Botan 3.11.1
Crypto and TLS for C&
certstor.cpp
Go to the documentation of this file.
1/*
2* Certificate Store
3* (C) 1999-2010,2013 Jack Lloyd
4* (C) 2017 Fabian Weissberg, Rohde & Schwarz Cybersecurity
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/certstor.h>
10
11#include <botan/asn1_time.h>
12#include <botan/data_src.h>
13#include <botan/hash.h>
14#include <botan/pkix_types.h>
15#include <botan/internal/filesystem.h>
16#include <algorithm>
17
18namespace Botan {
19
20Certificate_Store::~Certificate_Store() = default;
21
22bool Certificate_Store::certificate_known(const X509_Certificate& searching) const {
23 for(const auto& cert : find_all_certs(searching.subject_dn(), searching.subject_key_id())) {
24 if(cert == searching) {
25 return true;
26 }
27 }
28
29 return false;
30}
31
32std::optional<X509_Certificate> Certificate_Store::find_cert(const X509_DN& subject_dn,
33 const std::vector<uint8_t>& key_id) const {
34 const auto certs = find_all_certs(subject_dn, key_id);
35
36 if(certs.empty()) {
37 return std::nullopt;
38 }
39
40 // `count` might be greater than 1, but we'll just select the first match
41 return certs.front();
42}
43
44std::optional<X509_CRL> Certificate_Store::find_crl_for(const X509_Certificate& /*unused*/) const {
45 return std::nullopt;
46}
47
48void Certificate_Store_In_Memory::add_certificate(const X509_Certificate& cert) {
49 for(const auto& c : m_certs) {
50 if(c == cert) {
51 return;
52 }
53 }
54
55 m_certs.push_back(cert);
56}
57
58std::vector<X509_DN> Certificate_Store_In_Memory::all_subjects() const {
59 std::vector<X509_DN> subjects;
60 subjects.reserve(m_certs.size());
61 for(const auto& cert : m_certs) {
62 subjects.push_back(cert.subject_dn());
63 }
64 return subjects;
65}
66
67std::optional<X509_Certificate> Certificate_Store_In_Memory::find_cert(const X509_DN& subject_dn,
68 const std::vector<uint8_t>& key_id) const {
69 for(const auto& cert : m_certs) {
70 // Only compare key ids if set in both call and in the cert
71 if(!key_id.empty()) {
72 const std::vector<uint8_t>& skid = cert.subject_key_id();
73
74 if(!skid.empty() && skid != key_id) { // no match
75 continue;
76 }
77 }
78
79 if(cert.subject_dn() == subject_dn) {
80 return cert;
81 }
82 }
83
84 return std::nullopt;
85}
86
87std::vector<X509_Certificate> Certificate_Store_In_Memory::find_all_certs(const X509_DN& subject_dn,
88 const std::vector<uint8_t>& key_id) const {
89 std::vector<X509_Certificate> matches;
90
91 for(const auto& cert : m_certs) {
92 if(!key_id.empty()) {
93 const std::vector<uint8_t>& skid = cert.subject_key_id();
94
95 if(!skid.empty() && skid != key_id) { // no match
96 continue;
97 }
98 }
99
100 if(cert.subject_dn() == subject_dn) {
101 matches.push_back(cert);
102 }
103 }
104
105 return matches;
106}
107
108std::optional<X509_Certificate> Certificate_Store_In_Memory::find_cert_by_pubkey_sha1(
109 const std::vector<uint8_t>& key_hash) const {
110 if(key_hash.size() != 20) {
111 throw Invalid_Argument("Certificate_Store_In_Memory::find_cert_by_pubkey_sha1 invalid hash");
112 }
113
114 auto hash = HashFunction::create_or_throw("SHA-1");
115
116 for(const auto& cert : m_certs) {
117 hash->update(cert.subject_public_key_bitstring());
118 if(key_hash == hash->final_stdvec()) { //final_stdvec also clears the hash to initial state
119 return cert;
120 }
121 }
122
123 return std::nullopt;
124}
125
126std::optional<X509_Certificate> Certificate_Store_In_Memory::find_cert_by_raw_subject_dn_sha256(
127 const std::vector<uint8_t>& subject_hash) const {
128 if(subject_hash.size() != 32) {
129 throw Invalid_Argument("Certificate_Store_In_Memory::find_cert_by_raw_subject_dn_sha256 invalid hash");
130 }
131
132 auto hash = HashFunction::create_or_throw("SHA-256");
133
134 for(const auto& cert : m_certs) {
135 hash->update(cert.raw_subject_dn());
136 if(subject_hash == hash->final_stdvec()) { //final_stdvec also clears the hash to initial state
137 return cert;
138 }
139 }
140
141 return std::nullopt;
142}
143
144std::optional<X509_Certificate> Certificate_Store_In_Memory::find_cert_by_issuer_dn_and_serial_number(
145 const X509_DN& issuer_dn, std::span<const uint8_t> serial_number) const {
146 for(const auto& cert : m_certs) {
147 if(cert.issuer_dn() == issuer_dn && std::ranges::equal(cert.serial_number(), serial_number)) {
148 return cert;
149 }
150 }
151
152 return std::nullopt;
153}
154
155void Certificate_Store_In_Memory::add_crl(const X509_CRL& crl) {
156 const X509_DN& crl_issuer = crl.issuer_dn();
157
158 for(auto& c : m_crls) {
159 // Found an update of a previously existing one; replace it
160 if(c.issuer_dn() == crl_issuer) {
161 if(c.this_update() <= crl.this_update()) {
162 c = crl;
163 }
164 return;
165 }
166 }
167
168 // Totally new CRL, add to the list
169 m_crls.push_back(crl);
170}
171
172std::optional<X509_CRL> Certificate_Store_In_Memory::find_crl_for(const X509_Certificate& subject) const {
173 const std::vector<uint8_t>& key_id = subject.authority_key_id();
174
175 for(const auto& c : m_crls) {
176 // Only compare key ids if set in both call and in the CRL
177 if(!key_id.empty()) {
178 const std::vector<uint8_t>& akid = c.authority_key_id();
179
180 if(!akid.empty() && akid != key_id) { // no match
181 continue;
182 }
183 }
184
185 if(c.issuer_dn() == subject.issuer_dn()) {
186 return c;
187 }
188 }
189
190 return {};
191}
192
196
201
202#if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
203Certificate_Store_In_Memory::Certificate_Store_In_Memory(std::string_view dir) {
204 if(dir.empty()) {
205 return;
206 }
207
208 std::vector<std::string> maybe_certs = get_files_recursive(dir);
209
210 if(maybe_certs.empty()) {
211 maybe_certs.push_back(std::string(dir));
212 }
213
214 for(auto&& cert_file : maybe_certs) {
215 try {
216 DataSource_Stream src(cert_file, true);
217 while(!src.end_of_data()) {
218 try {
219 const X509_Certificate cert(src);
220 m_certs.push_back(cert);
221 } catch(std::exception&) {
222 // stop searching for other certificate at first exception
223 break;
224 }
225 }
226 } catch(std::exception&) {}
227 }
228}
229#endif
230
231} // namespace Botan
Botan::Certificate_Store_In_Memory::find_cert_by_issuer_dn_and_serial_number
std::optional< X509_Certificate > find_cert_by_issuer_dn_and_serial_number(const X509_DN &issuer_dn, std::span< const uint8_t > serial_number) const override
Definition certstor.cpp:144
Botan::Certificate_Store_In_Memory::find_all_certs
std::vector< X509_Certificate > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
Definition certstor.cpp:87
Botan::Certificate_Store_In_Memory::find_cert_by_pubkey_sha1
std::optional< X509_Certificate > find_cert_by_pubkey_sha1(const std::vector< uint8_t > &key_hash) const override
Definition certstor.cpp:108
Botan::Certificate_Store_In_Memory::find_cert
std::optional< X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
Definition certstor.cpp:67
Botan::Certificate_Store_In_Memory::Certificate_Store_In_Memory
Certificate_Store_In_Memory()=default
Botan::Certificate_Store_In_Memory::add_crl
void add_crl(const X509_CRL &crl)
Definition certstor.cpp:155
Botan::Certificate_Store_In_Memory::find_cert_by_raw_subject_dn_sha256
std::optional< X509_Certificate > find_cert_by_raw_subject_dn_sha256(const std::vector< uint8_t > &subject_hash) const override
Definition certstor.cpp:126
Botan::Certificate_Store_In_Memory::find_crl_for
std::optional< X509_CRL > find_crl_for(const X509_Certificate &subject) const override
Definition certstor.cpp:172
Botan::Certificate_Store_In_Memory::add_certificate
void add_certificate(const X509_Certificate &cert)
Definition certstor.cpp:48
Botan::Certificate_Store_In_Memory::all_subjects
std::vector< X509_DN > all_subjects() const override
Definition certstor.cpp:58
Botan::Certificate_Store::find_crl_for
virtual std::optional< X509_CRL > find_crl_for(const X509_Certificate &subject) const
Definition certstor.cpp:44
Botan::Certificate_Store::certificate_known
bool certificate_known(const X509_Certificate &cert) const
Definition certstor.cpp:22
Botan::Certificate_Store::~Certificate_Store
virtual ~Certificate_Store()
Botan::Certificate_Store::find_all_certs
virtual std::vector< X509_Certificate > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const =0
Botan::Certificate_Store::find_cert
virtual std::optional< X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const
Definition certstor.cpp:32
Botan::HashFunction::create_or_throw
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:308
Botan::Invalid_Argument
Definition exceptn.h:132
Botan::X509_CRL
Definition x509_crl.h:90
Botan::X509_CRL::this_update
const X509_Time & this_update() const
Definition x509_crl.cpp:235
Botan::X509_CRL::issuer_dn
const X509_DN & issuer_dn() const
Definition x509_crl.cpp:214
Botan::X509_Certificate
Definition x509cert.h:27
Botan::X509_Certificate::subject_dn
const X509_DN & subject_dn() const
Definition x509cert.cpp:414
Botan::X509_Certificate::authority_key_id
const std::vector< uint8_t > & authority_key_id() const
Definition x509cert.cpp:394
Botan::X509_Certificate::subject_key_id
const std::vector< uint8_t > & subject_key_id() const
Definition x509cert.cpp:398
Botan::X509_Certificate::issuer_dn
const X509_DN & issuer_dn() const
Definition x509cert.cpp:410
Botan::X509_DN
Definition pkix_types.h:41
Botan::get_files_recursive
std::vector< std::string > get_files_recursive(std::string_view dir)
Definition filesystem.cpp:123
Generated by doxygen 1.15.0