diff options
Diffstat (limited to 'src/lib/cert')
31 files changed, 151 insertions, 2472 deletions
diff --git a/src/lib/cert/cvc/asn1_eac_str.cpp b/src/lib/cert/cvc/asn1_eac_str.cpp deleted file mode 100644 index 72ad24926..000000000 --- a/src/lib/cert/cvc/asn1_eac_str.cpp +++ /dev/null @@ -1,127 +0,0 @@ -/* -* Simple ASN.1 String Types -* (C) 2007 FlexSecure GmbH -* 2008-2011 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include <botan/eac_asn_obj.h> -#include <botan/der_enc.h> -#include <botan/ber_dec.h> -#include <botan/charset.h> -#include <botan/parsing.h> -#include <sstream> -#include <ios> - -namespace Botan { - -/* -* Create an ASN1_EAC_String -*/ -ASN1_EAC_String::ASN1_EAC_String(const std::string& str, ASN1_Tag t) : m_tag(t) - { - m_iso_8859_str = Charset::transcode(str, LOCAL_CHARSET, LATIN1_CHARSET); - - if(!sanity_check()) - throw Invalid_Argument("ASN1_EAC_String contains illegal characters"); - } - -/* -* Return this string in ISO 8859-1 encoding -*/ -std::string ASN1_EAC_String::iso_8859() const - { - return m_iso_8859_str; - } - -/* -* Return this string in local encoding -*/ -std::string ASN1_EAC_String::value() const - { - return Charset::transcode(m_iso_8859_str, LATIN1_CHARSET, LOCAL_CHARSET); - } - -/* -* Return the type of this string object -*/ -ASN1_Tag ASN1_EAC_String::tagging() const - { - return m_tag; - } - -/* -* DER encode an ASN1_EAC_String -*/ -void ASN1_EAC_String::encode_into(DER_Encoder& encoder) const - { - std::string value = iso_8859(); - encoder.add_object(tagging(), APPLICATION, value); - } - -/* -* Decode a BER encoded ASN1_EAC_String -*/ -void ASN1_EAC_String::decode_from(BER_Decoder& source) - { - BER_Object obj = source.get_next_object(); - - if(obj.type_tag != m_tag) - { - std::stringstream ss; - - ss << "ASN1_EAC_String tag mismatch, tag was " - << std::hex << obj.type_tag - << " expected " - << std::hex << m_tag; - - throw Decoding_Error(ss.str()); - } - - Character_Set charset_is; - charset_is = LATIN1_CHARSET; - - try - { - *this = ASN1_EAC_String( - Charset::transcode(ASN1::to_string(obj), LOCAL_CHARSET, charset_is), - obj.type_tag); - } - catch(Invalid_Argument& inv_arg) - { - throw Decoding_Error(std::string("ASN1_EAC_String decoding failed: ") + - inv_arg.what()); - } - } - -// checks for compliance to the alphabet defined in TR-03110 v1.10, 2007-08-20 -// p. 43 -bool ASN1_EAC_String::sanity_check() const - { - const byte* rep = reinterpret_cast<const byte*>(m_iso_8859_str.data()); - const size_t rep_len = m_iso_8859_str.size(); - - for(size_t i = 0; i != rep_len; ++i) - { - if((rep[i] < 0x20) || ((rep[i] >= 0x7F) && (rep[i] < 0xA0))) - return false; - } - - return true; - } - -bool operator==(const ASN1_EAC_String& lhs, const ASN1_EAC_String& rhs) - { - return (lhs.iso_8859() == rhs.iso_8859()); - } - -ASN1_Car::ASN1_Car(std::string const& str) - : ASN1_EAC_String(str, ASN1_Tag(2)) - {} - -ASN1_Chr::ASN1_Chr(std::string const& str) - : ASN1_EAC_String(str, ASN1_Tag(32)) - {} - -} diff --git a/src/lib/cert/cvc/asn1_eac_tm.cpp b/src/lib/cert/cvc/asn1_eac_tm.cpp deleted file mode 100644 index 9c65fcf6a..000000000 --- a/src/lib/cert/cvc/asn1_eac_tm.cpp +++ /dev/null @@ -1,297 +0,0 @@ -/* -* EAC Time Types -* (C) 2007 FlexSecure GmbH -* 2008-2009 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include <botan/eac_asn_obj.h> -#include <botan/der_enc.h> -#include <botan/ber_dec.h> -#include <botan/charset.h> -#include <botan/parsing.h> -#include <botan/internal/rounding.h> -#include <botan/calendar.h> -#include <sstream> -#include <iomanip> - -namespace Botan { - -namespace { - -std::vector<byte> enc_two_digit(u32bit in) - { - std::vector<byte> result; - in %= 100; - if(in < 10) - result.push_back(0x00); - else - { - u32bit y_first_pos = round_down<u32bit>(in, 10) / 10; - result.push_back(static_cast<byte>(y_first_pos)); - } - - u32bit y_sec_pos = in % 10; - result.push_back(static_cast<byte>(y_sec_pos)); - return result; - } - -u32bit dec_two_digit(byte b1, byte b2) - { - u32bit upper = b1; - u32bit lower = b2; - - if(upper > 9 || lower > 9) - throw Invalid_Argument("CVC dec_two_digit value too large"); - - return upper*10 + lower; - } - -} - -/* -* Create an EAC_Time -*/ -EAC_Time::EAC_Time(const std::chrono::system_clock::time_point& time, - ASN1_Tag t) : m_tag(t) - { - calendar_point cal = calendar_value(time); - - m_year = cal.year; - m_month = cal.month; - m_day = cal.day; - } - -/* -* Create an EAC_Time -*/ -EAC_Time::EAC_Time(const std::string& t_spec, ASN1_Tag t) : m_tag(t) - { - set_to(t_spec); - } - -/* -* Create an EAC_Time -*/ -EAC_Time::EAC_Time(u32bit y, u32bit m, u32bit d, ASN1_Tag t) : - m_year(y), m_month(m), m_day(d), m_tag(t) - { - } - -/* -* Set the time with a human readable string -*/ -void EAC_Time::set_to(const std::string& time_str) - { - if(time_str == "") - { - m_year = m_month = m_day = 0; - return; - } - - std::vector<std::string> params; - std::string current; - - for(u32bit j = 0; j != time_str.size(); ++j) - { - if(Charset::is_digit(time_str[j])) - current += time_str[j]; - else - { - if(current != "") - params.push_back(current); - current.clear(); - } - } - if(current != "") - params.push_back(current); - - if(params.size() != 3) - throw Invalid_Argument("Invalid time specification " + time_str); - - m_year = to_u32bit(params[0]); - m_month = to_u32bit(params[1]); - m_day = to_u32bit(params[2]); - - if(!passes_sanity_check()) - throw Invalid_Argument("Invalid time specification " + time_str); - } - - -/* -* DER encode a EAC_Time -*/ -void EAC_Time::encode_into(DER_Encoder& der) const - { - der.add_object(m_tag, APPLICATION, - encoded_eac_time()); - } - -/* -* Return a string representation of the time -*/ -std::string EAC_Time::as_string() const - { - if(time_is_set() == false) - throw Invalid_State("EAC_Time::as_string: No time set"); - - return std::to_string(m_year * 10000 + m_month * 100 + m_day); - } - -/* -* Return if the time has been set somehow -*/ -bool EAC_Time::time_is_set() const - { - return (m_year != 0); - } - -/* -* Return a human readable string representation -*/ -std::string EAC_Time::readable_string() const - { - if(time_is_set() == false) - throw Invalid_State("EAC_Time::readable_string: No time set"); - - // desired format: "%04d/%02d/%02d" - std::stringstream output; - output << std::setfill('0') - << std::setw(4) << m_year << "/" - << std::setw(2) << m_month << "/" - << std::setw(2) << m_day; - return output.str(); - } - -/* -* Do a general sanity check on the time -*/ -bool EAC_Time::passes_sanity_check() const - { - if(m_year < 2000 || m_year > 2099) - return false; - if(m_month == 0 || m_month > 12) - return false; - if(m_day == 0 || m_day > 31) - return false; - - return true; - } - -/* -* modification functions -*/ -void EAC_Time::add_years(u32bit years) - { - m_year += years; - } - -void EAC_Time::add_months(u32bit months) - { - m_year += months/12; - m_month += months % 12; - if(m_month > 12) - { - m_year += 1; - m_month -= 12; - } - } - -/* -* Compare this time against another -*/ -s32bit EAC_Time::cmp(const EAC_Time& other) const - { - if(time_is_set() == false) - throw Invalid_State("EAC_Time::cmp: No time set"); - - const s32bit EARLIER = -1, LATER = 1, SAME_TIME = 0; - - if(m_year < other.m_year) return EARLIER; - if(m_year > other.m_year) return LATER; - if(m_month < other.m_month) return EARLIER; - if(m_month > other.m_month) return LATER; - if(m_day < other.m_day) return EARLIER; - if(m_day > other.m_day) return LATER; - - return SAME_TIME; - } - -/* -* Compare two EAC_Times for in various ways -*/ -bool operator==(const EAC_Time& t1, const EAC_Time& t2) - { - return (t1.cmp(t2) == 0); - } - -bool operator!=(const EAC_Time& t1, const EAC_Time& t2) - { - return (t1.cmp(t2) != 0); - } - -bool operator<=(const EAC_Time& t1, const EAC_Time& t2) - { - return (t1.cmp(t2) <= 0); - } - -bool operator>=(const EAC_Time& t1, const EAC_Time& t2) - { - return (t1.cmp(t2) >= 0); - } - -bool operator>(const EAC_Time& t1, const EAC_Time& t2) - { - return (t1.cmp(t2) > 0); - } - -bool operator<(const EAC_Time& t1, const EAC_Time& t2) - { - return (t1.cmp(t2) < 0); - } - -/* -* Decode a BER encoded EAC_Time -*/ -void EAC_Time::decode_from(BER_Decoder& source) - { - BER_Object obj = source.get_next_object(); - - if(obj.type_tag != m_tag) - throw BER_Decoding_Error("Tag mismatch when decoding"); - - if(obj.value.size() != 6) - { - throw Decoding_Error("EAC_Time decoding failed"); - } - - try - { - u32bit tmp_year = dec_two_digit(obj.value[0], obj.value[1]); - u32bit tmp_mon = dec_two_digit(obj.value[2], obj.value[3]); - u32bit tmp_day = dec_two_digit(obj.value[4], obj.value[5]); - m_year = tmp_year + 2000; - m_month = tmp_mon; - m_day = tmp_day; - } - catch (Invalid_Argument) - { - throw Decoding_Error("EAC_Time decoding failed"); - } - - } - -/* -* make the value an octet string for encoding -*/ -std::vector<byte> EAC_Time::encoded_eac_time() const - { - std::vector<byte> result; - result += enc_two_digit(m_year); - result += enc_two_digit(m_month); - result += enc_two_digit(m_day); - return result; - } - -} diff --git a/src/lib/cert/cvc/cvc_ado.cpp b/src/lib/cert/cvc/cvc_ado.cpp deleted file mode 100644 index f803c6bf3..000000000 --- a/src/lib/cert/cvc/cvc_ado.cpp +++ /dev/null @@ -1,127 +0,0 @@ -/* -* CVC Certificate Constructor -* (C) 2007 FlexSecure GmbH -* 2008 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include <botan/cvc_ado.h> -#include <fstream> - -namespace Botan { - -EAC1_1_ADO::EAC1_1_ADO(DataSource& in) - { - init(in); - do_decode(); - } - -EAC1_1_ADO::EAC1_1_ADO(const std::string& in) - { - DataSource_Stream stream(in, true); - init(stream); - do_decode(); - } - -void EAC1_1_ADO::force_decode() - { - std::vector<byte> inner_cert; - BER_Decoder(m_tbs_bits) - .start_cons(ASN1_Tag(33)) - .raw_bytes(inner_cert) - .end_cons() - .decode(m_car) - .verify_end(); - - std::vector<byte> req_bits = DER_Encoder() - .start_cons(ASN1_Tag(33), APPLICATION) - .raw_bytes(inner_cert) - .end_cons() - .get_contents_unlocked(); - - DataSource_Memory req_source(req_bits); - m_req = EAC1_1_Req(req_source); - m_sig_algo = m_req.m_sig_algo; - } - -std::vector<byte> EAC1_1_ADO::make_signed(PK_Signer& signer, - const std::vector<byte>& tbs_bits, - RandomNumberGenerator& rng) - { - const std::vector<byte> concat_sig = signer.sign_message(tbs_bits, rng); - - return DER_Encoder() - .start_cons(ASN1_Tag(7), APPLICATION) - .raw_bytes(tbs_bits) - .encode(concat_sig, OCTET_STRING, ASN1_Tag(55), APPLICATION) - .end_cons() - .get_contents_unlocked(); - } - -ASN1_Car EAC1_1_ADO::get_car() const - { - return m_car; - } - -void EAC1_1_ADO::decode_info(DataSource& source, - std::vector<byte> & res_tbs_bits, - ECDSA_Signature & res_sig) - { - std::vector<byte> concat_sig; - std::vector<byte> cert_inner_bits; - ASN1_Car car; - - BER_Decoder(source) - .start_cons(ASN1_Tag(7)) - .start_cons(ASN1_Tag(33)) - .raw_bytes(cert_inner_bits) - .end_cons() - .decode(car) - .decode(concat_sig, OCTET_STRING, ASN1_Tag(55), APPLICATION) - .end_cons(); - - std::vector<byte> enc_cert = DER_Encoder() - .start_cons(ASN1_Tag(33), APPLICATION) - .raw_bytes(cert_inner_bits) - .end_cons() - .get_contents_unlocked(); - - res_tbs_bits = enc_cert; - res_tbs_bits += DER_Encoder().encode(car).get_contents(); - res_sig = decode_concatenation(concat_sig); - } - -void EAC1_1_ADO::encode(Pipe& out, X509_Encoding encoding) const - { - if(encoding == PEM) - throw Invalid_Argument("EAC1_1_ADO::encode() cannot PEM encode an EAC object"); - - auto concat_sig = EAC1_1_obj<EAC1_1_ADO>::m_sig.get_concatenation(); - - out.write(DER_Encoder() - .start_cons(ASN1_Tag(7), APPLICATION) - .raw_bytes(m_tbs_bits) - .encode(concat_sig, OCTET_STRING, ASN1_Tag(55), APPLICATION) - .end_cons() - .get_contents()); - } - -std::vector<byte> EAC1_1_ADO::tbs_data() const - { - return m_tbs_bits; - } - -bool EAC1_1_ADO::operator==(EAC1_1_ADO const& rhs) const - { - return (this->get_concat_sig() == rhs.get_concat_sig() - && this->tbs_data() == rhs.tbs_data() - && this->get_car() == rhs.get_car()); - } - -EAC1_1_Req EAC1_1_ADO::get_request() const - { - return m_req; - } - -} diff --git a/src/lib/cert/cvc/cvc_ado.h b/src/lib/cert/cvc/cvc_ado.h deleted file mode 100644 index 4b861ec81..000000000 --- a/src/lib/cert/cvc/cvc_ado.h +++ /dev/null @@ -1,98 +0,0 @@ -/* -* EAC1_1 CVC ADO -* (C) 2008 Falko Strenzke -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#ifndef BOTAN_EAC_CVC_ADO_H__ -#define BOTAN_EAC_CVC_ADO_H__ - -#include <botan/eac_obj.h> -#include <botan/eac_asn_obj.h> -#include <botan/cvc_req.h> -#include <string> - -namespace Botan { - -/** -* This class represents a TR03110 (EAC) v1.1 CVC ADO request -*/ - - // CRTP continuation from EAC1_1_obj -class BOTAN_DLL EAC1_1_ADO : public EAC1_1_obj<EAC1_1_ADO> - { - public: - friend class EAC1_1_obj<EAC1_1_ADO>; - - /** - * Construct a CVC ADO request from a DER encoded CVC ADO request file. - * @param str the path to the DER encoded file - */ - EAC1_1_ADO(const std::string& str); - - /** - * Construct a CVC ADO request from a data source - * @param source the data source - */ - EAC1_1_ADO(DataSource& source); - - /** - * Create a signed CVC ADO request from to be signed (TBS) data - * @param signer the signer used to sign the CVC ADO request - * @param tbs_bits the TBS data to sign - * @param rng a random number generator - */ - static std::vector<byte> make_signed( - PK_Signer& signer, - const std::vector<byte>& tbs_bits, - RandomNumberGenerator& rng); - - /** - * Get the CAR of this CVC ADO request - * @result the CAR of this CVC ADO request - */ - ASN1_Car get_car() const; - - /** - * Get the CVC request contained in this object. - * @result the CVC request inside this CVC ADO request - */ - EAC1_1_Req get_request() const; - - /** - * Encode this object into a pipe. Only DER is supported. - * @param out the pipe to encode this object into - * @param encoding the encoding type to use, must be DER - */ - void encode(Pipe& out, X509_Encoding encoding) const; - - bool operator==(EAC1_1_ADO const& rhs) const; - - /** - * Get the TBS data of this CVC ADO request. - * @result the TBS data - */ - std::vector<byte> tbs_data() const; - - virtual ~EAC1_1_ADO() {} - private: - ASN1_Car m_car; - EAC1_1_Req m_req; - - void force_decode(); - static void decode_info(DataSource& source, - std::vector<byte> & res_tbs_bits, - ECDSA_Signature & res_sig); - }; - -inline bool operator!=(EAC1_1_ADO const& lhs, EAC1_1_ADO const& rhs) - { - return (!(lhs == rhs)); - } - -} - -#endif - - diff --git a/src/lib/cert/cvc/cvc_cert.cpp b/src/lib/cert/cvc/cvc_cert.cpp deleted file mode 100644 index 280a8acda..000000000 --- a/src/lib/cert/cvc/cvc_cert.cpp +++ /dev/null @@ -1,135 +0,0 @@ -/* -* (C) 2007 FlexSecure GmbH -* 2008-2010 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include <botan/cvc_cert.h> -#include <botan/oids.h> - -namespace Botan { - -ASN1_Car EAC1_1_CVC::get_car() const - { - return m_car; - } - -ASN1_Ced EAC1_1_CVC::get_ced() const - { - return m_ced; - } -ASN1_Cex EAC1_1_CVC::get_cex() const - { - return m_cex; - } -u32bit EAC1_1_CVC::get_chat_value() const - { - return m_chat_val; - } - -/* -* Decode the TBSCertificate data -*/ -void EAC1_1_CVC::force_decode() - { - std::vector<byte> enc_pk; - std::vector<byte> enc_chat_val; - size_t cpi; - BER_Decoder tbs_cert(m_tbs_bits); - tbs_cert.decode(cpi, ASN1_Tag(41), APPLICATION) - .decode(m_car) - .start_cons(ASN1_Tag(73)) - .raw_bytes(enc_pk) - .end_cons() - .decode(m_chr) - .start_cons(ASN1_Tag(76)) - .decode(m_chat_oid) - .decode(enc_chat_val, OCTET_STRING, ASN1_Tag(19), APPLICATION) - .end_cons() - .decode(m_ced) - .decode(m_cex) - .verify_end(); - - if(enc_chat_val.size() != 1) - throw Decoding_Error("CertificateHolderAuthorizationValue was not of length 1"); - - if(cpi != 0) - throw Decoding_Error("EAC1_1 certificate's cpi was not 0"); - - m_pk = decode_eac1_1_key(enc_pk, m_sig_algo); - - m_chat_val = enc_chat_val[0]; - - m_self_signed = (m_car.iso_8859() == m_chr.iso_8859()); - } - -/* -* CVC Certificate Constructor -*/ -EAC1_1_CVC::EAC1_1_CVC(DataSource& in) - { - init(in); - m_self_signed = false; - do_decode(); - } - -EAC1_1_CVC::EAC1_1_CVC(const std::string& in) - { - DataSource_Stream stream(in, true); - init(stream); - m_self_signed = false; - do_decode(); - } - -bool EAC1_1_CVC::operator==(EAC1_1_CVC const& rhs) const - { - return (tbs_data() == rhs.tbs_data() - && get_concat_sig() == rhs.get_concat_sig()); - } - -ECDSA_PublicKey* decode_eac1_1_key(const std::vector<byte>&, - AlgorithmIdentifier&) - { - throw Internal_Error("decode_eac1_1_key: Unimplemented"); - return 0; - } - -EAC1_1_CVC make_cvc_cert(PK_Signer& signer, - const std::vector<byte>& public_key, - ASN1_Car const& car, - ASN1_Chr const& chr, - byte holder_auth_templ, - ASN1_Ced ced, - ASN1_Cex cex, - RandomNumberGenerator& rng) - { - OID chat_oid(OIDS::lookup("CertificateHolderAuthorizationTemplate")); - std::vector<byte> enc_chat_val; - enc_chat_val.push_back(holder_auth_templ); - - std::vector<byte> enc_cpi; - enc_cpi.push_back(0x00); - std::vector<byte> tbs = DER_Encoder() - .encode(enc_cpi, OCTET_STRING, ASN1_Tag(41), APPLICATION) // cpi - .encode(car) - .raw_bytes(public_key) - .encode(chr) - .start_cons(ASN1_Tag(76), APPLICATION) - .encode(chat_oid) - .encode(enc_chat_val, OCTET_STRING, ASN1_Tag(19), APPLICATION) - .end_cons() - .encode(ced) - .encode(cex) - .get_contents_unlocked(); - - std::vector<byte> signed_cert = - EAC1_1_CVC::make_signed(signer, - EAC1_1_CVC::build_cert_body(tbs), - rng); - - DataSource_Memory source(signed_cert); - return EAC1_1_CVC(source); - } - -} diff --git a/src/lib/cert/cvc/cvc_cert.h b/src/lib/cert/cvc/cvc_cert.h deleted file mode 100644 index a45388550..000000000 --- a/src/lib/cert/cvc/cvc_cert.h +++ /dev/null @@ -1,116 +0,0 @@ -/* -* EAC1_1 CVC -* (C) 2008 Falko Strenzke -* 2008 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#ifndef BOTAN_CVC_EAC_H__ -#define BOTAN_CVC_EAC_H__ - -#include <botan/cvc_gen_cert.h> -#include <botan/ecdsa.h> -#include <string> - -namespace Botan { - -/** -* This class represents TR03110 (EAC) v1.1 CV Certificates -*/ -class BOTAN_DLL EAC1_1_CVC : public EAC1_1_gen_CVC<EAC1_1_CVC>//Signed_Object - { - public: - friend class EAC1_1_obj<EAC1_1_CVC>; - - /** - * Get the CAR of the certificate. - * @result the CAR of the certificate - */ - ASN1_Car get_car() const; - - /** - * Get the CED of this certificate. - * @result the CED this certificate - */ - ASN1_Ced get_ced() const; - - /** - * Get the CEX of this certificate. - * @result the CEX this certificate - */ - ASN1_Cex get_cex() const; - - /** - * Get the CHAT value. - * @result the CHAT value - */ - u32bit get_chat_value() const; - - bool operator==(const EAC1_1_CVC&) const; - - /** - * Construct a CVC from a data source - * @param source the data source - */ - EAC1_1_CVC(DataSource& source); - - /** - * Construct a CVC from a file - * @param str the path to the certificate file - */ - EAC1_1_CVC(const std::string& str); - - virtual ~EAC1_1_CVC() {} - private: - void force_decode(); - EAC1_1_CVC() {} - - ASN1_Car m_car; - ASN1_Ced m_ced; - ASN1_Cex m_cex; - byte m_chat_val; - OID m_chat_oid; - }; - -/* -* Comparison -*/ -inline bool operator!=(EAC1_1_CVC const& lhs, EAC1_1_CVC const& rhs) - { - return !(lhs == rhs); - } - -/** -* Create an arbitrary EAC 1.1 CVC. -* The desired key encoding must be set within the key (if applicable). -* @param signer the signer used to sign the certificate -* @param public_key the DER encoded public key to appear in -* the certificate -* @param car the CAR of the certificate -* @param chr the CHR of the certificate -* @param holder_auth_templ the holder authorization value byte to -* appear in the CHAT of the certificate -* @param ced the CED to appear in the certificate -* @param cex the CEX to appear in the certificate -* @param rng a random number generator -*/ -EAC1_1_CVC BOTAN_DLL make_cvc_cert(PK_Signer& signer, - const std::vector<byte>& public_key, - ASN1_Car const& car, - ASN1_Chr const& chr, - byte holder_auth_templ, - ASN1_Ced ced, - ASN1_Cex cex, - RandomNumberGenerator& rng); - -/** -* Decode an EAC encoding ECDSA key -*/ -BOTAN_DLL ECDSA_PublicKey* decode_eac1_1_key(const std::vector<byte>& enc_key, - AlgorithmIdentifier& sig_algo); - -} - -#endif - diff --git a/src/lib/cert/cvc/cvc_gen_cert.h b/src/lib/cert/cvc/cvc_gen_cert.h deleted file mode 100644 index 2c3bca73d..000000000 --- a/src/lib/cert/cvc/cvc_gen_cert.h +++ /dev/null @@ -1,180 +0,0 @@ -/* -* EAC1_1 general CVC -* (C) 2008 Falko Strenzke -* 2008-2010 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#ifndef BOTAN_EAC_CVC_GEN_CERT_H__ -#define BOTAN_EAC_CVC_GEN_CERT_H__ - -#include <botan/eac_obj.h> -#include <botan/eac_asn_obj.h> -#include <botan/ecdsa.h> -#include <botan/pubkey.h> - -namespace Botan { - -/** -* This class represents TR03110 (EAC) v1.1 generalized CV Certificates -*/ -template<typename Derived> -class EAC1_1_gen_CVC : public EAC1_1_obj<Derived> // CRTP continuation from EAC1_1_obj - { - friend class EAC1_1_obj<EAC1_1_gen_CVC>; - - public: - - /** - * Get this certificates public key. - * @result this certificates public key - */ - Public_Key* subject_public_key() const; - - /** - * Find out whether this object is self signed. - * @result true if this object is self signed - */ - bool is_self_signed() const; - - /** - * Get the CHR of the certificate. - * @result the CHR of the certificate - */ - ASN1_Chr get_chr() const; - - /** - * Put the DER encoded version of this object into a pipe. PEM - * is not supported. - * @param out the pipe to push the DER encoded version into - * @param encoding the encoding to use. Must be DER. - */ - void encode(Pipe& out, X509_Encoding encoding) const; - - /** - * Get the to-be-signed (TBS) data of this object. - * @result the TBS data of this object - */ - std::vector<byte> tbs_data() const; - - /** - * Build the DER encoded certifcate body of an object - * @param tbs the data to be signed - * @result the correctly encoded body of the object - */ - static std::vector<byte> build_cert_body(const std::vector<byte>& tbs); - - /** - * Create a signed generalized CVC object. - * @param signer the signer used to sign this object - * @param tbs_bits the body the generalized CVC object to be signed - * @param rng a random number generator - * @result the DER encoded signed generalized CVC object - */ - static std::vector<byte> make_signed( - PK_Signer& signer, - const std::vector<byte>& tbs_bits, - RandomNumberGenerator& rng); - - EAC1_1_gen_CVC() { m_pk = nullptr; } - - virtual ~EAC1_1_gen_CVC<Derived>() - { delete m_pk; } - - protected: - ECDSA_PublicKey* m_pk; - ASN1_Chr m_chr; - bool m_self_signed; - - static void decode_info(DataSource& source, - std::vector<byte> & res_tbs_bits, - ECDSA_Signature & res_sig); - - }; - -template<typename Derived> ASN1_Chr EAC1_1_gen_CVC<Derived>::get_chr() const - { - return m_chr; - } - -template<typename Derived> bool EAC1_1_gen_CVC<Derived>::is_self_signed() const - { - return m_self_signed; - } - -template<typename Derived> -std::vector<byte> EAC1_1_gen_CVC<Derived>::make_signed( - PK_Signer& signer, - const std::vector<byte>& tbs_bits, - RandomNumberGenerator& rng) // static - { - const auto concat_sig = signer.sign_message(tbs_bits, rng); - - return DER_Encoder() - .start_cons(ASN1_Tag(33), APPLICATION) - .raw_bytes(tbs_bits) - .encode(concat_sig, OCTET_STRING, ASN1_Tag(55), APPLICATION) - .end_cons() - .get_contents_unlocked(); - } - -template<typename Derived> -Public_Key* EAC1_1_gen_CVC<Derived>::subject_public_key() const - { - return new ECDSA_PublicKey(*m_pk); - } - -template<typename Derived> std::vector<byte> EAC1_1_gen_CVC<Derived>::build_cert_body(const std::vector<byte>& tbs) - { - return DER_Encoder() - .start_cons(ASN1_Tag(78), APPLICATION) - .raw_bytes(tbs) - .end_cons().get_contents_unlocked(); - } - -template<typename Derived> std::vector<byte> EAC1_1_gen_CVC<Derived>::tbs_data() const - { - return build_cert_body(EAC1_1_obj<Derived>::m_tbs_bits); - } - -template<typename Derived> void EAC1_1_gen_CVC<Derived>::encode(Pipe& out, X509_Encoding encoding) const - { - std::vector<byte> concat_sig(EAC1_1_obj<Derived>::m_sig.get_concatenation()); - std::vector<byte> der = DER_Encoder() - .start_cons(ASN1_Tag(33), APPLICATION) - .start_cons(ASN1_Tag(78), APPLICATION) - .raw_bytes(EAC1_1_obj<Derived>::m_tbs_bits) - .end_cons() - .encode(concat_sig, OCTET_STRING, ASN1_Tag(55), APPLICATION) - .end_cons() - .get_contents_unlocked(); - - if (encoding == PEM) - throw Invalid_Argument("EAC1_1_gen_CVC::encode() cannot PEM encode an EAC object"); - else - out.write(der); - } - -template<typename Derived> -void EAC1_1_gen_CVC<Derived>::decode_info( - DataSource& source, - std::vector<byte> & res_tbs_bits, - ECDSA_Signature & res_sig) - { - std::vector<byte> concat_sig; - BER_Decoder(source) - .start_cons(ASN1_Tag(33)) - .start_cons(ASN1_Tag(78)) - .raw_bytes(res_tbs_bits) - .end_cons() - .decode(concat_sig, OCTET_STRING, ASN1_Tag(55), APPLICATION) - .end_cons(); - res_sig = decode_concatenation(concat_sig); - } - -} - -#endif - - diff --git a/src/lib/cert/cvc/cvc_req.cpp b/src/lib/cert/cvc/cvc_req.cpp deleted file mode 100644 index 1cb6b50ac..000000000 --- a/src/lib/cert/cvc/cvc_req.cpp +++ /dev/null @@ -1,53 +0,0 @@ -/* -* (C) 2007 FlexSecure GmbH -* 2008-2010 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include <botan/cvc_req.h> -#include <botan/cvc_cert.h> -#include <botan/ber_dec.h> - -namespace Botan { - -bool EAC1_1_Req::operator==(EAC1_1_Req const& rhs) const - { - return (this->tbs_data() == rhs.tbs_data() && - this->get_concat_sig() == rhs.get_concat_sig()); - } - -void EAC1_1_Req::force_decode() - { - std::vector<byte> enc_pk; - BER_Decoder tbs_cert(m_tbs_bits); - size_t cpi; - tbs_cert.decode(cpi, ASN1_Tag(41), APPLICATION) - .start_cons(ASN1_Tag(73)) - .raw_bytes(enc_pk) - .end_cons() - .decode(m_chr) - .verify_end(); - - if(cpi != 0) - throw Decoding_Error("EAC1_1 requests cpi was not 0"); - - m_pk = decode_eac1_1_key(enc_pk, m_sig_algo); - } - -EAC1_1_Req::EAC1_1_Req(DataSource& in) - { - init(in); - m_self_signed = true; - do_decode(); - } - -EAC1_1_Req::EAC1_1_Req(const std::string& in) - { - DataSource_Stream stream(in, true); - init(stream); - m_self_signed = true; - do_decode(); - } - -} diff --git a/src/lib/cert/cvc/cvc_req.h b/src/lib/cert/cvc/cvc_req.h deleted file mode 100644 index b71a8e764..000000000 --- a/src/lib/cert/cvc/cvc_req.h +++ /dev/null @@ -1,59 +0,0 @@ -/* -* EAC1_1 CVC Request -* (C) 2008 Falko Strenzke -* 2010 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#ifndef BOTAN_EAC_CVC_REQ_H__ -#define BOTAN_EAC_CVC_REQ_H__ - -#include <botan/cvc_gen_cert.h> - -namespace Botan { - -/** -* This class represents TR03110 v1.1 EAC CV Certificate Requests. -*/ -class BOTAN_DLL EAC1_1_Req : public EAC1_1_gen_CVC<EAC1_1_Req> - { - public: - friend class EAC1_1_ADO; - friend class EAC1_1_obj<EAC1_1_Req>; - - /** - * Compare for equality with other - * @param other compare for equality with this object - */ - bool operator==(const EAC1_1_Req& other) const; - - /** - * Construct a CVC request from a data source. - * @param source the data source - */ - EAC1_1_Req(DataSource& source); - - /** - * Construct a CVC request from a DER encoded CVC request file. - * @param str the path to the DER encoded file - */ - EAC1_1_Req(const std::string& str); - - virtual ~EAC1_1_Req(){} - private: - void force_decode(); - EAC1_1_Req() {} - }; - -/* -* Comparison Operator -*/ -inline bool operator!=(EAC1_1_Req const& lhs, EAC1_1_Req const& rhs) - { - return !(lhs == rhs); - } - -} - -#endif diff --git a/src/lib/cert/cvc/cvc_self.cpp b/src/lib/cert/cvc/cvc_self.cpp deleted file mode 100644 index fdc66bbfd..000000000 --- a/src/lib/cert/cvc/cvc_self.cpp +++ /dev/null @@ -1,339 +0,0 @@ -/* -* (C) 2007 FlexSecure GmbH -* 2008-2010 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include <botan/cvc_self.h> -#include <botan/ecc_key.h> -#include <botan/point_gfp.h> -#include <botan/oids.h> -#include <sstream> - -namespace Botan { - -namespace { - -/* -* cvc CHAT values -*/ -enum CHAT_values{ - CVCA = 0xC0, - DVCA_domestic = 0x80, - DVCA_foreign = 0x40, - IS = 0x00, - - IRIS = 0x02, - FINGERPRINT = 0x01 -}; - -void encode_eac_bigint(DER_Encoder& der, const BigInt& x, ASN1_Tag tag) - { - der.encode(BigInt::encode_1363(x, x.bytes()), OCTET_STRING, tag); - } - -std::vector<byte> eac_1_1_encoding(const EC_PublicKey* key, - const OID& sig_algo) - { - if(key->domain_format() == EC_DOMPAR_ENC_OID) - throw Encoding_Error("CVC encoder: cannot encode parameters by OID"); - - const EC_Group& domain = key->domain(); - - // This is why we can't have nice things - - DER_Encoder enc; - enc.start_cons(ASN1_Tag(73), APPLICATION) - .encode(sig_algo); - - if(key->domain_format() == EC_DOMPAR_ENC_EXPLICIT) - { - encode_eac_bigint(enc, domain.get_curve().get_p(), ASN1_Tag(1)); - encode_eac_bigint(enc, domain.get_curve().get_a(), ASN1_Tag(2)); - encode_eac_bigint(enc, domain.get_curve().get_b(), ASN1_Tag(3)); - - enc.encode(EC2OSP(domain.get_base_point(), PointGFp::UNCOMPRESSED), - OCTET_STRING, ASN1_Tag(4)); - - encode_eac_bigint(enc, domain.get_order(), ASN1_Tag(4)); - } - - enc.encode(EC2OSP(key->public_point(), PointGFp::UNCOMPRESSED), - OCTET_STRING, ASN1_Tag(6)); - - if(key->domain_format() == EC_DOMPAR_ENC_EXPLICIT) - encode_eac_bigint(enc, domain.get_cofactor(), ASN1_Tag(7)); - - enc.end_cons(); - - return enc.get_contents_unlocked(); - } - -std::string padding_and_hash_from_oid(OID const& oid) - { - std::string padding_and_hash = OIDS::lookup(oid); // use the hash - - if(padding_and_hash.substr(0,6) != "ECDSA/") - throw Invalid_State("CVC: Can only use ECDSA, not " + padding_and_hash); - - padding_and_hash.erase(0, padding_and_hash.find("/") + 1); - return padding_and_hash; - } - -} - -namespace CVC_EAC { - -EAC1_1_CVC create_self_signed_cert(Private_Key const& key, - EAC1_1_CVC_Options const& opt, - RandomNumberGenerator& rng) - { - // NOTE: we ignore the value of opt.chr - - const ECDSA_PrivateKey* priv_key = dynamic_cast<const ECDSA_PrivateKey*>(&key); - - if(priv_key == 0) - throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type"); - - ASN1_Chr chr(opt.car.value()); - - AlgorithmIdentifier sig_algo; - std::string padding_and_hash("EMSA1_BSI(" + opt.hash_alg + ")"); - sig_algo.oid = OIDS::lookup(priv_key->algo_name() + "/" + padding_and_hash); - sig_algo = AlgorithmIdentifier(sig_algo.oid, AlgorithmIdentifier::USE_NULL_PARAM); - - PK_Signer signer(*priv_key, padding_and_hash); - - std::vector<byte> enc_public_key = eac_1_1_encoding(priv_key, sig_algo.oid); - - return make_cvc_cert(signer, - enc_public_key, - opt.car, chr, - opt.holder_auth_templ, - opt.ced, opt.cex, rng); - } - -EAC1_1_Req create_cvc_req(Private_Key const& key, - ASN1_Chr const& chr, - std::string const& hash_alg, - RandomNumberGenerator& rng) - { - - ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key); - if (priv_key == 0) - { - throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type"); - } - AlgorithmIdentifier sig_algo; - std::string padding_and_hash("EMSA1_BSI(" + hash_alg + ")"); - sig_algo.oid = OIDS::lookup(priv_key->algo_name() + "/" + padding_and_hash); - sig_algo = AlgorithmIdentifier(sig_algo.oid, AlgorithmIdentifier::USE_NULL_PARAM); - - PK_Signer signer(*priv_key, padding_and_hash); - - std::vector<byte> enc_public_key = eac_1_1_encoding(priv_key, sig_algo.oid); - - std::vector<byte> enc_cpi; - enc_cpi.push_back(0x00); - std::vector<byte> tbs = DER_Encoder() - .encode(enc_cpi, OCTET_STRING, ASN1_Tag(41), APPLICATION) - .raw_bytes(enc_public_key) - .encode(chr) - .get_contents_unlocked(); - - std::vector<byte> signed_cert = - EAC1_1_gen_CVC<EAC1_1_Req>::make_signed(signer, - EAC1_1_gen_CVC<EAC1_1_Req>::build_cert_body(tbs), - rng); - - DataSource_Memory source(signed_cert); - return EAC1_1_Req(source); - } - -EAC1_1_ADO create_ado_req(Private_Key const& key, - EAC1_1_Req const& req, - ASN1_Car const& car, - RandomNumberGenerator& rng) - { - - ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key); - if (priv_key == 0) - { - throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type"); - } - - std::string padding_and_hash = padding_and_hash_from_oid(req.signature_algorithm().oid); - PK_Signer signer(*priv_key, padding_and_hash); - std::vector<byte> tbs_bits = req.BER_encode(); - tbs_bits += DER_Encoder().encode(car).get_contents(); - - std::vector<byte> signed_cert = - EAC1_1_ADO::make_signed(signer, tbs_bits, rng); - - DataSource_Memory source(signed_cert); - return EAC1_1_ADO(source); - } - -} // namespace CVC_EAC -namespace DE_EAC -{ - -EAC1_1_CVC create_cvca(Private_Key const& key, - std::string const& hash, - ASN1_Car const& car, bool iris, bool fingerpr, - u32bit cvca_validity_months, - RandomNumberGenerator& rng) - { - ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key); - if (priv_key == 0) - { - throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type"); - } - EAC1_1_CVC_Options opts; - opts.car = car; - - opts.ced = ASN1_Ced(std::chrono::system_clock::now()); - opts.cex = ASN1_Cex(opts.ced); - opts.cex.add_months(cvca_validity_months); - opts.holder_auth_templ = (CVCA | (iris * IRIS) | (fingerpr * FINGERPRINT)); - opts.hash_alg = hash; - return CVC_EAC::create_self_signed_cert(*priv_key, opts, rng); - } - - - -EAC1_1_CVC link_cvca(EAC1_1_CVC const& signer, - Private_Key const& key, - EAC1_1_CVC const& signee, - RandomNumberGenerator& rng) - { - const ECDSA_PrivateKey* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key); - - if (priv_key == 0) - throw Invalid_Argument("link_cvca(): unsupported key type"); - - ASN1_Ced ced(std::chrono::system_clock::now()); - ASN1_Cex cex(signee.get_cex()); - if (*static_cast<EAC_Time*>(&ced) > *static_cast<EAC_Time*>(&cex)) - { - std::string detail("link_cvca(): validity periods of provided certificates don't overlap: currend time = ced = "); - detail += ced.as_string(); - detail += ", signee.cex = "; - detail += cex.as_string(); - throw Invalid_Argument(detail); - } - if (signer.signature_algorithm() != signee.signature_algorithm()) - { - throw Invalid_Argument("link_cvca(): signature algorithms of signer and signee don't match"); - } - AlgorithmIdentifier sig_algo = signer.signature_algorithm(); - std::string padding_and_hash = padding_and_hash_from_oid(sig_algo.oid); - PK_Signer pk_signer(*priv_key, padding_and_hash); - std::unique_ptr<Public_Key> pk(signee.subject_public_key()); - ECDSA_PublicKey* subj_pk = dynamic_cast<ECDSA_PublicKey*>(pk.get()); - subj_pk->set_parameter_encoding(EC_DOMPAR_ENC_EXPLICIT); - - std::vector<byte> enc_public_key = eac_1_1_encoding(priv_key, sig_algo.oid); - - return make_cvc_cert(pk_signer, enc_public_key, - signer.get_car(), - signee.get_chr(), - signer.get_chat_value(), - ced, cex, - rng); - } - -EAC1_1_CVC sign_request(EAC1_1_CVC const& signer_cert, - Private_Key const& key, - EAC1_1_Req const& signee, - u32bit seqnr, - u32bit seqnr_len, - bool domestic, - u32bit dvca_validity_months, - u32bit ca_is_validity_months, - RandomNumberGenerator& rng) - { - ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key); - if (priv_key == 0) - { - throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type"); - } - std::string chr_str = signee.get_chr().value(); - - std::string seqnr_string = std::to_string(seqnr); - - while(seqnr_string.size() < seqnr_len) - seqnr_string = '0' + seqnr_string; - - chr_str += seqnr_string; - ASN1_Chr chr(chr_str); - std::string padding_and_hash = padding_and_hash_from_oid(signee.signature_algorithm().oid); - PK_Signer pk_signer(*priv_key, padding_and_hash); - std::unique_ptr<Public_Key> pk(signee.subject_public_key()); - ECDSA_PublicKey* subj_pk = dynamic_cast<ECDSA_PublicKey*>(pk.get()); - std::unique_ptr<Public_Key> signer_pk(signer_cert.subject_public_key()); - - // for the case that the domain parameters are not set... - // (we use those from the signer because they must fit) - //subj_pk->set_domain_parameters(priv_key->domain_parameters()); - - subj_pk->set_parameter_encoding(EC_DOMPAR_ENC_IMPLICITCA); - - AlgorithmIdentifier sig_algo(signer_cert.signature_algorithm()); - - ASN1_Ced ced(std::chrono::system_clock::now()); - - u32bit chat_val; - u32bit chat_low = signer_cert.get_chat_value() & 0x3; // take the chat rights from signer - ASN1_Cex cex(ced); - if ((signer_cert.get_chat_value() & CVCA) == CVCA) - { - // we sign a dvca - cex.add_months(dvca_validity_months); - if (domestic) - chat_val = DVCA_domestic | chat_low; - else - chat_val = DVCA_foreign | chat_low; - } - else if ((signer_cert.get_chat_value() & DVCA_domestic) == DVCA_domestic || - (signer_cert.get_chat_value() & DVCA_foreign) == DVCA_foreign) - { - cex.add_months(ca_is_validity_months); - chat_val = IS | chat_low; - } - else - { - throw Invalid_Argument("sign_request(): encountered illegal value for CHAT"); - // (IS cannot sign certificates) - } - - std::vector<byte> enc_public_key = eac_1_1_encoding(priv_key, sig_algo.oid); - - return make_cvc_cert(pk_signer, enc_public_key, - ASN1_Car(signer_cert.get_chr().iso_8859()), - chr, - chat_val, - ced, - cex, - rng); - } - -EAC1_1_Req create_cvc_req(Private_Key const& prkey, - ASN1_Chr const& chr, - std::string const& hash_alg, - RandomNumberGenerator& rng) - { - ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&prkey); - if (priv_key == 0) - { - throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type"); - } - ECDSA_PrivateKey key(*priv_key); - key.set_parameter_encoding(EC_DOMPAR_ENC_IMPLICITCA); - return CVC_EAC::create_cvc_req(key, chr, hash_alg, rng); - } - -} // namespace DE_EAC - -} diff --git a/src/lib/cert/cvc/cvc_self.h b/src/lib/cert/cvc/cvc_self.h deleted file mode 100644 index d56e96c40..000000000 --- a/src/lib/cert/cvc/cvc_self.h +++ /dev/null @@ -1,180 +0,0 @@ -/* -* CVC Self-Signed Certificate -* (C) 2007 FlexSecure GmbH -* 2008 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#ifndef BOTAN_CVC_EAC_SELF_H__ -#define BOTAN_CVC_EAC_SELF_H__ - -#include <botan/cvc_cert.h> -#include <botan/ecdsa.h> -#include <botan/asn1_obj.h> -#include <botan/cvc_req.h> -#include <botan/cvc_ado.h> - -namespace Botan { - -/** -* This class represents a set of options used for the creation of CVC certificates -*/ -class BOTAN_DLL EAC1_1_CVC_Options - { - public: - - // public member variable: - ASN1_Car car; - - // public member variable: - ASN1_Chr chr; - - // public member variable: - byte holder_auth_templ; - - // public member variable: - ASN1_Ced ced; - - // public member variable: - ASN1_Cex cex; - - // public member variable: - std::string hash_alg; - }; - -/** -* This namespace represents general EAC 1.1 convenience functions. -*/ -namespace CVC_EAC { - -/** -* Create a selfsigned CVCA -* @param rng the rng to use -* @param key the ECDSA private key to be used to sign the certificate -* @param opts used to set several parameters. Necessary are: -* car, holder_auth_templ, hash_alg, ced, cex and hash_alg -* @result the self signed certificate -*/ - -EAC1_1_CVC BOTAN_DLL create_self_signed_cert(Private_Key const& key, - EAC1_1_CVC_Options const& opts, - RandomNumberGenerator& rng); -/** -* Create a CVC request. The key encoding will be according to the provided private key. -* @param priv_key the private key associated with the requesting entity -* @param chr the chr to appear in the certificate (to be provided without -* sequence number) -* @param hash_alg the string defining the hash algorithm to be used for the creation -* of the signature -* @param rng the rng to use -* @result the new request -*/ -EAC1_1_Req BOTAN_DLL create_cvc_req(Private_Key const& priv_key, - ASN1_Chr const& chr, - std::string const& hash_alg, - RandomNumberGenerator& rng); - -/** -* Create an ADO from a request object. -* @param priv_key the private key used to sign the ADO -* @param req the request forming the body of the ADO -* @param car the CAR forming the body of the ADO, i.e. the -* CHR of the entity associated with the provided private key -* @param rng the rng to use -*/ -EAC1_1_ADO BOTAN_DLL create_ado_req(Private_Key const& priv_key, - EAC1_1_Req const& req, - ASN1_Car const& car, - RandomNumberGenerator& rng); -} -/** -* This namespace represents EAC 1.1 CVC convenience functions -* following the specific german requirements. -*/ - -namespace DE_EAC { - -/** -* Create a CVCA certificate. -* @param priv_key the private key associated with the CVCA certificate -* to be created -* @param hash the string identifying the hash algorithm to be used -* for signing the certificate to be created -* @param car the CAR of the certificate to be created -* @param iris indicates whether the entity associated with the certificate -* shall be entitled to read the biometrical iris image -* @param fingerpr indicates whether the entity associated with the certificate -* shall be entitled to read the biometrical fingerprint image -* @param cvca_validity_months length of time in months this will be valid -* @param rng a random number generator -* @result the CVCA certificate created -*/ -EAC1_1_CVC BOTAN_DLL create_cvca(Private_Key const& priv_key, - std::string const& hash, - ASN1_Car const& car, - bool iris, - bool fingerpr, - u32bit cvca_validity_months, - RandomNumberGenerator& rng); - -/** -* Create a link certificate between two CVCA certificates. The key -* encoding will be implicitCA. -* @param signer the cvca certificate associated with the signing -* entity -* @param priv_key the private key associated with the signer -* @param to_be_signed the certificate which whose CAR/CHR will be -* the holder of the link certificate -* @param rng a random number generator -*/ -EAC1_1_CVC BOTAN_DLL link_cvca(EAC1_1_CVC const& signer, - Private_Key const& priv_key, - EAC1_1_CVC const& to_be_signed, - RandomNumberGenerator& rng); - -/** -* Create a CVC request. The key encoding will be implicitCA. -* @param priv_key the private key associated with the requesting entity -* @param chr the chr to appear in the certificate (to be provided without -* sequence number) -* @param hash_alg the string defining the hash algorithm to be used for the creation -* of the signature -* @param rng a random number generator -* @result the new request -*/ -EAC1_1_Req BOTAN_DLL create_cvc_req(Private_Key const& priv_key, - ASN1_Chr const& chr, - std::string const& hash_alg, - RandomNumberGenerator& rng); - -/** -* Sign a CVC request. -* @param signer_cert the certificate of the signing entity -* @param priv_key the private key of the signing entity -* @param req the request to be signed -* @param seqnr the sequence number of the certificate to be created -* @param seqnr_len the number of digits the sequence number will be -* encoded in -* @param domestic indicates whether to sign a domestic or a foreign -* certificate: set to true for domestic -* @param dvca_validity_months validity period in months -* @param ca_is_validity_months validity period in months -* @param rng a random number generator -* @result the new certificate -* -**/ -EAC1_1_CVC BOTAN_DLL sign_request(EAC1_1_CVC const& signer_cert, - Private_Key const& priv_key, - EAC1_1_Req const& req, - u32bit seqnr, - u32bit seqnr_len, - bool domestic, - u32bit dvca_validity_months, - u32bit ca_is_validity_months, - RandomNumberGenerator& rng); -} - -} - -#endif diff --git a/src/lib/cert/cvc/eac_asn_obj.h b/src/lib/cert/cvc/eac_asn_obj.h deleted file mode 100644 index b4dcb6342..000000000 --- a/src/lib/cert/cvc/eac_asn_obj.h +++ /dev/null @@ -1,239 +0,0 @@ -/* -* EAC ASN.1 Objects -* (C) 2007-2008 FlexSecure GmbH -* 2008-2010 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#ifndef BOTAN_EAC_ASN1_OBJ_H__ -#define BOTAN_EAC_ASN1_OBJ_H__ - -#include <botan/asn1_obj.h> -#include <chrono> - -namespace Botan { - -/** -* This class represents CVC EAC Time objects. -* It only models year, month and day. Only limited sanity checks of -* the inputted date value are performed. -*/ -class BOTAN_DLL EAC_Time : public ASN1_Object - { - public: - void encode_into(class DER_Encoder&) const; - void decode_from(class BER_Decoder&); - - /** - * Get a this objects value as a string. - * @return date string - */ - std::string as_string() const; - - /** - * Get a this objects value as a readable formatted string. - * @return date string - */ - std::string readable_string() const; - - /** - * Find out whether this object's values have been set. - * @return true if this object's internal values are set - */ - bool time_is_set() const; - - /** - * Compare this to another EAC_Time object. - * @return -1 if this object's date is earlier than - * other, +1 in the opposite case, and 0 if both dates are - * equal. - */ - s32bit cmp(const EAC_Time& other) const; - - /** - * Set this' value by a string value. - * @param str a string in the format "yyyy mm dd", - * e.g. "2007 08 01" - */ - void set_to(const std::string& str); - - /** - * Add the specified number of years to this. - * @param years the number of years to add - */ - void add_years(u32bit years); - - /** - * Add the specified number of months to this. - * @param months the number of months to add - */ - void add_months(u32bit months); - - /** - * Get the year value of this objects. - * @return year value - */ - u32bit get_year() const { return m_year; } - - /** - * Get the month value of this objects. - * @return month value - */ - u32bit get_month() const { return m_month; } - - /** - * Get the day value of this objects. - * @return day value - */ - u32bit get_day() const { return m_day; } - - EAC_Time(const std::chrono::system_clock::time_point& time, - ASN1_Tag tag = ASN1_Tag(0)); - - EAC_Time(const std::string& yyyy_mm_dd, - ASN1_Tag tag = ASN1_Tag(0)); - - EAC_Time(u32bit year, u32bit month, u32bit day, - ASN1_Tag tag = ASN1_Tag(0)); - - virtual ~EAC_Time() {} - private: - std::vector<byte> encoded_eac_time() const; - bool passes_sanity_check() const; - u32bit m_year, m_month, m_day; - ASN1_Tag m_tag; - }; - -/** -* This class represents CVC CEDs. Only limited sanity checks of -* the inputted date value are performed. -*/ -class BOTAN_DLL ASN1_Ced : public EAC_Time - { - public: - /** - * Construct a CED from a string value. - * @param str a string in the format "yyyy mm dd", - * e.g. "2007 08 01" - */ - ASN1_Ced(const std::string& str = "") : - EAC_Time(str, ASN1_Tag(37)) {} - - /** - * Construct a CED from a time point - */ - ASN1_Ced(const std::chrono::system_clock::time_point& time) : - EAC_Time(time, ASN1_Tag(37)) {} - - /** - * Copy constructor (for general EAC_Time objects). - * @param other the object to copy from - */ - ASN1_Ced(const EAC_Time& other) : - EAC_Time(other.get_year(), other.get_month(), other.get_day(), - ASN1_Tag(37)) - {} - }; - -/** -* This class represents CVC CEXs. Only limited sanity checks of -* the inputted date value are performed. -*/ -class BOTAN_DLL ASN1_Cex : public EAC_Time - { - public: - /** - * Construct a CEX from a string value. - * @param str a string in the format "yyyy mm dd", - * e.g. "2007 08 01" - */ - ASN1_Cex(const std::string& str = "") : - EAC_Time(str, ASN1_Tag(36)) {} - - ASN1_Cex(const std::chrono::system_clock::time_point& time) : - EAC_Time(time, ASN1_Tag(36)) {} - - ASN1_Cex(const EAC_Time& other) : - EAC_Time(other.get_year(), other.get_month(), other.get_day(), - ASN1_Tag(36)) - {} - }; - -/** -* Base class for car/chr of cv certificates. -*/ -class BOTAN_DLL ASN1_EAC_String: public ASN1_Object - { - public: - void encode_into(class DER_Encoder&) const; - void decode_from(class BER_Decoder&); - - /** - * Get this objects string value. - * @return string value - */ - std::string value() const; - - /** - * Get this objects string value. - * @return string value in iso8859 encoding - */ - std::string iso_8859() const; - - ASN1_Tag tagging() const; - ASN1_EAC_String(const std::string& str, ASN1_Tag the_tag); - - virtual ~ASN1_EAC_String() {} - protected: - bool sanity_check() const; - private: - std::string m_iso_8859_str; - ASN1_Tag m_tag; - }; - -/** -* This class represents CARs of CVCs. (String tagged with 2) -*/ -class BOTAN_DLL ASN1_Car : public ASN1_EAC_String - { - public: - /** - * Create a CAR with the specified content. - * @param str the CAR value - */ - ASN1_Car(std::string const& str = ""); - }; - -/** -* This class represents CHRs of CVCs (tag 32) -*/ -class BOTAN_DLL ASN1_Chr : public ASN1_EAC_String - { - public: - /** - * Create a CHR with the specified content. - * @param str the CHR value - */ - ASN1_Chr(std::string const& str = ""); - }; - -/* -* Comparison Operations -*/ -bool BOTAN_DLL operator==(const EAC_Time&, const EAC_Time&); -bool BOTAN_DLL operator!=(const EAC_Time&, const EAC_Time&); -bool BOTAN_DLL operator<=(const EAC_Time&, const EAC_Time&); -bool BOTAN_DLL operator>=(const EAC_Time&, const EAC_Time&); -bool BOTAN_DLL operator>(const EAC_Time&, const EAC_Time&); -bool BOTAN_DLL operator<(const EAC_Time&, const EAC_Time&); - -bool BOTAN_DLL operator==(const ASN1_EAC_String&, const ASN1_EAC_String&); -inline bool operator!=(const ASN1_EAC_String& lhs, const ASN1_EAC_String& rhs) - { - return !(lhs == rhs); - } - -} - -#endif diff --git a/src/lib/cert/cvc/eac_obj.h b/src/lib/cert/cvc/eac_obj.h deleted file mode 100644 index a6e676076..000000000 --- a/src/lib/cert/cvc/eac_obj.h +++ /dev/null @@ -1,55 +0,0 @@ -/* -* EAC1_1 objects -* (C) 2008 Falko Strenzke -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#ifndef BOTAN_EAC_OBJ_H__ -#define BOTAN_EAC_OBJ_H__ - -#include <botan/signed_obj.h> -#include <botan/ecdsa_sig.h> - -namespace Botan { - -/** -* TR03110 v1.1 EAC CV Certificate -*/ -template<typename Derived> // CRTP is used enable the call sequence: -class EAC1_1_obj : public EAC_Signed_Object - { - public: - /** - * Return the signature as a concatenation of the encoded parts. - * @result the concatenated signature - */ - std::vector<byte> get_concat_sig() const - { return m_sig.get_concatenation(); } - - bool check_signature(class Public_Key& key) const - { - return EAC_Signed_Object::check_signature(key, m_sig.DER_encode()); - } - - protected: - ECDSA_Signature m_sig; - - void init(DataSource& in) - { - try - { - Derived::decode_info(in, m_tbs_bits, m_sig); - } - catch(Decoding_Error) - { - throw Decoding_Error(m_PEM_label_pref + " decoding failed"); - } - } - - virtual ~EAC1_1_obj<Derived>(){} - }; - -} - -#endif diff --git a/src/lib/cert/cvc/ecdsa_sig.cpp b/src/lib/cert/cvc/ecdsa_sig.cpp deleted file mode 100644 index 5e85d7932..000000000 --- a/src/lib/cert/cvc/ecdsa_sig.cpp +++ /dev/null @@ -1,59 +0,0 @@ -/* -* ECDSA Signature -* (C) 2007 Falko Strenzke, FlexSecure GmbH -* (C) 2008-2010 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include <botan/ecdsa_sig.h> - -namespace Botan { - -ECDSA_Signature::ECDSA_Signature(const std::vector<byte>& ber) - { - BER_Decoder(ber) - .start_cons(SEQUENCE) - .decode(m_r) - .decode(m_s) - .end_cons() - .verify_end(); - } - -std::vector<byte> ECDSA_Signature::DER_encode() const - { - return DER_Encoder() - .start_cons(SEQUENCE) - .encode(get_r()) - .encode(get_s()) - .end_cons() - .get_contents_unlocked(); - } - -std::vector<byte> ECDSA_Signature::get_concatenation() const - { - // use the larger - const size_t enc_len = m_r > m_s ? m_r.bytes() : m_s.bytes(); - - const auto sv_r = BigInt::encode_1363(m_r, enc_len); - const auto sv_s = BigInt::encode_1363(m_s, enc_len); - - secure_vector<byte> result(sv_r); - result += sv_s; - return unlock(result); - } - -ECDSA_Signature decode_concatenation(const std::vector<byte>& concat) - { - if(concat.size() % 2 != 0) - throw Invalid_Argument("Erroneous length of signature"); - - const size_t rs_len = concat.size() / 2; - - BigInt r = BigInt::decode(&concat[0], rs_len); - BigInt s = BigInt::decode(&concat[rs_len], rs_len); - - return ECDSA_Signature(r, s); - } - -} diff --git a/src/lib/cert/cvc/ecdsa_sig.h b/src/lib/cert/cvc/ecdsa_sig.h deleted file mode 100644 index 2845cbec9..000000000 --- a/src/lib/cert/cvc/ecdsa_sig.h +++ /dev/null @@ -1,61 +0,0 @@ -/* -* ECDSA Signature -* (C) 2007 Falko Strenzke, FlexSecure GmbH -* (C) 2008-2010 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#ifndef BOTAN_ECDSA_SIGNATURE_H__ -#define BOTAN_ECDSA_SIGNATURE_H__ - -#include <botan/bigint.h> -#include <botan/der_enc.h> -#include <botan/ber_dec.h> - -namespace Botan { - -/** -* Class representing an ECDSA signature -*/ -class BOTAN_DLL ECDSA_Signature - { - public: - friend class ECDSA_Signature_Decoder; - - ECDSA_Signature() {} - ECDSA_Signature(const BigInt& r, const BigInt& s) : - m_r(r), m_s(s) {} - - ECDSA_Signature(const std::vector<byte>& ber); - - const BigInt& get_r() const { return m_r; } - const BigInt& get_s() const { return m_s; } - - /** - * return the r||s - */ - std::vector<byte> get_concatenation() const; - - std::vector<byte> DER_encode() const; - - bool operator==(const ECDSA_Signature& other) const - { - return (get_r() == other.get_r() && get_s() == other.get_s()); - } - - private: - BigInt m_r; - BigInt m_s; - }; - -inline bool operator!=(const ECDSA_Signature& lhs, const ECDSA_Signature& rhs) - { - return !(lhs == rhs); - } - -ECDSA_Signature decode_concatenation(const std::vector<byte>& concatenation); - -} - -#endif diff --git a/src/lib/cert/cvc/info.txt b/src/lib/cert/cvc/info.txt deleted file mode 100644 index e3da5435e..000000000 --- a/src/lib/cert/cvc/info.txt +++ /dev/null @@ -1,35 +0,0 @@ -define CARD_VERIFIABLE_CERTIFICATES 20131128 -load_on request - -<header:public> -cvc_ado.h -cvc_cert.h -cvc_gen_cert.h -cvc_req.h -cvc_self.h -eac_asn_obj.h -eac_obj.h -ecdsa_sig.h -signed_obj.h -</header:public> - -<source> -asn1_eac_str.cpp -asn1_eac_tm.cpp -ecdsa_sig.cpp -cvc_ado.cpp -cvc_cert.cpp -cvc_req.cpp -cvc_self.cpp -signed_obj.cpp -</source> - -<requires> -asn1 -bigint -ecdsa -filters -oid_lookup -pem -pubkey -</requires> diff --git a/src/lib/cert/cvc/signed_obj.cpp b/src/lib/cert/cvc/signed_obj.cpp deleted file mode 100644 index 1e3849663..000000000 --- a/src/lib/cert/cvc/signed_obj.cpp +++ /dev/null @@ -1,95 +0,0 @@ -/* -* EAC SIGNED Object -* (C) 1999-2010 Jack Lloyd -* 2007 FlexSecure GmbH -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include <botan/signed_obj.h> -#include <botan/pubkey.h> -#include <botan/oids.h> - -namespace Botan { - -/* -* Return a BER encoded X.509 object -*/ -std::vector<byte> EAC_Signed_Object::BER_encode() const - { - Pipe ber; - ber.start_msg(); - encode(ber, RAW_BER); - ber.end_msg(); - return unlock(ber.read_all()); - } - -/* -* Return a PEM encoded X.509 object -*/ -std::string EAC_Signed_Object::PEM_encode() const - { - Pipe pem; - pem.start_msg(); - encode(pem, PEM); - pem.end_msg(); - return pem.read_all_as_string(); - } - -/* -* Return the algorithm used to sign this object -*/ -AlgorithmIdentifier EAC_Signed_Object::signature_algorithm() const - { - return m_sig_algo; - } - -bool EAC_Signed_Object::check_signature(Public_Key& pub_key, - const std::vector<byte>& sig) const - { - try - { - std::vector<std::string> sig_info = - split_on(OIDS::lookup(m_sig_algo.oid), '/'); - - if(sig_info.size() != 2 || sig_info[0] != pub_key.algo_name()) - { - return false; - } - - std::string padding = sig_info[1]; - Signature_Format format = - (pub_key.message_parts() >= 2) ? DER_SEQUENCE : IEEE_1363; - - std::vector<byte> to_sign = tbs_data(); - - PK_Verifier verifier(pub_key, padding, format); - return verifier.verify_message(to_sign, sig); - } - catch(...) - { - return false; - } - } - -/* -* Try to decode the actual information -*/ -void EAC_Signed_Object::do_decode() - { - try { - force_decode(); - } - catch(Decoding_Error& e) - { - const std::string what = e.what(); - throw Decoding_Error(m_PEM_label_pref + " decoding failed (" + what + ")"); - } - catch(Invalid_Argument& e) - { - const std::string what = e.what(); - throw Decoding_Error(m_PEM_label_pref + " decoding failed (" + what + ")"); - } - } - -} diff --git a/src/lib/cert/cvc/signed_obj.h b/src/lib/cert/cvc/signed_obj.h deleted file mode 100644 index b3fe20f31..000000000 --- a/src/lib/cert/cvc/signed_obj.h +++ /dev/null @@ -1,95 +0,0 @@ -/* -* EAC SIGNED Object -* (C) 2007 FlexSecure GmbH -* 2008 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#ifndef BOTAN_EAC_SIGNED_OBJECT_H__ -#define BOTAN_EAC_SIGNED_OBJECT_H__ - -#include <botan/asn1_obj.h> -#include <botan/x509_key.h> -#include <botan/pipe.h> -#include <vector> - -namespace Botan { - -/** -* This class represents abstract signed EAC object -*/ -class BOTAN_DLL EAC_Signed_Object - { - public: - /** - * Get the TBS (to-be-signed) data in this object. - * @return DER encoded TBS data of this object - */ - virtual std::vector<byte> tbs_data() const = 0; - - /** - * Get the signature of this object as a concatenation, i.e. if the - * signature consists of multiple parts (like in the case of ECDSA) - * these will be concatenated. - * @return signature as a concatenation of its parts - */ - - /* - NOTE: this is here only because abstract signature objects have - not yet been introduced - */ - virtual std::vector<byte> get_concat_sig() const = 0; - - /** - * Get the signature algorithm identifier used to sign this object. - * @result the signature algorithm identifier - */ - AlgorithmIdentifier signature_algorithm() const; - - /** - * Check the signature of this object. - * @param key the public key associated with this signed object - * @param sig the signature we are checking - * @return true if the signature was created by the private key - * associated with this public key - */ - bool check_signature(class Public_Key& key, - const std::vector<byte>& sig) const; - - /** - * Write this object DER encoded into a specified pipe. - * @param pipe the pipe to write the encoded object to - * @param encoding the encoding type to use - */ - virtual void encode(Pipe& pipe, - X509_Encoding encoding = PEM) const = 0; - - /** - * BER encode this object. - * @return result containing the BER representation of this object. - */ - std::vector<byte> BER_encode() const; - - /** - * PEM encode this object. - * @return result containing the PEM representation of this object. - */ - std::string PEM_encode() const; - - virtual ~EAC_Signed_Object() {} - protected: - void do_decode(); - EAC_Signed_Object() {} - - AlgorithmIdentifier m_sig_algo; - std::vector<byte> m_tbs_bits; - std::string m_PEM_label_pref; - std::vector<std::string> m_PEM_labels_allowed; - private: - virtual void force_decode() = 0; - }; - -} - -#endif diff --git a/src/lib/cert/x509/key_constraint.cpp b/src/lib/cert/x509/key_constraint.cpp index 24791b34a..a90af013c 100644 --- a/src/lib/cert/x509/key_constraint.cpp +++ b/src/lib/cert/x509/key_constraint.cpp @@ -1,69 +1,46 @@ /* * KeyUsage * (C) 1999-2007 Jack Lloyd +* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity * * Botan is released under the Simplified BSD License (see license.txt) */ #include <botan/key_constraint.h> #include <botan/x509_key.h> -#include <botan/ber_dec.h> namespace Botan { -namespace BER { - -/* -* Decode a BER encoded KeyUsage -*/ -void decode(BER_Decoder& source, Key_Constraints& key_usage) - { - BER_Object obj = source.get_next_object(); - - if(obj.type_tag != BIT_STRING || obj.class_tag != UNIVERSAL) - throw BER_Bad_Tag("Bad tag for usage constraint", - obj.type_tag, obj.class_tag); - if(obj.value.size() != 2 && obj.value.size() != 3) - throw BER_Decoding_Error("Bad size for BITSTRING in usage constraint"); - if(obj.value[0] >= 8) - throw BER_Decoding_Error("Invalid unused bits in usage constraint"); - - const byte mask = (0xFF << obj.value[0]); - obj.value[obj.value.size()-1] &= mask; - - u16bit usage = 0; - for(size_t j = 1; j != obj.value.size(); ++j) - usage = (obj.value[j] << 8) | usage; - - key_usage = Key_Constraints(usage); - } - -} - /* -* Find the allowable key constraints +* Make sure the given key constraints are permitted for the given key type */ -Key_Constraints find_constraints(const Public_Key& pub_key, - Key_Constraints limits) +void verify_cert_constraints_valid_for_key_type(const Public_Key& pub_key, + Key_Constraints constraints) { const std::string name = pub_key.algo_name(); - size_t constraints = 0; + size_t permitted = 0; if(name == "DH" || name == "ECDH") - constraints |= KEY_AGREEMENT; + { + permitted |= KEY_AGREEMENT | ENCIPHER_ONLY | DECIPHER_ONLY; + } if(name == "RSA" || name == "ElGamal") - constraints |= KEY_ENCIPHERMENT | DATA_ENCIPHERMENT; + { + permitted |= KEY_ENCIPHERMENT | DATA_ENCIPHERMENT; + } if(name == "RSA" || name == "RW" || name == "NR" || - name == "DSA" || name == "ECDSA") - constraints |= DIGITAL_SIGNATURE | NON_REPUDIATION; - - if(limits) - constraints &= limits; - - return Key_Constraints(constraints); + name == "DSA" || name == "ECDSA" || name == "ECGDSA" || name == "ECKCDSA") + { + permitted |= DIGITAL_SIGNATURE | NON_REPUDIATION | KEY_CERT_SIGN | CRL_SIGN; + } + + if ( ( constraints & permitted ) != constraints ) + { + throw Exception("Constraint not permitted for key type " + name); + } } } diff --git a/src/lib/cert/x509/key_constraint.h b/src/lib/cert/x509/key_constraint.h index 179e413b5..b67eb7010 100644 --- a/src/lib/cert/x509/key_constraint.h +++ b/src/lib/cert/x509/key_constraint.h @@ -1,6 +1,7 @@ /* * Enumerations * (C) 1999-2007 Jack Lloyd +* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity * * Botan is released under the Simplified BSD License (see license.txt) */ @@ -8,7 +9,7 @@ #ifndef BOTAN_ENUMS_H__ #define BOTAN_ENUMS_H__ -#include <botan/ber_dec.h> +#include <botan/build.h> namespace Botan { @@ -32,26 +33,13 @@ enum Key_Constraints { class Public_Key; /** -* Create the key constraints for a specific public key. -* @param pub_key the public key from which the basic set of -* constraints to be placed in the return value is derived -* @param limits additional limits that will be incorporated into the -* return value -* @return combination of key type specific constraints and -* additional limits +* Check that key constraints are permitted for a specific public key. +* @param pub_key the public key on which the constraints shall be enforced on +* @param constrains the constraints that shall be enforced on the key +* @throw Exception if the given constraints are not permitted for this key */ - -BOTAN_DLL Key_Constraints find_constraints(const Public_Key& pub_key, - Key_Constraints limits); - -/** -* BER Decoding Function for key constraints -*/ -namespace BER { - -void BOTAN_DLL decode(BER_Decoder&, Key_Constraints&); - -} +BOTAN_DLL void verify_cert_constraints_valid_for_key_type(const Public_Key& pub_key, + Key_Constraints constraints); } diff --git a/src/lib/cert/x509/name_constraint.cpp b/src/lib/cert/x509/name_constraint.cpp index a1ed19856..83f6386ba 100644 --- a/src/lib/cert/x509/name_constraint.cpp +++ b/src/lib/cert/x509/name_constraint.cpp @@ -33,7 +33,7 @@ GeneralName::GeneralName(const std::string& v) : GeneralName() void GeneralName::encode_into(class DER_Encoder&) const { - throw Exception("General Name encoding not implemented"); + throw Not_Implemented("GeneralName encoding"); } void GeneralName::decode_from(class BER_Decoder& ber) @@ -249,7 +249,7 @@ GeneralSubtree::GeneralSubtree(const std::string& v) : GeneralSubtree() void GeneralSubtree::encode_into(class DER_Encoder&) const { - throw std::runtime_error("General Subtree encoding not implemented"); + throw Not_Implemented("General Subtree encoding"); } void GeneralSubtree::decode_from(class BER_Decoder& ber) diff --git a/src/lib/cert/x509/ocsp.cpp b/src/lib/cert/x509/ocsp.cpp index 4f4a3aece..df8df3b39 100644 --- a/src/lib/cert/x509/ocsp.cpp +++ b/src/lib/cert/x509/ocsp.cpp @@ -81,7 +81,7 @@ void check_signature(const std::vector<byte>& tbs_response, // Otherwise attempt to chain the signing cert to a trust root - if(!certs[0].allowed_usage("PKIX.OCSPSigning")) + if(!certs[0].allowed_extended_usage("PKIX.OCSPSigning")) throw Exception("OCSP response cert does not allow OCSP signing"); auto result = x509_path_validate(certs, Path_Validation_Restrictions(), trusted_roots); diff --git a/src/lib/cert/x509/ocsp_types.cpp b/src/lib/cert/x509/ocsp_types.cpp index ba5b825f7..d470c2fa1 100644 --- a/src/lib/cert/x509/ocsp_types.cpp +++ b/src/lib/cert/x509/ocsp_types.cpp @@ -92,7 +92,7 @@ void CertID::decode_from(class BER_Decoder& from) void SingleResponse::encode_into(class DER_Encoder&) const { - throw Exception("Not implemented (SingleResponse::encode_into)"); + throw Not_Implemented("SingleResponse::encode_into"); } void SingleResponse::decode_from(class BER_Decoder& from) diff --git a/src/lib/cert/x509/x509_ca.cpp b/src/lib/cert/x509/x509_ca.cpp index 46c8c65f2..58c6676f4 100644 --- a/src/lib/cert/x509/x509_ca.cpp +++ b/src/lib/cert/x509/x509_ca.cpp @@ -52,11 +52,14 @@ X509_Certificate X509_CA::sign_request(const PKCS10_Request& req, { Key_Constraints constraints; if(req.is_CA()) + { constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN); + } else { std::unique_ptr<Public_Key> key(req.subject_public_key()); - constraints = find_constraints(*key, req.constraints()); + verify_cert_constraints_valid_for_key_type(*key, req.constraints()); + constraints = req.constraints(); } Extensions extensions; @@ -65,7 +68,10 @@ X509_Certificate X509_CA::sign_request(const PKCS10_Request& req, new Cert_Extension::Basic_Constraints(req.is_CA(), req.path_limit()), true); - extensions.add(new Cert_Extension::Key_Usage(constraints), true); + if(constraints != NO_CONSTRAINTS) + { + extensions.add(new Cert_Extension::Key_Usage(constraints), true); + } extensions.add(new Cert_Extension::Authority_Key_ID(m_cert.subject_key_id())); extensions.add(new Cert_Extension::Subject_Key_ID(req.raw_public_key())); @@ -233,13 +239,17 @@ PK_Signer* choose_sig_format(const Private_Key& key, std::string padding; if(algo_name == "RSA") + { padding = "EMSA3"; - else if(algo_name == "DSA") + } + else if(algo_name == "DSA" || algo_name == "ECDSA" || algo_name == "ECGDSA" || algo_name == "ECKCDSA") + { padding = "EMSA1"; - else if(algo_name == "ECDSA") - padding = "EMSA1_BSI"; + } else + { throw Invalid_Argument("Unknown X.509 signing key type: " + algo_name); + } const Signature_Format format = (key.message_parts() > 1) ? DER_SEQUENCE : IEEE_1363; diff --git a/src/lib/cert/x509/x509_ca.h b/src/lib/cert/x509/x509_ca.h index 6ea51cd06..ba3724f5e 100644 --- a/src/lib/cert/x509/x509_ca.h +++ b/src/lib/cert/x509/x509_ca.h @@ -22,7 +22,6 @@ namespace Botan { class BOTAN_DLL X509_CA { public: - /** * Sign a PKCS#10 Request. * @param req the request to sign diff --git a/src/lib/cert/x509/x509_ext.cpp b/src/lib/cert/x509/x509_ext.cpp index 85d40bf21..650c20d53 100644 --- a/src/lib/cert/x509/x509_ext.cpp +++ b/src/lib/cert/x509/x509_ext.cpp @@ -1,6 +1,7 @@ /* * X.509 Certificate Extensions * (C) 1999-2010,2012 Jack Lloyd +* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity * * Botan is released under the Simplified BSD License (see license.txt) */ @@ -293,7 +294,9 @@ void Key_Usage::decode_inner(const std::vector<byte>& in) u16bit usage = 0; for(size_t i = 1; i != obj.value.size(); ++i) - usage = (obj.value[i] << 8) | usage; + { + usage = (obj.value[i] << 8*(sizeof(usage)-i)) | usage; + } m_constraints = Key_Constraints(usage); } @@ -461,7 +464,7 @@ void Extended_Key_Usage::contents_to(Data_Store& subject, Data_Store&) const */ std::vector<byte> Name_Constraints::encode_inner() const { - throw std::runtime_error("Name_Constraints encoding not implemented"); + throw Not_Implemented("Name_Constraints encoding"); } @@ -777,7 +780,7 @@ void CRL_ReasonCode::contents_to(Data_Store& info, Data_Store&) const std::vector<byte> CRL_Distribution_Points::encode_inner() const { - throw Exception("CRL_Distribution_Points encoding not implemented"); + throw Not_Implemented("CRL_Distribution_Points encoding"); } void CRL_Distribution_Points::decode_inner(const std::vector<byte>& buf) @@ -800,7 +803,7 @@ void CRL_Distribution_Points::contents_to(Data_Store& info, Data_Store&) const void CRL_Distribution_Points::Distribution_Point::encode_into(class DER_Encoder&) const { - throw Exception("CRL_Distribution_Points encoding not implemented"); + throw Not_Implemented("CRL_Distribution_Points encoding"); } void CRL_Distribution_Points::Distribution_Point::decode_from(class BER_Decoder& ber) @@ -815,16 +818,15 @@ void CRL_Distribution_Points::Distribution_Point::decode_from(class BER_Decoder& std::vector<byte> Unknown_Critical_Extension::encode_inner() const { - throw Exception("Unknown_Critical_Extension encoding not implemented"); + throw Not_Implemented("Unknown_Critical_Extension encoding"); } -void Unknown_Critical_Extension::decode_inner(const std::vector<byte>& buf) +void Unknown_Critical_Extension::decode_inner(const std::vector<byte>&) { } -void Unknown_Critical_Extension::contents_to(Data_Store& info, Data_Store&) const +void Unknown_Critical_Extension::contents_to(Data_Store&, Data_Store&) const { - // TODO: textual representation? } } diff --git a/src/lib/cert/x509/x509cert.cpp b/src/lib/cert/x509/x509cert.cpp index d7da00af0..ffedf43f0 100644 --- a/src/lib/cert/x509/x509cert.cpp +++ b/src/lib/cert/x509/x509cert.cpp @@ -1,6 +1,7 @@ /* * X.509 Certificates * (C) 1999-2010,2015 Jack Lloyd +* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity * * Botan is released under the Simplified BSD License (see license.txt) */ @@ -257,10 +258,10 @@ bool X509_Certificate::allowed_usage(Key_Constraints usage) const { if(constraints() == NO_CONSTRAINTS) return true; - return ((constraints() & usage) != 0); + return ((constraints() & usage) == usage); } -bool X509_Certificate::allowed_usage(const std::string& usage) const +bool X509_Certificate::allowed_extended_usage(const std::string& usage) const { const std::vector<std::string> ex = ex_constraints(); @@ -275,19 +276,21 @@ bool X509_Certificate::allowed_usage(const std::string& usage) const bool X509_Certificate::allowed_usage(Usage_Type usage) const { + // These follow suggestions in RFC 5280 4.2.1.12 + switch(usage) { case Usage_Type::UNSPECIFIED: return true; case Usage_Type::TLS_SERVER_AUTH: - return allowed_usage(Key_Constraints(DATA_ENCIPHERMENT | KEY_ENCIPHERMENT | DIGITAL_SIGNATURE)) && allowed_usage("PKIX.ServerAuth"); + return (allowed_usage(KEY_AGREEMENT) || allowed_usage(KEY_ENCIPHERMENT) || allowed_usage(DIGITAL_SIGNATURE)) && allowed_extended_usage("PKIX.ServerAuth"); case Usage_Type::TLS_CLIENT_AUTH: - return allowed_usage(Key_Constraints(DIGITAL_SIGNATURE | NON_REPUDIATION)) && allowed_usage("PKIX.ClientAuth"); + return (allowed_usage(DIGITAL_SIGNATURE) || allowed_usage(KEY_AGREEMENT)) && allowed_extended_usage("PKIX.ClientAuth"); case Usage_Type::OCSP_RESPONDER: - return allowed_usage(Key_Constraints(DIGITAL_SIGNATURE | NON_REPUDIATION)) && allowed_usage("PKIX.OCSPSigning"); + return (allowed_usage(DIGITAL_SIGNATURE) || allowed_usage(NON_REPUDIATION)) && allowed_extended_usage("PKIX.OCSPSigning"); case Usage_Type::CERTIFICATE_AUTHORITY: return is_CA_cert(); @@ -296,6 +299,33 @@ bool X509_Certificate::allowed_usage(Usage_Type usage) const return false; } +bool X509_Certificate::has_constraints(Key_Constraints constraints) const + { + if(this->constraints() == NO_CONSTRAINTS) + { + return false; + } + + return ((this->constraints() & constraints) != 0); + } + +bool X509_Certificate::has_ex_constraint(const std::string& ex_constraint) const + { + const std::vector<std::string> ex = ex_constraints(); + + if(ex.empty()) + { + return false; + } + + if(std::find(ex.begin(), ex.end(), ex_constraint) != ex.end()) + { + return true; + } + + return false; + } + /* * Return the path length constraint */ @@ -538,7 +568,7 @@ std::string X509_Certificate::to_string() const if(constraints & DIGITAL_SIGNATURE) out << " Digital Signature\n"; if(constraints & NON_REPUDIATION) - out << " Non-Repuidation\n"; + out << " Non-Repudiation\n"; if(constraints & KEY_ENCIPHERMENT) out << " Key Encipherment\n"; if(constraints & DATA_ENCIPHERMENT) @@ -549,6 +579,10 @@ std::string X509_Certificate::to_string() const out << " Cert Sign\n"; if(constraints & CRL_SIGN) out << " CRL Sign\n"; + if(constraints & ENCIPHER_ONLY) + out << " Encipher Only\n"; + if(constraints & DECIPHER_ONLY) + out << " Decipher Only\n"; } std::vector<std::string> policies = this->policies(); diff --git a/src/lib/cert/x509/x509cert.h b/src/lib/cert/x509/x509cert.h index c521cf7ca..eb98f9c3d 100644 --- a/src/lib/cert/x509/x509cert.h +++ b/src/lib/cert/x509/x509cert.h @@ -33,7 +33,7 @@ enum class Usage_Type /** * This class represents X.509 Certificate */ -class BOTAN_DLL X509_Certificate final : public X509_Object +class BOTAN_DLL X509_Certificate : public X509_Object { public: /** @@ -140,17 +140,39 @@ class BOTAN_DLL X509_Certificate final : public X509_Object */ bool is_CA_cert() const; + /** + * Returns true if the specified @param usage is set in the key usage extension + * or if no key usage constraints are set at all. + * To check if a certain key constraint is set in the certificate + * use @see X509_Certificate#has_constraints. + */ bool allowed_usage(Key_Constraints usage) const; /** - * Returns true if and only if name (referring to an extended key - * constraint, eg "PKIX.ServerAuth") is included in the extended - * key extension. + * Returns true if the specified @param usage is set in the extended key usage extension + * or if no extended key usage constraints are set at all. + * To check if a certain extended key constraint is set in the certificate + * use @see X509_Certificate#has_ex_constraint. */ - bool allowed_usage(const std::string& usage) const; + bool allowed_extended_usage(const std::string& usage) const; + /** + * Returns true if the required key and extended key constraints are set in the certificate + * for the specified @param usage or if no key constraints are set in both the key usage + * and extended key usage extension. + */ bool allowed_usage(Usage_Type usage) const; + /// Returns true if the specified @param constraints are included in the key usage extension. + bool has_constraints(Key_Constraints constraints) const; + + /** + * Returns true if and only if @param ex_constraint (referring to an extended key + * constraint, eg "PKIX.ServerAuth") is included in the extended + * key extension. + */ + bool has_ex_constraint(const std::string& ex_constraint) const; + /** * Get the path limit as defined in the BasicConstraints extension of * this certificate. diff --git a/src/lib/cert/x509/x509opt.cpp b/src/lib/cert/x509/x509opt.cpp index 158f4c779..2dd2098fe 100644 --- a/src/lib/cert/x509/x509opt.cpp +++ b/src/lib/cert/x509/x509opt.cpp @@ -62,19 +62,6 @@ void X509_Cert_Options::CA_key(size_t limit) } /* -* Do basic sanity checks -*/ -void X509_Cert_Options::sanity_check() const - { - if(common_name.empty() || country.empty()) - throw Encoding_Error("X.509 certificate: name and country MUST be set"); - if(country.size() != 2) - throw Encoding_Error("Invalid ISO country code: " + country); - if(start >= end) - throw Encoding_Error("X509_Cert_Options: invalid time constraints"); - } - -/* * Initialize the certificate options */ X509_Cert_Options::X509_Cert_Options(const std::string& initial_opts, diff --git a/src/lib/cert/x509/x509self.cpp b/src/lib/cert/x509/x509self.cpp index 7d1c01c37..102e24f77 100644 --- a/src/lib/cert/x509/x509self.cpp +++ b/src/lib/cert/x509/x509self.cpp @@ -49,17 +49,20 @@ X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts, X509_DN subject_dn; AlternativeName subject_alt; - opts.sanity_check(); - std::vector<byte> pub_key = X509::BER_encode(key); std::unique_ptr<PK_Signer> signer(choose_sig_format(key, hash_fn, sig_algo)); load_info(opts, subject_dn, subject_alt); Key_Constraints constraints; if(opts.is_CA) + { constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN); + } else - constraints = find_constraints(key, opts.constraints); + { + verify_cert_constraints_valid_for_key_type(key, opts.constraints); + constraints = opts.constraints; + } Extensions extensions; @@ -67,7 +70,10 @@ X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts, new Cert_Extension::Basic_Constraints(opts.is_CA, opts.path_limit), true); - extensions.add(new Cert_Extension::Key_Usage(constraints), true); + if(constraints != NO_CONSTRAINTS) + { + extensions.add(new Cert_Extension::Key_Usage(constraints), true); + } extensions.add(new Cert_Extension::Subject_Key_ID(pub_key)); @@ -95,24 +101,33 @@ PKCS10_Request create_cert_req(const X509_Cert_Options& opts, X509_DN subject_dn; AlternativeName subject_alt; - opts.sanity_check(); - std::vector<byte> pub_key = X509::BER_encode(key); std::unique_ptr<PK_Signer> signer(choose_sig_format(key, hash_fn, sig_algo)); load_info(opts, subject_dn, subject_alt); const size_t PKCS10_VERSION = 0; + Key_Constraints constraints; + if(opts.is_CA) + { + constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN); + } + else + { + verify_cert_constraints_valid_for_key_type(key, opts.constraints); + constraints = opts.constraints; + } + Extensions extensions; extensions.add( new Cert_Extension::Basic_Constraints(opts.is_CA, opts.path_limit)); - extensions.add( - new Cert_Extension::Key_Usage( - opts.is_CA ? Key_Constraints(KEY_CERT_SIGN | CRL_SIGN) : - find_constraints(key, opts.constraints) - ) - ); + + if(constraints != NO_CONSTRAINTS) + { + extensions.add( + new Cert_Extension::Key_Usage(constraints)); + } extensions.add( new Cert_Extension::Extended_Key_Usage(opts.ex_constraints)); extensions.add( diff --git a/src/lib/cert/x509/x509self.h b/src/lib/cert/x509/x509self.h index a4bbad214..401b2eb2f 100644 --- a/src/lib/cert/x509/x509self.h +++ b/src/lib/cert/x509/x509self.h @@ -115,11 +115,6 @@ class BOTAN_DLL X509_Cert_Options std::vector<OID> ex_constraints; /** - * Check the options set in this object for validity. - */ - void sanity_check() const; - - /** * Mark the certificate as a CA certificate and set the path limit. * @param limit the path limit to be set in the BasicConstraints extension. */ |