diff options
author | Patrik Fiedler <[email protected]> | 2018-01-03 10:45:41 +0100 |
---|---|---|
committer | Patrik Fiedler <[email protected]> | 2018-01-03 11:22:28 +0100 |
commit | cc5e87c0bf9553b1c18b1c487c4089111d3271d7 (patch) | |
tree | 7c09cc99f77df12539644b5abb774fd8d104226e | |
parent | 1cf931e3e5871361d286ded8463fd9cc55ceb4a6 (diff) |
add the detection for the ca issuers field(1.3.6.1.5.5.7.48.2) in x509 certificates
-rw-r--r-- | src/lib/asn1/oids.cpp | 2 | ||||
-rw-r--r-- | src/lib/x509/x509_ext.cpp | 13 | ||||
-rw-r--r-- | src/lib/x509/x509_ext.h | 11 | ||||
-rw-r--r-- | src/lib/x509/x509cert.cpp | 16 | ||||
-rw-r--r-- | src/lib/x509/x509cert.h | 5 |
5 files changed, 44 insertions, 3 deletions
diff --git a/src/lib/asn1/oids.cpp b/src/lib/asn1/oids.cpp index 2c97f1d29..e88fdc980 100644 --- a/src/lib/asn1/oids.cpp +++ b/src/lib/asn1/oids.cpp @@ -133,6 +133,7 @@ std::string lookup(const OID& oid) if(oid_str == "1.3.6.1.4.1.8301.3.1.2.9.0.38") return "secp521r1"; if(oid_str == "1.3.6.1.5.5.7.1.1") return "PKIX.AuthorityInformationAccess"; if(oid_str == "1.3.6.1.5.5.7.3.1") return "PKIX.ServerAuth"; + if(oid_str == "1.3.6.1.5.5.7.48.2") return "PKIX.CertificateAuthorityIssuers"; if(oid_str == "1.3.6.1.5.5.7.3.2") return "PKIX.ClientAuth"; if(oid_str == "1.3.6.1.5.5.7.3.3") return "PKIX.CodeSigning"; if(oid_str == "1.3.6.1.5.5.7.3.4") return "PKIX.EmailProtection"; @@ -303,6 +304,7 @@ OID lookup(const std::string& name) if(name == "PKCS9.MessageDigest") return OID("1.2.840.113549.1.9.4"); if(name == "PKCS9.UnstructuredName") return OID("1.2.840.113549.1.9.2"); if(name == "PKIX.AuthorityInformationAccess") return OID("1.3.6.1.5.5.7.1.1"); + if(name == "PKIX.CertificateAuthorityIssuers") return OID("1.3.6.1.5.5.7.48.2"); if(name == "PKIX.ClientAuth") return OID("1.3.6.1.5.5.7.3.2"); if(name == "PKIX.CodeSigning") return OID("1.3.6.1.5.5.7.3.3"); if(name == "PKIX.EmailProtection") return OID("1.3.6.1.5.5.7.3.4"); diff --git a/src/lib/x509/x509_ext.cpp b/src/lib/x509/x509_ext.cpp index afb79f6bf..64f5765ac 100644 --- a/src/lib/x509/x509_ext.cpp +++ b/src/lib/x509/x509_ext.cpp @@ -777,6 +777,15 @@ void Authority_Information_Access::decode_inner(const std::vector<uint8_t>& in) } } + if(oid == OIDS::lookup("PKIX.CertificateAuthorityIssuers")) + { + BER_Object name = info.get_next_object(); + + if(name.type_tag == 6 && name.class_tag == CONTEXT_SPECIFIC) + { + m_ca_issuers.push_back(ASN1::to_string(name)); + } + } } } @@ -784,6 +793,10 @@ void Authority_Information_Access::contents_to(Data_Store& subject, Data_Store&) { if(!m_ocsp_responder.empty()) subject.add("OCSP.responder", m_ocsp_responder); + std::for_each(m_ca_issuers.begin(), m_ca_issuers.end(), [&subject] (const std::string& ca_issuer) + { + subject.add("PKIX.CertificateAuthorityIssuers", ca_issuer); + }); } /* diff --git a/src/lib/x509/x509_ext.h b/src/lib/x509/x509_ext.h index 235496cbd..8e702daf1 100644 --- a/src/lib/x509/x509_ext.h +++ b/src/lib/x509/x509_ext.h @@ -544,21 +544,25 @@ class BOTAN_PUBLIC_API(2,0) Certificate_Policies final : public Certificate_Exte std::vector<OID> m_oids; }; +/** +* Authority Information Access Extension +*/ class BOTAN_PUBLIC_API(2,0) Authority_Information_Access final : public Certificate_Extension { public: Authority_Information_Access* copy() const override - { return new Authority_Information_Access(m_ocsp_responder); } + { return new Authority_Information_Access(m_ocsp_responder, m_ca_issuers); } Authority_Information_Access() = default; - explicit Authority_Information_Access(const std::string& ocsp) : - m_ocsp_responder(ocsp) {} + explicit Authority_Information_Access(const std::string& ocsp, const std::vector<std::string>& ca_issuers = std::vector<std::string>()) : + m_ocsp_responder(ocsp), m_ca_issuers(ca_issuers) {} std::string ocsp_responder() const { return m_ocsp_responder; } static OID static_oid() { return OID("1.3.6.1.5.5.7.1.1"); } OID oid_of() const override { return static_oid(); } + const std::vector<std::string> ca_issuers() const { return m_ca_issuers; } private: std::string oid_name() const override @@ -572,6 +576,7 @@ class BOTAN_PUBLIC_API(2,0) Authority_Information_Access final : public Certific void contents_to(Data_Store&, Data_Store&) const override; std::string m_ocsp_responder; + std::vector<std::string> m_ca_issuers; }; /** diff --git a/src/lib/x509/x509cert.cpp b/src/lib/x509/x509cert.cpp index dd0514dfb..f298006c0 100644 --- a/src/lib/x509/x509cert.cpp +++ b/src/lib/x509/x509cert.cpp @@ -47,6 +47,7 @@ struct X509_Certificate_Data std::vector<std::string> m_crl_distribution_points; std::string m_ocsp_responder; + std::vector<std::string> m_ca_issuers; AlternativeName m_subject_alt_name; AlternativeName m_issuer_alt_name; @@ -262,6 +263,7 @@ std::unique_ptr<X509_Certificate_Data> parse_x509_cert_body(const X509_Object& o if(auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Authority_Information_Access>()) { data->m_ocsp_responder = ext->ocsp_responder(); + data->m_ca_issuers = ext->ca_issuers(); } if(auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::CRL_Distribution_Points>()) @@ -543,6 +545,11 @@ std::string X509_Certificate::ocsp_responder() const return data().m_ocsp_responder; } +std::vector<std::string> X509_Certificate::ca_issuers() const + { + return data().m_ca_issuers; + } + std::string X509_Certificate::crl_distribution_point() const { // just returns the first (arbitrarily) @@ -815,6 +822,15 @@ std::string X509_Certificate::to_string() const if(!ocsp_responder().empty()) out << "OCSP responder " << ocsp_responder() << "\n"; + + std::vector<std::string> ca_issuers = this->ca_issuers(); + if(!ca_issuers.empty()) + { + out << "CA Issuers:\n"; + for(size_t i = 0; i != ca_issuers.size(); i++) + out << " URI: " << ca_issuers[i] << "\n"; + } + if(!crl_distribution_point().empty()) out << "CRL " << crl_distribution_point() << "\n"; diff --git a/src/lib/x509/x509cert.h b/src/lib/x509/x509cert.h index e87e5e436..a1448637d 100644 --- a/src/lib/x509/x509cert.h +++ b/src/lib/x509/x509cert.h @@ -346,6 +346,11 @@ class BOTAN_PUBLIC_API(2,0) X509_Certificate : public X509_Object std::string ocsp_responder() const; /** + * Return the listed addresses of ca issuers, or empty if not set + */ + std::vector<std::string> ca_issuers() const; + + /** * Return the CRL distribution point, or empty if not set */ std::string crl_distribution_point() const; |