1 /*
2 * Certificate Store
3 * (C) 1999-2010,2013 Jack Lloyd
4 * (C) 2017 Fabian Weissberg, Rohde & Schwarz Cybersecurity
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/certstor.h>
10 #include <botan/pkix_types.h>
11 #include <botan/internal/filesystem.h>
12 #include <botan/hash.h>
13 #include <botan/data_src.h>
14 
15 namespace Botan {
16 
~Certificate_Store()17 Certificate_Store::~Certificate_Store() {}
18 
19 std::shared_ptr<const X509_Certificate>
find_cert(const X509_DN & subject_dn,const std::vector<uint8_t> & key_id) const20 Certificate_Store::find_cert(const X509_DN& subject_dn, const std::vector<uint8_t>& key_id) const
21    {
22    const auto certs = find_all_certs(subject_dn, key_id);
23 
24    if(certs.empty())
25       {
26       return nullptr;  // certificate not found
27       }
28 
29    // `count` might be greater than 1, but we'll just select the first match
30    return certs.front();
31    }
32 
find_crl_for(const X509_Certificate &) const33 std::shared_ptr<const X509_CRL> Certificate_Store::find_crl_for(const X509_Certificate&) const
34    {
35    return {};
36    }
37 
add_certificate(const X509_Certificate & cert)38 void Certificate_Store_In_Memory::add_certificate(const X509_Certificate& cert)
39    {
40    for(const auto& c : m_certs)
41       if(*c == cert)
42          return;
43 
44    m_certs.push_back(std::make_shared<const X509_Certificate>(cert));
45    }
46 
add_certificate(std::shared_ptr<const X509_Certificate> cert)47 void Certificate_Store_In_Memory::add_certificate(std::shared_ptr<const X509_Certificate> cert)
48    {
49    for(const auto& c : m_certs)
50       if(*c == *cert)
51          return;
52 
53    m_certs.push_back(cert);
54    }
55 
all_subjects() const56 std::vector<X509_DN> Certificate_Store_In_Memory::all_subjects() const
57    {
58    std::vector<X509_DN> subjects;
59    for(const auto& cert : m_certs)
60       subjects.push_back(cert->subject_dn());
61    return subjects;
62    }
63 
64 std::shared_ptr<const X509_Certificate>
find_cert(const X509_DN & subject_dn,const std::vector<uint8_t> & key_id) const65 Certificate_Store_In_Memory::find_cert(const X509_DN& subject_dn,
66                                        const std::vector<uint8_t>& key_id) const
67    {
68    for(const auto& cert : m_certs)
69       {
70       // Only compare key ids if set in both call and in the cert
71       if(key_id.size())
72          {
73          std::vector<uint8_t> skid = cert->subject_key_id();
74 
75          if(skid.size() && skid != key_id) // no match
76             continue;
77          }
78 
79       if(cert->subject_dn() == subject_dn)
80          return cert;
81       }
82 
83    return nullptr;
84    }
85 
find_all_certs(const X509_DN & subject_dn,const std::vector<uint8_t> & key_id) const86 std::vector<std::shared_ptr<const X509_Certificate>> Certificate_Store_In_Memory::find_all_certs(
87       const X509_DN& subject_dn,
88       const std::vector<uint8_t>& key_id) const
89    {
90    std::vector<std::shared_ptr<const X509_Certificate>> matches;
91 
92    for(const auto& cert : m_certs)
93       {
94       if(key_id.size())
95          {
96          std::vector<uint8_t> skid = cert->subject_key_id();
97 
98          if(skid.size() && skid != key_id) // no match
99             continue;
100          }
101 
102       if(cert->subject_dn() == subject_dn)
103          matches.push_back(cert);
104       }
105 
106    return matches;
107    }
108 
109 std::shared_ptr<const X509_Certificate>
find_cert_by_pubkey_sha1(const std::vector<uint8_t> & key_hash) const110 Certificate_Store_In_Memory::find_cert_by_pubkey_sha1(const std::vector<uint8_t>& key_hash) const
111    {
112    if(key_hash.size() != 20)
113       throw Invalid_Argument("Certificate_Store_In_Memory::find_cert_by_pubkey_sha1 invalid hash");
114 
115    std::unique_ptr<HashFunction> hash(HashFunction::create("SHA-1"));
116 
117    for(const auto& cert : m_certs){
118       hash->update(cert->subject_public_key_bitstring());
119       if(key_hash == hash->final_stdvec()) //final_stdvec also clears the hash to initial state
120          return cert;
121    }
122 
123    return nullptr;
124    }
125 
126 std::shared_ptr<const X509_Certificate>
find_cert_by_raw_subject_dn_sha256(const std::vector<uint8_t> & subject_hash) const127 Certificate_Store_In_Memory::find_cert_by_raw_subject_dn_sha256(const std::vector<uint8_t>& subject_hash) const
128    {
129    if(subject_hash.size() != 32)
130       throw Invalid_Argument("Certificate_Store_In_Memory::find_cert_by_raw_subject_dn_sha256 invalid hash");
131 
132    std::unique_ptr<HashFunction> hash(HashFunction::create("SHA-256"));
133 
134    for(const auto& cert : m_certs){
135       hash->update(cert->raw_subject_dn());
136       if(subject_hash == hash->final_stdvec()) //final_stdvec also clears the hash to initial state
137          return cert;
138    }
139 
140    return nullptr;
141    }
142 
add_crl(const X509_CRL & crl)143 void Certificate_Store_In_Memory::add_crl(const X509_CRL& crl)
144    {
145    std::shared_ptr<const X509_CRL> crl_s = std::make_shared<const X509_CRL>(crl);
146    return add_crl(crl_s);
147    }
148 
add_crl(std::shared_ptr<const X509_CRL> crl)149 void Certificate_Store_In_Memory::add_crl(std::shared_ptr<const X509_CRL> crl)
150    {
151    X509_DN crl_issuer = crl->issuer_dn();
152 
153    for(auto& c : m_crls)
154       {
155       // Found an update of a previously existing one; replace it
156       if(c->issuer_dn() == crl_issuer)
157          {
158          if(c->this_update() <= crl->this_update())
159             c = crl;
160          return;
161          }
162       }
163 
164    // Totally new CRL, add to the list
165    m_crls.push_back(crl);
166    }
167 
find_crl_for(const X509_Certificate & subject) const168 std::shared_ptr<const X509_CRL> Certificate_Store_In_Memory::find_crl_for(const X509_Certificate& subject) const
169    {
170    const std::vector<uint8_t>& key_id = subject.authority_key_id();
171 
172    for(const auto& c : m_crls)
173       {
174       // Only compare key ids if set in both call and in the CRL
175       if(key_id.size())
176          {
177          std::vector<uint8_t> akid = c->authority_key_id();
178 
179          if(akid.size() && akid != key_id) // no match
180             continue;
181          }
182 
183       if(c->issuer_dn() == subject.issuer_dn())
184          return c;
185       }
186 
187    return {};
188    }
189 
Certificate_Store_In_Memory(const X509_Certificate & cert)190 Certificate_Store_In_Memory::Certificate_Store_In_Memory(const X509_Certificate& cert)
191    {
192    add_certificate(cert);
193    }
194 
195 #if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
Certificate_Store_In_Memory(const std::string & dir)196 Certificate_Store_In_Memory::Certificate_Store_In_Memory(const std::string& dir)
197    {
198    if(dir.empty())
199       return;
200 
201    std::vector<std::string> maybe_certs = get_files_recursive(dir);
202 
203    if(maybe_certs.empty())
204       {
205       maybe_certs.push_back(dir);
206       }
207 
208    for(auto&& cert_file : maybe_certs)
209       {
210       try
211          {
212          DataSource_Stream src(cert_file, true);
213          while(!src.end_of_data())
214             {
215             try
216                {
217                m_certs.push_back(std::make_shared<X509_Certificate>(src));
218                }
219             catch(std::exception&)
220                {
221                // stop searching for other certificate at first exception
222                break;
223                }
224             }
225          }
226       catch(std::exception&)
227          {
228          }
229       }
230    }
231 #endif
232 
233 }
234