9#include <botan/x509cert.h>
11#include <botan/ber_dec.h>
12#include <botan/bigint.h>
13#include <botan/hash.h>
15#include <botan/pk_keys.h>
16#include <botan/x509_ext.h>
17#include <botan/x509_key.h>
18#include <botan/internal/parsing.h>
24struct X509_Certificate_Data {
25 std::vector<uint8_t> m_serial;
26 AlgorithmIdentifier m_sig_algo_inner;
29 std::vector<uint8_t> m_issuer_dn_bits;
30 std::vector<uint8_t> m_subject_dn_bits;
33 std::vector<uint8_t> m_subject_public_key_bits;
34 std::vector<uint8_t> m_subject_public_key_bits_seq;
35 std::vector<uint8_t> m_subject_public_key_bitstring;
36 std::vector<uint8_t> m_subject_public_key_bitstring_sha1;
37 AlgorithmIdentifier m_subject_public_key_algid;
39 std::vector<uint8_t> m_v2_issuer_key_id;
40 std::vector<uint8_t> m_v2_subject_key_id;
41 Extensions m_v3_extensions;
43 std::vector<OID> m_extended_key_usage;
44 std::vector<uint8_t> m_authority_key_id;
45 std::vector<uint8_t> m_subject_key_id;
46 std::vector<OID> m_cert_policies;
48 std::vector<std::string> m_crl_distribution_points;
49 std::string m_ocsp_responder;
50 std::vector<std::string> m_ca_issuers;
52 std::vector<uint8_t> m_issuer_dn_bits_sha256;
53 std::vector<uint8_t> m_subject_dn_bits_sha256;
55 std::string m_fingerprint_sha1;
56 std::string m_fingerprint_sha256;
58 AlternativeName m_subject_alt_name;
59 AlternativeName m_issuer_alt_name;
60 NameConstraints m_name_constraints;
63 size_t m_path_len_constraint = 0;
64 Key_Constraints m_key_constraints;
65 bool m_self_signed =
false;
66 bool m_is_ca_certificate =
false;
67 bool m_serial_negative =
false;
70std::string X509_Certificate::PEM_label()
const {
74std::vector<std::string> X509_Certificate::alternate_PEM_labels()
const {
75 return {
"X509 CERTIFICATE"};
92#if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
101std::unique_ptr<X509_Certificate_Data> parse_x509_cert_body(
const X509_Object& obj) {
102 auto data = std::make_unique<X509_Certificate_Data>();
105 BER_Object public_key;
106 BER_Object v3_exts_data;
108 BER_Decoder(obj.signed_body())
111 .decode(data->m_sig_algo_inner)
112 .decode(data->m_issuer_dn)
114 .decode(data->m_not_before)
115 .decode(data->m_not_after)
117 .decode(data->m_subject_dn)
118 .get_next(public_key)
121 .get_next(v3_exts_data)
122 .verify_end(
"TBSCertificate has extra data after extensions block");
124 if(data->m_version > 2) {
125 throw Decoding_Error(
"Unknown X.509 cert version " + std::to_string(data->m_version));
127 if(obj.signature_algorithm() != data->m_sig_algo_inner) {
128 throw Decoding_Error(
"X.509 Certificate had differing algorithm identifers in inner and outer ID fields");
134 data->m_serial_negative = serial_bn.is_negative();
137 data->m_version += 1;
143 data->m_subject_public_key_bits.assign(public_key.bits(), public_key.bits() + public_key.length());
147 BER_Decoder(data->m_subject_public_key_bits)
148 .decode(data->m_subject_public_key_algid)
153 BER_Decoder(v3_exts_data).decode(data->m_v3_extensions).verify_end();
154 }
else if(v3_exts_data.is_set()) {
155 throw BER_Bad_Tag(
"Unknown tag in X.509 cert", v3_exts_data.tagging());
159 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Key_Usage>()) {
160 data->m_key_constraints = ext->get_constraints();
165 if(data->m_key_constraints.empty()) {
166 throw Decoding_Error(
"Certificate has invalid encoding for KeyUsage");
170 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Subject_Key_ID>()) {
171 data->m_subject_key_id = ext->get_key_id();
174 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Authority_Key_ID>()) {
175 data->m_authority_key_id = ext->get_key_id();
178 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Name_Constraints>()) {
179 data->m_name_constraints = ext->get_name_constraints();
182 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Basic_Constraints>()) {
183 if(ext->get_is_ca() ==
true) {
192 data->m_is_ca_certificate =
true;
193 data->m_path_len_constraint = ext->get_path_limit();
198 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Issuer_Alternative_Name>()) {
199 data->m_issuer_alt_name = ext->get_alt_name();
202 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Subject_Alternative_Name>()) {
203 data->m_subject_alt_name = ext->get_alt_name();
206 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Extended_Key_Usage>()) {
207 data->m_extended_key_usage = ext->object_identifiers();
210 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Certificate_Policies>()) {
211 data->m_cert_policies = ext->get_policy_oids();
214 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Authority_Information_Access>()) {
215 data->m_ocsp_responder = ext->ocsp_responder();
216 data->m_ca_issuers = ext->ca_issuers();
219 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::CRL_Distribution_Points>()) {
220 data->m_crl_distribution_points = ext->crl_distribution_urls();
224 if(data->m_subject_dn == data->m_issuer_dn) {
225 if(data->m_subject_key_id.empty() ==
false && data->m_authority_key_id.empty() ==
false) {
226 data->m_self_signed = (data->m_subject_key_id == data->m_authority_key_id);
233 data->m_self_signed =
true;
236 auto pub_key =
X509::load_key(data->m_subject_public_key_bits_seq);
238 const auto sig_status = obj.verify_signature(*pub_key);
242 data->m_self_signed =
true;
244 data->m_self_signed =
false;
252 const std::vector<uint8_t> full_encoding = obj.BER_encode();
256 sha1->update(data->m_subject_public_key_bitstring);
257 data->m_subject_public_key_bitstring_sha1 = sha1->final_stdvec();
265 sha256->update(data->m_issuer_dn_bits);
266 data->m_issuer_dn_bits_sha256 = sha256->final_stdvec();
268 sha256->update(data->m_subject_dn_bits);
269 data->m_subject_dn_bits_sha256 = sha256->final_stdvec();
282void X509_Certificate::force_decode() {
284 m_data = parse_x509_cert_body(*
this);
287const X509_Certificate_Data& X509_Certificate::data()
const {
288 if(m_data ==
nullptr) {
289 throw Invalid_State(
"X509_Certificate uninitialized");
295 return static_cast<uint32_t
>(data().m_version);
299 return data().m_self_signed;
303 return data().m_not_before;
307 return data().m_not_after;
311 return data().m_subject_public_key_algid;
315 return data().m_v2_issuer_key_id;
319 return data().m_v2_subject_key_id;
323 return data().m_subject_public_key_bits;
327 return data().m_subject_public_key_bits_seq;
331 return data().m_subject_public_key_bitstring;
335 if(data().m_subject_public_key_bitstring_sha1.empty()) {
336 throw Encoding_Error(
"X509_Certificate::subject_public_key_bitstring_sha1 called but SHA-1 disabled in build");
339 return data().m_subject_public_key_bitstring_sha1;
343 return data().m_authority_key_id;
347 return data().m_subject_key_id;
351 return data().m_serial;
355 return data().m_serial_negative;
359 return data().m_issuer_dn;
363 return data().m_subject_dn;
367 return data().m_issuer_dn_bits;
371 return data().m_subject_dn_bits;
375 if(data().m_version < 3 && data().m_self_signed) {
379 return data().m_is_ca_certificate;
383 if(data().m_version < 3 && data().m_self_signed) {
387 return static_cast<uint32_t
>(data().m_path_len_constraint);
391 return data().m_key_constraints;
395 return data().m_extended_key_usage;
399 return data().m_cert_policies;
403 return data().m_name_constraints;
407 return data().m_v3_extensions;
432 if(std::find(ex.begin(), ex.end(), usage) != ex.end()) {
475 return (std::find(ex.begin(), ex.end(), usage) != ex.end());
486 return data().m_ocsp_responder;
490 return data().m_ca_issuers;
495 if(!data().m_crl_distribution_points.empty()) {
496 return data().m_crl_distribution_points[0];
502 return data().m_subject_alt_name;
506 return data().m_issuer_alt_name;
549 }
catch(std::exception& e) {
559 if(data().m_issuer_dn_bits_sha256.empty()) {
560 throw Encoding_Error(
"X509_Certificate::raw_issuer_dn_sha256 called but SHA-256 disabled in build");
562 return data().m_issuer_dn_bits_sha256;
566 if(data().m_subject_dn_bits_sha256.empty()) {
567 throw Encoding_Error(
"X509_Certificate::raw_subject_dn_sha256 called but SHA-256 disabled in build");
569 return data().m_subject_dn_bits_sha256;
582 if(hash_name ==
"SHA-256" && !data().m_fingerprint_sha256.empty()) {
583 return data().m_fingerprint_sha256;
584 }
else if(hash_name ==
"SHA-1" && !data().m_fingerprint_sha1.empty()) {
585 return data().m_fingerprint_sha1;
599 if(issued_names.empty()) {
603 for(
const auto& issued_name : issued_names) {
634 return !(cert1 == cert2);
638 std::ostringstream out;
642 out <<
"Issuer: " <<
issuer_dn() <<
"\n";
646 out <<
"Constraints:\n";
648 if(constraints.
empty()) {
652 out <<
" Digital Signature\n";
655 out <<
" Non-Repudiation\n";
658 out <<
" Key Encipherment\n";
661 out <<
" Data Encipherment\n";
664 out <<
" Key Agreement\n";
667 out <<
" Cert Sign\n";
670 out <<
" CRL Sign\n";
673 out <<
" Encipher Only\n";
676 out <<
" Decipher Only\n";
681 if(!policies.empty()) {
684 for(
const auto& oid : policies) {
685 out <<
" " << oid.to_string() <<
"\n";
690 if(!ex_constraints.empty()) {
691 out <<
"Extended Constraints:\n";
692 for(
auto&& oid : ex_constraints) {
693 out <<
" " << oid.to_formatted_string() <<
"\n";
700 out <<
"Name Constraints:\n";
705 out <<
" " << st.base();
713 out <<
" " << st.base();
724 if(!ca_issuers.empty()) {
725 out <<
"CA Issuers:\n";
727 out <<
" URI: " << ca_issuer <<
"\n";
749 out <<
"Public Key [" << pubkey->algo_name() <<
"-" << pubkey->key_length() <<
"]\n\n";
753 out <<
"Failed to decode key with oid " << alg_id.
oid().
to_string() <<
"\n";
std::vector< uint8_t > BER_encode() const
std::string readable_string() const
Returns a human friendly string replesentation of no particular formatting.
std::vector< std::string > get_attribute(std::string_view attr) const
static std::vector< uint8_t > encode(const BigInt &n)
bool critical_extension_set(const OID &oid) const
static std::unique_ptr< HashFunction > create(std::string_view algo_spec, std::string_view provider="")
bool includes(Key_Constraints::Bits other) const
const std::vector< GeneralSubtree > & permitted() const
const std::vector< GeneralSubtree > & excluded() const
std::string to_formatted_string() const
std::string to_string() const
static OID from_string(std::string_view str)
const std::vector< OID > & extended_key_usage() const
Key_Constraints constraints() const
bool operator==(const X509_Certificate &other) const
const NameConstraints & name_constraints() const
X509_Certificate()=default
bool is_critical(std::string_view ex_name) const
const std::vector< uint8_t > & serial_number() const
std::string fingerprint(std::string_view hash_name="SHA-1") const
const X509_DN & subject_dn() const
std::vector< uint8_t > raw_subject_dn_sha256() const
uint32_t path_limit() const
const X509_Time & not_after() const
const std::vector< uint8_t > & authority_key_id() const
bool allowed_extended_usage(std::string_view usage) const
const AlternativeName & issuer_alt_name() const
const std::vector< uint8_t > & raw_subject_dn() const
const std::vector< uint8_t > & subject_key_id() const
const std::vector< uint8_t > & subject_public_key_bits() const
bool has_constraints(Key_Constraints constraints) const
const Extensions & v3_extensions() const
bool has_ex_constraint(std::string_view ex_constraint) const
const std::vector< uint8_t > & subject_public_key_bitstring_sha1() const
bool allowed_usage(Key_Constraints usage) const
const X509_DN & issuer_dn() const
const std::vector< uint8_t > & v2_issuer_key_id() const
std::string ocsp_responder() const
bool matches_dns_name(std::string_view name) const
std::vector< std::string > subject_info(std::string_view name) const
uint32_t x509_version() const
std::string crl_distribution_point() const
const std::vector< OID > & certificate_policy_oids() const
std::unique_ptr< Public_Key > load_subject_public_key() const
bool is_self_signed() const
const std::vector< uint8_t > & raw_issuer_dn() const
bool operator<(const X509_Certificate &other) const
const AlgorithmIdentifier & subject_public_key_algo() const
const AlternativeName & subject_alt_name() const
std::vector< std::string > ca_issuers() const
const std::vector< uint8_t > & subject_public_key_info() const
std::vector< uint8_t > raw_issuer_dn_sha256() const
bool is_serial_negative() const
const std::vector< uint8_t > & subject_public_key_bitstring() const
std::unique_ptr< Public_Key > subject_public_key() const
const std::vector< uint8_t > & v2_subject_key_id() const
const X509_Time & not_before() const
std::vector< std::string > issuer_info(std::string_view name) const
std::string to_string() const
std::vector< std::string > get_attribute(std::string_view attr) const
const std::vector< uint8_t > & signed_body() const
const AlgorithmIdentifier & signature_algorithm() const
const std::vector< uint8_t > & signature() const
void load_data(DataSource &src)
std::vector< uint8_t > put_in_sequence(const std::vector< uint8_t > &contents)
std::unique_ptr< Public_Key > load_key(DataSource &source)
std::string PEM_encode(const Public_Key &key)
bool operator!=(const AlgorithmIdentifier &a1, const AlgorithmIdentifier &a2)
bool host_wildcard_match(std::string_view issued_, std::string_view host_)
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
std::string create_hex_fingerprint(const uint8_t bits[], size_t bits_len, std::string_view hash_name)