Add Unknown_Critical_Extension type

author: René Korthaus <[email protected]> 2016-04-10 19:45:52 +0200
committer: René Korthaus <[email protected]> 2016-04-10 19:45:52 +0200
commit: 51e49a04f968931c6bd0f9a77d69cabe2c0fc710 (patch)
tree: 43a20a941cb054c879f138fd13526499f6d68dc1 /src/lib/cert
parent: 6bb53f89ef97bb8c5bee8d78c85ccb96a29e8f46 (diff)
3 files changed, 43 insertions, 16 deletions
diff --git a/src/lib/cert/x509/x509_ext.cpp b/src/lib/cert/x509/x509_ext.cpp
index 0125719cc..7dd6100ee 100644
--- a/src/lib/cert/x509/x509_ext.cpp
+++ b/src/lib/cert/x509/x509_ext.cpp
@@ -20,7 +20,7 @@ namespace Botan {
 /*
 * List of X.509 Certificate Extensions
 */
-Certificate_Extension* Extensions::get_extension(const OID& oid)
+Certificate_Extension* Extensions::get_extension(const OID& oid, bool critical)
    {
 #define X509_EXTENSION(NAME, TYPE) \
    if(OIDS::name_of(oid, NAME))    \
@@ -40,7 +40,7 @@ Certificate_Extension* Extensions::get_extension(const OID& oid)
    X509_EXTENSION("X509v3.CRLNumber", CRL_Number);
    X509_EXTENSION("X509v3.ReasonCode", CRL_ReasonCode);
 
-   return nullptr;
+   return critical ? new Cert_Extension::Unknown_Critical_Extension() : nullptr;
    }
 
 /*
@@ -146,7 +146,7 @@ void Extensions::decode_from(BER_Decoder& from_source)
 
       m_extensions_raw.emplace(oid, std::make_pair(value, critical));
 
-      std::unique_ptr<Certificate_Extension> ext(get_extension(oid));
+      std::unique_ptr<Certificate_Extension> ext(get_extension(oid, critical));
 
       if(!ext && critical && m_throw_on_unknown_critical)
          throw Decoding_Error("Encountered unknown X.509 extension marked "
@@ -184,11 +184,6 @@ void Extensions::contents_to(Data_Store& subject_info,
       }
    }
 
-bool Extensions::is_known_extension(const OID& oid)
-   {
-   return get_extension(oid) != nullptr;
-   }
-
 
 namespace Cert_Extension {
 
@@ -745,6 +740,20 @@ void CRL_Distribution_Points::Distribution_Point::decode_from(class BER_Decoder&
       .end_cons().end_cons();
    }
 
+std::vector<byte> Unknown_Critical_Extension::encode_inner() const
+   {
+   throw Exception("Unknown_Critical_Extension encoding not implemented");
+   }
+
+void Unknown_Critical_Extension::decode_inner(const std::vector<byte>& buf)
+   {
+   }
+
+void Unknown_Critical_Extension::contents_to(Data_Store& info, Data_Store&) const
+   {
+   // TODO: textual representation?
+   }
+
 }
 
 }
diff --git a/src/lib/cert/x509/x509_ext.h b/src/lib/cert/x509/x509_ext.h
index 2dfc71509..e1e8666ff 100644
--- a/src/lib/cert/x509/x509_ext.h
+++ b/src/lib/cert/x509/x509_ext.h
@@ -90,8 +90,6 @@ class BOTAN_DLL Extensions : public ASN1_Object
 
       std::map<OID, std::pair<std::vector<byte>, bool>> extensions_raw() const;
 
-      static bool is_known_extension(const OID& oid);
-
       Extensions& operator=(const Extensions&);
 
       Extensions(const Extensions&);
@@ -99,7 +97,7 @@ class BOTAN_DLL Extensions : public ASN1_Object
       explicit Extensions(bool st = true) : m_throw_on_unknown_critical(st) {}
 
    private:
-      static Certificate_Extension* get_extension(const OID&);
+      static Certificate_Extension* get_extension(const OID&, bool);
 
       std::vector<std::pair<std::unique_ptr<Certificate_Extension>, bool>> m_extensions;
       bool m_throw_on_unknown_critical;
@@ -478,6 +476,31 @@ class BOTAN_DLL CRL_Distribution_Points final : public Certificate_Extension
       std::vector<Distribution_Point> m_distribution_points;
    };
 
+/**
+* An unknown X.509 extension marked as critical
+* Will always add a failure to the path validation result.
+*/
+class BOTAN_DLL Unknown_Critical_Extension final : public Certificate_Extension
+   {
+   public:
+      Unknown_Critical_Extension* copy() const override
+         { return new Unknown_Critical_Extension(); }
+
+      void validate(const X509_Certificate& /* current_cert */, std::set<Certificate_Status_Code>& status,
+                  const std::vector<X509_Certificate>& /* cert_path */)
+         {
+         status.insert(Certificate_Status_Code::UNKNOWN_CRITICAL_EXTENSION);
+         }
+   private:
+      std::string oid_name() const override
+         { return "Unknown OID name"; }
+
+      bool should_encode() const { return false; }
+      std::vector<byte> encode_inner() const override;
+      void decode_inner(const std::vector<byte>&) override;
+      void contents_to(Data_Store&, Data_Store&) const override;
+   };
+
 }
 
 }
diff --git a/src/lib/cert/x509/x509path.cpp b/src/lib/cert/x509/x509path.cpp
index dfd45f951..3f760cd54 100644
--- a/src/lib/cert/x509/x509path.cpp
+++ b/src/lib/cert/x509/x509path.cpp
@@ -205,11 +205,6 @@ check_chain(const std::vector<X509_Certificate>& cert_path,
          Extensions extensions = subject.v3_extensions();
          for (auto& extension : extensions.extensions())
             {
-            if(!Extensions::is_known_extension(extension.first->oid_of()) && extension.second)
-               {
-               status.insert(Certificate_Status_Code::UNKNOWN_CRITICAL_EXTENSION);
-               continue;
-               }
             extension.first->validate(cert_path[i], status, cert_path);
             }
       }
author	René Korthaus <[email protected]>	2016-04-10 19:45:52 +0200
committer	René Korthaus <[email protected]>	2016-04-10 19:45:52 +0200
commit	51e49a04f968931c6bd0f9a77d69cabe2c0fc710 (patch)
tree	43a20a941cb054c879f138fd13526499f6d68dc1 /src/lib/cert
parent	6bb53f89ef97bb8c5bee8d78c85ccb96a29e8f46 (diff)