author | lloyd <[email protected]> | 2010-03-10 16:30:50 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2010-03-10 16:30:50 +0000 |
commit | fd79f63a44ad0b59507ac67bdb3eccbe4d45adbc (patch) | |
tree | 2fc4ef1884d1d3dc18608b03ad4e675c68d0e137 /src/cert | |
parent | 66494f4d9db90d04d93874ee37e77a282dd71b07 (diff) |
Remove config options to toggle if X.509 extensions are critical or
not. Instead provide via Extensions::add(). No way to modify behavior
currently, it just follows the previous default policy.
Remove the config options from Library_State entirely. Die, mutable
singletons, die.
Diffstat (limited to 'src/cert')
-rw-r--r-- | src/cert/x509/x509_ca.cpp | 12 | ||||
-rw-r--r-- | src/cert/x509/x509_ext.cpp | 65 | ||||
-rw-r--r-- | src/cert/x509/x509_ext.h | 5 | ||||
-rw-r--r-- | src/cert/x509/x509self.cpp | 13 |
4 files changed, 47 insertions, 48 deletions
diff --git a/src/cert/x509/x509_ca.cpp b/src/cert/x509/x509_ca.cpp index 1f3e643e9..ea7f3a405 100644 --- a/src/cert/x509/x509_ca.cpp +++ b/src/cert/x509/x509_ca.cpp @@ -63,19 +63,21 @@ X509_Certificate X509_CA::sign_request(const PKCS10_Request& req, Extensions extensions; + extensions.add( + new Cert_Extension::Basic_Constraints(req.is_CA(), req.path_limit()), + true); + + extensions.add(new Cert_Extension::Key_Usage(constraints), true); + extensions.add(new Cert_Extension::Authority_Key_ID(cert.subject_key_id())); extensions.add(new Cert_Extension::Subject_Key_ID(req.raw_public_key())); extensions.add( - new Cert_Extension::Basic_Constraints(req.is_CA(), req.path_limit())); + new Cert_Extension::Subject_Alternative_Name(req.subject_alt_name())); - extensions.add(new Cert_Extension::Key_Usage(constraints)); extensions.add( new Cert_Extension::Extended_Key_Usage(req.ex_constraints())); - extensions.add( - new Cert_Extension::Subject_Alternative_Name(req.subject_alt_name())); - return make_cert(signer, rng, ca_sig_algo, req.raw_public_key(), not_before, not_after, diff --git a/src/cert/x509/x509_ext.cpp b/src/cert/x509/x509_ext.cpp index 69b21d8b3..3e51d1fa2 100644 --- a/src/cert/x509/x509_ext.cpp +++ b/src/cert/x509/x509_ext.cpp @@ -1,6 +1,6 @@ /* * X.509 Certificate Extensions -* (C) 1999-2007 Jack Lloyd +* (C) 1999-2010 Jack Lloyd * * Distributed under the terms of the Botan license */ @@ -10,7 +10,6 @@ #include <botan/der_enc.h> #include <botan/ber_dec.h> #include <botan/oids.h> -#include <botan/libstate.h> #include <botan/internal/bit_ops.h> #include <algorithm> #include <memory> 
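Review bot: In X509_CA::sign_request the critical Basic_Constraints extension is built straight from `req.is_CA()` and `req.path_limit()`, so the issued certificate carries whatever CA flag and path length the PKCS #10 request asked for. No check on these values is visible in the hunk; sign_request starts and ends outside it, so one may exist earlier. If none does, the contract should be stated where the extension is added, e.g. `// is_CA and path_limit are taken from the request; the caller must have approved them before signing`. The bare `true` arguments would also read better with a short comment saying that they set the critical flag.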
@@ -52,12 +51,14 @@ Extensions::Extensions(const Extensions& extensions) : ASN1_Object() */ Extensions& Extensions::operator=(const Extensions& other) { - for(u32bit j = 0; j != extensions.size(); ++j) - delete extensions[j]; + for(u32bit i = 0; i != extensions.size(); ++i) + delete extensions[i].first; extensions.clear(); - for(u32bit j = 0; j != other.extensions.size(); ++j) - extensions.push_back(other.extensions[j]->copy()); + for(u32bit i = 0; i != other.extensions.size(); ++i) + extensions.push_back( + std::make_pair(other.extensions[i].first->copy(), + other.extensions[i].second)); return (*this); } @@ -70,30 +71,22 @@ OID Certificate_Extension::oid_of() const return OIDS::lookup(oid_name()); } +void Extensions::add(Certificate_Extension* extn, bool critical) + { + extensions.push_back(std::make_pair(extn, critical)); + } + /* * Encode an Extensions list */ void Extensions::encode_into(DER_Encoder& to_object) const { - for(u32bit j = 0; j != extensions.size(); ++j) + for(u32bit i = 0; i != extensions.size(); ++i) { - const Certificate_Extension* ext = extensions[j]; - - std::string setting; - - if(ext->config_id() != "") - setting = global_state().option("x509/exts/" + ext->config_id()); - - if(setting == "") - setting = "yes"; - - if(setting != "yes" && setting != "no" && setting != "critical") - throw Invalid_Argument("X509_CA:: Invalid value for option " - "x509/exts/" + ext->config_id() + " of " + - setting); + const Certificate_Extension* ext = extensions[i].first; + const bool is_critical = extensions[i].second; - bool is_critical = (setting == "critical"); - bool should_encode = ext->should_encode() && (setting != "no"); + const bool should_encode = ext->should_encode(); if(should_encode) { 
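Review bot: Extensions::operator= has no self-assignment guard: the first loop deletes every `extensions[i].first` and `extensions.clear()` empties the vector, so when `&other == this` the copy loop sees an empty `other.extensions` and the object silently loses all its extensions. Adding `if(this == &other) return (*this);` as the first statement avoids that. The delete-then-copy order also means an exception from `copy()` leaves the object partly filled; building the new vector first and swapping it in would avoid that too, but the guard is the minimal fix.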
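Review bot: Extensions::add() stores the raw pointer unconditionally, so a null `extn` is accepted here and only fails later when encode_into calls `ext->should_encode()` on it. A guard such as `if(!extn) throw Invalid_Argument("Extensions::add: null extension");` would fail at the call site instead. add() also appends without checking whether an extension with the same `oid_of()` is already present, and RFC 5280 does not allow an extension to appear twice in one certificate. The function, and its declaration in x509_ext.h, should carry a comment saying that the object takes ownership of `extn` (it is deleted in the destructor) and that `critical` is the value encode_into later reads back as `is_critical`. encode_into continues past the end of the hunk.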
@@ -111,8 +104,8 @@ void Extensions::encode_into(DER_Encoder& to_object) const */ void Extensions::decode_from(BER_Decoder& from_source) { - for(u32bit j = 0; j != extensions.size(); ++j) - delete extensions[j]; + for(u32bit i = 0; i != extensions.size(); ++i) + delete extensions[i].first; extensions.clear(); BER_Decoder sequence = from_source.start_cons(SEQUENCE); @@ -142,7 +135,7 @@ void Extensions::decode_from(BER_Decoder& from_source) ext->decode_inner(value); - extensions.push_back(ext); + extensions.push_back(std::make_pair(ext, critical)); } sequence.verify_end(); } @@ -153,8 +146,8 @@ void Extensions::decode_from(BER_Decoder& from_source) void Extensions::contents_to(Data_Store& subject_info, Data_Store& issuer_info) const { - for(u32bit j = 0; j != extensions.size(); ++j) - extensions[j]->contents_to(subject_info, issuer_info); + for(u32bit i = 0; i != extensions.size(); ++i) + extensions[i].first->contents_to(subject_info, issuer_info); } /* @@ -162,8 +155,8 @@ void Extensions::contents_to(Data_Store& subject_info, */ Extensions::~Extensions() { - for(u32bit j = 0; j != extensions.size(); ++j) - delete extensions[j]; + for(u32bit i = 0; i != extensions.size(); ++i) + delete extensions[i].first; } namespace Cert_Extension { @@ -262,8 +255,8 @@ void Key_Usage::decode_inner(const MemoryRegion<byte>& in) obj.value[obj.value.size()-1] &= (0xFF << obj.value[0]); u16bit usage = 0; - for(u32bit j = 1; j != obj.value.size(); ++j) - usage = (obj.value[j] << 8) | usage; + for(u32bit i = 1; i != obj.value.size(); ++i) + usage = (obj.value[i] << 8) | usage; constraints = Key_Constraints(usage); } 
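Review bot: In Extensions::decode_from, `ext` is handed to the vector only after `ext->decode_inner(value)` returns, so if decode_inner throws on a malformed extension the object is never stored and never deleted. How `ext` is allocated is outside the hunk, but the `delete extensions[i].first` loops suggest it is a raw owning pointer. Since this path parses certificates that come from outside, holding `ext` in an owning wrapper until the `push_back` succeeds, or deleting it in a catch block and rethrowing, would close the leak.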
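Review bot: The loop in Key_Usage::decode_inner shifts every content octet by the same amount, `usage = (obj.value[i] << 8) | usage;`, so when the BIT STRING has two content octets the second is OR-ed into the high byte on top of the first and the low byte of `usage` is never set. Bits carried in the second octet would therefore be read as bits of the first, which changes the key-usage constraints a certificate is taken to assert. Shifting by the octet's position, `usage = (obj.value[i] << (8 * (2 - i))) | usage;`, keeps the two octets apart. This assumes `obj.value` holds at most two content octets after the unused-bits byte; any length check is outside the hunk. The hunk itself only renames the index, so the behaviour predates this commit.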
@@ -434,8 +427,8 @@ void Extended_Key_Usage::decode_inner(const MemoryRegion<byte>& in) */ void Extended_Key_Usage::contents_to(Data_Store& subject, Data_Store&) const { - for(u32bit j = 0; j != oids.size(); ++j) - subject.add("X509v3.ExtendedKeyUsage", oids[j].as_string()); + for(u32bit i = 0; i != oids.size(); ++i) + subject.add("X509v3.ExtendedKeyUsage", oids[i].as_string()); } namespace { @@ -503,8 +496,8 @@ void Certificate_Policies::decode_inner(const MemoryRegion<byte>& in) */ void Certificate_Policies::contents_to(Data_Store& info, Data_Store&) const { - for(u32bit j = 0; j != oids.size(); ++j) - info.add("X509v3.ExtendedKeyUsage", oids[j].as_string()); + for(u32bit i = 0; i != oids.size(); ++i) + info.add("X509v3.ExtendedKeyUsage", oids[i].as_string()); } /* diff --git a/src/cert/x509/x509_ext.h b/src/cert/x509/x509_ext.h index 108215ee7..a5bfd357f 100644 --- a/src/cert/x509/x509_ext.h +++ b/src/cert/x509/x509_ext.h @@ -49,8 +49,7 @@ class BOTAN_DLL Extensions : public ASN1_Object void contents_to(Data_Store&, Data_Store&) const; - void add(Certificate_Extension* extn) - { extensions.push_back(extn); } + void add(Certificate_Extension* extn, bool critical = false); Extensions& operator=(const Extensions&); @@ -60,7 +59,7 @@ class BOTAN_DLL Extensions : public ASN1_Object private: static Certificate_Extension* get_extension(const OID&); - std::vector<Certificate_Extension*> extensions; + std::vector<std::pair<Certificate_Extension*, bool> > extensions; bool should_throw; }; diff --git a/src/cert/x509/x509self.cpp b/src/cert/x509/x509self.cpp index 89b63c8b2..68221cb4d 100644 --- a/src/cert/x509/x509self.cpp +++ b/src/cert/x509/x509self.cpp 
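Review bot: Certificate_Policies::contents_to records its OIDs under the key `"X509v3.ExtendedKeyUsage"`, the same key Extended_Key_Usage::contents_to uses in the previous hunk, so policy OIDs end up mixed in with extended key usage OIDs in the Data_Store. Any code that reads that key to decide what a certificate may be used for would see policy identifiers as usages. This looks like a copy-paste slip; a distinct key, for example `info.add("X509v3.CertificatePolicies", oids[i].as_string());`, would keep them apart. The hunk only renames the loop index, so the key predates this commit.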
@@ -79,14 +79,19 @@ X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts, Extensions extensions; - extensions.add(new Cert_Extension::Subject_Key_ID(pub_key)); - extensions.add(new Cert_Extension::Key_Usage(constraints)); extensions.add( - new Cert_Extension::Extended_Key_Usage(opts.ex_constraints)); + new Cert_Extension::Basic_Constraints(opts.is_CA, opts.path_limit), + true); + + extensions.add(new Cert_Extension::Key_Usage(constraints), true); + + extensions.add(new Cert_Extension::Subject_Key_ID(pub_key)); + extensions.add( new Cert_Extension::Subject_Alternative_Name(subject_alt)); + extensions.add( - new Cert_Extension::Basic_Constraints(opts.is_CA, opts.path_limit)); + new Cert_Extension::Extended_Key_Usage(opts.ex_constraints)); return X509_CA::make_cert(signer.get(), rng, sig_algo, pub_key, opts.start, opts.end, |
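Review bot: The rule that Basic_Constraints and Key_Usage are critical is now written out by hand in create_self_signed_cert and again in X509_CA::sign_request (x509_ca.cpp), as a bare `true` second argument in each place. Nothing ties the two call sites together, so a later change to one can leave self-signed and CA-issued certificates with different criticality. A comment above the first call, e.g. `// basicConstraints and keyUsage are always critical; everything else is added non-critical`, or a small shared helper would make the policy explicit. create_self_signed_cert starts and ends outside the hunk.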