Botan  2.15.0
Crypto and TLS for C++11
Botan::Certificate_Store_In_SQLite Class Reference (final)

#include <certstor_sqlite.h>

Inheritance diagram for Botan::Certificate_Store_In_SQLite:
Botan::Certificate_Store_In_SQL Botan::Certificate_Store

Public Member Functions

void affirm_cert (const X509_Certificate &)
 Reverses the revocation for "cert". More...
 
std::vector< X509_DN > all_subjects () const override
 
bool certificate_known (const X509_Certificate &cert) const
 
 Certificate_Store_In_SQLite (const std::string &db_path, const std::string &passwd, RandomNumberGenerator &rng, const std::string &table_prefix="")
 
std::vector< std::shared_ptr< const X509_Certificate > > find_all_certs (const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
 
std::shared_ptr< const X509_Certificate > find_cert (const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
 
std::shared_ptr< const X509_Certificate > find_cert_by_pubkey_sha1 (const std::vector< uint8_t > &key_hash) const override
 
std::shared_ptr< const X509_Certificate > find_cert_by_raw_subject_dn_sha256 (const std::vector< uint8_t > &subject_hash) const override
 
std::vector< std::shared_ptr< const X509_Certificate > > find_certs_for_key (const Private_Key &key) const
 Returns all certificates for private key "key". More...
 
std::shared_ptr< const X509_CRL > find_crl_for (const X509_Certificate &issuer) const override
 
std::shared_ptr< const Private_Key > find_key (const X509_Certificate &) const
 Returns the private key for "cert" or an empty shared_ptr if none was found. More...
 
std::vector< X509_CRL > generate_crls () const
 
bool insert_cert (const X509_Certificate &cert)
 
bool insert_key (const X509_Certificate &cert, const Private_Key &key)
 
bool remove_cert (const X509_Certificate &cert)
 
void remove_key (const Private_Key &key)
 Removes "key" from the store. More...
 
void revoke_cert (const X509_Certificate &, CRL_Code, const X509_Time &time=X509_Time())
 Marks "cert" as revoked starting from "time". More...
 

Detailed Description

Certificate and private key store backed by an sqlite (https://sqlite.org) database.

Definition at line 18 of file certstor_sqlite.h.

Constructor & Destructor Documentation

◆ Certificate_Store_In_SQLite()

Botan::Certificate_Store_In_SQLite::Certificate_Store_In_SQLite ( const std::string &  db_path,
const std::string &  passwd,
RandomNumberGenerator &  rng,
const std::string &  table_prefix = "" 
)

Create/open a certificate store.

Parameters
db_path: path to the database file
passwd: password to encrypt private keys in the database
rng: used for encrypting keys
table_prefix: optional prefix for db table names

Definition at line 13 of file certstor_sqlite.cpp.

/*
* Create or open a certificate store backed by an sqlite database file.
*
* @param db_path path to the sqlite database file
* @param passwd password used to encrypt private keys stored in the database
* @param rng used when encrypting keys
* @param table_prefix optional prefix for the table names. The prefix is
*        concatenated into the SQL statement text by the inherited methods
*        (only row values are bound as parameters), so it must come from
*        trusted configuration rather than from untrusted input.
*/
Certificate_Store_In_SQLite::Certificate_Store_In_SQLite(const std::string& db_path,
                                                         const std::string& passwd,
                                                         RandomNumberGenerator& rng,
                                                         const std::string& table_prefix) :
   Certificate_Store_In_SQL(std::make_shared<Sqlite3_Database>(db_path), passwd, rng, table_prefix)
   {
   }

Member Function Documentation

◆ affirm_cert()

void Botan::Certificate_Store_In_SQL::affirm_cert ( const X509_Certificate &  cert)
inherited

Reverses the revocation for "cert".

Definition at line 288 of file certstor_sql.cpp.

References Botan::X509_Certificate::fingerprint().

/*
* Reverse a revocation: delete the row recording "cert" from the revoked
* table. The row is addressed by the certificate's SHA-256 fingerprint,
* the same key revoke_cert() writes.
*/
void Certificate_Store_In_SQL::affirm_cert(const X509_Certificate& cert)
   {
   const std::string sql = "DELETE FROM " + m_prefix + "revoked WHERE fingerprint == ?1";

   auto del = m_database->new_statement(sql);
   del->bind(1, cert.fingerprint("SHA-256"));
   del->spin();
   }

◆ all_subjects()

std::vector< X509_DN > Botan::Certificate_Store_In_SQL::all_subjects ( ) const
override virtual inherited

Returns all subject DNs known to the store instance.

Implements Botan::Certificate_Store.

Definition at line 134 of file certstor_sql.cpp.

References Botan::X509_DN::decode_from().

/*
* Return the subject DN of every certificate row in the store.
* subject_dn is stored as its BER encoding (see insert_cert), so each
* row is decoded back into an X509_DN here.
*/
std::vector<X509_DN> Certificate_Store_In_SQL::all_subjects() const
   {
   auto query = m_database->new_statement("SELECT subject_dn FROM " + m_prefix + "certificates");

   std::vector<X509_DN> subjects;
   while(query->step())
      {
      const auto blob = query->get_blob(0);
      BER_Decoder decoder(blob.first, blob.second);

      X509_DN dn;
      dn.decode_from(decoder);
      subjects.emplace_back(std::move(dn));
      }

   return subjects;
   }

◆ certificate_known()

bool Botan::Certificate_Store::certificate_known ( const X509_Certificate &  cert) const
inline inherited
Returns
whether the certificate is known
Parameters
cert: certificate to be searched

Definition at line 72 of file certstor.h.

References Botan::X509_Certificate::subject_dn(), and Botan::X509_Certificate::subject_key_id().

/*
* Defined inline in Certificate_Store (certstor.h).
*
* Returns true if find_cert() yields a certificate for this certificate's
* subject DN and subject key id. Because the lookup is by DN / key id rather
* than by the certificate itself, a different certificate for the same
* subject also satisfies it.
*/
bool certificate_known(const X509_Certificate& cert) const
   {
   const auto match = find_cert(cert.subject_dn(), cert.subject_key_id());
   return match != nullptr;
   }

◆ find_all_certs()

std::vector< std::shared_ptr< const X509_Certificate > > Botan::Certificate_Store_In_SQL::find_all_certs ( const X509_DN &  subject_dn,
const std::vector< uint8_t > &  key_id 
) const
override virtual inherited

Find all certificates with a given Subject DN. Subject DN and even the key identifier might not be unique.

Implements Botan::Certificate_Store.

Definition at line 76 of file certstor_sql.cpp.

References Botan::ASN1_Object::BER_encode().

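/*
* Find all certificates with the given subject DN, optionally restricted to
* the given subject key identifier.
*
* @param subject_dn the subject DN to match; compared against the stored BER encoding
* @param key_id subject key identifier; when empty the key id is not constrained
* @return every matching certificate decoded from the stored encoding, empty if none
*/
std::vector<std::shared_ptr<const X509_Certificate>>
Certificate_Store_In_SQL::find_all_certs(const X509_DN& subject_dn,
                                         const std::vector<uint8_t>& key_id) const
   {
   const std::vector<uint8_t> dn_encoding = subject_dn.BER_encode();

   std::shared_ptr<SQL_Database::Statement> stmt;

   if(key_id.empty())
      {
      stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE subject_dn == ?1");
      stmt->bind(1, dn_encoding);
      }
   else
      {
      /*
      * NOTE(review): "key_id == NULL" is never true in SQL (a comparison with
      * NULL yields NULL, which WHERE does not accept); "key_id IS NULL" would
      * express that intent. insert_cert also appears to store whatever
      * subject_key_id() returns (an empty blob rather than NULL when absent),
      * so the right predicate depends on the schema - confirm before changing.
      */
      stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE\
         subject_dn == ?1 AND (key_id == NULL OR key_id == ?2)");
      stmt->bind(1, dn_encoding);
      stmt->bind(2, key_id);
      }

   std::vector<std::shared_ptr<const X509_Certificate>> certs;
   while(stmt->step())
      {
      // blob.first points at the encoded certificate, blob.second is its length
      const auto blob = stmt->get_blob(0);
      certs.push_back(std::make_shared<X509_Certificate>(
         std::vector<uint8_t>(blob.first, blob.first + blob.second)));
      }

   return certs;
   }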

◆ find_cert()

std::shared_ptr< const X509_Certificate > Botan::Certificate_Store_In_SQL::find_cert ( const X509_DN &  subject_dn,
const std::vector< uint8_t > &  key_id 
) const
override virtual inherited

Returns the first certificate with matching subject DN and optional key ID.

Reimplemented from Botan::Certificate_Store.

Definition at line 47 of file certstor_sql.cpp.

References Botan::ASN1_Object::BER_encode().

Referenced by Botan::Certificate_Store_In_SQL::remove_cert().

/*
* Return the first certificate whose subject DN matches and, when key_id is
* non-empty, whose key_id column matches as well. Returns an empty
* shared_ptr when nothing matches.
*/
std::shared_ptr<const X509_Certificate>
Certificate_Store_In_SQL::find_cert(const X509_DN& subject_dn,
                                    const std::vector<uint8_t>& key_id) const
   {
   const std::vector<uint8_t> dn_encoding = subject_dn.BER_encode();

   std::shared_ptr<SQL_Database::Statement> query;

   if(key_id.empty())
      {
      query = m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE subject_dn == ?1 LIMIT 1");
      query->bind(1, dn_encoding);
      }
   else
      {
      // NOTE(review): "key_id == NULL" cannot evaluate true in SQL ("IS NULL" would);
      // kept unchanged because the stored representation of a missing key id is schema-dependent.
      query = m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE\
         subject_dn == ?1 AND (key_id == NULL OR key_id == ?2) LIMIT 1");
      query->bind(1, dn_encoding);
      query->bind(2, key_id);
      }

   // LIMIT 1 above: a single step either yields the row or nothing
   if(!query->step())
      return nullptr;

   const auto blob = query->get_blob(0);
   return std::make_shared<X509_Certificate>(std::vector<uint8_t>(blob.first, blob.first + blob.second));
   }

◆ find_cert_by_pubkey_sha1()

std::shared_ptr< const X509_Certificate > Botan::Certificate_Store_In_SQL::find_cert_by_pubkey_sha1 ( const std::vector< uint8_t > &  key_hash) const
override virtual inherited

Find a certificate by searching for one with a matching SHA-1 hash of public key. Used for OCSP.

Parameters
key_hash: SHA-1 hash of the subject's public key
Returns
a matching certificate or nullptr otherwise

Implements Botan::Certificate_Store.

Definition at line 109 of file certstor_sql.cpp.

/*
* Lookup by SHA-1 hash of the public key (the OCSP path) is not supported by
* the SQL store. Where the base interface documents a nullptr result for a
* miss, this override always throws Not_Implemented, so callers reaching it
* must be prepared for an exception rather than an empty result.
*/
std::shared_ptr<const X509_Certificate>
Certificate_Store_In_SQL::find_cert_by_pubkey_sha1(const std::vector<uint8_t>& /*key_hash*/) const
   {
   throw Not_Implemented("Certificate_Store_In_SQL::find_cert_by_pubkey_sha1");
   }

◆ find_cert_by_raw_subject_dn_sha256()

std::shared_ptr< const X509_Certificate > Botan::Certificate_Store_In_SQL::find_cert_by_raw_subject_dn_sha256 ( const std::vector< uint8_t > &  subject_hash) const
override virtual inherited

Find a certificate by searching for one with a matching SHA-256 hash of raw subject name. Used for OCSP.

Parameters
subject_hash: SHA-256 hash of the subject's raw name
Returns
a matching certificate or nullptr otherwise

Implements Botan::Certificate_Store.

Definition at line 115 of file certstor_sql.cpp.

/*
* Lookup by SHA-256 hash of the raw subject name (the OCSP path) is not
* supported by the SQL store. Where the base interface documents a nullptr
* result for a miss, this override always throws Not_Implemented, so callers
* reaching it must be prepared for an exception rather than an empty result.
*/
std::shared_ptr<const X509_Certificate>
Certificate_Store_In_SQL::find_cert_by_raw_subject_dn_sha256(const std::vector<uint8_t>& /*subject_hash*/) const
   {
   throw Not_Implemented("Certificate_Store_In_SQL::find_cert_by_raw_subject_dn_sha256");
   }

◆ find_certs_for_key()

std::vector< std::shared_ptr< const X509_Certificate > > Botan::Certificate_Store_In_SQL::find_certs_for_key ( const Private_Key &  key) const
inherited

Returns all certificates for private key "key".

Definition at line 212 of file certstor_sql.cpp.

References Botan::Private_Key::fingerprint_private().

/*
* Return every certificate whose priv_fingerprint column equals the SHA-256
* private-key fingerprint of "key" - the link that insert_key writes.
*/
std::vector<std::shared_ptr<const X509_Certificate>>
Certificate_Store_In_SQL::find_certs_for_key(const Private_Key& key) const
   {
   const auto fpr = key.fingerprint_private("SHA-256");

   auto query = m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE priv_fingerprint == ?1");
   query->bind(1, fpr);

   std::vector<std::shared_ptr<const X509_Certificate>> result;
   while(query->step())
      {
      const auto blob = query->get_blob(0);
      result.emplace_back(std::make_shared<X509_Certificate>(
         std::vector<uint8_t>(blob.first, blob.first + blob.second)));
      }

   return result;
   }

◆ find_crl_for()

std::shared_ptr< const X509_CRL > Botan::Certificate_Store_In_SQL::find_crl_for ( const X509_Certificate &  issuer) const
override virtual inherited

Generates a CRL for all certificates issued by the given issuer.

Reimplemented from Botan::Certificate_Store.

Definition at line 121 of file certstor_sql.cpp.

References Botan::Certificate_Store_In_SQL::generate_crls(), and Botan::X509_Certificate::issuer_dn().

/*
* Return a freshly generated CRL whose issuer DN equals the issuer DN of the
* given certificate and which lists at least one revoked certificate, or an
* empty shared_ptr if there is none.
*
* Note: the declaration names this parameter "issuer", but the body matches
* on subject.issuer_dn() - the argument is treated as the certificate whose
* issuer's CRL is wanted, not as the issuer itself.
*/
std::shared_ptr<const X509_CRL>
Certificate_Store_In_SQL::find_crl_for(const X509_Certificate& subject) const
   {
   const X509_DN wanted_issuer = subject.issuer_dn();

   for(const auto& crl : generate_crls())
      {
      if(crl.get_revoked().empty())
         continue;

      if(crl.issuer_dn() == wanted_issuer)
         return std::make_shared<X509_CRL>(crl);
      }

   return nullptr;
   }

◆ find_key()

std::shared_ptr< const Private_Key > Botan::Certificate_Store_In_SQL::find_key ( const X509_Certificate &  cert) const
inherited

Returns the private key for "cert" or an empty shared_ptr if none was found.

Definition at line 192 of file certstor_sql.cpp.

References Botan::X509_Certificate::fingerprint(), and Botan::PKCS8::load_key().

Referenced by Botan::Certificate_Store_In_SQL::insert_key().

/*
* Return the private key linked to "cert", or an empty shared_ptr if none.
*
* The query joins keys.fingerprint to certificates.priv_fingerprint, so a key
* is found only if insert_key has linked it to this certificate's row. The
* stored PKCS#8 blob is loaded with the store's rng and password (the
* password the constructor documents as protecting private keys). Should
* several rows match, the last one read wins.
*/
std::shared_ptr<const Private_Key>
Certificate_Store_In_SQL::find_key(const X509_Certificate& cert) const
   {
   const std::string sql =
      "SELECT key FROM " + m_prefix + "keys "
      "JOIN " + m_prefix + "certificates ON " +
      m_prefix + "keys.fingerprint == " + m_prefix + "certificates.priv_fingerprint "
      "WHERE " + m_prefix + "certificates.fingerprint == ?1";

   auto query = m_database->new_statement(sql);
   query->bind(1, cert.fingerprint("SHA-256"));

   std::shared_ptr<const Private_Key> result;
   while(query->step())
      {
      const auto blob = query->get_blob(0);
      DataSource_Memory source(blob.first, blob.second);
      result.reset(PKCS8::load_key(source, m_rng, m_password));
      }

   return result;
   }

◆ generate_crls()

std::vector< X509_CRL > Botan::Certificate_Store_In_SQL::generate_crls ( ) const
inherited

Generates Certificate Revocation Lists for all certificates marked as revoked. A CRL is returned for each unique issuer DN.

Definition at line 296 of file certstor_sql.cpp.

Referenced by Botan::Certificate_Store_In_SQL::find_crl_for().

/*
* Build one CRL per issuer DN from the revoked table, joined to the
* certificates table so the issuer DN and reason code can be read back.
*
* NOTE(review): the same timestamp is passed for both time arguments of the
* X509_CRL constructor; if its third argument is nextUpdate, every CRL
* produced here is already due for refresh the moment it is generated -
* confirm that relying parties consuming these CRLs accept that.
*/
std::vector<X509_CRL> Certificate_Store_In_SQL::generate_crls() const
   {
   auto query = m_database->new_statement(
      "SELECT certificate,reason,time FROM " + m_prefix + "revoked "
      "JOIN " + m_prefix + "certificates ON " +
      m_prefix + "certificates.fingerprint == " + m_prefix + "revoked.fingerprint");

   // Group revoked entries by issuer DN; each group becomes one CRL.
   std::map<X509_DN, std::vector<CRL_Entry>> by_issuer;
   while(query->step())
      {
      const auto blob = query->get_blob(0);
      const X509_Certificate cert(std::vector<uint8_t>(blob.first, blob.first + blob.second));

      // reason is stored as an integer by revoke_cert and cast back without range validation
      const auto reason = static_cast<CRL_Code>(query->get_size_t(1));

      by_issuer[cert.issuer_dn()].emplace_back(cert, reason);
      }

   const X509_Time now(std::chrono::system_clock::now());

   std::vector<X509_CRL> crls;
   crls.reserve(by_issuer.size());
   for(const auto& group : by_issuer)
      crls.emplace_back(group.first, now, now, group.second);

   return crls;
   }

◆ insert_cert()

bool Botan::Certificate_Store_In_SQL::insert_cert ( const X509_Certificate &  cert)
inherited

Inserts "cert" into the store, returns false if the certificate is already known and true if insertion was successful.

Definition at line 153 of file certstor_sql.cpp.

References Botan::ASN1_Object::BER_encode(), Botan::X509_Certificate::fingerprint(), Botan::X509_Certificate::subject_dn(), and Botan::X509_Certificate::subject_key_id().

Referenced by Botan::Certificate_Store_In_SQL::insert_key(), and Botan::Certificate_Store_In_SQL::revoke_cert().

/*
* Write "cert" to the certificates table.
*
* The statement is INSERT OR REPLACE and priv_fingerprint is always written
* as an empty blob. Which column the REPLACE conflicts on is defined by the
* schema (not visible here); fingerprint is the column every other statement
* in this class uses to address a row, so presumably re-inserting a known
* certificate replaces its row and thereby clears any private-key link
* (insert_key rewrites that link afterwards; revoke_cert does not).
*
* Despite the documented contract this implementation never returns false:
* an already-known certificate is replaced and true is returned.
*/
bool Certificate_Store_In_SQL::insert_cert(const X509_Certificate& cert)
   {
   const std::vector<uint8_t> dn_encoding = cert.subject_dn().BER_encode();
   const std::vector<uint8_t> cert_encoding = cert.BER_encode();

   const std::string sql =
      "INSERT OR REPLACE INTO " + m_prefix + "certificates (\
         fingerprint, \
         subject_dn, \
         key_id, \
         priv_fingerprint, \
         certificate \
      ) VALUES ( ?1, ?2, ?3, ?4, ?5 )";

   auto insert = m_database->new_statement(sql);
   insert->bind(1, cert.fingerprint("SHA-256"));
   insert->bind(2, dn_encoding);
   insert->bind(3, cert.subject_key_id());
   insert->bind(4, std::vector<uint8_t>()); // no private key linked at this point
   insert->bind(5, cert_encoding);
   insert->spin();

   return true;
   }

◆ insert_key()

bool Botan::Certificate_Store_In_SQL::insert_key ( const X509_Certificate &  cert,
const Private_Key &  key 
)
inherited

Inserts "key" for "cert" into the store, returns false if the key is already known and true if insertion was successful.

Definition at line 230 of file certstor_sql.cpp.

References Botan::PKCS8::BER_encode(), Botan::Certificate_Store_In_SQL::find_key(), Botan::X509_Certificate::fingerprint(), Botan::Private_Key::fingerprint_private(), and Botan::Certificate_Store_In_SQL::insert_cert().

/*
* Store "key" as a PKCS#8 blob encrypted under the store password and link it
* to "cert" through certificates.priv_fingerprint. Returns false if find_key
* already yields a key for the certificate, true after insertion.
*
* NOTE(review): insert_cert runs first and writes an empty priv_fingerprint
* for the certificate row - the very column find_key joins on. If that
* INSERT OR REPLACE replaces an existing row, the "already known" check below
* can never fire; confirm against the schema.
*/
bool Certificate_Store_In_SQL::insert_key(const X509_Certificate& cert, const Private_Key& key)
   {
   insert_cert(cert);

   if(find_key(cert))
      return false;

   const auto encrypted_pkcs8 = PKCS8::BER_encode(key, m_rng, m_password);
   const auto fpr = key.fingerprint_private("SHA-256");

   auto store_key = m_database->new_statement(
      "INSERT OR REPLACE INTO " + m_prefix + "keys ( fingerprint, key ) VALUES ( ?1, ?2 )");
   store_key->bind(1, fpr);
   store_key->bind(2, encrypted_pkcs8.data(), encrypted_pkcs8.size());
   store_key->spin();

   auto link_cert = m_database->new_statement(
      "UPDATE " + m_prefix + "certificates SET priv_fingerprint = ?1 WHERE fingerprint == ?2");
   link_cert->bind(1, fpr);
   link_cert->bind(2, cert.fingerprint("SHA-256"));
   link_cert->spin();

   return true;
   }

◆ remove_cert()

bool Botan::Certificate_Store_In_SQL::remove_cert ( const X509_Certificate &  cert)
inherited

Removes "cert" from the store. Returns false if the certificate could not be found and true if removal was successful.

Definition at line 178 of file certstor_sql.cpp.

References Botan::Certificate_Store_In_SQL::find_cert(), Botan::X509_Certificate::fingerprint(), Botan::X509_Certificate::subject_dn(), and Botan::X509_Certificate::subject_key_id().

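/*
* Remove "cert" from the certificates table.
*
* @return false if no row with this certificate's SHA-256 fingerprint exists,
*         true once that row has been deleted
*
* The existence check uses the same key as the DELETE (the fingerprint).
* Checking by subject DN / subject key id instead would report success for
* a certificate that was never stored whenever a different certificate for
* the same subject is present.
*/
bool Certificate_Store_In_SQL::remove_cert(const X509_Certificate& cert)
   {
   const auto fpr = cert.fingerprint("SHA-256");

   auto exists = m_database->new_statement("SELECT 1 FROM " + m_prefix + "certificates WHERE fingerprint == ?1");
   exists->bind(1, fpr);
   if(!exists->step())
      return false;

   auto del = m_database->new_statement("DELETE FROM " + m_prefix + "certificates WHERE fingerprint == ?1");
   del->bind(1, fpr);
   del->spin();

   return true;
   }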

◆ remove_key()

void Botan::Certificate_Store_In_SQL::remove_key ( const Private_Key &  key)
inherited

Removes "key" from the store.

Definition at line 256 of file certstor_sql.cpp.

References Botan::Private_Key::fingerprint_private().

/*
* Delete the keys row whose fingerprint equals the SHA-256 private-key
* fingerprint of "key". The priv_fingerprint link on certificate rows is
* left untouched by this call.
*/
void Certificate_Store_In_SQL::remove_key(const Private_Key& key)
   {
   auto del = m_database->new_statement("DELETE FROM " + m_prefix + "keys WHERE fingerprint == ?1");
   del->bind(1, key.fingerprint_private("SHA-256"));
   del->spin();
   }

◆ revoke_cert()

void Botan::Certificate_Store_In_SQL::revoke_cert ( const X509_Certificate &  cert,
CRL_Code  code,
const X509_Time &  time = X509_Time() 
)
inherited

Marks "cert" as revoked starting from "time".

Definition at line 266 of file certstor_sql.cpp.

References Botan::ASN1_Object::BER_encode(), Botan::X509_Certificate::fingerprint(), Botan::Certificate_Store_In_SQL::insert_cert(), and Botan::X509_Time::time_is_set().

/*
* Mark "cert" as revoked with reason "code", effective from "time".
*
* The certificate is (re)inserted first so the revoked row can be joined to a
* certificates row by fingerprint (as generate_crls does). When "time" is not
* set, the sentinel size_t(-1) is stored in place of a BER-encoded time.
*
* NOTE(review): insert_cert writes an empty priv_fingerprint, so revoking a
* certificate that has a linked private key may unlink that key if the
* certificate row is replaced - confirm against the schema.
*/
void Certificate_Store_In_SQL::revoke_cert(const X509_Certificate& cert, CRL_Code code, const X509_Time& time)
   {
   insert_cert(cert);

   auto revoke = m_database->new_statement(
      "INSERT OR REPLACE INTO " + m_prefix + "revoked ( fingerprint, reason, time ) VALUES ( ?1, ?2, ?3 )");

   revoke->bind(1, cert.fingerprint("SHA-256"));
   revoke->bind(2, code);

   if(time.time_is_set())
      revoke->bind(3, time.BER_encode());
   else
      revoke->bind(3, static_cast<size_t>(-1));

   revoke->spin();
   }
