Botan  1.10.9
Classes | Public Types | Public Member Functions | List of all members
Botan::X509_Store Class Reference

#include <x509stor.h>

Public Types

enum  Cert_Usage {
  ANY = 0x00, TLS_SERVER = 0x01, TLS_CLIENT = 0x02, CODE_SIGNING = 0x04,
  EMAIL_PROTECTION = 0x08, TIME_STAMPING = 0x10, CRL_SIGNING = 0x20
}
 

Public Member Functions

void add_cert (const X509_Certificate &, bool=false)
 
void add_certs (DataSource &)
 
X509_Code add_crl (const X509_CRL &)
 
void add_new_certstore (Certificate_Store *)
 
void add_trusted_certs (DataSource &)
 
std::vector< X509_Certificateget_cert_chain (const X509_Certificate &)
 
std::string PEM_encode () const
 
X509_Code validate_cert (const X509_Certificate &, Cert_Usage=ANY)
 
 X509_Store (u32bit time_slack=24 *60 *60, u32bit cache_results=30 *60)
 
 X509_Store (const X509_Store &)
 
 ~X509_Store ()
 

Detailed Description

X.509 Certificate Store

Definition at line 48 of file x509stor.h.

Member Enumeration Documentation

Enumerator
ANY 
TLS_SERVER 
TLS_CLIENT 
CODE_SIGNING 
EMAIL_PROTECTION 
TIME_STAMPING 
CRL_SIGNING 

Definition at line 51 of file x509stor.h.

Constructor & Destructor Documentation

Botan::X509_Store::X509_Store ( u32bit  time_slack = 24*60*60,
u32bit  cache_results = 30*60 
)

Definition at line 171 of file x509stor.cpp.

172  {
173  revoked_info_valid = true;
174 
175  validation_cache_timeout = cache_timeout;
176  time_slack = slack;
177  }
Botan::X509_Store::X509_Store ( const X509_Store other)

Definition at line 182 of file x509stor.cpp.

183  {
184  certs = other.certs;
185  revoked = other.revoked;
186  revoked_info_valid = other.revoked_info_valid;
187  for(size_t j = 0; j != other.stores.size(); ++j)
188  stores[j] = other.stores[j]->clone();
189  time_slack = other.time_slack;
190  validation_cache_timeout = other.validation_cache_timeout;
191  }
Botan::X509_Store::~X509_Store ( )

Definition at line 196 of file x509stor.cpp.

197  {
198  for(size_t j = 0; j != stores.size(); ++j)
199  delete stores[j];
200  }

Member Function Documentation

void Botan::X509_Store::add_cert ( const X509_Certificate cert,
bool  trusted = false 
)

Definition at line 473 of file x509stor.cpp.

References Botan::X509_Certificate::is_self_signed(), Botan::X509_Certificate::subject_dn(), and Botan::X509_Certificate::subject_key_id().

474  {
475  if(trusted && !cert.is_self_signed())
476  throw Invalid_Argument("X509_Store: Trusted certs must be self-signed");
477 
478  if(find_cert(cert.subject_dn(), cert.subject_key_id()) == NO_CERT_FOUND)
479  {
480  revoked_info_valid = false;
481  Cert_Info info(cert, trusted);
482  certs.push_back(info);
483  }
484  else if(trusted)
485  {
486  for(size_t j = 0; j != certs.size(); ++j)
487  {
488  const X509_Certificate& this_cert = certs[j].cert;
489  if(this_cert == cert)
490  certs[j].trusted = trusted;
491  }
492  }
493  }
std::invalid_argument Invalid_Argument
Definition: exceptn.h:20
void Botan::X509_Store::add_certs ( DataSource source)

Definition at line 514 of file x509stor.cpp.

515  {
516  do_add_certs(source, false);
517  }
X509_Code Botan::X509_Store::add_crl ( const X509_CRL crl)

Definition at line 530 of file x509stor.cpp.

References Botan::X509_CRL::authority_key_id(), Botan::CRL_HAS_EXPIRED, Botan::CRL_ISSUER_NOT_FOUND, Botan::CRL_NOT_YET_VALID, CRL_SIGNING, Botan::X509_CRL::get_revoked(), Botan::X509_CRL::issuer_dn(), Botan::X509_CRL::next_update(), Botan::REMOVE_FROM_CRL, Botan::X509_Certificate::subject_dn(), Botan::X509_Certificate::subject_key_id(), Botan::X509_Certificate::subject_public_key(), Botan::system_time(), Botan::X509_CRL::this_update(), validate_cert(), and Botan::VERIFIED.

531  {
532  s32bit time_check = validity_check(crl.this_update(), crl.next_update(),
533  system_time(), time_slack);
534 
535  if(time_check < 0) return CRL_NOT_YET_VALID;
536  else if(time_check > 0) return CRL_HAS_EXPIRED;
537 
538  size_t cert_index = NO_CERT_FOUND;
539 
540  for(size_t j = 0; j != certs.size(); ++j)
541  {
542  const X509_Certificate& this_cert = certs[j].cert;
543  if(compare_ids(this_cert.subject_key_id(), crl.authority_key_id()))
544  {
545  if(this_cert.subject_dn() == crl.issuer_dn())
546  cert_index = j;
547  }
548  }
549 
550  if(cert_index == NO_CERT_FOUND)
551  return CRL_ISSUER_NOT_FOUND;
552 
553  const X509_Certificate& ca_cert = certs[cert_index].cert;
554 
555  X509_Code verify_result = validate_cert(ca_cert, CRL_SIGNING);
556  if(verify_result != VERIFIED)
557  return verify_result;
558 
559  verify_result = check_sig(crl, ca_cert.subject_public_key());
560  if(verify_result != VERIFIED)
561  return verify_result;
562 
563  std::vector<CRL_Entry> revoked_certs = crl.get_revoked();
564 
565  for(size_t j = 0; j != revoked_certs.size(); ++j)
566  {
567  CRL_Data revoked_info;
568  revoked_info.issuer = crl.issuer_dn();
569  revoked_info.serial = revoked_certs[j].serial_number();
570  revoked_info.auth_key_id = crl.authority_key_id();
571 
572  std::vector<CRL_Data>::iterator p =
573  std::find(revoked.begin(), revoked.end(), revoked_info);
574 
575  if(revoked_certs[j].reason_code() == REMOVE_FROM_CRL)
576  {
577  if(p == revoked.end()) continue;
578  revoked.erase(p);
579  }
580  else
581  {
582  if(p != revoked.end()) continue;
583  revoked.push_back(revoked_info);
584  }
585  }
586 
587  std::sort(revoked.begin(), revoked.end());
588  revoked_info_valid = false;
589 
590  return VERIFIED;
591  }
signed int s32bit
Definition: types.h:37
X509_Code validate_cert(const X509_Certificate &, Cert_Usage=ANY)
Definition: x509stor.cpp:205
X509_Code
Definition: x509stor.h:20
u64bit system_time()
Definition: time.cpp:73
void Botan::X509_Store::add_new_certstore ( Certificate_Store certstore)

Definition at line 465 of file x509stor.cpp.

466  {
467  stores.push_back(certstore);
468  }
void Botan::X509_Store::add_trusted_certs ( DataSource source)

Definition at line 522 of file x509stor.cpp.

523  {
524  do_add_certs(source, true);
525  }
std::vector< X509_Certificate > Botan::X509_Store::get_cert_chain ( const X509_Certificate cert)

Definition at line 448 of file x509stor.cpp.

References Botan::VERIFIED.

449  {
450  std::vector<X509_Certificate> result;
451  std::vector<size_t> indexes;
452  X509_Code chaining_result = construct_cert_chain(cert, indexes, true);
453 
454  if(chaining_result != VERIFIED)
455  throw Invalid_State("X509_Store::get_cert_chain: Can't construct chain");
456 
457  for(size_t j = 0; j != indexes.size(); ++j)
458  result.push_back(certs[indexes[j]].cert);
459  return result;
460  }
X509_Code
Definition: x509stor.h:20
std::string Botan::X509_Store::PEM_encode ( ) const

Definition at line 596 of file x509stor.cpp.

597  {
598  std::string cert_store;
599  for(size_t j = 0; j != certs.size(); ++j)
600  cert_store += certs[j].cert.PEM_encode();
601  return cert_store;
602  }
X509_Code Botan::X509_Store::validate_cert ( const X509_Certificate cert,
Cert_Usage  cert_usage = ANY 
)

Definition at line 205 of file x509stor.cpp.

References Botan::CERT_HAS_EXPIRED, Botan::CERT_IS_REVOKED, Botan::CERT_NOT_YET_VALID, Botan::X509_Certificate::end_time(), Botan::X509_Certificate::start_time(), Botan::system_time(), and Botan::VERIFIED.

Referenced by add_crl().

207  {
208  recompute_revoked_info();
209 
210  std::vector<size_t> indexes;
211  X509_Code chaining_result = construct_cert_chain(cert, indexes);
212  if(chaining_result != VERIFIED)
213  return chaining_result;
214 
215  const u64bit current_time = system_time();
216 
217  s32bit time_check = validity_check(cert.start_time(), cert.end_time(),
218  current_time, time_slack);
219  if(time_check < 0) return CERT_NOT_YET_VALID;
220  else if(time_check > 0) return CERT_HAS_EXPIRED;
221 
222  X509_Code sig_check_result = check_sig(cert, certs[indexes[0]]);
223  if(sig_check_result != VERIFIED)
224  return sig_check_result;
225 
226  if(is_revoked(cert))
227  return CERT_IS_REVOKED;
228 
229  for(size_t j = 0; j != indexes.size() - 1; ++j)
230  {
231  const X509_Certificate& current_cert = certs[indexes[j]].cert;
232 
233  time_check = validity_check(current_cert.start_time(),
234  current_cert.end_time(),
235  current_time,
236  time_slack);
237 
238  if(time_check < 0) return CERT_NOT_YET_VALID;
239  else if(time_check > 0) return CERT_HAS_EXPIRED;
240 
241  sig_check_result = check_sig(certs[indexes[j]], certs[indexes[j+1]]);
242  if(sig_check_result != VERIFIED)
243  return sig_check_result;
244  }
245 
246  return usage_check(cert, cert_usage);
247  }
signed int s32bit
Definition: types.h:37
unsigned long long u64bit
Definition: types.h:49
X509_Code
Definition: x509stor.h:20
u64bit system_time()
Definition: time.cpp:73

The documentation for this class was generated from the following files: