Botan::Certificate_Store_MacOS Class Reference

#include <certstor_macos.h>

Inheritance diagram for Botan::Certificate_Store_MacOS:

Public Member Functions
std::vector< X509_DN >	all_subjects () const override
bool	certificate_known (const X509_Certificate &cert) const
	Certificate_Store_MacOS ()
	Certificate_Store_MacOS (Certificate_Store_MacOS &&)=default
	Certificate_Store_MacOS (const Certificate_Store_MacOS &)=default
virtual bool	contains (const X509_Certificate &cert) const
std::vector< X509_Certificate >	find_all_certs (const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
std::optional< X509_Certificate >	find_cert (const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
std::optional< X509_Certificate >	find_cert_by_issuer_dn_and_serial_number (const X509_DN &issuer_dn, std::span< const uint8_t > serial_number) const override
std::optional< X509_Certificate >	find_cert_by_pubkey_sha1 (const std::vector< uint8_t > &key_hash) const override
std::optional< X509_Certificate >	find_cert_by_raw_subject_dn_sha256 (const std::vector< uint8_t > &subject_hash) const override
std::optional< X509_CRL >	find_crl_for (const X509_Certificate &subject) const override
Certificate_Store_MacOS &	operator= (Certificate_Store_MacOS &&)=default
Certificate_Store_MacOS &	operator= (const Certificate_Store_MacOS &)=default

Detailed Description

Certificate Store that is backed by the system trust store on macOS. This opens a handle to the macOS keychain and serves certificate queries directly from there.

Definition at line 27 of file certstor_macos.h.

Constructor & Destructor Documentation

Certificate_Store_MacOS() [1/3]

Botan::Certificate_Store_MacOS::Certificate_Store_MacOS

(

)

Definition at line 335 of file certstor_macos.cpp.

: m_impl(std::make_shared<Certificate_Store_MacOS_Impl>()) {}

Referenced by Certificate_Store_MacOS(), Certificate_Store_MacOS(), operator=(), and operator=().

Certificate_Store_MacOS() [2/3]

Botan::Certificate_Store_MacOS::Certificate_Store_MacOS ( const Certificate_Store_MacOS & )

default

References Certificate_Store_MacOS().

Certificate_Store_MacOS() [3/3]

Botan::Certificate_Store_MacOS::Certificate_Store_MacOS ( Certificate_Store_MacOS && )

default

References Certificate_Store_MacOS().

Member Function Documentation

all_subjects()

std::vector< X509_DN > Botan::Certificate_Store_MacOS::all_subjects ( ) const

overridevirtual

Returns

DNs for all certificates managed by the store

Implements Botan::Certificate_Store.

Definition at line 337 of file certstor_macos.cpp.

                                                               {
   // Note: This fetches and parses all certificates in the trust store.
   //       Apple's API provides SecCertificateCopyNormalizedSubjectSequence
   //       which facilitates reading the certificate DN without parsing the
   //       entire certificate via X509_Certificate. However, this
   //       function applies the same DN "normalization" as stated above.
   const auto certificates = m_impl->findAll({});
 
   std::vector<X509_DN> output;
   std::transform(certificates.cbegin(),
                  certificates.cend(),
                  std::back_inserter(output),
                  [](const std::optional<X509_Certificate> cert) { return cert->subject_dn(); });
 
   return output;
}

certificate_known()

bool Botan::Certificate_Store::certificate_known ( const X509_Certificate & cert ) const

inherited

Old version of contains

Definition at line 24 of file certstor.cpp.

                                                                            {
   return contains(cert);
}

References contains().

Referenced by find_cert_by_issuer_dn_and_serial_number().

contains()

bool Botan::Certificate_Store::contains ( const X509_Certificate & cert ) const

virtualinherited

Returns

whether this certificate is contained within the store

Parameters

cert	certificate to be searched

Default implementation uses find_all_certs

Reimplemented in Botan::Certificate_Store_In_Memory, Botan::Certificate_Store_In_SQL, Botan::Certificate_Store_Windows, Botan::Flatfile_Certificate_Store, and Botan::System_Certificate_Store.

Definition at line 28 of file certstor.cpp.

                                                                        {
   for(const auto& cert : find_all_certs(searching.subject_dn(), searching.subject_key_id())) {
      if(cert == searching) {
         return true;
      }
   }
 
   return false;
}

References find_all_certs(), Botan::X509_Certificate::subject_dn(), and Botan::X509_Certificate::subject_key_id().

Referenced by certificate_known(), and find_cert_by_issuer_dn_and_serial_number().

find_all_certs()

std::vector< X509_Certificate > Botan::Certificate_Store_MacOS::find_all_certs ( const X509_DN & subject_dn, const std::vector< uint8_t > & key_id ) const

overridevirtual

Find all certificates with a given Subject DN. Subject DN and even the key identifier might not be unique.

Implements Botan::Certificate_Store.

Definition at line 366 of file certstor_macos.cpp.

                                                                                                              {
   Certificate_Store_MacOS_Impl::Query query;
   query.addParameter(kSecAttrSubject, normalizeAndSerialize(subject_dn));
 
   if(!key_id.empty()) {
      query.addParameter(kSecAttrSubjectKeyID, key_id);
   }
 
   return m_impl->findAll(std::move(query));
}

find_cert()

std::optional< X509_Certificate > Botan::Certificate_Store_MacOS::find_cert ( const X509_DN & subject_dn, const std::vector< uint8_t > & key_id ) const

overridevirtual

Find a certificate by Subject DN and (optionally) key identifier

Returns

the first certificate that matches

Reimplemented from Botan::Certificate_Store.

Definition at line 354 of file certstor_macos.cpp.

                                                                                                           {
   Certificate_Store_MacOS_Impl::Query query;
   query.addParameter(kSecAttrSubject, normalizeAndSerialize(subject_dn));
 
   if(!key_id.empty()) {
      query.addParameter(kSecAttrSubjectKeyID, key_id);
   }
 
   return m_impl->findOne(std::move(query));
}

find_cert_by_issuer_dn_and_serial_number()

std::optional< X509_Certificate > Botan::Certificate_Store_MacOS::find_cert_by_issuer_dn_and_serial_number ( const X509_DN & issuer_dn, std::span< const uint8_t > serial_number ) const

overridevirtual

Find a certificate by searching for one with a matching issuer DN and serial number. Used for CMS or PKCS#7.

Parameters

issuer_dn	the distinguished name of the issuer
serial_number	the certificate's serial number

Returns

a matching certificate or nullopt otherwise

Implements Botan::Certificate_Store.

Definition at line 396 of file certstor_macos.cpp.

                                                                         {
   Certificate_Store_MacOS_Impl::Query query;
   /*
   Directly using kSecAttrSerialNumber can't find the certificate
   Maybe macOS has a special encoding for the serial number
 
   query.addParameter(kSecAttrSerialNumber, serial_number);
   */
   query.addParameter(kSecAttrIssuer, normalizeAndSerialize(issuer_dn));
 
   /*
   This is a temporary solution
   Use only the issuer DN to find all certificates and filters the serial number, but may affect performance
   */
   for(const auto& cert : m_impl->findAll(std::move(query))) {
      if(std::ranges::equal(cert.serial_number(), serial_number)) {
         return cert;
      }
   }
 
   return std::nullopt;
}

find_cert_by_pubkey_sha1()

std::optional< X509_Certificate > Botan::Certificate_Store_MacOS::find_cert_by_pubkey_sha1 ( const std::vector< uint8_t > & key_hash ) const

overridevirtual

Find a certificate by searching for one with a matching SHA-1 hash of public key.

Returns

a matching certificate or nullptr otherwise

Implements Botan::Certificate_Store.

Definition at line 378 of file certstor_macos.cpp.

                                             {
   if(key_hash.size() != 20) {
      throw Invalid_Argument("Certificate_Store_MacOS::find_cert_by_pubkey_sha1 invalid hash");
   }
 
   Certificate_Store_MacOS_Impl::Query query;
   query.addParameter(kSecAttrPublicKeyHash, key_hash);
 
   return m_impl->findOne(std::move(query));
}

find_cert_by_raw_subject_dn_sha256()

std::optional< X509_Certificate > Botan::Certificate_Store_MacOS::find_cert_by_raw_subject_dn_sha256 ( const std::vector< uint8_t > & subject_hash ) const

overridevirtual

Exceptions

Not_Implemented

as this functionality is not available in the macOS certificate interface

Implements Botan::Certificate_Store.

Definition at line 390 of file certstor_macos.cpp.

                                                 {
   BOTAN_UNUSED(subject_hash);
   throw Not_Implemented("Certificate_Store_MacOS::find_cert_by_raw_subject_dn_sha256");
}

References BOTAN_UNUSED.

find_crl_for()

std::optional< X509_CRL > Botan::Certificate_Store_MacOS::find_crl_for ( const X509_Certificate & subject ) const

overridevirtual

Fetching CRLs is not supported by the keychain on macOS. This will always return an empty list.

Reimplemented from Botan::Certificate_Store.

Definition at line 420 of file certstor_macos.cpp.

                                                                                                 {
   BOTAN_UNUSED(subject);
   return {};
}

References BOTAN_UNUSED.

operator=() [1/2]

Certificate_Store_MacOS & Botan::Certificate_Store_MacOS::operator= ( Certificate_Store_MacOS && )

default

References Certificate_Store_MacOS().

operator=() [2/2]

Certificate_Store_MacOS & Botan::Certificate_Store_MacOS::operator= ( const Certificate_Store_MacOS & )

default

References Certificate_Store_MacOS().

---

The documentation for this class was generated from the following files:

• src/lib/x509/certstor_system_macos/certstor_macos.h
• src/lib/x509/certstor_system_macos/certstor_macos.cpp