Botan 3.0.0
Crypto and TLS for C&
Public Member Functions | Static Public Member Functions | Protected Member Functions | List of all members
Botan::PKCS10_Request Class Referencefinal

#include <pkcs10.h>

Inheritance diagram for Botan::PKCS10_Request:
Botan::X509_Object Botan::ASN1_Object

Public Member Functions

std::vector< uint8_t > BER_encode () const
 
std::string challenge_password () const
 
bool check_signature (const Public_Key &key) const
 
Key_Constraints constraints () const
 
void decode_from (BER_Decoder &from) override
 
void encode_into (DER_Encoder &to) const override
 
std::vector< OIDex_constraints () const
 
const Extensionsextensions () const
 
bool is_CA () const
 
size_t path_limit () const
 
std::string PEM_encode () const
 
 PKCS10_Request (const std::vector< uint8_t > &vec)
 
 PKCS10_Request (DataSource &source)
 
const std::vector< uint8_t > & raw_public_key () const
 
const std::vector< uint8_t > & signature () const
 
const AlgorithmIdentifiersignature_algorithm () const
 
const std::vector< uint8_t > & signed_body () const
 
const AlternativeNamesubject_alt_name () const
 
const X509_DNsubject_dn () const
 
std::unique_ptr< Public_Keysubject_public_key () const
 
std::vector< uint8_t > tbs_data () const
 
std::pair< Certificate_Status_Code, std::string > verify_signature (const Public_Key &key) const
 

Static Public Member Functions

static std::unique_ptr< PK_Signerchoose_sig_format (const Private_Key &key, RandomNumberGenerator &rng, std::string_view hash_fn, std::string_view padding_algo)
 
static PKCS10_Request create (const Private_Key &key, const X509_DN &subject_dn, const Extensions &extensions, std::string_view hash_fn, RandomNumberGenerator &rng, std::string_view padding_scheme="", std::string_view challenge="")
 
static std::vector< uint8_t > make_signed (PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &tbs)
 

Protected Member Functions

void load_data (DataSource &src)
 

Detailed Description

PKCS #10 Certificate Request.

Definition at line 28 of file pkcs10.h.

Constructor & Destructor Documentation

◆ PKCS10_Request() [1/2]

Botan::PKCS10_Request::PKCS10_Request ( DataSource source)
explicit

Create a PKCS#10 Request from a data source.

Parameters
sourcethe data source providing the DER encoded request

Definition at line 38 of file pkcs10.cpp.

39 {
40 load_data(src);
41 }
void load_data(DataSource &src)
Definition: x509_obj.cpp:23

References Botan::X509_Object::load_data().

◆ PKCS10_Request() [2/2]

Botan::PKCS10_Request::PKCS10_Request ( const std::vector< uint8_t > &  vec)
explicit

Create a PKCS#10 Request from binary data.

Parameters
veca std::vector containing the DER value

Definition at line 43 of file pkcs10.cpp.

44 {
45 DataSource_Memory src(vec.data(), vec.size());
46 load_data(src);
47 }

References Botan::X509_Object::load_data().

Member Function Documentation

◆ BER_encode()

std::vector< uint8_t > Botan::ASN1_Object::BER_encode ( ) const
inherited

Return the encoding of this object. This is a convenience method when just one object needs to be serialized. Use DER_Encoder for complicated encodings.

Definition at line 17 of file asn1_obj.cpp.

18 {
19 std::vector<uint8_t> output;
20 DER_Encoder der(output);
21 this->encode_into(der);
22 return output;
23 }
virtual void encode_into(DER_Encoder &to) const =0

References Botan::ASN1_Object::encode_into().

Referenced by Botan::PSS_Params::decode_from(), Botan::Certificate_Store_In_SQL::find_all_certs(), Botan::Certificate_Store_In_SQL::find_cert(), Botan::X509_Certificate::fingerprint(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::X509_Object::PEM_encode(), and Botan::Certificate_Store_In_SQL::revoke_cert().

◆ challenge_password()

std::string Botan::PKCS10_Request::challenge_password ( ) const

Get the challenge password for this request

Returns
challenge password for this request

Definition at line 200 of file pkcs10.cpp.

201 {
202 return data().m_challenge;
203 }

◆ check_signature()

bool Botan::X509_Object::check_signature ( const Public_Key key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data
Returns
true if the signature is valid, otherwise false

Definition at line 109 of file x509_obj.cpp.

110 {
111 const auto result = this->verify_signature(pub_key);
112 return (result.first == Certificate_Status_Code::VERIFIED);
113 }
std::pair< Certificate_Status_Code, std::string > verify_signature(const Public_Key &key) const
Definition: x509_obj.cpp:116

References Botan::VERIFIED, and Botan::X509_Object::verify_signature().

◆ choose_sig_format()

std::unique_ptr< PK_Signer > Botan::X509_Object::choose_sig_format ( const Private_Key key,
RandomNumberGenerator rng,
std::string_view  hash_fn,
std::string_view  padding_algo 
)
staticinherited

Choose and return a signature scheme appropriate for X.509 signing using the provided parameters.

Parameters
keywill be the key to choose a padding scheme for
rngthe random generator to use
hash_fnis the desired hash function
padding_algospecifies the padding method
Returns
a PK_Signer object for generating signatures

Definition at line 244 of file x509_obj.cpp.

249 {
250 const Signature_Format format = key.default_x509_signature_format();
251
252 if(!user_specified_padding.empty())
253 {
254 try
255 {
256 auto pk_signer = std::make_unique<PK_Signer>(key, rng, user_specified_padding, format);
257 if(!hash_fn.empty() && pk_signer->hash_function() != hash_fn)
258 {
259 throw Invalid_Argument(
260 format_padding_error_message(key.algo_name(), pk_signer->hash_function(),
261 hash_fn, "", user_specified_padding)
262 );
263 }
264 return pk_signer;
265 }
266 catch(Lookup_Error&) {}
267 }
268
269 const std::string padding = x509_signature_padding_for(key.algo_name(), hash_fn, user_specified_padding);
270
271 try
272 {
273 auto pk_signer = std::make_unique<PK_Signer>(key, rng, padding, format);
274 if(!hash_fn.empty() && pk_signer->hash_function() != hash_fn)
275 {
276 throw Invalid_Argument(
277 format_padding_error_message(key.algo_name(), pk_signer->hash_function(),
278 hash_fn, padding, user_specified_padding));
279 }
280 return pk_signer;
281 }
282 catch(Not_Implemented&)
283 {
284 throw Invalid_Argument("Signatures using " + key.algo_name() + "/" + padding + " are not supported");
285 }
286 }
Signature_Format
Definition: pk_keys.h:29

References Botan::Asymmetric_Key::algo_name(), and Botan::Public_Key::default_x509_signature_format().

Referenced by create(), Botan::X509::create_self_signed_cert(), and Botan::X509_CA::X509_CA().

◆ constraints()

Key_Constraints Botan::PKCS10_Request::constraints ( ) const

Get the key constraints for the key associated with this PKCS#10 object.

Returns
key constraints

Definition at line 249 of file pkcs10.cpp.

250 {
251 if(auto ext = extensions().get(OID::from_string("X509v3.KeyUsage")))
252 {
253 return dynamic_cast<Cert_Extension::Key_Usage&>(*ext).get_constraints();
254 }
255
257 }
static OID from_string(std::string_view str)
Definition: asn1_oid.cpp:78
const Extensions & extensions() const
Definition: pkcs10.cpp:241

References extensions(), Botan::OID::from_string(), Botan::Cert_Extension::Key_Usage::get_constraints(), and Botan::Key_Constraints::None.

Referenced by Botan::X509_CA::choose_extensions().

◆ create()

PKCS10_Request Botan::PKCS10_Request::create ( const Private_Key key,
const X509_DN subject_dn,
const Extensions extensions,
std::string_view  hash_fn,
RandomNumberGenerator rng,
std::string_view  padding_scheme = "",
std::string_view  challenge = "" 
)
static

Create a new PKCS10 certificate request

Parameters
keythe key that will be included in the certificate request
subject_dnthe DN to be placed in the request
extensionsextensions to include in the request
hash_fnthe hash function to use to create the signature
rnga random number generator
padding_schemeif set specifies the padding scheme, otherwise an algorithm-specific default is used.
challengea challenge string to be included in the PKCS10 request, sometimes used for revocation purposes.

Definition at line 58 of file pkcs10.cpp.

65 {
66 auto signer = choose_sig_format(key, rng, hash_fn, padding_scheme);
67 const AlgorithmIdentifier sig_algo = signer->algorithm_identifier();
68
69 const size_t PKCS10_VERSION = 0;
70
71 DER_Encoder tbs_req;
72
73 tbs_req.start_sequence()
74 .encode(PKCS10_VERSION)
75 .encode(subject_dn)
76 .raw_bytes(key.subject_public_key())
77 .start_explicit(0);
78
79 if(challenge.empty() == false)
80 {
81 std::vector<uint8_t> value;
82 DER_Encoder(value).encode(ASN1_String(challenge));
83 tbs_req.encode(Attribute("PKCS9.ChallengePassword", value));
84 }
85
86 std::vector<uint8_t> extension_req;
87 DER_Encoder(extension_req).start_sequence().encode(extensions).end_cons();
88 tbs_req.encode(Attribute("PKCS9.ExtensionRequest", extension_req));
89
90 // end the start_explicit above
91 tbs_req.end_explicit().end_cons();
92
93 const std::vector<uint8_t> req =
94 X509_Object::make_signed(*signer, rng, sig_algo,
95 tbs_req.get_contents());
96
97 return PKCS10_Request(req);
98 }
PKCS10_Request(DataSource &source)
Definition: pkcs10.cpp:38
const X509_DN & subject_dn() const
Definition: pkcs10.cpp:208
static std::unique_ptr< PK_Signer > choose_sig_format(const Private_Key &key, RandomNumberGenerator &rng, std::string_view hash_fn, std::string_view padding_algo)
Definition: x509_obj.cpp:244
static std::vector< uint8_t > make_signed(PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &tbs)
Definition: x509_obj.cpp:146
CK_ATTRIBUTE Attribute
Definition: p11.h:847

References Botan::X509_Object::choose_sig_format(), Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::end_explicit(), extensions(), Botan::DER_Encoder::get_contents(), Botan::X509_Object::make_signed(), Botan::DER_Encoder::raw_bytes(), Botan::DER_Encoder::start_explicit(), Botan::DER_Encoder::start_sequence(), subject_dn(), and Botan::Public_Key::subject_public_key().

Referenced by Botan::X509::create_cert_req().

◆ decode_from()

void Botan::X509_Object::decode_from ( BER_Decoder from)
overridevirtualinherited

Decode a BER encoded X509_Object See ASN1_Object::decode_from()

Implements Botan::ASN1_Object.

Definition at line 77 of file x509_obj.cpp.

78 {
79 from.start_sequence()
80 .start_sequence()
81 .raw_bytes(m_tbs_bits)
82 .end_cons()
83 .decode(m_sig_algo)
84 .decode(m_sig, ASN1_Type::BitString)
85 .end_cons();
86
87 force_decode();
88 }

References Botan::BitString, Botan::BER_Decoder::decode(), Botan::BER_Decoder::end_cons(), and Botan::BER_Decoder::start_sequence().

Referenced by Botan::X509_Object::load_data().

◆ encode_into()

void Botan::X509_Object::encode_into ( DER_Encoder to) const
overridevirtualinherited

DER encode an X509_Object See ASN1_Object::encode_into()

Implements Botan::ASN1_Object.

Definition at line 63 of file x509_obj.cpp.

64 {
65 to.start_sequence()
66 .start_sequence()
67 .raw_bytes(signed_body())
68 .end_cons()
69 .encode(signature_algorithm())
71 .end_cons();
72 }
const std::vector< uint8_t > & signed_body() const
Definition: x509_obj.h:43
const AlgorithmIdentifier & signature_algorithm() const
Definition: x509_obj.h:48
const std::vector< uint8_t > & signature() const
Definition: x509_obj.h:38

References Botan::BitString, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), Botan::X509_Object::signature(), Botan::X509_Object::signature_algorithm(), Botan::X509_Object::signed_body(), and Botan::DER_Encoder::start_sequence().

◆ ex_constraints()

std::vector< OID > Botan::PKCS10_Request::ex_constraints ( ) const

Get the extendend key constraints (if any).

Returns
extended key constraints

Definition at line 262 of file pkcs10.cpp.

263 {
264 if(auto ext = extensions().get(OID::from_string("X509v3.ExtendedKeyUsage")))
265 {
266 return dynamic_cast<Cert_Extension::Extended_Key_Usage&>(*ext).object_identifiers();
267 }
268
269 return {};
270 }

References extensions(), Botan::OID::from_string(), and Botan::Cert_Extension::Extended_Key_Usage::object_identifiers().

Referenced by Botan::X509_CA::choose_extensions().

◆ extensions()

const Extensions & Botan::PKCS10_Request::extensions ( ) const

Get the X509v3 extensions.

Returns
X509v3 extensions

Definition at line 241 of file pkcs10.cpp.

242 {
243 return data().m_extensions;
244 }

Referenced by Botan::X509_CA::choose_extensions(), constraints(), create(), ex_constraints(), is_CA(), and path_limit().

◆ is_CA()

bool Botan::PKCS10_Request::is_CA ( ) const

Find out whether this is a CA request.

Returns
true if it is a CA request, false otherwise.

Definition at line 275 of file pkcs10.cpp.

276 {
277 if(auto ext = extensions().get(OID::from_string("X509v3.BasicConstraints")))
278 {
279 return dynamic_cast<Cert_Extension::Basic_Constraints&>(*ext).get_is_ca();
280 }
281
282 return false;
283 }

References extensions(), Botan::OID::from_string(), and Botan::Cert_Extension::Basic_Constraints::get_is_ca().

Referenced by Botan::X509_CA::choose_extensions().

◆ load_data()

void Botan::X509_Object::load_data ( DataSource src)
protectedinherited

Decodes from src as either DER or PEM data, then calls force_decode()

Definition at line 23 of file x509_obj.cpp.

24 {
25 try {
27 {
28 BER_Decoder dec(in);
29 decode_from(dec);
30 }
31 else
32 {
33 std::string got_label;
34 DataSource_Memory ber(PEM_Code::decode(in, got_label));
35
36 if(got_label != PEM_label())
37 {
38 bool is_alternate = false;
39 for(std::string_view alt_label : alternate_PEM_labels())
40 {
41 if(got_label == alt_label)
42 {
43 is_alternate = true;
44 break;
45 }
46 }
47
48 if(!is_alternate)
49 throw Decoding_Error("Unexpected PEM label for " + PEM_label() + " of " + got_label);
50 }
51
52 BER_Decoder dec(ber);
53 decode_from(dec);
54 }
55 }
56 catch(Decoding_Error& e)
57 {
58 throw Decoding_Error(PEM_label() + " decoding", e);
59 }
60 }
void decode_from(BER_Decoder &from) override
Definition: x509_obj.cpp:77
virtual std::vector< std::string > alternate_PEM_labels() const
Definition: x509_obj.h:102
virtual std::string PEM_label() const =0
bool maybe_BER(DataSource &source)
Definition: asn1_obj.cpp:219
bool matches(DataSource &source, std::string_view extra, size_t search_range)
Definition: pem.cpp:144
secure_vector< uint8_t > decode(DataSource &source, std::string &label)
Definition: pem.cpp:70

References Botan::X509_Object::alternate_PEM_labels(), Botan::PEM_Code::decode(), Botan::X509_Object::decode_from(), Botan::PEM_Code::matches(), Botan::ASN1::maybe_BER(), and Botan::X509_Object::PEM_label().

Referenced by PKCS10_Request(), Botan::X509_Certificate::X509_Certificate(), and Botan::X509_CRL::X509_CRL().

◆ make_signed()

std::vector< uint8_t > Botan::X509_Object::make_signed ( PK_Signer signer,
RandomNumberGenerator rng,
const AlgorithmIdentifier alg_id,
const secure_vector< uint8_t > &  tbs 
)
staticinherited

Create a signed X509 object.

Parameters
signerthe signer used to sign the object
rngthe random number generator to use
alg_idthe algorithm identifier of the signature scheme
tbsthe tbs bits to be signed
Returns
signed X509 object

Definition at line 146 of file x509_obj.cpp.

150 {
151 const std::vector<uint8_t> signature = signer.sign_message(tbs_bits, rng);
152
153 std::vector<uint8_t> output;
154 DER_Encoder(output)
155 .start_sequence()
156 .raw_bytes(tbs_bits)
157 .encode(algo)
159 .end_cons();
160
161 return output;
162 }

References Botan::BitString, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), Botan::PK_Signer::sign_message(), Botan::X509_Object::signature(), and Botan::DER_Encoder::start_sequence().

Referenced by create(), and Botan::X509_CA::make_cert().

◆ path_limit()

size_t Botan::PKCS10_Request::path_limit ( ) const

Return the constraint on the path length defined in the BasicConstraints extension.

Returns
path limit

Definition at line 288 of file pkcs10.cpp.

289 {
290 if(auto ext = extensions().get(OID::from_string("X509v3.BasicConstraints")))
291 {
292 Cert_Extension::Basic_Constraints& basic_constraints = dynamic_cast<Cert_Extension::Basic_Constraints&>(*ext);
293 if(basic_constraints.get_is_ca())
294 {
295 return basic_constraints.get_path_limit();
296 }
297 }
298
299 return 0;
300 }

References extensions(), Botan::OID::from_string(), Botan::Cert_Extension::Basic_Constraints::get_is_ca(), and Botan::Cert_Extension::Basic_Constraints::get_path_limit().

Referenced by Botan::X509_CA::choose_extensions().

◆ PEM_encode()

std::string Botan::X509_Object::PEM_encode ( ) const
inherited
Returns
PEM encoding of this

Definition at line 93 of file x509_obj.cpp.

94 {
96 }
std::vector< uint8_t > BER_encode() const
Definition: asn1_obj.cpp:17
std::string encode(const uint8_t der[], size_t length, std::string_view label, size_t width)
Definition: pem.cpp:42

References Botan::ASN1_Object::BER_encode(), Botan::PEM_Code::encode(), and Botan::X509_Object::PEM_label().

◆ raw_public_key()

const std::vector< uint8_t > & Botan::PKCS10_Request::raw_public_key ( ) const

Get the raw DER encoded public key.

Returns
raw DER encoded public key

Definition at line 216 of file pkcs10.cpp.

217 {
218 return data().m_public_key_bits;
219 }

Referenced by Botan::X509_CA::choose_extensions(), Botan::X509_CA::sign_request(), and subject_public_key().

◆ signature()

const std::vector< uint8_t > & Botan::X509_Object::signature ( ) const
inlineinherited

◆ signature_algorithm()

const AlgorithmIdentifier & Botan::X509_Object::signature_algorithm ( ) const
inlineinherited
Returns
signature algorithm that was used to generate signature

Definition at line 48 of file x509_obj.h.

48{ return m_sig_algo; }

Referenced by Botan::PKIX::check_chain(), Botan::X509_Object::encode_into(), Botan::X509_Certificate::operator==(), Botan::X509_Certificate::to_string(), and Botan::X509_Object::verify_signature().

◆ signed_body()

const std::vector< uint8_t > & Botan::X509_Object::signed_body ( ) const
inlineinherited
Returns
signed body

Definition at line 43 of file x509_obj.h.

43{ return m_tbs_bits; }

Referenced by Botan::X509_Object::encode_into(), Botan::X509_Certificate::operator<(), and Botan::X509_Certificate::operator==().

◆ subject_alt_name()

const AlternativeName & Botan::PKCS10_Request::subject_alt_name ( ) const

Get the subject alternative name.

Returns
subject alternative name.

Definition at line 233 of file pkcs10.cpp.

234 {
235 return data().m_alt_name;
236 }

Referenced by Botan::X509_CA::choose_extensions().

◆ subject_dn()

const X509_DN & Botan::PKCS10_Request::subject_dn ( ) const

Get the subject DN.

Returns
subject DN

Definition at line 208 of file pkcs10.cpp.

209 {
210 return data().m_subject_dn;
211 }

Referenced by create(), and Botan::X509_CA::sign_request().

◆ subject_public_key()

std::unique_ptr< Public_Key > Botan::PKCS10_Request::subject_public_key ( ) const

Get the subject public key.

Returns
subject public key

Definition at line 224 of file pkcs10.cpp.

225 {
226 DataSource_Memory source(raw_public_key());
227 return X509::load_key(source);
228 }
const std::vector< uint8_t > & raw_public_key() const
Definition: pkcs10.cpp:216
std::unique_ptr< Public_Key > load_key(DataSource &source)
Definition: x509_key.cpp:29

References Botan::X509::load_key(), and raw_public_key().

Referenced by Botan::X509_CA::choose_extensions().

◆ tbs_data()

std::vector< uint8_t > Botan::X509_Object::tbs_data ( ) const
inherited

The underlying data that is to be or was signed

Returns
data that is or was signed

Definition at line 101 of file x509_obj.cpp.

102 {
103 return ASN1::put_in_sequence(m_tbs_bits);
104 }
std::vector< uint8_t > put_in_sequence(const std::vector< uint8_t > &contents)
Definition: asn1_obj.cpp:192

References Botan::ASN1::put_in_sequence().

Referenced by Botan::X509_Object::verify_signature().

◆ verify_signature()

std::pair< Certificate_Status_Code, std::string > Botan::X509_Object::verify_signature ( const Public_Key key) const
inherited

Check the signature on this data

Parameters
keythe public key purportedly used to sign this data
Returns
status of the signature - OK if verified or otherwise an indicator of the problem preventing verification, along with the hash function that was used, for further policy checks. The second parameter is empty unless the validation was sucessful.

Definition at line 116 of file x509_obj.cpp.

117 {
118 try
119 {
120 PK_Verifier verifier(pub_key, signature_algorithm());
121 const bool valid = verifier.verify_message(tbs_data(), signature());
122
123 if(valid)
124 return std::make_pair(Certificate_Status_Code::VERIFIED, verifier.hash_function());
125 else
126 return std::make_pair(Certificate_Status_Code::SIGNATURE_ERROR, "");
127 }
128 catch(Decoding_Error&)
129 {
131 }
132 catch(Algorithm_Not_Found&)
133 {
134 return std::make_pair(Certificate_Status_Code::SIGNATURE_ALGO_UNKNOWN, "");
135 }
136 catch(...)
137 {
138 // This shouldn't happen, fallback to generic signature error
139 return std::make_pair(Certificate_Status_Code::SIGNATURE_ERROR, "");
140 }
141 }
std::vector< uint8_t > tbs_data() const
Definition: x509_obj.cpp:101

References Botan::PK_Verifier::hash_function(), Botan::X509_Object::signature(), Botan::SIGNATURE_ALGO_BAD_PARAMS, Botan::SIGNATURE_ALGO_UNKNOWN, Botan::X509_Object::signature_algorithm(), Botan::SIGNATURE_ERROR, Botan::X509_Object::tbs_data(), Botan::VERIFIED, and Botan::PK_Verifier::verify_message().

Referenced by Botan::PKIX::check_chain(), and Botan::X509_Object::check_signature().


The documentation for this class was generated from the following files: