Botan 3.12.0
Crypto and TLS for C&
Public Member Functions | List of all members
Botan::Flatfile_Certificate_Store Class Referencefinal

#include <certstor_flatfile.h>

Inheritance diagram for Botan::Flatfile_Certificate_Store:
Botan::Certificate_Store

Public Member Functions

std::vector< X509_DNall_subjects () const override
bool certificate_known (const X509_Certificate &cert) const
bool contains (const X509_Certificate &cert) const override
std::vector< X509_Certificatefind_all_certs (const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
virtual std::optional< X509_Certificatefind_cert (const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const
std::optional< X509_Certificatefind_cert_by_issuer_dn_and_serial_number (const X509_DN &issuer_dn, std::span< const uint8_t > serial_number) const override
std::optional< X509_Certificatefind_cert_by_pubkey_sha1 (const std::vector< uint8_t > &key_hash) const override
std::optional< X509_Certificatefind_cert_by_raw_subject_dn_sha256 (const std::vector< uint8_t > &subject_hash) const override
std::optional< X509_CRLfind_crl_for (const X509_Certificate &subject) const override
 Flatfile_Certificate_Store (const Flatfile_Certificate_Store &)=default
 Flatfile_Certificate_Store (Flatfile_Certificate_Store &&)=default
BOTAN_FUTURE_EXPLICIT Flatfile_Certificate_Store (std::string_view file, bool ignore_non_ca=false)
Flatfile_Certificate_Storeoperator= (const Flatfile_Certificate_Store &)=default
Flatfile_Certificate_Storeoperator= (Flatfile_Certificate_Store &&)=default
 ~Flatfile_Certificate_Store () override=default

Detailed Description

Certificate Store that is backed by a file of PEMs of trusted CAs.

Definition at line 23 of file certstor_flatfile.h.

Constructor & Destructor Documentation

◆ Flatfile_Certificate_Store() [1/3]

Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store ( std::string_view file,
bool ignore_non_ca = false )

Construct a new Certificate_Store given a file path to a file including PEMs of trusted self-signed CAs.

Parameters
filethe name of the file to read certificates from
ignore_non_caif true, certs that are not self-signed CA certs will be ignored. Otherwise (if false), an exception will be thrown instead.

Definition at line 41 of file certstor_flatfile.cpp.

41 {
42 if(file.empty()) {
43 throw Invalid_Argument("Flatfile_Certificate_Store::Flatfile_Certificate_Store invalid file path");
44 }
45
46 DataSource_Stream file_stream(file);
47
48 for(const std::vector<uint8_t>& der : decode_all_certificates(file_stream)) {
49 X509_Certificate cert(der);
50
51 /*
52 * Various weird or misconfigured system roots include intermediate certificates,
53 * or even stranger certificates which are not valid for cert issuance at all.
54 * Previously this code would error on such cases as an obvious misconfiguration,
55 * but we cannot fix the trust store. So instead just ignore any such certificate.
56 */
57 if(cert.is_self_signed() && cert.is_CA_cert()) {
58 const auto tag = cert.tag();
59
60 // dedup
61 if(!m_cert_tags.contains(tag)) {
62 m_cert_tags.insert(tag);
63 m_all_subjects.push_back(cert.subject_dn());
64 m_dn_to_cert[cert.subject_dn()].push_back(cert);
65 m_pubkey_sha1_to_cert.emplace(cert.subject_public_key_bitstring_sha1(), cert);
66 m_subject_dn_sha256_to_cert.emplace(cert.raw_subject_dn_sha256(), cert);
67 m_issuer_dn_to_cert[cert.issuer_dn()].push_back(cert);
68 }
69 } else if(!ignore_non_ca) {
70 throw Invalid_Argument("Flatfile_Certificate_Store received non CA cert " + cert.subject_dn().to_string());
71 }
72 }
73
74 if(m_all_subjects.empty()) {
75 throw Invalid_Argument("Flatfile_Certificate_Store::Flatfile_Certificate_Store cert file is empty");
76 }
77}

References Botan::X509_Certificate::is_CA_cert(), Botan::X509_Certificate::is_self_signed(), Botan::X509_Certificate::issuer_dn(), Botan::X509_Certificate::raw_subject_dn_sha256(), Botan::X509_Certificate::subject_dn(), Botan::X509_Certificate::subject_public_key_bitstring_sha1(), Botan::X509_Certificate::tag(), and Botan::X509_DN::to_string().

Referenced by Flatfile_Certificate_Store(), Flatfile_Certificate_Store(), operator=(), and operator=().

◆ Flatfile_Certificate_Store() [2/3]

Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store ( const Flatfile_Certificate_Store & )
default

References Flatfile_Certificate_Store().

◆ Flatfile_Certificate_Store() [3/3]

Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store ( Flatfile_Certificate_Store && )
default

References Flatfile_Certificate_Store().

◆ ~Flatfile_Certificate_Store()

Botan::Flatfile_Certificate_Store::~Flatfile_Certificate_Store ( )
overridedefault

References all_subjects(), contains(), find_all_certs(), find_cert_by_issuer_dn_and_serial_number(), find_cert_by_pubkey_sha1(), find_cert_by_raw_subject_dn_sha256(), and find_crl_for().

Member Function Documentation

◆ all_subjects()

std::vector< X509_DN > Botan::Flatfile_Certificate_Store::all_subjects ( ) const
overridevirtual
Returns
DNs for all certificates managed by the store

Implements Botan::Certificate_Store.

Definition at line 79 of file certstor_flatfile.cpp.

79 {
80 return m_all_subjects;
81}

Referenced by ~Flatfile_Certificate_Store().

◆ certificate_known()

bool Botan::Certificate_Store::certificate_known ( const X509_Certificate & cert) const
inherited

Old version of contains

Definition at line 24 of file certstor.cpp.

24 {
25 return contains(cert);
26}
Botan::Certificate_Store::contains
virtual bool contains(const X509_Certificate &cert) const
Definition certstor.cpp:28

References contains().

Referenced by find_cert_by_issuer_dn_and_serial_number().

◆ contains()

bool Botan::Flatfile_Certificate_Store::contains ( const X509_Certificate & cert) const
overridevirtual
Returns
whether this certificate is contained within the store
Parameters
certcertificate to be searched

Default implementation uses find_all_certs

Reimplemented from Botan::Certificate_Store.

Definition at line 83 of file certstor_flatfile.cpp.

83 {
84 return m_cert_tags.contains(cert.tag());
85}

References Botan::X509_Certificate::tag().

Referenced by ~Flatfile_Certificate_Store().

◆ find_all_certs()

std::vector< X509_Certificate > Botan::Flatfile_Certificate_Store::find_all_certs ( const X509_DN & subject_dn,
const std::vector< uint8_t > & key_id ) const
overridevirtual

Find all certificates with a given Subject DN. Subject DN and even the key identifier might not be unique.

Implements Botan::Certificate_Store.

Definition at line 87 of file certstor_flatfile.cpp.

88 {
89 if(!m_dn_to_cert.contains(subject_dn)) {
90 return {};
91 }
92
93 const auto& certs = m_dn_to_cert.at(subject_dn);
94
95 std::vector<X509_Certificate> found_certs;
96 for(const auto& cert : certs) {
97 if(!key_id.empty()) {
98 const std::vector<uint8_t>& skid = cert.subject_key_id();
99 if(!skid.empty() && skid != key_id) {
100 continue;
101 }
102 }
103 found_certs.push_back(cert);
104 }
105
106 return found_certs;
107}

Referenced by ~Flatfile_Certificate_Store().

◆ find_cert()

std::optional< X509_Certificate > Botan::Certificate_Store::find_cert ( const X509_DN & subject_dn,
const std::vector< uint8_t > & key_id ) const
virtualinherited

Find a certificate by Subject DN and (optionally) key identifier

Parameters
subject_dnthe subject's distinguished name
key_idan optional key id
Returns
a matching certificate or nullopt otherwise If more than one certificate in the certificate store matches, then a single value is selected arbitrarily.

Reimplemented in Botan::Certificate_Store_In_Memory, Botan::Certificate_Store_In_SQL, Botan::Certificate_Store_MacOS, Botan::Certificate_Store_Windows, and Botan::System_Certificate_Store.

Definition at line 38 of file certstor.cpp.

39 {
40 const auto certs = find_all_certs(subject_dn, key_id);
41
42 if(certs.empty()) {
43 return std::nullopt;
44 }
45
46 // `count` might be greater than 1, but we'll just select the first match
47 return certs.front();
48}
Botan::Certificate_Store::find_all_certs
virtual std::vector< X509_Certificate > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const =0

References find_all_certs().

Referenced by Botan::OCSP::Response::find_signing_certificate(), and ~Certificate_Store().

◆ find_cert_by_issuer_dn_and_serial_number()

std::optional< X509_Certificate > Botan::Flatfile_Certificate_Store::find_cert_by_issuer_dn_and_serial_number ( const X509_DN & issuer_dn,
std::span< const uint8_t > serial_number ) const
overridevirtual

Find a certificate by searching for one with a matching issuer DN and serial number. Used for CMS or PKCS#7.

Parameters
issuer_dnthe distinguished name of the issuer
serial_numberthe certificate's serial number
Returns
a matching certificate or nullopt otherwise

Implements Botan::Certificate_Store.

Definition at line 139 of file certstor_flatfile.cpp.

140 {
141 if(!m_issuer_dn_to_cert.contains(issuer_dn)) {
142 return std::nullopt;
143 }
144
145 const auto& certs = m_issuer_dn_to_cert.at(issuer_dn);
146
147 for(const auto& cert : certs) {
148 if(std::ranges::equal(cert.serial_number(), serial_number)) {
149 return cert;
150 }
151 }
152
153 return std::nullopt;
154}

Referenced by ~Flatfile_Certificate_Store().

◆ find_cert_by_pubkey_sha1()

std::optional< X509_Certificate > Botan::Flatfile_Certificate_Store::find_cert_by_pubkey_sha1 ( const std::vector< uint8_t > & key_hash) const
overridevirtual

Find a certificate by searching for one with a matching SHA-1 hash of public key.

Returns
a matching certificate or nullptr otherwise

Implements Botan::Certificate_Store.

Definition at line 109 of file certstor_flatfile.cpp.

110 {
111 if(key_hash.size() != 20) {
112 throw Invalid_Argument("Flatfile_Certificate_Store::find_cert_by_pubkey_sha1 invalid hash");
113 }
114
115 auto found_cert = m_pubkey_sha1_to_cert.find(key_hash);
116
117 if(found_cert != m_pubkey_sha1_to_cert.end()) {
118 return found_cert->second;
119 }
120
121 return std::nullopt;
122}

Referenced by ~Flatfile_Certificate_Store().

◆ find_cert_by_raw_subject_dn_sha256()

std::optional< X509_Certificate > Botan::Flatfile_Certificate_Store::find_cert_by_raw_subject_dn_sha256 ( const std::vector< uint8_t > & subject_hash) const
overridevirtual

Find a certificate by searching for one with a matching SHA-256 hash of raw subject name. Used for OCSP.

Parameters
subject_hashSHA-256 hash of the subject's raw name
Returns
a matching certificate or nullopt otherwise

Implements Botan::Certificate_Store.

Definition at line 124 of file certstor_flatfile.cpp.

125 {
126 if(subject_hash.size() != 32) {
127 throw Invalid_Argument("Flatfile_Certificate_Store::find_cert_by_raw_subject_dn_sha256 invalid hash");
128 }
129
130 auto found_cert = m_subject_dn_sha256_to_cert.find(subject_hash);
131
132 if(found_cert != m_subject_dn_sha256_to_cert.end()) {
133 return found_cert->second;
134 }
135
136 return std::nullopt;
137}

Referenced by ~Flatfile_Certificate_Store().

◆ find_crl_for()

std::optional< X509_CRL > Botan::Flatfile_Certificate_Store::find_crl_for ( const X509_Certificate & subject) const
overridevirtual

Fetching CRLs is not supported by this certificate store. This will always return an empty list.

Reimplemented from Botan::Certificate_Store.

Definition at line 156 of file certstor_flatfile.cpp.

156 {
157 BOTAN_UNUSED(subject);
158 return {};
159}
BOTAN_UNUSED
#define BOTAN_UNUSED
Definition assert.h:144

References BOTAN_UNUSED.

Referenced by ~Flatfile_Certificate_Store().

◆ operator=() [1/2]

Flatfile_Certificate_Store & Botan::Flatfile_Certificate_Store::operator= ( const Flatfile_Certificate_Store & )
default

References Flatfile_Certificate_Store().

◆ operator=() [2/2]

Flatfile_Certificate_Store & Botan::Flatfile_Certificate_Store::operator= ( Flatfile_Certificate_Store && )
default

References Flatfile_Certificate_Store().

The documentation for this class was generated from the following files:
Generated by doxygen 1.16.1