9#include <botan/certstor_sql.h>
10#include <botan/pk_keys.h>
11#include <botan/ber_dec.h>
12#include <botan/pkcs8.h>
13#include <botan/data_src.h>
14#include <botan/pkix_types.h>
19 const std::string& passwd,
21 const std::string& table_prefix) :
23 m_database(
std::move(db)),
24 m_prefix(table_prefix),
27 m_database->create_table(
"CREATE TABLE IF NOT EXISTS " +
28 m_prefix +
"certificates ( \
29 fingerprint BLOB PRIMARY KEY, \
32 priv_fingerprint BLOB, \
33 certificate BLOB UNIQUE NOT NULL\
35 m_database->create_table(
"CREATE TABLE IF NOT EXISTS " + m_prefix +
"keys (\
36 fingerprint BLOB PRIMARY KEY, \
37 key BLOB UNIQUE NOT NULL \
39 m_database->create_table(
"CREATE TABLE IF NOT EXISTS " + m_prefix +
"revoked (\
40 fingerprint BLOB PRIMARY KEY, \
41 reason BLOB NOT NULL, \
47std::optional<X509_Certificate>
50 std::shared_ptr<SQL_Database::Statement> stmt;
52 const std::vector<uint8_t> dn_encoding = subject_dn.
BER_encode();
56 stmt = m_database->new_statement(
"SELECT certificate FROM " + m_prefix +
"certificates WHERE subject_dn == ?1 LIMIT 1");
57 stmt->bind(1, dn_encoding);
61 stmt = m_database->new_statement(
"SELECT certificate FROM " + m_prefix +
"certificates WHERE\
62 subject_dn == ?1 AND (key_id == NULL OR key_id == ?2) LIMIT 1");
63 stmt->bind(1, dn_encoding);
69 auto blob = stmt->get_blob(0);
73 return std::optional<X509_Certificate>();
76std::vector<X509_Certificate>
79 std::vector<X509_Certificate> certs;
81 std::shared_ptr<SQL_Database::Statement> stmt;
83 const std::vector<uint8_t> dn_encoding = subject_dn.
BER_encode();
87 stmt = m_database->new_statement(
"SELECT certificate FROM " + m_prefix +
"certificates WHERE subject_dn == ?1");
88 stmt->bind(1, dn_encoding);
92 stmt = m_database->new_statement(
"SELECT certificate FROM " + m_prefix +
"certificates WHERE\
93 subject_dn == ?1 AND (key_id == NULL OR key_id == ?2)");
94 stmt->bind(1, dn_encoding);
95 stmt->bind(2, key_id);
98 std::optional<X509_Certificate> cert;
101 auto blob = stmt->get_blob(0);
108std::optional<X509_Certificate>
111 throw Not_Implemented(
"Certificate_Store_In_SQL::find_cert_by_pubkey_sha1");
114std::optional<X509_Certificate>
117 throw Not_Implemented(
"Certificate_Store_In_SQL::find_cert_by_raw_subject_dn_sha256");
120std::optional<X509_CRL>
125 for(
auto crl: all_crls)
127 if(!crl.get_revoked().empty() && crl.issuer_dn() == subject.
issuer_dn())
131 return std::optional<X509_CRL>();
136 std::vector<X509_DN> ret;
137 auto stmt = m_database->new_statement(
"SELECT subject_dn FROM " + m_prefix +
"certificates");
141 auto blob = stmt->get_blob(0);
156 const std::vector<uint8_t> cert_encoding = cert.
BER_encode();
158 auto stmt = m_database->new_statement(
"INSERT OR REPLACE INTO " +
159 m_prefix +
"certificates (\
165 ) VALUES ( ?1, ?2, ?3, ?4, ?5 )");
168 stmt->bind(2,dn_encoding);
170 stmt->bind(4,std::vector<uint8_t>());
171 stmt->bind(5,cert_encoding);
183 auto stmt = m_database->new_statement(
"DELETE FROM " + m_prefix +
"certificates WHERE fingerprint == ?1");
194 auto stmt = m_database->new_statement(
"SELECT key FROM " + m_prefix +
"keys "
195 "JOIN " + m_prefix +
"certificates ON " +
196 m_prefix +
"keys.fingerprint == " + m_prefix +
"certificates.priv_fingerprint "
197 "WHERE " + m_prefix +
"certificates.fingerprint == ?1");
200 std::shared_ptr<const Private_Key> key;
203 auto blob = stmt->get_blob(0);
211std::vector<X509_Certificate>
215 auto stmt = m_database->new_statement(
"SELECT certificate FROM " + m_prefix +
"certificates WHERE priv_fingerprint == ?1");
219 std::vector<X509_Certificate> certs;
222 auto blob = stmt->get_blob(0);
238 auto stmt1 = m_database->new_statement(
239 "INSERT OR REPLACE INTO " + m_prefix +
"keys ( fingerprint, key ) VALUES ( ?1, ?2 )");
242 stmt1->bind(2,pkcs8.data(),pkcs8.size());
245 auto stmt2 = m_database->new_statement(
246 "UPDATE " + m_prefix +
"certificates SET priv_fingerprint = ?1 WHERE fingerprint == ?2");
258 auto stmt = m_database->new_statement(
"DELETE FROM " + m_prefix +
"keys WHERE fingerprint == ?1");
269 auto stmt1 = m_database->new_statement(
270 "INSERT OR REPLACE INTO " + m_prefix +
"revoked ( fingerprint, reason, time ) VALUES ( ?1, ?2, ?3 )");
273 stmt1->bind(2,
static_cast<uint32_t
>(code));
281 stmt1->bind(3,
static_cast<size_t>(-1));
289 auto stmt = m_database->new_statement(
"DELETE FROM " + m_prefix +
"revoked WHERE fingerprint == ?1");
297 auto stmt = m_database->new_statement(
298 "SELECT certificate,reason,time FROM " + m_prefix +
"revoked "
299 "JOIN " + m_prefix +
"certificates ON " +
300 m_prefix +
"certificates.fingerprint == " + m_prefix +
"revoked.fingerprint");
302 std::map<X509_DN,std::vector<CRL_Entry>> crls;
305 auto blob = stmt->get_blob(0);
307 std::vector<uint8_t>(blob.first,blob.first + blob.second));
308 auto code =
static_cast<CRL_Code>(stmt->get_size_t(1));
311 auto i = crls.find(cert.issuer_dn());
314 crls.insert(std::make_pair(cert.issuer_dn(),std::vector<CRL_Entry>({ent})));
318 i->second.push_back(ent);
322 X509_Time t(std::chrono::system_clock::now());
324 std::vector<X509_CRL> ret;
325 ret.reserve(crls.size());
327 for(
const auto& p: crls)
329 ret.push_back(
X509_CRL(p.first, t, t, p.second));
std::vector< uint8_t > BER_encode() const
bool time_is_set() const
Return if the time has been set somehow.
Certificate_Store_In_SQL(const std::shared_ptr< SQL_Database > db, const std::string &passwd, RandomNumberGenerator &rng, const std::string &table_prefix="")
void affirm_cert(const X509_Certificate &)
Reverses the revokation for "cert".
std::vector< X509_DN > all_subjects() const override
std::shared_ptr< const Private_Key > find_key(const X509_Certificate &) const
Returns the private key for "cert" or an empty shared_ptr if none was found.
bool insert_cert(const X509_Certificate &cert)
std::vector< X509_Certificate > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
std::optional< X509_Certificate > find_cert_by_raw_subject_dn_sha256(const std::vector< uint8_t > &subject_hash) const override
void revoke_cert(const X509_Certificate &, CRL_Code, const X509_Time &time=X509_Time())
Marks "cert" as revoked starting from "time".
std::optional< X509_CRL > find_crl_for(const X509_Certificate &issuer) const override
std::vector< X509_Certificate > find_certs_for_key(const Private_Key &key) const
Returns all certificates for private key "key".
bool remove_cert(const X509_Certificate &cert)
std::optional< X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
void remove_key(const Private_Key &key)
Removes "key" from the store.
bool insert_key(const X509_Certificate &cert, const Private_Key &key)
std::optional< X509_Certificate > find_cert_by_pubkey_sha1(const std::vector< uint8_t > &key_hash) const override
std::vector< X509_CRL > generate_crls() const
std::string fingerprint_private(const std::string &alg) const
const X509_DN & subject_dn() const
const std::vector< uint8_t > & subject_key_id() const
const X509_DN & issuer_dn() const
std::string fingerprint(const std::string &hash_name="SHA-1") const
void decode_from(BER_Decoder &) override
std::vector< uint8_t > BER_encode(const Private_Key &key, RandomNumberGenerator &rng, const std::string &pass, std::chrono::milliseconds msec, const std::string &pbe_algo)
std::unique_ptr< Private_Key > load_key(DataSource &source, const std::function< std::string()> &get_pass)