Botan  2.7.0
Crypto and TLS for C++11
Public Member Functions | Static Public Member Functions | Protected Member Functions | List of all members
Botan::X509_Certificate Class Reference

#include <x509cert.h>

Inheritance diagram for Botan::X509_Certificate:
Botan::X509_Object Botan::ASN1_Object

Public Member Functions

bool allowed_extended_usage (const std::string &usage) const
 
bool allowed_extended_usage (const OID &usage) const
 
bool allowed_usage (Key_Constraints usage) const
 
bool allowed_usage (Usage_Type usage) const
 
const std::vector< uint8_t > & authority_key_id () const
 
std::vector< uint8_t > BER_encode () const
 
std::vector< std::string > ca_issuers () const
 
const std::vector< OID > & certificate_policy_oids () const
 
bool check_signature (const Public_Key &key) const
 
bool check_signature (const Public_Key *key) const
 
Key_Constraints constraints () const
 
std::string crl_distribution_point () const
 
void decode_from (class BER_Decoder &from) override
 
void encode_into (class DER_Encoder &to) const override
 
std::string end_time () const
 
std::vector< std::string > ex_constraints () const
 
const std::vector< OID > & extended_key_usage () const
 
std::string fingerprint (const std::string &hash_name="SHA-1") const
 
bool has_constraints (Key_Constraints constraints) const
 
bool has_ex_constraint (const std::string &ex_constraint) const
 
bool has_ex_constraint (const OID &ex_constraint) const
 
std::string hash_used_for_signature () const
 
bool is_CA_cert () const
 
bool is_critical (const std::string &ex_name) const
 
bool is_self_signed () const
 
bool is_serial_negative () const
 
const AlternativeNameissuer_alt_name () const
 
const X509_DNissuer_dn () const
 
std::vector< std::string > issuer_info (const std::string &name) const
 
std::unique_ptr< Public_Keyload_subject_public_key () const
 
bool matches_dns_name (const std::string &name) const
 
const NameConstraintsname_constraints () const
 
const X509_Timenot_after () const
 
const X509_Timenot_before () const
 
std::string ocsp_responder () const
 
bool operator< (const X509_Certificate &other) const
 
X509_Certificateoperator= (const X509_Certificate &other)=default
 
bool operator== (const X509_Certificate &other) const
 
uint32_t path_limit () const
 
std::string PEM_encode () const
 
std::vector< std::string > policies () const
 
const std::vector< uint8_t > & raw_issuer_dn () const
 
std::vector< uint8_t > raw_issuer_dn_sha256 () const
 
const std::vector< uint8_t > & raw_subject_dn () const
 
std::vector< uint8_t > raw_subject_dn_sha256 () const
 
const std::vector< uint8_t > & serial_number () const
 
const std::vector< uint8_t > & signature () const
 
const AlgorithmIdentifiersignature_algorithm () const
 
const std::vector< uint8_t > & signed_body () const
 
std::string start_time () const
 
const AlternativeNamesubject_alt_name () const
 
const X509_DNsubject_dn () const
 
std::vector< std::string > subject_info (const std::string &name) const
 
const std::vector< uint8_t > & subject_key_id () const
 
Public_Keysubject_public_key () const
 
const AlgorithmIdentifiersubject_public_key_algo () const
 
const std::vector< uint8_t > & subject_public_key_bits () const
 
const std::vector< uint8_t > & subject_public_key_bitstring () const
 
const std::vector< uint8_t > & subject_public_key_bitstring_sha1 () const
 
const std::vector< uint8_t > & subject_public_key_info () const
 
std::vector< uint8_t > tbs_data () const
 
std::string to_string () const
 
const std::vector< uint8_t > & v2_issuer_key_id () const
 
const std::vector< uint8_t > & v2_subject_key_id () const
 
const Extensionsv3_extensions () const
 
Certificate_Status_Code verify_signature (const Public_Key &key) const
 
 X509_Certificate (DataSource &source)
 
 X509_Certificate (const std::vector< uint8_t > &in)
 
 X509_Certificate (const uint8_t data[], size_t length)
 
 X509_Certificate ()=default
 
 X509_Certificate (const X509_Certificate &other)=default
 
uint32_t x509_version () const
 

Static Public Member Functions

static std::unique_ptr< PK_Signerchoose_sig_format (AlgorithmIdentifier &sig_algo, const Private_Key &key, RandomNumberGenerator &rng, const std::string &hash_fn, const std::string &padding_algo)
 
static std::vector< uint8_t > make_signed (class PK_Signer *signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &tbs)
 

Protected Member Functions

void load_data (DataSource &src)
 

Detailed Description

This class represents an X.509 Certificate

Definition at line 39 of file x509cert.h.

Constructor & Destructor Documentation

◆ X509_Certificate() [1/5]

Botan::X509_Certificate::X509_Certificate ( DataSource source)
explicit

Create a certificate from a data source providing the DER or PEM encoded certificate.

Parameters
sourcethe data source

Definition at line 78 of file x509cert.cpp.

References Botan::X509_Object::load_data().

79  {
80  load_data(src);
81  }
void load_data(DataSource &src)
Definition: x509_obj.cpp:53

◆ X509_Certificate() [2/5]

Botan::X509_Certificate::X509_Certificate ( const std::vector< uint8_t > &  in)
explicit

Create a certificate from a buffer

Parameters
inthe buffer containing the DER-encoded certificate

Definition at line 83 of file x509cert.cpp.

References Botan::X509_Object::load_data().

84  {
85  DataSource_Memory src(vec.data(), vec.size());
86  load_data(src);
87  }
void load_data(DataSource &src)
Definition: x509_obj.cpp:53

◆ X509_Certificate() [3/5]

Botan::X509_Certificate::X509_Certificate ( const uint8_t  data[],
size_t  length 
)

Create a certificate from a buffer

Parameters
datathe buffer containing the DER-encoded certificate
lengthlength of data in bytes

Definition at line 89 of file x509cert.cpp.

References Botan::X509_Object::load_data().

90  {
91  DataSource_Memory src(data, len);
92  load_data(src);
93  }
void load_data(DataSource &src)
Definition: x509_obj.cpp:53

◆ X509_Certificate() [4/5]

Botan::X509_Certificate::X509_Certificate ( )
default

Create an uninitialized certificate object. Any attempts to access this object will throw an exception.

◆ X509_Certificate() [5/5]

Botan::X509_Certificate::X509_Certificate ( const X509_Certificate other)
default

Member Function Documentation

◆ allowed_extended_usage() [1/2]

bool Botan::X509_Certificate::allowed_extended_usage ( const std::string &  usage) const

Returns true if the specified

Parameters
usageis set in the extended key usage extension or if no extended key usage constraints are set at all. To check if a certain extended key constraint is set in the certificate use
See also
X509_Certificate::has_ex_constraint.

Definition at line 485 of file x509cert.cpp.

References Botan::OIDS::str2oid().

Referenced by allowed_usage().

486  {
487  return allowed_extended_usage(OIDS::str2oid(usage));
488  }
OID str2oid(const std::string &name)
Definition: oids.h:53
bool allowed_extended_usage(const std::string &usage) const
Definition: x509cert.cpp:485

◆ allowed_extended_usage() [2/2]

bool Botan::X509_Certificate::allowed_extended_usage ( const OID usage) const

Returns true if the specified usage is set in the extended key usage extension, or if no extended key usage constraints are set at all. To check if a certain extended key constraint is set in the certificate use

See also
X509_Certificate::has_ex_constraint.

Definition at line 490 of file x509cert.cpp.

References extended_key_usage().

491  {
492  const std::vector<OID>& ex = extended_key_usage();
493  if(ex.empty())
494  return true;
495 
496  if(std::find(ex.begin(), ex.end(), usage) != ex.end())
497  return true;
498 
499  return false;
500  }
const std::vector< OID > & extended_key_usage() const
Definition: x509cert.cpp:458

◆ allowed_usage() [1/2]

bool Botan::X509_Certificate::allowed_usage ( Key_Constraints  usage) const

Returns true if the specified

Parameters
usageis set in the key usage extension or if no key usage constraints are set at all. To check if a certain key constraint is set in the certificate use
See also
X509_Certificate::has_constraints.

Definition at line 478 of file x509cert.cpp.

References constraints(), and Botan::NO_CONSTRAINTS.

Referenced by allowed_usage().

479  {
480  if(constraints() == NO_CONSTRAINTS)
481  return true;
482  return ((constraints() & usage) == usage);
483  }
Key_Constraints constraints() const
Definition: x509cert.cpp:453

◆ allowed_usage() [2/2]

bool Botan::X509_Certificate::allowed_usage ( Usage_Type  usage) const

Returns true if the required key and extended key constraints are set in the certificate for the specified

Parameters
usageor if no key constraints are set in both the key usage and extended key usage extension.

Definition at line 502 of file x509cert.cpp.

References allowed_extended_usage(), allowed_usage(), Botan::CERTIFICATE_AUTHORITY, Botan::DIGITAL_SIGNATURE, is_CA_cert(), Botan::KEY_AGREEMENT, Botan::KEY_ENCIPHERMENT, Botan::NON_REPUDIATION, Botan::OCSP_RESPONDER, Botan::TLS_CLIENT_AUTH, Botan::TLS_SERVER_AUTH, and Botan::UNSPECIFIED.

503  {
504  // These follow suggestions in RFC 5280 4.2.1.12
505 
506  switch(usage)
507  {
509  return true;
510 
513 
516 
519 
521  return is_CA_cert();
522  }
523 
524  return false;
525  }
bool allowed_usage(Key_Constraints usage) const
Definition: x509cert.cpp:478
bool is_CA_cert() const
Definition: x509cert.cpp:443
bool allowed_extended_usage(const std::string &usage) const
Definition: x509cert.cpp:485

◆ authority_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::authority_key_id ( ) const

Get the DER encoded AuthorityKeyIdentifier of this certificate.

Returns
DER encoded AuthorityKeyIdentifier

Definition at line 402 of file x509cert.cpp.

Referenced by Botan::PKIX::build_certificate_path(), Botan::Certificate_Store_In_Memory::find_crl_for(), Botan::X509_CRL::is_revoked(), issuer_info(), and to_string().

403  {
404  return data().m_authority_key_id;
405  }

◆ BER_encode()

std::vector< uint8_t > Botan::ASN1_Object::BER_encode ( ) const
inherited

Return the encoding of this object. This is a convenience method when just one object needs to be serialized. Use DER_Encoder for complicated encodings.

Definition at line 16 of file asn1_obj.cpp.

References Botan::ASN1_Object::encode_into().

Referenced by Botan::PSSR::config_for_x509(), Botan::Certificate_Store_In_SQL::find_all_certs(), Botan::Certificate_Store_In_SQL::find_cert(), fingerprint(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::X509_Object::PEM_encode(), and Botan::Certificate_Store_In_SQL::revoke_cert().

17  {
18  std::vector<uint8_t> output;
19  DER_Encoder der(output);
20  this->encode_into(der);
21  return output;
22  }
virtual void encode_into(DER_Encoder &to) const =0

◆ ca_issuers()

std::vector< std::string > Botan::X509_Certificate::ca_issuers ( ) const

Return the listed addresses of ca issuers, or empty if not set

Definition at line 561 of file x509cert.cpp.

Referenced by to_string().

562  {
563  return data().m_ca_issuers;
564  }

◆ certificate_policy_oids()

const std::vector< OID > & Botan::X509_Certificate::certificate_policy_oids ( ) const

Definition at line 463 of file x509cert.cpp.

Referenced by policies(), and to_string().

464  {
465  return data().m_cert_policies;
466  }

◆ check_signature() [1/2]

bool Botan::X509_Object::check_signature ( const Public_Key key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data
Returns
true if the signature is valid, otherwise false

Definition at line 178 of file x509_obj.cpp.

References Botan::VERIFIED, and Botan::X509_Object::verify_signature().

Referenced by Botan::X509_Object::check_signature().

179  {
180  const Certificate_Status_Code code = verify_signature(pub_key);
181  return (code == Certificate_Status_Code::VERIFIED);
182  }
Certificate_Status_Code verify_signature(const Public_Key &key) const
Definition: x509_obj.cpp:184
Certificate_Status_Code
Definition: cert_status.h:18

◆ check_signature() [2/2]

bool Botan::X509_Object::check_signature ( const Public_Key key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data the object will be deleted after use (this should have been a std::unique_ptr<Public_Key>)
Returns
true if the signature is valid, otherwise false

Definition at line 170 of file x509_obj.cpp.

References Botan::X509_Object::check_signature(), and Botan::X509_Object::PEM_label().

171  {
172  if(!pub_key)
173  throw Exception("No key provided for " + PEM_label() + " signature check");
174  std::unique_ptr<const Public_Key> key(pub_key);
175  return check_signature(*key);
176  }
virtual std::string PEM_label() const =0
bool check_signature(const Public_Key &key) const
Definition: x509_obj.cpp:178

◆ choose_sig_format()

std::unique_ptr< PK_Signer > Botan::X509_Object::choose_sig_format ( AlgorithmIdentifier sig_algo,
const Private_Key key,
RandomNumberGenerator rng,
const std::string &  hash_fn,
const std::string &  padding_algo 
)
staticinherited

Definition at line 366 of file x509_obj.cpp.

References Botan::DER_SEQUENCE, Botan::IEEE_1363, and Botan::Public_Key::message_parts().

Referenced by Botan::choose_sig_format(), and Botan::PKCS10_Request::create().

371  {
372  const Signature_Format format = (key.message_parts() > 1) ? DER_SEQUENCE : IEEE_1363;
373 
374  const std::string emsa = choose_sig_algo(sig_algo, key, hash_fn, padding_algo);
375 
376  return std::unique_ptr<PK_Signer>(new PK_Signer(key, rng, emsa, format));
377  }
Signature_Format
Definition: pubkey.h:27

◆ constraints()

Key_Constraints Botan::X509_Certificate::constraints ( ) const

Get the key constraints as defined in the KeyUsage extension of this certificate.

Returns
key constraints

Definition at line 453 of file x509cert.cpp.

Referenced by allowed_usage(), has_constraints(), and to_string().

454  {
455  return data().m_key_constraints;
456  }

◆ crl_distribution_point()

std::string Botan::X509_Certificate::crl_distribution_point ( ) const

Return the CRL distribution point, or empty if not set

Definition at line 566 of file x509cert.cpp.

Referenced by to_string().

567  {
568  // just returns the first (arbitrarily)
569  if(data().m_crl_distribution_points.size() > 0)
570  return data().m_crl_distribution_points[0];
571  return "";
572  }

◆ decode_from()

void Botan::X509_Object::decode_from ( class BER_Decoder from)
overridevirtualinherited

Decode a BER encoded X509_Object See ASN1_Object::decode_from()

Implements Botan::ASN1_Object.

Definition at line 107 of file x509_obj.cpp.

References Botan::BIT_STRING, Botan::BER_Decoder::decode(), Botan::BER_Decoder::end_cons(), Botan::BER_Decoder::raw_bytes(), Botan::SEQUENCE, and Botan::BER_Decoder::start_cons().

Referenced by Botan::X509_Object::load_data().

108  {
109  from.start_cons(SEQUENCE)
110  .start_cons(SEQUENCE)
111  .raw_bytes(m_tbs_bits)
112  .end_cons()
113  .decode(m_sig_algo)
114  .decode(m_sig, BIT_STRING)
115  .end_cons();
116 
117  force_decode();
118  }

◆ encode_into()

void Botan::X509_Object::encode_into ( class DER_Encoder to) const
overridevirtualinherited

DER encode an X509_Object See ASN1_Object::encode_into()

Implements Botan::ASN1_Object.

Definition at line 93 of file x509_obj.cpp.

References Botan::BIT_STRING, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), Botan::SEQUENCE, Botan::X509_Object::signature(), Botan::X509_Object::signature_algorithm(), Botan::X509_Object::signed_body(), and Botan::DER_Encoder::start_cons().

94  {
95  to.start_cons(SEQUENCE)
96  .start_cons(SEQUENCE)
97  .raw_bytes(signed_body())
98  .end_cons()
99  .encode(signature_algorithm())
100  .encode(signature(), BIT_STRING)
101  .end_cons();
102  }
const AlgorithmIdentifier & signature_algorithm() const
Definition: x509_obj.h:48
const std::vector< uint8_t > & signature() const
Definition: x509_obj.h:38
const std::vector< uint8_t > & signed_body() const
Definition: x509_obj.h:43

◆ end_time()

std::string Botan::X509_Certificate::end_time ( ) const
inline

Get the notAfter of the certificate as a string

Returns
notAfter of the certificate

Definition at line 166 of file x509cert.h.

167  {
168  return not_after().to_string();
169  }
const X509_Time & not_after() const
Definition: x509cert.cpp:359
std::string to_string() const
Return an internal string representation of the time.
Definition: asn1_time.cpp:53

◆ ex_constraints()

std::vector< std::string > Botan::X509_Certificate::ex_constraints ( ) const

Get the key constraints as defined in the ExtendedKeyUsage extension of this certificate.

Returns
key constraints

Definition at line 692 of file x509cert.cpp.

References extended_key_usage().

Referenced by to_string().

693  {
694  return lookup_oids(extended_key_usage());
695  }
const std::vector< OID > & extended_key_usage() const
Definition: x509cert.cpp:458

◆ extended_key_usage()

const std::vector< OID > & Botan::X509_Certificate::extended_key_usage ( ) const

Get the key usage as defined in the ExtendedKeyUsage extension of this certificate, or else an empty vector.

Returns
key usage

Definition at line 458 of file x509cert.cpp.

Referenced by allowed_extended_usage(), ex_constraints(), has_ex_constraint(), and to_string().

459  {
460  return data().m_extended_key_usage;
461  }

◆ fingerprint()

std::string Botan::X509_Certificate::fingerprint ( const std::string &  hash_name = "SHA-1") const
Returns
a fingerprint of the certificate
Parameters
hash_namehash function used to calculate the fingerprint

Definition at line 705 of file x509cert.cpp.

References Botan::ASN1_Object::BER_encode(), and Botan::create_hex_fingerprint().

Referenced by Botan::Certificate_Store_In_SQL::affirm_cert(), Botan::Certificate_Store_In_SQL::find_key(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::Certificate_Store_In_SQL::insert_key(), Botan::Certificate_Store_In_SQL::remove_cert(), and Botan::Certificate_Store_In_SQL::revoke_cert().

706  {
707  return create_hex_fingerprint(this->BER_encode(), hash_name);
708  }
std::vector< uint8_t > BER_encode() const
Definition: asn1_obj.cpp:16
std::string create_hex_fingerprint(const uint8_t bits[], size_t bits_len, const std::string &hash_name)
Definition: pk_keys.cpp:17

◆ has_constraints()

bool Botan::X509_Certificate::has_constraints ( Key_Constraints  constraints) const

Returns true if the specified

Parameters
constraintsare included in the key usage extension.

Definition at line 527 of file x509cert.cpp.

References constraints(), and Botan::NO_CONSTRAINTS.

528  {
529  if(this->constraints() == NO_CONSTRAINTS)
530  {
531  return false;
532  }
533 
534  return ((this->constraints() & constraints) != 0);
535  }
Key_Constraints constraints() const
Definition: x509cert.cpp:453

◆ has_ex_constraint() [1/2]

bool Botan::X509_Certificate::has_ex_constraint ( const std::string &  ex_constraint) const

Returns true if and only if

Parameters
ex_constraint(referring to an extended key constraint, eg "PKIX.ServerAuth") is included in the extended key extension.

Definition at line 537 of file x509cert.cpp.

References Botan::OIDS::str2oid().

538  {
539  return has_ex_constraint(OIDS::str2oid(ex_constraint));
540  }
OID str2oid(const std::string &name)
Definition: oids.h:53
bool has_ex_constraint(const std::string &ex_constraint) const
Definition: x509cert.cpp:537

◆ has_ex_constraint() [2/2]

bool Botan::X509_Certificate::has_ex_constraint ( const OID ex_constraint) const

Returns true if and only if OID

Parameters
ex_constraintis included in the extended key extension.

Definition at line 542 of file x509cert.cpp.

References extended_key_usage().

543  {
544  const std::vector<OID>& ex = extended_key_usage();
545  return (std::find(ex.begin(), ex.end(), usage) != ex.end());
546  }
const std::vector< OID > & extended_key_usage() const
Definition: x509cert.cpp:458

◆ hash_used_for_signature()

std::string Botan::X509_Object::hash_used_for_signature ( ) const
inherited
Returns
hash algorithm that was used to generate signature

Definition at line 139 of file x509_obj.cpp.

References Botan::OID::as_string(), Botan::AlgorithmIdentifier::get_oid(), hash_algo, Botan::OIDS::lookup(), Botan::parse_algorithm_name(), Botan::X509_Object::signature_algorithm(), and Botan::split_on().

140  {
141  const OID& oid = m_sig_algo.get_oid();
142  const std::vector<std::string> sig_info = split_on(OIDS::lookup(oid), '/');
143 
144  if(sig_info.size() == 1 && sig_info[0] == "Ed25519")
145  return "SHA-512";
146  else if(sig_info.size() != 2)
147  throw Internal_Error("Invalid name format found for " + oid.as_string());
148 
149  if(sig_info[1] == "EMSA4")
150  {
151  return OIDS::lookup(decode_pss_params(signature_algorithm().get_parameters()).hash_algo.get_oid());
152  }
153  else
154  {
155  const std::vector<std::string> pad_and_hash =
156  parse_algorithm_name(sig_info[1]);
157 
158  if(pad_and_hash.size() != 2)
159  {
160  throw Internal_Error("Invalid name format " + sig_info[1]);
161  }
162 
163  return pad_and_hash[1];
164  }
165  }
const AlgorithmIdentifier & signature_algorithm() const
Definition: x509_obj.h:48
std::vector< std::string > split_on(const std::string &str, char delim)
Definition: parsing.cpp:144
std::vector< std::string > parse_algorithm_name(const std::string &namex)
Definition: parsing.cpp:91
AlgorithmIdentifier hash_algo
Definition: x509_obj.cpp:23
const OID & get_oid() const
Definition: alg_id.h:37
std::string lookup(const OID &oid)
Definition: oids.cpp:113

◆ is_CA_cert()

bool Botan::X509_Certificate::is_CA_cert ( ) const

Check whether this certificate is a CA certificate.

Returns
true if this certificate is a CA certificate

Definition at line 443 of file x509cert.cpp.

Referenced by allowed_usage(), Botan::Cert_Extension::Name_Constraints::validate(), and Botan::X509_CA::X509_CA().

444  {
445  return data().m_is_ca_certificate;
446  }

◆ is_critical()

bool Botan::X509_Certificate::is_critical ( const std::string &  ex_name) const

Check whenever a given X509 Extension is marked critical in this certificate.

Definition at line 551 of file x509cert.cpp.

References Botan::Extensions::critical_extension_set(), Botan::OIDS::str2oid(), and v3_extensions().

Referenced by Botan::Cert_Extension::Name_Constraints::validate().

552  {
554  }
bool critical_extension_set(const OID &oid) const
Definition: x509_ext.cpp:165
OID str2oid(const std::string &name)
Definition: oids.h:53
const Extensions & v3_extensions() const
Definition: x509cert.cpp:473

◆ is_self_signed()

bool Botan::X509_Certificate::is_self_signed ( ) const

Check whether this certificate is self signed. If the DN issuer and subject agree,

Returns
true if this certificate is self signed

Definition at line 349 of file x509cert.cpp.

350  {
351  return data().m_self_signed;
352  }

◆ is_serial_negative()

bool Botan::X509_Certificate::is_serial_negative ( ) const

Get the serial number's sign

Returns
1 iff the serial is negative.

Definition at line 417 of file x509cert.cpp.

418  {
419  return data().m_serial_negative;
420  }

◆ issuer_alt_name()

const AlternativeName & Botan::X509_Certificate::issuer_alt_name ( ) const

Return the issuer alternative names (DNS, IP, ...)

Definition at line 579 of file x509cert.cpp.

Referenced by issuer_info().

580  {
581  return data().m_issuer_alt_name;
582  }

◆ issuer_dn()

const X509_DN & Botan::X509_Certificate::issuer_dn ( ) const

Get the certificate's issuer distinguished name (DN).

Returns
issuer DN of this certificate

Definition at line 423 of file x509cert.cpp.

Referenced by Botan::PKIX::build_certificate_path(), Botan::Certificate_Store_In_SQL::find_crl_for(), Botan::Certificate_Store_In_Memory::find_crl_for(), Botan::X509_CRL::is_revoked(), issuer_info(), Botan::OCSP::Request::Request(), and to_string().

424  {
425  return data().m_issuer_dn;
426  }

◆ issuer_info()

std::vector< std::string > Botan::X509_Certificate::issuer_info ( const std::string &  name) const

Get a value for a specific subject_info parameter name.

Parameters
namethe name of the parameter to look up. Possible names are "X509.Certificate.v2.key_id" or "X509v3.AuthorityKeyIdentifier".
Returns
value(s) of the specified parameter

Definition at line 623 of file x509cert.cpp.

References authority_key_id(), Botan::AlternativeName::get_attribute(), Botan::X509_DN::get_attribute(), Botan::hex_encode(), issuer_alt_name(), issuer_dn(), raw_issuer_dn(), and v2_issuer_key_id().

624  {
625  if(issuer_dn().has_field(req))
626  return issuer_dn().get_attribute(req);
627 
628  if(issuer_alt_name().has_field(req))
629  return issuer_alt_name().get_attribute(req);
630 
631  // These will be removed later:
632  if(req == "X509.Certificate.v2.key_id")
633  return {hex_encode(this->v2_issuer_key_id())};
634  if(req == "X509v3.AuthorityKeyIdentifier")
635  return {hex_encode(this->authority_key_id())};
636  if(req == "X509.Certificate.dn_bits")
637  return {hex_encode(this->raw_issuer_dn())};
638 
639  return data().m_issuer_ds.get(req);
640  }
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
Definition: hex.cpp:14
const std::vector< uint8_t > & authority_key_id() const
Definition: x509cert.cpp:402
const AlternativeName & issuer_alt_name() const
Definition: x509cert.cpp:579
std::vector< std::string > get_attribute(const std::string &attr) const
Definition: x509_dn.cpp:108
std::vector< std::string > get_attribute(const std::string &attr) const
const X509_DN & issuer_dn() const
Definition: x509cert.cpp:423
const std::vector< uint8_t > & v2_issuer_key_id() const
Definition: x509cert.cpp:369
const std::vector< uint8_t > & raw_issuer_dn() const
Definition: x509cert.cpp:433

◆ load_data()

void Botan::X509_Object::load_data ( DataSource src)
protectedinherited

Decodes from src as either DER or PEM data, then calls force_decode()

Definition at line 53 of file x509_obj.cpp.

References Botan::X509_Object::alternate_PEM_labels(), Botan::PEM_Code::decode(), Botan::X509_Object::decode_from(), Botan::PEM_Code::matches(), Botan::ASN1::maybe_BER(), Botan::X509_Object::PEM_label(), and Botan::Exception::what().

Referenced by Botan::PKCS10_Request::PKCS10_Request(), X509_Certificate(), and Botan::X509_CRL::X509_CRL().

54  {
55  try {
56  if(ASN1::maybe_BER(in) && !PEM_Code::matches(in))
57  {
58  BER_Decoder dec(in);
59  decode_from(dec);
60  }
61  else
62  {
63  std::string got_label;
64  DataSource_Memory ber(PEM_Code::decode(in, got_label));
65 
66  if(got_label != PEM_label())
67  {
68  bool is_alternate = false;
69  for(std::string alt_label : alternate_PEM_labels())
70  {
71  if(got_label == alt_label)
72  {
73  is_alternate = true;
74  break;
75  }
76  }
77 
78  if(!is_alternate)
79  throw Decoding_Error("Unexpected PEM label for " + PEM_label() + " of " + got_label);
80  }
81 
82  BER_Decoder dec(ber);
83  decode_from(dec);
84  }
85  }
86  catch(Decoding_Error& e)
87  {
88  throw Decoding_Error(PEM_label() + " decoding failed: " + e.what());
89  }
90  }
virtual std::vector< std::string > alternate_PEM_labels() const
Definition: x509_obj.h:114
virtual std::string PEM_label() const =0
bool maybe_BER(DataSource &source)
Definition: asn1_obj.cpp:219
void decode_from(class BER_Decoder &from) override
Definition: x509_obj.cpp:107
bool matches(DataSource &source, const std::string &extra, size_t search_range)
Definition: pem.cpp:142
secure_vector< uint8_t > decode(DataSource &source, std::string &label)
Definition: pem.cpp:68

◆ load_subject_public_key()

std::unique_ptr< Public_Key > Botan::X509_Certificate::load_subject_public_key ( ) const

Create a public key object associated with the public key bits in this certificate. If the public key bits was valid for X.509 encoding purposes but invalid algorithmically (for example, RSA with an even modulus) that will be detected at this point, and an exception will be thrown.

Returns
subject public key of this certificate

Definition at line 645 of file x509cert.cpp.

References Botan::X509::load_key(), and subject_public_key_info().

646  {
647  try
648  {
649  return std::unique_ptr<Public_Key>(X509::load_key(subject_public_key_info()));
650  }
651  catch(std::exception& e)
652  {
653  throw Decoding_Error("X509_Certificate::load_subject_public_key", e.what());
654  }
655  }
const std::vector< uint8_t > & subject_public_key_info() const
Definition: x509cert.cpp:384
Public_Key * load_key(DataSource &source)
Definition: x509_key.cpp:37

◆ make_signed()

std::vector< uint8_t > Botan::X509_Object::make_signed ( class PK_Signer signer,
RandomNumberGenerator rng,
const AlgorithmIdentifier alg_id,
const secure_vector< uint8_t > &  tbs 
)
staticinherited

Create a signed X509 object.

Parameters
signerthe signer used to sign the object
rngthe random number generator to use
alg_idthe algorithm identifier of the signature scheme
tbsthe tbs bits to be signed
Returns
signed X509 object

Definition at line 270 of file x509_obj.cpp.

References Botan::BIT_STRING, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), Botan::SEQUENCE, Botan::PK_Signer::sign_message(), Botan::X509_Object::signature(), and Botan::DER_Encoder::start_cons().

Referenced by Botan::PKCS10_Request::create(), and Botan::X509_CA::make_cert().

274  {
275  const std::vector<uint8_t> signature = signer->sign_message(tbs_bits, rng);
276 
277  std::vector<uint8_t> output;
278  DER_Encoder(output)
279  .start_cons(SEQUENCE)
280  .raw_bytes(tbs_bits)
281  .encode(algo)
282  .encode(signature, BIT_STRING)
283  .end_cons();
284 
285  return output;
286  }
const std::vector< uint8_t > & signature() const
Definition: x509_obj.h:38

◆ matches_dns_name()

bool Botan::X509_Certificate::matches_dns_name ( const std::string &  name) const

Check if a certain DNS name matches up with the information in the cert

Parameters
nameDNS name to match

Definition at line 710 of file x509cert.cpp.

References Botan::host_wildcard_match(), and subject_info().

Referenced by botan_x509_cert_hostname_match().

711  {
712  if(name.empty())
713  return false;
714 
715  std::vector<std::string> issued_names = subject_info("DNS");
716 
717  // Fall back to CN only if no DNS names are set (RFC 6125 sec 6.4.4)
718  if(issued_names.empty())
719  issued_names = subject_info("Name");
720 
721  for(size_t i = 0; i != issued_names.size(); ++i)
722  {
723  if(host_wildcard_match(issued_names[i], name))
724  return true;
725  }
726 
727  return false;
728  }
bool host_wildcard_match(const std::string &issued_, const std::string &host_)
Definition: parsing.cpp:358
std::vector< std::string > subject_info(const std::string &name) const
Definition: x509cert.cpp:588

◆ name_constraints()

const NameConstraints & Botan::X509_Certificate::name_constraints ( ) const

Get the name constraints as defined in the NameConstraints extension of this certificate.

Returns
name constraints

Definition at line 468 of file x509cert.cpp.

Referenced by to_string().

469  {
470  return data().m_name_constraints;
471  }

◆ not_after()

const X509_Time & Botan::X509_Certificate::not_after ( ) const

Get the notAfter of the certificate as X509_Time

Returns
notAfter of the certificate

Definition at line 359 of file x509cert.cpp.

Referenced by subject_info(), and to_string().

360  {
361  return data().m_not_after;
362  }

◆ not_before()

const X509_Time & Botan::X509_Certificate::not_before ( ) const

Get the notBefore of the certificate as X509_Time

Returns
notBefore of the certificate

Definition at line 354 of file x509cert.cpp.

Referenced by subject_info(), and to_string().

355  {
356  return data().m_not_before;
357  }

◆ ocsp_responder()

std::string Botan::X509_Certificate::ocsp_responder ( ) const

Return the listed address of an OCSP responder, or empty if not set

Definition at line 556 of file x509cert.cpp.

Referenced by to_string().

557  {
558  return data().m_ocsp_responder;
559  }

◆ operator<()

bool Botan::X509_Certificate::operator< ( const X509_Certificate other) const

Impose an arbitrary (but consistent) ordering, eg to allow sorting a container of certificate objects.

Returns
true if this is less than other by some unspecified criteria

Definition at line 740 of file x509cert.cpp.

References Botan::X509_Object::signature(), and Botan::X509_Object::signed_body().

741  {
742  /* If signature values are not equal, sort by lexicographic ordering of that */
743  if(this->signature() != other.signature())
744  {
745  return (this->signature() < other.signature());
746  }
747 
748  // Then compare the signed contents
749  return this->signed_body() < other.signed_body();
750  }
const std::vector< uint8_t > & signature() const
Definition: x509_obj.h:38
const std::vector< uint8_t > & signed_body() const
Definition: x509_obj.h:43

◆ operator=()

X509_Certificate& Botan::X509_Certificate::operator= ( const X509_Certificate other)
default

◆ operator==()

bool Botan::X509_Certificate::operator== ( const X509_Certificate other) const

Check to certificates for equality.

Returns
true both certificates are (binary) equal

Definition at line 733 of file x509cert.cpp.

References Botan::X509_Object::signature(), Botan::X509_Object::signature_algorithm(), and Botan::X509_Object::signed_body().

734  {
735  return (this->signature() == other.signature() &&
736  this->signature_algorithm() == other.signature_algorithm() &&
737  this->signed_body() == other.signed_body());
738  }
const AlgorithmIdentifier & signature_algorithm() const
Definition: x509_obj.h:48
const std::vector< uint8_t > & signature() const
Definition: x509_obj.h:38
const std::vector< uint8_t > & signed_body() const
Definition: x509_obj.h:43

◆ path_limit()

uint32_t Botan::X509_Certificate::path_limit ( ) const

Get the path limit as defined in the BasicConstraints extension of this certificate.

Returns
path limit

Definition at line 448 of file x509cert.cpp.

449  {
450  return data().m_path_len_constraint;
451  }

◆ PEM_encode()

std::string Botan::X509_Object::PEM_encode ( ) const
inherited
Returns
PEM encoding of this

Definition at line 123 of file x509_obj.cpp.

References Botan::ASN1_Object::BER_encode(), Botan::PEM_Code::encode(), and Botan::X509_Object::PEM_label().

124  {
126  }
virtual std::string PEM_label() const =0
std::vector< uint8_t > BER_encode() const
Definition: asn1_obj.cpp:16
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
Definition: pem.cpp:43

◆ policies()

std::vector< std::string > Botan::X509_Certificate::policies ( ) const

Get the policies as defined in the CertificatePolicies extension of this certificate.

Returns
certificate policies

Definition at line 700 of file x509cert.cpp.

References certificate_policy_oids().

Referenced by to_string().

701  {
702  return lookup_oids(certificate_policy_oids());
703  }
const std::vector< OID > & certificate_policy_oids() const
Definition: x509cert.cpp:463

◆ raw_issuer_dn()

const std::vector< uint8_t > & Botan::X509_Certificate::raw_issuer_dn ( ) const

Raw issuer DN bits

Definition at line 433 of file x509cert.cpp.

Referenced by Botan::OCSP::CertID::is_id_for(), issuer_info(), and raw_issuer_dn_sha256().

434  {
435  return data().m_issuer_dn_bits;
436  }

◆ raw_issuer_dn_sha256()

std::vector< uint8_t > Botan::X509_Certificate::raw_issuer_dn_sha256 ( ) const

SHA-256 of Raw issuer DN

Definition at line 657 of file x509cert.cpp.

References Botan::HashFunction::create_or_throw(), hash, and raw_issuer_dn().

658  {
659  std::unique_ptr<HashFunction> hash(HashFunction::create_or_throw("SHA-256"));
660  hash->update(raw_issuer_dn());
661  return hash->final_stdvec();
662  }
static std::unique_ptr< HashFunction > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:345
MechanismType hash
const std::vector< uint8_t > & raw_issuer_dn() const
Definition: x509cert.cpp:433

◆ raw_subject_dn()

const std::vector< uint8_t > & Botan::X509_Certificate::raw_subject_dn ( ) const

Raw subject DN

Definition at line 438 of file x509cert.cpp.

Referenced by Botan::OCSP::CertID::CertID(), raw_subject_dn_sha256(), and subject_info().

439  {
440  return data().m_subject_dn_bits;
441  }

◆ raw_subject_dn_sha256()

std::vector< uint8_t > Botan::X509_Certificate::raw_subject_dn_sha256 ( ) const

SHA-256 of Raw subject DN

Definition at line 664 of file x509cert.cpp.

References Botan::HashFunction::create(), hash, and raw_subject_dn().

665  {
666  std::unique_ptr<HashFunction> hash(HashFunction::create("SHA-256"));
667  hash->update(raw_subject_dn());
668  return hash->final_stdvec();
669  }
const std::vector< uint8_t > & raw_subject_dn() const
Definition: x509cert.cpp:438
static std::unique_ptr< HashFunction > create(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:106
MechanismType hash

◆ serial_number()

const std::vector< uint8_t > & Botan::X509_Certificate::serial_number ( ) const

Get the serial number of this certificate.

Returns
certificates serial number

Definition at line 412 of file x509cert.cpp.

Referenced by Botan::CRL_Entry::CRL_Entry(), Botan::OCSP::CertID::is_id_for(), Botan::X509_CRL::is_revoked(), subject_info(), and to_string().

413  {
414  return data().m_serial;
415  }

◆ signature()

const std::vector<uint8_t>& Botan::X509_Object::signature ( ) const
inlineinherited
Returns
signature on tbs_data()

Definition at line 38 of file x509_obj.h.

Referenced by Botan::X509_Object::encode_into(), Botan::X509_Object::make_signed(), operator<(), operator==(), and Botan::X509_Object::verify_signature().

38 { return m_sig; }

◆ signature_algorithm()

const AlgorithmIdentifier& Botan::X509_Object::signature_algorithm ( ) const
inlineinherited
Returns
signature algorithm that was used to generate signature

Definition at line 48 of file x509_obj.h.

Referenced by Botan::X509_Object::encode_into(), Botan::X509_Object::hash_used_for_signature(), operator==(), to_string(), Botan::X509_Object::verify_signature(), and Botan::X509_CA::X509_CA().

48 { return m_sig_algo; }

◆ signed_body()

const std::vector<uint8_t>& Botan::X509_Object::signed_body ( ) const
inlineinherited
Returns
signed body

Definition at line 43 of file x509_obj.h.

Referenced by Botan::X509_Object::encode_into(), operator<(), and operator==().

43 { return m_tbs_bits; }

◆ start_time()

std::string Botan::X509_Certificate::start_time ( ) const
inline

Get the notBefore of the certificate as a string

Returns
notBefore of the certificate

Definition at line 157 of file x509cert.h.

158  {
159  return not_before().to_string();
160  }
std::string to_string() const
Return an internal string representation of the time.
Definition: asn1_time.cpp:53
const X509_Time & not_before() const
Definition: x509cert.cpp:354

◆ subject_alt_name()

const AlternativeName & Botan::X509_Certificate::subject_alt_name ( ) const

Return the subject alternative names (DNS, IP, ...)

Definition at line 574 of file x509cert.cpp.

Referenced by Botan::GeneralName::matches(), and subject_info().

575  {
576  return data().m_subject_alt_name;
577  }

◆ subject_dn()

const X509_DN & Botan::X509_Certificate::subject_dn ( ) const

Get the certificate's subject distinguished name (DN).

Returns
subject DN of this certificate

Definition at line 428 of file x509cert.cpp.

Referenced by Botan::Certificate_Store::certificate_known(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::GeneralName::matches(), Botan::Certificate_Store_In_SQL::remove_cert(), Botan::OCSP::Request::Request(), Botan::X509_CA::sign_request(), subject_info(), and to_string().

429  {
430  return data().m_subject_dn;
431  }

◆ subject_info()

std::vector< std::string > Botan::X509_Certificate::subject_info ( const std::string &  name) const

Get a value for a specific subject_info parameter name.

Parameters
namethe name of the parameter to look up. Possible names include "X509.Certificate.version", "X509.Certificate.serial", "X509.Certificate.start", "X509.Certificate.end", "X509.Certificate.v2.key_id", "X509.Certificate.public_key", "X509v3.BasicConstraints.path_constraint", "X509v3.BasicConstraints.is_ca", "X509v3.NameConstraints", "X509v3.ExtendedKeyUsage", "X509v3.CertificatePolicies", "X509v3.SubjectKeyIdentifier", "X509.Certificate.serial", "X520.CommonName", "X520.Organization", "X520.Country", "RFC822" (Email in SAN) or "PKCS9.EmailAddress" (Email in DN).
Returns
value(s) of the specified parameter

Definition at line 588 of file x509cert.cpp.

References Botan::AlternativeName::get_attribute(), Botan::X509_DN::get_attribute(), Botan::hex_encode(), not_after(), not_before(), raw_subject_dn(), serial_number(), subject_alt_name(), subject_dn(), subject_key_id(), Botan::X509_Time::to_string(), Botan::ASN1::to_string(), v2_subject_key_id(), and x509_version().

Referenced by matches_dns_name().

589  {
590  if(req == "Email")
591  return this->subject_info("RFC822");
592 
593  if(subject_dn().has_field(req))
594  return subject_dn().get_attribute(req);
595 
596  if(subject_alt_name().has_field(req))
597  return subject_alt_name().get_attribute(req);
598 
599  // These will be removed later:
600  if(req == "X509.Certificate.v2.key_id")
601  return {hex_encode(this->v2_subject_key_id())};
602  if(req == "X509v3.SubjectKeyIdentifier")
603  return {hex_encode(this->subject_key_id())};
604  if(req == "X509.Certificate.dn_bits")
605  return {hex_encode(this->raw_subject_dn())};
606  if(req == "X509.Certificate.start")
607  return {not_before().to_string()};
608  if(req == "X509.Certificate.end")
609  return {not_after().to_string()};
610 
611  if(req == "X509.Certificate.version")
612  return {std::to_string(x509_version())};
613  if(req == "X509.Certificate.serial")
614  return {hex_encode(serial_number())};
615 
616  return data().m_subject_ds.get(req);
617  }
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
Definition: hex.cpp:14
const std::vector< uint8_t > & raw_subject_dn() const
Definition: x509cert.cpp:438
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:210
const std::vector< uint8_t > & subject_key_id() const
Definition: x509cert.cpp:407
uint32_t x509_version() const
Definition: x509cert.cpp:344
std::vector< std::string > get_attribute(const std::string &attr) const
Definition: x509_dn.cpp:108
const X509_DN & subject_dn() const
Definition: x509cert.cpp:428
const X509_Time & not_after() const
Definition: x509cert.cpp:359
std::vector< std::string > get_attribute(const std::string &attr) const
std::string to_string() const
Return an internal string representation of the time.
Definition: asn1_time.cpp:53
const X509_Time & not_before() const
Definition: x509cert.cpp:354
const std::vector< uint8_t > & serial_number() const
Definition: x509cert.cpp:412
const std::vector< uint8_t > & v2_subject_key_id() const
Definition: x509cert.cpp:374
std::vector< std::string > subject_info(const std::string &name) const
Definition: x509cert.cpp:588
const AlternativeName & subject_alt_name() const
Definition: x509cert.cpp:574

◆ subject_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_key_id ( ) const

Get the DER encoded SubjectKeyIdentifier of this certificate.

Returns
DER encoded SubjectKeyIdentifier

Definition at line 407 of file x509cert.cpp.

Referenced by Botan::Certificate_Store::certificate_known(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::Certificate_Store_In_SQL::remove_cert(), subject_info(), and to_string().

408  {
409  return data().m_subject_key_id;
410  }

◆ subject_public_key()

Public_Key* Botan::X509_Certificate::subject_public_key ( ) const
inline

Return a newly allocated copy of the public key associated with the subject of this certificate. This object is owned by the caller.

Returns
public key

Definition at line 49 of file x509cert.h.

Referenced by to_string(), Botan::TLS::Certificate_Verify::verify(), and Botan::OCSP::Response::verify_signature().

50  {
51  return load_subject_public_key().release();
52  }
std::unique_ptr< Public_Key > load_subject_public_key() const
Definition: x509cert.cpp:645

◆ subject_public_key_algo()

const AlgorithmIdentifier & Botan::X509_Certificate::subject_public_key_algo ( ) const

Return the algorithm identifier of the public key

Definition at line 364 of file x509cert.cpp.

Referenced by to_string().

365  {
366  return data().m_subject_public_key_algid;
367  }

◆ subject_public_key_bits()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_bits ( ) const

Get the public key associated with this certificate. This includes the outer AlgorithmIdentifier

Returns
subject public key of this certificate

Definition at line 379 of file x509cert.cpp.

380  {
381  return data().m_subject_public_key_bits;
382  }

◆ subject_public_key_bitstring()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_bitstring ( ) const

Get the bit string of the public key associated with this certificate

Returns
public key bits

Definition at line 389 of file x509cert.cpp.

Referenced by Botan::OCSP::CertID::CertID(), and Botan::OCSP::CertID::is_id_for().

390  {
391  return data().m_subject_public_key_bitstring;
392  }

◆ subject_public_key_bitstring_sha1()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_bitstring_sha1 ( ) const

Get the SHA-1 bit string of the public key associated with this certificate. This is used for OCSP among other protocols. This function will throw if SHA-1 is not available.

Returns
hash of subject public key of this certificate

Definition at line 394 of file x509cert.cpp.

395  {
396  if(data().m_subject_public_key_bitstring_sha1.empty())
397  throw Encoding_Error("X509_Certificate::subject_public_key_bitstring_sha1 called but SHA-1 disabled in build");
398 
399  return data().m_subject_public_key_bitstring_sha1;
400  }

◆ subject_public_key_info()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_info ( ) const

Get the SubjectPublicKeyInfo associated with this certificate.

Returns
subject public key info of this certificate

Definition at line 384 of file x509cert.cpp.

Referenced by load_subject_public_key().

385  {
386  return data().m_subject_public_key_bits_seq;
387  }

◆ tbs_data()

std::vector< uint8_t > Botan::X509_Object::tbs_data ( ) const
inherited

The underlying data that is to be or was signed

Returns
data that is or was signed

Definition at line 131 of file x509_obj.cpp.

References Botan::ASN1::put_in_sequence().

Referenced by Botan::X509_Object::verify_signature().

132  {
133  return ASN1::put_in_sequence(m_tbs_bits);
134  }
std::vector< uint8_t > put_in_sequence(const std::vector< uint8_t > &contents)
Definition: asn1_obj.cpp:192

◆ to_string()

std::string Botan::X509_Certificate::to_string ( ) const
Returns
a free-form string describing the certificate

Definition at line 760 of file x509cert.cpp.

References Botan::OID::as_string(), authority_key_id(), ca_issuers(), certificate_policy_oids(), constraints(), crl_distribution_point(), Botan::CRL_SIGN, Botan::DATA_ENCIPHERMENT, Botan::DECIPHER_ONLY, Botan::DIGITAL_SIGNATURE, Botan::ENCIPHER_ONLY, ex_constraints(), Botan::NameConstraints::excluded(), extended_key_usage(), Botan::AlgorithmIdentifier::get_oid(), Botan::hex_encode(), issuer_dn(), Botan::KEY_AGREEMENT, Botan::KEY_CERT_SIGN, Botan::KEY_ENCIPHERMENT, name_constraints(), Botan::NO_CONSTRAINTS, Botan::NON_REPUDIATION, not_after(), not_before(), ocsp_responder(), Botan::OIDS::oid2str(), Botan::X509::PEM_encode(), Botan::NameConstraints::permitted(), policies(), Botan::X509_Time::readable_string(), serial_number(), Botan::X509_Object::signature_algorithm(), subject_dn(), subject_key_id(), subject_public_key(), subject_public_key_algo(), and x509_version().

761  {
762  std::ostringstream out;
763 
764  out << "Version: " << this->x509_version() << "\n";
765  out << "Subject: " << subject_dn() << "\n";
766  out << "Issuer: " << issuer_dn() << "\n";
767  out << "Issued: " << this->not_before().readable_string() << "\n";
768  out << "Expires: " << this->not_after().readable_string() << "\n";
769 
770  out << "Constraints:\n";
772  if(constraints == NO_CONSTRAINTS)
773  out << " None\n";
774  else
775  {
777  out << " Digital Signature\n";
779  out << " Non-Repudiation\n";
781  out << " Key Encipherment\n";
783  out << " Data Encipherment\n";
785  out << " Key Agreement\n";
787  out << " Cert Sign\n";
788  if(constraints & CRL_SIGN)
789  out << " CRL Sign\n";
791  out << " Encipher Only\n";
793  out << " Decipher Only\n";
794  }
795 
796  const std::vector<OID> policies = this->certificate_policy_oids();
797  if(!policies.empty())
798  {
799  out << "Policies: " << "\n";
800  for(auto oid : policies)
801  out << " " << oid.as_string() << "\n";
802  }
803 
804  std::vector<OID> ex_constraints = this->extended_key_usage();
805  if(!ex_constraints.empty())
806  {
807  out << "Extended Constraints:\n";
808  for(size_t i = 0; i != ex_constraints.size(); i++)
809  out << " " << OIDS::oid2str(ex_constraints[i]) << "\n";
810  }
811 
812  const NameConstraints& name_constraints = this->name_constraints();
813 
814  if(!name_constraints.permitted().empty() || !name_constraints.excluded().empty())
815  {
816  out << "Name Constraints:\n";
817 
818  if(!name_constraints.permitted().empty())
819  {
820  out << " Permit";
821  for(auto st: name_constraints.permitted())
822  {
823  out << " " << st.base();
824  }
825  out << "\n";
826  }
827 
828  if(!name_constraints.excluded().empty())
829  {
830  out << " Exclude";
831  for(auto st: name_constraints.excluded())
832  {
833  out << " " << st.base();
834  }
835  out << "\n";
836  }
837  }
838 
839  if(!ocsp_responder().empty())
840  out << "OCSP responder " << ocsp_responder() << "\n";
841 
842  std::vector<std::string> ca_issuers = this->ca_issuers();
843  if(!ca_issuers.empty())
844  {
845  out << "CA Issuers:\n";
846  for(size_t i = 0; i != ca_issuers.size(); i++)
847  out << " URI: " << ca_issuers[i] << "\n";
848  }
849 
850  if(!crl_distribution_point().empty())
851  out << "CRL " << crl_distribution_point() << "\n";
852 
853  out << "Signature algorithm: " <<
854  OIDS::oid2str(this->signature_algorithm().get_oid()) << "\n";
855 
856  out << "Serial number: " << hex_encode(this->serial_number()) << "\n";
857 
858  if(this->authority_key_id().size())
859  out << "Authority keyid: " << hex_encode(this->authority_key_id()) << "\n";
860 
861  if(this->subject_key_id().size())
862  out << "Subject keyid: " << hex_encode(this->subject_key_id()) << "\n";
863 
864  try
865  {
866  std::unique_ptr<Public_Key> pubkey(this->subject_public_key());
867  out << "Public Key [" << pubkey->algo_name() << "-" << pubkey->key_length() << "]\n\n";
868  out << X509::PEM_encode(*pubkey);
869  }
870  catch(Decoding_Error&)
871  {
872  const AlgorithmIdentifier& alg_id = this->subject_public_key_algo();
873  out << "Failed to decode key with oid " << alg_id.get_oid().as_string() << "\n";
874  }
875 
876  return out.str();
877  }
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
Definition: hex.cpp:14
std::vector< std::string > ex_constraints() const
Definition: x509cert.cpp:692
const AlgorithmIdentifier & signature_algorithm() const
Definition: x509_obj.h:48
std::string PEM_encode(const Public_Key &key)
Definition: x509_key.cpp:28
std::string crl_distribution_point() const
Definition: x509cert.cpp:566
Public_Key * subject_public_key() const
Definition: x509cert.h:49
const std::vector< OID > & certificate_policy_oids() const
Definition: x509cert.cpp:463
const std::vector< GeneralSubtree > & excluded() const
const std::vector< uint8_t > & authority_key_id() const
Definition: x509cert.cpp:402
const std::vector< uint8_t > & subject_key_id() const
Definition: x509cert.cpp:407
std::string ocsp_responder() const
Definition: x509cert.cpp:556
Key_Constraints constraints() const
Definition: x509cert.cpp:453
uint32_t x509_version() const
Definition: x509cert.cpp:344
const X509_DN & subject_dn() const
Definition: x509cert.cpp:428
const X509_Time & not_after() const
Definition: x509cert.cpp:359
const AlgorithmIdentifier & subject_public_key_algo() const
Definition: x509cert.cpp:364
const std::vector< GeneralSubtree > & permitted() const
std::string readable_string() const
Returns a human friendly string replesentation of no particular formatting.
Definition: asn1_time.cpp:93
std::vector< std::string > policies() const
Definition: x509cert.cpp:700
const std::vector< OID > & extended_key_usage() const
Definition: x509cert.cpp:458
const X509_DN & issuer_dn() const
Definition: x509cert.cpp:423
std::vector< std::string > ca_issuers() const
Definition: x509cert.cpp:561
std::string oid2str(const OID &oid)
Definition: oids.h:48
const X509_Time & not_before() const
Definition: x509cert.cpp:354
const NameConstraints & name_constraints() const
Definition: x509cert.cpp:468
const std::vector< uint8_t > & serial_number() const
Definition: x509cert.cpp:412

◆ v2_issuer_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::v2_issuer_key_id ( ) const

Return the v2 issuer key ID. v2 key IDs are almost never used, instead see v3_subject_key_id.

Definition at line 369 of file x509cert.cpp.

Referenced by issuer_info().

370  {
371  return data().m_v2_issuer_key_id;
372  }

◆ v2_subject_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::v2_subject_key_id ( ) const

Return the v2 subject key ID. v2 key IDs are almost never used, instead see v3_subject_key_id.

Definition at line 374 of file x509cert.cpp.

Referenced by subject_info().

375  {
376  return data().m_v2_subject_key_id;
377  }

◆ v3_extensions()

const Extensions & Botan::X509_Certificate::v3_extensions ( ) const

Get all extensions of this certificate.

Returns
certificate extensions

Definition at line 473 of file x509cert.cpp.

Referenced by is_critical().

474  {
475  return data().m_v3_extensions;
476  }

◆ verify_signature()

Certificate_Status_Code Botan::X509_Object::verify_signature ( const Public_Key key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data
Returns
status of the signature - OK if verified or otherwise an indicator of the problem preventing verification.

Definition at line 184 of file x509_obj.cpp.

References Botan::Public_Key::algo_name(), Botan::DER_SEQUENCE, Botan::AlgorithmIdentifier::get_oid(), hash_algo, Botan::IEEE_1363, Botan::OIDS::lookup(), Botan::Public_Key::message_parts(), Botan::AlgorithmIdentifier::parameters, Botan::X509_Object::signature(), Botan::SIGNATURE_ALGO_BAD_PARAMS, Botan::SIGNATURE_ALGO_UNKNOWN, Botan::X509_Object::signature_algorithm(), Botan::SIGNATURE_ERROR, Botan::split_on(), Botan::X509_Object::tbs_data(), Botan::ASN1::to_string(), Botan::UNTRUSTED_HASH, Botan::VERIFIED, and Botan::PK_Verifier::verify_message().

Referenced by Botan::X509_Object::check_signature().

185  {
186  const std::vector<std::string> sig_info =
187  split_on(OIDS::lookup(m_sig_algo.get_oid()), '/');
188 
189  if(sig_info.size() < 1 || sig_info.size() > 2 || sig_info[0] != pub_key.algo_name())
191 
192  std::string padding;
193  if(sig_info.size() == 2)
194  padding = sig_info[1];
195  else if(sig_info[0] == "Ed25519")
196  padding = "Pure";
197  else
199 
200  const Signature_Format format =
201  (pub_key.message_parts() >= 2) ? DER_SEQUENCE : IEEE_1363;
202 
203  if(padding == "EMSA4")
204  {
205  // "MUST contain RSASSA-PSS-params"
206  if(signature_algorithm().parameters.empty())
207  {
209  }
210 
211  Pss_params pss_parameter = decode_pss_params(signature_algorithm().parameters);
212 
213  // hash_algo must be SHA1, SHA2-224, SHA2-256, SHA2-384 or SHA2-512
214  const std::string hash_algo = OIDS::lookup(pss_parameter.hash_algo.oid);
215  if(hash_algo != "SHA-160" &&
216  hash_algo != "SHA-224" &&
217  hash_algo != "SHA-256" &&
218  hash_algo != "SHA-384" &&
219  hash_algo != "SHA-512")
220  {
222  }
223 
224  const std::string mgf_algo = OIDS::lookup(pss_parameter.mask_gen_algo.oid);
225  if(mgf_algo != "MGF1")
226  {
228  }
229 
230  // For MGF1, it is strongly RECOMMENDED that the underlying hash function be the same as the one identified by hashAlgorithm
231  // Must be SHA1, SHA2-224, SHA2-256, SHA2-384 or SHA2-512
232  if(pss_parameter.mask_gen_hash.oid != pss_parameter.hash_algo.oid)
233  {
235  }
236 
237  if(pss_parameter.trailer_field != 1)
238  {
240  }
241 
242  // salt_len is actually not used for verification. Length is inferred from the signature
243  padding += "(" + hash_algo + "," + mgf_algo + "," + std::to_string(pss_parameter.salt_len) + ")";
244  }
245 
246  try
247  {
248  PK_Verifier verifier(pub_key, padding, format);
249  const bool valid = verifier.verify_message(tbs_data(), signature());
250 
251  if(valid)
253  else
255  }
256  catch(Algorithm_Not_Found&)
257  {
259  }
260  catch(...)
261  {
262  // This shouldn't happen, fallback to generic signature error
264  }
265  }
const AlgorithmIdentifier & signature_algorithm() const
Definition: x509_obj.h:48
std::vector< uint8_t > parameters
Definition: alg_id.h:46
std::vector< std::string > split_on(const std::string &str, char delim)
Definition: parsing.cpp:144
Signature_Format
Definition: pubkey.h:27
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:210
const std::vector< uint8_t > & signature() const
Definition: x509_obj.h:38
std::vector< uint8_t > tbs_data() const
Definition: x509_obj.cpp:131
AlgorithmIdentifier hash_algo
Definition: x509_obj.cpp:23
const OID & get_oid() const
Definition: alg_id.h:37
std::string lookup(const OID &oid)
Definition: oids.cpp:113

◆ x509_version()

uint32_t Botan::X509_Certificate::x509_version ( ) const

Get the X509 version of this certificate object.

Returns
X509 version

Definition at line 344 of file x509cert.cpp.

Referenced by subject_info(), and to_string().

345  {
346  return data().m_version;
347  }

The documentation for this class was generated from the following files: