consolidate into Flatfile_Certificate_Store

author: Patrick Schmidt <[email protected]> 2019-04-11 11:16:38 +0200
committer: Rene Meusel <[email protected]> 2019-04-12 13:59:17 +0200
commit: e609d6084ac700e7a3fb966ac176b1b8bcf616ff (patch)
tree: 5369f29d57ce6f4bfaaa09a63ef34c0038c08a35 /src
parent: 26f04c686d07f82bc93bfc4ac80123e21258f6dd (diff)
7 files changed, 36 insertions, 88 deletions
diff --git a/src/build-data/os/linux.txt b/src/build-data/os/linux.txt
index dfda7ce9f..208e13b9b 100644
--- a/src/build-data/os/linux.txt
+++ b/src/build-data/os/linux.txt
@@ -10,8 +10,6 @@ proc_fs
 clock_gettime
 getauxval
 
-linux_certstore
-
 # not enabled by default as only available in newer kernel/glibc
 #getrandom
 
diff --git a/src/lib/x509/certstor_flatfile/certstor_flatfile.cpp b/src/lib/x509/certstor_flatfile/certstor_flatfile.cpp
index 261204925..cf0ca2d90 100644
--- a/src/lib/x509/certstor_flatfile/certstor_flatfile.cpp
+++ b/src/lib/x509/certstor_flatfile/certstor_flatfile.cpp
@@ -14,16 +14,22 @@
 
 namespace Botan {
 namespace {
-std::vector<secure_vector<uint8_t>> decode_all(DataSource& source)
+std::vector<std::vector<uint8_t>> decode_all_certificates(DataSource& source)
    {
-   std::vector<secure_vector<uint8_t>> pems;
+   std::vector<std::vector<uint8_t>> pems;
 
    while(!source.end_of_data())
       {
       std::string label;
+      std::vector<uint8_t> cert;
       try
          {
-         pems.push_back(PEM_Code::decode(source, label));
+         cert = unlock(PEM_Code::decode(source, label));
+
+         if(label == "CERTIFICATE" || label == "X509 CERTIFICATE" || label == "TRUSTED CERTIFICATE")
+            {
+            pems.push_back(cert);
+            }
          }
       catch(const Decoding_Error&) {}
       }
@@ -32,28 +38,34 @@ std::vector<secure_vector<uint8_t>> decode_all(DataSource& source)
    }
 }
 
-Flatfile_Certificate_Store::Flatfile_Certificate_Store()
-   {
-   }
-
 Flatfile_Certificate_Store::Flatfile_Certificate_Store(const std::string& file)
    {
    if(file.empty())
       {
-      return;
+      throw Invalid_Argument("Flatfile_Certificate_Store::Flatfile_Certificate_Store invalid file path");
       }
 
    DataSource_Stream file_stream(file);
 
-   for(const secure_vector<uint8_t> der : decode_all(file_stream))
+   for(const std::vector<uint8_t> der : decode_all_certificates(file_stream))
       {
       std::shared_ptr<const X509_Certificate> cert = std::make_shared<const X509_Certificate>(der.data(), der.size());
 
+      if(!cert->is_self_signed() || !cert->is_CA_cert())
+         {
+         throw Invalid_Argument("Flatfile_Certificate_Store::Flatfile_Certificate_Store certificate is not self-signed CA");
+         }
+
       m_all_subjects.push_back(cert->subject_dn());
       m_dn_to_cert.emplace(cert->subject_dn(), cert);
       m_pubkey_sha1_to_cert.emplace(cert->subject_public_key_bitstring_sha1(), cert);
       m_subject_dn_sha256_to_cert.emplace(cert->raw_subject_dn_sha256(), cert);
       }
+
+   if(m_all_subjects.empty())
+      {
+      throw Invalid_Argument("Flatfile_Certificate_Store::Flatfile_Certificate_Store cert file is empty");
+      }
    }
 
 std::vector<X509_DN> Flatfile_Certificate_Store::all_subjects() const
diff --git a/src/lib/x509/certstor_flatfile/certstor_flatfile.h b/src/lib/x509/certstor_flatfile/certstor_flatfile.h
index 8ecca9401..611bd3895 100644
--- a/src/lib/x509/certstor_flatfile/certstor_flatfile.h
+++ b/src/lib/x509/certstor_flatfile/certstor_flatfile.h
@@ -19,11 +19,13 @@ namespace Botan {
 /**
 * Certificate Store that is backed by a file of PEMs of trusted CAs.
 */
-class BOTAN_PUBLIC_API(2, 11) Flatfile_Certificate_Store : public Certificate_Store
+class BOTAN_PUBLIC_API(2, 11) Flatfile_Certificate_Store final : public Certificate_Store
    {
    public:
-      Flatfile_Certificate_Store();
-
+      /**
+      * Construct a new Certificate_Store given a file path to a file including
+      * PEMs of trusted self-signed CAs.
+      */
       Flatfile_Certificate_Store(const std::string& file);
 
       Flatfile_Certificate_Store(const Flatfile_Certificate_Store&) = default;
@@ -59,9 +61,6 @@ class BOTAN_PUBLIC_API(2, 11) Flatfile_Certificate_Store : public Certificate_St
       std::shared_ptr<const X509_Certificate>
       find_cert_by_pubkey_sha1(const std::vector<uint8_t>& key_hash) const override;
 
-      /**
-       * @throws Botan::Not_Implemented
-       */
       std::shared_ptr<const X509_Certificate>
       find_cert_by_raw_subject_dn_sha256(const std::vector<uint8_t>& subject_hash) const override;
 
diff --git a/src/lib/x509/certstor_system_linux/certstor_linux.cpp b/src/lib/x509/certstor_system_linux/certstor_linux.cpp
deleted file mode 100644
index dcd325933..000000000
--- a/src/lib/x509/certstor_system_linux/certstor_linux.cpp
+++ /dev/null
@@ -1,18 +0,0 @@
-/*
-* Certificate Store
-* (C) 1999-2019 Jack Lloyd
-* (C) 2019      Patrick Schmidt
-*
-* Botan is released under the Simplified BSD License (see license.txt)
-*/
-
-#include <botan/build.h>
-
-#include <botan/certstor_linux.h>
-
-namespace Botan {
-Certificate_Store_Linux::Certificate_Store_Linux() :
-   Flatfile_Certificate_Store(BOTAN_LINUX_CERTSTORE_DEFAULT_FILE)
-   {
-   }
-}
diff --git a/src/lib/x509/certstor_system_linux/certstor_linux.h b/src/lib/x509/certstor_system_linux/certstor_linux.h
deleted file mode 100644
index d92364da9..000000000
--- a/src/lib/x509/certstor_system_linux/certstor_linux.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
-* Certificate Store
-* (C) 1999-2019 Jack Lloyd
-* (C) 2019      Patrick Schmidt
-*
-* Botan is released under the Simplified BSD License (see license.txt)
-*/
-
-#ifndef BOTAN_CERT_STORE_SYSTEM_LINUX_H_
-#define BOTAN_CERT_STORE_SYSTEM_LINUX_H_
-
-#include <botan/certstor_flatfile.h>
-
-namespace Botan {
-
-/**
-* Certificate Store that is backed by a file of PEMs of trusted CAs located at
-* BOTAN_LINUX_CERTSTORE_DEFAULT_FILE.
-*/
-class BOTAN_PUBLIC_API(2, 11) Certificate_Store_Linux final : public Flatfile_Certificate_Store
-   {
-   public:
-      Certificate_Store_Linux();
-   };
-}
-
-#endif
diff --git a/src/lib/x509/certstor_system_linux/info.txt b/src/lib/x509/certstor_system_linux/info.txt
deleted file mode 100644
index 53a82dbb6..000000000
--- a/src/lib/x509/certstor_system_linux/info.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-<defines>
-CERTSTOR_LINUX -> 20190402
-</defines>
-
-<os_features>
-linux_certstore
-</os_features>
-
-<requires>
-certstor_flatfile
-</requires>
-
-<header:public>
-certstor_linux.h
-</header:public>
-
diff --git a/src/tests/test_certstor_linux.cpp b/src/tests/test_certstor_linux.cpp
index 5cd991a44..05114231b 100644
--- a/src/tests/test_certstor_linux.cpp
+++ b/src/tests/test_certstor_linux.cpp
@@ -7,10 +7,10 @@
 
 #include "tests.h"
 
-#if defined(BOTAN_HAS_CERTSTOR_LINUX)
+#if defined(BOTAN_HAS_CERTSTOR_FLATFILE) && defined(BOTAN_SYSTEM_CERT_BUNDLE)
 
 #include "test_certstor_utils.h"
-#include <botan/certstor_linux.h>
+#include <botan/certstor_flatfile.h>
 #include <botan/ber_dec.h>
 #include <botan/der_enc.h>
 #include <botan/hex.h>
@@ -26,7 +26,7 @@ Test::Result open_certificate_store()
    try
       {
       result.start_timer();
-      Botan::Certificate_Store_Linux unused;
+      Botan::Flatfile_Certificate_Store unused(BOTAN_SYSTEM_CERT_BUNDLE);
       result.end_timer();
       result.test_gt("found some certificates", unused.all_subjects().size(), 0);
       }
@@ -47,7 +47,7 @@ Test::Result find_certificate_by_pubkey_sha1()
    try
       {
       result.start_timer();
-      Botan::Certificate_Store_Linux certstore;
+      Botan::Flatfile_Certificate_Store certstore(BOTAN_SYSTEM_CERT_BUNDLE);
       auto cert = certstore.find_cert_by_pubkey_sha1(get_key_id());
       result.end_timer();
 
@@ -65,7 +65,7 @@ Test::Result find_certificate_by_pubkey_sha1()
 
    result.test_throws("on invalid SHA1 hash data", [&]
       {
-      Botan::Certificate_Store_Linux certstore;
+      Botan::Flatfile_Certificate_Store certstore(BOTAN_SYSTEM_CERT_BUNDLE);
       certstore.find_cert_by_pubkey_sha1({});
       });
 
@@ -81,7 +81,7 @@ Test::Result find_cert_by_subject_dn()
       auto dn = get_dn();
 
       result.start_timer();
-      Botan::Certificate_Store_Linux certstore;
+      Botan::Flatfile_Certificate_Store certstore(BOTAN_SYSTEM_CERT_BUNDLE);
       auto cert = certstore.find_cert(dn, std::vector<uint8_t>());
       result.end_timer();
 
@@ -109,7 +109,7 @@ Test::Result find_cert_by_subject_dn_and_key_id()
       auto dn = get_dn();
 
       result.start_timer();
-      Botan::Certificate_Store_Linux certstore;
+      Botan::Flatfile_Certificate_Store certstore(BOTAN_SYSTEM_CERT_BUNDLE);
       auto cert = certstore.find_cert(dn, get_key_id());
       result.end_timer();
 
@@ -137,7 +137,7 @@ Test::Result find_certs_by_subject_dn_and_key_id()
       auto dn = get_dn();
 
       result.start_timer();
-      Botan::Certificate_Store_Linux certstore;
+      Botan::Flatfile_Certificate_Store certstore(BOTAN_SYSTEM_CERT_BUNDLE);
       auto certs = certstore.find_all_certs(dn, get_key_id());
       result.end_timer();
 
@@ -164,7 +164,7 @@ Test::Result find_all_subjects()
    try
       {
       result.start_timer();
-      Botan::Certificate_Store_Linux certstore;
+      Botan::Flatfile_Certificate_Store certstore(BOTAN_SYSTEM_CERT_BUNDLE);
       auto subjects = certstore.all_subjects();
       result.end_timer();
 
@@ -202,7 +202,7 @@ Test::Result no_certificate_matches()
       auto kid = get_unknown_key_id();
 
       result.start_timer();
-      Botan::Certificate_Store_Linux certstore;
+      Botan::Flatfile_Certificate_Store certstore(BOTAN_SYSTEM_CERT_BUNDLE);
 
       auto certs = certstore.find_all_certs(dn, kid);
       auto cert = certstore.find_cert(dn, kid);
author	Patrick Schmidt <[email protected]>	2019-04-11 11:16:38 +0200
committer	Rene Meusel <[email protected]>	2019-04-12 13:59:17 +0200
commit	e609d6084ac700e7a3fb966ac176b1b8bcf616ff (patch)
tree	5369f29d57ce6f4bfaaa09a63ef34c0038c08a35 /src
parent	26f04c686d07f82bc93bfc4ac80123e21258f6dd (diff)