Botan 3.12.0
Crypto and TLS for C&
Classes | Public Member Functions | Static Public Member Functions | Protected Member Functions | List of all members
Botan::X509_Certificate Class Reference

#include <x509cert.h>

Inheritance diagram for Botan::X509_Certificate:
Botan::X509_Object Botan::ASN1_Object

Classes

class  Tag
class  TagHash

Public Member Functions

bool allowed_extended_usage (const OID &usage) const
bool allowed_extended_usage (std::string_view usage) const
bool allowed_usage (Key_Constraints usage) const
bool allowed_usage (Usage_Type usage) const
const std::vector< uint8_t > & authority_key_id () const
std::vector< uint8_t > BER_encode () const
std::vector< std::string > ca_issuers () const
std::span< const uint8_t, 20 > certificate_data_sha1 () const
std::span< const uint8_t, 32 > certificate_data_sha256 () const
const std::vector< OID > & certificate_policy_oids () const
bool check_signature (const Public_Key &key) const
Key_Constraints constraints () const
std::string crl_distribution_point () const
std::vector< std::string > crl_distribution_points () const
void decode_from (BER_Decoder &from) override
void encode_into (DER_Encoder &to) const override
const std::vector< OID > & extended_key_usage () const
std::string fingerprint (std::string_view hash_name="SHA-1") const
bool has_constraints (Key_Constraints constraints) const
bool has_ex_constraint (const OID &ex_constraint) const
bool has_ex_constraint (std::string_view ex_constraint) const
bool is_CA_cert () const
bool is_critical (std::string_view ex_name) const
bool is_self_signed () const
bool is_serial_negative () const
const AlternativeNameissuer_alt_name () const
const X509_DNissuer_dn () const
std::vector< std::string > issuer_info (std::string_view name) const
std::unique_ptr< Public_Keyload_subject_public_key () const
bool matches_dns_name (std::string_view name) const
const NameConstraintsname_constraints () const
const X509_Timenot_after () const
const X509_Timenot_before () const
std::string ocsp_responder () const
const std::vector< std::string > & ocsp_responders () const
bool operator< (const X509_Certificate &other) const
X509_Certificateoperator= (const X509_Certificate &other)=default
X509_Certificateoperator= (X509_Certificate &&other)=default
bool operator== (const X509_Certificate &other) const
std::optional< size_t > path_length_constraint () const
uint32_t path_limit () const
std::string PEM_encode () const
const std::vector< uint8_t > & raw_issuer_dn () const
const std::vector< uint8_t > & raw_issuer_dn_sha256 () const
const std::vector< uint8_t > & raw_subject_dn () const
const std::vector< uint8_t > & raw_subject_dn_sha256 () const
const std::vector< uint8_t > & serial_number () const
const std::vector< uint8_t > & signature () const
const AlgorithmIdentifiersignature_algorithm () const
const std::vector< uint8_t > & signed_body () const
const AlternativeNamesubject_alt_name () const
const X509_DNsubject_dn () const
std::vector< std::string > subject_info (std::string_view name) const
const std::vector< uint8_t > & subject_key_id () const
std::unique_ptr< Public_Keysubject_public_key () const
const AlgorithmIdentifiersubject_public_key_algo () const
const std::vector< uint8_t > & subject_public_key_bits () const
const std::vector< uint8_t > & subject_public_key_bitstring () const
const std::vector< uint8_t > & subject_public_key_bitstring_sha1 () const
const std::vector< uint8_t > & subject_public_key_info () const
Tag tag () const
std::vector< uint8_t > tbs_data () const
std::string to_string () const
const std::vector< uint8_t > & v2_issuer_key_id () const
const std::vector< uint8_t > & v2_subject_key_id () const
const Extensionsv3_extensions () const
std::pair< Certificate_Status_Code, std::string > verify_signature (const Public_Key &key) const
 X509_Certificate ()=default
 X509_Certificate (const uint8_t data[], size_t length)
 X509_Certificate (const X509_Certificate &other)=default
 X509_Certificate (DataSource &source)
 X509_Certificate (std::span< const uint8_t > in)
 X509_Certificate (X509_Certificate &&other)=default
uint32_t x509_version () const
 ~X509_Certificate () override

Static Public Member Functions

static std::unique_ptr< PK_Signerchoose_sig_format (const Private_Key &key, RandomNumberGenerator &rng, std::string_view hash_fn, std::string_view padding_algo)
static std::vector< uint8_t > make_signed (PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, std::span< const uint8_t > tbs)

Protected Member Functions

void load_data (DataSource &src)

Detailed Description

This class represents an X.509 Certificate

TODO(Botan4) mark this final once PKCS11_X509_Certificate is fixed

Definition at line 32 of file x509cert.h.

Constructor & Destructor Documentation

◆ X509_Certificate() [1/6]

Botan::X509_Certificate::X509_Certificate ( DataSource & source)
explicit

Create a certificate from a data source providing the DER or PEM encoded certificate.

Parameters
sourcethe data source

Definition at line 86 of file x509cert.cpp.

86 {
87 load_data(src);
88}
Botan::X509_Object::load_data
void load_data(DataSource &src)
Definition x509_obj.cpp:24

References Botan::X509_Object::load_data().

Referenced by operator<(), operator=(), operator=(), operator==(), X509_Certificate(), X509_Certificate(), and X509_Certificate().

◆ X509_Certificate() [2/6]

Botan::X509_Certificate::X509_Certificate ( std::span< const uint8_t > in)
explicit

Create a certificate from a buffer

Parameters
inthe buffer containing the DER-encoded certificate

Definition at line 90 of file x509cert.cpp.

90 {
91 DataSource_Memory src(in);
92 load_data(src);
93}

References Botan::X509_Object::load_data().

◆ X509_Certificate() [3/6]

Botan::X509_Certificate::X509_Certificate ( const uint8_t data[],
size_t length )
inline

Create a certificate from a buffer

Parameters
datathe buffer containing the DER-encoded certificate
lengthlength of data in bytes

Definition at line 469 of file x509cert.h.

469: X509_Certificate(std::span{data, length}) {}
Botan::X509_Certificate::X509_Certificate
X509_Certificate()=default

References X509_Certificate().

◆ X509_Certificate() [4/6]

Botan::X509_Certificate::X509_Certificate ( )
default

Create an uninitialized certificate object. Any attempts to access this object will throw an exception.

◆ X509_Certificate() [5/6]

Botan::X509_Certificate::X509_Certificate ( const X509_Certificate & other)
default

References X509_Certificate().

◆ X509_Certificate() [6/6]

Botan::X509_Certificate::X509_Certificate ( X509_Certificate && other)
default

References X509_Certificate().

◆ ~X509_Certificate()

Botan::X509_Certificate::~X509_Certificate ( )
overridedefault

Member Function Documentation

◆ allowed_extended_usage() [1/2]

bool Botan::X509_Certificate::allowed_extended_usage ( const OID & usage) const

Returns true if the specified usage is set in the extended key usage extension, or if no extended key usage constraints are set at all. To check if a certain extended key constraint is set in the certificate use

See also
X509_Certificate::has_ex_constraint.

Definition at line 497 of file x509cert.cpp.

497 {
498 const std::vector<OID>& ex = extended_key_usage();
499 if(ex.empty()) {
500 return true;
501 }
502
503 if(has_ex_constraint(usage)) {
504 return true;
505 }
506
507 return false;
508}
Botan::X509_Certificate::extended_key_usage
const std::vector< OID > & extended_key_usage() const
Definition x509cert.cpp:465
Botan::X509_Certificate::has_ex_constraint
bool has_ex_constraint(std::string_view ex_constraint) const
Definition x509cert.cpp:540

References extended_key_usage(), and has_ex_constraint().

◆ allowed_extended_usage() [2/2]

bool Botan::X509_Certificate::allowed_extended_usage ( std::string_view usage) const

Returns true if the specified

Parameters
usageis set in the extended key usage extension or if no extended key usage constraints are set at all. To check if a certain extended key constraint is set in the certificate use
See also
X509_Certificate::has_ex_constraint.

Definition at line 493 of file x509cert.cpp.

