authorPatrik Fiedler <[email protected]>2018-01-03 10:45:41 +0100
committerPatrik Fiedler <[email protected]>2018-01-03 11:22:28 +0100
commitcc5e87c0bf9553b1c18b1c487c4089111d3271d7 (patch)
tree7c09cc99f77df12539644b5abb774fd8d104226e
parent1cf931e3e5871361d286ded8463fd9cc55ceb4a6 (diff)
Add detection of the CA Issuers field (1.3.6.1.5.5.7.48.2) in X.509 certificates
-rw-r--r--src/lib/asn1/oids.cpp2
-rw-r--r--src/lib/x509/x509_ext.cpp13
-rw-r--r--src/lib/x509/x509_ext.h11
-rw-r--r--src/lib/x509/x509cert.cpp16
-rw-r--r--src/lib/x509/x509cert.h5
5 files changed, 44 insertions, 3 deletions
diff --git a/src/lib/asn1/oids.cpp b/src/lib/asn1/oids.cpp
index 2c97f1d29..e88fdc980 100644
--- a/src/lib/asn1/oids.cpp
+++ b/src/lib/asn1/oids.cpp
@@ -133,6 +133,7 @@ std::string lookup(const OID& oid)
if(oid_str == "1.3.6.1.4.1.8301.3.1.2.9.0.38") return "secp521r1";
if(oid_str == "1.3.6.1.5.5.7.1.1") return "PKIX.AuthorityInformationAccess";
if(oid_str == "1.3.6.1.5.5.7.3.1") return "PKIX.ServerAuth";
+ if(oid_str == "1.3.6.1.5.5.7.48.2") return "PKIX.CertificateAuthorityIssuers";
if(oid_str == "1.3.6.1.5.5.7.3.2") return "PKIX.ClientAuth";
if(oid_str == "1.3.6.1.5.5.7.3.3") return "PKIX.CodeSigning";
if(oid_str == "1.3.6.1.5.5.7.3.4") return "PKIX.EmailProtection";
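Review bot: The new entry in lookup(const OID&) is inserted between the 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2 lines, so this table is no longer in OID order (1.3.6.1.5.5.7.48.2 sorts after every 1.3.6.1.5.5.7.3.x entry). A sorted list is what makes a missing or duplicated OID easy to spot in review, so move `if(oid_str == "1.3.6.1.5.5.7.48.2") return "PKIX.CertificateAuthorityIssuers";` to after the last 1.3.6.1.5.5.7.3.x line, next to the 1.3.6.1.5.5.7.48.1 (OCSP) entry that the existing OCSP responder parsing suggests the table already has. The reverse table in the second hunk is already in alphabetical position and does not need to move.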
@@ -303,6 +304,7 @@ OID lookup(const std::string& name)
if(name == "PKCS9.MessageDigest") return OID("1.2.840.113549.1.9.4");
if(name == "PKCS9.UnstructuredName") return OID("1.2.840.113549.1.9.2");
if(name == "PKIX.AuthorityInformationAccess") return OID("1.3.6.1.5.5.7.1.1");
+ if(name == "PKIX.CertificateAuthorityIssuers") return OID("1.3.6.1.5.5.7.48.2");
if(name == "PKIX.ClientAuth") return OID("1.3.6.1.5.5.7.3.2");
if(name == "PKIX.CodeSigning") return OID("1.3.6.1.5.5.7.3.3");
if(name == "PKIX.EmailProtection") return OID("1.3.6.1.5.5.7.3.4");
diff --git a/src/lib/x509/x509_ext.cpp b/src/lib/x509/x509_ext.cpp
index afb79f6bf..64f5765ac 100644
--- a/src/lib/x509/x509_ext.cpp
+++ b/src/lib/x509/x509_ext.cpp
@@ -777,6 +777,15 @@ void Authority_Information_Access::decode_inner(const std::vector<uint8_t>& in)
}
}
+ if(oid == OIDS::lookup("PKIX.CertificateAuthorityIssuers"))
+ {
+ BER_Object name = info.get_next_object();
+
+ if(name.type_tag == 6 && name.class_tag == CONTEXT_SPECIFIC)
+ {
+ m_ca_issuers.push_back(ASN1::to_string(name));
+ }
+ }
}
}
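Review bot: The new `PKIX.CertificateAuthorityIssuers` branch in decode_inner appears to repeat the shape of the OCSP branch that closes just above it (read one BER_Object, check `type_tag == 6 && class_tag == CONTEXT_SPECIFIC`, convert with ASN1::to_string), differing only in the member written; a small static helper returning the URI string, or empty for a non-URI accessLocation, would keep the two from drifting apart. The tag check means only uniformResourceIdentifier ([6]) entries are kept and a caIssuers entry carrying another GeneralName choice is silently dropped, which deserves a comment such as `// only URI-form accessLocations are collected; other GeneralName choices are ignored`. The stored string is taken verbatim from the certificate; if ASN1::to_string does not restrict the value to printable IA5 characters, that validation belongs here, before the value reaches Data_Store and the to_string() output. The start of decode_inner (the outer loop and the OID decode) lies outside the hunk.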
@@ -784,6 +793,10 @@ void Authority_Information_Access::contents_to(Data_Store& subject, Data_Store&)
{
if(!m_ocsp_responder.empty())
subject.add("OCSP.responder", m_ocsp_responder);
+ std::for_each(m_ca_issuers.begin(), m_ca_issuers.end(), [&subject] (const std::string& ca_issuer)
+ {
+ subject.add("PKIX.CertificateAuthorityIssuers", ca_issuer);
+ });
}
/*
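Review bot: The `std::for_each` with a capturing lambda in contents_to is heavier than the situation needs and, unlike the `m_ocsp_responder` line directly above it, depends on `<algorithm>` being included somewhere; a range-for reads like the existing code: `for(const std::string& ca_issuer : m_ca_issuers)` / `subject.add("PKIX.CertificateAuthorityIssuers", ca_issuer);`. The Data_Store key also follows a different naming pattern than the neighbouring "OCSP.responder" key; if anything looks these entries up by name, it is worth settling on one convention now rather than renaming later.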
diff --git a/src/lib/x509/x509_ext.h b/src/lib/x509/x509_ext.h
index 235496cbd..8e702daf1 100644
--- a/src/lib/x509/x509_ext.h
+++ b/src/lib/x509/x509_ext.h
@@ -544,21 +544,25 @@ class BOTAN_PUBLIC_API(2,0) Certificate_Policies final : public Certificate_Exte
std::vector<OID> m_oids;
};
+/**
+* Authority Information Access Extension
+*/
class BOTAN_PUBLIC_API(2,0) Authority_Information_Access final : public Certificate_Extension
{
public:
Authority_Information_Access* copy() const override
- { return new Authority_Information_Access(m_ocsp_responder); }
+ { return new Authority_Information_Access(m_ocsp_responder, m_ca_issuers); }
Authority_Information_Access() = default;
- explicit Authority_Information_Access(const std::string& ocsp) :
- m_ocsp_responder(ocsp) {}
+ explicit Authority_Information_Access(const std::string& ocsp, const std::vector<std::string>& ca_issuers = std::vector<std::string>()) :
+ m_ocsp_responder(ocsp), m_ca_issuers(ca_issuers) {}
std::string ocsp_responder() const { return m_ocsp_responder; }
static OID static_oid() { return OID("1.3.6.1.5.5.7.1.1"); }
OID oid_of() const override { return static_oid(); }
+ const std::vector<std::string> ca_issuers() const { return m_ca_issuers; }
private:
std::string oid_name() const override
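Review bot: `const std::vector<std::string> ca_issuers() const` returns a const prvalue, which stops callers from moving the result: `data->m_ca_issuers = ext->ca_issuers();` in the x509cert.cpp hunk copies the whole vector, and the sibling `ocsp_responder()` accessor returns a plain `std::string`. Drop the leading const: `std::vector<std::string> ca_issuers() const { return m_ca_issuers; }`. Since the class now gets a doc comment, the new accessor deserves one too, e.g. `/// URIs from the id-ad-caIssuers AccessDescription entries, empty if none`, mirroring the ocsp_responder() contract. The rest of the class (oid_name and the private section) continues into the next hunk.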
@@ -572,6 +576,7 @@ class BOTAN_PUBLIC_API(2,0) Authority_Information_Access final : public Certific
void contents_to(Data_Store&, Data_Store&) const override;
std::string m_ocsp_responder;
+ std::vector<std::string> m_ca_issuers;
};
/**
diff --git a/src/lib/x509/x509cert.cpp b/src/lib/x509/x509cert.cpp
index dd0514dfb..f298006c0 100644
--- a/src/lib/x509/x509cert.cpp
+++ b/src/lib/x509/x509cert.cpp
@@ -47,6 +47,7 @@ struct X509_Certificate_Data
std::vector<std::string> m_crl_distribution_points;
std::string m_ocsp_responder;
+ std::vector<std::string> m_ca_issuers;
AlternativeName m_subject_alt_name;
AlternativeName m_issuer_alt_name;
@@ -262,6 +263,7 @@ std::unique_ptr<X509_Certificate_Data> parse_x509_cert_body(const X509_Object& o
if(auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Authority_Information_Access>())
{
data->m_ocsp_responder = ext->ocsp_responder();
+ data->m_ca_issuers = ext->ca_issuers();
}
if(auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::CRL_Distribution_Points>())
@@ -543,6 +545,11 @@ std::string X509_Certificate::ocsp_responder() const
return data().m_ocsp_responder;
}
+std::vector<std::string> X509_Certificate::ca_issuers() const
+ {
+ return data().m_ca_issuers;
+ }
+
std::string X509_Certificate::crl_distribution_point() const
{
// just returns the first (arbitrarily)
@@ -815,6 +822,15 @@ std::string X509_Certificate::to_string() const
if(!ocsp_responder().empty())
out << "OCSP responder " << ocsp_responder() << "\n";
+
+ std::vector<std::string> ca_issuers = this->ca_issuers();
+ if(!ca_issuers.empty())
+ {
+ out << "CA Issuers:\n";
+ for(size_t i = 0; i != ca_issuers.size(); i++)
+ out << " URI: " << ca_issuers[i] << "\n";
+ }
+
if(!crl_distribution_point().empty())
out << "CRL " << crl_distribution_point() << "\n";
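Review bot: The loop over `ca_issuers` in to_string() indexes by `size_t` where a range-for over the local copy is clearer: `for(const std::string& uri : ca_issuers)` / `out << "   URI: " << uri << "\n";`, and the local itself can be `const` since it is only read. The printed value comes verbatim from the certificate; if nothing upstream constrains it to printable IA5 characters, an embedded newline would break the line structure of this human-readable dump, so a short comment stating where (or whether) the value is validated would help the reader. The end of to_string() is outside the hunk.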
diff --git a/src/lib/x509/x509cert.h b/src/lib/x509/x509cert.h
index e87e5e436..a1448637d 100644
--- a/src/lib/x509/x509cert.h
+++ b/src/lib/x509/x509cert.h
@@ -346,6 +346,11 @@ class BOTAN_PUBLIC_API(2,0) X509_Certificate : public X509_Object
std::string ocsp_responder() const;
/**
+ * Return the listed addresses of ca issuers, or empty if not set
+ */
+ std::vector<std::string> ca_issuers() const;
+
+ /**
* Return the CRL distribution point, or empty if not set
*/
std::string crl_distribution_point() const;
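Review bot: The doc comment on `ca_issuers()` says "listed addresses of ca issuers", but the decoder in x509_ext.cpp keeps only GeneralName entries of type [6] (uniformResourceIdentifier), so callers should be told that other name forms are not returned. Suggested wording: ` * Return the CA Issuers URIs from the Authority Information Access extension` / ` * (only uniformResourceIdentifier entries are collected), or empty if not set`. Capitalising "CA Issuers" also matches the label used by to_string() in the x509cert.cpp hunk.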