diff options
Diffstat (limited to 'src/cert/x509')
-rw-r--r-- | src/cert/x509/pkcs10.cpp | 2 | ||||
-rw-r--r-- | src/cert/x509/x509_ca.cpp | 10 | ||||
-rw-r--r-- | src/cert/x509/x509_ca.h | 6 | ||||
-rw-r--r-- | src/cert/x509/x509_crl.cpp | 2 | ||||
-rw-r--r-- | src/cert/x509/x509_obj.cpp | 2 | ||||
-rw-r--r-- | src/cert/x509/x509cert.cpp | 61 | ||||
-rw-r--r-- | src/cert/x509/x509find.cpp | 95 | ||||
-rw-r--r-- | src/cert/x509/x509find.h | 58 | ||||
-rw-r--r-- | src/cert/x509/x509self.cpp | 4 | ||||
-rw-r--r-- | src/cert/x509/x509stor.cpp | 11 | ||||
-rw-r--r-- | src/cert/x509/x509stor.h | 20 |
11 files changed, 114 insertions, 157 deletions
diff --git a/src/cert/x509/pkcs10.cpp b/src/cert/x509/pkcs10.cpp index 5617cece4..5645552a0 100644 --- a/src/cert/x509/pkcs10.cpp +++ b/src/cert/x509/pkcs10.cpp @@ -45,7 +45,7 @@ void PKCS10_Request::force_decode() cert_req_info.decode(version); if(version != 0) throw Decoding_Error("Unknown version code in PKCS #10 request: " + - to_string(version)); + std::to_string(version)); X509_DN dn_subject; cert_req_info.decode(dn_subject); diff --git a/src/cert/x509/x509_ca.cpp b/src/cert/x509/x509_ca.cpp index 16b7b3b9b..80e808177 100644 --- a/src/cert/x509/x509_ca.cpp +++ b/src/cert/x509/x509_ca.cpp @@ -15,9 +15,6 @@ #include <botan/look_pk.h> #include <botan/oids.h> #include <botan/time.h> -#include <algorithm> -#include <typeinfo> -#include <iterator> #include <memory> #include <set> @@ -61,7 +58,7 @@ X509_Certificate X509_CA::sign_request(const PKCS10_Request& req, constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN); else { - std::auto_ptr<Public_Key> key(req.subject_public_key()); + std::unique_ptr<Public_Key> key(req.subject_public_key()); constraints = X509::find_constraints(*key, req.constraints()); } @@ -173,8 +170,7 @@ X509_CRL X509_CA::update_crl(const X509_CRL& crl, for(u32bit j = 0; j != already_revoked.size(); ++j) { - std::set<SecureVector<byte> >::const_iterator i; - i = removed_from_crl.find(already_revoked[j].serial_number()); + auto i = removed_from_crl.find(already_revoked[j].serial_number()); if(i == removed_from_crl.end()) all_revoked.push_back(already_revoked[j]); @@ -275,7 +271,7 @@ PK_Signer* choose_sig_format(const Private_Key& key, sig_algo.oid = OIDS::lookup(algo_name + "/" + padding); - std::auto_ptr<X509_Encoder> encoding(key.x509_encoder()); + std::unique_ptr<X509_Encoder> encoding(key.x509_encoder()); if(!encoding.get()) throw Encoding_Error("Key " + algo_name + " does not support " "X.509 encoding"); diff --git a/src/cert/x509/x509_ca.h b/src/cert/x509/x509_ca.h index 6eb4bbbef..b680bd0e4 100644 --- a/src/cert/x509/x509_ca.h +++ b/src/cert/x509/x509_ca.h @@ -97,11 +97,11 @@ class BOTAN_DLL X509_CA const Private_Key& key, const std::string& hash_fn); + X509_CA(const X509_CA&) = delete; + X509_CA& operator=(const X509_CA&) = delete; + ~X509_CA(); private: - X509_CA(const X509_CA&) {} - X509_CA& operator=(const X509_CA&) { return (*this); } - X509_CRL make_crl(const std::vector<CRL_Entry>& entries, u32bit crl_number, u32bit next_update, RandomNumberGenerator& rng) const; diff --git a/src/cert/x509/x509_crl.cpp b/src/cert/x509/x509_crl.cpp index f6a344dba..3613c1a91 100644 --- a/src/cert/x509/x509_crl.cpp +++ b/src/cert/x509/x509_crl.cpp @@ -44,7 +44,7 @@ void X509_CRL::force_decode() if(version != 0 && version != 1) throw X509_CRL_Error("Unknown X.509 CRL version " + - to_string(version+1)); + std::to_string(version+1)); AlgorithmIdentifier sig_algo_inner; tbs_crl.decode(sig_algo_inner); diff --git a/src/cert/x509/x509_obj.cpp b/src/cert/x509/x509_obj.cpp index 31b4a309f..95a1c1cca 100644 --- a/src/cert/x509/x509_obj.cpp +++ b/src/cert/x509/x509_obj.cpp @@ -168,7 +168,7 @@ bool X509_Object::check_signature(Public_Key& pub_key) const Signature_Format format = (pub_key.message_parts() >= 2) ? DER_SEQUENCE : IEEE_1363; - std::auto_ptr<PK_Verifier> verifier; + std::unique_ptr<PK_Verifier> verifier; if(dynamic_cast<PK_Verifying_with_MR_Key*>(&pub_key)) { diff --git a/src/cert/x509/x509cert.cpp b/src/cert/x509/x509cert.cpp index ac5839fb6..32c508a0c 100644 --- a/src/cert/x509/x509cert.cpp +++ b/src/cert/x509/x509cert.cpp @@ -27,12 +27,8 @@ std::vector<std::string> lookup_oids(const std::vector<std::string>& in) { std::vector<std::string> out; - std::vector<std::string>::const_iterator i = in.begin(); - while(i != in.end()) - { + for(auto i = in.begin(); i != in.end(); ++i) out.push_back(OIDS::lookup(OID(*i))); - ++i; - } return out; } @@ -84,7 +80,7 @@ void X509_Certificate::force_decode() .decode(dn_subject); if(version > 2) - throw Decoding_Error("Unknown X.509 cert version " + to_string(version)); + throw Decoding_Error("Unknown X.509 cert version " + std::to_string(version)); if(sig_algo != sig_algo_inner) throw Decoding_Error("Algorithm identifier mismatch"); @@ -304,25 +300,16 @@ bool operator!=(const X509_Certificate& cert1, const X509_Certificate& cert2) */ X509_DN create_dn(const Data_Store& info) { - class DN_Matcher : public Data_Store::Matcher + auto names = info.search_for( + [](const std::string& key, const std::string&) { - public: - bool operator()(const std::string& key, const std::string&) const - { - if(key.find("X520.") != std::string::npos) - return true; - return false; - } - }; - - std::multimap<std::string, std::string> names = - info.search_with(DN_Matcher()); + return (key.find("X520.") != std::string::npos); + }); X509_DN dn; - std::multimap<std::string, std::string>::iterator j; - for(j = names.begin(); j != names.end(); ++j) - dn.add_attribute(j->first, j->second); + for(auto i = names.begin(); i != names.end(); ++i) + dn.add_attribute(i->first, i->second); return dn; } @@ -332,33 +319,19 @@ X509_DN create_dn(const Data_Store& info) */ AlternativeName create_alt_name(const Data_Store& info) { - class AltName_Matcher : public Data_Store::Matcher + auto names = info.search_for( + [](const std::string& key, const std::string&) { - public: - bool operator()(const std::string& key, const std::string&) const - { - for(u32bit j = 0; j != matches.size(); ++j) - if(key.compare(matches[j]) == 0) - return true; - return false; - } - - AltName_Matcher(const std::string& match_any_of) - { - matches = split_on(match_any_of, '/'); - } - private: - std::vector<std::string> matches; - }; - - std::multimap<std::string, std::string> names = - info.search_with(AltName_Matcher("RFC822/DNS/URI/IP")); + return (key == "RFC822" || + key == "DNS" || + key == "URI" || + key == "IP"); + }); AlternativeName alt_name; - std::multimap<std::string, std::string>::iterator j; - for(j = names.begin(); j != names.end(); ++j) - alt_name.add_attribute(j->first, j->second); + for(auto i = names.begin(); i != names.end(); ++i) + alt_name.add_attribute(i->first, i->second); return alt_name; } diff --git a/src/cert/x509/x509find.cpp b/src/cert/x509/x509find.cpp index 257367da9..41643a94a 100644 --- a/src/cert/x509/x509find.cpp +++ b/src/cert/x509/x509find.cpp @@ -11,6 +11,8 @@ namespace Botan { +namespace X509_Store_Search { + namespace { /* @@ -42,70 +44,65 @@ bool ignore_case(const std::string& searching_for, const std::string& found) /* * Search based on the contents of a DN entry */ -bool DN_Check::match(const X509_Certificate& cert) const +std::function<bool (const X509_Certificate&)> +by_dn(const std::string& dn_entry, + const std::string& to_find, + DN_Search_Type method) { - std::vector<std::string> info = cert.subject_info(dn_entry); - - for(u32bit j = 0; j != info.size(); ++j) - if(compare(info[j], looking_for)) - return true; - return false; - } + if(method == SUBSTRING_MATCHING) + return by_dn(dn_entry, to_find, substring_match); + else if(method == IGNORE_CASE) + return by_dn(dn_entry, to_find, ignore_case); -/* -* DN_Check Constructor -*/ -DN_Check::DN_Check(const std::string& dn_entry, const std::string& looking_for, - compare_fn func) - { - this->dn_entry = dn_entry; - this->looking_for = looking_for; - compare = func; + throw Invalid_Argument("Unknown method argument to by_dn"); } -/* -* DN_Check Constructor -*/ -DN_Check::DN_Check(const std::string& dn_entry, const std::string& looking_for, - Search_Type method) +std::function<bool (const X509_Certificate&)> +by_dn(const std::string& dn_entry, + const std::string& to_find, + std::function<bool (std::string, std::string)> compare) { - this->dn_entry = dn_entry; - this->looking_for = looking_for; + return [&](const X509_Certificate& cert) + { + std::vector<std::string> info = cert.subject_info(dn_entry); - if(method == SUBSTRING_MATCHING) - compare = &substring_match; - else if(method == IGNORE_CASE) - compare = &ignore_case; - else - throw Invalid_Argument("Unknown method argument to DN_Check()"); + for(u32bit i = 0; i != info.size(); ++i) + if(compare(info[i], to_find)) + return true; + return false; + }; } -/* -* Match by issuer and serial number -*/ -bool IandS_Match::match(const X509_Certificate& cert) const +std::function<bool (const X509_Certificate&)> +by_issuer_and_serial(const X509_DN& issuer, const MemoryRegion<byte>& serial) { - if(cert.serial_number() != serial) - return false; - return (cert.issuer_dn() == issuer); + /* Serial number compare is much faster than X.509 DN, and unlikely + to collide even across issuers, so do that first to fail fast + */ + + return [&](const X509_Certificate& cert) + { + if(cert.serial_number() != serial) + return false; + return (cert.issuer_dn() == issuer); + }; } -/* -* IandS_Match Constructor -*/ -IandS_Match::IandS_Match(const X509_DN& issuer, - const MemoryRegion<byte>& serial) +std::function<bool (const X509_Certificate&)> +by_issuer_and_serial(const X509_DN& issuer, const BigInt& serial) { - this->issuer = issuer; - this->serial = serial; + return by_issuer_and_serial(issuer, BigInt::encode(serial)); } -/* -* Match by subject key identifier -*/ -bool SKID_Match::match(const X509_Certificate& cert) const +std::function<bool (const X509_Certificate&)> +by_skid(const MemoryRegion<byte>& subject_key_id) { - return (cert.subject_key_id() == skid); + return [&](const X509_Certificate& cert) + { + return (cert.subject_key_id() == subject_key_id); + }; } } + +} diff --git a/src/cert/x509/x509find.h b/src/cert/x509/x509find.h index a7a84c7a5..1bf29dfbc 100644 --- a/src/cert/x509/x509find.h +++ b/src/cert/x509/x509find.h @@ -9,51 +9,43 @@ #define BOTAN_X509_CERT_STORE_SEARCH_H__ #include <botan/x509stor.h> +#include <botan/bigint.h> namespace Botan { +namespace X509_Store_Search { + /* * Search based on the contents of a DN entry */ -class BOTAN_DLL DN_Check : public X509_Store::Search_Func - { - public: - typedef bool (*compare_fn)(const std::string&, const std::string&); - enum Search_Type { SUBSTRING_MATCHING, IGNORE_CASE }; +enum DN_Search_Type { SUBSTRING_MATCHING, IGNORE_CASE }; - bool match(const X509_Certificate& cert) const; +std::function<bool (const X509_Certificate&)> +by_dn(const std::string& dn_entry, + const std::string& to_find, + DN_Search_Type method); - DN_Check(const std::string&, const std::string&, compare_fn); - DN_Check(const std::string&, const std::string&, Search_Type); - private: - std::string dn_entry, looking_for; - compare_fn compare; - }; +std::function<bool (const X509_Certificate&)> +by_dn(const std::string& dn_entry, + const std::string& to_find, + std::function<bool (std::string, std::string)> method); -/* -* Search for a certificate by issuer/serial +/** +* Search for certs by issuer + serial number */ -class BOTAN_DLL IandS_Match : public X509_Store::Search_Func - { - public: - bool match(const X509_Certificate& cert) const; - IandS_Match(const X509_DN&, const MemoryRegion<byte>&); - private: - X509_DN issuer; - MemoryVector<byte> serial; - }; +std::function<bool (const X509_Certificate&)> +by_issuer_and_serial(const X509_DN& issuer, const MemoryRegion<byte>& serial); -/* -* Search for a certificate by subject keyid +std::function<bool (const X509_Certificate&)> +by_issuer_and_serial(const X509_DN& issuer, const BigInt& serial); + +/** +* Search for certs by subject key identifier */ -class BOTAN_DLL SKID_Match : public X509_Store::Search_Func - { - public: - bool match(const X509_Certificate& cert) const; - SKID_Match(const MemoryRegion<byte>& s) : skid(s) {} - private: - MemoryVector<byte> skid; - }; +std::function<bool (const X509_Certificate&)> +by_skid(const MemoryRegion<byte>& subject_key_id); + +} } diff --git a/src/cert/x509/x509self.cpp b/src/cert/x509/x509self.cpp index f915c6ff5..df31897bb 100644 --- a/src/cert/x509/x509self.cpp +++ b/src/cert/x509/x509self.cpp @@ -73,7 +73,7 @@ X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts, AlternativeName subject_alt; MemoryVector<byte> pub_key = shared_setup(opts, key); - std::auto_ptr<PK_Signer> signer(choose_sig_format(key, hash_fn, sig_algo)); + std::unique_ptr<PK_Signer> signer(choose_sig_format(key, hash_fn, sig_algo)); load_info(opts, subject_dn, subject_alt); Key_Constraints constraints; @@ -112,7 +112,7 @@ PKCS10_Request create_cert_req(const X509_Cert_Options& opts, AlternativeName subject_alt; MemoryVector<byte> pub_key = shared_setup(opts, key); - std::auto_ptr<PK_Signer> signer(choose_sig_format(key, hash_fn, sig_algo)); + std::unique_ptr<PK_Signer> signer(choose_sig_format(key, hash_fn, sig_algo)); load_info(opts, subject_dn, subject_alt); const u32bit PKCS10_VERSION = 0; diff --git a/src/cert/x509/x509stor.cpp b/src/cert/x509/x509stor.cpp index e9e8f4575..323890f2d 100644 --- a/src/cert/x509/x509stor.cpp +++ b/src/cert/x509/x509stor.cpp @@ -380,8 +380,8 @@ X509_Code X509_Store::check_sig(const Cert_Info& cert_info, */ X509_Code X509_Store::check_sig(const X509_Object& object, Public_Key* key) { - std::auto_ptr<Public_Key> pub_key(key); - std::auto_ptr<PK_Verifier> verifier; + std::unique_ptr<Public_Key> pub_key(key); + std::unique_ptr<PK_Verifier> verifier; try { std::vector<std::string> sig_info = @@ -464,12 +464,12 @@ bool X509_Store::is_revoked(const X509_Certificate& cert) const * Retrieve all the certificates in the store */ std::vector<X509_Certificate> -X509_Store::get_certs(const Search_Func& search) const +X509_Store::get_certs(std::function<bool (const X509_Certificate&)> pred) const { std::vector<X509_Certificate> found_certs; for(u32bit j = 0; j != certs.size(); ++j) { - if(search.match(certs[j].cert)) + if(pred(certs[j].cert)) found_certs.push_back(certs[j].cert); } return found_certs; @@ -603,8 +603,7 @@ X509_Code X509_Store::add_crl(const X509_CRL& crl) revoked_info.serial = revoked_certs[j].serial_number(); revoked_info.auth_key_id = crl.authority_key_id(); - std::vector<CRL_Data>::iterator p = - std::find(revoked.begin(), revoked.end(), revoked_info); + auto p = std::find(revoked.begin(), revoked.end(), revoked_info); if(revoked_certs[j].reason_code() == REMOVE_FROM_CRL) { diff --git a/src/cert/x509/x509stor.h b/src/cert/x509/x509stor.h index 4e6037883..958b6da0f 100644 --- a/src/cert/x509/x509stor.h +++ b/src/cert/x509/x509stor.h @@ -11,6 +11,7 @@ #include <botan/x509cert.h> #include <botan/x509_crl.h> #include <botan/certstor.h> +#include <functional> namespace Botan { @@ -48,13 +49,6 @@ enum X509_Code { class BOTAN_DLL X509_Store { public: - class BOTAN_DLL Search_Func - { - public: - virtual bool match(const X509_Certificate&) const = 0; - virtual ~Search_Func() {} - }; - enum Cert_Usage { ANY = 0x00, TLS_SERVER = 0x01, @@ -67,7 +61,13 @@ class BOTAN_DLL X509_Store X509_Code validate_cert(const X509_Certificate&, Cert_Usage = ANY); - std::vector<X509_Certificate> get_certs(const Search_Func&) const; + /** + * @param match the matching function + * @return list of certs for which match returns true + */ + std::vector<X509_Certificate> + get_certs(std::function<bool (const X509_Certificate&)> match) const; + std::vector<X509_Certificate> get_cert_chain(const X509_Certificate&); std::string PEM_encode() const; @@ -94,14 +94,14 @@ class BOTAN_DLL X509_Store static X509_Code check_sig(const X509_Object&, Public_Key*); + X509_Store& operator=(const X509_Store&) = delete; + X509_Store(u32bit time_slack = 24*60*60, u32bit cache_results = 30*60); X509_Store(const X509_Store&); ~X509_Store(); private: - X509_Store& operator=(const X509_Store&) { return (*this); } - class BOTAN_DLL Cert_Info { public: |