Botan 3.2.0
Crypto and TLS for C&
x509_ca.cpp
Go to the documentation of this file.
1/*
2* X.509 Certificate Authority
3* (C) 1999-2010,2023 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/x509_ca.h>
9
10#include <botan/bigint.h>
11#include <botan/der_enc.h>
12#include <botan/pkcs10.h>
13#include <botan/pubkey.h>
14#include <botan/x509_ext.h>
15#include <botan/x509_key.h>
16
17namespace Botan {
18
19/*
20* Load the certificate and private key
21*/
22X509_CA::X509_CA(const X509_Certificate& cert,
23 const Private_Key& key,
24 std::string_view hash_fn,
25 std::string_view padding_method,
26 RandomNumberGenerator& rng) :
27 m_ca_cert(cert) {
28 if(!m_ca_cert.is_CA_cert()) {
29 throw Invalid_Argument("X509_CA: This certificate is not for a CA");
30 }
31
32 m_signer = X509_Object::choose_sig_format(key, rng, hash_fn, padding_method);
33 m_ca_sig_algo = m_signer->algorithm_identifier();
34 m_hash_fn = m_signer->hash_function();
35}
36
37X509_CA::~X509_CA() = default;
38
39Extensions X509_CA::choose_extensions(const PKCS10_Request& req,
40 const X509_Certificate& ca_cert,
41 std::string_view hash_fn) {
42 const auto constraints = req.is_CA() ? Key_Constraints::ca_constraints() : req.constraints();
43
44 auto key = req.subject_public_key();
45 if(!constraints.compatible_with(*key)) {
46 throw Invalid_Argument("The requested key constraints are incompatible with the algorithm");
47 }
48
49 Extensions extensions = req.extensions();
50
51 extensions.replace(std::make_unique<Cert_Extension::Basic_Constraints>(req.is_CA(), req.path_limit()), true);
52
53 if(!constraints.empty()) {
54 extensions.replace(std::make_unique<Cert_Extension::Key_Usage>(constraints), true);
55 }
56
57 extensions.replace(std::make_unique<Cert_Extension::Authority_Key_ID>(ca_cert.subject_key_id()));
58 extensions.replace(std::make_unique<Cert_Extension::Subject_Key_ID>(req.raw_public_key(), hash_fn));
59
60 extensions.replace(std::make_unique<Cert_Extension::Subject_Alternative_Name>(req.subject_alt_name()));
61
62 extensions.replace(std::make_unique<Cert_Extension::Extended_Key_Usage>(req.ex_constraints()));
63
64 return extensions;
65}
66
67X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
68 RandomNumberGenerator& rng,
69 const BigInt& serial_number,
70 const X509_Time& not_before,
71 const X509_Time& not_after) const {
72 auto extensions = choose_extensions(req, m_ca_cert, m_hash_fn);
73
74 return make_cert(*m_signer,
75 rng,
76 serial_number,
77 algorithm_identifier(),
78 req.raw_public_key(),
79 not_before,
80 not_after,
81 ca_certificate().subject_dn(),
82 req.subject_dn(),
83 extensions);
84}
85
86/*
87* Sign a PKCS #10 certificate request
88*/
89X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
90 RandomNumberGenerator& rng,
91 const X509_Time& not_before,
92 const X509_Time& not_after) const {
93 auto extensions = choose_extensions(req, m_ca_cert, m_hash_fn);
94
95 return make_cert(*m_signer,
96 rng,
97 algorithm_identifier(),
98 req.raw_public_key(),
99 not_before,
100 not_after,
101 ca_certificate().subject_dn(),
102 req.subject_dn(),
103 extensions);
104}
105
106X509_Certificate X509_CA::make_cert(PK_Signer& signer,
107 RandomNumberGenerator& rng,
108 const AlgorithmIdentifier& sig_algo,
109 const std::vector<uint8_t>& pub_key,
110 const X509_Time& not_before,
111 const X509_Time& not_after,
112 const X509_DN& issuer_dn,
113 const X509_DN& subject_dn,
114 const Extensions& extensions) {
115 const size_t SERIAL_BITS = 128;
116 BigInt serial_no(rng, SERIAL_BITS);
117
118 return make_cert(
119 signer, rng, serial_no, sig_algo, pub_key, not_before, not_after, issuer_dn, subject_dn, extensions);
120}
121
122/*
123* Create a new certificate
124*/
125X509_Certificate X509_CA::make_cert(PK_Signer& signer,
126 RandomNumberGenerator& rng,
127 const BigInt& serial_no,
128 const AlgorithmIdentifier& sig_algo,
129 const std::vector<uint8_t>& pub_key,
130 const X509_Time& not_before,
131 const X509_Time& not_after,
132 const X509_DN& issuer_dn,
133 const X509_DN& subject_dn,
134 const Extensions& extensions) {
135 const size_t X509_CERT_VERSION = 3;
136
137 // clang-format off
138 return X509_Certificate(X509_Object::make_signed(
139 signer, rng, sig_algo,
140 DER_Encoder().start_sequence()
141 .start_explicit(0)
142 .encode(X509_CERT_VERSION-1)
143 .end_explicit()
144
145 .encode(serial_no)
146
147 .encode(sig_algo)
148 .encode(issuer_dn)
149
150 .start_sequence()
151 .encode(not_before)
152 .encode(not_after)
153 .end_cons()
154
155 .encode(subject_dn)
156 .raw_bytes(pub_key)
157
158 .start_explicit(3)
159 .start_sequence()
160 .encode(extensions)
161 .end_cons()
162 .end_explicit()
163 .end_cons()
164 .get_contents()
165 ));
166 // clang-format on
167}
168
169/*
170* Create a new, empty CRL
171*/
172X509_CRL X509_CA::new_crl(RandomNumberGenerator& rng, uint32_t next_update) const {
173 return new_crl(rng, std::chrono::system_clock::now(), std::chrono::seconds(next_update));
174}
175
176/*
177* Update a CRL with new entries
178*/
179X509_CRL X509_CA::update_crl(const X509_CRL& crl,
180 const std::vector<CRL_Entry>& new_revoked,
181 RandomNumberGenerator& rng,
182 uint32_t next_update) const {
183 return update_crl(crl, new_revoked, rng, std::chrono::system_clock::now(), std::chrono::seconds(next_update));
184}
185
186X509_CRL X509_CA::new_crl(RandomNumberGenerator& rng,
187 std::chrono::system_clock::time_point issue_time,
188 std::chrono::seconds next_update) const {
189 std::vector<CRL_Entry> empty;
190 return make_crl(empty, 1, rng, issue_time, next_update);
191}
192
193X509_CRL X509_CA::update_crl(const X509_CRL& last_crl,
194 const std::vector<CRL_Entry>& new_revoked,
195 RandomNumberGenerator& rng,
196 std::chrono::system_clock::time_point issue_time,
197 std::chrono::seconds next_update) const {
198 std::vector<CRL_Entry> revoked = last_crl.get_revoked();
199
200 std::copy(new_revoked.begin(), new_revoked.end(), std::back_inserter(revoked));
201
202 return make_crl(revoked, last_crl.crl_number() + 1, rng, issue_time, next_update);
203}
204
205/*
206* Create a CRL
207*/
208X509_CRL X509_CA::make_crl(const std::vector<CRL_Entry>& revoked,
209 uint32_t crl_number,
210 RandomNumberGenerator& rng,
211 std::chrono::system_clock::time_point issue_time,
212 std::chrono::seconds next_update) const {
213 const size_t X509_CRL_VERSION = 2;
214
215 auto expire_time = issue_time + next_update;
216
217 Extensions extensions;
218 extensions.add(std::make_unique<Cert_Extension::Authority_Key_ID>(m_ca_cert.subject_key_id()));
219 extensions.add(std::make_unique<Cert_Extension::CRL_Number>(crl_number));
220
221 // clang-format off
222 const std::vector<uint8_t> crl = X509_Object::make_signed(
223 *m_signer, rng, m_ca_sig_algo,
224 DER_Encoder().start_sequence()
225 .encode(X509_CRL_VERSION-1)
226 .encode(m_ca_sig_algo)
227 .encode(m_ca_cert.subject_dn())
228 .encode(X509_Time(issue_time))
229 .encode(X509_Time(expire_time))
230 .encode_if(!revoked.empty(),
231 DER_Encoder()
232 .start_sequence()
233 .encode_list(revoked)
234 .end_cons()
235 )
236 .start_explicit(0)
237 .start_sequence()
238 .encode(extensions)
239 .end_cons()
240 .end_explicit()
241 .end_cons()
242 .get_contents());
243 // clang-format on
244
245 return X509_CRL(crl);
246}
247
248} // namespace Botan
Botan::ASN1_Time
Definition asn1_obj.h:341
Botan::DER_Encoder
Definition der_enc.h:22
Botan::Extensions::replace
void replace(std::unique_ptr< Certificate_Extension > extn, bool critical=false)
Definition x509_ext.cpp:159
Botan::Extensions::add
void add(std::unique_ptr< Certificate_Extension > extn, bool critical=false)
Definition x509_ext.cpp:124
Botan::Invalid_Argument
Definition exceptn.h:131
Botan::Key_Constraints::ca_constraints
static Key_Constraints ca_constraints()
Definition pkix_enums.h:149
Botan::PKCS10_Request
Definition pkcs10.h:28
Botan::PKCS10_Request::subject_public_key
std::unique_ptr< Public_Key > subject_public_key() const
Definition pkcs10.cpp:203
Botan::PKCS10_Request::subject_dn
const X509_DN & subject_dn() const
Definition pkcs10.cpp:189
Botan::PKCS10_Request::ex_constraints
std::vector< OID > ex_constraints() const
Definition pkcs10.cpp:236
Botan::PKCS10_Request::path_limit
size_t path_limit() const
Definition pkcs10.cpp:258
Botan::PKCS10_Request::raw_public_key
const std::vector< uint8_t > & raw_public_key() const
Definition pkcs10.cpp:196
Botan::PKCS10_Request::constraints
Key_Constraints constraints() const
Definition pkcs10.cpp:225
Botan::PKCS10_Request::is_CA
bool is_CA() const
Definition pkcs10.cpp:247
Botan::PKCS10_Request::subject_alt_name
const AlternativeName & subject_alt_name() const
Definition pkcs10.cpp:211
Botan::PKCS10_Request::extensions
const Extensions & extensions() const
Definition pkcs10.cpp:218
Botan::PK_Signer
Definition pubkey.h:155
Botan::Private_Key
Definition pk_keys.h:240
Botan::X509_CA::new_crl
X509_CRL new_crl(RandomNumberGenerator &rng, std::chrono::system_clock::time_point issue_time, std::chrono::seconds next_update) const
Definition x509_ca.cpp:186
Botan::X509_CA::make_cert
static X509_Certificate make_cert(PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &sig_algo, const std::vector< uint8_t > &pub_key, const X509_Time &not_before, const X509_Time &not_after, const X509_DN &issuer_dn, const X509_DN &subject_dn, const Extensions &extensions)
Definition x509_ca.cpp:106
Botan::X509_CA::update_crl
X509_CRL update_crl(const X509_CRL &last_crl, const std::vector< CRL_Entry > &new_entries, RandomNumberGenerator &rng, std::chrono::system_clock::time_point issue_time, std::chrono::seconds next_update) const
Definition x509_ca.cpp:193
Botan::X509_CA::~X509_CA
~X509_CA()
Botan::X509_CA::X509_CA
X509_CA(const X509_Certificate &ca_certificate, const Private_Key &key, std::string_view hash_fn, std::string_view padding_method, RandomNumberGenerator &rng)
Definition x509_ca.cpp:22
Botan::X509_CA::algorithm_identifier
const AlgorithmIdentifier & algorithm_identifier() const
Definition x509_ca.h:33
Botan::X509_CA::ca_certificate
const X509_Certificate & ca_certificate() const
Definition x509_ca.h:38
Botan::X509_CA::choose_extensions
static Extensions choose_extensions(const PKCS10_Request &req, const X509_Certificate &ca_certificate, std::string_view hash_fn)
Definition x509_ca.cpp:39
Botan::X509_CA::sign_request
X509_Certificate sign_request(const PKCS10_Request &req, RandomNumberGenerator &rng, const X509_Time &not_before, const X509_Time &not_after) const
Definition x509_ca.cpp:89
Botan::X509_CRL
Definition x509_crl.h:89
Botan::X509_CRL::get_revoked
const std::vector< CRL_Entry > & get_revoked() const
Definition x509_crl.cpp:196
Botan::X509_CRL::crl_number
uint32_t crl_number() const
Definition x509_crl.cpp:217
Botan::X509_Certificate
Definition x509cert.h:36
Botan::X509_Certificate::is_CA_cert
bool is_CA_cert() const
Definition x509cert.cpp:374
Botan::X509_Certificate::subject_dn
const X509_DN & subject_dn() const
Definition x509cert.cpp:362
Botan::X509_Certificate::subject_key_id
const std::vector< uint8_t > & subject_key_id() const
Definition x509cert.cpp:346
Botan::X509_DN
Definition pkix_types.h:37
Botan::X509_Object::choose_sig_format
static std::unique_ptr< PK_Signer > choose_sig_format(const Private_Key &key, RandomNumberGenerator &rng, std::string_view hash_fn, std::string_view padding_algo)
Definition x509_obj.cpp:209
Botan::X509_Object::make_signed
static std::vector< uint8_t > make_signed(PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &tbs)
Definition x509_obj.cpp:125
Botan::X509_Time
ASN1_Time X509_Time
Definition asn1_obj.h:402
Generated by doxygen 1.9.8