9#include <botan/x509cert.h>
11#include <botan/ber_dec.h>
12#include <botan/bigint.h>
13#include <botan/hash.h>
15#include <botan/pk_keys.h>
16#include <botan/x509_ext.h>
17#include <botan/x509_key.h>
18#include <botan/internal/parsing.h>
24struct X509_Certificate_Data {
25 std::vector<uint8_t> m_serial;
26 AlgorithmIdentifier m_sig_algo_inner;
29 std::vector<uint8_t> m_issuer_dn_bits;
30 std::vector<uint8_t> m_subject_dn_bits;
33 std::vector<uint8_t> m_subject_public_key_bits;
34 std::vector<uint8_t> m_subject_public_key_bits_seq;
35 std::vector<uint8_t> m_subject_public_key_bitstring;
36 std::vector<uint8_t> m_subject_public_key_bitstring_sha1;
37 AlgorithmIdentifier m_subject_public_key_algid;
39 std::vector<uint8_t> m_v2_issuer_key_id;
40 std::vector<uint8_t> m_v2_subject_key_id;
41 Extensions m_v3_extensions;
43 std::vector<OID> m_extended_key_usage;
44 std::vector<uint8_t> m_authority_key_id;
45 std::vector<uint8_t> m_subject_key_id;
46 std::vector<OID> m_cert_policies;
48 std::vector<std::string> m_crl_distribution_points;
49 std::string m_ocsp_responder;
50 std::vector<std::string> m_ca_issuers;
52 std::vector<uint8_t> m_issuer_dn_bits_sha256;
53 std::vector<uint8_t> m_subject_dn_bits_sha256;
55 std::string m_fingerprint_sha1;
56 std::string m_fingerprint_sha256;
58 AlternativeName m_subject_alt_name;
59 AlternativeName m_issuer_alt_name;
60 NameConstraints m_name_constraints;
63 std::optional<size_t> m_path_len_constraint;
64 Key_Constraints m_key_constraints;
65 bool m_self_signed =
false;
66 bool m_is_ca_certificate =
false;
67 bool m_serial_negative =
false;
68 bool m_subject_alt_name_exists =
false;
78 return {
"X509 CERTIFICATE"};
95#if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
104std::unique_ptr<X509_Certificate_Data> parse_x509_cert_body(
const X509_Object& obj) {
105 auto data = std::make_unique<X509_Certificate_Data>();
108 BER_Object public_key;
109 BER_Object v3_exts_data;
111 BER_Decoder(obj.signed_body())
114 .decode(data->m_sig_algo_inner)
115 .decode(data->m_issuer_dn)
117 .decode(data->m_not_before)
118 .decode(data->m_not_after)
120 .decode(data->m_subject_dn)
121 .get_next(public_key)
124 .get_next(v3_exts_data)
125 .verify_end(
"TBSCertificate has extra data after extensions block");
127 if(data->m_version > 2) {
128 throw Decoding_Error(
"Unknown X.509 cert version " + std::to_string(data->m_version));
130 if(obj.signature_algorithm() != data->m_sig_algo_inner) {
131 throw Decoding_Error(
"X.509 Certificate had differing algorithm identifers in inner and outer ID fields");
137 data->m_version += 1;
139 data->m_serial = serial_bn.serialize();
141 data->m_serial_negative = serial_bn.is_negative();
145 data->m_subject_public_key_bits.assign(public_key.bits(), public_key.bits() + public_key.length());
150 .
decode(data->m_subject_public_key_algid)
156 }
else if(v3_exts_data.is_set()) {
157 throw BER_Bad_Tag(
"Unknown tag in X.509 cert", v3_exts_data.tagging());
162 data->m_key_constraints = ext->get_constraints();
167 if(data->m_key_constraints.empty()) {
168 throw Decoding_Error(
"Certificate has invalid encoding for KeyUsage");
173 data->m_subject_key_id = ext->get_key_id();
177 data->m_authority_key_id = ext->get_key_id();
181 data->m_name_constraints = ext->get_name_constraints();
185 data->m_extended_key_usage = ext->object_identifiers();
197 if(data->m_extended_key_usage.empty()) {
198 throw Decoding_Error(
"Certificate has invalid empty EKU extension");
203 if(ext->is_ca() ==
true) {
211 const bool allowed_by_ku =
222 const bool allowed_by_ext_ku = [](
const std::vector<OID>& ext_ku) ->
bool {
231 for(
const auto& oid : ext_ku) {
232 if(oid == server_auth || oid == client_auth || oid == ocsp_sign) {
238 }(data->m_extended_key_usage);
240 if(allowed_by_ku && allowed_by_ext_ku) {
241 data->m_is_ca_certificate =
true;
242 data->m_path_len_constraint = ext->path_length_constraint();
248 data->m_issuer_alt_name = ext->get_alt_name();
252 data->m_subject_alt_name = ext->get_alt_name();
259 data->m_subject_alt_name_exists = data->m_v3_extensions.extension_set(san_oid);
262 data->m_cert_policies = ext->get_policy_oids();
266 data->m_ocsp_responder = ext->ocsp_responder();
267 data->m_ca_issuers = ext->ca_issuers();
271 data->m_crl_distribution_points = ext->crl_distribution_urls();
275 if(data->m_subject_dn == data->m_issuer_dn) {
276 if(data->m_subject_key_id.empty() ==
false && data->m_authority_key_id.empty() ==
false) {
277 data->m_self_signed = (data->m_subject_key_id == data->m_authority_key_id);
284 data->m_self_signed =
true;
287 auto pub_key =
X509::load_key(data->m_subject_public_key_bits_seq);
289 const auto sig_status = obj.verify_signature(*pub_key);
293 data->m_self_signed =
true;
295 data->m_self_signed =
false;
303 const std::vector<uint8_t> full_encoding = obj.BER_encode();
306 sha1->update(data->m_subject_public_key_bitstring);
307 data->m_subject_public_key_bitstring_sha1 = sha1->final_stdvec();
314 sha256->update(data->m_issuer_dn_bits);
315 data->m_issuer_dn_bits_sha256 = sha256->final_stdvec();
317 sha256->update(data->m_subject_dn_bits);
318 data->m_subject_dn_bits_sha256 = sha256->final_stdvec();
331void X509_Certificate::force_decode() {
333 m_data = parse_x509_cert_body(*
this);
336const X509_Certificate_Data& X509_Certificate::data()
const {
337 if(m_data ==
nullptr) {
338 throw Invalid_State(
"X509_Certificate uninitialized");
344 return static_cast<uint32_t
>(data().m_version);
348 return data().m_self_signed;
352 return data().m_not_before;
356 return data().m_not_after;
360 return data().m_subject_public_key_algid;
364 return data().m_v2_issuer_key_id;
368 return data().m_v2_subject_key_id;
372 return data().m_subject_public_key_bits;
376 return data().m_subject_public_key_bits_seq;
380 return data().m_subject_public_key_bitstring;
384 if(data().m_subject_public_key_bitstring_sha1.empty()) {
385 throw Encoding_Error(
"X509_Certificate::subject_public_key_bitstring_sha1 called but SHA-1 disabled in build");
388 return data().m_subject_public_key_bitstring_sha1;
392 return data().m_authority_key_id;
396 return data().m_subject_key_id;
400 return data().m_serial;
404 return data().m_serial_negative;
408 return data().m_issuer_dn;
412 return data().m_subject_dn;
416 return data().m_issuer_dn_bits;
420 return data().m_subject_dn_bits;
424 if(data().m_version < 3 && data().m_self_signed) {
428 return data().m_is_ca_certificate;
432 if(data().m_version < 3 && data().m_self_signed) {
436 return static_cast<uint32_t
>(data().m_path_len_constraint.value_or(Cert_Extension::NO_CERT_PATH_LIMIT));
440 return data().m_path_len_constraint;
444 return data().m_key_constraints;
448 return data().m_extended_key_usage;
452 return data().m_cert_policies;
456 return data().m_name_constraints;
460 return data().m_v3_extensions;
485 if(std::find(ex.begin(), ex.end(), usage) != ex.end()) {
528 return (std::find(ex.begin(), ex.end(), usage) != ex.end());
539 return data().m_ocsp_responder;
543 return data().m_ca_issuers;
547 return data().m_crl_distribution_points;
552 if(!data().m_crl_distribution_points.empty()) {
553 return data().m_crl_distribution_points[0];
559 return data().m_subject_alt_name;
563 return data().m_issuer_alt_name;
568std::vector<std::string> get_cert_user_info(std::string_view req,
const X509_DN& dn,
const AlternativeName& alt_name) {
569 auto set_to_vector = [](
const std::set<std::string>& s) -> std::vector<std::string> {
return {s.begin(), s.end()}; };
573 }
else if(req ==
"RFC822" || req ==
"Email") {
574 return set_to_vector(alt_name.
email());
575 }
else if(req ==
"DNS") {
576 return set_to_vector(alt_name.
dns());
577 }
else if(req ==
"URI") {
578 return set_to_vector(alt_name.
uris());
579 }
else if(req ==
"IP") {
580 std::vector<std::string> ip_str;
612 }
catch(std::exception& e) {
622 if(data().m_issuer_dn_bits_sha256.empty()) {
623 throw Encoding_Error(
"X509_Certificate::raw_issuer_dn_sha256 called but SHA-256 disabled in build");
625 return data().m_issuer_dn_bits_sha256;
629 if(data().m_subject_dn_bits_sha256.empty()) {
630 throw Encoding_Error(
"X509_Certificate::raw_subject_dn_sha256 called but SHA-256 disabled in build");
632 return data().m_subject_dn_bits_sha256;
645 if(hash_name ==
"SHA-256" && !data().m_fingerprint_sha256.empty()) {
646 return data().m_fingerprint_sha256;
647 }
else if(hash_name ==
"SHA-1" && !data().m_fingerprint_sha1.empty()) {
648 return data().m_fingerprint_sha1;
661 return ipv4_names.contains(req_ipv4.value());
666 if(!data().m_subject_alt_name_exists) {
670 for(
const auto& issued_name : issued_names) {
702 return !(cert1 == cert2);
706 std::ostringstream out;
710 out <<
"Issuer: " <<
issuer_dn() <<
"\n";
716 out <<
"Public Key [" << pubkey->algo_name() <<
"-" << pubkey->key_length() <<
"]\n\n";
720 out <<
"Public Key Invalid!\n"
722 <<
" Error: " << ex.
what() <<
"\n"
726 out <<
"Constraints:\n";
728 if(constraints.
empty()) {
729 out <<
" No key constraints set\n";
732 out <<
" Digital Signature\n";
735 out <<
" Non-Repudiation\n";
738 out <<
" Key Encipherment\n";
741 out <<
" Data Encipherment\n";
744 out <<
" Key Agreement\n";
747 out <<
" Cert Sign\n";
750 out <<
" CRL Sign\n";
753 out <<
" Encipher Only\n";
756 out <<
" Decipher Only\n";
761 if(!policies.empty()) {
764 for(
const auto& oid : policies) {
765 out <<
" " << oid.to_string() <<
"\n";
770 if(!ex_constraints.empty()) {
771 out <<
"Extended Constraints:\n";
772 for(
auto&& oid : ex_constraints) {
773 out <<
" " << oid.to_formatted_string() <<
"\n";
780 out <<
"Name Constraints:\n";
785 out <<
" " << st.base();
793 out <<
" " << st.base();
804 if(!ca_issuers.empty()) {
805 out <<
"CA Issuers:\n";
807 out <<
" URI: " << ca_issuer <<
"\n";
812 out <<
"CRL " << cdp <<
"\n";
828 out <<
"Certificate is self signed\n";
std::vector< uint8_t > BER_encode() const
std::string readable_string() const
Returns a human friendly string replesentation of no particular formatting.
const std::set< uint32_t > & ipv4_address() const
Return the set of IPv4 addresses included in this alternative name.
const std::set< std::string > & uris() const
Return the set of URIs included in this alternative name.
const std::set< std::string > & dns() const
Return the set of DNS names included in this alternative name.
const std::set< std::string > & email() const
Return the set of email addresses included in this alternative name.
BER_Decoder & decode(bool &out)
BER_Decoder & verify_end()
const char * what() const noexcept override
bool critical_extension_set(const OID &oid) const
static std::unique_ptr< HashFunction > create(std::string_view algo_spec, std::string_view provider="")
bool includes(Key_Constraints::Bits other) const
const std::vector< GeneralSubtree > & permitted() const
std::string to_formatted_string() const
static std::optional< OID > from_name(std::string_view name)
static OID from_string(std::string_view str)
const std::vector< OID > & extended_key_usage() const
Key_Constraints constraints() const
bool operator==(const X509_Certificate &other) const
const NameConstraints & name_constraints() const
X509_Certificate()=default
bool is_critical(std::string_view ex_name) const
const std::vector< uint8_t > & serial_number() const
std::string fingerprint(std::string_view hash_name="SHA-1") const
const X509_DN & subject_dn() const
std::vector< uint8_t > raw_subject_dn_sha256() const
uint32_t path_limit() const
const X509_Time & not_after() const
const std::vector< uint8_t > & authority_key_id() const
bool allowed_extended_usage(std::string_view usage) const
const AlternativeName & issuer_alt_name() const
const std::vector< uint8_t > & raw_subject_dn() const
const std::vector< uint8_t > & subject_key_id() const
~X509_Certificate() override
const std::vector< uint8_t > & subject_public_key_bits() const
bool has_constraints(Key_Constraints constraints) const
std::optional< size_t > path_length_constraint() const
const Extensions & v3_extensions() const
bool has_ex_constraint(std::string_view ex_constraint) const
std::vector< std::string > crl_distribution_points() const
const std::vector< uint8_t > & subject_public_key_bitstring_sha1() const
bool allowed_usage(Key_Constraints usage) const
const X509_DN & issuer_dn() const
const std::vector< uint8_t > & v2_issuer_key_id() const
std::string ocsp_responder() const
bool matches_dns_name(std::string_view name) const
std::vector< std::string > subject_info(std::string_view name) const
uint32_t x509_version() const
std::string crl_distribution_point() const
const std::vector< OID > & certificate_policy_oids() const
std::unique_ptr< Public_Key > load_subject_public_key() const
X509_Certificate(DataSource &source)
bool is_self_signed() const
const std::vector< uint8_t > & raw_issuer_dn() const
bool operator<(const X509_Certificate &other) const
const AlgorithmIdentifier & subject_public_key_algo() const
const AlternativeName & subject_alt_name() const
std::vector< std::string > ca_issuers() const
const std::vector< uint8_t > & subject_public_key_info() const
std::vector< uint8_t > raw_issuer_dn_sha256() const
bool is_serial_negative() const
const std::vector< uint8_t > & subject_public_key_bitstring() const
std::unique_ptr< Public_Key > subject_public_key() const
const std::vector< uint8_t > & v2_subject_key_id() const
const X509_Time & not_before() const
std::vector< std::string > issuer_info(std::string_view name) const
std::string to_string() const
bool has_field(const OID &oid) const
std::vector< std::string > get_attribute(std::string_view attr) const
const std::vector< uint8_t > & signed_body() const
const AlgorithmIdentifier & signature_algorithm() const
virtual std::vector< std::string > alternate_PEM_labels() const
const std::vector< uint8_t > & signature() const
void load_data(DataSource &src)
virtual std::string PEM_label() const =0
std::vector< uint8_t > put_in_sequence(const std::vector< uint8_t > &contents)
std::unique_ptr< Public_Key > load_key(DataSource &source)
std::string PEM_encode(const Public_Key &key)
bool operator!=(const AlgorithmIdentifier &a1, const AlgorithmIdentifier &a2)
bool host_wildcard_match(std::string_view issued_, std::string_view host_)
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
std::string create_hex_fingerprint(const uint8_t bits[], size_t bits_len, std::string_view hash_name)
std::optional< uint32_t > string_to_ipv4(std::string_view str)
std::string ipv4_to_string(uint32_t ip)