Botan 3.10.0
Crypto and TLS for C&
certstor.cpp
Go to the documentation of this file.
1/*
2* Certificate Store
3* (C) 1999-2010,2013 Jack Lloyd
4* (C) 2017 Fabian Weissberg, Rohde & Schwarz Cybersecurity
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/certstor.h>
10
11#include <botan/assert.h>
12#include <botan/data_src.h>
13#include <botan/hash.h>
14#include <botan/pkix_types.h>
15#include <botan/internal/filesystem.h>
16
17namespace Botan {
18
19Certificate_Store::~Certificate_Store() = default;
20
21std::optional<X509_Certificate> Certificate_Store::find_cert(const X509_DN& subject_dn,
22 const std::vector<uint8_t>& key_id) const {
23 const auto certs = find_all_certs(subject_dn, key_id);
24
25 if(certs.empty()) {
26 return std::nullopt;
27 }
28
29 // `count` might be greater than 1, but we'll just select the first match
30 return certs.front();
31}
32
33std::optional<X509_CRL> Certificate_Store::find_crl_for(const X509_Certificate& /*unused*/) const {
34 return std::nullopt;
35}
36
37void Certificate_Store_In_Memory::add_certificate(const X509_Certificate& cert) {
38 for(const auto& c : m_certs) {
39 if(c == cert) {
40 return;
41 }
42 }
43
44 m_certs.push_back(cert);
45}
46
47std::vector<X509_DN> Certificate_Store_In_Memory::all_subjects() const {
48 std::vector<X509_DN> subjects;
49 subjects.reserve(m_certs.size());
50 for(const auto& cert : m_certs) {
51 subjects.push_back(cert.subject_dn());
52 }
53 return subjects;
54}
55
56std::optional<X509_Certificate> Certificate_Store_In_Memory::find_cert(const X509_DN& subject_dn,
57 const std::vector<uint8_t>& key_id) const {
58 for(const auto& cert : m_certs) {
59 // Only compare key ids if set in both call and in the cert
60 if(!key_id.empty()) {
61 const std::vector<uint8_t>& skid = cert.subject_key_id();
62
63 if(!skid.empty() && skid != key_id) { // no match
64 continue;
65 }
66 }
67
68 if(cert.subject_dn() == subject_dn) {
69 return cert;
70 }
71 }
72
73 return std::nullopt;
74}
75
76std::vector<X509_Certificate> Certificate_Store_In_Memory::find_all_certs(const X509_DN& subject_dn,
77 const std::vector<uint8_t>& key_id) const {
78 std::vector<X509_Certificate> matches;
79
80 for(const auto& cert : m_certs) {
81 if(!key_id.empty()) {
82 const std::vector<uint8_t>& skid = cert.subject_key_id();
83
84 if(!skid.empty() && skid != key_id) { // no match
85 continue;
86 }
87 }
88
89 if(cert.subject_dn() == subject_dn) {
90 matches.push_back(cert);
91 }
92 }
93
94 return matches;
95}
96
97std::optional<X509_Certificate> Certificate_Store_In_Memory::find_cert_by_pubkey_sha1(
98 const std::vector<uint8_t>& key_hash) const {
99 if(key_hash.size() != 20) {
100 throw Invalid_Argument("Certificate_Store_In_Memory::find_cert_by_pubkey_sha1 invalid hash");
101 }
102
103 auto hash = HashFunction::create_or_throw("SHA-1");
104
105 for(const auto& cert : m_certs) {
106 hash->update(cert.subject_public_key_bitstring());
107 if(key_hash == hash->final_stdvec()) { //final_stdvec also clears the hash to initial state
108 return cert;
109 }
110 }
111
112 return std::nullopt;
113}
114
115std::optional<X509_Certificate> Certificate_Store_In_Memory::find_cert_by_raw_subject_dn_sha256(
116 const std::vector<uint8_t>& subject_hash) const {
117 if(subject_hash.size() != 32) {
118 throw Invalid_Argument("Certificate_Store_In_Memory::find_cert_by_raw_subject_dn_sha256 invalid hash");
119 }
120
121 auto hash = HashFunction::create_or_throw("SHA-256");
122
123 for(const auto& cert : m_certs) {
124 hash->update(cert.raw_subject_dn());
125 if(subject_hash == hash->final_stdvec()) { //final_stdvec also clears the hash to initial state
126 return cert;
127 }
128 }
129
130 return std::nullopt;
131}
132
133std::optional<X509_Certificate> Certificate_Store_In_Memory::find_cert_by_issuer_dn_and_serial_number(
134 const X509_DN& issuer_dn, std::span<const uint8_t> serial_number) const {
135 for(const auto& cert : m_certs) {
136 if(cert.issuer_dn() == issuer_dn && std::ranges::equal(cert.serial_number(), serial_number)) {
137 return cert;
138 }
139 }
140
141 return std::nullopt;
142}
143
144void Certificate_Store_In_Memory::add_crl(const X509_CRL& crl) {
145 const X509_DN& crl_issuer = crl.issuer_dn();
146
147 for(auto& c : m_crls) {
148 // Found an update of a previously existing one; replace it
149 if(c.issuer_dn() == crl_issuer) {
150 if(c.this_update() <= crl.this_update()) {
151 c = crl;
152 }
153 return;
154 }
155 }
156
157 // Totally new CRL, add to the list
158 m_crls.push_back(crl);
159}
160
161std::optional<X509_CRL> Certificate_Store_In_Memory::find_crl_for(const X509_Certificate& subject) const {
162 const std::vector<uint8_t>& key_id = subject.authority_key_id();
163
164 for(const auto& c : m_crls) {
165 // Only compare key ids if set in both call and in the CRL
166 if(!key_id.empty()) {
167 const std::vector<uint8_t>& akid = c.authority_key_id();
168
169 if(!akid.empty() && akid != key_id) { // no match
170 continue;
171 }
172 }
173
174 if(c.issuer_dn() == subject.issuer_dn()) {
175 return c;
176 }
177 }
178
179 return {};
180}
181
185
190
191#if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
192Certificate_Store_In_Memory::Certificate_Store_In_Memory(std::string_view dir) {
193 if(dir.empty()) {
194 return;
195 }
196
197 std::vector<std::string> maybe_certs = get_files_recursive(dir);
198
199 if(maybe_certs.empty()) {
200 maybe_certs.push_back(std::string(dir));
201 }
202
203 for(auto&& cert_file : maybe_certs) {
204 try {
205 DataSource_Stream src(cert_file, true);
206 while(!src.end_of_data()) {
207 try {
208 X509_Certificate cert(src);
209 m_certs.push_back(cert);
210 } catch(std::exception&) {
211 // stop searching for other certificate at first exception
212 break;
213 }
214 }
215 } catch(std::exception&) {}
216 }
217}
218#endif
219
220} // namespace Botan
Botan::Certificate_Store_In_Memory::find_cert_by_issuer_dn_and_serial_number
std::optional< X509_Certificate > find_cert_by_issuer_dn_and_serial_number(const X509_DN &issuer_dn, std::span< const uint8_t > serial_number) const override
Definition certstor.cpp:133
Botan::Certificate_Store_In_Memory::find_all_certs
std::vector< X509_Certificate > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
Definition certstor.cpp:76
Botan::Certificate_Store_In_Memory::find_cert_by_pubkey_sha1
std::optional< X509_Certificate > find_cert_by_pubkey_sha1(const std::vector< uint8_t > &key_hash) const override
Definition certstor.cpp:97
Botan::Certificate_Store_In_Memory::find_cert
std::optional< X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
Definition certstor.cpp:56
Botan::Certificate_Store_In_Memory::Certificate_Store_In_Memory
Certificate_Store_In_Memory()=default
Botan::Certificate_Store_In_Memory::add_crl
void add_crl(const X509_CRL &crl)
Definition certstor.cpp:144
Botan::Certificate_Store_In_Memory::find_cert_by_raw_subject_dn_sha256
std::optional< X509_Certificate > find_cert_by_raw_subject_dn_sha256(const std::vector< uint8_t > &subject_hash) const override
Definition certstor.cpp:115
Botan::Certificate_Store_In_Memory::find_crl_for
std::optional< X509_CRL > find_crl_for(const X509_Certificate &subject) const override
Definition certstor.cpp:161
Botan::Certificate_Store_In_Memory::add_certificate
void add_certificate(const X509_Certificate &cert)
Definition certstor.cpp:37
Botan::Certificate_Store_In_Memory::all_subjects
std::vector< X509_DN > all_subjects() const override
Definition certstor.cpp:47
Botan::Certificate_Store::find_crl_for
virtual std::optional< X509_CRL > find_crl_for(const X509_Certificate &subject) const
Definition certstor.cpp:33
Botan::Certificate_Store::~Certificate_Store
virtual ~Certificate_Store()
Botan::Certificate_Store::find_all_certs
virtual std::vector< X509_Certificate > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const =0
Botan::Certificate_Store::find_cert
virtual std::optional< X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const
Definition certstor.cpp:21
Botan::HashFunction::create_or_throw
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:308
Botan::Invalid_Argument
Definition exceptn.h:131
Botan::X509_CRL
Definition x509_crl.h:90
Botan::X509_CRL::this_update
const X509_Time & this_update() const
Definition x509_crl.cpp:232
Botan::X509_CRL::issuer_dn
const X509_DN & issuer_dn() const
Definition x509_crl.cpp:211
Botan::X509_Certificate
Definition x509cert.h:36
Botan::X509_Certificate::authority_key_id
const std::vector< uint8_t > & authority_key_id() const
Definition x509cert.cpp:391
Botan::X509_Certificate::issuer_dn
const X509_DN & issuer_dn() const
Definition x509cert.cpp:407
Botan::X509_DN
Definition pkix_types.h:41
Botan::get_files_recursive
std::vector< std::string > get_files_recursive(std::string_view dir)
Definition filesystem.cpp:123
Generated by doxygen 1.15.0