Botan 3.5.0
Crypto and TLS for C&
certstor.cpp
Go to the documentation of this file.
1/*
2* Certificate Store
3* (C) 1999-2010,2013 Jack Lloyd
4* (C) 2017 Fabian Weissberg, Rohde & Schwarz Cybersecurity
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/certstor.h>
10
11#include <botan/data_src.h>
12#include <botan/hash.h>
13#include <botan/pkix_types.h>
14#include <botan/internal/filesystem.h>
15
16namespace Botan {
17
19
20std::optional<X509_Certificate> Certificate_Store::find_cert(const X509_DN& subject_dn,
21 const std::vector<uint8_t>& key_id) const {
22 const auto certs = find_all_certs(subject_dn, key_id);
23
24 if(certs.empty()) {
25 return std::nullopt;
26 }
27
28 // `count` might be greater than 1, but we'll just select the first match
29 return certs.front();
30}
31
32std::optional<X509_CRL> Certificate_Store::find_crl_for(const X509_Certificate& /*unused*/) const {
33 return std::nullopt;
34}
35
37 for(const auto& c : m_certs) {
38 if(c == cert) {
39 return;
40 }
41 }
42
43 m_certs.push_back(cert);
44}
45
46std::vector<X509_DN> Certificate_Store_In_Memory::all_subjects() const {
47 std::vector<X509_DN> subjects;
48 subjects.reserve(m_certs.size());
49 for(const auto& cert : m_certs) {
50 subjects.push_back(cert.subject_dn());
51 }
52 return subjects;
53}
54
55std::optional<X509_Certificate> Certificate_Store_In_Memory::find_cert(const X509_DN& subject_dn,
56 const std::vector<uint8_t>& key_id) const {
57 for(const auto& cert : m_certs) {
58 // Only compare key ids if set in both call and in the cert
59 if(!key_id.empty()) {
60 const std::vector<uint8_t>& skid = cert.subject_key_id();
61
62 if(!skid.empty() && skid != key_id) { // no match
63 continue;
64 }
65 }
66
67 if(cert.subject_dn() == subject_dn) {
68 return cert;
69 }
70 }
71
72 return std::nullopt;
73}
74
75std::vector<X509_Certificate> Certificate_Store_In_Memory::find_all_certs(const X509_DN& subject_dn,
76 const std::vector<uint8_t>& key_id) const {
77 std::vector<X509_Certificate> matches;
78
79 for(const auto& cert : m_certs) {
80 if(!key_id.empty()) {
81 const std::vector<uint8_t>& skid = cert.subject_key_id();
82
83 if(!skid.empty() && skid != key_id) { // no match
84 continue;
85 }
86 }
87
88 if(cert.subject_dn() == subject_dn) {
89 matches.push_back(cert);
90 }
91 }
92
93 return matches;
94}
95
97 const std::vector<uint8_t>& key_hash) const {
98 if(key_hash.size() != 20) {
99 throw Invalid_Argument("Certificate_Store_In_Memory::find_cert_by_pubkey_sha1 invalid hash");
100 }
101
102 auto hash = HashFunction::create("SHA-1");
103
104 for(const auto& cert : m_certs) {
105 hash->update(cert.subject_public_key_bitstring());
106 if(key_hash == hash->final_stdvec()) { //final_stdvec also clears the hash to initial state
107 return cert;
108 }
109 }
110
111 return std::nullopt;
112}
113
115 const std::vector<uint8_t>& subject_hash) const {
116 if(subject_hash.size() != 32) {
117 throw Invalid_Argument("Certificate_Store_In_Memory::find_cert_by_raw_subject_dn_sha256 invalid hash");
118 }
119
120 auto hash = HashFunction::create("SHA-256");
121
122 for(const auto& cert : m_certs) {
123 hash->update(cert.raw_subject_dn());
124 if(subject_hash == hash->final_stdvec()) { //final_stdvec also clears the hash to initial state
125 return cert;
126 }
127 }
128
129 return std::nullopt;
130}
131
133 const X509_DN& crl_issuer = crl.issuer_dn();
134
135 for(auto& c : m_crls) {
136 // Found an update of a previously existing one; replace it
137 if(c.issuer_dn() == crl_issuer) {
138 if(c.this_update() <= crl.this_update()) {
139 c = crl;
140 }
141 return;
142 }
143 }
144
145 // Totally new CRL, add to the list
146 m_crls.push_back(crl);
147}
148
149std::optional<X509_CRL> Certificate_Store_In_Memory::find_crl_for(const X509_Certificate& subject) const {
150 const std::vector<uint8_t>& key_id = subject.authority_key_id();
151
152 for(const auto& c : m_crls) {
153 // Only compare key ids if set in both call and in the CRL
154 if(!key_id.empty()) {
155 const std::vector<uint8_t>& akid = c.authority_key_id();
156
157 if(!akid.empty() && akid != key_id) { // no match
158 continue;
159 }
160 }
161
162 if(c.issuer_dn() == subject.issuer_dn()) {
163 return c;
164 }
165 }
166
167 return {};
168}
169
173
174#if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
176 if(dir.empty()) {
177 return;
178 }
179
180 std::vector<std::string> maybe_certs = get_files_recursive(dir);
181
182 if(maybe_certs.empty()) {
183 maybe_certs.push_back(std::string(dir));
184 }
185
186 for(auto&& cert_file : maybe_certs) {
187 try {
188 DataSource_Stream src(cert_file, true);
189 while(!src.end_of_data()) {
190 try {
191 X509_Certificate cert(src);
192 m_certs.push_back(cert);
193 } catch(std::exception&) {
194 // stop searching for other certificate at first exception
195 break;
196 }
197 }
198 } catch(std::exception&) {}
199 }
200}
201#endif
202
203} // namespace Botan
std::vector< X509_Certificate > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
Definition certstor.cpp:75
std::optional< X509_Certificate > find_cert_by_pubkey_sha1(const std::vector< uint8_t > &key_hash) const override
Definition certstor.cpp:96
std::optional< X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
Definition certstor.cpp:55
void add_crl(const X509_CRL &crl)
Definition certstor.cpp:132
std::optional< X509_Certificate > find_cert_by_raw_subject_dn_sha256(const std::vector< uint8_t > &subject_hash) const override
Definition certstor.cpp:114
std::optional< X509_CRL > find_crl_for(const X509_Certificate &subject) const override
Definition certstor.cpp:149
void add_certificate(const X509_Certificate &cert)
Definition certstor.cpp:36
std::vector< X509_DN > all_subjects() const override
Definition certstor.cpp:46
virtual std::optional< X509_CRL > find_crl_for(const X509_Certificate &subject) const
Definition certstor.cpp:32
virtual std::vector< X509_Certificate > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const =0
virtual std::optional< X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const
Definition certstor.cpp:20
static std::unique_ptr< HashFunction > create(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:107
const X509_Time & this_update() const
Definition x509_crl.cpp:219
const X509_DN & issuer_dn() const
Definition x509_crl.cpp:198
const std::vector< uint8_t > & authority_key_id() const
Definition x509cert.cpp:375
const X509_DN & issuer_dn() const
Definition x509cert.cpp:391
std::vector< std::string > get_files_recursive(std::string_view dir)