Botan 3.3.0
Crypto and TLS for C&
Public Member Functions | Static Public Member Functions | Protected Member Functions | List of all members
Botan::X509_Certificate Class Reference

#include <x509cert.h>

Inheritance diagram for Botan::X509_Certificate:
Botan::X509_Object Botan::ASN1_Object

Public Member Functions

bool allowed_extended_usage (const OID &usage) const
 
bool allowed_extended_usage (std::string_view usage) const
 
bool allowed_usage (Key_Constraints usage) const
 
bool allowed_usage (Usage_Type usage) const
 
const std::vector< uint8_t > & authority_key_id () const
 
std::vector< uint8_t > BER_encode () const
 
std::vector< std::string > ca_issuers () const
 
const std::vector< OID > & certificate_policy_oids () const
 
bool check_signature (const Public_Key &key) const
 
Key_Constraints constraints () const
 
std::string crl_distribution_point () const
 
void decode_from (BER_Decoder &from) override
 
void encode_into (DER_Encoder &to) const override
 
const std::vector< OID > & extended_key_usage () const
 
std::string fingerprint (std::string_view hash_name="SHA-1") const
 
bool has_constraints (Key_Constraints constraints) const
 
bool has_ex_constraint (const OID &ex_constraint) const
 
bool has_ex_constraint (std::string_view ex_constraint) const
 
bool is_CA_cert () const
 
bool is_critical (std::string_view ex_name) const
 
bool is_self_signed () const
 
bool is_serial_negative () const
 
const AlternativeNameissuer_alt_name () const
 
const X509_DNissuer_dn () const
 
std::vector< std::string > issuer_info (std::string_view name) const
 
std::unique_ptr< Public_Keyload_subject_public_key () const
 
bool matches_dns_name (std::string_view name) const
 
const NameConstraintsname_constraints () const
 
const X509_Timenot_after () const
 
const X509_Timenot_before () const
 
std::string ocsp_responder () const
 
bool operator< (const X509_Certificate &other) const
 
X509_Certificateoperator= (const X509_Certificate &other)=default
 
bool operator== (const X509_Certificate &other) const
 
uint32_t path_limit () const
 
std::string PEM_encode () const
 
const std::vector< uint8_t > & raw_issuer_dn () const
 
std::vector< uint8_t > raw_issuer_dn_sha256 () const
 
const std::vector< uint8_t > & raw_subject_dn () const
 
std::vector< uint8_t > raw_subject_dn_sha256 () const
 
const std::vector< uint8_t > & serial_number () const
 
const std::vector< uint8_t > & signature () const
 
const AlgorithmIdentifiersignature_algorithm () const
 
const std::vector< uint8_t > & signed_body () const
 
const AlternativeNamesubject_alt_name () const
 
const X509_DNsubject_dn () const
 
std::vector< std::string > subject_info (std::string_view name) const
 
const std::vector< uint8_t > & subject_key_id () const
 
std::unique_ptr< Public_Keysubject_public_key () const
 
const AlgorithmIdentifiersubject_public_key_algo () const
 
const std::vector< uint8_t > & subject_public_key_bits () const
 
const std::vector< uint8_t > & subject_public_key_bitstring () const
 
const std::vector< uint8_t > & subject_public_key_bitstring_sha1 () const
 
const std::vector< uint8_t > & subject_public_key_info () const
 
std::vector< uint8_t > tbs_data () const
 
std::string to_string () const
 
const std::vector< uint8_t > & v2_issuer_key_id () const
 
const std::vector< uint8_t > & v2_subject_key_id () const
 
const Extensionsv3_extensions () const
 
std::pair< Certificate_Status_Code, std::string > verify_signature (const Public_Key &key) const
 
 X509_Certificate ()=default
 
 X509_Certificate (const std::vector< uint8_t > &in)
 
 X509_Certificate (const uint8_t data[], size_t length)
 
 X509_Certificate (const X509_Certificate &other)=default
 
 X509_Certificate (DataSource &source)
 
uint32_t x509_version () const
 

Static Public Member Functions

static std::unique_ptr< PK_Signerchoose_sig_format (const Private_Key &key, RandomNumberGenerator &rng, std::string_view hash_fn, std::string_view padding_algo)
 
static std::vector< uint8_t > make_signed (PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &tbs)
 

Protected Member Functions

void load_data (DataSource &src)
 

Detailed Description

This class represents an X.509 Certificate

Definition at line 36 of file x509cert.h.

Constructor & Destructor Documentation

◆ X509_Certificate() [1/5]

Botan::X509_Certificate::X509_Certificate ( DataSource & source)
explicit

Create a certificate from a data source providing the DER or PEM encoded certificate.

Parameters
sourcethe data source

Definition at line 78 of file x509cert.cpp.

78 {
79 load_data(src);
80}
void load_data(DataSource &src)
Definition x509_obj.cpp:24

References Botan::X509_Object::load_data().

◆ X509_Certificate() [2/5]

Botan::X509_Certificate::X509_Certificate ( const std::vector< uint8_t > & in)
explicit

Create a certificate from a buffer

Parameters
inthe buffer containing the DER-encoded certificate

Definition at line 82 of file x509cert.cpp.

82 {
83 DataSource_Memory src(vec.data(), vec.size());
84 load_data(src);
85}

References Botan::X509_Object::load_data().

◆ X509_Certificate() [3/5]

Botan::X509_Certificate::X509_Certificate ( const uint8_t data[],
size_t length )

Create a certificate from a buffer

Parameters
datathe buffer containing the DER-encoded certificate
lengthlength of data in bytes

Definition at line 87 of file x509cert.cpp.

87 {
88 DataSource_Memory src(data, len);
89 load_data(src);
90}

References Botan::X509_Object::load_data().

◆ X509_Certificate() [4/5]

Botan::X509_Certificate::X509_Certificate ( )
default

Create an uninitialized certificate object. Any attempts to access this object will throw an exception.

◆ X509_Certificate() [5/5]

Botan::X509_Certificate::X509_Certificate ( const X509_Certificate & other)
default

Member Function Documentation

◆ allowed_extended_usage() [1/2]

bool Botan::X509_Certificate::allowed_extended_usage ( const OID & usage) const

Returns true if the specified usage is set in the extended key usage extension, or if no extended key usage constraints are set at all. To check if a certain extended key constraint is set in the certificate use

See also
X509_Certificate::has_ex_constraint.

Definition at line 426 of file x509cert.cpp.

426 {
427 const std::vector<OID>& ex = extended_key_usage();
428 if(ex.empty()) {
429 return true;
430 }
431
432 if(std::find(ex.begin(), ex.end(), usage) != ex.end()) {
433 return true;
434 }
435
436 return false;
437}
const std::vector< OID > & extended_key_usage() const
Definition x509cert.cpp:394

References extended_key_usage().

◆ allowed_extended_usage() [2/2]

bool Botan::X509_Certificate::allowed_extended_usage ( std::string_view usage) const

Returns true if the specified

Parameters
usageis set in the extended key usage extension or if no extended key usage constraints are set at all. To check if a certain extended key constraint is set in the certificate use
See also
X509_Certificate::has_ex_constraint.

Definition at line 422 of file x509cert.cpp.

422 {
424}
static OID from_string(std::string_view str)
Definition asn1_oid.cpp:74
bool allowed_extended_usage(std::string_view usage) const
Definition x509cert.cpp:422

References allowed_extended_usage(), and Botan::OID::from_string().

Referenced by allowed_extended_usage(), and allowed_usage().

◆ allowed_usage() [1/2]

bool Botan::X509_Certificate::allowed_usage ( Key_Constraints usage) const

Returns true if the specified

Parameters
usageis set in the key usage extension or if no key usage constraints are set at all. To check if a certain key constraint is set in the certificate use
See also
X509_Certificate::has_constraints.

Definition at line 415 of file x509cert.cpp.

415 {
416 if(constraints().empty()) {
417 return true;
418 }
419 return constraints().includes(usage);
420}
bool includes(Key_Constraints::Bits other) const
Definition pkix_enums.h:158
Key_Constraints constraints() const
Definition x509cert.cpp:390

References constraints(), and Botan::Key_Constraints::includes().

Referenced by allowed_usage(), and Botan::PKIX::check_crl().

◆ allowed_usage() [2/2]

bool Botan::X509_Certificate::allowed_usage ( Usage_Type usage) const

Returns true if the required key and extended key constraints are set in the certificate for the specified

Parameters
usageor if no key constraints are set in both the key usage and extended key usage extension.

Definition at line 439 of file x509cert.cpp.

439 {
440 // These follow suggestions in RFC 5280 4.2.1.12
441
442 switch(usage) {
444 return true;
445
449 allowed_extended_usage("PKIX.ServerAuth");
450
453 allowed_extended_usage("PKIX.ClientAuth");
454
457 has_ex_constraint("PKIX.OCSPSigning");
458
460 return is_CA_cert();
461
464 }
465
466 return false;
467}
bool is_CA_cert() const
Definition x509cert.cpp:374
bool has_ex_constraint(std::string_view ex_constraint) const
Definition x509cert.cpp:469
bool allowed_usage(Key_Constraints usage) const
Definition x509cert.cpp:415

References allowed_extended_usage(), allowed_usage(), Botan::CERTIFICATE_AUTHORITY, Botan::Key_Constraints::DataEncipherment, Botan::Key_Constraints::DigitalSignature, Botan::ENCRYPTION, has_ex_constraint(), is_CA_cert(), Botan::Key_Constraints::KeyAgreement, Botan::Key_Constraints::KeyEncipherment, Botan::Key_Constraints::NonRepudiation, Botan::OCSP_RESPONDER, Botan::TLS_CLIENT_AUTH, Botan::TLS_SERVER_AUTH, and Botan::UNSPECIFIED.

◆ authority_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::authority_key_id ( ) const

Get the DER encoded AuthorityKeyIdentifier of this certificate.

Returns
DER encoded AuthorityKeyIdentifier

Definition at line 342 of file x509cert.cpp.

342 {
343 return data().m_authority_key_id;
344}

Referenced by Botan::PKIX::build_certificate_path(), Botan::Certificate_Store_In_Memory::find_crl_for(), Botan::X509_CRL::is_revoked(), and to_string().

◆ BER_encode()

std::vector< uint8_t > Botan::ASN1_Object::BER_encode ( ) const
inherited

Return the encoding of this object. This is a convenience method when just one object needs to be serialized. Use DER_Encoder for complicated encodings.

Definition at line 19 of file asn1_obj.cpp.

19 {
20 std::vector<uint8_t> output;
21 DER_Encoder der(output);
22 this->encode_into(der);
23 return output;
24}
virtual void encode_into(DER_Encoder &to) const =0

References Botan::ASN1_Object::encode_into().

Referenced by Botan::PSS_Params::decode_from(), Botan::Certificate_Store_In_SQL::find_all_certs(), Botan::Certificate_Store_In_SQL::find_cert(), fingerprint(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::X509_Object::PEM_encode(), and Botan::Certificate_Store_In_SQL::revoke_cert().

◆ ca_issuers()

std::vector< std::string > Botan::X509_Certificate::ca_issuers ( ) const

Return the listed addresses of ca issuers, or empty if not set

Definition at line 489 of file x509cert.cpp.

489 {
490 return data().m_ca_issuers;
491}

Referenced by to_string().

◆ certificate_policy_oids()

const std::vector< OID > & Botan::X509_Certificate::certificate_policy_oids ( ) const

Get the policies as defined in the CertificatePolicies extension of this certificate.

Returns
certificate policies

Definition at line 398 of file x509cert.cpp.

398 {
399 return data().m_cert_policies;
400}

Referenced by to_string().

◆ check_signature()

bool Botan::X509_Object::check_signature ( const Public_Key & key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data
Returns
true if the signature is valid, otherwise false

Definition at line 97 of file x509_obj.cpp.

97 {
98 const auto result = this->verify_signature(pub_key);
99 return (result.first == Certificate_Status_Code::VERIFIED);
100}
std::pair< Certificate_Status_Code, std::string > verify_signature(const Public_Key &key) const
Definition x509_obj.cpp:102

References Botan::VERIFIED, and Botan::X509_Object::verify_signature().

◆ choose_sig_format()

std::unique_ptr< PK_Signer > Botan::X509_Object::choose_sig_format ( const Private_Key & key,
RandomNumberGenerator & rng,
std::string_view hash_fn,
std::string_view padding_algo )
staticinherited

Choose and return a signature scheme appropriate for X.509 signing using the provided parameters.

Parameters
keywill be the key to choose a padding scheme for
rngthe random generator to use
hash_fnis the desired hash function
padding_algospecifies the padding method
Returns
a PK_Signer object for generating signatures

Definition at line 209 of file x509_obj.cpp.

212 {
213 const Signature_Format format = key.default_x509_signature_format();
214
215 if(!user_specified_padding.empty()) {
216 try {
217 auto pk_signer = std::make_unique<PK_Signer>(key, rng, user_specified_padding, format);
218 if(!hash_fn.empty() && pk_signer->hash_function() != hash_fn) {
219 throw Invalid_Argument(format_padding_error_message(
220 key.algo_name(), pk_signer->hash_function(), hash_fn, "", user_specified_padding));
221 }
222 return pk_signer;
223 } catch(Lookup_Error&) {}
224 }
225
226 const std::string padding = x509_signature_padding_for(key.algo_name(), hash_fn, user_specified_padding);
227
228 try {
229 auto pk_signer = std::make_unique<PK_Signer>(key, rng, padding, format);
230 if(!hash_fn.empty() && pk_signer->hash_function() != hash_fn) {
231 throw Invalid_Argument(format_padding_error_message(
232 key.algo_name(), pk_signer->hash_function(), hash_fn, padding, user_specified_padding));
233 }
234 return pk_signer;
235 } catch(Not_Implemented&) {
236 throw Invalid_Argument("Signatures using " + key.algo_name() + "/" + padding + " are not supported");
237 }
238}
Signature_Format
Definition pk_keys.h:31

References Botan::Asymmetric_Key::algo_name(), and Botan::Public_Key::default_x509_signature_format().

Referenced by Botan::PKCS10_Request::create(), Botan::X509::create_self_signed_cert(), and Botan::X509_CA::X509_CA().

◆ constraints()

Key_Constraints Botan::X509_Certificate::constraints ( ) const

Get the key constraints as defined in the KeyUsage extension of this certificate.

Returns
key constraints

Definition at line 390 of file x509cert.cpp.

390 {
391 return data().m_key_constraints;
392}

Referenced by allowed_usage(), has_constraints(), and to_string().

◆ crl_distribution_point()

std::string Botan::X509_Certificate::crl_distribution_point ( ) const

Return the CRL distribution point, or empty if not set

Definition at line 493 of file x509cert.cpp.

493 {
494 // just returns the first (arbitrarily)
495 if(!data().m_crl_distribution_points.empty()) {
496 return data().m_crl_distribution_points[0];
497 }
498 return "";
499}

Referenced by Botan::PKIX::check_crl(), and to_string().

◆ decode_from()

void Botan::X509_Object::decode_from ( BER_Decoder & from)
overridevirtualinherited

Decode a BER encoded X509_Object See ASN1_Object::decode_from()

Implements Botan::ASN1_Object.

Definition at line 68 of file x509_obj.cpp.

68 {
69 from.start_sequence()
70 .start_sequence()
71 .raw_bytes(m_tbs_bits)
72 .end_cons()
73 .decode(m_sig_algo)
74 .decode(m_sig, ASN1_Type::BitString)
75 .end_cons();
76
77 force_decode();
78}

References Botan::BitString, Botan::BER_Decoder::decode(), Botan::BER_Decoder::end_cons(), Botan::BER_Decoder::raw_bytes(), and Botan::BER_Decoder::start_sequence().

Referenced by Botan::X509_Object::load_data().

◆ encode_into()

void Botan::X509_Object::encode_into ( DER_Encoder & to) const
overridevirtualinherited

DER encode an X509_Object See ASN1_Object::encode_into()

Implements Botan::ASN1_Object.

Definition at line 55 of file x509_obj.cpp.

55 {
56 to.start_sequence()
57 .start_sequence()
58 .raw_bytes(signed_body())
59 .end_cons()
60 .encode(signature_algorithm())
62 .end_cons();
63}
const std::vector< uint8_t > & signed_body() const
Definition x509_obj.h:42
const AlgorithmIdentifier & signature_algorithm() const
Definition x509_obj.h:47
const std::vector< uint8_t > & signature() const
Definition x509_obj.h:37

References Botan::BitString, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), Botan::X509_Object::signature(), Botan::X509_Object::signature_algorithm(), Botan::X509_Object::signed_body(), and Botan::DER_Encoder::start_sequence().

◆ extended_key_usage()

const std::vector< OID > & Botan::X509_Certificate::extended_key_usage ( ) const

Get the key usage as defined in the ExtendedKeyUsage extension of this certificate, or else an empty vector.

Returns
key usage

Definition at line 394 of file x509cert.cpp.

394 {
395 return data().m_extended_key_usage;
396}

Referenced by allowed_extended_usage(), has_ex_constraint(), and to_string().

◆ fingerprint()

std::string Botan::X509_Certificate::fingerprint ( std::string_view hash_name = "SHA-1") const
Returns
a fingerprint of the certificate
Parameters
hash_namehash function used to calculate the fingerprint

Definition at line 572 of file x509cert.cpp.

572 {
573 /*
574 * The SHA-1 and SHA-256 fingerprints are precomputed since these
575 * are the most commonly used. Especially, SHA-256 fingerprints are
576 * used for cycle detection during path construction.
577 *
578 * If SHA-1 or SHA-256 was missing at parsing time the vectors are
579 * left empty in which case we fall back to create_hex_fingerprint
580 * which will throw if the hash is unavailable.
581 */
582 if(hash_name == "SHA-256" && !data().m_fingerprint_sha256.empty()) {
583 return data().m_fingerprint_sha256;
584 } else if(hash_name == "SHA-1" && !data().m_fingerprint_sha1.empty()) {
585 return data().m_fingerprint_sha1;
586 } else {
587 return create_hex_fingerprint(this->BER_encode(), hash_name);
588 }
589}
std::vector< uint8_t > BER_encode() const
Definition asn1_obj.cpp:19
std::string create_hex_fingerprint(const uint8_t bits[], size_t bits_len, std::string_view hash_name)
Definition pk_keys.cpp:30

References Botan::ASN1_Object::BER_encode(), and Botan::create_hex_fingerprint().

Referenced by Botan::Certificate_Store_In_SQL::affirm_cert(), Botan::PKIX::build_certificate_path(), Botan::Certificate_Store_In_SQL::find_key(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::Certificate_Store_In_SQL::insert_key(), Botan::Certificate_Store_In_SQL::remove_cert(), and Botan::Certificate_Store_In_SQL::revoke_cert().

◆ has_constraints()

bool Botan::X509_Certificate::has_constraints ( Key_Constraints constraints) const

Returns true if and only if the specified

Parameters
constraintsare included in the key usage extension.

Typically for applications you want allowed_usage instead.

Definition at line 410 of file x509cert.cpp.

410 {
411 // Unlike allowed_usage, returns false if constraints was not set
412 return constraints().includes(usage);
413}

References constraints(), and Botan::Key_Constraints::includes().

◆ has_ex_constraint() [1/2]

bool Botan::X509_Certificate::has_ex_constraint ( const OID & ex_constraint) const

Returns true if and only if OID

Parameters
ex_constraintis included in the extended key extension.

Definition at line 473 of file x509cert.cpp.

473 {
474 const std::vector<OID>& ex = extended_key_usage();
475 return (std::find(ex.begin(), ex.end(), usage) != ex.end());
476}

References extended_key_usage().

◆ has_ex_constraint() [2/2]

bool Botan::X509_Certificate::has_ex_constraint ( std::string_view ex_constraint) const

Returns true if and only if OID

Parameters
ex_constraintis included in the extended key extension.

Definition at line 469 of file x509cert.cpp.

469 {
470 return has_ex_constraint(OID::from_string(ex_constraint));
471}

References Botan::OID::from_string(), and has_ex_constraint().

Referenced by allowed_usage(), and has_ex_constraint().

◆ is_CA_cert()

bool Botan::X509_Certificate::is_CA_cert ( ) const

Check whether this certificate is a CA certificate.

Returns
true if this certificate is a CA certificate

Definition at line 374 of file x509cert.cpp.

374 {
375 if(data().m_version < 3 && data().m_self_signed) {
376 return true;
377 }
378
379 return data().m_is_ca_certificate;
380}

Referenced by allowed_usage(), Botan::PKIX::check_chain(), Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store(), Botan::Cert_Extension::Name_Constraints::validate(), and Botan::X509_CA::X509_CA().

◆ is_critical()

bool Botan::X509_Certificate::is_critical ( std::string_view ex_name) const

Check whenever a given X509 Extension is marked critical in this certificate.

Definition at line 481 of file x509cert.cpp.

481 {
483}
bool critical_extension_set(const OID &oid) const
Definition x509_ext.cpp:173
const Extensions & v3_extensions() const
Definition x509cert.cpp:406

References Botan::Extensions::critical_extension_set(), Botan::OID::from_string(), and v3_extensions().

Referenced by Botan::Cert_Extension::Name_Constraints::validate().

◆ is_self_signed()

bool Botan::X509_Certificate::is_self_signed ( ) const

Check whether this certificate is self signed. If the DN issuer and subject agree,

Returns
true if this certificate is self signed

Definition at line 298 of file x509cert.cpp.

298 {
299 return data().m_self_signed;
300}

Referenced by Botan::PKIX::build_certificate_path(), Botan::PKIX::check_chain(), and Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store().

◆ is_serial_negative()

bool Botan::X509_Certificate::is_serial_negative ( ) const

Get the serial number's sign

Returns
1 iff the serial is negative.

Definition at line 354 of file x509cert.cpp.

354 {
355 return data().m_serial_negative;
356}

Referenced by Botan::PKIX::check_chain().

◆ issuer_alt_name()

const AlternativeName & Botan::X509_Certificate::issuer_alt_name ( ) const

Return the issuer alternative names (DNS, IP, ...)

Definition at line 505 of file x509cert.cpp.

505 {
506 return data().m_issuer_alt_name;
507}

Referenced by issuer_info().

◆ issuer_dn()

const X509_DN & Botan::X509_Certificate::issuer_dn ( ) const

Get the certificate's issuer distinguished name (DN).

Returns
issuer DN of this certificate

Definition at line 358 of file x509cert.cpp.

358 {
359 return data().m_issuer_dn;
360}

Referenced by Botan::PKIX::build_certificate_path(), Botan::PKIX::check_chain(), Botan::Certificate_Store_In_SQL::find_crl_for(), Botan::Certificate_Store_In_Memory::find_crl_for(), Botan::X509_CRL::is_revoked(), issuer_info(), Botan::OCSP::Request::Request(), and to_string().

◆ issuer_info()

std::vector< std::string > Botan::X509_Certificate::issuer_info ( std::string_view name) const

Get a value for a specific subject_info parameter name.

Parameters
namethe name of the parameter to look up. Possible names are "X509.Certificate.v2.key_id" or "X509v3.AuthorityKeyIdentifier".
Returns
value(s) of the specified parameter

Definition at line 531 of file x509cert.cpp.

531 {
532 if(issuer_dn().has_field(req)) {
533 return issuer_dn().get_attribute(req);
534 }
535
536 if(issuer_alt_name().has_field(req)) {
537 return issuer_alt_name().get_attribute(req);
538 }
539
540 return {};
541}
std::vector< std::string > get_attribute(std::string_view attr) const
const AlternativeName & issuer_alt_name() const
Definition x509cert.cpp:505
const X509_DN & issuer_dn() const
Definition x509cert.cpp:358
std::vector< std::string > get_attribute(std::string_view attr) const
Definition x509_dn.cpp:172

References Botan::X509_DN::get_attribute(), Botan::AlternativeName::get_attribute(), issuer_alt_name(), and issuer_dn().

◆ load_data()

void Botan::X509_Object::load_data ( DataSource & src)
protectedinherited

Decodes from src as either DER or PEM data, then calls force_decode()

Definition at line 24 of file x509_obj.cpp.

24 {
25 try {
26 if(ASN1::maybe_BER(in) && !PEM_Code::matches(in)) {
27 BER_Decoder dec(in);
28 decode_from(dec);
29 } else {
30 std::string got_label;
31 DataSource_Memory ber(PEM_Code::decode(in, got_label));
32
33 if(got_label != PEM_label()) {
34 bool is_alternate = false;
35 for(std::string_view alt_label : alternate_PEM_labels()) {
36 if(got_label == alt_label) {
37 is_alternate = true;
38 break;
39 }
40 }
41
42 if(!is_alternate) {
43 throw Decoding_Error("Unexpected PEM label for " + PEM_label() + " of " + got_label);
44 }
45 }
46
47 BER_Decoder dec(ber);
48 decode_from(dec);
49 }
50 } catch(Decoding_Error& e) {
51 throw Decoding_Error(PEM_label() + " decoding", e);
52 }
53}
void decode_from(BER_Decoder &from) override
Definition x509_obj.cpp:68
virtual std::vector< std::string > alternate_PEM_labels() const
Definition x509_obj.h:101
virtual std::string PEM_label() const =0
bool maybe_BER(DataSource &source)
Definition asn1_obj.cpp:192
bool matches(DataSource &source, std::string_view extra, size_t search_range)
Definition pem.cpp:137
secure_vector< uint8_t > decode(DataSource &source, std::string &label)
Definition pem.cpp:62

References Botan::X509_Object::alternate_PEM_labels(), Botan::PEM_Code::decode(), Botan::X509_Object::decode_from(), Botan::PEM_Code::matches(), Botan::ASN1::maybe_BER(), and Botan::X509_Object::PEM_label().

Referenced by Botan::PKCS10_Request::PKCS10_Request(), Botan::PKCS10_Request::PKCS10_Request(), X509_Certificate(), X509_Certificate(), X509_Certificate(), Botan::X509_CRL::X509_CRL(), and Botan::X509_CRL::X509_CRL().

◆ load_subject_public_key()

std::unique_ptr< Public_Key > Botan::X509_Certificate::load_subject_public_key ( ) const

Create a public key object associated with the public key bits in this certificate. If the public key bits was valid for X.509 encoding purposes but invalid algorithmically (for example, RSA with an even modulus) that will be detected at this point, and an exception will be thrown.

Returns
subject public key of this certificate

Definition at line 554 of file x509cert.cpp.

554 {
555 return this->subject_public_key();
556}
std::unique_ptr< Public_Key > subject_public_key() const
Definition x509cert.cpp:546

References subject_public_key().

◆ make_signed()

std::vector< uint8_t > Botan::X509_Object::make_signed ( PK_Signer & signer,
RandomNumberGenerator & rng,
const AlgorithmIdentifier & alg_id,
const secure_vector< uint8_t > & tbs )
staticinherited

Create a signed X509 object.

Parameters
signerthe signer used to sign the object
rngthe random number generator to use
alg_idthe algorithm identifier of the signature scheme
tbsthe tbs bits to be signed
Returns
signed X509 object

Definition at line 125 of file x509_obj.cpp.

128 {
129 const std::vector<uint8_t> signature = signer.sign_message(tbs_bits, rng);
130
131 std::vector<uint8_t> output;
132 DER_Encoder(output)
133 .start_sequence()
134 .raw_bytes(tbs_bits)
135 .encode(algo)
137 .end_cons();
138
139 return output;
140}

References Botan::BitString, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), Botan::PK_Signer::sign_message(), Botan::X509_Object::signature(), and Botan::DER_Encoder::start_sequence().

Referenced by Botan::PKCS10_Request::create(), and Botan::X509_CA::make_cert().

◆ matches_dns_name()

bool Botan::X509_Certificate::matches_dns_name ( std::string_view name) const

Check if a certain DNS name matches up with the information in the cert

Parameters
nameDNS name to match

Definition at line 591 of file x509cert.cpp.

591 {
592 if(name.empty()) {
593 return false;
594 }
595
596 auto issued_names = subject_info("DNS");
597
598 // Fall back to CN only if no DNS names are set (RFC 6125 sec 6.4.4)
599 if(issued_names.empty()) {
600 issued_names = subject_info("Name");
601 }
602
603 for(const auto& issued_name : issued_names) {
604 if(host_wildcard_match(issued_name, name)) {
605 return true;
606 }
607 }
608
609 return false;
610}
std::vector< std::string > subject_info(std::string_view name) const
Definition x509cert.cpp:512
std::string name
bool host_wildcard_match(std::string_view issued_, std::string_view host_)
Definition parsing.cpp:207

References Botan::host_wildcard_match(), name, and subject_info().

◆ name_constraints()

const NameConstraints & Botan::X509_Certificate::name_constraints ( ) const

Get the name constraints as defined in the NameConstraints extension of this certificate.

Returns
name constraints

Definition at line 402 of file x509cert.cpp.

402 {
403 return data().m_name_constraints;
404}

Referenced by to_string().

◆ not_after()

const X509_Time & Botan::X509_Certificate::not_after ( ) const

Get the notAfter of the certificate as X509_Time

Returns
notAfter of the certificate

Definition at line 306 of file x509cert.cpp.

306 {
307 return data().m_not_after;
308}

Referenced by Botan::PKIX::check_chain(), and to_string().

◆ not_before()

const X509_Time & Botan::X509_Certificate::not_before ( ) const

Get the notBefore of the certificate as X509_Time

Returns
notBefore of the certificate

Definition at line 302 of file x509cert.cpp.

302 {
303 return data().m_not_before;
304}

Referenced by Botan::PKIX::check_chain(), and to_string().

◆ ocsp_responder()

std::string Botan::X509_Certificate::ocsp_responder ( ) const

Return the listed address of an OCSP responder, or empty if not set

Definition at line 485 of file x509cert.cpp.

485 {
486 return data().m_ocsp_responder;
487}

Referenced by to_string().

◆ operator<()

bool Botan::X509_Certificate::operator< ( const X509_Certificate & other) const

Impose an arbitrary (but consistent) ordering, eg to allow sorting a container of certificate objects.

Returns
true if this is less than other by some unspecified criteria

Definition at line 620 of file x509cert.cpp.

620 {
621 /* If signature values are not equal, sort by lexicographic ordering of that */
622 if(this->signature() != other.signature()) {
623 return (this->signature() < other.signature());
624 }
625
626 // Then compare the signed contents
627 return this->signed_body() < other.signed_body();
628}

References Botan::X509_Object::signature(), and Botan::X509_Object::signed_body().

◆ operator=()

X509_Certificate & Botan::X509_Certificate::operator= ( const X509_Certificate & other)
default

◆ operator==()

bool Botan::X509_Certificate::operator== ( const X509_Certificate & other) const

Check to certificates for equality.

Returns
true both certificates are (binary) equal

Definition at line 615 of file x509cert.cpp.

615 {
616 return (this->signature() == other.signature() && this->signature_algorithm() == other.signature_algorithm() &&
617 this->signed_body() == other.signed_body());
618}

References Botan::X509_Object::signature(), Botan::X509_Object::signature_algorithm(), and Botan::X509_Object::signed_body().

◆ path_limit()

uint32_t Botan::X509_Certificate::path_limit ( ) const

Get the path limit as defined in the BasicConstraints extension of this certificate.

Returns
path limit

Definition at line 382 of file x509cert.cpp.

382 {
383 if(data().m_version < 3 && data().m_self_signed) {
384 return 32; // in theory infinite, but this is more than enough
385 }
386
387 return static_cast<uint32_t>(data().m_path_len_constraint);
388}

Referenced by Botan::PKIX::check_chain().

◆ PEM_encode()

std::string Botan::X509_Object::PEM_encode ( ) const
inherited
Returns
PEM encoding of this

Definition at line 83 of file x509_obj.cpp.

83 {
85}
std::string encode(const uint8_t der[], size_t length, std::string_view label, size_t width)
Definition pem.cpp:39

References Botan::ASN1_Object::BER_encode(), Botan::PEM_Code::encode(), and Botan::X509_Object::PEM_label().

◆ raw_issuer_dn()

const std::vector< uint8_t > & Botan::X509_Certificate::raw_issuer_dn ( ) const

Raw issuer DN bits

Definition at line 366 of file x509cert.cpp.

366 {
367 return data().m_issuer_dn_bits;
368}

Referenced by Botan::OCSP::CertID::is_id_for().

◆ raw_issuer_dn_sha256()

std::vector< uint8_t > Botan::X509_Certificate::raw_issuer_dn_sha256 ( ) const

SHA-256 of Raw issuer DN

Definition at line 558 of file x509cert.cpp.

558 {
559 if(data().m_issuer_dn_bits_sha256.empty()) {
560 throw Encoding_Error("X509_Certificate::raw_issuer_dn_sha256 called but SHA-256 disabled in build");
561 }
562 return data().m_issuer_dn_bits_sha256;
563}

◆ raw_subject_dn()

const std::vector< uint8_t > & Botan::X509_Certificate::raw_subject_dn ( ) const

Raw subject DN

Definition at line 370 of file x509cert.cpp.

370 {
371 return data().m_subject_dn_bits;
372}

Referenced by Botan::OCSP::CertID::CertID().

◆ raw_subject_dn_sha256()

std::vector< uint8_t > Botan::X509_Certificate::raw_subject_dn_sha256 ( ) const

SHA-256 of Raw subject DN

Definition at line 565 of file x509cert.cpp.

565 {
566 if(data().m_subject_dn_bits_sha256.empty()) {
567 throw Encoding_Error("X509_Certificate::raw_subject_dn_sha256 called but SHA-256 disabled in build");
568 }
569 return data().m_subject_dn_bits_sha256;
570}

Referenced by Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store().

◆ serial_number()

const std::vector< uint8_t > & Botan::X509_Certificate::serial_number ( ) const

Get the serial number of this certificate.

Returns
certificates serial number

Definition at line 350 of file x509cert.cpp.

350 {
351 return data().m_serial;
352}

Referenced by Botan::CRL_Entry::CRL_Entry(), Botan::OCSP::CertID::is_id_for(), Botan::X509_CRL::is_revoked(), and to_string().

◆ signature()

const std::vector< uint8_t > & Botan::X509_Object::signature ( ) const
inlineinherited
Returns
signature on tbs_data()

Definition at line 37 of file x509_obj.h.

37{ return m_sig; }

Referenced by Botan::X509_Object::encode_into(), Botan::X509_Object::make_signed(), operator<(), operator==(), and Botan::X509_Object::verify_signature().

◆ signature_algorithm()

const AlgorithmIdentifier & Botan::X509_Object::signature_algorithm ( ) const
inlineinherited
Returns
signature algorithm that was used to generate signature

Definition at line 47 of file x509_obj.h.

47{ return m_sig_algo; }

Referenced by Botan::PKIX::check_chain(), Botan::X509_Object::encode_into(), operator==(), to_string(), and Botan::X509_Object::verify_signature().

◆ signed_body()

const std::vector< uint8_t > & Botan::X509_Object::signed_body ( ) const
inlineinherited
Returns
signed body

Definition at line 42 of file x509_obj.h.

42{ return m_tbs_bits; }

Referenced by Botan::X509_Object::encode_into(), operator<(), and operator==().

◆ subject_alt_name()

const AlternativeName & Botan::X509_Certificate::subject_alt_name ( ) const

Return the subject alternative names (DNS, IP, ...)

Definition at line 501 of file x509cert.cpp.

501 {
502 return data().m_subject_alt_name;
503}

Referenced by Botan::GeneralName::matches(), and subject_info().

◆ subject_dn()

const X509_DN & Botan::X509_Certificate::subject_dn ( ) const

◆ subject_info()

std::vector< std::string > Botan::X509_Certificate::subject_info ( std::string_view name) const

Get a value for a specific subject_info parameter name.

Parameters
namethe name of the parameter to look up. Possible names include "X509.Certificate.version", "X509.Certificate.serial", "X509.Certificate.start", "X509.Certificate.end", "X509.Certificate.v2.key_id", "X509.Certificate.public_key", "X509v3.BasicConstraints.path_constraint", "X509v3.BasicConstraints.is_ca", "X509v3.NameConstraints", "X509v3.ExtendedKeyUsage", "X509v3.CertificatePolicies", "X509v3.SubjectKeyIdentifier", "X509.Certificate.serial", "X520.CommonName", "X520.Organization", "X520.Country", "RFC822" (Email in SAN) or "PKCS9.EmailAddress" (Email in DN).
Returns
value(s) of the specified parameter

Definition at line 512 of file x509cert.cpp.

512 {
513 if(req == "Email") {
514 return this->subject_info("RFC822");
515 }
516
517 if(subject_dn().has_field(req)) {
518 return subject_dn().get_attribute(req);
519 }
520
521 if(subject_alt_name().has_field(req)) {
522 return subject_alt_name().get_attribute(req);
523 }
524
525 return {};
526}
const X509_DN & subject_dn() const
Definition x509cert.cpp:362
const AlternativeName & subject_alt_name() const
Definition x509cert.cpp:501

References Botan::X509_DN::get_attribute(), Botan::AlternativeName::get_attribute(), subject_alt_name(), subject_dn(), and subject_info().

Referenced by matches_dns_name(), and subject_info().

◆ subject_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_key_id ( ) const

Get the DER encoded SubjectKeyIdentifier of this certificate.

Returns
DER encoded SubjectKeyIdentifier

Definition at line 346 of file x509cert.cpp.

346 {
347 return data().m_subject_key_id;
348}

Referenced by Botan::Certificate_Store::certificate_known(), Botan::X509_CA::choose_extensions(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::Certificate_Store_In_SQL::remove_cert(), and to_string().

◆ subject_public_key()

std::unique_ptr< Public_Key > Botan::X509_Certificate::subject_public_key ( ) const

Create a public key object associated with the public key bits in this certificate. If the public key bits was valid for X.509 encoding purposes but invalid algorithmically (for example, RSA with an even modulus) that will be detected at this point, and an exception will be thrown.

Returns
subject public key of this certificate

Definition at line 546 of file x509cert.cpp.

546 {
547 try {
548 return std::unique_ptr<Public_Key>(X509::load_key(subject_public_key_info()));
549 } catch(std::exception& e) {
550 throw Decoding_Error("X509_Certificate::subject_public_key", e);
551 }
552}
const std::vector< uint8_t > & subject_public_key_info() const
Definition x509cert.cpp:326
std::unique_ptr< Public_Key > load_key(DataSource &source)
Definition x509_key.cpp:28

References Botan::X509::load_key(), and subject_public_key_info().

Referenced by Botan::PKIX::check_chain(), Botan::PKIX::check_crl(), load_subject_public_key(), to_string(), Botan::TLS::Certificate_Verify_12::verify(), and Botan::OCSP::Response::verify_signature().

◆ subject_public_key_algo()

const AlgorithmIdentifier & Botan::X509_Certificate::subject_public_key_algo ( ) const

Return the algorithm identifier of the public key

Definition at line 310 of file x509cert.cpp.

310 {
311 return data().m_subject_public_key_algid;
312}

Referenced by to_string().

◆ subject_public_key_bits()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_bits ( ) const

Get the public key associated with this certificate. This includes the outer AlgorithmIdentifier

Returns
subject public key of this certificate

Definition at line 322 of file x509cert.cpp.

322 {
323 return data().m_subject_public_key_bits;
324}

◆ subject_public_key_bitstring()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_bitstring ( ) const

Get the bit string of the public key associated with this certificate

Returns
public key bits

Definition at line 330 of file x509cert.cpp.

330 {
331 return data().m_subject_public_key_bitstring;
332}

Referenced by Botan::OCSP::CertID::CertID(), and Botan::OCSP::CertID::is_id_for().

◆ subject_public_key_bitstring_sha1()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_bitstring_sha1 ( ) const

Get the SHA-1 bit string of the public key associated with this certificate. This is used for OCSP among other protocols. This function will throw if SHA-1 is not available.

Returns
hash of subject public key of this certificate

Definition at line 334 of file x509cert.cpp.

334 {
335 if(data().m_subject_public_key_bitstring_sha1.empty()) {
336 throw Encoding_Error("X509_Certificate::subject_public_key_bitstring_sha1 called but SHA-1 disabled in build");
337 }
338
339 return data().m_subject_public_key_bitstring_sha1;
340}

Referenced by Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store().

◆ subject_public_key_info()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_info ( ) const

Get the SubjectPublicKeyInfo associated with this certificate.

Returns
subject public key info of this certificate

Definition at line 326 of file x509cert.cpp.

326 {
327 return data().m_subject_public_key_bits_seq;
328}

Referenced by subject_public_key().

◆ tbs_data()

std::vector< uint8_t > Botan::X509_Object::tbs_data ( ) const
inherited

The underlying data that is to be or was signed

Returns
data that is or was signed

Definition at line 90 of file x509_obj.cpp.

90 {
91 return ASN1::put_in_sequence(m_tbs_bits);
92}
std::vector< uint8_t > put_in_sequence(const std::vector< uint8_t > &contents)
Definition asn1_obj.cpp:172

References Botan::ASN1::put_in_sequence().

Referenced by Botan::X509_Object::verify_signature().

◆ to_string()

std::string Botan::X509_Certificate::to_string ( ) const
Returns
a free-form string describing the certificate

Definition at line 637 of file x509cert.cpp.

637 {
638 std::ostringstream out;
639
640 out << "Version: " << this->x509_version() << "\n";
641 out << "Subject: " << subject_dn() << "\n";
642 out << "Issuer: " << issuer_dn() << "\n";
643 out << "Issued: " << this->not_before().readable_string() << "\n";
644 out << "Expires: " << this->not_after().readable_string() << "\n";
645
646 out << "Constraints:\n";
647 Key_Constraints constraints = this->constraints();
648 if(constraints.empty()) {
649 out << " None\n";
650 } else {
652 out << " Digital Signature\n";
653 }
655 out << " Non-Repudiation\n";
656 }
658 out << " Key Encipherment\n";
659 }
661 out << " Data Encipherment\n";
662 }
664 out << " Key Agreement\n";
665 }
667 out << " Cert Sign\n";
668 }
670 out << " CRL Sign\n";
671 }
673 out << " Encipher Only\n";
674 }
676 out << " Decipher Only\n";
677 }
678 }
679
680 const std::vector<OID>& policies = this->certificate_policy_oids();
681 if(!policies.empty()) {
682 out << "Policies: "
683 << "\n";
684 for(const auto& oid : policies) {
685 out << " " << oid.to_string() << "\n";
686 }
687 }
688
689 const std::vector<OID>& ex_constraints = this->extended_key_usage();
690 if(!ex_constraints.empty()) {
691 out << "Extended Constraints:\n";
692 for(auto&& oid : ex_constraints) {
693 out << " " << oid.to_formatted_string() << "\n";
694 }
695 }
696
697 const NameConstraints& name_constraints = this->name_constraints();
698
699 if(!name_constraints.permitted().empty() || !name_constraints.excluded().empty()) {
700 out << "Name Constraints:\n";
701
702 if(!name_constraints.permitted().empty()) {
703 out << " Permit";
704 for(const auto& st : name_constraints.permitted()) {
705 out << " " << st.base();
706 }
707 out << "\n";
708 }
709
710 if(!name_constraints.excluded().empty()) {
711 out << " Exclude";
712 for(const auto& st : name_constraints.excluded()) {
713 out << " " << st.base();
714 }
715 out << "\n";
716 }
717 }
718
719 if(!ocsp_responder().empty()) {
720 out << "OCSP responder " << ocsp_responder() << "\n";
721 }
722
723 const std::vector<std::string> ca_issuers = this->ca_issuers();
724 if(!ca_issuers.empty()) {
725 out << "CA Issuers:\n";
726 for(const auto& ca_issuer : ca_issuers) {
727 out << " URI: " << ca_issuer << "\n";
728 }
729 }
730
731 if(!crl_distribution_point().empty()) {
732 out << "CRL " << crl_distribution_point() << "\n";
733 }
734
735 out << "Signature algorithm: " << this->signature_algorithm().oid().to_formatted_string() << "\n";
736
737 out << "Serial number: " << hex_encode(this->serial_number()) << "\n";
738
739 if(!this->authority_key_id().empty()) {
740 out << "Authority keyid: " << hex_encode(this->authority_key_id()) << "\n";
741 }
742
743 if(!this->subject_key_id().empty()) {
744 out << "Subject keyid: " << hex_encode(this->subject_key_id()) << "\n";
745 }
746
747 try {
748 auto pubkey = this->subject_public_key();
749 out << "Public Key [" << pubkey->algo_name() << "-" << pubkey->key_length() << "]\n\n";
750 out << X509::PEM_encode(*pubkey);
751 } catch(Decoding_Error&) {
752 const AlgorithmIdentifier& alg_id = this->subject_public_key_algo();
753 out << "Failed to decode key with oid " << alg_id.oid().to_string() << "\n";
754 }
755
756 return out.str();
757}
std::string readable_string() const
Returns a human friendly string replesentation of no particular formatting.
Definition asn1_time.cpp:92
const OID & oid() const
Definition asn1_obj.h:455
const std::vector< GeneralSubtree > & permitted() const
Definition pkix_types.h:313
const std::vector< GeneralSubtree > & excluded() const
Definition pkix_types.h:318
std::string to_formatted_string() const
Definition asn1_oid.cpp:114
const NameConstraints & name_constraints() const
Definition x509cert.cpp:402
const std::vector< uint8_t > & serial_number() const
Definition x509cert.cpp:350
const X509_Time & not_after() const
Definition x509cert.cpp:306
const std::vector< uint8_t > & authority_key_id() const
Definition x509cert.cpp:342
const std::vector< uint8_t > & subject_key_id() const
Definition x509cert.cpp:346
std::string ocsp_responder() const
Definition x509cert.cpp:485
uint32_t x509_version() const
Definition x509cert.cpp:294
std::string crl_distribution_point() const
Definition x509cert.cpp:493
const std::vector< OID > & certificate_policy_oids() const
Definition x509cert.cpp:398
const AlgorithmIdentifier & subject_public_key_algo() const
Definition x509cert.cpp:310
std::vector< std::string > ca_issuers() const
Definition x509cert.cpp:489
const X509_Time & not_before() const
Definition x509cert.cpp:302
std::string PEM_encode(const Public_Key &key)
Definition x509_key.cpp:21
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
Definition hex.cpp:33

References authority_key_id(), ca_issuers(), certificate_policy_oids(), constraints(), crl_distribution_point(), Botan::Key_Constraints::CrlSign, Botan::Key_Constraints::DataEncipherment, Botan::Key_Constraints::DecipherOnly, Botan::Key_Constraints::DigitalSignature, Botan::Key_Constraints::empty(), Botan::Key_Constraints::EncipherOnly, Botan::NameConstraints::excluded(), extended_key_usage(), Botan::hex_encode(), Botan::Key_Constraints::includes(), issuer_dn(), Botan::Key_Constraints::KeyAgreement, Botan::Key_Constraints::KeyCertSign, Botan::Key_Constraints::KeyEncipherment, name_constraints(), Botan::Key_Constraints::NonRepudiation, not_after(), not_before(), ocsp_responder(), Botan::AlgorithmIdentifier::oid(), Botan::X509::PEM_encode(), Botan::NameConstraints::permitted(), Botan::ASN1_Time::readable_string(), serial_number(), Botan::X509_Object::signature_algorithm(), subject_dn(), subject_key_id(), subject_public_key(), subject_public_key_algo(), Botan::OID::to_formatted_string(), Botan::OID::to_string(), and x509_version().

◆ v2_issuer_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::v2_issuer_key_id ( ) const

Return the v2 issuer key ID. v2 key IDs are almost never used, instead see v3_subject_key_id.

Definition at line 314 of file x509cert.cpp.

314 {
315 return data().m_v2_issuer_key_id;
316}

Referenced by Botan::PKIX::check_chain().

◆ v2_subject_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::v2_subject_key_id ( ) const

Return the v2 subject key ID. v2 key IDs are almost never used, instead see v3_subject_key_id.

Definition at line 318 of file x509cert.cpp.

318 {
319 return data().m_v2_subject_key_id;
320}

Referenced by Botan::PKIX::check_chain().

◆ v3_extensions()

const Extensions & Botan::X509_Certificate::v3_extensions ( ) const

Get all extensions of this certificate.

Returns
certificate extensions

Definition at line 406 of file x509cert.cpp.

406 {
407 return data().m_v3_extensions;
408}

Referenced by Botan::PKIX::check_chain(), and is_critical().

◆ verify_signature()

std::pair< Certificate_Status_Code, std::string > Botan::X509_Object::verify_signature ( const Public_Key & key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data
Returns
status of the signature - OK if verified or otherwise an indicator of the problem preventing verification, along with the hash function that was used, for further policy checks. The second parameter is empty unless the validation was sucessful.

Definition at line 102 of file x509_obj.cpp.

102 {
103 try {
104 PK_Verifier verifier(pub_key, signature_algorithm());
105 const bool valid = verifier.verify_message(tbs_data(), signature());
106
107 if(valid) {
108 return std::make_pair(Certificate_Status_Code::VERIFIED, verifier.hash_function());
109 } else {
110 return std::make_pair(Certificate_Status_Code::SIGNATURE_ERROR, "");
111 }
112 } catch(Decoding_Error&) {
114 } catch(Algorithm_Not_Found&) {
115 return std::make_pair(Certificate_Status_Code::SIGNATURE_ALGO_UNKNOWN, "");
116 } catch(...) {
117 // This shouldn't happen, fallback to generic signature error
118 return std::make_pair(Certificate_Status_Code::SIGNATURE_ERROR, "");
119 }
120}
std::vector< uint8_t > tbs_data() const
Definition x509_obj.cpp:90

References Botan::PK_Verifier::hash_function(), Botan::X509_Object::signature(), Botan::SIGNATURE_ALGO_BAD_PARAMS, Botan::SIGNATURE_ALGO_UNKNOWN, Botan::X509_Object::signature_algorithm(), Botan::SIGNATURE_ERROR, Botan::X509_Object::tbs_data(), Botan::VERIFIED, and Botan::PK_Verifier::verify_message().

Referenced by Botan::PKIX::check_chain(), and Botan::X509_Object::check_signature().

◆ x509_version()

uint32_t Botan::X509_Certificate::x509_version ( ) const

Get the X509 version of this certificate object.

Returns
X509 version

Definition at line 294 of file x509cert.cpp.

294 {
295 return static_cast<uint32_t>(data().m_version);
296}

Referenced by Botan::PKIX::check_chain(), and to_string().


The documentation for this class was generated from the following files: