Botan 3.11.0
Crypto and TLS for C&
certstor_sql.cpp
Go to the documentation of this file.
1/*
2* Certificate Store in SQL
3* (C) 2016 Kai Michaelis, Rohde & Schwarz Cybersecurity
4* (C) 2018 Jack Lloyd
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/certstor_sql.h>
10
11#include <botan/asn1_obj.h>
12#include <botan/asn1_time.h>
13#include <botan/ber_dec.h>
14#include <botan/data_src.h>
15#include <botan/pk_keys.h>
16#include <botan/pkcs8.h>
17#include <botan/pkix_types.h>
18
19namespace Botan {
20
21Certificate_Store_In_SQL::Certificate_Store_In_SQL(std::shared_ptr<SQL_Database> db,
22 std::string_view passwd,
23 RandomNumberGenerator& rng,
24 std::string_view table_prefix) :
25 m_rng(rng), m_database(std::move(db)), m_prefix(table_prefix), m_password(passwd) {
26 m_database->create_table("CREATE TABLE IF NOT EXISTS " + m_prefix +
27 "certificates ( \
28 fingerprint BLOB PRIMARY KEY, \
29 subject_dn BLOB, \
30 key_id BLOB, \
31 priv_fingerprint BLOB, \
32 certificate BLOB UNIQUE NOT NULL\
33 )");
34 m_database->create_table("CREATE TABLE IF NOT EXISTS " + m_prefix +
35 "keys (\
36 fingerprint BLOB PRIMARY KEY, \
37 key BLOB UNIQUE NOT NULL \
38 )");
39 m_database->create_table("CREATE TABLE IF NOT EXISTS " + m_prefix +
40 "revoked (\
41 fingerprint BLOB PRIMARY KEY, \
42 reason BLOB NOT NULL, \
43 time BLOB NOT NULL \
44 )");
45}
46
47// Certificate handling
48std::optional<X509_Certificate> Certificate_Store_In_SQL::find_cert(const X509_DN& subject_dn,
49 const std::vector<uint8_t>& key_id) const {
50 std::shared_ptr<SQL_Database::Statement> stmt;
51
52 const std::vector<uint8_t> dn_encoding = subject_dn.BER_encode();
53
54 if(key_id.empty()) {
55 stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix +
56 "certificates WHERE subject_dn == ?1 LIMIT 1");
57 stmt->bind(1, dn_encoding);
58 } else {
59 stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix +
60 "certificates WHERE\
61 subject_dn == ?1 AND (key_id == NULL OR key_id == ?2) LIMIT 1");
62 stmt->bind(1, dn_encoding);
63 stmt->bind(2, key_id);
64 }
65
66 while(stmt->step()) {
67 auto blob = stmt->get_blob(0);
68 return X509_Certificate(blob.first, blob.second);
69 }
70
71 return std::optional<X509_Certificate>();
72}
73
74std::vector<X509_Certificate> Certificate_Store_In_SQL::find_all_certs(const X509_DN& subject_dn,
75 const std::vector<uint8_t>& key_id) const {
76 std::vector<X509_Certificate> certs;
77
78 std::shared_ptr<SQL_Database::Statement> stmt;
79
80 const std::vector<uint8_t> dn_encoding = subject_dn.BER_encode();
81
82 if(key_id.empty()) {
83 stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE subject_dn == ?1");
84 stmt->bind(1, dn_encoding);
85 } else {
86 stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix +
87 "certificates WHERE\
88 subject_dn == ?1 AND (key_id == NULL OR key_id == ?2)");
89 stmt->bind(1, dn_encoding);
90 stmt->bind(2, key_id);
91 }
92
93 while(stmt->step()) {
94 auto blob = stmt->get_blob(0);
95 certs.push_back(X509_Certificate(blob.first, blob.second));
96 }
97
98 return certs;
99}
100
101std::optional<X509_Certificate> Certificate_Store_In_SQL::find_cert_by_pubkey_sha1(
102 const std::vector<uint8_t>& /*key_hash*/) const {
103 throw Not_Implemented("Certificate_Store_In_SQL::find_cert_by_pubkey_sha1");
104}
105
106std::optional<X509_Certificate> Certificate_Store_In_SQL::find_cert_by_raw_subject_dn_sha256(
107 const std::vector<uint8_t>& /*subject_hash*/) const {
108 throw Not_Implemented("Certificate_Store_In_SQL::find_cert_by_raw_subject_dn_sha256");
109}
110
111std::optional<X509_Certificate> Certificate_Store_In_SQL::find_cert_by_issuer_dn_and_serial_number(
112 const X509_DN& /*issuer_dn*/, std::span<const uint8_t> /*serial_number*/) const {
113 throw Not_Implemented("Certificate_Store_In_SQL::find_cert_by_issuer_dn_and_serial_number");
114}
115
116std::optional<X509_CRL> Certificate_Store_In_SQL::find_crl_for(const X509_Certificate& subject) const {
117 const auto all_crls = generate_crls();
118
119 for(const auto& crl : all_crls) {
120 if(!crl.get_revoked().empty() && crl.issuer_dn() == subject.issuer_dn()) {
121 return crl;
122 }
123 }
124
125 return std::optional<X509_CRL>();
126}
127
128std::vector<X509_DN> Certificate_Store_In_SQL::all_subjects() const {
129 std::vector<X509_DN> ret;
130 auto stmt = m_database->new_statement("SELECT subject_dn FROM " + m_prefix + "certificates");
131
132 while(stmt->step()) {
133 auto blob = stmt->get_blob(0);
134 BER_Decoder dec(blob.first, blob.second);
135 X509_DN dn;
136
137 dn.decode_from(dec);
138
139 ret.push_back(dn);
140 }
141
142 return ret;
143}
144
145bool Certificate_Store_In_SQL::insert_cert(const X509_Certificate& cert) {
146 const std::vector<uint8_t> dn_encoding = cert.subject_dn().BER_encode();
147 const std::vector<uint8_t> cert_encoding = cert.BER_encode();
148
149 auto stmt = m_database->new_statement("INSERT OR REPLACE INTO " + m_prefix +
150 "certificates (\
151 fingerprint, \
152 subject_dn, \
153 key_id, \
154 priv_fingerprint, \
155 certificate \
156 ) VALUES ( ?1, ?2, ?3, ?4, ?5 )");
157
158 stmt->bind(1, cert.fingerprint("SHA-256"));
159 stmt->bind(2, dn_encoding);
160 stmt->bind(3, cert.subject_key_id());
161 stmt->bind(4, std::vector<uint8_t>());
162 stmt->bind(5, cert_encoding);
163 stmt->spin();
164
165 return true;
166}
167
168bool Certificate_Store_In_SQL::remove_cert(const X509_Certificate& cert) {
169 if(!find_cert(cert.subject_dn(), cert.subject_key_id())) {
170 return false;
171 }
172
173 auto stmt = m_database->new_statement("DELETE FROM " + m_prefix + "certificates WHERE fingerprint == ?1");
174
175 stmt->bind(1, cert.fingerprint("SHA-256"));
176 stmt->spin();
177
178 return true;
179}
180
181// Private key handling
182std::shared_ptr<const Private_Key> Certificate_Store_In_SQL::find_key(const X509_Certificate& cert) const {
183 auto stmt = m_database->new_statement("SELECT key FROM " + m_prefix +
184 "keys "
185 "JOIN " +
186 m_prefix + "certificates ON " + m_prefix + "keys.fingerprint == " + m_prefix +
187 "certificates.priv_fingerprint "
188 "WHERE " +
189 m_prefix + "certificates.fingerprint == ?1");
190 stmt->bind(1, cert.fingerprint("SHA-256"));
191
192 std::shared_ptr<const Private_Key> key;
193 while(stmt->step()) {
194 auto blob = stmt->get_blob(0);
195 DataSource_Memory src(blob.first, blob.second);
196 key = PKCS8::load_key(src, m_password);
197 }
198
199 return key;
200}
201
202std::vector<X509_Certificate> Certificate_Store_In_SQL::find_certs_for_key(const Private_Key& key) const {
203 auto fprint = key.fingerprint_private("SHA-256");
204 auto stmt =
205 m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE priv_fingerprint == ?1");
206
207 stmt->bind(1, fprint);
208
209 std::vector<X509_Certificate> certs;
210 while(stmt->step()) {
211 auto blob = stmt->get_blob(0);
212 certs.push_back(X509_Certificate(blob.first, blob.second));
213 }
214
215 return certs;
216}
217
218bool Certificate_Store_In_SQL::insert_key(const X509_Certificate& cert, const Private_Key& key) {
219 insert_cert(cert);
220
221 if(find_key(cert)) {
222 return false;
223 }
224
225 auto pkcs8 = PKCS8::BER_encode(key, m_rng, m_password);
226 auto fprint = key.fingerprint_private("SHA-256");
227
228 auto stmt1 =
229 m_database->new_statement("INSERT OR REPLACE INTO " + m_prefix + "keys ( fingerprint, key ) VALUES ( ?1, ?2 )");
230
231 stmt1->bind(1, fprint);
232 stmt1->bind(2, pkcs8.data(), pkcs8.size());
233 stmt1->spin();
234
235 auto stmt2 = m_database->new_statement("UPDATE " + m_prefix +
236 "certificates SET priv_fingerprint = ?1 WHERE fingerprint == ?2");
237
238 stmt2->bind(1, fprint);
239 stmt2->bind(2, cert.fingerprint("SHA-256"));
240 stmt2->spin();
241
242 return true;
243}
244
245void Certificate_Store_In_SQL::remove_key(const Private_Key& key) {
246 auto fprint = key.fingerprint_private("SHA-256");
247 auto stmt = m_database->new_statement("DELETE FROM " + m_prefix + "keys WHERE fingerprint == ?1");
248
249 stmt->bind(1, fprint);
250 stmt->spin();
251}
252
253// Revocation
254void Certificate_Store_In_SQL::revoke_cert(const X509_Certificate& cert, CRL_Code code, const X509_Time& time) {
255 // TODO(Botan4) require that time be valid
256 insert_cert(cert);
257
258 auto stmt1 = m_database->new_statement("INSERT OR REPLACE INTO " + m_prefix +
259 "revoked ( fingerprint, reason, time ) VALUES ( ?1, ?2, ?3 )");
260
261 stmt1->bind(1, cert.fingerprint("SHA-256"));
262 stmt1->bind(2, static_cast<uint32_t>(code));
263
264 if(time.time_is_set()) {
265 stmt1->bind(3, time.BER_encode());
266 } else {
267 stmt1->bind(3, static_cast<size_t>(-1));
268 }
269
270 stmt1->spin();
271}
272
273// Revocation
274void Certificate_Store_In_SQL::revoke_cert(const X509_Certificate& cert, CRL_Code code) {
275 insert_cert(cert);
276
277 auto stmt1 = m_database->new_statement("INSERT OR REPLACE INTO " + m_prefix +
278 "revoked ( fingerprint, reason, time ) VALUES ( ?1, ?2, ?3 )");
279
280 stmt1->bind(1, cert.fingerprint("SHA-256"));
281 stmt1->bind(2, static_cast<uint32_t>(code));
282 stmt1->bind(3, static_cast<size_t>(-1));
283
284 stmt1->spin();
285}
286
287void Certificate_Store_In_SQL::affirm_cert(const X509_Certificate& cert) {
288 auto stmt = m_database->new_statement("DELETE FROM " + m_prefix + "revoked WHERE fingerprint == ?1");
289
290 stmt->bind(1, cert.fingerprint("SHA-256"));
291 stmt->spin();
292}
293
294std::vector<X509_CRL> Certificate_Store_In_SQL::generate_crls() const {
295 auto stmt = m_database->new_statement("SELECT certificate,reason,time FROM " + m_prefix +
296 "revoked "
297 "JOIN " +
298 m_prefix + "certificates ON " + m_prefix +
299 "certificates.fingerprint == " + m_prefix + "revoked.fingerprint");
300
301 std::map<X509_DN, std::vector<CRL_Entry>> crls;
302 while(stmt->step()) {
303 auto blob = stmt->get_blob(0);
304 auto cert = X509_Certificate(std::vector<uint8_t>(blob.first, blob.first + blob.second));
305 auto code = static_cast<CRL_Code>(stmt->get_size_t(1));
306 auto ent = CRL_Entry(cert, code);
307
308 auto i = crls.find(cert.issuer_dn());
309 if(i == crls.end()) {
310 crls.insert(std::make_pair(cert.issuer_dn(), std::vector<CRL_Entry>({ent})));
311 } else {
312 i->second.push_back(ent);
313 }
314 }
315
316 const X509_Time t(std::chrono::system_clock::now());
317
318 std::vector<X509_CRL> ret;
319 ret.reserve(crls.size());
320
321 for(const auto& p : crls) {
322 ret.push_back(X509_CRL(p.first, t, t, p.second));
323 }
324
325 return ret;
326}
327
328} // namespace Botan
Botan::ASN1_Object::BER_encode
std::vector< uint8_t > BER_encode() const
Definition asn1_obj.cpp:20
Botan::ASN1_Time::time_is_set
bool time_is_set() const
Return if the time has been set somehow.
Definition asn1_time.cpp:112
Botan::BER_Decoder
Definition ber_dec.h:25
Botan::CRL_Entry
Definition x509_crl.h:29
Botan::Certificate_Store_In_SQL::find_cert_by_issuer_dn_and_serial_number
std::optional< X509_Certificate > find_cert_by_issuer_dn_and_serial_number(const X509_DN &issuer_dn, std::span< const uint8_t > serial_number) const override
Definition certstor_sql.cpp:111
Botan::Certificate_Store_In_SQL::all_subjects
std::vector< X509_DN > all_subjects() const override
Definition certstor_sql.cpp:128
Botan::Certificate_Store_In_SQL::insert_cert
bool insert_cert(const X509_Certificate &cert)
Definition certstor_sql.cpp:145
Botan::Certificate_Store_In_SQL::find_all_certs
std::vector< X509_Certificate > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
Definition certstor_sql.cpp:74
Botan::Certificate_Store_In_SQL::find_cert_by_raw_subject_dn_sha256
std::optional< X509_Certificate > find_cert_by_raw_subject_dn_sha256(const std::vector< uint8_t > &subject_hash) const override
Definition certstor_sql.cpp:106
Botan::Certificate_Store_In_SQL::revoke_cert
void revoke_cert(const X509_Certificate &cert, CRL_Code reason, const X509_Time &time)
Marks "cert" as revoked starting from "time".
Definition certstor_sql.cpp:254
Botan::Certificate_Store_In_SQL::find_crl_for
std::optional< X509_CRL > find_crl_for(const X509_Certificate &issuer) const override
Definition certstor_sql.cpp:116
Botan::Certificate_Store_In_SQL::Certificate_Store_In_SQL
Certificate_Store_In_SQL(std::shared_ptr< SQL_Database > db, std::string_view passwd, RandomNumberGenerator &rng, std::string_view table_prefix="")
Definition certstor_sql.cpp:21
Botan::Certificate_Store_In_SQL::find_certs_for_key
std::vector< X509_Certificate > find_certs_for_key(const Private_Key &key) const
Returns all certificates for private key "key".
Definition certstor_sql.cpp:202
Botan::Certificate_Store_In_SQL::affirm_cert
void affirm_cert(const X509_Certificate &cert)
Reverses the revocation for "cert".
Definition certstor_sql.cpp:287
Botan::Certificate_Store_In_SQL::remove_cert
bool remove_cert(const X509_Certificate &cert)
Definition certstor_sql.cpp:168
Botan::Certificate_Store_In_SQL::find_key
std::shared_ptr< const Private_Key > find_key(const X509_Certificate &cert) const
Returns the private key for "cert" or an empty shared_ptr if none was found.
Definition certstor_sql.cpp:182
Botan::Certificate_Store_In_SQL::find_cert
std::optional< X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
Definition certstor_sql.cpp:48
Botan::Certificate_Store_In_SQL::remove_key
void remove_key(const Private_Key &key)
Removes "key" from the store.
Definition certstor_sql.cpp:245
Botan::Certificate_Store_In_SQL::insert_key
bool insert_key(const X509_Certificate &cert, const Private_Key &key)
Definition certstor_sql.cpp:218
Botan::Certificate_Store_In_SQL::find_cert_by_pubkey_sha1
std::optional< X509_Certificate > find_cert_by_pubkey_sha1(const std::vector< uint8_t > &key_hash) const override
Definition certstor_sql.cpp:101
Botan::Certificate_Store_In_SQL::generate_crls
std::vector< X509_CRL > generate_crls() const
Definition certstor_sql.cpp:294
Botan::DataSource_Memory
Definition data_src.h:111
Botan::Not_Implemented
Definition exceptn.h:335
Botan::Private_Key
Definition pk_keys.h:294
Botan::Private_Key::fingerprint_private
std::string fingerprint_private(std::string_view alg) const
Definition pk_keys.cpp:94
Botan::X509_CRL
Definition x509_crl.h:90
Botan::X509_Certificate
Definition x509cert.h:27
Botan::X509_Certificate::fingerprint
std::string fingerprint(std::string_view hash_name="SHA-1") const
Definition x509cert.cpp:648
Botan::X509_Certificate::subject_dn
const X509_DN & subject_dn() const
Definition x509cert.cpp:414
Botan::X509_Certificate::subject_key_id
const std::vector< uint8_t > & subject_key_id() const
Definition x509cert.cpp:398
Botan::X509_Certificate::issuer_dn
const X509_DN & issuer_dn() const
Definition x509cert.cpp:410
Botan::X509_DN
Definition pkix_types.h:41
Botan::X509_DN::decode_from
void decode_from(BER_Decoder &from) override
Definition x509_dn.cpp:348
Botan::PKCS8::BER_encode
std::vector< uint8_t > BER_encode(const Private_Key &key, RandomNumberGenerator &rng, std::string_view pass, std::chrono::milliseconds msec, std::string_view pbe_algo)
Definition pkcs8.cpp:161
Botan::PKCS8::load_key
std::unique_ptr< Private_Key > load_key(DataSource &source, const std::function< std::string()> &get_pass)
Definition pkcs8.cpp:314
Botan::X509_Time
ASN1_Time X509_Time
Definition asn1_obj.h:23
Generated by doxygen 1.15.0