Botan 3.11.0
Crypto and TLS for C&
certstor.cpp
Go to the documentation of this file.
1/*
2* Certificate Store
3* (C) 1999-2010,2013 Jack Lloyd
4* (C) 2017 Fabian Weissberg, Rohde & Schwarz Cybersecurity
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/certstor.h>
10
11#include <botan/asn1_time.h>
12#include <botan/data_src.h>
13#include <botan/hash.h>
14#include <botan/pkix_types.h>
15#include <botan/internal/filesystem.h>
16#include <algorithm>
17
18namespace Botan {
19
20Certificate_Store::~Certificate_Store() = default;
21
22std::optional<X509_Certificate> Certificate_Store::find_cert(const X509_DN& subject_dn,
23 const std::vector<uint8_t>& key_id) const {
24 const auto certs = find_all_certs(subject_dn, key_id);
25
26 if(certs.empty()) {
27 return std::nullopt;
28 }
29
30 // `count` might be greater than 1, but we'll just select the first match
31 return certs.front();
32}
33
34std::optional<X509_CRL> Certificate_Store::find_crl_for(const X509_Certificate& /*unused*/) const {
35 return std::nullopt;
36}
37
38void Certificate_Store_In_Memory::add_certificate(const X509_Certificate& cert) {
39 for(const auto& c : m_certs) {
40 if(c == cert) {
41 return;
42 }
43 }
44
45 m_certs.push_back(cert);
46}
47
48std::vector<X509_DN> Certificate_Store_In_Memory::all_subjects() const {
49 std::vector<X509_DN> subjects;
50 subjects.reserve(m_certs.size());
51 for(const auto& cert : m_certs) {
52 subjects.push_back(cert.subject_dn());
53 }
54 return subjects;
55}
56
57std::optional<X509_Certificate> Certificate_Store_In_Memory::find_cert(const X509_DN& subject_dn,
58 const std::vector<uint8_t>& key_id) const {
59 for(const auto& cert : m_certs) {
60 // Only compare key ids if set in both call and in the cert
61 if(!key_id.empty()) {
62 const std::vector<uint8_t>& skid = cert.subject_key_id();
63
64 if(!skid.empty() && skid != key_id) { // no match
65 continue;
66 }
67 }
68
69 if(cert.subject_dn() == subject_dn) {
70 return cert;
71 }
72 }
73
74 return std::nullopt;
75}
76
77std::vector<X509_Certificate> Certificate_Store_In_Memory::find_all_certs(const X509_DN& subject_dn,
78 const std::vector<uint8_t>& key_id) const {
79 std::vector<X509_Certificate> matches;
80
81 for(const auto& cert : m_certs) {
82 if(!key_id.empty()) {
83 const std::vector<uint8_t>& skid = cert.subject_key_id();
84
85 if(!skid.empty() && skid != key_id) { // no match
86 continue;
87 }
88 }
89
90 if(cert.subject_dn() == subject_dn) {
91 matches.push_back(cert);
92 }
93 }
94
95 return matches;
96}
97
98std::optional<X509_Certificate> Certificate_Store_In_Memory::find_cert_by_pubkey_sha1(
99 const std::vector<uint8_t>& key_hash) const {
100 if(key_hash.size() != 20) {
101 throw Invalid_Argument("Certificate_Store_In_Memory::find_cert_by_pubkey_sha1 invalid hash");
102 }
103
104 auto hash = HashFunction::create_or_throw("SHA-1");
105
106 for(const auto& cert : m_certs) {
107 hash->update(cert.subject_public_key_bitstring());
108 if(key_hash == hash->final_stdvec()) { //final_stdvec also clears the hash to initial state
109 return cert;
110 }
111 }
112
113 return std::nullopt;
114}
115
116std::optional<X509_Certificate> Certificate_Store_In_Memory::find_cert_by_raw_subject_dn_sha256(
117 const std::vector<uint8_t>& subject_hash) const {
118 if(subject_hash.size() != 32) {
119 throw Invalid_Argument("Certificate_Store_In_Memory::find_cert_by_raw_subject_dn_sha256 invalid hash");
120 }
121
122 auto hash = HashFunction::create_or_throw("SHA-256");
123
124 for(const auto& cert : m_certs) {
125 hash->update(cert.raw_subject_dn());
126 if(subject_hash == hash->final_stdvec()) { //final_stdvec also clears the hash to initial state
127 return cert;
128 }
129 }
130
131 return std::nullopt;
132}
133
134std::optional<X509_Certificate> Certificate_Store_In_Memory::find_cert_by_issuer_dn_and_serial_number(
135 const X509_DN& issuer_dn, std::span<const uint8_t> serial_number) const {
136 for(const auto& cert : m_certs) {
137 if(cert.issuer_dn() == issuer_dn && std::ranges::equal(cert.serial_number(), serial_number)) {
138 return cert;
139 }
140 }
141
142 return std::nullopt;
143}
144
145void Certificate_Store_In_Memory::add_crl(const X509_CRL& crl) {
146 const X509_DN& crl_issuer = crl.issuer_dn();
147
148 for(auto& c : m_crls) {
149 // Found an update of a previously existing one; replace it
150 if(c.issuer_dn() == crl_issuer) {
151 if(c.this_update() <= crl.this_update()) {
152 c = crl;
153 }
154 return;
155 }
156 }
157
158 // Totally new CRL, add to the list
159 m_crls.push_back(crl);
160}
161
162std::optional<X509_CRL> Certificate_Store_In_Memory::find_crl_for(const X509_Certificate& subject) const {
163 const std::vector<uint8_t>& key_id = subject.authority_key_id();
164
165 for(const auto& c : m_crls) {
166 // Only compare key ids if set in both call and in the CRL
167 if(!key_id.empty()) {
168 const std::vector<uint8_t>& akid = c.authority_key_id();
169
170 if(!akid.empty() && akid != key_id) { // no match
171 continue;
172 }
173 }
174
175 if(c.issuer_dn() == subject.issuer_dn()) {
176 return c;
177 }
178 }
179
180 return {};
181}
182
186
191
192#if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
193Certificate_Store_In_Memory::Certificate_Store_In_Memory(std::string_view dir) {
194 if(dir.empty()) {
195 return;
196 }
197
198 std::vector<std::string> maybe_certs = get_files_recursive(dir);
199
200 if(maybe_certs.empty()) {
201 maybe_certs.push_back(std::string(dir));
202 }
203
204 for(auto&& cert_file : maybe_certs) {
205 try {
206 DataSource_Stream src(cert_file, true);
207 while(!src.end_of_data()) {
208 try {
209 const X509_Certificate cert(src);
210 m_certs.push_back(cert);
211 } catch(std::exception&) {
212 // stop searching for other certificate at first exception
213 break;
214 }
215 }
216 } catch(std::exception&) {}
217 }
218}
219#endif
220
221} // namespace Botan
Botan::Certificate_Store_In_Memory::find_cert_by_issuer_dn_and_serial_number
std::optional< X509_Certificate > find_cert_by_issuer_dn_and_serial_number(const X509_DN &issuer_dn, std::span< const uint8_t > serial_number) const override
Definition certstor.cpp:134
Botan::Certificate_Store_In_Memory::find_all_certs
std::vector< X509_Certificate > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
Definition certstor.cpp:77
Botan::Certificate_Store_In_Memory::find_cert_by_pubkey_sha1
std::optional< X509_Certificate > find_cert_by_pubkey_sha1(const std::vector< uint8_t > &key_hash) const override
Definition certstor.cpp:98
Botan::Certificate_Store_In_Memory::find_cert
std::optional< X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
Definition certstor.cpp:57
Botan::Certificate_Store_In_Memory::Certificate_Store_In_Memory
Certificate_Store_In_Memory()=default
Botan::Certificate_Store_In_Memory::add_crl
void add_crl(const X509_CRL &crl)
Definition certstor.cpp:145
Botan::Certificate_Store_In_Memory::find_cert_by_raw_subject_dn_sha256
std::optional< X509_Certificate > find_cert_by_raw_subject_dn_sha256(const std::vector< uint8_t > &subject_hash) const override
Definition certstor.cpp:116
Botan::Certificate_Store_In_Memory::find_crl_for
std::optional< X509_CRL > find_crl_for(const X509_Certificate &subject) const override
Definition certstor.cpp:162
Botan::Certificate_Store_In_Memory::add_certificate
void add_certificate(const X509_Certificate &cert)
Definition certstor.cpp:38
Botan::Certificate_Store_In_Memory::all_subjects
std::vector< X509_DN > all_subjects() const override
Definition certstor.cpp:48
Botan::Certificate_Store::find_crl_for
virtual std::optional< X509_CRL > find_crl_for(const X509_Certificate &subject) const
Definition certstor.cpp:34
Botan::Certificate_Store::~Certificate_Store
virtual ~Certificate_Store()
Botan::Certificate_Store::find_all_certs
virtual std::vector< X509_Certificate > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const =0
Botan::Certificate_Store::find_cert
virtual std::optional< X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const
Definition certstor.cpp:22
Botan::HashFunction::create_or_throw
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:308
Botan::Invalid_Argument
Definition exceptn.h:132
Botan::X509_CRL
Definition x509_crl.h:90
Botan::X509_CRL::this_update
const X509_Time & this_update() const
Definition x509_crl.cpp:235
Botan::X509_CRL::issuer_dn
const X509_DN & issuer_dn() const
Definition x509_crl.cpp:214
Botan::X509_Certificate
Definition x509cert.h:27
Botan::X509_Certificate::authority_key_id
const std::vector< uint8_t > & authority_key_id() const
Definition x509cert.cpp:394
Botan::X509_Certificate::issuer_dn
const X509_DN & issuer_dn() const
Definition x509cert.cpp:410
Botan::X509_DN
Definition pkix_types.h:41
Botan::get_files_recursive
std::vector< std::string > get_files_recursive(std::string_view dir)
Definition filesystem.cpp:123
Generated by doxygen 1.15.0