authorJack Lloyd <[email protected]>2018-01-03 12:17:02 -0500
committerJack Lloyd <[email protected]>2018-01-03 12:17:02 -0500
commitc697fe0a2f199b4ccc415f5a3e2d0182d91a8fa7 (patch)
tree4c4d397ce577af7f9f4dbd49ba6159567432bf2d /src/lib/x509
parentb1297f6352e2a24db7cd0776a788ac4570f1dcb2 (diff)
parentb8b962648f8b8b564026e18a94e2e0f3f4757626 (diff)
Merge GH #1381 Support caIssuers in AIA X509 extension
Diffstat (limited to 'src/lib/x509')
-rw-r--r--src/lib/x509/x509_ext.cpp11
-rw-r--r--src/lib/x509/x509_ext.h11
-rw-r--r--src/lib/x509/x509cert.cpp16
-rw-r--r--src/lib/x509/x509cert.h5
4 files changed, 40 insertions, 3 deletions
diff --git a/src/lib/x509/x509_ext.cpp b/src/lib/x509/x509_ext.cpp
index afb79f6bf..c3b58236a 100644
--- a/src/lib/x509/x509_ext.cpp
+++ b/src/lib/x509/x509_ext.cpp
@@ -777,6 +777,15 @@ void Authority_Information_Access::decode_inner(const std::vector<uint8_t>& in)
}
}
+ if(oid == OIDS::lookup("PKIX.CertificateAuthorityIssuers"))
+ {
+ BER_Object name = info.get_next_object();
+
+ if(name.type_tag == 6 && name.class_tag == CONTEXT_SPECIFIC)
+ {
+ m_ca_issuers.push_back(ASN1::to_string(name));
+ }
+ }
}
}
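Review bot: `OIDS::lookup("PKIX.CertificateAuthorityIssuers")` on line 27 is re-evaluated on every iteration of the enclosing loop, a string-keyed table lookup per access description; hoist it into a `const OID ca_issuers_oid = OIDS::lookup("PKIX.CertificateAuthorityIssuers");` before the loop (the OCSP branch above the hunk presumably does the same lookup and can share the pattern). The literal `6` on line 31 is the GeneralName uniformResourceIdentifier choice tag and deserves a comment at least, `// GeneralName uniformResourceIdentifier [6]; other name forms are ignored`. The value stored on line 33 is copied from the certificate with no validation visible, and caIssuers URIs are typically dereferenced to fetch issuer certificates, so `m_ca_issuers` should be documented as untrusted input for whoever consumes it. The enclosing decode_inner function starts before the hunk.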
@@ -784,6 +793,8 @@ void Authority_Information_Access::contents_to(Data_Store& subject, Data_Store&)
{
if(!m_ocsp_responder.empty())
subject.add("OCSP.responder", m_ocsp_responder);
+ for(const std::string& ca_issuer : m_ca_issuers)
+ subject.add("PKIX.CertificateAuthorityIssuers", ca_issuer);
}
/*
diff --git a/src/lib/x509/x509_ext.h b/src/lib/x509/x509_ext.h
index 235496cbd..8e702daf1 100644
--- a/src/lib/x509/x509_ext.h
+++ b/src/lib/x509/x509_ext.h
@@ -544,21 +544,25 @@ class BOTAN_PUBLIC_API(2,0) Certificate_Policies final : public Certificate_Exte
std::vector<OID> m_oids;
};
+/**
+* Authority Information Access Extension
+*/
class BOTAN_PUBLIC_API(2,0) Authority_Information_Access final : public Certificate_Extension
{
public:
Authority_Information_Access* copy() const override
- { return new Authority_Information_Access(m_ocsp_responder); }
+ { return new Authority_Information_Access(m_ocsp_responder, m_ca_issuers); }
Authority_Information_Access() = default;
- explicit Authority_Information_Access(const std::string& ocsp) :
- m_ocsp_responder(ocsp) {}
+ explicit Authority_Information_Access(const std::string& ocsp, const std::vector<std::string>& ca_issuers = std::vector<std::string>()) :
+ m_ocsp_responder(ocsp), m_ca_issuers(ca_issuers) {}
std::string ocsp_responder() const { return m_ocsp_responder; }
static OID static_oid() { return OID("1.3.6.1.5.5.7.1.1"); }
OID oid_of() const override { return static_oid(); }
+ const std::vector<std::string> ca_issuers() const { return m_ca_issuers; }
private:
std::string oid_name() const override
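Review bot: The accessor on line 70 returns a top-level `const` value, which prevents callers from moving out of the returned copy and is flagged by clang-tidy's readability-const-return-type; write `std::vector<std::string> ca_issuers() const { return m_ca_issuers; }` to match `ocsp_responder()` on line 67, or return `const std::vector<std::string>&` since the member outlives the call. The new constructor on line 65 is also undocumented: a one-line comment such as `// ca_issuers: uniformResourceIdentifier entries of the caIssuers access descriptions` would tell users what the second argument holds. The class body continues past the hunk.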
@@ -572,6 +576,7 @@ class BOTAN_PUBLIC_API(2,0) Authority_Information_Access final : public Certific
void contents_to(Data_Store&, Data_Store&) const override;
std::string m_ocsp_responder;
+ std::vector<std::string> m_ca_issuers;
};
/**
diff --git a/src/lib/x509/x509cert.cpp b/src/lib/x509/x509cert.cpp
index dd0514dfb..f298006c0 100644
--- a/src/lib/x509/x509cert.cpp
+++ b/src/lib/x509/x509cert.cpp
@@ -47,6 +47,7 @@ struct X509_Certificate_Data
std::vector<std::string> m_crl_distribution_points;
std::string m_ocsp_responder;
+ std::vector<std::string> m_ca_issuers;
AlternativeName m_subject_alt_name;
AlternativeName m_issuer_alt_name;
@@ -262,6 +263,7 @@ std::unique_ptr<X509_Certificate_Data> parse_x509_cert_body(const X509_Object& o
if(auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Authority_Information_Access>())
{
data->m_ocsp_responder = ext->ocsp_responder();
+ data->m_ca_issuers = ext->ca_issuers();
}
if(auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::CRL_Distribution_Points>())
@@ -543,6 +545,11 @@ std::string X509_Certificate::ocsp_responder() const
return data().m_ocsp_responder;
}
+std::vector<std::string> X509_Certificate::ca_issuers() const
+ {
+ return data().m_ca_issuers;
+ }
+
std::string X509_Certificate::crl_distribution_point() const
{
// just returns the first (arbitrarily)
@@ -815,6 +822,15 @@ std::string X509_Certificate::to_string() const
if(!ocsp_responder().empty())
out << "OCSP responder " << ocsp_responder() << "\n";
+
+ std::vector<std::string> ca_issuers = this->ca_issuers();
+ if(!ca_issuers.empty())
+ {
+ out << "CA Issuers:\n";
+ for(size_t i = 0; i != ca_issuers.size(); i++)
+ out << " URI: " << ca_issuers[i] << "\n";
+ }
+
if(!crl_distribution_point().empty())
out << "CRL " << crl_distribution_point() << "\n";
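Review bot: The index loop on lines 115-116 is inconsistent with the range-for the same commit uses in Authority_Information_Access::contents_to; `for(const std::string& uri : ca_issuers) out << " URI: " << uri << "\n";` says the same thing without the size_t bookkeeping. `this->ca_issuers()` on line 111 copies the vector, which is fine here since to_string is not a hot path. The strings are emitted verbatim, and since decode_inner in x509_ext.cpp stores them with no filtering visible, a value containing newlines would break the line-oriented layout; the existing OCSP responder line has the same property, so this is a pre-existing pattern rather than a regression. X509_Certificate::to_string starts and ends outside the hunk.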
diff --git a/src/lib/x509/x509cert.h b/src/lib/x509/x509cert.h
index e87e5e436..a1448637d 100644
--- a/src/lib/x509/x509cert.h
+++ b/src/lib/x509/x509cert.h
@@ -346,6 +346,11 @@ class BOTAN_PUBLIC_API(2,0) X509_Certificate : public X509_Object
std::string ocsp_responder() const;
/**
+ * Return the listed addresses of ca issuers, or empty if not set
+ */
+ std::vector<std::string> ca_issuers() const;
+
+ /**
* Return the CRL distribution point, or empty if not set
*/
std::string crl_distribution_point() const;
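Review bot: The doc comment on line 128 understates what the accessor returns: decode_inner in x509_ext.cpp keeps only the uniformResourceIdentifier form of the caIssuers access descriptions, and the strings are returned as parsed with no validation visible. Suggested wording: `* Return the caIssuers URIs from the Authority Information Access extension, or empty if not set.`, `* Only uniformResourceIdentifier entries are included; the strings are taken from the`, `* certificate as-is and should be treated as untrusted before being dereferenced.` That makes the security-relevant contract explicit for callers that fetch issuer certificates from these URIs.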