493 {
494 return allowed_extended_usage(OID::from_string(usage));
495}
Botan::OID::from_string
static OID from_string(std::string_view str)
Definition asn1_oid.cpp:86
Botan::X509_Certificate::allowed_extended_usage
bool allowed_extended_usage(std::string_view usage) const
Definition x509cert.cpp:493

References allowed_extended_usage(), and Botan::OID::from_string().

Referenced by allowed_extended_usage(), and allowed_usage().

◆ allowed_usage() [1/2]

bool Botan::X509_Certificate::allowed_usage ( Key_Constraints usage) const

Returns true if the specified

Parameters
usageis set in the key usage extension or if no key usage constraints are set at all. To check if a certain key constraint is set in the certificate use
See also
X509_Certificate::has_constraints.

Definition at line 486 of file x509cert.cpp.

486 {
487 if(constraints().empty()) {
488 return true;
489 }
490 return constraints().includes(usage);
491}
Botan::Key_Constraints::includes
bool includes(Key_Constraints::Bits other) const
Definition pkix_enums.h:177
Botan::X509_Certificate::constraints
Key_Constraints constraints() const
Definition x509cert.cpp:461

References constraints(), and Botan::Key_Constraints::includes().

Referenced by allowed_usage(), and Botan::PKIX::check_crl().

◆ allowed_usage() [2/2]

bool Botan::X509_Certificate::allowed_usage ( Usage_Type usage) const

Returns true if the required key and extended key constraints are set in the certificate for the specified

Parameters
usageor if no key constraints are set in both the key usage and extended key usage extension.

Definition at line 510 of file x509cert.cpp.

510 {
511 // These follow suggestions in RFC 5280 4.2.1.12
512
513 switch(usage) {
514 case Usage_Type::UNSPECIFIED:
515 return true;
516
517 case Usage_Type::TLS_SERVER_AUTH:
518 return (allowed_usage(Key_Constraints::KeyAgreement) || allowed_usage(Key_Constraints::KeyEncipherment) ||
519 allowed_usage(Key_Constraints::DigitalSignature)) &&
520 allowed_extended_usage("PKIX.ServerAuth");
521
522 case Usage_Type::TLS_CLIENT_AUTH:
523 return (allowed_usage(Key_Constraints::DigitalSignature) || allowed_usage(Key_Constraints::KeyAgreement)) &&
524 allowed_extended_usage("PKIX.ClientAuth");
525
526 case Usage_Type::OCSP_RESPONDER:
527 return (allowed_usage(Key_Constraints::DigitalSignature) || allowed_usage(Key_Constraints::NonRepudiation)) &&
528 has_ex_constraint("PKIX.OCSPSigning");
529
530 case Usage_Type::CERTIFICATE_AUTHORITY:
531 return is_CA_cert();
532
533 case Usage_Type::ENCRYPTION:
534 return (allowed_usage(Key_Constraints::KeyEncipherment) || allowed_usage(Key_Constraints::DataEncipherment));
535 }
536
537 return false;
538}
Botan::Key_Constraints::DigitalSignature
@ DigitalSignature
Definition pkix_enums.h:122
Botan::Key_Constraints::NonRepudiation
@ NonRepudiation
Definition pkix_enums.h:123
Botan::Key_Constraints::DataEncipherment
@ DataEncipherment
Definition pkix_enums.h:125
Botan::Key_Constraints::KeyEncipherment
@ KeyEncipherment
Definition pkix_enums.h:124
Botan::Key_Constraints::KeyAgreement
@ KeyAgreement
Definition pkix_enums.h:126
Botan::X509_Certificate::is_CA_cert
bool is_CA_cert() const
Definition x509cert.cpp:441
Botan::X509_Certificate::allowed_usage
bool allowed_usage(Key_Constraints usage) const
Definition x509cert.cpp:486

References allowed_extended_usage(), allowed_usage(), Botan::CERTIFICATE_AUTHORITY, Botan::Key_Constraints::DataEncipherment, Botan::Key_Constraints::DigitalSignature, Botan::ENCRYPTION, has_ex_constraint(), is_CA_cert(), Botan::Key_Constraints::KeyAgreement, Botan::Key_Constraints::KeyEncipherment, Botan::Key_Constraints::NonRepudiation, Botan::OCSP_RESPONDER, Botan::TLS_CLIENT_AUTH, Botan::TLS_SERVER_AUTH, and Botan::UNSPECIFIED.

◆ authority_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::authority_key_id ( ) const

Get the DER encoded AuthorityKeyIdentifier of this certificate.

Returns
DER encoded AuthorityKeyIdentifier

Definition at line 398 of file x509cert.cpp.

398 {
399 return data().m_authority_key_id;
400}

Referenced by botan_x509_cert_view_binary_values(), Botan::Certificate_Store_In_Memory::find_crl_for(), Botan::X509_CRL::is_revoked(), and to_string().

◆ BER_encode()

std::vector< uint8_t > Botan::ASN1_Object::BER_encode ( ) const
inherited

Return the encoding of this object. This is a convenience method when just one object needs to be serialized. Use DER_Encoder for complicated encodings.

Definition at line 20 of file asn1_obj.cpp.

20 {
21 std::vector<uint8_t> output;
22 DER_Encoder der(output);
23 this->encode_into(der);
24 return output;
25}
Botan::ASN1_Object::encode_into
virtual void encode_into(DER_Encoder &to) const =0

References encode_into().

Referenced by decode_from(), Botan::Certificate_Store_In_SQL::find_all_certs(), Botan::Certificate_Store_In_SQL::find_cert(), Botan::X509_Certificate::fingerprint(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::X509_Object::PEM_encode(), Botan::PSS_Params::PSS_Params(), and Botan::Certificate_Store_In_SQL::revoke_cert().

◆ ca_issuers()

std::vector< std::string > Botan::X509_Certificate::ca_issuers ( ) const

Return the listed addresses of ca issuers, or empty if not set

Definition at line 586 of file x509cert.cpp.

586 {
587 return data().m_ca_issuers;
588}

Referenced by to_string().

◆ certificate_data_sha1()

std::span< const uint8_t, 20 > Botan::X509_Certificate::certificate_data_sha1 ( ) const

SHA-1 of the entire certificate DER encoding

Definition at line 430 of file x509cert.cpp.

430 {
431 if(data().m_fingerprint_sha1.empty()) {
432 throw Not_Implemented("SHA-1 not available");
433 }
434 return data().m_cert_data_sha1;
435}

◆ certificate_data_sha256()

std::span< const uint8_t, 32 > Botan::X509_Certificate::certificate_data_sha256 ( ) const

SHA-256 of the entire certificate DER encoding

Definition at line 437 of file x509cert.cpp.

437 {
438 return data().m_cert_data_sha256;
439}

◆ certificate_policy_oids()

const std::vector< OID > & Botan::X509_Certificate::certificate_policy_oids ( ) const

Get the policies as defined in the CertificatePolicies extension of this certificate.

Returns
certificate policies

Definition at line 469 of file x509cert.cpp.

469 {
470 return data().m_cert_policies;
471}

Referenced by to_string().

◆ check_signature()

bool Botan::X509_Object::check_signature ( const Public_Key & key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data
Returns
true if the signature is valid, otherwise false

Definition at line 125 of file x509_obj.cpp.

125 {
126 const auto result = this->verify_signature(pub_key);
127 return (result.first == Certificate_Status_Code::VERIFIED);
128}
Botan::X509_Object::verify_signature
std::pair< Certificate_Status_Code, std::string > verify_signature(const Public_Key &key) const
Definition x509_obj.cpp:130

References Botan::VERIFIED, and verify_signature().

◆ choose_sig_format()

std::unique_ptr< PK_Signer > Botan::X509_Object::choose_sig_format ( const Private_Key & key,
RandomNumberGenerator & rng,
std::string_view hash_fn,
std::string_view padding_algo )
staticinherited

Choose and return a signature scheme appropriate for X.509 signing using the provided parameters.

Parameters
keywill be the key to choose a padding scheme for
Random Number Generatorsthe random generator to use
hash_fnis the desired hash function
padding_algospecifies the padding method
Returns
a PK_Signer object for generating signatures

Definition at line 237 of file x509_obj.cpp.

240 {
241 const Signature_Format format = key._default_x509_signature_format();
242
243 if(!user_specified_padding.empty()) {
244 try {
245 auto pk_signer = std::make_unique<PK_Signer>(key, rng, user_specified_padding, format);
246 if(!hash_fn.empty() && pk_signer->hash_function() != hash_fn) {
247 throw Invalid_Argument(format_padding_error_message(
248 key.algo_name(), pk_signer->hash_function(), hash_fn, "", user_specified_padding));
249 }
250 return pk_signer;
251 } catch(Lookup_Error&) {}
252 }
253
254 const std::string padding = x509_signature_padding_for(key.algo_name(), hash_fn, user_specified_padding);
255
256 try {
257 auto pk_signer = std::make_unique<PK_Signer>(key, rng, padding, format);
258 if(!hash_fn.empty() && pk_signer->hash_function() != hash_fn) {
259 throw Invalid_Argument(format_padding_error_message(
260 key.algo_name(), pk_signer->hash_function(), hash_fn, padding, user_specified_padding));
261 }
262 return pk_signer;
263 } catch(Not_Implemented&) {
264 throw Invalid_Argument("Signatures using " + key.algo_name() + "/" + padding + " are not supported");
265 }
266}
Botan::Signature_Format
Signature_Format
Definition pk_keys.h:32

References Botan::Asymmetric_Key::_default_x509_signature_format(), and Botan::Asymmetric_Key::algo_name().

Referenced by Botan::PKCS10_Request::create(), Botan::X509::create_self_signed_cert(), and Botan::X509_CA::X509_CA().

◆ constraints()

Key_Constraints Botan::X509_Certificate::constraints ( ) const

Get the key constraints as defined in the KeyUsage extension of this certificate.

Returns
key constraints

Definition at line 461 of file x509cert.cpp.

461 {
462 return data().m_key_constraints;
463}

Referenced by allowed_usage(), has_constraints(), and to_string().

◆ crl_distribution_point()

std::string Botan::X509_Certificate::crl_distribution_point ( ) const

Return the CRL distribution point, or empty if not set

Definition at line 594 of file x509cert.cpp.

594 {
595 // just returns the first (arbitrarily)
596 if(!data().m_crl_distribution_points.empty()) {
597 return data().m_crl_distribution_points[0];
598 }
599 return "";
600}

◆ crl_distribution_points()

std::vector< std::string > Botan::X509_Certificate::crl_distribution_points ( ) const

Return the CRL distribution points, or empty if not set

Definition at line 590 of file x509cert.cpp.

590 {
591 return data().m_crl_distribution_points;
592}

Referenced by to_string().

◆ decode_from()

void Botan::X509_Object::decode_from ( BER_Decoder & from)
overridevirtualinherited

Decode a BER encoded X509_Object See ASN1_Object::decode_from()

Implements Botan::ASN1_Object.

Definition at line 93 of file x509_obj.cpp.

93 {
94 auto data = std::make_shared<Signed_Data>();
95
96 from.start_sequence()
97 .start_sequence()
98 .raw_bytes(data->m_tbs_bits)
99 .end_cons()
100 .decode(data->m_sig_algo)
101 .decode(data->m_sig, ASN1_Type::BitString)
102 .end_cons();
103
104 m_signed_data = std::move(data);
105 force_decode();
106}

References Botan::BitString, Botan::BER_Decoder::decode(), Botan::BER_Decoder::end_cons(), Botan::BER_Decoder::raw_bytes(), and Botan::BER_Decoder::start_sequence().

Referenced by load_data().

◆ encode_into()

void Botan::X509_Object::encode_into ( DER_Encoder & to) const
overridevirtualinherited

DER encode an X509_Object See ASN1_Object::encode_into()

Implements Botan::ASN1_Object.

Definition at line 80 of file x509_obj.cpp.

80 {
81 to.start_sequence()
82 .start_sequence()
83 .raw_bytes(signed_body())
84 .end_cons()
85 .encode(signature_algorithm())
86 .encode(signature(), ASN1_Type::BitString)
87 .end_cons();
88}
Botan::X509_Object::signed_body
const std::vector< uint8_t > & signed_body() const
Definition x509_obj.cpp:66
Botan::X509_Object::signature_algorithm
const AlgorithmIdentifier & signature_algorithm() const
Definition x509_obj.cpp:73
Botan::X509_Object::signature
const std::vector< uint8_t > & signature() const
Definition x509_obj.cpp:59

References Botan::BitString, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), signature(), signature_algorithm(), signed_body(), and Botan::DER_Encoder::start_sequence().

◆ extended_key_usage()

const std::vector< OID > & Botan::X509_Certificate::extended_key_usage ( ) const

Get the key usage as defined in the ExtendedKeyUsage extension of this certificate, or else an empty vector.

Returns
key usage

Definition at line 465 of file x509cert.cpp.

465 {
466 return data().m_extended_key_usage;
467}

Referenced by allowed_extended_usage(), has_ex_constraint(), and to_string().

◆ fingerprint()

std::string Botan::X509_Certificate::fingerprint ( std::string_view hash_name = "SHA-1") const
Returns
a fingerprint of the certificate
Parameters
hash_namehash function used to calculate the fingerprint

Definition at line 685 of file x509cert.cpp.

685 {
686 /*
687 * The SHA-1 and SHA-256 fingerprints are precomputed since these
688 * are the most commonly used. Especially, SHA-256 fingerprints are
689 * used for cycle detection during path construction.
690 *
691 * If SHA-1 or SHA-256 was missing at parsing time the vectors are
692 * left empty in which case we fall back to create_hex_fingerprint
693 * which will throw if the hash is unavailable.
694 */
695 if(hash_name == "SHA-256" && !data().m_fingerprint_sha256.empty()) {
696 return data().m_fingerprint_sha256;
697 } else if(hash_name == "SHA-1" && !data().m_fingerprint_sha1.empty()) {
698 return data().m_fingerprint_sha1;
699 } else {
700 return create_hex_fingerprint(this->BER_encode(), hash_name);
701 }
702}
Botan::ASN1_Object::BER_encode
std::vector< uint8_t > BER_encode() const
Definition asn1_obj.cpp:20
Botan::create_hex_fingerprint
std::string create_hex_fingerprint(std::span< const uint8_t > bits, std::string_view hash_name)
Definition pk_keys.cpp:38

References Botan::ASN1_Object::BER_encode(), and Botan::create_hex_fingerprint().

Referenced by Botan::Certificate_Store_In_SQL::affirm_cert(), Botan::Certificate_Store_In_SQL::contains(), Botan::Certificate_Store_In_SQL::find_key(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::Certificate_Store_In_SQL::insert_key(), Botan::Certificate_Store_In_SQL::remove_cert(), Botan::Certificate_Store_In_SQL::revoke_cert(), and Botan::Certificate_Store_In_SQL::revoke_cert().

◆ has_constraints()

bool Botan::X509_Certificate::has_constraints ( Key_Constraints constraints) const

Returns true if and only if the specified

Parameters
constraintsare included in the key usage extension.

Typically for applications you want allowed_usage instead.

Definition at line 481 of file x509cert.cpp.

481 {
482 // Unlike allowed_usage, returns false if constraints was not set
483 return constraints().includes(usage);
484}

References constraints(), and Botan::Key_Constraints::includes().

◆ has_ex_constraint() [1/2]

bool Botan::X509_Certificate::has_ex_constraint ( const OID & ex_constraint) const

Returns true if and only if OID

Parameters
ex_constraintis included in the extended key extension.

Definition at line 544 of file x509cert.cpp.

544 {
545 const auto any_eku = OID::from_name("X509v3.AnyExtendedKeyUsage");
546 const auto ocsp_eku = OID::from_name("PKIX.OCSPSigning");
547
548 for(const auto& ext_ku : extended_key_usage()) {
549 if(ext_ku == usage) {
550 return true;
551 }
552
553 /*
554 Do not accept AnyExtendedKeyUsage for OCSP due to RFC 6960 4.2.2.2:
555
556 OCSP signing delegation SHALL be designated by the inclusion of
557 id-kp-OCSPSigning in an extended key usage certificate extension
558 included in the OCSP response signer's certificate.
559 */
560 if(ext_ku == any_eku && usage != ocsp_eku) {
561 return true;
562 }
563 }
564
565 return false;
566}
Botan::OID::from_name
static std::optional< OID > from_name(std::string_view name)
Definition asn1_oid.cpp:72

References extended_key_usage(), and Botan::OID::from_name().

◆ has_ex_constraint() [2/2]

bool Botan::X509_Certificate::has_ex_constraint ( std::string_view ex_constraint) const

Returns true if and only if OID

Parameters
ex_constraintis included in the extended key extension.

Definition at line 540 of file x509cert.cpp.

540 {
541 return has_ex_constraint(OID::from_string(ex_constraint));
542}

References Botan::OID::from_string(), and has_ex_constraint().

Referenced by allowed_extended_usage(), allowed_usage(), and has_ex_constraint().

◆ is_CA_cert()

bool Botan::X509_Certificate::is_CA_cert ( ) const

Check whether this certificate is a CA certificate.

Returns
true if this certificate is a CA certificate

Definition at line 441 of file x509cert.cpp.

441 {
442 if(data().m_version < 3 && data().m_self_signed) {
443 return true;
444 }
445
446 return data().m_is_ca_certificate;
447}

Referenced by allowed_usage(), Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store(), and Botan::Cert_Extension::Name_Constraints::validate().

◆ is_critical()

bool Botan::X509_Certificate::is_critical ( std::string_view ex_name) const

Check whenever a given X509 Extension is marked critical in this certificate.

Definition at line 571 of file x509cert.cpp.

571 {
572 return v3_extensions().critical_extension_set(OID::from_string(ex_name));
573}
Botan::Extensions::critical_extension_set
bool critical_extension_set(const OID &oid) const
Definition x509_ext.cpp:215
Botan::X509_Certificate::v3_extensions
const Extensions & v3_extensions() const
Definition x509cert.cpp:477

References Botan::Extensions::critical_extension_set(), Botan::OID::from_string(), and v3_extensions().

Referenced by Botan::Cert_Extension::Name_Constraints::validate().

◆ is_self_signed()

bool Botan::X509_Certificate::is_self_signed ( ) const

Check whether this certificate is self signed. If the DN issuer and subject agree,

Returns
true if this certificate is self signed

Definition at line 354 of file x509cert.cpp.

354 {
355 return data().m_self_signed;
356}

Referenced by Botan::PKIX::check_chain(), Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store(), and to_string().

◆ is_serial_negative()

bool Botan::X509_Certificate::is_serial_negative ( ) const

Get the serial number's sign

Returns
1 iff the serial is negative.

Definition at line 410 of file x509cert.cpp.

410 {
411 return data().m_serial_negative;
412}

Referenced by Botan::PKIX::check_chain().

◆ issuer_alt_name()

const AlternativeName & Botan::X509_Certificate::issuer_alt_name ( ) const

Return the issuer alternative names (DNS, IP, ...)

Definition at line 606 of file x509cert.cpp.

606 {
607 return data().m_issuer_alt_name;
608}

Referenced by botan_x509_cert_issuer_alternative_names(), botan_x509_cert_issuer_alternative_names_count(), and issuer_info().

◆ issuer_dn()

const X509_DN & Botan::X509_Certificate::issuer_dn ( ) const

Get the certificate's issuer distinguished name (DN).

Returns
issuer DN of this certificate

Definition at line 414 of file x509cert.cpp.

414 {
415 return data().m_issuer_dn;
416}

Referenced by Botan::PKIX::check_chain(), Botan::Certificate_Store_In_Memory::find_crl_for(), Botan::Certificate_Store_In_SQL::find_crl_for(), Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store(), Botan::X509_CRL::is_revoked(), issuer_info(), Botan::OCSP::Request::Request(), and to_string().

◆ issuer_info()

std::vector< std::string > Botan::X509_Certificate::issuer_info ( std::string_view name) const

Get a value for a specific subject_info parameter name.

Parameters
namethe name of the parameter to look up. Possible names are "X509.Certificate.v2.key_id" or "X509v3.AuthorityKeyIdentifier".
Returns
value(s) of the specified parameter

Definition at line 652 of file x509cert.cpp.

652 {
653 return get_cert_user_info(req, issuer_dn(), issuer_alt_name());
654}
Botan::X509_Certificate::issuer_alt_name
const AlternativeName & issuer_alt_name() const
Definition x509cert.cpp:606
Botan::X509_Certificate::issuer_dn
const X509_DN & issuer_dn() const
Definition x509cert.cpp:414

References issuer_alt_name(), and issuer_dn().

◆ load_data()

void Botan::X509_Object::load_data ( DataSource & src)
protectedinherited

Decodes from src as either DER or PEM data, then calls force_decode()

Definition at line 24 of file x509_obj.cpp.

24 {
25 try {
26 if(ASN1::maybe_BER(in) && !PEM_Code::matches(in)) {
27 BER_Decoder dec(in, BER_Decoder::Limits::DER());
28 decode_from(dec);
29 // Call to verify_end omitted here since we have to sometimes decode
30 // multiple certificates encoded sequentially in a DataSource
31 } else {
32 std::string got_label;
33 DataSource_Memory ber(PEM_Code::decode(in, got_label));
34
35 if(got_label != PEM_label()) {
36 bool is_alternate = false;
37 for(const std::string_view alt_label : alternate_PEM_labels()) {
38 if(got_label == alt_label) {
39 is_alternate = true;
40 break;
41 }
42 }
43
44 if(!is_alternate) {
45 throw Decoding_Error("Unexpected PEM label for " + PEM_label() + " of " + got_label);
46 }
47 }
48
49 BER_Decoder dec(ber, BER_Decoder::Limits::DER());
50 decode_from(dec);
51 // Call to verify_end omitted here since we have to sometimes decode
52 // multiple certificates encoded sequentially in a DataSource
53 }
54 } catch(Decoding_Error& e) {
55 throw Decoding_Error(PEM_label() + " decoding", e);
56 }
57}
Botan::BER_Decoder::Limits::DER
static Limits DER()
Definition ber_dec.h:35
Botan::X509_Object::decode_from
void decode_from(BER_Decoder &from) override
Definition x509_obj.cpp:93
Botan::X509_Object::alternate_PEM_labels
virtual std::vector< std::string > alternate_PEM_labels() const
Definition x509_obj.h:102
Botan::X509_Object::PEM_label
virtual std::string PEM_label() const =0
Botan::ASN1::maybe_BER
bool maybe_BER(DataSource &source)
Definition asn1_obj.cpp:197
Botan::PEM_Code::matches
bool matches(DataSource &source, std::string_view extra, size_t search_range)
Definition pem.cpp:143
Botan::PEM_Code::decode
secure_vector< uint8_t > decode(DataSource &source, std::string &label)
Definition pem.cpp:62

References alternate_PEM_labels(), Botan::PEM_Code::decode(), decode_from(), Botan::BER_Decoder::Limits::DER(), Botan::PEM_Code::matches(), Botan::ASN1::maybe_BER(), and PEM_label().

Referenced by Botan::PKCS10_Request::PKCS10_Request(), Botan::PKCS10_Request::PKCS10_Request(), Botan::X509_Certificate::X509_Certificate(), Botan::X509_Certificate::X509_Certificate(), Botan::X509_CRL::X509_CRL(), Botan::X509_CRL::X509_CRL(), and X509_Object().

◆ load_subject_public_key()

std::unique_ptr< Public_Key > Botan::X509_Certificate::load_subject_public_key ( ) const

Create a public key object associated with the public key bits in this certificate. If the public key bits was valid for X.509 encoding purposes but invalid algorithmically (for example, RSA with an even modulus) that will be detected at this point, and an exception will be thrown.

Returns
subject public key of this certificate

Definition at line 667 of file x509cert.cpp.

667 {
668 return this->subject_public_key();
669}
Botan::X509_Certificate::subject_public_key
std::unique_ptr< Public_Key > subject_public_key() const
Definition x509cert.cpp:659

References subject_public_key().

◆ make_signed()

std::vector< uint8_t > Botan::X509_Object::make_signed ( PK_Signer & signer,
RandomNumberGenerator & rng,
const AlgorithmIdentifier & alg_id,
std::span< const uint8_t > tbs )
staticinherited

Create a signed X509 object.

Parameters
signerthe signer used to sign the object
Random Number Generatorsthe random number generator to use
alg_idthe algorithm identifier of the signature scheme
tbsthe tbs bits to be signed
Returns
signed X509 object

Definition at line 153 of file x509_obj.cpp.

156 {
157 const std::vector<uint8_t> signature = signer.sign_message(tbs_bits, rng);
158
159 std::vector<uint8_t> output;
160 DER_Encoder(output)
161 .start_sequence()
162 .raw_bytes(tbs_bits)
163 .encode(algo)
164 .encode(signature, ASN1_Type::BitString)
165 .end_cons();
166
167 return output;
168}

References Botan::BitString, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), Botan::PK_Signer::sign_message(), signature(), and Botan::DER_Encoder::start_sequence().

Referenced by Botan::PKCS10_Request::create(), and Botan::X509_CA::make_cert().

◆ matches_dns_name()

bool Botan::X509_Certificate::matches_dns_name ( std::string_view name) const

Check if a certain DNS name matches up with the information in the cert

Parameters
nameDNS name to match

Note: this will also accept a dotted quad input, in which case the SAN for IPv4 addresses will be checked.

Definition at line 708 of file x509cert.cpp.

708 {
709 if(name.empty()) {
710 return false;
711 }
712
713 if(auto req_ipv4 = string_to_ipv4(name)) {
714 const auto& ipv4_names = subject_alt_name().ipv4_address();
715 return ipv4_names.contains(req_ipv4.value());
716 }
717
718 if(auto req_ipv6 = IPv6Address::from_string(name)) {
719 const auto& ipv6_names = subject_alt_name().ipv6_address();
720 return ipv6_names.contains(req_ipv6.value());
721 }
722
723 auto issued_names = subject_info("DNS");
724
725 // Fall back to CN only if no SAN is included
726 if(!data().m_subject_alt_name_exists) {
727 issued_names = subject_info("Name");
728 }
729
730 for(const auto& issued_name : issued_names) {
731 if(host_wildcard_match(issued_name, name)) {
732 return true;
733 }
734 }
735
736 return false;
737}
Botan::AlternativeName::ipv4_address
const std::set< uint32_t > & ipv4_address() const
Return the set of IPv4 addresses included in this alternative name.
Definition pkix_types.h:186
Botan::AlternativeName::ipv6_address
const std::set< IPv6Address > & ipv6_address() const
Return the set of IPv6 addresses included in this alternative name.
Definition pkix_types.h:189
Botan::IPv6Address::from_string
static std::optional< IPv6Address > from_string(std::string_view str)
Definition ipv6_address.cpp:24
Botan::X509_Certificate::subject_info
std::vector< std::string > subject_info(std::string_view name) const
Definition x509cert.cpp:645
Botan::X509_Certificate::subject_alt_name
const AlternativeName & subject_alt_name() const
Definition x509cert.cpp:602
Botan::string_to_ipv4
std::optional< uint32_t > string_to_ipv4(std::string_view str)
Definition parsing.cpp:155
Botan::host_wildcard_match
bool host_wildcard_match(std::string_view issued, std::string_view host)
Definition parsing.cpp:389

References Botan::IPv6Address::from_string(), Botan::host_wildcard_match(), Botan::AlternativeName::ipv4_address(), Botan::AlternativeName::ipv6_address(), Botan::string_to_ipv4(), subject_alt_name(), and subject_info().

◆ name_constraints()

const NameConstraints & Botan::X509_Certificate::name_constraints ( ) const

Get the name constraints as defined in the NameConstraints extension of this certificate.

Returns
name constraints

Definition at line 473 of file x509cert.cpp.

473 {
474 return data().m_name_constraints;
475}

Referenced by botan_x509_cert_excluded_name_constraints(), botan_x509_cert_permitted_name_constraints(), and to_string().

◆ not_after()

const X509_Time & Botan::X509_Certificate::not_after ( ) const

Get the notAfter of the certificate as X509_Time

Returns
notAfter of the certificate

Definition at line 362 of file x509cert.cpp.

362 {
363 return data().m_not_after;
364}

Referenced by Botan::PKIX::check_chain(), and to_string().

◆ not_before()

const X509_Time & Botan::X509_Certificate::not_before ( ) const

Get the notBefore of the certificate as X509_Time

Returns
notBefore of the certificate

Definition at line 358 of file x509cert.cpp.

358 {
359 return data().m_not_before;
360}

Referenced by Botan::PKIX::check_chain(), and to_string().

◆ ocsp_responder()

std::string Botan::X509_Certificate::ocsp_responder ( ) const

Return the listed address of an OCSP responder, or empty if not set

Definition at line 575 of file x509cert.cpp.

575 {
576 if(data().m_ocsp_responders.empty()) {
577 return {};
578 }
579 return data().m_ocsp_responders[0];
580}

Referenced by to_string().

◆ ocsp_responders()

const std::vector< std::string > & Botan::X509_Certificate::ocsp_responders ( ) const

Return the listed addresses of OCSP responders, or empty if not set

Definition at line 582 of file x509cert.cpp.

582 {
583 return data().m_ocsp_responders;
584}

Referenced by to_string().

◆ operator<()

bool Botan::X509_Certificate::operator< ( const X509_Certificate & other) const

Impose an arbitrary (but consistent) ordering, eg to allow sorting a container of certificate objects.

Returns
true if this is less than other by some unspecified criteria

Definition at line 747 of file x509cert.cpp.

747 {
748 /* If signature values are not equal, sort by lexicographic ordering of that */
749 if(this->signature() != other.signature()) {
750 return (this->signature() < other.signature());
751 }
752
753 // Then compare the signed contents
754 return this->signed_body() < other.signed_body();
755}

References Botan::X509_Object::signature(), Botan::X509_Object::signed_body(), and X509_Certificate().

◆ operator=() [1/2]

X509_Certificate & Botan::X509_Certificate::operator= ( const X509_Certificate & other)
default

References X509_Certificate().

◆ operator=() [2/2]

X509_Certificate & Botan::X509_Certificate::operator= ( X509_Certificate && other)
default

References X509_Certificate().

◆ operator==()

bool Botan::X509_Certificate::operator== ( const X509_Certificate & other) const

Check to certificates for equality.

Returns
true both certificates are (binary) equal

Definition at line 742 of file x509cert.cpp.

742 {
743 return (this->signature() == other.signature() && this->signature_algorithm() == other.signature_algorithm() &&
744 this->signed_body() == other.signed_body());
745}

References Botan::X509_Object::signature(), Botan::X509_Object::signature_algorithm(), Botan::X509_Object::signed_body(), and X509_Certificate().

◆ path_length_constraint()

std::optional< size_t > Botan::X509_Certificate::path_length_constraint ( ) const

Get the path length constraint as defined in the BasicConstraints extension.

Returns nullopt if either the extension is not set in the certificate, or if the pathLenConstraint field was absent from the extension.

Returns
path limit

Definition at line 457 of file x509cert.cpp.

457 {
458 return data().m_path_len_constraint;
459}

Referenced by Botan::PKIX::check_chain().

◆ path_limit()

uint32_t Botan::X509_Certificate::path_limit ( ) const

Get the path length constraint as defined in the BasicConstraints extension.

This returns an arbitrary value if the extension is not set (either 32 for v1 self-signed certificates, or else Cert_Extension::NO_CERT_PATH_LIMIT for v3 certificates without the extension)

Prefer path_length_constraint

Returns
path limit

Definition at line 449 of file x509cert.cpp.

449 {
450 if(data().m_version < 3 && data().m_self_signed) {
451 return 32; // in theory infinite, but this is more than enough
452 }
453
454 return static_cast<uint32_t>(data().m_path_len_constraint.value_or(Cert_Extension::NO_CERT_PATH_LIMIT));
455}

◆ PEM_encode()

std::string Botan::X509_Object::PEM_encode ( ) const
inherited
Returns
PEM encoding of this

Definition at line 111 of file x509_obj.cpp.

111 {
112 return PEM_Code::encode(BER_encode(), PEM_label());
113}
Botan::PEM_Code::encode
std::string encode(const uint8_t der[], size_t length, std::string_view label, size_t width)
Definition pem.cpp:39

References Botan::ASN1_Object::BER_encode(), Botan::PEM_Code::encode(), and PEM_label().

◆ raw_issuer_dn()

const std::vector< uint8_t > & Botan::X509_Certificate::raw_issuer_dn ( ) const

Raw issuer DN bits

Definition at line 422 of file x509cert.cpp.

422 {
423 return data().m_issuer_dn_bits;
424}

Referenced by botan_x509_cert_view_binary_values(), and Botan::OCSP::CertID::is_id_for().

◆ raw_issuer_dn_sha256()

const std::vector< uint8_t > & Botan::X509_Certificate::raw_issuer_dn_sha256 ( ) const

SHA-256 of Raw issuer DN

Definition at line 671 of file x509cert.cpp.

671 {
672 if(data().m_issuer_dn_bits_sha256.empty()) {
673 throw Encoding_Error("X509_Certificate::raw_issuer_dn_sha256 called but SHA-256 disabled in build");
674 }
675 return data().m_issuer_dn_bits_sha256;
676}

◆ raw_subject_dn()

const std::vector< uint8_t > & Botan::X509_Certificate::raw_subject_dn ( ) const

Raw subject DN

Definition at line 426 of file x509cert.cpp.

426 {
427 return data().m_subject_dn_bits;
428}

Referenced by botan_x509_cert_view_binary_values(), and Botan::OCSP::CertID::CertID().

◆ raw_subject_dn_sha256()

const std::vector< uint8_t > & Botan::X509_Certificate::raw_subject_dn_sha256 ( ) const

SHA-256 of Raw subject DN

Definition at line 678 of file x509cert.cpp.

678 {
679 if(data().m_subject_dn_bits_sha256.empty()) {
680 throw Encoding_Error("X509_Certificate::raw_subject_dn_sha256 called but SHA-256 disabled in build");
681 }
682 return data().m_subject_dn_bits_sha256;
683}

Referenced by Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store().

◆ serial_number()

const std::vector< uint8_t > & Botan::X509_Certificate::serial_number ( ) const

Get the serial number of this certificate.

Returns
certificates serial number

Definition at line 406 of file x509cert.cpp.

406 {
407 return data().m_serial;
408}

Referenced by botan_x509_cert_serial_number(), botan_x509_cert_view_binary_values(), Botan::OCSP::CertID::is_id_for(), Botan::X509_CRL::is_revoked(), and to_string().

◆ signature()

const std::vector< uint8_t > & Botan::X509_Object::signature ( ) const
inherited
Returns
signature on tbs_data()

Definition at line 59 of file x509_obj.cpp.

59 {
60 if(!m_signed_data) {
61 throw Invalid_State("X509_Object uninitialized");
62 }
63 return m_signed_data->m_sig;
64}

Referenced by encode_into(), make_signed(), Botan::X509_Certificate::operator<(), Botan::X509_Certificate::operator==(), and verify_signature().

◆ signature_algorithm()

const AlgorithmIdentifier & Botan::X509_Object::signature_algorithm ( ) const
inherited
Returns
signature algorithm that was used to generate signature

Definition at line 73 of file x509_obj.cpp.

73 {
74 if(!m_signed_data) {
75 throw Invalid_State("X509_Object uninitialized");
76 }
77 return m_signed_data->m_sig_algo;
78}

Referenced by Botan::PKIX::check_chain(), encode_into(), Botan::X509_Certificate::operator==(), Botan::X509_Certificate::to_string(), and verify_signature().

◆ signed_body()

const std::vector< uint8_t > & Botan::X509_Object::signed_body ( ) const
inherited
Returns
signed body

Definition at line 66 of file x509_obj.cpp.

66 {
67 if(!m_signed_data) {
68 throw Invalid_State("X509_Object uninitialized");
69 }
70 return m_signed_data->m_tbs_bits;
71}

Referenced by encode_into(), Botan::X509_Certificate::operator<(), Botan::X509_Certificate::operator==(), and tbs_data().

◆ subject_alt_name()

const AlternativeName & Botan::X509_Certificate::subject_alt_name ( ) const

Return the subject alternative names (DNS, IP, ...)

Definition at line 602 of file x509cert.cpp.

602 {
603 return data().m_subject_alt_name;
604}

Referenced by botan_x509_cert_subject_alternative_names(), botan_x509_cert_subject_alternative_names_count(), Botan::NameConstraints::is_excluded(), Botan::NameConstraints::is_permitted(), Botan::GeneralName::matches(), matches_dns_name(), and subject_info().

◆ subject_dn()

const X509_DN & Botan::X509_Certificate::subject_dn ( ) const

Get the certificate's subject distinguished name (DN).

Returns
subject DN of this certificate

Definition at line 418 of file x509cert.cpp.

418 {
419 return data().m_subject_dn;
420}

Referenced by Botan::Certificate_Store_In_Memory::add_certificate(), Botan::PKIX::check_chain(), Botan::Certificate_Store::contains(), Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::NameConstraints::is_excluded(), Botan::NameConstraints::is_permitted(), Botan::GeneralName::matches(), Botan::Certificate_Store_In_SQL::remove_cert(), Botan::OCSP::Request::Request(), subject_info(), and to_string().

◆ subject_info()

std::vector< std::string > Botan::X509_Certificate::subject_info ( std::string_view name) const

Get a value for a specific subject_info parameter name.

Parameters
namethe name of the parameter to look up. Possible names include "X509.Certificate.version", "X509.Certificate.serial", "X509.Certificate.start", "X509.Certificate.end", "X509.Certificate.v2.key_id", "X509.Certificate.public_key", "X509v3.BasicConstraints.path_constraint", "X509v3.BasicConstraints.is_ca", "X509v3.NameConstraints", "X509v3.ExtendedKeyUsage", "X509v3.CertificatePolicies", "X509v3.SubjectKeyIdentifier", "X509.Certificate.serial", "X520.CommonName", "X520.Organization", "X520.Country", "RFC822" (Email in SAN) or "PKCS9.EmailAddress" (Email in DN).
Returns
value(s) of the specified parameter

Definition at line 645 of file x509cert.cpp.

645 {
646 return get_cert_user_info(req, subject_dn(), subject_alt_name());
647}
Botan::X509_Certificate::subject_dn
const X509_DN & subject_dn() const
Definition x509cert.cpp:418

References subject_alt_name(), and subject_dn().

Referenced by Botan::NameConstraints::is_excluded(), Botan::NameConstraints::is_permitted(), and matches_dns_name().

◆ subject_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_key_id ( ) const

Get the DER encoded SubjectKeyIdentifier of this certificate.

Returns
DER encoded SubjectKeyIdentifier

Definition at line 402 of file x509cert.cpp.

402 {
403 return data().m_subject_key_id;
404}

Referenced by botan_x509_cert_view_binary_values(), Botan::Certificate_Store::contains(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::Certificate_Store_In_SQL::remove_cert(), and to_string().

◆ subject_public_key()

std::unique_ptr< Public_Key > Botan::X509_Certificate::subject_public_key ( ) const

Create a public key object associated with the public key bits in this certificate. If the public key bits was valid for X.509 encoding purposes but invalid algorithmically (for example, RSA with an even modulus) that will be detected at this point, and an exception will be thrown.

Returns
subject public key of this certificate

Definition at line 659 of file x509cert.cpp.

659 {
660 try {
661 return std::unique_ptr<Public_Key>(X509::load_key(subject_public_key_info()));
662 } catch(std::exception& e) {
663 throw Decoding_Error("X509_Certificate::subject_public_key", e);
664 }
665}
Botan::X509_Certificate::subject_public_key_info
const std::vector< uint8_t > & subject_public_key_info() const
Definition x509cert.cpp:382
Botan::X509::load_key
std::unique_ptr< Public_Key > load_key(DataSource &source)
Definition x509_key.cpp:28

References Botan::X509::load_key(), and subject_public_key_info().

Referenced by Botan::PKIX::check_chain(), Botan::PKIX::check_crl(), load_subject_public_key(), to_string(), Botan::TLS::Certificate_Verify_12::verify(), and Botan::OCSP::Response::verify_signature().

◆ subject_public_key_algo()

const AlgorithmIdentifier & Botan::X509_Certificate::subject_public_key_algo ( ) const

Return the algorithm identifier of the public key

Definition at line 366 of file x509cert.cpp.

366 {
367 return data().m_subject_public_key_algid;
368}

Referenced by to_string().

◆ subject_public_key_bits()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_bits ( ) const

Get the public key associated with this certificate. This includes the outer AlgorithmIdentifier

Returns
subject public key of this certificate

Definition at line 378 of file x509cert.cpp.

378 {
379 return data().m_subject_public_key_bits;
380}

◆ subject_public_key_bitstring()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_bitstring ( ) const

Get the bit string of the public key associated with this certificate

Returns
public key bits

Definition at line 386 of file x509cert.cpp.

386 {
387 return data().m_subject_public_key_bitstring;
388}

Referenced by Botan::OCSP::CertID::CertID(), Botan::OCSP::CertID::is_id_for(), and to_string().

◆ subject_public_key_bitstring_sha1()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_bitstring_sha1 ( ) const

Get the SHA-1 bit string of the public key associated with this certificate. This is used for OCSP among other protocols. This function will throw if SHA-1 is not available.

Returns
hash of subject public key of this certificate

Definition at line 390 of file x509cert.cpp.

390 {
391 if(data().m_subject_public_key_bitstring_sha1.empty()) {
392 throw Encoding_Error("X509_Certificate::subject_public_key_bitstring_sha1 called but SHA-1 disabled in build");
393 }
394
395 return data().m_subject_public_key_bitstring_sha1;
396}

Referenced by Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store().

◆ subject_public_key_info()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_info ( ) const

Get the SubjectPublicKeyInfo associated with this certificate.

Returns
subject public key info of this certificate

Definition at line 382 of file x509cert.cpp.

382 {
383 return data().m_subject_public_key_bits_seq;
384}

Referenced by botan_x509_cert_view_binary_values(), and subject_public_key().

◆ tag()

X509_Certificate::Tag Botan::X509_Certificate::tag ( ) const

Return a collision resistant binary "tag" of this certificate

Definition at line 704 of file x509cert.cpp.

704 {
705 return Tag(data().m_cert_data_sha256);
706}
Botan::X509_Certificate::Tag
Definition x509cert.h:389

Referenced by Botan::Certificate_Store_In_Memory::add_certificate(), Botan::Certificate_Store_In_Memory::contains(), Botan::Flatfile_Certificate_Store::contains(), Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store(), and Botan::X509_Certificate::TagHash::operator()().

◆ tbs_data()

std::vector< uint8_t > Botan::X509_Object::tbs_data ( ) const
inherited

The underlying data that is to be or was signed

Returns
data that is or was signed

Definition at line 118 of file x509_obj.cpp.

118 {
119 return ASN1::put_in_sequence(signed_body());
120}
Botan::ASN1::put_in_sequence
std::vector< uint8_t > put_in_sequence(const std::vector< uint8_t > &contents)
Definition asn1_obj.cpp:177

References Botan::ASN1::put_in_sequence(), and signed_body().

Referenced by verify_signature().

◆ to_string()

std::string Botan::X509_Certificate::to_string ( ) const
Returns
a free-form string describing the certificate

Definition at line 764 of file x509cert.cpp.

764 {
765 std::ostringstream out;
766
767 out << "Version: " << this->x509_version() << "\n";
768 out << "Subject: " << subject_dn() << "\n";
769 out << "Issuer: " << issuer_dn() << "\n";
770 out << "Issued: " << this->not_before().readable_string() << "\n";
771 out << "Expires: " << this->not_after().readable_string() << "\n";
772
773 try {
774 auto pubkey = this->subject_public_key();
775 out << "Public Key [" << pubkey->algo_name() << "-" << pubkey->key_length() << "]\n\n";
776 out << X509::PEM_encode(*pubkey) << "\n";
777 } catch(const Decoding_Error& ex) {
778 const AlgorithmIdentifier& alg_id = this->subject_public_key_algo();
779 out << "Public Key Invalid!\n"
780 << " OID: " << alg_id.oid().to_formatted_string() << "\n"
781 << " Error: " << ex.what() << "\n"
782 << " Hex: " << hex_encode(this->subject_public_key_bitstring()) << "\n";
783 }
784
785 out << "Constraints:\n";
786 const Key_Constraints constraints = this->constraints();
787 if(constraints.empty()) {
788 out << " No key constraints set\n";
789 } else {
790 if(constraints.includes(Key_Constraints::DigitalSignature)) {
791 out << " Digital Signature\n";
792 }
793 if(constraints.includes(Key_Constraints::NonRepudiation)) {
794 out << " Non-Repudiation\n";
795 }
796 if(constraints.includes(Key_Constraints::KeyEncipherment)) {
797 out << " Key Encipherment\n";
798 }
799 if(constraints.includes(Key_Constraints::DataEncipherment)) {
800 out << " Data Encipherment\n";
801 }
802 if(constraints.includes(Key_Constraints::KeyAgreement)) {
803 out << " Key Agreement\n";
804 }
805 if(constraints.includes(Key_Constraints::KeyCertSign)) {
806 out << " Cert Sign\n";
807 }
808 if(constraints.includes(Key_Constraints::CrlSign)) {
809 out << " CRL Sign\n";
810 }
811 if(constraints.includes(Key_Constraints::EncipherOnly)) {
812 out << " Encipher Only\n";
813 }
814 if(constraints.includes(Key_Constraints::DecipherOnly)) {
815 out << " Decipher Only\n";
816 }
817 }
818
819 const std::vector<OID>& policies = this->certificate_policy_oids();
820 if(!policies.empty()) {
821 out << "Policies: "
822 << "\n";
823 for(const auto& oid : policies) {
824 out << " " << oid.to_string() << "\n";
825 }
826 }
827
828 const std::vector<OID>& ex_constraints = this->extended_key_usage();
829 if(!ex_constraints.empty()) {
830 out << "Extended Constraints:\n";
831 for(auto&& oid : ex_constraints) {
832 out << " " << oid.to_formatted_string() << "\n";
833 }
834 }
835
836 const NameConstraints& name_constraints = this->name_constraints();
837
838 if(!name_constraints.permitted().empty() || !name_constraints.excluded().empty()) {
839 out << "Name Constraints:\n";
840
841 if(!name_constraints.permitted().empty()) {
842 out << " Permit";
843 for(const auto& st : name_constraints.permitted()) {
844 out << " " << st.base();
845 }
846 out << "\n";
847 }
848
849 if(!name_constraints.excluded().empty()) {
850 out << " Exclude";
851 for(const auto& st : name_constraints.excluded()) {
852 out << " " << st.base();
853 }
854 out << "\n";
855 }
856 }
857
858 const auto& ocsp_responders = this->ocsp_responders();
859 if(!ocsp_responders.empty()) {
860 out << "OCSP Responders:\n";
861 for(const auto& ocsp_responder : ocsp_responders) {
862 out << " URI: " << ocsp_responder << "\n";
863 }
864 }
865
866 const std::vector<std::string> ca_issuers = this->ca_issuers();
867 if(!ca_issuers.empty()) {
868 out << "CA Issuers:\n";
869 for(const auto& ca_issuer : ca_issuers) {
870 out << " URI: " << ca_issuer << "\n";
871 }
872 }
873
874 for(const auto& cdp : crl_distribution_points()) {
875 out << "CRL " << cdp << "\n";
876 }
877
878 out << "Signature algorithm: " << this->signature_algorithm().oid().to_formatted_string() << "\n";
879
880 out << "Serial number: " << hex_encode(this->serial_number()) << "\n";
881
882 if(!this->authority_key_id().empty()) {
883 out << "Authority keyid: " << hex_encode(this->authority_key_id()) << "\n";
884 }
885
886 if(!this->subject_key_id().empty()) {
887 out << "Subject keyid: " << hex_encode(this->subject_key_id()) << "\n";
888 }
889
890 if(this->is_self_signed()) {
891 out << "Certificate is self signed\n";
892 }
893
894 return out.str();
895}
Botan::ASN1_Time::readable_string
std::string readable_string() const
Returns a human friendly string representation of no particular formatting.
Definition asn1_time.cpp:109
Botan::AlgorithmIdentifier::oid
const OID & oid() const
Definition asn1_obj.h:407
Botan::Key_Constraints::CrlSign
@ CrlSign
Definition pkix_enums.h:128
Botan::Key_Constraints::KeyCertSign
@ KeyCertSign
Definition pkix_enums.h:127
Botan::Key_Constraints::DecipherOnly
@ DecipherOnly
Definition pkix_enums.h:130
Botan::Key_Constraints::EncipherOnly
@ EncipherOnly
Definition pkix_enums.h:129
Botan::OID::to_formatted_string
std::string to_formatted_string() const
Definition asn1_oid.cpp:139
Botan::X509_Certificate::name_constraints
const NameConstraints & name_constraints() const
Definition x509cert.cpp:473
Botan::X509_Certificate::serial_number
const std::vector< uint8_t > & serial_number() const
Definition x509cert.cpp:406
Botan::X509_Certificate::not_after
const X509_Time & not_after() const
Definition x509cert.cpp:362
Botan::X509_Certificate::authority_key_id
const std::vector< uint8_t > & authority_key_id() const
Definition x509cert.cpp:398
Botan::X509_Certificate::subject_key_id
const std::vector< uint8_t > & subject_key_id() const
Definition x509cert.cpp:402
Botan::X509_Certificate::crl_distribution_points
std::vector< std::string > crl_distribution_points() const
Definition x509cert.cpp:590
Botan::X509_Certificate::ocsp_responder
std::string ocsp_responder() const
Definition x509cert.cpp:575
Botan::X509_Certificate::x509_version
uint32_t x509_version() const
Definition x509cert.cpp:350
Botan::X509_Certificate::certificate_policy_oids
const std::vector< OID > & certificate_policy_oids() const
Definition x509cert.cpp:469
Botan::X509_Certificate::is_self_signed
bool is_self_signed() const
Definition x509cert.cpp:354
Botan::X509_Certificate::subject_public_key_algo
const AlgorithmIdentifier & subject_public_key_algo() const
Definition x509cert.cpp:366
Botan::X509_Certificate::ocsp_responders
const std::vector< std::string > & ocsp_responders() const
Definition x509cert.cpp:582
Botan::X509_Certificate::ca_issuers
std::vector< std::string > ca_issuers() const
Definition x509cert.cpp:586
Botan::X509_Certificate::subject_public_key_bitstring
const std::vector< uint8_t > & subject_public_key_bitstring() const
Definition x509cert.cpp:386
Botan::X509_Certificate::not_before
const X509_Time & not_before() const
Definition x509cert.cpp:358
Botan::X509::PEM_encode
std::string PEM_encode(const Public_Key &key)
Definition x509_key.cpp:21
Botan::hex_encode
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
Definition hex.cpp:34

References authority_key_id(), ca_issuers(), certificate_policy_oids(), constraints(), crl_distribution_points(), Botan::Key_Constraints::CrlSign, Botan::Key_Constraints::DataEncipherment, Botan::Key_Constraints::DecipherOnly, Botan::Key_Constraints::DigitalSignature, Botan::Key_Constraints::empty(), Botan::Key_Constraints::EncipherOnly, extended_key_usage(), Botan::hex_encode(), is_self_signed(), issuer_dn(), Botan::Key_Constraints::KeyAgreement, Botan::Key_Constraints::KeyCertSign, Botan::Key_Constraints::KeyEncipherment, name_constraints(), Botan::Key_Constraints::NonRepudiation, not_after(), not_before(), ocsp_responder(), ocsp_responders(), Botan::AlgorithmIdentifier::oid(), Botan::X509::PEM_encode(), Botan::NameConstraints::permitted(), Botan::ASN1_Time::readable_string(), serial_number(), Botan::X509_Object::signature_algorithm(), subject_dn(), subject_key_id(), subject_public_key(), subject_public_key_algo(), subject_public_key_bitstring(), Botan::OID::to_formatted_string(), Botan::Exception::what(), and x509_version().

◆ v2_issuer_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::v2_issuer_key_id ( ) const

Return the v2 issuer key ID. v2 key IDs are almost never used, instead see v3_subject_key_id.

Definition at line 370 of file x509cert.cpp.

370 {
371 return data().m_v2_issuer_key_id;
372}

Referenced by Botan::PKIX::check_chain().

◆ v2_subject_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::v2_subject_key_id ( ) const

Return the v2 subject key ID. v2 key IDs are almost never used, instead see v3_subject_key_id.

Definition at line 374 of file x509cert.cpp.

374 {
375 return data().m_v2_subject_key_id;
376}

Referenced by Botan::PKIX::check_chain().

◆ v3_extensions()

const Extensions & Botan::X509_Certificate::v3_extensions ( ) const

Get all extensions of this certificate.

Returns
certificate extensions

Definition at line 477 of file x509cert.cpp.

477 {
478 return data().m_v3_extensions;
479}

Referenced by botan_x509_cert_issuer_alternative_names(), botan_x509_cert_subject_alternative_names(), Botan::PKIX::check_chain(), Botan::X509_CRL::has_matching_distribution_point(), and is_critical().

◆ verify_signature()

std::pair< Certificate_Status_Code, std::string > Botan::X509_Object::verify_signature ( const Public_Key & key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data
Returns
status of the signature - OK if verified or otherwise an indicator of the problem preventing verification, along with the hash function that was used, for further policy checks. The second parameter is empty unless the validation was successful.

Definition at line 130 of file x509_obj.cpp.

130 {
131 try {
132 PK_Verifier verifier(pub_key, signature_algorithm());
133 const bool valid = verifier.verify_message(tbs_data(), signature());
134
135 if(valid) {
136 return std::make_pair(Certificate_Status_Code::VERIFIED, verifier.hash_function());
137 } else {
138 return std::make_pair(Certificate_Status_Code::SIGNATURE_ERROR, "");
139 }
140 } catch(Decoding_Error&) {
141 return std::make_pair(Certificate_Status_Code::SIGNATURE_ALGO_BAD_PARAMS, "");
142 } catch(Algorithm_Not_Found&) {
143 return std::make_pair(Certificate_Status_Code::SIGNATURE_ALGO_UNKNOWN, "");
144 } catch(...) {
145 // This shouldn't happen, fallback to generic signature error
146 return std::make_pair(Certificate_Status_Code::SIGNATURE_ERROR, "");
147 }
148}
Botan::X509_Object::tbs_data
std::vector< uint8_t > tbs_data() const
Definition x509_obj.cpp:118

References Botan::PK_Verifier::hash_function(), signature(), Botan::SIGNATURE_ALGO_BAD_PARAMS, Botan::SIGNATURE_ALGO_UNKNOWN, signature_algorithm(), Botan::SIGNATURE_ERROR, tbs_data(), Botan::VERIFIED, and Botan::PK_Verifier::verify_message().

Referenced by Botan::PKIX::check_chain(), and check_signature().

◆ x509_version()

uint32_t Botan::X509_Certificate::x509_version ( ) const

Get the X509 version of this certificate object.

Returns
X509 version

Definition at line 350 of file x509cert.cpp.

350 {
351 return static_cast<uint32_t>(data().m_version);
352}

Referenced by Botan::PKIX::check_chain(), and to_string().

The documentation for this class was generated from the following files:
Generated by doxygen 1.16.1