5079590438

Committed 25 May 2023 12:28PM UTC coverage: 92.228% (+0.5%) from 91.723%

Build # 5079590438

Build Type

Pull #3502

github

Pull Request Pull Request #3502: Apply clang-format to the codebase

Run Details

75589 of 81959 relevant lines covered (92.23%)

12139530.51 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

82.72

/src/cli/x509.cpp

/*
* (C) 2010,2014,2015,2018 Jack Lloyd
* (C) 2017 René Korthaus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include "cli.h"

#if defined(BOTAN_HAS_X509_CERTIFICATES) && defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)

   #include <botan/certstor.h>
   #include <botan/data_src.h>
   #include <botan/pk_keys.h>
   #include <botan/pkcs8.h>
   #include <botan/x509_ca.h>
   #include <botan/x509cert.h>
   #include <botan/x509path.h>
   #include <botan/x509self.h>

   #if defined(BOTAN_HAS_OCSP)
      #include <botan/ocsp.h>
   #endif

   #if defined(BOTAN_HAS_CERTSTOR_SYSTEM)
      #include <botan/certstor_system.h>
   #endif

namespace Botan_CLI {

   #if defined(BOTAN_HAS_CERTSTOR_SYSTEM)

class Trust_Root_Info final : public Command {
   public:
      Trust_Root_Info() : Command("trust_roots --dn --dn-only --display") {}

      std::string group() const override { return "x509"; }

      std::string description() const override { return "List certs in the system trust store"; }

      void go() override {
         Botan::System_Certificate_Store trust_roots;

         const auto dn_list = trust_roots.all_subjects();

         if(flag_set("dn-only")) {
            for(const auto& dn : dn_list)
               output() << dn << "\n";
         } else {
            for(const auto& dn : dn_list) {
               // Some certstores have more than one cert with a particular DN
               for(const auto& cert : trust_roots.find_all_certs(dn, std::vector<uint8_t>())) {
                  if(flag_set("dn"))
                     output() << "# " << dn << "\n";

                  if(flag_set("display"))
                     output() << cert.to_string() << "\n";

                  output() << cert.PEM_encode() << "\n";
               }
            }
         }
      }
};

BOTAN_REGISTER_COMMAND("trust_roots", Trust_Root_Info);

   #endif

class Sign_Cert final : public Command {
   public:
      Sign_Cert() :
            Command(
               "sign_cert --ca-key-pass= --hash= "
               "--duration=365 --emsa= ca_cert ca_key pkcs10_req") {}

      std::string group() const override { return "x509"; }

      std::string description() const override { return "Create a CA-signed X.509 certificate from a PKCS #10 CSR"; }

      void go() override {
         Botan::X509_Certificate ca_cert(get_arg("ca_cert"));

         const std::string key_file = get_arg("ca_key");
         const std::string pass = get_passphrase_arg("Password for " + key_file, "ca-key-pass");
         const std::string emsa = get_arg("emsa");
         const std::string hash = get_arg("hash");

         std::unique_ptr<Botan::Private_Key> key;
         Botan::DataSource_Stream key_stream(key_file);
         if(!pass.empty()) {
            key = Botan::PKCS8::load_key(key_stream, pass);
         } else {
            key = Botan::PKCS8::load_key(key_stream);
         }

         if(!key) {
            throw CLI_Error("Failed to load key from " + key_file);
         }

         Botan::X509_CA ca(ca_cert, *key, hash, emsa, rng());

         Botan::PKCS10_Request req(get_arg("pkcs10_req"));

         auto now = std::chrono::system_clock::now();

         Botan::X509_Time start_time(now);

         typedef std::chrono::duration<int, std::ratio<86400>> days;

         Botan::X509_Time end_time(now + days(get_arg_sz("duration")));

         Botan::X509_Certificate new_cert = ca.sign_request(req, rng(), start_time, end_time);

         output() << new_cert.PEM_encode();
      }
};

BOTAN_REGISTER_COMMAND("sign_cert", Sign_Cert);

class Cert_Info final : public Command {
   public:
      Cert_Info() : Command("cert_info --fingerprint file") {}

      std::string group() const override { return "x509"; }

      std::string description() const override { return "Parse X.509 certificate and display data fields"; }

      void go() override {
         const std::string arg_file = get_arg("file");

         std::vector<uint8_t> data = slurp_file(get_arg("file"));

         Botan::DataSource_Memory in(data);

         while(!in.end_of_data()) {
            try {
               Botan::X509_Certificate cert(in);

               try {
                  output() << cert.to_string() << std::endl;
               } catch(Botan::Exception& e) {
                  // to_string failed - report the exception and continue
                  output() << "X509_Certificate::to_string failed: " << e.what() << "\n";
               }

               if(flag_set("fingerprint"))
                  output() << "Fingerprint: " << cert.fingerprint("SHA-256") << std::endl;
            } catch(Botan::Exception& e) {
               if(!in.end_of_data()) {
                  output() << "X509_Certificate parsing failed " << e.what() << "\n";
               }
            }
         }
      }
};

BOTAN_REGISTER_COMMAND("cert_info", Cert_Info);

   #if defined(BOTAN_HAS_OCSP) && defined(BOTAN_HAS_HTTP_UTIL)

class OCSP_Check final : public Command {
   public:
      OCSP_Check() : Command("ocsp_check --timeout=3000 subject issuer") {}

      std::string group() const override { return "x509"; }

      std::string description() const override {
         return "Verify an X.509 certificate against the issuers OCSP responder";
      }

      void go() override {
         Botan::X509_Certificate subject(get_arg("subject"));
         Botan::X509_Certificate issuer(get_arg("issuer"));
         std::chrono::milliseconds timeout(get_arg_sz("timeout"));

         Botan::Certificate_Store_In_Memory cas;
         cas.add_certificate(issuer);
         Botan::OCSP::Response resp = Botan::OCSP::online_check(issuer, subject, timeout);

         auto status = resp.status_for(issuer, subject, std::chrono::system_clock::now());

         if(status == Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD) {
            output() << "OCSP check OK\n";
         } else {
            output() << "OCSP check failed " << Botan::Path_Validation_Result::status_string(status) << "\n";
         }
      }
};

BOTAN_REGISTER_COMMAND("ocsp_check", OCSP_Check);

   #endif  // OCSP && HTTP

class Cert_Verify final : public Command {
   public:
      Cert_Verify() : Command("cert_verify subject *ca_certs") {}

      std::string group() const override { return "x509"; }

      std::string description() const override {
         return "Verify if the passed X.509 certificate passes path validation";
      }

      void go() override {
         Botan::X509_Certificate subject_cert(get_arg("subject"));
         Botan::Certificate_Store_In_Memory trusted;

         for(const auto& certfile : get_arg_list("ca_certs")) {
            trusted.add_certificate(Botan::X509_Certificate(certfile));
         }

         Botan::Path_Validation_Restrictions restrictions;

         Botan::Path_Validation_Result result = Botan::x509_path_validate(subject_cert, restrictions, trusted);

         if(result.successful_validation()) {
            output() << "Certificate passes validation checks\n";
         } else {
            output() << "Certificate did not validate - " << result.result_string() << "\n";
         }
      }
};

BOTAN_REGISTER_COMMAND("cert_verify", Cert_Verify);

class Gen_Self_Signed final : public Command {
   public:
      Gen_Self_Signed() :
            Command(
               "gen_self_signed key CN --country= --dns= "
               "--organization= --email= --path-limit=1 --days=365 --key-pass= --ca --hash= --emsa= --der") {}

      std::string group() const override { return "x509"; }

      std::string description() const override { return "Generate a self signed X.509 certificate"; }

      void go() override {
         const std::string key_file = get_arg("key");
         const std::string passphrase = get_passphrase_arg("Passphrase for " + key_file, "key-pass");
         Botan::DataSource_Stream key_stream(key_file);
         std::unique_ptr<Botan::Private_Key> key = Botan::PKCS8::load_key(key_stream, passphrase);

         if(!key) {
            throw CLI_Error("Failed to load key from " + get_arg("key"));
         }

         const uint32_t lifetime = static_cast<uint32_t>(get_arg_sz("days") * 24 * 60 * 60);

         Botan::X509_Cert_Options opts("", lifetime);

         opts.common_name = get_arg("CN");
         opts.country = get_arg("country");
         opts.organization = get_arg("organization");
         opts.email = get_arg("email");
         opts.more_dns = Command::split_on(get_arg("dns"), ',');
         const bool der_format = flag_set("der");

         std::string emsa = get_arg("emsa");

         if(emsa.empty() == false)
            opts.set_padding_scheme(emsa);

         if(flag_set("ca")) {
            opts.CA_key(get_arg_sz("path-limit"));
         }

         Botan::X509_Certificate cert = Botan::X509::create_self_signed_cert(opts, *key, get_arg("hash"), rng());

         if(der_format) {
            auto der = cert.BER_encode();
            output().write(reinterpret_cast<const char*>(der.data()), der.size());
         } else
            output() << cert.PEM_encode();
      }
};

BOTAN_REGISTER_COMMAND("gen_self_signed", Gen_Self_Signed);

class Generate_PKCS10 final : public Command {
   public:
      Generate_PKCS10() :
            Command(
               "gen_pkcs10 key CN --country= --organization= "
               "--ca --path-limit=1 --email= --dns= --ext-ku= --key-pass= --hash= --emsa=") {}

      std::string group() const override { return "x509"; }

      std::string description() const override { return "Generate a PKCS #10 certificate signing request (CSR)"; }

      void go() override {
         Botan::DataSource_Stream key_stream(get_arg("key"));
         std::unique_ptr<Botan::Private_Key> key = Botan::PKCS8::load_key(key_stream, get_arg("key-pass"));

         if(!key) {
            throw CLI_Error("Failed to load key from " + get_arg("key"));
         }

         Botan::X509_Cert_Options opts;

         opts.common_name = get_arg("CN");
         opts.country = get_arg("country");
         opts.organization = get_arg("organization");
         opts.email = get_arg("email");
         opts.more_dns = Command::split_on(get_arg("dns"), ',');

         if(flag_set("ca")) {
            opts.CA_key(get_arg_sz("path-limit"));
         }

         for(const std::string& ext_ku : Command::split_on(get_arg("ext-ku"), ',')) {
            opts.add_ex_constraint(ext_ku);
         }

         std::string emsa = get_arg("emsa");

         if(emsa.empty() == false)
            opts.set_padding_scheme(emsa);

         Botan::PKCS10_Request req = Botan::X509::create_cert_req(opts, *key, get_arg("hash"), rng());

         output() << req.PEM_encode();
      }
};

BOTAN_REGISTER_COMMAND("gen_pkcs10", Generate_PKCS10);

}

#endif

1	/*
2	* (C) 2010,2014,2015,2018 Jack Lloyd
3	* (C) 2017 René Korthaus, Rohde & Schwarz Cybersecurity
4	*
5	* Botan is released under the Simplified BSD License (see license.txt)
6	*/
7
8	#include "cli.h"
9
10	#if defined(BOTAN_HAS_X509_CERTIFICATES) && defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
11
12	#include <botan/certstor.h>
13	#include <botan/data_src.h>
14	#include <botan/pk_keys.h>
15	#include <botan/pkcs8.h>
16	#include <botan/x509_ca.h>
17	#include <botan/x509cert.h>
18	#include <botan/x509path.h>
19	#include <botan/x509self.h>
20
21	#if defined(BOTAN_HAS_OCSP)
22	#include <botan/ocsp.h>
23	#endif
24
25	#if defined(BOTAN_HAS_CERTSTOR_SYSTEM)
26	#include <botan/certstor_system.h>
27	#endif
28
29	namespace Botan_CLI {
30
31	#if defined(BOTAN_HAS_CERTSTOR_SYSTEM)
32
33	class Trust_Root_Info final : public Command {
34	public:
35	Trust_Root_Info() : Command("trust_roots --dn --dn-only --display") {}	6✔
36
37	std::string group() const override { return "x509"; }	1✔
38
39	std::string description() const override { return "List certs in the system trust store"; }	1✔
40
41	void go() override {	2✔
42	Botan::System_Certificate_Store trust_roots;	2✔
43
44	const auto dn_list = trust_roots.all_subjects();	2✔
45
46	if(flag_set("dn-only")) {	2✔
47	for(const auto& dn : dn_list)	125✔
48	output() << dn << "\n";	124✔
49	} else {
50	for(const auto& dn : dn_list) {	125✔
51	// Some certstores have more than one cert with a particular DN
52	for(const auto& cert : trust_roots.find_all_certs(dn, std::vector<uint8_t>())) {	248✔
53	if(flag_set("dn"))	124✔
54	output() << "# " << dn << "\n";	×
55
56	if(flag_set("display"))	124✔
57	output() << cert.to_string() << "\n";	×
58
59	output() << cert.PEM_encode() << "\n";	372✔
60	}	124✔
61	}
62	}
63	}	2✔
64	};
65
66	BOTAN_REGISTER_COMMAND("trust_roots", Trust_Root_Info);	3✔
67
68	#endif
69
70	class Sign_Cert final : public Command {
71	public:
72	Sign_Cert() :	13✔
73	Command(
74	"sign_cert --ca-key-pass= --hash= "
75	"--duration=365 --emsa= ca_cert ca_key pkcs10_req") {}	26✔
76
77	std::string group() const override { return "x509"; }	1✔
78
79	std::string description() const override { return "Create a CA-signed X.509 certificate from a PKCS #10 CSR"; }	1✔
80
81	void go() override {	12✔
82	Botan::X509_Certificate ca_cert(get_arg("ca_cert"));	24✔
83
84	const std::string key_file = get_arg("ca_key");	12✔
85	const std::string pass = get_passphrase_arg("Password for " + key_file, "ca-key-pass");	24✔
86	const std::string emsa = get_arg("emsa");	12✔
87	const std::string hash = get_arg("hash");	12✔
88
89	std::unique_ptr<Botan::Private_Key> key;	12✔
90	Botan::DataSource_Stream key_stream(key_file);	12✔
91	if(!pass.empty()) {	12✔
92	key = Botan::PKCS8::load_key(key_stream, pass);	×
93	} else {
94	key = Botan::PKCS8::load_key(key_stream);	12✔
95	}
96
97	if(!key) {	12✔
98	throw CLI_Error("Failed to load key from " + key_file);	×
99	}
100
101	Botan::X509_CA ca(ca_cert, *key, hash, emsa, rng());	12✔
102
103	Botan::PKCS10_Request req(get_arg("pkcs10_req"));	24✔
104
105	auto now = std::chrono::system_clock::now();	12✔
106
107	Botan::X509_Time start_time(now);	12✔
108
109	typedef std::chrono::duration<int, std::ratio<86400>> days;	12✔
110
111	Botan::X509_Time end_time(now + days(get_arg_sz("duration")));	12✔
112
113	Botan::X509_Certificate new_cert = ca.sign_request(req, rng(), start_time, end_time);	12✔
114
115	output() << new_cert.PEM_encode();	24✔
116	}	24✔
117	};
118
119	BOTAN_REGISTER_COMMAND("sign_cert", Sign_Cert);	13✔
120
121	class Cert_Info final : public Command {
122	public:
123	Cert_Info() : Command("cert_info --fingerprint file") {}	4✔
124
125	std::string group() const override { return "x509"; }	1✔
126
127	std::string description() const override { return "Parse X.509 certificate and display data fields"; }	1✔
128
129	void go() override {	1✔
130	const std::string arg_file = get_arg("file");	1✔
131
132	std::vector<uint8_t> data = slurp_file(get_arg("file"));	2✔
133
134	Botan::DataSource_Memory in(data);	1✔
135
136	while(!in.end_of_data()) {	3✔
137	try {	2✔
138	Botan::X509_Certificate cert(in);	2✔
139
140	try {	1✔
141	output() << cert.to_string() << std::endl;	3✔
142	} catch(Botan::Exception& e) {	×
143	// to_string failed - report the exception and continue
144	output() << "X509_Certificate::to_string failed: " << e.what() << "\n";	×
145	}	×
146
147	if(flag_set("fingerprint"))	1✔
148	output() << "Fingerprint: " << cert.fingerprint("SHA-256") << std::endl;	3✔
149	} catch(Botan::Exception& e) {	2✔
150	if(!in.end_of_data()) {	1✔
151	output() << "X509_Certificate parsing failed " << e.what() << "\n";	×
152	}
153	}	1✔
154	}
155	}	3✔
156	};
157
158	BOTAN_REGISTER_COMMAND("cert_info", Cert_Info);	2✔
159
160	#if defined(BOTAN_HAS_OCSP) && defined(BOTAN_HAS_HTTP_UTIL)
161
162	class OCSP_Check final : public Command {
163	public:
164	OCSP_Check() : Command("ocsp_check --timeout=3000 subject issuer") {}	2✔
165
166	std::string group() const override { return "x509"; }	1✔
167
168	std::string description() const override {	1✔
169	return "Verify an X.509 certificate against the issuers OCSP responder";	1✔
170	}
171
172	void go() override {	×
173	Botan::X509_Certificate subject(get_arg("subject"));	×
174	Botan::X509_Certificate issuer(get_arg("issuer"));	×
175	std::chrono::milliseconds timeout(get_arg_sz("timeout"));	×
176
177	Botan::Certificate_Store_In_Memory cas;	×
178	cas.add_certificate(issuer);	×
179	Botan::OCSP::Response resp = Botan::OCSP::online_check(issuer, subject, timeout);	×
180
181	auto status = resp.status_for(issuer, subject, std::chrono::system_clock::now());	×
182
183	if(status == Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD) {	×
184	output() << "OCSP check OK\n";	×
185	} else {
186	output() << "OCSP check failed " << Botan::Path_Validation_Result::status_string(status) << "\n";	×
187	}
188	}	×
189	};
190
191	BOTAN_REGISTER_COMMAND("ocsp_check", OCSP_Check);	1✔
192
193	#endif // OCSP && HTTP
194
195	class Cert_Verify final : public Command {
196	public:
197	Cert_Verify() : Command("cert_verify subject *ca_certs") {}	18✔
198
199	std::string group() const override { return "x509"; }	1✔
200
201	std::string description() const override {	1✔
202	return "Verify if the passed X.509 certificate passes path validation";	1✔
203	}
204
205	void go() override {	8✔
206	Botan::X509_Certificate subject_cert(get_arg("subject"));	16✔
207	Botan::Certificate_Store_In_Memory trusted;	8✔
208
209	for(const auto& certfile : get_arg_list("ca_certs")) {	17✔
210	trusted.add_certificate(Botan::X509_Certificate(certfile));	9✔
211	}	8✔
212
213	Botan::Path_Validation_Restrictions restrictions;	16✔
214
215	Botan::Path_Validation_Result result = Botan::x509_path_validate(subject_cert, restrictions, trusted);	8✔
216
217	if(result.successful_validation()) {	8✔
218	output() << "Certificate passes validation checks\n";	5✔
219	} else {
220	output() << "Certificate did not validate - " << result.result_string() << "\n";	9✔
221	}
222	}	8✔
223	};
224
225	BOTAN_REGISTER_COMMAND("cert_verify", Cert_Verify);	9✔
226
227	class Gen_Self_Signed final : public Command {
228	public:
229	Gen_Self_Signed() :	9✔
230	Command(
231	"gen_self_signed key CN --country= --dns= "
232	"--organization= --email= --path-limit=1 --days=365 --key-pass= --ca --hash= --emsa= --der") {}	18✔
233
234	std::string group() const override { return "x509"; }	1✔
235
236	std::string description() const override { return "Generate a self signed X.509 certificate"; }	1✔
237
238	void go() override {	8✔
239	const std::string key_file = get_arg("key");	8✔
240	const std::string passphrase = get_passphrase_arg("Passphrase for " + key_file, "key-pass");	16✔
241	Botan::DataSource_Stream key_stream(key_file);	8✔
242	std::unique_ptr<Botan::Private_Key> key = Botan::PKCS8::load_key(key_stream, passphrase);	8✔
243
244	if(!key) {	8✔
245	throw CLI_Error("Failed to load key from " + get_arg("key"));	×
246	}
247
248	const uint32_t lifetime = static_cast<uint32_t>(get_arg_sz("days") * 24 * 60 * 60);	8✔
249
250	Botan::X509_Cert_Options opts("", lifetime);	8✔
251
252	opts.common_name = get_arg("CN");	8✔
253	opts.country = get_arg("country");	8✔
254	opts.organization = get_arg("organization");	8✔
255	opts.email = get_arg("email");	8✔
256	opts.more_dns = Command::split_on(get_arg("dns"), ',');	8✔
257	const bool der_format = flag_set("der");	8✔
258
259	std::string emsa = get_arg("emsa");	8✔
260
261	if(emsa.empty() == false)	8✔
262	opts.set_padding_scheme(emsa);	×
263
264	if(flag_set("ca")) {	8✔
265	opts.CA_key(get_arg_sz("path-limit"));	16✔
266	}
267
268	Botan::X509_Certificate cert = Botan::X509::create_self_signed_cert(opts, *key, get_arg("hash"), rng());	16✔
269
270	if(der_format) {	8✔
271	auto der = cert.BER_encode();	×
272	output().write(reinterpret_cast<const char*>(der.data()), der.size());	×
273	} else	×
274	output() << cert.PEM_encode();	24✔
275	}	24✔
276	};
277
278	BOTAN_REGISTER_COMMAND("gen_self_signed", Gen_Self_Signed);	9✔
279
280	class Generate_PKCS10 final : public Command {
281	public:
282	Generate_PKCS10() :	13✔
283	Command(
284	"gen_pkcs10 key CN --country= --organization= "
285	"--ca --path-limit=1 --email= --dns= --ext-ku= --key-pass= --hash= --emsa=") {}	26✔
286
287	std::string group() const override { return "x509"; }	1✔
288
289	std::string description() const override { return "Generate a PKCS #10 certificate signing request (CSR)"; }	1✔
290
291	void go() override {	12✔
292	Botan::DataSource_Stream key_stream(get_arg("key"));	24✔
293	std::unique_ptr<Botan::Private_Key> key = Botan::PKCS8::load_key(key_stream, get_arg("key-pass"));	24✔
294
295	if(!key) {	12✔
296	throw CLI_Error("Failed to load key from " + get_arg("key"));	×
297	}
298
299	Botan::X509_Cert_Options opts;	12✔
300
301	opts.common_name = get_arg("CN");	12✔
302	opts.country = get_arg("country");	12✔
303	opts.organization = get_arg("organization");	12✔
304	opts.email = get_arg("email");	12✔
305	opts.more_dns = Command::split_on(get_arg("dns"), ',');	12✔
306
307	if(flag_set("ca")) {	12✔
308	opts.CA_key(get_arg_sz("path-limit"));	8✔
309	}
310
311	for(const std::string& ext_ku : Command::split_on(get_arg("ext-ku"), ',')) {	12✔
312	opts.add_ex_constraint(ext_ku);	×
313	}	12✔
314
315	std::string emsa = get_arg("emsa");	12✔
316
317	if(emsa.empty() == false)	12✔
318	opts.set_padding_scheme(emsa);	×
319
320	Botan::PKCS10_Request req = Botan::X509::create_cert_req(opts, *key, get_arg("hash"), rng());	24✔
321
322	output() << req.PEM_encode();	24✔
323	}	24✔
324	};
325
326	BOTAN_REGISTER_COMMAND("gen_pkcs10", Generate_PKCS10);	13✔
327
328	}
329
330	#endif

randombit / botan / 5079590438

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous