Botan  2.4.0
Crypto and TLS for C++11
Public Member Functions | Static Public Member Functions | Protected Member Functions | List of all members
Botan::PKCS10_Request Class Referencefinal

#include <pkcs10.h>

Inheritance diagram for Botan::PKCS10_Request:
Botan::X509_Object Botan::ASN1_Object

Public Member Functions

std::vector< uint8_t > BER_encode () const
 
std::string challenge_password () const
 
bool check_signature (const Public_Key &key) const
 
bool check_signature (const Public_Key *key) const
 
Key_Constraints constraints () const
 
void decode_from (class BER_Decoder &from) override
 
void encode_into (class DER_Encoder &to) const override
 
std::vector< OIDex_constraints () const
 
const Extensionsextensions () const
 
std::string hash_used_for_signature () const
 
bool is_CA () const
 
size_t path_limit () const
 
std::string PEM_encode () const
 
 PKCS10_Request (DataSource &source)
 
 PKCS10_Request (const std::vector< uint8_t > &vec)
 
const std::vector< uint8_t > & raw_public_key () const
 
const std::vector< uint8_t > & signature () const
 
const AlgorithmIdentifiersignature_algorithm () const
 
const std::vector< uint8_t > & signed_body () const
 
const AlternativeNamesubject_alt_name () const
 
const X509_DNsubject_dn () const
 
Public_Keysubject_public_key () const
 
std::vector< uint8_t > tbs_data () const
 
Certificate_Status_Code verify_signature (const Public_Key &key) const
 

Static Public Member Functions

static std::vector< uint8_t > make_signed (class PK_Signer *signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &tbs)
 

Protected Member Functions

void load_data (DataSource &src)
 

Detailed Description

PKCS #10 Certificate Request.

Definition at line 27 of file pkcs10.h.

Constructor & Destructor Documentation

◆ PKCS10_Request() [1/2]

Botan::PKCS10_Request::PKCS10_Request ( DataSource source)
explicit

Create a PKCS#10 Request from a data source.

Parameters
sourcethe data source providing the DER encoded request

Definition at line 36 of file pkcs10.cpp.

Referenced by PKCS10_Request().

37  {
38  load_data(src);
39  }
void load_data(DataSource &src)
Definition: x509_obj.cpp:52

◆ PKCS10_Request() [2/2]

Botan::PKCS10_Request::PKCS10_Request ( const std::vector< uint8_t > &  vec)
explicit

Member Function Documentation

◆ BER_encode()

std::vector< uint8_t > Botan::X509_Object::BER_encode ( ) const
inherited
Returns
BER encoding of this

Definition at line 122 of file x509_obj.cpp.

References Botan::DER_Encoder::get_contents_unlocked().

123  {
124  DER_Encoder der;
125  encode_into(der);
126  return der.get_contents_unlocked();
127  }
void encode_into(class DER_Encoder &to) const override
Definition: x509_obj.cpp:92

◆ challenge_password()

std::string Botan::PKCS10_Request::challenge_password ( ) const

Get the challenge password for this request

Returns
challenge password for this request

Definition at line 159 of file pkcs10.cpp.

160  {
161  return data().m_challenge;
162  }

◆ check_signature() [1/2]

bool Botan::X509_Object::check_signature ( const Public_Key key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data
Returns
true if the signature is valid, otherwise false

Definition at line 186 of file x509_obj.cpp.

References Botan::VERIFIED.

187  {
188  const Certificate_Status_Code code = verify_signature(pub_key);
189  return (code == Certificate_Status_Code::VERIFIED);
190  }
Certificate_Status_Code verify_signature(const Public_Key &key) const
Definition: x509_obj.cpp:192
Certificate_Status_Code
Definition: cert_status.h:18

◆ check_signature() [2/2]

bool Botan::X509_Object::check_signature ( const Public_Key key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data the object will be deleted after use (this should have been a std::unique_ptr<Public_Key>)
Returns
true if the signature is valid, otherwise false

Definition at line 178 of file x509_obj.cpp.

179  {
180  if(!pub_key)
181  throw Exception("No key provided for " + PEM_label() + " signature check");
182  std::unique_ptr<const Public_Key> key(pub_key);
183  return check_signature(*key);
184  }
virtual std::string PEM_label() const =0
bool check_signature(const Public_Key &key) const
Definition: x509_obj.cpp:186

◆ constraints()

Key_Constraints Botan::PKCS10_Request::constraints ( ) const

Get the key constraints for the key associated with this PKCS#10 object.

Returns
key constraints

Definition at line 208 of file pkcs10.cpp.

References Botan::Cert_Extension::Key_Usage::get_constraints(), Botan::OIDS::lookup(), and Botan::NO_CONSTRAINTS.

Referenced by Botan::X509_CA::sign_request().

209  {
210  if(auto ext = extensions().get(OIDS::lookup("X509v3.KeyUsage")))
211  {
212  return dynamic_cast<Cert_Extension::Key_Usage&>(*ext).get_constraints();
213  }
214 
215  return NO_CONSTRAINTS;
216  }
const Extensions & extensions() const
Definition: pkcs10.cpp:200
std::string lookup(const OID &oid)
Definition: oids.cpp:18

◆ decode_from()

void Botan::X509_Object::decode_from ( class BER_Decoder from)
overridevirtualinherited

Decode a BER encoded X509_Object See ASN1_Object::decode_from()

Implements Botan::ASN1_Object.

Definition at line 106 of file x509_obj.cpp.

References Botan::BIT_STRING, Botan::BER_Decoder::decode(), Botan::BER_Decoder::end_cons(), Botan::BER_Decoder::raw_bytes(), Botan::SEQUENCE, and Botan::BER_Decoder::start_cons().

107  {
108  from.start_cons(SEQUENCE)
109  .start_cons(SEQUENCE)
110  .raw_bytes(m_tbs_bits)
111  .end_cons()
112  .decode(m_sig_algo)
113  .decode(m_sig, BIT_STRING)
114  .end_cons();
115 
116  force_decode();
117  }

◆ encode_into()

void Botan::X509_Object::encode_into ( class DER_Encoder to) const
overridevirtualinherited

DER encode an X509_Object See ASN1_Object::encode_into()

Implements Botan::ASN1_Object.

Definition at line 92 of file x509_obj.cpp.

References Botan::BIT_STRING, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), Botan::SEQUENCE, and Botan::DER_Encoder::start_cons().

Referenced by Botan::Certificate_Store_In_SQL::insert_cert().

93  {
94  to.start_cons(SEQUENCE)
95  .start_cons(SEQUENCE)
96  .raw_bytes(signed_body())
97  .end_cons()
98  .encode(signature_algorithm())
99  .encode(signature(), BIT_STRING)
100  .end_cons();
101  }
const AlgorithmIdentifier & signature_algorithm() const
Definition: x509_obj.h:47
const std::vector< uint8_t > & signature() const
Definition: x509_obj.h:37
const std::vector< uint8_t > & signed_body() const
Definition: x509_obj.h:42

◆ ex_constraints()

std::vector< OID > Botan::PKCS10_Request::ex_constraints ( ) const

Get the extendend key constraints (if any).

Returns
extended key constraints

Definition at line 221 of file pkcs10.cpp.

References Botan::Cert_Extension::Extended_Key_Usage::get_oids(), and Botan::OIDS::lookup().

Referenced by Botan::X509_CA::sign_request().

222  {
223  if(auto ext = extensions().get(OIDS::lookup("X509v3.ExtendedKeyUsage")))
224  {
225  return dynamic_cast<Cert_Extension::Extended_Key_Usage&>(*ext).get_oids();
226  }
227 
228  return {};
229  }
const Extensions & extensions() const
Definition: pkcs10.cpp:200
std::string lookup(const OID &oid)
Definition: oids.cpp:18

◆ extensions()

const Extensions & Botan::PKCS10_Request::extensions ( ) const

Get the X509v3 extensions.

Returns
X509v3 extensions

Definition at line 200 of file pkcs10.cpp.

Referenced by Botan::X509_CA::sign_request().

201  {
202  return data().m_extensions;
203  }

◆ hash_used_for_signature()

std::string Botan::X509_Object::hash_used_for_signature ( ) const
inherited
Returns
hash algorithm that was used to generate signature

Definition at line 148 of file x509_obj.cpp.

References Botan::OID::as_string(), hash_algo, Botan::OIDS::lookup(), Botan::parse_algorithm_name(), and Botan::split_on().

149  {
150  const OID& oid = m_sig_algo.get_oid();
151  std::vector<std::string> sig_info = split_on(OIDS::lookup(oid), '/');
152 
153  if(sig_info.size() != 2)
154  throw Internal_Error("Invalid name format found for " +
155  oid.as_string());
156 
157  if(sig_info[1] == "EMSA4")
158  {
159  return OIDS::lookup(decode_pss_params(signature_algorithm().get_parameters()).hash_algo.get_oid());
160  }
161  else
162  {
163  std::vector<std::string> pad_and_hash =
164  parse_algorithm_name(sig_info[1]);
165 
166  if(pad_and_hash.size() != 2)
167  {
168  throw Internal_Error("Invalid name format " + sig_info[1]);
169  }
170 
171  return pad_and_hash[1];
172  }
173  }
const AlgorithmIdentifier & signature_algorithm() const
Definition: x509_obj.h:47
std::vector< std::string > split_on(const std::string &str, char delim)
Definition: parsing.cpp:142
std::vector< std::string > parse_algorithm_name(const std::string &namex)
Definition: parsing.cpp:89
AlgorithmIdentifier hash_algo
Definition: x509_obj.cpp:22
const OID & get_oid() const
Definition: alg_id.h:37
std::string lookup(const OID &oid)
Definition: oids.cpp:18

◆ is_CA()

bool Botan::PKCS10_Request::is_CA ( ) const

Find out whether this is a CA request.

Returns
true if it is a CA request, false otherwise.

Definition at line 234 of file pkcs10.cpp.

References Botan::Cert_Extension::Basic_Constraints::get_is_ca(), and Botan::OIDS::lookup().

Referenced by Botan::X509_CA::sign_request().

235  {
236  if(auto ext = extensions().get(OIDS::lookup("X509v3.BasicConstraints")))
237  {
238  return dynamic_cast<Cert_Extension::Basic_Constraints&>(*ext).get_is_ca();
239  }
240 
241  return false;
242  }
const Extensions & extensions() const
Definition: pkcs10.cpp:200
std::string lookup(const OID &oid)
Definition: oids.cpp:18

◆ load_data()

void Botan::X509_Object::load_data ( DataSource src)
protectedinherited

Decodes from src as either DER or PEM data, then calls force_decode()

Definition at line 52 of file x509_obj.cpp.

References Botan::PEM_Code::decode(), Botan::PEM_Code::matches(), Botan::ASN1::maybe_BER(), and Botan::Exception::what().

53  {
54  try {
55  if(ASN1::maybe_BER(in) && !PEM_Code::matches(in))
56  {
57  BER_Decoder dec(in);
58  decode_from(dec);
59  }
60  else
61  {
62  std::string got_label;
63  DataSource_Memory ber(PEM_Code::decode(in, got_label));
64 
65  if(got_label != PEM_label())
66  {
67  bool is_alternate = false;
68  for(std::string alt_label : alternate_PEM_labels())
69  {
70  if(got_label == alt_label)
71  {
72  is_alternate = true;
73  break;
74  }
75  }
76 
77  if(!is_alternate)
78  throw Decoding_Error("Unexpected PEM label for " + PEM_label() + " of " + got_label);
79  }
80 
81  BER_Decoder dec(ber);
82  decode_from(dec);
83  }
84  }
85  catch(Decoding_Error& e)
86  {
87  throw Decoding_Error(PEM_label() + " decoding failed: " + e.what());
88  }
89  }
virtual std::vector< std::string > alternate_PEM_labels() const
Definition: x509_obj.h:118
virtual std::string PEM_label() const =0
bool maybe_BER(DataSource &source)
Definition: asn1_obj.cpp:116
void decode_from(class BER_Decoder &from) override
Definition: x509_obj.cpp:106
bool matches(DataSource &source, const std::string &extra, size_t search_range)
Definition: pem.cpp:142
secure_vector< uint8_t > decode(DataSource &source, std::string &label)
Definition: pem.cpp:68

◆ make_signed()

std::vector< uint8_t > Botan::X509_Object::make_signed ( class PK_Signer signer,
RandomNumberGenerator rng,
const AlgorithmIdentifier alg_id,
const secure_vector< uint8_t > &  tbs 
)
staticinherited

Create a signed X509 object.

Parameters
signerthe signer used to sign the object
rngthe random number generator to use
alg_idthe algorithm identifier of the signature scheme
tbsthe tbs bits to be signed
Returns
signed X509 object

Definition at line 271 of file x509_obj.cpp.

References Botan::BIT_STRING, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::get_contents_unlocked(), Botan::DER_Encoder::raw_bytes(), Botan::SEQUENCE, Botan::PK_Signer::sign_message(), and Botan::DER_Encoder::start_cons().

Referenced by Botan::X509::create_cert_req(), Botan::X509_CA::make_cert(), and Botan::X509_CA::update_crl().

275  {
276  const std::vector<uint8_t> signature = signer->sign_message(tbs_bits, rng);
277 
278  return DER_Encoder()
279  .start_cons(SEQUENCE)
280  .raw_bytes(tbs_bits)
281  .encode(algo)
282  .encode(signature, BIT_STRING)
283  .end_cons()
284  .get_contents_unlocked();
285  }
const std::vector< uint8_t > & signature() const
Definition: x509_obj.h:37

◆ path_limit()

size_t Botan::PKCS10_Request::path_limit ( ) const

Return the constraint on the path length defined in the BasicConstraints extension.

Returns
path limit

Definition at line 247 of file pkcs10.cpp.

References Botan::Cert_Extension::Basic_Constraints::get_is_ca(), Botan::Cert_Extension::Basic_Constraints::get_path_limit(), and Botan::OIDS::lookup().

Referenced by Botan::X509_CA::sign_request().

248  {
249  if(auto ext = extensions().get(OIDS::lookup("X509v3.BasicConstraints")))
250  {
251  Cert_Extension::Basic_Constraints& basic_constraints = dynamic_cast<Cert_Extension::Basic_Constraints&>(*ext);
252  if(basic_constraints.get_is_ca())
253  {
254  return basic_constraints.get_path_limit();
255  }
256  }
257 
258  return 0;
259  }
const Extensions & extensions() const
Definition: pkcs10.cpp:200
std::string lookup(const OID &oid)
Definition: oids.cpp:18

◆ PEM_encode()

std::string Botan::X509_Object::PEM_encode ( ) const
inherited
Returns
PEM encoding of this

Definition at line 132 of file x509_obj.cpp.

References Botan::PKCS8::BER_encode(), and Botan::PEM_Code::encode().

133  {
135  }
virtual std::string PEM_label() const =0
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
Definition: pem.cpp:43
std::vector< uint8_t > BER_encode() const
Definition: x509_obj.cpp:122

◆ raw_public_key()

const std::vector< uint8_t > & Botan::PKCS10_Request::raw_public_key ( ) const

Get the raw DER encoded public key.

Returns
raw DER encoded public key

Definition at line 175 of file pkcs10.cpp.

Referenced by Botan::X509_CA::sign_request().

176  {
177  return data().m_public_key_bits;
178  }

◆ signature()

const std::vector<uint8_t>& Botan::X509_Object::signature ( ) const
inlineinherited
Returns
signature on tbs_data()

Definition at line 37 of file x509_obj.h.

Referenced by Botan::X509_Certificate::operator<(), and Botan::X509_Certificate::operator==().

37 { return m_sig; }

◆ signature_algorithm()

const AlgorithmIdentifier& Botan::X509_Object::signature_algorithm ( ) const
inlineinherited
Returns
signature algorithm that was used to generate signature

Definition at line 47 of file x509_obj.h.

References Botan::PKCS8::BER_encode(), and Botan::PKCS8::PEM_encode().

Referenced by Botan::X509_CRL::is_revoked(), Botan::X509_Certificate::operator==(), Botan::X509_CA::X509_CA(), and Botan::X509_Certificate::X509_Certificate().

47 { return m_sig_algo; }

◆ signed_body()

const std::vector<uint8_t>& Botan::X509_Object::signed_body ( ) const
inlineinherited

◆ subject_alt_name()

const AlternativeName & Botan::PKCS10_Request::subject_alt_name ( ) const

Get the subject alternative name.

Returns
subject alternative name.

Definition at line 192 of file pkcs10.cpp.

Referenced by Botan::X509_CA::sign_request().

193  {
194  return data().m_alt_name;
195  }

◆ subject_dn()

const X509_DN & Botan::PKCS10_Request::subject_dn ( ) const

Get the subject DN.

Returns
subject DN

Definition at line 167 of file pkcs10.cpp.

Referenced by Botan::X509_CA::sign_request().

168  {
169  return data().m_subject_dn;
170  }

◆ subject_public_key()

Public_Key * Botan::PKCS10_Request::subject_public_key ( ) const

Get the subject public key.

Returns
subject public key

Definition at line 183 of file pkcs10.cpp.

References Botan::X509::load_key().

Referenced by Botan::X509_CA::sign_request().

184  {
185  DataSource_Memory source(raw_public_key());
186  return X509::load_key(source);
187  }
const std::vector< uint8_t > & raw_public_key() const
Definition: pkcs10.cpp:175
Public_Key * load_key(DataSource &source)
Definition: x509_key.cpp:37

◆ tbs_data()

std::vector< uint8_t > Botan::X509_Object::tbs_data ( ) const
inherited

The underlying data that is to be or was signed

Returns
data that is or was signed

Definition at line 140 of file x509_obj.cpp.

References Botan::ASN1::put_in_sequence().

141  {
142  return ASN1::put_in_sequence(m_tbs_bits);
143  }
std::vector< uint8_t > put_in_sequence(const std::vector< uint8_t > &contents)
Definition: asn1_obj.cpp:96

◆ verify_signature()

Certificate_Status_Code Botan::X509_Object::verify_signature ( const Public_Key key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data
Returns
status of the signature - OK if verified or otherwise an indicator of the problem preventing verification.

Definition at line 192 of file x509_obj.cpp.

References Botan::Public_Key::algo_name(), Botan::DER_SEQUENCE, hash_algo, Botan::IEEE_1363, Botan::OIDS::lookup(), Botan::Public_Key::message_parts(), Botan::SIGNATURE_ALGO_BAD_PARAMS, Botan::SIGNATURE_ALGO_UNKNOWN, Botan::SIGNATURE_ERROR, Botan::split_on(), Botan::ASN1::to_string(), Botan::UNTRUSTED_HASH, Botan::VERIFIED, and Botan::PK_Verifier::verify_message().

Referenced by Botan::X509_Certificate::X509_Certificate().

193  {
194  const std::vector<std::string> sig_info =
195  split_on(OIDS::lookup(m_sig_algo.get_oid()), '/');
196 
197  if(sig_info.size() != 2 || sig_info[0] != pub_key.algo_name())
199 
200  std::string padding = sig_info[1];
201  const Signature_Format format =
202  (pub_key.message_parts() >= 2) ? DER_SEQUENCE : IEEE_1363;
203 
204  if(padding == "EMSA4")
205  {
206  // "MUST contain RSASSA-PSS-params"
207  if(signature_algorithm().parameters.empty())
208  {
210  }
211 
212  Pss_params pss_parameter = decode_pss_params(signature_algorithm().parameters);
213 
214  // hash_algo must be SHA1, SHA2-224, SHA2-256, SHA2-384 or SHA2-512
215  const std::string hash_algo = OIDS::lookup(pss_parameter.hash_algo.oid);
216  if(hash_algo != "SHA-160" &&
217  hash_algo != "SHA-224" &&
218  hash_algo != "SHA-256" &&
219  hash_algo != "SHA-384" &&
220  hash_algo != "SHA-512")
221  {
223  }
224 
225  const std::string mgf_algo = OIDS::lookup(pss_parameter.mask_gen_algo.oid);
226  if(mgf_algo != "MGF1")
227  {
229  }
230 
231  // For MGF1, it is strongly RECOMMENDED that the underlying hash function be the same as the one identified by hashAlgorithm
232  // Must be SHA1, SHA2-224, SHA2-256, SHA2-384 or SHA2-512
233  if(pss_parameter.mask_gen_hash.oid != pss_parameter.hash_algo.oid)
234  {
236  }
237 
238  if(pss_parameter.trailer_field != 1)
239  {
241  }
242 
243  // salt_len is actually not used for verification. Length is inferred from the signature
244  padding += "(" + hash_algo + "," + mgf_algo + "," + std::to_string(pss_parameter.salt_len) + ")";
245  }
246 
247  try
248  {
249  PK_Verifier verifier(pub_key, padding, format);
250  const bool valid = verifier.verify_message(tbs_data(), signature());
251 
252  if(valid)
254  else
256  }
257  catch(Algorithm_Not_Found&)
258  {
260  }
261  catch(...)
262  {
263  // This shouldn't happen, fallback to generic signature error
265  }
266  }
const AlgorithmIdentifier & signature_algorithm() const
Definition: x509_obj.h:47
std::vector< uint8_t > parameters
Definition: alg_id.h:45
std::vector< std::string > split_on(const std::string &str, char delim)
Definition: parsing.cpp:142
Signature_Format
Definition: pubkey.h:27
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:108
const std::vector< uint8_t > & signature() const
Definition: x509_obj.h:37
std::vector< uint8_t > tbs_data() const
Definition: x509_obj.cpp:140
AlgorithmIdentifier hash_algo
Definition: x509_obj.cpp:22
const OID & get_oid() const
Definition: alg_id.h:37
std::string lookup(const OID &oid)
Definition: oids.cpp:18

The documentation for this class was generated from the following files: