Botan 3.9.0
Crypto and TLS for C&
Botan::X509_Certificate Class Reference

#include <x509cert.h>

Inheritance diagram for Botan::X509_Certificate:
Botan::X509_Object Botan::ASN1_Object

Public Member Functions

bool allowed_extended_usage (const OID &usage) const
bool allowed_extended_usage (std::string_view usage) const
bool allowed_usage (Key_Constraints usage) const
bool allowed_usage (Usage_Type usage) const
const std::vector< uint8_t > & authority_key_id () const
std::vector< uint8_t > BER_encode () const
std::vector< std::string > ca_issuers () const
const std::vector< OID > & certificate_policy_oids () const
bool check_signature (const Public_Key &key) const
Key_Constraints constraints () const
std::string crl_distribution_point () const
std::vector< std::string > crl_distribution_points () const
void decode_from (BER_Decoder &from) override
void encode_into (DER_Encoder &to) const override
const std::vector< OID > & extended_key_usage () const
std::string fingerprint (std::string_view hash_name="SHA-1") const
bool has_constraints (Key_Constraints constraints) const
bool has_ex_constraint (const OID &ex_constraint) const
bool has_ex_constraint (std::string_view ex_constraint) const
bool is_CA_cert () const
bool is_critical (std::string_view ex_name) const
bool is_self_signed () const
bool is_serial_negative () const
const AlternativeNameissuer_alt_name () const
const X509_DNissuer_dn () const
std::vector< std::string > issuer_info (std::string_view name) const
std::unique_ptr< Public_Keyload_subject_public_key () const
bool matches_dns_name (std::string_view name) const
const NameConstraintsname_constraints () const
const X509_Timenot_after () const
const X509_Timenot_before () const
std::string ocsp_responder () const
bool operator< (const X509_Certificate &other) const
X509_Certificateoperator= (const X509_Certificate &other)=default
X509_Certificateoperator= (X509_Certificate &&other)=default
bool operator== (const X509_Certificate &other) const
std::optional< size_t > path_length_constraint () const
uint32_t path_limit () const
std::string PEM_encode () const
const std::vector< uint8_t > & raw_issuer_dn () const
std::vector< uint8_t > raw_issuer_dn_sha256 () const
const std::vector< uint8_t > & raw_subject_dn () const
std::vector< uint8_t > raw_subject_dn_sha256 () const
const std::vector< uint8_t > & serial_number () const
const std::vector< uint8_t > & signature () const
const AlgorithmIdentifiersignature_algorithm () const
const std::vector< uint8_t > & signed_body () const
const AlternativeNamesubject_alt_name () const
const X509_DNsubject_dn () const
std::vector< std::string > subject_info (std::string_view name) const
const std::vector< uint8_t > & subject_key_id () const
std::unique_ptr< Public_Keysubject_public_key () const
const AlgorithmIdentifiersubject_public_key_algo () const
const std::vector< uint8_t > & subject_public_key_bits () const
const std::vector< uint8_t > & subject_public_key_bitstring () const
const std::vector< uint8_t > & subject_public_key_bitstring_sha1 () const
const std::vector< uint8_t > & subject_public_key_info () const
std::vector< uint8_t > tbs_data () const
std::string to_string () const
const std::vector< uint8_t > & v2_issuer_key_id () const
const std::vector< uint8_t > & v2_subject_key_id () const
const Extensionsv3_extensions () const
std::pair< Certificate_Status_Code, std::string > verify_signature (const Public_Key &key) const
 X509_Certificate ()=default
 X509_Certificate (const std::vector< uint8_t > &in)
 X509_Certificate (const uint8_t data[], size_t length)
 X509_Certificate (const X509_Certificate &other)=default
 X509_Certificate (DataSource &source)
 X509_Certificate (X509_Certificate &&other)=default
uint32_t x509_version () const
 ~X509_Certificate () override

Static Public Member Functions

static std::unique_ptr< PK_Signerchoose_sig_format (const Private_Key &key, RandomNumberGenerator &rng, std::string_view hash_fn, std::string_view padding_algo)
static std::vector< uint8_t > make_signed (PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &tbs)

Protected Member Functions

void load_data (DataSource &src)

Detailed Description

This class represents an X.509 Certificate

Definition at line 36 of file x509cert.h.

Constructor & Destructor Documentation

◆ X509_Certificate() [1/6]

Botan::X509_Certificate::X509_Certificate ( DataSource & source)
explicit

Create a certificate from a data source providing the DER or PEM encoded certificate.

Parameters
sourcethe data source

Definition at line 81 of file x509cert.cpp.

81 {
82 load_data(src);
83}
void load_data(DataSource &src)
Definition x509_obj.cpp:24

References Botan::X509_Object::load_data().

Referenced by operator<(), operator=(), operator=(), operator==(), X509_Certificate(), and X509_Certificate().

◆ X509_Certificate() [2/6]

Botan::X509_Certificate::X509_Certificate ( const std::vector< uint8_t > & in)
explicit

Create a certificate from a buffer

Parameters
inthe buffer containing the DER-encoded certificate

Definition at line 85 of file x509cert.cpp.

85 {
86 DataSource_Memory src(vec.data(), vec.size());
87 load_data(src);
88}

References Botan::X509_Object::load_data().

◆ X509_Certificate() [3/6]

Botan::X509_Certificate::X509_Certificate ( const uint8_t data[],
size_t length )

Create a certificate from a buffer

Parameters
datathe buffer containing the DER-encoded certificate
lengthlength of data in bytes

Definition at line 90 of file x509cert.cpp.

90 {
91 DataSource_Memory src(data, len);
92 load_data(src);
93}

References Botan::X509_Object::load_data().

◆ X509_Certificate() [4/6]

Botan::X509_Certificate::X509_Certificate ( )
default

Create an uninitialized certificate object. Any attempts to access this object will throw an exception.

◆ X509_Certificate() [5/6]

Botan::X509_Certificate::X509_Certificate ( const X509_Certificate & other)
default

References X509_Certificate().

◆ X509_Certificate() [6/6]

Botan::X509_Certificate::X509_Certificate ( X509_Certificate && other)
default

References X509_Certificate().

◆ ~X509_Certificate()

Botan::X509_Certificate::~X509_Certificate ( )
overridedefault

Member Function Documentation

◆ allowed_extended_usage() [1/2]

bool Botan::X509_Certificate::allowed_extended_usage ( const OID & usage) const

Returns true if the specified usage is set in the extended key usage extension, or if no extended key usage constraints are set at all. To check if a certain extended key constraint is set in the certificate use

See also
X509_Certificate::has_ex_constraint.

Definition at line 479 of file x509cert.cpp.

479 {
480 const std::vector<OID>& ex = extended_key_usage();
481 if(ex.empty()) {
482 return true;
483 }
484
485 if(std::find(ex.begin(), ex.end(), usage) != ex.end()) {
486 return true;
487 }
488
489 return false;
490}
const std::vector< OID > & extended_key_usage() const
Definition x509cert.cpp:447

References extended_key_usage().

◆ allowed_extended_usage() [2/2]

bool Botan::X509_Certificate::allowed_extended_usage ( std::string_view usage) const

Returns true if the specified

Parameters
usageis set in the extended key usage extension or if no extended key usage constraints are set at all. To check if a certain extended key constraint is set in the certificate use
See also
X509_Certificate::has_ex_constraint.

Definition at line 475 of file x509cert.cpp.

475 {
477}
static OID from_string(std::string_view str)
Definition asn1_oid.cpp:86
bool allowed_extended_usage(std::string_view usage) const
Definition x509cert.cpp:475

References allowed_extended_usage(), and Botan::OID::from_string().

Referenced by allowed_extended_usage(), and allowed_usage().

◆ allowed_usage() [1/2]

bool Botan::X509_Certificate::allowed_usage ( Key_Constraints usage) const

Returns true if the specified

Parameters
usageis set in the key usage extension or if no key usage constraints are set at all. To check if a certain key constraint is set in the certificate use
See also
X509_Certificate::has_constraints.

Definition at line 468 of file x509cert.cpp.

468 {
469 if(constraints().empty()) {
470 return true;
471 }
472 return constraints().includes(usage);
473}
bool includes(Key_Constraints::Bits other) const
Definition pkix_enums.h:171
Key_Constraints constraints() const
Definition x509cert.cpp:443

References constraints(), and Botan::Key_Constraints::includes().

Referenced by allowed_usage(), and Botan::PKIX::check_crl().

◆ allowed_usage() [2/2]

bool Botan::X509_Certificate::allowed_usage ( Usage_Type usage) const

Returns true if the required key and extended key constraints are set in the certificate for the specified

Parameters
usageor if no key constraints are set in both the key usage and extended key usage extension.

Definition at line 492 of file x509cert.cpp.

492 {
493 // These follow suggestions in RFC 5280 4.2.1.12
494
495 switch(usage) {
497 return true;
498
502 allowed_extended_usage("PKIX.ServerAuth");
503
506 allowed_extended_usage("PKIX.ClientAuth");
507
510 has_ex_constraint("PKIX.OCSPSigning");
511
513 return is_CA_cert();
514
517 }
518
519 return false;
520}
bool is_CA_cert() const
Definition x509cert.cpp:423
bool has_ex_constraint(std::string_view ex_constraint) const
Definition x509cert.cpp:522
bool allowed_usage(Key_Constraints usage) const
Definition x509cert.cpp:468

References allowed_extended_usage(), allowed_usage(), Botan::CERTIFICATE_AUTHORITY, Botan::Key_Constraints::DataEncipherment, Botan::Key_Constraints::DigitalSignature, Botan::ENCRYPTION, has_ex_constraint(), is_CA_cert(), Botan::Key_Constraints::KeyAgreement, Botan::Key_Constraints::KeyEncipherment, Botan::Key_Constraints::NonRepudiation, Botan::OCSP_RESPONDER, Botan::TLS_CLIENT_AUTH, Botan::TLS_SERVER_AUTH, and Botan::UNSPECIFIED.

◆ authority_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::authority_key_id ( ) const

Get the DER encoded AuthorityKeyIdentifier of this certificate.

Returns
DER encoded AuthorityKeyIdentifier

Definition at line 391 of file x509cert.cpp.

391 {
392 return data().m_authority_key_id;
393}

Referenced by Botan::PKIX::build_certificate_path(), Botan::Certificate_Store_In_Memory::find_crl_for(), Botan::X509_CRL::is_revoked(), and to_string().

◆ BER_encode()

std::vector< uint8_t > Botan::ASN1_Object::BER_encode ( ) const
inherited

Return the encoding of this object. This is a convenience method when just one object needs to be serialized. Use DER_Encoder for complicated encodings.

Definition at line 19 of file asn1_obj.cpp.

19 {
20 std::vector<uint8_t> output;
21 DER_Encoder der(output);
22 this->encode_into(der);
23 return output;
24}
virtual void encode_into(DER_Encoder &to) const =0

References encode_into().

Referenced by decode_from(), Botan::Certificate_Store_In_SQL::find_all_certs(), Botan::Certificate_Store_In_SQL::find_cert(), Botan::X509_Certificate::fingerprint(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::X509_Object::PEM_encode(), Botan::PSS_Params::PSS_Params(), and Botan::Certificate_Store_In_SQL::revoke_cert().

◆ ca_issuers()

std::vector< std::string > Botan::X509_Certificate::ca_issuers ( ) const

Return the listed addresses of ca issuers, or empty if not set

Definition at line 542 of file x509cert.cpp.

542 {
543 return data().m_ca_issuers;
544}

Referenced by to_string().

◆ certificate_policy_oids()

const std::vector< OID > & Botan::X509_Certificate::certificate_policy_oids ( ) const

Get the policies as defined in the CertificatePolicies extension of this certificate.

Returns
certificate policies

Definition at line 451 of file x509cert.cpp.

451 {
452 return data().m_cert_policies;
453}

Referenced by to_string().

◆ check_signature()

bool Botan::X509_Object::check_signature ( const Public_Key & key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data
Returns
true if the signature is valid, otherwise false

Definition at line 97 of file x509_obj.cpp.

97 {
98 const auto result = this->verify_signature(pub_key);
99 return (result.first == Certificate_Status_Code::VERIFIED);
100}
std::pair< Certificate_Status_Code, std::string > verify_signature(const Public_Key &key) const
Definition x509_obj.cpp:102

References Botan::VERIFIED, and verify_signature().

◆ choose_sig_format()

std::unique_ptr< PK_Signer > Botan::X509_Object::choose_sig_format ( const Private_Key & key,
RandomNumberGenerator & rng,
std::string_view hash_fn,
std::string_view padding_algo )
staticinherited

Choose and return a signature scheme appropriate for X.509 signing using the provided parameters.

Parameters
keywill be the key to choose a padding scheme for
rngthe random generator to use
hash_fnis the desired hash function
padding_algospecifies the padding method
Returns
a PK_Signer object for generating signatures

Definition at line 209 of file x509_obj.cpp.

212 {
213 const Signature_Format format = key._default_x509_signature_format();
214
215 if(!user_specified_padding.empty()) {
216 try {
217 auto pk_signer = std::make_unique<PK_Signer>(key, rng, user_specified_padding, format);
218 if(!hash_fn.empty() && pk_signer->hash_function() != hash_fn) {
219 throw Invalid_Argument(format_padding_error_message(
220 key.algo_name(), pk_signer->hash_function(), hash_fn, "", user_specified_padding));
221 }
222 return pk_signer;
223 } catch(Lookup_Error&) {}
224 }
225
226 const std::string padding = x509_signature_padding_for(key.algo_name(), hash_fn, user_specified_padding);
227
228 try {
229 auto pk_signer = std::make_unique<PK_Signer>(key, rng, padding, format);
230 if(!hash_fn.empty() && pk_signer->hash_function() != hash_fn) {
231 throw Invalid_Argument(format_padding_error_message(
232 key.algo_name(), pk_signer->hash_function(), hash_fn, padding, user_specified_padding));
233 }
234 return pk_signer;
235 } catch(Not_Implemented&) {
236 throw Invalid_Argument("Signatures using " + key.algo_name() + "/" + padding + " are not supported");
237 }
238}
Signature_Format
Definition pk_keys.h:32

References Botan::Asymmetric_Key::_default_x509_signature_format(), and Botan::Asymmetric_Key::algo_name().

Referenced by Botan::PKCS10_Request::create(), Botan::X509::create_self_signed_cert(), and Botan::X509_CA::X509_CA().

◆ constraints()

Key_Constraints Botan::X509_Certificate::constraints ( ) const

Get the key constraints as defined in the KeyUsage extension of this certificate.

Returns
key constraints

Definition at line 443 of file x509cert.cpp.

443 {
444 return data().m_key_constraints;
445}

Referenced by allowed_usage(), has_constraints(), and to_string().

◆ crl_distribution_point()

std::string Botan::X509_Certificate::crl_distribution_point ( ) const

Return the CRL distribution point, or empty if not set

Definition at line 550 of file x509cert.cpp.

550 {
551 // just returns the first (arbitrarily)
552 if(!data().m_crl_distribution_points.empty()) {
553 return data().m_crl_distribution_points[0];
554 }
555 return "";
556}

◆ crl_distribution_points()

std::vector< std::string > Botan::X509_Certificate::crl_distribution_points ( ) const

Return the CRL distribution points, or empty if not set

Definition at line 546 of file x509cert.cpp.

546 {
547 return data().m_crl_distribution_points;
548}

Referenced by Botan::PKIX::check_crl(), and to_string().

◆ decode_from()

void Botan::X509_Object::decode_from ( BER_Decoder & from)
overridevirtualinherited

Decode a BER encoded X509_Object See ASN1_Object::decode_from()

Implements Botan::ASN1_Object.

Definition at line 68 of file x509_obj.cpp.

68 {
69 from.start_sequence()
70 .start_sequence()
71 .raw_bytes(m_tbs_bits)
72 .end_cons()
73 .decode(m_sig_algo)
74 .decode(m_sig, ASN1_Type::BitString)
75 .end_cons();
76
77 force_decode();
78}

References Botan::BitString, Botan::BER_Decoder::decode(), Botan::BER_Decoder::end_cons(), Botan::BER_Decoder::raw_bytes(), and Botan::BER_Decoder::start_sequence().

Referenced by load_data().

◆ encode_into()

void Botan::X509_Object::encode_into ( DER_Encoder & to) const
overridevirtualinherited

DER encode an X509_Object See ASN1_Object::encode_into()

Implements Botan::ASN1_Object.

Definition at line 55 of file x509_obj.cpp.

55 {
56 to.start_sequence()
57 .start_sequence()
58 .raw_bytes(signed_body())
59 .end_cons()
60 .encode(signature_algorithm())
62 .end_cons();
63}
const std::vector< uint8_t > & signed_body() const
Definition x509_obj.h:45
const AlgorithmIdentifier & signature_algorithm() const
Definition x509_obj.h:50
const std::vector< uint8_t > & signature() const
Definition x509_obj.h:40

References Botan::BitString, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), signature(), signature_algorithm(), signed_body(), and Botan::DER_Encoder::start_sequence().

◆ extended_key_usage()

const std::vector< OID > & Botan::X509_Certificate::extended_key_usage ( ) const

Get the key usage as defined in the ExtendedKeyUsage extension of this certificate, or else an empty vector.

Returns
key usage

Definition at line 447 of file x509cert.cpp.

447 {
448 return data().m_extended_key_usage;
449}

Referenced by allowed_extended_usage(), has_ex_constraint(), and to_string().

◆ fingerprint()

std::string Botan::X509_Certificate::fingerprint ( std::string_view hash_name = "SHA-1") const
Returns
a fingerprint of the certificate
Parameters
hash_namehash function used to calculate the fingerprint

Definition at line 635 of file x509cert.cpp.

635 {
636 /*
637 * The SHA-1 and SHA-256 fingerprints are precomputed since these
638 * are the most commonly used. Especially, SHA-256 fingerprints are
639 * used for cycle detection during path construction.
640 *
641 * If SHA-1 or SHA-256 was missing at parsing time the vectors are
642 * left empty in which case we fall back to create_hex_fingerprint
643 * which will throw if the hash is unavailable.
644 */
645 if(hash_name == "SHA-256" && !data().m_fingerprint_sha256.empty()) {
646 return data().m_fingerprint_sha256;
647 } else if(hash_name == "SHA-1" && !data().m_fingerprint_sha1.empty()) {
648 return data().m_fingerprint_sha1;
649 } else {
650 return create_hex_fingerprint(this->BER_encode(), hash_name);
651 }
652}
std::vector< uint8_t > BER_encode() const
Definition asn1_obj.cpp:19
std::string create_hex_fingerprint(const uint8_t bits[], size_t bits_len, std::string_view hash_name)
Definition pk_keys.cpp:38

References Botan::ASN1_Object::BER_encode(), and Botan::create_hex_fingerprint().

Referenced by Botan::Certificate_Store_In_SQL::affirm_cert(), Botan::PKIX::build_certificate_path(), Botan::Certificate_Store_In_SQL::find_key(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::Certificate_Store_In_SQL::insert_key(), Botan::Certificate_Store_In_SQL::remove_cert(), and Botan::Certificate_Store_In_SQL::revoke_cert().

◆ has_constraints()

bool Botan::X509_Certificate::has_constraints ( Key_Constraints constraints) const

Returns true if and only if the specified

Parameters
constraintsare included in the key usage extension.

Typically for applications you want allowed_usage instead.

Definition at line 463 of file x509cert.cpp.

463 {
464 // Unlike allowed_usage, returns false if constraints was not set
465 return constraints().includes(usage);
466}

References constraints(), and Botan::Key_Constraints::includes().

◆ has_ex_constraint() [1/2]

bool Botan::X509_Certificate::has_ex_constraint ( const OID & ex_constraint) const

Returns true if and only if OID

Parameters
ex_constraintis included in the extended key extension.

Definition at line 526 of file x509cert.cpp.

526 {
527 const std::vector<OID>& ex = extended_key_usage();
528 return (std::find(ex.begin(), ex.end(), usage) != ex.end());
529}

References extended_key_usage().

◆ has_ex_constraint() [2/2]

bool Botan::X509_Certificate::has_ex_constraint ( std::string_view ex_constraint) const

Returns true if and only if OID

Parameters
ex_constraintis included in the extended key extension.

Definition at line 522 of file x509cert.cpp.

522 {
523 return has_ex_constraint(OID::from_string(ex_constraint));
524}

References Botan::OID::from_string(), and has_ex_constraint().

Referenced by allowed_usage(), and has_ex_constraint().

◆ is_CA_cert()

bool Botan::X509_Certificate::is_CA_cert ( ) const

Check whether this certificate is a CA certificate.

Returns
true if this certificate is a CA certificate

Definition at line 423 of file x509cert.cpp.

423 {
424 if(data().m_version < 3 && data().m_self_signed) {
425 return true;
426 }
427
428 return data().m_is_ca_certificate;
429}

Referenced by allowed_usage(), Botan::PKIX::check_chain(), Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store(), and Botan::Cert_Extension::Name_Constraints::validate().

◆ is_critical()

bool Botan::X509_Certificate::is_critical ( std::string_view ex_name) const

Check whenever a given X509 Extension is marked critical in this certificate.

Definition at line 534 of file x509cert.cpp.

534 {
536}
bool critical_extension_set(const OID &oid) const
Definition x509_ext.cpp:192
const Extensions & v3_extensions() const
Definition x509cert.cpp:459

References Botan::Extensions::critical_extension_set(), Botan::OID::from_string(), and v3_extensions().

Referenced by Botan::Cert_Extension::Name_Constraints::validate().

◆ is_self_signed()

bool Botan::X509_Certificate::is_self_signed ( ) const

Check whether this certificate is self signed. If the DN issuer and subject agree,

Returns
true if this certificate is self signed

Definition at line 347 of file x509cert.cpp.

347 {
348 return data().m_self_signed;
349}

Referenced by Botan::PKIX::build_certificate_path(), Botan::PKIX::check_chain(), Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store(), and to_string().

◆ is_serial_negative()

bool Botan::X509_Certificate::is_serial_negative ( ) const

Get the serial number's sign

Returns
1 iff the serial is negative.

Definition at line 403 of file x509cert.cpp.

403 {
404 return data().m_serial_negative;
405}

Referenced by Botan::PKIX::check_chain().

◆ issuer_alt_name()

const AlternativeName & Botan::X509_Certificate::issuer_alt_name ( ) const

Return the issuer alternative names (DNS, IP, ...)

Definition at line 562 of file x509cert.cpp.

562 {
563 return data().m_issuer_alt_name;
564}

Referenced by issuer_info().

◆ issuer_dn()

const X509_DN & Botan::X509_Certificate::issuer_dn ( ) const

Get the certificate's issuer distinguished name (DN).

Returns
issuer DN of this certificate

Definition at line 407 of file x509cert.cpp.

407 {
408 return data().m_issuer_dn;
409}

Referenced by Botan::PKIX::build_certificate_path(), Botan::PKIX::check_chain(), Botan::Certificate_Store_In_Memory::find_crl_for(), Botan::Certificate_Store_In_SQL::find_crl_for(), Botan::X509_CRL::is_revoked(), issuer_info(), Botan::OCSP::Request::Request(), and to_string().

◆ issuer_info()

std::vector< std::string > Botan::X509_Certificate::issuer_info ( std::string_view name) const

Get a value for a specific subject_info parameter name.

Parameters
namethe name of the parameter to look up. Possible names are "X509.Certificate.v2.key_id" or "X509v3.AuthorityKeyIdentifier".
Returns
value(s) of the specified parameter

Definition at line 602 of file x509cert.cpp.

602 {
603 return get_cert_user_info(req, issuer_dn(), issuer_alt_name());
604}
const AlternativeName & issuer_alt_name() const
Definition x509cert.cpp:562
const X509_DN & issuer_dn() const
Definition x509cert.cpp:407

References issuer_alt_name(), and issuer_dn().

◆ load_data()

void Botan::X509_Object::load_data ( DataSource & src)
protectedinherited

Decodes from src as either DER or PEM data, then calls force_decode()

Definition at line 24 of file x509_obj.cpp.

24 {
25 try {
26 if(ASN1::maybe_BER(in) && !PEM_Code::matches(in)) {
27 BER_Decoder dec(in);
28 decode_from(dec);
29 } else {
30 std::string got_label;
31 DataSource_Memory ber(PEM_Code::decode(in, got_label));
32
33 if(got_label != PEM_label()) {
34 bool is_alternate = false;
35 for(std::string_view alt_label : alternate_PEM_labels()) {
36 if(got_label == alt_label) {
37 is_alternate = true;
38 break;
39 }
40 }
41
42 if(!is_alternate) {
43 throw Decoding_Error("Unexpected PEM label for " + PEM_label() + " of " + got_label);
44 }
45 }
46
47 BER_Decoder dec(ber);
48 decode_from(dec);
49 }
50 } catch(Decoding_Error& e) {
51 throw Decoding_Error(PEM_label() + " decoding", e);
52 }
53}
void decode_from(BER_Decoder &from) override
Definition x509_obj.cpp:68
virtual std::vector< std::string > alternate_PEM_labels() const
Definition x509_obj.h:101
virtual std::string PEM_label() const =0
BOTAN_FORCE_INLINE BOTAN_FN_ISA_AES void dec(uint8x16_t &B, uint8x16_t K)
Definition aes_armv8.cpp:45
bool maybe_BER(DataSource &source)
Definition asn1_obj.cpp:192
bool matches(DataSource &source, std::string_view extra, size_t search_range)
Definition pem.cpp:140
secure_vector< uint8_t > decode(DataSource &source, std::string &label)
Definition pem.cpp:62

References alternate_PEM_labels(), Botan::PEM_Code::decode(), decode_from(), Botan::PEM_Code::matches(), Botan::ASN1::maybe_BER(), and PEM_label().

Referenced by Botan::PKCS10_Request::PKCS10_Request(), Botan::PKCS10_Request::PKCS10_Request(), Botan::X509_Certificate::X509_Certificate(), Botan::X509_Certificate::X509_Certificate(), Botan::X509_Certificate::X509_Certificate(), Botan::X509_CRL::X509_CRL(), Botan::X509_CRL::X509_CRL(), and X509_Object().

◆ load_subject_public_key()

std::unique_ptr< Public_Key > Botan::X509_Certificate::load_subject_public_key ( ) const

Create a public key object associated with the public key bits in this certificate. If the public key bits was valid for X.509 encoding purposes but invalid algorithmically (for example, RSA with an even modulus) that will be detected at this point, and an exception will be thrown.

Returns
subject public key of this certificate

Definition at line 617 of file x509cert.cpp.

617 {
618 return this->subject_public_key();
619}
std::unique_ptr< Public_Key > subject_public_key() const
Definition x509cert.cpp:609

References subject_public_key().

◆ make_signed()

std::vector< uint8_t > Botan::X509_Object::make_signed ( PK_Signer & signer,
RandomNumberGenerator & rng,
const AlgorithmIdentifier & alg_id,
const secure_vector< uint8_t > & tbs )
staticinherited

Create a signed X509 object.

Parameters
signerthe signer used to sign the object
rngthe random number generator to use
alg_idthe algorithm identifier of the signature scheme
tbsthe tbs bits to be signed
Returns
signed X509 object

Definition at line 125 of file x509_obj.cpp.

128 {
129 const std::vector<uint8_t> signature = signer.sign_message(tbs_bits, rng);
130
131 std::vector<uint8_t> output;
132 DER_Encoder(output)
133 .start_sequence()
134 .raw_bytes(tbs_bits)
135 .encode(algo)
137 .end_cons();
138
139 return output;
140}

References Botan::BitString, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), Botan::PK_Signer::sign_message(), signature(), and Botan::DER_Encoder::start_sequence().

Referenced by Botan::PKCS10_Request::create(), and Botan::X509_CA::make_cert().

◆ matches_dns_name()

bool Botan::X509_Certificate::matches_dns_name ( std::string_view name) const

Check if a certain DNS name matches up with the information in the cert

Parameters
nameDNS name to match

Note: this will also accept a dotted quad input, in which case the SAN for IPv4 addresses will be checked.

Definition at line 654 of file x509cert.cpp.

654 {
655 if(name.empty()) {
656 return false;
657 }
658
659 if(auto req_ipv4 = string_to_ipv4(name)) {
660 const auto& ipv4_names = subject_alt_name().ipv4_address();
661 return ipv4_names.contains(req_ipv4.value());
662 } else {
663 auto issued_names = subject_info("DNS");
664
665 // Fall back to CN only if no SAN is included
666 if(!data().m_subject_alt_name_exists) {
667 issued_names = subject_info("Name");
668 }
669
670 for(const auto& issued_name : issued_names) {
671 if(host_wildcard_match(issued_name, name)) {
672 return true;
673 }
674 }
675 }
676
677 return false;
678}
const std::set< uint32_t > & ipv4_address() const
Return the set of IPv4 addresses included in this alternative name.
Definition pkix_types.h:164
std::vector< std::string > subject_info(std::string_view name) const
Definition x509cert.cpp:595
const AlternativeName & subject_alt_name() const
Definition x509cert.cpp:558
bool host_wildcard_match(std::string_view issued_, std::string_view host_)
Definition parsing.cpp:252
std::optional< uint32_t > string_to_ipv4(std::string_view str)
Definition parsing.cpp:156

References Botan::host_wildcard_match(), Botan::AlternativeName::ipv4_address(), Botan::string_to_ipv4(), subject_alt_name(), and subject_info().

◆ name_constraints()

const NameConstraints & Botan::X509_Certificate::name_constraints ( ) const

Get the name constraints as defined in the NameConstraints extension of this certificate.

Returns
name constraints

Definition at line 455 of file x509cert.cpp.

455 {
456 return data().m_name_constraints;
457}

Referenced by to_string().

◆ not_after()

const X509_Time & Botan::X509_Certificate::not_after ( ) const

Get the notAfter of the certificate as X509_Time

Returns
notAfter of the certificate

Definition at line 355 of file x509cert.cpp.

355 {
356 return data().m_not_after;
357}

Referenced by Botan::PKIX::check_chain(), and to_string().

◆ not_before()

const X509_Time & Botan::X509_Certificate::not_before ( ) const

Get the notBefore of the certificate as X509_Time

Returns
notBefore of the certificate

Definition at line 351 of file x509cert.cpp.

351 {
352 return data().m_not_before;
353}

Referenced by Botan::PKIX::check_chain(), and to_string().

◆ ocsp_responder()

std::string Botan::X509_Certificate::ocsp_responder ( ) const

Return the listed address of an OCSP responder, or empty if not set

Definition at line 538 of file x509cert.cpp.

538 {
539 return data().m_ocsp_responder;
540}

Referenced by to_string().

◆ operator<()

bool Botan::X509_Certificate::operator< ( const X509_Certificate & other) const

Impose an arbitrary (but consistent) ordering, eg to allow sorting a container of certificate objects.

Returns
true if this is less than other by some unspecified criteria

Definition at line 688 of file x509cert.cpp.

688 {
689 /* If signature values are not equal, sort by lexicographic ordering of that */
690 if(this->signature() != other.signature()) {
691 return (this->signature() < other.signature());
692 }
693
694 // Then compare the signed contents
695 return this->signed_body() < other.signed_body();
696}

References Botan::X509_Object::signature(), Botan::X509_Object::signed_body(), and X509_Certificate().

◆ operator=() [1/2]

X509_Certificate & Botan::X509_Certificate::operator= ( const X509_Certificate & other)
default

References X509_Certificate().

◆ operator=() [2/2]

X509_Certificate & Botan::X509_Certificate::operator= ( X509_Certificate && other)
default

References X509_Certificate().

◆ operator==()

bool Botan::X509_Certificate::operator== ( const X509_Certificate & other) const

Check to certificates for equality.

Returns
true both certificates are (binary) equal

Definition at line 683 of file x509cert.cpp.

683 {
684 return (this->signature() == other.signature() && this->signature_algorithm() == other.signature_algorithm() &&
685 this->signed_body() == other.signed_body());
686}

References Botan::X509_Object::signature(), Botan::X509_Object::signature_algorithm(), Botan::X509_Object::signed_body(), and X509_Certificate().

◆ path_length_constraint()

std::optional< size_t > Botan::X509_Certificate::path_length_constraint ( ) const

Get the path length constraint as defined in the BasicConstraints extension.

Returns nullopt if either the extension is not set in the certificate, or if the pathLenConstraint field was absent from the extension.

Returns
path limit

Definition at line 439 of file x509cert.cpp.

439 {
440 return data().m_path_len_constraint;
441}

Referenced by Botan::PKIX::check_chain().

◆ path_limit()

uint32_t Botan::X509_Certificate::path_limit ( ) const

Get the path length constraint as defined in the BasicConstraints extension.

This returns an arbitrary value if the extension is not set (either 32 for v1 self-signed certificates, or else Cert_Extension::NO_CERT_PATH_LIMIT for v3 certificates without the extension)

Prefer path_length_constraint

Returns
path limit

Definition at line 431 of file x509cert.cpp.

431 {
432 if(data().m_version < 3 && data().m_self_signed) {
433 return 32; // in theory infinite, but this is more than enough
434 }
435
436 return static_cast<uint32_t>(data().m_path_len_constraint.value_or(Cert_Extension::NO_CERT_PATH_LIMIT));
437}

◆ PEM_encode()

std::string Botan::X509_Object::PEM_encode ( ) const
inherited
Returns
PEM encoding of this

Definition at line 83 of file x509_obj.cpp.

83 {
85}
std::string encode(const uint8_t der[], size_t length, std::string_view label, size_t width)
Definition pem.cpp:39

References Botan::ASN1_Object::BER_encode(), Botan::PEM_Code::encode(), and PEM_label().

◆ raw_issuer_dn()

const std::vector< uint8_t > & Botan::X509_Certificate::raw_issuer_dn ( ) const

Raw issuer DN bits

Definition at line 415 of file x509cert.cpp.

415 {
416 return data().m_issuer_dn_bits;
417}

Referenced by Botan::OCSP::CertID::is_id_for().

◆ raw_issuer_dn_sha256()

std::vector< uint8_t > Botan::X509_Certificate::raw_issuer_dn_sha256 ( ) const

SHA-256 of Raw issuer DN

Definition at line 621 of file x509cert.cpp.

621 {
622 if(data().m_issuer_dn_bits_sha256.empty()) {
623 throw Encoding_Error("X509_Certificate::raw_issuer_dn_sha256 called but SHA-256 disabled in build");
624 }
625 return data().m_issuer_dn_bits_sha256;
626}

◆ raw_subject_dn()

const std::vector< uint8_t > & Botan::X509_Certificate::raw_subject_dn ( ) const

Raw subject DN

Definition at line 419 of file x509cert.cpp.

419 {
420 return data().m_subject_dn_bits;
421}

Referenced by Botan::OCSP::CertID::CertID().

◆ raw_subject_dn_sha256()

std::vector< uint8_t > Botan::X509_Certificate::raw_subject_dn_sha256 ( ) const

SHA-256 of Raw subject DN

Definition at line 628 of file x509cert.cpp.

628 {
629 if(data().m_subject_dn_bits_sha256.empty()) {
630 throw Encoding_Error("X509_Certificate::raw_subject_dn_sha256 called but SHA-256 disabled in build");
631 }
632 return data().m_subject_dn_bits_sha256;
633}

Referenced by Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store().

◆ serial_number()

const std::vector< uint8_t > & Botan::X509_Certificate::serial_number ( ) const

Get the serial number of this certificate.

Returns
certificates serial number

Definition at line 399 of file x509cert.cpp.

399 {
400 return data().m_serial;
401}

Referenced by Botan::CRL_Entry::CRL_Entry(), Botan::OCSP::CertID::is_id_for(), Botan::X509_CRL::is_revoked(), and to_string().

◆ signature()

const std::vector< uint8_t > & Botan::X509_Object::signature ( ) const
inlineinherited
Returns
signature on tbs_data()

Definition at line 40 of file x509_obj.h.

40{ return m_sig; }

Referenced by encode_into(), make_signed(), Botan::X509_Certificate::operator<(), Botan::X509_Certificate::operator==(), and verify_signature().

◆ signature_algorithm()

const AlgorithmIdentifier & Botan::X509_Object::signature_algorithm ( ) const
inlineinherited
Returns
signature algorithm that was used to generate signature

Definition at line 50 of file x509_obj.h.

50{ return m_sig_algo; }

Referenced by Botan::PKIX::check_chain(), encode_into(), Botan::X509_Certificate::operator==(), Botan::X509_Certificate::to_string(), and verify_signature().

◆ signed_body()

const std::vector< uint8_t > & Botan::X509_Object::signed_body ( ) const
inlineinherited
Returns
signed body

Definition at line 45 of file x509_obj.h.

45{ return m_tbs_bits; }

Referenced by encode_into(), Botan::X509_Certificate::operator<(), and Botan::X509_Certificate::operator==().

◆ subject_alt_name()

const AlternativeName & Botan::X509_Certificate::subject_alt_name ( ) const

Return the subject alternative names (DNS, IP, ...)

Definition at line 558 of file x509cert.cpp.

558 {
559 return data().m_subject_alt_name;
560}

Referenced by Botan::NameConstraints::is_excluded(), Botan::NameConstraints::is_permitted(), Botan::GeneralName::matches(), matches_dns_name(), and subject_info().

◆ subject_dn()

◆ subject_info()

std::vector< std::string > Botan::X509_Certificate::subject_info ( std::string_view name) const

Get a value for a specific subject_info parameter name.

Parameters
namethe name of the parameter to look up. Possible names include "X509.Certificate.version", "X509.Certificate.serial", "X509.Certificate.start", "X509.Certificate.end", "X509.Certificate.v2.key_id", "X509.Certificate.public_key", "X509v3.BasicConstraints.path_constraint", "X509v3.BasicConstraints.is_ca", "X509v3.NameConstraints", "X509v3.ExtendedKeyUsage", "X509v3.CertificatePolicies", "X509v3.SubjectKeyIdentifier", "X509.Certificate.serial", "X520.CommonName", "X520.Organization", "X520.Country", "RFC822" (Email in SAN) or "PKCS9.EmailAddress" (Email in DN).
Returns
value(s) of the specified parameter

Definition at line 595 of file x509cert.cpp.

595 {
596 return get_cert_user_info(req, subject_dn(), subject_alt_name());
597}
const X509_DN & subject_dn() const
Definition x509cert.cpp:411

References subject_alt_name(), and subject_dn().

Referenced by Botan::NameConstraints::is_excluded(), Botan::NameConstraints::is_permitted(), and matches_dns_name().

◆ subject_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_key_id ( ) const

Get the DER encoded SubjectKeyIdentifier of this certificate.

Returns
DER encoded SubjectKeyIdentifier

Definition at line 395 of file x509cert.cpp.

395 {
396 return data().m_subject_key_id;
397}

Referenced by Botan::Certificate_Store::certificate_known(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::Certificate_Store_In_SQL::remove_cert(), and to_string().

◆ subject_public_key()

std::unique_ptr< Public_Key > Botan::X509_Certificate::subject_public_key ( ) const

Create a public key object associated with the public key bits in this certificate. If the public key bits was valid for X.509 encoding purposes but invalid algorithmically (for example, RSA with an even modulus) that will be detected at this point, and an exception will be thrown.

Returns
subject public key of this certificate

Definition at line 609 of file x509cert.cpp.

609 {
610 try {
611 return std::unique_ptr<Public_Key>(X509::load_key(subject_public_key_info()));
612 } catch(std::exception& e) {
613 throw Decoding_Error("X509_Certificate::subject_public_key", e);
614 }
615}
const std::vector< uint8_t > & subject_public_key_info() const
Definition x509cert.cpp:375
std::unique_ptr< Public_Key > load_key(DataSource &source)
Definition x509_key.cpp:28

References Botan::X509::load_key(), and subject_public_key_info().

Referenced by Botan::PKIX::check_chain(), Botan::PKIX::check_crl(), load_subject_public_key(), to_string(), Botan::TLS::Certificate_Verify_12::verify(), and Botan::OCSP::Response::verify_signature().

◆ subject_public_key_algo()

const AlgorithmIdentifier & Botan::X509_Certificate::subject_public_key_algo ( ) const

Return the algorithm identifier of the public key

Definition at line 359 of file x509cert.cpp.

359 {
360 return data().m_subject_public_key_algid;
361}

Referenced by to_string().

◆ subject_public_key_bits()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_bits ( ) const

Get the public key associated with this certificate. This includes the outer AlgorithmIdentifier

Returns
subject public key of this certificate

Definition at line 371 of file x509cert.cpp.

371 {
372 return data().m_subject_public_key_bits;
373}

◆ subject_public_key_bitstring()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_bitstring ( ) const

Get the bit string of the public key associated with this certificate

Returns
public key bits

Definition at line 379 of file x509cert.cpp.

379 {
380 return data().m_subject_public_key_bitstring;
381}

Referenced by Botan::OCSP::CertID::CertID(), Botan::OCSP::CertID::is_id_for(), and to_string().

◆ subject_public_key_bitstring_sha1()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_bitstring_sha1 ( ) const

Get the SHA-1 bit string of the public key associated with this certificate. This is used for OCSP among other protocols. This function will throw if SHA-1 is not available.

Returns
hash of subject public key of this certificate

Definition at line 383 of file x509cert.cpp.

383 {
384 if(data().m_subject_public_key_bitstring_sha1.empty()) {
385 throw Encoding_Error("X509_Certificate::subject_public_key_bitstring_sha1 called but SHA-1 disabled in build");
386 }
387
388 return data().m_subject_public_key_bitstring_sha1;
389}

Referenced by Botan::Flatfile_Certificate_Store::Flatfile_Certificate_Store().

◆ subject_public_key_info()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_info ( ) const

Get the SubjectPublicKeyInfo associated with this certificate.

Returns
subject public key info of this certificate

Definition at line 375 of file x509cert.cpp.

375 {
376 return data().m_subject_public_key_bits_seq;
377}

Referenced by subject_public_key().

◆ tbs_data()

std::vector< uint8_t > Botan::X509_Object::tbs_data ( ) const
inherited

The underlying data that is to be or was signed

Returns
data that is or was signed

Definition at line 90 of file x509_obj.cpp.

90 {
91 return ASN1::put_in_sequence(m_tbs_bits);
92}
std::vector< uint8_t > put_in_sequence(const std::vector< uint8_t > &contents)
Definition asn1_obj.cpp:172

References Botan::ASN1::put_in_sequence().

Referenced by verify_signature().

◆ to_string()

std::string Botan::X509_Certificate::to_string ( ) const
Returns
a free-form string describing the certificate

Definition at line 705 of file x509cert.cpp.

705 {
706 std::ostringstream out;
707
708 out << "Version: " << this->x509_version() << "\n";
709 out << "Subject: " << subject_dn() << "\n";
710 out << "Issuer: " << issuer_dn() << "\n";
711 out << "Issued: " << this->not_before().readable_string() << "\n";
712 out << "Expires: " << this->not_after().readable_string() << "\n";
713
714 try {
715 auto pubkey = this->subject_public_key();
716 out << "Public Key [" << pubkey->algo_name() << "-" << pubkey->key_length() << "]\n\n";
717 out << X509::PEM_encode(*pubkey) << "\n";
718 } catch(const Decoding_Error& ex) {
719 const AlgorithmIdentifier& alg_id = this->subject_public_key_algo();
720 out << "Public Key Invalid!\n"
721 << " OID: " << alg_id.oid().to_formatted_string() << "\n"
722 << " Error: " << ex.what() << "\n"
723 << " Hex: " << hex_encode(this->subject_public_key_bitstring()) << "\n";
724 }
725
726 out << "Constraints:\n";
727 Key_Constraints constraints = this->constraints();
728 if(constraints.empty()) {
729 out << " No key constraints set\n";
730 } else {
732 out << " Digital Signature\n";
733 }
735 out << " Non-Repudiation\n";
736 }
738 out << " Key Encipherment\n";
739 }
741 out << " Data Encipherment\n";
742 }
744 out << " Key Agreement\n";
745 }
747 out << " Cert Sign\n";
748 }
750 out << " CRL Sign\n";
751 }
753 out << " Encipher Only\n";
754 }
756 out << " Decipher Only\n";
757 }
758 }
759
760 const std::vector<OID>& policies = this->certificate_policy_oids();
761 if(!policies.empty()) {
762 out << "Policies: "
763 << "\n";
764 for(const auto& oid : policies) {
765 out << " " << oid.to_string() << "\n";
766 }
767 }
768
769 const std::vector<OID>& ex_constraints = this->extended_key_usage();
770 if(!ex_constraints.empty()) {
771 out << "Extended Constraints:\n";
772 for(auto&& oid : ex_constraints) {
773 out << " " << oid.to_formatted_string() << "\n";
774 }
775 }
776
777 const NameConstraints& name_constraints = this->name_constraints();
778
779 if(!name_constraints.permitted().empty() || !name_constraints.excluded().empty()) {
780 out << "Name Constraints:\n";
781
782 if(!name_constraints.permitted().empty()) {
783 out << " Permit";
784 for(const auto& st : name_constraints.permitted()) {
785 out << " " << st.base();
786 }
787 out << "\n";
788 }
789
790 if(!name_constraints.excluded().empty()) {
791 out << " Exclude";
792 for(const auto& st : name_constraints.excluded()) {
793 out << " " << st.base();
794 }
795 out << "\n";
796 }
797 }
798
799 if(!ocsp_responder().empty()) {
800 out << "OCSP responder " << ocsp_responder() << "\n";
801 }
802
803 const std::vector<std::string> ca_issuers = this->ca_issuers();
804 if(!ca_issuers.empty()) {
805 out << "CA Issuers:\n";
806 for(const auto& ca_issuer : ca_issuers) {
807 out << " URI: " << ca_issuer << "\n";
808 }
809 }
810
811 for(const auto& cdp : crl_distribution_points()) {
812 out << "CRL " << cdp << "\n";
813 }
814
815 out << "Signature algorithm: " << this->signature_algorithm().oid().to_formatted_string() << "\n";
816
817 out << "Serial number: " << hex_encode(this->serial_number()) << "\n";
818
819 if(!this->authority_key_id().empty()) {
820 out << "Authority keyid: " << hex_encode(this->authority_key_id()) << "\n";
821 }
822
823 if(!this->subject_key_id().empty()) {
824 out << "Subject keyid: " << hex_encode(this->subject_key_id()) << "\n";
825 }
826
827 if(this->is_self_signed()) {
828 out << "Certificate is self signed\n";
829 }
830
831 return out.str();
832}
std::string readable_string() const
Returns a human friendly string replesentation of no particular formatting.
Definition asn1_time.cpp:98
const OID & oid() const
Definition asn1_obj.h:479
std::string to_formatted_string() const
Definition asn1_oid.cpp:139
const NameConstraints & name_constraints() const
Definition x509cert.cpp:455
const std::vector< uint8_t > & serial_number() const
Definition x509cert.cpp:399
const X509_Time & not_after() const
Definition x509cert.cpp:355
const std::vector< uint8_t > & authority_key_id() const
Definition x509cert.cpp:391
const std::vector< uint8_t > & subject_key_id() const
Definition x509cert.cpp:395
std::vector< std::string > crl_distribution_points() const
Definition x509cert.cpp:546
std::string ocsp_responder() const
Definition x509cert.cpp:538
uint32_t x509_version() const
Definition x509cert.cpp:343
const std::vector< OID > & certificate_policy_oids() const
Definition x509cert.cpp:451
bool is_self_signed() const
Definition x509cert.cpp:347
const AlgorithmIdentifier & subject_public_key_algo() const
Definition x509cert.cpp:359
std::vector< std::string > ca_issuers() const
Definition x509cert.cpp:542
const std::vector< uint8_t > & subject_public_key_bitstring() const
Definition x509cert.cpp:379
const X509_Time & not_before() const
Definition x509cert.cpp:351
std::string PEM_encode(const Public_Key &key)
Definition x509_key.cpp:21
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
Definition hex.cpp:35

References authority_key_id(), ca_issuers(), certificate_policy_oids(), constraints(), crl_distribution_points(), Botan::Key_Constraints::CrlSign, Botan::Key_Constraints::DataEncipherment, Botan::Key_Constraints::DecipherOnly, Botan::Key_Constraints::DigitalSignature, Botan::Key_Constraints::empty(), Botan::Key_Constraints::EncipherOnly, extended_key_usage(), Botan::hex_encode(), is_self_signed(), issuer_dn(), Botan::Key_Constraints::KeyAgreement, Botan::Key_Constraints::KeyCertSign, Botan::Key_Constraints::KeyEncipherment, name_constraints(), Botan::Key_Constraints::NonRepudiation, not_after(), not_before(), ocsp_responder(), Botan::AlgorithmIdentifier::oid(), Botan::X509::PEM_encode(), Botan::NameConstraints::permitted(), Botan::ASN1_Time::readable_string(), serial_number(), Botan::X509_Object::signature_algorithm(), subject_dn(), subject_key_id(), subject_public_key(), subject_public_key_algo(), subject_public_key_bitstring(), Botan::OID::to_formatted_string(), Botan::Exception::what(), and x509_version().

◆ v2_issuer_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::v2_issuer_key_id ( ) const

Return the v2 issuer key ID. v2 key IDs are almost never used, instead see v3_subject_key_id.

Definition at line 363 of file x509cert.cpp.

363 {
364 return data().m_v2_issuer_key_id;
365}

Referenced by Botan::PKIX::check_chain().

◆ v2_subject_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::v2_subject_key_id ( ) const

Return the v2 subject key ID. v2 key IDs are almost never used, instead see v3_subject_key_id.

Definition at line 367 of file x509cert.cpp.

367 {
368 return data().m_v2_subject_key_id;
369}

Referenced by Botan::PKIX::check_chain().

◆ v3_extensions()

const Extensions & Botan::X509_Certificate::v3_extensions ( ) const

Get all extensions of this certificate.

Returns
certificate extensions

Definition at line 459 of file x509cert.cpp.

459 {
460 return data().m_v3_extensions;
461}

Referenced by Botan::PKIX::check_chain(), and is_critical().

◆ verify_signature()

std::pair< Certificate_Status_Code, std::string > Botan::X509_Object::verify_signature ( const Public_Key & key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data
Returns
status of the signature - OK if verified or otherwise an indicator of the problem preventing verification, along with the hash function that was used, for further policy checks. The second parameter is empty unless the validation was sucessful.

Definition at line 102 of file x509_obj.cpp.

102 {
103 try {
104 PK_Verifier verifier(pub_key, signature_algorithm());
105 const bool valid = verifier.verify_message(tbs_data(), signature());
106
107 if(valid) {
108 return std::make_pair(Certificate_Status_Code::VERIFIED, verifier.hash_function());
109 } else {
110 return std::make_pair(Certificate_Status_Code::SIGNATURE_ERROR, "");
111 }
112 } catch(Decoding_Error&) {
114 } catch(Algorithm_Not_Found&) {
115 return std::make_pair(Certificate_Status_Code::SIGNATURE_ALGO_UNKNOWN, "");
116 } catch(...) {
117 // This shouldn't happen, fallback to generic signature error
118 return std::make_pair(Certificate_Status_Code::SIGNATURE_ERROR, "");
119 }
120}
std::vector< uint8_t > tbs_data() const
Definition x509_obj.cpp:90

References Botan::PK_Verifier::hash_function(), signature(), Botan::SIGNATURE_ALGO_BAD_PARAMS, Botan::SIGNATURE_ALGO_UNKNOWN, signature_algorithm(), Botan::SIGNATURE_ERROR, tbs_data(), Botan::VERIFIED, and Botan::PK_Verifier::verify_message().

Referenced by Botan::PKIX::check_chain(), and check_signature().

◆ x509_version()

uint32_t Botan::X509_Certificate::x509_version ( ) const

Get the X509 version of this certificate object.

Returns
X509 version

Definition at line 343 of file x509cert.cpp.

343 {
344 return static_cast<uint32_t>(data().m_version);
345}

Referenced by Botan::PKIX::check_chain(), and to_string().


The documentation for this class was generated from the following files: