Botan  1.11.15
src/lib/cert/x509/x509_ext.cpp
Go to the documentation of this file.
00001 /*
00002 * X.509 Certificate Extensions
00003 * (C) 1999-2010,2012 Jack Lloyd
00004 *
00005 * Botan is released under the Simplified BSD License (see license.txt)
00006 */
00007 
00008 #include <botan/x509_ext.h>
00009 #include <botan/sha160.h>
00010 #include <botan/der_enc.h>
00011 #include <botan/ber_dec.h>
00012 #include <botan/oids.h>
00013 #include <botan/charset.h>
00014 #include <botan/internal/bit_ops.h>
00015 #include <algorithm>
00016 
00017 namespace Botan {
00018 
00019 /*
00020 * List of X.509 Certificate Extensions
00021 */
00022 Certificate_Extension* Extensions::get_extension(const OID& oid)
00023    {
00024 #define X509_EXTENSION(NAME, TYPE) \
00025    if(OIDS::name_of(oid, NAME))    \
00026       return new Cert_Extension::TYPE();
00027 
00028    X509_EXTENSION("X509v3.KeyUsage", Key_Usage);
00029    X509_EXTENSION("X509v3.BasicConstraints", Basic_Constraints);
00030    X509_EXTENSION("X509v3.SubjectKeyIdentifier", Subject_Key_ID);
00031    X509_EXTENSION("X509v3.AuthorityKeyIdentifier", Authority_Key_ID);
00032    X509_EXTENSION("X509v3.ExtendedKeyUsage", Extended_Key_Usage);
00033    X509_EXTENSION("X509v3.IssuerAlternativeName", Issuer_Alternative_Name);
00034    X509_EXTENSION("X509v3.SubjectAlternativeName", Subject_Alternative_Name);
00035    X509_EXTENSION("X509v3.CertificatePolicies", Certificate_Policies);
00036    X509_EXTENSION("X509v3.CRLDistributionPoints", CRL_Distribution_Points);
00037    X509_EXTENSION("PKIX.AuthorityInformationAccess", Authority_Information_Access);
00038    X509_EXTENSION("X509v3.CRLNumber", CRL_Number);
00039    X509_EXTENSION("X509v3.ReasonCode", CRL_ReasonCode);
00040 
00041    return nullptr;
00042    }
00043 
00044 /*
00045 * Extensions Copy Constructor
00046 */
00047 Extensions::Extensions(const Extensions& extensions) : ASN1_Object()
00048    {
00049    *this = extensions;
00050    }
00051 
00052 /*
00053 * Extensions Assignment Operator
00054 */
00055 Extensions& Extensions::operator=(const Extensions& other)
00056    {
00057    for(size_t i = 0; i != extensions.size(); ++i)
00058       delete extensions[i].first;
00059    extensions.clear();
00060 
00061    for(size_t i = 0; i != other.extensions.size(); ++i)
00062       extensions.push_back(
00063          std::make_pair(other.extensions[i].first->copy(),
00064                         other.extensions[i].second));
00065 
00066    m_throw_on_unknown_critical = other.m_throw_on_unknown_critical;
00067 
00068    return (*this);
00069    }
00070 
00071 /*
00072 * Return the OID of this extension
00073 */
00074 OID Certificate_Extension::oid_of() const
00075    {
00076    return OIDS::lookup(oid_name());
00077    }
00078 
00079 void Extensions::add(Certificate_Extension* extn, bool critical)
00080    {
00081    extensions.push_back(std::make_pair(extn, critical));
00082    }
00083 
00084 /*
00085 * Encode an Extensions list
00086 */
00087 void Extensions::encode_into(DER_Encoder& to_object) const
00088    {
00089    for(size_t i = 0; i != extensions.size(); ++i)
00090       {
00091       const Certificate_Extension* ext = extensions[i].first;
00092       const bool is_critical = extensions[i].second;
00093 
00094       const bool should_encode = ext->should_encode();
00095 
00096       if(should_encode)
00097          {
00098          to_object.start_cons(SEQUENCE)
00099                .encode(ext->oid_of())
00100                .encode_optional(is_critical, false)
00101                .encode(ext->encode_inner(), OCTET_STRING)
00102             .end_cons();
00103          }
00104       }
00105    }
00106 
00107 /*
00108 * Decode a list of Extensions
00109 */
00110 void Extensions::decode_from(BER_Decoder& from_source)
00111    {
00112    for(size_t i = 0; i != extensions.size(); ++i)
00113       delete extensions[i].first;
00114    extensions.clear();
00115 
00116    BER_Decoder sequence = from_source.start_cons(SEQUENCE);
00117 
00118    while(sequence.more_items())
00119       {
00120       OID oid;
00121       std::vector<byte> value;
00122       bool critical;
00123 
00124       sequence.start_cons(SEQUENCE)
00125             .decode(oid)
00126             .decode_optional(critical, BOOLEAN, UNIVERSAL, false)
00127             .decode(value, OCTET_STRING)
00128             .verify_end()
00129          .end_cons();
00130 
00131       Certificate_Extension* ext = get_extension(oid);
00132 
00133       if(!ext && critical && m_throw_on_unknown_critical)
00134          throw Decoding_Error("Encountered unknown X.509 extension marked "
00135                               "as critical; OID = " + oid.as_string());
00136 
00137       if(ext)
00138          {
00139          try
00140             {
00141             ext->decode_inner(value);
00142             }
00143          catch(std::exception& e)
00144             {
00145             throw Decoding_Error("Exception while decoding extension " +
00146                                  oid.as_string() + ": " + e.what());
00147             }
00148 
00149          extensions.push_back(std::make_pair(ext, critical));
00150          }
00151       }
00152 
00153    sequence.verify_end();
00154    }
00155 
00156 /*
00157 * Write the extensions to an info store
00158 */
00159 void Extensions::contents_to(Data_Store& subject_info,
00160                              Data_Store& issuer_info) const
00161    {
00162    for(size_t i = 0; i != extensions.size(); ++i)
00163       extensions[i].first->contents_to(subject_info, issuer_info);
00164    }
00165 
00166 /*
00167 * Delete an Extensions list
00168 */
00169 Extensions::~Extensions()
00170    {
00171    for(size_t i = 0; i != extensions.size(); ++i)
00172       delete extensions[i].first;
00173    }
00174 
00175 namespace Cert_Extension {
00176 
00177 /*
00178 * Checked accessor for the path_limit member
00179 */
00180 size_t Basic_Constraints::get_path_limit() const
00181    {
00182    if(!is_ca)
00183       throw Invalid_State("Basic_Constraints::get_path_limit: Not a CA");
00184    return path_limit;
00185    }
00186 
00187 /*
00188 * Encode the extension
00189 */
00190 std::vector<byte> Basic_Constraints::encode_inner() const
00191    {
00192    return DER_Encoder()
00193       .start_cons(SEQUENCE)
00194       .encode_if(is_ca,
00195                  DER_Encoder()
00196                     .encode(is_ca)
00197                     .encode_optional(path_limit, NO_CERT_PATH_LIMIT)
00198          )
00199       .end_cons()
00200    .get_contents_unlocked();
00201    }
00202 
00203 /*
00204 * Decode the extension
00205 */
00206 void Basic_Constraints::decode_inner(const std::vector<byte>& in)
00207    {
00208    BER_Decoder(in)
00209       .start_cons(SEQUENCE)
00210          .decode_optional(is_ca, BOOLEAN, UNIVERSAL, false)
00211          .decode_optional(path_limit, INTEGER, UNIVERSAL, NO_CERT_PATH_LIMIT)
00212          .verify_end()
00213       .end_cons();
00214 
00215    if(is_ca == false)
00216       path_limit = 0;
00217    }
00218 
00219 /*
00220 * Return a textual representation
00221 */
00222 void Basic_Constraints::contents_to(Data_Store& subject, Data_Store&) const
00223    {
00224    subject.add("X509v3.BasicConstraints.is_ca", (is_ca ? 1 : 0));
00225    subject.add("X509v3.BasicConstraints.path_constraint", path_limit);
00226    }
00227 
00228 /*
00229 * Encode the extension
00230 */
00231 std::vector<byte> Key_Usage::encode_inner() const
00232    {
00233    if(constraints == NO_CONSTRAINTS)
00234       throw Encoding_Error("Cannot encode zero usage constraints");
00235 
00236    const size_t unused_bits = low_bit(constraints) - 1;
00237 
00238    std::vector<byte> der;
00239    der.push_back(BIT_STRING);
00240    der.push_back(2 + ((unused_bits < 8) ? 1 : 0));
00241    der.push_back(unused_bits % 8);
00242    der.push_back((constraints >> 8) & 0xFF);
00243    if(constraints & 0xFF)
00244       der.push_back(constraints & 0xFF);
00245 
00246    return der;
00247    }
00248 
00249 /*
00250 * Decode the extension
00251 */
00252 void Key_Usage::decode_inner(const std::vector<byte>& in)
00253    {
00254    BER_Decoder ber(in);
00255 
00256    BER_Object obj = ber.get_next_object();
00257 
00258    if(obj.type_tag != BIT_STRING || obj.class_tag != UNIVERSAL)
00259       throw BER_Bad_Tag("Bad tag for usage constraint",
00260                         obj.type_tag, obj.class_tag);
00261 
00262    if(obj.value.size() != 2 && obj.value.size() != 3)
00263       throw BER_Decoding_Error("Bad size for BITSTRING in usage constraint");
00264 
00265    if(obj.value[0] >= 8)
00266       throw BER_Decoding_Error("Invalid unused bits in usage constraint");
00267 
00268    obj.value[obj.value.size()-1] &= (0xFF << obj.value[0]);
00269 
00270    u16bit usage = 0;
00271    for(size_t i = 1; i != obj.value.size(); ++i)
00272       usage = (obj.value[i] << 8) | usage;
00273 
00274    constraints = Key_Constraints(usage);
00275    }
00276 
00277 /*
00278 * Return a textual representation
00279 */
00280 void Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
00281    {
00282    subject.add("X509v3.KeyUsage", constraints);
00283    }
00284 
00285 /*
00286 * Encode the extension
00287 */
00288 std::vector<byte> Subject_Key_ID::encode_inner() const
00289    {
00290    return DER_Encoder().encode(key_id, OCTET_STRING).get_contents_unlocked();
00291    }
00292 
00293 /*
00294 * Decode the extension
00295 */
00296 void Subject_Key_ID::decode_inner(const std::vector<byte>& in)
00297    {
00298    BER_Decoder(in).decode(key_id, OCTET_STRING).verify_end();
00299    }
00300 
00301 /*
00302 * Return a textual representation
00303 */
00304 void Subject_Key_ID::contents_to(Data_Store& subject, Data_Store&) const
00305    {
00306    subject.add("X509v3.SubjectKeyIdentifier", key_id);
00307    }
00308 
00309 /*
00310 * Subject_Key_ID Constructor
00311 */
00312 Subject_Key_ID::Subject_Key_ID(const std::vector<byte>& pub_key)
00313    {
00314    SHA_160 hash;
00315    key_id = unlock(hash.process(pub_key));
00316    }
00317 
00318 /*
00319 * Encode the extension
00320 */
00321 std::vector<byte> Authority_Key_ID::encode_inner() const
00322    {
00323    return DER_Encoder()
00324          .start_cons(SEQUENCE)
00325             .encode(key_id, OCTET_STRING, ASN1_Tag(0), CONTEXT_SPECIFIC)
00326          .end_cons()
00327       .get_contents_unlocked();
00328    }
00329 
00330 /*
00331 * Decode the extension
00332 */
00333 void Authority_Key_ID::decode_inner(const std::vector<byte>& in)
00334    {
00335    BER_Decoder(in)
00336       .start_cons(SEQUENCE)
00337       .decode_optional_string(key_id, OCTET_STRING, 0);
00338    }
00339 
00340 /*
00341 * Return a textual representation
00342 */
00343 void Authority_Key_ID::contents_to(Data_Store&, Data_Store& issuer) const
00344    {
00345    if(key_id.size())
00346       issuer.add("X509v3.AuthorityKeyIdentifier", key_id);
00347    }
00348 
00349 /*
00350 * Encode the extension
00351 */
00352 std::vector<byte> Alternative_Name::encode_inner() const
00353    {
00354    return DER_Encoder().encode(alt_name).get_contents_unlocked();
00355    }
00356 
00357 /*
00358 * Decode the extension
00359 */
00360 void Alternative_Name::decode_inner(const std::vector<byte>& in)
00361    {
00362    BER_Decoder(in).decode(alt_name);
00363    }
00364 
00365 /*
00366 * Return a textual representation
00367 */
00368 void Alternative_Name::contents_to(Data_Store& subject_info,
00369                                    Data_Store& issuer_info) const
00370    {
00371    std::multimap<std::string, std::string> contents =
00372       get_alt_name().contents();
00373 
00374    if(oid_name_str == "X509v3.SubjectAlternativeName")
00375       subject_info.add(contents);
00376    else if(oid_name_str == "X509v3.IssuerAlternativeName")
00377       issuer_info.add(contents);
00378    else
00379       throw Internal_Error("In Alternative_Name, unknown type " +
00380                            oid_name_str);
00381    }
00382 
00383 /*
00384 * Alternative_Name Constructor
00385 */
00386 Alternative_Name::Alternative_Name(const AlternativeName& alt_name,
00387                                    const std::string& oid_name_str)
00388    {
00389    this->alt_name = alt_name;
00390    this->oid_name_str = oid_name_str;
00391    }
00392 
00393 /*
00394 * Subject_Alternative_Name Constructor
00395 */
00396 Subject_Alternative_Name::Subject_Alternative_Name(
00397   const AlternativeName& name) :
00398    Alternative_Name(name, "X509v3.SubjectAlternativeName")
00399    {
00400    }
00401 
00402 /*
00403 * Issuer_Alternative_Name Constructor
00404 */
00405 Issuer_Alternative_Name::Issuer_Alternative_Name(const AlternativeName& name) :
00406    Alternative_Name(name, "X509v3.IssuerAlternativeName")
00407    {
00408    }
00409 
00410 /*
00411 * Encode the extension
00412 */
00413 std::vector<byte> Extended_Key_Usage::encode_inner() const
00414    {
00415    return DER_Encoder()
00416       .start_cons(SEQUENCE)
00417          .encode_list(oids)
00418       .end_cons()
00419    .get_contents_unlocked();
00420    }
00421 
00422 /*
00423 * Decode the extension
00424 */
00425 void Extended_Key_Usage::decode_inner(const std::vector<byte>& in)
00426    {
00427    BER_Decoder(in).decode_list(oids);
00428    }
00429 
00430 /*
00431 * Return a textual representation
00432 */
00433 void Extended_Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
00434    {
00435    for(size_t i = 0; i != oids.size(); ++i)
00436       subject.add("X509v3.ExtendedKeyUsage", oids[i].as_string());
00437    }
00438 
00439 namespace {
00440 
00441 /*
00442 * A policy specifier
00443 */
00444 class Policy_Information : public ASN1_Object
00445    {
00446    public:
00447       OID oid;
00448 
00449       Policy_Information() {}
00450       Policy_Information(const OID& oid) : oid(oid) {}
00451 
00452       void encode_into(DER_Encoder& codec) const
00453          {
00454          codec.start_cons(SEQUENCE)
00455             .encode(oid)
00456             .end_cons();
00457          }
00458 
00459       void decode_from(BER_Decoder& codec)
00460          {
00461          codec.start_cons(SEQUENCE)
00462             .decode(oid)
00463             .discard_remaining()
00464             .end_cons();
00465          }
00466    };
00467 
00468 }
00469 
00470 /*
00471 * Encode the extension
00472 */
00473 std::vector<byte> Certificate_Policies::encode_inner() const
00474    {
00475    std::vector<Policy_Information> policies;
00476 
00477    for(size_t i = 0; i != oids.size(); ++i)
00478       policies.push_back(oids[i]);
00479 
00480    return DER_Encoder()
00481       .start_cons(SEQUENCE)
00482          .encode_list(policies)
00483       .end_cons()
00484    .get_contents_unlocked();
00485    }
00486 
00487 /*
00488 * Decode the extension
00489 */
00490 void Certificate_Policies::decode_inner(const std::vector<byte>& in)
00491    {
00492    std::vector<Policy_Information> policies;
00493 
00494    BER_Decoder(in).decode_list(policies);
00495 
00496    oids.clear();
00497    for(size_t i = 0; i != policies.size(); ++i)
00498       oids.push_back(policies[i].oid);
00499    }
00500 
00501 /*
00502 * Return a textual representation
00503 */
00504 void Certificate_Policies::contents_to(Data_Store& info, Data_Store&) const
00505    {
00506    for(size_t i = 0; i != oids.size(); ++i)
00507       info.add("X509v3.CertificatePolicies", oids[i].as_string());
00508    }
00509 
00510 std::vector<byte> Authority_Information_Access::encode_inner() const
00511    {
00512    ASN1_String url(m_ocsp_responder, IA5_STRING);
00513 
00514    return DER_Encoder()
00515       .start_cons(SEQUENCE)
00516       .start_cons(SEQUENCE)
00517       .encode(OIDS::lookup("PKIX.OCSP"))
00518       .add_object(ASN1_Tag(6), CONTEXT_SPECIFIC, url.iso_8859())
00519       .end_cons()
00520       .end_cons().get_contents_unlocked();
00521    }
00522 
00523 void Authority_Information_Access::decode_inner(const std::vector<byte>& in)
00524    {
00525    BER_Decoder ber = BER_Decoder(in).start_cons(SEQUENCE);
00526 
00527    while(ber.more_items())
00528       {
00529       OID oid;
00530 
00531       BER_Decoder info = ber.start_cons(SEQUENCE);
00532 
00533       info.decode(oid);
00534 
00535       if(oid == OIDS::lookup("PKIX.OCSP"))
00536          {
00537          BER_Object name = info.get_next_object();
00538 
00539          if(name.type_tag == 6 && name.class_tag == CONTEXT_SPECIFIC)
00540             {
00541             m_ocsp_responder = Charset::transcode(ASN1::to_string(name),
00542                                                   LATIN1_CHARSET,
00543                                                   LOCAL_CHARSET);
00544             }
00545 
00546          }
00547       }
00548    }
00549 
00550 void Authority_Information_Access::contents_to(Data_Store& subject, Data_Store&) const
00551    {
00552    if(m_ocsp_responder != "")
00553       subject.add("OCSP.responder", m_ocsp_responder);
00554    }
00555 
00556 /*
00557 * Checked accessor for the crl_number member
00558 */
00559 size_t CRL_Number::get_crl_number() const
00560    {
00561    if(!has_value)
00562       throw Invalid_State("CRL_Number::get_crl_number: Not set");
00563    return crl_number;
00564    }
00565 
00566 /*
00567 * Copy a CRL_Number extension
00568 */
00569 CRL_Number* CRL_Number::copy() const
00570    {
00571    if(!has_value)
00572       throw Invalid_State("CRL_Number::copy: Not set");
00573    return new CRL_Number(crl_number);
00574    }
00575 
00576 /*
00577 * Encode the extension
00578 */
00579 std::vector<byte> CRL_Number::encode_inner() const
00580    {
00581    return DER_Encoder().encode(crl_number).get_contents_unlocked();
00582    }
00583 
00584 /*
00585 * Decode the extension
00586 */
00587 void CRL_Number::decode_inner(const std::vector<byte>& in)
00588    {
00589    BER_Decoder(in).decode(crl_number);
00590    }
00591 
00592 /*
00593 * Return a textual representation
00594 */
00595 void CRL_Number::contents_to(Data_Store& info, Data_Store&) const
00596    {
00597    info.add("X509v3.CRLNumber", crl_number);
00598    }
00599 
00600 /*
00601 * Encode the extension
00602 */
00603 std::vector<byte> CRL_ReasonCode::encode_inner() const
00604    {
00605    return DER_Encoder()
00606       .encode(static_cast<size_t>(reason), ENUMERATED, UNIVERSAL)
00607    .get_contents_unlocked();
00608    }
00609 
00610 /*
00611 * Decode the extension
00612 */
00613 void CRL_ReasonCode::decode_inner(const std::vector<byte>& in)
00614    {
00615    size_t reason_code = 0;
00616    BER_Decoder(in).decode(reason_code, ENUMERATED, UNIVERSAL);
00617    reason = static_cast<CRL_Code>(reason_code);
00618    }
00619 
00620 /*
00621 * Return a textual representation
00622 */
00623 void CRL_ReasonCode::contents_to(Data_Store& info, Data_Store&) const
00624    {
00625    info.add("X509v3.CRLReasonCode", reason);
00626    }
00627 
00628 std::vector<byte> CRL_Distribution_Points::encode_inner() const
00629    {
00630    throw std::runtime_error("CRL_Distribution_Points encoding not implemented");
00631    }
00632 
00633 void CRL_Distribution_Points::decode_inner(const std::vector<byte>& buf)
00634    {
00635    BER_Decoder(buf).decode_list(m_distribution_points).verify_end();
00636    }
00637 
00638 void CRL_Distribution_Points::contents_to(Data_Store& info, Data_Store&) const
00639    {
00640    for(size_t i = 0; i != m_distribution_points.size(); ++i)
00641       {
00642       auto point = m_distribution_points[i].point().contents();
00643 
00644       auto uris = point.equal_range("URI");
00645 
00646       for(auto uri = uris.first; uri != uris.second; ++uri)
00647          info.add("CRL.DistributionPoint", uri->second);
00648       }
00649    }
00650 
00651 void CRL_Distribution_Points::Distribution_Point::encode_into(class DER_Encoder&) const
00652    {
00653    throw std::runtime_error("CRL_Distribution_Points encoding not implemented");
00654    }
00655 
00656 void CRL_Distribution_Points::Distribution_Point::decode_from(class BER_Decoder& ber)
00657    {
00658    ber.start_cons(SEQUENCE)
00659       .start_cons(ASN1_Tag(0), CONTEXT_SPECIFIC)
00660         .decode_optional_implicit(m_point, ASN1_Tag(0),
00661                                   ASN1_Tag(CONTEXT_SPECIFIC | CONSTRUCTED),
00662                                   SEQUENCE, CONSTRUCTED)
00663       .end_cons().end_cons();
00664    }
00665 
00666 }
00667 
00668 }