1 /*
2 * X.509 Certificate Authority
3 * (C) 1999-2008 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #ifndef BOTAN_X509_CA_H_
9 #define BOTAN_X509_CA_H_
10 
11 #include <botan/x509cert.h>
12 #include <botan/x509_crl.h>
13 #include <chrono>
14 
15 #if defined(BOTAN_HAS_SYSTEM_RNG)
16  #include <botan/system_rng.h>
17 #endif
18 
19 namespace Botan {
20 
21 class Private_Key;
22 class PKCS10_Request;
23 class PK_Signer;
24 
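/**
* This class represents X.509 Certificate Authorities (CAs).
*
* An X509_CA holds the CA certificate together with a PK_Signer for the CA
* private key (built in the constructor from the key, the hash function name
* and the optional padding options), and uses that signer to issue end-entity
* certificates and CRLs. The signer is held through a std::unique_ptr, so the
* object is move-only.
*/
class BOTAN_PUBLIC_API(2,0) X509_CA final
   {
   public:
      /**
      * Sign a PKCS#10 Request.
      *
      * NOTE(review): nothing in this interface expresses a policy check on
      * the request (subject name, requested extensions, validity window);
      * presumably the caller vets the request before calling — confirm
      * against the implementation in x509_ca.cpp.
      *
      * @param req the request to sign
      * @param rng the rng to use
      * @param not_before the starting time for the certificate
      * @param not_after the expiration time for the certificate
      * @return resulting certificate
      */
      X509_Certificate sign_request(const PKCS10_Request& req,
                                    RandomNumberGenerator& rng,
                                    const X509_Time& not_before,
                                    const X509_Time& not_after) const;

      /**
      * Get the certificate of this CA.
      * @return CA certificate
      */
      X509_Certificate ca_certificate() const;

      /**
      * Create a new and empty CRL for this CA.
      * @param rng the random number generator to use
      * @param issue_time the issue time (typically system_clock::now)
      * @param next_update the time interval after issue_time within which
      * a new CRL will be produced
      * @return new CRL
      */
      X509_CRL new_crl(RandomNumberGenerator& rng,
                       std::chrono::system_clock::time_point issue_time,
                       std::chrono::seconds next_update) const;

      /**
      * Create a new CRL with additional entries.
      * @param last_crl the last CRL of this CA to add the new entries to
      * @param new_entries contains the new CRL entries to be added to the CRL
      * @param rng the random number generator to use
      * @param issue_time the issue time (typically system_clock::now)
      * @param next_update the time interval after issue_time within which
      * a new CRL will be produced
      * @return new CRL
      */
      X509_CRL update_crl(const X509_CRL& last_crl,
                          const std::vector<CRL_Entry>& new_entries,
                          RandomNumberGenerator& rng,
                          std::chrono::system_clock::time_point issue_time,
                          std::chrono::seconds next_update) const;

      /**
      * Create a new and empty CRL for this CA, issued at the current time.
      * @param rng the random number generator to use
      * @param next_update the time to set in next update in seconds
      * as the offset from the current time. The default of 604800 seconds
      * is 7 days; relying parties treat a CRL whose next update time has
      * passed as stale, so choose a value matching the intended CRL
      * issuance cadence.
      * @return new CRL
      */
      X509_CRL new_crl(RandomNumberGenerator& rng,
                       uint32_t next_update = 604800) const;

      /**
      * Create a new CRL with additional entries, issued at the current time.
      * @param last_crl the last CRL of this CA to add the new entries to
      * @param new_entries contains the new CRL entries to be added to the CRL
      * @param rng the random number generator to use
      * @param next_update the time to set in next update in seconds
      * as the offset from the current time (default 604800 seconds = 7 days)
      * @return new CRL
      */
      X509_CRL update_crl(const X509_CRL& last_crl,
                          const std::vector<CRL_Entry>& new_entries,
                          RandomNumberGenerator& rng,
                          uint32_t next_update = 604800) const;

      /**
      * Interface for creating new certificates.
      *
      * This is the low-level primitive: it is static, so it does not consult
      * any X509_CA object and signs exactly the issuer/subject/extensions
      * it is given. NOTE(review): ownership of signer is not expressed by
      * the raw pointer; presumably it is borrowed for the duration of the
      * call — confirm in x509_ca.cpp.
      *
      * @param signer a signing object
      * @param rng a random number generator
      * @param sig_algo the signature algorithm identifier
      * @param pub_key the serialized public key
      * @param not_before the start time of the certificate
      * @param not_after the end time of the certificate
      * @param issuer_dn the DN of the issuer
      * @param subject_dn the DN of the subject
      * @param extensions an optional list of certificate extensions
      * @return newly minted certificate
      */
      static X509_Certificate make_cert(PK_Signer* signer,
                                        RandomNumberGenerator& rng,
                                        const AlgorithmIdentifier& sig_algo,
                                        const std::vector<uint8_t>& pub_key,
                                        const X509_Time& not_before,
                                        const X509_Time& not_after,
                                        const X509_DN& issuer_dn,
                                        const X509_DN& subject_dn,
                                        const Extensions& extensions);

      /**
      * Create a new CA object.
      * @param ca_certificate the certificate of the CA
      * @param key the private key of the CA
      * @param hash_fn name of a hash function to use for signing
      * @param rng the random generator to use
      */
      X509_CA(const X509_Certificate& ca_certificate,
              const Private_Key& key,
              const std::string& hash_fn,
              RandomNumberGenerator& rng);

      /**
      * Create a new CA object.
      * @param ca_certificate the certificate of the CA
      * @param key the private key of the CA
      * @param opts additional options, e.g. padding, as key value pairs;
      * "padding" is the only option documented for choose_sig_format
      * @param hash_fn name of a hash function to use for signing
      * @param rng the random generator to use
      */
      X509_CA(const X509_Certificate& ca_certificate,
              const Private_Key& key,
              const std::map<std::string,std::string>& opts,
              const std::string& hash_fn,
              RandomNumberGenerator& rng);

#if defined(BOTAN_HAS_SYSTEM_RNG)
      /**
      * Create a new CA object using the process-wide system RNG.
      * Only available when the build defines BOTAN_HAS_SYSTEM_RNG; prefer
      * the overload taking an explicit RandomNumberGenerator.
      * @param ca_certificate the certificate of the CA
      * @param key the private key of the CA
      * @param hash_fn name of a hash function to use for signing
      */
      BOTAN_DEPRECATED("Use version taking RNG object")
      X509_CA(const X509_Certificate& ca_certificate,
              const Private_Key& key,
              const std::string& hash_fn) :
         X509_CA(ca_certificate, key, hash_fn, system_rng())
         {}
#endif

      // Non-copyable: the CA owns its PK_Signer through a unique_ptr.
      X509_CA(const X509_CA&) = delete;
      X509_CA& operator=(const X509_CA&) = delete;

      // Movable, except on MSVC 2013 which does not support defaulted moves.
#if !defined(BOTAN_BUILD_COMPILER_IS_MSVC_2013)
      X509_CA(X509_CA&&) = default;
      X509_CA& operator=(X509_CA&&) = default;
#endif

      // Defined out of line: PK_Signer is only forward-declared here, and
      // the unique_ptr deleter needs the complete type.
      ~X509_CA();

   private:
      // Presumably the common CRL builder behind new_crl/update_crl, with
      // crl_number becoming the CRL's number — see x509_ca.cpp.
      X509_CRL make_crl(const std::vector<CRL_Entry>& entries,
                        uint32_t crl_number,
                        RandomNumberGenerator& rng,
                        std::chrono::system_clock::time_point issue_time,
                        std::chrono::seconds next_update) const;

      AlgorithmIdentifier m_ca_sig_algo;    // signature algorithm identifier used by this CA
      X509_Certificate m_ca_cert;           // returned by ca_certificate()
      std::string m_hash_fn;                // hash function name given at construction
      std::unique_ptr<PK_Signer> m_signer;  // signer for the CA key; complete type only in x509_ca.cpp
   };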
180 
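/**
* Choose the default signature format for a certain public key signature
* scheme.
*
* NOTE(review): the result is a raw PK_Signer pointer, so the type does not
* say who frees it; X509_CA keeps its signer in a std::unique_ptr, which
* suggests the caller takes ownership — confirm in x509_ca.cpp before
* relying on it.
*
* @param key will be the key to choose a padding scheme for
* @param rng the random generator to use
* @param hash_fn is the desired hash function
* @param alg_id will be set to the chosen scheme
* @return A PK_Signer object for generating signatures
*/
BOTAN_PUBLIC_API(2,0) PK_Signer* choose_sig_format(const Private_Key& key,
                                                   RandomNumberGenerator& rng,
                                                   const std::string& hash_fn,
                                                   AlgorithmIdentifier& alg_id);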
194 
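/**
* @verbatim
* Choose the default signature format for a certain public key signature
* scheme.
*
* The only option recognized by opts at this moment is "padding"
* Find an entry from src/build-data/oids.txt under [signature] of the form
* <sig_algo>/<padding>[(<hash_algo>)] and add {"padding",<padding>}
* to opts.
* @endverbatim
*
* NOTE(review): the result is a raw PK_Signer pointer, so the type does not
* say who frees it; X509_CA keeps its signer in a std::unique_ptr, which
* suggests the caller takes ownership — confirm in x509_ca.cpp. Whether an
* unrecognized "padding" value is rejected or silently ignored is also not
* stated here; confirm before accepting padding names from configuration.
*
* @param key will be the key to choose a padding scheme for
* @param opts contains additional options for building the certificate
* @param rng the random generator to use
* @param hash_fn is the desired hash function
* @param alg_id will be set to the chosen scheme
* @return A PK_Signer object for generating signatures
*/
BOTAN_PUBLIC_API(2,0) PK_Signer* choose_sig_format(const Private_Key& key,
                                                   const std::map<std::string,std::string>& opts,
                                                   RandomNumberGenerator& rng,
                                                   const std::string& hash_fn,
                                                   AlgorithmIdentifier& alg_id);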
218 
219 }
220 
221 #endif