authorDavid Clark <david.a.clark@nokia.com>2010-11-18 16:20:48 +1000
committerDavid Clark <david.a.clark@nokia.com>2010-11-18 16:20:48 +1000
commitc223232bc15106750da632598047a35ad3762723 (patch)
tree403f7aa2c3a5a912edce6feae869046c89d29178 /botan/src/cert
parentb984b0b62076067f1f75db5a7eda5aaa2cdaad2a (diff)
Mark repository as deprecatedHEADmaster
Diffstat (limited to 'botan/src/cert')
-rw-r--r--botan/src/cert/cvc/asn1_eac_str.cpp130
-rw-r--r--botan/src/cert/cvc/asn1_eac_tm.cpp361
-rw-r--r--botan/src/cert/cvc/cvc_ado.cpp135
-rw-r--r--botan/src/cert/cvc/cvc_ado.h101
-rw-r--r--botan/src/cert/cvc/cvc_ca.cpp46
-rw-r--r--botan/src/cert/cvc/cvc_ca.h51
-rw-r--r--botan/src/cert/cvc/cvc_cert.cpp102
-rw-r--r--botan/src/cert/cvc/cvc_cert.h94
-rw-r--r--botan/src/cert/cvc/cvc_gen_cert.h177
-rw-r--r--botan/src/cert/cvc/cvc_key.h54
-rw-r--r--botan/src/cert/cvc/cvc_req.cpp68
-rw-r--r--botan/src/cert/cvc/cvc_req.h62
-rw-r--r--botan/src/cert/cvc/cvc_self.cpp327
-rw-r--r--botan/src/cert/cvc/cvc_self.h167
-rw-r--r--botan/src/cert/cvc/eac_asn_obj.h244
-rw-r--r--botan/src/cert/cvc/eac_obj.h131
-rw-r--r--botan/src/cert/cvc/ecdsa_sig.cpp64
-rw-r--r--botan/src/cert/cvc/ecdsa_sig.h88
-rw-r--r--botan/src/cert/cvc/freestore.h85
-rw-r--r--botan/src/cert/cvc/info.txt44
-rw-r--r--botan/src/cert/cvc/signed_obj.cpp67
-rw-r--r--botan/src/cert/cvc/signed_obj.h93
-rw-r--r--botan/src/cert/x509/certstor.cpp48
-rw-r--r--botan/src/cert/x509/certstor.h39
-rw-r--r--botan/src/cert/x509/crl_ent.cpp107
-rw-r--r--botan/src/cert/x509/crl_ent.h78
-rw-r--r--botan/src/cert/x509/info.txt45
-rw-r--r--botan/src/cert/x509/pkcs10.cpp200
-rw-r--r--botan/src/cert/x509/pkcs10.h101
-rw-r--r--botan/src/cert/x509/x509_ca.cpp284
-rw-r--r--botan/src/cert/x509/x509_ca.h108
-rw-r--r--botan/src/cert/x509/x509_crl.cpp147
-rw-r--r--botan/src/cert/x509/x509_crl.h90
-rw-r--r--botan/src/cert/x509/x509_ext.cpp581
-rw-r--r--botan/src/cert/x509/x509_ext.h317
-rw-r--r--botan/src/cert/x509/x509_obj.cpp235
-rw-r--r--botan/src/cert/x509/x509_obj.h67
-rw-r--r--botan/src/cert/x509/x509cert.cpp366
-rw-r--r--botan/src/cert/x509/x509cert.h185
-rw-r--r--botan/src/cert/x509/x509find.cpp111
-rw-r--r--botan/src/cert/x509/x509find.h60
-rw-r--r--botan/src/cert/x509/x509opt.cpp108
-rw-r--r--botan/src/cert/x509/x509self.cpp176
-rw-r--r--botan/src/cert/x509/x509self.h198
-rw-r--r--botan/src/cert/x509/x509stor.cpp695
-rw-r--r--botan/src/cert/x509/x509stor.h143
46 files changed, 0 insertions, 7180 deletions
diff --git a/botan/src/cert/cvc/asn1_eac_str.cpp b/botan/src/cert/cvc/asn1_eac_str.cpp
deleted file mode 100644
index a306ffb..0000000
--- a/botan/src/cert/cvc/asn1_eac_str.cpp
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
-* Simple ASN.1 String Types
-* (C) 2007 FlexSecure GmbH
-* 2008 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/eac_asn_obj.h>
-#include <botan/der_enc.h>
-#include <botan/ber_dec.h>
-#include <botan/charset.h>
-#include <botan/parsing.h>
-#include <sstream>
-
-namespace Botan {
-
-/*
-* Create an ASN1_EAC_String
-*/
-ASN1_EAC_String::ASN1_EAC_String(const std::string& str, ASN1_Tag t) : tag(t)
- {
- iso_8859_str = Charset::transcode(str, LOCAL_CHARSET, LATIN1_CHARSET);
- if (!sanity_check())
- {
- throw Invalid_Argument("attempted to construct ASN1_EAC_String with illegal characters");
- }
- }
-
-/*
-* Return this string in ISO 8859-1 encoding
-*/
-std::string ASN1_EAC_String::iso_8859() const
- {
- return iso_8859_str;
- }
-
-/*
-* Return this string in local encoding
-*/
-std::string ASN1_EAC_String::value() const
- {
- return Charset::transcode(iso_8859_str, LATIN1_CHARSET, LOCAL_CHARSET);
- }
-
-/*
-* Return the type of this string object
-*/
-ASN1_Tag ASN1_EAC_String::tagging() const
- {
- return tag;
- }
-
-/*
-* DER encode an ASN1_EAC_String
-*/
-void ASN1_EAC_String::encode_into(DER_Encoder& encoder) const
- {
- std::string value = iso_8859();
- encoder.add_object(tagging(), APPLICATION, value);
- }
-
-/*
-* Decode a BER encoded ASN1_EAC_String
-*/
-void ASN1_EAC_String::decode_from(BER_Decoder& source)
- {
- BER_Object obj = source.get_next_object();
- if (obj.type_tag != this->tag)
- {
-
- std::string message("decoding type mismatch for ASN1_EAC_String, tag is ");
- std::stringstream ss;
- std::string str_is;
- ss << std::hex << obj.type_tag;
- ss >> str_is;
- message.append(str_is);
- message.append(", while it should be ");
- std::stringstream ss2;
- std::string str_should;
- ss2 << std::hex << this->tag;
- ss2 >> str_should;
- message.append(str_should);
- throw Decoding_Error(message);
- }
- Character_Set charset_is;
- charset_is = LATIN1_CHARSET;
-
- try
- {
- *this = ASN1_EAC_String(
- Charset::transcode(ASN1::to_string(obj), charset_is, LOCAL_CHARSET),
- obj.type_tag);
- }
- catch (Invalid_Argument inv_arg)
- {
- throw Decoding_Error(std::string("error while decoding ASN1_EAC_String: ") + std::string(inv_arg.what()));
- }
- }
-
-// checks for compliance to the alphabet defined in TR-03110 v1.10, 2007-08-20
-// p. 43
-bool ASN1_EAC_String::sanity_check() const
- {
- const byte* rep = reinterpret_cast<const byte*>(iso_8859_str.data());
- const u32bit rep_len = iso_8859_str.size();
- for (u32bit i=0; i<rep_len; i++)
- {
- if ((rep[i] < 0x20) || ((rep[i] >= 0x7F) && (rep[i] < 0xA0)))
- {
- return false;
- }
- }
- return true;
- }
-
-bool operator==(const ASN1_EAC_String& lhs, const ASN1_EAC_String& rhs)
- {
- return (lhs.iso_8859() == rhs.iso_8859());
- }
-
-ASN1_Car::ASN1_Car(std::string const& str)
- : ASN1_EAC_String(str, ASN1_Tag(2))
- {}
-
-ASN1_Chr::ASN1_Chr(std::string const& str)
- : ASN1_EAC_String(str, ASN1_Tag(32))
- {}
-
-}
diff --git a/botan/src/cert/cvc/asn1_eac_tm.cpp b/botan/src/cert/cvc/asn1_eac_tm.cpp
deleted file mode 100644
index 05533b5..0000000
--- a/botan/src/cert/cvc/asn1_eac_tm.cpp
+++ /dev/null
@@ -1,361 +0,0 @@
-/*
-* EAC Time Types
-* (C) 2007 FlexSecure GmbH
-* 2008 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/eac_asn_obj.h>
-#include <botan/der_enc.h>
-#include <botan/ber_dec.h>
-#include <botan/charset.h>
-#include <botan/parsing.h>
-#include <ctime>
-#include <sstream>
-
-namespace Botan {
-
-namespace {
-
-/*
-* Convert a time_t to a struct tm
-*/
-std::tm get_tm(u64bit timer)
- {
- std::time_t time_val = static_cast<std::time_t>(timer);
-
- std::tm* tm_p = std::gmtime(&time_val);
- if (tm_p == 0)
- throw Encoding_Error("EAC_Time: gmtime could not encode " +
- to_string(timer));
- return (*tm_p);
- }
-SecureVector<byte> enc_two_digit(u32bit in)
- {
- SecureVector<byte> result;
- in %= 100;
- if (in < 10)
- {
- result.append(0x00);
- }
- else
- {
- u32bit y_first_pos = (in - (in%10))/10;
- result.append(static_cast<byte>(y_first_pos));
- }
- u32bit y_sec_pos = in%10;
- result.append(static_cast<byte>(y_sec_pos));
- return result;
- }
-u32bit dec_two_digit(byte b1, byte b2)
- {
- u32bit upper = (u32bit)b1;
- u32bit lower = (u32bit)b2;
- if (upper > 9 || lower > 9)
- {
- throw Invalid_Argument("u32bit dec_two_digit(byte b1, byte b2): value too large");
- }
- return upper*10 + lower;
-
- }
-}
-
-/*
-* Create an EAC_Time
-*/
-EAC_Time::EAC_Time(u64bit timer, ASN1_Tag t)
- :tag(t)
- {
- std::tm time_info = get_tm(timer);
-
- year = time_info.tm_year + 1900;
- month = time_info.tm_mon + 1;
- day = time_info.tm_mday;
-
- }
-
-/*
-* Create an EAC_Time
-*/
-EAC_Time::EAC_Time(const std::string& t_spec, ASN1_Tag t)
- :tag(t)
- {
- set_to(t_spec);
- }
-/*
-* Create an EAC_Time
-*/
-EAC_Time::EAC_Time(u32bit y, u32bit m, u32bit d, ASN1_Tag t)
- : year(y),
- month(m),
- day(d),
- tag(t)
- {
- }
-
-/*
-* Set the time with a human readable string
-*/
-void EAC_Time::set_to(const std::string& time_str)
- {
- if (time_str == "")
- {
- year = month = day = 0;
- return;
- }
-
- std::vector<std::string> params;
- std::string current;
-
- for (u32bit j = 0; j != time_str.size(); ++j)
- {
- if (Charset::is_digit(time_str[j]))
- current += time_str[j];
- else
- {
- if (current != "")
- params.push_back(current);
- current.clear();
- }
- }
- if (current != "")
- params.push_back(current);
-
- if (params.size() != 3)
- throw Invalid_Argument("Invalid time specification " + time_str);
-
- year = to_u32bit(params[0]);
- month = to_u32bit(params[1]);
- day = to_u32bit(params[2]);
-
- if (!passes_sanity_check())
- throw Invalid_Argument("Invalid time specification " + time_str);
- }
-
-
-/*
-* DER encode a EAC_Time
-*/
-void EAC_Time::encode_into(DER_Encoder& der) const
- {
- der.add_object(tag, APPLICATION,
- encoded_eac_time());
- }
-
-/*
-* Return a string representation of the time
-*/
-std::string EAC_Time::as_string() const
- {
- if (time_is_set() == false)
- throw Invalid_State("EAC_Time::as_string: No time set");
-
- std::string asn1rep;
- asn1rep = to_string(year, 2);
-
- asn1rep += to_string(month, 2) + to_string(day, 2);
-
- return asn1rep;
- }
-
-/*
-* Return if the time has been set somehow
-*/
-bool EAC_Time::time_is_set() const
- {
- return (year != 0);
- }
-
-/*
-* Return a human readable string representation
-*/
-std::string EAC_Time::readable_string() const
- {
- if (time_is_set() == false)
- throw Invalid_State("EAC_Time::readable_string: No time set");
-
- std::string readable;
- readable += to_string(year, 2) + "/";
- readable += to_string(month, 2) + "/";
- readable += to_string(day, 2) + " ";
-
- return readable;
- }
-
-/*
-* Do a general sanity check on the time
-*/
-bool EAC_Time::passes_sanity_check() const
- {
- if (year < 2000 || year > 2099)
- return false;
- if (month == 0 || month > 12)
- return false;
- if (day == 0 || day > 31)
- return false;
-
- return true;
- }
-
-/******************************************
-* modification functions
-******************************************/
-
-void EAC_Time::add_years(u32bit years)
- {
- year += years;
- }
-void EAC_Time::add_months(u32bit months)
- {
- year += months/12;
- month += months % 12;
- if(month > 12)
- {
- year += 1;
- month -= 12;
- }
- }
-
-
-/*
-* Compare this time against another
-*/
-s32bit EAC_Time::cmp(const EAC_Time& other) const
- {
- if (time_is_set() == false)
- throw Invalid_State("EAC_Time::cmp: No time set");
-
- const s32bit EARLIER = -1, LATER = 1, SAME_TIME = 0;
-
- if (year < other.year) return EARLIER;
- if (year > other.year) return LATER;
- if (month < other.month) return EARLIER;
- if (month > other.month) return LATER;
- if (day < other.day) return EARLIER;
- if (day > other.day) return LATER;
-
- return SAME_TIME;
- }
-
-/*
-* Compare two EAC_Times for in various ways
-*/
-bool operator==(const EAC_Time& t1, const EAC_Time& t2)
- {
- return (t1.cmp(t2) == 0);
- }
-bool operator!=(const EAC_Time& t1, const EAC_Time& t2)
- {
- return (t1.cmp(t2) != 0);
- }
-bool operator<=(const EAC_Time& t1, const EAC_Time& t2)
- {
- return (t1.cmp(t2) <= 0);
- }
-bool operator>=(const EAC_Time& t1, const EAC_Time& t2)
- {
- return (t1.cmp(t2) >= 0);
- }
-bool operator>(const EAC_Time& t1, const EAC_Time& t2)
- {
- return (t1.cmp(t2) > 0);
- }
-bool operator<(const EAC_Time& t1, const EAC_Time& t2)
- {
- return (t1.cmp(t2) < 0);
- }
-
-/*
-* Decode a BER encoded EAC_Time
-*/
-void EAC_Time::decode_from(BER_Decoder& source)
- {
- BER_Object obj = source.get_next_object();
- if (obj.type_tag != this->tag)
- {
- std::string message("decoding type mismatch for EAC_Time, tag is ");
- std::stringstream ss;
- std::string str_is;
- ss << std::hex << obj.type_tag;
- ss >> str_is;
- message.append(str_is);
- message.append(", while it should be ");
- std::stringstream ss2;
- std::string str_should;
- ss2 << std::hex << this->tag;
- ss2 >> str_should;
- message.append(str_should);
- throw Decoding_Error(message);
-
- }
- if (obj.value.size() != 6)
- {
- throw Decoding_Error("EAC_Time decoding failed");
- }
- try
- {
- u32bit tmp_year = dec_two_digit(obj.value[0], obj.value[1]);
- u32bit tmp_mon = dec_two_digit(obj.value[2], obj.value[3]);
- u32bit tmp_day = dec_two_digit(obj.value[4], obj.value[5]);
- year = tmp_year + 2000;
- month = tmp_mon;
- day = tmp_day;
- }
- catch (Invalid_Argument)
- {
- throw Decoding_Error("EAC_Time decoding failed");
- }
-
- }
-
-u32bit EAC_Time::get_year() const
- {
- return year;
- }
-u32bit EAC_Time::get_month() const
- {
- return month;
- }
-u32bit EAC_Time::get_day() const
- {
- return day;
- }
-
-/*
-* make the value an octet string for encoding
-*/
-SecureVector<byte> EAC_Time::encoded_eac_time() const
- {
- SecureVector<byte> result;
- result.append(enc_two_digit(year));
- result.append(enc_two_digit(month));
- result.append(enc_two_digit(day));
- return result;
- }
-
-ASN1_Ced::ASN1_Ced(std::string const& str)
- : EAC_Time(str, ASN1_Tag(37))
- {}
-
-ASN1_Ced::ASN1_Ced(u64bit val)
- : EAC_Time(val, ASN1_Tag(37))
- {}
-
-ASN1_Ced::ASN1_Ced(EAC_Time const& other)
- : EAC_Time(other.get_year(), other.get_month(), other.get_day(), ASN1_Tag(37))
- {}
-
-ASN1_Cex::ASN1_Cex(std::string const& str)
- : EAC_Time(str, ASN1_Tag(36))
- {}
-
-ASN1_Cex::ASN1_Cex(u64bit val)
- : EAC_Time(val, ASN1_Tag(36))
- {}
-
-ASN1_Cex::ASN1_Cex(EAC_Time const& other)
- : EAC_Time(other.get_year(), other.get_month(), other.get_day(), ASN1_Tag(36))
- {}
-
-}
diff --git a/botan/src/cert/cvc/cvc_ado.cpp b/botan/src/cert/cvc/cvc_ado.cpp
deleted file mode 100644
index 6e1484e..0000000
--- a/botan/src/cert/cvc/cvc_ado.cpp
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
-* CVC Certificate Constructor
-* (C) 2007 FlexSecure GmbH
-* 2008 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/cvc_ado.h>
-#include <fstream>
-#include <assert.h>
-
-namespace Botan {
-
-EAC1_1_ADO::EAC1_1_ADO(std::tr1::shared_ptr<DataSource> in)
- {
- init(in);
- do_decode();
- }
-
-EAC1_1_ADO::EAC1_1_ADO(const std::string& in)
- {
- std::tr1::shared_ptr<DataSource> stream(new DataSource_Stream(in, true));
- init(stream);
- do_decode();
- }
-
-void EAC1_1_ADO::force_decode()
- {
- SecureVector<byte> inner_cert;
- BER_Decoder(tbs_bits)
- .start_cons(ASN1_Tag(33))
- .raw_bytes(inner_cert)
- .end_cons()
- .decode(m_car)
- .verify_end();
-
- SecureVector<byte> req_bits = DER_Encoder()
- .start_cons(ASN1_Tag(33), APPLICATION)
- .raw_bytes(inner_cert)
- .end_cons()
- .get_contents();
-
- std::tr1::shared_ptr<DataSource> req_source(new DataSource_Memory(req_bits));
- m_req = EAC1_1_Req(req_source);
- sig_algo = m_req.sig_algo;
- }
-
-MemoryVector<byte> EAC1_1_ADO::make_signed(
- std::auto_ptr<PK_Signer> signer,
- const MemoryRegion<byte>& tbs_bits,
- RandomNumberGenerator& rng)
- {
- SecureVector<byte> concat_sig =
- EAC1_1_obj<EAC1_1_ADO>::make_signature(signer.get(), tbs_bits, rng);
- assert(concat_sig.size() % 2 == 0);
- MemoryVector<byte> result = DER_Encoder()
- .start_cons(ASN1_Tag(7), APPLICATION)
- .raw_bytes(tbs_bits)
- .encode(concat_sig, OCTET_STRING, ASN1_Tag(55), APPLICATION)
- .end_cons()
- .get_contents();
- return result;
- }
-
-ASN1_Car EAC1_1_ADO::get_car() const
- {
- return m_car;
- }
-
-void EAC1_1_ADO::decode_info(SharedPtrConverter<DataSource> source,
- SecureVector<byte> & res_tbs_bits,
- ECDSA_Signature & res_sig)
- {
- SecureVector<byte> concat_sig;
- SecureVector<byte> cert_inner_bits;
- ASN1_Car car;
- BER_Decoder(*source.get_ptr().get())
- .start_cons(ASN1_Tag(7))
- .start_cons(ASN1_Tag(33))
- .raw_bytes(cert_inner_bits)
- .end_cons()
- .decode(car)
- .decode(concat_sig, OCTET_STRING, ASN1_Tag(55), APPLICATION)
- .end_cons();
-
- SecureVector<byte> enc_cert = DER_Encoder()
- .start_cons(ASN1_Tag(33), APPLICATION)
- .raw_bytes(cert_inner_bits)
- .end_cons()
- .get_contents();
- SecureVector<byte> enc_car = DER_Encoder()
- .encode(car)
- .get_contents();
- res_tbs_bits = enc_cert;
- res_tbs_bits.append(enc_car);
- res_sig = decode_concatenation(concat_sig);
-
-
- }
-void EAC1_1_ADO::encode(Pipe& out, X509_Encoding encoding) const
- {
- SecureVector<byte> concat_sig(EAC1_1_obj<EAC1_1_ADO>::m_sig.get_concatenation());
- SecureVector<byte> der = DER_Encoder()
- .start_cons(ASN1_Tag(7), APPLICATION)
- .raw_bytes(tbs_bits)
- .encode(concat_sig, OCTET_STRING, ASN1_Tag(55), APPLICATION)
- .end_cons()
- .get_contents();
- if(encoding == PEM)
- throw Invalid_Argument("EAC1_1_ADO::encode() cannot PEM encode an EAC object");
- else
- out.write(der);
- }
-
-SecureVector<byte> EAC1_1_ADO::tbs_data() const
- {
- return tbs_bits;
- }
-
-bool EAC1_1_ADO::operator==(EAC1_1_ADO const& rhs) const
- {
- assert(((this->m_req == rhs.m_req) && (this->tbs_data() == rhs.tbs_data())) ||
- ((this->m_req != rhs.m_req) && (this->tbs_data() != rhs.tbs_data())));
- return (this->get_concat_sig() == rhs.get_concat_sig()
- && this->tbs_data() == rhs.tbs_data()
- && this->get_car() == rhs.get_car());
- }
-
-EAC1_1_Req EAC1_1_ADO::get_request() const
- {
- return m_req;
- }
-
-}
diff --git a/botan/src/cert/cvc/cvc_ado.h b/botan/src/cert/cvc/cvc_ado.h
deleted file mode 100644
index 2c4f3ce..0000000
--- a/botan/src/cert/cvc/cvc_ado.h
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
-* EAC1_1 CVC ADO
-* (C) 2008 Falko Strenzke
-* strenzke@flexsecure.de
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_EAC_CVC_ADO_H__
-#define BOTAN_EAC_CVC_ADO_H__
-
-#include <botan/x509_key.h>
-#include <botan/pubkey_enums.h>
-#include <botan/pubkey.h>
-#include <botan/ecdsa.h>
-#include <botan/eac_obj.h>
-#include <botan/cvc_req.h>
-#include <string>
-
-namespace Botan {
-
-/**
-* This class represents a TR03110 (EAC) v1.1 CVC ADO request
-*/
-
- // CRTP continuation from EAC1_1_obj
-class BOTAN_DLL EAC1_1_ADO : public EAC1_1_obj<EAC1_1_ADO>
- {
- public:
- friend class EAC1_1_obj<EAC1_1_ADO>;
-
- /**
- * Construct a CVC ADO request from a DER encoded CVC ADO request file.
- * @param str the path to the DER encoded file
- */
- EAC1_1_ADO(const std::string& str);
-
- /**
- * Construct a CVC ADO request from a data source
- * @param source the data source
- */
- EAC1_1_ADO(std::tr1::shared_ptr<DataSource> source);
-
- /**
- * Create a signed CVC ADO request from to be signed (TBS) data
- * @param signer the signer used to sign the CVC ADO request
- * @param tbs_bits the TBS data to sign
- */
- static MemoryVector<byte> make_signed(
- std::auto_ptr<PK_Signer> signer,
- const MemoryRegion<byte>& tbs_bits,
- RandomNumberGenerator& rng);
-
- /**
- * Get the CAR of this CVC ADO request
- * @result the CAR of this CVC ADO request
- */
- ASN1_Car get_car() const;
-
- /**
- * Get the CVC request contained in this object.
- * @result the CVC request inside this CVC ADO request
- */
- EAC1_1_Req get_request() const;
-
- /**
- * Encode this object into a pipe. Only DER is supported.
- * @param out the pipe to encode this object into
- * @param encoding the encoding type to use, must be DER
- */
- void encode(Pipe& out, X509_Encoding encoding) const;
-
- bool operator==(EAC1_1_ADO const& rhs) const;
-
- /**
- * Get the TBS data of this CVC ADO request.
- * @result the TBS data
- */
- SecureVector<byte> tbs_data() const;
-
- virtual ~EAC1_1_ADO() {}
- private:
- ASN1_Car m_car;
- EAC1_1_Req m_req;
-
- void force_decode();
- static void decode_info(SharedPtrConverter<DataSource> source,
- SecureVector<byte> & res_tbs_bits,
- ECDSA_Signature & res_sig);
- };
-
-inline bool operator!=(EAC1_1_ADO const& lhs, EAC1_1_ADO const& rhs)
- {
- return (!(lhs == rhs));
- }
-
-}
-
-#endif
-
-
diff --git a/botan/src/cert/cvc/cvc_ca.cpp b/botan/src/cert/cvc/cvc_ca.cpp
deleted file mode 100644
index 638d3f9..0000000
--- a/botan/src/cert/cvc/cvc_ca.cpp
+++ /dev/null
@@ -1,46 +0,0 @@
-#include <botan/cvc_ca.h>
-#include <botan/cvc_cert.h>
-#include <botan/der_enc.h>
-#include <botan/util.h>
-#include <botan/oids.h>
-namespace Botan {
-
-EAC1_1_CVC EAC1_1_CVC_CA::make_cert(std::auto_ptr<PK_Signer> signer,
- MemoryRegion<byte> const& public_key,
- ASN1_Car const& car,
- ASN1_Chr const& chr,
- byte holder_auth_templ,
- ASN1_Ced ced,
- ASN1_Cex cex,
- RandomNumberGenerator& rng)
- {
- OID chat_oid(OIDS::lookup("CertificateHolderAuthorizationTemplate"));
- MemoryVector<byte> enc_chat_val;
- enc_chat_val.append(holder_auth_templ);
-
- MemoryVector<byte> enc_cpi;
- enc_cpi.append(0x00);
- MemoryVector<byte> tbs = DER_Encoder()
- .encode(enc_cpi, OCTET_STRING, ASN1_Tag(41), APPLICATION) // cpi
- .encode(car)
- .raw_bytes(public_key)
- .encode(chr)
- .start_cons(ASN1_Tag(76), APPLICATION)
- .encode(chat_oid)
- .encode(enc_chat_val, OCTET_STRING, ASN1_Tag(19), APPLICATION)
- .end_cons()
- .encode(ced)
- .encode(cex)
- .get_contents();
-
- MemoryVector<byte> signed_cert =
- EAC1_1_CVC::make_signed(signer,
- EAC1_1_CVC::build_cert_body(tbs),
- rng);
-
- std::tr1::shared_ptr<DataSource> source(new DataSource_Memory(signed_cert));
-
- return EAC1_1_CVC(source);
- }
-
-}
diff --git a/botan/src/cert/cvc/cvc_ca.h b/botan/src/cert/cvc/cvc_ca.h
deleted file mode 100644
index 3ec307b..0000000
--- a/botan/src/cert/cvc/cvc_ca.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
-* EAC1.1 CVC Certificate Authority
-* (C) 2007 FlexSecure GmbH
-* 2008 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_CVC_CA_H__
-#define BOTAN_CVC_CA_H__
-
-#include <botan/pkcs8.h>
-#include <botan/pkcs10.h>
-#include <botan/pubkey.h>
-#include <botan/cvc_cert.h>
-
-namespace Botan {
-
-/**
-* This class represents a CVC CA.
-*/
-class BOTAN_DLL EAC1_1_CVC_CA
- {
- public:
-
- /**
- * Create an arbitrary EAC 1.1 CVC.
- * The desired key encoding must be set within the key (if applicable).
- * @param signer the signer used to sign the certificate
- * @param public_key the DER encoded public key to appear in
- * the certificate
- * @param car the CAR of the certificate
- * @param chr the CHR of the certificate
- * @param holder_auth_templ the holder authorization value byte to
- * appear in the CHAT of the certificate
- * @param ced the CED to appear in the certificate
- * @param ced the CEX to appear in the certificate
- */
- static EAC1_1_CVC make_cert(std::auto_ptr<PK_Signer> signer,
- MemoryRegion<byte> const& public_key,
- ASN1_Car const& car,
- ASN1_Chr const& chr,
- byte holder_auth_templ,
- ASN1_Ced ced,
- ASN1_Cex cex,
- RandomNumberGenerator& rng);
- };
-
-}
-
-#endif
diff --git a/botan/src/cert/cvc/cvc_cert.cpp b/botan/src/cert/cvc/cvc_cert.cpp
deleted file mode 100644
index d2be12d..0000000
--- a/botan/src/cert/cvc/cvc_cert.cpp
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- (C) 2007 FlexSecure GmbH
- 2008 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/cvc_cert.h>
-#include <botan/cvc_key.h>
-#include <botan/ecdsa.h>
-
-namespace Botan {
-
-ASN1_Car EAC1_1_CVC::get_car() const
- {
- return m_car;
- }
-
-ASN1_Ced EAC1_1_CVC::get_ced() const
- {
- return m_ced;
- }
-ASN1_Cex EAC1_1_CVC::get_cex() const
- {
- return m_cex;
- }
-u32bit EAC1_1_CVC::get_chat_value() const
- {
- return m_chat_val;
- }
-
-/*
-* Decode the TBSCertificate data
-*/
-void EAC1_1_CVC::force_decode()
- {
- SecureVector<byte> enc_pk;
- SecureVector<byte> enc_chat_val;
- u32bit cpi;
- BER_Decoder tbs_cert(tbs_bits);
- tbs_cert.decode(cpi, ASN1_Tag(41), APPLICATION)
- .decode(m_car)
- .start_cons(ASN1_Tag(73))
- .raw_bytes(enc_pk)
- .end_cons()
- .decode(m_chr)
- .start_cons(ASN1_Tag(76))
- .decode(m_chat_oid)
- .decode(enc_chat_val, OCTET_STRING, ASN1_Tag(19), APPLICATION)
- .end_cons()
- .decode(m_ced)
- .decode(m_cex)
- .verify_end();
-
- if(enc_chat_val.size() != 1)
- throw Decoding_Error("CertificateHolderAuthorizationValue was not of length 1");
-
- if(cpi != 0)
- throw Decoding_Error("EAC1_1 certificate´s cpi was not 0");
-
- // FIXME: PK algos have no notion of EAC encoder/decoder currently
-#if 0
- ECDSA_PublicKey tmp_pk;
- std::auto_ptr<EAC1_1_CVC_Decoder> dec = tmp_pk.cvc_eac1_1_decoder();
- sig_algo = dec->public_key(enc_pk);
-
-
- m_pk = tmp_pk;
- m_chat_val = enc_chat_val[0];
- self_signed = false;
- if(m_car.iso_8859() == m_chr.iso_8859())
- {
- self_signed= true;
- }
-#endif
- }
-
-/*
-* CVC Certificate Constructor
-*/
-EAC1_1_CVC::EAC1_1_CVC(std::tr1::shared_ptr<DataSource>& in)
- {
- init(in);
- self_signed = false;
- do_decode();
- }
-
-EAC1_1_CVC::EAC1_1_CVC(const std::string& in)
- {
- std::tr1::shared_ptr<DataSource> stream(new DataSource_Stream(in, true));
- init(stream);
- self_signed = false;
- do_decode();
- }
-
-bool EAC1_1_CVC::operator==(EAC1_1_CVC const& rhs) const
- {
- return (tbs_data() == rhs.tbs_data()
- && get_concat_sig() == rhs.get_concat_sig());
- }
-
-}
diff --git a/botan/src/cert/cvc/cvc_cert.h b/botan/src/cert/cvc/cvc_cert.h
deleted file mode 100644
index 17671d3..0000000
--- a/botan/src/cert/cvc/cvc_cert.h
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
-* EAC1_1 CVC
-* (C) 2008 Falko Strenzke
-* 2008 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_CVC_EAC_H__
-#define BOTAN_CVC_EAC_H__
-
-#include <botan/x509_key.h>
-#include <botan/pubkey_enums.h>
-#include <botan/signed_obj.h>
-#include <botan/pubkey.h>
-#include <botan/ecdsa.h>
-#include <botan/ecdsa_sig.h>
-#include <botan/eac_obj.h>
-#include <botan/cvc_gen_cert.h>
-#include <string>
-
-namespace Botan {
-
-/**
-* This class represents TR03110 (EAC) v1.1 CV Certificates
-*/
-class BOTAN_DLL EAC1_1_CVC : public EAC1_1_gen_CVC<EAC1_1_CVC>//Signed_Object
- {
- public:
- friend class EAC1_1_obj<EAC1_1_CVC>;
-
- /**
- * Get the CAR of the certificate.
- * @result the CAR of the certificate
- */
- ASN1_Car get_car() const;
-
- /**
- * Get the CED of this certificate.
- * @result the CED this certificate
- */
- ASN1_Ced get_ced() const;
-
- /**
- * Get the CEX of this certificate.
- * @result the CEX this certificate
- */
- ASN1_Cex get_cex() const;
-
- /**
- * Get the CHAT value.
- * @result the CHAT value
- */
- u32bit get_chat_value() const;
-
- bool operator==(const EAC1_1_CVC&) const;
-
- /**
- * Construct a CVC from a data source
- * @param source the data source
- */
- EAC1_1_CVC(std::tr1::shared_ptr<DataSource>& source);
-
- /**
- * Construct a CVC from a file
- * @param str the path to the certificate file
- */
- EAC1_1_CVC(const std::string& str);
-
- virtual ~EAC1_1_CVC() {}
- private:
- void force_decode();
- friend class EAC1_1_CVC_CA;
- EAC1_1_CVC() {}
-
- ASN1_Car m_car;
- ASN1_Ced m_ced;
- ASN1_Cex m_cex;
- byte m_chat_val;
- OID m_chat_oid;
- };
-
-/*
-* Comparison
-*/
-inline bool operator!=(EAC1_1_CVC const& lhs, EAC1_1_CVC const& rhs)
- {
- return !(lhs == rhs);
- }
-
-}
-
-#endif
-
diff --git a/botan/src/cert/cvc/cvc_gen_cert.h b/botan/src/cert/cvc/cvc_gen_cert.h
deleted file mode 100644
index 4a78802..0000000
--- a/botan/src/cert/cvc/cvc_gen_cert.h
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
-* EAC1_1 general CVC
-* (C) 2008 Falko Strenzke
-* 2008 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_EAC_CVC_GEN_CERT_H__
-#define BOTAN_EAC_CVC_GEN_CERT_H__
-
-#include <botan/x509_key.h>
-#include <botan/eac_asn_obj.h>
-#include <botan/pubkey_enums.h>
-#include <botan/pubkey.h>
-#include <botan/ecdsa_sig.h>
-#include <string>
-#include <assert.h>
-
-namespace Botan {
-
-/**
-* This class represents TR03110 (EAC) v1.1 generalized CV Certificates
-*/
-template<typename Derived>
-class BOTAN_DLL EAC1_1_gen_CVC : public EAC1_1_obj<Derived> // CRTP continuation from EAC1_1_obj
- {
- friend class EAC1_1_obj<EAC1_1_gen_CVC>;
-
- public:
-
- /**
- * Get this certificates public key.
- * @result this certificates public key
- */
- std::auto_ptr<Public_Key> subject_public_key() const;
-
- /**
- * Find out whether this object is self signed.
- * @result true if this object is self signed
- */
- bool is_self_signed() const;
-
- /**
- * Get the CHR of the certificate.
- * @result the CHR of the certificate
- */
- ASN1_Chr get_chr() const;
-
- /**
- * Put the DER encoded version of this object into a pipe. PEM
- * is not supported.
- * @param out the pipe to push the DER encoded version into
- * @param encoding the encoding to use. Must be DER.
- */
- void encode(Pipe& out, X509_Encoding encoding) const;
-
- /**
- * Get the to-be-signed (TBS) data of this object.
- * @result the TBS data of this object
- */
- SecureVector<byte> tbs_data() const;
-
- /**
- * Build the DER encoded certifcate body of an object
- * @param tbs the data to be signed
- * @result the correctly encoded body of the object
- */
- static SecureVector<byte> build_cert_body(MemoryRegion<byte> const& tbs);
-
- /**
- * Create a signed generalized CVC object.
- * @param signer the signer used to sign this object
- * @param tbs_bits the body the generalized CVC object to be signed
- * @result the DER encoded signed generalized CVC object
- */
- static MemoryVector<byte> make_signed(
- std::auto_ptr<PK_Signer> signer,
- const MemoryRegion<byte>& tbs_bits,
- RandomNumberGenerator& rng);
- virtual ~EAC1_1_gen_CVC<Derived>()
- {}
-
- protected:
- ECDSA_PublicKey m_pk; // public key
- ASN1_Chr m_chr;
- bool self_signed;
-
- static void decode_info(SharedPtrConverter<DataSource> source,
- SecureVector<byte> & res_tbs_bits,
- ECDSA_Signature & res_sig);
-
- };
-
-template<typename Derived> ASN1_Chr EAC1_1_gen_CVC<Derived>::get_chr() const
- {
- return m_chr;
- }
-
-template<typename Derived> bool EAC1_1_gen_CVC<Derived>::is_self_signed() const
- {
- return self_signed;
- }
-
-template<typename Derived> MemoryVector<byte> EAC1_1_gen_CVC<Derived>::make_signed(
- std::auto_ptr<PK_Signer> signer,
- const MemoryRegion<byte>& tbs_bits,
- RandomNumberGenerator& rng) // static
- {
- SecureVector<byte> concat_sig = EAC1_1_obj<Derived>::make_signature(signer.get(), tbs_bits, rng);
- assert(concat_sig.size() % 2 == 0);
- return DER_Encoder()
- .start_cons(ASN1_Tag(33), APPLICATION)
- .raw_bytes(tbs_bits)
- .encode(concat_sig, OCTET_STRING, ASN1_Tag(55), APPLICATION)
- .end_cons()
- .get_contents();
- }
-
-template<typename Derived> std::auto_ptr<Public_Key> EAC1_1_gen_CVC<Derived>::subject_public_key() const
- {
- return std::auto_ptr<Public_Key>(new ECDSA_PublicKey(m_pk));
- }
-
-template<typename Derived> SecureVector<byte> EAC1_1_gen_CVC<Derived>::build_cert_body(MemoryRegion<byte> const& tbs)
- {
- return DER_Encoder()
- .start_cons(ASN1_Tag(78), APPLICATION)
- .raw_bytes(tbs)
- .end_cons().get_contents();
- }
-
-template<typename Derived> SecureVector<byte> EAC1_1_gen_CVC<Derived>::tbs_data() const
- {
- return build_cert_body(EAC1_1_obj<Derived>::tbs_bits);
- }
-
-template<typename Derived> void EAC1_1_gen_CVC<Derived>::encode(Pipe& out, X509_Encoding encoding) const
- {
- SecureVector<byte> concat_sig(EAC1_1_obj<Derived>::m_sig.get_concatenation());
- SecureVector<byte> der = DER_Encoder()
- .start_cons(ASN1_Tag(33), APPLICATION)
- .start_cons(ASN1_Tag(78), APPLICATION)
- .raw_bytes(EAC1_1_obj<Derived>::tbs_bits)
- .end_cons()
- .encode(concat_sig, OCTET_STRING, ASN1_Tag(55), APPLICATION)
- .end_cons()
- .get_contents();
-
- if (encoding == PEM)
- throw Invalid_Argument("EAC1_1_gen_CVC::encode() cannot PEM encode an EAC object");
- else
- out.write(der);
- }
-
-template<typename Derived>
-void EAC1_1_gen_CVC<Derived>::decode_info(
- SharedPtrConverter<DataSource> source,
- SecureVector<byte> & res_tbs_bits,
- ECDSA_Signature & res_sig)
- {
- SecureVector<byte> concat_sig;
- BER_Decoder(*source.get_shared().get())
- .start_cons(ASN1_Tag(33))
- .start_cons(ASN1_Tag(78))
- .raw_bytes(res_tbs_bits)
- .end_cons()
- .decode(concat_sig, OCTET_STRING, ASN1_Tag(55), APPLICATION)
- .end_cons();
- res_sig = decode_concatenation(concat_sig);
- }
-
-}
-
-#endif
-
-
diff --git a/botan/src/cert/cvc/cvc_key.h b/botan/src/cert/cvc/cvc_key.h
deleted file mode 100644
index 67b6cef..0000000
--- a/botan/src/cert/cvc/cvc_key.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
-* EAC CVC Public Key
-* (C) 2008 FlexSecure Gmbh
-* Falko Strenzke
-* strenzke@flexsecure.de
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_EAC1_1_CVC_PUBLIC_KEY_H__
-#define BOTAN_EAC1_1_CVC_PUBLIC_KEY_H__
-
-#include <botan/pipe.h>
-#include <botan/pk_keys.h>
-#include <botan/alg_id.h>
-
-namespace Botan {
-
-/**
-* This class represents EAC 1.1 CVC public key encoders.
-*/
-class BOTAN_DLL EAC1_1_CVC_Encoder
- {
- public:
- /**
- * Get the DER encoded CVC public key.
- * @param alg_id the algorithm identifier to use in the encoding
- * @return the DER encoded public key
- */
- virtual MemoryVector<byte>
- public_key(const AlgorithmIdentifier& enc) const = 0;
-
- virtual ~EAC1_1_CVC_Encoder() {}
- };
-
-/**
-* This class represents EAC 1.1 CVC public key decoders.
-*/
-class BOTAN_DLL EAC1_1_CVC_Decoder
- {
- public:
- /**
- * Decode a CVC public key.
- * @param enc the DER encoded public key to decode
- * @return the algorithm identifier found in the encoded public key
- */
- virtual AlgorithmIdentifier const
- public_key(const MemoryRegion<byte>& enc) = 0;
-
- virtual ~EAC1_1_CVC_Decoder() {}
- };
-}
-
-#endif
diff --git a/botan/src/cert/cvc/cvc_req.cpp b/botan/src/cert/cvc/cvc_req.cpp
deleted file mode 100644
index 70a44ba..0000000
--- a/botan/src/cert/cvc/cvc_req.cpp
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- (C) 2007 FlexSecure GmbH
- 2008 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/cvc_cert.h>
-#include <botan/der_enc.h>
-#include <botan/ber_dec.h>
-#include <botan/pem.h>
-#include <botan/parsing.h>
-#include <assert.h>
-#include <botan/cvc_key.h>
-#include <botan/oids.h>
-#include <botan/look_pk.h>
-#include <botan/cvc_req.h>
-#include <botan/freestore.h>
-
-namespace Botan {
-
-bool EAC1_1_Req::operator==(EAC1_1_Req const& rhs) const
- {
- return (this->tbs_data() == rhs.tbs_data()
- && this->get_concat_sig() == rhs.get_concat_sig());
- }
-
-void EAC1_1_Req::force_decode()
- {
- SecureVector<byte> enc_pk;
- BER_Decoder tbs_cert(tbs_bits);
- u32bit cpi;
- tbs_cert.decode(cpi, ASN1_Tag(41), APPLICATION)
- .start_cons(ASN1_Tag(73))
- .raw_bytes(enc_pk)
- .end_cons()
- .decode(m_chr)
- .verify_end();
- if(cpi != 0)
- {
- throw Decoding_Error("EAC1_1 request´s cpi was not 0");
- }
-
- // FIXME: No EAC support in ECDSA
-#if 0
- ECDSA_PublicKey tmp_pk;
- std::auto_ptr<EAC1_1_CVC_Decoder> dec = tmp_pk.cvc_eac1_1_decoder();
- sig_algo = dec->public_key(enc_pk);
- m_pk = tmp_pk;
-#endif
- }
-
-EAC1_1_Req::EAC1_1_Req(std::tr1::shared_ptr<DataSource> in)
- {
- init(in);
- self_signed = true;
- do_decode();
- }
-
-EAC1_1_Req::EAC1_1_Req(const std::string& in)
- {
- std::tr1::shared_ptr<DataSource> stream(new DataSource_Stream(in, true));
- init(stream);
- self_signed = true;
- do_decode();
- }
-
-}
diff --git a/botan/src/cert/cvc/cvc_req.h b/botan/src/cert/cvc/cvc_req.h
deleted file mode 100644
index 96b6a44..0000000
--- a/botan/src/cert/cvc/cvc_req.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
-* EAC1_1 CVC Request
-* (C) 2008 Falko Strenzke
-* strenzke@flexsecure.de
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_EAC_CVC_REQ_H__
-#define BOTAN_EAC_CVC_REQ_H__
-
-#include <botan/x509_key.h>
-#include <botan/pubkey_enums.h>
-#include <botan/cvc_gen_cert.h>
-
-namespace Botan {
-
-/**
-* This class represents TR03110 v1.1 EAC CV Certificate Requests.
-*/
-class BOTAN_DLL EAC1_1_Req : public EAC1_1_gen_CVC<EAC1_1_Req>
- {
- public:
- friend class EAC1_1_Req_CA;
- friend class EAC1_1_ADO;
- friend class EAC1_1_obj<EAC1_1_Req>;
-
- /**
- * Compare for equality with other
- * @param other compare for equality with this object
- */
- bool operator==(const EAC1_1_Req& other) const;
-
- /**
- * Construct a CVC request from a data source.
- * @param source the data source
- */
- EAC1_1_Req(std::tr1::shared_ptr<DataSource> source);
-
- /**
- * Construct a CVC request from a DER encoded CVC reqeust file.
- * @param str the path to the DER encoded file
- */
- EAC1_1_Req(const std::string& str);
-
- virtual ~EAC1_1_Req(){}
- private:
- void force_decode();
- EAC1_1_Req() {}
- };
-
-/*
-* Comparison Operator
-*/
-inline bool operator!=(EAC1_1_Req const& lhs, EAC1_1_Req const& rhs)
- {
- return !(lhs == rhs);
- }
-
-}
-
-#endif
diff --git a/botan/src/cert/cvc/cvc_self.cpp b/botan/src/cert/cvc/cvc_self.cpp
deleted file mode 100644
index 91ea387..0000000
--- a/botan/src/cert/cvc/cvc_self.cpp
+++ /dev/null
@@ -1,327 +0,0 @@
-/*
- (C) 2007 FlexSecure GmbH
- 2008 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/cvc_self.h>
-#include <botan/cvc_cert.h>
-#include <botan/cvc_ca.h>
-#include <botan/alg_id.h>
-#include <botan/cvc_key.h>
-#include <botan/oids.h>
-#include <botan/look_pk.h>
-#include <botan/cvc_req.h>
-#include <botan/cvc_ado.h>
-#include <botan/util.h>
-#include <sstream>
-
-namespace Botan {
-
-namespace {
-
-/*******************************
-* cvc CHAT values
-*******************************/
-enum CHAT_values{
- CVCA = 0xC0,
- DVCA_domestic = 0x80,
- DVCA_foreign = 0x40,
- IS = 0x00,
-
- IRIS = 0x02,
- FINGERPRINT = 0x01
-};
-
-std::string padding_and_hash_from_oid(OID const& oid)
- {
- std::string padding_and_hash = OIDS::lookup(oid); // use the hash
- assert(padding_and_hash.substr(0,6) == "ECDSA/"); // can only be ECDSA for now
- assert(padding_and_hash.find("/",0) == 5);
- padding_and_hash.erase(0, padding_and_hash.find("/",0) + 1);
- return padding_and_hash;
- }
-std::string fixed_len_seqnr(u32bit seqnr, u32bit len)
- {
- std::stringstream ss;
- std::string result;
- ss << seqnr;
- ss >> result;
- if (result.size() > len)
- {
- throw Invalid_Argument("fixed_len_seqnr(): number too high to be encoded in provided length");
- }
- while (result.size() < len)
- {
- result.insert(0,"0");
- }
- return result;
- }
-
-}
-namespace CVC_EAC
-{
-
-EAC1_1_CVC create_self_signed_cert(Private_Key const& key,
- EAC1_1_CVC_Options const& opt,
- RandomNumberGenerator& rng)
- {
- // NOTE: we ignore
- // the value
- // of opt.chr
- ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key);
-
- if (priv_key == 0)
- {
- throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type");
- }
-
- ASN1_Chr chr(opt.car.value());
-
- AlgorithmIdentifier sig_algo;
- std::string padding_and_hash(eac_cvc_emsa + "(" + opt.hash_alg + ")");
- sig_algo.oid = OIDS::lookup(priv_key->algo_name() + "/" + padding_and_hash);
- sig_algo = AlgorithmIdentifier(sig_algo.oid, AlgorithmIdentifier::USE_NULL_PARAM);
-
- std::auto_ptr<Botan::PK_Signer> signer(get_pk_signer(*priv_key, padding_and_hash));
-
-#if 0 // FIXME
- std::auto_ptr<EAC1_1_CVC_Encoder> enc(priv_key->cvc_eac1_1_encoder());
- MemoryVector<byte> enc_public_key = enc->public_key(sig_algo);
-#else
- MemoryVector<byte> enc_public_key;
-#endif
-
- return EAC1_1_CVC_CA::make_cert(signer, enc_public_key, opt.car, chr, opt.holder_auth_templ, opt.ced, opt.cex, rng);
-
- }
-
-EAC1_1_Req create_cvc_req(Private_Key const& key,
- ASN1_Chr const& chr,
- std::string const& hash_alg,
- RandomNumberGenerator& rng)
- {
-
- ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key);
- if (priv_key == 0)
- {
- throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type");
- }
- AlgorithmIdentifier sig_algo;
- std::string padding_and_hash(eac_cvc_emsa + "(" + hash_alg + ")");
- sig_algo.oid = OIDS::lookup(priv_key->algo_name() + "/" + padding_and_hash);
- sig_algo = AlgorithmIdentifier(sig_algo.oid, AlgorithmIdentifier::USE_NULL_PARAM);
-
- std::auto_ptr<Botan::PK_Signer> signer(get_pk_signer(*priv_key, padding_and_hash));
-
-#if 0 // FIXME
- std::auto_ptr<EAC1_1_CVC_Encoder> enc(priv_key->cvc_eac1_1_encoder());
- MemoryVector<byte> enc_public_key = enc->public_key(sig_algo);
-#else
- MemoryVector<byte> enc_public_key;
-#endif
-
- MemoryVector<byte> enc_cpi;
- enc_cpi.append(0x00);
- MemoryVector<byte> tbs = DER_Encoder()
- .encode(enc_cpi, OCTET_STRING, ASN1_Tag(41), APPLICATION)
- .raw_bytes(enc_public_key)
- .encode(chr)
- .get_contents();
-
- MemoryVector<byte> signed_cert = EAC1_1_gen_CVC<EAC1_1_Req>::make_signed(signer, EAC1_1_gen_CVC<EAC1_1_Req>::build_cert_body(tbs), rng);
- std::tr1::shared_ptr<DataSource> source(new DataSource_Memory(signed_cert));
- return EAC1_1_Req(source);
- }
-
-EAC1_1_ADO create_ado_req(Private_Key const& key,
- EAC1_1_Req const& req,
- ASN1_Car const& car,
- RandomNumberGenerator& rng)
- {
-
- ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key);
- if (priv_key == 0)
- {
- throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type");
- }
- std::string padding_and_hash = padding_and_hash_from_oid(req.signature_algorithm().oid);
- std::auto_ptr<Botan::PK_Signer> signer(get_pk_signer(*priv_key, padding_and_hash));
- SecureVector<byte> tbs_bits = req.BER_encode();
- tbs_bits.append(DER_Encoder().encode(car).get_contents());
- MemoryVector<byte> signed_cert = EAC1_1_ADO::make_signed(signer, tbs_bits, rng);
- std::tr1::shared_ptr<DataSource> source(new DataSource_Memory(signed_cert));
- return EAC1_1_ADO(source);
- }
-
-} // namespace CVC_EAC
-namespace DE_EAC
-{
-
-EAC1_1_CVC create_cvca(Private_Key const& key,
- std::string const& hash,
- ASN1_Car const& car, bool iris, bool fingerpr,
- u32bit cvca_validity_months,
- RandomNumberGenerator& rng)
- {
- ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key);
- if (priv_key == 0)
- {
- throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type");
- }
- EAC1_1_CVC_Options opts;
- opts.car = car;
- const u64bit current_time = system_time();
-
- opts.ced = ASN1_Ced(current_time);
- opts.cex = ASN1_Cex(opts.ced);
- opts.cex.add_months(cvca_validity_months);
- opts.holder_auth_templ = (CVCA | (iris * IRIS) | (fingerpr * FINGERPRINT));
- opts.hash_alg = hash;
- return Botan::CVC_EAC::create_self_signed_cert(*priv_key, opts, rng);
- }
-
-
-
-EAC1_1_CVC link_cvca(EAC1_1_CVC const& signer,
- Private_Key const& key,
- EAC1_1_CVC const& signee,
- RandomNumberGenerator& rng)
- {
- ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key);
- if (priv_key == 0)
- {
- throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type");
- }
- ASN1_Ced ced(system_time());
- ASN1_Cex cex(signee.get_cex());
- if (*static_cast<EAC_Time*>(&ced) > *static_cast<EAC_Time*>(&cex))
- {
- std::string detail("link_cvca(): validity periods of provided certificates don't overlap: currend time = ced = ");
- detail += ced.as_string();
- detail += ", signee.cex = ";
- detail += cex.as_string();
- throw Invalid_Argument(detail);
- }
- if (signer.signature_algorithm() != signee.signature_algorithm())
- {
- throw Invalid_Argument("link_cvca(): signature algorithms of signer and signee don´t match");
- }
- AlgorithmIdentifier sig_algo = signer.signature_algorithm();
- std::string padding_and_hash = padding_and_hash_from_oid(sig_algo.oid);
- std::auto_ptr<Botan::PK_Signer> pk_signer(get_pk_signer(*priv_key, padding_and_hash));
- std::auto_ptr<Public_Key> pk = signee.subject_public_key();
- ECDSA_PublicKey* subj_pk = dynamic_cast<ECDSA_PublicKey*>(pk.get());
- subj_pk->set_parameter_encoding(ENC_EXPLICIT);
-
-#if 0 // FIXME
- std::auto_ptr<EAC1_1_CVC_Encoder> enc(subj_pk->cvc_eac1_1_encoder());
- MemoryVector<byte> enc_public_key = enc->public_key(sig_algo);
-#else
- MemoryVector<byte> enc_public_key;
-#endif
-
- return EAC1_1_CVC_CA::make_cert(pk_signer, enc_public_key,
- signer.get_car(),
- signee.get_chr(),
- signer.get_chat_value(),
- ced,
- cex,
- rng);
- }
-
-EAC1_1_CVC sign_request(EAC1_1_CVC const& signer_cert,
- Private_Key const& key,
- EAC1_1_Req const& signee,
- u32bit seqnr,
- u32bit seqnr_len,
- bool domestic,
- u32bit dvca_validity_months,
- u32bit ca_is_validity_months,
- RandomNumberGenerator& rng)
- {
- ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key);
- if (priv_key == 0)
- {
- throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type");
- }
- std::string chr_str = signee.get_chr().value();
- chr_str.append(fixed_len_seqnr(seqnr, seqnr_len));
- ASN1_Chr chr(chr_str);
- std::string padding_and_hash = padding_and_hash_from_oid(signee.signature_algorithm().oid);
- std::auto_ptr<Botan::PK_Signer> pk_signer(get_pk_signer(*priv_key, padding_and_hash));
- std::auto_ptr<Public_Key> pk = signee.subject_public_key();
- ECDSA_PublicKey* subj_pk = dynamic_cast<ECDSA_PublicKey*>(pk.get());
- std::auto_ptr<Public_Key> signer_pk = signer_cert.subject_public_key();
-
- // for the case that the domain parameters are not set...
- // (we use those from the signer because they must fit)
- subj_pk->set_domain_parameters(priv_key->domain_parameters());
-
- subj_pk->set_parameter_encoding(ENC_IMPLICITCA);
-
-#if 0 // FIXME
- std::auto_ptr<EAC1_1_CVC_Encoder> enc(subj_pk->cvc_eac1_1_encoder());
- MemoryVector<byte> enc_public_key = enc->public_key(sig_algo);
-#else
- MemoryVector<byte> enc_public_key;
-#endif
-
- AlgorithmIdentifier sig_algo(signer_cert.signature_algorithm());
- const u64bit current_time = system_time();
- ASN1_Ced ced(current_time);
- u32bit chat_val;
- u32bit chat_low = signer_cert.get_chat_value() & 0x3; // take the chat rights from signer
- ASN1_Cex cex(ced);
- if ((signer_cert.get_chat_value() & CVCA) == CVCA)
- {
- // we sign a dvca
- cex.add_months(dvca_validity_months);
- if (domestic)
- {
- chat_val = DVCA_domestic | chat_low;
- }
- else
- {
- chat_val = DVCA_foreign | chat_low;
- }
- }
- else if ((signer_cert.get_chat_value() & DVCA_domestic) == DVCA_domestic ||
- (signer_cert.get_chat_value() & DVCA_foreign) == DVCA_foreign)
- {
- cex.add_months(ca_is_validity_months);
- chat_val = IS | chat_low;
- }
- else
- {
- throw Invalid_Argument("sign_request(): encountered illegal value for CHAT");
- // (IS cannot sign certificates)
- }
- return EAC1_1_CVC_CA::make_cert(pk_signer, enc_public_key,
- ASN1_Car(signer_cert.get_chr().iso_8859()),
- chr,
- chat_val,
- ced,
- cex,
- rng);
- }
-
-EAC1_1_Req create_cvc_req(Private_Key const& prkey,
- ASN1_Chr const& chr,
- std::string const& hash_alg,
- RandomNumberGenerator& rng)
- {
- ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&prkey);
- if (priv_key == 0)
- {
- throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type");
- }
- ECDSA_PrivateKey key(*priv_key);
- key.set_parameter_encoding(ENC_IMPLICITCA);
- return Botan::CVC_EAC::create_cvc_req(key, chr, hash_alg, rng);
- }
-
-} // namespace DE_EAC
-
-}
diff --git a/botan/src/cert/cvc/cvc_self.h b/botan/src/cert/cvc/cvc_self.h
deleted file mode 100644
index db23547..0000000
--- a/botan/src/cert/cvc/cvc_self.h
+++ /dev/null
@@ -1,167 +0,0 @@
-/*
-* CVC Self-Signed Certificate
-* (C) 2007 FlexSecure GmbH
-* 2008 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_CVC_EAC_SELF_H__
-#define BOTAN_CVC_EAC_SELF_H__
-
-#include <botan/pkcs8.h>
-#include <botan/pkcs10.h>
-#include <botan/cvc_cert.h>
-#include <botan/ecdsa.h>
-#include <botan/asn1_obj.h>
-#include <botan/cvc_req.h>
-#include <botan/cvc_ado.h>
-
-namespace Botan {
-
-/**
-* This class represents a set of options used for the creation of CVC certificates
-*/
-class BOTAN_DLL EAC1_1_CVC_Options
- {
- public:
-
- ASN1_Car car;
- ASN1_Chr chr;
- byte holder_auth_templ;
- ASN1_Ced ced;
- ASN1_Cex cex;
- std::string hash_alg;
- };
-
-/**
-* This namespace represents general EAC 1.1 convenience functions.
-*/
-namespace CVC_EAC {
-
-/**
-* Create a selfsigned CVCA
-* @param rng the rng to use
-* @param key the ECDSA private key to be used to sign the certificate
-* @param opts used to set several parameters. Necessary are:
-* car, holder_auth_templ, hash_alg, ced, cex and hash_alg
-* @result the self signed certificate
-*/
-
-EAC1_1_CVC create_self_signed_cert(Private_Key const& key,
- EAC1_1_CVC_Options const& opts,
- RandomNumberGenerator& rng);
-/**
-* Create a CVC request. The key encoding will be according to the provided private key.
-* @param priv_key the private key associated with the requesting entity
-* @param chr the chr to appear in the certificate (to be provided without
-* sequence number)
-* @param hash_alg the string defining the hash algorithm to be used for the creation
-* of the signature
-* @param rng the rng to use
-* @result the new request
-*/
-EAC1_1_Req create_cvc_req(Private_Key const& priv_key,
- ASN1_Chr const& chr,
- std::string const& hash_alg,
- RandomNumberGenerator& rng);
-
-/**
-* Create an ADO from a request object.
-* @param priv_key the private key used to sign the ADO
-* @param req the request forming the body of the ADO
-* @param car the CAR forming the body of the ADO, i.e. the
-* CHR of the entity associated with the provided private key
-* @param rng the rng to use
-*/
-EAC1_1_ADO create_ado_req(Private_Key const& priv_key,
- EAC1_1_Req const& req,
- ASN1_Car const& car,
- RandomNumberGenerator& rng);
-}
-/**
-* This namespace represents EAC 1.1 CVC convenience functions following the specific german
-* requirements.
-*/
-namespace DE_EAC {
-
-/**
-* Create a CVCA certificate.
-* @param priv_key the private key associated with the CVCA certificate
-* to be created
-* @param hash the string identifying the hash algorithm to be used
-* for signing the certificate to be created
-* @param car the CAR of the certificate to be created
-* @param iris indicates whether the entity associated with the certificate
-* shall be entitled to read the biometrical iris image
-* @param fingerpr indicates whether the entity associated with the certificate
-* shall be entitled to read the biometrical fingerprint image
-* @param rng the rng to use
-* @result the CVCA certificate created
-*/
-EAC1_1_CVC create_cvca(Private_Key const& priv_key,
- std::string const& hash,
- ASN1_Car const& car,
- bool iris,
- bool fingerpr,
- u32bit cvca_validity_months,
- RandomNumberGenerator& rng);
-
-/**
-* Create a link certificate between two CVCA certificates. The key
-* encoding will be implicitCA.
-* @param signer the cvca certificate associated with the signing
-* entity
-* @param priv_key the private key associated with the signer
-* @param to_be_signed the certificate which whose CAR/CHR will be
-* the holder of the link certificate
-* @param rng a random number generator
-*/
-EAC1_1_CVC link_cvca(EAC1_1_CVC const& signer,
- Private_Key const& priv_key,
- EAC1_1_CVC const& to_be_signed,
- RandomNumberGenerator& rng);
-
-/**
-* Create a CVC request. The key encoding will be implicitCA.
-* @param priv_key the private key associated with the requesting entity
-* @param chr the chr to appear in the certificate (to be provided without
-* sequence number)
-* @param hash_alg the string defining the hash algorithm to be used for the creation
-* of the signature
-* @param rng a random number generator
-* @result the new request
-*/
-EAC1_1_Req create_cvc_req(Private_Key const& priv_key,
- ASN1_Chr const& chr,
- std::string const& hash_alg,
- RandomNumberGenerator& rng);
-
-/**
-* Sign a CVC request.
-* @param signer_cert the certificate of the signing entity
-* @param priv_key the private key of the signing entity
-* @param req the request to be signed
-* @param seqnr the sequence number of the certificate to be created
-* @param seqnr_len the number of digits the sequence number will be
-* encoded in
-* @param domestic indicates whether to sign a domestic or a foreign certificate:
-* set to true for domestic
-* @param rng a random number generator
-* @result the new certificate
-*
-**/
-EAC1_1_CVC sign_request(EAC1_1_CVC const& signer_cert,
- Private_Key const& priv_key,
- EAC1_1_Req const& req,
- u32bit seqnr,
- u32bit seqnr_len,
- bool domestic,
- u32bit dvca_validity_months,
- u32bit ca_is_validity_months,
- RandomNumberGenerator& rng);
-}
-
-}
-
-#endif
diff --git a/botan/src/cert/cvc/eac_asn_obj.h b/botan/src/cert/cvc/eac_asn_obj.h
deleted file mode 100644
index 3e70f6b..0000000
--- a/botan/src/cert/cvc/eac_asn_obj.h
+++ /dev/null
@@ -1,244 +0,0 @@
-/*
-* EAC ASN.1 Objects
-* (C) 2007-2008 FlexSecure GmbH
-* 2008 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_EAC_ASN1_OBJ_H__
-#define BOTAN_EAC_ASN1_OBJ_H__
-
-#include <botan/asn1_obj.h>
-#include <vector>
-#include <map>
-
-namespace Botan {
-
-/**
-* This class represents CVC EAC Time objects.
-* It only models year, month and day. Only limited sanity checks of
-* the inputted date value are performed.
-*/
-class BOTAN_DLL EAC_Time : public ASN1_Object
- {
- public:
- void encode_into(class DER_Encoder&) const;
- void decode_from(class BER_Decoder&);
-
- /**
- * Get a this objects value as a string.
- * @return the date string
- */
- std::string as_string() const;
-
- /**
- * Get a this objects value as a readable formatted string.
- * @return the date string
- */
- std::string readable_string() const;
-
- /**
- * Find out whether this object's values have been set.
- * @return true if this object's internal values are set
- */
- bool time_is_set() const;
-
- /**
- * Compare this to another EAC_Time object.
- * @return -1 if this object's date is earlier than
- * other, +1 in the opposite case, and 0 if both dates are
- * equal.
- */
- s32bit cmp(const EAC_Time& other) const;
-
- /**
- * Set this' value by a string value.
- * @param str a string in the format "yyyy mm dd",
- * e.g. "2007 08 01"
- */
- void set_to(const std::string& str);
- //void set_to(const std::string&, ASN1_Tag);
-
- /**
- * Add the specified number of years to this.
- * @param years the number of years to add
- */
- void add_years(u32bit years);
-
- /**
- * Add the specified number of months to this.
- * @param months the number of months to add
- */
- void add_months(u32bit months);
-
- /**
- * Get the year value of this objects.
- * @return the year value
- */
- u32bit get_year() const;
-
- /**
- * Get the month value of this objects.
- * @return the month value
- */
- u32bit get_month() const;
-
- /**
- * Get the day value of this objects.
- * @return the day value
- */
- u32bit get_day() const;
-
- EAC_Time(u64bit, ASN1_Tag t = ASN1_Tag(0));
- //EAC_Time(const std::string& = "");
- EAC_Time(const std::string&, ASN1_Tag = ASN1_Tag(0));
- EAC_Time(u32bit year, u32bit month, u32bit day, ASN1_Tag = ASN1_Tag(0));
-
- virtual ~EAC_Time() {}
- private:
- SecureVector<byte> encoded_eac_time() const;
- bool passes_sanity_check() const;
- u32bit year, month, day;
- ASN1_Tag tag;
- };
-
-/**
-* This class represents CVC CEDs. Only limited sanity checks of
-* the inputted date value are performed.
-*/
-class BOTAN_DLL ASN1_Ced : public EAC_Time
- {
- public:
- /**
- * Construct a CED from a string value.
- * @param str a string in the format "yyyy mm dd",
- * e.g. "2007 08 01"
- */
- ASN1_Ced(std::string const& str = "");
-
- /**
- * Construct a CED from a timer value.
- * @param time the number of seconds elapsed midnight, 1st
- * January 1970 GMT (or 7pm, 31st December 1969 EST) up to the
- * desired date
- */
- ASN1_Ced(u64bit time);
-
- /**
- * Copy constructor (for general EAC_Time objects).
- * @param other the object to copy from
- */
- ASN1_Ced(EAC_Time const& other);
- //ASN1_Ced(ASN1_Cex const& cex);
- };
-
-
-/**
-* This class represents CVC CEXs. Only limited sanity checks of
-* the inputted date value are performed.
-*/
-class BOTAN_DLL ASN1_Cex : public EAC_Time
- {
- public:
- /**
- * Construct a CED from a string value.
- * @param str a string in the format "yyyy mm dd",
- * e.g. "2007 08 01"
- */
- ASN1_Cex(std::string const& str="");
-
- /**
- * Construct a CED from a timer value.
- * @param time the number of seconds elapsed
- * midnight, 1st
- * January 1970 GMT (or 7pm, 31st December 1969 EST)
- * up to the desired date
- */
- ASN1_Cex(u64bit time);
-
- /**
- * Copy constructor (for general EAC_Time objects).
- * @param other the object to copy from
- */
- ASN1_Cex(EAC_Time const& other);
- //ASN1_Cex(ASN1_Ced const& ced);
- };
-
-/**
-* Base class for car/chr of cv certificates.
-*/
-class BOTAN_DLL ASN1_EAC_String: public ASN1_Object
- {
- public:
- void encode_into(class DER_Encoder&) const;
- void decode_from(class BER_Decoder&);
-
- /**
- * Get this objects string value.
- * @return the string value
- */
- std::string value() const;
-
- /**
- * Get this objects string value.
- * @return the string value in iso8859 encoding
- */
- std::string iso_8859() const;
-
- ASN1_Tag tagging() const;
- ASN1_EAC_String(const std::string& str, ASN1_Tag the_tag);
-
- virtual ~ASN1_EAC_String() {}
- protected:
- bool sanity_check() const;
- private:
- std::string iso_8859_str;
- ASN1_Tag tag;
- };
-
-/**
-* This class represents CARs of CVCs. (String tagged with 2)
-*/
-class BOTAN_DLL ASN1_Car : public ASN1_EAC_String
- {
- public:
- /**
- * Create a CAR with the specified content.
- * @param str the CAR value
- */
- ASN1_Car(std::string const& str = "");
- };
-
-/**
-* This class represents CHRs of CVCs (tag 32)
-*/
-class BOTAN_DLL ASN1_Chr : public ASN1_EAC_String
- {
- public:
- /**
- * Create a CHR with the specified content.
- * @param str the CHR value
- */
- ASN1_Chr(std::string const& str = "");
- };
-
-/*
-* Comparison Operations
-*/
-bool operator==(const EAC_Time&, const EAC_Time&);
-bool operator!=(const EAC_Time&, const EAC_Time&);
-bool operator<=(const EAC_Time&, const EAC_Time&);
-bool operator>=(const EAC_Time&, const EAC_Time&);
-bool operator>(const EAC_Time&, const EAC_Time&);
-bool operator<(const EAC_Time&, const EAC_Time&);
-
-bool operator==(const ASN1_EAC_String&, const ASN1_EAC_String&);
-inline bool operator!=(const ASN1_EAC_String& lhs, const ASN1_EAC_String& rhs)
- {
- return !(lhs == rhs);
- }
-
-}
-
-#endif
diff --git a/botan/src/cert/cvc/eac_obj.h b/botan/src/cert/cvc/eac_obj.h
deleted file mode 100644
index 04afd7e..0000000
--- a/botan/src/cert/cvc/eac_obj.h
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
-* EAC1_1 objects
-* (C) 2008 Falko Strenzke
-* strenzke@flexsecure.de
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_EAC_OBJ_H__
-#define BOTAN_EAC_OBJ_H__
-
-#include <botan/pubkey.h>
-#include <botan/x509_key.h>
-#include <botan/signed_obj.h>
-#include <botan/pubkey_enums.h>
-#include <botan/pubkey.h>
-#include <botan/parsing.h>
-#include <botan/pem.h>
-#include <botan/oids.h>
-#include <botan/look_pk.h>
-#include <botan/ecdsa_sig.h>
-#include <string>
-
-namespace Botan {
-
-const std::string eac_cvc_emsa("EMSA1_BSI");
-
-/*
-* TR03110 v1.1 EAC CV Certificate
-*/
-template<typename Derived> // CRTP is used enable the call sequence:
-class BOTAN_DLL EAC1_1_obj : public EAC_Signed_Object
- {
- // data members first:
- protected:
-
- ECDSA_Signature m_sig;
-
- // member functions here:
- public:
- /**
- * Return the signature as a concatenation of the encoded parts.
- * @result the concatenated signature
- */
- SecureVector<byte> get_concat_sig() const;
-
- /**
- * Verify the signature of this objects.
- * @param pub_key the public key to verify the signature with
- * @result true if the verification succeeded
- */
- virtual bool check_signature(Public_Key& pub_key) const;
-
- protected:
- void init(SharedPtrConverter<DataSource> in);
-
- static SecureVector<byte> make_signature(PK_Signer* signer,
- const MemoryRegion<byte>& tbs_bits,
- RandomNumberGenerator& rng);
-
- virtual ~EAC1_1_obj<Derived>(){}
-
- };
-
-template<typename Derived> SecureVector<byte> EAC1_1_obj<Derived>::get_concat_sig() const
- {
- return m_sig.get_concatenation();
- }
-
-template<typename Derived> SecureVector<byte>
-EAC1_1_obj<Derived>::make_signature(PK_Signer* signer,
- const MemoryRegion<byte>& tbs_bits,
- RandomNumberGenerator& rng)
- {
- // this is the signature as a der sequence
- SecureVector<byte> seq_sig = signer->sign_message(tbs_bits, rng);
-
- ECDSA_Signature sig(decode_seq(seq_sig));
- SecureVector<byte> concat_sig(sig.get_concatenation());
- return concat_sig;
- }
-
-template<typename Derived> void EAC1_1_obj<Derived>::init(SharedPtrConverter<DataSource> in)
- {
- try
- {
- Derived::decode_info(in.get_shared(), tbs_bits, m_sig);
- }
- catch(Decoding_Error)
- {
- throw Decoding_Error(PEM_label_pref + " decoding failed");
- }
- }
-
-template<typename Derived>
-bool EAC1_1_obj<Derived>::check_signature(Public_Key& pub_key) const
- {
- try
- {
- std::vector<std::string> sig_info =
- split_on(OIDS::lookup(sig_algo.oid), '/');
-
- if(sig_info.size() != 2 || sig_info[0] != pub_key.algo_name())
- {
- return false;
- }
-
- std::string padding = sig_info[1];
- Signature_Format format =
- (pub_key.message_parts() >= 2) ? DER_SEQUENCE : IEEE_1363;
-
- if(!dynamic_cast<PK_Verifying_wo_MR_Key*>(&pub_key))
- return false;
-
- std::auto_ptr<ECDSA_Signature_Encoder> enc(new ECDSA_Signature_Encoder(&m_sig));
- SecureVector<byte> seq_sig = enc->signature_bits();
- SecureVector<byte> to_sign = tbs_data();
-
- PK_Verifying_wo_MR_Key& sig_key = dynamic_cast<PK_Verifying_wo_MR_Key&>(pub_key);
- std::auto_ptr<PK_Verifier> verifier(get_pk_verifier(sig_key, padding, format));
- return verifier->verify_message(to_sign, seq_sig);
- }
- catch(...)
- {
- return false;
- }
- }
-
-}
-
-#endif
diff --git a/botan/src/cert/cvc/ecdsa_sig.cpp b/botan/src/cert/cvc/ecdsa_sig.cpp
deleted file mode 100644
index c33a455..0000000
--- a/botan/src/cert/cvc/ecdsa_sig.cpp
+++ /dev/null
@@ -1,64 +0,0 @@
-
-#include <botan/ecdsa_sig.h>
-#include <memory>
-
-namespace Botan {
-
-ECDSA_Signature::ECDSA_Signature(const BigInt& r, const BigInt& s)
- : m_r(r),
- m_s(s)
- {}
-
-ECDSA_Signature::ECDSA_Signature(const ECDSA_Signature& other)
- : m_r(other.m_r), m_s(other.m_s)
- {}
-
-ECDSA_Signature const& ECDSA_Signature::operator=(const ECDSA_Signature& other)
- {
- m_r = other.m_r;
- m_s = other.m_s;
- return *this;
- }
-
-bool operator==(const ECDSA_Signature& lhs, const ECDSA_Signature& rhs)
- {
- return (lhs.get_r() == rhs.get_r() && lhs.get_s() == rhs.get_s());
- }
-
-SecureVector<byte> const ECDSA_Signature::get_concatenation() const
- {
- u32bit enc_len = m_r > m_s ? m_r.bytes() : m_s.bytes(); // use the larger
-
- SecureVector<byte> sv_r = BigInt::encode_1363(m_r, enc_len);
- SecureVector<byte> sv_s = BigInt::encode_1363(m_s, enc_len);
-
- SecureVector<byte> result(sv_r);
- result.append(sv_s);
- return result;
- }
-
-ECDSA_Signature const decode_seq(MemoryRegion<byte> const& seq)
- {
- ECDSA_Signature sig;
-
- std::auto_ptr<ECDSA_Signature_Decoder> dec(new ECDSA_Signature_Decoder(&sig));
- dec->signature_bits(seq);
- return sig;
- }
-
-ECDSA_Signature const decode_concatenation(MemoryRegion<byte> const& concat)
- {
- if(concat.size() % 2 != 0)
- throw Invalid_Argument("Erroneous length of signature");
-
- u32bit rs_len = concat.size()/2;
- SecureVector<byte> sv_r;
- SecureVector<byte> sv_s;
- sv_r.set(concat.begin(), rs_len);
- sv_s.set(&concat[rs_len], rs_len);
- BigInt r = BigInt::decode(sv_r, sv_r.size());
- BigInt s = BigInt::decode(sv_s, sv_s.size());
- return ECDSA_Signature(r, s);
- }
-
-}
diff --git a/botan/src/cert/cvc/ecdsa_sig.h b/botan/src/cert/cvc/ecdsa_sig.h
deleted file mode 100644
index 15015c7..0000000
--- a/botan/src/cert/cvc/ecdsa_sig.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
-* ECDSA
-* (C) 2007 Falko Strenzke, FlexSecure GmbH
-* (C) 2008 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_ECDSA_SIGNATURE_H__
-#define BOTAN_ECDSA_SIGNATURE_H__
-
-#include <botan/bigint.h>
-#include <botan/der_enc.h>
-#include <botan/ber_dec.h>
-
-namespace Botan {
-
-class BOTAN_DLL ECDSA_Signature
- {
- public:
- friend class ECDSA_Signature_Decoder;
-
- ECDSA_Signature() {}
- ECDSA_Signature(const BigInt& r, const BigInt& s);
- ECDSA_Signature(ECDSA_Signature const& other);
- ECDSA_Signature const& operator=(ECDSA_Signature const& other);
-
- const BigInt& get_r() const { return m_r; }
- const BigInt& get_s() const { return m_s; }
-
- /**
- * return the r||s
- */
- SecureVector<byte> const get_concatenation() const;
- private:
- BigInt m_r;
- BigInt m_s;
- };
-
-/* Equality of ECDSA_Signature */
-bool operator==(const ECDSA_Signature& lhs, const ECDSA_Signature& rhs);
-inline bool operator!=(const ECDSA_Signature& lhs, const ECDSA_Signature& rhs)
- {
- return !(lhs == rhs);
- }
-
-class BOTAN_DLL ECDSA_Signature_Decoder
- {
- public:
- void signature_bits(const MemoryRegion<byte>& bits)
- {
- BER_Decoder(bits)
- .start_cons(SEQUENCE)
- .decode(m_signature->m_r)
- .decode(m_signature->m_s)
- .verify_end()
- .end_cons();
- }
- ECDSA_Signature_Decoder(ECDSA_Signature* signature) : m_signature(signature)
- {}
- private:
- ECDSA_Signature* m_signature;
- };
-
-class BOTAN_DLL ECDSA_Signature_Encoder
- {
- public:
- MemoryVector<byte> signature_bits() const
- {
- return DER_Encoder()
- .start_cons(SEQUENCE)
- .encode(m_signature->get_r())
- .encode(m_signature->get_s())
- .end_cons()
- .get_contents();
- }
- ECDSA_Signature_Encoder(const ECDSA_Signature* signature) : m_signature(signature)
- {}
- private:
- const ECDSA_Signature* m_signature;
- };
-
-ECDSA_Signature const decode_seq(MemoryRegion<byte> const& seq);
-ECDSA_Signature const decode_concatenation(MemoryRegion<byte> const& concatenation);
-
-}
-
-#endif
diff --git a/botan/src/cert/cvc/freestore.h b/botan/src/cert/cvc/freestore.h
deleted file mode 100644
index f95afa8..0000000
--- a/botan/src/cert/cvc/freestore.h
+++ /dev/null
@@ -1,85 +0,0 @@
-/**
-* (C) 2007 Christoph Ludwig
-* ludwig@fh-worms.de
-**/
-
-#ifndef BOTAN_FREESTORE_H__
-#define BOTAN_FREESTORE_H__
-
-#include <botan/build.h>
-
-#if defined(BOTAN_USE_STD_TR1)
- #include <tr1/memory>
-#elif defined(BOTAN_USE_BOOST_TR1)
- #include <boost/tr1/memory.hpp>
-#else
- #error "Please choose a TR1 implementation in build.h"
-#endif
-
-namespace Botan {
-
-/**
-* This class is intended as an function call parameter type and
-* enables convenient automatic conversions between plain and smart
-* pointer types. It internally stores a SharedPointer which can be
-* accessed.
-*
-* Distributed under the terms of the Botan license
-*/
-template<typename T>
-class BOTAN_DLL SharedPtrConverter
- {
- public:
- typedef std::tr1::shared_ptr<T> SharedPtr;
-
- /**
- * Construct a null pointer equivalent object.
- */
- SharedPtrConverter() : ptr() {}
-
- /**
- * Copy constructor.
- */
- SharedPtrConverter(SharedPtrConverter const& other) :
- ptr(other.ptr) {}
-
- /**
- * Construct a converter object from another pointer type.
- * @param p the pointer which shall be set as the internally stored
- * pointer value of this converter.
- */
- template<typename Ptr>
- SharedPtrConverter(Ptr p)
- : ptr(p) {}
-
- /**
- * Get the internally stored shared pointer.
- * @return the internally stored shared pointer
- */
- SharedPtr const& get_ptr() const { return this->ptr; }
-
- /**
- * Get the internally stored shared pointer.
- * @return the internally stored shared pointer
- */
- SharedPtr get_ptr() { return this->ptr; }
-
- /**
- * Get the internally stored shared pointer.
- * @return the internally stored shared pointer
- */
- SharedPtr const& get_shared() const { return this->ptr; }
-
- /**
- * Get the internally stored shared pointer.
- * @return the internally stored shared pointer
- */
- SharedPtr get_shared() { return this->ptr; }
-
- private:
- SharedPtr ptr;
- };
-
-}
-
-#endif
diff --git a/botan/src/cert/cvc/info.txt b/botan/src/cert/cvc/info.txt
deleted file mode 100644
index e3e11f5..0000000
--- a/botan/src/cert/cvc/info.txt
+++ /dev/null
@@ -1,44 +0,0 @@
-realname "Card Verifiable Certificates"
-
-define CARD_VERIFIABLE_CERTIFICATES
-
-uses_tr1 yes
-
-load_on auto
-
-<add>
-asn1_eac_str.cpp
-asn1_eac_tm.cpp
-ecdsa_sig.cpp
-ecdsa_sig.h
-cvc_ado.cpp
-cvc_ado.h
-cvc_ca.cpp
-cvc_ca.h
-cvc_cert.cpp
-cvc_cert.h
-cvc_gen_cert.h
-cvc_key.h
-cvc_req.cpp
-cvc_req.h
-cvc_self.cpp
-cvc_self.h
-eac_asn_obj.h
-eac_obj.h
-signed_obj.cpp
-signed_obj.h
-freestore.h
-</add>
-
-<requires>
-asn1
-bigint
-ecdsa
-filters
-libstate
-oid_lookup
-pem
-pk_codecs
-pubkey
-x509
-</requires>
diff --git a/botan/src/cert/cvc/signed_obj.cpp b/botan/src/cert/cvc/signed_obj.cpp
deleted file mode 100644
index 4a08ed0..0000000
--- a/botan/src/cert/cvc/signed_obj.cpp
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
-* X.509 SIGNED Object
-* (C) 1999-2007 Jack Lloyd
-* 2007 FlexSecure GmbH
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/signed_obj.h>
-
-namespace Botan {
-
-/*
-* Return a BER encoded X.509 object
-*/
-SecureVector<byte> EAC_Signed_Object::BER_encode() const
- {
- Pipe ber;
- ber.start_msg();
- encode(ber, RAW_BER);
- ber.end_msg();
- return ber.read_all();
- }
-
-/*
-* Return a PEM encoded X.509 object
-*/
-std::string EAC_Signed_Object::PEM_encode() const
- {
- Pipe pem;
- pem.start_msg();
- encode(pem, PEM);
- pem.end_msg();
- return pem.read_all_as_string();
- }
-
-/*
-* Return the algorithm used to sign this object
-*/
-AlgorithmIdentifier EAC_Signed_Object::signature_algorithm() const
- {
- return sig_algo;
- }
-
-/*
-* Try to decode the actual information
-*/
-void EAC_Signed_Object::do_decode()
- {
- try {
- force_decode();
- }
- catch(Decoding_Error& e)
- {
- const std::string what = e.what();
- throw Decoding_Error(PEM_label_pref + " decoding failed (" +
- what.substr(23, std::string::npos) + ")");
- }
- catch(Invalid_Argument& e)
- {
- const std::string what = e.what();
- throw Decoding_Error(PEM_label_pref + " decoding failed (" +
- what.substr(7, std::string::npos) + ")");
- }
- }
-
-}
diff --git a/botan/src/cert/cvc/signed_obj.h b/botan/src/cert/cvc/signed_obj.h
deleted file mode 100644
index 3c233d2..0000000
--- a/botan/src/cert/cvc/signed_obj.h
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
-* EAC SIGNED Object
-* (C) 2007 FlexSecure GmbH
-* 2008 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_EAC_SIGNED_OBJECT_H__
-#define BOTAN_EAC_SIGNED_OBJECT_H__
-
-#include <botan/asn1_obj.h>
-#include <botan/pubkey_enums.h>
-#include <botan/freestore.h>
-#include <botan/pipe.h>
-#include <vector>
-
-namespace Botan {
-
-/**
-* This class represents abstract signed EAC object
-*/
-class BOTAN_DLL EAC_Signed_Object
- {
- public:
- /**
- * Get the TBS (to-be-signed) data in this object.
- * @return the DER encoded TBS data of this object
- */
- virtual SecureVector<byte> tbs_data() const = 0;
-
- /**
- * Get the signature of this object as a concatenation, i.e. if the
- * signature consists of multiple parts (like in the case of ECDSA)
- * these will be concatenated.
- * @return the signature as a concatenation of its parts
- */
-
- /*
- NOTE: this is here only because abstract signature objects have
- not yet been introduced
- */
- virtual SecureVector<byte> get_concat_sig() const = 0;
-
- /**
- * Get the signature algorithm identifier used to sign this object.
- * @result the signature algorithm identifier
- */
- AlgorithmIdentifier signature_algorithm() const;
-
- /**
- * Check the signature of this object.
- * @param key the public key associated with this signed object
- * @return true if the signature was created by the private key
- * associated with this public key
- */
- virtual bool check_signature(class Public_Key&) const = 0;
-
- /**
- * Write this object DER encoded into a specified pipe.
- * @param pipe the pipe to write the encoded object to
- * @param enc the encoding type to use
- */
- virtual void encode(Pipe&, X509_Encoding = PEM) const = 0;
-
- /**
- * BER encode this object.
- * @return the result containing the BER representation of this object.
- */
- SecureVector<byte> BER_encode() const;
-
- /**
- * PEM encode this object.
- * @return the result containing the PEM representation of this object.
- */
- std::string PEM_encode() const;
-
- virtual ~EAC_Signed_Object() {}
- protected:
- void do_decode();
- EAC_Signed_Object() {}
-
- AlgorithmIdentifier sig_algo;
- SecureVector<byte> tbs_bits;
- std::string PEM_label_pref;
- std::vector<std::string> PEM_labels_allowed;
- private:
- virtual void force_decode() = 0;
- };
-
-}
-
-#endif
diff --git a/botan/src/cert/x509/certstor.cpp b/botan/src/cert/x509/certstor.cpp
deleted file mode 100644
index 96f2699..0000000
--- a/botan/src/cert/x509/certstor.cpp
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
-* Certificate Store
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/certstor.h>
-
-namespace Botan {
-
-/*
-* Search by name
-*/
-std::vector<X509_Certificate>
-Certificate_Store::by_name(const std::string&) const
- {
- return std::vector<X509_Certificate>();
- }
-
-/*
-* Search by email
-*/
-std::vector<X509_Certificate>
-Certificate_Store::by_email(const std::string&) const
- {
- return std::vector<X509_Certificate>();
- }
-
-/*
-* Search by X.500 distinguished name
-*/
-std::vector<X509_Certificate>
-Certificate_Store::by_dn(const X509_DN&) const
- {
- return std::vector<X509_Certificate>();
- }
-
-/*
-* Find any CRLs that might be useful
-*/
-std::vector<X509_CRL>
-Certificate_Store::get_crls_for(const X509_Certificate&) const
- {
- return std::vector<X509_CRL>();
- }
-
-}
diff --git a/botan/src/cert/x509/certstor.h b/botan/src/cert/x509/certstor.h
deleted file mode 100644
index d5004e3..0000000
--- a/botan/src/cert/x509/certstor.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
-* Certificate Store
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_CERT_STORE_H__
-#define BOTAN_CERT_STORE_H__
-
-#include <botan/x509cert.h>
-#include <botan/x509_crl.h>
-
-namespace Botan {
-
-/*
-* Certificate Store Interface
-*/
-class BOTAN_DLL Certificate_Store
- {
- public:
- virtual std::vector<X509_Certificate>
- by_SKID(const MemoryRegion<byte>&) const = 0;
-
- virtual std::vector<X509_Certificate> by_name(const std::string&) const;
- virtual std::vector<X509_Certificate> by_email(const std::string&) const;
- virtual std::vector<X509_Certificate> by_dn(const X509_DN&) const;
-
- virtual std::vector<X509_CRL>
- get_crls_for(const X509_Certificate&) const;
-
- virtual Certificate_Store* clone() const = 0;
-
- virtual ~Certificate_Store() {}
- };
-
-}
-
-#endif
diff --git a/botan/src/cert/x509/crl_ent.cpp b/botan/src/cert/x509/crl_ent.cpp
deleted file mode 100644
index afea8cf..0000000
--- a/botan/src/cert/x509/crl_ent.cpp
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
-* CRL Entry
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/crl_ent.h>
-#include <botan/x509_ext.h>
-#include <botan/der_enc.h>
-#include <botan/ber_dec.h>
-#include <botan/bigint.h>
-#include <botan/oids.h>
-#include <botan/util.h>
-
-namespace Botan {
-
-/*
-* Create a CRL_Entry
-*/
-CRL_Entry::CRL_Entry(bool t_on_unknown_crit) :
- throw_on_unknown_critical(t_on_unknown_crit)
- {
- reason = UNSPECIFIED;
- }
-
-/*
-* Create a CRL_Entry
-*/
-CRL_Entry::CRL_Entry(const X509_Certificate& cert, CRL_Code why) :
- throw_on_unknown_critical(false)
- {
- serial = cert.serial_number();
- time = X509_Time(system_time());
- reason = why;
- }
-
-/*
-* Compare two CRL_Entrys for equality
-*/
-bool operator==(const CRL_Entry& a1, const CRL_Entry& a2)
- {
- if(a1.serial_number() != a2.serial_number())
- return false;
- if(a1.expire_time() != a2.expire_time())
- return false;
- if(a1.reason_code() != a2.reason_code())
- return false;
- return true;
- }
-
-/*
-* Compare two CRL_Entrys for inequality
-*/
-bool operator!=(const CRL_Entry& a1, const CRL_Entry& a2)
- {
- return !(a1 == a2);
- }
-
-/*
-* Compare two CRL_Entrys
-*/
-bool operator<(const CRL_Entry& a1, const CRL_Entry& a2)
- {
- return (a1.expire_time().cmp(a2.expire_time()) < 0);
- }
-
-/*
-* DER encode a CRL_Entry
-*/
-void CRL_Entry::encode_into(DER_Encoder& der) const
- {
- Extensions extensions;
-
- extensions.add(new Cert_Extension::CRL_ReasonCode(reason));
-
- der.start_cons(SEQUENCE)
- .encode(BigInt::decode(serial, serial.size()))
- .encode(time)
- .encode(extensions)
- .end_cons();
- }
-
-/*
-* Decode a BER encoded CRL_Entry
-*/
-void CRL_Entry::decode_from(BER_Decoder& source)
- {
- BigInt serial_number_bn;
-
- source.start_cons(SEQUENCE)
- .decode(serial_number_bn)
- .decode(time);
-
- if(source.more_items())
- {
- Extensions extensions(throw_on_unknown_critical);
- source.decode(extensions);
- Data_Store info;
- extensions.contents_to(info, info);
- reason = CRL_Code(info.get1_u32bit("X509v3.CRLReasonCode"));
- }
-
- serial = BigInt::encode(serial_number_bn);
- }
-
-}
diff --git a/botan/src/cert/x509/crl_ent.h b/botan/src/cert/x509/crl_ent.h
deleted file mode 100644
index 050356c..0000000
--- a/botan/src/cert/x509/crl_ent.h
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
-* CRL Entry
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_CRL_ENTRY_H__
-#define BOTAN_CRL_ENTRY_H__
-
-#include <botan/x509cert.h>
-
-namespace Botan {
-
-/**
-* This class represents CRL entries
-*/
-class BOTAN_DLL CRL_Entry : public ASN1_Object
- {
- public:
- void encode_into(class DER_Encoder&) const;
- void decode_from(class BER_Decoder&);
-
- /**
- * Get the serial number of the certificate associated with this entry.
- * @return the certificate's serial number
- */
- MemoryVector<byte> serial_number() const { return serial; }
-
- /**
- * Get the revocation date of the certificate associated with this entry
- * @return the certificate's revocation date
- */
- X509_Time expire_time() const { return time; }
-
- /**
- * Get the entries reason code
- * @return the reason code
- */
- CRL_Code reason_code() const { return reason; }
-
- /**
- * Construct an empty CRL entry.
- */
- CRL_Entry(bool throw_on_unknown_critical_extension = false);
-
- /**
- * Construct an CRL entry.
- * @param cert the certificate to revoke
- * @param reason the reason code to set in the entry
- */
- CRL_Entry(const X509_Certificate&, CRL_Code = UNSPECIFIED);
-
- private:
- bool throw_on_unknown_critical;
- MemoryVector<byte> serial;
- X509_Time time;
- CRL_Code reason;
- };
-
-/**
-* Test two CRL entries for equality in all fields.
-*/
-BOTAN_DLL bool operator==(const CRL_Entry&, const CRL_Entry&);
-
-/**
-* Test two CRL entries for inequality in at least one field.
-*/
-BOTAN_DLL bool operator!=(const CRL_Entry&, const CRL_Entry&);
-
-/**
-* Order two entries based on the revocation date.
-*/
-BOTAN_DLL bool operator<(const CRL_Entry&, const CRL_Entry&);
-
-}
-
-#endif
diff --git a/botan/src/cert/x509/info.txt b/botan/src/cert/x509/info.txt
deleted file mode 100644
index 552e2aa..0000000
--- a/botan/src/cert/x509/info.txt
+++ /dev/null
@@ -1,45 +0,0 @@
-realname "X.509"
-
-define X509
-
-load_on auto
-
-<add>
-certstor.h
-certstor.cpp
-crl_ent.cpp
-crl_ent.h
-pkcs10.h
-pkcs10.cpp
-x509_ca.cpp
-x509_ca.h
-x509_crl.cpp
-x509_crl.h
-x509_ext.cpp
-x509_ext.h
-x509_obj.cpp
-x509_obj.h
-x509cert.cpp
-x509cert.h
-x509find.cpp
-x509find.h
-x509opt.cpp
-x509self.cpp
-x509self.h
-x509stor.cpp
-x509stor.h
-</add>
-
-<requires>
-asn1
-bigint
-datastor
-filters
-libstate
-oid_lookup
-pem
-pk_codecs
-pubkey
-rng
-sha1
-</requires>
diff --git a/botan/src/cert/x509/pkcs10.cpp b/botan/src/cert/x509/pkcs10.cpp
deleted file mode 100644
index 5617cec..0000000
--- a/botan/src/cert/x509/pkcs10.cpp
+++ /dev/null
@@ -1,200 +0,0 @@
-/*
-* PKCS #10
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/pkcs10.h>
-#include <botan/der_enc.h>
-#include <botan/ber_dec.h>
-#include <botan/parsing.h>
-#include <botan/x509stor.h>
-#include <botan/x509_ext.h>
-#include <botan/oids.h>
-#include <botan/pem.h>
-
-namespace Botan {
-
-/*
-* PKCS10_Request Constructor
-*/
-PKCS10_Request::PKCS10_Request(DataSource& in) :
- X509_Object(in, "CERTIFICATE REQUEST/NEW CERTIFICATE REQUEST")
- {
- do_decode();
- }
-
-/*
-* PKCS10_Request Constructor
-*/
-PKCS10_Request::PKCS10_Request(const std::string& in) :
- X509_Object(in, "CERTIFICATE REQUEST/NEW CERTIFICATE REQUEST")
- {
- do_decode();
- }
-
-/*
-* Deocde the CertificateRequestInfo
-*/
-void PKCS10_Request::force_decode()
- {
- BER_Decoder cert_req_info(tbs_bits);
-
- u32bit version;
- cert_req_info.decode(version);
- if(version != 0)
- throw Decoding_Error("Unknown version code in PKCS #10 request: " +
- to_string(version));
-
- X509_DN dn_subject;
- cert_req_info.decode(dn_subject);
-
- info.add(dn_subject.contents());
-
- BER_Object public_key = cert_req_info.get_next_object();
- if(public_key.type_tag != SEQUENCE || public_key.class_tag != CONSTRUCTED)
- throw BER_Bad_Tag("PKCS10_Request: Unexpected tag for public key",
- public_key.type_tag, public_key.class_tag);
-
- info.add("X509.Certificate.public_key",
- PEM_Code::encode(
- ASN1::put_in_sequence(public_key.value),
- "PUBLIC KEY"
- )
- );
-
- BER_Object attr_bits = cert_req_info.get_next_object();
-
- if(attr_bits.type_tag == 0 &&
- attr_bits.class_tag == ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC))
- {
- BER_Decoder attributes(attr_bits.value);
- while(attributes.more_items())
- {
- Attribute attr;
- attributes.decode(attr);
- handle_attribute(attr);
- }
- attributes.verify_end();
- }
- else if(attr_bits.type_tag != NO_OBJECT)
- throw BER_Bad_Tag("PKCS10_Request: Unexpected tag for attributes",
- attr_bits.type_tag, attr_bits.class_tag);
-
- cert_req_info.verify_end();
-
- X509_Code sig_check = X509_Store::check_sig(*this, subject_public_key());
- if(sig_check != VERIFIED)
- throw Decoding_Error("PKCS #10 request: Bad signature detected");
- }
-
-/*
-* Handle attributes in a PKCS #10 request
-*/
-void PKCS10_Request::handle_attribute(const Attribute& attr)
- {
- BER_Decoder value(attr.parameters);
-
- if(attr.oid == OIDS::lookup("PKCS9.EmailAddress"))
- {
- ASN1_String email;
- value.decode(email);
- info.add("RFC822", email.value());
- }
- else if(attr.oid == OIDS::lookup("PKCS9.ChallengePassword"))
- {
- ASN1_String challenge_password;
- value.decode(challenge_password);
- info.add("PKCS9.ChallengePassword", challenge_password.value());
- }
- else if(attr.oid == OIDS::lookup("PKCS9.ExtensionRequest"))
- {
- Extensions extensions;
- value.decode(extensions).verify_end();
-
- Data_Store issuer_info;
- extensions.contents_to(info, issuer_info);
- }
- }
-
-/*
-* Return the challenge password (if any)
-*/
-std::string PKCS10_Request::challenge_password() const
- {
- return info.get1("PKCS9.ChallengePassword");
- }
-
-/*
-* Return the name of the requestor
-*/
-X509_DN PKCS10_Request::subject_dn() const
- {
- return create_dn(info);
- }
-
-/*
-* Return the public key of the requestor
-*/
-MemoryVector<byte> PKCS10_Request::raw_public_key() const
- {
- DataSource_Memory source(info.get1("X509.Certificate.public_key"));
- return PEM_Code::decode_check_label(source, "PUBLIC KEY");
- }
-
-/*
-* Return the public key of the requestor
-*/
-Public_Key* PKCS10_Request::subject_public_key() const
- {
- DataSource_Memory source(info.get1("X509.Certificate.public_key"));
- return X509::load_key(source);
- }
-
-/*
-* Return the alternative names of the requestor
-*/
-AlternativeName PKCS10_Request::subject_alt_name() const
- {
- return create_alt_name(info);
- }
-
-/*
-* Return the key constraints (if any)
-*/
-Key_Constraints PKCS10_Request::constraints() const
- {
- return Key_Constraints(info.get1_u32bit("X509v3.KeyUsage", NO_CONSTRAINTS));
- }
-
-/*
-* Return the extendend key constraints (if any)
-*/
-std::vector<OID> PKCS10_Request::ex_constraints() const
- {
- std::vector<std::string> oids = info.get("X509v3.ExtendedKeyUsage");
-
- std::vector<OID> result;
- for(u32bit j = 0; j != oids.size(); ++j)
- result.push_back(OID(oids[j]));
- return result;
- }
-
-/*
-* Return is a CA certificate is requested
-*/
-bool PKCS10_Request::is_CA() const
- {
- return info.get1_u32bit("X509v3.BasicConstraints.is_ca");
- }
-
-/*
-* Return the desired path limit (if any)
-*/
-u32bit PKCS10_Request::path_limit() const
- {
- return info.get1_u32bit("X509v3.BasicConstraints.path_constraint", 0);
- }
-
-}
diff --git a/botan/src/cert/x509/pkcs10.h b/botan/src/cert/x509/pkcs10.h
deleted file mode 100644
index 9b435de..0000000
--- a/botan/src/cert/x509/pkcs10.h
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
-* PKCS #10
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_PKCS10_H__
-#define BOTAN_PKCS10_H__
-
-#include <botan/x509_obj.h>
-#include <botan/pkcs8.h>
-#include <botan/datastor.h>
-#include <vector>
-
-namespace Botan {
-
-/**
-* PKCS #10 Certificate Request.
-*/
-class BOTAN_DLL PKCS10_Request : public X509_Object
- {
- public:
- /**
- * Get the subject public key.
- * @return the subject public key
- */
- Public_Key* subject_public_key() const;
-
- /**
- * Get the raw DER encoded public key.
- * @return the raw DER encoded public key
- */
- MemoryVector<byte> raw_public_key() const;
-
- /**
- * Get the subject DN.
- * @return the subject DN
- */
- X509_DN subject_dn() const;
-
- /**
- * Get the subject alternative name.
- * @return the subject alternative name.
- */
- AlternativeName subject_alt_name() const;
-
- /**
- * Get the key constraints for the key associated with this
- * PKCS#10 object.
- * @return the key constraints
- */
- Key_Constraints constraints() const;
-
- /**
- * Get the extendend key constraints (if any).
- * @return the extended key constraints
- */
- std::vector<OID> ex_constraints() const;
-
- /**
- * Find out whether this is a CA request.
- * @result true if it is a CA request, false otherwise.
- */
- bool is_CA() const;
-
- /**
- * Return the constraint on the path length defined
- * in the BasicConstraints extension.
- * @return the path limit
- */
- u32bit path_limit() const;
-
- /**
- * Get the challenge password for this request
- * @return the challenge password for this request
- */
- std::string challenge_password() const;
-
- /**
- * Create a PKCS#10 Request from a data source.
- * @param source the data source providing the DER encoded request
- */
- PKCS10_Request(DataSource& source);
-
- /**
- * Create a PKCS#10 Request from a file.
- * @param filename the name of the file containing the DER or PEM
- * encoded request file
- */
- PKCS10_Request(const std::string& filename);
- private:
- void force_decode();
- void handle_attribute(const Attribute&);
-
- Data_Store info;
- };
-
-}
-
-#endif
diff --git a/botan/src/cert/x509/x509_ca.cpp b/botan/src/cert/x509/x509_ca.cpp
deleted file mode 100644
index 41e3147..0000000
--- a/botan/src/cert/x509/x509_ca.cpp
+++ /dev/null
@@ -1,284 +0,0 @@
-/*
-* X.509 Certificate Authority
-* (C) 1999-2008 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/x509_ca.h>
-#include <botan/x509stor.h>
-#include <botan/der_enc.h>
-#include <botan/ber_dec.h>
-#include <botan/look_pk.h>
-#include <botan/bigint.h>
-#include <botan/parsing.h>
-#include <botan/oids.h>
-#include <botan/util.h>
-#include <algorithm>
-#include <typeinfo>
-#include <iterator>
-#include <memory>
-#include <set>
-
-namespace Botan {
-
-/*
-* Load the certificate and private key
-*/
-X509_CA::X509_CA(const X509_Certificate& c,
- const Private_Key& key) : cert(c)
- {
- const Private_Key* key_pointer = &key;
- if(!dynamic_cast<const PK_Signing_Key*>(key_pointer))
- throw Invalid_Argument("X509_CA: " + key.algo_name() + " cannot sign");
-
- if(!cert.is_CA_cert())
- throw Invalid_Argument("X509_CA: This certificate is not for a CA");
-
- signer = choose_sig_format(key, ca_sig_algo);
- }
-
-/*
-* Sign a PKCS #10 certificate request
-*/
-X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
- RandomNumberGenerator& rng,
- const X509_Time& not_before,
- const X509_Time& not_after)
- {
- Key_Constraints constraints;
- if(req.is_CA())
- constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN);
- else
- {
- std::auto_ptr<Public_Key> key(req.subject_public_key());
- constraints = X509::find_constraints(*key, req.constraints());
- }
-
- Extensions extensions;
-
- extensions.add(new Cert_Extension::Authority_Key_ID(cert.subject_key_id()));
- extensions.add(new Cert_Extension::Subject_Key_ID(req.raw_public_key()));
-
- extensions.add(
- new Cert_Extension::Basic_Constraints(req.is_CA(), req.path_limit()));
-
- extensions.add(new Cert_Extension::Key_Usage(constraints));
- extensions.add(
- new Cert_Extension::Extended_Key_Usage(req.ex_constraints()));
-
- extensions.add(
- new Cert_Extension::Subject_Alternative_Name(req.subject_alt_name()));
-
- return make_cert(signer, rng, ca_sig_algo, req.raw_public_key(),
- not_before, not_after,
- cert.subject_dn(), req.subject_dn(),
- extensions);
- }
-
-/*
-* Create a new certificate
-*/
-X509_Certificate X509_CA::make_cert(PK_Signer* signer,
- RandomNumberGenerator& rng,
- const AlgorithmIdentifier& sig_algo,
- const MemoryRegion<byte>& pub_key,
- const X509_Time& not_before,
- const X509_Time& not_after,
- const X509_DN& issuer_dn,
- const X509_DN& subject_dn,
- const Extensions& extensions)
- {
- const u32bit X509_CERT_VERSION = 3;
- const u32bit SERIAL_BITS = 128;
-
- BigInt serial_no(rng, SERIAL_BITS);
-
- DataSource_Memory source(X509_Object::make_signed(signer, rng, sig_algo,
- DER_Encoder().start_cons(SEQUENCE)
- .start_explicit(0)
- .encode(X509_CERT_VERSION-1)
- .end_explicit()
-
- .encode(serial_no)
-
- .encode(sig_algo)
- .encode(issuer_dn)
-
- .start_cons(SEQUENCE)
- .encode(not_before)
- .encode(not_after)
- .end_cons()
-
- .encode(subject_dn)
- .raw_bytes(pub_key)
-
- .start_explicit(3)
- .start_cons(SEQUENCE)
- .encode(extensions)
- .end_cons()
- .end_explicit()
- .end_cons()
- .get_contents()
- ));
-
- return X509_Certificate(source);
- }
-
-/*
-* Create a new, empty CRL
-*/
-X509_CRL X509_CA::new_crl(RandomNumberGenerator& rng,
- u32bit next_update) const
- {
- std::vector<CRL_Entry> empty;
- return make_crl(empty, 1, next_update, rng);
- }
-
-/*
-* Update a CRL with new entries
-*/
-X509_CRL X509_CA::update_crl(const X509_CRL& crl,
- const std::vector<CRL_Entry>& new_revoked,
- RandomNumberGenerator& rng,
- u32bit next_update) const
- {
- std::vector<CRL_Entry> already_revoked = crl.get_revoked();
- std::vector<CRL_Entry> all_revoked;
-
- X509_Store store;
- store.add_cert(cert, true);
- if(store.add_crl(crl) != VERIFIED)
- throw Invalid_Argument("X509_CA::update_crl: Invalid CRL provided");
-
- std::set<SecureVector<byte> > removed_from_crl;
- for(u32bit j = 0; j != new_revoked.size(); ++j)
- {
- if(new_revoked[j].reason_code() == DELETE_CRL_ENTRY)
- removed_from_crl.insert(new_revoked[j].serial_number());
- else
- all_revoked.push_back(new_revoked[j]);
- }
-
- for(u32bit j = 0; j != already_revoked.size(); ++j)
- {
- std::set<SecureVector<byte> >::const_iterator i;
- i = removed_from_crl.find(already_revoked[j].serial_number());
-
- if(i == removed_from_crl.end())
- all_revoked.push_back(already_revoked[j]);
- }
- std::sort(all_revoked.begin(), all_revoked.end());
-
- std::vector<CRL_Entry> cert_list;
- std::unique_copy(all_revoked.begin(), all_revoked.end(),
- std::back_inserter(cert_list));
-
- return make_crl(cert_list, crl.crl_number() + 1, next_update, rng);
- }
-
-/*
-* Create a CRL
-*/
-X509_CRL X509_CA::make_crl(const std::vector<CRL_Entry>& revoked,
- u32bit crl_number, u32bit next_update,
- RandomNumberGenerator& rng) const
- {
- const u32bit X509_CRL_VERSION = 2;
-
- if(next_update == 0)
- next_update = timespec_to_u32bit("7d");
-
- // Totally stupid: ties encoding logic to the return of std::time!!
- const u64bit current_time = system_time();
-
- Extensions extensions;
- extensions.add(
- new Cert_Extension::Authority_Key_ID(cert.subject_key_id()));
- extensions.add(new Cert_Extension::CRL_Number(crl_number));
-
- DataSource_Memory source(X509_Object::make_signed(signer, rng, ca_sig_algo,
- DER_Encoder().start_cons(SEQUENCE)
- .encode(X509_CRL_VERSION-1)
- .encode(ca_sig_algo)
- .encode(cert.issuer_dn())
- .encode(X509_Time(current_time))
- .encode(X509_Time(current_time + next_update))
- .encode_if(revoked.size() > 0,
- DER_Encoder()
- .start_cons(SEQUENCE)
- .encode_list(revoked)
- .end_cons()
- )
- .start_explicit(0)
- .start_cons(SEQUENCE)
- .encode(extensions)
- .end_cons()
- .end_explicit()
- .end_cons()
- .get_contents()
- ));
-
- return X509_CRL(source);
- }
-
-/*
-* Return the CA's certificate
-*/
-X509_Certificate X509_CA::ca_certificate() const
- {
- return cert;
- }
-
-/*
-* X509_CA Destructor
-*/
-X509_CA::~X509_CA()
- {
- delete signer;
- }
-
-/*
-* Choose a signing format for the key
-*/
-PK_Signer* choose_sig_format(const Private_Key& key,
- AlgorithmIdentifier& sig_algo)
- {
- std::string padding;
- Signature_Format format;
-
- const std::string algo_name = key.algo_name();
-
- if(algo_name == "RSA")
- {
- padding = "EMSA3(SHA-160)";
- format = IEEE_1363;
- }
- else if(algo_name == "DSA")
- {
- padding = "EMSA1(SHA-160)";
- format = DER_SEQUENCE;
- }
- else if(algo_name == "ECDSA")
- {
- padding = "EMSA1_BSI(SHA-160)";
- format = IEEE_1363;
- }
- else
- throw Invalid_Argument("Unknown X.509 signing key type: " + algo_name);
-
- sig_algo.oid = OIDS::lookup(algo_name + "/" + padding);
-
- std::auto_ptr<X509_Encoder> encoding(key.x509_encoder());
- if(!encoding.get())
- throw Encoding_Error("Key " + algo_name + " does not support "
- "X.509 encoding");
-
- sig_algo.parameters = encoding->alg_id().parameters;
-
- const PK_Signing_Key& sig_key = dynamic_cast<const PK_Signing_Key&>(key);
-
- return get_pk_signer(sig_key, padding, format);
- }
-
-}
diff --git a/botan/src/cert/x509/x509_ca.h b/botan/src/cert/x509/x509_ca.h
deleted file mode 100644
index ef2a8d1..0000000
--- a/botan/src/cert/x509/x509_ca.h
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
-* X.509 Certificate Authority
-* (C) 1999-2008 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_X509_CA_H__
-#define BOTAN_X509_CA_H__
-
-#include <botan/x509cert.h>
-#include <botan/x509_crl.h>
-#include <botan/x509_ext.h>
-#include <botan/pkcs8.h>
-#include <botan/pkcs10.h>
-#include <botan/pubkey.h>
-
-namespace Botan {
-
-/**
-* This class represents X.509 Certificate Authorities (CAs).
-*/
-class BOTAN_DLL X509_CA
- {
- public:
-
- /**
- * Sign a PKCS#10 Request.
- * @param req the request to sign
- * @param rng the rng to use
- * @param not_before the starting time for the certificate
- * @param not_after the expiration time for the certificate
- * @return the resulting certificate
- */
- X509_Certificate sign_request(const PKCS10_Request& req,
- RandomNumberGenerator& rng,
- const X509_Time& not_before,
- const X509_Time& not_after);
-
- /**
- * Get the certificate of this CA.
- * @return the CA certificate
- */
- X509_Certificate ca_certificate() const;
-
- /**
- * Create a new and empty CRL for this CA.
- * @param rng the random number generator to use
- * @param next_update the time to set in next update in seconds
- * as the offset from the current time
- * @return the new CRL
- */
- X509_CRL new_crl(RandomNumberGenerator& rng, u32bit = 0) const;
-
- /**
- * Create a new CRL by with additional entries.
- * @param last_crl the last CRL of this CA to add the new entries to
- * @param new_entries contains the new CRL entries to be added to the CRL
- * @param rng the random number generator to use
- * @param next_update the time to set in next update in seconds
- * as the offset from the current time
- */
- X509_CRL update_crl(const X509_CRL& last_crl,
- const std::vector<CRL_Entry>& new_entries,
- RandomNumberGenerator& rng,
- u32bit next_update = 0) const;
-
- static X509_Certificate make_cert(PK_Signer*,
- RandomNumberGenerator&,
- const AlgorithmIdentifier&,
- const MemoryRegion<byte>&,
- const X509_Time&, const X509_Time&,
- const X509_DN&, const X509_DN&,
- const Extensions&);
-
- /**
- * Create a new CA object.
- * @param ca_certificate the certificate of the CA
- * @param key the private key of the CA
- */
- X509_CA(const X509_Certificate& ca_certificate, const Private_Key& key);
- ~X509_CA();
- private:
- X509_CA(const X509_CA&) {}
- X509_CA& operator=(const X509_CA&) { return (*this); }
-
- X509_CRL make_crl(const std::vector<CRL_Entry>&,
- u32bit, u32bit, RandomNumberGenerator&) const;
-
- AlgorithmIdentifier ca_sig_algo;
- X509_Certificate cert;
- PK_Signer* signer;
- };
-
-/**
-* Choose the default signature format for a certain public key signature
-* scheme.
-* @param key will be the key to choose a padding scheme for
-* @param alg_id will be set to the chosen scheme
-* @return A PK_Signer object for generating signatures
-*/
-BOTAN_DLL PK_Signer* choose_sig_format(const Private_Key& key,
- AlgorithmIdentifier& alg_id);
-
-
-}
-
-#endif
diff --git a/botan/src/cert/x509/x509_crl.cpp b/botan/src/cert/x509/x509_crl.cpp
deleted file mode 100644
index f6a344d..0000000
--- a/botan/src/cert/x509/x509_crl.cpp
+++ /dev/null
@@ -1,147 +0,0 @@
-/*
-* X.509 CRL
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/x509_crl.h>
-#include <botan/x509_ext.h>
-#include <botan/ber_dec.h>
-#include <botan/parsing.h>
-#include <botan/bigint.h>
-#include <botan/oids.h>
-
-namespace Botan {
-
-/*
-* Load a X.509 CRL
-*/
-X509_CRL::X509_CRL(DataSource& in, bool touc) :
- X509_Object(in, "X509 CRL/CRL"), throw_on_unknown_critical(touc)
- {
- do_decode();
- }
-
-/*
-* Load a X.509 CRL
-*/
-X509_CRL::X509_CRL(const std::string& in, bool touc) :
- X509_Object(in, "CRL/X509 CRL"), throw_on_unknown_critical(touc)
- {
- do_decode();
- }
-
-/*
-* Decode the TBSCertList data
-*/
-void X509_CRL::force_decode()
- {
- BER_Decoder tbs_crl(tbs_bits);
-
- u32bit version;
- tbs_crl.decode_optional(version, INTEGER, UNIVERSAL);
-
- if(version != 0 && version != 1)
- throw X509_CRL_Error("Unknown X.509 CRL version " +
- to_string(version+1));
-
- AlgorithmIdentifier sig_algo_inner;
- tbs_crl.decode(sig_algo_inner);
-
- if(sig_algo != sig_algo_inner)
- throw X509_CRL_Error("Algorithm identifier mismatch");
-
- X509_DN dn_issuer;
- tbs_crl.decode(dn_issuer);
- info.add(dn_issuer.contents());
-
- X509_Time start, end;
- tbs_crl.decode(start).decode(end);
- info.add("X509.CRL.start", start.readable_string());
- info.add("X509.CRL.end", end.readable_string());
-
- BER_Object next = tbs_crl.get_next_object();
-
- if(next.type_tag == SEQUENCE && next.class_tag == CONSTRUCTED)
- {
- BER_Decoder cert_list(next.value);
-
- while(cert_list.more_items())
- {
- CRL_Entry entry(throw_on_unknown_critical);
- cert_list.decode(entry);
- revoked.push_back(entry);
- }
- next = tbs_crl.get_next_object();
- }
-
- if(next.type_tag == 0 &&
- next.class_tag == ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC))
- {
- BER_Decoder crl_options(next.value);
-
- Extensions extensions(throw_on_unknown_critical);
-
- crl_options.decode(extensions).verify_end();
-
- extensions.contents_to(info, info);
-
- next = tbs_crl.get_next_object();
- }
-
- if(next.type_tag != NO_OBJECT)
- throw X509_CRL_Error("Unknown tag in CRL");
-
- tbs_crl.verify_end();
- }
-
-/*
-* Return the list of revoked certificates
-*/
-std::vector<CRL_Entry> X509_CRL::get_revoked() const
- {
- return revoked;
- }
-
-/*
-* Return the distinguished name of the issuer
-*/
-X509_DN X509_CRL::issuer_dn() const
- {
- return create_dn(info);
- }
-
-/*
-* Return the key identifier of the issuer
-*/
-MemoryVector<byte> X509_CRL::authority_key_id() const
- {
- return info.get1_memvec("X509v3.AuthorityKeyIdentifier");
- }
-
-/*
-* Return the CRL number of this CRL
-*/
-u32bit X509_CRL::crl_number() const
- {
- return info.get1_u32bit("X509v3.CRLNumber");
- }
-
-/*
-* Return the issue data of the CRL
-*/
-X509_Time X509_CRL::this_update() const
- {
- return info.get1("X509.CRL.start");
- }
-
-/*
-* Return the date when a new CRL will be issued
-*/
-X509_Time X509_CRL::next_update() const
- {
- return info.get1("X509.CRL.end");
- }
-
-}
diff --git a/botan/src/cert/x509/x509_crl.h b/botan/src/cert/x509/x509_crl.h
deleted file mode 100644
index 6caef42..0000000
--- a/botan/src/cert/x509/x509_crl.h
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
-* X.509 CRL
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_X509_CRL_H__
-#define BOTAN_X509_CRL_H__
-
-#include <botan/x509_obj.h>
-#include <botan/crl_ent.h>
-#include <vector>
-
-namespace Botan {
-
-/**
-* This class represents X.509 Certificate Revocation Lists (CRLs).
-*/
-class BOTAN_DLL X509_CRL : public X509_Object
- {
- public:
- /**
- * This class represents CRL related errors.
- */
- struct X509_CRL_Error : public Exception
- {
- X509_CRL_Error(const std::string& error) :
- Exception("X509_CRL: " + error) {}
- };
-
- /**
- * Get the entries of this CRL in the form of a vector.
- * @return a vector containing the entries of this CRL.
- */
- std::vector<CRL_Entry> get_revoked() const;
-
- /**
- * Get the issuer DN of this CRL.
- * @return the CRLs issuer DN
- */
- X509_DN issuer_dn() const;
-
- /**
- * Get the AuthorityKeyIdentifier of this CRL.
- * @return this CRLs AuthorityKeyIdentifier
- */
- MemoryVector<byte> authority_key_id() const;
-
- /**
- * Get the serial number of this CRL.
- * @return the CRLs serial number
- */
- u32bit crl_number() const;
-
- /**
- * Get the CRL's thisUpdate value.
- * @return the CRLs thisUpdate
- */
- X509_Time this_update() const;
-
- /**
- * Get the CRL's nextUpdate value.
- * @return the CRLs nextdUpdate
- */
- X509_Time next_update() const;
-
- /**
- * Construct a CRL from a data source.
- * @param source the data source providing the DER or PEM encoded CRL.
- */
- X509_CRL(DataSource&, bool throw_on_unknown_critical = false);
-
- /**
- * Construct a CRL from a file containing the DER or PEM encoded CRL.
- * @param filename the name of the CRL file
- */
- X509_CRL(const std::string& filename,
- bool throw_on_unknown_critical = false);
- private:
- void force_decode();
-
- bool throw_on_unknown_critical;
- std::vector<CRL_Entry> revoked;
- Data_Store info;
- };
-
-}
-
-#endif
diff --git a/botan/src/cert/x509/x509_ext.cpp b/botan/src/cert/x509/x509_ext.cpp
deleted file mode 100644
index 5e07cbd..0000000
--- a/botan/src/cert/x509/x509_ext.cpp
+++ /dev/null
@@ -1,581 +0,0 @@
-/*
-* X.509 Certificate Extensions
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/x509_ext.h>
-#include <botan/sha160.h>
-#include <botan/der_enc.h>
-#include <botan/ber_dec.h>
-#include <botan/oids.h>
-#include <botan/libstate.h>
-#include <botan/bit_ops.h>
-#include <algorithm>
-#include <memory>
-
-namespace Botan {
-
-/*
-* List of X.509 Certificate Extensions
-*/
-Certificate_Extension* Extensions::get_extension(const OID& oid)
- {
-#define X509_EXTENSION(NAME, TYPE) \
- if(OIDS::name_of(oid, NAME)) \
- return new Cert_Extension::TYPE();
-
- X509_EXTENSION("X509v3.KeyUsage", Key_Usage);
- X509_EXTENSION("X509v3.BasicConstraints", Basic_Constraints);
- X509_EXTENSION("X509v3.SubjectKeyIdentifier", Subject_Key_ID);
- X509_EXTENSION("X509v3.AuthorityKeyIdentifier", Authority_Key_ID);
- X509_EXTENSION("X509v3.ExtendedKeyUsage", Extended_Key_Usage);
- X509_EXTENSION("X509v3.IssuerAlternativeName", Issuer_Alternative_Name);
- X509_EXTENSION("X509v3.SubjectAlternativeName", Subject_Alternative_Name);
- X509_EXTENSION("X509v3.CRLNumber", CRL_Number);
- X509_EXTENSION("X509v3.CertificatePolicies", Certificate_Policies);
-
- return 0;
- }
-
-/*
-* Extensions Copy Constructor
-*/
-Extensions::Extensions(const Extensions& extensions) : ASN1_Object()
- {
- *this = extensions;
- }
-
-/*
-* Extensions Assignment Operator
-*/
-Extensions& Extensions::operator=(const Extensions& other)
- {
- for(u32bit j = 0; j != extensions.size(); ++j)
- delete extensions[j];
- extensions.clear();
-
- for(u32bit j = 0; j != other.extensions.size(); ++j)
- extensions.push_back(other.extensions[j]->copy());
-
- return (*this);
- }
-
-/*
-* Return the OID of this extension
-*/
-OID Certificate_Extension::oid_of() const
- {
- return OIDS::lookup(oid_name());
- }
-
-/*
-* Encode an Extensions list
-*/
-void Extensions::encode_into(DER_Encoder& to_object) const
- {
- for(u32bit j = 0; j != extensions.size(); ++j)
- {
- const Certificate_Extension* ext = extensions[j];
-
- std::string setting;
-
- if(ext->config_id() != "")
- setting = global_state().option("x509/exts/" + ext->config_id());
-
- if(setting == "")
- setting = "yes";
-
- if(setting != "yes" && setting != "no" && setting != "critical")
- throw Invalid_Argument("X509_CA:: Invalid value for option "
- "x509/exts/" + ext->config_id() + " of " +
- setting);
-
- bool is_critical = (setting == "critical");
- bool should_encode = ext->should_encode() && (setting != "no");
-
- if(should_encode)
- {
- to_object.start_cons(SEQUENCE)
- .encode(ext->oid_of())
- .encode_optional(is_critical, false)
- .encode(ext->encode_inner(), OCTET_STRING)
- .end_cons();
- }
- }
- }
-
-/*
-* Decode a list of Extensions
-*/
-void Extensions::decode_from(BER_Decoder& from_source)
- {
- for(u32bit j = 0; j != extensions.size(); ++j)
- delete extensions[j];
- extensions.clear();
-
- BER_Decoder sequence = from_source.start_cons(SEQUENCE);
- while(sequence.more_items())
- {
- OID oid;
- MemoryVector<byte> value;
- bool critical;
-
- sequence.start_cons(SEQUENCE)
- .decode(oid)
- .decode_optional(critical, BOOLEAN, UNIVERSAL, false)
- .decode(value, OCTET_STRING)
- .verify_end()
- .end_cons();
-
- Certificate_Extension* ext = get_extension(oid);
-
- if(!ext)
- {
- if(!critical || !should_throw)
- continue;
-
- throw Decoding_Error("Encountered unknown X.509 extension marked "
- "as critical; OID = " + oid.as_string());
- }
-
- ext->decode_inner(value);
-
- extensions.push_back(ext);
- }
- sequence.verify_end();
- }
-
-/*
-* Write the extensions to an info store
-*/
-void Extensions::contents_to(Data_Store& subject_info,
- Data_Store& issuer_info) const
- {
- for(u32bit j = 0; j != extensions.size(); ++j)
- extensions[j]->contents_to(subject_info, issuer_info);
- }
-
-/*
-* Delete an Extensions list
-*/
-Extensions::~Extensions()
- {
- for(u32bit j = 0; j != extensions.size(); ++j)
- delete extensions[j];
- }
-
-namespace Cert_Extension {
-
-/*
-* Checked accessor for the path_limit member
-*/
-u32bit Basic_Constraints::get_path_limit() const
- {
- if(!is_ca)
- throw Invalid_State("Basic_Constraints::get_path_limit: Not a CA");
- return path_limit;
- }
-
-/*
-* Encode the extension
-*/
-MemoryVector<byte> Basic_Constraints::encode_inner() const
- {
- return DER_Encoder()
- .start_cons(SEQUENCE)
- .encode_if(is_ca,
- DER_Encoder()
- .encode(is_ca)
- .encode_optional(path_limit, NO_CERT_PATH_LIMIT)
- )
- .end_cons()
- .get_contents();
- }
-
-/*
-* Decode the extension
-*/
-void Basic_Constraints::decode_inner(const MemoryRegion<byte>& in)
- {
- BER_Decoder(in)
- .start_cons(SEQUENCE)
- .decode_optional(is_ca, BOOLEAN, UNIVERSAL, false)
- .decode_optional(path_limit, INTEGER, UNIVERSAL, NO_CERT_PATH_LIMIT)
- .verify_end()
- .end_cons();
-
- if(is_ca == false)
- path_limit = 0;
- }
-
-/*
-* Return a textual representation
-*/
-void Basic_Constraints::contents_to(Data_Store& subject, Data_Store&) const
- {
- subject.add("X509v3.BasicConstraints.is_ca", (is_ca ? 1 : 0));
- subject.add("X509v3.BasicConstraints.path_constraint", path_limit);
- }
-
-/*
-* Encode the extension
-*/
-MemoryVector<byte> Key_Usage::encode_inner() const
- {
- if(constraints == NO_CONSTRAINTS)
- throw Encoding_Error("Cannot encode zero usage constraints");
-
- const u32bit unused_bits = low_bit(constraints) - 1;
-
- SecureVector<byte> der;
- der.append(BIT_STRING);
- der.append(2 + ((unused_bits < 8) ? 1 : 0));
- der.append(unused_bits % 8);
- der.append((constraints >> 8) & 0xFF);
- if(constraints & 0xFF)
- der.append(constraints & 0xFF);
-
- return der;
- }
-
-/*
-* Decode the extension
-*/
-void Key_Usage::decode_inner(const MemoryRegion<byte>& in)
- {
- BER_Decoder ber(in);
-
- BER_Object obj = ber.get_next_object();
-
- if(obj.type_tag != BIT_STRING || obj.class_tag != UNIVERSAL)
- throw BER_Bad_Tag("Bad tag for usage constraint",
- obj.type_tag, obj.class_tag);
-
- if(obj.value.size() != 2 && obj.value.size() != 3)
- throw BER_Decoding_Error("Bad size for BITSTRING in usage constraint");
-
- if(obj.value[0] >= 8)
- throw BER_Decoding_Error("Invalid unused bits in usage constraint");
-
- obj.value[obj.value.size()-1] &= (0xFF << obj.value[0]);
-
- u16bit usage = 0;
- for(u32bit j = 1; j != obj.value.size(); ++j)
- usage = (obj.value[j] << 8) | usage;
-
- constraints = Key_Constraints(usage);
- }
-
-/*
-* Return a textual representation
-*/
-void Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
- {
- subject.add("X509v3.KeyUsage", constraints);
- }
-
-/*
-* Encode the extension
-*/
-MemoryVector<byte> Subject_Key_ID::encode_inner() const
- {
- return DER_Encoder().encode(key_id, OCTET_STRING).get_contents();
- }
-
-/*
-* Decode the extension
-*/
-void Subject_Key_ID::decode_inner(const MemoryRegion<byte>& in)
- {
- BER_Decoder(in).decode(key_id, OCTET_STRING).verify_end();
- }
-
-/*
-* Return a textual representation
-*/
-void Subject_Key_ID::contents_to(Data_Store& subject, Data_Store&) const
- {
- subject.add("X509v3.SubjectKeyIdentifier", key_id);
- }
-
-/*
-* Subject_Key_ID Constructor
-*/
-Subject_Key_ID::Subject_Key_ID(const MemoryRegion<byte>& pub_key)
- {
- SHA_160 hash;
- key_id = hash.process(pub_key);
- }
-
-/*
-* Encode the extension
-*/
-MemoryVector<byte> Authority_Key_ID::encode_inner() const
- {
- return DER_Encoder()
- .start_cons(SEQUENCE)
- .encode(key_id, OCTET_STRING, ASN1_Tag(0), CONTEXT_SPECIFIC)
- .end_cons()
- .get_contents();
- }
-
-/*
-* Decode the extension
-*/
-void Authority_Key_ID::decode_inner(const MemoryRegion<byte>& in)
- {
- BER_Decoder(in)
- .start_cons(SEQUENCE)
- .decode_optional_string(key_id, OCTET_STRING, 0);
- }
-
-/*
-* Return a textual representation
-*/
-void Authority_Key_ID::contents_to(Data_Store&, Data_Store& issuer) const
- {
- if(key_id.size())
- issuer.add("X509v3.AuthorityKeyIdentifier", key_id);
- }
-
-/*
-* Encode the extension
-*/
-MemoryVector<byte> Alternative_Name::encode_inner() const
- {
- return DER_Encoder().encode(alt_name).get_contents();
- }
-
-/*
-* Decode the extension
-*/
-void Alternative_Name::decode_inner(const MemoryRegion<byte>& in)
- {
- BER_Decoder(in).decode(alt_name);
- }
-
-/*
-* Return a textual representation
-*/
-void Alternative_Name::contents_to(Data_Store& subject_info,
- Data_Store& issuer_info) const
- {
- std::multimap<std::string, std::string> contents =
- get_alt_name().contents();
-
- if(oid_name_str == "X509v3.SubjectAlternativeName")
- subject_info.add(contents);
- else if(oid_name_str == "X509v3.IssuerAlternativeName")
- issuer_info.add(contents);
- else
- throw Internal_Error("In Alternative_Name, unknown type " +
- oid_name_str);
- }
-
-/*
-* Alternative_Name Constructor
-*/
-Alternative_Name::Alternative_Name(const AlternativeName& alt_name,
- const std::string& oid_name_str,
- const std::string& config_name_str)
- {
- this->alt_name = alt_name;
- this->oid_name_str = oid_name_str;
- this->config_name_str = config_name_str;
- }
-
-/*
-* Subject_Alternative_Name Constructor
-*/
-Subject_Alternative_Name::Subject_Alternative_Name(
- const AlternativeName& name) :
-
- Alternative_Name(name, "X509v3.SubjectAlternativeName",
- "subject_alternative_name")
- {
- }
-
-/*
-* Issuer_Alternative_Name Constructor
-*/
-Issuer_Alternative_Name::Issuer_Alternative_Name(const AlternativeName& name) :
- Alternative_Name(name, "X509v3.IssuerAlternativeName",
- "issuer_alternative_name")
- {
- }
-
-/*
-* Encode the extension
-*/
-MemoryVector<byte> Extended_Key_Usage::encode_inner() const
- {
- return DER_Encoder()
- .start_cons(SEQUENCE)
- .encode_list(oids)
- .end_cons()
- .get_contents();
- }
-
-/*
-* Decode the extension
-*/
-void Extended_Key_Usage::decode_inner(const MemoryRegion<byte>& in)
- {
- BER_Decoder(in)
- .start_cons(SEQUENCE)
- .decode_list(oids)
- .end_cons();
- }
-
-/*
-* Return a textual representation
-*/
-void Extended_Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
- {
- for(u32bit j = 0; j != oids.size(); ++j)
- subject.add("X509v3.ExtendedKeyUsage", oids[j].as_string());
- }
-
-namespace {
-
-/*
-* A policy specifier
-*/
-class Policy_Information : public ASN1_Object
- {
- public:
- OID oid;
-
- void encode_into(DER_Encoder& codec) const
- {
- codec.start_cons(SEQUENCE)
- .encode(oid)
- .end_cons();
- }
-
- void decode_from(BER_Decoder& codec)
- {
- codec.start_cons(SEQUENCE)
- .decode(oid)
- .discard_remaining()
- .end_cons();
- }
- };
-
-}
-
-/*
-* Encode the extension
-*/
-MemoryVector<byte> Certificate_Policies::encode_inner() const
- {
- throw Exception("Certificate_Policies::encode_inner: Bugged");
-
- std::vector<Policy_Information> policies;
-
- return DER_Encoder()
- .start_cons(SEQUENCE)
- .encode_list(policies)
- .end_cons()
- .get_contents();
- }
-
-/*
-* Decode the extension
-*/
-void Certificate_Policies::decode_inner(const MemoryRegion<byte>& in)
- {
- std::vector<Policy_Information> policies;
-
- BER_Decoder(in)
- .start_cons(SEQUENCE)
- .decode_list(policies)
- .end_cons();
- }
-
-/*
-* Return a textual representation
-*/
-void Certificate_Policies::contents_to(Data_Store& info, Data_Store&) const
- {
- for(u32bit j = 0; j != oids.size(); ++j)
- info.add("X509v3.ExtendedKeyUsage", oids[j].as_string());
- }
-
-/*
-* Checked accessor for the crl_number member
-*/
-u32bit CRL_Number::get_crl_number() const
- {
- if(!has_value)
- throw Invalid_State("CRL_Number::get_crl_number: Not set");
- return crl_number;
- }
-
-/*
-* Copy a CRL_Number extension
-*/
-CRL_Number* CRL_Number::copy() const
- {
- if(!has_value)
- throw Invalid_State("CRL_Number::copy: Not set");
- return new CRL_Number(crl_number);
- }
-
-/*
-* Encode the extension
-*/
-MemoryVector<byte> CRL_Number::encode_inner() const
- {
- return DER_Encoder().encode(crl_number).get_contents();
- }
-
-/*
-* Decode the extension
-*/
-void CRL_Number::decode_inner(const MemoryRegion<byte>& in)
- {
- BER_Decoder(in).decode(crl_number);
- }
-
-/*
-* Return a textual representation
-*/
-void CRL_Number::contents_to(Data_Store& info, Data_Store&) const
- {
- info.add("X509v3.CRLNumber", crl_number);
- }
-
-/*
-* Encode the extension
-*/
-MemoryVector<byte> CRL_ReasonCode::encode_inner() const
- {
- return DER_Encoder()
- .encode(static_cast<u32bit>(reason), ENUMERATED, UNIVERSAL)
- .get_contents();
- }
-
-/*
-* Decode the extension
-*/
-void CRL_ReasonCode::decode_inner(const MemoryRegion<byte>& in)
- {
- u32bit reason_code = 0;
- BER_Decoder(in).decode(reason_code, ENUMERATED, UNIVERSAL);
- reason = static_cast<CRL_Code>(reason_code);
- }
-
-/*
-* Return a textual representation
-*/
-void CRL_ReasonCode::contents_to(Data_Store& info, Data_Store&) const
- {
- info.add("X509v3.CRLReasonCode", reason);
- }
-
-}
-
-}
diff --git a/botan/src/cert/x509/x509_ext.h b/botan/src/cert/x509/x509_ext.h
deleted file mode 100644
index 108215e..0000000
--- a/botan/src/cert/x509/x509_ext.h
+++ /dev/null
@@ -1,317 +0,0 @@
-/*
-* X.509 Certificate Extensions
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_X509_EXTENSIONS_H__
-#define BOTAN_X509_EXTENSIONS_H__
-
-#include <botan/asn1_int.h>
-#include <botan/asn1_oid.h>
-#include <botan/asn1_obj.h>
-#include <botan/datastor.h>
-#include <botan/pubkey_enums.h>
-
-namespace Botan {
-
-/*
-* X.509 Certificate Extension
-*/
-class BOTAN_DLL Certificate_Extension
- {
- public:
- OID oid_of() const;
-
- virtual Certificate_Extension* copy() const = 0;
-
- virtual void contents_to(Data_Store&, Data_Store&) const = 0;
- virtual std::string config_id() const = 0;
- virtual std::string oid_name() const = 0;
-
- virtual ~Certificate_Extension() {}
- protected:
- friend class Extensions;
- virtual bool should_encode() const { return true; }
- virtual MemoryVector<byte> encode_inner() const = 0;
- virtual void decode_inner(const MemoryRegion<byte>&) = 0;
- };
-
-/*
-* X.509 Certificate Extension List
-*/
-class BOTAN_DLL Extensions : public ASN1_Object
- {
- public:
- void encode_into(class DER_Encoder&) const;
- void decode_from(class BER_Decoder&);
-
- void contents_to(Data_Store&, Data_Store&) const;
-
- void add(Certificate_Extension* extn)
- { extensions.push_back(extn); }
-
- Extensions& operator=(const Extensions&);
-
- Extensions(const Extensions&);
- Extensions(bool st = true) : should_throw(st) {}
- ~Extensions();
- private:
- static Certificate_Extension* get_extension(const OID&);
-
- std::vector<Certificate_Extension*> extensions;
- bool should_throw;
- };
-
-namespace Cert_Extension {
-
-/*
-* Basic Constraints Extension
-*/
-class BOTAN_DLL Basic_Constraints : public Certificate_Extension
- {
- public:
- Basic_Constraints* copy() const
- { return new Basic_Constraints(is_ca, path_limit); }
-
- Basic_Constraints(bool ca = false, u32bit limit = 0) :
- is_ca(ca), path_limit(limit) {}
-
- bool get_is_ca() const { return is_ca; }
- u32bit get_path_limit() const;
- private:
- std::string config_id() const { return "basic_constraints"; }
- std::string oid_name() const { return "X509v3.BasicConstraints"; }
-
- MemoryVector<byte> encode_inner() const;
- void decode_inner(const MemoryRegion<byte>&);
- void contents_to(Data_Store&, Data_Store&) const;
-
- bool is_ca;
- u32bit path_limit;
- };
-
-/*
-* Key Usage Constraints Extension
-*/
-class BOTAN_DLL Key_Usage : public Certificate_Extension
- {
- public:
- Key_Usage* copy() const { return new Key_Usage(constraints); }
-
- Key_Usage(Key_Constraints c = NO_CONSTRAINTS) : constraints(c) {}
-
- Key_Constraints get_constraints() const { return constraints; }
- private:
- std::string config_id() const { return "key_usage"; }
- std::string oid_name() const { return "X509v3.KeyUsage"; }
-
- bool should_encode() const { return (constraints != NO_CONSTRAINTS); }
- MemoryVector<byte> encode_inner() const;
- void decode_inner(const MemoryRegion<byte>&);
- void contents_to(Data_Store&, Data_Store&) const;
-
- Key_Constraints constraints;
- };
-
-/*
-* Subject Key Identifier Extension
-*/
-class BOTAN_DLL Subject_Key_ID : public Certificate_Extension
- {
- public:
- Subject_Key_ID* copy() const { return new Subject_Key_ID(key_id); }
-
- Subject_Key_ID() {}
- Subject_Key_ID(const MemoryRegion<byte>&);
-
- MemoryVector<byte> get_key_id() const { return key_id; }
- private:
- std::string config_id() const { return "subject_key_id"; }
- std::string oid_name() const { return "X509v3.SubjectKeyIdentifier"; }
-
- bool should_encode() const { return (key_id.size() > 0); }
- MemoryVector<byte> encode_inner() const;
- void decode_inner(const MemoryRegion<byte>&);
- void contents_to(Data_Store&, Data_Store&) const;
-
- MemoryVector<byte> key_id;
- };
-
-/*
-* Authority Key Identifier Extension
-*/
-class BOTAN_DLL Authority_Key_ID : public Certificate_Extension
- {
- public:
- Authority_Key_ID* copy() const { return new Authority_Key_ID(key_id); }
-
- Authority_Key_ID() {}
- Authority_Key_ID(const MemoryRegion<byte>& k) : key_id(k) {}
-
- MemoryVector<byte> get_key_id() const { return key_id; }
- private:
- std::string config_id() const { return "authority_key_id"; }
- std::string oid_name() const { return "X509v3.AuthorityKeyIdentifier"; }
-
- bool should_encode() const { return (key_id.size() > 0); }
- MemoryVector<byte> encode_inner() const;
- void decode_inner(const MemoryRegion<byte>&);
- void contents_to(Data_Store&, Data_Store&) const;
-
- MemoryVector<byte> key_id;
- };
-
-/*
-* Alternative Name Extension Base Class
-*/
-class BOTAN_DLL Alternative_Name : public Certificate_Extension
- {
- public:
- AlternativeName get_alt_name() const { return alt_name; }
-
- protected:
- Alternative_Name(const AlternativeName&,
- const std::string&, const std::string&);
-
- Alternative_Name(const std::string&, const std::string&);
- private:
- std::string config_id() const { return config_name_str; }
- std::string oid_name() const { return oid_name_str; }
-
- bool should_encode() const { return alt_name.has_items(); }
- MemoryVector<byte> encode_inner() const;
- void decode_inner(const MemoryRegion<byte>&);
- void contents_to(Data_Store&, Data_Store&) const;
-
- std::string config_name_str, oid_name_str;
- AlternativeName alt_name;
- };
-
-/*
-* Subject Alternative Name Extension
-*/
-class BOTAN_DLL Subject_Alternative_Name : public Alternative_Name
- {
- public:
- Subject_Alternative_Name* copy() const
- { return new Subject_Alternative_Name(get_alt_name()); }
-
- Subject_Alternative_Name(const AlternativeName& = AlternativeName());
- };
-
-/*
-* Issuer Alternative Name Extension
-*/
-class BOTAN_DLL Issuer_Alternative_Name : public Alternative_Name
- {
- public:
- Issuer_Alternative_Name* copy() const
- { return new Issuer_Alternative_Name(get_alt_name()); }
-
- Issuer_Alternative_Name(const AlternativeName& = AlternativeName());
- };
-
-/*
-* Extended Key Usage Extension
-*/
-class BOTAN_DLL Extended_Key_Usage : public Certificate_Extension
- {
- public:
- Extended_Key_Usage* copy() const { return new Extended_Key_Usage(oids); }
-
- Extended_Key_Usage() {}
- Extended_Key_Usage(const std::vector<OID>& o) : oids(o) {}
-
- std::vector<OID> get_oids() const { return oids; }
- private:
- std::string config_id() const { return "extended_key_usage"; }
- std::string oid_name() const { return "X509v3.ExtendedKeyUsage"; }
-
- bool should_encode() const { return (oids.size() > 0); }
- MemoryVector<byte> encode_inner() const;
- void decode_inner(const MemoryRegion<byte>&);
- void contents_to(Data_Store&, Data_Store&) const;
-
- std::vector<OID> oids;
- };
-
-/*
-* Certificate Policies Extension
-*/
-class BOTAN_DLL Certificate_Policies : public Certificate_Extension
- {
- public:
- Certificate_Policies* copy() const
- { return new Certificate_Policies(oids); }
-
- Certificate_Policies() {}
- Certificate_Policies(const std::vector<OID>& o) : oids(o) {}
-
- std::vector<OID> get_oids() const { return oids; }
- private:
- std::string config_id() const { return "policy_info"; }
- std::string oid_name() const { return "X509v3.CertificatePolicies"; }
-
- bool should_encode() const { return (oids.size() > 0); }
- MemoryVector<byte> encode_inner() const;
- void decode_inner(const MemoryRegion<byte>&);
- void contents_to(Data_Store&, Data_Store&) const;
-
- std::vector<OID> oids;
- };
-
-/*
-* CRL Number Extension
-*/
-class BOTAN_DLL CRL_Number : public Certificate_Extension
- {
- public:
- CRL_Number* copy() const;
-
- CRL_Number() : has_value(false), crl_number(0) {}
- CRL_Number(u32bit n) : has_value(true), crl_number(n) {}
-
- u32bit get_crl_number() const;
- private:
- std::string config_id() const { return "crl_number"; }
- std::string oid_name() const { return "X509v3.CRLNumber"; }
-
- bool should_encode() const { return has_value; }
- MemoryVector<byte> encode_inner() const;
- void decode_inner(const MemoryRegion<byte>&);
- void contents_to(Data_Store&, Data_Store&) const;
-
- bool has_value;
- u32bit crl_number;
- };
-
-/*
-* CRL Entry Reason Code Extension
-*/
-class BOTAN_DLL CRL_ReasonCode : public Certificate_Extension
- {
- public:
- CRL_ReasonCode* copy() const { return new CRL_ReasonCode(reason); }
-
- CRL_ReasonCode(CRL_Code r = UNSPECIFIED) : reason(r) {}
-
- CRL_Code get_reason() const { return reason; }
- private:
- std::string config_id() const { return "crl_reason"; }
- std::string oid_name() const { return "X509v3.ReasonCode"; }
-
- bool should_encode() const { return (reason != UNSPECIFIED); }
- MemoryVector<byte> encode_inner() const;
- void decode_inner(const MemoryRegion<byte>&);
- void contents_to(Data_Store&, Data_Store&) const;
-
- CRL_Code reason;
- };
-
-}
-
-}
-
-#endif
diff --git a/botan/src/cert/x509/x509_obj.cpp b/botan/src/cert/x509/x509_obj.cpp
deleted file mode 100644
index 31b4a30..0000000
--- a/botan/src/cert/x509/x509_obj.cpp
+++ /dev/null
@@ -1,235 +0,0 @@
-/*
-* X.509 SIGNED Object
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/x509_obj.h>
-#include <botan/x509_key.h>
-#include <botan/look_pk.h>
-#include <botan/oids.h>
-#include <botan/der_enc.h>
-#include <botan/ber_dec.h>
-#include <botan/parsing.h>
-#include <botan/pem.h>
-#include <algorithm>
-#include <memory>
-
-namespace Botan {
-
-/*
-* Create a generic X.509 object
-*/
-X509_Object::X509_Object(DataSource& stream, const std::string& labels)
- {
- init(stream, labels);
- }
-
-/*
-* Createa a generic X.509 object
-*/
-X509_Object::X509_Object(const std::string& file, const std::string& labels)
- {
- DataSource_Stream stream(file, true);
- init(stream, labels);
- }
-
-/*
-* Read a PEM or BER X.509 object
-*/
-void X509_Object::init(DataSource& in, const std::string& labels)
- {
- PEM_labels_allowed = split_on(labels, '/');
- if(PEM_labels_allowed.size() < 1)
- throw Invalid_Argument("Bad labels argument to X509_Object");
-
- PEM_label_pref = PEM_labels_allowed[0];
- std::sort(PEM_labels_allowed.begin(), PEM_labels_allowed.end());
-
- try {
- if(ASN1::maybe_BER(in) && !PEM_Code::matches(in))
- decode_info(in);
- else
- {
- std::string got_label;
- DataSource_Memory ber(PEM_Code::decode(in, got_label));
-
- if(!std::binary_search(PEM_labels_allowed.begin(),
- PEM_labels_allowed.end(), got_label))
- throw Decoding_Error("Invalid PEM label: " + got_label);
- decode_info(ber);
- }
- }
- catch(Decoding_Error)
- {
- throw Decoding_Error(PEM_label_pref + " decoding failed");
- }
- }
-
-/*
-* Read a BER encoded X.509 object
-*/
-void X509_Object::decode_info(DataSource& source)
- {
- BER_Decoder(source)
- .start_cons(SEQUENCE)
- .start_cons(SEQUENCE)
- .raw_bytes(tbs_bits)
- .end_cons()
- .decode(sig_algo)
- .decode(sig, BIT_STRING)
- .verify_end()
- .end_cons();
- }
-
-/*
-* Return a BER or PEM encoded X.509 object
-*/
-void X509_Object::encode(Pipe& out, X509_Encoding encoding) const
- {
- SecureVector<byte> der = DER_Encoder()
- .start_cons(SEQUENCE)
- .start_cons(SEQUENCE)
- .raw_bytes(tbs_bits)
- .end_cons()
- .encode(sig_algo)
- .encode(sig, BIT_STRING)
- .end_cons()
- .get_contents();
-
- if(encoding == PEM)
- out.write(PEM_Code::encode(der, PEM_label_pref));
- else
- out.write(der);
- }
-
-/*
-* Return a BER encoded X.509 object
-*/
-SecureVector<byte> X509_Object::BER_encode() const
- {
- Pipe ber;
- ber.start_msg();
- encode(ber, RAW_BER);
- ber.end_msg();
- return ber.read_all();
- }
-
-/*
-* Return a PEM encoded X.509 object
-*/
-std::string X509_Object::PEM_encode() const
- {
- Pipe pem;
- pem.start_msg();
- encode(pem, PEM);
- pem.end_msg();
- return pem.read_all_as_string();
- }
-
-/*
-* Return the TBS data
-*/
-SecureVector<byte> X509_Object::tbs_data() const
- {
- return ASN1::put_in_sequence(tbs_bits);
- }
-
-/*
-* Return the signature of this object
-*/
-SecureVector<byte> X509_Object::signature() const
- {
- return sig;
- }
-
-/*
-* Return the algorithm used to sign this object
-*/
-AlgorithmIdentifier X509_Object::signature_algorithm() const
- {
- return sig_algo;
- }
-
-/*
-* Check the signature on an object
-*/
-bool X509_Object::check_signature(Public_Key& pub_key) const
- {
- try {
- std::vector<std::string> sig_info =
- split_on(OIDS::lookup(sig_algo.oid), '/');
-
- if(sig_info.size() != 2 || sig_info[0] != pub_key.algo_name())
- return false;
-
- std::string padding = sig_info[1];
- Signature_Format format =
- (pub_key.message_parts() >= 2) ? DER_SEQUENCE : IEEE_1363;
-
- std::auto_ptr<PK_Verifier> verifier;
-
- if(dynamic_cast<PK_Verifying_with_MR_Key*>(&pub_key))
- {
- PK_Verifying_with_MR_Key& sig_key =
- dynamic_cast<PK_Verifying_with_MR_Key&>(pub_key);
- verifier.reset(get_pk_verifier(sig_key, padding, format));
- }
- else if(dynamic_cast<PK_Verifying_wo_MR_Key*>(&pub_key))
- {
- PK_Verifying_wo_MR_Key& sig_key =
- dynamic_cast<PK_Verifying_wo_MR_Key&>(pub_key);
- verifier.reset(get_pk_verifier(sig_key, padding, format));
- }
- else
- return false;
-
- return verifier->verify_message(tbs_data(), signature());
- }
- catch(...)
- {
- return false;
- }
- }
-
-/*
-* Apply the X.509 SIGNED macro
-*/
-MemoryVector<byte> X509_Object::make_signed(PK_Signer* signer,
- RandomNumberGenerator& rng,
- const AlgorithmIdentifier& algo,
- const MemoryRegion<byte>& tbs_bits)
- {
- return DER_Encoder()
- .start_cons(SEQUENCE)
- .raw_bytes(tbs_bits)
- .encode(algo)
- .encode(signer->sign_message(tbs_bits, rng), BIT_STRING)
- .end_cons()
- .get_contents();
- }
-
-/*
-* Try to decode the actual information
-*/
-void X509_Object::do_decode()
- {
- try {
- force_decode();
- }
- catch(Decoding_Error& e)
- {
- const std::string what = e.what();
- throw Decoding_Error(PEM_label_pref + " decoding failed (" +
- what.substr(23, std::string::npos) + ")");
- }
- catch(Invalid_Argument& e)
- {
- const std::string what = e.what();
- throw Decoding_Error(PEM_label_pref + " decoding failed (" +
- what.substr(7, std::string::npos) + ")");
- }
- }
-
-}
diff --git a/botan/src/cert/x509/x509_obj.h b/botan/src/cert/x509/x509_obj.h
deleted file mode 100644
index c7f92fa..0000000
--- a/botan/src/cert/x509/x509_obj.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
-* X.509 SIGNED Object
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_X509_OBJECT_H__
-#define BOTAN_X509_OBJECT_H__
-
-#include <botan/asn1_obj.h>
-#include <botan/pipe.h>
-#include <botan/pubkey_enums.h>
-#include <botan/rng.h>
-#include <vector>
-
-namespace Botan {
-
-/**
-* This class represents abstract X.509 signed objects as
-* in the X.500 SIGNED macro
-*/
-class BOTAN_DLL X509_Object
- {
- public:
- SecureVector<byte> tbs_data() const;
- SecureVector<byte> signature() const;
- AlgorithmIdentifier signature_algorithm() const;
-
- /**
- * Create a signed X509 object.
- * @param signer the signer used to sign the object
- * @param rng the random number generator to use
- * @param alg_id the algorithm identifier of the signature scheme
- * @param tbs the tbs bits to be signed
- * @return the signed X509 object
- */
- static MemoryVector<byte> make_signed(class PK_Signer* signer,
- RandomNumberGenerator& rng,
- const AlgorithmIdentifier& alg_id,
- const MemoryRegion<byte>& tbs);
-
- bool check_signature(class Public_Key&) const;
-
- void encode(Pipe&, X509_Encoding = PEM) const;
- SecureVector<byte> BER_encode() const;
- std::string PEM_encode() const;
-
- X509_Object(DataSource&, const std::string&);
- X509_Object(const std::string&, const std::string&);
- virtual ~X509_Object() {}
- protected:
- void do_decode();
- X509_Object() {}
- AlgorithmIdentifier sig_algo;
- SecureVector<byte> tbs_bits, sig;
- private:
- virtual void force_decode() = 0;
- void init(DataSource&, const std::string&);
- void decode_info(DataSource&);
- std::vector<std::string> PEM_labels_allowed;
- std::string PEM_label_pref;
- };
-
-}
-
-#endif
diff --git a/botan/src/cert/x509/x509cert.cpp b/botan/src/cert/x509/x509cert.cpp
deleted file mode 100644
index ac5839f..0000000
--- a/botan/src/cert/x509/x509cert.cpp
+++ /dev/null
@@ -1,366 +0,0 @@
-/*
-* X.509 Certificates
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/x509cert.h>
-#include <botan/x509_ext.h>
-#include <botan/der_enc.h>
-#include <botan/ber_dec.h>
-#include <botan/stl_util.h>
-#include <botan/parsing.h>
-#include <botan/bigint.h>
-#include <botan/oids.h>
-#include <botan/pem.h>
-#include <algorithm>
-
-namespace Botan {
-
-namespace {
-
-/*
-* Lookup each OID in the vector
-*/
-std::vector<std::string> lookup_oids(const std::vector<std::string>& in)
- {
- std::vector<std::string> out;
-
- std::vector<std::string>::const_iterator i = in.begin();
- while(i != in.end())
- {
- out.push_back(OIDS::lookup(OID(*i)));
- ++i;
- }
- return out;
- }
-
-}
-
-/*
-* X509_Certificate Constructor
-*/
-X509_Certificate::X509_Certificate(DataSource& in) :
- X509_Object(in, "CERTIFICATE/X509 CERTIFICATE")
- {
- self_signed = false;
- do_decode();
- }
-
-/*
-* X509_Certificate Constructor
-*/
-X509_Certificate::X509_Certificate(const std::string& in) :
- X509_Object(in, "CERTIFICATE/X509 CERTIFICATE")
- {
- self_signed = false;
- do_decode();
- }
-
-/*
-* Decode the TBSCertificate data
-*/
-void X509_Certificate::force_decode()
- {
- u32bit version;
- BigInt serial_bn;
- AlgorithmIdentifier sig_algo_inner;
- X509_DN dn_issuer, dn_subject;
- X509_Time start, end;
-
- BER_Decoder tbs_cert(tbs_bits);
-
- tbs_cert.decode_optional(version, ASN1_Tag(0),
- ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC))
- .decode(serial_bn)
- .decode(sig_algo_inner)
- .decode(dn_issuer)
- .start_cons(SEQUENCE)
- .decode(start)
- .decode(end)
- .verify_end()
- .end_cons()
- .decode(dn_subject);
-
- if(version > 2)
- throw Decoding_Error("Unknown X.509 cert version " + to_string(version));
- if(sig_algo != sig_algo_inner)
- throw Decoding_Error("Algorithm identifier mismatch");
-
- self_signed = (dn_subject == dn_issuer);
-
- subject.add(dn_subject.contents());
- issuer.add(dn_issuer.contents());
-
- BER_Object public_key = tbs_cert.get_next_object();
- if(public_key.type_tag != SEQUENCE || public_key.class_tag != CONSTRUCTED)
- throw BER_Bad_Tag("X509_Certificate: Unexpected tag for public key",
- public_key.type_tag, public_key.class_tag);
-
- MemoryVector<byte> v2_issuer_key_id, v2_subject_key_id;
-
- tbs_cert.decode_optional_string(v2_issuer_key_id, BIT_STRING, 1);
- tbs_cert.decode_optional_string(v2_subject_key_id, BIT_STRING, 2);
-
- BER_Object v3_exts_data = tbs_cert.get_next_object();
- if(v3_exts_data.type_tag == 3 &&
- v3_exts_data.class_tag == ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC))
- {
- Extensions extensions;
-
- BER_Decoder(v3_exts_data.value).decode(extensions).verify_end();
-
- extensions.contents_to(subject, issuer);
- }
- else if(v3_exts_data.type_tag != NO_OBJECT)
- throw BER_Bad_Tag("Unknown tag in X.509 cert",
- v3_exts_data.type_tag, v3_exts_data.class_tag);
-
- if(tbs_cert.more_items())
- throw Decoding_Error("TBSCertificate has more items that expected");
-
- subject.add("X509.Certificate.version", version);
- subject.add("X509.Certificate.serial", BigInt::encode(serial_bn));
- subject.add("X509.Certificate.start", start.readable_string());
- subject.add("X509.Certificate.end", end.readable_string());
-
- issuer.add("X509.Certificate.v2.key_id", v2_issuer_key_id);
- subject.add("X509.Certificate.v2.key_id", v2_subject_key_id);
-
- subject.add("X509.Certificate.public_key",
- PEM_Code::encode(
- ASN1::put_in_sequence(public_key.value),
- "PUBLIC KEY"
- )
- );
-
- if(is_CA_cert() &&
- !subject.has_value("X509v3.BasicConstraints.path_constraint"))
- {
- u32bit limit = (x509_version() < 3) ? NO_CERT_PATH_LIMIT : 0;
- subject.add("X509v3.BasicConstraints.path_constraint", limit);
- }
- }
-
-/*
-* Return the X.509 version in use
-*/
-u32bit X509_Certificate::x509_version() const
- {
- return (subject.get1_u32bit("X509.Certificate.version") + 1);
- }
-
-/*
-* Return the time this cert becomes valid
-*/
-std::string X509_Certificate::start_time() const
- {
- return subject.get1("X509.Certificate.start");
- }
-
-/*
-* Return the time this cert becomes invalid
-*/
-std::string X509_Certificate::end_time() const
- {
- return subject.get1("X509.Certificate.end");
- }
-
-/*
-* Return information about the subject
-*/
-std::vector<std::string>
-X509_Certificate::subject_info(const std::string& what) const
- {
- return subject.get(X509_DN::deref_info_field(what));
- }
-
-/*
-* Return information about the issuer
-*/
-std::vector<std::string>
-X509_Certificate::issuer_info(const std::string& what) const
- {
- return issuer.get(X509_DN::deref_info_field(what));
- }
-
-/*
-* Return the public key in this certificate
-*/
-Public_Key* X509_Certificate::subject_public_key() const
- {
- DataSource_Memory source(subject.get1("X509.Certificate.public_key"));
- return X509::load_key(source);
- }
-
-/*
-* Check if the certificate is for a CA
-*/
-bool X509_Certificate::is_CA_cert() const
- {
- if(!subject.get1_u32bit("X509v3.BasicConstraints.is_ca"))
- return false;
- if((constraints() & KEY_CERT_SIGN) || (constraints() == NO_CONSTRAINTS))
- return true;
- return false;
- }
-
-/*
-* Return the path length constraint
-*/
-u32bit X509_Certificate::path_limit() const
- {
- return subject.get1_u32bit("X509v3.BasicConstraints.path_constraint", 0);
- }
-
-/*
-* Return the key usage constraints
-*/
-Key_Constraints X509_Certificate::constraints() const
- {
- return Key_Constraints(subject.get1_u32bit("X509v3.KeyUsage",
- NO_CONSTRAINTS));
- }
-
-/*
-* Return the list of extended key usage OIDs
-*/
-std::vector<std::string> X509_Certificate::ex_constraints() const
- {
- return lookup_oids(subject.get("X509v3.ExtendedKeyUsage"));
- }
-
-/*
-* Return the list of certificate policies
-*/
-std::vector<std::string> X509_Certificate::policies() const
- {
- return lookup_oids(subject.get("X509v3.CertificatePolicies"));
- }
-
-/*
-* Return the authority key id
-*/
-MemoryVector<byte> X509_Certificate::authority_key_id() const
- {
- return issuer.get1_memvec("X509v3.AuthorityKeyIdentifier");
- }
-
-/*
-* Return the subject key id
-*/
-MemoryVector<byte> X509_Certificate::subject_key_id() const
- {
- return subject.get1_memvec("X509v3.SubjectKeyIdentifier");
- }
-
-/*
-* Return the certificate serial number
-*/
-MemoryVector<byte> X509_Certificate::serial_number() const
- {
- return subject.get1_memvec("X509.Certificate.serial");
- }
-
-/*
-* Return the distinguished name of the issuer
-*/
-X509_DN X509_Certificate::issuer_dn() const
- {
- return create_dn(issuer);
- }
-
-/*
-* Return the distinguished name of the subject
-*/
-X509_DN X509_Certificate::subject_dn() const
- {
- return create_dn(subject);
- }
-
-/*
-* Compare two certificates for equality
-*/
-bool X509_Certificate::operator==(const X509_Certificate& other) const
- {
- return (sig == other.sig &&
- sig_algo == other.sig_algo &&
- self_signed == other.self_signed &&
- issuer == other.issuer &&
- subject == other.subject);
- }
-
-/*
-* X.509 Certificate Comparison
-*/
-bool operator!=(const X509_Certificate& cert1, const X509_Certificate& cert2)
- {
- return !(cert1 == cert2);
- }
-
-/*
-* Create and populate a X509_DN
-*/
-X509_DN create_dn(const Data_Store& info)
- {
- class DN_Matcher : public Data_Store::Matcher
- {
- public:
- bool operator()(const std::string& key, const std::string&) const
- {
- if(key.find("X520.") != std::string::npos)
- return true;
- return false;
- }
- };
-
- std::multimap<std::string, std::string> names =
- info.search_with(DN_Matcher());
-
- X509_DN dn;
-
- std::multimap<std::string, std::string>::iterator j;
- for(j = names.begin(); j != names.end(); ++j)
- dn.add_attribute(j->first, j->second);
-
- return dn;
- }
-
-/*
-* Create and populate an AlternativeName
-*/
-AlternativeName create_alt_name(const Data_Store& info)
- {
- class AltName_Matcher : public Data_Store::Matcher
- {
- public:
- bool operator()(const std::string& key, const std::string&) const
- {
- for(u32bit j = 0; j != matches.size(); ++j)
- if(key.compare(matches[j]) == 0)
- return true;
- return false;
- }
-
- AltName_Matcher(const std::string& match_any_of)
- {
- matches = split_on(match_any_of, '/');
- }
- private:
- std::vector<std::string> matches;
- };
-
- std::multimap<std::string, std::string> names =
- info.search_with(AltName_Matcher("RFC822/DNS/URI/IP"));
-
- AlternativeName alt_name;
-
- std::multimap<std::string, std::string>::iterator j;
- for(j = names.begin(); j != names.end(); ++j)
- alt_name.add_attribute(j->first, j->second);
-
- return alt_name;
- }
-
-}
diff --git a/botan/src/cert/x509/x509cert.h b/botan/src/cert/x509/x509cert.h
deleted file mode 100644
index 4a9d11f..0000000
--- a/botan/src/cert/x509/x509cert.h
+++ /dev/null
@@ -1,185 +0,0 @@
-/*
-* X.509 Certificates
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_X509_CERTS_H__
-#define BOTAN_X509_CERTS_H__
-
-#include <botan/x509_obj.h>
-#include <botan/x509_key.h>
-#include <botan/datastor.h>
-#include <botan/pubkey_enums.h>
-#include <map>
-
-namespace Botan {
-
-/**
-* This class represents X.509 Certificate
-*/
-class BOTAN_DLL X509_Certificate : public X509_Object
- {
- public:
- /**
- * Get the public key associated with this certificate.
- * @return the subject public key of this certificate
- */
- Public_Key* subject_public_key() const;
-
- /**
- * Get the issuer certificate DN.
- * @return the issuer DN of this certificate
- */
- X509_DN issuer_dn() const;
-
- /**
- * Get the subject certificate DN.
- * @return the subject DN of this certificate
- */
- X509_DN subject_dn() const;
-
- /**
- * Get a value for a specific subject_info parameter name.
- * @param name the name of the paramter to look up. Possible names are
- * "X509.Certificate.version", "X509.Certificate.serial",
- * "X509.Certificate.start", "X509.Certificate.end",
- * "X509.Certificate.v2.key_id", "X509.Certificate.public_key",
- * "X509v3.BasicConstraints.path_constraint",
- * "X509v3.BasicConstraints.is_ca", "X509v3.ExtendedKeyUsage",
- * "X509v3.CertificatePolicies", "X509v3.SubjectKeyIdentifier" or
- * "X509.Certificate.serial".
- * @return the value(s) of the specified parameter
- */
- std::vector<std::string> subject_info(const std::string& name) const;
-
- /**
- * Get a value for a specific subject_info parameter name.
- * @param name the name of the paramter to look up. Possible names are
- * "X509.Certificate.v2.key_id" or "X509v3.AuthorityKeyIdentifier".
- * @return the value(s) of the specified parameter
- */
- std::vector<std::string> issuer_info(const std::string& name) const;
-
- /**
- * Get the notBefore of the certificate.
- * @return the notBefore of the certificate
- */
- std::string start_time() const;
-
- /**
- * Get the notAfter of the certificate.
- * @return the notAfter of the certificate
- */
- std::string end_time() const;
-
- /**
- * Get the X509 version of this certificate object.
- * @return the X509 version
- */
- u32bit x509_version() const;
-
- /**
- * Get the serial number of this certificate.
- * @return the certificates serial number
- */
- MemoryVector<byte> serial_number() const;
-
- /**
- * Get the DER encoded AuthorityKeyIdentifier of this certificate.
- * @return the DER encoded AuthorityKeyIdentifier
- */
- MemoryVector<byte> authority_key_id() const;
-
- /**
- * Get the DER encoded SubjectKeyIdentifier of this certificate.
- * @return the DER encoded SubjectKeyIdentifier
- */
- MemoryVector<byte> subject_key_id() const;
-
- /**
- * Check whether this certificate is self signed.
- * @return true if this certificate is self signed
- */
- bool is_self_signed() const { return self_signed; }
-
- /**
- * Check whether this certificate is a CA certificate.
- * @return true if this certificate is a CA certificate
- */
- bool is_CA_cert() const;
-
- /**
- * Get the path limit as defined in the BasicConstraints extension of
- * this certificate.
- * @return the path limit
- */
- u32bit path_limit() const;
-
- /**
- * Get the key constraints as defined in the KeyUsage extension of this
- * certificate.
- * @return the key constraints
- */
- Key_Constraints constraints() const;
-
- /**
- * Get the key constraints as defined in the ExtendedKeyUsage
- * extension of this
- * certificate.
- * @return the key constraints
- */
- std::vector<std::string> ex_constraints() const;
-
- /**
- * Get the policies as defined in the CertificatePolicies extension
- * of this certificate.
- * @return the certificate policies
- */
- std::vector<std::string> policies() const;
-
- /**
- * Check to certificates for equality.
- * @return true both certificates are (binary) equal
- */
- bool operator==(const X509_Certificate& other) const;
-
- /**
- * Create a certificate from a data source providing the DER or
- * PEM encoded certificate.
- * @param source the data source
- */
- X509_Certificate(DataSource& source);
-
- /**
- * Create a certificate from a file containing the DER or PEM
- * encoded certificate.
- * @param filename the name of the certificate file
- */
- X509_Certificate(const std::string& filename);
- private:
- void force_decode();
- friend class X509_CA;
- X509_Certificate() {}
-
- Data_Store subject, issuer;
- bool self_signed;
- };
-
-/**
-* Check two certificates for inequality
-* @return true if the arguments represent different certificates,
-* false if they are binary identical
-*/
-BOTAN_DLL bool operator!=(const X509_Certificate&, const X509_Certificate&);
-
-/*
-* Data Store Extraction Operations
-*/
-BOTAN_DLL X509_DN create_dn(const Data_Store&);
-BOTAN_DLL AlternativeName create_alt_name(const Data_Store&);
-
-}
-
-#endif
diff --git a/botan/src/cert/x509/x509find.cpp b/botan/src/cert/x509/x509find.cpp
deleted file mode 100644
index 257367d..0000000
--- a/botan/src/cert/x509/x509find.cpp
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
-* X.509 Certificate Store Searching
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/x509find.h>
-#include <botan/charset.h>
-#include <algorithm>
-
-namespace Botan {
-
-namespace {
-
-/*
-* Compare based on case-insensive substrings
-*/
-bool substring_match(const std::string& searching_for,
- const std::string& found)
- {
- if(std::search(found.begin(), found.end(), searching_for.begin(),
- searching_for.end(), Charset::caseless_cmp) != found.end())
- return true;
- return false;
- }
-
-/*
-* Compare based on case-insensive match
-*/
-bool ignore_case(const std::string& searching_for, const std::string& found)
- {
- if(searching_for.size() != found.size())
- return false;
-
- return std::equal(found.begin(), found.end(),
- searching_for.begin(), Charset::caseless_cmp);
- }
-
-}
-
-/*
-* Search based on the contents of a DN entry
-*/
-bool DN_Check::match(const X509_Certificate& cert) const
- {
- std::vector<std::string> info = cert.subject_info(dn_entry);
-
- for(u32bit j = 0; j != info.size(); ++j)
- if(compare(info[j], looking_for))
- return true;
- return false;
- }
-
-/*
-* DN_Check Constructor
-*/
-DN_Check::DN_Check(const std::string& dn_entry, const std::string& looking_for,
- compare_fn func)
- {
- this->dn_entry = dn_entry;
- this->looking_for = looking_for;
- compare = func;
- }
-
-/*
-* DN_Check Constructor
-*/
-DN_Check::DN_Check(const std::string& dn_entry, const std::string& looking_for,
- Search_Type method)
- {
- this->dn_entry = dn_entry;
- this->looking_for = looking_for;
-
- if(method == SUBSTRING_MATCHING)
- compare = &substring_match;
- else if(method == IGNORE_CASE)
- compare = &ignore_case;
- else
- throw Invalid_Argument("Unknown method argument to DN_Check()");
- }
-
-/*
-* Match by issuer and serial number
-*/
-bool IandS_Match::match(const X509_Certificate& cert) const
- {
- if(cert.serial_number() != serial)
- return false;
- return (cert.issuer_dn() == issuer);
- }
-
-/*
-* IandS_Match Constructor
-*/
-IandS_Match::IandS_Match(const X509_DN& issuer,
- const MemoryRegion<byte>& serial)
- {
- this->issuer = issuer;
- this->serial = serial;
- }
-
-/*
-* Match by subject key identifier
-*/
-bool SKID_Match::match(const X509_Certificate& cert) const
- {
- return (cert.subject_key_id() == skid);
- }
-
-}
diff --git a/botan/src/cert/x509/x509find.h b/botan/src/cert/x509/x509find.h
deleted file mode 100644
index a7a84c7..0000000
--- a/botan/src/cert/x509/x509find.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
-* X.509 Certificate Store Searching
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_X509_CERT_STORE_SEARCH_H__
-#define BOTAN_X509_CERT_STORE_SEARCH_H__
-
-#include <botan/x509stor.h>
-
-namespace Botan {
-
-/*
-* Search based on the contents of a DN entry
-*/
-class BOTAN_DLL DN_Check : public X509_Store::Search_Func
- {
- public:
- typedef bool (*compare_fn)(const std::string&, const std::string&);
- enum Search_Type { SUBSTRING_MATCHING, IGNORE_CASE };
-
- bool match(const X509_Certificate& cert) const;
-
- DN_Check(const std::string&, const std::string&, compare_fn);
- DN_Check(const std::string&, const std::string&, Search_Type);
- private:
- std::string dn_entry, looking_for;
- compare_fn compare;
- };
-
-/*
-* Search for a certificate by issuer/serial
-*/
-class BOTAN_DLL IandS_Match : public X509_Store::Search_Func
- {
- public:
- bool match(const X509_Certificate& cert) const;
- IandS_Match(const X509_DN&, const MemoryRegion<byte>&);
- private:
- X509_DN issuer;
- MemoryVector<byte> serial;
- };
-
-/*
-* Search for a certificate by subject keyid
-*/
-class BOTAN_DLL SKID_Match : public X509_Store::Search_Func
- {
- public:
- bool match(const X509_Certificate& cert) const;
- SKID_Match(const MemoryRegion<byte>& s) : skid(s) {}
- private:
- MemoryVector<byte> skid;
- };
-
-}
-
-#endif
diff --git a/botan/src/cert/x509/x509opt.cpp b/botan/src/cert/x509/x509opt.cpp
deleted file mode 100644
index de9d589..0000000
--- a/botan/src/cert/x509/x509opt.cpp
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
-* X.509 Certificate Options
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/x509self.h>
-#include <botan/util.h>
-#include <botan/parsing.h>
-#include <botan/oids.h>
-#include <ctime>
-
-namespace Botan {
-
-/*
-* Set when the certificate should become valid
-*/
-void X509_Cert_Options::not_before(const std::string& time_string)
- {
- start = X509_Time(time_string);
- }
-
-/*
-* Set when the certificate should expire
-*/
-void X509_Cert_Options::not_after(const std::string& time_string)
- {
- end = X509_Time(time_string);
- }
-
-/*
-* Set key constraint information
-*/
-void X509_Cert_Options::add_constraints(Key_Constraints usage)
- {
- constraints = usage;
- }
-
-/*
-* Set key constraint information
-*/
-void X509_Cert_Options::add_ex_constraint(const OID& oid)
- {
- ex_constraints.push_back(oid);
- }
-
-/*
-* Set key constraint information
-*/
-void X509_Cert_Options::add_ex_constraint(const std::string& oid_str)
- {
- ex_constraints.push_back(OIDS::lookup(oid_str));
- }
-
-/*
-* Mark this certificate for CA usage
-*/
-void X509_Cert_Options::CA_key(u32bit limit)
- {
- is_CA = true;
- path_limit = limit;
- }
-
-/*
-* Do basic sanity checks
-*/
-void X509_Cert_Options::sanity_check() const
- {
- if(common_name == "" || country == "")
- throw Encoding_Error("X.509 certificate: name and country MUST be set");
- if(country.size() != 2)
- throw Encoding_Error("Invalid ISO country code: " + country);
- if(start >= end)
- throw Encoding_Error("X509_Cert_Options: invalid time constraints");
- }
-
-/*
-* Initialize the certificate options
-*/
-X509_Cert_Options::X509_Cert_Options(const std::string& initial_opts,
- u32bit expiration_time_in_seconds)
- {
- is_CA = false;
- path_limit = 0;
- constraints = NO_CONSTRAINTS;
-
- const u32bit now = system_time();
-
- start = X509_Time(now);
- end = X509_Time(now + expiration_time_in_seconds);
-
- if(initial_opts == "")
- return;
-
- std::vector<std::string> parsed = split_on(initial_opts, '/');
-
- if(parsed.size() > 4)
- throw Invalid_Argument("X.509 cert options: Too many names: "
- + initial_opts);
-
- if(parsed.size() >= 1) common_name = parsed[0];
- if(parsed.size() >= 2) country = parsed[1];
- if(parsed.size() >= 3) organization = parsed[2];
- if(parsed.size() == 4) org_unit = parsed[3];
- }
-
-}
diff --git a/botan/src/cert/x509/x509self.cpp b/botan/src/cert/x509/x509self.cpp
deleted file mode 100644
index 8afb22a..0000000
--- a/botan/src/cert/x509/x509self.cpp
+++ /dev/null
@@ -1,176 +0,0 @@
-/*
-* PKCS #10/Self Signed Cert Creation
-* (C) 1999-2008 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/x509self.h>
-#include <botan/x509_ext.h>
-#include <botan/x509_ca.h>
-#include <botan/der_enc.h>
-#include <botan/look_pk.h>
-#include <botan/oids.h>
-#include <botan/pipe.h>
-#include <memory>
-
-namespace Botan {
-
-namespace {
-
-/*
-* Shared setup for self-signed items
-*/
-MemoryVector<byte> shared_setup(const X509_Cert_Options& opts,
- const Private_Key& key)
- {
- const Private_Key* key_pointer = &key;
- if(!dynamic_cast<const PK_Signing_Key*>(key_pointer))
- throw Invalid_Argument("Key type " + key.algo_name() + " cannot sign");
-
- opts.sanity_check();
-
- Pipe key_encoder;
- key_encoder.start_msg();
- X509::encode(key, key_encoder, RAW_BER);
- key_encoder.end_msg();
-
- return key_encoder.read_all();
- }
-
-/*
-* Load information from the X509_Cert_Options
-*/
-void load_info(const X509_Cert_Options& opts, X509_DN& subject_dn,
- AlternativeName& subject_alt)
- {
- subject_dn.add_attribute("X520.CommonName", opts.common_name);
- subject_dn.add_attribute("X520.Country", opts.country);
- subject_dn.add_attribute("X520.State", opts.state);
- subject_dn.add_attribute("X520.Locality", opts.locality);
- subject_dn.add_attribute("X520.Organization", opts.organization);
- subject_dn.add_attribute("X520.OrganizationalUnit", opts.org_unit);
- subject_dn.add_attribute("X520.SerialNumber", opts.serial_number);
- subject_alt = AlternativeName(opts.email, opts.uri, opts.dns, opts.ip);
- subject_alt.add_othername(OIDS::lookup("PKIX.XMPPAddr"),
- opts.xmpp, UTF8_STRING);
- }
-
-}
-
-namespace X509 {
-
-/*
-* Create a new self-signed X.509 certificate
-*/
-X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts,
- const Private_Key& key,
- RandomNumberGenerator& rng)
- {
- AlgorithmIdentifier sig_algo;
- X509_DN subject_dn;
- AlternativeName subject_alt;
-
- MemoryVector<byte> pub_key = shared_setup(opts, key);
- std::auto_ptr<PK_Signer> signer(choose_sig_format(key, sig_algo));
- load_info(opts, subject_dn, subject_alt);
-
- Key_Constraints constraints;
- if(opts.is_CA)
- constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN);
- else
- constraints = find_constraints(key, opts.constraints);
-
- Extensions extensions;
-
- extensions.add(new Cert_Extension::Subject_Key_ID(pub_key));
- extensions.add(new Cert_Extension::Key_Usage(constraints));
- extensions.add(
- new Cert_Extension::Extended_Key_Usage(opts.ex_constraints));
- extensions.add(
- new Cert_Extension::Subject_Alternative_Name(subject_alt));
- extensions.add(
- new Cert_Extension::Basic_Constraints(opts.is_CA, opts.path_limit));
-
- return X509_CA::make_cert(signer.get(), rng, sig_algo, pub_key,
- opts.start, opts.end,
- subject_dn, subject_dn,
- extensions);
- }
-
-/*
-* Create a PKCS #10 certificate request
-*/
-PKCS10_Request create_cert_req(const X509_Cert_Options& opts,
- const Private_Key& key,
- RandomNumberGenerator& rng)
- {
- AlgorithmIdentifier sig_algo;
- X509_DN subject_dn;
- AlternativeName subject_alt;
-
- MemoryVector<byte> pub_key = shared_setup(opts, key);
- std::auto_ptr<PK_Signer> signer(choose_sig_format(key, sig_algo));
- load_info(opts, subject_dn, subject_alt);
-
- const u32bit PKCS10_VERSION = 0;
-
- Extensions extensions;
-
- extensions.add(
- new Cert_Extension::Basic_Constraints(opts.is_CA, opts.path_limit));
- extensions.add(
- new Cert_Extension::Key_Usage(
- opts.is_CA ? Key_Constraints(KEY_CERT_SIGN | CRL_SIGN) :
- find_constraints(key, opts.constraints)
- )
- );
- extensions.add(
- new Cert_Extension::Extended_Key_Usage(opts.ex_constraints));
- extensions.add(
- new Cert_Extension::Subject_Alternative_Name(subject_alt));
-
- DER_Encoder tbs_req;
-
- tbs_req.start_cons(SEQUENCE)
- .encode(PKCS10_VERSION)
- .encode(subject_dn)
- .raw_bytes(pub_key)
- .start_explicit(0);
-
- if(opts.challenge != "")
- {
- ASN1_String challenge(opts.challenge, DIRECTORY_STRING);
-
- tbs_req.encode(
- Attribute("PKCS9.ChallengePassword",
- DER_Encoder().encode(challenge).get_contents()
- )
- );
- }
-
- tbs_req.encode(
- Attribute("PKCS9.ExtensionRequest",
- DER_Encoder()
- .start_cons(SEQUENCE)
- .encode(extensions)
- .end_cons()
- .get_contents()
- )
- )
- .end_explicit()
- .end_cons();
-
- DataSource_Memory source(
- X509_Object::make_signed(signer.get(),
- rng,
- sig_algo,
- tbs_req.get_contents())
- );
-
- return PKCS10_Request(source);
- }
-
-}
-
-}
diff --git a/botan/src/cert/x509/x509self.h b/botan/src/cert/x509/x509self.h
deleted file mode 100644
index bd3e291..0000000
--- a/botan/src/cert/x509/x509self.h
+++ /dev/null
@@ -1,198 +0,0 @@
-/*
-* X.509 Self-Signed Certificate
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_X509_SELF_H__
-#define BOTAN_X509_SELF_H__
-
-#include <botan/x509cert.h>
-#include <botan/pkcs8.h>
-#include <botan/pkcs10.h>
-
-namespace Botan {
-
-/**
-* Options for X.509 certificates.
-*/
-class BOTAN_DLL X509_Cert_Options
- {
- public:
- /**
- * the subject common name
- */
- std::string common_name;
-
- /**
- * the subject counry
- */
- std::string country;
-
- /**
- * the subject organization
- */
- std::string organization;
-
- /**
- * the subject organizational unit
- */
- std::string org_unit;
-
- /**
- * the subject locality
- */
- std::string locality;
-
- /**
- * the subject state
- */
- std::string state;
-
- /**
- * the subject serial number
- */
- std::string serial_number;
-
- /**
- * the subject email adress
- */
- std::string email;
-
- /**
- * the subject URI
- */
- std::string uri;
-
- /**
- * the subject IPv4 address
- */
- std::string ip;
-
- /**
- * the subject DNS
- */
- std::string dns;
-
- /**
- * the subject XMPP
- */
- std::string xmpp;
-
- /**
- * the subject challenge password
- */
- std::string challenge;
-
- /**
- * the subject notBefore
- */
- X509_Time start;
- /**
- * the subject notAfter
- */
- X509_Time end;
-
- /**
- * Indicates whether the certificate request
- */
- bool is_CA;
-
- /**
- * Indicates the BasicConstraints path limit
- */
- u32bit path_limit;
-
- /**
- * The key constraints for the subject public key
- */
- Key_Constraints constraints;
-
- /**
- * The key extended constraints for the subject public key
- */
- std::vector<OID> ex_constraints;
-
- /**
- * Check the options set in this object for validity.
- */
- void sanity_check() const;
-
- /**
- * Mark the certificate as a CA certificate and set the path limit.
- * @param limit the path limit to be set in the BasicConstraints extension.
- */
- void CA_key(u32bit limit = 1);
-
- /**
- * Set the notBefore of the certificate.
- * @param time the notBefore value of the certificate
- */
- void not_before(const std::string& time);
-
- /**
- * Set the notAfter of the certificate.
- * @param time the notAfter value of the certificate
- */
- void not_after(const std::string& time);
-
- /**
- * Add the key constraints of the KeyUsage extension.
- * @param constr the constraints to set
- */
- void add_constraints(Key_Constraints constr);
-
- /**
- * Add constraints to the ExtendedKeyUsage extension.
- * @param oid the oid to add
- */
- void add_ex_constraint(const OID& oid);
-
- /**
- * Add constraints to the ExtendedKeyUsage extension.
- * @param name the name to look up the oid to add
- */
- void add_ex_constraint(const std::string& name);
-
- /**
- * Construct a new options object
- * @param opts define the common name of this object. An example for this
- * parameter would be "common_name/country/organization/organizational_unit".
- * @param expire_time the expiration time (from the current clock in seconds)
- */
- X509_Cert_Options(const std::string& opts = "",
- u32bit expire_time = 365 * 24 * 60 * 60);
- };
-
-namespace X509 {
-
-/**
-* Create a self-signed X.509 certificate.
-* @param opts the options defining the certificate to create
-* @param key the private key used for signing, i.e. the key
-* associated with this self-signed certificate
-* @param rng the rng to use
-* @return the newly created self-signed certificate
-*/
-BOTAN_DLL X509_Certificate
-create_self_signed_cert(const X509_Cert_Options& opts,
- const Private_Key& key,
- RandomNumberGenerator& rng);
-
-/**
-* Create a PKCS#10 certificate request.
-* @param opts the options defining the request to create
-* @param key the key used to sign this request
-* @param rng the rng to use
-* @return the newly created PKCS#10 request
-*/
-BOTAN_DLL PKCS10_Request create_cert_req(const X509_Cert_Options& opts,
- const Private_Key& key,
- RandomNumberGenerator& rng);
-
-}
-
-}
-
-#endif
diff --git a/botan/src/cert/x509/x509stor.cpp b/botan/src/cert/x509/x509stor.cpp
deleted file mode 100644
index cb61bc2..0000000
--- a/botan/src/cert/x509/x509stor.cpp
+++ /dev/null
@@ -1,695 +0,0 @@
-/*
-* X.509 Certificate Store
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/x509stor.h>
-#include <botan/parsing.h>
-#include <botan/pubkey.h>
-#include <botan/look_pk.h>
-#include <botan/oids.h>
-#include <botan/util.h>
-#include <algorithm>
-#include <memory>
-
-namespace Botan {
-
-namespace {
-
-/*
-* Do a validity check
-*/
-s32bit validity_check(const X509_Time& start, const X509_Time& end,
- u64bit current_time, u32bit slack)
- {
- const s32bit NOT_YET_VALID = -1, VALID_TIME = 0, EXPIRED = 1;
-
- if(start.cmp(current_time + slack) > 0)
- return NOT_YET_VALID;
- if(end.cmp(current_time - slack) < 0)
- return EXPIRED;
- return VALID_TIME;
- }
-
-/*
-* Compare the value of unique ID fields
-*/
-bool compare_ids(const MemoryVector<byte>& id1,
- const MemoryVector<byte>& id2)
- {
- if(!id1.size() || !id2.size())
- return true;
- return (id1 == id2);
- }
-
-/*
-* Check a particular usage restriction
-*/
-bool check_usage(const X509_Certificate& cert, X509_Store::Cert_Usage usage,
- X509_Store::Cert_Usage check_for, Key_Constraints constraints)
- {
- if((usage & check_for) == 0)
- return true;
- if(cert.constraints() == NO_CONSTRAINTS)
- return true;
- if(cert.constraints() & constraints)
- return true;
- return false;
- }
-
-/*
-* Check a particular usage restriction
-*/
-bool check_usage(const X509_Certificate& cert, X509_Store::Cert_Usage usage,
- X509_Store::Cert_Usage check_for,
- const std::string& usage_oid)
- {
- if((usage & check_for) == 0)
- return true;
-
- const std::vector<std::string> constraints = cert.ex_constraints();
-
- if(constraints.empty())
- return true;
-
- return std::binary_search(constraints.begin(), constraints.end(),
- usage_oid);
- }
-
-/*
-* Check the usage restrictions
-*/
-X509_Code usage_check(const X509_Certificate& cert,
- X509_Store::Cert_Usage usage)
- {
- if(usage == X509_Store::ANY)
- return VERIFIED;
-
- if(!check_usage(cert, usage, X509_Store::CRL_SIGNING, CRL_SIGN))
- return CA_CERT_NOT_FOR_CRL_ISSUER;
-
- if(!check_usage(cert, usage, X509_Store::TLS_SERVER, "PKIX.ServerAuth"))
- return INVALID_USAGE;
- if(!check_usage(cert, usage, X509_Store::TLS_CLIENT, "PKIX.ClientAuth"))
- return INVALID_USAGE;
- if(!check_usage(cert, usage, X509_Store::CODE_SIGNING, "PKIX.CodeSigning"))
- return INVALID_USAGE;
- if(!check_usage(cert, usage, X509_Store::EMAIL_PROTECTION,
- "PKIX.EmailProtection"))
- return INVALID_USAGE;
- if(!check_usage(cert, usage, X509_Store::TIME_STAMPING,
- "PKIX.TimeStamping"))
- return INVALID_USAGE;
-
- return VERIFIED;
- }
-
-}
-
-/*
-* Define equality for revocation data
-*/
-bool X509_Store::CRL_Data::operator==(const CRL_Data& other) const
- {
- if(issuer != other.issuer)
- return false;
- if(serial != other.serial)
- return false;
- return compare_ids(auth_key_id, other.auth_key_id);
- }
-
-/*
-* Define inequality for revocation data
-*/
-bool X509_Store::CRL_Data::operator!=(const CRL_Data& other) const
- {
- return !((*this) == other);
- }
-
-/*
-* Define an ordering for revocation data
-*/
-bool X509_Store::CRL_Data::operator<(const X509_Store::CRL_Data& other) const
- {
- if(*this == other)
- return false;
-
- const MemoryVector<byte>& serial1 = serial;
- const MemoryVector<byte>& key_id1 = auth_key_id;
- const MemoryVector<byte>& serial2 = other.serial;
- const MemoryVector<byte>& key_id2 = other.auth_key_id;
-
- if(compare_ids(key_id1, key_id2) == false)
- {
- if(std::lexicographical_compare(key_id1.begin(), key_id1.end(),
- key_id2.begin(), key_id2.end()))
- return true;
-
- if(std::lexicographical_compare(key_id2.begin(), key_id2.end(),
- key_id1.begin(), key_id1.end()))
- return false;
- }
-
- if(compare_ids(serial1, serial2) == false)
- {
- if(std::lexicographical_compare(serial1.begin(), serial1.end(),
- serial2.begin(), serial2.end()))
- return true;
-
- if(std::lexicographical_compare(serial2.begin(), serial2.end(),
- serial1.begin(), serial1.end()))
- return false;
- }
-
- return (issuer < other.issuer);
- }
-
-/*
-* X509_Store Constructor
-*/
-X509_Store::X509_Store(u32bit slack, u32bit cache_timeout)
- {
- revoked_info_valid = true;
-
- validation_cache_timeout = cache_timeout;
- time_slack = slack;
- }
-
-/*
-* X509_Store Copy Constructor
-*/
-X509_Store::X509_Store(const X509_Store& other)
- {
- certs = other.certs;
- revoked = other.revoked;
- revoked_info_valid = other.revoked_info_valid;
- for(u32bit j = 0; j != other.stores.size(); ++j)
- stores[j] = other.stores[j]->clone();
- time_slack = other.time_slack;
- }
-
-/*
-* X509_Store Destructor
-*/
-X509_Store::~X509_Store()
- {
- for(u32bit j = 0; j != stores.size(); ++j)
- delete stores[j];
- }
-
-/*
-* Verify a certificate's authenticity
-*/
-X509_Code X509_Store::validate_cert(const X509_Certificate& cert,
- Cert_Usage cert_usage)
- {
- recompute_revoked_info();
-
- std::vector<u32bit> indexes;
- X509_Code chaining_result = construct_cert_chain(cert, indexes);
- if(chaining_result != VERIFIED)
- return chaining_result;
-
- const u64bit current_time = system_time();
-
- s32bit time_check = validity_check(cert.start_time(), cert.end_time(),
- current_time, time_slack);
- if(time_check < 0) return CERT_NOT_YET_VALID;
- else if(time_check > 0) return CERT_HAS_EXPIRED;
-
- X509_Code sig_check_result = check_sig(cert, certs[indexes[0]]);
- if(sig_check_result != VERIFIED)
- return sig_check_result;
-
- if(is_revoked(cert))
- return CERT_IS_REVOKED;
-
- for(u32bit j = 0; j != indexes.size() - 1; ++j)
- {
- const X509_Certificate& current_cert = certs[indexes[j]].cert;
-
- time_check = validity_check(current_cert.start_time(),
- current_cert.end_time(),
- current_time,
- time_slack);
-
- if(time_check < 0) return CERT_NOT_YET_VALID;
- else if(time_check > 0) return CERT_HAS_EXPIRED;
-
- sig_check_result = check_sig(certs[indexes[j]], certs[indexes[j+1]]);
- if(sig_check_result != VERIFIED)
- return sig_check_result;
- }
-
- return usage_check(cert, cert_usage);
- }
-
-/*
-* Find this certificate
-*/
-u32bit X509_Store::find_cert(const X509_DN& subject_dn,
- const MemoryRegion<byte>& subject_key_id) const
- {
- for(u32bit j = 0; j != certs.size(); ++j)
- {
- const X509_Certificate& this_cert = certs[j].cert;
- if(compare_ids(this_cert.subject_key_id(), subject_key_id) &&
- this_cert.subject_dn() == subject_dn)
- return j;
- }
- return NO_CERT_FOUND;
- }
-
-/*
-* Find the parent of this certificate
-*/
-u32bit X509_Store::find_parent_of(const X509_Certificate& cert)
- {
- const X509_DN issuer_dn = cert.issuer_dn();
- const MemoryVector<byte> auth_key_id = cert.authority_key_id();
-
- u32bit index = find_cert(issuer_dn, auth_key_id);
-
- if(index != NO_CERT_FOUND)
- return index;
-
- if(auth_key_id.size())
- {
- for(u32bit j = 0; j != stores.size(); ++j)
- {
- std::vector<X509_Certificate> got = stores[j]->by_SKID(auth_key_id);
-
- if(got.empty())
- continue;
-
- for(u32bit k = 0; k != got.size(); ++k)
- add_cert(got[k]);
- return find_cert(issuer_dn, auth_key_id);
- }
- }
-
- return NO_CERT_FOUND;
- }
-
-/*
-* Construct a chain of certificate relationships
-*/
-X509_Code X509_Store::construct_cert_chain(const X509_Certificate& end_cert,
- std::vector<u32bit>& indexes,
- bool need_full_chain)
- {
- u32bit parent = find_parent_of(end_cert);
-
- while(true)
- {
- if(parent == NO_CERT_FOUND)
- return CERT_ISSUER_NOT_FOUND;
- indexes.push_back(parent);
-
- if(certs[parent].is_verified(validation_cache_timeout))
- if(certs[parent].verify_result() != VERIFIED)
- return certs[parent].verify_result();
-
- const X509_Certificate& parent_cert = certs[parent].cert;
- if(!parent_cert.is_CA_cert())
- return CA_CERT_NOT_FOR_CERT_ISSUER;
-
- if(certs[parent].is_trusted())
- break;
- if(parent_cert.is_self_signed())
- return CANNOT_ESTABLISH_TRUST;
-
- if(parent_cert.path_limit() < indexes.size() - 1)
- return CERT_CHAIN_TOO_LONG;
-
- parent = find_parent_of(parent_cert);
- }
-
- if(need_full_chain)
- return VERIFIED;
-
- while(true)
- {
- if(indexes.size() < 2)
- break;
-
- const u32bit cert = indexes.back();
-
- if(certs[cert].is_verified(validation_cache_timeout))
- {
- if(certs[cert].verify_result() != VERIFIED)
- throw Internal_Error("X509_Store::construct_cert_chain");
- indexes.pop_back();
- }
- else
- break;
- }
-
- const u32bit last_cert = indexes.back();
- const u32bit parent_of_last_cert = find_parent_of(certs[last_cert].cert);
- if(parent_of_last_cert == NO_CERT_FOUND)
- return CERT_ISSUER_NOT_FOUND;
- indexes.push_back(parent_of_last_cert);
-
- return VERIFIED;
- }
-
-/*
-* Check the CAs signature on a certificate
-*/
-X509_Code X509_Store::check_sig(const Cert_Info& cert_info,
- const Cert_Info& ca_cert_info) const
- {
- if(cert_info.is_verified(validation_cache_timeout))
- return cert_info.verify_result();
-
- const X509_Certificate& cert = cert_info.cert;
- const X509_Certificate& ca_cert = ca_cert_info.cert;
-
- X509_Code verify_code = check_sig(cert, ca_cert.subject_public_key());
-
- cert_info.set_result(verify_code);
-
- return verify_code;
- }
-
-/*
-* Check a CA's signature
-*/
-X509_Code X509_Store::check_sig(const X509_Object& object, Public_Key* key)
- {
- std::auto_ptr<Public_Key> pub_key(key);
- std::auto_ptr<PK_Verifier> verifier;
-
- try {
- std::vector<std::string> sig_info =
- split_on(OIDS::lookup(object.signature_algorithm().oid), '/');
-
- if(sig_info.size() != 2 || sig_info[0] != pub_key->algo_name())
- return SIGNATURE_ERROR;
-
- std::string padding = sig_info[1];
- Signature_Format format;
- if(key->message_parts() >= 2) format = DER_SEQUENCE;
- else format = IEEE_1363;
-
- if(dynamic_cast<PK_Verifying_with_MR_Key*>(pub_key.get()))
- {
- PK_Verifying_with_MR_Key* sig_key =
- dynamic_cast<PK_Verifying_with_MR_Key*>(pub_key.get());
- verifier.reset(get_pk_verifier(*sig_key, padding, format));
- }
- else if(dynamic_cast<PK_Verifying_wo_MR_Key*>(pub_key.get()))
- {
- PK_Verifying_wo_MR_Key* sig_key =
- dynamic_cast<PK_Verifying_wo_MR_Key*>(pub_key.get());
- verifier.reset(get_pk_verifier(*sig_key, padding, format));
- }
- else
- return CA_CERT_CANNOT_SIGN;
-
- bool valid = verifier->verify_message(object.tbs_data(),
- object.signature());
-
- if(valid)
- return VERIFIED;
- else
- return SIGNATURE_ERROR;
- }
- catch(Decoding_Error) { return CERT_FORMAT_ERROR; }
- catch(Exception) {}
-
- return UNKNOWN_X509_ERROR;
- }
-
-/*
-* Recompute the revocation status of the certs
-*/
-void X509_Store::recompute_revoked_info() const
- {
- if(revoked_info_valid)
- return;
-
- for(u32bit j = 0; j != certs.size(); ++j)
- {
- if((certs[j].is_verified(validation_cache_timeout)) &&
- (certs[j].verify_result() != VERIFIED))
- continue;
-
- if(is_revoked(certs[j].cert))
- certs[j].set_result(CERT_IS_REVOKED);
- }
-
- revoked_info_valid = true;
- }
-
-/*
-* Check if a certificate is revoked
-*/
-bool X509_Store::is_revoked(const X509_Certificate& cert) const
- {
- CRL_Data revoked_info;
- revoked_info.issuer = cert.issuer_dn();
- revoked_info.serial = cert.serial_number();
- revoked_info.auth_key_id = cert.authority_key_id();
-
- if(std::binary_search(revoked.begin(), revoked.end(), revoked_info))
- return true;
- return false;
- }
-
-/*
-* Retrieve all the certificates in the store
-*/
-std::vector<X509_Certificate>
-X509_Store::get_certs(const Search_Func& search) const
- {
- std::vector<X509_Certificate> found_certs;
- for(u32bit j = 0; j != certs.size(); ++j)
- {
- if(search.match(certs[j].cert))
- found_certs.push_back(certs[j].cert);
- }
- return found_certs;
- }
-
-/*
-* Construct a path back to a root for this cert
-*/
-std::vector<X509_Certificate>
-X509_Store::get_cert_chain(const X509_Certificate& cert)
- {
- std::vector<X509_Certificate> result;
- std::vector<u32bit> indexes;
- X509_Code chaining_result = construct_cert_chain(cert, indexes, true);
-
- if(chaining_result != VERIFIED)
- throw Invalid_State("X509_Store::get_cert_chain: Can't construct chain");
-
- for(u32bit j = 0; j != indexes.size(); ++j)
- result.push_back(certs[indexes[j]].cert);
- return result;
- }
-
-/*
-* Add a certificate store to the list of stores
-*/
-void X509_Store::add_new_certstore(Certificate_Store* certstore)
- {
- stores.push_back(certstore);
- }
-
-/*
-* Add a certificate to the store
-*/
-void X509_Store::add_cert(const X509_Certificate& cert, bool trusted)
- {
- if(trusted && !cert.is_self_signed())
- throw Invalid_Argument("X509_Store: Trusted certs must be self-signed");
-
- if(find_cert(cert.subject_dn(), cert.subject_key_id()) == NO_CERT_FOUND)
- {
- revoked_info_valid = false;
- Cert_Info info(cert, trusted);
- certs.push_back(info);
- }
- else if(trusted)
- {
- for(u32bit j = 0; j != certs.size(); ++j)
- {
- const X509_Certificate& this_cert = certs[j].cert;
- if(this_cert == cert)
- certs[j].trusted = trusted;
- }
- }
- }
-
-/*
-* Add one or more certificates to the store
-*/
-void X509_Store::do_add_certs(DataSource& source, bool trusted)
- {
- while(!source.end_of_data())
- {
- try {
- X509_Certificate cert(source);
- add_cert(cert, trusted);
- }
- catch(Decoding_Error) {}
- catch(Invalid_Argument) {}
- }
- }
-
-/*
-* Add one or more certificates to the store
-*/
-void X509_Store::add_certs(DataSource& source)
- {
- do_add_certs(source, false);
- }
-
-/*
-* Add one or more certificates to the store
-*/
-void X509_Store::add_trusted_certs(DataSource& source)
- {
- do_add_certs(source, true);
- }
-
-/*
-* Add one or more certificates to the store
-*/
-X509_Code X509_Store::add_crl(const X509_CRL& crl)
- {
- s32bit time_check = validity_check(crl.this_update(), crl.next_update(),
- system_time(), time_slack);
-
- if(time_check < 0) return CRL_NOT_YET_VALID;
- else if(time_check > 0) return CRL_HAS_EXPIRED;
-
- u32bit cert_index = NO_CERT_FOUND;
-
- for(u32bit j = 0; j != certs.size(); ++j)
- {
- const X509_Certificate& this_cert = certs[j].cert;
- if(compare_ids(this_cert.subject_key_id(), crl.authority_key_id()))
- {
- if(this_cert.subject_dn() == crl.issuer_dn())
- cert_index = j;
- }
- }
-
- if(cert_index == NO_CERT_FOUND)
- return CRL_ISSUER_NOT_FOUND;
-
- const X509_Certificate& ca_cert = certs[cert_index].cert;
-
- X509_Code verify_result = validate_cert(ca_cert, CRL_SIGNING);
- if(verify_result != VERIFIED)
- return verify_result;
-
- verify_result = check_sig(crl, ca_cert.subject_public_key());
- if(verify_result != VERIFIED)
- return verify_result;
-
- std::vector<CRL_Entry> revoked_certs = crl.get_revoked();
-
- for(u32bit j = 0; j != revoked_certs.size(); ++j)
- {
- CRL_Data revoked_info;
- revoked_info.issuer = crl.issuer_dn();
- revoked_info.serial = revoked_certs[j].serial_number();
- revoked_info.auth_key_id = crl.authority_key_id();
-
- std::vector<CRL_Data>::iterator p =
- std::find(revoked.begin(), revoked.end(), revoked_info);
-
- if(revoked_certs[j].reason_code() == REMOVE_FROM_CRL)
- {
- if(p == revoked.end()) continue;
- revoked.erase(p);
- }
- else
- {
- if(p != revoked.end()) continue;
- revoked.push_back(revoked_info);
- }
- }
-
- std::sort(revoked.begin(), revoked.end());
- revoked_info_valid = false;
-
- return VERIFIED;
- }
-
-/*
-* PEM encode the set of certificates
-*/
-std::string X509_Store::PEM_encode() const
- {
- std::string cert_store;
- for(u32bit j = 0; j != certs.size(); ++j)
- cert_store += certs[j].cert.PEM_encode();
- return cert_store;
- }
-
-/*
-* Create a Cert_Info structure
-*/
-X509_Store::Cert_Info::Cert_Info(const X509_Certificate& c,
- bool t) : cert(c), trusted(t)
- {
- checked = false;
- result = UNKNOWN_X509_ERROR;
- last_checked = 0;
- }
-
-/*
-* Return the verification results
-*/
-X509_Code X509_Store::Cert_Info::verify_result() const
- {
- if(!checked)
- throw Invalid_State("Cert_Info::verify_result() called; not checked");
- return result;
- }
-
-/*
-* Set the verification results
-*/
-void X509_Store::Cert_Info::set_result(X509_Code code) const
- {
- result = code;
- last_checked = system_time();
- checked = true;
- }
-
-/*
-* Check if this certificate can be trusted
-*/
-bool X509_Store::Cert_Info::is_trusted() const
- {
- return trusted;
- }
-
-/*
-* Check if this certificate has been verified
-*/
-bool X509_Store::Cert_Info::is_verified(u32bit timeout) const
- {
- if(!checked)
- return false;
- if(result != VERIFIED && result != CERT_NOT_YET_VALID)
- return true;
-
- const u64bit current_time = system_time();
-
- if(current_time > last_checked + timeout)
- checked = false;
-
- return checked;
- }
-
-}
diff --git a/botan/src/cert/x509/x509stor.h b/botan/src/cert/x509/x509stor.h
deleted file mode 100644
index 4e60378..0000000
--- a/botan/src/cert/x509/x509stor.h
+++ /dev/null
@@ -1,143 +0,0 @@
-/*
-* X.509 Certificate Store
-* (C) 1999-2007 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_X509_CERT_STORE_H__
-#define BOTAN_X509_CERT_STORE_H__
-
-#include <botan/x509cert.h>
-#include <botan/x509_crl.h>
-#include <botan/certstor.h>
-
-namespace Botan {
-
-/*
-* X.509 Certificate Validation Result
-*/
-enum X509_Code {
- VERIFIED,
- UNKNOWN_X509_ERROR,
- CANNOT_ESTABLISH_TRUST,
- CERT_CHAIN_TOO_LONG,
- SIGNATURE_ERROR,
- POLICY_ERROR,
- INVALID_USAGE,
-
- CERT_FORMAT_ERROR,
- CERT_ISSUER_NOT_FOUND,
- CERT_NOT_YET_VALID,
- CERT_HAS_EXPIRED,
- CERT_IS_REVOKED,
-
- CRL_FORMAT_ERROR,
- CRL_ISSUER_NOT_FOUND,
- CRL_NOT_YET_VALID,
- CRL_HAS_EXPIRED,
-
- CA_CERT_CANNOT_SIGN,
- CA_CERT_NOT_FOR_CERT_ISSUER,
- CA_CERT_NOT_FOR_CRL_ISSUER
-};
-
-/*
-* X.509 Certificate Store
-*/
-class BOTAN_DLL X509_Store
- {
- public:
- class BOTAN_DLL Search_Func
- {
- public:
- virtual bool match(const X509_Certificate&) const = 0;
- virtual ~Search_Func() {}
- };
-
- enum Cert_Usage {
- ANY = 0x00,
- TLS_SERVER = 0x01,
- TLS_CLIENT = 0x02,
- CODE_SIGNING = 0x04,
- EMAIL_PROTECTION = 0x08,
- TIME_STAMPING = 0x10,
- CRL_SIGNING = 0x20
- };
-
- X509_Code validate_cert(const X509_Certificate&, Cert_Usage = ANY);
-
- std::vector<X509_Certificate> get_certs(const Search_Func&) const;
- std::vector<X509_Certificate> get_cert_chain(const X509_Certificate&);
- std::string PEM_encode() const;
-
- /*
- * Made CRL_Data public for XLC for Cell 0.9, otherwise cannot
- * instantiate member variable std::vector<CRL_Data> revoked
- */
- class BOTAN_DLL CRL_Data
- {
- public:
- X509_DN issuer;
- MemoryVector<byte> serial, auth_key_id;
- bool operator==(const CRL_Data&) const;
- bool operator!=(const CRL_Data&) const;
- bool operator<(const CRL_Data&) const;
- };
-
- X509_Code add_crl(const X509_CRL&);
- void add_cert(const X509_Certificate&, bool = false);
- void add_certs(DataSource&);
- void add_trusted_certs(DataSource&);
-
- void add_new_certstore(Certificate_Store*);
-
- static X509_Code check_sig(const X509_Object&, Public_Key*);
-
- X509_Store(u32bit time_slack = 24*60*60,
- u32bit cache_results = 30*60);
-
- X509_Store(const X509_Store&);
- ~X509_Store();
- private:
- X509_Store& operator=(const X509_Store&) { return (*this); }
-
- class BOTAN_DLL Cert_Info
- {
- public:
- bool is_verified(u32bit timeout) const;
- bool is_trusted() const;
- X509_Code verify_result() const;
- void set_result(X509_Code) const;
- Cert_Info(const X509_Certificate&, bool = false);
-
- X509_Certificate cert;
- bool trusted;
- private:
- mutable bool checked;
- mutable X509_Code result;
- mutable u64bit last_checked;
- };
-
- u32bit find_cert(const X509_DN&, const MemoryRegion<byte>&) const;
- X509_Code check_sig(const Cert_Info&, const Cert_Info&) const;
- void recompute_revoked_info() const;
-
- void do_add_certs(DataSource&, bool);
- X509_Code construct_cert_chain(const X509_Certificate&,
- std::vector<u32bit>&, bool = false);
-
- u32bit find_parent_of(const X509_Certificate&);
- bool is_revoked(const X509_Certificate&) const;
-
- static const u32bit NO_CERT_FOUND = 0xFFFFFFFF;
- std::vector<Cert_Info> certs;
- std::vector<CRL_Data> revoked;
- std::vector<Certificate_Store*> stores;
- u32bit time_slack, validation_cache_timeout;
- mutable bool revoked_info_valid;
- };
-
-}
-
-#endif