encoder().encode(alt_name).get_contents_unlocked(); 00355 } 00356 00357 /* 00358 * Decode the extension 00359 */ 00360 void Alternative_Name::decode_inner(const std::vector<byte>& in) 00361 { 00362 BER_Decoder(in).decode(alt_name); 00363 } 00364 00365 /* 00366 * Return a textual representation 00367 */ 00368 void Alternative_Name::contents_to(Data_Store& subject_info, 00369 Data_Store& issuer_info) const 00370 { 00371 std::multimap<std::string, std::string> contents = 00372 get_alt_name().contents(); 00373 00374 if(oid_name_str == "X509v3.SubjectAlternativeName") 00375 subject_info.add(contents); 00376 else if(oid_name_str == "X509v3.IssuerAlternativeName") 00377 issuer_info.add(contents); 00378 else 00379 throw Internal_Error("In Alternative_Name, unknown type " + 00380 oid_name_str); 00381 } 00382 00383 /* 00384 * Alternative_Name Constructor 00385 */ 00386 Alternative_Name::Alternative_Name(const AlternativeName& alt_name, 00387 const std::string& oid_name_str) 00388 { 00389 this->alt_name = alt_name; 00390 this->oid_name_str = oid_name_str; 00391 } 00392 00393 /* 00394 * Subject_Alternative_Name Constructor 00395 */ 00396 Subject_Alternative_Name::Subject_Alternative_Name( 00397 const AlternativeName& name) : 00398 Alternative_Name(name, "X509v3.SubjectAlternativeName") 00399 { 00400 } 00401 00402 /* 00403 * Issuer_Alternative_Name Constructor 00404 */ 00405 Issuer_Alternative_Name::Issuer_Alternative_Name(const AlternativeName& name) : 00406 Alternative_Name(name, "X509v3.IssuerAlternativeName") 00407 { 00408 } 00409 00410 /* 00411 * Encode the extension 00412 */ 00413 std::vector<byte> Extended_Key_Usage::encode_inner() const 00414 { 00415 return DER_Encoder() 00416 .start_cons(SEQUENCE) 00417 .encode_list(oids) 00418 .end_cons() 00419 .get_contents_unlocked(); 00420 } 00421 00422 /* 00423 * Decode the extension 00424 */ 00425 void Extended_Key_Usage::decode_inner(const std::vector<byte>& in) 00426 { 00427 BER_Decoder(in).decode_list(oids); 00428 } 00429 00430 /* 00431 * Return a textual representation 00432 */ 00433 void Extended_Key_Usage::contents_to(Data_Store& subject, Data_Store&) const 00434 { 00435 for(size_t i = 0; i != oids.size(); ++i) 00436 subject.add("X509v3.ExtendedKeyUsage", oids[i].as_string()); 00437 } 00438 00439 namespace { 00440 00441 /* 00442 * A policy specifier 00443 */ 00444 class Policy_Information : public ASN1_Object 00445 { 00446 public: 00447 OID oid; 00448 00449 Policy_Information() {} 00450 Policy_Information(const OID& oid) : oid(oid) {} 00451 00452 void encode_into(DER_Encoder& codec) const 00453 { 00454 codec.start_cons(SEQUENCE) 00455 .encode(oid) 00456 .end_cons(); 00457 } 00458 00459 void decode_from(BER_Decoder& codec) 00460 { 00461 codec.start_cons(SEQUENCE) 00462 .decode(oid) 00463 .discard_remaining() 00464 .end_cons(); 00465 } 00466 }; 00467 00468 } 00469 00470 /* 00471 * Encode the extension 00472 */ 00473 std::vector<byte> Certificate_Policies::encode_inner() const 00474 { 00475 std::vector<Policy_Information> policies; 00476 00477 for(size_t i = 0; i != oids.size(); ++i) 00478 policies.push_back(oids[i]); 00479 00480 return DER_Encoder() 00481 .start_cons(SEQUENCE) 00482 .encode_list(policies) 00483 .end_cons() 00484 .get_contents_unlocked(); 00485 } 00486 00487 /* 00488 * Decode the extension 00489 */ 00490 void Certificate_Policies::decode_inner(const std::vector<byte>& in) 00491 { 00492 std::vector<Policy_Information> policies; 00493 00494 BER_Decoder(in).decode_list(policies); 00495 00496 oids.clear(); 00497 for(size_t i = 0; i != policies.size(); ++i) 00498 oids.push_back(policies[i].oid); 00499 } 00500 00501 /* 00502 * Return a textual representation 00503 */ 00504 void Certificate_Policies::contents_to(Data_Store& info, Data_Store&) const 00505 { 00506 for(size_t i = 0; i != oids.size(); ++i) 00507 info.add("X509v3.CertificatePolicies", oids[i].as_string()); 00508 } 00509 00510 std::vector<byte> Authority_Information_Access::encode_inner() const 00511 { 00512 ASN1_String url(m_ocsp_responder, IA5_STRING); 00513 00514 return DER_Encoder() 00515 .start_cons(SEQUENCE) 00516 .start_cons(SEQUENCE) 00517 .encode(OIDS::lookup("PKIX.OCSP")) 00518 .add_object(ASN1_Tag(6), CONTEXT_SPECIFIC, url.iso_8859()) 00519 .end_cons() 00520 .end_cons().get_contents_unlocked(); 00521 } 00522 00523 void Authority_Information_Access::decode_inner(const std::vector<byte>& in) 00524 { 00525 BER_Decoder ber = BER_Decoder(in).start_cons(SEQUENCE); 00526 00527 while(ber.more_items()) 00528 { 00529 OID oid; 00530 00531 BER_Decoder info = ber.start_cons(SEQUENCE); 00532 00533 info.decode(oid); 00534 00535 if(oid == OIDS::lookup("PKIX.OCSP")) 00536 { 00537 BER_Object name = info.get_next_object(); 00538 00539 if(name.type_tag == 6 && name.class_tag == CONTEXT_SPECIFIC) 00540 { 00541 m_ocsp_responder = Charset::transcode(ASN1::to_string(name), 00542 LATIN1_CHARSET, 00543 LOCAL_CHARSET); 00544 } 00545 00546 } 00547 } 00548 } 00549 00550 void Authority_Information_Access::contents_to(Data_Store& subject, Data_Store&) const 00551 { 00552 if(m_ocsp_responder != "") 00553 subject.add("OCSP.responder", m_ocsp_responder); 00554 } 00555 00556 /* 00557 * Checked accessor for the crl_number member 00558 */ 00559 size_t CRL_Number::get_crl_number() const 00560 { 00561 if(!has_value) 00562 throw Invalid_State("CRL_Number::get_crl_number: Not set"); 00563 return crl_number; 00564 } 00565 00566 /* 00567 * Copy a CRL_Number extension 00568 */ 00569 CRL_Number* CRL_Number::copy() const 00570 { 00571 if(!has_value) 00572 throw Invalid_State("CRL_Number::copy: Not set"); 00573 return new CRL_Number(crl_number); 00574 } 00575 00576 /* 00577 * Encode the extension 00578 */ 00579 std::vector<byte> CRL_Number::encode_inner() const 00580 { 00581 return DER_Encoder().encode(crl_number).get_contents_unlocked(); 00582 } 00583 00584 /* 00585 * Decode the extension 00586 */ 00587 void CRL_Number::decode_inner(const std::vector<byte>& in) 00588 { 00589 BER_Decoder(in).decode(crl_number); 00590 } 00591 00592 /* 00593 * Return a textual representation 00594 */ 00595 void CRL_Number::contents_to(Data_Store& info, Data_Store&) const 00596 { 00597 info.add("X509v3.CRLNumber", crl_number); 00598 } 00599 00600 /* 00601 * Encode the extension 00602 */ 00603 std::vector<byte> CRL_ReasonCode::encode_inner() const 00604 { 00605 return DER_Encoder() 00606 .encode(static_cast<size_t>(reason), ENUMERATED, UNIVERSAL) 00607 .get_contents_unlocked(); 00608 } 00609 00610 /* 00611 * Decode the extension 00612 */ 00613 void CRL_ReasonCode::decode_inner(const std::vector<byte>& in) 00614 { 00615 size_t reason_code = 0; 00616 BER_Decoder(in).decode(reason_code, ENUMERATED, UNIVERSAL); 00617 reason = static_cast<CRL_Code>(reason_code); 00618 } 00619 00620 /* 00621 * Return a textual representation 00622 */ 00623 void CRL_ReasonCode::contents_to(Data_Store& info, Data_Store&) const 00624 { 00625 info.add("X509v3.CRLReasonCode", reason); 00626 } 00627 00628 std::vector<byte> CRL_Distribution_Points::encode_inner() const 00629 { 00630 throw std::runtime_error("CRL_Distribution_Points encoding not implemented"); 00631 } 00632 00633 void CRL_Distribution_Points::decode_inner(const std::vector<byte>& buf) 00634 { 00635 BER_Decoder(buf).decode_list(m_distribution_points).verify_end(); 00636 } 00637 00638 void CRL_Distribution_Points::contents_to(Data_Store& info, Data_Store&) const 00639 { 00640 for(size_t i = 0; i != m_distribution_points.size(); ++i) 00641 { 00642 auto point = m_distribution_points[i].point().contents(); 00643 00644 auto uris = point.equal_range("URI"); 00645 00646 for(auto uri = uris.first; uri != uris.second; ++uri) 00647 info.add("CRL.DistributionPoint", uri->second); 00648 } 00649 } 00650 00651 void CRL_Distribution_Points::Distribution_Point::encode_into(class DER_Encoder&) const 00652 { 00653 throw std::runtime_error("CRL_Distribution_Points encoding not implemented"); 00654 } 00655 00656 void CRL_Distribution_Points::Distribution_Point::decode_from(class BER_Decoder& ber) 00657 { 00658 ber.start_cons(SEQUENCE) 00659 .start_cons(ASN1_Tag(0), CONTEXT_SPECIFIC) 00660 .decode_optional_implicit(m_point, ASN1_Tag(0), 00661 ASN1_Tag(CONTEXT_SPECIFIC | CONSTRUCTED), 00662 SEQUENCE, CONSTRUCTED) 00663 .end_cons().end_cons(); 00664 } 00665 00666 } 00667 00668 }