Botan::X509_CA Class Reference

#include <x509_ca.h>

Public Member Functions
const AlgorithmIdentifier &	algorithm_identifier () const
const X509_Certificate &	ca_certificate () const
const std::string &	hash_function () const
X509_CRL	new_crl (RandomNumberGenerator &rng, std::chrono::system_clock::time_point issue_time, std::chrono::seconds next_update) const
X509_CRL	new_crl (RandomNumberGenerator &rng, uint32_t next_update=604800) const
X509_CA &	operator= (const X509_CA &)=delete
X509_CA &	operator= (X509_CA &&)=default
X509_Certificate	sign_request (const PKCS10_Request &req, RandomNumberGenerator &rng, const BigInt &serial_number, const X509_Time &not_before, const X509_Time &not_after) const
X509_Certificate	sign_request (const PKCS10_Request &req, RandomNumberGenerator &rng, const X509_Time &not_before, const X509_Time &not_after) const
PK_Signer &	signature_op ()
X509_CRL	update_crl (const X509_CRL &last_crl, const std::vector< CRL_Entry > &new_entries, RandomNumberGenerator &rng, std::chrono::system_clock::time_point issue_time, std::chrono::seconds next_update) const
X509_CRL	update_crl (const X509_CRL &last_crl, const std::vector< CRL_Entry > &new_entries, RandomNumberGenerator &rng, uint32_t next_update=604800) const
	X509_CA (const X509_CA &)=delete
	X509_CA (const X509_Certificate &ca_certificate, const Private_Key &key, const std::map< std::string, std::string > &opts, std::string_view hash_fn, RandomNumberGenerator &rng)
	X509_CA (const X509_Certificate &ca_certificate, const Private_Key &key, std::string_view hash_fn, RandomNumberGenerator &rng)
	X509_CA (const X509_Certificate &ca_certificate, const Private_Key &key, std::string_view hash_fn, std::string_view padding_method, RandomNumberGenerator &rng)
	X509_CA (X509_CA &&)=default
	~X509_CA ()

Static Public Member Functions
static Extensions	choose_extensions (const PKCS10_Request &req, const X509_Certificate &ca_certificate, std::string_view hash_fn)
static X509_Certificate	make_cert (PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &sig_algo, const std::vector< uint8_t > &pub_key, const X509_Time &not_before, const X509_Time &not_after, const X509_DN &issuer_dn, const X509_DN &subject_dn, const Extensions &extensions)
static X509_Certificate	make_cert (PK_Signer &signer, RandomNumberGenerator &rng, const BigInt &serial_number, const AlgorithmIdentifier &sig_algo, const std::vector< uint8_t > &pub_key, const X509_Time &not_before, const X509_Time &not_after, const X509_DN &issuer_dn, const X509_DN &subject_dn, const Extensions &extensions)

Detailed Description

An interface capable of creating new X.509 certificates

Definition at line 27 of file x509_ca.h.

Constructor & Destructor Documentation

X509_CA() [1/5]

Botan::X509_CA::X509_CA	(	const X509_Certificate &	ca_certificate,
		const Private_Key &	key,
		std::string_view	hash_fn,
		std::string_view	padding_method,
		RandomNumberGenerator &	rng
	)

Create a new CA object with custom padding option

This is mostly useful for creating RSA-PSS certificates

Parameters

ca_certificate	the certificate of the CA
key	the private key of the CA
hash_fn	name of a hash function to use for signing
padding_method	name of the signature padding method to use
rng	the random generator to use

Definition at line 22 of file x509_ca.cpp.

                                             :
      m_ca_cert(cert) {
   if(!m_ca_cert.is_CA_cert()) {
      throw Invalid_Argument("X509_CA: This certificate is not for a CA");
   }
 
   m_signer = X509_Object::choose_sig_format(key, rng, hash_fn, padding_method);
   m_ca_sig_algo = m_signer->algorithm_identifier();
   m_hash_fn = m_signer->hash_function();
}

References Botan::X509_Object::choose_sig_format(), and Botan::X509_Certificate::is_CA_cert().

X509_CA() [2/5]

Botan::X509_CA::X509_CA ( const X509_Certificate &  ca_certificate, const Private_Key &  key, std::string_view  hash_fn, RandomNumberGenerator &  rng  )

inline

Create a new CA object.

Parameters

ca_certificate	the certificate of the CA
key	the private key of the CA
hash_fn	name of a hash function to use for signing
rng	the random generator to use

Definition at line 210 of file x509_ca.h.

                                          :
            X509_CA(ca_certificate, key, hash_fn, "", rng) {}

X509_CA() [3/5]

Botan::X509_CA::X509_CA ( const X509_Certificate &  ca_certificate, const Private_Key &  key, const std::map< std::string, std::string > &  opts, std::string_view  hash_fn, RandomNumberGenerator &  rng  )

inline

Create a new CA object.

Parameters

ca_certificate	the certificate of the CA
key	the private key of the CA
opts	additional options, e.g. padding, as key value pairs
hash_fn	name of a hash function to use for signing
rng	the random generator to use

Definition at line 226 of file x509_ca.h.

                                          :
            X509_CA(ca_certificate, key, hash_fn, opts.at("padding"), rng) {}

X509_CA() [4/5]

Botan::X509_CA::X509_CA ( const X509_CA &  )

delete

X509_CA() [5/5]

Botan::X509_CA::X509_CA ( X509_CA &&  )

default

~X509_CA()

Botan::X509_CA::~X509_CA ( )

default

Member Function Documentation

algorithm_identifier()

const AlgorithmIdentifier & Botan::X509_CA::algorithm_identifier ( ) const

inline

Return the algorithm identifier used to identify signatures that this CA will create.

Definition at line 33 of file x509_ca.h.

{ return m_ca_sig_algo; }

Referenced by sign_request(), and sign_request().

ca_certificate()

const X509_Certificate & Botan::X509_CA::ca_certificate ( ) const

inline

Return the CA's certificate

Definition at line 38 of file x509_ca.h.

{ return m_ca_cert; }

Referenced by sign_request(), and sign_request().

choose_extensions()

Extensions Botan::X509_CA::choose_extensions ( const PKCS10_Request &  req, const X509_Certificate &  ca_certificate, std::string_view  hash_fn  )

static

Return the set of extensions that will be used for a certificate.

This is a helper method that is used internally. It is also exposed so you can call it directly and then modify the extensions before creating a certificate using X509_CA::make_cert.

Definition at line 39 of file x509_ca.cpp.

                                                              {
   const auto constraints = req.is_CA() ? Key_Constraints::ca_constraints() : req.constraints();
 
   auto key = req.subject_public_key();
   if(!constraints.compatible_with(*key)) {
      throw Invalid_Argument("The requested key constraints are incompatible with the algorithm");
   }
 
   Extensions extensions = req.extensions();
 
   extensions.replace(std::make_unique<Cert_Extension::Basic_Constraints>(req.is_CA(), req.path_limit()), true);
 
   if(!constraints.empty()) {
      extensions.replace(std::make_unique<Cert_Extension::Key_Usage>(constraints), true);
   }
 
   extensions.replace(std::make_unique<Cert_Extension::Authority_Key_ID>(ca_cert.subject_key_id()));
   extensions.replace(std::make_unique<Cert_Extension::Subject_Key_ID>(req.raw_public_key(), hash_fn));
 
   extensions.replace(std::make_unique<Cert_Extension::Subject_Alternative_Name>(req.subject_alt_name()));
 
   extensions.replace(std::make_unique<Cert_Extension::Extended_Key_Usage>(req.ex_constraints()));
 
   return extensions;
}

References Botan::Key_Constraints::ca_constraints(), Botan::PKCS10_Request::constraints(), Botan::PKCS10_Request::ex_constraints(), Botan::PKCS10_Request::extensions(), Botan::PKCS10_Request::is_CA(), Botan::PKCS10_Request::path_limit(), Botan::PKCS10_Request::raw_public_key(), Botan::Extensions::replace(), Botan::PKCS10_Request::subject_alt_name(), Botan::X509_Certificate::subject_key_id(), and Botan::PKCS10_Request::subject_public_key().

Referenced by sign_request(), and sign_request().

hash_function()

const std::string & Botan::X509_CA::hash_function ( ) const

inline

Return the hash function the CA is using to sign with

Definition at line 43 of file x509_ca.h.

{ return m_hash_fn; }

make_cert() [1/2]

X509_Certificate Botan::X509_CA::make_cert ( PK_Signer &  signer, RandomNumberGenerator &  rng, const AlgorithmIdentifier &  sig_algo, const std::vector< uint8_t > &  pub_key, const X509_Time &  not_before, const X509_Time &  not_after, const X509_DN &  issuer_dn, const X509_DN &  subject_dn, const Extensions &  extensions  )

static

Interface for creating new certificates

Parameters

signer	a signing object
rng	a random number generator
sig_algo	the signature algorithm identifier
pub_key	the serialized public key
not_before	the start time of the certificate
not_after	the end time of the certificate
issuer_dn	the DN of the issuer
subject_dn	the DN of the subject
extensions	an optional list of certificate extensions

Returns

newly minted certificate

Definition at line 106 of file x509_ca.cpp.

                                                                  {
   const size_t SERIAL_BITS = 128;
   BigInt serial_no(rng, SERIAL_BITS);
 
   return make_cert(
      signer, rng, serial_no, sig_algo, pub_key, not_before, not_after, issuer_dn, subject_dn, extensions);
}

References make_cert().

Referenced by Botan::X509::create_self_signed_cert(), make_cert(), sign_request(), and sign_request().

make_cert() [2/2]

X509_Certificate Botan::X509_CA::make_cert ( PK_Signer &  signer, RandomNumberGenerator &  rng, const BigInt &  serial_number, const AlgorithmIdentifier &  sig_algo, const std::vector< uint8_t > &  pub_key, const X509_Time &  not_before, const X509_Time &  not_after, const X509_DN &  issuer_dn, const X509_DN &  subject_dn, const Extensions &  extensions  )

static

Interface for creating new certificates

Parameters

signer	a signing object
rng	a random number generator
serial_number	the serial number the cert will be assigned
sig_algo	the signature algorithm identifier
pub_key	the serialized public key
not_before	the start time of the certificate
not_after	the end time of the certificate
issuer_dn	the DN of the issuer
subject_dn	the DN of the subject
extensions	an optional list of certificate extensions

Returns

newly minted certificate

Definition at line 125 of file x509_ca.cpp.

                                                                  {
   const size_t X509_CERT_VERSION = 3;
 
   // clang-format off
   return X509_Certificate(X509_Object::make_signed(
      signer, rng, sig_algo,
      DER_Encoder().start_sequence()
         .start_explicit(0)
            .encode(X509_CERT_VERSION-1)
         .end_explicit()
 
         .encode(serial_no)
 
         .encode(sig_algo)
         .encode(issuer_dn)
 
         .start_sequence()
            .encode(not_before)
            .encode(not_after)
         .end_cons()
 
         .encode(subject_dn)
         .raw_bytes(pub_key)
 
         .start_explicit(3)
            .start_sequence()
               .encode(extensions)
             .end_cons()
         .end_explicit()
      .end_cons()
      .get_contents()
      ));
   // clang-format on
}

References Botan::X509_Object::make_signed().

new_crl() [1/2]

X509_CRL Botan::X509_CA::new_crl	(	RandomNumberGenerator &	rng,
		std::chrono::system_clock::time_point	issue_time,
		std::chrono::seconds	next_update
	)		const

Create a new and empty CRL for this CA.

Parameters

rng	the random number generator to use
issue_time	the issue time (typically system_clock::now)
next_update	the time interval after issue_data within which a new CRL will be produced.

Returns

new CRL

Definition at line 186 of file x509_ca.cpp.

                                                              {
   std::vector<CRL_Entry> empty;
   return make_crl(empty, 1, rng, issue_time, next_update);
}

Referenced by new_crl().

new_crl() [2/2]

X509_CRL Botan::X509_CA::new_crl	(	RandomNumberGenerator &	rng,
		uint32_t	next_update = 604800
	)		const

Create a new and empty CRL for this CA.

Parameters

rng	the random number generator to use
next_update	the time to set in next update in seconds as the offset from the current time

Returns

new CRL

Definition at line 172 of file x509_ca.cpp.

                                                                                {
   return new_crl(rng, std::chrono::system_clock::now(), std::chrono::seconds(next_update));
}

References new_crl().

operator=() [1/2]

X509_CA & Botan::X509_CA::operator= ( const X509_CA &  )

delete

operator=() [2/2]

X509_CA & Botan::X509_CA::operator= ( X509_CA &&  )

default

sign_request() [1/2]

X509_Certificate Botan::X509_CA::sign_request	(	const PKCS10_Request &	req,
		RandomNumberGenerator &	rng,
		const BigInt &	serial_number,
		const X509_Time &	not_before,
		const X509_Time &	not_after
	)		const

Sign a PKCS#10 Request.

Parameters

req	the request to sign
rng	the rng to use
serial_number	the serial number the cert will be assigned.
not_before	the starting time for the certificate
not_after	the expiration time for the certificate

Returns

resulting certificate

Definition at line 67 of file x509_ca.cpp.

                                                                         {
   auto extensions = choose_extensions(req, m_ca_cert, m_hash_fn);
 
   return make_cert(*m_signer,
                    rng,
                    serial_number,
                    algorithm_identifier(),
                    req.raw_public_key(),
                    not_before,
                    not_after,
                    ca_certificate().subject_dn(),
                    req.subject_dn(),
                    extensions);
}

References algorithm_identifier(), ca_certificate(), choose_extensions(), make_cert(), Botan::PKCS10_Request::raw_public_key(), and Botan::PKCS10_Request::subject_dn().

sign_request() [2/2]

X509_Certificate Botan::X509_CA::sign_request	(	const PKCS10_Request &	req,
		RandomNumberGenerator &	rng,
		const X509_Time &	not_before,
		const X509_Time &	not_after
	)		const

Sign a PKCS#10 Request.

Parameters

req	the request to sign
rng	the rng to use
not_before	the starting time for the certificate
not_after	the expiration time for the certificate

Returns

resulting certificate

Definition at line 89 of file x509_ca.cpp.

                                                                         {
   auto extensions = choose_extensions(req, m_ca_cert, m_hash_fn);
 
   return make_cert(*m_signer,
                    rng,
                    algorithm_identifier(),
                    req.raw_public_key(),
                    not_before,
                    not_after,
                    ca_certificate().subject_dn(),
                    req.subject_dn(),
                    extensions);
}

References algorithm_identifier(), ca_certificate(), choose_extensions(), make_cert(), Botan::PKCS10_Request::raw_public_key(), and Botan::PKCS10_Request::subject_dn().

signature_op()

PK_Signer & Botan::X509_CA::signature_op ( )

inline

Return the signature object this CA uses to sign with

Definition at line 48 of file x509_ca.h.

{ return *m_signer; }

update_crl() [1/2]

X509_CRL Botan::X509_CA::update_crl	(	const X509_CRL &	last_crl,
		const std::vector< CRL_Entry > &	new_entries,
		RandomNumberGenerator &	rng,
		std::chrono::system_clock::time_point	issue_time,
		std::chrono::seconds	next_update
	)		const

Create a new CRL by with additional entries.

Parameters

last_crl	the last CRL of this CA to add the new entries to
new_entries	contains the new CRL entries to be added to the CRL
rng	the random number generator to use
issue_time	the issue time (typically system_clock::now)
next_update	the time interval after issue_data within which a new CRL will be produced.

Definition at line 193 of file x509_ca.cpp.

                                                                 {
   std::vector<CRL_Entry> revoked = last_crl.get_revoked();
 
   std::copy(new_revoked.begin(), new_revoked.end(), std::back_inserter(revoked));
 
   return make_crl(revoked, last_crl.crl_number() + 1, rng, issue_time, next_update);
}

References Botan::X509_CRL::crl_number(), and Botan::X509_CRL::get_revoked().

Referenced by update_crl().

update_crl() [2/2]

X509_CRL Botan::X509_CA::update_crl	(	const X509_CRL &	last_crl,
		const std::vector< CRL_Entry > &	new_entries,
		RandomNumberGenerator &	rng,
		uint32_t	next_update = 604800
	)		const

Create a new CRL by with additional entries.

Parameters

last_crl	the last CRL of this CA to add the new entries to
new_entries	contains the new CRL entries to be added to the CRL
rng	the random number generator to use
next_update	the time to set in next update in seconds as the offset from the current time

Definition at line 179 of file x509_ca.cpp.

                                                         {
   return update_crl(crl, new_revoked, rng, std::chrono::system_clock::now(), std::chrono::seconds(next_update));
}

References update_crl().

---

The documentation for this class was generated from the following files:

• src/lib/x509/x509_ca.h
• src/lib/x509/x509_ca.cpp