diff options
author | Jack Lloyd <[email protected]> | 2016-08-10 02:42:35 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-08-10 02:42:35 -0400 |
commit | 3f4e00b7d856d9176d0332c5eb65b4afa406544f (patch) | |
tree | f2053006e7fa8f14a236ec74518c2e9d70e52406 /src/lib/cert | |
parent | e8302e1330560d4831107985848375e9cbb39a51 (diff) |
Merge GH #570 X509_Certificate APIs
Diffstat (limited to 'src/lib/cert')
-rw-r--r-- | src/lib/cert/x509/ocsp.cpp | 2 | ||||
-rw-r--r-- | src/lib/cert/x509/x509cert.cpp | 35 | ||||
-rw-r--r-- | src/lib/cert/x509/x509cert.h | 30 |
3 files changed, 58 insertions, 9 deletions
diff --git a/src/lib/cert/x509/ocsp.cpp b/src/lib/cert/x509/ocsp.cpp index 4f4a3aece..df8df3b39 100644 --- a/src/lib/cert/x509/ocsp.cpp +++ b/src/lib/cert/x509/ocsp.cpp @@ -81,7 +81,7 @@ void check_signature(const std::vector<byte>& tbs_response, // Otherwise attempt to chain the signing cert to a trust root - if(!certs[0].allowed_usage("PKIX.OCSPSigning")) + if(!certs[0].allowed_extended_usage("PKIX.OCSPSigning")) throw Exception("OCSP response cert does not allow OCSP signing"); auto result = x509_path_validate(certs, Path_Validation_Restrictions(), trusted_roots); diff --git a/src/lib/cert/x509/x509cert.cpp b/src/lib/cert/x509/x509cert.cpp index d7da00af0..bd3aff6d5 100644 --- a/src/lib/cert/x509/x509cert.cpp +++ b/src/lib/cert/x509/x509cert.cpp @@ -260,7 +260,7 @@ bool X509_Certificate::allowed_usage(Key_Constraints usage) const return ((constraints() & usage) != 0); } -bool X509_Certificate::allowed_usage(const std::string& usage) const +bool X509_Certificate::allowed_extended_usage(const std::string& usage) const { const std::vector<std::string> ex = ex_constraints(); @@ -281,13 +281,13 @@ bool X509_Certificate::allowed_usage(Usage_Type usage) const return true; case Usage_Type::TLS_SERVER_AUTH: - return allowed_usage(Key_Constraints(DATA_ENCIPHERMENT | KEY_ENCIPHERMENT | DIGITAL_SIGNATURE)) && allowed_usage("PKIX.ServerAuth"); + return allowed_usage(Key_Constraints(DATA_ENCIPHERMENT | KEY_ENCIPHERMENT | DIGITAL_SIGNATURE)) && allowed_extended_usage("PKIX.ServerAuth"); case Usage_Type::TLS_CLIENT_AUTH: - return allowed_usage(Key_Constraints(DIGITAL_SIGNATURE | NON_REPUDIATION)) && allowed_usage("PKIX.ClientAuth"); + return allowed_usage(Key_Constraints(DIGITAL_SIGNATURE | NON_REPUDIATION)) && allowed_extended_usage("PKIX.ClientAuth"); case Usage_Type::OCSP_RESPONDER: - return allowed_usage(Key_Constraints(DIGITAL_SIGNATURE | NON_REPUDIATION)) && allowed_usage("PKIX.OCSPSigning"); + return allowed_usage(Key_Constraints(DIGITAL_SIGNATURE | NON_REPUDIATION)) && allowed_extended_usage("PKIX.OCSPSigning"); case Usage_Type::CERTIFICATE_AUTHORITY: return is_CA_cert(); @@ -296,6 +296,33 @@ bool X509_Certificate::allowed_usage(Usage_Type usage) const return false; } +bool X509_Certificate::has_constraints(Key_Constraints constraints) const + { + if(this->constraints() == NO_CONSTRAINTS) + { + return false; + } + + return ((this->constraints() & constraints) != 0); + } + +bool X509_Certificate::has_ex_constraint(const std::string& ex_constraint) const + { + const std::vector<std::string> ex = ex_constraints(); + + if(ex.empty()) + { + return false; + } + + if(std::find(ex.begin(), ex.end(), ex_constraint) != ex.end()) + { + return true; + } + + return false; + } + /* * Return the path length constraint */ diff --git a/src/lib/cert/x509/x509cert.h b/src/lib/cert/x509/x509cert.h index 2875c8159..eb98f9c3d 100644 --- a/src/lib/cert/x509/x509cert.h +++ b/src/lib/cert/x509/x509cert.h @@ -140,17 +140,39 @@ class BOTAN_DLL X509_Certificate : public X509_Object */ bool is_CA_cert() const; + /** + * Returns true if the specified @param usage is set in the key usage extension + * or if no key usage constraints are set at all. + * To check if a certain key constraint is set in the certificate + * use @see X509_Certificate#has_constraints. + */ bool allowed_usage(Key_Constraints usage) const; /** - * Returns true if and only if name (referring to an extended key - * constraint, eg "PKIX.ServerAuth") is included in the extended - * key extension. + * Returns true if the specified @param usage is set in the extended key usage extension + * or if no extended key usage constraints are set at all. + * To check if a certain extended key constraint is set in the certificate + * use @see X509_Certificate#has_ex_constraint. */ - bool allowed_usage(const std::string& usage) const; + bool allowed_extended_usage(const std::string& usage) const; + /** + * Returns true if the required key and extended key constraints are set in the certificate + * for the specified @param usage or if no key constraints are set in both the key usage + * and extended key usage extension. + */ bool allowed_usage(Usage_Type usage) const; + /// Returns true if the specified @param constraints are included in the key usage extension. + bool has_constraints(Key_Constraints constraints) const; + + /** + * Returns true if and only if @param ex_constraint (referring to an extended key + * constraint, eg "PKIX.ServerAuth") is included in the extended + * key extension. + */ + bool has_ex_constraint(const std::string& ex_constraint) const; + /** * Get the path limit as defined in the BasicConstraints extension of * this certificate. |