Botan  2.4.0
Crypto and TLS for C++11
Public Member Functions | Static Public Member Functions | Protected Member Functions | List of all members
Botan::X509_Certificate Class Reference

#include <x509cert.h>

Inheritance diagram for Botan::X509_Certificate:
Botan::X509_Object Botan::ASN1_Object

Public Member Functions

bool allowed_extended_usage (const std::string &usage) const
 
bool allowed_extended_usage (const OID &usage) const
 
bool allowed_usage (Key_Constraints usage) const
 
bool allowed_usage (Usage_Type usage) const
 
const std::vector< uint8_t > & authority_key_id () const
 
std::vector< uint8_t > BER_encode () const
 
std::vector< std::string > ca_issuers () const
 
const std::vector< OID > & certificate_policy_oids () const
 
bool check_signature (const Public_Key &key) const
 
bool check_signature (const Public_Key *key) const
 
Key_Constraints constraints () const
 
std::string crl_distribution_point () const
 
void decode_from (class BER_Decoder &from) override
 
void encode_into (class DER_Encoder &to) const override
 
std::string end_time () const
 
std::vector< std::string > ex_constraints () const
 
const std::vector< OID > & extended_key_usage () const
 
std::string fingerprint (const std::string &hash_name="SHA-1") const
 
bool has_constraints (Key_Constraints constraints) const
 
bool has_ex_constraint (const std::string &ex_constraint) const
 
bool has_ex_constraint (const OID &ex_constraint) const
 
std::string hash_used_for_signature () const
 
bool is_CA_cert () const
 
bool is_critical (const std::string &ex_name) const
 
bool is_self_signed () const
 
bool is_serial_negative () const
 
const AlternativeNameissuer_alt_name () const
 
const X509_DNissuer_dn () const
 
std::vector< std::string > issuer_info (const std::string &name) const
 
std::unique_ptr< Public_Keyload_subject_public_key () const
 
bool matches_dns_name (const std::string &name) const
 
const NameConstraintsname_constraints () const
 
const X509_Timenot_after () const
 
const X509_Timenot_before () const
 
std::string ocsp_responder () const
 
bool operator< (const X509_Certificate &other) const
 
X509_Certificateoperator= (const X509_Certificate &other)=default
 
bool operator== (const X509_Certificate &other) const
 
uint32_t path_limit () const
 
std::string PEM_encode () const
 
std::vector< std::string > policies () const
 
const std::vector< uint8_t > & raw_issuer_dn () const
 
std::vector< uint8_t > raw_issuer_dn_sha256 () const
 
const std::vector< uint8_t > & raw_subject_dn () const
 
std::vector< uint8_t > raw_subject_dn_sha256 () const
 
const std::vector< uint8_t > & serial_number () const
 
const std::vector< uint8_t > & signature () const
 
const AlgorithmIdentifiersignature_algorithm () const
 
const std::vector< uint8_t > & signed_body () const
 
std::string start_time () const
 
const AlternativeNamesubject_alt_name () const
 
const X509_DNsubject_dn () const
 
std::vector< std::string > subject_info (const std::string &name) const
 
const std::vector< uint8_t > & subject_key_id () const
 
Public_Keysubject_public_key () const
 
const AlgorithmIdentifiersubject_public_key_algo () const
 
const std::vector< uint8_t > & subject_public_key_bits () const
 
const std::vector< uint8_t > & subject_public_key_bitstring () const
 
const std::vector< uint8_t > & subject_public_key_bitstring_sha1 () const
 
std::vector< uint8_t > tbs_data () const
 
std::string to_string () const
 
const std::vector< uint8_t > & v2_issuer_key_id () const
 
const std::vector< uint8_t > & v2_subject_key_id () const
 
const Extensionsv3_extensions () const
 
Certificate_Status_Code verify_signature (const Public_Key &key) const
 
 X509_Certificate (DataSource &source)
 
 X509_Certificate (const std::vector< uint8_t > &in)
 
 X509_Certificate ()=default
 
 X509_Certificate (const X509_Certificate &other)=default
 
uint32_t x509_version () const
 

Static Public Member Functions

static std::vector< uint8_t > make_signed (class PK_Signer *signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &tbs)
 

Protected Member Functions

void load_data (DataSource &src)
 

Detailed Description

This class represents an X.509 Certificate

Definition at line 39 of file x509cert.h.

Constructor & Destructor Documentation

◆ X509_Certificate() [1/4]

Botan::X509_Certificate::X509_Certificate ( DataSource source)
explicit

Create a certificate from a data source providing the DER or PEM encoded certificate.

Parameters
sourcethe data source

Definition at line 77 of file x509cert.cpp.

78  {
79  load_data(src);
80  }
void load_data(DataSource &src)
Definition: x509_obj.cpp:52

◆ X509_Certificate() [2/4]

Botan::X509_Certificate::X509_Certificate ( const std::vector< uint8_t > &  in)
explicit

◆ X509_Certificate() [3/4]

Botan::X509_Certificate::X509_Certificate ( )
default

Create an uninitialized certificate object. Any attempts to access this object will throw an exception.

Referenced by X509_Certificate().

◆ X509_Certificate() [4/4]

Botan::X509_Certificate::X509_Certificate ( const X509_Certificate other)
default

Member Function Documentation

◆ allowed_extended_usage() [1/2]

bool Botan::X509_Certificate::allowed_extended_usage ( const std::string &  usage) const

Returns true if the specified

Parameters
usageis set in the extended key usage extension or if no extended key usage constraints are set at all. To check if a certain extended key constraint is set in the certificate use
See also
X509_Certificate::has_ex_constraint.

Definition at line 472 of file x509cert.cpp.

References Botan::OIDS::str2oid().

473  {
474  return allowed_extended_usage(OIDS::str2oid(usage));
475  }
OID str2oid(const std::string &name)
Definition: oids.h:37
bool allowed_extended_usage(const std::string &usage) const
Definition: x509cert.cpp:472

◆ allowed_extended_usage() [2/2]

bool Botan::X509_Certificate::allowed_extended_usage ( const OID usage) const

Returns true if the specified usage is set in the extended key usage extension, or if no extended key usage constraints are set at all. To check if a certain extended key constraint is set in the certificate use

See also
X509_Certificate::has_ex_constraint.

Definition at line 477 of file x509cert.cpp.

478  {
479  const std::vector<OID>& ex = extended_key_usage();
480  if(ex.empty())
481  return true;
482 
483  if(std::find(ex.begin(), ex.end(), usage) != ex.end())
484  return true;
485 
486  return false;
487  }
const std::vector< OID > & extended_key_usage() const
Definition: x509cert.cpp:445

◆ allowed_usage() [1/2]

bool Botan::X509_Certificate::allowed_usage ( Key_Constraints  usage) const

Returns true if the specified

Parameters
usageis set in the key usage extension or if no key usage constraints are set at all. To check if a certain key constraint is set in the certificate use
See also
X509_Certificate::has_constraints.

Definition at line 465 of file x509cert.cpp.

References Botan::NO_CONSTRAINTS.

466  {
467  if(constraints() == NO_CONSTRAINTS)
468  return true;
469  return ((constraints() & usage) == usage);
470  }
Key_Constraints constraints() const
Definition: x509cert.cpp:440

◆ allowed_usage() [2/2]

bool Botan::X509_Certificate::allowed_usage ( Usage_Type  usage) const

Returns true if the required key and extended key constraints are set in the certificate for the specified

Parameters
usageor if no key constraints are set in both the key usage and extended key usage extension.

Definition at line 489 of file x509cert.cpp.

References Botan::CERTIFICATE_AUTHORITY, Botan::DIGITAL_SIGNATURE, Botan::KEY_AGREEMENT, Botan::KEY_ENCIPHERMENT, Botan::NON_REPUDIATION, Botan::OCSP_RESPONDER, Botan::TLS_CLIENT_AUTH, Botan::TLS_SERVER_AUTH, and Botan::UNSPECIFIED.

490  {
491  // These follow suggestions in RFC 5280 4.2.1.12
492 
493  switch(usage)
494  {
496  return true;
497 
500 
503 
506 
508  return is_CA_cert();
509  }
510 
511  return false;
512  }
bool allowed_usage(Key_Constraints usage) const
Definition: x509cert.cpp:465
bool is_CA_cert() const
Definition: x509cert.cpp:430
bool allowed_extended_usage(const std::string &usage) const
Definition: x509cert.cpp:472

◆ authority_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::authority_key_id ( ) const

Get the DER encoded AuthorityKeyIdentifier of this certificate.

Returns
DER encoded AuthorityKeyIdentifier

Definition at line 389 of file x509cert.cpp.

Referenced by Botan::PKIX::build_certificate_path(), Botan::Certificate_Store_In_Memory::find_crl_for(), and Botan::X509_CRL::is_revoked().

390  {
391  return data().m_authority_key_id;
392  }

◆ BER_encode()

std::vector< uint8_t > Botan::X509_Object::BER_encode ( ) const
inherited
Returns
BER encoding of this

Definition at line 122 of file x509_obj.cpp.

References Botan::DER_Encoder::get_contents_unlocked().

123  {
124  DER_Encoder der;
125  encode_into(der);
126  return der.get_contents_unlocked();
127  }
void encode_into(class DER_Encoder &to) const override
Definition: x509_obj.cpp:92

◆ ca_issuers()

std::vector< std::string > Botan::X509_Certificate::ca_issuers ( ) const

Return the listed addresses of ca issuers, or empty if not set

Definition at line 548 of file x509cert.cpp.

549  {
550  return data().m_ca_issuers;
551  }

◆ certificate_policy_oids()

const std::vector< OID > & Botan::X509_Certificate::certificate_policy_oids ( ) const

Definition at line 450 of file x509cert.cpp.

451  {
452  return data().m_cert_policies;
453  }

◆ check_signature() [1/2]

bool Botan::X509_Object::check_signature ( const Public_Key key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data
Returns
true if the signature is valid, otherwise false

Definition at line 186 of file x509_obj.cpp.

References Botan::VERIFIED.

187  {
188  const Certificate_Status_Code code = verify_signature(pub_key);
189  return (code == Certificate_Status_Code::VERIFIED);
190  }
Certificate_Status_Code verify_signature(const Public_Key &key) const
Definition: x509_obj.cpp:192
Certificate_Status_Code
Definition: cert_status.h:18

◆ check_signature() [2/2]

bool Botan::X509_Object::check_signature ( const Public_Key key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data the object will be deleted after use (this should have been a std::unique_ptr<Public_Key>)
Returns
true if the signature is valid, otherwise false

Definition at line 178 of file x509_obj.cpp.

179  {
180  if(!pub_key)
181  throw Exception("No key provided for " + PEM_label() + " signature check");
182  std::unique_ptr<const Public_Key> key(pub_key);
183  return check_signature(*key);
184  }
virtual std::string PEM_label() const =0
bool check_signature(const Public_Key &key) const
Definition: x509_obj.cpp:186

◆ constraints()

Key_Constraints Botan::X509_Certificate::constraints ( ) const

Get the key constraints as defined in the KeyUsage extension of this certificate.

Returns
key constraints

Definition at line 440 of file x509cert.cpp.

441  {
442  return data().m_key_constraints;
443  }

◆ crl_distribution_point()

std::string Botan::X509_Certificate::crl_distribution_point ( ) const

Return the CRL distribution point, or empty if not set

Definition at line 553 of file x509cert.cpp.

554  {
555  // just returns the first (arbitrarily)
556  if(data().m_crl_distribution_points.size() > 0)
557  return data().m_crl_distribution_points[0];
558  return "";
559  }

◆ decode_from()

void Botan::X509_Object::decode_from ( class BER_Decoder from)
overridevirtualinherited

Decode a BER encoded X509_Object See ASN1_Object::decode_from()

Implements Botan::ASN1_Object.

Definition at line 106 of file x509_obj.cpp.

References Botan::BIT_STRING, Botan::BER_Decoder::decode(), Botan::BER_Decoder::end_cons(), Botan::BER_Decoder::raw_bytes(), Botan::SEQUENCE, and Botan::BER_Decoder::start_cons().

107  {
108  from.start_cons(SEQUENCE)
109  .start_cons(SEQUENCE)
110  .raw_bytes(m_tbs_bits)
111  .end_cons()
112  .decode(m_sig_algo)
113  .decode(m_sig, BIT_STRING)
114  .end_cons();
115 
116  force_decode();
117  }

◆ encode_into()

void Botan::X509_Object::encode_into ( class DER_Encoder to) const
overridevirtualinherited

DER encode an X509_Object See ASN1_Object::encode_into()

Implements Botan::ASN1_Object.

Definition at line 92 of file x509_obj.cpp.

References Botan::BIT_STRING, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), Botan::SEQUENCE, and Botan::DER_Encoder::start_cons().

Referenced by Botan::Certificate_Store_In_SQL::insert_cert().

93  {
94  to.start_cons(SEQUENCE)
95  .start_cons(SEQUENCE)
96  .raw_bytes(signed_body())
97  .end_cons()
98  .encode(signature_algorithm())
99  .encode(signature(), BIT_STRING)
100  .end_cons();
101  }
const AlgorithmIdentifier & signature_algorithm() const
Definition: x509_obj.h:47
const std::vector< uint8_t > & signature() const
Definition: x509_obj.h:37
const std::vector< uint8_t > & signed_body() const
Definition: x509_obj.h:42

◆ end_time()

std::string Botan::X509_Certificate::end_time ( ) const
inline

Get the notAfter of the certificate as a string

Returns
notAfter of the certificate

Definition at line 160 of file x509cert.h.

References BOTAN_PUBLIC_API, Botan::operator!=(), Botan::operator<(), Botan::operator==(), and Botan::to_string().

161  {
162  return not_after().to_string();
163  }
const X509_Time & not_after() const
Definition: x509cert.cpp:351
std::string to_string() const
Return an internal string representation of the time.
Definition: asn1_time.cpp:53

◆ ex_constraints()

std::vector< std::string > Botan::X509_Certificate::ex_constraints ( ) const

Get the key constraints as defined in the ExtendedKeyUsage extension of this certificate.

Returns
key constraints

Definition at line 676 of file x509cert.cpp.

677  {
678  return lookup_oids(extended_key_usage());
679  }
const std::vector< OID > & extended_key_usage() const
Definition: x509cert.cpp:445

◆ extended_key_usage()

const std::vector< OID > & Botan::X509_Certificate::extended_key_usage ( ) const

Get the key usage as defined in the ExtendedKeyUsage extension of this certificate, or else an empty vector.

Returns
key usage

Definition at line 445 of file x509cert.cpp.

446  {
447  return data().m_extended_key_usage;
448  }

◆ fingerprint()

std::string Botan::X509_Certificate::fingerprint ( const std::string &  hash_name = "SHA-1") const
Returns
a fingerprint of the certificate
Parameters
hash_namehash function used to calculate the fingerprint

Definition at line 689 of file x509cert.cpp.

References Botan::PKCS8::BER_encode(), and Botan::create_hex_fingerprint().

Referenced by Botan::Certificate_Store_In_SQL::affirm_cert(), Botan::Certificate_Store_In_SQL::find_key(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::Certificate_Store_In_SQL::insert_key(), Botan::Certificate_Store_In_SQL::remove_cert(), and Botan::Certificate_Store_In_SQL::revoke_cert().

690  {
691  return create_hex_fingerprint(this->BER_encode(), hash_name);
692  }
std::vector< uint8_t > BER_encode() const
Definition: x509_obj.cpp:122
std::string create_hex_fingerprint(const uint8_t bits[], size_t bits_len, const std::string &hash_name)
Definition: pk_keys.cpp:17

◆ has_constraints()

bool Botan::X509_Certificate::has_constraints ( Key_Constraints  constraints) const

Returns true if the specified

Parameters
constraintsare included in the key usage extension.

Definition at line 514 of file x509cert.cpp.

References Botan::NO_CONSTRAINTS.

515  {
516  if(this->constraints() == NO_CONSTRAINTS)
517  {
518  return false;
519  }
520 
521  return ((this->constraints() & constraints) != 0);
522  }
Key_Constraints constraints() const
Definition: x509cert.cpp:440

◆ has_ex_constraint() [1/2]

bool Botan::X509_Certificate::has_ex_constraint ( const std::string &  ex_constraint) const

Returns true if and only if

Parameters
ex_constraint(referring to an extended key constraint, eg "PKIX.ServerAuth") is included in the extended key extension.

Definition at line 524 of file x509cert.cpp.

References Botan::OIDS::str2oid().

525  {
526  return has_ex_constraint(OIDS::str2oid(ex_constraint));
527  }
OID str2oid(const std::string &name)
Definition: oids.h:37
bool has_ex_constraint(const std::string &ex_constraint) const
Definition: x509cert.cpp:524

◆ has_ex_constraint() [2/2]

bool Botan::X509_Certificate::has_ex_constraint ( const OID ex_constraint) const

Returns true if and only if OID

Parameters
ex_constraintis included in the extended key extension.

Definition at line 529 of file x509cert.cpp.

530  {
531  const std::vector<OID>& ex = extended_key_usage();
532  return (std::find(ex.begin(), ex.end(), usage) != ex.end());
533  }
const std::vector< OID > & extended_key_usage() const
Definition: x509cert.cpp:445

◆ hash_used_for_signature()

std::string Botan::X509_Object::hash_used_for_signature ( ) const
inherited
Returns
hash algorithm that was used to generate signature

Definition at line 148 of file x509_obj.cpp.

References Botan::OID::as_string(), hash_algo, Botan::OIDS::lookup(), Botan::parse_algorithm_name(), and Botan::split_on().

149  {
150  const OID& oid = m_sig_algo.get_oid();
151  std::vector<std::string> sig_info = split_on(OIDS::lookup(oid), '/');
152 
153  if(sig_info.size() != 2)
154  throw Internal_Error("Invalid name format found for " +
155  oid.as_string());
156 
157  if(sig_info[1] == "EMSA4")
158  {
159  return OIDS::lookup(decode_pss_params(signature_algorithm().get_parameters()).hash_algo.get_oid());
160  }
161  else
162  {
163  std::vector<std::string> pad_and_hash =
164  parse_algorithm_name(sig_info[1]);
165 
166  if(pad_and_hash.size() != 2)
167  {
168  throw Internal_Error("Invalid name format " + sig_info[1]);
169  }
170 
171  return pad_and_hash[1];
172  }
173  }
const AlgorithmIdentifier & signature_algorithm() const
Definition: x509_obj.h:47
std::vector< std::string > split_on(const std::string &str, char delim)
Definition: parsing.cpp:142
std::vector< std::string > parse_algorithm_name(const std::string &namex)
Definition: parsing.cpp:89
AlgorithmIdentifier hash_algo
Definition: x509_obj.cpp:22
const OID & get_oid() const
Definition: alg_id.h:37
std::string lookup(const OID &oid)
Definition: oids.cpp:18

◆ is_CA_cert()

bool Botan::X509_Certificate::is_CA_cert ( ) const

Check whether this certificate is a CA certificate.

Returns
true if this certificate is a CA certificate

Definition at line 430 of file x509cert.cpp.

Referenced by Botan::Cert_Extension::Name_Constraints::validate(), and Botan::X509_CA::X509_CA().

431  {
432  return data().m_is_ca_certificate;
433  }

◆ is_critical()

bool Botan::X509_Certificate::is_critical ( const std::string &  ex_name) const

Check whenever a given X509 Extension is marked critical in this certificate.

Definition at line 538 of file x509cert.cpp.

References Botan::OIDS::str2oid().

Referenced by Botan::Cert_Extension::Name_Constraints::validate().

539  {
541  }
bool critical_extension_set(const OID &oid) const
Definition: x509_ext.cpp:150
OID str2oid(const std::string &name)
Definition: oids.h:37
const Extensions & v3_extensions() const
Definition: x509cert.cpp:460

◆ is_self_signed()

bool Botan::X509_Certificate::is_self_signed ( ) const

Check whether this certificate is self signed. If the DN issuer and subject agree,

Returns
true if this certificate is self signed

Definition at line 341 of file x509cert.cpp.

342  {
343  return data().m_self_signed;
344  }

◆ is_serial_negative()

bool Botan::X509_Certificate::is_serial_negative ( ) const

Get the serial number's sign

Returns
1 iff the serial is negative.

Definition at line 404 of file x509cert.cpp.

405  {
406  return data().m_serial_negative;
407  }

◆ issuer_alt_name()

const AlternativeName & Botan::X509_Certificate::issuer_alt_name ( ) const

Definition at line 566 of file x509cert.cpp.

567  {
568  return data().m_issuer_alt_name;
569  }

◆ issuer_dn()

const X509_DN & Botan::X509_Certificate::issuer_dn ( ) const

Get the certificate's issuer distinguished name (DN).

Returns
issuer DN of this certificate

Definition at line 410 of file x509cert.cpp.

Referenced by Botan::PKIX::build_certificate_path(), Botan::Certificate_Store_In_SQL::find_crl_for(), Botan::Certificate_Store_In_Memory::find_crl_for(), Botan::X509_CRL::is_revoked(), Botan::OCSP::Request::Request(), and Botan::OCSP::Response::status_for().

411  {
412  return data().m_issuer_dn;
413  }

◆ issuer_info()

std::vector< std::string > Botan::X509_Certificate::issuer_info ( const std::string &  name) const

Get a value for a specific subject_info parameter name.

Parameters
namethe name of the parameter to look up. Possible names are "X509.Certificate.v2.key_id" or "X509v3.AuthorityKeyIdentifier".
Returns
value(s) of the specified parameter

Definition at line 607 of file x509cert.cpp.

References Botan::hex_encode().

608  {
609  if(issuer_dn().has_field(req))
610  return issuer_dn().get_attribute(req);
611 
612  if(issuer_alt_name().has_field(req))
613  return issuer_alt_name().get_attribute(req);
614 
615  // These will be removed later:
616  if(req == "X509.Certificate.v2.key_id")
617  return {hex_encode(this->v2_issuer_key_id())};
618  if(req == "X509v3.AuthorityKeyIdentifier")
619  return {hex_encode(this->authority_key_id())};
620  if(req == "X509.Certificate.dn_bits")
621  return {hex_encode(this->raw_issuer_dn())};
622 
623  return data().m_issuer_ds.get(req);
624  }
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
Definition: hex.cpp:14
const std::vector< uint8_t > & authority_key_id() const
Definition: x509cert.cpp:389
const AlternativeName & issuer_alt_name() const
Definition: x509cert.cpp:566
std::vector< std::string > get_attribute(const std::string &attr) const
Definition: x509_dn.cpp:113
std::vector< std::string > get_attribute(const std::string &attr) const
const X509_DN & issuer_dn() const
Definition: x509cert.cpp:410
const std::vector< uint8_t > & v2_issuer_key_id() const
Definition: x509cert.cpp:361
const std::vector< uint8_t > & raw_issuer_dn() const
Definition: x509cert.cpp:420

◆ load_data()

void Botan::X509_Object::load_data ( DataSource src)
protectedinherited

Decodes from src as either DER or PEM data, then calls force_decode()

Definition at line 52 of file x509_obj.cpp.

References Botan::PEM_Code::decode(), Botan::PEM_Code::matches(), Botan::ASN1::maybe_BER(), and Botan::Exception::what().

53  {
54  try {
55  if(ASN1::maybe_BER(in) && !PEM_Code::matches(in))
56  {
57  BER_Decoder dec(in);
58  decode_from(dec);
59  }
60  else
61  {
62  std::string got_label;
63  DataSource_Memory ber(PEM_Code::decode(in, got_label));
64 
65  if(got_label != PEM_label())
66  {
67  bool is_alternate = false;
68  for(std::string alt_label : alternate_PEM_labels())
69  {
70  if(got_label == alt_label)
71  {
72  is_alternate = true;
73  break;
74  }
75  }
76 
77  if(!is_alternate)
78  throw Decoding_Error("Unexpected PEM label for " + PEM_label() + " of " + got_label);
79  }
80 
81  BER_Decoder dec(ber);
82  decode_from(dec);
83  }
84  }
85  catch(Decoding_Error& e)
86  {
87  throw Decoding_Error(PEM_label() + " decoding failed: " + e.what());
88  }
89  }
virtual std::vector< std::string > alternate_PEM_labels() const
Definition: x509_obj.h:118
virtual std::string PEM_label() const =0
bool maybe_BER(DataSource &source)
Definition: asn1_obj.cpp:116
void decode_from(class BER_Decoder &from) override
Definition: x509_obj.cpp:106
bool matches(DataSource &source, const std::string &extra, size_t search_range)
Definition: pem.cpp:142
secure_vector< uint8_t > decode(DataSource &source, std::string &label)
Definition: pem.cpp:68

◆ load_subject_public_key()

std::unique_ptr< Public_Key > Botan::X509_Certificate::load_subject_public_key ( ) const

Create a public key object associated with the public key bits in this certificate. If the public key bits was valid for X.509 encoding purposes but invalid algorithmically (for example, RSA with an even modulus) that will be detected at this point, and an exception will be thrown.

Returns
subject public key of this certificate

Definition at line 629 of file x509cert.cpp.

References Botan::X509::load_key(), and Botan::ASN1::put_in_sequence().

630  {
631  try
632  {
633  return std::unique_ptr<Public_Key>(X509::load_key(ASN1::put_in_sequence(this->subject_public_key_bits())));
634  }
635  catch(std::exception& e)
636  {
637  throw Decoding_Error("X509_Certificate::load_subject_public_key", e.what());
638  }
639  }
const std::vector< uint8_t > & subject_public_key_bits() const
Definition: x509cert.cpp:371
std::vector< uint8_t > put_in_sequence(const std::vector< uint8_t > &contents)
Definition: asn1_obj.cpp:96
Public_Key * load_key(DataSource &source)
Definition: x509_key.cpp:37

◆ make_signed()

std::vector< uint8_t > Botan::X509_Object::make_signed ( class PK_Signer signer,
RandomNumberGenerator rng,
const AlgorithmIdentifier alg_id,
const secure_vector< uint8_t > &  tbs 
)
staticinherited

Create a signed X509 object.

Parameters
signerthe signer used to sign the object
rngthe random number generator to use
alg_idthe algorithm identifier of the signature scheme
tbsthe tbs bits to be signed
Returns
signed X509 object

Definition at line 271 of file x509_obj.cpp.

References Botan::BIT_STRING, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::get_contents_unlocked(), Botan::DER_Encoder::raw_bytes(), Botan::SEQUENCE, Botan::PK_Signer::sign_message(), and Botan::DER_Encoder::start_cons().

Referenced by Botan::X509::create_cert_req(), Botan::X509_CA::make_cert(), and Botan::X509_CA::update_crl().

275  {
276  const std::vector<uint8_t> signature = signer->sign_message(tbs_bits, rng);
277 
278  return DER_Encoder()
279  .start_cons(SEQUENCE)
280  .raw_bytes(tbs_bits)
281  .encode(algo)
282  .encode(signature, BIT_STRING)
283  .end_cons()
284  .get_contents_unlocked();
285  }
const std::vector< uint8_t > & signature() const
Definition: x509_obj.h:37

◆ matches_dns_name()

bool Botan::X509_Certificate::matches_dns_name ( const std::string &  name) const

Check if a certain DNS name matches up with the information in the cert

Parameters
nameDNS name to match

Definition at line 694 of file x509cert.cpp.

References Botan::host_wildcard_match().

695  {
696  if(name.empty())
697  return false;
698 
699  std::vector<std::string> issued_names = subject_info("DNS");
700 
701  // Fall back to CN only if no DNS names are set (RFC 6125 sec 6.4.4)
702  if(issued_names.empty())
703  issued_names = subject_info("Name");
704 
705  for(size_t i = 0; i != issued_names.size(); ++i)
706  {
707  if(host_wildcard_match(issued_names[i], name))
708  return true;
709  }
710 
711  return false;
712  }
bool host_wildcard_match(const std::string &issued, const std::string &host)
Definition: parsing.cpp:341
std::vector< std::string > subject_info(const std::string &name) const
Definition: x509cert.cpp:575

◆ name_constraints()

const NameConstraints & Botan::X509_Certificate::name_constraints ( ) const

Get the name constraints as defined in the NameConstraints extension of this certificate.

Returns
name constraints

Definition at line 455 of file x509cert.cpp.

456  {
457  return data().m_name_constraints;
458  }

◆ not_after()

const X509_Time & Botan::X509_Certificate::not_after ( ) const

Get the notAfter of the certificate as X509_Time

Returns
notAfter of the certificate

Definition at line 351 of file x509cert.cpp.

352  {
353  return data().m_not_after;
354  }

◆ not_before()

const X509_Time & Botan::X509_Certificate::not_before ( ) const

Get the notBefore of the certificate as X509_Time

Returns
notBefore of the certificate

Definition at line 346 of file x509cert.cpp.

347  {
348  return data().m_not_before;
349  }

◆ ocsp_responder()

std::string Botan::X509_Certificate::ocsp_responder ( ) const

Return the listed address of an OCSP responder, or empty if not set

Definition at line 543 of file x509cert.cpp.

Referenced by Botan::OCSP::Response::status_for().

544  {
545  return data().m_ocsp_responder;
546  }

◆ operator<()

bool Botan::X509_Certificate::operator< ( const X509_Certificate other) const

Impose an arbitrary (but consistent) ordering

Returns
true if this is less than other by some unspecified criteria

Definition at line 724 of file x509cert.cpp.

References Botan::X509_Object::signature(), and Botan::X509_Object::signed_body().

725  {
726  /* If signature values are not equal, sort by lexicographic ordering of that */
727  if(this->signature() != other.signature())
728  {
729  return (this->signature() < other.signature());
730  }
731 
732  // Then compare the signed contents
733  return this->signed_body() < other.signed_body();
734  }
const std::vector< uint8_t > & signature() const
Definition: x509_obj.h:37
const std::vector< uint8_t > & signed_body() const
Definition: x509_obj.h:42

◆ operator=()

X509_Certificate& Botan::X509_Certificate::operator= ( const X509_Certificate other)
default

◆ operator==()

bool Botan::X509_Certificate::operator== ( const X509_Certificate other) const

Check to certificates for equality.

Returns
true both certificates are (binary) equal

Definition at line 717 of file x509cert.cpp.

References Botan::X509_Object::signature(), Botan::X509_Object::signature_algorithm(), and Botan::X509_Object::signed_body().

718  {
719  return (this->signature() == other.signature() &&
720  this->signature_algorithm() == other.signature_algorithm() &&
721  this->signed_body() == other.signed_body());
722  }
const AlgorithmIdentifier & signature_algorithm() const
Definition: x509_obj.h:47
const std::vector< uint8_t > & signature() const
Definition: x509_obj.h:37
const std::vector< uint8_t > & signed_body() const
Definition: x509_obj.h:42

◆ path_limit()

uint32_t Botan::X509_Certificate::path_limit ( ) const

Get the path limit as defined in the BasicConstraints extension of this certificate.

Returns
path limit

Definition at line 435 of file x509cert.cpp.

436  {
437  return data().m_path_len_constraint;
438  }

◆ PEM_encode()

std::string Botan::X509_Object::PEM_encode ( ) const
inherited
Returns
PEM encoding of this

Definition at line 132 of file x509_obj.cpp.

References Botan::PKCS8::BER_encode(), and Botan::PEM_Code::encode().

133  {
135  }
virtual std::string PEM_label() const =0
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
Definition: pem.cpp:43
std::vector< uint8_t > BER_encode() const
Definition: x509_obj.cpp:122

◆ policies()

std::vector< std::string > Botan::X509_Certificate::policies ( ) const

Get the policies as defined in the CertificatePolicies extension of this certificate.

Returns
certificate policies

Definition at line 684 of file x509cert.cpp.

685  {
686  return lookup_oids(certificate_policy_oids());
687  }
const std::vector< OID > & certificate_policy_oids() const
Definition: x509cert.cpp:450

◆ raw_issuer_dn()

const std::vector< uint8_t > & Botan::X509_Certificate::raw_issuer_dn ( ) const

Raw issuer DN bits

Definition at line 420 of file x509cert.cpp.

Referenced by Botan::OCSP::CertID::is_id_for().

421  {
422  return data().m_issuer_dn_bits;
423  }

◆ raw_issuer_dn_sha256()

std::vector< uint8_t > Botan::X509_Certificate::raw_issuer_dn_sha256 ( ) const

SHA-256 of Raw issuer DN

Definition at line 641 of file x509cert.cpp.

References Botan::HashFunction::create_or_throw(), and hash.

642  {
643  std::unique_ptr<HashFunction> hash(HashFunction::create_or_throw("SHA-256"));
644  hash->update(raw_issuer_dn());
645  return hash->final_stdvec();
646  }
static std::unique_ptr< HashFunction > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:345
MechanismType hash
const std::vector< uint8_t > & raw_issuer_dn() const
Definition: x509cert.cpp:420

◆ raw_subject_dn()

const std::vector< uint8_t > & Botan::X509_Certificate::raw_subject_dn ( ) const

Raw subject DN

Definition at line 425 of file x509cert.cpp.

Referenced by Botan::OCSP::CertID::CertID().

426  {
427  return data().m_subject_dn_bits;
428  }

◆ raw_subject_dn_sha256()

std::vector< uint8_t > Botan::X509_Certificate::raw_subject_dn_sha256 ( ) const

SHA-256 of Raw subject DN

Definition at line 648 of file x509cert.cpp.

References Botan::HashFunction::create(), hash, and Botan::OIDS::oid2str().

649  {
650  std::unique_ptr<HashFunction> hash(HashFunction::create("SHA-256"));
651  hash->update(raw_subject_dn());
652  return hash->final_stdvec();
653  }
const std::vector< uint8_t > & raw_subject_dn() const
Definition: x509cert.cpp:425
static std::unique_ptr< HashFunction > create(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:106
MechanismType hash

◆ serial_number()

const std::vector< uint8_t > & Botan::X509_Certificate::serial_number ( ) const

Get the serial number of this certificate.

Returns
certificates serial number

Definition at line 399 of file x509cert.cpp.

Referenced by Botan::CRL_Entry::CRL_Entry(), Botan::OCSP::CertID::is_id_for(), Botan::X509_CRL::is_revoked(), and Botan::OCSP::Response::status_for().

400  {
401  return data().m_serial;
402  }

◆ signature()

const std::vector<uint8_t>& Botan::X509_Object::signature ( ) const
inlineinherited
Returns
signature on tbs_data()

Definition at line 37 of file x509_obj.h.

Referenced by operator<(), and operator==().

37 { return m_sig; }

◆ signature_algorithm()

const AlgorithmIdentifier& Botan::X509_Object::signature_algorithm ( ) const
inlineinherited
Returns
signature algorithm that was used to generate signature

Definition at line 47 of file x509_obj.h.

References Botan::PKCS8::BER_encode(), and Botan::PKCS8::PEM_encode().

Referenced by Botan::X509_CRL::is_revoked(), operator==(), Botan::X509_CA::X509_CA(), and X509_Certificate().

47 { return m_sig_algo; }

◆ signed_body()

const std::vector<uint8_t>& Botan::X509_Object::signed_body ( ) const
inlineinherited
Returns
signed body

Definition at line 42 of file x509_obj.h.

Referenced by Botan::X509_CRL::is_revoked(), operator<(), operator==(), and X509_Certificate().

42 { return m_tbs_bits; }

◆ start_time()

std::string Botan::X509_Certificate::start_time ( ) const
inline

Get the notBefore of the certificate as a string

Returns
notBefore of the certificate

Definition at line 151 of file x509cert.h.

152  {
153  return not_before().to_string();
154  }
std::string to_string() const
Return an internal string representation of the time.
Definition: asn1_time.cpp:53
const X509_Time & not_before() const
Definition: x509cert.cpp:346

◆ subject_alt_name()

const AlternativeName & Botan::X509_Certificate::subject_alt_name ( ) const

Definition at line 561 of file x509cert.cpp.

Referenced by Botan::GeneralName::matches().

562  {
563  return data().m_subject_alt_name;
564  }

◆ subject_dn()

const X509_DN & Botan::X509_Certificate::subject_dn ( ) const

Get the certificate's subject distinguished name (DN).

Returns
subject DN of this certificate

Definition at line 415 of file x509cert.cpp.

Referenced by Botan::Certificate_Store::certificate_known(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::GeneralName::matches(), Botan::Certificate_Store_In_SQL::remove_cert(), Botan::OCSP::Request::Request(), Botan::X509_CA::sign_request(), Botan::OCSP::Response::status_for(), and Botan::X509_CA::update_crl().

416  {
417  return data().m_subject_dn;
418  }

◆ subject_info()

std::vector< std::string > Botan::X509_Certificate::subject_info ( const std::string &  name) const

Get a value for a specific subject_info parameter name.

Parameters
namethe name of the parameter to look up. Possible names include "X509.Certificate.version", "X509.Certificate.serial", "X509.Certificate.start", "X509.Certificate.end", "X509.Certificate.v2.key_id", "X509.Certificate.public_key", "X509v3.BasicConstraints.path_constraint", "X509v3.BasicConstraints.is_ca", "X509v3.NameConstraints", "X509v3.ExtendedKeyUsage", "X509v3.CertificatePolicies", "X509v3.SubjectKeyIdentifier", "X509.Certificate.serial", "X520.CommonName", "X520.Organization", "X520.Country", "RFC822" (Email in SAN) or "PKCS9.EmailAddress" (Email in DN).
Returns
value(s) of the specified parameter

Definition at line 575 of file x509cert.cpp.

References Botan::hex_encode(), and Botan::ASN1::to_string().

576  {
577  if(subject_dn().has_field(req))
578  return subject_dn().get_attribute(req);
579 
580  if(subject_alt_name().has_field(req))
581  return subject_alt_name().get_attribute(req);
582 
583  // These will be removed later:
584  if(req == "X509.Certificate.v2.key_id")
585  return {hex_encode(this->v2_subject_key_id())};
586  if(req == "X509v3.SubjectKeyIdentifier")
587  return {hex_encode(this->subject_key_id())};
588  if(req == "X509.Certificate.dn_bits")
589  return {hex_encode(this->raw_subject_dn())};
590  if(req == "X509.Certificate.start")
591  return {not_before().to_string()};
592  if(req == "X509.Certificate.end")
593  return {not_after().to_string()};
594 
595  if(req == "X509.Certificate.version")
596  return {std::to_string(x509_version())};
597  if(req == "X509.Certificate.serial")
598  return {hex_encode(serial_number())};
599 
600  return data().m_subject_ds.get(req);
601  }
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
Definition: hex.cpp:14
const std::vector< uint8_t > & raw_subject_dn() const
Definition: x509cert.cpp:425
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:108
const std::vector< uint8_t > & subject_key_id() const
Definition: x509cert.cpp:394
uint32_t x509_version() const
Definition: x509cert.cpp:336
std::vector< std::string > get_attribute(const std::string &attr) const
Definition: x509_dn.cpp:113
const X509_DN & subject_dn() const
Definition: x509cert.cpp:415
const X509_Time & not_after() const
Definition: x509cert.cpp:351
std::vector< std::string > get_attribute(const std::string &attr) const
std::string to_string() const
Return an internal string representation of the time.
Definition: asn1_time.cpp:53
const X509_Time & not_before() const
Definition: x509cert.cpp:346
const std::vector< uint8_t > & serial_number() const
Definition: x509cert.cpp:399
const std::vector< uint8_t > & v2_subject_key_id() const
Definition: x509cert.cpp:366
const AlternativeName & subject_alt_name() const
Definition: x509cert.cpp:561

◆ subject_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_key_id ( ) const

Get the DER encoded SubjectKeyIdentifier of this certificate.

Returns
DER encoded SubjectKeyIdentifier

Definition at line 394 of file x509cert.cpp.

Referenced by Botan::Certificate_Store::certificate_known(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::Certificate_Store_In_SQL::remove_cert(), Botan::X509_CA::sign_request(), and Botan::X509_CA::update_crl().

395  {
396  return data().m_subject_key_id;
397  }

◆ subject_public_key()

Public_Key* Botan::X509_Certificate::subject_public_key ( ) const
inline

Return a newly allocated copy of the public key associated with the subject of this certificate. This object is owned by the caller.

Returns
public key

Definition at line 49 of file x509cert.h.

Referenced by Botan::TLS::Certificate_Verify::verify(), and Botan::OCSP::Response::verify_signature().

50  {
51  return load_subject_public_key().release();
52  }
std::unique_ptr< Public_Key > load_subject_public_key() const
Definition: x509cert.cpp:629

◆ subject_public_key_algo()

const AlgorithmIdentifier & Botan::X509_Certificate::subject_public_key_algo ( ) const

Return the algorithm identifier of the public key

Definition at line 356 of file x509cert.cpp.

357  {
358  return data().m_subject_public_key_algid;
359  }

◆ subject_public_key_bits()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_bits ( ) const

Get the public key associated with this certificate. This includes the outer AlgorithmIdentifier

Returns
subject public key of this certificate

Definition at line 371 of file x509cert.cpp.

372  {
373  return data().m_subject_public_key_bits;
374  }

◆ subject_public_key_bitstring()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_bitstring ( ) const

Get the bit string of the public key associated with this certificate

Returns
public key bits

Definition at line 376 of file x509cert.cpp.

Referenced by Botan::OCSP::CertID::CertID(), and Botan::OCSP::CertID::is_id_for().

377  {
378  return data().m_subject_public_key_bitstring;
379  }

◆ subject_public_key_bitstring_sha1()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_bitstring_sha1 ( ) const

Get the SHA-1 bit string of the public key associated with this certificate. This is used for OCSP among other protocols. This function will throw if SHA-1 is not available.

Returns
hash of subject public key of this certificate

Definition at line 381 of file x509cert.cpp.

382  {
383  if(data().m_subject_public_key_bitstring_sha1.empty())
384  throw Encoding_Error("X509_Certificate::subject_public_key_bitstring_sha1 called but SHA-1 disabled in build");
385 
386  return data().m_subject_public_key_bitstring_sha1;
387  }

◆ tbs_data()

std::vector< uint8_t > Botan::X509_Object::tbs_data ( ) const
inherited

The underlying data that is to be or was signed

Returns
data that is or was signed

Definition at line 140 of file x509_obj.cpp.

References Botan::ASN1::put_in_sequence().

141  {
142  return ASN1::put_in_sequence(m_tbs_bits);
143  }
std::vector< uint8_t > put_in_sequence(const std::vector< uint8_t > &contents)
Definition: asn1_obj.cpp:96

◆ to_string()

std::string Botan::X509_Certificate::to_string ( ) const
Returns
a free-form string describing the certificate

Definition at line 744 of file x509cert.cpp.

References Botan::OID::as_string(), Botan::CRL_SIGN, Botan::DATA_ENCIPHERMENT, Botan::DECIPHER_ONLY, Botan::DIGITAL_SIGNATURE, Botan::ENCIPHER_ONLY, Botan::NameConstraints::excluded(), Botan::AlgorithmIdentifier::get_oid(), Botan::hex_encode(), Botan::KEY_AGREEMENT, Botan::KEY_CERT_SIGN, Botan::KEY_ENCIPHERMENT, Botan::NO_CONSTRAINTS, Botan::NON_REPUDIATION, Botan::OIDS::oid2str(), Botan::X509::PEM_encode(), and Botan::NameConstraints::permitted().

745  {
746  std::ostringstream out;
747 
748  out << "Version: " << this->x509_version() << "\n";
749  out << "Subject: " << subject_dn() << "\n";
750  out << "Issuer: " << issuer_dn() << "\n";
751  out << "Issued: " << this->not_before().readable_string() << "\n";
752  out << "Expires: " << this->not_after().readable_string() << "\n";
753 
754  out << "Constraints:\n";
756  if(constraints == NO_CONSTRAINTS)
757  out << " None\n";
758  else
759  {
760  if(constraints & DIGITAL_SIGNATURE)
761  out << " Digital Signature\n";
762  if(constraints & NON_REPUDIATION)
763  out << " Non-Repudiation\n";
764  if(constraints & KEY_ENCIPHERMENT)
765  out << " Key Encipherment\n";
766  if(constraints & DATA_ENCIPHERMENT)
767  out << " Data Encipherment\n";
768  if(constraints & KEY_AGREEMENT)
769  out << " Key Agreement\n";
770  if(constraints & KEY_CERT_SIGN)
771  out << " Cert Sign\n";
772  if(constraints & CRL_SIGN)
773  out << " CRL Sign\n";
774  if(constraints & ENCIPHER_ONLY)
775  out << " Encipher Only\n";
776  if(constraints & DECIPHER_ONLY)
777  out << " Decipher Only\n";
778  }
779 
780  const std::vector<OID> policies = this->certificate_policy_oids();
781  if(!policies.empty())
782  {
783  out << "Policies: " << "\n";
784  for(auto oid : policies)
785  out << " " << oid.as_string() << "\n";
786  }
787 
788  std::vector<OID> ex_constraints = this->extended_key_usage();
789  if(!ex_constraints.empty())
790  {
791  out << "Extended Constraints:\n";
792  for(size_t i = 0; i != ex_constraints.size(); i++)
793  out << " " << OIDS::oid2str(ex_constraints[i]) << "\n";
794  }
795 
796  const NameConstraints& name_constraints = this->name_constraints();
797 
798  if(!name_constraints.permitted().empty() || !name_constraints.excluded().empty())
799  {
800  out << "Name Constraints:\n";
801 
802  if(!name_constraints.permitted().empty())
803  {
804  out << " Permit";
805  for(auto st: name_constraints.permitted())
806  {
807  out << " " << st.base();
808  }
809  out << "\n";
810  }
811 
812  if(!name_constraints.excluded().empty())
813  {
814  out << " Exclude";
815  for(auto st: name_constraints.excluded())
816  {
817  out << " " << st.base();
818  }
819  out << "\n";
820  }
821  }
822 
823  if(!ocsp_responder().empty())
824  out << "OCSP responder " << ocsp_responder() << "\n";
825 
826  std::vector<std::string> ca_issuers = this->ca_issuers();
827  if(!ca_issuers.empty())
828  {
829  out << "CA Issuers:\n";
830  for(size_t i = 0; i != ca_issuers.size(); i++)
831  out << " URI: " << ca_issuers[i] << "\n";
832  }
833 
834  if(!crl_distribution_point().empty())
835  out << "CRL " << crl_distribution_point() << "\n";
836 
837  out << "Signature algorithm: " <<
838  OIDS::oid2str(this->signature_algorithm().get_oid()) << "\n";
839 
840  out << "Serial number: " << hex_encode(this->serial_number()) << "\n";
841 
842  if(this->authority_key_id().size())
843  out << "Authority keyid: " << hex_encode(this->authority_key_id()) << "\n";
844 
845  if(this->subject_key_id().size())
846  out << "Subject keyid: " << hex_encode(this->subject_key_id()) << "\n";
847 
848  try
849  {
850  std::unique_ptr<Public_Key> pubkey(this->subject_public_key());
851  out << "Public Key [" << pubkey->algo_name() << "-" << pubkey->key_length() << "]\n\n";
852  out << X509::PEM_encode(*pubkey);
853  }
854  catch(Decoding_Error&)
855  {
856  const AlgorithmIdentifier& alg_id = this->subject_public_key_algo();
857  out << "Failed to decode key with oid " << alg_id.get_oid().as_string() << "\n";
858  }
859 
860  return out.str();
861  }
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
Definition: hex.cpp:14
std::vector< std::string > ex_constraints() const
Definition: x509cert.cpp:676
const AlgorithmIdentifier & signature_algorithm() const
Definition: x509_obj.h:47
std::string PEM_encode(const Public_Key &key)
Definition: x509_key.cpp:28
std::string crl_distribution_point() const
Definition: x509cert.cpp:553
Public_Key * subject_public_key() const
Definition: x509cert.h:49
const std::vector< OID > & certificate_policy_oids() const
Definition: x509cert.cpp:450
const std::vector< uint8_t > & authority_key_id() const
Definition: x509cert.cpp:389
const std::vector< uint8_t > & subject_key_id() const
Definition: x509cert.cpp:394
std::string ocsp_responder() const
Definition: x509cert.cpp:543
Key_Constraints constraints() const
Definition: x509cert.cpp:440
uint32_t x509_version() const
Definition: x509cert.cpp:336
const X509_DN & subject_dn() const
Definition: x509cert.cpp:415
const X509_Time & not_after() const
Definition: x509cert.cpp:351
const AlgorithmIdentifier & subject_public_key_algo() const
Definition: x509cert.cpp:356
std::string readable_string() const
Returns a human friendly string replesentation of no particular formatting.
Definition: asn1_time.cpp:93
std::vector< std::string > policies() const
Definition: x509cert.cpp:684
const std::vector< OID > & extended_key_usage() const
Definition: x509cert.cpp:445
const X509_DN & issuer_dn() const
Definition: x509cert.cpp:410
std::vector< std::string > ca_issuers() const
Definition: x509cert.cpp:548
std::string oid2str(const OID &oid)
Definition: oids.h:32
const X509_Time & not_before() const
Definition: x509cert.cpp:346
const NameConstraints & name_constraints() const
Definition: x509cert.cpp:455
const std::vector< uint8_t > & serial_number() const
Definition: x509cert.cpp:399

◆ v2_issuer_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::v2_issuer_key_id ( ) const

Return the v2 issuer key ID. v2 key IDs are almost never used, instead see v3_subject_key_id.

Definition at line 361 of file x509cert.cpp.

362  {
363  return data().m_v2_issuer_key_id;
364  }

◆ v2_subject_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::v2_subject_key_id ( ) const

Return the v2 subject key ID. v2 key IDs are almost never used, instead see v3_subject_key_id.

Definition at line 366 of file x509cert.cpp.

367  {
368  return data().m_v2_subject_key_id;
369  }

◆ v3_extensions()

const Extensions & Botan::X509_Certificate::v3_extensions ( ) const

Get all extensions of this certificate.

Returns
certificate extensions

Definition at line 460 of file x509cert.cpp.

461  {
462  return data().m_v3_extensions;
463  }

◆ verify_signature()

Certificate_Status_Code Botan::X509_Object::verify_signature ( const Public_Key key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data
Returns
status of the signature - OK if verified or otherwise an indicator of the problem preventing verification.

Definition at line 192 of file x509_obj.cpp.

References Botan::Public_Key::algo_name(), Botan::DER_SEQUENCE, hash_algo, Botan::IEEE_1363, Botan::OIDS::lookup(), Botan::Public_Key::message_parts(), Botan::SIGNATURE_ALGO_BAD_PARAMS, Botan::SIGNATURE_ALGO_UNKNOWN, Botan::SIGNATURE_ERROR, Botan::split_on(), Botan::ASN1::to_string(), Botan::UNTRUSTED_HASH, Botan::VERIFIED, and Botan::PK_Verifier::verify_message().

Referenced by X509_Certificate().

193  {
194  const std::vector<std::string> sig_info =
195  split_on(OIDS::lookup(m_sig_algo.get_oid()), '/');
196 
197  if(sig_info.size() != 2 || sig_info[0] != pub_key.algo_name())
199 
200  std::string padding = sig_info[1];
201  const Signature_Format format =
202  (pub_key.message_parts() >= 2) ? DER_SEQUENCE : IEEE_1363;
203 
204  if(padding == "EMSA4")
205  {
206  // "MUST contain RSASSA-PSS-params"
207  if(signature_algorithm().parameters.empty())
208  {
210  }
211 
212  Pss_params pss_parameter = decode_pss_params(signature_algorithm().parameters);
213 
214  // hash_algo must be SHA1, SHA2-224, SHA2-256, SHA2-384 or SHA2-512
215  const std::string hash_algo = OIDS::lookup(pss_parameter.hash_algo.oid);
216  if(hash_algo != "SHA-160" &&
217  hash_algo != "SHA-224" &&
218  hash_algo != "SHA-256" &&
219  hash_algo != "SHA-384" &&
220  hash_algo != "SHA-512")
221  {
223  }
224 
225  const std::string mgf_algo = OIDS::lookup(pss_parameter.mask_gen_algo.oid);
226  if(mgf_algo != "MGF1")
227  {
229  }
230 
231  // For MGF1, it is strongly RECOMMENDED that the underlying hash function be the same as the one identified by hashAlgorithm
232  // Must be SHA1, SHA2-224, SHA2-256, SHA2-384 or SHA2-512
233  if(pss_parameter.mask_gen_hash.oid != pss_parameter.hash_algo.oid)
234  {
236  }
237 
238  if(pss_parameter.trailer_field != 1)
239  {
241  }
242 
243  // salt_len is actually not used for verification. Length is inferred from the signature
244  padding += "(" + hash_algo + "," + mgf_algo + "," + std::to_string(pss_parameter.salt_len) + ")";
245  }
246 
247  try
248  {
249  PK_Verifier verifier(pub_key, padding, format);
250  const bool valid = verifier.verify_message(tbs_data(), signature());
251 
252  if(valid)
254  else
256  }
257  catch(Algorithm_Not_Found&)
258  {
260  }
261  catch(...)
262  {
263  // This shouldn't happen, fallback to generic signature error
265  }
266  }
const AlgorithmIdentifier & signature_algorithm() const
Definition: x509_obj.h:47
std::vector< uint8_t > parameters
Definition: alg_id.h:45
std::vector< std::string > split_on(const std::string &str, char delim)
Definition: parsing.cpp:142
Signature_Format
Definition: pubkey.h:27
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:108
const std::vector< uint8_t > & signature() const
Definition: x509_obj.h:37
std::vector< uint8_t > tbs_data() const
Definition: x509_obj.cpp:140
AlgorithmIdentifier hash_algo
Definition: x509_obj.cpp:22
const OID & get_oid() const
Definition: alg_id.h:37
std::string lookup(const OID &oid)
Definition: oids.cpp:18

◆ x509_version()

uint32_t Botan::X509_Certificate::x509_version ( ) const

Get the X509 version of this certificate object.

Returns
X509 version

Definition at line 336 of file x509cert.cpp.

337  {
338  return data().m_version;
339  }

The documentation for this class was generated from the following files: