doxygen/certstor__sql_8cpp_source.html

/*

* Certificate Store in SQL

* (C) 2016 Kai Michaelis, Rohde & Schwarz Cybersecurity

* (C) 2018 Jack Lloyd

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/certstor_sql.h>


#include <botan/asn1_obj.h>

#include <botan/asn1_time.h>

#include <botan/ber_dec.h>

#include <botan/data_src.h>

#include <botan/pk_keys.h>

#include <botan/pkcs8.h>

#include <botan/pkix_types.h>


namespace Botan {


Certificate_Store_In_SQL::Certificate_Store_In_SQL(std::shared_ptr<SQL_Database> db,

                                                   std::string_view passwd,

                                                   RandomNumberGenerator& rng,

                                                   std::string_view table_prefix) :

      m_rng(rng), m_database(std::move(db)), m_prefix(table_prefix), m_password(passwd) {

   m_database->create_table("CREATE TABLE IF NOT EXISTS " + m_prefix +

                            "certificates (                \

                                 fingerprint       BLOB PRIMARY KEY,   \

                                 subject_dn        BLOB,               \

                                 key_id            BLOB,               \

                                 priv_fingerprint  BLOB,               \

                                 certificate       BLOB UNIQUE NOT NULL\

                             )");

   m_database->create_table("CREATE TABLE IF NOT EXISTS " + m_prefix +

                            "keys (\

                                 fingerprint BLOB PRIMARY KEY,                \

                                 key         BLOB UNIQUE NOT NULL             \

                             )");

   m_database->create_table("CREATE TABLE IF NOT EXISTS " + m_prefix +

                            "revoked (\

                                 fingerprint BLOB PRIMARY KEY,                   \

                                 reason      BLOB NOT NULL,                      \

                                 time        BLOB NOT NULL                       \

                            )");

}


// Certificate handling


std::optional<X509_Certificate> Certificate_Store_In_SQL::find_cert(const X509_DN& subject_dn,

                                                                    const std::vector<uint8_t>& key_id) const {

   std::shared_ptr<SQL_Database::Statement> stmt;


   const std::vector<uint8_t> dn_encoding = subject_dn.BER_encode();


   if(key_id.empty()) {

      stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix +

                                       "certificates WHERE subject_dn == ?1 LIMIT 1");

      stmt->bind(1, dn_encoding);

   } else {

      stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix +

                                       "certificates WHERE\

                                        subject_dn == ?1 AND (key_id IS NULL OR key_id == ?2) LIMIT 1");

      stmt->bind(1, dn_encoding);

      stmt->bind(2, key_id);

   }


   while(stmt->step()) {

      auto blob = stmt->get_blob(0);

      return X509_Certificate(blob.first, blob.second);

   }


   return std::optional<X509_Certificate>();

}


std::vector<X509_Certificate> Certificate_Store_In_SQL::find_all_certs(const X509_DN& subject_dn,

                                                                       const std::vector<uint8_t>& key_id) const {

   std::vector<X509_Certificate> certs;


   std::shared_ptr<SQL_Database::Statement> stmt;


   const std::vector<uint8_t> dn_encoding = subject_dn.BER_encode();


   if(key_id.empty()) {

      stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE subject_dn == ?1");

      stmt->bind(1, dn_encoding);

   } else {

      stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix +

                                       "certificates WHERE\

                                        subject_dn == ?1 AND (key_id IS NULL OR key_id == ?2)");

      stmt->bind(1, dn_encoding);

      stmt->bind(2, key_id);

   }


   while(stmt->step()) {

      auto blob = stmt->get_blob(0);

      certs.push_back(X509_Certificate(blob.first, blob.second));

   }


   return certs;

}


std::optional<X509_Certificate> Certificate_Store_In_SQL::find_cert_by_pubkey_sha1(

   const std::vector<uint8_t>& /*key_hash*/) const {

   throw Not_Implemented("Certificate_Store_In_SQL::find_cert_by_pubkey_sha1");

}


std::optional<X509_Certificate> Certificate_Store_In_SQL::find_cert_by_raw_subject_dn_sha256(

   const std::vector<uint8_t>& /*subject_hash*/) const {

   throw Not_Implemented("Certificate_Store_In_SQL::find_cert_by_raw_subject_dn_sha256");

}


std::optional<X509_Certificate> Certificate_Store_In_SQL::find_cert_by_issuer_dn_and_serial_number(

   const X509_DN& /*issuer_dn*/, std::span<const uint8_t> /*serial_number*/) const {

   throw Not_Implemented("Certificate_Store_In_SQL::find_cert_by_issuer_dn_and_serial_number");

}


std::optional<X509_CRL> Certificate_Store_In_SQL::find_crl_for(const X509_Certificate& subject) const {

   const auto all_crls = generate_crls();


   for(const auto& crl : all_crls) {

      if(!crl.get_revoked().empty() && crl.issuer_dn() == subject.issuer_dn()) {

         return crl;

      }

   }


   return std::optional<X509_CRL>();

}


std::vector<X509_DN> Certificate_Store_In_SQL::all_subjects() const {

   std::vector<X509_DN> ret;

   auto stmt = m_database->new_statement("SELECT subject_dn FROM " + m_prefix + "certificates");


   while(stmt->step()) {

      auto blob = stmt->get_blob(0);

      BER_Decoder dec(std::span<const uint8_t>{blob.first, blob.second}, BER_Decoder::Limits::DER());

      X509_DN dn;


      dn.decode_from(dec);


      ret.push_back(dn);

   }


   return ret;

}


bool Certificate_Store_In_SQL::insert_cert(const X509_Certificate& cert) {

   const std::vector<uint8_t> dn_encoding = cert.subject_dn().BER_encode();

   const std::vector<uint8_t> cert_encoding = cert.BER_encode();


   auto stmt = m_database->new_statement("INSERT OR REPLACE INTO " + m_prefix +

                                         "certificates (\

                                         fingerprint,          \

                                         subject_dn,           \

                                         key_id,               \

                                         priv_fingerprint,     \

                                         certificate           \

                                     ) VALUES ( ?1, ?2, ?3, ?4, ?5 )");


   stmt->bind(1, cert.fingerprint("SHA-256"));

   stmt->bind(2, dn_encoding);

   stmt->bind(3, cert.subject_key_id());

   stmt->bind(4, std::vector<uint8_t>());

   stmt->bind(5, cert_encoding);

   stmt->spin();


   return true;

}


bool Certificate_Store_In_SQL::contains(const X509_Certificate& cert) const {

   auto stmt = m_database->new_statement("SELECT 1 FROM " + m_prefix + "certificates WHERE fingerprint == ?1");

   stmt->bind(1, cert.fingerprint("SHA-256"));

   return stmt->step();

}


bool Certificate_Store_In_SQL::remove_cert(const X509_Certificate& cert) {

   if(!find_cert(cert.subject_dn(), cert.subject_key_id())) {

      return false;

   }


   auto stmt = m_database->new_statement("DELETE FROM " + m_prefix + "certificates WHERE fingerprint == ?1");


   stmt->bind(1, cert.fingerprint("SHA-256"));

   stmt->spin();


   return true;

}


// Private key handling


std::shared_ptr<const Private_Key> Certificate_Store_In_SQL::find_key(const X509_Certificate& cert) const {

   auto stmt = m_database->new_statement("SELECT key FROM " + m_prefix +

                                         "keys "

                                         "JOIN " +

                                         m_prefix + "certificates ON " + m_prefix + "keys.fingerprint == " + m_prefix +

                                         "certificates.priv_fingerprint "

                                         "WHERE " +

                                         m_prefix + "certificates.fingerprint == ?1");

   stmt->bind(1, cert.fingerprint("SHA-256"));


   std::shared_ptr<const Private_Key> key;

   while(stmt->step()) {

      auto blob = stmt->get_blob(0);

      DataSource_Memory src(blob.first, blob.second);

      key = PKCS8::load_key(src, m_password);

   }


   return key;

}


std::vector<X509_Certificate> Certificate_Store_In_SQL::find_certs_for_key(const Private_Key& key) const {

   auto fprint = key.fingerprint_private("SHA-256");

   auto stmt =

      m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE priv_fingerprint == ?1");


   stmt->bind(1, fprint);


   std::vector<X509_Certificate> certs;

   while(stmt->step()) {

      auto blob = stmt->get_blob(0);

      certs.push_back(X509_Certificate(blob.first, blob.second));

   }


   return certs;

}


bool Certificate_Store_In_SQL::insert_key(const X509_Certificate& cert, const Private_Key& key) {

   insert_cert(cert);


   if(find_key(cert)) {

      return false;

   }


   auto pkcs8 = PKCS8::BER_encode(key, m_rng, m_password);

   auto fprint = key.fingerprint_private("SHA-256");


   auto stmt1 =

      m_database->new_statement("INSERT OR REPLACE INTO " + m_prefix + "keys ( fingerprint, key ) VALUES ( ?1, ?2 )");


   stmt1->bind(1, fprint);

   stmt1->bind(2, pkcs8.data(), pkcs8.size());

   stmt1->spin();


   auto stmt2 = m_database->new_statement("UPDATE " + m_prefix +

                                          "certificates SET priv_fingerprint = ?1 WHERE fingerprint == ?2");


   stmt2->bind(1, fprint);

   stmt2->bind(2, cert.fingerprint("SHA-256"));

   stmt2->spin();


   return true;

}


void Certificate_Store_In_SQL::remove_key(const Private_Key& key) {

   auto fprint = key.fingerprint_private("SHA-256");

   auto stmt = m_database->new_statement("DELETE FROM " + m_prefix + "keys WHERE fingerprint == ?1");


   stmt->bind(1, fprint);

   stmt->spin();

}


// Revocation


void Certificate_Store_In_SQL::revoke_cert(const X509_Certificate& cert, CRL_Code code, const X509_Time& time) {

   // TODO(Botan4) require that time be valid

   insert_cert(cert);


   auto stmt1 = m_database->new_statement("INSERT OR REPLACE INTO " + m_prefix +

                                          "revoked ( fingerprint, reason, time ) VALUES ( ?1, ?2, ?3 )");


   stmt1->bind(1, cert.fingerprint("SHA-256"));

   stmt1->bind(2, static_cast<uint32_t>(code));


   if(time.time_is_set()) {

      stmt1->bind(3, time.BER_encode());

   } else {

      stmt1->bind(3, static_cast<size_t>(-1));

   }


   stmt1->spin();

}


// Revocation


void Certificate_Store_In_SQL::revoke_cert(const X509_Certificate& cert, CRL_Code code) {

   insert_cert(cert);


   auto stmt1 = m_database->new_statement("INSERT OR REPLACE INTO " + m_prefix +

                                          "revoked ( fingerprint, reason, time ) VALUES ( ?1, ?2, ?3 )");


   stmt1->bind(1, cert.fingerprint("SHA-256"));

   stmt1->bind(2, static_cast<uint32_t>(code));

   stmt1->bind(3, static_cast<size_t>(-1));


   stmt1->spin();

}


void Certificate_Store_In_SQL::affirm_cert(const X509_Certificate& cert) {

   auto stmt = m_database->new_statement("DELETE FROM " + m_prefix + "revoked WHERE fingerprint == ?1");


   stmt->bind(1, cert.fingerprint("SHA-256"));

   stmt->spin();

}


std::vector<X509_CRL> Certificate_Store_In_SQL::generate_crls() const {

   auto stmt = m_database->new_statement("SELECT certificate,reason,time FROM " + m_prefix +

                                         "revoked "

                                         "JOIN " +

                                         m_prefix + "certificates ON " + m_prefix +

                                         "certificates.fingerprint == " + m_prefix + "revoked.fingerprint");


   std::map<X509_DN, std::vector<CRL_Entry>> crls;

   while(stmt->step()) {

      auto blob = stmt->get_blob(0);

      auto cert = X509_Certificate(std::vector<uint8_t>(blob.first, blob.first + blob.second));

      auto code = static_cast<CRL_Code>(stmt->get_size_t(1));

      auto ent = CRL_Entry(cert, code);


      auto i = crls.find(cert.issuer_dn());

      if(i == crls.end()) {

         crls.insert(std::make_pair(cert.issuer_dn(), std::vector<CRL_Entry>({ent})));

      } else {

         i->second.push_back(ent);

      }

   }


   const X509_Time t(std::chrono::system_clock::now());


   std::vector<X509_CRL> ret;

   ret.reserve(crls.size());


   for(const auto& p : crls) {

      ret.push_back(X509_CRL(p.first, t, t, p.second));

   }


   return ret;

}


}  // namespace Botan

Botan::ASN1_Object::BER_encode
std::vector< uint8_t > BER_encode() const
Definition asn1_obj.cpp:20

Botan::ASN1_Time::time_is_set
bool time_is_set() const
Return if the time has been set somehow.
Definition asn1_time.cpp:123

Botan::BER_Decoder::Limits::DER
static Limits DER()
Definition ber_dec.h:35

Botan::BER_Decoder
Definition ber_dec.h:25

Botan::CRL_Entry
Definition x509_crl.h:29

Botan::Certificate_Store_In_SQL::find_cert_by_issuer_dn_and_serial_number
std::optional< X509_Certificate > find_cert_by_issuer_dn_and_serial_number(const X509_DN &issuer_dn, std::span< const uint8_t > serial_number) const override
Definition certstor_sql.cpp:111

Botan::Certificate_Store_In_SQL::all_subjects
std::vector< X509_DN > all_subjects() const override
Definition certstor_sql.cpp:128

Botan::Certificate_Store_In_SQL::insert_cert
bool insert_cert(const X509_Certificate &cert)
Definition certstor_sql.cpp:145

Botan::Certificate_Store_In_SQL::find_all_certs
std::vector< X509_Certificate > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
Definition certstor_sql.cpp:74

Botan::Certificate_Store_In_SQL::find_cert_by_raw_subject_dn_sha256
std::optional< X509_Certificate > find_cert_by_raw_subject_dn_sha256(const std::vector< uint8_t > &subject_hash) const override
Definition certstor_sql.cpp:106

Botan::Certificate_Store_In_SQL::contains
bool contains(const X509_Certificate &cert) const override
Definition certstor_sql.cpp:168

Botan::Certificate_Store_In_SQL::revoke_cert
void revoke_cert(const X509_Certificate &cert, CRL_Code reason, const X509_Time &time)
Marks "cert" as revoked starting from "time".
Definition certstor_sql.cpp:260

Botan::Certificate_Store_In_SQL::find_crl_for
std::optional< X509_CRL > find_crl_for(const X509_Certificate &issuer) const override
Definition certstor_sql.cpp:116

Botan::Certificate_Store_In_SQL::Certificate_Store_In_SQL
Certificate_Store_In_SQL(std::shared_ptr< SQL_Database > db, std::string_view passwd, RandomNumberGenerator &rng, std::string_view table_prefix="")
Definition certstor_sql.cpp:21

Botan::Certificate_Store_In_SQL::find_certs_for_key
std::vector< X509_Certificate > find_certs_for_key(const Private_Key &key) const
Returns all certificates for private key "key".
Definition certstor_sql.cpp:208

Botan::Certificate_Store_In_SQL::affirm_cert
void affirm_cert(const X509_Certificate &cert)
Reverses the revocation for "cert".
Definition certstor_sql.cpp:293

Botan::Certificate_Store_In_SQL::remove_cert
bool remove_cert(const X509_Certificate &cert)
Definition certstor_sql.cpp:174

Botan::Certificate_Store_In_SQL::find_key
std::shared_ptr< const Private_Key > find_key(const X509_Certificate &cert) const
Returns the private key for "cert" or an empty shared_ptr if none was found.
Definition certstor_sql.cpp:188

Botan::Certificate_Store_In_SQL::find_cert
std::optional< X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
Definition certstor_sql.cpp:48

Botan::Certificate_Store_In_SQL::remove_key
void remove_key(const Private_Key &key)
Removes "key" from the store.
Definition certstor_sql.cpp:251

Botan::Certificate_Store_In_SQL::insert_key
bool insert_key(const X509_Certificate &cert, const Private_Key &key)
Definition certstor_sql.cpp:224

Botan::Certificate_Store_In_SQL::find_cert_by_pubkey_sha1
std::optional< X509_Certificate > find_cert_by_pubkey_sha1(const std::vector< uint8_t > &key_hash) const override
Definition certstor_sql.cpp:101

Botan::Certificate_Store_In_SQL::generate_crls
std::vector< X509_CRL > generate_crls() const
Definition certstor_sql.cpp:300

Botan::DataSource_Memory
Definition data_src.h:111

Botan::Not_Implemented
Definition exceptn.h:335

Botan::Private_Key
Definition pk_keys.h:301

Botan::Private_Key::fingerprint_private
std::string fingerprint_private(std::string_view alg) const
Definition pk_keys.cpp:101

Botan::RandomNumberGenerator
Definition rng.h:39

Botan::X509_CRL
Definition x509_crl.h:90

Botan::X509_Certificate
Definition x509cert.h:32

Botan::X509_Certificate::fingerprint
std::string fingerprint(std::string_view hash_name="SHA-1") const
Definition x509cert.cpp:685

Botan::X509_Certificate::subject_dn
const X509_DN & subject_dn() const
Definition x509cert.cpp:418

Botan::X509_Certificate::subject_key_id
const std::vector< uint8_t > & subject_key_id() const
Definition x509cert.cpp:402

Botan::X509_Certificate::issuer_dn
const X509_DN & issuer_dn() const
Definition x509cert.cpp:414

Botan::X509_DN
Definition pkix_types.h:43

Botan::X509_DN::decode_from
void decode_from(BER_Decoder &from) override
Definition x509_dn.cpp:338

Botan::PKCS8::BER_encode
std::vector< uint8_t > BER_encode(const Private_Key &key, RandomNumberGenerator &rng, std::string_view pass, std::chrono::milliseconds msec, std::string_view pbe_algo)
Definition pkcs8.cpp:166

Botan::PKCS8::load_key
std::unique_ptr< Private_Key > load_key(DataSource &source, const std::function< std::string()> &get_pass)
Definition pkcs8.cpp:319

Botan
Definition alg_id.cpp:13

Botan::X509_Time
ASN1_Time X509_Time
Definition asn1_obj.h:23

Botan::CRL_Code
CRL_Code
Definition pkix_enums.h:204