Botan::Certificate_Store_In_SQLite Class Reference

#include <certstor_sqlite.h>

Inheritance diagram for Botan::Certificate_Store_In_SQLite:

Public Member Functions
void	affirm_cert (const X509_Certificate &cert)
	Reverses the revocation for "cert".
std::vector< X509_DN >	all_subjects () const override
bool	certificate_known (const X509_Certificate &cert) const
	Certificate_Store_In_SQLite (std::string_view db_path, std::string_view passwd, RandomNumberGenerator &rng, std::string_view table_prefix="")
std::vector< X509_Certificate >	find_all_certs (const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
std::optional< X509_Certificate >	find_cert (const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
std::optional< X509_Certificate >	find_cert_by_issuer_dn_and_serial_number (const X509_DN &issuer_dn, std::span< const uint8_t > serial_number) const override
std::optional< X509_Certificate >	find_cert_by_pubkey_sha1 (const std::vector< uint8_t > &key_hash) const override
std::optional< X509_Certificate >	find_cert_by_raw_subject_dn_sha256 (const std::vector< uint8_t > &subject_hash) const override
std::vector< X509_Certificate >	find_certs_for_key (const Private_Key &key) const
	Returns all certificates for private key "key".
std::optional< X509_CRL >	find_crl_for (const X509_Certificate &issuer) const override
std::shared_ptr< const Private_Key >	find_key (const X509_Certificate &cert) const
	Returns the private key for "cert" or an empty shared_ptr if none was found.
std::vector< X509_CRL >	generate_crls () const
bool	insert_cert (const X509_Certificate &cert)
bool	insert_key (const X509_Certificate &cert, const Private_Key &key)
bool	remove_cert (const X509_Certificate &cert)
void	remove_key (const Private_Key &key)
	Removes "key" from the store.
void	revoke_cert (const X509_Certificate &cert, CRL_Code reason)
	Marks "cert" as revoked with no time specified.
void	revoke_cert (const X509_Certificate &cert, CRL_Code reason, const X509_Time &time)
	Marks "cert" as revoked starting from "time".

Detailed Description

Certificate and private key store backed by an sqlite (https://sqlite.org) database.

Definition at line 18 of file certstor_sqlite.h.

Constructor & Destructor Documentation

Certificate_Store_In_SQLite()

Botan::Certificate_Store_In_SQLite::Certificate_Store_In_SQLite	(	std::string_view	db_path,
		std::string_view	passwd,
		RandomNumberGenerator &	rng,
		std::string_view	table_prefix = "" )

Create/open a certificate store.

Parameters

db_path	path to the database file
passwd	password to encrypt private keys in the database
rng	used for encrypting keys
table_prefix	optional prefix for db table names

Definition at line 14 of file certstor_sqlite.cpp.

                                                                                      :
      Certificate_Store_In_SQL(std::make_shared<Sqlite3_Database>(db_path), passwd, rng, table_prefix) {}

References Botan::Certificate_Store_In_SQL::Certificate_Store_In_SQL().

Member Function Documentation

affirm_cert()

void Botan::Certificate_Store_In_SQL::affirm_cert ( const X509_Certificate & cert )

inherited

Reverses the revocation for "cert".

Definition at line 287 of file certstor_sql.cpp.

                                                                       {
   auto stmt = m_database->new_statement("DELETE FROM " + m_prefix + "revoked WHERE fingerprint == ?1");
 
   stmt->bind(1, cert.fingerprint("SHA-256"));
   stmt->spin();
}

References Botan::X509_Certificate::fingerprint().

all_subjects()

std::vector< X509_DN > Botan::Certificate_Store_In_SQL::all_subjects ( ) const

overridevirtualinherited

Returns all subject DNs known to the store instance.

Implements Botan::Certificate_Store.

Definition at line 128 of file certstor_sql.cpp.

                                                                {
   std::vector<X509_DN> ret;
   auto stmt = m_database->new_statement("SELECT subject_dn FROM " + m_prefix + "certificates");
 
   while(stmt->step()) {
      auto blob = stmt->get_blob(0);
      BER_Decoder dec(blob.first, blob.second);
      X509_DN dn;
 
      dn.decode_from(dec);
 
      ret.push_back(dn);
   }
 
   return ret;
}

References Botan::X509_DN::decode_from().

certificate_known()

bool Botan::Certificate_Store::certificate_known ( const X509_Certificate & cert ) const

inlineinherited

Returns

whether the certificate is known

Parameters

cert	certificate to be searched

Definition at line 80 of file certstor.h.

                                                                 {
         return find_cert(cert.subject_dn(), cert.subject_key_id()).has_value();
      }

References find_cert(), Botan::X509_Certificate::subject_dn(), and Botan::X509_Certificate::subject_key_id().

Referenced by Botan::PKIX::build_all_certificate_paths().

find_all_certs()

std::vector< X509_Certificate > Botan::Certificate_Store_In_SQL::find_all_certs ( const X509_DN & subject_dn, const std::vector< uint8_t > & key_id ) const

overridevirtualinherited

Find all certificates with a given Subject DN. Subject DN and even the key identifier might not be unique.

Implements Botan::Certificate_Store.

Definition at line 74 of file certstor_sql.cpp.

                                                                                                               {
   std::vector<X509_Certificate> certs;
 
   std::shared_ptr<SQL_Database::Statement> stmt;
 
   const std::vector<uint8_t> dn_encoding = subject_dn.BER_encode();
 
   if(key_id.empty()) {
      stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE subject_dn == ?1");
      stmt->bind(1, dn_encoding);
   } else {
      stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix +
                                       "certificates WHERE\
                                        subject_dn == ?1 AND (key_id == NULL OR key_id == ?2)");
      stmt->bind(1, dn_encoding);
      stmt->bind(2, key_id);
   }
 
   while(stmt->step()) {
      auto blob = stmt->get_blob(0);
      certs.push_back(X509_Certificate(blob.first, blob.second));
   }
 
   return certs;
}

References Botan::ASN1_Object::BER_encode().

find_cert()

std::optional< X509_Certificate > Botan::Certificate_Store_In_SQL::find_cert ( const X509_DN & subject_dn, const std::vector< uint8_t > & key_id ) const

overridevirtualinherited

Returns the first certificate with matching subject DN and optional key ID.

Reimplemented from Botan::Certificate_Store.

Definition at line 48 of file certstor_sql.cpp.

                                                                                                            {
   std::shared_ptr<SQL_Database::Statement> stmt;
 
   const std::vector<uint8_t> dn_encoding = subject_dn.BER_encode();
 
   if(key_id.empty()) {
      stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix +
                                       "certificates WHERE subject_dn == ?1 LIMIT 1");
      stmt->bind(1, dn_encoding);
   } else {
      stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix +
                                       "certificates WHERE\
                                        subject_dn == ?1 AND (key_id == NULL OR key_id == ?2) LIMIT 1");
      stmt->bind(1, dn_encoding);
      stmt->bind(2, key_id);
   }
 
   while(stmt->step()) {
      auto blob = stmt->get_blob(0);
      return X509_Certificate(blob.first, blob.second);
   }
 
   return std::optional<X509_Certificate>();
}

References Botan::ASN1_Object::BER_encode().

Referenced by remove_cert().

find_cert_by_issuer_dn_and_serial_number()

std::optional< X509_Certificate > Botan::Certificate_Store_In_SQL::find_cert_by_issuer_dn_and_serial_number ( const X509_DN & issuer_dn, std::span< const uint8_t > serial_number ) const

overridevirtualinherited

Find a certificate by searching for one with a matching issuer DN and serial number. Used for CMS or PKCS#7.

Parameters

issuer_dn	the distinguished name of the issuer
serial_number	the certificate's serial number

Returns

a matching certificate or nullopt otherwise

Implements Botan::Certificate_Store.

Definition at line 111 of file certstor_sql.cpp.

                                                     {
   throw Not_Implemented("Certificate_Store_In_SQL::find_cert_by_issuer_dn_and_serial_number");
}

find_cert_by_pubkey_sha1()

std::optional< X509_Certificate > Botan::Certificate_Store_In_SQL::find_cert_by_pubkey_sha1 ( const std::vector< uint8_t > & key_hash ) const

overridevirtualinherited

Find a certificate by searching for one with a matching SHA-1 hash of public key. Used for OCSP.

Parameters

key_hash

SHA-1 hash of the subject's public key

Returns

a matching certificate or nullopt otherwise

Implements Botan::Certificate_Store.

Definition at line 101 of file certstor_sql.cpp.

                                      {
   throw Not_Implemented("Certificate_Store_In_SQL::find_cert_by_pubkey_sha1");
}

find_cert_by_raw_subject_dn_sha256()

std::optional< X509_Certificate > Botan::Certificate_Store_In_SQL::find_cert_by_raw_subject_dn_sha256 ( const std::vector< uint8_t > & subject_hash ) const

overridevirtualinherited

Find a certificate by searching for one with a matching SHA-256 hash of raw subject name. Used for OCSP.

Parameters

subject_hash

SHA-256 hash of the subject's raw name

Returns

a matching certificate or nullopt otherwise

Implements Botan::Certificate_Store.

Definition at line 106 of file certstor_sql.cpp.

                                      {
   throw Not_Implemented("Certificate_Store_In_SQL::find_cert_by_raw_subject_dn_sha256");
}

find_certs_for_key()

std::vector< X509_Certificate > Botan::Certificate_Store_In_SQL::find_certs_for_key ( const Private_Key & key ) const

inherited

Returns all certificates for private key "key".

Definition at line 202 of file certstor_sql.cpp.

                                                                                                     {
   auto fprint = key.fingerprint_private("SHA-256");
   auto stmt =
      m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE priv_fingerprint == ?1");
 
   stmt->bind(1, fprint);
 
   std::vector<X509_Certificate> certs;
   while(stmt->step()) {
      auto blob = stmt->get_blob(0);
      certs.push_back(X509_Certificate(blob.first, blob.second));
   }
 
   return certs;
}

References Botan::Private_Key::fingerprint_private().

find_crl_for()

std::optional< X509_CRL > Botan::Certificate_Store_In_SQL::find_crl_for ( const X509_Certificate & issuer ) const

overridevirtualinherited

Generates a CRL for all certificates issued by the given issuer.

Reimplemented from Botan::Certificate_Store.

Definition at line 116 of file certstor_sql.cpp.

                                                                                                  {
   const auto all_crls = generate_crls();
 
   for(const auto& crl : all_crls) {
      if(!crl.get_revoked().empty() && crl.issuer_dn() == subject.issuer_dn()) {
         return crl;
      }
   }
 
   return std::optional<X509_CRL>();
}

References generate_crls(), and Botan::X509_Certificate::issuer_dn().

find_key()

std::shared_ptr< const Private_Key > Botan::Certificate_Store_In_SQL::find_key ( const X509_Certificate & cert ) const

inherited

Returns the private key for "cert" or an empty shared_ptr if none was found.

Definition at line 182 of file certstor_sql.cpp.

                                                                                                      {
   auto stmt = m_database->new_statement("SELECT key FROM " + m_prefix +
                                         "keys "
                                         "JOIN " +
                                         m_prefix + "certificates ON " + m_prefix + "keys.fingerprint == " + m_prefix +
                                         "certificates.priv_fingerprint "
                                         "WHERE " +
                                         m_prefix + "certificates.fingerprint == ?1");
   stmt->bind(1, cert.fingerprint("SHA-256"));
 
   std::shared_ptr<const Private_Key> key;
   while(stmt->step()) {
      auto blob = stmt->get_blob(0);
      DataSource_Memory src(blob.first, blob.second);
      key = PKCS8::load_key(src, m_password);
   }
 
   return key;
}

References Botan::X509_Certificate::fingerprint(), and Botan::PKCS8::load_key().

Referenced by insert_key().

generate_crls()

std::vector< X509_CRL > Botan::Certificate_Store_In_SQL::generate_crls ( ) const

inherited

Generates Certificate Revocation Lists for all certificates marked as revoked. A CRL is returned for each unique issuer DN.

Definition at line 294 of file certstor_sql.cpp.

                                                                  {
   auto stmt = m_database->new_statement("SELECT certificate,reason,time FROM " + m_prefix +
                                         "revoked "
                                         "JOIN " +
                                         m_prefix + "certificates ON " + m_prefix +
                                         "certificates.fingerprint == " + m_prefix + "revoked.fingerprint");
 
   std::map<X509_DN, std::vector<CRL_Entry>> crls;
   while(stmt->step()) {
      auto blob = stmt->get_blob(0);
      auto cert = X509_Certificate(std::vector<uint8_t>(blob.first, blob.first + blob.second));
      auto code = static_cast<CRL_Code>(stmt->get_size_t(1));
      auto ent = CRL_Entry(cert, code);
 
      auto i = crls.find(cert.issuer_dn());
      if(i == crls.end()) {
         crls.insert(std::make_pair(cert.issuer_dn(), std::vector<CRL_Entry>({ent})));
      } else {
         i->second.push_back(ent);
      }
   }
 
   const X509_Time t(std::chrono::system_clock::now());
 
   std::vector<X509_CRL> ret;
   ret.reserve(crls.size());
 
   for(const auto& p : crls) {
      ret.push_back(X509_CRL(p.first, t, t, p.second));
   }
 
   return ret;
}

Referenced by find_crl_for().

insert_cert()

bool Botan::Certificate_Store_In_SQL::insert_cert ( const X509_Certificate & cert )

inherited

Inserts "cert" into the store, returns false if the certificate is already known and true if insertion was successful.

Definition at line 145 of file certstor_sql.cpp.

                                                                       {
   const std::vector<uint8_t> dn_encoding = cert.subject_dn().BER_encode();
   const std::vector<uint8_t> cert_encoding = cert.BER_encode();
 
   auto stmt = m_database->new_statement("INSERT OR REPLACE INTO " + m_prefix +
                                         "certificates (\
                                         fingerprint,          \
                                         subject_dn,           \
                                         key_id,               \
                                         priv_fingerprint,     \
                                         certificate           \
                                     ) VALUES ( ?1, ?2, ?3, ?4, ?5 )");
 
   stmt->bind(1, cert.fingerprint("SHA-256"));
   stmt->bind(2, dn_encoding);
   stmt->bind(3, cert.subject_key_id());
   stmt->bind(4, std::vector<uint8_t>());
   stmt->bind(5, cert_encoding);
   stmt->spin();
 
   return true;
}

References Botan::ASN1_Object::BER_encode(), Botan::X509_Certificate::fingerprint(), Botan::X509_Certificate::subject_dn(), and Botan::X509_Certificate::subject_key_id().

Referenced by insert_key(), revoke_cert(), and revoke_cert().

insert_key()

bool Botan::Certificate_Store_In_SQL::insert_key ( const X509_Certificate & cert, const Private_Key & key )

inherited

Inserts "key" for "cert" into the store, returns false if the key is already known and true if insertion was successful.

Definition at line 218 of file certstor_sql.cpp.

                                                                                              {
   insert_cert(cert);
 
   if(find_key(cert)) {
      return false;
   }
 
   auto pkcs8 = PKCS8::BER_encode(key, m_rng, m_password);
   auto fprint = key.fingerprint_private("SHA-256");
 
   auto stmt1 =
      m_database->new_statement("INSERT OR REPLACE INTO " + m_prefix + "keys ( fingerprint, key ) VALUES ( ?1, ?2 )");
 
   stmt1->bind(1, fprint);
   stmt1->bind(2, pkcs8.data(), pkcs8.size());
   stmt1->spin();
 
   auto stmt2 = m_database->new_statement("UPDATE " + m_prefix +
                                          "certificates SET priv_fingerprint = ?1 WHERE fingerprint == ?2");
 
   stmt2->bind(1, fprint);
   stmt2->bind(2, cert.fingerprint("SHA-256"));
   stmt2->spin();
 
   return true;
}

References Botan::PKCS8::BER_encode(), find_key(), Botan::X509_Certificate::fingerprint(), Botan::Private_Key::fingerprint_private(), and insert_cert().

remove_cert()

bool Botan::Certificate_Store_In_SQL::remove_cert ( const X509_Certificate & cert )

inherited

Removes "cert" from the store. Returns false if the certificate could not be found and true if removal was successful.

Definition at line 168 of file certstor_sql.cpp.

                                                                       {
   if(!find_cert(cert.subject_dn(), cert.subject_key_id())) {
      return false;
   }
 
   auto stmt = m_database->new_statement("DELETE FROM " + m_prefix + "certificates WHERE fingerprint == ?1");
 
   stmt->bind(1, cert.fingerprint("SHA-256"));
   stmt->spin();
 
   return true;
}

References find_cert(), Botan::X509_Certificate::fingerprint(), Botan::X509_Certificate::subject_dn(), and Botan::X509_Certificate::subject_key_id().

remove_key()

void Botan::Certificate_Store_In_SQL::remove_key ( const Private_Key & key )

inherited

Removes "key" from the store.

Definition at line 245 of file certstor_sql.cpp.

                                                                {
   auto fprint = key.fingerprint_private("SHA-256");
   auto stmt = m_database->new_statement("DELETE FROM " + m_prefix + "keys WHERE fingerprint == ?1");
 
   stmt->bind(1, fprint);
   stmt->spin();
}

References Botan::Private_Key::fingerprint_private().

revoke_cert() [1/2]

void Botan::Certificate_Store_In_SQL::revoke_cert ( const X509_Certificate & cert, CRL_Code reason )

inherited

Marks "cert" as revoked with no time specified.

Definition at line 274 of file certstor_sql.cpp.

                                                                                      {
   insert_cert(cert);
 
   auto stmt1 = m_database->new_statement("INSERT OR REPLACE INTO " + m_prefix +
                                          "revoked ( fingerprint, reason, time ) VALUES ( ?1, ?2, ?3 )");
 
   stmt1->bind(1, cert.fingerprint("SHA-256"));
   stmt1->bind(2, static_cast<uint32_t>(code));
   stmt1->bind(3, static_cast<size_t>(-1));
 
   stmt1->spin();
}

References Botan::X509_Certificate::fingerprint(), and insert_cert().

revoke_cert() [2/2]

void Botan::Certificate_Store_In_SQL::revoke_cert ( const X509_Certificate & cert, CRL_Code reason, const X509_Time & time )

inherited

Marks "cert" as revoked starting from "time".

Definition at line 254 of file certstor_sql.cpp.

                                                                                                             {
   // TODO(Botan4) require that time be valid
   insert_cert(cert);
 
   auto stmt1 = m_database->new_statement("INSERT OR REPLACE INTO " + m_prefix +
                                          "revoked ( fingerprint, reason, time ) VALUES ( ?1, ?2, ?3 )");
 
   stmt1->bind(1, cert.fingerprint("SHA-256"));
   stmt1->bind(2, static_cast<uint32_t>(code));
 
   if(time.time_is_set()) {
      stmt1->bind(3, time.BER_encode());
   } else {
      stmt1->bind(3, static_cast<size_t>(-1));
   }
 
   stmt1->spin();
}

References Botan::ASN1_Object::BER_encode(), Botan::X509_Certificate::fingerprint(), insert_cert(), and Botan::ASN1_Time::time_is_set().

---

The documentation for this class was generated from the following files:

• src/lib/x509/certstor_sqlite3/certstor_sqlite.h
• src/lib/x509/certstor_sqlite3/certstor_sqlite.cpp