Botan  2.15.0
Crypto and TLS for C++11
Public Member Functions | List of all members
Botan::Flatfile_Certificate_Store Class Referencefinal

#include <certstor_flatfile.h>

Inheritance diagram for Botan::Flatfile_Certificate_Store:
Botan::Certificate_Store

Public Member Functions

std::vector< X509_DNall_subjects () const override
 
bool certificate_known (const X509_Certificate &cert) const
 
std::vector< std::shared_ptr< const X509_Certificate > > find_all_certs (const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
 
virtual std::shared_ptr< const X509_Certificatefind_cert (const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const
 
std::shared_ptr< const X509_Certificatefind_cert_by_pubkey_sha1 (const std::vector< uint8_t > &key_hash) const override
 
std::shared_ptr< const X509_Certificatefind_cert_by_raw_subject_dn_sha256 (const std::vector< uint8_t > &subject_hash) const override
 
std::shared_ptr< const X509_CRLfind_crl_for (const X509_Certificate &subject) const override
 
 Flatfile_Certificate_Store (const std::string &file, bool ignore_non_ca=false)
 
 Flatfile_Certificate_Store (const Flatfile_Certificate_Store &)=default
 
 Flatfile_Certificate_Store (Flatfile_Certificate_Store &&)=default
 
Flatfile_Certificate_Storeoperator= (const Flatfile_Certificate_Store &)=default
 
Flatfile_Certificate_Storeoperator= (Flatfile_Certificate_Store &&)=default
 

Detailed Description

Certificate Store that is backed by a file of PEMs of trusted CAs.

Definition at line 22 of file certstor_flatfile.h.

Constructor & Destructor Documentation

◆ Flatfile_Certificate_Store() [1/3]

Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store ( const std::string &  file,
bool  ignore_non_ca = false 
)

Construct a new Certificate_Store given a file path to a file including PEMs of trusted self-signed CAs.

Parameters
filethe name of the file to read certificates from
ignore_non_caif true, certs that are not self-signed CA certs will be ignored. Otherwise (if false), an exception will be thrown instead.

Definition at line 41 of file certstor_flatfile.cpp.

42  {
43  if(file.empty())
44  {
45  throw Invalid_Argument("Flatfile_Certificate_Store::Flatfile_Certificate_Store invalid file path");
46  }
47 
48  DataSource_Stream file_stream(file);
49 
50  for(const std::vector<uint8_t>& der : decode_all_certificates(file_stream))
51  {
52  std::shared_ptr<const X509_Certificate> cert = std::make_shared<const X509_Certificate>(der.data(), der.size());
53 
54  /*
55  * Various weird or misconfigured system roots include intermediate certificates,
56  * or even stranger certificates which are not valid for cert issuance at all.
57  * Previously this code would error on such cases as an obvious misconfiguration,
58  * but we cannot fix the trust store. So instead just ignore any such certificate.
59  */
60  if(cert->is_self_signed() && cert->is_CA_cert())
61  {
62  m_all_subjects.push_back(cert->subject_dn());
63  m_dn_to_cert[cert->subject_dn()].push_back(cert);
64  m_pubkey_sha1_to_cert.emplace(cert->subject_public_key_bitstring_sha1(), cert);
65  m_subject_dn_sha256_to_cert.emplace(cert->raw_subject_dn_sha256(), cert);
66  }
67  else if(!ignore_non_ca)
68  {
69  throw Invalid_Argument("Flatfile_Certificate_Store received non CA cert " + cert->subject_dn().to_string());
70  }
71  }
72 
73  if(m_all_subjects.empty())
74  {
75  throw Invalid_Argument("Flatfile_Certificate_Store::Flatfile_Certificate_Store cert file is empty");
76  }
77  }

◆ Flatfile_Certificate_Store() [2/3]

Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store ( const Flatfile_Certificate_Store )
default

◆ Flatfile_Certificate_Store() [3/3]

Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store ( Flatfile_Certificate_Store &&  )
default

Member Function Documentation

◆ all_subjects()

std::vector< X509_DN > Botan::Flatfile_Certificate_Store::all_subjects ( ) const
overridevirtual
Returns
DNs for all certificates managed by the store

Implements Botan::Certificate_Store.

Definition at line 79 of file certstor_flatfile.cpp.

80  {
81  return m_all_subjects;
82  }

◆ certificate_known()

bool Botan::Certificate_Store::certificate_known ( const X509_Certificate cert) const
inlineinherited
Returns
whether the certificate is known
Parameters
certcertififcate to be searched

Definition at line 72 of file certstor.h.

References Botan::X509_Certificate::subject_dn(), and Botan::X509_Certificate::subject_key_id().

73  {
74  return find_cert(cert.subject_dn(), cert.subject_key_id()) != nullptr;
75  }
virtual std::shared_ptr< const X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const
Definition: certstor.cpp:19

◆ find_all_certs()

std::vector< std::shared_ptr< const X509_Certificate > > Botan::Flatfile_Certificate_Store::find_all_certs ( const X509_DN subject_dn,
const std::vector< uint8_t > &  key_id 
) const
overridevirtual

Find all certificates with a given Subject DN. Subject DN and even the key identifier might not be unique.

Implements Botan::Certificate_Store.

Definition at line 84 of file certstor_flatfile.cpp.

87  {
88  std::vector<std::shared_ptr<const X509_Certificate>> found_certs;
89  try
90  {
91  const auto certs = m_dn_to_cert.at(subject_dn);
92 
93  for(auto cert : certs)
94  {
95  if(key_id.empty() || key_id == cert->subject_key_id())
96  {
97  found_certs.push_back(cert);
98  }
99  }
100  }
101  catch(const std::out_of_range&)
102  {
103  return {};
104  }
105 
106  return found_certs;
107  }

◆ find_cert()

std::shared_ptr< const X509_Certificate > Botan::Certificate_Store::find_cert ( const X509_DN subject_dn,
const std::vector< uint8_t > &  key_id 
) const
virtualinherited

Find a certificate by Subject DN and (optionally) key identifier

Parameters
subject_dnthe subject's distinguished name
key_idan optional key id
Returns
a matching certificate or nullptr otherwise If more than one certificate in the certificate store matches, then a single value is selected arbitrarily.

Reimplemented in Botan::Certificate_Store_In_Memory, Botan::Certificate_Store_In_SQL, Botan::Certificate_Store_MacOS, Botan::Certificate_Store_Windows, and Botan::System_Certificate_Store.

Definition at line 19 of file certstor.cpp.

References Botan::Certificate_Store::find_all_certs().

20  {
21  const auto certs = find_all_certs(subject_dn, key_id);
22 
23  if(certs.empty())
24  {
25  return nullptr; // certificate not found
26  }
27 
28  // `count` might be greater than 1, but we'll just select the first match
29  return certs.front();
30  }
virtual std::vector< std::shared_ptr< const X509_Certificate > > find_all_certs(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const =0

◆ find_cert_by_pubkey_sha1()

std::shared_ptr< const X509_Certificate > Botan::Flatfile_Certificate_Store::find_cert_by_pubkey_sha1 ( const std::vector< uint8_t > &  key_hash) const
overridevirtual

Find a certificate by searching for one with a matching SHA-1 hash of public key.

Returns
a matching certificate or nullptr otherwise

Implements Botan::Certificate_Store.

Definition at line 110 of file certstor_flatfile.cpp.

111  {
112  if(key_hash.size() != 20)
113  {
114  throw Invalid_Argument("Flatfile_Certificate_Store::find_cert_by_pubkey_sha1 invalid hash");
115  }
116 
117  auto found_cert = m_pubkey_sha1_to_cert.find(key_hash);
118 
119  if(found_cert != m_pubkey_sha1_to_cert.end())
120  {
121  return found_cert->second;
122  }
123 
124  return nullptr;
125  }

◆ find_cert_by_raw_subject_dn_sha256()

std::shared_ptr< const X509_Certificate > Botan::Flatfile_Certificate_Store::find_cert_by_raw_subject_dn_sha256 ( const std::vector< uint8_t > &  subject_hash) const
overridevirtual

Find a certificate by searching for one with a matching SHA-256 hash of raw subject name. Used for OCSP.

Parameters
subject_hashSHA-256 hash of the subject's raw name
Returns
a matching certificate or nullptr otherwise

Implements Botan::Certificate_Store.

Definition at line 128 of file certstor_flatfile.cpp.

129  {
130  if(subject_hash.size() != 32)
131  { throw Invalid_Argument("Flatfile_Certificate_Store::find_cert_by_raw_subject_dn_sha256 invalid hash"); }
132 
133  auto found_cert = m_subject_dn_sha256_to_cert.find(subject_hash);
134 
135  if(found_cert != m_subject_dn_sha256_to_cert.end())
136  {
137  return found_cert->second;
138  }
139 
140  return nullptr;
141  }

◆ find_crl_for()

std::shared_ptr< const X509_CRL > Botan::Flatfile_Certificate_Store::find_crl_for ( const X509_Certificate subject) const
overridevirtual

Fetching CRLs is not supported by this certificate store. This will always return an empty list.

Reimplemented from Botan::Certificate_Store.

Definition at line 143 of file certstor_flatfile.cpp.

References BOTAN_UNUSED.

144  {
145  BOTAN_UNUSED(subject);
146  return {};
147  }
#define BOTAN_UNUSED(...)
Definition: assert.h:142

◆ operator=() [1/2]

Flatfile_Certificate_Store& Botan::Flatfile_Certificate_Store::operator= ( const Flatfile_Certificate_Store )
default

◆ operator=() [2/2]

Flatfile_Certificate_Store& Botan::Flatfile_Certificate_Store::operator= ( Flatfile_Certificate_Store &&  )
default

The documentation for this class was generated from the following files: