aboutsummaryrefslogtreecommitdiffstats
path: root/src/cert
diff options
context:
space:
mode:
Diffstat (limited to 'src/cert')
-rw-r--r--src/cert/cvc/asn1_eac_tm.cpp112
-rw-r--r--src/cert/cvc/cvc_gen_cert.h6
-rw-r--r--src/cert/cvc/cvc_self.cpp36
-rw-r--r--src/cert/cvc/eac_asn_obj.h62
-rw-r--r--src/cert/cvc/info.txt1
-rw-r--r--src/cert/x509/crl_ent.cpp3
-rw-r--r--src/cert/x509/pkcs10.cpp2
-rw-r--r--src/cert/x509/x509_ca.cpp14
-rw-r--r--src/cert/x509/x509_ca.h6
-rw-r--r--src/cert/x509/x509_crl.cpp2
-rw-r--r--src/cert/x509/x509cert.cpp61
-rw-r--r--src/cert/x509/x509find.cpp95
-rw-r--r--src/cert/x509/x509find.h56
-rw-r--r--src/cert/x509/x509opt.cpp8
-rw-r--r--src/cert/x509/x509self.cpp4
-rw-r--r--src/cert/x509/x509stor.cpp40
-rw-r--r--src/cert/x509/x509stor.h39
17 files changed, 238 insertions, 309 deletions
diff --git a/src/cert/cvc/asn1_eac_tm.cpp b/src/cert/cvc/asn1_eac_tm.cpp
index b048d3aa5..ddb42266a 100644
--- a/src/cert/cvc/asn1_eac_tm.cpp
+++ b/src/cert/cvc/asn1_eac_tm.cpp
@@ -1,7 +1,7 @@
/*
* EAC Time Types
* (C) 2007 FlexSecure GmbH
-* 2008 Jack Lloyd
+* 2008-2009 Jack Lloyd
*
* Distributed under the terms of the Botan license
*/
@@ -22,7 +22,7 @@ SecureVector<byte> enc_two_digit(u32bit in)
{
SecureVector<byte> result;
in %= 100;
- if (in < 10)
+ if(in < 10)
result.append(0x00);
else
{
@@ -50,9 +50,10 @@ u32bit dec_two_digit(byte b1, byte b2)
/*
* Create an EAC_Time
*/
-EAC_Time::EAC_Time(u64bit timer, ASN1_Tag t) : tag(t)
+EAC_Time::EAC_Time(const std::chrono::system_clock::time_point& time,
+ ASN1_Tag t) : tag(t)
{
- calendar_point cal = calendar_value(timer);
+ calendar_point cal = calendar_value(time);
year = cal.year;
month = cal.month;
@@ -62,11 +63,11 @@ EAC_Time::EAC_Time(u64bit timer, ASN1_Tag t) : tag(t)
/*
* Create an EAC_Time
*/
-EAC_Time::EAC_Time(const std::string& t_spec, ASN1_Tag t)
- :tag(t)
+EAC_Time::EAC_Time(const std::string& t_spec, ASN1_Tag t) : tag(t)
{
set_to(t_spec);
}
+
/*
* Create an EAC_Time
*/
@@ -83,7 +84,7 @@ EAC_Time::EAC_Time(u32bit y, u32bit m, u32bit d, ASN1_Tag t)
*/
void EAC_Time::set_to(const std::string& time_str)
{
- if (time_str == "")
+ if(time_str == "")
{
year = month = day = 0;
return;
@@ -92,28 +93,28 @@ void EAC_Time::set_to(const std::string& time_str)
std::vector<std::string> params;
std::string current;
- for (u32bit j = 0; j != time_str.size(); ++j)
+ for(u32bit j = 0; j != time_str.size(); ++j)
{
- if (Charset::is_digit(time_str[j]))
+ if(Charset::is_digit(time_str[j]))
current += time_str[j];
else
{
- if (current != "")
+ if(current != "")
params.push_back(current);
current.clear();
}
}
- if (current != "")
+ if(current != "")
params.push_back(current);
- if (params.size() != 3)
+ if(params.size() != 3)
throw Invalid_Argument("Invalid time specification " + time_str);
year = to_u32bit(params[0]);
month = to_u32bit(params[1]);
day = to_u32bit(params[2]);
- if (!passes_sanity_check())
+ if(!passes_sanity_check())
throw Invalid_Argument("Invalid time specification " + time_str);
}
@@ -132,15 +133,10 @@ void EAC_Time::encode_into(DER_Encoder& der) const
*/
std::string EAC_Time::as_string() const
{
- if (time_is_set() == false)
+ if(time_is_set() == false)
throw Invalid_State("EAC_Time::as_string: No time set");
- std::string asn1rep;
- asn1rep = to_string(year, 2);
-
- asn1rep += to_string(month, 2) + to_string(day, 2);
-
- return asn1rep;
+ return std::to_string(year * 10000 + month * 100 + day);
}
/*
@@ -156,15 +152,14 @@ bool EAC_Time::time_is_set() const
*/
std::string EAC_Time::readable_string() const
{
- if (time_is_set() == false)
+ if(time_is_set() == false)
throw Invalid_State("EAC_Time::readable_string: No time set");
- std::string readable;
- readable += to_string(year, 2) + "/";
- readable += to_string(month, 2) + "/";
- readable += to_string(day, 2) + " ";
+ std::string output(11, 0);
+
+ std::sprintf(&output[0], "%04d/%02d/%02d", year, month, day);
- return readable;
+ return output;
}
/*
@@ -172,11 +167,11 @@ std::string EAC_Time::readable_string() const
*/
bool EAC_Time::passes_sanity_check() const
{
- if (year < 2000 || year > 2099)
+ if(year < 2000 || year > 2099)
return false;
- if (month == 0 || month > 12)
+ if(month == 0 || month > 12)
return false;
- if (day == 0 || day > 31)
+ if(day == 0 || day > 31)
return false;
return true;
@@ -185,11 +180,11 @@ bool EAC_Time::passes_sanity_check() const
/*
* modification functions
*/
-
void EAC_Time::add_years(u32bit years)
{
year += years;
}
+
void EAC_Time::add_months(u32bit months)
{
year += months/12;
@@ -201,23 +196,22 @@ void EAC_Time::add_months(u32bit months)
}
}
-
/*
* Compare this time against another
*/
s32bit EAC_Time::cmp(const EAC_Time& other) const
{
- if (time_is_set() == false)
+ if(time_is_set() == false)
throw Invalid_State("EAC_Time::cmp: No time set");
const s32bit EARLIER = -1, LATER = 1, SAME_TIME = 0;
- if (year < other.year) return EARLIER;
- if (year > other.year) return LATER;
- if (month < other.month) return EARLIER;
- if (month > other.month) return LATER;
- if (day < other.day) return EARLIER;
- if (day > other.day) return LATER;
+ if(year < other.year) return EARLIER;
+ if(year > other.year) return LATER;
+ if(month < other.month) return EARLIER;
+ if(month > other.month) return LATER;
+ if(day < other.day) return EARLIER;
+ if(day > other.day) return LATER;
return SAME_TIME;
}
@@ -229,22 +223,27 @@ bool operator==(const EAC_Time& t1, const EAC_Time& t2)
{
return (t1.cmp(t2) == 0);
}
+
bool operator!=(const EAC_Time& t1, const EAC_Time& t2)
{
return (t1.cmp(t2) != 0);
}
+
bool operator<=(const EAC_Time& t1, const EAC_Time& t2)
{
return (t1.cmp(t2) <= 0);
}
+
bool operator>=(const EAC_Time& t1, const EAC_Time& t2)
{
return (t1.cmp(t2) >= 0);
}
+
bool operator>(const EAC_Time& t1, const EAC_Time& t2)
{
return (t1.cmp(t2) > 0);
}
+
bool operator<(const EAC_Time& t1, const EAC_Time& t2)
{
return (t1.cmp(t2) < 0);
@@ -281,19 +280,6 @@ void EAC_Time::decode_from(BER_Decoder& source)
}
-u32bit EAC_Time::get_year() const
- {
- return year;
- }
-u32bit EAC_Time::get_month() const
- {
- return month;
- }
-u32bit EAC_Time::get_day() const
- {
- return day;
- }
-
/*
* make the value an octet string for encoding
*/
@@ -306,28 +292,4 @@ SecureVector<byte> EAC_Time::encoded_eac_time() const
return result;
}
-ASN1_Ced::ASN1_Ced(std::string const& str)
- : EAC_Time(str, ASN1_Tag(37))
- {}
-
-ASN1_Ced::ASN1_Ced(u64bit val)
- : EAC_Time(val, ASN1_Tag(37))
- {}
-
-ASN1_Ced::ASN1_Ced(EAC_Time const& other)
- : EAC_Time(other.get_year(), other.get_month(), other.get_day(), ASN1_Tag(37))
- {}
-
-ASN1_Cex::ASN1_Cex(std::string const& str)
- : EAC_Time(str, ASN1_Tag(36))
- {}
-
-ASN1_Cex::ASN1_Cex(u64bit val)
- : EAC_Time(val, ASN1_Tag(36))
- {}
-
-ASN1_Cex::ASN1_Cex(EAC_Time const& other)
- : EAC_Time(other.get_year(), other.get_month(), other.get_day(), ASN1_Tag(36))
- {}
-
}
diff --git a/src/cert/cvc/cvc_gen_cert.h b/src/cert/cvc/cvc_gen_cert.h
index 61861df41..7b125c10d 100644
--- a/src/cert/cvc/cvc_gen_cert.h
+++ b/src/cert/cvc/cvc_gen_cert.h
@@ -31,7 +31,7 @@ class EAC1_1_gen_CVC : public EAC1_1_obj<Derived> // CRTP continuation from EAC1
* Get this certificates public key.
* @result this certificates public key
*/
- std::auto_ptr<Public_Key> subject_public_key() const;
+ std::unique_ptr<Public_Key> subject_public_key() const;
/**
* Find out whether this object is self signed.
@@ -121,9 +121,9 @@ MemoryVector<byte> EAC1_1_gen_CVC<Derived>::make_signed(
}
template<typename Derived>
-std::auto_ptr<Public_Key> EAC1_1_gen_CVC<Derived>::subject_public_key() const
+std::unique_ptr<Public_Key> EAC1_1_gen_CVC<Derived>::subject_public_key() const
{
- return std::auto_ptr<Public_Key>(new ECDSA_PublicKey(*m_pk));
+ return std::unique_ptr<Public_Key>(new ECDSA_PublicKey(*m_pk));
}
template<typename Derived> SecureVector<byte> EAC1_1_gen_CVC<Derived>::build_cert_body(MemoryRegion<byte> const& tbs)
diff --git a/src/cert/cvc/cvc_self.cpp b/src/cert/cvc/cvc_self.cpp
index fbd042676..9489ede85 100644
--- a/src/cert/cvc/cvc_self.cpp
+++ b/src/cert/cvc/cvc_self.cpp
@@ -163,11 +163,13 @@ EAC1_1_ADO create_ado_req(Private_Key const& key,
{
throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type");
}
+
std::string padding_and_hash = padding_and_hash_from_oid(req.signature_algorithm().oid);
PK_Signer signer(*priv_key, padding_and_hash);
SecureVector<byte> tbs_bits = req.BER_encode();
tbs_bits.append(DER_Encoder().encode(car).get_contents());
- MemoryVector<byte> signed_cert = EAC1_1_ADO::make_signed(signer, tbs_bits, rng);
+ MemoryVector<byte> signed_cert = EAC1_1_ADO::make_signed(signer,
+ tbs_bits, rng);
DataSource_Memory source(signed_cert);
return EAC1_1_ADO(source);
@@ -190,9 +192,8 @@ EAC1_1_CVC create_cvca(Private_Key const& key,
}
EAC1_1_CVC_Options opts;
opts.car = car;
- const u64bit current_time = system_time();
- opts.ced = ASN1_Ced(current_time);
+ opts.ced = ASN1_Ced(std::chrono::system_clock::now());
opts.cex = ASN1_Cex(opts.ced);
opts.cex.add_months(cvca_validity_months);
opts.holder_auth_templ = (CVCA | (iris * IRIS) | (fingerpr * FINGERPRINT));
@@ -207,12 +208,12 @@ EAC1_1_CVC link_cvca(EAC1_1_CVC const& signer,
EAC1_1_CVC const& signee,
RandomNumberGenerator& rng)
{
- ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key);
+ const ECDSA_PrivateKey* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key);
+
if (priv_key == 0)
- {
- throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type");
- }
- ASN1_Ced ced(system_time());
+ throw Invalid_Argument("link_cvca(): unsupported key type");
+
+ ASN1_Ced ced(std::chrono::system_clock::now());
ASN1_Cex cex(signee.get_cex());
if (*static_cast<EAC_Time*>(&ced) > *static_cast<EAC_Time*>(&cex))
{
@@ -229,7 +230,7 @@ EAC1_1_CVC link_cvca(EAC1_1_CVC const& signer,
AlgorithmIdentifier sig_algo = signer.signature_algorithm();
std::string padding_and_hash = padding_and_hash_from_oid(sig_algo.oid);
PK_Signer pk_signer(*priv_key, padding_and_hash);
- std::auto_ptr<Public_Key> pk = signee.subject_public_key();
+ std::unique_ptr<Public_Key> pk = signee.subject_public_key();
ECDSA_PublicKey* subj_pk = dynamic_cast<ECDSA_PublicKey*>(pk.get());
subj_pk->set_parameter_encoding(EC_DOMPAR_ENC_EXPLICIT);
@@ -259,13 +260,19 @@ EAC1_1_CVC sign_request(EAC1_1_CVC const& signer_cert,
throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type");
}
std::string chr_str = signee.get_chr().value();
- chr_str += to_string(seqnr, seqnr_len);
+
+ std::string seqnr_string = std::to_string(seqnr);
+
+ while(seqnr_string.size() < seqnr_len)
+ seqnr_string = '0' + seqnr_string;
+
+ chr_str += seqnr_string;
ASN1_Chr chr(chr_str);
std::string padding_and_hash = padding_and_hash_from_oid(signee.signature_algorithm().oid);
PK_Signer pk_signer(*priv_key, padding_and_hash);
- std::auto_ptr<Public_Key> pk = signee.subject_public_key();
+ std::unique_ptr<Public_Key> pk = signee.subject_public_key();
ECDSA_PublicKey* subj_pk = dynamic_cast<ECDSA_PublicKey*>(pk.get());
- std::auto_ptr<Public_Key> signer_pk = signer_cert.subject_public_key();
+ std::unique_ptr<Public_Key> signer_pk = signer_cert.subject_public_key();
// for the case that the domain parameters are not set...
// (we use those from the signer because they must fit)
@@ -274,8 +281,9 @@ EAC1_1_CVC sign_request(EAC1_1_CVC const& signer_cert,
subj_pk->set_parameter_encoding(EC_DOMPAR_ENC_IMPLICITCA);
AlgorithmIdentifier sig_algo(signer_cert.signature_algorithm());
- const u64bit current_time = system_time();
- ASN1_Ced ced(current_time);
+
+ ASN1_Ced ced(std::chrono::system_clock::now());
+
u32bit chat_val;
u32bit chat_low = signer_cert.get_chat_value() & 0x3; // take the chat rights from signer
ASN1_Cex cex(ced);
diff --git a/src/cert/cvc/eac_asn_obj.h b/src/cert/cvc/eac_asn_obj.h
index d0bab6fdd..dc4f82578 100644
--- a/src/cert/cvc/eac_asn_obj.h
+++ b/src/cert/cvc/eac_asn_obj.h
@@ -56,7 +56,6 @@ class BOTAN_DLL EAC_Time : public ASN1_Object
* e.g. "2007 08 01"
*/
void set_to(const std::string& str);
- //void set_to(const std::string&, ASN1_Tag);
/**
* Add the specified number of years to this.
@@ -74,24 +73,28 @@ class BOTAN_DLL EAC_Time : public ASN1_Object
* Get the year value of this objects.
* @return year value
*/
- u32bit get_year() const;
+ u32bit get_year() const { return year; }
/**
* Get the month value of this objects.
* @return month value
*/
- u32bit get_month() const;
+ u32bit get_month() const { return month; }
/**
* Get the day value of this objects.
* @return day value
*/
- u32bit get_day() const;
+ u32bit get_day() const { return day; }
- EAC_Time(u64bit, ASN1_Tag t = ASN1_Tag(0));
- //EAC_Time(const std::string& = "");
- EAC_Time(const std::string&, ASN1_Tag = ASN1_Tag(0));
- EAC_Time(u32bit year, u32bit month, u32bit day, ASN1_Tag = ASN1_Tag(0));
+ EAC_Time(const std::chrono::system_clock::time_point& time,
+ ASN1_Tag tag = ASN1_Tag(0));
+
+ EAC_Time(const std::string& yyyy_mm_dd,
+ ASN1_Tag tag = ASN1_Tag(0));
+
+ EAC_Time(u32bit year, u32bit month, u32bit day,
+ ASN1_Tag tag = ASN1_Tag(0));
virtual ~EAC_Time() {}
private:
@@ -113,25 +116,25 @@ class BOTAN_DLL ASN1_Ced : public EAC_Time
* @param str a string in the format "yyyy mm dd",
* e.g. "2007 08 01"
*/
- ASN1_Ced(std::string const& str = "");
+ ASN1_Ced(std::string const& str = "") :
+ EAC_Time(str, ASN1_Tag(37)) {}
/**
- * Construct a CED from a timer value.
- * @param time the number of seconds elapsed midnight, 1st
- * January 1970 GMT (or 7pm, 31st December 1969 EST) up to the
- * desired date
+ * Construct a CED from a time point
*/
- ASN1_Ced(u64bit time);
+ ASN1_Ced(const std::chrono::system_clock::time_point& time) :
+ EAC_Time(time, ASN1_Tag(37)) {}
/**
* Copy constructor (for general EAC_Time objects).
* @param other the object to copy from
*/
- ASN1_Ced(EAC_Time const& other);
- //ASN1_Ced(ASN1_Cex const& cex);
+ ASN1_Ced(EAC_Time const& other) :
+ EAC_Time(other.get_year(), other.get_month(), other.get_day(),
+ ASN1_Tag(37))
+ {}
};
-
/**
* This class represents CVC CEXs. Only limited sanity checks of
* the inputted date value are performed.
@@ -140,27 +143,20 @@ class BOTAN_DLL ASN1_Cex : public EAC_Time
{
public:
/**
- * Construct a CED from a string value.
+ * Construct a CEX from a string value.
* @param str a string in the format "yyyy mm dd",
* e.g. "2007 08 01"
*/
- ASN1_Cex(std::string const& str="");
+ ASN1_Cex(std::string const& str = "") :
+ EAC_Time(str, ASN1_Tag(36)) {}
- /**
- * Construct a CED from a timer value.
- * @param time the number of seconds elapsed
- * midnight, 1st
- * January 1970 GMT (or 7pm, 31st December 1969 EST)
- * up to the desired date
- */
- ASN1_Cex(u64bit time);
+ ASN1_Cex(const std::chrono::system_clock::time_point& time) :
+ EAC_Time(time, ASN1_Tag(36)) {}
- /**
- * Copy constructor (for general EAC_Time objects).
- * @param other the object to copy from
- */
- ASN1_Cex(EAC_Time const& other);
- //ASN1_Cex(ASN1_Ced const& ced);
+ ASN1_Cex(EAC_Time const& other) :
+ EAC_Time(other.get_year(), other.get_month(), other.get_day(),
+ ASN1_Tag(36))
+ {}
};
/**
diff --git a/src/cert/cvc/info.txt b/src/cert/cvc/info.txt
index 0d5687770..91de3bc19 100644
--- a/src/cert/cvc/info.txt
+++ b/src/cert/cvc/info.txt
@@ -1,5 +1,4 @@
define CARD_VERIFIABLE_CERTIFICATES
-
load_on auto
<header:public>
diff --git a/src/cert/x509/crl_ent.cpp b/src/cert/x509/crl_ent.cpp
index 42a742ebb..e7ce1a57a 100644
--- a/src/cert/x509/crl_ent.cpp
+++ b/src/cert/x509/crl_ent.cpp
@@ -11,7 +11,6 @@
#include <botan/ber_dec.h>
#include <botan/bigint.h>
#include <botan/oids.h>
-#include <botan/time.h>
namespace Botan {
@@ -31,7 +30,7 @@ CRL_Entry::CRL_Entry(const X509_Certificate& cert, CRL_Code why) :
throw_on_unknown_critical(false)
{
serial = cert.serial_number();
- time = X509_Time(system_time());
+ time = X509_Time(std::chrono::system_clock::now());
reason = why;
}
diff --git a/src/cert/x509/pkcs10.cpp b/src/cert/x509/pkcs10.cpp
index 81bb58555..e78439757 100644
--- a/src/cert/x509/pkcs10.cpp
+++ b/src/cert/x509/pkcs10.cpp
@@ -45,7 +45,7 @@ void PKCS10_Request::force_decode()
cert_req_info.decode(version);
if(version != 0)
throw Decoding_Error("Unknown version code in PKCS #10 request: " +
- to_string(version));
+ std::to_string(version));
X509_DN dn_subject;
cert_req_info.decode(dn_subject);
diff --git a/src/cert/x509/x509_ca.cpp b/src/cert/x509/x509_ca.cpp
index ea7f3a405..5af824946 100644
--- a/src/cert/x509/x509_ca.cpp
+++ b/src/cert/x509/x509_ca.cpp
@@ -14,10 +14,6 @@
#include <botan/parsing.h>
#include <botan/lookup.h>
#include <botan/oids.h>
-#include <botan/time.h>
-#include <algorithm>
-#include <typeinfo>
-#include <iterator>
#include <memory>
#include <set>
@@ -57,7 +53,7 @@ X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN);
else
{
- std::auto_ptr<Public_Key> key(req.subject_public_key());
+ std::unique_ptr<Public_Key> key(req.subject_public_key());
constraints = X509::find_constraints(*key, req.constraints());
}
@@ -171,8 +167,7 @@ X509_CRL X509_CA::update_crl(const X509_CRL& crl,
for(u32bit j = 0; j != already_revoked.size(); ++j)
{
- std::set<SecureVector<byte> >::const_iterator i;
- i = removed_from_crl.find(already_revoked[j].serial_number());
+ auto i = removed_from_crl.find(already_revoked[j].serial_number());
if(i == removed_from_crl.end())
all_revoked.push_back(already_revoked[j]);
@@ -199,7 +194,8 @@ X509_CRL X509_CA::make_crl(const std::vector<CRL_Entry>& revoked,
next_update = timespec_to_u32bit("7d");
// Totally stupid: ties encoding logic to the return of std::time!!
- const u64bit current_time = system_time();
+ auto current_time = std::chrono::system_clock::now();
+ auto expire_time = current_time + std::chrono::seconds(next_update);
Extensions extensions;
extensions.add(
@@ -212,7 +208,7 @@ X509_CRL X509_CA::make_crl(const std::vector<CRL_Entry>& revoked,
.encode(ca_sig_algo)
.encode(cert.issuer_dn())
.encode(X509_Time(current_time))
- .encode(X509_Time(current_time + next_update))
+ .encode(X509_Time(expire_time))
.encode_if(revoked.size() > 0,
DER_Encoder()
.start_cons(SEQUENCE)
diff --git a/src/cert/x509/x509_ca.h b/src/cert/x509/x509_ca.h
index 97be6a415..7aca26d03 100644
--- a/src/cert/x509/x509_ca.h
+++ b/src/cert/x509/x509_ca.h
@@ -99,11 +99,11 @@ class BOTAN_DLL X509_CA
const Private_Key& key,
const std::string& hash_fn);
+ X509_CA(const X509_CA&) = delete;
+ X509_CA& operator=(const X509_CA&) = delete;
+
~X509_CA();
private:
- X509_CA(const X509_CA&) {}
- X509_CA& operator=(const X509_CA&) { return (*this); }
-
X509_CRL make_crl(const std::vector<CRL_Entry>& entries,
u32bit crl_number, u32bit next_update,
RandomNumberGenerator& rng) const;
diff --git a/src/cert/x509/x509_crl.cpp b/src/cert/x509/x509_crl.cpp
index f6a344dba..3613c1a91 100644
--- a/src/cert/x509/x509_crl.cpp
+++ b/src/cert/x509/x509_crl.cpp
@@ -44,7 +44,7 @@ void X509_CRL::force_decode()
if(version != 0 && version != 1)
throw X509_CRL_Error("Unknown X.509 CRL version " +
- to_string(version+1));
+ std::to_string(version+1));
AlgorithmIdentifier sig_algo_inner;
tbs_crl.decode(sig_algo_inner);
diff --git a/src/cert/x509/x509cert.cpp b/src/cert/x509/x509cert.cpp
index 05f23298b..e3844e8e9 100644
--- a/src/cert/x509/x509cert.cpp
+++ b/src/cert/x509/x509cert.cpp
@@ -27,12 +27,8 @@ std::vector<std::string> lookup_oids(const std::vector<std::string>& in)
{
std::vector<std::string> out;
- std::vector<std::string>::const_iterator i = in.begin();
- while(i != in.end())
- {
+ for(auto i = in.begin(); i != in.end(); ++i)
out.push_back(OIDS::lookup(OID(*i)));
- ++i;
- }
return out;
}
@@ -84,7 +80,7 @@ void X509_Certificate::force_decode()
.decode(dn_subject);
if(version > 2)
- throw Decoding_Error("Unknown X.509 cert version " + to_string(version));
+ throw Decoding_Error("Unknown X.509 cert version " + std::to_string(version));
if(sig_algo != sig_algo_inner)
throw Decoding_Error("Algorithm identifier mismatch");
@@ -304,25 +300,16 @@ bool operator!=(const X509_Certificate& cert1, const X509_Certificate& cert2)
*/
X509_DN create_dn(const Data_Store& info)
{
- class DN_Matcher : public Data_Store::Matcher
+ auto names = info.search_for(
+ [](const std::string& key, const std::string&)
{
- public:
- bool operator()(const std::string& key, const std::string&) const
- {
- if(key.find("X520.") != std::string::npos)
- return true;
- return false;
- }
- };
-
- std::multimap<std::string, std::string> names =
- info.search_with(DN_Matcher());
+ return (key.find("X520.") != std::string::npos);
+ });
X509_DN dn;
- std::multimap<std::string, std::string>::iterator j;
- for(j = names.begin(); j != names.end(); ++j)
- dn.add_attribute(j->first, j->second);
+ for(auto i = names.begin(); i != names.end(); ++i)
+ dn.add_attribute(i->first, i->second);
return dn;
}
@@ -332,33 +319,19 @@ X509_DN create_dn(const Data_Store& info)
*/
AlternativeName create_alt_name(const Data_Store& info)
{
- class AltName_Matcher : public Data_Store::Matcher
+ auto names = info.search_for(
+ [](const std::string& key, const std::string&)
{
- public:
- bool operator()(const std::string& key, const std::string&) const
- {
- for(u32bit j = 0; j != matches.size(); ++j)
- if(key.compare(matches[j]) == 0)
- return true;
- return false;
- }
-
- AltName_Matcher(const std::string& match_any_of)
- {
- matches = split_on(match_any_of, '/');
- }
- private:
- std::vector<std::string> matches;
- };
-
- std::multimap<std::string, std::string> names =
- info.search_with(AltName_Matcher("RFC822/DNS/URI/IP"));
+ return (key == "RFC822" ||
+ key == "DNS" ||
+ key == "URI" ||
+ key == "IP");
+ });
AlternativeName alt_name;
- std::multimap<std::string, std::string>::iterator j;
- for(j = names.begin(); j != names.end(); ++j)
- alt_name.add_attribute(j->first, j->second);
+ for(auto i = names.begin(); i != names.end(); ++i)
+ alt_name.add_attribute(i->first, i->second);
return alt_name;
}
diff --git a/src/cert/x509/x509find.cpp b/src/cert/x509/x509find.cpp
index 257367da9..41643a94a 100644
--- a/src/cert/x509/x509find.cpp
+++ b/src/cert/x509/x509find.cpp
@@ -11,6 +11,8 @@
namespace Botan {
+namespace X509_Store_Search {
+
namespace {
/*
@@ -42,70 +44,65 @@ bool ignore_case(const std::string& searching_for, const std::string& found)
/*
* Search based on the contents of a DN entry
*/
-bool DN_Check::match(const X509_Certificate& cert) const
+std::function<bool (const X509_Certificate&)>
+by_dn(const std::string& dn_entry,
+ const std::string& to_find,
+ DN_Search_Type method)
{
- std::vector<std::string> info = cert.subject_info(dn_entry);
-
- for(u32bit j = 0; j != info.size(); ++j)
- if(compare(info[j], looking_for))
- return true;
- return false;
- }
+ if(method == SUBSTRING_MATCHING)
+ return by_dn(dn_entry, to_find, substring_match);
+ else if(method == IGNORE_CASE)
+ return by_dn(dn_entry, to_find, ignore_case);
-/*
-* DN_Check Constructor
-*/
-DN_Check::DN_Check(const std::string& dn_entry, const std::string& looking_for,
- compare_fn func)
- {
- this->dn_entry = dn_entry;
- this->looking_for = looking_for;
- compare = func;
+ throw Invalid_Argument("Unknown method argument to by_dn");
}
-/*
-* DN_Check Constructor
-*/
-DN_Check::DN_Check(const std::string& dn_entry, const std::string& looking_for,
- Search_Type method)
+std::function<bool (const X509_Certificate&)>
+by_dn(const std::string& dn_entry,
+ const std::string& to_find,
+ std::function<bool (std::string, std::string)> compare)
{
- this->dn_entry = dn_entry;
- this->looking_for = looking_for;
+ return [&](const X509_Certificate& cert)
+ {
+ std::vector<std::string> info = cert.subject_info(dn_entry);
- if(method == SUBSTRING_MATCHING)
- compare = &substring_match;
- else if(method == IGNORE_CASE)
- compare = &ignore_case;
- else
- throw Invalid_Argument("Unknown method argument to DN_Check()");
+ for(u32bit i = 0; i != info.size(); ++i)
+ if(compare(info[i], to_find))
+ return true;
+ return false;
+ };
}
-/*
-* Match by issuer and serial number
-*/
-bool IandS_Match::match(const X509_Certificate& cert) const
+std::function<bool (const X509_Certificate&)>
+by_issuer_and_serial(const X509_DN& issuer, const MemoryRegion<byte>& serial)
{
- if(cert.serial_number() != serial)
- return false;
- return (cert.issuer_dn() == issuer);
+ /* Serial number compare is much faster than X.509 DN, and unlikely
+ to collide even across issuers, so do that first to fail fast
+ */
+
+ return [&](const X509_Certificate& cert)
+ {
+ if(cert.serial_number() != serial)
+ return false;
+ return (cert.issuer_dn() == issuer);
+ };
}
-/*
-* IandS_Match Constructor
-*/
-IandS_Match::IandS_Match(const X509_DN& issuer,
- const MemoryRegion<byte>& serial)
+std::function<bool (const X509_Certificate&)>
+by_issuer_and_serial(const X509_DN& issuer, const BigInt& serial)
{
- this->issuer = issuer;
- this->serial = serial;
+ return by_issuer_and_serial(issuer, BigInt::encode(serial));
}
-/*
-* Match by subject key identifier
-*/
-bool SKID_Match::match(const X509_Certificate& cert) const
+std::function<bool (const X509_Certificate&)>
+by_skid(const MemoryRegion<byte>& subject_key_id)
{
- return (cert.subject_key_id() == skid);
+ return [&](const X509_Certificate& cert)
+ {
+ return (cert.subject_key_id() == subject_key_id);
+ };
}
}
+
+}
diff --git a/src/cert/x509/x509find.h b/src/cert/x509/x509find.h
index 5624b717b..1bf29dfbc 100644
--- a/src/cert/x509/x509find.h
+++ b/src/cert/x509/x509find.h
@@ -9,51 +9,43 @@
#define BOTAN_X509_CERT_STORE_SEARCH_H__
#include <botan/x509stor.h>
+#include <botan/bigint.h>
namespace Botan {
-/**
+namespace X509_Store_Search {
+
+/*
* Search based on the contents of a DN entry
*/
-class BOTAN_DLL DN_Check : public X509_Store::Search_Func
- {
- public:
- typedef bool (*compare_fn)(const std::string&, const std::string&);
- enum Search_Type { SUBSTRING_MATCHING, IGNORE_CASE };
+enum DN_Search_Type { SUBSTRING_MATCHING, IGNORE_CASE };
- bool match(const X509_Certificate& cert) const;
+std::function<bool (const X509_Certificate&)>
+by_dn(const std::string& dn_entry,
+ const std::string& to_find,
+ DN_Search_Type method);
- DN_Check(const std::string&, const std::string&, compare_fn);
- DN_Check(const std::string&, const std::string&, Search_Type);
- private:
- std::string dn_entry, looking_for;
- compare_fn compare;
- };
+std::function<bool (const X509_Certificate&)>
+by_dn(const std::string& dn_entry,
+ const std::string& to_find,
+ std::function<bool (std::string, std::string)> method);
/**
-* Search for a certificate by issuer/serial
+* Search for certs by issuer + serial number
*/
-class BOTAN_DLL IandS_Match : public X509_Store::Search_Func
- {
- public:
- bool match(const X509_Certificate& cert) const;
- IandS_Match(const X509_DN&, const MemoryRegion<byte>&);
- private:
- X509_DN issuer;
- MemoryVector<byte> serial;
- };
+std::function<bool (const X509_Certificate&)>
+by_issuer_and_serial(const X509_DN& issuer, const MemoryRegion<byte>& serial);
+
+std::function<bool (const X509_Certificate&)>
+by_issuer_and_serial(const X509_DN& issuer, const BigInt& serial);
/**
-* Search for a certificate by subject keyid
+* Search for certs by subject key identifier
*/
-class BOTAN_DLL SKID_Match : public X509_Store::Search_Func
- {
- public:
- bool match(const X509_Certificate& cert) const;
- SKID_Match(const MemoryRegion<byte>& s) : skid(s) {}
- private:
- MemoryVector<byte> skid;
- };
+std::function<bool (const X509_Certificate&)>
+by_skid(const MemoryRegion<byte>& subject_key_id);
+
+}
}
diff --git a/src/cert/x509/x509opt.cpp b/src/cert/x509/x509opt.cpp
index 0702ebf19..8d235ad5d 100644
--- a/src/cert/x509/x509opt.cpp
+++ b/src/cert/x509/x509opt.cpp
@@ -8,7 +8,7 @@
#include <botan/x509self.h>
#include <botan/oids.h>
#include <botan/parsing.h>
-#include <botan/time.h>
+#include <chrono>
namespace Botan {
@@ -78,16 +78,16 @@ void X509_Cert_Options::sanity_check() const
* Initialize the certificate options
*/
X509_Cert_Options::X509_Cert_Options(const std::string& initial_opts,
- u32bit expiration_time_in_seconds)
+ u32bit expiration_time)
{
is_CA = false;
path_limit = 0;
constraints = NO_CONSTRAINTS;
- const u64bit now = system_time();
+ auto now = std::chrono::system_clock::now();
start = X509_Time(now);
- end = X509_Time(now + expiration_time_in_seconds);
+ end = X509_Time(now + std::chrono::seconds(expiration_time));
if(initial_opts == "")
return;
diff --git a/src/cert/x509/x509self.cpp b/src/cert/x509/x509self.cpp
index e420ca503..6e570d3b6 100644
--- a/src/cert/x509/x509self.cpp
+++ b/src/cert/x509/x509self.cpp
@@ -54,7 +54,7 @@ X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts,
opts.sanity_check();
MemoryVector<byte> pub_key = X509::BER_encode(key);
- std::auto_ptr<PK_Signer> signer(choose_sig_format(key, hash_fn, sig_algo));
+ std::unique_ptr<PK_Signer> signer(choose_sig_format(key, hash_fn, sig_algo));
load_info(opts, subject_dn, subject_alt);
Key_Constraints constraints;
@@ -100,7 +100,7 @@ PKCS10_Request create_cert_req(const X509_Cert_Options& opts,
opts.sanity_check();
MemoryVector<byte> pub_key = X509::BER_encode(key);
- std::auto_ptr<PK_Signer> signer(choose_sig_format(key, hash_fn, sig_algo));
+ std::unique_ptr<PK_Signer> signer(choose_sig_format(key, hash_fn, sig_algo));
load_info(opts, subject_dn, subject_alt);
const u32bit PKCS10_VERSION = 0;
diff --git a/src/cert/x509/x509stor.cpp b/src/cert/x509/x509stor.cpp
index a24d4a070..6b2c0eee0 100644
--- a/src/cert/x509/x509stor.cpp
+++ b/src/cert/x509/x509stor.cpp
@@ -9,8 +9,8 @@
#include <botan/parsing.h>
#include <botan/pubkey.h>
#include <botan/oids.h>
-#include <botan/time.h>
#include <algorithm>
+#include <chrono>
#include <memory>
namespace Botan {
@@ -21,13 +21,14 @@ namespace {
* Do a validity check
*/
s32bit validity_check(const X509_Time& start, const X509_Time& end,
- u64bit current_time, u32bit slack)
+ const std::chrono::system_clock::time_point& now,
+ std::chrono::seconds slack)
{
const s32bit NOT_YET_VALID = -1, VALID_TIME = 0, EXPIRED = 1;
- if(start.cmp(current_time + slack) > 0)
+ if(start.cmp(now + slack) > 0)
return NOT_YET_VALID;
- if(end.cmp(current_time - slack) < 0)
+ if(end.cmp(now - slack) < 0)
return EXPIRED;
return VALID_TIME;
}
@@ -168,7 +169,8 @@ bool X509_Store::CRL_Data::operator<(const X509_Store::CRL_Data& other) const
/*
* X509_Store Constructor
*/
-X509_Store::X509_Store(u32bit slack, u32bit cache_timeout)
+X509_Store::X509_Store(std::chrono::seconds slack,
+ std::chrono::seconds cache_timeout)
{
revoked_info_valid = true;
@@ -211,10 +213,11 @@ X509_Code X509_Store::validate_cert(const X509_Certificate& cert,
if(chaining_result != VERIFIED)
return chaining_result;
- const u64bit current_time = system_time();
+ auto current_time = std::chrono::system_clock::now();
s32bit time_check = validity_check(cert.start_time(), cert.end_time(),
current_time, time_slack);
+
if(time_check < 0) return CERT_NOT_YET_VALID;
else if(time_check > 0) return CERT_HAS_EXPIRED;
@@ -379,7 +382,7 @@ X509_Code X509_Store::check_sig(const Cert_Info& cert_info,
*/
X509_Code X509_Store::check_sig(const X509_Object& object, Public_Key* key)
{
- std::auto_ptr<Public_Key> pub_key(key);
+ std::unique_ptr<Public_Key> pub_key(key);
try {
std::vector<std::string> sig_info =
@@ -450,12 +453,12 @@ bool X509_Store::is_revoked(const X509_Certificate& cert) const
* Retrieve all the certificates in the store
*/
std::vector<X509_Certificate>
-X509_Store::get_certs(const Search_Func& search) const
+X509_Store::get_certs(std::function<bool (const X509_Certificate&)> pred) const
{
std::vector<X509_Certificate> found_certs;
for(u32bit j = 0; j != certs.size(); ++j)
{
- if(search.match(certs[j].cert))
+ if(pred(certs[j].cert))
found_certs.push_back(certs[j].cert);
}
return found_certs;
@@ -549,8 +552,10 @@ void X509_Store::add_trusted_certs(DataSource& source)
*/
X509_Code X509_Store::add_crl(const X509_CRL& crl)
{
+ auto current_time = std::chrono::system_clock::now();
+
s32bit time_check = validity_check(crl.this_update(), crl.next_update(),
- system_time(), time_slack);
+ current_time, time_slack);
if(time_check < 0) return CRL_NOT_YET_VALID;
else if(time_check > 0) return CRL_HAS_EXPIRED;
@@ -589,8 +594,7 @@ X509_Code X509_Store::add_crl(const X509_CRL& crl)
revoked_info.serial = revoked_certs[j].serial_number();
revoked_info.auth_key_id = crl.authority_key_id();
- std::vector<CRL_Data>::iterator p =
- std::find(revoked.begin(), revoked.end(), revoked_info);
+ auto p = std::find(revoked.begin(), revoked.end(), revoked_info);
if(revoked_certs[j].reason_code() == REMOVE_FROM_CRL)
{
@@ -628,8 +632,8 @@ X509_Store::Cert_Info::Cert_Info(const X509_Certificate& c,
bool t) : cert(c), trusted(t)
{
checked = false;
+ last_checked = std::chrono::system_clock::time_point::min();
result = UNKNOWN_X509_ERROR;
- last_checked = 0;
}
/*
@@ -647,9 +651,9 @@ X509_Code X509_Store::Cert_Info::verify_result() const
*/
void X509_Store::Cert_Info::set_result(X509_Code code) const
{
- result = code;
- last_checked = system_time();
checked = true;
+ last_checked = std::chrono::system_clock::now();
+ result = code;
}
/*
@@ -663,16 +667,16 @@ bool X509_Store::Cert_Info::is_trusted() const
/*
* Check if this certificate has been verified
*/
-bool X509_Store::Cert_Info::is_verified(u32bit timeout) const
+bool X509_Store::Cert_Info::is_verified(std::chrono::seconds timeout) const
{
if(!checked)
return false;
if(result != VERIFIED && result != CERT_NOT_YET_VALID)
return true;
- const u64bit current_time = system_time();
+ auto now = std::chrono::system_clock::now();
- if(current_time > last_checked + timeout)
+ if(now > last_checked + timeout)
checked = false;
return checked;
diff --git a/src/cert/x509/x509stor.h b/src/cert/x509/x509stor.h
index 7c3895635..8f2d5b405 100644
--- a/src/cert/x509/x509stor.h
+++ b/src/cert/x509/x509stor.h
@@ -11,6 +11,7 @@
#include <botan/x509cert.h>
#include <botan/x509_crl.h>
#include <botan/certstor.h>
+#include <functional>
namespace Botan {
@@ -48,16 +49,6 @@ enum X509_Code {
class BOTAN_DLL X509_Store
{
public:
- /**
- * A callback for searching the store
- */
- class BOTAN_DLL Search_Func
- {
- public:
- virtual bool match(const X509_Certificate&) const = 0;
- virtual ~Search_Func() {}
- };
-
enum Cert_Usage {
ANY = 0x00,
TLS_SERVER = 0x01,
@@ -70,7 +61,13 @@ class BOTAN_DLL X509_Store
X509_Code validate_cert(const X509_Certificate&, Cert_Usage = ANY);
- std::vector<X509_Certificate> get_certs(const Search_Func&) const;
+ /**
+ * @param match the matching function
+ * @return list of certs for which match returns true
+ */
+ std::vector<X509_Certificate>
+ get_certs(std::function<bool (const X509_Certificate&)> match) const;
+
std::vector<X509_Certificate> get_cert_chain(const X509_Certificate&);
std::string PEM_encode() const;
@@ -83,14 +80,18 @@ class BOTAN_DLL X509_Store
static X509_Code check_sig(const X509_Object&, Public_Key*);
- X509_Store(u32bit time_slack = 24*60*60,
- u32bit cache_results = 30*60);
+ X509_Store& operator=(const X509_Store&) = delete;
+
+ /**
+ * @param slack the slack in checking validity times against current clock
+ * @param cache how long to cache validation results before rechecking
+ */
+ X509_Store(std::chrono::seconds slack = std::chrono::seconds(24*60*60),
+ std::chrono::seconds cache = std::chrono::seconds(30*60));
X509_Store(const X509_Store&);
~X509_Store();
private:
- X509_Store& operator=(const X509_Store&) { return (*this); }
-
class BOTAN_DLL CRL_Data
{
public:
@@ -104,7 +105,7 @@ class BOTAN_DLL X509_Store
class BOTAN_DLL Cert_Info
{
public:
- bool is_verified(u32bit timeout) const;
+ bool is_verified(std::chrono::seconds cache_timeout) const;
bool is_trusted() const;
X509_Code verify_result() const;
void set_result(X509_Code) const;
@@ -115,7 +116,7 @@ class BOTAN_DLL X509_Store
private:
mutable bool checked;
mutable X509_Code result;
- mutable u64bit last_checked;
+ mutable std::chrono::system_clock::time_point last_checked;
};
u32bit find_cert(const X509_DN&, const MemoryRegion<byte>&) const;
@@ -130,10 +131,12 @@ class BOTAN_DLL X509_Store
bool is_revoked(const X509_Certificate&) const;
static const u32bit NO_CERT_FOUND = 0xFFFFFFFF;
+
std::vector<Cert_Info> certs;
std::vector<CRL_Data> revoked;
std::vector<Certificate_Store*> stores;
- u32bit time_slack, validation_cache_timeout;
+
+ std::chrono::seconds time_slack, validation_cache_timeout;
mutable bool revoked_info_valid;
};