Botan 3.9.0
Crypto and TLS for C&
x509_ca.cpp
Go to the documentation of this file.
1/*
2* X.509 Certificate Authority
3* (C) 1999-2010,2023 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/x509_ca.h>
9
10#include <botan/bigint.h>
11#include <botan/der_enc.h>
12#include <botan/pkcs10.h>
13#include <botan/pubkey.h>
14#include <botan/x509_ext.h>
15#include <botan/x509_key.h>
16
17namespace Botan {
18
19/*
20* Load the certificate and private key
21*/
23 const Private_Key& key,
24 std::string_view hash_fn,
25 std::string_view padding_method,
27 m_ca_cert(cert) {
28 if(!m_ca_cert.is_CA_cert()) {
29 throw Invalid_Argument("X509_CA: This certificate is not for a CA");
30 }
31
32 m_signer = X509_Object::choose_sig_format(key, rng, hash_fn, padding_method);
33 m_ca_sig_algo = m_signer->algorithm_identifier();
34 m_hash_fn = m_signer->hash_function();
35}
36
37X509_CA::X509_CA(X509_CA&&) noexcept = default;
38X509_CA& X509_CA::operator=(X509_CA&&) noexcept = default;
39
40X509_CA::~X509_CA() = default;
41
43 const X509_Certificate& ca_cert,
44 std::string_view hash_fn) {
45 const auto constraints = req.is_CA() ? Key_Constraints::ca_constraints() : req.constraints();
46
47 auto key = req.subject_public_key();
48 if(!constraints.compatible_with(*key)) {
49 throw Invalid_Argument("The requested key constraints are incompatible with the algorithm");
50 }
51
52 Extensions extensions = req.extensions();
53
54 extensions.replace(std::make_unique<Cert_Extension::Basic_Constraints>(req.is_CA(), req.path_length_constraint()),
55 true);
56
57 if(!constraints.empty()) {
58 extensions.replace(std::make_unique<Cert_Extension::Key_Usage>(constraints), true);
59 }
60
61 extensions.replace(std::make_unique<Cert_Extension::Authority_Key_ID>(ca_cert.subject_key_id()));
62 extensions.replace(std::make_unique<Cert_Extension::Subject_Key_ID>(req.raw_public_key(), hash_fn));
63
64 extensions.replace(std::make_unique<Cert_Extension::Subject_Alternative_Name>(req.subject_alt_name()));
65
66 extensions.replace(std::make_unique<Cert_Extension::Extended_Key_Usage>(req.ex_constraints()));
67
68 return extensions;
69}
70
73 const BigInt& serial_number,
74 const X509_Time& not_before,
75 const X509_Time& not_after) const {
76 auto extensions = choose_extensions(req, m_ca_cert, m_hash_fn);
77
78 return make_cert(*m_signer,
79 rng,
80 serial_number,
82 req.raw_public_key(),
83 not_before,
84 not_after,
85 ca_certificate().subject_dn(),
86 req.subject_dn(),
87 extensions);
88}
89
90/*
91* Sign a PKCS #10 certificate request
92*/
95 const X509_Time& not_before,
96 const X509_Time& not_after) const {
97 auto extensions = choose_extensions(req, m_ca_cert, m_hash_fn);
98
99 return make_cert(*m_signer,
100 rng,
102 req.raw_public_key(),
103 not_before,
104 not_after,
105 ca_certificate().subject_dn(),
106 req.subject_dn(),
107 extensions);
108}
109
112 const AlgorithmIdentifier& sig_algo,
113 const std::vector<uint8_t>& pub_key,
114 const X509_Time& not_before,
115 const X509_Time& not_after,
116 const X509_DN& issuer_dn,
117 const X509_DN& subject_dn,
118 const Extensions& extensions) {
119 const size_t SERIAL_BITS = 128;
120 BigInt serial_no(rng, SERIAL_BITS);
121
122 return make_cert(
123 signer, rng, serial_no, sig_algo, pub_key, not_before, not_after, issuer_dn, subject_dn, extensions);
124}
125
126/*
127* Create a new certificate
128*/
131 const BigInt& serial_no,
132 const AlgorithmIdentifier& sig_algo,
133 const std::vector<uint8_t>& pub_key,
134 const X509_Time& not_before,
135 const X509_Time& not_after,
136 const X509_DN& issuer_dn,
137 const X509_DN& subject_dn,
138 const Extensions& extensions) {
139 const size_t X509_CERT_VERSION = 3;
140
141 // clang-format off
143 signer, rng, sig_algo,
144 DER_Encoder().start_sequence()
145 .start_explicit(0)
146 .encode(X509_CERT_VERSION-1)
147 .end_explicit()
148
149 .encode(serial_no)
150
151 .encode(sig_algo)
152 .encode(issuer_dn)
153
154 .start_sequence()
155 .encode(not_before)
156 .encode(not_after)
157 .end_cons()
158
159 .encode(subject_dn)
160 .raw_bytes(pub_key)
161
162 .start_explicit(3)
163 .start_sequence()
164 .encode(extensions)
165 .end_cons()
166 .end_explicit()
167 .end_cons()
168 .get_contents()
169 ));
170 // clang-format on
171}
172
173/*
174* Create a new, empty CRL
175*/
176X509_CRL X509_CA::new_crl(RandomNumberGenerator& rng, uint32_t next_update) const {
177 return new_crl(rng, std::chrono::system_clock::now(), std::chrono::seconds(next_update));
178}
179
180/*
181* Update a CRL with new entries
182*/
184 const std::vector<CRL_Entry>& new_revoked,
186 uint32_t next_update) const {
187 return update_crl(crl, new_revoked, rng, std::chrono::system_clock::now(), std::chrono::seconds(next_update));
188}
189
191 std::chrono::system_clock::time_point issue_time,
192 std::chrono::seconds next_update) const {
193 std::vector<CRL_Entry> empty;
194 return make_crl(empty, 1, rng, issue_time, next_update);
195}
196
198 const std::vector<CRL_Entry>& new_revoked,
200 std::chrono::system_clock::time_point issue_time,
201 std::chrono::seconds next_update) const {
202 std::vector<CRL_Entry> revoked = last_crl.get_revoked();
203
204 std::copy(new_revoked.begin(), new_revoked.end(), std::back_inserter(revoked));
205
206 return make_crl(revoked, last_crl.crl_number() + 1, rng, issue_time, next_update);
207}
208
209/*
210* Create a CRL
211*/
212X509_CRL X509_CA::make_crl(const std::vector<CRL_Entry>& revoked,
213 uint32_t crl_number,
215 std::chrono::system_clock::time_point issue_time,
216 std::chrono::seconds next_update) const {
217 const size_t X509_CRL_VERSION = 2;
218
219 auto expire_time = issue_time + next_update;
220
221 Extensions extensions;
222 extensions.add(std::make_unique<Cert_Extension::Authority_Key_ID>(m_ca_cert.subject_key_id()));
223 extensions.add(std::make_unique<Cert_Extension::CRL_Number>(crl_number));
224
225 // clang-format off
226 const std::vector<uint8_t> crl = X509_Object::make_signed(
227 *m_signer, rng, m_ca_sig_algo,
228 DER_Encoder().start_sequence()
229 .encode(X509_CRL_VERSION-1)
230 .encode(m_ca_sig_algo)
231 .encode(m_ca_cert.subject_dn())
232 .encode(X509_Time(issue_time))
233 .encode(X509_Time(expire_time))
234 .encode_if(!revoked.empty(),
236 .start_sequence()
237 .encode_list(revoked)
238 .end_cons()
239 )
240 .start_explicit(0)
241 .start_sequence()
242 .encode(extensions)
243 .end_cons()
244 .end_explicit()
245 .end_cons()
246 .get_contents());
247 // clang-format on
248
249 return X509_CRL(crl);
250}
251
252} // namespace Botan
std::vector< std::pair< std::unique_ptr< Certificate_Extension >, bool > > extensions() const
Definition x509_ext.cpp:225
void add(std::unique_ptr< Certificate_Extension > extn, bool critical=false)
Definition x509_ext.cpp:143
static Key_Constraints ca_constraints()
Definition pkix_enums.h:161
const X509_DN & subject_dn() const
Definition pkcs10.cpp:189
const std::vector< uint8_t > & raw_public_key() const
Definition pkcs10.cpp:196
X509_CRL new_crl(RandomNumberGenerator &rng, std::chrono::system_clock::time_point issue_time, std::chrono::seconds next_update) const
Definition x509_ca.cpp:190
static X509_Certificate make_cert(PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &sig_algo, const std::vector< uint8_t > &pub_key, const X509_Time &not_before, const X509_Time &not_after, const X509_DN &issuer_dn, const X509_DN &subject_dn, const Extensions &extensions)
Definition x509_ca.cpp:110
X509_CRL update_crl(const X509_CRL &last_crl, const std::vector< CRL_Entry > &new_entries, RandomNumberGenerator &rng, std::chrono::system_clock::time_point issue_time, std::chrono::seconds next_update) const
Definition x509_ca.cpp:197
X509_CA(const X509_Certificate &ca_certificate, const Private_Key &key, std::string_view hash_fn, std::string_view padding_method, RandomNumberGenerator &rng)
Definition x509_ca.cpp:22
const AlgorithmIdentifier & algorithm_identifier() const
Definition x509_ca.h:33
const X509_Certificate & ca_certificate() const
Definition x509_ca.h:38
static Extensions choose_extensions(const PKCS10_Request &req, const X509_Certificate &ca_certificate, std::string_view hash_fn)
Definition x509_ca.cpp:42
X509_Certificate sign_request(const PKCS10_Request &req, RandomNumberGenerator &rng, const X509_Time &not_before, const X509_Time &not_after) const
Definition x509_ca.cpp:93
const std::vector< CRL_Entry > & get_revoked() const
Definition x509_crl.cpp:202
uint32_t crl_number() const
Definition x509_crl.cpp:227
const X509_DN & subject_dn() const
Definition x509cert.cpp:411
const std::vector< uint8_t > & subject_key_id() const
Definition x509cert.cpp:395
static std::unique_ptr< PK_Signer > choose_sig_format(const Private_Key &key, RandomNumberGenerator &rng, std::string_view hash_fn, std::string_view padding_algo)
Definition x509_obj.cpp:209
static std::vector< uint8_t > make_signed(PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &tbs)
Definition x509_obj.cpp:125
ASN1_Time X509_Time
Definition asn1_obj.h:424