#include <pkcs10.h>

Inheritance diagram for Botan::PKCS10_Request:

Public Member Functions
std::vector< uint8_t >	BER_encode () const

std::string	challenge_password () const

bool	check_signature (const Public_Key &key) const

Key_Constraints	constraints () const

void	decode_from (BER_Decoder &from) override

void	encode_into (DER_Encoder &to) const override

std::vector< OID >	ex_constraints () const

const Extensions &	extensions () const

bool	is_CA () const

size_t	path_limit () const

std::string	PEM_encode () const

	PKCS10_Request (const std::vector< uint8_t > &vec)

	PKCS10_Request (DataSource &source)

const std::vector< uint8_t > &	raw_public_key () const

const std::vector< uint8_t > &	signature () const

const AlgorithmIdentifier &	signature_algorithm () const

const std::vector< uint8_t > &	signed_body () const

const AlternativeName &	subject_alt_name () const

const X509_DN &	subject_dn () const

std::unique_ptr< Public_Key >	subject_public_key () const

std::vector< uint8_t >	tbs_data () const

std::pair< Certificate_Status_Code, std::string >	verify_signature (const Public_Key &key) const

Static Public Member Functions
static std::unique_ptr< PK_Signer >	choose_sig_format (const Private_Key &key, RandomNumberGenerator &rng, std::string_view hash_fn, std::string_view padding_algo)

static PKCS10_Request	create (const Private_Key &key, const X509_DN &subject_dn, const Extensions &extensions, std::string_view hash_fn, RandomNumberGenerator &rng, std::string_view padding_scheme="", std::string_view challenge="")

static std::vector< uint8_t >	make_signed (PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &tbs)

Protected Member Functions
void	load_data (DataSource &src)

Detailed Description

PKCS #10 Certificate Request.

Definition at line 28 of file pkcs10.h.

Constructor & Destructor Documentation

◆ PKCS10_Request() [1/2]

Botan::PKCS10_Request::PKCS10_Request ( DataSource & source )

explicit

Create a PKCS#10 Request from a data source.

Parameters

source the data source providing the DER encoded request

Definition at line 38 of file pkcs10.cpp.

   {
   load_data(src);
   }

References Botan::X509_Object::load_data().

◆ PKCS10_Request() [2/2]

Botan::PKCS10_Request::PKCS10_Request ( const std::vector< uint8_t > & vec )

explicit

Create a PKCS#10 Request from binary data.

Parameters

vec	a std::vector containing the DER value

Definition at line 43 of file pkcs10.cpp.

   {
   DataSource_Memory src(vec.data(), vec.size());
   load_data(src);
   }

References Botan::X509_Object::load_data().

Member Function Documentation

◆ BER_encode()

std::vector< uint8_t > Botan::ASN1_Object::BER_encode ( ) const

inherited

Return the encoding of this object. This is a convenience method when just one object needs to be serialized. Use DER_Encoder for complicated encodings.

Definition at line 17 of file asn1_obj.cpp.

   {
   std::vector<uint8_t> output;
   DER_Encoder der(output);
   this->encode_into(der);
   return output;
   }

References Botan::ASN1_Object::encode_into().

Referenced by Botan::PSS_Params::decode_from(), Botan::Certificate_Store_In_SQL::find_all_certs(), Botan::Certificate_Store_In_SQL::find_cert(), Botan::X509_Certificate::fingerprint(), Botan::Certificate_Store_In_SQL::insert_cert(), Botan::X509_Object::PEM_encode(), and Botan::Certificate_Store_In_SQL::revoke_cert().

◆ challenge_password()

std::string Botan::PKCS10_Request::challenge_password ( ) const

Get the challenge password for this request

Returns: challenge password for this request

Definition at line 200 of file pkcs10.cpp.

   {
   return data().m_challenge;
   }

◆ check_signature()

bool Botan::X509_Object::check_signature ( const Public_Key & key ) const

inherited

Check the signature on this data

Parameters

key	the public key purportedly used to sign this data

Returns: true if the signature is valid, otherwise false

Definition at line 109 of file x509_obj.cpp.

   {
   const auto result = this->verify_signature(pub_key);
   return (result.first == Certificate_Status_Code::VERIFIED);
   }

References Botan::VERIFIED, and Botan::X509_Object::verify_signature().

◆ choose_sig_format()

std::unique_ptr< PK_Signer > Botan::X509_Object::choose_sig_format	(	const Private_Key &	key,
		RandomNumberGenerator &	rng,
		std::string_view	hash_fn,
		std::string_view	padding_algo
	)

staticinherited

Choose and return a signature scheme appropriate for X.509 signing using the provided parameters.

Parameters

key	will be the key to choose a padding scheme for
rng	the random generator to use
hash_fn	is the desired hash function
padding_algo	specifies the padding method

Returns: a PK_Signer object for generating signatures

Definition at line 244 of file x509_obj.cpp.

   {
   const Signature_Format format = key.default_x509_signature_format();
 
   if(!user_specified_padding.empty())
      {
      try
         {
         auto pk_signer = std::make_unique<PK_Signer>(key, rng, user_specified_padding, format);
         if(!hash_fn.empty() && pk_signer->hash_function() != hash_fn)
            {
            throw Invalid_Argument(
               format_padding_error_message(key.algo_name(), pk_signer->hash_function(),
                                            hash_fn, "", user_specified_padding)
               );
            }
         return pk_signer;
         }
      catch(Lookup_Error&) {}
      }
 
   const std::string padding = x509_signature_padding_for(key.algo_name(), hash_fn, user_specified_padding);
 
   try
      {
      auto pk_signer = std::make_unique<PK_Signer>(key, rng, padding, format);
      if(!hash_fn.empty() && pk_signer->hash_function() != hash_fn)
         {
         throw Invalid_Argument(
            format_padding_error_message(key.algo_name(), pk_signer->hash_function(),
                                         hash_fn, padding, user_specified_padding));
         }
      return pk_signer;
      }
   catch(Not_Implemented&)
      {
      throw Invalid_Argument("Signatures using " + key.algo_name() + "/" + padding + " are not supported");
      }
   }

References Botan::Asymmetric_Key::algo_name(), and Botan::Public_Key::default_x509_signature_format().

Referenced by create(), Botan::X509::create_self_signed_cert(), and Botan::X509_CA::X509_CA().

◆ constraints()

Key_Constraints Botan::PKCS10_Request::constraints ( ) const

Get the key constraints for the key associated with this PKCS#10 object.

Returns: key constraints

Definition at line 249 of file pkcs10.cpp.

   {
   if(auto ext = extensions().get(OID::from_string("X509v3.KeyUsage")))
      {
      return dynamic_cast<Cert_Extension::Key_Usage&>(*ext).get_constraints();
      }
 
   return Key_Constraints::None;
   }

References extensions(), Botan::OID::from_string(), Botan::Cert_Extension::Key_Usage::get_constraints(), and Botan::Key_Constraints::None.

Referenced by Botan::X509_CA::choose_extensions().

◆ create()

PKCS10_Request Botan::PKCS10_Request::create	(	const Private_Key &	key,
		const X509_DN &	subject_dn,
		const Extensions &	extensions,
		std::string_view	hash_fn,
		RandomNumberGenerator &	rng,
		std::string_view	padding_scheme = `""`,
		std::string_view	challenge = `""`
	)

static

Create a new PKCS10 certificate request

Parameters

key	the key that will be included in the certificate request
subject_dn	the DN to be placed in the request
extensions	extensions to include in the request
hash_fn	the hash function to use to create the signature
rng	a random number generator
padding_scheme	if set specifies the padding scheme, otherwise an algorithm-specific default is used.
challenge	a challenge string to be included in the PKCS10 request, sometimes used for revocation purposes.

Definition at line 58 of file pkcs10.cpp.

   {
   auto signer = choose_sig_format(key, rng, hash_fn, padding_scheme);
   const AlgorithmIdentifier sig_algo = signer->algorithm_identifier();
 
   const size_t PKCS10_VERSION = 0;
 
   DER_Encoder tbs_req;
 
   tbs_req.start_sequence()
      .encode(PKCS10_VERSION)
      .encode(subject_dn)
      .raw_bytes(key.subject_public_key())
      .start_explicit(0);
 
   if(challenge.empty() == false)
      {
      std::vector<uint8_t> value;
      DER_Encoder(value).encode(ASN1_String(challenge));
      tbs_req.encode(Attribute("PKCS9.ChallengePassword", value));
      }
 
   std::vector<uint8_t> extension_req;
   DER_Encoder(extension_req).start_sequence().encode(extensions).end_cons();
   tbs_req.encode(Attribute("PKCS9.ExtensionRequest", extension_req));
 
   // end the start_explicit above
   tbs_req.end_explicit().end_cons();
 
   const std::vector<uint8_t> req =
      X509_Object::make_signed(*signer, rng, sig_algo,
                               tbs_req.get_contents());
 
   return PKCS10_Request(req);
   }

References Botan::X509_Object::choose_sig_format(), Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::end_explicit(), extensions(), Botan::DER_Encoder::get_contents(), Botan::X509_Object::make_signed(), Botan::DER_Encoder::raw_bytes(), Botan::DER_Encoder::start_explicit(), Botan::DER_Encoder::start_sequence(), subject_dn(), and Botan::Public_Key::subject_public_key().

Referenced by Botan::X509::create_cert_req().

◆ decode_from()

void Botan::X509_Object::decode_from ( BER_Decoder & from )

overridevirtualinherited

Decode a BER encoded X509_Object See ASN1_Object::decode_from()

Implements Botan::ASN1_Object.

Definition at line 77 of file x509_obj.cpp.

   {
   from.start_sequence()
         .start_sequence()
            .raw_bytes(m_tbs_bits)
         .end_cons()
         .decode(m_sig_algo)
         .decode(m_sig, ASN1_Type::BitString)
      .end_cons();
 
   force_decode();
   }

References Botan::BitString, Botan::BER_Decoder::decode(), Botan::BER_Decoder::end_cons(), and Botan::BER_Decoder::start_sequence().

Referenced by Botan::X509_Object::load_data().

◆ encode_into()

void Botan::X509_Object::encode_into ( DER_Encoder & to ) const

overridevirtualinherited

DER encode an X509_Object See ASN1_Object::encode_into()

Implements Botan::ASN1_Object.

Definition at line 63 of file x509_obj.cpp.

   {
   to.start_sequence()
         .start_sequence()
            .raw_bytes(signed_body())
         .end_cons()
         .encode(signature_algorithm())
         .encode(signature(), ASN1_Type::BitString)
      .end_cons();
   }

References Botan::BitString, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), Botan::X509_Object::signature(), Botan::X509_Object::signature_algorithm(), Botan::X509_Object::signed_body(), and Botan::DER_Encoder::start_sequence().

◆ ex_constraints()

std::vector< OID > Botan::PKCS10_Request::ex_constraints ( ) const

Get the extendend key constraints (if any).

Returns: extended key constraints

Definition at line 262 of file pkcs10.cpp.

   {
   if(auto ext = extensions().get(OID::from_string("X509v3.ExtendedKeyUsage")))
      {
      return dynamic_cast<Cert_Extension::Extended_Key_Usage&>(*ext).object_identifiers();
      }
 
   return {};
   }

References extensions(), Botan::OID::from_string(), and Botan::Cert_Extension::Extended_Key_Usage::object_identifiers().

Referenced by Botan::X509_CA::choose_extensions().

◆ extensions()

const Extensions & Botan::PKCS10_Request::extensions ( ) const

Get the X509v3 extensions.

Returns: X509v3 extensions

Definition at line 241 of file pkcs10.cpp.

   {
   return data().m_extensions;
   }

Referenced by Botan::X509_CA::choose_extensions(), constraints(), create(), ex_constraints(), is_CA(), and path_limit().

◆ is_CA()

bool Botan::PKCS10_Request::is_CA ( ) const

Find out whether this is a CA request.

Returns: true if it is a CA request, false otherwise.

Definition at line 275 of file pkcs10.cpp.

   {
   if(auto ext = extensions().get(OID::from_string("X509v3.BasicConstraints")))
      {
      return dynamic_cast<Cert_Extension::Basic_Constraints&>(*ext).get_is_ca();
      }
 
   return false;
   }

References extensions(), Botan::OID::from_string(), and Botan::Cert_Extension::Basic_Constraints::get_is_ca().

Referenced by Botan::X509_CA::choose_extensions().

◆ load_data()

void Botan::X509_Object::load_data ( DataSource & src )

protectedinherited

Decodes from src as either DER or PEM data, then calls force_decode()

Definition at line 23 of file x509_obj.cpp.

   {
   try {
      if(ASN1::maybe_BER(in) && !PEM_Code::matches(in))
         {
         BER_Decoder dec(in);
         decode_from(dec);
         }
      else
         {
         std::string got_label;
         DataSource_Memory ber(PEM_Code::decode(in, got_label));
 
         if(got_label != PEM_label())
            {
            bool is_alternate = false;
            for(std::string_view alt_label : alternate_PEM_labels())
               {
               if(got_label == alt_label)
                  {
                  is_alternate = true;
                  break;
                  }
               }
 
            if(!is_alternate)
               throw Decoding_Error("Unexpected PEM label for " + PEM_label() + " of " + got_label);
            }
 
         BER_Decoder dec(ber);
         decode_from(dec);
         }
      }
   catch(Decoding_Error& e)
      {
      throw Decoding_Error(PEM_label() + " decoding", e);
      }
   }

References Botan::X509_Object::alternate_PEM_labels(), Botan::PEM_Code::decode(), Botan::X509_Object::decode_from(), Botan::PEM_Code::matches(), Botan::ASN1::maybe_BER(), and Botan::X509_Object::PEM_label().

Referenced by PKCS10_Request(), Botan::X509_Certificate::X509_Certificate(), and Botan::X509_CRL::X509_CRL().

◆ make_signed()

std::vector< uint8_t > Botan::X509_Object::make_signed	(	PK_Signer &	signer,
		RandomNumberGenerator &	rng,
		const AlgorithmIdentifier &	alg_id,
		const secure_vector< uint8_t > &	tbs
	)

staticinherited

Create a signed X509 object.

Parameters

signer	the signer used to sign the object
rng	the random number generator to use
alg_id	the algorithm identifier of the signature scheme
tbs	the tbs bits to be signed

Returns: signed X509 object

Definition at line 146 of file x509_obj.cpp.

   {
   const std::vector<uint8_t> signature = signer.sign_message(tbs_bits, rng);
 
   std::vector<uint8_t> output;
   DER_Encoder(output)
      .start_sequence()
         .raw_bytes(tbs_bits)
         .encode(algo)
         .encode(signature, ASN1_Type::BitString)
      .end_cons();
 
   return output;
   }

References Botan::BitString, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::DER_Encoder::raw_bytes(), Botan::PK_Signer::sign_message(), Botan::X509_Object::signature(), and Botan::DER_Encoder::start_sequence().

Referenced by create(), and Botan::X509_CA::make_cert().

◆ path_limit()

size_t Botan::PKCS10_Request::path_limit ( ) const

Return the constraint on the path length defined in the BasicConstraints extension.

Returns: path limit

Definition at line 288 of file pkcs10.cpp.

   {
   if(auto ext = extensions().get(OID::from_string("X509v3.BasicConstraints")))
      {
      Cert_Extension::Basic_Constraints& basic_constraints = dynamic_cast<Cert_Extension::Basic_Constraints&>(*ext);
      if(basic_constraints.get_is_ca())
         {
         return basic_constraints.get_path_limit();
         }
      }
 
   return 0;
   }

References extensions(), Botan::OID::from_string(), Botan::Cert_Extension::Basic_Constraints::get_is_ca(), and Botan::Cert_Extension::Basic_Constraints::get_path_limit().

Referenced by Botan::X509_CA::choose_extensions().

◆ PEM_encode()

std::string Botan::X509_Object::PEM_encode ( ) const

inherited

Returns: PEM encoding of this

Definition at line 93 of file x509_obj.cpp.

   {
   return PEM_Code::encode(BER_encode(), PEM_label());
   }

References Botan::ASN1_Object::BER_encode(), Botan::PEM_Code::encode(), and Botan::X509_Object::PEM_label().

◆ raw_public_key()

const std::vector< uint8_t > & Botan::PKCS10_Request::raw_public_key ( ) const

Get the raw DER encoded public key.

Returns: raw DER encoded public key

Definition at line 216 of file pkcs10.cpp.

   {
   return data().m_public_key_bits;
   }

Referenced by Botan::X509_CA::choose_extensions(), Botan::X509_CA::sign_request(), and subject_public_key().

◆ signature()

const std::vector< uint8_t > & Botan::X509_Object::signature ( ) const

inlineinherited

Returns: signature on tbs_data()

Definition at line 38 of file x509_obj.h.

38{ return m_sig; }

Referenced by Botan::X509_Object::encode_into(), Botan::X509_Object::make_signed(), Botan::X509_Certificate::operator<(), Botan::X509_Certificate::operator==(), and Botan::X509_Object::verify_signature().

◆ signature_algorithm()

const AlgorithmIdentifier & Botan::X509_Object::signature_algorithm ( ) const

inlineinherited

Returns: signature algorithm that was used to generate signature

Definition at line 48 of file x509_obj.h.

48{ return m_sig_algo; }

Referenced by Botan::PKIX::check_chain(), Botan::X509_Object::encode_into(), Botan::X509_Certificate::operator==(), Botan::X509_Certificate::to_string(), and Botan::X509_Object::verify_signature().

◆ signed_body()

const std::vector< uint8_t > & Botan::X509_Object::signed_body ( ) const

inlineinherited

Returns: signed body

Definition at line 43 of file x509_obj.h.

43{ return m_tbs_bits; }

Referenced by Botan::X509_Object::encode_into(), Botan::X509_Certificate::operator<(), and Botan::X509_Certificate::operator==().

◆ subject_alt_name()

const AlternativeName & Botan::PKCS10_Request::subject_alt_name ( ) const

Get the subject alternative name.

Returns: subject alternative name.

Definition at line 233 of file pkcs10.cpp.

   {
   return data().m_alt_name;
   }

Referenced by Botan::X509_CA::choose_extensions().

◆ subject_dn()

const X509_DN & Botan::PKCS10_Request::subject_dn ( ) const

Get the subject DN.

Returns: subject DN

Definition at line 208 of file pkcs10.cpp.

   {
   return data().m_subject_dn;
   }

Referenced by create(), and Botan::X509_CA::sign_request().

◆ subject_public_key()

std::unique_ptr< Public_Key > Botan::PKCS10_Request::subject_public_key ( ) const

Get the subject public key.

Returns: subject public key

Definition at line 224 of file pkcs10.cpp.

   {
   DataSource_Memory source(raw_public_key());
   return X509::load_key(source);
   }

References Botan::X509::load_key(), and raw_public_key().

Referenced by Botan::X509_CA::choose_extensions().

◆ tbs_data()

std::vector< uint8_t > Botan::X509_Object::tbs_data ( ) const

inherited

The underlying data that is to be or was signed

Returns: data that is or was signed

Definition at line 101 of file x509_obj.cpp.

   {
   return ASN1::put_in_sequence(m_tbs_bits);
   }

References Botan::ASN1::put_in_sequence().

Referenced by Botan::X509_Object::verify_signature().

◆ verify_signature()

std::pair< Certificate_Status_Code, std::string > Botan::X509_Object::verify_signature ( const Public_Key & key ) const

inherited

Check the signature on this data

Parameters

key	the public key purportedly used to sign this data

Returns: status of the signature - OK if verified or otherwise an indicator of the problem preventing verification, along with the hash function that was used, for further policy checks. The second parameter is empty unless the validation was sucessful.

Definition at line 116 of file x509_obj.cpp.

   {
   try
      {
      PK_Verifier verifier(pub_key, signature_algorithm());
      const bool valid = verifier.verify_message(tbs_data(), signature());
 
      if(valid)
         return std::make_pair(Certificate_Status_Code::VERIFIED, verifier.hash_function());
      else
         return std::make_pair(Certificate_Status_Code::SIGNATURE_ERROR, "");
      }
   catch(Decoding_Error&)
      {
      return std::make_pair(Certificate_Status_Code::SIGNATURE_ALGO_BAD_PARAMS, "");
      }
   catch(Algorithm_Not_Found&)
      {
      return std::make_pair(Certificate_Status_Code::SIGNATURE_ALGO_UNKNOWN, "");
      }
   catch(...)
      {
      // This shouldn't happen, fallback to generic signature error
      return std::make_pair(Certificate_Status_Code::SIGNATURE_ERROR, "");
      }
   }

References Botan::PK_Verifier::hash_function(), Botan::X509_Object::signature(), Botan::SIGNATURE_ALGO_BAD_PARAMS, Botan::SIGNATURE_ALGO_UNKNOWN, Botan::X509_Object::signature_algorithm(), Botan::SIGNATURE_ERROR, Botan::X509_Object::tbs_data(), Botan::VERIFIED, and Botan::PK_Verifier::verify_message().

Referenced by Botan::PKIX::check_chain(), and Botan::X509_Object::check_signature().

The documentation for this class was generated from the following files:

src/lib/x509/pkcs10.h
src/lib/x509/pkcs10.cpp

Public Member Functions

Static Public Member Functions

Protected Member Functions

Detailed Description

Constructor & Destructor Documentation

◆ PKCS10_Request() [1/2]

◆ PKCS10_Request() [2/2]

Member Function Documentation

◆ BER_encode()

◆ challenge_password()

◆ check_signature()

◆ choose_sig_format()

◆ constraints()

◆ create()

◆ decode_from()

◆ encode_into()

◆ ex_constraints()

◆ extensions()

◆ is_CA()

◆ load_data()

◆ make_signed()

◆ path_limit()

◆ PEM_encode()

◆ raw_public_key()

◆ signature()

◆ signature_algorithm()

◆ signed_body()

◆ subject_alt_name()

◆ subject_dn()

◆ subject_public_key()

◆ tbs_data()

◆ verify_signature()