24872040145

Committed 24 Apr 2026 01:10AM UTC coverage: 89.401% (-0.07%) from 89.474%

Build # 24872040145

Build Type

push

github

Committed by

web-flow

Commit Message

Merge pull request #5539 from randombit/jack/cert-cache

Refactor and optimize Windows certificate store

Coverage Stats

106671 of 119318 relevant lines covered (89.4%)

11479699.69 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

70.83

/src/lib/x509/name_constraint.cpp

/*
* X.509 Name Constraint
* (C) 2015 Kai Michaelis
*     2024,2026 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/pkix_types.h>

#include <botan/ber_dec.h>
#include <botan/x509cert.h>
#include <botan/internal/concat_util.h>
#include <botan/internal/fmt.h>
#include <botan/internal/int_utils.h>
#include <botan/internal/loadstor.h>
#include <botan/internal/parsing.h>
#include <botan/internal/stl_util.h>
#include <botan/internal/x509_utils.h>
#include <span>

namespace Botan {

class DER_Encoder;

namespace {

std::string canonicalize_dns_name(std::string_view name) {
   return tolower_string(name);
}

}  // namespace

std::string GeneralName::type() const {
   switch(m_type) {
      case NameType::Unknown:
         throw Encoding_Error("Could not convert unknown NameType to string");
      case NameType::RFC822:
         return "RFC822";
      case NameType::DNS:
         return "DNS";
      case NameType::URI:
         return "URI";
      case NameType::DN:
         return "DN";
      case NameType::IPv4:
         return "IP";
      case NameType::IPv6:
         return "IPv6";
      case NameType::Other:
         return "Other";
   }

   BOTAN_ASSERT_UNREACHABLE();
}

GeneralName GeneralName::email(std::string_view email) {
   return GeneralName::make<RFC822_IDX>(email);
}

GeneralName GeneralName::dns(std::string_view dns) {
   return GeneralName::make<DNS_IDX>(dns);
}

GeneralName GeneralName::uri(std::string_view uri) {
   return GeneralName::make<URI_IDX>(uri);
}

GeneralName GeneralName::directory_name(Botan::X509_DN dn) {
   return GeneralName::make<DN_IDX>(std::move(dn));
}

GeneralName GeneralName::ipv4_address(uint32_t ipv4) {
   return GeneralName::ipv4_address(IPv4Address(ipv4));
}

GeneralName GeneralName::ipv4_address(uint32_t ipv4, uint32_t mask) {
   auto subnet = IPv4Subnet::from_address_and_mask(ipv4, mask);
   if(!subnet.has_value()) {
      throw Invalid_Argument("IPv4 subnet mask is not a contiguous CIDR prefix");
   }
   return GeneralName::make<IPV4_IDX>(*subnet);
}

GeneralName GeneralName::ipv4_address(IPv4Address ipv4) {
   return GeneralName::make<IPV4_IDX>(IPv4Subnet::host(ipv4));
}

GeneralName GeneralName::ipv4_address(const IPv4Subnet& subnet) {
   return GeneralName::make<IPV4_IDX>(subnet);
}

GeneralName GeneralName::ipv6_address(const IPv6Address& ipv6) {
   return GeneralName::make<IPV6_IDX>(IPv6Subnet::host(ipv6));
}

GeneralName GeneralName::ipv6_address(const IPv6Subnet& subnet) {
   return GeneralName::make<IPV6_IDX>(subnet);
}

std::string GeneralName::name() const {
   const size_t index = m_name.index();

   if(index == RFC822_IDX) {
      return std::get<RFC822_IDX>(m_name);
   } else if(index == DNS_IDX) {
      return std::get<DNS_IDX>(m_name);
   } else if(index == URI_IDX) {
      return std::get<URI_IDX>(m_name);
   } else if(index == DN_IDX) {
      return std::get<DN_IDX>(m_name).to_string();
   } else if(index == IPV4_IDX) {
      const auto& subnet = std::get<IPV4_IDX>(m_name);
      return subnet.is_host() ? subnet.address().to_string() : subnet.to_string();
   } else if(index == IPV6_IDX) {
      const auto& subnet = std::get<IPV6_IDX>(m_name);
      return subnet.is_host() ? subnet.address().to_string() : subnet.to_string();
   } else {
      BOTAN_ASSERT_UNREACHABLE();
   }
}

std::vector<uint8_t> GeneralName::binary_name() const {
   return std::visit(Botan::overloaded{
                        [](const Botan::X509_DN& dn) { return Botan::ASN1::put_in_sequence(dn.get_bits()); },
                        [](const IPv4Subnet& subnet) { return subnet.serialize(); },
                        [](const IPv6Subnet& subnet) { return subnet.serialize(); },
                        [](const auto&) -> std::vector<uint8_t> {
                           throw Invalid_State("Cannot convert GeneralName to binary string");
                        },
                     },
                     m_name);
}

void GeneralName::encode_into(DER_Encoder& /*to*/) const {
   throw Not_Implemented("GeneralName encoding");
}

void GeneralName::decode_from(BER_Decoder& ber) {
   const BER_Object obj = ber.get_next_object();

   if(obj.is_a(0, ASN1_Class::ExplicitContextSpecific)) {
      m_type = NameType::Other;
   } else if(obj.is_a(1, ASN1_Class::ContextSpecific)) {
      m_type = NameType::RFC822;
      m_name.emplace<RFC822_IDX>(ASN1::to_string(obj));
   } else if(obj.is_a(2, ASN1_Class::ContextSpecific)) {
      // Store it in case insensitive form so we don't have to do it
      // again while matching
      auto dns = canonicalize_dns_name(ASN1::to_string(obj));
      // An empty DNS subtree has no clear meaning, reject immediately
      if(dns.empty()) {
         throw Decoding_Error("Empty DNS name in GeneralName");
      }
      m_type = NameType::DNS;
      m_name.emplace<DNS_IDX>(std::move(dns));
   } else if(obj.is_a(6, ASN1_Class::ContextSpecific)) {
      m_type = NameType::URI;
      m_name.emplace<URI_IDX>(ASN1::to_string(obj));
   } else if(obj.is_a(4, ASN1_Class::ContextSpecific | ASN1_Class::Constructed)) {
      X509_DN dn;
      BER_Decoder dec(obj, ber.limits());
      dn.decode_from(dec);
      m_type = NameType::DN;
      m_name.emplace<DN_IDX>(dn);
   } else if(obj.is_a(7, ASN1_Class::ContextSpecific)) {
      if(obj.length() == 8) {
         const auto addr_and_mask = std::span<const uint8_t, 8>{obj.bits(), 8};
         auto subnet = IPv4Subnet::from_address_and_mask(addr_and_mask);
         if(!subnet.has_value()) {
            throw Decoding_Error("IPv4 name constraint mask is not a contiguous CIDR prefix");
         }

         m_type = NameType::IPv4;
         m_name.emplace<IPV4_IDX>(*subnet);
      } else if(obj.length() == 32) {
         const auto addr_and_mask = std::span<const uint8_t, 32>{obj.bits(), 32};
         auto subnet = IPv6Subnet::from_address_and_mask(addr_and_mask);
         if(!subnet.has_value()) {
            throw Decoding_Error("IPv6 name constraint mask is not a contiguous CIDR prefix");
         }

         m_type = NameType::IPv6;
         m_name.emplace<IPV6_IDX>(*subnet);
      } else {
         throw Decoding_Error("Invalid IP name constraint size " + std::to_string(obj.length()));
      }
   } else {
      m_type = NameType::Unknown;
   }
}

bool GeneralName::matches_dns(const std::string& dns_name) const {
   if(m_type == NameType::DNS) {
      const auto& constraint = std::get<DNS_IDX>(m_name);
      return matches_dns(dns_name, constraint);
   }
   return false;
}

bool GeneralName::matches_ipv4(uint32_t ip) const {
   if(m_type == NameType::IPv4) {
      return std::get<IPV4_IDX>(m_name).contains(IPv4Address(ip));
   }
   return false;
}

bool GeneralName::matches_ipv6(const IPv6Address& ip) const {
   if(m_type == NameType::IPv6) {
      return std::get<IPV6_IDX>(m_name).contains(ip);
   }
   return false;
}

bool GeneralName::matches_dn(const X509_DN& dn) const {
   if(m_type == NameType::DN) {
      const X509_DN& constraint = std::get<DN_IDX>(m_name);
      return matches_dn(dn, constraint);
   }
   return false;
}

GeneralName::MatchResult GeneralName::matches(const X509_Certificate& cert) const {
   class MatchScore final {
      public:
         MatchScore() : m_any(false), m_some(false), m_all(true) {}

         void add(bool m) {
            m_any = true;
            m_some |= m;
            m_all &= m;
         }

         MatchResult result() const {
            if(!m_any) {
               return MatchResult::NotFound;
            } else if(m_all) {
               return MatchResult::All;
            } else if(m_some) {
               return MatchResult::Some;
            } else {
               return MatchResult::None;
            }
         }

      private:
         bool m_any;
         bool m_some;
         bool m_all;
   };

   const X509_DN& dn = cert.subject_dn();
   const AlternativeName& alt_name = cert.subject_alt_name();

   MatchScore score;

   if(m_type == NameType::DNS) {
      const auto& constraint = std::get<DNS_IDX>(m_name);

      const auto& alt_names = alt_name.dns();

      for(const std::string& dns : alt_names) {
         score.add(matches_dns(dns, constraint));
      }

      if(alt_name.count() == 0) {
         // Check CN instead...
         for(const std::string& cn : dn.get_attribute("CN")) {
            if(!string_to_ipv4(cn).has_value()) {
               score.add(matches_dns(canonicalize_dns_name(cn), constraint));
            }
         }
      }
   } else if(m_type == NameType::DN) {
      const X509_DN& constraint = std::get<DN_IDX>(m_name);
      score.add(matches_dn(dn, constraint));

      for(const auto& alt_dn : alt_name.directory_names()) {
         score.add(matches_dn(alt_dn, constraint));
      }
   } else if(m_type == NameType::IPv4) {
      const auto& subnet = std::get<IPV4_IDX>(m_name);

      if(alt_name.count() == 0) {
         // Check CN instead...
         for(const std::string& cn : dn.get_attribute("CN")) {
            if(auto ipv4 = string_to_ipv4(cn)) {
               score.add(subnet.contains(IPv4Address(*ipv4)));
            }
         }
      } else {
         for(const uint32_t ipv4 : alt_name.ipv4_address()) {
            score.add(subnet.contains(IPv4Address(ipv4)));
         }
      }
   } else if(m_type == NameType::IPv6) {
      for(const auto& ipv6 : alt_name.ipv6_address()) {
         score.add(matches_ipv6(ipv6));
      }
   } else {
      // URI and email name constraint matching not implemented
      return MatchResult::UnknownType;
   }

   return score.result();
}

//static
bool GeneralName::matches_dns(std::string_view name, std::string_view constraint) {
   // both constraint and name are assumed already tolower
   if(name.size() == constraint.size()) {
      return name == constraint;
   } else if(constraint.size() > name.size()) {
      // The constraint is longer than the issued name: not possibly a match
      return false;
   } else {
      BOTAN_ASSERT_NOMSG(name.size() > constraint.size());

      if(constraint.empty()) {
         return true;
      }

      const std::string_view substr = name.substr(name.size() - constraint.size(), constraint.size());

      if(constraint.front() == '.') {
         return substr == constraint;
      } else if(substr[0] == '.') {
         return substr.substr(1) == constraint;
      } else {
         return substr == constraint && name[name.size() - constraint.size() - 1] == '.';
      }
   }
}

//static
bool GeneralName::matches_dn(const X509_DN& name, const X509_DN& constraint) {
   // Perform DN matching by comparing RDNs in sequence, i.e.,
   // whether the constraint is a prefix of the name.
   const auto& name_info = name.dn_info();
   const auto& constraint_info = constraint.dn_info();

   if(constraint_info.size() > name_info.size()) {
      return false;
   }

   for(size_t i = 0; i < constraint_info.size(); ++i) {
      if(name_info[i].first != constraint_info[i].first ||
         !x500_name_cmp(name_info[i].second.value(), constraint_info[i].second.value())) {
         return false;
      }
   }

   return !constraint_info.empty();
}

std::ostream& operator<<(std::ostream& os, const GeneralName& gn) {
   os << gn.type() << ":" << gn.name();
   return os;
}

GeneralSubtree::GeneralSubtree() = default;

void GeneralSubtree::encode_into(DER_Encoder& /*to*/) const {
   throw Not_Implemented("GeneralSubtree encoding");
}

void GeneralSubtree::decode_from(BER_Decoder& ber) {
   /*
   * RFC 5280 Section 4.2.1.10:
   *    Within this profile, the minimum and maximum fields are not used with any
   *    name forms, thus, the minimum MUST be zero, and maximum MUST be absent.
   */
   size_t minimum = 0;

   ber.start_sequence()
      .decode(m_base)
      .decode_optional(minimum, ASN1_Type(0), ASN1_Class::ContextSpecific, size_t(0))
      .end_cons();

   if(minimum != 0) {
      throw Decoding_Error("GeneralSubtree minimum must be 0");
   }
}

std::ostream& operator<<(std::ostream& os, const GeneralSubtree& gs) {
   os << gs.base();
   return os;
}

NameConstraints::NameConstraints(std::vector<GeneralSubtree>&& permitted_subtrees,
                                 std::vector<GeneralSubtree>&& excluded_subtrees) :
      m_permitted_subtrees(std::move(permitted_subtrees)), m_excluded_subtrees(std::move(excluded_subtrees)) {
   for(const auto& c : m_permitted_subtrees) {
      m_permitted_name_types.insert(c.base().type_code());
   }
   for(const auto& c : m_excluded_subtrees) {
      m_excluded_name_types.insert(c.base().type_code());
   }
}

namespace {

bool exceeds_limit(size_t dn_count, size_t alt_count, size_t constraint_count) {
   /**
   * OpenSSL uses a similar limit, but applies it to the total number of
   * constraints, while we apply it to permitted and excluded independently.
   */
   constexpr size_t MAX_NC_CHECKS = (1 << 16);

   if(auto names = checked_add(dn_count, alt_count)) {
      if(auto product = checked_mul(*names, constraint_count)) {
         if(*product < MAX_NC_CHECKS) {
            return false;
         }
      }
   }
   return true;
}

}  // namespace

bool NameConstraints::is_permitted(const X509_Certificate& cert, bool reject_unknown) const {
   if(permitted().empty()) {
      return true;
   }

   const auto& alt_name = cert.subject_alt_name();

   if(exceeds_limit(cert.subject_dn().count(), alt_name.count(), permitted().size())) {
      return false;
   }

   if(reject_unknown) {
      if(m_permitted_name_types.contains(GeneralName::NameType::Other) && !alt_name.other_names().empty()) {
         return false;
      }
      if(m_permitted_name_types.contains(GeneralName::NameType::URI) && !alt_name.uris().empty()) {
         return false;
      }
      if(m_permitted_name_types.contains(GeneralName::NameType::RFC822) && !alt_name.email().empty()) {
         return false;
      }
   }

   auto is_permitted_dn = [&](const X509_DN& dn) {
      // If no restrictions, then immediate accept
      if(!m_permitted_name_types.contains(GeneralName::NameType::DN)) {
         return true;
      }

      for(const auto& c : m_permitted_subtrees) {
         if(c.base().matches_dn(dn)) {
            return true;
         }
      }

      // There is at least one permitted name and we didn't match
      return false;
   };

   auto is_permitted_dns_name = [&](const std::string& name) {
      if(name.empty() || name.starts_with(".")) {
         return false;
      }

      // If no restrictions, then immediate accept
      if(!m_permitted_name_types.contains(GeneralName::NameType::DNS)) {
         return true;
      }

      for(const auto& c : m_permitted_subtrees) {
         if(c.base().matches_dns(name)) {
            return true;
         }
      }

      // There is at least one permitted name and we didn't match
      return false;
   };

   /*
   RFC 5280 4.2.1.10: iPAddress is a single GeneralName element where
   IPv4 and IPv6 are distinguished only by the length.

   An iPAddress subtree of either version therefore restricts the iPAddress name
   form for both versions.
   */
   const bool ip_form_restricted = m_permitted_name_types.contains(GeneralName::NameType::IPv4) ||
                                   m_permitted_name_types.contains(GeneralName::NameType::IPv6);

   auto is_permitted_ipv4 = [&](uint32_t ipv4) {
      if(!ip_form_restricted) {
         return true;
      }

      for(const auto& c : m_permitted_subtrees) {
         if(c.base().matches_ipv4(ipv4)) {
            return true;
         }
      }

      // We might here check if there are any IPv6 permitted names which are
      // mapped IPv4 addresses, and if so check if any of those apply. It's not
      // clear if this is desirable, and RFC 5280 is completely silent on the issue.

      // There is at least one permitted iPAddress name and we didn't match
      return false;
   };

   auto is_permitted_ipv6 = [&](const IPv6Address& ipv6) {
      if(!ip_form_restricted) {
         return true;
      }

      for(const auto& c : m_permitted_subtrees) {
         if(c.base().matches_ipv6(ipv6)) {
            return true;
         }
      }

      // There is at least one permitted iPAddress name and we didn't match
      return false;
   };

   if(!is_permitted_dn(cert.subject_dn())) {
      return false;
   }

   for(const auto& alt_dn : alt_name.directory_names()) {
      if(!is_permitted_dn(alt_dn)) {
         return false;
      }
   }

   for(const auto& alt_dns : alt_name.dns()) {
      if(!is_permitted_dns_name(alt_dns)) {
         return false;
      }
   }

   for(const auto& alt_ipv4 : alt_name.ipv4_address()) {
      if(!is_permitted_ipv4(alt_ipv4)) {
         return false;
      }
   }

   for(const auto& alt_ipv6 : alt_name.ipv6_address()) {
      if(!is_permitted_ipv6(alt_ipv6)) {
         return false;
      }
   }

   if(alt_name.count() == 0) {
      for(const auto& cn : cert.subject_info("Name")) {
         if(cn.find(".") != std::string::npos) {
            if(auto ipv4 = string_to_ipv4(cn)) {
               if(!is_permitted_ipv4(ipv4.value())) {
                  return false;
               }
            } else {
               if(!is_permitted_dns_name(canonicalize_dns_name(cn))) {
                  return false;
               }
            }
         }
      }
   }

   // We didn't encounter a name that doesn't have a matching constraint
   return true;
}

bool NameConstraints::is_excluded(const X509_Certificate& cert, bool reject_unknown) const {
   if(excluded().empty()) {
      return false;
   }

   const auto& alt_name = cert.subject_alt_name();

   if(exceeds_limit(cert.subject_dn().count(), alt_name.count(), excluded().size())) {
      return true;
   }

   if(reject_unknown) {
      // This is one is overly broad: we should just reject if there is a name constraint
      // with the same OID as one of the other names
      if(m_excluded_name_types.contains(GeneralName::NameType::Other) && !alt_name.other_names().empty()) {
         return true;
      }
      if(m_excluded_name_types.contains(GeneralName::NameType::URI) && !alt_name.uris().empty()) {
         return true;
      }
      if(m_excluded_name_types.contains(GeneralName::NameType::RFC822) && !alt_name.email().empty()) {
         return true;
      }
   }

   auto is_excluded_dn = [&](const X509_DN& dn) {
      // If no restrictions, then immediate accept
      if(!m_excluded_name_types.contains(GeneralName::NameType::DN)) {
         return false;
      }

      for(const auto& c : m_excluded_subtrees) {
         if(c.base().matches_dn(dn)) {
            return true;
         }
      }

      // There is at least one excluded name and we didn't match
      return false;
   };

   auto is_excluded_dns_name = [&](const std::string& name) {
      if(name.empty() || name.starts_with(".")) {
         return true;
      }

      // If no restrictions, then immediate accept
      if(!m_excluded_name_types.contains(GeneralName::NameType::DNS)) {
         return false;
      }

      const bool name_has_wildcard = (name.find('*') != std::string::npos);

      for(const auto& c : m_excluded_subtrees) {
         if(c.base().matches_dns(name)) {
            return true;
         }

         /*
         RFC 5280 4.2.1.10 - "any name matching a restriction in the
         excludedSubtrees field is invalid".

         If the cert has a wildcard SAN (*.example.com), and that wildcard
         could be matched against an excluded name, it must be rejected.
         */
         if(name_has_wildcard && c.base().m_type == GeneralName::NameType::DNS) {
            const auto& constraint = std::get<GeneralName::DNS_IDX>(c.base().m_name);
            if(host_wildcard_match(name, constraint)) {
               return true;
            }
         }
      }

      // There is at least one excluded name and we didn't match
      return false;
   };

   auto is_excluded_ipv4 = [&](uint32_t ipv4) {
      if(m_excluded_name_types.contains(GeneralName::NameType::IPv4)) {
         for(const auto& c : m_excluded_subtrees) {
            if(c.base().matches_ipv4(ipv4)) {
               return true;
            }
         }
      }

      // This name did not match any of the excluded names
      return false;
   };

   auto is_excluded_ipv6 = [&](const IPv6Address& ipv6) {
      if(m_excluded_name_types.contains(GeneralName::NameType::IPv6)) {
         for(const auto& c : m_excluded_subtrees) {
            if(c.base().matches_ipv6(ipv6)) {
               return true;
            }
         }
      }

      // An IPv4-mapped IPv6 address names an IPv4 address so verify that
      // address is not restricted by an IPv4 excludes rule
      if(m_excluded_name_types.contains(GeneralName::NameType::IPv4)) {
         if(auto embedded_v4 = ipv6.as_ipv4()) {
            for(const auto& c : m_excluded_subtrees) {
               if(c.base().matches_ipv4(*embedded_v4)) {
                  return true;
               }
            }
         }
      }

      // This name did not match any of the excluded names
      return false;
   };

   if(is_excluded_dn(cert.subject_dn())) {
      return true;
   }

   for(const auto& alt_dn : alt_name.directory_names()) {
      if(is_excluded_dn(alt_dn)) {
         return true;
      }
   }

   for(const auto& alt_dns : alt_name.dns()) {
      if(is_excluded_dns_name(alt_dns)) {
         return true;
      }
   }

   for(const auto& alt_ipv4 : alt_name.ipv4_address()) {
      if(is_excluded_ipv4(alt_ipv4)) {
         return true;
      }
   }

   for(const auto& alt_ipv6 : alt_name.ipv6_address()) {
      if(is_excluded_ipv6(alt_ipv6)) {
         return true;
      }
   }

   if(alt_name.count() == 0) {
      for(const auto& cn : cert.subject_info("Name")) {
         if(cn.find(".") != std::string::npos) {
            if(auto ipv4 = string_to_ipv4(cn)) {
               if(is_excluded_ipv4(ipv4.value())) {
                  return true;
               }
            } else {
               if(is_excluded_dns_name(canonicalize_dns_name(cn))) {
                  return true;
               }
            }
         }
      }
   }

   // We didn't encounter a name that matched any prohibited name
   return false;
}

}  // namespace Botan

randombit / botan / 24872040145

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous