Botan 3.7.1
Crypto and TLS for C&
certstor_flatfile.cpp
Go to the documentation of this file.
1/*
2* Certificate Store
3* (C) 1999-2019 Jack Lloyd
4* (C) 2019 Patrick Schmidt
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/certstor_flatfile.h>
10
11#include <botan/assert.h>
12#include <botan/data_src.h>
13#include <botan/pem.h>
14#include <botan/pkix_types.h>
15#include <stdexcept>
16
17namespace Botan {
18namespace {
19std::vector<std::vector<uint8_t>> decode_all_certificates(DataSource& source) {
20 std::vector<std::vector<uint8_t>> pems;
21
22 while(!source.end_of_data()) {
23 std::string label;
24 std::vector<uint8_t> cert;
25 try {
26 cert = unlock(PEM_Code::decode(source, label));
27
28 if(label == "CERTIFICATE" || label == "X509 CERTIFICATE" || label == "TRUSTED CERTIFICATE") {
29 pems.push_back(cert);
30 }
31 } catch(const Decoding_Error&) {}
32 }
33
34 return pems;
35}
36} // namespace
37
38Flatfile_Certificate_Store::Flatfile_Certificate_Store(std::string_view file, bool ignore_non_ca) {
39 if(file.empty()) {
40 throw Invalid_Argument("Flatfile_Certificate_Store::Flatfile_Certificate_Store invalid file path");
41 }
42
43 DataSource_Stream file_stream(file);
44
45 for(const std::vector<uint8_t>& der : decode_all_certificates(file_stream)) {
46 X509_Certificate cert(der);
47
48 /*
49 * Various weird or misconfigured system roots include intermediate certificates,
50 * or even stranger certificates which are not valid for cert issuance at all.
51 * Previously this code would error on such cases as an obvious misconfiguration,
52 * but we cannot fix the trust store. So instead just ignore any such certificate.
53 */
54 if(cert.is_self_signed() && cert.is_CA_cert()) {
55 m_all_subjects.push_back(cert.subject_dn());
56 m_dn_to_cert[cert.subject_dn()].push_back(cert);
57 m_pubkey_sha1_to_cert.emplace(cert.subject_public_key_bitstring_sha1(), cert);
58 m_subject_dn_sha256_to_cert.emplace(cert.raw_subject_dn_sha256(), cert);
59 } else if(!ignore_non_ca) {
60 throw Invalid_Argument("Flatfile_Certificate_Store received non CA cert " + cert.subject_dn().to_string());
61 }
62 }
63
64 if(m_all_subjects.empty()) {
65 throw Invalid_Argument("Flatfile_Certificate_Store::Flatfile_Certificate_Store cert file is empty");
66 }
67}
68
69std::vector<X509_DN> Flatfile_Certificate_Store::all_subjects() const {
70 return m_all_subjects;
71}
72
73std::vector<X509_Certificate> Flatfile_Certificate_Store::find_all_certs(const X509_DN& subject_dn,
74 const std::vector<uint8_t>& key_id) const {
75 std::vector<X509_Certificate> found_certs;
76 try {
77 const auto certs = m_dn_to_cert.at(subject_dn);
78
79 for(const auto& cert : certs) {
80 if(key_id.empty() || key_id == cert.subject_key_id()) {
81 found_certs.push_back(cert);
82 }
83 }
84 } catch(const std::out_of_range&) {
85 return {};
86 }
87
88 return found_certs;
89}
90
92 const std::vector<uint8_t>& key_hash) const {
93 if(key_hash.size() != 20) {
94 throw Invalid_Argument("Flatfile_Certificate_Store::find_cert_by_pubkey_sha1 invalid hash");
95 }
96
97 auto found_cert = m_pubkey_sha1_to_cert.find(key_hash);
98
99 if(found_cert != m_pubkey_sha1_to_cert.end()) {
100 return found_cert->second;
101 }
102
103 return std::nullopt;
104}
105
107 const std::vector<uint8_t>& subject_hash) const {
108 if(subject_hash.size() != 32) {
109 throw Invalid_Argument("Flatfile_Certificate_Store::find_cert_by_raw_subject_dn_sha256 invalid hash");
110 }
111
112 auto found_cert = m_subject_dn_sha256_to_cert.find(subject_hash);
113
114 if(found_cert != m_subject_dn_sha256_to_cert.end()) {
115 return found_cert->second;
116 }
117
118 return std::nullopt;
119}
120
121std::optional<X509_CRL> Flatfile_Certificate_Store::find_crl_for(const X509_Certificate& subject) const {
122 BOTAN_UNUSED(subject);
123 return {};
124}
125} // namespace Botan
#define BOTAN_UNUSED
Definition assert.h:118
std::optional< X509_CRL > find_crl_for(const X509_Certificate &subject) const override
std::vector< X509_DN > all_subjects() const override
std::optional< X509_Certificate > find_cert_by_raw_subject_dn_sha256(const std::vector< uint8_t > &subject_hash) const override
std::vector< X509_Certificate > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
std::optional< X509_Certificate > find_cert_by_pubkey_sha1(const std::vector< uint8_t > &key_hash) const override
Flatfile_Certificate_Store(std::string_view file, bool ignore_non_ca=false)
bool is_CA_cert() const
Definition x509cert.cpp:421
const X509_DN & subject_dn() const
Definition x509cert.cpp:409
std::vector< uint8_t > raw_subject_dn_sha256() const
Definition x509cert.cpp:622
const std::vector< uint8_t > & subject_public_key_bitstring_sha1() const
Definition x509cert.cpp:381
bool is_self_signed() const
Definition x509cert.cpp:345
std::string to_string() const
Definition x509_dn.cpp:402
secure_vector< uint8_t > decode(DataSource &source, std::string &label)
Definition pem.cpp:62
std::vector< T > unlock(const secure_vector< T > &in)
Definition secmem.h:75