From cc5e87c0bf9553b1c18b1c487c4089111d3271d7 Mon Sep 17 00:00:00 2001 From: Patrik Fiedler Date: Wed, 3 Jan 2018 10:45:41 +0100 Subject: add the detection for the ca issuers field(1.3.6.1.5.5.7.48.2) in x509 certificates --- src/lib/x509/x509_ext.cpp | 13 +++++++++++++ src/lib/x509/x509_ext.h | 11 ++++++++--- src/lib/x509/x509cert.cpp | 16 ++++++++++++++++ src/lib/x509/x509cert.h | 5 +++++ 4 files changed, 42 insertions(+), 3 deletions(-) (limited to 'src/lib/x509') diff --git a/src/lib/x509/x509_ext.cpp b/src/lib/x509/x509_ext.cpp index afb79f6bf..64f5765ac 100644 --- a/src/lib/x509/x509_ext.cpp +++ b/src/lib/x509/x509_ext.cpp @@ -777,6 +777,15 @@ void Authority_Information_Access::decode_inner(const std::vector& in) } } + if(oid == OIDS::lookup("PKIX.CertificateAuthorityIssuers")) + { + BER_Object name = info.get_next_object(); + + if(name.type_tag == 6 && name.class_tag == CONTEXT_SPECIFIC) + { + m_ca_issuers.push_back(ASN1::to_string(name)); + } + } } } @@ -784,6 +793,10 @@ void Authority_Information_Access::contents_to(Data_Store& subject, Data_Store&) { if(!m_ocsp_responder.empty()) subject.add("OCSP.responder", m_ocsp_responder); + std::for_each(m_ca_issuers.begin(), m_ca_issuers.end(), [&subject] (const std::string& ca_issuer) + { + subject.add("PKIX.CertificateAuthorityIssuers", ca_issuer); + }); } /* diff --git a/src/lib/x509/x509_ext.h b/src/lib/x509/x509_ext.h index 235496cbd..8e702daf1 100644 --- a/src/lib/x509/x509_ext.h +++ b/src/lib/x509/x509_ext.h 
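Review bot: The new branch in decode_inner keeps the accessLocation only when it is the GeneralName choice tagged 6, and neither that magic number nor the silent drop of every other form (directoryName, rfc822Name, …) is documented; a comment above the tag test such as `// accessLocation is a GeneralName; only uniformResourceIdentifier [6] is recorded, other choices are ignored` would make the contract visible. The stored string is whatever ASN1::to_string yields from the raw contents of an attacker-supplied certificate, so presumably no IA5String/URI-syntax or scheme check happens here — any caller that later fetches issuer certificates from these locations must validate them first, and a one-line note saying the value is untrusted would be worth adding. The branch is also a near-verbatim copy of the OCSP branch a few lines above it, so a small static helper returning the URI for a given accessMethod would remove the duplication. decode_inner starts before this hunk.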
@@ -544,21 +544,25 @@ class BOTAN_PUBLIC_API(2,0) Certificate_Policies final : public Certificate_Exte std::vector m_oids; }; +/** +* Authority Information Access Extension +*/ class BOTAN_PUBLIC_API(2,0) Authority_Information_Access final : public Certificate_Extension { public: Authority_Information_Access* copy() const override - { return new Authority_Information_Access(m_ocsp_responder); } + { return new Authority_Information_Access(m_ocsp_responder, m_ca_issuers); } Authority_Information_Access() = default; - explicit Authority_Information_Access(const std::string& ocsp) : - m_ocsp_responder(ocsp) {} + explicit Authority_Information_Access(const std::string& ocsp, const std::vector& ca_issuers = std::vector()) : + m_ocsp_responder(ocsp), m_ca_issuers(ca_issuers) {} std::string ocsp_responder() const { return m_ocsp_responder; } static OID static_oid() { return OID("1.3.6.1.5.5.7.1.1"); } OID oid_of() const override { return static_oid(); } + const std::vector ca_issuers() const { return m_ca_issuers; } private: std::string oid_name() const override @@ -572,6 +576,7 @@ class BOTAN_PUBLIC_API(2,0) Authority_Information_Access final : public Certific void contents_to(Data_Store&, Data_Store&) const override; std::string m_ocsp_responder; + std::vector m_ca_issuers; }; /** diff --git a/src/lib/x509/x509cert.cpp b/src/lib/x509/x509cert.cpp index dd0514dfb..f298006c0 100644 --- a/src/lib/x509/x509cert.cpp +++ b/src/lib/x509/x509cert.cpp @@ -47,6 +47,7 @@ struct X509_Certificate_Data std::vector m_crl_distribution_points; std::string m_ocsp_responder; + std::vector m_ca_issuers; AlternativeName m_subject_alt_name; AlternativeName m_issuer_alt_name; @@ -262,6 +263,7 @@ std::unique_ptr parse_x509_cert_body(const X509_Object& o if(auto ext = data->m_v3_extensions.get_extension_object_as()) { data->m_ocsp_responder = ext->ocsp_responder(); + data->m_ca_issuers = ext->ca_issuers(); } if(auto ext = data->m_v3_extensions.get_extension_object_as()) 
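Review bot: The new accessor `const std::vector ca_issuers() const { return m_ca_issuers; }` (template argument apparently stripped in this listing) returns a const prvalue, which buys nothing and stops callers from moving the result; either drop the leading const to match `std::string ocsp_responder() const` just above it, or, since the member outlives the call, return `const std::vector<std::string>& ca_issuers() const { return m_ca_issuers; }`. The constructor's new defaulted `ca_issuers` parameter also has no documentation, and the class comment added here could say what the extension carries, e.g. `* Authority Information Access Extension (RFC 5280 4.2.2.1): OCSP responder and CA Issuers access locations`. The class body continues past this hunk.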
@@ -543,6 +545,11 @@ std::string X509_Certificate::ocsp_responder() const return data().m_ocsp_responder; } +std::vector X509_Certificate::ca_issuers() const + { + return data().m_ca_issuers; + } + std::string X509_Certificate::crl_distribution_point() const { // just returns the first (arbitrarily) @@ -815,6 +822,15 @@ std::string X509_Certificate::to_string() const if(!ocsp_responder().empty()) out << "OCSP responder " << ocsp_responder() << "\n"; + + std::vector ca_issuers = this->ca_issuers(); + if(!ca_issuers.empty()) + { + out << "CA Issuers:\n"; + for(size_t i = 0; i != ca_issuers.size(); i++) + out << " URI: " << ca_issuers[i] << "\n"; + } + if(!crl_distribution_point().empty()) out << "CRL " << crl_distribution_point() << "\n"; diff --git a/src/lib/x509/x509cert.h b/src/lib/x509/x509cert.h index e87e5e436..a1448637d 100644 --- a/src/lib/x509/x509cert.h +++ b/src/lib/x509/x509cert.h @@ -345,6 +345,11 @@ class BOTAN_PUBLIC_API(2,0) X509_Certificate : public X509_Object */ std::string ocsp_responder() const; + /** + * Return the listed addresses of ca issuers, or empty if not set + */ + std::vector ca_issuers() const; + /** * Return the CRL distribution point, or empty if not set */ -- cgit v1.2.3 From be81e8d15a5b1698863dc09816f15d7fcaddca65 Mon Sep 17 00:00:00 2001 From: Patrik Fiedler Date: Wed, 3 Jan 2018 16:50:45 +0100 Subject: use range-based for loop instead of std::for_each --- src/build-data/oids.txt | 1 + src/lib/asn1/oids.cpp | 4 ++-- src/lib/x509/x509_ext.cpp | 6 ++---- 3 files changed, 5 insertions(+), 6 deletions(-) (limited to 'src/lib/x509') diff --git a/src/build-data/oids.txt b/src/build-data/oids.txt index 089523e69..321439e5b 100644 --- a/src/build-data/oids.txt +++ b/src/build-data/oids.txt @@ -235,6 +235,7 @@ 1.3.6.1.5.5.7.48.1 = PKIX.OCSP 1.3.6.1.5.5.7.48.1.1 = PKIX.OCSP.BasicResponse +1.3.6.1.5.5.7.48.2 = PKIX.CertificateAuthorityIssuers 1.3.6.1.4.1.311.20.2.2 = Microsoft SmartcardLogon 
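Review bot: The index loop added to to_string, `for(size_t i = 0; i != ca_issuers.size(); i++)`, can be the same range-for the follow-up commit already uses in contents_to: `for(const std::string& uri : ca_issuers) out << "   URI: " << uri << "\n";`. The `URI:` label is only accurate because decode_inner in this commit records just the [6] uniformResourceIdentifier form; if other GeneralName forms are ever collected the label becomes misleading, so a short comment stating that assumption next to the loop would help. As with the existing OCSP responder line, this echoes certificate-supplied text verbatim into the dump. X509_Certificate::to_string starts before this hunk and continues after it.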
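Review bot: The doc comment on the new declaration, `Return the listed addresses of ca issuers, or empty if not set`, understates what the accessor actually returns: per decode_inner in this commit only accessLocations of the uniformResourceIdentifier form are collected, in certificate order. Suggest `Return the CA Issuers access location URIs from the Authority Information Access extension (other GeneralName forms are not reported), in certificate order, or an empty vector if none are present`. Saying explicitly that the values come straight from the certificate and are not validated would also steer callers away from fetching from them blindly.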
diff --git a/src/lib/asn1/oids.cpp b/src/lib/asn1/oids.cpp index e88fdc980..b60ec24d2 100644 --- a/src/lib/asn1/oids.cpp +++ b/src/lib/asn1/oids.cpp @@ -1,7 +1,7 @@ /* * OID maps * -* This file was automatically generated by ./src/scripts/oids.py on 2017-12-05 +* This file was automatically generated by ./src/scripts/oids.py on 2018-01-03 * * All manual edits to this file will be lost. Edit the script * then regenerate this source file. @@ -133,7 +133,6 @@ std::string lookup(const OID& oid) if(oid_str == "1.3.6.1.4.1.8301.3.1.2.9.0.38") return "secp521r1"; if(oid_str == "1.3.6.1.5.5.7.1.1") return "PKIX.AuthorityInformationAccess"; if(oid_str == "1.3.6.1.5.5.7.3.1") return "PKIX.ServerAuth"; - if(oid_str == "1.3.6.1.5.5.7.48.2") return "PKIX.CertificateAuthorityIssuers"; if(oid_str == "1.3.6.1.5.5.7.3.2") return "PKIX.ClientAuth"; if(oid_str == "1.3.6.1.5.5.7.3.3") return "PKIX.CodeSigning"; if(oid_str == "1.3.6.1.5.5.7.3.4") return "PKIX.EmailProtection"; @@ -144,6 +143,7 @@ std::string lookup(const OID& oid) if(oid_str == "1.3.6.1.5.5.7.3.9") return "PKIX.OCSPSigning"; if(oid_str == "1.3.6.1.5.5.7.48.1") return "PKIX.OCSP"; if(oid_str == "1.3.6.1.5.5.7.48.1.1") return "PKIX.OCSP.BasicResponse"; + if(oid_str == "1.3.6.1.5.5.7.48.2") return "PKIX.CertificateAuthorityIssuers"; if(oid_str == "1.3.6.1.5.5.7.8.5") return "PKIX.XMPPAddr"; if(oid_str == "2.16.840.1.101.3.4.1.2") return "AES-128/CBC"; if(oid_str == "2.16.840.1.101.3.4.1.22") return "AES-192/CBC"; diff --git a/src/lib/x509/x509_ext.cpp b/src/lib/x509/x509_ext.cpp index 64f5765ac..c3b58236a 100644 --- a/src/lib/x509/x509_ext.cpp +++ b/src/lib/x509/x509_ext.cpp 
@@ -793,10 +793,8 @@ void Authority_Information_Access::contents_to(Data_Store& subject, Data_Store&) { if(!m_ocsp_responder.empty()) subject.add("OCSP.responder", m_ocsp_responder); - std::for_each(m_ca_issuers.begin(), m_ca_issuers.end(), [&subject] (const std::string& ca_issuer) - { - subject.add("PKIX.CertificateAuthorityIssuers", ca_issuer); - }); + for(const std::string& ca_issuer : m_ca_issuers) + subject.add("PKIX.CertificateAuthorityIssuers", ca_issuer); } /* -- cgit v1.2.3
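Review bot: The Data_Store key written by the new range-for, `"PKIX.CertificateAuthorityIssuers"`, uses a different naming family from the neighbouring `"OCSP.responder"` key, and these strings are the ones callers must know to look the value up later; a name in the existing style (for example `"CA.issuers"` alongside `"OCSP.responder"`) would be easier to discover, and whichever is kept should be stated in the ca_issuers() doc comment. The loop itself needs no emptiness guard like the one above it, since an empty vector simply adds nothing, so the shape is fine. The function's signature is only visible in the hunk header.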