Botan::X509_Certificate Class Reference

#include <x509cert.h>

Inheritance diagram for Botan::X509_Certificate:
Botan::X509_Object Botan::ASN1_Object

Public Member Functions

bool allowed_extended_usage (const std::string &usage) const
 
bool allowed_usage (Key_Constraints usage) const
 
bool allowed_usage (Usage_Type usage) const
 
std::vector< uint8_t > authority_key_id () const
 
std::vector< uint8_t > BER_encode () const
 
bool check_signature (const Public_Key &key) const
 
bool check_signature (const Public_Key *key) const
 
Key_Constraints constraints () const
 
std::string crl_distribution_point () const
 
void decode_from (class BER_Decoder &from) override
 
void encode_into (class DER_Encoder &to) const override
 
std::string end_time () const
 
std::vector< std::string > ex_constraints () const
 
std::string fingerprint (const std::string &hash_name="SHA-1") const
 
bool has_constraints (Key_Constraints constraints) const
 Returns true if the specified constraints are included in the key usage extension. More...
 
bool has_ex_constraint (const std::string &ex_constraint) const
 
std::string hash_used_for_signature () const
 
bool is_CA_cert () const
 
bool is_critical (const std::string &ex_name) const
 
bool is_self_signed () const
 
X509_DN issuer_dn () const
 
std::vector< std::string > issuer_info (const std::string &name) const
 
bool matches_dns_name (const std::string &name) const
 
NameConstraints name_constraints () const
 
std::string ocsp_responder () const
 
bool operator< (const X509_Certificate &other) const
 
X509_Certificate & operator= (const X509_Certificate &other)=default
 
bool operator== (const X509_Certificate &other) const
 
uint32_t path_limit () const
 
std::string PEM_encode () const
 
std::vector< std::string > policies () const
 
std::vector< uint8_t > raw_issuer_dn () const
 
std::vector< uint8_t > raw_issuer_dn_sha256 () const
 
std::vector< uint8_t > raw_subject_dn () const
 
std::vector< uint8_t > raw_subject_dn_sha256 () const
 
std::vector< uint8_t > serial_number () const
 
std::vector< uint8_t > signature () const
 
AlgorithmIdentifier signature_algorithm () const
 
std::string start_time () const
 
X509_DN subject_dn () const
 
std::vector< std::string > subject_info (const std::string &name) const
 
std::vector< uint8_t > subject_key_id () const
 
Public_Key * subject_public_key () const
 
std::vector< uint8_t > subject_public_key_bits () const
 
std::vector< uint8_t > subject_public_key_bitstring () const
 
std::vector< uint8_t > subject_public_key_bitstring_sha1 () const
 
std::vector< uint8_t > tbs_data () const
 
std::string to_string () const
 
Extensions v3_extensions () const
 
 X509_Certificate (DataSource &source)
 
 X509_Certificate (const std::vector< uint8_t > &in)
 
 X509_Certificate (const X509_Certificate &other)=default
 
uint32_t x509_version () const
 

Static Public Member Functions

static std::vector< uint8_t > make_signed (class PK_Signer *signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &tbs)
 

Protected Member Functions

void do_decode ()
 

Protected Attributes

std::vector< uint8_t > m_sig
 
AlgorithmIdentifier m_sig_algo
 
std::vector< uint8_t > m_tbs_bits
 

Friends

class BER_Decoder
 
class X509_CA
 

Detailed Description

This class represents an X.509 certificate.

Definition at line 36 of file x509cert.h.

Constructor & Destructor Documentation

Botan::X509_Certificate::X509_Certificate ( DataSource & source)
explicit

Create a certificate from a data source providing the DER or PEM encoded certificate.

Parameters
source: the data source

Definition at line 45 of file x509cert.cpp.

References Botan::X509_Object::do_decode().

45  :
    // The base class reads the DER, or PEM carrying either of the two listed
    // labels, and fills m_tbs_bits / m_sig_algo / m_sig.
    // NOTE(review): the declaration names this parameter `source`; the
    // definition uses `in`.
46  X509_Object(in, "CERTIFICATE/X509 CERTIFICATE"),
47  m_self_signed(false),
48  m_v3_extensions(false)
49  {
    // Parse the certificate fields; malformed input surfaces as Decoding_Error
    // (X509_Object::do_decode wraps Decoding_Error and Invalid_Argument).
50  do_decode();
51  }
Botan::X509_Certificate::X509_Certificate ( const std::vector< uint8_t > &  in)
explicit

Create a certificate from a buffer

Parameters
in: the buffer containing the DER-encoded certificate

Definition at line 69 of file x509cert.cpp.

References Botan::X509_Object::do_decode().

69  :
    // The base class decodes the buffer (DER, or PEM with either listed label)
    // and fills m_tbs_bits / m_sig_algo / m_sig.
70  X509_Object(in, "CERTIFICATE/X509 CERTIFICATE"),
71  m_self_signed(false),
72  m_v3_extensions(false)
73  {
    // Parse the certificate fields; malformed input surfaces as Decoding_Error
    // (X509_Object::do_decode wraps Decoding_Error and Invalid_Argument).
74  do_decode();
75  }
Botan::X509_Certificate::X509_Certificate ( const X509_Certificate & other)
default

Member Function Documentation

bool Botan::X509_Certificate::allowed_extended_usage ( const std::string &  usage) const

Returns true if the specified usage is set in the extended key usage extension, or if no extended key usage constraints are set at all.

Parameters
usage: the extended key usage to check for. To check whether a certain extended key constraint is explicitly present in the certificate use
See also
X509_Certificate::has_ex_constraint.

Definition at line 267 of file x509cert.cpp.

References ex_constraints().

Referenced by allowed_usage().

bool X509_Certificate::allowed_extended_usage(const std::string& usage) const
   {
   // No ExtendedKeyUsage entries recorded means nothing is restricted, so any
   // usage is permitted. Otherwise the usage must be listed explicitly.
   // To test only for explicit presence use has_ex_constraint().
   const std::vector<std::string> permitted = ex_constraints();
   if(permitted.empty())
      return true;
   return std::find(permitted.begin(), permitted.end(), usage) != permitted.end();
   }
bool Botan::X509_Certificate::allowed_usage ( Key_Constraints  usage) const

Returns true if the specified usage is set in the key usage extension, or if no key usage constraints are set at all.

Parameters
usage: the key usage to check for. To check whether a certain key constraint is explicitly present in the certificate use
See also
X509_Certificate::has_constraints.

Definition at line 260 of file x509cert.cpp.

References constraints(), and Botan::NO_CONSTRAINTS.

Referenced by allowed_usage(), and is_CA_cert().

bool X509_Certificate::allowed_usage(Key_Constraints usage) const
   {
   const Key_Constraints present = constraints();
   // An absent KeyUsage extension (NO_CONSTRAINTS) restricts nothing
   if(present == NO_CONSTRAINTS)
      return true;
   // Every bit asked for must be set in the certificate
   return (present & usage) == usage;
   }
bool Botan::X509_Certificate::allowed_usage ( Usage_Type  usage) const

Returns true if the required key and extended key constraints are set in the certificate for the specified usage, or if no key constraints are set in either the key usage or the extended key usage extension.

Parameters
usage: the intended usage to check (a Usage_Type value)

Definition at line 280 of file x509cert.cpp.

References allowed_extended_usage(), allowed_usage(), Botan::CERTIFICATE_AUTHORITY, Botan::DIGITAL_SIGNATURE, is_CA_cert(), Botan::KEY_AGREEMENT, Botan::KEY_ENCIPHERMENT, Botan::NON_REPUDIATION, Botan::OCSP_RESPONDER, Botan::TLS_CLIENT_AUTH, Botan::TLS_SERVER_AUTH, and Botan::UNSPECIFIED.

281  {
282  // These follow suggestions in RFC 5280 4.2.1.12
283 
284  switch(usage)
285  {
287  return true;
288 
291 
294 
297 
299  return is_CA_cert();
300  }
301 
302  return false;
303  }
std::vector< uint8_t > Botan::X509_Certificate::authority_key_id ( ) const

Get the DER encoded AuthorityKeyIdentifier of this certificate.

Returns
DER encoded AuthorityKeyIdentifier

Definition at line 411 of file x509cert.cpp.

References Botan::Data_Store::get1_memvec().

Referenced by Botan::PKIX::build_certificate_path(), Botan::Certificate_Store_In_Memory::find_crl_for(), Botan::X509_CRL::is_revoked(), and to_string().

std::vector<uint8_t> X509_Certificate::authority_key_id() const
   {
   // The AKI lives in the issuer-side data store, unlike most extensions
   // which are recorded under m_subject.
   const std::string field = "X509v3.AuthorityKeyIdentifier";
   return m_issuer.get1_memvec(field);
   }
std::vector< uint8_t > Botan::X509_Object::BER_encode ( ) const
inherited
Returns
BER encoding of this

Definition at line 114 of file x509_obj.cpp.

References Botan::X509_Object::encode_into(), and Botan::DER_Encoder::get_contents_unlocked().

Referenced by fingerprint(), and Botan::X509_Object::PEM_encode().

std::vector<uint8_t> X509_Object::BER_encode() const
   {
   // Serialize through encode_into() and hand back the resulting DER bytes
   DER_Encoder encoder;
   this->encode_into(encoder);
   return encoder.get_contents_unlocked();
   }
bool Botan::X509_Object::check_signature ( const Public_Key & key) const
inherited

Check the signature on this data

Parameters
key: the public key purportedly used to sign this data
Returns
true if the signature is valid, otherwise false

Definition at line 188 of file x509_obj.cpp.

References Botan::Public_Key::algo_name(), Botan::DER_SEQUENCE, Botan::IEEE_1363, Botan::OIDS::lookup(), Botan::X509_Object::m_sig_algo, Botan::Public_Key::message_parts(), Botan::AlgorithmIdentifier::oid, Botan::X509_Object::signature(), Botan::split_on(), Botan::X509_Object::tbs_data(), and Botan::PK_Verifier::verify_message().

Referenced by Botan::X509_Object::check_signature().

189  {
190  try {
191  std::vector<std::string> sig_info =
193 
194  if(sig_info.size() != 2 || sig_info[0] != pub_key.algo_name())
195  return false;
196 
197  std::string padding = sig_info[1];
198  Signature_Format format =
199  (pub_key.message_parts() >= 2) ? DER_SEQUENCE : IEEE_1363;
200 
201  PK_Verifier verifier(pub_key, padding, format);
202 
203  return verifier.verify_message(tbs_data(), signature());
204  }
205  catch(std::exception&)
206  {
207  return false;
208  }
209  }
bool Botan::X509_Object::check_signature ( const Public_Key * key) const
inherited

Check the signature on this data

Parameters
key: the public key purportedly used to sign this data. This overload takes ownership of the pointer and deletes it after use, so the caller must not free or reuse it.
Returns
true if the signature is valid, otherwise false

Definition at line 177 of file x509_obj.cpp.

References Botan::X509_Object::check_signature().

bool X509_Object::check_signature(const Public_Key* pub_key) const
   {
   // A missing key is a caller error, not an invalid signature, so it throws
   // instead of returning false.
   if(pub_key == nullptr)
      throw Exception("No key provided for " + m_PEM_label_pref + " signature check");

   // This overload owns pub_key: it is deleted when `owned` leaves scope,
   // whether the reference overload returns normally or throws.
   const std::unique_ptr<const Public_Key> owned(pub_key);
   return this->check_signature(*owned);
   }
Key_Constraints Botan::X509_Certificate::constraints ( ) const

Get the key constraints as defined in the KeyUsage extension of this certificate.

Returns
key constraints

Definition at line 351 of file x509cert.cpp.

References Botan::Data_Store::get1_uint32(), and Botan::NO_CONSTRAINTS.

Referenced by allowed_usage(), has_constraints(), and to_string().

Key_Constraints X509_Certificate::constraints() const
   {
   // NO_CONSTRAINTS is the default when no KeyUsage value was recorded,
   // which callers (allowed_usage, has_constraints) treat as "no extension".
   const uint32_t raw = m_subject.get1_uint32("X509v3.KeyUsage", NO_CONSTRAINTS);
   return static_cast<Key_Constraints>(raw);
   }
std::string Botan::X509_Certificate::crl_distribution_point ( ) const

Return the CRL distribution point, or empty if not set

Definition at line 403 of file x509cert.cpp.

References Botan::Data_Store::get1().

Referenced by to_string().

std::string X509_Certificate::crl_distribution_point() const
   {
   // Empty string when no distribution point was recorded
   const std::string field = "CRL.DistributionPoint";
   return m_subject.get1(field, "");
   }
void Botan::X509_Object::decode_from ( class BER_Decoder & from)
override virtual inherited

Decode a BER encoded X509_Object. See ASN1_Object::decode_from().

Implements Botan::ASN1_Object.

Definition at line 100 of file x509_obj.cpp.

References Botan::BIT_STRING, Botan::BER_Decoder::decode(), Botan::BER_Decoder::end_cons(), Botan::X509_Object::m_sig, Botan::X509_Object::m_sig_algo, Botan::X509_Object::m_tbs_bits, Botan::BER_Decoder::raw_bytes(), Botan::SEQUENCE, and Botan::BER_Decoder::start_cons().

101  {
    // Layout: SEQUENCE { tbs SEQUENCE, signatureAlgorithm, signature BIT STRING }.
    // The inner TBS sequence is captured as raw bytes (m_tbs_bits) rather than
    // parsed here, so the signature check later runs over the bytes as received.
102  from.start_cons(SEQUENCE)
103  .start_cons(SEQUENCE)
104  .raw_bytes(m_tbs_bits)
105  .end_cons()
106  .decode(m_sig_algo)
107  .decode(m_sig, BIT_STRING)
108  .end_cons();
109  }
void Botan::X509_Object::do_decode ( )
protected inherited

Definition at line 231 of file x509_obj.cpp.

References Botan::Exception::what().

Referenced by Botan::PKCS10_Request::PKCS10_Request(), X509_Certificate(), and Botan::X509_CRL::X509_CRL().

void X509_Object::do_decode()
   {
   // Re-wrap decoder failures so the message names the object type (its PEM
   // label); both Decoding_Error and Invalid_Argument surface as Decoding_Error.
   const auto describe = [this](const std::exception& inner) {
      return Decoding_Error(m_PEM_label_pref + " decoding failed (" + inner.what() + ")");
      };

   try
      {
      force_decode();
      }
   catch(Decoding_Error& err)
      {
      throw describe(err);
      }
   catch(Invalid_Argument& err)
      {
      throw describe(err);
      }
   }
void Botan::X509_Object::encode_into ( class DER_Encoder & to) const
override virtual inherited

DER encode an X509_Object. See ASN1_Object::encode_into().

Implements Botan::ASN1_Object.

Definition at line 86 of file x509_obj.cpp.

References Botan::BIT_STRING, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::X509_Object::m_sig, Botan::X509_Object::m_sig_algo, Botan::X509_Object::m_tbs_bits, Botan::DER_Encoder::raw_bytes(), Botan::SEQUENCE, and Botan::DER_Encoder::start_cons().

Referenced by Botan::X509_Object::BER_encode(), and Botan::Certificate_Store_In_SQL::insert_cert().

87  {
    // Mirror of decode_from: SEQUENCE { tbs SEQUENCE, signatureAlgorithm,
    // signature BIT STRING }. The TBS bytes are written back verbatim, so
    // re-encoding reproduces the signed bytes exactly.
88  to.start_cons(SEQUENCE)
89  .start_cons(SEQUENCE)
90  .raw_bytes(m_tbs_bits)
91  .end_cons()
92  .encode(m_sig_algo)
93  .encode(m_sig, BIT_STRING)
94  .end_cons();
95  }
std::string Botan::X509_Certificate::end_time ( ) const

Get the notAfter of the certificate.

Returns
notAfter of the certificate

Definition at line 189 of file x509cert.cpp.

References Botan::Data_Store::get1().

Referenced by to_string().

std::string X509_Certificate::end_time() const
   {
   // notAfter, as recorded by the decoder in the subject data store
   const std::string field = "X509.Certificate.end";
   return m_subject.get1(field);
   }
std::vector< std::string > Botan::X509_Certificate::ex_constraints ( ) const

Get the key constraints as defined in the ExtendedKeyUsage extension of this certificate.

Returns
key constraints

Definition at line 360 of file x509cert.cpp.

References Botan::Data_Store::get().

Referenced by allowed_extended_usage(), has_ex_constraint(), and to_string().

std::vector<std::string> X509_Certificate::ex_constraints() const
   {
   // The stored values are OIDs; lookup_oids maps them to their names
   // (e.g. "PKIX.ServerAuth"), which is what has_ex_constraint() compares against.
   const std::vector<std::string> oids = m_subject.get("X509v3.ExtendedKeyUsage");
   return lookup_oids(oids);
   }
std::string Botan::X509_Certificate::fingerprint ( const std::string &  hash_name = "SHA-1") const
Returns
a fingerprint of the certificate
Parameters
hash_name: the hash function used to calculate the fingerprint. The default is "SHA-1"; where the fingerprint is used to identify or pin a certificate, pass a collision-resistant hash such as "SHA-256".

Definition at line 466 of file x509cert.cpp.

References Botan::X509_Object::BER_encode(), Botan::HashFunction::create(), hash, and Botan::hex_encode().

Referenced by Botan::Certificate_Store_In_SQL::affirm_cert(), Botan::Certificate_Store_In_SQL::find_key(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::Certificate_Store_In_SQL::insert_key(), Botan::Certificate_Store_In_SQL::remove_cert(), and Botan::Certificate_Store_In_SQL::revoke_cert().

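std::string X509_Certificate::fingerprint(const std::string& hash_name) const
   {
   /*
   * Hash of the full BER encoding, rendered as colon-separated uppercase
   * hex byte pairs ("AB:CD:..."). hash_name defaults to "SHA-1" in the
   * declaration; SHA-1 is not collision resistant, so callers that pin or
   * identify certificates by fingerprint should pass "SHA-256" or stronger.
   *
   * Throws Invalid_Argument if no provider implements hash_name:
   * HashFunction::create returns a null pointer in that case, which the
   * previous code dereferenced.
   */
   std::unique_ptr<HashFunction> hash(HashFunction::create(hash_name));
   if(!hash)
      throw Invalid_Argument("X509_Certificate::fingerprint: unknown hash " + hash_name);

   hash->update(this->BER_encode());
   const auto hex_print = hex_encode(hash->final());

   std::string formatted_print;
   formatted_print.reserve(hex_print.size() + hex_print.size() / 2);

   // Emit a ':' before every byte pair except the first
   for(size_t i = 0; i < hex_print.size(); i += 2)
      {
      if(i != 0)
         formatted_print.push_back(':');
      formatted_print.push_back(hex_print[i]);
      formatted_print.push_back(hex_print[i+1]);
      }

   return formatted_print;
   }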
bool Botan::X509_Certificate::has_constraints ( Key_Constraints  constraints) const

Returns true if the specified constraints are included in the key usage extension.

Parameters
constraints: the key constraints to look for

Definition at line 305 of file x509cert.cpp.

References constraints(), and Botan::NO_CONSTRAINTS.

bool X509_Certificate::has_constraints(Key_Constraints constraints) const
   {
   // Unlike allowed_usage(), an absent KeyUsage extension yields false:
   // this asks whether the bits are explicitly present, not whether they
   // are permitted.
   const Key_Constraints present = this->constraints();
   if(present == NO_CONSTRAINTS)
      return false;
   return (present & constraints) != 0;
   }
bool Botan::X509_Certificate::has_ex_constraint ( const std::string &  ex_constraint) const

Returns true if and only if the given extended key constraint is included in the extended key usage extension.

Parameters
ex_constraint: the extended key constraint to look for, e.g. "PKIX.ServerAuth"

Definition at line 315 of file x509cert.cpp.

References ex_constraints().

bool X509_Certificate::has_ex_constraint(const std::string& ex_constraint) const
   {
   // Explicit-presence test: an absent/empty ExtendedKeyUsage extension is
   // "not present", in contrast to allowed_extended_usage() which treats it
   // as "anything goes".
   const std::vector<std::string> present = ex_constraints();
   if(present.empty())
      return false;
   const auto it = std::find(present.begin(), present.end(), ex_constraint);
   return it != present.end();
   }
std::string Botan::X509_Object::hash_used_for_signature ( ) const
inherited
Returns
hash algorithm that was used to generate signature

Definition at line 156 of file x509_obj.cpp.

References Botan::OID::as_string(), Botan::OIDS::lookup(), Botan::X509_Object::m_sig_algo, Botan::AlgorithmIdentifier::oid, Botan::parse_algorithm_name(), and Botan::split_on().

157  {
158  std::vector<std::string> sig_info =
160 
161  if(sig_info.size() != 2)
162  throw Internal_Error("Invalid name format found for " +
164 
165  std::vector<std::string> pad_and_hash =
166  parse_algorithm_name(sig_info[1]);
167 
168  if(pad_and_hash.size() != 2)
169  throw Internal_Error("Invalid name format " + sig_info[1]);
170 
171  return pad_and_hash[1];
172  }
bool Botan::X509_Certificate::is_CA_cert ( ) const

Check whether this certificate is a CA certificate.

Returns
true if this certificate is a CA certificate

Definition at line 252 of file x509cert.cpp.

References allowed_usage(), Botan::Data_Store::get1_uint32(), and Botan::KEY_CERT_SIGN.

Referenced by allowed_usage(), Botan::Cert_Extension::Name_Constraints::validate(), and Botan::X509_CA::X509_CA().

253  {
254  if(!m_subject.get1_uint32("X509v3.BasicConstraints.is_ca"))
255  return false;
256 
258  }
bool Botan::X509_Certificate::is_critical ( const std::string &  ex_name) const

Check whether a given X.509 extension is marked critical in this certificate.

Definition at line 343 of file x509cert.cpp.

References Botan::Data_Store::get1_uint32().

Referenced by Botan::Cert_Extension::Name_Constraints::validate().

bool X509_Certificate::is_critical(const std::string& ex_name) const
   {
   // The decoder records "<extension>.is_critical" per extension; a missing
   // entry reads as 0, i.e. not critical.
   const std::string field = ex_name + ".is_critical";
   return m_subject.get1_uint32(field, 0) != 0;
   }
bool Botan::X509_Certificate::is_self_signed ( ) const
inline

Check whether this certificate is self signed.

Returns
true if this certificate is self signed

Definition at line 158 of file x509cert.h.

// Reports the flag computed when the certificate was decoded (it is
// initialized to false in the constructors; the assignment is not in this
// excerpt).
bool is_self_signed() const
   {
   return m_self_signed;
   }
X509_DN Botan::X509_Certificate::issuer_dn ( ) const

Get the certificate's issuer distinguished name (DN).

Returns
issuer DN of this certificate

Definition at line 432 of file x509cert.cpp.

References Botan::create_dn().

Referenced by Botan::PKIX::build_certificate_path(), Botan::Certificate_Store_In_SQL::find_crl_for(), Botan::Certificate_Store_In_Memory::find_crl_for(), Botan::X509_CRL::is_revoked(), and Botan::OCSP::Request::Request().

X509_DN X509_Certificate::issuer_dn() const
   {
   // Build the DN object from the issuer data store (same helper as subject_dn)
   const Data_Store& store = m_issuer;
   return create_dn(store);
   }
std::vector< std::string > Botan::X509_Certificate::issuer_info ( const std::string &  name) const

Get a value for a specific issuer_info parameter name.

Parameters
name: the name of the parameter to look up. Possible names are "X509.Certificate.v2.key_id" or "X509v3.AuthorityKeyIdentifier".
Returns
value(s) of the specified parameter

Definition at line 207 of file x509cert.cpp.

References Botan::X509_DN::deref_info_field(), and Botan::Data_Store::get().

Referenced by to_string().

std::vector<std::string> X509_Certificate::issuer_info(const std::string& what) const
   {
   // NOTE(review): the declaration names this parameter `name`; the definition uses `what`.
   // deref_info_field resolves short aliases to the data-store key before lookup.
   const std::string key = X509_DN::deref_info_field(what);
   return m_issuer.get(key);
   }
std::vector< uint8_t > Botan::X509_Object::make_signed ( class PK_Signer * signer,
RandomNumberGenerator & rng,
const AlgorithmIdentifier & alg_id,
const secure_vector< uint8_t > &  tbs 
)
static inherited

Create a signed X509 object.

Parameters
signer: the signer used to sign the object
rng: the random number generator to use
alg_id: the algorithm identifier of the signature scheme
tbs: the tbs bits to be signed
Returns
signed X509 object

Definition at line 214 of file x509_obj.cpp.

References Botan::BIT_STRING, Botan::DER_Encoder::encode(), Botan::DER_Encoder::get_contents_unlocked(), Botan::DER_Encoder::raw_bytes(), Botan::SEQUENCE, Botan::PK_Signer::sign_message(), and Botan::DER_Encoder::start_cons().

Referenced by Botan::X509::create_cert_req(), and Botan::X509_CA::make_cert().

218  {
    // Produces SEQUENCE { tbs_bits (verbatim), algo, BIT STRING signature },
    // i.e. the same layout decode_from() / encode_into() expect.
    // NOTE(review): the declaration names these parameters `alg_id` and `tbs`;
    // the definition uses `algo` and `tbs_bits`.
219  return DER_Encoder()
220  .start_cons(SEQUENCE)
221  .raw_bytes(tbs_bits)
222  .encode(algo)
    // The signature is computed over exactly the raw tbs_bits written above
223  .encode(signer->sign_message(tbs_bits, rng), BIT_STRING)
224  .end_cons()
225  .get_contents_unlocked();
226  }
bool Botan::X509_Certificate::matches_dns_name ( const std::string &  name) const

Check if a certain DNS name matches the DNS names in the certificate; the common name is consulted only if no DNS names are present (RFC 6125 section 6.4.4).

Parameters
name: the DNS name to match

Definition at line 486 of file x509cert.cpp.

References Botan::host_wildcard_match(), and subject_info().

bool X509_Certificate::matches_dns_name(const std::string& name) const
   {
   // An empty hostname never matches, even a wildcard entry
   if(name.empty())
      return false;

   // Fall back to CN only if no DNS names are set (RFC 6125 sec 6.4.4)
   std::vector<std::string> issued_names = subject_info("DNS");
   if(issued_names.empty())
      issued_names = subject_info("Name");

   // Wildcard rules are applied by host_wildcard_match; first hit wins
   return std::any_of(issued_names.begin(), issued_names.end(),
                      [&name](const std::string& issued) {
                         return host_wildcard_match(issued, name);
                      });
   }
NameConstraints Botan::X509_Certificate::name_constraints ( ) const

Get the name constraints as defined in the NameConstraints extension of this certificate.

Returns
name constraints

Definition at line 368 of file x509cert.cpp.

References Botan::Data_Store::get().

Referenced by to_string().

NameConstraints X509_Certificate::name_constraints() const
   {
   // Each stored string becomes one GeneralSubtree; permitted is read first,
   // then excluded, as before.
   const auto to_subtrees = [this](const std::string& key) {
      std::vector<GeneralSubtree> out;
      for(const std::string& v : m_subject.get(key))
         out.push_back(GeneralSubtree(v));
      return out;
      };

   std::vector<GeneralSubtree> permit = to_subtrees("X509v3.NameConstraints.permitted");
   std::vector<GeneralSubtree> exclude = to_subtrees("X509v3.NameConstraints.excluded");

   return NameConstraints(std::move(permit), std::move(exclude));
   }
std::string Botan::X509_Certificate::ocsp_responder ( ) const

Return the listed address of an OCSP responder, or empty if not set

Definition at line 398 of file x509cert.cpp.

References Botan::Data_Store::get1().

Referenced by to_string().

std::string X509_Certificate::ocsp_responder() const
   {
   // Empty string when no OCSP responder address was recorded
   const std::string field = "OCSP.responder";
   return m_subject.get1(field, "");
   }
bool Botan::X509_Certificate::operator< ( const X509_Certificate & other) const

Impose an arbitrary (but consistent) ordering

Returns
true if this is less than other by some unspecified criteria

Definition at line 518 of file x509cert.cpp.

References Botan::X509_Object::m_sig, and Botan::X509_Object::m_tbs_bits.

bool X509_Certificate::operator<(const X509_Certificate& other) const
   {
   // Lexicographic order on the signature bytes first, then on the signed
   // (TBS) bytes. Any consistent total order is fine; this one is cheap.
   return std::tie(m_sig, m_tbs_bits) < std::tie(other.m_sig, other.m_tbs_bits);
   }
X509_Certificate& Botan::X509_Certificate::operator= ( const X509_Certificate & other)
default
bool Botan::X509_Certificate::operator== ( const X509_Certificate & other) const

Check two certificates for equality.

Returns
true if both certificates are equal, i.e. their signature, signature algorithm, self-signed flag, issuer data and subject data all match

Definition at line 509 of file x509cert.cpp.

References Botan::X509_Object::m_sig, and Botan::X509_Object::m_sig_algo.

bool X509_Certificate::operator==(const X509_Certificate& other) const
   {
   // Equal when the signature, its algorithm, the self-signed flag and the
   // decoded issuer/subject stores all match. The raw TBS bytes (m_tbs_bits)
   // are not part of the comparison, unlike in operator<.
   if(!(m_sig == other.m_sig))
      return false;
   if(!(m_sig_algo == other.m_sig_algo))
      return false;
   if(m_self_signed != other.m_self_signed)
      return false;
   if(!(m_issuer == other.m_issuer))
      return false;
   return m_subject == other.m_subject;
   }
uint32_t Botan::X509_Certificate::path_limit ( ) const

Get the path limit as defined in the BasicConstraints extension of this certificate.

Returns
path limit

Definition at line 335 of file x509cert.cpp.

References Botan::Data_Store::get1_uint32().

uint32_t X509_Certificate::path_limit() const
   {
   // 0 when BasicConstraints carries no pathLenConstraint
   const std::string field = "X509v3.BasicConstraints.path_constraint";
   return m_subject.get1_uint32(field, 0);
   }
std::string Botan::X509_Object::PEM_encode ( ) const
inherited
Returns
PEM encoding of this

Definition at line 124 of file x509_obj.cpp.

References Botan::X509_Object::BER_encode(), and Botan::PEM_Code::encode().

std::string X509_Object::PEM_encode() const
   {
   // PEM is just the BER/DER bytes wrapped with this object's label
   const std::vector<uint8_t> der = BER_encode();
   return PEM_Code::encode(der, m_PEM_label_pref);
   }
std::vector< std::string > Botan::X509_Certificate::policies ( ) const

Get the policies as defined in the CertificatePolicies extension of this certificate.

Returns
certificate policies

Definition at line 388 of file x509cert.cpp.

References Botan::Data_Store::get().

Referenced by to_string().

std::vector<std::string> X509_Certificate::policies() const
   {
   // Stored as OIDs; lookup_oids maps them to names where known
   const std::vector<std::string> oids = m_subject.get("X509v3.CertificatePolicies");
   return lookup_oids(oids);
   }
std::vector< uint8_t > Botan::X509_Certificate::raw_issuer_dn ( ) const

Raw issuer DN

Definition at line 437 of file x509cert.cpp.

References Botan::Data_Store::get1_memvec().

Referenced by Botan::OCSP::CertID::is_id_for(), and raw_issuer_dn_sha256().

std::vector<uint8_t> X509_Certificate::raw_issuer_dn() const
   {
   // Same key as raw_subject_dn(), but read from the issuer store
   const std::string field = "X509.Certificate.dn_bits";
   return m_issuer.get1_memvec(field);
   }
std::vector< uint8_t > Botan::X509_Certificate::raw_issuer_dn_sha256 ( ) const

SHA-256 of Raw issuer DN

Definition at line 442 of file x509cert.cpp.

References Botan::HashFunction::create(), hash, and raw_issuer_dn().

std::vector<uint8_t> X509_Certificate::raw_issuer_dn_sha256() const
   {
   // NOTE(review): assumes SHA-256 is compiled in; HashFunction::create
   // would otherwise hand back a null pointer that is dereferenced below.
   std::unique_ptr<HashFunction> sha256(HashFunction::create("SHA-256"));
   const std::vector<uint8_t> dn = raw_issuer_dn();
   sha256->update(dn);
   return sha256->final_stdvec();
   }
std::vector< uint8_t > Botan::X509_Certificate::raw_subject_dn ( ) const

Raw subject DN

Definition at line 454 of file x509cert.cpp.

References Botan::Data_Store::get1_memvec().

Referenced by Botan::OCSP::CertID::CertID(), and raw_subject_dn_sha256().

std::vector<uint8_t> X509_Certificate::raw_subject_dn() const
   {
   // Same key as raw_issuer_dn(), but read from the subject store
   const std::string field = "X509.Certificate.dn_bits";
   return m_subject.get1_memvec(field);
   }
std::vector< uint8_t > Botan::X509_Certificate::raw_subject_dn_sha256 ( ) const

SHA-256 of Raw subject DN

Definition at line 459 of file x509cert.cpp.

References Botan::HashFunction::create(), hash, and raw_subject_dn().

std::vector<uint8_t> X509_Certificate::raw_subject_dn_sha256() const
   {
   // NOTE(review): assumes SHA-256 is compiled in; HashFunction::create
   // would otherwise hand back a null pointer that is dereferenced below.
   std::unique_ptr<HashFunction> sha256(HashFunction::create("SHA-256"));
   const std::vector<uint8_t> dn = raw_subject_dn();
   sha256->update(dn);
   return sha256->final_stdvec();
   }
std::vector< uint8_t > Botan::X509_Certificate::serial_number ( ) const

Get the serial number of this certificate.

Returns
the certificate's serial number

Definition at line 427 of file x509cert.cpp.

References Botan::Data_Store::get1_memvec().

Referenced by Botan::CRL_Entry::CRL_Entry(), Botan::OCSP::CertID::is_id_for(), Botan::X509_CRL::is_revoked(), and to_string().

std::vector<uint8_t> X509_Certificate::serial_number() const
   {
   // Raw serial bytes as stored by the decoder
   const std::string field = "X509.Certificate.serial";
   return m_subject.get1_memvec(field);
   }
std::vector< uint8_t > Botan::X509_Object::signature ( ) const
inherited
Returns
signature on tbs_data()

Definition at line 140 of file x509_obj.cpp.

References Botan::X509_Object::m_sig.

Referenced by Botan::X509_Object::check_signature().

std::vector<uint8_t> X509_Object::signature() const
   {
   // Copy of the BIT STRING contents captured by decode_from()
   const std::vector<uint8_t>& sig = m_sig;
   return sig;
   }
AlgorithmIdentifier Botan::X509_Object::signature_algorithm ( ) const
inherited
Returns
signature algorithm that was used to generate signature

Definition at line 148 of file x509_obj.cpp.

References Botan::X509_Object::m_sig_algo.

Referenced by to_string().

AlgorithmIdentifier X509_Object::signature_algorithm() const
   {
   // Copy of the outer signatureAlgorithm captured by decode_from()
   const AlgorithmIdentifier& alg = m_sig_algo;
   return alg;
   }
std::string Botan::X509_Certificate::start_time ( ) const

Get the notBefore of the certificate.

Returns
notBefore of the certificate

Definition at line 181 of file x509cert.cpp.

References Botan::Data_Store::get1().

Referenced by to_string().

std::string X509_Certificate::start_time() const
   {
   // notBefore, as recorded by the decoder in the subject data store
   const std::string field = "X509.Certificate.start";
   return m_subject.get1(field);
   }
X509_DN Botan::X509_Certificate::subject_dn ( ) const

Get the certificate's subject distinguished name (DN).

Returns
subject DN of this certificate

Definition at line 449 of file x509cert.cpp.

References Botan::create_dn().

Referenced by Botan::Certificate_Store::certificate_known(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::GeneralName::matches(), Botan::Certificate_Store_In_SQL::remove_cert(), Botan::OCSP::Request::Request(), and Botan::X509_CA::sign_request().

X509_DN X509_Certificate::subject_dn() const
   {
   // Build the DN object from the subject data store (same helper as issuer_dn)
   const Data_Store& store = m_subject;
   return create_dn(store);
   }
std::vector< std::string > Botan::X509_Certificate::subject_info ( const std::string &  name) const

Get a value for a specific subject_info parameter name.

Parameters
name: the name of the parameter to look up. Possible names are "X509.Certificate.version", "X509.Certificate.serial", "X509.Certificate.start", "X509.Certificate.end", "X509.Certificate.v2.key_id", "X509.Certificate.public_key", "X509v3.BasicConstraints.path_constraint", "X509v3.BasicConstraints.is_ca", "X509v3.NameConstraints", "X509v3.ExtendedKeyUsage", "X509v3.CertificatePolicies", "X509v3.SubjectKeyIdentifier" or "X509.Certificate.serial".
Returns
value(s) of the specified parameter

Definition at line 198 of file x509cert.cpp.

References Botan::X509_DN::deref_info_field(), and Botan::Data_Store::get().

Referenced by Botan::GeneralName::matches(), matches_dns_name(), and to_string().

std::vector<std::string> X509_Certificate::subject_info(const std::string& what) const
   {
   // NOTE(review): the declaration names this parameter `name`; the definition uses `what`.
   // deref_info_field resolves short aliases to the data-store key before lookup.
   const std::string key = X509_DN::deref_info_field(what);
   return m_subject.get(key);
   }
static std::string deref_info_field(const std::string &)
Definition: x509_dn.cpp:119
std::vector< std::string > get(const std::string &) const
Definition: datastor.cpp:50
std::vector< uint8_t > Botan::X509_Certificate::subject_key_id ( ) const

Get the SubjectKeyIdentifier of this certificate.

Returns
the SubjectKeyIdentifier bytes as stored at decode time. Callers such as to_string() treat an empty result as "extension absent" (they check size() before using it).

Definition at line 419 of file x509cert.cpp.

References Botan::Data_Store::get1_memvec().

Referenced by Botan::Certificate_Store::certificate_known(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::Certificate_Store_In_SQL::remove_cert(), Botan::X509_CA::sign_request(), and to_string().

420  {
     // Returned as stored; callers (e.g. to_string()) check size() and treat an
     // empty vector as "no SubjectKeyIdentifier extension".
421  return m_subject.get1_memvec("X509v3.SubjectKeyIdentifier");
422  }
std::vector< uint8_t > get1_memvec(const std::string &) const
Definition: datastor.cpp:92
Public_Key * Botan::X509_Certificate::subject_public_key ( ) const

Get the public key associated with this certificate, parsed from the stored SubjectPublicKeyInfo via X509::load_key().

Returns
a newly allocated Public_Key; the caller takes ownership of the raw pointer and should wrap it in a std::unique_ptr immediately (as to_string() does). This only decodes the key: it does not establish that the certificate is validly signed or trusted.

Definition at line 215 of file x509cert.cpp.

References Botan::X509::load_key(), Botan::ASN1::put_in_sequence(), and subject_public_key_bits().

Referenced by to_string(), Botan::TLS::Certificate_Verify::verify(), and Botan::OCSP::Response::verify_signature().

216  {
217  return X509::load_key(
219  }
Public_Key * load_key(DataSource &source)
Definition: x509_key.cpp:37
std::vector< uint8_t > subject_public_key_bits() const
Definition: x509cert.cpp:221
std::vector< uint8_t > put_in_sequence(const std::vector< uint8_t > &contents)
Definition: asn1_obj.cpp:35
std::vector< uint8_t > Botan::X509_Certificate::subject_public_key_bits ( ) const

Get the raw encoding of this certificate's SubjectPublicKeyInfo: the AlgorithmIdentifier followed by the subjectPublicKey BIT STRING, without the enclosing SEQUENCE (subject_public_key() re-adds it with ASN1::put_in_sequence() before calling X509::load_key()).

Returns
the SubjectPublicKeyInfo contents, hex-decoded from the internal store on every call

Definition at line 221 of file x509cert.cpp.

References Botan::Data_Store::get1(), and Botan::hex_decode().

Referenced by subject_public_key(), and subject_public_key_bitstring().

222  {
     // The key is kept hex-encoded in the Data_Store and decoded on every call.
     // The result is the SubjectPublicKeyInfo contents (AlgorithmIdentifier,
     // BIT STRING) without the outer SEQUENCE: subject_public_key() wraps it
     // with put_in_sequence() before handing it to load_key().
223  return hex_decode(m_subject.get1("X509.Certificate.public_key"));
224  }
std::string get1(const std::string &key) const
Definition: datastor.cpp:62
size_t hex_decode(uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool ignore_ws)
Definition: hex.cpp:49
std::vector< uint8_t > Botan::X509_Certificate::subject_public_key_bitstring ( ) const

Get the contents of the subjectPublicKey BIT STRING of this certificate, i.e. the encoded key without its AlgorithmIdentifier.

Returns
the subjectPublicKey BIT STRING contents; the stored SubjectPublicKeyInfo is re-decoded on every call (no caching)

Definition at line 226 of file x509cert.cpp.

References BER_Decoder, Botan::BIT_STRING, and subject_public_key_bits().

Referenced by Botan::OCSP::CertID::CertID(), Botan::OCSP::CertID::is_id_for(), and subject_public_key_bitstring_sha1().

227  {
228  // TODO: cache this
     // key_bits is the SubjectPublicKeyInfo contents without the outer
     // SEQUENCE, so the decoder reads the AlgorithmIdentifier and the
     // BIT STRING directly.
229  const std::vector<uint8_t> key_bits = subject_public_key_bits();
230 
231  AlgorithmIdentifier public_key_algid;
232  std::vector<uint8_t> public_key_bitstr;
233 
     // The algorithm identifier is decoded only to skip past it; just the
     // BIT STRING contents are returned.
     // NOTE(review): no verify_end() — trailing bytes after the BIT STRING
     // would be silently ignored. The input is the certificate's own parsed
     // data, so this is a robustness note rather than an exposure.
234  BER_Decoder(key_bits)
235  .decode(public_key_algid)
236  .decode(public_key_bitstr, BIT_STRING);
237 
238  return public_key_bitstr;
239  }
friend class BER_Decoder
Definition: x509cert.h:315
std::vector< uint8_t > subject_public_key_bits() const
Definition: x509cert.cpp:221
std::vector< uint8_t > Botan::X509_Certificate::subject_public_key_bitstring_sha1 ( ) const

Get the SHA-1 hash of the subjectPublicKey BIT STRING of this certificate. This is the key-hash form used by OCSP CertID (OCSP::CertID constructs and compares it), which is why the digest is fixed to SHA-1 here.

Returns
the SHA-1 digest of the subject public key bit string. This is a protocol-specific identifier, not a collision-resistant certificate fingerprint; do not base trust decisions on it.

Definition at line 241 of file x509cert.cpp.

References Botan::HashFunction::create(), hash, and subject_public_key_bitstring().

242  {
243  // TODO: cache this value
     // SHA-1 is dictated by the consumer (OCSP CertID, see OCSP::CertID), not
     // a preference. Treat the result as a protocol identifier only; it is not
     // a collision-resistant fingerprint for trust decisions.
244  std::unique_ptr<HashFunction> hash(HashFunction::create("SHA-1"));
     // NOTE(review): the result of create() is dereferenced without a null
     // check — this assumes SHA-1 is always available in the build; confirm.
245  hash->update(this->subject_public_key_bitstring());
246  return hash->final_stdvec();
247  }
std::vector< uint8_t > subject_public_key_bitstring() const
Definition: x509cert.cpp:226
static std::unique_ptr< HashFunction > create(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:93
MechanismType hash
std::vector< uint8_t > Botan::X509_Object::tbs_data ( ) const
inherited

The underlying data that is to be or was signed: the stored TBS bytes re-wrapped in a SEQUENCE with ASN1::put_in_sequence(). This is the input that check_signature() verifies the signature against, so only fields inside it are covered by the signature.

Returns
the DER-encoded to-be-signed data

Definition at line 132 of file x509_obj.cpp.

References Botan::X509_Object::m_tbs_bits, and Botan::ASN1::put_in_sequence().

Referenced by Botan::X509_Object::check_signature().

133  {
135  }
std::vector< uint8_t > m_tbs_bits
Definition: x509_obj.h:110
std::vector< uint8_t > put_in_sequence(const std::vector< uint8_t > &contents)
Definition: asn1_obj.cpp:35
std::string Botan::X509_Certificate::to_string ( ) const
Returns
a multi-line, human-readable description of the certificate: subject and issuer fields, version, validity period, key usage constraints, policies, extended key usage, name constraints, OCSP/CRL pointers, signature algorithm, serial number, key identifiers and the PEM-encoded public key. Field values are written verbatim, with no escaping or length limit, so treat the output as untrusted text if it is shown in a UI or written to a log.

Definition at line 540 of file x509cert.cpp.

References authority_key_id(), constraints(), crl_distribution_point(), Botan::CRL_SIGN, Botan::DATA_ENCIPHERMENT, Botan::DECIPHER_ONLY, Botan::DIGITAL_SIGNATURE, Botan::ENCIPHER_ONLY, end_time(), ex_constraints(), Botan::NameConstraints::excluded(), Botan::hex_encode(), issuer_info(), Botan::KEY_AGREEMENT, Botan::KEY_CERT_SIGN, Botan::KEY_ENCIPHERMENT, Botan::OIDS::lookup(), name_constraints(), Botan::NO_CONSTRAINTS, Botan::NON_REPUDIATION, ocsp_responder(), Botan::X509::PEM_encode(), Botan::NameConstraints::permitted(), policies(), serial_number(), Botan::X509_Object::signature_algorithm(), start_time(), subject_info(), subject_key_id(), subject_public_key(), and x509_version().

541  {
     // Human-readable dump of the certificate, intended for display and
     // debugging. Every field is written exactly as stored: nothing below
     // escapes or truncates certificate-controlled strings, so the output
     // should be treated as untrusted text by anything that renders it.
542  const std::vector<std::string> dn_fields{
543  "Name",
544  "Email",
545  "Organization",
546  "Organizational Unit",
547  "Locality",
548  "State",
549  "Country",
550  "IP",
551  "DNS",
552  "URI",
553  "PKIX.XMPPAddr"
554  };
555 
556  std::ostringstream out;
557 
     // Subject fields first, then issuer fields; each field may have several
     // values and each value gets its own line.
558  for(auto&& field : dn_fields)
559  {
560  for(auto&& val : subject_info(field))
561  {
562  out << "Subject " << field << ": " << val << "\n";
563  }
564  }
565 
566  for(auto&& field : dn_fields)
567  {
568  for(auto&& val : issuer_info(field))
569  {
570  out << "Issuer " << field << ": " << val << "\n";
571  }
572  }
573 
574  out << "Version: " << this->x509_version() << "\n";
575 
     // Validity bounds are printed as stored; no check against "now" is made.
576  out << "Not valid before: " << this->start_time() << "\n";
577  out << "Not valid after: " << this->end_time() << "\n";
578 
579  out << "Constraints:\n";
     // NOTE(review): line 580 is not rendered in this listing. Given the
     // References list (constraints()) and the uses below, it declares the
     // local `constraints` initialised from this->constraints() — confirm
     // against the source file.
581  if(constraints == NO_CONSTRAINTS)
582  out << " None\n";
583  else
584  {
     // Key usage is a bit mask; each set bit is listed on its own line.
585  if(constraints & DIGITAL_SIGNATURE)
586  out << " Digital Signature\n";
587  if(constraints & NON_REPUDIATION)
588  out << " Non-Repudiation\n";
589  if(constraints & KEY_ENCIPHERMENT)
590  out << " Key Encipherment\n";
591  if(constraints & DATA_ENCIPHERMENT)
592  out << " Data Encipherment\n";
593  if(constraints & KEY_AGREEMENT)
594  out << " Key Agreement\n";
595  if(constraints & KEY_CERT_SIGN)
596  out << " Cert Sign\n";
597  if(constraints & CRL_SIGN)
598  out << " CRL Sign\n";
599  if(constraints & ENCIPHER_ONLY)
600  out << " Encipher Only\n";
601  if(constraints & DECIPHER_ONLY)
602  out << " Decipher Only\n";
603  }
604 
605  std::vector<std::string> policies = this->policies();
606  if(!policies.empty())
607  {
608  out << "Policies: " << "\n";
609  for(size_t i = 0; i != policies.size(); i++)
610  out << " " << policies[i] << "\n";
611  }
612 
613  std::vector<std::string> ex_constraints = this->ex_constraints();
614  if(!ex_constraints.empty())
615  {
616  out << "Extended Constraints:\n";
617  for(size_t i = 0; i != ex_constraints.size(); i++)
618  out << " " << ex_constraints[i] << "\n";
619  }
620 
     // Only the base() of each name constraint is shown, all on one line.
621  NameConstraints name_constraints = this->name_constraints();
622  if(!name_constraints.permitted().empty() ||
623  !name_constraints.excluded().empty())
624  {
625  out << "Name Constraints:\n";
626 
627  if(!name_constraints.permitted().empty())
628  {
629  out << " Permit";
630  for(auto st: name_constraints.permitted())
631  {
632  out << " " << st.base();
633  }
634  out << "\n";
635  }
636 
637  if(!name_constraints.excluded().empty())
638  {
639  out << " Exclude";
640  for(auto st: name_constraints.excluded())
641  {
642  out << " " << st.base();
643  }
644  out << "\n";
645  }
646  }
647 
     // Revocation-info pointers are printed only when present. They are
     // certificate-supplied URLs and are not validated here.
648  if(!ocsp_responder().empty())
649  out << "OCSP responder " << ocsp_responder() << "\n";
650  if(!crl_distribution_point().empty())
651  out << "CRL " << crl_distribution_point() << "\n";
652 
653  out << "Signature algorithm: " <<
654  OIDS::lookup(this->signature_algorithm().oid) << "\n";
655 
656  out << "Serial number: " << hex_encode(this->serial_number()) << "\n";
657 
     // Key identifiers are optional extensions; an empty vector means absent.
658  if(this->authority_key_id().size())
659  out << "Authority keyid: " << hex_encode(this->authority_key_id()) << "\n";
660 
661  if(this->subject_key_id().size())
662  out << "Subject keyid: " << hex_encode(this->subject_key_id()) << "\n";
663 
     // subject_public_key() hands back an owning raw pointer; the unique_ptr
     // releases it even if PEM_encode() throws.
664  std::unique_ptr<X509_PublicKey> pubkey(this->subject_public_key());
665  out << "Public Key:\n" << X509::PEM_encode(*pubkey);
666 
667  return out.str();
668  }
std::vector< uint8_t > serial_number() const
Definition: x509cert.cpp:427
std::string ocsp_responder() const
Definition: x509cert.cpp:398
Key_Constraints constraints() const
Definition: x509cert.cpp:351
std::string crl_distribution_point() const
Definition: x509cert.cpp:403
NameConstraints name_constraints() const
Definition: x509cert.cpp:368
std::string end_time() const
Definition: x509cert.cpp:189
std::string lookup(const OID &oid)
Definition: oids.cpp:18
std::string start_time() const
Definition: x509cert.cpp:181
std::string PEM_encode(const Public_Key &key)
Definition: x509_key.cpp:28
uint32_t x509_version() const
Definition: x509cert.cpp:173
std::vector< std::string > policies() const
Definition: x509cert.cpp:388
std::vector< std::string > subject_info(const std::string &name) const
Definition: x509cert.cpp:198
std::vector< std::string > ex_constraints() const
Definition: x509cert.cpp:360
std::vector< uint8_t > subject_key_id() const
Definition: x509cert.cpp:419
std::vector< std::string > issuer_info(const std::string &name) const
Definition: x509cert.cpp:207
Public_Key * subject_public_key() const
Definition: x509cert.cpp:215
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
Definition: hex.cpp:14
std::vector< uint8_t > authority_key_id() const
Definition: x509cert.cpp:411
AlgorithmIdentifier signature_algorithm() const
Definition: x509_obj.cpp:148
Extensions Botan::X509_Certificate::v3_extensions ( ) const

Get all X.509v3 extensions of this certificate.

Returns
a copy of the stored Extensions object (the method returns by value)

Definition at line 393 of file x509cert.cpp.

394  {
     // Returned by value, so callers get a copy of the parsed extensions.
395  return m_v3_extensions;
396  }
uint32_t Botan::X509_Certificate::x509_version ( ) const

Get the X.509 version of this certificate object as a 1-based number (1 for v1, 3 for v3): the stored version integer plus one.

Returns
X.509 version. A certificate with no version field reads as 0 from the store (the default of Data_Store::get1_uint32) and therefore reports version 1, matching the X.509 default.

Definition at line 173 of file x509cert.cpp.

References Botan::Data_Store::get1_uint32().

Referenced by to_string().

174  {
     // The store holds the raw ASN.1 version integer (0 = v1). get1_uint32()
     // defaults to 0 when the key is absent, so a v1 certificate without an
     // explicit version field correctly reports 1.
175  return (m_subject.get1_uint32("X509.Certificate.version") + 1);
176  }
uint32_t get1_uint32(const std::string &, uint32_t=0) const
Definition: datastor.cpp:109

Friends And Related Function Documentation

friend class BER_Decoder
friend

Definition at line 315 of file x509cert.h.

Referenced by subject_public_key_bitstring().

friend class X509_CA
friend

Definition at line 314 of file x509cert.h.

Member Data Documentation

std::vector<uint8_t> Botan::X509_Object::m_sig
protectedinherited
AlgorithmIdentifier Botan::X509_Object::m_sig_algo
protectedinherited
std::vector<uint8_t> Botan::X509_Object::m_tbs_bits
protectedinherited

The documentation for this class was generated from the following files: