Botan 2.19.5
Crypto and TLS for C&
Public Member Functions | Static Public Member Functions | Protected Member Functions | List of all members
Botan::X509_Certificate Class Reference

#include <x509cert.h>

Inheritance diagram for Botan::X509_Certificate:
Botan::X509_Object Botan::ASN1_Object

Public Member Functions

bool allowed_extended_usage (const OID &usage) const
 
bool allowed_extended_usage (const std::string &usage) const
 
bool allowed_usage (Key_Constraints usage) const
 
bool allowed_usage (Usage_Type usage) const
 
const std::vector< uint8_t > & authority_key_id () const
 
std::vector< uint8_t > BER_encode () const
 
std::vector< std::string > ca_issuers () const
 
const std::vector< OID > & certificate_policy_oids () const
 
bool check_signature (const Public_Key &key) const
 
bool check_signature (const Public_Key *key) const
 
Key_Constraints constraints () const
 
std::string crl_distribution_point () const
 
void decode_from (class BER_Decoder &from) override
 
void encode_into (class DER_Encoder &to) const override
 
std::string end_time () const
 
std::vector< std::string > ex_constraints () const
 
const std::vector< OID > & extended_key_usage () const
 
std::string fingerprint (const std::string &hash_name="SHA-1") const
 
bool has_constraints (Key_Constraints constraints) const
 
bool has_ex_constraint (const OID &ex_constraint) const
 
bool has_ex_constraint (const std::string &ex_constraint) const
 
std::string hash_used_for_signature () const
 
bool is_CA_cert () const
 
bool is_critical (const std::string &ex_name) const
 
bool is_self_signed () const
 
bool is_serial_negative () const
 
const AlternativeNameissuer_alt_name () const
 
const X509_DNissuer_dn () const
 
std::vector< std::string > issuer_info (const std::string &name) const
 
std::unique_ptr< Public_Keyload_subject_public_key () const
 
bool matches_dns_name (const std::string &name) const
 
const NameConstraintsname_constraints () const
 
const X509_Timenot_after () const
 
const X509_Timenot_before () const
 
std::string ocsp_responder () const
 
bool operator< (const X509_Certificate &other) const
 
X509_Certificateoperator= (const X509_Certificate &other)=default
 
bool operator== (const X509_Certificate &other) const
 
uint32_t path_limit () const
 
std::string PEM_encode () const
 
std::vector< std::string > policies () const
 
const std::vector< uint8_t > & raw_issuer_dn () const
 
std::vector< uint8_t > raw_issuer_dn_sha256 () const
 
const std::vector< uint8_t > & raw_subject_dn () const
 
std::vector< uint8_t > raw_subject_dn_sha256 () const
 
const std::vector< uint8_t > & serial_number () const
 
const std::vector< uint8_t > & signature () const
 
const AlgorithmIdentifiersignature_algorithm () const
 
const std::vector< uint8_t > & signed_body () const
 
std::string start_time () const
 
const AlternativeNamesubject_alt_name () const
 
const X509_DNsubject_dn () const
 
std::vector< std::string > subject_info (const std::string &name) const
 
const std::vector< uint8_t > & subject_key_id () const
 
Public_Keysubject_public_key () const
 
const AlgorithmIdentifiersubject_public_key_algo () const
 
const std::vector< uint8_t > & subject_public_key_bits () const
 
const std::vector< uint8_t > & subject_public_key_bitstring () const
 
const std::vector< uint8_t > & subject_public_key_bitstring_sha1 () const
 
const std::vector< uint8_t > & subject_public_key_info () const
 
std::vector< uint8_t > tbs_data () const
 
std::string to_string () const
 
const std::vector< uint8_t > & v2_issuer_key_id () const
 
const std::vector< uint8_t > & v2_subject_key_id () const
 
const Extensionsv3_extensions () const
 
Certificate_Status_Code verify_signature (const Public_Key &key) const
 
 X509_Certificate ()=default
 
 X509_Certificate (const std::vector< uint8_t > &in)
 
 X509_Certificate (const uint8_t data[], size_t length)
 
 X509_Certificate (const X509_Certificate &other)=default
 
 X509_Certificate (DataSource &source)
 
uint32_t x509_version () const
 

Static Public Member Functions

static std::unique_ptr< PK_Signerchoose_sig_format (AlgorithmIdentifier &sig_algo, const Private_Key &key, RandomNumberGenerator &rng, const std::string &hash_fn, const std::string &padding_algo)
 
static std::vector< uint8_t > make_signed (class PK_Signer *signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &tbs)
 

Protected Member Functions

void load_data (DataSource &src)
 

Detailed Description

This class represents an X.509 Certificate

Definition at line 37 of file x509cert.h.

Constructor & Destructor Documentation

◆ X509_Certificate() [1/5]

Botan::X509_Certificate::X509_Certificate ( DataSource source)
explicit

Create a certificate from a data source providing the DER or PEM encoded certificate.

Parameters
sourcethe data source

Definition at line 86 of file x509cert.cpp.

87 {
88 load_data(src);
89 }
void load_data(DataSource &src)
Definition x509_obj.cpp:52

References Botan::X509_Object::load_data().

◆ X509_Certificate() [2/5]

Botan::X509_Certificate::X509_Certificate ( const std::vector< uint8_t > &  in)
explicit

Create a certificate from a buffer

Parameters
inthe buffer containing the DER-encoded certificate

Definition at line 91 of file x509cert.cpp.

92 {
93 DataSource_Memory src(vec.data(), vec.size());
94 load_data(src);
95 }

References Botan::X509_Object::load_data().

◆ X509_Certificate() [3/5]

Botan::X509_Certificate::X509_Certificate ( const uint8_t  data[],
size_t  length 
)

Create a certificate from a buffer

Parameters
datathe buffer containing the DER-encoded certificate
lengthlength of data in bytes

Definition at line 97 of file x509cert.cpp.

98 {
99 DataSource_Memory src(data, len);
100 load_data(src);
101 }

References Botan::X509_Object::load_data().

◆ X509_Certificate() [4/5]

Botan::X509_Certificate::X509_Certificate ( )
default

Create an uninitialized certificate object. Any attempts to access this object will throw an exception.

◆ X509_Certificate() [5/5]

Botan::X509_Certificate::X509_Certificate ( const X509_Certificate other)
default

Member Function Documentation

◆ allowed_extended_usage() [1/2]

bool Botan::X509_Certificate::allowed_extended_usage ( const OID usage) const

Returns true if the specified usage is set in the extended key usage extension, or if no extended key usage constraints are set at all. To check if a certain extended key constraint is set in the certificate use

See also
X509_Certificate::has_ex_constraint.

Definition at line 545 of file x509cert.cpp.

546 {
547 const std::vector<OID>& ex = extended_key_usage();
548 if(ex.empty())
549 return true;
550
551 if(std::find(ex.begin(), ex.end(), usage) != ex.end())
552 return true;
553
554 return false;
555 }
const std::vector< OID > & extended_key_usage() const
Definition x509cert.cpp:513

References extended_key_usage().

◆ allowed_extended_usage() [2/2]

bool Botan::X509_Certificate::allowed_extended_usage ( const std::string &  usage) const

Returns true if the specified

Parameters
usageis set in the extended key usage extension or if no extended key usage constraints are set at all. To check if a certain extended key constraint is set in the certificate use
See also
X509_Certificate::has_ex_constraint.

Definition at line 540 of file x509cert.cpp.

541 {
543 }
static OID from_string(const std::string &str)
Definition asn1_oid.cpp:62
bool allowed_extended_usage(const std::string &usage) const
Definition x509cert.cpp:540

References allowed_extended_usage(), and Botan::OID::from_string().

Referenced by allowed_extended_usage(), and allowed_usage().

◆ allowed_usage() [1/2]

bool Botan::X509_Certificate::allowed_usage ( Key_Constraints  usage) const

Returns true if the specified

Parameters
usageis set in the key usage extension or if no key usage constraints are set at all. To check if a certain key constraint is set in the certificate use
See also
X509_Certificate::has_constraints.

Definition at line 533 of file x509cert.cpp.

534 {
536 return true;
537 return ((constraints() & usage) == usage);
538 }
Key_Constraints constraints() const
Definition x509cert.cpp:508
@ NO_CONSTRAINTS
Definition pkix_enums.h:107

References constraints(), and Botan::NO_CONSTRAINTS.

Referenced by allowed_usage().

◆ allowed_usage() [2/2]

bool Botan::X509_Certificate::allowed_usage ( Usage_Type  usage) const

Returns true if the required key and extended key constraints are set in the certificate for the specified

Parameters
usageor if no key constraints are set in both the key usage and extended key usage extension.

Definition at line 557 of file x509cert.cpp.

558 {
559 // These follow suggestions in RFC 5280 4.2.1.12
560
561 switch(usage)
562 {
564 return true;
565
568
571
574
576 return is_CA_cert();
577
580 }
581
582 return false;
583 }
bool is_CA_cert() const
Definition x509cert.cpp:492
bool allowed_usage(Key_Constraints usage) const
Definition x509cert.cpp:533
@ DATA_ENCIPHERMENT
Definition pkix_enums.h:111
@ DIGITAL_SIGNATURE
Definition pkix_enums.h:108
@ KEY_AGREEMENT
Definition pkix_enums.h:112
@ KEY_ENCIPHERMENT
Definition pkix_enums.h:110
@ NON_REPUDIATION
Definition pkix_enums.h:109

References allowed_extended_usage(), allowed_usage(), Botan::CERTIFICATE_AUTHORITY, Botan::DATA_ENCIPHERMENT, Botan::DIGITAL_SIGNATURE, Botan::ENCRYPTION, is_CA_cert(), Botan::KEY_AGREEMENT, Botan::KEY_ENCIPHERMENT, Botan::NON_REPUDIATION, Botan::OCSP_RESPONDER, Botan::TLS_CLIENT_AUTH, Botan::TLS_SERVER_AUTH, and Botan::UNSPECIFIED.

◆ authority_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::authority_key_id ( ) const

Get the DER encoded AuthorityKeyIdentifier of this certificate.

Returns
DER encoded AuthorityKeyIdentifier

Definition at line 451 of file x509cert.cpp.

452 {
453 return data().m_authority_key_id;
454 }

Referenced by Botan::Certificate_Store_In_Memory::find_crl_for(), Botan::X509_CRL::is_revoked(), issuer_info(), and to_string().

◆ BER_encode()

std::vector< uint8_t > Botan::ASN1_Object::BER_encode ( ) const
inherited

Return the encoding of this object. This is a convenience method when just one object needs to be serialized. Use DER_Encoder for complicated encodings.

Definition at line 16 of file asn1_obj.cpp.

17 {
18 std::vector<uint8_t> output;
19 DER_Encoder der(output);
20 this->encode_into(der);
21 return output;
22 }
virtual void encode_into(DER_Encoder &to) const =0

References Botan::ASN1_Object::encode_into().

Referenced by Botan::PSSR::config_for_x509(), Botan::Certificate_Store_In_SQL::find_all_certs(), Botan::Certificate_Store_In_SQL::find_cert(), fingerprint(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::X509_Object::PEM_encode(), and Botan::Certificate_Store_In_SQL::revoke_cert().

◆ ca_issuers()

std::vector< std::string > Botan::X509_Certificate::ca_issuers ( ) const

Return the listed addresses of ca issuers, or empty if not set

Definition at line 619 of file x509cert.cpp.

620 {
621 return data().m_ca_issuers;
622 }

Referenced by to_string().

◆ certificate_policy_oids()

const std::vector< OID > & Botan::X509_Certificate::certificate_policy_oids ( ) const

Definition at line 518 of file x509cert.cpp.

519 {
520 return data().m_cert_policies;
521 }

Referenced by policies(), and to_string().

◆ check_signature() [1/2]

bool Botan::X509_Object::check_signature ( const Public_Key key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data
Returns
true if the signature is valid, otherwise false

Definition at line 178 of file x509_obj.cpp.

179 {
180 const Certificate_Status_Code code = verify_signature(pub_key);
181 return (code == Certificate_Status_Code::VERIFIED);
182 }
Certificate_Status_Code verify_signature(const Public_Key &key) const
Definition x509_obj.cpp:184
Certificate_Status_Code
Definition pkix_enums.h:17

References Botan::VERIFIED, and Botan::X509_Object::verify_signature().

Referenced by Botan::X509_Object::check_signature().

◆ check_signature() [2/2]

bool Botan::X509_Object::check_signature ( const Public_Key key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data the object will be deleted after use (this should have been a std::unique_ptr<Public_Key>)
Returns
true if the signature is valid, otherwise false

Definition at line 170 of file x509_obj.cpp.

171 {
172 if(!pub_key)
173 throw Invalid_Argument("No key provided for " + PEM_label() + " signature check");
174 std::unique_ptr<const Public_Key> key(pub_key);
175 return check_signature(*key);
176 }
virtual std::string PEM_label() const =0
bool check_signature(const Public_Key &key) const
Definition x509_obj.cpp:178

References Botan::X509_Object::check_signature(), and Botan::X509_Object::PEM_label().

◆ choose_sig_format()

std::unique_ptr< PK_Signer > Botan::X509_Object::choose_sig_format ( AlgorithmIdentifier sig_algo,
const Private_Key key,
RandomNumberGenerator rng,
const std::string &  hash_fn,
const std::string &  padding_algo 
)
staticinherited

Definition at line 411 of file x509_obj.cpp.

416 {
417 const Signature_Format format = key.default_x509_signature_format();
418
419 const std::string emsa = choose_sig_algo(sig_algo, key, hash_fn, padding_algo);
420
421 return std::unique_ptr<PK_Signer>(new PK_Signer(key, rng, emsa, format));
422 }
Signature_Format
Definition pk_keys.h:23

References Botan::Public_Key::default_x509_signature_format().

Referenced by Botan::choose_sig_format(), Botan::choose_sig_format(), and Botan::PKCS10_Request::create().

◆ constraints()

Key_Constraints Botan::X509_Certificate::constraints ( ) const

Get the key constraints as defined in the KeyUsage extension of this certificate.

Returns
key constraints

Definition at line 508 of file x509cert.cpp.

509 {
510 return data().m_key_constraints;
511 }

Referenced by allowed_usage(), has_constraints(), and to_string().

◆ crl_distribution_point()

std::string Botan::X509_Certificate::crl_distribution_point ( ) const

Return the CRL distribution point, or empty if not set

Definition at line 624 of file x509cert.cpp.

625 {
626 // just returns the first (arbitrarily)
627 if(data().m_crl_distribution_points.size() > 0)
628 return data().m_crl_distribution_points[0];
629 return "";
630 }

Referenced by to_string().

◆ decode_from()

void Botan::X509_Object::decode_from ( class BER_Decoder from)
overridevirtualinherited

Decode a BER encoded X509_Object See ASN1_Object::decode_from()

Implements Botan::ASN1_Object.

Definition at line 106 of file x509_obj.cpp.

107 {
108 from.start_cons(SEQUENCE)
109 .start_cons(SEQUENCE)
110 .raw_bytes(m_tbs_bits)
111 .end_cons()
112 .decode(m_sig_algo)
113 .decode(m_sig, BIT_STRING)
114 .end_cons();
115
116 force_decode();
117 }
@ BIT_STRING
Definition asn1_obj.h:37
@ SEQUENCE
Definition asn1_obj.h:42

References Botan::BIT_STRING, Botan::BER_Decoder::decode(), Botan::BER_Decoder::end_cons(), Botan::BER_Decoder::raw_bytes(), Botan::SEQUENCE, and Botan::BER_Decoder::start_cons().

Referenced by Botan::X509_Object::load_data().

◆ encode_into()

void Botan::X509_Object::encode_into ( class DER_Encoder to) const
overridevirtualinherited

DER encode an X509_Object See ASN1_Object::encode_into()

Implements Botan::ASN1_Object.

Definition at line 92 of file x509_obj.cpp.

93 {
94 to.start_cons(SEQUENCE)
95 .start_cons(SEQUENCE)
96 .raw_bytes(signed_body())
97 .end_cons()
98 .encode(signature_algorithm())
99 .encode(signature(), BIT_STRING)
100 .end_cons();
101 }
const std::vector< uint8_t > & signed_body() const
Definition x509_obj.h:42
const AlgorithmIdentifier & signature_algorithm() const
Definition x509_obj.h:47
const std::vector< uint8_t > & signature() const
Definition x509_obj.h:37

References Botan::BIT_STRING, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), Botan::SEQUENCE, Botan::X509_Object::signature(), Botan::X509_Object::signature_algorithm(), Botan::X509_Object::signed_body(), and Botan::DER_Encoder::start_cons().

◆ end_time()

std::string Botan::X509_Certificate::end_time ( ) const
inline

Get the notAfter of the certificate as a string

Returns
notAfter of the certificate

Definition at line 163 of file x509cert.h.

164 {
165 return not_after().to_string();
166 }
std::string to_string() const
Return an internal string representation of the time.
Definition asn1_time.cpp:53
const X509_Time & not_after() const
Definition x509cert.cpp:408

◆ ex_constraints()

std::vector< std::string > Botan::X509_Certificate::ex_constraints ( ) const

Get the key constraints as defined in the ExtendedKeyUsage extension of this certificate.

Returns
key constraints

Definition at line 755 of file x509cert.cpp.

756 {
757 return lookup_oids(extended_key_usage());
758 }

References extended_key_usage().

Referenced by to_string().

◆ extended_key_usage()

const std::vector< OID > & Botan::X509_Certificate::extended_key_usage ( ) const

Get the key usage as defined in the ExtendedKeyUsage extension of this certificate, or else an empty vector.

Returns
key usage

Definition at line 513 of file x509cert.cpp.

514 {
515 return data().m_extended_key_usage;
516 }

Referenced by allowed_extended_usage(), ex_constraints(), has_ex_constraint(), and to_string().

◆ fingerprint()

std::string Botan::X509_Certificate::fingerprint ( const std::string &  hash_name = "SHA-1") const
Returns
a fingerprint of the certificate
Parameters
hash_namehash function used to calculate the fingerprint

Definition at line 768 of file x509cert.cpp.

769 {
770 /*
771 * The SHA-1 and SHA-256 fingerprints are precomputed since these
772 * are the most commonly used. Especially, SHA-256 fingerprints are
773 * used for cycle detection during path construction.
774 *
775 * If SHA-1 or SHA-256 was missing at parsing time the vectors are
776 * left empty in which case we fall back to create_hex_fingerprint
777 * which will throw if the hash is unavailable.
778 */
779 if(hash_name == "SHA-256" && data().m_fingerprint_sha256.size() > 0)
780 return data().m_fingerprint_sha256;
781 else if(hash_name == "SHA-1" && data().m_fingerprint_sha1.size() > 0)
782 return data().m_fingerprint_sha1;
783 else
784 return create_hex_fingerprint(this->BER_encode(), hash_name);
785 }
std::vector< uint8_t > BER_encode() const
Definition asn1_obj.cpp:16
std::string create_hex_fingerprint(const uint8_t bits[], size_t bits_len, const std::string &hash_name)
Definition pk_keys.cpp:17

References Botan::ASN1_Object::BER_encode(), and Botan::create_hex_fingerprint().

Referenced by Botan::Certificate_Store_In_SQL::affirm_cert(), Botan::Certificate_Store_In_SQL::find_key(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::Certificate_Store_In_SQL::insert_key(), Botan::Certificate_Store_In_SQL::remove_cert(), and Botan::Certificate_Store_In_SQL::revoke_cert().

◆ has_constraints()

bool Botan::X509_Certificate::has_constraints ( Key_Constraints  constraints) const

Returns true if the specified

Parameters
constraintsare included in the key usage extension.

Definition at line 585 of file x509cert.cpp.

586 {
587 if(this->constraints() == NO_CONSTRAINTS)
588 {
589 return false;
590 }
591
592 return ((this->constraints() & constraints) != 0);
593 }

References constraints(), and Botan::NO_CONSTRAINTS.

◆ has_ex_constraint() [1/2]

bool Botan::X509_Certificate::has_ex_constraint ( const OID ex_constraint) const

Returns true if and only if OID

Parameters
ex_constraintis included in the extended key extension.

Definition at line 600 of file x509cert.cpp.

601 {
602 const std::vector<OID>& ex = extended_key_usage();
603 return (std::find(ex.begin(), ex.end(), usage) != ex.end());
604 }

References extended_key_usage().

◆ has_ex_constraint() [2/2]

bool Botan::X509_Certificate::has_ex_constraint ( const std::string &  ex_constraint) const

Returns true if and only if

Parameters
ex_constraint(referring to an extended key constraint, eg "PKIX.ServerAuth") is included in the extended key extension.

Definition at line 595 of file x509cert.cpp.

596 {
597 return has_ex_constraint(OID::from_string(ex_constraint));
598 }
bool has_ex_constraint(const std::string &ex_constraint) const
Definition x509cert.cpp:595

References Botan::OID::from_string(), and has_ex_constraint().

Referenced by has_ex_constraint().

◆ hash_used_for_signature()

std::string Botan::X509_Object::hash_used_for_signature ( ) const
inherited
Returns
hash algorithm that was used to generate signature

Definition at line 138 of file x509_obj.cpp.

139 {
140 const OID& oid = m_sig_algo.get_oid();
141 const std::vector<std::string> sig_info = split_on(oid.to_formatted_string(), '/');
142
143 if(sig_info.size() == 1 && sig_info[0] == "Ed25519")
144 return "SHA-512";
145 else if(sig_info.size() != 2)
146 throw Internal_Error("Invalid name format found for " + oid.to_string());
147
148 if(sig_info[1] == "EMSA4")
149 {
150 const OID hash_oid = decode_pss_params(signature_algorithm().get_parameters()).hash_algo.get_oid();
151 return hash_oid.to_formatted_string();
152 }
153 else
154 {
155 const std::vector<std::string> pad_and_hash =
156 parse_algorithm_name(sig_info[1]);
157
158 if(pad_and_hash.size() != 2)
159 {
160 throw Internal_Error("Invalid name format " + sig_info[1]);
161 }
162
163 return pad_and_hash[1];
164 }
165 }
const OID & get_oid() const
Definition asn1_obj.h:445
std::vector< std::string > split_on(const std::string &str, char delim)
Definition parsing.cpp:148
std::vector< std::string > parse_algorithm_name(const std::string &namex)
Definition parsing.cpp:95

References Botan::AlgorithmIdentifier::get_oid(), Botan::parse_algorithm_name(), Botan::X509_Object::signature_algorithm(), Botan::split_on(), Botan::OID::to_formatted_string(), and Botan::OID::to_string().

◆ is_CA_cert()

bool Botan::X509_Certificate::is_CA_cert ( ) const

Check whether this certificate is a CA certificate.

Returns
true if this certificate is a CA certificate

Definition at line 492 of file x509cert.cpp.

493 {
494 if(data().m_version < 3 && data().m_self_signed)
495 return true;
496
497 return data().m_is_ca_certificate;
498 }

Referenced by allowed_usage(), Botan::Cert_Extension::Name_Constraints::validate(), Botan::X509_CA::X509_CA(), and Botan::X509_CA::X509_CA().

◆ is_critical()

bool Botan::X509_Certificate::is_critical ( const std::string &  ex_name) const

Check whenever a given X509 Extension is marked critical in this certificate.

Definition at line 609 of file x509cert.cpp.

610 {
612 }
bool critical_extension_set(const OID &oid) const
Definition x509_ext.cpp:182
const Extensions & v3_extensions() const
Definition x509cert.cpp:528

References Botan::Extensions::critical_extension_set(), Botan::OID::from_string(), and v3_extensions().

Referenced by Botan::Cert_Extension::Name_Constraints::validate().

◆ is_self_signed()

bool Botan::X509_Certificate::is_self_signed ( ) const

Check whether this certificate is self signed. If the DN issuer and subject agree,

Returns
true if this certificate is self signed

Definition at line 398 of file x509cert.cpp.

399 {
400 return data().m_self_signed;
401 }

◆ is_serial_negative()

bool Botan::X509_Certificate::is_serial_negative ( ) const

Get the serial number's sign

Returns
1 iff the serial is negative.

Definition at line 466 of file x509cert.cpp.

467 {
468 return data().m_serial_negative;
469 }

◆ issuer_alt_name()

const AlternativeName & Botan::X509_Certificate::issuer_alt_name ( ) const

Return the issuer alternative names (DNS, IP, ...)

Definition at line 637 of file x509cert.cpp.

638 {
639 return data().m_issuer_alt_name;
640 }

Referenced by issuer_info().

◆ issuer_dn()

const X509_DN & Botan::X509_Certificate::issuer_dn ( ) const

Get the certificate's issuer distinguished name (DN).

Returns
issuer DN of this certificate

Definition at line 472 of file x509cert.cpp.

473 {
474 return data().m_issuer_dn;
475 }

Referenced by Botan::Certificate_Store_In_SQL::find_crl_for(), Botan::Certificate_Store_In_Memory::find_crl_for(), Botan::X509_CRL::is_revoked(), issuer_info(), Botan::OCSP::Request::Request(), and to_string().

◆ issuer_info()

std::vector< std::string > Botan::X509_Certificate::issuer_info ( const std::string &  name) const

Get a value for a specific subject_info parameter name.

Parameters
namethe name of the parameter to look up. Possible names are "X509.Certificate.v2.key_id" or "X509v3.AuthorityKeyIdentifier".
Returns
value(s) of the specified parameter

Definition at line 681 of file x509cert.cpp.

682 {
683 if(issuer_dn().has_field(req))
684 return issuer_dn().get_attribute(req);
685
686 if(issuer_alt_name().has_field(req))
687 return issuer_alt_name().get_attribute(req);
688
689 // These will be removed later:
690 if(req == "X509.Certificate.v2.key_id")
691 return {hex_encode(this->v2_issuer_key_id())};
692 if(req == "X509v3.AuthorityKeyIdentifier")
693 return {hex_encode(this->authority_key_id())};
694 if(req == "X509.Certificate.dn_bits")
695 return {hex_encode(this->raw_issuer_dn())};
696
697 return data().m_issuer_ds.get(req);
698 }
std::vector< std::string > get_attribute(const std::string &attr) const
const std::vector< uint8_t > & authority_key_id() const
Definition x509cert.cpp:451
const AlternativeName & issuer_alt_name() const
Definition x509cert.cpp:637
const X509_DN & issuer_dn() const
Definition x509cert.cpp:472
const std::vector< uint8_t > & v2_issuer_key_id() const
Definition x509cert.cpp:418
const std::vector< uint8_t > & raw_issuer_dn() const
Definition x509cert.cpp:482
std::vector< std::string > get_attribute(const std::string &attr) const
Definition x509_dn.cpp:109
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
Definition hex.cpp:31

References authority_key_id(), Botan::X509_DN::get_attribute(), Botan::AlternativeName::get_attribute(), Botan::hex_encode(), issuer_alt_name(), issuer_dn(), raw_issuer_dn(), and v2_issuer_key_id().

◆ load_data()

void Botan::X509_Object::load_data ( DataSource src)
protectedinherited

Decodes from src as either DER or PEM data, then calls force_decode()

Definition at line 52 of file x509_obj.cpp.

53 {
54 try {
56 {
57 BER_Decoder dec(in);
58 decode_from(dec);
59 }
60 else
61 {
62 std::string got_label;
63 DataSource_Memory ber(PEM_Code::decode(in, got_label));
64
65 if(got_label != PEM_label())
66 {
67 bool is_alternate = false;
68 for(std::string alt_label : alternate_PEM_labels())
69 {
70 if(got_label == alt_label)
71 {
72 is_alternate = true;
73 break;
74 }
75 }
76
77 if(!is_alternate)
78 throw Decoding_Error("Unexpected PEM label for " + PEM_label() + " of " + got_label);
79 }
80
81 BER_Decoder dec(ber);
82 decode_from(dec);
83 }
84 }
85 catch(Decoding_Error& e)
86 {
87 throw Decoding_Error(PEM_label() + " decoding", e);
88 }
89 }
void decode_from(class BER_Decoder &from) override
Definition x509_obj.cpp:106
virtual std::vector< std::string > alternate_PEM_labels() const
Definition x509_obj.h:113
bool maybe_BER(DataSource &source)
Definition asn1_obj.cpp:222
bool matches(DataSource &source, const std::string &extra, size_t search_range)
Definition pem.cpp:142
secure_vector< uint8_t > decode(DataSource &source, std::string &label)
Definition pem.cpp:68

References Botan::X509_Object::alternate_PEM_labels(), Botan::PEM_Code::decode(), Botan::X509_Object::decode_from(), Botan::PEM_Code::matches(), Botan::ASN1::maybe_BER(), and Botan::X509_Object::PEM_label().

Referenced by Botan::PKCS10_Request::PKCS10_Request(), Botan::PKCS10_Request::PKCS10_Request(), X509_Certificate(), X509_Certificate(), X509_Certificate(), Botan::X509_CRL::X509_CRL(), and Botan::X509_CRL::X509_CRL().

◆ load_subject_public_key()

std::unique_ptr< Public_Key > Botan::X509_Certificate::load_subject_public_key ( ) const

Create a public key object associated with the public key bits in this certificate. If the public key bits was valid for X.509 encoding purposes but invalid algorithmically (for example, RSA with an even modulus) that will be detected at this point, and an exception will be thrown.

Returns
subject public key of this certificate

Definition at line 703 of file x509cert.cpp.

704 {
705 try
706 {
707 return std::unique_ptr<Public_Key>(X509::load_key(subject_public_key_info()));
708 }
709 catch(std::exception& e)
710 {
711 throw Decoding_Error("X509_Certificate::load_subject_public_key", e);
712 }
713 }
const std::vector< uint8_t > & subject_public_key_info() const
Definition x509cert.cpp:433
Public_Key * load_key(DataSource &source)
Definition x509_key.cpp:37

References Botan::X509::load_key(), and subject_public_key_info().

Referenced by subject_public_key().

◆ make_signed()

std::vector< uint8_t > Botan::X509_Object::make_signed ( class PK_Signer signer,
RandomNumberGenerator rng,
const AlgorithmIdentifier alg_id,
const secure_vector< uint8_t > &  tbs 
)
staticinherited

Create a signed X509 object.

Parameters
signerthe signer used to sign the object
rngthe random number generator to use
alg_idthe algorithm identifier of the signature scheme
tbsthe tbs bits to be signed
Returns
signed X509 object

Definition at line 303 of file x509_obj.cpp.

307 {
308 const std::vector<uint8_t> signature = signer->sign_message(tbs_bits, rng);
309
310 std::vector<uint8_t> output;
311 DER_Encoder(output)
312 .start_cons(SEQUENCE)
313 .raw_bytes(tbs_bits)
314 .encode(algo)
315 .encode(signature, BIT_STRING)
316 .end_cons();
317
318 return output;
319 }

References Botan::BIT_STRING, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), Botan::SEQUENCE, Botan::PK_Signer::sign_message(), Botan::X509_Object::signature(), and Botan::DER_Encoder::start_cons().

Referenced by Botan::PKCS10_Request::create(), and Botan::X509_CA::make_cert().

◆ matches_dns_name()

bool Botan::X509_Certificate::matches_dns_name ( const std::string &  name) const

Check if a certain DNS name matches up with the information in the cert

Parameters
nameDNS name to match

Definition at line 787 of file x509cert.cpp.

788 {
789 if(name.empty())
790 return false;
791
792 bool is_ipv4 = false;
793
794 try {
796 is_ipv4 = true;
797 }
798 catch(...) {}
799
800 std::vector<std::string> issued_names;
801
802 if(subject_alt_name().has_items()) {
803 issued_names = subject_alt_name().get_attribute(is_ipv4 ? "IP" : "DNS");
804 } else if(is_ipv4 == false) {
805 // Use CN only if no SAN is included
806 issued_names = subject_info("Name");
807 }
808
809 for(size_t i = 0; i != issued_names.size(); ++i)
810 {
811 if(is_ipv4)
812 {
813 if(issued_names[i] == name)
814 return true;
815 }
816 else
817 {
818 if(host_wildcard_match(issued_names[i], name))
819 return true;
820 }
821 }
822
823 return false;
824 }
std::vector< std::string > subject_info(const std::string &name) const
Definition x509cert.cpp:646
const AlternativeName & subject_alt_name() const
Definition x509cert.cpp:632
std::string name
uint32_t string_to_ipv4(const std::string &str)
Definition parsing.cpp:253
bool host_wildcard_match(const std::string &issued_, const std::string &host_)
Definition parsing.cpp:339

References Botan::AlternativeName::get_attribute(), Botan::host_wildcard_match(), name, Botan::string_to_ipv4(), subject_alt_name(), and subject_info().

Referenced by botan_x509_cert_hostname_match().

◆ name_constraints()

const NameConstraints & Botan::X509_Certificate::name_constraints ( ) const

Get the name constraints as defined in the NameConstraints extension of this certificate.

Returns
name constraints

Definition at line 523 of file x509cert.cpp.

524 {
525 return data().m_name_constraints;
526 }

Referenced by to_string().

◆ not_after()

const X509_Time & Botan::X509_Certificate::not_after ( ) const

Get the notAfter of the certificate as X509_Time

Returns
notAfter of the certificate

Definition at line 408 of file x509cert.cpp.

409 {
410 return data().m_not_after;
411 }

Referenced by botan_x509_cert_not_after(), subject_info(), and to_string().

◆ not_before()

const X509_Time & Botan::X509_Certificate::not_before ( ) const

Get the notBefore of the certificate as X509_Time

Returns
notBefore of the certificate

Definition at line 403 of file x509cert.cpp.

404 {
405 return data().m_not_before;
406 }

Referenced by botan_x509_cert_not_before(), subject_info(), and to_string().

◆ ocsp_responder()

std::string Botan::X509_Certificate::ocsp_responder ( ) const

Return the listed address of an OCSP responder, or empty if not set

Definition at line 614 of file x509cert.cpp.

615 {
616 return data().m_ocsp_responder;
617 }

Referenced by to_string().

◆ operator<()

bool Botan::X509_Certificate::operator< ( const X509_Certificate other) const

Impose an arbitrary (but consistent) ordering, eg to allow sorting a container of certificate objects.

Returns
true if this is less than other by some unspecified criteria

Definition at line 836 of file x509cert.cpp.

837 {
838 /* If signature values are not equal, sort by lexicographic ordering of that */
839 if(this->signature() != other.signature())
840 {
841 return (this->signature() < other.signature());
842 }
843
844 // Then compare the signed contents
845 return this->signed_body() < other.signed_body();
846 }

References Botan::X509_Object::signature(), and Botan::X509_Object::signed_body().

◆ operator=()

X509_Certificate & Botan::X509_Certificate::operator= ( const X509_Certificate other)
default

◆ operator==()

bool Botan::X509_Certificate::operator== ( const X509_Certificate other) const

Check to certificates for equality.

Returns
true both certificates are (binary) equal

Definition at line 829 of file x509cert.cpp.

830 {
831 return (this->signature() == other.signature() &&
832 this->signature_algorithm() == other.signature_algorithm() &&
833 this->signed_body() == other.signed_body());
834 }

References Botan::X509_Object::signature(), Botan::X509_Object::signature_algorithm(), and Botan::X509_Object::signed_body().

◆ path_limit()

uint32_t Botan::X509_Certificate::path_limit ( ) const

Get the path limit as defined in the BasicConstraints extension of this certificate.

Returns
path limit

Definition at line 500 of file x509cert.cpp.

501 {
502 if(data().m_version < 3 && data().m_self_signed)
503 return 32; // in theory infinite, but this is more than enough
504
505 return static_cast<uint32_t>(data().m_path_len_constraint);
506 }

◆ PEM_encode()

std::string Botan::X509_Object::PEM_encode ( ) const
inherited
Returns
PEM encoding of this

Definition at line 122 of file x509_obj.cpp.

123 {
125 }
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
Definition pem.cpp:43

References Botan::ASN1_Object::BER_encode(), Botan::PEM_Code::encode(), and Botan::X509_Object::PEM_label().

◆ policies()

std::vector< std::string > Botan::X509_Certificate::policies ( ) const

Get the policies as defined in the CertificatePolicies extension of this certificate.

Returns
certificate policies

Definition at line 763 of file x509cert.cpp.

764 {
765 return lookup_oids(certificate_policy_oids());
766 }
const std::vector< OID > & certificate_policy_oids() const
Definition x509cert.cpp:518

References certificate_policy_oids().

Referenced by to_string().

◆ raw_issuer_dn()

const std::vector< uint8_t > & Botan::X509_Certificate::raw_issuer_dn ( ) const

Raw issuer DN bits

Definition at line 482 of file x509cert.cpp.

483 {
484 return data().m_issuer_dn_bits;
485 }

Referenced by Botan::OCSP::CertID::is_id_for(), and issuer_info().

◆ raw_issuer_dn_sha256()

std::vector< uint8_t > Botan::X509_Certificate::raw_issuer_dn_sha256 ( ) const

SHA-256 of Raw issuer DN

Definition at line 720 of file x509cert.cpp.

721 {
722 if(data().m_issuer_dn_bits_sha256.empty())
723 throw Encoding_Error("X509_Certificate::raw_issuer_dn_sha256 called but SHA-256 disabled in build");
724 return data().m_issuer_dn_bits_sha256;
725 }

◆ raw_subject_dn()

const std::vector< uint8_t > & Botan::X509_Certificate::raw_subject_dn ( ) const

Raw subject DN

Definition at line 487 of file x509cert.cpp.

488 {
489 return data().m_subject_dn_bits;
490 }

Referenced by Botan::OCSP::CertID::CertID(), and subject_info().

◆ raw_subject_dn_sha256()

std::vector< uint8_t > Botan::X509_Certificate::raw_subject_dn_sha256 ( ) const

SHA-256 of Raw subject DN

Definition at line 727 of file x509cert.cpp.

728 {
729 if(data().m_subject_dn_bits_sha256.empty())
730 throw Encoding_Error("X509_Certificate::raw_subject_dn_sha256 called but SHA-256 disabled in build");
731 return data().m_subject_dn_bits_sha256;
732 }

◆ serial_number()

const std::vector< uint8_t > & Botan::X509_Certificate::serial_number ( ) const

Get the serial number of this certificate.

Returns
certificates serial number

Definition at line 461 of file x509cert.cpp.

462 {
463 return data().m_serial;
464 }

Referenced by Botan::CRL_Entry::CRL_Entry(), Botan::OCSP::CertID::is_id_for(), Botan::X509_CRL::is_revoked(), subject_info(), and to_string().

◆ signature()

const std::vector< uint8_t > & Botan::X509_Object::signature ( ) const
inlineinherited
Returns
signature on tbs_data()

Definition at line 37 of file x509_obj.h.

37{ return m_sig; }

Referenced by Botan::X509_Object::encode_into(), Botan::X509_Object::make_signed(), operator<(), operator==(), and Botan::X509_Object::verify_signature().

◆ signature_algorithm()

const AlgorithmIdentifier & Botan::X509_Object::signature_algorithm ( ) const
inlineinherited
Returns
signature algorithm that was used to generate signature

Definition at line 47 of file x509_obj.h.

47{ return m_sig_algo; }

Referenced by Botan::X509_Object::encode_into(), Botan::X509_Object::hash_used_for_signature(), operator==(), to_string(), Botan::X509_Object::verify_signature(), and Botan::X509_CA::X509_CA().

◆ signed_body()

const std::vector< uint8_t > & Botan::X509_Object::signed_body ( ) const
inlineinherited
Returns
signed body

Definition at line 42 of file x509_obj.h.

42{ return m_tbs_bits; }

Referenced by Botan::X509_Object::encode_into(), operator<(), and operator==().

◆ start_time()

std::string Botan::X509_Certificate::start_time ( ) const
inline

Get the notBefore of the certificate as a string

Returns
notBefore of the certificate

Definition at line 154 of file x509cert.h.

155 {
156 return not_before().to_string();
157 }
const X509_Time & not_before() const
Definition x509cert.cpp:403

◆ subject_alt_name()

const AlternativeName & Botan::X509_Certificate::subject_alt_name ( ) const

Return the subject alternative names (DNS, IP, ...)

Definition at line 632 of file x509cert.cpp.

633 {
634 return data().m_subject_alt_name;
635 }

Referenced by Botan::NameConstraints::is_excluded(), Botan::NameConstraints::is_permitted(), Botan::GeneralName::matches(), matches_dns_name(), and subject_info().

◆ subject_dn()

const X509_DN & Botan::X509_Certificate::subject_dn ( ) const

◆ subject_info()

std::vector< std::string > Botan::X509_Certificate::subject_info ( const std::string &  name) const

Get a value for a specific subject_info parameter name.

Parameters
namethe name of the parameter to look up. Possible names include "X509.Certificate.version", "X509.Certificate.serial", "X509.Certificate.start", "X509.Certificate.end", "X509.Certificate.v2.key_id", "X509.Certificate.public_key", "X509v3.BasicConstraints.path_constraint", "X509v3.BasicConstraints.is_ca", "X509v3.NameConstraints", "X509v3.ExtendedKeyUsage", "X509v3.CertificatePolicies", "X509v3.SubjectKeyIdentifier", "X509.Certificate.serial", "X520.CommonName", "X520.Organization", "X520.Country", "RFC822" (Email in SAN) or "PKCS9.EmailAddress" (Email in DN).
Returns
value(s) of the specified parameter

Definition at line 646 of file x509cert.cpp.

647 {
648 if(req == "Email")
649 return this->subject_info("RFC822");
650
651 if(subject_dn().has_field(req))
652 return subject_dn().get_attribute(req);
653
654 if(subject_alt_name().has_field(req))
655 return subject_alt_name().get_attribute(req);
656
657 // These will be removed later:
658 if(req == "X509.Certificate.v2.key_id")
659 return {hex_encode(this->v2_subject_key_id())};
660 if(req == "X509v3.SubjectKeyIdentifier")
661 return {hex_encode(this->subject_key_id())};
662 if(req == "X509.Certificate.dn_bits")
663 return {hex_encode(this->raw_subject_dn())};
664 if(req == "X509.Certificate.start")
665 return {not_before().to_string()};
666 if(req == "X509.Certificate.end")
667 return {not_after().to_string()};
668
669 if(req == "X509.Certificate.version")
670 return {std::to_string(x509_version())};
671 if(req == "X509.Certificate.serial")
672 return {hex_encode(serial_number())};
673
674 return data().m_subject_ds.get(req);
675 }
const std::vector< uint8_t > & serial_number() const
Definition x509cert.cpp:461
const X509_DN & subject_dn() const
Definition x509cert.cpp:477
const std::vector< uint8_t > & raw_subject_dn() const
Definition x509cert.cpp:487
const std::vector< uint8_t > & subject_key_id() const
Definition x509cert.cpp:456
uint32_t x509_version() const
Definition x509cert.cpp:393
const std::vector< uint8_t > & v2_subject_key_id() const
Definition x509cert.cpp:423

References Botan::X509_DN::get_attribute(), Botan::AlternativeName::get_attribute(), Botan::hex_encode(), not_after(), not_before(), raw_subject_dn(), serial_number(), subject_alt_name(), subject_dn(), subject_info(), subject_key_id(), Botan::ASN1_Time::to_string(), v2_subject_key_id(), and x509_version().

Referenced by Botan::NameConstraints::is_excluded(), Botan::NameConstraints::is_permitted(), matches_dns_name(), and subject_info().

◆ subject_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_key_id ( ) const

Get the DER encoded SubjectKeyIdentifier of this certificate.

Returns
DER encoded SubjectKeyIdentifier

Definition at line 456 of file x509cert.cpp.

457 {
458 return data().m_subject_key_id;
459 }

Referenced by Botan::Certificate_Store::certificate_known(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::Certificate_Store_In_SQL::remove_cert(), subject_info(), and to_string().

◆ subject_public_key()

Public_Key * Botan::X509_Certificate::subject_public_key ( ) const

Return a newly allocated copy of the public key associated with the subject of this certificate. This object is owned by the caller.

Prefer load_subject_public_key in new code

Returns
public key

Definition at line 715 of file x509cert.cpp.

716 {
717 return load_subject_public_key().release();
718 }
std::unique_ptr< Public_Key > load_subject_public_key() const
Definition x509cert.cpp:703

References load_subject_public_key().

Referenced by to_string(), Botan::TLS::Certificate_Verify::verify(), and Botan::OCSP::Response::verify_signature().

◆ subject_public_key_algo()

const AlgorithmIdentifier & Botan::X509_Certificate::subject_public_key_algo ( ) const

Return the algorithm identifier of the public key

Definition at line 413 of file x509cert.cpp.

414 {
415 return data().m_subject_public_key_algid;
416 }

Referenced by to_string().

◆ subject_public_key_bits()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_bits ( ) const

Get the public key associated with this certificate. This includes the outer AlgorithmIdentifier

Returns
subject public key of this certificate

Definition at line 428 of file x509cert.cpp.

429 {
430 return data().m_subject_public_key_bits;
431 }

◆ subject_public_key_bitstring()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_bitstring ( ) const

Get the bit string of the public key associated with this certificate

Returns
public key bits

Definition at line 438 of file x509cert.cpp.

439 {
440 return data().m_subject_public_key_bitstring;
441 }

Referenced by Botan::OCSP::CertID::CertID(), and Botan::OCSP::CertID::is_id_for().

◆ subject_public_key_bitstring_sha1()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_bitstring_sha1 ( ) const

Get the SHA-1 bit string of the public key associated with this certificate. This is used for OCSP among other protocols. This function will throw if SHA-1 is not available.

Returns
hash of subject public key of this certificate

Definition at line 443 of file x509cert.cpp.

444 {
445 if(data().m_subject_public_key_bitstring_sha1.empty())
446 throw Encoding_Error("X509_Certificate::subject_public_key_bitstring_sha1 called but SHA-1 disabled in build");
447
448 return data().m_subject_public_key_bitstring_sha1;
449 }

◆ subject_public_key_info()

const std::vector< uint8_t > & Botan::X509_Certificate::subject_public_key_info ( ) const

Get the SubjectPublicKeyInfo associated with this certificate.

Returns
subject public key info of this certificate

Definition at line 433 of file x509cert.cpp.

434 {
435 return data().m_subject_public_key_bits_seq;
436 }

Referenced by load_subject_public_key().

◆ tbs_data()

std::vector< uint8_t > Botan::X509_Object::tbs_data ( ) const
inherited

The underlying data that is to be or was signed

Returns
data that is or was signed

Definition at line 130 of file x509_obj.cpp.

131 {
132 return ASN1::put_in_sequence(m_tbs_bits);
133 }
std::vector< uint8_t > put_in_sequence(const std::vector< uint8_t > &contents)
Definition asn1_obj.cpp:195

References Botan::ASN1::put_in_sequence().

Referenced by Botan::X509_Object::verify_signature().

◆ to_string()

std::string Botan::X509_Certificate::to_string ( ) const
Returns
a free-form string describing the certificate

Definition at line 856 of file x509cert.cpp.

857 {
858 std::ostringstream out;
859
860 out << "Version: " << this->x509_version() << "\n";
861 out << "Subject: " << subject_dn() << "\n";
862 out << "Issuer: " << issuer_dn() << "\n";
863 out << "Issued: " << this->not_before().readable_string() << "\n";
864 out << "Expires: " << this->not_after().readable_string() << "\n";
865
866 out << "Constraints:\n";
868 if(constraints == NO_CONSTRAINTS)
869 out << " None\n";
870 else
871 {
873 out << " Digital Signature\n";
875 out << " Non-Repudiation\n";
877 out << " Key Encipherment\n";
879 out << " Data Encipherment\n";
881 out << " Key Agreement\n";
883 out << " Cert Sign\n";
885 out << " CRL Sign\n";
887 out << " Encipher Only\n";
889 out << " Decipher Only\n";
890 }
891
892 const std::vector<OID>& policies = this->certificate_policy_oids();
893 if(!policies.empty())
894 {
895 out << "Policies: " << "\n";
896 for(auto oid : policies)
897 out << " " << oid.to_string() << "\n";
898 }
899
900 const std::vector<OID>& ex_constraints = this->extended_key_usage();
901 if(!ex_constraints.empty())
902 {
903 out << "Extended Constraints:\n";
904 for(auto&& oid : ex_constraints)
905 {
906 out << " " << oid.to_formatted_string() << "\n";
907 }
908 }
909
910 const NameConstraints& name_constraints = this->name_constraints();
911
912 if(!name_constraints.permitted().empty() || !name_constraints.excluded().empty())
913 {
914 out << "Name Constraints:\n";
915
916 if(!name_constraints.permitted().empty())
917 {
918 out << " Permit";
919 for(auto st: name_constraints.permitted())
920 {
921 out << " " << st.base();
922 }
923 out << "\n";
924 }
925
926 if(!name_constraints.excluded().empty())
927 {
928 out << " Exclude";
929 for(auto st: name_constraints.excluded())
930 {
931 out << " " << st.base();
932 }
933 out << "\n";
934 }
935 }
936
937 if(!ocsp_responder().empty())
938 out << "OCSP responder " << ocsp_responder() << "\n";
939
940 const std::vector<std::string> ca_issuers = this->ca_issuers();
941 if(!ca_issuers.empty())
942 {
943 out << "CA Issuers:\n";
944 for(size_t i = 0; i != ca_issuers.size(); i++)
945 out << " URI: " << ca_issuers[i] << "\n";
946 }
947
948 if(!crl_distribution_point().empty())
949 out << "CRL " << crl_distribution_point() << "\n";
950
951 out << "Signature algorithm: " << this->signature_algorithm().get_oid().to_formatted_string() << "\n";
952
953 out << "Serial number: " << hex_encode(this->serial_number()) << "\n";
954
955 if(this->authority_key_id().size())
956 out << "Authority keyid: " << hex_encode(this->authority_key_id()) << "\n";
957
958 if(this->subject_key_id().size())
959 out << "Subject keyid: " << hex_encode(this->subject_key_id()) << "\n";
960
961 try
962 {
963 std::unique_ptr<Public_Key> pubkey(this->subject_public_key());
964 out << "Public Key [" << pubkey->algo_name() << "-" << pubkey->key_length() << "]\n\n";
965 out << X509::PEM_encode(*pubkey);
966 }
967 catch(Decoding_Error&)
968 {
969 const AlgorithmIdentifier& alg_id = this->subject_public_key_algo();
970 out << "Failed to decode key with oid " << alg_id.get_oid().to_string() << "\n";
971 }
972
973 return out.str();
974 }
std::string readable_string() const
Returns a human friendly string replesentation of no particular formatting.
Definition asn1_time.cpp:93
const std::vector< GeneralSubtree > & permitted() const
Definition pkix_types.h:345
const std::vector< GeneralSubtree > & excluded() const
Definition pkix_types.h:350
std::string to_formatted_string() const
Definition asn1_oid.cpp:111
const NameConstraints & name_constraints() const
Definition x509cert.cpp:523
std::vector< std::string > ex_constraints() const
Definition x509cert.cpp:755
std::string ocsp_responder() const
Definition x509cert.cpp:614
std::vector< std::string > policies() const
Definition x509cert.cpp:763
std::string crl_distribution_point() const
Definition x509cert.cpp:624
Public_Key * subject_public_key() const
Definition x509cert.cpp:715
const AlgorithmIdentifier & subject_public_key_algo() const
Definition x509cert.cpp:413
std::vector< std::string > ca_issuers() const
Definition x509cert.cpp:619
std::string to_string() const
Definition x509cert.cpp:856
std::string PEM_encode(const Public_Key &key)
Definition x509_key.cpp:28
Key_Constraints
Definition pkix_enums.h:106
@ CRL_SIGN
Definition pkix_enums.h:114
@ KEY_CERT_SIGN
Definition pkix_enums.h:113
@ ENCIPHER_ONLY
Definition pkix_enums.h:115
@ DECIPHER_ONLY
Definition pkix_enums.h:116

References authority_key_id(), ca_issuers(), certificate_policy_oids(), constraints(), crl_distribution_point(), Botan::CRL_SIGN, Botan::DATA_ENCIPHERMENT, Botan::DECIPHER_ONLY, Botan::DIGITAL_SIGNATURE, Botan::ENCIPHER_ONLY, ex_constraints(), Botan::NameConstraints::excluded(), extended_key_usage(), Botan::AlgorithmIdentifier::get_oid(), Botan::hex_encode(), issuer_dn(), Botan::KEY_AGREEMENT, Botan::KEY_CERT_SIGN, Botan::KEY_ENCIPHERMENT, name_constraints(), Botan::NO_CONSTRAINTS, Botan::NON_REPUDIATION, not_after(), not_before(), ocsp_responder(), Botan::X509::PEM_encode(), Botan::NameConstraints::permitted(), policies(), Botan::ASN1_Time::readable_string(), serial_number(), Botan::X509_Object::signature_algorithm(), subject_dn(), subject_key_id(), subject_public_key(), subject_public_key_algo(), Botan::OID::to_formatted_string(), Botan::OID::to_string(), and x509_version().

◆ v2_issuer_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::v2_issuer_key_id ( ) const

Return the v2 issuer key ID. v2 key IDs are almost never used, instead see v3_subject_key_id.

Definition at line 418 of file x509cert.cpp.

419 {
420 return data().m_v2_issuer_key_id;
421 }

Referenced by issuer_info().

◆ v2_subject_key_id()

const std::vector< uint8_t > & Botan::X509_Certificate::v2_subject_key_id ( ) const

Return the v2 subject key ID. v2 key IDs are almost never used, instead see v3_subject_key_id.

Definition at line 423 of file x509cert.cpp.

424 {
425 return data().m_v2_subject_key_id;
426 }

Referenced by subject_info().

◆ v3_extensions()

const Extensions & Botan::X509_Certificate::v3_extensions ( ) const

Get all extensions of this certificate.

Returns
certificate extensions

Definition at line 528 of file x509cert.cpp.

529 {
530 return data().m_v3_extensions;
531 }

Referenced by is_critical().

◆ verify_signature()

Certificate_Status_Code Botan::X509_Object::verify_signature ( const Public_Key key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data
Returns
status of the signature - OK if verified or otherwise an indicator of the problem preventing verification.

Definition at line 184 of file x509_obj.cpp.

185 {
186 const std::vector<std::string> sig_info =
187 split_on(m_sig_algo.get_oid().to_formatted_string(), '/');
188
189 if(sig_info.size() < 1 || sig_info.size() > 2 || sig_info[0] != pub_key.algo_name())
191
192 const std::string pub_key_algo = sig_info[0];
193 std::string padding;
194 if(sig_info.size() == 2)
195 padding = sig_info[1];
196 else if(pub_key_algo == "Ed25519" || pub_key_algo == "XMSS")
197 padding = "Pure";
198 else
200
201 const Signature_Format format = pub_key.default_x509_signature_format();
202
203 if(padding == "EMSA4")
204 {
205 // "MUST contain RSASSA-PSS-params"
206 if(signature_algorithm().get_parameters().empty())
207 {
209 }
210
211 Pss_params pss_parameter = decode_pss_params(signature_algorithm().get_parameters());
212
213 // hash_algo must be SHA1, SHA2-224, SHA2-256, SHA2-384 or SHA2-512
214 const std::string hash_algo = pss_parameter.hash_algo.get_oid().to_formatted_string();
215 if(hash_algo != "SHA-160" &&
216 hash_algo != "SHA-224" &&
217 hash_algo != "SHA-256" &&
218 hash_algo != "SHA-384" &&
219 hash_algo != "SHA-512")
220 {
222 }
223
224 const std::string mgf_algo = pss_parameter.mask_gen_algo.get_oid().to_formatted_string();
225 if(mgf_algo != "MGF1")
226 {
228 }
229
230 // For MGF1, it is strongly RECOMMENDED that the underlying hash function be the same as the one identified by hashAlgorithm
231 // Must be SHA1, SHA2-224, SHA2-256, SHA2-384 or SHA2-512
232 if(pss_parameter.mask_gen_hash.get_oid() != pss_parameter.hash_algo.get_oid())
233 {
235 }
236
237 if(pss_parameter.trailer_field != 1)
238 {
240 }
241
242 padding += "(" + hash_algo + "," + mgf_algo + "," + std::to_string(pss_parameter.salt_len) + ")";
243 }
244 else
245 {
246 /*
247 * For all other signature types the signature parameters should
248 * be either NULL or empty. In theory there is some distinction between
249 * these but in practice they seem to be used somewhat interchangeably.
250 *
251 * The various RFCs all have prescriptions of what is allowed:
252 * RSA - NULL (RFC 3279)
253 * DSA - empty (RFC 3279)
254 * ECDSA - empty (RFC 3279)
255 * GOST - empty (RFC 4491)
256 * Ed25519 - empty (RFC 8410)
257 * XMSS - empty (draft-vangeest-x509-hash-sigs)
258 *
259 * But in practice we find RSA with empty and ECDSA will NULL all
260 * over the place so it's not really possible to enforce. For Ed25519
261 * and XMSS because they are new we attempt to enforce.
262 */
263 if(pub_key_algo == "Ed25519" || pub_key_algo == "XMSS")
264 {
265 if(!signature_algorithm().parameters_are_empty())
266 {
268 }
269 }
270 else
271 {
272 if(!signature_algorithm().parameters_are_null_or_empty())
273 {
275 }
276 }
277 }
278
279 try
280 {
281 PK_Verifier verifier(pub_key, padding, format);
282 const bool valid = verifier.verify_message(tbs_data(), signature());
283
284 if(valid)
286 else
288 }
289 catch(Algorithm_Not_Found&)
290 {
292 }
293 catch(...)
294 {
295 // This shouldn't happen, fallback to generic signature error
297 }
298 }
std::vector< uint8_t > tbs_data() const
Definition x509_obj.cpp:130
AlgorithmIdentifier hash_algo
Definition x509_obj.cpp:22

References Botan::Public_Key::algo_name(), Botan::Public_Key::default_x509_signature_format(), Botan::AlgorithmIdentifier::get_oid(), hash_algo, Botan::X509_Object::signature(), Botan::SIGNATURE_ALGO_BAD_PARAMS, Botan::SIGNATURE_ALGO_UNKNOWN, Botan::X509_Object::signature_algorithm(), Botan::SIGNATURE_ERROR, Botan::split_on(), Botan::X509_Object::tbs_data(), Botan::OID::to_formatted_string(), Botan::UNTRUSTED_HASH, Botan::VERIFIED, and Botan::PK_Verifier::verify_message().

Referenced by Botan::X509_Object::check_signature().

◆ x509_version()

uint32_t Botan::X509_Certificate::x509_version ( ) const

Get the X509 version of this certificate object.

Returns
X509 version

Definition at line 393 of file x509cert.cpp.

394 {
395 return static_cast<uint32_t>(data().m_version);
396 }

Referenced by subject_info(), and to_string().


The documentation for this class was generated from the following files: