1/*
2* X.509 Certificate Authority
3* (C) 1999-2008 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#ifndef BOTAN_X509_CA_H_
9#define BOTAN_X509_CA_H_
10
11#include <botan/x509cert.h>
12#include <botan/x509_crl.h>
13#include <chrono>
14#include <map>
15
16namespace Botan {
17
18class RandomNumberGenerator;
19class BigInt;
20class Private_Key;
21class PKCS10_Request;
22class PK_Signer;
23
24/**
25* An interface capable of creating new X.509 certificates
26*/
28 {
29 public:
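   /**
   * Return the algorithm identifier used to identify signatures that
   * this CA will create.
   *
   * Returned by const reference, consistent with ca_certificate() and
   * hash_function(); the reference refers to a member of this object and
   * stays valid for as long as the X509_CA itself is alive. Callers that
   * need an independent copy can still initialise a value from it.
   */
   const AlgorithmIdentifier& algorithm_identifier() const { return m_ca_sig_algo; }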
35
   /**
   * Return the CA's certificate.
   *
   * The reference refers to a member of this object and remains valid
   * for as long as the X509_CA itself is alive.
   */
   const X509_Certificate& ca_certificate() const
      {
      return m_ca_cert;
      }
40
   /**
   * Return the name of the hash function the CA is using to sign with.
   *
   * The reference refers to a member of this object and remains valid
   * for as long as the X509_CA itself is alive.
   */
   const std::string& hash_function() const
      {
      return m_hash_fn;
      }
45
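   /**
   * Return the signature object this CA uses to sign with.
   *
   * The returned PK_Signer is the one that can be handed to make_cert(),
   * which takes a PK_Signer& as its first argument. Any signature produced
   * through it carries the authority of the CA key, so hand the reference
   * out with the same care as the key itself.
   *
   * m_signer is dereferenced without a null check: call this only on a
   * fully constructed object that has not been moved from.
   */
   PK_Signer& signature_op() { return *m_signer; }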
50
51 /**
52 * Sign a PKCS#10 Request.
53 * @param req the request to sign
54 * @param rng the rng to use
55 * @param not_before the starting time for the certificate
56 * @param not_after the expiration time for the certificate
57 * @return resulting certificate
58 */
59 X509_Certificate sign_request(const PKCS10_Request& req,
61 const X509_Time& not_before,
62 const X509_Time& not_after) const;
63
64 /**
65 * Sign a PKCS#10 Request.
66 * @param req the request to sign
67 * @param rng the rng to use
68 * @param serial_number the serial number the cert will be assigned.
69 * @param not_before the starting time for the certificate
70 * @param not_after the expiration time for the certificate
71 * @return resulting certificate
72 */
73 X509_Certificate sign_request(const PKCS10_Request& req,
75 const BigInt& serial_number,
76 const X509_Time& not_before,
77 const X509_Time& not_after) const;
78
79 /**
80 * Create a new and empty CRL for this CA.
81 * @param rng the random number generator to use
82 * @param issue_time the issue time (typically system_clock::now)
 * @param next_update the time interval after issue_time within which
 * a new CRL will be produced.
85 * @return new CRL
86 */
88 std::chrono::system_clock::time_point issue_time,
89 std::chrono::seconds next_update) const;
90
91 /**
 * Create a new CRL with additional entries.
93 * @param last_crl the last CRL of this CA to add the new entries to
94 * @param new_entries contains the new CRL entries to be added to the CRL
95 * @param rng the random number generator to use
96 * @param issue_time the issue time (typically system_clock::now)
 * @param next_update the time interval after issue_time within which
 * a new CRL will be produced.
99 */
100 X509_CRL update_crl(const X509_CRL& last_crl,
101 const std::vector<CRL_Entry>& new_entries,
103 std::chrono::system_clock::time_point issue_time,
104 std::chrono::seconds next_update) const;
105
106 /**
107 * Create a new and empty CRL for this CA.
108 * @param rng the random number generator to use
109 * @param next_update the time to set in next update in seconds
110 * as the offset from the current time
111 * @return new CRL
112 */
113 X509_CRL new_crl(RandomNumberGenerator& rng,
114 uint32_t next_update = 604800) const;
115
116 /**
 * Create a new CRL with additional entries.
118 * @param last_crl the last CRL of this CA to add the new entries to
119 * @param new_entries contains the new CRL entries to be added to the CRL
120 * @param rng the random number generator to use
 * @param next_update the time to set in next update, given in seconds
 * as the offset from the current time (the default, 604800, is seven days)
 */
124 X509_CRL update_crl(const X509_CRL& last_crl,
125 const std::vector<CRL_Entry>& new_entries,
127 uint32_t next_update = 604800) const;
128
129 /**
130 * Return the set of extensions that will be used for a certificate.
131 *
132 * This is a helper method that is used internally. It is also exposed
133 * so you can call it directly and then modify the extensions before
134 * creating a certificate using X509_CA::make_cert.
135 */
136 static Extensions choose_extensions(const PKCS10_Request& req,
137 const X509_Certificate& ca_certificate,
138 std::string_view hash_fn);
139
140 /**
141 * Interface for creating new certificates
142 * @param signer a signing object
143 * @param rng a random number generator
144 * @param sig_algo the signature algorithm identifier
145 * @param pub_key the serialized public key
146 * @param not_before the start time of the certificate
147 * @param not_after the end time of the certificate
148 * @param issuer_dn the DN of the issuer
149 * @param subject_dn the DN of the subject
150 * @param extensions an optional list of certificate extensions
151 * @returns newly minted certificate
152 */
153 static X509_Certificate make_cert(PK_Signer& signer,
155 const AlgorithmIdentifier& sig_algo,
156 const std::vector<uint8_t>& pub_key,
157 const X509_Time& not_before,
158 const X509_Time& not_after,
159 const X509_DN& issuer_dn,
160 const X509_DN& subject_dn,
161 const Extensions& extensions);
162
163 /**
164 * Interface for creating new certificates
165 * @param signer a signing object
166 * @param rng a random number generator
167 * @param serial_number the serial number the cert will be assigned
168 * @param sig_algo the signature algorithm identifier
169 * @param pub_key the serialized public key
170 * @param not_before the start time of the certificate
171 * @param not_after the end time of the certificate
172 * @param issuer_dn the DN of the issuer
173 * @param subject_dn the DN of the subject
174 * @param extensions an optional list of certificate extensions
175 * @returns newly minted certificate
176 */
177 static X509_Certificate make_cert(PK_Signer& signer,
179 const BigInt& serial_number,
180 const AlgorithmIdentifier& sig_algo,
181 const std::vector<uint8_t>& pub_key,
182 const X509_Time& not_before,
183 const X509_Time& not_after,
184 const X509_DN& issuer_dn,
185 const X509_DN& subject_dn,
186 const Extensions& extensions);
187
188 /**
189 * Create a new CA object with custom padding option
190 *
191 * This is mostly useful for creating RSA-PSS certificates
192 *
193 * @param ca_certificate the certificate of the CA
194 * @param key the private key of the CA
195 * @param hash_fn name of a hash function to use for signing
 * @param padding_method name of the signature padding method to use; the
 * constructor without this parameter passes an empty string here
197 * @param rng the random generator to use
198 */
199 X509_CA(const X509_Certificate& ca_certificate,
200 const Private_Key& key,
201 std::string_view hash_fn,
202 std::string_view padding_method,
204
   /**
   * Create a new CA object without naming a padding method.
   *
   * Equivalent to the five-argument constructor called with an empty
   * padding_method string.
   *
   * @param ca_certificate the certificate of the CA
   * @param key the private key of the CA
   * @param hash_fn name of a hash function to use for signing
   * @param rng the random generator to use
   */
   X509_CA(const X509_Certificate& ca_certificate,
           const Private_Key& key,
           std::string_view hash_fn,
           RandomNumberGenerator& rng) :
      X509_CA(ca_certificate, key, hash_fn, "", rng) {}
221
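   /**
   * Create a new CA object (deprecated form taking options as a map).
   *
   * Only the "padding" key of opts is consulted; its value is forwarded as
   * the padding_method of the five-argument constructor. When the key is
   * absent an empty string is forwarded instead, exactly as the constructor
   * without a padding argument does, so callers of this older API that
   * never set a padding option no longer fail with std::out_of_range.
   *
   * @param ca_certificate the certificate of the CA
   * @param key the private key of the CA
   * @param opts additional options, e.g. padding, as key value pairs
   * @param hash_fn name of a hash function to use for signing
   * @param rng the random generator to use
   */
   BOTAN_DEPRECATED("Use version taking padding as an explicit arg")
   X509_CA(const X509_Certificate& ca_certificate,
           const Private_Key& key,
           const std::map<std::string,std::string>& opts,
           std::string_view hash_fn,
           RandomNumberGenerator& rng) :
      X509_CA(ca_certificate,
              key,
              hash_fn,
              // Look the key up instead of opts.at(): a missing "padding"
              // entry means "default padding", not a programming error.
              [&]() -> std::string_view {
                 const auto it = opts.find("padding");
                 return (it == opts.end()) ? std::string_view("") : std::string_view(it->second);
              }(),
              rng) {}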
237
   // Copying is disabled: the signer is held through a std::unique_ptr
   // (m_signer), which cannot be copied, so the CA object is move-only.
   X509_CA(const X509_CA&) = delete;
   X509_CA& operator=(const X509_CA&) = delete;

   // Defaulted moves transfer m_ca_sig_algo, m_ca_cert, m_hash_fn and
   // m_signer member-wise. The moved-from object's m_signer is then null,
   // and signature_op() dereferences it without a check, so a moved-from
   // X509_CA must not be used for signing.
   X509_CA(X509_CA&&) = default;
   X509_CA& operator=(X509_CA&&) = default;
243
245
246 private:
247 X509_CRL make_crl(const std::vector<CRL_Entry>& entries,
248 uint32_t crl_number,
250 std::chrono::system_clock::time_point issue_time,
251 std::chrono::seconds next_update) const;
252
   // Identifier of the signature algorithm this CA produces; returned by
   // algorithm_identifier().
   AlgorithmIdentifier m_ca_sig_algo;
   // The CA's own certificate; returned by ca_certificate().
   X509_Certificate m_ca_cert;
   // Name of the hash function used for signing; returned by hash_function().
   std::string m_hash_fn;
   // Signing object, dereferenced by signature_op() without a null check.
   // Presumably created from the private key given to the constructor (the
   // constructor body is not in this header — confirm in x509_ca.cpp).
   // Holding it in a unique_ptr is what makes the class non-copyable.
   std::unique_ptr<PK_Signer> m_signer;
257 };
258
259}
260
261#endif