1 /*
2 * Certificate Store
3 * (C) 1999-2010,2013 Jack Lloyd
4 * (C) 2017 Fabian Weissberg, Rohde & Schwarz Cybersecurity
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8
9 #include <botan/certstor.h>
10 #include <botan/pkix_types.h>
11 #include <botan/internal/filesystem.h>
12 #include <botan/hash.h>
13 #include <botan/data_src.h>
14
15 namespace Botan {
16
~Certificate_Store()17 Certificate_Store::~Certificate_Store() {}
18
19 std::shared_ptr<const X509_Certificate>
find_cert(const X509_DN & subject_dn,const std::vector<uint8_t> & key_id) const20 Certificate_Store::find_cert(const X509_DN& subject_dn, const std::vector<uint8_t>& key_id) const
21 {
22 const auto certs = find_all_certs(subject_dn, key_id);
23
24 if(certs.empty())
25 {
26 return nullptr; // certificate not found
27 }
28
29 // `count` might be greater than 1, but we'll just select the first match
30 return certs.front();
31 }
32
find_crl_for(const X509_Certificate &) const33 std::shared_ptr<const X509_CRL> Certificate_Store::find_crl_for(const X509_Certificate&) const
34 {
35 return {};
36 }
37
add_certificate(const X509_Certificate & cert)38 void Certificate_Store_In_Memory::add_certificate(const X509_Certificate& cert)
39 {
40 for(const auto& c : m_certs)
41 if(*c == cert)
42 return;
43
44 m_certs.push_back(std::make_shared<const X509_Certificate>(cert));
45 }
46
add_certificate(std::shared_ptr<const X509_Certificate> cert)47 void Certificate_Store_In_Memory::add_certificate(std::shared_ptr<const X509_Certificate> cert)
48 {
49 for(const auto& c : m_certs)
50 if(*c == *cert)
51 return;
52
53 m_certs.push_back(cert);
54 }
55
all_subjects() const56 std::vector<X509_DN> Certificate_Store_In_Memory::all_subjects() const
57 {
58 std::vector<X509_DN> subjects;
59 for(const auto& cert : m_certs)
60 subjects.push_back(cert->subject_dn());
61 return subjects;
62 }
63
64 std::shared_ptr<const X509_Certificate>
find_cert(const X509_DN & subject_dn,const std::vector<uint8_t> & key_id) const65 Certificate_Store_In_Memory::find_cert(const X509_DN& subject_dn,
66 const std::vector<uint8_t>& key_id) const
67 {
68 for(const auto& cert : m_certs)
69 {
70 // Only compare key ids if set in both call and in the cert
71 if(key_id.size())
72 {
73 std::vector<uint8_t> skid = cert->subject_key_id();
74
75 if(skid.size() && skid != key_id) // no match
76 continue;
77 }
78
79 if(cert->subject_dn() == subject_dn)
80 return cert;
81 }
82
83 return nullptr;
84 }
85
find_all_certs(const X509_DN & subject_dn,const std::vector<uint8_t> & key_id) const86 std::vector<std::shared_ptr<const X509_Certificate>> Certificate_Store_In_Memory::find_all_certs(
87 const X509_DN& subject_dn,
88 const std::vector<uint8_t>& key_id) const
89 {
90 std::vector<std::shared_ptr<const X509_Certificate>> matches;
91
92 for(const auto& cert : m_certs)
93 {
94 if(key_id.size())
95 {
96 std::vector<uint8_t> skid = cert->subject_key_id();
97
98 if(skid.size() && skid != key_id) // no match
99 continue;
100 }
101
102 if(cert->subject_dn() == subject_dn)
103 matches.push_back(cert);
104 }
105
106 return matches;
107 }
108
109 std::shared_ptr<const X509_Certificate>
find_cert_by_pubkey_sha1(const std::vector<uint8_t> & key_hash) const110 Certificate_Store_In_Memory::find_cert_by_pubkey_sha1(const std::vector<uint8_t>& key_hash) const
111 {
112 if(key_hash.size() != 20)
113 throw Invalid_Argument("Certificate_Store_In_Memory::find_cert_by_pubkey_sha1 invalid hash");
114
115 std::unique_ptr<HashFunction> hash(HashFunction::create("SHA-1"));
116
117 for(const auto& cert : m_certs){
118 hash->update(cert->subject_public_key_bitstring());
119 if(key_hash == hash->final_stdvec()) //final_stdvec also clears the hash to initial state
120 return cert;
121 }
122
123 return nullptr;
124 }
125
126 std::shared_ptr<const X509_Certificate>
find_cert_by_raw_subject_dn_sha256(const std::vector<uint8_t> & subject_hash) const127 Certificate_Store_In_Memory::find_cert_by_raw_subject_dn_sha256(const std::vector<uint8_t>& subject_hash) const
128 {
129 if(subject_hash.size() != 32)
130 throw Invalid_Argument("Certificate_Store_In_Memory::find_cert_by_raw_subject_dn_sha256 invalid hash");
131
132 std::unique_ptr<HashFunction> hash(HashFunction::create("SHA-256"));
133
134 for(const auto& cert : m_certs){
135 hash->update(cert->raw_subject_dn());
136 if(subject_hash == hash->final_stdvec()) //final_stdvec also clears the hash to initial state
137 return cert;
138 }
139
140 return nullptr;
141 }
142
add_crl(const X509_CRL & crl)143 void Certificate_Store_In_Memory::add_crl(const X509_CRL& crl)
144 {
145 std::shared_ptr<const X509_CRL> crl_s = std::make_shared<const X509_CRL>(crl);
146 return add_crl(crl_s);
147 }
148
add_crl(std::shared_ptr<const X509_CRL> crl)149 void Certificate_Store_In_Memory::add_crl(std::shared_ptr<const X509_CRL> crl)
150 {
151 X509_DN crl_issuer = crl->issuer_dn();
152
153 for(auto& c : m_crls)
154 {
155 // Found an update of a previously existing one; replace it
156 if(c->issuer_dn() == crl_issuer)
157 {
158 if(c->this_update() <= crl->this_update())
159 c = crl;
160 return;
161 }
162 }
163
164 // Totally new CRL, add to the list
165 m_crls.push_back(crl);
166 }
167
find_crl_for(const X509_Certificate & subject) const168 std::shared_ptr<const X509_CRL> Certificate_Store_In_Memory::find_crl_for(const X509_Certificate& subject) const
169 {
170 const std::vector<uint8_t>& key_id = subject.authority_key_id();
171
172 for(const auto& c : m_crls)
173 {
174 // Only compare key ids if set in both call and in the CRL
175 if(key_id.size())
176 {
177 std::vector<uint8_t> akid = c->authority_key_id();
178
179 if(akid.size() && akid != key_id) // no match
180 continue;
181 }
182
183 if(c->issuer_dn() == subject.issuer_dn())
184 return c;
185 }
186
187 return {};
188 }
189
Certificate_Store_In_Memory(const X509_Certificate & cert)190 Certificate_Store_In_Memory::Certificate_Store_In_Memory(const X509_Certificate& cert)
191 {
192 add_certificate(cert);
193 }
194
195 #if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
Certificate_Store_In_Memory(const std::string & dir)196 Certificate_Store_In_Memory::Certificate_Store_In_Memory(const std::string& dir)
197 {
198 if(dir.empty())
199 return;
200
201 std::vector<std::string> maybe_certs = get_files_recursive(dir);
202
203 if(maybe_certs.empty())
204 {
205 maybe_certs.push_back(dir);
206 }
207
208 for(auto&& cert_file : maybe_certs)
209 {
210 try
211 {
212 DataSource_Stream src(cert_file, true);
213 while(!src.end_of_data())
214 {
215 try
216 {
217 m_certs.push_back(std::make_shared<X509_Certificate>(src));
218 }
219 catch(std::exception&)
220 {
221 // stop searching for other certificate at first exception
222 break;
223 }
224 }
225 }
226 catch(std::exception&)
227 {
228 }
229 }
230 }
231 #endif
232
233 }
234