authorlloyd <[email protected]>2010-03-10 16:30:50 +0000
committerlloyd <[email protected]>2010-03-10 16:30:50 +0000
commitfd79f63a44ad0b59507ac67bdb3eccbe4d45adbc (patch)
tree2fc4ef1884d1d3dc18608b03ad4e675c68d0e137 /src/cert
parent66494f4d9db90d04d93874ee37e77a282dd71b07 (diff)
Remove config options to toggle if X.509 extensions are critical or
not. Instead the criticality flag is supplied via Extensions::add(). There is no way to modify the behavior currently; it just follows the previous default policy. Remove the config options from Library_State entirely. Die, mutable singletons, die.
Diffstat (limited to 'src/cert')
-rw-r--r--src/cert/x509/x509_ca.cpp12
-rw-r--r--src/cert/x509/x509_ext.cpp65
-rw-r--r--src/cert/x509/x509_ext.h5
-rw-r--r--src/cert/x509/x509self.cpp13
4 files changed, 47 insertions, 48 deletions
diff --git a/src/cert/x509/x509_ca.cpp b/src/cert/x509/x509_ca.cpp
index 1f3e643e9..ea7f3a405 100644
--- a/src/cert/x509/x509_ca.cpp
+++ b/src/cert/x509/x509_ca.cpp
@@ -63,19 +63,21 @@ X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
Extensions extensions;
+ extensions.add(
+ new Cert_Extension::Basic_Constraints(req.is_CA(), req.path_limit()),
+ true);
+
+ extensions.add(new Cert_Extension::Key_Usage(constraints), true);
+
extensions.add(new Cert_Extension::Authority_Key_ID(cert.subject_key_id()));
extensions.add(new Cert_Extension::Subject_Key_ID(req.raw_public_key()));
extensions.add(
- new Cert_Extension::Basic_Constraints(req.is_CA(), req.path_limit()));
+ new Cert_Extension::Subject_Alternative_Name(req.subject_alt_name()));
- extensions.add(new Cert_Extension::Key_Usage(constraints));
extensions.add(
new Cert_Extension::Extended_Key_Usage(req.ex_constraints()));
- extensions.add(
- new Cert_Extension::Subject_Alternative_Name(req.subject_alt_name()));
-
return make_cert(signer, rng, ca_sig_algo,
req.raw_public_key(),
not_before, not_after,
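Review bot: Subject_Alternative_Name is added on line 36 with the default critical=false, but RFC 5280 §4.2.1.6 requires SAN to be marked critical whenever the certificate's subject DN is empty, and nothing in this list consults the request's subject. With the per-extension "critical" config override now gone, this call is the only place that rule can be expressed, so the second argument should be derived from whether the request's subject DN is empty (the PKCS10_Request subject accessor is not visible here). Marking Basic_Constraints and Key_Usage critical unconditionally is what RFC 5280 expects for CA-issued certificates, provided Key_Usage::should_encode() suppresses the extension when `constraints` is empty so a critical, empty KeyUsage is never emitted; that check is not visible in this hunk. sign_request's body continues outside the hunk.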
diff --git a/src/cert/x509/x509_ext.cpp b/src/cert/x509/x509_ext.cpp
index 69b21d8b3..3e51d1fa2 100644
--- a/src/cert/x509/x509_ext.cpp
+++ b/src/cert/x509/x509_ext.cpp
@@ -1,6 +1,6 @@
/*
* X.509 Certificate Extensions
-* (C) 1999-2007 Jack Lloyd
+* (C) 1999-2010 Jack Lloyd
*
* Distributed under the terms of the Botan license
*/
@@ -10,7 +10,6 @@
#include <botan/der_enc.h>
#include <botan/ber_dec.h>
#include <botan/oids.h>
-#include <botan/libstate.h>
#include <botan/internal/bit_ops.h>
#include <algorithm>
#include <memory>
@@ -52,12 +51,14 @@ Extensions::Extensions(const Extensions& extensions) : ASN1_Object()
*/
Extensions& Extensions::operator=(const Extensions& other)
{
- for(u32bit j = 0; j != extensions.size(); ++j)
- delete extensions[j];
+ for(u32bit i = 0; i != extensions.size(); ++i)
+ delete extensions[i].first;
extensions.clear();
- for(u32bit j = 0; j != other.extensions.size(); ++j)
- extensions.push_back(other.extensions[j]->copy());
+ for(u32bit i = 0; i != other.extensions.size(); ++i)
+ extensions.push_back(
+ std::make_pair(other.extensions[i].first->copy(),
+ other.extensions[i].second));
return (*this);
}
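Review bot: `Extensions::operator=` has no self-assignment guard: `a = a` deletes every extension on line 73, clears the vector, and then copies from the now-empty `other`, silently leaving the object with no extensions. Add `if(this == &other) return (*this);` as the first statement. The `should_throw` member declared in x509_ext.h is also not copied here, so an assigned-to Extensions keeps its own tolerance for unknown critical extensions rather than taking the source's; whether that is intended cannot be determined from this hunk.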
@@ -70,30 +71,22 @@ OID Certificate_Extension::oid_of() const
return OIDS::lookup(oid_name());
}
+void Extensions::add(Certificate_Extension* extn, bool critical)
+ {
+ extensions.push_back(std::make_pair(extn, critical));
+ }
+
/*
* Encode an Extensions list
*/
void Extensions::encode_into(DER_Encoder& to_object) const
{
- for(u32bit j = 0; j != extensions.size(); ++j)
+ for(u32bit i = 0; i != extensions.size(); ++i)
{
- const Certificate_Extension* ext = extensions[j];
-
- std::string setting;
-
- if(ext->config_id() != "")
- setting = global_state().option("x509/exts/" + ext->config_id());
-
- if(setting == "")
- setting = "yes";
-
- if(setting != "yes" && setting != "no" && setting != "critical")
- throw Invalid_Argument("X509_CA:: Invalid value for option "
- "x509/exts/" + ext->config_id() + " of " +
- setting);
+ const Certificate_Extension* ext = extensions[i].first;
+ const bool is_critical = extensions[i].second;
- bool is_critical = (setting == "critical");
- bool should_encode = ext->should_encode() && (setting != "no");
+ const bool should_encode = ext->should_encode();
if(should_encode)
{
@@ -111,8 +104,8 @@ void Extensions::encode_into(DER_Encoder& to_object) const
*/
void Extensions::decode_from(BER_Decoder& from_source)
{
- for(u32bit j = 0; j != extensions.size(); ++j)
- delete extensions[j];
+ for(u32bit i = 0; i != extensions.size(); ++i)
+ delete extensions[i].first;
extensions.clear();
BER_Decoder sequence = from_source.start_cons(SEQUENCE);
@@ -142,7 +135,7 @@ void Extensions::decode_from(BER_Decoder& from_source)
ext->decode_inner(value);
- extensions.push_back(ext);
+ extensions.push_back(std::make_pair(ext, critical));
}
sequence.verify_end();
}
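Review bot: `ext->decode_inner(value)` on line 131 can throw on a malformed extension body while `ext` is still a bare pointer that only becomes owned by the vector on line 133, so a bad extension in untrusted input leaks the object (x509_ext.h shows get_extension returning a raw pointer). Guard it with `std::auto_ptr<Certificate_Extension> owner(ext);` before the decode call and store with `extensions.push_back(std::make_pair(owner.release(), critical));` — `<memory>` is already included. The newly retained `critical` flag is good, but nothing here rejects a second occurrence of the same OID, which RFC 5280 §4.2 requires a conforming parser to treat as invalid. decode_from starts outside the hunk, so how a null `ext` for an unknown OID is handled is not visible.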
@@ -153,8 +146,8 @@ void Extensions::decode_from(BER_Decoder& from_source)
void Extensions::contents_to(Data_Store& subject_info,
Data_Store& issuer_info) const
{
- for(u32bit j = 0; j != extensions.size(); ++j)
- extensions[j]->contents_to(subject_info, issuer_info);
+ for(u32bit i = 0; i != extensions.size(); ++i)
+ extensions[i].first->contents_to(subject_info, issuer_info);
}
/*
@@ -162,8 +155,8 @@ void Extensions::contents_to(Data_Store& subject_info,
*/
Extensions::~Extensions()
{
- for(u32bit j = 0; j != extensions.size(); ++j)
- delete extensions[j];
+ for(u32bit i = 0; i != extensions.size(); ++i)
+ delete extensions[i].first;
}
namespace Cert_Extension {
@@ -262,8 +255,8 @@ void Key_Usage::decode_inner(const MemoryRegion<byte>& in)
obj.value[obj.value.size()-1] &= (0xFF << obj.value[0]);
u16bit usage = 0;
- for(u32bit j = 1; j != obj.value.size(); ++j)
- usage = (obj.value[j] << 8) | usage;
+ for(u32bit i = 1; i != obj.value.size(); ++i)
+ usage = (obj.value[i] << 8) | usage;
constraints = Key_Constraints(usage);
}
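Review bot: The accumulation on line 163 shifts every content byte into the high byte: for a KeyUsage BIT STRING with two content bytes (needed for decipherOnly, bit 8), the second byte is ORed in at the same position as the first, so a certificate asserting only decipherOnly is read as having digitalSignature set, and decipherOnly itself is never recovered. The `<< 8` on the first byte suggests Key_Constraints keeps byte 1 in the high half and byte 2 in the low half, so the loop should become `if(obj.value.size() > 1) usage |= obj.value[1] << 8;` followed by `if(obj.value.size() > 2) usage |= obj.value[2];`. Line 158 also masks the unused bits with `obj.value[0]`, which is malformed if it exceeds 7 or the BIT STRING has no contents octet at all; whether that is validated earlier is not visible since decode_inner starts outside the hunk.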
@@ -434,8 +427,8 @@ void Extended_Key_Usage::decode_inner(const MemoryRegion<byte>& in)
*/
void Extended_Key_Usage::contents_to(Data_Store& subject, Data_Store&) const
{
- for(u32bit j = 0; j != oids.size(); ++j)
- subject.add("X509v3.ExtendedKeyUsage", oids[j].as_string());
+ for(u32bit i = 0; i != oids.size(); ++i)
+ subject.add("X509v3.ExtendedKeyUsage", oids[i].as_string());
}
namespace {
@@ -503,8 +496,8 @@ void Certificate_Policies::decode_inner(const MemoryRegion<byte>& in)
*/
void Certificate_Policies::contents_to(Data_Store& info, Data_Store&) const
{
- for(u32bit j = 0; j != oids.size(); ++j)
- info.add("X509v3.ExtendedKeyUsage", oids[j].as_string());
+ for(u32bit i = 0; i != oids.size(); ++i)
+ info.add("X509v3.ExtendedKeyUsage", oids[i].as_string());
}
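Review bot: `Certificate_Policies::contents_to` on line 183 records policy OIDs under the key `"X509v3.ExtendedKeyUsage"`, the very key `Extended_Key_Usage::contents_to` uses on line 173, so any consumer reading a subject's extended key usages from the Data_Store will treat certificate-policy OIDs as permitted key purposes, and the policy information is unreachable under its own name. This looks like a copy-paste slip; use a distinct key, e.g. `info.add("X509v3.CertificatePolicies", oids[i].as_string());`, and check whatever reads the store for the exact key name, which is not visible here.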
/*
diff --git a/src/cert/x509/x509_ext.h b/src/cert/x509/x509_ext.h
index 108215ee7..a5bfd357f 100644
--- a/src/cert/x509/x509_ext.h
+++ b/src/cert/x509/x509_ext.h
@@ -49,8 +49,7 @@ class BOTAN_DLL Extensions : public ASN1_Object
void contents_to(Data_Store&, Data_Store&) const;
- void add(Certificate_Extension* extn)
- { extensions.push_back(extn); }
+ void add(Certificate_Extension* extn, bool critical = false);
Extensions& operator=(const Extensions&);
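Review bot: The new `add` declaration on line 194 takes ownership of `extn` (the .cpp deletes it from the destructor) and its `critical` flag ends up in the encoded certificate, yet neither is documented, and the default of false means a caller who forgets the argument silently emits a non-critical extension. Add a Doxygen comment above it: `/** Add an extension to this list. Takes ownership of extn. @param critical set the X.509 critical flag when encoding */`. The rest of the class is outside this hunk.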
@@ -60,7 +59,7 @@ class BOTAN_DLL Extensions : public ASN1_Object
private:
static Certificate_Extension* get_extension(const OID&);
- std::vector<Certificate_Extension*> extensions;
+ std::vector<std::pair<Certificate_Extension*, bool> > extensions;
bool should_throw;
};
diff --git a/src/cert/x509/x509self.cpp b/src/cert/x509/x509self.cpp
index 89b63c8b2..68221cb4d 100644
--- a/src/cert/x509/x509self.cpp
+++ b/src/cert/x509/x509self.cpp
@@ -79,14 +79,19 @@ X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts,
Extensions extensions;
- extensions.add(new Cert_Extension::Subject_Key_ID(pub_key));
- extensions.add(new Cert_Extension::Key_Usage(constraints));
extensions.add(
- new Cert_Extension::Extended_Key_Usage(opts.ex_constraints));
+ new Cert_Extension::Basic_Constraints(opts.is_CA, opts.path_limit),
+ true);
+
+ extensions.add(new Cert_Extension::Key_Usage(constraints), true);
+
+ extensions.add(new Cert_Extension::Subject_Key_ID(pub_key));
+
extensions.add(
new Cert_Extension::Subject_Alternative_Name(subject_alt));
+
extensions.add(
- new Cert_Extension::Basic_Constraints(opts.is_CA, opts.path_limit));
+ new Cert_Extension::Extended_Key_Usage(opts.ex_constraints));
return X509_CA::make_cert(signer.get(), rng, sig_algo, pub_key,
opts.start, opts.end,
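Review bot: The criticality policy (Basic_Constraints and Key_Usage critical, everything else not) is now hard-coded a second time here, mirroring sign_request in x509_ca.cpp call by call; the two lists already differ in which extensions they carry, and any future rule such as RFC 5280 §4.2.1.6's requirement that SAN be critical when the subject DN is empty would have to be applied in both places. Consider a shared helper in X509_CA that takes the public key, key constraints, EKU list, SAN and Basic_Constraints inputs and returns the populated Extensions, so the policy lives once. The `return X509_CA::make_cert(...)` call and the rest of create_self_signed_cert continue outside the hunk.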