Botan 2.19.5
Crypto and TLS for C&
Public Member Functions | List of all members
Botan::NameConstraints Class Referencefinal

Name Constraints. More...

#include <pkix_types.h>

Public Member Functions

const std::vector< GeneralSubtree > & excluded () const
 
bool is_excluded (const X509_Certificate &cert, bool reject_unknown) const
 
bool is_permitted (const X509_Certificate &cert, bool reject_unknown) const
 
 NameConstraints ()
 
 NameConstraints (std::vector< GeneralSubtree > &&permitted_subtrees, std::vector< GeneralSubtree > &&excluded_subtrees)
 
const std::vector< GeneralSubtree > & permitted () const
 

Detailed Description

Name Constraints.

Wraps the Name Constraints associated with a certificate.

Definition at line 326 of file pkix_types.h.

Constructor & Destructor Documentation

◆ NameConstraints() [1/2]

Botan::NameConstraints::NameConstraints ( )
inline

Creates an empty name NameConstraints.

Definition at line 332 of file pkix_types.h.

332: m_permitted_subtrees(), m_excluded_subtrees() {}

◆ NameConstraints() [2/2]

Botan::NameConstraints::NameConstraints ( std::vector< GeneralSubtree > &&  permitted_subtrees,
std::vector< GeneralSubtree > &&  excluded_subtrees 
)

Creates NameConstraints from a list of permitted and excluded subtrees.

Parameters
permitted_subtreesnames for which the certificate is permitted
excluded_subtreesnames for which the certificate is not permitted

Definition at line 291 of file name_constraint.cpp.

292 :
293 m_permitted_subtrees(permitted_subtrees), m_excluded_subtrees(excluded_subtrees)
294 {
295 for(const auto& c : m_permitted_subtrees)
296 {
297 m_permitted_name_types.insert(c.base().type());
298 }
299 for(const auto& c : m_excluded_subtrees)
300 {
301 m_excluded_name_types.insert(c.base().type());
302 }
303 }

Member Function Documentation

◆ excluded()

const std::vector< GeneralSubtree > & Botan::NameConstraints::excluded ( ) const
inline
Returns
excluded names

Definition at line 350 of file pkix_types.h.

350{ return m_excluded_subtrees; }

Referenced by is_excluded(), Botan::X509_Certificate::to_string(), and Botan::Cert_Extension::Name_Constraints::validate().

◆ is_excluded()

bool Botan::NameConstraints::is_excluded ( const X509_Certificate cert,
bool  reject_unknown 
) const

Return true if any of the names in the certificate are excluded

Definition at line 444 of file name_constraint.cpp.

444 {
445 if(excluded().empty()) {
446 return false;
447 }
448
449 const auto& alt_name = cert.subject_alt_name();
450
451 if(reject_unknown) {
452 if(m_excluded_name_types.find("URI") != m_excluded_name_types.end() && !alt_name.get_attribute("URI").empty()) {
453 return false;
454 }
455 if(m_excluded_name_types.find("RFC822") != m_excluded_name_types.end() && !alt_name.get_attribute("RFC822").empty()) {
456 return false;
457 }
458 }
459
460 auto is_excluded_dn = [&](const X509_DN& dn) {
461 // If no restrictions, then immediate accept
462 if(m_excluded_name_types.find("DN") == m_excluded_name_types.end()) {
463 return false;
464 }
465
466 if(dn.empty()) {
467 return false;
468 }
469
470 for(const auto& c : m_excluded_subtrees) {
471 if(c.base().type() == "DN" && c.base().matches_dn_obj(dn)) {
472 return true;
473 }
474 }
475
476 // There is at least one excluded name and we didn't match
477 return false;
478 };
479
480 auto is_excluded_dns_name = [&](const std::string& name) {
481 if(name.empty() || name[0] == '.') {
482 return true;
483 }
484
485 // If no restrictions, then immediate accept
486 if(m_excluded_name_types.find("DNS") == m_excluded_name_types.end()) {
487 return false;
488 }
489
490 for(const auto& c : m_excluded_subtrees) {
491 if(c.base().type() == "DNS" && c.base().matches_dns(name)) {
492 return true;
493 }
494 }
495
496 // There is at least one excluded name and we didn't match
497 return false;
498 };
499
500 auto is_excluded_ipv4 = [&](const std::string& ipv4) {
501 // If no restrictions, then immediate accept
502 if(m_excluded_name_types.find("IP") == m_excluded_name_types.end()) {
503 return false;
504 }
505
506 for(const auto& c : m_excluded_subtrees) {
507 if(c.base().type() == "IP" && c.base().matches_ip(ipv4)) {
508 return true;
509 }
510 }
511
512 // There is at least one excluded name and we didn't match
513 return false;
514 };
515
516 if(is_excluded_dn(cert.subject_dn())) {
517 return true;
518 }
519
520 if(is_excluded_dn(alt_name.dn())) {
521 return true;
522 }
523
524 for(const auto& alt_dns : alt_name.get_attribute("DNS")) {
525 if(is_excluded_dns_name(alt_dns)) {
526 return true;
527 }
528 }
529
530 for(const auto& alt_ipv4 : alt_name.get_attribute("IP")) {
531 if(is_excluded_ipv4(alt_ipv4)) {
532 return true;
533 }
534 }
535
536 if(!alt_name.has_items())
537 {
538 for(const auto& cn : cert.subject_info("Name"))
539 {
540 if(cn.find(".") != std::string::npos)
541 {
542 if(looks_like_ipv4(cn))
543 {
544 if(is_excluded_ipv4(cn))
545 {
546 return true;
547 }
548 }
549 else
550 {
551 if(is_excluded_dns_name(cn))
552 {
553 return true;
554 }
555 }
556 }
557 }
558 }
559
560 // We didn't encounter a name that matched any prohibited name
561 return false;
562}
const std::vector< GeneralSubtree > & excluded() const
Definition pkix_types.h:350
std::string name

References excluded(), name, Botan::X509_Certificate::subject_alt_name(), Botan::X509_Certificate::subject_dn(), and Botan::X509_Certificate::subject_info().

Referenced by Botan::Cert_Extension::Name_Constraints::validate().

◆ is_permitted()

bool Botan::NameConstraints::is_permitted ( const X509_Certificate cert,
bool  reject_unknown 
) const

Return true if all of the names in the certificate are permitted

Definition at line 323 of file name_constraint.cpp.

323 {
324 if(permitted().empty()) {
325 return true;
326 }
327
328 const auto& alt_name = cert.subject_alt_name();
329
330 if(reject_unknown) {
331 if(m_permitted_name_types.find("URI") != m_permitted_name_types.end() && !alt_name.get_attribute("URI").empty()) {
332 return false;
333 }
334 if(m_permitted_name_types.find("RFC822") != m_permitted_name_types.end() && !alt_name.get_attribute("RFC822").empty()) {
335 return false;
336 }
337 }
338
339 auto is_permitted_dn = [&](const X509_DN& dn) {
340 // If no restrictions, then immediate accept
341 if(m_permitted_name_types.find("DN") == m_permitted_name_types.end()) {
342 return true;
343 }
344
345 if(dn.empty()) {
346 return true;
347 }
348
349 for(const auto& c : m_permitted_subtrees) {
350 if(c.base().type() == "DN" && c.base().matches_dn_obj(dn)) {
351 return true;
352 }
353 }
354
355 // There is at least one permitted name and we didn't match
356 return false;
357 };
358
359 auto is_permitted_dns_name = [&](const std::string& name) {
360 if(name.empty() || name[0] == '.') {
361 return false;
362 }
363
364 // If no restrictions, then immediate accept
365 if(m_permitted_name_types.find("DNS") == m_permitted_name_types.end()) {
366 return true;
367 }
368
369 for(const auto& c : m_permitted_subtrees) {
370 if(c.base().type() == "DNS" && c.base().matches_dns(name)) {
371 return true;
372 }
373 }
374
375 // There is at least one permitted name and we didn't match
376 return false;
377 };
378
379 auto is_permitted_ipv4 = [&](const std::string& ipv4) {
380 // If no restrictions, then immediate accept
381 if(m_permitted_name_types.find("IP") == m_permitted_name_types.end()) {
382 return true;
383 }
384
385 for(const auto& c : m_permitted_subtrees) {
386 if(c.base().type() == "IP" && c.base().matches_ip(ipv4)) {
387 return true;
388 }
389 }
390
391 // There is at least one permitted name and we didn't match
392 return false;
393 };
394
395 if(!is_permitted_dn(cert.subject_dn())) {
396 return false;
397 }
398
399 if(!is_permitted_dn(alt_name.dn()))
400 {
401 return false;
402 }
403
404 for(const auto& alt_dns : alt_name.get_attribute("DNS")) {
405 if(!is_permitted_dns_name(alt_dns)) {
406 return false;
407 }
408 }
409
410 for(const auto& alt_ipv4 : alt_name.get_attribute("IP")) {
411 if(!is_permitted_ipv4(alt_ipv4)) {
412 return false;
413 }
414 }
415
416 if(!alt_name.has_items())
417 {
418 for(const auto& cn : cert.subject_info("Name"))
419 {
420 if(cn.find(".") != std::string::npos)
421 {
422 if(looks_like_ipv4(cn))
423 {
424 if(!is_permitted_ipv4(cn))
425 {
426 return false;
427 }
428 }
429 else
430 {
431 if(!is_permitted_dns_name(cn))
432 {
433 return false;
434 }
435 }
436 }
437 }
438 }
439
440 // We didn't encounter a name that doesn't have a matching constraint
441 return true;
442}
const std::vector< GeneralSubtree > & permitted() const
Definition pkix_types.h:345

References name, permitted(), Botan::X509_Certificate::subject_alt_name(), Botan::X509_Certificate::subject_dn(), and Botan::X509_Certificate::subject_info().

Referenced by Botan::Cert_Extension::Name_Constraints::validate().

◆ permitted()

const std::vector< GeneralSubtree > & Botan::NameConstraints::permitted ( ) const
inline
Returns
permitted names

Definition at line 345 of file pkix_types.h.

345{ return m_permitted_subtrees; }

Referenced by is_permitted(), Botan::X509_Certificate::to_string(), and Botan::Cert_Extension::Name_Constraints::validate().


The documentation for this class was generated from the following files: