author | Jack Lloyd <[email protected]> | 2017-11-14 09:21:18 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2017-11-14 16:19:44 -0500 |
commit | 69886de61e73c5a5d507c660281124db84bede62 (patch) | |
tree | d91a0a4c86c2498fec89c0cc56a6aecf650b603c | |
parent | c2239949daf06c1e3b47ac9652750aca8e344796 (diff) |
Use new APIs in path validation and name constraint handling
-rw-r--r-- | src/lib/x509/name_constraint.cpp | 13 | ||||
-rw-r--r-- | src/lib/x509/x509path.cpp | 7 |
2 files changed, 14 insertions, 6 deletions
diff --git a/src/lib/x509/name_constraint.cpp b/src/lib/x509/name_constraint.cpp
index e098bcd8d..21145824b 100644
--- a/src/lib/x509/name_constraint.cpp
+++ b/src/lib/x509/name_constraint.cpp
@@ -6,6 +6,7 @@
 */
 #include <botan/name_constraint.h>
+#include <botan/asn1_alt_name.h>
 #include <botan/ber_dec.h>
 #include <botan/loadstor.h>
 #include <botan/x509_dn.h>
@@ -105,14 +106,18 @@ GeneralName::MatchResult GeneralName::matches(const X509_Certificate& cert) cons
 std::vector<std::string> nam;
 std::function<bool(const GeneralName*, const std::string&)> match_fn;
+ const X509_DN& dn = cert.subject_dn();
+ const AlternativeName& alt_name = cert.subject_alt_name();
+
 if(type() == "DNS")
 {
 match_fn = std::mem_fn(&GeneralName::matches_dns);
- nam = cert.subject_info("DNS");
+
+ nam = alt_name.get_attribute("DNS");
 if(nam.empty())
 {
- nam = cert.subject_info("CN");
+ nam = dn.get_attribute("CN");
 }
 }
 else if(type() == "DN")
@@ -120,13 +125,13 @@ GeneralName::MatchResult GeneralName::matches(const X509_Certificate& cert) cons
 match_fn = std::mem_fn(&GeneralName::matches_dn);
 std::stringstream ss;
- ss << cert.subject_dn();
+ ss << dn;
 nam.push_back(ss.str());
 }
 else if(type() == "IP")
 {
 match_fn = std::mem_fn(&GeneralName::matches_ip);
- nam = cert.subject_info("IP");
+ nam = alt_name.get_attribute("IP");
 }
 else
 {
diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp
index fcc5bf0ba..c10b15715 100644
--- a/src/lib/x509/x509path.cpp
+++ b/src/lib/x509/x509path.cpp
@@ -6,6 +6,7 @@
 */
 #include <botan/x509path.h>
+#include <botan/x509_ext.h>
 #include <botan/pk_keys.h>
 #include <botan/ocsp.h>
 #include <algorithm>
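Review bot: The CN fallback on the new side of the DNS branch (`nam = dn.get_attribute("CN")` when `alt_name.get_attribute("DNS")` comes back empty) applies a dNSName constraint to a field that RFC 5280 §4.2.1.10 only mentions as a legacy accommodation, and it is taken for every certificate without dNSName SAN entries, including ones whose CN is not a host name at all, so a subordinate CA with a CN like "Example Issuing CA" is handed to matches_dns against the constraint. Whether that ends in a spurious mismatch depends on matches_dns, which is outside this hunk, so I cannot tell from here; at minimum the fallback deserves a comment, e.g. `// No dNSName in the SAN: fall back to the CN (RFC 5280 4.2.1.10 legacy behaviour); a non-hostname CN is compared as if it were a DNS name`. If matches_dns does not already tolerate non-hostname CNs, consider restricting the fallback to end-entity certificates. GeneralName::matches starts above the first hunk and its tail (the loop applying match_fn) lies past the last one.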
@@ -67,10 +68,10 @@ PKIX::check_chain(const std::vector<std::shared_ptr<const X509_Certificate>>& ce
 }
 // Check all certs for valid time range
- if(validation_time < X509_Time(subject->start_time(), ASN1_Tag::UTC_OR_GENERALIZED_TIME))
+ if(validation_time < subject->not_before())
 status.insert(Certificate_Status_Code::CERT_NOT_YET_VALID);
- if(validation_time > X509_Time(subject->end_time(), ASN1_Tag::UTC_OR_GENERALIZED_TIME))
+ if(validation_time > subject->not_after())
 status.insert(Certificate_Status_Code::CERT_HAS_EXPIRED);
 // Check issuer constraints
@@ -495,7 +496,9 @@ PKIX::build_certificate_path(std::vector<std::shared_ptr<const X509_Certificate>
 const std::string fprint = issuer->fingerprint("SHA-256");
 if(certs_seen.count(fprint) > 0) // already seen?
+ {
 return Certificate_Status_Code::CERT_CHAIN_LOOP;
+ }
 certs_seen.insert(fprint);
 cert_path.push_back(issuer);
|
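Review bot: The strict comparisons `validation_time < subject->not_before()` and `validation_time > subject->not_after()` are the right shape, because RFC 5280 §4.1.2.5 defines the validity period as inclusive at both ends, but nothing in the hunk records that and a later reader could "tighten" them to `<=`/`>=` and start rejecting certificates exactly at their boundary instants. I would extend the comment line to `// Check all certs for valid time range (notBefore/notAfter are inclusive per RFC 5280 4.1.2.5, hence the strict comparisons)`. The old code made the UTCTime-or-GeneralizedTime decoding explicit via `ASN1_Tag::UTC_OR_GENERALIZED_TIME`; the accessors now hide it, so it is worth confirming that not_before()/not_after() compare consistently with a validation_time built from the other encoding. PKIX::check_chain starts before this hunk and the body continues after it.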