Diffstat (limited to 'src/lib/x509')
-rw-r--r--src/lib/x509/asn1_alt_name.cpp6
-rw-r--r--src/lib/x509/ocsp.cpp2
-rw-r--r--src/lib/x509/ocsp_types.cpp3
-rw-r--r--src/lib/x509/pkcs10.cpp14
-rw-r--r--src/lib/x509/x509_ca.cpp2
-rw-r--r--src/lib/x509/x509_dn.cpp18
-rw-r--r--src/lib/x509/x509_ext.cpp6
-rw-r--r--src/lib/x509/x509_obj.cpp12
-rw-r--r--src/lib/x509/x509cert.cpp20
-rw-r--r--src/lib/x509/x509opt.cpp2
-rw-r--r--src/lib/x509/x509path.cpp7
-rw-r--r--src/lib/x509/x509self.cpp2
12 files changed, 46 insertions, 48 deletions
diff --git a/src/lib/x509/asn1_alt_name.cpp b/src/lib/x509/asn1_alt_name.cpp
index 4e052ca58..60e767543 100644
--- a/src/lib/x509/asn1_alt_name.cpp
+++ b/src/lib/x509/asn1_alt_name.cpp
@@ -69,10 +69,14 @@ std::multimap<std::string, std::string> AlternativeName::contents() const
std::multimap<std::string, std::string> names;
for(auto i = m_alt_info.begin(); i != m_alt_info.end(); ++i)
+ {
multimap_insert(names, i->first, i->second);
+ }
for(auto i = m_othernames.begin(); i != m_othernames.end(); ++i)
- multimap_insert(names, OIDS::lookup(i->first), i->second.value());
+ {
+ multimap_insert(names, OIDS::oid2str_or_raw(i->first), i->second.value());
+ }
return names;
}
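Review bot: Both loops in contents() still iterate by explicit begin()/end() iterators while the commit only wraps their bodies in braces; since the iterator is only ever dereferenced for `first`/`second`, a range-for reads more clearly and avoids the `i->` indirection, e.g. `for(const auto& alt : m_alt_info) { multimap_insert(names, alt.first, alt.second); }` and likewise `for(const auto& other : m_othernames) { multimap_insert(names, OIDS::oid2str_or_raw(other.first), other.second.value()); }`. The start of contents() lies above the hunk.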
diff --git a/src/lib/x509/ocsp.cpp b/src/lib/x509/ocsp.cpp
index 249ce7817..b119c4490 100644
--- a/src/lib/x509/ocsp.cpp
+++ b/src/lib/x509/ocsp.cpp
@@ -164,7 +164,7 @@ Certificate_Status_Code Response::verify_signature(const X509_Certificate& issue
std::unique_ptr<Public_Key> pub_key(issuer.subject_public_key());
const std::vector<std::string> sig_info =
- split_on(OIDS::lookup(m_sig_algo.get_oid()), '/');
+ split_on(OIDS::oid2str_or_throw(m_sig_algo.get_oid()), '/');
if(sig_info.size() != 2 || sig_info[0] != pub_key->algo_name())
return Certificate_Status_Code::OCSP_RESPONSE_INVALID;
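Review bot: Switching to `OIDS::oid2str_or_throw` on the response's own signature algorithm OID means an OCSP response that carries an unrecognised algorithm now leaves verify_signature by exception rather than through the `OCSP_RESPONSE_INVALID` status return on the following line, which appears to be the path the `sig_info.size() != 2` check was written to cover. Since the OID comes straight from the network-supplied response, it seems worth either using `oid2str_or_empty` here so the existing check still yields a status code, or documenting with a comment such as `// unknown signature algorithm OID throws; callers must catch` that callers are expected to handle the exception. The rest of verify_signature is outside the hunk, so I cannot see whether a surrounding try/catch already exists.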
diff --git a/src/lib/x509/ocsp_types.cpp b/src/lib/x509/ocsp_types.cpp
index 3eda5c05b..98c63a31b 100644
--- a/src/lib/x509/ocsp_types.cpp
+++ b/src/lib/x509/ocsp_types.cpp
@@ -39,7 +39,8 @@ bool CertID::is_id_for(const X509_Certificate& issuer,
if(BigInt::decode(subject.serial_number()) != m_subject_serial)
return false;
- std::unique_ptr<HashFunction> hash(HashFunction::create(OIDS::lookup(m_hash_id.get_oid())));
+ const std::string hash_algo = OIDS::oid2str_or_throw(m_hash_id.get_oid());
+ std::unique_ptr<HashFunction> hash = HashFunction::create(hash_algo);
if(m_issuer_dn_hash != unlock(hash->process(subject.raw_issuer_dn())))
return false;
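Review bot: The new `HashFunction::create(hash_algo)` on the second added line can still return a null pointer when the OID is known but the hash is not available in this build, and `hash->process(...)` on the next line would then dereference null; the commit only moved the OID-to-name step to the throwing variant, not the hash construction. Using the throwing factory, `std::unique_ptr<HashFunction> hash = HashFunction::create_or_throw(hash_algo);`, makes the failure an exception instead of undefined behaviour, since `m_hash_id` is taken from the untrusted response. The remainder of is_id_for continues below the hunk.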
diff --git a/src/lib/x509/pkcs10.cpp b/src/lib/x509/pkcs10.cpp
index 2da002cd1..1270e4159 100644
--- a/src/lib/x509/pkcs10.cpp
+++ b/src/lib/x509/pkcs10.cpp
@@ -148,19 +148,19 @@ std::unique_ptr<PKCS10_Data> decode_pkcs10(const std::vector<uint8_t>& body)
const OID& oid = attr.get_oid();
BER_Decoder value(attr.get_parameters());
- if(oid == OIDS::lookup("PKCS9.EmailAddress"))
+ if(oid == OIDS::str2oid_or_throw("PKCS9.EmailAddress"))
{
ASN1_String email;
value.decode(email);
pkcs9_email.insert(email.value());
}
- else if(oid == OIDS::lookup("PKCS9.ChallengePassword"))
+ else if(oid == OIDS::str2oid_or_throw("PKCS9.ChallengePassword"))
{
ASN1_String challenge_password;
value.decode(challenge_password);
data->m_challenge = challenge_password.value();
}
- else if(oid == OIDS::lookup("PKCS9.ExtensionRequest"))
+ else if(oid == OIDS::str2oid_or_throw("PKCS9.ExtensionRequest"))
{
value.decode(data->m_extensions).verify_end();
}
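Review bot: The three `OIDS::str2oid_or_throw("PKCS9.…")` calls on the changed lines run a string-to-OID table lookup for every attribute of the request even though their arguments are compile-time constants; the same pattern recurs in the four later hunks of this file that look up `"X509v3.KeyUsage"`, `"X509v3.ExtendedKeyUsage"` and `"X509v3.BasicConstraints"`. Hoisting each into a function-local `static const OID`, for example `static const OID email_oid = OIDS::str2oid_or_throw("PKCS9.EmailAddress");`, keeps the throwing behaviour while doing the lookup once. The enclosing loop of decode_pkcs10 starts and ends outside this hunk.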
@@ -260,7 +260,7 @@ const Extensions& PKCS10_Request::extensions() const
*/
Key_Constraints PKCS10_Request::constraints() const
{
- if(auto ext = extensions().get(OIDS::lookup("X509v3.KeyUsage")))
+ if(auto ext = extensions().get(OIDS::str2oid_or_throw("X509v3.KeyUsage")))
{
return dynamic_cast<Cert_Extension::Key_Usage&>(*ext).get_constraints();
}
@@ -273,7 +273,7 @@ Key_Constraints PKCS10_Request::constraints() const
*/
std::vector<OID> PKCS10_Request::ex_constraints() const
{
- if(auto ext = extensions().get(OIDS::lookup("X509v3.ExtendedKeyUsage")))
+ if(auto ext = extensions().get(OIDS::str2oid_or_throw("X509v3.ExtendedKeyUsage")))
{
return dynamic_cast<Cert_Extension::Extended_Key_Usage&>(*ext).get_oids();
}
@@ -286,7 +286,7 @@ std::vector<OID> PKCS10_Request::ex_constraints() const
*/
bool PKCS10_Request::is_CA() const
{
- if(auto ext = extensions().get(OIDS::lookup("X509v3.BasicConstraints")))
+ if(auto ext = extensions().get(OIDS::str2oid_or_throw("X509v3.BasicConstraints")))
{
return dynamic_cast<Cert_Extension::Basic_Constraints&>(*ext).get_is_ca();
}
@@ -299,7 +299,7 @@ bool PKCS10_Request::is_CA() const
*/
size_t PKCS10_Request::path_limit() const
{
- if(auto ext = extensions().get(OIDS::lookup("X509v3.BasicConstraints")))
+ if(auto ext = extensions().get(OIDS::str2oid_or_throw("X509v3.BasicConstraints")))
{
Cert_Extension::Basic_Constraints& basic_constraints = dynamic_cast<Cert_Extension::Basic_Constraints&>(*ext);
if(basic_constraints.get_is_ca())
diff --git a/src/lib/x509/x509_ca.cpp b/src/lib/x509/x509_ca.cpp
index 73eea4a95..74ca1bcfc 100644
--- a/src/lib/x509/x509_ca.cpp
+++ b/src/lib/x509/x509_ca.cpp
@@ -40,7 +40,7 @@ X509_CA::X509_CA(const X509_Certificate& c,
// constructor without additional options: use the padding used in the CA certificate
// sig_oid_str = <sig_alg>/<padding>, so padding with all its options will look
// like a cipher mode to the scanner
- std::string sig_oid_str = OIDS::lookup(c.signature_algorithm().oid);
+ std::string sig_oid_str = OIDS::oid2str_or_throw(c.signature_algorithm().oid);
SCAN_Name scanner(sig_oid_str);
std::string pad = scanner.cipher_mode();
if(!pad.empty())
diff --git a/src/lib/x509/x509_dn.cpp b/src/lib/x509/x509_dn.cpp
index 6e2707673..e9d825256 100644
--- a/src/lib/x509/x509_dn.cpp
+++ b/src/lib/x509/x509_dn.cpp
@@ -23,7 +23,7 @@ namespace Botan {
void X509_DN::add_attribute(const std::string& type,
const std::string& str)
{
- add_attribute(OIDS::lookup(type), str);
+ add_attribute(OIDS::str2oid_or_throw(type), str);
}
/*
@@ -59,10 +59,7 @@ std::multimap<std::string, std::string> X509_DN::contents() const
for(auto& i : m_rdn)
{
- std::string str_value = OIDS::oid2str(i.first);
-
- if(str_value.empty())
- str_value = i.first.to_string();
+ const std::string str_value = OIDS::oid2str_or_raw(i.first);
multimap_insert(retval, str_value, i.second.value());
}
return retval;
@@ -70,7 +67,7 @@ std::multimap<std::string, std::string> X509_DN::contents() const
bool X509_DN::has_field(const std::string& attr) const
{
- return has_field(OIDS::lookup(deref_info_field(attr)));
+ return has_field(OIDS::str2oid_or_throw(deref_info_field(attr)));
}
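Review bot: The string overloads of the query functions now throw for an attribute name the OID table does not know, where the replaced `OIDS::lookup` presumably let the query fall through to a negative answer; `has_field(const std::string&)` on the changed line, and equally `get_first_attribute`/`get_attribute` in the next two hunks, are predicates that callers may reasonably call with user-chosen field names, and the same shift applies to `allowed_extended_usage`, `has_ex_constraint` and `is_critical` in x509cert.cpp. If the throwing behaviour is intended, it should be stated on the declarations, e.g. `/// @throws if attr does not name a known OID`; otherwise `str2oid_or_empty` with a `false`/empty result would preserve the query semantics. I cannot see the previous return contract of `lookup` from this page, so this is inferred from the renamed helpers.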
bool X509_DN::has_field(const OID& oid) const
@@ -86,7 +83,7 @@ bool X509_DN::has_field(const OID& oid) const
std::string X509_DN::get_first_attribute(const std::string& attr) const
{
- const OID oid = OIDS::lookup(deref_info_field(attr));
+ const OID oid = OIDS::str2oid_or_throw(deref_info_field(attr));
return get_first_attribute(oid).value();
}
@@ -108,7 +105,7 @@ ASN1_String X509_DN::get_first_attribute(const OID& oid) const
*/
std::vector<std::string> X509_DN::get_attribute(const std::string& attr) const
{
- const OID oid = OIDS::lookup(deref_info_field(attr));
+ const OID oid = OIDS::str2oid_or_throw(deref_info_field(attr));
std::vector<std::string> values;
@@ -304,10 +301,7 @@ namespace {
std::string to_short_form(const OID& oid)
{
- const std::string long_id = OIDS::oid2str(oid);
-
- if(long_id.empty())
- return oid.to_string();
+ const std::string long_id = OIDS::oid2str_or_raw(oid);
if(long_id == "X520.CommonName")
return "CN";
diff --git a/src/lib/x509/x509_ext.cpp b/src/lib/x509/x509_ext.cpp
index 9b938f4d3..cfcc7da59 100644
--- a/src/lib/x509/x509_ext.cpp
+++ b/src/lib/x509/x509_ext.cpp
@@ -786,7 +786,7 @@ std::vector<uint8_t> Authority_Information_Access::encode_inner() const
DER_Encoder(output)
.start_cons(SEQUENCE)
.start_cons(SEQUENCE)
- .encode(OIDS::lookup("PKIX.OCSP"))
+ .encode(OIDS::str2oid_or_throw("PKIX.OCSP"))
.add_object(ASN1_Tag(6), CONTEXT_SPECIFIC, url.value())
.end_cons()
.end_cons();
@@ -805,7 +805,7 @@ void Authority_Information_Access::decode_inner(const std::vector<uint8_t>& in)
info.decode(oid);
- if(oid == OIDS::lookup("PKIX.OCSP"))
+ if(oid == OIDS::str2oid_or_throw("PKIX.OCSP"))
{
BER_Object name = info.get_next_object();
@@ -815,7 +815,7 @@ void Authority_Information_Access::decode_inner(const std::vector<uint8_t>& in)
}
}
- if(oid == OIDS::lookup("PKIX.CertificateAuthorityIssuers"))
+ if(oid == OIDS::str2oid_or_throw("PKIX.CertificateAuthorityIssuers"))
{
BER_Object name = info.get_next_object();
diff --git a/src/lib/x509/x509_obj.cpp b/src/lib/x509/x509_obj.cpp
index dd1e51cd7..dded17b4b 100644
--- a/src/lib/x509/x509_obj.cpp
+++ b/src/lib/x509/x509_obj.cpp
@@ -139,7 +139,7 @@ std::vector<uint8_t> X509_Object::tbs_data() const
std::string X509_Object::hash_used_for_signature() const
{
const OID& oid = m_sig_algo.get_oid();
- const std::vector<std::string> sig_info = split_on(OIDS::lookup(oid), '/');
+ const std::vector<std::string> sig_info = split_on(OIDS::oid2str_or_throw(oid), '/');
if(sig_info.size() == 1 && sig_info[0] == "Ed25519")
return "SHA-512";
@@ -148,7 +148,7 @@ std::string X509_Object::hash_used_for_signature() const
if(sig_info[1] == "EMSA4")
{
- return OIDS::lookup(decode_pss_params(signature_algorithm().get_parameters()).hash_algo.get_oid());
+ return OIDS::oid2str_or_throw(decode_pss_params(signature_algorithm().get_parameters()).hash_algo.get_oid());
}
else
{
@@ -184,7 +184,7 @@ bool X509_Object::check_signature(const Public_Key& pub_key) const
Certificate_Status_Code X509_Object::verify_signature(const Public_Key& pub_key) const
{
const std::vector<std::string> sig_info =
- split_on(OIDS::lookup(m_sig_algo.get_oid()), '/');
+ split_on(OIDS::oid2str_or_throw(m_sig_algo.get_oid()), '/');
if(sig_info.size() < 1 || sig_info.size() > 2 || sig_info[0] != pub_key.algo_name())
return Certificate_Status_Code::SIGNATURE_ALGO_BAD_PARAMS;
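Review bot: In verify_signature the changed line now throws on an unrecognised signature algorithm OID, whereas the `sig_info.size() < 1` guard on the following line looks like it existed precisely so that such certificates produce `SIGNATURE_ALGO_BAD_PARAMS` as a status code; the same applies to the PSS `hash_algo` and `mgf_algo` lookups in the two hunks that follow, and to `hash_used_for_signature` in the first hunk of this file. Because these OIDs come from the certificate being validated, a path-validation caller that expects a status set may now see an exception escape instead. Either `oid2str_or_empty` should be used on these lines so the existing status returns stay reachable, or a comment such as `// unknown OIDs throw; check_chain pre-screens with oid2str_or_empty` should record why that is acceptable. The function body continues past the hunk.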
@@ -210,7 +210,7 @@ Certificate_Status_Code X509_Object::verify_signature(const Public_Key& pub_key)
Pss_params pss_parameter = decode_pss_params(signature_algorithm().parameters);
// hash_algo must be SHA1, SHA2-224, SHA2-256, SHA2-384 or SHA2-512
- const std::string hash_algo = OIDS::lookup(pss_parameter.hash_algo.oid);
+ const std::string hash_algo = OIDS::oid2str_or_throw(pss_parameter.hash_algo.oid);
if(hash_algo != "SHA-160" &&
hash_algo != "SHA-224" &&
hash_algo != "SHA-256" &&
@@ -220,7 +220,7 @@ Certificate_Status_Code X509_Object::verify_signature(const Public_Key& pub_key)
return Certificate_Status_Code::UNTRUSTED_HASH;
}
- const std::string mgf_algo = OIDS::lookup(pss_parameter.mask_gen_algo.oid);
+ const std::string mgf_algo = OIDS::oid2str_or_throw(pss_parameter.mask_gen_algo.oid);
if(mgf_algo != "MGF1")
{
return Certificate_Status_Code::SIGNATURE_ALGO_BAD_PARAMS;
@@ -354,7 +354,7 @@ std::string choose_sig_algo(AlgorithmIdentifier& sig_algo,
}
else
{
- sig_algo = AlgorithmIdentifier(OIDS::lookup("Ed25519"), AlgorithmIdentifier::USE_EMPTY_PARAM);
+ sig_algo = AlgorithmIdentifier(OIDS::str2oid_or_throw("Ed25519"), AlgorithmIdentifier::USE_EMPTY_PARAM);
return "Pure";
}
}
diff --git a/src/lib/x509/x509cert.cpp b/src/lib/x509/x509cert.cpp
index 0212267ec..890360c8a 100644
--- a/src/lib/x509/x509cert.cpp
+++ b/src/lib/x509/x509cert.cpp
@@ -148,7 +148,7 @@ std::unique_ptr<X509_Certificate_Data> parse_x509_cert_body(const X509_Object& o
BER_Decoder(public_key).decode(public_key_alg_id).discard_remaining();
std::vector<std::string> public_key_info =
- split_on(OIDS::oid2str(public_key_alg_id.get_oid()), '/');
+ split_on(OIDS::oid2str_or_throw(public_key_alg_id.get_oid()), '/');
if(!public_key_info.empty() && public_key_info[0] == "RSA")
{
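Review bot: After the changed line, the `!public_key_info.empty()` test on the following line can no longer be false, because `oid2str_or_throw` raises for an unknown public-key algorithm OID instead of yielding the empty string that `oid2str` returned; the guard is now dead and, more importantly, a certificate whose key algorithm is unknown to this build is now rejected during parsing rather than parsed with the RSA-specific handling skipped. If parse_x509_cert_body is meant to keep accepting such certificates, `oid2str_or_empty` preserves the old tolerance; if rejection is intended, the empty check should be dropped and the behaviour noted in the function comment. parse_x509_cert_body starts and ends outside this hunk.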
@@ -500,7 +500,7 @@ bool X509_Certificate::allowed_usage(Key_Constraints usage) const
bool X509_Certificate::allowed_extended_usage(const std::string& usage) const
{
- return allowed_extended_usage(OIDS::str2oid(usage));
+ return allowed_extended_usage(OIDS::str2oid_or_throw(usage));
}
bool X509_Certificate::allowed_extended_usage(const OID& usage) const
@@ -552,7 +552,7 @@ bool X509_Certificate::has_constraints(Key_Constraints constraints) const
bool X509_Certificate::has_ex_constraint(const std::string& ex_constraint) const
{
- return has_ex_constraint(OIDS::str2oid(ex_constraint));
+ return has_ex_constraint(OIDS::str2oid_or_throw(ex_constraint));
}
bool X509_Certificate::has_ex_constraint(const OID& usage) const
@@ -566,7 +566,7 @@ bool X509_Certificate::has_ex_constraint(const OID& usage) const
*/
bool X509_Certificate::is_critical(const std::string& ex_name) const
{
- return v3_extensions().critical_extension_set(OIDS::str2oid(ex_name));
+ return v3_extensions().critical_extension_set(OIDS::str2oid_or_throw(ex_name));
}
std::string X509_Certificate::ocsp_responder() const
@@ -695,7 +695,7 @@ std::vector<std::string> lookup_oids(const std::vector<OID>& oids)
for(const OID& oid : oids)
{
- out.push_back(OIDS::oid2str(oid));
+ out.push_back(OIDS::oid2str_or_raw(oid));
}
return out;
}
@@ -823,12 +823,8 @@ std::string X509_Certificate::to_string() const
out << "Extended Constraints:\n";
for(auto&& oid : ex_constraints)
{
- const std::string oid_str = OIDS::oid2str(oid);
-
- if(oid_str.empty())
- out << " " << oid.to_string() << "\n";
- else
- out << " " << oid_str << "\n";
+ const std::string oid_str = OIDS::oid2str_or_raw(oid);
+ out << " " << oid.to_string() << "\n";
}
}
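Review bot: The rewritten loop body computes `oid_str` with `OIDS::oid2str_or_raw(oid)` but then prints `oid.to_string()` on the next line, so `oid_str` is unused and the human-readable name that the removed `else` branch used to print is lost — every extended constraint is now dumped as a raw dotted OID. The second added line should be `out << "   " << oid_str << "\n";`, matching how `oid2str_or_raw` is used in the `lookup_oids` hunk above. to_string() extends beyond this hunk on both sides.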
@@ -874,7 +870,7 @@ std::string X509_Certificate::to_string() const
out << "CRL " << crl_distribution_point() << "\n";
out << "Signature algorithm: " <<
- OIDS::oid2str(this->signature_algorithm().get_oid()) << "\n";
+ OIDS::oid2str_or_raw(this->signature_algorithm().get_oid()) << "\n";
out << "Serial number: " << hex_encode(this->serial_number()) << "\n";
diff --git a/src/lib/x509/x509opt.cpp b/src/lib/x509/x509opt.cpp
index e31ead91f..723d57742 100644
--- a/src/lib/x509/x509opt.cpp
+++ b/src/lib/x509/x509opt.cpp
@@ -49,7 +49,7 @@ void X509_Cert_Options::add_ex_constraint(const OID& oid)
*/
void X509_Cert_Options::add_ex_constraint(const std::string& oid_str)
{
- ex_constraints.push_back(OIDS::lookup(oid_str));
+ ex_constraints.push_back(OIDS::str2oid_or_throw(oid_str));
}
/*
diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp
index cecefcc79..52be8263f 100644
--- a/src/lib/x509/x509path.cpp
+++ b/src/lib/x509/x509path.cpp
@@ -117,7 +117,7 @@ PKIX::check_chain(const std::vector<std::shared_ptr<const X509_Certificate>>& ce
std::unique_ptr<Public_Key> issuer_key(issuer->subject_public_key());
// Check the signature algorithm
- if(OIDS::lookup(subject->signature_algorithm().oid).empty())
+ if(OIDS::oid2str_or_empty(subject->signature_algorithm().oid).empty())
{
status.insert(Certificate_Status_Code::SIGNATURE_ALGO_UNKNOWN);
}
@@ -298,8 +298,11 @@ PKIX::check_crl(const std::vector<std::shared_ptr<const X509_Certificate>>& cert
for(const auto& extension : crls[i]->extensions().extensions())
{
+ // XXX this is wrong - the OID might be defined but the extention not full parsed
+ // for example see #1652
+
// is the extension critical and unknown?
- if(extension.second && OIDS::lookup(extension.first->oid_of()) == "")
+ if(extension.second && OIDS::oid2str_or_empty(extension.first->oid_of()) == "")
{
/* NIST Certificate Path Valiadation Testing document: "When an implementation does not recognize a critical extension in the
* crlExtensions field, it shall assume that identified certificates have been revoked and are no longer valid"
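Review bot: The changed condition compares the result of `OIDS::oid2str_or_empty` with `""`, while the earlier hunk in this file (check_chain) uses `.empty()` for the same helper; `if(extension.second && OIDS::oid2str_or_empty(extension.first->oid_of()).empty())` keeps the two sites consistent and avoids constructing a temporary for the comparison. The added XXX comment also has "extention" and "not full parsed" which should read "extension" and "not fully parsed". The enclosing loop of check_crl continues outside the hunk.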
diff --git a/src/lib/x509/x509self.cpp b/src/lib/x509/x509self.cpp
index d84544eff..d848185ec 100644
--- a/src/lib/x509/x509self.cpp
+++ b/src/lib/x509/x509self.cpp
@@ -35,7 +35,7 @@ void load_info(const X509_Cert_Options& opts, X509_DN& subject_dn,
subject_dn.add_attribute("X520.SerialNumber", opts.serial_number);
subject_alt = AlternativeName(opts.email, opts.uri, opts.dns, opts.ip);
- subject_alt.add_othername(OIDS::lookup("PKIX.XMPPAddr"),
+ subject_alt.add_othername(OIDS::str2oid_or_throw("PKIX.XMPPAddr"),
opts.xmpp, UTF8_STRING);
for(auto dns : opts.more_dns)