diff options
Diffstat (limited to 'botan/src/cert')
46 files changed, 7180 insertions, 0 deletions
diff --git a/botan/src/cert/cvc/asn1_eac_str.cpp b/botan/src/cert/cvc/asn1_eac_str.cpp new file mode 100644 index 0000000..a306ffb --- /dev/null +++ b/botan/src/cert/cvc/asn1_eac_str.cpp @@ -0,0 +1,130 @@ +/* +* Simple ASN.1 String Types +* (C) 2007 FlexSecure GmbH +* 2008 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/eac_asn_obj.h> +#include <botan/der_enc.h> +#include <botan/ber_dec.h> +#include <botan/charset.h> +#include <botan/parsing.h> +#include <sstream> + +namespace Botan { + +/* +* Create an ASN1_EAC_String +*/ +ASN1_EAC_String::ASN1_EAC_String(const std::string& str, ASN1_Tag t) : tag(t) + { + iso_8859_str = Charset::transcode(str, LOCAL_CHARSET, LATIN1_CHARSET); + if (!sanity_check()) + { + throw Invalid_Argument("attempted to construct ASN1_EAC_String with illegal characters"); + } + } + +/* +* Return this string in ISO 8859-1 encoding +*/ +std::string ASN1_EAC_String::iso_8859() const + { + return iso_8859_str; + } + +/* +* Return this string in local encoding +*/ +std::string ASN1_EAC_String::value() const + { + return Charset::transcode(iso_8859_str, LATIN1_CHARSET, LOCAL_CHARSET); + } + +/* +* Return the type of this string object +*/ +ASN1_Tag ASN1_EAC_String::tagging() const + { + return tag; + } + +/* +* DER encode an ASN1_EAC_String +*/ +void ASN1_EAC_String::encode_into(DER_Encoder& encoder) const + { + std::string value = iso_8859(); + encoder.add_object(tagging(), APPLICATION, value); + } + +/* +* Decode a BER encoded ASN1_EAC_String +*/ +void ASN1_EAC_String::decode_from(BER_Decoder& source) + { + BER_Object obj = source.get_next_object(); + if (obj.type_tag != this->tag) + { + + std::string message("decoding type mismatch for ASN1_EAC_String, tag is "); + std::stringstream ss; + std::string str_is; + ss << std::hex << obj.type_tag; + ss >> str_is; + message.append(str_is); + message.append(", while it should be "); + std::stringstream ss2; + std::string str_should; + ss2 << std::hex << this->tag; + ss2 >> str_should; + message.append(str_should); + throw Decoding_Error(message); + } + Character_Set charset_is; + charset_is = LATIN1_CHARSET; + + try + { + *this = ASN1_EAC_String( + Charset::transcode(ASN1::to_string(obj), charset_is, LOCAL_CHARSET), + obj.type_tag); + } + catch (Invalid_Argument inv_arg) + { + throw Decoding_Error(std::string("error while decoding ASN1_EAC_String: ") + std::string(inv_arg.what())); + } + } + +// checks for compliance to the alphabet defined in TR-03110 v1.10, 2007-08-20 +// p. 43 +bool ASN1_EAC_String::sanity_check() const + { + const byte* rep = reinterpret_cast<const byte*>(iso_8859_str.data()); + const u32bit rep_len = iso_8859_str.size(); + for (u32bit i=0; i<rep_len; i++) + { + if ((rep[i] < 0x20) || ((rep[i] >= 0x7F) && (rep[i] < 0xA0))) + { + return false; + } + } + return true; + } + +bool operator==(const ASN1_EAC_String& lhs, const ASN1_EAC_String& rhs) + { + return (lhs.iso_8859() == rhs.iso_8859()); + } + +ASN1_Car::ASN1_Car(std::string const& str) + : ASN1_EAC_String(str, ASN1_Tag(2)) + {} + +ASN1_Chr::ASN1_Chr(std::string const& str) + : ASN1_EAC_String(str, ASN1_Tag(32)) + {} + +} diff --git a/botan/src/cert/cvc/asn1_eac_tm.cpp b/botan/src/cert/cvc/asn1_eac_tm.cpp new file mode 100644 index 0000000..05533b5 --- /dev/null +++ b/botan/src/cert/cvc/asn1_eac_tm.cpp @@ -0,0 +1,361 @@ +/* +* EAC Time Types +* (C) 2007 FlexSecure GmbH +* 2008 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/eac_asn_obj.h> +#include <botan/der_enc.h> +#include <botan/ber_dec.h> +#include <botan/charset.h> +#include <botan/parsing.h> +#include <ctime> +#include <sstream> + +namespace Botan { + +namespace { + +/* +* Convert a time_t to a struct tm +*/ +std::tm get_tm(u64bit timer) + { + std::time_t time_val = static_cast<std::time_t>(timer); + + std::tm* tm_p = std::gmtime(&time_val); + if (tm_p == 0) + throw Encoding_Error("EAC_Time: gmtime could not encode " + + to_string(timer)); + return (*tm_p); + } +SecureVector<byte> enc_two_digit(u32bit in) + { + SecureVector<byte> result; + in %= 100; + if (in < 10) + { + result.append(0x00); + } + else + { + u32bit y_first_pos = (in - (in%10))/10; + result.append(static_cast<byte>(y_first_pos)); + } + u32bit y_sec_pos = in%10; + result.append(static_cast<byte>(y_sec_pos)); + return result; + } +u32bit dec_two_digit(byte b1, byte b2) + { + u32bit upper = (u32bit)b1; + u32bit lower = (u32bit)b2; + if (upper > 9 || lower > 9) + { + throw Invalid_Argument("u32bit dec_two_digit(byte b1, byte b2): value too large"); + } + return upper*10 + lower; + + } +} + +/* +* Create an EAC_Time +*/ +EAC_Time::EAC_Time(u64bit timer, ASN1_Tag t) + :tag(t) + { + std::tm time_info = get_tm(timer); + + year = time_info.tm_year + 1900; + month = time_info.tm_mon + 1; + day = time_info.tm_mday; + + } + +/* +* Create an EAC_Time +*/ +EAC_Time::EAC_Time(const std::string& t_spec, ASN1_Tag t) + :tag(t) + { + set_to(t_spec); + } +/* +* Create an EAC_Time +*/ +EAC_Time::EAC_Time(u32bit y, u32bit m, u32bit d, ASN1_Tag t) + : year(y), + month(m), + day(d), + tag(t) + { + } + +/* +* Set the time with a human readable string +*/ +void EAC_Time::set_to(const std::string& time_str) + { + if (time_str == "") + { + year = month = day = 0; + return; + } + + std::vector<std::string> params; + std::string current; + + for (u32bit j = 0; j != time_str.size(); ++j) + { + if (Charset::is_digit(time_str[j])) + current += time_str[j]; + else + { + if (current != "") + params.push_back(current); + current.clear(); + } + } + if (current != "") + params.push_back(current); + + if (params.size() != 3) + throw Invalid_Argument("Invalid time specification " + time_str); + + year = to_u32bit(params[0]); + month = to_u32bit(params[1]); + day = to_u32bit(params[2]); + + if (!passes_sanity_check()) + throw Invalid_Argument("Invalid time specification " + time_str); + } + + +/* +* DER encode a EAC_Time +*/ +void EAC_Time::encode_into(DER_Encoder& der) const + { + der.add_object(tag, APPLICATION, + encoded_eac_time()); + } + +/* +* Return a string representation of the time +*/ +std::string EAC_Time::as_string() const + { + if (time_is_set() == false) + throw Invalid_State("EAC_Time::as_string: No time set"); + + std::string asn1rep; + asn1rep = to_string(year, 2); + + asn1rep += to_string(month, 2) + to_string(day, 2); + + return asn1rep; + } + +/* +* Return if the time has been set somehow +*/ +bool EAC_Time::time_is_set() const + { + return (year != 0); + } + +/* +* Return a human readable string representation +*/ +std::string EAC_Time::readable_string() const + { + if (time_is_set() == false) + throw Invalid_State("EAC_Time::readable_string: No time set"); + + std::string readable; + readable += to_string(year, 2) + "/"; + readable += to_string(month, 2) + "/"; + readable += to_string(day, 2) + " "; + + return readable; + } + +/* +* Do a general sanity check on the time +*/ +bool EAC_Time::passes_sanity_check() const + { + if (year < 2000 || year > 2099) + return false; + if (month == 0 || month > 12) + return false; + if (day == 0 || day > 31) + return false; + + return true; + } + +/****************************************** +* modification functions +******************************************/ + +void EAC_Time::add_years(u32bit years) + { + year += years; + } +void EAC_Time::add_months(u32bit months) + { + year += months/12; + month += months % 12; + if(month > 12) + { + year += 1; + month -= 12; + } + } + + +/* +* Compare this time against another +*/ +s32bit EAC_Time::cmp(const EAC_Time& other) const + { + if (time_is_set() == false) + throw Invalid_State("EAC_Time::cmp: No time set"); + + const s32bit EARLIER = -1, LATER = 1, SAME_TIME = 0; + + if (year < other.year) return EARLIER; + if (year > other.year) return LATER; + if (month < other.month) return EARLIER; + if (month > other.month) return LATER; + if (day < other.day) return EARLIER; + if (day > other.day) return LATER; + + return SAME_TIME; + } + +/* +* Compare two EAC_Times for in various ways +*/ +bool operator==(const EAC_Time& t1, const EAC_Time& t2) + { + return (t1.cmp(t2) == 0); + } +bool operator!=(const EAC_Time& t1, const EAC_Time& t2) + { + return (t1.cmp(t2) != 0); + } +bool operator<=(const EAC_Time& t1, const EAC_Time& t2) + { + return (t1.cmp(t2) <= 0); + } +bool operator>=(const EAC_Time& t1, const EAC_Time& t2) + { + return (t1.cmp(t2) >= 0); + } +bool operator>(const EAC_Time& t1, const EAC_Time& t2) + { + return (t1.cmp(t2) > 0); + } +bool operator<(const EAC_Time& t1, const EAC_Time& t2) + { + return (t1.cmp(t2) < 0); + } + +/* +* Decode a BER encoded EAC_Time +*/ +void EAC_Time::decode_from(BER_Decoder& source) + { + BER_Object obj = source.get_next_object(); + if (obj.type_tag != this->tag) + { + std::string message("decoding type mismatch for EAC_Time, tag is "); + std::stringstream ss; + std::string str_is; + ss << std::hex << obj.type_tag; + ss >> str_is; + message.append(str_is); + message.append(", while it should be "); + std::stringstream ss2; + std::string str_should; + ss2 << std::hex << this->tag; + ss2 >> str_should; + message.append(str_should); + throw Decoding_Error(message); + + } + if (obj.value.size() != 6) + { + throw Decoding_Error("EAC_Time decoding failed"); + } + try + { + u32bit tmp_year = dec_two_digit(obj.value[0], obj.value[1]); + u32bit tmp_mon = dec_two_digit(obj.value[2], obj.value[3]); + u32bit tmp_day = dec_two_digit(obj.value[4], obj.value[5]); + year = tmp_year + 2000; + month = tmp_mon; + day = tmp_day; + } + catch (Invalid_Argument) + { + throw Decoding_Error("EAC_Time decoding failed"); + } + + } + +u32bit EAC_Time::get_year() const + { + return year; + } +u32bit EAC_Time::get_month() const + { + return month; + } +u32bit EAC_Time::get_day() const + { + return day; + } + +/* +* make the value an octet string for encoding +*/ +SecureVector<byte> EAC_Time::encoded_eac_time() const + { + SecureVector<byte> result; + result.append(enc_two_digit(year)); + result.append(enc_two_digit(month)); + result.append(enc_two_digit(day)); + return result; + } + +ASN1_Ced::ASN1_Ced(std::string const& str) + : EAC_Time(str, ASN1_Tag(37)) + {} + +ASN1_Ced::ASN1_Ced(u64bit val) + : EAC_Time(val, ASN1_Tag(37)) + {} + +ASN1_Ced::ASN1_Ced(EAC_Time const& other) + : EAC_Time(other.get_year(), other.get_month(), other.get_day(), ASN1_Tag(37)) + {} + +ASN1_Cex::ASN1_Cex(std::string const& str) + : EAC_Time(str, ASN1_Tag(36)) + {} + +ASN1_Cex::ASN1_Cex(u64bit val) + : EAC_Time(val, ASN1_Tag(36)) + {} + +ASN1_Cex::ASN1_Cex(EAC_Time const& other) + : EAC_Time(other.get_year(), other.get_month(), other.get_day(), ASN1_Tag(36)) + {} + +} diff --git a/botan/src/cert/cvc/cvc_ado.cpp b/botan/src/cert/cvc/cvc_ado.cpp new file mode 100644 index 0000000..6e1484e --- /dev/null +++ b/botan/src/cert/cvc/cvc_ado.cpp @@ -0,0 +1,135 @@ +/* +* CVC Certificate Constructor +* (C) 2007 FlexSecure GmbH +* 2008 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/cvc_ado.h> +#include <fstream> +#include <assert.h> + +namespace Botan { + +EAC1_1_ADO::EAC1_1_ADO(std::tr1::shared_ptr<DataSource> in) + { + init(in); + do_decode(); + } + +EAC1_1_ADO::EAC1_1_ADO(const std::string& in) + { + std::tr1::shared_ptr<DataSource> stream(new DataSource_Stream(in, true)); + init(stream); + do_decode(); + } + +void EAC1_1_ADO::force_decode() + { + SecureVector<byte> inner_cert; + BER_Decoder(tbs_bits) + .start_cons(ASN1_Tag(33)) + .raw_bytes(inner_cert) + .end_cons() + .decode(m_car) + .verify_end(); + + SecureVector<byte> req_bits = DER_Encoder() + .start_cons(ASN1_Tag(33), APPLICATION) + .raw_bytes(inner_cert) + .end_cons() + .get_contents(); + + std::tr1::shared_ptr<DataSource> req_source(new DataSource_Memory(req_bits)); + m_req = EAC1_1_Req(req_source); + sig_algo = m_req.sig_algo; + } + +MemoryVector<byte> EAC1_1_ADO::make_signed( + std::auto_ptr<PK_Signer> signer, + const MemoryRegion<byte>& tbs_bits, + RandomNumberGenerator& rng) + { + SecureVector<byte> concat_sig = + EAC1_1_obj<EAC1_1_ADO>::make_signature(signer.get(), tbs_bits, rng); + assert(concat_sig.size() % 2 == 0); + MemoryVector<byte> result = DER_Encoder() + .start_cons(ASN1_Tag(7), APPLICATION) + .raw_bytes(tbs_bits) + .encode(concat_sig, OCTET_STRING, ASN1_Tag(55), APPLICATION) + .end_cons() + .get_contents(); + return result; + } + +ASN1_Car EAC1_1_ADO::get_car() const + { + return m_car; + } + +void EAC1_1_ADO::decode_info(SharedPtrConverter<DataSource> source, + SecureVector<byte> & res_tbs_bits, + ECDSA_Signature & res_sig) + { + SecureVector<byte> concat_sig; + SecureVector<byte> cert_inner_bits; + ASN1_Car car; + BER_Decoder(*source.get_ptr().get()) + .start_cons(ASN1_Tag(7)) + .start_cons(ASN1_Tag(33)) + .raw_bytes(cert_inner_bits) + .end_cons() + .decode(car) + .decode(concat_sig, OCTET_STRING, ASN1_Tag(55), APPLICATION) + .end_cons(); + + SecureVector<byte> enc_cert = DER_Encoder() + .start_cons(ASN1_Tag(33), APPLICATION) + .raw_bytes(cert_inner_bits) + .end_cons() + .get_contents(); + SecureVector<byte> enc_car = DER_Encoder() + .encode(car) + .get_contents(); + res_tbs_bits = enc_cert; + res_tbs_bits.append(enc_car); + res_sig = decode_concatenation(concat_sig); + + + } +void EAC1_1_ADO::encode(Pipe& out, X509_Encoding encoding) const + { + SecureVector<byte> concat_sig(EAC1_1_obj<EAC1_1_ADO>::m_sig.get_concatenation()); + SecureVector<byte> der = DER_Encoder() + .start_cons(ASN1_Tag(7), APPLICATION) + .raw_bytes(tbs_bits) + .encode(concat_sig, OCTET_STRING, ASN1_Tag(55), APPLICATION) + .end_cons() + .get_contents(); + if(encoding == PEM) + throw Invalid_Argument("EAC1_1_ADO::encode() cannot PEM encode an EAC object"); + else + out.write(der); + } + +SecureVector<byte> EAC1_1_ADO::tbs_data() const + { + return tbs_bits; + } + +bool EAC1_1_ADO::operator==(EAC1_1_ADO const& rhs) const + { + assert(((this->m_req == rhs.m_req) && (this->tbs_data() == rhs.tbs_data())) || + ((this->m_req != rhs.m_req) && (this->tbs_data() != rhs.tbs_data()))); + return (this->get_concat_sig() == rhs.get_concat_sig() + && this->tbs_data() == rhs.tbs_data() + && this->get_car() == rhs.get_car()); + } + +EAC1_1_Req EAC1_1_ADO::get_request() const + { + return m_req; + } + +} diff --git a/botan/src/cert/cvc/cvc_ado.h b/botan/src/cert/cvc/cvc_ado.h new file mode 100644 index 0000000..2c4f3ce --- /dev/null +++ b/botan/src/cert/cvc/cvc_ado.h @@ -0,0 +1,101 @@ +/* +* EAC1_1 CVC ADO +* (C) 2008 Falko Strenzke +* strenzke@flexsecure.de +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_EAC_CVC_ADO_H__ +#define BOTAN_EAC_CVC_ADO_H__ + +#include <botan/x509_key.h> +#include <botan/pubkey_enums.h> +#include <botan/pubkey.h> +#include <botan/ecdsa.h> +#include <botan/eac_obj.h> +#include <botan/cvc_req.h> +#include <string> + +namespace Botan { + +/** +* This class represents a TR03110 (EAC) v1.1 CVC ADO request +*/ + + // CRTP continuation from EAC1_1_obj +class BOTAN_DLL EAC1_1_ADO : public EAC1_1_obj<EAC1_1_ADO> + { + public: + friend class EAC1_1_obj<EAC1_1_ADO>; + + /** + * Construct a CVC ADO request from a DER encoded CVC ADO request file. + * @param str the path to the DER encoded file + */ + EAC1_1_ADO(const std::string& str); + + /** + * Construct a CVC ADO request from a data source + * @param source the data source + */ + EAC1_1_ADO(std::tr1::shared_ptr<DataSource> source); + + /** + * Create a signed CVC ADO request from to be signed (TBS) data + * @param signer the signer used to sign the CVC ADO request + * @param tbs_bits the TBS data to sign + */ + static MemoryVector<byte> make_signed( + std::auto_ptr<PK_Signer> signer, + const MemoryRegion<byte>& tbs_bits, + RandomNumberGenerator& rng); + + /** + * Get the CAR of this CVC ADO request + * @result the CAR of this CVC ADO request + */ + ASN1_Car get_car() const; + + /** + * Get the CVC request contained in this object. + * @result the CVC request inside this CVC ADO request + */ + EAC1_1_Req get_request() const; + + /** + * Encode this object into a pipe. Only DER is supported. + * @param out the pipe to encode this object into + * @param encoding the encoding type to use, must be DER + */ + void encode(Pipe& out, X509_Encoding encoding) const; + + bool operator==(EAC1_1_ADO const& rhs) const; + + /** + * Get the TBS data of this CVC ADO request. + * @result the TBS data + */ + SecureVector<byte> tbs_data() const; + + virtual ~EAC1_1_ADO() {} + private: + ASN1_Car m_car; + EAC1_1_Req m_req; + + void force_decode(); + static void decode_info(SharedPtrConverter<DataSource> source, + SecureVector<byte> & res_tbs_bits, + ECDSA_Signature & res_sig); + }; + +inline bool operator!=(EAC1_1_ADO const& lhs, EAC1_1_ADO const& rhs) + { + return (!(lhs == rhs)); + } + +} + +#endif + + diff --git a/botan/src/cert/cvc/cvc_ca.cpp b/botan/src/cert/cvc/cvc_ca.cpp new file mode 100644 index 0000000..638d3f9 --- /dev/null +++ b/botan/src/cert/cvc/cvc_ca.cpp @@ -0,0 +1,46 @@ +#include <botan/cvc_ca.h> +#include <botan/cvc_cert.h> +#include <botan/der_enc.h> +#include <botan/util.h> +#include <botan/oids.h> +namespace Botan { + +EAC1_1_CVC EAC1_1_CVC_CA::make_cert(std::auto_ptr<PK_Signer> signer, + MemoryRegion<byte> const& public_key, + ASN1_Car const& car, + ASN1_Chr const& chr, + byte holder_auth_templ, + ASN1_Ced ced, + ASN1_Cex cex, + RandomNumberGenerator& rng) + { + OID chat_oid(OIDS::lookup("CertificateHolderAuthorizationTemplate")); + MemoryVector<byte> enc_chat_val; + enc_chat_val.append(holder_auth_templ); + + MemoryVector<byte> enc_cpi; + enc_cpi.append(0x00); + MemoryVector<byte> tbs = DER_Encoder() + .encode(enc_cpi, OCTET_STRING, ASN1_Tag(41), APPLICATION) // cpi + .encode(car) + .raw_bytes(public_key) + .encode(chr) + .start_cons(ASN1_Tag(76), APPLICATION) + .encode(chat_oid) + .encode(enc_chat_val, OCTET_STRING, ASN1_Tag(19), APPLICATION) + .end_cons() + .encode(ced) + .encode(cex) + .get_contents(); + + MemoryVector<byte> signed_cert = + EAC1_1_CVC::make_signed(signer, + EAC1_1_CVC::build_cert_body(tbs), + rng); + + std::tr1::shared_ptr<DataSource> source(new DataSource_Memory(signed_cert)); + + return EAC1_1_CVC(source); + } + +} diff --git a/botan/src/cert/cvc/cvc_ca.h b/botan/src/cert/cvc/cvc_ca.h new file mode 100644 index 0000000..3ec307b --- /dev/null +++ b/botan/src/cert/cvc/cvc_ca.h @@ -0,0 +1,51 @@ +/* +* EAC1.1 CVC Certificate Authority +* (C) 2007 FlexSecure GmbH +* 2008 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_CVC_CA_H__ +#define BOTAN_CVC_CA_H__ + +#include <botan/pkcs8.h> +#include <botan/pkcs10.h> +#include <botan/pubkey.h> +#include <botan/cvc_cert.h> + +namespace Botan { + +/** +* This class represents a CVC CA. +*/ +class BOTAN_DLL EAC1_1_CVC_CA + { + public: + + /** + * Create an arbitrary EAC 1.1 CVC. + * The desired key encoding must be set within the key (if applicable). + * @param signer the signer used to sign the certificate + * @param public_key the DER encoded public key to appear in + * the certificate + * @param car the CAR of the certificate + * @param chr the CHR of the certificate + * @param holder_auth_templ the holder authorization value byte to + * appear in the CHAT of the certificate + * @param ced the CED to appear in the certificate + * @param ced the CEX to appear in the certificate + */ + static EAC1_1_CVC make_cert(std::auto_ptr<PK_Signer> signer, + MemoryRegion<byte> const& public_key, + ASN1_Car const& car, + ASN1_Chr const& chr, + byte holder_auth_templ, + ASN1_Ced ced, + ASN1_Cex cex, + RandomNumberGenerator& rng); + }; + +} + +#endif diff --git a/botan/src/cert/cvc/cvc_cert.cpp b/botan/src/cert/cvc/cvc_cert.cpp new file mode 100644 index 0000000..d2be12d --- /dev/null +++ b/botan/src/cert/cvc/cvc_cert.cpp @@ -0,0 +1,102 @@ +/* + (C) 2007 FlexSecure GmbH + 2008 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/cvc_cert.h> +#include <botan/cvc_key.h> +#include <botan/ecdsa.h> + +namespace Botan { + +ASN1_Car EAC1_1_CVC::get_car() const + { + return m_car; + } + +ASN1_Ced EAC1_1_CVC::get_ced() const + { + return m_ced; + } +ASN1_Cex EAC1_1_CVC::get_cex() const + { + return m_cex; + } +u32bit EAC1_1_CVC::get_chat_value() const + { + return m_chat_val; + } + +/* +* Decode the TBSCertificate data +*/ +void EAC1_1_CVC::force_decode() + { + SecureVector<byte> enc_pk; + SecureVector<byte> enc_chat_val; + u32bit cpi; + BER_Decoder tbs_cert(tbs_bits); + tbs_cert.decode(cpi, ASN1_Tag(41), APPLICATION) + .decode(m_car) + .start_cons(ASN1_Tag(73)) + .raw_bytes(enc_pk) + .end_cons() + .decode(m_chr) + .start_cons(ASN1_Tag(76)) + .decode(m_chat_oid) + .decode(enc_chat_val, OCTET_STRING, ASN1_Tag(19), APPLICATION) + .end_cons() + .decode(m_ced) + .decode(m_cex) + .verify_end(); + + if(enc_chat_val.size() != 1) + throw Decoding_Error("CertificateHolderAuthorizationValue was not of length 1"); + + if(cpi != 0) + throw Decoding_Error("EAC1_1 certificate´s cpi was not 0"); + + // FIXME: PK algos have no notion of EAC encoder/decoder currently +#if 0 + ECDSA_PublicKey tmp_pk; + std::auto_ptr<EAC1_1_CVC_Decoder> dec = tmp_pk.cvc_eac1_1_decoder(); + sig_algo = dec->public_key(enc_pk); + + + m_pk = tmp_pk; + m_chat_val = enc_chat_val[0]; + self_signed = false; + if(m_car.iso_8859() == m_chr.iso_8859()) + { + self_signed= true; + } +#endif + } + +/* +* CVC Certificate Constructor +*/ +EAC1_1_CVC::EAC1_1_CVC(std::tr1::shared_ptr<DataSource>& in) + { + init(in); + self_signed = false; + do_decode(); + } + +EAC1_1_CVC::EAC1_1_CVC(const std::string& in) + { + std::tr1::shared_ptr<DataSource> stream(new DataSource_Stream(in, true)); + init(stream); + self_signed = false; + do_decode(); + } + +bool EAC1_1_CVC::operator==(EAC1_1_CVC const& rhs) const + { + return (tbs_data() == rhs.tbs_data() + && get_concat_sig() == rhs.get_concat_sig()); + } + +} diff --git a/botan/src/cert/cvc/cvc_cert.h b/botan/src/cert/cvc/cvc_cert.h new file mode 100644 index 0000000..17671d3 --- /dev/null +++ b/botan/src/cert/cvc/cvc_cert.h @@ -0,0 +1,94 @@ +/* +* EAC1_1 CVC +* (C) 2008 Falko Strenzke +* 2008 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_CVC_EAC_H__ +#define BOTAN_CVC_EAC_H__ + +#include <botan/x509_key.h> +#include <botan/pubkey_enums.h> +#include <botan/signed_obj.h> +#include <botan/pubkey.h> +#include <botan/ecdsa.h> +#include <botan/ecdsa_sig.h> +#include <botan/eac_obj.h> +#include <botan/cvc_gen_cert.h> +#include <string> + +namespace Botan { + +/** +* This class represents TR03110 (EAC) v1.1 CV Certificates +*/ +class BOTAN_DLL EAC1_1_CVC : public EAC1_1_gen_CVC<EAC1_1_CVC>//Signed_Object + { + public: + friend class EAC1_1_obj<EAC1_1_CVC>; + + /** + * Get the CAR of the certificate. + * @result the CAR of the certificate + */ + ASN1_Car get_car() const; + + /** + * Get the CED of this certificate. + * @result the CED this certificate + */ + ASN1_Ced get_ced() const; + + /** + * Get the CEX of this certificate. + * @result the CEX this certificate + */ + ASN1_Cex get_cex() const; + + /** + * Get the CHAT value. + * @result the CHAT value + */ + u32bit get_chat_value() const; + + bool operator==(const EAC1_1_CVC&) const; + + /** + * Construct a CVC from a data source + * @param source the data source + */ + EAC1_1_CVC(std::tr1::shared_ptr<DataSource>& source); + + /** + * Construct a CVC from a file + * @param str the path to the certificate file + */ + EAC1_1_CVC(const std::string& str); + + virtual ~EAC1_1_CVC() {} + private: + void force_decode(); + friend class EAC1_1_CVC_CA; + EAC1_1_CVC() {} + + ASN1_Car m_car; + ASN1_Ced m_ced; + ASN1_Cex m_cex; + byte m_chat_val; + OID m_chat_oid; + }; + +/* +* Comparison +*/ +inline bool operator!=(EAC1_1_CVC const& lhs, EAC1_1_CVC const& rhs) + { + return !(lhs == rhs); + } + +} + +#endif + diff --git a/botan/src/cert/cvc/cvc_gen_cert.h b/botan/src/cert/cvc/cvc_gen_cert.h new file mode 100644 index 0000000..4a78802 --- /dev/null +++ b/botan/src/cert/cvc/cvc_gen_cert.h @@ -0,0 +1,177 @@ +/* +* EAC1_1 general CVC +* (C) 2008 Falko Strenzke +* 2008 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_EAC_CVC_GEN_CERT_H__ +#define BOTAN_EAC_CVC_GEN_CERT_H__ + +#include <botan/x509_key.h> +#include <botan/eac_asn_obj.h> +#include <botan/pubkey_enums.h> +#include <botan/pubkey.h> +#include <botan/ecdsa_sig.h> +#include <string> +#include <assert.h> + +namespace Botan { + +/** +* This class represents TR03110 (EAC) v1.1 generalized CV Certificates +*/ +template<typename Derived> +class BOTAN_DLL EAC1_1_gen_CVC : public EAC1_1_obj<Derived> // CRTP continuation from EAC1_1_obj + { + friend class EAC1_1_obj<EAC1_1_gen_CVC>; + + public: + + /** + * Get this certificates public key. + * @result this certificates public key + */ + std::auto_ptr<Public_Key> subject_public_key() const; + + /** + * Find out whether this object is self signed. + * @result true if this object is self signed + */ + bool is_self_signed() const; + + /** + * Get the CHR of the certificate. + * @result the CHR of the certificate + */ + ASN1_Chr get_chr() const; + + /** + * Put the DER encoded version of this object into a pipe. PEM + * is not supported. + * @param out the pipe to push the DER encoded version into + * @param encoding the encoding to use. Must be DER. + */ + void encode(Pipe& out, X509_Encoding encoding) const; + + /** + * Get the to-be-signed (TBS) data of this object. + * @result the TBS data of this object + */ + SecureVector<byte> tbs_data() const; + + /** + * Build the DER encoded certifcate body of an object + * @param tbs the data to be signed + * @result the correctly encoded body of the object + */ + static SecureVector<byte> build_cert_body(MemoryRegion<byte> const& tbs); + + /** + * Create a signed generalized CVC object. + * @param signer the signer used to sign this object + * @param tbs_bits the body the generalized CVC object to be signed + * @result the DER encoded signed generalized CVC object + */ + static MemoryVector<byte> make_signed( + std::auto_ptr<PK_Signer> signer, + const MemoryRegion<byte>& tbs_bits, + RandomNumberGenerator& rng); + virtual ~EAC1_1_gen_CVC<Derived>() + {} + + protected: + ECDSA_PublicKey m_pk; // public key + ASN1_Chr m_chr; + bool self_signed; + + static void decode_info(SharedPtrConverter<DataSource> source, + SecureVector<byte> & res_tbs_bits, + ECDSA_Signature & res_sig); + + }; + +template<typename Derived> ASN1_Chr EAC1_1_gen_CVC<Derived>::get_chr() const + { + return m_chr; + } + +template<typename Derived> bool EAC1_1_gen_CVC<Derived>::is_self_signed() const + { + return self_signed; + } + +template<typename Derived> MemoryVector<byte> EAC1_1_gen_CVC<Derived>::make_signed( + std::auto_ptr<PK_Signer> signer, + const MemoryRegion<byte>& tbs_bits, + RandomNumberGenerator& rng) // static + { + SecureVector<byte> concat_sig = EAC1_1_obj<Derived>::make_signature(signer.get(), tbs_bits, rng); + assert(concat_sig.size() % 2 == 0); + return DER_Encoder() + .start_cons(ASN1_Tag(33), APPLICATION) + .raw_bytes(tbs_bits) + .encode(concat_sig, OCTET_STRING, ASN1_Tag(55), APPLICATION) + .end_cons() + .get_contents(); + } + +template<typename Derived> std::auto_ptr<Public_Key> EAC1_1_gen_CVC<Derived>::subject_public_key() const + { + return std::auto_ptr<Public_Key>(new ECDSA_PublicKey(m_pk)); + } + +template<typename Derived> SecureVector<byte> EAC1_1_gen_CVC<Derived>::build_cert_body(MemoryRegion<byte> const& tbs) + { + return DER_Encoder() + .start_cons(ASN1_Tag(78), APPLICATION) + .raw_bytes(tbs) + .end_cons().get_contents(); + } + +template<typename Derived> SecureVector<byte> EAC1_1_gen_CVC<Derived>::tbs_data() const + { + return build_cert_body(EAC1_1_obj<Derived>::tbs_bits); + } + +template<typename Derived> void EAC1_1_gen_CVC<Derived>::encode(Pipe& out, X509_Encoding encoding) const + { + SecureVector<byte> concat_sig(EAC1_1_obj<Derived>::m_sig.get_concatenation()); + SecureVector<byte> der = DER_Encoder() + .start_cons(ASN1_Tag(33), APPLICATION) + .start_cons(ASN1_Tag(78), APPLICATION) + .raw_bytes(EAC1_1_obj<Derived>::tbs_bits) + .end_cons() + .encode(concat_sig, OCTET_STRING, ASN1_Tag(55), APPLICATION) + .end_cons() + .get_contents(); + + if (encoding == PEM) + throw Invalid_Argument("EAC1_1_gen_CVC::encode() cannot PEM encode an EAC object"); + else + out.write(der); + } + +template<typename Derived> +void EAC1_1_gen_CVC<Derived>::decode_info( + SharedPtrConverter<DataSource> source, + SecureVector<byte> & res_tbs_bits, + ECDSA_Signature & res_sig) + { + SecureVector<byte> concat_sig; + BER_Decoder(*source.get_shared().get()) + .start_cons(ASN1_Tag(33)) + .start_cons(ASN1_Tag(78)) + .raw_bytes(res_tbs_bits) + .end_cons() + .decode(concat_sig, OCTET_STRING, ASN1_Tag(55), APPLICATION) + .end_cons(); + res_sig = decode_concatenation(concat_sig); + } + +} + +#endif + + diff --git a/botan/src/cert/cvc/cvc_key.h b/botan/src/cert/cvc/cvc_key.h new file mode 100644 index 0000000..67b6cef --- /dev/null +++ b/botan/src/cert/cvc/cvc_key.h @@ -0,0 +1,54 @@ +/* +* EAC CVC Public Key +* (C) 2008 FlexSecure Gmbh +* Falko Strenzke +* strenzke@flexsecure.de +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_EAC1_1_CVC_PUBLIC_KEY_H__ +#define BOTAN_EAC1_1_CVC_PUBLIC_KEY_H__ + +#include <botan/pipe.h> +#include <botan/pk_keys.h> +#include <botan/alg_id.h> + +namespace Botan { + +/** +* This class represents EAC 1.1 CVC public key encoders. +*/ +class BOTAN_DLL EAC1_1_CVC_Encoder + { + public: + /** + * Get the DER encoded CVC public key. + * @param alg_id the algorithm identifier to use in the encoding + * @return the DER encoded public key + */ + virtual MemoryVector<byte> + public_key(const AlgorithmIdentifier& enc) const = 0; + + virtual ~EAC1_1_CVC_Encoder() {} + }; + +/** +* This class represents EAC 1.1 CVC public key decoders. +*/ +class BOTAN_DLL EAC1_1_CVC_Decoder + { + public: + /** + * Decode a CVC public key. + * @param enc the DER encoded public key to decode + * @return the algorithm identifier found in the encoded public key + */ + virtual AlgorithmIdentifier const + public_key(const MemoryRegion<byte>& enc) = 0; + + virtual ~EAC1_1_CVC_Decoder() {} + }; +} + +#endif diff --git a/botan/src/cert/cvc/cvc_req.cpp b/botan/src/cert/cvc/cvc_req.cpp new file mode 100644 index 0000000..70a44ba --- /dev/null +++ b/botan/src/cert/cvc/cvc_req.cpp @@ -0,0 +1,68 @@ +/* + (C) 2007 FlexSecure GmbH + 2008 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/cvc_cert.h> +#include <botan/der_enc.h> +#include <botan/ber_dec.h> +#include <botan/pem.h> +#include <botan/parsing.h> +#include <assert.h> +#include <botan/cvc_key.h> +#include <botan/oids.h> +#include <botan/look_pk.h> +#include <botan/cvc_req.h> +#include <botan/freestore.h> + +namespace Botan { + +bool EAC1_1_Req::operator==(EAC1_1_Req const& rhs) const + { + return (this->tbs_data() == rhs.tbs_data() + && this->get_concat_sig() == rhs.get_concat_sig()); + } + +void EAC1_1_Req::force_decode() + { + SecureVector<byte> enc_pk; + BER_Decoder tbs_cert(tbs_bits); + u32bit cpi; + tbs_cert.decode(cpi, ASN1_Tag(41), APPLICATION) + .start_cons(ASN1_Tag(73)) + .raw_bytes(enc_pk) + .end_cons() + .decode(m_chr) + .verify_end(); + if(cpi != 0) + { + throw Decoding_Error("EAC1_1 request´s cpi was not 0"); + } + + // FIXME: No EAC support in ECDSA +#if 0 + ECDSA_PublicKey tmp_pk; + std::auto_ptr<EAC1_1_CVC_Decoder> dec = tmp_pk.cvc_eac1_1_decoder(); + sig_algo = dec->public_key(enc_pk); + m_pk = tmp_pk; +#endif + } + +EAC1_1_Req::EAC1_1_Req(std::tr1::shared_ptr<DataSource> in) + { + init(in); + self_signed = true; + do_decode(); + } + +EAC1_1_Req::EAC1_1_Req(const std::string& in) + { + std::tr1::shared_ptr<DataSource> stream(new DataSource_Stream(in, true)); + init(stream); + self_signed = true; + do_decode(); + } + +} diff --git a/botan/src/cert/cvc/cvc_req.h b/botan/src/cert/cvc/cvc_req.h new file mode 100644 index 0000000..96b6a44 --- /dev/null +++ b/botan/src/cert/cvc/cvc_req.h @@ -0,0 +1,62 @@ +/* +* EAC1_1 CVC Request +* (C) 2008 Falko Strenzke +* strenzke@flexsecure.de +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_EAC_CVC_REQ_H__ +#define BOTAN_EAC_CVC_REQ_H__ + +#include <botan/x509_key.h> +#include <botan/pubkey_enums.h> +#include <botan/cvc_gen_cert.h> + +namespace Botan { + +/** +* This class represents TR03110 v1.1 EAC CV Certificate Requests. +*/ +class BOTAN_DLL EAC1_1_Req : public EAC1_1_gen_CVC<EAC1_1_Req> + { + public: + friend class EAC1_1_Req_CA; + friend class EAC1_1_ADO; + friend class EAC1_1_obj<EAC1_1_Req>; + + /** + * Compare for equality with other + * @param other compare for equality with this object + */ + bool operator==(const EAC1_1_Req& other) const; + + /** + * Construct a CVC request from a data source. + * @param source the data source + */ + EAC1_1_Req(std::tr1::shared_ptr<DataSource> source); + + /** + * Construct a CVC request from a DER encoded CVC reqeust file. + * @param str the path to the DER encoded file + */ + EAC1_1_Req(const std::string& str); + + virtual ~EAC1_1_Req(){} + private: + void force_decode(); + EAC1_1_Req() {} + }; + +/* +* Comparison Operator +*/ +inline bool operator!=(EAC1_1_Req const& lhs, EAC1_1_Req const& rhs) + { + return !(lhs == rhs); + } + +} + +#endif diff --git a/botan/src/cert/cvc/cvc_self.cpp b/botan/src/cert/cvc/cvc_self.cpp new file mode 100644 index 0000000..91ea387 --- /dev/null +++ b/botan/src/cert/cvc/cvc_self.cpp @@ -0,0 +1,327 @@ +/* + (C) 2007 FlexSecure GmbH + 2008 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/cvc_self.h> +#include <botan/cvc_cert.h> +#include <botan/cvc_ca.h> +#include <botan/alg_id.h> +#include <botan/cvc_key.h> +#include <botan/oids.h> +#include <botan/look_pk.h> +#include <botan/cvc_req.h> +#include <botan/cvc_ado.h> +#include <botan/util.h> +#include <sstream> + +namespace Botan { + +namespace { + +/******************************* +* cvc CHAT values +*******************************/ +enum CHAT_values{ + CVCA = 0xC0, + DVCA_domestic = 0x80, + DVCA_foreign = 0x40, + IS = 0x00, + + IRIS = 0x02, + FINGERPRINT = 0x01 +}; + +std::string padding_and_hash_from_oid(OID const& oid) + { + std::string padding_and_hash = OIDS::lookup(oid); // use the hash + assert(padding_and_hash.substr(0,6) == "ECDSA/"); // can only be ECDSA for now + assert(padding_and_hash.find("/",0) == 5); + padding_and_hash.erase(0, padding_and_hash.find("/",0) + 1); + return padding_and_hash; + } +std::string fixed_len_seqnr(u32bit seqnr, u32bit len) + { + std::stringstream ss; + std::string result; + ss << seqnr; + ss >> result; + if (result.size() > len) + { + throw Invalid_Argument("fixed_len_seqnr(): number too high to be encoded in provided length"); + } + while (result.size() < len) + { + result.insert(0,"0"); + } + return result; + } + +} +namespace CVC_EAC +{ + +EAC1_1_CVC create_self_signed_cert(Private_Key const& key, + EAC1_1_CVC_Options const& opt, + RandomNumberGenerator& rng) + { + // NOTE: we ignore + // the value + // of opt.chr + ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key); + + if (priv_key == 0) + { + throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type"); + } + + ASN1_Chr chr(opt.car.value()); + + AlgorithmIdentifier sig_algo; + std::string padding_and_hash(eac_cvc_emsa + "(" + opt.hash_alg + ")"); + sig_algo.oid = OIDS::lookup(priv_key->algo_name() + "/" + padding_and_hash); + sig_algo = AlgorithmIdentifier(sig_algo.oid, AlgorithmIdentifier::USE_NULL_PARAM); + + std::auto_ptr<Botan::PK_Signer> signer(get_pk_signer(*priv_key, padding_and_hash)); + +#if 0 // FIXME + std::auto_ptr<EAC1_1_CVC_Encoder> enc(priv_key->cvc_eac1_1_encoder()); + MemoryVector<byte> enc_public_key = enc->public_key(sig_algo); +#else + MemoryVector<byte> enc_public_key; +#endif + + return EAC1_1_CVC_CA::make_cert(signer, enc_public_key, opt.car, chr, opt.holder_auth_templ, opt.ced, opt.cex, rng); + + } + +EAC1_1_Req create_cvc_req(Private_Key const& key, + ASN1_Chr const& chr, + std::string const& hash_alg, + RandomNumberGenerator& rng) + { + + ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key); + if (priv_key == 0) + { + throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type"); + } + AlgorithmIdentifier sig_algo; + std::string padding_and_hash(eac_cvc_emsa + "(" + hash_alg + ")"); + sig_algo.oid = OIDS::lookup(priv_key->algo_name() + "/" + padding_and_hash); + sig_algo = AlgorithmIdentifier(sig_algo.oid, AlgorithmIdentifier::USE_NULL_PARAM); + + std::auto_ptr<Botan::PK_Signer> signer(get_pk_signer(*priv_key, padding_and_hash)); + +#if 0 // FIXME + std::auto_ptr<EAC1_1_CVC_Encoder> enc(priv_key->cvc_eac1_1_encoder()); + MemoryVector<byte> enc_public_key = enc->public_key(sig_algo); +#else + MemoryVector<byte> enc_public_key; +#endif + + MemoryVector<byte> enc_cpi; + enc_cpi.append(0x00); + MemoryVector<byte> tbs = DER_Encoder() + .encode(enc_cpi, OCTET_STRING, ASN1_Tag(41), APPLICATION) + .raw_bytes(enc_public_key) + .encode(chr) + .get_contents(); + + MemoryVector<byte> signed_cert = EAC1_1_gen_CVC<EAC1_1_Req>::make_signed(signer, EAC1_1_gen_CVC<EAC1_1_Req>::build_cert_body(tbs), rng); + std::tr1::shared_ptr<DataSource> source(new DataSource_Memory(signed_cert)); + return EAC1_1_Req(source); + } + +EAC1_1_ADO create_ado_req(Private_Key const& key, + EAC1_1_Req const& req, + ASN1_Car const& car, + RandomNumberGenerator& rng) + { + + ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key); + if (priv_key == 0) + { + throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type"); + } + std::string padding_and_hash = padding_and_hash_from_oid(req.signature_algorithm().oid); + std::auto_ptr<Botan::PK_Signer> signer(get_pk_signer(*priv_key, padding_and_hash)); + SecureVector<byte> tbs_bits = req.BER_encode(); + tbs_bits.append(DER_Encoder().encode(car).get_contents()); + MemoryVector<byte> signed_cert = EAC1_1_ADO::make_signed(signer, tbs_bits, rng); + std::tr1::shared_ptr<DataSource> source(new DataSource_Memory(signed_cert)); + return EAC1_1_ADO(source); + } + +} // namespace CVC_EAC +namespace DE_EAC +{ + +EAC1_1_CVC create_cvca(Private_Key const& key, + std::string const& hash, + ASN1_Car const& car, bool iris, bool fingerpr, + u32bit cvca_validity_months, + RandomNumberGenerator& rng) + { + ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key); + if (priv_key == 0) + { + throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type"); + } + EAC1_1_CVC_Options opts; + opts.car = car; + const u64bit current_time = system_time(); + + opts.ced = ASN1_Ced(current_time); + opts.cex = ASN1_Cex(opts.ced); + opts.cex.add_months(cvca_validity_months); + opts.holder_auth_templ = (CVCA | (iris * IRIS) | (fingerpr * FINGERPRINT)); + opts.hash_alg = hash; + return Botan::CVC_EAC::create_self_signed_cert(*priv_key, opts, rng); + } + + + +EAC1_1_CVC link_cvca(EAC1_1_CVC const& signer, + Private_Key const& key, + EAC1_1_CVC const& signee, + RandomNumberGenerator& rng) + { + ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key); + if (priv_key == 0) + { + throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type"); + } + ASN1_Ced ced(system_time()); + ASN1_Cex cex(signee.get_cex()); + if (*static_cast<EAC_Time*>(&ced) > *static_cast<EAC_Time*>(&cex)) + { + std::string detail("link_cvca(): validity periods of provided certificates don't overlap: currend time = ced = "); + detail += ced.as_string(); + detail += ", signee.cex = "; + detail += cex.as_string(); + throw Invalid_Argument(detail); + } + if (signer.signature_algorithm() != signee.signature_algorithm()) + { + throw Invalid_Argument("link_cvca(): signature algorithms of signer and signee don´t match"); + } + AlgorithmIdentifier sig_algo = signer.signature_algorithm(); + std::string padding_and_hash = padding_and_hash_from_oid(sig_algo.oid); + std::auto_ptr<Botan::PK_Signer> pk_signer(get_pk_signer(*priv_key, padding_and_hash)); + std::auto_ptr<Public_Key> pk = signee.subject_public_key(); + ECDSA_PublicKey* subj_pk = dynamic_cast<ECDSA_PublicKey*>(pk.get()); + subj_pk->set_parameter_encoding(ENC_EXPLICIT); + +#if 0 // FIXME + std::auto_ptr<EAC1_1_CVC_Encoder> enc(subj_pk->cvc_eac1_1_encoder()); + MemoryVector<byte> enc_public_key = enc->public_key(sig_algo); +#else + MemoryVector<byte> enc_public_key; +#endif + + return EAC1_1_CVC_CA::make_cert(pk_signer, enc_public_key, + signer.get_car(), + signee.get_chr(), + signer.get_chat_value(), + ced, + cex, + rng); + } + +EAC1_1_CVC sign_request(EAC1_1_CVC const& signer_cert, + Private_Key const& key, + EAC1_1_Req const& signee, + u32bit seqnr, + u32bit seqnr_len, + bool domestic, + u32bit dvca_validity_months, + u32bit ca_is_validity_months, + RandomNumberGenerator& rng) + { + ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&key); + if (priv_key == 0) + { + throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type"); + } + std::string chr_str = signee.get_chr().value(); + chr_str.append(fixed_len_seqnr(seqnr, seqnr_len)); + ASN1_Chr chr(chr_str); + std::string padding_and_hash = padding_and_hash_from_oid(signee.signature_algorithm().oid); + std::auto_ptr<Botan::PK_Signer> pk_signer(get_pk_signer(*priv_key, padding_and_hash)); + std::auto_ptr<Public_Key> pk = signee.subject_public_key(); + ECDSA_PublicKey* subj_pk = dynamic_cast<ECDSA_PublicKey*>(pk.get()); + std::auto_ptr<Public_Key> signer_pk = signer_cert.subject_public_key(); + + // for the case that the domain parameters are not set... + // (we use those from the signer because they must fit) + subj_pk->set_domain_parameters(priv_key->domain_parameters()); + + subj_pk->set_parameter_encoding(ENC_IMPLICITCA); + +#if 0 // FIXME + std::auto_ptr<EAC1_1_CVC_Encoder> enc(subj_pk->cvc_eac1_1_encoder()); + MemoryVector<byte> enc_public_key = enc->public_key(sig_algo); +#else + MemoryVector<byte> enc_public_key; +#endif + + AlgorithmIdentifier sig_algo(signer_cert.signature_algorithm()); + const u64bit current_time = system_time(); + ASN1_Ced ced(current_time); + u32bit chat_val; + u32bit chat_low = signer_cert.get_chat_value() & 0x3; // take the chat rights from signer + ASN1_Cex cex(ced); + if ((signer_cert.get_chat_value() & CVCA) == CVCA) + { + // we sign a dvca + cex.add_months(dvca_validity_months); + if (domestic) + { + chat_val = DVCA_domestic | chat_low; + } + else + { + chat_val = DVCA_foreign | chat_low; + } + } + else if ((signer_cert.get_chat_value() & DVCA_domestic) == DVCA_domestic || + (signer_cert.get_chat_value() & DVCA_foreign) == DVCA_foreign) + { + cex.add_months(ca_is_validity_months); + chat_val = IS | chat_low; + } + else + { + throw Invalid_Argument("sign_request(): encountered illegal value for CHAT"); + // (IS cannot sign certificates) + } + return EAC1_1_CVC_CA::make_cert(pk_signer, enc_public_key, + ASN1_Car(signer_cert.get_chr().iso_8859()), + chr, + chat_val, + ced, + cex, + rng); + } + +EAC1_1_Req create_cvc_req(Private_Key const& prkey, + ASN1_Chr const& chr, + std::string const& hash_alg, + RandomNumberGenerator& rng) + { + ECDSA_PrivateKey const* priv_key = dynamic_cast<ECDSA_PrivateKey const*>(&prkey); + if (priv_key == 0) + { + throw Invalid_Argument("CVC_EAC::create_self_signed_cert(): unsupported key type"); + } + ECDSA_PrivateKey key(*priv_key); + key.set_parameter_encoding(ENC_IMPLICITCA); + return Botan::CVC_EAC::create_cvc_req(key, chr, hash_alg, rng); + } + +} // namespace DE_EAC + +} diff --git a/botan/src/cert/cvc/cvc_self.h b/botan/src/cert/cvc/cvc_self.h new file mode 100644 index 0000000..db23547 --- /dev/null +++ b/botan/src/cert/cvc/cvc_self.h @@ -0,0 +1,167 @@ +/* +* CVC Self-Signed Certificate +* (C) 2007 FlexSecure GmbH +* 2008 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_CVC_EAC_SELF_H__ +#define BOTAN_CVC_EAC_SELF_H__ + +#include <botan/pkcs8.h> +#include <botan/pkcs10.h> +#include <botan/cvc_cert.h> +#include <botan/ecdsa.h> +#include <botan/asn1_obj.h> +#include <botan/cvc_req.h> +#include <botan/cvc_ado.h> + +namespace Botan { + +/** +* This class represents a set of options used for the creation of CVC certificates +*/ +class BOTAN_DLL EAC1_1_CVC_Options + { + public: + + ASN1_Car car; + ASN1_Chr chr; + byte holder_auth_templ; + ASN1_Ced ced; + ASN1_Cex cex; + std::string hash_alg; + }; + +/** +* This namespace represents general EAC 1.1 convenience functions. +*/ +namespace CVC_EAC { + +/** +* Create a selfsigned CVCA +* @param rng the rng to use +* @param key the ECDSA private key to be used to sign the certificate +* @param opts used to set several parameters. Necessary are: +* car, holder_auth_templ, hash_alg, ced, cex and hash_alg +* @result the self signed certificate +*/ + +EAC1_1_CVC create_self_signed_cert(Private_Key const& key, + EAC1_1_CVC_Options const& opts, + RandomNumberGenerator& rng); +/** +* Create a CVC request. The key encoding will be according to the provided private key. +* @param priv_key the private key associated with the requesting entity +* @param chr the chr to appear in the certificate (to be provided without +* sequence number) +* @param hash_alg the string defining the hash algorithm to be used for the creation +* of the signature +* @param rng the rng to use +* @result the new request +*/ +EAC1_1_Req create_cvc_req(Private_Key const& priv_key, + ASN1_Chr const& chr, + std::string const& hash_alg, + RandomNumberGenerator& rng); + +/** +* Create an ADO from a request object. +* @param priv_key the private key used to sign the ADO +* @param req the request forming the body of the ADO +* @param car the CAR forming the body of the ADO, i.e. the +* CHR of the entity associated with the provided private key +* @param rng the rng to use +*/ +EAC1_1_ADO create_ado_req(Private_Key const& priv_key, + EAC1_1_Req const& req, + ASN1_Car const& car, + RandomNumberGenerator& rng); +} +/** +* This namespace represents EAC 1.1 CVC convenience functions following the specific german +* requirements. +*/ +namespace DE_EAC { + +/** +* Create a CVCA certificate. +* @param priv_key the private key associated with the CVCA certificate +* to be created +* @param hash the string identifying the hash algorithm to be used +* for signing the certificate to be created +* @param car the CAR of the certificate to be created +* @param iris indicates whether the entity associated with the certificate +* shall be entitled to read the biometrical iris image +* @param fingerpr indicates whether the entity associated with the certificate +* shall be entitled to read the biometrical fingerprint image +* @param rng the rng to use +* @result the CVCA certificate created +*/ +EAC1_1_CVC create_cvca(Private_Key const& priv_key, + std::string const& hash, + ASN1_Car const& car, + bool iris, + bool fingerpr, + u32bit cvca_validity_months, + RandomNumberGenerator& rng); + +/** +* Create a link certificate between two CVCA certificates. The key +* encoding will be implicitCA. +* @param signer the cvca certificate associated with the signing +* entity +* @param priv_key the private key associated with the signer +* @param to_be_signed the certificate which whose CAR/CHR will be +* the holder of the link certificate +* @param rng a random number generator +*/ +EAC1_1_CVC link_cvca(EAC1_1_CVC const& signer, + Private_Key const& priv_key, + EAC1_1_CVC const& to_be_signed, + RandomNumberGenerator& rng); + +/** +* Create a CVC request. The key encoding will be implicitCA. +* @param priv_key the private key associated with the requesting entity +* @param chr the chr to appear in the certificate (to be provided without +* sequence number) +* @param hash_alg the string defining the hash algorithm to be used for the creation +* of the signature +* @param rng a random number generator +* @result the new request +*/ +EAC1_1_Req create_cvc_req(Private_Key const& priv_key, + ASN1_Chr const& chr, + std::string const& hash_alg, + RandomNumberGenerator& rng); + +/** +* Sign a CVC request. +* @param signer_cert the certificate of the signing entity +* @param priv_key the private key of the signing entity +* @param req the request to be signed +* @param seqnr the sequence number of the certificate to be created +* @param seqnr_len the number of digits the sequence number will be +* encoded in +* @param domestic indicates whether to sign a domestic or a foreign certificate: +* set to true for domestic +* @param rng a random number generator +* @result the new certificate +* +**/ +EAC1_1_CVC sign_request(EAC1_1_CVC const& signer_cert, + Private_Key const& priv_key, + EAC1_1_Req const& req, + u32bit seqnr, + u32bit seqnr_len, + bool domestic, + u32bit dvca_validity_months, + u32bit ca_is_validity_months, + RandomNumberGenerator& rng); +} + +} + +#endif diff --git a/botan/src/cert/cvc/eac_asn_obj.h b/botan/src/cert/cvc/eac_asn_obj.h new file mode 100644 index 0000000..3e70f6b --- /dev/null +++ b/botan/src/cert/cvc/eac_asn_obj.h @@ -0,0 +1,244 @@ +/* +* EAC ASN.1 Objects +* (C) 2007-2008 FlexSecure GmbH +* 2008 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_EAC_ASN1_OBJ_H__ +#define BOTAN_EAC_ASN1_OBJ_H__ + +#include <botan/asn1_obj.h> +#include <vector> +#include <map> + +namespace Botan { + +/** +* This class represents CVC EAC Time objects. +* It only models year, month and day. Only limited sanity checks of +* the inputted date value are performed. +*/ +class BOTAN_DLL EAC_Time : public ASN1_Object + { + public: + void encode_into(class DER_Encoder&) const; + void decode_from(class BER_Decoder&); + + /** + * Get a this objects value as a string. + * @return the date string + */ + std::string as_string() const; + + /** + * Get a this objects value as a readable formatted string. + * @return the date string + */ + std::string readable_string() const; + + /** + * Find out whether this object's values have been set. + * @return true if this object's internal values are set + */ + bool time_is_set() const; + + /** + * Compare this to another EAC_Time object. + * @return -1 if this object's date is earlier than + * other, +1 in the opposite case, and 0 if both dates are + * equal. + */ + s32bit cmp(const EAC_Time& other) const; + + /** + * Set this' value by a string value. + * @param str a string in the format "yyyy mm dd", + * e.g. "2007 08 01" + */ + void set_to(const std::string& str); + //void set_to(const std::string&, ASN1_Tag); + + /** + * Add the specified number of years to this. + * @param years the number of years to add + */ + void add_years(u32bit years); + + /** + * Add the specified number of months to this. + * @param months the number of months to add + */ + void add_months(u32bit months); + + /** + * Get the year value of this objects. + * @return the year value + */ + u32bit get_year() const; + + /** + * Get the month value of this objects. + * @return the month value + */ + u32bit get_month() const; + + /** + * Get the day value of this objects. + * @return the day value + */ + u32bit get_day() const; + + EAC_Time(u64bit, ASN1_Tag t = ASN1_Tag(0)); + //EAC_Time(const std::string& = ""); + EAC_Time(const std::string&, ASN1_Tag = ASN1_Tag(0)); + EAC_Time(u32bit year, u32bit month, u32bit day, ASN1_Tag = ASN1_Tag(0)); + + virtual ~EAC_Time() {} + private: + SecureVector<byte> encoded_eac_time() const; + bool passes_sanity_check() const; + u32bit year, month, day; + ASN1_Tag tag; + }; + +/** +* This class represents CVC CEDs. Only limited sanity checks of +* the inputted date value are performed. +*/ +class BOTAN_DLL ASN1_Ced : public EAC_Time + { + public: + /** + * Construct a CED from a string value. + * @param str a string in the format "yyyy mm dd", + * e.g. "2007 08 01" + */ + ASN1_Ced(std::string const& str = ""); + + /** + * Construct a CED from a timer value. + * @param time the number of seconds elapsed midnight, 1st + * January 1970 GMT (or 7pm, 31st December 1969 EST) up to the + * desired date + */ + ASN1_Ced(u64bit time); + + /** + * Copy constructor (for general EAC_Time objects). + * @param other the object to copy from + */ + ASN1_Ced(EAC_Time const& other); + //ASN1_Ced(ASN1_Cex const& cex); + }; + + +/** +* This class represents CVC CEXs. Only limited sanity checks of +* the inputted date value are performed. +*/ +class BOTAN_DLL ASN1_Cex : public EAC_Time + { + public: + /** + * Construct a CED from a string value. + * @param str a string in the format "yyyy mm dd", + * e.g. "2007 08 01" + */ + ASN1_Cex(std::string const& str=""); + + /** + * Construct a CED from a timer value. + * @param time the number of seconds elapsed + * midnight, 1st + * January 1970 GMT (or 7pm, 31st December 1969 EST) + * up to the desired date + */ + ASN1_Cex(u64bit time); + + /** + * Copy constructor (for general EAC_Time objects). + * @param other the object to copy from + */ + ASN1_Cex(EAC_Time const& other); + //ASN1_Cex(ASN1_Ced const& ced); + }; + +/** +* Base class for car/chr of cv certificates. +*/ +class BOTAN_DLL ASN1_EAC_String: public ASN1_Object + { + public: + void encode_into(class DER_Encoder&) const; + void decode_from(class BER_Decoder&); + + /** + * Get this objects string value. + * @return the string value + */ + std::string value() const; + + /** + * Get this objects string value. + * @return the string value in iso8859 encoding + */ + std::string iso_8859() const; + + ASN1_Tag tagging() const; + ASN1_EAC_String(const std::string& str, ASN1_Tag the_tag); + + virtual ~ASN1_EAC_String() {} + protected: + bool sanity_check() const; + private: + std::string iso_8859_str; + ASN1_Tag tag; + }; + +/** +* This class represents CARs of CVCs. (String tagged with 2) +*/ +class BOTAN_DLL ASN1_Car : public ASN1_EAC_String + { + public: + /** + * Create a CAR with the specified content. + * @param str the CAR value + */ + ASN1_Car(std::string const& str = ""); + }; + +/** +* This class represents CHRs of CVCs (tag 32) +*/ +class BOTAN_DLL ASN1_Chr : public ASN1_EAC_String + { + public: + /** + * Create a CHR with the specified content. + * @param str the CHR value + */ + ASN1_Chr(std::string const& str = ""); + }; + +/* +* Comparison Operations +*/ +bool operator==(const EAC_Time&, const EAC_Time&); +bool operator!=(const EAC_Time&, const EAC_Time&); +bool operator<=(const EAC_Time&, const EAC_Time&); +bool operator>=(const EAC_Time&, const EAC_Time&); +bool operator>(const EAC_Time&, const EAC_Time&); +bool operator<(const EAC_Time&, const EAC_Time&); + +bool operator==(const ASN1_EAC_String&, const ASN1_EAC_String&); +inline bool operator!=(const ASN1_EAC_String& lhs, const ASN1_EAC_String& rhs) + { + return !(lhs == rhs); + } + +} + +#endif diff --git a/botan/src/cert/cvc/eac_obj.h b/botan/src/cert/cvc/eac_obj.h new file mode 100644 index 0000000..04afd7e --- /dev/null +++ b/botan/src/cert/cvc/eac_obj.h @@ -0,0 +1,131 @@ +/* +* EAC1_1 objects +* (C) 2008 Falko Strenzke +* strenzke@flexsecure.de +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_EAC_OBJ_H__ +#define BOTAN_EAC_OBJ_H__ + +#include <botan/pubkey.h> +#include <botan/x509_key.h> +#include <botan/signed_obj.h> +#include <botan/pubkey_enums.h> +#include <botan/pubkey.h> +#include <botan/parsing.h> +#include <botan/pem.h> +#include <botan/oids.h> +#include <botan/look_pk.h> +#include <botan/ecdsa_sig.h> +#include <string> + +namespace Botan { + +const std::string eac_cvc_emsa("EMSA1_BSI"); + +/* +* TR03110 v1.1 EAC CV Certificate +*/ +template<typename Derived> // CRTP is used enable the call sequence: +class BOTAN_DLL EAC1_1_obj : public EAC_Signed_Object + { + // data members first: + protected: + + ECDSA_Signature m_sig; + + // member functions here: + public: + /** + * Return the signature as a concatenation of the encoded parts. + * @result the concatenated signature + */ + SecureVector<byte> get_concat_sig() const; + + /** + * Verify the signature of this objects. + * @param pub_key the public key to verify the signature with + * @result true if the verification succeeded + */ + virtual bool check_signature(Public_Key& pub_key) const; + + protected: + void init(SharedPtrConverter<DataSource> in); + + static SecureVector<byte> make_signature(PK_Signer* signer, + const MemoryRegion<byte>& tbs_bits, + RandomNumberGenerator& rng); + + virtual ~EAC1_1_obj<Derived>(){} + + }; + +template<typename Derived> SecureVector<byte> EAC1_1_obj<Derived>::get_concat_sig() const + { + return m_sig.get_concatenation(); + } + +template<typename Derived> SecureVector<byte> +EAC1_1_obj<Derived>::make_signature(PK_Signer* signer, + const MemoryRegion<byte>& tbs_bits, + RandomNumberGenerator& rng) + { + // this is the signature as a der sequence + SecureVector<byte> seq_sig = signer->sign_message(tbs_bits, rng); + + ECDSA_Signature sig(decode_seq(seq_sig)); + SecureVector<byte> concat_sig(sig.get_concatenation()); + return concat_sig; + } + +template<typename Derived> void EAC1_1_obj<Derived>::init(SharedPtrConverter<DataSource> in) + { + try + { + Derived::decode_info(in.get_shared(), tbs_bits, m_sig); + } + catch(Decoding_Error) + { + throw Decoding_Error(PEM_label_pref + " decoding failed"); + } + } + +template<typename Derived> +bool EAC1_1_obj<Derived>::check_signature(Public_Key& pub_key) const + { + try + { + std::vector<std::string> sig_info = + split_on(OIDS::lookup(sig_algo.oid), '/'); + + if(sig_info.size() != 2 || sig_info[0] != pub_key.algo_name()) + { + return false; + } + + std::string padding = sig_info[1]; + Signature_Format format = + (pub_key.message_parts() >= 2) ? DER_SEQUENCE : IEEE_1363; + + if(!dynamic_cast<PK_Verifying_wo_MR_Key*>(&pub_key)) + return false; + + std::auto_ptr<ECDSA_Signature_Encoder> enc(new ECDSA_Signature_Encoder(&m_sig)); + SecureVector<byte> seq_sig = enc->signature_bits(); + SecureVector<byte> to_sign = tbs_data(); + + PK_Verifying_wo_MR_Key& sig_key = dynamic_cast<PK_Verifying_wo_MR_Key&>(pub_key); + std::auto_ptr<PK_Verifier> verifier(get_pk_verifier(sig_key, padding, format)); + return verifier->verify_message(to_sign, seq_sig); + } + catch(...) + { + return false; + } + } + +} + +#endif diff --git a/botan/src/cert/cvc/ecdsa_sig.cpp b/botan/src/cert/cvc/ecdsa_sig.cpp new file mode 100644 index 0000000..c33a455 --- /dev/null +++ b/botan/src/cert/cvc/ecdsa_sig.cpp @@ -0,0 +1,64 @@ + +#include <botan/ecdsa_sig.h> +#include <memory> + +namespace Botan { + +ECDSA_Signature::ECDSA_Signature(const BigInt& r, const BigInt& s) + : m_r(r), + m_s(s) + {} + +ECDSA_Signature::ECDSA_Signature(const ECDSA_Signature& other) + : m_r(other.m_r), m_s(other.m_s) + {} + +ECDSA_Signature const& ECDSA_Signature::operator=(const ECDSA_Signature& other) + { + m_r = other.m_r; + m_s = other.m_s; + return *this; + } + +bool operator==(const ECDSA_Signature& lhs, const ECDSA_Signature& rhs) + { + return (lhs.get_r() == rhs.get_r() && lhs.get_s() == rhs.get_s()); + } + +SecureVector<byte> const ECDSA_Signature::get_concatenation() const + { + u32bit enc_len = m_r > m_s ? m_r.bytes() : m_s.bytes(); // use the larger + + SecureVector<byte> sv_r = BigInt::encode_1363(m_r, enc_len); + SecureVector<byte> sv_s = BigInt::encode_1363(m_s, enc_len); + + SecureVector<byte> result(sv_r); + result.append(sv_s); + return result; + } + +ECDSA_Signature const decode_seq(MemoryRegion<byte> const& seq) + { + ECDSA_Signature sig; + + std::auto_ptr<ECDSA_Signature_Decoder> dec(new ECDSA_Signature_Decoder(&sig)); + dec->signature_bits(seq); + return sig; + } + +ECDSA_Signature const decode_concatenation(MemoryRegion<byte> const& concat) + { + if(concat.size() % 2 != 0) + throw Invalid_Argument("Erroneous length of signature"); + + u32bit rs_len = concat.size()/2; + SecureVector<byte> sv_r; + SecureVector<byte> sv_s; + sv_r.set(concat.begin(), rs_len); + sv_s.set(&concat[rs_len], rs_len); + BigInt r = BigInt::decode(sv_r, sv_r.size()); + BigInt s = BigInt::decode(sv_s, sv_s.size()); + return ECDSA_Signature(r, s); + } + +} diff --git a/botan/src/cert/cvc/ecdsa_sig.h b/botan/src/cert/cvc/ecdsa_sig.h new file mode 100644 index 0000000..15015c7 --- /dev/null +++ b/botan/src/cert/cvc/ecdsa_sig.h @@ -0,0 +1,88 @@ +/* +* ECDSA +* (C) 2007 Falko Strenzke, FlexSecure GmbH +* (C) 2008 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_ECDSA_SIGNATURE_H__ +#define BOTAN_ECDSA_SIGNATURE_H__ + +#include <botan/bigint.h> +#include <botan/der_enc.h> +#include <botan/ber_dec.h> + +namespace Botan { + +class BOTAN_DLL ECDSA_Signature + { + public: + friend class ECDSA_Signature_Decoder; + + ECDSA_Signature() {} + ECDSA_Signature(const BigInt& r, const BigInt& s); + ECDSA_Signature(ECDSA_Signature const& other); + ECDSA_Signature const& operator=(ECDSA_Signature const& other); + + const BigInt& get_r() const { return m_r; } + const BigInt& get_s() const { return m_s; } + + /** + * return the r||s + */ + SecureVector<byte> const get_concatenation() const; + private: + BigInt m_r; + BigInt m_s; + }; + +/* Equality of ECDSA_Signature */ +bool operator==(const ECDSA_Signature& lhs, const ECDSA_Signature& rhs); +inline bool operator!=(const ECDSA_Signature& lhs, const ECDSA_Signature& rhs) + { + return !(lhs == rhs); + } + +class BOTAN_DLL ECDSA_Signature_Decoder + { + public: + void signature_bits(const MemoryRegion<byte>& bits) + { + BER_Decoder(bits) + .start_cons(SEQUENCE) + .decode(m_signature->m_r) + .decode(m_signature->m_s) + .verify_end() + .end_cons(); + } + ECDSA_Signature_Decoder(ECDSA_Signature* signature) : m_signature(signature) + {} + private: + ECDSA_Signature* m_signature; + }; + +class BOTAN_DLL ECDSA_Signature_Encoder + { + public: + MemoryVector<byte> signature_bits() const + { + return DER_Encoder() + .start_cons(SEQUENCE) + .encode(m_signature->get_r()) + .encode(m_signature->get_s()) + .end_cons() + .get_contents(); + } + ECDSA_Signature_Encoder(const ECDSA_Signature* signature) : m_signature(signature) + {} + private: + const ECDSA_Signature* m_signature; + }; + +ECDSA_Signature const decode_seq(MemoryRegion<byte> const& seq); +ECDSA_Signature const decode_concatenation(MemoryRegion<byte> const& concatenation); + +} + +#endif diff --git a/botan/src/cert/cvc/freestore.h b/botan/src/cert/cvc/freestore.h new file mode 100644 index 0000000..f95afa8 --- /dev/null +++ b/botan/src/cert/cvc/freestore.h @@ -0,0 +1,85 @@ +/** +* (C) 2007 Christoph Ludwig +* ludwig@fh-worms.de +**/ + +#ifndef BOTAN_FREESTORE_H__ +#define BOTAN_FREESTORE_H__ + +#include <botan/build.h> + +#if defined(BOTAN_USE_STD_TR1) + #include <tr1/memory> +#elif defined(BOTAN_USE_BOOST_TR1) + #include <boost/tr1/memory.hpp> +#else + #error "Please choose a TR1 implementation in build.h" +#endif + +namespace Botan { + +/** +* This class is intended as an function call parameter type and +* enables convenient automatic conversions between plain and smart +* pointer types. It internally stores a SharedPointer which can be +* accessed. +* +* Distributed under the terms of the Botan license +*/ +template<typename T> +class BOTAN_DLL SharedPtrConverter + { + public: + typedef std::tr1::shared_ptr<T> SharedPtr; + + /** + * Construct a null pointer equivalent object. + */ + SharedPtrConverter() : ptr() {} + + /** + * Copy constructor. + */ + SharedPtrConverter(SharedPtrConverter const& other) : + ptr(other.ptr) {} + + /** + * Construct a converter object from another pointer type. + * @param p the pointer which shall be set as the internally stored + * pointer value of this converter. + */ + template<typename Ptr> + SharedPtrConverter(Ptr p) + : ptr(p) {} + + /** + * Get the internally stored shared pointer. + * @return the internally stored shared pointer + */ + SharedPtr const& get_ptr() const { return this->ptr; } + + /** + * Get the internally stored shared pointer. + * @return the internally stored shared pointer + */ + SharedPtr get_ptr() { return this->ptr; } + + /** + * Get the internally stored shared pointer. + * @return the internally stored shared pointer + */ + SharedPtr const& get_shared() const { return this->ptr; } + + /** + * Get the internally stored shared pointer. + * @return the internally stored shared pointer + */ + SharedPtr get_shared() { return this->ptr; } + + private: + SharedPtr ptr; + }; + +} + +#endif diff --git a/botan/src/cert/cvc/info.txt b/botan/src/cert/cvc/info.txt new file mode 100644 index 0000000..e3e11f5 --- /dev/null +++ b/botan/src/cert/cvc/info.txt @@ -0,0 +1,44 @@ +realname "Card Verifiable Certificates" + +define CARD_VERIFIABLE_CERTIFICATES + +uses_tr1 yes + +load_on auto + +<add> +asn1_eac_str.cpp +asn1_eac_tm.cpp +ecdsa_sig.cpp +ecdsa_sig.h +cvc_ado.cpp +cvc_ado.h +cvc_ca.cpp +cvc_ca.h +cvc_cert.cpp +cvc_cert.h +cvc_gen_cert.h +cvc_key.h +cvc_req.cpp +cvc_req.h +cvc_self.cpp +cvc_self.h +eac_asn_obj.h +eac_obj.h +signed_obj.cpp +signed_obj.h +freestore.h +</add> + +<requires> +asn1 +bigint +ecdsa +filters +libstate +oid_lookup +pem +pk_codecs +pubkey +x509 +</requires> diff --git a/botan/src/cert/cvc/signed_obj.cpp b/botan/src/cert/cvc/signed_obj.cpp new file mode 100644 index 0000000..4a08ed0 --- /dev/null +++ b/botan/src/cert/cvc/signed_obj.cpp @@ -0,0 +1,67 @@ +/* +* X.509 SIGNED Object +* (C) 1999-2007 Jack Lloyd +* 2007 FlexSecure GmbH +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/signed_obj.h> + +namespace Botan { + +/* +* Return a BER encoded X.509 object +*/ +SecureVector<byte> EAC_Signed_Object::BER_encode() const + { + Pipe ber; + ber.start_msg(); + encode(ber, RAW_BER); + ber.end_msg(); + return ber.read_all(); + } + +/* +* Return a PEM encoded X.509 object +*/ +std::string EAC_Signed_Object::PEM_encode() const + { + Pipe pem; + pem.start_msg(); + encode(pem, PEM); + pem.end_msg(); + return pem.read_all_as_string(); + } + +/* +* Return the algorithm used to sign this object +*/ +AlgorithmIdentifier EAC_Signed_Object::signature_algorithm() const + { + return sig_algo; + } + +/* +* Try to decode the actual information +*/ +void EAC_Signed_Object::do_decode() + { + try { + force_decode(); + } + catch(Decoding_Error& e) + { + const std::string what = e.what(); + throw Decoding_Error(PEM_label_pref + " decoding failed (" + + what.substr(23, std::string::npos) + ")"); + } + catch(Invalid_Argument& e) + { + const std::string what = e.what(); + throw Decoding_Error(PEM_label_pref + " decoding failed (" + + what.substr(7, std::string::npos) + ")"); + } + } + +} diff --git a/botan/src/cert/cvc/signed_obj.h b/botan/src/cert/cvc/signed_obj.h new file mode 100644 index 0000000..3c233d2 --- /dev/null +++ b/botan/src/cert/cvc/signed_obj.h @@ -0,0 +1,93 @@ +/* +* EAC SIGNED Object +* (C) 2007 FlexSecure GmbH +* 2008 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_EAC_SIGNED_OBJECT_H__ +#define BOTAN_EAC_SIGNED_OBJECT_H__ + +#include <botan/asn1_obj.h> +#include <botan/pubkey_enums.h> +#include <botan/freestore.h> +#include <botan/pipe.h> +#include <vector> + +namespace Botan { + +/** +* This class represents abstract signed EAC object +*/ +class BOTAN_DLL EAC_Signed_Object + { + public: + /** + * Get the TBS (to-be-signed) data in this object. + * @return the DER encoded TBS data of this object + */ + virtual SecureVector<byte> tbs_data() const = 0; + + /** + * Get the signature of this object as a concatenation, i.e. if the + * signature consists of multiple parts (like in the case of ECDSA) + * these will be concatenated. + * @return the signature as a concatenation of its parts + */ + + /* + NOTE: this is here only because abstract signature objects have + not yet been introduced + */ + virtual SecureVector<byte> get_concat_sig() const = 0; + + /** + * Get the signature algorithm identifier used to sign this object. + * @result the signature algorithm identifier + */ + AlgorithmIdentifier signature_algorithm() const; + + /** + * Check the signature of this object. + * @param key the public key associated with this signed object + * @return true if the signature was created by the private key + * associated with this public key + */ + virtual bool check_signature(class Public_Key&) const = 0; + + /** + * Write this object DER encoded into a specified pipe. + * @param pipe the pipe to write the encoded object to + * @param enc the encoding type to use + */ + virtual void encode(Pipe&, X509_Encoding = PEM) const = 0; + + /** + * BER encode this object. + * @return the result containing the BER representation of this object. + */ + SecureVector<byte> BER_encode() const; + + /** + * PEM encode this object. + * @return the result containing the PEM representation of this object. + */ + std::string PEM_encode() const; + + virtual ~EAC_Signed_Object() {} + protected: + void do_decode(); + EAC_Signed_Object() {} + + AlgorithmIdentifier sig_algo; + SecureVector<byte> tbs_bits; + std::string PEM_label_pref; + std::vector<std::string> PEM_labels_allowed; + private: + virtual void force_decode() = 0; + }; + +} + +#endif diff --git a/botan/src/cert/x509/certstor.cpp b/botan/src/cert/x509/certstor.cpp new file mode 100644 index 0000000..96f2699 --- /dev/null +++ b/botan/src/cert/x509/certstor.cpp @@ -0,0 +1,48 @@ +/* +* Certificate Store +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/certstor.h> + +namespace Botan { + +/* +* Search by name +*/ +std::vector<X509_Certificate> +Certificate_Store::by_name(const std::string&) const + { + return std::vector<X509_Certificate>(); + } + +/* +* Search by email +*/ +std::vector<X509_Certificate> +Certificate_Store::by_email(const std::string&) const + { + return std::vector<X509_Certificate>(); + } + +/* +* Search by X.500 distinguished name +*/ +std::vector<X509_Certificate> +Certificate_Store::by_dn(const X509_DN&) const + { + return std::vector<X509_Certificate>(); + } + +/* +* Find any CRLs that might be useful +*/ +std::vector<X509_CRL> +Certificate_Store::get_crls_for(const X509_Certificate&) const + { + return std::vector<X509_CRL>(); + } + +} diff --git a/botan/src/cert/x509/certstor.h b/botan/src/cert/x509/certstor.h new file mode 100644 index 0000000..d5004e3 --- /dev/null +++ b/botan/src/cert/x509/certstor.h @@ -0,0 +1,39 @@ +/* +* Certificate Store +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_CERT_STORE_H__ +#define BOTAN_CERT_STORE_H__ + +#include <botan/x509cert.h> +#include <botan/x509_crl.h> + +namespace Botan { + +/* +* Certificate Store Interface +*/ +class BOTAN_DLL Certificate_Store + { + public: + virtual std::vector<X509_Certificate> + by_SKID(const MemoryRegion<byte>&) const = 0; + + virtual std::vector<X509_Certificate> by_name(const std::string&) const; + virtual std::vector<X509_Certificate> by_email(const std::string&) const; + virtual std::vector<X509_Certificate> by_dn(const X509_DN&) const; + + virtual std::vector<X509_CRL> + get_crls_for(const X509_Certificate&) const; + + virtual Certificate_Store* clone() const = 0; + + virtual ~Certificate_Store() {} + }; + +} + +#endif diff --git a/botan/src/cert/x509/crl_ent.cpp b/botan/src/cert/x509/crl_ent.cpp new file mode 100644 index 0000000..afea8cf --- /dev/null +++ b/botan/src/cert/x509/crl_ent.cpp @@ -0,0 +1,107 @@ +/* +* CRL Entry +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/crl_ent.h> +#include <botan/x509_ext.h> +#include <botan/der_enc.h> +#include <botan/ber_dec.h> +#include <botan/bigint.h> +#include <botan/oids.h> +#include <botan/util.h> + +namespace Botan { + +/* +* Create a CRL_Entry +*/ +CRL_Entry::CRL_Entry(bool t_on_unknown_crit) : + throw_on_unknown_critical(t_on_unknown_crit) + { + reason = UNSPECIFIED; + } + +/* +* Create a CRL_Entry +*/ +CRL_Entry::CRL_Entry(const X509_Certificate& cert, CRL_Code why) : + throw_on_unknown_critical(false) + { + serial = cert.serial_number(); + time = X509_Time(system_time()); + reason = why; + } + +/* +* Compare two CRL_Entrys for equality +*/ +bool operator==(const CRL_Entry& a1, const CRL_Entry& a2) + { + if(a1.serial_number() != a2.serial_number()) + return false; + if(a1.expire_time() != a2.expire_time()) + return false; + if(a1.reason_code() != a2.reason_code()) + return false; + return true; + } + +/* +* Compare two CRL_Entrys for inequality +*/ +bool operator!=(const CRL_Entry& a1, const CRL_Entry& a2) + { + return !(a1 == a2); + } + +/* +* Compare two CRL_Entrys +*/ +bool operator<(const CRL_Entry& a1, const CRL_Entry& a2) + { + return (a1.expire_time().cmp(a2.expire_time()) < 0); + } + +/* +* DER encode a CRL_Entry +*/ +void CRL_Entry::encode_into(DER_Encoder& der) const + { + Extensions extensions; + + extensions.add(new Cert_Extension::CRL_ReasonCode(reason)); + + der.start_cons(SEQUENCE) + .encode(BigInt::decode(serial, serial.size())) + .encode(time) + .encode(extensions) + .end_cons(); + } + +/* +* Decode a BER encoded CRL_Entry +*/ +void CRL_Entry::decode_from(BER_Decoder& source) + { + BigInt serial_number_bn; + + source.start_cons(SEQUENCE) + .decode(serial_number_bn) + .decode(time); + + if(source.more_items()) + { + Extensions extensions(throw_on_unknown_critical); + source.decode(extensions); + Data_Store info; + extensions.contents_to(info, info); + reason = CRL_Code(info.get1_u32bit("X509v3.CRLReasonCode")); + } + + serial = BigInt::encode(serial_number_bn); + } + +} diff --git a/botan/src/cert/x509/crl_ent.h b/botan/src/cert/x509/crl_ent.h new file mode 100644 index 0000000..050356c --- /dev/null +++ b/botan/src/cert/x509/crl_ent.h @@ -0,0 +1,78 @@ +/* +* CRL Entry +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_CRL_ENTRY_H__ +#define BOTAN_CRL_ENTRY_H__ + +#include <botan/x509cert.h> + +namespace Botan { + +/** +* This class represents CRL entries +*/ +class BOTAN_DLL CRL_Entry : public ASN1_Object + { + public: + void encode_into(class DER_Encoder&) const; + void decode_from(class BER_Decoder&); + + /** + * Get the serial number of the certificate associated with this entry. + * @return the certificate's serial number + */ + MemoryVector<byte> serial_number() const { return serial; } + + /** + * Get the revocation date of the certificate associated with this entry + * @return the certificate's revocation date + */ + X509_Time expire_time() const { return time; } + + /** + * Get the entries reason code + * @return the reason code + */ + CRL_Code reason_code() const { return reason; } + + /** + * Construct an empty CRL entry. + */ + CRL_Entry(bool throw_on_unknown_critical_extension = false); + + /** + * Construct an CRL entry. + * @param cert the certificate to revoke + * @param reason the reason code to set in the entry + */ + CRL_Entry(const X509_Certificate&, CRL_Code = UNSPECIFIED); + + private: + bool throw_on_unknown_critical; + MemoryVector<byte> serial; + X509_Time time; + CRL_Code reason; + }; + +/** +* Test two CRL entries for equality in all fields. +*/ +BOTAN_DLL bool operator==(const CRL_Entry&, const CRL_Entry&); + +/** +* Test two CRL entries for inequality in at least one field. +*/ +BOTAN_DLL bool operator!=(const CRL_Entry&, const CRL_Entry&); + +/** +* Order two entries based on the revocation date. +*/ +BOTAN_DLL bool operator<(const CRL_Entry&, const CRL_Entry&); + +} + +#endif diff --git a/botan/src/cert/x509/info.txt b/botan/src/cert/x509/info.txt new file mode 100644 index 0000000..552e2aa --- /dev/null +++ b/botan/src/cert/x509/info.txt @@ -0,0 +1,45 @@ +realname "X.509" + +define X509 + +load_on auto + +<add> +certstor.h +certstor.cpp +crl_ent.cpp +crl_ent.h +pkcs10.h +pkcs10.cpp +x509_ca.cpp +x509_ca.h +x509_crl.cpp +x509_crl.h +x509_ext.cpp +x509_ext.h +x509_obj.cpp +x509_obj.h +x509cert.cpp +x509cert.h +x509find.cpp +x509find.h +x509opt.cpp +x509self.cpp +x509self.h +x509stor.cpp +x509stor.h +</add> + +<requires> +asn1 +bigint +datastor +filters +libstate +oid_lookup +pem +pk_codecs +pubkey +rng +sha1 +</requires> diff --git a/botan/src/cert/x509/pkcs10.cpp b/botan/src/cert/x509/pkcs10.cpp new file mode 100644 index 0000000..5617cec --- /dev/null +++ b/botan/src/cert/x509/pkcs10.cpp @@ -0,0 +1,200 @@ +/* +* PKCS #10 +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/pkcs10.h> +#include <botan/der_enc.h> +#include <botan/ber_dec.h> +#include <botan/parsing.h> +#include <botan/x509stor.h> +#include <botan/x509_ext.h> +#include <botan/oids.h> +#include <botan/pem.h> + +namespace Botan { + +/* +* PKCS10_Request Constructor +*/ +PKCS10_Request::PKCS10_Request(DataSource& in) : + X509_Object(in, "CERTIFICATE REQUEST/NEW CERTIFICATE REQUEST") + { + do_decode(); + } + +/* +* PKCS10_Request Constructor +*/ +PKCS10_Request::PKCS10_Request(const std::string& in) : + X509_Object(in, "CERTIFICATE REQUEST/NEW CERTIFICATE REQUEST") + { + do_decode(); + } + +/* +* Deocde the CertificateRequestInfo +*/ +void PKCS10_Request::force_decode() + { + BER_Decoder cert_req_info(tbs_bits); + + u32bit version; + cert_req_info.decode(version); + if(version != 0) + throw Decoding_Error("Unknown version code in PKCS #10 request: " + + to_string(version)); + + X509_DN dn_subject; + cert_req_info.decode(dn_subject); + + info.add(dn_subject.contents()); + + BER_Object public_key = cert_req_info.get_next_object(); + if(public_key.type_tag != SEQUENCE || public_key.class_tag != CONSTRUCTED) + throw BER_Bad_Tag("PKCS10_Request: Unexpected tag for public key", + public_key.type_tag, public_key.class_tag); + + info.add("X509.Certificate.public_key", + PEM_Code::encode( + ASN1::put_in_sequence(public_key.value), + "PUBLIC KEY" + ) + ); + + BER_Object attr_bits = cert_req_info.get_next_object(); + + if(attr_bits.type_tag == 0 && + attr_bits.class_tag == ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)) + { + BER_Decoder attributes(attr_bits.value); + while(attributes.more_items()) + { + Attribute attr; + attributes.decode(attr); + handle_attribute(attr); + } + attributes.verify_end(); + } + else if(attr_bits.type_tag != NO_OBJECT) + throw BER_Bad_Tag("PKCS10_Request: Unexpected tag for attributes", + attr_bits.type_tag, attr_bits.class_tag); + + cert_req_info.verify_end(); + + X509_Code sig_check = X509_Store::check_sig(*this, subject_public_key()); + if(sig_check != VERIFIED) + throw Decoding_Error("PKCS #10 request: Bad signature detected"); + } + +/* +* Handle attributes in a PKCS #10 request +*/ +void PKCS10_Request::handle_attribute(const Attribute& attr) + { + BER_Decoder value(attr.parameters); + + if(attr.oid == OIDS::lookup("PKCS9.EmailAddress")) + { + ASN1_String email; + value.decode(email); + info.add("RFC822", email.value()); + } + else if(attr.oid == OIDS::lookup("PKCS9.ChallengePassword")) + { + ASN1_String challenge_password; + value.decode(challenge_password); + info.add("PKCS9.ChallengePassword", challenge_password.value()); + } + else if(attr.oid == OIDS::lookup("PKCS9.ExtensionRequest")) + { + Extensions extensions; + value.decode(extensions).verify_end(); + + Data_Store issuer_info; + extensions.contents_to(info, issuer_info); + } + } + +/* +* Return the challenge password (if any) +*/ +std::string PKCS10_Request::challenge_password() const + { + return info.get1("PKCS9.ChallengePassword"); + } + +/* +* Return the name of the requestor +*/ +X509_DN PKCS10_Request::subject_dn() const + { + return create_dn(info); + } + +/* +* Return the public key of the requestor +*/ +MemoryVector<byte> PKCS10_Request::raw_public_key() const + { + DataSource_Memory source(info.get1("X509.Certificate.public_key")); + return PEM_Code::decode_check_label(source, "PUBLIC KEY"); + } + +/* +* Return the public key of the requestor +*/ +Public_Key* PKCS10_Request::subject_public_key() const + { + DataSource_Memory source(info.get1("X509.Certificate.public_key")); + return X509::load_key(source); + } + +/* +* Return the alternative names of the requestor +*/ +AlternativeName PKCS10_Request::subject_alt_name() const + { + return create_alt_name(info); + } + +/* +* Return the key constraints (if any) +*/ +Key_Constraints PKCS10_Request::constraints() const + { + return Key_Constraints(info.get1_u32bit("X509v3.KeyUsage", NO_CONSTRAINTS)); + } + +/* +* Return the extendend key constraints (if any) +*/ +std::vector<OID> PKCS10_Request::ex_constraints() const + { + std::vector<std::string> oids = info.get("X509v3.ExtendedKeyUsage"); + + std::vector<OID> result; + for(u32bit j = 0; j != oids.size(); ++j) + result.push_back(OID(oids[j])); + return result; + } + +/* +* Return is a CA certificate is requested +*/ +bool PKCS10_Request::is_CA() const + { + return info.get1_u32bit("X509v3.BasicConstraints.is_ca"); + } + +/* +* Return the desired path limit (if any) +*/ +u32bit PKCS10_Request::path_limit() const + { + return info.get1_u32bit("X509v3.BasicConstraints.path_constraint", 0); + } + +} diff --git a/botan/src/cert/x509/pkcs10.h b/botan/src/cert/x509/pkcs10.h new file mode 100644 index 0000000..9b435de --- /dev/null +++ b/botan/src/cert/x509/pkcs10.h @@ -0,0 +1,101 @@ +/* +* PKCS #10 +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_PKCS10_H__ +#define BOTAN_PKCS10_H__ + +#include <botan/x509_obj.h> +#include <botan/pkcs8.h> +#include <botan/datastor.h> +#include <vector> + +namespace Botan { + +/** +* PKCS #10 Certificate Request. +*/ +class BOTAN_DLL PKCS10_Request : public X509_Object + { + public: + /** + * Get the subject public key. + * @return the subject public key + */ + Public_Key* subject_public_key() const; + + /** + * Get the raw DER encoded public key. + * @return the raw DER encoded public key + */ + MemoryVector<byte> raw_public_key() const; + + /** + * Get the subject DN. + * @return the subject DN + */ + X509_DN subject_dn() const; + + /** + * Get the subject alternative name. + * @return the subject alternative name. + */ + AlternativeName subject_alt_name() const; + + /** + * Get the key constraints for the key associated with this + * PKCS#10 object. + * @return the key constraints + */ + Key_Constraints constraints() const; + + /** + * Get the extendend key constraints (if any). + * @return the extended key constraints + */ + std::vector<OID> ex_constraints() const; + + /** + * Find out whether this is a CA request. + * @result true if it is a CA request, false otherwise. + */ + bool is_CA() const; + + /** + * Return the constraint on the path length defined + * in the BasicConstraints extension. + * @return the path limit + */ + u32bit path_limit() const; + + /** + * Get the challenge password for this request + * @return the challenge password for this request + */ + std::string challenge_password() const; + + /** + * Create a PKCS#10 Request from a data source. + * @param source the data source providing the DER encoded request + */ + PKCS10_Request(DataSource& source); + + /** + * Create a PKCS#10 Request from a file. + * @param filename the name of the file containing the DER or PEM + * encoded request file + */ + PKCS10_Request(const std::string& filename); + private: + void force_decode(); + void handle_attribute(const Attribute&); + + Data_Store info; + }; + +} + +#endif diff --git a/botan/src/cert/x509/x509_ca.cpp b/botan/src/cert/x509/x509_ca.cpp new file mode 100644 index 0000000..41e3147 --- /dev/null +++ b/botan/src/cert/x509/x509_ca.cpp @@ -0,0 +1,284 @@ +/* +* X.509 Certificate Authority +* (C) 1999-2008 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/x509_ca.h> +#include <botan/x509stor.h> +#include <botan/der_enc.h> +#include <botan/ber_dec.h> +#include <botan/look_pk.h> +#include <botan/bigint.h> +#include <botan/parsing.h> +#include <botan/oids.h> +#include <botan/util.h> +#include <algorithm> +#include <typeinfo> +#include <iterator> +#include <memory> +#include <set> + +namespace Botan { + +/* +* Load the certificate and private key +*/ +X509_CA::X509_CA(const X509_Certificate& c, + const Private_Key& key) : cert(c) + { + const Private_Key* key_pointer = &key; + if(!dynamic_cast<const PK_Signing_Key*>(key_pointer)) + throw Invalid_Argument("X509_CA: " + key.algo_name() + " cannot sign"); + + if(!cert.is_CA_cert()) + throw Invalid_Argument("X509_CA: This certificate is not for a CA"); + + signer = choose_sig_format(key, ca_sig_algo); + } + +/* +* Sign a PKCS #10 certificate request +*/ +X509_Certificate X509_CA::sign_request(const PKCS10_Request& req, + RandomNumberGenerator& rng, + const X509_Time& not_before, + const X509_Time& not_after) + { + Key_Constraints constraints; + if(req.is_CA()) + constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN); + else + { + std::auto_ptr<Public_Key> key(req.subject_public_key()); + constraints = X509::find_constraints(*key, req.constraints()); + } + + Extensions extensions; + + extensions.add(new Cert_Extension::Authority_Key_ID(cert.subject_key_id())); + extensions.add(new Cert_Extension::Subject_Key_ID(req.raw_public_key())); + + extensions.add( + new Cert_Extension::Basic_Constraints(req.is_CA(), req.path_limit())); + + extensions.add(new Cert_Extension::Key_Usage(constraints)); + extensions.add( + new Cert_Extension::Extended_Key_Usage(req.ex_constraints())); + + extensions.add( + new Cert_Extension::Subject_Alternative_Name(req.subject_alt_name())); + + return make_cert(signer, rng, ca_sig_algo, req.raw_public_key(), + not_before, not_after, + cert.subject_dn(), req.subject_dn(), + extensions); + } + +/* +* Create a new certificate +*/ +X509_Certificate X509_CA::make_cert(PK_Signer* signer, + RandomNumberGenerator& rng, + const AlgorithmIdentifier& sig_algo, + const MemoryRegion<byte>& pub_key, + const X509_Time& not_before, + const X509_Time& not_after, + const X509_DN& issuer_dn, + const X509_DN& subject_dn, + const Extensions& extensions) + { + const u32bit X509_CERT_VERSION = 3; + const u32bit SERIAL_BITS = 128; + + BigInt serial_no(rng, SERIAL_BITS); + + DataSource_Memory source(X509_Object::make_signed(signer, rng, sig_algo, + DER_Encoder().start_cons(SEQUENCE) + .start_explicit(0) + .encode(X509_CERT_VERSION-1) + .end_explicit() + + .encode(serial_no) + + .encode(sig_algo) + .encode(issuer_dn) + + .start_cons(SEQUENCE) + .encode(not_before) + .encode(not_after) + .end_cons() + + .encode(subject_dn) + .raw_bytes(pub_key) + + .start_explicit(3) + .start_cons(SEQUENCE) + .encode(extensions) + .end_cons() + .end_explicit() + .end_cons() + .get_contents() + )); + + return X509_Certificate(source); + } + +/* +* Create a new, empty CRL +*/ +X509_CRL X509_CA::new_crl(RandomNumberGenerator& rng, + u32bit next_update) const + { + std::vector<CRL_Entry> empty; + return make_crl(empty, 1, next_update, rng); + } + +/* +* Update a CRL with new entries +*/ +X509_CRL X509_CA::update_crl(const X509_CRL& crl, + const std::vector<CRL_Entry>& new_revoked, + RandomNumberGenerator& rng, + u32bit next_update) const + { + std::vector<CRL_Entry> already_revoked = crl.get_revoked(); + std::vector<CRL_Entry> all_revoked; + + X509_Store store; + store.add_cert(cert, true); + if(store.add_crl(crl) != VERIFIED) + throw Invalid_Argument("X509_CA::update_crl: Invalid CRL provided"); + + std::set<SecureVector<byte> > removed_from_crl; + for(u32bit j = 0; j != new_revoked.size(); ++j) + { + if(new_revoked[j].reason_code() == DELETE_CRL_ENTRY) + removed_from_crl.insert(new_revoked[j].serial_number()); + else + all_revoked.push_back(new_revoked[j]); + } + + for(u32bit j = 0; j != already_revoked.size(); ++j) + { + std::set<SecureVector<byte> >::const_iterator i; + i = removed_from_crl.find(already_revoked[j].serial_number()); + + if(i == removed_from_crl.end()) + all_revoked.push_back(already_revoked[j]); + } + std::sort(all_revoked.begin(), all_revoked.end()); + + std::vector<CRL_Entry> cert_list; + std::unique_copy(all_revoked.begin(), all_revoked.end(), + std::back_inserter(cert_list)); + + return make_crl(cert_list, crl.crl_number() + 1, next_update, rng); + } + +/* +* Create a CRL +*/ +X509_CRL X509_CA::make_crl(const std::vector<CRL_Entry>& revoked, + u32bit crl_number, u32bit next_update, + RandomNumberGenerator& rng) const + { + const u32bit X509_CRL_VERSION = 2; + + if(next_update == 0) + next_update = timespec_to_u32bit("7d"); + + // Totally stupid: ties encoding logic to the return of std::time!! + const u64bit current_time = system_time(); + + Extensions extensions; + extensions.add( + new Cert_Extension::Authority_Key_ID(cert.subject_key_id())); + extensions.add(new Cert_Extension::CRL_Number(crl_number)); + + DataSource_Memory source(X509_Object::make_signed(signer, rng, ca_sig_algo, + DER_Encoder().start_cons(SEQUENCE) + .encode(X509_CRL_VERSION-1) + .encode(ca_sig_algo) + .encode(cert.issuer_dn()) + .encode(X509_Time(current_time)) + .encode(X509_Time(current_time + next_update)) + .encode_if(revoked.size() > 0, + DER_Encoder() + .start_cons(SEQUENCE) + .encode_list(revoked) + .end_cons() + ) + .start_explicit(0) + .start_cons(SEQUENCE) + .encode(extensions) + .end_cons() + .end_explicit() + .end_cons() + .get_contents() + )); + + return X509_CRL(source); + } + +/* +* Return the CA's certificate +*/ +X509_Certificate X509_CA::ca_certificate() const + { + return cert; + } + +/* +* X509_CA Destructor +*/ +X509_CA::~X509_CA() + { + delete signer; + } + +/* +* Choose a signing format for the key +*/ +PK_Signer* choose_sig_format(const Private_Key& key, + AlgorithmIdentifier& sig_algo) + { + std::string padding; + Signature_Format format; + + const std::string algo_name = key.algo_name(); + + if(algo_name == "RSA") + { + padding = "EMSA3(SHA-160)"; + format = IEEE_1363; + } + else if(algo_name == "DSA") + { + padding = "EMSA1(SHA-160)"; + format = DER_SEQUENCE; + } + else if(algo_name == "ECDSA") + { + padding = "EMSA1_BSI(SHA-160)"; + format = IEEE_1363; + } + else + throw Invalid_Argument("Unknown X.509 signing key type: " + algo_name); + + sig_algo.oid = OIDS::lookup(algo_name + "/" + padding); + + std::auto_ptr<X509_Encoder> encoding(key.x509_encoder()); + if(!encoding.get()) + throw Encoding_Error("Key " + algo_name + " does not support " + "X.509 encoding"); + + sig_algo.parameters = encoding->alg_id().parameters; + + const PK_Signing_Key& sig_key = dynamic_cast<const PK_Signing_Key&>(key); + + return get_pk_signer(sig_key, padding, format); + } + +} diff --git a/botan/src/cert/x509/x509_ca.h b/botan/src/cert/x509/x509_ca.h new file mode 100644 index 0000000..ef2a8d1 --- /dev/null +++ b/botan/src/cert/x509/x509_ca.h @@ -0,0 +1,108 @@ +/* +* X.509 Certificate Authority +* (C) 1999-2008 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_X509_CA_H__ +#define BOTAN_X509_CA_H__ + +#include <botan/x509cert.h> +#include <botan/x509_crl.h> +#include <botan/x509_ext.h> +#include <botan/pkcs8.h> +#include <botan/pkcs10.h> +#include <botan/pubkey.h> + +namespace Botan { + +/** +* This class represents X.509 Certificate Authorities (CAs). +*/ +class BOTAN_DLL X509_CA + { + public: + + /** + * Sign a PKCS#10 Request. + * @param req the request to sign + * @param rng the rng to use + * @param not_before the starting time for the certificate + * @param not_after the expiration time for the certificate + * @return the resulting certificate + */ + X509_Certificate sign_request(const PKCS10_Request& req, + RandomNumberGenerator& rng, + const X509_Time& not_before, + const X509_Time& not_after); + + /** + * Get the certificate of this CA. + * @return the CA certificate + */ + X509_Certificate ca_certificate() const; + + /** + * Create a new and empty CRL for this CA. + * @param rng the random number generator to use + * @param next_update the time to set in next update in seconds + * as the offset from the current time + * @return the new CRL + */ + X509_CRL new_crl(RandomNumberGenerator& rng, u32bit = 0) const; + + /** + * Create a new CRL by with additional entries. + * @param last_crl the last CRL of this CA to add the new entries to + * @param new_entries contains the new CRL entries to be added to the CRL + * @param rng the random number generator to use + * @param next_update the time to set in next update in seconds + * as the offset from the current time + */ + X509_CRL update_crl(const X509_CRL& last_crl, + const std::vector<CRL_Entry>& new_entries, + RandomNumberGenerator& rng, + u32bit next_update = 0) const; + + static X509_Certificate make_cert(PK_Signer*, + RandomNumberGenerator&, + const AlgorithmIdentifier&, + const MemoryRegion<byte>&, + const X509_Time&, const X509_Time&, + const X509_DN&, const X509_DN&, + const Extensions&); + + /** + * Create a new CA object. + * @param ca_certificate the certificate of the CA + * @param key the private key of the CA + */ + X509_CA(const X509_Certificate& ca_certificate, const Private_Key& key); + ~X509_CA(); + private: + X509_CA(const X509_CA&) {} + X509_CA& operator=(const X509_CA&) { return (*this); } + + X509_CRL make_crl(const std::vector<CRL_Entry>&, + u32bit, u32bit, RandomNumberGenerator&) const; + + AlgorithmIdentifier ca_sig_algo; + X509_Certificate cert; + PK_Signer* signer; + }; + +/** +* Choose the default signature format for a certain public key signature +* scheme. +* @param key will be the key to choose a padding scheme for +* @param alg_id will be set to the chosen scheme +* @return A PK_Signer object for generating signatures +*/ +BOTAN_DLL PK_Signer* choose_sig_format(const Private_Key& key, + AlgorithmIdentifier& alg_id); + + +} + +#endif diff --git a/botan/src/cert/x509/x509_crl.cpp b/botan/src/cert/x509/x509_crl.cpp new file mode 100644 index 0000000..f6a344d --- /dev/null +++ b/botan/src/cert/x509/x509_crl.cpp @@ -0,0 +1,147 @@ +/* +* X.509 CRL +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/x509_crl.h> +#include <botan/x509_ext.h> +#include <botan/ber_dec.h> +#include <botan/parsing.h> +#include <botan/bigint.h> +#include <botan/oids.h> + +namespace Botan { + +/* +* Load a X.509 CRL +*/ +X509_CRL::X509_CRL(DataSource& in, bool touc) : + X509_Object(in, "X509 CRL/CRL"), throw_on_unknown_critical(touc) + { + do_decode(); + } + +/* +* Load a X.509 CRL +*/ +X509_CRL::X509_CRL(const std::string& in, bool touc) : + X509_Object(in, "CRL/X509 CRL"), throw_on_unknown_critical(touc) + { + do_decode(); + } + +/* +* Decode the TBSCertList data +*/ +void X509_CRL::force_decode() + { + BER_Decoder tbs_crl(tbs_bits); + + u32bit version; + tbs_crl.decode_optional(version, INTEGER, UNIVERSAL); + + if(version != 0 && version != 1) + throw X509_CRL_Error("Unknown X.509 CRL version " + + to_string(version+1)); + + AlgorithmIdentifier sig_algo_inner; + tbs_crl.decode(sig_algo_inner); + + if(sig_algo != sig_algo_inner) + throw X509_CRL_Error("Algorithm identifier mismatch"); + + X509_DN dn_issuer; + tbs_crl.decode(dn_issuer); + info.add(dn_issuer.contents()); + + X509_Time start, end; + tbs_crl.decode(start).decode(end); + info.add("X509.CRL.start", start.readable_string()); + info.add("X509.CRL.end", end.readable_string()); + + BER_Object next = tbs_crl.get_next_object(); + + if(next.type_tag == SEQUENCE && next.class_tag == CONSTRUCTED) + { + BER_Decoder cert_list(next.value); + + while(cert_list.more_items()) + { + CRL_Entry entry(throw_on_unknown_critical); + cert_list.decode(entry); + revoked.push_back(entry); + } + next = tbs_crl.get_next_object(); + } + + if(next.type_tag == 0 && + next.class_tag == ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)) + { + BER_Decoder crl_options(next.value); + + Extensions extensions(throw_on_unknown_critical); + + crl_options.decode(extensions).verify_end(); + + extensions.contents_to(info, info); + + next = tbs_crl.get_next_object(); + } + + if(next.type_tag != NO_OBJECT) + throw X509_CRL_Error("Unknown tag in CRL"); + + tbs_crl.verify_end(); + } + +/* +* Return the list of revoked certificates +*/ +std::vector<CRL_Entry> X509_CRL::get_revoked() const + { + return revoked; + } + +/* +* Return the distinguished name of the issuer +*/ +X509_DN X509_CRL::issuer_dn() const + { + return create_dn(info); + } + +/* +* Return the key identifier of the issuer +*/ +MemoryVector<byte> X509_CRL::authority_key_id() const + { + return info.get1_memvec("X509v3.AuthorityKeyIdentifier"); + } + +/* +* Return the CRL number of this CRL +*/ +u32bit X509_CRL::crl_number() const + { + return info.get1_u32bit("X509v3.CRLNumber"); + } + +/* +* Return the issue data of the CRL +*/ +X509_Time X509_CRL::this_update() const + { + return info.get1("X509.CRL.start"); + } + +/* +* Return the date when a new CRL will be issued +*/ +X509_Time X509_CRL::next_update() const + { + return info.get1("X509.CRL.end"); + } + +} diff --git a/botan/src/cert/x509/x509_crl.h b/botan/src/cert/x509/x509_crl.h new file mode 100644 index 0000000..6caef42 --- /dev/null +++ b/botan/src/cert/x509/x509_crl.h @@ -0,0 +1,90 @@ +/* +* X.509 CRL +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_X509_CRL_H__ +#define BOTAN_X509_CRL_H__ + +#include <botan/x509_obj.h> +#include <botan/crl_ent.h> +#include <vector> + +namespace Botan { + +/** +* This class represents X.509 Certificate Revocation Lists (CRLs). +*/ +class BOTAN_DLL X509_CRL : public X509_Object + { + public: + /** + * This class represents CRL related errors. + */ + struct X509_CRL_Error : public Exception + { + X509_CRL_Error(const std::string& error) : + Exception("X509_CRL: " + error) {} + }; + + /** + * Get the entries of this CRL in the form of a vector. + * @return a vector containing the entries of this CRL. + */ + std::vector<CRL_Entry> get_revoked() const; + + /** + * Get the issuer DN of this CRL. + * @return the CRLs issuer DN + */ + X509_DN issuer_dn() const; + + /** + * Get the AuthorityKeyIdentifier of this CRL. + * @return this CRLs AuthorityKeyIdentifier + */ + MemoryVector<byte> authority_key_id() const; + + /** + * Get the serial number of this CRL. + * @return the CRLs serial number + */ + u32bit crl_number() const; + + /** + * Get the CRL's thisUpdate value. + * @return the CRLs thisUpdate + */ + X509_Time this_update() const; + + /** + * Get the CRL's nextUpdate value. + * @return the CRLs nextdUpdate + */ + X509_Time next_update() const; + + /** + * Construct a CRL from a data source. + * @param source the data source providing the DER or PEM encoded CRL. + */ + X509_CRL(DataSource&, bool throw_on_unknown_critical = false); + + /** + * Construct a CRL from a file containing the DER or PEM encoded CRL. + * @param filename the name of the CRL file + */ + X509_CRL(const std::string& filename, + bool throw_on_unknown_critical = false); + private: + void force_decode(); + + bool throw_on_unknown_critical; + std::vector<CRL_Entry> revoked; + Data_Store info; + }; + +} + +#endif diff --git a/botan/src/cert/x509/x509_ext.cpp b/botan/src/cert/x509/x509_ext.cpp new file mode 100644 index 0000000..5e07cbd --- /dev/null +++ b/botan/src/cert/x509/x509_ext.cpp @@ -0,0 +1,581 @@ +/* +* X.509 Certificate Extensions +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/x509_ext.h> +#include <botan/sha160.h> +#include <botan/der_enc.h> +#include <botan/ber_dec.h> +#include <botan/oids.h> +#include <botan/libstate.h> +#include <botan/bit_ops.h> +#include <algorithm> +#include <memory> + +namespace Botan { + +/* +* List of X.509 Certificate Extensions +*/ +Certificate_Extension* Extensions::get_extension(const OID& oid) + { +#define X509_EXTENSION(NAME, TYPE) \ + if(OIDS::name_of(oid, NAME)) \ + return new Cert_Extension::TYPE(); + + X509_EXTENSION("X509v3.KeyUsage", Key_Usage); + X509_EXTENSION("X509v3.BasicConstraints", Basic_Constraints); + X509_EXTENSION("X509v3.SubjectKeyIdentifier", Subject_Key_ID); + X509_EXTENSION("X509v3.AuthorityKeyIdentifier", Authority_Key_ID); + X509_EXTENSION("X509v3.ExtendedKeyUsage", Extended_Key_Usage); + X509_EXTENSION("X509v3.IssuerAlternativeName", Issuer_Alternative_Name); + X509_EXTENSION("X509v3.SubjectAlternativeName", Subject_Alternative_Name); + X509_EXTENSION("X509v3.CRLNumber", CRL_Number); + X509_EXTENSION("X509v3.CertificatePolicies", Certificate_Policies); + + return 0; + } + +/* +* Extensions Copy Constructor +*/ +Extensions::Extensions(const Extensions& extensions) : ASN1_Object() + { + *this = extensions; + } + +/* +* Extensions Assignment Operator +*/ +Extensions& Extensions::operator=(const Extensions& other) + { + for(u32bit j = 0; j != extensions.size(); ++j) + delete extensions[j]; + extensions.clear(); + + for(u32bit j = 0; j != other.extensions.size(); ++j) + extensions.push_back(other.extensions[j]->copy()); + + return (*this); + } + +/* +* Return the OID of this extension +*/ +OID Certificate_Extension::oid_of() const + { + return OIDS::lookup(oid_name()); + } + +/* +* Encode an Extensions list +*/ +void Extensions::encode_into(DER_Encoder& to_object) const + { + for(u32bit j = 0; j != extensions.size(); ++j) + { + const Certificate_Extension* ext = extensions[j]; + + std::string setting; + + if(ext->config_id() != "") + setting = global_state().option("x509/exts/" + ext->config_id()); + + if(setting == "") + setting = "yes"; + + if(setting != "yes" && setting != "no" && setting != "critical") + throw Invalid_Argument("X509_CA:: Invalid value for option " + "x509/exts/" + ext->config_id() + " of " + + setting); + + bool is_critical = (setting == "critical"); + bool should_encode = ext->should_encode() && (setting != "no"); + + if(should_encode) + { + to_object.start_cons(SEQUENCE) + .encode(ext->oid_of()) + .encode_optional(is_critical, false) + .encode(ext->encode_inner(), OCTET_STRING) + .end_cons(); + } + } + } + +/* +* Decode a list of Extensions +*/ +void Extensions::decode_from(BER_Decoder& from_source) + { + for(u32bit j = 0; j != extensions.size(); ++j) + delete extensions[j]; + extensions.clear(); + + BER_Decoder sequence = from_source.start_cons(SEQUENCE); + while(sequence.more_items()) + { + OID oid; + MemoryVector<byte> value; + bool critical; + + sequence.start_cons(SEQUENCE) + .decode(oid) + .decode_optional(critical, BOOLEAN, UNIVERSAL, false) + .decode(value, OCTET_STRING) + .verify_end() + .end_cons(); + + Certificate_Extension* ext = get_extension(oid); + + if(!ext) + { + if(!critical || !should_throw) + continue; + + throw Decoding_Error("Encountered unknown X.509 extension marked " + "as critical; OID = " + oid.as_string()); + } + + ext->decode_inner(value); + + extensions.push_back(ext); + } + sequence.verify_end(); + } + +/* +* Write the extensions to an info store +*/ +void Extensions::contents_to(Data_Store& subject_info, + Data_Store& issuer_info) const + { + for(u32bit j = 0; j != extensions.size(); ++j) + extensions[j]->contents_to(subject_info, issuer_info); + } + +/* +* Delete an Extensions list +*/ +Extensions::~Extensions() + { + for(u32bit j = 0; j != extensions.size(); ++j) + delete extensions[j]; + } + +namespace Cert_Extension { + +/* +* Checked accessor for the path_limit member +*/ +u32bit Basic_Constraints::get_path_limit() const + { + if(!is_ca) + throw Invalid_State("Basic_Constraints::get_path_limit: Not a CA"); + return path_limit; + } + +/* +* Encode the extension +*/ +MemoryVector<byte> Basic_Constraints::encode_inner() const + { + return DER_Encoder() + .start_cons(SEQUENCE) + .encode_if(is_ca, + DER_Encoder() + .encode(is_ca) + .encode_optional(path_limit, NO_CERT_PATH_LIMIT) + ) + .end_cons() + .get_contents(); + } + +/* +* Decode the extension +*/ +void Basic_Constraints::decode_inner(const MemoryRegion<byte>& in) + { + BER_Decoder(in) + .start_cons(SEQUENCE) + .decode_optional(is_ca, BOOLEAN, UNIVERSAL, false) + .decode_optional(path_limit, INTEGER, UNIVERSAL, NO_CERT_PATH_LIMIT) + .verify_end() + .end_cons(); + + if(is_ca == false) + path_limit = 0; + } + +/* +* Return a textual representation +*/ +void Basic_Constraints::contents_to(Data_Store& subject, Data_Store&) const + { + subject.add("X509v3.BasicConstraints.is_ca", (is_ca ? 1 : 0)); + subject.add("X509v3.BasicConstraints.path_constraint", path_limit); + } + +/* +* Encode the extension +*/ +MemoryVector<byte> Key_Usage::encode_inner() const + { + if(constraints == NO_CONSTRAINTS) + throw Encoding_Error("Cannot encode zero usage constraints"); + + const u32bit unused_bits = low_bit(constraints) - 1; + + SecureVector<byte> der; + der.append(BIT_STRING); + der.append(2 + ((unused_bits < 8) ? 1 : 0)); + der.append(unused_bits % 8); + der.append((constraints >> 8) & 0xFF); + if(constraints & 0xFF) + der.append(constraints & 0xFF); + + return der; + } + +/* +* Decode the extension +*/ +void Key_Usage::decode_inner(const MemoryRegion<byte>& in) + { + BER_Decoder ber(in); + + BER_Object obj = ber.get_next_object(); + + if(obj.type_tag != BIT_STRING || obj.class_tag != UNIVERSAL) + throw BER_Bad_Tag("Bad tag for usage constraint", + obj.type_tag, obj.class_tag); + + if(obj.value.size() != 2 && obj.value.size() != 3) + throw BER_Decoding_Error("Bad size for BITSTRING in usage constraint"); + + if(obj.value[0] >= 8) + throw BER_Decoding_Error("Invalid unused bits in usage constraint"); + + obj.value[obj.value.size()-1] &= (0xFF << obj.value[0]); + + u16bit usage = 0; + for(u32bit j = 1; j != obj.value.size(); ++j) + usage = (obj.value[j] << 8) | usage; + + constraints = Key_Constraints(usage); + } + +/* +* Return a textual representation +*/ +void Key_Usage::contents_to(Data_Store& subject, Data_Store&) const + { + subject.add("X509v3.KeyUsage", constraints); + } + +/* +* Encode the extension +*/ +MemoryVector<byte> Subject_Key_ID::encode_inner() const + { + return DER_Encoder().encode(key_id, OCTET_STRING).get_contents(); + } + +/* +* Decode the extension +*/ +void Subject_Key_ID::decode_inner(const MemoryRegion<byte>& in) + { + BER_Decoder(in).decode(key_id, OCTET_STRING).verify_end(); + } + +/* +* Return a textual representation +*/ +void Subject_Key_ID::contents_to(Data_Store& subject, Data_Store&) const + { + subject.add("X509v3.SubjectKeyIdentifier", key_id); + } + +/* +* Subject_Key_ID Constructor +*/ +Subject_Key_ID::Subject_Key_ID(const MemoryRegion<byte>& pub_key) + { + SHA_160 hash; + key_id = hash.process(pub_key); + } + +/* +* Encode the extension +*/ +MemoryVector<byte> Authority_Key_ID::encode_inner() const + { + return DER_Encoder() + .start_cons(SEQUENCE) + .encode(key_id, OCTET_STRING, ASN1_Tag(0), CONTEXT_SPECIFIC) + .end_cons() + .get_contents(); + } + +/* +* Decode the extension +*/ +void Authority_Key_ID::decode_inner(const MemoryRegion<byte>& in) + { + BER_Decoder(in) + .start_cons(SEQUENCE) + .decode_optional_string(key_id, OCTET_STRING, 0); + } + +/* +* Return a textual representation +*/ +void Authority_Key_ID::contents_to(Data_Store&, Data_Store& issuer) const + { + if(key_id.size()) + issuer.add("X509v3.AuthorityKeyIdentifier", key_id); + } + +/* +* Encode the extension +*/ +MemoryVector<byte> Alternative_Name::encode_inner() const + { + return DER_Encoder().encode(alt_name).get_contents(); + } + +/* +* Decode the extension +*/ +void Alternative_Name::decode_inner(const MemoryRegion<byte>& in) + { + BER_Decoder(in).decode(alt_name); + } + +/* +* Return a textual representation +*/ +void Alternative_Name::contents_to(Data_Store& subject_info, + Data_Store& issuer_info) const + { + std::multimap<std::string, std::string> contents = + get_alt_name().contents(); + + if(oid_name_str == "X509v3.SubjectAlternativeName") + subject_info.add(contents); + else if(oid_name_str == "X509v3.IssuerAlternativeName") + issuer_info.add(contents); + else + throw Internal_Error("In Alternative_Name, unknown type " + + oid_name_str); + } + +/* +* Alternative_Name Constructor +*/ +Alternative_Name::Alternative_Name(const AlternativeName& alt_name, + const std::string& oid_name_str, + const std::string& config_name_str) + { + this->alt_name = alt_name; + this->oid_name_str = oid_name_str; + this->config_name_str = config_name_str; + } + +/* +* Subject_Alternative_Name Constructor +*/ +Subject_Alternative_Name::Subject_Alternative_Name( + const AlternativeName& name) : + + Alternative_Name(name, "X509v3.SubjectAlternativeName", + "subject_alternative_name") + { + } + +/* +* Issuer_Alternative_Name Constructor +*/ +Issuer_Alternative_Name::Issuer_Alternative_Name(const AlternativeName& name) : + Alternative_Name(name, "X509v3.IssuerAlternativeName", + "issuer_alternative_name") + { + } + +/* +* Encode the extension +*/ +MemoryVector<byte> Extended_Key_Usage::encode_inner() const + { + return DER_Encoder() + .start_cons(SEQUENCE) + .encode_list(oids) + .end_cons() + .get_contents(); + } + +/* +* Decode the extension +*/ +void Extended_Key_Usage::decode_inner(const MemoryRegion<byte>& in) + { + BER_Decoder(in) + .start_cons(SEQUENCE) + .decode_list(oids) + .end_cons(); + } + +/* +* Return a textual representation +*/ +void Extended_Key_Usage::contents_to(Data_Store& subject, Data_Store&) const + { + for(u32bit j = 0; j != oids.size(); ++j) + subject.add("X509v3.ExtendedKeyUsage", oids[j].as_string()); + } + +namespace { + +/* +* A policy specifier +*/ +class Policy_Information : public ASN1_Object + { + public: + OID oid; + + void encode_into(DER_Encoder& codec) const + { + codec.start_cons(SEQUENCE) + .encode(oid) + .end_cons(); + } + + void decode_from(BER_Decoder& codec) + { + codec.start_cons(SEQUENCE) + .decode(oid) + .discard_remaining() + .end_cons(); + } + }; + +} + +/* +* Encode the extension +*/ +MemoryVector<byte> Certificate_Policies::encode_inner() const + { + throw Exception("Certificate_Policies::encode_inner: Bugged"); + + std::vector<Policy_Information> policies; + + return DER_Encoder() + .start_cons(SEQUENCE) + .encode_list(policies) + .end_cons() + .get_contents(); + } + +/* +* Decode the extension +*/ +void Certificate_Policies::decode_inner(const MemoryRegion<byte>& in) + { + std::vector<Policy_Information> policies; + + BER_Decoder(in) + .start_cons(SEQUENCE) + .decode_list(policies) + .end_cons(); + } + +/* +* Return a textual representation +*/ +void Certificate_Policies::contents_to(Data_Store& info, Data_Store&) const + { + for(u32bit j = 0; j != oids.size(); ++j) + info.add("X509v3.ExtendedKeyUsage", oids[j].as_string()); + } + +/* +* Checked accessor for the crl_number member +*/ +u32bit CRL_Number::get_crl_number() const + { + if(!has_value) + throw Invalid_State("CRL_Number::get_crl_number: Not set"); + return crl_number; + } + +/* +* Copy a CRL_Number extension +*/ +CRL_Number* CRL_Number::copy() const + { + if(!has_value) + throw Invalid_State("CRL_Number::copy: Not set"); + return new CRL_Number(crl_number); + } + +/* +* Encode the extension +*/ +MemoryVector<byte> CRL_Number::encode_inner() const + { + return DER_Encoder().encode(crl_number).get_contents(); + } + +/* +* Decode the extension +*/ +void CRL_Number::decode_inner(const MemoryRegion<byte>& in) + { + BER_Decoder(in).decode(crl_number); + } + +/* +* Return a textual representation +*/ +void CRL_Number::contents_to(Data_Store& info, Data_Store&) const + { + info.add("X509v3.CRLNumber", crl_number); + } + +/* +* Encode the extension +*/ +MemoryVector<byte> CRL_ReasonCode::encode_inner() const + { + return DER_Encoder() + .encode(static_cast<u32bit>(reason), ENUMERATED, UNIVERSAL) + .get_contents(); + } + +/* +* Decode the extension +*/ +void CRL_ReasonCode::decode_inner(const MemoryRegion<byte>& in) + { + u32bit reason_code = 0; + BER_Decoder(in).decode(reason_code, ENUMERATED, UNIVERSAL); + reason = static_cast<CRL_Code>(reason_code); + } + +/* +* Return a textual representation +*/ +void CRL_ReasonCode::contents_to(Data_Store& info, Data_Store&) const + { + info.add("X509v3.CRLReasonCode", reason); + } + +} + +} diff --git a/botan/src/cert/x509/x509_ext.h b/botan/src/cert/x509/x509_ext.h new file mode 100644 index 0000000..108215e --- /dev/null +++ b/botan/src/cert/x509/x509_ext.h @@ -0,0 +1,317 @@ +/* +* X.509 Certificate Extensions +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_X509_EXTENSIONS_H__ +#define BOTAN_X509_EXTENSIONS_H__ + +#include <botan/asn1_int.h> +#include <botan/asn1_oid.h> +#include <botan/asn1_obj.h> +#include <botan/datastor.h> +#include <botan/pubkey_enums.h> + +namespace Botan { + +/* +* X.509 Certificate Extension +*/ +class BOTAN_DLL Certificate_Extension + { + public: + OID oid_of() const; + + virtual Certificate_Extension* copy() const = 0; + + virtual void contents_to(Data_Store&, Data_Store&) const = 0; + virtual std::string config_id() const = 0; + virtual std::string oid_name() const = 0; + + virtual ~Certificate_Extension() {} + protected: + friend class Extensions; + virtual bool should_encode() const { return true; } + virtual MemoryVector<byte> encode_inner() const = 0; + virtual void decode_inner(const MemoryRegion<byte>&) = 0; + }; + +/* +* X.509 Certificate Extension List +*/ +class BOTAN_DLL Extensions : public ASN1_Object + { + public: + void encode_into(class DER_Encoder&) const; + void decode_from(class BER_Decoder&); + + void contents_to(Data_Store&, Data_Store&) const; + + void add(Certificate_Extension* extn) + { extensions.push_back(extn); } + + Extensions& operator=(const Extensions&); + + Extensions(const Extensions&); + Extensions(bool st = true) : should_throw(st) {} + ~Extensions(); + private: + static Certificate_Extension* get_extension(const OID&); + + std::vector<Certificate_Extension*> extensions; + bool should_throw; + }; + +namespace Cert_Extension { + +/* +* Basic Constraints Extension +*/ +class BOTAN_DLL Basic_Constraints : public Certificate_Extension + { + public: + Basic_Constraints* copy() const + { return new Basic_Constraints(is_ca, path_limit); } + + Basic_Constraints(bool ca = false, u32bit limit = 0) : + is_ca(ca), path_limit(limit) {} + + bool get_is_ca() const { return is_ca; } + u32bit get_path_limit() const; + private: + std::string config_id() const { return "basic_constraints"; } + std::string oid_name() const { return "X509v3.BasicConstraints"; } + + MemoryVector<byte> encode_inner() const; + void decode_inner(const MemoryRegion<byte>&); + void contents_to(Data_Store&, Data_Store&) const; + + bool is_ca; + u32bit path_limit; + }; + +/* +* Key Usage Constraints Extension +*/ +class BOTAN_DLL Key_Usage : public Certificate_Extension + { + public: + Key_Usage* copy() const { return new Key_Usage(constraints); } + + Key_Usage(Key_Constraints c = NO_CONSTRAINTS) : constraints(c) {} + + Key_Constraints get_constraints() const { return constraints; } + private: + std::string config_id() const { return "key_usage"; } + std::string oid_name() const { return "X509v3.KeyUsage"; } + + bool should_encode() const { return (constraints != NO_CONSTRAINTS); } + MemoryVector<byte> encode_inner() const; + void decode_inner(const MemoryRegion<byte>&); + void contents_to(Data_Store&, Data_Store&) const; + + Key_Constraints constraints; + }; + +/* +* Subject Key Identifier Extension +*/ +class BOTAN_DLL Subject_Key_ID : public Certificate_Extension + { + public: + Subject_Key_ID* copy() const { return new Subject_Key_ID(key_id); } + + Subject_Key_ID() {} + Subject_Key_ID(const MemoryRegion<byte>&); + + MemoryVector<byte> get_key_id() const { return key_id; } + private: + std::string config_id() const { return "subject_key_id"; } + std::string oid_name() const { return "X509v3.SubjectKeyIdentifier"; } + + bool should_encode() const { return (key_id.size() > 0); } + MemoryVector<byte> encode_inner() const; + void decode_inner(const MemoryRegion<byte>&); + void contents_to(Data_Store&, Data_Store&) const; + + MemoryVector<byte> key_id; + }; + +/* +* Authority Key Identifier Extension +*/ +class BOTAN_DLL Authority_Key_ID : public Certificate_Extension + { + public: + Authority_Key_ID* copy() const { return new Authority_Key_ID(key_id); } + + Authority_Key_ID() {} + Authority_Key_ID(const MemoryRegion<byte>& k) : key_id(k) {} + + MemoryVector<byte> get_key_id() const { return key_id; } + private: + std::string config_id() const { return "authority_key_id"; } + std::string oid_name() const { return "X509v3.AuthorityKeyIdentifier"; } + + bool should_encode() const { return (key_id.size() > 0); } + MemoryVector<byte> encode_inner() const; + void decode_inner(const MemoryRegion<byte>&); + void contents_to(Data_Store&, Data_Store&) const; + + MemoryVector<byte> key_id; + }; + +/* +* Alternative Name Extension Base Class +*/ +class BOTAN_DLL Alternative_Name : public Certificate_Extension + { + public: + AlternativeName get_alt_name() const { return alt_name; } + + protected: + Alternative_Name(const AlternativeName&, + const std::string&, const std::string&); + + Alternative_Name(const std::string&, const std::string&); + private: + std::string config_id() const { return config_name_str; } + std::string oid_name() const { return oid_name_str; } + + bool should_encode() const { return alt_name.has_items(); } + MemoryVector<byte> encode_inner() const; + void decode_inner(const MemoryRegion<byte>&); + void contents_to(Data_Store&, Data_Store&) const; + + std::string config_name_str, oid_name_str; + AlternativeName alt_name; + }; + +/* +* Subject Alternative Name Extension +*/ +class BOTAN_DLL Subject_Alternative_Name : public Alternative_Name + { + public: + Subject_Alternative_Name* copy() const + { return new Subject_Alternative_Name(get_alt_name()); } + + Subject_Alternative_Name(const AlternativeName& = AlternativeName()); + }; + +/* +* Issuer Alternative Name Extension +*/ +class BOTAN_DLL Issuer_Alternative_Name : public Alternative_Name + { + public: + Issuer_Alternative_Name* copy() const + { return new Issuer_Alternative_Name(get_alt_name()); } + + Issuer_Alternative_Name(const AlternativeName& = AlternativeName()); + }; + +/* +* Extended Key Usage Extension +*/ +class BOTAN_DLL Extended_Key_Usage : public Certificate_Extension + { + public: + Extended_Key_Usage* copy() const { return new Extended_Key_Usage(oids); } + + Extended_Key_Usage() {} + Extended_Key_Usage(const std::vector<OID>& o) : oids(o) {} + + std::vector<OID> get_oids() const { return oids; } + private: + std::string config_id() const { return "extended_key_usage"; } + std::string oid_name() const { return "X509v3.ExtendedKeyUsage"; } + + bool should_encode() const { return (oids.size() > 0); } + MemoryVector<byte> encode_inner() const; + void decode_inner(const MemoryRegion<byte>&); + void contents_to(Data_Store&, Data_Store&) const; + + std::vector<OID> oids; + }; + +/* +* Certificate Policies Extension +*/ +class BOTAN_DLL Certificate_Policies : public Certificate_Extension + { + public: + Certificate_Policies* copy() const + { return new Certificate_Policies(oids); } + + Certificate_Policies() {} + Certificate_Policies(const std::vector<OID>& o) : oids(o) {} + + std::vector<OID> get_oids() const { return oids; } + private: + std::string config_id() const { return "policy_info"; } + std::string oid_name() const { return "X509v3.CertificatePolicies"; } + + bool should_encode() const { return (oids.size() > 0); } + MemoryVector<byte> encode_inner() const; + void decode_inner(const MemoryRegion<byte>&); + void contents_to(Data_Store&, Data_Store&) const; + + std::vector<OID> oids; + }; + +/* +* CRL Number Extension +*/ +class BOTAN_DLL CRL_Number : public Certificate_Extension + { + public: + CRL_Number* copy() const; + + CRL_Number() : has_value(false), crl_number(0) {} + CRL_Number(u32bit n) : has_value(true), crl_number(n) {} + + u32bit get_crl_number() const; + private: + std::string config_id() const { return "crl_number"; } + std::string oid_name() const { return "X509v3.CRLNumber"; } + + bool should_encode() const { return has_value; } + MemoryVector<byte> encode_inner() const; + void decode_inner(const MemoryRegion<byte>&); + void contents_to(Data_Store&, Data_Store&) const; + + bool has_value; + u32bit crl_number; + }; + +/* +* CRL Entry Reason Code Extension +*/ +class BOTAN_DLL CRL_ReasonCode : public Certificate_Extension + { + public: + CRL_ReasonCode* copy() const { return new CRL_ReasonCode(reason); } + + CRL_ReasonCode(CRL_Code r = UNSPECIFIED) : reason(r) {} + + CRL_Code get_reason() const { return reason; } + private: + std::string config_id() const { return "crl_reason"; } + std::string oid_name() const { return "X509v3.ReasonCode"; } + + bool should_encode() const { return (reason != UNSPECIFIED); } + MemoryVector<byte> encode_inner() const; + void decode_inner(const MemoryRegion<byte>&); + void contents_to(Data_Store&, Data_Store&) const; + + CRL_Code reason; + }; + +} + +} + +#endif diff --git a/botan/src/cert/x509/x509_obj.cpp b/botan/src/cert/x509/x509_obj.cpp new file mode 100644 index 0000000..31b4a30 --- /dev/null +++ b/botan/src/cert/x509/x509_obj.cpp @@ -0,0 +1,235 @@ +/* +* X.509 SIGNED Object +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/x509_obj.h> +#include <botan/x509_key.h> +#include <botan/look_pk.h> +#include <botan/oids.h> +#include <botan/der_enc.h> +#include <botan/ber_dec.h> +#include <botan/parsing.h> +#include <botan/pem.h> +#include <algorithm> +#include <memory> + +namespace Botan { + +/* +* Create a generic X.509 object +*/ +X509_Object::X509_Object(DataSource& stream, const std::string& labels) + { + init(stream, labels); + } + +/* +* Createa a generic X.509 object +*/ +X509_Object::X509_Object(const std::string& file, const std::string& labels) + { + DataSource_Stream stream(file, true); + init(stream, labels); + } + +/* +* Read a PEM or BER X.509 object +*/ +void X509_Object::init(DataSource& in, const std::string& labels) + { + PEM_labels_allowed = split_on(labels, '/'); + if(PEM_labels_allowed.size() < 1) + throw Invalid_Argument("Bad labels argument to X509_Object"); + + PEM_label_pref = PEM_labels_allowed[0]; + std::sort(PEM_labels_allowed.begin(), PEM_labels_allowed.end()); + + try { + if(ASN1::maybe_BER(in) && !PEM_Code::matches(in)) + decode_info(in); + else + { + std::string got_label; + DataSource_Memory ber(PEM_Code::decode(in, got_label)); + + if(!std::binary_search(PEM_labels_allowed.begin(), + PEM_labels_allowed.end(), got_label)) + throw Decoding_Error("Invalid PEM label: " + got_label); + decode_info(ber); + } + } + catch(Decoding_Error) + { + throw Decoding_Error(PEM_label_pref + " decoding failed"); + } + } + +/* +* Read a BER encoded X.509 object +*/ +void X509_Object::decode_info(DataSource& source) + { + BER_Decoder(source) + .start_cons(SEQUENCE) + .start_cons(SEQUENCE) + .raw_bytes(tbs_bits) + .end_cons() + .decode(sig_algo) + .decode(sig, BIT_STRING) + .verify_end() + .end_cons(); + } + +/* +* Return a BER or PEM encoded X.509 object +*/ +void X509_Object::encode(Pipe& out, X509_Encoding encoding) const + { + SecureVector<byte> der = DER_Encoder() + .start_cons(SEQUENCE) + .start_cons(SEQUENCE) + .raw_bytes(tbs_bits) + .end_cons() + .encode(sig_algo) + .encode(sig, BIT_STRING) + .end_cons() + .get_contents(); + + if(encoding == PEM) + out.write(PEM_Code::encode(der, PEM_label_pref)); + else + out.write(der); + } + +/* +* Return a BER encoded X.509 object +*/ +SecureVector<byte> X509_Object::BER_encode() const + { + Pipe ber; + ber.start_msg(); + encode(ber, RAW_BER); + ber.end_msg(); + return ber.read_all(); + } + +/* +* Return a PEM encoded X.509 object +*/ +std::string X509_Object::PEM_encode() const + { + Pipe pem; + pem.start_msg(); + encode(pem, PEM); + pem.end_msg(); + return pem.read_all_as_string(); + } + +/* +* Return the TBS data +*/ +SecureVector<byte> X509_Object::tbs_data() const + { + return ASN1::put_in_sequence(tbs_bits); + } + +/* +* Return the signature of this object +*/ +SecureVector<byte> X509_Object::signature() const + { + return sig; + } + +/* +* Return the algorithm used to sign this object +*/ +AlgorithmIdentifier X509_Object::signature_algorithm() const + { + return sig_algo; + } + +/* +* Check the signature on an object +*/ +bool X509_Object::check_signature(Public_Key& pub_key) const + { + try { + std::vector<std::string> sig_info = + split_on(OIDS::lookup(sig_algo.oid), '/'); + + if(sig_info.size() != 2 || sig_info[0] != pub_key.algo_name()) + return false; + + std::string padding = sig_info[1]; + Signature_Format format = + (pub_key.message_parts() >= 2) ? DER_SEQUENCE : IEEE_1363; + + std::auto_ptr<PK_Verifier> verifier; + + if(dynamic_cast<PK_Verifying_with_MR_Key*>(&pub_key)) + { + PK_Verifying_with_MR_Key& sig_key = + dynamic_cast<PK_Verifying_with_MR_Key&>(pub_key); + verifier.reset(get_pk_verifier(sig_key, padding, format)); + } + else if(dynamic_cast<PK_Verifying_wo_MR_Key*>(&pub_key)) + { + PK_Verifying_wo_MR_Key& sig_key = + dynamic_cast<PK_Verifying_wo_MR_Key&>(pub_key); + verifier.reset(get_pk_verifier(sig_key, padding, format)); + } + else + return false; + + return verifier->verify_message(tbs_data(), signature()); + } + catch(...) + { + return false; + } + } + +/* +* Apply the X.509 SIGNED macro +*/ +MemoryVector<byte> X509_Object::make_signed(PK_Signer* signer, + RandomNumberGenerator& rng, + const AlgorithmIdentifier& algo, + const MemoryRegion<byte>& tbs_bits) + { + return DER_Encoder() + .start_cons(SEQUENCE) + .raw_bytes(tbs_bits) + .encode(algo) + .encode(signer->sign_message(tbs_bits, rng), BIT_STRING) + .end_cons() + .get_contents(); + } + +/* +* Try to decode the actual information +*/ +void X509_Object::do_decode() + { + try { + force_decode(); + } + catch(Decoding_Error& e) + { + const std::string what = e.what(); + throw Decoding_Error(PEM_label_pref + " decoding failed (" + + what.substr(23, std::string::npos) + ")"); + } + catch(Invalid_Argument& e) + { + const std::string what = e.what(); + throw Decoding_Error(PEM_label_pref + " decoding failed (" + + what.substr(7, std::string::npos) + ")"); + } + } + +} diff --git a/botan/src/cert/x509/x509_obj.h b/botan/src/cert/x509/x509_obj.h new file mode 100644 index 0000000..c7f92fa --- /dev/null +++ b/botan/src/cert/x509/x509_obj.h @@ -0,0 +1,67 @@ +/* +* X.509 SIGNED Object +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_X509_OBJECT_H__ +#define BOTAN_X509_OBJECT_H__ + +#include <botan/asn1_obj.h> +#include <botan/pipe.h> +#include <botan/pubkey_enums.h> +#include <botan/rng.h> +#include <vector> + +namespace Botan { + +/** +* This class represents abstract X.509 signed objects as +* in the X.500 SIGNED macro +*/ +class BOTAN_DLL X509_Object + { + public: + SecureVector<byte> tbs_data() const; + SecureVector<byte> signature() const; + AlgorithmIdentifier signature_algorithm() const; + + /** + * Create a signed X509 object. + * @param signer the signer used to sign the object + * @param rng the random number generator to use + * @param alg_id the algorithm identifier of the signature scheme + * @param tbs the tbs bits to be signed + * @return the signed X509 object + */ + static MemoryVector<byte> make_signed(class PK_Signer* signer, + RandomNumberGenerator& rng, + const AlgorithmIdentifier& alg_id, + const MemoryRegion<byte>& tbs); + + bool check_signature(class Public_Key&) const; + + void encode(Pipe&, X509_Encoding = PEM) const; + SecureVector<byte> BER_encode() const; + std::string PEM_encode() const; + + X509_Object(DataSource&, const std::string&); + X509_Object(const std::string&, const std::string&); + virtual ~X509_Object() {} + protected: + void do_decode(); + X509_Object() {} + AlgorithmIdentifier sig_algo; + SecureVector<byte> tbs_bits, sig; + private: + virtual void force_decode() = 0; + void init(DataSource&, const std::string&); + void decode_info(DataSource&); + std::vector<std::string> PEM_labels_allowed; + std::string PEM_label_pref; + }; + +} + +#endif diff --git a/botan/src/cert/x509/x509cert.cpp b/botan/src/cert/x509/x509cert.cpp new file mode 100644 index 0000000..ac5839f --- /dev/null +++ b/botan/src/cert/x509/x509cert.cpp @@ -0,0 +1,366 @@ +/* +* X.509 Certificates +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/x509cert.h> +#include <botan/x509_ext.h> +#include <botan/der_enc.h> +#include <botan/ber_dec.h> +#include <botan/stl_util.h> +#include <botan/parsing.h> +#include <botan/bigint.h> +#include <botan/oids.h> +#include <botan/pem.h> +#include <algorithm> + +namespace Botan { + +namespace { + +/* +* Lookup each OID in the vector +*/ +std::vector<std::string> lookup_oids(const std::vector<std::string>& in) + { + std::vector<std::string> out; + + std::vector<std::string>::const_iterator i = in.begin(); + while(i != in.end()) + { + out.push_back(OIDS::lookup(OID(*i))); + ++i; + } + return out; + } + +} + +/* +* X509_Certificate Constructor +*/ +X509_Certificate::X509_Certificate(DataSource& in) : + X509_Object(in, "CERTIFICATE/X509 CERTIFICATE") + { + self_signed = false; + do_decode(); + } + +/* +* X509_Certificate Constructor +*/ +X509_Certificate::X509_Certificate(const std::string& in) : + X509_Object(in, "CERTIFICATE/X509 CERTIFICATE") + { + self_signed = false; + do_decode(); + } + +/* +* Decode the TBSCertificate data +*/ +void X509_Certificate::force_decode() + { + u32bit version; + BigInt serial_bn; + AlgorithmIdentifier sig_algo_inner; + X509_DN dn_issuer, dn_subject; + X509_Time start, end; + + BER_Decoder tbs_cert(tbs_bits); + + tbs_cert.decode_optional(version, ASN1_Tag(0), + ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)) + .decode(serial_bn) + .decode(sig_algo_inner) + .decode(dn_issuer) + .start_cons(SEQUENCE) + .decode(start) + .decode(end) + .verify_end() + .end_cons() + .decode(dn_subject); + + if(version > 2) + throw Decoding_Error("Unknown X.509 cert version " + to_string(version)); + if(sig_algo != sig_algo_inner) + throw Decoding_Error("Algorithm identifier mismatch"); + + self_signed = (dn_subject == dn_issuer); + + subject.add(dn_subject.contents()); + issuer.add(dn_issuer.contents()); + + BER_Object public_key = tbs_cert.get_next_object(); + if(public_key.type_tag != SEQUENCE || public_key.class_tag != CONSTRUCTED) + throw BER_Bad_Tag("X509_Certificate: Unexpected tag for public key", + public_key.type_tag, public_key.class_tag); + + MemoryVector<byte> v2_issuer_key_id, v2_subject_key_id; + + tbs_cert.decode_optional_string(v2_issuer_key_id, BIT_STRING, 1); + tbs_cert.decode_optional_string(v2_subject_key_id, BIT_STRING, 2); + + BER_Object v3_exts_data = tbs_cert.get_next_object(); + if(v3_exts_data.type_tag == 3 && + v3_exts_data.class_tag == ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)) + { + Extensions extensions; + + BER_Decoder(v3_exts_data.value).decode(extensions).verify_end(); + + extensions.contents_to(subject, issuer); + } + else if(v3_exts_data.type_tag != NO_OBJECT) + throw BER_Bad_Tag("Unknown tag in X.509 cert", + v3_exts_data.type_tag, v3_exts_data.class_tag); + + if(tbs_cert.more_items()) + throw Decoding_Error("TBSCertificate has more items that expected"); + + subject.add("X509.Certificate.version", version); + subject.add("X509.Certificate.serial", BigInt::encode(serial_bn)); + subject.add("X509.Certificate.start", start.readable_string()); + subject.add("X509.Certificate.end", end.readable_string()); + + issuer.add("X509.Certificate.v2.key_id", v2_issuer_key_id); + subject.add("X509.Certificate.v2.key_id", v2_subject_key_id); + + subject.add("X509.Certificate.public_key", + PEM_Code::encode( + ASN1::put_in_sequence(public_key.value), + "PUBLIC KEY" + ) + ); + + if(is_CA_cert() && + !subject.has_value("X509v3.BasicConstraints.path_constraint")) + { + u32bit limit = (x509_version() < 3) ? NO_CERT_PATH_LIMIT : 0; + subject.add("X509v3.BasicConstraints.path_constraint", limit); + } + } + +/* +* Return the X.509 version in use +*/ +u32bit X509_Certificate::x509_version() const + { + return (subject.get1_u32bit("X509.Certificate.version") + 1); + } + +/* +* Return the time this cert becomes valid +*/ +std::string X509_Certificate::start_time() const + { + return subject.get1("X509.Certificate.start"); + } + +/* +* Return the time this cert becomes invalid +*/ +std::string X509_Certificate::end_time() const + { + return subject.get1("X509.Certificate.end"); + } + +/* +* Return information about the subject +*/ +std::vector<std::string> +X509_Certificate::subject_info(const std::string& what) const + { + return subject.get(X509_DN::deref_info_field(what)); + } + +/* +* Return information about the issuer +*/ +std::vector<std::string> +X509_Certificate::issuer_info(const std::string& what) const + { + return issuer.get(X509_DN::deref_info_field(what)); + } + +/* +* Return the public key in this certificate +*/ +Public_Key* X509_Certificate::subject_public_key() const + { + DataSource_Memory source(subject.get1("X509.Certificate.public_key")); + return X509::load_key(source); + } + +/* +* Check if the certificate is for a CA +*/ +bool X509_Certificate::is_CA_cert() const + { + if(!subject.get1_u32bit("X509v3.BasicConstraints.is_ca")) + return false; + if((constraints() & KEY_CERT_SIGN) || (constraints() == NO_CONSTRAINTS)) + return true; + return false; + } + +/* +* Return the path length constraint +*/ +u32bit X509_Certificate::path_limit() const + { + return subject.get1_u32bit("X509v3.BasicConstraints.path_constraint", 0); + } + +/* +* Return the key usage constraints +*/ +Key_Constraints X509_Certificate::constraints() const + { + return Key_Constraints(subject.get1_u32bit("X509v3.KeyUsage", + NO_CONSTRAINTS)); + } + +/* +* Return the list of extended key usage OIDs +*/ +std::vector<std::string> X509_Certificate::ex_constraints() const + { + return lookup_oids(subject.get("X509v3.ExtendedKeyUsage")); + } + +/* +* Return the list of certificate policies +*/ +std::vector<std::string> X509_Certificate::policies() const + { + return lookup_oids(subject.get("X509v3.CertificatePolicies")); + } + +/* +* Return the authority key id +*/ +MemoryVector<byte> X509_Certificate::authority_key_id() const + { + return issuer.get1_memvec("X509v3.AuthorityKeyIdentifier"); + } + +/* +* Return the subject key id +*/ +MemoryVector<byte> X509_Certificate::subject_key_id() const + { + return subject.get1_memvec("X509v3.SubjectKeyIdentifier"); + } + +/* +* Return the certificate serial number +*/ +MemoryVector<byte> X509_Certificate::serial_number() const + { + return subject.get1_memvec("X509.Certificate.serial"); + } + +/* +* Return the distinguished name of the issuer +*/ +X509_DN X509_Certificate::issuer_dn() const + { + return create_dn(issuer); + } + +/* +* Return the distinguished name of the subject +*/ +X509_DN X509_Certificate::subject_dn() const + { + return create_dn(subject); + } + +/* +* Compare two certificates for equality +*/ +bool X509_Certificate::operator==(const X509_Certificate& other) const + { + return (sig == other.sig && + sig_algo == other.sig_algo && + self_signed == other.self_signed && + issuer == other.issuer && + subject == other.subject); + } + +/* +* X.509 Certificate Comparison +*/ +bool operator!=(const X509_Certificate& cert1, const X509_Certificate& cert2) + { + return !(cert1 == cert2); + } + +/* +* Create and populate a X509_DN +*/ +X509_DN create_dn(const Data_Store& info) + { + class DN_Matcher : public Data_Store::Matcher + { + public: + bool operator()(const std::string& key, const std::string&) const + { + if(key.find("X520.") != std::string::npos) + return true; + return false; + } + }; + + std::multimap<std::string, std::string> names = + info.search_with(DN_Matcher()); + + X509_DN dn; + + std::multimap<std::string, std::string>::iterator j; + for(j = names.begin(); j != names.end(); ++j) + dn.add_attribute(j->first, j->second); + + return dn; + } + +/* +* Create and populate an AlternativeName +*/ +AlternativeName create_alt_name(const Data_Store& info) + { + class AltName_Matcher : public Data_Store::Matcher + { + public: + bool operator()(const std::string& key, const std::string&) const + { + for(u32bit j = 0; j != matches.size(); ++j) + if(key.compare(matches[j]) == 0) + return true; + return false; + } + + AltName_Matcher(const std::string& match_any_of) + { + matches = split_on(match_any_of, '/'); + } + private: + std::vector<std::string> matches; + }; + + std::multimap<std::string, std::string> names = + info.search_with(AltName_Matcher("RFC822/DNS/URI/IP")); + + AlternativeName alt_name; + + std::multimap<std::string, std::string>::iterator j; + for(j = names.begin(); j != names.end(); ++j) + alt_name.add_attribute(j->first, j->second); + + return alt_name; + } + +} diff --git a/botan/src/cert/x509/x509cert.h b/botan/src/cert/x509/x509cert.h new file mode 100644 index 0000000..4a9d11f --- /dev/null +++ b/botan/src/cert/x509/x509cert.h @@ -0,0 +1,185 @@ +/* +* X.509 Certificates +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_X509_CERTS_H__ +#define BOTAN_X509_CERTS_H__ + +#include <botan/x509_obj.h> +#include <botan/x509_key.h> +#include <botan/datastor.h> +#include <botan/pubkey_enums.h> +#include <map> + +namespace Botan { + +/** +* This class represents X.509 Certificate +*/ +class BOTAN_DLL X509_Certificate : public X509_Object + { + public: + /** + * Get the public key associated with this certificate. + * @return the subject public key of this certificate + */ + Public_Key* subject_public_key() const; + + /** + * Get the issuer certificate DN. + * @return the issuer DN of this certificate + */ + X509_DN issuer_dn() const; + + /** + * Get the subject certificate DN. + * @return the subject DN of this certificate + */ + X509_DN subject_dn() const; + + /** + * Get a value for a specific subject_info parameter name. + * @param name the name of the paramter to look up. Possible names are + * "X509.Certificate.version", "X509.Certificate.serial", + * "X509.Certificate.start", "X509.Certificate.end", + * "X509.Certificate.v2.key_id", "X509.Certificate.public_key", + * "X509v3.BasicConstraints.path_constraint", + * "X509v3.BasicConstraints.is_ca", "X509v3.ExtendedKeyUsage", + * "X509v3.CertificatePolicies", "X509v3.SubjectKeyIdentifier" or + * "X509.Certificate.serial". + * @return the value(s) of the specified parameter + */ + std::vector<std::string> subject_info(const std::string& name) const; + + /** + * Get a value for a specific subject_info parameter name. + * @param name the name of the paramter to look up. Possible names are + * "X509.Certificate.v2.key_id" or "X509v3.AuthorityKeyIdentifier". + * @return the value(s) of the specified parameter + */ + std::vector<std::string> issuer_info(const std::string& name) const; + + /** + * Get the notBefore of the certificate. + * @return the notBefore of the certificate + */ + std::string start_time() const; + + /** + * Get the notAfter of the certificate. + * @return the notAfter of the certificate + */ + std::string end_time() const; + + /** + * Get the X509 version of this certificate object. + * @return the X509 version + */ + u32bit x509_version() const; + + /** + * Get the serial number of this certificate. + * @return the certificates serial number + */ + MemoryVector<byte> serial_number() const; + + /** + * Get the DER encoded AuthorityKeyIdentifier of this certificate. + * @return the DER encoded AuthorityKeyIdentifier + */ + MemoryVector<byte> authority_key_id() const; + + /** + * Get the DER encoded SubjectKeyIdentifier of this certificate. + * @return the DER encoded SubjectKeyIdentifier + */ + MemoryVector<byte> subject_key_id() const; + + /** + * Check whether this certificate is self signed. + * @return true if this certificate is self signed + */ + bool is_self_signed() const { return self_signed; } + + /** + * Check whether this certificate is a CA certificate. + * @return true if this certificate is a CA certificate + */ + bool is_CA_cert() const; + + /** + * Get the path limit as defined in the BasicConstraints extension of + * this certificate. + * @return the path limit + */ + u32bit path_limit() const; + + /** + * Get the key constraints as defined in the KeyUsage extension of this + * certificate. + * @return the key constraints + */ + Key_Constraints constraints() const; + + /** + * Get the key constraints as defined in the ExtendedKeyUsage + * extension of this + * certificate. + * @return the key constraints + */ + std::vector<std::string> ex_constraints() const; + + /** + * Get the policies as defined in the CertificatePolicies extension + * of this certificate. + * @return the certificate policies + */ + std::vector<std::string> policies() const; + + /** + * Check to certificates for equality. + * @return true both certificates are (binary) equal + */ + bool operator==(const X509_Certificate& other) const; + + /** + * Create a certificate from a data source providing the DER or + * PEM encoded certificate. + * @param source the data source + */ + X509_Certificate(DataSource& source); + + /** + * Create a certificate from a file containing the DER or PEM + * encoded certificate. + * @param filename the name of the certificate file + */ + X509_Certificate(const std::string& filename); + private: + void force_decode(); + friend class X509_CA; + X509_Certificate() {} + + Data_Store subject, issuer; + bool self_signed; + }; + +/** +* Check two certificates for inequality +* @return true if the arguments represent different certificates, +* false if they are binary identical +*/ +BOTAN_DLL bool operator!=(const X509_Certificate&, const X509_Certificate&); + +/* +* Data Store Extraction Operations +*/ +BOTAN_DLL X509_DN create_dn(const Data_Store&); +BOTAN_DLL AlternativeName create_alt_name(const Data_Store&); + +} + +#endif diff --git a/botan/src/cert/x509/x509find.cpp b/botan/src/cert/x509/x509find.cpp new file mode 100644 index 0000000..257367d --- /dev/null +++ b/botan/src/cert/x509/x509find.cpp @@ -0,0 +1,111 @@ +/* +* X.509 Certificate Store Searching +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/x509find.h> +#include <botan/charset.h> +#include <algorithm> + +namespace Botan { + +namespace { + +/* +* Compare based on case-insensive substrings +*/ +bool substring_match(const std::string& searching_for, + const std::string& found) + { + if(std::search(found.begin(), found.end(), searching_for.begin(), + searching_for.end(), Charset::caseless_cmp) != found.end()) + return true; + return false; + } + +/* +* Compare based on case-insensive match +*/ +bool ignore_case(const std::string& searching_for, const std::string& found) + { + if(searching_for.size() != found.size()) + return false; + + return std::equal(found.begin(), found.end(), + searching_for.begin(), Charset::caseless_cmp); + } + +} + +/* +* Search based on the contents of a DN entry +*/ +bool DN_Check::match(const X509_Certificate& cert) const + { + std::vector<std::string> info = cert.subject_info(dn_entry); + + for(u32bit j = 0; j != info.size(); ++j) + if(compare(info[j], looking_for)) + return true; + return false; + } + +/* +* DN_Check Constructor +*/ +DN_Check::DN_Check(const std::string& dn_entry, const std::string& looking_for, + compare_fn func) + { + this->dn_entry = dn_entry; + this->looking_for = looking_for; + compare = func; + } + +/* +* DN_Check Constructor +*/ +DN_Check::DN_Check(const std::string& dn_entry, const std::string& looking_for, + Search_Type method) + { + this->dn_entry = dn_entry; + this->looking_for = looking_for; + + if(method == SUBSTRING_MATCHING) + compare = &substring_match; + else if(method == IGNORE_CASE) + compare = &ignore_case; + else + throw Invalid_Argument("Unknown method argument to DN_Check()"); + } + +/* +* Match by issuer and serial number +*/ +bool IandS_Match::match(const X509_Certificate& cert) const + { + if(cert.serial_number() != serial) + return false; + return (cert.issuer_dn() == issuer); + } + +/* +* IandS_Match Constructor +*/ +IandS_Match::IandS_Match(const X509_DN& issuer, + const MemoryRegion<byte>& serial) + { + this->issuer = issuer; + this->serial = serial; + } + +/* +* Match by subject key identifier +*/ +bool SKID_Match::match(const X509_Certificate& cert) const + { + return (cert.subject_key_id() == skid); + } + +} diff --git a/botan/src/cert/x509/x509find.h b/botan/src/cert/x509/x509find.h new file mode 100644 index 0000000..a7a84c7 --- /dev/null +++ b/botan/src/cert/x509/x509find.h @@ -0,0 +1,60 @@ +/* +* X.509 Certificate Store Searching +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_X509_CERT_STORE_SEARCH_H__ +#define BOTAN_X509_CERT_STORE_SEARCH_H__ + +#include <botan/x509stor.h> + +namespace Botan { + +/* +* Search based on the contents of a DN entry +*/ +class BOTAN_DLL DN_Check : public X509_Store::Search_Func + { + public: + typedef bool (*compare_fn)(const std::string&, const std::string&); + enum Search_Type { SUBSTRING_MATCHING, IGNORE_CASE }; + + bool match(const X509_Certificate& cert) const; + + DN_Check(const std::string&, const std::string&, compare_fn); + DN_Check(const std::string&, const std::string&, Search_Type); + private: + std::string dn_entry, looking_for; + compare_fn compare; + }; + +/* +* Search for a certificate by issuer/serial +*/ +class BOTAN_DLL IandS_Match : public X509_Store::Search_Func + { + public: + bool match(const X509_Certificate& cert) const; + IandS_Match(const X509_DN&, const MemoryRegion<byte>&); + private: + X509_DN issuer; + MemoryVector<byte> serial; + }; + +/* +* Search for a certificate by subject keyid +*/ +class BOTAN_DLL SKID_Match : public X509_Store::Search_Func + { + public: + bool match(const X509_Certificate& cert) const; + SKID_Match(const MemoryRegion<byte>& s) : skid(s) {} + private: + MemoryVector<byte> skid; + }; + +} + +#endif diff --git a/botan/src/cert/x509/x509opt.cpp b/botan/src/cert/x509/x509opt.cpp new file mode 100644 index 0000000..de9d589 --- /dev/null +++ b/botan/src/cert/x509/x509opt.cpp @@ -0,0 +1,108 @@ +/* +* X.509 Certificate Options +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/x509self.h> +#include <botan/util.h> +#include <botan/parsing.h> +#include <botan/oids.h> +#include <ctime> + +namespace Botan { + +/* +* Set when the certificate should become valid +*/ +void X509_Cert_Options::not_before(const std::string& time_string) + { + start = X509_Time(time_string); + } + +/* +* Set when the certificate should expire +*/ +void X509_Cert_Options::not_after(const std::string& time_string) + { + end = X509_Time(time_string); + } + +/* +* Set key constraint information +*/ +void X509_Cert_Options::add_constraints(Key_Constraints usage) + { + constraints = usage; + } + +/* +* Set key constraint information +*/ +void X509_Cert_Options::add_ex_constraint(const OID& oid) + { + ex_constraints.push_back(oid); + } + +/* +* Set key constraint information +*/ +void X509_Cert_Options::add_ex_constraint(const std::string& oid_str) + { + ex_constraints.push_back(OIDS::lookup(oid_str)); + } + +/* +* Mark this certificate for CA usage +*/ +void X509_Cert_Options::CA_key(u32bit limit) + { + is_CA = true; + path_limit = limit; + } + +/* +* Do basic sanity checks +*/ +void X509_Cert_Options::sanity_check() const + { + if(common_name == "" || country == "") + throw Encoding_Error("X.509 certificate: name and country MUST be set"); + if(country.size() != 2) + throw Encoding_Error("Invalid ISO country code: " + country); + if(start >= end) + throw Encoding_Error("X509_Cert_Options: invalid time constraints"); + } + +/* +* Initialize the certificate options +*/ +X509_Cert_Options::X509_Cert_Options(const std::string& initial_opts, + u32bit expiration_time_in_seconds) + { + is_CA = false; + path_limit = 0; + constraints = NO_CONSTRAINTS; + + const u32bit now = system_time(); + + start = X509_Time(now); + end = X509_Time(now + expiration_time_in_seconds); + + if(initial_opts == "") + return; + + std::vector<std::string> parsed = split_on(initial_opts, '/'); + + if(parsed.size() > 4) + throw Invalid_Argument("X.509 cert options: Too many names: " + + initial_opts); + + if(parsed.size() >= 1) common_name = parsed[0]; + if(parsed.size() >= 2) country = parsed[1]; + if(parsed.size() >= 3) organization = parsed[2]; + if(parsed.size() == 4) org_unit = parsed[3]; + } + +} diff --git a/botan/src/cert/x509/x509self.cpp b/botan/src/cert/x509/x509self.cpp new file mode 100644 index 0000000..8afb22a --- /dev/null +++ b/botan/src/cert/x509/x509self.cpp @@ -0,0 +1,176 @@ +/* +* PKCS #10/Self Signed Cert Creation +* (C) 1999-2008 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/x509self.h> +#include <botan/x509_ext.h> +#include <botan/x509_ca.h> +#include <botan/der_enc.h> +#include <botan/look_pk.h> +#include <botan/oids.h> +#include <botan/pipe.h> +#include <memory> + +namespace Botan { + +namespace { + +/* +* Shared setup for self-signed items +*/ +MemoryVector<byte> shared_setup(const X509_Cert_Options& opts, + const Private_Key& key) + { + const Private_Key* key_pointer = &key; + if(!dynamic_cast<const PK_Signing_Key*>(key_pointer)) + throw Invalid_Argument("Key type " + key.algo_name() + " cannot sign"); + + opts.sanity_check(); + + Pipe key_encoder; + key_encoder.start_msg(); + X509::encode(key, key_encoder, RAW_BER); + key_encoder.end_msg(); + + return key_encoder.read_all(); + } + +/* +* Load information from the X509_Cert_Options +*/ +void load_info(const X509_Cert_Options& opts, X509_DN& subject_dn, + AlternativeName& subject_alt) + { + subject_dn.add_attribute("X520.CommonName", opts.common_name); + subject_dn.add_attribute("X520.Country", opts.country); + subject_dn.add_attribute("X520.State", opts.state); + subject_dn.add_attribute("X520.Locality", opts.locality); + subject_dn.add_attribute("X520.Organization", opts.organization); + subject_dn.add_attribute("X520.OrganizationalUnit", opts.org_unit); + subject_dn.add_attribute("X520.SerialNumber", opts.serial_number); + subject_alt = AlternativeName(opts.email, opts.uri, opts.dns, opts.ip); + subject_alt.add_othername(OIDS::lookup("PKIX.XMPPAddr"), + opts.xmpp, UTF8_STRING); + } + +} + +namespace X509 { + +/* +* Create a new self-signed X.509 certificate +*/ +X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts, + const Private_Key& key, + RandomNumberGenerator& rng) + { + AlgorithmIdentifier sig_algo; + X509_DN subject_dn; + AlternativeName subject_alt; + + MemoryVector<byte> pub_key = shared_setup(opts, key); + std::auto_ptr<PK_Signer> signer(choose_sig_format(key, sig_algo)); + load_info(opts, subject_dn, subject_alt); + + Key_Constraints constraints; + if(opts.is_CA) + constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN); + else + constraints = find_constraints(key, opts.constraints); + + Extensions extensions; + + extensions.add(new Cert_Extension::Subject_Key_ID(pub_key)); + extensions.add(new Cert_Extension::Key_Usage(constraints)); + extensions.add( + new Cert_Extension::Extended_Key_Usage(opts.ex_constraints)); + extensions.add( + new Cert_Extension::Subject_Alternative_Name(subject_alt)); + extensions.add( + new Cert_Extension::Basic_Constraints(opts.is_CA, opts.path_limit)); + + return X509_CA::make_cert(signer.get(), rng, sig_algo, pub_key, + opts.start, opts.end, + subject_dn, subject_dn, + extensions); + } + +/* +* Create a PKCS #10 certificate request +*/ +PKCS10_Request create_cert_req(const X509_Cert_Options& opts, + const Private_Key& key, + RandomNumberGenerator& rng) + { + AlgorithmIdentifier sig_algo; + X509_DN subject_dn; + AlternativeName subject_alt; + + MemoryVector<byte> pub_key = shared_setup(opts, key); + std::auto_ptr<PK_Signer> signer(choose_sig_format(key, sig_algo)); + load_info(opts, subject_dn, subject_alt); + + const u32bit PKCS10_VERSION = 0; + + Extensions extensions; + + extensions.add( + new Cert_Extension::Basic_Constraints(opts.is_CA, opts.path_limit)); + extensions.add( + new Cert_Extension::Key_Usage( + opts.is_CA ? Key_Constraints(KEY_CERT_SIGN | CRL_SIGN) : + find_constraints(key, opts.constraints) + ) + ); + extensions.add( + new Cert_Extension::Extended_Key_Usage(opts.ex_constraints)); + extensions.add( + new Cert_Extension::Subject_Alternative_Name(subject_alt)); + + DER_Encoder tbs_req; + + tbs_req.start_cons(SEQUENCE) + .encode(PKCS10_VERSION) + .encode(subject_dn) + .raw_bytes(pub_key) + .start_explicit(0); + + if(opts.challenge != "") + { + ASN1_String challenge(opts.challenge, DIRECTORY_STRING); + + tbs_req.encode( + Attribute("PKCS9.ChallengePassword", + DER_Encoder().encode(challenge).get_contents() + ) + ); + } + + tbs_req.encode( + Attribute("PKCS9.ExtensionRequest", + DER_Encoder() + .start_cons(SEQUENCE) + .encode(extensions) + .end_cons() + .get_contents() + ) + ) + .end_explicit() + .end_cons(); + + DataSource_Memory source( + X509_Object::make_signed(signer.get(), + rng, + sig_algo, + tbs_req.get_contents()) + ); + + return PKCS10_Request(source); + } + +} + +} diff --git a/botan/src/cert/x509/x509self.h b/botan/src/cert/x509/x509self.h new file mode 100644 index 0000000..bd3e291 --- /dev/null +++ b/botan/src/cert/x509/x509self.h @@ -0,0 +1,198 @@ +/* +* X.509 Self-Signed Certificate +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_X509_SELF_H__ +#define BOTAN_X509_SELF_H__ + +#include <botan/x509cert.h> +#include <botan/pkcs8.h> +#include <botan/pkcs10.h> + +namespace Botan { + +/** +* Options for X.509 certificates. +*/ +class BOTAN_DLL X509_Cert_Options + { + public: + /** + * the subject common name + */ + std::string common_name; + + /** + * the subject counry + */ + std::string country; + + /** + * the subject organization + */ + std::string organization; + + /** + * the subject organizational unit + */ + std::string org_unit; + + /** + * the subject locality + */ + std::string locality; + + /** + * the subject state + */ + std::string state; + + /** + * the subject serial number + */ + std::string serial_number; + + /** + * the subject email adress + */ + std::string email; + + /** + * the subject URI + */ + std::string uri; + + /** + * the subject IPv4 address + */ + std::string ip; + + /** + * the subject DNS + */ + std::string dns; + + /** + * the subject XMPP + */ + std::string xmpp; + + /** + * the subject challenge password + */ + std::string challenge; + + /** + * the subject notBefore + */ + X509_Time start; + /** + * the subject notAfter + */ + X509_Time end; + + /** + * Indicates whether the certificate request + */ + bool is_CA; + + /** + * Indicates the BasicConstraints path limit + */ + u32bit path_limit; + + /** + * The key constraints for the subject public key + */ + Key_Constraints constraints; + + /** + * The key extended constraints for the subject public key + */ + std::vector<OID> ex_constraints; + + /** + * Check the options set in this object for validity. + */ + void sanity_check() const; + + /** + * Mark the certificate as a CA certificate and set the path limit. + * @param limit the path limit to be set in the BasicConstraints extension. + */ + void CA_key(u32bit limit = 1); + + /** + * Set the notBefore of the certificate. + * @param time the notBefore value of the certificate + */ + void not_before(const std::string& time); + + /** + * Set the notAfter of the certificate. + * @param time the notAfter value of the certificate + */ + void not_after(const std::string& time); + + /** + * Add the key constraints of the KeyUsage extension. + * @param constr the constraints to set + */ + void add_constraints(Key_Constraints constr); + + /** + * Add constraints to the ExtendedKeyUsage extension. + * @param oid the oid to add + */ + void add_ex_constraint(const OID& oid); + + /** + * Add constraints to the ExtendedKeyUsage extension. + * @param name the name to look up the oid to add + */ + void add_ex_constraint(const std::string& name); + + /** + * Construct a new options object + * @param opts define the common name of this object. An example for this + * parameter would be "common_name/country/organization/organizational_unit". + * @param expire_time the expiration time (from the current clock in seconds) + */ + X509_Cert_Options(const std::string& opts = "", + u32bit expire_time = 365 * 24 * 60 * 60); + }; + +namespace X509 { + +/** +* Create a self-signed X.509 certificate. +* @param opts the options defining the certificate to create +* @param key the private key used for signing, i.e. the key +* associated with this self-signed certificate +* @param rng the rng to use +* @return the newly created self-signed certificate +*/ +BOTAN_DLL X509_Certificate +create_self_signed_cert(const X509_Cert_Options& opts, + const Private_Key& key, + RandomNumberGenerator& rng); + +/** +* Create a PKCS#10 certificate request. +* @param opts the options defining the request to create +* @param key the key used to sign this request +* @param rng the rng to use +* @return the newly created PKCS#10 request +*/ +BOTAN_DLL PKCS10_Request create_cert_req(const X509_Cert_Options& opts, + const Private_Key& key, + RandomNumberGenerator& rng); + +} + +} + +#endif diff --git a/botan/src/cert/x509/x509stor.cpp b/botan/src/cert/x509/x509stor.cpp new file mode 100644 index 0000000..cb61bc2 --- /dev/null +++ b/botan/src/cert/x509/x509stor.cpp @@ -0,0 +1,695 @@ +/* +* X.509 Certificate Store +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/x509stor.h> +#include <botan/parsing.h> +#include <botan/pubkey.h> +#include <botan/look_pk.h> +#include <botan/oids.h> +#include <botan/util.h> +#include <algorithm> +#include <memory> + +namespace Botan { + +namespace { + +/* +* Do a validity check +*/ +s32bit validity_check(const X509_Time& start, const X509_Time& end, + u64bit current_time, u32bit slack) + { + const s32bit NOT_YET_VALID = -1, VALID_TIME = 0, EXPIRED = 1; + + if(start.cmp(current_time + slack) > 0) + return NOT_YET_VALID; + if(end.cmp(current_time - slack) < 0) + return EXPIRED; + return VALID_TIME; + } + +/* +* Compare the value of unique ID fields +*/ +bool compare_ids(const MemoryVector<byte>& id1, + const MemoryVector<byte>& id2) + { + if(!id1.size() || !id2.size()) + return true; + return (id1 == id2); + } + +/* +* Check a particular usage restriction +*/ +bool check_usage(const X509_Certificate& cert, X509_Store::Cert_Usage usage, + X509_Store::Cert_Usage check_for, Key_Constraints constraints) + { + if((usage & check_for) == 0) + return true; + if(cert.constraints() == NO_CONSTRAINTS) + return true; + if(cert.constraints() & constraints) + return true; + return false; + } + +/* +* Check a particular usage restriction +*/ +bool check_usage(const X509_Certificate& cert, X509_Store::Cert_Usage usage, + X509_Store::Cert_Usage check_for, + const std::string& usage_oid) + { + if((usage & check_for) == 0) + return true; + + const std::vector<std::string> constraints = cert.ex_constraints(); + + if(constraints.empty()) + return true; + + return std::binary_search(constraints.begin(), constraints.end(), + usage_oid); + } + +/* +* Check the usage restrictions +*/ +X509_Code usage_check(const X509_Certificate& cert, + X509_Store::Cert_Usage usage) + { + if(usage == X509_Store::ANY) + return VERIFIED; + + if(!check_usage(cert, usage, X509_Store::CRL_SIGNING, CRL_SIGN)) + return CA_CERT_NOT_FOR_CRL_ISSUER; + + if(!check_usage(cert, usage, X509_Store::TLS_SERVER, "PKIX.ServerAuth")) + return INVALID_USAGE; + if(!check_usage(cert, usage, X509_Store::TLS_CLIENT, "PKIX.ClientAuth")) + return INVALID_USAGE; + if(!check_usage(cert, usage, X509_Store::CODE_SIGNING, "PKIX.CodeSigning")) + return INVALID_USAGE; + if(!check_usage(cert, usage, X509_Store::EMAIL_PROTECTION, + "PKIX.EmailProtection")) + return INVALID_USAGE; + if(!check_usage(cert, usage, X509_Store::TIME_STAMPING, + "PKIX.TimeStamping")) + return INVALID_USAGE; + + return VERIFIED; + } + +} + +/* +* Define equality for revocation data +*/ +bool X509_Store::CRL_Data::operator==(const CRL_Data& other) const + { + if(issuer != other.issuer) + return false; + if(serial != other.serial) + return false; + return compare_ids(auth_key_id, other.auth_key_id); + } + +/* +* Define inequality for revocation data +*/ +bool X509_Store::CRL_Data::operator!=(const CRL_Data& other) const + { + return !((*this) == other); + } + +/* +* Define an ordering for revocation data +*/ +bool X509_Store::CRL_Data::operator<(const X509_Store::CRL_Data& other) const + { + if(*this == other) + return false; + + const MemoryVector<byte>& serial1 = serial; + const MemoryVector<byte>& key_id1 = auth_key_id; + const MemoryVector<byte>& serial2 = other.serial; + const MemoryVector<byte>& key_id2 = other.auth_key_id; + + if(compare_ids(key_id1, key_id2) == false) + { + if(std::lexicographical_compare(key_id1.begin(), key_id1.end(), + key_id2.begin(), key_id2.end())) + return true; + + if(std::lexicographical_compare(key_id2.begin(), key_id2.end(), + key_id1.begin(), key_id1.end())) + return false; + } + + if(compare_ids(serial1, serial2) == false) + { + if(std::lexicographical_compare(serial1.begin(), serial1.end(), + serial2.begin(), serial2.end())) + return true; + + if(std::lexicographical_compare(serial2.begin(), serial2.end(), + serial1.begin(), serial1.end())) + return false; + } + + return (issuer < other.issuer); + } + +/* +* X509_Store Constructor +*/ +X509_Store::X509_Store(u32bit slack, u32bit cache_timeout) + { + revoked_info_valid = true; + + validation_cache_timeout = cache_timeout; + time_slack = slack; + } + +/* +* X509_Store Copy Constructor +*/ +X509_Store::X509_Store(const X509_Store& other) + { + certs = other.certs; + revoked = other.revoked; + revoked_info_valid = other.revoked_info_valid; + for(u32bit j = 0; j != other.stores.size(); ++j) + stores[j] = other.stores[j]->clone(); + time_slack = other.time_slack; + } + +/* +* X509_Store Destructor +*/ +X509_Store::~X509_Store() + { + for(u32bit j = 0; j != stores.size(); ++j) + delete stores[j]; + } + +/* +* Verify a certificate's authenticity +*/ +X509_Code X509_Store::validate_cert(const X509_Certificate& cert, + Cert_Usage cert_usage) + { + recompute_revoked_info(); + + std::vector<u32bit> indexes; + X509_Code chaining_result = construct_cert_chain(cert, indexes); + if(chaining_result != VERIFIED) + return chaining_result; + + const u64bit current_time = system_time(); + + s32bit time_check = validity_check(cert.start_time(), cert.end_time(), + current_time, time_slack); + if(time_check < 0) return CERT_NOT_YET_VALID; + else if(time_check > 0) return CERT_HAS_EXPIRED; + + X509_Code sig_check_result = check_sig(cert, certs[indexes[0]]); + if(sig_check_result != VERIFIED) + return sig_check_result; + + if(is_revoked(cert)) + return CERT_IS_REVOKED; + + for(u32bit j = 0; j != indexes.size() - 1; ++j) + { + const X509_Certificate& current_cert = certs[indexes[j]].cert; + + time_check = validity_check(current_cert.start_time(), + current_cert.end_time(), + current_time, + time_slack); + + if(time_check < 0) return CERT_NOT_YET_VALID; + else if(time_check > 0) return CERT_HAS_EXPIRED; + + sig_check_result = check_sig(certs[indexes[j]], certs[indexes[j+1]]); + if(sig_check_result != VERIFIED) + return sig_check_result; + } + + return usage_check(cert, cert_usage); + } + +/* +* Find this certificate +*/ +u32bit X509_Store::find_cert(const X509_DN& subject_dn, + const MemoryRegion<byte>& subject_key_id) const + { + for(u32bit j = 0; j != certs.size(); ++j) + { + const X509_Certificate& this_cert = certs[j].cert; + if(compare_ids(this_cert.subject_key_id(), subject_key_id) && + this_cert.subject_dn() == subject_dn) + return j; + } + return NO_CERT_FOUND; + } + +/* +* Find the parent of this certificate +*/ +u32bit X509_Store::find_parent_of(const X509_Certificate& cert) + { + const X509_DN issuer_dn = cert.issuer_dn(); + const MemoryVector<byte> auth_key_id = cert.authority_key_id(); + + u32bit index = find_cert(issuer_dn, auth_key_id); + + if(index != NO_CERT_FOUND) + return index; + + if(auth_key_id.size()) + { + for(u32bit j = 0; j != stores.size(); ++j) + { + std::vector<X509_Certificate> got = stores[j]->by_SKID(auth_key_id); + + if(got.empty()) + continue; + + for(u32bit k = 0; k != got.size(); ++k) + add_cert(got[k]); + return find_cert(issuer_dn, auth_key_id); + } + } + + return NO_CERT_FOUND; + } + +/* +* Construct a chain of certificate relationships +*/ +X509_Code X509_Store::construct_cert_chain(const X509_Certificate& end_cert, + std::vector<u32bit>& indexes, + bool need_full_chain) + { + u32bit parent = find_parent_of(end_cert); + + while(true) + { + if(parent == NO_CERT_FOUND) + return CERT_ISSUER_NOT_FOUND; + indexes.push_back(parent); + + if(certs[parent].is_verified(validation_cache_timeout)) + if(certs[parent].verify_result() != VERIFIED) + return certs[parent].verify_result(); + + const X509_Certificate& parent_cert = certs[parent].cert; + if(!parent_cert.is_CA_cert()) + return CA_CERT_NOT_FOR_CERT_ISSUER; + + if(certs[parent].is_trusted()) + break; + if(parent_cert.is_self_signed()) + return CANNOT_ESTABLISH_TRUST; + + if(parent_cert.path_limit() < indexes.size() - 1) + return CERT_CHAIN_TOO_LONG; + + parent = find_parent_of(parent_cert); + } + + if(need_full_chain) + return VERIFIED; + + while(true) + { + if(indexes.size() < 2) + break; + + const u32bit cert = indexes.back(); + + if(certs[cert].is_verified(validation_cache_timeout)) + { + if(certs[cert].verify_result() != VERIFIED) + throw Internal_Error("X509_Store::construct_cert_chain"); + indexes.pop_back(); + } + else + break; + } + + const u32bit last_cert = indexes.back(); + const u32bit parent_of_last_cert = find_parent_of(certs[last_cert].cert); + if(parent_of_last_cert == NO_CERT_FOUND) + return CERT_ISSUER_NOT_FOUND; + indexes.push_back(parent_of_last_cert); + + return VERIFIED; + } + +/* +* Check the CAs signature on a certificate +*/ +X509_Code X509_Store::check_sig(const Cert_Info& cert_info, + const Cert_Info& ca_cert_info) const + { + if(cert_info.is_verified(validation_cache_timeout)) + return cert_info.verify_result(); + + const X509_Certificate& cert = cert_info.cert; + const X509_Certificate& ca_cert = ca_cert_info.cert; + + X509_Code verify_code = check_sig(cert, ca_cert.subject_public_key()); + + cert_info.set_result(verify_code); + + return verify_code; + } + +/* +* Check a CA's signature +*/ +X509_Code X509_Store::check_sig(const X509_Object& object, Public_Key* key) + { + std::auto_ptr<Public_Key> pub_key(key); + std::auto_ptr<PK_Verifier> verifier; + + try { + std::vector<std::string> sig_info = + split_on(OIDS::lookup(object.signature_algorithm().oid), '/'); + + if(sig_info.size() != 2 || sig_info[0] != pub_key->algo_name()) + return SIGNATURE_ERROR; + + std::string padding = sig_info[1]; + Signature_Format format; + if(key->message_parts() >= 2) format = DER_SEQUENCE; + else format = IEEE_1363; + + if(dynamic_cast<PK_Verifying_with_MR_Key*>(pub_key.get())) + { + PK_Verifying_with_MR_Key* sig_key = + dynamic_cast<PK_Verifying_with_MR_Key*>(pub_key.get()); + verifier.reset(get_pk_verifier(*sig_key, padding, format)); + } + else if(dynamic_cast<PK_Verifying_wo_MR_Key*>(pub_key.get())) + { + PK_Verifying_wo_MR_Key* sig_key = + dynamic_cast<PK_Verifying_wo_MR_Key*>(pub_key.get()); + verifier.reset(get_pk_verifier(*sig_key, padding, format)); + } + else + return CA_CERT_CANNOT_SIGN; + + bool valid = verifier->verify_message(object.tbs_data(), + object.signature()); + + if(valid) + return VERIFIED; + else + return SIGNATURE_ERROR; + } + catch(Decoding_Error) { return CERT_FORMAT_ERROR; } + catch(Exception) {} + + return UNKNOWN_X509_ERROR; + } + +/* +* Recompute the revocation status of the certs +*/ +void X509_Store::recompute_revoked_info() const + { + if(revoked_info_valid) + return; + + for(u32bit j = 0; j != certs.size(); ++j) + { + if((certs[j].is_verified(validation_cache_timeout)) && + (certs[j].verify_result() != VERIFIED)) + continue; + + if(is_revoked(certs[j].cert)) + certs[j].set_result(CERT_IS_REVOKED); + } + + revoked_info_valid = true; + } + +/* +* Check if a certificate is revoked +*/ +bool X509_Store::is_revoked(const X509_Certificate& cert) const + { + CRL_Data revoked_info; + revoked_info.issuer = cert.issuer_dn(); + revoked_info.serial = cert.serial_number(); + revoked_info.auth_key_id = cert.authority_key_id(); + + if(std::binary_search(revoked.begin(), revoked.end(), revoked_info)) + return true; + return false; + } + +/* +* Retrieve all the certificates in the store +*/ +std::vector<X509_Certificate> +X509_Store::get_certs(const Search_Func& search) const + { + std::vector<X509_Certificate> found_certs; + for(u32bit j = 0; j != certs.size(); ++j) + { + if(search.match(certs[j].cert)) + found_certs.push_back(certs[j].cert); + } + return found_certs; + } + +/* +* Construct a path back to a root for this cert +*/ +std::vector<X509_Certificate> +X509_Store::get_cert_chain(const X509_Certificate& cert) + { + std::vector<X509_Certificate> result; + std::vector<u32bit> indexes; + X509_Code chaining_result = construct_cert_chain(cert, indexes, true); + + if(chaining_result != VERIFIED) + throw Invalid_State("X509_Store::get_cert_chain: Can't construct chain"); + + for(u32bit j = 0; j != indexes.size(); ++j) + result.push_back(certs[indexes[j]].cert); + return result; + } + +/* +* Add a certificate store to the list of stores +*/ +void X509_Store::add_new_certstore(Certificate_Store* certstore) + { + stores.push_back(certstore); + } + +/* +* Add a certificate to the store +*/ +void X509_Store::add_cert(const X509_Certificate& cert, bool trusted) + { + if(trusted && !cert.is_self_signed()) + throw Invalid_Argument("X509_Store: Trusted certs must be self-signed"); + + if(find_cert(cert.subject_dn(), cert.subject_key_id()) == NO_CERT_FOUND) + { + revoked_info_valid = false; + Cert_Info info(cert, trusted); + certs.push_back(info); + } + else if(trusted) + { + for(u32bit j = 0; j != certs.size(); ++j) + { + const X509_Certificate& this_cert = certs[j].cert; + if(this_cert == cert) + certs[j].trusted = trusted; + } + } + } + +/* +* Add one or more certificates to the store +*/ +void X509_Store::do_add_certs(DataSource& source, bool trusted) + { + while(!source.end_of_data()) + { + try { + X509_Certificate cert(source); + add_cert(cert, trusted); + } + catch(Decoding_Error) {} + catch(Invalid_Argument) {} + } + } + +/* +* Add one or more certificates to the store +*/ +void X509_Store::add_certs(DataSource& source) + { + do_add_certs(source, false); + } + +/* +* Add one or more certificates to the store +*/ +void X509_Store::add_trusted_certs(DataSource& source) + { + do_add_certs(source, true); + } + +/* +* Add one or more certificates to the store +*/ +X509_Code X509_Store::add_crl(const X509_CRL& crl) + { + s32bit time_check = validity_check(crl.this_update(), crl.next_update(), + system_time(), time_slack); + + if(time_check < 0) return CRL_NOT_YET_VALID; + else if(time_check > 0) return CRL_HAS_EXPIRED; + + u32bit cert_index = NO_CERT_FOUND; + + for(u32bit j = 0; j != certs.size(); ++j) + { + const X509_Certificate& this_cert = certs[j].cert; + if(compare_ids(this_cert.subject_key_id(), crl.authority_key_id())) + { + if(this_cert.subject_dn() == crl.issuer_dn()) + cert_index = j; + } + } + + if(cert_index == NO_CERT_FOUND) + return CRL_ISSUER_NOT_FOUND; + + const X509_Certificate& ca_cert = certs[cert_index].cert; + + X509_Code verify_result = validate_cert(ca_cert, CRL_SIGNING); + if(verify_result != VERIFIED) + return verify_result; + + verify_result = check_sig(crl, ca_cert.subject_public_key()); + if(verify_result != VERIFIED) + return verify_result; + + std::vector<CRL_Entry> revoked_certs = crl.get_revoked(); + + for(u32bit j = 0; j != revoked_certs.size(); ++j) + { + CRL_Data revoked_info; + revoked_info.issuer = crl.issuer_dn(); + revoked_info.serial = revoked_certs[j].serial_number(); + revoked_info.auth_key_id = crl.authority_key_id(); + + std::vector<CRL_Data>::iterator p = + std::find(revoked.begin(), revoked.end(), revoked_info); + + if(revoked_certs[j].reason_code() == REMOVE_FROM_CRL) + { + if(p == revoked.end()) continue; + revoked.erase(p); + } + else + { + if(p != revoked.end()) continue; + revoked.push_back(revoked_info); + } + } + + std::sort(revoked.begin(), revoked.end()); + revoked_info_valid = false; + + return VERIFIED; + } + +/* +* PEM encode the set of certificates +*/ +std::string X509_Store::PEM_encode() const + { + std::string cert_store; + for(u32bit j = 0; j != certs.size(); ++j) + cert_store += certs[j].cert.PEM_encode(); + return cert_store; + } + +/* +* Create a Cert_Info structure +*/ +X509_Store::Cert_Info::Cert_Info(const X509_Certificate& c, + bool t) : cert(c), trusted(t) + { + checked = false; + result = UNKNOWN_X509_ERROR; + last_checked = 0; + } + +/* +* Return the verification results +*/ +X509_Code X509_Store::Cert_Info::verify_result() const + { + if(!checked) + throw Invalid_State("Cert_Info::verify_result() called; not checked"); + return result; + } + +/* +* Set the verification results +*/ +void X509_Store::Cert_Info::set_result(X509_Code code) const + { + result = code; + last_checked = system_time(); + checked = true; + } + +/* +* Check if this certificate can be trusted +*/ +bool X509_Store::Cert_Info::is_trusted() const + { + return trusted; + } + +/* +* Check if this certificate has been verified +*/ +bool X509_Store::Cert_Info::is_verified(u32bit timeout) const + { + if(!checked) + return false; + if(result != VERIFIED && result != CERT_NOT_YET_VALID) + return true; + + const u64bit current_time = system_time(); + + if(current_time > last_checked + timeout) + checked = false; + + return checked; + } + +} diff --git a/botan/src/cert/x509/x509stor.h b/botan/src/cert/x509/x509stor.h new file mode 100644 index 0000000..4e60378 --- /dev/null +++ b/botan/src/cert/x509/x509stor.h @@ -0,0 +1,143 @@ +/* +* X.509 Certificate Store +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_X509_CERT_STORE_H__ +#define BOTAN_X509_CERT_STORE_H__ + +#include <botan/x509cert.h> +#include <botan/x509_crl.h> +#include <botan/certstor.h> + +namespace Botan { + +/* +* X.509 Certificate Validation Result +*/ +enum X509_Code { + VERIFIED, + UNKNOWN_X509_ERROR, + CANNOT_ESTABLISH_TRUST, + CERT_CHAIN_TOO_LONG, + SIGNATURE_ERROR, + POLICY_ERROR, + INVALID_USAGE, + + CERT_FORMAT_ERROR, + CERT_ISSUER_NOT_FOUND, + CERT_NOT_YET_VALID, + CERT_HAS_EXPIRED, + CERT_IS_REVOKED, + + CRL_FORMAT_ERROR, + CRL_ISSUER_NOT_FOUND, + CRL_NOT_YET_VALID, + CRL_HAS_EXPIRED, + + CA_CERT_CANNOT_SIGN, + CA_CERT_NOT_FOR_CERT_ISSUER, + CA_CERT_NOT_FOR_CRL_ISSUER +}; + +/* +* X.509 Certificate Store +*/ +class BOTAN_DLL X509_Store + { + public: + class BOTAN_DLL Search_Func + { + public: + virtual bool match(const X509_Certificate&) const = 0; + virtual ~Search_Func() {} + }; + + enum Cert_Usage { + ANY = 0x00, + TLS_SERVER = 0x01, + TLS_CLIENT = 0x02, + CODE_SIGNING = 0x04, + EMAIL_PROTECTION = 0x08, + TIME_STAMPING = 0x10, + CRL_SIGNING = 0x20 + }; + + X509_Code validate_cert(const X509_Certificate&, Cert_Usage = ANY); + + std::vector<X509_Certificate> get_certs(const Search_Func&) const; + std::vector<X509_Certificate> get_cert_chain(const X509_Certificate&); + std::string PEM_encode() const; + + /* + * Made CRL_Data public for XLC for Cell 0.9, otherwise cannot + * instantiate member variable std::vector<CRL_Data> revoked + */ + class BOTAN_DLL CRL_Data + { + public: + X509_DN issuer; + MemoryVector<byte> serial, auth_key_id; + bool operator==(const CRL_Data&) const; + bool operator!=(const CRL_Data&) const; + bool operator<(const CRL_Data&) const; + }; + + X509_Code add_crl(const X509_CRL&); + void add_cert(const X509_Certificate&, bool = false); + void add_certs(DataSource&); + void add_trusted_certs(DataSource&); + + void add_new_certstore(Certificate_Store*); + + static X509_Code check_sig(const X509_Object&, Public_Key*); + + X509_Store(u32bit time_slack = 24*60*60, + u32bit cache_results = 30*60); + + X509_Store(const X509_Store&); + ~X509_Store(); + private: + X509_Store& operator=(const X509_Store&) { return (*this); } + + class BOTAN_DLL Cert_Info + { + public: + bool is_verified(u32bit timeout) const; + bool is_trusted() const; + X509_Code verify_result() const; + void set_result(X509_Code) const; + Cert_Info(const X509_Certificate&, bool = false); + + X509_Certificate cert; + bool trusted; + private: + mutable bool checked; + mutable X509_Code result; + mutable u64bit last_checked; + }; + + u32bit find_cert(const X509_DN&, const MemoryRegion<byte>&) const; + X509_Code check_sig(const Cert_Info&, const Cert_Info&) const; + void recompute_revoked_info() const; + + void do_add_certs(DataSource&, bool); + X509_Code construct_cert_chain(const X509_Certificate&, + std::vector<u32bit>&, bool = false); + + u32bit find_parent_of(const X509_Certificate&); + bool is_revoked(const X509_Certificate&) const; + + static const u32bit NO_CERT_FOUND = 0xFFFFFFFF; + std::vector<Cert_Info> certs; + std::vector<CRL_Data> revoked; + std::vector<Certificate_Store*> stores; + u32bit time_slack, validation_cache_timeout; + mutable bool revoked_info_valid; + }; + +} + +#endif |