Botan::Certificate_Store_In_SQL Class Reference

#include <certstor_sql.h>

Inheritance diagram for Botan::Certificate_Store_In_SQL:

Public Member Functions
void	affirm_cert (const X509_Certificate &)
	Reverses the revokation for "cert". More...
std::vector< X509_DN >	all_subjects () const override
bool	certificate_known (const X509_Certificate &cert) const
	Certificate_Store_In_SQL (const std::shared_ptr< SQL_Database > db, const std::string &passwd, RandomNumberGenerator &rng, const std::string &table_prefix="")
std::vector< std::shared_ptr< const X509_Certificate > >	find_all_certs (const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
std::shared_ptr< const X509_Certificate >	find_cert (const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const override
std::shared_ptr< const X509_Certificate >	find_cert_by_pubkey_sha1 (const std::vector< uint8_t > &key_hash) const override
std::shared_ptr< const X509_Certificate >	find_cert_by_raw_subject_dn_sha256 (const std::vector< uint8_t > &subject_hash) const override
std::vector< std::shared_ptr< const X509_Certificate > >	find_certs_for_key (const Private_Key &key) const
	Returns all certificates for private key "key". More...
std::shared_ptr< const X509_CRL >	find_crl_for (const X509_Certificate &issuer) const override
std::shared_ptr< const Private_Key >	find_key (const X509_Certificate &) const
	Returns the private key for "cert" or an empty shared_ptr if none was found. More...
std::vector< X509_CRL >	generate_crls () const
bool	insert_cert (const X509_Certificate &cert)
bool	insert_key (const X509_Certificate &cert, const Private_Key &key)
bool	remove_cert (const X509_Certificate &cert)
void	remove_key (const Private_Key &key)
	Removes "key" from the store. More...
void	revoke_cert (const X509_Certificate &, CRL_Code, const X509_Time &time=X509_Time())
	Marks "cert" as revoked starting from "time". More...

Detailed Description

Certificate and private key store backed by an SQL database.

Definition at line 25 of file certstor_sql.h.

Constructor & Destructor Documentation

Botan::Certificate_Store_In_SQL::Certificate_Store_In_SQL ( const std::shared_ptr< SQL_Database >  db, const std::string &  passwd, RandomNumberGenerator &  rng, const std::string &  table_prefix = ""  )

explicit

Create/open a certificate store.

Parameters

db	underlying database storage
passwd	password to encrypt private keys in the database
rng	used for encrypting keys
table_prefix	optional prefix for db table names

Definition at line 17 of file certstor_sql.cpp.

                                                                                  :
   m_rng(rng),
   m_database(db),
   m_prefix(table_prefix),
   m_password(passwd)
   {
   m_database->create_table("CREATE TABLE IF NOT EXISTS " +
                             m_prefix + "certificates (                \
                                 fingerprint       BLOB PRIMARY KEY,   \
                                 subject_dn        BLOB,               \
                                 key_id            BLOB,               \
                                 priv_fingerprint  BLOB,               \
                                 certificate       BLOB UNIQUE NOT NULL\
                             )");
   m_database->create_table("CREATE TABLE IF NOT EXISTS " + m_prefix + "keys (\
                                 fingerprint BLOB PRIMARY KEY,                \
                                 key         BLOB UNIQUE NOT NULL             \
                             )");
   m_database->create_table("CREATE TABLE IF NOT EXISTS " + m_prefix + "revoked (\
                                 fingerprint BLOB PRIMARY KEY,                   \
                                 reason      BLOB NOT NULL,                      \
                                 time        BLOB NOT NULL                       \
                            )");
   }

Member Function Documentation

void Botan::Certificate_Store_In_SQL::affirm_cert

(

const X509_Certificate &

cert

)

Reverses the revokation for "cert".

Definition at line 291 of file certstor_sql.cpp.

References Botan::X509_Certificate::fingerprint().

   {
   auto stmt = m_database->new_statement("DELETE FROM " + m_prefix + "revoked WHERE fingerprint == ?1");

   stmt->bind(1,cert.fingerprint("SHA-256"));
   stmt->spin();
   }

std::vector< X509_DN > Botan::Certificate_Store_In_SQL::all_subjects ( ) const

overridevirtual

Returns all subject DNs known to the store instance.

Implements Botan::Certificate_Store.

Definition at line 137 of file certstor_sql.cpp.

References Botan::X509_DN::decode_from().

   {
   std::vector<X509_DN> ret;
   auto stmt = m_database->new_statement("SELECT subject_dn FROM " + m_prefix + "certificates");

   while(stmt->step())
      {
      auto blob = stmt->get_blob(0);
      BER_Decoder dec(blob.first,blob.second);
      X509_DN dn;

      dn.decode_from(dec);

      ret.push_back(dn);
      }

   return ret;
   }

bool Botan::Certificate_Store::certificate_known ( const X509_Certificate &  cert ) const

inlineinherited

Returns

whether the certificate is known

Parameters

cert	certififcate to be searched

Definition at line 70 of file certstor.h.

References Botan::X509_Certificate::subject_dn(), and Botan::X509_Certificate::subject_key_id().

         {
         return find_cert(cert.subject_dn(), cert.subject_key_id()) != nullptr;
         }

std::vector< std::shared_ptr< const X509_Certificate > > Botan::Certificate_Store_In_SQL::find_all_certs ( const X509_DN &  subject_dn, const std::vector< uint8_t > &  key_id  ) const

overridevirtual

Find all certificates with a given Subject DN. Subject DN and even the key identifier might not be unique.

Implements Botan::Certificate_Store.

Definition at line 79 of file certstor_sql.cpp.

References Botan::ASN1_Object::BER_encode().

   {
   std::vector<std::shared_ptr<const X509_Certificate>> certs;

   std::shared_ptr<SQL_Database::Statement> stmt;

   const std::vector<uint8_t> dn_encoding = subject_dn.BER_encode();

   if(key_id.empty())
      {
      stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE subject_dn == ?1");
      stmt->bind(1, dn_encoding);
      }
   else
      {
      stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE\
                                        subject_dn == ?1 AND (key_id == NULL OR key_id == ?2)");
      stmt->bind(1, dn_encoding);
      stmt->bind(2, key_id);
      }

   std::shared_ptr<const X509_Certificate> cert;
   while(stmt->step())
      {
      auto blob = stmt->get_blob(0);
      certs.push_back(std::make_shared<X509_Certificate>(
            std::vector<uint8_t>(blob.first,blob.first + blob.second)));
      }

   return certs;
   }

std::shared_ptr< const X509_Certificate > Botan::Certificate_Store_In_SQL::find_cert ( const X509_DN &  subject_dn, const std::vector< uint8_t > &  key_id  ) const

overridevirtual

Returns the first certificate with matching subject DN and optional key ID.

Implements Botan::Certificate_Store.

Definition at line 47 of file certstor_sql.cpp.

References Botan::ASN1_Object::BER_encode().

Referenced by remove_cert().

   {
   std::shared_ptr<SQL_Database::Statement> stmt;

   const std::vector<uint8_t> dn_encoding = subject_dn.BER_encode();

   if(key_id.empty())
      {
      stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE subject_dn == ?1");
      stmt->bind(1, dn_encoding);
      }
   else
      {
      stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE\
                                        subject_dn == ?1 AND (key_id == NULL OR key_id == ?2)");
      stmt->bind(1, dn_encoding);
      stmt->bind(2,key_id);
      }

   std::shared_ptr<const X509_Certificate> cert;
   while(stmt->step())
      {
      auto blob = stmt->get_blob(0);
      cert = std::make_shared<X509_Certificate>(
            std::vector<uint8_t>(blob.first,blob.first + blob.second));

      }

   return cert;
   }

std::shared_ptr< const X509_Certificate > Botan::Certificate_Store_In_SQL::find_cert_by_pubkey_sha1 ( const std::vector< uint8_t > &  key_hash ) const

overridevirtual

Find a certificate by searching for one with a matching SHA-1 hash of public key. Used for OCSP.

Parameters

key_hash

SHA-1 hash of the subject's public key

Returns

a matching certificate or nullptr otherwise

Implements Botan::Certificate_Store.

Definition at line 112 of file certstor_sql.cpp.

   {
   throw Not_Implemented("Certificate_Store_In_SQL::find_cert_by_pubkey_sha1");
   }

std::shared_ptr< const X509_Certificate > Botan::Certificate_Store_In_SQL::find_cert_by_raw_subject_dn_sha256 ( const std::vector< uint8_t > &  subject_hash ) const

overridevirtual

Find a certificate by searching for one with a matching SHA-256 hash of raw subject name. Used for OCSP.

Parameters

subject_hash

SHA-256 hash of the subject's raw name

Returns

a matching certificate or nullptr otherwise

Implements Botan::Certificate_Store.

Definition at line 118 of file certstor_sql.cpp.

   {
   throw Not_Implemented("Certificate_Store_In_SQL::find_cert_by_raw_subject_dn_sha256");
   }

std::vector< std::shared_ptr< const X509_Certificate > > Botan::Certificate_Store_In_SQL::find_certs_for_key

(

const Private_Key &

key

)

const

Returns all certificates for private key "key".

Definition at line 215 of file certstor_sql.cpp.

References Botan::Private_Key::fingerprint_private().

   {
   auto fpr = key.fingerprint_private("SHA-256");
   auto stmt = m_database->new_statement("SELECT certificate FROM " + m_prefix + "certificates WHERE priv_fingerprint == ?1");

   stmt->bind(1,fpr);

   std::vector<std::shared_ptr<const X509_Certificate>> certs;
   while(stmt->step())
      {
      auto blob = stmt->get_blob(0);
      certs.push_back(std::make_shared<X509_Certificate>(
            std::vector<uint8_t>(blob.first,blob.first + blob.second)));
      }

   return certs;
   }

std::shared_ptr< const X509_CRL > Botan::Certificate_Store_In_SQL::find_crl_for ( const X509_Certificate &  issuer ) const

overridevirtual

Generates a CRL for all certificates issued by the given issuer.

Reimplemented from Botan::Certificate_Store.

Definition at line 124 of file certstor_sql.cpp.

References generate_crls(), and Botan::X509_Certificate::issuer_dn().

   {
   auto all_crls = generate_crls();

   for(auto crl: all_crls)
      {
      if(!crl.get_revoked().empty() && crl.issuer_dn() == subject.issuer_dn())
         return std::shared_ptr<X509_CRL>(new X509_CRL(crl));
      }

   return std::shared_ptr<X509_CRL>();
   }

std::shared_ptr< const Private_Key > Botan::Certificate_Store_In_SQL::find_key

(

const X509_Certificate &

cert

)

const

Returns the private key for "cert" or an empty shared_ptr if none was found.

Definition at line 195 of file certstor_sql.cpp.

References Botan::X509_Certificate::fingerprint(), and Botan::PKCS8::load_key().

Referenced by insert_key().

   {
   auto stmt = m_database->new_statement("SELECT key FROM " + m_prefix + "keys "
       "JOIN " + m_prefix + "certificates ON " +
       m_prefix + "keys.fingerprint == " + m_prefix + "certificates.priv_fingerprint "
       "WHERE " + m_prefix + "certificates.fingerprint == ?1");
   stmt->bind(1,cert.fingerprint("SHA-256"));

   std::shared_ptr<const Private_Key> key;
   while(stmt->step())
      {
      auto blob = stmt->get_blob(0);
      DataSource_Memory src(blob.first,blob.second);
      key.reset(PKCS8::load_key(src, m_rng, m_password));
      }

   return key;
   }

std::vector< X509_CRL > Botan::Certificate_Store_In_SQL::generate_crls

(

)

const

Generates Certificate Revocation Lists for all certificates marked as revoked. A CRL is returned for each unique issuer DN.

Definition at line 299 of file certstor_sql.cpp.

Referenced by find_crl_for().

   {
   auto stmt = m_database->new_statement(
         "SELECT certificate,reason,time FROM " + m_prefix + "revoked "
         "JOIN " + m_prefix + "certificates ON " +
         m_prefix + "certificates.fingerprint == " + m_prefix + "revoked.fingerprint");

   std::map<X509_DN,std::vector<CRL_Entry>> crls;
   while(stmt->step())
      {
      auto blob = stmt->get_blob(0);
      auto cert = X509_Certificate(
            std::vector<uint8_t>(blob.first,blob.first + blob.second));
      auto code = static_cast<CRL_Code>(stmt->get_size_t(1));
      auto ent = CRL_Entry(cert,code);

      auto i = crls.find(cert.issuer_dn());
      if(i == crls.end())
         {
         crls.insert(std::make_pair(cert.issuer_dn(),std::vector<CRL_Entry>({ent})));
         }
      else
         {
         i->second.push_back(ent);
         }
      }

   std::vector<X509_CRL> ret;
   X509_Time t(std::chrono::system_clock::now());

   for(auto p: crls)
      {
      ret.push_back(X509_CRL(p.first,t,t,p.second));
      }

   return ret;
   }

bool Botan::Certificate_Store_In_SQL::insert_cert

(

const X509_Certificate &

cert

)

Inserts "cert" into the store, returns false if the certificate is already known and true if insertion was successful.

Definition at line 156 of file certstor_sql.cpp.

References Botan::ASN1_Object::BER_encode(), Botan::X509_Certificate::fingerprint(), Botan::X509_Certificate::subject_dn(), and Botan::X509_Certificate::subject_key_id().

Referenced by insert_key(), and revoke_cert().

   {
   const std::vector<uint8_t> dn_encoding = cert.subject_dn().BER_encode();
   const std::vector<uint8_t> cert_encoding = cert.BER_encode();

   auto stmt = m_database->new_statement("INSERT OR REPLACE INTO " +
                                     m_prefix + "certificates (\
                                         fingerprint,          \
                                         subject_dn,           \
                                         key_id,               \
                                         priv_fingerprint,     \
                                         certificate           \
                                     ) VALUES ( ?1, ?2, ?3, ?4, ?5 )");

   stmt->bind(1,cert.fingerprint("SHA-256"));
   stmt->bind(2,dn_encoding);
   stmt->bind(3,cert.subject_key_id());
   stmt->bind(4,std::vector<uint8_t>());
   stmt->bind(5,cert_encoding);
   stmt->spin();

   return true;
   }

bool Botan::Certificate_Store_In_SQL::insert_key	(	const X509_Certificate &	cert,
		const Private_Key &	key
	)

Inserts "key" for "cert" into the store, returns false if the key is already known and true if insertion was successful.

Definition at line 233 of file certstor_sql.cpp.

References Botan::PKCS8::BER_encode(), find_key(), Botan::X509_Certificate::fingerprint(), Botan::Private_Key::fingerprint_private(), and insert_cert().

                                                                                              {
   insert_cert(cert);

   if(find_key(cert))
      return false;

   auto pkcs8 = PKCS8::BER_encode(key, m_rng, m_password);
   auto fpr = key.fingerprint_private("SHA-256");

   auto stmt1 = m_database->new_statement(
         "INSERT OR REPLACE INTO " + m_prefix + "keys ( fingerprint, key ) VALUES ( ?1, ?2 )");

   stmt1->bind(1,fpr);
   stmt1->bind(2,pkcs8.data(),pkcs8.size());
   stmt1->spin();

   auto stmt2 = m_database->new_statement(
         "UPDATE " + m_prefix + "certificates SET priv_fingerprint = ?1 WHERE fingerprint == ?2");

   stmt2->bind(1,fpr);
   stmt2->bind(2,cert.fingerprint("SHA-256"));
   stmt2->spin();

   return true;
   }

bool Botan::Certificate_Store_In_SQL::remove_cert

(

const X509_Certificate &

cert

)

Removes "cert" from the store. Returns false if the certificate could not be found and true if removal was successful.

Definition at line 181 of file certstor_sql.cpp.

References find_cert(), Botan::X509_Certificate::fingerprint(), Botan::X509_Certificate::subject_dn(), and Botan::X509_Certificate::subject_key_id().

   {
   if(!find_cert(cert.subject_dn(),cert.subject_key_id()))
      return false;

   auto stmt = m_database->new_statement("DELETE FROM " + m_prefix + "certificates WHERE fingerprint == ?1");

   stmt->bind(1,cert.fingerprint("SHA-256"));
   stmt->spin();

   return true;
   }

void Botan::Certificate_Store_In_SQL::remove_key

(

const Private_Key &

key

)

Removes "key" from the store.

Definition at line 259 of file certstor_sql.cpp.

References Botan::Private_Key::fingerprint_private().

   {
   auto fpr = key.fingerprint_private("SHA-256");
   auto stmt = m_database->new_statement("DELETE FROM " + m_prefix + "keys WHERE fingerprint == ?1");

   stmt->bind(1,fpr);
   stmt->spin();
   }

void Botan::Certificate_Store_In_SQL::revoke_cert	(	const X509_Certificate &	cert,
		CRL_Code	code,
		const X509_Time &	time = X509_Time()
	)

Marks "cert" as revoked starting from "time".

Definition at line 269 of file certstor_sql.cpp.

References Botan::ASN1_Object::BER_encode(), Botan::X509_Certificate::fingerprint(), insert_cert(), and Botan::X509_Time::time_is_set().

   {
   insert_cert(cert);

   auto stmt1 = m_database->new_statement(
         "INSERT OR REPLACE INTO " + m_prefix + "revoked ( fingerprint, reason, time ) VALUES ( ?1, ?2, ?3 )");

   stmt1->bind(1,cert.fingerprint("SHA-256"));
   stmt1->bind(2,code);

   if(time.time_is_set())
      {
      stmt1->bind(3, time.BER_encode());
      }
   else
      {
      stmt1->bind(3, static_cast<size_t>(-1));
      }

   stmt1->spin();
   }

---

The documentation for this class was generated from the following files:

• src/lib/x509/certstor_sql/certstor_sql.h
• src/lib/x509/certstor_sql/certstor_sql.cpp