8#include <botan/x509_ca.h>
10#include <botan/bigint.h>
11#include <botan/der_enc.h>
12#include <botan/pkcs10.h>
13#include <botan/pubkey.h>
14#include <botan/x509_ext.h>
15#include <botan/x509_key.h>
24 std::string_view hash_fn,
25 std::string_view padding_method,
28 if(!m_ca_cert.is_CA_cert()) {
29 throw Invalid_Argument(
"X509_CA: This certificate is not for a CA");
33 m_ca_sig_algo = m_signer->algorithm_identifier();
34 m_hash_fn = m_signer->hash_function();
44 std::string_view hash_fn) {
47 auto key = req.subject_public_key();
48 if(!constraints.compatible_with(*key)) {
49 throw Invalid_Argument(
"The requested key constraints are incompatible with the algorithm");
54 extensions.replace(std::make_unique<Cert_Extension::Basic_Constraints>(req.is_CA(), req.path_length_constraint()),
57 if(!constraints.empty()) {
58 extensions.replace(std::make_unique<Cert_Extension::Key_Usage>(constraints), true);
61 extensions.replace(std::make_unique<Cert_Extension::Authority_Key_ID>(ca_cert.subject_key_id()));
62 extensions.replace(std::make_unique<Cert_Extension::Subject_Key_ID>(req.raw_public_key(), hash_fn));
64 extensions.replace(std::make_unique<Cert_Extension::Subject_Alternative_Name>(req.subject_alt_name()));
66 extensions.replace(std::make_unique<Cert_Extension::Extended_Key_Usage>(req.ex_constraints()));
73 const BigInt& serial_number,
113 const std::vector<uint8_t>& pub_key,
119 const size_t SERIAL_BITS = 128;
120 BigInt serial_no(rng, SERIAL_BITS);
123 signer, rng, serial_no, sig_algo, pub_key, not_before, not_after, issuer_dn, subject_dn, extensions);
133 const std::vector<uint8_t>& pub_key,
139 const size_t X509_CERT_VERSION = 3;
143 signer, rng, sig_algo,
146 .encode(X509_CERT_VERSION-1)
177 return new_crl(rng, std::chrono::system_clock::now(), std::chrono::seconds(next_update));
184 const std::vector<CRL_Entry>& new_revoked,
186 uint32_t next_update)
const {
187 return update_crl(crl, new_revoked, rng, std::chrono::system_clock::now(), std::chrono::seconds(next_update));
191 std::chrono::system_clock::time_point issue_time,
192 std::chrono::seconds next_update)
const {
193 std::vector<CRL_Entry> empty;
194 return make_crl(empty, 1, rng, issue_time, next_update);
198 const std::vector<CRL_Entry>& new_revoked,
200 std::chrono::system_clock::time_point issue_time,
201 std::chrono::seconds next_update)
const {
202 std::vector<CRL_Entry> revoked = last_crl.
get_revoked();
204 std::copy(new_revoked.begin(), new_revoked.end(), std::back_inserter(revoked));
206 return make_crl(revoked, last_crl.
crl_number() + 1, rng, issue_time, next_update);
212X509_CRL X509_CA::make_crl(
const std::vector<CRL_Entry>& revoked,
215 std::chrono::system_clock::time_point issue_time,
216 std::chrono::seconds next_update)
const {
217 const size_t X509_CRL_VERSION = 2;
219 auto expire_time = issue_time + next_update;
222 extensions.
add(std::make_unique<Cert_Extension::Authority_Key_ID>(m_ca_cert.
subject_key_id()));
223 extensions.
add(std::make_unique<Cert_Extension::CRL_Number>(crl_number));
227 *m_signer, rng, m_ca_sig_algo,
229 .encode(X509_CRL_VERSION-1)
230 .encode(m_ca_sig_algo)
234 .encode_if(!revoked.empty(),
237 .encode_list(revoked)
std::vector< std::pair< std::unique_ptr< Certificate_Extension >, bool > > extensions() const
void add(std::unique_ptr< Certificate_Extension > extn, bool critical=false)
static Key_Constraints ca_constraints()
const X509_DN & subject_dn() const
const std::vector< uint8_t > & raw_public_key() const
X509_CRL new_crl(RandomNumberGenerator &rng, std::chrono::system_clock::time_point issue_time, std::chrono::seconds next_update) const
static X509_Certificate make_cert(PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &sig_algo, const std::vector< uint8_t > &pub_key, const X509_Time &not_before, const X509_Time &not_after, const X509_DN &issuer_dn, const X509_DN &subject_dn, const Extensions &extensions)
X509_CRL update_crl(const X509_CRL &last_crl, const std::vector< CRL_Entry > &new_entries, RandomNumberGenerator &rng, std::chrono::system_clock::time_point issue_time, std::chrono::seconds next_update) const
X509_CA(const X509_Certificate &ca_certificate, const Private_Key &key, std::string_view hash_fn, std::string_view padding_method, RandomNumberGenerator &rng)
const AlgorithmIdentifier & algorithm_identifier() const
const X509_Certificate & ca_certificate() const
static Extensions choose_extensions(const PKCS10_Request &req, const X509_Certificate &ca_certificate, std::string_view hash_fn)
X509_Certificate sign_request(const PKCS10_Request &req, RandomNumberGenerator &rng, const X509_Time &not_before, const X509_Time &not_after) const
const std::vector< CRL_Entry > & get_revoked() const
uint32_t crl_number() const
const X509_DN & subject_dn() const
const std::vector< uint8_t > & subject_key_id() const
static std::unique_ptr< PK_Signer > choose_sig_format(const Private_Key &key, RandomNumberGenerator &rng, std::string_view hash_fn, std::string_view padding_algo)
static std::vector< uint8_t > make_signed(PK_Signer &signer, RandomNumberGenerator &rng, const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &tbs)