authorJack Lloyd <[email protected]>2017-11-14 09:21:18 -0500
committerJack Lloyd <[email protected]>2017-11-14 16:19:44 -0500
commit69886de61e73c5a5d507c660281124db84bede62 (patch)
treed91a0a4c86c2498fec89c0cc56a6aecf650b603c
parentc2239949daf06c1e3b47ac9652750aca8e344796 (diff)
Use new APIs in path validation and name constraint handling
-rw-r--r--src/lib/x509/name_constraint.cpp13
-rw-r--r--src/lib/x509/x509path.cpp7
2 files changed, 14 insertions, 6 deletions
diff --git a/src/lib/x509/name_constraint.cpp b/src/lib/x509/name_constraint.cpp
index e098bcd8d..21145824b 100644
--- a/src/lib/x509/name_constraint.cpp
+++ b/src/lib/x509/name_constraint.cpp
@@ -6,6 +6,7 @@
*/
#include <botan/name_constraint.h>
+#include <botan/asn1_alt_name.h>
#include <botan/ber_dec.h>
#include <botan/loadstor.h>
#include <botan/x509_dn.h>
@@ -105,14 +106,18 @@ GeneralName::MatchResult GeneralName::matches(const X509_Certificate& cert) cons
std::vector<std::string> nam;
std::function<bool(const GeneralName*, const std::string&)> match_fn;
+ const X509_DN& dn = cert.subject_dn();
+ const AlternativeName& alt_name = cert.subject_alt_name();
+
if(type() == "DNS")
{
match_fn = std::mem_fn(&GeneralName::matches_dns);
- nam = cert.subject_info("DNS");
+
+ nam = alt_name.get_attribute("DNS");
if(nam.empty())
{
- nam = cert.subject_info("CN");
+ nam = dn.get_attribute("CN");
}
}
else if(type() == "DN")
@@ -120,13 +125,13 @@ GeneralName::MatchResult GeneralName::matches(const X509_Certificate& cert) cons
match_fn = std::mem_fn(&GeneralName::matches_dn);
std::stringstream ss;
- ss << cert.subject_dn();
+ ss << dn;
nam.push_back(ss.str());
}
else if(type() == "IP")
{
match_fn = std::mem_fn(&GeneralName::matches_ip);
- nam = cert.subject_info("IP");
+ nam = alt_name.get_attribute("IP");
}
else
{
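Review bot: The fallback from SAN DNS entries to the subject CN at the `if(nam.empty())` / `nam = dn.get_attribute("CN");` lines in the DNS branch carries no comment saying which rule it implements, and the new split into `alt_name` and `dn` makes that policy visible for the first time. A certificate whose SubjectAltName is present but holds only non-DNS entries (IP, email) also takes this path, so its CN is consulted for the constraint check too; presumably that matches the previous `subject_info` behaviour, but it is worth confirming against the intended name-constraint policy, since RFC 5280 defines dNSName constraints over SAN entries and CN treatment is an implementation choice. I would add above the check `// No dNSName SAN entries: fall back to the subject CN so the constraint still applies to CN-only certificates`. GeneralName::matches continues outside the hunk, so what happens when both lookups leave nam empty is not visible here.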
diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp
index fcc5bf0ba..c10b15715 100644
--- a/src/lib/x509/x509path.cpp
+++ b/src/lib/x509/x509path.cpp
@@ -6,6 +6,7 @@
*/
#include <botan/x509path.h>
+#include <botan/x509_ext.h>
#include <botan/pk_keys.h>
#include <botan/ocsp.h>
#include <algorithm>
@@ -67,10 +68,10 @@ PKIX::check_chain(const std::vector<std::shared_ptr<const X509_Certificate>>& ce
}
// Check all certs for valid time range
- if(validation_time < X509_Time(subject->start_time(), ASN1_Tag::UTC_OR_GENERALIZED_TIME))
+ if(validation_time < subject->not_before())
status.insert(Certificate_Status_Code::CERT_NOT_YET_VALID);
- if(validation_time > X509_Time(subject->end_time(), ASN1_Tag::UTC_OR_GENERALIZED_TIME))
+ if(validation_time > subject->not_after())
status.insert(Certificate_Status_Code::CERT_HAS_EXPIRED);
// Check issuer constraints
@@ -495,7 +496,9 @@ PKIX::build_certificate_path(std::vector<std::shared_ptr<const X509_Certificate>
const std::string fprint = issuer->fingerprint("SHA-256");
if(certs_seen.count(fprint) > 0) // already seen?
+ {
return Certificate_Status_Code::CERT_CHAIN_LOOP;
+ }
certs_seen.insert(fprint);
cert_path.push_back(issuer);