#include <certstor_flatfile.h>
Inheritance diagram for Botan::Flatfile_Certificate_Store:
Public Member Functions | |
| std::vector< X509_DN > | all_subjects () const override |
| bool | certificate_known (const X509_Certificate &cert) const |
| std::vector< std::shared_ptr< const X509_Certificate > > | find_all_certs (const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override |
| virtual std::shared_ptr< const X509_Certificate > | find_cert (const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const |
| std::shared_ptr< const X509_Certificate > | find_cert_by_pubkey_sha1 (const std::vector< uint8_t > &key_hash) const override |
| std::shared_ptr< const X509_Certificate > | find_cert_by_raw_subject_dn_sha256 (const std::vector< uint8_t > &subject_hash) const override |
| std::shared_ptr< const X509_CRL > | find_crl_for (const X509_Certificate &subject) const override |
| Flatfile_Certificate_Store (const Flatfile_Certificate_Store &)=default | |
| Flatfile_Certificate_Store (const std::string &file, bool ignore_non_ca=false) | |
| Flatfile_Certificate_Store (Flatfile_Certificate_Store &&)=default | |
| Flatfile_Certificate_Store & | operator= (const Flatfile_Certificate_Store &)=default |
| Flatfile_Certificate_Store & | operator= (Flatfile_Certificate_Store &&)=default |
Detailed Description
Certificate Store that is backed by a file of PEMs of trusted CAs.
Definition at line 22 of file certstor_flatfile.h.
Constructor & Destructor Documentation
◆ Flatfile_Certificate_Store() [1/3]
| Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store | ( | const std::string & | file, |
| bool | ignore_non_ca = false |
||
| ) |
Construct a new Certificate_Store given a file path to a file including PEMs of trusted self-signed CAs.
- Parameters
-
file the name of the file to read certificates from ignore_non_ca if true, certs that are not self-signed CA certs will be ignored. Otherwise (if false), an exception will be thrown instead.
Definition at line 41 of file certstor_flatfile.cpp.
42 {
43 if(file.empty())
44 {
45 throw Invalid_Argument("Flatfile_Certificate_Store::Flatfile_Certificate_Store invalid file path");
46 }
47
48 DataSource_Stream file_stream(file);
49
50 for(const std::vector<uint8_t>& der : decode_all_certificates(file_stream))
51 {
52 std::shared_ptr<const X509_Certificate> cert = std::make_shared<const X509_Certificate>(der.data(), der.size());
53
54 /*
55 * Various weird or misconfigured system roots include intermediate certificates,
56 * or even stranger certificates which are not valid for cert issuance at all.
57 * Previously this code would error on such cases as an obvious misconfiguration,
58 * but we cannot fix the trust store. So instead just ignore any such certificate.
59 */
60 if(cert->is_self_signed() && cert->is_CA_cert())
61 {
62 m_all_subjects.push_back(cert->subject_dn());
63 m_dn_to_cert[cert->subject_dn()].push_back(cert);
64 m_pubkey_sha1_to_cert.emplace(cert->subject_public_key_bitstring_sha1(), cert);
65 m_subject_dn_sha256_to_cert.emplace(cert->raw_subject_dn_sha256(), cert);
66 }
67 else if(!ignore_non_ca)
68 {
69 throw Invalid_Argument("Flatfile_Certificate_Store received non CA cert " + cert->subject_dn().to_string());
70 }
71 }
72
73 if(m_all_subjects.empty())
74 {
75 throw Invalid_Argument("Flatfile_Certificate_Store::Flatfile_Certificate_Store cert file is empty");
76 }
77 }
◆ Flatfile_Certificate_Store() [2/3]
|
default |
◆ Flatfile_Certificate_Store() [3/3]
|
default |
Member Function Documentation
◆ all_subjects()
|
overridevirtual |
- Returns
- DNs for all certificates managed by the store
Implements Botan::Certificate_Store.
Definition at line 79 of file certstor_flatfile.cpp.
80 {
81 return m_all_subjects;
82 }
◆ certificate_known()
|
inlineinherited |
- Returns
- whether the certificate is known
- Parameters
-
cert certififcate to be searched
Definition at line 72 of file certstor.h.
73 {
75 }
virtual std::shared_ptr< const X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const
Definition: certstor.cpp:20
References Botan::X509_Certificate::subject_dn(), and Botan::X509_Certificate::subject_key_id().
◆ find_all_certs()
|
overridevirtual |
Find all certificates with a given Subject DN. Subject DN and even the key identifier might not be unique.
Implements Botan::Certificate_Store.
Definition at line 84 of file certstor_flatfile.cpp.
87 {
88 std::vector<std::shared_ptr<const X509_Certificate>> found_certs;
89 try
90 {
91 const auto certs = m_dn_to_cert.at(subject_dn);
92
93 for(auto cert : certs)
94 {
95 if(key_id.empty() || key_id == cert->subject_key_id())
96 {
97 found_certs.push_back(cert);
98 }
99 }
100 }
101 catch(const std::out_of_range&)
102 {
103 return {};
104 }
105
106 return found_certs;
107 }
◆ find_cert()
|
virtualinherited |
Find a certificate by Subject DN and (optionally) key identifier
- Parameters
-
subject_dn the subject's distinguished name key_id an optional key id
- Returns
- a matching certificate or nullptr otherwise If more than one certificate in the certificate store matches, then a single value is selected arbitrarily.
Reimplemented in Botan::Certificate_Store_In_Memory, Botan::Certificate_Store_In_SQL, Botan::System_Certificate_Store, Botan::Certificate_Store_MacOS, and Botan::Certificate_Store_Windows.
Definition at line 20 of file certstor.cpp.
21 {
23
24 if(certs.empty())
25 {
26 return nullptr; // certificate not found
27 }
28
29 // `count` might be greater than 1, but we'll just select the first match
30 return certs.front();
31 }
virtual std::vector< std::shared_ptr< const X509_Certificate > > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const =0
References Botan::Certificate_Store::find_all_certs().
◆ find_cert_by_pubkey_sha1()
|
overridevirtual |
Find a certificate by searching for one with a matching SHA-1 hash of public key.
- Returns
- a matching certificate or nullptr otherwise
Implements Botan::Certificate_Store.
Definition at line 110 of file certstor_flatfile.cpp.
111 {
112 if(key_hash.size() != 20)
113 {
114 throw Invalid_Argument("Flatfile_Certificate_Store::find_cert_by_pubkey_sha1 invalid hash");
115 }
116
117 auto found_cert = m_pubkey_sha1_to_cert.find(key_hash);
118
119 if(found_cert != m_pubkey_sha1_to_cert.end())
120 {
121 return found_cert->second;
122 }
123
124 return nullptr;
125 }
◆ find_cert_by_raw_subject_dn_sha256()
|
overridevirtual |
Find a certificate by searching for one with a matching SHA-256 hash of raw subject name. Used for OCSP.
- Parameters
-
subject_hash SHA-256 hash of the subject's raw name
- Returns
- a matching certificate or nullptr otherwise
Implements Botan::Certificate_Store.
Definition at line 128 of file certstor_flatfile.cpp.
129 {
130 if(subject_hash.size() != 32)
131 { throw Invalid_Argument("Flatfile_Certificate_Store::find_cert_by_raw_subject_dn_sha256 invalid hash"); }
132
133 auto found_cert = m_subject_dn_sha256_to_cert.find(subject_hash);
134
135 if(found_cert != m_subject_dn_sha256_to_cert.end())
136 {
137 return found_cert->second;
138 }
139
140 return nullptr;
141 }
◆ find_crl_for()
|
overridevirtual |
Fetching CRLs is not supported by this certificate store. This will always return an empty list.
Reimplemented from Botan::Certificate_Store.
Definition at line 143 of file certstor_flatfile.cpp.
References BOTAN_UNUSED.
◆ operator=() [1/2]
|
default |
◆ operator=() [2/2]
|
default |
The documentation for this class was generated from the following files:
- src/lib/x509/certstor_flatfile/certstor_flatfile.h
- src/lib/x509/certstor_flatfile/certstor_flatfile.cpp
