Botan  2.6.0
Crypto and TLS for C++11
certstor.cpp
Go to the documentation of this file.
1 /*
2 * Certificate Store
3 * (C) 1999-2010,2013 Jack Lloyd
4 * (C) 2017 Fabian Weissberg, Rohde & Schwarz Cybersecurity
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/certstor.h>
10 #include <botan/internal/filesystem.h>
11 #include <botan/hash.h>
12 #include <botan/data_src.h>
13 
14 namespace Botan {
15 
16 std::shared_ptr<const X509_CRL> Certificate_Store::find_crl_for(const X509_Certificate&) const
17  {
18  return {};
19  }
20 
22  {
23  for(const auto& c : m_certs)
24  if(*c == cert)
25  return;
26 
27  m_certs.push_back(std::make_shared<const X509_Certificate>(cert));
28  }
29 
30 void Certificate_Store_In_Memory::add_certificate(std::shared_ptr<const X509_Certificate> cert)
31  {
32  for(const auto& c : m_certs)
33  if(*c == *cert)
34  return;
35 
36  m_certs.push_back(cert);
37  }
38 
39 std::vector<X509_DN> Certificate_Store_In_Memory::all_subjects() const
40  {
41  std::vector<X509_DN> subjects;
42  for(const auto& cert : m_certs)
43  subjects.push_back(cert->subject_dn());
44  return subjects;
45  }
46 
47 std::shared_ptr<const X509_Certificate>
49  const std::vector<uint8_t>& key_id) const
50  {
51  for(const auto& cert : m_certs)
52  {
53  // Only compare key ids if set in both call and in the cert
54  if(key_id.size())
55  {
56  std::vector<uint8_t> skid = cert->subject_key_id();
57 
58  if(skid.size() && skid != key_id) // no match
59  continue;
60  }
61 
62  if(cert->subject_dn() == subject_dn)
63  return cert;
64  }
65 
66  return nullptr;
67  }
68 
69 std::vector<std::shared_ptr<const X509_Certificate>> Certificate_Store_In_Memory::find_all_certs(
70  const X509_DN& subject_dn,
71  const std::vector<uint8_t>& key_id) const
72  {
73  std::vector<std::shared_ptr<const X509_Certificate>> matches;
74 
75  for(const auto& cert : m_certs)
76  {
77  if(key_id.size())
78  {
79  std::vector<uint8_t> skid = cert->subject_key_id();
80 
81  if(skid.size() && skid != key_id) // no match
82  continue;
83  }
84 
85  if(cert->subject_dn() == subject_dn)
86  matches.push_back(cert);
87  }
88 
89  return matches;
90  }
91 
92 std::shared_ptr<const X509_Certificate>
93 Certificate_Store_In_Memory::find_cert_by_pubkey_sha1(const std::vector<uint8_t>& key_hash) const
94  {
95  if(key_hash.size() != 20)
96  throw Invalid_Argument("Certificate_Store_In_Memory::find_cert_by_pubkey_sha1 invalid hash");
97 
98  std::unique_ptr<HashFunction> hash(HashFunction::create("SHA-1"));
99 
100  for(const auto& cert : m_certs){
101  hash->update(cert->subject_public_key_bitstring());
102  if(key_hash == hash->final_stdvec()) //final_stdvec also clears the hash to initial state
103  return cert;
104  }
105 
106  return nullptr;
107  }
108 
109 std::shared_ptr<const X509_Certificate>
110 Certificate_Store_In_Memory::find_cert_by_raw_subject_dn_sha256(const std::vector<uint8_t>& subject_hash) const
111  {
112  if(subject_hash.size() != 32)
113  throw Invalid_Argument("Certificate_Store_In_Memory::find_cert_by_raw_subject_dn_sha256 invalid hash");
114 
115  std::unique_ptr<HashFunction> hash(HashFunction::create("SHA-256"));
116 
117  for(const auto& cert : m_certs){
118  hash->update(cert->raw_subject_dn());
119  if(subject_hash == hash->final_stdvec()) //final_stdvec also clears the hash to initial state
120  return cert;
121  }
122 
123  return nullptr;
124  }
125 
127  {
128  std::shared_ptr<const X509_CRL> crl_s = std::make_shared<const X509_CRL>(crl);
129  return add_crl(crl_s);
130  }
131 
132 void Certificate_Store_In_Memory::add_crl(std::shared_ptr<const X509_CRL> crl)
133  {
134  X509_DN crl_issuer = crl->issuer_dn();
135 
136  for(auto& c : m_crls)
137  {
138  // Found an update of a previously existing one; replace it
139  if(c->issuer_dn() == crl_issuer)
140  {
141  if(c->this_update() <= crl->this_update())
142  c = crl;
143  return;
144  }
145  }
146 
147  // Totally new CRL, add to the list
148  m_crls.push_back(crl);
149  }
150 
151 std::shared_ptr<const X509_CRL> Certificate_Store_In_Memory::find_crl_for(const X509_Certificate& subject) const
152  {
153  const std::vector<uint8_t>& key_id = subject.authority_key_id();
154 
155  for(const auto& c : m_crls)
156  {
157  // Only compare key ids if set in both call and in the CRL
158  if(key_id.size())
159  {
160  std::vector<uint8_t> akid = c->authority_key_id();
161 
162  if(akid.size() && akid != key_id) // no match
163  continue;
164  }
165 
166  if(c->issuer_dn() == subject.issuer_dn())
167  return c;
168  }
169 
170  return {};
171  }
172 
174  {
175  add_certificate(cert);
176  }
177 
178 #if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
180  {
181  if(dir.empty())
182  return;
183 
184  std::vector<std::string> maybe_certs = get_files_recursive(dir);
185 
186  if(maybe_certs.empty())
187  {
188  maybe_certs.push_back(dir);
189  }
190 
191  for(auto&& cert_file : maybe_certs)
192  {
193  try
194  {
195  DataSource_Stream src(cert_file, true);
196  while(!src.end_of_data())
197  {
198  try
199  {
200  m_certs.push_back(std::make_shared<X509_Certificate>(src));
201  }
202  catch(std::exception&)
203  {
204  // stop searching for other certificate at first exception
205  break;
206  }
207  }
208  }
209  catch(std::exception&)
210  {
211  }
212  }
213  }
214 #endif
215 
216 }
std::vector< std::shared_ptr< const X509_Certificate > > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
Definition: certstor.cpp:69
std::shared_ptr< const X509_Certificate > find_cert_by_raw_subject_dn_sha256(const std::vector< uint8_t > &subject_hash) const override
Definition: certstor.cpp:110
virtual std::shared_ptr< const X509_CRL > find_crl_for(const X509_Certificate &subject) const
Definition: certstor.cpp:16
std::shared_ptr< const X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
Definition: certstor.cpp:48
const std::vector< uint8_t > & authority_key_id() const
Definition: x509cert.cpp:403
std::shared_ptr< const X509_CRL > find_crl_for(const X509_Certificate &subject) const override
Definition: certstor.cpp:151
bool matches(DataSource &source, const std::string &extra, size_t search_range)
Definition: pem.cpp:142
std::vector< X509_DN > all_subjects() const override
Definition: certstor.cpp:39
static std::unique_ptr< HashFunction > create(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:106
const X509_DN & issuer_dn() const
Definition: x509cert.cpp:424
Definition: alg_id.cpp:13
void add_certificate(const X509_Certificate &cert)
Definition: certstor.cpp:21
std::shared_ptr< const X509_Certificate > find_cert_by_pubkey_sha1(const std::vector< uint8_t > &key_hash) const override
Definition: certstor.cpp:93
void add_crl(const X509_CRL &crl)
Definition: certstor.cpp:126
std::vector< std::string > get_files_recursive(const std::string &dir)
Definition: filesystem.cpp:178
MechanismType hash