1 /*
2 * X.509 Certificate Authority
3 * (C) 1999-2008 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #ifndef BOTAN_X509_CA_H_
9 #define BOTAN_X509_CA_H_
10 
11 #include <botan/x509cert.h>
12 #include <botan/x509_crl.h>
13 #include <chrono>
14 #include <map>
15 
16 #if defined(BOTAN_HAS_SYSTEM_RNG)
17  #include <botan/system_rng.h>
18 #endif
19 
20 namespace Botan {
21 
// Forward declarations: the rest of this header uses these types only by
// reference, pointer or std::unique_ptr, so their full definitions are not
// needed here (the .cpp pulls them in).
22 class BigInt;
23 class Private_Key;
24 class PKCS10_Request;
25 class PK_Signer;
26 
27 /**
28 * This class represents an X.509 Certificate Authority (CA). It holds the CA certificate and a PK_Signer for the CA's private key, and uses them to issue certificates from PKCS#10 requests (sign_request) or from raw components (make_cert), and to create and update CRLs (new_crl / update_crl).
29 */
31  {
32  public:
33  /**
34  * Sign a PKCS#10 Request.
    *
    * Issues a certificate for the subject and public key in @p req, signed
    * (presumably through this object's stored PK_Signer; the method is const
    * and takes no key) and valid from @p not_before to @p not_after. This
    * overload takes no serial number from the caller; see the overload below.
    *
    * NOTE(review): @p rng is most likely what generates the serial number
    * here (the sibling overload accepts serial_number instead) — confirm in
    * x509_ca.cpp. A CA-chosen random serial is the recommended practice: it
    * keeps the to-be-signed bytes unpredictable to the requester.
    * NOTE(review): nothing in this declaration shows whether the request's
    * self-signature (proof of possession) is verified or which requested
    * extensions are copied into the certificate. Treat @p req as
    * attacker-controlled input and check the behaviour in x509_ca.cpp before
    * signing requests from untrusted parties.
35  * @param req the request to sign
36  * @param rng the rng to use
37  * @param not_before the starting time for the certificate
38  * @param not_after the expiration time for the certificate
39  * @return the newly issued, signed certificate
40  */
41  X509_Certificate sign_request(const PKCS10_Request& req,
43  const X509_Time& not_before,
44  const X509_Time& not_after) const;
45 
46  /**
47  * Sign a PKCS#10 Request.
    *
    * Same as the overload above, but the caller supplies the certificate's
    * serial number instead of leaving it to the CA.
    *
    * NOTE(review): with this overload the caller takes over the CA's
    * responsibility for the serial: RFC 5280 §4.1.2.2 requires a positive
    * integer, unique per issuer, of at most 20 octets. Nothing visible here
    * enforces uniqueness, and a reused serial breaks revocation (CRL entries
    * are keyed by serial). Predictable serials (e.g. sequential counters)
    * also make the signed bytes guessable, which chosen-prefix collision
    * attacks against weak hashes exploited; prefer serials carrying at least
    * 64 bits of CSPRNG output, as public CAs are required to.
48  * @param req the request to sign
49  * @param rng the rng to use
50  * @param serial_number the serial number the cert will be assigned.
51  * @param not_before the starting time for the certificate
52  * @param not_after the expiration time for the certificate
53  * @return the newly issued, signed certificate
54  */
55  X509_Certificate sign_request(const PKCS10_Request& req,
57  const BigInt& serial_number,
58  const X509_Time& not_before,
59  const X509_Time& not_after) const;
60 
61  /**
62  * Get the certificate of this CA.
    *
    * Returned by value, so the caller receives its own copy (presumably of
    * the m_ca_cert member) and cannot alter the CA's stored certificate
    * through it.
63  * @return a copy of the CA certificate
64  */
65  X509_Certificate ca_certificate() const;
66 
67  /**
68  * Create a new and empty CRL for this CA.
    *
    * The CRL carries no revocation entries and is signed by this CA.
    * @p next_update is relative to @p issue_time (presumably thisUpdate =
    * issue_time and nextUpdate = issue_time + next_update — confirm in
    * x509_ca.cpp). Relying parties treat a CRL past its nextUpdate as stale,
    * so choose an interval no longer than the one at which you really
    * re-issue.
    * NOTE(review): the CRL number assigned to a fresh CRL is not visible
    * here (see the private make_crl's crl_number parameter); confirm it does
    * not collide with CRLs this CA issued earlier, since RFC 5280 §5.2.3
    * wants CRL numbers to increase monotonically.
69  * @param rng the random number generator to use
70  * @param issue_time the issue time (typically system_clock::now)
71  * @param next_update the time interval after issue_time within which
72  * a new CRL will be produced.
73  * @return new CRL
74  */
75  X509_CRL new_crl(RandomNumberGenerator& rng,
76  std::chrono::system_clock::time_point issue_time,
77  std::chrono::seconds next_update) const;
78 
79  /**
80  * Create a new CRL with additional entries.
    *
    * Produces a successor to @p last_crl: the entries already in
    * @p last_crl are carried forward and @p new_entries are appended, then
    * the result is signed by this CA with the given issue time and
    * next-update interval.
    * NOTE(review): @p last_crl is expected to be a CRL this CA itself
    * issued. The header does not show whether its issuer or signature is
    * checked against m_ca_cert, nor how the new CRL number is derived from
    * last_crl's — pass only CRLs you issued, and confirm in x509_ca.cpp that
    * the CRL number strictly increases (RFC 5280 §5.2.3).
81  * @param last_crl the last CRL of this CA to add the new entries to
82  * @param new_entries contains the new CRL entries to be added to the CRL
83  * @param rng the random number generator to use
84  * @param issue_time the issue time (typically system_clock::now)
85  * @param next_update the time interval after issue_time within which
86  * a new CRL will be produced.
    * @return the new CRL holding last_crl's entries plus new_entries
87  */
88  X509_CRL update_crl(const X509_CRL& last_crl,
89  const std::vector<CRL_Entry>& new_entries,
91  std::chrono::system_clock::time_point issue_time,
92  std::chrono::seconds next_update) const;
93 
94  /**
95  * Create a new and empty CRL for this CA.
    *
    * Convenience overload of the std::chrono version above: the issue time
    * is presumably taken from the current clock, and the next-update
    * interval is a plain second count. The default of 604800 seconds is
    * 7 days; pick a value no longer than your real re-issue interval, since
    * relying parties treat a CRL past nextUpdate as stale.
96  * @param rng the random number generator to use
97  * @param next_update the time to set in next update in seconds
98  * as the offset from the current time
99  * @return new CRL
100  */
101  X509_CRL new_crl(RandomNumberGenerator& rng,
102  uint32_t next_update = 604800) const;
103 
104  /**
105  * Create a new CRL with additional entries.
    *
    * Convenience overload of the std::chrono version above: the issue time
    * is presumably the current clock time and @p next_update is a plain
    * second count (default 604800 seconds = 7 days). The entries of
    * @p last_crl are carried forward and @p new_entries are appended.
    * NOTE(review): pass only CRLs this CA itself issued; whether last_crl's
    * issuer is checked, and how the new CRL number is derived, is not
    * visible in this header.
106  * @param last_crl the last CRL of this CA to add the new entries to
107  * @param new_entries contains the new CRL entries to be added to the CRL
108  * @param rng the random number generator to use
109  * @param next_update the time to set in next update in seconds
110  * as the offset from the current time
    * @return the new CRL holding last_crl's entries plus new_entries
111  */
112  X509_CRL update_crl(const X509_CRL& last_crl,
113  const std::vector<CRL_Entry>& new_entries,
115  uint32_t next_update = 604800) const;
116 
117  /**
118  * Interface for creating new certificates
    *
    * Low-level static entry point: assembles a certificate from its raw
    * components and signs it with the supplied @p signer, without going
    * through a PKCS#10 request or this object's stored key and certificate
    * (sign_request presumably builds on this). No serial number is taken by
    * this overload; see the one below.
    *
    * NOTE(review): @p signer is a raw pointer and ownership is not
    * documented — presumably borrowed for the duration of the call; confirm.
    * NOTE(review): the encoding expected in @p pub_key is not stated here —
    * presumably a DER-encoded SubjectPublicKeyInfo; confirm in x509_ca.cpp.
    * @p sig_algo is written into the certificate and must describe the
    * algorithm and padding @p signer actually uses; a mismatch is not visibly
    * checked here and yields a certificate that fails verification.
    * @p issuer_dn, @p subject_dn and @p extensions are used as given. This is
    * where a CA decides Basic Constraints and Key Usage, so never pass
    * extensions copied unfiltered from an untrusted request: a
    * cA=TRUE Basic Constraints would mint an intermediate CA.
119  * @param signer a signing object
120  * @param rng a random number generator
121  * @param sig_algo the signature algorithm identifier
122  * @param pub_key the serialized public key
123  * @param not_before the start time of the certificate
124  * @param not_after the end time of the certificate
125  * @param issuer_dn the DN of the issuer
126  * @param subject_dn the DN of the subject
127  * @param extensions an optional list of certificate extensions
128  * @returns newly minted certificate
129  */
130  static X509_Certificate make_cert(PK_Signer* signer,
132  const AlgorithmIdentifier& sig_algo,
133  const std::vector<uint8_t>& pub_key,
134  const X509_Time& not_before,
135  const X509_Time& not_after,
136  const X509_DN& issuer_dn,
137  const X509_DN& subject_dn,
138  const Extensions& extensions);
139 
140  /**
141  * Interface for creating new certificates
    *
    * Same as the overload above, but the caller supplies the serial number.
    *
    * NOTE(review): the caller is then responsible for the serial's
    * properties: RFC 5280 §4.1.2.2 requires a positive integer, unique per
    * issuer, of at most 20 octets, and nothing visible here enforces
    * uniqueness. Reusing a serial breaks revocation; predictable serials
    * make the signed bytes guessable, so prefer ones with at least 64 bits
    * of CSPRNG output.
    * NOTE(review): @p signer ownership and the encoding of @p pub_key are
    * not documented here (presumably borrowed pointer and DER
    * SubjectPublicKeyInfo — confirm). @p sig_algo must match what @p signer
    * actually produces, and @p extensions are used as given, so Basic
    * Constraints / Key Usage must be set deliberately by the caller rather
    * than copied from an untrusted request.
142  * @param signer a signing object
143  * @param rng a random number generator
144  * @param serial_number the serial number the cert will be assigned
145  * @param sig_algo the signature algorithm identifier
146  * @param pub_key the serialized public key
147  * @param not_before the start time of the certificate
148  * @param not_after the end time of the certificate
149  * @param issuer_dn the DN of the issuer
150  * @param subject_dn the DN of the subject
151  * @param extensions an optional list of certificate extensions
152  * @returns newly minted certificate
153  */
154  static X509_Certificate make_cert(PK_Signer* signer,
156  const BigInt& serial_number,
157  const AlgorithmIdentifier& sig_algo,
158  const std::vector<uint8_t>& pub_key,
159  const X509_Time& not_before,
160  const X509_Time& not_after,
161  const X509_DN& issuer_dn,
162  const X509_DN& subject_dn,
163  const Extensions& extensions);
164 
165  /**
166  * Create a new CA object.
    *
    * Stores @p ca_certificate and sets up the signer (m_signer) and the
    * signature AlgorithmIdentifier (m_ca_sig_algo) for @p key and
    * @p hash_fn — presumably via the choose_sig_format function declared at
    * the end of this header, which picks a padding scheme by key type.
    *
    * Security: the hash named by @p hash_fn bounds the collision resistance
    * of every certificate and CRL this CA issues. Nothing visible in this
    * header rejects weak choices; do not use "MD5" or "SHA-1", as
    * chosen-prefix collisions against both have been used to forge CA
    * certificates. A Botan name such as "SHA-256" or stronger is expected.
    * NOTE(review): the header does not show whether @p key is checked to
    * correspond to @p ca_certificate's public key, nor whether m_signer
    * copies the key material or keeps a reference to @p key (which would
    * make the key's lifetime the caller's problem) — confirm both in
    * x509_ca.cpp.
167  * @param ca_certificate the certificate of the CA
168  * @param key the private key of the CA
169  * @param hash_fn name of a hash function to use for signing
170  * @param rng the random generator to use
171  */
172  X509_CA(const X509_Certificate& ca_certificate,
173  const Private_Key& key,
174  const std::string& hash_fn,
175  RandomNumberGenerator& rng);
176 
177  /**
178  * Create a new CA object.
    *
    * Same as the constructor above, but @p opts lets the caller influence
    * how the signer is built. The only documented key is "padding" (see the
    * opts-taking choose_sig_format at the end of this header for where the
    * accepted values come from); whether unknown keys are ignored or
    * rejected is not visible here.
    *
    * Security: as with the constructor above, @p hash_fn must be a
    * collision-resistant hash (not "MD5" or "SHA-1"); nothing visible here
    * rejects weak choices. The padding chosen through @p opts is encoded in
    * the signature AlgorithmIdentifier of everything this CA issues, so it
    * must be one that your relying parties accept.
179  * @param ca_certificate the certificate of the CA
180  * @param key the private key of the CA
181  * @param opts additional options, e.g. padding, as key value pairs
182  * @param hash_fn name of a hash function to use for signing
183  * @param rng the random generator to use
184  */
185  X509_CA(const X509_Certificate& ca_certificate,
186  const Private_Key& key,
187  const std::map<std::string,std::string>& opts,
188  const std::string& hash_fn,
189  RandomNumberGenerator& rng);
190 
191 #if defined(BOTAN_HAS_SYSTEM_RNG)
    /**
    * Deprecated convenience constructor: delegates to the four-argument
    * constructor above, supplying the library's system_rng(). Only compiled
    * when the build provides a system RNG (BOTAN_HAS_SYSTEM_RNG). New code
    * should pass its RandomNumberGenerator explicitly.
    */
192  BOTAN_DEPRECATED("Use version taking RNG object")
193  X509_CA(const X509_Certificate& ca_certificate,
194  const Private_Key& key,
195  const std::string& hash_fn) :
196  X509_CA(ca_certificate, key, hash_fn, system_rng())
197  {}
198 #endif
199 
    // Non-copyable: the CA holds its signer in a std::unique_ptr (m_signer),
    // and duplicating a signing context is presumably not something the
    // class wants to support, so copying is disabled rather than defaulted.
200  X509_CA(const X509_CA&) = delete;
201  X509_CA& operator=(const X509_CA&) = delete;
202
    // Movable: the defaulted moves transfer every member. After a move the
    // source's m_signer is null (unique_ptr move semantics), so a moved-from
    // CA must not be used to issue anything.
203  X509_CA(X509_CA&&) = default;
204  X509_CA& operator=(X509_CA&&) = default;
205
    // Declared out of line, presumably because PK_Signer is only
    // forward-declared in this header and the std::unique_ptr<PK_Signer>
    // member needs the complete type at the point of destruction.
206  ~X509_CA();
207 
208  private:
    // Private worker presumably shared by new_crl and update_crl: builds and
    // signs a CRL carrying `entries` and the CRL number `crl_number`, with
    // `issue_time` as the issue time and `next_update` as the interval to
    // the next expected CRL.
    // NOTE(review): this function cannot know the CA's previous CRL numbers;
    // whoever computes `crl_number` must keep it strictly increasing across
    // everything this CA issues (RFC 5280 §5.2.3).
209  X509_CRL make_crl(const std::vector<CRL_Entry>& entries,
210  uint32_t crl_number,
212  std::chrono::system_clock::time_point issue_time,
213  std::chrono::seconds next_update) const;
214 
    // Signature AlgorithmIdentifier placed in issued certificates and CRLs;
    // presumably the alg_id out-parameter filled in by choose_sig_format.
215  AlgorithmIdentifier m_ca_sig_algo;
    // The CA's own certificate, as passed to the constructor; returned by
    // ca_certificate() and (presumably) the source of the issuer DN.
216  X509_Certificate m_ca_cert;
    // Name of the hash function given to the constructor.
217  std::string m_hash_fn;
    // Owning handle to the signer built from the CA private key. PK_Signer
    // is only forward-declared above, which is why ~X509_CA is defined out
    // of line.
218  std::unique_ptr<PK_Signer> m_signer;
219  };
220 
221 /**
222 * Choose the default signature format for a certain public key signature
223 * scheme.
    *
    * Builds a PK_Signer for @p key using @p hash_fn and a padding scheme
    * selected by key type, and reports the resulting signature
    * AlgorithmIdentifier through @p alg_id — this is what ends up in the
    * signatureAlgorithm field of what the signer signs (presumably stored
    * as X509_CA::m_ca_sig_algo).
    *
    * NOTE(review): the signer is returned as a raw PK_Signer* and ownership
    * is not documented. X509_CA keeps its signer in a std::unique_ptr, so the
    * caller most likely owns the result; wrap it in std::unique_ptr
    * immediately so it is not leaked on an exception path.
    * NOTE(review): nothing visible here rejects a weak @p hash_fn ("MD5",
    * "SHA-1"); signatures made with such a signer are forgeable via
    * chosen-prefix collisions, so callers must choose a collision-resistant
    * hash.
224 * @param key will be the key to choose a padding scheme for
225 * @param rng the random generator to use
226 * @param hash_fn is the desired hash function
227 * @param alg_id will be set to the chosen scheme
228 * @return A PK_Signer object for generating signatures
229 */
232  const std::string& hash_fn,
233  AlgorithmIdentifier& alg_id);
234 
235 /**
236 * @verbatim
237 * Choose the default signature format for a certain public key signature
238 * scheme.
239 *
240 * The only option recognized by opts at this moment is "padding"
241 * Find an entry from src/build-data/oids.txt under [signature] of the form
242 * <sig_algo>/<padding>[(<hash_algo>)] and add {"padding",<padding>}
243 * to opts.
244 * @endverbatim
245 *
    * Same as the choose_sig_format overload above, but @p opts lets the
    * caller override the padding scheme instead of taking the default for
    * the key type. The chosen padding is encoded into @p alg_id and thus
    * into the signatureAlgorithm of everything signed with the returned
    * signer, so it must be one your relying parties accept. Whether keys in
    * @p opts other than "padding" are ignored or rejected is not visible
    * here — confirm in x509_ca.cpp.
    *
    * NOTE(review): the result is a raw PK_Signer* with undocumented
    * ownership; X509_CA stores its signer in a std::unique_ptr, so the caller
    * most likely owns it — wrap it immediately to avoid leaks.
    * NOTE(review): nothing visible here rejects a weak @p hash_fn; do not
    * use "MD5" or "SHA-1" for anything a relying party will trust.
246 * @param key will be the key to choose a padding scheme for
247 * @param opts contains additional options for building the certificate
248 * @param rng the random generator to use
249 * @param hash_fn is the desired hash function
250 * @param alg_id will be set to the chosen scheme
251 * @return A PK_Signer object for generating signatures
252 */
254  const std::map<std::string,std::string>& opts,
256  const std::string& hash_fn,
257  AlgorithmIdentifier& alg_id);
258 
259 }
260 
261 #endif