Botan 3.11.0
Crypto and TLS for C&
x509_ca.cpp
Go to the documentation of this file.
1/*
2* X.509 Certificate Authority
3* (C) 1999-2010,2023 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/x509_ca.h>
9
10#include <botan/asn1_obj.h>
11#include <botan/asn1_time.h>
12#include <botan/bigint.h>
13#include <botan/der_enc.h>
14#include <botan/pkcs10.h>
15#include <botan/pubkey.h>
16#include <botan/x509_ext.h>
17
18namespace Botan {
19
20/*
21* Load the certificate and private key
22*/
23X509_CA::X509_CA(const X509_Certificate& cert,
24 const Private_Key& key,
25 std::string_view hash_fn,
26 std::string_view padding_method,
27 RandomNumberGenerator& rng) :
28 m_ca_cert(cert) {
29 if(!m_ca_cert.is_CA_cert()) {
30 throw Invalid_Argument("X509_CA: This certificate is not for a CA");
31 }
32
33 m_signer = X509_Object::choose_sig_format(key, rng, hash_fn, padding_method);
34 m_ca_sig_algo = m_signer->algorithm_identifier();
35 m_hash_fn = m_signer->hash_function();
36}
37
38X509_CA::X509_CA(X509_CA&&) noexcept = default;
39X509_CA& X509_CA::operator=(X509_CA&&) noexcept = default;
40
41X509_CA::~X509_CA() = default;
42
43Extensions X509_CA::choose_extensions(const PKCS10_Request& req,
44 const X509_Certificate& ca_cert,
45 std::string_view hash_fn) {
46 const auto constraints = req.is_CA() ? Key_Constraints::ca_constraints() : req.constraints();
47
48 auto key = req.subject_public_key();
49 if(!constraints.compatible_with(*key)) {
50 throw Invalid_Argument("The requested key constraints are incompatible with the algorithm");
51 }
52
53 Extensions extensions = req.extensions();
54
55 extensions.replace(std::make_unique<Cert_Extension::Basic_Constraints>(req.is_CA(), req.path_length_constraint()),
56 true);
57
58 if(!constraints.empty()) {
59 extensions.replace(std::make_unique<Cert_Extension::Key_Usage>(constraints), true);
60 }
61
62 extensions.replace(std::make_unique<Cert_Extension::Authority_Key_ID>(ca_cert.subject_key_id()));
63 extensions.replace(std::make_unique<Cert_Extension::Subject_Key_ID>(req.raw_public_key(), hash_fn));
64
65 extensions.replace(std::make_unique<Cert_Extension::Subject_Alternative_Name>(req.subject_alt_name()));
66
67 extensions.replace(std::make_unique<Cert_Extension::Extended_Key_Usage>(req.ex_constraints()));
68
69 return extensions;
70}
71
72X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
73 RandomNumberGenerator& rng,
74 const BigInt& serial_number,
75 const X509_Time& not_before,
76 const X509_Time& not_after) const {
77 auto extensions = choose_extensions(req, m_ca_cert, m_hash_fn);
78
79 return make_cert(*m_signer,
80 rng,
81 serial_number,
82 algorithm_identifier(),
83 req.raw_public_key(),
84 not_before,
85 not_after,
86 ca_certificate().subject_dn(),
87 req.subject_dn(),
88 extensions);
89}
90
91/*
92* Sign a PKCS #10 certificate request
93*/
94X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
95 RandomNumberGenerator& rng,
96 const X509_Time& not_before,
97 const X509_Time& not_after) const {
98 auto extensions = choose_extensions(req, m_ca_cert, m_hash_fn);
99
100 return make_cert(*m_signer,
101 rng,
102 algorithm_identifier(),
103 req.raw_public_key(),
104 not_before,
105 not_after,
106 ca_certificate().subject_dn(),
107 req.subject_dn(),
108 extensions);
109}
110
111X509_Certificate X509_CA::make_cert(PK_Signer& signer,
112 RandomNumberGenerator& rng,
113 const AlgorithmIdentifier& sig_algo,
114 const std::vector<uint8_t>& pub_key,
115 const X509_Time& not_before,
116 const X509_Time& not_after,
117 const X509_DN& issuer_dn,
118 const X509_DN& subject_dn,
119 const Extensions& extensions) {
120 const size_t SERIAL_BITS = 128;
121 const BigInt serial_no(rng, SERIAL_BITS);
122
123 return make_cert(
124 signer, rng, serial_no, sig_algo, pub_key, not_before, not_after, issuer_dn, subject_dn, extensions);
125}
126
127/*
128* Create a new certificate
129*/
130X509_Certificate X509_CA::make_cert(PK_Signer& signer,
131 RandomNumberGenerator& rng,
132 const BigInt& serial_no,
133 const AlgorithmIdentifier& sig_algo,
134 const std::vector<uint8_t>& pub_key,
135 const X509_Time& not_before,
136 const X509_Time& not_after,
137 const X509_DN& issuer_dn,
138 const X509_DN& subject_dn,
139 const Extensions& extensions) {
140 const size_t X509_CERT_VERSION = 3;
141
142 // clang-format off
143 return X509_Certificate(X509_Object::make_signed(
144 signer, rng, sig_algo,
145 DER_Encoder().start_sequence()
146 .start_explicit(0)
147 .encode(X509_CERT_VERSION-1)
148 .end_explicit()
149
150 .encode(serial_no)
151
152 .encode(sig_algo)
153 .encode(issuer_dn)
154
155 .start_sequence()
156 .encode(not_before)
157 .encode(not_after)
158 .end_cons()
159
160 .encode(subject_dn)
161 .raw_bytes(pub_key)
162
163 .start_explicit(3)
164 .start_sequence()
165 .encode(extensions)
166 .end_cons()
167 .end_explicit()
168 .end_cons()
169 .get_contents_unlocked()
170 ));
171 // clang-format on
172}
173
174/*
175* Create a new, empty CRL
176*/
177X509_CRL X509_CA::new_crl(RandomNumberGenerator& rng, uint32_t next_update) const {
178 return new_crl(rng, std::chrono::system_clock::now(), std::chrono::seconds(next_update));
179}
180
181/*
182* Update a CRL with new entries
183*/
184X509_CRL X509_CA::update_crl(const X509_CRL& crl,
185 const std::vector<CRL_Entry>& new_revoked,
186 RandomNumberGenerator& rng,
187 uint32_t next_update) const {
188 return update_crl(crl, new_revoked, rng, std::chrono::system_clock::now(), std::chrono::seconds(next_update));
189}
190
191X509_CRL X509_CA::new_crl(RandomNumberGenerator& rng,
192 std::chrono::system_clock::time_point issue_time,
193 std::chrono::seconds next_update) const {
194 const std::vector<CRL_Entry> empty;
195 return make_crl(empty, 1, rng, issue_time, next_update);
196}
197
198X509_CRL X509_CA::update_crl(const X509_CRL& last_crl,
199 const std::vector<CRL_Entry>& new_revoked,
200 RandomNumberGenerator& rng,
201 std::chrono::system_clock::time_point issue_time,
202 std::chrono::seconds next_update) const {
203 std::vector<CRL_Entry> revoked = last_crl.get_revoked();
204
205 std::copy(new_revoked.begin(), new_revoked.end(), std::back_inserter(revoked));
206
207 return make_crl(revoked, last_crl.crl_number() + 1, rng, issue_time, next_update);
208}
209
210/*
211* Create a CRL
212*/
213X509_CRL X509_CA::make_crl(const std::vector<CRL_Entry>& revoked,
214 uint32_t crl_number,
215 RandomNumberGenerator& rng,
216 std::chrono::system_clock::time_point issue_time,
217 std::chrono::seconds next_update) const {
218 const size_t X509_CRL_VERSION = 2;
219
220 auto expire_time = issue_time + next_update;
221
222 Extensions extensions;
223 extensions.add(std::make_unique<Cert_Extension::Authority_Key_ID>(m_ca_cert.subject_key_id()));
224 extensions.add(std::make_unique<Cert_Extension::CRL_Number>(crl_number));
225
226 // clang-format off
227 const std::vector<uint8_t> crl = X509_Object::make_signed(
228 *m_signer, rng, m_ca_sig_algo,
229 DER_Encoder().start_sequence()
230 .encode(X509_CRL_VERSION-1)
231 .encode(m_ca_sig_algo)
232 .encode(m_ca_cert.subject_dn())
233 .encode(X509_Time(issue_time))
234 .encode(X509_Time(expire_time))
235 .encode_if(!revoked.empty(),
236 DER_Encoder()
237 .start_sequence()
238 .encode_list(revoked)
239 .end_cons()
240 )
241 .start_explicit(0)
242 .start_sequence()
243 .encode(extensions)
244 .end_cons()
245 .end_explicit()
246 .end_cons()
247 .get_contents_unlocked());
248 // clang-format on
249
250 return X509_CRL(crl);
251}
252
253} // namespace Botan
Botan::DER_Encoder
Definition der_enc.h:25
Botan::Extensions::extensions
std::vector< std::pair< std::unique_ptr< Certificate_Extension >, bool > > extensions() const
Definition x509_ext.cpp:225
Botan::Extensions::add
void add(std::unique_ptr< Certificate_Extension > extn, bool critical=false)
Definition x509_ext.cpp:143
Botan::Key_Constraints::ca_constraints
static Key_Constraints ca_constraints()
Definition pkix_enums.h:161
Botan::PKCS10_Request
Definition pkcs10.h:28
Botan::PKCS10_Request::subject_dn
const X509_DN & subject_dn() const
Definition pkcs10.cpp:189
Botan::PKCS10_Request::raw_public_key
const std::vector< uint8_t > & raw_public_key() const
Definition pkcs10.cpp:196
Botan::PK_Signer
Definition pubkey.h:154
Botan::Private_Key
Definition pk_keys.h:294
Botan::X509_CA
Definition x509_ca.h:27
Botan::X509_CA::new_crl
X509_CRL new_crl(RandomNumberGenerator &rng, std::chrono::system_clock::time_point issue_time, std::chrono::seconds next_update) const
Definition x509_ca.cpp:191
Botan::X509_CA::make_cert
static X509_Certificate make_cert(PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &sig_algo, const std::vector< uint8_t > &pub_key, const X509_Time &not_before, const X509_Time &not_after, const X509_DN &issuer_dn, const X509_DN &subject_dn, const Extensions &extensions)
Definition x509_ca.cpp:111
Botan::X509_CA::update_crl
X509_CRL update_crl(const X509_CRL &last_crl, const std::vector< CRL_Entry > &new_entries, RandomNumberGenerator &rng, std::chrono::system_clock::time_point issue_time, std::chrono::seconds next_update) const
Definition x509_ca.cpp:198
Botan::X509_CA::X509_CA
X509_CA(const X509_Certificate &ca_certificate, const Private_Key &key, std::string_view hash_fn, std::string_view padding_method, RandomNumberGenerator &rng)
Definition x509_ca.cpp:23
Botan::X509_CA::algorithm_identifier
const AlgorithmIdentifier & algorithm_identifier() const
Definition x509_ca.h:33
Botan::X509_CA::ca_certificate
const X509_Certificate & ca_certificate() const
Definition x509_ca.h:38
Botan::X509_CA::choose_extensions
static Extensions choose_extensions(const PKCS10_Request &req, const X509_Certificate &ca_certificate, std::string_view hash_fn)
Definition x509_ca.cpp:43
Botan::X509_CA::sign_request
X509_Certificate sign_request(const PKCS10_Request &req, RandomNumberGenerator &rng, const X509_Time &not_before, const X509_Time &not_after) const
Definition x509_ca.cpp:94
Botan::X509_CRL
Definition x509_crl.h:90
Botan::X509_CRL::get_revoked
const std::vector< CRL_Entry > & get_revoked() const
Definition x509_crl.cpp:203
Botan::X509_CRL::crl_number
uint32_t crl_number() const
Definition x509_crl.cpp:228
Botan::X509_Certificate
Definition x509cert.h:27
Botan::X509_Certificate::subject_dn
const X509_DN & subject_dn() const
Definition x509cert.cpp:414
Botan::X509_Certificate::subject_key_id
const std::vector< uint8_t > & subject_key_id() const
Definition x509cert.cpp:398
Botan::X509_DN
Definition pkix_types.h:41
Botan::X509_Object::choose_sig_format
static std::unique_ptr< PK_Signer > choose_sig_format(const Private_Key &key, RandomNumberGenerator &rng, std::string_view hash_fn, std::string_view padding_algo)
Definition x509_obj.cpp:209
Botan::X509_Object::make_signed
static std::vector< uint8_t > make_signed(PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, std::span< const uint8_t > tbs)
Definition x509_obj.cpp:125
Botan::X509_Time
ASN1_Time X509_Time
Definition asn1_obj.h:23
Generated by doxygen 1.15.0