author | lloyd <[email protected]> | 2012-05-27 18:49:42 +0000 |
committer | lloyd <[email protected]> | 2012-05-27 18:49:42 +0000 |
commit | f703961f20af641102db4c57e0f09e4daa7841e4 (patch) | |
tree | 49edbb4a1bececb6a25d3ef1a8d5e2ca88a8658a /src | |
parent | ad4ffbfaf86e58707b7c4c7df92660b46724a9bf (diff) |
Support for the authority information access extension, limited to
only grabbing type 6 (URL) values for OCSP which is likely the only
thing it's ever used for. Expose the value with new function
X509_Certificate::ocsp_responder
Diffstat (limited to 'src')
-rw-r--r-- | src/cert/x509/x509_ext.cpp | 50 | ||||
-rw-r--r-- | src/cert/x509/x509_ext.h | 25 | ||||
-rw-r--r-- | src/cert/x509/x509cert.cpp | 5 | ||||
-rw-r--r-- | src/cert/x509/x509cert.h | 5 | ||||
-rw-r--r-- | src/libstate/policy.cpp | 2 |
5 files changed, 86 insertions, 1 deletions
diff --git a/src/cert/x509/x509_ext.cpp b/src/cert/x509/x509_ext.cpp
index 7daa58f20..6be0c7571 100644
--- a/src/cert/x509/x509_ext.cpp
+++ b/src/cert/x509/x509_ext.cpp
@@ -10,6 +10,7 @@
 #include <botan/der_enc.h>
 #include <botan/ber_dec.h>
 #include <botan/oids.h>
+#include <botan/charset.h>
 #include <botan/internal/bit_ops.h>
 #include <algorithm>
 #include <memory>
@@ -32,8 +33,9 @@ Certificate_Extension* Extensions::get_extension(const OID& oid)
 X509_EXTENSION("X509v3.ExtendedKeyUsage", Extended_Key_Usage);
 X509_EXTENSION("X509v3.IssuerAlternativeName", Issuer_Alternative_Name);
 X509_EXTENSION("X509v3.SubjectAlternativeName", Subject_Alternative_Name);
- X509_EXTENSION("X509v3.CRLNumber", CRL_Number);
 X509_EXTENSION("X509v3.CertificatePolicies", Certificate_Policies);
+ X509_EXTENSION("PKIX.AuthorityInformationAccess", Authority_Information_Access);
+ X509_EXTENSION("X509v3.CRLNumber", CRL_Number);
 X509_EXTENSION("X509v3.ReasonCode", CRL_ReasonCode);
 return nullptr;
@@ -501,6 +503,52 @@ void Certificate_Policies::contents_to(Data_Store& info, Data_Store&) const
 info.add("X509v3.CertificatePolicies", oids[i].as_string());
 }
+std::vector<byte> Authority_Information_Access::encode_inner() const
+ {
+ ASN1_String url(m_ocsp_responder, IA5_STRING);
+
+ return DER_Encoder()
+ .start_cons(SEQUENCE)
+ .start_cons(SEQUENCE)
+ .encode(OIDS::lookup("PKIX.OCSP"))
+ .add_object(ASN1_Tag(6), CONTEXT_SPECIFIC, url.iso_8859())
+ .end_cons()
+ .end_cons().get_contents_unlocked();
+ }
+
+void Authority_Information_Access::decode_inner(const std::vector<byte>& in)
+ {
+ BER_Decoder ber = BER_Decoder(in).start_cons(SEQUENCE);
+
+ while(ber.more_items())
+ {
+ OID oid;
+
+ BER_Decoder info = ber.start_cons(SEQUENCE);
+
+ info.decode(oid);
+
+ if(oid == OIDS::lookup("PKIX.OCSP"))
+ {
+ BER_Object name = info.get_next_object();
+
+ if(name.type_tag == 6 && name.class_tag == CONTEXT_SPECIFIC)
+ {
+ m_ocsp_responder = Charset::transcode(ASN1::to_string(name),
+ LATIN1_CHARSET,
+ LOCAL_CHARSET);
+ }
+
+ }
+ }
+ }
+
+void Authority_Information_Access::contents_to(Data_Store& subject, Data_Store&) const
+ {
+ if(m_ocsp_responder != "")
+ subject.add("OCSP.responder", m_ocsp_responder);
+ }
+
 /*
 * Checked accessor for the crl_number member
 */
diff --git a/src/cert/x509/x509_ext.h b/src/cert/x509/x509_ext.h
index 1e5d1adbb..63bbdb072 100644
--- a/src/cert/x509/x509_ext.h
+++ b/src/cert/x509/x509_ext.h
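Review bot: In decode_inner the `while(ber.more_items())` loop assigns `m_ocsp_responder` on every matching id-ad-ocsp entry, so a certificate that lists several OCSP URIs (which RFC 5280 §4.2.2.1 permits) silently keeps only the last one, and since the extension stores a single string the new `ocsp_responder()` accessor can never expose the others. If only one value is to be kept, the first-listed entry is the usual choice: guard the assignment with `if(m_ocsp_responder.empty())` (or `break` after it) and state the rule in a comment so the limitation is deliberate rather than accidental. The decoded string is lifted straight out of a certificate that has not been validated at this point, so code that later uses it to contact a responder has to treat it as untrusted input; a one-line comment above the assignment, `// accessLocation is attacker-controlled data from an unverified certificate; callers must validate it before use`, would make that expectation explicit. Smaller points: `OIDS::lookup("PKIX.OCSP")` is re-resolved on every iteration and can be hoisted to a `const OID ocsp_oid` before the loop, and the literal `6` in `name.type_tag == 6` would read better as the same `ASN1_Tag(6)` the encoder uses for the uniformResourceIdentifier choice.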
@@ -285,6 +285,31 @@ class BOTAN_DLL Certificate_Policies : public Certificate_Extension
 std::vector<OID> oids;
 };
+class BOTAN_DLL Authority_Information_Access : public Certificate_Extension
+ {
+ public:
+ Authority_Information_Access* copy() const
+ { return new Authority_Information_Access(m_ocsp_responder); }
+
+ Authority_Information_Access() {}
+
+ Authority_Information_Access(const std::string& ocsp) :
+ m_ocsp_responder(ocsp) {}
+
+ private:
+ std::string config_id() const { return "auth_information_access"; }
+ std::string oid_name() const { return "PKIX.AuthorityInformationAccess"; }
+
+ bool should_encode() const { return (m_ocsp_responder != ""); }
+
+ std::vector<byte> encode_inner() const;
+ void decode_inner(const std::vector<byte>&);
+
+ void contents_to(Data_Store&, Data_Store&) const;
+
+ std::string m_ocsp_responder;
+ };
+
 /**
 * CRL Number Extension
 */
diff --git a/src/cert/x509/x509cert.cpp b/src/cert/x509/x509cert.cpp
index e1aa2075f..05a548be4 100644
--- a/src/cert/x509/x509cert.cpp
+++ b/src/cert/x509/x509cert.cpp
@@ -276,6 +276,11 @@ std::vector<std::string> X509_Certificate::policies() const
 return lookup_oids(subject.get("X509v3.CertificatePolicies"));
 }
+std::string X509_Certificate::ocsp_responder() const
+ {
+ return subject.get1("OCSP.responder");
+ }
+
 /*
 * Return the authority key id
 */
diff --git a/src/cert/x509/x509cert.h b/src/cert/x509/x509cert.h
index 9df9eba0a..c226928dc 100644
--- a/src/cert/x509/x509cert.h
+++ b/src/cert/x509/x509cert.h
@@ -166,6 +166,11 @@ class BOTAN_DLL X509_Certificate : public X509_Object
 std::vector<std::string> policies() const;
 /**
+ * Return the listed address of an OCSP responder, or empty if not set
+ */
+ std::string ocsp_responder() const;
+
+ /**
 * @return a string describing the certificate
 */
 std::string to_string() const;
diff --git a/src/libstate/policy.cpp b/src/libstate/policy.cpp
index 4c6e0b2a5..00e95d2c0 100644
--- a/src/libstate/policy.cpp
+++ b/src/libstate/policy.cpp
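Review bot: The new `Authority_Information_Access` class carries no documentation block, unlike the neighbouring `/** CRL Number Extension */`; a header along the lines of `/** Authority Information Access Extension — currently records only the OCSP responder URI (accessMethod id-ad-ocsp with a uniformResourceIdentifier accessLocation); other access methods and location types are ignored on decode */` would tell readers what the single `m_ocsp_responder` member can and cannot hold. The single-argument constructor `Authority_Information_Access(const std::string& ocsp)` is implicit, so any `std::string` converts to this extension silently; marking it `explicit` costs nothing, and the only string-taking construction visible in this commit is `copy()`. The private overrides (`config_id`, `oid_name`, `should_encode`, `encode_inner`, `decode_inner`, `contents_to`) carry no `override`, which presumably matches the surrounding extension classes and the compilers of the time, but it means a signature typo would silently create a non-overriding member; `should_encode` would also read more naturally as `return !m_ocsp_responder.empty();`.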
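Review bot: `ocsp_responder()` returns `subject.get1("OCSP.responder")`, but the extension's `contents_to` only adds that key when the certificate actually carries an OCSP URI, and as far as I recall `Data_Store::get1` in this codebase throws `Invalid_State` when the key has no value (worth confirming in datastor.cpp) — which contradicts the "or empty if not set" promise added to x509cert.h in this same commit. Unless a defaulting overload of `get1` exists, build the result from `get`, which this very hunk already uses for policies: `const std::vector<std::string> vals = subject.get("OCSP.responder"); return vals.empty() ? "" : vals[0];`. Either way a certificate without the extension (CA and most test certificates) is the case to cover with a test, since that is the path the header comment documents and the one a caller is most likely to hit.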
@@ -193,6 +193,7 @@ void set_default_oids(Library_State& config)
 add_oid(config, "2.5.29.35", "X509v3.AuthorityKeyIdentifier");
 add_oid(config, "2.5.29.36", "X509v3.PolicyConstraints");
 add_oid(config, "2.5.29.37", "X509v3.ExtendedKeyUsage");
+ add_oid(config, "1.3.6.1.5.5.7.1.1", "PKIX.AuthorityInformationAccess");
 add_oid(config, "2.5.29.32.0", "X509v3.AnyPolicy");
@@ -208,6 +209,7 @@ void set_default_oids(Library_State& config)
 add_oid(config, "1.3.6.1.5.5.7.8.5", "PKIX.XMPPAddr");
+ add_oid(config, "1.3.6.1.5.5.7.48.1", "PKIX.OCSP");
 add_oid(config, "1.3.6.1.5.5.7.48.1.1", "PKIX.OCSP.BasicResponse");
 /* ECC domain parameters */ |