1 /*
2 * X.509 Certificate Authority
3 * (C) 1999-2008 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #ifndef BOTAN_X509_CA_H_
9 #define BOTAN_X509_CA_H_
10 
11 #include <botan/x509cert.h>
12 #include <botan/x509_crl.h>
13 #include <chrono>
14 
15 #if defined(BOTAN_HAS_SYSTEM_RNG)
16  #include <botan/system_rng.h>
17 #endif
18 
19 namespace Botan {
20 
21 class BigInt;
22 class Private_Key;
23 class PKCS10_Request;
24 class PK_Signer;
25 
26 /**
27 * This class represents X.509 Certificate Authorities (CAs).
28 */
30  {
31  public:
32  /**
33  * Sign a PKCS#10 Request.
34  * @param req the request to sign
35  * @param rng the rng to use
36  * @param not_before the starting time for the certificate
37  * @param not_after the expiration time for the certificate
38  * @return resulting certificate
39  */
40  X509_Certificate sign_request(const PKCS10_Request& req,
42  const X509_Time& not_before,
43  const X509_Time& not_after) const;
44 
45  /**
46  * Sign a PKCS#10 Request.
47  * @param req the request to sign
48  * @param rng the rng to use
49  * @param serial_number the serial number the cert will be assigned.
50  * @param not_before the starting time for the certificate
51  * @param not_after the expiration time for the certificate
52  * @return resulting certificate
53  */
54  X509_Certificate sign_request(const PKCS10_Request& req,
56  const BigInt& serial_number,
57  const X509_Time& not_before,
58  const X509_Time& not_after) const;
59 
60  /**
61  * Get the certificate of this CA.
62  * @return CA certificate
63  */
64  X509_Certificate ca_certificate() const;
65 
66  /**
67  * Create a new and empty CRL for this CA.
68  * @param rng the random number generator to use
69  * @param issue_time the issue time (typically system_clock::now)
70  * @param next_update the time interval after issue_time within which
71  * a new CRL will be produced.
72  * @return new CRL
73  */
74  X509_CRL new_crl(RandomNumberGenerator& rng,
75  std::chrono::system_clock::time_point issue_time,
76  std::chrono::seconds next_update) const;
77 
78  /**
79  * Create a new CRL with additional entries.
80  * @param last_crl the last CRL of this CA to add the new entries to
81  * @param new_entries contains the new CRL entries to be added to the CRL
82  * @param rng the random number generator to use
83  * @param issue_time the issue time (typically system_clock::now)
84  * @param next_update the time interval after issue_time within which
85  * a new CRL will be produced.
86  */
87  X509_CRL update_crl(const X509_CRL& last_crl,
88  const std::vector<CRL_Entry>& new_entries,
90  std::chrono::system_clock::time_point issue_time,
91  std::chrono::seconds next_update) const;
92 
93  /**
94  * Create a new and empty CRL for this CA.
95  * @param rng the random number generator to use
96  * @param next_update the value for nextUpdate, given in seconds
97  * as an offset from the current time
98  * @return new CRL
99  */
100  X509_CRL new_crl(RandomNumberGenerator& rng,
101  uint32_t next_update = 604800) const;
102 
103  /**
104  * Create a new CRL with additional entries.
105  * @param last_crl the last CRL of this CA to add the new entries to
106  * @param new_entries contains the new CRL entries to be added to the CRL
107  * @param rng the random number generator to use
108  * @param next_update the value for nextUpdate, given in seconds
109  * as an offset from the current time
110  */
111  X509_CRL update_crl(const X509_CRL& last_crl,
112  const std::vector<CRL_Entry>& new_entries,
114  uint32_t next_update = 604800) const;
115 
116  /**
117  * Interface for creating new certificates
118  * @param signer a signing object
119  * @param rng a random number generator
120  * @param sig_algo the signature algorithm identifier
121  * @param pub_key the serialized public key
122  * @param not_before the start time of the certificate
123  * @param not_after the end time of the certificate
124  * @param issuer_dn the DN of the issuer
125  * @param subject_dn the DN of the subject
126  * @param extensions an optional list of certificate extensions
127  * @returns newly minted certificate
128  */
129  static X509_Certificate make_cert(PK_Signer* signer,
131  const AlgorithmIdentifier& sig_algo,
132  const std::vector<uint8_t>& pub_key,
133  const X509_Time& not_before,
134  const X509_Time& not_after,
135  const X509_DN& issuer_dn,
136  const X509_DN& subject_dn,
137  const Extensions& extensions);
138 
139  /**
140  * Interface for creating new certificates
141  * @param signer a signing object
142  * @param rng a random number generator
143  * @param serial_number the serial number the cert will be assigned
144  * @param sig_algo the signature algorithm identifier
145  * @param pub_key the serialized public key
146  * @param not_before the start time of the certificate
147  * @param not_after the end time of the certificate
148  * @param issuer_dn the DN of the issuer
149  * @param subject_dn the DN of the subject
150  * @param extensions an optional list of certificate extensions
151  * @returns newly minted certificate
152  */
153  static X509_Certificate make_cert(PK_Signer* signer,
155  const BigInt& serial_number,
156  const AlgorithmIdentifier& sig_algo,
157  const std::vector<uint8_t>& pub_key,
158  const X509_Time& not_before,
159  const X509_Time& not_after,
160  const X509_DN& issuer_dn,
161  const X509_DN& subject_dn,
162  const Extensions& extensions);
163 
164  /**
165  * Create a new CA object.
