Coverage Report

Created: 2021-05-04 09:02

/src/botan/build/include/botan/certstor.h
Line
Count
Source (jump to first uncovered line)
1
/*
2
* Certificate Store
3
* (C) 1999-2010,2013 Jack Lloyd
4
*
5
* Botan is released under the Simplified BSD License (see license.txt)
6
*/
7
8
#ifndef BOTAN_CERT_STORE_H_
9
#define BOTAN_CERT_STORE_H_
10
11
#include <botan/x509cert.h>
12
#include <botan/x509_crl.h>
13
#include <optional>
14
15
namespace Botan {
16
17
/**
18
* Certificate Store Interface
19
*/
20
class BOTAN_PUBLIC_API(2,0) Certificate_Store
21
   {
22
   public:
23
      virtual ~Certificate_Store();
24
25
      /**
26
      * Find a certificate by Subject DN and (optionally) key identifier
27
      * @param subject_dn the subject's distinguished name
28
      * @param key_id an optional key id
29
      * @return a matching certificate or nullopt otherwise
30
      * If more than one certificate in the certificate store matches, then
31
      * a single value is selected arbitrarily.
32
      */
33
      virtual std::optional<X509_Certificate>
34
         find_cert(const X509_DN& subject_dn, const std::vector<uint8_t>& key_id) const;
35
36
      /**
37
      * Find all certificates with a given Subject DN.
38
      * Subject DN and even the key identifier might not be unique.
39
      */
40
      virtual std::vector<X509_Certificate> find_all_certs(
41
         const X509_DN& subject_dn, const std::vector<uint8_t>& key_id) const = 0;
42
43
44
      /**
45
      * Find a certificate by searching for one with a matching SHA-1 hash of
46
      * public key. Used for OCSP.
47
      * @param key_hash SHA-1 hash of the subject's public key
48
      * @return a matching certificate or nullopt otherwise
49
      */
50
      virtual std::optional<X509_Certificate>
51
         find_cert_by_pubkey_sha1(const std::vector<uint8_t>& key_hash) const = 0;
52
53
      /**
54
      * Find a certificate by searching for one with a matching SHA-256 hash of
55
      * raw subject name. Used for OCSP.
56
      * @param subject_hash SHA-256 hash of the subject's raw name
57
      * @return a matching certificate or nullopt otherwise
58
      */
59
      virtual std::optional<X509_Certificate>
60
         find_cert_by_raw_subject_dn_sha256(const std::vector<uint8_t>& subject_hash) const = 0;
61
62
      /**
63
      * Finds a CRL for the given certificate
64
      * @param subject the subject certificate
65
      * @return the CRL for subject or nullopt otherwise
66
      */
67
      virtual std::optional<X509_CRL> find_crl_for(const X509_Certificate& subject) const;
68
69
      /**
70
      * @return whether the certificate is known
71
      * @param cert certififcate to be searched
72
      */
73
      bool certificate_known(const X509_Certificate& cert) const
74
0
         {
75
0
         return find_cert(cert.subject_dn(), cert.subject_key_id()).has_value();
76
0
         }
77
78
      // remove this (used by TLS::Server)
79
      virtual std::vector<X509_DN> all_subjects() const = 0;
80
   };
81
82
/**
83
* In Memory Certificate Store
84
*/
85
class BOTAN_PUBLIC_API(2,0) Certificate_Store_In_Memory final : public Certificate_Store
86
   {
87
   public:
88
      /**
89
      * Attempt to parse all files in dir (including subdirectories)
90
      * as certificates. Ignores errors.
91
      */
92
      explicit Certificate_Store_In_Memory(const std::string& dir);
93
94
      /**
95
      * Adds given certificate to the store.
96
      */
97
      explicit Certificate_Store_In_Memory(const X509_Certificate& cert);
98
99
      /**
100
      * Create an empty store.
101
      */
102
0
      Certificate_Store_In_Memory() = default;
103
104
      /**
105
      * Add a certificate to the store.
106
      * @param cert certificate to be added
107
      */
108
      void add_certificate(const X509_Certificate& cert);
109
110
      /**
111
      * Add a certificate revocation list (CRL) to the store.
112
      * @param crl CRL to be added
113
      */
114
      void add_crl(const X509_CRL& crl);
115
116
      /**
117
      * @return DNs for all certificates managed by the store
118
      */
119
      std::vector<X509_DN> all_subjects() const override;
120
121
      /*
122
      * Find a certificate by Subject DN and (optionally) key identifier
123
      * @return the first certificate that matches
124
      */
125
      std::optional<X509_Certificate> find_cert(
126
         const X509_DN& subject_dn,
127
         const std::vector<uint8_t>& key_id) const override;
128
129
      /*
130
      * Find all certificates with a given Subject DN.
131
      * Subject DN and even the key identifier might not be unique.
132
      */
133
      std::vector<X509_Certificate> find_all_certs(
134
         const X509_DN& subject_dn, const std::vector<uint8_t>& key_id) const override;
135
136
      std::optional<X509_Certificate>
137
         find_cert_by_pubkey_sha1(const std::vector<uint8_t>& key_hash) const override;
138
139
      std::optional<X509_Certificate>
140
         find_cert_by_raw_subject_dn_sha256(const std::vector<uint8_t>& subject_hash) const override;
141
142
      /**
143
      * Finds a CRL for the given certificate
144
      */
145
      std::optional<X509_CRL> find_crl_for(const X509_Certificate& subject) const override;
146
   private:
147
      // TODO: Add indexing on the DN and key id to avoid linear search
148
      std::vector<X509_Certificate> m_certs;
149
      std::vector<X509_CRL> m_crls;
150
   };
151
152
}
153
154
#endif