/*
* Certificate Store in SQL
* (C) 2016 Kai Michaelis, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#ifndef BOTAN_CERT_STORE_SQL_H_
#define BOTAN_CERT_STORE_SQL_H_

#include <botan/certstor.h>
#include <botan/x509cert.h>
#include <botan/x509_crl.h>
#include <botan/database.h>
#include <botan/mutex.h>

namespace Botan {

class Private_Key;
class RandomNumberGenerator;

/**
* Certificate and private key store backed by an SQL database.
*
* The lookup methods marked `override` implement the read-only
* Certificate_Store interface. Insertion, removal, private key handling and
* revocation bookkeeping are extensions specific to this class and are not
* reachable through a Certificate_Store base reference.
*
* Private keys are stored encrypted under the password handed to the
* constructor; that password is kept inside the store object for its whole
* lifetime (see m_password), so an instance of this class must itself be
* treated as holding secret material.
*/
class BOTAN_PUBLIC_API(2,0) Certificate_Store_In_SQL : public Certificate_Store
   {
   public:
      /**
      * Create/open a certificate store.
      *
      * @param db underlying database storage; ownership is shared with the
      *        caller (the store keeps its own shared_ptr)
      * @param passwd password to encrypt private keys in the database. It is
      *        copied into the store and retained for the store's lifetime
      *        (presumably so that find_key() can decrypt stored keys later;
      *        confirm against the implementation).
      * @param rng used for encrypting keys. Only a reference is kept, so the
      *        RNG object must outlive the store.
      * @param table_prefix optional prefix for db table names; allows several
      *        stores to share one database
      */
      explicit Certificate_Store_In_SQL(const std::shared_ptr<SQL_Database> db,
                                        const std::string& passwd,
                                        RandomNumberGenerator& rng,
                                        const std::string& table_prefix = "");

      /**
      * Returns the first certificate with matching subject DN and optional key ID.
      *
      * "First" is whatever the database returns first; callers that need a
      * specific certificate among several with the same subject should use
      * find_all_certs() and select explicitly. How an "absent" key_id is
      * expressed (presumably an empty vector) is not visible from this
      * header; confirm against the implementation / Certificate_Store docs.
      */
      std::shared_ptr<const X509_Certificate>
         find_cert(const X509_DN& subject_dn, const std::vector<uint8_t>& key_id) const override;

      /**
      * Find all certificates with a given Subject DN.
      * Subject DN and even the key identifier might not be unique, so the
      * result may hold more than one certificate.
      */
      std::vector<std::shared_ptr<const X509_Certificate>> find_all_certs(
         const X509_DN& subject_dn, const std::vector<uint8_t>& key_id) const override;

      /**
      * Look up a certificate by the SHA-1 hash of its public key.
      * @param key_hash the SHA-1 digest to match
      * @return the matching certificate, or an empty shared_ptr if none
      *         (Certificate_Store convention; confirm in the implementation)
      */
      std::shared_ptr<const X509_Certificate>
         find_cert_by_pubkey_sha1(const std::vector<uint8_t>& key_hash) const override;

      /**
      * Look up a certificate by the SHA-256 hash of its raw (encoded)
      * subject DN.
      * @param subject_hash the SHA-256 digest to match
      * @return the matching certificate, or an empty shared_ptr if none
      *         (Certificate_Store convention; confirm in the implementation)
      */
      std::shared_ptr<const X509_Certificate>
         find_cert_by_raw_subject_dn_sha256(const std::vector<uint8_t>& subject_hash) const override;

      /**
      * Returns all subject DNs known to the store instance.
      */
      std::vector<X509_DN> all_subjects() const override;

      /**
      * Inserts "cert" into the store, returns false if the certificate is
      * already known and true if insertion was successful.
      *
      * Not part of the Certificate_Store interface (no override), so only
      * callers holding this concrete type can modify the store.
      */
      bool insert_cert(const X509_Certificate& cert);

      /**
      * Removes "cert" from the store. Returns false if the certificate could not
      * be found and true if removal was successful.
      */
      bool remove_cert(const X509_Certificate& cert);

      /**
      * Returns the private key for "cert" or an empty shared_ptr if none was found.
      *
      * The key is presumably decrypted with the password given at
      * construction (see m_password); confirm in the implementation.
      */
      std::shared_ptr<const Private_Key> find_key(const X509_Certificate&) const;

      /// Returns all certificates for private key "key".
      std::vector<std::shared_ptr<const X509_Certificate>>
         find_certs_for_key(const Private_Key& key) const;

      /**
      * Inserts "key" for "cert" into the store, returns false if the key is
      * already known and true if insertion was successful.
      *
      * The key is stored encrypted under the constructor password, using
      * m_rng for the encryption (per the constructor documentation).
      */
      bool insert_key(const X509_Certificate& cert, const Private_Key& key);

      /**
      * Removes "key" from the store.
      *
      * Unlike remove_cert(), this does not report whether a key was actually
      * removed; callers cannot distinguish "removed" from "was never stored".
      */
      void remove_key(const Private_Key& key);

      /**
      * Marks "cert" as revoked starting from "time".
      *
      * @param time revocation time; the default is a default-constructed
      *        X509_Time. What the implementation substitutes for an unset
      *        time (presumably "now") is not visible from this header —
      *        confirm before relying on it.
      */
      void revoke_cert(const X509_Certificate&, CRL_Code, const X509_Time& time = X509_Time());

      /// Reverses the revocation for "cert".
      void affirm_cert(const X509_Certificate&);

      /**
      * Generates Certificate Revocation Lists for all certificates marked as revoked.
      * A CRL is returned for each unique issuer DN.
      *
      * NOTE(review): a CRL has to be signed by the issuer, so this can only
      * work for issuers whose private key is available in the store; how a
      * missing issuer key is reported is not visible here — confirm.
      */
      std::vector<X509_CRL> generate_crls() const;

      /**
      * Generates a CRL for all certificates issued by the given issuer.
      * Implements the Certificate_Store interface.
      */
      std::shared_ptr<const X509_CRL>
         find_crl_for(const X509_Certificate& issuer) const override;

   private:
      // Reference only: the RNG passed to the constructor must outlive this
      // object.
      RandomNumberGenerator& m_rng;
      // Shared ownership of the backing database.
      std::shared_ptr<SQL_Database> m_database;
      // Table-name prefix supplied at construction ("" by default).
      std::string m_prefix;
      // NOTE(review): the key-encryption password is retained for the whole
      // lifetime of the store in a plain std::string, which is not scrubbed
      // on destruction or reallocation; consider a secure (zeroising)
      // container if this is a concern for the deployment.
      std::string m_password;
      // NOTE(review): this mutex is not declared `mutable`, so the const
      // lookup methods above cannot lock it without a cast; confirm in the
      // implementation which operations it actually guards.
      mutex_type m_mutex;
   };

} // namespace Botan
#endif