Botan  2.6.0
Crypto and TLS for C++11
Botan::X509_CA Class Referencefinal

#include <x509_ca.h>

Public Member Functions

X509_Certificate ca_certificate () const
 
X509_CRL new_crl (RandomNumberGenerator &rng, std::chrono::system_clock::time_point issue_time, std::chrono::seconds next_update) const
 
X509_CRL new_crl (RandomNumberGenerator &rng, uint32_t next_update=604800) const
 
X509_CA & operator= (const X509_CA &)=delete
 
X509_CA & operator= (X509_CA &&)=default
 
X509_Certificate sign_request (const PKCS10_Request &req, RandomNumberGenerator &rng, const X509_Time &not_before, const X509_Time &not_after) const
 
X509_Certificate sign_request (const PKCS10_Request &req, RandomNumberGenerator &rng, const BigInt &serial_number, const X509_Time &not_before, const X509_Time &not_after) const
 
X509_CRL update_crl (const X509_CRL &last_crl, const std::vector< CRL_Entry > &new_entries, RandomNumberGenerator &rng, std::chrono::system_clock::time_point issue_time, std::chrono::seconds next_update) const
 
X509_CRL update_crl (const X509_CRL &last_crl, const std::vector< CRL_Entry > &new_entries, RandomNumberGenerator &rng, uint32_t next_update=604800) const
 
 X509_CA (const X509_Certificate &ca_certificate, const Private_Key &key, const std::string &hash_fn, RandomNumberGenerator &rng)
 
 X509_CA (const X509_Certificate &ca_certificate, const Private_Key &key, const std::map< std::string, std::string > &opts, const std::string &hash_fn, RandomNumberGenerator &rng)
 
 X509_CA (const X509_CA &)=delete
 
 X509_CA (X509_CA &&)=default
 
 ~X509_CA ()
 

Static Public Member Functions

static X509_Certificate make_cert (PK_Signer *signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &sig_algo, const std::vector< uint8_t > &pub_key, const X509_Time &not_before, const X509_Time &not_after, const X509_DN &issuer_dn, const X509_DN &subject_dn, const Extensions &extensions)
 
static X509_Certificate make_cert (PK_Signer *signer, RandomNumberGenerator &rng, const BigInt &serial_number, const AlgorithmIdentifier &sig_algo, const std::vector< uint8_t > &pub_key, const X509_Time &not_before, const X509_Time &not_after, const X509_DN &issuer_dn, const X509_DN &subject_dn, const Extensions &extensions)
 

Detailed Description

This class represents an X.509 Certificate Authority (CA). The constructor checks that the supplied certificate is a CA certificate and builds a signer from the CA private key; that signer is then used to issue certificates from PKCS#10 requests (sign_request) and to create and extend CRLs (new_crl, update_crl). Because the object holds the signer for the CA key, it is deliberately movable but not copyable.

Definition at line 29 of file x509_ca.h.

Constructor & Destructor Documentation

◆ X509_CA() [1/4]

Botan::X509_CA::X509_CA ( const X509_Certificate ca_certificate,
const Private_Key key,
const std::string &  hash_fn,
RandomNumberGenerator rng 
)

Create a new CA object.

Parameters
ca_certificate — the certificate of the CA. It must be a CA certificate (is_CA_cert() must return true), otherwise Invalid_Argument is thrown. With this constructor the signature padding is taken from the signature algorithm of this certificate.
key — the private key of the CA. No check is made that it corresponds to the public key in ca_certificate; a mismatch produces certificates that do not verify against the CA certificate.
hash_fn — name of the hash function to use for signing. Choose a current hash (SHA-256 or stronger); SHA-1 is no longer acceptable for signatures.
rng — the random generator to use

Definition at line 29 of file x509_ca.cpp.

References Botan::choose_sig_format(), Botan::X509_Certificate::is_CA_cert(), Botan::OIDS::lookup(), and Botan::X509_Object::signature_algorithm().

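/*
* Create a CA object, inheriting the signature padding from the CA certificate.
*
* Without explicit options, the padding is taken from the CA certificate's own
* signature algorithm: the OID name has the form <sig_alg>/<padding>, so SCAN_Name
* reports the padding (including its options) as the "cipher mode". That padding,
* together with hash_fn, is passed to choose_sig_format() to build the signer.
*
* NOTE(review): only is_CA_cert() is checked. Nothing verifies that `key` matches
* the public key in `c`; a mismatch yields signatures that do not verify against
* the CA certificate.
*
* @param c the CA certificate; must satisfy is_CA_cert()
* @param key the CA private key used to build the signer
* @param hash_fn hash function used for signatures made through this object
* @param rng random generator handed to the signer
* @throws Invalid_Argument if c is not a CA certificate
*/
X509_CA::X509_CA(const X509_Certificate& c,
                 const Private_Key& key,
                 const std::string& hash_fn,
                 RandomNumberGenerator& rng) :
   m_ca_cert(c),
   m_hash_fn(hash_fn)
   {
   if(!m_ca_cert.is_CA_cert())
      throw Invalid_Argument("X509_CA: This certificate is not for a CA");

   std::map<std::string,std::string> opts;
   // constructor without additional options: use the padding used in the CA certificate
   // sig_oid_str = <sig_alg>/<padding>, so padding with all its options will look
   // like a cipher mode to the scanner
   std::string sig_oid_str = OIDS::lookup(c.signature_algorithm().oid);
   SCAN_Name scanner(sig_oid_str);
   std::string pad = scanner.cipher_mode();
   if(!pad.empty())
      opts.insert({"padding",pad});

   // NOTE(review): the padding string may itself name a hash (e.g. the one the CA
   // cert was signed with) while hash_fn names another; which one choose_sig_format()
   // honours is not visible here - confirm when the CA cert uses a legacy hash.
   m_signer.reset(choose_sig_format(key, opts, rng, hash_fn, m_ca_sig_algo));
   }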

◆ X509_CA() [2/4]

Botan::X509_CA::X509_CA ( const X509_Certificate ca_certificate,
const Private_Key key,
const std::map< std::string, std::string > &  opts,
const std::string &  hash_fn,
RandomNumberGenerator rng 
)

Create a new CA object.

Parameters
ca_certificate — the certificate of the CA. It must be a CA certificate (is_CA_cert() must return true), otherwise Invalid_Argument is thrown.
key — the private key of the CA. No check is made that it corresponds to the public key in ca_certificate.
opts — additional options for the signer as key/value pairs, e.g. "padding". Unlike the constructor without opts, nothing is derived from the CA certificate's signature algorithm here; the caller is responsible for choosing a sound padding.
hash_fn — name of the hash function to use for signing. Choose a current hash (SHA-256 or stronger).
rng — the random generator to use

Definition at line 55 of file x509_ca.cpp.

References Botan::choose_sig_format(), and Botan::X509_Certificate::is_CA_cert().

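/*
* Create a CA object with explicit signer options.
*
* Unlike the constructor without opts, nothing is derived from the CA certificate's
* signature algorithm: opts (e.g. "padding") are passed straight to choose_sig_format().
*
* NOTE(review): only is_CA_cert() is checked; `key` is not verified to match the
* public key in ca_certificate.
*
* @param ca_certificate the CA certificate; must satisfy is_CA_cert()
* @param key the CA private key used to build the signer
* @param opts additional signer options as key/value pairs, e.g. padding
* @param hash_fn hash function used for signatures made through this object
* @param rng random generator handed to the signer
* @throws Invalid_Argument if ca_certificate is not a CA certificate
*/
X509_CA::X509_CA(const X509_Certificate& ca_certificate,
                 const Private_Key& key,
                 const std::map<std::string,std::string>& opts,
                 const std::string& hash_fn,
                 RandomNumberGenerator& rng)
   : m_ca_cert(ca_certificate), m_hash_fn(hash_fn)
   {
   if(!m_ca_cert.is_CA_cert())
      throw Invalid_Argument("X509_CA: This certificate is not for a CA");

   m_signer.reset(choose_sig_format(key, opts, rng, hash_fn, m_ca_sig_algo));
   }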

◆ X509_CA() [3/4]

Botan::X509_CA::X509_CA ( const X509_CA )
delete

◆ X509_CA() [4/4]

Botan::X509_CA::X509_CA ( X509_CA &&  )
default

◆ ~X509_CA()

Botan::X509_CA::~X509_CA ( )

Definition at line 70 of file x509_ca.cpp.

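/*
* Destructor. Defined out of line so that the unique_ptr holding the signer
* (m_signer) is destroyed in a translation unit where PK_Signer is complete.
*/
X509_CA::~X509_CA()
   {
   /* for unique_ptr */
   }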

Member Function Documentation

◆ ca_certificate()

X509_Certificate Botan::X509_CA::ca_certificate ( ) const

Get the certificate of this CA.

Returns
CA certificate

Definition at line 309 of file x509_ca.cpp.

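/*
* Return a copy of the CA certificate this object was constructed with.
* @return the CA certificate
*/
X509_Certificate X509_CA::ca_certificate() const
   {
   return m_ca_cert;
   }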

◆ make_cert() [1/2]

X509_Certificate Botan::X509_CA::make_cert ( PK_Signer signer,
RandomNumberGenerator rng,
const AlgorithmIdentifier sig_algo,
const std::vector< uint8_t > &  pub_key,
const X509_Time not_before,
const X509_Time not_after,
const X509_DN issuer_dn,
const X509_DN subject_dn,
const Extensions extensions 
)
static

Interface for creating new certificates

Parameters
signer — a signing object
rng — a random number generator; also used to draw the serial number
sig_algo — the signature algorithm identifier
pub_key — the serialized (DER-encoded SubjectPublicKeyInfo) public key; it is placed into the certificate verbatim
not_before — the start time of the certificate
not_after — the end time of the certificate; no check that it is later than not_before is made here
issuer_dn — the DN of the issuer
subject_dn — the DN of the subject
extensions — an optional list of certificate extensions
Returns
newly minted certificate. The serial number is 128 random bits from rng, which satisfies the RFC 5280 limit of 20 octets and comfortably exceeds the 64 bits of entropy the CA/Browser Forum requires.

Definition at line 150 of file x509_ca.cpp.

Referenced by Botan::X509::create_self_signed_cert(), and sign_request().

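/*
* Mint a certificate with a freshly generated random serial number.
*
* 128 random bits: at most 16 octets (17 with a DER sign byte), within the 20-octet
* limit of RFC 5280 4.1.2.2, and well above the 64 bits of entropy required by the
* CA/Browser Forum. The value is non-negative and the chance of drawing zero is
* negligible, so it meets the "positive integer" requirement in practice.
*
* @param signer a signing object
* @param rng a random number generator (also used for the serial)
* @param sig_algo the signature algorithm identifier
* @param pub_key the serialized public key (DER SubjectPublicKeyInfo)
* @param not_before the start time of the certificate
* @param not_after the end time of the certificate
* @param issuer_dn the DN of the issuer
* @param subject_dn the DN of the subject
* @param extensions the certificate extensions
* @return newly minted certificate
*/
X509_Certificate X509_CA::make_cert(PK_Signer* signer,
                                    RandomNumberGenerator& rng,
                                    const AlgorithmIdentifier& sig_algo,
                                    const std::vector<uint8_t>& pub_key,
                                    const X509_Time& not_before,
                                    const X509_Time& not_after,
                                    const X509_DN& issuer_dn,
                                    const X509_DN& subject_dn,
                                    const Extensions& extensions)
   {
   const size_t SERIAL_BITS = 128;
   BigInt serial_no(rng, SERIAL_BITS);

   return make_cert(signer, rng, serial_no, sig_algo, pub_key,
                    not_before, not_after, issuer_dn, subject_dn, extensions);
   }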

◆ make_cert() [2/2]

X509_Certificate Botan::X509_CA::make_cert ( PK_Signer signer,
RandomNumberGenerator rng,
const BigInt serial_number,
const AlgorithmIdentifier sig_algo,
const std::vector< uint8_t > &  pub_key,
const X509_Time not_before,
const X509_Time not_after,
const X509_DN issuer_dn,
const X509_DN subject_dn,
const Extensions extensions 
)
static

Interface for creating new certificates

Parameters
signer — a signing object
rng — a random number generator
serial_number — the serial number the cert will be assigned. RFC 5280 4.1.2.2 requires a positive, non-zero integer of at most 20 octets, and the value must be unique among all certificates issued under this issuer; the caller is responsible for uniqueness and should include at least 64 bits of randomness rather than use a predictable counter.
sig_algo — the signature algorithm identifier
pub_key — the serialized (DER-encoded SubjectPublicKeyInfo) public key; it is placed into the certificate verbatim
not_before — the start time of the certificate
not_after — the end time of the certificate; no check that it is later than not_before is made here
issuer_dn — the DN of the issuer
subject_dn — the DN of the subject
extensions — an optional list of certificate extensions
Returns
newly minted certificate

Definition at line 170 of file x509_ca.cpp.

References Botan::PEM_Code::encode(), Botan::X509_Object::make_signed(), and Botan::SEQUENCE.

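/*
* Mint a v3 certificate with a caller-supplied serial number.
*
* Builds the TBSCertificate structure (RFC 5280 4.1.2) with DER_Encoder and hands
* it to X509_Object::make_signed(), which produces the signature and wraps the
* result. The public key bytes are inserted verbatim, so pub_key must already be
* a DER-encoded SubjectPublicKeyInfo.
*
* The serial is validated against RFC 5280 4.1.2.2: it must be positive, non-zero
* and encode in at most 20 octets (i.e. be below 2^159, since DER adds a sign byte
* when the top bit is set). Uniqueness per issuer remains the caller's duty.
*
* NOTE(review): no check is made that not_after is later than not_before.
*
* @param signer a signing object
* @param rng a random number generator
* @param serial_no the serial number the cert will be assigned
* @param sig_algo the signature algorithm identifier
* @param pub_key the serialized public key (DER SubjectPublicKeyInfo)
* @param not_before the start time of the certificate
* @param not_after the end time of the certificate
* @param issuer_dn the DN of the issuer
* @param subject_dn the DN of the subject
* @param extensions the certificate extensions
* @return newly minted certificate
* @throws Invalid_Argument if serial_no is zero, negative or longer than 20 octets
*/
X509_Certificate X509_CA::make_cert(PK_Signer* signer,
                                    RandomNumberGenerator& rng,
                                    const BigInt& serial_no,
                                    const AlgorithmIdentifier& sig_algo,
                                    const std::vector<uint8_t>& pub_key,
                                    const X509_Time& not_before,
                                    const X509_Time& not_after,
                                    const X509_DN& issuer_dn,
                                    const X509_DN& subject_dn,
                                    const Extensions& extensions)
   {
   const size_t X509_CERT_VERSION = 3;

   // RFC 5280 4.1.2.2: serialNumber is a positive INTEGER of at most 20 octets
   if(serial_no.is_zero() || serial_no.is_negative())
      throw Invalid_Argument("X509_CA::make_cert: serial number must be positive");
   if(serial_no.bits() > 159)
      throw Invalid_Argument("X509_CA::make_cert: serial number exceeds 20 octets");

   // clang-format off
   return X509_Certificate(X509_Object::make_signed(
      signer, rng, sig_algo,
      DER_Encoder().start_cons(SEQUENCE)
         .start_explicit(0)
            .encode(X509_CERT_VERSION-1)   // version is encoded as v3 == 2
         .end_explicit()

         .encode(serial_no)

         .encode(sig_algo)
         .encode(issuer_dn)

         .start_cons(SEQUENCE)
            .encode(not_before)
            .encode(not_after)
         .end_cons()

         .encode(subject_dn)
         .raw_bytes(pub_key)              // SubjectPublicKeyInfo, copied as given

         .start_explicit(3)
            .start_cons(SEQUENCE)
               .encode(extensions)
            .end_cons()
         .end_explicit()
      .end_cons()
      .get_contents()
      ));
   // clang-format on
   }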

◆ new_crl() [1/2]

X509_CRL Botan::X509_CA::new_crl ( RandomNumberGenerator rng,
std::chrono::system_clock::time_point  issue_time,
std::chrono::seconds  next_update 
) const

Create a new and empty CRL for this CA. The CRL number is 1; subsequent CRLs produced with update_crl() increment it.

Parameters
rng — the random number generator to use
issue_time — the issue time (typically system_clock::now)
next_update — the time interval after issue_time within which a new CRL will be produced
Returns
new CRL

Definition at line 240 of file x509_ca.cpp.

Referenced by new_crl().

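/*
* Create a new, empty CRL for this CA with CRL number 1.
*
* Later CRLs built with update_crl() carry the previous number plus one, so a
* fresh new_crl() restarts the sequence; relying parties that track CRL numbers
* may treat that as a rollback.
*
* @param rng the random number generator to use
* @param issue_time the issue time (typically system_clock::now)
* @param next_update interval after issue_time within which a new CRL will be produced
* @return new CRL
*/
X509_CRL X509_CA::new_crl(RandomNumberGenerator& rng,
                          std::chrono::system_clock::time_point issue_time,
                          std::chrono::seconds next_update) const
   {
   std::vector<CRL_Entry> empty;
   return make_crl(empty, 1, rng, issue_time, next_update);
   }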

◆ new_crl() [2/2]

X509_CRL Botan::X509_CA::new_crl ( RandomNumberGenerator rng,
uint32_t  next_update = 604800 
) const

Create a new and empty CRL for this CA, issued at the current system time.

Parameters
rng — the random number generator to use
next_update — the time to set in nextUpdate, in seconds, as an offset from the current time. The default 604800 is seven days.
Returns
new CRL

Definition at line 218 of file x509_ca.cpp.

References new_crl().

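/*
* Create a new, empty CRL issued now.
*
* Convenience overload: the issue time is system_clock::now() and next_update is
* interpreted as a number of seconds from that instant (default 604800 = 7 days).
*
* @param rng the random number generator to use
* @param next_update seconds after now at which a new CRL is promised
* @return new CRL
*/
X509_CRL X509_CA::new_crl(RandomNumberGenerator& rng,
                          uint32_t next_update) const
   {
   return new_crl(rng,
                  std::chrono::system_clock::now(),
                  std::chrono::seconds(next_update));
   }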

◆ operator=() [1/2]

X509_CA& Botan::X509_CA::operator= ( const X509_CA )
delete

◆ operator=() [2/2]

X509_CA& Botan::X509_CA::operator= ( X509_CA &&  )
default

◆ sign_request() [1/2]

X509_Certificate Botan::X509_CA::sign_request ( const PKCS10_Request req,
RandomNumberGenerator rng,
const X509_Time not_before,
const X509_Time not_after 
) const

Sign a PKCS#10 Request, assigning a random 128-bit serial number. The issuer DN comes from the CA certificate; the subject DN and public key come from the request. The extensions of the issued certificate are derived from the request and the CA certificate by choose_extensions() (not shown on this page). Before signing requests from untrusted parties, review what that function carries over from the CSR, in particular any CA or key-usage assertions, and validate the requested validity period; this method makes no check that not_after is later than not_before.

Parameters
req — the request to sign
rng — the rng to use
not_before — the starting time for the certificate
not_after — the expiration time for the certificate
Returns
resulting certificate

Definition at line 136 of file x509_ca.cpp.

References make_cert(), Botan::PKCS10_Request::raw_public_key(), Botan::PKCS10_Request::subject_dn(), and Botan::X509_Certificate::subject_dn().

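/*
* Sign a PKCS #10 request, issuing a certificate with a fresh random serial.
*
* Issuer DN: the CA certificate's subject. Subject DN and public key: taken from
* the request. Extensions: whatever choose_extensions() (not shown here) derives
* from the request and the CA certificate.
*
* NOTE(review): this function does not itself inspect the request; anything
* choose_extensions() copies from the CSR (CA flag, key usage, names) ends up in
* the issued certificate. Apply policy before calling this with untrusted CSRs.
* No check is made that not_after is later than not_before.
*
* @param req the request to sign
* @param rng the rng to use
* @param not_before the starting time for the certificate
* @param not_after the expiration time for the certificate
* @return resulting certificate
*/
X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
                                       RandomNumberGenerator& rng,
                                       const X509_Time& not_before,
                                       const X509_Time& not_after) const
   {
   auto extensions = choose_extensions(req, m_ca_cert, m_hash_fn);

   return make_cert(m_signer.get(), rng, m_ca_sig_algo,
                    req.raw_public_key(),
                    not_before, not_after,
                    m_ca_cert.subject_dn(), req.subject_dn(),
                    extensions);
   }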

◆ sign_request() [2/2]

X509_Certificate Botan::X509_CA::sign_request ( const PKCS10_Request req,
RandomNumberGenerator rng,
const BigInt serial_number,
const X509_Time not_before,
const X509_Time not_after 
) const

Sign a PKCS#10 Request with a caller-chosen serial number. Apart from the serial this behaves like the overload without serial_number: the extensions come from choose_extensions() (not shown on this page), so review what it carries over from the CSR before signing untrusted requests.

Parameters
req — the request to sign
rng — the rng to use
serial_number — the serial number the cert will be assigned. It must be positive, non-zero, at most 20 octets (RFC 5280 4.1.2.2) and unique for this issuer; the caller must guarantee uniqueness and should avoid predictable sequential values.
not_before — the starting time for the certificate
not_after — the expiration time for the certificate
Returns
resulting certificate

Definition at line 118 of file x509_ca.cpp.

References make_cert(), Botan::PKCS10_Request::raw_public_key(), Botan::PKCS10_Request::subject_dn(), and Botan::X509_Certificate::subject_dn().

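/*
* Sign a PKCS #10 request, issuing a certificate with the given serial number.
*
* Same construction as the overload without a serial: issuer DN from the CA
* certificate, subject DN and public key from the request, extensions from
* choose_extensions() (not shown here).
*
* NOTE(review): serial_number uniqueness per issuer is the caller's responsibility;
* this function does not track issued serials. Also see the caveat on the other
* overload about what choose_extensions() copies from the CSR.
*
* @param req the request to sign
* @param rng the rng to use
* @param serial_number the serial number the cert will be assigned
* @param not_before the starting time for the certificate
* @param not_after the expiration time for the certificate
* @return resulting certificate
*/
X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
                                       RandomNumberGenerator& rng,
                                       const BigInt& serial_number,
                                       const X509_Time& not_before,
                                       const X509_Time& not_after) const
   {
   auto extensions = choose_extensions(req, m_ca_cert, m_hash_fn);

   return make_cert(m_signer.get(), rng, serial_number,
                    m_ca_sig_algo, req.raw_public_key(),
                    not_before, not_after,
                    m_ca_cert.subject_dn(), req.subject_dn(),
                    extensions);
   }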

◆ update_crl() [1/2]

X509_CRL Botan::X509_CA::update_crl ( const X509_CRL last_crl,
const std::vector< CRL_Entry > &  new_entries,
RandomNumberGenerator rng,
std::chrono::system_clock::time_point  issue_time,
std::chrono::seconds  next_update 
) const

Create a new CRL from a previous one plus additional entries. All entries of last_crl are kept and new_entries are appended verbatim; nothing is de-duplicated and nothing is ever removed, so the CRL only grows. The CRL number is last_crl's number plus one. No check is made that last_crl was issued by this CA.

Parameters
last_crl — the last CRL of this CA to add the new entries to
new_entries — contains the new CRL entries to be added to the CRL
rng — the random number generator to use
issue_time — the issue time (typically system_clock::now)
next_update — the time interval after issue_time within which a new CRL will be produced

Definition at line 248 of file x509_ca.cpp.

References Botan::X509_CRL::crl_number(), and Botan::X509_CRL::get_revoked().

Referenced by update_crl().

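/*
* Build the successor of last_crl: its entries plus new_revoked, numbered one higher.
*
* The previous entries are carried over unchanged and the new ones appended
* verbatim. Nothing is de-duplicated and nothing is ever dropped, so revoking
* the same serial twice lists it twice and entries for long-expired certificates
* remain in every successor CRL.
*
* NOTE(review): last_crl is trusted as-is; it is not checked here to have been
* issued by this CA (matching issuer / valid signature) before its entries are
* re-signed under this CA's key.
*
* @param last_crl the last CRL of this CA to add the new entries to
* @param new_revoked the new CRL entries to be added
* @param rng the random number generator to use
* @param issue_time the issue time (typically system_clock::now)
* @param next_update interval after issue_time within which a new CRL will be produced
* @return the new CRL
*/
X509_CRL X509_CA::update_crl(const X509_CRL& last_crl,
                             const std::vector<CRL_Entry>& new_revoked,
                             RandomNumberGenerator& rng,
                             std::chrono::system_clock::time_point issue_time,
                             std::chrono::seconds next_update) const
   {
   std::vector<CRL_Entry> revoked = last_crl.get_revoked();

   std::copy(new_revoked.begin(), new_revoked.end(),
             std::back_inserter(revoked));

   return make_crl(revoked, last_crl.crl_number() + 1, rng, issue_time, next_update);
   }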

◆ update_crl() [2/2]

X509_CRL Botan::X509_CA::update_crl ( const X509_CRL last_crl,
const std::vector< CRL_Entry > &  new_entries,
RandomNumberGenerator rng,
uint32_t  next_update = 604800 
) const

Create a new CRL from a previous one plus additional entries, issued at the current system time. Entries are appended to those of last_crl without de-duplication, and the CRL number is incremented by one.

Parameters
last_crl — the last CRL of this CA to add the new entries to
new_entries — contains the new CRL entries to be added to the CRL
rng — the random number generator to use
next_update — the time to set in nextUpdate, in seconds, as an offset from the current time. The default 604800 is seven days.

Definition at line 229 of file x509_ca.cpp.

References update_crl().

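/*
* Extend a CRL, issued now.
*
* Convenience overload: the issue time is system_clock::now() and next_update is
* interpreted as seconds from that instant (default 604800 = 7 days). Entries are
* appended to those of crl without de-duplication; see the other overload.
*
* @param crl the last CRL of this CA to add the new entries to
* @param new_revoked the new CRL entries to be added
* @param rng the random number generator to use
* @param next_update seconds after now at which a new CRL is promised
* @return the new CRL
*/
X509_CRL X509_CA::update_crl(const X509_CRL& crl,
                             const std::vector<CRL_Entry>& new_revoked,
                             RandomNumberGenerator& rng,
                             uint32_t next_update) const
   {
   return update_crl(crl, new_revoked, rng,
                     std::chrono::system_clock::now(),
                     std::chrono::seconds(next_update));
   }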

The documentation for this class was generated from the following files: