Botan
1.11.15
|
00001 /* 00002 * X.509 CRL 00003 * (C) 1999-2007 Jack Lloyd 00004 * 00005 * Botan is released under the Simplified BSD License (see license.txt) 00006 */ 00007 00008 #include <botan/x509_crl.h> 00009 #include <botan/x509_ext.h> 00010 #include <botan/x509cert.h> 00011 #include <botan/ber_dec.h> 00012 #include <botan/parsing.h> 00013 #include <botan/bigint.h> 00014 #include <botan/oids.h> 00015 00016 namespace Botan { 00017 00018 /* 00019 * Load a X.509 CRL 00020 */ 00021 X509_CRL::X509_CRL(DataSource& in, bool touc) : 00022 X509_Object(in, "X509 CRL/CRL"), throw_on_unknown_critical(touc) 00023 { 00024 do_decode(); 00025 } 00026 00027 /* 00028 * Load a X.509 CRL 00029 */ 00030 X509_CRL::X509_CRL(const std::string& in, bool touc) : 00031 X509_Object(in, "CRL/X509 CRL"), throw_on_unknown_critical(touc) 00032 { 00033 do_decode(); 00034 } 00035 00036 X509_CRL::X509_CRL(const std::vector<byte>& in, bool touc) : 00037 X509_Object(in, "CRL/X509 CRL"), throw_on_unknown_critical(touc) 00038 { 00039 do_decode(); 00040 } 00041 00042 /** 00043 * Check if this particular certificate is listed in the CRL 00044 */ 00045 bool X509_CRL::is_revoked(const X509_Certificate& cert) const 00046 { 00047 /* 00048 If the cert wasn't issued by the CRL issuer, it's possible the cert 00049 is revoked, but not by this CRL. Maybe throw an exception instead? 00050 */ 00051 if(cert.issuer_dn() != issuer_dn()) 00052 return false; 00053 00054 std::vector<byte> crl_akid = authority_key_id(); 00055 std::vector<byte> cert_akid = cert.authority_key_id(); 00056 00057 if(!crl_akid.empty() && !cert_akid.empty()) 00058 if(crl_akid != cert_akid) 00059 return false; 00060 00061 std::vector<byte> cert_serial = cert.serial_number(); 00062 00063 bool is_revoked = false; 00064 00065 for(size_t i = 0; i != revoked.size(); ++i) 00066 { 00067 if(cert_serial == revoked[i].serial_number()) 00068 { 00069 if(revoked[i].reason_code() == REMOVE_FROM_CRL) 00070 is_revoked = false; 00071 else 00072 is_revoked = true; 00073 } 00074 } 00075 00076 return is_revoked; 00077 } 00078 00079 /* 00080 * Decode the TBSCertList data 00081 */ 00082 void X509_CRL::force_decode() 00083 { 00084 BER_Decoder tbs_crl(tbs_bits); 00085 00086 size_t version; 00087 tbs_crl.decode_optional(version, INTEGER, UNIVERSAL); 00088 00089 if(version != 0 && version != 1) 00090 throw X509_CRL_Error("Unknown X.509 CRL version " + 00091 std::to_string(version+1)); 00092 00093 AlgorithmIdentifier sig_algo_inner; 00094 tbs_crl.decode(sig_algo_inner); 00095 00096 if(sig_algo != sig_algo_inner) 00097 throw X509_CRL_Error("Algorithm identifier mismatch"); 00098 00099 X509_DN dn_issuer; 00100 tbs_crl.decode(dn_issuer); 00101 info.add(dn_issuer.contents()); 00102 00103 X509_Time start, end; 00104 tbs_crl.decode(start).decode(end); 00105 info.add("X509.CRL.start", start.readable_string()); 00106 info.add("X509.CRL.end", end.readable_string()); 00107 00108 BER_Object next = tbs_crl.get_next_object(); 00109 00110 if(next.type_tag == SEQUENCE && next.class_tag == CONSTRUCTED) 00111 { 00112 BER_Decoder cert_list(next.value); 00113 00114 while(cert_list.more_items()) 00115 { 00116 CRL_Entry entry(throw_on_unknown_critical); 00117 cert_list.decode(entry); 00118 revoked.push_back(entry); 00119 } 00120 next = tbs_crl.get_next_object(); 00121 } 00122 00123 if(next.type_tag == 0 && 00124 next.class_tag == ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)) 00125 { 00126 BER_Decoder crl_options(next.value); 00127 00128 Extensions extensions(throw_on_unknown_critical); 00129 00130 crl_options.decode(extensions).verify_end(); 00131 00132 extensions.contents_to(info, info); 00133 00134 next = tbs_crl.get_next_object(); 00135 } 00136 00137 if(next.type_tag != NO_OBJECT) 00138 throw X509_CRL_Error("Unknown tag in CRL"); 00139 00140 tbs_crl.verify_end(); 00141 } 00142 00143 /* 00144 * Return the list of revoked certificates 00145 */ 00146 std::vector<CRL_Entry> X509_CRL::get_revoked() const 00147 { 00148 return revoked; 00149 } 00150 00151 /* 00152 * Return the distinguished name of the issuer 00153 */ 00154 X509_DN X509_CRL::issuer_dn() const 00155 { 00156 return create_dn(info); 00157 } 00158 00159 /* 00160 * Return the key identifier of the issuer 00161 */ 00162 std::vector<byte> X509_CRL::authority_key_id() const 00163 { 00164 return info.get1_memvec("X509v3.AuthorityKeyIdentifier"); 00165 } 00166 00167 /* 00168 * Return the CRL number of this CRL 00169 */ 00170 u32bit X509_CRL::crl_number() const 00171 { 00172 return info.get1_u32bit("X509v3.CRLNumber"); 00173 } 00174 00175 /* 00176 * Return the issue data of the CRL 00177 */ 00178 X509_Time X509_CRL::this_update() const 00179 { 00180 return info.get1("X509.CRL.start"); 00181 } 00182 00183 /* 00184 * Return the date when a new CRL will be issued 00185 */ 00186 X509_Time X509_CRL::next_update() const 00187 { 00188 return info.get1("X509.CRL.end"); 00189 } 00190 00191 }