Botan  2.1.0
Crypto and TLS for C++11
x509cert.h
1 /*
2 * X.509 Certificates
3 * (C) 1999-2007,2015 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #ifndef BOTAN_X509_CERTS_H__
9 #define BOTAN_X509_CERTS_H__
10 
11 #include <botan/x509_obj.h>
12 #include <botan/x509_dn.h>
13 #include <botan/x509_key.h>
14 #include <botan/x509_ext.h>
15 #include <botan/asn1_alt_name.h>
16 #include <botan/datastor.h>
17 #include <botan/key_constraint.h>
18 #include <botan/name_constraint.h>
19 #include <map>
20 #include <memory>
21 
22 namespace Botan {
23 
24 enum class Usage_Type
25  {
26  UNSPECIFIED, // no restrictions
31  };
32 
33 /**
34 * This class represents X.509 Certificate
35 */
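class BOTAN_DLL X509_Certificate : public X509_Object
   {
   public:
      /**
      * Get the public key associated with this certificate.
      * NOTE(review): this returns a raw pointer; the caller is expected to take
      * ownership of it (e.g. wrap it in std::unique_ptr<Public_Key>) - confirm
      * against the implementation in x509cert.cpp before relying on that.
      * @return subject public key of this certificate
      */
      Public_Key* subject_public_key() const;

      /**
      * Get the encoded public key associated with this certificate
      * (presumably the SubjectPublicKeyInfo encoding; see x509cert.cpp).
      * Compare subject_public_key_bitstring(), which returns only the
      * bit string of the key.
      * @return encoded subject public key of this certificate
      */
      std::vector<uint8_t> subject_public_key_bits() const;

      /**
      * Get the bit string of the public key associated with this certificate
      * @return subject public key of this certificate
      */
      std::vector<uint8_t> subject_public_key_bitstring() const;

      /**
      * Get the SHA-1 hash of the bit string of the public key associated with
      * this certificate. This is used for OCSP among other protocols; SHA-1 is
      * fixed here by those protocols (it identifies the key, it is not a
      * security claim about the key).
      * @return hash of subject public key of this certificate
      */
      std::vector<uint8_t> subject_public_key_bitstring_sha1() const;

      /**
      * Get the certificate's issuer distinguished name (DN).
      * @return issuer DN of this certificate
      */
      X509_DN issuer_dn() const;

      /**
      * Get the certificate's subject distinguished name (DN).
      * @return subject DN of this certificate
      */
      X509_DN subject_dn() const;

      /**
      * Get a value for a specific subject_info parameter name.
      * @param name the name of the parameter to look up. Possible names are
      * "X509.Certificate.version", "X509.Certificate.serial",
      * "X509.Certificate.start", "X509.Certificate.end",
      * "X509.Certificate.v2.key_id", "X509.Certificate.public_key",
      * "X509v3.BasicConstraints.path_constraint",
      * "X509v3.BasicConstraints.is_ca", "X509v3.NameConstraints",
      * "X509v3.ExtendedKeyUsage", "X509v3.CertificatePolicies" or
      * "X509v3.SubjectKeyIdentifier".
      * @return value(s) of the specified parameter (empty if the parameter
      * is not present)
      */
      std::vector<std::string> subject_info(const std::string& name) const;

      /**
      * Get a value for a specific issuer_info parameter name.
      * @param name the name of the parameter to look up. Possible names are
      * "X509.Certificate.v2.key_id" or "X509v3.AuthorityKeyIdentifier".
      * @return value(s) of the specified parameter (empty if the parameter
      * is not present)
      */
      std::vector<std::string> issuer_info(const std::string& name) const;

      /**
      * Raw (encoded) issuer DN
      * @return the issuer DN as it appears in the certificate encoding
      */
      std::vector<uint8_t> raw_issuer_dn() const;

      /**
      * SHA-256 of the raw issuer DN
      * @return SHA-256 digest of raw_issuer_dn()
      */
      std::vector<uint8_t> raw_issuer_dn_sha256() const;

      /**
      * Raw (encoded) subject DN
      * @return the subject DN as it appears in the certificate encoding
      */
      std::vector<uint8_t> raw_subject_dn() const;

      /**
      * SHA-256 of the raw subject DN
      * @return SHA-256 digest of raw_subject_dn()
      */
      std::vector<uint8_t> raw_subject_dn_sha256() const;

      /**
      * Get the notBefore of the certificate.
      * The value is returned as a string; its exact format is decided by the
      * decoder and is not visible in this header.
      * @return notBefore of the certificate
      */
      std::string start_time() const;

      /**
      * Get the notAfter of the certificate.
      * The value is returned as a string; its exact format is decided by the
      * decoder and is not visible in this header.
      * @return notAfter of the certificate
      */
      std::string end_time() const;

      /**
      * Get the X509 version of this certificate object.
      * @return X509 version
      */
      uint32_t x509_version() const;

      /**
      * Get the serial number of this certificate.
      * @return certificate's serial number
      */
      std::vector<uint8_t> serial_number() const;

      /**
      * Get the DER encoded AuthorityKeyIdentifier of this certificate.
      * @return DER encoded AuthorityKeyIdentifier (empty if not present)
      */
      std::vector<uint8_t> authority_key_id() const;

      /**
      * Get the DER encoded SubjectKeyIdentifier of this certificate.
      * @return DER encoded SubjectKeyIdentifier (empty if not present)
      */
      std::vector<uint8_t> subject_key_id() const;

      /**
      * Check whether this certificate is self signed.
      * NOTE(review): the flag is computed in force_decode(); whether it is
      * based on a subject/issuer DN comparison only, or also on a signature
      * check, is not visible here - confirm before treating it as proof that
      * the certificate was signed by its own key.
      * @return true if this certificate is self signed
      */
      bool is_self_signed() const { return m_self_signed; }

      /**
      * Check whether this certificate is a CA certificate.
      * @return true if this certificate is a CA certificate
      */
      bool is_CA_cert() const;

      /**
      * Returns true if the specified @param usage is set in the key usage extension
      * or if no key usage constraints are set at all.
      * Note the permissive default: a certificate without a KeyUsage extension
      * is allowed any usage. Callers that require the extension to be present
      * should combine this with has_constraints().
      * To check if a certain key constraint is set in the certificate
      * use @see X509_Certificate#has_constraints.
      */
      bool allowed_usage(Key_Constraints usage) const;

      /**
      * Returns true if the specified @param usage is set in the extended key usage extension
      * or if no extended key usage constraints are set at all.
      * Note the permissive default: a certificate without an ExtendedKeyUsage
      * extension is allowed any extended usage. Callers that require the
      * extension to be present should combine this with has_ex_constraint().
      * To check if a certain extended key constraint is set in the certificate
      * use @see X509_Certificate#has_ex_constraint.
      */
      bool allowed_extended_usage(const std::string& usage) const;

      /**
      * Returns true if the required key and extended key constraints are set in the certificate
      * for the specified @param usage or if no key constraints are set in both the key usage
      * and extended key usage extension.
      */
      bool allowed_usage(Usage_Type usage) const;

      /// Returns true if the specified @param constraints are included in the key usage extension.
      bool has_constraints(Key_Constraints constraints) const;

      /**
      * Returns true if and only if @param ex_constraint (referring to an extended key
      * constraint, eg "PKIX.ServerAuth") is included in the extended
      * key usage extension.
      */
      bool has_ex_constraint(const std::string& ex_constraint) const;

      /**
      * Get the path limit as defined in the BasicConstraints extension of
      * this certificate.
      * @return path limit
      */
      uint32_t path_limit() const;

      /**
      * Check whether a given X509 Extension is marked critical in this
      * certificate.
      * @param ex_name name of the extension to look up
      * @return true if the extension is present and marked critical
      */
      bool is_critical(const std::string& ex_name) const;

      /**
      * Get the key constraints as defined in the KeyUsage extension of this
      * certificate.
      * @return key constraints
      */
      Key_Constraints constraints() const;

      /**
      * Get the key constraints as defined in the ExtendedKeyUsage
      * extension of this certificate.
      * @return extended key usage constraints
      */
      std::vector<std::string> ex_constraints() const;

      /**
      * Get the name constraints as defined in the NameConstraints
      * extension of this certificate.
      * @return name constraints
      */
      NameConstraints name_constraints() const;

      /**
      * Get the policies as defined in the CertificatePolicies extension
      * of this certificate.
      * @return certificate policies
      */
      std::vector<std::string> policies() const;

      /**
      * Get all extensions of this certificate.
      * @return certificate extensions
      */
      Extensions v3_extensions() const;

      /**
      * Return the listed address of an OCSP responder, or empty if not set.
      * The value comes from the certificate and is attacker-controlled input
      * from the point of view of a client that fetches it.
      */
      std::string ocsp_responder() const;

      /**
      * Return the CRL distribution point, or empty if not set.
      * The value comes from the certificate and is attacker-controlled input
      * from the point of view of a client that fetches it.
      */
      std::string crl_distribution_point() const;

      /**
      * @return a string describing the certificate
      */
      std::string to_string() const;

      /**
      * @return a fingerprint of the certificate
      * @param hash_name hash function used to calculate the fingerprint.
      * The default is "SHA-1" (kept for compatibility with existing callers);
      * where the fingerprint must be collision resistant, pass "SHA-256".
      */
      std::string fingerprint(const std::string& hash_name = "SHA-1") const;

      /**
      * Check if a certain DNS name matches up with the information in
      * the cert
      * NOTE(review): which fields are consulted (SAN vs. CN) and how wildcards
      * are handled is decided in x509cert.cpp, not visible here.
      * @param name DNS name to match
      * @return true if the name matches
      */
      bool matches_dns_name(const std::string& name) const;

      /**
      * Check two certificates for equality.
      * @return true if both certificates are (binary) equal
      */
      bool operator==(const X509_Certificate& other) const;

      /**
      * Impose an arbitrary (but consistent) ordering
      * @return true if this is less than other by some unspecified criteria
      */
      bool operator<(const X509_Certificate& other) const;

      /**
      * Create a certificate from a data source providing the DER or
      * PEM encoded certificate.
      * Malformed input is reported by the decoder (force_decode()); the
      * exception type is not visible in this header.
      * @param source the data source
      */
      explicit X509_Certificate(DataSource& source);

#if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
      /**
      * Create a certificate from a file containing the DER or PEM
      * encoded certificate.
      * @param filename the name of the certificate file
      */
      explicit X509_Certificate(const std::string& filename);
#endif

      /**
      * Create a certificate from a buffer
      * @param in the buffer containing the DER-encoded certificate
      */
      explicit X509_Certificate(const std::vector<uint8_t>& in);

      X509_Certificate(const X509_Certificate& other) = default;

      X509_Certificate& operator=(const X509_Certificate& other) = default;

   private:
      // Populates m_subject, m_issuer, m_self_signed and m_v3_extensions
      // from the decoded X509_Object body.
      void force_decode() override;
      friend class X509_CA;
      friend class BER_Decoder;

      // Only friends build an empty certificate; force_decode() fills it in.
      X509_Certificate() = default;

      Data_Store m_subject, m_issuer;
      // Initialized so an instance created through the private default
      // constructor never reports an indeterminate value from
      // is_self_signed() before force_decode() has run.
      bool m_self_signed = false;
      Extensions m_v3_extensions;
   };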
323 
/**
* Check two certificates for inequality
* (presumably the negation of X509_Certificate::operator==).
* @param cert1 The first certificate
* @param cert2 The second certificate
* @return true if the arguments represent different certificates,
* false if they are binary identical
*/
BOTAN_DLL bool operator!=(const X509_Certificate& cert1, const X509_Certificate& cert2);

/*
* Data Store Extraction Operations
*/

/**
* Create and populate a X509_DN
* @param info data store containing DN information
* @return DN containing attributes from data store
*/
BOTAN_DLL X509_DN create_dn(const Data_Store& info);

/**
* Create and populate an AlternativeName
* @param info data store containing AlternativeName information
* @return AlternativeName containing attributes from data store
*/
BOTAN_DLL AlternativeName create_alt_name(const Data_Store& info);
350 
351 }
352 
353 #endif