Botan 3.3.0
Crypto and TLS for C&
Public Member Functions | Static Public Member Functions | List of all members
Botan::X509_CA Class Referencefinal

#include <x509_ca.h>

Public Member Functions

const AlgorithmIdentifieralgorithm_identifier () const
 
const X509_Certificateca_certificate () const
 
const std::string & hash_function () const
 
X509_CRL new_crl (RandomNumberGenerator &rng, std::chrono::system_clock::time_point issue_time, std::chrono::seconds next_update) const
 
X509_CRL new_crl (RandomNumberGenerator &rng, uint32_t next_update=604800) const
 
X509_CAoperator= (const X509_CA &)=delete
 
X509_CAoperator= (X509_CA &&)=default
 
X509_Certificate sign_request (const PKCS10_Request &req, RandomNumberGenerator &rng, const BigInt &serial_number, const X509_Time &not_before, const X509_Time &not_after) const
 
X509_Certificate sign_request (const PKCS10_Request &req, RandomNumberGenerator &rng, const X509_Time &not_before, const X509_Time &not_after) const
 
PK_Signersignature_op ()
 
X509_CRL update_crl (const X509_CRL &last_crl, const std::vector< CRL_Entry > &new_entries, RandomNumberGenerator &rng, std::chrono::system_clock::time_point issue_time, std::chrono::seconds next_update) const
 
X509_CRL update_crl (const X509_CRL &last_crl, const std::vector< CRL_Entry > &new_entries, RandomNumberGenerator &rng, uint32_t next_update=604800) const
 
 X509_CA (const X509_CA &)=delete
 
 X509_CA (const X509_Certificate &ca_certificate, const Private_Key &key, const std::map< std::string, std::string > &opts, std::string_view hash_fn, RandomNumberGenerator &rng)
 
 X509_CA (const X509_Certificate &ca_certificate, const Private_Key &key, std::string_view hash_fn, RandomNumberGenerator &rng)
 
 X509_CA (const X509_Certificate &ca_certificate, const Private_Key &key, std::string_view hash_fn, std::string_view padding_method, RandomNumberGenerator &rng)
 
 X509_CA (X509_CA &&)=default
 
 ~X509_CA ()
 

Static Public Member Functions

static Extensions choose_extensions (const PKCS10_Request &req, const X509_Certificate &ca_certificate, std::string_view hash_fn)
 
static X509_Certificate make_cert (PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &sig_algo, const std::vector< uint8_t > &pub_key, const X509_Time &not_before, const X509_Time &not_after, const X509_DN &issuer_dn, const X509_DN &subject_dn, const Extensions &extensions)
 
static X509_Certificate make_cert (PK_Signer &signer, RandomNumberGenerator &rng, const BigInt &serial_number, const AlgorithmIdentifier &sig_algo, const std::vector< uint8_t > &pub_key, const X509_Time &not_before, const X509_Time &not_after, const X509_DN &issuer_dn, const X509_DN &subject_dn, const Extensions &extensions)
 

Detailed Description

An interface capable of creating new X.509 certificates

Definition at line 27 of file x509_ca.h.

Constructor & Destructor Documentation

◆ X509_CA() [1/5]

Botan::X509_CA::X509_CA ( const X509_Certificate & ca_certificate,
const Private_Key & key,
std::string_view hash_fn,
std::string_view padding_method,
RandomNumberGenerator & rng )

Create a new CA object with custom padding option

This is mostly useful for creating RSA-PSS certificates

Parameters
ca_certificatethe certificate of the CA
keythe private key of the CA
hash_fnname of a hash function to use for signing
padding_methodname of the signature padding method to use
rngthe random generator to use

Definition at line 22 of file x509_ca.cpp.

26 :
27 m_ca_cert(cert) {
28 if(!m_ca_cert.is_CA_cert()) {
29 throw Invalid_Argument("X509_CA: This certificate is not for a CA");
30 }
31
32 m_signer = X509_Object::choose_sig_format(key, rng, hash_fn, padding_method);
33 m_ca_sig_algo = m_signer->algorithm_identifier();
34 m_hash_fn = m_signer->hash_function();
35}
bool is_CA_cert() const
Definition x509cert.cpp:374
static std::unique_ptr< PK_Signer > choose_sig_format(const Private_Key &key, RandomNumberGenerator &rng, std::string_view hash_fn, std::string_view padding_algo)
Definition x509_obj.cpp:209

References Botan::X509_Object::choose_sig_format(), and Botan::X509_Certificate::is_CA_cert().

◆ X509_CA() [2/5]

Botan::X509_CA::X509_CA ( const X509_Certificate & ca_certificate,
const Private_Key & key,
std::string_view hash_fn,
RandomNumberGenerator & rng )
inline

Create a new CA object.

Parameters
ca_certificatethe certificate of the CA
keythe private key of the CA
hash_fnname of a hash function to use for signing
rngthe random generator to use

Definition at line 210 of file x509_ca.h.

213 :
214 X509_CA(ca_certificate, key, hash_fn, "", rng) {}
X509_CA(const X509_Certificate &ca_certificate, const Private_Key &key, std::string_view hash_fn, std::string_view padding_method, RandomNumberGenerator &rng)
Definition x509_ca.cpp:22
const X509_Certificate & ca_certificate() const
Definition x509_ca.h:38

◆ X509_CA() [3/5]

Botan::X509_CA::X509_CA ( const X509_Certificate & ca_certificate,
const Private_Key & key,
const std::map< std::string, std::string > & opts,
std::string_view hash_fn,
RandomNumberGenerator & rng )
inline

Create a new CA object.

Parameters
ca_certificatethe certificate of the CA
keythe private key of the CA
optsadditional options, e.g. padding, as key value pairs
hash_fnname of a hash function to use for signing
rngthe random generator to use

Definition at line 226 of file x509_ca.h.

230 :
231 X509_CA(ca_certificate, key, hash_fn, opts.at("padding"), rng) {}

◆ X509_CA() [4/5]

Botan::X509_CA::X509_CA ( const X509_CA & )
delete

◆ X509_CA() [5/5]

Botan::X509_CA::X509_CA ( X509_CA && )
default

◆ ~X509_CA()

Botan::X509_CA::~X509_CA ( )
default

Member Function Documentation

◆ algorithm_identifier()

const AlgorithmIdentifier & Botan::X509_CA::algorithm_identifier ( ) const
inline

Return the algorithm identifier used to identify signatures that this CA will create.

Definition at line 33 of file x509_ca.h.

33{ return m_ca_sig_algo; }

Referenced by sign_request(), and sign_request().

◆ ca_certificate()

const X509_Certificate & Botan::X509_CA::ca_certificate ( ) const
inline

Return the CA's certificate

Definition at line 38 of file x509_ca.h.

38{ return m_ca_cert; }

Referenced by sign_request(), and sign_request().

◆ choose_extensions()

Extensions Botan::X509_CA::choose_extensions ( const PKCS10_Request & req,
const X509_Certificate & ca_certificate,
std::string_view hash_fn )
static

Return the set of extensions that will be used for a certificate.

This is a helper method that is used internally. It is also exposed so you can call it directly and then modify the extensions before creating a certificate using X509_CA::make_cert.

Definition at line 39 of file x509_ca.cpp.

41 {
42 const auto constraints = req.is_CA() ? Key_Constraints::ca_constraints() : req.constraints();
43
44 auto key = req.subject_public_key();
45 if(!constraints.compatible_with(*key)) {
46 throw Invalid_Argument("The requested key constraints are incompatible with the algorithm");
47 }
48
49 Extensions extensions = req.extensions();
50
51 extensions.replace(std::make_unique<Cert_Extension::Basic_Constraints>(req.is_CA(), req.path_limit()), true);
52
53 if(!constraints.empty()) {
54 extensions.replace(std::make_unique<Cert_Extension::Key_Usage>(constraints), true);
55 }
56
57 extensions.replace(std::make_unique<Cert_Extension::Authority_Key_ID>(ca_cert.subject_key_id()));
58 extensions.replace(std::make_unique<Cert_Extension::Subject_Key_ID>(req.raw_public_key(), hash_fn));
59
60 extensions.replace(std::make_unique<Cert_Extension::Subject_Alternative_Name>(req.subject_alt_name()));
61
62 extensions.replace(std::make_unique<Cert_Extension::Extended_Key_Usage>(req.ex_constraints()));
63
64 return extensions;
65}
static Key_Constraints ca_constraints()
Definition pkix_enums.h:149

References Botan::Key_Constraints::ca_constraints(), Botan::PKCS10_Request::constraints(), Botan::PKCS10_Request::ex_constraints(), Botan::PKCS10_Request::extensions(), Botan::PKCS10_Request::is_CA(), Botan::PKCS10_Request::path_limit(), Botan::PKCS10_Request::raw_public_key(), Botan::Extensions::replace(), Botan::PKCS10_Request::subject_alt_name(), Botan::X509_Certificate::subject_key_id(), and Botan::PKCS10_Request::subject_public_key().

Referenced by sign_request(), and sign_request().

◆ hash_function()

const std::string & Botan::X509_CA::hash_function ( ) const
inline

Return the hash function the CA is using to sign with

Definition at line 43 of file x509_ca.h.

43{ return m_hash_fn; }

◆ make_cert() [1/2]

X509_Certificate Botan::X509_CA::make_cert ( PK_Signer & signer,
RandomNumberGenerator & rng,
const AlgorithmIdentifier & sig_algo,
const std::vector< uint8_t > & pub_key,
const X509_Time & not_before,
const X509_Time & not_after,
const X509_DN & issuer_dn,
const X509_DN & subject_dn,
const Extensions & extensions )
static

Interface for creating new certificates

Parameters
signera signing object
rnga random number generator
sig_algothe signature algorithm identifier
pub_keythe serialized public key
not_beforethe start time of the certificate
not_afterthe end time of the certificate
issuer_dnthe DN of the issuer
subject_dnthe DN of the subject
extensionsan optional list of certificate extensions
Returns
newly minted certificate

Definition at line 106 of file x509_ca.cpp.

114 {
115 const size_t SERIAL_BITS = 128;
116 BigInt serial_no(rng, SERIAL_BITS);
117
118 return make_cert(
119 signer, rng, serial_no, sig_algo, pub_key, not_before, not_after, issuer_dn, subject_dn, extensions);
120}
static X509_Certificate make_cert(PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &sig_algo, const std::vector< uint8_t > &pub_key, const X509_Time &not_before, const X509_Time &not_after, const X509_DN &issuer_dn, const X509_DN &subject_dn, const Extensions &extensions)
Definition x509_ca.cpp:106

References make_cert().

Referenced by Botan::X509::create_self_signed_cert(), make_cert(), sign_request(), and sign_request().

◆ make_cert() [2/2]

X509_Certificate Botan::X509_CA::make_cert ( PK_Signer & signer,
RandomNumberGenerator & rng,
const BigInt & serial_number,
const AlgorithmIdentifier & sig_algo,
const std::vector< uint8_t > & pub_key,
const X509_Time & not_before,
const X509_Time & not_after,
const X509_DN & issuer_dn,
const X509_DN & subject_dn,
const Extensions & extensions )
static

Interface for creating new certificates

Parameters
signera signing object
rnga random number generator
serial_numberthe serial number the cert will be assigned
sig_algothe signature algorithm identifier
pub_keythe serialized public key
not_beforethe start time of the certificate
not_afterthe end time of the certificate
issuer_dnthe DN of the issuer
subject_dnthe DN of the subject
extensionsan optional list of certificate extensions
Returns
newly minted certificate

Definition at line 125 of file x509_ca.cpp.

134 {
135 const size_t X509_CERT_VERSION = 3;
136
137 // clang-format off
138 return X509_Certificate(X509_Object::make_signed(
139 signer, rng, sig_algo,
140 DER_Encoder().start_sequence()
141 .start_explicit(0)
142 .encode(X509_CERT_VERSION-1)
143 .end_explicit()
144
145 .encode(serial_no)
146
147 .encode(sig_algo)
148 .encode(issuer_dn)
149
150 .start_sequence()
151 .encode(not_before)
152 .encode(not_after)
153 .end_cons()
154
155 .encode(subject_dn)
156 .raw_bytes(pub_key)
157
158 .start_explicit(3)
159 .start_sequence()
160 .encode(extensions)
161 .end_cons()
162 .end_explicit()
163 .end_cons()
164 .get_contents()
165 ));
166 // clang-format on
167}
static std::vector< uint8_t > make_signed(PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &tbs)
Definition x509_obj.cpp:125
std::string encode(const uint8_t der[], size_t length, std::string_view label, size_t width)
Definition pem.cpp:39

References Botan::X509_Object::make_signed().

◆ new_crl() [1/2]

X509_CRL Botan::X509_CA::new_crl ( RandomNumberGenerator & rng,
std::chrono::system_clock::time_point issue_time,
std::chrono::seconds next_update ) const

Create a new and empty CRL for this CA.

Parameters
rngthe random number generator to use
issue_timethe issue time (typically system_clock::now)
next_updatethe time interval after issue_data within which a new CRL will be produced.
Returns
new CRL

Definition at line 186 of file x509_ca.cpp.

188 {
189 std::vector<CRL_Entry> empty;
190 return make_crl(empty, 1, rng, issue_time, next_update);
191}

Referenced by new_crl().

◆ new_crl() [2/2]

X509_CRL Botan::X509_CA::new_crl ( RandomNumberGenerator & rng,
uint32_t next_update = 604800 ) const

Create a new and empty CRL for this CA.

Parameters
rngthe random number generator to use
next_updatethe time to set in next update in seconds as the offset from the current time
Returns
new CRL

Definition at line 172 of file x509_ca.cpp.

172 {
173 return new_crl(rng, std::chrono::system_clock::now(), std::chrono::seconds(next_update));
174}
X509_CRL new_crl(RandomNumberGenerator &rng, std::chrono::system_clock::time_point issue_time, std::chrono::seconds next_update) const
Definition x509_ca.cpp:186

References new_crl().

◆ operator=() [1/2]

X509_CA & Botan::X509_CA::operator= ( const X509_CA & )
delete

◆ operator=() [2/2]

X509_CA & Botan::X509_CA::operator= ( X509_CA && )
default

◆ sign_request() [1/2]

X509_Certificate Botan::X509_CA::sign_request ( const PKCS10_Request & req,
RandomNumberGenerator & rng,
const BigInt & serial_number,
const X509_Time & not_before,
const X509_Time & not_after ) const

Sign a PKCS#10 Request.

Parameters
reqthe request to sign
rngthe rng to use
serial_numberthe serial number the cert will be assigned.
not_beforethe starting time for the certificate
not_afterthe expiration time for the certificate
Returns
resulting certificate

Definition at line 67 of file x509_ca.cpp.

71 {
72 auto extensions = choose_extensions(req, m_ca_cert, m_hash_fn);
73
74 return make_cert(*m_signer,
75 rng,
76 serial_number,
78 req.raw_public_key(),
79 not_before,
80 not_after,
81 ca_certificate().subject_dn(),
82 req.subject_dn(),
83 extensions);
84}
const AlgorithmIdentifier & algorithm_identifier() const
Definition x509_ca.h:33
static Extensions choose_extensions(const PKCS10_Request &req, const X509_Certificate &ca_certificate, std::string_view hash_fn)
Definition x509_ca.cpp:39
const X509_DN & subject_dn() const
Definition x509cert.cpp:362

References algorithm_identifier(), ca_certificate(), choose_extensions(), make_cert(), Botan::PKCS10_Request::raw_public_key(), and Botan::PKCS10_Request::subject_dn().

◆ sign_request() [2/2]

X509_Certificate Botan::X509_CA::sign_request ( const PKCS10_Request & req,
RandomNumberGenerator & rng,
const X509_Time & not_before,
const X509_Time & not_after ) const

Sign a PKCS#10 Request.

Parameters
reqthe request to sign
rngthe rng to use
not_beforethe starting time for the certificate
not_afterthe expiration time for the certificate
Returns
resulting certificate

Definition at line 89 of file x509_ca.cpp.

92 {
93 auto extensions = choose_extensions(req, m_ca_cert, m_hash_fn);
94
95 return make_cert(*m_signer,
96 rng,
98 req.raw_public_key(),
99 not_before,
100 not_after,
101 ca_certificate().subject_dn(),
102 req.subject_dn(),
103 extensions);
104}

References algorithm_identifier(), ca_certificate(), choose_extensions(), make_cert(), Botan::PKCS10_Request::raw_public_key(), and Botan::PKCS10_Request::subject_dn().

◆ signature_op()

PK_Signer & Botan::X509_CA::signature_op ( )
inline

Return the signature object this CA uses to sign with

Definition at line 48 of file x509_ca.h.

48{ return *m_signer; }

◆ update_crl() [1/2]

X509_CRL Botan::X509_CA::update_crl ( const X509_CRL & last_crl,
const std::vector< CRL_Entry > & new_entries,
RandomNumberGenerator & rng,
std::chrono::system_clock::time_point issue_time,
std::chrono::seconds next_update ) const

Create a new CRL by with additional entries.

Parameters
last_crlthe last CRL of this CA to add the new entries to
new_entriescontains the new CRL entries to be added to the CRL
rngthe random number generator to use
issue_timethe issue time (typically system_clock::now)
next_updatethe time interval after issue_data within which a new CRL will be produced.

Definition at line 193 of file x509_ca.cpp.

197 {
198 std::vector<CRL_Entry> revoked = last_crl.get_revoked();
199
200 std::copy(new_revoked.begin(), new_revoked.end(), std::back_inserter(revoked));
201
202 return make_crl(revoked, last_crl.crl_number() + 1, rng, issue_time, next_update);
203}

References Botan::X509_CRL::crl_number(), and Botan::X509_CRL::get_revoked().

Referenced by update_crl().

◆ update_crl() [2/2]

X509_CRL Botan::X509_CA::update_crl ( const X509_CRL & last_crl,
const std::vector< CRL_Entry > & new_entries,
RandomNumberGenerator & rng,
uint32_t next_update = 604800 ) const

Create a new CRL by with additional entries.

Parameters
last_crlthe last CRL of this CA to add the new entries to
new_entriescontains the new CRL entries to be added to the CRL
rngthe random number generator to use
next_updatethe time to set in next update in seconds as the offset from the current time

Definition at line 179 of file x509_ca.cpp.

182 {
183 return update_crl(crl, new_revoked, rng, std::chrono::system_clock::now(), std::chrono::seconds(next_update));
184}
X509_CRL update_crl(const X509_CRL &last_crl, const std::vector< CRL_Entry > &new_entries, RandomNumberGenerator &rng, std::chrono::system_clock::time_point issue_time, std::chrono::seconds next_update) const
Definition x509_ca.cpp:193

References update_crl().


The documentation for this class was generated from the following files: