aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/x509/key_constraint.cpp
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2016-11-03 10:30:13 -0400
committerJack Lloyd <[email protected]>2016-11-03 10:30:13 -0400
commit341fd32b46363cad4c2caee3fca166695100ba07 (patch)
tree89a98aa28a431f2625268cf61e7adf903fd24a98 /src/lib/x509/key_constraint.cpp
parent1e72720661383466807ac496b941af41d756a2ce (diff)
Move cert/x509 to top level and pem and pbes2 to pubkey.
The `cert` dir was just an artifact of having previously supported CVC (smartcard cert format), removed a long time ago. The pem and pbes2 code is directly related to the pubkey code, in fact the only caller of pbes2 (likely anywhere, not just in the library) is in pkcs8.cpp
Diffstat (limited to 'src/lib/x509/key_constraint.cpp')
-rw-r--r--src/lib/x509/key_constraint.cpp45
1 files changed, 45 insertions, 0 deletions
diff --git a/src/lib/x509/key_constraint.cpp b/src/lib/x509/key_constraint.cpp
new file mode 100644
index 000000000..30d1cb3b8
--- /dev/null
+++ b/src/lib/x509/key_constraint.cpp
@@ -0,0 +1,45 @@
+/*
+* KeyUsage
+* (C) 1999-2007 Jack Lloyd
+* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include <botan/key_constraint.h>
+#include <botan/x509_key.h>
+
+namespace Botan {
+
+/*
+* Make sure the given key constraints are permitted for the given key type
+*/
+void verify_cert_constraints_valid_for_key_type(const Public_Key& pub_key,
+ Key_Constraints constraints)
+ {
+ const std::string name = pub_key.algo_name();
+
+ size_t permitted = 0;
+
+ if(name == "DH" || name == "ECDH")
+ {
+ permitted |= KEY_AGREEMENT | ENCIPHER_ONLY | DECIPHER_ONLY;
+ }
+
+ if(name == "RSA" || name == "ElGamal")
+ {
+ permitted |= KEY_ENCIPHERMENT | DATA_ENCIPHERMENT;
+ }
+
+ if(name == "RSA" || name == "DSA" || name == "ECDSA" || name == "ECGDSA" || name == "ECKCDSA")
+ {
+ permitted |= DIGITAL_SIGNATURE | NON_REPUDIATION | KEY_CERT_SIGN | CRL_SIGN;
+ }
+
+ if ( ( constraints & permitted ) != constraints )
+ {
+ throw Exception("Constraint not permitted for key type " + name);
+ }
+ }
+
+}