Botan  2.18.1
Crypto and TLS for C++11
certstor.cpp
Go to the documentation of this file.
1 /*
2 * Certificate Store
3 * (C) 1999-2010,2013 Jack Lloyd
4 * (C) 2017 Fabian Weissberg, Rohde & Schwarz Cybersecurity
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/certstor.h>
10 #include <botan/pkix_types.h>
11 #include <botan/internal/filesystem.h>
12 #include <botan/hash.h>
13 #include <botan/data_src.h>
14 
15 namespace Botan {
16 
18 
19 std::shared_ptr<const X509_Certificate>
20 Certificate_Store::find_cert(const X509_DN& subject_dn, const std::vector<uint8_t>& key_id) const
21  {
22  const auto certs = find_all_certs(subject_dn, key_id);
23 
24  if(certs.empty())
25  {
26  return nullptr; // certificate not found
27  }
28 
29  // `count` might be greater than 1, but we'll just select the first match
30  return certs.front();
31  }
32 
33 std::shared_ptr<const X509_CRL> Certificate_Store::find_crl_for(const X509_Certificate&) const
34  {
35  return {};
36  }
37 
39  {
40  for(const auto& c : m_certs)
41  if(*c == cert)
42  return;
43 
44  m_certs.push_back(std::make_shared<const X509_Certificate>(cert));
45  }
46 
47 void Certificate_Store_In_Memory::add_certificate(std::shared_ptr<const X509_Certificate> cert)
48  {
49  for(const auto& c : m_certs)
50  if(*c == *cert)
51  return;
52 
53  m_certs.push_back(cert);
54  }
55 
56 std::vector<X509_DN> Certificate_Store_In_Memory::all_subjects() const
57  {
58  std::vector<X509_DN> subjects;
59  for(const auto& cert : m_certs)
60  subjects.push_back(cert->subject_dn());
61  return subjects;
62  }
63 
64 std::shared_ptr<const X509_Certificate>
66  const std::vector<uint8_t>& key_id) const
67  {
68  for(const auto& cert : m_certs)
69  {
70  // Only compare key ids if set in both call and in the cert
71  if(key_id.size())
72  {
73  std::vector<uint8_t> skid = cert->subject_key_id();
74 
75  if(skid.size() && skid != key_id) // no match
76  continue;
77  }
78 
79  if(cert->subject_dn() == subject_dn)
80  return cert;
81  }
82 
83  return nullptr;
84  }
85 
86 std::vector<std::shared_ptr<const X509_Certificate>> Certificate_Store_In_Memory::find_all_certs(
87  const X509_DN& subject_dn,
88  const std::vector<uint8_t>& key_id) const
89  {
90  std::vector<std::shared_ptr<const X509_Certificate>> matches;
91 
92  for(const auto& cert : m_certs)
93  {
94  if(key_id.size())
95  {
96  std::vector<uint8_t> skid = cert->subject_key_id();
97 
98  if(skid.size() && skid != key_id) // no match
99  continue;
100  }
101 
102  if(cert->subject_dn() == subject_dn)
103  matches.push_back(cert);
104  }
105 
106  return matches;
107  }
108 
109 std::shared_ptr<const X509_Certificate>
110 Certificate_Store_In_Memory::find_cert_by_pubkey_sha1(const std::vector<uint8_t>& key_hash) const
111  {
112  if(key_hash.size() != 20)
113  throw Invalid_Argument("Certificate_Store_In_Memory::find_cert_by_pubkey_sha1 invalid hash");
114 
115  std::unique_ptr<HashFunction> hash(HashFunction::create("SHA-1"));
116 
117  for(const auto& cert : m_certs){
118  hash->update(cert->subject_public_key_bitstring());
119  if(key_hash == hash->final_stdvec()) //final_stdvec also clears the hash to initial state
120  return cert;
121  }
122 
123  return nullptr;
124  }
125 
126 std::shared_ptr<const X509_Certificate>
127 Certificate_Store_In_Memory::find_cert_by_raw_subject_dn_sha256(const std::vector<uint8_t>& subject_hash) const
128  {
129  if(subject_hash.size() != 32)
130  throw Invalid_Argument("Certificate_Store_In_Memory::find_cert_by_raw_subject_dn_sha256 invalid hash");
131 
132  std::unique_ptr<HashFunction> hash(HashFunction::create("SHA-256"));
133 
134  for(const auto& cert : m_certs){
135  hash->update(cert->raw_subject_dn());
136  if(subject_hash == hash->final_stdvec()) //final_stdvec also clears the hash to initial state
137  return cert;
138  }
139 
140  return nullptr;
141  }
142 
144  {
145  std::shared_ptr<const X509_CRL> crl_s = std::make_shared<const X509_CRL>(crl);
146  return add_crl(crl_s);
147  }
148 
149 void Certificate_Store_In_Memory::add_crl(std::shared_ptr<const X509_CRL> crl)
150  {
151  X509_DN crl_issuer = crl->issuer_dn();
152 
153  for(auto& c : m_crls)
154  {
155  // Found an update of a previously existing one; replace it
156  if(c->issuer_dn() == crl_issuer)
157  {
158  if(c->this_update() <= crl->this_update())
159  c = crl;
160  return;
161  }
162  }
163 
164  // Totally new CRL, add to the list
165  m_crls.push_back(crl);
166  }
167 
168 std::shared_ptr<const X509_CRL> Certificate_Store_In_Memory::find_crl_for(const X509_Certificate& subject) const
169  {
170  const std::vector<uint8_t>& key_id = subject.authority_key_id();
171 
172  for(const auto& c : m_crls)
173  {
174  // Only compare key ids if set in both call and in the CRL
175  if(key_id.size())
176  {
177  std::vector<uint8_t> akid = c->authority_key_id();
178 
179  if(akid.size() && akid != key_id) // no match
180  continue;
181  }
182 
183  if(c->issuer_dn() == subject.issuer_dn())
184  return c;
185  }
186 
187  return {};
188  }
189 
191  {
192  add_certificate(cert);
193  }
194 
195 #if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
197  {
198  if(dir.empty())
199  return;
200 
201  std::vector<std::string> maybe_certs = get_files_recursive(dir);
202 
203  if(maybe_certs.empty())
204  {
205  maybe_certs.push_back(dir);
206  }
207 
208  for(auto&& cert_file : maybe_certs)
209  {
210  try
211  {
212  DataSource_Stream src(cert_file, true);
213  while(!src.end_of_data())
214  {
215  try
216  {
217  m_certs.push_back(std::make_shared<X509_Certificate>(src));
218  }
219  catch(std::exception&)
220  {
221  // stop searching for other certificate at first exception
222  break;
223  }
224  }
225  }
226  catch(std::exception&)
227  {
228  }
229  }
230  }
231 #endif
232 
233 }
std::vector< std::shared_ptr< const X509_Certificate > > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
Definition: certstor.cpp:86
std::shared_ptr< const X509_Certificate > find_cert_by_raw_subject_dn_sha256(const std::vector< uint8_t > &subject_hash) const override
Definition: certstor.cpp:127
virtual std::shared_ptr< const X509_CRL > find_crl_for(const X509_Certificate &subject) const
Definition: certstor.cpp:33
std::shared_ptr< const X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
Definition: certstor.cpp:65
const std::vector< uint8_t > & authority_key_id() const
Definition: x509cert.cpp:450
std::shared_ptr< const X509_CRL > find_crl_for(const X509_Certificate &subject) const override
Definition: certstor.cpp:168
bool matches(DataSource &source, const std::string &extra, size_t search_range)
Definition: pem.cpp:142
std::vector< X509_DN > all_subjects() const override
Definition: certstor.cpp:56
static std::unique_ptr< HashFunction > create(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:106
virtual std::shared_ptr< const X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const
Definition: certstor.cpp:20
const X509_DN & issuer_dn() const
Definition: x509cert.cpp:471
Definition: alg_id.cpp:13
void add_certificate(const X509_Certificate &cert)
Definition: certstor.cpp:38
std::shared_ptr< const X509_Certificate > find_cert_by_pubkey_sha1(const std::vector< uint8_t > &key_hash) const override
Definition: certstor.cpp:110
virtual ~Certificate_Store()
Definition: certstor.cpp:17
void add_crl(const X509_CRL &crl)
Definition: certstor.cpp:143
std::vector< std::string > get_files_recursive(const std::string &dir)
Definition: filesystem.cpp:126
MechanismType hash
virtual std::vector< std::shared_ptr< const X509_Certificate > > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const =0