Botan 3.5.0
Crypto and TLS for C&
certstor_sql.cpp
Go to the documentation of this file.
1/*
2* Certificate Store in SQL
3* (C) 2016 Kai Michaelis, Rohde & Schwarz Cybersecurity
4* (C) 2018 Jack Lloyd
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/certstor_sql.h>
10
11#include <botan/ber_dec.h>
12#include <botan/data_src.h>
13#include <botan/pk_keys.h>
14#include <botan/pkcs8.h>
15#include <botan/pkix_types.h>
16
17namespace Botan {
18
20 std::string_view passwd,
22 std::string_view table_prefix) :
23 m_rng(rng), m_database(std::move(db)), m_prefix(table_prefix), m_password(passwd) {
24 m_database->create_table("CREATE TABLE IF NOT EXISTS " + m_prefix +
25 "certificates ( \
26 fingerprint BLOB PRIMARY KEY, \
27 subject_dn BLOB, \
28 key_id BLOB, \
29 priv_fingerprint BLOB, \
30 certificate BLOB UNIQUE NOT NULL\
31 )");
32 m_database->create_table("CREATE TABLE IF NOT EXISTS " + m_prefix +
33 "keys (\
34 fingerprint BLOB PRIMARY KEY, \
35 key BLOB UNIQUE NOT NULL \
36 )");
37 m_database->create_table("CREATE TABLE IF NOT EXISTS " + m_prefix +
38 "revoked (\
39 fingerprint BLOB PRIMARY KEY, \
40 reason BLOB NOT NULL, \
41 time BLOB NOT NULL \
42 )");
43}
44
45// Certificate handling
46std::optional<X509_Certificate> Certificate_Store_In_SQL::find_cert(const X509_DN& subject_dn,
47 const std::vector<uint8_t>& key_id) const {
48 std::shared_ptr<SQL_Database::Statement> stmt;
49
50 const std::vector<uint8_t> dn_encoding = subject_dn.BER_encode();
51
52 if(key_id.empty()) {
53 stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix +
54 "certificates WHERE subject_dn == ?1 LIMIT 1");
55 stmt->bind(1, dn_encoding);
56 } else {
57 stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix +
58 "certificates WHERE\
59 subject_dn == ?1 AND (key_id == NULL OR key_id == ?2) LIMIT 1");
60 stmt->bind(1, dn_encoding);
61 stmt->bind(2, key_id);
62 }
63
64 while(stmt->step()) {
65 auto blob = stmt->get_blob(0);
66 return X509_Certificate(blob.first, blob.second);
67 }
68
69 return std::optional<X509_Certificate>();
70}
71
72std::vector<X509_Certificate> Certificate_Store_In_SQL::find_all_certs(const X509_DN& subject_dn,
73 const std::vector<uint8_t>& key_id) const {
74 std::vector<X509_Certificate> certs;
75
76 std::shared_ptr<SQL_Database::Statement> stmt;
77
78 const std::vector<uint8_t> dn_encoding = subject_dn.BER_encode();
79
80 if(key_id.empty()) {
81 stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE subject_dn == ?1");
82 stmt->bind(1, dn_encoding);
83 } else {
84 stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix +
85 "certificates WHERE\
86 subject_dn == ?1 AND (key_id == NULL OR key_id == ?2)");
87 stmt->bind(1, dn_encoding);
88 stmt->bind(2, key_id);
89 }
90
91 std::optional<X509_Certificate> cert;
92 while(stmt->step()) {
93 auto blob = stmt->get_blob(0);
94 certs.push_back(X509_Certificate(blob.first, blob.second));
95 }
96
97 return certs;
98}
99
101 const std::vector<uint8_t>& /*key_hash*/) const {
102 throw Not_Implemented("Certificate_Store_In_SQL::find_cert_by_pubkey_sha1");
103}
104
106 const std::vector<uint8_t>& /*subject_hash*/) const {
107 throw Not_Implemented("Certificate_Store_In_SQL::find_cert_by_raw_subject_dn_sha256");
108}
109
110std::optional<X509_CRL> Certificate_Store_In_SQL::find_crl_for(const X509_Certificate& subject) const {
111 auto all_crls = generate_crls();
112
113 for(auto crl : all_crls) {
114 if(!crl.get_revoked().empty() && crl.issuer_dn() == subject.issuer_dn()) {
115 return crl;
116 }
117 }
118
119 return std::optional<X509_CRL>();
120}
121
122std::vector<X509_DN> Certificate_Store_In_SQL::all_subjects() const {
123 std::vector<X509_DN> ret;
124 auto stmt = m_database->new_statement("SELECT subject_dn FROM " + m_prefix + "certificates");
125
126 while(stmt->step()) {
127 auto blob = stmt->get_blob(0);
128 BER_Decoder dec(blob.first, blob.second);
129 X509_DN dn;
130
131 dn.decode_from(dec);
132
133 ret.push_back(dn);
134 }
135
136 return ret;
137}
138
140 const std::vector<uint8_t> dn_encoding = cert.subject_dn().BER_encode();
141 const std::vector<uint8_t> cert_encoding = cert.BER_encode();
142
143 auto stmt = m_database->new_statement("INSERT OR REPLACE INTO " + m_prefix +
144 "certificates (\
145 fingerprint, \
146 subject_dn, \
147 key_id, \
148 priv_fingerprint, \
149 certificate \
150 ) VALUES ( ?1, ?2, ?3, ?4, ?5 )");
151
152 stmt->bind(1, cert.fingerprint("SHA-256"));
153 stmt->bind(2, dn_encoding);
154 stmt->bind(3, cert.subject_key_id());
155 stmt->bind(4, std::vector<uint8_t>());
156 stmt->bind(5, cert_encoding);
157 stmt->spin();
158
159 return true;
160}
161
163 if(!find_cert(cert.subject_dn(), cert.subject_key_id())) {
164 return false;
165 }
166
167 auto stmt = m_database->new_statement("DELETE FROM " + m_prefix + "certificates WHERE fingerprint == ?1");
168
169 stmt->bind(1, cert.fingerprint("SHA-256"));
170 stmt->spin();
171
172 return true;
173}
174
175// Private key handling
176std::shared_ptr<const Private_Key> Certificate_Store_In_SQL::find_key(const X509_Certificate& cert) const {
177 auto stmt = m_database->new_statement("SELECT key FROM " + m_prefix +
178 "keys "
179 "JOIN " +
180 m_prefix + "certificates ON " + m_prefix + "keys.fingerprint == " + m_prefix +
181 "certificates.priv_fingerprint "
182 "WHERE " +
183 m_prefix + "certificates.fingerprint == ?1");
184 stmt->bind(1, cert.fingerprint("SHA-256"));
185
186 std::shared_ptr<const Private_Key> key;
187 while(stmt->step()) {
188 auto blob = stmt->get_blob(0);
189 DataSource_Memory src(blob.first, blob.second);
190 key = PKCS8::load_key(src, m_password);
191 }
192
193 return key;
194}
195
196std::vector<X509_Certificate> Certificate_Store_In_SQL::find_certs_for_key(const Private_Key& key) const {
197 auto fpr = key.fingerprint_private("SHA-256");
198 auto stmt =
199 m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE priv_fingerprint == ?1");
200
201 stmt->bind(1, fpr);
202
203 std::vector<X509_Certificate> certs;
204 while(stmt->step()) {
205 auto blob = stmt->get_blob(0);
206 certs.push_back(X509_Certificate(blob.first, blob.second));
207 }
208
209 return certs;
210}
211
213 insert_cert(cert);
214
215 if(find_key(cert)) {
216 return false;
217 }
218
219 auto pkcs8 = PKCS8::BER_encode(key, m_rng, m_password);
220 auto fpr = key.fingerprint_private("SHA-256");
221
222 auto stmt1 =
223 m_database->new_statement("INSERT OR REPLACE INTO " + m_prefix + "keys ( fingerprint, key ) VALUES ( ?1, ?2 )");
224
225 stmt1->bind(1, fpr);
226 stmt1->bind(2, pkcs8.data(), pkcs8.size());
227 stmt1->spin();
228
229 auto stmt2 = m_database->new_statement("UPDATE " + m_prefix +
230 "certificates SET priv_fingerprint = ?1 WHERE fingerprint == ?2");
231
232 stmt2->bind(1, fpr);
233 stmt2->bind(2, cert.fingerprint("SHA-256"));
234 stmt2->spin();
235
236 return true;
237}
238
240 auto fpr = key.fingerprint_private("SHA-256");
241 auto stmt = m_database->new_statement("DELETE FROM " + m_prefix + "keys WHERE fingerprint == ?1");
242
243 stmt->bind(1, fpr);
244 stmt->spin();
245}
246
247// Revocation
249 insert_cert(cert);
250
251 auto stmt1 = m_database->new_statement("INSERT OR REPLACE INTO " + m_prefix +
252 "revoked ( fingerprint, reason, time ) VALUES ( ?1, ?2, ?3 )");
253
254 stmt1->bind(1, cert.fingerprint("SHA-256"));
255 stmt1->bind(2, static_cast<uint32_t>(code));
256
257 if(time.time_is_set()) {
258 stmt1->bind(3, time.BER_encode());
259 } else {
260 stmt1->bind(3, static_cast<size_t>(-1));
261 }
262
263 stmt1->spin();
264}
265
267 auto stmt = m_database->new_statement("DELETE FROM " + m_prefix + "revoked WHERE fingerprint == ?1");
268
269 stmt->bind(1, cert.fingerprint("SHA-256"));
270 stmt->spin();
271}
272
273std::vector<X509_CRL> Certificate_Store_In_SQL::generate_crls() const {
274 auto stmt = m_database->new_statement("SELECT certificate,reason,time FROM " + m_prefix +
275 "revoked "
276 "JOIN " +
277 m_prefix + "certificates ON " + m_prefix +
278 "certificates.fingerprint == " + m_prefix + "revoked.fingerprint");
279
280 std::map<X509_DN, std::vector<CRL_Entry>> crls;
281 while(stmt->step()) {
282 auto blob = stmt->get_blob(0);
283 auto cert = X509_Certificate(std::vector<uint8_t>(blob.first, blob.first + blob.second));
284 auto code = static_cast<CRL_Code>(stmt->get_size_t(1));
285 auto ent = CRL_Entry(cert, code);
286
287 auto i = crls.find(cert.issuer_dn());
288 if(i == crls.end()) {
289 crls.insert(std::make_pair(cert.issuer_dn(), std::vector<CRL_Entry>({ent})));
290 } else {
291 i->second.push_back(ent);
292 }
293 }
294
295 X509_Time t(std::chrono::system_clock::now());
296
297 std::vector<X509_CRL> ret;
298 ret.reserve(crls.size());
299
300 for(const auto& p : crls) {
301 ret.push_back(X509_CRL(p.first, t, t, p.second));
302 }
303
304 return ret;
305}
306
307} // namespace Botan
std::vector< uint8_t > BER_encode() const
Definition asn1_obj.cpp:19
bool time_is_set() const
Return if the time has been set somehow.
Definition x509_crl.h:28
void affirm_cert(const X509_Certificate &)
Reverses the revokation for "cert".
std::vector< X509_DN > all_subjects() const override
std::shared_ptr< const Private_Key > find_key(const X509_Certificate &) const
Returns the private key for "cert" or an empty shared_ptr if none was found.
bool insert_cert(const X509_Certificate &cert)
std::vector< X509_Certificate > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
std::optional< X509_Certificate > find_cert_by_raw_subject_dn_sha256(const std::vector< uint8_t > &subject_hash) const override
void revoke_cert(const X509_Certificate &, CRL_Code, const X509_Time &time=X509_Time())
Marks "cert" as revoked starting from "time".
std::optional< X509_CRL > find_crl_for(const X509_Certificate &issuer) const override
Certificate_Store_In_SQL(std::shared_ptr< SQL_Database > db, std::string_view passwd, RandomNumberGenerator &rng, std::string_view table_prefix="")
std::vector< X509_Certificate > find_certs_for_key(const Private_Key &key) const
Returns all certificates for private key "key".
bool remove_cert(const X509_Certificate &cert)
std::optional< X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
void remove_key(const Private_Key &key)
Removes "key" from the store.
bool insert_key(const X509_Certificate &cert, const Private_Key &key)
std::optional< X509_Certificate > find_cert_by_pubkey_sha1(const std::vector< uint8_t > &key_hash) const override
std::vector< X509_CRL > generate_crls() const
std::string fingerprint_private(std::string_view alg) const
Definition pk_keys.cpp:86
std::string fingerprint(std::string_view hash_name="SHA-1") const
Definition x509cert.cpp:615
const X509_DN & subject_dn() const
Definition x509cert.cpp:395
const std::vector< uint8_t > & subject_key_id() const
Definition x509cert.cpp:379
const X509_DN & issuer_dn() const
Definition x509cert.cpp:391
void decode_from(BER_Decoder &) override
Definition x509_dn.cpp:347
std::vector< uint8_t > BER_encode(const Private_Key &key, RandomNumberGenerator &rng, std::string_view pass, std::chrono::milliseconds msec, std::string_view pbe_algo)
Definition pkcs8.cpp:163
std::unique_ptr< Private_Key > load_key(DataSource &source, const std::function< std::string()> &get_pass)
Definition pkcs8.cpp:316