Remove protected data members from X509_Object

Just need const accessors, no reason for any subclass to modify values.

5 files changed, 27 insertions, 41 deletions

diff --git a/src/lib/x509/pkcs10.cpp b/src/lib/x509/pkcs10.cpp
index ab52769f7..911d6958c 100644
--- a/src/lib/x509/pkcs10.cpp
+++ b/src/lib/x509/pkcs10.cpp
@@ -48,7 +48,7 @@ PKCS10_Request::PKCS10_Request(const std::vector<uint8_t>& in) :
 */
 void PKCS10_Request::force_decode()
    {
-   BER_Decoder cert_req_info(m_tbs_bits);
+   BER_Decoder cert_req_info(signed_body());
 
    size_t version;
    cert_req_info.decode(version);
diff --git a/src/lib/x509/x509_crl.cpp b/src/lib/x509/x509_crl.cpp
index 41a93d6d0..e27733d32 100644
--- a/src/lib/x509/x509_crl.cpp
+++ b/src/lib/x509/x509_crl.cpp
@@ -89,7 +89,7 @@ bool X509_CRL::is_revoked(const X509_Certificate& cert) const
 */
 void X509_CRL::force_decode()
    {
-   BER_Decoder tbs_crl(m_tbs_bits);
+   BER_Decoder tbs_crl(signed_body());
 
    size_t version;
    tbs_crl.decode_optional(version, INTEGER, UNIVERSAL);
@@ -101,7 +101,7 @@ void X509_CRL::force_decode()
    AlgorithmIdentifier sig_algo_inner;
    tbs_crl.decode(sig_algo_inner);
 
-   if(m_sig_algo != sig_algo_inner)
+   if(signature_algorithm() != sig_algo_inner)
       throw X509_CRL_Error("Algorithm identifier mismatch");
 
    X509_DN dn_issuer;
diff --git a/src/lib/x509/x509_obj.cpp b/src/lib/x509/x509_obj.cpp
index b4ad086af..3f2aa5518 100644
--- a/src/lib/x509/x509_obj.cpp
+++ b/src/lib/x509/x509_obj.cpp
@@ -86,10 +86,10 @@ void X509_Object::encode_into(DER_Encoder& to) const
    {
    to.start_cons(SEQUENCE)
          .start_cons(SEQUENCE)
-            .raw_bytes(m_tbs_bits)
+            .raw_bytes(signed_body())
          .end_cons()
-         .encode(m_sig_algo)
-         .encode(m_sig, BIT_STRING)
+         .encode(signature_algorithm())
+         .encode(signature(), BIT_STRING)
       .end_cons();
    }
 
@@ -134,32 +134,16 @@ std::vector<uint8_t> X509_Object::tbs_data() const
    }
 
 /*
-* Return the signature of this object
-*/
-std::vector<uint8_t> X509_Object::signature() const
-   {
-   return m_sig;
-   }
-
-/*
-* Return the algorithm used to sign this object
-*/
-AlgorithmIdentifier X509_Object::signature_algorithm() const
-   {
-   return m_sig_algo;
-   }
-
-/*
 * Return the hash used in generating the signature
 */
 std::string X509_Object::hash_used_for_signature() const
    {
-   std::vector<std::string> sig_info =
-      split_on(OIDS::lookup(m_sig_algo.oid), '/');
+   const OID oid = m_sig_algo.oid;
+   std::vector<std::string> sig_info = split_on(OIDS::lookup(oid), '/');
 
    if(sig_info.size() != 2)
       throw Internal_Error("Invalid name format found for " +
-                           m_sig_algo.oid.as_string());
+                           oid.as_string());
 
    std::vector<std::string> pad_and_hash =
       parse_algorithm_name(sig_info[1]);
diff --git a/src/lib/x509/x509_obj.h b/src/lib/x509/x509_obj.h
index be686a8c0..720cd1a39 100644
--- a/src/lib/x509/x509_obj.h
+++ b/src/lib/x509/x509_obj.h
@@ -33,12 +33,17 @@ class BOTAN_PUBLIC_API(2,0) X509_Object : public ASN1_Object
       /**
       * @return signature on tbs_data()
       */
-      std::vector<uint8_t> signature() const;
+      const std::vector<uint8_t>& signature() const { return m_sig; }
+
+      /**
+      * @return signed body
+      */
+      const std::vector<uint8_t>& signed_body() const { return m_tbs_bits; }
 
       /**
       * @return signature algorithm that was used to generate signature
       */
-      AlgorithmIdentifier signature_algorithm() const;
+      const AlgorithmIdentifier& signature_algorithm() const { return m_sig_algo; }
 
       /**
       * @return hash algorithm that was used to generate signature
@@ -108,12 +113,13 @@ class BOTAN_PUBLIC_API(2,0) X509_Object : public ASN1_Object
 
       void do_decode();
       X509_Object() = default;
-      AlgorithmIdentifier m_sig_algo;
-      std::vector<uint8_t> m_tbs_bits, m_sig;
+
    private:
       virtual void force_decode() = 0;
       void init(DataSource&, const std::string&);
 
+      AlgorithmIdentifier m_sig_algo;
+      std::vector<uint8_t> m_tbs_bits, m_sig;
       std::vector<std::string> m_PEM_labels_allowed;
       std::string m_PEM_label_pref;
    };
diff --git a/src/lib/x509/x509cert.cpp b/src/lib/x509/x509cert.cpp
index f2872d805..c81f74cba 100644
--- a/src/lib/x509/x509cert.cpp
+++ b/src/lib/x509/x509cert.cpp
@@ -82,7 +82,7 @@ void X509_Certificate::force_decode()
    X509_DN dn_issuer, dn_subject;
    X509_Time start, end;
 
-   BER_Decoder tbs_cert(m_tbs_bits);
+   BER_Decoder tbs_cert(signed_body());
 
    tbs_cert.decode_optional(version, ASN1_Tag(0),
                             ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC))
@@ -97,7 +97,7 @@ void X509_Certificate::force_decode()
 
    if(version > 2)
       throw Decoding_Error("Unknown X.509 cert version " + std::to_string(version));
-   if(m_sig_algo != sig_algo_inner)
+   if(signature_algorithm() != sig_algo_inner)
       throw Decoding_Error("Algorithm identifier mismatch");
 
 
@@ -505,25 +505,21 @@ bool X509_Certificate::matches_dns_name(const std::string& name) const
 */
 bool X509_Certificate::operator==(const X509_Certificate& other) const
    {
-   return (m_sig == other.m_sig &&
-           m_sig_algo == other.m_sig_algo &&
-           m_self_signed == other.m_self_signed &&
-           m_issuer == other.m_issuer &&
-           m_subject == other.m_subject);
+   return (this->signature() == other.signature() &&
+           this->signature_algorithm() == other.signature_algorithm() &&
+           this->signed_body() == other.signed_body());
    }
 
 bool X509_Certificate::operator<(const X509_Certificate& other) const
    {
    /* If signature values are not equal, sort by lexicographic ordering of that */
-   if(m_sig != other.m_sig)
+   if(this->signature() != other.signature())
       {
-      if(m_sig < other.m_sig)
-         return true;
-      return false;
+      return (this->signature() < other.signature());
       }
 
    // Then compare the signed contents
-   return m_tbs_bits < other.m_tbs_bits;
+   return this->signed_body() < other.signed_body();
    }
 
 /*