9#include <botan/x509cert.h>
10#include <botan/x509_key.h>
11#include <botan/datastor.h>
12#include <botan/pk_keys.h>
13#include <botan/x509_ext.h>
14#include <botan/ber_dec.h>
15#include <botan/parsing.h>
16#include <botan/bigint.h>
17#include <botan/oids.h>
18#include <botan/hash.h>
25struct X509_Certificate_Data
27 std::vector<uint8_t> m_serial;
28 AlgorithmIdentifier m_sig_algo_inner;
31 std::vector<uint8_t> m_issuer_dn_bits;
32 std::vector<uint8_t> m_subject_dn_bits;
35 std::vector<uint8_t> m_subject_public_key_bits;
36 std::vector<uint8_t> m_subject_public_key_bits_seq;
37 std::vector<uint8_t> m_subject_public_key_bitstring;
38 std::vector<uint8_t> m_subject_public_key_bitstring_sha1;
39 AlgorithmIdentifier m_subject_public_key_algid;
41 std::vector<uint8_t> m_v2_issuer_key_id;
42 std::vector<uint8_t> m_v2_subject_key_id;
43 Extensions m_v3_extensions;
45 std::vector<OID> m_extended_key_usage;
46 std::vector<uint8_t> m_authority_key_id;
47 std::vector<uint8_t> m_subject_key_id;
48 std::vector<OID> m_cert_policies;
50 std::vector<std::string> m_crl_distribution_points;
51 std::string m_ocsp_responder;
52 std::vector<std::string> m_ca_issuers;
54 std::vector<uint8_t> m_issuer_dn_bits_sha256;
55 std::vector<uint8_t> m_subject_dn_bits_sha256;
57 std::string m_fingerprint_sha1;
58 std::string m_fingerprint_sha256;
60 AlternativeName m_subject_alt_name;
61 AlternativeName m_issuer_alt_name;
62 NameConstraints m_name_constraints;
64 Data_Store m_subject_ds;
65 Data_Store m_issuer_ds;
68 size_t m_path_len_constraint = 0;
70 bool m_self_signed =
false;
71 bool m_is_ca_certificate =
false;
72 bool m_serial_negative =
false;
75std::string X509_Certificate::PEM_label()
const
80std::vector<std::string> X509_Certificate::alternate_PEM_labels()
const
82 return {
"X509 CERTIFICATE" };
102#if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
112std::unique_ptr<X509_Certificate_Data> parse_x509_cert_body(
const X509_Object& obj)
114 std::unique_ptr<X509_Certificate_Data> data(
new X509_Certificate_Data);
117 BER_Object public_key;
118 BER_Object v3_exts_data;
120 BER_Decoder(obj.signed_body())
123 .decode(data->m_sig_algo_inner)
124 .decode(data->m_issuer_dn)
126 .decode(data->m_not_before)
127 .decode(data->m_not_after)
129 .decode(data->m_subject_dn)
130 .get_next(public_key)
131 .decode_optional_string(data->m_v2_issuer_key_id,
BIT_STRING, 1)
132 .decode_optional_string(data->m_v2_subject_key_id,
BIT_STRING, 2)
133 .get_next(v3_exts_data)
134 .verify_end(
"TBSCertificate has extra data after extensions block");
136 if(data->m_version > 2)
137 throw Decoding_Error(
"Unknown X.509 cert version " + std::to_string(data->m_version));
138 if(obj.signature_algorithm() != data->m_sig_algo_inner)
139 throw Decoding_Error(
"X.509 Certificate had differing algorithm identifers in inner and outer ID fields");
144 data->m_serial_negative = serial_bn.is_negative();
147 data->m_version += 1;
154 AlgorithmIdentifier public_key_alg_id;
155 BER_Decoder(public_key).decode(public_key_alg_id).discard_remaining();
157 const std::vector<std::string> public_key_info =
160 if(!public_key_info.empty() && public_key_info[0] ==
"RSA")
163 if(public_key_info.size() >= 2)
165 if(public_key_info[1] ==
"EMSA4")
181 if(public_key_alg_id != obj.signature_algorithm())
183 throw Decoding_Error(
"Algorithm identifier mismatch");
192 throw Decoding_Error(
"RSA algorithm parameters field MUST contain NULL");
197 data->m_subject_public_key_bits.assign(public_key.bits(), public_key.bits() + public_key.length());
201 BER_Decoder(data->m_subject_public_key_bits)
202 .decode(data->m_subject_public_key_algid)
203 .decode(data->m_subject_public_key_bitstring,
BIT_STRING);
208 BER_Decoder(v3_exts_data).decode(data->m_v3_extensions).verify_end();
210 else if(v3_exts_data.is_set())
212 throw BER_Bad_Tag(
"Unknown tag in X.509 cert", v3_exts_data.tagging());
216 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Key_Usage>())
218 data->m_key_constraints = ext->get_constraints();
225 throw Decoding_Error(
"Certificate has invalid encoding for KeyUsage");
233 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Subject_Key_ID>())
235 data->m_subject_key_id = ext->get_key_id();
238 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Authority_Key_ID>())
240 data->m_authority_key_id = ext->get_key_id();
243 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Name_Constraints>())
245 data->m_name_constraints = ext->get_name_constraints();
248 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Basic_Constraints>())
250 if(ext->get_is_ca() ==
true)
262 data->m_is_ca_certificate =
true;
263 data->m_path_len_constraint = ext->get_path_limit();
268 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Issuer_Alternative_Name>())
270 data->m_issuer_alt_name = ext->get_alt_name();
273 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Subject_Alternative_Name>())
275 data->m_subject_alt_name = ext->get_alt_name();
278 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Extended_Key_Usage>())
280 data->m_extended_key_usage = ext->get_oids();
283 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Certificate_Policies>())
285 data->m_cert_policies = ext->get_policy_oids();
288 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Authority_Information_Access>())
290 data->m_ocsp_responder = ext->ocsp_responder();
291 data->m_ca_issuers = ext->ca_issuers();
294 if(
auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::CRL_Distribution_Points>())
296 data->m_crl_distribution_points = ext->crl_distribution_urls();
300 if(data->m_subject_dn == data->m_issuer_dn)
302 if(data->m_subject_key_id.empty() ==
false && data->m_authority_key_id.empty() ==
false)
304 data->m_self_signed = (data->m_subject_key_id == data->m_authority_key_id);
313 data->m_self_signed =
true;
317 std::unique_ptr<Public_Key> pub_key(
X509::load_key(data->m_subject_public_key_bits_seq));
324 data->m_self_signed =
true;
328 data->m_self_signed =
false;
338 const std::vector<uint8_t> full_encoding = obj.BER_encode();
343 sha1->update(data->m_subject_public_key_bitstring);
344 data->m_subject_public_key_bitstring_sha1 = sha1->final_stdvec();
353 sha256->update(data->m_issuer_dn_bits);
354 data->m_issuer_dn_bits_sha256 = sha256->final_stdvec();
356 sha256->update(data->m_subject_dn_bits);
357 data->m_subject_dn_bits_sha256 = sha256->final_stdvec();
362 data->m_subject_ds.add(data->m_subject_dn.contents());
363 data->m_issuer_ds.add(data->m_issuer_dn.contents());
364 data->m_v3_extensions.contents_to(data->m_subject_ds, data->m_issuer_ds);
374void X509_Certificate::force_decode()
378 std::unique_ptr<X509_Certificate_Data> data = parse_x509_cert_body(*
this);
380 m_data.reset(data.release());
383const X509_Certificate_Data& X509_Certificate::data()
const
385 if(m_data ==
nullptr)
387 throw Invalid_State(
"X509_Certificate uninitialized");
389 return *m_data.get();
394 return static_cast<uint32_t
>(data().m_version);
399 return data().m_self_signed;
404 return data().m_not_before;
409 return data().m_not_after;
414 return data().m_subject_public_key_algid;
419 return data().m_v2_issuer_key_id;
424 return data().m_v2_subject_key_id;
429 return data().m_subject_public_key_bits;
434 return data().m_subject_public_key_bits_seq;
439 return data().m_subject_public_key_bitstring;
444 if(data().m_subject_public_key_bitstring_sha1.empty())
445 throw Encoding_Error(
"X509_Certificate::subject_public_key_bitstring_sha1 called but SHA-1 disabled in build");
447 return data().m_subject_public_key_bitstring_sha1;
452 return data().m_authority_key_id;
457 return data().m_subject_key_id;
462 return data().m_serial;
467 return data().m_serial_negative;
473 return data().m_issuer_dn;
478 return data().m_subject_dn;
483 return data().m_issuer_dn_bits;
488 return data().m_subject_dn_bits;
493 if(data().m_version < 3 && data().m_self_signed)
496 return data().m_is_ca_certificate;
501 if(data().m_version < 3 && data().m_self_signed)
504 return static_cast<uint32_t
>(data().m_path_len_constraint);
509 return data().m_key_constraints;
514 return data().m_extended_key_usage;
519 return data().m_cert_policies;
524 return data().m_name_constraints;
529 return data().m_v3_extensions;
550 if(std::find(ex.begin(), ex.end(), usage) != ex.end())
602 return (std::find(ex.begin(), ex.end(), usage) != ex.end());
615 return data().m_ocsp_responder;
620 return data().m_ca_issuers;
626 if(data().m_crl_distribution_points.size() > 0)
627 return data().m_crl_distribution_points[0];
633 return data().m_subject_alt_name;
638 return data().m_issuer_alt_name;
644std::vector<std::string>
657 if(req ==
"X509.Certificate.v2.key_id")
659 if(req ==
"X509v3.SubjectKeyIdentifier")
661 if(req ==
"X509.Certificate.dn_bits")
663 if(req ==
"X509.Certificate.start")
665 if(req ==
"X509.Certificate.end")
668 if(req ==
"X509.Certificate.version")
670 if(req ==
"X509.Certificate.serial")
673 return data().m_subject_ds.get(req);
679std::vector<std::string>
689 if(req ==
"X509.Certificate.v2.key_id")
691 if(req ==
"X509v3.AuthorityKeyIdentifier")
693 if(req ==
"X509.Certificate.dn_bits")
696 return data().m_issuer_ds.get(req);
708 catch(std::exception& e)
710 throw Decoding_Error(
"X509_Certificate::load_subject_public_key", e);
721 if(data().m_issuer_dn_bits_sha256.empty())
722 throw Encoding_Error(
"X509_Certificate::raw_issuer_dn_sha256 called but SHA-256 disabled in build");
723 return data().m_issuer_dn_bits_sha256;
728 if(data().m_subject_dn_bits_sha256.empty())
729 throw Encoding_Error(
"X509_Certificate::raw_subject_dn_sha256 called but SHA-256 disabled in build");
730 return data().m_subject_dn_bits_sha256;
738std::vector<std::string> lookup_oids(
const std::vector<OID>& oids)
740 std::vector<std::string> out;
742 for(
const OID& oid : oids)
744 out.push_back(oid.to_formatted_string());
778 if(hash_name ==
"SHA-256" && data().m_fingerprint_sha256.size() > 0)
779 return data().m_fingerprint_sha256;
780 else if(hash_name ==
"SHA-1" && data().m_fingerprint_sha1.size() > 0)
781 return data().m_fingerprint_sha1;
791 std::vector<std::string> issued_names =
subject_info(
"DNS");
794 if(issued_names.empty())
797 for(
size_t i = 0; i != issued_names.size(); ++i)
833 return !(cert1 == cert2);
838 std::ostringstream out;
842 out <<
"Issuer: " <<
issuer_dn() <<
"\n";
846 out <<
"Constraints:\n";
853 out <<
" Digital Signature\n";
855 out <<
" Non-Repudiation\n";
857 out <<
" Key Encipherment\n";
859 out <<
" Data Encipherment\n";
861 out <<
" Key Agreement\n";
863 out <<
" Cert Sign\n";
865 out <<
" CRL Sign\n";
867 out <<
" Encipher Only\n";
869 out <<
" Decipher Only\n";
873 if(!policies.empty())
875 out <<
"Policies: " <<
"\n";
877 out <<
" " << oid.to_string() <<
"\n";
881 if(!ex_constraints.empty())
883 out <<
"Extended Constraints:\n";
886 out <<
" " << oid.to_formatted_string() <<
"\n";
894 out <<
"Name Constraints:\n";
901 out <<
" " << st.base();
911 out <<
" " << st.base();
921 if(!ca_issuers.empty())
923 out <<
"CA Issuers:\n";
924 for(
size_t i = 0; i !=
ca_issuers.size(); i++)
944 out <<
"Public Key [" << pubkey->algo_name() <<
"-" << pubkey->key_length() <<
"]\n\n";
950 out <<
"Failed to decode key with oid " << alg_id.
get_oid().
to_string() <<
"\n";
std::vector< uint8_t > BER_encode() const
std::string to_string() const
Return an internal string representation of the time.
std::string readable_string() const
Returns a human friendly string replesentation of no particular formatting.
const OID & get_oid() const
std::vector< std::string > get_attribute(const std::string &attr) const
static std::vector< uint8_t > encode(const BigInt &n)
bool critical_extension_set(const OID &oid) const
static std::unique_ptr< HashFunction > create(const std::string &algo_spec, const std::string &provider="")
const std::vector< GeneralSubtree > & permitted() const
const std::vector< GeneralSubtree > & excluded() const
std::string to_formatted_string() const
static OID from_string(const std::string &str)
std::string to_string() const
const std::vector< OID > & extended_key_usage() const
Key_Constraints constraints() const
bool operator==(const X509_Certificate &other) const
const NameConstraints & name_constraints() const
X509_Certificate()=default
std::vector< std::string > issuer_info(const std::string &name) const
const std::vector< uint8_t > & serial_number() const
std::vector< std::string > ex_constraints() const
const X509_DN & subject_dn() const
std::vector< uint8_t > raw_subject_dn_sha256() const
bool allowed_extended_usage(const std::string &usage) const
uint32_t path_limit() const
const X509_Time & not_after() const
const std::vector< uint8_t > & authority_key_id() const
const AlternativeName & issuer_alt_name() const
const std::vector< uint8_t > & raw_subject_dn() const
const std::vector< uint8_t > & subject_key_id() const
const std::vector< uint8_t > & subject_public_key_bits() const
bool has_constraints(Key_Constraints constraints) const
const Extensions & v3_extensions() const
std::vector< std::string > subject_info(const std::string &name) const
const std::vector< uint8_t > & subject_public_key_bitstring_sha1() const
bool allowed_usage(Key_Constraints usage) const
const X509_DN & issuer_dn() const
const std::vector< uint8_t > & v2_issuer_key_id() const
std::string ocsp_responder() const
bool has_ex_constraint(const std::string &ex_constraint) const
uint32_t x509_version() const
std::vector< std::string > policies() const
std::string crl_distribution_point() const
const std::vector< OID > & certificate_policy_oids() const
std::unique_ptr< Public_Key > load_subject_public_key() const
bool is_self_signed() const
const std::vector< uint8_t > & raw_issuer_dn() const
bool operator<(const X509_Certificate &other) const
Public_Key * subject_public_key() const
const AlgorithmIdentifier & subject_public_key_algo() const
bool matches_dns_name(const std::string &name) const
const AlternativeName & subject_alt_name() const
std::vector< std::string > ca_issuers() const
const std::vector< uint8_t > & subject_public_key_info() const
std::vector< uint8_t > raw_issuer_dn_sha256() const
bool is_serial_negative() const
const std::vector< uint8_t > & subject_public_key_bitstring() const
std::string fingerprint(const std::string &hash_name="SHA-1") const
const std::vector< uint8_t > & v2_subject_key_id() const
const X509_Time & not_before() const
std::string to_string() const
bool is_critical(const std::string &ex_name) const
std::vector< std::string > get_attribute(const std::string &attr) const
const std::vector< uint8_t > & signed_body() const
const AlgorithmIdentifier & signature_algorithm() const
const std::vector< uint8_t > & signature() const
void load_data(DataSource &src)
std::vector< uint8_t > put_in_sequence(const std::vector< uint8_t > &contents)
BOTAN_UNSTABLE_API std::string oid2str_or_empty(const OID &oid)
Public_Key * load_key(DataSource &source)
std::string PEM_encode(const Public_Key &key)
std::vector< std::string > split_on(const std::string &str, char delim)
bool operator!=(const AlgorithmIdentifier &a1, const AlgorithmIdentifier &a2)
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
std::string create_hex_fingerprint(const uint8_t bits[], size_t bits_len, const std::string &hash_name)
bool host_wildcard_match(const std::string &issued_, const std::string &host_)