1 /*
2 * X.509 Certificate Authority
3 * (C) 1999-2008 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #ifndef BOTAN_X509_CA_H_
9 #define BOTAN_X509_CA_H_
10 
11 #include <botan/x509cert.h>
12 #include <botan/x509_crl.h>
13 #include <chrono>
14 
15 #if defined(BOTAN_HAS_SYSTEM_RNG)
16  #include <botan/system_rng.h>
17 #endif
18 
19 namespace Botan {
20 
21 class BigInt;
22 class Private_Key;
23 class PKCS10_Request;
24 class PK_Signer;
25 
26 /**
27 * This class represents X.509 Certificate Authorities (CAs).
28 */
30  {
31  public:
/**
* Sign a PKCS#10 Request, with the CA choosing the serial number.
*
* NOTE(review): this rendering dropped the `RandomNumberGenerator& rng`
* parameter line between req and not_before; the @param below documents it.
* @param req the request to sign
* @param rng the rng to use. Since no serial number is passed in, the serial
*   is presumably drawn from this rng (confirm in x509_ca.cpp); a certificate
*   serial must be unique for this issuer and should be unpredictable, so
*   supply a properly seeded, cryptographically secure generator.
* @param not_before the starting time for the certificate
* @param not_after the expiration time for the certificate
* @return resulting certificate
*/
X509_Certificate sign_request(const PKCS10_Request& req,
                              const X509_Time& not_before,
                              const X509_Time& not_after) const;
44 
/**
* Sign a PKCS#10 Request using a caller-supplied serial number.
*
* NOTE(review): this rendering dropped the `RandomNumberGenerator& rng`
* parameter line between req and serial_number; the @param below documents it.
* @param req the request to sign
* @param rng the rng to use
* @param serial_number the serial number the cert will be assigned. The
*   caller is responsible for keeping it unique among everything this CA
*   issues: CRL entries identify revoked certificates by serial, so a reused
*   serial makes revocation ambiguous.
* @param not_before the starting time for the certificate
* @param not_after the expiration time for the certificate
* @return resulting certificate
*/
X509_Certificate sign_request(const PKCS10_Request& req,
                              const BigInt& serial_number,
                              const X509_Time& not_before,
                              const X509_Time& not_after) const;
59 
/**
* Get the certificate of this CA.
* @return CA certificate, returned by value (presumably a copy of m_ca_cert)
*/
X509_Certificate ca_certificate() const;
65 
/**
* Create a new and empty CRL for this CA.
* @param rng the random number generator to use
* @param issue_time the issue time (typically system_clock::now)
* @param next_update the time interval after issue_time within which
*   a new CRL will be produced. Relying parties typically treat a CRL whose
*   nextUpdate has passed as stale, so keep this consistent with how often
*   the CA actually re-issues.
* @return new CRL
*/
X509_CRL new_crl(RandomNumberGenerator& rng,
                 std::chrono::system_clock::time_point issue_time,
                 std::chrono::seconds next_update) const;
77 
/**
* Create a new CRL with additional entries.
*
* NOTE(review): this rendering dropped the `RandomNumberGenerator& rng`
* parameter line between new_entries and issue_time; the @param below
* documents it.
* @param last_crl the last CRL of this CA to add the new entries to
* @param new_entries contains the new CRL entries to be added to the CRL
* @param rng the random number generator to use
* @param issue_time the issue time (typically system_clock::now)
* @param next_update the time interval after issue_time within which
*   a new CRL will be produced.
* @return the new CRL, carrying the entries of last_crl plus new_entries
*/
X509_CRL update_crl(const X509_CRL& last_crl,
                    const std::vector<CRL_Entry>& new_entries,
                    std::chrono::system_clock::time_point issue_time,
                    std::chrono::seconds next_update) const;
92 
/**
* Create a new and empty CRL for this CA, issued at the current time.
* @param rng the random number generator to use
* @param next_update the time to set in next update in seconds
*   as the offset from the current time; the default of 604800 seconds
*   is seven days.
* @return new CRL
*/
X509_CRL new_crl(RandomNumberGenerator& rng,
                 uint32_t next_update = 604800) const;
102 
/**
* Create a new CRL with additional entries, issued at the current time.
*
* NOTE(review): this rendering dropped the `RandomNumberGenerator& rng`
* parameter line between new_entries and next_update; the @param below
* documents it.
* @param last_crl the last CRL of this CA to add the new entries to
* @param new_entries contains the new CRL entries to be added to the CRL
* @param rng the random number generator to use
* @param next_update the time to set in next update in seconds
*   as the offset from the current time; the default of 604800 seconds
*   is seven days.
* @return the new CRL, carrying the entries of last_crl plus new_entries
*/
X509_CRL update_crl(const X509_CRL& last_crl,
                    const std::vector<CRL_Entry>& new_entries,
                    uint32_t next_update = 604800) const;
115 
/**
* Interface for creating new certificates, with the serial number chosen
* by the implementation.
*
* NOTE(review): this rendering dropped the `RandomNumberGenerator& rng`
* parameter line between signer and sig_algo; the @param below documents it.
* @param signer a signing object, passed as a raw pointer; this call
*   presumably only borrows it and the caller retains ownership — confirm
*   in x509_ca.cpp
* @param rng a random number generator; with no serial_number parameter the
*   serial is presumably derived from it (confirm), so it must be a seeded,
*   cryptographically secure generator
* @param sig_algo the signature algorithm identifier; presumably recorded in
*   the certificate, so it must describe what signer actually produces
* @param pub_key the serialized public key
* @param not_before the start time of the certificate
* @param not_after the end time of the certificate
* @param issuer_dn the DN of the issuer
* @param subject_dn the DN of the subject
* @param extensions the certificate extensions to include (may be empty)
* @returns newly minted certificate
*/
static X509_Certificate make_cert(PK_Signer* signer,
                                  const AlgorithmIdentifier& sig_algo,
                                  const std::vector<uint8_t>& pub_key,
                                  const X509_Time& not_before,
                                  const X509_Time& not_after,
                                  const X509_DN& issuer_dn,
                                  const X509_DN& subject_dn,
                                  const Extensions& extensions);
138 
/**
* Interface for creating new certificates with a caller-supplied serial.
*
* NOTE(review): this rendering dropped the `RandomNumberGenerator& rng`
* parameter line between signer and serial_number; the @param below
* documents it.
* @param signer a signing object, passed as a raw pointer; this call
*   presumably only borrows it and the caller retains ownership — confirm
*   in x509_ca.cpp
* @param rng a random number generator
* @param serial_number the serial number the cert will be assigned; the
*   caller must keep it unique per issuer, since CRL entries identify
*   revoked certificates by serial
* @param sig_algo the signature algorithm identifier; presumably recorded in
*   the certificate, so it must describe what signer actually produces
* @param pub_key the serialized public key
* @param not_before the start time of the certificate
* @param not_after the end time of the certificate
* @param issuer_dn the DN of the issuer
* @param subject_dn the DN of the subject
* @param extensions the certificate extensions to include (may be empty)
* @returns newly minted certificate
*/
static X509_Certificate make_cert(PK_Signer* signer,
                                  const BigInt& serial_number,
                                  const AlgorithmIdentifier& sig_algo,
                                  const std::vector<uint8_t>& pub_key,
                                  const X509_Time& not_before,
                                  const X509_Time& not_after,
                                  const X509_DN& issuer_dn,
                                  const X509_DN& subject_dn,
                                  const Extensions& extensions);
163 
/**
* Create a new CA object.
* @param ca_certificate the certificate of the CA
* @param key the private key of the CA; it must correspond to the public key
*   in ca_certificate, or nothing this object issues will verify against
*   the CA certificate (TODO confirm whether the constructor checks this)
* @param hash_fn name of a hash function to use for signing (e.g. "SHA-256");
*   the digest is what the CA signature commits to, so avoid hash functions
*   that are no longer collision resistant
* @param rng the random generator to use; presumably consulted when the
*   signer is set up (see choose_sig_format below) and for signing
*/
X509_CA(const X509_Certificate& ca_certificate,
        const Private_Key& key,
        const std::string& hash_fn,
        RandomNumberGenerator& rng);
175 
/**
* Create a new CA object with additional signing options.
* @param ca_certificate the certificate of the CA
* @param key the private key of the CA; it must correspond to the public key
*   in ca_certificate (TODO confirm whether the constructor checks this)
* @param opts additional options, e.g. padding, as key value pairs; the
*   recognized keys are described at the opts-taking choose_sig_format
*   overload below in this header
* @param hash_fn name of a hash function to use for signing
* @param rng the random generator to use
*/
X509_CA(const X509_Certificate& ca_certificate,
        const Private_Key& key,
        const std::map<std::string,std::string>& opts,
        const std::string& hash_fn,
        RandomNumberGenerator& rng);
189 
#if defined(BOTAN_HAS_SYSTEM_RNG)
/**
* Deprecated convenience constructor: same as the four-argument form, but
* uses the generator returned by system_rng(). It only delegates to that
* constructor; prefer calling it directly with an explicit rng, as the
* deprecation message says.
* @param ca_certificate the certificate of the CA
* @param key the private key of the CA
* @param hash_fn name of a hash function to use for signing
*/
BOTAN_DEPRECATED("Use version taking RNG object")
X509_CA(const X509_Certificate& ca_certificate,
        const Private_Key& key,
        const std::string& hash_fn) :
   X509_CA(ca_certificate, key, hash_fn, system_rng())
   {}
#endif
198 
// Non-copyable: the object owns its signer through m_signer (a unique_ptr),
// and a CA should not be silently duplicated.
X509_CA(const X509_CA&) = delete;
X509_CA& operator=(const X509_CA&) = delete;

// Movable: a move hands the owned signer over to the new object.
X509_CA(X509_CA&&) = default;
X509_CA& operator=(X509_CA&&) = default;

// Declared out of line: PK_Signer is only forward-declared in this header,
// and destroying the unique_ptr<PK_Signer> member requires the complete type.
~X509_CA();
206 
207  private:
// Presumably the shared implementation behind the public new_crl/update_crl
// overloads (confirm in x509_ca.cpp). NOTE(review): this rendering dropped
// the `RandomNumberGenerator& rng` parameter line between crl_number and
// issue_time.
X509_CRL make_crl(const std::vector<CRL_Entry>& entries,
                  uint32_t crl_number,
                  std::chrono::system_clock::time_point issue_time,
                  std::chrono::seconds next_update) const;

AlgorithmIdentifier m_ca_sig_algo;   // signature algorithm identifier this CA signs with (presumably)
X509_Certificate m_ca_cert;          // the CA's own certificate (see ca_certificate())
std::string m_hash_fn;               // hash function name supplied at construction
std::unique_ptr<PK_Signer> m_signer; // owned signer; PK_Signer is incomplete here, hence the out-of-line dtor
218  };
219 
/**
* Choose the default signature format for a certain public key signature
* scheme.
*
* NOTE(review): this rendering dropped the first two lines of the
* declaration; per the definition at x509_ca.cpp:318 the full signature is
* `PK_Signer* choose_sig_format(const Private_Key& key, RandomNumberGenerator& rng,
*  const std::string& hash_fn, AlgorithmIdentifier& sig_algo)`.
* @param key will be the key to choose a padding scheme for
* @param rng the random generator to use
* @param hash_fn is the desired hash function
* @param alg_id will be set to the chosen scheme
* @return A PK_Signer object for generating signatures, as a raw pointer.
*   X509_CA keeps its signer in a std::unique_ptr, which suggests the caller
*   takes ownership of the returned object — confirm in x509_ca.cpp and wrap
*   the result in a unique_ptr immediately to avoid a leak or double delete.
*/
   const std::string& hash_fn,
   AlgorithmIdentifier& alg_id);
233 
/**
* @verbatim
* Choose the default signature format for a certain public key signature
* scheme.
*
* The only option recognized by opts at this moment is "padding"
* Find an entry from src/build-data/oids.txt under [signature] of the form
* <sig_algo>/<padding>[(<hash_algo>)] and add {"padding",<padding>}
* to opts.
* @endverbatim
*
* NOTE(review): this rendering dropped the leading lines of the declaration
* (the return type, the key parameter and the `RandomNumberGenerator& rng`
* parameter); the @param entries below document them.
* @param key will be the key to choose a padding scheme for
* @param opts contains additional options for building the certificate;
*   an unrecognized padding name is presumably rejected rather than
*   silently ignored — confirm in x509_ca.cpp before relying on it
* @param rng the random generator to use
* @param hash_fn is the desired hash function
* @param alg_id will be set to the chosen scheme
* @return A PK_Signer object for generating signatures, as a raw pointer;
*   as with the overload above, the caller appears to take ownership —
*   confirm and wrap it in a unique_ptr immediately.
*/
   const std::map<std::string,std::string>& opts,
   const std::string& hash_fn,
   AlgorithmIdentifier& alg_id);
257 
258 }
259 
260 #endif