166  * @param ca_certificate the certificate of the CA
167  * @param key the private key of the CA
168  * @param hash_fn name of a hash function to use for signing
169  * @param rng the random generator to use
170  */
171  X509_CA(const X509_Certificate& ca_certificate,
172  const Private_Key& key,
173  const std::string& hash_fn,
174  RandomNumberGenerator& rng);
175 
176  /**
177  * Create a new CA object.
178  * @param ca_certificate the certificate of the CA
179  * @param key the private key of the CA
180  * @param opts additional options, e.g. padding, as key value pairs
181  * @param hash_fn name of a hash function to use for signing
182  * @param rng the random generator to use
183  */
184  X509_CA(const X509_Certificate& ca_certificate,
185  const Private_Key& key,
186  const std::map<std::string,std::string>& opts,
187  const std::string& hash_fn,
188  RandomNumberGenerator& rng);
189 
190 #if defined(BOTAN_HAS_SYSTEM_RNG)
/**
* Create a new CA object using the library's system RNG (system_rng()).
* Deprecated: prefer the overload that takes a RandomNumberGenerator&,
* so the caller controls which RNG signs with the CA key.
* Only available when BOTAN_HAS_SYSTEM_RNG is defined (see the enclosing #if).
* @param ca_certificate the certificate of the CA
* @param key the private key of the CA
* @param hash_fn name of a hash function to use for signing
*/
191  BOTAN_DEPRECATED("Use version taking RNG object")
192  X509_CA(const X509_Certificate& ca_certificate,
193  const Private_Key& key,
194  const std::string& hash_fn) :
  // Delegating constructor: all setup happens in the RNG-taking overload.
195  X509_CA(ca_certificate, key, hash_fn, system_rng())
196  {}
197 #endif
198 
199  X509_CA(const X509_CA&) = delete;
200  X509_CA& operator=(const X509_CA&) = delete;
201 
202 #if !defined(BOTAN_BUILD_COMPILER_IS_MSVC_2013)
203  X509_CA(X509_CA&&) = default;
204  X509_CA& operator=(X509_CA&&) = default;
205 #endif
206 
207  ~X509_CA();
208 
209  private:
210  X509_CRL make_crl(const std::vector<CRL_Entry>& entries,
211  uint32_t crl_number,
213  std::chrono::system_clock::time_point issue_time,
214  std::chrono::seconds next_update) const;
215 
216  AlgorithmIdentifier m_ca_sig_algo;
217  X509_Certificate m_ca_cert;
218  std::string m_hash_fn;
219  std::unique_ptr<PK_Signer> m_signer;
220  };
221 
222 /**
223 * Choose the default signature format for a certain public key signature
224 * scheme.
225 * @param key will be the key to choose a padding scheme for
226 * @param rng the random generator to use
227 * @param hash_fn is the desired hash function
228 * @param alg_id will be set to the chosen scheme
229 * @return A PK_Signer object for generating signatures
230 */
233  const std::string& hash_fn,
234  AlgorithmIdentifier& alg_id);
235 
236 /**
237 * @verbatim
238 * Choose the default signature format for a certain public key signature
239 * scheme.
240 *
241 * The only option recognized by opts at this moment is "padding"
242 * Find an entry from src/build-data/oids.txt under [signature] of the form
243 * <sig_algo>/<padding>[(<hash_algo>)] and add {"padding",<padding>}
244 * to opts.
245 * @endverbatim
246 *
247 * @param key will be the key to choose a padding scheme for
248 * @param opts contains additional options for building the certificate
249 * @param rng the random generator to use
250 * @param hash_fn is the desired hash function
251 * @param alg_id will be set to the chosen scheme
252 * @return A PK_Signer object for generating signatures
253 */
255  const std::map<std::string,std::string>& opts,
257  const std::string& hash_fn,
258  AlgorithmIdentifier& alg_id);
259 
260 }
261 
262 #endif