LIEF: Library to Instrument Executable Formats Version 1.0.0
Loading...
Searching...
No Matches
x509.hpp
Go to the documentation of this file.
1/* Copyright 2017 - 2026 R. Thomas
2 * Copyright 2017 - 2026 Quarkslab
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16#ifndef LIEF_PE_X509_H
17#define LIEF_PE_X509_H
18#include <array>
19#include <memory>
20#include <vector>
21
22#include "LIEF/Object.hpp"
23#include "LIEF/visibility.h"
24
25#include "LIEF/PE/enums.hpp"
26
28
29#include "LIEF/enums.hpp"
30
31struct mbedtls_x509_crt;
32
33namespace LIEF {
34namespace PE {
35
36class Parser;
37class SignatureParser;
38class Signature;
39
40class RsaInfo;
41
43class LIEF_API x509 : public Object {
44
45 friend class Parser;
46 friend class SignatureParser;
47 friend class Signature;
48
49 public:
51 using date_t = std::array<int32_t, 6>;
52
53 using certificates_t = std::vector<x509>;
54
56 static certificates_t parse(const std::string& path);
57
59 static certificates_t parse(const std::vector<uint8_t>& content);
60
62 static bool check_time(const date_t& before, const date_t& after);
63
65 static bool time_is_past(const date_t& to);
66
68 static bool time_is_future(const date_t& from);
69
71 enum class KEY_TYPES : uint32_t {
72 NONE = 0,
74 ECKEY,
75 ECKEY_DH,
76 ECDSA,
77 RSA_ALT,
79 RSASSA_PSS,
80 };
81
85 enum class VERIFICATION_FLAGS : uint32_t {
87 OK = 0,
88
90 BADCERT_EXPIRED = 1 << 0,
91
93 BADCERT_REVOKED = 1 << 1,
94
96 BADCERT_CN_MISMATCH = 1 << 2,
97
99 BADCERT_NOT_TRUSTED = 1 << 3,
100
102 BADCRL_NOT_TRUSTED = 1 << 4,
103
105 BADCRL_EXPIRED = 1 << 5,
106
108 BADCERT_MISSING = 1 << 6,
109
111 BADCERT_SKIP_VERIFY = 1 << 7,
112
115 BADCERT_OTHER = 1 << 8,
116
118 BADCERT_FUTURE = 1 << 9,
119
121 BADCRL_FUTURE = 1 << 10,
122
124 BADCERT_KEY_USAGE = 1 << 11,
125
127 BADCERT_EXT_KEY_USAGE = 1 << 12,
128
130 BADCERT_NS_CERT_TYPE = 1 << 13,
131
133 BADCERT_BAD_MD = 1 << 14,
134
136 BADCERT_BAD_PK = 1 << 15,
137
140 BADCERT_BAD_KEY = 1 << 16,
141
143 BADCRL_BAD_MD = 1 << 17,
144
146 BADCRL_BAD_PK = 1 << 18,
147
149 BADCRL_BAD_KEY = 1 << 19,
150 };
151
154 enum class KEY_USAGE : uint32_t {
156 DIGITAL_SIGNATURE = 0,
159 NON_REPUDIATION,
160
162 KEY_ENCIPHERMENT,
163
166 DATA_ENCIPHERMENT,
167
169 KEY_AGREEMENT,
170
172 KEY_CERT_SIGN,
173
175 CRL_SIGN,
176
179 ENCIPHER_ONLY,
180
183 DECIPHER_ONLY,
184 };
185
186 x509(mbedtls_x509_crt* ca);
187 x509(const x509& other);
189 void swap(x509& other);
190
192 uint32_t version() const;
193
195 std::vector<uint8_t> serial_number() const;
196
199
202
205
207 std::string issuer() const;
208
210 std::string subject() const;
211
214 bool check_signature(const std::vector<uint8_t>& hash,
215 const std::vector<uint8_t>& signature,
216 ALGORITHMS digest) const;
217
219 std::vector<uint8_t> raw() const;
220
223
226 std::unique_ptr<RsaInfo> rsa_info() const;
227
230
232 VERIFICATION_FLAGS is_trusted_by(const std::vector<x509>& ca) const;
233
235 std::vector<oid_t> certificate_policies() const;
236
238 std::vector<KEY_USAGE> key_usage() const;
239
242 std::vector<oid_t> ext_key_usage() const;
243
244 bool is_ca() const;
245
247 std::vector<uint8_t> signature() const;
248
249 void accept(Visitor& visitor) const override;
250
251 ~x509() override;
252
253 LIEF_API friend std::ostream& operator<<(std::ostream& os,
254 const x509& x509_cert);
255
256 private:
257 x509();
258 mbedtls_x509_crt* x509_cert_ = nullptr;
259};
260
261}
262}
263
265
266#endif
Main interface to parse PE binaries. In particular, the static Parser::parse functions should be used...
Definition PE/Parser.hpp:53
Object that wraps a RSA key.
Definition RsaInfo.hpp:29
Definition SignatureParser.hpp:36
Main interface for the PKCS #7 signature scheme.
Definition Signature.hpp:40
std::string issuer() const
Issuer information.
void swap(x509 &other)
date_t valid_from() const
Start time of certificate validity.
KEY_USAGE
Key usage as defined in RFC #5280 - section-4.2.1.3.
Definition x509.hpp:154
std::vector< uint8_t > serial_number() const
Unique id for certificate issued by a specific CA.
std::vector< uint8_t > raw() const
The raw x509 bytes (DER encoded).
static certificates_t parse(const std::string &path)
Parse x509 certificate(s) from file path.
std::vector< uint8_t > signature() const
The signature of the certificate.
VERIFICATION_FLAGS verify(const x509 &ca) const
Verify that this certificate has been used to trust the given certificate.
friend class Signature
Definition x509.hpp:47
std::unique_ptr< RsaInfo > rsa_info() const
If the underlying public-key scheme is RSA, return the RSA information. Otherwise,...
void accept(Visitor &visitor) const override
x509 & operator=(x509 other)
std::string subject() const
Subject information.
std::vector< KEY_USAGE > key_usage() const
Purpose of the key contained in the certificate.
static bool time_is_past(const date_t &to)
True if the given time is in the past according to the clock's system.
static bool check_time(const date_t &before, const date_t &after)
Return True if before is before than after. False otherwise.
std::vector< x509 > certificates_t
Definition x509.hpp:53
oid_t signature_algorithm() const
Signature algorithm (OID).
bool is_ca() const
KEY_TYPES key_type() const
Return the underlying public-key scheme.
std::array< int32_t, 6 > date_t
Tuple (Year, Month, Day, Hour, Minute, Second).
Definition x509.hpp:51
~x509() override
friend class SignatureParser
Definition x509.hpp:46
x509(mbedtls_x509_crt *ca)
uint32_t version() const
X.509 version. (1=v1, 2=v2, 3=v3).
friend class Parser
Definition x509.hpp:45
bool check_signature(const std::vector< uint8_t > &hash, const std::vector< uint8_t > &signature, ALGORITHMS digest) const
Try to decrypt the given signature and check if it matches the given hash according to the hash algor...
VERIFICATION_FLAGS is_trusted_by(const std::vector< x509 > &ca) const
Verify that this certificate is trusted by the given CA list.
VERIFICATION_FLAGS
Mirror of mbedtls's X509 Verify codes: MBEDTLS_X509_XX.
Definition x509.hpp:85
x509(const x509 &other)
KEY_TYPES
Public key scheme.
Definition x509.hpp:71
static bool time_is_future(const date_t &from)
True if the given time is in the future according to the clock's system.
std::vector< oid_t > ext_key_usage() const
Indicates one or more purposes for which the certified public key may be used (OID types).
static certificates_t parse(const std::vector< uint8_t > &content)
Parse x509 certificate(s) from raw blob.
std::vector< oid_t > certificate_policies() const
Policy information terms as OID (see RFC #5280).
date_t valid_to() const
End time of certificate validity.
friend std::ostream & operator<<(std::ostream &os, const x509 &x509_cert)
Definition Visitor.hpp:212
#define ENABLE_BITMASK_OPERATORS(X)
Definition enums.hpp:24
Namespace related to the LIEF's PE module.
Definition Abstract/Header.hpp:32
ALGORITHMS
Cryptography algorithms.
Definition PE/enums.hpp:28
@ RSA
Definition PE/enums.hpp:39
std::string oid_t
Definition PE/signature/types.hpp:23
LIEF namespace.
Definition Abstract/Binary.hpp:41
Hash::value_type hash(const Object &v)
#define LIEF_API
Definition visibility.h:45