Botan 3.10.0
Crypto and TLS for C&
Public Member Functions | List of all members
Botan::Certificate_Store_In_SQL Class Reference

#include <certstor_sql.h>

Inheritance diagram for Botan::Certificate_Store_In_SQL:
Botan::Certificate_Store Botan::Certificate_Store_In_SQLite

Public Member Functions

void affirm_cert (const X509_Certificate &cert)
 Reverses the revocation for "cert".
std::vector< X509_DNall_subjects () const override
bool certificate_known (const X509_Certificate &cert) const
 Certificate_Store_In_SQL (std::shared_ptr< SQL_Database > db, std::string_view passwd, RandomNumberGenerator &rng, std::string_view table_prefix="")
std::vector< X509_Certificatefind_all_certs (const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
std::optional< X509_Certificatefind_cert (const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
std::optional< X509_Certificatefind_cert_by_issuer_dn_and_serial_number (const X509_DN &issuer_dn, std::span< const uint8_t > serial_number) const override
std::optional< X509_Certificatefind_cert_by_pubkey_sha1 (const std::vector< uint8_t > &key_hash) const override
std::optional< X509_Certificatefind_cert_by_raw_subject_dn_sha256 (const std::vector< uint8_t > &subject_hash) const override
std::vector< X509_Certificatefind_certs_for_key (const Private_Key &key) const
 Returns all certificates for private key "key".
std::optional< X509_CRLfind_crl_for (const X509_Certificate &issuer) const override
std::shared_ptr< const Private_Keyfind_key (const X509_Certificate &cert) const
 Returns the private key for "cert" or an empty shared_ptr if none was found.
std::vector< X509_CRLgenerate_crls () const
bool insert_cert (const X509_Certificate &cert)
bool insert_key (const X509_Certificate &cert, const Private_Key &key)
bool remove_cert (const X509_Certificate &cert)
void remove_key (const Private_Key &key)
 Removes "key" from the store.
void revoke_cert (const X509_Certificate &cert, CRL_Code reason, const X509_Time &time=X509_Time())
 Marks "cert" as revoked starting from "time".

Detailed Description

Certificate and private key store backed by an SQL database.

Definition at line 24 of file certstor_sql.h.

Constructor & Destructor Documentation

◆ Certificate_Store_In_SQL()

Botan::Certificate_Store_In_SQL::Certificate_Store_In_SQL ( std::shared_ptr< SQL_Database > db,
std::string_view passwd,
RandomNumberGenerator & rng,
std::string_view table_prefix = "" )
explicit

Create/open a certificate store.

Parameters
dbunderlying database storage
passwdpassword to encrypt private keys in the database
rngused for encrypting keys
table_prefixoptional prefix for db table names

Definition at line 19 of file certstor_sql.cpp.

22 :
23 m_rng(rng), m_database(std::move(db)), m_prefix(table_prefix), m_password(passwd) {
24 m_database->create_table("CREATE TABLE IF NOT EXISTS " + m_prefix +
25 "certificates ( \
26 fingerprint BLOB PRIMARY KEY, \
27 subject_dn BLOB, \
28 key_id BLOB, \
29 priv_fingerprint BLOB, \
30 certificate BLOB UNIQUE NOT NULL\
31 )");
32 m_database->create_table("CREATE TABLE IF NOT EXISTS " + m_prefix +
33 "keys (\
34 fingerprint BLOB PRIMARY KEY, \
35 key BLOB UNIQUE NOT NULL \
36 )");
37 m_database->create_table("CREATE TABLE IF NOT EXISTS " + m_prefix +
38 "revoked (\
39 fingerprint BLOB PRIMARY KEY, \
40 reason BLOB NOT NULL, \
41 time BLOB NOT NULL \
42 )");
43}

Referenced by Botan::Certificate_Store_In_SQLite::Certificate_Store_In_SQLite().

Member Function Documentation

◆ affirm_cert()

void Botan::Certificate_Store_In_SQL::affirm_cert ( const X509_Certificate & cert)

Reverses the revocation for "cert".

Definition at line 271 of file certstor_sql.cpp.

271 {
272 auto stmt = m_database->new_statement("DELETE FROM " + m_prefix + "revoked WHERE fingerprint == ?1");
273
274 stmt->bind(1, cert.fingerprint("SHA-256"));
275 stmt->spin();
276}

References Botan::X509_Certificate::fingerprint().

◆ all_subjects()

std::vector< X509_DN > Botan::Certificate_Store_In_SQL::all_subjects ( ) const
overridevirtual

Returns all subject DNs known to the store instance.

Implements Botan::Certificate_Store.

Definition at line 127 of file certstor_sql.cpp.

127 {
128 std::vector<X509_DN> ret;
129 auto stmt = m_database->new_statement("SELECT subject_dn FROM " + m_prefix + "certificates");
130
131 while(stmt->step()) {
132 auto blob = stmt->get_blob(0);
133 BER_Decoder dec(blob.first, blob.second);
134 X509_DN dn;
135
136 dn.decode_from(dec);
137
138 ret.push_back(dn);
139 }
140
141 return ret;
142}

References Botan::X509_DN::decode_from().

◆ certificate_known()

bool Botan::Certificate_Store::certificate_known ( const X509_Certificate & cert) const
inlineinherited
Returns
whether the certificate is known
Parameters
certcertififcate to be searched

Definition at line 80 of file certstor.h.

80 {
81 return find_cert(cert.subject_dn(), cert.subject_key_id()).has_value();
82 }
Botan::Certificate_Store::find_cert
virtual std::optional< X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const
Definition certstor.cpp:21

References find_cert(), Botan::X509_Certificate::subject_dn(), and Botan::X509_Certificate::subject_key_id().

◆ find_all_certs()

std::vector< X509_Certificate > Botan::Certificate_Store_In_SQL::find_all_certs ( const X509_DN & subject_dn,
const std::vector< uint8_t > & key_id ) const
overridevirtual

Find all certificates with a given Subject DN. Subject DN and even the key identifier might not be unique.

Implements Botan::Certificate_Store.

Definition at line 72 of file certstor_sql.cpp.

73 {
74 std::vector<X509_Certificate> certs;
75
76 std::shared_ptr<SQL_Database::Statement> stmt;
77
78 const std::vector<uint8_t> dn_encoding = subject_dn.BER_encode();
79
80 if(key_id.empty()) {
81 stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE subject_dn == ?1");
82 stmt->bind(1, dn_encoding);
83 } else {
84 stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix +
85 "certificates WHERE\
86 subject_dn == ?1 AND (key_id == NULL OR key_id == ?2)");
87 stmt->bind(1, dn_encoding);
88 stmt->bind(2, key_id);
89 }
90
91 std::optional<X509_Certificate> cert;
92 while(stmt->step()) {
93 auto blob = stmt->get_blob(0);
94 certs.push_back(X509_Certificate(blob.first, blob.second));
95 }
96
97 return certs;
98}

References Botan::ASN1_Object::BER_encode().

◆ find_cert()

std::optional< X509_Certificate > Botan::Certificate_Store_In_SQL::find_cert ( const X509_DN & subject_dn,
const std::vector< uint8_t > & key_id ) const
overridevirtual

Returns the first certificate with matching subject DN and optional key ID.

Reimplemented from Botan::Certificate_Store.

Definition at line 46 of file certstor_sql.cpp.

47 {
48 std::shared_ptr<SQL_Database::Statement> stmt;
49
50 const std::vector<uint8_t> dn_encoding = subject_dn.BER_encode();
51
52 if(key_id.empty()) {
53 stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix +
54 "certificates WHERE subject_dn == ?1 LIMIT 1");
55 stmt->bind(1, dn_encoding);
56 } else {
57 stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix +
58 "certificates WHERE\
59 subject_dn == ?1 AND (key_id == NULL OR key_id == ?2) LIMIT 1");
60 stmt->bind(1, dn_encoding);
61 stmt->bind(2, key_id);
62 }
63
64 while(stmt->step()) {
65 auto blob = stmt->get_blob(0);
66 return X509_Certificate(blob.first, blob.second);
67 }
68
69 return std::optional<X509_Certificate>();
70}

References Botan::ASN1_Object::BER_encode().

Referenced by remove_cert().

◆ find_cert_by_issuer_dn_and_serial_number()

std::optional< X509_Certificate > Botan::Certificate_Store_In_SQL::find_cert_by_issuer_dn_and_serial_number ( const X509_DN & issuer_dn,
std::span< const uint8_t > serial_number ) const
overridevirtual

Find a certificate by searching for one with a matching issuer DN and serial number. Used for CMS or PKCS#7.

Parameters
issuer_dnthe distinguished name of the issuer
serial_numberthe certificate's serial number
Returns
a matching certificate or nullopt otherwise

Implements Botan::Certificate_Store.

Definition at line 110 of file certstor_sql.cpp.

111 {
112 throw Not_Implemented("Certificate_Store_In_SQL::find_cert_by_issuer_dn_and_serial_number");
113}

◆ find_cert_by_pubkey_sha1()

std::optional< X509_Certificate > Botan::Certificate_Store_In_SQL::find_cert_by_pubkey_sha1 ( const std::vector< uint8_t > & key_hash) const
overridevirtual

Find a certificate by searching for one with a matching SHA-1 hash of public key. Used for OCSP.

Parameters
key_hashSHA-1 hash of the subject's public key
Returns
a matching certificate or nullopt otherwise

Implements Botan::Certificate_Store.

Definition at line 100 of file certstor_sql.cpp.

101 {
102 throw Not_Implemented("Certificate_Store_In_SQL::find_cert_by_pubkey_sha1");
103}

◆ find_cert_by_raw_subject_dn_sha256()

std::optional< X509_Certificate > Botan::Certificate_Store_In_SQL::find_cert_by_raw_subject_dn_sha256 ( const std::vector< uint8_t > & subject_hash) const
overridevirtual

Find a certificate by searching for one with a matching SHA-256 hash of raw subject name. Used for OCSP.

Parameters
subject_hashSHA-256 hash of the subject's raw name
Returns
a matching certificate or nullopt otherwise

Implements Botan::Certificate_Store.

Definition at line 105 of file certstor_sql.cpp.

106 {
107 throw Not_Implemented("Certificate_Store_In_SQL::find_cert_by_raw_subject_dn_sha256");
108}

◆ find_certs_for_key()

std::vector< X509_Certificate > Botan::Certificate_Store_In_SQL::find_certs_for_key ( const Private_Key & key) const

Returns all certificates for private key "key".

Definition at line 201 of file certstor_sql.cpp.

201 {
202 auto fprint = key.fingerprint_private("SHA-256");
203 auto stmt =
204 m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE priv_fingerprint == ?1");
205
206 stmt->bind(1, fprint);
207
208 std::vector<X509_Certificate> certs;
209 while(stmt->step()) {
210 auto blob = stmt->get_blob(0);
211 certs.push_back(X509_Certificate(blob.first, blob.second));
212 }
213
214 return certs;
215}

References Botan::Private_Key::fingerprint_private().

◆ find_crl_for()

std::optional< X509_CRL > Botan::Certificate_Store_In_SQL::find_crl_for ( const X509_Certificate & issuer) const
overridevirtual

Generates a CRL for all certificates issued by the given issuer.

Reimplemented from Botan::Certificate_Store.

Definition at line 115 of file certstor_sql.cpp.

115 {
116 auto all_crls = generate_crls();
117
118 for(auto crl : all_crls) {
119 if(!crl.get_revoked().empty() && crl.issuer_dn() == subject.issuer_dn()) {
120 return crl;
121 }
122 }
123
124 return std::optional<X509_CRL>();
125}
Botan::Certificate_Store_In_SQL::generate_crls
std::vector< X509_CRL > generate_crls() const
Definition certstor_sql.cpp:278

References generate_crls(), and Botan::X509_Certificate::issuer_dn().

◆ find_key()

std::shared_ptr< const Private_Key > Botan::Certificate_Store_In_SQL::find_key ( const X509_Certificate & cert) const

Returns the private key for "cert" or an empty shared_ptr if none was found.

Definition at line 181 of file certstor_sql.cpp.

181 {
182 auto stmt = m_database->new_statement("SELECT key FROM " + m_prefix +
183 "keys "
184 "JOIN " +
185 m_prefix + "certificates ON " + m_prefix + "keys.fingerprint == " + m_prefix +
186 "certificates.priv_fingerprint "
187 "WHERE " +
188 m_prefix + "certificates.fingerprint == ?1");
189 stmt->bind(1, cert.fingerprint("SHA-256"));
190
191 std::shared_ptr<const Private_Key> key;
192 while(stmt->step()) {
193 auto blob = stmt->get_blob(0);
194 DataSource_Memory src(blob.first, blob.second);
195 key = PKCS8::load_key(src, m_password);
196 }
197
198 return key;
199}
Botan::PKCS8::load_key
std::unique_ptr< Private_Key > load_key(DataSource &source, const std::function< std::string()> &get_pass)
Definition pkcs8.cpp:314

References Botan::X509_Certificate::fingerprint(), and Botan::PKCS8::load_key().

Referenced by insert_key().

◆ generate_crls()

std::vector< X509_CRL > Botan::Certificate_Store_In_SQL::generate_crls ( ) const

Generates Certificate Revocation Lists for all certificates marked as revoked. A CRL is returned for each unique issuer DN.

Definition at line 278 of file certstor_sql.cpp.

278 {
279 auto stmt = m_database->new_statement("SELECT certificate,reason,time FROM " + m_prefix +
280 "revoked "
281 "JOIN " +
282 m_prefix + "certificates ON " + m_prefix +
283 "certificates.fingerprint == " + m_prefix + "revoked.fingerprint");
284
285 std::map<X509_DN, std::vector<CRL_Entry>> crls;
286 while(stmt->step()) {
287 auto blob = stmt->get_blob(0);
288 auto cert = X509_Certificate(std::vector<uint8_t>(blob.first, blob.first + blob.second));
289 auto code = static_cast<CRL_Code>(stmt->get_size_t(1));
290 auto ent = CRL_Entry(cert, code);
291
292 auto i = crls.find(cert.issuer_dn());
293 if(i == crls.end()) {
294 crls.insert(std::make_pair(cert.issuer_dn(), std::vector<CRL_Entry>({ent})));
295 } else {
296 i->second.push_back(ent);
297 }
298 }
299
300 X509_Time t(std::chrono::system_clock::now());
301
302 std::vector<X509_CRL> ret;
303 ret.reserve(crls.size());
304
305 for(const auto& p : crls) {
306 ret.push_back(X509_CRL(p.first, t, t, p.second));
307 }
308
309 return ret;
310}
Botan::X509_Time
ASN1_Time X509_Time
Definition asn1_obj.h:424

Referenced by find_crl_for().

◆ insert_cert()

bool Botan::Certificate_Store_In_SQL::insert_cert ( const X509_Certificate & cert)

Inserts "cert" into the store, returns false if the certificate is already known and true if insertion was successful.

Definition at line 144 of file certstor_sql.cpp.

144 {
145 const std::vector<uint8_t> dn_encoding = cert.subject_dn().BER_encode();
146 const std::vector<uint8_t> cert_encoding = cert.BER_encode();
147
148 auto stmt = m_database->new_statement("INSERT OR REPLACE INTO " + m_prefix +
149 "certificates (\
150 fingerprint, \
151 subject_dn, \
152 key_id, \
153 priv_fingerprint, \
154 certificate \
155 ) VALUES ( ?1, ?2, ?3, ?4, ?5 )");
156
157 stmt->bind(1, cert.fingerprint("SHA-256"));
158 stmt->bind(2, dn_encoding);
159 stmt->bind(3, cert.subject_key_id());
160 stmt->bind(4, std::vector<uint8_t>());
161 stmt->bind(5, cert_encoding);
162 stmt->spin();
163
164 return true;
165}

References Botan::ASN1_Object::BER_encode(), Botan::X509_Certificate::fingerprint(), Botan::X509_Certificate::subject_dn(), and Botan::X509_Certificate::subject_key_id().

Referenced by insert_key(), and revoke_cert().

◆ insert_key()

bool Botan::Certificate_Store_In_SQL::insert_key ( const X509_Certificate & cert,
const Private_Key & key )

Inserts "key" for "cert" into the store, returns false if the key is already known and true if insertion was successful.

Definition at line 217 of file certstor_sql.cpp.

217 {
218 insert_cert(cert);
219
220 if(find_key(cert)) {
221 return false;
222 }
223
224 auto pkcs8 = PKCS8::BER_encode(key, m_rng, m_password);
225 auto fprint = key.fingerprint_private("SHA-256");
226
227 auto stmt1 =
228 m_database->new_statement("INSERT OR REPLACE INTO " + m_prefix + "keys ( fingerprint, key ) VALUES ( ?1, ?2 )");
229
230 stmt1->bind(1, fprint);
231 stmt1->bind(2, pkcs8.data(), pkcs8.size());
232 stmt1->spin();
233
234 auto stmt2 = m_database->new_statement("UPDATE " + m_prefix +
235 "certificates SET priv_fingerprint = ?1 WHERE fingerprint == ?2");
236
237 stmt2->bind(1, fprint);
238 stmt2->bind(2, cert.fingerprint("SHA-256"));
239 stmt2->spin();
240
241 return true;
242}
Botan::Certificate_Store_In_SQL::insert_cert
bool insert_cert(const X509_Certificate &cert)
Definition certstor_sql.cpp:144
Botan::Certificate_Store_In_SQL::find_key
std::shared_ptr< const Private_Key > find_key(const X509_Certificate &cert) const
Returns the private key for "cert" or an empty shared_ptr if none was found.
Definition certstor_sql.cpp:181
Botan::PKCS8::BER_encode
std::vector< uint8_t > BER_encode(const Private_Key &key, RandomNumberGenerator &rng, std::string_view pass, std::chrono::milliseconds msec, std::string_view pbe_algo)
Definition pkcs8.cpp:161

References Botan::PKCS8::BER_encode(), find_key(), Botan::X509_Certificate::fingerprint(), Botan::Private_Key::fingerprint_private(), and insert_cert().

◆ remove_cert()

bool Botan::Certificate_Store_In_SQL::remove_cert ( const X509_Certificate & cert)

Removes "cert" from the store. Returns false if the certificate could not be found and true if removal was successful.

Definition at line 167 of file certstor_sql.cpp.

167 {
168 if(!find_cert(cert.subject_dn(), cert.subject_key_id())) {
169 return false;
170 }
171
172 auto stmt = m_database->new_statement("DELETE FROM " + m_prefix + "certificates WHERE fingerprint == ?1");
173
174 stmt->bind(1, cert.fingerprint("SHA-256"));
175 stmt->spin();
176
177 return true;
178}
Botan::Certificate_Store_In_SQL::find_cert
std::optional< X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
Definition certstor_sql.cpp:46

References find_cert(), Botan::X509_Certificate::fingerprint(), Botan::X509_Certificate::subject_dn(), and Botan::X509_Certificate::subject_key_id().

◆ remove_key()

void Botan::Certificate_Store_In_SQL::remove_key ( const Private_Key & key)

Removes "key" from the store.

Definition at line 244 of file certstor_sql.cpp.

244 {
245 auto fprint = key.fingerprint_private("SHA-256");
246 auto stmt = m_database->new_statement("DELETE FROM " + m_prefix + "keys WHERE fingerprint == ?1");
247
248 stmt->bind(1, fprint);
249 stmt->spin();
250}

References Botan::Private_Key::fingerprint_private().

◆ revoke_cert()

void Botan::Certificate_Store_In_SQL::revoke_cert ( const X509_Certificate & cert,
CRL_Code reason,
const X509_Time & time = X509_Time() )

Marks "cert" as revoked starting from "time".

Definition at line 253 of file certstor_sql.cpp.

253 {
254 insert_cert(cert);
255
256 auto stmt1 = m_database->new_statement("INSERT OR REPLACE INTO " + m_prefix +
257 "revoked ( fingerprint, reason, time ) VALUES ( ?1, ?2, ?3 )");
258
259 stmt1->bind(1, cert.fingerprint("SHA-256"));
260 stmt1->bind(2, static_cast<uint32_t>(code));
261
262 if(time.time_is_set()) {
263 stmt1->bind(3, time.BER_encode());
264 } else {
265 stmt1->bind(3, static_cast<size_t>(-1));
266 }
267
268 stmt1->spin();
269}

References Botan::ASN1_Object::BER_encode(), Botan::X509_Certificate::fingerprint(), insert_cert(), and Botan::ASN1_Time::time_is_set().

The documentation for this class was generated from the following files:
Generated by doxygen 1.15.0