Botan  2.8.0
Crypto and TLS for C++11
ffi_cert.cpp
Go to the documentation of this file.
1 /*
2 * (C) 2015,2017,2018 Jack Lloyd
3 *
4 * Botan is released under the Simplified BSD License (see license.txt)
5 */
6 
7 #include <botan/ffi.h>
8 #include <botan/internal/ffi_util.h>
9 #include <botan/internal/ffi_pkey.h>
10 
11 #if defined(BOTAN_HAS_X509_CERTIFICATES)
12  #include <botan/x509cert.h>
13  #include <botan/x509path.h>
14  #include <botan/data_src.h>
15 #endif
16 
17 extern "C" {
18 
19 using namespace Botan_FFI;
20 
21 #if defined(BOTAN_HAS_X509_CERTIFICATES)
22 
23 BOTAN_FFI_DECLARE_STRUCT(botan_x509_cert_struct, Botan::X509_Certificate, 0x8F628937);
24 
25 #endif
26 
27 int botan_x509_cert_load_file(botan_x509_cert_t* cert_obj, const char* cert_path)
28  {
29  if(!cert_obj || !cert_path)
31 
32 #if defined(BOTAN_HAS_X509_CERTIFICATES) && defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
33 
34  return ffi_guard_thunk(BOTAN_CURRENT_FUNCTION, [=]() -> int {
35  std::unique_ptr<Botan::X509_Certificate> c(new Botan::X509_Certificate(cert_path));
36  *cert_obj = new botan_x509_cert_struct(c.release());
37  return BOTAN_FFI_SUCCESS;
38  });
39 
40 #else
42 #endif
43  }
44 
46  {
47  if(!cert_obj)
49 
50 #if defined(BOTAN_HAS_X509_CERTIFICATES) && defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
51 
52  return ffi_guard_thunk(BOTAN_CURRENT_FUNCTION, [=]() -> int {
53  std::unique_ptr<Botan::X509_Certificate> c(new Botan::X509_Certificate(safe_get(cert)));
54  *cert_obj = new botan_x509_cert_struct(c.release());
55  return BOTAN_FFI_SUCCESS;
56  });
57 
58 #else
59  BOTAN_UNUSED(cert);
61 #endif
62  }
63 
64 int botan_x509_cert_load(botan_x509_cert_t* cert_obj, const uint8_t cert_bits[], size_t cert_bits_len)
65  {
66  if(!cert_obj || !cert_bits)
68 
69 #if defined(BOTAN_HAS_X509_CERTIFICATES)
70  return ffi_guard_thunk(BOTAN_CURRENT_FUNCTION, [=]() -> int {
71  Botan::DataSource_Memory bits(cert_bits, cert_bits_len);
72  std::unique_ptr<Botan::X509_Certificate> c(new Botan::X509_Certificate(bits));
73  *cert_obj = new botan_x509_cert_struct(c.release());
74  return BOTAN_FFI_SUCCESS;
75  });
76 #else
77  BOTAN_UNUSED(cert_bits_len);
79 #endif
80  }
81 
83  {
84  if(key == nullptr)
86 
87  *key = nullptr;
88 
89 #if defined(BOTAN_HAS_X509_CERTIFICATES)
90  return ffi_guard_thunk(BOTAN_CURRENT_FUNCTION, [=]() -> int {
91  std::unique_ptr<Botan::Public_Key> publicKey = safe_get(cert).load_subject_public_key();
92  *key = new botan_pubkey_struct(publicKey.release());
93  return BOTAN_FFI_SUCCESS;
94  });
95 #else
96  BOTAN_UNUSED(cert);
98 #endif
99  }
100 
102  const char* key, size_t index,
103  uint8_t out[], size_t* out_len)
104  {
105 #if defined(BOTAN_HAS_X509_CERTIFICATES)
106  return BOTAN_FFI_DO(Botan::X509_Certificate, cert, c, { return write_str_output(out, out_len, c.issuer_info(key).at(index)); });
107 #else
108  BOTAN_UNUSED(cert, key, index, out, out_len);
110 #endif
111  }
112 
114  const char* key, size_t index,
115  uint8_t out[], size_t* out_len)
116  {
117 #if defined(BOTAN_HAS_X509_CERTIFICATES)
118  return BOTAN_FFI_DO(Botan::X509_Certificate, cert, c, { return write_str_output(out, out_len, c.subject_info(key).at(index)); });
119 #else
120  BOTAN_UNUSED(cert, key, index, out, out_len);
122 #endif
123  }
124 
125 int botan_x509_cert_to_string(botan_x509_cert_t cert, char out[], size_t* out_len)
126  {
127 #if defined(BOTAN_HAS_X509_CERTIFICATES)
128  return BOTAN_FFI_DO(Botan::X509_Certificate, cert, c, { return write_str_output(out, out_len, c.to_string()); });
129 #else
130  BOTAN_UNUSED(cert, out, out_len);
132 #endif
133  }
134 
135 int botan_x509_cert_allowed_usage(botan_x509_cert_t cert, unsigned int key_usage)
136  {
137 #if defined(BOTAN_HAS_X509_CERTIFICATES)
138  return BOTAN_FFI_DO(Botan::X509_Certificate, cert, c, {
139  const Botan::Key_Constraints k = static_cast<Botan::Key_Constraints>(key_usage);
140  if(c.allowed_usage(k))
141  return BOTAN_FFI_SUCCESS;
142  return 1;
143  });
144 #else
145  BOTAN_UNUSED(cert, key_usage);
147 #endif
148  }
149 
151  {
152 #if defined(BOTAN_HAS_X509_CERTIFICATES)
153  return BOTAN_FFI_CHECKED_DELETE(cert);
154 #else
155  BOTAN_UNUSED(cert);
157 #endif
158  }
159 
160 int botan_x509_cert_get_time_starts(botan_x509_cert_t cert, char out[], size_t* out_len)
161  {
162 #if defined(BOTAN_HAS_X509_CERTIFICATES)
163  return BOTAN_FFI_DO(Botan::X509_Certificate, cert, c, { return write_str_output(out, out_len, c.not_before().to_string()); });
164 #else
165  BOTAN_UNUSED(cert, out, out_len);
167 #endif
168  }
169 
170 int botan_x509_cert_get_time_expires(botan_x509_cert_t cert, char out[], size_t* out_len)
171  {
172 #if defined(BOTAN_HAS_X509_CERTIFICATES)
173  return BOTAN_FFI_DO(Botan::X509_Certificate, cert, c, { return write_str_output(out, out_len, c.not_after().to_string()); });
174 #else
175  BOTAN_UNUSED(cert, out, out_len);
177 #endif
178  }
179 
180 int botan_x509_cert_not_before(botan_x509_cert_t cert, uint64_t* time_since_epoch)
181  {
182 #if defined(BOTAN_HAS_X509_CERTIFICATES)
183  return BOTAN_FFI_DO(Botan::X509_Certificate, cert, c, {
184  *time_since_epoch = c.not_before().time_since_epoch();
185  });
186 #else
187  BOTAN_UNUSED(cert, time_since_epoch);
189 #endif
190  }
191 
192 int botan_x509_cert_not_after(botan_x509_cert_t cert, uint64_t* time_since_epoch)
193  {
194 #if defined(BOTAN_HAS_X509_CERTIFICATES)
195  return BOTAN_FFI_DO(Botan::X509_Certificate, cert, c, {
196  *time_since_epoch = c.not_after().time_since_epoch();
197  });
198 #else
199  BOTAN_UNUSED(cert, time_since_epoch);
201 #endif
202  }
203 
204 int botan_x509_cert_get_serial_number(botan_x509_cert_t cert, uint8_t out[], size_t* out_len)
205  {
206 #if defined(BOTAN_HAS_X509_CERTIFICATES)
207  return BOTAN_FFI_DO(Botan::X509_Certificate, cert, c, { return write_vec_output(out, out_len, c.serial_number()); });
208 #else
209  BOTAN_UNUSED(cert, out, out_len);
211 #endif
212  }
213 
214 int botan_x509_cert_get_fingerprint(botan_x509_cert_t cert, const char* hash, uint8_t out[], size_t* out_len)
215  {
216 #if defined(BOTAN_HAS_X509_CERTIFICATES)
217  return BOTAN_FFI_DO(Botan::X509_Certificate, cert, c, { return write_str_output(out, out_len, c.fingerprint(hash)); });
218 #else
219  BOTAN_UNUSED(cert, hash, out, out_len);
221 #endif
222  }
223 
224 int botan_x509_cert_get_authority_key_id(botan_x509_cert_t cert, uint8_t out[], size_t* out_len)
225  {
226 #if defined(BOTAN_HAS_X509_CERTIFICATES)
227  return BOTAN_FFI_DO(Botan::X509_Certificate, cert, c, { return write_vec_output(out, out_len, c.authority_key_id()); });
228 #else
229  BOTAN_UNUSED(cert, out, out_len);
231 #endif
232  }
233 
234 int botan_x509_cert_get_subject_key_id(botan_x509_cert_t cert, uint8_t out[], size_t* out_len)
235  {
236 #if defined(BOTAN_HAS_X509_CERTIFICATES)
237  return BOTAN_FFI_DO(Botan::X509_Certificate, cert, c, { return write_vec_output(out, out_len, c.subject_key_id()); });
238 #else
239  BOTAN_UNUSED(cert, out, out_len);
241 #endif
242  }
243 
244 int botan_x509_cert_get_public_key_bits(botan_x509_cert_t cert, uint8_t out[], size_t* out_len)
245  {
246 #if defined(BOTAN_HAS_X509_CERTIFICATES)
247  return BOTAN_FFI_DO(Botan::X509_Certificate, cert, c, { return write_vec_output(out, out_len, c.subject_public_key_bits()); });
248 #else
249  BOTAN_UNUSED(cert, out, out_len);
251 #endif
252  }
253 
254 int botan_x509_cert_hostname_match(botan_x509_cert_t cert, const char* hostname)
255  {
256  if(hostname == nullptr)
258 
259 #if defined(BOTAN_HAS_X509_CERTIFICATES)
260  return BOTAN_FFI_DO(Botan::X509_Certificate, cert, c,
261  { return c.matches_dns_name(hostname) ? 0 : -1; });
262 #else
263  BOTAN_UNUSED(cert);
265 #endif
266  }
267 
268 int botan_x509_cert_verify(int* result_code,
269  botan_x509_cert_t cert,
270  const botan_x509_cert_t* intermediates,
271  size_t intermediates_len,
272  const botan_x509_cert_t* trusted,
273  size_t trusted_len,
274  const char* trusted_path,
275  size_t required_strength,
276  const char* hostname_cstr,
277  uint64_t reference_time)
278  {
279  if(required_strength == 0)
280  required_strength = 110;
281 
282 #if defined(BOTAN_HAS_X509_CERTIFICATES)
283  return ffi_guard_thunk(BOTAN_CURRENT_FUNCTION, [=]() -> int {
284  const std::string hostname((hostname_cstr == nullptr) ? "" : hostname_cstr);
286  const auto validation_time = reference_time == 0 ?
287  std::chrono::system_clock::now() :
288  std::chrono::system_clock::from_time_t(static_cast<time_t>(reference_time));
289 
290  std::vector<Botan::X509_Certificate> end_certs;
291  end_certs.push_back(safe_get(cert));
292  for(size_t i = 0; i != intermediates_len; ++i)
293  end_certs.push_back(safe_get(intermediates[i]));
294 
295  std::unique_ptr<Botan::Certificate_Store> trusted_from_path;
296  std::unique_ptr<Botan::Certificate_Store_In_Memory> trusted_extra;
297  std::vector<Botan::Certificate_Store*> trusted_roots;
298 
299  if(trusted_path && *trusted_path)
300  {
301  trusted_from_path.reset(new Botan::Certificate_Store_In_Memory(trusted_path));
302  trusted_roots.push_back(trusted_from_path.get());
303  }
304 
305  if(trusted_len > 0)
306  {
307  trusted_extra.reset(new Botan::Certificate_Store_In_Memory);
308  for(size_t i = 0; i != trusted_len; ++i)
309  {
310  trusted_extra->add_certificate(safe_get(trusted[i]));
311  }
312  trusted_roots.push_back(trusted_extra.get());
313  }
314 
315  Botan::Path_Validation_Restrictions restrictions(false, required_strength);
316 
317  auto validation_result = Botan::x509_path_validate(end_certs,
318  restrictions,
319  trusted_roots,
320  hostname,
321  usage,
322  validation_time);
323 
324  if(result_code)
325  *result_code = static_cast<int>(validation_result.result());
326 
327  if(validation_result.successful_validation())
328  return 0;
329  else
330  return 1;
331  });
332 #else
333  BOTAN_UNUSED(result_code, cert, intermediates, intermediates_len, trusted);
334  BOTAN_UNUSED(trusted_len, trusted_path, hostname_cstr, reference_time);
336 #endif
337  }
338 
340  {
341  if(code < 0)
342  return nullptr;
343 
344 #if defined(BOTAN_HAS_X509_CERTIFICATES)
346  return Botan::to_string(sc);
347 #else
348  return nullptr;
349 #endif
350  }
351 
352 }
int ffi_guard_thunk(const char *func_name, std::function< int()> thunk)
Definition: ffi.cpp:28
int botan_x509_cert_destroy(botan_x509_cert_t cert)
Definition: ffi_cert.cpp:150
int botan_x509_cert_load(botan_x509_cert_t *cert_obj, const uint8_t cert_bits[], size_t cert_bits_len)
Definition: ffi_cert.cpp:64
int botan_x509_cert_not_before(botan_x509_cert_t cert, uint64_t *time_since_epoch)
Definition: ffi_cert.cpp:180
int botan_x509_cert_get_authority_key_id(botan_x509_cert_t cert, uint8_t out[], size_t *out_len)
Definition: ffi_cert.cpp:224
int botan_x509_cert_get_time_starts(botan_x509_cert_t cert, char out[], size_t *out_len)
Definition: ffi_cert.cpp:160
int botan_x509_cert_get_public_key_bits(botan_x509_cert_t cert, uint8_t out[], size_t *out_len)
Definition: ffi_cert.cpp:244
int write_vec_output(uint8_t out[], size_t *out_len, const std::vector< uint8_t, Alloc > &buf)
Definition: ffi_util.h:140
bool matches_dns_name(const std::string &name) const
Definition: x509cert.cpp:710
int botan_x509_cert_dup(botan_x509_cert_t *cert_obj, botan_x509_cert_t cert)
Definition: ffi_cert.cpp:45
int write_str_output(uint8_t out[], size_t *out_len, const std::string &str)
Definition: ffi_util.h:145
int botan_x509_cert_get_public_key(botan_x509_cert_t cert, botan_pubkey_t *key)
Definition: ffi_cert.cpp:82
int botan_x509_cert_get_subject_key_id(botan_x509_cert_t cert, uint8_t out[], size_t *out_len)
Definition: ffi_cert.cpp:234
const X509_Time & not_after() const
Definition: x509cert.cpp:359
struct botan_x509_cert_struct * botan_x509_cert_t
Definition: ffi.h:1423
int botan_x509_cert_load_file(botan_x509_cert_t *cert_obj, const char *cert_path)
Definition: ffi_cert.cpp:27
int botan_x509_cert_get_serial_number(botan_x509_cert_t cert, uint8_t out[], size_t *out_len)
Definition: ffi_cert.cpp:204
#define BOTAN_FFI_CHECKED_DELETE(o)
Definition: ffi_util.h:114
Path_Validation_Result x509_path_validate(const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store *> &trusted_roots, const std::string &hostname, Usage_Type usage, std::chrono::system_clock::time_point ref_time, std::chrono::milliseconds ocsp_timeout, const std::vector< std::shared_ptr< const OCSP::Response >> &ocsp_resp)
Definition: x509path.cpp:830
#define BOTAN_UNUSED(...)
Definition: assert.h:142
int botan_x509_cert_get_fingerprint(botan_x509_cert_t cert, const char *hash, uint8_t out[], size_t *out_len)
Definition: ffi_cert.cpp:214
int botan_x509_cert_verify(int *result_code, botan_x509_cert_t cert, const botan_x509_cert_t *intermediates, size_t intermediates_len, const botan_x509_cert_t *trusted, size_t trusted_len, const char *trusted_path, size_t required_strength, const char *hostname_cstr, uint64_t reference_time)
Definition: ffi_cert.cpp:268
T & safe_get(botan_struct< T, M > *p)
Definition: ffi_util.h:59
int botan_x509_cert_get_subject_dn(botan_x509_cert_t cert, const char *key, size_t index, uint8_t out[], size_t *out_len)
Definition: ffi_cert.cpp:113
std::string to_string(const secure_vector< uint8_t > &bytes)
Definition: stl_util.h:25
const X509_Time & not_before() const
Definition: x509cert.cpp:354
#define BOTAN_CURRENT_FUNCTION
Definition: compiler.h:143
uint64_t time_since_epoch() const
Return time since epoch.
Definition: asn1_time.cpp:265
#define BOTAN_FFI_DECLARE_STRUCT(NAME, TYPE, MAGIC)
Definition: ffi_util.h:51
int botan_x509_cert_not_after(botan_x509_cert_t cert, uint64_t *time_since_epoch)
Definition: ffi_cert.cpp:192
int botan_x509_cert_allowed_usage(botan_x509_cert_t cert, unsigned int key_usage)
Definition: ffi_cert.cpp:135
int botan_x509_cert_to_string(botan_x509_cert_t cert, char out[], size_t *out_len)
Definition: ffi_cert.cpp:125
Certificate_Status_Code
Definition: cert_status.h:19
struct botan_pubkey_struct * botan_pubkey_t
Definition: ffi.h:1049
int botan_x509_cert_hostname_match(botan_x509_cert_t cert, const char *hostname)
Definition: ffi_cert.cpp:254
#define BOTAN_FFI_DO(T, obj, param, block)
Definition: ffi_util.h:86
MechanismType hash
int botan_x509_cert_get_time_expires(botan_x509_cert_t cert, char out[], size_t *out_len)
Definition: ffi_cert.cpp:170
Usage_Type
Definition: x509cert.h:25
const char * botan_x509_cert_validation_status(int code)
Definition: ffi_cert.cpp:339
int botan_x509_cert_get_issuer_dn(botan_x509_cert_t cert, const char *key, size_t index, uint8_t out[], size_t *out_len)
Definition: ffi_cert.cpp:101