1 /*
2 * Certificate Store
3 * (C) 1999-2010,2013 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #ifndef BOTAN_CERT_STORE_H_
9 #define BOTAN_CERT_STORE_H_
10 
11 #include <botan/x509cert.h>
12 #include <botan/x509_crl.h>
13 
14 namespace Botan {
15 
16 /**
17 * Certificate Store Interface
18 */
20  {
21  public:
22  virtual ~Certificate_Store();
23 
24  /**
25  * Find a certificate by Subject DN and (optionally) key identifier
26  * @param subject_dn the subject's distinguished name
27  * @param key_id an optional key id
28  * @return a matching certificate, or nullptr if none is found. If more
29  * than one certificate in the store matches, one of them is selected
30  * arbitrarily.
31  */
32  virtual std::shared_ptr<const X509_Certificate>
33  find_cert(const X509_DN& subject_dn, const std::vector<uint8_t>& key_id) const;
34 
35  /**
36  * Find all certificates with a given Subject DN.
37  * Subject DN and even the key identifier might not be unique.
38  */
39  virtual std::vector<std::shared_ptr<const X509_Certificate>> find_all_certs(
40  const X509_DN& subject_dn, const std::vector<uint8_t>& key_id) const = 0;
41 
42 
43  /**
44  * Find a certificate by searching for one with a matching SHA-1 hash of
45  * public key. Used for OCSP.
46  * @param key_hash SHA-1 hash of the subject's public key
47  * @return a matching certificate or nullptr otherwise
48  */
49  virtual std::shared_ptr<const X509_Certificate>
50  find_cert_by_pubkey_sha1(const std::vector<uint8_t>& key_hash) const = 0;
51 
52  /**
53  * Find a certificate by searching for one with a matching SHA-256 hash of
54  * raw subject name. Used for OCSP.
55  * @param subject_hash SHA-256 hash of the subject's raw name
56  * @return a matching certificate or nullptr otherwise
57  */
58  virtual std::shared_ptr<const X509_Certificate>
59  find_cert_by_raw_subject_dn_sha256(const std::vector<uint8_t>& subject_hash) const = 0;
60 
61  /**
62  * Finds a CRL for the given certificate
63  * @param subject the subject certificate
64  * @return the CRL for subject or nullptr otherwise
65  */
66  virtual std::shared_ptr<const X509_CRL> find_crl_for(const X509_Certificate& subject) const;
67 
/**
* Check whether a certificate matching @p cert is present in the store.
*
* The lookup goes through find_cert() using only the subject DN and the
* subject key identifier taken from @p cert; a hit is reported if that
* lookup returns anything. The stored certificate is not compared
* byte-for-byte with @p cert, so another certificate carrying the same
* subject DN and key identifier is also reported as known, and find_cert()
* is documented above to choose arbitrarily when several match.
*
* @param cert certificate to look for
* @return true if find_cert() yields a certificate for the subject DN and
*         subject key id of @p cert, false otherwise
*/
bool certificate_known(const X509_Certificate& cert) const
   {
   const auto match = find_cert(cert.subject_dn(), cert.subject_key_id());
   return static_cast<bool>(match);
   }
76 
77  // TODO: remove this (still used by TLS::Server)
78  virtual std::vector<X509_DN> all_subjects() const = 0;
79  };
80 
81 /**
82 * In Memory Certificate Store
83 */
85  {
86  public:
87  /**
88  * Attempt to parse every file in dir (recursing into subdirectories)
89  * as a certificate. Files that fail to parse are skipped silently.
90  */
91  explicit Certificate_Store_In_Memory(const std::string& dir);
92 
93  /**
94  * Create a store holding the given certificate.
95  */
96  explicit Certificate_Store_In_Memory(const X509_Certificate& cert);
97 
98  /**
99  * Create an empty store.
100  */
101  Certificate_Store_In_Memory() = default;
102 
103  /**
104  * Add a certificate to the store.
105  * @param cert certificate to be added
106  */
107  void add_certificate(const X509_Certificate& cert);
108 
109  /**
110  * Add a certificate already in a shared_ptr to the store.
111  * @param cert certificate to be added
112  */
113  void add_certificate(std::shared_ptr<const X509_Certificate> cert);
114 
115  /**
116  * Add a certificate revocation list (CRL) to the store.
117  * @param crl CRL to be added
118  */
119  void add_crl(const X509_CRL& crl);
120 
121  /**
122  * Add a certificate revocation list (CRL) to the store as a shared_ptr
123  * @param crl CRL to be added
124  */
125  void add_crl(std::shared_ptr<const X509_CRL> crl);
126 
127  /**
128  * @return DNs for all certificates managed by the store
129  */
130  std::vector<X509_DN> all_subjects() const override;
131 
132  /**
133  * Find a certificate by Subject DN and (optionally) key identifier
134  * @return the first certificate that matches, or nullptr if none does
135  */
136  std::shared_ptr<const X509_Certificate> find_cert(
137  const X509_DN& subject_dn,
138  const std::vector<uint8_t>& key_id) const override;
139 
140  /**
141  * Find all certificates with a given Subject DN.
142  * Subject DN and even the key identifier might not be unique.
143  */
144  std::vector<std::shared_ptr<const X509_Certificate>> find_all_certs(
145  const X509_DN& subject_dn, const std::vector<uint8_t>& key_id) const override;
146 
147  std::shared_ptr<const X509_Certificate>
148  find_cert_by_pubkey_sha1(const std::vector<uint8_t>& key_hash) const override;
149 
150  std::shared_ptr<const X509_Certificate>
151  find_cert_by_raw_subject_dn_sha256(const std::vector<uint8_t>& subject_hash) const override;
152 
153  /**
154  * Finds a CRL for the given certificate
155  */
156  std::shared_ptr<const X509_CRL> find_crl_for(const X509_Certificate& subject) const override;
157  private:
158  // TODO: Add indexing on the DN and key id to avoid linear search
159  std::vector<std::shared_ptr<const X509_Certificate>> m_certs;
160  std::vector<std::shared_ptr<const X509_CRL>> m_crls;
161  };
162 
163 }
164 
165 #endif