Botan 3.12.0
Crypto and TLS for C&
Public Member Functions | List of all members
Botan::X509_Certificate_Cache Class Referencefinal

#include <x509_cert_cache.h>

Public Member Functions

X509_Certificate find_or_insert (std::span< const uint8_t > encoding)
 X509_Certificate_Cache (size_t max_entries=64)

Detailed Description

A cache for X.509 certificates

This is primarily useful for system certificate stores (Windows, macOS) where repeated lookups via native APIs return raw DER bytes that must be parsed each time. The cache deduplicates these by keying on the SHA-256 hash of the DER encoding.

Definition at line 30 of file x509_cert_cache.h.

Constructor & Destructor Documentation

◆ X509_Certificate_Cache()

Botan::X509_Certificate_Cache::X509_Certificate_Cache ( size_t max_entries = 64)
explicit
Parameters
max_entriesmaximum number of certificates to cache. When the cache is full, an entry is evicted to make room. If 0, caching is disabled entirely.

Definition at line 13 of file x509_cert_cache.cpp.

13: m_max_entries(max_entries) {}

Member Function Documentation

◆ find_or_insert()

X509_Certificate Botan::X509_Certificate_Cache::find_or_insert ( std::span< const uint8_t > encoding)

Look up a certificate by its DER encoding, or parse and cache it.

If a certificate with the same DER encoding (by SHA-256 hash) is already in the cache, returns a (cheap, shared_ptr-backed) copy. Otherwise, parses the DER encoding into an X509_Certificate, inserts it into the cache, and returns it.

If the cache was constructed with max_entries == 0, always parses and never caches.

Parameters
encodingDER-encoded certificate
Returns
the cached or newly parsed certificate
Exceptions
Decoding_Errorif the encoding is not a valid certificate

Definition at line 15 of file x509_cert_cache.cpp.

15 {
16 if(m_max_entries == 0) {
17 return X509_Certificate(encoding);
18 }
19
20 // Hash the DER
21 auto sha256 = HashFunction::create_or_throw("SHA-256");
22 DER_Hash hash;
23 sha256->update(encoding);
24 sha256->final(hash.m_hash);
25
26 // Check for a cache hit
27 {
28 const lock_guard_type<mutex_type> lock(m_mutex);
29 if(auto it = m_cache.find(hash); it != m_cache.end()) {
30 return it->second;
31 }
32 }
33
34 // Deserialize the certificate
35 X509_Certificate cert(encoding);
36
37 // Lock again
38 const lock_guard_type<mutex_type> lock(m_mutex);
39
40 // Check for a cache hit (possibly racing with another thread)
41 if(auto it = m_cache.find(hash); it != m_cache.end()) {
42 return it->second;
43 }
44
45 // Evict if required
46 //
47 // Effectively this is just a random drop, might make sense to add LRU here
48 while(m_cache.size() >= m_max_entries) {
49 m_cache.erase(m_cache.begin());
50 }
51
52 // Add the newly deserialized cert to the cache
53 auto it = m_cache.emplace(hash, std::move(cert)).first;
54 return it->second;
55}
Botan::HashFunction::create_or_throw
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:308
Botan::lock
secure_vector< T > lock(const std::vector< T > &in)
Definition secmem.h:80
Botan::lock_guard_type
lock_guard< T > lock_guard_type
Definition mutex.h:55

References Botan::HashFunction::create_or_throw(), and Botan::lock().

The documentation for this class was generated from the following files:
Generated by doxygen 1.16.1